Cisco SDWAN: Route Leaking Using Centralized Policy Sun, Sep 11, 2022 8-minute read
In this post we’ll see how to perform route leaking between service VPNs using a centralized policy.
Cisco SDWAN VPNs are very similar to the VRF concept on legacy networks.
In the Cisco SDWAN overlay network, VPNs divide the network into different segments. By default, two VPNs are present in the configuration of all Cisco SDWAN devices, and these VPNs (VPN 0 and VPN 512, the transport and management VPNs) serve specific purposes.
To segment user networks and user data traffic locally at each site and to interconnect user sites across the overlay network, you create additional VPNs on vEdge routers. (These VPNs are identified by a number that is not 0 or 512.) To enable the flow of data traffic, you associate interfaces with each VPN, assigning an IP address to each interface. These interfaces connect to local-site networks, not to WAN transport clouds. For each of these VPNs, you can set other interface-specific properties, and you can configure features specific to the user segment, such as BGP and OSPF routing, VRRP, QoS, traffic shaping, and policing. These VPNs are called “Service VPNs”.
Let’s review together the topology and the requirement for this activity:
AS-IS
VPN-10 devices can only reach VPN-10 devices (Site-10 and Site-30) and VPN-20 devices can only reach VPN-20 devices (Site-20).
Here are the routing tables of Router-10, Router-20 and Router-30.
router-10
Router-20
router-30
As you can see, Router-10 and Router-30 have the same routing table and they do not receive the VPN-20 (Site-20) networks. On Router-20 (Site-20) we’re not receiving the Site-10 and Site-30 subnets.
requirement
I decided to split the guide into two parts:
Disclaimer
I’m using the following release: 20.3.5
If you are not confident about the procedure, test it in your lab environment before applying changes in production.
First, we need to create two Groups of Interest, AKA Lists.
Again, using the Custom Options, create the Custom Control:
Here we need to specify the following parameters:
Click on “Sequence Type” and choose “Route”
Click on “Sequence Rule” and choose “VPN” (the first one refers to VPN List, the second one refers to VPN ID) and “Prefix List”. In this example we’ll choose “VPN-20” as VPN List and “Site-20_R20_Loopback0” as Prefix List; here is the configuration:
Then, in the “Action” section change it from “Reject” to “Accept” and choose “Export to”. Here we need to select the other VPN ID, VPN-10 and click “Save Match And Actions”:
Now we need to create a second entry for the return traffic; basically we need to invert the VPN IDs and remove the Prefix List for this entry (match anything):
Again, in the “Action” section change it from “Reject” to “Accept” and choose “Export to”. Here we need to select the previous VPN ID, VPN-20 and click “Save Match And Actions”:
The final step is to modify the default action from “Reject” to “Accept”:
Great! Now let’s compose our policy 😉
Return to the initial policy section: Configuration>Policies and click “Add Policy”.
The first required step is to create the Groups of Interest, but we have done this task before so we can go ahead using the “Next” blue button at the bottom of the page.
After that, click on “Add Topology” and choose “Import Existing Topology”. Here, specify what you configured before:
Then, click the “Next” blue button at the bottom of the page and again “Next” in order to skip the section called “Configure Traffic Rules”.
Okay, we’re at the last step: we need to apply the policy to a specific site list!
Here we need to specify three things:
Now, you can finally click on “Save Policy”.
Great! We’re almost done 😉
The last step is to activate the policy. To do that, simply click on the policy, click on the three dots at the end of the row and click “Activate”:
vManage will push the configuration to vSmart using NETCONF.
Output from vSmart CLI:
Now we need to verify that the policy is working properly. Let’s connect to all the routers and review their routing tables:
router-10
Router-20
router-30
As you can see, Router-20 Loopback0 is now received at Site 10 and Site 30. Moreover, in the Site-20 routing table we can see the subnets related to Site-10 and Site-30.
Ping test from Router-20 to Router-10:
As you can see, the ping from 10.0.0.20 to 10.0.0.10 is working. However, the ping from Router-20 Loopback2 (2.2.2.2/32) to Router-10 Loopback0 is not working, because our prefix list only exports Router-20 Loopback0.
Now we want to leak all the subnets and not only Router-20 Loopback0, so let’s start!
The steps are the same with just one exception: we’ll not define any Prefix List in our policy!
You can now remove the Prefix List from your policy, or you can follow this guide and create a new policy 😊
Create two Groups of Interest, AKA Lists.
Again, using the Custom Options, create the Custom Control:
Here we need to specify the following parameters:
Click on “Sequence Type” and choose “Route”
Click on “Sequence Rule” and choose “VPN” (the first one refers to VPN List, the second one refers to VPN ID); here is the configuration:
Then, in the “Action” section change it from “Reject” to “Accept” and choose “Export to”. Here we need to select the other VPN ID, VPN-20, and click “Save Match And Actions”:
Now we need to create a second entry for the return traffic; basically we need to invert the VPN IDs. To do that we can use the copy function at the right of the match entry:
Apply the changes with the edit button. This is the final result:
The final step is to modify the default action from “Reject” to “Accept”:
Great! Now let’s compose our policy 😉
Return to the initial policy section: Configuration>Policies and click “Add Policy”.
The first required step is to create the Groups of Interest, but we have done this task before so we can go ahead using the “Next” blue button at the bottom of the page.
After that, click on “Add Topology” and choose “Import Existing Topology”. Here, specify what you configured before:
Then, click the “Next” blue button at the bottom of the page and again “Next” in order to skip the section called “Configure Traffic Rules”.
Okay, we’re at the last step: we need to apply the policy to a specific site list!
Here we need to specify three things:
Now, you can finally click on “Save Policy”.
Great! We’re almost done 😉
The last step is to activate the policy. To do that, simply click on the policy, click on the three dots at the end of the row and click “Activate”:
vManage will push the configuration to vSmart using NETCONF.
Output from vSmart CLI:
Now we need to verify that the policy is working properly. Let’s connect to all the routers and review their routing tables:
router-10
Router-20
router-30
As you can see, all Site-20 (VPN-20) subnets are now received at Site 10 and Site 30 (VPN-10), and vice versa.
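Both walkthroughs above are vManage clicks, but what vManage pushes to vSmart over NETCONF is plain CLI. As an added example, not taken from the original post, here is what the resulting centralized control policy would look like on vSmart. The list and policy names follow the post; the site IDs (10, 20, 30), the Loopback0 prefix 10.0.0.20/32 and the inbound direction are my assumptions. Sequence 1 is the Part 1 version with the prefix list; deleting the `prefix-list` line turns it into the Part 2 “match anything” version.

```text
! Added example, not from the original post: vSmart CLI equivalent of the
! centralized control policy built in vManage. Site IDs, the Loopback0
! prefix 10.0.0.20/32 and the "in" direction are assumptions.
policy
 lists
  vpn-list VPN-10
   vpn 10
  !
  vpn-list VPN-20
   vpn 20
  !
  prefix-list Site-20_R20_Loopback0
   ip-prefix 10.0.0.20/32
  !
  site-list ALL-SITES
   site-id 10
   site-id 20
   site-id 30
  !
 !
 control-policy ROUTE-LEAK
  ! Part 1: leak only Router-20 Loopback0 from VPN-20 into VPN-10.
  ! Part 2: remove the prefix-list line so every VPN-20 route is leaked.
  sequence 1
   match route
    vpn-list VPN-20
    prefix-list Site-20_R20_Loopback0
   !
   action accept
    export-to vpn-list VPN-10
   !
  !
  ! Return path: every route in VPN-10 is leaked into VPN-20.
  sequence 11
   match route
    vpn-list VPN-10
   !
   action accept
    export-to vpn-list VPN-20
   !
  !
  ! Keep the default at accept: with default-action reject, vSmart would
  ! drop every OMP route and TLOC that the two sequences do not match.
  default-action accept
 !
!
apply-policy
 site-list ALL-SITES
  control-policy ROUTE-LEAK in
 !
!
```

Two things worth keeping in mind when you reuse this. The return sequence (and the whole Part 2 policy) leaks every route between VPN-10 and VPN-20, so after activation those two service VPNs are no longer isolated from each other; in production, keep the prefix lists as narrow as the requirement allows so that only the subnets that really need cross-VPN reachability are exported. And the default action matters as much as the match entries: a control policy ending in `default-action reject` would withdraw all unmatched OMP routes and TLOCs from the sites in the site list, which is why both parts of the guide switch it to Accept before saving.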
Ping test from Router-20 to Router-10:
Congratulations, you did it!💥
Thanks for your time, I hope you enjoyed my blog!
If you have any questions, please drop me a message through social networks! 😊
👈 You can find the related icons here on the left of the page
Riccardo