Skip to main content
Versa Networks

SD-WAN–SSE Hub Integration

  1. Last updated
  2. Save as PDF

This article describes how to integrate the Versa cloud-hosted Secure Service Edge (SSE) provided by Versa Concerto into an existing on-premises Versa Director SD-WAN deployment to create a unified SD-WAN–SSE solution, also called a SASE solution. Two commonly architectures for a united SD-WAN–SSE solution are the SD-WAN SSE hub interconnect architecture and the branch SSE tunnel architecture.

The SD-WAN–SSE hub interconnect architecture, illustrated in the following figure, leverages the SD-WAN SSE hubs that are already deployed in the customer SD-WAN environment. This architecture extends the on-premises, Director-managed SD-WAN to the Versa cloud-hosted SSE environment. It uses SSE hub deployments that are close to or colocated with Versa-hosts cloud gateways. The Versa-hosted cloud gateway connects to the SSE hub using GRE or IPsec tunnels, which allows for secure and scalable user internet access and for work-from-anywhere (WFA) access to customer-hosted applications

Intro1.png

The branch SSE tunnel architecture, which is illustrated in the following figure, leverages GRE and IPsec tunnel connectivity between the Versa-hosted cloud Gateway and on-premises SD-WAN branches to provide secure user internet access and WFA access to customer hosted applications. Tunnels are configured for each SD-WAN branch as required by Versa Secure Private Access (VSPA) and Versa Secure Internet Access (VSIA). 

Intro2.png

This article describes the SD-WAN SSE hub interconnect architecture, providing examples of how to provision the necessary components and software.For information about the branch SSE tunnel architecture, see Versa Secure SD-WAN Integration with SSE

Customer SD-WAN–SSE Hub Deployment Overview

In the SD-WAN–SSE hub interconnect architecture, the customer SD-WAN is extended by leveraging SSE hub deployments that are close to or colocated with Versa SSE cloud gateways. The following are some of the advantages by extending an SD-WAN network to SSE cloud gateways:

  • Full SD-WAN feature set, including multitenancy, load balancing, SLA-based traffic steering, SLA aggressive monitoring, forward error correction (FEC), class of service/quality of service (CoS/QoS), adaptive shaping, and workflow templates
  • Common SD-WAN control and forwarding (data) planes between customer-managed SSE hubs and the customer's data center and branch locations
  • Simplified traffic paths based on SD-WAN spoke groups and regions.
  • Leverages standard SD-WAN data center and branch high-availability (HA) connectivity
  • Can be used with both Versa Secure Private Access (VSPA), which connects an organization's employees working from anywhere to enterprise applications hosted in the enterprise environment, private clouds, or public clouds, and with Versa Secure Internet Access (VSIA), which provides protection for all traffic bound for the internet and SaaS bound traffic.
  • Horizontally scalable.
  • Minimizes architectural and configuration complexity.

2-intro.png

This section provides an overview of the components required for configuring SD-WAN SSE hub interconnection:

  • Connectivity between the Versa Cloud Gateway (VCG) and the customer hub
  • Site-to-site tunnels and the configuration of BGP AS numbers
  • Dynamic routing and traffic flow
  • Versa secure access, either private access (VSPA) or internet access (VSIA)

Connectivity between the VCG and the Customer Hub

To facilitate connectivity between SSE and the SD-WAN, you configure redundant site-to-site IPsec tunnels and EBGP between the VCG enterprise LAN-VR and the SD-WAN SSE hub customer LAN-VR, as illustrated in the following figure. You configure VCGs using the Versa Concerto GUI, and you configure the SD-WAN SSE hubs using the GUI on the on-premises Director node.

2-sec1.png

You deploy a minimum of two customer SSE hubs per region, using full-mesh IPsec site-to-site tunnels and EBGP dynamic routing to connect to the regional VCGs. For SSE-to-SD-WAN connectivity, you can use either an active–standby or active–active traffic path model. By default, Layer 3 symmetric forwarding is enabled on Versa Cloud Gateways.

You use customer SD-WAN spoke groups to leverage SSE hubs. The prefixes learned from the VCGs are redistributed to the relevant LAN-Export VR of SSE hubs, allowing for simplified configuration of the SD-WAN traffic path.

For the active–standby traffic path model:

  • Customer leverages EBGP metrics to establish the traffic path.
  • VCGs are configured with the following:
    • Export policies for advertisements towards the customer SSE hubs. For export policies for the configuration example in this article, the local AS number of the active device is prepended once, and for the standby the local AS number is prepended twice.
    • Import policies for advertisements received from customer SSE hubs. In this example, the local AS number of the active device is prepended once, and for the standby it is prepended twice.
  • BGP communities are marked on all inbound and outbound prefixes. You can use communities for traffic path engineering and loop prevention.

For the active–active traffic path model:

  • Customer leverages equal-cost EBGP metrics to establish traffic paths.
  • As mentioned previously, Layer 3 symmetric forwarding is enabled by default on VCGs.

For more information about the active–standby and active–active traffic path models, see Versa Secure Private Access and Versa Secure Internet Access, below.

Site-To-Site Tunnel Configuration and BGP ASN Assignment

The customer manages and configures IP address assignment for the VCP and the customer SD-WAN hub IP address assignment, as illustrated in the following figure.

2-sec2.png

The VCG (Concerto) IPsec TVI interface numbering is configured by default when you configure site-to-site tunnels.

The customer configures the SD-WAN SSE hub (Director) IPSec TVI interface numbering. It is recommended that you use TVI interface numbering that does not conflict with workflow-generated TVI interfaces. For example, use tvi-15/number, where tvi-15/1999 is the highest acceptable interface number.

TVI IP addresses on both the VCG (Concerto) and SD-WAN SSE hub (Director) are assigned from the customer-managed IP address space. Versa TVI interfaces support the /31 subnet mask length. Do not use the IP address space 169.254.0.0/16, because it may conflict with the workflow-generated configuration.

The customer configures IKE and IPsec parameters. Versa Networks supports IKEv1 and IKEv2. The Concerto and Director GUIs list additional parameters.

The customer configures EBGP between the necessary LAN-VRs, leveraging customer-assigned tunnel IP neighbor addresses and customer-assigned BGP AS numbers.

Customer-specific BGP attributes are configured on both the VCG (Concerto) and SD-WAN SSE hub (Director), as required.

Dynamic Routing Configuration and Traffic Flow

You use dynamic routing, configuring EBGP between VCGs and customer SSE hubs. You configure EBGP peering between the TVI IP addresses. You can use either the active–standby and the active–active traffic path model.

The configurations for the VCGs (on Concerto) and the customer SSE hubs (on Director) are customer managed. Customers can configure these environments to meet their requirements. The configuration sections at the end of this article provide detailed examples of configurations that customers can use.

