Cisco SD-WAN 003 - SD-WAN VPNs Overview and SD-WAN Controllers Setup

Captions
All right everybody, in this video we're going to kick off by setting up the IOS CA out of the gate, because we need to have a root certificate, and then we also need a way to take the certificate signing requests, the CSRs, from all the controllers and generate a signed identity certificate. Once we get all through that we will have all of our devices up and running at the controller site. I will talk about how to get all that up and running, we'll get all that squared away and go from there.

So let's start off by setting up the IOS CA. So I'm going to click on the IOS CA, where is it at, right there. So the router is squared away, ready to go. So the initial steps to get this up and running: we have to do a bootstrap config and get that all squared away. So the first thing that we need to do here obviously is a hostname, so IOS-CA (CA, not CS), and then we're going to go ahead and generate a crypto key: crypto key generate rsa with a label of, I'm going to type in, pki, with a modulus of 2048, and hit the enter key. So now SSH will be enabled once it's done doing its processing. All right, so now that part is done. The next thing I'm going to do is turn the web server on; I have to turn the web server on in order for the certificate server capability to be enabled, so I'm going to type in ip http server. So that's going to allow that to happen. So the next thing I'm going to do is type in crypto pki server and give it a name of pki, and hit the enter key, and then there's a couple of things that I needed to do in order for this to work the way that I needed it to. I'm going to tell it to point the database to the URL: database url is going to be stored in flash, because when I do a TFTP I want to be able to push the data out to it. Let's say the database level will be complete. I'm also going to type in the issuer-name, which will be CN (or common name) equals rootca.lab.local, there we go. I'm going to give it a hash of SHA-256. I'm going to say the database archive will be PKCS12 with a password of cisco123. Last but not the very last, I need to type in grant auto, meaning I do not want to come in here and manually generate a certificate; I'm going to go ahead and just automatically generate certificates. And I'll type in no shut. Okay, that's going to go ahead and turn the certificate server process on, there it is, and we're in good shape there. I'm going to exit out of that and I'm going to type in crypto pki export pki to a format of PEM, and the URL is going to be flash. It says do you want to export that? Yes I do. Do you want to overwrite it? Yeah, we'll go ahead and do that. The next thing I want to do is say the TFTP server capability that this will be running will point to flash:pki.ca. Okay, so now everything else is squared away; in this particular case I'm good to go.

So now that I have that in play, the very next step for me to focus on is getting the configurations on the interfaces squared away and go from there. So now what I'm going to do is actually go back to global config real quick. I'm typing crypto pki server... I need to export the root certificate, so crypto pki export and then the name of the trustpoint, in this case here pki, question mark, in the format of PKCS12... oh no, sorry, this would be PEM, then pem terminal, and hit the enter key, and it's going to generate the certificate. I will take the certificate when it becomes time to actually configure the vManage; I'll go ahead and copy this certificate out. This is the certificate of the CA, so this is the root certificate.

So now that I've got that done, I'm going to go ahead and turn to interface gig 0/0 and I'm going to give it the IP address of 223.1.1.13. Now the reason I'm giving it that specific IP: if you look over here on the right-hand side of the screen you'll see IOS CA is attached to gig 1/3. Basically what I'm doing is, whatever the interface name is, that's the IP address of the device, so it keeps it easy for me to remember. So in this case here it's going to be gig 1/3, which means 223.1.1.13; vManage will be 223.1.1.10, vBond will be 223.1.1.11 and vSmart will be 223.1.1.12 respectively. And I'll go ahead and give that a /24 mask and I'm going to go ahead and no shut that interface, so we're in good shape there. The last thing I need to do is actually come in here and type in ip route, give it a default route to 223.1.1.1, and I'm going to go ahead and save that config; in the event that there's a power failure I'm in good shape. With that being said, that is the certificate authority configuration.

The next thing I need to do is on the vManage. Now the vManage, I'm going to go ahead and log in, it's admin and then admin again, and what I have to do is I actually have to install the operating system for vManage. So when you go to set this up, when you go to upload the vManage image to your EVE instance, one of the things that you're going to have to do is add an additional 100 gig hard drive. So there's some documentation on Intel's website, or I'm sorry, on ebeng.net; if you were to go take a look at that it'll give you the actual syntax. But that 100 gig hard drive is where you're actually going to install the operating system, and that's where a lot of the database information is going to be kept: what vEdges you have, what the templates are going to be configured as, so on and so forth. So I'm going to go ahead in here, I'm going to choose hard drive one and hit the enter key. It says do you want to format it, I'm going to say yes and hit the enter key. So now we are literally in a hurry up and wait scenario, so I'm going to pause the video, wait for this to finish and do its thing, and then I will bring you guys back in once this is 100% good to go and ready to start. We'll go through the actual vManage, vBond and then vSmart configurations in order to get them squared away and get them all set up, and I'll explain what's happening where and why it's happening the way that it is.

All right, now that our vManage is up and running and squared away, we can go ahead and log into this guy like so, and we're going to go through the steps to actually get the bootstrapping done. So let me go ahead and get out of the way. We're going to go ahead and go to global config and we're going to begin with the system configuration. So system: we're going to specify the host-name is going to be vmanage. The system IP in this case here, on the right-hand side of the screen you can see where it says 10.100.0.0 and our connection is on gig 1/0, which means our system IP will be 10.100.0.10. Our site ID will be 100, for the second octet, right, 100 right there, that's 100. Our organization is going to be lab, and that's pretty much it. So we have our hostname, we have our system IP... oh, we need to specify the vBond, I always forget that, and the vBond IP is going to be 223.1.1.11. We're going to go ahead and commit that config. I'm going to jump out of global config and I'm going to go ahead and begin the VPN 0 configuration. So VPN 0 is going to be the connectivity that is going to allow for the transport communication. So we're going to go and type in vpn 0 and then we're going to specify the interfaces that are going to work inside of VPN 0. So I'm going to say interface eth0, give it an IP address of 223.1.1.10/24. I'm going to no shut that interface and then underneath here I need to specify a tunnel-interface and then allow-service all. So that's pretty much all I need to do there. I'm going to go ahead and commit that config, that's going to be that, I'm going to exit out and I'm going to go ahead and give it an ip route of 0.0.0.0/0 to 223.1.1.1, commit that as well. You can do it all in one fell swoop or you can do it with the commits, so you can type in all your commands at one time and then commit, or do it in stages like I'm doing it; it's up to you how you want to do that.

Now that we have this in play, the next thing for me to do is attempt to get the... actually, before I do that let me go ahead and get ethernet 1 configured. So interface eth1, the IP address here is going to be 10.255.1.110/24, no shut, and then I'm going to go ahead and commit that config. I'm going to go ahead and type in ip route 10.255.10.0/24 to 10.255.1.1, commit that as well. All right, so now I've got VPN 0 100% configured. Now I can move into the process of getting the certificate. So now what I should be able to do is type in the command request download tftp://223.1.1.13/pki.ca; remember, that is the name of the certificate that I need to download. We hit the enter key and we should have been able to download the certificate. And there's a little trick you can do, actually, on the router: you can type in debug tftp events as well as debug tftp packets, and then if there's anything that happens on the router... so if we were to type this command again, IOS CA should show us that there are some debugs that went back and forth, and we're in good shape, from 223.1.1.10, which is what we want to see. So go back to vManage. We're going to type in request root certificate install /home/admin/pki.ca, that's where that particular file is downloaded. We hit the enter key and the certificate was successfully installed, which is a good sign for us, everything's working out so far.

Now that we've got the certificate installed, now we actually have to go ahead and generate the CSR. So to do that we're actually going to open up another window. So I'm going to pull up Google Chrome, I'm going to bring this over here so we can see it, I'm going to type in 10.255.1.110, so that's going to bring up the vManage. I'm going to go in here and type in admin and admin, go ahead and let that log in, and as you can see we don't have anything going on right now; this is what it looks like when you first get this platform up and running. So what I'm going to do is click on this guy right here in the upper left; click on that, that's going to expand the side menu. Click on Administration and then Settings, and then the first thing that I have to do in here is specify the organization name. So I'm going to click on Edit and here I'm just going to type in lab and then lab again; whatever your organization is, that's what you would want to type in here, so if you're newfoundland.com or something along those lines. I'm going to click on Save, and the next one I'm going to do is going to be vBond. Even though we configured it via the CLI it doesn't show up here; I'm going to click on Edit and underneath here we're going to type in 223.1.1.11, click on Save. So now the vBond has been updated, and we come down here to Controller Certificate Authorization. It's set to Manual; come over here to Edit and click on Enterprise Root CA. So it says "Confirm cert auth change: this setting changes the certificate authority which is used for authentication, do you want to continue?" Yes please. So we're going to come back over here to the CA, I'm going to scroll up just a little bit to where the certificate should be hanging, which is right here. I'm going to copy all this, right here to right there, copy all this, I'm going to paste it in like so. I'm going to click on Set CSR Properties and then here I'm going to type in lab.local, and then the organizational unit is lab, the organization is lab, the city is going to be, let's say for example, we're going to put in Orlando and then Florida, and then the email is going to be admin@lab.local, and then in the country code we're going to say US, and the validity, we'll give it three years because we want this to last a while. I'm going to click on Import and Save. There we go, awesome.

So now that we have that in play, we have everything squared away, the next thing for me to go do is to actually click on Configuration again and go to Certificates and click on Controllers. So you can see the vManage is automatically there, we can see our system IP, and what I need to do is, if we were to expand this a little bit, so drag this to the right a little bit, you can see that nothing's really going on. I'm going to go ahead and click on Generate CSR. I'm going to take the CSR right here, I'm going to copy all of this right here into my clipboard. Now if I was running a Windows CA server or something else I could download this file and then upload it, or if I was using another, like a third, like an actual publicly reachable root certificate authority, then I could download the file and then upload that. So I'm going to click on Close, I'm going to go ahead and jump out of the way, we go back to the CA. I'm going to type in crypto pki server pki; I'm going to request a certificate signing, so I'm going to ask the CA to sign my certificate, I'm going to say via pkcs10 via the terminal and hit the enter key. I'm going to paste this information into the command line, or into the console I should say, and then when it gets down to here, if it doesn't automatically generate the extra line underneath the END CERTIFICATE REQUEST then you have to hit the enter key, type in quit, and then after a couple of seconds we should get a granted certificate. We're going to take this information right here, we're going to take it back over here to vManage, but with the vManage highlighted like it is right now in yellow, we're going to click on Install Certificate, and then right here we're going to paste this in and click on Install. Now if I've done everything correctly I should be able to expand this out and refresh it a few times and we should get a success on the install of the certificate. And beautiful, so it was successfully installed. We're going to click back on Certificates and Controllers and we can see that the certificate was successfully installed, which is what we want to see. We go to Devices and Controllers, we'll see that we're in good shape, everything looks pretty good.

Now the next step for us to go through and do is to actually go through and set up the vBond, so very much the same setup as before. So I'm actually going to come over here to vManage, show run system, and I'm going to grab some of the config out of here. I'm literally going to take system and then these few lines of config right here, I'm going to open up Notepad and I'm going to take these commands and paste them in here. So I'm going to actually get rid of this one here and this one here, admin-tech-on-failure, I'm going to get rid of those; these are the ones I need. So in here it's going to be 10.100.0.11, and then the vManage, this will actually be turned over to be vbond, and then at the end of this one I need to type in local, and that is it. So I'm going to grab all this information right here, I'm going to copy it and I'm going to actually paste it into the vBond CLI. And if you notice on the vBond right here, where is this, ge0: notice how that is different than all the other ones that say eth0 for vManage and vSmart. The reason why is because a vEdge can also be a vBond, and when you go to type in the command local it automatically knows that it's going to be a vBond and that it's going to be the orchestrator and the authenticator for onboarding any of the edges. So I'm going to go ahead and log in, admin and then admin, go to global config, I'm going to paste that config in just like so, I'm going to go ahead and commit that config, and then I'm going to exit out of the system and go to vpn 0. I'm going to type in the interface of ge0/0, IP address of 223.1.1.11/24. I'm going to no shut this guy, I'm going to specify that it is a tunnel-interface and then the encapsulation is going to be ipsec, I'm going to allow all the services as well so that I have no problem getting things up and running. I'm going to go ahead and exit out of that and that, and type in ip route, a default route to 223.1.1.1, and I'm going to go ahead and commit that config, and that's all I really need to worry about. I'm going to go ahead and ping 223.1.1.10, that's great, I'm going to ping .13 as well, excellent. So I'm able to ping both of those devices.

My next step in the process is to come over here to Configuration, Devices, and then I'm going to add a controller; I'm going to add a vBond, and here I'm going to type in 223.1., and the username is going to be admin and the password is going to be admin, and I'm going to generate a CSR, so go ahead and do that, click on Add, and then after a couple of seconds it should be able to reach out, and there it goes. So now what I need to go do is, on the Certificates tab, I need to go on the Controllers and go through that same process. So what I do here is, I need to go on the vBond, I need to download the certificate, so request download tftp://223.1.1.13/pki.ca, and we can see the CA lit up so we know that the certificate was good. So request root certificate install /home/admin/pki.ca, there we go. And then now that that's been uploaded I can actually go back over here to this guy and I can click on, it says CSR Generator right there, let me click on here and say View CSR. So I can take all this right here, copy it, click on Close, go back to the CA and type in request, I'm sorry, crypto pki server pki request pkcs10 terminal, and then I'm going to paste in the CSR for the vBond. I'm going to type in quit with the extra line there, and then after a moment we should get a signed certificate granted, which we do. We're going to come back over here with the vBond highlighted, we're going to click on Install Certificate and then paste the contents right there, click on Install, give that a couple of seconds and then do the refresh process; it's going to take a couple of seconds and then there we go, now we're on board. Go to Certificates, Controllers, and it'll update here momentarily, there we go: so it's certificate serial 3 and then site ID 100, system IP of 10.100.0.11, excellent. So now what I get to go do is click on vManage and I get to issue show control connections (one too many n's there). So now we have an active connection to the vBond, which is good. On the vBond it's show orchestrator connections, excellent, so I have a vManage connection up and running, I know I'm in good shape.

Now the next thing to do is click back on Configuration and Devices, go to Controllers and then I'm going to click on Add Controller; this time it's going to be a vSmart. For vSmart I'm going to type in 223.1.1.12, admin and then admin, and generate the CSR. I could change the protocol but I'm going to leave it as the default and not change the port. Click on Add, give it a couple of seconds... failed to add. Oh, that's because I haven't configured it yet, that's right, I forgot about that. So on the vSmart, same process: come over here and do the initial configs for that, pretty much the exact same config as before. So we're going to go ahead and come in here, this is going to be vsmart, .12, 0.12, and copy all that in. So we're going to log in as admin and then admin, go to global config and paste that config in like so, commit... I'm sorry, no, the vBond is .11. Commit that, there we go, exit out. Let me go ahead and minimize this and we're going to go ahead and set up vpn 0, and then we're going to type in interface eth0, IP address of 223.1.1.12/24, no shut, and then, under interface eth0, tunnel-interface, allow-service all. Exit out of that a couple of times, put in an ip route to the switch's default gateway, 223.1.1.1, and commit. So now we're in good shape there. So now I should be able to come back over here and do that one more time, Add, there we go. So now that I've done that I need to go and do the same thing I did just a moment ago: request download tftp://223.1.1.13/pki.ca, and then we're going to do a request root certificate install /home/admin/pki.ca, beautiful. Now we're going to go over here underneath Certificates and Controllers, we're going to go ahead and click on View CSR, copy all this information right here into the clipboard, go back over here to the CA, type in crypto pki server pki request pkcs10 terminal, copy paste, I should say just paste, not copy paste, and then here we have a situation where we have to hit the enter key and then type in quit. That will trigger this process right here, and we're going to go back over here with the vSmart highlighted, we're going to click on Install Certificate and then paste that information in and click on Install, and expand, refresh a few times, and there we go, excellent. So now we get to go over to vManage, hit the up arrow, and now we have a connection to the vSmart. Go to vBond, hit the up arrow, now we have vSmart. Go to vSmart, show control connections, blamo, we have a connection to both vBond and vManage, we're in really good shape.

All right, so that, ladies and gentlemen, is the control connections up and running, so we have all of our controllers online and ready to go. So now that we've talked about that, I just kind of skipped a little bit in the beginning, I jumped the gun just a touch, so let's talk about what VPN 0 really is. So let's go ahead and dive into that just a little bit. So one of the key concepts here that you need to understand about SD-WAN is the concept of the VPN. So with the VPN, virtual private network, for those of you that come from the Cisco world or the Juniper world where you're dealing with layer 3 routing segmentation, you have the concept on a Cisco router known as a VRF, virtual routing and forwarding table. So what is a VRF? Well, a VRF is to routing, or layer 3, as a VLAN is to layer 2. So if you want to provide segmentation on a switch, right, you've got a switch right here and you want to isolate these two ports from these two ports; this way you create VLAN 10 and VLAN 20, and now these two ports are logically isolated from each other. Well, you can do the same thing with the router; you basically create a VPN. Out of the gate you have VPN 0. VPN 0 is again for transport, and what that basically means is you are using the connection for the communication basically between all these guys. Let me go ahead and just highlight all this. So basically everything inside of this orange area here, right, this is all transport, because it's all communication, so it's riding over both internet and via MPLS once we get it all set up, because we're going to have connections over both transports. And there was a question I received earlier: you've got one router, how are you providing MPLS layer 3 VPN? I'm really not; all I'm doing is providing an interface that connects these devices together via a different transport, that's it. So it's IP, there's no actual label traffic, there is no multi-protocol BGP. So in this case here, all the communication between the vEdges and technically the controllers is VPN 0. So VPN 0 is transport. Now what will end up happening is you'll have multiple interfaces inside of VPN 0: so these interfaces, these interfaces, these interfaces, etc. So all these interfaces will all belong to VPN 0. So think of it like this: you have VPN 0, which is the transport, right, then you have ge0/0 and ge0/1; one connects off to the internet, the other one connects up to MPLS, right, this is communication outbound towards the internet or over the wide area network or whatever it might be. That's the first VPN. The second VPN we have is VPN 512. We've only configured that here on the vManage, and this is for out-of-band management. So if you want to be able to control your controllers or control your vEdges outside of the data plane, so instead of having to come in this way or come in this way or come in this way, you can actually have VPN 512, so mgmt, wired directly into ethernet 0 on the vEdge or any of your controller devices, and that will provide you out-of-band management for that device. So let's talk a little bit about the service VPN. This is where the actual user traffic is going to sit. Service VPN, what is this? This is going to be VPNs 1 through 511 and 513 through 65,000 roughly. So you have all these VPNs that you can use; again a VPN equals a VRF, and essentially whenever you create a new VPN you're creating a new routing table, so you can logically separate traffic based on the VPN, and then you can allow leaking between those VPNs through what they call VPN segmentation, so you can do VRF route leaking if you'd like to do that. We'll talk a little bit about that later; that's going to be a dedicated video when we talk about how that would work, and that's basically what ends up happening. So at the end of the day when we go through and start spinning stuff up, VPN 0 is going to allow us to communicate between the vEdges; that's where your IPsec VPN is going to sit, that's where your OMP peerings are going to be, all that type of stuff. With the service VPN you're facing the customer, or you're facing the internal users, so the internal routing. So for example VPN 1 or whatever else is going to be focusing internally on the LAN versus out on the WAN. So we had to have a way of separating the traffic, and we'll take a look at those different details as to how they come into play as we're going along, but that's pretty much it really, so that's basically how that comes into play and all of that.

So with that being said, ladies and gentlemen, that is how you break down the controller implementation and get that all squared away. It doesn't take terribly long to get it up and running or working, but it's one of those things that once you know what to do, basically it's a matter of going through and doing that. Now that we've covered those details, let me go ahead and finish up the config real quick because we're not actually done yet. So where is that switch? So I'm going to come in here and I'm going to create a hostname, it's going to be dc-switch, and the next thing I need to do is type in vlan 223, and then interface range gig 1/0 through 3, switchport access vlan 223, switchport mode access, spanning-tree portfast. Okay, now that we've done that I'm going to go ahead and type in interface vlan 223 and the IP address is going to be 223.1.1.1/24. I'm going to go ahead and no shut that port and then do show ip interface brief; okay, it's all up. So I'm going to do ping 223.1.1.10; I should be able to ping all of them, .11, .12 and then .13 respectively, excellent. So that basically means that as we're proceeding forward we'll be able to talk internally. The next thing for me to do is go to interface g0/0 and type in no switchport, so transfer this from a layer 2 port to a layer 3 port, and type in an IP address of 192.1.20.2/24, no shut that, and then on interface g0/1, no switchport, and then I'm going to type in IP address of 172.31.20.2/24, no shutdown on this guy even though it doesn't necessarily need it. Do show ip interface brief, excellent, so everything is up and running. I'm going to do write to save that config, and we're in good shape. All right, so now that we have all that in play, the next thing for me to do is to go and set up the edges, so that'll be the next video; we walk through setting up the vEdges and how all that stuff works and get through those details. Until next time guys, thanks so much for stopping by and I will catch all of you in the next video.
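The bootstrap the video walks through, collected into one listing as an added example. This is a reconstruction from the captions, not the author's own config files: the IOS CA first, then the Viptela CLI for vManage, vBond and vSmart using the video's lab values (223.1.1.0/24, site 100, organization lab, password cisco123). The `request root-cert-chain install` line is the CLI spelling of the command the video describes as "request root certificate install"; the vManage management interface (eth1) is left out because the captions do not state which VPN it belongs to.

```text
! ===== IOS CA (Cisco IOS) =====
hostname IOS-CA
!
! RSA key the CA signs with (also enables SSH)
crypto key generate rsa label pki modulus 2048
!
! The IOS certificate server will not start without the HTTP server
ip http server
!
crypto pki server pki
 database url flash:
 database level complete
 issuer-name CN=rootca.lab.local
 hash sha256
 ! lab value; protect the archive with a real passphrase anywhere else
 database archive pkcs12 password cisco123
 ! "grant auto" signs every PKCS#10 request that reaches the CA with no
 ! review, so anything that can TFTP to 223.1.1.13 and paste a CSR gets an
 ! identity cert. Acceptable only on an isolated lab segment; otherwise
 ! leave granting manual and approve each request with
 ! "crypto pki server pki grant <request-id>" after inspecting it.
 grant auto
 no shutdown
!
! Write the CA certificate to flash as pki.ca and serve it over TFTP
crypto pki export pki pem url flash:
tftp-server flash:pki.ca
!
! Same root cert on the console, to paste into vManage's Enterprise Root CA box
crypto pki export pki pem terminal
!
interface GigabitEthernet0/0
 ip address 223.1.1.13 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 223.1.1.1
!
! Signing a controller CSR later: paste the PKCS#10 block, blank line, "quit"
! crypto pki server pki request pkcs10 terminal

! ===== vManage (Viptela CLI) =====
system
 host-name         vmanage
 system-ip         10.100.0.10
 site-id           100
 organization-name lab
 vbond             223.1.1.11
!
vpn 0
 interface eth0
  ip address 223.1.1.10/24
  tunnel-interface
   allow-service all
  !
  no shutdown
 !
 ip route 0.0.0.0/0 223.1.1.1
!
! Fetch and trust the root certificate (same two commands on vBond and vSmart)
! request download tftp://223.1.1.13/pki.ca
! request root-cert-chain install /home/admin/pki.ca

! ===== vBond: same system block plus "local"; ge0/0 rather than eth0 =====
system
 host-name         vbond
 system-ip         10.100.0.11
 site-id           100
 organization-name lab
 vbond             223.1.1.11 local
!
vpn 0
 interface ge0/0
  ip address 223.1.1.11/24
  tunnel-interface
   encapsulation ipsec
   allow-service all
  !
  no shutdown
 !
 ip route 0.0.0.0/0 223.1.1.1
!
! ===== vSmart: as vManage, with host-name vsmart, system-ip 10.100.0.12,
! ===== interface eth0 223.1.1.12/24 =====
```

After each controller's cert is installed, `show control connections` on vManage/vSmart and `show orchestrator connections` on vBond are the checks the video uses to confirm the control plane came up.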
Info
Channel: Rob Riker's Tech Channel
Views: 13,218
Rating: 4.9791665 out of 5
Keywords: cisco, sd-wan, sd, wan, software defined wide area network, vManage, vSmart, vBond, controllers, vpns, vrfs, overview, bring up, tls, dtls, certificates, pki, ca
Id: kUZ2w_-zJHg
Length: 34min 13sec (2053 seconds)
Published: Sat Sep 19 2020