Rate this lesson

Cisco SD-WAN Service VPN are subnets and services distributed behind SD-WAN network which communicate over SD-WAN infrastructure. in other words, the LAN part of SD-WAN infrastructure that is not yet ready in our topology. This section is devoted to create LAN section of the SD-WAN infrastructure using Service VPN.

SD-WAN Service VPN Concept

Just to review, we have already configured SD-WAN controllers and WAN Edge routers over internet transport. we have changed the configuration mode from CLI to vManage. Then we have added the second transport, MPLS. there is just one step to complete our SD-WAN infrastructure.


We have not still configured the LAN section of SD-WAN infrastructure which host real service and also users who use these services. This is done through Service VPN in cisco SD-WAN Architecture.

This is called Service VPN because they are configured in a different VRF as the default VRF to which interfaces connected to WAN transports are assigned.

Service VPN
Service VPN

Subnets in Service VPN are advertised between WAN edge routers via OMP routing protocol and with the help of the vSmart controller. OMP routing protocol will be discussed in the next section.

If you are familiar with MPLS VPN Service, Service VPN in SD-WAN infrastructure is similar to VPN Services in MPLS network. in MPLS, VPN Services are advertised through BGP protocol between PE routers. in SD-WAN, OMP routing protocol is used. In MPLS, Services are connected to PE routers. in SD-WAN, Services are connected to WAN Edge routers.  in MPLS, route reflector is used to advertise BGP routes between PE routers. in SD-WAN, vSmart is has the role of route reflector.

MPLS VPN Services
MPLS VPN Services

We will simulate LAN section of SD-WAN infrastructure with loopback interfaces.  We will create a new VPN in addition to VPN 0 and VPN 512 for the purpose of Service VPN, here VPN 10. Then we will assign loopback interfaces to this new VPN service, here loopback10 interface. 

SD-WAN Basic Topology: Service VPN and Loopback Interface
SD-WAN Basic Topology: Service VPN and Loopback Interface

IP address of interfaces belonging to the new VPN service is in the range of in site1 to in site4.

These two steps, adding new VPN service and adding loopback interface inside VPN service, is what will be done in this section to complete SD-WAN infrastructure.

The Configuration will be sone through SD-WAN template because the configuration mode of the SD-WAN infrastructure has already been changed from CLI to vManage.

Service VPN routing concept, is discussed in the next section. This section is only intended to complete our SD-WAN infrastructure by adding Service VPN.

Add Service VPN using SD-WAN Templates

Let’s implement Service VPN with adding required feature template.

device type: csr1000v

Template: Cisco VPN

Template Name: CSR1000v_VPN10

Description: CSR1000v_VPN10

Section: Basic Configuration

VPN Global 10
name Global VPN10

Another feature template must be added for the LAN interface of WAN Edge routers within Service VPN, which is simulated here with the loopback10 interface.

device type: csr1000v

Template: Cisco VPN Interface Ethernet

Template Name: CSR1000v_Interface_LAN

Description: CSR1000v_Interface_LAN

Section: Basic Configuration

shutdown Global No
Interface Name Global Loopback10
Description Global *** LAN ***
IP Address/ Prefix Length Device Specific

Now these two new feature templated must be added into existing device templated attached to WAN routers.

Template Name: CSR1000v_Device_Template

Description: CSR1000v_Device_Template

Section: Service VPN

Cisco VPN CSR1000v_VPN10
Visco VPN Interface Ethernet CSR1000v_interface_LAN

In this step you will be asked to enter the value of the device-specific parameters. IP address of loopback10 interface must be configured, based on the topology.

Loopback10 IP Address

When applying the configuration, it can be seen that a new VRF is created with RD and RT values like what we do in MPLS VPN Services and also Loopback 10 interface is assigned to this new VRF.

Service VPN in CLI
Service VPN in CLI
Assign Interface to Service VPN
Assign Interface to Service VPN

In this section, we have completed our SD-WAN infrastructure. from now on we can work on real WAN requirements like topology, security and QoS configurations.

Back to: Implementing Cisco SD-WAN Solutions > Completion of the SD-WAN topology

Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment