LAB Implement Control Policies

Task: 

  • Deploy a control policy for defining a hub-and-spoke topology.

  • Implement an arbitrary VPN topology.

Topology: 

Solution:

By default, Cisco SD-WAN will build a full mesh of IPsec tunnels between all WAN Edge routers. That means that without a more specific control policy, two WAN Edge routers establish and use an IPsec tunnel to exchange data. The bidirectional data traffic flows directly from one router to the other.

For a network with only two, or a small number of, WAN Edge routers, establishing connections between each pair of routers is not an issue. However, such a solution does not scale. In a network with hundreds or even thousands of branches, establishing a full mesh of IP Security (IPsec) tunnels overtaxes the CPU resources of the individual WAN Edge routers.

You can minimize this overhead by creating a hub-and-spoke topology in which one or more WAN Edge routers act as hub sites that receive data traffic from all the spoke (branch) routers and redirect the traffic to the proper destination. In this task, you will define and deploy a control policy to establish a hub-and-spoke topology between the hub Site 100 and the spoke sites. You will use the Hub-and-Spoke Topology wizard to simplify the control policy creation.

From the Cisco vManage main menu, navigate to Configuration > Policy. The Centralized Policy tab is displayed by default.

Click Add Policy to start building a centralized control policy. After clicking Add Policy, the Create Group of Interest page is displayed with the default Application lists.

Create two site lists. The DC site (100) is the Hub site. The branches (1-4) are the Branches sites.

Click Site in the left pane. Click (+) New Site List and define the lists with the following values.

  • Hub: 100

  • Branches: 1-4

The policy will reference these lists later. Click Add after each list definition.

Create two VPN lists. The Corporate VPN is 10 and the Contractors VPN is 20.

Click VPN in the left pane. For each of the following lists, click New VPN List and define the VPN lists based on the following values:

  • Corporate: VPN 10

  • Contractors: VPN 20

Click Add after each list definition. The result of creating the two VPN lists is as follows. Click Next at the bottom of the screen to go to the Configure Topology and VPN Membership step.

Click the Add Topology button. For a simple hub-and-spoke topology, choose the built-in Hub-and-Spoke topology from the drop-down menu.

On the Add Hub-and-Spoke Policy page, define the following topology parameters:

  • Name: My_Hub-n-Spoke_Topology_v1

  • Description: Hub and spoke topology

  • VPN List (to which the policy applies): Corporate

Associate the Hub Site list and Spoke Site list. Click the Add Hub Sites button, choose Hub from the Site List drop-down menu, and click Add.

Click the Add Spoke Sites button, choose Branches from the Site List drop-down menu, and click Add. Click Save Hub-and-Spoke Policy.

Proceed to the next step of the wizard: click Next at the bottom of the screen to go to the Configure Traffic Rules step.

You will configure a data policy later, so click Next again at the bottom of the screen to go to the Apply Policies to Sites and VPNs step.

The figure shows the Apply Policies to Sites and VPNs window. Provide the following name and description for the policy, and click Save Policy.

  • Policy Name: My_Centralized_Policy_v1

  • Description: Centralized Policy

Activate the centralized policy to apply the created topology to the Cisco Software-Defined WAN (SD-WAN) fabric. From the More Options menu (...) for My_Centralized_Policy_v1, choose Activate.
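For reference, the following is the kind of vSmart control policy the wizard builds from the lists above, written out in the Cisco SD-WAN policy CLI so that the tunnel restrictions can be reviewed on the controller rather than only in the GUI. This is an added illustration, not the page's own configuration; the hub TLOC addresses and colors are placeholders, and the sequence numbers and default action are assumptions about how the wizard renders the topology.

```text
policy
 lists
  site-list Hub
   site-id 100
  !
  site-list Branches
   site-id 1-4
  !
  vpn-list Corporate
   vpn 10
  !
  ! Hub transport locators (placeholder system IP and color)
  tloc-list Hub_TLOCs
   tloc 10.100.0.1 color mpls encap ipsec
  !
 !
 control-policy My_Hub-n-Spoke_Topology_v1
  ! Do not advertise spoke TLOCs to spokes: no spoke-to-spoke IPsec tunnel forms
  sequence 1
   match tloc
    site-list Branches
   !
   action reject
   !
  !
  ! Hub TLOCs are advertised unchanged
  sequence 11
   match tloc
    site-list Hub
   !
   action accept
   !
  !
  ! Branch prefixes in the Corporate VPN are re-pointed at the hub TLOCs
  sequence 21
   match route
    site-list Branches
    vpn-list Corporate
   !
   action accept
    set
     tloc-list Hub_TLOCs
    !
   !
  !
  default-action accept
 !
!
apply-policy
 site-list Branches
  control-policy My_Hub-n-Spoke_Topology_v1 out
 !
!
```

The policy is applied outbound toward the Branches site list only, so the hub still receives every TLOC and route and remains the single transit point for spoke-to-spoke traffic in VPN 10.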