Versa Secure Private Access (VSPA)

VSPA is a software-defined, cloud-managed, cloud-delivered, private access service that efficiently connects enterprise WFA users with distributed private applications without compromising security or user experience. You can configure the connectivity between VCGs and customer SSE hubs using either the active–standby and the active–active traffic path model.

VSPA with the Active–Standby Traffic Model

In the active–standby traffic path model, you configure an active traffic path and a standby traffic path on each VCG and customer SSE hub. The following figure shows the configuration required on the VCGs to facilitate a designated traffic path configuration control point. As mentioned previously, the customer manages the VCG and customer SSE hub configurations, and they create configuration to meet their specific requirements.

2-sec4-vspa1.png

2-sec4-vspa2.png

You can find example configuration corresponding to these figures in Configure VSPA, below. In the example configuration, Community C is configured as follows to provide a loop prevention mechanism:

  • VCG export policy is applied to the active traffic path (SSE VCG-A: A1 and SSE VCG-B: B1).
    • Community C is matched and is rejected (that is, not advertised) for traffic destined to customer SSE hubs.
    • VSPA user prefixes (VSPA-A and VSPA-B) are matched, prepended once, marked with community C, and accepted (that is, advertised) for traffic destined to customer SSE hubs.
  • VCG export policy is applied to the standby traffic path (SSE VCG-A: A2 and SSE VCG-B: B2).
    • Community C is matched and is rejected (that is, not advertised) for traffic destined to customer SSE hubs.
    • VSPA user prefixes (VSPA-A and VSPA-B) are matched, prepended twice, marked with community C, and accepted (that is, advertised (accept) destined to customer SSE hubs.
  • VCG import policy is applied to the active traffic path (SSE VCG-A: A3 and SSE VCG-B: B3).
    • Community C is matched and rejected.
    • All other prefixes advertised by the customer SSE hub advertised are prepended once, marked with community C and with community 64513:64513, which is the default Versa DIA community, and accepted.
  • VCG import policy applied to the standby traffic path (SSE VCG-A: A4 and SSE VCG-B: B4).
    • Community C is matched and rejected.
    • All other prefixes advertised by the customer SSE hub are prepended twice, marked with community C and with community 64513:64513, and accepted.

The following figure shows the active–standby steady-state traffic flow for VSPA.

2-sec4-vspa3.png

If the active traffic path fails, the standby traffic path is used for connectivity. The following figure illustrates the failure of the active traffic path between SSE VCG-A and customer SSE Hub CPE-A. The identical traffic path failover would occur if the active traffic path between SSE VGC-A and SSE hub CPE-B were to fail.

2-sec4-vspa4.png

VSPA with the Active–Active Traffic Model

In the active–active traffic path model, you configure each VCG and customer SSE hub with two redundant active traffic paths. In the example configuration described later in this article, you perform the configuration on the VCGs to facilitate a control point for the designated traffic path configuration. As mentioned previously, the customer manages the VCG and customer SSE hub configurations, and they create configurations to meet their specific requirements.

2-sec4-vspa5.png

2-sec4-vspa6.png

You can find example configuration corresponding to these figures in Configure VSPA, below. In the example configuration, Community C is configured as follows to provide a loop prevention mechanism:

  • VCG export policy is applied to active–active traffic paths.
    • Community C is matched and is rejected (that is, not advertised) for traffic destined to customer SSE hubs.
    • VSPA user prefixes (VSPA-A and VSPA-B) are matched, marked with community C, and accepted (that is, advertised) for traffic destined to customer SSE hubs.
  • VCG import policy is applied to active traffic paths.
    • Community C is matched and rejected.
    • All other prefixes advertised by the customer SSE hub are marked with community C and with community 64513:64513, which is the default Versa DIA community, and accepted.

The following figure shows the active–active steady-state traffic flow.

2-sec4-vspa7.png

If either of the active traffic path fails, the other active traffic path is used for connectivity. The following figure illustrates the failure of the active traffic path between SSE VCG-A and customer SSE Hub CPE-A.

2-sec4-vspa8.png

Versa Secure Internet Access (VSIA)

VSIA is a Versa cloud-managed service that helps secure enterprise sites, home offices, and traveling users who are accessing distributed applications without compromising either security and the user experience. For VSIA, you can configure connectivity between VCG and customer SSE hubs for both the active–standby and active–active traffic path models.

The Versa client extends SD-WAN to client devices and provides configuration flexibility to ensure the best application and internet experience to WFA customers. This article does not include the Versa client configuration.

VSIA with the Active–Standby Traffic Model

In the active–standby traffic path model, which is illustrated in the following figures, you configure each VCG and customer SSE hub with an active traffic path and a standby traffic path. For the example discussed later in this article, you perform that configuration on the VCGs to facilitate a designated traffic path configuration control point. As mentioned previously, the customer manages the VCG and customer SSE hub configurations, and they create configurations to meet their specific requirements.

The example discussed in this article uses dynamic routing, specifically, EBGP. You can use static routing instead of of dynamic routing. For the static routing active–standby model, you configure the SSE hub static routes to prefer the static default route towards the active VCG. You configure IP SLA or SaaS monitors (for example, to monitor the VCG next hop, internet-based DNS server, and specific SaaS application), and you assign them to default routes to support failover. Layer 3 symmetric forwarding is configured by default on VCGs to ensure traffic path symmetry.

2-sec5-vsia1.png

2-sec5-vsia2.png

You can find example configuration corresponding to these figures in Configure VSIA, below. In the example configuration, Community C is configured as follows to provide a loop prevention mechanism:

  • VCG export policy is applied to the active traffic path (SSE VCG-A: A1 and SSE VCG-B: B1).
    • Community C is matched and is rejected (that is, not advertised) for traffic destined to customer SSE hubs.
    • The default route is matched, prepended once, marked with community C, and accepted (that is, advertised) for traffic destined to customer SSE hubs.
  • VCG export policy is applied to the standby traffic path (SSE VCG-A: A2 and SSE VCG-B: B2).
    • Community C is matched and is rejected (that is, not advertised) for traffic destined to customer SSE hubs.
    • The default route is matched, prepended twice, marked with community C, and accepted (that is, advertised) for traffic destined to customer SSE hubs.
  • VCG import policy is applied to the active traffic path (SSE VCG-A: A3 and SSE VCG-B: B3).
    • Community C is matched and rejected.
    • All other customer prefixes advertised by the SSE hub are prepended once, marked with community C and with community 64513:64113, which is the default Versa DIA community, and accepted.
  • VCG import policy applied to the standby traffic path (SSE VCG-A: A4 and SSE VCG-B: B4).
    • Community C is matched and rejected.
    • All other prefixes advertised by the customer SSE hub are prepended twice, marked with community C and with community 64513:64113, and accepted.

