KB Implementing SD-WAN Workbook

Implementing SD-WAN
Authored By:
Khawar Butt
CCIE # 12353
Hepta CCIE#12353 Preparing the Network for SD-WAN
CCDE # 20110020
Netmetric Solutions
(c) KBITS Live | https://kbits.live
Http://www.Netmetric-Solutions.com 1 of 150
Lab 1 – Configuring the WAN
Components
Interface Configuration
HQ
Interface IP Address Subnet Mask

E 0/0 199.1.1.14 255.255.255.240
E 0/1 199.1.1.30 255.255.255.240
E 0/2 192.168.101.1 255.255.255.0
E 0/3 192.1.101.1 255.255.255.0
MPLS Cloud

E 0/0 192.168.101.254 255.255.255.0
E 0/1 192.168.102.254 255.255.255.0
E 0/2 192.168.103.254 255.255.255.0
E 0/3 192.168.104.254 255.255.255.0
E 1/0 192.168.105.254 255.255.255.0

2 of 150
Internet Cloud

E 0/0 192.1.101.254 255.255.255.0
E 0/1 192.1.102.254 255.255.255.0
E 0/2 192.1.103.254 255.255.255.0
E 0/3 192.1.104.254 255.255.255.0
E 1/0 192.1.105.254 255.255.255.0

3 of 150
Task 1 – HQ Router Configuration
o Configure the Interfaces based on the Logical Diagram

o Configure OSPF as the IGP to communicate with the MPLS Cloud.
Enable all the interfaces.
o Make sure OSPF only sends and receives OSPF packets on the link
towards the MPLS Cloud using the Passive-interface command.
o Configure a default route on the router towards the Internet. The
IP Address of the Internet Router is 192.1.101.254
o Configure BGP between vEdge1(199.1.1.17) in 65001 and HQ
router. Redistrubute OPSF into BGP.
HQ Router
Hostname HQ
!
Interface E 0/0
ip address 199.1.1.14 255.255.255.240
no shut
!
Interface E 0/1
ip address 199.1.1.30 255.255.255.240
no shut
!
Interface E 0/2
ip address 192.168.101.1 255.255.255.0
no shut
!
Interface E 0/3
ip address 192.1.101.1 255.255.255.0
no shut
!
router ospf 1
network 192.168.101.0 0.0.0.255 area 0
network 199.1.1.0 0.0.0.255 area 0
passive-interface default
no passive-interface E0/2
!
Router bgp 65001
Neighbor 192.1.1.17 remote-as 65001
Redistribute ospf 1
!
ip route 0.0.0.0 0.0.0.0 192.1.101.254

4 of 150
Task 2 – MPLS Cloud Router Configuration
o Configure the Interfaces based on the Logical Diagram.

o Configure OSPF as the IGP on all the interfaces.
MPLS Cloud Router
no ip domain-lookup
!
line con 0
exec-timeout 0 0
logging synchronous
!
hostname MPLS
!
interface Ethernet0/0
ip address 192.168.101.254 255.255.255.0
no shut
!
ip address 192.168.102.254 255.255.255.0
no shut
!
ip address 192.168.103.254 255.255.255.0
no shut
!
ip address 192.168.104.254 255.255.255.0
no shut
!
ip address 192.168.105.254 255.255.255.0
no shut
!
router ospf 1
network 192.168.101.0 0.0.0.255 area 0
network 192.168.102.0 0.0.0.255 area 0
network 192.168.103.0 0.0.0.255 area 0
network 192.168.104.0 0.0.0.255 area 0
network 192.168.105.0 0.0.0.255 area 0

5 of 150
Task 3 – Internet Cloud Router Configuration

o Configure a Static Route on the Router for the 199.1.1.0/24
network. The Next Hop should point towards the Internet IP of the
HQ Router.
Internet Cloud Router
no ip domain lookup
!
line con 0
exec-timeout 0 0
logging synchronous
!
hostname Internet
!
ip address 192.1.101.254 255.255.255.0
no shut
!
ip address 192.1.102.254 255.255.255.0
no shut
!
ip address 192.1.103.254 255.255.255.0
no shut
!
ip address 192.1.104.254 255.255.255.0
no shut
!
ip address 192.1.105.254 255.255.255.0
no shut
!
ip route 199.1.1.0 255.255.255.0 192.1.101.1

6 of 150
Lab 2 - Installing the Enterprise
Certificate Server
Note: It builds on the topology created in the previous lab.
Task 1 – Configure the Interfaces
First Ethernet Interface:
IP Address: 192.168.1.5
Subnet Mask: 255.255.255.0
Third Ethernet Interface:
IP Address: 199.1.1.5
Subnet Mask: 255.255.255.240
Default Gateway: 199.1.1.14
Task 2 – Configure the Timezone and Time
Configure the appropiate Timezone and Time on the Windows Server.
Task 3 – Installing the Enterprise Root Certificate Server
➢ Open Server Manager

➢ Click Roles
➢ Click Add Roles
➢ Click Next
➢ Select the "Active Directory Certificate Services" and click Next
➢ Click Next
➢ Select "Certification Authority Web Enrollment" and click Next
➢ Leave it as Standalone and click Next
➢ Leave it as Root CA and click Next
➢ Leave "Create a new private key" and click Next
➢ Leave the default for the Cryptography for CA and click Next
➢ Set the Common name as KBITS-CA and click Next
➢ Leave the default for the Validity Period and click Next
➢ Click Next
➢ Click Install

7 of 150
Task 4 – Install WinSCP
➢ Double-click the WinSCP Installation file.

➢ Do a Default Installation.

8 of 150
Implementing SD-WAN
Authored By:
Khawar Butt
CCIE # 12353
Hepta CCIE#12353
CCDE # 20110020 Initializing the Controllers

Netmetric Solutions 9 of 150
Http://www.Netmetric-Solutions.com
Lab 3 – Initializing vManage – CLI
Task 1 – Configuring the System Component
o Configure the System parameters based on the following:
▪ Host-name : vManage1
▪ Organization: KBITS
▪ System-IP: 10.1.1.101
▪ Site ID: 1
▪ vbond Address: 199.1.1.3
▪ Timezone: Based on the appropriate Timezone
Note: Default username: admin Default password: admin
vManage
config
!
system
host-name vManage1
system-ip 10.1.1.101
site-id 1
organization-name KBITS

10 of 150
clock timezone Asia/Muscat
vbond 199.1.1.3
!
commit
Task 2 – Configured the vpn parameters
o Configure the VPN parameters based on the following:
▪ vpn 0
- Interface eth1
- IP Address: 199.1.1.1/28
- Tunnel Interface
- Tunnel Services (All, NetConf, SSHD)
- Default Route: 199.1.1.14
▪ vpn 512
- Interface eth0
- IP Address: 192.168.1.1/24
vManage
config
!
vpn 0
no interface eth0
interface eth1
ip address 199.1.1.1/28
tunnel-interface
allow-service all
allow-service netconf
allow-service sshd
no shut
ip route 0.0.0.0/0 199.1.1.14
!
vpn 512
interface eth0
ip address 192.168.1.1/24
no shut
!
commit

11 of 150
Lab 4 – Initializing vManage - GUI
Task 1 – Organization name & vBond Address
➢ Log into the vManage from the Server by browsing to

https://192.168.1.1:8443 using a username of admin and a
password of admin.
➢ Navigate to Administration -> Settings
➢ Click Edit on the Organization name and set it to KBITS. Confirm

the Organization name. Click OK.
➢ Click Edit on the vBond address and change it to 199.1.1.3.

Confirm and click OK.
Task 2 – Configure Controller Authorization as Enterprise Root and

Download the Root Certificate.
➢ Browse to http://192.168.1.5/certsrv
➢ Click “Download Root Certificate”.
➢ Select “Base 64”.
➢ Click “Download CA Certificate”.
➢ Open Explorer and navigate to the downloads folder.
➢ Change the name of the Downloaded file “Certnew” to “RootCert”.
➢ Open the “RootCert.cer” file using Notepad.
➢ Copy using CTRL-A and CTRL-C.
➢ In vManage, Navigate to Administration -> Settings -> Controller

Certiticate Authorization.
➢ Change the “Certificate Signing by:” to “Enterprise Root

Certificate”.
➢ Paste the RootCert.cer that you had copied by using CTRL-V.

12 of 150
➢ Set the CSR Parameters with the Organization name, City, State,
Country. Set the Time to 3 Years and save.
Task 3 – Generate a CSR for vManage
➢ Navigate to Configuration -> Certificates -> Controllers ->

vManage -> Generate CSR.
➢ It will open a window with the CSR. Copy by using CTRL-A and
CTRL-C.
Task 4 – Request a Certificate from the CA Server
➢ Click “Request a Certificate”.
➢ Select “Advanced”.
➢ Paste the CSR in the box by using CTRL-V and click Submit.
Task 5 – Issue the Certificate from the CA Server
➢ Open Server Manager and navigate to Active Directory

Certificate Server -> KBITS-CA -> Pending Requests.
➢ Right-Click the request and click “Issue”.
Task 6 – Downloading the Issued Certificate
➢ Click “Check on Pending request”.
➢ The issued certificate link will show up. Click on the link.
➢ Select “Base 64” and click “Download”
➢ Change the name of the Downloaded file “Certnew” to “vManage”.
➢ Open the “vManage.cer” file using Notepad.

13 of 150
Task 6 – Installing the Identity Certificate for vManage
➢ In vManage, Navigate to Configuration -> Certificates ->

Controllers
➢ Click on the “Install” button at the top right corner
➢ Paste the Certificate (CTRL-V).
➢ The Identity certificate should be installed on vManage.

14 of 150
Lab 5 – Initializing vBond – CLI
▪ Host-name : vBond1
▪ System-IP: 10.1.1.103
▪ Site ID: 1
vBond
config
!
system
host-name vBond1
site-id 1
vbond 199.1.1.3 local
!

15 of 150
Commit
▪ vpn 0
- Interface ge0/0
- IP Address: 199.1.1.3/28
- Tunnel Interface
- Encapsulation: IPSec
▪ vpn 512
- Interface eth0
- IP Address: 192.168.1.3/24
vBond
config
!
vpn 0
no interface eth0
interface ge0/0
ip address 199.1.1.3/28
tunnel-interface
encapsulation ipsec
allow-service all
allow-service sshd
no shut
ip route 0.0.0.0/0 199.1.1.14
!
vpn 512
interface eth0
ip address 192.168.1.3/24
no shut
!
commit

16 of 150
Lab 6 – Initializing vBond - GUI
Task 1 – Add vBond to vManage
➢ Navigate to Configuration -> Devices -> Controllers -> Add

Controllers -> vBond and specify the following to add the vBond
in vManage.
o IP Address: 199.1.1.3
o Username: Admin
o Password: Admin
o Check Generate CSR
o Click OK
Task 2 – View the generated CSR for vBond and Copy it
➢ Navigate to Configuration -> Certificates -> Controllers -> vBond

-> View CSR.
CTRL-C.


17 of 150
➢ Change the name of the Downloaded file “Certnew” to “vBond”.
➢ Open the “vBond.cer” file using Notepad.

Controllers
➢ The Identity certificate should be installed for vBond and pushed

to it.

18 of 150
Lab 7 – Initializing vSmart – CLI
▪ Host-name : vSmart1
▪ System-IP: 10.1.1.102
▪ Site ID: 1
vSmart
config
!
system
host-name vSmart1
site-id 1
vbond 199.1.1.3
!

19 of 150
Commit
▪ vpn 0
- Interface Eth1
- IP Address: 199.1.1.2/28
- Tunnel Interface
▪ vpn 512
- Interface eth0
- IP Address: 192.168.1.2/24
vSmart
config
!
vpn 0
no interface eth0
interface eth1
ip address 199.1.1.2/28
tunnel-interface
allow-service all
allow-service sshd
no shut
ip route 0.0.0.0/0 199.1.1.14
!
vpn 512
interface eth0
ip address 192.168.1.2/24
no shut
!
Commit

20 of 150
Lab 8 – Initializing vSmart - GUI
Task 1 – Add vSmart to vManage

Controllers -> vSmart and specify the following to add the vBond
in vManage.
o Username: Admin
o Password: Admin
o Click OK
Task 2 – View the generated CSR for vSmart and Copy it

vSmart -> View CSR.
CTRL-C.


21 of 150
➢ Change the name of the Downloaded file “Certnew” to “vSmart”.
➢ Open the “vSmart.cer” file using Notepad.

Controllers
➢ The Identity certificate should be installed for vSmart and pushed

to it.

22 of 150
Implementing SD-WAN
Authored By:
Khawar Butt
CCIE # 12353
Hepta CCIE#12353
CCDE # 20110020 Initializing the WAN Edges

Lab 9 – Initializing vEdge – CLI
Task 1 – Upload the WAN Edge List
➢ On the vManage Main windows, Naviagte to Configuration ->

Devices. Click on “Upload WAN Edge List”.
➢ Select the file you downloaded from the PNP Portal. Upload it and
check the Validate option.
vEDGE-1
▪ Host-name : vEdge1
▪ System-IP: 10.2.2.201
▪ Site ID: 1

24 of 150
vEdge1
config
!
system
host-name vEdge1
site-id 1
vbond 199.1.1.3
!
commit
Task 2 – Configure the vpn parameters
▪ vpn 0
- Interface ge0/0
- IP Address: 199.1.1.17/28
- Tunnel Interface
- Encapsulation IPSec
▪ vpn 512
- Interface eth0
- IP Address: DHCP Client
vEdge1
config
!
vpn 0
no interface eth0
interface ge0/0
ip address 199.1.1.17/28
tunnel-interface
encapsulation ipsec
allow-service all

25 of 150
allow-service sshd
no shut
ip route 0.0.0.0/0 199.1.1.30
!
vpn 512
interface eth0
ip dhcp-client
no shutdown
commit
vEDGE-2
▪ System-IP: 10.2.2.202
▪ Site ID: 2
vEdge-2
config
!
system
host-name vEdge2
site-id 2
vbond 199.1.1.3
!
commit
▪ vpn 0

26 of 150
- Interface ge0/0
- IP Address: 192.168.102.2/24
- Tunnel Interface
- Default Route: 192.168.102.254
▪ vpn 512
- Interface eth0
vEdge2
config
!
vpn 0
no interface eth0
interface ge0/0
ip address 192.168.102.2/24
tunnel-interface
encapsulation ipsec
allow-service all
allow-service sshd
no shut
ip route 0.0.0.0/0 192.168.102.254
!
vpn 512
interface eth0
ip dhcp-client
no shutdown
!
commit
vEDGE-3
▪ System-IP: 10.2.2.203
▪ Site ID: 3

27 of 150
vEdge-3
config
!
system
host-name vEdge3
site-id 3
vbond 199.1.1.3
!
Commit
▪ vpn 0
- Interface ge0/0
- IP Address: 192.168.103.3/24
- Tunnel Interface
- Default Route: 192.168.103.254
▪ vpn 512
- Interface eth0
vEdge3
config
!
vpn 0
no interface eth0
interface ge0/0
ip address 192.168.103.3/24
tunnel-interface
encapsulation ipsec
allow-service all

28 of 150
allow-service sshd
no shut
ip route 0.0.0.0/0 192.168.103.254
!
vpn 512
interface eth0
ip dhcp-client
no shutdown
!
Commit
vEDGE-4
▪ System-IP: 10.2.2.204
▪ Site ID: 4
vEdge-4
config
!
system
host-name vEdge4
site-id 4
vbond 199.1.1.3
!
Commit

29 of 150
▪ vpn 0
- Interface ge0/0
- IP Address: 192.168.104.4/24
- Tunnel Interface
- Default Route: 192.168.104.254
▪ vpn 512
- Interface eth0
vEdge4
config
!
vpn 0
no interface eth0
interface ge0/0
ip address 192.168.104.4/24
tunnel-interface
encapsulation ipsec
allow-service all
allow-service sshd
no shut
ip route 0.0.0.0/0 192.168.104.254
!
vpn 512
interface eth0
ip dhcp-client
no shutdown
!
Commit

30 of 150
Lab 10 – Registering vEdges in vManage
vEDGE-1
Task 1 – Upload the Root Certificate to the vEdge
➢ On the Windows Server, open WINSCP application.
➢ Connect to vEdge1 using the following information:
o IP Address : 199.1.1.17
o Protocol - SFTP
o Username : admin
o Password : admin
➢ Copy the RootCert.cer file from the Downloads folder to the

/home/admin folder on the vEdge1
Task 2 – Install the Root Certificate on vEdge1
➢ Connect to the console of vEdge1 and issue the following

command:
request root-cert-chain install /home/admin/RootCert.cer
Task 3 - Activate vEdge on vManage
➢ Navigate to Configuration -> Devices
➢ Note and use the Chassis Number and Token number for the 1st
vEdge from vManage.
➢ Use the information from the previous step in the following

command on the vEdge1 console.
request vedge-cloud activate chassis-number XXXXXXXX-XXXX-

XXXX-XXXX-XXXXXXXXXXXX token
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
➢ You should see the vEdge in the vManage console with a Certificate
issued.

31 of 150
vEDGE-2
o IP Address : 192.168.102.2
o Protocol - SFTP
o Username : admin
o Password : admin


command:
➢ Note and use the Chassis Number and Token number for the 2nd
vEdge from vManage.


issued.

32 of 150
vEDGE-3
o IP Address : 192.168.103.3
o Protocol - SFTP
o Username : admin
o Password : admin


command:
➢ Note and use the Chassis Number and Token number for the 3rd
vEdge from vManage.


issued.

33 of 150
vEDGE-4
o IP Address : 192.168.104.4
o Protocol - SFTP
o Username : admin
o Password : admin


command:
➢ Note and use the Chassis Number and Token number for the 4th
vEdge from vManage.


issued.

34 of 150
Lab 11 – Initializing cEdge – CLI
cEDGE-1
▪ Host-name : cEdge5
▪ System-IP: 10.2.2.205
▪ Site ID: 5
cEdge1
config-transaction
!
hostname cEdge1
!
system
site-id 5

35 of 150
vbond 199.1.1.3
exit
!
clock timezone GST 4
commit
Task 2 – Configure the Interface and Tunnel Parameters
o Configure the Interface parameters based on the following:
▪ GigabitEthernet1 Parameters
o IP Address: 192.168.105.5/24
o Default Route: 192.168.105.254
▪ Tunnel Parameters Parameters
o Tunnel Interface: Tunnel1
o Tunnel Source: GigabitEthernet1
o Tunnel Mode: SDWAN
▪ SDWAN Interface Parameters
o Interface: GigabitEthernet1
o Encapsulation: IPSec
o Color: default
o Tunnel Services (All, NetConf, SSHD)
cEdge1
config-transaction
!
interface GigabitEthernet1
no shutdown
ip address 192.168.105.5 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.105.254
!
interface Tunnel1
no shutdown
ip unnumbered GigabitEthernet1
tunnel source GigabitEthernet1
tunnel mode sdwan
exit
!
sdwan
interface GigabitEthernet1
tunnel-interface
encapsulation ipsec
color default

36 of 150
allow-service all
allow-service sshd
exit
exit
commit

37 of 150
Lab 12 – Registering cEdges in vManage
cEDGE-1
Task 1 – Upload the Root Certificate to the cEdge
➢ Open the TFTP Application on the Windows Server.
➢ Configure the Default Folder as the Downloads Folder and using

the 199.1.1.5 as the TFTP Interface.
➢ Connect to the console of cEdge1 and copy the RootCert.cer file to

flash: using the following command:
copy tftp://199.1.1.5/RootCert.cer flash:
Task 2 – Install the Root Certificate on cEdge1
➢ Connect to the console of cEdge1 and issue the following

command:
request platform software sdwan root-cert-chain install

bootflash:Root.cer
Task 3 - Activate cEdge on vManage
CSR Device from vManage.

command on the cEdge1 console.
request platform software sdwan vedge_cloud activate chassis-

number CSR-XXXXXXXX-XXXX-XXXX-XXXX-
XXXXXXXXXXXX token
issued.

