Aviatrix and Cisco SD-WAN Integration Step by Step! AWS, Azure, GCP, OCI

Captions
All right, welcome back, multi-cloud networking aficionados. We're here yet again for an SD-WAN integration video. The previous videos on Silver Peak and VeloCloud integration went so well and were received so well, I've been asked to make one on Cisco SD-WAN, and because that's my background I thought, hey, this has got to be pretty straightforward, and it really is, especially on the Aviatrix side.

So let's take a quick look at the test topology for today. Just like the Silver Peak architecture, we're going to leverage an SD-WAN ingress/egress pod called the Cisco SD-WAN VPC. Inside that VPC we're placing two vEdge routers, the SD-WAN routers, and southbound in this transit VPC we're going to build the SD-WAN fabric. There's already a branch pre-configured that I have with a vEdge Cloud in there and a guest VM so that I can use it as a test point. So the way this works is going to be very similar to how we did it with Silver Peak: we're going to build standard IPsec tunnels from the Aviatrix transit architecture in two different regions, the West and East transit pods, down to the SD-WAN VPC transit pod and run BGP on top.

We can dive a little deeper and see exactly how I have this set up: just a transit VPC with four subnets, two in each availability zone. There's gonna be two subnets for the management interfaces and two subnets for the WAN interfaces, basically one on each vEdge Cloud. On that WAN interface over here we're building both the SD-WAN fabric as well as we're leveraging it to source the tunnels, the IPsec tunnels and BGP, to build network connectivity to the Aviatrix transit environment, just like we did in Silver Peak. So let's get started.

So let's start this configuration on the AVX side. If you've been with me for my other videos you'll know that the Aviatrix piece of this is really straightforward. It's all done under the transit network workflow under the setup section, so click setup, scroll down to number 3 where we connect to an external device, and yes, we're gonna run BGP on top of IPsec. Let's select the West transit because that's where we're going to terminate these tunnels first. So the connection name, let's just call it West AVX to Viptela, how about that. I'll copy that just for later. I know that the ASN for BGP is, over here, 65009, and yes, we only have one transit. We'll leave the algorithms alone. We do want to enable the HA mode because we have two vEdge Clouds downstream that we want to connect to.

All right, so I know the remote AS, let's just do 65555. Okay, that's gonna be my Viptela side's; remember that when we configure the Viptela piece. Okay, so the remote gateway IP I don't know off the top of my head, so let's go take a look at it. If we go underneath my instances, vEdge A, and scroll down to his eth1, it's right here. That's the public IP we're gonna leverage for terminating those IPsec connections. All right, pre-shared key is, you guessed it, Dana one two three Dana. That's the one I use for everything because I never forget it. All right, so local tunnel IP and remote IP we'll leave alone because we'll auto-generate those and then download a configuration file to remember them for when we configure the Cisco Viptela side.

And then we do the same thing over here: 65555 is the remote AS, and the IP on that second guy, let's see what his IP is. All right, this dude's IP for the public side is right there. Gotta copy him, throw it into here. Dana one two three Dana, and leave the tunnel information default because we'll auto-generate it. So I hit connect, it'll be done momentarily. All done.

Let's do the exact same thing for the East transit environment. We'll call this East, and East is sixty five oh three, yes. Leave it alone, leave all this alone; pretty much everything else stays the same. Fantastic. Connect. Okay, and we're done.

The next step is to check that they were created in the Site2Cloud section and download those two configuration files. Here they are, West and East. So let's first get the West one. What
we're gonna do is download its configuration, or first you gotta make sure it's set to something generic. Download configuration. Great. And the next thing we would do is download the configuration for the East as well, so go back down to the bottom, I'm gonna do East, generic, download. And so we've got all the files we need now to build our own custom little document to reference for when we're configuring the Cisco side. So give me five minutes to build a custom doc that I can reference and I'll be right back.

Okay, so I made my little cheat sheet here for when I'm configuring the Cisco side. You can see I have all the public IPs of all the gateways and vEdges as well as all the private tunnel IDs and their pairings and the IKE and IPsec parameters I need to put in there. I just need to have this as a cheat sheet to make it easy for me to throw things into the configuration.

Okay, so just a quick rundown on what we have on the Cisco SD-WAN side. It's a pretty basic setup; we're running eighteen or nineteen dot 2.2, and we have three WAN edges, two of them being our transits and one of them being our branch vEdge. All right, so I already have a template configured for them, just basic stuff so they can build connectivity to each other, so you can build the SD-WAN fabric. What we're gonna do is go and edit those templates and add some IPsec and BGP stuff to them. What we're gonna do is create four IPsec interfaces per vEdge Cloud router as well as the BGP configuration.