The following figure shows the active–standby steady-state traffic flow for VSIA.

2-sec5-vsia3.png

If the active traffic path fails, the standby traffic path is used for connectivity. The following figure illustrates the failure of the active traffic path between SSE VCG-A and customer SSE Hub CPE-A. The identical traffic path failover would occur if the active traffic path between SSE VGC-A and SSE hub CPE-B were to fail.

2-sec5-vsia4.png

VSIA with the Active–Active Traffic Model

In the active–active model, you configure each VCG and customer SSE hub with two redundant active traffic paths. In the example configuration described later in this article, you perform the configuration on the VCGs to facilitate a control point for the designated traffic path configuration. As mentioned previously, the customer manages the VCG and customer SSE hub configurations, and they create configurations to meet their specific requirements.

The example discussed in this article uses dynamic routing, specifically, EBGP. You can use static routing instead of of dynamic routing. For the static routing active–standby model, you configure the SSE hub static routes to prefer the static default route towards the active VCG. You configure IP SLA or SaaS monitors (for example, to monitor the VCG next hop, internet-based DNS server, and specific SaaS application), and you assign them to default routes to support failover. Layer 3 symmetric forwarding is configured by default on VCGs to ensure traffic path symmetry.

2-sec5-vsia5.png

2-sec5-vsia6.png

You can find example configuration corresponding to these figures in Configure VSIA, below. In the example configuration, Community C is configured as follows to provide a loop prevention mechanism:

  • VCG export policy is applied to the active–active traffic paths.
    • Community C is matched and is rejected (that is, not advertised) for traffic destined to customer SSE hubs.
    • The default route is matched, marked with community C, and accepted (that is, advertised) for traffic destined to customer SSE hubs.
  • VCG import policy is applied to active traffic paths.
    • Community C is matched and rejected.
    • All other customer SSE hub advertised prefixes are marked with community C and with community 64513:64513, which is the default Versa DIA community, and accepted.

The following figure shows the active–active steady-state traffic flow for VSIA.

2-sec5-vsia7.png

If either of the active traffic path fails, the other active traffic path is used for connectivity. The following figure illustrates the failure of the active traffic path between SSE VCG-A and customer SSE Hub CPE-A.

2-sec5-vsia8.png

Configure VSPA

This section provides a VSPA configuration example for the active–standby traffic path model. For this configuration, you do the following:

  • On Versa Concerto, configure BGP peering policies.
  • On Versa Concerto, configure site-to-site tunnels.
  • On Versa Director, configure the SSE hub devices. For these devices, you configure tunnel (TVI) interfaces, VPN profiles, BGP, and route redistribution policies.

If you want to configure the active–active traffic path model instead, the configuration is similar, but you apply the primary BGP peering policies to both tunnel interfaces. Also, you must configure symmetric forwarding on the branches in the customer SD-WAN environment.

Configure BGP Peering Policies Using Versa Concerto

On Versa Concerto, you configure BGP peering policies. You configure export policies to filter the advertisements that are sent to customer SSE hubs and import policies to filter the advertisements that are received from the customer SSE hubs.

To configure the BGP peering policies:

  1. Log in to Versa Concerto.
  2. Go to Configure > Secure Services Edge > Settings, and then click BGP Peer Policies.

    3-sec1-CC-BGP-peer-policies.png
  3. Click + Add Policy Term. The Add BGP Peer Policy screen displays.

    3-sec1-add-BGP-peer-policy.png

From this screen, you configure the import and export policies.

Configure an Export Policy

You configure one export policy (here, called To-SSE-Hub-Primary) that contains two policy terms, one for Community C (here, called VCG-SSE_Hub-Community) and the second for local client prefixes (here, called Local-Client-Prefixes). This export policy applies for advertisements towards customer SSE hubs.

To configure the export policy:

  1. Click + Add under Enter Policy Term. The Add Policy Term screen displays.
  2. Configure an export policy term for Community C:
    1. Click Criteria.

      add-BGP-policy-term-v2-border.png
    2. In the Community field, enter the community string to match, here, 1000:1000.

      3-sec1-match-community.png
    3. Click Action.

      add-BGP-policy-term-Action1-border.png
    4. In the Action field, select Reject.

      3-sec1-match-action.png
    5. Click General Information.

      add-BGP-policy-term-general-information-border.png
    6. Enter a name for the Policy Term, here, VCG-SSE_Hub-Community. Optionally, enter a description for the policy term.

      3-sec1-match-name.png
    7. Click Save.
  3. In the Add BGP Peer Policy screen, click + Add under Enter Policy Term again, to configure a second policy term for local client prefixes. The Add Policy Term screen displays.
    1. Click Criteria.
    2. In the NLRI field, enter the IP prefix of the file. This example uses the IPv4 prefixes 10.10.1.0/24, which is referred to as the VSPA client prefix for VCG-A.

      3-sec1-match-community-2.png
    3. Click Action, and then enter information for the following fields.

      3-sec1-match-action-2.png
       
      Field Description

      Action

      Select Accept.
      Community (Group of Fields)  
      • Community Action
      		 Select Replace all communities with the single community specified by set-community.
      • Community Value
      		 Enter 1000:1000, which is community C.
      AS Path (Group of Fields)  
      • AS Path Action
      		 Select Prepend the local AS path the number of times specified by local AS prepend count.
      • AS Path Prepend
      		 Enter the local AS path for the primary hub, here, 65000. For a secondary hub, use the local AS path multiplied by 2.
    4. Click General Information.
    5. Enter a name for the Policy Term, here, Local-Client-Prefixes. Optionally, enter a description for the policy term.

      3-sec1-match-name-2.png
    6. Click Save.
  4. In the Add BGP Peer Policy screen, click Enter Name, Description & Tags.
  5. Enter a name for the policy, here, To-SSE-Hub-Primary. Optionally, enter a description of the policy and tags to help you search for policies.

    3-sec1-policy-name.png
  6. Click Save.

Configure an Import Policy

You configure one import policy (here, called From-SSE-Hub-Primary) that contains two policy terms, one for Community C (here, called VCG-SSE_Hub-Community) and the second for all other advertised prefixes (here, called Allow-All). This import policy applies for advertisements received from customer SSE hubs.

To configure the import policy:

  1. Click + Add under Enter Policy Term. The Add Policy Term screen displays.
  2. Configure an import policy term for Community C:
    1. Click Criteria.
    2. In the Community field, enter the community to match, here, 1000:1000.

      3-sec2-match-community.png
    3. Click Action.
    4. In the Action field, select Reject.

      3-sec2-match-action.png
    5. Click General Information
    6. Enter a name for the Policy Term, here, VCG-SSE_Hub-Community. Optionally, enter a description for the policy term.

