02-04-2021 02:21 AM
I have the below scenario.
I have 2 locations which are connected to the DC.
Each location has 2 Cisco SD-WAN devices. Each location has 2 links.
Link 1# MPLS
Link 2# Internet
In Data Center side, I have the network 10.10.0.0/16
There are multiple /24 networks like below.
10.10.100.0/24
10.10.200.0/24
10.10.300.0/24
10.10.400.0/24
Requirement:
1. From Location#1 & Location#2, I need to reach only the below DC networks (not the entire network of the DC)
10.10.300.0/24
10.10.400.0/24
2. The 1st preferred path is Internet, with MPLS as backup.
In case the Internet link fails, the traffic should go via MPLS.
How to achieve this in SD-WAN?
I want to understand this at a high level, like what kind of policies or configurations in SD-WAN can help in achieving this?
Attached is the diagram for reference.
02-04-2021 02:36 AM
Any help please.
02-04-2021 06:01 AM
Experts - any inputs?
02-04-2021 08:16 AM
There are several ways to accomplish this, and each one depends on what you want in your design.
The simplest scenario is to not advertise the 10.10.100.0/24 & 10.10.200.0/24 subnets to the branches, via an outbound centralized policy with the branches' scope.
Regards
02-04-2021 09:42 AM - edited 02-04-2021 09:43 AM
Hello @RS19
You can achieve this in many ways, and I'm going to give you the most popular of them. Just follow the steps below:
You should add the lists (Site IDs, VPNs, Color, Prefix, etc.):
* Access vManage ---> Configuration ---> Policies ---> Custom Options ---> Lists ---> Prefix ---> create both.
** Then ---> Custom Options ---> Lists ---> Sites ---> Create 3x Sites ---> Location#1 & Location#2 & Data Center, including the Site-ID for each site.
*** Then ---> Create VPN services ---> Lists ---> VPN ---> Add New VPN List ---> name of the VPN, number of the VPN service.
**** Then ---> Custom Options ---> Lists ---> Color ---> Add New Color List ---> name it and select the color (MPLS, Biz-Internet, Public-Internet or whatever) ---> Save.
Then create the topology through Custom Options ---> Topology ---> Add New Topology ---> Add Custom Control Policy ---> write the name & description of the topology ---> Add Sequence Type ---> Control Policy based on the Route ---> Sequence Rule ---> choose Prefix (which we created above) ---> Color List: choose Internet, and here you can put the higher preference (the range of preference is 0-4294967295) ---> Action: Accept ---> then create a copy of this rule and just edit the color to MPLS, without any adjustment to
the preference.
Then go back to the Centralized Policy ---> Add Policy (which is the main policy of the SD-WAN fabric) ---> then choose Topology ---> Add Topology ---> Import Existing Topology ---> Custom Control (Route and TLOC) ---> choose the topology which you created above ---> then go back to Policy Application ---> Topology ---> New Site List ---> choose DC Site as outbound ---> press Add.
Right now you can test your traffic and it will work as you want, 100%.
Mohamed Alhenawy
CCIE #60453
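The steps above expressed as a vSmart CLI centralized control policy (the CLI form of the lists, topology and policy application built in the vManage screens). This is an added example for illustration, not configuration from the original thread, from the poster's network or from Cisco documentation. The site IDs (100 = Data Center, 1 = Location#1, 2 = Location#2), the service VPN number (10), the TLOC colors (biz-internet for the Internet link, mpls for the MPLS link) and the two DC prefixes (written here as 10.10.30.0/24 and 10.10.40.0/24, since a third octet of 300 or 400 is not a valid IPv4 address) are all assumptions. Two things a practitioner would check before applying it: the direction of a control policy is relative to vSmart, so "out" on a site list means what vSmart advertises to those sites, which is why this one is applied toward the branch site list; and a control policy with default-action reject also drops TLOC routes unless a sequence explicitly accepts them, which would take the tunnels down together with the unwanted prefixes.

```text
! Added example (not from the thread): vSmart centralized control policy.
! Assumed values: site-id 100 = DC, 1 = Location#1, 2 = Location#2,
! service VPN 10, TLOC colors biz-internet (Internet) and mpls (MPLS).
policy
 lists
  prefix-list DC-ALLOWED
   ip-prefix 10.10.30.0/24
   ip-prefix 10.10.40.0/24
  !
  site-list BRANCHES
   site-id 1
   site-id 2
  !
  vpn-list SERVICE-VPN
   vpn 10
  !
  color-list INTERNET
   color biz-internet
  !
  color-list MPLS
   color mpls
  !
 !
 control-policy DC-PREFIXES-TO-BRANCHES
  ! The DC advertises every prefix once per TLOC: one copy with the
  ! Internet TLOC as next hop, one with the MPLS TLOC. Give the Internet
  ! copy the higher OMP preference so the branch installs it; when the
  ! Internet TLOC goes down (BFD), that copy is withdrawn and the MPLS
  ! copy (lower preference) is the only one left, so traffic fails over.
  sequence 10
   match route
    prefix-list DC-ALLOWED
    vpn-list SERVICE-VPN
    color-list INTERNET
   !
   action accept
    set
     preference 200
    !
   !
  !
  sequence 20
   match route
    prefix-list DC-ALLOWED
    vpn-list SERVICE-VPN
    color-list MPLS
   !
   action accept
    set
     preference 100
    !
   !
  !
  ! TLOC routes must still be accepted, otherwise the branches lose
  ! their data-plane tunnels together with the unwanted prefixes.
  sequence 30
   match tloc
   !
   action accept
   !
  !
  ! Everything else (10.10.100.0/24, 10.10.200.0/24, other branches'
  ! routes) is dropped before it reaches the branches.
  default-action reject
 !
 apply-policy
  ! "out" is relative to vSmart: this is what vSmart advertises to the
  ! sites in BRANCHES. Apply it toward the branches, not toward the DC.
  site-list BRANCHES
   control-policy DC-PREFIXES-TO-BRANCHES out
  !
 !
!
```

After activation, the result can be checked on a branch router with `show omp routes vpn 10` (vEdge) or `show sdwan omp routes` (IOS XE): only the two DC prefixes should be present, each with the Internet-color TLOC carrying the higher preference and marked as chosen and installed.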
02-05-2021 03:47 PM
Thanks,
I am able to understand your solution.
Further to this, I checked & got a few more details.
The existing configuration is something like this:
1. A centralized policy is configured to route the entire DC network (10.10.0.0/16) & it is applied to all the locations.
2. But in Location 1 & Location 2, a local policy is configured using a prefix list to reject the DC network 10.10.0.0/16.
3. A centralized policy is there which is configured to choose MPLS as primary & Internet as backup for all traffic.
So my understanding is that:
1) I need to allow 10.10.100.0/24 & 10.10.200.0/24 in the prefix list in the local policy.
- By doing this, Location 1 & Location 2 will be allowed to learn the 10.10.100.0/24 & 10.10.200.0/24 networks.
Let me know if the above solution will work.
2) Is there any way I can configure a local policy for each location by which to choose Internet as the primary path only for these 2 segments?
02-06-2021 04:21 PM
Any inputs
02-11-2021 08:44 AM
Hi @RS19
Yes, it will work; just create it as a prefix. For the second solution which you wrote above, yes, you can do that through: Access vManage ---> Configuration ---> Policies ---> Custom Options ---> Localized Policy ---> Route Policy ---> then define this prefix 10.10.100.0/24, and through the action you will define the next hop for it. You have multiple attributes through which you can achieve your target, such as Weight, Local Preference, etc.
02-13-2021 06:09 PM
Thank you.
Understood.
There is a small modification in the requirement. Attached is the updated diagram.
Current Setup:
1) There is a central policy allowing the whole subnet 10.0.0.0/16 & it is applied to DC, Location 1 & Location 2.
2) On the Data Center side, there is a local policy allowing only 10.10.10.0/24 & 10.10.20.0/24.
- As a result, Location#1 & Location#2 have learned about the networks 10.10.10.0/24 & 10.10.20.0/24.
Requirement:
1. Now I need to publish 10.10.30.0/24 & 10.10.40.0/24 from the Data Center side.
2. That route needs to be learned only by Location 2 (Location 1 should not learn the route).
3. From Location 2, route reachability to 10.10.30.0/24 & 10.10.40.0/24 in the DC should be via the Internet link.
4. From the DC, the reachability from 10.10.30.0/24, 10.10.40.0/24 to Location 2 should be via the Internet link.
02-13-2021 10:32 PM
02-18-2021 02:54 AM
Any inputs
02-19-2021 08:19 PM
Experts, any inputs?
02-20-2021 07:49 PM - edited 02-20-2021 07:51 PM
Hello @RS19
As per your question, you can advertise this network under the BGP AS which is established with the branches, then create a prefix-list with a deny action, attach it to a route-map and apply it under BGP to the Location 1 neighborship. The prefix-list looks like this:
ip prefix-list Location#1 seq 5 deny 10.10.30.0/24
ip prefix-list Location#1 seq 10 deny 10.10.40.0/24
ip prefix-list Location#1 seq 15 permit 0.0.0.0/0 le 32
For points number 3 and 4 you can follow the same solution which I mentioned before.
02-21-2021 04:39 PM - edited 02-21-2021 06:56 PM
Thanks. I am preparing the required steps for this. I will try to show the steps which I am preparing, to confirm them.
I am using OSPF (not BGP) in my network. So I believe there will be no difference in the procedure.
02-23-2021 03:16 PM
Please find the updated diagram.
Requirement:
- The Data Center side needs to advertise new routes (10.10.100.0/24 & 10.10.200.0/24).
- The routes should be advertised only to Location#1.
For this I am planning as below. Not sure if this is right. Please check & confirm.
Step 1: Create a Local Policy to add the routes into SD-WAN on the Data Center side.
2. Add the created prefix list under the "Route Policy" under Localized Policy & allow it.
3. Apply the created "Route Policy" to both of the SD-WAN devices in the Data Center.
Expected Result:
The Data Center SD-WAN devices should be able to learn the networks 10.10.100.0/24 & 10.10.200.0/24.
Step 2: Apply a policy so that only Location#1 will learn the route.
1. Under Centralized Policy -> Topology -> Custom Control (Route & TLOC) -> Add Control Policy (Route)
2. Edit the Centralized Policy & add the newly created Topology under the Centralized Policy.
Expected Result:
The routes 10.10.100.0/24 & 10.10.200.0/24 should be learned only by the SD-WAN devices of Location#1 (Location#2 will not learn the routes).
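Step 2 of the plan above, together with the per-site filtering suggested earlier in the thread (the prefix-list/route-map idea) and the return-path requirement from the earlier update (points 3 and 4), as a vSmart CLI centralized control policy. This is an added example, not configuration from the thread or from Cisco. It assumes site-id 100 = Data Center, 1 = Location#1, 2 = Location#2, service VPN 10, TLOC colors biz-internet and mpls, and that Step 1 (the Data Center localized policy letting 10.10.100.0/24 and 10.10.200.0/24 into OMP) is already in place. A prefix-list in a route-map attached to a BGP neighbor only filters that BGP session; in the fabric, which OMP routes each site receives is decided on vSmart, so a per-site filter belongs in the centralized control policy and works the same whether the DC LAN runs BGP or OSPF. The first policy hides the two prefixes from Location#2 and lets everything else through (default-action accept, so the existing /16 advertisement and the TLOCs are untouched); the second, applied toward the DC, makes the DC prefer Location#1's Internet TLOC for the return path, mirroring the branch-side preference. The same two policies cover the earlier variant (10.10.30.0/24 and 10.10.40.0/24 visible to Location 2 only) by swapping the prefix list and the two site lists.

```text
! Added example (not from the thread): vSmart centralized control policy.
! Assumed values: site-id 100 = DC, 1 = Location#1, 2 = Location#2,
! service VPN 10, TLOC colors biz-internet and mpls.
policy
 lists
  prefix-list DC-NEW-PREFIXES
   ip-prefix 10.10.100.0/24
   ip-prefix 10.10.200.0/24
  !
  site-list DC
   site-id 100
  !
  site-list LOCATION1
   site-id 1
  !
  site-list LOCATION2
   site-id 2
  !
  vpn-list SERVICE-VPN
   vpn 10
  !
  color-list INTERNET
   color biz-internet
  !
  color-list MPLS
   color mpls
  !
 !
 ! Policy 1: what vSmart advertises to Location#2. The two new DC
 ! prefixes are rejected here, so only Location#1 learns them.
 ! Everything else (existing /16 routes, TLOCs) passes via default-action.
 control-policy HIDE-NEW-PREFIXES-FROM-L2
  sequence 10
   match route
    prefix-list DC-NEW-PREFIXES
    vpn-list SERVICE-VPN
    site-list DC
   !
   action reject
   !
  !
  default-action accept
 !
 ! Policy 2: what vSmart advertises to the DC. Location#1's routes arrive
 ! once per Location#1 TLOC; prefer the Internet copy so the DC sends
 ! return traffic over Internet and falls back to MPLS when it is down.
 control-policy DC-RETURN-PATH
  sequence 10
   match route
    site-list LOCATION1
    vpn-list SERVICE-VPN
    color-list INTERNET
   !
   action accept
    set
     preference 200
    !
   !
  !
  sequence 20
   match route
    site-list LOCATION1
    vpn-list SERVICE-VPN
    color-list MPLS
   !
   action accept
    set
     preference 100
    !
   !
  !
  default-action accept
 !
 apply-policy
  site-list LOCATION2
   control-policy HIDE-NEW-PREFIXES-FROM-L2 out
  !
  site-list DC
   control-policy DC-RETURN-PATH out
  !
 !
!
```

One constraint to keep in mind: vSmart accepts a single control policy per site per direction, and a site may appear in only one site list used by the apply-policy section for that direction. If Location#2 already has an outbound control policy (the MPLS-primary/Internet-backup one described earlier in the thread), the reject sequence above has to be added to that existing policy rather than applied as a second one. Verify on the Location#2 router with `show omp routes vpn 10` (vEdge) or `show sdwan omp routes` (IOS XE) that the two prefixes are absent, and on the DC routers that the routes from site 1 with the biz-internet TLOC carry preference 200 and are the ones installed.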