Skip to Content

The overlay and underlay network lab using SD-WAN

The overlay and underlay network lab using SD-WAN

I have covered what is VXLAN and the differences between the overlay and underlay network here, in this blog we are going to take a look at the overlay and underlay in action using nuage sd-wan lab.

The underlay network topology.

Below is the actual underlay network, The Branch 1 NSG is connected to two WAN links both from internet 1 and 2 respectively, so is the NSG2 at the branch-2.

differences between the underlay and overlay

How does the NSG1 at the branch one talks to the NSG2 at Branch2 ?

It uses VXLAN tunneling mechanism between these two branches and passes the overlay traffic.

overlay network using vxlan tunnel

The LAN side of these branches which is the overlay is not aware of the underlay network.

The connection between the Branch-1 and Branch-2 LAN side would go via the VXLAN tunnel.

What if you add one more branch to the topology?
All the branch networks become a full mesh topology and start to send traffic with each other.

As you can see in the diagram above, we are going to use two overlay subnets in this lab, like below.

10.1.1.0/24 – Branch1
10.2.2.0/24 – Branch2

Follow the below steps to create the overlay network in Nuage SD-WAN.

  • Goto the Organisation and click on Networks
  • Click on the plus icon to create L3 Domain, I am naming it as L3 Domain.
creation of overlay network in nuage
  • Drag and drop the zone templates to the domain.
Creation of overlay network in nuage
  • Select the domain you just created and click on the Instantiate domain from down bottom left. I just gave the name Network.
Creation of overlay network
  • Now you can start drag and drop the subnet to the branch networks, eventually it would look like below.
adding subnets to overlay networks.
  • You need to attach the NSG’s to the subnet by attaching Bridge Vport.
attaching the NSG to the overlay network.
  • You just attached the branch-1 LAN side to the overlay, you may do the same steps for the Branch-2 as well.
  • We successfully added the NSG to the overlay network.
branch creation in Nuage SD-WAN

Attaching the end-user machine on the Overlay.

We have already created a VLAN 111 and 222 for Branch-1 and branch-2 LAN side respectively on the underlay gateway as well as on the KVM hosts where we are going to deploy the branch hosts.

I have also deployed Centos and Ubuntu 19.04 for Branch1 and Branch2 respectively, let’s connect both to our network.

  • Going to use Centos as the branch-1 machine, Open the Centos VM and click on properties. On the network select Bridge interface ‘br111’ for the host and apply the changes.
attaching the end hosts in overlay network
  • Do the same thing on the ubuntu host which represents Branch-2 as well, but use br222 for the second host instead of br111.

Now, will you be able to connect the hosts between?

Of course not as we have not configured the IP address on these hosts.
Let’s configure the IP for the hosts from the VSD using the DHCP.

Configuration of DHCP in Nuage VNS

  • goto the enterprise, click on Network, select the subnet and click on the DHCP icon.
  • Create the DHCP scope like below, I intentionally left the first ten IP addresses from the scope.
configuring DHCP on nuage overlay network
  • Do the same thing for the second subnet as well.
  • Now you connect the network in the hosts you would get IP address from those DHCP scopes.

As you can see below, I got an IP address 10.1.1.94 for the Centos from branch-1.

overlay IP on the end host on branch1

And got 10.2.2.235 for the Ubuntu from Branch-2.

overlay IP on the end host on branch2

Allow Overlay communication

In order for the branch to branch communication to happen, you need to allow the ACL policy in VSD.

  • Login to the VSD and click on Policies, create an ingress security policy to allow-all like below.
Ingress ACL policy on nuage SD-WAN
  • Do the same thing for the Egress security policies as well.
Egress Security policies on Nuage SD-WAN

Overlay Communication verification

Lets start pinging the host’s machines.

As you can see I can ping the Branch-2 gateway IP 10.2.2.1 as well as the host IP which is 10.2.2.235

Overlay communication verifcation

Lets verify the same from branch-2

Yes, I can ping the gateway 10.1.1.1 as well as the hosts 10.1.1.94 here as well.

Overlay communication verification

Finally let’s also verify the traceroute of these packets.

When I ran my traceroute with the command mtr 10.1.1.94, you get the below output.
It is just overlay devices and there is no underlay networks in it.

Running traceroute on the overlay network

Same on the other side as well with the command mtr 10.2.2.235

Running traceroute on the overlay network