      3-sec2-match-name.png
    7. Click Save.
  3. In the Add BGP Peer Policy screen, click + Add under Enter Policy Term again, to configure a second policy term for all other advertised prefixes. The Add Policy Term screen displays.
    1. In the Criteria section, leave all entries blank, to match all criteria.

      4-sec1-import-match.png
    2. Click Action, and then enter information for the following fields.

      4-sec1-import-action.png
       
      Field Description

      Action

      Select Accept.
      Community (Group of Fields)  
      • Community Action
      		 Select Replace all communities with the single community specified by set-community.
      • Community Value
      		 Enter 1000:1000 64513:64513. The 64513:64513 is community C.
      AS Path (Group of Fields)  
      • AS Path Action
      		 Select Prepend the local AS path the number of times specified by local AS prepend count.
      • AS Path Prepend
      		 Enter the local AS path for the primary hub, here, 65000. For a secondary hub, use the local AS path multiplied by 2.
    3. Enter a name for the Policy Term, here, Allow-All. Optionally, enter a description for the policy term.

      4-sec1-import-general.png
    4. Click Save.
  4. In the Add BGP Peer Policy screen, click Enter Name, Description & Tags.
  5. Enter a name for the policy, here, From-SSE-Hub-Primary. Optionally, enter a description of the policy and tags to help you search for policies.
  6. Click Save.

Configure Site-to-Site Tunnels Using Versa Concerto

You must configure site-to-site IPsec tunnels for both the active (primary) and the standby (secondary) paths.

To configure the site-to-site IPsec tunnels:

  1. Log in to Versa Concerto.
  2. Go to Configure > Settings > Site-To-Site Tunnels, and then click + Add.

    3-sec3-site_to_site_tunnel.png
  3. In the Add Site-to-Site Tunnel screen, click Step 1, Enter Type, and then enter information for the following fields.
    1. In the Type field, click IPsec.
    2. In the Versa Gateway field, select the VCG that you want to connect to the customer SSE hub.
    3. Enter the remote (SD-WAN) public IP address (or FQDN) of the remote device.

      3-sec3-type.png
    4. Click Next.
  4. In the Step 2, Enter IPSec Information screen, enter information for the following fields. The following screenshots show example values. Modify them as necessary for your deployment.
    1. In the IKE group of fields, select the IKE version, transform, and Diffie-Hellman (DH) group, and enter values for the the dead-peer-detection (DPD) timeout and the IKE rekey time. It is recommended that you should use a strong key exchange transform and DH group.

      3-sec3-ike.png
    2. In the Local group of fields, select the local identity type, enter a value for the identity type, and enter the shared key for the local device.

      3-sec3-local.png
    3. In the Remote group of fields, select the remote identity type, enter a value for the identity type, and enter the shared key for the remote device.

      3-sec3-remote.png
    4. Click Next.
  5. In the Step 3, Enter Address and Routing/Policy Configurations screen, enter information for the following fields.
    1. In the Tunnel Virtual Interface IP Address field, enter the IP address prefix and mask associated with the VCG tunnel to SSE hub tunnel.
    2. In the VPN Name field, select name of the VPN between the VCG and the LAN-VR.
    3. In the MTU field, enter the MTU value of the largest protocol data unit that the port can receive or transmit, here, 1336 bytes.

      3-sec3-ip-add.png
    4. In the Routing Protocol field, select EBGP.
    5. In the Local ASN field, enter the AS number of the local VCG customer.
    6. In the Neighbor Address field, enter the IP address of the SSE hub tunnel that is associated with the VCG-to-SSE hub tunnel.
    7. In the Import/Export Policy field, select the import and export policies, here, From-SSE-Hub-Primary and To-SSE-Hub-Primary.

      3-sec3-routing-protocol.png
    8. Click Next.
  6. In the Step 4, Enter Name, Description and Tags screen, enter a name for the site-to-site configuration. Optionally, enter a description of the site-to-site tunnel and tags to help you search for tunnels.
  7. Click Save.

Configure SSE Hub Devices Using Versa Director

You configure the SSE hub devices on Versa Director. For these devices, you configure tunnel (TVI) interfaces, VPN profiles, BGP, and route redistribution policies.

Configure TVI Interfaces

  1. In Director View:
    1. Select the Configuration tab in the top menu bar.
    2. Select Template > Device Templates.
    3. Select the SSE hub device that terminates the IPsec tunnel from the VOS VCG. The view changes to Template view.

      3-sec4-templates.png
  2. Select the Configuration tab in the top menu bar.
  3. Select Networking > Interfaces > Tunnel in the left menu bar. The following screen displays.

    3-sec4-interfaces.png
  4. Click the + Add icon to add a TVI interface.
  5. Configure the TVI interface to use for the IPsec tunnel. Then, in the Add Tunnel Interface popup window, select the Tunnel tab and enter information for the following fields.
    1. In the Interface field, enter the slot and port numbers for the TVI interface. The highest interface available is tvi-15/19999.
    2. Enter a description, for the tunnel interface, here, SSE-VCG-A-IPsec Tunnel.
    3. Enter the MTU value, here, 1336 bytes.
    4. In the Mode field, select IPsec.
    5. In the Tunnel Type field, select Point-to-Point IPsec tunnel.
    6. In the Subinterfaces table, click Unit 0 to edit it.

      3-sec4-add-tvi.png
    7. In the Edit Subinterface popup window, select the IPv4 tab.
    8. In the IP Address and Mask field, click the gear icon to parameterize the IP address and mask. When you use a device template, enter the IP Address in Workflow > Devices > Device > Bind Data.

      3-sec4-subinterface.png
    9. Click OK.
  6. To configure another TVI interface, repeat Step 5.
  7. Click OK.

The following example shows the CLI commands to add two TVI interfaces (here, tvi-15/100 and tvi-15/101) for the two IPsec tunnels (SSE-VCG-A and SSE-VCG-B).

3-sec4-tvis-cli.png

Add Tunnel Interfaces to Traffic Identification

  1. In Template view, select the Configuration tab in the top menu bar.
  2. Select Others > Organization > Limits in the left menu bar.
  3. Click the organization name. The Edit Organization Limit popup window displays.
  4. Select the Traffic Identification tab, and then select the two TVI interfaces that you configured in Configure TVI Interfaces, above.

    3-sec4-org-limit.png
  5. Click OK.

The following example shows the CLI command to configure TVI interfaces for traffic identification:

3-sec4-org-limit-example.png

Configure VPN Profiles

  1. In Template View, select Configuration in the top menu bar.
  2. Select Services > IPsec > VPN Profiles in the left menu bar.