38 of 150
Implementing SD-WAN
Authored By:
Khawar Butt
CCIE # 12353
Hepta CCIE#12353
CCDE # 20110020 Configuring Templates

Lab 13 – Configuring Feature Template –
System
Task 1 – Configure the System Template to be used by all vEdge-

Cloud Devices
➢ In vManage, Navigate to Configuration -> Templates -> Feature ->

vEdge Cloud -> Basic Information -> System
➢ Configure the System parameters based on the following:
o Template Name : VE-System

o Description : VE-System
o Site ID -> Device Specific
o System IP ->Device Specific
o Hostname -> Device Specific
o Timezone -> Global : Asia/Muscat
o Console Baud Rate -> Default
➢ Click Save to save the Template.

40 of 150
Task 2 – Configure the System Template to be used by all cEdge-
Cloud Devices

CSR Cloud -> Basic Information -> System
o Template Name : CE-System

o Description : CE-System
o Timezone -> Global : Asia/Muscat

41 of 150
Lab 14 – Configuring Feature Template –
Banner
Task 1 – Configure the Banner Template to be used by all vEdge-

Cloud Devices

vEdge Cloud -> Basic Information -> Banner
➢ Configure the Banner parameters based on the following:
o Template Name : VE-Banner

o Description : VE-Banner
o Banner: KBITS Authorized Users Only !!!!!!!!!!!
o MOTD: Welcome of SD-WAB !!!!!!!!!!!!!
Task 2 – Configure the Banner Template to be used by all cEdge-

Cloud Devices

CSR Cloud -> Basic Information -> Banner
➢ Configure the Banner parameters based on the following:
o Template Name : CE-Banner

o Description : CE-Banner
o Banner: KBITS Authorized Users Only !!!!!!!!!!!
o MOTD: Welcome of SD-WAB !!!!!!!!!!!!!

42 of 150
Lab 15 - Configuring Feature Templates -
VPN & VPN Interfaces for VPN 0 & 512 ––
Branch Site(vEdges)
Task 1 – Configure a VPN Template to be used by all Branch vEdge-

Cloud Devices for VPN 0

vEdge Cloud -> VPN -> VPN
➢ Configure the VPN parameters based on the following:
o Template Name : BR-VE-VPN-VPN0

o Description : BR-VE-VPN-VPN0
Basic Configuration
o VPN -> Global : 0
o Name -> Global : Transport VPN
IPv4 Route
o Prefix -> Global : 0.0.0.0/0
o Next Hop -> Device Specific



Basic Configuration
o VPN -> Global : 512
o Name -> Global : MGMT VPN

43 of 150
Task 3 – Configure a VPN Interface Template to be used by all
Branch vEdge-Cloud Devices for VPN 0 for Interface G0/0

vEdge Cloud -> VPN -> VPN Interface Ethernet
o Template Name : BR-VE-VPNINT-VPN0-G0

o Description : BR-VE-VPNINT-VPN0-G0
Basic Configuration
o Shutdown -> Global : No
o Interface Name -> Global : ge0/0
o IPv4 Address -> Static -> Device Specific
Tunnel
o Tunnel Inteface -> Global : On
o Color -> Global : MPLS
Allow Service
o All -> Global : On
o NETCONF -> Global : On
o SSH -> Global : On



Basic Configuration
Tunnel
o Color -> Global : BIZ-Internet
Allow Service
44 of 150
Click Save to save the Template.

Branch vEdge-Cloud Devices for VPN 512 for Interface Eth0

o Template Name : BR-VE-VPNINT-VPN512-E0

o Description : BR-VE-VPNINT-VPN512-E0
Basic Configuration
o Interface Name -> Global : eth0
o IPv4 Address -> Dynamic
➢ Click Save to save the Template

45 of 150
Lab 16 - Configuring Feature Templates –
External Routing - OSPF for VPN 0 –
Branch Site(vEdges)
Task 1 – Configure a OSPF Template to be used by all Branch vEdge-


vEdge Cloud -> Other Templates -> OSPF
➢ Configure the OSPF parameters based on the following:
o Template Name : BR-VE-OSPF-VPN0

o Description : BR-VE-OSPF-VPN0
Area Configuration
o Area Number -> Global : 0
o Area Type -> Default
o Interface Name: ge0/0
Advanced
o OSPF Network Type: Point-to-Point
➢ Click Add to add the Interface and Click Add to add OSPF.

46 of 150
Lab 17 - Configuring and Deploying
Device Templates for vEdge – Branch
Site(vEdge2)
Task 1 – Configure a Device Template for Branch vEdge Devices.
➢ In vManage, Navigate to Configuration -> Templates -> Device ->

Create Template -> vEdge Cloud
➢ Configure the Device Template based on the following:
o Template Name : BR-VE-TEMP

o Description : BR-VE-TEMP
Basic Information
o System -> VE-System
Transport & Management

o VPN 0 : BR-VE-VPN-VPN0
o VPN Interface : BR-VE-VPNINT-VPN0-G0
o OSPF : BR-VE-OSPF-VPN0

o VPN Interface : BR-VE-VPNINT-VPN512-E0
Task 2 – Attach vEdge2 to the Device Template
➢ In vManage, Navigate to Configuration -> Templates -> Device -> BR-

VE-TEMP.
➢ Click on “…” towards the right-hand side.
➢ Click Attach Devices.
➢ Select vEdge2 and click the “ -> “ button.
➢ Click Attach.

47 of 150
Task 3 – Configure the Variable Parameters for the Feature
Templates
➢ vEdge2 will appear in the window.
➢ Click Edit Device Template.
➢ Configure the variables based on the following:
o Default Gateway for VPN0 : 192.1.102.254

o Interface IP for ge0/1 :192.1.102.2/24
o Hostname : vEdge-2
o System IP : 10.2.2.202
o Site ID : 2
➢ Click Update.
➢ Verify the Configuration & Click Configure Devices.
➢ Wait for it to update the device. It should come back with Status of
Success.
➢ Verify the configuration on vEdge2. You can do that by verify OSPF

Neighbor relationship with the MPLS Router by issuing the Show ospf
neighbor command on vEdge2.
➢ Type Show Ip route on vEdge2 to verify that you are receiving OSPF
routes from the MPLS Router.

48 of 150
Lab 18 - Configuring Internal Routing
Protocols on the Internal Routing
Devices – HQ & All Branches
Site-1

E 0/0 192.168.11.11 255.255.255.0
Loopback1 172.16.11.1 255.255.255.0
Loopback2 172.16.12.1 255.255.255.0
Loopback3 172.16.13.1 255.255.255.0
Site-2

E 0/0 192.168.20.22 255.255.255.0
Loopback1 172.16.21.1 255.255.255.0
Loopback2 172.16.22.1 255.255.255.0
Loopback3 172.16.23.1 255.255.255.0
Loopback4 172.16.234.2 255.255.255.255

49 of 150
Site-3

E 0/0 192.168.30.33 255.255.255.0
Loopback1 172.16.31.1 255.255.255.0
Loopback2 172.16.32.1 255.255.255.0
Loopback3 172.16.33.1 255.255.255.0
Loopback4 172.16.234.3 255.255.255.255
Site-4

E 0/0 192.168.40.44 255.255.255.0
Loopback1 172.16.41.1 255.255.255.0
Loopback2 172.16.42.1 255.255.255.0
Loopback3 172.16.43.1 255.255.255.0
Loopback4 172.16.234.4 255.255.255.255
Site-5

E 0/0 192.168.50.55 255.255.255.0
Loopback1 172.16.51.1 255.255.255.0
Loopback2 172.16.52.1 255.255.255.0
Loopback3 172.16.53.1 255.255.255.0
Task 1 – Internal Site Router Configurations

o Configure OSPF as the IGP to communicate with the vEdge/cEdge
devices. Enable all the interfaces under OSPF.
o Configure the Loopback Interfaces as OSPF Network Point-to-point
Interfaces.

50 of 150
Site-1
no ip domain-loo
line con 0
logg sync
no exec-timeout
!
Hostname Site-1
!
Interface E 0/0
ip address 192.168.11.11 255.255.255.0
no shut
!
Interface Loopback1
ip address 172.16.11.1 255.255.255.0
ip ospf network point-to-point
!
Interface Loopback2
ip address 172.16.12.1 255.255.255.0
!
Interface Loopback3
ip address 172.16.13.1 255.255.255.0
!
router ospf 1
network 192.168.11.0 0.0.0.255 area 0
network 172.16.0.0 0.0.255.255 area 0

51 of 150
Site-2
no ip domain-loo
line con 0
logg sync
no exec-timeout
!
Hostname Site-2
!
Interface E 0/0
ip address 192.168.20.22 255.255.255.0
no shut
!
Interface Loopback1
ip address 172.16.21.1 255.255.255.0
!
Interface Loopback2
ip address 172.16.22.1 255.255.255.0
!
Interface Loopback3
ip address 172.16.23.1 255.255.255.0
!
Interface Loopback4
ip address 172.16.234.2 255.255.255.255
!
router ospf 1
network 192.168.20.0 0.0.0.255 area 0
network 172.16.0.0 0.0.255.255 area 0

52 of 150
Site-3
no ip domain-loo
line con 0
logg sync
no exec-timeout
!
Hostname Site-3
!
Interface E 0/0
ip address 192.168.30.33 255.255.255.0
no shut
!
Interface Loopback1
ip address 172.16.31.1 255.255.255.0
!
Interface Loopback2
ip address 172.16.32.1 255.255.255.0
!
Interface Loopback3
ip address 172.16.33.1 255.255.255.0
!
Interface Loopback4
ip address 172.16.234.3 255.255.255.255
!
router ospf 1
network 192.168.30.0 0.0.0.255 area 0
network 172.16.0.0 0.0.255.255 area 0

53 of 150
Site-4
no ip domain-loo
line con 0
logg sync
no exec-timeout
!
Hostname Site-4
!
Interface E 0/0
ip address 192.168.40.44 255.255.255.0
no shut
!
Interface Loopback1
ip address 172.16.41.1 255.255.255.0
!
Interface Loopback2
ip address 172.16.42.1 255.255.255.0
!
Interface Loopback3
ip address 172.16.43.1 255.255.255.0
!
Interface Loopback4
ip address 172.16.234.4 255.255.255.255
!
router ospf 1
network 192.168.40.0 0.0.0.255 area 0
network 172.16.0.0 0.0.255.255 area 0

54 of 150
Site-5
no ip domain-loo
line con 0
logg sync
no exec-timeout
!
Hostname Site-5
!
Interface E 0/0
ip address 192.168.50.55 255.255.255.0
no shut
!
Interface Loopback1
ip address 172.16.51.1 255.255.255.0
!
Interface Loopback2
ip address 172.16.52.1 255.255.255.0
!
Interface Loopback3
ip address 172.16.53.1 255.255.255.0
!
router ospf 1
network 192.168.50.0 0.0.0.255 area 0
network 172.16.0.0 0.0.255.255 area 0

55 of 150
Lab 19 - Configuring Feature Templates –
Service VPN – VPN, VPN Interface and
Internal Routing – Branch Site(vEdges)



Basic Configuration
o VPN -> Global : 1
o Name -> Global : Data VPN



Basic Configuration

56 of 150


Redistribution
o Protocol : OMP
Area Configuration

57 of 150
Lab 20 - Implementing a Service VPN
using Templates – Branch Site(vEdge2)
Task 1 – Edit the BR-VE-TEMP Device Template for Brance vEdge

Devices.

