Configure SD-WAN Edge Router for Inline Deployment

Available Languages

Download Options

  • PDF     (50.1 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (101.5 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (90.3 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:October 2, 2023
Document ID:221008

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure Cisco SD-WAN Edge with MPLS transport to access Cisco SD-WAN controllers on Internet via inline DC WAN Edge.

    Prerequisites

    Requirements

    Cisco recommends knowledge of these topics:

    • Cisco Software-Defined Wide Area Network (SD-WAN)
    • Routing

    Components Used

    The information in this document is based on these software and hardware versions:

    • Cisco vManage version 20.6.5.2 
    • Cisco WAN Edge router version 17.06.05

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    In an Inline DC WAN Edge deployment, control traffic incoming from the MPLS need to reach SD-WAN Controllers on the Internet. Traffic can be routed between MPLS and Internet in VPN 0.

    In this case, the tunnel configuration needs to be removed from the MPLS and Internet physical interfaces and placed on two separate loopback interfaces.

    Network Diagram

    Network TopologyNetwork Topology

    Configurations

    In this Deployment, the Branch WAN edge device needs to access controllers through DC WAN edge. In this scenario, an additional physical interface is added in VPN 0 on DC WAN edge and tunnels are moved from physical interface to loopback interface.

    Moving the Tunnel from Physical interface to loopback interface allows the DC WAN Edge Router to act as transit for the traffic from DC WAN edge and Branch WAN edge Router. There must be connectivity between loopback IP addresses and controllers to form control and data plane.

     This output captures DC WAN edge Interface configuration: 

    interface GigabitEthernet0/0/0
     ip address 10.201.186.175 255.255.255.224
     no shutdown
    !
    interface GigabitEthernet0/0/2
     description connection to Branch_WAN-Edge
     ip address 192.168.20.21 255.255.255.252
     no shutdown
    !
    interface Loopback1
     description wan_color_green
     ip address 192.168.20.2 255.255.255.255
     no shutdown
    !
    interface Loopback2
     description wan_color_custom2
     ip address 192.168.20.10 255.255.255.255
     no shutdown
    !

    Next output captures DC WAN edge tunnel configuration:

    DC_WAN-Edge#sh sdwan running-config sdwan
    sdwan
     interface Loopback1
      tunnel-interface
       encapsulation ipsec weight 1
       no border
       color green
       no last-resort-circuit
       no low-bandwidth-link
       max-control-connections 1
       no vbond-as-stun-server
       vmanage-connection-preference 5
       port-hop
       carrier                       default
       nat-refresh-interval          5
       hello-interval                1000
       hello-tolerance               12
       no allow-service all
       no allow-service bgp
       allow-service dhcp
       allow-service dns
       allow-service icmp
       no allow-service sshd
       no allow-service netconf
       no allow-service ntp
       no allow-service ospf
       no allow-service stun
       allow-service https
       no allow-service snmp
       no allow-service bfd
      exit
     exit
     interface Loopback2
      tunnel-interface
       encapsulation ipsec weight 1
       no border
       color custom2 restrict
       no last-resort-circuit
       no low-bandwidth-link
       max-control-connections 1
       no vbond-as-stun-server
       vmanage-connection-preference 5
       port-hop
       carrier default
       nat-refresh-interval 5
       hello-interval 1000
       hello-tolerance 12
       no allow-service all
       no allow-service bgp
       allow-service dhcp
       allow-service dns
       allow-service icmp
       no allow-service sshd
       no allow-service netconf
       no allow-service ntp
       no allow-service ospf
       no allow-service stun
       allow-service https
       no allow-service snmp
       no allow-service bfd
      exit
     exit
    !

    Next output captures Branch_WAN-Edge tunnel configuration:

    Branch_WAN-Edge#sh sdwan run sdwan
    sdwan
     interface GigabitEthernet0/0/2
      tunnel-interface
       encapsulation ipsec weight 1
       no border
       color custom2
       no last-resort-circuit
       no low-bandwidth-link
       no vbond-as-stun-server
       vmanage-connection-preference 5
       port-hop
       carrier                       default
       nat-refresh-interval          5
       hello-interval                1000
       hello-tolerance               12
       no allow-service all
       no allow-service bgp
       allow-service dhcp
       allow-service dns
       allow-service icmp
       no allow-service sshd
       no allow-service netconf
       no allow-service ntp
       no allow-service ospf
       no allow-service stun
       allow-service http
       no allow-service snmp
       no allow-service bfd
      exit
     exit
    !

