Cisco SD-WAN 015 - Service VPN1 OSPF Network Types, Authentication via CLI and Templates

Captions
How's it going, everybody? In this video we're going to be focusing on some just minor enhancements to OSPF, for things like the network type and for authentication, from both a CLI and a vManage template basis. And you might ask, well, why does this really even matter? Well, it's not specific to vManage or CLI or SD-WAN in general; it's more or less how would you do it through vManage and through the CLI, just so you know how, but also just so you're aware of some of the enhancements to it. Because just knowing the basics, like if you have a CCNA level of understanding of OSPF, so you know what OSPF does, you've got a basic understanding of how the neighbor discovery process works, how the link state databases are exchanged, and then how SPF runs, and how to enable OSPF on a particular interface, those are all great basic understandings. But if you want to take that a little bit to the next level, maybe start diving a little bit into your CCNP-level training, that's basically what this is going to be for.

So the configuration on the CLI will go pretty quick, obviously, because the commands are simple to type in. The feature template development is going to take a little bit longer to get working, simply for the fact that it's through a GUI; we have to wait for it to get pushed and those things. So what I'm going to do is I'm going to walk you guys through just the basics of the reason why we would change the network type and the reason why we would enable authentication.

So let me pull up the command line and let's take a look at the switch, because the IOS OSPF database is a little easier to read. So we're going to do show ip ospf database, and what you're going to see in here, for this section right here (not this section up here, we're not looking at this, and we're not looking down here; we're looking right here), which is the Net Link States: these, ladies and gentlemen, are your type 2 LSAs. What are type 2 LSAs? Those are the designated router LSAs. So if you were to look at these outputs and see what's going on, what you're going to see are the devices that are connected on a particular link and who's in charge of controlling the routing updates.

So what does the designated router do? Well, at a high level, what it basically does is, instead of you having a scenario where you have three, four, five, six routers connected to the same LAN segment, instead of everybody going out and trying to exchange routing information with everybody else, kind of a full mesh type of design, there's an election process, or a delegation, of who's going to do that, and that's called a designated router. So for those of you that like to go out and do a little bit of drinking at night, you've probably heard of a designated driver: the designated driver doesn't drink, right? So they're sober to drive. Well, here it's kind of the same, similar concept, where you have a dedicated device that is going to handle all of the routing updates for a particular LAN segment. A router can be a designated router for multiple physical LAN segments, or it could just be one for one LAN segment; it really depends on how many physical links you have. But in this case here, switch 16 has a higher IP address. So if we were to look at these details and look at the Net Link States, the network, and look at this, this is the designated router output. So let me go ahead and show this a little bit more. What you're going to get is, you're going to see on the connection 10.1.16 (right, so this is the connection to Edge 1), you're going to see that we have two devices: the attached routers are vEdge 1 and switch 16. For the connection to the ASA, we have the ASA and we have the switch. For the connection to vEdge 2, we have Edge 2 and we have switch 16. And for the connection to router 5, we have router 5.

Now what's cool about this is it tells you who the DR is. It says right here 10.5.16.16 is the designated router, which means switch 16, for the connection down to the router 5 connection, happens to be the designated router. For the case where we're dealing with the connection to vEdge 2, vEdge 2 happens to be the designated router. Okay, we come up a little bit higher: for the connection to the ASA, who's the designated router? Switch 16 is, because his IP address, the advertising router, is this guy. If we come up a little bit higher, we can see that in this case here Edge 1 happens to be the designated router for the connection to vEdge 1. So as you can see, when you run into situations like that, if you're going to run the broadcast mode, which assumes that you're going to be connecting to more than one potential OSPF peer over the same physical connection, so if you're in the same subnet, right, 10.1.1.0/24, you could have potentially 250 OSPF adjacencies, you know, one to every device in that VLAN. And realistically speaking, that's not going to happen, right? But the potential is there if we wanted to create it.

Now in this case here, if we did not want to deal with the type 2 LSA... let's say for instance one side is a type 2 LSA, the other side doesn't advertise type 2 LSAs. So what happens if you don't advertise a type 2 LSA? Well, that means that your network type is not going to be broadcast or NBMA on the Cisco router side, and as far as I know, I don't think the vEdges support non-broadcast multi-access, but non-broadcast multi-access and broadcast are the same: you use the same LSAs, so type 2 is an option. In this case here we want to flip it over so we're not using the mode of broadcast, so we're not going to use a type 2 LSA, we're not going to be relying on a designated router. To fix this, it's actually really, really easy. If we were to go to switch 6, sorry, switch 16, and type in interface gig 0/0 and type in ip ospf network type, we have a couple of options. Right now, by default, we are broadcast; that's what it is by default. We have non-broadcast, right; non-broadcast means that you're not going to be sending this traffic over a broadcast-enabled network, so for example Frame Relay would be a very popular solution for that, when broadcast wasn't enabled for Frame Relay networks. Non-broadcast means you're going to have to define who you're going to peer with through the neighbor statement. We're not going to get into any of that right now, but in case you were wondering, that's how that would work. Then you have point-to-point and point-to-multipoint. So there's also another one out here, point-to-multipoint and then non-broadcast, but we're not going to talk about that either. We're going to simply create point-to-point, so this is going to eliminate the type 2 LSA.

Okay, so I'm going to go ahead and type that command in, and that's going to cause the adjacency to go down, and on some boxes it'll bring it back up, right? So we can see that right here: it says the network type mismatch, indicating a potential network type mismatch. So what's happening here essentially is the Cisco router or Cisco switch side, the connection between switch 16 and vEdge 1, on the switch 16 side is the network type of point-to-point, but on the vEdge 1 side it's still broadcast. So to fix this we're going to go over to vEdge 1. I'm going to log in real quick, hopefully I type that in right. Apparently not. admin admin again, of course it would, admin admin. There we go. So we're going to go to global config, vpn 1, router ospf, area 0, interface ge0/2, and then underneath here we're going to specify network and point-to-point, right? So we're going to hit the enter key and commit that change. Okay, so now if we go back to switch 16 we can see that it went to full. Whoops, I did not mean to do that. Let's pull up the CLI again. We can see that it went to full again.

Now in situations where you have a network type mismatch, so one type is advertising a DR LSA, the other side is not, what ended up happening is the adjacency will still come up, as you saw, and the database exchange will still happen. However, when they go to check on what's being exchanged between one device and the other, if one device is propagating DR LSAs and the other side is not, there's going to be a mismatch in the type of LSAs that have been exchanged: one side will have one, one side won't have what that other side has, and SPF will not run. SPF will stop at that point and go, well, we're not synced up, and that's where that network type mismatch error occurs, and you have to fix that. So be cognizant of those details when you start playing around with this stuff; make sure that you have everything dialed in the way it needs to be if you're not going to use the broadcast mode.

So I'm going to go ahead and do the same thing on interface gig 0/1. So interface g0/1, I'm going to go ahead and hit the up arrow and do this, and you can see that now this has been affected. Now it's going to go down, they're going to go through the process; I'm not running the debugs, but if there were debugs running you would see that the database exchange was happening, and now we go back to loading, full. Now to fix this I'm going to pull up vManage, I'm going to go ahead and log in, get rid of this little piece right here, and then I'm going to update the template for that. So under Templates, underneath Feature Templates, I'm going to go grab the dual site VPN template for VPN 1, right there. I'm going to edit that, and then underneath the area I'm going to edit this for the interface, and then underneath the interface I'm going to click on the advanced options, and then underneath here, for the network type, I'm going to change this to be device specific, and it's going to be... I mean, you could set it to global and be point-to-point if you wanted to, but in this case here, you know, I'll just go ahead and do it there so we don't have to mess with it down the road. I'm going to go ahead and save the changes, and then save the changes again, and then update. And then as soon as I do that, I'm going to go ahead and see the edit device template. We can see that since it's global it's not going to show up here. We're going to click on next, and then click on this guy right here to see the updates, and you'll see that the propagation will work as we've described, so it'll just change the network to be point-to-point. Give that a couple seconds to show up the config diff. We'll go underneath here and you can see the network point-to-point. So we're going to go ahead and configure devices, and we'll wait just a moment for it to do its thing and push its update out. That'll be a pretty quick update because we're not updating a whole lot. I'll go ahead and pause until it's done.

Okay, so the update is done, so we can see that hopefully everything is squared away now, and it went down and came back up again. And if we do show ip route we should be receiving routes; that just came in a couple seconds ago, so we are getting the right type of stuff. So now if we do a show ip ospf database again, you'll notice that the type 2 LSAs... so remember the summary, let's scroll up here a little bit. You'll notice that the Net Link States, these guys right here, they're minimized, right? So if we come down here and we hit the up arrow, the OSPF database network, right, they're still... that's weird, why is that showing up that way? Oh, I'm sorry, I see, I made a mistake, I was reading that wrong. They're still here, but they're here for the connections to the ASA; this is the ASA's connection, and this is down to router 5. So we're still using the mode of broadcast on those interfaces, but the connections down to the vEdges have gone away, because we're no longer using the type 2 LSA. So it cleans up the OSPF database and it makes the OSPF database not work as hard. So just keep those things in mind.

Okay, so the next one I'm going to show you is going to be authentication, so type 1 authentication, or clear text. So we'll do this on here real quick, and what I'm going to do is I'm going to show you how to do vEdge 1, I'm going to show you guys how to do... I'll do type 1 on both first, and then I'll flip it over to type 2 on both, so you guys can see how it works on both, because I want you to see the CLI and through the config of the template. So in this case here we're going to go look at interface g0/0, so our adjacency towards these guys is going to go down. So I'm going to type in ip ospf, and then the command is going to be authentication, and I'm going to hit the enter key, and then I'm going to come back here, authentication-key, and it's going to be cisco123, for example. Okay, so that's going to enable authentication at the interface level. If we do show ip ospf interface g0/0, it's going to say simple password authentication is enabled. Okay, so now I'm going to do the same thing, so do show run interface gig 0/0. Our OSPF adjacency will eventually go down. So I'm going to grab these couple lines, interface g0/1, I'm going to go ahead and paste those commands in there. I'm going to go back to Edge 1 and underneath this interface I'm going to specify authentication, and it's going to be type, and it's going to be simple, and I'm going to come back here; the authentication key will be cisco123. So if we do a quick show config, fairly simple configuration, right? I'm going to go ahead and I'm going to commit that config, and on switch 16 we can see that the adjacency went down, and then as soon as that commit pushes we should be able to get the authentication back up, and we're in good shape. So that's how you do it with the CLI, fairly, really, really simple, right?

But we can see the connection going to vEdge 2 is down now, so to fix that we're going to go click on vManage, go back to Templates, underneath the dual site, I'm sorry, Feature Templates, I'm going to go to here, OSPF template, I'm going to edit that. I'm going to go down to area, and I'm going to edit this underneath interface, and I'm going to expand advanced options. I'm going to come down here to authentication type; I'm going to say, in this case here, we'll say device specific, and the authentication key for this guy is going to be like that, so that's going to be device specific. So we're going to populate that information, so we're good to go there. All right, so we've got those changes in place, so let's just recap real quick what we're doing: we're enabling authentication of the simple type, and we're going to be sending the key of cisco123. So I'm going to save changes, save changes again, and then what I'm going to go do is update, and give that a couple seconds to do its thing. I'm going to come in here, I'm going to edit the device template, and down here at the bottom we're going to see the authentication type; we're going to choose simple, and for the key we're going to type in cisco123. Okay, that's the key. It's clear text authentication, so in other words, if you were to Wireshark capture this, you would see the authentication mechanism going back and forth, because it's clear text. That's why it's type 1 authentication. Obviously not very strong, so don't use type 1 authentication, but I'm showing it to you only for the fact that if you get tested on it, you know, and they say what's there between type 1 and type 2, or clear text and whatever, now you're going to know. So I'm going to click on update and then click on next, I'll grab the device real quick, and we'll wait for the config diff to pop up. All right, the config diff shows us that we're going to be doing the exact same thing we did on vEdge 1: authentication type simple, authentication key cisco123. I'm going to go ahead and configure devices, we'll go ahead and push that config down, and I'll bring you guys back in when we're good to go. Okay, so we should be just about there. I wanted it to be live for you when it came up, so you should have caught that, that it's good to go there. We have the success, so we know we're squared away, that we have authentication type of cisco going, we're good to go there. And that simple type, that's clear text, yeah, type 1 authentication, which is clear text for Cisco.

All right, so the next type of authentication we're going to take a look at is going to be MD5. So again we're going to start on the Cisco side, and then we'll configure this to be under the vEdge side so you can see what that looks like. I'm going to change the mode, and I'm not going to take it off and put it back on, so we're going to do that real quick. So we're going to do interface gig 0/0 first and type in ip ospf authentication. Authentication here is a little bit different: authentication, we're going to say message-digest, and then underneath here we back up a couple, and then we remove authentication completely, and then we type in message-digest-key, we give it a key ID, we'll say key 1, and then it's going to use the md5 algorithm, and then we're going to specify cisco123, and that's our configuration. So do show run interface gig 0/0, we can see, and we're going to actually remove this one here because it's got both of them here. So we're going to remove this guy, which is clear text; we're going to remove him because we're no longer using it. This is the command you would use to implement just clear text authentication; when you want to use MD5 you add this command in. So there we have that. So do show ip ospf interface g0/0, we're going to see now we're using cryptographic authentication, enabled, youngest key is ID 1. So they both have to use key ID 1. So, for example, where that comes into play with the different keys is if you're using a key chain and you wanted to use rotation to swap between keys to keep your authentication strong. Never worked with it in production, but it is something I've tested out. It's not very difficult to understand, but you'd have to create a key chain first and then attach the key chain to the key configuration underneath the interface, and then apply that. Not that difficult, but it's something you would probably want to play with. But right now we're just going to keep it pretty simple with MD5 authentication.

So the next thing I'm going to do is on the vEdge 1 side: I'm going to go underneath here, I'm going to type in no authentication type simple and no authentication-key cisco123. I wish they would have done a little bit something different with the syntax, but you know, it is what it is. I'm going to go ahead and commit that real quick, and I'm going to type in authentication is going to be message-digest, and then message-digest-key, key ID 1, and then md5, and then the password, which will be cisco123. But then you also have to do authentication type, and it's going to be message-digest. And message-digest, well, I guess you could type it all on one command from the looks of it; I don't think I've ever done that. So let's do a show config, make sure, yep, and then we're going to commit that config, and that should bring our connection to switch 16 back up. There it goes, so we're good to go; that's how you do message digest authentication there.

So now let's go do the same thing on gig 0/1. So I'm going to go to interface gig 0/1 and I'm going to do show run interface gig 0/1, I'm going to go ahead and get rid of the config real quick, and there we have it. And I'm going to go ahead and basically copy and paste these two lines of config in, like so. And then I'm going to go back to here, I'm going to go Templates, I'm going to go dual site only, I'm going to edit this, I'm sorry, Feature Template, not Device Template; grab a feature template. I'm going to grab the OSPF one because it does tell you the type right there. I'm going to edit this, under area, and then edit, hit the little pencil underneath the interface, and under advanced options we're going to keep the type here, but we're going to remove the key; we're going to set this to default. And then underneath here, the key ID, we're going to set the device-specific message digest key, and I'm going to put at the end here "key id", and then I'm going to put underneath here device specific, because then the device says "ospf md5"; we'll go with that because that makes it easier to understand. I'm going to click on save changes. So just to recap: authentication type, this will be MD5, right; then the key ID, we need to specify that, which will be key ID 1; and then the actual message, the OSPF MD5 key. So actually let me stretch this out just a little bit so we have a little more room to work with. Come underneath here, and then underneath the key, MD5, we'll type in "key", not "the key", so this will make it easier to understand: MD5 key versus the key ID. Or should I use... yeah, that'll work, I'll know what to type in. And then we're going to go ahead and say save changes, save changes again, click on update, and then after it goes ahead to this point we're going to go ahead and edit the device template. We'll switch this to the message digest, the key ID will be 1, and the message, the message itself, the key will be cisco123, and you can see that it stars it all out. Click on update, next, and then configure devices. We'll do a quick push on that and we'll bring you guys back here in just a second. All right, so I wanted to bring you guys back in before it went live, and there you go, now we're good to go. Sometimes the template shows that it's not ready but in reality it really is. So there we have it. So we do show ip ospf interface g0/1, we can see that we're using cryptographic authentication and key ID of 1.

So that, ladies and gentlemen, is how you change the network type and you specify clear text, type 1, and MD5, or type 2, or cryptographic authentication, for OSPF on both the IOS and the vEdges. Pretty straightforward stuff. So if you have any comments or questions please leave me a comment in the comment section below, please like, share and subscribe, and I'll catch all of you guys in the next video.
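The video reads the Net Link States (type 2 LSAs) by eye to see which router is the DR on each segment, and then checks that the entries for the vEdge links disappear once those interfaces are point-to-point. The following parser and check are an added example, not code from the video or from Cisco; the two `show ip ospf database network` captures are constructed (trimmed to the fields the parser reads) and every IP address in them is made up rather than taken from the lab.

```python
"""
Added example: parse IOS 'show ip ospf database network' output and check
that segments moved to point-to-point no longer have a Network (type 2) LSA.
Sample outputs and addresses below are constructed for this example.
"""
import re
from dataclasses import dataclass, field

@dataclass
class NetworkLsa:
    link_id: str                     # DR's interface address on the segment
    adv_router: str                  # router ID of the DR that originated it
    mask: str = ""
    attached: list = field(default_factory=list)

# Only these four fields are needed; LS age, seq number, checksum are ignored.
FIELD = re.compile(r"^\s*(Link State ID|Advertising Router|Network Mask|Attached Router):\s*(\S+)")

def parse_network_lsas(show_output: str) -> list:
    """One NetworkLsa per entry; 'Link State ID' starts a new entry."""
    lsas = []
    for line in show_output.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Link State ID":
            lsas.append(NetworkLsa(link_id=value, adv_router=""))
        elif key == "Advertising Router":
            lsas[-1].adv_router = value
        elif key == "Network Mask":
            lsas[-1].mask = value
        else:
            lsas[-1].attached.append(value)
    return lsas

def designated_routers(lsas: list) -> dict:
    """Segment (DR interface address) -> router ID of its DR."""
    return {l.link_id: l.adv_router for l in lsas}

def leftover_network_lsas(lsas: list, p2p_segments: set) -> list:
    """Segments configured point-to-point should have no Network LSA; any
    segment returned here still has one side running broadcast mode."""
    return [l.link_id for l in lsas if l.link_id in p2p_segments]

# Constructed capture before the change: four broadcast segments, DR per segment.
SHOW_BEFORE = """\
            OSPF Router with ID (10.5.16.16) (Process ID 1)
                Net Link States (Area 0)
  Link State ID: 10.1.16.1 (address of Designated Router)
  Advertising Router: 10.1.16.1
  Network Mask: /24
        Attached Router: 10.1.16.1
        Attached Router: 10.5.16.16
  Link State ID: 10.3.16.16 (address of Designated Router)
  Advertising Router: 10.5.16.16
  Network Mask: /24
        Attached Router: 10.5.16.16
        Attached Router: 10.3.16.3
  Link State ID: 10.2.16.2 (address of Designated Router)
  Advertising Router: 10.2.16.2
  Network Mask: /24
        Attached Router: 10.2.16.2
        Attached Router: 10.5.16.16
  Link State ID: 10.5.16.16 (address of Designated Router)
  Advertising Router: 10.5.16.16
  Network Mask: /24
        Attached Router: 10.5.16.16
        Attached Router: 10.5.16.5
"""

# Constructed capture after both vEdge-facing links became point-to-point:
# only the ASA and router 5 segments still carry a Network LSA.
SHOW_AFTER = """\
            OSPF Router with ID (10.5.16.16) (Process ID 1)
                Net Link States (Area 0)
  Link State ID: 10.3.16.16 (address of Designated Router)
  Advertising Router: 10.5.16.16
  Network Mask: /24
        Attached Router: 10.5.16.16
        Attached Router: 10.3.16.3
  Link State ID: 10.5.16.16 (address of Designated Router)
  Advertising Router: 10.5.16.16
  Network Mask: /24
        Attached Router: 10.5.16.16
        Attached Router: 10.5.16.5
"""

if __name__ == "__main__":
    p2p = {"10.1.16.1", "10.2.16.2"}          # segments we changed to point-to-point
    for label, text in (("before", SHOW_BEFORE), ("after", SHOW_AFTER)):
        lsas = parse_network_lsas(text)
        print(label, "DRs:", designated_routers(lsas))
        print(label, "type 2 LSAs still on p2p segments:", leftover_network_lsas(lsas, p2p))
```

Run it against real output by piping `show ip ospf database network` into `parse_network_lsas`; a non-empty result from `leftover_network_lsas` for a link you believe is point-to-point means the two ends disagree on network type, which is the mismatch the video hits before fixing the vEdge side.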
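The video points out that with type 1 authentication a packet capture shows the key, while type 2 carries a digest and both sides must agree on the key ID. The model below is an added example, not code from the video, Cisco or the vEdge; it follows the OSPFv2 header and the digest construction in RFC 2328 Appendix D (MD5 over the packet with the key zero-padded to 16 bytes, digest appended after the packet). The Hello body, router ID and sequence number are constructed values, and the checksum is left at zero throughout for simplicity.

```python
"""
Added example: why OSPF type 1 (simple password) leaks the key on the wire
and type 2 (message digest) does not, modelled on RFC 2328 Appendix D.
Constructed packets only; nothing here talks to a network.
"""
import hashlib
import hmac
import ipaddress
import struct

# Fixed part of the OSPF header: version, type, length, router id, area id,
# checksum, autype. The 8-byte Authentication field follows it.
OSPF_HDR = struct.Struct("!BBH4s4sHH")
AU_SIMPLE, AU_CRYPTO = 1, 2
HELLO = 1
DIGEST_LEN = 16

def _pad(b: bytes, n: int) -> bytes:
    """Zero-pad (or cut) to exactly n bytes, the way RFC 2328 sizes keys."""
    return b[:n].ljust(n, b"\x00")

def ospf_packet(body: bytes, autype: int, auth_field: bytes, router_id: str) -> bytes:
    # Length covers header (24 bytes incl. auth field) + body; an appended
    # MD5 digest is deliberately not counted. Checksum kept 0 (RFC 2328 D.4
    # uses the digest instead of a checksum for AuType 2; simplified for type 1).
    hdr = OSPF_HDR.pack(2, HELLO, OSPF_HDR.size + 8 + len(body),
                        ipaddress.IPv4Address(router_id).packed, b"\x00" * 4, 0, autype)
    return hdr + _pad(auth_field, 8) + body

def simple_auth_packet(body: bytes, password: str, router_id: str = "10.5.16.16") -> bytes:
    """Type 1: the password itself is written into the Authentication field."""
    return ospf_packet(body, AU_SIMPLE, password.encode(), router_id)

def md5_auth_packet(body: bytes, key_id: int, seq: int, key: str,
                    router_id: str = "10.5.16.16") -> bytes:
    """Type 2: Authentication field = 0x0000, Key ID, Auth Data Len (16),
    cryptographic sequence number; MD5(packet || padded key) is appended."""
    auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    pkt = ospf_packet(body, AU_CRYPTO, auth_field, router_id)
    return pkt + hashlib.md5(pkt + _pad(key.encode(), DIGEST_LEN)).digest()

def password_in_clear(wire: bytes, password: str) -> bool:
    """What a capture shows: does the configured key appear as plain bytes?"""
    return password.encode() in wire

def md5_auth_verify(wire: bytes, keys: dict) -> bool:
    """Receiver side: select the key by Key ID (both peers need the same ID,
    as the video notes), recompute the digest and compare in constant time."""
    if len(wire) < OSPF_HDR.size + 8:
        return False
    _ver, _type, length, _rid, _area, _csum, autype = OSPF_HDR.unpack_from(wire)
    if autype != AU_CRYPTO or len(wire) != length + DIGEST_LEN:
        return False
    _zero, key_id, auth_len, _seq = struct.unpack_from("!HBBI", wire, OSPF_HDR.size)
    key = keys.get(key_id)
    if auth_len != DIGEST_LEN or key is None:
        return False
    pkt, digest = wire[:length], wire[length:]
    expected = hashlib.md5(pkt + _pad(key.encode(), DIGEST_LEN)).digest()
    return hmac.compare_digest(expected, digest)

if __name__ == "__main__":
    hello = bytes(20)                       # constructed stand-in for a Hello body
    plain = simple_auth_packet(hello, "cisco123")
    signed = md5_auth_packet(hello, key_id=1, seq=1, key="cisco123")
    print("type 1, key visible in capture:", password_in_clear(plain, "cisco123"))
    print("type 2, key visible in capture:", password_in_clear(signed, "cisco123"))
    print("type 2 verifies with key id 1:", md5_auth_verify(signed, {1: "cisco123"}))
    print("type 2 with only key id 2 configured:", md5_auth_verify(signed, {2: "cisco123"}))
```

The key-ID lookup is the part that matters operationally: a peer configured with `message-digest-key 2` rejects packets carrying Key ID 1 even when the secret is identical, which is the "youngest key is id 1, both sides have to use key ID 1" point from the video and the reason key rotation with key chains has to overlap IDs on both ends.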
Info
Channel: Rob Riker's Tech Channel
Views: 1,248
Keywords: cisco, sd-wan, sd, wan, ospf, vedge, cli, template, authentication, clear text, md5, network types, point to point
Id: KVu3omXS-to
Length: 24min 55sec (1495 seconds)
Published: Wed Sep 30 2020