Cisco SD-WAN 019 - Service VPN1 NAT Dynamic PAT Local Internet Breakout and OMP Internet Fail Over

Captions
How's it going, everybody? In this video we're going to go ahead and take a look at the next topic in our SD-WAN series, which is going to be NAT, network address translation. So initially we're going to take a look at some of the more common reasons why you would use NAT with the vEdge solution, or I should say the SD-WAN solution on the vEdge platform. The reason why we're going to do that is because there have been a number of scenarios that I've worked in, in other overlay solutions like DMVPN and FlexVPN, where local internet connectivity is needed, where you don't want to send the traffic that doesn't need to go for corporate business over the tunnel to an HQ site to be able to reach the internet. Is that a bad solution? No, but it's a waste of bandwidth if your MPLS or your private WAN transport isn't at the speed that it needs to have. So a lot of times you can get away with that with, like, internet service, and then run a VPN over the top of the internet service. But we're going to take a look at deploying this in a way where it's needed; we can actually deploy it. So in other words, we're going to roll this out on vEdge3 and vEdge4 via vManage by modifying the templates. I'm going to deploy this on vEdge1 just to show you what it's like to configure it via the CLI, just so you can see the before and the after and go from there.

Now, we're doing local internet breakout, so the very first scenario that we're going to walk through is, let me go ahead and pull my pen tool out real quick, we're going to set up internet connectivity here. We're going to enable NAT on the ge0/0 interface on vEdge1. We're going to enable NAT here, and that's going to allow us to send NATed traffic out this interface. We're also going to create a default route to point to VPN 0, which ge0/0 is a member of. So in other words, the default route will look like this: 0/0 with an outgoing interface of ge0/0, and it's going to be for NATed traffic. So any traffic that comes in from, say, IOS 5 or IOS 6 that is bound to an IP address, or a destination IP, that is not in our global routing table that can be reached via the SD-WAN fabric, we're going to send it out to the internet like this. I do have a loopback over here on the internet router, 1.2.3.4, which we'll be using for reachability purposes. Now the ASA has a default route on it as well, which is where we're going to be sending our internet traffic out of the gate, but because of the fact that I'm learning that default route, which is being advertised to switch 16, which is then pushing that down to vEdge2 and vEdge1 respectively, because of the fact that it's going to be learned via OSPF means that I will be able to demonstrate this NAT configuration on vEdge1 without breaking my local internet connectivity, because I'm going to be using vEdge1 as my egress point just to show you what it looks like in the CLI. Once we verify that it's working through vEdge1, we're actually going to remove the configuration and then default back to ASA1. The reason why we're going to do that is because I've advertised the OSPF external type 2 routes, which is what this is: this is going to be an OSPF external type 2 route learned from the ASA, passed out to switch 16, and switch 16 advertises that to vEdge1 and vEdge2. That default route is being sent over both TLOCs, this way, oops, this way here and this way here, to these guys, and from here to here and from here to here, as well as to here and to here, as well as to here and to here via MPLS on vEdge5, which means vEdge5 will eventually learn a default route towards either vEdge1 or vEdge2.

So we'll be able to give the vEdge5 site internet connectivity once we have the configuration in place for vEdge1, and we remove it just after we verify that it's working the way we needed it to. I'm going to flip the config over, and we're going to take advantage of the, we're actually going to have one default route on vEdge3 and vEdge4 learned four different ways. The first two ways are going to be via vEdge1, via the internet and MPLS colors, so through those TLOCs, and then twice via vEdge2, via the public internet and MPLS TLOCs. So we'll learn the default route four different ways. I'm going to take the same configuration of vEdge1, but via templates over here on vEdge3 and a template here on vEdge4, which will allow me to test internet failover, because what I'm going to do is, on the outside interface, so ge0/0 in VPN 0, I'm going to enable it to be a NAT interface, and then I'm going to create a default route on vEdge3 and vEdge4 that's going to point to do local internet breakout there as well. But if something happens with either gig 3 or gig 4 on the internet router, the upstream link goes down, which is a very real possibility: local connectivity usually isn't a problem, it's usually something further up the internet stream that breaks. So in the event that the central office or the point of presence that your internet circuit terminates into goes down or has a problem, what ends up happening is, after a short period of time, the BFD sessions will go down, and that will remove that static default route that we have pointing to VPN 0 for NAT connectivity on vEdge3 and vEdge4, and actually allow the traffic for internet connectivity to route over the MPLS circuits and MPLS TLOCs back to vEdge1 or 2, depending on which one it prefers, and then send that traffic through HQ, through switch 16, and then eventually out of ASA1. So the configuration will look something like this. Let me go ahead and switch my color over real quick to yellow, green.

So initially we're going to go like this, right, and we'll do something like that to the 1.2.3.4 address. But if something happens and these connections go down, right, so this circuit dies or this circuit dies, then we will no longer be able to get there this way or through this path right here. We'll have to take a different path, which is going to be riding over the MPLS TLOC through vEdge1 or 2 and then out to wherever we've got to go. So this will be the new path that we'll be taking; we'll be riding over the MPLS TLOC in order to get to where we've got to go. That'll be high availability failover. So I'll just shut down the interfaces on the internet router to simulate an upstream failure. It's going to take a couple of minutes for it to fail over, so it won't be an instant configuration, and eventually the traffic will flow over the MPLS TLOC back to the HQ site and terminate using the internet over at the HQ site. So that's basically what we're going to do in this video. Let's go ahead and start diving into the config to understand all the details that go into it. There's a lot to do, so let's dive into that config.

So I'm going to go ahead and pull up vEdge1, and on vEdge1, if we look at, here we go, let me admin in, right. So if we look at a show ip route, we don't have anything going on in there right now. I did test this out, but I removed the config afterwards. You can see that I've got a default route in the routing table, right, so if I was to ping 1.2.3.4 via VPN 1, I should be able to reach it pretty easily. Well, that's fun. Actually, yeah, that should be working; I'm not sure why that doesn't respond. Anyway, that would be the connectivity that we would want to be leveraging for internal usage, right. For whatever reason it's just not responding, not sure why, but at any rate, what's going to end up happening is, on vEdge1, I'm going to go to global config and vpn 0 and then interface ge0/0, and I'm going to type in the command nat, which turns NAT on. So that's one thing to keep in mind here: the way the internet, or NAT, works on an IOS router is very similar to this, where you have to go underneath the interface and basically say you're going to be used for NAT. As long as you understand that, you're in good shape; you'll be able to process NATed traffic and all that good stuff. So the outside interface, ge0/0, or whatever interface you're plugging your internet connection into on VPN 0, would need to have the nat command enabled on it. I'm going to go ahead and commit that command, and then I'm going to get out of vpn 0 and jump into vpn 1, and the command I'm going to type in is ip route, and just a default route, because this is the destination you're trying to reach. So we're like, if you don't have a longer-match route, send it out vEdge1 in order to get to where you've got to go. So I'm going to go ahead and do that, and I'm going to type in vpn 0, simple as that. I'm going to go ahead and commit that command as well, and then after a couple of seconds, if we look at the show ip route, we should see a NAT interface added to the routing table, which we can, and this time here it's learned as a connected route, right. So that means I should be able to go to, say, IOS 5 or 6, and if I do a ping to 1.2.3.4, after a couple of seconds we should see the ping go out, and if we do a telnet to 1.2.3.4, we log in and we do a show users, we can see that we are connected via 192.1.1.2, which tells me that our internet connectivity through vEdge1 is working. So we're doing local internet breakout here, and if I do the same thing from router 6, ping 1.2.3.4, after a couple of seconds the ping goes out and everybody's groovy.

Now if we come over here to vManage and we look at the network, I select vEdge1 and I look at this in real time, and I come in here and I look at NAT and I look at filters, and I don't want to filter anything, I should see an active session. So from 10.5.6.16 to 1.2.3.4 I have an active connection via TCP, and if I scoot this over just a little bit, you can see that my destination public port is 23; in other words, I'm using telnet to connect. Now I can come back over here and I hit this up here and do a repeat of, say, 100, and I come back over here and I refresh, and we should see we have an active ICMP ping right there. So we can see that that's working as expected; the protocol, or the designated private source port, is 1 and our destination port should be 1 as well, so it's a ping packet. All right, so that's local internet breakout via the CLI. The configuration is identical on a vEdge that's associated via template; we're going to go ahead and set that up and then go from there. So let me go ahead and remove this config on vEdge1: go to global config and vpn 1, no ip route 0.0.0.0/0 vpn 0, go ahead and commit that config, boom, there we go.

All right, now the next thing I'm going to do is some verification testing. Let me go ahead and go to, say, IOS 13 real quick. Actually, let me show you vEdge3. So let me go ahead and do some config here. So let's do a show ip route, and we can see that we are learning four default routes, technically one default route being learned in four different ways, right. So you can see that we have the TLOCs that we're learning in from vEdge1 and 2, because we've advertised OSPF over OMP, and that's where we're learning those routes from, okay. So now what I get to go do is, on IOS 13, if I come in here and I do a show ip route, I am learning a default route. So I'm going to go and I'm going to ping 1.2.3.4 and I should be able to reach it pretty easily. There we go, I can ping it, and if I do a telnet to 1.2.3.4, I log in as rob and cisco, I do a show users, you can see that my public IP address is actually 192.1.102.2, I'm sorry, 101.2, pardon me. But here's the thing: that IP address is actually associated right here on ASA1, which means that I am flowing over the connection, the MPLS transport, or I should say I'm following a TLOC that points me back to the HQ site, and the HQ site is getting me routed to the ASA, and the ASA knows how to reach back. So if I was to go to the ASA, which is right here, and then do a show conn long, you'll see an active TCP session for telnet right there; there's my telnet session going to the firewall, okay. All's well, all is great. Now, that just proves that it's connecting, right. So if we go ahead and exit out here, we'll do the same thing on 15. So I just want to prove to you that it does work this way. So we're going to ping 1.2.3.4, we do a telnet to 1.2.3.4, rob and cisco, show users, and we can see 192.1.101.2, okay. So we verified that all of my claims are so far panning out.

So now we're going to go configure vManage to allow vEdge3 and vEdge4 to both be internet breakout devices. So to configure that, we're going to pull up vManage, and I'm going to bring this over a little bit so we can see vEdge3 and 4. I'm going to go ahead and jump out of the way. I'm going to go to the Templates tab, I'm going to click on Feature, and the first thing that I have to do, underneath the name of the template for a single site, I'm going to come underneath here, I'm going to find the VPN 0 template, but I actually need the VPN 0 template for the ge0/0 interface, so the internet-terminating interface in VPN 0. I'm going to come over here, I'm going to go ahead and edit this, and it's got to be the interface; it can't be the VPN 0 configuration itself. I'm going to click on NAT and I'm simply going to come in here and click on On, okay. I'm not going to mess with any of these options here; I'm just going to click on Update. What that's going to do is it's going to push the command vpn 0, interface ge0/0, and then nat to those devices, okay. So on the config diff, when we come down here a little bit, you'll see that underneath here we'll go underneath vpn 0, ge0/0, and then we're going to just enable nat there. Configure Devices, push it out to both, click on OK. All right, so give that a couple of moments to do its thing. All right, so the push is done and we're good to go.

So I'm going to go back to the templates, because we're not done yet. Click on Templates, I'm going to go to Feature Template, and this time I need to grab the single site, come down here to the VPN 1 template. Let me scoot this over just a little bit more so we can see it all. So we need the single site VPN 1 template, right, because we have to create a default route inside of VPN 1 to point to VPN 0 and leverage ge0/0. So I'm going to grab this template, because we have to create just a default route in there. I'm going to go ahead and click on Edit, and then under IPv4 Route I'm going to come down here and click on Add Route, and then 0.0.0.0/0. I'm going to select VPN, change this to Global and turn it on, click on Add and then Update. That's going to do this for both vEdge3 and vEdge4. I'm going to click on Next. I'm going to do a quick config diff real quick; give that a couple of seconds to upload and update. Look at the config diff, and underneath vpn 0 we have ip route, a default route to vpn 0, okay. Let me Configure Devices, push it to both, click on OK, and then when that's done being pushed I'll bring you guys back in.

Okay, so now the config has been pushed. Let's go ahead and minimize this and go back to this guy. So we're going to go back to 13, I'm going to go ahead and I'm going to ping 1.2.3.4 again. Okay, the ping still works, which is good. I'm going to go telnet now, rob and cisco, and we're going to do a show users. You'll notice now that I'm not coming from 192.1.101.2 anymore; I'm coming from 192.1.3.2. And what IP address is that? Well, that happens to be the ge0/0 interface of vEdge3, which means I'm pointing all traffic out towards the internet router, which is exactly what I'm trying to accomplish here, local internet breakout. So that's that one. So now if I go to vEdge, or IOS 15, I do that ping, that one works as well. Let's go ahead and do a telnet, rob and cisco, show users, and now I've got 192.1.4.2, which happens to be the public IP address of vEdge4 on ge0/0 in VPN 0.

So everything that I've been trying to do is working the way that it's expected to. Now if we look at the routing table of vEdge3, we do a show ip route just to make sure that everybody's on the same page. We're going to have this VPN 1 interface here; we have a default route now, and because it's a default route it's going to automatically take precedence, because it's connected, right. We're pointing it out a local interface, where you'll notice on the OMP-learned default routes my next hop doesn't point out a local interface, it points to a TLOC IP. Anytime you have to jump more than one hop away, then you're technically not connected, right. So you have to jump over the IPsec tunnel to the remote TLOC device, which in this case is your vEdge1 and vEdge2, in order to reach the connectivity to the internet routing. Now what this does enable us, though, is this enables us to enable the failover. So I can actually go in and I can shut down the upstream connections on the internet router and I can trigger the failover. The failover is slow, I'll warn you there; it does take a couple of minutes to trigger and to fail over, but once it does, our path will then be sent out over the OMP peerings via the MPLS TLOC, the MPLS transport, to vEdge1 or 2 and then out ASA1 at the HQ site. Let's go ahead and take care of that. So I'm going to go to the internet router, to global config, interface range g3 through 4, and I'm going to go ahead and shut down these connections. Now, pretty quickly it will detect the failure. So we do a show ip route, it doesn't show it up here, but if we do a show bfd sessions you'll quickly see that the connections are down, but it will take some time for them to get removed. In other words, this default route will stay in the routing table for a little while; this route right here will stay, and so will this NAT route. But you notice that because the TLOC went down, so did all my public internet connections; I only have MPLS connections in the routing table at the moment, which means that once the local internet breakout failure switches over to use OMP only, the default route gets removed from the routing table, then I will no longer be using the local internet connection to go out to the internet; I'll be leveraging the OMP connection back to vEdge1 or 2 to go out via ASA1. So let's go ahead and actually take a look at, see how long that's going to take. So this is going to take a bit; I'm going to go ahead and pause until it's completely gone and then I'll bring you guys back in. I'm going to try to time it for you.

All right, it took a lot less time than I was anticipating, which is awesome. So now we can see that the default route that was pointing at ge0/0 is gone, and so is the NAT route. So if we go back over here to 13 and I come up here and I do the ping, the ping still works, right, but if I do the telnet, it took a little longer this time, rob and cisco, and we do a show users, I don't know if you can tell, but it's actually slower. So we have this new connection going on, right, 192.1.101.2 again; that's the ASA's IP address up here. If we exit out and we do a traceroute to 1.2.3.4 numerically, we're going to flow out the ASA. Same thing on 15. If I come over here to 15, I do that ping test again, the ping works, the telnet works as well, show users, it works as well, we exit out and we do a traceroute to 1.2.3.4 numerically, we get out to the internet and everything's groovy, right.

So that, ladies and gentlemen, is how you would enable local internet breakout via the CLI and the templates, in order to allow local internet breakout and then to fail back to OMP connectivity to flow to the edge at the HQ and then hit the HQ's internet connection, or really a data center; it could be, it doesn't have to be anything. Now let's go take a look at vEdge5. vEdge5 is also going to have internet connectivity. I think I screwed that password up; I did. So if we look at show ip route, we're going to have a default route, two of them, one through vEdge1 and one through vEdge2, and I will be able to go to 14, and in here do a show ip route, I have a default route in my routing table. So if I ping 1.2.3.4, give that a couple of seconds, boom. If I do a traceroute to 1.2.3.4 numerically, boom, I get out to the internet all day long. So that, ladies and gentlemen, just verifies the claims that I've been making this entire time when it comes to doing the NAT configuration. So we're going to continue moving on with other NAT features and stuff like that in follow-on videos, but for right now we are good to go with local internet breakout. Until next time, guys, thanks so much for stopping by, and I'll catch you guys in the next video.
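The failover logic the video walks through on vEdge3 (a NAT default route in VPN 1 that is preferred while the internet transport has BFD sessions up, and OMP-learned defaults via the MPLS TLOCs of vEdge1/vEdge2 once it is withdrawn) can be modelled to see which path is chosen at each stage. This is an added, simplified Python model, not vEdge code; the system IPs, the NAT-route withdrawal rule and the first-candidate OMP tie-break are assumptions made for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class BfdSession:
    remote_system_ip: str   # remote vEdge system IP (constructed values below)
    local_color: str        # transport the session rides: "public-internet" or "mpls"
    state: str              # "up" or "down"

@dataclass(frozen=True)
class OmpDefault:
    tloc_ip: str            # next hop for 0.0.0.0/0 is a remote TLOC, not a local interface
    color: str

def nat_default_usable(sessions, nat_color="public-internet"):
    """Assumption: the VPN 1 static default to VPN 0 stays installed only while
    the transport carrying the NAT interface still has some BFD session up."""
    return any(s.local_color == nat_color and s.state == "up" for s in sessions)

def reachable_omp_defaults(sessions, omp_defaults):
    """OMP defaults are usable only when the BFD session to that TLOC is up."""
    up = {(s.remote_system_ip, s.local_color) for s in sessions if s.state == "up"}
    return [r for r in omp_defaults if (r.tloc_ip, r.color) in up]

def select_default(sessions, omp_defaults, nat_enabled=True):
    """Connected NAT route beats OMP; otherwise the first reachable OMP default wins
    (real OMP best-path selection is not modelled)."""
    if nat_enabled and nat_default_usable(sessions):
        return {"via": "nat", "interface": "ge0/0", "vpn": 0}
    cands = reachable_omp_defaults(sessions, omp_defaults)
    if not cands:
        return None
    return {"via": "omp", "tloc": cands[0].tloc_ip, "color": cands[0].color}

def upstream_internet_failure(sessions):
    """Simulates shutting the internet router uplinks: every BFD session over the
    public-internet color eventually goes down; MPLS sessions are untouched."""
    return [replace(s, state="down") if s.local_color == "public-internet" else s
            for s in sessions]

# Constructed lab state for vEdge3: BFD to vEdge1 and vEdge2 over both colors,
# and the one default route learned four ways (two TLOCs per hub vEdge).
VEDGE1, VEDGE2 = "10.255.255.1", "10.255.255.2"   # constructed system IPs
SESSIONS = [BfdSession(ip, color, "up")
            for ip in (VEDGE1, VEDGE2) for color in ("public-internet", "mpls")]
OMP_DEFAULTS = [OmpDefault(ip, color)
                for ip in (VEDGE1, VEDGE2) for color in ("public-internet", "mpls")]

def walkthrough():
    """Returns the chosen path before and after the simulated upstream failure."""
    before = select_default(SESSIONS, OMP_DEFAULTS)
    after = select_default(upstream_internet_failure(SESSIONS), OMP_DEFAULTS)
    return before, after

if __name__ == "__main__":
    for label, path in zip(("before failure", "after failure"), walkthrough()):
        print(f"{label}: {path}")
```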
Info
Channel: Rob Riker's Tech Channel
Views: 2,374
Keywords: cisco, sd-wan, sd, wan, nat, failover, internet, omp, local, breakout
Id: 5HY6YCrwyoU
Length: 25min 18sec (1518 seconds)
Published: Sun Oct 04 2020