5.6 Cisco SD WAN Cloud onRamp for IaaS, Part 2 Configuration Overview

Captions
Let's go quickly and see what the configuration steps are that are required to configure this. As I mentioned, everything starts from vManage. When you start in vManage you have a choice: are you configuring AWS or are you configuring Microsoft Azure? In this particular case, if we go down the AWS route, you have to provide credentials. These are the credentials for the account that you're trying to have vManage control for you, so an AWS admin would provide these credentials to the person administering vManage. If it's the same person, then of course that person would go inside the AWS EC2 console, create the API key and the secret key, and those would be inserted here for logging in.

As I mentioned, everything is completely automated. There are a couple of things you have to provide in order for the script to go and do its job through its massive set of API calls into the AWS environment. You have to provide a few basic things: a name; which version of the WAN Edge you want to take (remember, this is taken from the marketplace, so choose which version you want to be taken from the marketplace); how much scale you would like that gateway VPC to have, by choosing the appropriate instance size for this particular WAN Edge device to be deployed at. You have to be licensed for two WAN Edge devices: you are picking them up from the marketplace, but you do have to have those as licensed devices. So I'm picking two for redundancy. I have an option to define the CIDR block that is assigned to this gateway VPC. Not every deployment needs that; mostly we see people just keep those as default, but in some particular cases you may want to customize it, so you have to see for a particular deployment what the use case behind it would be. Mostly the CIDR block that is assigned to the gateway VPC itself is not something that is visible in the SD-WAN fabric; it's not something that is routable in the SD-WAN fabric. There could be particular cases, for example when you have a WAN Edge device inside the gateway VPC that needs to get connectivity into, for example, a AAA server for authentication. The AAA server may be over the SD-WAN fabric, in which case you want to make sure that this WAN Edge can communicate to the AAA server, and for that communication to occur the return traffic needs to end up in the proper place, right? So the CIDR block that is assigned here may become important if you're not doing NATing. So there are certain cases where this CIDR block may be important; in most cases it is not, just pay attention.

The next thing we have to do is map the host VPCs. Before we map them we discover them, and this is the account info: if you remember, the API key and the secret key. Those are the credentials that are used to log in to the account and perform the configurations, but also to discover the existing host VPCs so that we can link them into the SD-WAN fabric. So vManage is basically walking the account, extracting those host VPCs and allowing you to check-mark which ones you would like to actually be part of the Cloud onRamp setup. After that you need to map those host VPCs into the gateway VPC. It's the next step: out of the VPCs that you've chosen in the previous step, it allows you to choose which ones you would actually want to map to which one of the VPC gateways. You can have multiple VPC gateways per region for the purposes of higher availability and, more importantly, higher scale. The gateway VPC has IPSec connections into the VGWs for that purpose. This is the VGW we're connecting to, and this is the VPN from which the IPSec tunnels are extended. So this is on the topic of segmentation: you can extend certain VPNs that exist in the SD-WAN fabric into the AWS environment. In this particular case we're extending VPN 1 into the AWS environment and host VPCs. There is also the route propagation option that you have to actually check to enable in order to advertise the default route into the host VPC. If you can recall, this default route is something that gets injected through a BGP session into the VGW from the gateway VPC in order to draw the traffic out of the host VPCs into the rest of the environment.

The last step is sort of like a verification step to make sure that you know what you're doing, and then the script goes to work and performs this massive set of API calls from vManage into AWS. At the end of the run it presents you this. What you see here is that you have gateway VPC 1 (as I said, you can have multiple for higher throughput); two devices are in that gateway VPC, and both of them are up. This gateway VPC is linked to two host VPCs, and both of them are reachable. So this gives you a summary view inside the configuration section of vManage under Cloud onRamp. As your environment grows and you get more gateway VPCs spun up, more environments you want to onboard, obviously this view can get bigger, right? Different accounts that you are trying to link into the Cloud onRamp. But each one of them will give you this nice real-time representation of what you have configured and the health of it. Of course you can go and customize things after the fact and make some changes that may not have been taken care of by the script; obviously the script doesn't lock you out from any changes, so you can still go and edit things, or click on each one of those numbers here and actually go and perform additional configuration steps after the script has finished its run, right? It depends on your particular deployment.

Now, for Microsoft Azure the process is very, very similar. We start from vManage and select Microsoft Azure. As you can see here, the parameters that are requested are different, and the Microsoft Azure administrator would provide those values to the SD-WAN administrator. These are part of the account settings inside Microsoft Azure; if it's the same person who is doing administration for both the Microsoft Azure environment and the SD-WAN, then that person would have to have those things. There's a useful link here in regard to where those parameters are and what is needed in order to set those up. As you can see, there are quite a few here that you need to provide in order for vManage to be linked into and be able to connect into this Microsoft Azure account. Again, this portion looks very similar: as you can see, we need to provide the name, the version of the WAN Edge device being taken (again, this comes from the marketplace), how much capacity you would like that VNet gateway to have, the license, and the potential customization of the CIDR block. If you recall, exactly as in the case of AWS, if there is certain traffic that gets generated from the WAN Edge device inside that transit VNet, such as AAA, NTP, SNMP, and if there's no NATing performed, then in order for the return traffic to come back in you have to make sure this CIDR block is actually routable in the SD-WAN fabric. Again, an optional customization. Discover the host VNets: again, walk the account and discover which host VNets we want to include inside the SD-WAN fabric, inside this Cloud onRamp setup. Map those VNets into the VNet gateway. Another piece of configuration, as you can see, is something different from AWS: we provide the name, that is the same; we provide the VPN, that is the same. Remember those IPSec tunnels that we talked about in the case of AWS? That process is automated inside AWS. In the case of Microsoft Azure that process is not automated, so we have to prompt the administrator for the subnets that are going to be allocated to those tunnel interfaces on both our side, the side of the WAN Edge, and the side of the VPN gateway on those host VNets. The reason we have four is because every single WAN Edge that is resident inside that VNet gateway has two IPSec tunnels for every host VNet. If you remember, we said we're doubling the number of IPSec tunnels between a single WAN Edge inside the VNet gateway and the VPN gateway inside the host VNet; that's two, and then you also have two for the other WAN Edge device inside the gateway VPC, right? So to refresh your memory: this is Edge 1, this is Edge 2, this is the VPN gateway that exists inside the host VNet, two IPSec tunnels for redundancy, and these are the subnets that need to be allocated to those IPSec tunnels on both the WAN Edge side and the remote side. In addition you have things like the BGP autonomous system number. Again, you did not have to provide that in the case of AWS, it's automated on the AWS side; in the case of Microsoft Azure it's not automated, so you have to provide the autonomous system number for the BGP process, and you have to provide a subnet out of the CIDR block assigned to the host VNet. So if I have a host VNet and, if you remember, I need to instantiate this VPN gateway entity, I need to assign a subnet here that is going to be used for this VPN gateway entity. Again, in AWS you do not have to specify that explicitly, AWS takes care of that; in the case of Microsoft Azure you do, and that is why you have to specify this block. Again, these differences are because Microsoft Azure requires those things, and they cannot be automated through API calls, or they can be automated but they're not assumed, they have to be customized. That's why we have to prompt the administrator for those things.

Final verification, and then the screen that shows you the status. Again, as we talked about before, the number of, we sometimes call them transit VNets and sometimes gateway VNets, so you can see those being used kind of interchangeably within the graphical user interface and also within the documentation, but we have gateway or transit VNets, quantity of one; both WAN Edge devices are in there; the number of mapped host VNets is two, both are up. Again, if you want to perform customizations there is a button there, or you can click on any one of those numbers and customize those specific elements. So as you can see, in this particular video we have really taken a detailed look into the Cloud onRamp functionality that allows you to extend the SD-WAN fabric to the doorstep of those popular infrastructure-as-a-service applications such as AWS and Microsoft Azure, and the key points were how easy it is to do that through a fully automated workflow in the vManage tool, and how we extend the advantages of the SD-WAN fabric that exists within the customer environment to those cloud applications in regard to security, segmentation, quality of service, application rerouting, etc. So I hope you enjoyed this video, and have a great day.
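As an added example (not from the video and not Cisco's own tooling), here is a small Python planner for the two things the Azure workflow prompts the administrator for and for the CIDR caveat the video gives for both clouds: it checks a customized transit CIDR against prefixes already routable in the fabric, and allocates, per host VNet, the VPN-gateway subnet plus the four tunnel subnets (two WAN Edges times two IPSec tunnels). All prefixes, the /27 and /30 sizes, the tunnel pool and the "already used" subnets are constructed assumptions.

```python
import ipaddress

# Constructed sample inputs (not from the video): prefixes already routable in
# the SD-WAN fabric, the candidate transit-VNet CIDR, an assumed pool for the
# tunnel-interface subnets, and the host VNets discovered in the account.
FABRIC_PREFIXES = ["10.10.0.0/16", "10.20.0.0/16", "172.16.0.0/12"]
TRANSIT_VNET_CIDR = "10.200.0.0/24"
TUNNEL_POOL = "169.254.21.0/24"
HOST_VNETS = {"host-vnet-a": "10.10.0.0/16", "host-vnet-b": "10.20.0.0/16"}
USED_SUBNETS = {"host-vnet-a": ["10.10.0.0/24"]}   # subnets already in use
EDGES_PER_GATEWAY = 2          # two WAN Edges per transit VNet, as in the video
TUNNELS_PER_EDGE_PER_HOST = 2  # two IPSec tunnels per edge per host VNet

def transit_cidr_conflicts(transit_cidr, fabric_prefixes):
    """Fabric prefixes the transit CIDR overlaps. When a WAN Edge sources
    AAA/NTP/SNMP traffic from this CIDR without NAT the CIDR must be routable
    in the fabric, so an overlap would send the return traffic elsewhere."""
    transit = ipaddress.ip_network(transit_cidr)
    return [p for p in fabric_prefixes if transit.overlaps(ipaddress.ip_network(p))]

def pick_gateway_subnet(vnet_cidr, used, prefixlen=27):
    """First /27 of the host VNet not overlapping a subnet already in use
    (/27 is an assumption; the video only says 'a subnet out of the host VNet')."""
    used_nets = [ipaddress.ip_network(u) for u in used]
    for cand in ipaddress.ip_network(vnet_cidr).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(u) for u in used_nets):
            return cand
    raise ValueError(f"no free /{prefixlen} left in {vnet_cidr}")

def plan_azure_mapping(host_vnets, tunnel_pool, used_subnets, tunnel_prefixlen=30):
    """Per host VNet: the VPN-gateway subnet carved from the VNet itself and the
    four tunnel subnets (2 edges x 2 tunnels) carved from the pool without reuse."""
    pool = ipaddress.ip_network(tunnel_pool).subnets(new_prefix=tunnel_prefixlen)
    per_host = EDGES_PER_GATEWAY * TUNNELS_PER_EDGE_PER_HOST
    host_nets = [ipaddress.ip_network(c) for c in host_vnets.values()]
    plan = {}
    for name, cidr in host_vnets.items():
        tunnels = []
        for _ in range(per_host):
            sub = next(pool, None)
            if sub is None:
                raise ValueError(f"tunnel pool {tunnel_pool} exhausted at {name}")
            if any(sub.overlaps(h) for h in host_nets):
                raise ValueError(f"tunnel subnet {sub} overlaps a host VNet")
            tunnels.append(str(sub))
        gw = pick_gateway_subnet(cidr, used_subnets.get(name, []))
        plan[name] = {"gateway_subnet": str(gw), "tunnel_subnets": tunnels}
    return plan
```

The `ValueError` cases are the ones worth catching before clicking through the final verification screen: an exhausted tunnel pool or a tunnel subnet that collides with a host VNet would only surface after the API calls have run.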
Info
Channel: 鴻愜意
Views: 634
Id: 5u5rOsJD-KE
Length: 16min 5sec (965 seconds)
Published: Sun Jun 28 2020