NOTE on the gateway config:
Add a route-map (and prefix-list) to the VPN instance so that only 0.0.0.0/0 is advertised to the branch routers; the branches then do not receive other branches' routes that they do not need.
If the SD-WAN VRF needs to communicate with other networks directly, assign the connected interface to the same VRF. For example, if another firewall filters the traffic, assign the interface connected to the firewall to the same VRF and add a default route towards the firewall within the SD-WAN VRF.
Route leaking is only necessary if SD-WAN VRF traffic should break out from the local CMG/HSG gateway itself (via the gateway's default routing table).
Relevant Configuration Steps:
Step 1: Assign LAN interface to the service VRF
Step 2: Configure default route for the service VRF
Step 3: Configure prefix-list and route-map
Step 4: Enable VRF for BGP Instance and apply route-map
Step 5: Assign branch device to the VPN instance
Apply Config
NOTE: most of the SD-WAN (BGP and VPN) configuration is auto-generated by the mfusion orchestrator. Do not configure SD-WAN features from the CLI.
The relevant gateway CLI configuration is shown below for reference only (other general configuration is omitted).
!
interface eth1
description "Interface connection to firewall"
ip vrf 4
ip address 10.10.10.2/30
!
ip route 0.0.0.0/0 nexthop 10.65.31.1 remark "system default route to Internet"
ip route 0.0.0.0/0 nexthop 10.10.10.1 vrf 4 remark "VRF-4 default route to firewall"
!
router bgp 65051 vrf 4
bgp timer 5 15
neighbor 0168_RansNet_SSL3OPENVPN_4 as-peer
neighbor 0168_RansNet_SSL3OPENVPN_4 as-remote 65051
neighbor 0168_RansNet_SSL3OPENVPN_4 next-hop-self
neighbor 0168_RansNet_SSL3OPENVPN_4 route-map HQ2Branch out
neighbor 0168_RansNet_SSL3OPENVPN_4 route-reflector-client
neighbor 0168_RansNet_SSL3OPENVPN_4 soft-reconfiguration
neighbor 0168_RansNet_SSL3OPENVPN_4 weight 0
neighbor range 10.4.168.0/22 as-peer 0168_RansNet_SSL3OPENVPN_4
network 0.0.0.0/0
!
ip prefix-list HQ2Branch permit 0.0.0.0/0
!
route-map HQ2Branch permit 10
match ip address prefix-list HQ2Branch
!
firewall-input 500 permit all tcp dport 179 src 10.0.0.0/8
!
firewall-access 500 permit outbound eth0 remark "Permit out to Internet"
firewall-access 501 permit outbound tap+ remark "Permit SD-WAN traffic"
firewall-access 502 permit inbound tap+ remark "Permit SD-WAN traffic"
!
firewall-snat 500 overload outbound eth0
!
security sslvpn-server 4
server address sdwan.ransnet.com 1604
server tap-mode
encryption AES-256-CBC
server client-to-client
tunnel-pool 10.4.168.0/22
tap vrf 4
client 00-60-e0-a3-59-f7
start
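The following Python model is an added example, not the gateway's or the orchestrator's code. It evaluates the HQ2Branch prefix-list and route-map above against a constructed VRF-4 BGP table (the default originated by "network 0.0.0.0/0" plus the branch LAN 192.168.8.0/22 seen in the verification output) and shows which prefixes reach a branch. It assumes standard prefix-list semantics (an entry without ge/le matches only that exact prefix; first match wins; implicit deny at the end) and a route-map with an implicit deny after the last clause. It also demonstrates why the exact-match form matters: the same entry written as "0.0.0.0/0 le 32" would match every prefix and reflect all branch LANs to all branches.

```python
"""Model of the HQ2Branch outbound policy: which VRF-4 BGP routes reach a branch."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for the gateway's VRF-4 BGP table, based on the
# verification output in the note: the default originated by
# "network 0.0.0.0/0" plus one branch LAN learned from the dynamic neighbor.
BGP_TABLE_VRF4: Dict[str, str] = {
    "0.0.0.0/0": "originated by 'network 0.0.0.0/0'",
    "192.168.8.0/22": "learned from 10.4.168.2 (another branch's LAN)",
}


@dataclass(frozen=True)
class PrefixListEntry:
    """One 'ip prefix-list NAME permit|deny PREFIX [ge N] [le M]' line."""
    action: str
    prefix: str
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: str) -> bool:
        entry = ipaddress.IPv4Network(self.prefix)
        candidate = ipaddress.IPv4Network(route)
        if self.ge is None and self.le is None:
            # Without ge/le the entry matches only this exact prefix.
            return candidate == entry
        # With ge/le the candidate must lie inside the entry's prefix and
        # its length must fall within [ge, le] (defaults: entry length .. 32).
        low = self.ge if self.ge is not None else entry.prefixlen
        high = self.le if self.le is not None else 32
        return candidate.subnet_of(entry) and low <= candidate.prefixlen <= high


def prefix_list_permits(entries: List[PrefixListEntry], route: str) -> bool:
    """First matching entry decides; a route matching nothing is denied."""
    for entry in entries:
        if entry.matches(route):
            return entry.action == "permit"
    return False


@dataclass(frozen=True)
class RouteMapEntry:
    """One 'route-map NAME permit|deny SEQ' clause with an optional prefix-list match."""
    seq: int
    action: str
    prefix_list: Optional[str] = None  # None means "match everything"


def route_map_permits(route_map: List[RouteMapEntry],
                      prefix_lists: Dict[str, List[PrefixListEntry]],
                      route: str) -> bool:
    """Evaluate clauses in sequence order; no matching clause is an implicit deny."""
    for clause in sorted(route_map, key=lambda c: c.seq):
        if clause.prefix_list is None or prefix_list_permits(prefix_lists[clause.prefix_list], route):
            return clause.action == "permit"
    return False


def advertised_to_branch(bgp_table: Dict[str, str],
                         route_map: List[RouteMapEntry],
                         prefix_lists: Dict[str, List[PrefixListEntry]]) -> List[str]:
    """Prefixes that survive the outbound route-map towards a branch neighbor."""
    return [p for p in bgp_table if route_map_permits(route_map, prefix_lists, p)]


# The policy exactly as it appears in the note.
PREFIX_LISTS = {"HQ2Branch": [PrefixListEntry("permit", "0.0.0.0/0")]}
ROUTE_MAP_HQ2BRANCH = [RouteMapEntry(10, "permit", "HQ2Branch")]

# A common mis-write (constructed for contrast): appending "le 32" turns the
# exact-match default entry into a match-anything entry, so every branch LAN
# is reflected to every branch.
PREFIX_LISTS_TOO_BROAD = {"HQ2Branch": [PrefixListEntry("permit", "0.0.0.0/0", le=32)]}

if __name__ == "__main__":
    for label, lists in (("as configured", PREFIX_LISTS), ("with 'le 32'", PREFIX_LISTS_TOO_BROAD)):
        print(f"{label:14}: {advertised_to_branch(BGP_TABLE_VRF4, ROUTE_MAP_HQ2BRANCH, lists)}")
```

Run as a script it prints the permitted prefix set for both policies: only 0.0.0.0/0 with the prefix-list as written, and both 0.0.0.0/0 and 192.168.8.0/22 with the over-broad variant. Because the gateway is a route reflector for the branch neighbors, anything the outbound route-map permits is what every branch learns about every other branch, so the exact-match entry is what keeps branch LANs out of each other's tables.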
Verifications
Gateway# show ip bgp summary
IPv4 Unicast Summary (VRF 4):
BGP router identifier 10.65.31.134, local AS number 65051 vrf-id 8
BGP table version 2
RIB entries 2, using 384 bytes of memory
Peers 1, using 724 KiB of memory
Peer groups 1, using 64 bytes of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd PfxSnt Desc
*10.4.168.2 4 65051 105 106 0 0 0 00:08:26 1 2 N/A
Total number of neighbors 1
* - dynamic neighbor
1 dynamic neighbor(s), limit 2000
Gateway#
Gateway# show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure
VRF 4:
S>* 0.0.0.0/0 [1/0] via 10.10.10.1, eth1, weight 1, 00:09:39
C>* 10.4.168.0/22 is directly connected, tap4, 00:09:39
C>* 10.10.10.0/30 is directly connected, eth1, 00:09:39
B>* 192.168.8.0/22 [200/0] via 10.4.168.2, tap4, weight 1, 00:01:25
VRF default:
S>* 0.0.0.0/0 [1/0] via 10.65.31.1, eth0, weight 1, 00:10:04
C>* 2.1.2.1/32 is directly connected, lo, 00:10:10
C>* 10.65.31.0/24 is directly connected, eth0, 00:10:10
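As an added example (not part of the note and not a vendor tool), the script below parses the "show ip route" output above and checks the separation the note describes: VRF 4's selected default route points at the firewall (10.10.10.1 via eth1, from the "ip route ... vrf 4" line), the global table's default points at the Internet (10.65.31.1 via eth0), no BGP-learned branch prefix has appeared in the global table, and nothing in VRF 4 exits through eth0 directly. The route-line format is assumed from the output shown; the second, "leaked" sample is constructed to show a finding being raised.

```python
"""Parse 'show ip route' and check the VRF-4 / global-table separation."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Copy of the verification output in the note (prompt and code legend dropped).
SHOW_IP_ROUTE = """\
VRF 4:
S>* 0.0.0.0/0 [1/0] via 10.10.10.1, eth1, weight 1, 00:09:39
C>* 10.4.168.0/22 is directly connected, tap4, 00:09:39
C>* 10.10.10.0/30 is directly connected, eth1, 00:09:39
B>* 192.168.8.0/22 [200/0] via 10.4.168.2, tap4, weight 1, 00:01:25
VRF default:
S>* 0.0.0.0/0 [1/0] via 10.65.31.1, eth0, weight 1, 00:10:04
C>* 2.1.2.1/32 is directly connected, lo, 00:10:10
C>* 10.65.31.0/24 is directly connected, eth0, 00:10:10
"""

# Constructed variant: a branch prefix has been leaked into the global table.
SHOW_IP_ROUTE_LEAKED = SHOW_IP_ROUTE + (
    "B>* 192.168.8.0/22 [200/0] via 10.4.168.2, tap4, weight 1, 00:01:25\n"
)

VRF_RE = re.compile(r"^VRF (?P<vrf>\S+):$")
ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Za-z])(?P<flags>[>*]*)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>[^,\s]+),\s+(?P<iface>[^,\s]+)"
    r"|is directly connected,\s+(?P<ciface>[^,\s]+))"
)


@dataclass(frozen=True)
class Route:
    proto: str      # S static, C connected, B BGP, ...
    prefix: str
    nexthop: str    # "" for connected routes
    iface: str
    selected: bool  # '>' flag
    in_fib: bool    # '*' flag


def parse_show_ip_route(text: str) -> Dict[str, List[Route]]:
    """Group route lines by the 'VRF X:' header that precedes them."""
    tables: Dict[str, List[Route]] = {}
    current = None
    for line in text.splitlines():
        header = VRF_RE.match(line)
        if header:
            current = header["vrf"]
            tables.setdefault(current, [])
            continue
        m = ROUTE_RE.match(line)
        if m and current is not None:
            tables[current].append(Route(
                proto=m["proto"], prefix=m["prefix"],
                nexthop=m["nexthop"] or "",
                iface=m["iface"] or m["ciface"],
                selected=">" in m["flags"], in_fib="*" in m["flags"],
            ))
    return tables


def audit_vrf_separation(tables: Dict[str, List[Route]], service_vrf: str = "4",
                         service_default=("10.10.10.1", "eth1"),
                         global_default=("10.65.31.1", "eth0"),
                         internet_iface: str = "eth0") -> List[str]:
    """Return a list of findings; an empty list means the tables look as the note expects."""
    findings: List[str] = []
    svc = tables.get(service_vrf, [])
    glob = tables.get("default", [])

    def selected_default(routes: List[Route]) -> List[Route]:
        return [r for r in routes if r.prefix == "0.0.0.0/0" and r.selected]

    d = selected_default(svc)
    if not d or (d[0].nexthop, d[0].iface) != service_default:
        findings.append(f"VRF {service_vrf}: selected default route is not via {service_default}")
    g = selected_default(glob)
    if not g or (g[0].nexthop, g[0].iface) != global_default:
        findings.append(f"VRF default: selected default route is not via {global_default}")
    # BGP-learned branch prefixes in the global table mean routes are being leaked.
    for r in glob:
        if r.proto == "B":
            findings.append(f"VRF default: BGP route {r.prefix} via {r.nexthop} leaked from the service VRF")
    # Service-VRF traffic must not exit straight through the Internet interface.
    for r in svc:
        if r.iface == internet_iface:
            findings.append(f"VRF {service_vrf}: {r.prefix} uses {internet_iface} instead of the firewall path")
    return findings


if __name__ == "__main__":
    for name, text in (("as in the note", SHOW_IP_ROUTE), ("leaked variant", SHOW_IP_ROUTE_LEAKED)):
        print(name, "->", audit_vrf_separation(parse_show_ip_route(text)) or "OK")
```

The expected next-hops are parameters so the same check can be pointed at another gateway; feeding it the live output of "show ip route" after each orchestrator push is a cheap way to notice an unintended route leak or a VRF-4 default that has drifted away from the firewall.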