--- title: Velocloud description: Connect Velocloud to Cloudflare WAN. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-wan/configuration/third-party/velocloud.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Velocloud This document is intended to provide Arista VeloCloud customers with the steps to provision non SD-WAN destinations through Edge for connectivity with Cloudflare WAN (formerly Magic WAN). ## VeloCloud Edge Nodes profile configuration 1. Log into VeloCloud Orchestrator and go to **Configure** \> **Profiles**. 2. Select **New profile** to create a new profile (for example, `vc-edge-03-profile`). 3. Select the **Device** tab and expand the **Interfaces** section. 4. Select the **Edge Model** corresponding to the device (Virtual Edge). The default interface scheme for the Virtual Edge will be displayed. For example: eight interfaces, from GE1 to GE8. 5. You are only using interfaces **GE3** and **GE4.** Disable all unused interfaces to ensure anyone with physical access to the edge node cannot connect any unused interfaces. Do this by selecting each interface one at a time and unchecking **Interface Enabled** followed by **Save**. ### Configure interfaces This documentation assumes: * **GE3**: WAN Interface (Static IP) * **GE4**: LAN Interface (Static IP) ### Interface GE3 - WAN interface Configure interface GE3 with the following settings: * **Interface enabled**: Enabled * **Capability**: Routed * **Segments**: All Segments * **Radius Authentication**: Not applicable * **ICMP Echo Response**: Enabled * **Underlay Accounting**: Enabled * **Enable WAN Link**: Enabled * **Edge to Edge Encryption**: Enabled * **DNS Proxy**: Disabled * **VLAN**: Unspecified (this example assumes the device is connected to an access-layer switch port) * **EVDSL Modem Attached**: Disabled #### IPv4 settings * **Addressing Type**: Static * **WAN Link**: User Defined * **OSPF**: Not applicable * **Multicast**: Not applicable * **Advertise**: Disabled * **NAT Direct Traffic**: Enabled * **Trusted Source**: Disabled * **Reverse Path Forwarding**: (unspecified) #### IPv6 settings IPv6 is currently not supported with Cloudflare WAN. Uncheck the **Enabled** checkbox. **Router Advertisement Host Settings** * Disabled **L2 Settings** * **Autonegotiate**: Enabled * **MTU**: 1500 Select **Save** to apply changes for Interface **GE3**. ### Interface GE4 - LAN Interface * **Interface Enabled**: Enabled * **Capability**: Routed * **Segments**: Global Segment * **Radius Authentication**: Disabled (Not applicable) * **ICMP Echo Response**: Enabled * **Underlay Accounting**: Enabled * **WAN Link**: Disabled * **Edge To Edge Encryption**: Enabled * **DNS Proxy**: Disabled * **VLAN**: Unspecified (this example assumes the device is connected to an access-layer switch port) * **EVDSL Modem Attached**: Disabled #### IPv4 Settings * **Addressing Type**: DHCP or Static (example assumes Static IP) * **WAN Link**: User Defined * **OSPF**: Not applicable * **Multicast**: Not applicable * **Advertise**: Disabled * **NAT Direct Traffic**: Enabled * **Trusted Source**: Disabled * **Reverse Path Forwarding**: Unspecified #### IPv6 Settings IPv6 is currently not supported with Cloudflare WAN. Uncheck the **Enabled** checkbox. **Router Advertisement Host Settings** * Disabled **L2 Settings** * **Autonegotiate**: Enabled * **MTU**: 1500 Select **Save** to apply changes for Interface **GE4**. The Interfaces section should indicate the **GE3** (WAN) and **GE4** (LAN) interfaces are configured and all other interfaces are administratively disabled. ### VPN Services * Enable **Cloud VPN**. Select **Save** to apply changes for the Profile. ## Network Services 1. Go to **Configure** \> **Network Services**. 2. Expand **Non SD-WAN Destinations through Edge** and select **New**. ### General * **Service** **Name**: Name of destination here. For example, `Magic_WAN_vc-edge-03`. * **Tunneling Protocol**: **IPsec** * **Service Type**: _Generic IKEv2 Router (Route Based VPN)_ * **Tunnel Mode**: _Active/Hot-Standby_ or _Active/Standby_ ### IKE/IPsec settings 1. In the **IKE/IPsec Settings** tab, select: 1. **IP Version**: _IPv4_ 2. **Primary VPN Gateway** 1. **Public IP**: Specify one of the two Cloudflare anycast IP addresses assigned to your account, available in [Leased IPs ↗](https://dash.cloudflare.com/?to=/:account/ip-addresses/address-space). 