
Cisco SD-WAN User Guide

Step-by-Step Guide for Partners

Global Partner Solution Advisors (GPSA)

October 30, 2023

Table of Contents
Lab Overview ............................................................................................................................. 4
Lab Topology.......................................................................................................................... 4
Access Info ............................................................................................................................. 5
Device Credentials ................................................................................................................. 6
IP Address Scheme ................................................................................................................ 7
Create a new Admin User .......................................................................................................... 9
Create the new Admin user on vManage ................................................................................ 9
Deploying Sites Using Configuration Groups ............................................................................10
Overview ...............................................................................................................................10
Lab Verification......................................................................................................................10
Create Tags...........................................................................................................................11
Create Configuration Group for Site 100................................................................................13
Create Configuration Group for Site 200................................................................................19
Create Configuration Group for Site 400................................................................................24
Create Configuration Group for Site 500................................................................................29
Create Templates for vSmart/Controller. ...............................................................................33
Edit Configuration groups. .....................................................................................................38
Associate Devices to Configuration Groups ...........................................................................53
Deploy Configuration Groups ................................................................................................56
Deploy TLOC Extension with Configuration Groups ..............................................................59
Deploy Templates to Vsmarts/Controllers ..............................................................................62
Activity Verification ................................................................................................................64
Service Side routing in Site_100 ............................................................................................66
Verification – Service Side Routing........................................................................................69
Quick Connect - Onboarding Site 300 .......................................................................................70
Overview ...............................................................................................................................70
Quick Connect Workflow .......................................................................................................71
Config Group for Site-300 .........................................................................................................73
Site 300 - Onboarding C8000v ..................................................................................................79
Overview ...............................................................................................................................79
Onboarding C8000v with bootstrap config file........................................................................79
UX 2.0 Control Policies (Topology) ...........................................................................................82
Overview ...............................................................................................................................82
Creating the Policy ................................................................................................................82
Activity Verification ................................................................................................................97

Multi Region fabric ..................................................................................................................101
Overview .............................................................................................................................101
Configure MRF Border Devices ...........................................................................................101
Configure MRF Edge Devices – East_Coast_Region ..........................................................117
Configure MRF Edge Devices – West_Coast_Region .........................................................120
Activity Verification ..............................................................................................................121
Transport Gateway ..............................................................................................................124
Router Affinity Groups .........................................................................................................130
Data Policies (DIA) ..................................................................................................................136
Overview .............................................................................................................................136
Activity Verification ..............................................................................................................146
Data Policies(Enhanced Application Aware Routing) ..............................................................148
Overview .............................................................................................................................148
Activity Verification ..............................................................................................................160
NWPI ......................................................................................................................................166
Overview .............................................................................................................................166
NWPI Configuration .............................................................................................................166
Unified Security Policy - Site 300 ............................................................................................171
Overview .............................................................................................................................171
Configuring Security Policies: ..............................................................................................171
Zone Based Firewall Verification. ........................................................................................186
URL Filtering Verification. ....................................................................................................190
AMP Verification. .................................................................................................................192
TLS Decryption Verification. ................................................................................................194
IPS/IDS Verification. ............................................................................................................195
SDWAN-Umbrella Integration .................................................................................................199
Overview .............................................................................................................................199
Create DNS Policy on Umbrella...........................................................................................203
DNS Redirection Verification ...............................................................................................205
Umbrella SIG Integration .....................................................................................................206
Add Service Route to VPN 12 .............................................................................................210
Create Policies in Umbrella .................................................................................................210
Activity Verification ..............................................................................................................212

Lab Overview
The SD-WAN Lab Guide is based on the following Topology. This section also covers lab access steps and
device credentials.

Lab Topology
Given below is the lab topology being used for the GPSA SD-WAN Lab.

Access Info
To access the lab, follow the steps below:

1. Log in to dCloud >> Select the correct datacenter >> My Hub.

2. Click Sessions >> Identify your session and click View to navigate to the session details
section. Click the Jumphost, expand Remote Access >> WebRDP.

3. Launch Google Chrome.

• Navigate to POC Tool using the browser bookmark. Log in to POC Tool using username
dcloud@cisco.com and password C1sco12345.

• Open another browser tab and navigate to vManage using the browser bookmark. Log
in to vManage using username admin and password pocadmin.

4. You can also console to all the devices directly from the POC Tool UI. Navigate to the site, right-click
the device and click Console.

Device Credentials

VNC Credentials

Common name | IP Address | User | Password
POC Tool | 198.18.133.200 | dcloud@cisco.com | C1sco12345
vManage | 198.18.133.200:8443 | admin | pocadmin
Site300-Ubuntu-VPN10 | 198.18.133.200:30503 | ubuntu | viptela
Site300-Ubuntu-VPN12 | 198.18.133.200:30504 | ubuntu | viptela
Site400-Ubuntu-VPN10 | 198.18.133.200:30501 | ubuntu | viptela
Site400-Ubuntu-VPN12 | 198.18.133.200:30500 | ubuntu | viptela
Site500-Ubuntu-VPN10 | 198.18.133.200:30502 | ubuntu | viptela
SSH Credentials

Common name | IP Address | User | Password
vManage | 198.18.133.200:19001 | admin | pocadmin
vBond | 198.18.133.200:19002 | admin | admin
vSmart-1 | 198.18.133.200:19003 | admin | admin
vSmart-2 | 198.18.133.200:19005 | admin | admin
Site100-cE1 | 198.18.133.200:19007 | admin | C1sco12345
Site100-cE2 | 198.18.133.200:19008 | admin | C1sco12345
Site200-cE1 | 198.18.133.200:19011 | admin | C1sco12345
Site200-cE2 | 198.18.133.200:19012 | admin | C1sco12345
Site300-cE1 | 198.18.133.200:19017 | admin | C1sco12345
Site400-cE1 | 198.18.133.200:19021 | admin | C1sco12345
Site500-cE1 | 198.18.133.200:19024 | admin | C1sco12345
Site500-cE2 | 198.18.133.200:19025 | admin | C1sco12345
Site100-Core-VPN10 | 198.18.133.200:19010 | admin | C1sco12345
Site300-Core-VPN10 | 198.18.133.200:19016 | admin | C1sco12345

UI Credentials

Common name | IP Address | User | Password
POC Tool | 198.18.133.200 | dcloud@cisco.com | C1sco12345
vManage | 198.18.133.200:8443 | admin | pocadmin

IP Address Scheme

WAN Edges - Internal

Node | System IP | Site ID
Site100-cE1 | 1.1.10.1 | 100
Site100-cE2 | 1.1.10.2 | 100
Site200-cE1 | 1.1.20.1 | 200
Site200-cE2 | 1.1.20.2 | 200
Site300-cE1 | 1.1.30.1 | 300
Site400-cE1 | 1.1.40.1 | 400
Site500-cE1 | 1.1.50.1 | 500
Site500-cE2 | 1.1.50.2 | 500

WAN Edges - External

Node | MPLS | INET | Premium INET1 | Premium INET2
Site100-cE1 | 10.1.2.2/24 | 10.2.2.2/24 | 10.3.1.2/24 | 10.4.1.2/24
Site100-cE2 | 10.1.3.2/24 | 10.2.3.2/24 | 10.3.2.2/24 | 10.4.2.2/24
Site200-cE1 | 10.1.4.2/24 | 10.2.4.2/24 | 10.20.1.1/24 | 10.21.1.1/24
Site200-cE2 | 10.1.5.2/24 | 10.2.5.2/24 | 10.20.1.2/24 | 10.21.1.2/24
Site300-cE1 | 10.1.6.2/24 | 10.2.6.2/24 | 10.30.1.1/24 | -
Site400-cE1 | 10.1.7.2/24 | 10.2.7.2/24 | 10.40.1.1/24 | -
Site500-cE1 | 10.1.8.2/24 | 10.2.8.2/24 | 10.50.1.1/24 | -
Site500-cE2 | 10.1.9.2/24 | 10.2.9.2/24 | 10.50.1.2/24 | -

Controllers

Node | System IP | Site ID | INET | Default GW
vManage | 1.1.1.1 | 1 | 10.2.1.7/24 | 10.2.1.1
vBond | 1.1.1.2 | - | 10.2.1.6/24 | 10.2.1.1
vSmart-1 | 1.1.1.3 | 1 | 10.2.1.5/24 | 10.2.1.1
vSmart-2 | 1.1.1.4 | 1 | 10.2.1.4/24 | 10.2.1.1
vSmart-3 | 1.1.1.10 | 1 | 10.2.1.3/24 | 10.2.1.1
vSmart-4 | 1.1.1.12 | 1 | 10.2.1.2/24 | 10.2.1.1

Third Party Devices

Node | Type | Site | VPN | IP Address
Site100-Core-VPN10 | LAN Core Router | 100 | 10 | 10.10.1.100/24
Site300-WANEmu1 | WAN Emulator | 300 | 0 | -
Site300-WANEmu2 | WAN Emulator | 300 | 0 | -
Site300-Core-VPN10 | LAN Core Router | 300 | 10 | 10.30.1.100/24
Site300-Ubuntu-VPN10 | Host | 300 | 10 | 10.30.1.10/24
Site300-Ubuntu-VPN12 | Host | 300 | 12 | 12.30.1.10/24
TRex1-VPN10 | Traffic Generator | 300 | 10 | 10.30.1.50/24
TRex2-VPN10 | Traffic Generator | 300 | 10 | 10.30.1.30/24
Site400-Ubuntu-VPN10 | Host | 400 | 10 | 10.40.1.10/24
Site400-Ubuntu-VPN12 | Host | 400 | 12 | 12.40.1.10/24
Site500-Ubuntu-VPN10 | Host | 500 | 10 | 10.50.1.10/24
Create a new Admin User

We will create a new admin user in vManage with the following information. This is a backup
mechanism in case the default username "admin" gets locked because of a bug in the current
vManage version.

User | Password
netadmin | C1sco12345

Create the new Admin user on vManage

1. Log in to vManage and go to Administration >> Manage Users.

2. Click Add User.

3. Enter the following details:

Full Name: netadmin
Username: netadmin
Password: C1sco12345
Confirm Password: C1sco12345
User Groups: netadmin
Deploying Sites Using Configuration Groups

Overview

Configuration groups provide a simple, reusable, and structured approach to configuration in Cisco
Catalyst SD-WAN. You can create a configuration group, that is, a logical grouping of features or
configurations that is applied to one or more devices in the network managed by Cisco Catalyst
SD-WAN. You can also create profiles based on features that are required, recommended, or uniquely
used, and then combine the profiles to complete a device configuration.

• Configuration Group: A configuration group is a logical grouping of features or configurations
that can be applied to one or more devices in the network managed by Cisco Catalyst SD-WAN.
You can define and customize this grouping based on your business needs.
• Feature Profile: A feature profile is a flexible building block of configurations that can be reused
across different configuration groups. You can create profiles based on features that are
required, recommended, or uniquely used, and then put together the profiles to complete a
device configuration.
• Feature: A feature profile consists of features. Features are the individual capabilities you want
to share across different configuration groups.

The configuration group workflow in Cisco SD-WAN Manager provides a guided method to create
configuration groups and feature profiles.

In this section:

1. Devices in Sites 100, 200, 400 and 500 have already been onboarded to the overlay but are not
yet managed by the Catalyst Controller.
2. Deploy configuration to Sites 100, 200, 400 and 500 using configuration groups.
3. Configure TLOC Extension in Site 500.
4. Enable Restrict on all the data tunnels.

Note: A device can be associated with either a configuration group or a device template, but not both.

Lab Verification
1. Ensure you have 4 vSmarts/Controllers and 7 WAN Edges up and running.
Create Tags
Tags are used for grouping, describing, finding, or managing devices.
The Device Tagging feature helps you do the following:

• Add tags to devices: Tagging helps you manage devices more effectively. You can use the tags
for grouping, describing, or finding devices. You can add more than one tag to a device.

• Add devices to configuration groups based on tagging: Using tags, you can create rules to define
which devices need to be automatically added to a configuration group.

1. Navigate to Configuration >> Devices.

2. Click Add Tag >> Enter East_Coast_DC >> Click Create New Tag East_Coast_DC

3. Similarly, create the tags below:

• East_Coast_BR1
• East_Coast_BR2
• West_Coast_DC
• West_Coast_BR1

4. Click the filter icon in the Search Table. Filter reachable devices from the Reachability tab.

5. Click Add Tag in front of Site100-cE1 and Site100-cE2. Check East_Coast_DC >> Apply Tag

Perform similar steps 4-5 to tag the devices as per the table below:

Hostname | Tag
Site200-cE1 | West_Coast_DC
Site200-cE2 | West_Coast_DC
Site400-cE1 | East_Coast_BR2
Site500-cE1 | West_Coast_BR1
Site500-cE2 | West_Coast_BR1

Note: It may take a few seconds for the tag to be reflected in front of the device.
Create Configuration Group for Site 100

6. Click Workflows >> Create Configuration Groups >> Name it East_Coast_DC >> Click Next.

7. Select Site type as Dual Router.

8. Configure the following parameters.

Section | Field | Global/Device Specific | Value
Site Settings | Local Device Access | Global | C1sco12345
Site Settings | Message of the Day | Global | Welcome to 20.12 Lab
Site Settings | Login | Global | Configuration pushed through Configuration Groups.

9. Configure the WAN interface as per the directions below:

• Select Full Mesh.
• Change the interface to static.
• Click Show Advanced.
• Update the values as per the table below.

Field | Global/Device Specific | Value
Transport Name | - | Regional_INET
Interface-Color | Global | Public-internet
Interface name | Global | GigabitEthernet1
IP Address | Device Specific | Regional_Internet_IP
Subnet | Device Specific | Regional_Internet_Mask

10. Configure 3 more interfaces, setting them to static as per the values below:

Field | Global/Device Specific | Value
Transport Name | - | Regional_MPLS
Interface-Color | Global | mpls
Interface name | Global | GigabitEthernet2
IP Address | Device Specific | Regional_MPLS_IP
Subnet | Device Specific | Regional_MPLS_Mask

Click Add to add 2 more interfaces.

Enter the following values for the new interfaces:

Field | Global/Device Specific | Value
Transport Name | - | Premium_INET_1
Interface-Color | Global | Gold
Interface name | Global | GigabitEthernet5
IP Address | Device Specific | premium_inet1_ip
Subnet | Device Specific | premium_inet1_mask

Field | Global/Device Specific | Value
Transport Name | - | Premium_INET_2
Interface-Color | Global | Silver
Interface name | Global | GigabitEthernet6
IP Address | Device Specific | premium_inet2_ip
Subnet | Device Specific | premium_inet2_mask

11. Expand WAN Routing, click Add Routing >> Static IPv4 >> Click 1 Next Hop >> Click the Add sign 3
times. Enter the values as per the table below and hit Save:

Global/Device Specific | Value
Device Specific | Regional_Internet_next_hop
Device Specific | Regional_mpls_next_hop
Device Specific | premium_inet1_next_hop
Device Specific | premium_inet2_next_hop

Click Save

12. Click Show Advanced >> Enter the values below.

Field | Global/Device Specific | Value
Network Address | Global | 0.0.0.0
Subnet Mask | Global | 0.0.0.0

13. Expand LAN & Service VPN Profile >> Uncheck VRRP >> Enter the values as per the table below:
• Check Show Advanced

Field | Global/Device Specific | Value
Segment Name | - | Corporate_Users
VPN | Global | 10
Number of Interfaces | Global | 1
Interface Name | Global | GigabitEthernet3
Description | Global | Corporate
IP Address | Device Specific | vpn10_ip_address
Subnet | Device Specific | Vpn10_mask

Click Add Routing >> OSPF >> Click Show Advanced

Enter the values below and click Save:

Field | Global/Device Specific | Value
Area Number | Global | 0
Range Network Address | Device Specific | vpn10_ospf_nw_add
Range Network Subnet Mask | Device Specific | vpn10_ospf_mask
14. Update the other LAN segment as per the table below:

Field | Global/Device Specific | Value
Segment Name | - | IOT_Devices
VPN | Global | 11
Number of Interfaces | Global | 1
Interface name | Global | GigabitEthernet4
Description | Global | IOT
IP Address | Device Specific | vpn11_ip_address
Subnet | Device Specific | Vpn11_mask

Delete the other 2 LAN segments by clicking the Bin icon.

Click Next >> Next >> Review Configuration >> Click Create Configuration Group. You should receive a
Success message; click "No, I will do it later".
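The device-specific variables entered above (Regional_Internet_IP, Regional_mpls_next_hop, vpn10_ospf_nw_add, and so on) are only checked by vManage for syntax, so a next hop outside its transport subnet or an OSPF range that misses the LAN interface is discovered after the push. The following script is an added example, not part of the lab guide or of vManage, that checks a dual-router site's values before deployment; WAN addresses follow the WAN Edges - External table, while the next hops, VPN 10 addresses and the VRRP values (vrrp_priority, vrrp_ip_addr, used later when VRRP is enabled) are constructed assumptions.

```python
import ipaddress

# Constructed device-specific values for the East_Coast_DC (Site 100) dual-router
# configuration group. WAN interface IPs and masks follow the lab's "WAN Edges -
# External" table; next hops, LAN addresses and VRRP values are assumed for this
# example and are not taken from the lab guide.
SITE100_VALUES = {
    "Site100-cE1": {
        "Regional_Internet_IP": "10.2.2.2", "Regional_Internet_Mask": "255.255.255.0",
        "Regional_Internet_next_hop": "10.2.2.1",
        "Regional_MPLS_IP": "10.1.2.2", "Regional_MPLS_Mask": "255.255.255.0",
        "Regional_mpls_next_hop": "10.1.2.1",
        "premium_inet1_ip": "10.3.1.2", "premium_inet1_mask": "255.255.255.0",
        "premium_inet1_next_hop": "10.3.1.1",
        "premium_inet2_ip": "10.4.1.2", "premium_inet2_mask": "255.255.255.0",
        "premium_inet2_next_hop": "10.4.1.1",
        "vpn10_ip_address": "10.10.1.2", "Vpn10_mask": "255.255.255.0",
        "vpn10_ospf_nw_add": "10.10.1.0", "vpn10_ospf_mask": "255.255.255.0",
        "vrrp_priority": "110", "vrrp_ip_addr": "10.10.1.1",
    },
    "Site100-cE2": {
        "Regional_Internet_IP": "10.2.3.2", "Regional_Internet_Mask": "255.255.255.0",
        "Regional_Internet_next_hop": "10.2.3.1",
        "Regional_MPLS_IP": "10.1.3.2", "Regional_MPLS_Mask": "255.255.255.0",
        "Regional_mpls_next_hop": "10.1.3.1",
        "premium_inet1_ip": "10.3.2.2", "premium_inet1_mask": "255.255.255.0",
        "premium_inet1_next_hop": "10.3.2.1",
        "premium_inet2_ip": "10.4.2.2", "premium_inet2_mask": "255.255.255.0",
        "premium_inet2_next_hop": "10.4.2.1",
        "vpn10_ip_address": "10.10.1.3", "Vpn10_mask": "255.255.255.0",
        "vpn10_ospf_nw_add": "10.10.1.0", "vpn10_ospf_mask": "255.255.255.0",
        "vrrp_priority": "100", "vrrp_ip_addr": "10.10.1.1",
    },
}

# (IP variable, mask variable, next-hop variable) for each of the four WAN transports
WAN_TRANSPORTS = [
    ("Regional_Internet_IP", "Regional_Internet_Mask", "Regional_Internet_next_hop"),
    ("Regional_MPLS_IP", "Regional_MPLS_Mask", "Regional_mpls_next_hop"),
    ("premium_inet1_ip", "premium_inet1_mask", "premium_inet1_next_hop"),
    ("premium_inet2_ip", "premium_inet2_mask", "premium_inet2_next_hop"),
]
# Addresses that must not be reused by the other router of the same site
UNIQUE_VARS = [t[0] for t in WAN_TRANSPORTS] + ["vpn10_ip_address"]


def interface(values, ip_var, mask_var):
    """Build an IPv4Interface (address + mask) from two device variables."""
    return ipaddress.IPv4Interface(f"{values[ip_var]}/{values[mask_var]}")


def check_device(name, values):
    """Return a list of problems found in one device's variable values."""
    errors = []
    for ip_var, mask_var, nh_var in WAN_TRANSPORTS:
        intf = interface(values, ip_var, mask_var)
        next_hop = ipaddress.IPv4Address(values[nh_var])
        # The 0.0.0.0/0 route only works if its next hop sits on the transport subnet.
        if next_hop not in intf.network or next_hop == intf.ip:
            errors.append(f"{name}: {nh_var}={next_hop} is not a valid next hop on {intf}")
    lan = interface(values, "vpn10_ip_address", "Vpn10_mask")
    try:
        # strict=True rejects a range whose address has host bits set
        ospf_range = ipaddress.IPv4Network(
            f"{values['vpn10_ospf_nw_add']}/{values['vpn10_ospf_mask']}", strict=True)
        if lan.ip not in ospf_range:
            errors.append(f"{name}: OSPF range {ospf_range} does not cover {lan}")
    except ValueError as exc:
        errors.append(f"{name}: bad OSPF range: {exc}")
    vrrp_ip = ipaddress.IPv4Address(values["vrrp_ip_addr"])
    if vrrp_ip not in lan.network or vrrp_ip == lan.ip:
        errors.append(f"{name}: vrrp_ip_addr={vrrp_ip} must be on {lan.network} and differ from {lan.ip}")
    if not values["vrrp_priority"].isdigit() or not 1 <= int(values["vrrp_priority"]) <= 254:
        errors.append(f"{name}: vrrp_priority must be an integer from 1 to 254")
    return errors


def check_site(site_values):
    """Check every device, then the cross-device rules of a dual-router site."""
    errors = []
    seen = {}  # address -> (device, variable), to catch an IP reused on the other router
    for name, values in site_values.items():
        errors += check_device(name, values)
        for var in UNIQUE_VARS:
            owner = seen.setdefault(values[var], (name, var))
            if owner[0] != name:
                errors.append(f"{name}: {var}={values[var]} already used by {owner[0]} ({owner[1]})")
    devices = list(site_values.values())
    if len(devices) == 2:
        first, second = devices
        if first["vrrp_ip_addr"] != second["vrrp_ip_addr"]:
            errors.append("VRRP virtual address differs between the two routers")
        if first["vrrp_priority"] == second["vrrp_priority"]:
            errors.append("VRRP priorities are equal; no deterministic master")
    return errors


if __name__ == "__main__":
    for line in check_site(SITE100_VALUES) or ["all checks passed"]:
        print(line)
```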
Create Configuration Group for Site 200
1. Go to Configuration >> Workflows >> Create Configuration Groups >> Name it
West_Coast_DC >> Click Next.
2. Select Site type as Dual Router.
3. Configure the following parameters.

Section | Field | Global/Device Specific | Value
Site Settings | Local Device Access | Global | C1sco12345
Site Settings | Message of the Day | Global | Welcome to 20.12 Lab
Site Settings | Login | Global | Configuration pushed through Configuration Groups.

4. We need to configure 4 static WAN interfaces. Configure the WAN interfaces as per the directions below:
• Select Full Mesh.
• Change the interface to static.
• Click Show Advanced
• Update the values as per the tables below:

Field | Global/Device Specific | Value
Transport Name | - | Regional_INET
Interface-Color | Global | Public-internet
Interface name | Global | GigabitEthernet2
IP Address | Device Specific | Regional_Internet_IP
Subnet | Device Specific | Regional_Internet_Mask

Field | Global/Device Specific | Value
Transport Name | - | Regional_MPLS
Interface-Color | Global | mpls
Interface name | Global | GigabitEthernet1
IP Address | Device Specific | Regional_MPLS_IP
Subnet | Device Specific | Regional_MPLS_Mask

Field | Global/Device Specific | Value
Transport Name | - | Premium_INET_1
Interface-Color | Global | Gold
Interface name | Global | GigabitEthernet3
IP Address | Device Specific | premium_inet1_ip
Subnet | Device Specific | premium_inet1_mask

Field | Global/Device Specific | Value
Transport Name | - | Premium_INET_2
Interface-Color | Global | Silver
Interface name | Global | GigabitEthernet4
IP Address | Device Specific | premium_inet2_ip
Subnet | Device Specific | premium_inet2_mask

20
5. Expand WAN Routing, click Add Routing >> Static IPv4 >> Click 1 Next Hop >> Click the Add sign 3
times. Enter the values as per the table below:

Global/Device Specific | Value
Device Specific | Regional_Internet_next_hop
Device Specific | Regional_mpls_next_hop
Device Specific | premium_inet1_next_hop
Device Specific | premium_inet2_next_hop

Click Save

6. Click Show Advanced >> Enter the values below:

Field | Global/Device Specific | Value
Network Address | Global | 0.0.0.0
Subnet Mask | Global | 0.0.0.0

7. Expand LAN & Service VPN Profile >> Uncheck VRRP >> Enter the values as per the tables below:
• Check Show Advanced

Field | Global/Device Specific | Value
Segment Name | - | Corporate_Users
VPN | Global | 10
Number of Interfaces | Global | 1
Interface Name | Global | Loopback10
Description | Global | Corporate Loopback
IP Address | Device Specific | Loopback10_ip_address
Subnet | Device Specific | Loopback10_mask

Field | Global/Device Specific | Value
Segment Name | - | IOT_Devices
VPN | Global | 11
Number of Interfaces | Global | 1
Interface Name | Global | Loopback11
Description | Global | IOT Loopback
IP Address | Device Specific | Loopback11_ip_address
Subnet | Device Specific | Loopback11_mask

Delete the other 2 LAN segments by clicking the Bin icon.

Click Next >> Next >> Review Configuration >> Click Create Configuration Group. You should receive a
Success message; click "No, I will do it later".
Create Configuration Group for Site 400
8. Go to Configuration >> Workflows >> Create Configuration Groups >> Name it
East_Coast_BR2 >> Click Next.

9. Select Site type as Single Router.

10. Configure the following parameters.

Section | Field | Global/Device Specific | Value
Site Settings | Local Device Access | Global | C1sco12345
Site Settings | Message of the Day | Global | Welcome to 20.12 Lab
Site Settings | Login | Global | Configuration pushed through Configuration Groups.

11. We need to configure 1 static MPLS WAN interface. Configure the WAN interface as per the directions
below:

• Change the interface to static.
• Click Show Advanced
• Update the values as per the table below:

Field | Global/Device Specific | Value
Transport Name | - | Regional_MPLS
Interface-Color | Global | mpls
Interface name | Global | GigabitEthernet2
IP Address | Device Specific | Regional_MPLS_IP
Subnet | Device Specific | Regional_MPLS_Mask

Delete the rest of the interfaces by clicking the Bin icon.

12. Expand WAN Routing, click Add Routing >> Static IPv4 >> Click 1 Next Hop >> Enter the values as
per the table below:

Global/Device Specific | Value
Device Specific | Regional_mpls_next_hop

Click Save

13. Click Show Advanced >> Enter the values below:

Field | Global/Device Specific | Value
Network Address | Global | 0.0.0.0
Subnet Mask | Global | 0.0.0.0

14. Expand LAN & Service VPN Profile >> Enter the values as per the tables below:
• Check Show Advanced

Field | Global/Device Specific | Value
Segment Name | - | Corporate_Users
VPN | Global | 10
Number of Interfaces | Global | 2
Interface Name | Global | GigabitEthernet3
Description | Global | Corporate
IP Address | Device Specific | vpn10_ip_address
Subnet | Device Specific | vpn10_mask
Interface Name | Global | Loopback10
Description | Global | Corporate Loopback
IP Address | Device Specific | Loopback10_ip_address
Subnet | Device Specific | Loopback10_mask

Field | Global/Device Specific | Value
Segment Name | - | IOT_Devices
VPN | Global | 11
Number of Interfaces | Global | 1
Interface Name | Global | Loopback11
Description | Global | IOT Loopback
IP Address | Device Specific | Loopback11_ip_address
Subnet | Device Specific | Loopback11_mask

Field | Global/Device Specific | Value
Segment Name | - | Guest
VPN | Global | 12
Number of Interfaces | Global | 2
Interface Name | Global | GigabitEthernet5
Description | Global | Guest
IP Address | Device Specific | vpn12_ip_address
Subnet | Device Specific | vpn12_mask
Interface Name | Global | Loopback12
Description | Global | Guest Loopback
IP Address | Device Specific | Loopback12_ip_address
Subnet | Device Specific | Loopback12_mask

Delete the other LAN segment by clicking the Bin icon.

Click Next >> Next >> Review Configuration >> Click Create Configuration Group. You should receive a
Success message; click "No, I will do it later".
Create Configuration Group for Site 500
Site 500 will be configured as a TLOC Extension site.

1. Go to Configuration >> Workflows >> Create Configuration Groups >> Name it
West_Coast_BR1_Tloc_Ext >> Click Next.

2. Select Site type as Dual Router.

3. Configure the following parameters.

Section | Field | Global/Device Specific | Value
Site Settings | Local Device Access | Global | C1sco12345
Site Settings | Message of the Day | Global | Welcome to 20.12 Lab
Site Settings | Login | Global | Configuration pushed through Configuration Groups.

4. We need to configure 2 static WAN interfaces. Configure the WAN interfaces as per the directions below:
• Select Transport Extension.
• Change the interface to static.
• Select Transport Sharing Interface on both interfaces.
• Click Show Advanced
• Update the values as per the tables below:

For Device with Tag EdgeDevice_01

Field | Global/Device Specific | Value
Transport Name | - | Regional_MPLS
Interface-Color | Global | mpls
Interface name | Global | GigabitEthernet2
IP Address | Device Specific | Regional_MPLS_IP
Subnet | Device Specific | Regional_MPLS_Mask

For Device with Tag EdgeDevice_02

Field | Global/Device Specific | Value
Transport Name | - | Regional_INET
Interface-Color | Global | Public-internet
Interface name | Global | GigabitEthernet1
IP Address | Device Specific | Regional_Internet_IP
Subnet | Device Specific | Regional_Internet_Mask

5. Expand WAN Routing, click Add Routing >> Static IPv4 >> Click 1 Next Hop >> Enter the values as
per the table below:

Global/Device Specific | Value
Device Specific | Regional_mpls_next_hop
Device Specific | Regional_inet_next_hop

Click Save

6. Click Show Advanced >> Enter the values below:

Field | Global/Device Specific | Value
Network Address | Global | 0.0.0.0
Subnet Mask | Global | 0.0.0.0

7. Expand LAN & Service VPN Profile >> Uncheck VRRP >> Enter the values as per the table below:
• Check Show Advanced

Field | Global/Device Specific | Value
Segment Name | - | Corporate_Users
VPN | Global | 10
Number of Interfaces | Global | 2
Interface Name | Global | GigabitEthernet3
Description | Global | Corporate
IP Address | Device Specific | vpn10_ip_address
Subnet | Device Specific | vpn10_mask
Interface Name | Global | Loopback10
Description | Global | Corporate Loopback
IP Address | Device Specific | Loopback10_ip_address
Subnet | Device Specific | Loopback10_mask

Delete the other LAN segment by clicking the Bin icon.

Click Next >> Next >> Review Configuration >> Click Create Configuration Group. You should receive a
Success message; click "No, I will do it later".
Create Templates for vSmart/Controller

1. Go to Configuration >> Templates.

2. From Device Template >> Click Create Template >> From Feature Template

3. Enter the following information:

• Device Model: vSmart
• Template Name: vSmart-MRF
• Description: Template for MRF Enabled vSmarts

4. Click System >> Create template
5. Enter the following and hit Save.

• Template name: vSmart_MRF_system
• Description: vSmart_MRF_system

6. Go to Transport & Management VPN >> Click VPN 0 >> Create template.

7. Enter the following.

• Template name: vSmart_VPN0
• Description: vSmart_VPN0
• VPN: VPN 0

Click DNS >> New Host Mapping >> Hostname: vbond-test-drive, IP: 10.2.1.6 >> Add

Click IPv4 Route >> New IPv4 Route >> Prefix: 0.0.0.0/0

8. Click Add Next Hop >> Add Next Hop >> Global "10.2.1.1" >> Add

9. Click Add >> Save.

10. Go to Transport & Management VPN >> Click VPN Interface >> Create template.
11. Enter the following.

• Template name: vSmart_VPN0_intf
• Description: vSmart_VPN0_intf
• Shutdown: No
• Interface Name: eth0

12. Under IP Configuration >> Select Static >> Set IPv4 as device variable >> "vpn_if_ip_address" >>
Save

13. Enable Tunnel Interface

Click Save

14. Click Create.

15. Click the 3 dots in front of vSmart-MRF >> Copy >>

16. Enter the following.

• Template name: vSmart-Non-MRF
• Description: Template for Non MRF Enabled vSmarts

Click Copy.

17. Click Feature Templates >> Click the 3 dots in front of vSmart_MRF_system >> Copy.

18. Enter the following.

• Template name: vSmart_Non_MRF_system
• Description: vSmart_Non_MRF_system

Click Copy.

19. Click Device Template >> Click the 3 dots in front of vSmart-Non-MRF >> Edit.

20. Under System, select the System Template "vSmart_Non_MRF_System".

Click Update.
Edit Configuration Groups
We are going to edit the configuration groups to do the following:

• Add the vBond host mapping for each of the groups (this is a requirement in the lab, as we
don't have a DNS server).
• Add VRRP configuration.
• Enable Restrict on the tunnel interfaces.

1. Go to Configuration >> Configuration Groups

2. Click the 3 dots in front of East_Coast_DC >> Click Edit

3. Expand Service Profile: East_Coast_DC_LAN

Note: You may see different subtemplate names under Corporate_Users and IOT_Devices; those are
autogenerated during the workflow. You can change the subtemplates by clicking the 3 dots in front of them
and editing.

4. Click the 3 dots in front of "VPN_Payment_Processing_Network_12_Interface", which is a
subtemplate for Payment_Processing_Network >> Edit feature >>

Note: VPN_Payment_Processing_Network_12_Interface is the workflow-created interface under
the VRF Corporate_users. You can change the name by clicking Edit.

5. Click VRRP >> Expand IPv4 Settings >> click Add VRRP IPv4 >>

6. Enter the values as per the table below:

Field | Global/Device Specific | Value
Group ID | Global | 202
Priority | Device Specific | vrrp_priority
IP Address | Device Specific | vrrp_ip_addr
Click Add

Click Save on both devices.

7. Expand Transport & Management Profile: East_Coast_DC_WAN >> Click the 3 dots in front of VPN0
>> Edit Feature >>

8. Click Host Mapping >> Add New Host Mapping >> Enter the values as per the table below and click
Add:

Field | Global/Device Specific | Value
Hostname | Global | vbond-test-drive
List of IP | Global | 10.2.1.6
9. Click Save on both devices.

10. Click Edit feature in front of Regional_MPLS.

11. Click Tunnel >> Enable Restrict as Global >> Save on both devices.

12. Perform steps 10-11 for the subtemplates:
• Premium_INET_1
• Premium_INET_2
• Regional_INET
13. At the top of the tab >> click Go back to Configuration Group list

14. Click the 3 dots in front of West_Coast_DC >> Click Edit.

15. Expand Transport & Management Profile: West_Coast_DC_WAN >> Click the 3 dots in front of VPN0
>> Edit Feature >>

16. Click Host Mapping >> Add New Host Mapping >> Enter the values as per the table below and click
Add:

Field | Global/Device Specific | Value
Hostname | Global | vbond-test-drive
List of IP | Global | 10.2.1.6

Click Save on both devices.
17. Click Edit feature in front of Regional_MPLS.

18. Click Tunnel >> Enable Restrict as Global >> Save on both devices.

19. Perform steps 17-18 for the subtemplates:
• Premium_INET_1
• Premium_INET_2
• Regional_INET

20. On top of the tab >> click Go back to Configuration Group list.

21. Click 3 dots in front of the East_Coast_BR2 >> Click Edit.
22. Expand Transport & Management Profile: East_Coast_BR2_WAN >> Click 3 dots in front of VPN0
>> Edit Feature.

23. Click Host Mapping >> Add New Host Mapping >> Enter the values as per the table below and Click
Add:

Field        Global/Device Specific   Value
Hostname     Global                   vbond-test-drive
List of IP   Global                   10.2.1.6

Click Save.

24. Click Edit feature in front of Regional_MPLS.

25. Click Tunnel >> Enable Restrict as Global >> Save on both devices.

26. Expand Service Profile: East_Coast_BR2_LAN and Click on 3 Dots in front of
“VPN_Payment_Processing_Network_12_Interface”, which is a subtemplate for Corporate_Users
>> Edit feature >>

Note: VPN_Payment_Processing_Network_12_Interface is the interface created by the workflow under
the VRF Corporate_users. You can change the name by clicking Edit.
27. Click VRRP >> Expand IPv4 Settings >> click Add VRRP IPv4 >>

28. Enter the values as per the table below:

Field        Global/Device Specific   Value
Group ID     Global                   202
Priority     Device Specific          vrrp_priority
IP Address   Device Specific          vrrp_ip_addr

Click Add.
29. On top of the tab >> click Go back to Configuration Group list.

30. Click 3 dots in front of the West_Coast_BR1_Tloc_Ext >> Click Edit.

31. Expand Transport & Management Profile: West_Coast_BR1_Tloc_Ext >> Click 3 dots in front of
VPN0 >> Edit Feature.

32. Click Host Mapping >> Add New Host Mapping >> Enter the values as per the table below and Click
Add:

Field        Global/Device Specific   Value
Hostname     Global                   vbond-test-drive
List of IP   Global                   10.2.1.6

Click Save on both devices.

33. Click Edit feature in front of Transport-Regional_INET-Shared-Tloc.
34. Click Tunnel >> Enable Restrict as Global >> Save on EdgeDevice_01.

35. Perform steps 33-34 for the subtemplates:
• Transport-Regional_MPLS-Tloc
• Transport-Regional_MPLS-Shared-Tloc
• Transport-Regional_INET-Tloc

36. Expand Service Profile >> Click on 3 Dots in front of
“VPN_Payment_Processing_Network_12_Interface”, which is a subtemplate for Corporate_Users
>> Edit feature >>

Note: VPN_Payment_Processing_Network_12_Interface is the interface created by the workflow under
the VRF Corporate_users. You can change the name by clicking Edit.

37. Click VRRP >> Expand IPv4 Settings >> click Add VRRP IPv4 >>

38. Enter the values as per the table below:

Field        Global/Device Specific   Value
Group ID     Global                   202
Priority     Device Specific          vrrp_priority
IP Address   Device Specific          vrrp_ip_addr

Click Add.

Click Save on both devices.
Associate Devices to Configuration Groups
1. Go to Configuration >> Configuration Groups >> Click 3 dots in front of the East_Coast_DC >>
Click Edit.

2. Click Associated Devices >> Associate Devices.

3. Click Next >> Select Site >> Select SITE_100 >> Click Next.

4. Ensure that Site100-cE1 is tagged as EdgeDevice_01 and Site100-cE2 as EdgeDevice_02.

Click Next >> Save.

Click “No, I will do it later” >> Click View List of Configuration Groups.

Note: You may see an error after saving. Save again to get around it.

5. Perform steps 1-4 for the Configuration Groups West_Coast_DC, East_Coast_BR2 and
West_Coast_BR1_Tloc_Ext:

• Click 3 dots in front of the respective configuration group >> Click Edit.
• Click Associated Devices >> Associate Devices.
• Click Next >> Select Site >> Select the site as per the table below:

Configuration Group       Site
West_Coast_DC             SITE_200
East_Coast_BR2            SITE_400
West_Coast_BR1_Tloc_Ext   SITE_500

• Ensure that the devices are tagged as follows:

o Site200-cE1 as EdgeDevice_01 and Site200-cE2 as EdgeDevice_02.
o Site500-cE1 as EdgeDevice_01 and Site500-cE2 as EdgeDevice_02.

• Click “No, I will do it later” >> Click View List of Configuration Groups.

Note: You may see an error after saving. Save again to get around it.

Deploy Configuration Groups

1. Go to Workflows >> Deploy Configuration Group >> Click Next >> Select East_Coast_DC >> Next.

2. Select SITE_100 >> Click Next >>

3. Select SITE_100 >> Click Import >>

4. Select the Downloads folder >> Select Site100-Variables >> Open.

5. Click Next >> Click Preview CLI >> Select SITE_100 >> Deploy.

Preview CLI is the last point at which you can read the full rendered device configuration (host
mapping, Restrict flags, VRRP values) before it is pushed; review it rather than clicking through.

6. Click View Deployment Status. It should show Success.

7. Perform steps 1-6 for the Configuration Groups West_Coast_DC and East_Coast_BR2.

• Go to Workflows >> Deploy Configuration Group >> Click Next >> Select the respective
Configuration Group.

• Select Site >> Select the site as per the table below and Click Import:

Configuration Group   Site
West_Coast_DC         SITE_200
East_Coast_BR2        SITE_400

• Select the Downloads folder >> Select the variables file as per the table below for the respective
configuration group workflow and click Open.

Configuration Group   Variables File
West_Coast_DC         SITE200-Variables
East_Coast_BR2        SITE400-Variables

• Click Next >> Click Preview CLI >> Deploy.

• Click View Deployment Status. It should show Success.
Deploy TLOC Extension with Configuration Groups
Site 500 has a TLOC Extension configuration.

Site500-cE1 is connected to the MPLS transport, whereas Site500-cE2 is connected to the Internet. If the
Internet link goes down, Site500-cE2 has no way to use the MPLS link available at Site500-cE1.
TLOC Extension remedies this by letting each router reach the other router's transport over the
point-to-point link between them.

The workflow automates the TLOC Extension configuration. To do so it adds the default variable names
listed below, with their values:

Device        Variable                                        Value
Site500-cE2   Regional_Internet_IP                            10.2.9.2
Site500-cE2   Regional_Internet_Mask                          255.255.255.0
Site500-cE2   vpn_0_regional_inet_shared_if                   GigabitEthernet4
Site500-cE2   vpn_0_regional_inet_shared_if_static_ipv4       10.2.8.1
Site500-cE2   vpn_0_regional_inet_shared_if_static_subnet     255.255.255.0
Site500-cE2   vpn_0_regional_inet_adv_tloc_exte               GigabitEthernet1
Site500-cE2   vpn_0_regional_mpls_shared_tloc                 GigabitEthernet2
Site500-cE2   vpn_0_regional_mpls_shared_tloc_static_ipv4     10.1.9.2
Site500-cE2   vpn_0_regional_mpls_shared_tloc_static_subnet   255.255.255.0
Site500-cE1   vpn_0_regional_inet_shared_tloc                 GigabitEthernet1
Site500-cE1   vpn_0_regional_inet_shared_tloc_static_ipv4     10.2.8.2
Site500-cE1   vpn_0_regional_inet_shared_tloc_static_subnet   255.255.255.0
Site500-cE1   vpn_0_regional_mpls_shared_if                   GigabitEthernet4
Site500-cE1   vpn_0_regional_mpls_shared_if_static_ipv4       10.1.9.1
Site500-cE1   vpn_0_regional_mpls_shared_if_static_subnet     255.255.255.0
Site500-cE1   vpn_0_regional_mpls_adv_tloc_exte               GigabitEthernet2
Site500-cE2   Regional_MPLS_IP                                10.1.8.2
Site500-cE2   Regional_MPLS_Mask                              255.255.255.0

1. Go to Workflows >> Deploy Configuration Group >> Click Next >> Select the
West_Coast_BR1_Tloc_Ext Configuration Group.

2. Select SITE_500 >> Click Next >>

3. Select SITE_500 >> Click Import >> Select the Downloads folder >> Select Site500-Variables >>
Open.

Enter the values of the variables as per the table above.

4. Click Next >> Click Preview CLI >> Deploy.
5. Click View Deployment Status. It should show Success.

For the TLOC Extension to work we need a few more steps:

• Enable NAT on the INET interface on Site500-cE2. The extended Internet TLOC on Site500-cE1
sources its tunnel traffic from the private P2P link address, which Site500-cE2 must translate to
its public Internet address.
• Advertise the MPLS P2P link between Site500-cE1 and Site500-cE2 towards the MPLS
provider. In this setup we do that via static routes at the backend, though in the real world
you would do it via BGP.

6. Go to Configuration >> Configuration Groups >> Click 3 dots in front of
West_Coast_BR1_Tloc_Ext >> Edit.

7. Expand Transport & Management Profile >> Click Edit in front of Transport-Regional_INET-Tloc.

8. Click NAT >> IPv4 Settings >> Enable NAT.

Click Save on EdgeDevice_02.

9. Click Associated Devices >> Select Site_500 >> Deploy.

10. Select Site_500 >> Next >> Deploy.

Deploy Templates to vSmarts/Controllers

1. Go to Configuration >> Templates.

2. Click 3 dots in front of the vSmart-MRF Template >> Click Attach Devices.

3. Select vSmart-1, vSmart-2 and vSmart-3 >> Attach.

4. Click on the Import File icon.

5. Click Choose File >> Select vSmart-Variables >> Open >> Upload.

6. Click Next >> Configure Devices >> Select the radio button “Confirm configuration changes on
3 devices” >> Click OK.

7. Click 3 dots in front of the vSmart-Non-MRF Template >> Click Attach Devices.

8. Select vSmart-4 >> Attach.

9. Click on the Import File icon.

10. Click Choose File >> Select vSmart-Non-MRF-Variables >> Open >> Upload.

11. Click Next >> Configure Devices >> Click OK.

Activity Verification
1. Go to Tools >> SSH Terminal.

2. Click on Site100-cE1 >> Enter user: admin, password: C1sco12345

3. Run “show sdwan control connections”; you should see vSmart control connections over each
TLOC.

4. Run “show sdwan bfd sessions”.

You will observe that the router forms tunnels only with Site 400 and Site 200, over the Gold and
Silver TLOCs. This is expected, as hubs can only communicate via the Gold and Silver TLOCs.

5. Click on Site500-cE2 >> Enter user: admin, password: C1sco12345

6. Run “show sdwan control connections”.

You should see vSmart connections over both Public-Internet and MPLS. This proves the TLOC
extension is working as expected: the router only has a direct connection to Public-Internet and
is using the MPLS transport through the other router.

7. Run “show sdwan bfd sessions”. Expect tunnels only to Site 200, over INET and MPLS.
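Reading the BFD table by eye works for five sessions; it does not for fifty. The script below is an added example (not part of the lab guide or of any Cisco tool) that parses the text of “show sdwan bfd sessions”, one whitespace-separated row per session with the peer system IP in the first column, and compares what it finds with the tunnels the design predicts for Site100-cE1: Site 200 and Site 400 only, over gold and silver. The sample output is constructed, and two of its rows are deliberately wrong so the checks have something to report.

```python
"""Check 'show sdwan bfd sessions' output against the tunnels you expect.

Added example, not part of the lab guide or of any Cisco tool. The column order
assumed below is the one printed by IOS XE SD-WAN devices; the sample output is
constructed, with one session down and one peer that should not be there.
"""
import ipaddress

FIELDS = ("system_ip", "site_id", "state", "src_color", "dst_color", "src_ip",
          "dst_ip", "dst_port", "encap", "multiplier", "tx_interval", "uptime", "transitions")

SAMPLE_OUTPUT = """\
                                      SOURCE TLOC      REMOTE TLOC                  DST PUBLIC       DST PUBLIC         DETECT      TX
SYSTEM IP        SITE ID     STATE       COLOR            COLOR            SOURCE IP      IP               PORT        ENCAP  MULTIPLIER  INTERVAL(msec)  UPTIME          TRANSITIONS
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1.1.20.1         200         up          gold             gold             10.1.1.2       10.2.2.2         12346       ipsec  7           1000            0:01:23:45      0
1.1.20.1         200         up          silver           silver           10.1.1.3       10.2.2.3         12346       ipsec  7           1000            0:01:23:40      0
1.1.40.1         400         up          gold             gold             10.1.1.2       10.4.4.2         12366       ipsec  7           1000            0:00:58:12      1
1.1.40.1         400         down        silver           silver           10.1.1.3       10.4.4.3         12366       ipsec  7           1000            0:00:00:00      3
1.1.30.1         300         up          public-internet  public-internet  10.2.3.2       10.3.3.2         12346       ipsec  7           1000            0:00:10:05      0
"""


def parse_bfd_sessions(text):
    """Return one dict per session row; header, rule and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < len(FIELDS):
            continue
        try:
            ipaddress.ip_address(parts[0])   # data rows start with the peer system IP
        except ValueError:
            continue
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def peers_by_site(rows):
    """{site_id: sorted list of (local color, remote color, state)} for a quick overview."""
    out = {}
    for r in rows:
        out.setdefault(int(r["site_id"]), []).append((r["src_color"], r["dst_color"], r["state"]))
    return {site: sorted(v) for site, v in out.items()}


def verify_sessions(rows, expected):
    """expected = {site_id: {allowed local colors}}. Returns findings; [] means the
    fabric looks exactly like the design says it should."""
    findings = []
    for r in rows:
        site = int(r["site_id"])
        if site not in expected:
            findings.append(f"unexpected peer: site {site} ({r['system_ip']}) over {r['src_color']}")
        elif r["src_color"] not in expected[site]:
            findings.append(f"site {site} reached over unexpected color {r['src_color']}")
        if r["state"] != "up":
            findings.append(f"session to {r['system_ip']} {r['src_color']}->{r['dst_color']} is {r['state']}")
    seen = {int(r["site_id"]) for r in rows}
    findings.extend(f"no BFD session to site {s}" for s in sorted(expected) if s not in seen)
    return findings


# What the lab predicts for Site100-cE1 after the Restrict flags are deployed.
HUB_EXPECTATION = {200: {"gold", "silver"}, 400: {"gold", "silver"}}

if __name__ == "__main__":
    sessions = parse_bfd_sessions(SAMPLE_OUTPUT)
    print(peers_by_site(sessions))
    for finding in verify_sessions(sessions, HUB_EXPECTATION):
        print("FINDING:", finding)
```

Paste the real command output in place of SAMPLE_OUTPUT, or read it from a file captured over the SSH terminal; an unexpected peer site is the check that matters most here, because a tunnel to a site the design excludes means a Restrict flag or a color is wrong on one of the profiles.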

Service Side Routing in Site_100

1. From the Cisco SD-WAN Manager menu, go to Configuration >> Configuration Groups. Edit the
East_Coast_DC Configuration Group.
2. Under Service Profile:East_Coast_DC_LAN, edit the Corporate_Users LAN VPN feature. Navigate to the
Advertise OMP tab and click Add OMP Advertise IPv4.

3. On the pop-up window choose OSPF from the protocol dropdown and click Add. Repeat these
steps to add the Static and Connected protocols. Then click Save.

Advertising OSPF, static and connected routes into OMP is a redistribution decision: everything in
VPN 10 at the DC becomes reachable from every site that accepts the DC's routes, so scope it with a
route policy if the DC holds prefixes that should stay local.

4. Under East_Coast_DC_LAN, edit the VPN_10_OSPF LAN OSPF Route feature. Navigate to the Area tab
and click the pencil icon to edit Area 30.

5. On the pop-up window, click Advanced Options. Change the OSPF Network Type to
Broadcast. Then click Update >> Save.

6. Scroll up and go to the Associated Devices tab. Select Site_100 and click Deploy. Complete the
deployment workflow to push the configuration to Site 100.

Verification – Service Side Routing

1. Navigate to Monitor > Devices > Site100-cE1, select Real Time from the left side and type IP Route
in Device Options, then select Do Not Filter. Scroll down the list to ensure that the 100.100.100.124/32
route is now installed in the VPN 10 routing table of Site100-cE1.

2. Navigate to Monitor > Devices > vSmart-1 > Real Time > OMP Received Routes.
Confirm that the 100.100.100.124/32 route is received on the vSmart.

3. Navigate to Monitor > Devices > Site400-cE1 > Real Time > IP Route. Confirm that the
100.100.100.124/32 route is received and installed on the remote WAN Edges.

4. Open a browser tab and go to PoC Tool >> Site 100 >> Right click on Site100-Core-VPN10 >> Console
and type “show ip route”. Confirm that routes originating from OMP on VPN10 are being
correctly advertised and installed on the Site100-Core-VPN10 router. Notice that they are seen
as OSPF external type 2.
Quick Connect - Onboarding Site 300

Overview

The Quick Connect workflow provides a guided method in Cisco SD-WAN Manager to onboard
supported WAN edge devices into the Cisco Catalyst SD-WAN overlay network. As part of the Quick
Connect workflow, basic day-0 configuration profiles are created, which apply to all Cisco Catalyst SD-
WAN (IOS XE) devices irrespective of device model and device family. The workflow adds the
edge devices to the WAN transport and establishes the control plane and data plane connections.
This feature is supported on Cisco IOS XE Catalyst SD-WAN devices only.

Quick Connect Workflow Prerequisites:

• The organization name should be configured.
• Certificate authorization for the Cisco SD-WAN Validator and the Cisco SD-WAN
Controller should be configured.
• The controllers (Cisco SD-WAN Manager, Cisco SD-WAN Validator, and Cisco SD-WAN
Controller) should be installed and configured.

You can upload your devices in one of the following ways, either as part of the Quick Connect workflow
or independently:
• Using the auto sync option, where your Smart Account is synced with Cisco SD-WAN Manager.
This option requires Cisco SD-WAN Manager to be able to connect to the Cisco Plug and Play
(PnP) portal.
• Using the manual upload method, where you download the authorized serial number file of the
devices from the Cisco PnP portal and upload it to Cisco SD-WAN Manager.

In this section we will use the manual method in Cisco SD-WAN Manager to onboard a new
branch as Site-300.
The bootstrap method helps you onboard a factory-shipped WAN Edge device with the configuration
needed to securely join the Cisco Catalyst SD-WAN network.

Note: The Quick Connect workflow supports creating day-0 configurations for a maximum of 25 devices
at a time.
Quick Connect Workflow
1. From the Cisco SD-WAN Manager menu, choose Workflows.
2. From the Workflow Library, choose Quick Connect. On the pop-up window, click Get Started.

3. Go over the workflow steps on the Process Overview and click Next.
4. Choose Skip for now and click Next on the Import device serial numbers step.
5. On the Select devices to bring up step, select the Chassis Number (C8K-11E7C6ED-39EA-AABF-7829-5D02B848D302)
as shown in the screenshot below and click Next.

6. On the Add & Review Device Configuration step, fill out the fields as below, click Apply, then click
Next:
• Hostname: Site300-cE1
• System IP: 1.1.30.1
• Site: SITE_300 (type it in the search box and click Create New)

7. On the Tag devices step, choose East_Coast_BR1 >> click Apply 1 Tag and click Next.
8. Click Onboard on the Summary step.

This concludes the Quick Connect workflow. In the next step, we will create an appropriate Config Group
for the new branch device.
Config Group for Site-300
In this section we will create a new configuration group for Site 300 and attach it to the device we
onboarded using Quick Connect in the previous exercise.

1. From the Cisco SD-WAN Manager menu, choose Workflows. From the Workflow Library, choose
Create Configuration Group. On the pop-up window, click Let’s Do It.
2. On Step 1, enter the name as East_Coast_BR1 and the description as Branch with Internet
and MPLS connectivity, and click Next.
3. On the Site Configurations step, leave the Site Type as Single Router and click Site Settings. Fill
out the site settings as below:

Section         Field                 Global/Device Specific   Value
Site Settings   Local Device Access   Global                   C1sco12345
Site Settings   Message of the Day    Global                   Welcome to 20.12 Lab
Site Settings   Login                 Global                   Configuration pushed through Configuration Groups.

Local Device Access sets the local admin password that is pushed to every device using this
configuration group. In production, make it device-specific or rely on AAA rather than a shared
global value.

4. Under WAN Interfaces, delete the LTE link. Complete the following steps for both the MPLS and
Internet interfaces:
• Change the interface to static.
• Click Show Advanced.
• Update the values as per the tables below:

Field             Global/Device Specific   Value
Transport Name                             Regional_MPLS
Interface-Color   Global                   mpls
Interface name    Global                   GigabitEthernet2
IP Address        Device Specific          Regional_MPLS_IP
Subnet            Device Specific          Regional_MPLS_Mask

Field             Global/Device Specific   Value
Transport Name                             Regional_INET
Interface-Color   Global                   Public-internet
Interface name    Global                   GigabitEthernet1
IP Address        Device Specific          Regional_Internet_IP
Subnet            Device Specific          Regional_Internet_Mask

Note: Type the values rather than pasting them, as copy/paste may add extra spaces, which results in an error.
• Refer to the screenshot below to verify the WAN Interface config.

5. Under WAN Routing, click Add Routing >> Static IPv4 >> Click 1 Next Hop >> Click Add one more
time. Enter the values as per the table below and click Save:

Global/Device Specific   Value
Device Specific          Regional_mpls_next_hop
Device Specific          Regional_Internet_next_hop

6. Click Show Advanced >> Enter the values below:

Field             Global/Device Specific   Value
Network Address   Global                   0.0.0.0
Subnet Mask       Global                   0.0.0.0
7. Click LAN & Service VPN Profile and delete the first 2 segments. Complete the steps below for
the remaining two segments:

• Check Show Advanced
• Fill in the values as below:

Guest_Users:

Field                  Global/Device Specific   Value
Segment Name           Global                   Guest
VPN                    Global                   12
Number of Interfaces   Global                   1
Interface Name         Global                   GigabitEthernet4
Description            Global                   Guest
IP Address             Device Specific          vpn12_ip_address
Subnet                 Device Specific          vpn12_mask

Corporate_Users:

Field                  Global/Device Specific   Value
Segment Name           Global                   Corporate_Users
VPN                    Global                   10
Number of Interfaces   Global                   1
Interface Name         Global                   GigabitEthernet3
Description            Global                   Corporate
IP Address             Device Specific          vpn10_ip_address
Subnet                 Device Specific          vpn10_mask

8. Refer to the screenshot below to verify the LAN & Service VPN Profile config.

9. Click Next twice and go through the Summary to review the config group. Click Create Config
Group. This completes the Config Group creation.
10. On the pop-up window, choose Associate Devices.

11. Click Next on the Process Overview step. On the Choose Devices step select Site_300 and click
Next.

12. On the Summary screen, verify that the device's Chassis number matches the device we onboarded using
the Quick Connect workflow and click Save.

13. On the pop-up window, choose Provision Devices. Click Next on the Process Overview.

14. Verify East_Coast_BR1 is selected on the Site to Deploy step and click Next.

15. On the Add & Review Device Configuration step, click Unassigned.

16. We have created a CSV file to fill in all the blank fields. Click Import at the top right of
the screen. Select the Site300-cE1 file, click Open and click Next.

17. On the Summary screen, scroll right and verify all the fields have values. Click Deploy.

Note: This completes the config group creation and device attachment exercise. Since this is a virtual lab
environment not connected to a Cisco Smart Account, we must make a small update to the VPN 0
config: we manually add a host mapping for vBond pointing to the lab vBond.

Updating vBond Host Mapping for manual onboarding in Lab:

1. From the Cisco SD-WAN Manager menu, choose Configuration >> Configuration Groups.
2. Click the three dots on the far right for East_Coast_BR1 and choose Edit.
3. Click Transport & Management Profile, then click the three dots next to VPN0 and
choose Edit Feature.
4. On the VPN0 feature click the Host Mapping tab and click Add New Host Mapping.
5. On the pop-up window enter the hostname as “vbond-test-drive” and the IP as “10.2.1.6”. Click
Add >> Save.
6. Under East_Coast_BR1, choose Associated Devices, select Unassigned and click
Deploy.
7. On the next screen, click Unassigned >> Next >> Deploy.

This completes the workaround steps. In the next section we will onboard the branch device.
Site 300 - Onboarding C8000v

Overview

In this section, we will onboard a brand-new device at Site 300 and add it to the SD-WAN fabric using
the bootstrap file that is created after attaching the config group to Site-300.

Onboarding C8000v with bootstrap config file

Onboarding a new device to the fabric can be simplified by generating a bootstrap config file and
uploading it to the new device.

Note: While we will upload the file to flash using scp, in the field the file is usually put on a USB drive and
plugged into the cEdge. On bootup, a cEdge looks for the file on the USB port (if a bootable USB is connected)
and then in bootflash. The bootstrap config file allows the device to come up and establish control
connections. Treat the file as a secret: it carries the one-time token (OTP) and organization name that
authenticate the device to the validator, so remove it from the USB drive or bootflash once the device
has joined the fabric.

1. Navigate to Configuration => Devices. Scroll down and click the forward arrow to move to the
next screen. Find the C8000v attached to Site-300 in the list. Scroll to the far right and you will
notice that a template was assigned to this device and the status is Sync-Pending. Click the
three dots and choose Generate Bootstrap Configuration.

2. Select Cloud-Init on the pop-up window and click OK. On the next screen click Download and
save it as “ciscosdwan_cloud_init”. The file is saved in the Downloads folder. Close the pop-
up window.

3. Go to the Downloads folder and ensure the config file is present.

4. Open a new browser window and launch the POC-Tool. Navigate to Site 300. Right click on
Site300-cE1 and click Console.

5. The router is not in controller mode at present. The following commands have been configured to
enable the SCP server and reachability to it, and the Root Cert has been added on the Site300-cE1 router.
Go to the console session of Site300-cE1 on the POC Tool, enter privileged mode using the password C1sco12345
and verify that the commands below are part of the running config:

conf t
 ! SCP server so the bootstrap file can be copied onto bootflash
 ip scp server enable
 ! local account used only for the copy; lab-only credential
 username admin privilege 15 password admin
 line vty 0 4
  login local
 exit
 interface GigabitEthernet8
  no shutdown
  ip address 192.168.1.9 255.255.255.0
 exit
 ip route 0.0.0.0 0.0.0.0 192.168.1.1
end

The admin/admin account and the open SCP server are lab conveniences for this one copy; do not
reuse them on production devices.

6. Launch the Windows command prompt from the taskbar. As the bootstrap file was saved in the
Downloads folder, first change to that folder by entering “cd Downloads”, as shown in
the screenshot below.

7. Once the path reads C:\Users\admin\Downloads>, enter the following command to copy the
file to the router flash and hit Enter:

scp -P 19023 ciscosdwan_cloud_init.cfg admin@198.18.133.200:ciscosdwan_cloud_init.cfg

8. Type “yes” at the fingerprint prompt and enter the password “admin”. The file is uploaded to the
router.

9. Go back to the Site300-cE1 router console session on the POC Tool and change the mode to SD-WAN
by entering the “controller-mode enable” command in privileged mode; hit Enter twice.

The router will now reboot and connect to the SD-WAN fabric when it comes back online. We can confirm by
going to vManage dashboard => Monitor => Devices. The Site 300 device should be listed and reachable.

This completes onboarding of a new WAN Edge into the fabric.
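Before the scp in step 7 it is worth confirming that the downloaded file really is the bootstrap for the chassis selected in Quick Connect and points at the validator this fabric uses; a file for the wrong device, or one missing its trusted CA, will reboot the router into controller mode and leave it unable to form control connections. The script below is an added example, not part of the lab guide or of any Cisco tool. The file layout it parses is assumed: a cloud-config part holding a “vinitparam:” list of “key : value” items (uuid, otp, vbond, org, rcc) followed by a “ca-certs:” block. SAMPLE_BOOTSTRAP is constructed, with a fake OTP and a fake certificate body.

```python
"""Pre-flight check of a vManage-generated cloud-init bootstrap file.

Added example, not part of the lab guide or of any Cisco tool. The layout
parsed here (a 'vinitparam:' list of 'key : value' items followed by a
'ca-certs:' block) is assumed; SAMPLE_BOOTSTRAP is constructed, with a fake
OTP and a fake certificate body.
"""
import re

SAMPLE_BOOTSTRAP = """\
Content-Type: multipart/mixed; boundary="==BOUNDARY=="
MIME-Version: 1.0

--==BOUNDARY==
Content-Type: text/cloud-config; charset="us-ascii"
#cloud-config
vinitparam:
 - uuid : C8K-11E7C6ED-39EA-AABF-7829-5D02B848D302
 - otp : 0123456789abcdef0123456789abcdef
 - vbond : vbond-test-drive
 - org : lab-org
 - rcc : true
ca-certs:
  remove-defaults: false
  trusted:
  - |
    -----BEGIN CERTIFICATE-----
    MIIBfakeconstructedcertificatebody
    -----END CERTIFICATE-----
--==BOUNDARY==
Content-Type: text/cloud-boothook; charset="us-ascii"
#cloud-boothook
--==BOUNDARY==--
"""

PARAM_RE = re.compile(r"^\s*-\s*(\w+)\s*:\s*(.*?)\s*$")


def parse_bootstrap(text):
    """Return the vinitparam items as a dict plus the number of trusted CA certs."""
    params, in_params = {}, False
    for line in text.splitlines():
        if line.strip() == "vinitparam:":
            in_params = True
            continue
        if in_params and not line.startswith(" "):
            in_params = False            # an unindented key ends the list
        m = PARAM_RE.match(line) if in_params else None
        if m:
            params[m.group(1)] = m.group(2)
    params["ca_certs"] = text.count("-----BEGIN CERTIFICATE-----")
    return params


def check_bootstrap(text, expected_uuid, expected_vbond):
    """Findings that should stop you copying the file to the router; [] means go."""
    p = parse_bootstrap(text)
    findings = [f"missing {k}" for k in ("uuid", "otp", "vbond", "org") if not p.get(k)]
    if p.get("uuid") and p["uuid"] != expected_uuid:
        findings.append(f"uuid {p['uuid']} is not the chassis selected in Quick Connect")
    if p.get("vbond") and p["vbond"] != expected_vbond:
        findings.append(f"vbond {p['vbond']} is not the validator this fabric uses")
    if p["ca_certs"] == 0:
        findings.append("no trusted CA certificate: the device cannot validate the controllers")
    return findings


def redacted(params):
    """Copy of the parsed values that is safe to paste into a ticket or log: OTP masked."""
    return {k: ("<redacted>" if k == "otp" else v) for k, v in params.items()}


if __name__ == "__main__":
    chassis = "C8K-11E7C6ED-39EA-AABF-7829-5D02B848D302"
    print(redacted(parse_bootstrap(SAMPLE_BOOTSTRAP)))
    print(check_bootstrap(SAMPLE_BOOTSTRAP, chassis, "vbond-test-drive") or "OK to upload")
```

Run it against the real ciscosdwan_cloud_init.cfg by reading the file into check_bootstrap with the chassis number from Quick Connect and the validator value shown under Administration > Settings; print only the redacted dictionary, never the raw file, since the OTP is what lets a device claim that chassis identity.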

UX 2.0 Control Policies (Topology)

Overview
By default, when SD-WAN devices are onboarded into the overlay they build data plane tunnels in
a full-mesh fashion with all other devices, using all colors.

• Since the overlay is flat, a full mesh of tunnels does not scale beyond a certain threshold.

• It is difficult to bring in transports from disjoint providers for the underlay.

• This is particularly relevant when trying to leverage a middle-mile provider or a cloud backbone
provider's network for inter-region traffic.

• Large enterprises and managed service providers (MSPs) require the SD-WAN to span multiple
regions.

In this exercise we will create a Regional Hub architecture to overcome the above-mentioned limitations
by using the Control Policies UX 2.0 workflow.

• We will create hubs in the East Coast (SITE_100) and West Coast (SITE_200) regions, while
SITE_300 and SITE_400 will be East Coast branches and SITE_500 will be a West Coast branch.

• We will prevent the routers from building tunnels directly between East Coast branches and West Coast
branches.

• For West Coast spoke sites to reach East Coast spokes, the traffic will go via the West
Coast hub to the East Coast hub. Direct connectivity between the spokes will be restricted.

Creating the Policy

1. Go to Configuration >> Policy Groups.
2. Click Group of Interest >>

3. Click TLOC List >> Add TLOC List >> Enter the List Name as “East_Coast_HUB_TLOC”, click the
Add icon 3 times, enter the values as per the table below and click Save:

TLOC IP    Color             Encapsulation
1.1.10.1   Public-internet   IPSEC
1.1.10.1   mpls              IPSEC
1.1.10.2   Public-internet   IPSEC
1.1.10.2   mpls              IPSEC

4. Click TLOC List >> Add TLOC List >> Enter the List Name as “West_Coast_HUB_TLOC”, click the
Add icon 3 times, enter the values as per the table below and click Save:

TLOC IP    Color             Encapsulation
1.1.20.1   Public-internet   IPSEC
1.1.20.1   mpls              IPSEC
1.1.20.2   Public-internet   IPSEC
1.1.20.2   mpls              IPSEC

5. Click TLOC List >> Add TLOC List >> Enter the List Name as “East_Coast_Premium_TLOCS”, click the
Add icon 3 times, enter the values as per the table below and click Save:

TLOC IP    Color    Encapsulation
1.1.10.1   Gold     IPSEC
1.1.10.1   Silver   IPSEC
1.1.10.2   Gold     IPSEC
1.1.10.2   Silver   IPSEC

6. Click TLOC List >> Add TLOC List >> Enter the List Name as “West_Coast_Premium_TLOCS”, click the
Add icon 3 times, enter the values as per the table below and click Save:

TLOC IP    Color    Encapsulation
1.1.20.1   Gold     IPSEC
1.1.20.1   Silver   IPSEC
1.1.20.2   Gold     IPSEC
1.1.20.2   Silver   IPSEC

Note: Due to a UI issue we are not creating the Group of Interest from the Topology view.

7. Go to Configuration >> Topology.

8. Click Create Topology.

9. Enter the Topology Name HSD-WAN and the Description Hierarchical SD-WAN >> Click Create.
10. Click Add Topology >> Hub and Spoke.

11. Enter the Name “EAST-COAST-HUB-CP” and select the VPNs “IOT_Devices, Guest, Corporate_Users”
under VPN >> Click Customize Topology >> Click OK.

12. Select the outbound site as Site_100 and click Add Rules >> Expand Sequence 1.

13. Enter the Name “Allow TLOCs from East_Coast_Spokes and West_Coast_Hub”, Type as “TLOC”.
Click Match and select Site.

14. Select Sites 200, 300 and 400.

15. Click Accept >> Save Match and Actions >> Click Save.

16. Click Add Rule >> Name it “allow all prefixes from East_Coast” >> Click Match and select Site >>
Select Sites 400, 300.

17. Click Accept >> Save Match and Actions >> Save.

18. Click Add Rule >> Name it “rewrite next hop for west_coast sites to east_coast_hubs” >> Click
Match and select Site >> Select Sites 500, 200.

19. Click Accept >> Click Action >> Select TLOC.

20. Select West_Coast_Premium_TLOCS >> Click Save Match and Actions >> Save.

21. Click Add Topology >> Hub and Spoke.

22. Enter the Name “EAST_COAST_BRANCH_SITES” and select the VPNs “IOT_Devices, Guest,
Corporate_Users” under VPN >> Click Customize Topology >> Click OK.

23. Select the outbound sites as Site_400, Site_300 and click Add Rules >> Expand Sequence 1.

24. Enter the Name “Allow TLOCs from East_Coast_Sites”, Type as “TLOC”. Click Match and select Site.

25. Select Sites 100, 300 and 400.

26. Click Accept >> Save Match and Actions >> Save.

27. Expand EAST_COAST_BRANCH_SITES >> Click Add Rules >> Name it “allow all prefixes from
East_Coast” >> Click Match and select Site >> Select Sites 400, 300.

28. Click Accept >> Save Match and Actions >> Save.

29. Expand EAST_COAST_BRANCH_SITES >> Click Add Rule >> Name it “rewrite next hop for
west_coast sites to east_coast_hubs” >> Click Match and select Site >> Select Sites 500, 200.

30. Click Accept >> Click Action >> Select TLOC >> Select East_Coast_HUB_TLOC >> Click Save Match
and Actions >> Save.

31. Click Add Topology >> Hub and Spoke.

32. Enter the Name “WEST-COAST-HUB-CP” and select the VPNs “IOT_Devices, Guest,
Corporate_Users” under VPN >> Click Customize Topology >> Click OK.

33. Select the outbound site as Site_200 and click Add Rules >> Expand Sequence 1.

34. Enter the Name “Allow TLOCs from west_Coast_Spokes and East_Coast_Hub”, Type as “TLOC”.
Click Match and select Site.

35. Select Sites 100, 500.

36. Click Accept >> Save Match and Actions >> Click Save.

37. Expand WEST-COAST-HUB-CP >> Click Add Rule >> Name it “allow all prefixes from
West_Coast” >> Click Match and select Site >> Select Site 500.

38. Click Accept >> Save Match and Actions >> Save.

39. Click Add Rule >> Name it “rewrite next hop for east_coast sites to west_coast_hubs” >> Click
Match and select Site >> Select Sites 100, 400 and 300.

40. Click Accept >> Click Action >> Select TLOC.

41. Select East_Coast_Premium_TLOCS >> Click Save Match and Actions >> Save.

42. Click Add Topology >> Hub and Spoke.

43. Enter the Name “WEST_COAST_BRANCH_SITES” and select the VPNs “IOT_Devices, Guest,
Corporate_Users” under VPN >> Click Customize Topology >> Click OK.

44. Select the outbound site as Site_500 and click Add Rules >> Expand Sequence 1.

45. Enter the Name “Allow TLOCs from West_Coast_Sites”, Type as “TLOC”. Click Match and select Site.

46. Select Sites 200, 500.

47. Click Accept >> Save Match and Actions >> Save.

48. Expand WEST_COAST_BRANCH_SITES >> Click Add Rules >> Name it “allow all prefixes from
West_Coast” >> Click Match and select Site >> Select Sites 200, 500.

49. Click Accept >> Save Match and Actions >> Save.

50. Expand WEST_COAST_BRANCH_SITES >> Click Add Rule >> Name it “rewrite next hop for
east_coast sites to west_coast_hubs” >> Click Match and select Site >> Select Sites 100, 300 and
400.

51. Click Accept >> Click Action >> Select TLOC >> Select West_Coast_HUB_TLOC >> Click Save
Match and Actions >> Save.
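Fifty-one clicks produce four ordered rule sets whose combined effect is hard to see in the UI, and the Simulate Flows check that follows only tests one source and destination. The model below is an added example, not part of the lab guide or of any Cisco tool. It replays the four topologies from steps 10-51 as ordered sequences applied outbound from the controller to each site, with classic control-policy semantics assumed: first match wins, a route sequence with a TLOC action rewrites the next hop to every TLOC in the list, and an advertisement that matches no sequence is rejected. The TLOC lists and the hub and Site 300 system IPs come from the lab tables; the Site 400/500 system IPs, the colors each site owns and the LAN prefixes are assumed for the example. The unresolvable() check is the one to care about: a route whose rewritten next hop is a TLOC the receiving site was never allowed to learn is installed nowhere, and traffic to it blackholes exactly as in the pre-activation simulation.

```python
"""Offline model of the four hub-and-spoke topologies built in steps 10-51.

Added example, not part of the lab guide or of any Cisco tool. Classic
control-policy semantics are assumed: first match wins, 'set tloc' rewrites
the next hop, no match means reject. Site 400/500 system IPs, per-site colors
and LAN prefixes are assumed; TLOC lists come from the Group of Interest steps.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Tloc:
    system_ip: str
    color: str
    encap: str = "ipsec"


@dataclass(frozen=True)
class Route:
    prefix: str
    site: int      # originating site-id
    tloc: Tloc     # next-hop TLOC attribute carried in the OMP route


def tloc_list(ips, colors):
    return frozenset(Tloc(ip, c) for ip in ips for c in colors)


# TLOC lists as created under Group of Interest (steps 3-6)
EAST_HUB = tloc_list(("1.1.10.1", "1.1.10.2"), ("public-internet", "mpls"))
WEST_HUB = tloc_list(("1.1.20.1", "1.1.20.2"), ("public-internet", "mpls"))
EAST_PREMIUM = tloc_list(("1.1.10.1", "1.1.10.2"), ("gold", "silver"))
WEST_PREMIUM = tloc_list(("1.1.20.1", "1.1.20.2"), ("gold", "silver"))

# Outbound sequences per destination site: (kind, originating sites, set-tloc list or None)
EAST_BRANCH = [("tloc", {100, 300, 400}, None), ("route", {300, 400}, None), ("route", {200, 500}, EAST_HUB)]
WEST_BRANCH = [("tloc", {200, 500}, None), ("route", {200, 500}, None), ("route", {100, 300, 400}, WEST_HUB)]
POLICIES = {
    100: [("tloc", {200, 300, 400}, None), ("route", {300, 400}, None), ("route", {200, 500}, WEST_PREMIUM)],
    200: [("tloc", {100, 500}, None), ("route", {500}, None), ("route", {100, 300, 400}, EAST_PREMIUM)],
    300: EAST_BRANCH, 400: EAST_BRANCH, 500: WEST_BRANCH,
}
REJECT = object()   # sentinel for "fell through to default-action reject"


def first_match(seqs, kind, origin):
    """Walk the sequences in order; return the set-tloc list (None = accept as-is) or REJECT."""
    for k, sites, set_tlocs in seqs:
        if k == kind and origin in sites:
            return set_tlocs
    return REJECT


# Constructed OMP state: every router advertises one TLOC per color it owns.
SYSTEM_IPS = {100: ("1.1.10.1", "1.1.10.2"), 200: ("1.1.20.1", "1.1.20.2"),
              300: ("1.1.30.1",), 400: ("1.1.40.1",), 500: ("1.1.50.1", "1.1.50.2")}
COLORS = {100: ("public-internet", "mpls", "gold", "silver"), 200: ("public-internet", "mpls", "gold", "silver"),
          300: ("public-internet", "mpls"), 400: ("public-internet", "mpls"), 500: ("public-internet", "mpls")}
TLOC_ADVERTS = [(site, Tloc(ip, c)) for site, ips in SYSTEM_IPS.items() for ip in ips for c in COLORS[site]]
ROUTES = [Route("10.30.1.0/24", 300, Tloc("1.1.30.1", "mpls")),
          Route("10.40.1.0/24", 400, Tloc("1.1.40.1", "mpls")),
          Route("10.50.1.0/24", 500, Tloc("1.1.50.1", "public-internet"))]


def evaluate(site, tloc_adverts=TLOC_ADVERTS, routes=ROUTES):
    """(TLOCs, routes) the controller sends to `site` after its outbound topology."""
    seqs = POLICIES[site]
    tlocs = {t for origin, t in tloc_adverts if first_match(seqs, "tloc", origin) is not REJECT}
    out = []
    for r in routes:
        res = first_match(seqs, "route", r.site)
        if res is REJECT:
            continue
        if res is None:
            out.append(r)
        else:   # 'set tloc-list': one copy of the route per TLOC in the list
            out.extend(replace(r, tloc=t) for t in sorted(res, key=lambda t: (t.system_ip, t.color)))
    return tlocs, out


def unresolvable(site):
    """Routes whose next hop is a TLOC the site never received: traffic to them blackholes."""
    tlocs, routes = evaluate(site)
    return [r for r in routes if r.tloc not in tlocs]


if __name__ == "__main__":
    for site in (400, 500):
        tlocs, routes = evaluate(site)
        print(f"site {site}: {len(tlocs)} TLOCs accepted")
        for r in routes:
            print(f"  {r.prefix:14} via {r.tloc.system_ip}/{r.tloc.color}")
        print("  unresolvable:", unresolvable(site))
```

Running it shows Site 400 receiving no TLOC from Site 200 or Site 500 at all, and 10.50.1.0/24 only with the four East_Coast_HUB_TLOC next hops; that is the hierarchical path the traceroute in the next section confirms. If you edit a sequence (for instance drop the hub from a branch's TLOC rule) unresolvable() immediately lists the prefixes that would blackhole, which is cheaper to learn here than after Activate.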

Activity Verification
1. Go to Monitor >> Devices >> Click Site400-cE1 >> Troubleshooting.

2. Click Simulate Flows.

3. Enter the following:

• VPN: 10
• Source Interface: GigabitEthernet3 – ipv4 – 10.40.1.1
• Destination IP: 10.50.1.1

4. Click Simulate. The traffic blackholes: there is no connectivity
between the East Coast and West Coast sites.

5. Go to Configuration >> Topology >> Click 3 dots in front of HSD-WAN >> Click Activate.

6. Click Deploy.

7. Go to Monitor >> Devices >> Click Site400-cE1 >> Troubleshooting.

8. Click Simulate Flows.

9. Enter the following:

• VPN: 10
• Source Interface: GigabitEthernet3 – ipv4 – 10.40.1.1
• Destination IP: 10.50.1.1

10. Click Simulate. The traffic now passes through the East Coast hubs.

11. Click Troubleshooting >> Traceroute.

12. Enter the following:
• VPN: 10
• Source Interface: GigabitEthernet3 – ipv4 – 10.40.1.1
• Destination IP: 10.50.1.1

Click Start.

13. You can see that the traffic passes through the East Coast hubs to the West Coast hubs in
order to reach the West Coast sites from the East Coast.
Multi Region fabric

Overview

Multi-Region Fabric provides the ability to divide the architecture of the Cisco Catalyst SD-WAN overlay
network into multiple regional networks that operate distinctly from one another, and a central core-
region network for managing inter-regional traffic.
The hierarchical architecture enables you to use different traffic transport service providers for each
region, and for the central core-region network, to optimize cost and traffic performance. It also
simplifies traffic configuration for some scenarios, and provides a robust, adaptive topology that can
help prevent routing failures in specific network scenarios.

Configuring a hierarchical architecture using policies is not an easy task, and MRF significantly reduces
the administrative tasks in building the architecture and opens doors for other features such as
Transport gateway, Router Affinity which greatly reduces complexity in large networks.

In this exercise we will:


• Migrate the hierarchical SDWAN created using policies to hierarchical SDWAN using MRF.
• Demonstrate feature Transport gateway and Router Affinity.
• Demonstrate the Ease of configuring hierarchical networks with MRF.

Configure MRF Border Devices

1. Console to Site300-Ubuntu-VPN10, by selecting Site 300 on the POC Tool and clicking the VM
and selecting Console. Password :viptela

2. Open terminal by clicking the terminal Icon

101
3. Run pings to 100.110.50.2 “ping 100.110.50.2 ” and keep them running.

2. Go to Administration > Settings and enableMulti-Region Fabric setting (By default is disabled)
and click save.

3. Create the Regions to be used in the new MRF topology. Go to Configuration > Network
Hierarchy; all the sites in the lab and the Core Region are already populated in the left-hand
pane.

Click the 3 dots under Global >> Add node >> select Region.

4. Name the Region REGION-East_Coast and click Add (make sure that Global is the parent
region).

5. Click the 3 dots under Global >> Add node >> select Region >> name the Region
REGION-West_Coast and click Add (make sure that Global is the parent region).

6. Configure the vSmart controllers as follows:

Go to Configuration > Templates > Feature Templates, look up the vsmart_MRF_system feature
template, click the three dots on the right-hand side and click Edit.

Edit the new Region ID List field (it appears once MRF is enabled in the vManage/Manager
settings), make it a Device Specific field named system_region-id-list and click Update.

Update the vSmarts as per the information below:

• vSmart-1 as the dedicated vSmart/Controller for REGION-East_Coast.
• vSmart-2 as the dedicated vSmart/Controller for REGION-West_Coast.
• vSmart-3 as the dedicated vSmart/Controller for the Core Region.

Click Next >> Configure Devices >> OK.

Note: vSmart-4 stays a flat vSmart with no region assigned, so it needs no change; it has its own
template named vSMART-Non-MRF. This is the most important vSmart for migrating from Hierarchical
SD-WAN to MRF without disruption, because it keeps serving all devices regardless of their region
until every site has been moved.

7. Go to Monitor > Devices > Site200_cE1 > Real Time, look up OMP Peers in the search bar and
click "Do not Filter".

The device only has OMP sessions to vSmart-4 (1.1.1.12), which acts as a flat vSmart not
associated with any region.

Note: if you do not see this output, issue the command "clear sdwan control connections" on the
router via the console (see "Accessing the device via console" for how to console to a device).
The transition takes some time.

8. Go to Configuration > Configuration Groups > click the 3 dots in front of East_Coast_DC >> Edit.

9. Expand System Profile >> Add Feature >> Multi Region Fabric.

10. Enter the following information as per the table below:

Field            Global/Device Specific   Value
Name                                      Site100-MRF
Region ID        Global                   1
Role             Global                   Border-router
Migration Mode   Global                   enabled

Click Save on both devices.

11. Deploy the configuration by clicking Associated Devices >> select SITE_100 >> Deploy.

12. Select SITE_100 >> click Next >> click CLI Preview.

13. Select SITE_100; the newly added configuration can be seen.

Click the X icon and Deploy.

14. Go to Monitor > Devices > Site100-cE1 > Real Time, look up OMP Peers in the search bar and
click "Do not Filter".

The device now has OMP sessions to vSmart-1 (1.1.1.3), which owns Region 1, to vSmart-3
(1.1.1.10), which owns the Core Region 0, and to the flat vSmart-4 (1.1.1.12) used during the
migration.

15. Go to Configuration >> Configuration Groups >> click the 3 dots in front of East_Coast_DC >>
Edit.

16. Expand Transport & Management Profile >> click the 3 dots in front of Premium_INET_1 >> Edit
Feature.

17. Click Tunnel >> enable Border >> Save.

18. Click the 3 dots in front of Premium_INET_2 >> Edit Feature.

19. Click Tunnel >> enable Border >> Save.

20. Click Start Configuration under CLI Profile.

21. Name it MRF_Core, enter the commands below and click Save.

sdwan
 interface GigabitEthernet5
  tunnel-interface
   region core
 interface GigabitEthernet6
  tunnel-interface
   region core

Click Save on both devices.

22. Deploy the configuration by going to Associated Devices >> click SITE_100 >> Deploy.

23. Click SITE_100 >> Next >> click CLI Preview.

24. Select SITE_100; the newly added configuration can be seen.

Click the X icon and Deploy. Check the deployment status by clicking "View Deployment Status".

25. Go to Configuration > Configuration Groups > click the 3 dots in front of West_Coast_DC >> Edit.

26. Expand System Profile >> Add Feature >> Multi Region Fabric.

27. Enter the following information as per the table below:

Field            Global/Device Specific   Value
Name                                      Site200-MRF
Region ID        Global                   2
Role             Global                   Border-router
Migration Mode   Global                   enabled

Click Save on both devices.

28. Deploy the configuration by going to Associated Devices >> click SITE_200 >> Deploy.

29. Click SITE_200 >> Next >> click CLI Preview.

30. Select SITE_200; the newly added configuration can be seen.

Click the X icon and Deploy. Check the deployment status by clicking "View Deployment Status".

31. Go to Monitor > Devices > Site200-cE1 > Real Time, look up OMP Peers in the search bar and
click "Do not Filter".

The device now has OMP sessions to vSmart-2 (1.1.1.4), which owns Region 2, to vSmart-3
(1.1.1.10), which owns the Core Region 0, and to the flat vSmart-4 (1.1.1.12) used during the
migration.

32. Go to Configuration >> Configuration Groups >> click the 3 dots in front of West_Coast_DC >>
Edit.

33. Expand Transport & Management Profile >> click the 3 dots in front of Premium_INET_1 >> Edit
Feature.

34. Click Tunnel >> enable Border >> Save.

35. Click the 3 dots in front of Premium_INET_2 >> Edit Feature.

36. Click Tunnel >> enable Border >> Save.

37. Click Start Configuration under CLI Profile.

38. Name it MRF_Core_West, enter the commands below and click Save.

sdwan
 interface GigabitEthernet3
  tunnel-interface
   region core
 interface GigabitEthernet4
  tunnel-interface
   region core

Click Save on both devices.

39. Deploy the configuration by going to Associated Devices >> select SITE_200 >> Deploy.

40. Select SITE_200 >> Next >> click CLI Preview.

41. Select SITE_200; the newly added configuration can be seen.

Click the X icon and Deploy. Check the deployment status with "View Deployment Status".

42. To confirm that the Region 0 (core) fabric is now operational, go to Monitor > Devices >
Site100_cE1 > Tunnel. You should see two tunnels for each of the Gold and Silver colors.

Configure MRF Edge Devices – East_Coast_Region
1. Go to Configuration > Configuration Groups > click the 3 dots in front of East_Coast_BR2 >> Edit.

2. Expand System Profile >> Add Feature >> Multi Region Fabric.

3. Enter the following information as per the table below:

Field            Global/Device Specific   Value
Name                                      Site400-MRF
Region ID        Global                   1
Role             Global                   edge-router
Migration Mode   Global                   enabled

Click Save.

4. Deploy the configuration by going to Associated Devices >> select SITE_400 >> Deploy.

5. Select SITE_400 >> Next >> click CLI Preview.

6. Select SITE_400; the newly added configuration can be seen.

Click the X icon and Deploy.

7. Go to Configuration > Configuration Groups > click the 3 dots in front of East_Coast_BR1 >> Edit.

8. Expand System Profile >> Add Feature >> Multi Region Fabric.

9. Enter the following information as per the table below:

Field            Global/Device Specific   Value
Name                                      Site300-MRF
Region ID        Global                   1
Role             Global                   edge-router
Migration Mode   Global                   enabled

Click Save on both devices.

10. Deploy the configuration by going to Associated Devices >> select SITE_300 >> Deploy.

11. Select SITE_300 >> Next >> click CLI Preview.

12. Select SITE_300; the newly added configuration can be seen.

Click the X icon and Deploy.

Configure MRF Edge Devices – West_Coast_Region

1. Go to Configuration > Configuration Groups > click the 3 dots in front of
West_Coast_BR1_Tloc_Ext >> Edit.

2. Expand System Profile >> Add Feature >> Multi Region Fabric.

3. Enter the following information as per the table below:

Field            Global/Device Specific   Value
Name                                      Site500-MRF
Region ID        Global                   2
Role             Global                   edge-router
Migration Mode   Global                   enabled

Click Save on both devices.

4. Deploy the configuration by going to Associated Devices >> select SITE_500 >> Deploy.

5. Select SITE_500 >> Next >> click CLI Preview.

6. Select SITE_500; the newly added configuration can be seen.

Click the X icon and Deploy.

Activity Verification
At this point the Multi-Region Fabric has been created with migration mode enabled, which is what
makes the migration seamless. Let's review.

1. Go to Tools >> SSH Terminal.

2. Click Site300-cE1 >> enter user admin, password C1sco12345.

3. Check the output of "show sdwan omp routes 100.110.50.2/32".

4. Console to Site300-Ubuntu-VPN10 by selecting Site 300 on the POC Tool, clicking the VM and
selecting Console.

5. Check that the ping started at the beginning of the exercise is still running.

This proves that the migration from Hierarchical SD-WAN to MRF was seamless.

6. Now deactivate the centralized policy HSD-WAN_POLICY: in vManage go to Configuration >
Topology > HSD-WAN, click the 3 dots and click Deactivate.

7. Click Deploy >> click View Deployment Status >> ensure it is Success.

8. Go to Tools >> SSH Terminal.

9. Click Site300-cE1 >> enter user admin, password C1sco12345.

10. With the control policy deactivated, the device now receives its OMP prefixes from vSmart-1
(1.1.1.3), which owns Region 1. The output also shows the Region Path that traffic must traverse
to reach those prefixes, 1 0 2 (access region 1, core region 0, access region 2).

Transport Gateway
Various devices assigned to the same access region may operate in networks that lack direct
connectivity—so-called disjoint networks. If there is an edge router or a border router that operates in
the same access region, and has connections to the two disjoint networks, you can configure that router
to function as a transport gateway. As a transport gateway, the router provides connectivity to the edge
routers in the disjoint networks.

Without transport gateway functionality, one method for enabling traffic between devices that lack
direct connectivity is to create a control policy that routes traffic between the devices in disjoint
networks using an intermediate device that has connectivity to both networks and configuring specific
routes.

There are problems with this approach:

• Complexity: Configuring a control policy to advertise prefixes is complicated.

• Potential traffic black hole: The control policy cannot detect whether a device or a configured
route is unavailable. This can lead to packet loss if a route becomes unavailable.

When a router is configured to function as a transport gateway, it does the following for each route
between devices within its primary region.

1. Installs each route that it learns from the Cisco SD-WAN Controllers for the access region.
2. Re-originates each route that it learns from the Cisco SD-WAN Controllers, substituting its
own TLOCs as the next hop for the routes. This means that it substitutes its TLOCs as the next
hop for each route and advertises the route to the Cisco SD-WAN Controllers for its region.

Note that this process does not re-originate primary region routes into the core region, or core region
routes into an access region.

The effect of configuring a router as a transport gateway is that it can provide routes for all intra-region
traffic. A device in the network uses the transport gateway route only if it lacks a direct route to the
destination.

In this task we will create a discontinuous data plane between Site 300 and 400 by shutting down the
MPLS Interface in Site300 and then use the Transport Gateway Feature to fix the discontinuous data
plane.
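To make the transport-gateway logic above concrete, here is an added model written for this guide
(it is not Cisco code and not part of the original lab). It reproduces the outcome of the task that
follows: Site 300 loses its MPLS TLOC, the direct route to 100.110.40.1/32 becomes invalid, and
re-origination by the Site 100 hubs resolves it again. Site IDs, colors and the prefix follow the
lab; the data structures, the function names and the assumption that Site 400 advertises an MPLS
TLOC only are the example's own.

```python
"""Added example (not part of the lab guide or Cisco software): a small model of
how a transport gateway repairs a discontinuous data plane.  Site IDs, colors
and the 100.110.40.1/32 prefix follow the lab; the data structures, function
names and the assumption that Site 400 advertises an MPLS TLOC only are this
example's own."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tloc:
    site: int
    color: str


@dataclass(frozen=True)
class OmpRoute:
    prefix: str
    origin_site: int
    next_hops: tuple           # TLOCs advertised as next hop for this prefix
    via_gateway: bool = False  # True when re-originated by a transport gateway


def reoriginate(routes, gateway_site, gateway_tlocs, gateway_bfd_up):
    """Transport-gateway behaviour inside one access region: every route the
    gateway learns from the region controller, and can itself resolve, is
    advertised again with the gateway's own TLOCs as next hop.  The original
    routes stay in the table, so a direct path still wins when it is valid."""
    extra = []
    for r in routes:
        if r.origin_site == gateway_site:
            continue                        # never re-originate our own routes
        if not any(t in gateway_bfd_up for t in r.next_hops):
            continue                        # gateway cannot reach it either: no black hole
        extra.append(OmpRoute(r.prefix, r.origin_site, tuple(gateway_tlocs), via_gateway=True))
    return list(routes) + extra


def route_status(route, local_bfd_up):
    """Emulate the C,I,R flags of 'show sdwan omp routes': a route is Chosen,
    Installed and Resolved only if at least one of its next-hop TLOCs has a BFD
    session up from this router; otherwise it is Invalid."""
    return "C,I,R" if any(t in local_bfd_up for t in route.next_hops) else "Inv"


def lookup(prefix, routes, local_bfd_up):
    """Resolve a prefix the way an edge does: use the direct route when it
    resolves, use a transport-gateway route only when no direct route does."""
    direct = [r for r in routes if r.prefix == prefix and not r.via_gateway]
    gateway = [r for r in routes if r.prefix == prefix and r.via_gateway]
    if any(route_status(r, local_bfd_up) == "C,I,R" for r in direct):
        return ("C,I,R", "direct")
    if any(route_status(r, local_bfd_up) == "C,I,R" for r in gateway):
        return ("C,I,R", "transport-gateway")
    return ("Inv", None)


# Constructed lab scenario: Site 300 looking up Site 400's loopback.
HUB_TLOCS = (Tloc(100, "mpls"), Tloc(100, "public-internet"))
SITE400_TLOCS = (Tloc(400, "mpls"),)       # assumption: Site 400 is reachable over MPLS only


def site300_lookup(site300_mpls_up, transport_gateway):
    """Status of 100.110.40.1/32 on Site300-cE1 for a given MPLS state and
    transport-gateway setting on the Site 100 hubs."""
    routes = [OmpRoute("100.110.40.1/32", 400, SITE400_TLOCS)]
    if transport_gateway:
        # the hubs keep their MPLS BFD session to Site 400, so they can re-originate it
        routes = reoriginate(routes, 100, HUB_TLOCS, gateway_bfd_up={Tloc(400, "mpls")})
    bfd_up = {Tloc(100, "public-internet")}  # Site 300's Internet tunnel to the hubs
    if site300_mpls_up:
        bfd_up |= {Tloc(100, "mpls"), Tloc(400, "mpls")}
    return lookup("100.110.40.1/32", routes, bfd_up)


if __name__ == "__main__":
    for mpls_up, tg in ((True, False), (False, False), (False, True), (True, True)):
        print(f"Site300 MPLS up={mpls_up!s:5} transport gateway={tg!s:5} ->",
              site300_lookup(mpls_up, tg))
```

The check in reoriginate that the gateway itself can reach the original next hop is what
distinguishes this from the control-policy approach criticised above: a gateway that has lost its
own path to a site does not advertise a route it cannot honour, so there is no black hole. Compare
the output of site300_lookup with the Invalid and C,I,R statuses observed in steps 7 and 14 of the
task.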

1. Go to Configuration >> Configuration Groups >> East_Coast_BR1 >> click the 3 dots >> Edit.

2. Expand Transport & Management Profile >> edit Regional_MPLS.

3. Enable Shutdown >> Save.

4. Go to Workflows >> Deploy Configuration Groups >> Next >> select East_Coast_BR1 >> Next.

5. Select Site_300 >> Next >> Next >> Deploy.

The MPLS interface on Site 300 is now shut, creating a discontinuous data plane.

6. Console to Site300-cE1 by right-clicking the device >> Console.

7. Issue the command "show sdwan omp routes vpn 10 100.110.40.1/32". The route status shows
Invalid for Site 400 because its TLOCs are not reachable over the discontinuous data plane.

8. Configure the East Coast hubs (Site 100) as transport gateways: go to Configuration >
Configuration Groups >> East_Coast_DC >> click Edit.

9. Expand System Profile >> edit the Basic feature parcel.

10. Enable Transport Gateway >> Save on both devices.

11. Go to Associated Devices >> click SITE_100 >> Deploy.

12. Select Site_100 >> Next >> Deploy. Click View Deployment Status >> ensure it is Success.

13. Console to Site300-cE1 by right-clicking the device >> Console.

14. Issue the command "show sdwan omp routes vpn 10 100.110.40.1/32". The route status for Site 400
now shows C,I,R because the TLOCs are reachable through Site 100 acting as transport gateway.

15. The ping to 100.110.40.1 starts working.

Now bring the MPLS interface on Site 300 back up and disable Transport Gateway on Site 100.

16. Go to Configuration > Configuration Groups >> East_Coast_DC >> click Edit.

17. Expand System Profile >> edit the Basic feature parcel.

18. Disable Transport Gateway >> Save on both devices.

19. Go to Configuration >> Configuration Groups >> East_Coast_BR1 >> click the 3 dots >> Edit.

20. Expand Transport & Management Profile >> edit Regional_MPLS.

21. Disable Shutdown >> Save.

22. Go to Workflows >> Deploy Configuration Groups >> Next >> select East_Coast_BR1 >> Next.

23. Select Site_300 >> Next >> Next >> Deploy.

24. Go to Workflows >> Deploy Configuration Groups >> Next >> select East_Coast_DC >> Next.

25. Select Site_100 >> Next >> Next >> Deploy.

Router Affinity Groups

Router affinity groups enable you to specify the order of preference for choosing among multiple
routers that can serve as the next transit hop for a network flow. This applies in circumstances in which
(a) a router is determining its next hop for a flow, and (b) more than one router in the Multi-Region
Fabric architecture can serve as the next hop. There are two aspects to configuring the functionality:

• On a router, assigning a router affinity group ID (a number from 1 to 63).

• On a router, assigning the order of preference for choosing the router for a next hop. This is a
list of affinity group IDs.

When the overlay management protocol (OMP), operating on a router, chooses the best path for a flow,
it does the following:

1. Determines the possible next-hop routers, based on which routers are advertising the prefix
for the destination of the flow. (This is standard OMP functionality.)

2. From the possible next-hop routers, OMP considers the affinity group preferences when
choosing the best path, prioritizing the possible next hop routers accordingly. (This is specific
to affinity group functionality.)

The result is that a router first attempts to use a route to the next-hop device of highest preference, and
if that device is not available, it attempts to use a route to the next-hop device of the next lower
preference. If none of the devices on the affinity preference list are available, then the router attempts
to use a route to any other device that can serve as the next hop. One effect of this is an automatic
failover from one possible next hop router to a different next hop router if the first one is not available.
Affinity groups enable this functionality without requiring complex control policies.

In this task we will define Router Affinity Groups so that all East Coast branch sites prefer
East_Coast_DC router 1 (1.1.10.1) when communicating with the West Coast sites, without any
centralized policy or OMP attribute tweaks.
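The selection rules in the paragraph above, as an added example written for this guide (not Cisco
code). It models the OMP table of Site300-cE1 for 100.110.50.2/32 as the task below builds it:
Site100_cE1 (1.1.10.1) in affinity group 1 and Site100_cE2 in group 2 come from the lab; the
system IP 1.1.10.2 for Site100_cE2 and a third hub 1.1.10.9 with no affinity group are assumptions
added to show the fallback rule. The controller-side filtering enabled later in step 19 is not
modelled; this is only the router-side choice.

```python
"""Added example (not Cisco code): affinity-aware best-path selection as the
guide describes it, applied to the lab's 100.110.50.2/32 prefix.  System IP
1.1.10.1 and affinity groups 1 and 2 come from the lab; 1.1.10.2 for
Site100_cE2 and the unassigned hub 1.1.10.9 are assumed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: str            # system IP of the advertising router
    color: str
    affinity: Optional[int]  # affinity group carried with the TLOC, None if unassigned


def best_paths(paths, preference, reachable):
    """Pick the paths OMP installs for one prefix.

    preference: the local 'affinity-group preference' list, most preferred first.
    reachable:  next hops with a usable tunnel (BFD up).
    Returns the equal-cost set that would show as C,I,R.  Groups are tried in
    order; if nothing on the list is reachable, any other next hop is used."""
    usable = [p for p in paths if p.next_hop in reachable]
    for group in preference:
        chosen = [p for p in usable if p.affinity == group]
        if chosen:
            return chosen
    return [p for p in usable if p.affinity not in preference]


# Constructed OMP table for 100.110.50.2/32 as seen by Site300-cE1.
PREFIX = "100.110.50.2/32"
CE1, CE2, SPARE = "1.1.10.1", "1.1.10.2", "1.1.10.9"   # CE2 and SPARE are assumed IPs
OMP_TABLE = [
    Path(PREFIX, CE1, "mpls", 1),
    Path(PREFIX, CE1, "public-internet", 1),
    Path(PREFIX, CE2, "mpls", 2),
    Path(PREFIX, CE2, "public-internet", 2),
    Path(PREFIX, SPARE, "public-internet", None),   # hub with no affinity group
]


def next_hops(preference, reachable):
    """Distinct next hops chosen for the prefix under a given preference list."""
    return sorted({p.next_hop for p in best_paths(OMP_TABLE, preference, reachable)})


if __name__ == "__main__":
    everyone = {CE1, CE2, SPARE}
    print("no affinity configured ->", next_hops([], everyone))            # ECMP over all hubs
    print("preference 1 2         ->", next_hops([1, 2], everyone))        # only Site100_cE1
    print("cE1 down               ->", next_hops([1, 2], everyone - {CE1}))  # fails over to cE2
    print("cE1 and cE2 down       ->", next_hops([1, 2], {SPARE}))         # any other next hop
```

With an empty preference list the function returns every reachable path, which is the ECMP
behaviour seen in step 4 of the task; with preference 1 2 only Site100_cE1's two colors remain,
which is the C,I,R output of step 22.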

1. Console to Site300-Ubuntu-VPN10 by selecting Site 300 on the POC Tool, clicking the VM and
selecting Console.

2. Run tracepath to 100.110.50.2. Depending on the ECMP hash, the traffic goes towards either the
Site100_cE1 or the Site100_cE2 TLOC, as in the screenshot below.

3. Console to Site300-cE1 by selecting Site 300 on the POC Tool, clicking the VM and selecting
Console.

4. Run the command "show sdwan omp routes 100.110.50.2/32". ECMP routes are available towards the
Site 100 hubs over both the Public-Internet and the MPLS transports.

5. In this task we want Site 300 to prefer the 1.1.10.1 (Site100_cE1) router for traffic to the
West Coast routers. Therefore, we will assign Affinity Groups to the Site 100 routers as per the
table below:

Router         Affinity Group
Site100_cE1    1
Site100_cE2    2

6. Go to Configuration >> Configuration Groups >> click the 3 dots in front of East_Coast_DC >> Edit.

7. Expand CLI Add-on Profile >> click Edit Feature in front of MRF_Core.

8. Add the following commands:

system
 affinity-group affinity-group-number {{affinity_id}}

Click Save on both devices.

9. Go to Configuration >> Configuration Groups >> click the 3 dots in front of East_Coast_BR1 >> Edit.

10. Click Start Configuration under CLI Profile.

11. Name it MRF_Edge, enter the commands below and click Save.

system
 affinity-group preference 1 2

12. Go to Workflows >> Deploy Configuration Group >> Next >> select East_Coast_DC >> select
Site_100 >> Next.

13. Select Site_100, enter the values as per the table below and click Next:

Router         Variable Name   Affinity Group
Site100_cE1    affinity_id     1
Site100_cE2    affinity_id     2

14. Click Preview CLI >> Deploy.

15. Go to Workflows >> Deploy Configuration Group >> Next >> select East_Coast_BR1 >> Next >>
select Site_300 >> Next.

16. Click Next >> Deploy.

17. Go to Configuration > Templates > click the 3 dots in front of vSmart-MRF >> Edit.

18. Click OMP >> Create Template.

19. Name it vSmart_OMP, scroll down to the Best Path section, enable "Enable Filtering Route
Updates Based on Affinity" and click Save.

20. Click Update >> Next >> Configure Devices >> OK.

21. Console to Site300-cE1 by selecting Site 300 on the POC Tool, clicking the VM and selecting
Console.

22. Run the command "show sdwan omp routes 100.110.50.2/32". Now only the routes via Site100_cE1
are in C,I,R state because of the affinity groups, and traffic will always go via Site100_cE1 for
as long as it keeps advertising the routes.

Data Policies (DIA)

Overview
Direct Internet Access (DIA) can be enabled in a variety of ways with the Cisco SD-WAN solution. We
will enable NAT on the Public-Internet interface.

In this lab, we will deploy DIA using a Data Policy built with the UX2.0 workflow.

A Data Policy allows a great degree of flexibility in deciding how an Internet breakout is enabled
for a variety of traffic sources and destinations, together with the ability to fall back to the
overlay when the breakout is unavailable.

1. Go to Configuration >> Configuration Groups >> East_Coast_BR1 >> Edit

2. Expand Transport & Management profile >> Click Edit Feature by clicking 3 dots in front of
Regional_INET.

3. Click NAT >> Expand IPv4 Settings >> Enable NAT >> Save.

4. Click Associated devices >> Site_300 >> deploy.

5. Click Site_300 >> Next >> Deploy.

6. Click “View Deployment Status” >> Wait till its Success.

7. Go to Configuration >> Policy Groups.

8. Click Add Policy Group >> Name: Data_Policy_DIA_AAR >> Create.

9. Click Application Priority & SLA >> Add Application Priority Policy.

10. Name the Policy: DIA >> Click Create

11. Click "Advanced Layout" >> click "Add Traffic Policy".

12. Name it DIA_GUEST_VPN, VPN: Guest, Direction: Service >> click Add.

13. Expand DIA_GUEST_VPN and click "Add Rules".

14. Expand Rule 1 >> Click “Add Match” >> check Destination >> Data Prefix.

15. Click on Data Prefix >> Create New

16. Enter the Name : RFC_1918 , Data Prefix : 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 , Click Save.

17. Select RFC_1918 under Destination Data Prefix

18. Click Accept >> Save Match and Actions

19. Click “Add Rule” >> Expand Rule 2.

20. Click Add Match >> Source >> Data Prefix

21. Click Source Data Prefix >> Create New.

22. Enter the Name : Site_300_Prefix , Data Prefix : 12.30.1.0/24 , Click Save.

23. Select Site_300_Prefix under Source data Prefix.

24. Click Action Accept >> Click Add Action >> Select NAT VPN.

25. Check Fallback >> Click Save Match and Actions.

26. Click Save

27. Select Policy Group >> Expand Data_Policy_DIA_AAR >> Select “DIA” under Application Priority
>>Save

28. Click the Pencil Icon in front of “Associated to”.

29. Click Associate Devices.

30. Click Next >> Select Site Site_300 >> Next

31. Click Continue >> Save >> Click “No, I Will do it later.”

32. Click go to View Policy Groups.

33. Expand Data_Policy_DIA_AAR >> Click Deploy.

34. Click next >> Next >> Select Site_300 >> Next.

35. Click Preview CLI

36. Click Site_1

37. Click the X icon >> Deploy.

38. Click “View Deployment Status” >> Wait till its Success.
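The policy built in steps 13 to 25, as an added example written for this guide (not Cisco code): an
ordered rule evaluation that shows why the RFC 1918 rule has to precede the NAT rule and what the
Fallback option does. The prefixes, rule order and NAT VPN are the lab's; the default action and
the function names are assumptions.

```python
"""Added example (not Cisco code): ordered evaluation of the DIA_GUEST_VPN data
policy from the lab.  Prefixes, rule order and NAT VPN follow the guide; the
default action and the function names are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

RFC_1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SITE_300_PREFIX = [ipaddress.ip_network("12.30.1.0/24")]


@dataclass(frozen=True)
class Rule:
    name: str
    src: Optional[list] = None     # None = match any source
    dst: Optional[list] = None     # None = match any destination
    action: str = "accept"         # "accept" or "drop"
    nat_vpn: Optional[int] = None  # accept + nat_vpn 0 = Direct Internet Access via VPN 0 NAT
    fallback: bool = False         # route normally if the NAT path is unavailable


def _match(addr, prefixes):
    return prefixes is None or any(ipaddress.ip_address(addr) in p for p in prefixes)


def evaluate(rules, src, dst, nat_available=True, default_action="drop"):
    """First matching rule wins, like a data-policy sequence list.
    Returns (forwarding decision, name of the rule that decided it)."""
    for rule in rules:
        if not (_match(src, rule.src) and _match(dst, rule.dst)):
            continue
        if rule.action == "drop":
            return ("drop", rule.name)
        if rule.nat_vpn is None:
            return ("overlay", rule.name)            # plain accept: normal SD-WAN routing
        if nat_available:
            return (f"nat-vpn{rule.nat_vpn}", rule.name)
        return ("overlay" if rule.fallback else "drop", rule.name)
    # assumed default action when no sequence matches (a data policy drops by default)
    return ("overlay" if default_action == "accept" else "drop", "default")


# The DIA_GUEST_VPN policy as built in steps 13-25.
DIA_GUEST_VPN = [
    Rule("rule-1", dst=RFC_1918),                                   # internal destinations stay on the overlay
    Rule("rule-2", src=SITE_300_PREFIX, nat_vpn=0, fallback=True),  # guest subnet breaks out locally
]

if __name__ == "__main__":
    for dst in ("10.50.1.1", "142.250.72.14"):     # Site 500 user / a public address (constructed)
        print("12.30.1.10 ->", dst, evaluate(DIA_GUEST_VPN, "12.30.1.10", dst))
    print("NAT interface down ->",
          evaluate(DIA_GUEST_VPN, "12.30.1.10", "142.250.72.14", nat_available=False))
    print("rules swapped      ->", evaluate(DIA_GUEST_VPN[::-1], "12.30.1.10", "10.50.1.1"))
```

Run with the rules reversed, a guest host talking to 10.50.1.1 is NATed out to the Internet instead
of staying on the overlay, which is the mistake to watch for when enabling DIA with a source-prefix
match. If guest users should not reach internal networks at all, rule-1's action would be drop
rather than accept; the lab keeps accept.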

Activity Verification

1. Console to Site300-cE1 by right-clicking the device >> Console.

2. Enter "show sdwan policy from-vsmart". You should see output similar to the one below.

3. Console to Site300-Ubuntu-VPN12 by selecting Site 300 on the POC Tool, clicking the VM and
selecting Console.

4. Open Firefox >> open YouTube.

Data Policies(Enhanced Application Aware Routing)

Overview
Today SD-WAN uses BFD for tunnel performance measurements. With the default timers it can take
anywhere between 10 and 60 minutes to detect an SLA breach and fail over. The poll interval and
multiplier can be reduced, but the overall detection time stays in the order of minutes, and going
lower produces false positives because the measurement relies on BFD probes alone.

Release 20.12/17.12 introduces Enhanced Application-Aware Routing (EAAR) in SD-WAN, which provides
the following capabilities:

1) Improved PFR measurements: inline data traffic is used for the measurements. Accurate per-queue
measurements give faster detection, in the order of seconds (10 s to 60 s). The best-practice
recommendation is to configure an app-probe class along with the SLA class.

2) Ability to switch quickly to a better path: with a 10 s poll interval, a tunnel that does not
meet the SLA is taken out of SLA forwarding in as little as 10 s.

3) Ability to dampen the tunnel: if a tunnel flaps between meeting and not meeting the SLA, SLA
dampening monitors the stability of the transport before the tunnel is brought back into SLA
forwarding.

1. Go to Configuration >> Configuration Groups >> East_Coast_BR1>> Click 3 dots >> Edit.

2. Expand System Profile >> Click 3 dots in front of basic >> Edit feature.

3. Look for Enhanced App-Aware >> Change it to Aggressive >> Save.

4. Click Associate Devices >> Select Site_300 >> Deploy.

5. Select Site_300 >> Next >> Deploy.

6. Click “View Deployment Status” >> ensure it is Success.

7. Go to Configuration >> Configuration Groups >> East_Coast_DC>> Click 3 dots >> Edit.

8. Expand System Profile >> Click 3 dots in front of basic >> Edit feature.

9. Look for Enhanced App-Aware >> Change it to Aggressive >> Save.

10. Click Associated Devices >> Select Site_100 >> Deploy.

11. Select Site_100 >> Next >> Deploy.

12. Click “View Deployment Status” >> ensure it is Success.

13. Go to Configuration >> policy groups >> Click Application Priority & SLA Policy >> Click Edit in
front of DIA.

14. Click Add traffic Policy.

15. Policy Name: EAAR , VPN : Corporate_Users >> Direction: Service.

Click Add.

16. Expand EAAR >> Click Add Rules.

17. Expand Rule 1 >> Click Match >> Select DSCP

18. Enter DSCP Value 46.

19. Click Accept >> Click Add Action >> Select SLA Class.

20. Click SLA Class List >> Create New.

21. Enter the SLA Class List Name Critical_Apps, Loss 2 %, Latency 50 ms and Jitter 100 ms. Click
Save.

22. Select Critical_Apps under SLA Class List and select MPLS as Preferred Color. Click Save Match
and Actions.

23. Click Add Rules under EAAR

24. Expand Rule 2 >> Click Match >> Select DSCP

25. Enter DSCP Value 41.

26. Click Accept >> Click Add Action >> Select SLA Class.

27. Click SLA Class List >> Create New.

28. Enter SLA Class List Name: Priority_Apps, Enter Loss % as 7. Enter 150 for the Latency and 100
for the Jitter. Click on Save.

29. Select Priority_Apps under SLA Class List, Click Save Match and Actions.

30. Click Save.

31. Click Add Rules under EAAR.

32. Expand Rule 3 >> Click on Match >> Select Source >> Data Prefix.

33. Click on Source Data Prefix >> Create New.

34. Name the Data Prefix : Site_300_VPN_10 , Data Prefix : 10.30.1.0/24

35. Click Save.

36. Select Source Data Prefix : Site_300_VPN_10 , Action : Accept .

37. Click Save Match and Actions.

38. Click Save.

39. Click go to View Policy Groups.

40. Expand Data_Policy_DIA_AAR >> Click Deploy.

41. Click next >> Next >> Select Site_300 >> Next.

42. Click Preview CLI

43. Click Site_1

44. Click the X icon >> Deploy.

45. Click “View Deployment Status” >> Wait till its Success.

Activity Verification

1. Go to Tools >> SSH Terminal.

2. Click Site100-cE1 >> enter user admin, password C1sco12345.

3. Run "show sdwan bfd sessions alt". The tunnels to the Site 100 devices show the EAAR flags.

4. Run "show sdwan app-route stats remote-system-ip 1.1.10.1". You can see the SLA Class List,
Enhanced App-Route enabled, and the mean latency, loss and jitter.

5. Go to Monitor >> Devices >> click Site300-cE1 >> Troubleshooting.

6. Click Simulate Flows.

7. Enter the following:

• VPN: 10
• Source Interface: GigabitEthernet3 - ipv4 - 10.30.1.1
• Destination IP: 10.50.1.1
• Click Advanced Options.
• DSCP: 46

Click Simulate.

8. The traffic prefers the MPLS link because it is within the defined SLA.

9. Enter the following:

• VPN: 10
• Source Interface: GigabitEthernet3 - ipv4 - 10.30.1.1
• Destination IP: 10.50.1.1
• Click Advanced Options.
• DSCP: 41

Click Simulate.

For traffic tagged with DSCP 41 the traffic is load balanced, because we did not define a preferred
color and both links adhere to the SLA class.

10. Now induce some delay on the MPLS link and observe the behavior.

Use WAN Emulator 1 on Site 300 to create the WAN impairment required to stop the MPLS path from
conforming to the configured SLA. On the POC Tool, navigate to the site, right-click
Site300-WANEmu1 and select Edit. Click Interfaces, choose eth0 and define the impairment (for
example, latency of 100 ms). Click OK to close the window and click Deploy to commit the changes.

11. Navigate to Monitor >> Network >> Branch1_Site300_CE1 >> Troubleshooting >> Simulate Flows and
enter the following:

• VPN: 10
• Source Interface: GigabitEthernet3 - ipv4 - 10.30.1.1
• Destination IP: 10.50.1.1
• Click Advanced Options.
• DSCP: 46

Click Simulate.

Now the solution prefers the Public Internet rather than MPLS, and the detection of the MPLS path
breaching the SLA is very quick, almost real time. This is the EAAR enhancement: legacy AAR's
reaction time could be around 5-10 minutes, whereas EAAR reacts in 10-60 seconds.

12. Navigate to Monitor >> Network >> Branch1_Site300_CE1 >> Troubleshooting >> Simulate Flows and
enter the following:

• VPN: 10
• Source Interface: GigabitEthernet3 - ipv4 - 10.30.1.1
• Destination IP: 10.50.1.1
• Click Advanced Options.
• DSCP: 41

Click Simulate.

The solution continues to load balance between the two TLOCs: we introduced 100 ms of latency and
the Priority class SLA has a latency threshold of 150 ms.

13. Remove the WAN impairment from the MPLS path: on the POC Tool, navigate to the site, right-click
Site300-WANEmu1 and select Edit. Click Interfaces, choose eth0 and delete the impairment
parameters. Click OK to close the window and click Deploy to commit the changes.
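As an added example written for this guide (not Cisco code), the following models how the app-route
rules configured in this task pick tunnels against an SLA class and how dampening delays
re-admission of a flapping tunnel. The SLA classes, DSCP values, preferred color and the 100 ms
impairment are those of the task; the baseline tunnel statistics and the dampening count of three
polls are assumed.

```python
"""Added example (not Cisco code): SLA-class path selection and dampening as
exercised in the EAAR task.  The SLA classes, DSCP values, preferred color and
100 ms impairment come from the lab; baseline tunnel statistics and the
dampening count are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SlaClass:
    name: str
    loss_pct: float
    latency_ms: int
    jitter_ms: int


@dataclass(frozen=True)
class TunnelStats:
    color: str
    loss_pct: float
    latency_ms: int
    jitter_ms: int


def meets_sla(stats, sla):
    return (stats.loss_pct <= sla.loss_pct
            and stats.latency_ms <= sla.latency_ms
            and stats.jitter_ms <= sla.jitter_ms)


def select_colors(tunnels, sla, preferred_color=None):
    """Colors an app-route rule forwards over: compliant tunnels, narrowed to the
    preferred color when a compliant tunnel of that color exists; with no
    preferred color the flow is load balanced over every compliant tunnel; when
    nothing complies (and no strict option is set) it is load balanced over all."""
    compliant = [t for t in tunnels if meets_sla(t, sla)]
    if preferred_color:
        pref = [t for t in compliant if t.color == preferred_color]
        if pref:
            return [t.color for t in pref]
    return [t.color for t in (compliant or tunnels)]


class SlaMonitor:
    """Per-color SLA state with dampening: one breaching poll takes a tunnel out
    of the SLA class immediately, but it is re-admitted only after
    'reinstate_after' consecutive compliant polls (assumed count, in the role of
    a dampening multiplier)."""

    def __init__(self, sla, reinstate_after=3):
        self.sla, self.reinstate_after = sla, reinstate_after
        self.in_sla, self.streak = {}, {}

    def poll(self, stats):
        c = stats.color
        if meets_sla(stats, self.sla):
            self.streak[c] = self.streak.get(c, 0) + 1
            if c not in self.in_sla or self.streak[c] >= self.reinstate_after:
                self.in_sla[c] = True
        else:
            self.streak[c] = 0
            self.in_sla[c] = False
        return self.in_sla[c]


# SLA classes exactly as configured in steps 21 and 28.
CRITICAL_APPS = SlaClass("Critical_Apps", loss_pct=2, latency_ms=50, jitter_ms=100)
PRIORITY_APPS = SlaClass("Priority_Apps", loss_pct=7, latency_ms=150, jitter_ms=100)
RULES = {46: (CRITICAL_APPS, "mpls"), 41: (PRIORITY_APPS, None)}  # DSCP -> (SLA class, preferred color)


def lab_case(dscp, mpls_latency_ms):
    """Tunnels Site300-cE1 would use for a flow with this DSCP, given the
    measured MPLS latency (assumed baseline: 30 ms Internet, no loss, low jitter)."""
    tunnels = [TunnelStats("mpls", 0.0, mpls_latency_ms, 5),
               TunnelStats("public-internet", 0.0, 30, 8)]
    sla, preferred = RULES[dscp]
    return select_colors(tunnels, sla, preferred)


if __name__ == "__main__":
    print("DSCP 46, MPLS 20 ms  ->", lab_case(46, 20))    # ['mpls']
    print("DSCP 46, MPLS 100 ms ->", lab_case(46, 100))   # ['public-internet']
    print("DSCP 41, MPLS 100 ms ->", lab_case(41, 100))   # both: 150 ms threshold not breached
    m = SlaMonitor(CRITICAL_APPS)
    print([m.poll(TunnelStats("mpls", 0.0, lat, 5)) for lat in (20, 100, 20, 20, 20)])
```

The SlaMonitor sequence shows the asymmetry that matters operationally: the MPLS tunnel leaves the
Critical_Apps class on the first breaching poll but needs three clean polls to return, so a
transport that oscillates around the threshold does not drag the flow back and forth with it.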

NWPI

Overview

Network-Wide Path Insight provides on-demand end-to-end application-tracing serviceability in the
Cisco Catalyst SD-WAN network. You can obtain and view detailed information at the packet level,
application level, domain level, flow level and network level. This information provides
comprehensive insight into the operation of your network and can assist with performance analysis,
planning and troubleshooting.

Benefits of Network-Wide Path Insight:

• End-to-end bidirectional network path visibility for applications over Cisco Catalyst SD-WAN
fabric.
• Real-time network performance measurement and visibility for applications.
• Feature execution insight on Cisco Catalyst SD-WAN device. Example: QoS, SD-WAN Policy, SAIE
flow, and SD-WAN overlay tunneling.
• Validation of application policies.

In this Lab, we will learn how to use the SDWAN NWPI Feature.

NWPI Configuration

1. Go to Administration >> Settings >> search for Data Stream >> click Edit >> Enabled >> Save.

2. Go to Tools >> Network Wide Path Insight.

3. Click New Trace >> enter the Name NWPI, Site ID 300 and VPN 12.

Expand Monitor Settings >> click DIA Visibility >> click Start. A trace operation is created on
all the cEdge devices located in the chosen site, and they start collecting the information we
need.

Note: as with all other logging, debugging and troubleshooting, specifying additional filters such
as IP address, application or protocol (TCP or UDP) helps to minimize noise in the output.

4. Check that the status of the trace is Running.

5. Console to Site300-Ubuntu-VPN12 by selecting Site 300 on the POC Tool, clicking the VM and
selecting Console.

6. Open Firefox >> open YouTube.

7. Go back to SD-WAN Manager >> Tools >> NWPI >> under Insights, check the active flows.

Note: for each flow we can see the flow tuple (IP/port combination), application, DSCP, network
path, drop rate, latency, jitter and statistics for both the upstream and downstream directions of
the flow. In most typical cases the upstream direction is client to server and the downstream
direction is server to client.

8. Expand one of the flows whose application shows as "google-service" or youtube.

You can check the loss, drops and latency along with the interface through which the traffic exits.

9. Scroll to INSIGHT - ADVANCED VIEWS.

10. Click Upstream Feature >> click NBAR to check the traffic classification.

11. You can check the SD-WAN policy being applied along with CEF and the ingress interface.

12. Stop the trace by clicking Stop in front of NWPI.

13. Click Confirm.

Unified Security Policy - Site 300

Overview
The Cisco SD-WAN solution offers on-box security configuration options with the UTD container
running as the security services provider on IOS-XE platforms. Services such as Zone-Based
Firewall, IPS/IDS, URL Filtering, TLS/SSL Decryption and Advanced Malware Protection can be
configured directly on the SD-WAN edge, provided the edge meets the base requirements for them.

This section of the lab guides you through Unified Security Policy configuration and verification.
Unified Security Policy configuration is closer to how policies are applied in Firepower Access
Policies and will be the de facto method going forward.

Following is the summary of steps:

1. Import the UTD virtual image in vManage.
2. Review vManage configured as the TLS/SSL proxy CA.
3. Update the DNS and NTP servers on Site300-cE1 (certificate validation during TLS/SSL decryption
depends on the router having accurate time).
4. Configure the Embedded Security Policy.
5. Attach the Embedded Security Policy to the Policy Group.

Configuring Security Policies:

1. Go to Maintenance >> Software Repository.

2. Click Virtual Images >> Add New Virtual Image >> vManage.

3. Click Browse >> select Download >> secapp-utd.17.12.01a.1.0.7_SV3.1.55.0_XE17.12.x86_64.tar >>
Open.

4. Click Upload.

vManage is already configured as the SSL proxy CA; this will be used during the TLS/SSL decryption
lab. In the following steps you will confirm this configuration.

5. Go to Configuration >> Certificate Authority.

6. Verify that vManage is acting as a Root CA.

7. Go to Configuration > Configuration Groups >> click the 3 dots in front of East_Coast_BR1 >>
click Edit.

8. Expand Transport and Management Profile >> click the 3 dots in front of VPN0 >> Edit Feature.

9. Click DNS >> select "Yes, I want to add DNS" >> enter 8.8.8.8 under Primary DNS Server.

10. Click Save.

11. Expand System Profile >> click the 3 dots in front of NTP >> Edit Feature.

12. Click Server >> click Edit in front of time.google.com.

13. Enter the following:

• Hostname: pool.ntp.org
• Set interface to use to reach NTP server: GigabitEthernet1

14. Click Update >> Save.

15. Click the 3 dots in front of Global >> click Edit Feature.

16. Enable Domain Lookup >> click Save.

17. Click Associated Devices >> Site_300 >> Deploy.

18. Click Site_300 >> Next >> Deploy.

19. Click "View Deployment Status" >> wait till it is Success.

20. Go to Configuration >> Policy Groups.

21. Select Embedded Security >> Add Security Policy.

22. Click Next >> Enter Policy Name: Site_300_Security_Policy >> Click Next

23. Select Site “East_Coast_BR1” >> Click Next.

24. Delete the sub-policy for Corporate_Users_zone by clicking Delete Sub-Policy. Click Yes.

25. Edit the sub-policy Guest_zone.

26. Under Match Conditions >> Click Applications.

27. Expand Application >> Create New.

28. Name the list Youtube, select Youtube from the Application List, and click Add.

29. Select Application Youtube from the drop-down menu under Application.

30. Select Action Drop >> Save.

31. Click Add Rule.

32. Select Destination Zone: Untrusted, Action: Inspect, and check Log Events.

33. Click Select Advanced Inspection Profile >> Create New.

34. Name the profile Site_300_NGFW >> Click Create New under Intrusion Prevention.

35. Enter the Policy Name “Site_300_IDS”, Signature Set: Security, Inspection Mode: Protection.
Click Add.

36. Click Select an URL Filter >> Create New.

37. Enter the Policy Name: Site_300_URLF, Web Category: Social-network, Web
Reputation: Moderate Risk. Click Add.

38. Click Select an Advanced Malware Protection >> Create New.

39. Enter the Policy Name: Site_300_AMP, AMP Cloud Region: EU >> Click Add.

40. Select TLS Action: Decrypt >> Click Select a TLS/SSL Decryption >> Create New.

41. Enter the Name: Site_300_TLS, select Decrypt for computer-and-internet-info >> Click
Add.

42. Click Add.

43. Click Additional Settings on the top right.

44. Click Create New under TLS/SSL Decryption Policy.

45. Name it TLS_Decrypt >> Click Add.

46. Click Save.

47. Click Next >> Submit.

48. Click “View all Security Policies”.

49. Click Policy Group >> Expand the DIA policy >> Click Embedded Security >> Select
“Site_300_Security_Policy”.

50. Click Save >> Deploy.

51. Click Next >> Next >> Select SITE_300 >> Next >> Deploy.

52. Click “View Deployment Status”. Ensure it shows Success.

Zone Based Firewall Verification.

1. Console to Site300-Ubuntu-VPN12 by selecting Site 300 on the POC Tool, clicking
the VM and selecting Console.

2. Open Firefox >> Open Youtube.

3. Youtube does not open as it is blocked by the Firewall Policy, Rule 1.

4. Go to Monitor >> Security.

5. At Firewall Rule Counter >> Select Top Rules - Dropped >> You can see Rule 1 (the
Youtube rule) listed under Drop.

6. We can verify the firewall drop using NWPI as well. Go to Tools >> Network Wide Path
Insights.

7. Click New Trace >> Trace Name: FW_Trace, Site ID: 300, VPN: 12 >> Click Start.

8. Go back to Site300-Ubuntu-VPN12 and try to open Youtube.com in a new tab.

9. Under Insights for NWPI you can see the Youtube DNS failing. Check under both Active
Flows and Completed Flows.

10. Check for the Youtube (DNS) Failed flow in Completed Flows >> Expand it as shown in the
screenshot below:

11. Scroll down >> Under INSIGHT - Advanced View >> Expand DROP_REPORT and
ZBFW.

The reason for the drop is shown clearly.

URL Filtering Verification.

12. Go back to Site300-Ubuntu-VPN12 and try to open HTTP://facebook.com in a new tab.
You can see the block message from the URL Filtering policy, as we blocked social-networking
sites.

13. Go to Monitor >> Security.

14. Scroll down to URL Filtering >> You can see Social-network being blocked >> Click
View Details to check other URLs being accessed.

AMP Verification.

1. Go back to Site300-Ubuntu-VPN12 and open HTTP://www.tekdefense.com in a new tab.

2. Click the link Downloads > Malware Samples from the results.

3. Click GOOGLE_ADOBE_FLASHPLAYER.EXE.ZIP >> You can see the file cannot be
downloaded.

4. Console to Site300-cE1 by right-clicking the device >> Console.

5. Enter “show utd engine standard cache file-inspection” >> You can see the file being
cached and dropped as it is malicious.

6. Go to vManage >> Monitor >> Security >> You can see the Threats and AMP related
values. It may take around 5-10 minutes to appear.

TLS Decryption Verification.

1. Go back to Site300-Ubuntu-VPN12 and open HTTPS://www.cnet.com in a new tab.

2. Check the SSL certificate of the website, and notice that this certificate is signed by the
vManage Root CA because of the TLS/SSL decryption configuration.

• To do so, go to the Lock in the browser >> Click the “>” icon.
• Click More Information.
• Click View Certificate.
• You can view the certificate authority (vManage) and the certificate issued to the cEdge.

IPS/IDS Verification.

1. Console to Site300-cE1 by right-clicking the device >> Console.

2. Run “show utd engine standard status”. Ensure the Status is Green and observe that the
signature package version is 29.0.c. (This is a community Signature Package and has
limited coverage against threats.)

3. Go to vManage >> Administration >> Settings >> Search for “UTD Snort Subscriber
Signature” >> Click Edit.

4. Enable IPS Signatures >> Click Local.

5. Add the subscription package file already downloaded to the Jump host by clicking
Choose File >> Select “UTD-STD-SIGNATURE-31550-37-S.pkg” >> Open. Click Add >> Save.

Note: Options for downloading UTD signature packages out of band from Cisco.com and uploading them
to Cisco SD-WAN Manager or a remote server and options for custom signatures are available from Cisco
vManage Release 20.10.1 and Cisco IOS XE Catalyst SD-WAN Release 17.10.1a.

6. Go back to the console for Site300-cE1 >> You will observe vManage logging in and
installing the signature file on the router.

7. Run the command “show utd engine standard status”. It shows the updated signature file,
which has a greater number of signatures for threats.

8. Go back to Site300-Ubuntu-VPN12 >> open a terminal and run the following command to
trigger the IPS signature:

“curl -v -L -m 10 dfgvx.com”

Since we are running in IDS mode, the request was blocked.

9. Go back to the console of Site300-cE1 >> run “show utd engine standard logging
events”. You can observe the traffic for dfgvx being dropped.

10. Go to vManage >> Monitor >> Security >> Intrusion Prevention. It may take around 5-10
minutes to reflect.

SDWAN-Umbrella Integration

Overview
SDWAN integration with Umbrella supports the following two methods of integration:

• DNS redirection to Umbrella – Configure the SDWAN edge to redirect DNS queries
coming from LAN subnets/VPNs to Umbrella DNS for resolution. Exceptions can be
defined for local domain resolution. For the DNS redirection policy to work properly, DNS
queries must pass through the SDWAN edge.

• Umbrella Secure Internet Gateway Integration – The cloud managed Umbrella SIG
service serves not just SD-WAN environments but a host of other use cases backed by
Cisco SASE. Umbrella SIG provides a host of cloud-based security controls, which
provide secure access to internet and cloud hosted services without putting a significant
computation burden on SD-WAN Edge devices. In this method, IPsec tunnels are
configured between the SDWAN edge and the Umbrella platform in either an Active/Standby or
Active/Active configuration.

In this lab, we first configure the Site300-cE1 router for DNS redirection to Umbrella, followed by
Umbrella SIG integration. The summary of the lab flow is as follows:

• Perform Umbrella Registration
• Configure DNS Security Policy on vManage
• Configure DNS Policy on Umbrella
• Verify DNS Redirection Policies
• Configure SIG-Tunnel workflow
• Add service route in VPN12
• Create policies on Umbrella platform
• Verify Umbrella SIG redirection results

Umbrella DNS Redirection
The Cisco Catalyst SD-WAN Umbrella Integration feature provides cloud-based security service
by inspecting the DNS query that is sent to the DNS server through the device. When a host
initiates the traffic and sends a DNS query, the Umbrella Connector in the device intercepts and
inspects the DNS query. If the DNS query is for a local domain, it forwards the query without
changing the DNS packet to the DNS server in the enterprise network. If it is for an external
domain, it adds an Extended DNS (EDNS) record to the query and sends it to Umbrella
Resolver. An EDNS record includes the device identifier information, organization ID and client
IP. Based on this information, Umbrella Cloud applies different policies to the DNS query.
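
The connector behaviour described above, modelled as an added Python example that is not part of this guide: a query for a local domain is forwarded unchanged, while an external query gets an EDNS0 OPT record appended that carries the device identifier, organization ID and client IP, and a parser recovers those options on the receiving side. The option code, the payload layout and the local-domain list are constructed assumptions; the real Umbrella EDNS format is not specified here.

```python
import socket
import struct

# Constructed local-domain list: queries under these go to the enterprise DNS unchanged.
LOCAL_DOMAINS = ("corp.example.internal",)
# Hypothetical EDNS0 option code (RFC 6891 local/experimental range); the real
# Umbrella option code and payload layout are not given in the guide.
IDENT_OPT_CODE = 65001
OPT_RR_TYPE = 41          # OPT pseudo-RR type
UDP_PAYLOAD_SIZE = 4096   # advertised in the OPT RR CLASS field

def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, qid=0x1234):
    """Plain recursive A query: 12-byte header plus one question, no OPT record."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def is_local(name):
    n = name.rstrip(".").lower()
    return any(n == d or n.endswith("." + d) for d in LOCAL_DOMAINS)

def add_ident_edns(query, device_id, org_id, client_ip):
    """Append an OPT RR carrying device id, org id and client IP; bump ARCOUNT."""
    payload = struct.pack("!8sI4s", device_id, org_id, socket.inet_aton(client_ip))
    option = struct.pack("!HH", IDENT_OPT_CODE, len(payload)) + payload
    # OPT RR: root name, TYPE, CLASS=UDP size, TTL=ext-rcode/version/flags, RDLEN
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, UDP_PAYLOAD_SIZE, 0, len(option))
    arcount = struct.unpack("!H", query[10:12])[0] + 1
    return query[:10] + struct.pack("!H", arcount) + query[12:] + opt_rr + option

def connector_forward(name, device_id, org_id, client_ip):
    """Connector decision: local domain -> enterprise DNS, anything else -> Umbrella."""
    query = build_query(name)
    if is_local(name):
        return "enterprise-dns", query
    return "umbrella-resolver", add_ident_edns(query, device_id, org_id, client_ip)

def parse_edns_options(packet):
    """Return {option_code: data} from the OPT RR, or {} if the query carries none."""
    arcount = struct.unpack("!H", packet[10:12])[0]
    pos = 12
    while packet[pos] != 0:                 # skip QNAME labels (single question)
        pos += packet[pos] + 1
    pos += 1 + 4                            # root byte plus QTYPE/QCLASS
    options = {}
    for _ in range(arcount):
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", packet[pos + 1:pos + 11])
        rdata, pos = packet[pos + 11:pos + 11 + rdlen], pos + 11 + rdlen
        off = 0
        while rtype == OPT_RR_TYPE and off < len(rdata):
            code, olen = struct.unpack("!HH", rdata[off:off + 4])
            options[code] = rdata[off + 4:off + 4 + olen]
            off += 4 + olen
    return options
```

Running `parse_edns_options` on a capture taken on the LAN side of the edge (before the connector) versus the WAN side is a quick way to confirm that guest-VPN queries actually traverse the device and pick up the identity record.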

Lab Environment Prep work:

1. From the Cisco SD-WAN Manager Menu, navigate to Configuration => Configuration
Groups. Edit East_Coast_BR1.
2. Click on the System Profile: East_Coast_BR1, scroll down to the global/Global feature
set and click the three dots on the far right to edit the feature.
3. Under the Services tab, go to Domain Lookup and choose Global from the
dropdown menu. Click the button to enable it, then click Save.
4. Under East_Coast_BR1, choose Associated Devices, select SITE_300 and
click Deploy.
5. On the next screen, click on SITE_300 >> Next >> Deploy.
6. From the Cisco SD-WAN Manager Menu, navigate to Configuration => Policy Group.
Go to the Application Priority & SLA tab and edit the DIA policy.
7. Click on DIA_GUEST_VPN >> Add Rules. Set Sequence as 1 and Name as Rule 1.
8. Click on Add Match >> DNS >> DNS and select Request from the dropdown. Choose
Action as Accept, then click Save Match & Actions >> Save.

Umbrella Registration
1. From the Jump host, open Chrome and click on the Umbrella SSO bookmark to launch the
Umbrella dashboard.
2. On the Umbrella dashboard, navigate to Admin => API Keys => Legacy Keys =>
Umbrella Network Devices and click + Generate Token (if the keys are preconfigured,
delete the preconfigured keys and then click + Generate Token).

3. Open Notepad on the Jump host and copy the key and secret to Notepad.

4. From the URL in the Chrome address bar, copy the 6-7 digit number which appears in the
URL, and paste it in Notepad as the Org ID.

5. On vManage, navigate to Configuration >> Policy Groups, and click on the DNS
Security tab. Click Add DNS Security Policy.

6. On the pop-up window, configure the Policy Name as DNS_SEC_POL and click
Create.

7. Click on Manage Umbrella Registration. From Notepad, copy the Organization ID,
Registration Key and Secret to this dialog box, and click Save Changes.

8. Choose Custom VPN Configuration and then click on Add Target VPN. On the pop-up,
search for and choose Guest as the VPN and click Save Changes. Click on Save.

9. Navigate to the Policy Group tab and click on Data_Policy_DIA_AAR. Select
DNS_SEC_POL under the DNS Security field and click Save >> Deploy.

10. Go through the policy deployment workflow to complete the policy push.

Create DNS Policy on Umbrella

1. On the Umbrella Dashboard, navigate to Policies => Management => DNS Policies.

2. Click on the sign on the top-right side of the screen.

3. Click on

4. Select Network Devices.

5. Click on

6. On the Security Settings screen, leave the settings as default and click on

7. On the Limit Content Access screen, select Custom on the left side; under Custom Setting
on the right, select Default Settings, and under Content Categories, select Social
Networking and News, and click Next.

8. Under Applications to control, block 4shared and Netflix, and click Next.

9. Click Proceed.

10. On the Apply Destination Lists screen, click Next.

11. Under File Analysis, click Next.

12. Under Block Page Settings, click Next.

13. Configure the Policy Name as Site300 DNS Policy, and click on

14. Expand Site300 DNS Policy and enable SSL Decryption under Advanced Settings
=> Enable Intelligent Proxy, and click on

DNS Redirection Verification

1. In the POC Tool, open the console of the Site300-Ubuntu-VPN12 PC. Login with password:
viptela.

2. On Site300-Ubuntu-VPN12, open the Chrome browser and browse to
https://welcome.umbrella.com.

Note: At this stage, you may encounter a certificate error message; this is because the old
certificate for the DST CA has expired, and Windows updates on this VM are disabled. Ignore the
certificate error message and continue to welcome.umbrella.com.

3. On Site300-Ubuntu-VPN12, browse to www.facebook.com, www.instagram.com and
www.cnn.com; all these websites will be blocked as they belong to blocked URL
categories.

4. On Site300-Ubuntu-VPN12, browse to www.4shared.com and www.netflix.com; these
websites will be blocked, as these applications are blocked by our policy.

5. On Site300-Ubuntu-VPN12, in the Chrome address bar, browse to
www.tekdefense.com/downloads/malware-samples/

6. From this page try to download a malware file; the download will fail as we have blocked
the download of malware files.
7. Go back to the Umbrella dashboard and navigate to Reporting => Activity Search.
8. Filter based on Blocked Responses on the left side panel.
9. Look for the log which points to facebook, and View Full Details of the log.

This completes the verification tasks for Umbrella DNS Redirection.

Umbrella SIG Integration

Cisco Catalyst SD-WAN edge devices support SD-WAN, routing, security, and other LAN
access features that can be managed centrally. On high-end devices, you can enable all these
features while providing the scale and performance required by large enterprises. However, on
lower-end devices, enabling all the security features simultaneously can degrade performance.
To avoid the performance degradation, integrate lower-end devices with Secure Internet
Gateways (SIG) that do most of the processing to secure enterprise traffic. When you integrate
a Cisco Catalyst SD-WAN edge device with a SIG, all client internet traffic, based on routing or
policy, is forwarded to the SIG. In addition, the SIG can also protect roaming users, mobile
users, and BYOD users.

Lab Environment Prep work:
1. From the Cisco SD-WAN Manager Menu, navigate to Configuration => Policy Group.
Click on Data_Policy_DIA_AAR, remove DNS_SEC_POL from the DNS Security dropdown and
DIA from the Application Priority dropdown. Click on Save.

Configure SIG Credentials

1. Open the Chrome browser on the Jumphost.

2. Click on the bookmark which reads Umbrella SSO; this will log you into Cisco
Umbrella.

3. Navigate to Admin => API Keys => Legacy Keys => Umbrella Management and click
+ Generate Token (if a key is already created, delete the key and click on + Generate
Token).

4. Open Notepad on the Jumphost and copy the Key and Secret to Notepad. From the
Umbrella URL, copy the 6-7 digit number to Notepad as the Org ID.

Configure SIG Policy Group in vManage:

1. On vManage, navigate to Configuration >> Policy Groups >> Secure Internet
Gateway.

2. Click on Add Secure Internet Gateway. On the pop-up window, enter the name as
Umbrella_SIG and the description as SIG_Policy. Click Create.

3. Ensure the SIG Provider is selected as Umbrella. Click on “Click here to add Umbrella
credentials”.

4. From Notepad, copy the Organization ID, Registration Key and Secret to this dialog
box, and click Add.

5. Under Configuration >> Tunnel, click on Add Tunnel. Enter the values listed below
and click Add.

   Field                         Value
   Interface Name                ipsec1
   Tunnel Source Interface       GigabitEthernet1
   Data Center                   Primary
   Advanced Options >> TCP MSS   1300

6. Click on Add Tunnel again to add the secondary IPsec tunnel, enter the values listed below
and click Add.

   Field                         Value
   Interface Name                ipsec2
   Tunnel Source Interface       GigabitEthernet1
   Data Center                   Secondary
   Advanced Options >> TCP MSS   1300

7. Navigate to the High Availability tab and click on Add Interface Pair. On the pop-up
window choose ipsec1 as the Active interface and ipsec2 as the Backup interface. Click
Add.

8. Navigate to the Tracker tab and provide the Source IP address as 10.2.6.2, then click Save.

9. Navigate to the Policy Group tab. Click on Data_Policy_DIA_AAR. Under Secure
Internet Gateway choose Umbrella_SIG and click Save >> Deploy.

10. Go through the policy deployment workflow to complete the policy push.

Add Service Route to VPN 12

1. Navigate to Configuration >> Configuration Groups => edit the East_Coast_BR1
Configuration Group.
2. Under East_Coast_BR1_LAN, edit the Guest LAN VPN feature. Navigate to the Service Route
tab and click Add Service Route.
3. Enter the Network Address and Subnet Mask as 0.0.0.0/0, choose Service as SIG and
click Add.

4. Click on Save. Scroll up and go to the Associated Devices tab. Select Site_300 and
click Deploy. Complete the deployment workflow to push the configuration to
Site300-cE1.

Create Policies in Umbrella

1. On the Jumphost, open Chrome and use the bookmark Umbrella SSO to login to the
Umbrella Cloud.

2. Go to Deployment => Core Identities => Network Tunnels and verify that the Site300
tunnels are in the Established state (it can take about 20 minutes for the tunnels to show in
the Active state); you may continue with the next steps and check the tunnel status after some
time.

3. Navigate to Policies >> Management >> Firewall Policy. Click on + Add on the top right
side and create a new rule to deny ICMP traffic, filling in the values based on the
following table:

   Field          Value
   Rule Name      ICMP_Deny
   Priority       Last Before Default
   Description    Deny ICMP Traffic
   Rule Action    Block
   Protocol       ICMP
   Logging        Logging Enabled

   Click on Save.

4. Navigate to Policies => Management => Web Policy and click + Add on the top right side.

5. Click Edit followed by Save to configure the Ruleset Settings based on the following table:

   Field                Value
   Ruleset Name         Site300_Web_Policy
   Ruleset Identities   Select Tunnels
   File Type Control    Block PDF
   HTTPS Inspection     Enable HTTPS Inspection

   Click Close.

Activity Verification

1. In the POC tool, open the console of Site300-Ubuntu-VPN12. Login with password: viptela.

2. Open Firefox and visit the URL welcome.umbrella.com; this should confirm that your
traffic is now passing through the Umbrella SIG Cloud.

3. Open Firefox and type tekdefense.

4. Click the link Downloads > Malware Samples – TekDefense from the search results.

5. Try to download a few malware files smaller than 10 MB; note that the downloads are
blocked, as these are sample malware files.

6. Open Chromium and try to download a sample PDF using the link
https://www.africau.edu/images/default/sample.pdf or by clicking on the bookmark
“Sample PDF”. This is a test PDF document; the download will be blocked, as we
have blocked the download of PDF files.

7. On Site300-Ubuntu-VPN12, open Terminal and try to ping www.cisco.com. Note that
the ping will fail because of the firewall policy we created.

8. Back on the Umbrella portal on the Jumphost, navigate to Reporting > Core Reports >
Activity Search.

9. Check the box which reads Blocked, view the full details of the blocked activity, and notice
that this is as per our configured policy.

This completes the verification tasks for Umbrella SIG Tunnel Configuration & Testing.