    Verification

    Next output captures control plane connectivity for DC_WAN-Edge.

    DC_WAN-Edge#sh sdwan control connections 
    PEER PEER CONTROLLER 
    PEER PEER PEER SITE DOMAIN PEER PRIV PEER PUB GROUP 
    TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT ORGANIZATION LOCAL COLOR PROXY STATE UPTIME ID 
    ------------------------------------------------------------------------------------------------------------------------------
    vsmart dtls 10.10.10.2 1 1 10.201.186.172 12346 10.201.186.172 12346 rch_sdwan_lab custom2 No up 0:00:00:37 0
    vsmart dtls 10.10.10.2 1 1 10.201.186.172 12346 10.201.186.172 12346 rch_sdwan_lab green No up 0:00:00:37 0 
    vmanage dtls 10.10.10.1 1 0 10.201.186.171 12746 10.201.186.171 12746 rch_sdwan_lab green No up 0:00:00:35 0

    Next output captures control plane connectivity for Branch_WAN-Edge.

    Branch_WAN-Edge#show sdwan control connections
    PEER PEER CONTROLLER 
    PEER PEER PEER SITE DOMAIN PEER PRIV PEER PUB GROUP 
    TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT LOCAL COLOR PROXY STATE UPTIME ID 
    ------------------------------------------------------------------------------------------------------------------------------
    vsmart dtls 10.10.10.2 1 1 10.201.186.172 12346 10.201.186.172 12346 custom2 No up 0:00:00:20 0 
    vmanage dtls 10.10.10.1 1 0 10.201.186.171 12346 10.201.186.171 12346 custom2 No up 0:00:00:22 0

    Next output captures data plane connectivity for DC_WAN-Edge. The local color green is forming BFD session with remote edge devices. 

    DC_WAN-Edge#sh sdwan bfd sessions 
    SOURCE TLOC REMOTE TLOC DST PUBLIC DST PUBLIC DETECT TX 
    SYSTEM IP SITE ID STATE COLOR COLOR SOURCE IP IP PORT ENCAP MULTIPLIER INTERVAL(msec UPTIME TRANSITIONS 
    ------------------------------------------------------------------------------------------------------------------------------
    10.10.10.60 60 up green biz-internet 192.168.20.2 10.201.186.167 12346 ipsec 7 1000 0:00:06:37 6 
    10.10.10.20 20 up green biz-internet 192.168.20.2 10.201.186.180 12346 ipsec 7 1000 0:00:06:37 6 
    10.10.10.5 5 up green default 192.168.20.2 10.201.186.181 12346 ipsec 7 1000 0:00:06:37 6 
    10.10.10.10 10 up green gold 192.168.20.2 10.201.186.182 12346 ipsec 7 1000 0:00:06:37 6

    Next output captures data plane connectivity for Branch_WAN-Edge. The local color custom2 is forming BFD session with remote edge devices.

    Branch_WAN-Edge#sh sdwan bfd sessions 
    SOURCE TLOC REMOTE TLOC DST PUBLIC DST PUBLIC DETECT TX 
    SYSTEM IP SITE ID STATE COLOR COLOR SOURCE IP IP PORT ENCAP MULTIPLIER INTERVAL(msec) UPTIME TRANSITIONS 
    ------------------------------------------------------------------------------------------------------------------------------
    10.10.10.5 5 up custom2 default 192.168.20.22 10.201.186.181 12346 ipsec 7 1000 0:00:07:37 2 
    10.10.10.10 10 up custom2 gold 192.168.20.22 10.201.186.182 12346 ipsec 7 1000 0:00:07:37 2 
    10.10.10.20 20 up custom2 biz-internet 192.168.20.22 10.201.186.180 12346 ipsec 7 1000 0:00:07:37 2 
    10.10.10.60 60 up custom2 biz-internet 192.168.20.22 10.201.186.167 12346 ipsec 7 1000 0:00:07:37 2

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    02-Oct-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Tushar Uttamrao Jagtap
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products