VE-TEMP -> “…” -> Edit
➢ Edit the BR-VE-TEMP Device Template based on the following:
Service VPN
o OSPF : BR-VE-OSPF-VPN1

Templates
➢ Click on “…” towards the right-hand side & click Edit Device
Template.
➢ Click Update.
Success.

Neighbor relationship with the Site-2 Router by issuing the Show ospf
routes from the Internal Site Router.

58 of 150
Lab 21 - Pushing Template to configure
other Branch Sites - – Branch
Site(vEdge3 & vEdge4)
Task 1 – Attach the BR-VE-TEMP Device Template for Brance vEdge

Devices.

VE-TEMP -> “…” -> Attach Devices.
➢ Select vEdge3 & vEdge4 and click the “ -> “ button.
➢ Click Attach.
➢ vEdge3 & vEdge4 will appear in the window.
➢ Click on “…” towards the right-hand side for both devices, one at a
time click Edit Device Template.
vEdge-3

o System IP : 10.2.2.203
o Site ID : 3
➢ Click Update.
vEdge-4

o System IP : 10.2.2.204
59 of 150
o Site ID : 4
➢ Click Update.
Success.
➢ Verify the configuration on vEdge3 & vEdge4. You can do that by

verify OSPF Neighbor relationship with the Internal Site Router by
issuing the Show ospf neighbor command on the vEdges.
➢ Type Show Ip route on Internal Site Routers to verify that you are
receiving OSPF routes from the other Sites.
➢ Verify reachability between the sites by Pinging the Internal Loopback

to Loopback networks.

60 of 150
Lab 22 – Configuring Feature Templates
for HQ-Site(vEdge1) – VPNs, VPN
Interfaces, External & Internal Routing
VPN 0
Task 1 – Configure a VPN Template for HQ vEdge-Cloud Devices for
VPN 0

o Template Name : HQ-VE-VPN-VPN0

o Description : HQ-VE-VPN-VPN0
Basic Configuration
o VPN -> Global : 0
IPv4 Route
Task 2 – Configure a VPN Interface Template to be used by HQ

vEdge-Cloud Devices for VPN 0 for Interface G0/0

o Template Name : HQ-VE-VPNINT-VPN0-G0

o Description : HQ-VE-VPNINT-VPN0-G0
Basic Configuration

61 of 150
Tunnel
o Color -> Default
Allow Service
Task 3 – Configure a BGP Template to be used by HQ vEdge-Cloud

Devices for VPN 0

vEdge Cloud -> Other Templates -> BGP
➢ Configure the BGP parameters based on the following:
o Template Name : HQ-VE-BGP-VPN0

o Description : HQ-VE-BGP-VPN0
Basic Configuration
o AS Number -> Global : 65001
Neighbor
o Adddress -> Global : 199.1.1.30
o Remote AS -> Global : 65001
o Address Family -> Global : On
o Address Family -> Global : IPv4-Unicast
➢ Click Add to add the Interface and Click Add to add BGP Neighbor.
VPN 512
Task 1 – Configure a VPN Template to be used by HQ vEdge-Cloud
Devices for VPN 512


62 of 150
Basic Configuration

vEdge-Cloud Devices for VPN 512 for Interface Eth0

o Template Name : HQ-VE-VPNINT-VPN512-E0

o Description : HQ-VE-VPNINT-VPN512-E0
Basic Configuration

63 of 150
VPN 1
Task 1 – Configure a VPN Template for HQ vEdge-Cloud Devices for
VPN 1


Basic Configuration
o VPN -> Global : 1


o Template Name : HQ-VE-VPNINT-VPN1-G2

o Description : HQ-VE-VPNINT-VPN1-G2
Basic Configuration
Task 3 – Configure a OSPF Template to be used by HQ vEdge-Cloud

Devices for VPN 1


64 of 150
o Template Name : HQ-VE-OSPF-VPN1
o Description : HQ-VE-OSPF-VPN1
Redistribution
o Protocol : OMP
Area Configuration

65 of 150
Lab 23 - Configuring Device Templates
for HQ-Site(vEdge1) to deploy VPN 0, 1
and 512.
Task 1 – Configure a Device Template for HQ vEdge Devices.

o Template Name : HQ-VE-TEMP

o Description : HQ-VE-TEMP
Basic Information

o VPN 0 : HQ-VE-VPN-VPN0
o VPN Interface : HQ-VE-VPNINT-VPN0-G0
o BGP : HQ-VE-BGP-VPN0

o VPN Interface : HQ-VE-VPNINT-VPN512-E0
Service VPN
o VPN Interface : HQ-VE-VPNINT-VPN1-G2
o OSPF : HQ-VE-OSPF-VPN1

HQ-VE-TEMP.

66 of 150
➢ Click Attach.

Templates

o System IP : 10.2.2.201
o Site ID : 1
➢ Click Update.
Success.

Neighbor relationship with the Internal Router by issuing the Show
ospf neighbor command on vEdge1.


67 of 150
Lab 24 – Configuring Feature Templates
for CSR – VPNs, VPN Interfaces, External
& Internal Routing
VPN 0
Task 1 – Configure a VPN Template by CSR for VPN 0

CSR1000v -> VPN -> VPN
o Template Name : BR-CSR-VPN-VPN0

o Description : BR-CSR -VPN-VPN0
Basic Configuration
o VPN -> Global : 0
IPv4 Route
Task 2 – Configure a VPN Interface Template to be used by CSR for

VPN 0 for Interface GigabitEthernet1

CSR1000v -> VPN -> VPN Interface Ethernet
o Template Name : BR-CSR-VPNINT-VPN0-G1

o Description : BR-CSR-VPNINT-VPN0-G1
Basic Configuration
o Interface Name -> Global : GigabitEthernet1

68 of 150
Tunnel
o Color -> Default
Allow Service



Basic Configuration
Tunnel
o Color -> Default
Allow Service
Task 4 – Configure a OSPF Template to be used by CSR for VPN 0

CSR1000v -> Other Templates -> OSPF
o Template Name : BR-CSR-OSPF-VPN0

o Description : BR-CSR-OSPF-VPN0

69 of 150
Area Configuration
o Interface Name: GigabitEthernet1
o OSPF Network Type: Point-to-Point
VPN 512
Task 1 – Configure a VPN Template to be used by CSR for VPN 512


o Description : BR-CSR-VPN-VPN512
Basic Configuration



Basic Configuration

70 of 150
VPN 1
Task 1 – Configure a VPN Template for CSR for VPN 1


o Description : BR-CSR-VPN-VPN1
Basic Configuration
o VPN -> Global : 1

VPN 1 for Interface G3

CSR -> VPN -> VPN Interface Ethernet

Basic Configuration

71 of 150
Task 3 – Configure a OSPF Template to be used by CSR for VPN 1

CSR -> Other Templates -> OSPF
o Template Name : BR-CSR-OSPF-VPN1

o Description : BR-CSR-OSPF-VPN1
Redistribution
o Protocol : OMP
Area Configuration
o Interface Name: GigabitEthernet3

72 of 150
Lab 25 - Configuring Device Templates
for CSR to deploy VPN 0, 1 and 512
Task 1 – Configure a Device Template for CSR Branch Devices.

Create Template -> CSR1000v
o Template Name : BR-CSR-TEMP

o Description : BR-CSR-TEMP
Basic Information
o System -> CE-System

o VPN 0 : BR-CSR-VPN-VPN0
o VPN Interface : BR-CSR-VPNINT-VPN0-G1
o OSPF : BR-CSR-OSPF-VPN0

o VPN Interface : BR-CSR-VPNINT-VPN512-E0
Service VPN
o OSPF : BR-CSR-OSPF-VPN1
Task 2 – Attach cEdge1 to the Device Template

CSR-TEMP.
➢ Select cEdge1 and click the “ -> “ button.
➢ Click Attach.
73 of 150
Templates
➢ cEdge1 will appear in the window.
o Interface IP for GigabitEthernet3 :192.168.50.5/24

o Hostname : cEdge-1
o System IP : 10.2.2.205
o Site ID : 5
➢ Click Update.
Success.
➢ Verify the configuration on cEdge1. You can do that by verify OSPF

Neighbor relationship with the Internal Router by issuing the Show ip
ospf neighbor command on cEdge1.
➢ Type Show Ip route on cEdge1 to verify that you are receiving OSPF


74 of 150
Lab 26 - Configuring and Deploying
Feature and Device Templates for vSmart
Controllers
Task 1 – Configure a VPN Template to be used by vSmart Controllers

for VPN 0

vSmart -> VPN -> VPN
o Template Name : vSmart-VPN-VPN0

o Description : vSmart-VPN-VPN0
Basic Configuration
o VPN -> Global : 0
IPv4 Route
o Next Hop -> Global : 199.1.1.14

for VPN 512

o Template Name : vSmart -VPN-VPN512

o Description : vSmart -VPN-VPN512
Basic Configuration

75 of 150
Task 3 – Configure a VPN Interface Template to be used by vSmart
Controllers for VPN 0 for Interface Eth1

vSmart -> VPN -> VPN Interface Ethernet
o Template Name : vSmart-VPNINT-VPN0-E1

o Description : vSmart-VPNINT-VPN0-E1
Basic Configuration
Tunnel
o Color -> default
Allow Service
Task 4 – Configure a VPN Interface Template to be used vSmart



Basic Configuration
o IPv4 Address -> Static -> Device-Specific

76 of 150
Task 5 – Configure a Device Template for vSmart Controllers.