    3-sec4-vpn.png
  3. Click the + Add icon. The Add IPsec VPN popup window displays.
  4. Select the General tab.

    3-sec4-vpn-general.png
  5. In the VPN Profile Name field, enter a name for the VPN profile.
  6. Select the General tab in the horizontal menu bar, and then enter information for the following fields.
    1. In the VPN Type field, select Site to Site.
    2. In the Tunnel Routing Instance field, select Versa-LAN-VR.
    3. In the Tunnel Interface field, select tvi-15/100.0.
    4. In the Tunnel Payload Family, select IPv4 family.
  7. Select the Local and Peer tab in the horizontal menu bar, and then enter information for the following fields:
    1. In the Routing Instance field, select Internet-1-Transport-VR.
    2. In the Peer group of fields, click Peer IP, and then enter the VCG public IP address, here, 192.168.122.60.
    3. In the Local group of fields, click Local IP, and then enter the local public IP address.

      3-sec4-vpn-local-and-peer.png
  8. In IPsec VPN popup window, select the IKE tab, and the nenter information for the following fields:
    1. In the Version field, select IKE V2.
    2. In the Transform and DH Group group of fields, configure the transform and DH group based on customer requirements.
    3. In the Local Authentication group of fields, configure the local authentication. In the Authentication Type field, select PSK. In the Shared Key field, click the tool icon to parameterize the value. In the Identity Type field, select FQDN. In the FQDN Identity field, click the tool icon to parameterize the value.
    4. In the Peer Authentication group of fields, configure the peer authentication. Use the same values that you configure for local authorization.

      3-sec4-vpn-ike.png
  9. In IPsec VPN popup window, select the IPsec tab, and then, in the Transform group of fields, configure the transform based on customer requirements.
    3-sec4-vpn-ipsec.png
  10. Click OK.

The following example shows the CLI commands to configure the VPN profile:

3-sec4-vpn-cli.png

Configure the Virtual Router

  1. In Template View, select Configuration in the top menu bar.
  2. Select Networking > Virtual Routers in the left menu bar.

    3-sec4-vr.png
  3. Select the virtual router, here, Versa-LAN-VR. The Edit Versa-LAN-VR popup window displays.
  4. Select the Virtual Router Details tab.
  5. In the Interfaces/Networks field, select the TVI interfaces that you configured, here, tvi-15/100.0 and tvi-15/101.0.

    3-sec4-vr-tvi.png
  6. Click OK.

The following example shows the CLI command to configure BGP for VCG-A:

3-sec4-vr-cli.png

Configure BGP

  1. If you are continuing from the previous section, skip to Step 2. Otherwise:
    1. In Template View, select Configuration in the top menu bar.
    2. Select Networking > Virtual Routers in the left menu bar.
    3. Select the virtual router, here, Versa-LAN-VR. The Edit Versa-LAN-VR popup window displays.
  2. Select the BGP tab, and then click the + Add icon. The Add BGP Instance popup window displays.
  3. Select the General tab, and then enter information for the following fields:
    1. In the Instance ID field, enter the BGP instance ID, here, 3611.
    2. In the Router ID field, click the tool icon to parameterize the value.
    3. In the Local AS field, enter the customer-assigned AS number, here, 64514.
    4. In the Local AS Mode field, enter 4.

      3-sec4-vr-bgp.png
  4. Select the Peer Group tab, and then click the + Add icon. In the Add BGP Instance Add Peer Group popup window displays, enter information for the following fields:
    1. In the Name field, enter a name for the peer group, here, VGP-Hub-Group.
    2. In the Type field, select EBGP.

      3-sec4-vr-peer-group.png
  5. Select the Neighbors tab, and then click the + Add icon. The Edit BGP Instance Add Peer Group Add Neighbor popup window displays.
  6. To configure a BGP neighbor for VCG-A, enter information for the following fields:
    1. In the Neighbor IP field, click the tool icon to parameterize the value.
    2. In the Peer AS field, click the tool icon to parameterize the value.
    3. In the Local Address field, click the tool icon to parameterize the value.

      3-sec4-vr-neighbors.png
    4. Click OK.
  7. Repeat Step 6 to configure a BGP neighbor for VCG-B.
  8. Click OK.

The following example shows the CLI commands to configure BGP for VCG-A:

3-sec4-vr-bgp-cli.png

Configure Redistribution Policies

  1. In Template View, select Configuration in the top menu bar.
  2. Select Networking > Virtual Routers in the left menu bar.

    3-sec4-vr.png
  3. Select the virtual router (in this example, Versa-LAN-VR). The Edit Versa-LAN-VR popup window displays.
  4. Select the Redistribution Policies tab, and then click the + Add icon. The Add Redistribution Policy popup window displays.
  5. In the Name field, enter a Name for the Redistribution Policy, here, To-Versa-LAN-VR-Export.

    3-sec4-redist-policy-add.png
  6. In the Terms group of fields, click the + Add icon to add a term. The Add Redistribution Policy Add Term popup window displays.
  7. Select the Match tab, and then enter information for the following fields.
    1. Enter a name for the term, here, SSE-Client-Prefixes.
    2. In the Protocol field, select BGP.
    3. In the Community field, enter the community number, here, 1000:1000, for community C.

      3-sec4-redist-term.png
  8. Select the Action tab and then enter information for the following fields.
    1. In the Accept/Reject field, select Accept.
    2. In the Origin field, select Local EGP.

      3-sec4-redist-action.png
    3. Click OK.
  9. Click the Move-top.pngMove Top icon to move the term to the top of the list of terms in the policy.
  10. Click OK.
  11. Click the + Add icon to configure a second redistribution policy. The Add Redistribution Policy popup window displays.
  12. Enter a Name for the Redistribution Policy, here, Default-Policy-To-BGP.
  13. Click the + Add icon to add a term. The Add Redistribution Policy Add Term popup window displays.
  14. Select the Match tab, and then enter information for the following fields.
    1. Enter a name for the term, here, SSE-Client-Prefixes.
    2. In the Protocol field, select BGP.
    3. In the Community field, enter the community number, here, 1000:1000, for community C.
  15. Select the Action tab, and then enter information for the following fields.
    1. In the Accept/Reject field, select Accept.
    2. In the Community field, enter the community number, here, 8009:8010, which is the standard Versa Hub global community for hub LAN routes.
    3. In the Origin field, select Local EGP.

      3-sec4-redist-action-2.png
  16. Click OK.
  17. Click the Move-top.pngMove Top icon to move the term to the top of the list of terms in the policy.
  18. Click OK.

The following example shows the CLI commands to configure redistribution policies:

3-sec4-redist-cli.png

Traffic Flow Examples

The diagram below shows the steady state traffic flow for the VSPA configuration in active–standby. 

