Cisco SD-WAN Hands-On Training - LABs - 6.8-Print


4/23/18

Cisco SD-WAN Hands-On Labs

Day 1
 1. ZTP Lab
 2. Initial Device Bring-Up Lab
 3. BFD Tuning Lab

Day 2
 4. CLI Template Lab
 5. Feature Template Lab
 6. TLOC Extension Lab (Unguided)

Day 3
 7. Control Policy Lab
 8. Data Policy Lab
 9. Application Aware Routing Policy Lab
 10. Control Policy Challenge Lab (Unguided)

Connecting to Viptela Instance in dCloud

Use AnyConnect: dcloud-sjc-anyconnect.cisco.com
Username/password to connect to dCloud will be assigned

Once connected, open an RDP session to 198.18.133.36
RDP Cred = Username: dcloud\administrator, Password: C1sco12345

vManage IP address = 198.18.1.10
vManage Cred = admin/admin

Open the Putty application; the CLI of the vEdge routers can be accessed from here
All vEdges have username/password = admin/admin

*Note: When you are connected via AnyConnect, you can also SSH/HTTPS to vManage and the
vEdges on their management IP addresses directly from your laptop


dCloud Topology

DAY 1
ZTP Lab


Bring the Branch vEdge up using ZTP

Objective:
Understanding ZTP operation
Steps:
Attach the template to the new chassis number and go through the ZTP process with the vEdge
Tasks:
Make sure the new chassis is in Valid mode on vManage
On vManage, attach the BranchType2 template to the vEdge with chassis number ddd801b2-8cbe-4394-abd1-3b71e39886e3
Upload the CSV file with the parameters for the vEdge
Check the final config and deploy
On the vEdge, configure "no shut" on VPN 0, interface ge0/0 (which has the default "ip dhcp-client"), to simulate
plugging in the cable
Verification:
show control connections
show bfd sessions
show ip routes vpn <n>
show run
Hints:

Attaching the vEdge to a Template on vManage

• Use AnyConnect to connect to dCloud based on your given POD number
• Open Microsoft Remote Desktop
• Open Chrome and from the top menu bar, select vManage:
• Opens to https://198.18.1.10
• On the left menu bar, select Configuration -> Templates
• Under the listed Device Templates, select the one called "BranchType2"
• On the right, click on the 3 dots, and select "Attach Devices"
• There should be a device with name: ddd801b2-8cbe-4394-abd1-3b71e39886e3
• Select it and click the (->) arrow
• Here you will need to upload the file with the variables; use the upload button
• The CSV file for BranchType2 is on the RDP machine; find it and upload it
• Click Next
• Click Configure Device


Attaching the Template

Attach the CSV file and Preview the Config

In the RDP session, use MPutty to SSH into BR2-VEDGE1 and use the following commands to enable the
interface, simulating plugging in the device:

config
vpn 0
interface ge0/0
no shut
commit

Configure Devices will push the configuration to the vEdge

*TASK
On the vEdge, configure "no shut" on VPN 0, interface ge0/0 (which has the default "ip dhcp-client")


Verify the vEdge ZTP


• Confirm that vManage shows all 7 vEdges
• Confirm that the vEdge has the full configuration pushed from vManage
• SSH to the BR2-VEDGE1 (either from the RDP Putty session, or from vManage)
• Notice the hostname has changed
• “show run” should show the entire config that was pushed from vManage
• “show system status” will show that the vEdge is in vManage mode, and the
configuration template name
• ”show control connections” should show all of its control connections on both MPLS
and biz-internet transports
• ”show bfd sessions” should show full connectivity to all other sites
• “show ip routes vpn 10” and other VPNs (20, 40) should display full routing tables
for the service side routes

Rollback
After completing ZTP, we will decommission the vEdge and roll back its config to get ready for the next lab

• Go to vManage -> Configuration -> Devices, find BR2-VEDGE1
• Then on the right side 3 dots, select "Decommission vEdge", then confirm
• Then on the same 3 dots, select "Generate Bootstrap Configuration" -> Select "Cloud-Init"
• You should see the Cloud-Config file with OTP (token) and UUID (chassis-number)
• Export this OTP/UUID into a file for use later. Treat that file as a credential: the chassis number plus
token is what lets a cloud vEdge authenticate to the controllers on first contact and be issued its device
certificate, so anyone holding it can enroll a device as this vEdge
• This step prepares vManage for vEdge-Cloud to initially connect again

• SSH to BR2-VEDGE1 (198.18.134.106)
• Roll back the configuration to the FIRST (earliest) configuration from today, from "config" mode
• Example:
vedge# conf
Entering configuration mode terminal
vedge(config)# rollback configuration ?
Possible completions: (first 100)
0 2018-02-23 05:23:11 by admin via cli
1 2018-02-23 05:22:42 by admin via cli
2 2018-02-23 05:18:58 by admin via cli
3 2017-08-16 15:30:20 by admin via cli
4 2017-08-16 15:28:01 by vmanage-admin via netconf


Rollback Cont.

• The FIRST configuration from today is version 2
vedge(config)# rollback configuration 2
vedge(config)# commit and-quit
• Do "show run" to verify the configuration is gone

• Type the following from the exec prompt:
• request vedge-cloud activate chassis-number UUID token OTP (copy/paste from the file exported from
vManage)
• Ex: vedge# request vedge-cloud activate chassis-number ddd801b2-8cbe-4394-abd1-3b71e39886e3 token ffe38942f870868c2796a9350e16e100
• (Note: your token will be different)

• This step prepares the vEdge for initial connection to vManage (next lab)

Initial Device Bring-Up Lab


- Manual Configuration


Device Validation and Initial Bring-up Lab


Objective:
Deploy the minimal configuration to remote branch sites manually without using ZTP
Steps:
Make sure the configuration is rolled back on BR2-VEDGE1
Configure minimal information on the vEdge so that it can connect to the control plane
Verify control plane connectivity and manageability
Tasks:
Put the remote site vEdges (serial numbers) in valid mode on vManage
Configure System info (system-ip, site-id, org name, etc)
Configure IP addresses on the WAN interfaces
Configure appropriate default GW and DNS information
Verify control plane connectivity and manageability for the vEdges
Verification:
Make sure all interfaces are up
Make sure control plane connections are up on the configured WAN interfaces
From vManage these vEdges should show up in the dashboard and fully reachable/accessible
Hints:
Check for control plane connections status and history
Do “show control connections” and “show control connections-history” on both sides of the session

Configure Minimum Information on BR2-VEDGE1 Manually to Allow Connection to the Control Plane

• Connect to the assigned POD using Cisco AnyConnect
• Connect an RDP session to 198.18.133.36
• Open a Putty session to BR2-VEDGE1 (username/password = admin/admin)
• Go into config mode:
vedge# config
Entering configuration mode terminal
vedge(config)#
• Enable the ge0/0 interface in vpn 0, and commit the change:
vedge(config)# vpn 0
vedge(config-vpn-0)# int ge0/0
vedge(config-interface-ge0/0)# no shutdown
vedge(config-interface-ge0/0)# commit
Commit complete.
*the interface is preconfigured with ip dhcp-client and will automatically pick up an IP address
• Configure the system block on the vEdge so that it can connect to the control plane
vedge(config-interface-ge0/0)# system
vedge(config-system)# system-ip 10.4.0.1
vedge(config-system)# site-id 400
vedge(config-system)# vbond 198.18.1.11
vedge(config-system)# organization-name "Cisco Sy1 - 19968"
vedge(config-system)# commit

*Be careful with the organization-name: it contains white space and is case sensitive, and it must match the
organization name in the controllers' certificates exactly or the control connections will not come up


Verification
• Exit config mode and verify the control plane is up to vManage and vSmart
vedge# show control connections
PEER    PEER PEER        SITE DOMAIN PEER        PEER PRIV PEER        PEER PUB LOCAL        STATE UPTIME     CONTROLLER
TYPE    PROT SYSTEM IP   ID   ID     PRIVATE IP  PORT      PUBLIC IP   PORT     COLOR                         GROUP ID
------------------------------------------------------------------------------------------------------------------------
vsmart  dtls 12.12.12.12 10   1      198.18.1.12 12346     198.18.1.12 12346    biz-internet up    0:00:13:47 0
vmanage dtls 10.10.10.10 10   0      198.18.1.10 12346     198.18.1.10 12346    biz-internet up    0:00:13:47 0

• Show the IPsec tunnels established on the vEdge (*Note: you may not have BFD sessions unless you add
a color to the TLOC; add color "biz-internet" under the tunnel-interface on ge0/0)
vedge# show bfd sessions
                          SOURCE TLOC  REMOTE TLOC               DST PUBLIC  DST PUBLIC       DETECT     TX
SYSTEM IP SITE ID STATE   COLOR        COLOR        SOURCE IP    IP          PORT       ENCAP MULTIPLIER INTERVAL(msec) UPTIME     TRANSITIONS
-----------------------------------------------------------------------------------------------------------------------------------------------
10.1.0.1  100     up      biz-internet biz-internet 100.64.4.2   172.16.11.2 12386      ipsec 7          1000           0:00:17:12 0
10.1.0.2  100     up      biz-internet biz-internet 100.64.4.2   172.16.13.2 12386      ipsec 7          1000           0:00:17:12 0
10.2.0.1  200     up      biz-internet biz-internet 100.64.4.2   172.16.21.2 12386      ipsec 7          1000           0:00:17:12 0
10.2.0.2  200     up      biz-internet biz-internet 100.64.4.2   172.16.23.2 12386      ipsec 7          1000           0:00:17:12 0
10.3.0.1  300     up      biz-internet biz-internet 100.64.4.2   100.64.3.2  9240       ipsec 7          1000           0:00:17:12 0
10.3.0.2  300     up      biz-internet biz-internet 100.64.4.2   100.64.3.2  12346      ipsec 7          1000           0:00:17:12 0

• A few commands to help you troubleshoot if connection did not come up *See instructor
• show control connections-history
• show control local-properties
• show run vpn 0
• show run system
• show ip route vpn 0
• ping vpn 0 198.18.1.11
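When you bring up many vEdges, eyeballing these two tables gets old. The following Python script is an added example (not part of the lab guide or any Cisco tooling): it parses the output of "show control connections" and "show bfd sessions", then applies the checks the verification steps describe. The two sample outputs are constructed from what BR2-VEDGE1 printed above; the column order follows that output, and the parser keys on column position rather than header text, so the header wording of other releases does not matter.

```python
"""Parse vEdge 'show control connections' / 'show bfd sessions' output and check it.

Added example; not from the lab guide or Cisco. Samples are constructed from the
output BR2-VEDGE1 produced in this lab. Column order is assumed to match that
output; header and separator lines are skipped by shape, not by wording.
"""
import re

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
CONTROLLER_TYPES = {"vmanage", "vsmart", "vbond"}

SAMPLE_CONTROL = """\
PEER    PEER PEER        SITE DOMAIN PEER        PEER PRIV PEER        PEER PUB LOCAL        STATE UPTIME     CONTROLLER
TYPE    PROT SYSTEM IP   ID   ID     PRIVATE IP  PORT      PUBLIC IP   PORT     COLOR                         GROUP ID
------------------------------------------------------------------------------------------------------------------------
vsmart  dtls 12.12.12.12 10   1      198.18.1.12 12346     198.18.1.12 12346    biz-internet up    0:00:13:47 0
vmanage dtls 10.10.10.10 10   0      198.18.1.10 12346     198.18.1.10 12346    biz-internet up    0:00:13:47 0
"""

SAMPLE_BFD = """\
SYSTEM IP SITE ID STATE SRC COLOR    DST COLOR    SOURCE IP  DST PUBLIC IP DST PORT ENCAP MULT TX(msec) UPTIME     TRANSITIONS
-----------------------------------------------------------------------------------------------------------------------------
10.1.0.1  100     up    biz-internet biz-internet 100.64.4.2 172.16.11.2   12386    ipsec 7    1000     0:00:17:12 0
10.1.0.2  100     up    biz-internet biz-internet 100.64.4.2 172.16.13.2   12386    ipsec 7    1000     0:00:17:12 0
10.2.0.1  200     up    biz-internet biz-internet 100.64.4.2 172.16.21.2   12386    ipsec 7    1000     0:00:17:12 0
10.2.0.2  200     up    biz-internet biz-internet 100.64.4.2 172.16.23.2   12386    ipsec 7    1000     0:00:17:12 0
10.3.0.1  300     up    biz-internet biz-internet 100.64.4.2 100.64.3.2    9240     ipsec 7    1000     0:00:17:12 0
10.3.0.2  300     up    biz-internet biz-internet 100.64.4.2 100.64.3.2    12346    ipsec 7    1000     0:00:17:12 0
"""

CONTROL_FIELDS = ("peer_type", "proto", "system_ip", "site_id", "domain_id",
                  "private_ip", "private_port", "public_ip", "public_port",
                  "local_color", "state", "uptime", "group_id")
BFD_FIELDS = ("system_ip", "site_id", "state", "src_color", "dst_color", "source_ip",
              "dst_public_ip", "dst_port", "encap", "multiplier", "tx_interval_ms",
              "uptime", "transitions")


def _rows(text, fields, first_token_ok):
    """Keep only lines with the right column count whose first token looks like data."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != len(fields) or not first_token_ok(cols[0]):
            continue  # header, separator or blank line
        rows.append(dict(zip(fields, cols)))
    return rows


def parse_control_connections(text):
    return _rows(text, CONTROL_FIELDS, lambda t: t in CONTROLLER_TYPES)


def parse_bfd_sessions(text):
    rows = _rows(text, BFD_FIELDS, IPV4.match)
    for r in rows:
        r["site_id"] = int(r["site_id"])
        r["multiplier"] = int(r["multiplier"])
        r["tx_interval_ms"] = int(r["tx_interval_ms"])
    return rows


def controllers_up(conns):
    """vManage and vSmart must each have an 'up' session. vBond sessions are transient
    (used for orchestration only), so their absence is normal and not checked here."""
    up = {c["peer_type"] for c in conns if c["state"] == "up"}
    return {"vmanage", "vsmart"} <= up


def sessions_per_site(sessions):
    """Count of 'up' BFD sessions per remote site-id (expect 2 per dual-vEdge site)."""
    counts = {}
    for s in sessions:
        if s["state"] == "up":
            counts[s["site_id"]] = counts.get(s["site_id"], 0) + 1
    return counts


def detection_time_ms(session):
    """Time before this tunnel is declared down: detect multiplier x TX (hello) interval."""
    return session["multiplier"] * session["tx_interval_ms"]


def missing_local_colors(sessions, expected):
    """Transport colors you expect to carry tunnels but which have no BFD session at all."""
    return set(expected) - {s["src_color"] for s in sessions}


if __name__ == "__main__":
    conns = parse_control_connections(SAMPLE_CONTROL)
    sess = parse_bfd_sessions(SAMPLE_BFD)
    print("controllers up:", controllers_up(conns))
    print("sessions per site:", sessions_per_site(sess))
    print("detection time (ms):", detection_time_ms(sess[0]))
    print("colors with no tunnel:", missing_local_colors(sess, {"biz-internet", "mpls"}))
```

Run against the lab output, the script reports that both controllers are up, two tunnels to each of sites 100, 200 and 300, a 7000 ms detection time (the 7 x 1000 ms defaults, which the BFD Tuning Lab later changes), and that no session uses the mpls color, which is expected at this point because only ge0/0 (biz-internet) has been configured.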

Verification Cont.

• Finally, attach the vEdge to the template "BranchType2"
• Make sure all the configuration is there
• Make sure all control connections and BFD sessions are there


BFD Tuning Lab

Path Quality and Liveliness Detection

[Figure: timeline of BFD hellos. Liveliness is governed by Hello Interval (ms) and Multiplier (n); quality by
Poll Interval (ms) and App-Route Multiplier (n).]

• Each vEdge router sends BFD hello packets for path quality and liveliness detection
  - Packets are echoed back by the remote site
• Hello interval and multiplier determine how many BFD packets need to be lost to declare the IPsec tunnel down
• The number of hello intervals that fit inside the poll interval determines the number of BFD packets
  considered for establishing the poll-interval average path quality
• The app-route multiplier determines the number of poll intervals used for establishing the overall average
  path quality


Tuning BFD Timers – Hello and App-route

Objective:
Understanding BFD operation, timers and intervals
Steps:
Change the BFD hello timer and multiplier on BR1-VEDGE1 for sub-second failover in the CLI
Modify the app-route poll-interval and multiplier on BR2-VEDGE1 in its feature template
Tasks:
Manually tune the hello timer and multiplier on the branch 1 vEdge
Tune the app-route poll-interval and multiplier on the branch 2 vEdge
Observe app-route statistics behavior
Verification:
CLI: show running-config bfd app-route
show app-route stats | tab
show running-config bfd color
Hints:
Changing the BFD hello timer affects app-route stats collection, because the same probes that are used
for liveliness are used for app-route stats collection

BFD Hello Timer and Multiplier

Set the BR1-VEDGE1 BFD detection time to 800 ms on both MPLS and biz-internet
• On vManage -> Configuration -> Devices, highlight the BR1-VEDGE1 device
• Select Change Mode -> CLI Mode
• Log into BR1-VEDGE1 and configure below:
BR1-VEDGE1# conf
Entering configuration mode terminal
BR1-VEDGE1(config)# bfd ?
Possible completions:
app-route color
BR1-VEDGE1(config)# bfd color biz-internet ?
Possible completions:
hello-interval Hello interval, in milliseconds
multiplier Maximum number of attempts
pmtu-discovery Automatically discover path MTU
<cr>
BR1-VEDGE1(config)# bfd color biz-internet hello-interval ?
Possible completions:
<100..300000> milliseconds[1000]
BR1-VEDGE1(config)# bfd color biz-internet hello-interval 100
BR1-VEDGE1(config-color-biz-internet)# multiplier 8
BR1-VEDGE1(config-color-biz-internet)# exit
BR1-VEDGE1(config)# bfd color mpls hello-interval 100 multiplier 8
BR1-VEDGE1(config-color-mpls)# commit
Commit complete.

• This lab tuned the hello interval on both TLOCs to one hello every 100 ms, and the IPsec tunnel will only go
down if 8 consecutive BFD packets are missed in a row (8 x 100 ms = 800 ms). Sub-second detection is only as
good as the transport: on a lossy path these timers will flap tunnels that the default 7 x 1000 ms would have
kept up, so verify loss on the path before rolling such timers out beyond the lab


BFD App-route Multiplier and Poll-interval


Change BR2-VEDGE1 BFD Application-Aware Routing multiplier to 3 (Global value), and poll-interval
to 10000
• From vManage -> Configuration -> Templates
• Select “Feature” templates
• Find and modify the BFD template used by Branch 2 (*hint – click the right side dots and
see which devices are using the specific feature template)

DAY 2
CLI Template Lab


CLI Template Lab


Objective:
Understand how CLI Template works
Steps:
Fully configure a vEdge
Create a CLI template using the vEdge config
Create variables in the CLI template, then attach
Tasks:
Detach BR2-VEDGE1 from its Feature template
Show running-config on BR2-VEDGE1 and copy its full configuration to clipboard
Create a new CLI template on vManage, and paste in the running configuration
Create all of the variables and names for BR2-VEDGE1 according to the following page
After completing the CLI template, attach BR2-VEDGE1
Enter the values for the vEdge from the following page
Verification:
Check the final vEdge config against the backup config and make sure it is correct
Check all interfaces, control connections, BFD sessions and routing after applying the template
Hints:

CLI Template Variables

VARIABLES          VALUES
HOSTNAME           BR2-VEDGE1
LAT                32.79
LONG               -96.77
SYSIP              10.4.0.1
SITEID             400
MPLS-GW-IP         172.16.4.1
MPLS-IP-MASK       172.16.4.2/30
VPN-512-IP-MASK    198.18.134.106/18
VPN-512-GW-IP      198.18.128.1
VPN10-INT-IP-MASK  10.4.254.10/24
VPN20-INT-IP-MASK  10.4.20.1/24
VPN40-INT-IP-MASK  10.4.40.1/24
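The CLI template substitutes {{NAME}} markers with the values you enter for each device, and vManage will happily push a gateway that is not on the interface's subnet. The following Python script is an added example (not code from the lab guide or from vManage): it renders a constructed fragment of a BR2-VEDGE1 CLI template that uses the variable names from the table above, refuses to render if any variable is unsupplied, and sanity-checks the values before they are pushed (system-ip is a bare address, site-id is in range, and each gateway is a usable next hop on its interface's subnet). The template text and the two interface/gateway pairings it checks are assumptions made for the example.

```python
"""Render a vManage-style CLI template and sanity-check its variable values.

Added example; not code from the lab guide or from vManage. vManage CLI
templates mark device-specific values as {{NAME}}; the template below is a
constructed fragment using the variable names from the lab's table, and the
checks are the ones worth running before "Configure Devices" pushes the values.
"""
import ipaddress
import re

VAR = re.compile(r"\{\{([A-Za-z0-9_-]+)\}\}")

# Constructed fragment of a BR2-VEDGE1 CLI template (vEdge CLI syntax).
TEMPLATE = """\
system
 host-name {{HOSTNAME}}
 gps-location latitude {{LAT}}
 gps-location longitude {{LONG}}
 system-ip {{SYSIP}}
 site-id {{SITEID}}
!
vpn 0
 interface ge0/1
  ip address {{MPLS-IP-MASK}}
  no shutdown
 !
 ip route 0.0.0.0/0 {{MPLS-GW-IP}}
!
vpn 512
 interface eth0
  ip address {{VPN-512-IP-MASK}}
  no shutdown
 !
 ip route 0.0.0.0/0 {{VPN-512-GW-IP}}
!
"""

# Values from the lab's CLI Template Variables table.
LAB_VALUES = {
    "HOSTNAME": "BR2-VEDGE1", "LAT": "32.79", "LONG": "-96.77",
    "SYSIP": "10.4.0.1", "SITEID": "400",
    "MPLS-GW-IP": "172.16.4.1", "MPLS-IP-MASK": "172.16.4.2/30",
    "VPN-512-IP-MASK": "198.18.134.106/18", "VPN-512-GW-IP": "198.18.128.1",
}

# (interface address/mask variable, gateway variable) pairs that must share a subnet.
GATEWAY_PAIRS = (("MPLS-IP-MASK", "MPLS-GW-IP"), ("VPN-512-IP-MASK", "VPN-512-GW-IP"))


def variables_in(template):
    return set(VAR.findall(template))


def render(template, values):
    """Substitute every {{NAME}}; refuse to render if any variable is unsupplied."""
    missing = variables_in(template) - set(values)
    if missing:
        raise KeyError(f"unresolved template variables: {sorted(missing)}")
    return VAR.sub(lambda m: values[m.group(1)], template)


def validate(values):
    """Return a list of problems with the variable values (empty means consistent)."""
    problems = []
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9-]*", values.get("HOSTNAME", "")):
        problems.append("HOSTNAME must be alphanumeric/hyphen with no spaces")
    try:
        lat, lon = float(values["LAT"]), float(values["LONG"])
        if not (-90 <= lat <= 90 and -180 <= lon <= 180):
            problems.append("LAT/LONG out of range")
    except (KeyError, ValueError):
        problems.append("LAT/LONG must be decimal degrees")
    try:
        ipaddress.IPv4Address(values["SYSIP"])  # system-ip is a bare address, no mask
    except (KeyError, ValueError):
        problems.append("SYSIP must be an IPv4 address without a mask")
    if not (values.get("SITEID", "").isdigit() and 1 <= int(values["SITEID"]) <= 4294967295):
        problems.append("SITEID must be an integer 1..4294967295")
    for iface_key, gw_key in GATEWAY_PAIRS:
        try:
            iface = ipaddress.IPv4Interface(values[iface_key])
            gw = ipaddress.IPv4Address(values[gw_key])
        except (KeyError, ValueError):
            problems.append(f"{iface_key}/{gw_key} must be IPv4 address/prefix and IPv4 address")
            continue
        net = iface.network
        if gw not in net or gw in (net.network_address, net.broadcast_address) or gw == iface.ip:
            problems.append(f"{gw_key} {gw} is not a usable next hop on {iface_key} {iface}")
    return problems


if __name__ == "__main__":
    for p in validate(LAB_VALUES):
        print("problem:", p)
    print(render(TEMPLATE, LAB_VALUES))
```

With the table's values validate() returns no problems; change MPLS-GW-IP to an address outside 172.16.4.0/30 and it flags the gateway, and dropping SITEID from the values makes render() raise instead of pushing a template with a literal {{SITEID}} in it.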


Feature Template Lab


Objective:
Building feature templates
Steps:
Create BR2-VEDGE1 Configuration using new Feature templates
Tasks:
Configure new feature templates (system, BFD, OMP, VPN, etc) for vEdge-Cloud
Configure new Device template from feature templates
Deploy Device template to BR2-VEDGE1
Verification:
Check the final vEdge config against the backup config and make sure it is correct
Check all interfaces, control connections, BFD sessions and routing after applying the template
Hints:


System Feature Template


Configure the System feature template:
• Go to Configuration -> Feature Template on vManage
• Go to Feature Template -> Add Template, then select vEdge Cloud
• Create a new System Template, call it New-System-Template, enter a description
• Under Basic Configuration -> Site ID, make it Device Specific,
• Under Basic Configuration -> System IP, make it Device Specific, and
• Under Basic Configuration -> Hostname, make it Device Specific, and
• Under GPS -> Change Longitude and Latitude to Device Specific
• Save

BFD Feature Template


Configure the BFD feature template:
• Go to Configuration -> Feature Template on vManage
• Go to Feature Template -> Add Template, then select vEdge Cloud
• Create a new BFD Template, call it New-BFD-Template, enter a description
• Under Basic Configuration -> Poll Interval, make it Global, enter 5000
• Save

What is Polling Interval?

poll-interval milliseconds
How often BFD polls all data plane tunnels on a vEdge router to collect
packet latency, loss, and other statistics to be used by application-aware
routing.
Range: 1 through 4,294,967,295 (2^32 – 1) milliseconds
Default: 600,000 milliseconds (10 minutes)


OMP Feature Template

• Create a new OMP template for vEdge Cloud (as you did for the System and BFD templates), then
change the ECMP Limit -> Global -> 8
• Save

Note: You will create a new template; the lab guide shows you where to configure the setting but does not
repeat the Add Template steps used for the previous feature templates.
What are we doing by upping the ECMP limit? It is the maximum number of equal-cost OMP paths per prefix
that the vEdge installs from the routes it learns from vSmart; here we raise it from the default of 4 to 8.
16 is the maximum, and we usually set it to the max unless the design is very high scale.

VPN 0 Feature Template


Configure the VPN 0 feature template:
• Go to Configuration -> Feature Template on vManage
• Go to Feature Template -> Add Template, then select vEdge Cloud
• Create a new VPN Template, call it New-VPN0-Template, enter a description
• Under Basic Configuration -> VPN, make it Global, enter 0
• Under DNS -> New DNS -> Hostname, enter vbond.cisco.com; List of IP, enter
198.18.1.11,198.18.1.21
• Under IPv4 Route -> Add New IPv4 Route -> Prefix 0.0.0.0/0
• Select Add Next Hop -> under Address -> make it Device Specific, enter Key MPLS-GW
• Save Changes -> Save Changes
• Save

Note: The key can be deceiving; it is just a descriptive label for the operator who ends up entering the
value, so they have a better idea of what they are entering. It is a free-form text field.
Make sure you click Add after you have created the default route and next hop, otherwise it will not be saved.


Internet-TLOC Feature Template


Create the Internet TLOC feature template:
• Go to Configuration -> Feature Template on vManage
• Go to Feature Template -> Add Template, then select vEdge Cloud
• Create a new VPN Interface Ethernet Template, call it New-Internet-TLOC-Template, enter a
description
• Under Basic Configuration -> Shutdown, make it Global, select No
• Under Basic Configuration -> Interface Name, make it Global, enter ge0/0
• Under IPv4 Configuration -> select Dynamic
• Under Tunnel Interface -> make it Global, select On
• Color -> choose biz-internet
• Restrict -> choose On
• Under Allowed Service
• NTP -> Global, On
• STUN -> Global, On
• Under NAT -> make it Global, select On
• Under ACL/QOS -> Select QoS Map, make it Global, type WAN-QOS
• Save
Note: restrict is not required on biz-internet here. Why? A TLOC with restrict only attempts tunnels to
remote TLOCs of the same color, so as long as the mpls TLOCs on the other routers carry restrict, no
mpls-to-biz-internet tunnels will be attempted anyway.

MPLS-TLOC Feature Template


Create the MPLS TLOC feature template:
• Go to Configuration -> Feature Template on vManage
• Go to Feature Template -> Add Template, then select vEdge Cloud
• Create a new VPN Interface Ethernet Template, call it New-MPLS-TLOC-Template, enter a
description
• Under Basic Configuration -> Shutdown, make it Global, select No
• Under Basic Configuration -> Interface Name, make it Global, enter ge0/1
• Under IPv4 Configuration -> select Static
• Make IPv4 address -> Device Specific, enter Key MPLS-TLOC-IP
• Under Tunnel Interface -> make it Global, select On
• Color -> choose mpls
• Restrict -> choose On
• Under ACL/QOS -> Select QoS Map, make it Global, type WAN-QOS
• Save


VPN 10 Feature Template


Configure the VPN 10 feature template:
• Go to Configuration -> Feature Template on vManage
• Go to Feature Template -> Add Template, then select vEdge Cloud
• Create a new VPN Template, call it New-VPN10-Template, enter a description
• Under Basic Configuration -> VPN, make it Global, enter 10
• Under Advertise OMP -> turn On OSPF, turn On External
• Save

Note: you can advertise ospf in two places, either from the OMP process which does it
for all VPNs, or on a per-VPN-basis.

VPN 10 Interface Feature Template


Configure the VPN 10 interface feature template:
• Go to Configuration -> Feature Template on vManage
• Go to Feature Template -> Add Template, then select vEdge Cloud
• Create a new VPN Interface Ethernet Template, call it New-VPN10-Interface, enter a
description
• For Interface -> enter ge0/2
• Under IPv4 Configuration - > choose Static
• For IPv4 Address -> choose Device Specific, key new-vpn10-interface-ip
• Under ACL/QOS -> Ingress ACL IPv4 -> set to On
• Ingress IPv4 Access List -> add LAN-Classification
• Save

Note: don't forget to set Shutdown to No (no shut) on the interface!


OSPF Feature Template


Configure the OSPF feature template:
• Go to Configuration -> Feature Template on vManage
• Go to Feature Template -> Add Template, then select vEdge Cloud
• Create a new OSPF Template, call it New-OSPF-Template, enter a description
• Under Redistribute -> Select New Redistribute, under Protocol select OMP
• Under Area -> New Area -> Area Number -> enter 0
• Under Interface -> Add Interface -> Interface Name -> enter ge0/2 -> Add
• Under Advanced -> select Originate, make it Global -> On
• Select Policy Name -> make it Global -> enter denyInfraRoutes
• Save

Note: don’t forget to click add when you create the area/interface and redistribute.

VPN 20 Feature Template


Configure the VPN 20 feature template:
• Go to Configuration -> Feature Template on vManage
• Go to Feature Template -> Add Template, then select vEdge Cloud
• Create a new VPN Template, call it New-VPN20-Template, enter a description
• Under Basic Configuration -> VPN, make it Global, enter 20
• Save


VPN 20 Interface Feature Template


Configure the VPN 20 interface feature template:
• Go to Configuration -> Feature Template on vManage
• Go to Feature Template -> Add Template, then select vEdge Cloud
• Create a new VPN Interface Ethernet Template, call it New-VPN20-Interface, enter a
description
• For Interface -> enter ge0/3
• Under IPv4 Configuration - > choose Static
• For IPv4 Address -> choose Device Specific, key new-vpn20-interface-ip
• Under ACL/QOS -> Ingress ACL IPv4 -> set to On
• Ingress IPv4 Access List -> add VPN20-BizData
• Save

VPN 40 Feature Template


Configure the VPN 40 feature template:
• Go to Configuration -> Feature Template on vManage
• Go to Feature Template -> Add Template, then select vEdge Cloud
• Create a new VPN Template, call it New-VPN40-Template, enter a description
• Under Basic Configuration -> VPN, make it Global, enter 40
• Under IPv4 Route -> Add a New IPv4 route
• Make Prefix Global -> 0.0.0.0/0
• Make Gateway as VPN
• Set Enable VPN to On
• Save


VPN 40 Interface Feature Template


Configure the VPN 40 interface feature template:
• Go to Configuration -> Feature Template on vManage
• Go to Feature Template -> Add Template, then select vEdge Cloud
• Create a new VPN Interface Ethernet Template, call it New-VPN40-Interface, enter a
description
• For Interface -> enter ge0/4
• Under IPv4 Configuration - > choose Static
• For IPv4 Address -> choose Device Specific, key new-vpn40-interface-ip
• Under ACL/QOS -> Ingress ACL IPv4 -> set to On
• Ingress IPv4 Access List -> add GuestWiFi
• Save

Create Device Template From Feature Templates

Configure the device template from the new feature templates
• Go to Configuration -> Templates on vManage
• Go to Device Template -> select Create Template -> From Feature Templates
• Device Model -> select vEdge Cloud
• Enter Template name, call it New-branch-template, enter a description
• Select the feature templates that were created:
• System – New-System-Template
• Logging - factory
• AAA – factory
• Security - factory
• BFD – New-BFD-Template
• OMP – the new OMP template you created
• VPN 0 – New-VPN0-Template
• Internet – New-Internet-TLOC-Template
• MPLS – New-MPLS-TLOC-Template
• VPN 10 – New-VPN10-Template
• OSPF – New-OSPF-Template
• Interface – New-VPN10-Interface
• VPN 20 – New-VPN20-Template
• Interface – New-VPN20-Interface
• VPN 40 – New-VPN40-Template
• Interface – New-VPN40-Interface
• VPN 512 – dCloud
• Interface – VPN512interFACE
• Banner - dCloud
• Policy – LocalizedPolicyBaseline
• SNMP - dCloud
• Save
• Try attaching it to the branch 2 vEdge. Look for the IP address values in the running config of the device.
• You can get this by going to Configuration > Devices > Select the 3 dots on the right-hand side of BR2-VEDGE1


*TLOC-Extension Lab
(Unguided - time permitting)

TLOC-Extension Configuration Lab (Unguided)


Objective:
Extend transport from 2 vEdges, each connecting to a different transport so that each vEdge can utilize both
transports
Steps:
Change BR1-VEDGE1 and BR1-VEDGE2 from vManage mode to CLI mode
ERASE the TLOC-Extension configuration (ge0/1 & ge0/2) on BR1-VEDGE1 and BR1-VEDGE2
(Make a copy of the config in Notepad before erasing – just in case)
Create TLOC-extension on BR1-VEDGE1 and BR1-VEDGE2
Tasks:
Configure interfaces between BR1-VEDGE1 and BR1-VEDGE2
Create TLOC-extension configuration on both vEdges: Use Diagram: TLOC Extension Lab Reference &
Sample Configuration from: “TLOC Extension Configuration Example” as a guide

Verification:
Make sure all interfaces are up
Make sure control plane connections are up on the extended-TLOC
Make sure BFD is up on the TLOC-extension
Make sure OMP routes reflect the additional route on the new transport from each vEdge
Hints:
Make sure there is routing to the TLOC-extension segment on the MPLS side
Make sure there is NAT on the Internet transport


TLOC Extension Lab Diagram

[Diagram: DC1 – Site ID 100 (San Jose): DC1-VEDGE1 system-IP 10.1.0.1 and DC1-VEDGE2 10.1.0.2, Wkst-1,
Host and FW on 198.18.133.0/18, OSPF on the LAN. DC2 – Site ID 200 (Chicago): DC2-VEDGE1 10.2.0.1 and
DC2-VEDGE2 10.2.0.2, LAN 10.2.0.0/24, OSPF. Both DCs and the Controllers attach to the MPLS transport
(AS 100) and the Internet transport (AS 200, where ZTP lives); transport links include 172.16.10.0/30,
172.16.23.0/30 and 172.16.3.0/30. BR1 – Site ID 300 (Dallas): BR1-VEDGE1 10.3.0.1 and BR1-VEDGE2 10.3.0.2,
VRRP (.254) on LAN 10.3.0.0/24, TLOC extension links between the two vEdges (10.10.10.0/24 and
10.20.20.0/24 shown on ge0/1/ge0/2). BR2 – Site ID 400 (Los Angeles): BR2-VEDGE1 10.4.0.1, OSPF, LANs
10.4.0.0/24 and 10.4.254.0/24. Each branch has a Test Host at .21.]

** Note this is not the actual configuration for the lab – just an example.
Please refer to the LAB diagram for actual IP addresses **

TLOC Extension Example

Example topology: br1-vedge1 ge0/0 (100.65.51.1/30; the diagram shows /24) faces MPLS and br1-vedge2
ge0/0 (DHCP) faces INET. ge0/1 on both vEdges (10.5.51.51/24 and 10.5.51.52/24) carries br1-vedge1's INET
TLOC across br1-vedge2; ge0/2 on both (10.5.52.51/24 and 10.5.52.52/24) carries br1-vedge2's MPLS TLOC
across br1-vedge1. On the MPLS side, add a route to reach br1-vedge2's MPLS tunnel end-point
(ip route 10.5.52.52/32 100.65.51.1). On the INET side, do not forget NAT.

br1-vedge1:
vpn 0
 interface ge0/0
  description MPLS tunnel
  ip address 100.65.51.1/30
  tunnel-interface
   encapsulation ipsec
   color mpls restrict
   max-control-connections 1
   [service list]
  !
 interface ge0/1
  description INET tunnel
  ip address 10.5.51.51/24
  tunnel-interface
   encapsulation ipsec
   color biz-internet restrict
   max-control-connections 1
   [service list]
  !
 interface ge0/2
  ip address 10.5.52.51/24
  tloc-extension ge0/0
  no shutdown
 !
 ip route 0.0.0.0/0 100.65.51.2
 ip route 0.0.0.0/0 10.5.51.52

br1-vedge2:
vpn 0
 interface ge0/0
  description INET tunnel
  ip dhcp-client
  nat
  ! Do not forget NAT
  tunnel-interface
   encapsulation ipsec
   color biz-internet restrict
   max-control-connections 1
   [service list]
  !
 interface ge0/1
  ip address 10.5.51.52/24
  tloc-extension ge0/0
  no shutdown
 !
 interface ge0/2
  description MPLS tunnel
  ip address 10.5.52.52/24
  tunnel-interface
   encapsulation ipsec
   color mpls restrict
   max-control-connections 1
   [service list]
  !
 ip route 0.0.0.0/0 10.5.52.51


DAY 3
Control Policy Lab

Control Policy Lab


Objective:
Create Control policy for hub-spoke where branch1 prefers DC1 and branch2 prefers DC2 for default route
Steps:
Set up appropriate lists for the policy
Implement policy and verify before and after application
Tasks:
Create new site lists and VPN list(s)
Create new control policy using policy GUI (Topology)
DC1 default route only to branch1, and should have a preference of 100
DC2 default routes only to branch2, and should have a preference of 100
No inter-DC tunnels should be built
No inter-branch tunnels should be built
Apply finished policy to all sites
Verification:
Check BFD sessions before and after implementing policy
Check routing information before and after implementing policy
Test traffic patterns by using ping, traceroute
Hints:
Control policies are applied from the vSmarts' perspective, in an inbound or outbound direction
By default tunnels are full mesh. Control policy can influence whether tunnels are built, as well as how routes are
distributed. To control tunnel building, match on TLOC; to control routing, match on Route


Control Policy Creation


Go to Configuration -> Policies
• Add Policy
• Select Site on the left and make sure the following site lists exist: DC1, DC2, BranchG1,
BranchG2, AllDC, AllBranches

Control Policy Creation Cont.


• Select Prefix on the left and make sure the DefaultRoute prefix exists, or create a New
Prefix List, and add the 0.0.0.0/0 prefix


Control Policy Creation – Group1

Click Next at the bottom
• Select Add Topology
• Select Custom Control (Route & TLOC)
• Name the policy New-Hub-Spoke-Control-Policy-G1, add Description
• Add Sequence Type (from left), Select Route
• Select Sequence Rule
• Under Match
• Select Site, then select DC1 under Site List
• Select Prefix List, then select DefaultRoute
• Go to Action
• Choose Accept
• Select Preference
• Enter 100
• Save Match and Actions
• Add Sequence Type (from left), Select TLOC
• Select Sequence Rule
• Under Match
• Select Site, then select AllDC under Site List
• Go to Action
• Choose Accept
• Save Match and Actions
• On the left choose Default Action
• Edit the Default Action (use pen icon on the right side), and choose Reject
• Save Match and Actions
• Save Control Policy

Note: The instructions for the lab only allow the default route from DC1; if DC1 goes down, no backup
route exists from DC2. How would you fix this so DC2 is a backup to DC1?

Control Policy Creation – Repeat for Group2

Click Next at the bottom
• Select Add Topology
• Select Custom Control (Route & TLOC)
• Name the policy New-Hub-Spoke-Control-Policy-G2, add Description
• Add Sequence Type (from left), Select Route
• Select Sequence Rule
• Under Match
• Select Site, then select DC2 under Site List
• Select Prefix List, then select DefaultRoute
• Go to Action
• Choose Accept
• Select Preference
• Enter 100
• Save Match and Actions
• Add Sequence Type (from left), Select TLOC
• Select Sequence Rule
• Under Match
• Select Site, then select AllDC under Site List
• Go to Action
• Choose Accept
• Save Match and Actions
• On the left choose Default Action
• Edit the Default Action (use pen icon on the right side), and choose Reject
• Save Match and Actions
• Save Control Policy

Note: The instructions for the lab only allow the default route from DC2; if DC2 goes down, no backup
route exists from DC1. How would you fix this so DC1 is a backup to DC2?


Review Control Policies


We have created 2 control policies
New-Hub-Spoke-Control-Policy-G1
New-Hub-Spoke-Control-Policy-G2

Applying the Control Policies


Select Next until you are at Apply Policies to Sites and VPNs page
• Enter Policy Name as vSmart-policy-lab, enter Description
• The 2 policies should be shown under Topology
• Select New Site List and add BranchG2 to New-Hub-Spoke-Control-Policy-G2 to Outbound Site List
• Select New Site List and add BranchG1 to New-Hub-Spoke-Control-Policy-G1 to Outbound Site List
• Save Policy
• The vSmart-policy-lab should show up, go to the right side with the 3 dots -> Activate


Verification
Check all the vEdges and verify if:
• From branches,
• BFD sessions are only built to the DCs (use “show bfd sessions” from vEdges)
• Only default routes are in the routing table and only to the preferred DC (use
“show ip routes vpn 10”, “show omp routes”)
• From DCs,
• Should see all the routes from the Branches
• Should have all BFD sessions (tunnels) from all the branches
• Should NOT have BFD sessions to the other DC – is it there?
• Need to add a policy to address this requirement*

• Hint:
• From Configuration -> Policies -> Custom Options (top right) -> Topology
• Add Topology -> Custom Control (Route & TLOC)
• Sequence Type -> TLOC
• Accept TLOC from AllBranches
• Reject TLOC from AllDC
• Default Accept
• Add this to the vSmart Policy, then apply it to Site List AllDC
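Both the "how would you make the other DC a backup" question in the Group1/Group2 steps and the DC-side TLOC hint above come down to the same two rules: vSmart evaluates sequences top to bottom, the first match decides, and anything unmatched gets the default action. The Python model below is an added example (not code from the lab guide or from Cisco) that reproduces those semantics against the lab's site lists (site-ids 100/200/300/400 from the lab diagram) and a constructed set of OMP route and TLOC advertisements. It shows that the lab's G1 policy leaves BranchG1 with no default route once DC1 withdraws, that accepting DC2's default with a lower preference fixes it (OMP best-path prefers the higher preference), and what the DC-side policy lets through. The to_cli() rendering assumes the standard vSmart policy CLI syntax; the GUI generates the equivalent.

```python
"""Model of how vSmart evaluates a centralized control policy (first match wins,
then default-action) against the lab's site lists.

Added example, not code from the lab guide or from Cisco. Site-ids and the
advertisements are constructed from the lab topology; to_cli() assumes the
standard vSmart policy CLI syntax.
"""
from dataclasses import dataclass, replace
from typing import Optional

SITE_LISTS = {"DC1": {100}, "DC2": {200}, "BranchG1": {300}, "BranchG2": {400},
              "AllDC": {100, 200}, "AllBranches": {300, 400}}
PREFIX_LISTS = {"DefaultRoute": {"0.0.0.0/0"}}


@dataclass(frozen=True)
class Advert:
    kind: str            # "route" or "tloc"
    site: int            # originating site-id
    prefix: str = ""     # routes only
    color: str = ""      # tlocs only
    preference: int = 0  # OMP preference; higher wins in best-path selection


@dataclass(frozen=True)
class Sequence:
    kind: str
    site_list: Optional[str] = None
    prefix_list: Optional[str] = None
    action: str = "accept"
    set_preference: Optional[int] = None

    def matches(self, adv):
        return (adv.kind == self.kind
                and (not self.site_list or adv.site in SITE_LISTS[self.site_list])
                and (not self.prefix_list or adv.prefix in PREFIX_LISTS[self.prefix_list]))


@dataclass(frozen=True)
class ControlPolicy:
    name: str
    sequences: tuple
    default_action: str = "reject"

    def evaluate(self, adverts):
        """Adverts vSmart sends to a site the policy is applied to (outbound direction)."""
        out = []
        for adv in adverts:
            seq = next((s for s in self.sequences if s.matches(adv)), None)
            if (seq.action if seq else self.default_action) != "accept":
                continue
            if seq and seq.set_preference is not None:
                adv = replace(adv, preference=seq.set_preference)
            out.append(adv)
        return out

    def to_cli(self):
        lines = [f"control-policy {self.name}"]
        for n, s in enumerate(self.sequences, 1):
            lines += [f" sequence {n * 10}", f"  match {s.kind}"]
            lines += [f"   site-list {s.site_list}"] if s.site_list else []
            lines += [f"   prefix-list {s.prefix_list}"] if s.prefix_list else []
            lines.append(f"  action {s.action}")
            if s.set_preference is not None:
                lines.append(f"   set preference {s.set_preference}")
        lines.append(f" default-action {self.default_action}")
        return "\n".join(lines)


def best_default(adverts):
    """OMP best path for 0.0.0.0/0 among accepted routes: highest preference wins."""
    defaults = [a for a in adverts if a.kind == "route" and a.prefix == "0.0.0.0/0"]
    return max(defaults, key=lambda a: a.preference, default=None)


def dc1_down(adverts):
    """Simulate DC1 (site 100) withdrawing all of its routes and TLOCs."""
    return [a for a in adverts if a.site != 100]


# Constructed OMP advertisements mirroring the lab topology.
ADVERTS = [Advert("route", 100, "0.0.0.0/0"), Advert("route", 200, "0.0.0.0/0"),
           Advert("route", 100, "10.1.0.0/24"), Advert("route", 200, "10.2.0.0/24"),
           Advert("route", 300, "10.3.0.0/24"), Advert("route", 400, "10.4.0.0/24")]
ADVERTS += [Advert("tloc", s, color=c) for s in (100, 200, 300, 400) for c in ("mpls", "biz-internet")]

# What the lab builds for BranchG1: DC1 default only, tunnels to DCs only, everything else rejected.
LAB_G1 = ControlPolicy("New-Hub-Spoke-Control-Policy-G1", (
    Sequence("route", "DC1", "DefaultRoute", set_preference=100),
    Sequence("tloc", "AllDC")))

# The fix: DC2's default is accepted too, at a lower preference, so it only wins once DC1's is gone.
FIXED_G1 = ControlPolicy("New-Hub-Spoke-Control-Policy-G1", (
    Sequence("route", "DC1", "DefaultRoute", set_preference=100),
    Sequence("route", "DC2", "DefaultRoute", set_preference=50),
    Sequence("tloc", "AllDC")))

# DC-side policy from the verification hint: TLOCs from branches yes, from the other DC no.
DC_POLICY = ControlPolicy("No-Inter-DC-Tunnels", (
    Sequence("tloc", "AllBranches"),
    Sequence("tloc", "AllDC", action="reject")), default_action="accept")

if __name__ == "__main__":
    print(FIXED_G1.to_cli())
    print("lab policy after DC1 failure:  ", best_default(LAB_G1.evaluate(dc1_down(ADVERTS))))
    print("fixed policy after DC1 failure:", best_default(FIXED_G1.evaluate(dc1_down(ADVERTS))))
```

Note that the lab policy also rejects the DCs' service routes (10.1.0.0/24, 10.2.0.0/24), which is why the verification step expects only default routes at the branches; the same default-reject is what stops branch TLOCs from reaching other branches. The policy is applied outbound to a site list (in CLI terms, "apply-policy site-list BranchG1 control-policy New-Hub-Spoke-Control-Policy-G1 out", assumed syntax), so DC1's failure is seen by the branch as DC1's advertisements disappearing, exactly what dc1_down() simulates.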

Data Policy Lab


Data Policy Lab


Objective:
Create a Data Policy to manipulate different traffic types
Steps:
Set up appropriate lists for the policy
Implement policy and verify before and after application
Apply policy to branch 2
Tasks:
Ensure site lists and VPN list(s) are already created.
Create new data policy using policy GUI (Traffic-Data)
Youtube traffic should be dropped
ICMP traffic should use MPLS only
SSH traffic should use Internet only
Apply the policy to Branch 2 VPN 10
Verification:
Check vSmart policy on the vEdge
Use counters to verify traffic is being matched
Use simulator on vManage to show where the traffic should be going
Use “show app cflowd flows” to see the path traffic takes
Fail MPLS/Internet to make sure the redundant path works
Hints:

Create Data Policy


vManage -> Configuration -> Policies -> Custom Options -> Traffic Policy

Select Traffic Data -> Create New


Create Data Policy


Give the Policy a name and description, then add “Sequence Type” -> select Custom

Create Data Policy Cont


Add a sequence that matches on an Application Family list for YouTube: create the list here by searching on “youtube”, select “Youtube.com” & “Youtube HD”, Save, then select the list under Match


Create Data Policy Cont


Go to “Action”, and verify “Drop” action is Enabled -> Save “Match And Action”

Add another +Sequence Rule that matches on ICMP (protocol 1) -> Action “Accept” -> Set Local-TLOC MPLS

Add another +Sequence Rule that matches on TCP (protocol 6) & Port 22 -> Action “Accept” -> Set Local-TLOC biz-internet

Create Data Policy Cont


The policy should look like the screenshot below -> Save Data Policy


Add the Data Policy to the vSmart Policy


Go to Centralized Policies and Edit the vSmart Policy

Go to Traffic Rules -> under Traffic Data -> Add Policy -> Import Existing -> Import the Data Policy you just created

Apply the Data Policy to Branch-2 site, VPN 10


Go to Traffic Application -> Traffic Data -> Select Site-List & VPN-List


Save Policy and Apply


Save Policy Changes -> the policy is applied automatically when you click “Activate”
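As an added reference that is not part of the lab guide, this is the CLI form of the data policy vManage builds and pushes to vSmart. The policy and list names (Lab-Data-Policy, youtube-apps, Branch2, VPN10) are assumed; site-list Branch2 (site-id 400 from the topology diagram) and vpn-list VPN10 are assumed to exist already, as the lab's first task requires; and the DPI application names youtube and youtube_hd are assumed to be the CLI names behind “Youtube.com” and “Youtube HD”.

```text
policy
 lists
  app-list youtube-apps
   app youtube
   app youtube_hd
  !
 !
 ! seq 1 drops YouTube, seq 11 pins ICMP to mpls, seq 21 pins SSH to biz-internet
 data-policy Lab-Data-Policy
  vpn-list VPN10
   sequence 1
    match
     app-list youtube-apps
    !
    action drop
    !
   !
   sequence 11
    match
     protocol 1
    !
    action accept
     set
      local-tloc color mpls
     !
    !
   !
   sequence 21
    match
     protocol 6
     destination-port 22
    !
    action accept
     set
      local-tloc color biz-internet
     !
    !
   !
   default-action accept
  !
 !
!
! from-service applies the policy to traffic entering from the Branch 2 LAN side
apply-policy
 site-list Branch2
  data-policy Lab-Data-Policy from-service
 !
!
```

After activation, “show policy from-vsmart” on the Branch 2 vEdge should list these three sequences; if it does not, the site list or VPN list chosen under Traffic Application does not cover that vEdge.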

Verification
• Check the vSmart policy on the vEdge
• show policy from-vsmart
• Use counters to verify traffic is being matched
• Use the traffic simulator on vManage to show where the traffic should be going
• Use “show app cflowd flows” to see the path traffic takes
• Fail MPLS/Internet to make sure the redundant path works and traffic can still pass even if it was intended to be sent on MPLS


Application Aware Routing Policy Lab

App Aware Routing Policy Lab


Objective:
Create an AAR Policy to manipulate different traffic types
Steps:
Set up appropriate lists for the policy
Implement policy and verify before and after application
Tasks:
Create SLA Classes “new_voice_video”, “new_business_app” & “new_default”
Create new AAR policy using policy GUI (New-AAR-policy)
WebEx traffic should prefer Internet in VPN 10 and have SLA Class new_business_app
Voice (EF) and Video (AF41) traffic should prefer MPLS in VPN 10 and have SLA class new_voice_video
SSH traffic can use either MPLS or Internet and have SLA class new_default
Change the latency on the MPLS link so that Voice traffic fails over to the Internet link but not the other classes (observe in events for SLA change)
Verification:
Check vSmart policy on the vEdge
Use counters to verify traffic is being matched
Use simulator on vManage to show where the traffic should be going
Use “show app cflowd flows” to see the path traffic takes
Check app-route statistics on the tunnels and use vManage statistics real time function
Correlate SLA changes in the log when creating additional latency on the network
Hints:


SLA Classes
On vManage -> Configuration -> Policies -> Custom Options -> Lists
• Select SLA Class -> Add the below SLA Classes:
• new_voice_video (latency=150ms; loss=1%; jitter=35ms)
• new_business_app (latency=300ms; loss=2%)
• new_default (latency=500ms; loss=5%)

Define a new AAR policy with 3 sequences


On vManage -> Configuration -> Policies -> Custom Options -> Traffic Policy
• Under Application Aware Routing -> Click Add Policy -> Create New
• Name the policy New-AAR-policy and set a description
• Add Sequence Type (from left)
• Select Sequence Rule
• Under Match
• Select DSCP, then type “46 34” (no quotes; this matches voice (EF, DSCP 46) and video (AF41, DSCP 34))
• Go to Action
• Choose SLA Class, select the SLA class you created under Lists (new_voice_video), and set Preferred Color to MPLS
• Save Match and Actions
• Select Sequence Rule (to add an additional sequence)
• Under Match
• Select Application/Application Family List
• Search for WebEx
• *If WebEx is not there, create an Application List here and add it to the rule*
• Go to Action
• Choose SLA Class, select the SLA class you created under Lists (new_business_app), and set Preferred Color to Internet
• Save Match and Actions
• Repeat with a new Sequence Rule for SSH (match on TCP/22 or an Application List) with SLA class new_default; it may use either transport, so no preferred color is needed
• Save the AAR Policy


Add the AAR Policy to the vSmart Policy


Go to Centralized Policies and Edit the vSmart Policy (the one that shows true under Activated)

Go to Traffic Rules -> under Application Aware Routing -> Add Policy -> Import Existing -> Import the AAR Policy you just created

Go to Traffic Application -> Application Aware Routing -> Select Site-List (AllDC and AllBranches) & VPN-List (10)

Save Policy and Apply


Save Policy Changes -> the policy is applied automatically when you click “Activate”
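The CLI form of the SLA classes and the AAR policy, added here as a reference rather than taken from the lab guide. The app-list name webex-apps, the DPI application name webex-meeting (use whatever name the vManage application search shows) and the sequence numbering are assumptions; vpn-list VPN10 is assumed to exist already; and the apply-policy stanza (app-route-policy New-AAR-policy under site-list AllDC and site-list AllBranches) is left out for space.

```text
policy
 sla-class new_voice_video
  latency 150
  loss 1
  jitter 35
 !
 sla-class new_business_app
  latency 300
  loss 2
 !
 sla-class new_default
  latency 500
  loss 5
 !
 lists
  app-list webex-apps
   app webex-meeting
  !
 !
 ! seq 1 voice/video prefer mpls, seq 11 WebEx prefers biz-internet, seq 21 SSH any tunnel
 app-route-policy New-AAR-policy
  vpn-list VPN10
   sequence 1
    match
     dscp 46 34
    !
    action
     sla-class new_voice_video preferred-color mpls
    !
   !
   sequence 11
    match
     app-list webex-apps
    !
    action
     sla-class new_business_app preferred-color biz-internet
    !
   !
   sequence 21
    match
     protocol 6
     destination-port 22
    !
    action
     sla-class new_default
    !
   !
  !
 !
!
```

A sequence without preferred-color, like the SSH one, lets the vEdge use any tunnel that currently meets the SLA, which is why only the voice/video class moves when you raise latency on the MPLS link past 150 ms.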


*Control Policy Lab Challenge


(Unguided - time permitting)

Control Policy Challenge Lab


Objective:
Create multi-VPN and multi-topology policy
Tasks:
Create the site lists and VPN list(s)
Create new control policy using policy GUI (Topology)
VPN 10 - Corp segment should have full mesh, with branch1 preferring DC1 and branch2 preferring DC2 for default routing
VPN 20 – PCI segment should be only hub and spoke with all branches preferring DC1; no routing between branches
VPN 40 – Guest segment, traffic should go out to the Internet locally only at branches; no routing between branches; no routing from branches to the DC
Verification:
Check BFD sessions before and after implementing policy
Check routing information before and after implementing policy
Test traffic patterns by using ping, traceroute
Hints:
Don’t send a default route in a VPN if you don’t want branches to talk to each other through the DC
Use VPN membership in the vSmart policy - if a site is not allowed to be part of a VPN it means it can’t send or receive routes on that VPN, but the VPN can still exist locally


dCloud Pod Sessions – Iselin, NJ


Session Id Session Name Usernames Password
71919 1 - Cisco 4D SD-WAN (Viptela) v2 v109user1; v109user2; ... v109user16 e6f86d
71918 2 - Cisco 4D SD-WAN (Viptela) v2 v1274user1; v1274user2; ... v1274user16 4de781
71917 3 - Cisco 4D SD-WAN (Viptela) v2 v629user1; v629user2; ... v629user16 bb6f09
71916 4 - Cisco 4D SD-WAN (Viptela) v2 v1160user1; v1160user2; ... v1160user16 af8bd6
71915 5 - Cisco 4D SD-WAN (Viptela) v2 v898user1; v898user2; ... v898user16 736f53
71914 6 - Cisco 4D SD-WAN (Viptela) v2 v1056user1; v1056user2; ... v1056user16 dab62e
71913 7 - Cisco 4D SD-WAN (Viptela) v2 v972user1; v972user2; ... v972user16 5d09bc
71912 8 - Cisco 4D SD-WAN (Viptela) v2 v669user1; v669user2; ... v669user16 b3b78b
71911 9 - Cisco 4D SD-WAN (Viptela) v2 v789user1; v789user2; ... v789user16 8cfadd
71910 10 - Cisco 4D SD-WAN (Viptela) v2 v828user1; v828user2; ... v828user16 201b18
71909 11 - Cisco 4D SD-WAN (Viptela) v2 v928user1; v928user2; ... v928user16 a7febd
71908 12 - Cisco 4D SD-WAN (Viptela) v2 v1003user1; v1003user2; ... v1003user16 c863ff
71907 13 - Cisco 4D SD-WAN (Viptela) v2 v77user1; v77user2; ... v77user16 6c7ca0
71906 14 - Cisco 4D SD-WAN (Viptela) v2 v682user1; v682user2; ... v682user16 68dc79
71905 15 - Cisco 4D SD-WAN (Viptela) v2 v515user1; v515user2; ... v515user16 1c741a
71904 16 - Cisco 4D SD-WAN (Viptela) v2 v1472user1; v1472user2; ... v1472user16 74bf12
71903 17 - Cisco 4D SD-WAN (Viptela) v2 v1372user1; v1372user2; ... v1372user16 b23ec0
71902 18 - Cisco 4D SD-WAN (Viptela) v2 v1488user1; v1488user2; ... v1488user16 caae67
71901 19 - Cisco 4D SD-WAN (Viptela) v2 v761user1; v761user2; ... v761user16 6fcd40
71900 20 - Cisco 4D SD-WAN (Viptela) v2 v1291user1; v1291user2; ... v1291user16 e6b305
71899 21 - Cisco 4D SD-WAN (Viptela) v2 v258user1; v258user2; ... v258user16 ef5aef
71898 22 - Cisco 4D SD-WAN (Viptela) v2 v294user1; v294user2; ... v294user16 379530
71897 23 - Cisco 4D SD-WAN (Viptela) v2 v91user1; v91user2; ... v91user16 3a22f2
71896 24 - Cisco 4D SD-WAN (Viptela) v2 v610user1; v610user2; ... v610user16 a11a59
71895 25 - Cisco 4D SD-WAN (Viptela) v2 v500user1; v500user2; ... v500user16 f91543

[Topology diagram: Corporate VPN 10]
DC1 – Site ID 100 (San Jose; dCloud-GW, Wkst-1, host and FW; 198.18.133.0/18; OSPF to the LAN): DC1-VEDGE1 System-IP 10.1.0.1, DC1-VEDGE2 System-IP 10.1.0.2
DC2 – Site ID 200 (Chicago; host and FW; 10.2.0.0/24; OSPF to the LAN): DC2-VEDGE1 System-IP 10.2.0.1, DC2-VEDGE2 System-IP 10.2.0.2
Transports: MPLS Transport and Internet Transport (AS 100 and AS 200); controllers vBond, vManage, vSmart and ZTP; transport links 172.16.3.0/30, 172.16.10.0/30, 172.16.23.0/30
BR1 – Site ID 300: BR1-VEDGE1 System-IP 10.3.0.1 and BR1-VEDGE2 System-IP 10.3.0.2 with VRRP and OSPF on LAN 10.3.0.0/24; BR2 – Site ID 400: BR2-VEDGE1 System-IP 10.4.0.1 with LANs 10.4.0.0/24 and 10.4.254.0/24; 10.10.10.0/24 and 10.20.20.0/24 also appear at the branches; the branch sites are Los Angeles and Dallas, each with a Test Host

[Topology diagram: IOT/PCI VPN 20]
DC1 – Site ID 100 (San Jose, dCloud-GW) and DC2 – Site ID 200 (Chicago) with the same vEdges as VPN 10 (System-IPs 10.1.0.1, 10.1.0.2, 10.2.0.1, 10.2.0.2); DC1 LAN 10.1.20.0/24 and DC2 LAN 10.2.20.0/24, each with VRRP .1 (vEdges .2 and .3) and a Test Host at .10
Transports: MPLS Transport and Internet Transport (AS 100 and AS 200); controllers vBond, vManage, vSmart and ZTP
BR1 – Site ID 300: BR1-VEDGE1 (10.3.0.1) and BR1-VEDGE2 (10.3.0.2) on ge0/4 with VRRP .1 (.2 and .3), LAN 10.3.20.0/24, Test Host .10; BR2 – Site ID 400: BR2-VEDGE1 (10.4.0.1) ge0/3 .2 connected, LAN 10.4.20.0/24, Test Host .10; the branch sites are Los Angeles and Dallas

[Topology diagram: GuestWifi VPN 40]
DC1 – Site ID 100 (San Jose, dCloud-GW) and DC2 vEdges as in VPN 10 (System-IPs 10.1.0.1, 10.1.0.2, 10.2.0.1, 10.2.0.2)
Transports: MPLS Transport and Internet Transport (AS 100 and AS 200); controllers vBond, vManage, vSmart and ZTP
BR1 – Site ID 300: BR1-VEDGE1 (10.3.0.1) and BR1-VEDGE2 (10.3.0.2) on ge0/5 with VRRP .1 (.2 and .3), LAN 10.3.40.0/24, Test Host .10; BR2 – Site ID 400: BR2-VEDGE1 (10.4.0.1) ge0/4 .2 connected, LAN 10.4.40.0/24, Test Host .10; the branch sites are Los Angeles and Dallas


ZTP Info for BR2-VEDGE1

Connectivity Tests

