Aruba SilverPeak SDWAN 1 - Deployment #arubanetworks #sdwan #silverpeak

welcome to what I hope to be a series of videos on the Aruba Silver Peak sd-wan product I was recently lucky enough to obtain licensing to set up a lab and

wanted to provide what I hope to be a series of videos that show real world scenarios and highlight the capabilities of the Aruba Silver Peak product

first the typical disclaimer has it's likely not hard to find out where I work so my comments and opinions here are my own and not my employers

I've been working with the Aruba Silver Peak sd-wan solution for over five years now and I've seen a lot of change and exciting enhancements to it I've enjoyed working with the product and have

deployed and seen it save companies huge amounts of money first as they migrate away from the traditional mpls weigh-in

to utilizing cheaper internet Dia and Broadband connectivity and second as they migrate away from their on-prem

firewall type solutions to sassy Solutions like zscaler as an engineer who deploys and sets it

up one of my favorite aspects of the product is its ease of use from the configuration operation and upgrade perspective the Silver Peak

solution is comprised of three main pieces the cloud portal orchestrator in the appliances the cloud portal is what the

orchestrator and appliances first connect to once an orchestrator is online and provided a key it Associates with your company and pulls down the licenses

associated the cloud portal also Brokers connectivity to the appliances as they come online and gain internet access it provides their information to

orchestrator to be able to pull in and configure the orchestrator is the management plane of the solution it can be Cloud hosted

or on-prem it provides all of the configuration and single pane of management and monitoring most of the time spent managing the

solution is in orchestrator the appliances are obviously the devices deployed at your sites that actually do the work

they can either be virtual or physical so to pull the covers back on the lab here a bit I'm simulating A Cloud hosted orchestrator but in reality it's

actually on-prem you can see that here with the private IP address being shown the difference here is that typically in an on-prem environment the orchestrator

would live internal to the network somewhere and be directly reachable by the appliances once they are up and configured we're in a Cloud solution the

orchestrator would not be internal and would be reachable just like the cloud portal via internet connectivity the rest of the lab appliances and all

simulated Network in the way of internet and Wan are running in even G so the appliances in this case are

virtual appliances I purposefully used even G as it allows me to simulate network issues in the way of packet loss delay and Jitter as we walk through and

highlight how traffic gets handled so orchestrator is a VM that lives right outside of the even G environment next to a firewall that provides the

environment internet access as we look at the topology here we see three active sites and as previously stated I hope to simulate

real world scenarios so we have a foresight that we're going to be bringing online new we're just waiting on internet connections like we always do that will

probably resonate with most so back to the design here this will be one of the first projects we do in the lab what we see as we work top down is our

orchestrator and internet connection at the top below that we have a vyos cloud router that would technically be part of the

internet a normal internet router at each site we have two vyos Cloud routers simulating the internet circuits

in the way of isp1 and isp2 in the real world all of the IP addressing here would obviously be public space

each ISP link was delivered to us with a 20 whack 29 and we'll talk about that a little later but for the sake of the lab

as it relates to the real world the network addressing facing us from the ISP routers would be public wack 29s

below that we have a pair of Internet Edge switches simply there for breakout that again we'll talk about later

then we have our Silver Peak appliances behind them we have our internal core routers or switches in a machine at each

site that we'll be utilizing in our scenarios in addition between the West and East sites we have a simulated mpls

to put that to the real world in a lot of cases as companies move to sd-wan they have existing in PLS that doesn't make sense to turn down uh and pay the

early termination fees uh on or um you know as it does so frequently ordering new internet circuits to the site turns into a nightmare so this

highlights the fact that the solution can handle these circuits in stride and utilize them no different than the internet circuits we've got in this

