
Build a Basic Overlay Network

Let’s use a simple network design, one that has two vEdge routers and one vSmart controller, to illustrate how to form a functioning overlay network from Viptela components. In this topology, the vBond orchestrator software has been enabled on one of the vEdge routers. Once you understand a simple network, you can start designing and building more complex topologies.

A Simple Network Topology

The figure below illustrates our simple topology. Here, we have two sites, Site-100 and Site-200. vEdge-1 is the edge device in Site-100, and vEdge-2 is the edge device at Site-200. At each local site, the vEdge router connects to an existing traditional router via a standard Ethernet interface. vEdge-2 is connected to the transport network through a NAT device that also has firewall functionality.

[Figure: the two-site topology described above, with vEdge-1 at Site-100, vEdge-2 at Site-200 behind a NAT/firewall device, and the vSmart controller reachable across the transport network]

The goal of our design is to create a private network so that Router-1 and Router-2 can be adjacent to each other from a Layer 3 perspective and so that hosts connected to each of these routers can communicate through the private network.

Construct a Basic Network

The following steps allow you to create the simple overlay network depicted in the topology above.

  • Step 1: Perform initial bringup and basic configuration.
  • Step 2: Enable host or service-side interfaces and routing.
  • Step 3: Enable overlay routing over OMP.
  • Step 4: Check the automatic setup of the IPsec data plane.
  • Step 5: Enforce policies.

Let’s look at the steps in a bit more detail.

Step 1: Perform Initial Bringup and Basic Configuration

From the perspective of a network administrator, the initial bringup of the Viptela network components is a straightforward and simple process, involving creating the configurations for each of the network components and ensuring that a few key authentication-related files are in place. From the perspective of a user, bringup entails simply powering up the vEdge router and plugging in a cable to connect the router to the network. The remainder of the bringup occurs automatically via a zero-touch-provisioning process.

The network administrator performs the following tasks as part of the initial bringup:

  1. Configure the vBond orchestrator function on one of the vEdge routers in the network. In our example, this is vEdge-1.
  2. Optionally, configure a top-level vBond orchestrator to act as a ZTP server. In this situation, a DNS server must be present in the enterprise network.
  3. Ensure that a DHCP server is present in the enterprise network.
  4. Install the signed certificate on the vManage NMS, and download that certificate to the vBond orchestrator.
  5. Install the vEdge router authorized serial number file on the vManage NMS, and then download it to the vSmart controllers.
  6. From the vManage CLI, create a configuration for each vSmart controller and vEdge router in the overlay network:
    1. Configure a system IP address, which is similar to the router ID address on a traditional router, identifying the Viptela device with an address that is independent of any of the interfaces on the device. System IP addresses must be pre-allocated and must be unique across each vEdge router and vSmart controller. These addresses need not be routable through the network.
    2. Configure site IDs for the various sites in the overlay network. In our example, vEdge-1 is at site-100 and vEdge-2 is at site-200. The vSmart controller can be collocated at a site, or it can be in its own site.
    3. Configure domain IDs. This is an optional step to create clusters. For our example, configure the domain-ID as 1.
    4. Configure the IP address or DNS name for the vBond server and the vSmart controller.
    5. Configure WAN interfaces on vEdge-1 and vEdge-2. VPN 0 is the VPN reserved for WAN transport interfaces. IP addresses can be automatically obtained through DHCP. Alternatively, you can configure a default gateway and DNS explicitly.
    6. By default, DTLS and IPsec are enabled on the WAN interfaces.
    7. Save the configuration.

When the vSmart controllers join the network, they are authenticated by the vBond orchestrator, and when vEdge routers join the network, they are authenticated by both the vBond orchestrator and the vSmart controllers. These devices then connect to the vManage NMS, which downloads the configuration to them.

Example Configuration on vEdge-1:

system
  host-name vEdge-1
  system-ip 1.0.0.1
  domain-id 1
  site-id   100
  vbond 75.1.1.1  local
!
vpn 0
  interface ge 0/0
    ip address 75.1.1.1/24
    tunnel-interface
      color default
    no shutdown
  ip route 0.0.0.0/0 75.1.1.254
!
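
As an added example that is not part of the original article or of Viptela's own tooling, the following Python script lints a set of device configurations written in the style above against two requirements from Step 1: system IPs must be unique across vEdge routers and vSmart controllers, and WAN interfaces in VPN 0 should carry a tunnel-interface. The two device configurations embedded in it are constructed for the example (vEdge-2 is deliberately misconfigured).

```python
"""Added example, not Viptela/Cisco code: lint configs in the indented, '!'-terminated
style above for duplicate system IPs and VPN 0 interfaces lacking tunnel-interface."""
# Constructed samples; vEdge-2 deliberately reuses vEdge-1's system-ip and omits tunnel-interface.
CONFIGS = {
    "vEdge-1": "system\n  host-name vEdge-1\n  system-ip 1.0.0.1\n  site-id   100\n  vbond 75.1.1.1 local\n!\n"
               "vpn 0\n  interface ge 0/0\n    ip address 75.1.1.1/24\n    tunnel-interface\n      color default\n"
               "    no shutdown\n  ip route 0.0.0.0/0 75.1.1.254\n!\n",
    "vEdge-2": "system\n  host-name vEdge-2\n  system-ip 1.0.0.1\n  site-id 200\n  vbond 75.1.1.1\n!\n"
               "vpn 0\n  interface ge 0/1\n    ip address 75.2.2.2/24\n    no shutdown\n!\n",
}

def statements(text):
    """Yield (parents, statement) per line; indentation alone gives the nesting."""
    stack = []  # (indent, statement) of the currently open parent blocks
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue  # blank lines and '!' block terminators carry no statement
        indent = len(raw) - len(raw.lstrip())
        stmt = " ".join(raw.split())  # collapse runs of spaces, e.g. 'site-id   100'
        while stack and stack[-1][0] >= indent:
            stack.pop()
        yield [s for _, s in stack], stmt
        stack.append((indent, stmt))

def summarize(text):
    """Return system-ip, site-id and, per VPN 0 interface, whether it is a tunnel."""
    info = {"system-ip": None, "site-id": None, "vpn0_interfaces": {}}
    for parents, stmt in statements(text):
        key, _, val = stmt.partition(" ")
        if parents == ["system"] and key in ("system-ip", "site-id"):
            info[key] = val
        elif parents == ["vpn 0"] and key == "interface":
            info["vpn0_interfaces"].setdefault(val, False)
        elif len(parents) >= 2 and parents[0] == "vpn 0" and stmt == "tunnel-interface":
            info["vpn0_interfaces"][parents[1].partition(" ")[2]] = True
    return info

def check(configs):
    """Return findings across all devices: duplicate system IPs, non-tunnel WAN ports."""
    findings, seen = [], {}
    for name, text in configs.items():
        info = summarize(text)
        sysip = info["system-ip"]
        if sysip in seen:
            findings.append(f"{name}: system-ip {sysip} duplicates {seen[sysip]}")
        seen.setdefault(sysip, name)
        for iface, is_tunnel in info["vpn0_interfaces"].items():
            if not is_tunnel:
                findings.append(f"{name}: VPN 0 interface {iface} has no tunnel-interface")
    return findings
```

Running check(CONFIGS) reports both of vEdge-2's problems and nothing for vEdge-1; the same parser can be extended to whatever other pre-deployment rules a site needs.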

The remaining sections in this article describe how to configure additional common functionality on vEdge routers and vSmart controllers. Typically, you configure all functionality at one time, in the configuration that you create on the vManage NMS and that is downloaded to the device when it joins the overlay network. However, to highlight the different functionalities, this article describes the various portions of the configuration separately.

Step 2: Enable Host or Service-Side Interfaces and Routing

From the vManage NMS, you can also configure service-side interfaces and regular routing:

  1. Configure interfaces on vEdge-1 towards the existing traditional router. Assign an IP address and put the interface in a non-default VPN. In our example, this is VPN 1. Do the same on vEdge-2.
  2. Configure OSPF or BGP on the vEdge routers towards the existing routers.
  3. Commit.

To check for standard IP reachability, routes, and next hops at the local site, use the standard ping, traceroute, and various show commands on the vManage NMS or from the CLI of the device (if you have a direct connection to the device).

Example Configuration for the Host or Service-side VPN:

vpn 1
  router
    ospf
      redistribute omp
      area 0
        interface ge 0/1
        exit
      exit
    !
  !
  interface ge 0/1
    ip address 10.1.2.12/24
    no shutdown
!

Step 3: Enable Overlay Routing over OMP

All site-local routes are populated on the vEdge routers. These routes are then distributed to the other vEdge routers through the vSmart controller, via OMP.

  1. If you are using BGP, or if there are OSPF external LSAs, allow OMP to advertise those BGP or OSPF external routes.
  2. Re-advertise OMP routes into BGP or OSPF.
  3. Commit.

Example Configuration of Overlay Routing over OMP:

omp
  advertise ospf external
!

At this point, vEdge-1 is able to learn about the prefixes from site-200, and vEdge-2 is able to learn about prefixes from site-100. Because all the prefixes are part of VPN 1, the hosts in site-100 and site-200 have reachability with one another. From a Viptela overlay network point of view, this reachability is possible because vEdge-1 advertises to the vSmart controller a vRoute consisting of the prefix 10.100.0.0/24 and its TLOC, that is, the TLOC address 75.1.1.1 and the TLOC color default, which we write as {75.1.1.1, default}. In turn, the vSmart controller advertises this vRoute to vEdge-2. The same process happens with prefix 10.200.0.0/24 on vEdge-2.

Step 4: Check the Automatic Setup of the IPsec Data Plane

For every TLOC on a vEdge router, the vEdge router advertises a symmetric key for encryption. The vSmart controller reflects this key automatically and advertises the TLOC with the symmetric key. A two-way IPsec SA is set up as a result (that is, there is a different key in each direction), and data traffic automatically starts to use this IPsec tunnel. Once a tunnel is up, BFD automatically starts on the tunnel. This is done to ensure fast data plane convergence in the event of a failure in the transport network.

Note that the setup of the IPsec data plane happens automatically. No configuration is necessary. Multiple show commands are available to check the SAs and the state of the IPsec tunnel.

Step 5: Enforce Policies

As an optional step, you can create control and data plane policies on the vSmart controller and push them to the vEdge routers. As an example, if the network administrator wants to enforce a policy that diverts traffic destined to { vEdge-2, prefix 10.200.0.0/24 } to another site, say vEdge-3, a control plane policy can be created on the vSmart controller and pushed to the respective vEdge routers. Note that the results of the policy are pushed to the vEdge routers, not the configuration itself.

Example Configuration of Policies:

policy
  lists
    site-list site-100
      site-id 100
    !
    prefix-list my-prefixes
      ip-prefix 10.200.0.0/24
    !
  control-policy TE-thru-vedge3
    sequence 10
      match route
        prefix-list my-prefixes
      !
      action accept
        set
          tloc 1.0.0.3 color default
        !
      !
      default action accept
    !
apply-policy
  site-list site-100
    control-policy TE-thru-vedge3 out
  !
!
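
The following Python model, added here and not part of the original article or of the Viptela software, shows what the vSmart controller computes in Steps 3 and 5: it reflects each vEdge's vRoutes to the other sites and applies the TE-thru-vedge3 policy outbound to site-100, so that vEdge-1 receives 10.200.0.0/24 with its TLOC rewritten to {1.0.0.3, default} while every other router receives the routes unchanged. vEdge-2's TLOC address 75.2.2.2 and a third router vEdge-3 at site 300 are constructed for the example; vEdge-1's TLOC and the prefixes come from the article.

```python
"""Added example, not Viptela/Cisco code: a minimal model of the vSmart reflecting
OMP vRoutes (Step 3) and applying an outbound control policy like TE-thru-vedge3
(Step 5). A vRoute is (prefix, TLOC) and a TLOC is (address, color)."""

# Constructed topology. vEdge-1's TLOC {75.1.1.1, default} and the prefixes are from
# the page; vEdge-2's TLOC address and vEdge-3 (site 300, advertising nothing) are made up.
VEDGES = {
    "vEdge-1": {"site": 100, "routes": [("10.100.0.0/24", ("75.1.1.1", "default"))]},
    "vEdge-2": {"site": 200, "routes": [("10.200.0.0/24", ("75.2.2.2", "default"))]},
    "vEdge-3": {"site": 300, "routes": []},
}

# The policy configuration above: one sequence matching prefix-list my-prefixes,
# accept with set tloc 1.0.0.3 color default, default action accept, applied
# outbound to site-list site-100.
POLICY = {
    "site_list": {100},
    "sequences": [{"prefix_list": {"10.200.0.0/24"}, "action": "accept",
                   "set_tloc": ("1.0.0.3", "default")}],
    "default_action": "accept",
}

def apply_control_policy(route, policy):
    """Return the route as the vSmart would advertise it, or None if rejected.
    An ip-prefix entry without ge/le matches that exact prefix only."""
    prefix, tloc = route
    for seq in policy["sequences"]:
        if prefix in seq["prefix_list"]:
            if seq["action"] != "accept":
                return None
            return (prefix, seq.get("set_tloc", tloc))  # TLOC rewritten, or unchanged
    return route if policy["default_action"] == "accept" else None

def vsmart_reflect(vedges, policy):
    """Compute what each vEdge receives from the vSmart: every other site's routes,
    with the outbound policy applied only to destinations in its site-list.
    Only the resulting routes reach the vEdge, never the policy itself."""
    received = {name: [] for name in vedges}
    for src in vedges.values():
        for dst_name, dst in vedges.items():
            if dst["site"] == src["site"]:
                continue  # OMP does not reflect routes back to the originating site
            for route in src["routes"]:
                out = apply_control_policy(route, policy) if dst["site"] in policy["site_list"] else route
                if out is not None:
                    received[dst_name].append(out)
    return received
```

Changing the sequence's action to "reject", or its default action, shows how the same outbound policy can withhold a prefix from site-100 entirely rather than steering it.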

Advanced Options

Now that we have looked at basic routing, security, and policy, we can start adding various other elements to the network. You are encouraged to look at the Software category to add elements such as High Availability, Convergence, BFD, QoS, ACLs, segmentation, and advanced policy.
