Cisco SD-WAN 009 - Service VPN1 Connected Routes via CLI and Templates

Captions
How's it going, everybody. In this video we're going to continue our service VPN portion of the SD-WAN course by focusing on getting service VPN 1 up and running. We already kind of did this in a previous video via the CLI, and then we converted everything over to templates and we didn't carry over the config, so right now all the communication between the vEdges is, well, down, right? So site one can't talk to site two, etc. So what we're going to do is we're going to rectify that. So I'm going to show you again via the CLI, because it's really simple, it's just a couple of commands. We're going to get all the connected interfaces up and running. We're going to do the connected interfaces via the CLI first, we're going to get that up and running and verify that it is being advertised via OMP to the vSmart controller, then we're going to flip over to the vManage and we're going to do it via templates. So we're going to create a VPN 1 template for all three of the different device site types: single, MPLS only, and then our dual connection, or dual site I should say. Once we get that all squared away we can then go ahead and propagate, push, call those feature templates from the device template and then push the device template down to the appropriate vEdges and get that all squared away. It's going to be getting the feature templates up and running, and then when we start binding those to the device templates, that's where the push is. So that'll be a staged approach; you won't be able to do everything in one fell swoop, because once you update or add a service VPN to a template that's already been pushed to a device, you have to push that update down to the device, and we'll do that on a device by device basis, I should say device template by device template basis. Once we do that we'll be in good shape.

So let's go ahead and take a look at the config here. So the syntax: I went ahead and I got rid of VPN 1 just so you guys can see what this looks like from an actual configuration standpoint. So just so everybody's clear, all gig 2 interfaces are going to be configured with this. So that means that (whoops, didn't mean to do that) all the gig 2 interfaces of every device are going to be enabled for VPN 1, and that's going to be where we start our process and then go from there. So the first thing we're going to do is via the CLI. Again, it's relatively easy: with a global config, type in vpn 1 to create the new VRF for the new VPN, and type in interface ge0/2, ip address of 10.1.16.1/24, no shut the interface, and then commit. Okay, it's going to go ahead and commit, take a couple seconds, and we're going to be in good shape. So now we're going to do a show omp peers to make sure that we're actually advertising two updates. So we're sending updates now.

Just so everybody's clear, the way that this works is you're going to have two different routes, so it's sending the same route twice. We're going to send one out the internet transport. So if I do a show ip route, you're going to be sending this route right here out the TLOC of internet and the TLOC of MPLS. Let me just draw this out real quick for you. Let me go ahead and minimize the screen. And so we're going to be sending this (move my mouse out of the way real quick). So the way this is going to work is we're going to take this prefix (oops, let me make this bigger), we're going to take this prefix right here, basically advertise all of this, and we're going to be sending an update out this way and an update out this way. And the reason why it's going to happen that way is because inside of VPN 0, being the transport, we have a tunnel created this way as well as this way, going out both transports. So we're going to send 10.1.16 (let me switch over to a different color, that's a little too hard to read), we're going to say 10.1.16.0/24 this way and 10.1.16.0/24 this way. This way here the vSmart controller will learn it both ways and then he will propagate that information down to the vSmart, or the other vEdges in the network, appropriately, and then they'll know how to reach the 10.1.16 both ways, one via MPLS, one via INET, to the TLOC IP of 10.12.0.1 and 10.12.0.1, and they'll both be the IPsec encapsulation. And this, ladies and gentlemen, right here, this little breakout right here at the bottom of your screen, these are your transport locators. This is how the SD-WAN fabric is going to determine where to send traffic. The edges will always point to the IP address, or the system IP, of the remote vEdge that advertised the route, and how to get there. So we know how to get there through the TLOC and we're in good shape there. So that's pretty much where that comes into play. So that's basically what's happening here.

Let's go ahead and go back to the vManage and let's focus on getting vManage squared away. So what we're going to do is we're going to start off in templates. So underneath Configuration, Templates, click on Feature Templates. We need to create three new templates. The first one we're going to do is we're going to say vEdge Cloud, VPN, and I'm going to say vEdge underscore us... we'll say in this case your single site VPN 1 template, and we're going to copy and paste that here. We're going to say VPN 1, and right now that's really all we have to do, there's nothing more to it than that, and we're going to simply advertise the routes that we have associated to us. So if I wanted to do static routing I would come underneath here and I would create a static route, and we'll do that later on. And as far as I'm concerned everything else we're good to go. I'm going to go and click on Save. So now we've created that template. So I'm going to go ahead and come down here to VPN single site right here, I'm going to go ahead and I'm going to copy that, and I'll say this will be a dual site. There we go, dual site VPN 1 template, copy that, and I don't need to do anything else to it, right? Nothing else is necessary for this to happen. So again, this is the VPN 1 interface. So let's go ahead and organize those: so dual site VPN 1 template. Let me go ahead and create one more copy. This will be MPLS only, and then copy and paste that, like so.

All right, so now that we've got the VPN template, now we need to add a VPN interface. So we're going to go Add Template, vEdge Cloud, and then this time it's going to be VPN Interface. We're going to go in here, type in vedge single site vpn 1 int, and then underscore g0/2 template, and copy and paste that. You can use whatever naming structure you want to have, but in this case here this is what I'm going to be using. I'm going to go down to here and say global, no shut it, the interface name is going to be ge0/2. I'm going to come down to the static IP address, I'm going to come down here and say it's going to be device specific. So VPN, underneath here real quick, vpn1 g0-2, like so. So we know what the IP address is going to be, and if we wanted to add any additional capabilities we could. We'll come back and we'll do VRRP at a later point in time, and so on and so forth. If you want to do ACLs, this is how you would actually tie an ACL that you created to the interface, and things like that. So we're going to go ahead and click on Save for that. I'm going to go ahead and organize this. So we're going to grab single site VPN 1 interface gig 0/2, I'm going to grab this, I'm going to copy it as well, so I'm going to say this will be a dual site, copy and paste that. And now that we've got that in play, let's go ahead and just double check the config, because you never want to assume that you're right all the time; always verify what's going on. So it should be the same thing, because we're not changing anything interesting on it; everything should be the same across the board. So everything looks good there. I'm going to go ahead and say update that, even though we didn't do anything. The next thing I'm going to do is create... grab that one more time, VPN ge0/2, or is it right there. And then I'll create one for vEdge Cloud, or for the MPLS only one. So I'm going to copy that one more time and this time it's going to be MPLS only, copy and paste that. Look, there we go. So MPLS only VPN 1 interface ge0/2 template, there we go, cool. So now we have that in play.

Now what do we get to go do now? So again, now we have the VPN 1 template created and we also have the VPN 1 interface template created for all three of the different sites. So I'm going to go to Device and I'm going to go underneath... I'll do the single device one first. I'm going to go ahead and Edit, and then what I need to do is come underneath here to Service VPN. This is where, if you want to add internal connectivity, this is how you would do that. So the number of... select number of service VPNs to create. I'm going to go ahead and click the plus button to get it to add, I'm going to choose the VPN that I want to use, so it's going to be single site VPN 1 template. I'm going to add a VPN interface, so I'm going to come underneath here, choose, and it's going to be a single site interface ge0/2 template. That's all I'm going to be throwing at this. I'm going to go ahead and click on Update. Now what's going to end up happening is it's going to automatically push this update. Okay, so we're going to have to go underneath here and edit the device template, and all we really have to do is add the IPv4 address of these sites. So in this case here we have 10.3; we're on vEdge3, so it's going to be 10.3.13.3/24, and we're going to click on Update. And then do the same thing here, Edit Device Template, down here it's going to be 10.4.15.4/24. Click on Update and then click on Next. So if you click on here on the left-hand side of the screen, and once it loads up we should be able to see the config preview, which is what we're actually going to look like. We're going to do a config diff. So Config Diff, we're going to scroll down to here and you'll see vpn 1 gets created, interface ge0/2 is enabled, and then we give it an IP address and we say no shutdown. Okay, I'm going to go ahead and Configure Devices. I'm going to push the update down to both devices, and then here momentarily when we look at vEdge3, and log in here, and vEdge4 respectively, we're going to do a... once the process is done pushing. This will take a couple seconds to do, but once it's done pushing... I'll go ahead and pause while this is happening.

All right, the push was done correctly. So if we come over here to vEdge4 and we do a show run vpn 1, we should have vpn 1 added, which we do, and if we do a show ip route we should have VPN 1 routes in the routing table. So what we have is we have 10.1.16 via 10.12.0.1 and we have 10.3.13 via 10.3.0.1, so we have it being advertised twice. So if we come over here to vSmart and we log into vSmart and we do a show omp peers, we should see we're receiving two routes from three, four, and one respectively, and we're pushing four out. And the reason why we're pushing four out is because we have two peers we're sending the updates to. So for every single prefix that you advertise out two different TLOCs, the vSmart is going to receive two updates in from the update. So this is what's received in from the local site and this is what's sent out to the remote sites. So for every single prefix that you send with two TLOCs that it's reachable via, you're going to be sending double the updates. So we go back to vEdge3, you can see that show ip route, we look at this, we're going to see that we're receiving 10.1.16 twice. So the vSmart is sending four updates to three and four for the route learned from vEdge1, and then vEdge1 is receiving four updates for the routes received from three and four, and that's basically how this works. So that's really, at the end of the day, that's the real win here: we just had to basically enable the template and the route propagation happened for us.

So let's go ahead and finish up this config. Let's go back to our templates, let's click on Device. So let's click on dual site, we're going to go ahead and click on Edit this, and again it's the same process as before. Click on Service VPN, we're going to go ahead and add a service VPN, a single service VPN, from down here we're going to say dual site, and then we're going to add a VPN interface, we're going to say dual site (they're not organized, are they? There it is) ge0/2, and click on Update. Give that a couple seconds to do its thing, and then we're going to go... So in here I could either click on the Edit Device Template here, or I can simply populate the details right here, and because it's going to be associated to this guy right here, I'm going to go ahead and 10.2.16, so I'm going to double click in here and type in 10.2.16.2/24. Click on Next, can look at the config diff before we send the updates out, and give that a couple seconds to do its thing. Config Diff, scroll down here, and then we'll see 10.2.16.2. Go ahead and Configure Devices, and it's going to go ahead and we're going to push that config down here as we go. I'm going to pause until this is complete.

Okay, so now that that's been completed, if I hit the up arrow on this guy we should see some more additional information. So 10.2 is now advertising two updates, one prefix but from two different TLOCs, and we're now advertising six, because now we have three remote sites: we have three, four, and one. So now if I go over to vEdge1 and I do a show ip route, you notice that I'm not receiving 10.2.16, and you may be like, well, why are you not receiving 10.2.16? The simple answer is because we're coming from the same site. So for those of you that are familiar with the BGP AS path loop prevention mechanism, where if you've got a route being propagated from, say, AS 100 and then received by AS 100, it's going to drop the update because of the fact that it's the same AS number. So this is a very common scenario in large scale BGP route reflection where you need to either turn off... do allowas-in, or have the provider override the AS path. But there are ways of overriding it; I haven't actually tested it yet, but we don't really need to, right? We don't want to ever go out to the internet, or over the SD-WAN fabric, to come back in the SD-WAN fabric at the same site. That doesn't make any sense. So it's kind of... it's a loop prevention mechanism, that's why we don't see that. So let's go ahead and take a look at vEdge3 though. If we hit the up arrow, we look at show ip route, we'll see 10.2.16 sitting in here with two different TLOCs, right there. We have it, so we know that it's working that way.

Let's go ahead and finish the configuration off by doing MPLS only. So we're going to go ahead in here and we're going to Edit, we're going to add the service VPN, add it, and then we're going to call MPLS only, and then we're going to add a VPN interface and we're going to say MPLS only ge0/2. There we go, Update, and then we're going to push the config out after we go ahead and do the IP addressing. So 10.4... 10.5.14. So underneath here it's going to be 10.5.14.5/24, and then Next. Okay, so there we have that. Do a quick config diff and see what the differences look like. It's going to be the same as we've seen, but the reality of it is, ladies and gentlemen, that as many times as you've seen it, it's always good to just verify that it's going to be doing what you expect it to do, rather than assuming it's going to do what you expect it to do, and then it doesn't work and you're like, hmm, okay, yeah, that's not cool, right? So we see that it's pushing that. We're going to go and Configure Devices, we're going to go ahead and update that, let it do its push. I'm going to pause until it's done and I'll bring you guys back in here in just a moment.

Okay, well, the config looks good. Let's go ahead back to vSmart and hit the up arrow, and guess what, now we have... it's getting a little interesting now, because remember that vEdge5 only has one TLOC, for MPLS. So if we look back here we can see we're receiving routes from everybody. So we received one route from 10.5.0.1, so we receive 10.5.14.0/24 in from vEdge5, and then we're going to propagate that down to site 3, site 4, and site 12. So if I go to vEdge1 and I hit the up arrow and I do vpn 1 specifically, I'm going to see 10.5.14, and you can see that MPLS is the only TLOC that it has. There you go. So everything has now been propagated and everything is good to go. So at this point in time I've accomplished everything that I want to accomplish in terms of getting at least basic routing, connected propagation I should say, squared away. Now, because we're 20 minutes in, I'm going to go ahead and stop this video, because I don't want it to be... I don't like really long videos, so keep it as short as I can, right? Get the content out as quick, be as concise as I can be. So what I'm going to do in the next video is we're going to focus on static routing on each one of the sites; we're going to point to the loopback address.

Actually, you know what, I didn't test anything. You guys are like, you know, it's great that you're advertising routes, Rob, but is anything actually working? You know what, that's a great question; I'll answer that question for you. So on router 15, if we look in here to a show ip route, we should have a default pointing towards 10.5... 10.4.15.4. So if I was to ping 10.5.14.14... gave that a couple seconds to work, and I might have to double check the route. Let's see here. Oh, that's because I show ip route and there's no default route. So let's go create a default route on router 14. So ip route to 10.5.14.5. Okay, so let's go ahead and save that config real quick, go back to five, hit the up arrow, and you can see there, it works now. If I was to do a traceroute to 10.5.14.14 numerically, right, and I don't want to source off a loopback address because I don't have any; the routing is not set up for that yet. And I do a numeric, you see that I go... I hit my default gateway, so I hit vEdge4, and then I immediately get dropped on 10.5.14.5, which is vEdge5. You're like, where's your tunnel interface? That's what I thought initially when I started diving into this. I was so accustomed to seeing a tunnel subnet in the output and then being able to verify the IPsec VPN connectivity, because, like, for example, for someone like myself that comes from the traditional WAN background, we're doing DMVPN, FlexVPN, MPLS VPN, where most of my career was WAN focused, right? Maybe some of you are more LAN focused, but I was more WAN focused. When you see that type of stuff you're expecting to see the tunnel subnet, so the GRE tunnel for example, or the IPsec IPv4 tunnel, show up in your traceroute, right? And I didn't see that. That was hard for someone like myself that's accustomed to seeing that to get over the fact that in a traditional LAN solution you're having to set up manually all the crypto, right? You set up the DMVPN, you set up the routing, you set up the IPsec; all that type of stuff has to be set up from the ground zero. For those of you that are studying for your Enterprise Infrastructure CCIEs, that was probably a two or three hour time frame of my route switch lab, getting all that working. So the fact of the matter is, with SD-WAN you don't have to do any of that, right? It's automatic, 100% automatic. So as long as everybody can talk to everybody else, VPN sessions come up on their own; you don't have to do anything. You're just focused on more of the end-to-end connectivity, which now we have.

So let's go ahead and verify a little bit more of the end-to-end connectivity. So let's go ahead and do a ping to... let's ping 10.3.13.13. Give that a couple seconds; I wonder if 13's got it. And we do a traceroute to 10.3.13.13 numerically. Guess what, we can reach that all day long as well. Let's go ahead and do a ping to 10.1.16.16. That works, and let's do a trace to that as well. There it goes. So we have reachability across the board, and if we do one more, we'll do this, 2.16, that should also work. That does, and if we come back in here and do a trace numerically to it, we should be able to get across the board. So, ladies and gentlemen, we do have spoke to spoke communication. So what that means, for all of you that are maybe just learning SD-WAN, it's a full mesh, any-to-any communication, right? If you don't want it to be like that... so right now, DMVPN phase three, for all of you folks out there that have been studying DMVPN. I forget the actual term for FlexVPN, it's spoke to spoke, but there's some additional things you have to go through with that. The point being is it's phase three out of the gate with SD-WAN. If you want it to not be... SD-WAN, part of the noise in the background... if you don't want it to be phase three, you need to enable hub and spoke to go either phase one or phase two. There technically is no phase two, but we'll talk about how you can kind of make it a pseudo phase two, but it's phase one, meaning it's spoke to hub and hub to spoke but no spoke to spoke communication. So we'll talk about that in an upcoming video when we get into the policies. All right, now, yeah, where we are is what it is. So that being said, I want to thank you guys for hanging out with me in this video. Until next time, guys, take it easy.
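The two things the video verifies by eye, that every VPN 1 prefix shows up once per TLOC in show ip route and that the received/sent counters in show omp peers equal prefixes times TLOCs, can be checked mechanically. The script below is an added example written for this page, not Rob's code and not any Cisco tooling. The show ip route listing it parses is a constructed approximation of the vEdge table as seen from vEdge3 after all five devices are pushed (column names, spacing and the biz-internet color are assumptions; adapt the field list to your platform's real output), and the topology table is built from the sites named in the video: vEdge1 and vEdge2 sharing site 12, vEdge5 MPLS only.

```python
"""Audit OMP transport redundancy and expected OMP update counts.

Added example for the routing behaviour walked through in the video; not the
author's code or Cisco tooling. SAMPLE_SHOW_IP_ROUTE is a CONSTRUCTED
approximation of a vEdge 'show ip route' table (columns are an assumption).
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed: what vEdge3 (site 3) might list once all five sites are pushed.
SAMPLE_SHOW_IP_ROUTE = """\
VPN  PREFIX          PROTOCOL   NEXTHOP-IF  NEXTHOP-ADDR  TLOC-IP     COLOR         ENCAP  STATUS
1    10.3.13.0/24    connected  ge0/2       -             -           -             -      F,S
1    10.1.16.0/24    omp        -           -             10.12.0.1   mpls          ipsec  F,S
1    10.1.16.0/24    omp        -           -             10.12.0.1   biz-internet  ipsec  F,S
1    10.2.16.0/24    omp        -           -             10.12.0.2   mpls          ipsec  F,S
1    10.2.16.0/24    omp        -           -             10.12.0.2   biz-internet  ipsec  F,S
1    10.4.15.0/24    omp        -           -             10.4.0.1    mpls          ipsec  F,S
1    10.4.15.0/24    omp        -           -             10.4.0.1    biz-internet  ipsec  F,S
1    10.5.14.0/24    omp        -           -             10.5.0.1    mpls          ipsec  F,S
"""

FIELDS = ("vpn", "prefix", "protocol", "nexthop_if", "nexthop_addr",
          "tloc_ip", "color", "encap", "status")


def parse_show_ip_route(text):
    """Turn the table into a list of dicts; header and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or not parts[0].isdigit():
            continue
        routes.append(dict(zip(FIELDS, parts)))
    return routes


def omp_transports(routes, vpn="1"):
    """Map each OMP-learned prefix in the VPN to the set of TLOC colors it is reachable over."""
    colors = defaultdict(set)
    for r in routes:
        if r["vpn"] == vpn and r["protocol"] == "omp":
            colors[r["prefix"]].add(r["color"])
    return dict(colors)


def single_transport_prefixes(routes, vpn="1"):
    """Prefixes reachable over only one TLOC, i.e. with no transport redundancy."""
    return sorted(p for p, c in omp_transports(routes, vpn).items() if len(c) == 1)


@dataclass(frozen=True)
class Device:
    name: str
    site: int
    tlocs: int         # transports in VPN 0 (2 = dual, 1 = MPLS only)
    prefixes: int = 1  # service-VPN prefixes the device originates


# Constructed from the video's topology: vEdge1/vEdge2 share site 12, vEdge5 is MPLS only.
TOPOLOGY = (
    Device("vEdge1", 12, 2), Device("vEdge2", 12, 2), Device("vEdge3", 3, 2),
    Device("vEdge4", 4, 2), Device("vEdge5", 5, 1),
)


def expected_omp_peer_counts(devices, peer_name):
    """(received, sent) the vSmart should show for one peer in 'show omp peers'.

    Each prefix is advertised once per TLOC, so the vSmart receives
    prefixes*tlocs from the peer and reflects every other device's
    advertisements back to it, same-site ones included (the receiving vEdge
    is what drops those, as the video shows on vEdge1).
    """
    peer = next(d for d in devices if d.name == peer_name)
    received = peer.prefixes * peer.tlocs
    sent = sum(d.prefixes * d.tlocs for d in devices if d.name != peer_name)
    return received, sent


def expected_installed_omp_routes(devices, name):
    """OMP routes a vEdge installs: everything sent to it minus same-site routes."""
    me = next(d for d in devices if d.name == name)
    return sum(d.prefixes * d.tlocs for d in devices if d.site != me.site)


if __name__ == "__main__":
    routes = parse_show_ip_route(SAMPLE_SHOW_IP_ROUTE)
    for prefix, colors in sorted(omp_transports(routes).items()):
        print(f"{prefix:16} via {', '.join(sorted(colors))}")
    print("single-transport prefixes:", single_transport_prefixes(routes))
    for d in TOPOLOGY:
        rx, tx = expected_omp_peer_counts(TOPOLOGY, d.name)
        installed = expected_installed_omp_routes(TOPOLOGY, d.name)
        print(f"{d.name}: vSmart rx={rx} tx={tx}, installs {installed} OMP routes")
```

Run against a real box, paste the output of show ip route into the parser and compare the installed OMP route count with the number the topology predicts; a shortfall means a TLOC is missing or a prefix was never advertised, and the single-transport list is where a failed transport would take a site offline.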
Info
Channel: Rob Riker's Tech Channel
Views: 2,414
Keywords: cisco, sd-wan, sd, wan, software defined wide area network, service, network, vpn, vrf, omp, viptela, cli, template
Id: _xSN6v7k1s4
Length: 26min 0sec (1560 seconds)
Published: Thu Sep 24 2020