Cisco OTV - Part 5 - Redundancy, Routing across sites, FHRP filtering, Packet tracer

Captions
Hey guys, welcome to part 5 of this OTV module. In the previous section we had a look at the OTV unicast configuration, and in this section we are going to take a look at how to build up the redundancy. We are going to bring up the secondary router of each site, site green and site yellow, and we will see how we can make the redundant configuration work.

If we talk about the topology briefly, this is what we have: we configured CSR 11 and we also configured CSR 21. Now we are going to configure CSR 12 and CSR 22, and we will see how the load balancing happens between the VLANs. In my case CSR 12 and CSR 22 are not configured for OTV yet, so I will need to configure OTV, and this time I'll configure it directly for the unicast mode.

At this point, if you try to reach between the two end hosts, I should be able to reach, because I do have connectivity between one of the routers from each site. Let me go to CSR 12 and take a look at the configuration I have. This is the LAN-side configuration... sorry, this is the outside interface configuration, GigabitEthernet 1, and this is the LAN-side configuration. The first thing I do, since I need to extend VLAN 11 and VLAN 22, is configure the LAN-side interface with the bridge domains for VLAN 11 and VLAN 22. After that I will also need to configure a site VLAN, which I already configured on CSR 11. If you look at show run interface gig 2 on CSR 11, this is the configuration we have, which includes the site VLAN; I need to do the same configuration, so I will copy it and paste it on the other router. OK, so this is the configuration we now have there on the LAN-side interface. On the other side, which is GigabitEthernet 1, I do not need to configure anything specifically because this is already being advertised in OSPF. Let me make sure I can reach the other OTV routers: 100.1.11.11, I can reach it; same thing for 21.21, the IP address 100.1.21.21; and then 22.22, this is the secondary router of site number 2. So I do have reachability to all the OTV sites from this router.

What I'm going to do is configure the overlay and see how it goes from there. The first thing is the join interface; the join interface is the interface facing the outside, facing the other OTV routers. In this case this is going to be my GigabitEthernet 1. Then I'm going to configure otv adjacency-server unicast-only, because this is also going to be my secondary adjacency server. Then I'm going to configure otv use-adjacency-server with the primary IP address, which is CSR 11, 100.1.11.11, and then the secondary IP address, which is my own IP address 100.1.12.12, unicast-only. Now you also need to configure the bridge-domain service instances, because you need to extend them. So we do service instance 11 ethernet, encapsulation dot1q 11, and this is going to be bridge-domain 11; similarly service instance 22 ethernet, encapsulation dot1q 22 and bridge-domain 22. If you do a show spanning-tree vlan 11, spanning-tree mode pvst... OK, let me make sure that my site VLAN is also there. We'll wait for this to move to the forwarding state. If you do show run interface overlay 1, this is shut down right now. I do have the join interface, I do have the adjacency server configured (I have configured this as the secondary one) and I do have the bridge domains configured here as well. So pretty much that's all we need; if we compare with the configuration that we have on the other router, that's all we need. Let me try to bring up the overlay interface now and let's see. At this point, if I go to CSR 11 and do show otv vlan, it is going to be active for both the VLANs.

Now if the redundancy works fine, then we are expecting one of the VLANs to move to the other CSR for the active role. In that case, either 11 or 22, the odd or the even VLAN: this guy, CSR 11, will be the active forwarder for one VLAN and CSR 12 will be the active forwarder for the other VLAN. So let's see if the OTV instance is coming up or not. OK, it's going to come up... is there anything wrong? "12 IGMP version 3"... OK, I think it's the OTV site VLAN: I have not defined the OTV site identifier. I need to specify these things. The OTV site identifier has to match what you have on the other router in the same site; in this case if I check, it says the OTV site identifier is 0000.0000.0001, so it has to be the same value here. And also the OTV site VLAN, let me see if I configured this anywhere. No, I did not. So otv site bridge-domain 11, this is something I also had to configure. These two things are what you need: one is the site bridge-domain, this is the site VLAN, and the other is the site identifier. The site VLAN and the site identifier have to be the same value for both routers in the same site, and they should be different for different sites. Now you can see that I have adjacency up. If I do show otv adjacency, it shows that I can see both of them: I can see the router which is in the same site, which is CSR 11, and I can also see the other router, CSR 21, which is in a different site. But if I do show otv, it shows that it is not forward capable, it is not ready and it is not the AED. If you do show otv vlan, it is inactive for both, and on CSR 11 show otv vlan is still active for both of them. Now let's wait for a few minutes: as you have seen from the previous videos, we need to wait for, say, two to four minutes after doing a no shut on the OTV interface for the control plane to be built. We will wait and after that we will see how it is converging. I'm going to pause the recording for a few minutes and I'll come back.

All right, I waited for about two to three minutes. Now if I do show otv on CSR 12, you can see that it is now forward capable, it says it's forward ready, and it also says it's the backup AED (even though it's not the AED, it's the backup), and then it says it is AED capable. If you look at show otv vlan, you can see that now it is active for VLAN 22 and inactive for VLAN 11. If we go to CSR 11 I'm expecting to see the opposite: it is going to be active for VLAN 11 and not for VLAN 22. If you go here, you can see that it is active for VLAN 11 and it is inactive for VLAN 22. So essentially this is being load balanced now: for VLAN 11 traffic CSR 11 is going to be the active forwarder, and for VLAN 22 CSR 12 is going to be the active forwarder. Now if we want to test the connectivity, if we ping 192.123.11.2, this is for VLAN 11, I still have the connectivity, and if I ping 22.2, which is for VLAN 22, I still have the reachability. If we do show otv route bridge-domain 11 on CSR 11, you can see the routes are there; if we do the same thing for 22, you will see that they are not being learned anymore, they will be gone, because if you do show otv route bridge-domain 22 on CSR 12, you can see that now they are being learned here, and if you do the same thing for 11 here they are not being learned. So basically all these MAC addresses you are seeing: this router is going to be the forwarding router for VLAN 22 and this one is going to be the forwarding router for VLAN 11. If I do show otv site, now it is able to see the other router in the OTV site, which is 11 and 12; it shows both of them, the MAC address, the system ID, and AED enabled. If we do show otv, it says OK, this is how it is right here. If you do show otv on CSR 21, it says yeah, I think this is fine. If we do show otv route for bridge-domain 11 and bridge-domain 22, yeah, I do have reachability at this point from VLAN 11 to VLAN 11 and from VLAN 22 to VLAN 22, so I think this is working as expected.

What we need to do now is configure CSR 22 similarly. Here also, if we do show run interface, the external interface is configured, and you can see I can reach 1.11.11 and I can also reach 1.21.21, so I have the external visibility, but I have not configured the LAN-side interface and I have not configured anything OTV-specific here. If you do show run interface gigabit 1, this is basically the LAN-facing interface, which is this side here; I need to configure that on CSR 22. What I'm going to do is go to CSR 21, see what configuration I have there, and simply copy and paste it. Basically I'm going to extend VLAN 11 and 22, and also I need to configure the site VLAN, which is 222, on the LAN physical interface. So if I do interface gigabit 1 and then this configuration, no shut, that's all I need for the LAN physical interface, plus spanning-tree mode pvst. After that I will need to configure the OTV site identifier, and the site identifier is going to be the same as we have on CSR 21: if we do show run | section otv, this is the site identifier, which is 0000.0000.0002, and then the site bridge-domain. These two parameters need to match between the two routers in the same site, so I'm going to configure the same thing here. After that I'm going to configure interface overlay 1, otv join-interface, this is going to be gigabit 2, then otv use-adjacency-server, and the configuration would be 100.1.11.11, this is the primary, and then 100.1.12.12, this is the secondary, unicast-only. Then I need to define the bridge domains, which is service instance 11 ethernet, encapsulation dot1q 11, bridge-domain 11; similarly service instance 22 ethernet, encapsulation dot1q 22 and bridge-domain 22. OK, so this is configured for OTV unicast mode and you can see that all my three adjacencies came up. The reason it is 3 is because from this router's perspective there is one for CSR 21, one for CSR 11 and one for CSR 12, so a total of 3 adjacencies. If I do show otv adjacency, you can see everything there. If I do show otv site, as of now it is not ready; if I do show otv, this is still not forward capable, the control plane is being built. So again I need to wait for a couple of minutes before we can move forward, so let me pause the recording again for two to three minutes and we'll come back.

All right, back now, and this is completely converged. If you do show otv on CSR 22, which we just configured, you can see that forward capable is yes, it is forward ready, it is the backup AED, and then it says that it is AED capable, and it is reflecting who my adjacency servers are, the primary and the secondary. Now if you do show otv vlan, it shows that it is active for VLAN 22 and inactive for VLAN 11, and if we go to CSR 21 it will tell the opposite, which is active for VLAN 11 and inactive for VLAN 22. This is to make sure that a bridging loop doesn't happen: only one of them in the site is the forwarder, and that's the reason why, even though you are not forwarding the spanning tree packets over the OTV, it was still able to prevent a bridging loop. Now if you do show otv route here for bridge-domain 22, you should be able to see everything. I want to make sure that when you are trying to reach these two IP addresses, 11.2 and 22.2, you are still able to make it. Let me clear the ARP for 192.123.11.2 and similarly for 22.2 and let me try to ping. Yep, I can reach it, and the same thing for 22 as well, yes, I can reach it. So I have complete reachability at this point across the sites. Let me do a write mem everywhere. OK, so the configuration is now saved.

What I'm going to do next is... all right, here, do I have a default gateway? I have. OK, now one thing: in this topology my switches in between, the core switches here, you can see core switch 22 and 21, these are running HSRP, and similarly in site one the core switches 11 and 12 are running HSRP. Now by default OTV here is going to forward all the HSRP packets across. Generally you do not want your site to not have the HSRP active locally present; you always want it to be locally present. If it is not, then if you have a client in VLAN 11 and a client in VLAN 22 trying to talk to each other within the same site, they will need to go all the way to the other site, because the gateway will be on the other site, and then it will need to come back, which will add latency, and this is not an optimized design. So what you want is to make sure that HSRP active and standby are elected within the site, and you prevent the HSRP packets from going from one site to the other through the OTV cloud, so that way you make sure that this election happens locally. Now on ASR, on IOS XE, IOS by default makes sure that some of your OTV packets related to HSRP are not being advertised, but we still need to make some additional configuration changes. What we will do is apply a filter, a MAC access-list filter, on the LAN interface of all these routers, which is gigabit 2 here on site one and gigabit 1 here on site two, just to make sure that my HSRP is locally present all the time. So the configuration that we have looks like this; let me put it here. This is my CSR 11, and this is how the configuration looks like if we do show run | section mac access-list: I'm basically denying anything which has a source of my HSRP group address, it could be any group; the same thing for VRRP and the same thing for GLBP. In this case I'm using HSRP, I did not need to use VRRP and GLBP, but to make it more generic you basically want to make sure you deny any packets coming with a source MAC of those HSRP MAC addresses; you just do not want them to be forwarded over the OTV, you want to stop them right there on the LAN interface. So what we will do for that is apply this filter under the bridge domain. You will go to the interface, in my case this is gigabit 2, so I'll go to interface gigabit 2, service instance 11 ethernet, and then you will need to apply this filter: mac access-group with the name of this filter, which is my OTV FHRP filter, in. Similarly you do the same thing for 22 as well and apply the same filter. That's all you need to do. Now the same configuration I will be applying on all these routers. OK, and after that I will need to apply this command: if I do show run interface gig 2 I will copy this and configure it here; similarly for 21 it will be gig 1 and for 22 it will also be gig 1. All right, so now this is configured.

At this point, if I now make the host at site 2... let's say I'm going to make it VLAN 22 only, so I'm going to change the default gateway: I remove the default gateway 11.254 and instead I'm going to configure 22.254. OK, so what I'm doing is I'm making this host at site 2 a VLAN 22 host and I'm configuring a default gateway for that, and on the host at site 1 I'm configuring VLAN 11 and I have configured a gateway for it in VLAN 11. So at this point, if everything works fine, I would expect VLAN 11 and VLAN 22 to work across the OTV sites. Here I have VLAN 11 in site number 1 and then I have VLAN 22 here in site number 2, and I'm going to ping through that. Now if you look at the HSRP, it should always be pointing to the local MAC address, this is the 11.254. If we go to CSR 11 and do show otv route for bridge-domain 11, you can see that... here it says that it is ac0b, this is your HSRP, so why am I still learning it? Maybe it needs to be cleared; clear the route... no. What I want is, if I run this command here, this is for bridge-domain 22, here I'm not learning anything for HSRP, which is good. If we run show otv route bridge-domain 11 and I do 22... OK, let's see how it goes. We will try to ping 192.123.22.2; you can see that now I can ping it across the site. OK, I'm going to ping it with the source of my Ethernet: I'm going to ping 192.123.22.2 with the source of Ethernet 0/0, and these are going to be my routed packets. If I do a traceroute to 192.123.22.2 with the source of 192.123.11.1, you can see that I'm reaching there directly. Here, slowly it will be aged out, because we have prevented this from being learned; I should not be able to learn it on the LAN interface. OK, so at this point we do have reachability across the sites and the two different VLANs, and also we have configured the filtering. For the filtering you need to do some additional steps when you do it on Nexus, but when you do it on IOS XE a lot of things are already pre-built; the only thing you do is apply your MAC access list on the LAN-facing interface to prevent any traffic coming with the source MAC of the HSRP MAC address. So if we go to show run interface gigabit 1... which is gigabit 2, sorry, this is this guy, show run interface gigabit 2, this is your LAN interface, you applied this MAC access-list filter, and then if you show the MAC access list with this filter name, you can see that it is denying this traffic which is coming in from the LAN interface.

OK, so that's pretty much all we have to cover here. One thing we can talk about is some of the commands, the useful commands. To summarize, mostly these are the commands you need: one is show otv; then show otv site to make sure that you can see your other peer in the same site (if you do not have another router in the same site you will not see anyone else); show otv vlan, this is to make sure which VLANs this router is the active forwarder for; after that show otv route, where you can specify the bridge domain if you want to filter it; and then show otv adjacency, where you should be able to see all the OTV routers in your cloud in this particular table. So those are pretty useful commands which you want to use for troubleshooting. And again, one thing I wanted to mention: make sure that you have your MTU size taken care of in the underlay, because OTV is going to add an extra piece of header on your actual data packet. So if your application is trying to send a packet size of 1500 and OTV is trying to add on top of it, then it might not pass through the network if your underlying network infrastructure doesn't permit more than that MTU size. So make sure that it is taken care of.

All right, the last piece we want to cover is the packet tracer: how do we capture a packet on the OTV site router? Let's say that on CSR 11 our packet is coming in on, show run interface gig 2, gigabit 2. So what I can do is configure an access list: ip access-list extended 101, permit icmp with the source address 11.1 and the destination 22.2; let's capture just one direction, that's fine. Now I will do debug ipv4 condition... sorry, debug platform condition ipv4... you basically specify the interface as well; I want to capture on the interface, which is gigabit 2, and then you can specify the access list, the name of it, so this is 101, and you want to filter the ingress. You do debug platform condition start, so this is now started. You also configure a few things, for example debug platform packet-trace packet with a packet count, let's say 1000 packets, and fia-trace. FIA trace is going to tell you all the... what FIA trace means is that this option performs a trace of your additional packet path data information. Essentially, once FIA trace is enabled, you can view some additional information about how the packet is being processed on your router; it enables detail via the FIA trace, and you can increase that. Is there anything else needed? debug platform condition... sorry, debug platform packet-trace start? It should be debug platform condition start. Now we can look at show platform packet-trace statistics and we can send some traffic, let's say this ping. What are we doing in the packet-trace debug: we have a packet trace condition, GigabitEthernet 2 and the ipv4 ACL; show access-list 101: host 192.123.11.1 going to 22.2. This is what I'm trying to do, and it says the matching ingress interface is gigabit 2. So let me stop it, and if I do show platform packet-trace summary, I don't see anything. OK, let's see what I'm doing wrong. The direction is ingress, which is fine, and I'm doing it on router 11 which should be the active forwarder for VLAN 11. Maybe, since the routing is being done locally by the LAN-side switch, the traffic is not going to this router, it is actually going to the other router, CSR 12. Maybe what I will do is receive the return packet on this guy, so I change the condition from ingress to egress... I will do both. OK, and I'm going to do ip access-list extended 101, permit icmp host..., I am going to allow the reverse path as well, which is 192.123.22.2 to 192.123.11.1. OK, so now if I do debug platform condition start and I do a ping and I also do a traceroute, let's see if we see something now. Well, when the traffic is going from site 1 to site 2, since the routing is being done by the core switch in between, it is going to be hitting here on this interface. So let me try to configure the same thing here: ip access-list extended 101, permit icmp host..., permit icmp any any. If I do debug platform condition interface gigabit 2 ipv4 access-list 101 ingress, debug platform condition start, debug platform packet-trace packet..., start, and show platform packet-trace statistics, let's try to reach this guy again. Something is wrong, what are we missing? Maybe when I do debug platform condition interface gigabit 2... you know what I'm missing is the EFP ID, because my traffic is not going to hit the actual interface, it is going to hit its service instance, because this is doing dot1q. So the EFP ID should be 22, and now if I do ipv4 access-list 101 both, now it should work. So if I do debug platform condition start, and now I do the ping and the traceroute, and if I now look at the statistics, now you can see I have got five packets matched. If I do show platform packet-trace summary you can see these are the packets I have seen. If you want to look at a packet by number, that is show platform packet-trace packet, and if you want to look at the packet in detail you can do packet number 1 and then decode, and now you can see the complete output. What you are seeing is the feature path; this is because of the FIA trace, this is exactly how the packet is being processed internally. You don't need to worry about all these things unless you really need to drill down, but what is important is you see the path trace: you see the input, the ingress IP address, the egress IP address, the source to the destination, 11.1 to 22.2, this is an ICMP packet, and then this is coming in on gigabit 2 EFP 22, and the state is forward. So if this was being dropped you would have seen something else, but this is what you want to see, this is being forwarded. So you can see that this is a pretty useful tool. All we have done is create an access list; in this case I have permitted anything, but you can make your access list as you like, it doesn't matter. And then if I do show debug, I have configured an ipv4 access list on gigabit 2 EFP 22, because my traffic, whenever it is hitting here, is already routed to VLAN 22. Now if I wanted to do it here, if I do show debug on CSR 11, you can see I applied this access list, ingress interface, access list 101. What I need to do is ip access-list extended 101, permit icmp host 192.123.11.1 host 192.123.22.2 and also for 22... sorry, 11.2. OK, if I do that, now this traffic should be seen here. The only difference is I also need to apply this on the GigabitEthernet EFP instance, so it will be debug platform condition interface gigabit 2 efp 11 ipv4 access-list 101, it should be ingress. Now if I do debug platform condition start and I do the ping in layer 2, which is 192.123.11.2, and do a detail, that's packet number 2, in detail decode, you can see this is the packet. I'm saying this is a pretty useful tool: you can use it for capturing packets on the box itself, and this is very useful for troubleshooting. Having said that, if you want to undebug you can do undebug all... OK, it's not gone, so you need to actually do debug platform condition stop and you need to undebug platform packet-trace ... OK, how do I clear everything? debug platform condition... clear... clear platform condition all. OK, so now my debugs are all cleared. Yes, this is the command I need to run: clear platform condition all. OK, let me save the configuration. So now all the debugs are removed, but this is a very easy tool to use, please leverage it.

That being said, that brings us to the end of this whole module on OTV. If we summarize what we have seen: we had a look at the overview of OTV in the first session, the basic workflow; then we took a look at the OTV overlay configuration, the multicast and the unicast configuration; we took a look at OTV in the multicast mode; we took a look at OTV in the unicast mode; then I did some FHRP filtering just to make sure we can localize the HSRP active and standby within the site; and then we had a look at the summary of the verification commands and then the packet tracer tool, which is very important to troubleshoot problems at times. So thank you very much for watching, I really appreciate it. If you have anything on your mind or anything to comment on, please comment and I'll get to it. Thank you so much for your time, take care.
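As an added illustration (not code from the video, and not Cisco's own implementation), the following Python models the LAN-side MAC access list the speaker applies on the service instances: deny any frame whose source MAC is an HSRP, VRRP or GLBP virtual MAC so FHRP hellos never enter the overlay, permit everything else. It evaluates the list first-match with Cisco-style wildcard masks, and it also decodes the group number from a virtual MAC, which is why the ac0b entry the speaker saw in the bridge-domain 11 route table is HSRPv1 group 11 (0x0b). The ACL name, the frames and the host MACs are constructed; the virtual-MAC prefixes are the standard ones for each protocol.

```python
"""Model of an FHRP-isolation MAC ACL on an OTV edge device's LAN interface.

Constructed example for illustration; the ACL name, sample frames and host
MACs below are made up and are not the configuration from the video.
"""
from __future__ import annotations

from dataclasses import dataclass


def mac_to_int(mac: str) -> int:
    """Parse 'xxxx.xxxx.xxxx', 'xx:xx:...' or 'xx-xx-...' into a 48-bit int."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class MacAce:
    """One entry of a 'mac access-list extended': action, source value, wildcard."""
    action: str    # "permit" or "deny"
    src: int       # source MAC to compare against
    src_wild: int  # wildcard bits; a 1 bit means "don't care" (Cisco convention)

    def matches(self, src_mac: int) -> bool:
        return (src_mac & ~self.src_wild) == (self.src & ~self.src_wild)


ANY = 0xFFFFFFFFFFFF  # wildcard that matches every source MAC

# Equivalent of the filter described in the video (name is constructed):
#   mac access-list extended OTV_FHRP_FILTER   <- hypothetical name
#    deny   0000.0c07.ac00 0000.0000.00ff any  (HSRPv1, groups 0-255)
#    deny   0000.0c9f.f000 0000.0000.0fff any  (HSRPv2, groups 0-4095)
#    deny   0000.5e00.0100 0000.0000.00ff any  (VRRP, VRID 0-255)
#    deny   0007.b400.0000 0000.00ff.ffff any  (GLBP, group + forwarder)
#    permit any any
FHRP_FILTER = [
    MacAce("deny", mac_to_int("0000.0c07.ac00"), mac_to_int("0000.0000.00ff")),
    MacAce("deny", mac_to_int("0000.0c9f.f000"), mac_to_int("0000.0000.0fff")),
    MacAce("deny", mac_to_int("0000.5e00.0100"), mac_to_int("0000.0000.00ff")),
    MacAce("deny", mac_to_int("0007.b400.0000"), mac_to_int("0000.00ff.ffff")),
    MacAce("permit", 0, ANY),
]


def acl_action(acl: list[MacAce], src_mac: str) -> str:
    """First matching entry wins, as on IOS; implicit deny if nothing matches."""
    value = mac_to_int(src_mac)
    for ace in acl:
        if ace.matches(value):
            return ace.action
    return "deny"


def classify_fhrp_mac(src_mac: str) -> str | None:
    """Name the FHRP protocol and group encoded in a virtual MAC, or None."""
    m = mac_to_int(src_mac)
    if m >> 8 == 0x00000C07AC:            # 0000.0c07.acXX
        return f"HSRPv1 group {m & 0xFF}"
    if m >> 12 == 0x00000C9FF:            # 0000.0c9f.fXXX
        return f"HSRPv2 group {m & 0xFFF}"
    if m >> 8 == 0x00005E0001:            # 0000.5e00.01XX
        return f"VRRP vrid {m & 0xFF}"
    if m >> 24 == 0x0007B4:               # 0007.b4XX.XXYY
        return f"GLBP group {(m >> 8) & 0xFFFF} forwarder {m & 0xFF}"
    return None


def filter_lan_frames(frames: list[dict]) -> tuple[list[dict], list[dict]]:
    """Split frames arriving on the LAN service instance into
    (forwarded into the overlay, dropped at the LAN interface)."""
    forwarded, dropped = [], []
    for frame in frames:
        target = forwarded if acl_action(FHRP_FILTER, frame["src"]) == "permit" else dropped
        target.append(frame)
    return forwarded, dropped


# Constructed sample frames as they might arrive on the bridge-domain 11/22
# service instances of the LAN-facing interface.
SAMPLE_FRAMES = [
    {"src": "0000.0c07.ac0b", "desc": "HSRPv1 hello, group 11 (the ac0b MAC in the video)"},
    {"src": "0000.0c9f.f016", "desc": "HSRPv2 hello, group 22"},
    {"src": "0000.5e00.010b", "desc": "VRRP advertisement, VRID 11"},
    {"src": "0007.b400.0b01", "desc": "GLBP hello, group 11 forwarder 1"},
    {"src": "0050.56aa.1111", "desc": "host in VLAN 11"},
    {"src": "0050.56bb.2222", "desc": "host in VLAN 22"},
]

if __name__ == "__main__":
    fwd, drop = filter_lan_frames(SAMPLE_FRAMES)
    for f in drop:
        print(f"DROP    {f['src']}  {classify_fhrp_mac(f['src'])}  ({f['desc']})")
    for f in fwd:
        print(f"FORWARD {f['src']}  ({f['desc']})")
```

Running it drops the four FHRP frames at the LAN interface and forwards only the two host frames into the overlay, which is the behaviour the speaker verifies with show otv route: the HSRP virtual MAC stops appearing in the remote site's route table and ages out. The model matches on source MAC only; the video does the same on IOS XE, and the speaker notes that NX-OS needs additional steps.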
Info
Channel: CiscoGuy_CCIE
Views: 208
Keywords: cisco, networking, otv, overlay transport virtualization, cisco otv, technology, configuration, troubleshooting, overlay
Id: kvVq3jyqREQ
Length: 42min 15sec (2535 seconds)
Published: Fri May 22 2020