3-sec5-steady-state.png

The following screenshots show session statistics from SSE Hub CPE-A. For information on monitoring sessions, see Monitor VOS Devices in Real Time

3-sec5-steady-gui-1.png

3-sec5-steady-gui-2.png

3-sec5-steady-gui-3.png

The following example shows output for the show orgs org org-name session extensive CLI command on SSE Hub CPE-A: 

3-sec5-steady-cli.png

In the event of a failure on the active traffic path between SSE VCG-A and customer SSE Hub CPE-A, the traffic flow diverts to customer SSE Hub CPE-B, as shown in the diagram below.

3-sec5-link-failure.png

The following screenshots show session statistics for customer SSE Hub CPE-B. For information on monitoring sessions, see Monitor VOS Devices in Real Time

3-sec5-link-failure-gui-1.png

3-sec5-link-failure-gui-2.png

The following example shows output for the show orgs org org-name session extensive CLI command on customer SSE Hub CPE-B: 

3-sec5-link-failure-cli.png

Configure VSIA

This section provides a VSIA configuration example for the active–standby traffic path model. For this configuration, you do the following:

  • On Versa Concerto, configure BGP peering policies.
  • On Versa Concerto, configure site-to-site tunnels.
  • On Versa Director, configure the SSE hub devices. For these devices, you configure tunnel (TVI) interfaces, VPN profiles, BGP, and route redistribution policies.

If you want to configure the active–active traffic path model instead, the configuration is similar, but you apply the primary BGP peering policies to both tunnel interfaces. Also, you must configure symmetric forwarding on the branches in the customer SD-WAN environment.

Configure BGP Peer Policies Using Versa Concerto 

On Versa Concerto, you configure BGP peering policies. You configure export policies to filter the advertisements that are sent to customer SSE hubs and import policies to filter the advertisements that are received from the customer SSE hubs.

To configure the BGP peering policies:

  1. Log in to Versa Concerto. 
  2. Go to Configure > Security Service Edge > Settings, and then click BGP Peer Policies.

    3-sec1-CC-BGP-peer-policies.png
  3. Click + Add Policy Term. The Add BGP Peer Policy screen displays.

    3-sec1-add-BGP-peer-policy.png

From this screen, you configure the import and export policies.

Configure an Export Policy

You configure one export policy (here, called To-SSE-Hub-Primary) that contains two policy terms, one for Community C (here, called VCG-SSE_Hub-Community) and the second for the default route (here, called Default-Route). This export policy applies for advertisements towards customer SSE hubs.

To configure the export policy:

  1. Click + Add under Enter Policy Term. The Add Policy Term screen displays.
  2. Configure an export policy for Community C:
    1. Click Criteria.

      add-BGP-policy-term-v2-border.png
    2. In the Community field, enter the community string to match, here, 1000:1000.

      3-sec1-match-community.png
    3. Click Action.

      add-BGP-policy-term-Action1-border.png
    4. In the Action field, select Reject.

      3-sec1-match-action.png
    5. Click General Information.

      add-BGP-policy-term-general-information-border.png
    6. Enter a name for the Policy Term, here, VCG-SSE_Hub-Community. Optionally, enter a description for the policy term.

      3-sec1-match-name.png
    7. Click Save.
  3. In the Add BGP Peer Policy screen, click + Add under Enter Policy Term again, to configure a second policy term for the default route. The Add Policy Term screen displays.
    1. Click Criteria.
    2. In the NLRI field, enter the IP prefix to match. This example uses prefixes 0.0.0.0/0.

      4-sec1-export-match.png
    3. Click Action, and then enter information for the following fields.

      4-sec1-export-action.png
       
      Field Description
      Action  Select Accept.
      Community (Group of Fields)  
      • Community Action
      		 Select Replace all communities with the single community specified by set-community.
      • Community Value
      		 Enter 1000:1000, which is community C.
      AS Path (Group of Fields)  
      • AS Path Action
      		 Select Prepend the local AS path the number of times specified by local AS prepend count.
      • AS Path Prepend
      		 Enter the local AS path for the primary hub, here, 65000. For a secondary hub, use the local AS path multiplied by 2.
    4. Click General Information.
    5. Enter a name for the Policy Term (here, Default-Route) and a description (optional). 

      4-sec1-export-general.png
    6. Click Save.
  4. In the Add BGP Peer Policy screen, click Enter Name, Description & Tags.
  5. Enter a name for the policy, here, To-SSE-Hub-Primary. Optionally, enter a description of the policy and tags to help you search for policies. 

    3-sec1-policy-name.png
  6. Click Save.

Configure an Import Policy Edit section

You configure one import policy (here, called From-SSE-Hub-Primary) that contains two policy terms, one for Community C (here, called VCG-SSE_Hub-Community) and the second for all other advertised prefixes (here, called Allow-All). This import policy applies for advertisements received from customer SSE hubs.

To configure the import policy:

  1. Click + Add under Enter Policy Term. The Add Policy Term screen displays.
  2. Configure an import policy term for Community C:
    1. Click Criteria.
    2. In the Community field, enter the community to match, here, 1000:1000.
      3-sec2-match-community.png
    3. Click Action.
    4. In the Action field, select Reject.
      3-sec2-match-action.png
    5. Click General Information
    6. Enter a name for the Policy Term, here, VCG-SSE_Hub-Community. Optionally, add a description for the policy term. 
      3-sec2-match-name.png
    7. Click Save.
  3. In the Add BGP Peer Policy screen, click + Add under Enter Policy Term again, to configure a second policy term for all other advertised prefixes. The Add Policy Term screen displays.
  4. Configure the policy term for all other advertised prefixes:
    1. In the Criteria section. leave all entries blank, to match all criteria.
      4-sec1-import-match.png
    2. Click Action, and then enter information for the following fields.

      4-sec1-import-action.png
      Field Description

      Action

      Select Accept.
      Community (Group of Fields)  
      • Community Action
      		 Select Replace all communities with the single community specified by set-community.
      • Community Value
      		 Enter 1000:1000 64513:64513. The 64513:64513 is community C.
      AS Path (Group of Fields)  
      • AS Path Action
      		 Select Prepend the local AS path the number of times specified by local AS prepend count.
      • AS Path Prepend
      		 Enter the local AS path for the primary hub, here, 65000. For a secondary hub, use the local AS path multiplied by 2.
    3. Enter a name for the Policy Term, here, Allow-All. Optionally, enter a description for the policy term.

      4-sec1-import-general.png
    4. Click Save.
  5. In the Add BGP Peer Policy screen, click Enter Name, Description & Tags.
  6. Enter a name for the policy, here, From-SSE-Hub-Primary. Optionally, enter a description of the policy and tags to help you search for policies. 
    4-sec1-import-2.png
  7. Click Save.