Create Template -> vSmart
o Template Name : vSmart-TEMP

o Description : vSmart-TEMP
Basic Information

o VPN 0 : vSmart-VPN-VPN0
o VPN Interface : vSmart-VPNINT-VPN0-E1

Task 6 – Attach vSmart to the Device Template

vSmart-TEMP
➢ Select vSmart and click the “ -> “ button.
➢ Click Attach.

77 of 150
Templates
➢ vSmart will appear in the window.
o Interface IP for Eth1 :199.1.1.2/28

o Hostname : vSmart-1
o System IP : 10.1.1.102
o Site ID : 1
➢ Click Update.
Success.

78 of 150
Lab 27 - Configuring Application Aware
Policies using Telnet and Web
Requirements:
➢ Los Angeles & London Sites should use the MPLS Transport for Telnet
Traffic and the Biz-Internet Transport for Web Traffic.
➢ Telnet Should have a SLA based on the following:
o Loss – 5%
o Latency – 200
o Jitter – 100ms
➢ Web Should have a SLA based on the following:
o Loss – 10%
o Latency – 500
o Jitter – 100ms
➢ Create the Sites for Los Angeles and London.
➢ Create the VPN for VPN ID 1.

79 of 150
Task 1 – Configure Groups of Interests/List that will be used for
Telnet & Web Application Aware Routing (AAR) Policy
➢ In vManage, Navigate to Configuration -> Policies -> Custom

Options -> Centralized Policy -> Lists.
➢ Click SLA Class and select New SLA Class list. Create 2 policies
based on the following:
o Name : SLA-Telnet
o Loss : 5%
o Latency : 200
o Jitter : 100ms
o Name : SLA-Web
o Loss : 10%
o Latency : 500
o Jitter : 100ms
➢ Click VPN and select New VPN list. Create 1 policy based on the
following:
o Name : VPN1
o ID : 1
➢ Click Site and select New Site list. Create 2 policies based on the
following:
o Name : Los Angeles

o Site ID : 2
o Name : London
o Site ID : 3

80 of 150
Task 2 – Configure an AAR policy based on the Requirements

Options -> Centralized Policy -> Traffic Policy.
➢ Configure 2 App Routes based on the following:
o Policy Name : TELNET-WEB-Policy

o Description : TELNET-WEB-Policy
Telnet Sequence
Match Conditions:
o Protocol : 6
o Port : 23
Action
o SLA Class List: SLA-Telnet
o Color : mpls
o Backup Preferred Color: biz-internet
o Click Save Match and Actions to save the Sequence.
Web Sequence
Match Conditions:
o Protocol : 6
o Port : 80
Action
o SLA Class List: SLA-Web
o Color : biz-internet
o Backup Preferred Color: mpls
o Save the Policy.
Task 3 – Create a Centralized Policy and call the Traffic Policy

Options -> Centralized Policy -> Add Centralized Policy
➢ Click Next on the “Group of Interests” page as we have already

created the required lists.
➢ Click Next on the “Topology and VPN Membership” page as we are

not using any Control Policies.

81 of 150
➢ Click Add Policy on the “Configure Traffic Rules” page.
➢ Click “Import Existing” and select the TELNET-WEB-POLICY from
the drop-down list and click Import.
➢ Click Next to move to the “Apply Policy to Sites and VPNs” Page.
➢ Click the “Appliacation-Aware Policy” tab.
➢ The TELNET-WEB-Policy will be there. Click “New Site List and VPN
List” button.
➢ Select Los Angeles and London in the Site List.
➢ Select VPN1 in the Site List.
➢ Click Add.
➢ Assign the Policy a name and Desription based on the following:
o Policy Name : Main-Central-Policy

o Description : Main-Central-Policy
➢ Click the Save Policy button towards the button.
➢ Activate the policy.
➢ Wait for it to push the policy to the reachable vSmart Controller(s).
➢ Verify the policy by using the Monitor -> Network -> vEdge2 ->
Troubleshooting -> Simulate Flows Tool.
➢ Telnet from Los Angeles or London should only use the mpls
transport.
➢ Web from Los Angeles or London should only use the biz-internet
transport.
➢ Normal Ping from Los Angeles or London should use both the
Transports.

82 of 150
Lab 28 - Configuring Application Aware
Policies using Chat Applications
Requirements:
➢ Rome should use the Internet Transport for AOL-Messenger, MSN

Messenger & Whatsapp Messenger application. It should not use the
MPLS Transport at all.
➢ The Chat applications should have a SLA based on the following:
o Loss – 10%
o Latency – 600
o Jitter – 100ms
➢ Create a Site for Rome

Chat-based Application Aware Routing (AAR) Policy

➢ Click Applications and select New Application list. Create a policy

based on the following:
o Name : Chat-Apps
o Appls: Aol-Messenger, MSN-Messenger & WhatsApp Messenger
➢ Click SLA Class and select New SLA Class list. Create a policy based
on the following:
o Name : SLA-CHATS
o Loss : 25%
o Latency : 600
o Jitter : 100ms
➢ Click Site and select New Site list. Create a policy based on the
following:
o Name : Rome
o Site ID : 4

83 of 150
Task 2 – Configure an AAR policy based on the Requirements

Options -> Centralized Policy -> Traffic Policy.
➢ Configure 1 App Routes based on the following:
o Policy Name : CHAT-Policy

o Description : CHAT-Policy
Telnet Sequence
Match Conditions:
o Application List: Chat-Apps
Action
o SLA Class List: SLA-CHATS
o Color : mpls
o Backup Preferred Color: biz-internet
Web Sequence
Match Conditions:
o Protocol : 6
o Port : 80
Action
o SLA Class List: SLA-Web
o Color : biz-internet
o Strict: Checked
o Save the Policy.
Task 3 – Modify the existing Centralized Policy “Main-Central-

Policy” and call the Traffic Policy

Options -> Centralized Policy -> Main-Central-Policy -> Click “…”
-> Edit.
➢ Click Traffic Rules on the Top of the page.
➢ Click Add Policy.
➢ Click “Import Existing” and select the CHAT-POLICY from the drop-
down list and click Import.
84 of 150
➢ Click Policy Application on the Top of the page.
➢ Click the “Appliacation-Aware Policy” tab.
➢ The CHAT-Policy will be there. Click “New Site List and VPN List”
button.
➢ Select Rome in the Site List.
➢ Select VPN1 in the Site List.
➢ Click Add.
➢ Verify the policy by using the Monitor -> Network -> vEdge3 ->
Troubleshooting -> Simulate Flows Tool.
➢ Normal Ping from Rome should use both the Transports.
➢ Use Aol-messenger as the appliacation and simulate from Rome. It

should only use the biz-internet transport.
➢ Use Aol-messenger as the appliacation and simulate from Los

Angeles or London. It should use both the Transports.

85 of 150
Lab 29 - Manipulating Traffic flow using
TLOCs
Requirements:
➢ Rome should only the MPLS TLOC as the preferred color while
communicating to Los Angeles. The Internet TLOC should be backup
TLOC.

Traffic Engineering Policy for Rome

➢ Click TLOCs and select New TLOC list. Create a policy based on the
following:
o Name : LA-TLOC-MPLS-INT
o TLOC#1:
• IP Address: 10.2.2.202
• Color: MPLS
• Encapsulation: IPSec
• Preference: 300
o TLOC#2:
• IP Address: 10.2.2.202
• Color: Biz-internet
• Encapsulation: IPSec
• Preference: 200
Task 2 – Configure Control/Topology policy based on the

Requirements

Options -> Centralized Policy -> Topology.
➢ Configure 1 Route Policy based on the following:
o Policy Name : LA-MPLS-INT

o Description : LA-MPLS-INT
Route Sequence
Match Conditions:
86 of 150
o Site List: LosAngeles
o VPN List: VPN1
Action
o TLOC/TLOC List: LA-MPLS-INT
Default Sequence
Action
o Accept
o Save the Policy

Policy” and call the Topology Policy

-> Edit.
➢ Click Topology on the Top of the page.
➢ Click Add Topology.
➢ Click “Import Existing” and select the LA-MPLS-INT from the drop-
down list and click Import.
➢ Click the “Topology” tab.
➢ The LA-MPLS-INT-Policy will be there. Click “New Site” button.
➢ Select Rome in the Outbound Site List.
➢ Click Add.
➢ Verify by using the Show IP route vpn 1 command on the Rome

vEdge (vEdge4).
87 of 150
➢ It should only have 1 TLOC for Los Angeles routes (10.2.2.202 –
MPLS), whereas it will have 2 TLOCs for London (10.2.2.203-MPLS,
10.2.2.203-Biz-Internet).

88 of 150
Lab 30 - Configuring Route Filtering
Requirements:
➢ The 172.16.234.2/32, 172.16.234.3/24 & 172.16.234.4/24 should

not be propagated to the Dubai Site.

Route Filtering Policy for Dubai

➢ Click Prefix and select New Prefix list. Create a policy based on the
following:
o Name : PL-234
o Prefix List Entry: 172.16.234.0/24 le 32
➢ Click Site and select New Site list. Create a policy based on the
following:
o Name : Dubai
o Site ID : 1
Task 2 – Configure Control/Topology policy based on the

Requirements

Options -> Centralized Policy -> Topology.
➢ Configure 1 Route Policy based on the following:
o Policy Name : PREF-234-NOT-2-DXB

o Description : PREF-234-NOT-2-DXB
Route Sequence
Match Conditions:
o Prefix List: PL-234
Action: Reject
Default Sequence

89 of 150
Action
o Accept
o Save the Policy

Policy” and call the Topology Policy

-> Edit.
➢ Click Topology on the Top of the page.
➢ Click Add Topology.
➢ Click “Import Existing” and select the PREF-234-NOT-2-DXB from

the drop-down list and click Import.
➢ Click the “Topology” tab.
➢ The PREF-234-NOT-2-DXB will be there. Click “New Site” button.
➢ Select Dubai in the Outbound Site List.
➢ Click Add.
➢ Verify by using the Show IP route vpn 1 command on the Dubai

vEdge (vEdge1).
➢ It should all the routes from the Branches except the

172.16.234.X/32 routes.
➢ These routes should be present in the vEdge2, vEdge3 and vEdge4

routers. You can use the Show IP route vpn 1 command to verify.

