This section provides an overview of configuring SD-WAN Edge in a two-arm configuration.
Overview
To configure the SD-WAN Edge in a two-arm configuration:
- Configure and activate Hub 1
- Configure and activate the Hybrid Site-1
- Activate branch-to-Hub tunnel (Hybrid Site-1 to Hub 1)
- Configure and activate Public WAN only Site
- Configure and activate Hub 2
- Configure and activate Hybrid Site-2
The following sections describe the steps in more detail.
Configure and Activate Hub 1
This step helps you understand the typical workflow of how to bring up SD-WAN Edge at the Hub location. SD-WAN Edge is deployed with two interfaces (one interface for each WAN link).
Below is an example of the wiring and IP address information.
Activate the SD-WAN Edge in Default Profile
- Log in to the SASE Orchestrator.
- The default VPN profile allows the activation of the SD-WAN Edge.
Activate Hub 1 SD-WAN Edge
- Go to Configure > Edges and add a new SD-WAN Edge. Specify the correct model and the profile (we use the Branch VPN Profile).
- Go to the Hub SD-WAN Edge (DC1-VCE) and follow the normal activation process. If you already have the email feature set up, an activation email will be sent to that email address. Otherwise, you can go to the device setting page to get the activation URL.
- Copy the activation URL and paste that to the browser on the PC connected to the SD-WAN Edge or just click on the activation URL from the PC browser.
- Click the Activate button.
- Now the DC1-VCE data center Hub should be up. Go to Monitor > Edges. Click the Edge Overview tab. The public WAN link capacity is detected along with the correct public IP 238.162.42.202 and ISP.
- Go to Configure > Edges and select DC1-VCE. Go to the Device tab and scroll down to the Interface Settings.
You will see that the registration process notifies the SASE Orchestrator of the static WAN IP address and gateway that was configured through the local UI. The configuration on the SASE Orchestrator will be updated accordingly.
- Scroll down to the WAN Settings section. The Link Type should be automatically identified as Public Wired.
Configure the Private WAN Link on Hub 1 SD-WAN Edge
- Configure the private MPLS Edge WAN interface directly from the SASE Orchestrator. Go to Configure > Edges and choose DC1-VCE. Go to the Device tab and scroll down to the Interface Settings section. Configure static IP on GE3 as 172.31.2.1/24 and default gateway of 172.31.2.2. Under WAN Overlay, select User Defined Overlay. This will allow us to define a WAN link manually in the next step.
- Under WAN Settings, click the Add User Defined WAN Overlay button (see the following screen capture).
- Define the WAN overlay for the MPLS path. Select the Link Type as Private and specify the next-hop IP (172.31.2.2) of the WAN link in the IP Address field. Choose the GE3 as the interface. Click the Advanced button.
Tip: The Hub site normally has more bandwidth than the branches. If we choose the bandwidth to be auto-discovered, the Hub site will run a bandwidth test with its first peer, e.g. the first branch that comes up, and will end up discovering an incorrect WAN bandwidth. For the Hub site, you should always define the WAN bandwidth manually, and that is done in the advanced settings.
- The private WAN bandwidth is specified in advanced settings. The screenshot below shows an example of 5 Mbps upstream and downstream bandwidth for a symmetric MPLS link at the Hub.
- Validate that the WAN link is configured and save the changes.
You are done with configuring the SD-WAN Edge on the Hub. You will not see the User Defined MPLS overlay that you just added until you activate a branch SD-WAN Edge.
Configure Static Route to LAN Network Behind L3 Switch
Add a static route to the 172.30.0.0/24 subnet through the L3 switch. You need to specify the interface GE3 to use for routing to the next hop. Make sure you select the Advertise check box so other SD-WAN Edges can learn about this subnet behind the L3 switch. For more information, see Configure Static Route Settings.
Configure and Activate Hybrid Site-1
This step helps you understand the typical workflow of how to insert the SD-WAN Edge at a Hybrid Site-1. The SD-WAN Edge is inserted off-path and relies on the L3 switch to redirect traffic to it. Below is an example of the wiring and IP address information:
Configure the Private WAN Link on the Hybrid Site-1 SD-WAN Edge
At this point, we need to build the IP connectivity from the SD-WAN Edge towards the L3 switch.
- Go to Configure > Edges, select the Hybrid Site-1-VCE, go to the Device tab and scroll down to the Interface Settings section. Configure static IP on GE3 as 10.12.1.1/24 and default gateway of 10.12.1.2. Under WAN Overlay, select User Defined Overlay. This allows you to define a WAN link manually.
- Under the WAN Settings section, click Add User Defined WAN Overlay.
- Define the WAN overlay for the MPLS path. Select the Link Type as Private. Specify the next-hop IP (10.12.1.2) of the WAN link in the IP Address field. Choose the GE3 as the Interface. Click the Advanced button. Tip: Since the Hub has already been set up, it is OK to auto-discover the bandwidth. This branch will run a bandwidth test with the Hub to discover its link bandwidth.
- Set the Bandwidth Measurement to Measure Bandwidth. This will cause the branch SD-WAN Edge to run a bandwidth test with the Hub SD-WAN Edge just like what happens when it connects to the SD-WAN Gateway.
- Validate that the WAN link is configured and save the changes.
Configure Static Route to LAN Network Behind L3 Switch
Add a static route to 192.168.128.0/24 through the L3 switch. You need to specify the Interface GE3. Make sure you select the Advertise check box so other SD-WAN Edges learn about this subnet behind the L3 switch.
Activate Branch to Hub Tunnel (Hybrid Site-1 to Hub 1)
This step helps you build the overlay tunnel from the branch into Hub. Note that at this point, you may see that the link is up but this is the tunnel to the SD-WAN Gateway over the Internet path and not the tunnel to the Hub. We must activate Cloud VPN to enable the tunnel from the branch to the Hub to be established.
You are now ready to build the tunnel from the branch into the Hub.
Activate Cloud VPN and Edge to SD-WAN Hub tunnel
- Go to Configure > Profiles, select Branch VPN Profile and go to the Device tab. Under VPN Service, activate the Cloud VPN and perform the following:
- Under Branch to Hub Site (Permanent VPN), check the Enable check box.
- Under Branch to Branch VPN (Transit & Dynamic), check the Enable check box.
- Under Branch to Branch VPN (Transit & Dynamic), check the Hubs for VPN check box. Doing this will deactivate the data plane through the SD-WAN Gateway for Branch to Branch VPN. The Branch to Branch traffic will first go through one of the Hubs (in the ordered list which you will specify next) while the direct Branch to Branch tunnel is being established.
- At this point, the direct tunnel between the branch and the Hub SD-WAN Edge should come up. The debug command now also shows the direct tunnel between the branch and the Hub.
Configure and Activate Public WAN only Site
This step helps create a Public WAN only Site – a dual Internet site with one DIA and one broadband. Configure the Public WAN only Site-VCE SD-WAN Edge LAN and activate the SD-WAN Edge. There is no configuration required on the WAN because it uses DHCP for both WAN interfaces.
Configure and Activate Hub 2
Configure the Hub 2 SD-WAN Edge to Reach the Internet
- Connect a PC to the SD-WAN Edge and use the browser to point to http://192.168.2.1.
- Configure the Hub SD-WAN Edge to reach the Internet by configuring the first WAN interface, GE2.
Add the Hub 2 SD-WAN Edge to the SASE Orchestrator and Activate
In this step, you will create the second Hub SD-WAN Edge, called DC2-VCE.
- On the SASE Orchestrator, go to Configure > Edges, select New Edge to add a new SD-WAN Edge.
- Go to Configure > Edges, select the SD-WAN Edge that you just created, then go to the Device tab to configure the same Interface and IP you configured in previous step.
Important: Since we are deploying the SD-WAN Edge in one-arm mode (the same physical interface carries multiple overlay tunnels), it is important to specify the WAN Overlay to be User Defined.
- At this point, you need to create the overlay. Under WAN Settings, click Add User Defined WAN Overlay.
- Create an overlay across the public link. In our example, we will use the next-hop IP of 172.29.0.4 to reach the Internet through the firewall. The firewall is already configured to NAT the traffic to 209.116.155.31.
- Add the second overlay across the private network. In this example, we specify the next-hop router 172.29.0.1 and also specify the bandwidth since this is the MPLS leg and DC2-VCE is a Hub. Add a static route to the LAN side subnet, 172.30.128.0/24 through GE2.
- Activate the SD-WAN Edge. After the activation is successful, come back to the Device tab under the edge level configuration. Note the Public IP field is now populated. You should now see the links in the Monitor > Edges, under the Overview tab.
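The interface, overlay and static-route settings for Hub 1, Hybrid Site-1 and Hub 2 above are entered by hand in the Orchestrator, and a mistyped next-hop or a Hub overlay left on auto-discovered bandwidth only shows up later as a tunnel that never comes up or a Hub with the wrong link capacity. The following Python script is an added example, not part of this document or of the SD-WAN product: it models the addressing plan from this page and checks each edge before the values are keyed in. The addresses for Hub 1 and Hybrid Site-1 are the ones given above; Hub 2's GE2 address (172.29.0.10/24), its public-link bandwidth, and the use of the default gateway as the static-route next hop are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class WanOverlay:
    interface: str
    link_type: str                       # "Private" (MPLS) or "Public"
    next_hop: str
    bandwidth_mbps: Optional[int] = None  # None = auto-discover (Measure Bandwidth)


@dataclass
class StaticRoute:
    prefix: str
    next_hop: str
    interface: str
    advertise: bool


@dataclass
class EdgeConfig:
    name: str
    role: str                             # "hub" or "branch"
    interfaces: Dict[str, str]            # interface name -> "address/prefixlen"
    overlays: List[WanOverlay] = field(default_factory=list)
    routes: List[StaticRoute] = field(default_factory=list)


def validate_edge(edge: EdgeConfig) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    nets = {n: ipaddress.ip_interface(a) for n, a in edge.interfaces.items()}

    for ov in edge.overlays:
        iface = nets.get(ov.interface)
        if iface is None:
            problems.append(f"{edge.name}: overlay bound to unknown interface {ov.interface}")
            continue
        # The user-defined overlay's next hop must sit on the interface's subnet.
        if ipaddress.ip_address(ov.next_hop) not in iface.network:
            problems.append(f"{edge.name}: {ov.link_type} overlay next-hop {ov.next_hop} "
                            f"is not on {ov.interface} subnet {iface.network}")
        # A Hub that auto-discovers bandwidth measures against its first peer
        # and learns a wrong figure, so Hub overlays must set bandwidth manually.
        if edge.role == "hub" and ov.bandwidth_mbps is None:
            problems.append(f"{edge.name}: hub {ov.link_type} overlay on {ov.interface} "
                            f"uses auto-discovered bandwidth")

    for rt in edge.routes:
        iface = nets.get(rt.interface)
        if iface is None:
            problems.append(f"{edge.name}: route {rt.prefix} bound to unknown interface {rt.interface}")
            continue
        if ipaddress.ip_address(rt.next_hop) not in iface.network:
            problems.append(f"{edge.name}: route {rt.prefix} next-hop {rt.next_hop} "
                            f"is not on {rt.interface} subnet {iface.network}")
        # LAN subnets behind the L3 switch are only reachable by other Edges if advertised.
        if not rt.advertise:
            problems.append(f"{edge.name}: LAN route {rt.prefix} is not advertised")
    return problems


# Addressing plan taken from this page (next hop for LAN routes assumed to be the L3 switch).
HUB1 = EdgeConfig("DC1-VCE", "hub", {"GE3": "172.31.2.1/24"},
                  [WanOverlay("GE3", "Private", "172.31.2.2", 5)],
                  [StaticRoute("172.30.0.0/24", "172.31.2.2", "GE3", True)])

HYBRID1 = EdgeConfig("Hybrid-Site-1-VCE", "branch", {"GE3": "10.12.1.1/24"},
                     [WanOverlay("GE3", "Private", "10.12.1.2")],  # branch may measure bandwidth
                     [StaticRoute("192.168.128.0/24", "10.12.1.2", "GE3", True)])

# Hub 2 is one-arm on GE2; its own address and public bandwidth are assumed values.
HUB2 = EdgeConfig("DC2-VCE", "hub", {"GE2": "172.29.0.10/24"},
                  [WanOverlay("GE2", "Public", "172.29.0.4", 100),
                   WanOverlay("GE2", "Private", "172.29.0.1", 5)],
                  [StaticRoute("172.30.128.0/24", "172.29.0.1", "GE2", True)])

# Constructed mistakes: Hub overlay left on auto-discover, next hop on the wrong subnet.
BAD_HUB = EdgeConfig("DC1-VCE-typo", "hub", {"GE3": "172.31.2.1/24"},
                     [WanOverlay("GE3", "Private", "172.31.3.2")],
                     [StaticRoute("172.30.0.0/24", "172.31.2.2", "GE3", False)])


def validate_plan(edges: List[EdgeConfig]) -> Dict[str, List[str]]:
    """Validate every edge and return only those with findings."""
    return {e.name: p for e in edges if (p := validate_edge(e))}


if __name__ == "__main__":
    for name, findings in validate_plan([HUB1, HYBRID1, HUB2, BAD_HUB]).items():
        for f in findings:
            print(f)
```

Run it before entering the values in the Orchestrator; only the constructed `BAD_HUB` entry produces findings, one per defect.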
Add the Hub 2 SD-WAN Edge to the Hub List in the Branch VPN Profile
- Go to Configure > Profiles and select the profile Quick Start VPN.
- Go to the Device tab and add this new SD-WAN Edge to a list of Hubs.
Configure and Activate Hybrid Site-2
For more information on activation of Edges, see Activate SD-WAN Edges.