
Cisco Viptela SDWAN: Configure Split DNS with a Centralized Data Policy through CLI

Today we are going to discuss Split DNS and how to configure it in a Cisco Viptela SD-WAN environment. Split DNS matters for application-aware routing: when a vEdge/cEdge router sends application traffic to, and receives application traffic from, a service VPN, the router first performs a Domain Name System (DNS) lookup to determine how to reach the server for that application.

With multiple WAN connections, a router that has no direct Internet reachability forwards its DNS queries to a router that does, and that router determines how to reach the application's server. Alternatively, we can make the vEdge/cEdge router a Direct Internet Access (DIA) point so that it reaches the Internet directly to perform the DNS lookups. To do this we create a policy that configures split DNS for the applications we choose: DNS requests for the listed applications are redirected out the local Internet exit, while all other DNS traffic keeps following its normal path.

While working on the policies, you can create a split DNS policy with either a centralized data policy or an application-aware routing policy.

Fig 1.1- Centralized Policy for Split DNS


In this article we configure the Split DNS policy from the CLI as a centralized data policy. Configuring it as an application-aware routing policy will be covered in the next article.

Configure Split DNS with a Centralized Data Policy

Step 1: Create a site list for the policy. Because this is a centralized policy, it is configured on the vSmart controller and later applied to the sites in this list.

NDNA_vSmart(config)# policy 
NDNA_vSmart(config-policy)# lists site-list NDNA (NDNA is the name of the site list used here)
NDNA_vSmart(config-lists)# site-id 100-105 (100-105 covers site IDs 100, 101, 102, 103, 104 and 105)

Step 2: Create a list of the applications or application families for which you want to enable split DNS. The data policy matches DNS traffic against this list.

NDNA_vSmart(config)# policy lists
NDNA_vSmart(config-lists)# app-list NDNA
NDNA_vSmart(config-app-list)# app GCP-apps (use "app" for an application name or "app-family" for a family name; the name must come from the router's predefined application list, GCP-apps is only a placeholder here)

Step 3: Create a list of the VPNs to which the split DNS policy is to be applied.

NDNA_vSmart(config)# policy lists 
NDNA_vSmart(config-lists)# vpn-list NDNA
NDNA_vSmart(config-lists)# vpn 10

Step 4: Create a data policy instance and associate it with the VPN list.

NDNA_vSmart(config)# policy data-policy NB
NDNA_vSmart(config-data-policy)# vpn-list NDNA

Step 5: Create a sequence of match–action pairs that selects the DNS traffic of the listed applications.

NDNA_vSmart(config-vpn-list)# sequence 11
NDNA_vSmart(config-sequence)# match dns-app-list NDNA
NDNA_vSmart(config-sequence)# match dns request (the other option is "match dns response"; for split DNS we act on the requests leaving the service VPN)

Step 6: Accept the matching packets (optionally counting and logging them), enable the local Internet exit through NAT in VPN 0, redirect the DNS request, and set the default action for everything that does not match.

NDNA_vSmart(config-sequence)# action accept count NB1
NDNA_vSmart(config-sequence)# action accept log
NDNA_vSmart(config-sequence)# action accept nat use-vpn 0
NDNA_vSmart(config-sequence)# action accept redirect-dns host ("host" redirects the request to the DNS server configured on the router; "redirect-dns <ip-address>" sends it to a specific DNS server instead)
NDNA_vSmart(config-data-policy)# default-action accept
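The steps above are spread over several CLI modes, and the site list from Step 1 is never actually bound to the policy. The following is an added example (not configuration from the original article) that pulls the whole thing together in running-config form, so it can be checked line by line with "show running-config policy" on the vSmart, and adds the apply-policy statement that activates the data policy for sites 100-105 in the from-service direction. The list and policy names (NDNA, NB, NB1) and the application placeholder GCP-apps are taken from the article; the vEdge section, the interface name ge0/0 and the DNS server address 203.0.113.53 are assumptions for illustration only.

```cisco
policy
 lists
  site-list NDNA
   site-id 100-105
  !
  app-list NDNA
   app GCP-apps
  !
  vpn-list NDNA
   vpn 10
  !
 !
 data-policy NB
  vpn-list NDNA
   sequence 11
    match
     dns-app-list NDNA
     dns request
    !
    action accept
     count NB1
     log
     nat use-vpn 0
     redirect-dns host
    !
   !
   default-action accept
  !
 !
!
apply-policy
 site-list NDNA
  data-policy NB from-service
 !
!
```

Two things have to be in place on the vEdge routers at sites 100-105 for this to work: the VPN 0 transport interface that provides the local Internet exit must have "nat" enabled under the interface (for example "vpn 0 / interface ge0/0 / nat"), otherwise the "nat use-vpn 0" action has no NAT to use and the redirected DNS traffic cannot exit locally; and, because the action uses "redirect-dns host", a DNS server must be configured on the router (for example "vpn 10 / dns 203.0.113.53 primary" in the assumed example), or else use "redirect-dns <ip-address>" to name the server explicitly. On the edge, "show policy from-vsmart" confirms the policy was pushed, and "show policy data-policy-filter" shows the NB1 counter incrementing as DNS requests for the listed applications are matched. Keep the security implication in mind: the matching DNS requests now leave the branch directly and in the clear, bypassing whatever central resolver filtering or logging the hub provides, so keep the application list narrow and point "redirect-dns" at a resolver you control. Everything that does not match sequence 11 is still covered by "default-action accept" and follows its normal path.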

That is the CLI configuration for Split DNS as a centralized data policy; the same policy can also be built from the vManage GUI. The next article will cover configuring Split DNS with an application-aware routing policy, from both the CLI and the GUI.