If you want service-VRF traffic to break out at the gateway (for example, using the CMG default route to the Internet), routes must be "leaked" between the service VRF and the default VRF on the gateway router, so that the gateway can route traffic between the two VRFs. Leaking deliberately punches a hole in the VRF isolation, so leak only what the breakout needs: the default route into the service VRF, and the branch return prefixes into the default VRF.
NOTE:
Only configure this on the gateway router. Nothing needs to change on the branch routers.
Configure the firewall and SNAT to permit the inbound/outbound traffic (scope the firewall-input rule for BGP, TCP port 179, as tightly as possible, e.g. to the tunnel pool rather than all of 10.0.0.0/8).
You can use the same method to leak out directly from a branch router, but only in rare cases: if you generally allow local breakout on branch routers, you do not need "VRF over SD-WAN" at all; the traditional method is enough (advertise the HQ/DC routes and route everything else through the local default route).
There are two options to configure route leaking:
Static routes for each remote network, for smaller SD-WAN deployments
Dynamic import (MP-BGP), for large SD-WAN deployments
Option 1: static route leaking
Static route leaking requires a static nexthop for each remote network.
The nexthop is the remote branch router's tunnel IP, so each branch router must be given a static tunnel IP (the client/static binding under the SSL VPN server in the config below).
NOTE: most of the SD-WAN (BGP and VPN) configuration is auto-generated by the mfusion orchestrator. Do not try to configure SD-WAN features from the CLI.
Below are the relevant gateway CLI configs, for reference only (other general configs are omitted).
!
hostname Gateway
!
interface eth0
description "Default connection to WAN"
enable
ip address 10.65.31.134/24
!
interface lo
enable
ip address 2.1.2.1/32
!
interface tap4
enable
ip vrf 4
!
ip host portal.ransnet.com 10.65.30.18
!
ip route 0.0.0.0/0 nexthop 10.65.31.1 remark "system default route"
ip route 0.0.0.0/0 nexthop 10.65.31.1 vrf 4 nexthop-vrf default remark "VRF-4 default route via system"
ip route 10.4.168.0/22 nexthop tap4 nexthop-vrf 4 remark "return to VRF-4 VPN network"
ip route 192.168.8.0/22 nexthop 10.4.168.10 nexthop-vrf 4 remark "return to branch_LAN in VRF-4"
!
router bgp 65051 vrf 4
bgp timer 5 15
neighbor 0168_RansNet_SSL3OPENVPN_4 as-peer
neighbor 0168_RansNet_SSL3OPENVPN_4 as-remote 65051
neighbor 0168_RansNet_SSL3OPENVPN_4 next-hop-self
neighbor 0168_RansNet_SSL3OPENVPN_4 route-map HQ2Branch out
neighbor 0168_RansNet_SSL3OPENVPN_4 route-reflector-client
neighbor 0168_RansNet_SSL3OPENVPN_4 soft-reconfiguration
neighbor 0168_RansNet_SSL3OPENVPN_4 weight 0
neighbor range 10.4.168.0/22 as-peer 0168_RansNet_SSL3OPENVPN_4
network 0.0.0.0/0
!
ip prefix-list HQ2Branch permit 0.0.0.0/0
!
route-map HQ2Branch permit 10
match ip address prefix-list HQ2Branch
!
firewall-input 500 permit all tcp dport 179 src 10.0.0.0/8
!
firewall-access 500 permit outbound eth0 remark "Permit out to Internet"
firewall-access 501 permit inbound tap+ remark "Permit SD-WAN traffic"
!
firewall-snat 500 overload outbound eth0
!
security sslvpn-server 4
server address sdwan.ransnet.com 1604
server tap-mode
encryption AES-256-CBC
server client-to-client
tunnel-pool 10.4.168.0/22
tap vrf 4
client 00-60-e0-a3-59-f7
static 10.4.168.10
start
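As an added example (not part of the mfusion/CMG documentation, and not orchestrator code), the following Python script generates the per-branch pieces that Option 1 needs, the client/static bindings under security sslvpn-server 4 and the ip route ... nexthop-vrf 4 return routes in the default VRF, from a small branch inventory. The inventory, the branch names and the helper names (Branch, validate, render) are assumptions made for illustration; the MAC addresses and the 10.4.168.10 binding are taken from the reference config above, the 10.4.168.9 binding is assumed. Before rendering, it rejects a tunnel IP outside the 10.4.168.0/22 pool, duplicate tunnel IPs, and any branch LAN that overlaps a prefix already present in the default VRF or another branch, since a leaked static route for such a prefix would capture the gateway's own WAN or tunnel traffic.

```python
#!/usr/bin/env python3
"""Generate Option 1 (static route leak) lines for a list of branches.

Added example; not part of the mfusion/CMG documentation and not the
orchestrator's code. The branch inventory at the bottom is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

SERVICE_VRF = 4
TUNNEL_POOL = ipaddress.ip_network("10.4.168.0/22")  # tunnel-pool of sslvpn-server 4

# Prefixes already routed in the default VRF on the gateway (from the
# reference config). A branch LAN must not overlap any of them: the leaked
# static route would otherwise capture the gateway's own WAN/tunnel traffic.
DEFAULT_VRF_PREFIXES = [
    ipaddress.ip_network("10.65.31.0/24"),  # eth0, WAN
    ipaddress.ip_network("10.3.168.0/22"),  # tun3
    ipaddress.ip_network("2.1.2.1/32"),     # lo
    TUNNEL_POOL,                            # leaked into default VRF via tap4
]


@dataclass(frozen=True)
class Branch:
    name: str       # hypothetical label, used only in the remark
    mac: str        # SSL VPN client MAC, as under "client" in sslvpn-server
    tunnel_ip: str  # static tunnel IP bound to that client
    lan: str        # branch LAN prefix reachable behind tunnel_ip


def validate(branches: List[Branch]) -> List[str]:
    """Return a list of problems; an empty list means the inventory is safe to render."""
    problems = []
    seen_ips = set()
    seen_lans = []
    for b in branches:
        ip = ipaddress.ip_address(b.tunnel_ip)
        try:
            lan = ipaddress.ip_network(b.lan)  # strict: host bits must be zero
        except ValueError as exc:
            problems.append(f"{b.name}: bad LAN prefix {b.lan} ({exc})")
            continue
        if ip not in TUNNEL_POOL:
            problems.append(f"{b.name}: tunnel IP {ip} outside pool {TUNNEL_POOL}")
        if ip in seen_ips:
            problems.append(f"{b.name}: duplicate tunnel IP {ip}")
        seen_ips.add(ip)
        for p in DEFAULT_VRF_PREFIXES:
            if lan.overlaps(p):
                problems.append(f"{b.name}: LAN {lan} overlaps default-VRF prefix {p}")
        for other_name, other in seen_lans:
            if lan.overlaps(other):
                problems.append(f"{b.name}: LAN {lan} overlaps {other_name} LAN {other}")
        seen_lans.append((b.name, lan))
    return problems


def render(branches: List[Branch]) -> str:
    """Emit the client bindings and the default-VRF return routes as CLI text."""
    lines = [f"security sslvpn-server {SERVICE_VRF}"]
    for b in branches:
        lines.append(f"client {b.mac}")
        lines.append(f"static {b.tunnel_ip}")
    lines.append("!")
    for b in branches:
        lines.append(
            f"ip route {b.lan} nexthop {b.tunnel_ip} nexthop-vrf {SERVICE_VRF} "
            f'remark "return to {b.name} LAN in VRF-{SERVICE_VRF}"'
        )
    return "\n".join(lines)


# Constructed inventory: MACs from the reference config, LANs from the
# verification output; the names and the 10.4.168.9 binding are assumptions.
BRANCHES = [
    Branch("branch_A", "00-60-e0-a3-59-f7", "10.4.168.10", "192.168.8.0/22"),
    Branch("branch_B", "b0-bb-8b-00-e7-a8", "10.4.168.9", "192.168.16.0/22"),
]
# A deliberately bad entry: tunnel IP outside the pool, LAN equal to the WAN subnet.
BAD_BRANCH = Branch("branch_C", "00-11-22-33-44-55", "10.5.1.1", "10.65.31.0/24")

if __name__ == "__main__":
    for problem in validate(BRANCHES + [BAD_BRANCH]):
        print("REJECT:", problem)
    if not validate(BRANCHES):
        print(render(BRANCHES))
```

Run it as-is to see the rejected entry and the rendered lines for the two good branches. The overlap check is the part worth keeping even if you hand-write the routes: the default VRF has no route-map in Option 1, so whatever prefix you type into ip route ... nexthop-vrf 4 takes effect immediately.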
Verification
Gateway# show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure
VRF 4:
S>* 0.0.0.0/0 [1/0] via 10.65.31.1, eth0 (vrf default), weight 1, 00:05:23
C>* 10.4.168.0/22 is directly connected, tap4, 00:26:33
B>* 192.168.8.0/22 [200/0] via 10.4.168.10, tap4, weight 1, 00:00:26
VRF default:
S>* 0.0.0.0/0 [1/0] via 10.65.31.1, eth0, weight 1, 04:01:58
C>* 2.1.2.1/32 is directly connected, lo, 04:02:04
K * 10.3.168.0/22 [0/0] via 10.3.168.2, tun3, 04:01:41
C>* 10.3.168.0/22 is directly connected, tun3, 04:01:41
S>* 10.4.168.0/22 [1/0] is directly connected, tap4 (vrf 4), weight 1, 00:11:45
C>* 10.65.31.0/24 is directly connected, eth0, 04:02:04
S>* 192.168.8.0/22 [1/0] via 10.4.168.10, tap4 (vrf 4), weight 1, 00:00:26
Gateway# ping 192.168.8.1 vrf 4
ping: Warning: source address might be selected on device other than: 4
PING 192.168.8.1 (192.168.8.1) from 10.4.168.1 4: 56(84) bytes of data.
64 bytes from 192.168.8.1: icmp_seq=1 ttl=64 time=3.36 ms
64 bytes from 192.168.8.1: icmp_seq=2 ttl=64 time=3.67 ms
64 bytes from 192.168.8.1: icmp_seq=3 ttl=64 time=3.40 ms
64 bytes from 192.168.8.1: icmp_seq=4 ttl=64 time=3.66 ms
64 bytes from 192.168.8.1: icmp_seq=5 ttl=64 time=3.78 ms
--- 192.168.8.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4008ms
rtt min/avg/max/mdev = 3.356/3.573/3.776/0.164 ms
Gateway#
Option 2: Use dynamic route import (MP-BGP)
Static route leaking becomes very hard to manage when you have hundreds or thousands of remote networks. The simpler approach is to use MP-BGP to import routes between VRFs dynamically: run a BGP instance in each VRF and import the routes from the target VRF.
Below is a complete config on the gateway/CMG router. In this sample case, we only want service VRF-4 to have Internet breakout through the default VRF.
Configure a static route leak in VRF-4 (via the gateway in the default VRF) for Internet access.
Configure BGP in the default VRF to dynamically import routes from VRF-4, so that the default VRF knows the return paths.
Optionally configure a route-map for the VRF route import, so that only authorized routes leak into the default VRF routing table. Without the route-map, every route in the VRF-4 BGP table is imported. In the config below, 10.11.11.0/24 and 10.12.12.0/24 are not imported/leaked into the default VRF because the route-map filter only permits prefixes within 192.168.0.0/16.
With dynamic route import, you do not need to set a static tunnel IP for each remote branch router.
Although this feature is simple to configure, the impact of a wrong configuration can be significant (routes from the service VRF land in the default routing table), so this config is only allowed through the CLI. In the sample CLI below, we import routes from VRF-4 into the default routing table (no VRF ID is given on the BGP instance, so it refers to the default routing table).
router bgp 65051
import vrf 4
import vrf route-map VRF4_TO_DEFAULT
!
NOTE: most of the SD-WAN (BGP and VPN) configuration is auto-generated by the mfusion orchestrator. Do not try to configure SD-WAN features from the CLI.
Below are the relevant gateway CLI configs, for reference only (other general configs are omitted).
!
hostname Gateway
!
interface eth0
description "Default connection to WAN"
enable
ip address 10.65.31.134/24
!
interface lo
enable
ip address 2.1.2.1/32
!
interface vlan 0 11
enable
ip vrf 4
ip address 10.11.11.1/24
!
interface vlan 0 12
enable
ip vrf 4
ip address 10.12.12.1/24
!
ip route 0.0.0.0/0 nexthop 10.65.31.1 remark "default route to Internet"
ip route 0.0.0.0/0 nexthop 10.65.31.1 vrf 4 nexthop-vrf default remark "default route to Internet for VRF-4"
!
router bgp 65051
import vrf 4
import vrf route-map VRF4_TO_DEFAULT
!
router bgp 65051 vrf 4
bgp timer 5 15
neighbor 0168_RansNet_SSL3OPENVPN_4 as-peer
neighbor 0168_RansNet_SSL3OPENVPN_4 as-remote 65051
neighbor 0168_RansNet_SSL3OPENVPN_4 next-hop-self
neighbor 0168_RansNet_SSL3OPENVPN_4 route-map HQ2Branch out
neighbor 0168_RansNet_SSL3OPENVPN_4 route-reflector-client
neighbor 0168_RansNet_SSL3OPENVPN_4 soft-reconfiguration
neighbor 0168_RansNet_SSL3OPENVPN_4 weight 0
neighbor range 10.4.168.0/22 as-peer 0168_RansNet_SSL3OPENVPN_4
network 0.0.0.0/0
network 10.11.11.0/24
network 10.12.12.0/24
!
ip prefix-list HQ2Branch permit 0.0.0.0/0
ip prefix-list VRF4_TO_DEFAULT permit 192.168.0.0/16 ge 16
!
route-map HQ2Branch permit 10
match ip address prefix-list HQ2Branch
!
route-map VRF4_TO_DEFAULT permit 10
match ip address prefix-list VRF4_TO_DEFAULT
!
firewall-input 100 permit all tcp dport 179,22 src 10.0.0.0/8
!
firewall-access 500 permit outbound eth0 remark "Permit out to Internet"
firewall-access 501 permit inbound tap+ remark "Permit SD-WAN traffic"
!
firewall-snat 500 overload outbound eth0 remark "PAT to Internet"
!
security sslvpn-server 4
server address sdwan.ransnet.com 1604
server tap-mode
encryption AES-256-CBC
server client-to-client
tunnel-pool 10.4.168.0/22
tap vrf 4
client 00-60-e0-a3-59-f7
client b0-bb-8b-00-e7-a8
start
Gateway#
Verification
Gateway# show ip bgp summary
% No BGP neighbors found in VRF default
IPv4 Unicast Summary (VRF 4):
BGP router identifier 10.65.31.134, local AS number 65051 vrf-id 7
BGP table version 5
RIB entries 7, using 1344 bytes of memory
Peers 2, using 1448 KiB of memory
Peer groups 1, using 64 bytes of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd PfxSnt Desc
*10.4.168.9 4 65051 618 618 0 0 0 00:51:11 1 1 N/A
*10.4.168.10 4 65051 618 618 0 0 0 00:51:13 1 1 N/A
Total number of neighbors 2
* - dynamic neighbor
2 dynamic neighbor(s), limit 2000
Gateway# show ip route vrf all
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure
VRF 4:
S>* 0.0.0.0/0 [1/0] via 10.65.31.1, eth0 (vrf default), weight 1, 00:52:39
C>* 10.4.168.0/22 is directly connected, tap4, 00:52:14
C>* 10.11.11.0/24 is directly connected, vlan11, 00:52:40
C>* 10.12.12.0/24 is directly connected, vlan12, 00:52:40
B>* 192.168.8.0/22 [200/0] via 10.4.168.10, tap4, weight 1, 00:51:19
B>* 192.168.16.0/22 [200/0] via 10.4.168.9, tap4, weight 1, 00:51:17
VRF default:
S>* 0.0.0.0/0 [1/0] via 10.65.31.1, eth0, weight 1, 00:52:39
C>* 2.1.2.1/32 is directly connected, lo, 00:52:47
K * 10.3.168.0/22 [0/0] via 10.3.168.2, tun3, 00:52:22
C>* 10.3.168.0/22 is directly connected, tun3, 00:52:22
C>* 10.65.31.0/24 is directly connected, eth0, 00:52:47
B>* 192.168.8.0/22 [20/0] via 10.4.168.10, tap4 (vrf 4), weight 1, 00:06:20
B>* 192.168.16.0/22 [20/0] via 10.4.168.9, tap4 (vrf 4), weight 1, 00:06:20
Gateway#
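As an added example (not part of the mfusion/CMG documentation), the following Python script re-implements the matching rule of the VRF4_TO_DEFAULT prefix-list (permit 192.168.0.0/16 ge 16, i.e. 192.168.0.0/16 and every longer prefix inside it, with the implicit deny at the end of the list) and audits a show ip route vrf all output: every route in VRF default whose nexthop resolves in another VRF is a leaked route, and any such route the prefix-list would not permit is flagged. The route-table text is a constructed sample abbreviated from the verification output above, with one extra line added to show what an unfiltered import of 10.11.11.0/24 would look like; the exact rendering of that line is an assumption, as are the helper names (Route, PrefixListEntry, parse_show_ip_route, audit).

```python
#!/usr/bin/env python3
"""Audit cross-VRF route leaks against a prefix-list, from 'show ip route vrf all'.

Added example; not part of the mfusion/CMG documentation. The sample table
below is constructed from the verification output on this page.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample. The 10.11.11.0/24 line in VRF default is not on the
# page: it shows what an import without the route-map filter would produce.
SHOW_IP_ROUTE = """\
Codes: K - kernel route, C - connected, S - static, R - RIP,
VRF 4:
S>* 0.0.0.0/0 [1/0] via 10.65.31.1, eth0 (vrf default), weight 1, 00:52:39
C>* 10.4.168.0/22 is directly connected, tap4, 00:52:14
C>* 10.11.11.0/24 is directly connected, vlan11, 00:52:40
B>* 192.168.8.0/22 [200/0] via 10.4.168.10, tap4, weight 1, 00:51:19
B>* 192.168.16.0/22 [200/0] via 10.4.168.9, tap4, weight 1, 00:51:17
VRF default:
S>* 0.0.0.0/0 [1/0] via 10.65.31.1, eth0, weight 1, 00:52:39
K * 10.3.168.0/22 [0/0] via 10.3.168.2, tun3, 00:52:22
C>* 10.65.31.0/24 is directly connected, eth0, 00:52:47
B>* 192.168.8.0/22 [20/0] via 10.4.168.10, tap4 (vrf 4), weight 1, 00:06:20
B>* 192.168.16.0/22 [20/0] via 10.4.168.9, tap4 (vrf 4), weight 1, 00:06:20
B>* 10.11.11.0/24 [20/0] is directly connected, vlan11 (vrf 4), weight 1, 00:06:20
"""

VRF_RE = re.compile(r"^VRF (\S+):$")
# Route code (S>*, C>*, B>*, K *), the prefix, then everything after it.
ROUTE_RE = re.compile(r"^([A-Z])[> ]\*?\s*(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})(.*)$")
NH_VRF_RE = re.compile(r"\(vrf (\S+)\)")  # "(vrf X)" marks a nexthop in another VRF


@dataclass(frozen=True)
class Route:
    proto: str                  # FRR route code: S static, C connected, B BGP, K kernel
    prefix: ipaddress.IPv4Network
    nexthop_vrf: Optional[str]  # VRF the nexthop resolves in, when not the table's own


def parse_show_ip_route(text: str) -> Dict[str, List[Route]]:
    """Group the routes of 'show ip route vrf all' by the VRF they are installed in."""
    table: Dict[str, List[Route]] = {}
    vrf = None
    for line in text.splitlines():
        m = VRF_RE.match(line)
        if m:
            vrf = m.group(1)
            table.setdefault(vrf, [])
            continue
        m = ROUTE_RE.match(line)
        if not m or vrf is None:
            continue  # legend, blank lines, prompt
        proto, prefix, rest = m.groups()
        nh = NH_VRF_RE.search(rest)
        table[vrf].append(Route(proto, ipaddress.ip_network(prefix), nh.group(1) if nh else None))
    return table


@dataclass(frozen=True)
class PrefixListEntry:
    """One 'ip prefix-list NAME permit|deny A.B.C.D/M [ge G] [le L]' entry."""
    action: str
    network: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, prefix: ipaddress.IPv4Network) -> bool:
        if not prefix.subnet_of(self.network):  # must lie inside A.B.C.D/M ...
            return False
        # ... with a length in the ge/le window; no ge/le means exact length,
        # 'ge' alone extends the window up to /32.
        lo = self.ge if self.ge is not None else self.network.prefixlen
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = self.network.max_prefixlen
        else:
            hi = self.network.prefixlen
        return lo <= prefix.prefixlen <= hi


def prefix_list_permits(entries: List[PrefixListEntry], prefix) -> bool:
    """First matching entry wins; an unmatched prefix hits the implicit deny."""
    if isinstance(prefix, str):
        prefix = ipaddress.ip_network(prefix)
    for e in entries:
        if e.matches(prefix):
            return e.action == "permit"
    return False


def leaked_routes(table: Dict[str, List[Route]], into_vrf: str) -> List[Route]:
    """Routes installed in into_vrf whose nexthop resolves in a different VRF."""
    return [r for r in table.get(into_vrf, []) if r.nexthop_vrf and r.nexthop_vrf != into_vrf]


def audit(table, entries, into_vrf="default"):
    """Split the leaked routes in into_vrf into (permitted, unauthorized) per the prefix-list."""
    ok, bad = [], []
    for r in leaked_routes(table, into_vrf):
        (ok if prefix_list_permits(entries, r.prefix) else bad).append(r)
    return ok, bad


# The page's filter: ip prefix-list VRF4_TO_DEFAULT permit 192.168.0.0/16 ge 16
VRF4_TO_DEFAULT = [PrefixListEntry("permit", ipaddress.ip_network("192.168.0.0/16"), ge=16)]

if __name__ == "__main__":
    ok, bad = audit(parse_show_ip_route(SHOW_IP_ROUTE), VRF4_TO_DEFAULT)
    for r in ok:
        print(f"permitted leak into default: {r.prefix} ({r.proto}, from vrf {r.nexthop_vrf})")
    for r in bad:
        print(f"UNAUTHORIZED leak into default: {r.prefix} ({r.proto}, from vrf {r.nexthop_vrf})")
```

The audit treats any route with a cross-VRF nexthop as a leak regardless of protocol, so it also catches the S>* entries that Option 1 installs and any stale static leak left behind after moving to Option 2. It only sees what is in the FIB, so run it after the import is applied and as a periodic check rather than as a substitute for the route-map itself.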