Configure Site-to-Site Tunnels Using Versa Concerto 

You must configure site-to-site IPsec tunnels for both the active (primary) and the standby (secondary) paths.

To configure the site-to-site IPsec tunnels:

  1. Log in to Versa Concerto. 
  2. Go to Configure > Security Service Edge > Settings > Site-To-Site Tunnels, and then click + Add.

    3-sec3-site_to_site_tunnel.png
  3. In the Add Site-to-Site Tunnel screen, click Step 1, Enter Type, and then enter information for the following fields.
    1. In the Type field, click IPsec.
    2. In the Versa Gateway field, select the VCG that you want to connect to the customer SSE hub.
    3. Enter the remote (SD-WAN) public IP address (or FQDN) of the remote device.

      3-sec3-type.png
    4. Click Next.
  4. In the Step 2, Enter IPSec Information screen, enter information for the following fields. The following screenshots show example values. Modify them as necessary for your deployment.
    1. In the IKE group of fields, enter the IKE Version, Transform, DH Group, DPD Timeout and IKE Rekey Time. It is recommended that you should use a strong key exchange transform and DH group.
       
      3-sec3-ike.png
    2. In the Local group of fields, select the local identity type, enter a value for the identity type, and enter the shared key for the local device.

      3-sec3-local.png
    3. In the Remote group of fields, select the remote identity type, enter a value for the identity type, and enter the shared key for the remote device.

      3-sec3-remote.png
    4. Click Next.
  5. In the Step 3, Enter Address & Routing / Policy Configurations screen, enter information for the following fields.
    1. In the Tunnel Virtual Interface IP Address field, enter the VCG tunnel IP address and mask associated with the VCG-to-SSE hub tunnel.
    2. In the VPN Name field, select name of the VPN between the VCG and the LAN-VR.
    3. In the MTU field, enter the MTU value of the largest protocol data unit that the port can receive or transmit, here, 1336 bytes. 

      3-sec3-ip-add.png
    4. In the Routing Protocol field, select EBGP.
    5. In the Local ASN field, enter the AS number of the local VCG customer.
    6. In the Neighbor Address field, enter the IP address of the SSE hub tunnel that is associated with the VCG-to-SSE hub tunnel.
    7. In the Import/Export Policy field, select the import and export policies, here, From-SSE-Hub-Primary and To-SSE-Hub-Primary.

      3-sec3-routing-protocol.png
    8. Click Next.
  6. In the Step 4, Enter Name, Description and Tags screen, enter a name for the site-to-site configuration. Optionally, enter a description of the site-to-site tunnel and tags to help you search for tunnels.
  7. Click Save.

Configure SSE Hub Devices Using Versa Director

You configure the SSE hub devices on Versa Director. For these devices, you configure tunnel (TVI) interfaces, VPN profiles, BGP, and route redistribution policies.

Configure TVI Interfaces

  1. In Director View:
    1. Select the Configuration tab in the top menu bar.
    2. Click Template > Device Templates.
    3. Select the SSE hub device that terminates the IPsec tunnel from the VOS VCG. The view changes to Template view.

      3-sec4-templates.png
  2. Select the Configuration tab in the top menu bar. 
  3. Select Networking > Interfaces > Tunnel in the left menu bar. The following screen displays.

    3-sec4-interfaces.png
  4. Click the + Add icon to add a TVI interface. 
  5. Configure the TVI interface to use for the IPsec tunnel:
    1. In the Interface field, enter the slot and port numbers for the TVI interface. The highest interface available is tvi-15/19999.
    2. Enter a description, for the tunnel interface, here, SSE-VCG-A-IPsec Tunnel. 
    3. Enter the MTU value, here, 1336 bytes. 
    4. In the Mode field, select IPsec.
    5. In the Tunnel Type field, select Point-to-point IPsec tunnel.
    6. In the Subinterfaces table, click Unit 0 to edit it.

      3-sec4-add-tvi.png
    7. In the Edit Subinterface popup window, select the IPv4 tab. 
    8. In the IP Address and Mask field, click the gear icon to the right to parameterize the IP address and mask. When you use a device template, enter the IP Address in Workflow > Devices > Device > Bind Data.

      3-sec4-subinterface.png
    9. Click OK.
  6. To configure another TVI interface, repeat Step 5.
  7. Click OK.

The following example shows the CLI commands to add two TVI interfaces (here, tvi-15/100 and tvi-15/101) for the IPsec tunnels (SSE-VCG-A and SSE-VCG-B).
3-sec4-tvis-cli.png

Add Tunnel Interfaces to Traffic Identification

  1. In Template view, select Configuration in the top menu bar.
  2. Select Others > Organization > Limits in the left menu bar. 
  3. Click the organization name. The Edit Organization Limit popup window displays.
  4. Select the Traffic Identification tab, and then select the two TVI interfaces that you configured in Configure TVI Interfaces, above. 

    3-sec4-org-limit.png
  5. Click OK.

The following example shows the CLI command to add TVI interfaces to traffic identification.

3-sec4-org-limit-example.png

Configure VPN Profiles

  1. In Template View, select Configuration in the top menu bar. 
  2. Select Services > IPsec > VPN Profiles in the left menu bar.

    3-sec4-vpn.png
  3. Click the + Add icon. The Add IPsec VPN popup window displays.
  4. Select the General tab.

     3-sec4-vpn-general.png
  5. In the VPN Profile Name field, enter a name for the VPN profile.
  6. Select the General tab in the horizontal menu bar, and then enter information for the following fields.
    1. In the VPN Type field, select Site to Site.
    2. In the Tunnel Routing Instance field, select Versa-LAN-VR.
    3. In the Tunnel Interface field, select tvi-15/100.0.
    4. In the Tunnel Payload Family, select IPv4 family.
  7. Select the Local and Peer tab in the horizontal menu bar, and then enter information for the following fields.
    1. In the Routing Instance field, select Internet-1-Transport-VR. 
    2. In the Peer group of fields, click Peer IP, and then enter the VCG public IP address, here, 192.168.122.60. 
    3. In the Local group of fields, click Local IP, and then enter the local public IP address. 

      3-sec4-vpn-local-and-peer.png
  8. In IPsec VPN popup window, select the IKE tab, and the nenter information for the following fields.
    1. In the Version field, select IKE V2. 
    2. In the Transform and DH Group group of fields, configure the transform and DH group based on customer requirements. 
    3. In the Local Authentication group of fields, configure the local authentication. In the Authentication Type field, select PSK. In the Shared Key field, click the tool icon to parameterize the value. In the Identity Type field, select FQDN. In the FQDN Identify field, click the tool icon to parameterize the value.
    4. In the Peer Authentication group of fields, configure the peer authentication. Use the same values that you configured for local authorization. 3-sec4-vpn-ike.png
  9. In the IPsec VPN popup window, select the IPsec tab, and then, in the Transform group of fields, configure the Transform group of fields based on customer requirements. 
    3-sec4-vpn-ipsec.png
  10. Click OK.

