
NJ SDWAN - Workbook v10.0

The document provides details about the lab topology, access credentials, and IP schema for a Cisco SD-WAN lab workbook. It includes the network devices that will be used, including vEdges, vManage, vBond, MPLS router, internet router, LTE router, and switches. It also lists the management IP addresses, usernames, and passwords required to access each device. Finally, it shows the IP addressing scheme that will be used for each device, including the site ID, organization name, interface, VPN ID, and interface IP.

Uploaded by Mateen Virk

Trainer Shank || SD WAN 300-415 || www.networkjourney.com || For enrollment: networkjourneydotcom@gmail.com || Whatsapp:


https://wa.me/919739521088

SDWAN WORKBOOK


CISCO VIPTELA SDWAN LAB WORKBOOK


Table of Contents
Lab Topology
Access Credentials
IP Schema
Lab37: DIA (Direct Internet Access)
    Task37.1: Changes in Topology Diagram
    Task37.2: Internet Router Configuration & ASA Configuration
    Task37.3: Configure Feature Templates for DIA
    Task37.4: Enable NAT on vEdge
    Task37.5: Apply previously created feature templates into ETA-ZETA Device Template
    Task37.6: Configure Variables in Device Template to be used by vSmart
    Task37.7: Apply Device Template to be used by vEdge-ETA & vEdge-ZETA
    Task37.8: Create Lists
    Task37.9: Create Traffic Rules (Data Policies)
    Task37.10: Add Site list & VPN List to Policy & Activate newly Created DIA-Policy
    Task37.11: Post-Verification || Verify path from SW1-ETA to Internet IP after Policy
Lab38: Centralized Internet Access & DIA Failover
    Task38.1: Configure Feature Templates for DIA Failover
    Task38.2: Configure Feature Templates for DIA
    Task38.3: Apply previously created feature templates into Delta Device Template
    Task38.4: Internet Circuit Failover
    Task38.5: Post-Verification || Verify path from SW1-ETA to Internet IP after Policy
Lab39: Service Chaining
    Task39.1: Internet ASA Configuration
    Task39.2: Configure Feature Templates for Service Chaining
    Task39.3: Apply previously created feature templates into DELTA Device Template
    Task39.4: Create Lists
    Task39.5: Create Topology (Control Policy)
    Task39.6: Add Site list & VPN List to Policy & Activate newly Created SC-Policy
    Task39.7: Pre-Verification || Verify path from ETA to ZETA Site
    Task39.8: Post-Verification || Verify path from SW1-ETA to SW1-ZETA
Lab40: VPN Segmentation & VPN Route Leaking
    Task40.1: Changes in Topology Diagram
    Task40.2: Configure SW2-BETA and SW2-ZETA as per below configuration
    Task40.3: Configure Feature Templates for VPN-Segmentation
    Task40.4: Apply previously created feature templates into ZETA Device Template
    Task40.5: Apply previously created feature templates into BETA Device Template
    Task40.6: Post-Verification of applying Templates
    Task40.7: Create Lists for VPN route leaking
    Task40.8: Create Topology (Control Policy)
    Task40.9: Add Site list & VPN List to Policy & Activate newly Created SC-Policy
    Task40.10: Activate the policy
    Task40.11: Post-Verification || After Applying Policy

Lab Topology

Access Credentials
Device Hostname  | Access Method | Management IP | Username      | Password
vManage          | CLI/GUI       | 192.168.30.1  | admin         | admin
vBond            | CLI           | 192.168.30.2  | admin         | admin
vSmart           | CLI           | 192.168.30.3  | admin         | admin
CA Server        | CLI           | 192.168.30.4  | Administrator | Test123
vEdge1-DELTA     | CLI           |               | admin         | admin
vEdge1-ZETA      | CLI           |               | admin         | admin
vEdge1-GAMMA     | CLI           |               | admin         | admin
vEdge2-GAMMA     | CLI           |               | admin         | admin
vEdge1-ETA       | CLI           |               | admin         | admin
vEdge2-ETA       | CLI           |               | admin         | admin
CSR1-BETA        | CLI           |               | admin         | admin
MPLS Router      | CLI           |               | admin         | cisco
Internet Router  | CLI           |               | admin         | cisco
4G-LTE Router    | CLI           |               | admin         | cisco
HQ1-Alpha Router | CLI           |               | admin         | cisco
Docker           | CLI           | 192.168.30.10 | admin         | cisco
SW1-ETA          | CLI           |               | admin         | cisco
SW2-ETA          | CLI           |               | admin         | cisco
SW1-GAMMA        | CLI           |               | admin         | cisco
SW1-ZETA         | CLI           |               | admin         | cisco
SW1-DELTA        | CLI           |               | admin         | cisco
SW1-BETA         | CLI           |               | admin         | cisco

IP Schema
Device Hostname  | Site ID | Org Name | Interface Number/Name | VPN Membership | Interface IP
vManage          | 30      | njsdwan  | eth0                  | vpn 0          | 203.0.113.1
                 |         |          | eth1                  | vpn 512        | 198.168.30.1
                 |         |          | system-ip             |                | 30.1.1.1
vBond            | 30      | njsdwan  | ge0/0                 | vpn 0          | 203.0.113.2
                 |         |          | ge0/1                 | vpn 512        | 198.168.30.2
                 |         |          | system-ip             |                | 30.1.1.2
vSmart           | 30      | njsdwan  | eth0                  | vpn 0          | 203.0.113.3
                 |         |          | eth1                  | vpn 512        | 198.168.30.3
                 |         |          | system-ip             |                | 30.1.1.3
CA Server        | 30      | njsdwan  | e0                    | vpn 0          | 203.0.113.4
                 |         |          | e1                    | vpn 512        | 198.168.30.4
vEdge1-DELTA     | 25      | njsdwan  | G0/4                  | vpn 0          | 172.16.25.4
                 |         |          | system-ip             |                | 25.1.1.1
vEdge1-ZETA      | 20      | njsdwan  | G0/1                  | vpn 0          | 10.1.20.1
                 |         |          | system-ip             |                | 20.1.1.1
vEdge1-GAMMA     | 15      | njsdwan  | G0/1                  | vpn 0          | 10.1.15.1
                 |         |          | system-ip             |                | 15.1.1.1
vEdge2-GAMMA     | 15      | njsdwan  | G0/2                  | vpn 0          | 100.64.15.2
                 |         |          | system-ip             |                | 15.1.1.2
vEdge1-ETA       | 10      | njsdwan  | G0/1                  | vpn 0          | 10.1.10.1
                 |         |          | system-ip             |                | 10.1.1.1
vEdge2-ETA       | 10      | njsdwan  | G0/1                  | vpn 0          | 10.1.11.1
                 |         |          | system-ip             |                | 10.1.1.2
CSR1-BETA        | 5       | njsdwan  | G1                    | vpn 0          | 10.1.5.1
                 |         |          | system-ip             |                | 5.1.1.1
MPLS Router      |         |          | e0/0                  |                | 10.1.5.254
                 |         |          | e0/1                  |                | 10.1.2.254
                 |         |          | e0/2                  |                | 10.1.15.254
                 |         |          | e0/3                  |                | 10.1.10.254
                 |         |          | e1/0                  |                | 10.1.11.254
                 |         |          | e1/1                  |                | 10.1.20.254
Internet Router  |         |          | e0/0                  |                | 100.64.5.254
                 |         |          | e0/1                  |                | 100.64.11.254
                 |         |          | e0/2                  |                | 100.64.2.254
                 |         |          | e0/3                  |                | 100.64.20.254
                 |         |          | e1/0                  |                | 100.64.15.254
                 |         |          | e1/1                  |                | 100.64.10.254
                 |         |          | e1/2                  |                | 100.64.25.254
4G-LTE Router    |         |          | e0/0                  |                | 172.16.25.254
                 |         |          | e0/1                  |                | 172.16.20.254
                 |         |          | e1/0                  |                | 172.16.2.254
HQ1-Alpha Router |         |          | e0/0                  |                | 203.0.113.5
                 |         |          | e0/1                  |                | 10.1.2.5
                 |         |          | e0/2                  |                | 100.64.2.5
                 |         |          | e1/0                  |                | 172.16.2.5
Docker           |         |          |                       |                | 192.168.30.10

Lab37: DIA (Direct Internet Access)

Note: Remove the QoS configuration left on vEdge1-Delta by the previous lab before starting this lab.

• Requirement: Internet traffic from the ETA and ZETA sites should go out directly via the Internet circuit
• Requirement: Traffic from the ETA site to the ZETA site should go directly over the SD-WAN tunnel

Task37.1: Changes in Topology Diagram


Note: Skip this task if it is already configured for you; otherwise:

• Make the following changes in the lab topology diagram before continuing with this lab
o Add one link from Internet Router e1/3 to the cloud
o Add an ASA to the topology
o Connect ASA eth1 to the cloud and ASA eth0 to G0/0 on vEdge1-Delta

Task37.2: Internet Router Configuration & ASA Configuration


• Add the following configuration on the Internet Router and the ASA firewall

INTERNET ROUTER

configure terminal
!
! Ethernet 1/1 (100.64.10.254 in the IP schema) is the NAT inside interface
interface Ethernet 1/1
 ip nat inside
!
! Ethernet 1/3 is the new link to the cloud: DHCP address, NAT outside
interface Ethernet 1/3
 ip address dhcp
 ip nat outside
 no shut
!
! PAT the sources matched by access-list 1 behind the Ethernet1/3 address
ip nat inside source list 1 interface Ethernet1/3 overload
!
access-list 1 permit 100.64.10.0 0.0.0.255
access-list 1 permit 100.64.20.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
end
!
wr


ASA Firewall

enable
configure terminal
!
hostname ASAv
enable password cisco
!
interface Ethernet0
 nameif INSIDE
 security-level 100
 ip address 192.168.126.1 255.255.255.0
 no shutdown
!
interface Ethernet1
 nameif OUTSIDE
 security-level 0
 ip address dhcp
 no shutdown
!
! Dynamic PAT: hide 192.168.0.0/16 behind the OUTSIDE interface address
object network PRIVATE
 subnet 192.168.0.0 255.255.0.0
 nat (INSIDE,OUTSIDE) dynamic interface
!
! Permit all IP traffic arriving on the OUTSIDE interface
access-list IN_TO_OUT extended permit ip any any
access-list IN_TO_OUT extended permit icmp any any
!
access-group IN_TO_OUT in interface OUTSIDE
!
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.1.1
! Routes to the site subnets via 192.168.126.50 (vEdge1-DELTA G0/0, see Task38.1)
route INSIDE 192.168.105.0 255.255.255.0 192.168.126.50
route INSIDE 192.168.110.0 255.255.255.0 192.168.126.50
route INSIDE 192.168.120.0 255.255.255.0 192.168.126.50
route INSIDE 192.168.125.0 255.255.255.0 192.168.126.50
!
! Decrement the TTL so the ASA shows up as a hop in traceroute
class-map traceroute
 match any
policy-map global_policy
 class traceroute
  set connection decrement-ttl
!
end
!
wr


Task37.3: Configure Feature Templates for DIA


• Navigate to Configuration > Templates > Feature templates
• Copy Existing Feature Template (vEdge-VPN100-INT-G0/2)
• Rename newly copied template as vEdge-VPN100-INT-G0/2-DIA

Task37.4: Enable NAT on vEdge


• Navigate to Configuration > Templates > Feature templates > vEdge VPN100-INT-G0/2-DIA
• Enable NAT and set it to Device Specific in NAT Section

Task37.5: Apply previously created feature templates into ETA-ZETA Device Template
• Navigate to Configuration > Templates > Device Template > ETA-ZETA Device Template
o Replace vEdge-VPN100-INT-G0/2 with vEdge VPN100-INT-G0/2-DIA


Task37.6: Configure Variables in Device Template to be used by vSmart


• Select System IP > Navigate to
o Edit Device Template & tick NAT to enable


Task37.7: Apply Device Template to be used by vEdge-ETA & vEdge-ZETA

Task37.8: Create Lists


• We need to create the following lists:
o VPN List
o Site List

• VPN List:
o Navigate to Configuration > Policies > Custom Options > Centralized Policies > Lists > Select VPN
o New VPN List
▪ VPN List Name: VPN-100
▪ Add VPN: 100


• Site List:
o Navigate to Configuration > Policies > Custom Options > Centralized Policies > Lists > Select Site
o New Site List
▪ Site List Name: DIA-SITES
▪ Add Site: 10,20,25


• Data Prefix List:
o Navigate to Configuration > Policies > Custom Options > Centralized Policies > Lists > Select Data Prefix
o New Data Prefix List
▪ Data Prefix List Name: SUPERNET-SUBNET
▪ Add Prefix: 192.168.0.0/16
o New Data Prefix List
▪ Data Prefix List Name: DIA-SUBNET
▪ Add Prefix: 192.168.110.0/24, 192.168.120.0/24


Task37.9: Create Traffic Rules (Data Policies)


• Navigate to Configuration > Policies > Centralized Policies > Add Policy
o Configure Traffic Rules > Traffic Data
▪ Sequence Type > Custom
▪ Sequence Rule > Match > Source Data Prefix List – SUPERNET-SUBNET
▪ Sequence Rule > Match > Destination Data Prefix List – SUPERNET-SUBNET
▪ Action – ACCEPT

Save Match & Actions

• Navigate to Configuration > Policies > Centralized Policies > Add Policy
o Configure Traffic Rules > Traffic Data
▪ Sequence Type > Custom
▪ Sequence Rule > Match > Source Data Prefix List – DIA-SUBNET
▪ Action – ACCEPT
▪ Action – NAT VPN – VPN ID = 0 & Check Fallback

Save Match & Actions
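
How the two traffic rules above classify flows, as an added Python example that is not part of the workbook. It assumes both rules are sequences of one first-match policy in the order shown; the sequence labels, the `internet_up` flag, the `default_action` parameter (the workbook does not state the policy's default action) and the sample host addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Data prefix lists as defined in Task37.8.
PREFIX_LISTS = {
    "SUPERNET-SUBNET": ["192.168.0.0/16"],
    "DIA-SUBNET": ["192.168.110.0/24", "192.168.120.0/24"],
}


@dataclass(frozen=True)
class Sequence:
    name: str                        # hypothetical label, not a vManage field
    src_list: Optional[str] = None   # None means "match any"
    dst_list: Optional[str] = None
    nat_vpn: Optional[int] = None    # set when the action is NAT VPN
    nat_fallback: bool = False


# Assumption: both Task37.9 rules are sequences of one policy, in this order.
DIA_POLICY = (
    Sequence("site-to-site", src_list="SUPERNET-SUBNET", dst_list="SUPERNET-SUBNET"),
    Sequence("dia", src_list="DIA-SUBNET", nat_vpn=0, nat_fallback=True),
)


def in_list(addr: str, list_name: Optional[str]) -> bool:
    """True if addr falls inside any prefix of the named data prefix list."""
    if list_name is None:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in PREFIX_LISTS[list_name])


def evaluate(src, dst, policy=DIA_POLICY, default_action="drop", internet_up=True):
    """Return (matching sequence, forwarding decision) for one flow."""
    for seq in policy:                       # first match wins
        if not (in_list(src, seq.src_list) and in_list(dst, seq.dst_list)):
            continue
        if seq.nat_vpn is None:
            return seq.name, "overlay"       # plain ACCEPT: normal overlay routing
        if internet_up:
            return seq.name, f"nat-vpn-{seq.nat_vpn}"
        # NAT path down: fallback returns the flow to overlay routing;
        # without fallback the flow is modelled here as dropped.
        return seq.name, "overlay-fallback" if seq.nat_fallback else "drop"
    return "default", default_action


if __name__ == "__main__":
    # Constructed sample flows: ETA host to Internet, ETA host to ZETA host,
    # and a 192.168.125.0/24 host that is in neither DIA prefix.
    flows = [
        ("192.168.110.10", "8.8.8.8"),
        ("192.168.110.10", "192.168.120.10"),
        ("192.168.125.10", "8.8.8.8"),
    ]
    for src, dst in flows:
        print(src, "->", dst, evaluate(src, dst))
    # Internet circuit down (the Lab38 scenario): fallback keeps the flow alive.
    print(evaluate("192.168.110.10", "8.8.8.8", internet_up=False))
    # Swapping the sequence order NATs site-to-site traffic out to the Internet.
    print(evaluate("192.168.110.10", "192.168.120.10", policy=DIA_POLICY[::-1]))
```

The last call shows why the SUPERNET-SUBNET rule has to come before the DIA-SUBNET rule: with the order reversed, ETA-to-ZETA traffic matches the DIA rule first and never reaches the tunnel rule.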


Task37.10: Add Site list & VPN List to Policy & Activate newly Created DIA-Policy

Add a default route on the SW1-ETA LAN switch pointing to the vEdge1-ETA VPN 100 interface as next hop


Task37.11: Post-Verification || Verify path from SW1-ETA to Internet IP after Policy


o Traceroute from SW1-ETA to 8.8.8.8 goes directly via the Internet circuit

o Traceroute from SW1-ETA to SW1-ZETA goes via the MPLS circuit


o NAT translations on INTERNET Router

o NAT translations on vEdge1-ETA


Lab38: Centralized Internet Access & DIA Failover

• Requirement: When the Internet circuit goes down, traffic should go to the data center (the Delta site in our case) and reach the Internet from that site via the ASA

Task38.1: Configure Feature Templates for DIA Failover


• Navigate to Configuration > Templates > Feature templates
• Create New Feature Template (vEdge VPN100-DIA-G0/0)
• Add Static IP on G0/0 interface of vEdge1-DELTA = 192.168.126.50/24


Task38.2: Configure Feature Templates for DIA


• Navigate to Configuration > Templates > Feature templates
• Copy Existing Feature Template (vEdge VPN100)
• Rename newly copied template as vEdge VPN100-DIA

• Advertise Static & Connected Route to OMP to originate default route for sites


• Create a default route with next hop 192.168.126.1 (ASA interface)

Task38.3: Apply previously created feature templates into Delta Device Template
• Navigate to Configuration > Templates > Device Template > ETA-ZETA Device Template
o Replace vEdge-VPN100 with vEdge VPN100-DIA
o Add newly created template vEdge-VPN100-DIA-G0/0
o Activate the device template to apply the changes


Task38.4: Internet Circuit Failover


• Navigate to Internet Router > Interface eth1/1
o Shutdown that link to initiate failover

Task38.5: Post-Verification || Verify path from SW1-ETA to Internet IP after Policy


o Traceroute from SW1-ETA to 8.8.8.8 goes directly via the MPLS circuit to the Delta DC and then through the ASA to the Internet


Lab39: Service Chaining

Note: Remove the DIA configuration left on vEdge1-Delta by the previous lab before starting this lab.

• Requirement: Traffic from the ETA site should go to the Delta site first, be inspected by the ASA firewall, and then reach the ZETA site, and vice versa

Task39.1: Internet ASA Configuration


• Remove the previous ASA configuration and add the following configuration on the ASA firewall

en
conf t
hostname ASA
enable password cisco
interface Ethernet0
 nameif INSIDE
 security-level 100
 ip address 192.168.126.1 255.255.255.0
 no shut
!
! Allow traffic to enter and leave through the same (single INSIDE) interface
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
! Permit all IP traffic; the ACL is applied globally below
access-list test extended permit ip any any
access-list test extended permit icmp any any
!
access-group test global
! Default route via 192.168.126.50 (the vEdge1-DELTA G0/0 address from Task38.1)
route INSIDE 0.0.0.0 0.0.0.0 192.168.126.50 1
!
class-map traceroute
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
! Inspect ICMP and decrement the TTL so the ASA shows up as a hop in traceroute
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
 class traceroute
  set connection decrement-ttl
!
wr
!
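
A small audit of the ACL bindings in the two ASA configurations in this workbook (Task37.2 and Task39.1), as an added Python example that is not part of the workbook. It reports ACLs that are bound inbound or globally and contain `permit ip any any`, plus entries that can never match because they follow that line; the `RESTRICTED_ASA` variant and the finding labels are constructed for illustration.

```python
import re

# Excerpt of the Task37.2 ASA configuration (only the lines the audit reads).
LAB37_ASA = """\
interface Ethernet0
 nameif INSIDE
 security-level 100
interface Ethernet1
 nameif OUTSIDE
 security-level 0
access-list IN_TO_OUT extended permit ip any any
access-list IN_TO_OUT extended permit icmp any any
access-group IN_TO_OUT in interface OUTSIDE
"""

# Excerpt of the Task39.1 ASA configuration.
LAB39_ASA = """\
interface Ethernet0
 nameif INSIDE
 security-level 100
access-list test extended permit ip any any
access-list test extended permit icmp any any
access-group test global
"""

# Constructed variant for comparison: only ICMP echo replies are allowed inbound.
RESTRICTED_ASA = LAB37_ASA.replace(
    "access-list IN_TO_OUT extended permit ip any any\n"
    "access-list IN_TO_OUT extended permit icmp any any\n",
    "access-list IN_TO_OUT extended permit icmp any 192.168.0.0 255.255.0.0 echo-reply\n",
)

ACE_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) (.+)")
GROUP_RE = re.compile(r"access-group (\S+) (?:in interface (\S+)|(global))$")


def parse(config):
    """Return (security level by nameif, ACEs by ACL name, inbound/global bindings)."""
    levels, acls, bindings = {}, {}, []
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                       # a new interface block starts
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            levels[nameif] = int(line.split()[1])
        elif m := ACE_RE.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3], m[4].strip()))
        elif m := GROUP_RE.match(line):
            bindings.append((m[1], m[2] or "global"))
    return levels, acls, bindings


def audit(config):
    """Return findings as (kind, acl, binding, detail) tuples."""
    levels, acls, bindings = parse(config)
    findings = []
    for acl, where in bindings:
        open_seen = False
        for action, proto, rest in acls.get(acl, []):
            if open_seen:
                # ACLs are first-match: nothing after 'permit ip any any' is evaluated.
                findings.append(("shadowed-entry", acl, where, f"{action} {proto} {rest}"))
            elif (action, proto, rest) == ("permit", "ip", "any any"):
                open_seen = True
                detail = ("all interfaces" if where == "global"
                          else f"security-level {levels.get(where)}")
                findings.append(("permit-any-any", acl, where, detail))
    return findings


if __name__ == "__main__":
    for label, cfg in (("Lab37", LAB37_ASA), ("Lab39", LAB39_ASA), ("restricted", RESTRICTED_ASA)):
        print(label, audit(cfg) or "no findings")
```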


Task39.2: Configure Feature Templates for Service Chaining


• Navigate to Configuration > Templates > Feature templates
• Copy Existing Feature Template (vEdge VPN100)
• Rename newly copied template as vEdge VPN100-SC

• Configure a new service inside the template

o Choose service type FW
o Provide the IP address 192.168.126.1, which is the firewall interface IP


• Configure default route pointing towards FW interface as next-hop

o Configure Prefix as 0.0.0.0/0
o Gateway = Next-hop
▪ Address = 192.168.126.1


Task39.3: Apply previously created feature templates into DELTA Device Template
• Navigate to Configuration > Templates > Device Template > DELTA Device Template
o Replace vEdge-VPN100 with vEdge-VPN100-SC


Task39.4: Create Lists


• We need to create the following lists:
o VPN List
o Site List

• VPN List:
o Navigate to Configuration > Policies > Custom Options > Centralized Policies > Lists > Select VPN
o New VPN List
▪ VPN List Name: VPN-100
▪ Add VPN: 100

• Site List:
o Navigate to Configuration > Policies > Custom Options > Centralized Policies > Lists > Select Site
o New Site List
▪ Site List Name: SC-SITES
▪ Add Site: 10,20


Task39.5: Create Topology (Control Policy)


• Navigate to Configuration > Policies > Centralized Policies > Add Policy
o Configure Topology > Custom Control (Route & TLOC)
▪ Sequence Type > Route
▪ Sequence Rule > Match > Site List – SC-SITES
▪ Sequence Rule > Match > VPN List – VPN100
▪ Action – ACCEPT
▪ Service Type – Firewall
▪ Service VPN - 100

Save Match & Actions

• Configure Default Action = Accept


• Import Existing Topology Policy

Task39.6: Add Site list & VPN List to Policy & Activate newly Created SC-Policy

Task39.7: Pre-Verification || Verify path from ETA to ZETA Site


• Traceroute from ETA to ZETA going directly without going to ASA


Task39.8: Post-Verification || Verify path from SW1-ETA to SW1-ZETA


o Traceroute from SW1-ETA first going to ASA and then to SW1-ZETA


Lab40: VPN Segmentation & VPN Route Leaking


Task40.1: Changes in Topology Diagram
Note: Skip this task if it is already configured for you; otherwise:

• Make the following changes in the lab topology diagram before continuing with this lab
o Add SW2-BETA to CSR Edge
o Add SW2-ZETA to vEDGE1-ZETA vEdge

Task40.2: Configure SW2-BETA and SW2-ZETA as per below configuration


SW2-BETA

enable
!
configure terminal
!
hostname SW2-BETA
!
interface ethernet 0/3
 no switchport
 ip address 192.168.106.50 255.255.255.0
 no shut
!
! Loopbacks 36-40 are the prefixes advertised by the BGP network statements below
int loopback 36
 ip address 192.168.36.50 255.255.255.0
interface loopback 37
 ip address 192.168.37.50 255.255.255.0
interface loopback 38
 ip address 192.168.38.50 255.255.255.0
interface loopback 39
 ip address 192.168.39.50 255.255.255.0
interface loopback 40
 ip address 192.168.40.50 255.255.255.0
!
exit
!
router bgp 5
 neighbor 192.168.105.3 remote-as 5
 network 192.168.36.0 mask 255.255.255.0
 network 192.168.37.0 mask 255.255.255.0
 network 192.168.38.0 mask 255.255.255.0
 network 192.168.39.0 mask 255.255.255.0
 network 192.168.40.0 mask 255.255.255.0
!
end
!
wr
!


SW2-ZETA

enable
!
configure terminal
!
hostname SW2-ZETA
!
interface ethernet 0/3
 no switchport
 ip address 192.168.121.50 255.255.255.0
 no shut
!
! Loopbacks 31-35 fall inside the OSPF network statement below
interface loopback 31
 ip address 192.168.31.50 255.255.255.0
!
int loopback 32
 ip address 192.168.32.50 255.255.255.0
!
interface loopback 33
 ip address 192.168.33.50 255.255.255.0
!
int loopback 34
 ip address 192.168.34.50 255.255.255.0
!
int loopback 35
 ip address 192.168.35.50 255.255.255.0
!
exit
!
router ospf 10
 network 192.168.0.0 0.0.255.255 area 0
end
!
wr
!


Task40.3: Configure Feature Templates for VPN-Segmentation


• Navigate to Configuration > Templates > Feature templates
• Copy Existing Feature Template (vEdge-VPN100)
• Rename newly copied template as vEdge-VPN200

• Navigate to Configuration > Templates > Feature templates


• Copy Existing Feature Template (vEdge-VPN100-OSPF)
• Rename newly copied template as vEdge-VPN200-OSPF


• Navigate to Configuration > Templates > Feature templates


• Copy Existing Feature Template (vEdge-VPN100-SERVICE-G0/3)
• Rename newly copied template as vEdge-VPN200-SERVICE-G0/0

• Edit newly copied template vEdge-VPN200


o Change VPN = 200

• Edit newly copied template vEdge-VPN200-OSPF


o Change OSPF interface to ge0/0


• Edit newly copied template vEdge-VPN200-SERVICE-G0/0


o Change interface name to ge0/0
o Change device variable name to vpn200_ipv4_address|mask


• Navigate to Configuration > Templates > Feature templates


• Copy Existing Feature Template (cEdge-VPN100)
• Rename newly copied template as cEdge-VPN200

• Navigate to Configuration > Templates > Feature templates


• Copy Existing Feature Template (cEdge-VPN100-BGP)
• Rename newly copied template as cEdge-VPN200-BGP


• Navigate to Configuration > Templates > Feature templates


• Copy Existing Feature Template (cEdge-VPN100-SERVICE-G0/3)
• Rename newly copied template as cEdge-VPN200-SERVICE-G0/10

• Edit newly copied template cEdge-VPN200


o Change VPN = 200


• Edit newly copied template cEdge-VPN200-SERVICE-G0/10


o Change interface name to GigabitEthernet10
o Change device variable name to vpn200_ipv4_address|mask


Task40.4: Apply previously created feature templates to ZETA Device Template
• Navigate to Configuration > Templates > Device Template > ETA-ZETA Device Template
o Add one more Service VPN Section
o Add newly created template vEdge-VPN200
o Add newly created template vEdge-VPN200-OSPF
o Add newly created template vEdge-VPN200-SERVICE-G0/0
o Activate the Device Template to apply the changes

• Select System IP > Navigate to


o Edit Device Template & fill variables for ZETA


• Select System IP > Navigate to


o Edit Device Template & fill variables for ETA (Optional)


Task40.5: Apply previously created feature templates to BETA Device Template
• Navigate to Configuration > Templates > Device Template > BETA Device Template
o Add one more Service VPN Section
o Add newly created template cEdge-VPN200
o Add newly created template cEdge-VPN200-BGP
o Add newly created template cEdge-VPN200-SERVICE-G0/10
o Activate the Device Template to apply the changes

• Select System IP > Navigate to


o Edit Device Template & fill variables for BETA


Task40.6: Post-Verification of applying Templates


o vEdge1-ZETA shows VPN200 routes in show ip route output

o cEdge1-BETA shows VPN200 routes in show ip route vrf 200 output


Task40.7: Create Lists for VPN route leaking


• We need to create the following lists:
o VPN List
o Site List

• VPN List:
o Navigate to Configuration > Policies > Custom Options > Centralized Policies > Lists > Select VPN
o New VPN List
▪ VPN List Name: VPN-100
▪ Add VPN: 100
▪ VPN List Name: VPN-200
▪ Add VPN: 200

• Site List:
o Navigate to Configuration > Policies > Custom Options > Centralized Policies > Lists > Select Site
o New Site List
▪ Site List Name: VPN-SEG
▪ Add Site: 5,20,25


Task40.8: Create Topology (Control Policy)


• Navigate to Configuration > Policies > Centralized Policies > Add Policy
o Configure Topology > Custom Control (Route & TLOC)
▪ Sequence Type > Route
▪ Sequence Rule > Match > VPN List – VPN100
▪ Action – ACCEPT
▪ Action – Export to VPN200
▪ Save Match & Actions

▪ Sequence Rule > Match > VPN List – VPN200
▪ Action – ACCEPT
▪ Action – Export to VPN100
▪ Save Match & Actions


• Configure Default Action = Accept

Task40.9: Add Site list & VPN List to Policy & Activate newly Created SC-Policy

Task40.10: Activate the policy


• Select Policy > Navigate to > Activate
o > Activate
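
A small Python model of the control policy built in Tasks 40.7 to 40.10, added here as an illustration and not part of the workbook: it shows which routes the two sequence rules copy between VPN 100 and VPN 200 and which ones are left alone. It assumes the policy is evaluated on routes received from the sites in VPN-SEG; the sample prefixes, VPN 300 and site 40 are constructed.

```python
from dataclasses import dataclass

# Lists from Task40.7 and sequence rules from Task40.8.
VPN_LISTS = {"VPN-100": {100}, "VPN-200": {200}}
SITE_LIST = {5, 20, 25}                                       # VPN-SEG
SEQUENCES = [("VPN-100", "VPN-200"), ("VPN-200", "VPN-100")]  # (match, export to)
DEFAULT_ACTION = "accept"

@dataclass(frozen=True)
class Route:
    site_id: int   # originating site
    vpn: int       # VPN the route was learned in
    prefix: str

def evaluate(route):
    """Return the VPNs the route is present in after policy evaluation."""
    # Assumption: the policy only sees routes received from sites in VPN-SEG.
    if route.site_id not in SITE_LIST:
        return {route.vpn}
    for match_list, export_list in SEQUENCES:      # first matching rule wins
        if route.vpn in VPN_LISTS[match_list]:
            return {route.vpn} | VPN_LISTS[export_list]
    return {route.vpn} if DEFAULT_ACTION == "accept" else set()

def vpn_tables(routes):
    """Build {vpn: set of prefixes} as seen after the policy is applied."""
    tables = {}
    for route in routes:
        for vpn in evaluate(route):
            tables.setdefault(vpn, set()).add(route.prefix)
    return tables

def leaked(routes):
    """List (prefix, origin VPN, destination VPN) for every cross-VPN copy."""
    return sorted((r.prefix, r.vpn, vpn)
                  for r in routes for vpn in evaluate(r) if vpn != r.vpn)

# Constructed sample routes; prefixes, VPN 300 and site 40 are illustrative only.
SAMPLE = [
    Route(5, 100, "10.5.100.0/24"),
    Route(5, 200, "10.5.200.0/24"),
    Route(20, 100, "10.20.100.0/24"),
    Route(25, 300, "10.25.30.0/24"),    # matches no rule, default action applies
    Route(40, 100, "10.40.100.0/24"),   # site outside VPN-SEG, not leaked
]

if __name__ == "__main__":
    for prefix, src, dst in leaked(SAMPLE):
        print(f"{prefix}: VPN {src} -> VPN {dst}")
```

Because both rules match on the VPN list alone, every prefix from the listed sites crosses between the two VPNs, so the segmentation between VPN 100 and VPN 200 no longer holds at those sites.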


Task40.11: Post-Verification || After Applying Policy


o SW2-ZETA, which is in VPN 200, now has VPN 100 routes as well


o SW1-ZETA, which is in VPN 100, now has VPN 200 routes as well


o SW2-BETA, which is in VPN 200, now has VPN 100 routes as well


o We are able to ping between VPN 100 & VPN 200

--END OF WORKBOOK--
