This document provides instructions for configuring internet access to branch sites via the data center (DC) and via local internet exits. The key steps are:
1. Create a VPN template with a default route to Null0 and apply it only to DC devices to advertise the default route.
2. Enable NAT on the internet interface VPN template and apply it to all devices.
3. Create a policy to accept traffic to/from the branch subnet and NAT it out the internet interface in VPN0.
4. Modify the policy to also allow internet access directly from the branch router by adding it to the site list.
This document provides instructions for configuring internet access to branch sites via the data center (DC) and via local internet exits. The key steps are:
1. Create a VPN template with a default route to Null0 and apply it only to DC devices to advertise the default route.
2. Enable NAT on the internet interface VPN template and apply it to all devices.
3. Create a policy to accept traffic to/from the branch subnet and NAT it out the internet interface in VPN0.
4. Modify the policy to also allow internet access directly from the branch router by adding it to the site list.
This document provides instructions for configuring internet access to branch sites via the data center (DC) and via local internet exits. The key steps are:
1. Create a VPN template with a default route to Null0 and apply it only to DC devices to advertise the default route.
2. Enable NAT on the internet interface VPN template and apply it to all devices.
3. Create a policy to accept traffic to/from the branch subnet and NAT it out the internet interface in VPN0.
4. Modify the policy to also allow internet access directly from the branch router by adding it to the site list.
This document provides instructions for configuring internet access to branch sites via the data center (DC) and via local internet exits. The key steps are:
1. Create a VPN template with a default route to Null0 and apply it only to DC devices to advertise the default route.
2. Enable NAT on the internet interface VPN template and apply it to all devices.
3. Create a policy to accept traffic to/from the branch subnet and NAT it out the internet interface in VPN0.
4. Modify the policy to also allow internet access directly from the branch router by adding it to the site list.
Download as DOCX, PDF, TXT or read online from Scribd
Download as docx, pdf, or txt
You are on page 1/ 27
Introduction In this Lab, user will learn how to provide Internet access to the sites that are enabled with SD-WAN fabric. User will perform both Internet access via DC and Local Internet Exit (Direct Internet Access (DIA)).
This lab is built once the overlay comes up and all the required templates are pre- configured. If it is not done already, user need to perform Overlay bring up Lab and Templates Lab.
Initial Verification Test the internet access from a PC connected in Branch1.
Open the Firefox browser from Mgmt-PC (D2) and browse Facebook and google. Notice that both are failed.
Let’s check if desktop D2 can reach 8.8.8.8
Open the command prompt and tracert 8.8.8.8
Notice that it stopped at B1-R1.
Task Identify the reason why the trace is stopping at B1-R1.
Default route B1-R1 doesn’t have the default route. Hence it is not able to forward the traffic.
Let’s advertise the default route from DC WAN edges using a Null route.
Login to vManage:
Login to the vManage URL.
Username: admin
Password: admin Go to Configuration>Templates>Feature
The default route needs to created in VPN template and should be only on DC WAN edges.
Notice that the VPN1 template is attached to two device templates. Click on 2 to see what are the templaes.
This feature template is attached to DC and cEdge in Branch2 device templates.
We want to add default route to Null0 only on DC WAN edges. If we modify this template, it will reflect the changes also in B2 WAN edge device.
Copy this VPN1 template and give the below names.
Template Name: DC-VPN1
Description: DC-VPN1
Edit the DC-VPN1 template to create default route to Null0.
Click on New IPv4 Route under IPv4 Route section and configure below.
Prefix (Global): 0.0.0.0/0
Gateway: Null0
Enable Null0 (Global) : On
Click Add and update the template.
Now attach this feature template in DC device template.
Go to Device templates section and edit DC-Template
Under Service VPN section, select DC-VPN1 template as VPN template and update. Click Next to proceed further.
Click on a device to preview the configuration that will be pushed to the WAN edge.
Notice the default Null0 route and click on Configure Devices
Confirm and OK
Wait until the template push is successful.
Verification Let’s verify if B1-R1 received this route. Navigate to Monitor>Network>B1-R1>Real Time
Select IP Routes from Device Options. Do Not Filter.
Notice that, now B1-R1 received the routes from DC WAN edges.
Let’s verify the from the desktop.
D2:
Still no access to the internet. But this time B1-R1 is forwarding and because of Null0 route in DC WAN edges, the traffic is blackholed.
