Cisco SD-WAN 024 - Service VPN1 Standard and Extended ACL via CLI

Captions
How's it going, everybody. I wanted to transition into the localized policies section now. This is going to be kind of... it's going to fall underneath the policies portion, but because localized policies don't require you to do anything really fancy from a perspective of having a vSmart template that you push from the vManage end to the vSmart (you're not doing a centralized control policy), we will take a look at some other aspects of stuff when it comes to the other policy types and capabilities. But right now we're going to be focusing on just localized data policies, meaning that whether we create it on vEdge 1, like we did for BGP traffic engineering where we created a policy, and you know, we went underneath policy, we created a route policy, we added a sequence, and then we basically set the action to accept the routes and then set local preference, and then we tied the route policy name, I think it was rp bgp routes, and we set it outbound towards the connection towards switch 16. Well, that was great, right? It worked out for us, but when we created that on the vManage we had to create the route policy rule first, then create the policy itself, and then call the route policy from that, and then we were able to push that policy down to the vEdge. Well, we're going to continue that process, but we're going to be looking at it from the perspective of an access control list, or an ACL.

So we're going to take a look at a couple different examples here as we go forward. We're going to look at it from a pseudo... how do I word this... kind of like a standard ACL, where we look at just the IP packet itself. So there's not a direct correlation that I found from a standard ACL to an extended ACL, where you would just match on the source traffic and it's all IP traffic, so TCP, UDP, ICMP, whatever the case might be, where we'll take a look at it from just all traffic going to a particular destination will get dropped, for example. And then we're also going to go and say for traffic that is a specific type, we're going to block. So for example, on vEdge 1 we'll do an inbound ACL, or I'm sorry, we'll look at it from both inbound and outbound, but for example, let's say we block the loopback addresses of all the edges, or all the IOS routers at the branches. We block all those, the 13, 14, and 15 routes, from gaining access to the internet, right? We'll block that traffic, and then we'll create another access list inbound on vEdge 1 that will say any traffic from router 5 or router 6 that is going to any of the remote destinations, we're going to block Telnet access. So we'll test it out beforehand, make sure it works, but then once it's up and running we'll go ahead and use an ACL inbound and we'll test that out. That should go pretty quick, because it's command line and it's usually pretty snappy.

The vManage portion, where we have to create the policies and then push them down into the box to the appropriate vEdges, we're going to look at doing that on vEdge 3 and vEdge 4 and vEdge 5, and what we're basically going to do is I'll give you a couple of examples of how that would work inbound versus outbound and stuff like that, because you have to go underneath the policy section, go underneath localized, you've got to create the access list itself, you've got to match on the traffic that you want to block or filter, then you've got to tie it to, get it called from, an actual policy itself, and then you've got to push the policy to the vEdge. Then once the policy has been pushed, then you can actually go underneath the templates and call the policy that was pushed to the vEdge from the template so that it can actually get applied. So there's a lot more legwork on the vManage side than there is, and I'm probably going to break it up just so we can see what that looks like. So we'll do CLI-based with that, and then we'll take a look at another variation with vManage where we'll do it via templates. So that's basically how we're going to go about doing that. So that being said, now that you know what we're going to try to break down, we're going to go ahead and dive into those aspects.

All right, on vEdge 1, we're going to get out of here. One of the things that I just did was I re-advertised, or I went ahead and advertised, default routes over... I took the default route that we're learning from ASA 1 via vEdge 1 and I propagated it over to the branch, or the spoke, vEdges. And if we look at router 13 and I do a... I'm learning a default route, so we should have that connectivity up and running now. And if I look back at vEdge 1 and do a show ip route vpn 1, we should be learning the loopback addresses of the remote sites, which we are. So that means I should be able to block that traffic as we are going forward and things like that. So I'm learning those routes in and everything is looking pretty good in terms of the operations and things like that. Why am I learning those? That's a little bit weird. Let me go to switch 16 and let's do a show ip route. How are we learning those routes in? We're learning those in via vEdge 2. Okay, so I don't have that route propagated; I don't have vManage set up, or I don't have vEdge 2 set up, to push a default route by redistributing OMP. But let me go ahead and focus on getting this stuff squared away.

So actually what I need to do is, if we were to go to, for example, router 13, I should be able to ping 1.2.3.4 sourcing from loopback 0. And you know what, it won't actually. That won't work; that's my mistake. And the reason why it won't work is on the ASA, if we look at the show access-list, we're not matching on that traffic. We are... I'm sorry, show nat, we're not matching on any of that. So show run object network, we're not matching on that traffic itself. What I can do is I can create an object network and call this spoke loopback for IOS 13. And what I'm going to do is come in here and I'm going to type in, since it's a /32, I'm going to type in the host of 13.13.13.13 and hit the enter key, and then I will type in nat and it'll be inside to outside, dynamic interface. Okay, so now if I do the same thing again, that is allowed out. So now it's being added and we're all good there. I'm going to do the same thing on ASA 1; I'm going to hit the up arrow a couple times and just do 14 and, before, make that a 4, whoops, and we'll go ahead up here and change the NAT statement over. So if we do a show run nat we should have those guys, go and show run object network, and so that's working the way we wanted it to. Hit the up arrow one more time, a few more times, to get 15 in there. We'll hit... the host IP address will be 15, and oops, there we go, and then we'll hit the up arrow a couple times to get to the NAT object. There we go. So now if I go to 14 and I show ip route, and if I do a ping to 1.2.3.4 sourcing from loopback 0, the ping goes through. 15 should be the same thing: ping 1.2.3.4 sourcing from loopback 0. Maybe I did not configure that yet. Let's show ip route. Okay, show ip interface brief. Ah, so interface loopback 0, ip address of 15.15.15.15/32. And we're going to go ahead and hit the up arrow and try that ping one more time. There it goes.

So now what I'm going to do is on vEdge 1 I'm going to go underneath here, under vpn; I'm going to apply this to vpn 1 ge0/2, and I just have to make sure that the flow goes the way that I need it to. So if I do a traceroute this way, numerically, I need to come in... I come in from 13, I land on 1, right, I come in on 1 and then I go out towards 16. So my egress point is coming out off of vEdge 1 towards switch 16 and then I'm able to go out to the internet. That's important, because if the traffic is not in that data path then the ACL will have no effect, so you've got to make sure that the traffic is actually coming in on vEdge 1. So when we look back at, say, vEdge 3, and we look at where the traffic is going, we've got to make sure that the traffic is flowing towards 1, right? And if we look at vEdge 1 and we do a show ip route vpn 1, we need to make sure that we are sending traffic... it's going out ge0/2, there we go, that's better. Now they're being learned. Technically speaking it shouldn't be coming from switch 2; I'm not sure why it's still learning it that direction even though vEdge 2 is learning... let's log in here real quick, show ip route vpn 1. So there, okay. So the way that the routing is set up, it's a little unorthodox, but from a routing perspective it's being learned. At least, as long as the vEdge can get across, it can push the data from 13 to vEdge 3 over to vEdge 1 from a routing perspective, and then switch 16 will push it down to ASA 1.

So what I'm going to do is I'm going to be on vEdge 1; I'm going to come underneath policy, and underneath here I'm going to set up an access list. The name of the ACL is going to be, we'll set up ios 13 block inet, and hit the enter key. And then underneath here, let me go ahead and scoot this up just a little bit so we can see it better. I'm going to go ahead and say sequence 1, I'm going to say match the source data... so we're going to create a source data prefix... oh, the data prefix list, I need it, that's actually right. Let me go back one level, and back one level here, and I want to create a list: lists, and I'm going to create a data-prefix-list. That's right, I forgot about that. So data-prefix-list, underneath here we have to give it a name; we're going to call this ios 13, we'll say loopback. Underneath here we're going to say ip-prefix and the address is going to be 13.13.13.13/32. Okay, and I'm going to exit out of here and I'm going to do a show config. And what I'm going to do is I'm going to create the same thing; I'll hit the up arrow. Let me go ahead and, since we're at lists, I'm going to hit the up arrow for data-prefix-list. I'm going to create, this would be 14, and then the address we're going to use is going to be 14.14.14.14, like that. Show config, there we go. And then we're going to exit out once, hit the up arrow a couple times until we get back to here, then ios 15, and we'll make sure that we use the prefix of 15.15.15.15. We're going to go ahead and exit out, show config. So now our data prefixes have been created.

I'm going to go ahead and exit out of here; I'm going to create access-list. The name of the ACL is going to be, we'll say ios... I don't want to create multiple sequence numbers here. Let's just go ahead and say the access list name, in this case here, let's tweak the name just a little bit so it's more obvious, so we'll type in spoke loopbacks. And underneath here we're going to say sequence 1, we're going to match on the source-data-prefix-list and we're going to call ios 13, and then... I don't know if you can call multiple; I don't think you can. I could try; we'll grab 14. That's what I thought. So we'll grab 13 out of the gate, and then I'm going to go ahead and say sequence 2, we're going to go ahead and match, we'll match 14, and then we're going to go up to sequence 3, match, and then we're going to say 15. And then we're going to do a show config, go ahead and exit out, exit out here, show config. All right, so the option here is that we're saying access... let's do this. For sequence 1, match router 13's loopback, we're going to go ahead and drop it. Same thing with sequence 2, do this, we're going to match on router 14, drop it. And then we need to come in here and type in the default. We're going to come underneath here and say access-lists, and the name of the access list is spoke loopbacks. Underneath here we're going to say the default action will be to accept. Now you might say, okay, you've dropped everything else, why are you accepting here? And the simple answer is, if we don't set a default action, what will end up happening is it'll just block everything else, because basically it's going to be a deny, deny, deny, right? And we don't want it to be all denies.

Now I could be more specific. I could come in here, and actually let's do this a little bit differently. I can come in here, I can say default-action is to drop, but if I come in here I can create another list. For example, let me come in here and type in lists, and underneath we'll create another data-prefix-list, right, and we'll give it a name. We'll come in and type in rfc1918 underscore 10 net, something like this. We'll type in ip-prefix, which will be 10.0.0.0/8. Okay, we'll get out of that and then we'll go show config one more time. And then what we're going to do is the access list that we're creating, let's actually back up one more level. We'll say that the access list of spoke loopbacks, we're going to come underneath here, we'll type in sequence 4. Underneath here we'll say match, and then the source data prefix that we're going to match on is going to be rfc1918 10 net, and we're going to exit out one level to that sequence, and then we're going to say action, and underneath here we'll say to... why is it not saying... well, show config. I want the action there. There we go, action accept. I don't know why it doesn't show it there, so show config; we can see now that the action is accept. So it should receive anything that's 10.0.0.0/8, anything, it should be good.

So we'll be back out to here into a show config, and let's take a look at this in more detail. So we have the lists up here. We go underneath the policy process; we have our lists. These are basically going to be our prefix lists that we're going to create. So basically, our ACL entries, we need to have something to match on, so we match on these particular prefixes right here. Then we create the access list itself, and the first sequence in the ACL is we drop. Well, actually, let me go ahead and delete that. Let me go underneath access-lists, and I'm going to say no, knock that out, ios 13 block inet, and so if we do a show config we're going to delete that, so that will no longer be there. So just to clean this up: we have our lists, where we're going to match on our traffic that we want to affect, and then we're going to say for 13, 14, and 15 we're going to drop, but on sequence 4 we're going to permit, but everything else is going to get dropped. So if we've got something coming from, for example, 172.16 or 192.168, it will also get dropped. So I'm going to go ahead and... I should add in a counter, which I will go do real quick. I'll type in the access list name just so we can see that as it comes in. We'll do sequence 1 and we're going to say the action is going to be count, and we'll call this ios 13 counter. We'll go up to sequence 2, and we're going to count, and then it'll be ios 14 counter. And then sequence 3, action count, ios 15 counter, and then we'll do sequence 4, action count, and then the name of this guy will be 10 net counter. So let's go ahead and exit out of that again, show config one more time, just so we have something in there that we can match on, and there we go. So everything's supposed to have a counter.

We're going to go ahead and I'm going to commit this config now. The config has been committed. Show run policy, do show run policy; we can see that the config has been placed, and now we need to place it outbound. So we'll go underneath vpn 1, we'll type in interface ge0/2, and what I'm going to do is I'm going to type in access-list and the name of the access list, spoke loopbacks, and we're going to specify out. Okay, we do a show config; we're going underneath the interface and we're going to apply it outbound. I'm going to go ahead and commit that config. So there we have it. So now if I go back over here to 13 and I try to do that ping again, ping 1.2.3.4, if we do a ping to that, that should work all day long, but if I ping from a source of loopback 0 that will fail. If I go back to vEdge 1 and I do a show... what's that command? I forgot off the top of my head. A show interface ge0/2, one too many zeros there, and we're going to show... what's that command? I remember. Let's see, show policy, show policy access-list-counters, that's right. So we can see traffic that has been sent back and forth. If we go to 14 and we try to do that again, we do a ping 1.2.3.4, that works all day long, but if we source it from loopback 0 the ping is dropped. Go back to vEdge 1; we can see that the pings are being dropped, in fact. And back to 15, we'll ping 1.2.3.4, it works all day long, but if we source it from loopback 0 the ping is dropped. And there we go. So we've proven that the localized data policies do work. And so we're a fair bit into this first video, so I'm going to go ahead... that's as far as I'm going to take this one. So we did a CLI-based config; now let's... actually, I've got some more time.

So what we'll do is I'm going to set one up to be... we set this outbound on ge0/2, right? What I'm going to do is I'm going to create another access list and I'm going to apply that inbound on ge0/3. We'll do that so that R5 and R6 cannot telnet into 13, 14, or 15. So let's go ahead and knock that out real quick. So what I'm going to do is, on 13, show run | section line. Let's just do 13, for the simple fact that it makes the job a little bit simpler instead of having to configure it multiple times. Okay, so it's already there. So if I go to IOS 5, for example, and I do a show ip interface brief, and I ping 13.13.13.13, okay, I can ping it, so that means I should be able to telnet to it. Go ahead and log in, rob and cisco, there we go. All right, now I'm going to create an ACL to block Telnet. vEdge 1, go back to global config, under policy. Underneath here I'm going to call... I have to be a bit more specific though now, because I need to match on more than just a prefix, or more than just the source address. Now what I'm going to do is... I don't care about the source, right? I don't care where the traffic is coming from; I care about where the traffic is going to, so an extended access list mentality, but I'm going to be specific to the transport, the protocol, and that type of stuff. That's what I want to care about now. So I'm going to go underneath here and I'm going to call a list. Underneath here I'm going to call it... I'll still match on a data prefix list, right, not going to change that up, and the prefix list name, I'm going to call this guy ios 13 telnet. Underneath here I'm going to say the ip-prefix that I'm going to match on is going to be 13.13.13.13/32.

You might say, well, why aren't you just calling it from the loopback? Well, because I want to make it specific to what it is I'm trying to accomplish. So I could technically reuse ios 13. As a matter of fact, let's go ahead and do that. Let's actually not worry about trying to make it specific, because the prefix list itself is irrelevant, right? Or you can do however you want, but as I'm sitting there looking, I was like, why do I want to have two prefix lists to call the exact same subnet? That doesn't make any sense. The ACL is where the logic changes. So let's go ahead and take care of that access list. Let me go ahead and get out of that, and then we're going to type in access-list, and then the name of the ACL is going to be, we're going to say block ios 13 telnet. And underneath here we're going to type in the sequence, it's going to be sequence 1, we're going to match. Underneath here we're going to say the destination-data-prefix-list of ios 13 loopback. We're also going to match on the destination port, destination-port 23. Now we could also say... or I should say we could match on the protocol, and we'd have to know the protocol. Now the protocol and the port are two different things, right? So what's the protocol we're going to be using? Cue the Jeopardy theme music. So it's TCP, which is protocol 6.

So we're going to throw a protocol 6 in there, right? Go ahead and jump out of the way again. So we're going to match our protocol 6, so TCP transport, to port 23, and then what we're going to do is the action will be drop, right, and we're also going to say count; we're going to call this the telnet counter, like that. Get out of there, get out of there, and then what we're going to do underneath here, we're going to say the default action will be to accept, because we're blocking Telnet, but maybe we want to allow web, right, or maybe we want to provide SNMP, or maybe we want to copy TFTP, whatever you want to dream up is your call, right? But we want to have it set up to where we can filter the traffic based on our needs, right? So what I'm going to do is I'm going to go show config. So just to recap what we did: we didn't create an extra list; we're calling an existing prefix list, and we're saying we want to match on the destination port of 23, so we know it's Telnet, and we're going to match on the protocol of TCP, and we're going to drop it, but we're also going to count the packets that are getting dropped. The default action is to accept every other type of traffic. I'm going to go ahead and commit that config underneath the policy. You don't have to do that, but it's kind of a good idea to do so. vpn 1, interface ge0/3, right, and then we're going to type in access-list, and then the name of it is going to be block telnet to ios 13, and then it's going to be in. Okay, so that's basically how that would get... so show config on that; we're going to go ahead and commit that config. Now we go back to IOS 5 and I hit the up arrow; it says that the Telnet is unreachable, right? Do it again just to prove it. Go back to here, show policy access-list-counters for block telnet, and we have plenty of... we have two packets being blocked.

But if I go to here, sorry, here, let's make sure that 13 is going to accept... let's go to ip http server, and then the authentication will be local. Let's go ahead and give that a shot again. We're going to come over here and type in telnet to 13.13.13.13 to the port of 80, and that's open, right? We look over here at 13 and we do a show ip http server connections; we have an active connection from 10.5.6.181 coming inbound. And if we look at vEdge 1 and we do that packet counter, we're not actually doing a counter for the default action, but we could. Let's go ahead and add that in real quick. Let's go back here, policy; we're going to show access-lists. Let's actually do access-list; we're going to grab ios 13, and the default action we're going to accept, obviously, but underneath here we're going to put in a... oh, I guess we can't. That's fine, no big deal, because we can't count there, no worries. So we're good to go. The point being is we can get through there and everything is happy. So that's really the big win that we wanted to have. So we tested out inbound and outbound ACLs via the CLI with a localized data policy.

So just to recap what we've covered, we're going to do a show policy, we're going to have a lot in there, show policy, or show run policy, excuse me. We have a lot in here. So as you can see, it quickly becomes... we're not doing a lot, right, but it becomes a lot of information. We have what we're going to be matching on here, right? We have our route policy for BGP routes setting the local preference to be 1000; we have our block telnet to ios 13; we have our spoke loopbacks, where we're going to drop the traffic as it's going towards the ASA. So we have all that stuff going on. That's basically what I wanted to show you guys in this video. In the next video we're going to do it via the vManage and we're going to test out some of those same capabilities, but show you the configuration through vManage with the localized data policy. We'll have to create the lists, we'll have to create the data prefixes, we'll have to map them appropriately, and we'll have to call the ACL from the policy. Once the policy has been created, then we can push the policy down to the vEdges that we want to associate it to, and then we can start doing... then we can tie the policy itself to the... which calls... once the policy is pushed to the vEdge, then once all that's done we can go underneath the template and call the access list and associate it to the interfaces in whatever direction we need to in order to affect the logic. It's a lot to remember; it is, I completely understand. With that, I'm on board with those. That's basically what we're going to have to do, so it's kind of... it is what it is. So this will be the next video; it will be a follow-on to this one, but we're already half an hour in and there's a lot to do. So thanks again for stopping by and hanging out with me in this video, and I'll catch all of you guys in the next video.
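The two ACLs built piecemeal at the vEdge CLI above, collected into one configuration as an added example (this is an editor's reconstruction, not the author's saved config). It covers both the "standard" outbound ACL that drops the three spoke loopbacks from reaching the internet and the "extended" inbound ACL that drops TCP/23 towards 13.13.13.13. The syntax is the standard Viptela localized-policy syntax; the list, ACL and counter names are the ones spoken in the video written as CLI-legal identifiers (the underscores and the `net10_counter` spelling are my assumption), and the final form of `spoke_loopbacks` is the one the video settles on: default-action drop with an explicit accept for 10.0.0.0/8.

```text
policy
 lists
  data-prefix-list ios13_loopback
   ip-prefix 13.13.13.13/32
  !
  data-prefix-list ios14_loopback
   ip-prefix 14.14.14.14/32
  !
  data-prefix-list ios15_loopback
   ip-prefix 15.15.15.15/32
  !
  data-prefix-list rfc1918_10net
   ip-prefix 10.0.0.0/8
  !
 !
 access-list spoke_loopbacks
  sequence 1
   match
    source-data-prefix-list ios13_loopback
   !
   action drop
    count ios13_counter
   !
  !
  sequence 2
   match
    source-data-prefix-list ios14_loopback
   !
   action drop
    count ios14_counter
   !
  !
  sequence 3
   match
    source-data-prefix-list ios15_loopback
   !
   action drop
    count ios15_counter
   !
  !
  sequence 4
   match
    source-data-prefix-list rfc1918_10net
   !
   action accept
    count net10_counter
   !
  !
  default-action drop
 !
 access-list block_telnet_to_ios13
  sequence 1
   match
    destination-data-prefix-list ios13_loopback
    destination-port 23
    protocol 6
   !
   action drop
    count telnet_counter
   !
  !
  default-action accept
 !
!
vpn 1
 interface ge0/2
  access-list spoke_loopbacks out
 !
 interface ge0/3
  access-list block_telnet_to_ios13 in
 !
!
```

Three points from the video are worth checking against this before committing. A sequence takes one data-prefix-list per direction, which is why the three loopbacks need three sequences rather than one. With `default-action drop` on `spoke_loopbacks`, any source outside 10.0.0.0/8 (the 172.16 and 192.168 ranges the video mentions) is also dropped on ge0/2 egress, so the default-action is the real security decision in that ACL. And the ACL only filters traffic that actually traverses the interface in the stated direction, so confirm the path with a traceroute first, then watch the per-sequence counters with `show policy access-list-counters` and review the committed policy with `show running-config policy` (the `show run policy` used in the video).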
Info
Channel: Rob Riker's Tech Channel
Views: 1,263
Keywords: cisco, sd, wan, sd-wan, network, access-list, access, list, filter, control, cli, standard, extended, acl
Id: SVhKGkZctAw
Length: 33min 11sec (1991 seconds)
Published: Fri Oct 09 2020