So to do this, let's just go to the feature section and start building those templates. Now, we have to create a separate template per IP interface. Don't ask me why. I was working for Cisco, I asked them to fix this for years, they just would not listen. So it's a little bit cumbersome, but we're gonna get through this together. Okay, so let's add a template, and we're going to say this is a vEdge Cloud, yes. What we're gonna do is build a VPN IPsec, right there, VPN Interface IPsec. You click that and let's click, let's go
through it together. This'll be IPsec interface one. Okay, I'll go through one of these and I'll build the rest out by myself, just so you can see how one's done. So global, no. So we shut that down? No, it's not shut. And we're gonna do ipsec1. This is going to be device specific for the IP address, and say it's ipsec1 IP. Okay, and the destination is always going to be the ge0/0 interface, so we can make that a global variable or global value, and then the destination is going to be device specific; let's call it ipsec1 dest IP. This is fine. DPD is gonna be ten and three.

All right, and the IKE version is one, yes, it's main mode, but this has to change to 28800, and we're gonna change this guy, I believe, to SHA2, and this is gonna be PFS fourteen and a SHA. The pre-shared key, Dana one two three Dana, right, it's always what I like to use. Okay, and leave these alone, that's fine. This is gonna be left alone, it's 3,600, it's fine. This is fine. I believe this has to be changed, however, to CBC SHA-1. If that's not correct I'll come back and fix it and let you guys know, but I'm pretty certain it is. So this is 14 as well. That's it.

So we're gonna hit save and that IP, that IPsec interface is done. What I'm gonna do is just copy this and create four of them, so hit copy, I'm gonna call this one number two. Now I'll go and edit all the actual variable names in there myself, so give me a second, I'll be right back.

Okay, now that that's done we can go and configure the BGP template. So let's add a template. Let's type cloud here to do the vEdge Cloud. Let's find BGP, it should be in here somewhere. BGP, there you are, BGP. Okay, and let's create, let's call it BGP cloud. I don't care what it's called, doesn't matter for this lab. So shutdown is going to be no. AS number, it's going to be, you know what, it's the same for both of these guys, let's just do 65555. It's gonna be both, it's gonna be the same. The router ID we can leave alone and let it pick itself. We leave that
alone. We don't need to change any of that stuff. We don't change the maximum paths; actually, we can move this if you want, we can make this two, eight or something, that should be okay, it doesn't really matter. Okay, we gotta do redistribution here; we redistribute OMP into BGP. All right, okay, add. That's pretty straightforward, right? Really easy. Everything else we can leave alone.

Now, where we need to make sure we're careful is the neighbor configuration. So let's click new neighbor, and we're gonna make this a device-specific neighbor, right, so let's call it ipsec1 neighbor IP, yep, and then we can leave all that alone. This is gonna be ipsec1 neighbor AS, yes. You know, I don't really need to mess with some of this stuff, but we can enable it if we want to; it's not gonna make a difference. That's fine. Okay, don't need to mess with route policies. It's no shut, that's good. Do we have advanced options or anything in there? I don't think we do. Where did it go? Okay, no need to mess with the Hangout stuff, this is okay. Oh, we do need to change the source interface, this exact one. There you go. Everything else here is okay. All right, add, done. Now we could do that four more times, okay, so give me a second, I'll go back and do that. Oh, one thing I need to change here: I changed my keepalive times to ten and thirty. Okay, and that's it. Let's scroll down and hit save and we're done.

We should be able to go now and add these feature templates to the device template, so let's go ahead and do that right now. Edit the existing template, let's add in those new ones. Scroll down to the service VPN, let's click VPN Interface IPsec; let's do that four times, we need four of them. All right, the first one, ipsec1, ipsec2, ipsec3 and ipsec4. Next step, we need to add BGP: click BGP, BGP cloud, and we're gonna hit update. Now it's gonna force us to put in all those values and variables that we've made in the template, so I'm gonna go and throw those all in right now. So a
couple ways you can do that: you can upload a CSV file, you can upload an Excel file so it populates it for you, or you can manually do this. So I'll do one of them and then I'll come back, I'll do the other one on my own and just submit it so you guys don't have to worry about seeing all that. Give me a second here. And here's how it looks when it's all filled out; all the variables and values are filled out. Let's hit update. I'll do the same thing for vEdge B, I'll be right back.

So after filling out all the variables I submitted the changes and I have the configuration now. I went through it and I did a quick check, a spot check, and it seems to be OK. If I made a mistake I'll come back and fix it, but let's just submit it and see what happens. Yes, I want to configure both of these. OK, so let's give it a second, and either it'll come back with an error and I'll have to go back and fix everything, or it will come back all good to go. Let's see what happens. We got our first success, that's good news. Let's hope the other one comes back with success as well. I guess I still have my Cisco SD-WAN skills after leaving them in December or January.

