In certain SD-WAN deployments, branch networks are required to backhaul all traffic to a centralized firewall located at the headquarters or data center for centralized security inspection and policy enforcement.
RansNet routers support VRF over SD-WAN - establishing VPN tunnels using the system default routing table (transport VRF), while leveraging VRF instances (service VRF) over the SD-WAN overlay to maintain a dedicated routing domain for internal traffic.
This architecture simplifies branch router WAN link failover configuration, and enhances overall security by fully isolating internal networks from direct external reachability. This model can also be used by service providers who want to share a centralized SD-WAN gateway among multiple customers (each customer is assigned a unique service VRF).
An alternative approach is to use Layer-2 SD-WAN mode; we will discuss this in a separate document.
The following sample topology is used to illustrate this design and the associated traffic flows.
In the above scenario:
Routers (both branch and gateway) use the system default routing table to establish VPN tunnels. Configure WAN failover between links if there is link redundancy.
Assign the SD-WAN interface (hence the VPN tunnel) and the router LAN interfaces (both HQ and branch) to a dedicated VRF (e.g. VRF-4, following the VPN instance ID).
Run a BGP instance in the service VRF: the gateway advertises the default route 0.0.0.0/0 to the branch routers, and each branch router advertises its local LAN networks.
All branch LAN traffic follows the BGP default route through the VPN tunnel to HQ, within the service VRF.
Optionally, configure route leaking between the SD-WAN VRF and the router default VRF, only if you want branch networks to break out to the Internet from the CMG/HSG gateway.
NOTE on the gateway config:
Add a route-map (and prefix-list) for the VPN instance so that only 0.0.0.0/0 is advertised to the branch routers; they do not need to receive the other branches' routes.
If the SD-WAN VRF needs to communicate with other networks directly, assign the connected interface to the same VRF. For example, if you have another firewall to filter the traffic, assign the interface connected to the firewall to the same VRF, and add a default route pointing to the firewall within the SD-WAN VRF.
Route leaking is only necessary if you want SD-WAN VRF traffic to break out from the local CMG/HSG gateway (via the gateway's default routing table).
Below are the relevant gateway configs (without route leaking). The general network configuration is skipped.
!
interface eth1
description "Interface connection to firewall"
ip vrf 4
ip address 10.10.10.2/30
!
ip route 0.0.0.0/0 nexthop 10.65.31.1 remark "system default route to Internet"
ip route 0.0.0.0/0 nexthop 10.10.10.1 vrf 4 remark "VRF-4 default route to firewall"
!
router bgp 65051 vrf 4
bgp timer 5 15
neighbor 0168_RansNet_SSL3OPENVPN_4 as-peer
neighbor 0168_RansNet_SSL3OPENVPN_4 as-remote 65051
neighbor 0168_RansNet_SSL3OPENVPN_4 next-hop-self
neighbor 0168_RansNet_SSL3OPENVPN_4 route-map HQ2Branch out
neighbor 0168_RansNet_SSL3OPENVPN_4 route-reflector-client
neighbor 0168_RansNet_SSL3OPENVPN_4 soft-reconfiguration
neighbor 0168_RansNet_SSL3OPENVPN_4 weight 0
neighbor range 10.4.168.0/22 as-peer 0168_RansNet_SSL3OPENVPN_4
network 0.0.0.0/0
!
ip prefix-list HQ2Branch permit 0.0.0.0/0
!
route-map HQ2Branch permit 10
match ip address prefix-list HQ2Branch
!
firewall-input 500 permit all tcp dport 179 src 10.0.0.0/8
!
firewall-access 500 permit outbound eth0 remark "Permit out to Internet"
firewall-access 501 permit outbound tap+ remark "Permit SD-WAN traffic"
firewall-access 502 permit inbound tap+ remark "Permit SD-WAN traffic"
!
firewall-snat 500 overload outbound eth0
!
security sslvpn-server 4
server address sdwan.ransnet.com 1604
server tap-mode
encryption AES-256-CBC
server client-to-client
tunnel-pool 10.4.168.0/22
tap vrf 4
client 00-60-e0-a3-59-f7
start
Verifications
Gateway# show ip bgp summary
IPv4 Unicast Summary (VRF 4):
BGP router identifier 10.65.31.134, local AS number 65051 vrf-id 8
BGP table version 2
RIB entries 2, using 384 bytes of memory
Peers 1, using 724 KiB of memory
Peer groups 1, using 64 bytes of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd PfxSnt Desc
*10.4.168.2 4 65051 105 106 0 0 0 00:08:26 1 2 N/A
Total number of neighbors 1
* - dynamic neighbor
1 dynamic neighbor(s), limit 2000
Gateway#
Gateway# show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure
VRF 4:
S>* 0.0.0.0/0 [1/0] via 10.10.10.1, eth1, weight 1, 00:09:39
C>* 10.4.168.0/22 is directly connected, tap4, 00:09:39
C>* 10.10.10.0/30 is directly connected, eth1, 00:09:39
B>* 192.168.8.0/22 [200/0] via 10.4.168.2, tap4, weight 1, 00:01:25
VRF default:
S>* 0.0.0.0/0 [1/0] via 10.65.31.1, eth0, weight 1, 00:10:04
C>* 2.1.2.1/32 is directly connected, lo, 00:10:10
C>* 10.65.31.0/24 is directly connected, eth0, 00:10:10
NOTE on the branch router config:
Assign the LAN interface (where internal devices reside) to the SD-WAN VRF
Run the BGP VRF instance
Use tcpdump to trace packet flows
The general network configuration is skipped. Below are the relevant branch configs:
!
interface eth1
description "Default connection to LAN"
enable
ip vrf 4
ip address 192.168.8.1/22
dhcp-server
lease-time 86400 86400
router 192.168.8.1
dns 8.8.8.8 8.8.4.4
range 192.168.8.10 192.168.11.254
enable
!
router bgp 65051 vrf 4
bgp timer 5 15
neighbor 0168_RansNet_SSL3OPENVPN_4 as-peer
neighbor 0168_RansNet_SSL3OPENVPN_4 as-remote 65051
neighbor 0168_RansNet_SSL3OPENVPN_4 next-hop-self
neighbor 0168_RansNet_SSL3OPENVPN_4 soft-reconfiguration
neighbor 0168_RansNet_SSL3OPENVPN_4 weight 0
neighbor 10.4.168.1 as-peer 0168_RansNet_SSL3OPENVPN_4
network 192.168.8.1/22
!
firewall-input 500 permit all tcp dport 179 src 10.0.0.0/8
!
firewall-access 500 permit outbound eth0 remark "Permit out to Internet"
firewall-access 501 permit outbound tap+ remark "Permit SD-WAN traffic"
firewall-access 502 permit inbound tap+ remark "Permit SD-WAN traffic"
!
firewall-snat 500 overload outbound eth0
!
security sslvpn-client 4
tap vrf 4
start
!
Verifications
Branch# show ip bgp summary
IPv4 Unicast Summary (VRF 4):
BGP router identifier 10.18.18.190, local AS number 65051 vrf-id 18
BGP table version 10
RIB entries 2, using 384 bytes of memory
Peers 1, using 724 KiB of memory
Peer groups 1, using 64 bytes of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd PfxSnt Desc
10.4.168.1 4 65051 561 557 0 0 0 00:29:17 1 1 N/A
Total number of neighbors 1
Branch# show
Branch# show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure
VRF 4:
B>* 0.0.0.0/0 [200/0] via 10.4.168.1, tap4, weight 1, 00:29:23
C>* 10.4.168.0/22 is directly connected, tap4, 00:48:27
C>* 192.168.8.0/22 is directly connected, eth1, 00:22:03
VRF default:
K>* 0.0.0.0/0 [0/1002] via 10.18.18.1, eth0, src 10.18.18.190, 23:26:14
C>* 2.1.2.1/32 is directly connected, lo, 23:34:24
K * 10.18.18.0/24 [0/1002] is directly connected, eth0, 23:26:14
C>* 10.18.18.0/24 is directly connected, eth0, 23:26:14
Route leaking is needed, on the gateway router only, if you want traffic from the service VRF to break out from the gateway router (e.g. to the Internet). It requires routes to be "leaked" between the service VRF and the default VRF on the same gateway router.
There are two options to configure route leaking:
Configure a static route for each remote network, for smaller SD-WAN deployments
Use MP-BGP to populate the routes automatically, for large SD-WAN deployments
You will also need to take note of the NAT/SNAT configuration.
Option 1: static route leaking
Static route leaking requires a static next hop (to the remote LAN network), which is the branch router's tunnel IP. That means we need to set a static tunnel IP for each branch router.
!
hostname Gateway
!
interface eth0
description "Default connection to WAN"
enable
ip address 10.65.31.134/24
!
interface lo
enable
ip address 2.1.2.1/32
!
interface tap4
enable
ip vrf 4
!
ip host portal.ransnet.com 10.65.30.18
!
ip route 0.0.0.0/0 nexthop 10.65.31.1 remark "system default route"
ip route 0.0.0.0/0 nexthop 10.65.31.1 vrf 4 nexthop-vrf default remark "VRF-4 default route via system"
ip route 10.4.168.0/22 nexthop tap4 nexthop-vrf 4 remark "return to VRF-4 VPN network"
ip route 192.168.8.0/22 nexthop 10.4.168.10 nexthop-vrf 4 remark "return to branch_LAN.10 in VRF-4"
!
router bgp 65051 vrf 4
bgp timer 5 15
neighbor 0168_RansNet_SSL3OPENVPN_4 as-peer
neighbor 0168_RansNet_SSL3OPENVPN_4 as-remote 65051
neighbor 0168_RansNet_SSL3OPENVPN_4 next-hop-self
neighbor 0168_RansNet_SSL3OPENVPN_4 route-map HQ2Branch out
neighbor 0168_RansNet_SSL3OPENVPN_4 route-reflector-client
neighbor 0168_RansNet_SSL3OPENVPN_4 soft-reconfiguration
neighbor 0168_RansNet_SSL3OPENVPN_4 weight 0
neighbor range 10.4.168.0/22 as-peer 0168_RansNet_SSL3OPENVPN_4
network 0.0.0.0/0
!
ip prefix-list HQ2Branch permit 0.0.0.0/0
!
route-map HQ2Branch permit 10
match ip address prefix-list HQ2Branch
!
firewall-input 500 permit all tcp dport 179 src 10.0.0.0/8
!
firewall-access 500 permit outbound eth0 remark "Permit out to Internet"
firewall-access 501 permit outbound tap+ remark "Permit SD-WAN traffic"
firewall-access 502 permit inbound tap+ remark "Permit SD-WAN traffic"
!
firewall-snat 500 overload outbound eth0
!
security sslvpn-server 4
server address sdwan.ransnet.com 1604
server tap-mode
encryption AES-256-CBC
server client-to-client
tunnel-pool 10.4.168.0/22
tap vrf 4
client 00-60-e0-a3-59-f7
static 10.4.168.10
start
Verification
Gateway# show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure
VRF 4:
S>* 0.0.0.0/0 [1/0] via 10.65.31.1, eth0 (vrf default), weight 1, 00:05:23
C>* 10.4.168.0/22 is directly connected, tap4, 00:26:33
B>* 192.168.8.0/22 [200/0] via 10.4.168.10, tap4, weight 1, 00:00:26
VRF default:
S>* 0.0.0.0/0 [1/0] via 10.65.31.1, eth0, weight 1, 04:01:58
C>* 2.1.2.1/32 is directly connected, lo, 04:02:04
K * 10.3.168.0/22 [0/0] via 10.3.168.2, tun3, 04:01:41
C>* 10.3.168.0/22 is directly connected, tun3, 04:01:41
S>* 10.4.168.0/22 [1/0] is directly connected, tap4 (vrf 4), weight 1, 00:11:45
C>* 10.65.31.0/24 is directly connected, eth0, 04:02:04
S>* 192.168.8.0/22 [1/0] via 10.4.168.10, tap4 (vrf 4), weight 1, 00:00:26
* via 192.168.8.1 (vrf 4) inactive, weight 1, 00:00:26
Gateway# ping 192.168.8.1 source 4
ping: Warning: source address might be selected on device other than: 4
PING 192.168.8.1 (192.168.8.1) from 10.4.168.1 4: 56(84) bytes of data.
64 bytes from 192.168.8.1: icmp_seq=1 ttl=64 time=3.36 ms
64 bytes from 192.168.8.1: icmp_seq=2 ttl=64 time=3.67 ms
64 bytes from 192.168.8.1: icmp_seq=3 ttl=64 time=3.40 ms
64 bytes from 192.168.8.1: icmp_seq=4 ttl=64 time=3.66 ms
64 bytes from 192.168.8.1: icmp_seq=5 ttl=64 time=3.78 ms
--- 192.168.8.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4008ms
rtt min/avg/max/mdev = 3.356/3.573/3.776/0.164 ms
Gateway#
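The point of the leaked routes above is that both directions must resolve: a branch LAN packet entering VRF 4 must find the default VRF's exit, and the reply entering the default VRF must find a route back into VRF 4 (the static route via the branch's fixed tunnel IP 10.4.168.10). The following added example (not RansNet code) parses the "show ip route" output in the format shown on this page into per-VRF FIB tables, does the two lookups, and flags service-VRF prefixes that have no return route in the transport VRF. The sample output embedded in it is constructed from the Option 1 verification above, trimmed to the relevant lines.

```python
import ipaddress
import re
# Constructed sample, trimmed from this page's gateway "show ip route" after static route leaking.
SHOW_IP_ROUTE = """\
VRF 4:
S>* 0.0.0.0/0 [1/0] via 10.65.31.1, eth0 (vrf default), weight 1, 00:05:23
C>* 10.4.168.0/22 is directly connected, tap4, 00:26:33
B>* 192.168.8.0/22 [200/0] via 10.4.168.10, tap4, weight 1, 00:00:26
VRF default:
S>* 0.0.0.0/0 [1/0] via 10.65.31.1, eth0, weight 1, 04:01:58
K * 10.3.168.0/22 [0/0] via 10.3.168.2, tun3, 04:01:41
S>* 10.4.168.0/22 [1/0] is directly connected, tap4 (vrf 4), weight 1, 00:11:45
S>* 192.168.8.0/22 [1/0] via 10.4.168.10, tap4 (vrf 4), weight 1, 00:00:26
  *                      via 192.168.8.1 (vrf 4) inactive, weight 1, 00:00:26
"""
# Same table with the leaked return route for the branch LAN removed (the mistake to detect).
NO_RETURN_ROUTE = "\n".join(l for l in SHOW_IP_ROUTE.splitlines()
                            if not l.startswith("S>* 192.168.8.0/22"))

ROUTE_RE = re.compile(r"^([A-Z])([> ])([* ])\s*(\S+)\s+(?:\[\d+/\d+\]\s+)?"
                      r"(?:via (\S+), |is directly connected, )(\S+?)(?: \(vrf (\S+)\))?,")

def parse_routes(text):
    """{vrf: [(network, nexthop_ip, iface, nexthop_vrf)]}, selected FIB routes ('>*') only."""
    tables, vrf = {}, None
    for line in text.splitlines():
        if line.startswith("VRF ") and line.endswith(":"):
            vrf = line[4:-1]
            continue
        m = ROUTE_RE.match(line)
        if m and m.group(2) == ">" and m.group(3) == "*":   # skips headers, 'K *', inactive legs
            _, _, _, prefix, nh, iface, nh_vrf = m.groups()
            tables.setdefault(vrf, []).append((ipaddress.ip_network(prefix), nh, iface, nh_vrf or vrf))
    return tables

def lookup(tables, vrf, dst):
    """Longest-prefix match in one VRF: (prefix, nexthop, iface, nexthop_vrf) or None."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in tables[vrf] if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return None if best is None else (str(best[0]), best[1], best[2], best[3])

def missing_return_routes(tables, service_vrf, transport_vrf):
    """Service-VRF prefixes whose replies, looked up in the transport VRF, would not re-enter it."""
    gaps = []
    for net, *_ in tables[service_vrf]:
        r = lookup(tables, transport_vrf, str(net.network_address + 1))
        if net.prefixlen and (r is None or r[3] != service_vrf):
            gaps.append(str(net))
    return gaps
```

With the return route missing, a reply to 192.168.8.0/22 matches the default VRF's 0.0.0.0/0 and is sent back out eth0, which is the symptom to look for when branch Internet breakout fails after leaking.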
Option 2: Use MP-BGP to auto populate
<to be continued>