Legacy in PLS that at some point will turn down and do away with so that's the lab as I previously stated I chose even G here as I get the option to manipulate

any of these links I simply right click on it edit quality and input the changes I want to make in the way of

delay Jitter loss in addition I can turn down and up the links simulating outages by simply right clicking on them and

suspending the link as for the internet Cloud portion of this that being the ISP routers and the cloud router at the top

in the background here they are just running ospf they learn about each other's networks just like the internet would albeit not be bgp it just made

sense here so that's it that's the setup for our first exercise we've got to get this Dallas location online we've been waiting months for the isps to deliver

circuits and it's delayed the office opening because that never happens so we see here our ISP links are in

finally however someone messed up they were supposed to be delivered with whack 29s however they ended up getting

ordered and delivered with whack 30s we'll put in an order to have that fixed and talk about it later for now we have

a single usable IP and we'll make do so first we got to get our silver peaks in now something to keep in mind is the

difference in how startup works with virtual and physical appliances when I order a physical Appliance the serial number gets put into my account

if that device catches a wifi internet it shows up for me to manage with virtual since we don't have any serial number or any identifying Mac

address as we build it we have to work uh do some work up front to put in our licensing information so the startup really depends on how you deploy

there are many ways to get things going simply plugging in the management zero port to a network with internet will do it staging the devices by bringing them

online and pre-configuring them with static Wan IPS Etc delivered from the carrier and then shipping it to the site

at the end of the day if you can get the device internet connectivity over any of its interfaces it'll work so with our virtual Appliance we need to

bring it up configure the interfaces with our IPS and provide it our account name and key so the cloud portal knows what orchestrator to notify about it

to do this I'll add the appliance here connect it up boot it up and connect the management zero port to an out-of-band network no different than plugging

directly into the appliance to pre-configure it an interesting note all of the appliances have a management

zero and a management one interface management zero is DHCP by default plug it into a lan it gets an IP address

has internet we can stage it away it goes management one comes pre-configured with an ited arpa address

169.254.0.1 so if we want to manage the device we just plug into management one set our adapter for DHCP it of course

won't get an IP address and windows will assign a 169 in at our address as it does at that point we can hit one six

nine two five four zero One login and configure it in addition the physical appliances have serial console and the virtual appliances have the Virtual Console that

we can use from a command line perspective I'm using the out of Bin management Network on management zero as I have

some limitation with even G and getting access into the lab so I'll be using a combination of the Virtual Console to assign a static IP to

management zero then a VM on that Network to hit the web interface and finish the config so a quick recap

bringing up a Silver Peak the goal get internet access on any interface how you do that is whatever works best in your environment based on the current

deployment at the site scenario our site is on mpls only today

and gets internet via that mpls our East Miami site as an example take the Silver Peak out the internet

circuits out this mpls here probably terminated to the core router I shipped the Silver Peak to the site

plug-in management zero to the network where it gets a DHCP address has internet access it'll show up and I can configure its interfaces once that's

done I plug in my internet connections and the rest of the network migration is with the routing away from the mpls

and in this case once I moved away from the mpls into the Silver Peak I went ahead and migrated the mpls to the Silver Peak as well one other point of

note here is today we have no security we'll talk about that and the design around it later but right now we're really simulating just replacing Legacy

Wan with internet on sd-wing so I mentioned earlier that I was lucky enough to get licensing and that is something I did want to

cover here so with orchestrator and the Silver Peak solution until you get your account key

and put it into orchestrator there are no licenses and nothing works so in order to build a functional lab you

would have to first obtain some licensure that's been something that across many different vendors as an engineer who

truly wants to sit down learn a product understand every step of the deployment so that when I come to a customer I can do so crisp and clean

knowing exactly what's going to happen next in an install roughly how long this step is going to take even with upgrades

