Cisco SD-WAN Service VPN

We have installed Cisco SD-WAN controllers, onboarded vEdge routers, and learned how to use templates.

It’s about time we send traffic between sites. That’s what we can do with a service VPN. We can configure service VPNs from the CLI or with templates. I’ll show you both options in this lesson.

Configuration

This is the topology we have:

Cisco Sd Wan Service Vpn Lab Topology

I have two vEdge devices, each on its own site. Behind each vEdge router is a switch. I’ll use these switches to ping from one site to another.

Configurations

Want to take a look for yourself? Here you will find the startup configuration of each device. Note that both transport interfaces on each vEdge use allow-service all, which permits every control and management service (SSH, NETCONF, NTP, DNS, and so on) on the WAN-facing tunnel interfaces. That is convenient in a lab, but in production you should only allow the services you actually need on those interfaces.

vEdge2

system
 host-name               vEdge2
 system-ip               172.16.1.2
 site-id                 2
 organization-name       nwl-lab-sdwan
 vbond 10.1.0.2
!
vpn 0
 interface ge0/0
  ip address 10.65.91.2/24
  ipv6 dhcp-client
  tunnel-interface
   encapsulation ipsec
   color biz-internet
   allow-service all
  !
  no shutdown
 !
 interface ge0/1
  ip address 10.65.92.2/24
  tunnel-interface
   encapsulation ipsec
   color public-internet
   allow-service all
  !
  no shutdown
 !
 ip route 10.1.0.0/24 10.65.91.100

vEdge3

system
 host-name               vEdge3
 system-ip               172.16.1.3
 site-id                 3
 organization-name       nwl-lab-sdwan
 vbond 10.1.0.2
!
vpn 0
 interface ge0/0
  ip address 10.65.91.3/24
  ipv6 dhcp-client
  tunnel-interface
   encapsulation ipsec
   color biz-internet
   allow-service all
  !
  no shutdown
 !
 interface ge0/1
  ip address 10.65.92.3/24
  tunnel-interface
   encapsulation ipsec
   color public-internet
   allow-service all
  !
  no shutdown
 !
 ip route 10.1.0.0/24 10.65.91.100

SW2

hostname SW2
!         
no ip routing
!
interface GigabitEthernet0/0
 no switchport
 ip address 10.2.0.102 255.255.255.0
!
ip default-gateway 10.2.0.254

SW3

hostname SW3
!         
no ip routing
!
interface GigabitEthernet0/0
 no switchport
 ip address 10.3.0.103 255.255.255.0
!
ip default-gateway 10.3.0.254

CLI

We’ll start with the CLI option.

Create a new VPN, assign the ge0/3 interface to it and configure an IP address. On vEdge2:

vEdge2(config)# vpn 10
vEdge2(config-vpn-10)# interface ge0/3
vEdge2(config-interface-ge0/3)# ip address 10.2.0.254/24
vEdge2(config-interface-ge0/3)# no shutdown
vEdge2(config-interface-ge0/3)# commit

And on vEdge3:

vEdge3(config)# vpn 10
vEdge3(config-vpn-10)# interface ge0/3
vEdge3(config-interface-ge0/3)# ip address 10.3.0.254/24
vEdge3(config-interface-ge0/3)# no shutdown
vEdge3(config-interface-ge0/3)# commit

That’s all you have to configure. There aren’t any commands that you haven’t seen before. You can pick any VPN number except 0 (the transport VPN) or 512 (the management VPN). Notice that we didn’t have to tell OMP about the new subnets: a vEdge router advertises the connected routes of a service VPN into OMP by default, so vSmart learns 10.2.0.0/24 and 10.3.0.0/24 and distributes them to the other site. You can verify this with show omp routes and show ip routes vpn 10 on the vEdge routers, or with ping vpn 10 10.3.0.103 from vEdge2, and then ping from SW2 to SW3.
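As an added example (not part of the original lesson), here is a small Python audit script that parses a vEdge-style configuration and checks the points made above: that the service VPN number is not one of the reserved ones (0 or 512), that tunnel interfaces only appear in the transport VPN, and that allow-service all is flagged on WAN-facing tunnel interfaces. The sample configuration embedded in the script is constructed from vEdge2's startup configuration plus the vpn 10 block added in this section; the parser relies on the indentation conventions shown in those configurations and is not Cisco's tooling.

```python
"""Audit a vEdge-style (Viptela) configuration for service VPN mistakes.

Added example, not from the lesson. Parsing relies on the indentation
conventions of the lesson's configs (1 space per nesting level).
"""
import re

# Constructed sample: vEdge2's startup config with the "vpn 10" block added.
SAMPLE_CONFIG = """\
system
 host-name               vEdge2
 system-ip               172.16.1.2
 site-id                 2
 organization-name       nwl-lab-sdwan
 vbond 10.1.0.2
!
vpn 0
 interface ge0/0
  ip address 10.65.91.2/24
  ipv6 dhcp-client
  tunnel-interface
   encapsulation ipsec
   color biz-internet
   allow-service all
  !
  no shutdown
 !
 interface ge0/1
  ip address 10.65.92.2/24
  tunnel-interface
   encapsulation ipsec
   color public-internet
   allow-service all
  !
  no shutdown
 !
 ip route 10.1.0.0/24 10.65.91.100
!
vpn 10
 interface ge0/3
  ip address 10.2.0.254/24
  no shutdown
 !
!
"""

TRANSPORT_VPN = 0    # VPN 0 carries the overlay tunnels (WAN side)
MANAGEMENT_VPN = 512  # VPN 512 is the out-of-band management VPN


def is_valid_service_vpn(vpn_id: int) -> bool:
    """A service VPN may use any non-negative number except the reserved ones."""
    return vpn_id >= 0 and vpn_id not in (TRANSPORT_VPN, MANAGEMENT_VPN)


def parse_vpns(config: str) -> dict:
    """Return {vpn_id: {"interfaces": {name: attrs}, "routes": [str]}}."""
    vpns = {}
    vpn = iface = None
    in_tunnel = False
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        # Indentation defines scope: a shallower line closes deeper blocks.
        if indent <= 2:
            in_tunnel = False
        if indent <= 1:
            iface = None
        if indent == 0:
            vpn = None
            m = re.fullmatch(r"vpn (\d+)", text)
            if m:
                vpn = int(m.group(1))
                vpns.setdefault(vpn, {"interfaces": {}, "routes": []})
            continue
        if vpn is None:
            continue  # inside "system" or another non-VPN top-level block
        if indent == 1:
            m = re.fullmatch(r"interface (\S+)", text)
            if m:
                iface = m.group(1)
                vpns[vpn]["interfaces"][iface] = {
                    "ip": None, "tunnel": False, "color": None,
                    "allow_service": [], "shutdown": True,  # vEdge interfaces are shut until "no shutdown"
                }
            elif text.startswith("ip route "):
                vpns[vpn]["routes"].append(text[len("ip route "):])
            continue
        if iface is None:
            continue
        entry = vpns[vpn]["interfaces"][iface]
        if indent == 2:
            if text.startswith("ip address "):
                entry["ip"] = text.split()[2]
            elif text == "tunnel-interface":
                entry["tunnel"] = True
                in_tunnel = True
            elif text == "no shutdown":
                entry["shutdown"] = False
        elif in_tunnel and indent == 3:
            if text.startswith("color "):
                entry["color"] = text.split()[1]
            elif text.startswith("allow-service "):
                entry["allow_service"].append(text.split()[1])
    return vpns


def audit(vpns: dict) -> list:
    """Return (severity, message) findings for the parsed VPNs."""
    findings = []
    for vpn_id, data in sorted(vpns.items()):
        for name, i in data["interfaces"].items():
            if i["tunnel"] and vpn_id != TRANSPORT_VPN:
                findings.append(("error", f"vpn {vpn_id} {name}: tunnel-interface outside transport VPN 0"))
            if i["tunnel"] and "all" in i["allow_service"]:
                findings.append(("warning", f"vpn {vpn_id} {name} ({i['color']}): allow-service all "
                                            "exposes every service on a WAN-facing interface"))
            if i["shutdown"]:
                findings.append(("info", f"vpn {vpn_id} {name}: interface is shut down"))
    if not any(is_valid_service_vpn(v) for v in vpns):
        findings.append(("info", "no service VPN configured; sites cannot exchange user traffic"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_vpns(SAMPLE_CONFIG)):
        print(f"[{severity}] {message}")
```

Run it on the lesson's other device by pasting its configuration in place of SAMPLE_CONFIG; the two allow-service all warnings it reports on vEdge2 are exactly the lab shortcut mentioned above.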

Templates

Now let’s see how we can configure a service VPN with templates.

Feature Templates

This takes some more work. Go to Configuration > Templates > Feature and click on Add Template.

VPN10

In the next screen, select the VPN feature template:

Cisco Sd Wan Add Feature Template Vpn

There are two items we need to change here. Under Basic Configuration, set the VPN to 10:

Cisco Sd Wan Service Vpn Feature Template

Then, under Advertise OMP, enable Connected (IPv4) so that the subnet on the LAN interface is advertised to the other sites:

Cisco Sd Wan Service Vpn Feature Template Omp

Click Save to store the template.

Ge0/3 Interface

We need another feature template for the interface that connects to the switch. Click on Add Template and select VPN Interface Ethernet:

Forum Replies

  1. Hi @ReneMolenaar and @lagapides,
    I have tested this with my lab. Service VPN is working fine. But I have some confusion because in my main dashboard it said partial WAN connectivity. When I dug deeper I found that BFD sessions between two colors are down.

    https://cdn-forum.networklessons.com/uploads/default/original/2X/3/301834d8be0e9ad3fe1419002d5e8097e13a26e4.png


    As far as I know, WAN edge routers try to form overlay tunnels to every received TLOC from a different site using every available color. So can you please help me to understand this issue? Your help is ... Continue reading in our forum

Ask a question or join the discussion by visiting our Community Forum