The following example shows the CLI commands to configure the VPN profile.

3-sec4-vpn-cli.png

Configure Virtual Router Details

  1. In Template View, select Configuration in the top menu bar.
  2. Select Networking > Virtual Routers in the left menu. 

    3-sec4-vr.png
  3. Select the virtual router, here, Versa-LAN-VR. The Edit Versa-LAN-VR popup window displays. 
  4. Select the Virtual Router Details tab.
  5. In the Interfaces/Networks field, select the TVI interfaces that you configured, here, tvi-15/100.0 and tvi-15/101.0.
     
    3-sec4-vr-tvi.png
  6. Click OK.

The following example shows the CLI commands to configure BGP for VCG-A:

3-sec4-vr-cli.png

Configure BGP

  1. If you are continuing from the previous section, skip to Step 2. Otherwise:
    1. In Template View, select Configuration in the top menu bar.
    2. Select Networking > Virtual Routers in the left menu bar.
    3. Select the virtual router, here, Versa-LAN-VR. The Edit Versa-LAN-VR popup window displays.
  2. Select the BGP tab and click the + Add icon. The Add BGP Instance popup window displays.
  3. Select the General tab, and then enter information for the following fields.
    1. In the Instance ID field, enter the BGP instance ID, here, 3611.
    2. In the Router ID field, click the tool icon to parameterize the value.
    3. In the Local AS field, enter the customer-assigned AS, here, 64514.
    4. In the Local AS Mode field, enter 4. 

      3-sec4-vr-bgp.png
  4. Select the Peer Group tab, and then click the + Add icon. The Add BGP Instance Add Peer Group popup window displays.
  5. Enter information for the following fields.
    1. In the Name field, enter a name for the peer group, here, VGP-Hub-Group.
    2. In the Type field, enter EBGP.

      3-sec4-vr-peer-group.png
  6. Select the Neighbors tab, and then click the + Add icon. The Edit BGP Instance Add Peer Group Add Neighbor popup window displays.
  7. To configure a BGP neighbor for VCG-A, enter information for the following fields.
    1. In the Neighbor IP field, click the tool icon to parameterize the value.  
    2. In the Peer AS field, click the tool icon to parameterize the value.
    3. In the Local Address field, click the tool icon to parameterize the value. 

      3-sec4-vr-neighbors.png
    4. Click OK.
  8. Repeat Step 7 to configure a BGP neighbor for VCG-B. 
  9. Click OK.

The following example shows the CLI commands to configure BGP for VCG-A:

3-sec4-vr-bgp-cli.png

Configure Redistribution Policies

  1. In Template View, select Configuration in the top menu bar.
  2. Select Networking > Virtual Routers in the left menu. 

    3-sec4-vr.png
  3. Select the virtual router, here, Versa-LAN-VR. The Edit Versa-LAN-VR popup window displays.
  4. Select the Redistribution Policies tab, and then click the + Add icon. The Add Redistribution Policy popup window displays.
  5. In the Name field, enter a name for the Redistribution Policy, here, To-Versa-LAN-VR-Export.

    3-sec4-redist-policy-add.png
  6. In the Terms group of fields, click the + Add icon to add a term. The Add Redistribution Policy Add Term popup window displays.
  7. Select the Match tab, and then enter information for the following fields.
    1. Enter a name for the term, here, SSE-Default-Route.
    2. In the Protocol field, select BGP.
    3. In the Community field, enter the community number, here, 1000:1000, for community C.

      4-sec2-edit-redist-match.png
  8. Select the Action tab, and then enter information for the following fields.
    1. In the Accept/Reject field, select Accept.
    2. In the Origin field, select Local EGP.
    3. Click OK.
  9. Click on the Move-top.pngMove Top icon to move the term to the top of the list. 
  10. Click OK.
  11. Click the + Add icon to configure a second redistribution policy. The Add Redistribution Policy popup window displays.
  12. Enter a Name for the Redistribution Policy, here, Default-Policy-To-BGP.
  13. Click the + Add icon to add a term. The Add Redistribution Policy Add Term popup window displays.
  14. Select the Match tab, and then enter information for the following fields.
    1. Enter a name for the term, here, SSE-Default-Route.
    2. In the Protocol field, select BGP.
    3. In the Community field, enter the community number, here, 1000:1000, for community C.

      4-sec2-redist-match-2.png
  15. Select the Action tab, and then enter information for the following fields.
    1. In the Accept/Reject field, select Reject.

      4-sec2-redist-action-2.png
  16. Click OK.
  17. Click on the Move-top.pngMove Top icon to move the term to the top of the list.
  18. Click OK.

The following example shows the CLI commands to configure redistribution policies:

4-sec2-redist-example.png

Traffic Flow Examples

The diagram below shows the steady state traffic flow for the VSIA configuration in active–standby.  
 

4-sec3-AS-steady-state.png

The following screenshots show session statistics from SSE Hub CPE-A. For information on monitoring sessions, see Monitor VOS Devices in Real Time
 

4-sec3-AS-link-failure-gui-1.png
 

4-sec3-AS-link-failure-gui-2.png
 

4-sec3-AS-link-failure-gui-3.png

The following example shows output for the show orgs org org-name session extensive CLI command on SSE Hub CPE-A: 
 

4-sec3-AS-steady-cli.png

In the event of a failure on the active traffic path between SSE VCG-A and customer SSE Hub CPE-A, the traffic flow diverts to customer SSE Hub CPE-B, as shown in the diagram below.
 

4-sec3-AS-link-failure.png

The following screenshots show session statistics from SSE Hub CPE-A. For information on monitoring sessions, see Monitor VOS Devices in Real Time
 

4-sec3-AS-link-failure-gui-2.png
 

4-sec3-AS-link-failure-gui-2.png
 

4-sec3-AS-link-failure-gui-3.png

The diagram below shows the steady state traffic flow for the VSIA configuration in active–active.
 

4-sec3-AA-steady-state.png
 

The following screenshots show session statistics from SSE Hub CPE-A. For information on monitoring sessions, see Monitor VOS Devices in Real Time
 

4-sec3-AA-steady-gui-1.png
 

4-sec3-AS-link-failure-gui-2.png
 

4-sec3-AS-steady-gui-3.png

The following example shows output for the show orgs org org-name session extensive CLI command on SSE Hub CPE-A: 
 

4-sec3-AA-steady-cli.png
 

4-sec3-AA-steady-cli-2.png

 

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Page type
    Topic
  2. Tags
    This page has no tags.