Configure an SD-WAN Topology Using the SD-WAN Wizard

The SD-WAN wizard allows you to easily configure VPN tunnels between your centralized headquarters and remote branch sites.

Procedure

Step 1

Choose Devices > Site To Site, and click Add.

Step 2

Enter a name for the SD-WAN VPN topology in the Topology Name field.

Step 3

Click the SD-WAN Topology radio button and click Create.

Step 4

Configure a hub:

  1. Click Add Hub.

  2. From the Device drop-down list, choose a hub.

  3. Click + next to the Dynamic Virtual Tunnel Interface (DVTI) drop-down list to add a dynamic VTI for the hub.

    The Add Virtual Tunnel Interface dialog box is prepopulated with default configurations. However, you must configure the Tunnel Source, and the Borrow IP Address. For more information, see Add a Dynamic Virtual Tunnel Interface for a Hub.

  4. Click OK.

  5. In the Hub Gateway IP Address field, enter the public IP address of the hub's VPN interface or the tunnel source of the dynamic VTI to which the spokes connect.

    This IP address is auto-populated if the interface has a static IP address. If the hub is behind a NAT device, you must manually configure the post-NAT IP address.

  6. From the Spoke Tunnel IP Address Pool drop-down list, choose an IP address pool or click + to create an address pool.

    When you add spokes, the wizard auto-generates spoke tunnel interfaces and assigns IP addresses to these spoke interfaces from this IP address pool.

  7. Click Add to save the hub configuration.

  8. (Optional) To add a secondary hub, repeat Step 4a to Step 4f.

  9. Click Next.

Step 5

Configure spokes:

Click Add Spoke to add a single spoke device, or click Add Spokes (Bulk Addition) to add multiple spokes to your topology.

  • Click Add Spoke. In the Add Spoke dialog box, configure the following parameters:

    1. From the Device drop-down list, choose a spoke.

    2. From the VPN Interface drop-down list, choose a WAN-facing or internet-facing physical interface to establish a VPN connection with the hub.

    3. Check the Local Tunnel (IKE) Identity check box to enable a unique and configurable identity for the VPN tunnel from this device to the remote peer. By default, this option is enabled.

    4. Choose one of the following options from the Identity Type drop-down list:

      • Key ID—(Default value) This value is auto-populated as <sd-wan topologyname>_<device_IP_address>, for example, sdwantopo1_192.168.0.200. You can also specify a key ID of your choice.

      • Email ID—Specify an email ID up to 127 characters.

      • IP Address—IP address of the spoke's VPN interface.

      • Auto—IP address of the spoke's VPN interface for pre-shared key authentication or the certificate Distinguished Name (DN) for certificate-based authentication.

      • Hostname—Fully qualified hostname of the spoke.

    5. Click Save to save the spoke configuration.

  • Click Add Spokes (Bulk Addition). In the Add Bulk Spokes dialog box, configure the following parameters:

    1. Choose one or more devices from the Available Devices list and click Add to move the devices to Selected Devices.

    2. Use one of the following methods to select the VPN interfaces of the spokes:

      • Click the Interface Name Pattern radio button and specify a string to match the logical name of the internet or WAN interface of the spokes, for example, outside*, wan*.

        If the spoke has multiple interfaces with the same pattern, the first interface that matches the pattern is selected for the topology.

      • Click the Security Zone radio button and choose a security zone with the VPN interfaces of the spokes from the drop-down list, or click + to create a security zone.

    3. Click Next.

      The wizard validates if the spokes have interfaces with the specified pattern. Only the validated devices are added to the topology.

    4. Click Add.

    5. Click Next.

For each spoke, the wizard automatically selects the hub's DVTI as the tunnel source IP address.

Note

If the hub's tunnel source IP address is an IPv6 address, the wizard automatically selects the first IPv6 address of the spokes' selected interface. To edit the IPv6 address of a spoke's tunnel source, click the edit icon next to a spoke, choose an IPv6 address from the IP Address drop-down list, and click Save.

Step 6

Configure authentication settings for the devices in the SD-WAN topology:

  1. Authentication Type—For device authentication, you can use a manual pre-shared key, an auto-generated pre-shared key, or a certificate.

    • Pre-shared Manual Key—Specify the pre-shared key for the VPN connection.

    • Pre-shared Automatic Key—(Default value) The wizard automatically defines the pre-shared key for the VPN connection. Specify the key length in the Pre-shared Key Length field. The range is 1 to 127.

    • Certificate—When you use certificates as the authentication method, the peers obtain digital certificates from a CA server in your PKI infrastructure, and use them to authenticate each other.

  2. Choose one or more algorithms from the Transform Sets drop-down list.

  3. Choose one or more algorithms from the IKEv2 Policies drop-down list.

  4. Click Next.

Step 7

Configure the SD-WAN settings:

This step involves the auto-generation of spoke tunnel interfaces and the BGP configuration of the overlay network.

  1. From the Spoke Tunnel Interface Security Zone drop-down list, choose a security zone or click + to create a security zone to which the wizard automatically adds the spokes' auto-generated Static Virtual Tunnel Interfaces (SVTIs).

  2. Check the Enable BGP on the VPN Overlay Topology check box to automate BGP configurations such as neighbor configurations between the overlay tunnel interfaces and basic route redistribution from the directly connected LAN interfaces of the hubs and spokes.

  3. In the Autonomous System Number field, enter an Autonomous System (AS) number.

    An AS number is a unique number for a network with a single routing policy. BGP uses AS numbers to identify networks. The spoke's BGP neighbor configuration is generated based on the corresponding hub's AS number. The range is from 0 to 65536.

    • If all the hubs and spokes are in the same region, by default, 64512 is the AS number.

    • If the primary and secondary hubs are in different regions, the primary hub and the spokes are configured with 64512 as the AS number, and the secondary hub is configured with a different AS number.

  4. In the Community Tag for Local Routes field, enter the BGP community attribute to tag connected and redistributed local routes. This attribute enables easy route filtering.

  5. Check the Redistribute Connected Interfaces check box and choose an interface group from the drop-down list or click + to create an interface group with connected inside or LAN interfaces for BGP route redistribution in the overlay topology.

  6. Check the Enable Multiple Paths for BGP check box to allow multiple BGP routes to be used at the same time to reach the same destination. This option enables BGP to load-balance traffic across multiple links.

  7. (Optional) Check the Secondary Hub is in Different Autonomous System check box. This check box appears only if you have a secondary hub in this topology.

  8. In the Autonomous System Number field, enter the AS number for the secondary hub.

  9. In the Community Tag for Learned Routes field, enter the BGP community attribute to tag routes learned from other SD-WAN peers over the VPN tunnel. This attribute is required only for eBGP configuration when the secondary hub has a different AS number. This field appears only if you have configured two hubs in the SD-WAN topology.

  10. Click Next.

Step 8

Click Finish to save and validate the SD-WAN topology.

You can view the topology on the Site-to-Site VPN Summary page (Devices > Site-to-site VPN). After you deploy the configurations to all the devices, you can see the status of all the tunnels on this page.
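The following added example (illustration only, not Cisco's code) models what the wizard does in Step 4f and Step 5 when spokes are added in bulk: it picks each spoke's VPN interface by matching the logical interface name against a glob such as outside*, takes the first match when several interfaces match, drops devices that fail validation, derives the default Key ID in the <topology>_<device_IP> form, and hands out spoke tunnel addresses from the pool. The device inventory and the pool prefix are constructed sample data.

```python
from fnmatch import fnmatchcase
from ipaddress import ip_network

# Constructed inventory: device -> ordered list of (logical interface name, IP address).
DEVICES = {
    "branch1": [("inside", "10.1.1.1"), ("outside", "198.51.100.10")],
    "branch2": [("outside1", "203.0.113.2"), ("outside2", "203.0.113.3")],
    "branch3": [("inside", "10.3.3.1"), ("mgmt", "10.3.3.2")],
    "branch4": [("outside", "203.0.113.4")],
}


def select_vpn_interface(interfaces, pattern):
    """Return the first (name, ip) whose logical name matches the glob pattern."""
    for ifname, ip in interfaces:
        if fnmatchcase(ifname, pattern):
            return ifname, ip  # first match wins, as in the wizard
    return None


def default_key_id(topology, device_ip):
    """Default IKE identity: <sd-wan topologyname>_<device_IP_address>."""
    return f"{topology}_{device_ip}"


def add_spokes_bulk(topology, devices, pattern, pool):
    """Validate spokes against the interface pattern and assign tunnel IPs.

    Returns (validated, skipped); only validated devices join the topology.
    Raises ValueError if the spoke tunnel IP address pool runs out.
    """
    hosts = ip_network(pool).hosts()
    validated, skipped = [], []
    for name, interfaces in devices.items():
        match = select_vpn_interface(interfaces, pattern)
        if match is None:
            skipped.append(name)  # no interface matched: not added
            continue
        ifname, ip = match
        try:
            tunnel_ip = str(next(hosts))
        except StopIteration:
            raise ValueError(f"spoke tunnel IP pool {pool} exhausted at {name}")
        validated.append({
            "device": name,
            "vpn_interface": ifname,
            "key_id": default_key_id(topology, ip),
            "tunnel_ip": tunnel_ip,
        })
    return validated, skipped
```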

What to do next