*************************************************************
0. Pre-requisites
*************************************************************

1. Controller Onboarding
2. Underlay Networking (MPLS & Internet)
3. WAN Edge Onboarding
4. VPN 0 & VPN 512 for the WAN Edges (DXB-vEdge-1), (LON-vEdge-2) & (LA-cEdge-3)

*************************************************************
Lab # 1 - Creating the Service VPNs - London
*************************************************************

===================================
1. Create the feature Templates
===================================

+++++++++++++++++++++++++++++++++++++++++++
VPN Templates - Common for Dubai & London
+++++++++++++++++++++++++++++++++++++++++++

Name: VE-VPN-10
ID: 10

Name: VE-VPN-20
ID: 20

+++++++++++++++++++++++++++++++++++++++++++
VPN Interface Templates
+++++++++++++++++++++++++++++++++++++++++++

Name: VE-VPNINT-G2-LON
Shutdown: Global -> No Shut
Interface: ge0/2
Static: Global -> 172.16.102.2/24

Name: VE-VPNINT-G3-LON
Shutdown: Global -> No Shut
Interface: ge0/3
Static: Global -> 10.10.102.2/24

+++++++++++++++++++++++++++++++++++++++++++
OSPF Templates
+++++++++++++++++++++++++++++++++++++++++++

Name: VE-OSPF-10-LON
Redistribute: Global -> OMP
Area: 0
Interface: ge0/2

Name: VE-OSPF-20-LON
Redistribute: Global -> OMP
Area: 0
Interface: ge0/3

*************************************************************
Lab # 2 - Re-configuring Device Template for London
*************************************************************

=====================================================
1. Edit the VE-DEV-TEMP-LON to add the service VPN
=====================================================

Service VPNs:
-------------

+++++++++++++
VE-VPN-10
+++++++++++++
VE-VPNINT-G2-LON
VE-OSPF-10-LON

+++++++++++++
VE-VPN-20
+++++++++++++
VE-VPNINT-G3-LON
VE-OSPF-20-LON

*************************************************************
Lab # 3 - Creating the Service VPNs - Dubai
*************************************************************

===================================
1. Create the feature Templates
===================================

+++++++++++++++++++++++++++++++++++++++++++
VPN Interface - Physical Template - DUBAI
+++++++++++++++++++++++++++++++++++++++++++

Name: VE-VPNINT-G2-DXB
Shutdown: Global -> No Shut
Interface: ge0/2
Note: Applied to VPN 0

+++++++++++++++++++++++++++++++++++++++++++
VPN Sub-Interface Templates
+++++++++++++++++++++++++++++++++++++++++++

Name: VE-VPNINT-G2.10-DXB
Shutdown: Global -> No Shut
Interface: ge0/2.10
Static: Global -> 172.16.101.1/24
MTU: 1496

Name: VE-VPNINT-G2.20-DXB
Shutdown: Global -> No Shut
Interface: ge0/2.20
Static: Global -> 10.10.101.1/24
MTU: 1496

+++++++++++++++++++++++++++++++++++++++++++
OSPF Templates
+++++++++++++++++++++++++++++++++++++++++++

Name: VE-OSPF-10-DXB
Redistribute: Global -> OMP
Area: 0
Interface: ge0/2.10

Name: VE-OSPF-20-DXB
Redistribute: Global -> OMP
Area: 0
Interface: ge0/2.20

*************************************************************
Lab # 4 - Re-configuring Device Template for Dubai
*************************************************************

=====================================================
1. Edit the VE-DEV-TEMP-DXB to add the service VPN
=====================================================

Service VPNs:
-------------

+++++++++++++
VE-VPN-10
+++++++++++++
VE-VPNINT-G2.10-DXB
VE-OSPF-10-DXB

+++++++++++++
VE-VPN-20
+++++++++++++
VE-VPNINT-G2.20-DXB
VE-OSPF-20-DXB

*************************************************************
Lab # 5 - Configure the Internal Switch (SW1) for Dubai
*************************************************************

=================================================================
1. Configure the Link on the switch towards the vEdge as a Trunk
=================================================================

Interface E 0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk

=============================================================================
2. Configure the Links towards the internal routers in the appropriate VLANs
=============================================================================

vlan 10,20
!
Interface E 0/1
 switchport mode access
 switchport access vlan 10
!
Interface E 0/2
 switchport mode access
 switchport access vlan 20

*************************************************************
Lab # 6 - Creating the Service VPNs - LA
*************************************************************

===================================
1. Create the feature Templates
===================================

+++++++++++++++++++++++++++++++++++++++++++
VPN Templates - LA
+++++++++++++++++++++++++++++++++++++++++++

Name: CE-VPN-10
ID: 10

Name: CE-VPN-20
ID: 20

+++++++++++++++++++++++++++++++++++++++++++
VPN Interface - Physical Template - LA
+++++++++++++++++++++++++++++++++++++++++++

Name: CE-VPNINT-G3-LA
Shutdown: Global -> No Shut
Interface: GigabitEthernet3
Note: Applied to VPN 0

+++++++++++++++++++++++++++++++++++++++++++
VPN Sub-Interface Templates
+++++++++++++++++++++++++++++++++++++++++++

Name: CE-VPNINT-G3.10-LA
Shutdown: Global -> No Shut
Interface: GigabitEthernet3.10
Static: Global -> 172.16.103.3/24
MTU: 1496

Name: CE-VPNINT-G3.20-LA
Shutdown: Global -> No Shut
Interface: GigabitEthernet3.20
Static: Global -> 10.10.103.3/24
MTU: 1496

+++++++++++++++++++++++++++++++++++++++++++
OSPF Templates
+++++++++++++++++++++++++++++++++++++++++++

Name: CE-OSPF-10-LA
Redistribute: Global -> OMP
Area: 0
Interface: GigabitEthernet3.10

Name: CE-OSPF-20-LA
Redistribute: Global -> OMP
Area: 0
Interface: GigabitEthernet3.20

*************************************************************
Lab # 7 - Re-configuring Device Template for LA
*************************************************************

=====================================================
1. Edit the CE-DEV-TEMP-LA to add the service VPN
=====================================================

Service VPNs:
-------------

+++++++++++++
CE-VPN-10
+++++++++++++
CE-VPNINT-G3.10-LA
CE-OSPF-10-LA

+++++++++++++
CE-VPN-20
+++++++++++++
CE-VPNINT-G3.20-LA
CE-OSPF-20-LA

*************************************************************
Lab # 8 - Configure the Internal Switch (SW3) for LA
*************************************************************

=================================================================
1. Configure the Link on the switch towards the vEdge as a Trunk
=================================================================

Interface E 0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk

=============================================================================
2. Configure the Links towards the internal routers in the appropriate VLANs
=============================================================================

vlan 10,20
!
Interface E 0/1
 switchport mode access
 switchport access vlan 10
!
Interface E 0/2
 switchport mode access
 switchport access vlan 20

*************************************************************
Lab # 9 - Configure Route Leaking between VPN 10 & 20
*************************************************************

=================================================================
1. Configure the vSmart in a Template
=================================================================

-> Execute the Show Run command on the vSmart device.
-> Highlight and copy the config.
-> Create a Device Template for vSmart using a CLI Template.
-> Paste the copied config.
-> Attach the vSmart to this template.

=================================================================
2. Configure the Appropriate Lists
=================================================================

VPN List:
------------
Name: VPN-10
ID: 10

Name: VPN-20
ID: 20

Site List:
------------
Name: DUBAI
ID: 1

Name: LONDON
ID: 2

Name: LA
ID: 3

Prefix List:
------------
Name: PL-VPN-10
Prefix: 172.16.0.0/16 le 32

Name: PL-VPN-20
Prefix: 10.10.0.0/16 le 32

=================================================================
3. Create a Topology Policy
=================================================================

Custom Control Topology Policy
-----------------------------------
Name: ROUTE-LEAKING-10-20
Description: ROUTE-LEAKING-10-20

Route Policy # 1
---------------------
Condition:
   VPN ID: VPN-10
   Prefix: PL-VPN-10
Action:
   Export To: VPN-20

Route Policy # 2
---------------------
Condition:
   VPN ID: VPN-20
   Prefix: PL-VPN-20
Action:
   Export To: VPN-10

Default
---------------------
Action: Accept

=================================================================
4. Create the Centralized Policy
=================================================================

Name: CENTRAL-POLICY
Topology Policy: Import the ROUTE-LEAKING-10-20 policy created in the previous step

Apply the policy to incoming routes from the 3 Sites:
-------------------------------------------------------
Site List: DUBAI, LONDON & LA

-> Activate the policy
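
An added example, not part of the original lab: a small Python model of the ROUTE-LEAKING-10-20 policy from Lab 9 that shows which routes cross the boundary between VPN 10 and VPN 20. It assumes sequences are evaluated first-match and that an exported route also stays in its own VPN; the function names and the sample routes are constructed for illustration.

```python
import ipaddress

# Lists from Lab 9 step 2; each prefix-list entry is (network, le).
PREFIX_LISTS = {"PL-VPN-10": [("172.16.0.0/16", 32)],
                "PL-VPN-20": [("10.10.0.0/16", 32)]}
VPN_LISTS = {"VPN-10": {10}, "VPN-20": {20}}

# ROUTE-LEAKING-10-20 sequences in order: (VPN list, prefix list, export-to).
SEQUENCES = [("VPN-10", "PL-VPN-10", "VPN-20"),
             ("VPN-20", "PL-VPN-20", "VPN-10")]

# Constructed sample routes as (VPN, prefix); the last three are hypothetical
# routes that are not part of the lab topology.
SAMPLE_ROUTES = [(10, "172.16.102.0/24"), (20, "10.10.101.0/24"),
                 (10, "192.168.50.0/24"), (10, "10.10.101.0/24"),
                 (20, "172.16.103.0/24")]


def in_prefix_list(route, name):
    """True if the route lies inside an entry and its length is within 'le'."""
    net = ipaddress.ip_network(route)
    for entry, le in PREFIX_LISTS[name]:
        if net.subnet_of(ipaddress.ip_network(entry)) and net.prefixlen <= le:
            return True
    return False


def vpns_after_policy(vpn, route):
    """VPNs that hold the route once the control policy has been applied.

    The first matching sequence wins. A route that matches no sequence hits
    the default action (Accept) and stays in its original VPN only.
    """
    for vpn_list, prefix_list, export_to in SEQUENCES:
        if vpn in VPN_LISTS[vpn_list] and in_prefix_list(route, prefix_list):
            return {vpn} | VPN_LISTS[export_to]
    return {vpn}


def leaked(routes):
    """Routes that become visible outside the VPN they were learned in."""
    return [(v, p) for v, p in routes if vpns_after_policy(v, p) != {v}]


if __name__ == "__main__":
    for vpn, prefix in leaked(SAMPLE_ROUTES):
        print(f"VPN {vpn} {prefix} -> {sorted(vpns_after_policy(vpn, prefix))}")
```

Only routes that match both the VPN list and that VPN's own prefix list are exported, so the two /16 prefix lists define exactly what crosses the segmentation boundary; anything else in either VPN stays isolated.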