Cisco SD-WAN 005 - Bringing up MPLS Transport

Captions
How's it going, everybody. In this video we're going to take a look at setting up our secondary transport, the MPLS cloud, and onboarding vEdge5 to the controllers. The process here is actually pretty straightforward. We're going to take a look at our current state and go from there. I'm going to pull up vManage, go to Monitor > Network, and then come back to the dashboard to see if we're in any better shape, and we're in a partial situation. The reason you see "partial" is rather simple: we have additional interfaces. vEdge1, vEdge3 and vEdge4 all have multiple transports set up, one going out to the internet and one going out to MPLS, but currently only one of those transports has an active session to the controllers. If we look at the command line on vEdge1 and do show control connections, you'll see that on this circuit, for MPLS, it says "connect". It's trying to connect, but it isn't able to establish a connection over the MPLS transport. Because of that we're only able to get the connection partially up, which is why you see the control status set to partial. So what we're going to do is bring up the MPLS transport on all of the edges and make sure they're squared away.

I'm going to start on vEdge5 to get him squared away. Log in first, admin and admin, go to global config, and do the bootstrapping config on him. I've already got it partially started. I don't want a default route here, so I'm not going to do a default route. Underneath VPN 0 I'm going to type in router bgp 650, then no shutdown. The neighbor for this configuration is going to be 172.31.15.1, remote-as 100, address-family ipv4-unicast, and then underneath address-family... let's exit out on that one, exit, exit address-family and exit again, and then address-family ipv4-unicast, network 172.31.15.0/24. That'll get that connection up and running for us, and then we'll be able to connect here. But we're still not going to be able to get the certificate to download, because we'll need to get the DC side of the house squared away first. Right now the DC side doesn't have BGP configured at all, and I won't have transport reachability to this particular subnet, so I can't go any further than this. So I'll literally copy and paste this out into vEdge5. Assuming I've done everything correctly, show config: BGP looks good, the address family is set up correctly, which is what we want, and the config is set up correctly, ge0/1, color mpls, no shutdown. Let's commit that config. Now that guy's squared away.

I'm going to minimize this and jump over to the DC switch, show ip interface brief, go to global config, router bgp 65100, neighbor 172... remote-as 100, and then network 223.1.1.0 with a /24 mask. Now that I have that in play, my next goal is to go to the other edges and do the exact same thing. If I go back to vEdge5 and show bgp summary, I have an active session, and if I do show bgp routes I've learned 223.1.1.0. Show ip route: I've learned the 223 route, so I should be able to ping 223.1.1.13, and I can. That means I can bring this guy back up and run through these steps: I can do a request to download the certificate this way. Then request root-cert-chain install /home/admin/pki.ca; request csr upload /home/admin/csr.txt, lab and lab; then vshell, more csr.txt, and copy this into the CA: crypto pki server pki request pkcs10 terminal, paste it in, hit enter, type quit, and I get a certificate out. I grab it, take it back to vEdge5, type cat << "" > cert.txt, paste that in, exit out, and then request certificate install /home/admin/cert.txt and show certificate serial. I'm going to grab this guy right here, and remember 09. Back to vManage: request vedge add chassis-num (this guy) serial-num 09, enter. Take this information over to vBond and do the same thing. Pull up vManage, and on the Certificates page, in the WAN Edge list, this should start to show up. We have to wait until it's actually in vManage with the certificate installed before we can push the certificate to vSmart. There it goes, sending to controllers, and after a moment or two or three or four or five, there we go. Now that we have that done, if we do show orchestrator connections we should have a fifth vEdge, which we do, over MPLS. We go to the edge and show control connections: we should have a connection to each one of the controllers and an OMP peering to vSmart, which we do. So our connectivity is now working over MPLS.

I'm going to minimize this and take the config from vEdge5; actually let me keep this up here. I can take this syntax and edit it to get the other peerings up and running. Let's go back to vEdge1 and get that guy squared away. vEdge1 is going to be 65012, this would be 172.31.11, and it'll be 11 like so. We'll grab that config, go to global config and paste it in. Well, it didn't like that. Oh, admin and admin must have been too long; I'm not under vpn 0. OK, so admin. Oh, I'm doing the exits, that's what's messing me up. So config t, vpn 0, there we go. Show config, there we go, so we should be able to commit that. Then we'll make this 12 here and 12 here, take that over to vEdge2, admin and admin, paste it in. Whoops, vpn, I always forget to do that. Show config. Now we have to exit out of here, exit out of here; let me do this first, move this up to this part, and then we'll do that. Show config, there it goes, commit. We'll move this command to be underneath here, and now we should be OK to continue. I'll grab vEdge3, log in a couple of times, vpn 0, and type in 6503; underneath this guy will be, I believe, 13. Yeah, it'll be 13. 13 here and 13 there, paste the settings, show config, commit that config as well. Then on vEdge4 this will be 6504, 14 and 14. Copy and paste this into here, admin and admin, global config, copy and paste, oh, again, vpn 0. For some reason I'm having a hard time with that today. Show config just to verify that it's working correctly, and then commit.

OK, now we have that all squared away. What should end up happening now on vEdge1, if we jump out of global config into show ip route, is that we start to see these other routes come through. We see 14 and 15, and we should see 13 momentarily. Once we do we'll be in good shape, but I don't have to sit around and wait for that. Now back on vManage, on the dashboard, we're going to see some interesting stuff: now everything is partial WAN connectivity, and we're like, OK, what's going on here? When I saw this I was like, what gives, bro? It's actually kind of a unique scenario, so let me explain what's happening, because it's not obvious what the issue is. OK, there's 13, so we're in good shape. I wish there was clearer documentation; there's some you can look up, but it's not obvious out of the gate. Let's break this down so you understand the process, because it wasn't until I sat down that I was like, OK, what gives, Batman?

Let me switch this color over to green. You need connectivity over both transports, which we have. This connection right here connects down to here, here, here, here and here respectively, and everything is looking pretty good. Over here we have connections to here, here, here, here and here, so all is working. Do you ever notice this link right here between the internet router and the MPLS router? Any idea why I randomly connected those to each other? There's actually a legit reason for that. When you set up a vEdge solution, in order to connect to the controllers it's automatically going to try to form a connection from the same color to the same color over the same transport, meaning if this guy is inet and this guy over here is inet as the color, you're going to attempt to form a BFD or IPsec session over that particular transport. But if you're also advertising this transport, or if you configure that under VPN 0 and it's reachable, like you can ping it from this direction, what's going to end up happening is the internet connection is also going to try to form a connection with the MPLS circuit. In most cases internet and MPLS are two logically separated solutions; you're normally never going to co-locate or commingle your internet and your MPLS transport. Now that doesn't mean you can't: there are solutions out there where providers have an MPLS backbone and provide a particular site or company with internet access over MPLS L3VPN. Internet over MPLS VPN is a very popular service, but not everybody does that. If you're doing that and that's your solution, this problem would never be a problem, because you would have all of your connections up and running. In a case like this we have control up, the control is working great, but you have partial link connectivity, because a connection here on the internet is trying to form a connection over MPLS. It's trying to go this route, but it's being blocked because it can't actually reach it. You're sourcing off 192.1.12 trying to go to 172.31.13, and it's never going to work, because neither transport has a route to get to the other transport. To fix this we could do something like this, where we allow the sharing of routing information between the two different transports, internet to MPLS and MPLS to internet. That's one way to do it, and then the path will take, let me switch my color to something more obvious, say yellow, this path. If you set it up that way it would work great, because then you'd be providing bidirectional communication.

So let's actually go ahead and do that. Let me clear the screen and get out of the way. This is the current setup: partial WAN connectivity five, control up one is partial, not that big of a deal. I'm going to pull up the command line again, and my goal is on the MPLS and internet side of the house. On inet I'm going to do show ip interface brief and ping 101.0.0.2. It might not be turned on on the MPLS side: show ip interface brief, it is shut down at the moment, so interface gig0/6, no shut, bring that guy online. Now back to inet, try that one more time; OK, the ping works just fine. Show ip route: there is a static route already in here. On the internet router I said that in order to reach anything 172.31.16, point towards 101.0.3.2. If I go to the MPLS router and do show ip route I should have a static route that does the exact same thing: anything to 192.1.16, go to 101.0.0.1. That will allow the communication to go back and forth. So now if I go to vEdge1, for example, and show control connections, we see that it's up, and it's been up for about seven seconds, which means if I ping, let's say, 172.31.12.2 sourcing from interface ge0, I can ping it. I'm sourcing from this IP but reaching this IP. So how do I fix that? Well, it tends to be not broken, but let's do show bfd sessions. I have a number of connections up and running; some are up and some are not, so that might just take additional time to figure itself out. Not that big of a deal at the moment. But if I do a traceroute in vpn 0 to 172.31.12.2, let me do it this way, vpn 0, the interface to send through, ge0/0, to a destination of 172.31.12.2, it will flow through the internet connection. The BFD sessions will eventually come online and I'll be able to reach it; right now it's taking its sweet old time, not sure why it's being so slow. But these are connections where, in a scenario like this, you have to know what the solution is trying to accomplish. So what's happening now: if you look here, from vEdge3 to vEdge2 it's trying to go from MPLS to public internet. Let me bring this over here a little bit; it's trying to go from MPLS, this route, over towards internet. To solve that, let's test reachability. If I have a default route, and in this case I do, and I try to ping 172.31.12.2 sourcing from ge0, I can reach it. If I do a traceroute, vpn 0, interface ge0/0, to a destination of 172.31.12.2, it's taking the path via MPLS, and the reason it's taking that path is that I don't have a secondary default route in the routing table, so it's like, OK, I don't have another alternative path. The way I normally fix this in this particular case... let me take a little bit more of a gander at this situation. Show bfd sessions: they're still down, which I kind of anticipated, so it should technically be working. Let me double-check the config, because it needs to be bidirectional. As you can see, any cross-transport session is down at the moment. That means if I wanted to go from MPLS to public internet I'd have to set that up, which technically is working to a degree, but the reality is that in most scenarios you're not going to do this. It's not something most companies are going to be comfortable doing; managers like green lights, they don't like yellow and red.

So how do we fix this? Well, there's a simple way of doing it. On the partial WAN side of the house as well as the control, we're going to tell the vEdges that they're only going to form BFD sessions with other vEdge devices on the same color. For example, vEdge1 has transports on both MPLS and internet. On the internet one we use the command restrict and add that to the color public-internet command, so color public-internet restrict. It's only going to allow the vEdge to form control connections and BFD sessions, so WAN connectivity, over public internet, and not with any other transports from public internet, so it won't try to go to MPLS or LTE. Let's bang that out real quick; it doesn't take long to do, it's just a matter of doing it. On vEdge1 I'm going to go to global config and type in vpn 0, interface ge0/0, tunnel-interface, color public-internet, and then restrict, and the same thing with ge0/1, tunnel-interface, color mpls restrict. If we do a show config (let me get all the way out here, show config) you'll see that I'm doing this command right here. I'm going to take this out and commit it like so. Let me move this over so we can see this pop up, and scoot this over a little so you can see it. We should start to see stuff come back to life on the devices.

Let's do this to vEdge2: exit out to here, paste this in, commit it. vEdge3, vpn 0. vEdge4, copy and paste that in, commit. Then on vEdge5, global config, vpn 0, interface ge0/1, tunnel-interface, color mpls restrict, and commit that. As time goes on you'll start to see these connections going from partial WAN connectivity to full WAN connectivity. If we go back to vEdge3 and do a show bfd sessions, you'll only see sessions with other sites along the same transport: MPLS only to MPLS, public internet only to public internet, here we have MPLS to MPLS. So it's working the way we expect it to. Pretty cool stuff. There we go, now we're on full WAN connectivity; we have partial control connectivity, and that will eventually disappear to be fully connected. Let's go to Monitor > Network and go to vEdge5; if we go to tunnels you're going to see that it's got connectivity the way that it should. Back on the dashboard, this partial... what does that say? vEdge5 control connections; that's a little weird that it's giving me a hard time there. Show control connections: all right, they're up and working. Show omp peerings: OK, that's up. Eventually that should disappear and become a little more stable. When I was testing this earlier it was showing up as control up and partial zero, so it'll take some time to figure itself out. I'm not worried about it right now, but that's basically where we're at. We've set it up to where we need it to be working, so as far as I'm concerned we're good.

Let's recap what we took a look at. On the vEdges, if we do a show ip route, you're going to see a number of BGP routes in the routing table, which is fine. If we look at vEdge1 and do show ip route, we're going to see a bunch of the edges we're connected to, a number of vEdge devices via BGP. Show bfd sessions: we're going to have sessions over the connections that we need to have access to, and that's working the way it needs to. Beyond that, ladies and gentlemen, that is pretty much what we did: we set up BGP between the edges and the MPLS routers, so we're propagating the appropriate routes. That's pretty much where we're at. In the next video we're going to go through and talk a little bit more about the service VPN and some of the capabilities that it uses, so that we can understand those details a little bit better. Until next time, guys, thanks so much for stopping by, and I'll catch you in the next video.
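The cross-color behaviour the speaker describes, as an added model written for this page rather than code from the video or from Cisco: it enumerates which BFD sessions a set of TLOCs would attempt, marks as down any attempt whose two transports cannot route to each other, and shows how both fixes from the video (static routes between the transports, or `restrict` on the color) clear the partial status. Device names, colors and the reachability sets are constructed to mirror the lab.

```python
"""Added illustration for this page (not Cisco code): a small model of which
SD-WAN data-plane (BFD) tunnels a set of vEdge TLOCs will try to form, and
which of those attempts stay down because the two transports cannot reach each
other.  Device names, colors and reachability sets are constructed to mirror
the lab in the video; the rule modelled for `restrict` is the one the speaker
describes (a restricted color only talks to its own color)."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Tloc:
    """One tunnel interface: device, transport color, and the restrict flag."""
    device: str
    color: str
    restrict: bool = False


def will_attempt(a: Tloc, b: Tloc) -> bool:
    """TLOCs on different devices try a tunnel when the colors match, or when
    neither side carries `restrict` (restrict pins a TLOC to its own color)."""
    if a.device == b.device:
        return False
    if a.color == b.color:
        return True
    return not a.restrict and not b.restrict


def bfd_sessions(tlocs, reachable):
    """Split attempted sessions into (up, down).  `reachable` holds the
    unordered color pairs whose transports can route to each other."""
    up, down = [], []
    for a, b in combinations(tlocs, 2):
        if will_attempt(a, b):
            (up if frozenset({a.color, b.color}) in reachable else down).append((a, b))
    return up, down


def wan_status(up, down):
    """Per-device status as vManage would show it: Full when every attempted
    session is up, Partial when at least one is stuck down."""
    status = {t.device: "Full" for pair in up + down for t in pair}
    for a, b in down:
        status[a.device] = status[b.device] = "Partial"
    return status


def lab(restrict: bool, link_transports: bool = False):
    """Constructed lab: vEdge1-4 dual-homed (public-internet + mpls), vEdge5
    MPLS-only.  `link_transports` models the first fix in the video (routes
    between the internet and MPLS routers); `restrict` models the second."""
    tlocs = [Tloc(f"vEdge{n}", c, restrict)
             for n in range(1, 5) for c in ("public-internet", "mpls")]
    tlocs.append(Tloc("vEdge5", "mpls", restrict))
    reachable = {frozenset({"public-internet"}), frozenset({"mpls"})}
    if link_transports:
        reachable.add(frozenset({"public-internet", "mpls"}))
    return bfd_sessions(tlocs, reachable)


if __name__ == "__main__":
    for flag in (False, True):
        up, down = lab(flag)
        print(f"restrict={flag}: {len(up)} up, {len(down)} down, "
              f"{wan_status(up, down)}")
```

Without `restrict` and without routes between the transports, every dual-homed edge attempts cross-color tunnels that can never come up, which is the all-partial dashboard the speaker hits; either fix leaves only sessions that can actually reach their peer.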
Info
Channel: Rob Riker's Tech Channel
Views: 5,997
Keywords: cisco, sd-wan, sd, wan, mpls, bgp, transport
Id: SIDz5YLakE4
Length: 28min 35sec (1715 seconds)
Published: Sun Sep 20 2020