This article explains how to stage a branch when the Versa SDWAN Controller is behind a Hub in a different traffic domain.
Prerequisite
§ Versa Headend is deployed and functional.
§ Hub should be deployed.
§ You should be familiar with the Workflow Template and Branch Onboarding.
§ Versa SDWAN Controller is hosted on the Internet/Public Cloud.
§ Hub has connectivity to Versa SDWAN Controller via an Internet link. It also has WAN (MPLS) connectivity to different Branch offices.
§ Branch offices only have MPLS connectivity to the Hub. On the Hub, the MPLS and Internet Transport-VRs will be configured to act as transit for Versa SDWAN Controller and Branch communication.
§ HUB is placed behind a firewall, and NAT is handled by the firewall to reach Versa SDWAN Controller over the Internet.
§ Connectivity between Versa SDWAN Controller and HUB, and between HUB and Branches, is in different Transport Domains (TD): the Internet (default) TD with id 20 and the HUB1-MPLS TD with id 30 are mapped respectively.
§ Transport Domains (name and id) are mapped to a Network Name, which is further mapped to a WAN interface in the Workflow Template. HUB will be part of both TDs, as it has two WAN links connecting it to Versa SDWAN Controller and the Branches.
Please note: This article is applicable in the case where the Branch site has an Internet link and an MPLS link to the HUB, but requires reachability to Versa SDWAN Controller via the HUB over MPLS for redundancy.
Topology
Configuration
1. Configuring Hub
§ For the purposes of this document the HUB is already deployed, but here we show what the Hub WAN interface, Network Name and Transport Domain mapping looks like in the Workflow Template.
§ Internet is the default TD present on Versa, with id 20.
§ The Versa SDWAN Controller WAN interface is also mapped to the Internet TD.
§ The HUB1-MPLS TD with id 30 is configured and mapped to the MPLS interface.
- To configure the Hub as transit for Branch to Versa SDWAN Controller communication, we will create a paired TVI between INT-Transport-VR and MPLS-HUB1-Transport-VR and enable EBGP over the created TVI to export routes between the two Transport-VRs.
- Select Configuration > Device Template > Select org > Select Hub > Networking > Interfaces > Tunnel > +. Fill in the required information and specify the Paired TVI number. Submit OK. This will also create the paired tvi-0/605. Select the paired tvi-0/605 under Tunnel Interfaces and configure its IP address.
§ Go to Virtual Routers > Select Transport-VR. We will first edit INT-Transport-VR > +, and add the created TVI-0/604 under the VR.
§ Select Static Routing. Now add a static route for the Versa SDWAN Controller IP in INT-Transport-VR with a valid next hop (INT-Gateway IP). This will be advertised to MPLS-HUB1-Transport-VR via EBGP. If you are learning the Versa SDWAN Controller network via IGP/BGP, the static route is not required.
- Select BGP > +, and fill in the required information in the General tab. Define the Local-AS here.
- Select the Peer Group tab > +, and add the required details. Select Neighbours > +, fill in the rest of the details and Submit OK.
- The Peer AS will be that of MPLS-HUB1-Transport-VR.
- Now in INT-Transport-VR select Redistribution Policies > +. Give the policy a name, select +, fill in the required details and Submit OK. Map the policy to Redistribute to BGP.
- A redistribution policy is needed to redistribute the static route (also needed for a route learned via IGP) into the BGP RIB. If the Versa SDWAN Controller IP/network is learned via BGP (same Instance ID) in INT-Transport-VR, the redistribution policy is not required, as the route will already be in the BGP RIB. A Peer/Group Policy for the neighbour can be used to control route import/export.
- Follow similar steps to edit MPLS-HUB1-Transport-VR. Add TVI-0/605 in MPLS-HUB1-Transport-VR, and add static routes for the Branch WAN IP address with a valid next hop (the MPLS gateway IP).
- Enable BGP.
- The Peer AS will be that of INT-Transport-VR.
- Configure a redistribution policy to redistribute static routes.
- Add the created TVIs to Traffic Identification under the Org.
- Select Others > Organization > Limits > Select Org > Traffic Identification > +, and add tvi-0/604 and tvi-0/605. This is required to allow traffic from the MPLS Transport-VR to the INT Transport-VR.
2. Configuring Branch Template for staging
- Follow the Workflow Template (LINK) and Branch Onboarding (LINK, LINK2) with one exception: the Branch and the Versa SDWAN Controller are in different Transport Domains (different TD ids). To make this work, we have to add two Transport Domains on the WAN interface of the Branch: the Internet TD with id 20 and the HUB1-MPLS TD with id 30, which we added on the HUB during its onboarding. Adding the Internet TD will push the Versa SDWAN Controller WAN Internet link IP address into the SPOKE template configuration for post-staging reachability from the Branch. The HUB1-MPLS TD will be used for Branch to Hub SDWAN reachability.
Versa SDWAN Controller
admin@Versa SDWAN Controller1-cli> show configuration | display set | match transport-domains | match id
set system sd-wan transport-domains Internet id 20
SPOKE: POST Staging output
admin@SPOKE1-cli> show configuration | display set | match transport-domains | match id
set system sd-wan transport-domains HUB1-MPLS id 30
set system sd-wan transport-domains Internet id 20
EBGP state between INT and MPLS transport VR
admin@HUB1-cli> show bgp neighbor brief
routing-instance: INT-Transport-VR
Neighbor     V  MsgRcvd  MsgSent  Uptime   State/PfxRcd  PfxSent  AS
169.254.0.5  4  32827    32818    1w2d21h  2             1        64515
routing-instance: MPLS-HUB1-Transport-VR
Neighbor     V  MsgRcvd  MsgSent  Uptime   State/PfxRcd  PfxSent  AS
169.254.0.4  4  42170    42163    1w2d21h  1             2        64513
INT-VR will have a static route for the Versa SDWAN Controller IP and BGP routes for the Branch IP with the TVI-0/605 IP address as next hop.
admin@HUB1-cli> show route routing-instance INT-Transport-VR
Prot   Type Dest Address/Mask Next-hop     Age      Interface name
----   ---- ----------------- --------     ---      --------------
static N/A  +0.0.0.0/0        192.168.50.2 2d20h02m vni-0/0.0
conn   N/A  +169.254.0.4/31   0.0.0.0      2d20h03m tvi-0/604.0
local  N/A  +169.254.0.4/32   0.0.0.0      2d20h03m directly connected
static N/A  +192.168.40.0/24  192.168.50.2 2d19h49m vni-0/0.0
conn   N/A  +192.168.50.0/24  0.0.0.0      2d20h02m vni-0/0.0
local  N/A  +192.168.50.10/32 0.0.0.0      2d20h02m directly connected
BGP    N/A  +192.168.71.0/24  169.254.0.5  00:21:14 tvi-0/604.0
BGP    N/A  +192.168.81.0/24  169.254.0.5  00:21:14 tvi-0/604.0
MPLS-VR will have a static route for the Branch IP and BGP routes for the Versa SDWAN Controller IP with the TVI-0/604 IP address as next hop.
admin@HUB1-cli> show route routing-instance MPLS-HUB1-Transport-VR
Prot   Type Dest Address/Mask Next-hop     Age      Interface name
----   ---- ----------------- --------     ---      --------------
static N/A  +0.0.0.0/0        192.168.51.2 2d03h54m vni-0/1.0
conn   N/A  +169.254.0.4/31   0.0.0.0      2d20h03m tvi-0/605.0
local  N/A  +169.254.0.5/32   0.0.0.0      2d20h03m directly connected
BGP    N/A  +192.168.40.0/24  169.254.0.4  00:21:21 tvi-0/605.0
conn   N/A  +192.168.51.0/24  0.0.0.0      2d03h54m vni-0/1.0
local  N/A  +192.168.51.10/32 0.0.0.0      2d03h54m directly connected
static N/A  +192.168.71.0/24  192.168.51.2 2d03h54m vni-0/1.0
static N/A  +192.168.81.0/24  192.168.51.2 2d03h54m vni-0/1.0
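An added check, not part of the original article or of Versa tooling: a small Python parser for the `show route routing-instance` output that confirms only the expected prefix was learned via BGP over the paired TVI, so a redistribution policy that leaks extra routes between the two Transport-VRs is caught. The function names and the allow-list are assumptions for illustration.

```python
import ipaddress

# The page's MPLS-HUB1-Transport-VR route table, one route per line.
MPLS_VR_ROUTES = """\
Prot   Type Dest Address/Mask Next-hop     Age      Interface name
----   ---- ----------------- --------     ---      --------------
static N/A  +0.0.0.0/0        192.168.51.2 2d03h54m vni-0/1.0
conn   N/A  +169.254.0.4/31   0.0.0.0      2d20h03m tvi-0/605.0
local  N/A  +169.254.0.5/32   0.0.0.0      2d20h03m directly connected
BGP    N/A  +192.168.40.0/24  169.254.0.4  00:21:21 tvi-0/605.0
conn   N/A  +192.168.51.0/24  0.0.0.0      2d03h54m vni-0/1.0
local  N/A  +192.168.51.10/32 0.0.0.0      2d03h54m directly connected
static N/A  +192.168.71.0/24  192.168.51.2 2d03h54m vni-0/1.0
static N/A  +192.168.81.0/24  192.168.51.2 2d03h54m vni-0/1.0
"""


def parse_routes(text):
    """Parse 'show route routing-instance' rows into dicts."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows carry a '+'-prefixed destination in the third column.
        if len(parts) < 6 or not parts[2].startswith("+"):
            continue
        routes.append({
            "proto": parts[0].lower(),
            "prefix": ipaddress.ip_network(parts[2][1:]),
            "next_hop": parts[3],
            "interface": " ".join(parts[5:]),
        })
    return routes


def audit_tvi_routes(routes, tvi, allowed):
    """Return (missing, unexpected) BGP prefixes learned over the paired TVI."""
    allowed = [ipaddress.ip_network(p) for p in allowed]
    learned = [r["prefix"] for r in routes
               if r["proto"] == "bgp" and r["interface"].split(".")[0] == tvi]
    missing = [str(a) for a in allowed if a not in learned]
    unexpected = [str(p) for p in learned
                  if not any(p.subnet_of(a) for a in allowed)]
    return missing, unexpected


if __name__ == "__main__":
    # Only the controller subnet should cross from INT-Transport-VR.
    print(audit_tvi_routes(parse_routes(MPLS_VR_ROUTES), "tvi-0/605",
                           ["192.168.40.0/24"]))
```

Run the same audit against INT-Transport-VR with `tvi-0/604` and the Branch subnets as the allow-list; a non-empty second list means the Peer/Group or redistribution policy is exporting more than intended.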
The Branch is not currently staged. To test reachability to the Versa SDWAN Controller, add an IP address to the WAN/VNI interface and configure a static route for the Versa SDWAN Controller IP address/subnet.
set interfaces vni-0/0 enable true unit 0 family inet address 192.168.71.1/30
set routing-options static route 192.168.40.0/24 192.168.71.2
admin@SPOKE1-cli> ping 192.168.40.1
PING 192.168.40.1 (192.168.40.1) from 192.168.71.1 : 56(84) bytes of data.
64 bytes from 192.168.40.1: icmp_seq=1 ttl=61 time=26.2 ms
64 bytes from 192.168.40.1: icmp_seq=2 ttl=61 time=6.56 ms
64 bytes from 192.168.40.1: icmp_seq=3 ttl=61 time=11.7 ms
64 bytes from 192.168.40.1: icmp_seq=4 ttl=61 time=14.4 ms
64 bytes from 192.168.40.1: icmp_seq=5 ttl=61 time=12.1 ms
Once the branch is staged, you can enable IGP/EBGP between the HUB (MPLS-VR) and the Branch (MPLS-VR) to learn routes dynamically. In a dual-HUB case this will help with automatic switchover of traffic to the redundant path via the second HUB.