Multi-Topology Per VPN

Posted on Jan 27, 2020

Task: Configure the topology to meet the following requirements:

  • VPN 10: Full mesh (any branch can reach any other branch directly)
  • VPN 20: Hub and spoke; traffic from any branch in this VPN must go to the DC and then to the destination branch
  • VPN 40: Must have Direct Internet Access only and must not reach any host in any branch

Use the following steps to configure the scenario above.



Before configuring the template, verify the current connectivity.

Go to vManage | Monitor | Network | BR2-VEDGE1 | Troubleshooting | Traceroute

Enter as Destination | VPN 10 | Source Interface in VPN 10

The above output shows that there is a direct path between Branch 1 and Branch 2 in VPN 10.

The same can be verified for VPN 20.

To configure the template, go to Configuration | Policies | Centralized Policy | Add Policy. This opens the Create Groups of Interest step; the groups have already been configured, so just click Next to reach the Configure Topology and VPN Membership section.

Click on Topology | Name it dclessons-MultitopologyperVPN | Add Topology | Select Sequence Type | Route

Name Sequence | Route-4-VPN10 | Match VPN-List Corp-VPN | Action Accept | Save Match & Action

Click on Sequence type Route | Name Route-4-VPN20 | Match | VPN-List Sec-pci-VPN, Site-List All-Branches | Action Accept, Set TLOC DC-TLOCs | Save Match & Action

Select Default Action: Accept | Save Control Policy

Click on VPN Membership | Add VPN Membership Policy | Name BlockGuestWifiTraffic-vpn40

Select Site-List: All-Branches | VPN-List Corp-VPN, Secpci-VPN | Save

Click Next to move on to configuring the traffic rule policy:

Name Block1918Prefixes | Sequence Type: Application Firewall, Name Block1918Prefixes | Destination Data Prefix: All-Prefixes | Action Drop

Default Action: Accept

Save Data Policy and click Next to go to Configure Topology & VPN Membership

Configure Topology & VPN Membership | Name Multi-Topology-Per-VPN-Policy, Select Topology | New Site List | Direction out | Site-List: All-Branches

Select Traffic Data | under Block1918Prefixes Select New Site list & VPN list | Site-List: All-Branches | VPN List: Guest-VPN | Save Policy

Go to Configuration | Centralized Policy | Select the Policy just created | Activate
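
As an added illustration (not part of the original lab or vManage's own output), the policy assembled in the steps above corresponds roughly to the following vSmart CLI policy, which is the form to review before activating. Assumptions: the lists named on the page already exist, the list written as both Sec-pci-VPN and Secpci-VPN is spelled one way here, and the sequence numbers, the `default-action reject` on the VPN membership and the `from-service` direction are not stated on the page. Lines starting with `!` are annotations.

```text
! Constructed rendering; the lists (Corp-VPN, Sec-pci-VPN, Guest-VPN,
! All-Branches, DC-TLOCs, All-Prefixes) are assumed to exist already.
policy
 control-policy dclessons-MultitopologyperVPN
  sequence 1
   ! Route-4-VPN10: routes accepted unchanged, so VPN 10 stays full mesh
   match route
    vpn-list Corp-VPN
   action accept
  sequence 11
   ! Route-4-VPN20: next hop rewritten to the DC TLOCs (hub and spoke)
   match route
    vpn-list Sec-pci-VPN
    site-list All-Branches
   action accept
    set
     tloc-list DC-TLOCs
  default-action accept
 vpn-membership BlockGuestWifiTraffic-vpn40
  sequence 10
   match
    vpn-list Corp-VPN
   action accept
  sequence 20
   match
    vpn-list Sec-pci-VPN
   action accept
  ! Assumed: any VPN not listed above is rejected
  default-action reject
 data-policy Block1918Prefixes
  vpn-list Guest-VPN
   sequence 1
    ! Drop traffic whose destination falls in All-Prefixes
    match
     destination-data-prefix-list All-Prefixes
    action drop
   ! All other destinations are forwarded
   default-action accept
apply-policy
 site-list All-Branches
  control-policy dclessons-MultitopologyperVPN out
  ! Assumed direction; the page does not state one
  data-policy Block1918Prefixes from-service
  vpn-membership BlockGuestWifiTraffic-vpn40
```

Sequence order matters because the first matching sequence decides the action; the `default-action` lines are where unintended reachability usually hides, so check them against the three requirements in the task.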

Once the policy is activated, go to Monitor | Network | BR2-VEDGE1 | Troubleshooting | Traceroute

Enter the details as shown in the figure below and start the traceroute; for VPN 10 you will see that there is a direct path between Branch 1 and Branch 2.

Do the same for VPN 20 as shown in the figure below; traffic from Branch 1 to Branch 2 now goes through the DC.