All right, great, so we can wait a couple seconds here and see if our tunnels come up. Let's go jump on the Aviatrix side and see if they come up under the Site2Cloud section. Nothing yet; let's give it a little more time. I'll pause the video and see if it comes up. All right, there we go, they're up and up. Now, to be honest, I had to make one change. I made an error in my Site2Cloud configuration: I had to change it to HMAC-SHA-1 as the IPsec hashing. So that's all good to go and I've brought it up.

So now that that's up, we can go to the branch site, which is my branch vEdge router here, and we can run tests all the way to Google. So what we're gonna do, if we look at the diagram, we're gonna run a test from this branch router all the way up the SD-WAN into the SD-WAN transit, across the Site2Cloud IPsec tunnels into the Aviatrix transit architecture;
we're gonna ride the global encrypted transit, full mesh transit, to GCP and hit an instance in GCP over here. OK, so this is gonna be fun, let's try it out. Ping VPN 1; we're gonna source it from VPN 1 because that's our branch. Actually, before I do that, let me show you something: show int | tab. Because, see, ge0/1 is in VPN 1 and the IP is 192.168.10.59/27. That's my branch subnet, my LAN subnet where I'm testing from. Now, I have a branch PC in there I could test from as well, but for some reason I couldn't get into it; something happened with my .pem and I couldn't get into it. Anyways, I'm just gonna run a test from here because it's the same thing.

So I'm gonna ping VPN 1 and we're gonna do 10.5 - OH -, that's my GCP instance; 10.5 is the GCP CIDR. Bam, look at that. I'm going all the way across my Viptela SD-WAN into the Viptela transit, across the Aviatrix transit environment, and hitting GCP. I didn't have to configure any routing at all; all I did was bring up the BGP and the Site2Cloud IPsec tunnels, and bam, everything end-to-end is configured for me by Aviatrix. Super fantastic, love seeing that happen.

Now if you want to dive a little bit further, we can take a look at the routing table here. So we see all those 10.1 through 10.5 /16s; those are all my AWS, Azure, GCP subnets that I'm learning via the Site2Cloud BGP tunnels. And so you can see I have two next hops here. That's really basically from this guy to these two guys as two next hops; they have two tunnels with equal-cost multipath from here up to there. And then from the transit I also have equal-cost multipath going on to both Aviatrix transit gateways, because we support active-active across both transit environments. We can have higher throughput; you can aggregate all those tunnels together and get better throughput. How fantastic is that?

All right, cool, let's jump into the Aviatrix UI and see what was configured there. If we go to the advanced config section we can go to Diagnostics, and we can run on the
West transit show ip bgp. We should see that subnet, the remote subnet, showing up in here as well. There it is, 192.168.10.32/27, with two next hops. I'm doing equal-cost multipath routing across both of those guys. So let's take a look at the East transit because I'm also connected over there. Same thing: I can see those two guys, equal-cost multipath across it down into the SD-WAN environment. Love it, love it, love it. And both the East transit and the East transit HA gateway, the West transit and the West transit HA gateway, are doing equal-cost multipath load sharing, so you get higher throughput when you aggregate all those together, all those tunnels together.

Lastly, I want to show you that that route was propagated via our controller to the GCP transit environment. We can do that by going to list and selecting the GCP transit router, or Aviatrix gateway. You're gonna see in here that we've configured, via the controller, how to get to that remote subnet even though we're not directly connected to it via any connection. So if you scroll down you can see here 192.168.10.32 is reachable over our transit active mesh connection to the West transit gateways. So basically what I'm saying is that this guy over here in GCP has an active mesh, active-active tunneling architecture set up to the West as well as to the East; it can get to both. OK, so that's quite nice.

And there you have it: we integrated Cisco SD-WAN with the Aviatrix multi-cloud networking platform. The moment you terminate those tunnels on the Aviatrix gateways you get all the benefits of the Aviatrix orchestration, all the Aviatrix unified control and data plane, as well as all the service insertion and visibility and everything we offer on the market today. Please go and take a look at Aviatrix and everything we're providing for customers in their cloud networking, and you guys will be really blown away. Thank you for watching, I'm looking forward to talking to you guys next time. Bye bye.
Info
Channel: Dana at Aviatrix
Views: 859
Rating: 5 out of 5
Keywords: cisco, viptela, configure, integration, ipsec, configuration, aviatrix, sdwan, sd-wan
Id: P4Wuh6S5J5k
Length: 16min 58sec (1018 seconds)
Published: Mon Apr 20 2020