  • Cisco SD-WAN Policy Guide Hub & Spoke Topology

    Version 1

    Hasham Malik Cisco SD-WAN - Technical Marketing Engineer

  • Confidential Cisco Systems, Inc. Page 2 of 34 Cisco SD-WAN Design Guide

    Table of Contents

      INTRODUCTION 3
      CISCO SD-WAN SOLUTION 3
      SD-WAN POLICIES FOR HUB & SPOKE TOPOLOGY 4
        1. HUB-AND-SPOKE TOPOLOGY POLICY 7
        2. CUSTOM CONTROL TOPOLOGY POLICY - HUB-AND-SPOKE 18
        3. CLI POLICY - HUB-AND-SPOKE 24
      RESTRICTING DATA TUNNELS 28

    Introduction
    This document describes how to configure policies on Cisco SD-WAN (powered by Viptela) to create a Hub & Spoke topology. Note: the devices were running 18.x code while this document was created.

    Cisco SD-WAN Solution
    The Cisco SD-WAN solution (at a very high level) is comprised of a separate orchestration plane, management plane, control plane and data plane.

    • Orchestration plane (vBond): Assists in the automatic onboarding of the SD-WAN routers into the SD-WAN overlay.
    • Management plane (vManage): Responsible for central configuration and monitoring.
    • Control plane (vSmart): Builds and maintains the network topology and makes decisions on where traffic flows.
    • Data plane (WAN-Edge): Responsible for forwarding packets based on decisions from the control plane.

    SD-WAN Policies for Hub & Spoke Topology
    The Cisco SD-WAN fabric, by default, creates a full-mesh topology between all WAN-Edge routers. Using policies on vManage we can establish a different topology per segment and create flows as per the design requirements. There are multiple ways a Hub-and-Spoke topology can be created between sites, for a single VPN or for multiple VPNs. Here are three different ways to create a Hub and Spoke topology in the network:

    1. Hub-and-Spoke Topology Policy
    2. Custom Control Topology Policy
    3. Centralized CLI Policy

    Before we explain how to use each of these policies, let us look at the current topology setup shown below:

    By default, the traceroutes show that the topology between the three sites in the figure is full mesh, where each site is directly reachable from the other sites. Ping from Br113-Edge1 to a host 10.112.1.10 behind Br112 WAN-Edge1 on VPN1.

    Login to vManage->Monitor->Network->Br113-Edge1->Troubleshooting->Trace Route

    Ping from Br112-Edge1 to the VPN1 interface IP on Br113 WAN-Edge1 shows a direct data tunnel:

    The show ip route command shows the subnet 10.113.1.0/24 is learned from TLOC 10.10.113.1.

    1. Hub-and-Spoke Topology Policy
    This policy filters the advertisement of routes and TLOCs between the Spokes. Therefore, the DC site must advertise a default route to the Spoke sites so that traffic between the Spokes can be routed via the Hub. Here is a BGP configuration sample for the vEdges and the Core router, where the default route is originated on the Core router and advertised to the DC vEdges.

    Core router configs example:

        router bgp 65001
         bgp router-id 2.2.2.4
         bgp log-neighbor-changes
         neighbor 10.101.1.2 remote-as 65101
         neighbor 10.101.1.2 description DC1-vEdge1
         neighbor 10.101.1.3 remote-as 65101
         address-family ipv4
          neighbor 10.101.1.2 activate
          neighbor 10.101.1.3 activate
          default-information originate
         exit-address-family

    DC vEdge1 router configs example:

        vpn 1
         router
          bgp 65101
           router-id 10.101.1.2            <-- Edge router interface address
           address-family ipv4-unicast
            redistribute omp
           neighbor 10.101.1.200
            description Core Router
            no shutdown
            remote-as 65001
            address-family ipv4-unicast
           neighbor 10.101.1.3
            description DC1-vEdge2 IBGP-PEER
            no shutdown
            remote-as 65101
            address-family ipv4-unicast

    DC vEdge2 router configs example:

        vpn 1
         router
          bgp 65101
           router-id 10.101.1.3            <-- Edge router interface address
           address-family ipv4-unicast
            redistribute omp
           neighbor 10.101.1.1
            description Core Router
            no shutdown
            remote-as 65001
            address-family ipv4-unicast
           neighbor 10.101.1.2
            description DC1-vEdge1 IBGP-PEER
            no shutdown
            remote-as 65101
            address-family ipv4-unicast

    To create a Hub and Spoke topology, first create the Lists that will be referenced by the Control Policy: go to vManage->Configurations->Policies->Custom Options->Centralized Policy->Lists.

    Create Site List for Spokes

    Similarly, create a Site List for the Hub.

    Go to vManage->Configurations->Policies->Custom Options->Centralized Policy->Lists->VPN.

    A VPN List allows us to create separate topologies per VPN. More than one VPN can be defined, but in this example we create a VPN List for VPN 1 only.

    Now, to create a Hub and Spoke Topology, go to vManage->Configurations->Policies->Custom Options->Centralized Policy->Topology

    Click Hub-and-Spoke under +Add Topology

    Fill out the Name and Description fields. Then add the VPN List, Spoke and Hub Site Lists.

    Click Preview at the bottom left to see the CLI of the Policy before saving:

        control-policy Control_Spokes_Br112-113
         sequence 10
          match route
           site-list Hub-DC1-Site101
           vpn-list VPN1
          !
          action accept
          !
         !
         sequence 20
          match tloc
           site-list Hub-DC1-Site101
          !
          action accept
          !
         !
         default-action reject
        !

    Now Save the Policy.

    We have successfully created the Topology Policy; however, the policy is not yet visible under Configurations->Policies->Centralized Policy.

    This is because we created only a Topology Policy. Let's add this Topology Policy to a Centralized Policy: click Add Policy and then click Next, as we have already created the required Lists. Under Configure Topology and VPN Membership, add the Topology Policy using the Import option.

    Import the Policy

    Click Next->Next and then name the Policy

    Click Preview to view the complete Policy in CLI

        policy
         control-policy control_2031446662
          sequence 10
           match route
            site-list Hub-DC1-Site101
            vpn-list VPN1
           !
           action accept
           !
          !
          sequence 20
           match tloc
            site-list Hub-DC1-Site101
           !
           action accept
           !
          !
          default-action reject
         !
         lists
          site-list Hub-DC1-Site101
           site-id 101
          !
          site-list Spokes_Br112-113
           site-id 112
           site-id 113
          !
          vpn-list VPN1
           vpn 1
          !
         !
        !
        apply-policy
         site-list Spokes_Br112-113
          control-policy control_2031446662 out
         !
        !

    As the apply-policy section of the CLI shows, once the Policy is activated it is pushed to all vSmart controllers and applied in the OUT direction towards the Spokes. Save the Policy; it is now visible under Centralized Policy.

    Now activate the policy by clicking … of the Hub-and-Spoke Policy and then click Activate

    The Hub-and-Spoke Policy is successfully pushed to the vSmart. Let's test the policy. On Br113-Edge1, show ip route vpn 1 shows that we are no longer learning any routes from Site 112.

    A traceroute from Br113-Edge1 to the host 10.112.1.10 behind Br112 WAN-Edge on VPN1 now follows the default route learned from the DC site.

    Monitor->Network->Br113-Edge1->Troubleshooting->Trace Route

    Deactivate the policy when not needed:

    2. Custom Control Topology Policy - Hub-and-Spoke
    You can use a Centralized Custom Control Policy to create a hub and spoke topology. In this policy we change the next-hop TLOC of the Spokes' OMP routes to the Hub's TLOC before the vSmart controller advertises those routes to the other Spokes. To start a new policy, go to Configurations->Policies->Centralized Policy and click Add Policy.

    In this document, the Site lists and the VPN list were created in the previous section (Hub-and-Spoke Topology Policy). Create the Site list for the Spokes and a Site list for the Hub if they do not exist yet; for guidance refer to the previous section.

    Create list for VPN1:

    Click Next to go to Configure Topology and VPN Membership -> Add Topology -> Custom Control (Route & TLOC)

    Add Sequence Type and select Route

    Add Name and Description, click Sequence Rule, rename the Rule Sequence, and Match on Site. Then select the site list for Spokes.

    Change the Action for the rule to Accept and set the TLOC to the DC1-vEdge1 TLOC IP, the color to MPLS and the encapsulation to IPSEC. To specify more than one TLOC that can be used as the next hop, use a TLOC List. Color and Encapsulation can be set to different values if needed. This action changes the next-hop TLOC IP of the prefixes advertised by the Spokes to DC1-vEdge1's TLOC.

    Change the Default Action to Accept and save the rule.

    Now save the Policy and click Next, and Next again. In Apply Policies to Sites and VPNs, add a Name and Description and add the Site list of Spokes in the Outbound direction. The direction is from the vSmart perspective: vSmart is the control plane that receives the prefixes from all branches and then advertises them out to the other sites. Applying this policy in the outbound direction means that vSmart rewrites the TLOC of the Br112 prefixes before they are advertised to Br113. Now Preview and then Save Policy. The CLI of the policy is below:

        policy
         control-policy Custom-Hub-and-Spoke_112-DC-113
          sequence 1
           match route
            site-list Spokes_Br112-113
           !
           action accept
            set
             tloc 10.10.101.1 color mpls encap ipsec
            !
           !
          !
          default-action accept
         !
         lists
          site-list Spokes_Br112-113
           site-id 112
           site-id 113
          !
         !
        !
        apply-policy
         site-list Spokes_Br112-113
          control-policy Custom-Hub-and-Spoke_112-DC-113 out
         !
        !

    Let’s Activate the policy

    Policy is successfully pushed to the vSmarts

    Let's check the routing tables on the Br112 and Br113 vEdges. show ip route on Br112-Edge1 shows that in VPN 1 the next hop of the Br113 route is now the DC1 TLOC.

    Similarly, on Br113-Edge1 it shows that in VPN 1 the next hop of the Br112 route is now the DC1 TLOC.

    Let's test this using traceroute as well. Go to Monitor->Network->Br112-Edge1->Troubleshooting->Trace Route

    The traceroute confirms that traffic from Br112 takes one hop through the DC site to reach Br113. Traffic from Br113 to a host in Br112 confirms the hub-and-spoke topology as well.

    Deactivate the Policy before going to the next section.

    3. CLI Policy - Hub-and-Spoke
    The same task of creating the Hub-and-Spoke topology can be achieved using a CLI Policy. To create one, click CLI Policy under Custom Options and then click Add Policy.

    Fill out the Name and Description fields. In the CLI Configuration box, type in the policy or copy/paste the CLI policy that was previewed in the Custom Policy Hub-and-Spoke section.

    Click Add and then Activate the policy

    After the policy has been pushed successfully, test the topology using traceroutes.

    The result shows that the DC WAN-Edge is a hop on the path, which confirms that the topology is now Hub-and-Spoke for VPN 1 between Br112 and Br113.

    Traceroute from Br112-Edge1 to Br113-Edge1 VPN1 interface

    Traceroute from Br113-Edge1 to host behind Br112-Edge1

    Restricting Data Tunnels
    In some designs we may need to restrict the creation of data tunnels between two sites. In the previous sections we created hub-and-spoke topologies either by filtering IP routes or by changing the next-hop TLOC of the prefixes. However, data tunnels are still created between the Spokes. This is because the Spokes still learn each other's TLOC advertisements, and data tunnels are built from the TLOC information of the Edge routers. To prevent data tunnel creation between two sites, we need to filter the advertisement of the TLOCs between those sites. To demonstrate this, let's copy the Custom Policy Hub-and-Spoke and give the copy a Name and Description.

    Then Activate the new policy. Confirm that the status of the activated policy is true.

    Confirm that the Br112 route learned on Br113 has the next-hop TLOC of the DC, and vice versa.

    In the command output below we can see that data tunnels are created between Br112 and Br113:

        Br112-Edge1# show bfd sessions
                                      SOURCE TLOC   REMOTE TLOC                                   DST PUBLIC  DST PUBLIC         DETECT      TX
        SYSTEM IP    SITE ID  STATE   COLOR         COLOR         SOURCE IP       IP              PORT        ENCAP  MULTIPLIER  INTERVAL(msec)  UPTIME       TRANSITIONS
        -----------------------------------------------------------------------------------------------------------------------------------------------------------------
        10.10.101.1  101      up      mpls          mpls          100.17.112.242  100.17.101.34   12406       ipsec  7           1000            42:00:06:05  0
        10.10.101.2  101      up      mpls          mpls          100.17.112.242  100.17.101.35   12346       ipsec  7           1000            42:22:46:15  89
        10.10.113.1  113      up      biz-internet  biz-internet  100.16.112.242  100.16.113.242  12366       ipsec  7           1000            0:00:12:25   4
        10.10.113.1  113      up      mpls          mpls          100.17.112.242  100.17.113.242  12366       ipsec  7           1000            0:23:39:48   2

    Let's now modify this policy to restrict the TLOC advertisement of Br112 to Br113 and vice versa. Edit the policy TLOC-Filter-Hub-n-Spoke112-113 and go to the Topology tab. Copy Custom-Hub-and-Spoke_112-DC-113 and then detach it so that we can modify the new copy.

    Edit the new topology

    Add new Sequence Type of TLOC

    Rename the Sequence Type, then create a new Sequence Rule and match on the Spoke Site IDs. Select Reject as the Action. This filters the TLOC advertisements of sites Br112 and Br113.

    Save the rules. Confirm that the Default Action of the policy is Accept; this allows Br112 and Br113 to keep learning all other TLOCs.

    Save the Control Policy and, in the Policy Application tab, add the Spokes list as the Outbound Site List.

    Preview the policy. The CLI shows that the TLOCs are now matched and rejected in sequences 11 and 21.

        policy
         control-policy TLOC-Filter-Hub-n-Spoke112-113
          sequence 1
           match route
            site-list Spokes_Br112-113
           !
           action accept
            set
             tloc 10.10.101.1 color mpls encap ipsec
            !
           !
          !
          sequence 11
           match tloc
            site-list Spokes_Br112-113
           !
           action reject
           !
          !
          default-action accept
         !
         lists
          site-list Spokes_Br112-113
           site-id 112
           site-id 113
          !
         !
        !
        apply-policy
         site-list Spokes_Br112-113
          control-policy TLOC-Filter-Hub-n-Spoke112-113 out
         !
        !

    Save the Policy Changes and Activate the policy.

    Check the route tables to confirm that the next hop is the DC TLOC.

    There are no data tunnels between Br112 and Br113:

        Br113-Edge1# show bfd sessions
                                      SOURCE TLOC   REMOTE TLOC                                   DST PUBLIC  DST PUBLIC         DETECT      TX
        SYSTEM IP    SITE ID  STATE   COLOR         COLOR         SOURCE IP       IP              PORT        ENCAP  MULTIPLIER  INTERVAL(msec)  UPTIME       TRANSITIONS
        -----------------------------------------------------------------------------------------------------------------------------------------------------------------
        10.10.101.1  101      up      biz-internet  biz-internet  100.16.113.242  100.16.101.18   12386       ipsec  7           1000            0:02:10:47   0
        10.10.101.1  101      up      mpls          mpls          100.17.113.242  100.17.101.34   12406       ipsec  7           1000            6:03:35:51   0
        10.10.101.2  101      up      biz-internet  biz-internet  100.16.113.242  100.16.101.19   12386       ipsec  7           1000            0:02:08:48   0
        10.10.101.2  101      up      mpls          mpls          100.17.113.242  100.17.101.35   12346       ipsec  7           1000            6:03:35:51   0
        10.10.102.1  102      up      biz-internet  biz-internet  100.16.113.242  100.16.102.18   12386       ipsec  7           1000            0:00:03:10   1
        10.10.102.1  102      up      mpls          mpls          100.17.113.242  100.17.102.34   12346       ipsec  7           1000            0:00:03:10   3
        10.10.102.2  102      up      biz-internet  biz-internet  100.16.113.242  100.16.102.19   12366       ipsec  7           1000            0:00:03:10   1
        10.10.102.2  102      up      mpls          mpls          100.17.113.242  100.17.102.35   12346       ipsec  7           1000            0:00:03:10   3
        10.10.114.1  114      up      mpls          mpls          100.17.113.242  100.17.114.242  12426       ipsec  7           1000            0:00:03:10   3
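    The following Python model is an added illustration, not code from the Cisco guide: it evaluates the three control policies previewed in sections 1, 2 and this section the way the CLI previews describe them, and shows why only the TLOC reject sequence stops a spoke from building data tunnels to the other spoke even though both the route filter and the "set tloc" rewrite already send its traffic via the hub. The Route/Tloc shapes, the dict form of the policies and the sample advertisements are assumptions made for the model.

```python
# Added example, not from the Cisco guide: a simplified model of a vSmart control
# policy applied "out" to a spoke site. Sequence order, site-list matching,
# accept/reject, "set tloc" and default-action follow the guide's CLI previews;
# real OMP carries many more attributes, so this is an illustration only.
from collections import namedtuple

Route = namedtuple("Route", "prefix vpn site tloc")  # OMP route: prefix originated by a site via a TLOC
Tloc = namedtuple("Tloc", "ip site color")           # OMP TLOC: a site's transport locator

# Constructed advertisements mirroring the guide's topology (hub 101, spokes 112/113).
ROUTES = [Route("0.0.0.0/0", 1, 101, "10.10.101.1"),
          Route("10.112.1.0/24", 1, 112, "10.10.112.1"),
          Route("10.113.1.0/24", 1, 113, "10.10.113.1")]
TLOCS = [Tloc("10.10.101.1", 101, "mpls"), Tloc("10.10.112.1", 112, "mpls"),
         Tloc("10.10.113.1", 113, "mpls")]

def apply_policy(policy, spoke_site, routes=ROUTES, tlocs=TLOCS):
    """Return (routes, tlocs) that spoke_site learns after the outbound policy."""
    def evaluate(kind, site):          # first matching sequence wins, else default-action
        for seq in policy["sequences"]:
            if seq["match"] == kind and site in seq["sites"]:
                return seq["action"], seq.get("set_tloc")
        return policy["default"], None
    learned_routes, learned_tlocs = [], []
    for r in routes:
        if r.site == spoke_site:       # a site's own advertisements are not reflected back
            continue
        action, new_tloc = evaluate("route", r.site)
        if action == "accept":         # "set tloc" rewrites the next-hop TLOC
            learned_routes.append(r._replace(tloc=new_tloc) if new_tloc else r)
    for t in tlocs:
        if t.site != spoke_site and evaluate("tloc", t.site)[0] == "accept":
            learned_tlocs.append(t)
    return learned_routes, learned_tlocs

def next_hops(policy, spoke_site):
    """Map prefix -> next-hop TLOC in the spoke's VPN 1 table (cf. 'show ip route vpn 1')."""
    return {r.prefix: r.tloc for r in apply_policy(policy, spoke_site)[0]}

def tunnel_peers(policy, spoke_site):
    """Sites the spoke can still build data tunnels (BFD sessions) to: those whose TLOCs it learned."""
    return sorted({t.site for t in apply_policy(policy, spoke_site)[1]})

# Section 1: accept only hub routes and TLOCs, default-action reject.
HUB_SPOKE = {"sequences": [{"match": "route", "sites": {101}, "action": "accept"},
                           {"match": "tloc", "sites": {101}, "action": "accept"}],
             "default": "reject"}
# Section 2: rewrite spoke routes' next-hop to the hub TLOC, default-action accept.
CUSTOM = {"sequences": [{"match": "route", "sites": {112, 113}, "action": "accept",
                         "set_tloc": "10.10.101.1"}], "default": "accept"}
# Restricting Data Tunnels: CUSTOM plus a sequence rejecting spoke TLOCs.
TLOC_FILTER = {"sequences": CUSTOM["sequences"] +
               [{"match": "tloc", "sites": {112, 113}, "action": "reject"}],
               "default": "accept"}
```

    With CUSTOM, tunnel_peers(CUSTOM, 113) still includes site 112, matching the BFD sessions seen above; with TLOC_FILTER it shrinks to the hub only while the next hop for the 10.112.1.0/24 prefix stays the DC TLOC.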

    Deactivate the policy. Save the Policy and then Activate it.

    The policy is successfully pushed to both vSmarts.

    Let's verify the IP routes on the WAN-Edge routers of Br112 and Br113. We can see that Br112 prefers the default route from RTP-DC Site 101 and Br113 prefers the default route from SJ-DC2 Site 102.

    vManage->Network->Br112-Edge1->Real Time->Device Options->IP Routes

    vManage->Network->Br113-Edge1->Real Time->Device Options->IP Routes

    If the RTP-DC1 site goes down or stops advertising the default route, we should see Br112 install the default routes learned from SJ-DC2. To test this, we shut down the LAN interfaces on the RTP-DC1 Edge routers.

    vManage->Network->Br112-Edge1->Real Time->Device Options->IP Routes

    We can see that Br112 is now installing the default routes from SJ-DC2 Site 102. Deactivate the policy.
