Arista VeloCloud SD-WAN Solution Guide
Learn to integrate Arista SD-WAN (formerly VMware SD-WAN) by VeloCloud with Prisma Access.
The following sections describe how you use the Arista (formerly VMware)
VeloCloud SD-WAN with Prisma Access:
Supported IKE and IPSec Cryptographic Profiles
The following table documents the IKE/IPSec crypto settings that are supported by
Prisma Access and by VeloCloud devices. Use the recommended settings when you onboard a
remote network and define the IKE and IPSec cryptographic settings for the connection
between Prisma Access and the VeloCloud device.
A check mark indicates that the profile or architecture type is supported; a dash (—)
indicates that it is not supported. Default and Recommended settings are noted in
the table.
| Category | Crypto Profile | Prisma Access | VeloCloud |
|---|---|---|---|
| Tunnel Type | IPSec Tunnel | √ | √ |
| Tunnel Type | GRE Tunnel | — | — |
| Routing | Static Routes | √ | √ |
| Routing | Dynamic Routing (BGP) | √ | — |
| Routing | Dynamic Routing (OSPF) | — | — |
| IKE Versions | IKE v1 | √ | √ |
| IKE Versions | IKE v2 | √ | √ |
| IPSec Phase 1 DH-Group | Group 1 | √ | √ |
| IPSec Phase 1 DH-Group | Group 2 | √ (Default) | √ |
| IPSec Phase 1 DH-Group | Group 5 | √ | √ |
| IPSec Phase 1 DH-Group | Group 14 | √ | √ |
| IPSec Phase 1 DH-Group | Group 19 | √ | — |
| IPSec Phase 1 DH-Group | Group 20 | √ (Recommended) | — |
| IPSec Phase 1 Auth (see note) | MD5 | √ | √ |
| IPSec Phase 1 Auth (see note) | SHA1 | √ (Default) | √ |
| IPSec Phase 1 Auth (see note) | SHA256 | √ | √ |
| IPSec Phase 1 Auth (see note) | SHA384 | √ | — |
| IPSec Phase 1 Auth (see note) | SHA512 | √ (Recommended) | — |
| IPSec Phase 1 Encryption | DES | √ | — |
| IPSec Phase 1 Encryption | 3DES | √ (Default) | — |
| IPSec Phase 1 Encryption | AES-128-CBC | √ (Default) | √ |
| IPSec Phase 1 Encryption | AES-192-CBC | √ | — |
| IPSec Phase 1 Encryption | AES-256-CBC | √ (Recommended) | √ |
| IPSec Phase 1 Key Lifetime | Default | √ (8 Hours) | √ (24 Hours) |
| IPSec Phase 1 Peer Authentication | Pre-Shared Key | √ | √ |
| IPSec Phase 1 Peer Authentication | Certificate | √ | — |
| IKE Peer Identification | FQDN | √ | √ |
| IKE Peer Identification | IP Address | √ | — |
| IKE Peer Identification | User FQDN | √ | — |
| IKE Peer | As Static Peer | √ | √ |
| IKE Peer | As Dynamic Peer | √ | — |
| Options | NAT Traversal | √ | √ |
| Options | Passive Mode | √ | √ |
| Ability to Negotiate Tunnel | Per Subnet Pair | √ | — |
| Ability to Negotiate Tunnel | Per Pair of Hosts | √ | — |
| Ability to Negotiate Tunnel | Per Gateway Pair | √ | — |
| IPSec Phase 2 DH-Group | Group 1 | √ | — |
| IPSec Phase 2 DH-Group | Group 2 | √ (Default) | √ |
| IPSec Phase 2 DH-Group | Group 5 | √ | √ |
| IPSec Phase 2 DH-Group | Group 14 | √ | √ |
| IPSec Phase 2 DH-Group | Group 19 | √ | — |
| IPSec Phase 2 DH-Group | Group 20 | √ (Recommended) | — |
| IPSec Phase 2 DH-Group | No PFS | √ | — |
| IPSec Phase 2 Auth | MD5 | √ | √ |
| IPSec Phase 2 Auth | SHA1 | √ (Default) | √ |
| IPSec Phase 2 Auth | SHA256 | √ | √ |
| IPSec Phase 2 Auth | SHA384 | √ | — |
| IPSec Phase 2 Auth | SHA512 | √ (Recommended) | — |
| IPSec Phase 2 Auth | None | √ | — |
| IPSec Phase 2 Encryption | DES | √ | — |
| IPSec Phase 2 Encryption | 3DES | √ (Default) | — |
| IPSec Phase 2 Encryption | AES-128-CBC | √ (Default) | √ |
| IPSec Phase 2 Encryption | AES-192-CBC | √ | — |
| IPSec Phase 2 Encryption | AES-256-CBC | √ | √ |
| IPSec Phase 2 Encryption | AES-128-CCM | √ | — |
| IPSec Phase 2 Encryption | AES-128-GCM | √ | — |
| IPSec Phase 2 Encryption | AES-256-GCM | √ (Recommended) | — |
| IPSec Phase 2 Encryption | NULL | √ | — |
| IPSec Protocol | ESP | √ | √ |
| IPSec Protocol | AH | √ | — |
| IPSec Phase 2 Key Lifetime | Default | √ (1 Hour) | √ (8 Hours) |
| Tunnel Monitoring Fallback | Dead Peer Detection (DPD) | √ | √ |
| Tunnel Monitoring Fallback | ICMP | — | — |
| Tunnel Monitoring Fallback | Bidirectional Forwarding Detection (BFD) | — | — |
| SD-WAN Architecture Type | With Regional Hub/Gateway/Data Center | N/A | √ |
| SD-WAN Architecture Type | No Regional Hub/Gateway/Data Center | N/A | √ |

Note on IPSec Phase 1 Auth: If you use IKEv2 with certificate-based authentication, only SHA1 is supported in IKE crypto profiles (Phase 1).
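The matrix above is easiest to apply as a pre-onboarding check: before you enter the IKE and IPSec crypto settings on both sides, confirm that every option you picked is supported by both Prisma Access and the VeloCloud edge, and that nothing is left at a default one side rejects (for example, the Prisma Access 3DES default is not supported by VeloCloud). The script below is an added example written for this page; it is not Palo Alto Networks or Arista code. The support values are taken from the table; the strength ranking in `PREFERENCE` and the set of options flagged as legacy in `LEGACY` are this example's own assumptions, not statements from the guide.

```python
"""Interop check for an IKE/IPSec crypto profile between Prisma Access and a
VeloCloud edge, driven by the support matrix in the solution guide.

Added example, not vendor code. SUPPORT mirrors the table; PREFERENCE and
LEGACY are this example's own assumptions.
"""

# Support matrix from the table: category -> {option: (prisma_access, velocloud)}
SUPPORT = {
    "ike_version": {"ikev1": (True, True), "ikev2": (True, True)},
    "p1_dh_group": {"group1": (True, True), "group2": (True, True), "group5": (True, True),
                    "group14": (True, True), "group19": (True, False), "group20": (True, False)},
    "p1_auth": {"md5": (True, True), "sha1": (True, True), "sha256": (True, True),
                "sha384": (True, False), "sha512": (True, False)},
    "p1_encryption": {"des": (True, False), "3des": (True, False), "aes-128-cbc": (True, True),
                      "aes-192-cbc": (True, False), "aes-256-cbc": (True, True)},
    "peer_auth": {"pre-shared-key": (True, True), "certificate": (True, False)},
    "p2_dh_group": {"group1": (True, False), "group2": (True, True), "group5": (True, True),
                    "group14": (True, True), "group19": (True, False), "group20": (True, False),
                    "no-pfs": (True, False)},
    "p2_auth": {"md5": (True, True), "sha1": (True, True), "sha256": (True, True),
                "sha384": (True, False), "sha512": (True, False), "none": (True, False)},
    "p2_encryption": {"des": (True, False), "3des": (True, False), "aes-128-cbc": (True, True),
                      "aes-192-cbc": (True, False), "aes-256-cbc": (True, True),
                      "aes-128-ccm": (True, False), "aes-128-gcm": (True, False),
                      "aes-256-gcm": (True, False), "null": (True, False)},
    "ipsec_protocol": {"esp": (True, True), "ah": (True, False)},
}

# Strength ordering, strongest first. This is the example's own assumption.
PREFERENCE = {
    "p1_dh_group": ["group20", "group19", "group14", "group5", "group2", "group1"],
    "p2_dh_group": ["group20", "group19", "group14", "group5", "group2", "group1", "no-pfs"],
    "p1_auth": ["sha512", "sha384", "sha256", "sha1", "md5"],
    "p2_auth": ["sha512", "sha384", "sha256", "sha1", "md5", "none"],
    "p1_encryption": ["aes-256-cbc", "aes-192-cbc", "aes-128-cbc", "3des", "des"],
    "p2_encryption": ["aes-256-gcm", "aes-128-gcm", "aes-128-ccm", "aes-256-cbc",
                      "aes-192-cbc", "aes-128-cbc", "3des", "des", "null"],
}

# Options this example flags as legacy even when both sides accept them (assumption).
LEGACY = {"md5", "sha1", "des", "3des", "group1", "group2", "group5", "none", "null", "no-pfs"}


def mutually_supported(category):
    """Options that both Prisma Access and VeloCloud support, per the matrix."""
    return {opt for opt, (pa, vc) in SUPPORT[category].items() if pa and vc}


def strongest_common(category):
    """Strongest mutually supported option under PREFERENCE, or None if none overlap."""
    common = mutually_supported(category)
    for opt in PREFERENCE[category]:
        if opt in common:
            return opt
    return None


def validate_profile(profile):
    """Return findings for a proposed profile dict (category -> chosen option).

    An empty list means every choice is supported on both sides and none is
    flagged as legacy by this example.
    """
    findings = []
    for category, choice in profile.items():
        if choice not in SUPPORT[category]:
            findings.append(f"{category}: '{choice}' is not in the matrix")
            continue
        pa, vc = SUPPORT[category][choice]
        if not pa:
            findings.append(f"{category}: '{choice}' is not supported by Prisma Access")
        if not vc:
            findings.append(f"{category}: '{choice}' is not supported by VeloCloud")
        if choice in LEGACY:
            findings.append(f"{category}: '{choice}' is a legacy option; "
                            f"prefer '{strongest_common(category)}'")
    # Caveat from the guide: IKEv2 with certificate-based peer authentication
    # supports only SHA1 in the IKE (Phase 1) crypto profile.
    if (profile.get("ike_version") == "ikev2"
            and profile.get("peer_auth") == "certificate"
            and profile.get("p1_auth") not in (None, "sha1")):
        findings.append("p1_auth: IKEv2 with certificate authentication requires sha1")
    return findings


def recommended_profile():
    """Strongest mutually supported option per category under this example's ranking."""
    prof = {cat: strongest_common(cat) for cat in PREFERENCE}
    prof.update({"ike_version": "ikev2", "peer_auth": "pre-shared-key", "ipsec_protocol": "esp"})
    return prof


if __name__ == "__main__":
    # Constructed sample: Prisma Access defaults from the table, which a
    # VeloCloud edge would not fully accept (3DES is Prisma-only).
    defaults = {"ike_version": "ikev1", "p1_dh_group": "group2", "p1_auth": "sha1",
                "p1_encryption": "3des", "peer_auth": "pre-shared-key",
                "p2_dh_group": "group2", "p2_auth": "sha1", "p2_encryption": "3des",
                "ipsec_protocol": "esp"}
    for finding in validate_profile(defaults):
        print("finding:", finding)
    print("recommended:", recommended_profile())
```

Run it once against the profile you intend to configure; any "not supported by VeloCloud" finding means the tunnel will fail to negotiate regardless of what Prisma Access accepts, while the legacy findings point at the strongest option both sides share. Note that the Phase 2 recommended cipher for Prisma Access (AES-256-GCM) is not in the VeloCloud column, so the strongest mutually supported Phase 2 cipher under this ranking is AES-256-CBC.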
SD-WAN Deployment Architectures Supported by Arista VeloCloud SD-WAN
VeloCloud SD-WAN supports the following deployment architectures for use with
Prisma Access. A check mark (√) indicates that the deployment is supported; a dash (—) indicates that it is not supported.
| Use Case | Supported? |
|---|---|
| Securing traffic from each branch site with 1 WAN link (Type 1) | √ |
| Securing branch and HQ sites with active/backup SD-WAN connections | √ |
| Securing branch and HQ sites with active/active SD-WAN connections | — |
| Securing branch and HQ sites with SD-WAN edge devices with a primary and secondary tunnel | √ |
| Securing SD-WAN deployments with Regional Hub/POP architecture (Type 2) | √ |