Etc I like to be able to know what should be happening and of course that also leads to being able to spot when things are going wrong

but that being said across a number of products now getting that licensing as an engineer whether you're an End customer or a partner

has been very difficult um I know it's that way here with Silver Peak but in addition to that any of the

sassy Solutions and z-scaler or Prisma Cisco's product with [Music] um umbrella Sig Etc uh it's not like I can

just go deploy that in my lab and learn it and get intimately familiar with it and how it works so whenever I'm with any of these uh

vendors I always poke them about that and I know Silver Peak is is you know working to make that a little easier at least hopefully for partners

um at a minimum okay so let's move on here and go ahead and get this uh Dallas site deployed I'm going to go ahead and add a node

it is going to be a Silver Peak I'm gonna name it Silver Peak South just going to go ahead and double these

uh one thing of note here um when you deploy virtual silver Peaks there is a document out there that identifies you know CPU and RAM for the

amount of throughput Etc do I need this much no I mean I've only got 20 megabit of license on throughput so um it's not like it really matters to me

but uh I did it anyway then here we will go ahead and get this guy connected up to this automated management Network e0

connect it up to isp1 on E1 connected up to isp2 on E2 and then connect it whoa whoops

down to our core here on E3 once that's all done we're just going to boot it up

once it turns green here it should be able to click on it and it's going to boot up here this will take just a second

okay now that this is booted up we'll log in admin admin is the default credentials for both physical virtual whatever from a Silver Peak perspective um

we need to do three things here and these are uh specific to the virtual Silver Peak for the most part other than obviously setting a static IP address on

management zero if you need it um in my case uh the OS finds these interfaces eth012 and three

um and the Silver Peak has its own interfaces for management way and land Etc we need to tie the interface Mac

address for each zero to my management zero interface so in that scenario um we'll do the rest of the interfaces I'll show you that in the GUI later but

at least to get connectivity we have to do this so uh very cisco-ish to a point um config T and here we will do

interface management zero Mac address and I know for a fact that it's the first one here you could do a show

interfacing zero to see it but uh it's of course telling me to reboot in this case I'm also going to do a null interface management

0 DHCP and I'm going to do an interface management zero IP address

192.168 71 and 53 by 24.

whoops then reload okay so now that this is booted back up we should be able to jump over to my machine here and

hit the web interface and log in so first um in this scenario there is a

startup initial config wizard that I just typically use to get those interfaces assigned um it also lets us do the licensing

so in here we need to understand which interfaces are which and again if I come back over to here login

control interface eth1 which is going to be my Wan zero circuit that is o one

so over here weighing zero is a one gonna guess when one is O2 and my lamb

zero is O3 but we'll verify that quick O2 and all three yep give it a name and here I will have to put in my

account name and key that I get from Silver Peak and I have that on my desktop here um I'm going to go ahead and blur it out

for the sake of the video um because it is my license and key not that you could do anything with it even if you did have it uh Silver Peak will

only allow one orchestrator to use that at a time so even if I was to set up another one I would have to actually call them and have them release that

back to me so um all paste in the key and the account and then I will save that

and there used to be a bug don't know if it's still there I'm going to go ahead and say no reboot later and then once that's done and this web

page loads there will be two buttons up here in the top right hand corner and I am going to first save changes and then reboot

the bug was simply that the uh interface assignments that you changed would not save so it booted back up we see we have our uh name here

the next thing I need to do now is assign the interfaces so I'm going to go to deployment

and again this would not be necessary right had my management zero network uh already had connectivity to the internet

um because it doesn't uh in this scenario I've got to get my outside internet interfaces connected to the internet so that uh it can reach the

cloud portal and register so here I'm going to switch to router mode and I'm going to add one lambside interface in one way inside or two way

inside interfaces so when zero win one and land zero um in this scenario I don't really need to worry about the land side but I'm going to do it while

I'm here um so for IP addresses we know we have a

192.168.72 DOT uh 34 and 73.34 and their wac 30s so

192 168 72.34 Weck 30.

this will be 73.34 whack 30.

um a few points here uh this firewall mode allow all is of course you know kind of what you use on maybe an mpls circuit if

you didn't want uh anything inbound stateful would be of course stateful firewall stateful plus snap is what we would use if we wanted to Nat internet

traffic out as well for internet connectivity and Harden locks down the interface so that really the only thing

it will do is respond to ipset tunnels to build the sd-wan tunnels so in my case I choose stateful plus snap because I want this Silver Peak to drop my

client internet traffic out to the internet as well um here again I own uh I only have a 20 meg license uh so I'm gonna say that

this is a 10 Meg circuit and this is a seven Meg circuit that only makes 17 uh mag obviously but in this scenario

um I'm using the other three mag um you know in my mpls on the east and west

site so I'm just keeping this uniform this would be what literally whatever you have for bandwidth um you know from the internet service provider so

hit calc it'll automatically calc it I'll hit apply whoops it's going to yell at me because I forgot to do this that is going to be

[Music] 192.168.104.1 I've been incrementing by 10.

