
Introduction
In this lab, you will learn how to provide Internet access to the sites that are
enabled with the SD-WAN fabric. You will configure both Internet access via the DC and
Local Internet Exit (Direct Internet Access, DIA).

This lab assumes the overlay is already up and all the required templates are pre-
configured. If that is not done yet, complete the Overlay Bring-up Lab and the
Templates Lab first.

Initial Verification
Test Internet access from a PC connected to Branch1.

Open the Firefox browser on Mgmt-PC (D2) and browse to Facebook and Google.
Notice that both fail.

Let's check whether desktop D2 can reach 8.8.8.8.

Open the command prompt and run tracert 8.8.8.8.


Notice that it stopped at B1-R1.

Task
Identify the reason why the trace is stopping at B1-R1.

Default route
B1-R1 does not have a default route, so it cannot forward the traffic.

Let’s advertise the default route from DC WAN edges using a Null route.

Log in to vManage:

Log in to the vManage URL.

Username: admin

Password: admin

Go to Configuration>Templates>Feature

The default route needs to be created in the VPN feature template and should exist only
on the DC WAN edges.

Notice that the VPN1 template is attached to two device templates. Click on 2 to see
which device templates they are.

This feature template is attached to the DC and Branch2 cEdge device templates.


We want to add the default route to Null0 only on the DC WAN edges. If we modify this
template, the change will also be pushed to the B2 WAN edge device.

Copy this VPN1 template and give it the names below.

Template Name: DC-VPN1

Description: DC-VPN1

Edit the DC-VPN1 template to create the default route to Null0.

Click on New IPv4 Route under the IPv4 Route section and configure the following.

Prefix (Global): 0.0.0.0/0


Gateway: Null0

Enable Null0 (Global): On

Click Add and update the template.

Now attach this feature template to the DC device template.

Go to the Device Templates section and edit DC-Template.

Under the Service VPN section, select the DC-VPN1 template as the VPN template and update.
Click Next to proceed further.

Click on a device to preview the configuration that will be pushed to the WAN edge.

Notice the default Null0 route and click on Configure Devices.

Confirm and click OK.

Wait until the template push is successful.

Verification
Let’s verify if B1-R1 received this route.
Navigate to Monitor>Network>B1-R1>Real Time

Select IP Routes from Device Options. Do not filter.


Notice that B1-R1 has now received the routes from the DC WAN edges.

Let's verify from the desktop.

D2:

Still no access to the Internet. But this time B1-R1 is forwarding, and because of the
Null0 route on the DC WAN edges, the traffic is blackholed.

For this to work, we need to create a policy that directs the traffic to the NAT-enabled
Internet interface in VPN 0, instead of blackholing it by matching the Null0 route.

NAT
Now let's enable Internet access for the Branch via the DC using a policy.

Templates
For the Internet to work, NAT needs to be enabled on the VPN0 Internet interface. In
this lab it is ge0/0.
Skip this step if NAT is already enabled in your lab setup; just verify it.

Navigate to Configuration>Templates>Feature

Edit VPN0-Internet-Interface template

Turn On NAT under NAT section and update the template.

Click Next to Proceed further.


Preview the config by selecting a device and notice that NAT is enabled on ge0/0,
the Internet-connected interface.
Click on Configure Devices, confirm, and wait until the template push is successful.

Policy
Now let's create a policy to direct the Internet traffic to this NAT-enabled interface.

Navigate to Configuration>Policies

Click Add Policy


Creating Lists
Data Prefix List:
Name: Local-Subnet

Data Prefix: 10.0.0.0/8

This is the aggregate prefix that covers all the branches.

Click Add

Site List:
Name: DC

Site: 10

Click Add

VPN List:
Name: VPN1

VPN: 1

Click Add and Next

Click Next again to proceed further.


We need to configure Traffic Rules.

Click on Traffic Data, then Add Policy and Create New.

Configure the Name and Description below for the policy.

Name: Internet-Exit

Description: Internet-Exit

Change the default action from Drop to Accept for this policy.
Click on Sequence Type to create a Custom policy.

Create a sequence rule that accepts traffic to (Destination) the Local-Subnet data
prefix list.

Create a second sequence rule that accepts traffic from (Source) the Local-Subnet data
prefix list and sends it to the NAT-enabled interface in VPN0.
Ensure the policy you created matches the one below and save the policy.

Click Next to proceed further.


This policy needs to be applied under the main policy. Configure the names below.

Policy Name: LearnEdze-Policy

Policy Description: LearnEdze-Policy

Click on Traffic Data.

Apply the Site and VPN lists to the Internet-Exit policy by clicking on New Site List and
VPN List.
Refer to the screenshot below and save the policy.

Preview Policy
Click on (…) and Preview.
Click OK once the policy is verified. Your policy should match the policy below.

policy
 data-policy _VPN1_Internet-Exit
  vpn-list VPN1
   sequence 1
    match
     destination-data-prefix-list Local-Subnet
    !
    action accept
    !
   !
   sequence 11
    match
     source-data-prefix-list Local-Subnet
    !
    action accept
     nat use-vpn 0
     nat fallback
    !
   !
   default-action accept
  !
 lists
  data-prefix-list Local-Subnet
   ip-prefix 10.0.0.0/8
  !
  site-list DC
   site-id 10
  !
  vpn-list VPN1
   vpn 1
  !
 !
!
apply-policy
 site-list DC
  data-policy _VPN1_Internet-Exit all
 !
!
Activating the Policy
Click on (…) and Activate.

The policy will be applied to vSmart. Click Activate.

Wait until the policy push to the vSmart is successful.


Verification
VNC to desktop D2 and traceroute to 8.8.8.8.

Now notice that the traffic is forwarded along B1-R1 > DC > DC-Internet next-hop.

Your trace will be incomplete, because traffic initiated from outside (VPN0) to
inside (VPN1) is not allowed.

Open the browser and browse Facebook and Google.

Access to Facebook and Google is successful.


Now we have successfully provided Internet access to the branches via the DC (hub
location).

Internet exit from Branch


Since we established WAN connectivity for the Branch using the Internet, we can use the
same interface to provide Internet access instead of going via the DC.

Modify the Policy for Local Internet Exit (Direct Internet Access (DIA))

Navigate to Configuration>Policies

Click on Custom Options and Lists from the top right-hand corner.

Create a New Site List for B1-R1.

Name: B1

Site: 100

Edit the main policy (LearnEdze-Policy).


Click on Traffic Data and edit the rule.

Select B1 and update the rule.

Save the policy changes.


The modified policy will now be pushed to vSmart. Click on Activate.

Wait until the policy push is successful.

Preview the Policy

Click on (…) and Preview.
Click OK once the policy verification is completed.

Your policy should match the policy below.

policy
 data-policy _VPN1_Internet-Exit
  vpn-list VPN1
   sequence 1
    match
     destination-data-prefix-list Local-Subnet
    !
    action accept
    !
   !
   sequence 11
    match
     source-data-prefix-list Local-Subnet
    !
    action accept
     nat use-vpn 0
     nat fallback
    !
   !
   default-action accept
  !
 lists
  data-prefix-list Local-Subnet
   ip-prefix 10.0.0.0/8
  !
  site-list DC
   site-id 10
  !
  site-list B1-R1
   site-id 100
  !
  vpn-list VPN1
   vpn 1
  !
 !
!
apply-policy
 site-list DC
  data-policy _VPN1_Internet-Exit all
 site-list B1-R1
  data-policy _VPN1_Internet-Exit all
 !
!
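As an added example (not part of the lab and not Cisco tooling), the Python script below parses the policy preview text, covering both the DC-only policy shown earlier and this DIA version. It walks the data-policy sequences in first-match order, the way vSmart evaluates them, and reports which site IDs the policy is bound to through apply-policy. It shows why sequence 1 (accept traffic to Local-Subnet) must come before sequence 11 (accept and NAT to VPN 0): with the order reversed, branch-to-branch traffic inside 10.0.0.0/8 would be sent out of the NAT interface instead of across the fabric. The policy text is constructed from the lab's own names and values with the CLI's "!" terminators left out, and the flow addresses used at the end are constructed too.

```python
import ipaddress

# Constructed sample: the vManage preview after the DIA change, using the lab's own
# list names and values. The "!" block terminators are omitted; the parser ignores them.
POLICY_TEXT = """
policy
 data-policy _VPN1_Internet-Exit
  vpn-list VPN1
   sequence 1
    match
     destination-data-prefix-list Local-Subnet
    action accept
   sequence 11
    match
     source-data-prefix-list Local-Subnet
    action accept
     nat use-vpn 0
     nat fallback
   default-action accept
 lists
  data-prefix-list Local-Subnet
   ip-prefix 10.0.0.0/8
  site-list DC
   site-id 10
  site-list B1-R1
   site-id 100
  vpn-list VPN1
   vpn 1
apply-policy
 site-list DC
  data-policy _VPN1_Internet-Exit all
 site-list B1-R1
  data-policy _VPN1_Internet-Exit all
"""

def parse_policy(text):
    """Parse the preview into prefix lists, site lists, ordered sequences and apply-policy bindings."""
    p = {"prefix_lists": {}, "site_lists": {}, "sequences": [], "default_action": "drop", "apply": {}}
    cur = seq = site = None   # list being filled / sequence being filled / apply-policy site-list
    in_apply = False
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        key = tok[0]
        if key == "apply-policy":
            in_apply = True
        elif in_apply:                      # apply-policy section: site-list -> bound policy names
            if key == "site-list":
                site = p["apply"].setdefault(tok[1], [])
            elif key == "data-policy":
                site.append(tok[1])
        elif key == "data-prefix-list":
            cur = p["prefix_lists"].setdefault(tok[1], [])
        elif key == "site-list":
            cur = p["site_lists"].setdefault(tok[1], [])
        elif key == "ip-prefix":
            cur.append(ipaddress.ip_network(tok[1]))
        elif key == "site-id":
            cur.append(int(tok[1]))
        elif key == "sequence":
            seq = {"seq": int(tok[1]), "match": {}, "action": None, "nat_vpn": None, "nat_fallback": False}
            p["sequences"].append(seq)
        elif key in ("source-data-prefix-list", "destination-data-prefix-list"):
            seq["match"][key.split("-")[0]] = tok[1]   # "source" / "destination" -> list name
        elif key == "action":
            seq["action"] = tok[1]
        elif key == "nat" and tok[1] == "use-vpn":
            seq["nat_vpn"] = int(tok[2])
        elif key == "nat" and tok[1] == "fallback":
            seq["nat_fallback"] = True
        elif key == "default-action":
            p["default_action"] = tok[1]
    return p

def evaluate(p, src, dst):
    """First matching sequence wins, as vSmart evaluates a data policy; otherwise the default-action."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for s in p["sequences"]:
        want_src, want_dst = s["match"].get("source"), s["match"].get("destination")
        if want_src and not any(src in net for net in p["prefix_lists"][want_src]):
            continue
        if want_dst and not any(dst in net for net in p["prefix_lists"][want_dst]):
            continue
        return {"seq": s["seq"], "action": s["action"], "nat_vpn": s["nat_vpn"], "nat_fallback": s["nat_fallback"]}
    return {"seq": None, "action": p["default_action"], "nat_vpn": None, "nat_fallback": False}

def sites_applying(p, policy_name):
    """Site IDs whose site-list binds policy_name: [10] before the DIA change, [10, 100] after."""
    ids = set()
    for site_list, names in p["apply"].items():
        if policy_name in names:
            ids.update(p["site_lists"].get(site_list, []))
    return sorted(ids)

if __name__ == "__main__":
    p = parse_policy(POLICY_TEXT)
    print("policy applied at sites:", sites_applying(p, "_VPN1_Internet-Exit"))
    # Constructed flows: branch host to the Internet, branch to branch, and a non-fabric source.
    for src, dst in [("10.1.1.10", "8.8.8.8"), ("10.1.1.10", "10.2.2.20"), ("192.168.1.1", "8.8.8.8")]:
        print(f"{src} -> {dst}: {evaluate(p, src, dst)}")
```

The branch-to-branch flow hits sequence 1 and is forwarded normally over the fabric, while the flow to 8.8.8.8 falls through to sequence 11 and gets "nat use-vpn 0"; a source outside 10.0.0.0/8 matches nothing and takes the default-action, which this lab changed from Drop to Accept. Reversing the two sequences (swap the list in the parsed result) makes the branch-to-branch flow return nat_vpn 0, which is the misconfiguration the ordering in the lab avoids.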

Verification
Open the command prompt and traceroute to 8.8.8.8.

Notice that the traffic is now forwarded to B1-R1 and then to the B1-R1 Internet interface next-hop.

Open the browser and browse to Facebook and Google.

Both Facebook and Google are reachable.
