1. Building an SD-WAN Topology for testing in GNS3 - Part 1

Captions
Hello everyone, my name is Devin Adams. I'm a Fortinet Certified Trainer here in Tempe, Arizona, and I record these videos for my students. In fact, I just got done teaching a class, and when they do their labs I always play around myself and try to test new things that I've never tested before, and I got pretty frustrated because I could not get the SD-WAN VPN connections to work the way that I wanted them to.

So in theory here, guys, this lab environment in GNS3: if you look at my playlist, in the earlier videos and also the load balancing of WAN traffic, we've gotten to this point, so I'm just borrowing this topology because it's already set up. The whole idea here is that we have a headquarters FortiGate and then we have these independent circuits from different Internet service providers. The whole point of SD-WAN is that we can throw circuits at the FortiGate and essentially create one logical link, and then using health checks and also using rules we can essentially point what kind of traffic goes out each link. On top of that we can also do it through quality, so think of it as not just policy-based routing, where you get more options of how to route; you can also route based off of the quality of the connection itself, which you can't QoS the Internet. That's why it's important to have that dynamic ability to quickly switch links as congestion across one autonomous system might become a little bit worse than the other. But anyway, that's easy-peasy, I have done that numerous times.

But what if we have a data center or a branch office, maybe we have an MPLS connection where we just want certain traffic to go down, but what if something within that MPLS network starts acting awry and we want to fall back on a VPN tunnel? Now I've done this before, and it's actually not that difficult to comprehend if you're doing it just using standard routing. I think it's called the WAN link load balancer demo that I did earlier, and that's where we can go ahead and have redundant VPN tunnels kick in when the MPLS health check fails. But to use it with SD-WAN is just like kicking it up to the next level, right, because not only do we have to wait until an interface goes down or a health check fails, now we can simply say, hey, if for some reason that VPN tunnel is healthier than something that might be happening down the MPLS way, go ahead and automatically kick it in. I thought this would be pretty straightforward, but guys, honestly, I could not get it to work and I could not find that great of documentation or demos for it. Obviously it does work, or it exists, but that's going to be my challenge for this weekend. I'm kid-free this weekend and I'm going to make this happen; that's my only goal.

So anyway, here we go, guys. Before we can even get started with having our SD-WAN VPN IPsec tunnels deployed we have to build the topology, and that's all that we're going to do here. We're going to add a branch office down here somewhere, and I don't know why my mouse is freaking out, and then maybe a branch office over here, and then maybe a fake point-to-point connection down here to represent something like MPLS. So we're not going to do anything with the SD-WAN per se right now; we're just going to get our topology in GNS3 ready for the challenge. And guys, I'm making this complex because I want the challenge. Don't forget this is FortiOS 6.0; it is a little different for 6.2, and that might have to be a different video. All right, let's go ahead and build it.

Are you guys ready? The first things that we're going to need here are obviously two FortiGates, so let's pull out our GNS3 template; I already had one configured for the FortiAnalyzer, a FortiGate 600, so we'll drop that there, and then we'll also drop one up here. Why not? That was a little weird loop. And by the way, guys, I am not a YouTuber, I don't do these for any kind of gain, so these videos suck; it's because I wing them, and there's a good chance it's not going to work the way I want it to. But this is going to be our data center, and it's not uncommon for us to have hosted services privately somewhere else, right? So if our headquarters is in Phoenix, Arizona, I'm going to say that this one's going to be in Dallas, Texas or something, but I'll just say DC for data center.

Now this WAN cloud is really just a Linux router that I've made tons of interfaces on, so in this lab environment, guys, if you see a 10.200.x address, those are our make-believe public IP addresses, and the reason why I chose a private IP address range is because it's getting NATed out to the real Internet. I'm going to use interface 6 and connect it to port 1, and then I'm going to connect my Ethernet 7 to port 1. I better start calling them by names if they're just branch offices, so this one right here is going to be a New York City FortiGate, and that's just going to be a little branch office that we have. Remember here, guys, the goal is to get everything on one big network but having the path selection within our VPN network be determined by the quality of the links; that's the whole goal here.

So let's go ahead and simulate the MPLS network. Now, I know that there's way more to MPLS, but the whole point of MPLS is that you purchase it from a service provider, they do MPLS forwarding for you across their autonomous system, so it essentially feels like it's on a private connection. On top of that, with how the classification of packets can be done, you can also get a lot of QoS. Is it cheap? It is not. But I promise you, coming from a service provider background, that we can have issues within our own MPLS network, and that's why we want some kind of failover.

To simulate that, I'm going to get one of these netem boxes again. I love this because it's essentially a device that has two interfaces, it's like a tiny Linux box, but you can control the quality of the bandwidth that's going through it. I'll just open this up real quick to show you: I want to limit the bandwidth, I want to add some delay, I want to have some packet loss, and so on and so forth, and this way we can simulate having problems in our GNS3 environment, because I don't know how we'd do that without simulating it. It's how we can junk our lines. So I'm going to rename this to the IP address that we're going to be using. Now remember, MPLS does not hit the Internet, so we're going to just connect this out of port 5 of our FortiGate, which is not being used, to our netem box, and then from there it's going to go to our data center. I'm going to do port 3, because we're going to do an additional link here eventually to the DC, but not yet. Then here I'm just going to say MPLS, and I'm going to give it an IP address of 10.10.2.0 to represent our point-to-point connection back to the data center. I might change that a little bit later on, but there needs to be some kind of IP address on this, so for right now it's just so we have some kind of IP address to remember.

Now we're getting to these switches on our internal side if we want to plug in more than one device. Here we're just going to use GNS3's built-in Ethernet switch, which is our better-than-nothing switch; we'll create it within GNS3 itself. You know what, I'm not going to worry about IP addresses on the MPLS, because I know for a fact I want this internal one to be 10.10.2.0/24, because we want to try to keep things as congruent as we can with our IP addresses. This is going to pop out port 4 and this is going to act as resources in our data center that we might want to get to from our headquarters or from our New York office. But these are also going to be resources that we do not want publicly facing, and that's the reason why they're going to be going down IPsec tunnels and down an MPLS network.

To simulate that, the easiest way in GNS3 is that we just want a box that has services on it. So instead of having to load up a whole domain controller to get something like a web server, I love this toolbox here that's in GNS3; if you come over here there's a box that I think is just called Toolbox, and it has things like a web server, and I think FTP is also supported, and so on and so forth. It might just take a second to deploy. There it is, and this is going to act as a resource that we're trying to access privately through our VPN/MPLS network, so I'm just going to call this Server X. I'm also a big believer, when you're doing these things, in having them graphically make sense, so I'm going to change our MPLS box to look like a hop, just a normal-looking router, or even better, a label switch router; that's appropriate. And for this server I think there are some hardcore mainframe icons that we can use, so let's do that; that's going to represent our data center server. By the way, the newer version of GNS3, I was reading up on it and I'm really excited about it, and one of the things is that they do have way better icons that are going to be available soon. Some of these I have imported, and some of them are a little bit aged, but that's okay. Look at that, what is that, an old tower or something? It looks like there should be a 486 with a turbo button on that thing.

Once again, guys, the whole idea is that people on our internal network should be able to hit this resource using the best path possible. Like I said, I'm going to keep things as simple as I can to begin with, and then maybe later on I will add some more complexity. So let's go ahead and add another switch here, and this switch is going to be for our internal network on our New York FortiGate. Like I said, to keep things congruent it's going to be 10.10.3.0 for our New York internal office, and we're going to plug that right into port 3, because this branch office is probably only going to have two redundant connections; we're not spending the money on MPLS, right? Then all I'd really need over here, I don't need a full Windows machine, so I'm going to take advantage of that tiny Linux build. The one that I like to use is webterm; it just gives you enough for Firefox and a command prompt to ping. It's way richer, though, than these VPCS ones. I'll just put this right over here, and then I'm going to change our network options here. I'm not going to do DHCP, so let's go ahead and clear it out so it grabs an IP address, and we can configure the FortiGate later on. We just have to take out the hash signs here, and then it's going to be 10.0.3.10, and the gateway is going to be 10.0.3.254, and that's what we'll eventually give the FortiGate. For our name server I don't know if we can just use our default gateway here, but we will, why not; we'll just use the FortiGate and have it pass along DNS requests. Cool.

Then after that there should be an OK button; I'm going to have to go off-screen to hit OK just because my screen resolution was too big here. Hit save, and now when this boots up it'll get an IP address that we can actually access it with. And then again, guys, we're going to change that icon so it makes sense visually, maybe to a PC. Do we have just a normal-looking PC here? I did import some Windows icons. Do I really want a laptop? Am I thinking too much about this? I am. I'll just say it's a Windows box even though it's not. See, that's how anal I am; I'm like, you know what, that's going to bug me because it's not a Windows box, so we're just going to have a computer there, a nice CRT; it looks like my old IBM PS/1 that I had. We'll just say that this is PC1 over in New York. Take our cabling tool now and we'll put it with the switch.

Now, guys, the machines that are off we just need to boot up, so right-click and we'll boot the New York City FortiGate, and then we'll start booting up the DC FortiGate. Now these are using the free VMs; when we set them up in the other GNS3 lab environment, guys, if you want to, you can download those free VMs and get 15 days every time you turn them on. Now, just because I'm going beyond what would normally be done with a free VM, I've been dropping the few licenses that I have for my classes in here to use for demos, so I'm going to have to do that as an additional step.

In fact, you know what, I just realized I'm probably going to want netem boxes also, in between these links here, because remember, guys, we're going to have our quality of service affected and then we're going to be able to manipulate that a little bit later on. I'm just not going to do it right now, or should I? Should I just get that over with? You know what, why not, they're booting anyway, so let's go ahead and delete that link, delete that link, and stick a device in between so we can control the quality of the link, because that's the whole idea of SD-WAN, guys: as the connections become better or worse, it should dynamically reroute depending on those SLA health checks that we do. And I am running all this stuff on a seven, eight, nine-year-old laptop; it's spinning right now and wanting to die. Let's go ahead and change those icons too, just to a router; I'll just type it up here, and they'll just represent a hop. I believe we're all the way up to 10.200.6 on this one, and I made sure that when I was making this Linux router box that the Ethernet interface number matched up with the third octet. This way we can just junk the line when we need to. Then same thing here, let's go ahead and just attach it to 7 on one side and the other side to port 1, and, why did I double-click on that, I didn't even mean to, we'll give it a 10.200.7 IP address range. Once again these are going to be representing hops out there on the Internet, so let's go ahead and change that symbol there to our router again. I know it's getting too crowded, right? I'm just going to see; once my laptop actually blows up, then I'll quit doing demos. Turn that on, turn that on.

Then here, make sure that with your GNS3 toolbox you guys go in there and edit that network configuration so it can actually connect. We are going to give it an IP address of 10.10.2.100; this is going to be some kind of server that we're offering in our DC that we're going to be able to get to eventually. And then the gateway, 10.10.2.254. Take out these hashes. Oh man, my poor resolution. Hit save, hit apply, and we'll get that booted up too.

All right, guys, it's been about 20 minutes and I don't like keeping these videos any longer than that, so I'm going to stop it right here. Once again, it was just to get these physically mapped out, which we did, and our whole goal here is going to eventually be to configure all these things to be accessible through one big secured SD-WAN VPN/MPLS network and all that jazz. I'm going to stop it, I'm going to let these things boot, and then I'll come back to it once they're all loaded up, because it does take a while on my laptop, because it is a laptop and it's old as dirt. One of these days I might get a huge ESXi server with 20 cores, and I'm just making up numbers. All right guys, so in the next video we're going to configure these pieces. Thanks a lot and I'll see you sometime later.
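The netem boxes described in the captions (limit bandwidth, add delay, add packet loss) are Linux hosts running the kernel's netem and tbf queueing disciplines through tc. The script below is an added example, not code from the video or from GNS3, that drives such a box from the command line instead of the GUI, so the "junk the line" step can be repeated the same way every time an SD-WAN SLA failover is tested. It assumes iproute2 (tc) is installed, that it runs as root, and that the box's two interfaces are named eth0 and eth1; those names and the impairment values are assumptions, not from the page. Setting NETEM_DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the video): script a GNS3 "netem box" with tc.
# Assumes iproute2 (tc), root, and interface names such as eth0/eth1.
# NETEM_DRY_RUN=1 prints the tc commands instead of running them.
set -eu

# Loose argument guards so a typo does not reach tc with a half-built qdisc.
is_time()    { case "$1" in [0-9]*ms|[0-9]*us|[0-9]*s) return 0 ;; *) return 1 ;; esac; }
is_percent() { case "$1" in [0-9]*%) return 0 ;; *) return 1 ;; esac; }
is_rate()    { case "$1" in [0-9]*kbit|[0-9]*mbit|[0-9]*gbit) return 0 ;; *) return 1 ;; esac; }

# Print, one per line, the tc commands that impair egress on an interface.
#   $1 dev   $2 delay   $3 jitter   $4 loss   $5 rate
# netem sits at the root (delay, jitter, loss); tbf hangs under netem's
# single class 1:1 and shapes bandwidth. Printing first lets you review
# exactly what will be applied.
netem_commands() {
    is_time "$2" && is_time "$3" && is_percent "$4" && is_rate "$5" || {
        echo "netem_commands: bad argument(s): $*" >&2; return 1; }
    printf '%s\n' "tc qdisc replace dev $1 root handle 1: netem delay $2 $3 loss $4"
    printf '%s\n' "tc qdisc replace dev $1 parent 1:1 handle 10: tbf rate $5 burst 32kbit latency 400ms"
}

# Execute each command line read from stdin, or echo it in dry-run mode.
run_lines() {
    while IFS= read -r cmd; do
        if [ "${NETEM_DRY_RUN:-0}" = 1 ]; then echo "+ $cmd"; else $cmd; fi
    done
}

# netem only affects traffic leaving the interface it is attached to, so a
# two-port box needs it on both ports for the circuit to suffer both ways.
#   $1 dev_a  $2 dev_b  $3 delay  $4 jitter  $5 loss  $6 rate
impair_link() {
    netem_commands "$1" "$3" "$4" "$5" "$6" | run_lines
    netem_commands "$2" "$3" "$4" "$5" "$6" | run_lines
}

# Remove the impairment (tc reports an error if nothing is attached).
clear_link() {
    for dev in "$@"; do echo "tc qdisc del dev $dev root" | run_lines; done
}

# Usage demo: an MPLS circuit that turns slow and lossy, printed, not applied.
if [ "${1:-}" = demo ]; then
    NETEM_DRY_RUN=1; export NETEM_DRY_RUN
    impair_link eth0 eth1 80ms 10ms 3% 2mbit
    clear_link eth0 eth1
fi
```

Run it as `sh netem-box.sh demo` to see the commands, then drop the dry-run variable to apply them for real; `tc -s qdisc show dev eth0` shows the dropped and delayed packet counters while the FortiGate's SLA probes run across the link.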
Info
Channel: Devin Adams
Views: 42,440
Keywords: GNS3, SD-WAN, FortiGate, IPSec, MPLS, Failover, topology, Demo, LAB
Id: omBvUQOUbFw
Length: 22min 0sec (1320 seconds)
Published: Sat Sep 21 2019