90 of 150
Lab 31 – Configuring the WAN
Components
Cloud Edge

VLAN 199 199.1.1.14 255.255.255.240
E 1/0 192.1.100.1 255.255.255.0
E 1/1 192.168.100.1 255.255.255.0
MPLS Cloud

E 0/0 192.168.100.254 255.255.255.0
E 0/1 192.168.11.254 255.255.255.0
E 0/2 192.168.12.254 255.255.255.0
E 0/3 192.168.21.254 255.255.255.0

91 of 150
Internet Cloud

E 0/0 192.1.100.254 255.255.255.0
E 0/1 192.1.11.254 255.255.255.0
E 0/2 192.1.12.254 255.255.255.0
E 0/3 192.1.22.254 255.255.255.0
E 1/0 192.1.31.254 255.255.255.0
WAN Setup
Task 1 – Cloud Edge Router Configuration

o Configure OSPF as the IGP to communicate with the MPLS Cloud.
Enable all the interfaces.
o Make sure OSPF only sends and receives OSPF packets on the link
towards the MPLS Cloud using the Passive-interface command.
o Configure a default route on the router towards the Internet. The
IP Address of the Internet Router is 192.1.100.254

92 of 150
Cloud Edge Router
no ip domain-loo
line con 0
logg sync
no exec-timeout
!
Hostname Cloud Edge
!
Vlan 199
!
Interface range E 0/0-3
Switchport mode access
Switchport access vlan 199
!
Interface VLAN 199
ip address 199.1.1.14 255.255.255.240
no shut
!
Interface E 1/0
ip address 192.1.100.1 255.255.255.240
no shut
!
Interface E 1/1
ip address 192.168.100.1 255.255.255.0
no shut
!
router ospf 1
network 192.168.100.0 0.0.0.255 area 0
network 199.1.1.0 0.0.0.255 area 0
passive-interface default
no passive-interface E 1/1
!
ip route 0.0.0.0 0.0.0.0 192.1.100.254

93 of 150
Task 2 – MPLS Cloud Router Configuration

o Configure OSPF as the IGP on all the interfaces.
MPLS Cloud Router
no ip domain-lookup
!
line con 0
exec-timeout 0 0
logging synchronous
!
hostname MPLS
!
ip address 192.168.100.254 255.255.255.0
no shut
!
ip address 192.168.11.254 255.255.255.0
no shut
!
ip address 192.168.12.254 255.255.255.0
no shut
!
ip address 192.168.21.254 255.255.255.0
no shut
!
router ospf 1
network 192.168.100.0 0.0.0.255 area 0
network 192.168.11.0 0.0.0.255 area 0
network 192.168.12.0 0.0.0.255 area 0
network 192.168.21.0 0.0.0.255 area 0

94 of 150
Task 3 – Internet Cloud Router Configuration

o Configure a Static Route on the Router for the 199.1.1.0/24
network. The Next Hop should point towards the Internet IP of the
HQ Router.
Internet Cloud Router
no ip domain lookup
!
line con 0
exec-timeout 0 0
logging synchronous
!
hostname Internet
!
ip address 192.1.100.254 255.255.255.0
no shut
!
ip address 192.1.11.254 255.255.255.0
no shut
!
ip address 192.1.12.254 255.255.255.0
no shut
!
ip address 192.1.22.254 255.255.255.0
no shut
!
ip address 192.1.31.254 255.255.255.0
no shut
!
ip route 199.1.1.0 255.255.255.0 192.1.100.1

95 of 150
Server Setup
Task 1 – Configure the Interfaces
First Ethernet Interface:
IP Address: 192.168.1.5
Subnet Mask: 255.255.255.0
Third Ethernet Interface:
IP Address: 199.1.1.5
Subnet Mask: 255.255.255.240
Default Gateway: 199.1.1.14
Task 2 – Configure the Timezone and Time
Configure the appropiate Timezone and Time on the Windows Server.
Task 3 – Installing the Enterprise Root Certificate Server
➢ Open Server Manager

➢ Click Roles
➢ Click Add Roles
➢ Click Next
➢ Select the "Active Directory Certificate Services" and click Next
➢ Click Next
➢ Select "Certification Authority Web Enrollment" and click Next
➢ Leave it as Standalone and click Next
➢ Leave it as Root CA and click Next
➢ Leave "Create a new private key" and click Next
➢ Leave the default for the Cryptography for CA and click Next
➢ Set the Common name as KBITS-CA and click Next
➢ Leave the default for the Validity Period and click Next
➢ Click Next
➢ Click Install

96 of 150
Task 4 – Install WinSCP
➢ Double-click the WinSCP Installation file.

➢ Do a Default Installation.
Controller Setup – vManage

▪ Host-name : vManage1
▪ System-IP: 10.1.1.101
▪ Site ID: 1
vManage
config
!
system
host-name vManage1
site-id 1
vbond 199.1.1.3
!
Commit
▪ vpn 0
- Interface eth1
- IP Address: 199.1.1.1/28
- Tunnel Interface

97 of 150
▪ vpn 512
- Interface eth0
- IP Address: 192.168.1.1/24
vManage
config
!
vpn 0
no interface eth0
interface eth1
ip address 199.1.1.1/28
tunnel-interface
allow-service all
allow-service sshd
no shut
ip route 0.0.0.0/0 199.1.1.14
!
vpn 512
interface eth0
ip address 192.168.1.1/24
no shut
!
commit
Task 3 – Organization name & vBond Address
➢ Log into the vManage from the Server by browsing to

https://192.168.1.1:8443 using a username of admin and a
password of admin.
➢ Navigate to Administration -> Settings
➢ Click Edit on the Organization name and set it to KBITS. Confirm

the Organization name. Click OK.
➢ Click Edit on the vBond address and change it to 199.1.1.3.

Confirm and click OK.

98 of 150
Task 4 – Configure Controller Authorization as Enterprise Root and
Download the Root Certificate.
➢ Click “Download Root Certificate”.
➢ Select “Base 64”.
➢ Click “Download CA Certificate”.
➢ Change the name of the Downloaded file “Certnew” to “RootCert”.
➢ Open the “RootCert.cer” file using Notepad.
➢ In vManage, Navigate to Administration -> Settings -> Controller

Certiticate Authorization.
➢ Change the “Certificate Signing by:” to “Enterprise Root

Certificate”.
➢ Paste the RootCert.cer that you had copied by using CTRL-V.
➢ Set the CSR Parameters with the Organization name, City, State,
Country. Set the Time to 3 Years and save.
Task 5 – Generate a CSR for vManage

vManage -> Generate CSR.
CTRL-C.
99 of 150

➢ Change the name of the Downloaded file “Certnew” to “vManage”.
➢ Open the “vManage.cer” file using Notepad.

Controllers
➢ The Identity certificate should be installed on vManage.

100 of 150
Controller Setup – vBond
▪ Host-name : vBond1
▪ System-IP: 10.1.1.103
▪ Site ID: 1
vBond
config
!
system
host-name vBond1
site-id 1
vbond 199.1.1.3 local
!
Commit
▪ vpn 0
- Interface ge0/0
- IP Address: 199.1.1.3/28
- Tunnel Interface
- Encapsulation: IPSec
▪ vpn 512
- Interface eth0
- IP Address: 192.168.1.3/24

101 of 150
vBond
config
!
vpn 0
no interface eth0
interface ge0/0
ip address 199.1.1.3/28
tunnel-interface
encapsulation ipsec
allow-service all
allow-service sshd
no shut
ip route 0.0.0.0/0 199.1.1.14
!
vpn 512
interface eth0
ip address 192.168.1.3/24
no shut
!
Commit
Task 3 – Add vBond to vManage

Controllers -> vBond and specify the following to add the vBond
in vManage.
o Username: Admin
o Password: Admin
o Click OK
➢ Navigate to Configuration -> Certificates -> Controllers -> vBond

-> View CSR.
CTRL-C.

102 of 150

➢ Change the name of the Downloaded file “Certnew” to “vBond”.
➢ Open the “vBond.cer” file using Notepad.

Controllers

103 of 150
➢ The Identity certificate should be installed for vBond and pushed
to it.
Controller Setup – vSmart

▪ Host-name : vSmart1
▪ System-IP: 10.1.1.102
▪ Site ID: 1
vSmart
config
!
system
host-name vSmart1
site-id 1
vbond 199.1.1.3
!
Commit
▪ vpn 0
- Interface Eth1
- IP Address: 199.1.1.2/28
- Tunnel Interface
▪ vpn 512
- Interface eth0

104 of 150
- IP Address: 192.168.1.2/24
vSmart
config
!
vpn 0
no interface eth0
interface eth1
ip address 199.1.1.2/28
tunnel-interface
allow-service all
allow-service sshd
no shut
ip route 0.0.0.0/0 199.1.1.14
!
vpn 512
interface eth0
ip address 192.168.1.2/24
no shut
!
Commit
Task 3 – Add vSmart to vManage

Controllers -> vSmart and specify the following to add the vBond
in vManage.
o Username: Admin
o Password: Admin
o Click OK

vSmart -> View CSR.
CTRL-C.

105 of 150

➢ Change the name of the Downloaded file “Certnew” to “vSmart”.
➢ Open the “vSmart.cer” file using Notepad.