For this to work, we need to create policy to direct the traffic to NAT enabled Internet interface in VPN 0, instead of blackholing the traffic by matching Null0 route.
NAT Now Let’s enable Internet access for Branch using a policy via DC.
Templates For the internet to work, NAT needs to be enabled on the VPN0 internet interface. In this lab it is ge0/0. Ignore if it is already enabled in your lab setup. Just verify.
Navigate to Configuration>Templates>Feature
Edit VPN0-Internet-Interface template
Turn On NAT under NAT section and update the template.
Click Next to Proceed further.
Preview the config by selecting a device and notice that NAT is enabled on ge0/0 which internet connected interface. Click on Configure Devices, confirm and wait until the template push is successful.
Policy Now let’s create a policy to direct the internet traffic to this NAT enabled interface.
Navigate to Configuration>Policies
Click Add Policy
Creating Lists Data Prefix List: Name: Local-Subnet
Data Prefix: 10.0.0.0/8
This is the major prefix used in all the branches.
Click Add
Site List: Name: DC
Site: 10
Click Add VPN List: Name: VPN1
VPN: 1
Click Add and Next
Click Next again to proceed further.
We need to Configure Traffic Rules.
Click on Traffic Data, then Add Policy and Create New.
Configure the below Name and Description for the policy.
Name: Internet-Exit
Description: Internet-Exit
Change the default action from drop to Accept for this policy. Click on Sequence Type to create a Custom Policy
Create a Sequence rule that will Accept the traffic to(Destination) Local-
Subnet Data Prefix List.
Create a second Sequence Rule that will accept traffic from(Source) Local-
Subnet Data Prefix List and send it to NAT enabled interface in VPN0. Ensure the policy created is matching below and Save the Policy.
Click Next to proceed further.
This policy needs to be applied under main policy. Configure the below names.
Policy Name: LearnEdze-Policy
Policy Description: LearnEdze-Policy
Click on Traffic Data.
Apply Site and VPN List to Internet-Exit policy by clicking on New Site List and VPN List. Refer below screen shot and Save the policy.
Preview Policy Click on (…) and Preview. Click on OK once policy is verified. Your policy should match the below policy.
policy data-policy _VPN1_Internet-Exit vpn-list VPN1 sequence 1 match destination-data-prefix-list Local-Subnet ! action accept ! ! sequence 11 match source-data-prefix-list Local-Subnet ! action accept nat use-vpn 0 nat fallback ! ! default-action accept ! lists data-prefix-list Local-Subnet ip-prefix 10.0.0.0/8 ! site-list DC site-id 10 ! vpn-list VPN1 vpn 1 ! ! ! apply-policy site-list DC data-policy _VPN1_Internet-Exit all ! ! Activating the Policy Click on (…) and Activate.
Policy will be applied to vSmart. Click Activate
Wait until the policy push to the vSmart is successful.
Verification VNC to desktop D2 and traceroute to 8.8.8.8
Now notice that the traffic is forwarded to B1-R1>DC>DC-Internet next-hop.
Your trace will be incomplete as any traffic initiated from outside(VPN0) to
inside(VPN1) not allowed
Open the browser and browse Facebook and Google.
Access to Facebook and Google is successful.
Now, we have successfully provided Internet access to branches via DC (Hub location).
Internet exit from Branch
As we established WAN connectivity for Branch using the Internet, we can use the same interface for providing internet access instead of going via DC.
Modify the Policy for Local Internet Exit (Direct Internet Access (DIA))
Navigate to Configuration>Policies Click on the Custom Options and Lists from Top right-hand corner.
Create a New Site List for B1-R1.
Name: B1
Site: 100
Edit the main policy (LearnEdze-Policy)
Click on Traffic Data and edit the rule
Select B1 and update the rule.
Save the policy changes.
Now the modified policy will be pushed to vSmart. Click on Activate.
Wait until the policy push is successful.
Preview the Policy
Click on (…) and Preview Click OK once the policy verification is completed.
Download Complete The Travels of Peter Mundy in Europe and Asia 1608 1667 Volume 4 Travels in Europe 1639 1647 Richard Carnac Temple PDF for All Chapters
Download Complete The Travels of Peter Mundy in Europe and Asia 1608 1667 Volume 4 Travels in Europe 1639 1647 Richard Carnac Temple PDF for All Chapters
