In this lab, we are going to see how to create different topologies for each Service
VPN. We have two Service VPNs, VPN1 and VPN2. You are going to configure Hub
and Spoke for VPN1 and mesh connectivity for VPN2.
This lab requires VPN2 on B1-R1 and B2-R1, which is created as part of the VPN
Segmentation lab.
Perform the VPN Segmentation lab before going through this lab, or create VPN2 on B1-R1
by moving ge0/3 to VPN2 and create a loopback interface in VPN2 of B2-R1 with
IP address 10.3.2.1/24.
Full Mesh
By default, SD-WAN forms full mesh connectivity between all the sites.
Let's verify this.
Navigate to Monitor>Network
Select B1-R1
Go to Troubleshooting and Trace Route
Trace to a host in DC network from VPN1.
Trace to 10.1.1.100 from VPN1 and select a source interface from VPN1.
Refer to the below screenshot to perform the traceroute from vManage.
Notice the path: B1-R1 > DC > Destination
Similarly, perform the trace to B2-R1 service VPN1 interface IP address 10.3.1.1
Notice the path: B1-R1 > B2-R1
Similarly, trace to B2-R1’s VPN2 interface IP address 10.2.2.1 from VPN2.
Notice the path: B1-R1 > B2-R1
This verification shows that the default topology for all the VPNs is Full Mesh, i.e.,
Branch1 sends traffic to Branch2 without traversing the DC.
Default Route from Hub
For spoke-to-spoke communication via the DC (Hub), we need to
advertise a default route from the hub to all the spokes.
For the purpose of this lab, let's create a static default route (to null0) on the hub;
OMP will advertise it to all the other sites.
Navigate to Configuration>Templates>Feature
We need to create a default route in the Service VPN of the DC (Hub)
devices. Let's identify the devices to which the VPN1 feature template is attached.
Notice that the template is attached to both DC and Branch2. However, we
need to create the default route in DC only.
Clone this template by clicking on Copy.
Give the below Name and description.
Template Name: DC-VPN1
Description: DC-VPN1
Click Copy.
Edit the cloned DC-VPN1 template.
Under the IPv4 configuration section, click on New IPv4 Route and
configure the route as below.
Prefix (Global): 0.0.0.0/0
Gateway: Null0
Enable Null0 (Global): On
Click Add
Update the template.
Modify Device Template
Go to Device templates and edit DC-Template
Under Service VPN section, change the VPN feature template to
DC-VPN1 and update the template.
Click Next
Select a device from the device list to preview the configuration.
Notice the default null route and click on Configure Devices
Confirm and OK
Wait until the template push is successful.
Verification
Let's verify that the branch WAN Edges received the default route from the DC
(Hub).
Navigate to Monitor>Network>B1-R1>Real Time
Select IP Routes from Device Options.
Do Not Filter
Notice the default route from DC WAN Edges.
Select B2-R1 from Select Device drop down menu.
Select OMP Received Routes from Device Options.
Do Not Filter
Notice the default route from DC WAN Edges.
Hub & Spoke Policy
Now let's create a policy so that VPN1 traffic from Branch1 destined to Branch2 goes via
the DC, and vice versa.
Navigate to Configuration>Policies
Click on Add Policy
Creating Lists:
Lists are used to match the traffic.
Site Lists:
Create the site lists using the below information.
Site Name    Site ID
DC           10
B1           100
B2           200
Refer below screenshots to create the site list.
The completed site list should be like the below list.
TLOC List
Create a TLOC list (DC-TLOC) with the below information.
TLOC IP Color
192.168.1.101 Biz-internet
192.168.1.101 Mpls
192.168.1.102 Biz-internet
192.168.1.102 Mpls
Refer below screenshots to create the TLOC list.
The completed TLOC list should be like the below list.
VPN List:
Create the VPN lists using the below information.
VPN List Name    VPN ID
VPN1             1
VPN2             2
The completed VPN list should be like the below list.
Click Next.
Topology: Hub-and-Spoke
Select Hub-and-Spoke from Add Topology drop down menu.
Configure Hub and Spoke policy using below details.
Name: VPN1-HS
Description: VPN1-HS
VPN List: VPN1
Click on Add Hub-and-Spoke to define the hub and spoke sites in the policy.
To add hub, Click on Add Hub Sites and select DC and then click Add.
To add Branch1, Click on Add Spoke Sites and select B1 and then click Add.
To add Branch2, Click on Add Spoke Sites again and select B2 and then click Add.
Click Manage Custom Preferences and Prefix Lists
Select Advertise Hub TLOCs and choose DC-TLOC from the drop down.
Save changes.
Save Hub-and-Spoke policy.
Click Next
Click Next again.
Create the main policy.
Policy Name: LearnEdze-Policy
Policy Description: LearnEdze-Policy
Save Policy
To preview the policy configuration, click on (…) and Preview.
Preview the configuration in CLI form and click OK.
The policy will now be applied to the vSmart with system IP 192.168.1.3.
Click on Activate
Wait until the policy push to the vSmart is completed.
Verification
From B1-R1 VPN1, perform a trace to a host in the DC network, in this case
10.1.1.100.
Notice that there is no change in the path from B1-R1 to the DC.
From B1-R1 VPN1, perform a trace to B2-R1's VPN1 interface IP address, in this case
10.3.1.1.
Notice the change in the path from B1-R1 to B2-R1. It is now traversing via the DC
(Hub).
Let’s verify the VPN2 traffic from B1-R1 to B2-R1.
Notice that VPN2 communication has failed completely.
We created the Hub-and-Spoke policy for VPN1 only. However, by default such a policy
restricts the TLOCs a spoke receives for all VPNs, not just the VPN in its VPN list.
Let’s verify if B1-R1 is receiving any routes in VPN2.
Navigate to Monitor>Network>B1-R1>Real Time
Select IP Routes from Device Options
Do Not Filter.
Notice that B1-R1 has only the connected route in its VPN2 routing table.
Verify if it is receiving B2-R1’s TLOCs via OMP.
Notice that B1-R1 does not receive B2-R1's TLOCs.
To resolve this, we need to create a Mesh policy for VPN2.
Mesh Policy
Navigate to Configuration>Policies
From the top right-hand side, click on Custom Options and select Topology.
Select Mesh from Add Topology drop down menu
Configure below:
Name: VPN2-Mesh
Description: VPN2-Mesh
VPN List: VPN2
To create a Mesh region, click on New Mesh Region and configure below.
Mesh Region Name: VPN2-Mesh
Site List: B1 & B2
Click Add
Save Mesh Topology
Edit the main policy.
Choose Topology on the top.
Select Import Existing Topology from Add Topology drop down menu.
Choose Mesh as Policy Type.
Select VPN2-Mesh policy and import.
Click on Policy Application from top menu
Save Policy changes.
Now the policy will be applied to vSmart. Click on Activate.
Wait until the policy push to the vSmart is successful.
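To show why VPN2 broke after the hub-and-spoke policy and why the mesh region fixes it, here is an added example (not Cisco code and not the vManage preview output): a simplified model of how vSmart evaluates a centralized control policy outbound towards a spoke, with first-match sequences and a default-action of reject. It uses the lab's site IDs, TLOC list and prefixes; B2-R1's own TLOC is a constructed placeholder, and the B2-R1 VPN1 prefix 10.3.1.0/24 is assumed from its interface address.

```python
# Added example: a simplified model of vSmart evaluating a centralized control
# policy towards a spoke. Sequences are tried in order, first match wins, and an
# unmatched advertisement hits default-action reject (it is dropped).
DC_TLOCS = [("192.168.1.101", "biz-internet"), ("192.168.1.101", "mpls"),
            ("192.168.1.102", "biz-internet"), ("192.168.1.102", "mpls")]
B2_TLOC = [("<B2-R1 system-ip>", "biz-internet")]  # constructed placeholder
# Sequence = (match kind, site-list, vpn-list or None, tloc-list to set or None)
HUB_SPOKE_VPN1 = [
    ("tloc",  {10},       None, None),      # Advertise Hub TLOCs: accept DC TLOCs
    ("route", {10},       None, None),      # hub routes, incl. the 0.0.0.0/0 null route
    ("route", {100, 200}, {1},  DC_TLOCS),  # spoke VPN1 routes re-pointed at hub TLOCs
]
MESH_VPN2 = [
    ("tloc",  {100, 200}, None, None),      # mesh region B1 & B2: accept spoke TLOCs
    ("route", {100, 200}, {2},  None),      # and VPN2 routes with their original TLOC
]

def apply_policy(sequences, advertisements):
    """Return the advertisements that survive the policy, in order."""
    accepted = []
    for adv in advertisements:
        for kind, sites, vpns, set_tloc in sequences:
            if adv["kind"] != kind or adv["site"] not in sites:
                continue
            if vpns is not None and adv.get("vpn") not in vpns:
                continue
            out = dict(adv)
            if set_tloc is not None:
                out["tloc"] = list(set_tloc)   # 'set tloc-list DC-TLOC'
            accepted.append(out)
            break                              # first matching sequence wins
        # loop ended without a match: default-action reject drops it
    return accepted

# Constructed advertisements that vSmart holds for B1-R1 (site 100).
OMP_TO_B1 = [
    {"kind": "tloc",  "site": 10,  "tloc": DC_TLOCS},
    {"kind": "tloc",  "site": 200, "tloc": B2_TLOC},
    {"kind": "route", "site": 10,  "vpn": 1, "prefix": "0.0.0.0/0",   "tloc": DC_TLOCS},
    {"kind": "route", "site": 200, "vpn": 1, "prefix": "10.3.1.0/24", "tloc": B2_TLOC},
    {"kind": "route", "site": 200, "vpn": 2, "prefix": "10.3.2.0/24", "tloc": B2_TLOC},
]

def b1_view(sequences):
    """What B1-R1 learns: (sites whose TLOCs it has, {vpn: {prefix: tloc list}})."""
    got = apply_policy(sequences, OMP_TO_B1)
    routes = {}
    for a in got:
        if a["kind"] == "route":
            routes.setdefault(a["vpn"], {})[a["prefix"]] = a["tloc"]
    return sorted(a["site"] for a in got if a["kind"] == "tloc"), routes
```

Calling b1_view(HUB_SPOKE_VPN1) reproduces the failure seen earlier (only the DC TLOCs and no VPN2 routes reach B1-R1), while b1_view(HUB_SPOKE_VPN1 + MESH_VPN2) shows B2-R1's TLOC and the VPN2 route accepted and the VPN1 route still pointing at the hub TLOCs.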
Verification
Let’s verify VPN2 Routes in B1-R1.
Navigate to Monitor>Network>B1-R1>Real Time
Select IP Routes from Device Options
Do Not Filter.
Notice that B1-R1 now receives VPN2 routes from B2-R1.
Verify the traceroutes.
Perform the below traceroute and notice that VPN2 communication is successful.
Perform the below traceroute and notice that VPN1 communication between
Branch1 and Branch2 traverses the DC.