2. In **IKE Proposal**, expand **View advanced settings for IKE Proposal**: 1. **Encryption**: _AES 256 CBC_ 2. **DH Group**: _14_ 3. **Hash**: _SHA-256_ 4. **IKE SA Lifetime (min)**: _1440_ 5. **DPD Timeout(sec)**: **20** 3. Expand **View advanced settings for IPsec Proposal**: 1. **Encryption**: _AES 256 CBC_ 2. **PFS**: _14_ 3. **Hash**: _SHA 256_ 4. **IPsec SA Lifetime (min)**: **480** 4. Scroll up **Secondary VPN Gateway**, and select **Add**. 1. **Public IP**: Specify the second of the two Cloudflare anycast IP addresses 2. **Keep Tunnel Active**: Enabled (this is read-only and cannot be modified) 3. Tunnel settings are the same as the primary — therefore they are greyed out in this section. ## Provision Edge Devices 1. Go to **Configure** \> **Edges**, and select **Add Edge**. 2. Select the following settings: 1. **Mode**: SD-WAN Edge 2. **Name**: The name for your edge. For example, ` vc-edge-03` 3. **Model**: _Virtual Edge_ (select the model of your Arista VeloCloud Edge appliance) 4. **Profile**: Select the Profile created in the Provision configuration section. For example, `vc-edge-03-profile` 5. **Edge License**: Select the appropriate license 6. **Authentication**: _Certificate Acquire_ 7. **Encrypt Device Secrets**: Unchecked (do not select) 8. **High Availability**: Unchecked (configure accordingly based on your environment) 9. **Contact Info**: Provide a local contact name and local contact email 3. Select **Next** to advance to the next section. ### Additional settings 1. Configure the following settings based on your environment — left blank in the following example. ![This example was left blank. You should configure this based on your environment.](https://developers.cloudflare.com/_astro/image1.ZgVGq2jm_BVSWv.webp) 1. Select **Add Edge** to save changes. ### Edge — Device Settings Once the Edge device is added, you should land on the **Device** tab. #### Connectivity — Interfaces 1. Expand the **Interfaces** section. 2. Note the interface configuration is inherited from the Profile configured in the previous section. Interfaces **GE3** and **GE4** will display a `WARNING` indicator as these interfaces require additional configuration. 3. Select **GE3** to open the properties for the WAN interface. 4. Many of the properties in this section were inherited from the Profile — as such, they are greyed out. You can select **Override** to modify the configuration specifically for this interface. 5. Scroll down to **IPv4 Settings**, and configure the following options: 1. **Addressing Type**: _Static_ (this is inherited from the Profile) 2. **IP Address**: Specify the WAN interface IP address 3. **CIDR Prefix**: Add your subnet mask in Classless Inter-Domain Routing (CIDR) notation 4. **Gateway**: Default Gateway (`0.0.0.0/0`) 5. All other settings are inherited from the Profile. 6. Scroll down and select **Save**. 7. Select **GE4** to open the properties for the LAN interface. 8. Scroll down to **IPv4 Settings**, and configure the following options: 1. **Addressing Type**: Static (inherited from the Profile) 2. **IP Address**: Specify the WAN interface IP address 3. **CIDR Prefix**: (subnet mask in CIDR notation) 4. **Gateway**: Default Gateway (0.0.0.0/0) 5. All other settings are inherited from the Profile. 9. Scroll down and select **Save**. #### User Defined WAN Link Note the indicator next to **GE3**. The steps in the Profile section disabled **Auto WAN Link Detection**. As a result, the WAN Link must be specified. ![Note the indicator next to GE3.](https://developers.cloudflare.com/_astro/image2.CXnQ2TCU_Z1m3RjI.webp) 1. Scroll down to **WAN Link Configuration** \> **Add User Defined WAN Link**, and configure the following options: 1. **Link Type**: _Public_ (the WAN interface is connected directly to the Internet in this example — you may need to select _Private_ depending on your environment) 2. **Interfaces**: Check the box for **GE3** (WAN Interface) 2. This example assumes default settings under **View optional** **configuration** and **View advanced settings**. 3. Select **Add Link** to save the changes. 4. Confirm the **User Defined WAN Link** is displayed and an indicator no longer appears next to interface **GE3**. #### VPN Services 1. Scroll down to **VPN Services**. 2. Expand **Non SD-WAN Destination through Edge** and select the **Override** checkbox. 3. Select **Add**. 4. Select the drop-down under the **Name** column. 5. Select the **Network Service** defined earlier. For example, `Magic_WAN_vc-edge-03`. 6. In the **Action** column, select the **+** button, and configure the following options: 1. **Public WAN Link**: Choose the Public WAN Link (refer to User-Defined WAN Link) 2. **Local Identification Type**: _FQDN_ 3. **Local Identification**: Enter the FQDN specified when configuring Cloudflare WAN IPsec tunnels through the Custom FQDN IKE ID API endpoint. 