I believe what were those those are whack 24s as well okay and then this will be 192.168.04.2 [Music]

oops just applying reboot anytime you change land side way inside or add excuse me lay inside are we inside interfaces it will ask you to reboot

okay now that this is back up assuming I put in the license and account key properly we're going to jump back over to Aruba orchestrator and as you can see right away this appliances discovered up here

was blinking away um I'm gonna add a group over here for South and these groups

don't have like templates assigned to them or anything it's more uh formatting thing right from a look and feel over here in the list of all of my different sites

um when I go over to appliances discovered I see here that my Silver Peak South Appliance is here

um what I public IP had showed up from why it shows Phoenix Arizona I have not put in any address yet um I'll do that in the next step it's

currently unassigned this is when it was discovered right now it's unreachable this will come back here shortly and then this approve button will be green

foreign I'll go over and show you one other thing here um kind of along the way of troubleshooting that scenario right now over on the

Silver Peak if I go to Administration and Silver Peak Cloud portal and orchestrator I can see the cloud portal is reachable

orchestrator is not right now um to get more details about that I can click here and I can see yet again um what's all connected obviously

orchestrator is not yet jump back over here in addition we notice the alarms over here too I just clicked on the alarm category here

and we can see we've got a couple alarms about the license not being assigned or granted we've got an alarm stating that it's registered but not approved

which is obviously our next step and then we've also got a next top down alarm so one of these interfaces looks like one of my weigh-in interfaces is

not able to Ping or monitor its Gateway and at that point when this happens if I was in production it will shut down

traffic to that tunnel just to make sure that sending package to nowhere now we can see here the approve button

for green has lit up it shows we're reachable when I hit approve the first option I will get

is an option to upgrade the appliance um you know in in Silver Peak it's always good to have all of the appliances at the same firmware version

so in this case I am running the latest and greatest here the 922 94 322 which is current at this point

but it's cool that it does give us the option to do the upgrade before we pull it in um not that I would have to I could do it afterwards too um but I'll go ahead and do that now I

just hit upgrade and reboot and it will do the upgrade in progress and then reboot it um this will actually push the configuration down to the Appliance

um and one important thing to note here is all of this is being done without the device actually being able to talk directly to orchestrators so all of the

work that I'm doing right here is being proxied through the cloud portal um so far as to even give me complete access to the device which we'll see in

a minute once I get it brought in after the upgrade here okay we can now see that our Silver Peak

rebooted came up and we are on version 9220 at this point we're going to go ahead and bring this in uh keep in mind that

that's not going to just up and make it start working uh unless we choose to do so so here when I hit approve

I get the same pop-up at this point I'm going to skip that and it's going to come up to a wizard that will let me go through all the settings

shows me my name what group I'm going to put it in in this case I'm going to move it to South I have to set up password Here

this will change whoops this will change the default password uh from admin clearly I can't type there we go

and we'll just call it Dallas I did not create a region for this we'll talk about regions in a little bit I'll go create that once we're done here

uh and then in here the site name um this really comes into play when we have multiple appliances for ha at a

site we'll talk about that in a little later in this case I'm just going to give that South you notice it's not required it does say over here used to

identify appliances at the same location this basically is so that you know we've got two appliances at the same location they don't try to build tunnels to themselves the next page we kind of already did all

of this work but it would give us the opportunity to you know again if you were to have just plugged this into the network on management zero it came out it found the dashboard or it found the

portal um this would be blank so it gives us the opportunity to configure all of our Wayne and landsite interfaces I don't need to do anything here because I

already did that local Direct on the appliance alternatively I could have set the licensing down here uh as well right now

and I didn't we'll go back in and do that once we're done here on the next page here we can add loopback interfaces um I have no need for those in my

deployment right now so I'm just going to say next here um we can add local routes so this is you know we can we can advertise networks into the sd-wan in a number of

different ways uh whether it's coming from a routing protocol from our core uh we can also you know in small networks it's not uncommon for us just to add

networks here uh that this guy is going to advertise um in my case I have no need to do that we are going to peer this uh via bgp to

our core switch and it will advertise the routes up to us we will in turn send them out to the sd-wan um

and the other check boxes we have here um automatically advertise local land subnets if I check that that would automatically advertise my land side

um automatically advertise local weigh-in subnets same thing it would advertise the WAN networks uh as well and here is where we would

apply our overlays we'll go over those in detail a little later as well as any templates we have I'm going to check this routing one we'll talk about the

templates in a little bit we'll apply this says it's successful and now what we'll notice is under South here our Silver Peak is here

so first we thing we can do if we right click and go to the Appliance it will actually pull us up as though we

were locally administering that Appliance uh the other thing we can do is pretty much anything that can be done on the appliance directly can be done through

orchestrators so here this search menu is great um if I type deploy I get the deployment tab

this guy is obviously still syncing from the changes we made so right now this is just loading we'll give this just a minute to settle down so at this point

what we'll notice after things settle down is that the Silver Peak came up uh you'll notice it's a gray color right and if we hover over it we can see that yep it's connected to the portal

websocket but it is not connected to orchestrator yet um at this point again I can right click Appliance manager and I can get to this

Appliance and I can manage it locally but at the same time anything we can do locally for the most part we can also do from

the orchestrator itself so you know we we left off we needed to license it yet and a few other things here um

so at that point I can find the licensing I can edit this guy and I can say I want to give it a 20 meg

license I can apply hit okay additionally over here if I were to go to configuration deployment

once this page opens up I have an opportunity to apply the license here as well now either way works and it's going to take the license regardless so

um you know again with with many products uh a number of different ways to do the same thing now we can see here that the license was

granted it's got a 20 meg license if we go over to the Appliance itself you can see that license is down here um so I could have easily just come in

here switch this to 20 and hit apply and it would have done the same thing but now we've got our license uh there um one thing you'll notice is here we've

got a whole bunch of alarms right the licenses uh alarms we know are you know gonna clear here shortly we also get

complaints about labels um and then we also still notice that the appliance is not connected to orchestrator

um now I've purposefully set up the lab so that that's the case um orchestrator itself does not have any way to talk directly with this Appliance

right now uh we'll go look at that here and I'll explain why I've done that uh right now um you know again I wanted to highlight the

cloud portal being a proxy into the appliance um to be able to let us manage it even when it doesn't have connectivity to orchestrator so this is highlighting

that you'll notice the difference it's a little grayed out down here under connectivity it shows us that hey it's not connected to the orchestrator um

in that scenario we would be able to fix that if I get logged in here

what's going on there is this whole network up here is this 192.16870 network and the traffic from these appliances while it can come

directly up and hit orchestrator orchestrator's default gateway much like this router is the firewall at 70. uh

one and actually 70.2 so the traffic comes up hits here hits the firewall I've got asymmetric routing in place and again I

did that on purpose just so that uh these guys wouldn't connect um in my scenario you obviously wouldn't need to do this in the real world I have to go in and put the routes into

orchestrator to allow it to send traffic to these 19216872 networks that we added on our ISP side so that that traffic is uh

symmetrical and non-i-symmetric I'll go do that in the background and then we should see that clear okay so as you can tell here I went

ahead and put those routes in on orchestrator this guy has gone um black now so we can see he's connected both to the uh orchestrator and the

cloud uh the only thing we're seeing now of course are these label alarms which we'll get to in a minute and then uh evidently an ntp server alarm that I'll

have to look into as well um before we go any further uh the next thing I need to do is set up that Landslide routing we were talking about

so um in here I will go to routes and we will go to bgp

I'll edit this turn on bgp try to remember what I was going to use for an AS it's going to be six five whoops six

five zero one zero I normally just run you know it says typical bgp I'm going to use the 192.168.

