SD WAN User Guide 20


Cisco SD-WAN User Guide

Step-by-Step Guide for Partners

GPSA

September 19, 2022

2022 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential.
Table of Contents
Lab Overview (p. 5)
  Lab Topology (p. 5)
  Access Info (p. 5)
  Device Credentials (p. 8)
  IP Address Scheme (p. 9)
Site 300 - Templates (p. 11)
  Overview (p. 11)
  Create the cEdge System Feature Templates (p. 11)
  Create the cEdge VPN Feature Templates (p. 12)
  Create the INET VPN Interface Feature Template (p. 14)
  Create the MPLS VPN Interface Feature Template (p. 14)
  Create the VPN 512 Interface Feature Template (p. 15)
  Create and Attach the Device Template (p. 16)
Site 300 - Onboarding C8000v (p. 19)
  Overview (p. 19)
  Onboarding C8000v with bootstrap config file (p. 19)
Site 300 – Service Side Routing (p. 21)
  Overview (p. 22)
  Create the cEdge VPN10 Feature Template (p. 22)
  Implement Dynamic Service Side routing at Site 300 - EIGRP (p. 23)
  Verification – EIGRP (p. 24)
VRRP at Site 500 (p. 25)
  Overview (p. 25)
  Editing Templates to support VRRP (p. 26)
  Verification and Testing (p. 27)
TLOC Extension at Site 500 (p. 27)
  Overview (p. 28)
  Templates for TLOC Extension (p. 29)
  Creating VPN Template for TLOC-Ext interface (p. 29)
  Creating VPN Template for Tunnel interface (p. 30)
  Creating the BGP Template for the MPLS link (p. 31)
  Updating the VPN and Device Templates (p. 32)
  Activity Verification (p. 35)
Hub and Spoke Topology (p. 35)
  Overview (p. 35)
  Creating the Policy (p. 36)
  Activity Verification (p. 40)
Data Center Preference (p. 41)
  Overview (p. 41)
  Policy Creation to Load Balance DC between Sites (p. 42)
  Activity Verification (p. 45)
Regional Hub (p. 46)
  Overview (p. 46)
  Policy for Traffic from Site300 to the Regional Hub (p. 47)
  Policy for Traffic from the Fabric to Site300 (p. 48)
  Verification (p. 49)
Site 300 – DIA (p. 50)
  Overview (p. 51)
  Enable DIA for Site300 Service VPN10 – Using Static Route (p. 51)
  Enable DIA for Site300 Service VPN10 – Data Policy (p. 52)
Application Aware Routing (p. 55)
  Overview (p. 55)
  Create Localized Policy to enable Deep Packet Inspection (DPI) (p. 55)
  Create Policy for AAR (p. 57)
  Activity Verification (p. 60)
WAN QoS (p. 63)
  Overview (p. 63)
  Prefer MPLS TLOC for Site 100 and 300 (p. 63)
  Add a Class List and QoS Map (p. 63)
  Configure the IPv4 ACL Policy (p. 65)
  Complete and apply the Localized Policy (p. 68)
  Apply the ACL and QoS Map (p. 68)
  Activity Verification (p. 70)
Dynamic On Demand Tunnels (p. 74)
  Overview (p. 74)
  Exploring the current setup (p. 74)
  Configuring a Control Policy for Dynamic Tunnels (p. 75)
  Configuring OMP Templates (p. 78)
  Enabling Dynamic Tunnels (p. 81)
  Activity Verification (p. 83)
Enabling Unified Security Policy on Site 400 (p. 86)
  Overview (p. 86)
  Enabling internet access for Site 400 using DIA route (p. 87)
  Verify TLS/SSL Proxy CA (p. 88)
  Importing UTD Virtual Image in vManage (p. 88)
  Configuring Unified Security Policies (p. 89)
  Policy Attachment and Activity Verification (p. 96)
SDWAN-Umbrella Integration (p. 101)
  Overview (p. 101)
  Umbrella DNS Redirection (p. 102)
  Perform Umbrella Registration (p. 103)
  Attach DNS Security Policy to Template (p. 105)
  Create DNS Policy on Umbrella (p. 106)
  DNS Redirection Verification (p. 108)
  DNS Redirection Configuration Cleanup (p. 110)
  Umbrella SIG Integration (p. 110)
  Create SIG-Tunnel Template (p. 112)
  Map SIG Templates to Device (p. 115)
  Add Service Route to VPN 10 (p. 115)
  Create Policies in Umbrella (p. 115)
  Activity Verification (p. 118)
Inter VPN Routing and Service Chaining (p. 122)
  Overview (p. 122)
  Creating Inter VPN Routing (p. 123)
  Setting up Inter VPN Routing Policy (p. 126)
  Policies for Service Chaining (p. 131)
  Service Chaining Verification (p. 135)
Cloud OnRamp for SaaS (p. 136)
  Overview (p. 136)
  Cloud OnRamp for SaaS Configuration (p. 136)
  Verification (p. 140)

Lab Overview

The SD-WAN Lab Guide is based on the following Topology. This section also covers lab access steps and
device credentials.

Lab Topology
Given below is the lab topology being used for the GPSA SD-WAN Lab.

Access Info
To Access the lab, please follow the below steps:

1. Log in to dCloud >> Select the correct Datacenter >> My Hub

2. Click on Sessions >> Identify your Session and click View to navigate to the session details
section. Click the Jumphost, then Remote Desktop.

3. Launch Google Chrome.


• Navigate to POC Tool using the browser bookmark. Log in to POC Tool using username
dcloud@cisco.com and password C1sco12345.

• Open another browser tab and navigate to vManage using the browser bookmark. Log
in to vManage using username admin and password C1sco12345.

4. Launch mRemoteNG. You will use this software to connect to the Ubuntu hosts via VNC and to the
networking devices via SSH.

5. You can also Console to all the devices directly from POC Tool UI. Navigate to the Site. Right-click
on the device and click Console.

Device Credentials

VNC Credentials
Common name | IP Address | User | Password
POC Tool | 198.18.133.200 | dcloud@cisco.com | C1sco12345
vManage | 198.18.133.200:8443 | admin | C1sco12345
Site300-Ubuntu-VPN10 | 198.18.133.200:30503 | ubuntu | viptela
Site300-Ubuntu-VPN12 | 198.18.133.200:30504 | ubuntu | viptela
Site400-Ubuntu-VPN10 | 198.18.133.200:30501 | ubuntu | viptela
Site400-Ubuntu-VPN12 | 198.18.133.200:30500 | ubuntu | viptela
Site500-Ubuntu-VPN10 | 198.18.133.200:30502 | ubuntu | viptela

SSH Credentials
Common name | IP Address | User | Password
vManage | 198.18.133.200:19001 | admin | C1sco12345
vBond | 198.18.133.200:19002 | admin | admin
vSmart-1 | 198.18.133.200:19003 | admin | admin
vSmart-2 | 198.18.133.200:19005 | admin | admin
Site100-cE1 | 198.18.133.200:19007 | admin | admin
Site100-cE2 | 198.18.133.200:19008 | admin | admin
Site200-cE1 | 198.18.133.200:19011 | admin | admin
Site200-cE2 | 198.18.133.200:19012 | admin | admin
Site300-cE1 | 198.18.133.200:19017 | admin | admin
Site400-cE1 | 198.18.133.200:19021 | admin | admin
Site500-cE1 | 198.18.133.200:19024 | admin | admin
Site500-cE2 | 198.18.133.200:19025 | admin | admin
Site100-Core-VPN10 | 198.18.133.200:19010 | admin | C1sco12345
Site300-Core-VPN10 | 198.18.133.200:19016 | admin | C1sco12345
DCI-Router | 198.18.133.200:19009 | admin | admin
MPLS | 198.18.133.200:19006 | admin | admin
Internet | 198.18.133.200:19004 | admin | admin

UI Credentials
Common name | IP Address | User | Password
POC Tool | 198.18.133.200 | dcloud@cisco.com | C1sco12345
vManage | 198.18.133.200:8443 | admin | C1sco12345

IP Address Scheme

WAN Edges - Internal

Node | System IP | Site ID | VPN10 Lo10 | VPN 11 Lo11 | VPN 12 Lo12
Site100-cE1 | 1.1.10.1 | 100 | 100.110.10.1 | 100.111.10.1 | 100.112.10.1
Site100-cE2 | 1.1.10.2 | 100 | 100.110.10.2 | 100.111.10.2 | 100.112.10.2
Site200-cE1 | 1.1.20.1 | 200 | 100.110.20.1 | 100.111.20.1 | 100.112.20.1
Site200-cE2 | 1.1.20.2 | 200 | 100.110.20.2 | 100.111.20.2 | 100.112.20.2
Site300-cE1 | 1.1.30.1 | 300 | - | - | -
Site400-cE1 | 1.1.40.1 | 400 | 100.110.40.1 | 100.111.40.1 | 100.112.40.1
Site500-cE1 | 1.1.50.1 | 500 | 100.110.50.1 | 100.111.50.1 | 100.112.50.1
Site500-cE2 | 1.1.50.2 | 500 | 100.110.50.2 | 100.111.50.2 | 100.112.50.2

WAN Edges - External

Node | MPLS | INET | VPN10 LAN | VPN 11 LAN | VPN 12 LAN
Site100-cE1 | 10.1.2.2/24 | 10.2.2.2/24 | 10.10.1.1/24 | 10.11.1.1/24 | -
Site100-cE2 | 10.1.3.2/24 | 10.2.3.2/24 | 10.10.1.2/24 | 10.11.1.2/24 | -
Site200-cE1 | 10.1.4.2/24 | 10.2.4.2/24 | 10.20.1.1/24 | 10.21.1.1/24 | -
Site200-cE2 | 10.1.5.2/24 | 10.2.5.2/24 | 10.20.1.2/24 | 10.21.1.2/24 | -
Site300-cE1 | 10.1.6.2/24 | 10.2.6.2/24 | 10.30.1.1/24 | - | -
Site400-cE1 | 10.1.7.2/24 | 10.2.7.2/24 | 10.40.1.1/24 | - | 10.42.1.1/24
Site500-cE1 | 10.1.8.2/24 | 10.2.8.2/24 | 10.50.1.1/24 | - | -
Site500-cE2 | 10.1.9.2/24 | 10.2.9.2/24 | 10.50.1.2/24 | - | -

Controllers

Node | System IP | Site ID | INET | Default GW
vManage | 1.1.1.1 | 1 | 10.2.1.7/24 | 10.2.1.1
vBond | 1.1.1.2 | - | 10.2.1.6/24 | 10.2.1.1
vSmart-1 | 1.1.1.3 | 1 | 10.2.1.5/24 | 10.2.1.1
vSmart-2 | 1.1.1.4 | 1 | 10.2.1.4/24 | 10.2.1.1

Third Party Devices

Node | Type | Site | VPN | IP Address
Site100-Core-VPN10 | LAN Core Router | 100 | 10 | 10.10.1.100/24
DCI-Router | DCI Router | 100 | 10,11 | 10.10.1.150/24, 10.11.1.150/24
DCI-Router | DCI Router | 200 | 10,11 | 10.20.1.150/24, 10.21.1.150/24
Site300-WANEmu1 | WAN Emulator | 300 | 0 | -
Site300-WANEmu2 | WAN Emulator | 300 | 0 | -
Site300-Core-VPN10 | LAN Core Router | 300 | 10 | 10.30.1.100/24
Site300-Ubuntu-VPN10 | Host | 300 | 10 | 10.30.1.10/24
Site300-Ubuntu-VPN12 | Host | 300 | 12 | 10.32.1.10/24
TRex1-VPN10 | Traffic Generator | 300 | 10 | 10.30.1.50/24
TRex2-VPN10 | Traffic Generator | 300 | 10 | 10.30.1.30/24
Site400-Ubuntu-VPN10 | Host | 400 | 10 | 10.40.1.10/24
Site400-Ubuntu-VPN12 | Host | 400 | 12 | 10.42.1.10/24
Site500-Ubuntu-VPN10 | Host | 500 | 10 | 10.50.1.10/24

Site 300 - Templates

Overview
In this section, we will create the feature and device templates required for the Site 300 cEdge and
onboard it to our SDWAN fabric. To onboard a brand-new device to the SDWAN fabric, we will configure the
following templates:

• System feature template
• VPN feature templates
• VPN interface feature templates
• Device template

Create the cEdge System Feature Templates


1. On the vManage GUI, navigate to Configuration => Templates=> Feature Tab and click on Add
Template.

2. Search and select C8000v. From the feature templates list, Click on Cisco System.

3. Give the Template a name of Branch1_Site300_System and a description of System feature of
Site300-cE1.

4. Under the Basic Configuration section, turn the following fields into variables by choosing
Device Specific from the drop-down next to each field, then click on Save.

Field | Global or Device Specific (drop down) | Value
Site ID | Device Specific | site_id
System IP | Device Specific | system_ip
Hostname | Device Specific | host_name
Console Baud Rate | Global | 9600

Note: The values of all variable fields in templates can be provided manually or via a CSV file at the
time of onboarding the WAN edge. We will use a .csv file to fill in the values when we attach the
device template to a device later in this exercise.

Create the cEdge VPN Feature Templates


1. On the vManage GUI, navigate to Configuration => Templates=> Feature Tab and click on Add
Template.

2. Search and select C8000v. From the feature templates list, Click on Cisco VPN to start
configuring the VPN 0 Template.

3. Give the Template a name of Branch1_Site300_VPN0 and a description of VPN 0 feature
Site300-cE1.

4. Under Basic Configuration, specify the VPN as 0.

5. Under the DNS section, set the drop down to Global and specify the Primary and Secondary
DNS Address as 8.8.8.8 and 208.67.222.222 respectively.

6. Click on New Host Mapping. Add the Hostname as vbond-test-drive and List of IP as 10.2.1.6.
Then Click on Add.

7. Under IPv4 Route, click on New IPv4 Route and specify the Prefix as Global. Populate 0.0.0.0/0
as the prefix and click on Add Next Hop.

8. Click on Add Next Hop again in the popup window.

9. Click on the drop-down arrow, set the value to Device Specific and enter the key as
Branch1_Site300_vpn0_inet_next_hop

10. Click on Add Next Hop again. We will now be adding the default route for the MPLS link.

11. Choose Device Specific from the drop-down and give it a name of
Branch1_Site300_vpn0_mpls_next_hop. Click on Add

12. Make sure the IPv4 Route screen shows 2 Next Hops and click on Add.

13. At the main page, click on Save. VPN 0 Feature Template for Site300 has been created.

Create the INET VPN Interface Feature Template
This template specifies the configuration for the interfaces in a VPN. Site300 will have two interfaces in
VPN 0 (INET and MPLS) and one in VPN 512. We will first set up the VPN Interface Feature Templates for
the Internet link.

1. Navigate to Configuration => Templates=> Feature Tab and click on Add Template. Search and
select C8000v. From the Select Template list, Click on Cisco VPN Interface Ethernet to start
creating VPN Interface Template.

2. Give the Template a name of Branch1_Site300_INET_Gig1 and a description of INET Interface
GigabitEthernet1 Site300-cE1.

3. Enter the details on this page as listed in the table below. Click on Save once all the fields have
been populated.

Section | Field | Global or Device Specific (drop down) | Value
Basic Configuration | Shutdown | Global | No
Basic Configuration | Interface Name | Device Specific | inet_if_name
Basic Configuration | IPv4 Address | Device Specific | inet_ipv4_address
Tunnel | Tunnel Interface | Global | On
Tunnel | Color | Device Specific | inet_if_color
Tunnel - Allow Service | All | Global | On

This completes the configuration of INET Interface Feature Template for Site300.

Create the MPLS VPN Interface Feature Template


We are now going to set up the VPN Interface Feature Template for the MPLS link, by making a copy of
the INET template “Branch1_Site300_INET_Gig1”.

1. Search and find the Branch1_Site300_INET_Gig1 Feature Template from Configuration =>
Templates => Feature tab. Click on the three dots in the extreme right-hand side of the
template and click Copy. Name it Branch1_Site300_MPLS_Gig2 with a Description of MPLS
Interface GigabitEthernet2 Site300-cE1. Click on Copy

2. Click on the 3 dots next to the Branch1_Site300_MPLS_Gig2 template and choose to Edit.
Modify the details as per the table given below and click on Update. (we have changed the
Device Specific names to reflect mpls and set the restrict to on)

Section | Field | Global or Device Specific (drop down) | Value
Basic Configuration | Shutdown | Global | No
Basic Configuration | Interface Name | Device Specific | mpls_if_name
Basic Configuration | IPv4 Address | Device Specific | mpls_ipv4_address
Tunnel | Tunnel Interface | Global | On
Tunnel | Color | Device Specific | mpls_if_color
Tunnel | Restrict | Global | On

This completes the configuration of the MPLS VPN Interface Feature Template.

Create the VPN 512 Interface Feature Template


We are now going to set up the VPN Interface Feature Template for the VPN 512 interface.

1. Navigate to Configuration => Templates=> Feature Tab and click on Add Template. Search and
select C8000v. From the Select Template list, Click on Cisco VPN Interface Ethernet to start
creating VPN Interface Template.

2. Give the Template a name of Branch1_Site300_VPN512_Intf_Gig8 and a description of VPN512
Interface GigabitEthernet8 Site300-cE1.

3. Enter the details on this page as listed in the table below. Click on Save once all the fields have
been populated.

Section | Field | Global or Device Specific (drop down) | Value
Basic Configuration | Shutdown | Global | No
Basic Configuration | Interface Name | Device Specific | vpn512_if_name
Basic Configuration | IPv4 Address | Device Specific | vpn512_ipv4_address

This completes the configuration of the VPN 512 Interface Feature Template.

Create and Attach the Device Template
The feature templates created in the previous sections are referenced in Device Templates. Devices are
then attached to Device Templates which pushes configuration to them, in line with the settings in the
Feature templates.

1. From the Configuration => Templates window, make sure you’re on the Device tab and click on
Create Template. Choose to create a template From Feature Template

2. Choose C8000v as the Device Model and SDWAN Edge as the Device Role. Enter
Branch_Dev_Temp_Site_300 for the Template Name and Device template of Site300 with cE1
as the Description

3. Navigate to the Basic Information section. To ensure standard basic settings are used across all
devices in the SDWAN Fabric, make the following changes:

Field | Sub Field | Value (Drop Down)
Basic information | Cisco System | Branch1_Site300_System
Basic information | Cisco NTP | Ntp_System_All_Sites
Basic information | Cisco BFD | VIP09_Aggressive_BFD
Basic information | Cisco OMP | OMP_Branches
Basic information | Cisco Security | Factory_Default_Cisco_Security_Template

4. Navigate to the Transport & Management VPN section. Update the fields as per the table below,
selecting the templates we created before, and click on Create to create the Device Template.

Field | Sub Field | Value (Drop Down)
Cisco VPN 0 | - | Branch1_Site300_VPN0
Cisco VPN 0 | Cisco VPN Interface Ethernet | Branch1_Site300_INET_Gig1
Cisco VPN 0 | Cisco VPN Interface Ethernet | Branch1_Site300_MPLS_Gig2
Cisco VPN 512 | Cisco VPN Interface Ethernet | Branch1_Site300_VPN512_Intf_Gig8

This completes the creation of the Device and Feature Templates for the Branch 1 Site 300. We will now
attach this template to a new wan edge device.

5. From the Configuration => Templates window, make sure you’re on the Device tab. Find the
Branch_Dev_Temp_Site_300. Click on the three dots in the extreme right-hand side of the
template and click on Attach Devices.

6. Click on the device UUID listed under Available Devices. Now, click on the blue > arrow to move
it to the Selected Devices and click Attach.

7. On the next screen, we need to provide values to all the variable fields we set while creating the
templates. The values can be entered manually by clicking on the three dots on far right of the
device UUID and choosing “Edit Device Template” or we can upload a CSV with all the values.

Note: You can download the CSV template from this screen and upload it back after entering the values.
However, for this exercise the CSV has already been created and saved in the Downloads folder.

8. Click on the blue upward facing arrow on the far-right side of the screen and click on choose
file. From the pop-up go to Downloads, select Template-Site300.csv and click upload.

9. Notice the green check mark next to the Device UUID; this shows that all values were
successfully entered. Now, click Next at the bottom of the screen.

10. On the next screen, click on the Device UUID >> Config Diff >> Side by Side. You can see all the
configuration that will be pushed to the device, highlighted in green. Click on Configure Devices.

11. On the next screen the status would show as “Done – Scheduled”.

We have successfully attached the device template to a new device. In the next section we will
complete the onboarding of a C8000v WAN edge at Site 300.
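The CSV uploaded in step 8 is the last point at which a wrong address, next hop or TLOC color can be caught before the Config Diff, and its keys are the Device Specific variables defined in the System, VPN 0 and VPN Interface templates earlier in this section. The following validator is an added example, not Cisco's or the lab's code: it assumes a simplified one-row-per-device CSV whose column names are those variable keys (the real vManage export uses different column headers), and the next-hop values 10.2.6.1 and 10.1.6.1 in the constructed sample are assumptions, since the guide leaves them as variables.

```python
"""Validator for the Site300 device-variable CSV (added example, not Cisco's code).
Columns are the Device Specific keys from the feature templates; the CSV layout
is an assumed simplification of the vManage export, not its exact format."""
import csv
import io
import ipaddress

# Device Specific keys from the System, VPN 0 and VPN Interface templates.
REQUIRED_VARS = [
    "host_name", "system_ip", "site_id",
    "inet_if_name", "inet_ipv4_address", "inet_if_color",
    "mpls_if_name", "mpls_ipv4_address", "mpls_if_color",
    "vpn512_if_name", "vpn512_ipv4_address",
    "Branch1_Site300_vpn0_inet_next_hop", "Branch1_Site300_vpn0_mpls_next_hop",
]
# Expected values for the device being onboarded, from the IP Address Scheme tables.
SITE_PLAN = {"Site300-cE1": {"system_ip": "1.1.30.1", "site_id": "300",
                             "inet_ipv4_address": "10.2.6.2/24",
                             "mpls_ipv4_address": "10.1.6.2/24"}}
# Subset of the TLOC colors accepted by the Tunnel > Color field.
TLOC_COLORS = {"default", "mpls", "metro-ethernet", "biz-internet", "public-internet",
               "lte", "3g", "red", "green", "blue", "gold", "silver", "bronze",
               "custom1", "custom2", "custom3", "private1", "private2", "private3",
               "private4", "private5", "private6"}


def _host_on_subnet(value):
    """Parse 'a.b.c.d/len'; return None unless it is a usable IPv4 host address."""
    try:
        iface = ipaddress.IPv4Interface(value)
    except ValueError:
        return None
    net = iface.network
    return None if iface.ip in (net.network_address, net.broadcast_address) else iface


def validate_row(row):
    """Return the findings for one CSV row; an empty list means the row is clean."""
    val = {k: (row.get(k) or "").strip() for k in REQUIRED_VARS}
    findings = [f"missing value for {k}" for k, v in val.items() if not v]

    if val["system_ip"]:
        try:
            ipaddress.IPv4Address(val["system_ip"])  # bare address, no prefix length
        except ValueError:
            findings.append(f"system_ip {val['system_ip']!r} is not a plain IPv4 address")
    if val["site_id"] and not val["site_id"].isdigit():
        findings.append(f"site_id {val['site_id']!r} is not numeric")

    links = {}
    for link in ("inet", "mpls", "vpn512"):
        addr = val[f"{link}_ipv4_address"]
        links[link] = _host_on_subnet(addr) if addr else None
        if addr and links[link] is None:
            findings.append(f"{link}_ipv4_address {addr!r} is not a usable host/prefix")

    # Each VPN 0 default-route next hop must be another host on its transport subnet,
    # and each TLOC color must be one vManage accepts.
    for link in ("inet", "mpls"):
        hop_key = f"Branch1_Site300_vpn0_{link}_next_hop"
        if val[hop_key]:
            try:
                hop = ipaddress.IPv4Address(val[hop_key])
            except ValueError:
                hop = None
                findings.append(f"{hop_key} {val[hop_key]!r} is not an IPv4 address")
            iface = links[link]
            if hop and iface and (hop not in iface.network or hop == iface.ip):
                findings.append(f"{hop_key} {hop} is not another host on {iface.network}")
        color = val[f"{link}_if_color"]
        if color and color not in TLOC_COLORS:
            findings.append(f"{link}_if_color {color!r} is not a known TLOC color")

    # Transports and the management port must be distinct interfaces with distinct colors.
    names = [val["inet_if_name"], val["mpls_if_name"], val["vpn512_if_name"]]
    if all(names) and len(set(names)) != 3:
        findings.append("inet/mpls/vpn512 interface names are not distinct")
    if val["inet_if_color"] and val["inet_if_color"] == val["mpls_if_color"]:
        findings.append("inet and mpls TLOCs share the same color")

    # Cross-check against the addressing plan for devices we know about.
    for key, want in SITE_PLAN.get(val["host_name"], {}).items():
        if val[key] != want:
            findings.append(f"{key} is {val[key]!r}, addressing plan says {want!r}")
    return findings


def validate_csv(text):
    """Validate every row; returns [(host_name, findings), ...] in file order."""
    rows = csv.DictReader(io.StringIO(text))
    return [((r.get("host_name") or "").strip(), validate_row(r)) for r in rows]


# Constructed sample: a clean row for Site300-cE1, then one with three deliberate errors
# (wrong system IP, empty INET color, MPLS next hop on the wrong subnet). The next hops
# 10.2.6.1 / 10.1.6.1 are assumed values; the guide leaves them as variables.
SAMPLE_CSV = "\n".join([
    ",".join(REQUIRED_VARS),
    "Site300-cE1,1.1.30.1,300,GigabitEthernet1,10.2.6.2/24,biz-internet,"
    "GigabitEthernet2,10.1.6.2/24,mpls,GigabitEthernet8,192.168.1.9/24,10.2.6.1,10.1.6.1",
    "Site300-cE1,1.1.30.2,300,GigabitEthernet1,10.2.6.2/24,,"
    "GigabitEthernet2,10.1.6.2/24,mpls,GigabitEthernet8,192.168.1.9/24,10.2.6.1,10.1.7.1",
])
```

Calling validate_csv(SAMPLE_CSV) returns an empty finding list for the first row and three findings for the second; run it against Template-Site300.csv (read from the Downloads folder) before clicking Attach.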

Site 300 - Onboarding C8000v

Overview
In this section, we will onboard a brand-new device to the SDWAN fabric using a bootstrap file in Site
300 for which we created the Templates in the previous section.

Onboarding C8000v with bootstrap config file


Onboarding a new device to the fabric can be simplified by generating a bootstrap config file and
uploading it to the new device.

Note: While we will upload the file to flash using SCP, in the field the file is usually placed on a USB
drive that is plugged into the cEdge. On bootup, a cEdge looks for the file on the USB port (if a bootable
USB is connected) and then in bootflash. The bootstrap config file allows the device to come up and
establish control connections.

1. Navigate to Configuration => Devices. Scroll down and find the C8000v in the list. Scroll to the
far right and you will notice that a template has been assigned to this device and the status is
Sync-Pending. Click on the three dots and choose Generate Bootstrap Configuration.

2. A pop-up window will appear, click OK >> Download. Select Keep on the warning at the bottom
right of the screen. The file gets saved in Downloads folder. Close the pop-up window.

3. Go to the Downloads folder and rename the config file as “ciscosdwan_cloud_init.cfg”.

4. Open a new browser window and launch the POC-Tool. Navigate to Site 300. Right click on
Site300-CE1 and click Console.

5. The router is not yet in controller mode. The following commands have been preconfigured to enable
the SCP server and make the router reachable, and the root certificate has been added:

conf t
ip scp server enable
username admin priv 15 password admin
line vty 0 4
 login local
 exit
interface gigabitethernet8
 no shut
 ip address 192.168.1.9 255.255.255.0
 exit
ip route 0.0.0.0 0.0.0.0 192.168.1.1

6. Launch the Windows command prompt from the taskbar. As the bootstrap file was saved in the
Downloads folder, first change to that folder by entering “cd Downloads” as shown in the
screenshot below:

7. Once the prompt reads C:\Users\admin\Downloads>, enter the following command to copy the
file to the router flash and hit Enter:

scp -P 19017 ciscosdwan_cloud_init.cfg admin@198.18.133.200:ciscosdwan_cloud_init.cfg

8. Type “yes” at the fingerprint prompt and enter the password “admin”. The file will be uploaded to the
router.

Go back to the Site300-CE1 router console session on POC Tool and switch the router to SD-WAN mode by
entering the “controller-mode enable” command in privileged EXEC mode, then hit Enter twice.

The Router will now reboot and connect to SDWAN fabric when it comes back online. We can confirm by
going to vManage dashboard => Site health => Full WAN Connectivity. Site 300 devices should be listed
and reachable.

This completes onboarding of a new wan edge into the fabric.

Site 300 – Service Side Routing

Overview
In this section, we create the VPN 10, VPN Interface and EIGRP feature templates for the Site 300
cEdge and establish service-side connectivity using a dynamic routing protocol (EIGRP).

Create the cEdge VPN10 Feature Template


1. On the vManage GUI, navigate to Configuration => Templates=> Feature Tab and click on Add
Template.

2. Search and select C8000v. From the feature templates list, Click on Cisco VPN to start
configuring the VPN 10 Template.

3. Give the Template a name of Branch1_Site300_VPN10 and a description of VPN 10 feature template for
Site300-cE1.

4. Under Basic Configuration, specify the VPN as 10.

5. Under the Advertise OMP, click New Advertise OMP, choose Connected from the protocol
dropdown and click Add. Repeat these steps to add Static and EIGRP protocols.

Note: We will be adding EIGRP to Site300 VPN10. To ensure EIGRP routes are being advertised in OMP,
we need to add it to Advertise OMP in VPN 10 Templates.

6. Click on Save.

7. We will now create the VPN 10 Interface Template. From the Configuration => Templates =>
Feature Tab page, click on Add Template and select C8000v. From the feature templates list,
Click on Cisco VPN Interface Ethernet.

8. Populate the details as shown below and click on Save.

Section             | Field          | Global or Device Specific (drop down) | Value
Template            | Name           | Global                                | Branch1_Sit300_VPN10_Intf_Gig3
Template            | Description    | Global                                | Interface GigabitEthernet3 Site300cE1
Basic Configuration | Shutdown       | Global                                | No
Basic Configuration | Interface Name | Global                                | GigabitEthernet3
Basic Configuration | IPv4 Address   | Global                                | 10.30.1.1/24

Implement Dynamic Service Side routing at Site 300 - EIGRP

In Site 300 there is a core router called Site300-Core-VPN10 running EIGRP on the service side (VPN 10).
It is pre-configured to advertise the network 132.132.132.0/24. We will now create an EIGRP feature
template and attach it to VPN 10 on the Site 300 device template to establish the neighborship with
Site300-Core-VPN10.

1. Navigate to Configuration => Templates => Feature Tab and click on Add Template. Search and
select C8000v. From the Select Template list, click on EIGRP to start creating the EIGRP feature
template.

2. Give the Template a name of Site300-EIGRP-Neighbor and a description of EIGRP template for
service side routing (Site 300). Populate the Autonomous System ID as 132.

3. Under the Unicast Address Family => Re-Distribute section, Click on New Redistribute, choose
OMP and click ADD. This enables OMP route redistribution into EIGRP.

4. Under the Unicast Address Family => Network section, Click on New Network, enter
10.30.1.0/24 as Network Prefix and click ADD.

5. Under Interface, click on Interface to add a new one. Enter the Interface Name as
GigabitEthernet3 and click on Add. This is our LAN facing interface in VPN 10 on Site300-cE1.

6. Click on Save. Now we will attach the VPN10 and EIGRP feature templates to
Branch_Dev_Temp_Site_300.

7. From the Configuration => Templates => Device Tab page, search for
Branch_Dev_Temp_Site_300, click on three dots on the far right and click Edit.

8. Scroll to the Service VPN section and click Add VPN.

9. On the pop-up screen, select Branch1_Site300_VPN10 and click Next.

10. On the next screen, click on Cisco VPN Interface Ethernet and EIGRP from Additional Cisco VPN
Templates.

11. Choose Branch1_Sit300_VPN10_Intf_Gig3 for Cisco VPN Interface Ethernet and Site300-EIGRP-Neighbor
for EIGRP respectively and click Add.

12. Click Update, then click Next and Configure Devices to push the updated configuration to
Site300-CE1.

This completes the configuration of Service Side VPN and Dynamic Service Side routing for Site300.

Verification – EIGRP

1. Navigate to Monitor > Network > Site300-cE1 > Real Time and type IP Route in Device options.
Scroll down the list to ensure that 132.132.132.0/24 route is now installed into the VPN 10
routing table of Site300-cE1.

2. Navigate to Monitor > Network > [Pick a vSmart] > Real Time > OMP Received Routes. Confirm
that 132.132.132.0/24 route is received and installed on vSmart.

3. Navigate to Monitor > Network > Site100-cE1> Real Time > IP Route. Confirm that
132.132.132.0/24 route is received and installed on remote WAN Edges.

4. Open browser tab and go to PoC Tool>>Site 300>>Right click on Site300-Core-VPN10>>Console
and type “show ip route”. Confirm that routes originating from OMP on VPN10 are being
correctly advertised and installed on the Site300-Core-VPN10 router. Notice that they are seen
as EIGRP external.

VRRP at Site 500

Overview
Using Configuration Templates to set up VRRP as a First Hop Redundancy Protocol at Site 500.

Editing Templates to support VRRP
1. On the vManage GUI, navigate to Configuration => Templates => Feature Tab

2. Locate the Branch3_Site500_VPN10_Intf_Gig3 template and click on the three dots next to it.
Select Edit.

3. Navigate to the VRRP section and click on New VRRP. Update the parameters as shown in the table
below, using the image for reference, and click on Add.

Field      | Global or Device Specific (drop down) | Value
Group ID   | Global                                | 10
Priority   | Device Specific                       | vpn10_if_vrrp_priority
Track OMP  | Global                                | On
IP Address | Global                                | 10.50.1.3

4. Click on Update.

5. Scroll right and enter a Priority of 105 for Site500-cE1 and a priority of 100 for Site500-cE2 under
variable vpn10_if_vrrp_priority. This will ensure that Site500-cE1 becomes the MASTER, if
available. Click on Next

6. Click Configure Devices, Confirm the configuration change and click on OK

Verification and Testing
1. Log in to Ubuntu host on Site500 by going to Site 500 on POC tool and right click the ubuntu host
>> Console.

2. Log in to host using the password “viptela”. Open Terminal and run pings to 10.40.1.10

3. Confirm that VRRP is operational in Site500. Node Site500-cE1 should be the VRRP master and
Site500-cE2 should be the VRRP backup. Navigate to Monitor > Network > Site500-cE1 > Real
Time > VRRP Information. VRRP is enabled for VPN 10 only.

4. Reboot node Site500-cE1: go to Site 500 in the POC tool, right click Site500-cE1 >> Console, log in
with the username and password admin, and reload the box with the reload command.

5. Monitor the VRRP state on Site500-cE2: it should become the VRRP master. Go to the console of
Site500-cE2 and issue the command below.

show vrrp 10 gig3

The pings continue to work. Once Site500-cE1 is back up, it takes the MASTER role back because it is
configured with the higher priority (VRRP preempts by default). This can be checked using the
command in Step 5.

This completes the configuration and verification for VRRP at Site 500.

TLOC Extension at Site 500

Overview
Several sites have a couple of routers in place, but transport connectivity to just one of the available
transports. In the event of a link failure, there is no mechanism for traffic to be redirected over the other
transport. That’s where TLOC Extensions come in.
TLOC Extensions allow vEdge/cEdge routers with a single transport to utilize the link on another
vEdge/cEdge router at the same site. Given below is a graphical representation of what we’re trying to
achieve in this section of the lab.

Site500-cE1 is connected to the MPLS transport whereas Site500-cE2 is connected to INTERNET. If the
Internet link goes down, Site500-cE2 doesn’t have a way to utilize the MPLS link available at Site500-cE1.
TLOC Extensions seek to remedy this.
vEdge/cEdge routers build IPSec tunnels across directly connected transports AND across the transport
connected to the neighboring vEdge/cEdge router to facilitate transport redundancy.
Without TLOC Extensions, the cEdges at Site 500 form control connections and BFD sessions only over
their directly connected transport. To verify, run the commands below.

show sdwan control connections

show sdwan bfd sessions

Site500-cE1#show sdwan control connections
                                                                                                                                    CONTROLLER
PEER     PEER  PEER       SITE  DOMAIN  PEER        PEER PRIV  PEER        PEER PUB                            LOCAL                           GROUP
TYPE     PROT  SYSTEM IP  ID    ID      PRIVATE IP  PORT       PUBLIC IP   PORT      ORGANIZATION              COLOR  PROXY  STATE  UPTIME      ID
--------------------------------------------------------------------------------------------------------------------------------------------------------
vsmart   dtls  1.1.1.4    1     1       10.2.1.4    12346      10.2.1.4    12346     Viptela-POC-Tool - 19827  mpls   No     up     1:06:06:48  0
vsmart   dtls  1.1.1.3    1     1       10.2.1.5    12346      10.2.1.5    12346     Viptela-POC-Tool - 19827  mpls   No     up     1:06:06:48  0
vmanage  dtls  1.1.1.1    1     0       10.2.1.7    12446      10.2.1.7    12446     Viptela-POC-Tool - 19827  mpls   No     up     1:06:06:48  0

Site500-cE1#show sdwan bfd sessions
                           SOURCE TLOC  REMOTE TLOC             DST PUBLIC  DST PUBLIC         DETECT      TX
SYSTEM IP  SITE ID  STATE  COLOR        COLOR        SOURCE IP  IP          PORT        ENCAP  MULTIPLIER  INTERVAL(msec)  UPTIME      TRANSITIONS
------------------------------------------------------------------------------------------------------------------------------------------------------
1.1.10.1   100      up     mpls         mpls         10.1.8.2   10.1.2.2    12346       ipsec  7           1000            1:06:08:06  0
1.1.10.2   100      up     mpls         mpls         10.1.8.2   10.1.3.2    12346       ipsec  7           1000            1:06:08:08  0
1.1.20.1   200      up     mpls         mpls         10.1.8.2   10.1.4.2    12346       ipsec  7           1000            1:06:08:02  0
1.1.20.2   200      up     mpls         mpls         10.1.8.2   10.1.5.2    12346       ipsec  7           1000            1:06:07:55  0
1.1.40.1   400      up     mpls         mpls         10.1.8.2   10.1.7.2    12346       ipsec  7           1000            1:06:07:55  0

Site500-cE1#

Templates for TLOC Extension


We will need to create a total of three Feature Templates for this section which will be applied to
Site500-cE1 and Site500-cE2 Device Templates.

Towards the end of the lab, we will copy and modify the primary uplink feature template used by the
interface on Site500-cE2 to allow for NAT. Both cEdges at Site500 use the same feature template for
VPN 0 uplink so making a change on one will impact the other as well. Hence, we will be breaking off the
Site500 VPN Interface template from the one being used. This new template will be identical to the VPN
0 interface template being used at this Site, except for NAT being enabled on Site500-cE2.

Creating VPN Template for TLOC-Ext interface

1. Go to Configuration>> Templates>> Feature >> Search for “Branch3_Site500_primary_uplink”

2. Click Copy and change the name to Branch3_Site500_Tloc_no_tunnel_Gig4.

3. Search for “Branch3_Site500_Tloc_no_tunnel_Gig4” and click edit.

4. Make the following changes:

Section             | Field          | Global or Device Specific (drop down) | Value
Template            | Name           | NA                                    | Branch3_Site500_Tloc_no_tunnel_Gig4
Template            | Description    | NA                                    | Site500 TLOC Extension Template without Tunnel Configuration
Basic Configuration | Shutdown       | Global                                | No
Basic Configuration | Interface Name | Global                                | GigabitEthernet4
Basic Configuration | IPv4 Address   | Device Specific                       | if_ipv4_address_notunn
Tunnel Interface    | Tunnel         | Global                                | Off
Advanced            | TLOC Extension | Device Specific                       | Vpn0_tloc_ext_intf

5. Click Update.

This completes configuration of the VPN Interface Template for TLOC Extension interfaces, without a
Tunnel. Each participating vEdge/cEdge will have an interface that will not have a Tunnel associated with
it (but will have a TLOC Extension association) and another one which will have a Tunnel (but won’t have
a TLOC Extension associated with it).

Creating VPN Template for Tunnel interface

1. Navigate to Configuration => Templates => Feature tab and search for tloc. You should get one
template (the one we just created). Click on the three dots next to it and choose Copy

2. Rename the Template to Branch3_Site500_Tunn_no_tlocext with a Description of Site 500


Template with Tunnel Configuration no TLOC-Ext. Click on Copy

3. Click on the three dots next to the newly created template and choose to Edit

4. Update the details as in the table below. Use the images for reference and click on Update when
done

Section             | Field               | Global or Device Specific (drop down) | Value
Basic Configuration | Shutdown            | Global                                | No
Basic Configuration | Interface Name      | Device Specific                       | if_name_tunn_notlocext
Basic Configuration | IPv4 Address        | Device Specific                       | if_ipv4_address_tunn
Tunnel Interface    | Tunnel              | Global                                | On
Tunnel Interface    | Color               | Device Specific                       | tloc_if_tunnel_color_value
Tunnel Interface    | Restrict            | Device Specific                       | tloc_if_tunnel_color_restrict
Tunnel Interface    | Allow Service - All | Global                                | On
Advanced            | TLOC Extension      | Default                               | (leave empty)

Note: Allow Service - All permits every service (SSH, NETCONF, NTP, DNS and so on) to be reached on
this tunnel interface from the transport. That is convenient in the lab; in production allow only the
services the interface actually needs.

This completes the configuration of our second feature template.

Creating the BGP Template for the MPLS link

We will now set up the BGP template for eBGP peering on the MPLS link. This is so that the TLOC
extension subnet (10.1.9.0/24 in this case) can be advertised to the MPLS network.

1. On the vManage GUI, go to Configuration => Templates => Feature tab. Click on Add Template,
search for C8000v and select it (the same device type as the other Site 500 templates), then scroll
down to the Other Templates section. Choose BGP.

2. Enter the Template Name as Branch3_Site500-cE1_Mpls_Bgp_Tloc and the Description as BGP


Peering Template for TLOC Extension on the MPLS link. Set Shutdown to a Device Specific
variable of bgp_shutdown. Set AS Number to a global value of 65534. This will be the AS
number on our Site500-cE1 for BGP Peering

3. Under Unicast Address Family, set the Maximum Paths to 2. Click on the Network tab and click
on New Network. Enter the Network Prefix as a global value of 10.1.9.0/24 and click on Add.
This is the subnet which will be advertised in BGP

4. Under Neighbor, click on New Neighbor and enter details as per the table below. Click on Add
(don’t miss this - far right corner) to Add the Neighbor details and then click on Save (bottom-
middle of the screen) to Save this template.

Section  | Field          | Global or Device Specific (drop down) | Value
Neighbor | Address        | Global                                | 10.1.8.1
Neighbor | Remote AS      | Global                                | 65535
Neighbor | Address Family | Global                                | On
Neighbor | Address Family | Global                                | ipv4-unicast

Updating the VPN and Device Templates


We will start by updating the existing VPN 0 template for Site 500 (Branch3_Site500_cE1_cE2_VPN0) so
that its default route gets a second next hop pointing at the neighbouring router's TLOC Extension
interface (i.e., 10.2.8.1 on Site500-cE1 and 10.1.9.1 on Site500-cE2). With that next hop, each router
can reach the other router's transport over the cross link when its own transport fails.

1. Navigate to Configuration => Templates => Feature tab on the vManage GUI. Search for
Branch3_Site500_cE1_cE2_VPN0. Click on the three dots next to it and choose to Edit

2. Scroll down to the IPv4 Route section and click on the pencil icon next to 0.0.0.0/0 route to edit
it.

3. Click on 1 Next Hop in the Update IPv4 Route popup

4. Click on Add Next Hop and set the new hop address to Device Specific with a name of
tloc_ext_next_hop_ip. Click on Save Changes.

5. Click on Save Changes again, making sure that the Update IPv4 Routes field now shows 2 Next
Hop. Click Update >> Next.

6. Populate the details for the Address (tloc_ext_next_hop_ip) for the two cEdges. Site500-cE1
should have 10.2.8.1 and Site500-cE2 should have 10.1.9.1 as the next hop IP. Click on Next

7. You can view the side-by-side configuration if needed and click on Configure Devices. Click
Confirm.

8. Navigate to Configuration => Templates on the vManage GUI. Make sure you’re on the Device
tab and locate the Branch_Dev_Temp_Site_500 template. Click on the three dots next to it and
choose to Edit

9. Under Transport & Management VPN, click on BGP under Additional VPN 0 Templates. Click on
VPN Interface twice to add two VPN Interfaces over on the left-hand side. Populate the BGP
template we created in the BGP field (named Branch3_Site500-cE1_Mpls_Bgp_Tloc). Populate
Branch3_Site500_Tloc_no_tunnel_Gig4 under the first VPN Interface and
Branch3_Site500_Tunn_no_tlocext under the second VPN Interface. Click on Update.

10. Click on the three dots next to Site500-cE1 and choose Edit Device Template. Enter the details
as shown in the table below, referencing the image, and click on Update.

Field                                    | Value
Interface Name (if_name_tunn_notlocext)  | GigabitEthernet1
IPv4 Address (if_ipv4_address_tunn)      | 10.2.8.2/24
Color (tloc_if_tunnel_color_value)       | biz-internet
Restrict (tloc_if_tunnel_color_restrict) | Checked
IPv4 Address (if_ipv4_address_notunn)    | 10.1.9.1/24
Shutdown (bgp_shutdown)                  | Not Checked
TLOC Extension (Vpn0_tloc_ext_intf)      | GigabitEthernet2

11. Click on the three dots next to Site500-cE2 and choose Edit Device Template. Enter the details
as shown in the table below, referencing the image, click on Update and then click on Next.

Field                                    | Value
Interface Name (if_name_tunn_notlocext)  | GigabitEthernet2
IPv4 Address (if_ipv4_address_tunn)      | 10.1.9.2/24
Color (tloc_if_tunnel_color_value)       | mpls
Restrict (tloc_if_tunnel_color_restrict) | Checked
IPv4 Address (if_ipv4_address_notunn)    | 10.2.8.1/24
Shutdown (bgp_shutdown)                  | Checked
TLOC Extension (Vpn0_tloc_ext_intf)      | GigabitEthernet1

12. View the side-by-side configuration (optional) and click on Configure Devices. Confirm the
configuration change on 2 devices.
13. From the vManage GUI, navigate to Configuration => Templates. On the Feature tab, search for
Branch3_Site500_primary_uplink template and make a copy of it, renaming to
Branch3_Site500_primary_uplink_nat and updating the description accordingly

14. Click on the three dots next to the new Branch3_Site500_primary_uplink_nat template and
choose to Edit. Set NAT to a global value of On and click on Update

15. Make sure you’re on the Configuration => Templates Device tab and locate the
Branch_Dev_Temp_Site_500 template. Make a copy of it, renaming to
Branch_Dev_Temp_Site_500_nat and updating the description accordingly

16. Choose to Edit the newly created Branch_Dev_Temp_Site_500_nat via the three
dots next to it and update the VPN Interface field under Transport & Management VPN to
reflect the VPN Interface template we created in step 14. The name of the newly created VPN
Interface template is Branch3_Site500_primary_uplink_nat . Click on Update

17. Click on the three dots next to the Branch_Dev_Temp_Site_500_nat device template and click
on Attach Device. Choose the Site500-cE2 device and Attach it. Click Next/Configure Device as
the prompts pop up (nothing will need to be populated since we’re using a device template
copied from before with NAT set to on)

Activity Verification

1. To verify that the configuration is working, log in to the CLI of Site500-cE1 and Site500-cE2.
Issue the same commands as before and compare with the output taken at the start of this section.
You will observe two TLOCs on each edge: the directly connected transport and the one extended from
the neighbouring router.

show sdwan control connections

show sdwan bfd sessions

This completes the configuration and verification for TLOC Extension at Site 500.

Hub and Spoke Topology

Overview
Cisco SD-WAN builds out a full mesh network between sites by default for all VPNs. This might not be
desirable in some cases, where there is a requirement of a Hub and Spoke or a partial mesh topology.

Cisco SD-WAN policies allow us to enforce a custom topology, thereby controlling the data flow within
our network. We will set up a Hub and Spoke topology for VPN 11 at all branch sites, steering traffic
via the DC site (or the DR site if the DC is down), from where it is routed on to its destination.
Other VPNs in the network retain full-mesh connectivity. First, let's check the current connectivity.

1. Log in to the vManage GUI and navigate to Monitor => Network. Click on Site500-cE1 and scroll
down to Troubleshooting. Click on it and then choose Trace Route.

2. Enter the Destination IP as 100.111.40.1, choose VPN as VPN - 11 and populate the
Source/Interface as Loopback11. Click on Start. You will notice that traffic is flowing directly
between the two sites (i.e. Site 400 and Site 500) in VPN 11 (if there are multiple hops shown in
the image in your POD, run the test again)

3. Log in to the console of Site400-cE1 by going to POC tool >> Site 400 >> right click Site400-cE1 >>
Console. Run the command below. The routes point directly to the branches.

show ip route vrf 11

Note: We only test inter-site traffic in this section. If you also want internet-bound traffic to go
via the hubs, make sure the hub advertises a default route into the overlay for that VPN segment.

Creating the Policy


We will now start enforcement of the Hub and Spoke topology via Control Policies. This is kicked off by
creating a Policy which encompasses various Network Constructs (like Site Lists, VPN Lists etc.) that are
used within the Policy.

Configuring Network Constructs

1. First, we will create our Network Constructs. Click on Configuration => Policies in the vManage
GUI to start configuring the Policy. Click Centralized Policy >> Add Policy.

2. We will create a Site List. Click on Sites and then choose New Site List. Give it a name of
Branches and enter 300,400,500 in the Add Site section. Click on Add.

3. Nine more Site Lists need to be created in a similar fashion. Some won't be used right now, but
it's best to create them while we're here. Use the table and images below as reference points.

Site List Name | Add Site
DC             | 100
DR             | 200
Sites_100_200  | 100, 200
Site300        | 300
Site400        | 400
Site500        | 500
Site_100_300   | 100, 300
Fabric         | 100, 200, 500
All Sites      | 100, 200, 300, 400, 500

4. Click on VPN on the left-hand side and click on New VPN List. Specify the VPN List Name as
VPN10 and enter 10 under Add VPN. Click on Add.

5. Repeat Step 4 two more times to create VPN Lists for VPN11 and VPN12. They will
have VPNs of 11 and 12 associated with them, respectively

6. Click on TLOC on the left-hand side then click on New TLOC List. Give a List Name of HUB-TLOCs.
Specify the following values (click Add TLOC 7 times - this will add the number of rows we need).
We will give a preference of 100 for TLOCS of DC and preference of 50 for TLOCS of DR to have
seamless transition in case of DC being down.

7. Click Next.
Configuration of the Network Constructs is complete for our Control Policy. These will be used as
building blocks for our policies. Configuration of the policy itself will continue in the next section
(carrying on from the page we’re at in the vManage GUI).
Adding a Custom Control Policy
Continuing from the previous section, let’s build out our Custom Control Policy to enforce a Hub and
Spoke Topology on VPN 11.

1. You should be at the Configure Topology and VPN Membership page after the previous section.
Click on Add Topology and choose Custom Control (Route & TLOC)

2. Specify a Name of HnS-VPN11 with a Description of Hub and Spoke for VPN 11 only. Click on
Sequence Type and choose to add a Route Control Policy.

3. Click on Sequence Rule to add a new rule. Under Match click on Site and populate Branches in
the Site List. click on VPN and choose VPN11 in the VPN List

4. Move over to the Actions tab and click on Accept. Then click on TLOC and populate HUB-TLOCs in
the TLOC List. Click on Save Match and Actions.

5. Go to the Default Action and click on Accept. Click Save Match and Actions. Click Save Control
Policy

6. Click Next >> Next

7. Enter a Policy Name of Hub-n-Spoke-VPN11-only and give a Policy Description of Hub and
Spoke policy for VPN 11 only. Click on New Site List under HnS-VPN11 and populate Branches in
the Outbound Site List. Click on Add. Click on Save Policy

Note: Control Policies (such as the one you just built) are enforced by vSmart. Hence, the policy you just
created is from the perspective of vSmart. The application of this policy is enforced in an outbound
direction towards branch sites (i.e., Branches Site List). Think of how a BGP Route-Reflector would modify
the next-hop of routes it receives before sending them back out to neighbors.

8. Back at the main Policy page, we should see the Hub-n-Spoke-VPN11-only Master Policy
created. Click on the three dots next to it and choose to Activate the policy, Click Activate

This completes our policy creation and activation. We will verify functionality in the upcoming section.

Activity Verification

1. On the vManage GUI, go to Monitor => Network and click on Site500-cE1 scroll down to
Troubleshooting. Click on it and then choose Trace Route.

2. Enter the Destination IP as 100.111.40.1, choose VPN as VPN - 11 and populate the
Source/Interface as Loopback11. Click on Start. You will notice that traffic between the two sites
(i.e., Site 400 and Site 500) in VPN 11 now flows via the HUB (if the trace in your POD does not match
the image, run the test again).

3. Log in to the console of Site400-cE1 by going to POC tool >> Site 400 >> right click Site400-cE1 >>
Console. Run the command below. The routes now point to the Hub.

show ip route vrf 11

4. Deactivate the policy after testing. Back at the main Policy page, locate the
Hub-n-Spoke-VPN11-only Master Policy. Click on the three dots next to it and choose to Deactivate the
policy, then click Deactivate.

Data Center Preference

Overview
Using policies, different sets of branches can prefer different data centers; this section also shows
how DC failover takes place in that context.
1. Prefix 100.100.100.0/24 is advertised into the overlay routing table for VPN 10 from both Site 100
and Site 200. Examine the OMP table for VPN 10 on node Site400-cE1 by going to vManage >> Monitor >>
Network >> Site400-cE1 >> Real Time >> under Device Options search for OMP Received Routes >> Show
Filters >> set VPN ID to 10.
a. The device should have entries for 100.100.100.0/24 pointing to all TLOCs of Site 100 and Site 200.
Look for routes with status C I R (Chosen, Installed, Resolved).

2. Perform the same operation as Step 1 on other WAN Edge Site300-cE1.

3. Simulate flows to confirm connectivity by going to vManage >> Monitor >> Network >> Site400-cE1 >>
Troubleshooting >> Simulate Flows. Select the options as in the screenshot: VPN: VPN 10, Source for
VPN 10: Loopback10, Source IP: 10.110.40.1, Destination IP: 100.100.100.100. You can see 8 paths
available.

4. Perform the same operation as Step 3 on other WAN Edge Site300-cE1.


Policy Creation to Load Balance DC between Sites
In this section we will create a policy to
• Make Site 300 use Site 100 as DC and Site 200 as DR.
• Make Site 400 use Site 200 as DC and Site 100 as DR.

1. Navigate to Configuration >> Policies >> Add Policy >> Click TLOC from the left-side panel >>
Click New Tloc List >> Give a List Name of TLOC_Site200_Preference. Specify the following
values (click Add TLOC 7 times - this will add the number of rows we need). We will give a
preference of 100 for TLOCS of Site 200 and preference of 50 for TLOCS of Site 100.

TLOC IP  | Color        | Encap | Preference
1.1.10.1 | biz-internet | ipsec | 50
1.1.10.1 | mpls         | ipsec | 50
1.1.10.2 | biz-internet | ipsec | 50
1.1.10.2 | mpls         | ipsec | 50
1.1.20.1 | biz-internet | ipsec | 100
1.1.20.1 | mpls         | ipsec | 100
1.1.20.2 | biz-internet | ipsec | 100
1.1.20.2 | mpls         | ipsec | 100

Click Next

2. Click New Tloc List >> Give a List Name of TLOC_Site100_Preference. Specify the following
values (click Add TLOC 7 times - this will add the number of rows we need). We will give a
preference of 100 for TLOCS of Site 100 and preference of 50 for TLOCS of Site 200.

TLOC IP  | Color        | Encap | Preference
1.1.10.1 | biz-internet | ipsec | 100
1.1.10.1 | mpls         | ipsec | 100
1.1.10.2 | biz-internet | ipsec | 100
1.1.10.2 | mpls         | ipsec | 100
1.1.20.1 | biz-internet | ipsec | 50
1.1.20.1 | mpls         | ipsec | 50
1.1.20.2 | biz-internet | ipsec | 50
1.1.20.2 | mpls         | ipsec | 50

3. Click Next
4. You should be at the Configure Topology and VPN Membership page after the previous section.
Click on Add Topology and choose Custom Control (Route & TLOC)

5. Specify a Name of Site200_Preference with a Description of Prefer Site 200. Click on Sequence
Type and choose to add a Route Control Policy.

6. Click on Sequence Rule to add a new rule. Under Match click on Site and populate
Sites_100_200 in the Site List.

7. Move over to the Actions tab and click on Accept. Then click on TLOC and populate
TLOC_Site200_Preference in the TLOC List. Click on Save Match and Actions

8. Go to the Default Action and click on Accept. Click Save Match and Actions. Click Save Control
Policy

9. Click on Add Topology and choose Custom Control (Route & TLOC)

10. Specify a Name of Site100_Preference with a Description of Prefer Site 100. Click on Sequence
Type and choose to add a Route Control Policy.

11. Click on Sequence Rule to add a new rule. Under Match click on Site and populate
Sites_100_200 in the Site List.

12. Move over to the Actions tab and click on Accept. Then click on TLOC and populate
TLOC_Site100_Preference in the TLOC List. Click on Save Match and Actions

13. Go to the Default Action and click on Accept. Click Save Match and Actions. Click Save Control
Policy

14. Click Next >> Next

15. Enter a Policy Name of DC_Preference and give a Policy Description of Determine DC preference:
Site 300 prefers Site 100 / Site 400 prefers Site 200. Click on New Site List under Site100_Preference
and populate Site300 in the Outbound Site List. Click Add.

16. Click on New Site List under Site200_Preference and populate Site400 in the Outbound Site List.
Click on Add. Click on Save Policy. Each topology is applied outbound only towards the site list you
chose, which is what gives the two branches different preferences for the same prefix.

17. Back at the main Policy page, we should see the DC_Preference Master Policy created. Click on
the three dots next to it and choose to Activate the policy, Click Activate

Activity Verification
1. Examine the OMP table for VPN 10 on node Site400-cE1 by going to vManage >> Monitor >> Network >>
Site400-cE1 >> Real Time >> under Device Options search for OMP Received Routes >> Show Filters >>
set VPN ID to 10.
a. The device still has entries for 100.100.100.0/24 pointing to all TLOCs of Site 100 and Site 200,
but the routes with status C I R (Chosen, Installed, Resolved) are now only those towards Site 200.

2. Perform the same operation as Step 1 on the other WAN Edge, Site300-cE1: there the C I R routes
point only towards Site 100.

3. Simulate flows to confirm connectivity by going to vManage >> Monitor >> Network >> Site400-cE1 >>
Troubleshooting >> Simulate Flows. Select the options as set in the screenshot. You now see only 4
paths available, all via Site 200.

4. Go to POC Tool, Select Site 200. Right click on the Site200-cE1 >> Stop >> Ok. Perform the same
Steps for Site200-cE2.

5. Perform the Simulate Flows test again on Site400-cE1 as done in Step 3; now you should see
automatic failover to the Site 100 TLOCs.

6. Go to POC Tool, Select Site 200. Right click on the Site200-cE1 >> Start. Perform the same Steps
for Site 200-cE2.

7. The same tests (Steps 3-6) can be performed for Site300-cE1 as well (optional).

Deactivate the policy after testing. Back at the main Policy page, find the DC_Preference
Master Policy. Click on the three dots next to it and choose Deactivate the policy, then click
Deactivate.

Regional Hub

Overview
A regional hub can be used to simplify the design of the SD-WAN fabric: branches connect to the regional hubs for
Internet breakout, services, or fabric connectivity. Think of the hub as a flexible routing and switching
fabric that aggregates connections from different domains. In this lab, we will be using policy to
establish fabric connectivity for VPN10 in Site300 through Site400.

We will be using the following constructs to build the policy.
• Site List
• Policy for Traffic from Site300 to the Regional Hub
• Policy for Traffic from the Fabric to Site 300

Policy for Traffic from Site300 to the Regional Hub


1. On vManage, navigate to Configuration > Policy> Centralized Policy Tab. Click on Add Policy.
We will be using existing site lists which were created during previous exercises. Click on Next to
navigate to Configure Topology and VPN Membership step.

2. Click on Add Topology and choose to add a Custom Control (Route and TLOC) topology.

3. Enter the Policy Name as “Site300-to-RH” and a Description of “Site 300 to Regional Hub at Site
400”. Click on Sequence Type and choose TLOC.

4. Choose to add a Sequence Rule and click on Site under Match. Select the Site List as Site400.

5. Go to the Actions tab and choose Accept. Click on Save Match and Actions.

6. Click on Sequence Type again and click on Route.

7. Click on Sequence Rule and go to the Actions tab. Choose Accept, then click on TLOC. Click on
the TLOC List and choose New TLOC List from the drop-down.

8. Enter RH400 as the List Name and choose to Add TLOC. This should give two
rows. The TLOC IP is 1.1.40.1 (in both rows) and the Encap is ipsec. One row should have the
color bizinternet whereas the other row should have mpls. Click on Save.

9. Click on the drop-down for the TLOC List and choose the RH400 List we just created. Click on
Save Match and Actions.

10. Verify the configuration looks like the image below and click on Save Control Policy. Note that
there are two Sequence Types - a TLOC and a Route, along with the Default Action.

Policy for Traffic from the Fabric to Site300


1. At the Configure Topology and VPN Membership page, click on Add Topology to add another
Custom Control (Route & TLOC) policy.

2. Enter the Policy Name as “Fabric-to-Site300” with a Description of “Fabric traffic to Site 300”.
Click on Sequence Type and choose TLOC. Click on Sequence Rule and select Site under Match.
Populate Site300 in the Site List. Leave Action as Reject, then click on Save Match and Actions.

3. Click on Sequence Type again and choose Route. Click on Sequence Rule and choose Site under
the Match tab. Populate Site300 in the Site List. Click on the Actions tab and choose Accept.
Click on TLOC and populate RH400 from the TLOC List drop down. Click on Save Match and
Actions.

4. Click on Default Action and choose Accept. Save Match and Actions to complete configuration
of this Control Policy and click on Save Control Policy.

Saving and Activating the Policy

1. Click on Next twice to navigate to Apply Policies to Sites and VPNs. Enter the
Policy Name as “Site300-Regional-Hub-Site400” and the Description as “Regional Hub Policy
for Site 300”.

2. Under the Fabric-to-Site300, click on New Site List and populate Fabric in the Outbound Site
List. Click on Add.

3. Under the Site300-to-RH, click on New Site List and populate Site300 in the Outbound Site List.
Click on Add and then click on Save Policy.

This completes the configuration of the policy for routing Site300 traffic through the Regional Hub. At
Configuration > Policy > Centralized Policy, scroll down to Site300-Regional-Hub-Site400. Click on the
three dots on the far right and choose Activate.

Verification

1. On the vManage GUI, navigate to Monitor => Network and click on Site300_cE1. Scroll down to
Troubleshooting (on the left-hand side) and click on Trace Route. Enter the Destination IP as
10.10.1.100 with a VPN of VPN10 and a Source/Interface of ge0/3. Click on Start.

Notice that the traffic destined for the Site100 Service Side VPN is going through Site400
(10.2.7.2/10.1.7.2). On vManage, navigate to Configuration > Policy> Centralized Policy, scroll down to
Site300-Regional-Hub-Site400. Click on the three dots on the far right and choose Deactivate.

2. Navigate to Monitor => Network and click on Site300_cE1. Scroll down to Troubleshooting (on
the left-hand side) and click on Trace Route. Enter the Destination IP as 10.10.1.100 with a VPN
of VPN10 and a Source/Interface of ge0/3. Click on Start and notice that the traffic destined to fabric
sites no longer goes through Site400 and reaches the destination directly.

This completes the configuration and verification of our Regional Hub scenario. This design can also
be used for regional Internet breakouts and service insertion (firewall/IPS).

Site 300 – DIA

Overview
Direct Internet Access can be enabled in a variety of ways using the Cisco SD-WAN solution. In this lab,
two options are pursued to demonstrate the flexibility with which this can be managed:

• A static route in the Service VPN pointing to a locally configured exit interface on the node.

• The use of a Data Policy that allows for a great degree of flexibility in deciding how an Internet
breakout can be enabled for a variety of traffic sources and destinations, along with the ability
to rely on a backup (backup covered in a later test case)

Enable DIA for Site300 Service VPN10 – Using Static Route


1. Launch the PoC tool. Navigate to Topology View >> Site 300 >> Right click on Site300-
Ubuntu-VPN10 and choose Console. Open the Firefox or Chromium browser and enter
www.cisco.com; it will fail as there is no Internet access. To enable Internet access for users in
Site300 VPN10, we will add a default route in VPN 10 pointing to VPN 0 and enable NAT overload
on the VPN 0 Internet interface.

2. On vManage, navigate to Configuration > Templates > Feature, search for Site300. Sort the
templates by name and find the one named Branch1_Site300_VPN10.

3. Click on the three dots on the far-right side and choose Edit.

4. Scroll down to IPv4 Route and click on New IPv4 Route. Enter the Prefix value as 0.0.0.0/0,
choose “VPN” for Gateway and select “On” for Enable VPN section as shown below and click
Add:

5. Click on Update to save the changes.


6. On the Configuration > Templates > Feature tab, search for Site300. Sort the templates by
name and find the one named Branch1_Site300_INET_Gig1. Click on the three dots on the
far-right side and choose Edit.

7. Scroll down to NAT. Under the IPv4 section, set the NAT field to “On”
and choose “Interface” for NAT Type.

8. Click on Update to save changes.

This completes Direct Internet Access configuration for VPN 10 users in Site 300. Go back to the
Topology View>> Site 300>> Right click on Site300-Ubuntu-VPN10 machine and verify internet access
by browsing to www.cisco.com.

9. Remove the static route from Branch1_Site300_VPN10. Confirm the lack of internet access on
the Ubuntu host.

Enable DIA for Site300 Service VPN10 – Data Policy


1. On vManage, navigate to Configuration > Policy> Centralized Policy Tab. Click on Add Policy.

2. Scroll down, choose Data Prefix, and click on New Data Prefix List to create a list for the Site300 VPN 10
network. Enter Site300_VPN10_List as the Data Prefix List Name, IPv4 as the Internet Protocol and
10.30.1.0/24 as the Data Prefix as shown below and click Add.

3. Click Next twice and make sure you are on Configure Topology and VPN Membership section.
Click on Traffic Data> Add Policy> Create New as shown below.

4. On the Add Data Policy screen, enter the Name as “Site300_VPN10_Direct_Internet_Access”
and Description as “Local breakout from Site 300”. Click on Sequence Type and choose Custom.

5. Go to the Match tab, click on Source Data Prefix. Search and select Site300_VPN10_List as
Source Data Prefix List under Match Conditions.

6. Go to the Actions tab and click on Accept. Click on NAT VPN and then Save Match and Actions.

7. Click on Default Action on the left side of the screen. Make sure it is set to Accept and click Save
Match and Actions.

8. Click Save Data Policy and click Next. On the Apply Policies to Sites and VPNs section enter the
Policy Name as “Site300_Direct_Internet_Access” and Description as “direct internet access for
VPN 10”.

9. Go to the “Traffic Data” tab. Under Site300_VPN10_Direct_Internet_Access, click
on New Site List and VPN List. Select From Service, choose Site300 for Select Site List and
VPN10 for Select VPN List. Click on Add, then click on Save Policy.

10. On the Centralized Policy screen, find Site300_Direct_Internet_Access policy. Click on the Three
Dots on far right and choose Activate.

11. Go back to the Topology View>> Site 300>> Right click on Site300-Ubuntu-VPN10 machine and
verify internet access by browsing to www.cisco.com.

This concludes the DIA configuration using data policy for Site 300. Navigate to Configuration > Policy >
Centralized Policy tab. Find the Site300_Direct_Internet_Access policy. Click on the three dots on the far right
and choose Deactivate.

Application Aware Routing

Overview
Using Application Aware Routing (AAR) we can steer business-critical applications onto a preferred
transport as long as that transport meets the configured SLA thresholds.

Application-aware routing tracks network and path characteristics of the data plane tunnels between
Cisco SD-WAN devices and uses the collected information to compute optimal paths for data traffic.
These characteristics include packet loss, latency, and jitter, and the load, cost, and bandwidth of a link.

We will create the following:

• Two SLA classes, one defined to manage Critical Apps (DSCP 46) and one to manage Priority
apps (DSCP 41-31-21).
• SLA class DSCP46 has a preferred color of MPLS and SLA Class DSCP 41-31-21 doesn’t have a
preferred color. This means that the latter will use any path that supports the required SLA.

Note: In the case where an SLA class is specified with no path preference, data traffic that matches the
SLA is forwarded as long as one tunnel interface is available. The algorithm will first attempt to use a path
that matches the SLA. If a single path matches the SLA, data traffic is sent using that. If two or more paths
match, traffic is distributed among them. If no path matches the SLA, data traffic is simply sent through
one of the available paths. The behavior can be configured to decide what should be done in case no
matching paths are available using the Strict option.
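The path-selection rule in the note above, and the "backup SLA preferred color" used later for the SIP rule, can be modelled in a few lines. The block below is an added illustration for this guide, not Cisco code and not the exact algorithm a WAN Edge runs: the SLA thresholds are the lab's Critical_Apps and Priority_Apps values, while the per-tunnel loss, latency and jitter measurements are constructed sample values.

```python
"""Simplified model of Application-Aware Routing (AAR) path selection.

Added illustration for this guide, not Cisco code. It models the rule
described in the note: use the preferred color when it meets the SLA
class, fall back to any SLA-compliant tunnel (several are load-shared),
and when no tunnel meets the SLA use the backup SLA preferred color if
one is set, drop when Strict is enabled, or otherwise use any tunnel
that is up. Tunnel measurements below are constructed samples.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SlaClass:
    name: str
    loss_pct: float   # maximum acceptable packet loss, in percent
    latency_ms: int   # maximum acceptable latency
    jitter_ms: int    # maximum acceptable jitter


@dataclass(frozen=True)
class Tunnel:
    color: str        # TLOC color of the transport ("mpls", "biz-internet")
    loss_pct: float   # measured loss (from BFD probes)
    latency_ms: int
    jitter_ms: int
    up: bool = True


# SLA classes with the values created in the "Create Policy for AAR" steps.
CRITICAL_APPS = SlaClass("Critical_Apps", loss_pct=2, latency_ms=50, jitter_ms=100)
PRIORITY_APPS = SlaClass("Priority_Apps", loss_pct=7, latency_ms=150, jitter_ms=100)


def lab_tunnels(mpls_latency_ms: int = 20, inet_latency_ms: int = 40) -> List[Tunnel]:
    """Constructed measurements for Site 300's two tunnels; latency is a
    parameter so the WAN emulator impairment can be simulated."""
    return [
        Tunnel("mpls", loss_pct=0.0, latency_ms=mpls_latency_ms, jitter_ms=5),
        Tunnel("biz-internet", loss_pct=0.5, latency_ms=inet_latency_ms, jitter_ms=10),
    ]


def meets_sla(tunnel: Tunnel, sla: SlaClass) -> bool:
    """A tunnel conforms when it is up and every measurement is within the SLA."""
    return (tunnel.up
            and tunnel.loss_pct <= sla.loss_pct
            and tunnel.latency_ms <= sla.latency_ms
            and tunnel.jitter_ms <= sla.jitter_ms)


def select_paths(tunnels: List[Tunnel], sla: SlaClass,
                 preferred_color: Optional[str] = None,
                 backup_color: Optional[str] = None,
                 strict: bool = False) -> List[str]:
    """Return the colors that traffic matching `sla` is forwarded over.

    An empty list means the traffic is dropped (Strict with no SLA match).
    """
    compliant = [t for t in tunnels if meets_sla(t, sla)]
    # 1. The preferred color wins as long as it conforms to the SLA.
    if preferred_color and any(t.color == preferred_color for t in compliant):
        return [preferred_color]
    # 2. Otherwise any conforming path; multiple paths are load-shared.
    if compliant:
        return [t.color for t in compliant]
    # 3. No path conforms: backup SLA preferred color, else Strict drops,
    #    else traffic is sent over whatever is up.
    available = [t for t in tunnels if t.up]
    if backup_color and any(t.color == backup_color for t in available):
        return [backup_color]
    if strict:
        return []
    return [t.color for t in available]
```

With healthy tunnels, `select_paths(lab_tunnels(), CRITICAL_APPS, preferred_color="mpls")` returns only mpls; raising the MPLS latency to 100 ms, as the WAN emulator step does later, pushes DSCP 46 traffic onto biz-internet, while Priority_Apps traffic (latency threshold 150 ms) is still shared across both colors.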

Create Localized Policy to enable Deep Packet Inspection (DPI)


The app-visibility setting enables NBAR to identify the application of each flow coming to the router from all VPNs
on the LAN side. If either app-visibility or app-visibility-ipv6 is defined, NBAR is enabled globally for both IPv4
and IPv6 flows.

1. Navigate to Configuration >> Policies >> Localized Policies >> Add Policy

2. Click Next five times.

3. Enter the name of the Policy DPI_Visibility along with description Enable app visibility. Check
the option “Application”. Click Save Policy.

4. Navigate to Configuration >> Templates >> Search for “Branch_Dev_Temp_Site_300” >> Click
on the 3 dots on the right >> Click Edit.

5. Click Additional Templates >> And select the policy “DPI_Visibility” >> Click Update.

6. Perform Steps 4 and 5 for the template Primary_DC_Dev_Temp_Site_100. We will enable
app-visibility on Site100-cE1 and Site100-cE2.

Note: In this case we are using aggressive BFD timers for testing. If the BFD timers are modified
from their defaults, this should be reviewed with a Cisco SD-WAN TSA before use in production.

Create Policy for AAR
1. Navigate to Configuration => Policies=> Centralized Policy and click Add Policy. Select SLA Class
from left-side pane and click New SLA Class List.

2. Give the SLA Class a Name of Priority_Apps and specify the Loss % as 7. Enter 150 for the
Latency and 100 for the Jitter. Click on Add.

3. Click New SLA Class List again and give the SLA Class a Name of Critical_Apps and specify the
Loss % as 2. Enter 50 for the Latency and 100 for the Jitter. Click on Add.

4. Click Data Prefixes >> New Data Prefix List >> Give the Data Prefix a name of
VPN10_Site300_Prefixes >> Select Internet Protocol IPv4 >> Enter the Add Data prefixes values
as 10.30.1.0/24, 100.110.30.1/32 >> Click Add

5. Click Applications >> New Application List >> Give the application name of SIP >> Select
Application radio button >> Select Session Initiation Protocol under Select Application >> Click
Add

6. Click on Next twice (till you get to the Configure Traffic Rules page) and click on Add Policy
under Application Aware Routing >> Click Create New

7. Give this AAR Policy a name of VPN10_AAR and a Description of SLA-based
routing for DSCP46 (prefer MPLS) and DSCP41-31-21 Applications (no preferred color) on
VPN10. Click on Sequence Type and then click on Sequence Rule. Under Match, select DSCP and Source Data
Prefix and enter a DSCP value of 46 along with the Source Data Prefix VPN10_Site300_Prefixes
under Match Conditions.

8. Click on the Actions tab and choose SLA Class List. Select the Critical_Apps SLA Class and set the
Preferred Color to mpls. Click on Save Match and Actions.

9. Select the App Route on Left-Side Pane >> Click on 3 dots >> Click Rename >> Rename it to DSCP
46.

10. Click on Sequence Type and then click on Sequence Rule. Under Match, select
DSCP and enter a DSCP value of 41 under Match Conditions.

11. Click on the Actions tab and choose SLA Class List. Select the Priority_Apps SLA Class and leave the
Preferred Color blank. Click on Save Match and Actions.

12. Click on Sequence Rule. Under Match, select DSCP and enter a DSCP value of 31 under Match
Conditions. Click on the Actions tab and choose SLA Class List. Select the Priority_Apps SLA Class
and leave the Preferred Color blank. Click on Save Match and Actions.

13. Click on Sequence Rule. Under Match, select DSCP and enter a DSCP value of 21 under Match
Conditions. Click on the Actions tab and choose SLA Class List. Select the Priority_Apps SLA Class
and leave the Preferred Color blank.

14. Select the App Route on the Left-Side Pane >> Click on 3 dots >> Click Rename >> Rename it to
DSCP41-31-21.

15. Click on Save Match and Actions. After Steps 10 to 13 it should look like the image below.

16. Click on Sequence Type and then click on Sequence Rule. Under Match, select
Application/Application Family List and select the Application/Application Family value of SIP under
Match Conditions.

17. Click on the Actions tab and choose SLA Class List. Select the Critical_Apps SLA Class and set the
Preferred Color to biz-internet. Additionally, select Backup SLA Preferred Color and set it to
mpls. Click on Save Match and Actions.

18. Click on Save Application Aware Routing Policy. Click Next

19. At the Apply Policies to Sites and VPNs page, give the Policy a Name of
SLA_Routing_for_Critical_and_Priority_Apps and a Description of SLA-based routing for
DSCP46 (prefer MPLS) and DSCP41-31-21 Applications (no preferred color) on VPN10. Click on
the Application Aware Routing tab and click on New Site List and VPN List. Under Select Site List
choose AllSites. Under Select VPN List choose VPN10. Click on Add

20. Click Save Policy.

21. Click on the three dots next to the SLA_Routing_for_Critical_and_Priority_Apps policy we just
created and choose to Activate it.

Activity Verification
We will demonstrate how traffic takes the MPLS or Internet path depending on the color preference set
(where applicable) and the SLA match.

1. Use WAN Emulator 1 on Site 300 to create the WAN impairment required to
make the MPLS path stop conforming to the configured SLA. On POC Tool, navigate to the site,
right-click Site300-WANEmu1, and then select Edit. Click Interfaces, choose eth0, and define the
impairment (for example, a latency of 100 ms). Click OK to close the window and click on Deploy
to commit the changes.

2. Navigate to Monitor >> Network >> Branch1_Site300_CE1 >> Troubleshooting >> Simulate
Flows in VPN 10 to destination 100.110.40.1. Flows tagged with DSCP31 and 41 are evenly
divided across the MPLS and Internet TLOCs. DSCP46 should now use Internet (GigabitEthernet
1 as the output interface) as the SLA is not being met on the MPLS transport. (Wait for around 5 minutes
after adding latency.)

3. Remove the WAN impairment across the MPLS path and monitor the path using Simulate Flows.
The solution should now send flows tagged DSCP 46 over MPLS again. To remove the impairment, on
POC Tool, navigate to the site, right-click Site300-WANEmu1 and select Edit. Click Interfaces,
choose eth0, and delete the impairment parameters. Click OK to close the window and click on
Deploy to commit the changes.

4. Navigate to Monitor >> Network >> Branch1_Site300_CE1 >> Troubleshooting >> Simulate
Flows in VPN 10 to destination 100.110.40.1. The DSCP46-tagged flow should now prefer mpls.
(Wait for around 5 minutes after removing latency.)

5. Deactivate the SLA_Routing_for_Critical_and_Priority_Apps policy by going to Configuration >>
Policies >> Search for “SLA_Routing_for_Critical_and_Priority_Apps” >> Click on 3 dots >>
Deactivate >> Deactivate.

WAN QoS

Overview
While Application Aware Routing allows us to choose the path taken by traffic and switch paths based
on SLA parameters, QoS strategies in SD-WAN allow packets to be marked with standard DSCP values
which are then utilized to prioritize packets accordingly.

We will demonstrate the following:

• QoS on a WAN Edge device by generating traffic across several traffic classes.
• The use of a Data Policy to perform classification, marking and policing.

To ensure that this test is as straightforward as possible, only Sites 100 and 300 will be used. In addition,
the internet path will not be used. This allows the focus to remain on a single path between two nodes
and the outcome of the associated QoS policy.

Prefer MPLS TLOC for Site 100 and 300


We will change the Preference for the MPLS TLOC to 100, so that traffic is routed via the MPLS rather than the
Internet uplink while testing QoS.

1. Navigate to Configuration >> Templates >> Feature, and then search for
“DC_Site100_MPLS_Gig2”. Click on 3 dots in front of the searched template and click Edit.

2. Click on Tunnel >> Advanced Options >> Set Preference to 100. Click Update, then click Next,
and then click Configure Devices.

3. Repeat the same steps 1 and 2 after searching for Branch1_Site300_MPLS_Gig2.

Add a Class List and QoS Map


1. On the vManage GUI, click on Configuration => Policies and choose the Localized Policy tab.
Click on Add Policy

2. Under Create Groups of Interest click on Class Map on the left-hand side. Click on
New Class List and specify the Class as REAL-TIME. The Queue should be 0. Click on Save

3. Click on New Class List and create 3 more Class Lists, as shown below. Remember to hit Save
after each Class List is created.

Class             Queue
STANDARD-DATA     1
BEST-EFFORT       2
DEFAULT-NO-DSCP   3

Once all the Class Lists are created, click on Next

4. The Class Lists are referenced in QoS Maps. Under Configure Forwarding Classes/QoS, make
sure you’re on the QoS Map tab and click on Add QoS Map

5. Give the QoS Map a Name of QoS_Map and a Description of QoS mapping (four classes). Click
on Add Queue. Specify the following details and click on Save Queue

Queue  Bandwidth %  Buffer %  Scheduling                  Drops         Forwarding Class
1      5            5         Weighted Round Robin (WRR)  Random Early  STANDARD-DATA (Auto Populated)

6. Click on Add Queue and add a couple more queues as per the table given below. Remember to
click on Save Queue after you’re done setting up the Queue

Queue  Bandwidth %  Buffer %  Scheduling                  Drops         Forwarding Class
2      5            5         Weighted Round Robin (WRR)  Random Early  BEST-EFFORT (Auto Populated)
3      85           85        Weighted Round Robin (WRR)  Random Early  DEFAULT-NO-DSCP (Auto Populated)

7. The QoS Map queues should look like the image below. Click on Save Policy to save your QoS
Map and then click on Next

Configure the IPv4 ACL Policy


1. Continuing from the QoS Map which we just built, you should now be at the Configure Access
Control Lists page. An ACL Policy can be used for classification of traffic on the LAN. Click on Add
Access Control List Policy and choose to Add IPv4 ACL Policy

2. Give the ACL Policy a Name of QoS_ACL and a Description of ACL to classify data packets into
appropriate forwarding classes. Click on Add ACL Sequence and then click on Sequence Rule.
Make sure you’re on the Match tab and click on DSCP. Enter a DSCP value of 46. This specifies
our match criteria

3. Click on the Actions tab and make sure the Accept radio button is selected. Click on Class and
select REAL-TIME which we created before. Click on Save Match and Actions

4. Click on Sequence Rule and follow the same procedure to create rules as per the following table.
Make sure that you click on Save Match and Actions once done creating each rule

DSCP   Class
48     REAL-TIME
41     STANDARD-DATA
10     BEST-EFFORT

5. Click on Sequence Rule. Make sure you’re on the Match tab and click on Source Data Prefix.
Click New Data Prefix List >> Enter the values as per the table >> Click Save

Data Prefix List Name     Data Prefix
VPN10_AllSiite_Prefixes   10.10.1.0/24, 10.20.1.0/24, 10.30.1.0/24, 10.40.1.0/24,
                          10.50.1.0/24, 100.110.10.1/32, 100.110.10.2/32, 100.110.20.1/32,
                          100.110.20.2/32, 100.110.30.1/32, 100.110.40.1/32,
                          100.110.50.1/32, 100.110.50.2/32

6. Enter the Source Data Prefix List value of VPN10_AllSiite_Prefixes that was created before. This
specifies our match criteria.

7. Click on the Actions tab and make sure the Accept radio button is selected. Click on Class and
select DEFAULT-NO-DSCP. Click on Save Match and Actions

8. Verify that the Access Control List Policy looks like the image below and click on Save Access
Control List Policy

9. Click on Next twice and you should be at the Policy Overview page, which continues in the next
section.
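The way the QoS_ACL built above sorts traffic into forwarding classes, and from there into the queues defined by the class lists, can be checked offline before applying it to an interface. The block below is an added illustration for this guide, not Cisco code: it evaluates the ACL sequences in the order they were created (first match wins), uses the lab's own class-to-queue mapping and the VPN10_AllSiite_Prefixes list, and treats traffic matching no sequence as falling through to the ACL's default action. The sample packets are constructed.

```python
"""Model of how the QoS_ACL localized policy classifies traffic.

Added illustration for this guide, not Cisco code. Sequences are
evaluated in order and the first match wins, as in the ACL built in the
lab. The class lists map each forwarding class to its queue. Traffic
matching no sequence falls through to the ACL's default action and is
reported here as unclassified (None). Sample packets are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Class lists from the "Add a Class List and QoS Map" section.
CLASS_QUEUE: Dict[str, int] = {
    "REAL-TIME": 0,
    "STANDARD-DATA": 1,
    "BEST-EFFORT": 2,
    "DEFAULT-NO-DSCP": 3,
}

# Data prefix list VPN10_AllSiite_Prefixes, exactly as entered in the lab.
VPN10_ALLSITE_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.10.1.0/24", "10.20.1.0/24", "10.30.1.0/24", "10.40.1.0/24",
    "10.50.1.0/24", "100.110.10.1/32", "100.110.10.2/32", "100.110.20.1/32",
    "100.110.20.2/32", "100.110.30.1/32", "100.110.40.1/32",
    "100.110.50.1/32", "100.110.50.2/32",
)]

# ACL sequences in the order created: match criteria -> forwarding class.
ACL_SEQUENCES: List[Tuple[dict, str]] = [
    ({"dscp": 46}, "REAL-TIME"),
    ({"dscp": 48}, "REAL-TIME"),
    ({"dscp": 41}, "STANDARD-DATA"),
    ({"dscp": 10}, "BEST-EFFORT"),
    ({"source_data_prefix": VPN10_ALLSITE_PREFIXES}, "DEFAULT-NO-DSCP"),
]


def in_prefix_list(address: str, prefixes) -> bool:
    """True when the address falls inside any prefix of the data prefix list."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in prefixes)


def rule_matches(match: dict, packet: dict) -> bool:
    """All match conditions of a sequence must hold (they are ANDed)."""
    for key, value in match.items():
        if key == "dscp" and packet["dscp"] != value:
            return False
        if key == "source_data_prefix" and not in_prefix_list(packet["src"], value):
            return False
    return True


def classify(packet: dict) -> Tuple[Optional[str], Optional[int]]:
    """Return (forwarding class, queue) for the first matching sequence,
    or (None, None) when no sequence matches and the default action applies."""
    for match, fwd_class in ACL_SEQUENCES:
        if rule_matches(match, packet):
            return fwd_class, CLASS_QUEUE[fwd_class]
    return None, None


def queue_histogram(packets: List[dict]) -> Dict[int, int]:
    """Count classified packets per queue, like the per-queue view under
    Monitor > Network > QoS."""
    counts: Dict[int, int] = {}
    for packet in packets:
        _, queue = classify(packet)
        if queue is not None:
            counts[queue] = counts.get(queue, 0) + 1
    return counts
```

Note the ordering effect: a DSCP 41 packet from 10.30.1.50 lands in STANDARD-DATA (queue 1) because the DSCP sequences precede the prefix-list sequence, while an unmarked (DSCP 0) packet from the same host falls to DEFAULT-NO-DSCP (queue 3).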

Complete and apply the Localized Policy


1. Continuing from the previous section, while on the Policy Overview page, give your policy a
Name of QoS and a Description of QoS (classification, marking and policing). Under Policy
Settings, put a check mark next to Application. Click on Save Policy

2. Navigate to Configuration => Templates and locate the Branch_Dev_Temp_Site_300 Device
Template. Click on the three dots next to it and choose to Edit. Click on Additional Templates

3. Populate QoS in the Policy drop down. In the real world, the app-visibility setting and the QoS policy we
configured should be included within the same localized policy, since a device template references only one. Click on Update

4. Click on Next and then Configure Devices. You can view the side-by-side configuration, if you
want to.

Apply the ACL and QoS Map

To apply the configuration, we will be modifying the Service VPN 10 interface such that traffic is
classified based on the ACL we created, in the inbound direction.
The QoS Map will be applied in the outbound direction on the WAN interface (MPLS).

1. Navigate to Configuration => Templates => Feature Tab and locate the
DC_Site100_VPN10_Intf_Gig3 Feature Template. Click on the three dots next to it and choose to
Edit the Template.

2. Scroll to the ACL/QoS section and configure QoS_ACL as an ingress IPv4 ACL (make sure to enter
the name correctly).

3. Navigate to Configuration => Templates => Feature Tab and locate the
Branch1_Site300_VPN10_Intf_Gig3 Feature Template. Click on the three dots next to it and
choose to Edit the Template.

4. Scroll to the ACL/QoS section and configure QoS_ACL as an ingress IPv4 ACL (make sure to enter
the name correctly).

5. Apply the QoS Map to the MPLS-facing interfaces of Site100-cE1/cE2 and Site300-cE1.

a) Navigate to Configuration > Templates > Feature, and then search
DC_Site100_MPLS_Gig2. Click on 3 dots and Click Edit.

b) Scroll to the ACL/QoS section and configure QoS_Map as QoS Map (make sure to enter
the name correctly).

c) Navigate to Configuration > Templates > Feature, and then search
Branch1_Site300_MPLS_Gig2. Click on 3 dots and Click Edit.

d) Scroll to the ACL/QoS section and choose QoS_Map as QoS Map and click Update.

Activity Verification
In Site 300 use the traffic generator to generate flows destined for Site 100 addresses with multiple
different DSCP values.

1. On POC Tool, Console to TRex2-VPN10 by going to Site 300 and right click on TRex2-VPN10 and
Click Console. Enter the password “viptela”. Click on Trex. Click on Connect. Enter localhost for
connections.

2. Click on Port0 >> Acquire

3. Expand Port 0 >> Click Profiles >> Select VIP16.yaml under Profile details. This
profile contains 4 flows marked with DSCP46, DSCP41, DSCP10 and DSCP0. Set the traffic
bandwidth initially to 10 pps and start the traffic.

4. Monitor the traffic assignment to each class in vManage: Monitor > Network >
Branch1_Site300_cE1 > QoS. Make sure to select the MPLS-facing interface GigabitEthernet2
and to set the graph to Real Time. You might want to change the policy rate to pps for better flow
identification.

• Recall the mapping between classes and queues.

o Queue 0 = LLQ = FC Control (REAL-TIME) = DSCP 46, 48
o Queue 1 = WRR = FC STANDARD-DATA = DSCP 41
o Queue 2 = WRR = FC BEST-EFFORT = DSCP 10
o Queue 3 = WRR = FC DEFAULT-NO-DSCP = DSCP 0

5. Try increasing the rates of the traffic flows with DSCP41, DSCP10 and DSCP0, so they can be
differentiated on the vManage graph. Click on the stream >> Click Edit Stream, then
change the pps rate as per the table below.

Stream   PPS
DSCP46   2
DSCP41   2
DSCP10   3
DSCP0    1

6. Go to Monitor > Network > Branch1_Site300_cE1 > QoS. Make sure to select the MPLS-facing
interface GigabitEthernet2 and to set the graph to Real Time.

7. Stop Streaming by clicking Stop on Trex.

This completes the QoS configuration and verification. Now we will remove the configuration to bring the pod back to its
original state.

8. Remove the preference for MPLS TLOC. Navigate to Configuration >> Templates
>> Feature, and then search for “DC_Site100_MPLS_Gig2”. Click on 3 dots in front of the
searched template and click Edit.

9. Click on Tunnel >> Advanced Options >> Set Preference to default. Click Update, then click
Next, and then click Configure Devices.

10. Repeat Steps 8 and 9 after searching for Branch1_Site300_MPLS_Gig2.

11. Navigate to Configuration => Templates => Feature Tab and locate the
DC_Site100_VPN10_Intf_Gig3 Feature Template. Click on the three dots next to it and choose
to Edit the Template.

12. Scroll to the ACL/QoS section and set ingress IPv4 ACL to default.

13. Perform Steps 11 and 12 after searching for the template “Branch1_Site300_VPN10_Intf_Gig3”.

14. Navigate to Configuration > Templates > Feature, and then search DC_Site100_MPLS_Gig2.
Click on 3 dots and Click Edit.

15. Scroll to the ACL/QoS section and set QoS Map to default.

16. Perform Steps 14 and 15 after searching for the template “Branch1_Site300_MPLS_Gig2”.

Dynamic On Demand Tunnels

Overview
IPsec tunnels are established between TLOCs in a full-mesh fashion between devices in the SD-WAN
overlay. This leads to multiple, potentially idle tunnels remaining up between sites and an overhead of
traffic traversing the WAN links (due to BFD).
From vManage version 20.3 onwards, Cisco SD-WAN allows the creation of on-demand tunnels between sites,
i.e., tunnels will only be set up when there is traffic between the sites.
The following configuration components come into play when setting up Dynamic On-Demand Tunnels:
• Control Policies
• OMP Templates (max path and ECMP limits)
• System Templates (for configuring Dynamic Tunnels)
We will set up Dynamic On-Demand Tunnels between Site300-cE1 and Site400-cE1 with
Site100-cE1/Site100-cE2/Site200-cE1/Site200-cE2 functioning as backup forwarding nodes.

Exploring the current setup


1. Go to POC Tool, and console to Site300-cE1 by clicking on Site 300 and right-clicking Site300-cE1 >>
Click Console. Check the OMP routes for the VPN 10 subnets behind Site400-cE1 by running the command
below. Site300-cE1 routes traffic for these subnets directly to Site400-cE1 (normal full-mesh
operation of SD-WAN).

show sdwan omp routes 10.40.1.0/24

2. Similarly, console to Site400-cE1 and run the command below. The command’s output shows that
traffic for the Site300-cE1 VPN 10 subnets goes directly to Site300-cE1.

show sdwan omp routes 10.30.1.0/24

Configuring a Control Policy for Dynamic Tunnels


1. Navigate to Configuration >> Policies >> Add Policy

2. Click on Site and then on New Site List to create a New Site List

3. Name the Site List Site300_400 and enter 300,400 in the Add Site field. Click on Add

4. Click on TLOC and then search for HUB-TLOCs >> Click Copy

5. Name the List HUB-TLOCs-DOD. Click Edit and remove the preference values from TLOC as
shown in screenshot below. Click Save.

6. Click Next.

7. Click on Add Topology and then on Custom Control (Route & TLOC) to create a new control
policy

8. Give the control policy a Name of site300-400-dynamic-tunnels and a Description of Dynamic
Tunnels between Site 300 and 400 with DC as a backup. Click on Sequence Type and choose
Route

9. Click on Sequence Rule and select Site. Populate the Site List Site300_400 and click on Actions.

10. Set the Action to Accept and click on TLOC Action and TLOC. Populate TLOC Action as Backup
and the TLOC List as HUB-TLOCs-DOD. Click on Save Match and Actions.

11. Click on Default Action and then the pencil icon to change the default of Reject Enabled to
Accept Enabled. Click on Accept and choose to Save. Make sure the Default Action is set to
Accept Enabled and click on Save Control Policy.

12. Click Next >> Next till you’re at the Apply Policies to Sites and VPNs tab and give the policy a
Name of Dynamic-Tunnels-Site300_400 with a Description of Dynamic Tunnels between Site 300
and Site 400. Under Topology, click on New Site List for the site300-400-dynamic-tunnels policy
and choose the Site300_400 Site List under Outbound Site List. Click on Add and then click on
Preview to view the CLI output of the policy.

13. Notice that the control policy sets the TLOC of the Site 300 and Site 400 OMP routes to the
HUB-TLOCs-DOD TLOC list. It also sets tloc-action backup, which populates the ultimate TLOC value
in the OMP route with the other site's TLOC, so the HUB-TLOCs serve only as a backup path (rather
than permanently punting traffic out the HUB-TLOCs). Click on Save Policy
This completes the Control Policy required for Dynamic On-Demand Tunnels.

Configuring OMP Templates


We will be applying OMP Templates to the vSmarts and the WAN Edges at Site 300 and Site 400.

1. Navigate to Configuration >> Templates >> Feature >> Add Template. Search for vSmart in the
Select Devices section and select the vSmart Device. Click on OMP under Basic Configuration to
start configuring an OMP Template for the vSmarts

2. Give the template a name of vsmart-omp-dt with a Description of OMP
modification for Dynamic Tunnels - vSmart. Set the Number of Paths Advertised per Prefix to a
Global value of 16 and click on Save

3. We will now apply this Feature Template to the vSmart Device Template. Go to the Device tab in
Templates and locate the vSmart Device Template. Click on the three dots next to it and choose
to Edit the template

4. Under OMP, set the template to vsmart-omp-dt. Click on Update. Click on Next and Configure
Devices.

5. Confirm the configuration change and click on OK

6. Navigate to Configuration => Templates => Feature Tab and click on Add Template. Search for
CSR and select CSR1000v. Click on Cisco OMP

7. Give the template a name of cedge-omp-dt with a Description of OMP
modification for Dynamic Tunnels - cEdge. Set the ECMP Limit to a Global value of 16 and click
on Save

8. Search for template “cedge-omp-dt”. Click on 3 dots >> click Change Device Models.

9. Add 8000v. Click OK

10. We will now attach the OMP templates just created to Site300-cE1 and Site400-cE1. Navigate to
Configuration => Templates. While on the Device Tab, locate the Branch_Dev_Temp_Site_400
template and click on the three dots next to it. Choose to Edit the template.
11. Update the Cisco OMP template as cedge-omp-dt and click on Update. Click Next and Configure
Devices to push the changes to Site400-cE1.

12. Navigate to Configuration => Templates. While on the Device Tab, locate the
Branch_Dev_Temp_Site_300 template and click on the three dots next to it. Choose to Edit the
template

13. Update the Cisco OMP template as cedge-omp-dt and click on Update. Click Next and Configure
Devices to push the changes to Site300-cE1.

This completes the configuration of our OMP Feature Templates for Site300-cE1 and Site400-cE1 to
support Dynamic On-Demand Tunnels.

Enabling Dynamic Tunnels


We will now add some basic configuration on the DC-vEdges and enable Dynamic On-Demand Tunnels
via System templates.

1. Navigate to Configuration => Templates => Feature Tab and locate the DC_Site100_VPN0
Feature Template. Click on the three dots next to it and choose to Edit the template

2. Scroll down to the Service section and click on New Service. Set the Service Type as TE and click
on Add. Click on Update. Click on Next and Configure Devices. Confirm the configuration change

3. Navigate to Configuration => Templates => Feature Tab and locate the DR_Site200_VPN0
Feature Template. Click on the three dots next to it and choose to Edit the template

4. Scroll down to the Service section and click on New Service. Set the Service Type as TE and click
on Add. Click on Update. Click on Next and Configure Devices. Confirm the configuration change

5. Navigate to Configuration => Templates. Click on the Feature tab and then click on Add
Template. Search for CSR in the Select Devices section and select the CSR1000v. Click on Cisco
System under Basic Configuration to start configuring a System Template for Site300-cE1.

6. Give the template a name of cedge-system-dt with a Description of System modification for
Dynamic Tunnels - cEdge. Set the Console Baud Rate to the default value. Under Advanced, set
On-Demand Tunnel to a Global value of On and the On-Demand Tunnel Idle Timeout (min) to 5.
Click on Save.

7. Search for template “cedge-system-dt”. Click on 3 dots >> click Change Device Models.

8. Add c8000v. Click OK

9. We will now attach the System templates just created to Site300-cE1 and Site400-cE1. Navigate
to Configuration => Templates. While on the Device Tab, locate the
Branch_Dev_Temp_Site_300 template and click on the three dots next to it. Choose to Edit the
template.

10. Update the System template as cedge-system-dt and click on Update. Click Next
and Configure Devices to push the changes to Site300-cE1.

11. Navigate to Configuration => Templates. While on the Device Tab, locate the
Branch_Dev_Temp_Site_400 template and click on the three dots next to it. Choose to Edit the
template

12. Update the Cisco System template as cedge-system-dt and click on Update. Click Next and
Configure Devices to push the changes to Site400-cE1.

Note: While pushing the system template, enter the site id value as 400.

This completes the configuration of our System Feature Templates for Site300-cE1 and Site400-cE1 to
enable Dynamic On-Demand Tunnels.

Activity Verification
1. Go to POC Tool and console to Site300-cE1 by clicking on Site 300, right-clicking Site300-cE1 and
clicking Console. Check the TLOC routes on Site300-cE1 by running the command below. The
Site400-cE1 TLOCs should show the bfd-status as inactive.

show sdwan omp tlocs

2. Run the commands below. You will notice that Site300-cE1 shows itself as On-Demand yes and
Status Active. However, the Status of Site400-cE1 is inactive.

show sdwan system on-demand
show sdwan system on-demand remote-system

3. Run the command below. Notice that the OMP routes for the VPN10 subnet at Site400-cE1 are
in an Unresolved, On-Demand Inactive state (U, IA).

show sdwan omp route 10.40.1.0/24

4. On the vManage GUI, navigate to Configuration => Policies and locate the
Dynamic-Tunnels-Site300_400 policy. Click on the three dots next to it and choose to Activate this
policy. Click on Activate and Configure Devices if prompted

5. Once the policy is active, go to the CLI of Site300-cE1 and run the command below. We now see
that the traffic to the VPN 10 subnet at Site400-cE1 (10.40.1.0/24) is being routed via the
DC-cEdges, with the direct routes to cEdge40 in an Installed, Unresolved and On-Demand Inactive
state (I,U,IA).

show sdwan omp route 10.40.1.0/24

6. Run a traceroute to 10.40.1.1 via the CLI: traceroute vrf 10 10.40.1.1. The initial path
traverses an IP in VPN 10 at the DC-vEdges (10.1.3.2 in this example) and then starts going
directly to cEdge40. This is because the initial packet takes the backup DC-cEdge route, after
which the tunnel between Site300-cE1 and Site400-cE1 is established. Run show sdwan system
on-demand and show sdwan system on-demand remote-system and you will see that the
tunnel to Site400-cE1 is now active, with the idle timeout counting down from 300 seconds (i.e.,
5 minutes, as configured in the System Template)

7. Subsequent traffic will go directly over the Tunnel between Site300-cE1 and Site400-cE1, if the
Tunnel is active. This can be verified by running traceroute vrf 10 10.40.1.1 on Site300-cE1

8. show sdwan omp routes 10.40.1.0/24 indicates that the Chosen, Installed, Resolved (C, I, R)
route for the 10.40.10.0 subnet is the direct path to Site400-cE1.

9. Wait for approximately 5 minutes and we will find that the Tunnel between Site300-cE1 and
Site400-cE1 transitions to an inactive state after the Idle Timeout expires, assuming there is no
traffic between the two Sites. Once the tunnel is inactive, show sdwan omp routes
10.40.1.0/24 shows the traffic path traversing the DC-cEdges again, with the direct path to
Site400-cE1 in I, U, IA.
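The verification steps above describe a small state machine: the direct route to the remote site sits in I,U,IA while the tunnel is down, the first packet rides the hub backup path and triggers tunnel setup, the direct route becomes C,I,R, and the idle timer tears the tunnel down after 5 minutes without traffic. The following Python model of that behaviour is an added example, not code from the Cisco guide or from the router; the site names and packet timings are constructed, and the 300 s idle timeout is the value configured in the cedge-system-dt template.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class OnDemandTunnel:
    """Local view of the on-demand tunnel towards one remote site.

    Constructed model, not router code: 300 s is the 5-minute idle timeout
    configured in the cedge-system-dt System template above.
    """
    remote: str
    idle_timeout_s: int = 300
    active: bool = False
    last_traffic_at: Optional[float] = None

    def omp_status(self) -> str:
        """Status codes the direct route shows in 'show sdwan omp route':
        C chosen / I installed / R resolved while the tunnel is active,
        I installed / U unresolved / IA on-demand inactive while it is down."""
        return "C,I,R" if self.active else "I,U,IA"

    def idle_remaining(self, now: float) -> int:
        """Seconds left before the tunnel is torn down if no traffic arrives."""
        if not self.active:
            return 0
        return max(0, int(self.idle_timeout_s - (now - self.last_traffic_at)))

    def expire(self, now: float) -> None:
        """Tear the tunnel down once the idle timeout has elapsed without traffic."""
        if self.active and now - self.last_traffic_at >= self.idle_timeout_s:
            self.active = False
            self.last_traffic_at = None

    def forward(self, now: float) -> str:
        """Path taken by a packet sent at time `now` (seconds).

        The first packet towards an inactive remote is forwarded over the
        backup hub TLOCs while the direct tunnel is brought up; once the
        tunnel is active, packets go direct and each one resets the idle timer.
        """
        self.expire(now)
        path = "direct" if self.active else "hub-backup"
        self.active = True
        self.last_traffic_at = now
        return path


def simulate(sends: List[float], idle_timeout_s: int = 300) -> List[Tuple[float, str, str]]:
    """Replay packet send times and record (time, path, direct-route status) for each."""
    tunnel = OnDemandTunnel("Site400-cE1", idle_timeout_s=idle_timeout_s)
    trace = []
    for t in sends:
        path = tunnel.forward(t)
        trace.append((t, path, tunnel.omp_status()))
    return trace


if __name__ == "__main__":
    # Constructed timeline: a traceroute at t=0, a short burst, then silence
    # long enough for the idle timeout to expire before the next packet.
    for t, path, status in simulate([0, 5, 60, 400]):
        print(f"t={t:>4}s  path={path:<10}  direct route status={status}")
```

The model is useful when reasoning about sizing the idle timeout: every packet resets the timer, so a chatty application keeps the tunnel (and its BFD sessions) up indefinitely, while a short timeout on a bursty flow means repeated trips through the hub backup path.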

Enabling Unified Security Policy on Site 400

Overview
The Cisco SD-WAN solution offers on-box security configuration options, with the UTD container
running as the security services provider on IOS-XE platforms. Services like Zone Based Firewall,
IPS/IDS, URL Filtering, TLS/SSL Decryption and Advanced Malware Protection can be configured directly
on the SD-WAN edge, provided the edge meets the base requirements for them.

This section of the lab guides you through Unified Security Policy configuration and verification.
Unified Security Policy configuration is closer to how configurations are applied in Firepower Access
Policies and will be the de facto approach going forward.

Following is the summary of steps:

1. Enable internet access via DIA NAT route on Site 400 Edge.

2. Review vManage configured as TLS/SSL Proxy CA.
3. Import UTD Virtual Image in vManage.
4. Configure Unified Security Policies.
5. Policy Attachment and Activity Verification

Enabling internet access for Site 400 using DIA route


1. On the vManage GUI, navigate to Configuration => Templates => Feature Tab

2. Locate the Branch2_Site400_VPN10 template and click on the three dots next to it. Select Edit.

3. Navigate to the IPv4 Route and click on New IPv4 Route. Add the parameters as shown in the
table below and click on Add.

Field        Global or Device Specific (Drop Down)   Value
Prefix       Global                                  0.0.0.0/0
Gateway      NA                                      VPN
Enable VPN   Global                                  On

4. Click on Add

5. Click on Update => Next => Configure Devices to push the template to device Site400-cE1.

Verify TLS/SSL Proxy CA
Explanation: For this lab, vManage is already configured as the SSL proxy CA. This will be used
during the TLS/SSL decryption lab; in the following steps you will confirm this configuration.

1. Navigate to Configuration => TLS/SSL Proxy.

2. Verify that TLS/SSL Proxy configuration has vManage as CA.

3. Note the common name (CN) on the CA certificate is vmanage.dcloud.cisco.com

Importing UTD Virtual Image in vManage


Explanation: This UTD image will run as a container on the IOS-XE router, and will be pushed to
the routers, when UTD features like IPS, AMP, URLF, etc. are deployed.

1. On vManage, navigate to Maintenance => Software Repository, select Virtual Images
(top center).

2. Click on Upload Virtual Image => vManage.

3. Click on Browse, select the following image from the Downloads folder on the Jumphost and
click Upload.

secapp-utd.17.06.01a.1.0.7_SV2.9.16.1_XE17.6.x86_64.tar

4. Overwrite the existing image and copy the new image to vManage.

Configuring Unified Security Policies
Explanation: In the following steps, we will create a URL Whitelist.

1. On vManage, navigate to Configuration => Security, and click on Custom Options on top right
side, and select Lists.

2. Select Allow URL Lists from the left side panel and click on + New Allow URL List on the right.

3. We are about to import a URL whitelist, which will allow the listed URLs when the URL
Filtering policy is configured.

4. Enter the Allow URL List Name as URL_Whitelist1

5. Click Import on the right side, and select file ‘URL_Whitelist’ from the desktop

6. Click on Add button.

Explanation: In the following steps, we will create multiple security policies (IPS, URLF, AMP, etc.),
and will then combine them into a single Unified Security Policy.

7. On top right side, select Custom Options drop down menu, and select Policies/Profiles.

8. In the left side panel, select Intrusion Prevention, click on Add Intrusion Prevention Policy, and
select Create New.

9. Fill in the values based on the following table:

Field             Value
Policy Mode       Unified
Policy Name       IPS_uniPolicy
Signature Set     Security
Inspection Mode   Protection

10. Click on Save Intrusion Prevention Policy.

11. In the left side panel, select URL Filtering, click on Add URL Filtering Policy, and select Create
New.

12. Fill in the values based on the following table:

Field                       Value
Policy Mode                 Unified
Policy Name                 URLF_uniPolicy
Web Categories              Block => social-network; news-and-media
Expand Advanced
Whitelist URL List          URL_Whitelist1
Alerts and Logs => Alerts   Whitelist; Reputation/Category

13. Select Save URL Filtering Policy.

14. In the left side panel, select Advanced Malware Protection, click on Add Advanced Malware
Protection Policy, and select Create New.

15. Fill in the values based on the following table:

Field              Value
Policy Mode        Unified
Policy Name        AMP_uniPolicy
AMP Cloud Region   EU

16. Click Save Advanced Malware Protection Policy.

17. In the left side panel, select TLS/SSL Decryption, click on Add TLS/SSL Decryption Policy, and
select Create New.

18. Click on Enable SSL Decryption.

19. Fill in the values based on the following table:

Field         Value
Policy Mode   Unified
Policy Name   SSLd_uniPolicy

20. Click on Save TLS/SSL Decryption Policy.


21. In the left side panel, select TLS/SSL Profile, click on + New TLS/SSL Profile.

22. Fill in the values based on the following table:

Field          Value
Profile Name   SSLdecrypt_Profile
Policy mode    Unified

Explanation: In the next steps, we will enable TLS/SSL decryption only for computer and internet
info category of websites.

23. Assign policy Decrypt to computer-and-internet-info category.

24. Click Save (may have to scroll down) to save the TLS/SSL Profile.

25. In the left side panel, select Advanced Inspection Profile, click on + New Advanced Inspection
Profile.

26. Fill in the values based on the following table:

Field                         Value
Profile Name                  AIP_uniProfile
Description                   For Unified Security Policy
Intrusion Prevention          IPS_uniPolicy
URL Filtering                 URLF_uniPolicy
Advanced Malware Protection   AMP_uniPolicy
TLS Action                    Decrypt
TLS/SSL Decryption            SSLdecrypt_Profile

27. Click Save to save the Advanced Inspection Profile.

Explanation: Now we will create the new Unified Security Policy and NG Firewall Policy, which
will use the constructs we created in the previous steps.

28. Navigate to Configuration => Security and select Add Unified Security Policy.

29. Click on Add NG Firewall Policy drop down and select Create New.

30. Fill in the values based on the following table:

Field         Value
Name          USP-FW-Policy
Description   Unified Security Policy FW Rule

31. Click on Add Rule/Rule Set Rule and select Add Rule.

32. Fill in the values based on the following table:

Field                Value
Order                1
Name                 Deny_Netflix
Action               Drop
Log                  Selected
+ Source
  Type               IPv4 Prefix
  IPv4               10.40.1.0/24
  Click on Save
+ Application List   Browsing
  Click on Save

33. Click on Add Rule/Rule Set Rule and select Add Rule.

34. Fill in the values based on the following table:

Field                         Value
Order                         2
Name                          InspectTraffic_AIP_Profile
Action                        Inspect
Advanced Inspection Profile   AIP_uniProfile
+ Source
  Type                        IPv4 Prefix
  IPv4                        10.40.1.0/24
  Click on Save twice

35. Click on Save Unified Security Policy.

36. Click on Add Zone Pair.

Explanation: Zone list Zone_VPN10 and Zone_VPN0 are preconfigured as part of base
configuration.

37. Select Source Zone as Zone_VPN10 and Destination Zone as Zone_VPN0 and click Save.

38. Click on Next.

39. Skip DNS Security for now and click on Next.

40. Fill in the values based on the following table:

Field                                              Value
Security Policy Name                               USP1
Security Policy Description                        New Unified Security policy
TLS/SSL Decryption Policy (last field, at bottom)  SSLd_uniPolicy

Click on Save Policy

Policy Attachment and Activity Verification

Attach Unified Security policy to Site400-cE1

1. Navigate to Configuration => Templates.

2. Edit the device template Branch_Dev_Temp_Site_400.

3. Under Additional Templates, Select the Security Policy as USP1.

4. Click on Update.

5. Continue and push the configuration to the router.

Turn on Site400-Windows-VPN10 at Site 400
1. In the POC tool, click on Site 400 on the left side panel.

2. There is a Windows test PC named Site400-Windows-VPN10 connected to VPN 10

3. The current state of the Site400-Windows-VPN10 VM should be Stopped.

4. Right-click on the Site400-Windows-VPN10 VM and click the Start button to start the VM.

5. This VM will be used for Activity Verification.

Verifying Firewall Rules


1. In the POC tool, open console of Site400-Windows-VPN10 PC as well as console of Site400-cE1
router.

2. Open the Chrome web browser and open the URL www.netflix.com. The URL will not open, as it
is blocked by rule 1 of our firewall policy.

3. A log like the following will appear on the router console.

Aug 21 15:11:15.608: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000004291804949059 %FW-6-DROP_PKT: Dropping udp pkt from GigabitEthernet3 10.40.1.10:43379 => 8.8.8.8:53(target:class)-(ZP_Zone_VPN10_Zone_V_-1042664563:USP-FW-Policy-seq-1-cm_) due to Policy drop:classify result with ip ident 28307 (srcvrf:dstvrf)-(10: global) (srcvpn:dstvpn)-(10:0)

4. If you missed this log, you can enter the following command on the router to see it:

Site400-cE1# show logging | in seq-1

5. In vManage, navigate to Monitor => Network, and select router Site400-cE1.

6. On the left side panel, scroll down and click on Security Monitoring => Firewall. Here, click on
USP-FW-Policy and notice the hits for the USP-FW-Policy-seq-1-cm_ rule. This log can take up to 30
minutes to show up in the GUI, so you may continue with the next verification steps for now.

Verifying IPS Configuration


1. In the POC tool, open console of Site400-Windows-VPN10 PC.

2. Open the Chrome web browser and visit the website www.toknowall.com; this attempt will be
blocked by the IPS engine.

3. This triggers IPS engine activity; in the next steps we will verify this activity on the CLI and GUI.

4. From the POC tool, gain console access to router Site400-cE1 and log in using the credentials
admin/admin. Give the command show utd engine standard status and verify that the UTD engine
is running.

5. Give the following command to view IPS logs.

show utd engine standard logging events threat-inspection

6. In the output, you will notice logs like the following, which indicate that access to the website
toknowall.com was detected as trojan activity and the packets were dropped.

2022/08/21-08:55:02.639078 PDT [**] [Hostname: 1.1.40.1] [**] [Instance_ID: 1] [**] Drop [**] [1:46807:3] MALWARE-OTHER DNS request for known malware domain toknowall.com - Unix.Trojan.Vpnfilter [**] [Classification: A Network Trojan was detected] [Priority: 1] [POLICY: AIP_uniProfile] {UDP} 10.40.1.10:48553 -> 8.8.8.8:53

7. In vManage, navigate to Monitor => Network, and select router Site400-cE1.

8. On the left side panel, scroll down and click on Security Monitoring => Intrusion Prevention.
Here you will notice that Signature ID 1:46807 has been triggered. This log can take up to 30
minutes to show up in the GUI, so you can continue with the next verification steps for now.
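The two log records shown in the firewall and IPS verification steps above (the %FW-6-DROP_PKT syslog line and the UTD threat-inspection event) are what a SOC would collect from these routers, and the vManage GUI can lag the CLI by up to 30 minutes. The following Python parser is an added example, not code from the Cisco guide or from vManage: it normalizes both formats into one event record and groups them by inside host. The sample lines are the two records from this lab joined onto single lines, plus one unrelated syslog line constructed to show that non-matching lines are skipped; the `SecurityEvent` fields and helper names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: the ZBFW drop and the IPS event from the verification
# steps above (joined onto single lines), plus one unrelated syslog message.
SAMPLE_LOG = [
    "Aug 21 15:11:15.608: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 "
    "TS:00000004291804949059 %FW-6-DROP_PKT: Dropping udp pkt from GigabitEthernet3 "
    "10.40.1.10:43379 => 8.8.8.8:53(target:class)-(ZP_Zone_VPN10_Zone_V_-1042664563:"
    "USP-FW-Policy-seq-1-cm_) due to Policy drop:classify result with ip ident 28307 "
    "(srcvrf:dstvrf)-(10: global) (srcvpn:dstvpn)-(10:0)",
    "2022/08/21-08:55:02.639078 PDT [**] [Hostname: 1.1.40.1] [**] [Instance_ID: 1] [**] "
    "Drop [**] [1:46807:3] MALWARE-OTHER DNS request for known malware domain "
    "toknowall.com - Unix.Trojan.Vpnfilter [**] [Classification: A Network Trojan was "
    "detected] [Priority: 1] [POLICY: AIP_uniProfile] {UDP} 10.40.1.10:48553 -> 8.8.8.8:53",
    "Aug 21 15:12:01.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

# Zone-based firewall drop: policy name, sequence number and VPN pair are in
# the (target:class) and (srcvpn:dstvpn) fields of the message.
FW_DROP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+): .*%FW-6-DROP_PKT: Dropping (?P<proto>\w+) pkt from "
    r"(?P<ifname>\S+) (?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\(target:class\)-\((?P<zone_pair>[^:)]+):(?P<policy>.+?)-seq-(?P<seq>\d+)-cm_\)"
    r".*\(srcvpn:dstvpn\)-\((?P<src_vpn>\d+):(?P<dst_vpn>\d+)\)"
)

# UTD (Snort) threat-inspection event as printed by
# 'show utd engine standard logging events threat-inspection'.
IPS_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[\*\*\] \[Hostname: (?P<host>[^\]]+)\] \[\*\*\] "
    r"\[Instance_ID: (?P<inst>\d+)\] \[\*\*\] (?P<action>\w+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\] "
    r"\[POLICY: (?P<policy>[^\]]+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class SecurityEvent:
    """Normalized record for either log source (this example's own schema)."""
    source: str      # "zbfw" or "ips"
    timestamp: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    policy: str
    rule: str        # firewall "seq-N" or Snort "gid:sid"
    detail: str


def parse_line(line: str) -> Optional[SecurityEvent]:
    """Return a SecurityEvent for a known record type, or None for anything else."""
    m = FW_DROP_RE.match(line)
    if m:
        return SecurityEvent(
            source="zbfw", timestamp=m["ts"], action="drop", proto=m["proto"].lower(),
            src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
            policy=m["policy"], rule=f"seq-{m['seq']}",
            detail=f"zone-pair {m['zone_pair']} vpn {m['src_vpn']}->{m['dst_vpn']} on {m['ifname']}",
        )
    m = IPS_RE.match(line)
    if m:
        return SecurityEvent(
            source="ips", timestamp=m["ts"], action=m["action"].lower(), proto=m["proto"].lower(),
            src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
            policy=m["policy"], rule=f"{m['gid']}:{m['sid']}",
            detail=f"{m['msg']} [{m['cls']}] priority {m['prio']}",
        )
    return None


def parse_events(lines: Iterable[str]) -> List[SecurityEvent]:
    """Parse every recognizable line; unrelated syslog lines are dropped."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def events_by_host(events: List[SecurityEvent]) -> dict:
    """Group enforcement events by the inside host that triggered them."""
    grouped: dict = {}
    for e in events:
        grouped.setdefault(e.src, []).append(f"{e.source}:{e.rule}")
    return grouped


if __name__ == "__main__":
    for host, hits in events_by_host(parse_events(SAMPLE_LOG)).items():
        print(host, hits)
```

Both records here point at the same inside host (10.40.1.10) sending DNS to 8.8.8.8, which is the kind of correlation worth doing on the collector: the firewall drop tells you the policy sequence that fired, while the IPS event carries the signature id (1:46807) and policy (AIP_uniProfile) that the vManage Intrusion Prevention view will eventually show.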

URL Filtering Verification


1. In the POC tool, open console of Site400-Windows-VPN10 PC.

2. Open the Chrome web browser and access the websites twitter.com, instagram.com and cnn.com.
Notice that these are not accessible, as we blocked the social networking and news categories of
websites.

3. Also access facebook.com or fb.com. Although this is a social networking website, it should be
accessible, as we added this site to our URL whitelist.

4. To check the logs on CLI on Site400-cE1 router, give the following command:

show utd engine standard logging events url-filtering | in instagram

5. You should be able to see the log, which confirms that traffic to Instagram.com was dropped by
URL filtering policy.

6. Give the following command on CLI to check facebook logs on Site400-cE1 router:

show utd engine standard logging events url-filtering | in facebook

7. The logs should confirm that traffic to facebook was allowed, because of whitelisting.

8. In vManage, navigate to Monitor => Network, and select router Site400-cE1.

9. On the left side panel, scroll down and click on Security Monitoring => URL Filtering, here you
can check URL Filtering logs. The logs can take up to 30 minutes to show up on GUI, so you can
continue with next verification steps for now.

AMP Verification
1. In the POC tool, open console of Site400-Windows-VPN10 PC.

2. Open Chrome web browser, open google.com, and search for keyword tekdefense.

3. Click on the Link Downloads > Malware Samples – Tekdefense from results.

4. Try to download malware samples less than 10 MB in size; notice that the download will fail.

5. Check the CLI logs by giving the following command on Site400-cE1 router console:

show utd engine standard logging events file-reputation

6. In vManage, navigate to Monitor => Network, and select router Site400-cE1.

7. On the left side panel, scroll down and click on Security Monitoring => Advanced Malware
Protection, here you can check AMP logs. The logs can take up to 30 minutes to show up on
GUI, so you can continue with next verification steps for now.

TLS/SSL Decryption Verification
1. In the POC tool, open console of Site400-Windows-VPN10 PC.

2. Open Chrome web browser, and browse the website www.cnet.com

3. Check the SSL certificate of the website and notice that this certificate is signed by the vManage
RootCA, because of the TLS/SSL decryption configuration.

This completes the verification tasks.

SDWAN-Umbrella Integration

Overview
SDWAN integration with Umbrella supports the following two methods of integration:

1. DNS redirection to Umbrella – Configure SDWAN edge to redirect DNS queries
coming from LAN subnets/VPNs to Umbrella DNS for resolution. Exceptions can be defined for
local domain resolution. For DNS redirection policy to work properly, DNS queries must pass
through SDWAN edge.

2. Umbrella Secure Internet Gateway Integration - Cloud managed Umbrella SIG service serves
not just SD-WAN environments, but a host of other use cases backed by Cisco SASE. Umbrella
SIG provides a host of cloud-based security controls, which provide secure access to internet
and cloud hosted services, without putting significant computation burden on SD-WAN Edge
devices. In this method, IPSEC tunnels are configured between SDWAN edge and Umbrella
platform either in Active/Standby or Active/Active configuration.

In this lab, we will first configure Site400-cE1 router for DNS redirection to Umbrella, followed by
Umbrella SIG integration.

The summary of the lab flow is as follows:

• Configuration cleanup from previous activity
• Perform Umbrella Registration
• Configure DNS Security Policy on vManage
• Attach DNS Security policy to Template
• Configure DNS Policy on Umbrella
• Verify DNS Redirection Policies
• DNS Redirection Configuration Cleanup
• Configure Feature Template for SIG-Credentials
• Configure SIG-Tunnel Templates
• Map templates to device Site400-cE1
• Add service route in VPN10
• Create policies on Umbrella platform
• Map policies to Site400 IPSEC tunnels
• Verify Umbrella SIG redirection results
• Configuration Cleanup

Umbrella DNS Redirection

Config Cleanup
Explanation: As part of this cleanup, we will detach the security policies attached to Site400-cE1
in the previous exercise.

1. Navigate to Configuration => Templates.

2. Edit Template Branch_Dev_Temp_Site_400.

3. Under Additional Templates, Select Security Policy as None.

4. Continue to push the configuration change to Site400-cE1 router.

Perform Umbrella Registration


1. From Jumphost, open chrome and click on the Umbrella SSO bookmark to launch Umbrella
dashboard.

2. On Umbrella dashboard, navigate to Admin => API Keys => Legacy Keys => Umbrella Network
Devices and click + Generate Token (if the keys are preconfigured, delete the preconfigured
keys and the click + Generate Token).

3. Open notepad on Jumphost, and copy key and secret to notepad

4. From the URL in chrome address bar, copy the 6-7 digit number which appears in the URL, and
paste it in Notepad as Org ID.

5. On vManage, navigate to Configuration => Security, and click on Custom Options drop down
from top-right, and select Umbrella Registration.

6. From Notepad, copy the Organization ID, Registration Key and Secret to this dialog box, and
click Save Changes.

Note: In this lab, for the sake of simplicity and clarity, we created separate USP for on-prem
firewall features and are creating a separate USP for DNS Security. In actual deployments, the
two can be combined in a single Unified Security Policy (USP).

7. Click on Add Unified Security policy to create a DNS Security Policy.

8. Click Next.

9. Click on Add DNS Security Policy drop down menu and select Create New.

10. Configure Policy Name as DNS_SEC_POL.

11. Select Custom VPN Configuration, and click on Target VPNs

12. Under Add Target VPNs dialog box, in the VPNs field, enter 10, and click on Save Changes.

13. Under Advanced, disable DNSCrypt and click Save DNS Security Policy.

14. Click Next.

15. Configure Security Policy Name as DNS_SEC_USP.

16. Configure Security policy Description as DNS Unified Security Policy and click Save Policy.

Attach DNS Security Policy to Template


1. On vManage, navigate to Configuration => Templates, and edit Branch_Dev_Temp_Site_400
device template.

2. Under Additional Templates, select Security policy as DNS_SEC_USP.

3. Click Update => Next => Configure Devices to complete the deployment of modified template.

4. On vManage, browse to Monitor => Network, and select Site400-cE1 router.

5. On the left side panel, select Real Time, and for Device Options select Umbrella Device
Registration.

6. Verify that the Registration Status is set to CREATED.

7. In chrome, click on Umbrella SSO bookmark, and open Umbrella dashboard.

8. Select Deployments => Network Devices, verify that Device Site400-cE1 has Status Active (this
may take 5 minutes, and you will have to click refresh button of chrome to see modified status).

Create DNS Policy on Umbrella


1. On Umbrella Dashboard, Navigate to Policies => Management => DNS Policies.

2. Click on sign on top-right side of the screen.

3. Click on

4. Select Network Devices.

5. Click on

6. On Security Settings screen, leave settings as default and click on

7. On Limit Content Access screen, select Custom on left side, under Custom Setting on right,
select Default Settings, and under Content Categories, select Social Networking and News, and
click Next.

8. Under Applications to control, Block 4shared and Netflix, and click Next.

9. Click Proceed.

10. On Apply Destination Lists Screen, click Next.

11. Under File Analysis, click Next.

12. Under Block Page Settings, click Next.

13. Configure the Policy Name as Site400 DNS Policy, and click on

14. Expand Site400 DNS Policy and Enable SSL Decryption under Advanced Settings => Enable
Intelligent Proxy, and click on

DNS Redirection Verification


1. In POC Tool, open the console of Site400-Windows-VPN10 PC.

2. In Site400-Windows-VPN10 console, open network and sharing center and change the DNS
server of the NIC to 10.40.1.1.

3. On Site400-Windows-VPN10, open the Chrome browser and browse to
https://welcome.umbrella.com.

Note: At this stage, you may encounter a certificate error message. This is because the old
certificate for the DST CA has expired and Windows updates on this VM are disabled. Ignore the
certificate error message and continue to welcome.umbrella.com

4. On Site400-Windows-VPN10, browse www.facebook.com, www.instagram.com, www.cnn.com;
all these websites will be blocked as they belong to blocked URL categories.

5. On Site400-Windows-VPN10, browse www.4shared.com and www.netflix.com; these websites will
be blocked, as these applications are blocked by our policy.

6. On Site400-Windows-VPN10, in the Chrome address bar, browse to
www.tekdefense.com/downloads/malware-samples/

7. From this page try to download a malware file, the download will fail as we have blocked
download of malware files.

8. Go back to Umbrella dashboard and navigate to Reporting => Activity Search

9. Filter based on Blocked Responses on left side panel.

10. Look for the log, which points to facebook, and View Full Details of the log.

11. View Event Details.

12. Similarly, view Event details of other blocked events as well.

This completes the verification tasks for Umbrella DNS Redirection.

DNS Redirection Configuration Cleanup


1. From the POC tool, open the console of Site400-Windows-VPN10 and, from Network and Sharing Center, change the DNS server back to 8.8.8.8.

2. On the Jumphost, open chrome and click on Umbrella SSO Link.

3. On the Umbrella dashboard, navigate to Deployment => Network Devices and, on the right side of the page, delete Site400-cE1-vpn10.

4. On the Umbrella dashboard, navigate to Policies => DNS Policies and delete Site400 DNS Policy.

5. On vManage, navigate to Configuration => Templates and edit the template Branch_Dev_Temp_Site_400.

6. Under Additional templates, set the Security policy to none, then click on Update => Next =>
Configure devices to push the configuration to Site400-cE1 router.

Umbrella SIG Integration

Configure SIG Credentials

1. Open chrome browser on Jumphost.

2. Click on the bookmark which reads Umbrella SSO; this will log you into Cisco Umbrella.

3. Navigate to Admin => API Keys => Legacy Keys => Umbrella Management and click + Generate
Token (if a key is already created, delete the key and click on + Generate Token).

4. Open Notepad on Jumphost and copy the Key and Secret to Notepad.

5. From the Umbrella URL, copy the 6-7 digit number to notepad as Org ID.

Create SIG credential template in vManage

1. On vManage, navigate to Configuration => Templates => Feature => Add Template.

2. Select the device CSR1000v on the left side; on the right side, scroll all the way down and select the template Cisco SIG Credentials.

3. Fill in the values based on the following table:

Field               Value
Template Name       SIG_Credentials
Description         SIG_Credentials
Organization ID     Org ID copied to Notepad
Registration Key    Key copied to Notepad
Secret              Secret copied to Notepad

Click on Save.

Create SIG-Tunnel Template


1. On vManage, navigate to Configuration => Templates => Feature => Add Template.

2. Select the device CSR1000v on the left side; on the right side, under VPN, select the template Cisco Secure Internet Gateway (SIG).

3. Fill in the values based on the following table:

Field                          Value
Template Name                  SIG_Tunnel_template
Description                    SIG_Tunnel_template
Tracker > Source IP Address    10.2.7.2/32

Under Configuration, click Add Tunnel:
Interface Name                 ipsec1
Tunnel Source Interface        GigabitEthernet1
Data-Center                    Primary
Expand Advanced Options
TCP MSS                        1300
Click Add

Under the Configuration section, click Add Tunnel again:
Interface Name                 ipsec2
Tunnel Source Interface        GigabitEthernet1
Data-Center                    Secondary
Expand Advanced Options
TCP MSS                        1300

Under the High Availability section > Pair-1:
Active                         ipsec1
Active Weight                  1
Backup                         ipsec2
Backup Weight                  1

Click on Save.

Map SIG Templates to Device
1. Navigate to Configuration => Templates and edit the Branch_Dev_Temp_Site_400 template.

2. Under Transport & Management VPN, click + Cisco Security Internet Gateway (on the right),
and map SIG_Tunnel_template.

3. Under Additional Templates, map Cisco SIG credentials to SIG_Credentials.

4. Click Update and continue to push the modified config to the Site400-cE1 router.

Add Service Route to VPN 10


1. Navigate to Configuration => Templates => Feature and edit Branch2_Site400_VPN10
template.

2. Under Service Route section, select New Service Route.

3. Enter prefix as 0.0.0.0/0 and click Add.

4. Click Update and continue to push the change to Site400-cE1 router.

Create Policies in Umbrella


1. On the Jumphost, open Chrome and use the Umbrella SSO bookmark to log in to Umbrella Cloud.

2. Go to Deployment => Core Identities => Network Tunnels and verify that the Site400 tunnels are in the established state.

3. Navigate to Policies => Management => Firewall Policy. Click + Add at the top right and create a new rule to deny ICMP traffic, filling in the values from the following table:

Field          Value
Rule Name      ICMP_Deny
Priority       1
Description    Deny ICMP Traffic
Rule Action    Block
Protocol       ICMP
Logging        Logging Enabled

Click on Save.

4. Navigate to Policies => Management => Web Policy and click + Add at the top right.

5. Configure the Ruleset Settings based on the following table:

Field                  Value
Ruleset Name           Site400_Web_Policy
Ruleset Identities     Select Tunnels
File Type Control      Block PDF

Click Close.

Activity Verification
1. In POC tool, open console of Site400-Windows-VPN10.

2. On the Site400-Windows-VPN10 PC, open the Chrome web browser and visit the URL welcome.umbrella.com. This should confirm that your traffic is now passing through the Umbrella SIG Cloud.

3. In the browser, open google.com, and type tekdefense.

4. Click the link, Downloads > Malware Samples – TekDefense, from search results.

5. Try to download a few malware files. Note that the downloads are blocked, as these are sample malware files.

6. In google search, search for download pdf sample files, click the link A Simple PDF File from
africau.edu, this download will be blocked, as we have stopped the download of PDF files.

7. On Site400-Windows-VPN10, open a command prompt (cmd) and try to ping www.cisco.com. Note that the ping fails because of the firewall policy we created.

8. Back on the umbrella portal on jumphost, navigate to Reporting > Core Reports > Activity
Search.

9. Check the box which reads Blocked, view the full details of the blocked activity, and notice that it matches our configured policy.

Config Cleanup
1. On Jumphost, open chrome and click Umbrella SSO bookmark.

2. On Umbrella dashboard, navigate to Policies => Firewall Policies, and delete ICMP_Deny policy.

3. On Umbrella dashboard, navigate to Policies => Web Policies, and delete Site400_Web_Policy.

4. On vManage, navigate to Configuration => Templates and edit the Branch_Dev_Temp_Site_400 template.

5. Under Transport & Management VPN, delete Cisco Secure Internet Gateway.

6. Click Update => Next => Configure Devices and push the configuration to Site400-cE1.

7. Navigate to Configuration => Templates => Feature and edit the Branch2_Site400_VPN10 template.

8. Delete the default route under IPv4 Route and default route under Service Route.

9. Click Update => Next => Configure Devices to push the configuration to Site400-cE1 router.

Inter VPN Routing and Service Chaining

Overview
As of now, devices in different VPNs cannot communicate with each other. VPN 10 devices can talk to
other VPN 10 devices but not to VPN 11. In this section, we will be setting up Inter VPN routing.

Additionally, there might be a requirement where we need to send traffic from one VPN to another
through a firewall. This feature is known as Service Chaining (other devices like Load Balancers can also
be part of the Service Chain) and is used widely in real-world SD-WAN Deployments.

We will be focusing on ensuring devices in Site 400 VPN 10 can communicate with devices in Site 500
VPN 11. Initially, this will be direct communication between the two VPNs. A firewall will then be
inserted in the path so that all traffic between the VPNs traverses the firewall, which will be located at
Site100 in VPN 40.

Note: The Black arrow between Site 400 and Site 500 indicates the traffic flow when Inter VPN Routing
configuration is done for the first time. Traffic flows directly between the two sites.

The Orange arrow is the traffic flow from Site 500 VPN 11 to Site 400 VPN 10 once Service Chaining is
configured.

The Green arrow is the traffic flow from Site 400 VPN 10 to Site 500 VPN 11 once Service
Chaining is configured.

Creating Inter VPN Routing


1. Log in to the vManage GUI using the bookmark. Click on Configuration => Templates.

2. Go to the Feature tab and click on Add Template. Search for CSR and put a check mark next to
CSR1000v. Choose VPN to create a VPN Template.

3. Give a Template Name of DC-Site100-vpn40 and a Description of Edge VPN 40 Template for Service Chaining. Set the VPN to 40.

4. Scroll down to the Advertise OMP section and select Static>> Add. Perform the same steps for
Connected >> Add.

5. Go to the Service section and click on New Service. Select the Service Type as FW and enter an
IPv4 Address of 10.140.40.4. Click on Add and Save.

6. At the Configuration => Templates => Feature Tab page, click on Add Template. Search for CSR
and select CSR1000v. Choose Cisco VPN Interface Ethernet as the Template Type.

7. Give a Template Name of DC-Site100-vpn40-Gig6 with a Description of DC VPN 40 interface. Set Shutdown to No and the Interface Name as a Global value of GigabitEthernet6. Set the IPv4 Address to a Device Specific value of vpn40_if_ipv4_address.

8. Go to VRRP >> Add new VRRP and set the Group ID to 40. Set the Priority to a Device Specific
value of vpn40_if_vrrp_priority along with setting Track OMP to ON and IP Address to
10.140.40.1. Click on Add and Save.

9. Go to Configuration => Templates on the vManage GUI and make sure you’re on the Device tab.
Locate the Primary_DC_Dev_Temp_Site_100 template and click on the three dots next to it.
Choose to Edit the template.

10. Scroll down to the Service VPN section and click on Add VPN. Move the DC-Site100-vpn40 template to the right-hand side and click on Next.

11. Click on Cisco VPN Interface Ethernet under Additional VPN Templates and select DC-Site100-vpn40-Gig6 under the VPN Interface drop-down. Click on Add.

12. Make sure the Service VPN section shows the addition of the VPN 40 Template and click on
Update

13. Enter the IPv4 Address field for vpn40_if_ipv4_address as 10.140.40.2/29 (for Site100-cE1) and
10.140.40.3/29 (for Site100-cE2) and vpn40_if_vrrp_priority as 105(for Site100-cE1) and 100(for
Site100-cE2). Click on Next.

14. Click on Configure Devices. You can choose to view the side-by-side configuration, if required,
noting the addition of VPN 40 with the corresponding service addresses.

15. Confirm the configuration change by clicking on the check box and clicking on OK

16. Once the configuration update goes through, log in to the CLI of Site100-cE1 and Site100-cE2 via Putty and issue the following commands. You should see successful ping responses.
On Site100-cE1: ping vrf 40 10.140.40.4
On Site100-cE2: ping vrf 40 10.140.40.4

17. Since Inter VPN Routing has not been configured yet, connectivity between the VPNs should not be possible at this point. To verify this, let us perform a traceroute from Site400 VPN 10 to Site500 VPN 11.

18. Navigate to Monitor => Network>> Select Site400-cE1. On the left-hand side, click on
Troubleshooting and select Traceroute.

19. Enter a Destination IP of 100.111.50.1 and select VPN 10 from the VPN drop down. Populate the
Source/Interface as Loopback10 and click on Start.

We have established that Inter VPN communication is not happening between Site 500 and Site 400 as
of now.

Setting up Inter VPN Routing Policy


1. On the vManage GUI, go to Configuration => Policies

2. Click on Custom Options in the top right-hand corner and click on Lists (under Centralized Policy)

3. Select VPN and click on New VPN List. Enter a VPN List Name of FW and put 40 in the Add VPN field. Click on Add.

4. Click on New VPN List again and enter a VPN List Name of vpn10_FW. Enter 10,40 in the Add
VPN field. Click on Add

5. Click on New VPN List again and enter a VPN List Name of vpn11_FW. Enter 11,40 in the Add
VPN field. Click on Add.

6. Navigate to Configuration => Policies >> Add Policy >> Next >> Click on the Topology tab (top of
the screen) and click on Add Topology. Choose to add a Custom Control (Route & TLOC) policy

7. Give the policy a Name of vpn10-inter-vpn11-40 with a Description of Control Policy for Inter
VPN Routing from VPN 10 to VPNs 11 and 40. Click on Sequence Type and choose Route

8. Click on Sequence Rule and add a VPN match. Select VPN10 from the VPN List drop down

9. Click on the Actions tab and select the Accept radio button. Click on Export To and select
vpn11_FW from the drop down under Actions. Click on Save Match and Action.

10. Select Default Action on the left-hand side and click on the pencil icon to edit the Default Action.

11. Click on Accept and then Save Match and Actions >> Click Save Control Policy.

12. Click on Add Topology and add another Custom Control (Route & TLOC) policy. Give it a Name of vpn11-inter-vpn10-40 with a Description of Control Policy for Inter VPN routing between VPN 11 and VPNs 10 and 40. Click on Sequence Type and select Route.

13. Click on Sequence Rule and select VPN as the match. Select VPN11 from the VPN List.

14. Click on the Actions tab and select the Accept radio button. Click on Export To and select the vpn10_FW
VPN list in the Export To drop down under Actions. To save the rule, click on Save Match and Actions

15. Click on Default Action on the left-hand side and click the Pencil icon to edit the Default Action

16. Select Accept and click Save Match and Actions >> Click Save Control Policy

17. You should see two control policies, as in the screenshot below.

18. Click Next 2 times.

19. You should be at the main policy screen. Click on New Site List under the entry for vpn10-inter-
vpn11-40 and select the Inbound Site List as Site400. Click on Add

20. Click on New Site List under the entry for vpn11-inter-vpn10-40 and select the Inbound Site List
as Site500. Click on Add.

21. Enter Policy Name inter-vpn-routing-policy and Description as Policy for Inter VPN Routing.
Click Save Policy.

22. Search inter-vpn-routing-policy. Click on 3 dots >> Activate >> Activate

Inter VPN Routing Verification
1. Navigate to Monitor => Network >> Select Site400-cE1. On the left-hand side, click on Troubleshooting and select Traceroute.

2. Enter a Destination IP of 100.111.50.1 and select VPN 10 from the VPN drop down. Populate the
Source/Interface as Loopback10 and click on Start.

Policies for Service Chaining
Service chaining allows data traffic to be rerouted through one or more services, such as firewall, load balancer, and intrusion detection and prevention (IDP) devices. These services could be located at central or regional hubs or in the cloud. Some of the reasons to reroute a traffic flow through a service or chain of services are listed below:

• Traffic flow from a less secure region of a network must pass through a service, such as a firewall, or
through a chain of services to ensure that it has not been tampered with.

• For a network that consists of multiple VPNs, each representing a function or an organization, traffic
between VPNs must traverse through a service, such as a firewall, or through a chain of services. For
example, in a campus, interdepartmental traffic might go through a firewall, while intradepartmental
traffic might be routed directly.

• Certain traffic flows must traverse a service, such as a load balancer.

In this Section we will route the traffic from VPN10 in Site400 to VPN 11 in Site 500 via the Firewall. We
will achieve this via service chaining.

1. Navigate to Configuration => Policies and locate the inter-vpn-routing-policy
Policy. Click on the three dots next to it and choose to Edit the policy. Click on the Topology tab
(top of the screen) and click on Add Topology. Choose to add a Custom Control (Route & TLOC)
policy

2. Give the Custom Control Policy a Name of site500-fw-site400 and a Description of Traffic from
Site 500 to Site 400 via the Firewall. Click on Sequence Type and choose Route.

3. Click on Sequence Rule and select Site for a Match Condition. Click on the Site List drop down
and choose Site 400. Click on the Actions tab

4. Select the Accept radio button and choose Service. Under Actions select the Service: Type as
Firewall and specify a Service: VPN of 40. Select an Encapsulation of IPSEC and click on Save
Match And Actions to save this rule.

5. Click on Default Action on the left-hand side and click the pencil icon. Select Accept and then
Save Match and Actions. This would change the Default Action to Accept Enabled. Click on Save
Control Policy

6. Make sure you're on the Topology tab and click on Add Topology. Choose to add a Custom Control (Route and TLOC) topology. Give the Custom Control Policy a Name of site400-fw-site500 and a Description of Traffic from Site 400 to Site 500 via the Firewall. Click on Sequence Type and choose Route.

7. Click on Sequence Rule and then select Site. Choose Site 500 in the Site List under Match
Conditions. Click on Actions

8. Select the Accept radio button and choose Service. Under Actions select the Service: Type as
Firewall and specify a Service: VPN of 40. Select an Encapsulation of IPSEC and click on Save
Match and Actions to save this rule

9. Click on Default Action on the left-hand side and click the pencil icon. Select Accept and then
Save Match and Actions. This would change the Default Action to Accept Enabled. Click on Save
Control Policy.

10. Go to the Policy Application tab and locate the site500-fw-site400 and site400-fw-site500
entries. For site500-fw-site400, click on New Site List and choose Site500 in the out direction.
Click on Add. Similarly, for site400-fw-site500, click on New Site List and choose Site400 in the
out direction. Click on Add. Click on Save Policy Changes. Activate the change when prompted
to do so.

This completes the configuration of service chaining policy to route the traffic from VPN10 in Site400 to
VPN 11 in Site 500 via the Firewall.
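
To make it clear why the Site400 VPN 10 traceroute changes after each policy activation, the following Python model is an added example, not vManage or vSmart code, covering both the Inter VPN Routing policy (VPN lists, route sequences matching on VPN, accept + Export To, inbound application to Site400 and Site500) and the service chaining policy above (sequences matching on site, accept + Service FW in VPN 40, outbound application). It keeps only those parts of the centralized policy language. The system IPs of the edges, the TLOC that the FW service resolves to, and the Site400 VPN 10 prefix 100.110.40.0/24 are assumed values; the VPN and site list names, policy names and the target 100.111.50.1 are the lab's own.

```python
"""Toy model of the vSmart centralized control policy built in this lab.

Added illustration only; not vManage/vSmart code. It models VPN lists, site
lists, route sequences matching on VPN or site, "accept + export-to" and
"accept + service" actions, and inbound/outbound application, which is enough
to show why the Site400 VPN 10 traceroute changes after each activation.
System IPs and the Site400 VPN 10 prefix are assumed values.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    vpn: int
    origin_site: int
    tloc: str                           # system IP of the edge whose TLOC carries the route
    via_service: Optional[str] = None   # set when a service action rewrote the next hop


# Lists as created in the lab. The VPN10/VPN11 lists used only for matching are
# modelled directly as the VPN number.
VPN_LISTS = {"FW": {40}, "vpn10_FW": {10, 40}, "vpn11_FW": {11, 40}}
SITE_LISTS = {"Site400": {400}, "Site500": {500}}

# Site100 advertises service FW in VPN 40 (firewall 10.140.40.4 in DC-Site100-vpn40).
# Routes steered via the service resolve to the DC edge's TLOC (system IP assumed).
SERVICES = {("FW", 40): "10.1.0.1"}

# Constructed OMP state before any policy is applied (system IPs assumed).
OMP_ROUTES = [
    Route("100.110.40.0/24", 10, 400, "10.4.0.1"),  # Site400 VPN 10 LAN (assumed prefix)
    Route("100.111.50.0/24", 11, 500, "10.5.0.1"),  # Site500 VPN 11; 100.111.50.1 is the traceroute target
]

# Policy = {name: {"direction": "in"|"out", "sites": site list, "sequences": [(match, action), ...]}}.
# The default action is accept everywhere, as configured in the lab.
INTER_VPN_POLICY = {
    "vpn10-inter-vpn11-40": {"direction": "in", "sites": "Site400",
                             "sequences": [({"vpn": 10}, {"export_to": "vpn11_FW"})]},
    "vpn11-inter-vpn10-40": {"direction": "in", "sites": "Site500",
                             "sequences": [({"vpn": 11}, {"export_to": "vpn10_FW"})]},
}
SERVICE_CHAIN_POLICY = {
    **INTER_VPN_POLICY,
    "site500-fw-site400": {"direction": "out", "sites": "Site500",
                           "sequences": [({"site_list": "Site400"}, {"service": ("FW", 40)})]},
    "site400-fw-site500": {"direction": "out", "sites": "Site400",
                           "sequences": [({"site_list": "Site500"}, {"service": ("FW", 40)})]},
}


def _matches(route, match):
    if "vpn" in match:
        return route.vpn == match["vpn"]
    return route.origin_site in SITE_LISTS[match["site_list"]]


def apply_inbound(routes, policies):
    """Routes as vSmart holds them after inbound policies; export-to leaks copies into other VPNs."""
    held = list(routes)
    for pol in policies.values():
        if pol["direction"] != "in":
            continue
        for r in routes:
            if r.origin_site not in SITE_LISTS[pol["sites"]]:
                continue
            for match, action in pol["sequences"]:
                if _matches(r, match):
                    held += [replace(r, vpn=v) for v in VPN_LISTS[action["export_to"]] if v != r.vpn]
                    break  # first matching sequence wins; unmatched routes fall to default accept
    return held


def advertise_to(site, routes, policies):
    """Routes vSmart sends to `site` after outbound policies; a service action
    rewrites the next hop to the TLOC of the site hosting the service."""
    out = []
    for r in routes:
        if r.origin_site == site:
            continue  # a site does not receive its own routes back
        adv = r
        for pol in policies.values():
            if pol["direction"] != "out" or site not in SITE_LISTS[pol["sites"]]:
                continue
            for match, action in pol["sequences"]:
                if _matches(r, match) and "service" in action:
                    stype, svpn = action["service"]
                    adv = replace(r, tloc=SERVICES[(stype, svpn)], via_service=f"{stype}/vpn{svpn}")
                    break
        out.append(adv)
    return out


def lookup(site, vpn, dest_ip, policies):
    """Longest-prefix lookup in `site`'s VPN `vpn` RIB; returns (next-hop TLOC, service) or None."""
    ip = ipaddress.ip_address(dest_ip)
    rib = [r for r in advertise_to(site, apply_inbound(OMP_ROUTES, policies), policies)
           if r.vpn == vpn and ip in ipaddress.ip_network(r.prefix)]
    if not rib:
        return None
    best = max(rib, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)
    return best.tloc, best.via_service


if __name__ == "__main__":
    for label, pol in [("no policy", {}), ("inter-VPN routing", INTER_VPN_POLICY),
                       ("service chaining", SERVICE_CHAIN_POLICY)]:
        print(f"{label:18s} Site400 VPN10 -> 100.111.50.1: {lookup(400, 10, '100.111.50.1', pol)}")
```

With no policy the lookup returns None (the first traceroute fails); with the inter-VPN policy the next hop is Site500's own TLOC (direct path, the black arrow); with the service chaining policy the next hop becomes the DC edge hosting the FW service in VPN 40 in both directions (orange and green arrows). Note the asymmetry that makes the two outbound policies necessary: matching on site_list Site400 in the policy applied to Site500 steers Site500's traffic towards Site400, so a single policy would leave the return path unfiltered.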
Service Chaining Verification

1. Navigate to Monitor => Network >> Select Site400-cE1. On the left-hand side, click on Troubleshooting and select Traceroute.

2. Enter a Destination IP of 100.111.50.1 and select VPN 10 from the VPN drop down. Populate
the Source/Interface as Loopback10 and click on Start.

We can observe that traffic is now going through the FW (10.140.40.4). This completes the inter-VPN routing and service chaining exercise.

Cloud OnRamp for SaaS

Overview
The performance of any SaaS application is only as good as that of the underlying network, because
these SaaS applications rely on fast, efficient, and secure network connectivity to provide a seamless
experience to users. To address underlying network issues and optimize user connectivity to SaaS
applications, Cisco SD-WAN has developed a cloud networking solution called Cloud OnRamp for SaaS.

Cisco SD-WAN Cloud OnRamp for SaaS continuously monitors all possible paths to the SaaS applications
by sending probes and then, based on probe latency and loss, selecting the best possible path for
routing the traffic, thereby helping ensure fast, efficient, and reliable connectivity.

Cloud OnRamp for SaaS Configuration


1. To configure and test Cloud OnRamp for SaaS functionality, we will first enable DIA on Site300
by activating Policy Site300_Direct_Internet_Access. On vManage, navigate to Configuration >
Policy> Centralized Policy Tab. Scroll down to Site300_Direct_Internet_Access policy, click on
three dots and choose Activate.

2. Go to the PoC Tool>> Topology View>> Site 300>> Right click on Site300-Ubuntu-VPN10
machine and verify internet access by browsing to www.cisco.com.

3. On the vManage GUI, navigate to Administration>> Settings. Scroll down to Cloud OnRamp for
SaaS and ensure it is Enabled.

4. On the top right of the vManage, click on the cloud icon and choose Cloud OnRamp for SaaS as
shown below.

5. The new screen shows you the Cloud OnRamp for SaaS configuration flow. In the top right corner of the screen, click on Manage Cloud OnRamp for SaaS and choose Applications and Policy, as shown below.

6. On the Application and Policy screen, notice the list of applications. Locate Amazon AWS, click
on Disabled under Monitoring and change it to Enabled. Click on Save Application and Next.

7. After the changes are applied, click on Manage Cloud OnRamp for SaaS, and choose Direct
Internet Access (DIA) Sites. On the Manage DIA screen, click on Attach DIA Sites. On the pop-up
screen click on Site300_CE1 and move it to Selected Sites as shown below and click on Attach.

8. Once the changes are applied, click on the cloud icon on top right to go back to Cloud OnRamp
for SaaS configuration page and click Manage Cloud OnRamp for SaaS and choose Gateways.

9. On the Manage Gateways screen, click on Attach Gateways. On the pop-up, click on
Site400_CE1 and move it to Selected Sites. Click on Add Interfaces to selected sites (see arrow)

On the next screen, click on VPN0 and choose All DIA TLOC. Click on Save Changes.

This completes the configuration of monitoring for AWS (SaaS) traffic for Site300. If you go to
Configuration => Cloud OnRamp for SaaS (or click the Cloud icon and go to Cloud OnRamp for SaaS),
notice the dashlet for Amazon AWS with 2 Devices attached to it. Click on the dashlet, to view
application vQoE status, DIA Status and Selected interface to forward SaaS traffic.

Note: If the vQoE status is red, refresh the page after a few minutes.

Verification
To verify that SaaS monitoring is working effectively, we will introduce delay on the Site300 internet link using the WAN Emulator and observe the change in path selection.

1. Go to PoC tool >> Site 300 >> right click on Site300-WANEmu2 and choose Edit. On the pop-up,
click on Interfaces tab and choose eth0. Enter Latency value as “1000” and click Ok as shown
below.

2. Click on Deploy on top right side of the screen. It would take a few minutes (3-5 minutes) for the
changes to take effect.

3. On vManage, go to Configuration => Cloud OnRamp for SaaS>>Amazon AWS Dashlet. Notice
the change in DIA status.

Notice that the Site300 DIA status changed to gateway and the activated gateway now shows the Site400 System IP. Because the performance of the local link was degraded, the SaaS traffic failed over to the better-performing link at the gateway site.

This completes the Cloud OnRamp for SaaS configuration and verification.
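
To make the failover you just observed concrete, the following Python example is an added illustration and not Cisco's vQoE implementation (its scoring is not described in this guide): it scores each candidate exit from a window of probe results, latency and loss as the overview describes, and chooses between the local DIA exit and a gateway site. The 0 to 10 score, the linear latency and loss penalties, the one-point switching margin, the exit names and the probe values (including the window after the 1000 ms WAN emulator delay) are all constructed assumptions.

```python
"""Exit selection for a SaaS application from probe results (added illustration).

Not Cisco's vQoE algorithm: the score below is an assumed formula that only
reproduces the behaviour the lab shows (local DIA preferred while healthy,
fail over to the gateway site when latency or loss on the local link degrade).
"""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional, Tuple


@dataclass
class Path:
    name: str
    kind: str                        # "local" (DIA exit) or "gateway" (remote site exit)
    probes: List[Optional[float]]    # probe RTT in ms; None means the probe was lost


def loss_pct(probes):
    """Share of lost probes in the window, in percent."""
    return 100.0 * sum(p is None for p in probes) / len(probes)


def avg_latency(probes):
    """Mean RTT of the probes that were answered, or None if all were lost."""
    answered = [p for p in probes if p is not None]
    return mean(answered) if answered else None


def score(path, max_latency_ms=1000.0, max_loss_pct=50.0):
    """0 (unusable) to 10 (ideal); assumed linear penalties for latency and loss."""
    lat = avg_latency(path.probes)
    if lat is None:
        return 0.0
    lat_part = max(0.0, 1.0 - lat / max_latency_ms)
    loss_part = max(0.0, 1.0 - loss_pct(path.probes) / max_loss_pct)
    return round(10.0 * lat_part * loss_part, 1)


def select_exit(paths, margin=1.0) -> Tuple[str, str, float]:
    """Pick the exit for SaaS traffic; returns (status, path name, score).

    The local DIA exit keeps the traffic unless a gateway beats its score by at
    least `margin` (assumed); the margin avoids flapping on small differences.
    The status mirrors the dashboard's DIA status: "local" or "gateway".
    """
    local = next(p for p in paths if p.kind == "local")
    gateways = [p for p in paths if p.kind == "gateway"]
    best_gw = max(gateways, key=score, default=None)
    if best_gw is not None and score(best_gw) >= score(local) + margin:
        return ("gateway", best_gw.name, score(best_gw))
    return ("local", local.name, score(local))


# Constructed probe windows (five probes each); names are assumed.
LOCAL_HEALTHY = Path("Site300 DIA (local)", "local", [28, 31, 30, 29, 32])
LOCAL_DEGRADED = Path("Site300 DIA (local)", "local", [1030, 1028, None, 1031, 1029])  # after the 1000 ms delay
GATEWAY_SITE400 = Path("Site400 gateway", "gateway", [58, 61, 60, 59, 62])


if __name__ == "__main__":
    print("before delay:", select_exit([LOCAL_HEALTHY, GATEWAY_SITE400]))
    print("after delay: ", select_exit([LOCAL_DEGRADED, GATEWAY_SITE400]))
```

The gateway exit scores slightly lower than the healthy local link and stays idle; once the local window shows about 1 s of latency and a lost probe, its score collapses to 0 and the selection flips to the gateway, which is what the dashlet shows as the DIA status changing to gateway.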
