Lab Manual
VMware SD-WAN™
Copyright © 2022 VMware, Inc. All rights reserved. This manual and its accompanying
materials are protected by U.S. and international copyright and intellectual property laws.
VMware products are covered by one or more patents listed at
http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of
VMware, Inc. in the United States and/or other jurisdictions. All other marks and names
mentioned herein may be trademarks of their respective companies. VMware vSphere® 2015,
VMware vSphere®, VMware vCloud®, VMware vCenter Server®, VMware vSphere®
vApp(s)™, VMware Verify™, VMware SD-WAN™ by VeloCloud®, VMware SD-WAN™ by
VeloCloud® – WFH Pro Subscription, VMware SD-WAN™ by VeloCloud® – WFH
Subscription, VMware SD-WAN™, VMware SD-WAN™ for AWS GovCloud (US), VMware
SD-WAN™ on AWS GovCloud (US), VMware NSX®, VMware Go™, and VMware ESXi™ are
registered trademarks or trademarks of VMware, Inc. in the United States and/or other
jurisdictions.
The training material is provided “as is,” and all express or implied conditions, representations,
and warranties, including any implied warranty of merchantability, fitness for a particular
purpose or noninfringement, are disclaimed, even if VMware, Inc., has been advised of the
possibility of such claims. This material is designed to be used for reference purposes in
conjunction with a training course.
The training material is not a standalone training tool. Use of the training material for self-
study without class attendance is not recommended. These materials and the computer
programs to which it relates are the property of, and embody trade secrets and confidential
information proprietary to, VMware, Inc., and may not be reproduced, copied, disclosed,
transferred, adapted, or modified without the express written approval of VMware, Inc.
www.vmware.com/education
Typographical Conventions
• <ESXi_host_name>
Contents
Task 4: Change the Profile Assigned to the Edge ... 39
Lab 6 Configuring and Verifying Overlay Tunnels ... 41
Task 1: Configure an Auto-Detected Overlay ... 42
Task 2: Verify the Auto-Detected Overlay ... 46
Task 3: Verify the User-Defined Overlay ... 47
Lab 7 Configuring Overlays for Cloud VPN ... 49
Task 1: Explore the OFC Table and Enable Cloud VPN for Internet-Only Profiles ... 50
Task 2: Enable Cloud VPN for Branch Hybrid Profile ... 53
Task 3: Change the Device Role from Edge to Hub ... 54
Task 4: Enable Hub-Spoke Topology for Branch Hybrid Profile ... 57
Task 5: Enable Branch to Branch VPN with Gateways ... 58
Task 6: Verify the Path for Branch to Branch VPN ... 59
Task 7: Enable Branch to Branch VPN with Hubs ... 60
Lab 8 Dynamic Multipath Optimization ... 63
Task 1: Ping the Data Center Server from the Chicago Client ... 64
Task 2: Run iPerf on Port 5001 ... 65
Task 3: List the Active Flows ... 67
Task 4: Configure a Preferred Option Business Policy ... 68
Task 5: Run iPerf on Port 8080 ... 70
Task 6: Verify That Traffic Follows the Preferred Route ... 71
Lab 1 Understanding the Lab Environment
Reviewing the Lab Topology
This section describes the lab topology before you begin. Understanding the lab design makes
the objective of each lab clear.
For most of the VMware SD-WAN configuration, you must log in to VMware SD-WAN
Orchestrator. The VMware SD-WAN Orchestrator VM name is VCO-1-Primary.
Data Center Site
You configure the data center site as a hub. You check VPN connectivity between various
remote sites and the data center.
NOTE
The purpose of this lab is to provide an overview of the lab topology. This lab does not have
any tasks.
Lab 2 Exploring VMware SD-WAN Orchestrator
Task 1: Access VMware SD-WAN Orchestrator
You access VMware SD-WAN Orchestrator to create new user accounts.
IMPORTANT
Use this login procedure as needed for the remainder of the lab exercises.
3. Click Sign In to launch the orchestrator.
NOTE
Enter VMware1! in the Password text box if it does not populate automatically.
6. In the Account Role drop-down menu, select Customer Read Only.
With this role, the user has a read-only view of the company's network services.
7. Click Create.
Task 3: Create and Configure a Read-Write Account
You create a read-write orchestrator account to provide access to a user who has privileges to
monitor and configure objects.
With this role, the user can view and manage users and access the global settings across all
services.
7. Click Create.
With this role, the user can monitor edges and activity in the network as well as initiate
diagnostic actions across the company's network.
7. Click Create.
Task 5: Validate the Newly Created Accounts
You validate the newly created orchestrator accounts to ensure that they have been configured
correctly.
2. Verify that the settings are correct for each of the new accounts.
3. Log out of the orchestrator, and then log in as one of the newly created roles to validate its
credentials.
Lab 3 Zero-Touch Provisioning
Task 1: Provision a New Branch
You provision a new branch with VMware SD-WAN Orchestrator.
8. In the Edge License drop-down menu, select POC | 10 Gbps | North America.
11. Click Search.
13. Scroll down and click Create.
NOTE
Because you do not have access to an email system in the lab environment, this lab simulates
the email activation process.
2. Right-click the activation URL and select Copy Link.
4. Send the activation URL to the CHI-CLIENT-01 desktop.
c. Right-click in the Terminal window and select Paste to enter the URL from the activation
email.
d. Press Enter.
5. Connect to your vCenter Server system.
a. From the taskbar, open the Firefox browser.
Disregard this step if the browser is already open.
b. Click the Region A bookmark folder and select the vcsa-01a.corp.local bookmark.
6. From the vCenter Server system, access the Chicago client desktop.
a. Select RegionA01 Data Center > RegionA01-BRANCH01 > CHI-Branch vApp > CHI-
CLIENT-01.
b. Click LAUNCH WEB CONSOLE.
7. From the CHI-CLIENT-01 desktop, double-click the activation.txt file icon and copy the edge
activation_key URL.
9. In the browser address bar, paste the activation URL that you copied from the text file and
press Enter.
13. Dismiss the Activation successful! message and close the Warning message.
14. Return to VMware SD-WAN Orchestrator to verify that the edge is successfully activated.
a. Select Monitor > Edges and confirm that the Chicago edge status is Active.
Activation might take up to 5 minutes. Refresh the browser window to see the latest
status.
b. On the Edges page, select CHI-VCE-01 to view more details.
If Throughput | Bandwidth statistics are updating under Link Status, then the
commissioning was successful.
10. Scroll to the top of the page and click Save Changes.
11. Click Confirm.
1. Select Test & Troubleshoot > Remote Diagnostics in the navigation pane on the left.
d. Click Run.
Lab 4 Configuring Segmentation
Task 1: Configure a Cardholder Data Environment Segment
You configure a segment named CDE Segment and assign it to a branch profile.
The Cardholder Data Environment (CDE) segment isolates card payment traffic from the rest of
the branch network: it gets its own VLAN and its own firewall rules, separate from those of the
corporate and guest segments.
11. Next to Select Profile Segments, click Change.
13. Click the right arrow to transfer CDE Segment to the Within This Profile column.
15. Configure the VLAN settings for CDE Segment.
a. Scroll down to Configure VLAN.
b. Click Add VLAN.
c. From the Segment drop-down menu, select CDE Segment.
d. Enter 20 in the VLAN Id text box.
e. Select the Assign Overlapping Subnets check box and click OK when the warning
appears.
16. Inspect the Configure VLAN section and verify that 20 - CDE Segment appears in the VLAN
column.
10. Under All Segments, select Guest Segment.
11. Click the right arrow to transfer Guest Segment to the Within This Profile column.
c. Select the Assign Overlapping Subnets check box and click OK.
f. Scroll down to DHCP and enter 10 in the Num. Addresses text box.
15. Scroll down to Configure VLAN and verify that 30 - Guest Segment appears in the VLAN
column.
4. From the Configure Segment drop-down menu, select CDE Segment [CDE].
6. Configure the Configure Rule dialog box.
c. In the Rule Name Search box, type Facebook and press Enter.
7. Scroll down to Configure Segments.
8. Under Firewall Rules, verify that Deny Facebook appears in the Rule column.
9. Under Interface Settings, verify that 20 - CDE Segment appears in the VLANs column next
to the GE1 interface.
12. From the top Firefox taskbar, click the vSphere - CHI-CLIENT-01 tab.
13. If the vSphere - CHI-CLIENT-01 tab is closed, access the Chicago client desktop from the
vCenter Server system.
a. Click the Region A bookmark folder and select the vcsa-01a.corp.local bookmark.
15. From the taskbar of the Chicago client desktop, open a Terminal window.
Task 5: Test the Guest Segment with No Firewall Rule
You configure the Chicago edge to utilize the guest segment and then verify that you can access
Facebook.
9. Under Interface Settings, verify that 30 - Guest Segment appears in the VLANs column next
to the GE1 interface.
11. In the Confirm Changes dialog box, click Confirm.
12. From the top Firefox taskbar, click the vSphere - CHI-CLIENT-01 tab.
13. If the vSphere - CHI-CLIENT-01 tab is closed, access the Chicago client desktop from the
vCenter Server system.
a. Click the Region A bookmark folder and select the vcsa-01a.corp.local bookmark.
• Password: VMware1!
c. Select RegionA01 Data Center > RegionA01-BRANCH01 > CHI-Branch vApp > CHI-
CLIENT-01.
15. Open Firefox.
Access to the Facebook web page is allowed because no firewall rule in the guest segment denies
it; the Deny Facebook rule applies only to traffic in CDE Segment.
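The behaviour observed in Tasks 4 and 5 (the same client is blocked on VLAN 20 and allowed on VLAN 30) comes down to firewall rules being scoped to a segment. The following is an added model of that evaluation, not VMware code: the segment names, VLAN IDs and the Deny Facebook rule are the lab's; first-match rule order, the implicit allow when no rule matches, and dropping traffic on a VLAN no segment owns are assumptions of the model.

```python
"""Segment-scoped firewall evaluation (added example, not VMware code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    vlan: int        # VLAN the client sits in (GE1 is mapped to one VLAN at a time in the lab)
    app: str         # application as recognised by the edge, e.g. "Facebook"


@dataclass
class Segment:
    name: str
    vlan: int
    rules: List[Tuple[str, str]] = field(default_factory=list)  # (app, "allow"|"deny"), top-down


def segment_for(flow: Flow, segments: List[Segment]) -> Optional[Segment]:
    """Map a flow to the segment that owns its VLAN (None if the VLAN is unassigned)."""
    return next((s for s in segments if s.vlan == flow.vlan), None)


def evaluate(flow: Flow, segments: List[Segment]) -> Tuple[str, str]:
    """Return (action, reason). Rules are evaluated first-match within the flow's segment only."""
    seg = segment_for(flow, segments)
    if seg is None:
        # Assumption: a VLAN that no segment owns has no policy and is dropped.
        return "deny", "no segment owns VLAN %d" % flow.vlan
    for app, action in seg.rules:
        if app == flow.app:
            return action, f"{seg.name}: matched rule '{action} {app}'"
    # Assumption: no matching rule means the segment allows the application.
    return "allow", f"{seg.name}: no matching rule, implicit allow"


def segments_allowing(app: str, segments: List[Segment]) -> List[str]:
    """Audit helper: list the segments from which this application is reachable."""
    return [s.name for s in segments if evaluate(Flow(s.vlan, app), segments)[0] == "allow"]


# Lab topology: Corporate on VLAN 1, CDE Segment on VLAN 20 with Deny Facebook, Guest on VLAN 30.
LAB_SEGMENTS = [
    Segment("Corporate", 1),
    Segment("CDE Segment", 20, rules=[("Facebook", "deny")]),
    Segment("Guest Segment", 30),
]

if __name__ == "__main__":
    for vlan in (1, 20, 30):
        print(vlan, evaluate(Flow(vlan, "Facebook"), LAB_SEGMENTS))
    print("Facebook reachable from:", segments_allowing("Facebook", LAB_SEGMENTS))
```

The audit helper is the check worth keeping: after adding a deny rule to one segment, list every segment from which the application is still reachable, because a rule written under CDE Segment changes nothing for Corporate or Guest.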
8. From the VLANs drop-down menu, select 1 - Corporate.
10. Under Interface Settings, verify that 1 - Corporate appears in the VLANs column next to the
GE1 interface.
Lab 5 Configuring Profiles
Task 1: Create a New Configuration Profile
You create a new VMware SD-WAN profile. You do not assign it to any edge device.
5. Click Create.
e. Click Create.
The configuration page for Branch Virtual Profile appears. Under Profile Overview, the
enabled edge appliances are shown next to Enabled Models.
2. Click the Device tab.
4. Deselect the check boxes of all edge appliance models except Virtual Edge.
6. From the Edge License drop-down menu, select POC | 10 Gbps | North America.
7. Click Create.
NOTE
This is the expected result. The error is valid because the profile was configured in an earlier
task to be restricted to Virtual Edge only.
8. From the Profile drop-down menu, select New Segment Profile and click Create.
The new edge provisioning is successful because New Segment Profile has no restrictions.
Task 4: Change the Profile Assigned to the Edge
You change the profile assigned to the Test-VCE-01 edge to Branch Internet Only Profile.
5. Click Apply.
Lab 6 Configuring and Verifying Overlay Tunnels
Task 1: Configure an Auto-Detected Overlay
You configure the CHI-VCE-01 public WAN link on the GE4 interface to trigger an auto-detected
overlay.
3. On the Edges page, select CHI-VCE-01 and click the Device tab.
8. Configure the GE4 interface.
11. Click Confirm.
12. Verify that two WAN links were created.
a. From the VMware SD-WAN Orchestrator dashboard, select Monitor > Edges.
Task 2: Verify the Auto-Detected Overlay
You verify that the WAN link automatically built an overlay tunnel to the primary and secondary
gateways.
1. Select Test & Troubleshoot > Remote Diagnostics in the navigation pane on the left.
The resultant paths should now show VPN tunnels between each local IP address and the
remote IP address of each VMware SD-WAN Gateway instance.
Task 3: Verify the User-Defined Overlay
You verify the user-defined private WAN overlay without altering its configuration.
6. Verify that User Defined Overlay appears in the WAN Overlay drop-down menu.
7. Click the X in the upper-right corner to close the Edge VMware dialog box.
8. Under WAN Settings, verify that User Defined appears in the Type column for the GE4
interface.
Lab 7 Configuring Overlays for Cloud VPN
Task 1: Explore the OFC Table and Enable Cloud VPN for Internet-Only Profiles
You explore the Overlay Flow Control (OFC) table to see a global view of all routes. You
examine the OFC table before and after enabling the Cloud VPN option.
2. Select Configure > Overlay Flow Control in the navigation pane on the left.
6. Click Search to initiate the routing table search.
No results are found. This result is expected because Cloud VPN is disabled in the profile.
f. Click the browser back button twice to return to the Configuration Profiles page.
8. Identify the subnet route in the OFC table.
a. Select Configure > Overlay Flow Control in the navigation pane on the left.
b. Click Search.
e. Click Search.
The 10.24.1.0/24 route appears in the OFC table because Cloud VPN is enabled.
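The before-and-after search above, and the overlay routes described in Task 5, follow from one rule: a subnet behind an edge is advertised to the gateway only while the edge's profile has Cloud VPN enabled, and the gateway redistributes what it learns. The following is an added model of that table, not VMware's Overlay Flow Control implementation. The profile and edge names, the 10.24.1.0/24 subnet and the 10.101.1.11 server address are the lab's; the /24 mask on the data center subnet, the LAX subnet, and the table layout are assumptions.

```python
"""Overlay route learning as a model of the OFC table (added example, not VMware code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Profile:
    name: str
    cloud_vpn: bool = False


@dataclass
class Edge:
    name: str
    profile: str                       # name of the profile assigned to this edge
    lan_prefixes: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    learned_from: str                  # edge that advertised the subnet
    route_type: str                    # "overlay": learned via the gateway, not a local subnet


def build_ofc(edges: List[Edge], profiles: Dict[str, Profile]) -> List[Route]:
    """Gateway view: every subnet advertised by an edge whose profile has Cloud VPN on."""
    table = []
    for edge in edges:
        if not profiles[edge.profile].cloud_vpn:
            continue                   # no Cloud VPN: the edge advertises nothing over the overlay
        for p in edge.lan_prefixes:
            table.append(Route(ipaddress.ip_network(p), edge.name, "overlay"))
    return table


def search_prefix(table: List[Route], prefix: str) -> List[Route]:
    """Equivalent of the OFC page's prefix search."""
    net = ipaddress.ip_network(prefix)
    return [r for r in table if r.prefix == net]


def lookup(table: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match for a destination address; None if nothing covers it."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


PROFILES = {
    "Branch Internet Only Profile": Profile("Branch Internet Only Profile"),
    "Branch Hybrid Profile": Profile("Branch Hybrid Profile"),
}
EDGES = [
    Edge("CHI-VCE-01", "Branch Internet Only Profile", ["10.24.1.0/24"]),
    Edge("LAX-VCE-01", "Branch Internet Only Profile", ["10.26.1.0/24"]),   # assumed LAX subnet
    Edge("DC1-VCE-01", "Branch Hybrid Profile", ["10.101.1.0/24"]),        # assumed /24 for DC1
]


def ofc_after_enabling(profile_name: str) -> List[Route]:
    """Rebuild the table with Cloud VPN switched on for one profile, leaving the others as configured."""
    profiles = {n: Profile(n, p.cloud_vpn or n == profile_name) for n, p in PROFILES.items()}
    return build_ofc(EDGES, profiles)


if __name__ == "__main__":
    print("before:", search_prefix(build_ofc(EDGES, PROFILES), "10.24.1.0/24"))
    after = ofc_after_enabling("Branch Internet Only Profile")
    print("after: ", search_prefix(after, "10.24.1.0/24"))
    print("DC1 reachable via overlay?", lookup(after, "10.101.1.11"))
```

Enabling Cloud VPN on the internet-only profile makes 10.24.1.0/24 appear, learned from CHI-VCE-01, but a lookup for the data center server still returns nothing until Task 2 enables Cloud VPN on Branch Hybrid Profile as well.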
Task 2: Enable Cloud VPN for Branch Hybrid Profile
You enable Cloud VPN functionality for Branch Hybrid Profile.
d. Under Configure Segments, verify that the Cloud VPN toggle is on.
Task 3: Change the Device Role from Edge to Hub
You change the role of device DC1-VCE-01 from edge to hub. Before enabling the hub role, you
run the List Paths command to verify that it displays only a gateway peer. After enabling the
hub role, the List Paths command displays both a gateway and a hub device as peers.
a. Select Test & Troubleshoot > Remote Diagnostics in the navigation pane on the left.
d. Click the Peer drop-down menu and verify that Gateway is the only choice.
2. Change the role of device DC1-VCE-01.
h. Click OK.
3. Run the List Paths command.
a. Select Test & Troubleshoot > Remote Diagnostics in the navigation pane on the left.
List Paths now displays the newly added hub in the Peer drop-down menu.
d. From the Peer drop-down menu, select DC1-VCE-01 and click Run.
Now that a hub-spoke Cloud VPN is enabled for Branch Internet Only Profile, the CHI
and LAX branch sites have overlay tunnels to the hub site.
Task 4: Enable Hub-Spoke Topology for Branch Hybrid Profile
You enable a hub-spoke topology for Branch Hybrid Profile. DC1-VCE-01 acts as the hub, and the
Chicago and Los Angeles edges act as the spokes.
4. Scroll down and verify that the Cloud VPN toggle is turned on.
9. Click OK.
a. Select Test & Troubleshoot > Remote Diagnostics in the navigation pane on the left.
c. Scroll down to List Paths and select DC1-VCE-01 from the Peer drop-down menu.
d. Click Run.
Task 5: Enable Branch to Branch VPN with Gateways
You change the configuration of Branch Hybrid Profile and Branch Internet Only Profile, using
gateways to establish Cloud VPN tunnels for branch-to-branch communications.
The gateway distributes routes to all edge devices. The routes learned from other edges are
called overlay routes.
5. Under Dynamic Branch to Branch VPN, deselect the Enabled check box.
Task 6: Verify the Path for Branch to Branch VPN
You verify the Branch to Branch with Gateways configuration changes.
1. Select Test & Troubleshoot > Remote Diagnostics in the navigation pane on the left.
Verify that VPN connectivity is established between the selected edge and the other sites.
a. Select Test & Troubleshoot > Remote Diagnostics in the navigation pane on the left.
b. On the Remote Diagnostics page, select the edge device being verified.
d. From the Peer drop-down menu, select the edge device being verified and click Run.
Task 7: Enable Branch to Branch VPN with Hubs
You enable Branch to Branch VPN with hubs. This topology might be beneficial for proofs of
concept and trials.
4. Under Branch to Branch VPN, click Use Hubs for VPN and then click Select Hubs.
6. Click the right arrow to add DC1-VCE-01 to the Branch to Branch VPN Hubs column.
7. Click OK.
Lab 8 Dynamic Multipath Optimization
Task 1: Ping the Data Center Server from the Chicago Client
You verify that the data center server at 10.101.1.11 is reachable from 10.24.1.1 on VLAN 1.
2. Select Test & Troubleshoot > Remote Diagnostics in the navigation pane on the left.
7. Click Run.
Task 2: Run iPerf on Port 5001
You connect to the vCenter Server system and run iPerf on the Chicago client and the data
center server, using 5001 as the port.
b. Click the Region A bookmark folder and select the vcsa-01a.corp.local bookmark.
• Password: VMware1!
2. From the vCenter Server system, access the Chicago client desktop.
a. Select RegionA01 Data Center > RegionA01-BRANCH01 > CHI-Branch vApp > CHI-
CLIENT-01.
3. Log in to the DC1 server using SSH.
c. At the prompt, enter yes to accept the ECDSA key fingerprint and continue connecting
to the server.
4. Run iPerf.
5. Run iPerf from the CHI-CLIENT-01 desktop.
a. In the Terminal window, click the plus sign (+) icon in the top-left corner to open a new
tab.
In this test command, -c runs iPerf as a client against the given server, -p sets the TCP port
to connect to, and -t sets the duration of the test in seconds.
The iPerf command does not need to run completely before you continue to the next
task.
c. If iPerf does not respond, run the iperf3 -s -p 5001 command from the DC1
tab to start a server listening on port 5001.
A failure to respond means either that the Chicago client cannot reach the DC server or that
no iPerf service is listening on port 5001 on DC1.
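Both failure causes named above (no reachability, no listener) produce the same silent client, and neither produces a flow for the edge to classify, so a run that "did nothing" is easy to misread as a path-steering result in the later tasks. The following is an added example, not part of the lab manual: a TCP pre-check of the server port, construction of the client command lines used in Tasks 2 and 5, and a reducer for iperf3's JSON output. The host and ports are the lab's (DC1 at 10.101.1.11, TCP 5001, UDP 8080); the probe timeout, the shape of the iperf3 -J output and the sample outputs embedded below are assumptions and constructed data.

```python
"""iPerf reachability pre-check and result parsing (added example, not from the lab manual)."""
import json
import socket
from typing import Dict, List


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes; False on refusal, timeout or DNS failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def iperf3_client_cmd(server: str, port: int, seconds: int = 30, udp: bool = False) -> List[str]:
    """Build the client command: -c client mode, -p port, -t duration (s), -J JSON output, -u UDP."""
    cmd = ["iperf3", "-c", server, "-p", str(port), "-t", str(seconds), "-J"]
    if udp:
        cmd.append("-u")
    return cmd


def summarize_iperf3(json_text: str) -> Dict[str, object]:
    """Reduce iperf3 -J output to pass/fail plus throughput; UDP runs also report loss."""
    data = json.loads(json_text)
    if "error" in data:                      # e.g. connection refused: no server on that port
        return {"ok": False, "error": data["error"]}
    end = data["end"]
    if "sum_received" in end:                # TCP: the receiver-side total is the number to trust
        mbps = round(end["sum_received"]["bits_per_second"] / 1e6, 1)
        return {"ok": True, "proto": "TCP", "mbps": mbps}
    s = end["sum"]                           # UDP: single summary carrying loss counters
    return {"ok": True, "proto": "UDP", "mbps": round(s["bits_per_second"] / 1e6, 1),
            "lost_percent": s["lost_percent"]}


# Constructed samples in the shape iperf3 -J prints, trimmed to the fields used above.
SAMPLE_TCP_OK = json.dumps({"end": {"sum_sent": {"bits_per_second": 9.4e7},
                                    "sum_received": {"bits_per_second": 9.2e7}}})
SAMPLE_UDP_OK = json.dumps({"end": {"sum": {"bits_per_second": 1.05e6,
                                            "lost_packets": 3, "lost_percent": 0.29}}})
SAMPLE_REFUSED = json.dumps({"error": "unable to connect to server: Connection refused"})


def probe_self_test() -> Dict[str, bool]:
    """Open a local listener, probe it, close it, probe again; runs offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    up = probe_tcp("127.0.0.1", port)
    srv.close()
    down = probe_tcp("127.0.0.1", port)
    return {"listening": up, "closed": down}


if __name__ == "__main__":
    dc1 = "10.101.1.11"
    print("DC1 iPerf listening:", probe_tcp(dc1, 5001))          # needs the lab network
    print(" ".join(iperf3_client_cmd(dc1, 5001)))                # Task 2: TCP 5001
    print(" ".join(iperf3_client_cmd(dc1, 8080, udp=True)))      # Task 5: UDP 8080
    for sample in (SAMPLE_TCP_OK, SAMPLE_UDP_OK, SAMPLE_REFUSED):
        print(summarize_iperf3(sample))
    print(probe_self_test())
```

Note that the TCP probe only tells the two causes apart for the TCP 5001 test; a UDP server on 8080 cannot be probed this way, so for Task 5 rely on the client's JSON error field instead.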
1. Select Test & Troubleshoot > Remote Diagnostics in the navigation pane on the left.
4. Verify that deep application recognition recognizes the TCP port 5001 as iPerf.
Task 4: Configure a Preferred Option Business Policy
You configure a business policy to influence link steering. You verify that traffic follows the
preferred route.
h. Under WAN Link, click Preferred.
i. Click OK.
Task 5: Run iPerf on Port 8080
You connect to the vCenter Server system and run iPerf on the Chicago client and data center
server, using 8080 as the port.
b. Click the Region A bookmark folder and select the vcsa-01a.corp.local bookmark.
• Password: VMware1!
2. From the vCenter Server system, access the Chicago client desktop.
a. Select RegionA01 Data Center > RegionA01-BRANCH01 > CHI-Branch vApp > CHI-
CLIENT-01.
3. Initiate traffic from the Chicago branch to the DC1 server on UDP port 8080.
You ran iPerf on the DC1 server machine in an earlier lab task.
Task 6: Verify That Traffic Follows the Preferred Route
You start live monitoring to verify that traffic follows the route configured in the business policy.
6. Review the graph to verify that UDP traffic on port 8080 uses the preferred 198.18.14.11 link.