Controllers
➢ The Identity certificate should be installed for vSmart and pushed

to it.
106 of 150
WAN Edge Setup – (CLI)
Task 1 – Upload the WAN Edge List
➢ On the vManage Main windows, Naviagte to Configuration ->

Devices. Click on “Upload WAN Edge List”.
➢ Select the file you downloaded from the PNP Portal. Upload it and
check the Validate option.
vEDGE-1
▪ System-IP: 10.2.2.201
▪ Site ID: 1
vEdge1
config
!
system
host-name vEdge1
site-id 1
vbond 199.1.1.3
!
commit

107 of 150
▪ vpn 0
- Interface ge0/0
- IP Address: 192.168.11.1/24
- Tunnel Interface
- Default Route: 192.168.11.254
▪ vpn 512
- Interface eth0
vEdge1
config
!
vpn 0
no interface eth0
interface ge0/0
ip address 192.168.11.1/24
tunnel-interface
encapsulation ipsec
allow-service all
allow-service sshd
no shut
ip route 0.0.0.0/0 192.168.11.254
!
vpn 512
interface eth0
ip dhcp-client
no shutdown
commit

108 of 150
vEDGE-2
▪ System-IP: 10.2.2.202
▪ Site ID: 1
vEdge-2
config
!
system
host-name vEdge2
site-id 1
vbond 199.1.1.3
!
commit
▪ vpn 0
- Interface ge0/0
- IP Address: 192.168.12.2/24
- Tunnel Interface
- Default Route: 192.168.12.254
▪ vpn 512
- Interface eth0

109 of 150
vEdge2
config
!
vpn 0
no interface eth0
interface ge0/0
ip address 192.168.12.2/24
tunnel-interface
encapsulation ipsec
allow-service all
allow-service sshd
no shut
ip route 0.0.0.0/0 192.168.102.254
!
vpn 512
interface eth0
ip dhcp-client
no shutdown
!
commit
vEDGE-3
▪ System-IP: 10.2.2.203
▪ Site ID: 2
vEdge-3
config
!
system

110 of 150
host-name vEdge3
site-id 2
vbond 199.1.1.3
!
Commit
▪ vpn 0
- Interface ge0/0
- IP Address: 192.168.21.3/24
- Tunnel Interface
- Default Route: 192.168.21.254
▪ vpn 512
- Interface eth0
vEdge3
config
!
vpn 0
no interface eth0
interface ge0/0
ip address 192.168.21.3/24
tunnel-interface
encapsulation ipsec
allow-service all
allow-service sshd
no shut
ip route 0.0.0.0/0 192.168.21.254
!
vpn 512
interface eth0
ip dhcp-client
no shutdown
!

111 of 150
Commit
vEDGE-4
▪ System-IP: 10.2.2.204
▪ Site ID: 2
vEdge-4
config
!
system
host-name vEdge4
site-id 2
vbond 199.1.1.3
!
Commit
▪ vpn 0
- Interface Ge0/1
- IP Address: 192.1.22.4/24
- Tunnel Interface
- Default Route: 192.168.22.254
▪ vpn 512

112 of 150
- Interface eth0
vEdge4
config
!
vpn 0
no interface eth0
interface ge0/1
ip address 192.1.22.4/24
tunnel-interface
encapsulation ipsec
allow-service all
allow-service sshd
no shut
ip route 0.0.0.0/0 192.168.22.254
!
vpn 512
interface eth0
ip dhcp-client
no shutdown
!
Commit

113 of 150
WAN Edge Setup – vManage (GUI)
vEDGE-1
o IP Address : 192.168.11.1
o Protocol - SFTP
o Username : admin
o Password : admin


command:
vEdge from vManage.


issued.

114 of 150
vEDGE-2
o IP Address : 192.168.12.2
o Protocol - SFTP
o Username : admin
o Password : admin


command:
➢ Note and use the Chassis Number and Token number for the 2nd
vEdge from vManage.


issued.

115 of 150
vEDGE-3
o IP Address : 192.168.21.3
o Protocol - SFTP
o Username : admin
o Password : admin


command:
➢ Note and use the Chassis Number and Token number for the 3rd
vEdge from vManage.


issued.

116 of 150
vEDGE-4
o Protocol - SFTP
o Username : admin
o Password : admin


command:
vEdge from vManage.


issued.

117 of 150
Lab 32 – Configuring Firewalls to
supports SD-WAN
ASAv1

Gig 0/0 192.1.31.10 255.255.255.0
Gig 0/0 192.168.31.10 255.255.255.0
Firewall Configuration
Task 1 – Interface Configuration and Default Routing on ASA in Los
Angeles

o Configure Gig 0/0 with a Name of “Outside” using the default
Security Level.
o Configure Gig 0/1 with a Name of “Inside” using the default
Security Level.
o Configure a default route on the ASA pointing towards the Internet
Cloud thru the Outside Interface.

118 of 150
ASAv Firewall
Hostname ASAv1
!
Interface Gig 0/0
Nameif Outside
ip address 192.1.31.10 255.255.255.0
no shut
!
Interface Gig 0/1
Nameif Inside
ip address 192.168.31.10 255.255.255.240
no shut
!
Route Outside 0.0.0.0 0.0.0.0 192.1.31.254
Task 2 – Translate vEdge5 on the Outside.
o Statically Translate vEdge5 as 192.1.31.5 on the Outside.

o The Private address that will be assigned to vEdge5 is
192.168.31.5.
ASAv Firewall
Object network vEdge5

Host 192.168.31.5
Nat (Inside,Outside) static 192.1.31.5

119 of 150
Lab 33 – Configuring vEdges with NAT
thru Firewalls
vEDGE-5 Initialization – (CLI)

Task 1 – Configuring the System Component on vEdge5
▪ System-IP: 10.2.2.205
▪ Site ID: 3
vEdge-5
config
!
system
host-name vEdge5

120 of 150
site-id 3
vbond 199.1.1.3
!
Commit
Task 2 – Configure the vpn parameters on vEdge5
▪ vpn 0
- Interface ge0/0
- IP Address: 192.168.31.5/24
- Tunnel Interface
▪ vpn 512
- Interface eth0
vEdge5
config
!
vpn 0
no interface eth0
interface ge0/0
ip address 192.168.31.5/24
tunnel-interface
encapsulation ipsec
allow-service all
allow-service sshd
no shut
ip route 0.0.0.0/0 192.168.31.10
!
vpn 512
interface eth0
ip dhcp-client
no shutdown
!
Commit

121 of 150
vEDGE-5 Initialization – vManage(GUI)
Task 1 – Configure an ACL on ASAv to allow the Certificate server to
SFTP to vEdge5 to upload the Root Certificate
ASAv
Access-list OUTSIDE permit tcp host 199.1.1.5 host 192.168.31.5 eq 22

!
Access-group OUTSIDE in interface Outside
o Protocol - SFTP
o Username : admin
o Password : admin


command:
vEdge from vManage.


122 of 150
issued.
vEdge5 Templates Creation
System
Task 1 – Configure the System Template to be used by all vEdge-

Cloud Devices

vEdge Cloud -> Basic Information -> System
o Template Name : VE-System

o Description : VE-System
o Timezone -> Device Specific
VPN 0
Task 1 – Configure a VPN Template to be used by all BR3 vEdges

(vEdge5) for VPN0

o Template Name : BR3-VE-VPN-VPN0

o Description : BR3-VE-VPN-VPN0
Basic Configuration
o VPN -> Global : 0

123 of 150
IPv4 Route
Task 2 – Configure a VPN Interface Template to be used by all BR3


o Template Name : BR3-VE-VPNINT-VPN0-G0

o Description : BR3-VE-VPNINT-VPN0-G0
Basic Configuration
Tunnel
o Color -> Global : Biz-internet
Allow Service
VPN512



124 of 150
Basic Configuration

Branch vEdge-Cloud Devices for VPN 512 for Interface Eth0

o Template Name : BR-VE-VPNINT-VPN512-E0

o Description : BR-VE-VPNINT-VPN512-E0
Basic Configuration
VPN 1
Task 1 – Configure a VPN Template to be used by all Brance vEdge-



Basic Configuration
o VPN -> Global : 1

125 of 150


Basic Configuration



Redistribution
o Protocol : OMP
Area Configuration

126 of 150
vEdge5 Templates Deployment
Task 1 – Configure a Device Template for BR3 vEdge Devices.

o Template Name : BR3-VE-TEMP

o Description : BR3-VE-TEMP
Basic Information

o VPN 0 : BR3-VE-VPN-VPN0
o VPN Interface : BR3-VE-VPNINT-VPN0-G0

Service VPN
o OSPF: BR-VE-OSPF-VPN1

BR3-VE-TEMP.
➢ Click Attach.

127 of 150
Templates

o Timezone: America/Los_Angeles
o System IP : 10.2.2.205
o Site ID : 3
➢ Click Update.
Success.
Site-3 Internal Router Configuration

Site-3 Internal Router
No ip domain-lookup
!
Hostname R3
!
Interface E 0/0
Ip address 172.16.30.33 255.255.255.0
No shut
!
Interface loopback1
Ip address 172.16.31.1 255.255.255.0
Ip ospf network point-to-point
!
Interface loopback2
Ip address 172.16.32.1 255.255.255.0

128 of 150
!
Interface loopback3
Ip address 172.16.33.1 255.255.255.0
!
Router ospf 1
Network 172.16.0.0 0.0.255.255 area 0
Verification
Neighbor relationship with the MPLS Router by issuing the Show ospf

129 of 150
Lab 34 – Configuring TLOC Extensions

VPN 0
Task 1 – Configure a VPN Template to be used by BR2 vEdges for

VPN0


Basic Configuration
o VPN -> Global : 0
IPv4 Route

130 of 150



Basic Configuration
Tunnel
o Color -> Global : Mpls
Allow Service



Basic Configuration
Tunnel
131 of 150
o Color -> Global : Biz-Internet
Allow Service
Task 4 – Configure a Template that will be used for TLOC-Extension

on BR2 vEdges

o Template Name : BR2-VE-VPNINT-VPN0-TLOC-G3

o Description : BR2-VE-VPNINT-VPN0-TLOC-G3
Basic Configuration
Advanced
o TLOC Extension: Device Specific
Task 5 – Configure a OSPF Template to be used by vEdge3 for VPN 0

o Template Name : BR2-VE-vEdge3-OSPF-VPN0

o Description : BR-VE-vEdge3-OSPF-VPN0
Area Configuration
132 of 150

Task 1 – Configure a Device Template for BR2 vEdge3.

o Template Name : BR2-VE-vEdge3-TEMP

o Description : BR2-VE-vEdge3-TEMP
Basic Information

o VPN Interface : BR2-VE-VPNINT-VPN0-TLOC-G3
o OSPF: BR2-VE-vEdge3-OSPF-VPN0

Service VPN

BR2-VE-vEdge3-TEMP

133 of 150
➢ Click Attach.

Templates

o TLOC Extension: ge0/0
o Timezone: Europe/London
o System IP : 10.2.2.203
o Site ID : 2
➢ Click Update.
Success.

