Cisco SD-WAN 006 - Service VPN Overview, Connected and Static Routes

Captions
How's it going, everybody. In this video I wanted to begin diving into the service side of the operations, because we've got the transport side pretty much nailed down at this point. So we're going to be focusing on some of the details that go into how things work and what you need to know from an operations perspective of what's going on. For those of you that come from a traditional routing background and you haven't transitioned into VRF-aware-specific routing, let's say for example you've got your CCNA and you're working on your CCNP, or you've had a CCNP for a while and you're transitioning to CCIE: one of the big things that I struggled with when I was studying for my CCIE was the VRF-aware component of all the routing protocols, and that's one of the things that SD-WAN here leverages pretty heavily, VRFs. So I'm going to be taking kind of a deeper look at how that works, to try to help you understand how that comes into play to provide the traffic separation. If you don't understand that concept, it's going to be kind of important that you do, because as you proceed forward there are going to be some outputs that you're going to be seeing that are going to require you to have a back-end knowledge of what's going on. I'm going to try to help paint that picture, but you might need to go back to something like DMVPN, which this solution is very similar to, DMVPN phase 3, right out of the gate. Once you have all the vEdges online and everybody's happy, you will have very much a DMVPN phase 3, a VRF-aware DMVPN phase 3 specifically, solution at hand, minus having to spend a ton of time creating VRFs and GRE tunnels and DMVPN and IPsec and crypto, something that could take someone even at my level a couple of hours to set up. You know, I spent probably an hour and a half building the lab and I'm done; I didn't have to do anything crazy, it was just a matter of onboarding some stuff. So we'll take a look at those details and how that works.

So one of the key things, let me do a little bit of whiteboard in here to try to help paint the picture. One of the main things that I found when I started diving into the solution was not necessarily the complexity, but what it was that the SD-WAN solution was trying to solve, right? The reason why I bring this up now and not earlier or later is because we're kind of at that transition point: okay, we've gotten the controllers up and running, all that's good; we've got some vEdges working, all that's good to go; we've got connectivity from a control plane perspective and a management plane perspective back to our controllers, all that's looking really good; and on top of that we have a bunch of IPsec VPNs that are set up between all the devices, right? Everything's looking good there. So I'm drawing a bunch of lines in here just to help you understand operationally what's going on. We've got this connection here, you've got this connection here (actually, that one doesn't set up right there), but we have all these connections going back and forth, right? So this is where we're currently at. Now, since we have the transport set up over both internet and MPLS, we need to talk about how we take advantage of those connections that are providing us the connectivity between the edges, and how we take the routes sitting behind the vEdges and distribute them. So let's take a look at that.

The way that Viptela does things is much like how DMVPN phase 3 does, specifically VRF-aware DMVPN phase 3. Now the idea with VRF-aware DMVPN phase 3, what that really means is that the interfaces that are facing the internet, so these interfaces right here, here, here, here and here, are in a VRF. They're in their own local routing table, and that routing table is WAN-facing. So that basically means that from the inside, this would be a regular routing table, this would be a user-specific routing table. Maybe you create the VRF WAN, for example, or whatever other term you want to use, right? You use VRF WAN and then you place the interfaces that are going to be facing the LAN inside of that VRF, and then you do your VRF-aware configurations for IPsec and so on and so forth. Now the idea is that between these connections here, so I'm going to draw a line here between here and here for example, all this connectivity here is inside the VRF, right? And that's what VPN 0 is doing. VPN 0 is the WAN, right? It's actually providing the underlay connectivity; it gets you from here to here. It's all the underlay. The part that makes SD-WAN shine is the ability to take all of this stuff in here, all the internal routing, and be able to advertise that over the top, let me go to a different site, over the top to here. And let me be specific: when I land, I'm landing over here, I'm not landing inside the VRF, I'm landing inside of what would be the service VPN. Now the service VPN is going to be any VPNs that are LAN-facing, right? So we have users connected to, say for example, router 15 here; you get users plugged in and then those routes are being propagated to the rest of the network, right? Everything is good to go there. In situations like that, no harm, no foul, but when you run into situations where you need to propagate routes and you're not sure how the VRF comes into play, that becomes a problem, because the service VPN is also a VRF. So for example this interface right here, let's say it's ge0/2: this would be its own VRF, and then if I was to do the same thing here on this interface, this would be another VRF, and this guy right here would be another VRF. You might say, okay, VRFs, well, how is that important? It's traffic separation at layer 3.

So instead of you going in and taking a bunch of interfaces that are just physically on the box, and then you start giving them IP addresses and they're automatically injected into the global routing table, or the default VRF, they are placed inside of created VRFs, right, user-created VRFs. Because they are created, that means that they're not going to be placed in the global routing table, which means everything that's going to be landing inside of them is going to be VRF-aware, or is going to need to be VRF-aware: static routing, multicast, IPsec, BGP, dynamic routing, the whole nine yards. Everything needs to be VRF-aware: SNMP, DHCP, everything. So think of it like you're taking a router just like you would a switch: you create a bunch of VLANs on that switch and then you're carving that up, so the switch is logically segmented. You're doing the exact same thing with the VRF. Okay, I want to make sure that it's abundantly clear: we're going to start off with a single VRF for a single VPN, VPN 1, and we're going to deploy that everywhere.

Now there's a couple of different ways, let me go ahead and clear the screen off, there's a couple of different ways that you can advertise stuff, right? So the connectivity between here and here, for example, actually let me do it this way, between here and here and between here and here: in order for this to work you use OMP, the Overlay Management Protocol, and what ends up happening is this is the control plane, as we talked about in a previous video. If I was to enable, say for instance, this link right here on vEdge1 and I was to enable this link here on vEdge4 inside of VPN 1, as soon as I no-shut the interface and apply an IP address to it, this particular prefix, so 10.1.16.0/24, would automatically get propagated over to here in VPN 1 and show up as an OMP route inside of VPN 1. If you do a show ip route, you would see 1 and then you would see 10.1.16.0/24 via OMP. Now the same thing would happen here: this route right here would get advertised over to this guy, and then in here you'd see 1 and you would see 10.4.15.0/24 via OMP, right? That's how this works.

So when you're creating a VPN, you can have multiple interfaces in the VPN, or you can do, well, on the vEdge Cloud devices that we're working with, the ability to do sub-interfaces doesn't seem to work on the vEdges. I haven't been able to figure out why, but they don't seem to work. So because they don't seem to work, I took an alternative path and I just started using other physical interfaces so that I'd be able to provide the traffic separation. But we're not going to worry about VPN segmentation right now; that'll be a video that we come up with down the road. When I create VPN 1 and I enable an interface inside of VPN 1, just by no-shutting it and bringing it online, OMP by default will automatically advertise connected interfaces in that VPN. That means that I don't have to do anything other than turn that interface on on both sides. So over here, good; over here, good; boom, those routes have been advertised.

Another way that this works is if I have, let's say I have this link right here, let's say this is a routed link of 10.1.61.0/24, just hypothetically speaking. If I want to reach this particular prefix and it's reachable off of the switch, I can actually create a static route on the vEdge in VPN 1 to point to this particular prefix, and switch 16 is my next hop. Perfect. Then I would also be able to advertise a static route, and it would come across and be learned over here, so I would see a 10.1.61 via OMP, so on and so forth. I can also add in OSPF and BGP, and we'll take a look at exactly how that works as we proceed forward. So I actually want to demonstrate this to you so you guys can see exactly how this works, because if you've never played with it before it can become kind of daunting. We're going to do this with the CLI so you guys can see how this works, because right now none of the edges are templatized. I'm actually going to go through and I'll throw templates in later on, but right now I'm simply working on the CLI.

So let's go ahead and dive into this config real quick and talk about these details. What I'm going to do is, on vEdge1, I'm going to take one of the interfaces, so ge0/2 on all the devices, and I'm going to advertise those in; I'm just going to enable it globally. So I'm going to type in admin and admin, and I need to create a VPN. If I type in vpn ? I can pretty much deploy anything I want on this box, so I can type in vpn 1, for example. Now I've created a VRF, right? Now what I need to go do is actually come in and specify what interface I'm going to work with, or what service I'm going to turn on, things like that. In this case here I'm going to type in interface ge0/2, and I can go ahead and type an IP address of 10.1.16.1/24 and no-shut it. Okay, now on switch 16, since I'm right there, show ip interface brief. Okay, cool, it actually stayed put, so I'm happy about that. So what I'm going to do is, on vEdge1, now that I've got that configured, I'm going to go ahead and commit it. Okay, so now it's been configured and committed. Now if I do a show ip route, you'll see in here I have 10.1.16.0/24; it's connected. Now if I do a show omp peers, what I'm doing is I'm actually sending routes from vEdge1 over to vSmart, right? That's what I'm doing here, I'm sending routes over to vSmart. If I go to vSmart and I log in and show omp peers, I should be learning two routes in, right? If I come up here and show omp routes, I should be learning, where is it, right here, 10.1.16.0/24. That's been learned, right?

Now what I need to do is, if I look at the show omp peers, you'll notice that I'm not sending those routes to anybody else. So let's go ahead and change that. Let's log into vEdge3 (I think I typed the password wrong; admin, admin). We're going to type in vpn 1, and I'm going to specify interface ge0/2 and an IP address of 10.3.13.3/24, no shut. And let me check on 13 real quick: show ip interface brief. Perfect. So now what I get to go do, actually let me do show interface gig 0/0.1, no, interface gig 0/0, ip address of 10.3.13.13/24; go ahead and save that real quick. So now what I'm going to do is, on vEdge3, I'm going to go ahead and commit that config. We'll give it a couple of seconds, right? Come down here, do a show omp peers, and you can see that I'm sending two routes and I've received two routes, right? So if I do that, we're going to go in here and say show omp routes, and if I come down here, I don't really like the way that it breaks it down, but you know, it is what it is. So I'm advertising 10.3.13 and I've also learned 10.1.16.

Now if I do a show ip route, you're going to see via OMP I'm learning 10.1.16 via both, twice actually, and you're like, why am I seeing it twice? Well, I'm learning it from two different TLOCs. What's a TLOC? A TLOC is a grouping of information to help determine where to send traffic. So a TLOC basically is a combination of the system IP, or basically the device that advertised the route to me, in this case here vEdge1; I'm learning it over the mpls color and the public-internet color; and the encapsulation for the communication between vEdge1 and vEdge3 is going to be IPsec. So it's going to be a site-to-site VPN, basically. And if you're not sure how to validate that, you can do a show ipsec outbound-connections, and we're going to have connections to 12.1; you can see that I've got that going out mpls and I've got another one going out public-internet. So I have two VPN sessions, essentially. So what that basically allows me to do is then, for any communication from ge0/2 on vEdge3, from R13 for example, so let's go over here and do show ip route. I do have a default gateway; let me go check on switch 16 and see if I have a default gateway: show ip route. I do not. Let me go ahead and create one: ip route to 10.1.16.1. Okay, so if I've done everything correctly, what you should see is I should be able to ping 10.3.13.13 and it should respond. It does. Now you'll notice that when it did that, it paused, right? So if we go back to vEdge3 and we do show ipsec outbound-connections, we don't add an additional connection, but what we start doing is we start sending traffic back and forth over the VPN tunnel. What's happening here is the communication is actually being encrypted as we send the traffic. So if we do a traceroute, the IP, and then the target is 10.3.13.13, source address we don't care, numeric display yes, and then do this, you're going to see it's going to leave; the next hop is 10.1.16.1, which is the inside interface of vEdge1 on ge0/2, and notice the next hop is 10.3.13.3, which is the inside interface of vEdge3. What you don't see is any tunnel; there are no intermediary hops, right? So it's not 10.1.16.1 to 10.101.whatever. There's no DMVPN here, there's no GRE tunnel here, there's no IPsec VPN VTI tunnel here, none of that exists. So it's straight up being punched over the transports from vEdge1 to vEdge3 and getting to where it's going to go.

Now if we jump back onto vEdge1 and we do a show ip route, I'll see 10.1.6, I'm sorry, 10.3.13 via both TLOCs, which means I have equal-cost multipathing to send the traffic across the wire. Fine by me, I don't care. Now if we were to take vEdge4, for example, let's go ahead and add him to the party: admin and admin, let's go to global config, vpn 1, and then we're typing interface ge0/2, ip address of 10.4.15.4/24, no-shut it and then commit, and then take a look at R15: show ip route. I have a default route in the routing table, all ready to go. If I go back to vEdge4 and I do a show omp peers, I should be learning four routes, I've sent two, right? So you might say, how is it sending two? I don't get how it's sending two. You've got two different egress points: you've got one going out mpls and one going out public-internet. Because you have two, you're sending the route twice, one on each TLOC. That's why you see that. So you have that in play. We're going to do a show ip route; we should have a couple more OMP routes, right? We have 10.1.16 and 10.3.13, which is what we want to have, and we have 10.4.15. So now if I wanted to go back to router 15 and I wanted to ping 10.4.15., I'm sorry, in this case it would be 10.1.16.16, I could do it, and if I wanted to ping 10.3.13.13 I could do that. So I have reachability over both connections, and they're both point-to-point tunnels, which means if I do a traceroute to 10.3.13.13 numerically, I leave my default gateway of vEdge4 and I'm piped immediately over to vEdge3, and then to router 13.

Now if I was to add an additional VRF, or a VPN tunnel, or, I'm sorry, just a VPN in general, it would propagate, right? But if I wanted to communicate from, say for example, let's focus on vEdge3 at the moment, if I wanted to go from router 13 on gig 0/2, I'm sorry, gig 0/0, if I wanted to send that traffic out to gig 0/2 on vEdge3 and have that traffic come back in on, or go back out, gig 0/3 and come in on gig 0/1 on router 13, it would not work, because it's a VRF, right? Two different routing tables. I'd have to allow traffic to go between the VPNs in order for that to work. I tested it out, it didn't work, not that big of a deal. But normally you wouldn't want communication going between VPNs anyway. It's when you're trying to allow access to, and I mean, you can, don't get me wrong, you can allow VRF integration between each VRF, or VPN that is; that is 100% possible, but there's usually a reason for it. There's usually something you need to reach on a different VPN and you allow routes from that particular VPN to be propagated into a different VPN; that's another separate table, that's VPN segmentation. We'll take a look at that in a future video. But basically this is what I have going on, right? Nothing crazy. But you'll also notice that for the connections that I have, I'm doing direct point-to-point, so I'm not trying to reach a loopback or a LAN segment on the routers behind the vEdges; I'm trying to reach the routers that are directly connected to the vEdge. So I'm just talking connected connectivity right now, and that's it.

So if I wanted to take this up a notch and start actually doing static routing, and use a static route on the vEdges to point to where the connections come in, could I do that? The answer is 100% yes, you can. Let's go ahead and take a look at doing that. So on vEdge1, I have a loopback address on switch 16; show ip interface brief, the loopback address is 10.1.0.16. So if I wanted to reach that, I go up to vEdge1, and if I wanted to ping it, 10.1.0.16, it's like, I don't have a route in the routing table for that, so I'm going to go ahead and drop it. So how do I fix that? Actually, I'm sorry, let me end that out; let's ping vpn 1 10.1.0.16. It says I don't know how to reach that. So what I can do is I go to global config and type in vpn 1, and I guess I have an ip route 10.1.0.0/24 via 10.1.16.16. Okay, I'm going to go ahead and commit that, and then if I look at the show omp peers, I've advertised another route, and if I look at vEdge3 and I do a show omp peers, I've learned more routes, and if I do a show ip route, I should see 10.1.0.0 coming through from router 1. Okay, awesome. So now if I go back to vEdge1 and I hit that up arrow again and try to do that ping, it'll respond, no problem, because now it knows how to reach it. Let's do the same thing on vEdge3: let's go to global config, vpn 1, ip route 10.3.130.0/24 via 10.3.13.13. If we look over here on vEdge1 and show ip route, we should see a 10.3.130 right there. So we know the routes are coming across the board, which is what we want to see. Now if I go to switch 16 and I try to ping 10.3.130.13, I can ping it; now I'm pinging off the 10.1.16.16. If I try to ping, let's hit the up arrow, and source it from loopback 0, I'll also be able to reach that, because I have static routes enabled on vEdge3 to get back to it. In other words, on vEdge3 I'm pointing a static route to get to the prefix of 10.3.130 going to the next hop of 10.3.13.13. And that's basically how that process comes into play.

That's some basic connected and static routing, not terribly complicated obviously, but it's one of those things where you really have to understand what's going on. So what's cool about this is I can scale this, right? I can scale this quite a bit, and I'm always going to have multiple egress points: I'm going to have MPLS, I'm going to have internet, and I'm going to be in great shape. So when it comes to stuff like that, this is where the power of SD-WAN comes into play, where I can quickly scale my network and I'm relying on a routing protocol to do it. I'm not going to have overhead with, well, there is IPsec overhead, but I'm not going to have overhead with DMVPN and GRE tunnels and EIGRP; I'm relying on one protocol, OMP, and then the IPsec data plane encryption that comes with it. So that's basically how that comes into play.

So beyond that, let's go ahead and get the rest of these devices up and running. Actually, you know what, I'm going to leave it where it's at, because I feel like that's a good spot for it, and what I'm going to do as we progress is I will take a look at getting the connectivity up and running with OSPF and dynamic routing, and we'll see exactly how that comes into play. So we went ahead and we got dynamic routing, or I should say we advertised connected routes, and we talked about how the VRF comes into play, because that's what we're basically doing: we created a VRF on the inside. Because if we were to look on vEdge1, right, and let's look at this, you can see that inside of VPN 0, if we do a show ip route vpn 0, what do we see? We only see the WAN-facing connections, right? That's all we see; we don't see anything else. If we do a show run vpn 1, we only see what routes we've learned via OMP. OMP is propagating traffic from router 3 and from router 4, and that's how we're learning these prefixes, and that's fine, that's exactly what we're looking to do, because at the end of the day that's what the SD-WAN solution is supposed to do: it's supposed to take routes from other locations and be able to send them to us securely via OMP so we can learn them. It's not being routed via OMP; OMP is just a control plane that allows the routes of one site to be advertised to another site, or multiple sites, and for them to learn it. But remember, the control plane isn't connected between the vEdges; it's vEdge to vSmart and then vSmart down to vEdge. So if we look at the vSmart and we look at the show omp peers, we're learning a number of routes, right? If we look here we see four received routes from 3, because that means that, again, for every prefix that we send, we're actually sending it out both transports, so therefore we're going to see duplicates of each route. And you'll notice that in here there is no "installed", right? Because all the vSmart is doing is hosting the control plane: it receives OMP updates in from the vEdges and simply redirects them, or reflects them, back down to the other vEdges that haven't received them. And that's what allows the power of this solution to come into play, the ability of propagating the routing information. So basically the vSmart is a gigantic BGP route reflector, and that's basically how it works.

So with that being said, we're in pretty good shape at this point. We can take a look at doing the OSPF and getting BGP working internally, but I do want to begin taking a look at flipping over to templates, because templates by themselves are really where the power of SD-WAN comes into play. So that's basically where we're going to be at this point in time. The static routes and the connected routes I can have working, and I can actually transition the current devices that we have working as it is right now; I can transition over to templates relatively easily. If I switch over to dynamic routing with OSPF or BGP, or add multicast or DHCP, VRRP, anything other than a NAT, that's going to require additional configuration steps, but we'll talk about those when we get there. So right now we're in good shape. I still have to get the connections for the switches up and running, I still have to get the ASA configured, and I'll show you guys how that works when it comes to doing internet breakout and providing NAT at the vEdges for local internet breakout and things like that. So until next time, guys, thanks so much for stopping by and hanging out with me in this video, and I'll talk to you guys in the next video.
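The CLI steps walked through in the captions above, collected into one place as an added example (this is not the author's own configuration or device output). The interface names, colors and addresses are the ones used in the video; the `ip route` syntax and the `show` commands are the standard vEdge (Viptela) CLI forms, and the IOS default route on router 13 is assumed to be what gives the LAN side a path back into the overlay. The comments also spell out the security-relevant checks a practitioner would want: that each service prefix is carried once per TLOC, that the data plane between sites is IPsec, and that VPN 0 (transport) and VPN 1 (service) never share routes unless leaking is deliberately configured.

```cisco
! ---- vEdge1, site 1: service VPN 1 (config mode) ----
! Assumption: ge0/2 faces switch 16 (10.1.16.16); 10.1.0.16 is a loopback behind it.
vpn 1
 interface ge0/2
  ip address 10.1.16.1/24
  no shutdown
 !
 ! Static route for the loopback behind switch 16. On a vEdge, OMP advertises
 ! connected and static service-VPN routes by default, so no extra
 ! "advertise" stanza is needed for this prefix to reach the other sites.
 ip route 10.1.0.0/24 10.1.16.16
!
commit

! ---- vEdge3, site 3: service VPN 1 (config mode) ----
! Assumption: ge0/2 faces router 13 (10.3.13.13); 10.3.130.0/24 sits behind it.
vpn 1
 interface ge0/2
  ip address 10.3.13.3/24
  no shutdown
 !
 ip route 10.3.130.0/24 10.3.13.13
!
commit

! ---- Verification on vEdge3 (operational mode) ----
! Every remote prefix should appear twice in the OMP table and in the VPN 1
! RIB: once per TLOC (mpls and public-internet), because vEdge1 originates
! it over both transports. Two next-hop TLOCs means ECMP across the overlay.
show omp peers
show omp routes vpn 1
show ip route vpn 1
! The data plane between the two sites is IPsec; expect one outbound SA per
! remote TLOC. BFD sessions ride inside those tunnels and are the liveness
! signal that OMP uses to keep or withdraw a TLOC path.
show ipsec outbound-connections
show bfd sessions
! Separation check: VPN 0 must contain only the transport-facing prefixes
! (the ge0/0 and ge0/1 subnets and their default routes). If any 10.x.x.0/24
! service prefix shows up here, a VPN-0 to VPN-1 leak has been configured
! somewhere and should be reviewed.
show ip route vpn 0

! ---- Router 13 (IOS) behind vEdge3 ----
! Assumption: a default route toward the vEdge service-side address, so
! return traffic from the LAN is handed to the overlay.
ip route 0.0.0.0 0.0.0.0 10.3.13.3
```

The same pattern applies to vEdge4 (ge0/2 at 10.4.15.4/24 facing router 15). Routes stay inside VPN 1 end to end; traffic from VPN 1 cannot reach VPN 0 or any other service VPN on the same vEdge unless an explicit inter-VPN route leak or control policy is added, which is exactly the behaviour the captions describe when the cross-VPN test between router 13's interfaces fails.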
Info
Channel: Rob Riker's Tech Channel
Views: 5,413
Keywords: cisco, sd-wan, sd, wan, service, vpn, connected, static, routes, network, omp, ipsec, bfd
Id: P1GMaRk4wDE
Length: 31min 21sec (1881 seconds)
Published: Mon Sep 21 2020