Deprecation and Replacement of the “Management IP” on the VMware SD-WAN Edge

Article ID: 312354

Products

VMware SD-WAN by VeloCloud

Issue/Introduction

This article covers VMware SD-WAN's deprecation of the Management IP Address in Release 3.4.0 and higher, and its removal in the upcoming Release 4.3.0.

For customers who continue to rely on the Management IP Address for monitoring and do not have an up and advertised interface from which to source traffic, the article notes the availability of a special Edge image that will loop back traffic.

Management IP Address History

The deprecation of the Management IP Address began with VMware SD-WAN Edge Release 3.4.0 and was covered in the 3.4.0 Release Notes under the "Important Notes" section. To quote from that document:

In Release 2.x, before VMware SD-WAN supported network segmentation, the "Management IP" was introduced as a secondary virtual IP address on a VLAN. This was introduced due to underlying system limitations that prevented initiating traffic from LAN IP addresses or reaching the LAN IP address from across the VPN (e.g. for ping or SNMP).

In Release 3.x, the Management IP was decoupled from the VLANs to support using all routed interfaces. This is now the recommended configuration on all platforms except VMware SD-WAN Edge models 500, 520, and 540, which have an integrated hardware switch.

In Release 4.3.0, the Management IP will be fully removed from the system and replaced with a flexible mechanism for choosing the source interface for locally originated traffic. As an interim step, VMware SD-WAN has worked to eliminate reliance on the Management IP so that it can be safely removed completely.

As a result, Release 3.4.0 Edges will no longer source any traffic from the Management IP by default. Instead, the Edge will choose the first "up and advertised" interface on a segment to initiate traffic. If no such LAN interfaces are found, traffic will egress directly to the Internet using a NAT-enabled WAN link.

Impact for customers who migrated from a 2.x Release to a 3.x Release

For a customer enterprise that migrates from a 2.x Networked profile to a 3.x Segmented profile, the VMware SD-WAN Orchestrator assigns the Management IP Address 192.168.1.1 to all VMware SD-WAN Edges. This replaces the Management IP Address the customer used previously.

For the great majority of customers there will be no issue associated with this behavior change.

However, for customers who are connecting Edge-initiated services (e.g. RADIUS, Conditional DNS forwarding, Private DNS server) to servers across the VPN and relying on the fact that the management IP is assigned from within an advertised corporate VLAN in 2.x, there will be an impact.

The reason is that these applications either use or are bound to the Management IP address, and if all the Edges are using the same 192.168.1.1 IP address there is no way to effectively route/differentiate traffic associated with these applications and the traffic will simply drop.

Environment

VMware SD-WAN by VeloCloud

Resolution

Using a Special Edge Software Image With Global Segment Loopback

The VMware SD-WAN Edge expects an up and advertised interface to be available in each active segment, including the Global Segment, for sourcing traffic. If the Edge does not have one, originating VPN traffic in the Global Segment (e.g. to a private DNS server behind another SD-WAN Edge) will not work.

If for some reason it is not possible to have an up and advertised interface in the Global Segment, a special version of Edge software which re-enables the previous virtual "loopback" Management IP is available. This special Edge software was introduced with the 3.4.x Release and has the standard name of a regular Edge build but with the addition of 'MGMT-IP'. Builds through the 4.2.x train will have a MGMT-IP build created and available for customers that require that functionality.


Note: If this special Edge build is needed for a direct customer, the customer should contact VMware SD-WAN Support to upgrade the enterprise to this special build. If a partner does not have this build available in their list of software images, the partner should contact VMware SD-WAN Support to get the appropriate build added to the partner's portal.

Removal of Management IP Address in Upcoming Release 4.3.0

In upcoming Release 4.3.0, scheduled for Q2 of 2020, the Management IP Address will be completely removed without losing any functionality. Release 4.3.0 adds support for Loopback Interfaces on any segment, which allows advertisement of "always up" virtual IP addresses. When Edges that have a Management IP different from the default (192.168.1.1) are upgraded to Release 4.3.0, a Loopback Interface will be automatically created in the Global Segment using the currently configured Management IP. Services that previously sourced traffic from the Management IP will source it from this Loopback Interface, preserving the behavior.

Release 4.3.0 would also replace the use of the Management IP address as the OSPF/BGP router ID.
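
The following is an added example, not VMware code or an Orchestrator API: a small audit over a hand-built Edge inventory that applies the sourcing rule and the 4.3.0 upgrade behavior described in this article. The data model, field names, Edge names and addresses are all constructed for illustration.

```python
from dataclasses import dataclass, field

DEFAULT_MGMT_IP = "192.168.1.1"  # assigned by the Orchestrator on 2.x -> 3.x migration

@dataclass
class Interface:
    name: str
    ip: str
    segment: str
    up: bool
    advertised: bool

@dataclass
class Edge:
    name: str
    mgmt_ip: str
    interfaces: list
    vpn_services: list = field(default_factory=list)  # Edge-initiated, e.g. RADIUS

def source_for(edge, segment="global"):
    """3.4.0 rule: first up and advertised interface on the segment, else NAT out a WAN link."""
    for itf in edge.interfaces:
        if itf.segment == segment and itf.up and itf.advertised:
            return ("interface", itf.ip)
    return ("wan-nat", None)

def audit(edges):
    """Return {edge name: [findings]} for the conditions this article describes."""
    findings = {}
    for e in edges:
        notes = []
        if source_for(e)[0] == "wan-nat" and e.vpn_services:
            notes.append("no up+advertised global interface; affected: " + ", ".join(e.vpn_services))
        if e.mgmt_ip == DEFAULT_MGMT_IP:
            notes.append("shared default Management IP; automatic loopback is described only for non-default addresses")
        else:
            notes.append("4.3.0 upgrade creates global loopback " + e.mgmt_ip)
        findings[e.name] = notes
    return findings

# Constructed sample inventory (hypothetical Edges and addresses).
EDGES = [
    Edge("branch-a", "10.10.1.1", [Interface("GE3", "10.10.1.254", "global", True, True)], ["RADIUS"]),
    Edge("branch-b", "192.168.1.1", [Interface("GE3", "10.20.1.254", "global", True, False)], ["Private DNS"]),
    Edge("branch-c", "192.168.1.1", [Interface("GE3", "10.30.1.254", "global", False, True)]),
]

if __name__ == "__main__":
    for name, notes in audit(EDGES).items():
        print(name, notes)
```

Edges that report the first finding are the ones that need either an up and advertised interface in the Global Segment or the MGMT-IP build before Edge-initiated services across the VPN will work.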