Loopback Orchestration
Configuration > Networking > Loopback Orchestration
Use the Loopback Orchestration tab to create a pool of loopback addresses from which Orchestrator can automatically create loopback interfaces. You can assign IP addresses from the pool to each appliance in the network.
IMPORTANT: Loopbacks must be configured consistently on all appliances. Loopbacks are used for IP SLA source IP, DNS Proxy source IP, and other management functions, such as TACACS, NetFlow, and SNMP. You must create a loopback label and management zone before you start setting up loopback orchestration. Be sure to configure a unique LAN-side label (such as “Loopback”) for the orchestrated loopback interfaces. If you use the built-in zone-based firewall, you should also configure a dedicated firewall zone such as “Management”.
You can select a segment in the Segment drop-down list to filter loopback interfaces in the table. This list includes all segments configured on the Routing Segmentation (VRF) tab. Select All to display all loopback interfaces.
The following table describes the fields for each loopback interface listed on the Loopback Orchestration tab.
Field | Description |
---|---|
Segment | Segment associated with the loopback interface. Each loopback interface is associated with a specific segment. |
Region | Region associated with the loopback interface. By default, this is set to Global, which includes all regions. You can create multiple loopback interfaces for the same segment, but with different regions. |
Label | Label of the LAN-side interface being used. The default setting is NONE. |
Zone | Firewall zone associated with the loopback interface. By default, this is set to the system-provided Default firewall zone. |
Management IP | Indicates whether management applications running on the appliance should use this loopback interface. NOTE: If you configure multiple loopback interfaces for different regions, you can specify different management interfaces for each region defined. Otherwise, if you configure multiple loopback interfaces for the same region or no regions, only one management interface is allowed. |
Loopback Pool | Subnet IP address and mask used for the loopback pool. To change the loopback pool subnet IP, see Change the Subnet IP for a Loopback Pool below. You can configure one loopback pool per region and per segment. |
Allocated / Total | Number of loopback IP addresses allocated from the pool out of the total number of IP addresses in the pool. |
Deleted | Number of loopback IP addresses deleted from the loopback pool. The Reclaim link is displayed if the number is greater than zero (0). To return deleted loopback IP addresses to their original pools so they can be used again, see Reclaim Deleted Loopback IP Addresses below. NOTE: You must use Appliance Manager to delete an interface from an appliance. |
Additional information:
- When enabling regional loopbacks, Orchestrator assigns each loopback a sequentially incremented loopback number. For example, if you have two regions (EAST and WEST) with IP addresses 10.1.1.0/24 and 10.2.2.0/24 respectively, Orchestrator creates lo20001 for EAST and lo20002 for WEST. Features such as BGP refer to explicit loopback names. You need to adjust them after Orchestrator assigns regional loopbacks to the appliance.
- It is recommended that you select the Management IP check box for the loopback associated with the Default segment. Only one management IP can be selected per appliance. This option causes the EdgeConnect to prefer the management IP as source IP for many management functions. It also causes the Orchestrator tree to display the loopback that has been selected using the Management IP check box.
- If a loopback interface exists for the Global segment, and an appliance is in a region not represented by any other loopback interface, the appliance will have loopback based on the Global loopback pool.
- If a loopback interface does not exist for the Global segment, and an appliance is in a region not represented by any other loopback interface, the appliance will not have loopback because a Global loopback pool does not exist.
- When an appliance is removed from the Orchestrator, the associated loopback address is retired and moved to Deleted status. If the appliance is later re-added to the Orchestrator, the original loopback IP is restored to the appliance.
- If you configure regional loopbacks, and then an appliance is moved from one region to another region, the loopback for the appliance is retired and moved to Deleted status. If the appliance is later moved back into the original region, the original loopback is restored.
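The rules above can be checked against a planned set of loopback rows before they are entered in Orchestrator. The following Python is an added example, not Orchestrator code or an Orchestrator API: the row fields, the appliance names, the Guest segment, the EMEA region, and the 10.9.0.0/24 pool are constructed for illustration, and it reads the fallback rule as "regional pool first, then the Global pool, otherwise no loopback".

```python
from collections import Counter

GLOBAL = "Global"  # the system-provided pseudo-region named on this page

# Constructed plan: one dict per row of the Loopback Orchestration table.
PLAN = [
    dict(segment="Default", region="EAST", label="Loopback", zone="Management",
         mgmt=True, pool="10.1.1.0/24"),
    dict(segment="Default", region="WEST", label="NONE", zone="Default",
         mgmt=True, pool="10.2.2.0/24"),
    dict(segment="Guest", region=GLOBAL, label="Loopback", zone="Management",
         mgmt=False, pool="10.9.0.0/24"),
]
# Constructed appliances and the region each one belongs to.
APPLIANCES = {"ec-nyc": "EAST", "ec-sfo": "WEST", "ec-lon": "EMEA"}


def resolve(plan, segment, region):
    """Pool an appliance draws from: its region's pool, else Global, else None."""
    pools = {(r["segment"], r["region"]): r["pool"] for r in plan}
    return pools.get((segment, region)) or pools.get((segment, GLOBAL))


def lint(plan, appliances):
    """Return findings for the rules this page states about loopback rows."""
    findings = []
    keys = Counter((r["segment"], r["region"]) for r in plan)
    for (seg, reg), n in sorted(keys.items()):
        if n > 1:  # one loopback pool per region and per segment
            findings.append(f"{seg}/{reg}: {n} pools, only one allowed")
    mgmt = Counter(r["region"] for r in plan if r["mgmt"])
    for reg, n in sorted(mgmt.items()):
        if n > 1:  # same region: only one management interface
            findings.append(f"{reg}: {n} management loopbacks, only one allowed")
    for r in plan:
        where = f'{r["segment"]}/{r["region"]}'
        if r["label"] == "NONE":
            findings.append(f"{where}: no dedicated loopback label")
        if r["zone"] == "Default":  # assumes the zone-based firewall is in use
            findings.append(f"{where}: loopback left in the Default firewall zone")
    for name, region in sorted(appliances.items()):
        for seg in sorted({r["segment"] for r in plan}):
            if resolve(plan, seg, region) is None:
                findings.append(f"{name}: no loopback in segment {seg}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(PLAN, APPLIANCES)))
```

With the constructed plan, the WEST row is flagged for its default label and zone, and ec-lon is flagged because the Default segment has neither an EMEA pool nor a Global pool to fall back on.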
Create a Loopback Interface
To create a loopback interface:
- From the Segment drop-down list, select the segment to which you want to apply the new loopback interface.
- Select +Add Loopback Interface.
  The Loopback Interface dialog box opens.
  The selections you make on this dialog box will be applied to the segment selected on the Loopback Orchestration tab.
  NOTE: You can create more than one loopback interface for a segment. However, you can create only one unique loopback range per segment.
- Optionally, you can do the following:
  - Select a label from the Label drop-down list. This list includes all LAN-side interface labels configured on the Interface Labels tab.
    NOTE: Use a dedicated “Loopback” label. Do not re-use an existing LAN-side label. If your system does not already have a “Loopback” or similar label, you should create one.
  - Select a firewall zone from the Zone drop-down list if you want the loopback interface to be part of a specific firewall zone. This list includes all zones configured in the Firewall Zone Definition dialog box. If you do not select one, the system-provided Default zone will be used.
  - Select a region from the Region drop-down list. This list includes all regions configured on the Regions tab. If you do not select one, the system-provided Global pseudo-region will be used.
  - Select the Management check box if you want management applications running on the appliance to use the loopback interface. This setting also causes the Orchestrator tree to display the Management IP when you hover over the appliance.
- Click OK.
  The new loopback interface is added to the table on the Loopback Orchestration tab.
Change the Subnet IP for a Loopback Pool
To change the loopback pool subnet IP for a loopback interface listed in the table on the Loopback Orchestration tab:
- Click the link in the Loopback Pool column for the appropriate loopback interface.
  The Loopback Pool dialog box opens.
- In the Subnet IP field, enter the subnet IP address you want to use for the loopback pool.
- Click Update.
  NOTE: Orchestrator immediately begins to reassign loopback IPs to all appliances. If the appliances were using the existing loopback to communicate with Orchestrator, you might see the appliance disconnect and then reconnect to the Orchestrator. It is recommended that you make loopback changes within a maintenance window.
Reclaim Deleted Loopback IP Addresses
The Orchestrator tries to maintain the loopback to appliance mapping even after an appliance is removed from Orchestrator or moved to a different region. When an appliance is removed, its associated loopback is retired and moved to Deleted status. If your loopback pool becomes depleted, you can reclaim deleted loopback IPs by returning them to their original pools so they can be used again for new appliances.
To reclaim a deleted loopback IP address:
- Click the Reclaim link displayed in the Deleted column.
  The Reclaim Deleted Loopback IPs dialog box opens.
- To return a listed loopback IP address to the original pool, click the Reclaim link in the Reclaim column.
  NOTE: Alternatively, you can click Reclaim All to return all listed loopback IP addresses to their original pools.
  A confirmation dialog box opens, asking whether you want to return the deleted loopback IP to the pool.
- Click Reclaim.