134 of 150
VPN 0
Task 1 – Configure a OSPF Template to be used by vEdge4 for VPN 0

o Template Name : BR2-VE-vEdge4-OSPF-VPN0

o Description : BR-VE-vEdge4-OSPF-VPN0
Area Configuration

Task 1 – Configure a Device Template for BR2 vEdge4.

o Template Name : BR2-VE-vEdge4-TEMP

o Description : BR2-VE-vEdge4-TEMP
Basic Information

o VPN Interface : BR2-VE-VPNINT-VPN0-TLOC-G3
o OSPF: BR2-VE-vEdge4-OSPF-VPN0

135 of 150
Service VPN

BR2-VE-vEdge4-TEMP
➢ Click Attach.

Templates

o TLOC Extension: ge0/1
o Timezone: Europe/London
o System IP : 10.2.2.204
o Site ID : 2
➢ Click Update.
136 of 150
Success.

No ip domain-lookup
!
Hostname R2
!
Interface E 0/0
Ip address 172.16.20.22 255.255.255.0
No shut
!
Interface loopback1
Ip address 172.16.21.1 255.255.255.0
!
Interface loopback2
Ip address 172.16.22.1 255.255.255.0
!
Interface loopback3
Ip address 172.16.23.1 255.255.255.0
!
Router ospf 1
Network 172.16.0.0 0.0.255.255 area 0
Verification
➢ Verify the configuration on vSmart. You can do that by making sure
that you are receiving 2 TLOCS for vEdge3 and 2 TLOCS for vEdge4.
The command to verify is show omp tlocs.

137 of 150
Lab 35 – Load Balancing using Multiple
vEdges

VPN 0
Task 1 – Configure a VPN Template to be used by BR2 vEdges for

VPN0


Basic Configuration
o VPN -> Global : 0
IPv4 Route

138 of 150



Basic Configuration
Tunnel
o Color -> Global : Mpls
Allow Service



Basic Configuration
Tunnel
139 of 150
o Color -> Global : Biz-Internet
Allow Service
Task 4 – Configure a OSPF Template to be used by all BR2 vEdge-


o Template Name : BR1-VE-OSPF-VPN0

o Description : BR1-VE-OSPF-VPN0
Area Configuration
vEdge1&2 Templates Deployment

Task 1 – Configure a Device Template for BR2 vEdges.

o Template Name : BR1-VE-TEMP

o Description : BR1-VE-TEMP
Basic Information


140 of 150
o OSPF: BR1-VE-OSPF-VPN0

Service VPN
Task 2 – Attach vEdge1 & 2 to the Device Template

BR2-VE-TEMP
➢ Select vEdge1 & vEdge2 and click the “ -> “ button.
➢ Click Attach.

Templates
➢ vEdge1 & vEdge2 will appear in the window.
vEdge1
o Timezone: Asia/Dubai

141 of 150
o System IP : 10.2.2.201
o Site ID : 1
vEdge2
o Timezone: Asia/Dubai
o System IP : 10.2.2.202
o Site ID : 1
➢ Click Update.
Success.

No ip domain-lookup
!
Hostname R1
!
Interface E 0/0
Ip address 172.16.10.11 255.255.255.0
No shut
!
Interface loopback1
Ip address 172.16.11.1 255.255.255.0
!
Interface loopback2
Ip address 172.16.12.1 255.255.255.0
!
Interface loopback3
Ip address 172.16.13.1 255.255.255.0

142 of 150
!
Router ospf 1
Network 172.16.0.0 0.0.255.255 area 0
Verification
➢ Verify the configuration on vEdge1 & vEdge2. You can do that by
verify OSPF Neighbor relationship with the MPLS Router by issuing
the Show ospf neighbor command on vEdge1 & vEdge2.

143 of 150
Lab 36 – Configuring A Hub-n-Spoke
Topology using a TLOC

for VPN 0


Basic Configuration
o VPN -> Global : 0
IPv4 Route
o Next Hop -> Global : 199.1.1.14

144 of 150
for VPN 512


Basic Configuration
Task 3 – Configure a VPN Interface Template to be used by vSmart



Basic Configuration
Tunnel
o Color -> default
Allow Service
Task 4 – Configure a VPN Interface Template to be used vSmart

145 of 150

Basic Configuration
o IPv4 Address -> Static -> Device-Specific
Task 5 – Configure a Device Template for vSmart Controllers.

Create Template -> vSmart
o Template Name : vSmart-TEMP

o Description : vSmart-TEMP
Basic Information


Task 6 – Attach vSmart to the Device Template

vSmart-TEMP

146 of 150
➢ Select vSmart and click the “ -> “ button.
➢ Click Attach.

Templates
➢ vSmart will appear in the window.

o Hostname : vSmart-1
o System IP : 10.1.1.102
o Site ID : 1
➢ Click Update.
Success.

147 of 150
Policy Requirements:
➢ Los Angeles & London Sites are communicating to each other directly.
You can verify this by checking the routes. The routes should be
pointing directly at the TLOCs of the Branch Sites directly.
➢ All traffic between the sites should be forwarded via the HQ Site
Dubai. Use a TLOC list to accomplish this task.

Hub-n-Spoke

➢ Click VPN and select New VPN list. Create 1 policy based on the
following:
o Name : VPN1
o ID : 1
➢ Click Site and select New Site list. Create 2 policies based on the
following:
o Name : Dubai
o Site ID : 1
o Name : London
o Site ID : 2
o Name : Los Angeles

o Site ID : 3
➢ Click TLOC and select New TLOC list. Create 1 policies based on the
following:
o Name : TLOC-Dubai
o TLOCs
• 10.2.2.201 – mpls – IPSec – 500
• 10.2.2.202 – mpls – IPSec – 500
• 10.2.2.201 – biz-internet – IPSec – 400
• 10.2.2.202 – biz-internet – IPSec – 400

148 of 150
Task 2 – Configure a Topology based on the Requirements

Options -> Centralized Policy -> Topology -> Add Topology ->
Custom ->
➢ Configure the topology based on the following:
o Policy Name : Hub-n-Spoke

o Description : Hub-n-Spoke
Route Sequence- London

Match Conditions:
o Site: London
Action
o TLOC: TLOC-List = Dubai-TLOC
Route Sequence- Los Angeles

Match Conditions:
o Site: Los Angeles
Action
o TLOC: TLOC-List = Dubai-TLOC
Default
Action
o Accept
Click Save Match and Actions

o Save Control Policy.
Task 3 – Create a Centralized Policy and call the Traffic Policy

Options -> Centralized Policy -> Add Centralized Policy
➢ Click Next on the “Group of Interests” page as we have already

created the required lists.
➢ Click Add Policy on the “Topology and VPN Membership” page.

149 of 150
➢ Click “Import Existing”, Select Custom and select the Hub-n-Spoke
from the drop-down list and click Import. Click Next.
➢ Click Next on the “Configure Traffic Rules” page as we are not using
any Control Policies. You will move to the “Apply Policy to Sites and
VPNs” Page.
➢ The Hub-n-Spoke policy will be there. Click “New Site” button.
➢ Select Los Angeles and London in the Outbound Site List.
➢ Click Add.
➢ Assign the Policy a name and Desription based on the following:
o Policy Name : Main-Central-Policy

o Description : Main-Central-Policy
➢ You can verify this by doing checking the routes. The routes should
be pointing directly at the TLOCs of Dubai and all traffic will be
forwarded thru Dubai.

150 of 150

KB Implementing SD-WAN Workbook

Uploaded by

Copyright:

Available Formats

KB Implementing SD-WAN Workbook

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

KB Implementing SD-WAN Workbook

Uploaded by

Copyright:

Available Formats

What are the steps to configure the interfaces on the HQ router?

What are the steps to configure the interfaces on the HQ router?

What are the steps to configure OSPF on the MPLS cloud router?

What are the steps to configure OSPF on the MPLS cloud router?

Implementing SD-WAN

Interface IP Address Subnet Mask

Interface IP Address Subnet Mask

(c) KBITS Live | https://kbits.live

Interface IP Address Subnet Mask

(c) KBITS Live | https://kbits.live

o Configure the Interfaces based on the Logical Diagram

(c) KBITS Live | https://kbits.live

o Configure the Interfaces based on the Logical Diagram.

MPLS Cloud Router

(c) KBITS Live | https://kbits.live

o Configure the Interfaces based on the Logical Diagram

Internet Cloud Router

(c) KBITS Live | https://kbits.live

Note: It builds on the topology created in the previous lab.

Task 1 – Configure the Interfaces

First Ethernet Interface:

Third Ethernet Interface:

Task 2 – Configure the Timezone and Time

Configure the appropiate Timezone and Time on the Windows Server.

Task 3 – Installing the Enterprise Root Certificate Server

➢ Open Server Manager

(c) KBITS Live | https://kbits.live

➢ Double-click the WinSCP Installation file.

(c) KBITS Live | https://kbits.live

(c) KBITS Live | https://kbits.live

Task 1 – Configuring the System Component

o Configure the System parameters based on the following:

Note: Default username: admin Default password: admin

(c) KBITS Live | https://kbits.live

Task 2 – Configured the vpn parameters

o Configure the VPN parameters based on the following:

(c) KBITS Live | https://kbits.live

Task 1 – Organization name & vBond Address

➢ Log into the vManage from the Server by browsing to

➢ Navigate to Administration -> Settings

➢ Click Edit on the Organization name and set it to KBITS. Confirm

➢ Click Edit on the vBond address and change it to 199.1.1.3.

Task 2 – Configure Controller Authorization as Enterprise Root and

➢ Click “Download Root Certificate”.

➢ Select “Base 64”.

➢ Click “Download CA Certificate”.

➢ Open Explorer and navigate to the downloads folder.

➢ Change the name of the Downloaded file “Certnew” to “RootCert”.

➢ Open the “RootCert.cer” file using Notepad.

➢ Copy using CTRL-A and CTRL-C.

➢ In vManage, Navigate to Administration -> Settings -> Controller

➢ Change the “Certificate Signing by:” to “Enterprise Root

➢ Paste the RootCert.cer that you had copied by using CTRL-V.

(c) KBITS Live | https://kbits.live

Task 3 – Generate a CSR for vManage

➢ Navigate to Configuration -> Certificates -> Controllers ->

Task 4 – Request a Certificate from the CA Server

➢ Click “Request a Certificate”.

Task 5 – Issue the Certificate from the CA Server

➢ Open Server Manager and navigate to Active Directory