Cisco SD-WAN 022 - Service VPN1 NAT Policy with Centralized Data Policy

Captions
How's it going everybody? In this video we're going to take a look at our next NAT topic, which is going to move away from the templates configuration that we've been leveraging for the past few variations, and we're going to be looking at a centralized data policy. Now this is one of the first times that I've dove into this, so it was a little bit like "huh, okay," but when you start diving into the operations of it, it's actually not that bad. The idea is traffic from vEdge 3 or vEdge 4 is going to be policy driven. So for example, traffic from IOS 13 that is internet destined, so going to the internet, so pinging 1.2.3.4 or doing a traceroute or whatever, opening up a telnet, a ping, whatever the case might be, that is not RFC 1918, so outside of our private IP address ranges, that traffic will be sent out VPN 0 to NAT via policy. So we are going to get rid of our static route that's configured in VPN 1 to point to VPN 0. We're going to get rid of that to prove that it's actually working the way that we say it is. We're going to create that VPN policy to make sure that VPN 1 traffic destined to the internet is actually sent on VPN 0. We're also going to create another VPN policy that says if the traffic matches anything 10 net, because what we're running internally is all 10 nets, if that is the destination we're going to send it over the VPN. That's basically what we're going to accomplish here, so that is essentially what we're going to do. So let's go ahead and dive into the config. I'm going to go ahead and pull up vManage real quick. vManage is right here. The first thing I need to do is go to the templates real quick, go to Features, and I'm going to organize this so that in VPN 1 right here, we are not going to send the default route to VPN 0.

So I'm going to go to IPv4 Route and I'm just going to go ahead and delete this guy, go ahead and update that, and push the config out. So we're just going to hit Next, Configure Devices, and push this out to the devices. So we're in good shape there. All right, so I'm going to pause while that happens. All right, so that's been pushed. If we check the config on the CLI, we go to vEdge 3, we hit the up arrow, do a show ip route, actually let's do this: show ip route vpn. We no longer have a NAT route in the routing table, right? So that's gone. Now we just get the default routes from OMP. So now what I'm going to do is go create our policy, and the policy itself is actually very versatile. We're going to come over here to Policies, and I have a hub and spoke policy in here already, but that's just me testing, just pretend like you don't see that at the moment. I'm going to come over here to Custom Options and I'm going to go to Lists. So you can do this, or you can come in here and define your list this way, or you can go to Centralized Policy and then click on Add Policy and then go to Data Prefix and get there the same way. I'm going to add a data prefix in here called 10 nets and I'm just going to come in here and do 10.0.0.0/8.

Something very, very simple. Click on Add. Okay, now the next thing I need to go do is bypass the configured Topology and VPN Membership, because this is not a control policy, okay? So I'm not trying to do any type of route override, but I will configure a traffic rule. So not Application Aware Routing, but I will come over here to Traffic Data and I'll click on Add Policy, Create New, and here I'm going to call this NAT policy, copy and paste this in like so. I'm going to add a sequence type of Custom and then add a sequence rule. Now what I want to do is, in the destination data prefix portion of it, I'm going to come in here and say if it's 10 nets, I'm going to simply click, on the Actions tab, click on Accept, and I'm also going to add a counter. I'm just going to call this counter 1, okay? Because you can add a counter to whatever you want for the most part, where if you name it, it's going to be unique. So counter 1, counter 2, counter 3, and then when you go take a look at it on the vEdges you can see what traffic is hitting which policy. So I'm going to go ahead and Save Match and Continue. Now I'm going to go ahead and copy that, but I'm going to edit it, and I'm going to say if traffic is going anywhere else, okay? I am going to actually close, I'm going to kill that match condition, so I want to match on anything. For the actions itself, I'm going to come in here and say NAT VPN, I'm going to map VPN to VPN 0, but I'm going to call this counter 2 because it's going to be the second option here. Save Match and Continue. So the way this works is the traffic is heading to anything in the 10 net, so I don't care where it's going inside of it, it's a corporate connection, so it's going to be going to any of the sites, whether it's the data center, whether it's HQ, over to vEdge 5, wherever it's going. If the destination is 10 anything, go ahead and send it via the SD-WAN policy, so send it over the overlay to the remote sites. This bottom one here says anything else, go ahead and just send it over to VPN 0. So I'm going to just make sure that it's actually doing that, VPN 0, Save Match and Continue. We can expand this out, so it should say VPN 0. We're not going to do fallback, that doesn't seem to work. I have tested it, it doesn't seem to work. I'm going to go ahead and Save Data Policy, and now I need to go to the next step, which is to apply it to sites and VPNs.

So right here I'm going to come in here and call it the NAT policy, right? Come down here, copy and paste. On Traffic Data, this should have been something different but it's okay, I'm going to add a new site. This is going to be from the service VPNs, so this is going to be inbound from the routers. So this is going to be traffic that is coming from, traffic going this way, so traffic going to 10.1.0.16, so switch 16's loopback address, right, this guy right here. This should ride over, actually let me bring this down just a little bit more so you guys can see it in its entirety. This traffic right here, actually let me back this up a little bit, change the color. This traffic should flow to the vEdge this way if it's going to 10.1.0.16, but if I have traffic going to 1.2.3.4, that traffic should go out locally to the internet, okay? Hopefully that makes sense. Actually let me clear that up a little bit. If I have traffic going to, let me swap the color real quick, if I have traffic going to 10.1.0.16, it should ride over SD-WAN and go this way, but if I have traffic going to 1.2.3.4, that traffic should go out locally to the internet. That's how the traffic flow should work, okay? Now that we've covered that, let's go ahead and bring vManage back up. One thing that I will mention to you is that there's supposed to be a failover option available to it. I don't know where the failure is occurring, but for some reason, maybe it's the version of code I'm running, maybe it's my configuration, I haven't been able to pinpoint the problem yet, but you should be able to fail over to internet at the HQ site. So in the event that local internet goes down, you should be able to ride over the SD-WAN topology and then terminate at the HQ site. That is not actually happening when I tested it out. It is what it is, but this is how you can separate traffic from VPN versus internet traffic.

So we're gonna go ahead and finish this up real quick. This is going to be from the service VPN. This is the site list that we're going to create here. I'm going to say vEdge 3 and vEdge 4, that's where I want to apply this to, and I'm going to say from site VPN list, it's going to be VPN 1. You can ignore some of the other ones you see there. I'm going to go ahead and click on Add and then Save Policy. Now the policy has been saved. I'm going to go ahead and click here on the NAT policy and I'm going to go ahead and activate it and push it down to the vSmart. Now this is a centralized data policy, which means it will be pushed down to the vEdges. We'll take a look at that here in just a moment. All right, the config has been pushed. So we pull back up our config and we look at the show policy from-vsmart. We can see that we have a policy deployed, it's called the VPN 1 NAT policy. We can see that we are matching on 10 nets, right? 10 nets is right here, we have 10 nets, we can see the 10/8 coming across, we can see we're accepting it, and we've got counter 1 associated to that. Then in sequence 11 we're matching on any destination other than that, and we're going to send it out and use NAT, use VPN 0, okay? And I've got two different counters associated to that. So to do the show policy, show policy and then you have the option of doing the data-policy-filter and hitting the enter key, and you can see that there are a couple of policy counters here. So we already see traffic hitting the second one, which means there's traffic going out to the internet. So we go to IOS 13 and I come in here and I try to ping 1.2.3.4. I'm able to go out. If I look at vEdge 3, hit the up arrow, I am sending traffic out to the internet, right? If I go to here and I telnet to 1.2.3.4, log in as rob and cisco, I'm coming in as .96, right? So the dynamic NAT policies that we had before are still working. If I look back at vEdge 3 and I do a show ip nat filter | tab, we can see that that connection is going out locally, right? And if we hit the up arrow a couple of times and look at the filter, we can see the traffic is going out to the internet. Excellent, so it's working as we would expect it to. Go back to 13, exit out.

Okay, the next test for me to go do would be a ping to 10.1.0.16. So that's going to ride over to the HQ site, so that's working. If we look at vEdge 3 and hit the up arrow, now we can see that these policies are kicking in, so counter 1, so policy 1. If we look at the policy again we can see that policy 1 is sending it over the VPN, so we're going over the SD-WAN overlay, so we have that in play. Now if I come over here and I do a telnet connection, if I do a traceroute, excuse me, to 10.1.0.16 numerically, we should ride over, where here we're hitting vEdge 2 and then eventually we're hitting switch 16 attached to vEdge 2, and we're getting to where we need to go, which is what we want to see. Okay, so that's working the way that we intended it to, so that's working. Now the next step for us to go through and do would be a telnet connection, telnet to 10.1.0.16. Okay, so it basically won't let us do it because we don't have a password enabled, so let's go ahead and fix that real quick: config t, line vty 0 4, we'll type in login local, transport input all, username rob privilege 15 password cisco, something very simple. Go back to 13, do that one more time, blammo, we get our login credentials, and I of course type in the password wrong. You'd think for as many times as I've typed in cisco I'd get it right. Go back to vEdge 3, look at the filter, and we can see lots and lots of packets are going over here. So that in a nutshell, ladies and gentlemen, is how that would work. Pretty simple stuff when you think about it overall and how it operates, not much more to it than that. It's a centralized data policy for NAT, so that's basically what I wanted to cover in this video. Pretty straightforward stuff, so if you guys have any questions on that, please leave a comment in the comment section below, and until next time guys, take her easy.
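For reference, this is what the policy built in vManage above looks like in vSmart policy CLI form. It is an added reconstruction written for this page, not configuration shown in the video: the data-prefix list, VPN list, counter names and the two sequences follow what the video builds, but the policy and list names (vpn1-nat-policy, 10nets, vpn1, vedge3-4) and the site IDs for vEdge 3 and vEdge 4 are assumptions, since the video does not show them. The fallback keyword on nat use-vpn 0 is deliberately left off, matching the video.

```text
policy
 lists
  data-prefix-list 10nets
   ip-prefix 10.0.0.0/8
  !
  vpn-list vpn1
   vpn 1
  !
  site-list vedge3-4
   ! placeholder site-ids (assumption): use the real site-ids of vEdge 3 and vEdge 4
   site-id 3
   site-id 4
  !
 !
 data-policy vpn1-nat-policy
  vpn-list vpn1
   ! sequence 1: corporate 10/8 destinations stay on the SD-WAN overlay
   sequence 1
    match
     destination-data-prefix-list 10nets
    !
    action accept
     count counter1
    !
   !
   ! sequence 11: everything else breaks out locally through NAT on VPN 0
   sequence 11
    action accept
     count counter2
     nat use-vpn 0
    !
   !
   default-action drop
  !
 !
!
apply-policy
 site-list vedge3-4
  data-policy vpn1-nat-policy from-service
 !
!
```

Sequence order is the whole point of this policy: the 10/8 match must come before the catch-all, otherwise corporate traffic would also be NATed out to the underlay instead of riding the overlay. The default-action never fires here because sequence 11 matches everything, so it is left at drop. After activating the policy, the checks the video uses are show policy from-vsmart on the vEdge to confirm the sequences arrived, and show policy data-policy-filter to watch counter1 and counter2 increment for overlay and NAT traffic respectively.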
Info
Channel: Rob Riker's Tech Channel
Views: 1,639
Keywords: cisco, sd-wan, sd, wan, nat, centralized, data, policy, omp, vpn
Id: pPObQhUbxSs
Length: 13min 6sec (786 seconds)
Published: Wed Oct 07 2020