um 105.1 that's just my landside uh IP here as the excuse me 104.1 as the router ID

bgp peer I'm going to hit add pure IP 192.168.104.2 off my landside interface 650 11.

and then this will be Branch PE router would be used obviously if I was connected to a mpls in this case it's branch

um admin status up um here there's some default route Maps we'll talk about route Maps later but I'm going to use the inbound BR for branch outbound VR for branch

and that should be it and I'll save that and now with any luck assuming I did everything right if we go back over to routes here we should see

we're learning this address via bgp ebgp from the router the core router core switch at the site so our routing is up

and the next thing we need to do is get our labels turned on so a very big portion of Silver Peak here

um labels make tunnels so to this point we have done all of this work yes this Silver Peak is in it's in production as you can tell it's complaining about

labels here but it has not um started building any tunnels nor advertising any routes simply because we don't have any labels

now I could have assigned these labels when I went through the deployment and this thing would have come online hot I typically don't do that I like to wait until I know that all my you know

internal routing and everything else is up but in here I've got inet 1 and inet2 these are configurable these are just the ones that come out of box

and quite honestly make most sense in most cases so I will apply those and I will save that and what we'll start to see now if I

look for tunnels and once this loads it's busy in the background here building these figuring out who it needs to connect to and I just realized the one thing we did

forget was the region I said I'd come back to that later so [Music] we only have those regions we're going

to add a South apply that notice these guys got wind that this exists so they just pulled up a bunch of tunnel down alarms um because they're in the process of

building tunnels with this guy and I'm sure if we go here we can see yep our Silver Peak self tunnels were down and here we can see

tunnels coming up to Central East West isn't quite there yet another point of note whenever you make changes in orchestrator that require it

to push different pieces of configurations to the other appliances there's this little blinking button up here and it'll kind of show you what it's working on you know what

configurations being pushed where and how much time is roughly remaining um just to kind of give you an idea of what's going on in the background and when you should really start looking for

issues or problems so all of our tunnels came up here everything looks good um we noticed three types of tunnels here we've got the underlay

underlay obviously refers to the routing in between the sights uh outside of the tunnel so to speak so on an mpls your

raw mpls would be underlay we've got pass-through this is traffic that passes through you know pretty much to the internet is really what it comes down to

um from that perspective and then we've got the overlay which of course are the tunnels themselves that the traffic would typically go down the other thing we'll notice here now

that we brought this up if we go back over to routes what we're going to see in the routes is that we're now learning

routes from the other sites so we've got the 75 Network 85 Network and the 95 network from West East and Central in

addition to that if we go just look at West we should also see a route from our

um South the 105 showing up there so we know that route advertisements as far as the sd-wan are uh making their

way across and at this point the sd-wan should be functioning so if I was to jump into here pull up this Linux box

log into it and try to Ping 192.168 75.2 which is the Linux box over

at the West site notice I get ping replies here so that traffic is coming into the Silver Peak getting sent out in the sd-win tunnel

across the internet coming in the Silver Peak at the West site and hitting uh this box to prove that point and one of the

really awesome pieces here is the flows active and recent flows and if I look at South here I can see the current flows and sure enough here it is at the end of

the flow here I can see the inbound tunnel is to Silver Peak West and the outbound tunnel is to Silver Peak West and we've got bi-directional traffic

showing here our source and destination IPS what the traffic is and what overlay it hit again we'll get into overlays later uh I'm gonna stop this video at this

point uh in the next video we will move on to talk about a number of other uh options to Aid Us in the uh deployment

process uh things like the zero touch provisioning and templates that sort of stuff and we'll start to work our way

into additional configurations of the sd-wan