CLC CCIE EI SD-Wan Lab v1.0 - Full Solution

CCIE Enterprise Infrastructure: SD-WAN Practice Lab v1.0

Workbook Description
Author: CCIE Lab Center (CLC)
Focus: Practice
Level: Expert (CCIE)
Stream: CCIE Enterprise Infrastructure: SD-WAN Technology
Content: Topology, Questions, Initial Configuration, Solutions, Verifications.
Format: PDF
Protection: DRM Protected
Price/Cost: $100 USD

Table of Contents Page No

1) Lab Details 6
A) Lab Summary 6
B) Initial configuration 12

2) SD-WAN Controller Deployment 26


A) Initial Configuration 26
I. vManage 26
II. vBond 29
III. vSmart 30
B) ROOTCA on vManage & uploading Certificate 33
I. vManage 33
II. vBond 39
III. vSmart 42
C) Controllers final bring up 45
D) Final verification of all controllers 47
E) Viptela vEdges License downloading Procedure 49

3) SD-WAN vEdge routers onboarding 64


A) Common procedure for all vEdge routers (.pem certification) 64
B) Configuration of all vEdges 65
C) vEdges nodes with vManage licenses installation 75
D) Verification on vEdges 76

4) Common Template for all vEdges 82


A) Create common basic templates 82
B) vSmart template 96

5) Deployment of vEdges (RTP) @ Data Center 97


A) Data center details 98
B) Configure the transport VPN 0 98
C) Configure the Service VPN 108
D) Creating devices Template 116
E) Attaching device Templates to DC vEdges 1 & 2 120
F) Final verification of template output from vEdges CLI 124

6) Deployment of vEdges (San Jose) @ Branch 127


A) Branch details 127
B) Creating Transport feature template of vEdges 3 & 4 128
C) Branch Service side VPN 1 138
D) Attaching device template to vEdge3 & vEdge4 147
E) Verification on vEdges 3 & 4 154

7) Deployment of vEdges (New York) @ Branch 155


A) Branch details 155
B) Creating device template of vEdges 5 & 6 157
C) Creating device template from feature template for vEdges 5 & 6 160
D) Attaching to vEdges 5 & vEdge6 162
E) Verification on vEdges & vManage 166

8) Deployment of vEdges (Las Vegas) @ Branch 169


A) Branch details 169
B) Creating Device template for Las Vegas vEdge 7 170
C) Verification on vEdge 7 171

9) Deployment of vEdges (New Jersey) @ Branch 172


A) Branch details 172
B) Creating device template for Francisco vEdge8 173
C) Attaching device template to vEdge8 174
D) Verification vEdge8 177

10) Deployment of vEdges (Francisco) @ Branch 178


A) Branch details 178
B) Creating device template for Francisco vEdge9 178
C) Attaching device template to vEdge9 180
D) Verification on vEdge 9 182

11) Hub & Spoke Integration 183


A) Create Site lists 185
B) Create Topology 187
C) Create Policy 189
D) Policy Activation 190
E) Verification on Spoke vEdges 191
F) Default route originate from Site100 (RTP) 193

12) Local Internet Breakout 194


A) Create Lists 194
B) Create Data Policy 195
C) Global Policy 198
D) Verification 199

13) Implementing Traffic Engineering (Policy Based routing) 202


A) Create Policy list(Data Lists) 202
B) Create Traffic Policy 203
C) Global Policy 204
D) Activation 205
E) Verification 206

14) Implementing QoS Policy 207


A) Create Policy Lists 207
B) Create QoS Policy 208
C) Activation 211
D) Verification 211

15) Application Aware routing 213


A) Create Policy List/SLA List 213
B) Traffic Policy (AAR Policy) 215
C) Global AAR Policy 217
D) Activation 218
E) BFD Polling template 218


F) Verification 220

16) Traffic Flow Monitoring with Cflowd 222


A) Create Traffic Policy 223
B) Applying policy into Local-Internet-Access 224
C) Policy activation 226
D) Verification 226

17) Final CLI output of all vEdges & vSmart controller 227

1 LAB Details
A) Lab Summary
1) Feature & Devices Template
2) Hub & Spoke Policy.
3) Local Internet Breakout
4) Implementing Traffic Engineering (PBR)
5) QoS
6) Application aware policy
7) TLOC
8) cflowd

a) Hardware Requirement
CPU 8 core
RAM 32 GB
HDD 500 GB

Note: After starting all nodes, wait about 10 minutes for CPU utilization to return to normal.


b) How to upload images into EVE-NG server


Step 1: After starting the EVE-NG instance, log in with FileZilla to the displayed IP address (username root, password eve).

Step 2: Upload the QEMU images as shown below.

Step 3: Log in to your EVE-NG server (hypervisor, VMware, etc.) with username root and password eve.

Step 4: Run the following command from the CLI:

/opt/unetlab/wrappers/unl_wrapper -a fixpermissions

Step 5: Upload the IOL images as shown below.

Step 6: Run the following command from the CLI:

/opt/unetlab/wrappers/unl_wrapper -a fixpermissions

For more details on uploading images, see:
https://www.eve-ng.net/index.php/documentation/howtos/howto-add-cisco-iol-ios-on-linux/

c) Lab Topology in light mode

d) Lab Topology in dark mode

e) IP details

S/N  Hostname  Location    Site ID  System-IP    OU
1    edge1     RTP         100      10.200.1.1   viptela sdwan
2    edge2     RTP         100      10.200.1.2   viptela sdwan
3    edge3     San Jose    200      10.200.1.3   viptela sdwan
4    edge4     San Jose    200      10.200.1.4   viptela sdwan
5    edge5     New York    300      10.200.1.5   viptela sdwan
6    edge6     New York    300      10.200.1.6   viptela sdwan
7    edge7     Las Vegas   400      10.200.1.7   viptela sdwan
8    edge8     New Jersey  500      10.200.1.8   viptela sdwan
9    edge9     Francisco   600      10.200.1.9   viptela sdwan
10   vmanage   AWS         700      10.200.1.10  viptela sdwan
11   vsmart    AWS         700      10.200.1.11  viptela sdwan
12   vbond     AWS         700      10.200.1.12  viptela sdwan

Controller IP details

Hostname  VPN0 ETH0            VPN512 ETH0      VPN0 GW    VPN512 GW
vmanage   10.10.0.5/24         59.239.98.5/24
vbond     ge0/0 10.10.0.4/24   59.239.98.4/24   10.10.0.1  59.239.98.1
vsmart    10.10.0.3/24         59.239.98.3/24

f) Lab nodes
Image versions used in the lab:
- Viptela 18.4.4: vManage, vBond, vSmart, vEdge
- MPLS Router: i86bi-linuxl3-adventerprisek9-15.5.2T.bin
- Internet Router: i86bi-linuxl3-adventerprisek9-15.5.2T.bin
- L2 Switches: viosl2-adventerprisek9-m.03.2017 & i86bi-linuxl2-adventerprisek9-15.2d.bin
- Host system: EVE Docker GUI-Server
- CA Server: EVE Docker GUI-Server

B) Initial configurations
The startup configurations for the ISP routers, switches, hosts and servers are given below.

I. Internet Router

hostname Biz-INT
ip name-server 8.8.8.8
ip name-server 1.1.1.1

interface Ethernet0/0
description *** Connected to Internet ***
ip address dhcp
ip nat outside
ip virtual-reassembly in
!
interface Ethernet0/1
description *** Connected to vedge1 ***
ip address 64.100.101.1 255.255.255.240
ip nat inside
ip virtual-reassembly in
!
interface Ethernet0/2
description *** Connected to vedge2 ***
ip address 64.100.102.1 255.255.255.240
ip nat inside
ip virtual-reassembly in
!
interface Ethernet0/3
description *** Connected to vedge4 ***
ip address 64.100.103.1 255.255.255.240
ip nat inside
ip virtual-reassembly in
!
interface Ethernet1/0
description *** Connected to vedge6 ***
ip address 64.100.104.1 255.255.255.240
ip nat inside
ip virtual-reassembly in
!
interface Ethernet1/1
description *** Connected to vedge7 ***
ip address 64.100.105.1 255.255.255.240
ip nat inside
ip virtual-reassembly in
!
interface Ethernet1/2
description *** Connected to vedge8 ***
ip address 64.100.106.1 255.255.255.240
ip nat inside
ip virtual-reassembly in
!
interface Ethernet1/3
description *** Connected to vedge9 ***
ip address 64.100.107.1 255.255.255.240
ip nat inside
ip virtual-reassembly in
!
interface Ethernet2/0
description *** Connected to SW2 ***
ip address 64.100.108.1 255.255.255.240
ip nat inside
ip virtual-reassembly in
!
interface Ethernet2/1
description *** Connected to MPLS P2P Link ***
ip address 5.5.5.6 255.255.255.252
!
ip nat inside source list nat interface Ethernet0/0 overload
ip route 10.1.1.12 255.255.255.252 5.5.5.5 name static-4-vedge9
ip route 10.10.0.0 255.255.255.0 64.100.108.2 name static-4-controller
ip route 192.168.0.0 255.255.0.0 5.5.5.5 name static-4-MPLS
!
ip access-list standard nat
permit 64.100.101.0 0.0.0.15
permit 64.100.102.0 0.0.0.15
permit 64.100.103.0 0.0.0.15
permit 64.100.104.0 0.0.0.15
permit 64.100.105.0 0.0.0.15
permit 64.100.106.0 0.0.0.15
permit 64.100.107.0 0.0.0.15
permit 64.100.108.0 0.0.0.15

II. MPLS

hostname MPLS

clock timezone PDT -7 0


ip name-server 1.1.1.1 8.8.8.8
interface Loopback10
ip address 192.168.10.1 255.255.255.255
!
interface E0/0
description *** Connected to vedge1 ***
ip address 192.168.1.1 255.255.255.252
no shutdown

interface E0/1
description *** Connected to vedge2 ***
ip address 192.168.2.1 255.255.255.252
no shutdown

interface E0/2
description *** Connected to vedge3 ***
ip address 192.168.3.1 255.255.255.252
ip nat inside
no shutdown

interface E0/3
description *** Connected to vedge5 ***
ip address 192.168.4.1 255.255.255.252
no shutdown

interface E1/0
description *** Connected to vedge7 ***
ip address 192.168.5.1 255.255.255.252
no shutdown

interface E1/1
description *** Connected to vedge8 ***
ip address 192.168.6.1 255.255.255.252
no shutdown

interface E1/2
description *** Connected to vedge9 ***
ip address 192.168.7.1 255.255.255.252
no shutdown

interface E2/0
description *** Connected to SW2 ***
ip address 192.168.8.1 255.255.255.252
no shutdown

interface E1/3
description *** Connected to Internet P2P link ***
ip address 5.5.5.5 255.255.255.252
no shutdown

router ospf 10
! "subnets" added: without it IOS redistributes only classful networks, so the /30 links and the /32 loopback would be dropped
redistribute connected subnets
redistribute static subnets
network 192.168.8.0 0.0.0.3 area 10
!
! full form of the IOS command: the router answers DNS queries using the name-servers configured above
ip dns server
ip route 0.0.0.0 0.0.0.0 5.5.5.6
ip route 10.1.1.12 255.255.255.252 192.168.7.2 name static-4-vedge9
ntp master 1

III. SW1

hostname SW1

vlan 100
name VPN512

interface E0/2
description *** Connected to vBond VPN512 ***
switchport access vlan 100
switchport mode access
no shutdown
spanning-tree portfast edge
!
interface E0/1
description *** Connected to vSmart VPN512 ***
switchport access vlan 100
switchport mode access
no shutdown
spanning-tree portfast edge
!
interface E0/0
description *** Connected to vManage VPN512 ***
switchport access vlan 100
switchport mode access
no shutdown
spanning-tree portfast edge
!
interface Vlan100
description *** Connected for VLAN512 ***
ip address 54.239.98.1 255.255.255.0
no shutdown
!

IV. SW2

hostname SW2
vlan 200
name VPN0

interface GigabitEthernet0/0
description *** Connected to vManage VPN0 ***
switchport access vlan 200
switchport mode access
no shutdown
spanning-tree portfast edge
!
interface GigabitEthernet0/1
description *** Connected to vSmart VPN0 ***
switchport access vlan 200
switchport mode access
no shutdown
spanning-tree portfast edge
!
interface GigabitEthernet0/2
description *** Connected to vBond VPN0 ***
switchport access vlan 200
switchport mode access
no shutdown
spanning-tree portfast edge
!
interface GigabitEthernet1/2
description *** Connected to MPLS ***
no switchport
ip address 192.168.8.2 255.255.255.252
no shutdown
!
interface GigabitEthernet1/1
description *** Connected to Internet ***
no switchport
ip address 64.100.108.2 255.255.255.240
no shutdown
!
interface GigabitEthernet0/3
description *** Connected CA Server ***
switchport access vlan 200
switchport mode access
no shutdown
spanning-tree portfast edge
!

interface Vlan200
description ** Created for VPN0 ***
ip address 10.10.0.1 255.255.255.0
!
router ospf 10
network 10.10.0.0 0.0.0.255 area 10
network 192.168.8.0 0.0.0.3 area 10
ip route 0.0.0.0 0.0.0.0 64.100.108.1

V. SW3

hostname SW3
vlan 10
name FTP
vlan 20
name WEB
interface Port-channel10
description *** Created for SW4 ***
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/0
description *** Connected to SW4 ***
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
negotiation auto
channel-group 10 mode active
!
interface GigabitEthernet0/1
description *** Connected to SW4 ***
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
negotiation auto
channel-group 10 mode active
!
interface GigabitEthernet0/2
description *** Connected to vedge1 ***
no switchport
ip address 10.1.1.2 255.255.255.252
ip ospf network point-to-point
negotiation auto
!
interface GigabitEthernet0/3
description *** Connected to vedge2 ***
no switchport
ip address 10.2.2.6 255.255.255.252
ip ospf network point-to-point
negotiation auto
!
interface GigabitEthernet1/0
description *** Connected to SW5 ***
switchport trunk allowed vlan 10,20
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
negotiation auto
!
interface Vlan10
ip address 172.16.10.2 255.255.255.0
ip ospf network point-to-point
vrrp 10 ip 172.16.10.1
vrrp 10 priority 250
!
interface Vlan20
ip address 172.16.20.2 255.255.255.0
ip ospf network point-to-point
vrrp 20 ip 172.16.20.1
!
router ospf 10
auto-cost reference-bandwidth 100000
redistribute connected subnets
network 10.1.1.0 0.0.0.3 area 0
network 10.2.2.4 0.0.0.3 area 0
network 172.16.10.0 0.0.0.255 area 0
network 172.16.20.0 0.0.0.255 area 0

ip route 0.0.0.0 0.0.0.0 10.1.1.1

VI. SW4

hostname SW4
vlan 10
name FTP
vlan 20
name WEB

interface Port-channel10
description *** Created for SW3 ***
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/0
description *** Connected to SW3 ***
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
negotiation auto
channel-group 10 mode active
!
interface GigabitEthernet0/1
description *** Connected to SW3 ***
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
negotiation auto
channel-group 10 mode active
!
interface GigabitEthernet0/2
description *** Connected to vedge2 ***
no switchport
ip address 10.1.1.6 255.255.255.252
ip ospf network point-to-point
negotiation auto
!
interface GigabitEthernet0/3
description *** Connected to vedge1 ***
no switchport
ip address 10.2.2.2 255.255.255.252
ip ospf network point-to-point
negotiation auto
!
interface GigabitEthernet1/0
description *** Connected to SW5 ***
switchport trunk allowed vlan 10,20
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
negotiation auto

interface Vlan10
ip address 172.16.10.3 255.255.255.0
vrrp 10 ip 172.16.10.1
!
interface Vlan20
ip address 172.16.20.3 255.255.255.0
vrrp 20 ip 172.16.20.1
vrrp 20 priority 250
!
router ospf 10
auto-cost reference-bandwidth 100000
redistribute connected subnets
network 10.1.1.4 0.0.0.3 area 0
network 10.2.2.0 0.0.0.3 area 0
network 172.16.10.0 0.0.0.255 area 0
network 172.16.20.0 0.0.0.255 area 0

ip route 0.0.0.0 0.0.0.0 10.1.1.5


!

VII. SW5

hostname SW5
vlan 10
name FTP
vlan 20
name WEB

interface GigabitEthernet0/0
description *** SW3 ***
switchport trunk allowed vlan 10,20
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
negotiation auto
!
interface GigabitEthernet0/1
description *** SW4 ***
switchport trunk allowed vlan 10,20
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
negotiation auto
!
interface GigabitEthernet0/2
description *** WEB ***
switchport access vlan 20
switchport mode access
media-type rj45
negotiation auto
!
interface GigabitEthernet0/3
description *** FTP ***
switchport access vlan 10
switchport mode access
media-type rj45
negotiation auto

VIII. SW6
hostname SW6
vlan 100
name employee
vlan 200
name guest
interface E0/1
description *** Connected to SW7 ***
switchport trunk encapsulation dot1q
switchport mode trunk
no shutdown
!
interface E0/0
description *** Connected to vEdge ***
switchport trunk allowed vlan 100,200
switchport trunk encapsulation dot1q
switchport mode trunk
no shutdown
!
interface E0/2
description *** Connected to Host1 ***
switchport access vlan 100
switchport mode access
no shutdown

IX. SW7
hostname SW7
vlan 100
name employee
vlan 200
name guest

interface E0/0
description *** Connected to vEdge4 ***
switchport trunk allowed vlan 100,200
switchport trunk encapsulation dot1q
! "switchport mode trunk" added: without it the port stays an access port and the allowed-vlan list has no effect
switchport mode trunk
no shutdown
!
interface E0/1
description *** Connected to SW6 ***
switchport trunk encapsulation dot1q
switchport mode trunk
no shutdown
!
interface E0/2
description *** Connected to Host2 ***
switchport access vlan 200
switchport mode access
no shutdown

X. SW8
hostname SW8
vlan 100
name Employee
interface E0/0
description *** Connected to vEdge6 ***
no switchport
ip address 10.1.1.34 255.255.255.252
ip ospf network point-to-point
no shutdown

interface E0/1
description *** Connected to vEdge5 ***
no switchport
ip address 10.1.1.30 255.255.255.252
ip ospf network point-to-point
no shutdown

interface E0/2
description *** Connected to Host1 ***
switchport
switchport mode access
switchport access vlan 100
no shutdown

interface Vlan100
ip address 172.18.1.1 255.255.255.0
description *** Employee host ***
no shutdown
!
router ospf 10
redistribute connected subnets
network 10.1.1.28 0.0.0.3 area 0
network 10.1.1.32 0.0.0.3 area 0
network 172.18.1.0 0.0.0.255 area 0

XI. SW9

hostname SW9
vlan 100
name Employee
vlan 200
name Guest

interface E0/1
description *** Connected to Host1 ***
switchport access vlan 100
switchport mode access
no shut
spanning-tree portfast edge
!
interface E0/2
description *** Connected to Host2 ***
switchport access vlan 200
switchport mode access
spanning-tree portfast edge
no shut
!
interface E0/0
description *** Connected to vEdge7 ***
switchport trunk allowed vlan 100,200
switchport trunk encapsulation dot1q
switchport mode trunk
no shutdown

XII. SW10

(no configuration beyond the following)
hostname SW10
interface Et0/0
description *** Connected to vEdge8 ***
no shutdown

XIII. SW11

hostname SW11
interface Ethernet0/0
description *** Connected to vEdge9 ***
no switchport
ip address 10.2.2.18 255.255.255.252
duplex auto
!

interface Ethernet0/2
description *** Connected to Host3 ***
switchport access vlan 100
switchport mode access
spanning-tree portfast edge
!
!
interface Vlan100
description *** Employee ***
ip address 172.21.1.1 255.255.255.0
shutdown
!

ip route 0.0.0.0 0.0.0.0 10.2.2.17

XIV. R3

hostname R3
interface GigabitEthernet0/0
description *** Connected to vedge9 ***
ip address 10.1.1.13 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description *** Connected to MPLS ***
ip address 192.168.7.2 255.255.255.252
duplex auto
speed auto
media-type rj45
ip route 0.0.0.0 0.0.0.0 192.168.7.1

XV. CA Server

ifconfig eth0 10.10.0.254 netmask 255.255.255.0
route add default gw 10.10.0.1 eth0

vim /etc/resolv.conf
nameserver 1.1.1.1
nameserver 8.8.8.8
(press Esc, then type :wq to write and quit)

Configure the FTP, WEB and other hosts the same way.

XVI. RTP

16.1 FTP Server


ifconfig eth0 172.16.10.254 netmask 255.255.255.0
route add default gw 172.16.10.1 eth0

16.2 WEB Server


ifconfig eth0 172.16.20.254 netmask 255.255.255.0
route add default gw 172.16.20.1 eth0

XVII. SAN JOSE

17.1 Host1
ifconfig eth0 172.17.1.254 netmask 255.255.255.0
route add default gw 172.17.1.1 eth0

17.2 Host2
ifconfig eth0 172.17.2.254 netmask 255.255.255.0
route add default gw 172.17.2.1 eth0

XVIII. New York

Host1
ifconfig eth0 172.18.1.254 netmask 255.255.255.0
route add default gw 172.18.1.1 eth0

XIX. Las Vegas

Host1
ifconfig eth0 172.19.1.254 netmask 255.255.255.0
route add default gw 172.19.1.1 eth0

XX. New Jersey

Host1
ifconfig eth0 172.20.1.254 netmask 255.255.255.0
route add default gw 172.20.1.1 eth0

XXI. Francisco

Host1
ifconfig eth0 172.21.1.254 netmask 255.255.255.0
route add default gw 172.21.1.1 eth0

2 SD-WAN Controller Deployment


A) Initial Configuration
i. vManage initial config

NOTE: The IP addresses and details are given on the topology.

Step 1.1 First boot: log in to vManage with the default credentials.

Login ID: admin
Password: admin

Login: admin
Password: admin
Welcome to Viptela CLI
admin connected from 127.0.0.1 using console on vmanage
You must set an initial admin password.
Password: admin
Re-enter password: admin
Available storage devices:
hdb 100GB
hdc 3GB
1) vdb
2) hdc
Select storage device to use: 1
Would you like to format vdb? (y/n): y

Step 1.2. After the reboot, log in again and configure vManage as follows.

Be careful to configure exactly the same organization-name that you used for the vBond controller profile on https://software.cisco.com (Plug and Play Connect), from where the vEdge serial file is downloaded.
conf t
system
clock timezone America/Los_Angeles
host-name vmanage
system-ip 10.200.1.10
site-id 700
organization-name "viptela sdwan"
vbond 10.10.0.3
ntp
server 192.168.10.1
version 4
prefer
exit
commit and-quit

config t
vpn 0
interface eth0
description Connected-vManage-ETH0-VPN0
ip address 10.10.0.5/24
no tunnel-interface
no shutdown
!
ip route 0.0.0.0/0 10.10.0.1
commit and-quit

config t
vpn 512
interface eth1
description Connected-vManage-ETH1-VPN512
ip address 54.239.98.5/24
no shutdown
!
ip route 0.0.0.0/0 54.239.98.1
commit and-quit

reboot
Are you sure you want to reboot?[yes,NO] yes

Step 1.3. From the CA server host, open the Chrome web browser and navigate to the vManage web interface at https://10.10.0.5. Navigate to Administration > Settings. Verify that the Organization Name is displayed correctly. Edit the vBond settings and enter the vBond public IP address (10.10.0.3).

Even though you have already entered the vBond IP address in the CLI, you still need to configure the vBond address under the system settings. Otherwise, generating the bootstrap configuration for vEdge Cloud instances will fail.

The dashboard looks like this.

Once logged in navigate to the settings page.

Enter the Organization Name and click Save. This field must match what you used when creating the vBond profile.

ii. vBond initial config

Login ID: admin
Password: admin

conf t
system
clock timezone America/Los_Angeles
host-name vbond
system-ip 10.200.1.12
site-id 700
organization-name "viptela sdwan"
vbond 10.10.0.3 local

ntp
server 192.168.10.1
version 4
prefer
exit
commit and-quit

config t
vpn 0
interface ge0/0
description Connected-vBond-GE0/0-VPN0
ip address 10.10.0.3/24
no tunnel-interface
no shutdown
!
ip route 0.0.0.0/0 10.10.0.1
commit and-quit

config t

vpn 512
interface eth0
description Connected-vBond-ETH0-VPN512
ip address 54.239.98.3/24
no shutdown
!
ip route 0.0.0.0/0 54.239.98.1
commit and-quit

reboot
Are you sure you want to reboot?[yes,NO] yes

iii. vSmart initial config

Login ID:admin
Pass :admin

conf t
system
clock timezone America/Los_Angeles
host-name vsmart
system-ip 10.200.1.11
site-id 700
organization-name "viptela sdwan"
vbond 10.10.0.3
ntp
server 192.168.10.1
version 4
prefer
exit
commit and-quit

config t

vpn 0
interface eth0
description Connected-vSmart-ETH0-VPN0
ip address 10.10.0.4/24
no tunnel-interface
no shutdown
!
ip route 0.0.0.0/0 10.10.0.1
commit and-quit

config t

vpn 512
interface eth1
description Connected-vSmart-ETH1-VPN512
ip address 54.239.98.4/24
no shutdown
!
ip route 0.0.0.0/0 54.239.98.1
commit and-quit

Final verification on each controller before installing certificates:

show control local-properties

clear installed-certificates

The clear command removes all certificates on the local device, including the public and private keys and the root certificate, and returns the device to the factory-default state.

B) Create ROOTCA server on vManage & Uploading Certificate

You need to generate the Root CA certificate. First log in to the vshell, which is a Unix-like shell, with the vshell command.

I. On vManage
vshell

1.1 Generate a Root CA key.

openssl genrsa -out ROOTCA.key 2048

1.2 Generate the Root CA certificate. I will generate a certificate with 5 years of
validity.

openssl req -x509 -new -nodes -key ROOTCA.key -sha256 -days 2000 \
-subj "/C=US/ST=California/L=San Jose/O=viptela sdwan/CN=viptela sdwan" \
-out ROOTCA.pem

This creates a Root CA certificate named ROOTCA.pem.

cat the file contents so you can copy and paste them in an upcoming step.

Exit back to the CLI and find the IP address of the VPN 0 interface.

Once you have the IP address browse to the URL https://10.10.0.5 and login with the username/password
admin.

The dashboard looks like this.

Once logged in navigate to the settings page.

Change the Controller Certificate Authorization to Enterprise Root Certificate. Paste in the contents of the generated ROOTCA.pem file from the previous step and click Import & Save.

1.3 vmanage:$ cat ROOTCA.pem (from the vManage vshell)

The output of this command is what you paste into the Enterprise Root Certificate field before clicking Import & Save.

Next we need to create a CSR for the vManage. Navigate to the certificates section.

A window will pop up with the CSR text. This can be ignored for the vManage.

Back in the vshell there will be a file called vmanage_csr. Sign this file with ROOTCA.key and ROOTCA.pem.

1.4 Generating vmanage.crt

openssl x509 -req -in vmanage_csr \
-CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
-out vmanage.crt -days 2000 -sha256

This creates a file called vmanage.crt. cat the file in order to copy and paste it into the web interface in the next step.

Navigate to the certificates page and install the certificate by pasting the contents of the vmanage.crt file and
click Install.

1.5 vmanage:$ cat vmanage.crt (certificate to install on vManage)

1.6 Resync the root certificate chain from the browser (important)

From the CA host, open a web browser and navigate to https://10.10.0.5/dataservice/system/device/sync/rootcertchain to resync the vManage database. Verify the output as shown below.

II. On vBond
1 Add the vBond to vManage.

Enter the vBond details and click Add.

1.1 Navigate to the certificates page to get the vBond CSR text.

Copy the CSR text and go to the vManage vshell to generate the certificate.

Use vim to create a file called vbond.csr with the contents of the vBond CSR from the previous step, then sign the CSR with the Root CA certificate.

1.2 vmanage:$ vim vbond.csr

Press i (insert), paste the CSR text, press Esc, then type :wq (write and quit). Then sign the CSR:

openssl x509 -req -in vbond.csr \
-CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
-out vbond.crt -days 2000 -sha256

This creates a certificate file called vbond.crt. cat the contents of vbond.crt in order to copy and paste them into vManage in the next step.

Navigate to the certificates page and install the vBond certificate by pasting in the contents of the vbond.crt file and click Install.

1.3 vmanage:$ cat vbond.crt

III. On vSmart
1 Add the vSmart to vManage.

Enter the vSmart details and click Add.

1.1 Navigate to the certificates page to get the vSmart CSR text.

Copy the CSR text and go to the vManage vshell to generate the certificate.

Use vim to create a file called vsmart.csr with the contents of the vSmart CSR from the previous step, then sign the CSR with the Root CA certificate.

1.2 vmanage:$ vim vsmart.csr

Press i (insert), paste the CSR text, press Esc, then type :wq (write and quit). Then sign the CSR:

openssl x509 -req -in vsmart.csr \
-CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
-out vsmart.crt -days 2000 -sha256

This creates a certificate file called vsmart.crt. cat the contents of vsmart.crt in order to copy and paste them into vManage in the next step.

1.3 vmanage:$ cat vsmart.crt

Navigate to the certificates page and install the vSmart certificate by pasting in the contents of the vsmart.crt file and click Install.

If it was successful you will see a success message similar to the below.

C) Controllers final bring up

To finalize the controller bring-up, configure VPN 0 with tunnel-interface settings. Log in first to vManage using SSH. Under interface eth0 configure tunnel-interface and commit the configuration change. Your session should look similar to the one below:

1 vManage

vpn 0
interface eth0
tunnel-interface
commit and-quit

2 vBond
On vBond, you'll also need to specify the encapsulation type under tunnel-interface. Set it to ipsec.

vpn 0
interface ge0/0
tunnel-interface
encapsulation ipsec
commit and-quit

3 vSmart

vpn 0
interface eth0
tunnel-interface
commit and-quit

Navigate back to the vManage main dashboard. You should see Up status for vSmart and vBond and a green checkmark status for vManage. There should be no certificate errors.

D) Final verification of all controllers

show control connections
show certificate installed
show control local-properties

On vBond
show orchestrator connections

E) Viptela vEdges License downloading Procedure


Reference: https://codingpackets.com/blog/cisco-sdwan-self-hosted-lab-part-1/

I. Add Virtual Account

A virtual account is a logical container for groups of devices.

Navigate to https://software.cisco.com and select Manage Smart Account.

Select Virtual Accounts.


Select New Virtual Account.

Enter the details of the virtual account and select Save.


II. Add Controller Profile

You need to add a vBond controller profile in order to create virtual edges.

Navigate back to the main page and select Plug and Play Connect.

Select the Default dropdown then select the virtual account you created in the previous step.


Select Controller Profiles.

Select Add Profile.

Change the controller type to VBOND then select Next.


Enter the vBond details and select Next.

Note

The Organization Name must be unique, and it must match the organization-name configured on the controllers and WAN Edges exactly (in this lab, "viptela sdwan"); the IP address can be anything.


Select Submit.

Select Done.

You should see your newly created controller profile in the list.


III. Add Virtual Edges

Now create some vEdge and cEdge devices so we can generate a serial file.

Navigate to Devices and select + Add Software Devices.


Select +Add Software Device.

Enter the PID VEDGE-CLOUD-DNA for vEdges, specify the desired quantity and select Save.


Select Next.

Select Submit.


Select Done.

Repeat the process for cEdges, this time using CSR1KV as the PID.

Note

At the time of writing a total of 25 virtual devices can be added to a virtual account.

Once added, devices will be in a Pending for publish state.


After a few minutes they will transition to the Provisioned state.

IV. Serial File

This is it, the moment you have been waiting for, the all-important serial file. The serial file is required to add edge
devices to the fabric.

Navigate to Controller Profiles and select Provisioning File.

Select 18.3 and Newer from the dropdown and then select Download. Save the file to a safe location to import into the
vManage at a future time.

Summary

We created a virtual account and a controller profile, added software vEdge and cEdge devices, and have the all-important serial file in hand.

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2019/pdf/TECSEC-2355.pdf

V. Uploading serial.viptela into vManage

Option 1: copy serial.viptela to the CA (Linux) machine using the HTML5 console.

CA > Desktop > thinclient_drives > GUACFS. Drag and drop the serial.viptela license file and move it to the rootCA folder. If GUACFS > Download is not visible, stop the Linux machine and start it again.

A window opens that lets you save the file on the Linux machine; if it does not, close and reopen it. This process is described in the EVE Professional cookbook, Section 13.2.

https://www.eve-ng.net/index.php/documentation/professional-cookbook/

Option 2: copy the file to Linux using the native console.

Linux > Desktop > thinclient_drives shows your PC disks. Find the license file and right-click to copy it to the Home folder or another folder.


Before you can add vEdges to the system, you also need to import the serial.viptela license file. Navigate to Configuration > Devices and select Upload WAN Edge List.

Browse for the license file (root > rootCA > serialFile.viptela).

Select the checkbox to validate the uploaded vEdge list and send it to the controllers. Select Upload and confirm the upload action by pressing OK.


Verify: navigate to Configuration > Devices > WAN Edge List.


3 SD-WAN vEdges routers onboarding

A) Common procedure for all vEdge routers (.pem certification)

1.1 Configure the vEdge and cEdge routers with the initial configurations given in section B below.

1.2 You should be able to ping 10.10.0.3 (vBond), 10.10.0.4 (vSmart) and 10.10.0.5 (vManage) from all vEdges.

1.3 Copy the contents of the generated ROOTCA.pem file from the vManage vshell and paste them into a file named ROOTCA.pem in the vshell of every vEdge.

On all vEdges:

vedge:~$ vim ROOTCA.pem

Press i (insert), paste the certificate, press Esc, then type :wq (write and quit).

From vmanage

vmanage:~$ cat ROOTCA.pem


-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----


1.4 On the vEdges

vedge:~$ vim ROOTCA.pem

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

vedge:~$ exit

1.5 ROOTCA installation on the vEdges

vedge# request root-cert-chain install /home/admin/ROOTCA.pem

B) Configuration of all vEdges

Each vEdge receives its system settings, an NTP server, a transport interface with a tunnel interface in VPN 0, and a management interface in VPN 512. The initial configurations below use allow-service all on the tunnel interface so that every service is reachable during onboarding and troubleshooting; this admits SSH, NETCONF, NTP, DNS and the other services unencrypted on the transport interface, so once the devices are onboarded restrict it to the services actually needed (see the Allow Service discussion in section 5B).

I. vEdge1

conf t
system
clock timezone America/Los_Angeles
host-name vedge1
system-ip 10.200.1.1
site-id 100
organization-name "viptela sdwan"
vbond 10.10.0.3
commit and-quit

conf t
system
ntp
server 192.168.10.1
version 4
prefer
exit
commit and-quit

conf t
vpn 0
interface ge0/0
description MPLS
ip address 192.168.1.2/30
tunnel-interface
encapsulation ipsec
allow-service sshd
allow-service all
!
no shutdown
!
ip route 0.0.0.0/0 192.168.1.1
commit and-quit

conf t
vpn 512
interface eth0
ip address 172.16.10.253/24
ipv6 dhcp-client
no shutdown
!
ip route 0.0.0.0/0 172.16.10.1
commit and-quit

II. vEdge2

config t
system
clock timezone America/Los_Angeles
host-name vedge2
system-ip 10.200.1.2
site-id 100
organization-name "viptela sdwan"
vbond 10.10.0.3
commit and-quit

conf t
system
ntp
server 192.168.10.1
version 4
prefer
exit
commit and-quit

conf t
vpn 0
interface ge0/0
description MPLS
ip address 192.168.2.2/30

III. vEdge3

config t
system
ntp
server 192.168.10.1
version 4
prefer
exit
commit and-quit

conf t
system
clock timezone America/Los_Angeles
host-name vedge3
system-ip 10.200.1.3
site-id 200
organization-name "viptela sdwan"
vbond 10.10.0.3
commit and-quit

config t
vpn 0
interface ge0/0
description MPLS
ip address 192.168.3.2/30
tunnel-interface
encapsulation ipsec
allow-service all
allow-service sshd
!
no shutdown
!
ip route 0.0.0.0/0 192.168.3.1
commit and-quit

config t
vpn 512
interface eth0
ip address 172.17.1.253/24
no shutdown
!
ip route 0.0.0.0/0 172.17.1.1
commit and-quit

IV. vEdge4

config t
system
clock timezone America/Los_Angeles
host-name vedge4
system-ip 10.200.1.4
site-id 200
organization-name "viptela sdwan"
vbond 10.10.0.3
commit and-quit

conf t
system
ntp
server 192.168.10.1
version 4
prefer
exit
commit and-quit

config t
vpn 0
no interface ge0/0
interface ge0/1
description Internet
ip address 64.100.103.2/28
tunnel-interface
encapsulation ipsec
allow-service all
allow-service sshd
!
no shutdown
!
ip route 0.0.0.0/0 64.100.103.1
commit and-quit

config t
vpn 512
interface eth0
ip address 172.17.2.253/24
no shutdown
!
ip route 0.0.0.0/0 172.17.2.1
commit and-quit

V. vEdge5

config t
system
clock timezone America/Los_Angeles
host-name vedge5
system-ip 10.200.1.5
site-id 300
organization-name "viptela sdwan"
vbond 10.10.0.3
commit and-quit

config t
system
ntp
server 192.168.10.1
version 4
prefer
exit
commit and-quit

config t
vpn 0
interface ge0/0
description MPLS
ip address 192.168.4.2/30
tunnel-interface
encapsulation ipsec
allow-service all
allow-service sshd
!
no shutdown
!
ip route 0.0.0.0/0 192.168.4.1
commit and-quit

config t
vpn 512
interface eth0
ip address 172.18.1.253/24
no shutdown
!
ip route 0.0.0.0/0 172.18.1.1
commit and-quit

VI. vEdge6

config t
system
clock timezone America/Los_Angeles
host-name vedge6
system-ip 10.200.1.6
site-id 300
organization-name "viptela sdwan"
vbond 10.10.0.3
commit and-quit

config t
system
ntp
server 192.168.10.1
version 4
prefer
exit
commit and-quit

config t
vpn 0
no interface ge0/0
interface ge0/1
description Internet
ip address 64.100.104.2/28
tunnel-interface
encapsulation ipsec
allow-service all
allow-service sshd
!
no shutdown
!
ip route 0.0.0.0/0 64.100.104.1
commit and-quit

config t
vpn 512
interface eth0
ip address 172.18.1.252/24
no shutdown
!
ip route 0.0.0.0/0 172.18.1.1
commit and-quit

VII. vEdge7

config t
system
clock timezone America/Los_Angeles
host-name vedge7
system-ip 10.200.1.7
site-id 400
organization-name "viptela sdwan"
vbond 10.10.0.3
commit and-quit

config t
system
ntp
server 192.168.10.1
version 4
prefer
exit
commit and-quit

config t
vpn 0
interface ge0/0
description MPLS
ip address 192.168.5.2/30
tunnel-interface
encapsulation ipsec
allow-service sshd
allow-service all
!
no shutdown
!
ip route 0.0.0.0/0 192.168.5.1
commit and-quit

config t
vpn 512
interface eth0
ip address 172.19.1.253/24
no shutdown
!
ip route 0.0.0.0/0 172.19.1.1
commit and-quit

VIII. vEdge8

config t
system
clock timezone America/Los_Angeles
host-name vedge8
system-ip 10.200.1.8
site-id 500
organization-name "viptela sdwan"
vbond 10.10.0.3
commit and-quit

conf t
system
ntp
server 192.168.10.1
version 4
prefer
exit
commit and-quit

config t
vpn 0
interface ge0/0
description MPLS
ip address 192.168.6.2/30
tunnel-interface
encapsulation ipsec
allow-service all
allow-service sshd
!
no shutdown
!
ip route 0.0.0.0/0 192.168.6.1
commit and-quit

config t
vpn 512
interface eth0
ip address 172.20.1.253/24
no shutdown
!
ip route 0.0.0.0/0 172.20.1.1
commit and-quit

IX. vEdge9

config t
system
clock timezone America/Los_Angeles
host-name vedge9
system-ip 10.200.1.9
site-id 600
organization-name "viptela sdwan"
vbond 10.10.0.3
commit and-quit

config t
system
ntp
server 192.168.10.1
version 4
prefer
exit
commit and-quit

config t
vpn 0
interface ge0/0
description MPLS
ip address 10.1.1.14/30
tunnel-interface
encapsulation ipsec
allow-service sshd
allow-service all
!
no shutdown
!
ip route 0.0.0.0/0 10.1.1.13
commit and-quit

config t
vpn 512
interface eth0
ip address 172.21.1.253/24
no shutdown
!
ip route 0.0.0.0/0 172.21.1.1
commit and-quit


C) vEdge nodes with vManage licenses installation

Generating the bootstrap from vManage

To add a virtual edge you need to generate a bootstrap configuration. Navigate to Configuration > Devices, select the device in the WAN Edge List, and generate its bootstrap configuration.

Generating the chassis UUID and OTP token

The bootstrap configuration contains the chassis UUID and the one-time password (OTP) token for the vEdge Cloud activation. Activate each vEdge with its own UUID and token:

request vedge-cloud activate chassis-number <UUID> token <OTP>

D) Verification on vEdges
show certificate serial
show control connections
show certificate installed

I. On vEdge1

Verification on vManage

Run the same verification on all vEdges.

II. On vEdge2

III. On vEdge3

IV. On vEdge4

V. On vEdge5

VI. On vEdge6

VII. On vEdge7

VIII. On vEdge8

IX. On vEdge9

X. Verification on vManage

Navigate to the vManage main dashboard. You should see Control Status Up for all WAN Edges.


4 Common Templates for all vEdges


A) Create common basic templates

In this section, the feature templates that fall under the basic information section of the device template will be configured. This includes the system settings, logging, Network Time Protocol (NTP), AAA, banner and VPN 512 feature templates.

i. vEdge system template


Navigate to Configuration > Templates in vManage, select the Feature tab, and press Add Template.

From the Select Devices list on the left, choose vEdge Cloud and CSR1000v, then select System.

Type a template name and description:

Template Name: vEdge-system
Template Description: vEdge-system


Navigate to Timezone, select Global, and choose your timezone, for example America/Los_Angeles.

Navigate to Console Baud Rate, select 9600, and save the template.


ii. Logging
To create a logging feature template, go to Configuration > Templates and select the Feature tab. Select the Add Template button.

From the Select Devices list on the left, choose vEdge Cloud and CSR1000v, then select the Logging template block under the Other Templates category on the right.

The Logging template is presented. Fill in the Template Name (Logging) and Description (Logging).

Select Server in order to jump to the logging server section of the template. Select the New Server button. In the Hostname/IP Address box, type in the logging server hostname or IP address (172.16.10.253 in this example). By default, this is a Global value, which means the value of 172.16.10.253 will be applied to all devices this template is applied to. Alternatively, this could have been defined as a Device Specific variable instead.

For VPN ID, select Global from the drop-down box and type 1, which references the service VPN number that
will be created. The logging server, which sits in the data center, should be reachable from any site's local
network. For remote sites, traffic will traverse over the tunnel to reach the data center.


For Source Interface, select Global from the drop-down box and type loopback0 into the text box. We want to
source logging messages from loopback0, which will be the system IP for the device so you can better correlate
the events which appear on vManage.


By default, events are also still logged to the local disk. For priority, informational messaging is the default. Select
the Add button to add the logging server configuration to the feature template.

Select the Save button to complete template.

iii. Network Time Protocol (NTP)

In the NTP template, the devices use an NTP server located on the MPLS router, 192.168.10.1, which is reachable through the transport VPN, VPN 0. Keeping correct time is important because certificates are used to authenticate to and connect with the controllers, and a device whose clock falls outside the certificate validity period cannot form control connections. Connection to the vSmart controllers is needed before IPsec tunnels can be formed and connectivity to the data center restored from the branches. If the NTP server were specified by hostname, a DNS server reachable in the transport VPN would be required to resolve it; here it is specified by IP address. In addition, NTP must be allowed through the tunnel interface (allow-service ntp) or NTP will not work in the transport VPN. DNS and allowed services are configured in the VPN and VPN interface templates later in this guide.

Assuming that you are still on the feature templates page, select the Add Template button. Create the NTP
template using the following device types, template type, template name, and description:

Select Devices: vEdges
Template: Basic Information/NTP
Template Name: NTP
Description: NTP

In the Server section, select the New Server button, and type 192.168.10.1 in the Hostname/IP Address box.
There is no authentication configured and the VPN ID by default is 0.

Select Add. Add any additional servers as needed.


Select Save to complete the template.


iv. AAA
In the AAA feature template, define local authentication and create additional users: an operator with read-only privileges and a netadmin user who can perform all operations. Note that this controls access when users SSH to the devices. Different users under different groups can be separately configured in vManage to control access to the vManage GUI (under Administration > Manage Users).

Assuming that you are still on the feature templates page, select the Add Template button. Create the AAA
template using the following device types, template type, template name, and description:

Select Devices: vEdges
Template: Basic Information/AAA
Template Name: AAA
Description: AAA

Under the Authentication Order parameter, deselect radius and tacacs from the drop-down box (so only the
local method is left). Click outside the box to close the drop-down menu.

Under the Local authentication section, click the New User button.

Next to Name enter oper1. Next to Password, enter a password. Next to User Groups, select operator from the
drop-down text box.

Click Add.

Click the New User button to add the second user.

Next to Name, enter netadmin1. Next to Password, enter a password. Next to User Groups, select netadmin from the drop-down text box.

Click Add.


v. Banner

There are two types of banners: one that is displayed before the CLI username/login prompt (login banner) and
one that is displayed after successfully logging in (message of the day, or MOTD, banner). Configure an MOTD
banner.
Select Configuration>Templates, and select the Feature tab. Select the Add Template button.

Create the banner template using the following device types, template type, template name, and description:

Select Devices: vEdges
Template: Other Templates/Banner
Template Name: Banner
Description: Banner


vi. VPN 512 Template for vEdge


Navigate to Configuration > Templates in vManage, select the Feature tab, and press Add Template.
From the Select Devices list on the left, choose vEdge Cloud and select VPN.

Add a name and description:

Select Devices: vEdges
Template: VPN/VPN
Template Name: VPN512
Description: VPN512

Under Basic Configuration, set VPN to 512.


Save Template


vii. VPN 512 interface template


Navigate to Configuration > Templates in vManage, select the Feature tab, and press Add Template.
From the Select Devices list on the left, choose vEdge Cloud and select VPN Interface Ethernet.

Add a name and description:

Template Name: VPN512-interface
Template Description: VPN512-interface
Basic Configuration, Shutdown > Global > No
Basic Configuration, Interface Name > Global > eth0
Basic Configuration, Description > Global > Management

Save


viii. Interface templates for the Las Vegas, New Jersey and Francisco branches (vEdge7, 8 and 9)

1 Branch LAN interface 1 (vEdge7, 8 and 9)

2 Branch LAN interface 2 (vEdge7, 8 and 9)


ix. NAT to be enabled on all Internet interfaces on the vEdges

Enable NAT in the following templates:

DC-INET-Interface
Branch-INT-Interface


B) vSmart Template (very important)

Creating feature template for vSmart interface

Creating device template from feature template for vSmart


5 Deployment of vEdges (RTP) @ Data Center


RTP DC Topology

In this topology, there is one data center and five remote sites. The transports are one MPLS and one Internet service provider. The SD-WAN controllers are deployed as an AWS cloud-managed service and are reachable via the Internet and MPLS transports. There is one vManage, one vSmart controller and one vBond orchestrator on the U.S. West Coast.

Each WAN Edge router attempts to make a connection to the controllers over each transport. The WAN Edge router first connects to the vBond orchestrator and then to the vSmart controllers over each transport. The vManage connection is made from the site over whichever transport connected to it first, but this preference is configurable. In this lab the WAN Edge routers reach the controllers directly over both the Internet and MPLS transports. In the reference design this lab is based on, only the Internet transport reaches the controllers directly; the MPLS transport reaches them by being routed over the IPsec tunnels to the data center and following the default route out to the Internet transport.


A) Data center details

In the example SD-WAN network, two vEdge Cloud routers (labeled vEdge1 and vEdge2) are positioned in the data center.

i. Transport side

The transport VPN (VPN 0) contains interface ge0/0 for the MPLS transport and ge0/1 for the Internet transport on each vEdge router.

Each vEdge uses a static default route in VPN 0 toward the Internet transport and another static default route in VPN 0 toward the MPLS transport, so that each tunnel endpoint is routed out of its own transport.

ii. Service side

The service VPN (VPN 1) contains interfaces ge0/2 and ge0/3 for the connections to the aggregation switches. Interface ge0/2 of each vEdge connects to data center WAN aggregation switch 1 (labeled SW3), while interface ge0/3 connects to data center aggregation switch 2 (labeled SW4). Each vEdge peers with each switch via OSPF area 0 using the interface addresses, and the OSPF routes are redistributed into OMP so they are advertised to all locations.

iii. IP details

vEdge IP details

Hostname   ge0/0 MPLS        ge0/1 Internet     ge0/2 SW3      ge0/3 SW4
vEdge1     192.168.1.2/30    64.100.101.2/28    10.1.1.1/30    10.2.2.1/30
vEdge2     192.168.2.2/30    64.100.102.2/28    10.1.1.5/30    10.2.2.5/30

B) Configure the transport VPN 0


For the data center, the transport VPN, or VPN 0 feature template, needs to be created. In the VPN
template, you configure Equal-Cost Multipath (ECMP) keying, DNS, and static routes. You then define the
physical interfaces for each of the transports, the MPLS and Internet interfaces. In those templates, you
configure interface names, IP addresses, and IPSec tunnel characteristics

i. Configure the transport VPN0 Template

In the vManage GUI, Select Configuration > Templates, and choose the Feature tab.

Select the Add Template button.


For the VPN-specific configurations, the data center templates stay separate from the branch templates, so
a change in the branch template configurations do not inadvertently change the configurations at the data
center.

Under the Select Devices column, choose vEdge cloud. Select the VPN template block under the VPN
section on the right.


Configure the Template Name and Description:


Template Name: DC-VPN0
Description: DC Transport VPN 0

Under Basic Configuration next to VPN, configure 0 as the VPN ID.

Next to Name, select Global from the drop-down menu, and type Transport VPN, a description for the VPN.

Next to Enhance ECMP Keying, select Global from the drop-down menu, and select On. Enabling this
feature configures the ECMP hashing to use the layer 4 source and destination ports in addition to the
source and destination IP address, protocol, and Differentiated Services Code Point (DSCP) field as the
ECMP hash key. ECMP is used when there are equal-cost routing paths in the VPN and traffic uses a hash on
key fields in the IP header to determine which path to take.

Under DNS and next to Primary DNS Address, select Global from the drop-down menu and enter 1.1.1.1. The
Secondary DNS Address box appears. Select Global from the drop-down menu and enter 8.8.8.8 in the
Secondary DNS Address text box.


Under the IPv4 Route template section, default routes are added for each interface. These routes are used so the
tunnel endpoints can peer with neighboring sites. Multiple default routes can exist because the WAN Edge uses
the physical tunnel endpoint source as well as the destination when making a routing decision.

Under the IPv4 Route section, click the New IPv4 Route button. Add 0.0.0.0/0 in the Prefix box and select Add
Next Hop.

A pop-up window appears that prompts you to add your first next hop. Select the Add Next Hop button.

Since this template applies to more than one WAN Edge, the next hop parameters are variables instead of global
values. On the pop-up window, under Address, select Device Specific from the drop-down menu, and type in the
next-hop IP address variable for the MPLS transport in the text box (vpn0_mpls_next_hop_ip_addr). Click the
Add Next Hop button to add the second next hop.

Under Address on the second next-hop entry, select Device Specific from the drop-down menu, and type in the
next-hop IP address variable for the Internet transport in the text box (vpn0_inet_next_hop_ip_addr).


Select Save to create the template.


ii. VPN 0 interface (MPLS)


Select Configuration > Templates, and choose the Feature tab.

Select the Add Template button.



Under the Select Devices column, choose vEdge cloud. Select the VPN interface Ethernet template block under
the VPN section on the right.

Template: VPN/VPN Interface Ethernet
Template Name: DC-MPLS-Interface
Description: DC MPLS Interface

Under Basic Configuration, next to Interface Name, select Global and type ge0/0. Next to Shutdown, select Global and select No.

Under Basic Configuration next to Description, select Global and type in MPLS Interface to describe the interface.

Under Basic Configuration under IPv4 Configuration next to IPv4 Address, select Device Specific and type in the
variable name vpn0_mpls_int_ip_addr|maskbits.


Under Tunnel and next to Tunnel Interface, select Global and select On. When you select On, additional
parameters for the tunnel are shown. Next to Color, select Global and select mpls from the drop-down text box.
Next to Restrict, select Global and select On. Restrict means that only tunnels will be formed with other
endpoints of the same color.

By default when the tunnel is enabled, the physical interface accepts DTLS/TLS and IPSec traffic in the case
of WAN Edge. In addition, other services can be enabled and accepted into the physical interface
unencrypted - this includes DNS, DHCP, HTTPS, and Internet Control Message Protocol (ICMP) by default.
Other protocols include SSH, NETCONF, NTP, BGP, OSPF, and STUN. It is a best security practice to minimize
the allowed protocols through. In the example network, for initial troubleshooting purposes, ICMP stays
enabled and DHCP is turned off for the MPLS interface since the IP address on the interface is static. NTP
and DNS are allowed through since the MPLS transport can route through the data center to reach the
Internet.

Under Tunnel and the Allow Service section, next to DHCP, select Global and select Off. Next to NTP, select
Global and select On.


Below the Allow Service section, select the Advanced Options text. The Encapsulation section is revealed.
Next to Preference, select Device Specific and configure the variable as
vpn0_mpls_tunnel_ipsec_preference. The IPSec tunnel preference allows you to prefer one tunnel over
another depending on the preference value.

Press the Save button to create the template.

iii. VPN 0 interface (Internet)


Next, configure the Internet interface under the transport VPN. The template should be very similar to the MPLS
VPN interface template with the exception of the variable names.


Assuming that you are still on the Feature Templates page, find the feature template just created (DC-MPLS-Interface) and select the ... menu to the far right. Select Copy.

On the pop-up window, define the template name and description as:
Template Name: DC-INET-Interface
Description: DC Internet Interface

Select the Copy button. The feature template is created and is now in the list with the other created feature templates.


Select the ... menu to the right of the new template (DC-INET-Interface) and choose Edit. Change the interface name to ge0/1, the interface description (for example, Internet Interface) and the IP address variable name.

Set Restrict to Off, rename the tunnel preference variable, and change the tunnel color to the one used for the Internet transport.


Once configuration changes have been made, select the Update button to save the changes to the feature
template


C) Configure the Service VPN


i. Service VPN 1
Select Configuration>Templates, and select the Feature tab. Select the Add Template button.

Create the VPN 1 template using the following device types, template, template name, and description:

Select Devices: vEdge Cloud
Template: VPN/VPN
Template Name: DC-VPN1
Description: DC Service VPN 1

Under Advertise OMP, enable OSPF so that the OSPF routes learned in VPN 1 are advertised into OMP.


With the Advertise OMP configuration, OSPF routes are being redistributed into OMP so the remote sites will
have reachability to the data center service-side routes.

Select Save to create the template.

ii. VPN interface Ethernet 1 (ge0/2)

Assuming that you are still on the Feature Templates page, select the Add Template button.
Create the first VPN 1 interface template using the following device types, template type, template name, and
description:
Select Devices: vEdge Cloud
Template: VPN/VPN Interface Ethernet
Template Name: DC-LAN-INT1
Description: DC LAN Interface 1


Select Save to complete the template.

iii. VPN interface Ethernet 2 (ge0/3)


Assuming that you are still on the Feature Templates page, find the feature template just created (DC-LAN-INT1) and select the ... menu to the far right. Select Copy.

In the pop-up window, define the Template Name and Description as:

Template Name: DC-LAN-INT2
Description: DC LAN Interface 2

Select the Copy button. The feature template is created and is now in the list with the other created feature
templates.

Select the ... menu to the right of the newly created feature template (DC-LAN-INT2) and select Edit to modify the template.

Modify the interface variables.


Once configuration changes have been made, select the Update button to save the changes in the feature template

iv. VPN interface Ethernet Loopback 0

A loopback0 interface is created with the system IP address so that logging, SNMP, and other management traffic
can be sourced from the system IP address, making correlation with vManage easier. This template can be shared
across all device types.

Assuming that you are still on the Feature Templates page, select the Add Template button.

Create the loopback0 interface template using the following device types, template type, template name, and
description:

Select Devices: All except vManage and vSmart
Template: VPN/VPN Interface Ethernet
Template Name: Loopback0
Description: Interface Loopback 0

Select Save to complete the template.

v. Open Shortest Path First (OSPF) Template

Configure OSPF in the Service VPN. In this configuration, OMP is redistributed into OSPF so that the data center
has reachability to the remote sites.

Assuming that you are still on the Feature Templates page, select the Add Template button.

Create the OSPF template using the following device types, template type, template name, and description.

Select Devices: vEdge cloud
Template: Other Templates/OSPF
Template Name: DC-LAN-BGP
Description: DC LAN OSPF

Redistribute OSPF routes into OMP:

Select Redistribute > OMP > Add

Area > New Area > Area Number > 0

Add interfaces ge0/2 & ge0/3.

Select Save.

D) Creating devices Template


In this procedure, you create a device template that references the feature templates just created.
On the vManage GUI, go to Configuration > Templates and ensure the Device tab is selected (the default tab).

Select Create Template and select From Feature Template from the drop-down box.

Select the Device Model (vEdge cloud) from the drop-down box.

Fill in a Template Name (DC-vEdges) and give it a Description (DC MPLS & INET - Static to Transport and BGP to
LAN). By default, the areas in the device template that require feature templates are pre-populated with default
templates.

Under Basic Information next to System, select the feature template vEdge-System from the drop-down box.
Next to Logging, select the feature template Logging from the drop-down box.
For NTP, this feature first needs to be added to the device template. Under Additional System Templates, click
NTP, and select the feature template NTP from the drop-down box.

Next to AAA, select the feature template AAA from the drop-down box.

Under the Transport & Management VPN section, select VPN Interface on the right side under Additional VPN 0
Templates. This adds a second VPN interface under the Transport VPN. Select the newly created feature
templates under the VPN 0 drop-down box and under each VPN Interface drop-down box under VPN 0.

For VPN 512, select the newly created feature template under the VPN 512 drop-down box and under the VPN
Interface drop-down box under VPN 512.

Under the Service VPN section, hover over the + Service VPN text. A window appears with a text box for the
number of service VPNs you want to create.

Select 1 and press return. A VPN drop-down box is added. In the Additional VPN Templates on the right side,
select VPN Interface three times (for the two LAN interfaces and the Loopback0 definition) and select the OSPF
template as well.

Optional additional template

Select Create to create and save the device template.

E) Attaching device templates to DC vEdges 1 & 2

To deploy the device template created to the WAN Edge routers, vManage builds the full configurations based on
the feature templates and then pushes them out to the designated WAN Edge routers. Before the full
configurations can be built and pushed out, you need to first define all variables associated with the feature
templates attached to the device template. There are two ways to do this: either by entering the values of the
variables manually within the GUI, or by uploading a .csv file with a list of the variables and their

Enter values manually

Go to Configuration > Templates and select the Device tab. Find the desired device template (DC-vEdges).
Select the options icon (…) to the right of the template, and select Attach Devices.

A window pops up listing the available devices to be attached to this configuration. The list of available
devices contains either the hostname and IP address of a device if it is known to vManage, or the chassis
serial number of devices that have not yet come up on the network and are unknown to vManage. In any case,
the list contains only the device model that was defined when the template was created (vEdge cloud in this
case).

Select the devices you want to apply the configuration template to, and select the arrow to move the device
from the Available Devices box to the Selected Devices box. You can select multiple devices at one time by
simply clicking each desired device. Select Attach.

i. Edit the device template variables for vEdge1

ii. Edit the device template variables for vEdge2

Click Next.

Click Configure Devices.

Click OK.

The configuration push runs successfully.

F) Final verification of template output from vEdges CLI

i. On vEdge1

Routing table

Control connection

ii. On vEdge2
Routing table & control connection

6 Deployment of vEdges (San Jose) @ Branch

A) Branch details

1 Dual router/TLOC extension/layer 2 trunk LAN switch/VRRP site (Topology)

i. Transport side
San Jose contains two vEdge routers, each with a direct connection to one of the transport providers. This site
has TLOC-extension links between the routers to give each router access to both transports. WAN Edge 1
(labeled vEdge3) runs a static default in the transport VPN to communicate the TLOC-extension link subnet to
the MPLS cloud, so WAN Edge 2 (labeled vEdge2) has reachability to the controllers through the data center and
to other WAN Edge routers on the MPLS transport to form IPsec tunnels. On both routers, static default routes
pointing to the next-hop gateways are configured for tunnel establishment on the MPLS (GigabitEthernet0/0) and
Internet (GigabitEthernet0/0) links. The TLOC-extension interface does not need any special routing
configured, since it routes tunnel and control traffic to the next hop, which is directly connected.

ii. Service side

Each WAN Edge router connects to a LAN switch (labeled SW6 and SW7) via a trunk interface. Only one link on each
WAN Edge router is attached to a single LAN switch; if you configured a link from each WAN Edge router to each
LAN switch, you would need to configure Integrated Routing and Bridging (IRB), which adds complexity.
The trunk links are each configured with two VLANs, VLAN 100 and 200, which translate into two different
sub-interfaces on each WAN Edge router. The physical link, GigabitEthernet0/0/1, is configured in VPN 0, while
each sub-interface is part of the service VPN, VPN 1. With Virtual Router Redundancy Protocol (VRRP), the WAN
Edge routers become the IP gateways for the hosts at the branch. VRRP is configured on each sub-interface with
a .1 host address for the two subnets, 172.17.1.0/24 and 172.17.2.0/24 respectively.

iii. IP details

vEdges IP's details

Hostname   ge0/0 MPLS        ge0/1 Internet     ge0/3 TLOC       g0/2 SW6 Vlan10,20              g0/2 SW7 Vlan10,20
vEdge3     192.168.3.2/30    10.1.1.9/30        10.2.2.9/30      172.18.1.2/24, 172.18.2.2/24    VIP 172.18.1.1 & 2.1
vEdge4     10.2.2.10/30      64.100.103.2/28    10.1.1.10/30     VIP 172.18.1.1 & 2.1            172.18.1.3/24, 172.18.2.3/24

B) Creating Transport feature template of vEdges 3 & 4

i. Branch Transport template VPN 0

One VPN 0 template will be used for all the branch WAN Edge devices, covering both the MPLS and Internet
transports.

Go to Configuration > Templates and select the Feature tab. Select the Add Template button and use the
following parameters to configure the VPN 0 feature template:

Select Devices: vEdge cloud
Template: VPN/VPN
Template Name: Branch VPN0
Description: Branch Transport VPN0

DNS

IPv4 route

Adding next hop

Select Save to complete the template.

ii. Branch MPLS Interface Template

Add a new feature template using the following parameters:

Select Devices: vEdge cloud
Template: VPN/VPN Interface Ethernet
Template Name: Branch-MPLS-Interface
Description: Branch MPLS Interface

IPv4 config

Tunnel config

Allow-services sshd & NTP

IPSec preference

Select Save to create the template.

iii. Branch Internet Interface Template

Template: VPN/VPN Interface Ethernet
Template Name: Branch-INT-Interface
Description: Branch internet Interface

You can copy the Branch-MPLS-Interface template to create Branch-INT-Interface.

Modify the template for the Internet interface.

The remaining parameters are the same as in the MPLS template.

iv. Branch TLOC Extension interface feature template

Devices: vEdge cloud


Template: VPN/VPN Interface Ethernet
Template Name: Branch-TLOC-Extension
Description: Branch TLOC Extension Interface/Sub-interface

C) Branch Service side VPN 1

i. Branch-VPN1
One aggregate prefix for the remote site is advertised into OMP instead of multiple site routes. Note that
even though you can mark this prefix as an optional configuration, once you turn aggregation on, you need
at least one aggregate prefix defined. Redistribute connected is turned on to advertise the loopback
interface for reachability to and from the data center for management.

A static route is configured and marked optional so that it can be used at a branch to reach the LAN segments
behind a layer 3 switch. Instead of redistributing static routes into OMP, the site advertises the aggregate
prefix instead.

1. Add a new feature template using the following parameters:

Devices: vEdge cloud
Template: VPN/VPN
Template Name: Branch-VPN1
Description: Branch VPN1

Select Save to create the template.

ii. Branch-LAN-INT1-VRRP

Add a new feature template using the following parameters:

Devices: vEdge cloud
Template: VPN/VPN Interface Ethernet
Template Name: Branch-LAN-INT1-VRRP
Description: Branch LAN Interface 1 VRRP

iii. Branch-LAN-INT2-VRRP

You can copy Branch-LAN-INT1-VRRP to create Branch-LAN-INT2-VRRP.

Add a new feature template using the following parameters:

Devices: vEdge cloud
Template: VPN/VPN Interface Ethernet
Template Name: Branch-LAN-INT2-VRRP
Description: Branch LAN Interface 2 VRRP

Select Save to create the template.

iv. Branch LAN Parent Interface Template

Add a new feature template using the following parameters:

Devices: vEdge cloud


Template: VPN/VPN Interface Ethernet
Template Name: Branch-LAN-Parent-interface
Description: Branch LAN Parent Interface

Select Save to complete the template.

v. Create the San Jose device templates

Branch-San-Jose-MPLS-TLOC-EXT-VRRP for vEdge3

Select Create Template and select From Feature Template from the drop-down box.

Configure the device template with the following parameters:

Device Model: vEdge Cloud


Template Name: Branch-San-Jose-MPLS-TLOC-EXT-VRRP
Description: Branch Dual WAN Edge Hybrid TLOC Extension with MPLS and LAN-side Trunk and VRRP

Select Create to create and save the template.


vi. Branch-San-Jose-INT-TLOC-EXT-VRRP for vEdge4


Select Create Template and select From Feature Template from the drop-down box.

Configure the device template with the following parameters:

Device Model: vEdge Cloud


Template Name: Branch-San-Jose-INT-TLOC-EXT-VRRP
Description: Branch Dual WAN Edge Hybrid TLOC Extension with INT and LAN-side Trunk and VRRP

D) Attaching device template to vEdge3 & vEdge4

i. On vEdge3

Device variables

ii. On vEdge4

Attaching the device template to vEdge4

E) Verification on vEdges 3 & 4

Routing table & control connection table

7 Deployment of vEdges (New York) @ Branch

A) Branch details

1 Sub-interface TLOC-extension/layer 3 OSPF routing site (Topology)

i. Transport side
In this branch, two vEdge routers are depicted, each with a direct connection to one of the transport
providers. This site has a TLOC-extension link between the vEdge routers to give each vEdge router access to
both transports. The TLOC-extension link utilizes sub-interfaces. vEdge 1 advertises the TLOC-extension link
subnet to the MPLS cloud from the transport VPN, so vEdge2 has reachability to the controllers through the
data center and to other vEdge routers on the MPLS transport to form IPsec tunnels. On both vEdge routers,
static default routes pointing to the next-hop gateways are configured for tunnel establishment on the MPLS
(ge0/0) and Internet (ge0/1) links. The TLOC-extension sub-interface does not need any special routing
configured, since it routes tunnel and control traffic to the next hop, which is directly connected. The
physical links, ge0/1 on vEdge 3 and ge0/0 on vEdge 4, as well as the sub-interfaces, are configured in VPN 0.

ii. Service side

This branch has two vEdge routers connected to a layer 3 switch and running Open Shortest Path First (OSPF)
between them. All devices are in area 0. The vEdge router interfaces are configured for OSPF network type
point-to-point on each interface to the layer 3 switch.

iii. IP details

vEdges IP's details

Hostname   ge0/0 MPLS        ge0/1.20 Internet   ge0/1.10 TLOC   g0/2 SW8
vEdge5     192.168.4.2/30    10.1.1.17/30        10.2.2.13/30    10.1.1.29/30

Hostname   ge0/0 Internet    ge0/0.10 MPLS       ge0/0.20 TLOC   g0/2 SW8
vEdge6     64.100.104.2/30   10.2.2.14/30        10.2.2.18/30    10.1.1.33/30

B) Creating device template of vEdges 5 & 6

i. Creating feature template of LAN side OSPF

Select Save.

C) Creating device template from feature template for vEdges 5 & 6

D) Attaching device templates to vEdge5 & vEdge6

i. Providing variables on vEdge5

ii. Providing variables on vEdge6

E) Verification
I. On vEdges: routing table & control connection

II. Verification on vManage

III. Verification of remote VPNs

Check the routing table of each vEdge. Ping reachability between the VPN1 hosts at each site must succeed.

Example below: Ping from vEdge7 to Host FTP 254 (VPN1)

8 Deployment of vEdge (Las Vegas) @ Branch

A) Branch details

1 Single vEdge/layer 2 trunk LAN (Sub-Interfaces) switch site

I. Transport side
Branch 3 contains one vEdge router, which connects to both the MPLS and Internet transports. A static default
route pointing to the next-hop gateway is configured for tunnel establishment on the Internet (ge0/1) and MPLS
(ge0/0) transports.

II. Service side

The vEdge router at Las Vegas is trunked to a layer 2 switch. The trunk link is configured with two VLANs, VLAN
100 (Employee) and 200 (Guest), which translate into two different sub-interfaces on the vEdge router side. The
physical link, ge0/2, is configured in VPN 0, while each sub-interface is part of the service VPN, VPN 1.

III. IP details

vEdges IP's details

Hostname   ge0/0 Internet    ge0/0.10 MPLS    ge0/0.100 VLAN 100   ge0/0.200 VLAN 200
vEdge7     64.100.105.2/30   192.168.5.2/30   172.19.1.1/24        172.19.2.1/24

B) Creating Device template for Las Vegas vEdge 7

Select Save.

C) Verification on vEdge 7
Routing table & control connection.

9 Deployment of vEdge (New Jersey) @ Branch

A) Branch details

1 Single vEdge/dual WAN/L2 LAN switch

I. Transport side
The branch has one vEdge router, which connects to both the MPLS and Internet transports: MPLS on ge0/0,
Internet on ge0/0, and the LAN side on ge0/2.

II. Service side

The branch has one L2 switch; ge0/2 terminates on the L2 switch.

III. IP details
vEdges IP's details
Hostname   ge0/0 Internet    ge0/1 MPLS       ge0/2 LAN
vEdge9     64.100.107.2/30   192.168.6.2/30   172.20.1.1/24

B) Creating device template for Francisco vEdge8

Select Save.

C) Attaching device template to vEdge8

Select Update, then Next.

D) Verification vEdge8

Routing table & control connection

10 Deployment of vEdge (Francisco) @ Branch

A) Branch details

1 CE router/layer 3 switch/static LAN routing site (Topology)

I. Transport side
Francisco has a single vEdge directly connected to the Internet transport and also connected to a CE router,
which has a connection to the MPLS transport. A static default route pointing to the next-hop gateway is
configured for tunnel establishment on the Internet (ge0/1) and MPLS (ge0/1) transports. The configuration on
the CE router advertises the vEdge MPLS subnet so that the vEdge router has reachability to the other vEdge
routers on the MPLS transport and connectivity to the controllers through the data center.

II. Service side

The vEdge router at Francisco connects to a layer 3 switch, and there is static routing between the LAN switch
and the vEdge router.

III. IP details

vEdges IP's details

Hostname   ge0/0 Internet    ge0/1 MPLS     ge0/2 LAN
vEdge9     64.100.107.2/30   10.1.1.14/30   10.2.2.17/30

B) Creating device template for Francisco vEdge9

C) Attaching device template to vEdge9

D) Verification on vEdge 9
Routing table & control connection

11 Hub & Spoke Policy integration

Objective: Implement a simple hub-and-spoke topology for VPN 1. Site100 must be the next hop for all VPN1
nodes in the lab.

Before we start implementing hub & spoke, let's check how the vEdge7 node reaches the vEdge8 network over
VPN 1.

In vManage, navigate to Monitor > Network.

Select vEdge7. Navigate to Troubleshooting > Connectivity > Trace Route and set the values:

vEdge8 is one hop away.

A) Create Site lists

Navigate to Configuration > Policies. Select the Centralized Policy tab > Add Policy. In the first step,
you define the different lists, which are later referenced in the policy.
Navigate to Site and define seven lists: one for the Hub site (site 100), one for Spoke-Sites23456
(sites 200, 300, 400, 500, 600), Sites100200 (sites 100, 200), Sites400500 (sites 400, 500), and one for
each site.

I. Create VPN lists

Create a VPN list. The policy will apply to the Service VPN, VPN 1. Select VPN on the left, then select New
VPN List. Type in the VPN list name (Service-VPN) and then type 1 in the Add VPN text box. Select Add.
Add another VPN list called ALL-VPNS, with a VPN list of 1-511. Select Add.
Click Next.

B) Create Topology
Click on Add Topology. For a simple hub-and-spoke topology, you can select the preconfigured
Hub-and-Spoke template.
Define the desired topology name and description (example Hub-and-Spoke-VPN1-Topology). Specify the VPN
list to which the policy will be applied. Select Co VPN list.
Associate the Hub site list and Spoke site list you created in the previous steps. Then click Save
Hub-and-Spoke Policy. Click Next.

C) Create Policy
On this page, the centralized policy is named. Type in the Policy Name (Hub-Spoke-Policy) and Policy
Description (Global Policy), and select Save Policy.

I. Config preview CLI

policy
 control-policy control_-1978396596
  sequence 10
   match route
    site-list RTP-HUB-100
    vpn-list Service-VPN1
   !
   action accept
   !
  !
  sequence 20
   match tloc
    site-list RTP-HUB-100
   !
   action accept
   !
  !
  default-action reject
 !
 lists
  site-list RTP-HUB-100
   site-id 100
  !
  site-list Sites23456
   site-id 200
   site-id 300
   site-id 400
   site-id 500
   site-id 600
  !
  vpn-list Service-VPN1
   vpn 1
  !
 !
!
apply-policy
 site-list Sites23456
  control-policy control_-1978396596 out
 !
!
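The following Python model is an added example, not part of the workbook and not vManage or vSmart code. It replays the control policy previewed above the way vSmart applies it, so you can predict what each site will receive before activating the policy. The site numbers, list names and sequence actions are taken from the preview; the prefixes, system IPs and colors in ROUTES and TLOCS are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Union

# Lists exactly as they appear in the policy preview
SITE_LISTS = {
    "RTP-HUB-100": {100},
    "Sites23456": {200, 300, 400, 500, 600},
}
VPN_LISTS = {"Service-VPN1": {1}}


@dataclass(frozen=True)
class OmpRoute:
    prefix: str
    vpn: int
    origin_site: int


@dataclass(frozen=True)
class Tloc:
    system_ip: str
    color: str
    origin_site: int


# control-policy control_-1978396596: first matching sequence wins,
# anything unmatched hits default-action reject
CONTROL_POLICIES = {
    "control_-1978396596": {
        "sequences": [
            {"seq": 10, "match": "route", "site-list": "RTP-HUB-100",
             "vpn-list": "Service-VPN1", "action": "accept"},
            {"seq": 20, "match": "tloc", "site-list": "RTP-HUB-100",
             "action": "accept"},
        ],
        "default-action": "reject",
    }
}
# apply-policy: outbound towards every site in Sites23456; the hub gets no policy
APPLY_POLICY = [
    {"site-list": "Sites23456", "control-policy": "control_-1978396596",
     "direction": "out"},
]


def _matches(seq: dict, obj: Union[OmpRoute, Tloc]) -> bool:
    """A sequence matches when object kind, originating site and (routes only) VPN all match."""
    kind = "route" if isinstance(obj, OmpRoute) else "tloc"
    if seq["match"] != kind:
        return False
    if obj.origin_site not in SITE_LISTS[seq["site-list"]]:
        return False
    if "vpn-list" in seq and obj.vpn not in VPN_LISTS[seq["vpn-list"]]:
        return False
    return True


def evaluate(policy_name: str, obj: Union[OmpRoute, Tloc]) -> str:
    """Return 'accept' or 'reject' for one route or TLOC under the named policy."""
    policy = CONTROL_POLICIES[policy_name]
    for seq in policy["sequences"]:
        if _matches(seq, obj):
            return seq["action"]
    return policy["default-action"]


def advertised_to(site_id: int, objects: list) -> list:
    """Objects vSmart sends to site_id: everything that passes each outbound policy
    applied to that site. A site with no policy applied receives everything."""
    applied = [p["control-policy"] for p in APPLY_POLICY
               if p["direction"] == "out" and site_id in SITE_LISTS[p["site-list"]]]
    return [o for o in objects if all(evaluate(name, o) == "accept" for name in applied)]


# Constructed sample of what vSmart has learnt via OMP (prefixes and system IPs are
# illustrative; only the site numbers come from the policy lists)
ROUTES = [
    OmpRoute("172.16.10.0/24", 1, 100),  # hub service prefix
    OmpRoute("0.0.0.0/0", 1, 100),       # default route the hub originates in section F
    OmpRoute("172.18.1.0/24", 1, 200),
    OmpRoute("172.19.1.0/24", 1, 500),
    OmpRoute("172.20.1.0/24", 1, 600),
]
TLOCS = [
    Tloc("10.200.1.1", "mpls", 100),
    Tloc("10.200.1.1", "biz-internet", 100),
    Tloc("10.200.1.3", "mpls", 200),
    Tloc("10.200.1.7", "biz-internet", 500),
    Tloc("10.200.1.8", "mpls", 600),
]


def site_view(site_id: int) -> dict:
    """Prefixes and TLOC-originating sites a given site ends up with."""
    return {
        "prefixes": [r.prefix for r in advertised_to(site_id, ROUTES)],
        "tloc_sites": sorted({t.origin_site for t in advertised_to(site_id, TLOCS)}),
    }


if __name__ == "__main__":
    for site in (100, 500):
        print(site, site_view(site))
```

Running it shows that a spoke in Sites23456 keeps only the hub's VPN 1 prefixes and the hub's TLOCs, which is why the branch routes disappear from vEdge7 in the verification step and why no spoke-to-spoke IPsec tunnel can form; the hub, having no policy applied, still receives everything. A route from site 100 in another VPN is rejected as well, because sequence 10 is scoped by vpn-list Service-VPN1, so a hub that serves several VPNs needs its own sequence per VPN list.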

D) Policy Activation

Click on the policy options on the right side (…) and select Activate. Confirm activation on the listed
vSmart.

E) Verification on Spoke vEdges

If we check the vEdge7 routing table, we notice that the VPN1 routes to vEdge3 to 6 and 7 are gone. This can
be sorted out by providing a default route to the branches from the hub location.

Verification on vManage

In vManage, navigate to Monitor > Network.

Select vEdge21. Navigate to Troubleshooting > Connectivity > Trace Route.

Set the values: Destination IP (10.200.1.5), VPN (1), Source interface (VPN1): 172.19.1.1.

Node vEdge7 reaches vEdge5 over the hub Site100 vEdge2.

F) Default route originate from Site100 (RTP)

Remote sites are receiving only Site100 routes, and cannot reach other sites via the hub Site100. In this task
we implement default-information originate from Site100.

You can modify the existing feature template DC-LAN-OSPF to push a default route to all vEdges.

Select Update.

Apply the changes to Site100. The default route should appear in the remote sites' routing tables.

12 Local Internet Breakout

Objective: Configure Sites 100, 200 and 500 for local Internet breakout for the Employee & Guest VPN1.

RTP DC Site Internet test.

Open the Host Web server and verify Internet reachability. Use the MATE terminal and ping 1.1.1.1. It is
unsuccessful.

Direct Internet Access Traffic policy

Navigate to vManage. Navigate to Configuration > Policies. Deactivate AAP-POLICY.

A) Create Lists
Press Custom Options > Centralized Policy > Lists.

Define a new Data Prefix List named InternalNetworks, which includes the 172.16.0.0/16, 172.17.0.0/16 and
172.20.0.0/16 prefixes.

B) Create Data Policy

Custom Options > Centralized Policy > Traffic Policy. Tab: Traffic Data. Select Add Policy > Create New.
Define the name and description (example: DIA).

Click Sequence Type and choose Custom.

Add a Sequence Rule. In the first rule, match under Destination Data Prefix all traffic destined to the
corporate 172.16.0.0/16, 172.17.0.0/16, 172.20.0.0/16 and 10.0.0.0/8 prefixes. Set the Accept action for it.
This rule matches all corporate traffic and allows it to be forwarded according to other policies or default
best-path selection. Click Save Match and Actions.

Add another Sequence Rule, which matches the remaining traffic and forwards it towards the Internet. For the
Match statement, do not select any criteria; this acts as the "any" statement. For Action, select Accept and
NAT VPN, which forwards matched traffic via the NAT interface in VPN 0. Click Save Match and Actions.

Edit the Default Action and set it to Accept.

Click Save Data Policy.

C) Edit Global Policy (Local-Internet-Policy)

Navigate to vManage > Configuration > Policies and edit Local-Internet-Policy.
Navigate to Tab: Traffic Rules, Tab: Traffic Data. Add Policy > Import Existing: Local-Internet-Access,
created in the steps above.

Navigate to Policy Applications, select the Traffic Data tab and associate the defined policy with Site100,
Site200 and Site500. For direction, select From All for Site3 and From Service for Site100 and Site200. For
VPN List, select the Guest list VPN1 for all sites. Click Add. Select Preview to analyze the CLI configuration
of the created policy.

Select Save Policy Changes. Click on the options button and activate the policy.

D) Verification

Open the lab window for the host at New Jersey (172.20.1.254, Host1) and verify reachability of 1.1.1.1 from
VPN1, or that you are able to open google.com.
The host must be configured with a static IP, gateway and DNS.

Open the Web server 172.16.20.254 @RTP DC (VPN 1) and verify Internet access using the browser.

Configuring the DNS IP in the FTP & Web Server:

vim /etc/resolv.conf

Press Insert and add:

nameserver 1.1.1.1
nameserver 8.8.8.8

Press Esc, then type :wq

13 Implementing Traffic Engineering (PBR)

Objective: It is asked that access to the Employee VPN 1 server FTP 254 from remote Site500 must prefer the
MPLS (private) WAN link.

Path to FTP server (254) before the policy is applied

Let's check how server FTP is reachable from Site 500.

Navigate to vManage and select Monitor > Network and choose vEdge8.
Select Troubleshooting > Simulate Flows. You will verify the paths between vEdge8 VPN 1 and the prefix
172.16.10.254 advertised from Site 100. Select VPN 10, ge0/2.10 as source interface and enter 172.16.10.254
as destination address. Click Simulate.

You will notice that outgoing traffic flowing from vEdge8 towards Site 100 utilizes both WAN links (mpls and
biz-internet) by default.

A) Create Data Prefix list

Navigate to Configuration > Policies, press Custom Options > Centralized Policy > Lists.

Define a new Data Prefix List named FTP-Server, which includes the 172.16.10.254/32 prefix.

B) Create Traffic Policy

Navigate to Custom Options > Centralized Policy > Traffic Policy.

Select the Traffic Data tab and create a new policy named FTP-Traffic-Policy.

Press Add Sequence Type and select Traffic Engineering.

Press Sequence Rule, select Destination Data Prefix and choose the RTP-FTP-254 data prefix list.

Select the Actions tab, select Local TLOC and choose TLOC Color: mpls.

Save Match and Actions.

Choose the default action and set it to Enable.

Press Save Match and Actions.

Press Save Data Policy.
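The block below is an added example (not from the workbook and not vEdge code) that models the DIA data policy from section 12 and the traffic-engineering policy from this section as ordered sequences, then evaluates constructed flows against them. The prefix lists, sequence order and actions follow the text; the probe addresses and the set of available tunnel colors are assumptions, and the local-TLOC fallback models the non-restrict behaviour the verification step describes (biz-internet is used once the MPLS link is suspended).

```python
import ipaddress

DATA_PREFIX_LISTS = {
    # section 12: InternalNetworks plus the 10.0.0.0/8 prefix matched by the first rule
    "InternalNetworks": ["172.16.0.0/16", "172.17.0.0/16", "172.20.0.0/16", "10.0.0.0/8"],
    # section 13
    "FTP-Server": ["172.16.10.254/32"],
}


def in_prefix_list(list_name: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in DATA_PREFIX_LISTS[list_name])


# A data policy is an ordered list of sequences plus a default action.
# An empty match dict matches any flow (the "any" rule used for DIA).
DIA_POLICY = {
    "sequences": [
        {"match": {"destination-data-prefix-list": "InternalNetworks"},
         "action": {"accept": True}},                    # corporate traffic: normal OMP forwarding
        {"match": {},
         "action": {"accept": True, "nat": "vpn 0"}},    # everything else: breakout via NAT in VPN 0
    ],
    "default-action": "accept",
}

TE_POLICY = {
    "sequences": [
        {"match": {"destination-data-prefix-list": "FTP-Server"},
         "action": {"accept": True, "local-tloc": "mpls"}},   # prefer the mpls TLOC
    ],
    "default-action": "accept",
}


def evaluate(policy: dict, flow: dict) -> dict:
    """First matching sequence wins; otherwise only the default action applies."""
    for seq in policy["sequences"]:
        wanted = seq["match"].get("destination-data-prefix-list")
        if wanted is None or in_prefix_list(wanted, flow["dst"]):
            return seq["action"]
    return {"accept": policy["default-action"] == "accept"}


def forward(action: dict, available_colors: set):
    """Forwarding decision: 'drop', 'nat-vpn0', or the sorted list of tunnel colors used.
    local-tloc is modelled in its non-restrict form: if the preferred color is down the
    flow falls back to every available tunnel instead of being dropped."""
    if not action.get("accept"):
        return "drop"
    if action.get("nat") == "vpn 0":
        return "nat-vpn0"
    preferred = action.get("local-tloc")
    if preferred in available_colors:
        return [preferred]
    return sorted(available_colors)


def decide(policy: dict, dst: str, available_colors: set):
    return forward(evaluate(policy, {"dst": dst}), available_colors)


def internal_traffic_stays_private(policy: dict, probes: list) -> bool:
    """Defender's check: no probe destination inside InternalNetworks may be steered to the
    NAT/DIA path. Re-run it whenever sequence order is edited, because the 'any' rule must
    stay below the corporate rule."""
    return all(decide(policy, ip, {"mpls", "biz-internet"}) != "nat-vpn0"
               for ip in probes if in_prefix_list("InternalNetworks", ip))


# Constructed probe destinations: three internal, two Internet
PROBES = ["172.16.20.254", "172.20.1.254", "10.200.1.5", "1.1.1.1", "8.8.8.8"]
# The same two DIA rules in the wrong order: the 'any' rule would swallow corporate traffic
MISORDERED_DIA = {"sequences": list(reversed(DIA_POLICY["sequences"])), "default-action": "accept"}

if __name__ == "__main__":
    for ip in PROBES:
        print("DIA", ip, decide(DIA_POLICY, ip, {"mpls", "biz-internet"}))
    print("TE both links up ", decide(TE_POLICY, "172.16.10.254", {"mpls", "biz-internet"}))
    print("TE mpls suspended", decide(TE_POLICY, "172.16.10.254", {"biz-internet"}))
    print("ordered policy safe:", internal_traffic_stays_private(DIA_POLICY, PROBES))
    print("misordered policy safe:", internal_traffic_stays_private(MISORDERED_DIA, PROBES))
```

The ordering check is the point worth keeping: with the corporate rule first, internal destinations stay on the overlay and only unmatched traffic is NATed out of VPN 0; with the "any" rule dragged above it, the same prefix lists would send data-center traffic to the Internet interface, which is exactly what the drag-and-drop step in the QoS section can cause if the sequences are reordered carelessly.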

C) Global Policy
Navigate to Tab Traffic Rules / Traffic Data / Add Policy / Import Existing.

Choose the recently created FTP-Traffic-Policy and import it.

Navigate to Tab Policy Application, Traffic Data. Add a new Site List and VPN List.

Select Site500 and Employee VLAN1.

Save Policy Changes.

D) Activate Centralized Policy

Navigate to Configuration > Policies, select FTP-Policy, (…) Activate.

E) Verification
Simulate the traffic flow again; you will notice that only the mpls WAN link is utilized.

Let's simulate a failure of the main MPLS link on vEdge8.

Right-click the vEdge8 link Ge0/0 on the topology and choose the option Suspend Link.

Simulate traffic again; you will see that vEdge8 has chosen the WAN link biz-internet.

Right-click the vEdge8 link Ge0/0 on the topology and choose the option Resume Link.

14 Implementing QoS Policy

Objective: It is asked to apply a QoS policy for the YouTube application at Site100, VPN1 Guest.

A) Create Policy Lists

Press Custom Options > Centralized Policy > Lists.

Press Application > + New Application List. Name: YouTube, Application: choose YouTube from the list.
Press Add.

Navigate to Policer, press + New Policer List. Name: YouTube-policer, Burst: 15000, Exceed: Drop, Rate: 10000.
Press Add.
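As an added example (not from the workbook and not vEdge code), the token-bucket model below shows what the YouTube-policer values mean in practice. It assumes the policer Rate is in bits per second and the Burst in bytes, so the bucket holds 15000 bytes and refills at 1250 bytes per second, and it runs a constructed packet trace through the bucket.

```python
from dataclasses import dataclass, field


@dataclass
class Policer:
    """Single-rate token bucket: burst_bytes is the bucket depth, rate_bps the refill rate."""
    rate_bps: int
    burst_bytes: int
    tokens: float = field(init=False)
    last_seen: float = field(init=False, default=0.0)
    counters: dict = field(default_factory=lambda: {"conform": 0, "exceed": 0})

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)  # bucket starts full

    def offer(self, t: float, size_bytes: int) -> str:
        """Return 'forward' or 'drop' for a packet of size_bytes arriving at time t
        (seconds, non-decreasing across calls)."""
        refill = (t - self.last_seen) * self.rate_bps / 8
        self.tokens = min(float(self.burst_bytes), self.tokens + refill)
        self.last_seen = t
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            self.counters["conform"] += 1
            return "forward"
        self.counters["exceed"] += 1   # Exceed: Drop, as in the YouTube-policer list
        return "drop"


# Constructed trace: (arrival time in seconds, packet size in bytes).
# A 12-packet burst at t=0, two more packets at t=2 s, one after a long idle gap.
TRACE = [(0.0, 1500)] * 12 + [(2.0, 1500)] * 2 + [(14.0, 1500)]


def police(trace=TRACE, rate_bps=10000, burst_bytes=15000) -> dict:
    """Run a trace through a fresh policer and return its conform/exceed counters."""
    p = Policer(rate_bps, burst_bytes)
    for t, size in trace:
        p.offer(t, size)
    return dict(p.counters)


def sustained_bytes_per_second(rate_bps=10000) -> float:
    """Long-run throughput the policer allows once the burst is spent."""
    return rate_bps / 8


if __name__ == "__main__":
    print(police())                       # {'conform': 12, 'exceed': 3}
    print(sustained_bytes_per_second())   # 1250.0
```

With these values the first ten 1500-byte packets pass on the stored burst, the next two are dropped, only one of the two packets arriving two seconds later fits the 2500 bytes refilled in the meantime, and after a twelve-second gap the bucket is full again. Burst therefore controls how much a video player can pull at once, while Rate sets the 10 kbps it is held to afterwards; the counters are what the data-policy-filter counter named YouTube in the next steps lets you read on the vEdge.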

207 | P a g e
CCIE Enterprise Infrastructure: SD-WAN Practice Lab v1.0

B) Create QoS Policy


Navigate again Custom Options and select Traffic Policy. Select Traffic Data tab

Select Local-Internet-Acces, Edit

Press + Sequence Type and select QoS

208 | P a g e
CCIE Enterprise Infrastructure: SD-WAN Practice Lab v1.0

Press + Sequence Rule and select the Application/Application Family tab. Select the YouTube application list.

Select the Actions tab, then Policer. Set Policer list: Youtube-policer and, under Counter, set Counter Name: YouTube.

Save Match and Actions

Drag and drop the QoS sequence above the previously created Custom rule, so that it is evaluated first.

Save Data Policy
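The order of the sequences matters because vSmart evaluates a data policy top down and stops at the first match. The following Python script is an added example (not code from the workbook or from Cisco/Viptela) that simulates this evaluation for the Local-Internet-Access policy as it ends up on vSmart in section 17: the YouTube sequence with its policer, the Internet-ACL accept rule and the catch-all NAT rule, with default-action drop. The token-bucket model of the policer and the packet samples are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Lists as they appear in the vSmart "show run" policy section of this workbook
INTERNET_ACL = [ipaddress.ip_network(p) for p in
                ("10.0.0.0/8", "172.16.0.0/16", "172.17.0.0/16", "172.20.0.0/16")]
YOUTUBE_APPS = {"youtube", "youtube_hd"}


@dataclass
class Packet:
    dst: str     # destination IPv4 address
    app: str     # application as classified by DPI, e.g. "youtube"
    size: int    # bytes


@dataclass
class Policer:
    """Single-rate policer with 'exceed drop'. Token-bucket semantics are an assumption
    of this example: rate refills the bucket in bits/s, burst is the bucket depth in bytes."""
    rate_bps: int
    burst_bytes: int
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self):
        self.tokens, self.last = float(self.burst_bytes), 0.0

    def conform(self, size: int, now: float) -> bool:
        # refill proportionally to elapsed time, never beyond the burst size
        self.tokens = min(self.burst_bytes,
                          self.tokens + (now - self.last) * self.rate_bps / 8)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False          # exceed action: drop


@dataclass
class Sequence:
    seq_id: int
    app_list: Optional[set] = None        # match app-list
    dst_prefixes: Optional[list] = None   # match destination-data-prefix-list
    policer: Optional[str] = None         # action: set policer
    nat: bool = False                     # action: nat use-vpn 0

    def matches(self, pkt: Packet) -> bool:
        if self.app_list is not None and pkt.app not in self.app_list:
            return False
        if self.dst_prefixes is not None:
            addr = ipaddress.ip_address(pkt.dst)
            if not any(addr in net for net in self.dst_prefixes):
                return False
        return True   # source-ip 0.0.0.0/0 matches every packet


def evaluate(sequences, policers, pkt, now=0.0) -> str:
    """First matching sequence wins; no match at all means default-action drop."""
    for seq in sequences:
        if not seq.matches(pkt):
            continue
        if seq.policer and not policers[seq.policer].conform(pkt.size, now):
            return f"seq {seq.seq_id}: drop (policer {seq.policer} exceeded)"
        if seq.nat:
            return f"seq {seq.seq_id}: accept, nat use-vpn 0"
        return f"seq {seq.seq_id}: accept"
    return "default-action: drop"


# Policy as deployed on vSmart: QoS sequence first, then Internet-ACL, then the NAT catch-all
AS_DEPLOYED = [
    Sequence(1, app_list=YOUTUBE_APPS, policer="Youtube-Policer"),
    Sequence(11, dst_prefixes=INTERNET_ACL),
    Sequence(21, nat=True),
]
# The same rules with the QoS sequence left below the custom rules
QOS_LAST = [AS_DEPLOYED[1], AS_DEPLOYED[2], AS_DEPLOYED[0]]


def new_policers():
    # rate 10000, burst 15000, exceed drop: the values from the YouTube-policer list
    return {"Youtube-Policer": Policer(rate_bps=10000, burst_bytes=15000)}


def run_demo():
    """Verdicts for a few constructed packets under both sequence orderings."""
    video = Packet(dst="203.0.113.10", app="youtube", size=1400)       # constructed
    intranet = Packet(dst="10.1.1.1", app="http", size=500)             # constructed
    web = Packet(dst="198.51.100.5", app="http", size=500)              # constructed
    huge_burst = Packet(dst="203.0.113.10", app="youtube", size=16000)  # constructed
    pol = new_policers()
    return {
        "video": evaluate(AS_DEPLOYED, pol, video),
        "intranet": evaluate(AS_DEPLOYED, pol, intranet),
        "web": evaluate(AS_DEPLOYED, pol, web),
        "huge_burst": evaluate(AS_DEPLOYED, pol, huge_burst),
        "video_qos_last": evaluate(QOS_LAST, new_policers(), video),
    }
```

With the QoS sequence left last, YouTube traffic is swallowed by the catch-all NAT sequence and is never policed.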


C) Activate Policy
Navigate to Configuration > Policies, select Local-Internet-Policy and choose (…) > Activate.

D) Verification

Open a web browser on Host1 (the web server host), go to the YouTube site and play a video.

Suspend the MPLS and Internet links on vEdge1 so that the traffic is forced through vEdge2.

Log in to the vEdge2 CLI and issue the command show policy data-policy-filter.
After some time you will see the policy matching the traffic (the YouTube counter increments).

vEdge2# clear policy data-policy


vEdge2# show policy data-policy-filter


15 Implementing Application Aware Routing (AAR) Policy
Application-aware routing policies are configured as part of a centralized policy. They affect traffic on a vEdge router that is flowing from the service (LAN) side to the transport tunnel (WAN) side. Traffic is matched and placed into an SLA class with certain loss, jitter and delay values. The routing behavior is as follows:
Traffic is load-balanced across all tunnels meeting the SLA class. If no tunnels meet the SLA, the traffic is sent through any available tunnel.
If preferred colors are specified in the policy, traffic is sent through the preferred color tunnels as long as the SLA is met. If no tunnels meet the SLA, the traffic is sent through any available tunnel.
If a backup-SLA preferred color is specified, that tunnel is used when there are no paths that meet the SLA. Another path is used if the backup tunnel is unavailable.
A strict keyword can be used in the policy, which means that if no tunnel can meet the SLA, the traffic is dropped.
The policy can be configured with no default action, meaning that if traffic does not match any sequence in the list, it is routed normally according to the routing protocol. Alternatively, this default traffic can be placed into an SLA class.
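The path-selection rules above, simulated in Python as an added example (not code from the workbook or from Cisco/Viptela). It uses the SLA class values defined later in this task (loss 20%, latency 1000 ms, jitter 500 ms) with mpls preferred and biz-internet as backup; the tunnel measurements are constructed sample values standing in for the App Route statistics.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SlaClass:
    name: str
    loss_pct: float
    latency_ms: int
    jitter_ms: int


@dataclass(frozen=True)
class Tunnel:
    color: str
    mean_loss: float     # %
    mean_latency: int    # ms
    mean_jitter: int     # ms
    up: bool = True


def meets_sla(t, sla):
    """A tunnel satisfies the SLA class when all three measurements stay within the limits."""
    return (t.up and t.mean_loss <= sla.loss_pct
            and t.mean_latency <= sla.latency_ms
            and t.mean_jitter <= sla.jitter_ms)


def select_paths(tunnels, sla, preferred=(), backup_preferred=None, strict=False):
    """Returns the tunnels the flow is load-balanced across, following the rules in the
    text above; an empty list means the traffic is dropped (only possible with strict)."""
    available = [t for t in tunnels if t.up]
    compliant = [t for t in available if meets_sla(t, sla)]
    if compliant:
        # preferred colors win as long as at least one of them meets the SLA
        preferred_ok = [t for t in compliant if t.color in preferred]
        return preferred_ok or compliant
    if strict:
        return []
    if backup_preferred is not None:
        # backup-SLA preferred color is used when nothing meets the SLA, if it is up
        backup = [t for t in available if t.color == backup_preferred]
        if backup:
            return backup
    return available


LAB_SLA = SlaClass("Business-Critical-voip-AAR", loss_pct=20, latency_ms=1000, jitter_ms=500)


def chosen_colors(tunnels, **kwargs):
    """Colors selected for DSCP 46 traffic with the lab preference: mpls, backup biz-internet."""
    return [t.color for t in select_paths(tunnels, LAB_SLA, preferred=("mpls",),
                                          backup_preferred="biz-internet", **kwargs)]


def demo():
    """Constructed App Route statistics for the vEdge8 to vEdge1 paths."""
    good_mpls = Tunnel("mpls", mean_loss=0.0, mean_latency=20, mean_jitter=2)
    slow_mpls = Tunnel("mpls", mean_loss=0.0, mean_latency=1200, mean_jitter=2)   # after Edit Quality
    inet = Tunnel("biz-internet", mean_loss=0.0, mean_latency=45, mean_jitter=5)
    lossy_inet = Tunnel("biz-internet", mean_loss=35.0, mean_latency=45, mean_jitter=5)
    inet_down = Tunnel("biz-internet", mean_loss=0.0, mean_latency=45, mean_jitter=5, up=False)
    return {
        "both_meet_sla": chosen_colors([good_mpls, inet]),
        "mpls_violates": chosen_colors([slow_mpls, inet]),
        "both_violate": chosen_colors([slow_mpls, lossy_inet]),
        "both_violate_strict": chosen_colors([slow_mpls, lossy_inet], strict=True),
        "both_violate_backup_down": chosen_colors([slow_mpls, inet_down]),
        "no_preference": [t.color for t in select_paths([good_mpls, inet], LAB_SLA)],
    }
```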

There are three main steps to creating an application-aware routing policy:

1) Create any lists. Create SLA class lists, which include the name of the SLA class and its performance characteristics (latency, loss and jitter); four SLA classes are supported. Create any application lists for traffic to match on and to assign an SLA class to; this lets you group applications so you can reference the group as a whole. Create any site lists, VPN lists or data prefix lists as needed. The routing policy gets applied to a site list and a VPN list; data prefixes can be used for matching traffic within the policy.

2) Create the application-aware routing policy, which consists of matching traffic that gets placed into a specific SLA class.

3) Apply the policy definition to a site list and VPN list.

An example policy is configured in the following steps:

A) Create Policy List

Once a centralized policy is created, it is not possible to build lists by editing the policy; you can only create policy definitions and apply them through the centralized policy configuration. You need to select Custom Options on the main policy page in order to modify or create lists.
In the vManage GUI, go to Configuration > Policies. Select Custom Options in the top right corner of the page and select Lists.
Select SLA Class on the left side and select New SLA Class List. Type in the SLA Class List Name, the Loss (%), the Latency (ms) and the Jitter (ms). Select Add and repeat for all of the SLA classes. Use the following settings:

Application-aware routing policy SLA class list (example)


Task: apply an AAR policy for the voice application (DSCP 46) at Site500, VPN1 Employee hosts.
Voice traffic with DSCP 46 must prefer the MPLS path; the fallback link is biz-internet.

Verify link quality


Select Monitor > Device and choose vEdge8.

Select Real Time and under Device Options type in or select App Routes Statistics. Filter the output to Remote System IP 10.200.1.1. This displays path measurements only between vEdge1 and vEdge8. Note the current Mean Loss, Latency and Jitter values; the policy you configure in the next few steps defines how to react to these measurements.

Create SLA List


In vManage, navigate to Configuration > Policies. Select FTP-POLICY and choose (…) > Deactivate to deactivate FTP-POLICY (only one centralized policy can be active at a time).
Press Custom Options > Centralized Policy > Lists.

Navigate to SLA Class and define a new list. Define the name Business-Critical-voip-AAR and specify Loss 20%, Latency 1000 ms and Jitter 500 ms. Click Add.

Note: The configured values are less strict than real-life voice requirements, to make sure the failover action is triggered in the lab environment.

B) Traffic Policy (AAR Policy)


Navigate again to Custom Options and select Traffic Policy.

Go to Configuration > Policies and ensure the Centralized Policy tab is selected.

Select Add Policy and select Create New.

Under Application Aware Routing choose Add Policy > Create New. Define a name and description (example: VOIP-AAR-Policy). Select Sequence Type and add a Sequence Rule. Traffic for an AAR policy can be matched in several different ways; in this lab exercise you will match VoIP traffic based on DSCP value 46.

Select DSCP and specify the value 46.


Under Actions, first select SLA Class List. Select the Business-Critical-VoIP-APP list you defined previously and specify mpls as Preferred Color. Also specify a Backup SLA Preferred Color, which is used if none of the links fulfils the SLA criteria: select biz-internet.

Click Save Match And Actions. Verify the Default Action; since this is an AAR policy, it does not drop packets. Click Save Application Aware Routing Policy.

C) Global AAR Policy


In vManage, navigate to Configuration > Policies.
Navigate to Traffic Rules > Application Aware Routing > Import Existing and import the policy created in the previous steps.

Navigate back to Policy Application > Application-Aware Routing. Press + New Site List and VPN List. Site List: Site 500; VPN List: Employee VPN1. Press Add.

D) Activation
Activate the policy: navigate to Configuration > Policies, select AAR-POLICY and choose (…) > Activate.

E) BFD Polling template


Navigate to Configuration > Templates. Edit the New Jersey vEdge8 template and add a new BFD feature template. Define the name and description BFD-vEdges and modify the Poll Interval to 5000 ms. Click Update, then push the configuration changes to the devices.

Applying it in the Branch-New-Jersey-L2-Switch template

F) Verification
Navigate to Monitor/Network/vEdge8/Troubleshooting Simulated Flows for vEdge1 and verify the path for packets sourced from VPN1 and headed towards 172.16.10.254 with DSCP marking 46. The path is taken via MPLS.

You will now worsen the performance of the MPLS link connected to vEdge8. Right-click the ge0/1 link connected to vEdge8 and click Edit Quality.

Set Delay to 1000 and click Apply settings at the bottom of the page.

Navigate to Monitor > Events. Since the poll and multiplier timers are configured very aggressively, you will now see multiple App-Route events caused by the SLA violation.

Navigate again to Monitor/Network/vEdge21/Troubleshooting Simulated Flows for vEdge8 and verify the path for packets sourced from VPN11 and headed towards 172.16.10.254 with DSCP marking 46. The path is now taken via biz-internet.

16 Traffic Flow Monitoring with Cflowd


Cflowd monitors traffic flowing through vEdge routers in the overlay network and exports flow information to a collector, where it can be processed by an IPFIX analyzer. For a traffic flow, cflowd periodically sends template reports to the flow collector. These reports contain information about the flow and data extracted from the IP headers of the packets in the flow.

The Viptela cflowd software implements cflowd version 10, as specified in RFC 7011 and RFC 7012. Cflowd version 10
is also called the IP Flow Information Export (IPFIX) protocol.

Cflowd performs 1:1 sampling. Information about all flows is aggregated in the cflowd records; flows are not sampled.
vEdge routers do not cache any of the records that are exported to a collector.

Components of Cflowd
In the Viptela overlay network, you configure cflowd using centralized data policy. As part of the policy, you specify
the location of the collector. By default, flow information is sent to the collector every 60 seconds. You can modify this
and other timers related to how often cflowd templates are refreshed and how often a traffic flow times out.

You can configure a maximum of four cflowd policies. The Viptela software can export template records to a
maximum of four cflowd collectors. When you configure a new data policy that changes which flows are sampled, the
software allows the old flows to expire gracefully rather than deleting them all at once.

The vEdge router exports template records and data records to a collector. The template record is used by the collector to parse the data records that are exported to it; option templates are not supported. The source IP address of the packet carrying the IPFIX records is randomly selected from any of the interfaces in the VPN. The flow records are exported over TCP or UDP connections. Records are not anonymized and the export is not TLS-encrypted, because the collector and the IPFIX analyzer are both assumed to be located within the data center, and traffic traveling within the data center is assumed to be safe.
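To make the template/data-record relationship concrete, here is an added Python example (not the workbook's or Viptela's code) of a minimal IPFIX version 10 collector: it caches template records per observation domain, decodes data records only once their template is known, and counts data sets that arrive before their template, which is what the template-refresh timer guards against. The information elements, flows and addresses in it are constructed sample values.

```python
import socket
import struct

# IPFIX information element ids used by the constructed template (RFC 7012 registry)
IE_NAMES = {8: "sourceIPv4Address", 12: "destinationIPv4Address",
            7: "sourceTransportPort", 11: "destinationTransportPort",
            4: "protocolIdentifier", 1: "octetDeltaCount"}
TEMPLATE_ID = 256                                               # data set ids >= 256 name a template
TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 8)]   # (ie id, field length in bytes)


def decode_field(ie_id, raw):
    """IPv4 addresses are rendered dotted, every other field as a big-endian integer."""
    return socket.inet_ntoa(raw) if ie_id in (8, 12) else int.from_bytes(raw, "big")


class IpfixCollector:
    """Minimal collector: a data record can only be decoded with its template,
    so templates are cached per (observation domain, template id)."""

    def __init__(self):
        self.templates = {}
        self.orphaned = 0          # data sets skipped because their template was not seen yet

    def feed(self, msg: bytes):
        version, length, _export_time, _seq, domain = struct.unpack("!HHIII", msg[:16])
        if version != 10 or length != len(msg):
            raise ValueError("not a well-formed IPFIX (cflowd version 10) message")
        flows, off = [], 16
        while off + 4 <= length:
            set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
            if set_len < 4:
                raise ValueError("corrupt set length")
            body = msg[off + 4:off + set_len]
            if set_id == 2:                      # template set
                self._parse_templates(domain, body)
            elif set_id >= 256:                  # data set
                flows.extend(self._parse_data(domain, set_id, body))
            # set id 3 (options templates) is not exported by vEdge and is ignored here
            off += set_len
        return flows

    def _parse_templates(self, domain, body):
        off = 0
        while off + 4 <= len(body):
            tid, count = struct.unpack("!HH", body[off:off + 4])
            off += 4
            if count == 0:                       # trailing padding
                break
            fields = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4]) for i in range(count)]
            off += 4 * count                     # enterprise-specific IEs are not handled here
            self.templates[(domain, tid)] = fields

    def _parse_data(self, domain, tid, body):
        template = self.templates.get((domain, tid))
        if template is None:
            self.orphaned += 1
            return []
        rec_len = sum(length for _, length in template)
        flows, off = [], 0
        while off + rec_len <= len(body):
            record = {}
            for ie_id, length in template:
                record[IE_NAMES.get(ie_id, f"ie{ie_id}")] = decode_field(ie_id, body[off:off + length])
                off += length
            flows.append(record)
        return flows


def build_message(domain, with_template, flows, seq=1):
    """Builds an export message: an optional template set followed by one data set."""
    sets = b""
    if with_template:
        rec = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE)) + b"".join(struct.pack("!HH", *f) for f in TEMPLATE)
        sets += struct.pack("!HH", 2, 4 + len(rec)) + rec
    data = b"".join(socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HHBQ", sp, dp, proto, octets)
                    for src, dst, sp, dp, proto, octets in flows)
    sets += struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data
    return struct.pack("!HHIII", 10, 16 + len(sets), 0, seq, domain) + sets


def demo():
    """Constructed flows: a data set arriving before its template is skipped,
    the same data after a template refresh decodes. Returns (orphaned, first, second)."""
    sample = [("172.16.10.10", "172.16.20.254", 51514, 21, 6, 4096),   # constructed FTP flow
              ("172.16.10.10", "8.8.8.8", 40001, 53, 17, 120)]         # constructed DNS flow
    collector = IpfixCollector()
    first = collector.feed(build_message(100, False, sample))
    second = collector.feed(build_message(100, True, sample, seq=2))
    return collector.orphaned, first, second
```

Because the export is plain UDP without TLS, the collector also has no way to authenticate the exporter; this parser trusts whatever arrives, which is only acceptable on the data-center segment the text describes.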

A) Create Traffic Policy

Under the Cflowd tab


B) Applying the policy to Local-Internet-Access


C) Policy activation

D) Verification
Check the output of the following commands on vEdge1 or vEdge2:
show policy from-vsmart cflowd-template
show app cflowd flow-count
show app cflowd flows


17 Final CLI output of all vEdges & vSmart controller

1) vSmart.

vsmart# sh run
system
host-name vsmart
system-ip 10.200.1.11
site-id 700
admin-tech-on-failure
sp-organization-name "viptela sdwan"
organization-name "viptela sdwan"
vbond 10.10.0.3
aaa
auth-order local radius tacacs
usergroup basic
task system read write
task interface read write
!
usergroup netadmin
!
usergroup operator
task system read
task interface read
task policy read
task routing read
task security read
!
user admin
password $6$siwKBQ==$wT2lUa9BSreDPI6gB8sl4E6PAJoVXgMbgv/whJ8F1C6sWdRazdxorYYTLrL6syiG6qnLABTnrE96HJiKF6QRq1
!
!
logging
disk
enable
!
!
!
omp
no shutdown
graceful-restart
!
vpn 0
interface eth0
description Trasnport
ip address 10.10.0.4/24
tunnel-interface


color mpls
allow-service dhcp
allow-service dns

allow-service icmp
no allow-service sshd
no allow-service netconf
no allow-service ntp
no allow-service stun
!
no shutdown
!
ip route 0.0.0.0/0 10.10.0.1
!
vpn 512
!
policy
data-policy _Service-VPN1_Local-I_1804088537
vpn-list Service-VPN1
sequence 1
match
source-ip 0.0.0.0/0
app-list youtube
!
action accept
count youtube_-2013586706
set
policer Youtube-Policer
!
!
!
sequence 11
match
destination-data-prefix-list Internet-ACL
!
action accept
!
!
sequence 21
match
source-ip 0.0.0.0/0
!
action accept
nat use-vpn 0
!
!
default-action drop
policer Youtube-Policer
rate 10000
burst 15000
exceed drop
!
cflowd-template Cflowd-Policy
flow-active-timeout 30
flow-inactive-timeout 10

template-refresh 60
flow-sampling-interval 10
collector vpn 1 address 172.16.20.254 port 13322 transport transport_udp source-interface loopback0
!
lists
vpn-list Service-VPN1
vpn 1
!
data-prefix-list Internet-ACL
ip-prefix 10.0.0.0/8
ip-prefix 172.16.0.0/16
ip-prefix 172.17.0.0/16
ip-prefix 172.20.0.0/16
!
app-list youtube
app youtube
app youtube_hd
!
site-list Franscisco-600
site-id 600
!
site-list Las-Vegas-400
site-id 400
!
site-list New-Jursey-500
site-id 500
!
site-list RTP-HUB-100
site-id 100
apply-policy
site-list Franscisco-600
data-policy _Service-VPN1_Local-I_1804088537 from-service
!
site-list Las-Vegas-400
data-policy _Service-VPN1_Local-I_1804088537 from-service
cflowd-template Cflowd-Policy
!
site-list New-Jursey-500
data-policy _Service-VPN1_Local-I_1804088537 from-service
cflowd-template Cflowd-Policy
!
site-list RTP-HUB-100
data-policy _Service-VPN1_Local-I_1804088537 from-service
cflowd-template Cflowd-Policy


2) vEdge1
vedge1# sh run
system
host-name vedge1
system-ip 10.200.1.1
site-id 100
admin-tech-on-failure
no route-consistency-check
sp-organization-name "viptela sdwan"
organization-name "viptela sdwan"
clock timezone America/Los_Angeles
console-baud-rate 9600
vbond 10.10.0.3
aaa
auth-order local radius tacacs
usergroup basic
task system read write
task interface read write
!
usergroup netadmin
!
usergroup operator
task system read
task interface read
task policy read
task routing read
task security read
!
user admin
password $6$b0Jypw==$AvlWgs2a6J4XlTK.5ry1.idmALj.kgkPsoyApbK3.6NeUl/SC5QLSbQBGo16B4D//cldYmDpyQ5TvQOXEc/zE0
!
user netadmin1
password $6$b5PCHw==$fVhuSaCIemWW90pzMchDYdJ1UcuFC.hfFlwPxD8Wod7IJ8L1PM1viAN5jg06culKyIsptP9A0Dz01Mfw.wWSL.
group netadmin
!
!
logging
disk
enable
!
server 172.16.10.253
vpn 1
source-interface loopback0
exit
!


ntp
server 192.168.10.1
version 4
exit
!
!
omp
no shutdown
graceful-restart
advertise connected
advertise static
!
security
ipsec
authentication-type sha1-hmac ah-sha1-hmac
!
!
banner
login "MOTD Banner"
motd "This is a private network. It is for authorized use only."
!
vpn 0
name "Transport VPN"
dns 1.1.1.1 primary
dns 8.8.8.8 secondary
interface ge0/0
description "MPLS Interface"
ip address 192.168.1.2/30
tunnel-interface
encapsulation ipsec preference 0
color mpls restrict
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
allow-service sshd
no allow-service netconf
allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
!
no shutdown
interface ge0/1
description "Internet Interface"
ip address 64.100.101.2/28
nat
!
tunnel-interface
encapsulation ipsec preference 0

color biz-internet
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
allow-service sshd
no allow-service netconf
allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
!
no shutdown
!
ip route 0.0.0.0/0 64.100.101.1
ip route 0.0.0.0/0 192.168.1.1
!
vpn 1
name "Service VPN 1"
router
ospf
auto-cost reference-bandwidth 100000
default-information originate always
timers spf 200 1000 10000
redistribute omp
area 0
interface ge0/2
network point-to-point
exit
interface ge0/3
network point-to-point
exit
exit
!
interface ge0/2
description LAN-INT1
ip address 10.1.1.1/30
no shutdown
!
interface ge0/3
description LAN-INT2
ip address 10.2.2.1/30
no shutdown
!
interface loopback0
ip address 10.200.1.1/32
no shutdown
!
omp
advertise ospf external

!
!
vpn 512
interface eth0
description Management
no shutdown

3) vEdge2

vedge2# sh run
system
host-name vedge2
system-ip 10.200.1.2
site-id 100
admin-tech-on-failure
no route-consistency-check
sp-organization-name "viptela sdwan"
organization-name "viptela sdwan"
clock timezone America/Los_Angeles
console-baud-rate 9600
vbond 10.10.0.3
aaa
auth-order local radius tacacs
usergroup basic
task system read write
task interface read write
!
usergroup netadmin
!
usergroup operator
task system read
task interface read
task policy read
task routing read
task security read
!
user admin
password $6$b0Jypw==$AvlWgs2a6J4XlTK.5ry1.idmALj.kgkPsoyApbK3.6NeUl/SC5QLSbQBGo16B4D//cldYmDpyQ5TvQOXEc/zE0
!
user netadmin1
password $6$b5PCHw==$fVhuSaCIemWW90pzMchDYdJ1UcuFC.hfFlwPxD8Wod7IJ8L1PM1viAN5jg06culKyIsptP9A0Dz01Mfw.wWSL.
group netadmin
!
!
logging
disk
enable

!
server 172.16.10.253
vpn 1
source-interface loopback0
exit
!
ntp
server 192.168.10.1
version 4
exit
!
!
omp
no shutdown
graceful-restart
advertise connected
advertise static
!
security
ipsec
authentication-type sha1-hmac ah-sha1-hmac
!
!
banner
login "MOTD Banner"
motd "This is a private network. It is for authorized use only."
!
vpn 0
name "Transport VPN"
dns 1.1.1.1 primary
dns 8.8.8.8 secondary
interface ge0/0
description "MPLS Interface"
ip address 192.168.2.2/30
tunnel-interface
encapsulation ipsec preference 0
color mpls restrict
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
allow-service sshd
no allow-service netconf
allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
!
no shutdown
!
interface ge0/1
description "Internet Interface"
ip address 64.100.102.2/28
nat
!

tunnel-interface
encapsulation ipsec preference 0
color biz-internet
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
allow-service sshd
no allow-service netconf
allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
!
no shutdown
!
ip route 0.0.0.0/0 64.100.102.1
ip route 0.0.0.0/0 192.168.2.1
!
vpn 1
name "Service VPN 1"
router
ospf
auto-cost reference-bandwidth 100000
default-information originate always
timers spf 200 1000 10000
redistribute omp
area 0
interface ge0/2
network point-to-point
exit
interface ge0/3
network point-to-point
exit
exit
!
!
interface ge0/2
description LAN-INT1
ip address 10.1.1.5/30
no shutdown
!
interface ge0/3
description LAN-INT2
ip address 10.2.2.5/30
no shutdown
!
interface loopback0
ip address 10.200.1.2/32
no shutdown
!
omp
advertise ospf external
!
!

vpn 512
interface eth0
description Management
no shutdown
!

4) vEdge3
vedge3# sh run
system
host-name vedge3
system-ip 10.200.1.3
site-id 200
admin-tech-on-failure
no route-consistency-check
sp-organization-name "viptela sdwan"
organization-name "viptela sdwan"
clock timezone America/Los_Angeles
console-baud-rate 9600
vbond 10.10.0.3
aaa
auth-order local radius tacacs
usergroup basic
task system read write
task interface read write
!
usergroup netadmin
!
usergroup operator
task system read
task interface read
task policy read
task routing read
task security read
!
user admin
password $6$b0Jypw==$AvlWgs2a6J4XlTK.5ry1.idmALj.kgkPsoyApbK3.6NeUl/SC5QLSbQBGo16B4D//cldYmDpyQ5TvQOXEc/zE0
!
user netadmin1
password $6$b5PCHw==$fVhuSaCIemWW90pzMchDYdJ1UcuFC.hfFlwPxD8Wod7IJ8L1PM1viAN5jg06culKyIsptP9A0Dz01Mfw.wWSL.
group netadmin
!
!
logging
disk
enable
!
server 172.16.10.253
vpn 1


source-interface loopback0
exit
!
ntp
server 192.168.10.1
version 4
exit
!
!
omp
no shutdown
graceful-restart
advertise connected
advertise static
!
security
ipsec
authentication-type sha1-hmac ah-sha1-hmac
!
!
banner
login "MOTD Banner"
motd "This is a private network. It is for authorized use only."
!
vpn 0
name "Transport VPN"
dns 1.1.1.1 primary
dns 8.8.8.8 secondary
interface ge0/0
description "MPLS Interface"
ip address 192.168.3.2/30
tunnel-interface
encapsulation ipsec preference 0
color mpls restrict
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
allow-service sshd
no allow-service netconf
allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
!
no shutdown
!
interface ge0/1
description "internet Interface"
ip address 10.1.1.9/30
nat
!
tunnel-interface
encapsulation ipsec preference 0
color biz-internet

no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
allow-service sshd
no allow-service netconf
allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
!
no shutdown
!
interface ge0/2
description "LAN Parent Interface"
mtu 1504
no shutdown
!
interface ge0/3
description "TLOC Extension Interface"
ip address 10.2.2.9/30
tloc-extension ge0/0
no shutdown
!
ip route 0.0.0.0/0 10.1.1.10
ip route 0.0.0.0/0 192.168.3.1
!
vpn 1
name "Service VPN"
ecmp-hash-key layer4
interface ge0/2.100
description LAN-Interface1
ip address 172.17.1.2/24
no shutdown
vrrp 100
priority 200
ipv4 172.17.1.1
!
!
interface ge0/2.200
description LAN-Interface2
ip address 172.17.2.2/24
no shutdown
vrrp 200
priority 200
ipv4 172.17.2.1
!
!
interface loopback0
ip address 10.200.1.3/32
no shutdown
!
omp
advertise ospf external
advertise connected

advertise static
!
!
vpn 512
interface eth0
description Management
no shutdown
!

5) vEdge4
vedge4# sh run
system
host-name vedge4
system-ip 10.200.1.4
site-id 200
admin-tech-on-failure
no route-consistency-check
sp-organization-name "viptela sdwan"
organization-name "viptela sdwan"
clock timezone America/Los_Angeles
console-baud-rate 9600
vbond 10.10.0.3
aaa
auth-order local radius tacacs
usergroup basic
task system read write
task interface read write
!
usergroup netadmin
!
usergroup operator
task system read
task interface read
task policy read
task routing read
task security read
!
user admin
password $6$b0Jypw==$AvlWgs2a6J4XlTK.5ry1.idmALj.kgkPsoyApbK3.6NeUl/SC5QLSbQBGo16B4D//cldYmDpyQ5TvQOXEc/zE0
!
user netadmin1
password $6$b5PCHw==$fVhuSaCIemWW90pzMchDYdJ1UcuFC.hfFlwPxD8Wod7IJ8L1PM1viAN5jg06culKyIsptP9A0Dz01Mfw.wWSL.
group netadmin
!
!
logging
disk
enable
!
server 172.16.10.253

vpn 1
source-interface loopback0
exit
!
ntp
server 192.168.10.1
version 4
exit
!
!
omp
no shutdown
graceful-restart
advertise connected
advertise static
!
security
ipsec
authentication-type sha1-hmac ah-sha1-hmac
!
!
banner
login "MOTD Banner"
motd "This is a private network. It is for authorized use only."
!
vpn 0
name "Transport VPN"
dns 1.1.1.1 primary
dns 8.8.8.8 secondary
interface ge0/0
description "MPLS Interface"
ip address 10.2.2.10/30
tunnel-interface
encapsulation ipsec preference 0
color mpls restrict
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
allow-service sshd
no allow-service netconf
allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
!
no shutdown
!
interface ge0/1
description "internet Interface"
ip address 64.100.103.2/28
nat
!
tunnel-interface
encapsulation ipsec preference 0

color biz-internet
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
allow-service sshd
no allow-service netconf
allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
!
no shutdown
!
interface ge0/2
description "LAN Parent Interface"
mtu 1504
no shutdown
!
interface ge0/3
description "TLOC Extension Interface"
ip address 10.1.1.10/30
tloc-extension ge0/1
no shutdown
!
ip route 0.0.0.0/0 10.2.2.9
ip route 0.0.0.0/0 64.100.103.1
!
vpn 1
name "Service VPN"
ecmp-hash-key layer4
interface ge0/2.100
description LAN-Interface1
ip address 172.17.1.3/24
no shutdown
vrrp 100
ipv4 172.17.1.1
!
!
interface ge0/2.200
description LAN-Interface2
ip address 172.17.2.3/24
no shutdown
vrrp 200
ipv4 172.17.2.1
!
!
interface loopback0
ip address 10.200.1.4/32
no shutdown
!
omp
advertise ospf external
advertise connected
advertise static

!
!
vpn 512
interface eth0
description Management
no shutdown
!
!
vedge4#

6) vEdge5

vedge5# sh run
system
host-name vedge5
system-ip 10.200.1.5
site-id 300
admin-tech-on-failure
no route-consistency-check
sp-organization-name "viptela sdwan"
organization-name "viptela sdwan"
clock timezone America/Los_Angeles
console-baud-rate 9600
vbond 10.10.0.3
aaa
auth-order local radius tacacs
usergroup basic
task system read write
task interface read write
!
usergroup netadmin
!
usergroup operator
task system read
task interface read
task policy read
task routing read
task security read
!
user admin
password $6$b0Jypw==$AvlWgs2a6J4XlTK.5ry1.idmALj.kgkPsoyApbK3.6NeUl/SC5QLSbQBGo16B4D//cldYmDpyQ5TvQOXEc/zE0
!
user netadmin1
password $6$b5PCHw==$fVhuSaCIemWW90pzMchDYdJ1UcuFC.hfFlwPxD8Wod7IJ8L1PM1viAN5jg06culKyIsptP9A0Dz01Mfw.wWSL.
group netadmin
!
!
logging

disk
enable
!
server 172.16.10.253
vpn 1
source-interface loopback0
exit
!
!
omp
no shutdown
graceful-restart
advertise connected
advertise static
!
security
ipsec
authentication-type sha1-hmac ah-sha1-hmac
!
!
banner
login "MOTD Banner"
motd "This is a private network. It is for authorized use only."
!
vpn 0
name "Transport VPN"
dns 1.1.1.1 primary
dns 8.8.8.8 secondary
interface ge0/0
description "MPLS Interface"
ip address 192.168.4.2/30
tunnel-interface
encapsulation ipsec preference 0
color mpls restrict
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
allow-service sshd
no allow-service netconf
allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
!
no shutdown
!
interface ge0/1
description "LAN Parent Interface"
mtu 1504
no shutdown
!
interface ge0/1.10
description "internet Interface"
ip address 10.1.1.17/30

nat
!
tunnel-interface
encapsulation ipsec preference 0
color biz-internet
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
allow-service sshd
no allow-service netconf
allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
!
no shutdown
!
interface ge0/1.20
description "TLOC Extension Interface"
ip address 10.2.2.13/30
tloc-extension ge0/0
no shutdown
!
ip route 0.0.0.0/0 10.1.1.18
ip route 0.0.0.0/0 192.168.4.1
!
vpn 1
name "Service VPN"
ecmp-hash-key layer4
router
ospf
auto-cost reference-bandwidth 100000
timers spf 200 1000 10000
redistribute omp
area 0
interface ge0/2
network point-to-point
exit
exit
!
!
interface ge0/2
description "OSPF Interface"
ip address 10.1.1.29/30
no shutdown
!
interface loopback0
ip address 10.200.1.5/32
no shutdown
!
omp
advertise ospf external
advertise connected
advertise static

!
!
vpn 512
interface eth0
description Management
no shutdown

7) vEdge6
vedge6# sh run
system
host-name vedge6
system-ip 10.200.1.6
site-id 300
admin-tech-on-failure
no route-consistency-check
sp-organization-name "viptela sdwan"
organization-name "viptela sdwan"
clock timezone America/Los_Angeles
console-baud-rate 9600
vbond 10.10.0.3
aaa
auth-order local radius tacacs
usergroup basic
task system read write
task interface read write
!
usergroup netadmin
!
usergroup operator
task system read
task interface read
task policy read
task routing read
task security read
!
user admin
password $6$b0Jypw==$AvlWgs2a6J4XlTK.5ry1.idmALj.kgkPsoyApbK3.6NeUl/SC5QLSbQBGo16B4D//cldYmDpyQ5TvQOXEc/zE0
!
user netadmin1
password $6$b5PCHw==$fVhuSaCIemWW90pzMchDYdJ1UcuFC.hfFlwPxD8Wod7IJ8L1PM1viAN5jg06culKyIsptP9A0Dz01Mfw.wWSL.
group netadmin
!
!
logging
disk
enable
!
server 172.16.10.253
vpn 1

source-interface loopback0
exit
!
!
omp
no shutdown
graceful-restart
advertise connected
advertise static
!
security
ipsec
authentication-type sha1-hmac ah-sha1-hmac
!
!
banner
login "MOTD Banner"
motd "This is a private network. It is for authorized use only."
!
vpn 0
name "Transport VPN"
dns 1.1.1.1 primary
dns 8.8.8.8 secondary
interface ge0/0
description "LAN Parent Interface"
mtu 1504
no shutdown
!
interface ge0/0.10
description "TLOC Extension Interface"
ip address 10.1.1.18/30
tloc-extension ge0/1
no shutdown
!
interface ge0/0.20
description "MPLS Interface"
ip address 10.2.2.14/30
tunnel-interface
encapsulation ipsec preference 0
color mpls restrict
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
allow-service sshd
no allow-service netconf
allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
!
no shutdown
!
interface ge0/1
description "internet Interface"

ip address 64.100.104.2/28
nat
!
tunnel-interface
encapsulation ipsec preference 0
color biz-internet
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
allow-service sshd
no allow-service netconf
allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
!
no shutdown
!
ip route 0.0.0.0/0 10.2.2.13
ip route 0.0.0.0/0 64.100.104.1
!
vpn 1
name "Service VPN"
ecmp-hash-key layer4
router
ospf
auto-cost reference-bandwidth 100000
timers spf 200 1000 10000
redistribute omp
area 0
interface ge0/2
network point-to-point
exit
exit
!
!
interface ge0/2
description "OSPF Interface"
ip address 10.1.1.33/30
no shutdown
!
interface loopback0
ip address 10.200.1.6/32
no shutdown
!
omp
advertise ospf external
advertise connected
advertise static
!
!
vpn 512
interface eth0
description Management

no shutdown

8) vEdge7
vedge7# sh run
system
host-name vedge7
system-ip 10.200.1.7
site-id 400
admin-tech-on-failure
no route-consistency-check
sp-organization-name "viptela sdwan"
organization-name "viptela sdwan"
clock timezone America/Los_Angeles
console-baud-rate 9600
vbond 10.10.0.3
aaa
auth-order local radius tacacs
usergroup basic
task system read write
task interface read write
!
usergroup netadmin
!
usergroup operator
task system read
task interface read
task policy read
task routing read
task security read
!
user admin
password $6$b0Jypw==$AvlWgs2a6J4XlTK.5ry1.idmALj.kgkPsoyApbK3.6NeUl/SC5QLSbQBGo16B4D//cldYmDpyQ5TvQOXEc/zE0
!
user netadmin1
password $6$b5PCHw==$fVhuSaCIemWW90pzMchDYdJ1UcuFC.hfFlwPxD8Wod7IJ8L1PM1viAN5jg06culKyIsptP9A0Dz01Mfw.wWSL.
group netadmin
!
!
logging
disk
enable
!
server 172.16.10.253
vpn 1
source-interface loopback0
exit
!
!
omp

no shutdown
graceful-restart
advertise connected
advertise static
!
security
ipsec
authentication-type sha1-hmac ah-sha1-hmac
!
!
banner
login "MOTD Banner"
motd "This is a private network. It is for authorized use only."
!
vpn 0
name "Transport VPN"
dns 1.1.1.1 primary
dns 8.8.8.8 secondary
interface ge0/0
description "MPLS Interface"
ip address 192.168.5.2/30
tunnel-interface
encapsulation ipsec preference 0
color mpls restrict
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
allow-service sshd
no allow-service netconf
allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
!
no shutdown
!
interface ge0/1
description "internet Interface"
ip address 64.100.105.2/28
nat
!
tunnel-interface
encapsulation ipsec preference 0
color biz-internet
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
allow-service sshd
no allow-service netconf
allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
!
no shutdown
!
interface ge0/2
description "LAN Parent Interface"
mtu 1504
no shutdown
!
ip route 0.0.0.0/0 64.100.105.1
ip route 0.0.0.0/0 192.168.5.1
!
vpn 1
name "Service VPN"
ecmp-hash-key layer4
interface ge0/2.10
description "VLAN 100"
ip address 172.19.1.1/24
no shutdown
!
interface ge0/2.20
description "VLAN 200"
ip address 172.19.2.1/24
no shutdown
!
interface loopback0
ip address 10.200.1.7/32
no shutdown
!
omp
advertise ospf external
advertise connected
advertise static
!
!
vpn 512
interface eth0
description Management
no shutdown

9) vEdge 8
vedge8# sh run
system
host-name vedge8
system-ip 10.200.1.8
site-id 500
admin-tech-on-failure
no route-consistency-check
sp-organization-name "viptela sdwan"
organization-name "viptela sdwan"
clock timezone America/Los_Angeles
console-baud-rate 9600
vbond 10.10.0.3
aaa
auth-order local radius tacacs
usergroup basic
task system read write
task interface read write
!
usergroup netadmin
!
usergroup operator
task system read
task interface read
task policy read
task routing read
task security read
!
user admin
password
$6$b0Jypw==$AvlWgs2a6J4XlTK.5ry1.idmALj.kgkPsoyApbK3.6NeUl/SC5QLSbQBGo16B4D//cldYmDpyQ5TvQOXEc/zE0
!
user netadmin1
password
$6$b5PCHw==$fVhuSaCIemWW90pzMchDYdJ1UcuFC.hfFlwPxD8Wod7IJ8L1PM1viAN5jg06culKyIsptP9A0Dz01Mfw.wWSL.
group netadmin
!
!
logging
disk
enable
!
server 172.16.10.253
vpn 1
source-interface loopback0
exit
!
ntp
server 192.168.10.1
version 4
exit
!
!
bfd app-route poll-interval 5000
omp
no shutdown
graceful-restart
advertise connected
advertise static
!
security
ipsec
authentication-type sha1-hmac ah-sha1-hmac
!
!
banner
login "MOTD Banner"
motd "This is a private network. It is for authorized use only."
!
vpn 0
name "Transport VPN"
dns 1.1.1.1 primary
dns 8.8.8.8 secondary
interface ge0/0
description "MPLS Interface"
ip address 192.168.6.2/30
tunnel-interface
encapsulation ipsec preference 0
color mpls restrict
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
allow-service sshd
no allow-service netconf
allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
!
no shutdown
!
interface ge0/1
description "internet Interface"
ip address 64.100.106.2/28
nat
!
tunnel-interface
encapsulation ipsec preference 0
color biz-internet
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
allow-service sshd
no allow-service netconf
allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
!
no shutdown
!
ip route 0.0.0.0/0 64.100.106.1
ip route 0.0.0.0/0 192.168.6.1
!
vpn 1
name "Service VPN"
ecmp-hash-key layer4
interface ge0/2
description "LAN interface"
ip address 172.20.1.1/24
no shutdown
!
interface loopback0
ip address 10.200.1.8/32
no shutdown
!
omp
advertise ospf external
advertise connected
advertise static
!
!
vpn 512
interface eth0
description Management
no shutdown

10) vEdge 9
vedge9# sh run
system
host-name vedge9
system-ip 10.200.1.9
site-id 600
admin-tech-on-failure
no route-consistency-check
sp-organization-name "viptela sdwan"
organization-name "viptela sdwan"
clock timezone America/Los_Angeles
console-baud-rate 9600
vbond 10.10.0.3
aaa
auth-order local radius tacacs
usergroup basic
task system read write
task interface read write
!
usergroup netadmin
!
usergroup operator
task system read
task interface read
task policy read
task routing read
task security read
!
user admin
password
$6$b0Jypw==$AvlWgs2a6J4XlTK.5ry1.idmALj.kgkPsoyApbK3.6NeUl/SC5QLSbQBGo16B4D//cldYmDpyQ5TvQOXEc/zE0
!
user netadmin1
password
$6$b5PCHw==$fVhuSaCIemWW90pzMchDYdJ1UcuFC.hfFlwPxD8Wod7IJ8L1PM1viAN5jg06culKyIsptP9A0Dz01Mfw.wWSL.
group netadmin
!
!
logging
disk
enable
!
server 172.16.10.253
vpn 1
source-interface loopback0
exit
!
ntp
server 192.168.10.1
version 4
exit
!
!
omp
no shutdown
graceful-restart
advertise connected
advertise static
!
security
ipsec
authentication-type sha1-hmac ah-sha1-hmac
!
!
banner
login "MOTD Banner"
motd "This is a private network. It is for authorized use only."
!
vpn 0
name "Transport VPN"
dns 1.1.1.1 primary
dns 8.8.8.8 secondary
interface ge0/0
description "MPLS Interface"
ip address 10.1.1.14/30
tunnel-interface
encapsulation ipsec preference 0
color mpls restrict
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
allow-service sshd
no allow-service netconf
allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
!
no shutdown
!
interface ge0/1
description "internet Interface"
ip address 64.100.107.2/28
nat
!
tunnel-interface
encapsulation ipsec preference 0
color biz-internet
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
allow-service sshd
no allow-service netconf
allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
!
no shutdown
!
ip route 0.0.0.0/0 10.1.1.13
ip route 0.0.0.0/0 64.100.107.1
!
vpn 1
name "Service VPN"
ecmp-hash-key layer4
interface ge0/2
description "LAN interface"
ip address 10.2.2.17/30
no shutdown
!
interface loopback0
ip address 10.200.1.9/32
no shutdown
!
ip route 172.21.1.0/24 10.2.2.18
omp
advertise ospf external
advertise connected
advertise static
!
!
vpn 512
interface eth0
description Management
no shutdown
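As an added audit helper (not part of the workbook or of any vEdge software), the following Python walks a vEdge `show run` in the indented form the CLI prints and lists, for each VPN 0 tunnel interface, its color and the services still permitted by `allow-service`, so the sshd/https exposure on the biz-internet side of vEdge 7, 8 and 9 above can be checked from the config rather than by eye. The sample input is a constructed excerpt shaped like the vedge7 transport VPN; `parse_paths` and `tunnel_services` are names chosen here.

```python
# Constructed excerpt shaped like the vedge7 transport VPN above, re-indented
# the way the CLI prints it (the PDF dump lost the indentation).
SAMPLE_RUN = """\
vpn 0
 interface ge0/0
  tunnel-interface
   color mpls restrict
   allow-service sshd
  !
 !
 interface ge0/1
  tunnel-interface
   color biz-internet
   allow-service sshd
   no allow-service netconf
   allow-service https
  !
 !
!
"""

def parse_paths(text: str) -> list[list[str]]:
    """Indentation-based nesting: each config line becomes its full path."""
    stack: list[tuple[int, str]] = []
    paths: list[list[str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":  # '!' only marks a block end visually
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, line))
        paths.append([s for _, s in stack])
    return paths

def tunnel_services(text: str) -> dict[str, tuple[str, list[str]]]:
    """Map each VPN 0 tunnel interface to (color, services still allowed)."""
    found: dict[str, tuple[str, list[str]]] = {}
    for p in parse_paths(text):
        if len(p) != 4 or p[0] != "vpn 0" or p[2] != "tunnel-interface":
            continue
        iface = p[1].split()[1]
        color, allowed = found.setdefault(iface, ("", []))
        if p[3].startswith("color "):
            found[iface] = (p[3].split()[1], allowed)
        elif p[3].startswith("allow-service "):  # 'no allow-service' skipped
            allowed.append(p[3].split()[1])
    return {k: (c, sorted(a)) for k, (c, a) in found.items()}
```

Feed it the real `show run` of each vEdge and compare the biz-internet entries against what the site actually needs reachable from the Internet.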