Configure Strict Hub and Spoke Topology
Task: Configure the topology to work as a strict hub-and-spoke network with three VPNs, each carrying its own subnet:
- VPN 10: Corp-VPN
- VPN 20: Sec-PCIVPN
- VPN 40: Guest-VPN
The topology should work as follows:
- VPN 10: All branch VPN 10 traffic must go to the DC and then on to the destination branch; VPN 10 traffic must not go directly branch to branch. Every DC must send a default route to each branch for outside traffic.
- VPN 20: Each branch must have VPN 20 routes for the other branches with next hop DC-TLOC.
- VPN 40: No direct branch-to-branch communication in any VPN; this VPN should carry only a default route, used to reach the Internet.
For VPN 10: Branch routes are advertised to the DC but not to other branches. The DC advertises a default route to each branch, so when a branch wants to talk to another branch it sends the traffic to the DC via the default route, and the DC then routes the traffic on to the remote branch.
For VPN 20: Each branch advertises its VPN 20 routes to vSmart, and vSmart re-advertises them with the next hop set to DC-TLOC. For branch-to-branch communication in VPN 20 the branch therefore sends traffic to the DC, and the DC routes it to the remote branch.
For VPN 40: There is no communication between branches, so route exchange between them is restricted, and only a default route is advertised in VPN 40 for direct Internet access.
Before configuring the hub-and-spoke topology, let's verify that all branches can reach the other branches directly over VPN 10 and VPN 20 through the IPsec tunnels.
vManage | Monitor | Network | Select BR2-VEDGE1 | Tunnel
This shows that BR2-VEDGE1 has a full mesh of IPsec tunnels to all other branch and DC sites.
Select Troubleshooting | Ping | under the Connectivity section
Select Destination IP: 10.3.0.21 (Branch 1), VPN 10 and a Source Interface in VPN 10 | Start
Repeat the same check for VPN 20.
For VPN 10, select Trace Route | Destination IP 10.4.0.21 | VPN 10 | Select Source Interface | Start
Now create the lists (groups of interest) for all components: DC sites, branch sites, DC TLOCs and the data-prefix group.
vManage | Configuration | Policies | Centralized Policy | Add Policy
Data-Prefix Group: contains all RFC1918 prefixes and all other prefixes known in this topology.
Site Group: contains the All-Branches list and the All-DC-hub list of site IDs.
DC-TLOC: contains all TLOCs of the two DC vEdge devices.
VPN-Group: contains the VPN lists for VPN 10 (Corp-VPN), VPN 20 (Sec-PCIVPN) and VPN 40 (Guest-VPN).
Click Next to move to the Configure Topology and VPN Membership section. Here we configure a Custom Control topology, which allows OMP routes and TLOC routes to be manipulated on vSmart.
Click on Add topology | Custom Control (Route & TLOC)
Name: dclessons-con-Multi-topology | Select Sequence Type | TLOC
Name Sequence Type: AllowAllDCTLOC | Match Site List: All-DC-hub | Action | Accept | Save Match & Action
Name Sequence Type: Reject all-TLOC | Action | Reject | Save Match & Action
Name Sequence Type: Route-VPN10 | Match Site List: All-branches, VPN-List: corp-VPN | Action Reject | Save Match & Action
Name Sequence Type: VPN20NextHOP | Match Site List: All-branches, VPN-List: Sec-pciVPN | Action Accept | Set TLOC DC-TLOCS | Save Match & Action
Name Sequence Type: DefaultAction | Action Accept | Save Match & Action
Click on Save Control Policy
Click on VPN Membership to limit the scope of the rules that were just created in the topology configuration to specific VPNs at the branches.
VPN Membership | Add VPN Membership Policy | Name VPN10-VPN20 | Site List All-Branches | VPN List corp-VPN, Sec-pciVPN | Save
Click Next to go to the Configure Traffic Rules section. This section allows you to create policies that manipulate data or application-specific traffic. Here we configure a single traffic data rule, later applied to VPN 40, which blocks access from VPN 40 to the matched prefixes.
Select Traffic Data | Add policy | Create New | DenyAllPrivateSubnet-1918 | Sequence type | Application Firewall | Deny1918Prefixes
Name Sequence Type: DenyVPN40 | Match All-Prefixes | Action Drop
Select Sequence Type: Default Action | Action Accept
Click on Save Data Policy | Select Next to go to Apply Policy to Sites & VPN | Name dclessons-con-multitopology
Select | Topology | Outbound Site List All-Branches | Add
Select | Traffic Data | New Site List & VPN List | From Service | Site List All-Branches | VPN-List Guest-VPN | Add
This associates the data policy just created with VPN 40: as soon as Traffic Data is selected you will see Deny1918Prefixes under this option, and it now needs to be assigned to a site list and a VPN list.
Click on Save Policy.
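To make the effect of the three pieces configured above (the control policy sequences, the VPN membership policy and the VPN 40 data policy) concrete, here is an added Python model of how vSmart evaluates them for one branch. It is example code written for this walkthrough, not anything generated by vManage or shipped with the lab; the list and sequence names come from the steps above, while the site IDs, TLOC addresses and prefixes are constructed assumptions. It also covers the design described in the VPN 10 / VPN 20 / VPN 40 paragraphs at the top: which routes a branch ends up with, and which next hop it uses towards another branch.

```python
"""Constructed model of what vSmart advertises to a branch once the lab's
centralized policy (control policy dclessons-con-Multi-topology, VPN
membership policy VPN10-VPN20 and data policy Deny1918Prefixes) is active.
Site IDs, TLOC addresses and prefixes are assumptions for illustration only."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed lists: the names come from the lab, the members are assumptions.
ALL_DC_HUB = {1}
ALL_BRANCHES = {2, 3, 4}
VPN_LISTS = {"corp-VPN": {10}, "Sec-pciVPN": {20}, "Guest-VPN": {40}}
DC_TLOCS = ["10.1.0.1:mpls", "10.1.0.2:mpls"]   # one TLOC per DC vEdge (assumed)
VPN10_VPN20_MEMBERSHIP = VPN_LISTS["corp-VPN"] | VPN_LISTS["Sec-pciVPN"]
ALL_PREFIXES = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class OmpRoute:
    prefix: str
    vpn: int
    origin_site: int
    tloc: str            # next hop as advertised


@dataclass(frozen=True)
class Tloc:
    tloc: str
    origin_site: int


def control_policy(adv, to_site):
    """Apply the control policy outbound to one site. Sequences are checked in
    order and the first match wins; the result is the list of advertisements
    the site receives (empty = rejected, several = one per TLOC that was set)."""
    if to_site not in ALL_BRANCHES:
        return [adv]                      # policy is applied outbound to All-Branches only
    if isinstance(adv, Tloc):
        if adv.origin_site in ALL_DC_HUB: # AllowAllDCTLOC
            return [adv]
        return []                         # Reject all-TLOC: no branch TLOC reaches a branch
    if adv.vpn not in VPN10_VPN20_MEMBERSHIP:
        return []                         # VPN membership VPN10-VPN20: VPN 40 routes are never sent
    if adv.origin_site in ALL_BRANCHES and adv.vpn in VPN_LISTS["corp-VPN"]:
        return []                         # Route-VPN10: branch corp-VPN routes are not re-advertised
    if adv.origin_site in ALL_BRANCHES and adv.vpn in VPN_LISTS["Sec-pciVPN"]:
        return [replace(adv, tloc=t) for t in DC_TLOCS]   # VPN20NextHOP: set TLOC DC-TLOCS
    return [adv]                          # DefaultAction accept


def data_policy_vpn40(vpn, dst_ip):
    """Deny1918Prefixes, applied from-service on All-Branches for Guest-VPN:
    DenyVPN40 drops anything towards All-Prefixes, the default action accepts."""
    if vpn not in VPN_LISTS["Guest-VPN"]:
        return "accept"                   # policy is bound to the Guest-VPN list only
    if any(ip_address(dst_ip) in net for net in ALL_PREFIXES):
        return "drop"
    return "accept"


def branch_view(to_site, advertisements):
    """Everything a site receives from vSmart after the policy is applied."""
    return [out for adv in advertisements for out in control_policy(adv, to_site)]


def next_hops(view, vpn, dst_ip):
    """Longest-prefix match in one VPN; returns the TLOCs the branch would use."""
    best = None
    for r in view:
        if not isinstance(r, OmpRoute) or r.vpn != vpn:
            continue
        net = ip_network(r.prefix)
        if ip_address(dst_ip) in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    if best is None:
        return []
    return sorted({r.tloc for r in view
                   if isinstance(r, OmpRoute) and r.vpn == vpn and r.prefix == str(best)})


# Constructed OMP table as vSmart would hold it before applying the policy.
ADVERTISEMENTS = [
    Tloc("10.1.0.1:mpls", 1), Tloc("10.1.0.2:mpls", 1),   # DC TLOCs
    Tloc("10.3.0.1:mpls", 3), Tloc("10.4.0.1:mpls", 4),   # branch TLOCs
    OmpRoute("0.0.0.0/0", 10, 1, "10.1.0.1:mpls"),       # DC default route, VPN 10
    OmpRoute("0.0.0.0/0", 20, 1, "10.1.0.1:mpls"),       # DC default route, VPN 20
    OmpRoute("10.3.0.0/24", 10, 3, "10.3.0.1:mpls"),     # Branch 1 LAN, VPN 10
    OmpRoute("10.3.0.0/24", 20, 3, "10.3.0.1:mpls"),     # Branch 1 LAN, VPN 20
    OmpRoute("10.3.40.0/24", 40, 3, "10.3.0.1:mpls"),    # Branch 1 guest LAN, VPN 40
]

if __name__ == "__main__":
    br2 = branch_view(2, ADVERTISEMENTS)
    print("VPN 10 to 10.3.0.21:", next_hops(br2, 10, "10.3.0.21"))   # DC TLOC via default route
    print("VPN 20 to 10.3.0.21:", next_hops(br2, 20, "10.3.0.21"))   # /24 kept, next hop DC TLOCs
    print("VPN 40 to 10.3.0.21:", next_hops(br2, 40, "10.3.0.21"))   # no route at all
    print("VPN 40 data policy :", data_policy_vpn40(40, "10.3.0.21"),
          data_policy_vpn40(40, "198.51.100.7"))
```

Running it for BR2 (site 2) reproduces the test results expected later in the lab: in VPN 10 the only route covering Branch 1 is the DC default route, in VPN 20 the Branch 1 prefix survives but with the DC TLOCs as next hop, and in VPN 40 there is no route to the other branch at all, while the data policy drops anything VPN 40 sends towards a private prefix and lets Internet-bound traffic through. Because the policy is applied outbound only to All-Branches, the DC sites still receive every branch route and TLOC unchanged, which is what lets the DC forward the hairpinned traffic.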
Policy Activation & Testing:
Navigate to Configuration | Policies | Select your newly created policy: dclessons-con-multitopology | Three Dots | Click Activate
vManage | Monitor | Network | BR2-VEDGE1 | Troubleshooting | Traceroute | From BR2 to BR1
Destination IP 10.3.0.21 (Branch 1) | VPN 10 | Source Interface for VPN 10 | Start
You will see that inter-branch traffic in VPN 10 now traverses the DC.
Check the same for VPN 20.