Cisco SD-WAN Hub & Spoke, Mesh Policies Lab


In this lab we are going to see how to create a different topology for each Service VPN. We have two Service VPNs, VPN1 and VPN2. You are going to configure hub-and-spoke for VPN1 and mesh connectivity for VPN2.

This lab requires VPN2 on B1-R1 and B2-R1, which is created as part of the VPN Segmentation lab.

Perform the VPN Segmentation lab before going through this lab, or create VPN2 on B1-R1 by moving ge0/3 to VPN2 and create a loopback interface in VPN2 of B2-R1 with IP address 10.3.2.1/24.

Full Mesh
By default, SD-WAN forms full-mesh connectivity between all the sites: with no centralized control policy applied, vSmart advertises every site's TLOCs and OMP routes to every other site, so any two WAN edges build tunnels to each other directly.

Let's verify the same.

Navigate to Monitor>Network and select B1-R1.

Go to Troubleshooting and Trace Route.

Trace to a host in the DC network from VPN1: trace to 10.1.1.100 and select a source interface in VPN1.

Refer to the screenshot below to perform the traceroute from vManage.

Notice the path: B1-R1 > DC > Destination.

Similarly, perform the trace to B2-R1's service VPN1 interface IP address 10.3.1.1.
Notice the path: B1-R1 > B2-R1.

Similarly, trace to B2-R1's VPN2 loopback IP address 10.3.2.1 (the address created in the VPN Segmentation lab) from VPN2.

Notice the path: B1-R1 > B2-R1.

This verification shows that the default topology for all the VPNs is full mesh, i.e., Branch1 sends traffic to Branch2 directly without traversing the DC.

Default Route from Hub

For spoke-to-spoke communication via the DC (hub), we need to advertise a default route from the hub to all the spokes. Once the spokes stop receiving each other's prefixes, the default route is the only route that covers the other branch, so the traffic is forwarded to the hub, which still holds the specific branch routes via OMP and forwards it on.

For lab purposes, let's create a static default route to null0 in the hub's service VPN; OMP advertises static routes from the service VPN by default, so it reaches all other sites. Note what null0 means here: a packet that arrives at the hub for a destination the hub has no more specific route for is dropped at the hub. In a production design the default would normally point at a firewall or Internet exit in the DC instead.

Navigate to Configuration>Templates>Feature.
We need to create the default route in the service VPN of the DC (hub) devices. Let's identify the devices to which the VPN1 feature template is attached.

Notice that the template is attached to both DC and Branch2. However, we need the default route in the DC only, so the template must be cloned rather than edited in place (editing it directly would push a null0 default to Branch2 as well).
Clone this template by clicking on Copy.

Give the name and description below.

Template Name: DC-VPN1
Description: DC-VPN1
Click Copy.

Edit the cloned DC-VPN1 template.

Under the IPv4 configuration section, click on New IPv4 Route and configure the below.
Prefix (Global): 0.0.0.0/0
Gateway: Null0
Enable Null0 (Global): On
Click Add.
Update the template.

Modify Device Template

Go to Device Templates and edit DC-Template.

Under the Service VPN section, change the VPN feature template to DC-VPN1 and update the template.

Click Next.
Select a device from the device list to preview the configuration.

Notice the default null route and click on Configure Devices.

Confirm and OK.
Wait until the template push is successful.

Verification
Let's verify that the branch WAN edges received the default route from the DC (hub).

Navigate to Monitor>Network>B1-R1>Real Time.

Select IP Routes from Device Options.

Do Not Filter.

Notice the default route from the DC WAN edges.

Select B2-R1 from the Select Device drop-down menu.

Select OMP Received Routes from Device Options.

Do Not Filter.

Notice the default route advertised by both DC WAN edges.
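As an added example, not part of the original lab, this is the configuration the DC-VPN1 feature template renders in service VPN 1 on a vEdge DC WAN edge (the lab's ge0/3 interface naming indicates vEdge devices), followed by vEdge CLI commands that check the same thing the vManage Real Time views above show. The hostname is the lab's; the rendered syntax on an IOS-XE SD-WAN device differs and is not shown here.

```text
! DC WAN edge, service VPN 1: static default to null0. OMP redistributes static
! routes from the service VPN by default, so the spokes learn 0.0.0.0/0 from the hub.
vpn 1
 ip route 0.0.0.0/0 null0
!

! On a spoke, confirm the default is in the VPN 1 RIB and was learned via OMP.
! The OMP table shows one entry per DC WAN edge and TLOC (two edges, two colors each).
B1-R1# show ip routes vpn 1
B1-R1# show omp routes vpn 1
B1-R1# show omp routes vpn 1 detail
```

Checking on the device itself is useful when the vManage Real Time query times out or when you want to see the TLOC attributes of each OMP path.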

Hub & Spoke Policy

Now let's create a policy so that VPN1 traffic from Branch1 destined to Branch2 goes via the DC, and vice versa.

Navigate to Configuration>Policies.
Click on Add Policy.

Creating Lists:
Lists are used to match the traffic.

Site Lists:
Create the site lists using the table below (one list per site; the site ID is the site-id configured in each WAN edge's system settings).

Site Name    Site ID
DC           10
B1           100
B2           200

Refer to the screenshots below to create the site lists.

The completed site lists should look like the list below.

TLOC List
Create a TLOC list named DC-TLOC with the information below. A TLOC is identified by the system IP, color and encapsulation of a WAN edge transport interface; these entries are the two DC WAN edges with their two colors each. Keep the encapsulation in the list matching what the DC edges use (ipsec in the default configuration), otherwise the entries will not match the hub's TLOCs.

TLOC IP          Color
192.168.1.101    biz-internet
192.168.1.101    mpls
192.168.1.102    biz-internet
192.168.1.102    mpls

Refer to the screenshots below to create the TLOC list.
The completed TLOC list should look like the list below.

VPN List:

Create two VPN lists using the information below.

VPN List Name    VPN ID
VPN1             1
VPN2             2

The completed VPN lists should look like the list below.

Click Next.
Topology: Hub-and-Spoke
Select Hub-and-Spoke from the Add Topology drop-down menu.

Configure the hub-and-spoke policy using the details below.

Name: VPN1-HS
Description: VPN1-HS
VPN List: VPN1

Click on Add Hub-and-Spoke to add the hub and spoke sites to the policy.

To add the hub, click on Add Hub Sites, select DC and then click Add.

To add Branch1, click on Add Spoke Sites, select B1 and then click Add.

To add Branch2, click on Add Spoke Sites again, select B2 and then click Add.

Click Manage Custom Preferences and Prefix Lists.

Select Advertise Hub TLOCs and choose DC-TLOC from the drop-down.
Save changes.
Save the Hub-and-Spoke policy.
Click Next.

Click Next again.

Create the main policy.

Policy Name: LearnEdze-Policy
Policy Description: LearnEdze-Policy
Save Policy.

To preview the policy configuration, click on (…) and Preview.

Review the generated CLI (a centralized control policy for vSmart) and click OK.

The policy will now be applied to the vSmart having system-ip 192.168.1.3.

Click on Activate.
Wait until the policy push to the vSmart is completed.

Verification
From B1-R1 VPN1, perform a trace to a host in the DC network, in this case 10.1.1.100.

Notice that there is no change in the path to the DC from B1-R1.

From B1-R1 VPN1, perform a trace to B2-R1's VPN1 interface IP address, in this case 10.3.1.1.

Notice the change in the path to B2-R1 from B1-R1. It now traverses the DC (hub).

Let's verify the VPN2 traffic from B1-R1 to B2-R1.

Notice that VPN2 communication has failed completely.

We created the hub-and-spoke policy for VPN1 only. However, a centralized control policy has an implicit default action of reject: once it is applied outbound to the spoke sites, vSmart withholds every TLOC and every OMP route that no sequence explicitly accepts, in all VPNs, not only the VPN named in the topology. B2-R1's TLOCs and its VPN2 routes match nothing in the VPN1 policy, so B1-R1 never learns them.

Let's verify whether B1-R1 is receiving any routes in VPN2.

Navigate to Monitor>Network>B1-R1>Real Time

Select IP Routes from Device Options.

Do Not Filter.

Notice that B1-R1 has only the connected route in its VPN2 routing table.
Verify whether it is receiving B2-R1's TLOCs via OMP.

Notice that B1-R1 doesn't receive B2-R1's TLOCs.

To resolve this, we need to add a mesh topology for VPN2 to the same policy.

Mesh Policy
Navigate to Configuration>Policies.
From the top right-hand side, click on Custom Options and select Topology.

Select Mesh from the Add Topology drop-down menu.

Configure the below:

Name: VPN2-Mesh
Description: VPN2-Mesh
VPN List: VPN2
To create a mesh region, click on New Mesh Region and configure the below.
Mesh Region Name: VPN2-Mesh
Site List: B1 & B2

Click Add.

Save the mesh topology.

Edit the main policy (LearnEdze-Policy). The mesh topology has to be imported into the existing policy rather than activated as a second policy: only one centralized policy can be active on vSmart at a time, and only one control policy can be applied per site list in each direction, so vManage combines the hub-and-spoke and mesh topologies that apply to the same sites into a single control policy.

Choose Topology on the top.

Select Import Existing Topology from the Add Topology drop-down menu.

Choose Mesh as the Policy Type.

Select the VPN2-Mesh policy and import it.

Click on Policy Application from the top menu.

Save the policy changes.

Now the policy will be applied to vSmart. Click on Activate.

Wait until the policy push to the vSmart is successful.
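As an added example, hand-written for this page and not the CLI that vManage generated for the lab, the following is a vSmart centralized control policy equivalent to the finished LearnEdze-Policy: the lists from the three list sections, the hub-and-spoke sequences for VPN1, the mesh sequences for VPN2, and the apply-policy that attaches it outbound to the spoke sites. The sequence numbers, the site-list name VPN2-Mesh for the mesh region, and the use of the DC-TLOC list in a match tloc sequence are assumptions; encap ipsec is the default for a TLOC list entry. The authoritative text for your own deployment is what (…) > Preview shows.

```text
policy
 lists
  site-list DC
   site-id 10
  !
  site-list B1
   site-id 100
  !
  site-list B2
   site-id 200
  !
  ! Assumed name for the mesh region's site list (B1 & B2)
  site-list VPN2-Mesh
   site-id 100
   site-id 200
  !
  tloc-list DC-TLOC
   tloc 192.168.1.101 color biz-internet encap ipsec
   tloc 192.168.1.101 color mpls encap ipsec
   tloc 192.168.1.102 color biz-internet encap ipsec
   tloc 192.168.1.102 color mpls encap ipsec
  !
  vpn-list VPN1
   vpn 1
  !
  vpn-list VPN2
   vpn 2
  !
 !
 control-policy LearnEdze-Policy
  ! Hub-and-spoke part (VPN1): spokes learn the hub TLOCs and the hub's VPN1
  ! routes, including the null0 default. No sequence accepts another spoke's
  ! VPN1 routes, so spoke-to-spoke VPN1 traffic follows the default to the DC.
  sequence 1
   match tloc
    tloc-list DC-TLOC
   !
   action accept
   !
  !
  sequence 11
   match route
    site-list DC
    vpn-list VPN1
   !
   action accept
   !
  !
  ! Mesh part (VPN2): without these two sequences the default-action below also
  ! withholds B2's TLOCs and VPN2 routes from B1 (and vice versa), which is the
  ! failure seen after activating the hub-and-spoke topology alone.
  sequence 21
   match tloc
    site-list VPN2-Mesh
   !
   action accept
   !
  !
  sequence 31
   match route
    site-list VPN2-Mesh
    vpn-list VPN2
   !
   action accept
   !
  !
  default-action reject
 !
!
apply-policy
 site-list B1
  control-policy LearnEdze-Policy out
 !
 site-list B2
  control-policy LearnEdze-Policy out
 !
!
```

Two points follow directly from the structure. First, default-action reject sits at the end of the one control policy a spoke is subject to, so whatever the VPN1 topology does not accept is gone for every VPN; this is why the hub-and-spoke policy alone left B1-R1's VPN2 table with only the connected route. Second, because a spoke's outbound control policy is a single object, the mesh topology has to be imported into the same policy; activating a different policy replaces the active one rather than adding to it. Before clicking Activate, read the preview for the default-action and check that some sequence covers every VPN you expect to keep working, including VPNs the topology you are editing says nothing about.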

Verification
Let's verify the VPN2 routes on B1-R1.

Navigate to Monitor>Network>B1-R1>Real Time

Select IP Routes from Device Options.

Do Not Filter.

Notice that B1-R1 now receives the VPN2 routes from B2-R1.

Verify the traceroutes.

Perform the traceroute to B2-R1's VPN2 loopback (10.3.2.1) from VPN2 and notice that VPN2 communication is successful and goes directly B1-R1 > B2-R1.

Perform the traceroute to B2-R1's VPN1 interface (10.3.1.1) from VPN1 and notice that VPN1 communication between Branch1 and Branch2 still traverses the DC.
