02-04-2021 02:21 AM
I have the below scenario.
I have 2 locations which are connected to the DC.
Each location has 2 Cisco SD-WAN devices. Each location has 2 Links.
Link 1# MPLS
Link 2# Internet
In Data Center side, I have the network 10.10.0.0/16
There are multiple /24 networks like below.
10.10.100.0/24
10.10.200.0/24
10.10.300.0/24
10.10.400.0/24
Requirement:
1. From Location#1 & Location#2, I need to reach only the below DC network (Not the entire Network of DC)
10.10.300.0/24
10.10.400.0/24
2. The 1st preferred path is Internet. MPLS as backup.
In case Internet link fails, the traffic should be via MPLS.
How to achieve this in SD-WAN?
I want to understand this at a high level, like what kind of policies or configurations in SD-WAN can help in achieving this?
Attached is the diagram for reference.
02-04-2021 02:36 AM
Any help pls.
02-04-2021 06:01 AM
Experts - Any inputs?
02-04-2021 08:16 AM
There are several ways to accomplish this and each one depends on what you want in your design.
The simplest scenario is to not advertise the 10.10.100.0/24 & 10.10.200.0/24 subnets to the branches via an outbound centralized policy scoped to the branches.
Regards
02-04-2021 09:42 AM - edited 02-04-2021 09:43 AM
Hello @RS19
You can achieve this in many ways and I'm going to give you the most popular of them. Just follow the below steps:
First add the lists (site IDs, VPNs, colors, prefixes, etc.):
* Access vManage ---> Configuration ---> Policies ---> Custom Options ---> Lists ---> Prefix ---> create both.
** Then ---> Custom Options ---> Lists ---> Sites ---> create 3 sites ---> Location#1 & Location#2 & Data Center, including the Site-ID for each site.
*** Then ---> Custom Options ---> Lists ---> VPN ---> Add New VPN List ---> name of the VPN, number of the service VPN.
**** Then ---> Custom Options ---> Lists ---> Color ---> Add New Color List ---> name and select the color (MPLS, Biz-Internet, Public-Internet or whatever) ---> Save.
Then create the topology through Custom Options ---> Topology ---> Add New Topology ---> Add Custom Control Policy ---> write the name & description of the topology ---> Add Sequence Type ---> Control Policy based on the Route ---> Sequence Rule ---> choose the prefix (which we created above) ---> Color List: choose Internet, and here you can put the higher preference (range of preference 0-4294967295) ---> Action Accept ---> then create a copy of this rule and just edit the color to MPLS without any adjustment to the preference.
Then go back to the Centralized Policy ---> Add Policy (which is the main policy of the SD-WAN fabric) ---> then choose Topology ---> Add Topology ---> Import Existing Topology ---> Custom Control (Route and TLOC) ---> choose the topology which you created above ---> then go back to Policy Application ---> Topology ---> New Site List ---> choose the DC site as outbound ---> press Add.
Right now you can test your traffic and it will work as you want, 100%.
Mohamed Alhenawy
CCIE #60453
02-05-2021 03:47 PM
Thanks,
I am able to understand your solution.
Further to this, I checked & got a few more details.
The existing configuration is something like this.
1. A centralized policy is configured to route the entire DC network (10.10.0.0/16) & it is applied to all the locations.
2. But in location 1 & location 2, a local policy is configured using a prefix list to reject the DC network 10.10.0.0/16.
3. A centralized policy is there which is configured to choose MPLS as primary & Internet as backup for all traffic.
So my understanding is that:
1) I need to allow 10.10.100.0/24 & 10.10.200.0/24 in the prefix list in the local policy.
- By doing this, location 1 & location 2 will be allowed to learn the 10.10.100.0/24 & 10.10.200.0/24 networks.
Let me know if the above solution will work.
2) Is there any way I can configure a local policy for each location by which to choose Internet as the primary path only for these 2 segments?
02-06-2021 04:21 PM
Any inputs?
02-11-2021 08:44 AM
Hi @RS19
Yes, it will work; just create it as a prefix. For the second solution which you wrote above, yes, you can do that through: Access vManage ---> Configuration ---> Policies ---> Custom Options ---> Localized Policy ---> Route Policy ---> then define this prefix 10.10.100.0/24 and through the action define the next-hop for it. You have multiple attributes through which you can achieve your target, such as weight, local preference, etc.
02-13-2021 06:09 PM
Thank you.
Understood.
There is a small modification in the requirement. Attached is the updated diagram.
Current Setup:
1) There is a central policy allowing the whole subnet 10.0.0.0/16 & it is applied to DC, Location 1 & Location 2.
2) On the Data Center side, there is a local policy allowing only 10.10.10.0/24 & 10.10.20.0/24.
- As a result, Location#1 & Location#2 have learned about the networks 10.10.10.0/24 & 10.10.20.0/24.
Requirement:
1. Now I need to publish 10.10.30.0/24 & 10.10.40.0/24 from the Data Center side.
2. That route needs to be learned by only Location 2 (Location 1 should not learn the route).
3. From Location 2, route reachability to 10.10.30.0/24 & 10.10.40.0/24 in the DC should be via the Internet link.
4. From the DC, reachability from 10.10.30.0/24 & 10.10.40.0/24 to Location 2 should be via the Internet link.
02-13-2021 10:32 PM
02-18-2021 02:54 AM
Any inputs?
02-19-2021 08:19 PM
Experts, any inputs?
02-20-2021 07:49 PM - edited 02-20-2021 07:51 PM
Hello @RS19
As per your question, you can advertise this network under the BGP AS which is established with the branches, then create a prefix-list with a deny action, attach it to a route-map and apply it under BGP on the Location 1 neighborship. The prefix-list looks like this ---> prefix-list Location#1 seq 5 deny 10.10.30.0/24, prefix-list Location#1 seq 5 deny 10.10.40.0/24, prefix-list Location#1 seq 10 permit 0.0.0.0/0 le 32. For points number 3 and 4 you can follow the same solution which I mentioned before.
02-21-2021 04:39 PM - edited 02-21-2021 06:56 PM
Thanks. I am preparing the required steps for this. I will try to showcase the steps which I am preparing, to confirm them.
I am using OSPF (not BGP) in my network, so I believe there will be no difference in the procedure.
02-23-2021 03:16 PM
Please find the updated diagram.
Requirement:
- The Data Center side needs to advertise new routes (10.10.100.0/24 & 10.10.200.0/24).
- The routes should be advertised only to Location#1.
For this I am planning as below. Not sure if this is right. Please check & confirm.
Step 1: Create a local policy to add the routes into SD-WAN on the Data Center side.
1. Create a prefix list for the routes.
2. Add the created prefix list under the "Route Policy" under Localized Policy & allow it.
3. Apply the created "Route Policy" to both SD-WAN devices in the Data Center.
Expected Result:
The Data Center SD-WAN devices should be able to learn the networks 10.10.100.0/24 & 10.10.200.0/24.
Step 2: Apply a policy so that only Location#1 will learn the routes.
1. Under Centralized Policy -> Topology -> Custom Control (Route & TLOC) -> Add Control Policy (Route).
2. Edit the Centralized Policy & add the newly created topology under the Centralized Policy.
Expected Result:
The routes 10.10.100.0/24 & 10.10.200.0/24 should be learned only by the SD-WAN devices of Location#1 (Location#2 will not learn the routes).
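For readers who want to see what the vManage clicks in this thread produce, the following is the same design expressed as a vSmart centralized control policy in CLI form. It is an added example, not configuration posted by anyone in the thread: it combines the per-color preference rule from the earlier answer (Internet preferred, MPLS as backup) with the final requirement that only Location#1 learns 10.10.100.0/24 and 10.10.200.0/24. The site IDs (100, 10, 20), service VPN 10 and the color names biz-internet and mpls are assumed values for illustration; replace them with the ones in your fabric.

```cisco
! Added example: vSmart centralized control policy (CLI form of the vManage steps).
! Site IDs, VPN number and color names below are assumptions, not taken from the thread.
policy
 lists
  site-list DC
   site-id 100
  !
  site-list LOCATION1
   site-id 10
  !
  site-list LOCATION2
   site-id 20
  !
  ! The two DC prefixes that must be published only to Location#1.
  prefix-list DC-NEW-ROUTES
   ip-prefix 10.10.100.0/24
   ip-prefix 10.10.200.0/24
  !
  color-list INTERNET
   color biz-internet
  !
  color-list MPLS
   color mpls
  !
  vpn-list SERVICE-VPN
   vpn 10
  !
 !
 ! Sent to Location#1: same DC routes, higher OMP preference on the Internet TLOC
 ! so the Internet path wins while it is up and MPLS takes over when it is not.
 control-policy DC-NEW-ROUTES-TO-LOC1
  sequence 10
   match route
    prefix-list DC-NEW-ROUTES
    site-list DC
    vpn-list SERVICE-VPN
    color-list INTERNET
   !
   action accept
    set preference 200
   !
  !
  sequence 20
   match route
    prefix-list DC-NEW-ROUTES
    site-list DC
    vpn-list SERVICE-VPN
    color-list MPLS
   !
   action accept
    set preference 100
   !
  !
  ! Everything else (other DC routes, branch routes, TLOCs) is left untouched.
  default-action accept
 !
 ! Sent to Location#2: the two new DC prefixes are withheld, all other routes pass.
 control-policy HIDE-DC-NEW-ROUTES
  sequence 10
   match route
    prefix-list DC-NEW-ROUTES
    site-list DC
    vpn-list SERVICE-VPN
   !
   action reject
   !
  !
  default-action accept
 !
 ! "out" is from the vSmart's point of view: routes advertised to the listed sites.
 apply-policy
  site-list LOCATION1
   control-policy DC-NEW-ROUTES-TO-LOC1 out
  !
  site-list LOCATION2
   control-policy HIDE-DC-NEW-ROUTES out
  !
 !
!
```

Three points worth checking before applying something like this: the policy direction is the vSmart's, so `out` toward a site-list filters what that site learns, which is why the restriction for Location#2 is applied to the LOCATION2 site-list rather than to the DC; a site can carry only one control policy per direction, so these sequences have to be merged into whatever outbound policy the branches already use instead of being added beside it; and `default-action accept` is required, because the implicit default rejects every route and TLOC not matched by a sequence, which would cut the branches off from the fabric. The return direction in point 4 of the requirement (DC toward Location 2 via Internet) needs the mirror of the first policy applied outbound to the DC site-list and is not shown here.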