In certain SD-WAN deployments, branch networks are required to backhaul all traffic to a centralized firewall located at the headquarters or data center for centralized security inspection and policy enforcement.
RansNet routers support VRF over SD-WAN: VPN tunnels are established using the system default routing table (the transport VRF), while a VRF instance (the service VRF) runs over the SD-WAN overlay to maintain a dedicated routing domain for internal traffic.
This architecture simplifies branch router WAN link failover configuration, and enhances overall security by fully isolating internal networks from direct external reachability. This model can also be used by service providers who want to share a centralized SD-WAN gateway among multiple customers (each customer is assigned a unique service VRF).
An alternative approach to isolating internal traffic, suited to smaller networks, is "L2 over SD-WAN".
The following sample topology is used to illustrate this design and the associated traffic flows.
In this scenario:
Routers (both branch and gateway) use the system default routing table to establish VPN tunnels. Configure WAN failover between links if there is link redundancy.
Assign the SD-WAN interface (hence the VPN tunnel) and the router LAN interfaces (both HQ and branch) to a dedicated VRF (e.g. VRF-4, following the VPN instance ID).
Run a BGP instance in the service VRF: the gateway advertises the default route 0.0.0.0/0 to the branch routers, and each branch router advertises its local LAN networks.
Route all LAN traffic through the VPN tunnel to HQ using the BGP default route, within the service VRF.
Optionally, configure route leaking between the SD-WAN VRF and the router default VRF, only if you want branch traffic to break out to the Internet from the CMG/HSG gateway.
NOTE:
Add a route-map (and prefix-list) to the VPN instance so that only 0.0.0.0/0 is advertised to the branch routers; they do not need to receive other branches' routes.
If the SD-WAN VRF needs to communicate with other networks directly, assign the connected interface to the same VRF. For example, if another firewall filters the traffic, assign the interface connected to the firewall to the same VRF and add a default route towards the firewall within the SD-WAN VRF.
Route leaking is only necessary if you want SD-WAN VRF traffic to break out from the local CMG/HSG gateway (via the gateway's default routing table).
Below are the relevant configuration steps on the Orchestrator:
Step 1: Assign LAN interface to the service VRF
Step 2: Configure default route for the service VRF
Step 3: Configure prefix-list and route-map
Step 4: Enable VRF for BGP Instance and apply route-map
Step 5: Assign branch device to the VPN instance
Apply Config
CLI Configuration Sample
Below are the relevant gateway CLI configs (generated by mfusion). Use the mfusion orchestrator to provision SD-WAN configurations; most of the settings are made on the gateway, in the SD-WAN VPN instance. The CLI samples are for reference and expert mode only.
!
interface eth1 vrf 4
description "Interface connection to firewall"
ip address 10.10.10.2/30
!
ip route 0.0.0.0/0 nexthop 10.65.31.1 remark "system default route to Internet"
ip route 0.0.0.0/0 nexthop 10.10.10.1 vrf 4 remark "VRF-4 default route to firewall"
!
router bgp 65051 vrf 4
bgp timer 5 15
neighbor 0168_RansNet_SSL3OPENVPN_4 as-peer
neighbor 0168_RansNet_SSL3OPENVPN_4 as-remote 65051
neighbor 0168_RansNet_SSL3OPENVPN_4 next-hop-self
neighbor 0168_RansNet_SSL3OPENVPN_4 route-map HQ2Branch out
neighbor 0168_RansNet_SSL3OPENVPN_4 route-reflector-client
neighbor 0168_RansNet_SSL3OPENVPN_4 soft-reconfiguration
neighbor 0168_RansNet_SSL3OPENVPN_4 weight 0
neighbor range 10.4.168.0/22 as-peer 0168_RansNet_SSL3OPENVPN_4
network 0.0.0.0/0
!
ip prefix-list HQ2Branch permit 0.0.0.0/0
!
route-map HQ2Branch permit 10
match ip address prefix-list HQ2Branch
!
firewall-input 500 permit all tcp dport 179 src 10.0.0.0/8
!
firewall-access 500 permit outbound eth0 remark "Permit out to Internet"
firewall-access 501 permit outbound tap+ remark "Permit SD-WAN traffic"
firewall-access 502 permit inbound tap+ remark "Permit SD-WAN traffic"
!
firewall-snat 500 overload outbound eth0
!
security sslvpn-server 4 vrf 4
server address sdwan.ransnet.com 1604
server tap-mode
encryption AES-256-CBC
server client-to-client
tunnel-pool 10.4.168.0/22
client 00-60-e0-a3-59-f7
start
Verifications
Gateway# show ip bgp summary
IPv4 Unicast Summary (VRF 4):
BGP router identifier 10.65.31.134, local AS number 65051 vrf-id 8
BGP table version 2
RIB entries 2, using 384 bytes of memory
Peers 1, using 724 KiB of memory
Peer groups 1, using 64 bytes of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd PfxSnt Desc
*10.4.168.2 4 65051 105 106 0 0 0 00:08:26 1 2 N/A
Total number of neighbors 1
* - dynamic neighbor
1 dynamic neighbor(s), limit 2000
Gateway#
Gateway# show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure
VRF 4:
S>* 0.0.0.0/0 [1/0] via 10.10.10.1, eth1, weight 1, 00:09:39
C>* 10.4.168.0/22 is directly connected, tap4, 00:09:39
C>* 10.10.10.0/30 is directly connected, eth1, 00:09:39
B>* 192.168.8.0/22 [200/0] via 10.4.168.2, tap4, weight 1, 00:01:25
VRF default:
S>* 0.0.0.0/0 [1/0] via 10.65.31.1, eth0, weight 1, 00:10:04
C>* 2.1.2.1/32 is directly connected, lo, 00:10:10
C>* 10.65.31.0/24 is directly connected, eth0, 00:10:10
On the branch router, only the LAN interface (where internal devices reside) needs to be assigned to the SD-WAN service VRF. Relevant configuration steps:
Step 1: Assign LAN interface to the service VRF
Apply Config
CLI Configuration Sample
!
interface eth1 vrf 4
description "Default connection to LAN"
enable
ip address 192.168.8.1/22
dhcp-server
lease-time 86400 86400
router 192.168.8.1
dns 8.8.8.8 8.8.4.4
range 192.168.8.10 192.168.11.254
enable
!
router bgp 65051 vrf 4
bgp timer 5 15
neighbor 0168_RansNet_SSL3OPENVPN_4 as-peer
neighbor 0168_RansNet_SSL3OPENVPN_4 as-remote 65051
neighbor 0168_RansNet_SSL3OPENVPN_4 next-hop-self
neighbor 0168_RansNet_SSL3OPENVPN_4 soft-reconfiguration
neighbor 0168_RansNet_SSL3OPENVPN_4 weight 0
neighbor 10.4.168.1 as-peer 0168_RansNet_SSL3OPENVPN_4
network 192.168.8.1/22
!
firewall-input 500 permit all tcp dport 179 src 10.0.0.0/8
!
firewall-access 500 permit outbound eth0 remark "Permit out to Internet"
firewall-access 501 permit outbound tap+ remark "Permit SD-WAN traffic"
firewall-access 502 permit inbound tap+ remark "Permit SD-WAN traffic"
!
firewall-snat 500 overload outbound eth0
!
security sslvpn-client 4 vrf 4
start
!
Verifications
Branch# show ip bgp summary
IPv4 Unicast Summary (VRF 4):
BGP router identifier 10.18.18.190, local AS number 65051 vrf-id 18
BGP table version 10
RIB entries 2, using 384 bytes of memory
Peers 1, using 724 KiB of memory
Peer groups 1, using 64 bytes of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd PfxSnt Desc
10.4.168.1 4 65051 561 557 0 0 0 00:29:17 1 1 N/A
Total number of neighbors 1
Branch# show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure
VRF 4:
B>* 0.0.0.0/0 [200/0] via 10.4.168.1, tap4, weight 1, 00:29:23
C>* 10.4.168.0/22 is directly connected, tap4, 00:48:27
C>* 192.168.8.0/22 is directly connected, eth1, 00:22:03
VRF default:
K>* 0.0.0.0/0 [0/1002] via 10.18.18.1, eth0, src 10.18.18.190, 23:26:14
C>* 2.1.2.1/32 is directly connected, lo, 23:34:24
K * 10.18.18.0/24 [0/1002] is directly connected, eth0, 23:26:14
C>* 10.18.18.0/24 is directly connected, eth0, 23:26:14
If you want service VRF traffic to break out from the gateway (e.g. using the CMG default route to the Internet), routes must be leaked between the service VRF and the default VRF on the gateway router, so that the gateway can route traffic between the two VRFs.
VRFs are isolated by design — they don’t automatically share routes with the default table.
For Internet breakout, return traffic must find its way from the default routing table back into the VRF.
Without leaking, return traffic would arrive at the gateway but never know how to return into the VRF.
NOTE:
You only need to configure route leaking on the gateway router.
Configure firewall/SNAT to permit inbound/outbound traffic.
The same method can be used to leak routes directly on a branch router, but only in rare cases. (NOTE: if you generally allow local breakout on branch routers, you don't need "VRF over SD-WAN" at all; the traditional method will do: advertise the HQ/DC routes and route everything else through the local default route.)
There are two options to configure route leaking:
Configure a static route for each remote network, for smaller SD-WAN deployments
Dynamically import routes (using MP-BGP), for large SD-WAN deployments
Option 1: static route leaking
Static route leaking is simple to configure when you have a few remote locations, but it gets tedious as the number of remote sites grows, since each site requires its own static route.
NOTE:
Static route leaking requires a static nexthop for each remote network.
The nexthop is the remote branch router's tunnel IP, so a static tunnel IP must be set for each branch router.
CLI Configuration Sample
Below are the relevant gateway CLI configs for reference only (other general configs are omitted).
!
hostname Gateway
!
interface eth0
description "Default connection to WAN"
enable
ip address 10.65.31.134/24
!
interface lo
enable
ip address 2.1.2.1/32
!
interface tap4 vrf 4
enable
!
ip host portal.ransnet.com 10.65.30.18
!
ip route 0.0.0.0/0 nexthop 10.65.31.1 remark "system default route"
ip route 0.0.0.0/0 nexthop 10.65.31.1 vrf 4 nexthop-vrf default remark "VRF-4 default route via system"
ip route 10.4.168.0/22 nexthop tap4 nexthop-vrf 4 remark "return to VRF-4 VPN network"
ip route 192.168.8.0/22 nexthop 10.4.168.10 nexthop-vrf 4 remark "return to branch_LAN in VRF-4"
!
router bgp 65051 vrf 4
bgp timer 5 15
neighbor 0168_RansNet_SSL3OPENVPN_4 as-peer
neighbor 0168_RansNet_SSL3OPENVPN_4 as-remote 65051
neighbor 0168_RansNet_SSL3OPENVPN_4 next-hop-self
neighbor 0168_RansNet_SSL3OPENVPN_4 route-map HQ2Branch out
neighbor 0168_RansNet_SSL3OPENVPN_4 route-reflector-client
neighbor 0168_RansNet_SSL3OPENVPN_4 soft-reconfiguration
neighbor 0168_RansNet_SSL3OPENVPN_4 weight 0
neighbor range 10.4.168.0/22 as-peer 0168_RansNet_SSL3OPENVPN_4
network 0.0.0.0/0
!
ip prefix-list HQ2Branch permit 0.0.0.0/0
!
route-map HQ2Branch permit 10
match ip address prefix-list HQ2Branch
!
firewall-input 500 permit all tcp dport 179 src 10.0.0.0/8
!
firewall-access 500 permit outbound eth0 remark "Permit out to Internet"
firewall-access 501 permit inbound tap+ remark "Permit SD-WAN traffic"
!
firewall-snat 500 overload outbound eth0
!
security sslvpn-server 4 vrf 4
server address sdwan.ransnet.com 1604
server tap-mode
encryption AES-256-CBC
server client-to-client
tunnel-pool 10.4.168.0/22
client 00-60-e0-a3-59-f7
static 10.4.168.10
start
Verifications
Gateway# show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure
VRF 4:
S>* 0.0.0.0/0 [1/0] via 10.65.31.1, eth0 (vrf default), weight 1, 00:05:23
C>* 10.4.168.0/22 is directly connected, tap4, 00:26:33
B>* 192.168.8.0/22 [200/0] via 10.4.168.10, tap4, weight 1, 00:00:26
VRF default:
S>* 0.0.0.0/0 [1/0] via 10.65.31.1, eth0, weight 1, 04:01:58
C>* 2.1.2.1/32 is directly connected, lo, 04:02:04
K * 10.3.168.0/22 [0/0] via 10.3.168.2, tun3, 04:01:41
C>* 10.3.168.0/22 is directly connected, tun3, 04:01:41
S>* 10.4.168.0/22 [1/0] is directly connected, tap4 (vrf 4), weight 1, 00:11:45
C>* 10.65.31.0/24 is directly connected, eth0, 04:02:04
S>* 192.168.8.0/22 [1/0] via 10.4.168.10, tap4 (vrf 4), weight 1, 00:00:26
Gateway# ping 192.168.8.1 vrf 4
ping: Warning: source address might be selected on device other than: 4
PING 192.168.8.1 (192.168.8.1) from 10.4.168.1 4: 56(84) bytes of data.
64 bytes from 192.168.8.1: icmp_seq=1 ttl=64 time=3.36 ms
64 bytes from 192.168.8.1: icmp_seq=2 ttl=64 time=3.67 ms
64 bytes from 192.168.8.1: icmp_seq=3 ttl=64 time=3.40 ms
64 bytes from 192.168.8.1: icmp_seq=4 ttl=64 time=3.66 ms
64 bytes from 192.168.8.1: icmp_seq=5 ttl=64 time=3.78 ms
--- 192.168.8.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4008ms
rtt min/avg/max/mdev = 3.356/3.573/3.776/0.164 ms
Gateway#
Option 2: Use dynamic route import (MP-BGP)
Static route leaking becomes very hard to manage with hundreds or thousands of remote networks. The simpler approach is to use MP-BGP to dynamically import routes between VRFs: run a BGP instance in each VRF and import the routes from the target VRF.
Below is a complete config on the gateway/CMG router. In this sample case, we just want service VRF-4 to have Internet breakout through default VRF.
Configure static route leak in VRF-4 (via gateway in default VRF), for Internet access.
Configure BGP in default VRF to dynamically import routes from VRF-4, so that default VRF knows the return paths.
Optionally configure a route-map for the VRF route import, so that only authorized routes leak into the default VRF routing table (in the config below, 10.11.11.0/24 and 10.12.12.0/24 are not imported/leaked into the default VRF because of the route-map filter).
With dynamic route import, you don't need to set a static tunnel IP for each remote branch router.
Although this feature is simple to configure, a misconfiguration can have a significant impact, so it can only be configured through the CLI. In the sample CLI config below, routes are imported from VRF-4 into the default routing table (no VRF ID is configured for the BGP instance, which means the default routing table).
CLI Configuration Sample
Below are the relevant gateway CLI configs for reference only (other general configs are omitted).
!
hostname Gateway
!
interface eth0
description "Default connection to WAN"
enable
ip address 10.65.31.134/24
!
interface lo
enable
ip address 2.1.2.1/32
!
interface vlan 0 11 vrf 4
enable
ip address 10.11.11.1/24
!
interface vlan 0 12 vrf 4
enable
ip address 10.12.12.1/24
!
ip route 0.0.0.0/0 nexthop 10.65.31.1 remark "default route to Internet"
ip route 0.0.0.0/0 nexthop 10.65.31.1 vrf 4 nexthop-vrf default remark "default route to Internet for VRF-4"
!
router bgp 65051
import vrf 4
import vrf route-map VRF4_TO_DEFAULT
!
router bgp 65051 vrf 4
bgp timer 5 15
neighbor 0168_RansNet_SSL3OPENVPN_4 as-peer
neighbor 0168_RansNet_SSL3OPENVPN_4 as-remote 65051
neighbor 0168_RansNet_SSL3OPENVPN_4 next-hop-self
neighbor 0168_RansNet_SSL3OPENVPN_4 route-map HQ2Branch out
neighbor 0168_RansNet_SSL3OPENVPN_4 route-reflector-client
neighbor 0168_RansNet_SSL3OPENVPN_4 soft-reconfiguration
neighbor 0168_RansNet_SSL3OPENVPN_4 weight 0
neighbor range 10.4.168.0/22 as-peer 0168_RansNet_SSL3OPENVPN_4
network 0.0.0.0/0
network 10.11.11.1/24
network 10.12.12.1/24
!
ip prefix-list HQ2Branch permit 0.0.0.0/0
ip prefix-list VRF4_TO_DEFAULT permit 192.168.0.0/16 ge 16
!
route-map HQ2Branch permit 10
match ip address prefix-list HQ2Branch
!
route-map VRF4_TO_DEFAULT permit 10
match ip address prefix-list VRF4_TO_DEFAULT
!
firewall-input 100 permit all tcp dport 179,22 src 10.0.0.0/8
!
firewall-access 500 permit outbound eth0 remark "Permit out to Internet"
firewall-access 501 permit inbound tap+ remark "Permit SD-WAN traffic"
!
firewall-snat 500 overload outbound eth0 remark "PAT to Internet"
!
security sslvpn-server 4 vrf 4
server address sdwan.ransnet.com 1604
server tap-mode
encryption AES-256-CBC
server client-to-client
tunnel-pool 10.4.168.0/22
client 00-60-e0-a3-59-f7
client b0-bb-8b-00-e7-a8
start
Gateway#
Verifications
Gateway# show ip bgp summary
% No BGP neighbors found in VRF default
IPv4 Unicast Summary (VRF 4):
BGP router identifier 10.65.31.134, local AS number 65051 vrf-id 7
BGP table version 5
RIB entries 7, using 1344 bytes of memory
Peers 2, using 1448 KiB of memory
Peer groups 1, using 64 bytes of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd PfxSnt Desc
*10.4.168.9 4 65051 618 618 0 0 0 00:51:11 1 1 N/A
*10.4.168.10 4 65051 618 618 0 0 0 00:51:13 1 1 N/A
Total number of neighbors 2
* - dynamic neighbor
2 dynamic neighbor(s), limit 2000
Gateway# show ip route vrf all
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure
VRF 4:
S>* 0.0.0.0/0 [1/0] via 10.65.31.1, eth0 (vrf default), weight 1, 00:52:39
C>* 10.4.168.0/22 is directly connected, tap4, 00:52:14
C>* 10.11.11.0/24 is directly connected, vlan11, 00:52:40
C>* 10.12.12.0/24 is directly connected, vlan12, 00:52:40
B>* 192.168.8.0/22 [200/0] via 10.4.168.10, tap4, weight 1, 00:51:19
B>* 192.168.16.0/22 [200/0] via 10.4.168.9, tap4, weight 1, 00:51:17
VRF default:
S>* 0.0.0.0/0 [1/0] via 10.65.31.1, eth0, weight 1, 00:52:39
C>* 2.1.2.1/32 is directly connected, lo, 00:52:47
K * 10.3.168.0/22 [0/0] via 10.3.168.2, tun3, 00:52:22
C>* 10.3.168.0/22 is directly connected, tun3, 00:52:22
C>* 10.65.31.0/24 is directly connected, eth0, 00:52:47
B>* 192.168.8.0/22 [20/0] via 10.4.168.10, tap4 (vrf 4), weight 1, 00:06:20
B>* 192.168.16.0/22 [20/0] via 10.4.168.9, tap4 (vrf 4), weight 1, 00:06:20
Gateway#
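The two filters on this page (the HQ2Branch route-map that limits what the gateway advertises to branches, and the VRF4_TO_DEFAULT route-map that limits what MP-BGP leaks into the default VRF) can be checked offline before applying a config. The following Python is an added example, not RansNet or mfusion code; it assumes the usual prefix-list semantics (first matching entry wins, exact match unless ge/le is given, implicit deny) and reproduces the result shown in the verification output above.

```python
import ipaddress
import re
# Constructed excerpt of this page's gateway CLI: the prefix-lists/route-maps that filter
# what is advertised to branches (HQ2Branch) and what MP-BGP imports into the default VRF.
GATEWAY_CONFIG = """
ip prefix-list HQ2Branch permit 0.0.0.0/0
ip prefix-list VRF4_TO_DEFAULT permit 192.168.0.0/16 ge 16
route-map HQ2Branch permit 10
 match ip address prefix-list HQ2Branch
route-map VRF4_TO_DEFAULT permit 10
 match ip address prefix-list VRF4_TO_DEFAULT
"""
# Prefixes present in VRF-4 on the gateway (from the page's "show ip route vrf all").
VRF4_ROUTES = ["10.11.11.0/24", "10.12.12.0/24", "192.168.8.0/22", "192.168.16.0/22"]
PL_RE = re.compile(r"^ip prefix-list (\S+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$")

def parse_config(config):
    """Return ({prefix-list: [(network, ge, le, action)]}, {route-map: prefix-list})."""
    lists, maps, current = {}, {}, None
    for line in config.splitlines():
        line = line.strip()
        m = PL_RE.match(line)
        if m:
            name, action, prefix, ge, le = m.groups()
            entry = (ipaddress.ip_network(prefix), int(ge) if ge else None,
                     int(le) if le else None, action)
            lists.setdefault(name, []).append(entry)
        elif line.startswith("route-map "):
            current = line.split()[1]
        elif line.startswith("match ip address prefix-list ") and current:
            maps[current] = line.split()[-1]
    return lists, maps

def prefix_list_permits(entries, route):
    """First match wins. No ge/le: exact prefix match. With ge/le: the route must fall
    inside the entry's prefix with length in [ge, le] (le defaults to 32). Implicit deny."""
    net = ipaddress.ip_network(route)
    for base, ge, le, action in entries:
        if ge is None and le is None:
            matched = net == base
        else:
            lo = ge if ge is not None else base.prefixlen
            hi = le if le is not None else 32
            matched = net.subnet_of(base) and lo <= net.prefixlen <= hi
        if matched:
            return action == "permit"
    return False

def routes_passing(config, route_map, routes):
    """Prefixes that the named (permit-only) route-map lets through, in input order."""
    lists, maps = parse_config(config)
    entries = lists[maps[route_map]]
    return [r for r in routes if prefix_list_permits(entries, r)]
```

Running `routes_passing(GATEWAY_CONFIG, "VRF4_TO_DEFAULT", VRF4_ROUTES)` returns only the two branch LANs, matching the default-VRF routing table above, while `routes_passing(GATEWAY_CONFIG, "HQ2Branch", ["0.0.0.0/0"] + VRF4_ROUTES)` returns only the default route.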