VERSA SD-WAN DIRECT INTERNET ACCESS(DIA)
I will show how a client on the branch goes out to the internet. I described how to prepare the branch template in the previous post. If we want the client on Branch3 to go directly out from Branch3, there is only one difference in this template compared with the previous post.
I will configure it according to the below topology.
DIA is very important for SD-WAN. It has some advantages:
it removes unnecessary traffic between the center and the branch
it reduces latency
it reduces the bandwidth needed at the hub
But even so, sometimes we want to carry internet traffic to the center. Backhauling internet traffic is useful under some conditions; for example, controlling user traffic may be necessary.
How does Versa do DIA? Versa does it with one click :) But what happens in the background is complicated.
I will try to explain DIA according to the below figure.
When I tick DIA on Versa Director, Versa Director pushes some configuration to the branch device. Two tvi interfaces are created on Branch3 (Tvi: loopback).
The tvi interfaces belong to different VRs.
An EBGP session is established over these TVIs.
The routes in each VR are exchanged with the other through a routing policy. This process is like route leaking.
Let's begin to configure DIA
You know the template is everything for Versa. I will prepare the template for DIA.
Workflow>Templates>+
In the previous article, I talked about preparing a branch template. Only one setting is different here; it is shown in the below figure. The rest of the template is the same as the previous template.
The branch template is ready.
I need to define the Branch3 device. This part is related to device registration.
Workflow>Devices>+
It may be better to create a new device group, because we may not want all branches to go directly to the internet.
After the IP address is assigned to Branch3, click the deploy button.
Yes, Branch3 is ready for staging.
After staging, the Branch3 device is seen in the appliance section.
Troubleshooting;
Is everything okay? Let's start interpreting. The two tvi interfaces are seen in the below output. An IP address starting with 169 (link-local 169.254.x.x) has been assigned to each TVI interface.
And an EBGP session is established between the TVI interfaces in the different VRs.
Check the routes in each VR. You have to see the LAN-VR's routes in the Internet-Transport-VR. Also, you have to see the default route in the LAN-VR.
The default route in LAN-VR;
When I ping from 192.168.129.10 to the Internet, you will see that it is successful.
CGNAT session on Versa Director;
You can examine the CLI commands on the branch. There are a lot of commands there. One click and lots of commands! This is amazing.
Bgp part;
set routing-instances internet-Transport-VR policy-options redistribute-to-bgp ST-Policy
set routing-instances internet-Transport-VR protocols bgp 3001 enable-alarms
set routing-instances internet-Transport-VR protocols bgp 3001 router-id 169.254.1.1
set routing-instances internet-Transport-VR protocols bgp 3001 local-as as-number 64513
set routing-instances internet-Transport-VR protocols bgp 3001 group ST_Group type external
set routing-instances internet-Transport-VR protocols bgp 3001 group ST_Group family inet unicast
set routing-instances internet-Transport-VR protocols bgp 3001 group ST_Group neighbor 169.254.0.3 local-address 169.254.0.2
set routing-instances internet-Transport-VR protocols bgp 3001 group ST_Group neighbor 169.254.0.3 peer-as 64514
set routing-instances networktcpip-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP term T4-BGP match protocol bgp
set routing-instances networktcpip-LAN-VR policy-options redistribute-to-bgp Default-Policy-To-BGP
set routing-instances networktcpip-LAN-VR protocols bgp 3014 enable-alarms
set routing-instances networktcpip-LAN-VR protocols bgp 3014 prefix-list Default-Route-Prefix seq 1 address-family ipv4 unicast address-mask 0.0.0.0/0
set routing-instances networktcpip-LAN-VR protocols bgp 3014 routing-peer-policy From_ST_internet term Color_ST_Routes action accept
set routing-instances networktcpip-LAN-VR protocols bgp 3014 routing-peer-policy From_ST_internet term Color_ST_Routes action community 64513:64513
set routing-instances networktcpip-LAN-VR protocols bgp 3014 routing-peer-policy From_ST_internet term Color_ST_Routes action community-action set-specific
set routing-instances networktcpip-LAN-VR protocols bgp 3014 routing-peer-policy From_ST_internet term Color_ST_Routes action set-local-preference 120
set routing-instances networktcpip-LAN-VR protocols bgp 3014 routing-peer-policy Import-From-LAN-Policy term Reject-SDWAN-Routes match community "(^|,)8009:8009($|,)"
set routing-instances networktcpip-LAN-VR protocols bgp 3014 routing-peer-policy Import-From-LAN-Policy term Reject-SDWAN-Routes action reject
set routing-instances networktcpip-LAN-VR protocols bgp 3014 routing-peer-policy Import-From-LAN-Policy term Allow-All action accept
set routing-instances networktcpip-LAN-VR protocols bgp 3014 routing-peer-policy To_ST_DIA term Allow_Local_LAN match community "(^|,)8009:8009($|,)"
set routing-instances networktcpip-LAN-VR protocols bgp 3014 routing-peer-policy To_ST_DIA term Allow_Local_LAN action reject
set routing-instances networktcpip-LAN-VR protocols bgp 3014 routing-peer-policy To_ST_DIA term Reject_Cloud_Routes match community .*8013:8013.*
set routing-instances networktcpip-LAN-VR protocols bgp 3014 routing-peer-policy To_ST_DIA term Reject_Cloud_Routes action reject
set routing-instances networktcpip-LAN-VR protocols bgp 3014 routing-peer-policy To_ST_DIA term Allow_All action accept
set routing-instances networktcpip-LAN-VR protocols bgp 3014 router-id 169.254.0.2
set routing-instances networktcpip-LAN-VR protocols bgp 3014 local-as as-number 64514
set routing-instances networktcpip-LAN-VR protocols bgp 3014 group ST-Group-1 type external
set routing-instances networktcpip-LAN-VR protocols bgp 3014 group ST-Group-1 family inet unicast
set routing-instances networktcpip-LAN-VR protocols bgp 3014 group ST-Group-1 import From_ST_internet
set routing-instances networktcpip-LAN-VR protocols bgp 3014 group ST-Group-1 export To_ST_DIA
set routing-instances networktcpip-LAN-VR protocols bgp 3014 group ST-Group-1 peer-as 64513
set routing-instances networktcpip-LAN-VR protocols bgp 3014 group ST-Group-1 local-address 169.254.0.3
set routing-instances networktcpip-LAN-VR protocols bgp 3014 group ST-Group-1 neighbor 169.254.0.2
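To make the route leaking between the two VRs concrete, here is an added Python example (it is not Versa's code and not part of the original post). It parses the routing-peer-policy lines above and runs constructed sample routes through the To_ST_DIA export policy and the From_ST_internet import policy. The sample routes, the modelling of "community-action set-specific" as attaching the listed community, and the implicit-deny default when no term matches are assumptions.

```python
import re

# Constructed sample input: the routing-peer-policy lines from the "Bgp part"
# above, copied from the page (only the policy terms are needed here).
POLICY_LINES = """
set routing-instances networktcpip-LAN-VR protocols bgp 3014 routing-peer-policy From_ST_internet term Color_ST_Routes action accept
set routing-instances networktcpip-LAN-VR protocols bgp 3014 routing-peer-policy From_ST_internet term Color_ST_Routes action community 64513:64513
set routing-instances networktcpip-LAN-VR protocols bgp 3014 routing-peer-policy From_ST_internet term Color_ST_Routes action community-action set-specific
set routing-instances networktcpip-LAN-VR protocols bgp 3014 routing-peer-policy From_ST_internet term Color_ST_Routes action set-local-preference 120
set routing-instances networktcpip-LAN-VR protocols bgp 3014 routing-peer-policy To_ST_DIA term Allow_Local_LAN match community "(^|,)8009:8009($|,)"
set routing-instances networktcpip-LAN-VR protocols bgp 3014 routing-peer-policy To_ST_DIA term Allow_Local_LAN action reject
set routing-instances networktcpip-LAN-VR protocols bgp 3014 routing-peer-policy To_ST_DIA term Reject_Cloud_Routes match community .*8013:8013.*
set routing-instances networktcpip-LAN-VR protocols bgp 3014 routing-peer-policy To_ST_DIA term Reject_Cloud_Routes action reject
set routing-instances networktcpip-LAN-VR protocols bgp 3014 routing-peer-policy To_ST_DIA term Allow_All action accept
"""

TERM_RE = re.compile(
    r"routing-peer-policy (?P<policy>\S+) term (?P<term>\S+) "
    r"(?P<kind>match|action) (?P<key>\S+)(?: (?P<value>.*))?$"
)


def parse_policies(text):
    """Group 'set ... routing-peer-policy' lines into ordered terms per policy.

    Returns {policy_name: [(term_name, {"match": {...}, "action": {...}}), ...]}.
    Terms keep the order in which they appear, which is the evaluation order.
    """
    policies = {}
    for line in text.strip().splitlines():
        m = TERM_RE.search(line)
        if not m:
            continue
        terms = policies.setdefault(m["policy"], [])
        if not terms or terms[-1][0] != m["term"]:
            terms.append((m["term"], {"match": {}, "action": {}}))
        value = (m["value"] or "").strip().strip('"')
        terms[-1][1][m["kind"]][m["key"]] = value
    return policies


def evaluate(terms, route):
    """Run one route through a policy; return (verdict, modified_route, term).

    A term without a match clause matches every route. A route matched by no
    term is rejected (assumed implicit deny; the page's policies end with an
    explicit accept-all term, so this default is not reached for them).
    """
    route = dict(route)
    for name, body in terms:
        pattern = body["match"].get("community")
        if pattern is not None:
            # The community match is a regex over the comma-joined community
            # list, which is why the page's pattern reads "(^|,)8009:8009($|,)".
            if not re.search(pattern, ",".join(route.get("communities", []))):
                continue
        action = body["action"]
        if "set-local-preference" in action:
            route["local_preference"] = int(action["set-local-preference"])
        if "community" in action:
            # Assumption: "community-action set-specific" attaches the community.
            route["communities"] = route.get("communities", []) + [action["community"]]
        if "reject" in action:
            return "reject", route, name
        if "accept" in action:
            return "accept", route, name
    return "reject", route, None


def leak_audit(policies):
    """Constructed routes: what each VR would leak to the other over the EBGP session."""
    lan_routes = [
        {"prefix": "192.168.129.0/24", "communities": []},          # local LAN
        {"prefix": "10.20.0.0/24", "communities": ["8009:8009"]},  # learned over SD-WAN
        {"prefix": "10.99.0.0/16", "communities": ["8013:8013"]},  # cloud route
    ]
    report = {}
    for r in lan_routes:
        verdict, _, term = evaluate(policies["To_ST_DIA"], r)
        report[r["prefix"]] = (verdict, term)
    verdict, default, term = evaluate(
        policies["From_ST_internet"], {"prefix": "0.0.0.0/0", "communities": []}
    )
    report["0.0.0.0/0"] = (verdict, term, default["local_preference"], default["communities"])
    return report


if __name__ == "__main__":
    for prefix, result in leak_audit(parse_policies(POLICY_LINES)).items():
        print(prefix, result)
```

What this shows for an audit: routes tagged 8009:8009 (SD-WAN routes) and 8013:8013 (cloud routes) are rejected before the final Allow_All term, so only locally originated LAN prefixes are exported toward the Internet-Transport-VR, while the default route coming back is accepted with local preference 120 and tagged 64513:64513.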
CGNAT part;
set orgs org networktcpip services [ cgnat nextgen-firewall sdwan ]
set orgs org-services networktcpip cgnat pools DIA-Pool-internet routing-instance internet-Transport-VR
set orgs org-services networktcpip cgnat pools DIA-Pool-internet egress-network [ internet ]
set orgs org-services networktcpip cgnat pools DIA-Pool-internet source-port
set orgs org-services networktcpip cgnat pools DIA-Pool-internet source-port random-allocation
set orgs org-services networktcpip cgnat rules DIA-Rule-networktcpip-LAN-VR-internet from
set orgs org-services networktcpip cgnat rules DIA-Rule-networktcpip-LAN-VR-internet from destination-zone [ L-ST-networktcpip-LAN-VR-internet ]
set orgs org-services networktcpip cgnat rules DIA-Rule-networktcpip-LAN-VR-internet then translated
set orgs org-services networktcpip cgnat rules DIA-Rule-networktcpip-LAN-VR-internet then translated translation-type napt-44
set orgs org-services networktcpip cgnat rules DIA-Rule-networktcpip-LAN-VR-internet then translated source-pool DIA-Pool-internet
set orgs org-services networktcpip cgnat rules DIA-Rule-networktcpip-LAN-VR-internet then translated filtering-type none
set orgs org-services networktcpip cgnat rules DIA-Rule-networktcpip-LAN-VR-internet then translated mapping-type none
set orgs org-services networktcpip cgnat rules RFC_1918_NoTranslate precedence 100
set orgs org-services networktcpip cgnat rules RFC_1918_NoTranslate from
set orgs org-services networktcpip cgnat rules RFC_1918_NoTranslate from source-address [ 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ]
set orgs org-services networktcpip cgnat rules RFC_1918_NoTranslate from destination-address [ 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ]
set orgs org-services networktcpip cgnat rules RFC_1918_NoTranslate then no-translation
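As a second added example (again not from the page or from Versa), the Python below models the two CGNAT rules above and classifies constructed flows: one from 192.168.129.10 toward the internet zone, and one between two RFC 1918 addresses. Assumptions: rules are tried in ascending precedence and the DIA rule, which has no explicit precedence on the page, is tried last; the pool's egress address 203.0.113.10 is a placeholder; and each flow carries its destination zone directly.

```python
import ipaddress
import secrets

# Constructed model of the page's two CGNAT rules, reduced to the fields that
# decide the outcome. filtering-type/mapping-type are not simulated here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
POOL_EGRESS_ADDRESS = "203.0.113.10"  # assumption: egress address of DIA-Pool-internet

RULES = [
    {
        "name": "RFC_1918_NoTranslate",
        "precedence": 100,
        "source_address": RFC1918,
        "destination_address": RFC1918,
        "action": "no-translation",
    },
    {
        "name": "DIA-Rule-networktcpip-LAN-VR-internet",
        "precedence": None,  # no explicit precedence on the page
        "destination_zone": ["L-ST-networktcpip-LAN-VR-internet"],
        "action": "napt-44",
        "source_pool": "DIA-Pool-internet",
    },
]


def rule_matches(rule, flow):
    """A rule matches when every 'from' field it specifies matches the flow."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    if "source_address" in rule and not any(src in n for n in rule["source_address"]):
        return False
    if "destination_address" in rule and not any(dst in n for n in rule["destination_address"]):
        return False
    if "destination_zone" in rule and flow["dst_zone"] not in rule["destination_zone"]:
        return False
    return True


def ordered_rules(rules):
    # Assumption: ascending precedence, rules without a precedence value last.
    return sorted(rules, key=lambda r: (r["precedence"] is None, r["precedence"] or 0))


def translate(flow, rules=RULES):
    """Return the NAT decision for a flow: which rule fired and the resulting source."""
    for rule in ordered_rules(rules):
        if not rule_matches(rule, flow):
            continue
        if rule["action"] == "no-translation":
            return {"rule": rule["name"], "src": flow["src"], "sport": flow["sport"], "translated": False}
        # napt-44 with "source-port random-allocation": rewrite the source
        # address to the pool address and pick a random ephemeral source port.
        return {"rule": rule["name"], "src": POOL_EGRESS_ADDRESS,
                "sport": 1024 + secrets.randbelow(65536 - 1024), "translated": True}
    return {"rule": None, "src": flow["src"], "sport": flow["sport"], "translated": False}


# Constructed sample flows: the page's ping host to the internet, and
# branch-to-branch traffic between private addresses.
SAMPLE_FLOWS = [
    {"src": "192.168.129.10", "sport": 40000, "dst": "198.51.100.1",
     "dst_zone": "L-ST-networktcpip-LAN-VR-internet"},
    {"src": "192.168.129.10", "sport": 40001, "dst": "10.20.0.5",
     "dst_zone": "L-ST-networktcpip-LAN-VR-internet"},
]


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow["dst"], translate(flow))
```

The second flow is the caveat worth checking in a real deployment: because RFC_1918_NoTranslate matches on addresses only, a private-to-private flow is left untranslated whichever zone it exits through, so the routing policy in the BGP part, not CGNAT, is what keeps such traffic off the internet transport.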
Thanks for Reading!