In this lab, the user will learn how to configure Hub and Spoke using OpenVPN (SSLVPN) with a Centralized Application.
VPNs are essential for centralized applications for several reasons:
- Improved Performance: Centralized applications can be accessed more reliably and with better performance due to SD-WAN’s intelligent path selection and traffic routing.
- Enhanced Security: Centralized security policies can be applied across the network, ensuring consistent protection for all applications.
- Simplified Management: Network administrators can manage the entire network, including application policies, through a single interface.
RansNet SD-WAN is particularly beneficial for organizations with multiple branches or cloud-based applications, as it provides a more efficient and flexible way to connect users to applications.

Required Lab Materials
- Public IP – Static for WAN port
- CMG appliance – 1 nos
- HSA / XE / UA – 1 nos or 2 nos or more, based on requirement
- Webserver or any application server
- Branch Internet – Open internet connection
- RansNet mfusion [portal10.ransnet.com] login credentials for SD-WAN management.
- RansNet Gateway LAN IP to be changed to 172.17.100.1/24 with DHCP release
- Web Application server [WAS] – The WAS will be connected to the Gateway LAN port.
Prerequisite
- Upgrade the firmware of CMG/HSA/UA/XE to the latest stable version. Refer to upgrade Host’s firmware link.
- Provision CMG/HSA/UA/XE to mfusion. Refer to Provision mbox appliance link.
Procedure
Configure CMG [Gateway]
STEP 1 – Configure WAN
- Navigate to ‘Orchestrator > Gateway‘, and click on the Gateway MAC address.
- Navigate to the ‘Network’ tab, click on the ‘Interface’ sub-menu and configure WAN / ETH0 / Port1 with a static IP address. Refer to New Ethernet Interface link.
STEP 2 – Configure SD-WAN SSLVPN
- Navigate to SD-WAN tab > Click on VPN menu

- Click on ‘Add VPN Instance‘ button to configure new instance.

- Configure the ‘VPN Instance’ by filling in the fields for the SSL VPN.
- The main fields are listed below:
  - VPN Instance ID
  - Gateway IP / FQDN
  - VPN Topology
  - VPN Network Mode
  - VPN Protocol
  - VPN Options
  - OpenVPN Encryption
  - VPN Address Pool & VPN Port number
  - Gateway Network/Prefix – Select the Gateway LAN network from the dropdown (172.17.100.1/24).

- Click on [button], then [button], then [button] to push the configuration to CMG.
Configure Branch CPE [HSA / UA / XE]
STEP 3 – Configure WAN interface
- Configure WAN / ETH0 / Port1 with a static IP address. Refer to New Ethernet Interface link.
STEP 4 – Configure Network Route
- Navigate to ‘Network‘ tab > ‘Static Routing‘ sub-menu.
- Select the Network/Prefix option from the IPv4 Route Destination field and configure the routes below. Click on [button] after configuring each route.
  - Default route with higher distance [Select IPv4 Administrative Distance (point 5) to configure distance]
    - ex: ip route 0.0.0.0/0 nexthop 192.168.1.254 distance 250 – Code for console interface
  - Route to SD-WAN Gateway
    - ex: ip route 17.5.7.8/32 nexthop 192.168.1.254 – Code for console interface
  - Route to portal.ransnet.com
    - ex: ip route 118.189.175.170/32 nexthop 192.168.1.254 – Code for console interface
  - Route DNS through default gateway to internet if VPN tunnel fails.
    - ex: ip route 8.8.8.8/32 nexthop 192.168.1.254 – Code for console interface

- Click on [button], then [button] to push the config to the Branch CPE.
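
The route set from STEP 4, modelled as an added example (not RansNet code): a small Python route lookup using longest-prefix match and then administrative distance, showing which next hop each destination uses with the tunnel up and down. The tap1 routes with distance 10, the distance 1 on the host routes and the test address 172.17.100.10 are assumptions; the page gives only the distance 250.

```python
import ipaddress

UNDERLAY = "192.168.1.254"  # branch next hop used in the page's examples

# (prefix, next hop, administrative distance)
# Distance 1 is an assumed default where the page gives no distance.
STATIC_ROUTES = [
    ("0.0.0.0/0", UNDERLAY, 250),         # fallback default route
    ("17.5.7.8/32", UNDERLAY, 1),         # SD-WAN gateway
    ("118.189.175.170/32", UNDERLAY, 1),  # portal.ransnet.com
    ("8.8.8.8/32", UNDERLAY, 1),          # DNS
]

# Assumed routes present only while the tunnel is up (not from the page).
TUNNEL_ROUTES = [
    ("0.0.0.0/0", "tap1", 10),
    ("172.17.100.0/24", "tap1", 10),      # gateway LAN from the page
]

def lookup(dest, tunnel_up):
    """Return the next hop: longest prefix wins, then lowest distance."""
    table = STATIC_ROUTES + (TUNNEL_ROUTES if tunnel_up else [])
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(p), nh, dist)
               for p, nh, dist in table
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    _, next_hop, _ = min(matches, key=lambda m: (-m[0].prefixlen, m[2]))
    return next_hop

def audit(dests):
    """Map each destination to (next hop tunnel up, next hop tunnel down)."""
    return {d: (lookup(d, True), lookup(d, False)) for d in dests}

if __name__ == "__main__":
    # Constructed sample destinations
    sample = ["172.17.100.10", "17.5.7.8", "118.189.175.170",
              "8.8.8.8", "1.1.1.1"]
    for dest, (up, down) in audit(sample).items():
        print(f"{dest:16} tunnel up -> {up:14} tunnel down -> {down}")
```

In this model the host routes to the gateway, the portal and 8.8.8.8 always leave through 192.168.1.254, so that traffic never enters the tunnel. Traffic for the gateway LAN falls back to the distance-250 default route whenever tap1 is down.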
Configure Firewall Rule for Tap Interface
STEP 5 – Configure SNAT Rule for tap interface
- Navigate to the ‘Security’ tab > ‘Firewall Policies’ menu
- In the ‘SNAT/Masquerade’ section, click on [button] to add an SNAT firewall rule.
  - ex: firewall-snat 105 overload outbound tap1 – Code for console interface

- Click on [button], then [button], then [button] to push the configuration to the Branch CPE.
Configure VPN Instance in Branch CPE
STEP 6 – Configure VPN Instance
- Navigate to ‘SD-WAN‘ tab > click on ‘VPN‘ menu
- From the ‘VPN Instances’ section, click on [button].
- Select the ‘VPN Instance ID’ from the dropdown.

- Click on [button], then [button], then [button] to push the configuration to the Branch CPE.