4. **PSK**: Enter the Pre-Shared Key. Ensure you use the same PSK for both Cloudflare WAN IPsec tunnels. 5. **Destination Primary Public IP**: Pre-populated from the Network Service defined earlier. 6. **Destination Secondary Public IP**: Pre-populated from the Network Service defined earlier. 7. Select **Save** to finish defining the IPsec tunnel settings. 8. Scroll down to the bottom of the Edge configuration page, and select **Save Changes** to finalize the Edge device configuration. ## VeloCloud to Cloudflare WAN routing Configure the **Site Subnets** to facilitate: * Routing traffic from one Cloudflare WAN site to other Cloudflare WAN sites. * Ensure Cloudflare WAN IPsec tunnel health checks perform optimally. 1. Go to **Configure** \> **Network Services**. 2. Expand the **Non SD-WAN Destinations through Edge** section. 3. Select the desired non SD-WAN destination, like `Magic_WAN_vc-edge-03`. ### Site Subnets Configure a minimum of three IPsec tunnels. This example demonstrates two routes for tunnel health checks and two routes for traffic destined for remote sites: * Cloudflare WAN IPsec tunnel health checks * Primary VPN Gateway: * To the respective Cloudflare WAN IPv4 interface address associated with the primary Cloudflare anycast tunnel endpoint IP address * Routed through the Primary VPN Gateway. * Secondary VPN Gateway: * To the respective Cloudflare WAN IPv4 interface address associated with the secondary Cloudflare anycast tunnel endpoint IP address * Routed through the Secondary VPN Gateway. * Remote Cloudflare WAN site(s): CIDR blocks to route through Cloudflare WAN * The LAN interface for vc-edge-03 is: * 172.16.34.254/24 (subnet address: 172.16.34.0/24). * This does not need to be specified under Site Subnets as it is local. * Assume two remote sites, each of which need to be defined as Site Subnets and routed through both the Primary VPN Gateway and Secondary VPN Gateway. * 172.16.32.0/24 * 172.16.33.0/24 1. Select the **Site Subnets** \> **Add**. Then, select the following configurations for routes: 1. Tunnel Health Check - Primary: 1. 10.252.11.4/32 - Primary VPN Gateway 2. Tunnel Health Check - Secondary: 1. 10.252.11.6/32 - Secondary VPN Gateway 3. Site vc-edge-01: 1. 172.16.32.0/24 - Primary and Secondary VPN Gateways 4. Site vc-edge-02: 1. 172.16.33.0/24 - Primary and Secondary VPN Gateways 2. The **Site Subnets** tab should look like the following when configured as indicated: ![An example of how the Site Subnets tab should look like when configured as indicated.](https://developers.cloudflare.com/_astro/image3.CgIDPbhJ_ZsGr1s.webp) 1. Select **Save** to commit changes to the Site Subnets. ## Cloudflare WAN and Cloudflare Gateway Cloudflare WAN and Secure Web Gateway (Cloudflare Gateway) are tightly integrated. Arista VeloCloud customers can easily route traffic through Cloudflare WAN to Cloudflare Gateway. All Internet egress traffic is subject to Cloudflare Gateway policies. Arista VeloCloud's Business Policies allow for intelligent routing of traffic destined for the Internet with only a few selections. ### Configure Business Policy 1. Go to **Configure** \> **Edges**, and select the appropriate Edge appliance. 2. Select the **Business Policy** tab. 3. Select **Add** to create a Business Policy Rule: 1. **Rule Name**: Provide a meaningful name to describe Internet traffic routed through the Cloudflare global anycast network. 2. **IP Version**: _IPv4_ 3. **Match** 1. **Source**: Select _Any_, _Object Groups_, or _Define_ to classify the relevant traffic flows. 2. **Destination**: Select _Define_ \> _Internet_ 3. **Application**: _Any_ 4. **Action** 1. **Priority**: Normal 2. **Enable Rate Limit**: Unchecked 3. **Network Service**: _Internet Backhaul_ \> _Non SD-WAN Destination through Edge / Cloud Security Service_. 4. **Non SD-WAN Destination through Edge / Cloud Security Service**: Select the Network Service associated with the respective Edge device. For example, `Magic_WAN_vc-edge-03`. 4. Select **Create** to save the rule. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-wan/","name":"Cloudflare WAN"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-wan/configuration/","name":"Configuration"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-wan/configuration/third-party/","name":"Third-party integration"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-wan/configuration/third-party/velocloud/","name":"Velocloud"}}]} ```