Cisco SD-WAN 030 - Service VPN1 Hub and Spoke Overview and Setup

Captions
How's it going, everybody. In this video we're going to go ahead and take a look at our next topic inside of the control policy section by focusing on the centralized policy. What we're going to do first is take vEdge 1 and convert it from CLI-managed over to vManage-managed, so we're going to apply some templates to it and get it online, so that we can take the vSmart templates that we applied to the vSmart in a previous video, and when we go to create a centralized control policy we can apply that, and vEdge 1 and vEdge 2 will both take advantage of it. We're also going to go through and I'm going to disable the default route propagation from the ASA to the rest of the network, so basically I'm going to kill the internet connection. The reason I'm going to do that is because when we go through and set up the hub-and-spoke topology that we're going to be doing here in just a moment, we have to set that up or else we won't be able to lock it down to just hub-to-spoke and spoke-to-hub, because currently we have communication going back and forth between everything. So right now, the way that the network is flowing, if we look at this, we currently have communication like this, like this, like this, like this and like that. Because we have all this communication going back and forth, this is what they refer to as full mesh. This is how Cisco SD-WAN works out of the gate: full mesh means that it is going to be any-to-any all the time, right? There's nothing wrong with that, but it isn't always the best way to deploy your network. There are going to be times where a more specific topology is necessary in order for things to work. So what we're actually going to do is lock it down. The default route is getting advertised from the ASA to switch 16, and switch 16 is propagating it to vEdge 2 and vEdge 1.

Once we move this from CLI mode to vManage, it will actually propagate default routes from both vEdge 1 and vEdge 2 over both TLOCs this way, so there will be a default route learned on all of these devices, right? And if we were to do that, that would actually break a specific hub-to-spoke and spoke-to-hub communication, because it would actually allow spoke-to-spoke communication. So when we get done demonstrating the hub-and-spoke topology, we'll go ahead and re-advertise the default route, and that will allow us to migrate from what would be known as DMVPN phase one, or spoke-to-hub and hub-to-spoke where no spoke-to-spoke communication would be allowed, and then we'll go ahead and see what DMVPN phase 2 is, because out of the gate our full mesh is actually DMVPN phase three, again any-to-any communication over the SD-WAN fabric. So that's what we're gonna do. When we get the first hub-and-spoke topology deployed, we're going to allow this communication, this communication and this communication, but we will not allow anything spoke-to-spoke in any capacity, like so. Any spoke-to-spoke communication will be denied. In order to allow that to happen, we can go ahead and re-advertise the default route from the ASA; that will be learned via OSPF on vEdge 1 and 2 and then be propagated down to the vEdges, which will allow DMVPN phase two, and that's going to be basically the direction we go with it. That being said, let's go ahead and dive into this setup.

The very first thing I'm going to do is go to the ASA. So pull this guy up, I'm going to go to ASA1, and if we do a show run router ospf, I'm going to go underneath here and simply type in no default-information originate. If I do that and go to vEdge 1, for example, admin/admin, and do a show ip route, we should no longer see a default route being propagated, which is what I want to see, right? So the only default route that I have currently is a static route. If we go to vEdge 3 and I log in and do a show ip route, we're not going to receive a default route over the OMP peering, which is what I want to see.

The next thing we're going to do is on vManage. I'm going to go to the dashboard and bring vEdge 1 on as a templatized device: Templates, and then from Device Template we're gonna click on the dual-site device template. I'm gonna come over here and say Attach Devices, grab vEdge 1, add that, and click on Attach. Then I'm going to go and edit the device template. I've already done this to make sure that it would work, so I have a number of capabilities and options that are available to me, and I've basically just populated all the information already. All this information is still populated, which is what I wanted to do; everything is good to go. So I'm going to click on Update, Next, and then push that config down to vEdge 1. I'll pause while it is in the process of pushing.

All right, so we can see that everything has been pushed the way we needed it to, which is good. If we go back here to Devices, we should see that vEdge 1 is now in a mode of vManage, no longer CLI. Okay, great. The next thing I need to do is go through and configure all the things on the policies to get it squared away, so let's go ahead and knock that out. The very first thing we're going to do is click on Policies right here, Configuration > Policies, and here we're brought to the Centralized Policy option, and we have Localized Policies. If we go to Localized Policies there's a couple sitting here; we will circle back to those at a later point in time. Centralized Policy, here we go. What we're going to do is click on Add Policy, and on the left-hand side of your screen the very first option we have is Create Groups of Interest.

So what is it that we're going to try to match on? We're going to match on two different things: site and VPN. The site is going to determine which sites are going to be affected, and then the VPN is going to determine which particular service VPN, or VRF, we are going to apply these rules to. So we're going to create a couple of different sites. We're going to create HQ, which is going to call site 12, which is going to include vEdge 1 and vEdge 2, and then we'll create branches, which is going to call sites 3 through 5. So basically our HQ is going to be vEdge 1 and 2, and then the branches are going to be vEdge 3, 4 and 5, so we can call HQ and branches to apply basically to every device. Then I'm going to create more sites that are going to be specific to an individual vEdge, so we'll create a vEdge 3 which would be site three, vEdge 4 will be site four, so on and so forth. So if I want to get specific with a particular solution or option, I can do that. In the VPN, we're going to create one VPN because that's all we have right now; when we get into VPN segmentation in a later video we'll take a look at how that comes into play.

So I'm going to click on Site, and right now I have no sites. I'm going to click on New Site, I'm going to call this HQ, or let's call this hub, and then we're going to say site 12. Just do something like that, click on Add, and then I'm going to add a new site called spokes, put in here 3 through 5, and click on Add. So we have that: one entry is going to be site 12 and the other sites 3 through 5. I'm going to add in here, I'm going to say we'll go HQ and put in here 12. Actually, let me do it this way: we'll do vEdge 1 is going to be 12, add that, and then add a new one for vEdge 2 and 12. So yes, it is the same site, but we can call individual vEdges to apply a particular policy to. Then it's going to be vEdge 3, site 3. Add that, and then the new site list will be vEdge 4, site 4, but make sure that's a capital E right there. Click on Add, and last but certainly not least, vEdge 5, site 5. Okay, so now we have all of our sites added, so if I want to be creative in some way I can do that, and it's gonna give me a lot of flexibility down the road. The next thing I'm gonna do is click on VPN and create a new VPN list; right now we only have one, so I'm going to call this service-vpn1 and just put in 1, that's all we have. Click on Add and there we go. So now I've created my two groups of interest.

The next thing I'm going to do is click on Next, and this is where we're actually going to create our control policy. In here we're going to click on Topology and choose Hub and Spoke, and then we need to give it a name. We're going to come in here and type in "hub and spoke topology". The reason why I like to call it a topology and not a policy is because they're technically two different things. A policy is applied to enforce something; a topology, in my opinion (this is just my verbiage), is what's going to be controlled. So I call it a topology only for the fact that it's going to dictate what's going to be going on; the policy gets applied. Okay, so I'm going to go ahead: the VPN list is going to be service-vpn, in the hub site I'm going to simply call hub, click on Add, and in the spokes I'm simply going to call spokes and then click on Add. Simple as that. Now, if I wanted to add more details here I could; I don't have any prefixes configured, and I could add Advertise Hub TLOCs. I'm not going to mess with that right now, but we will take a look at that later. I'm going to click on Save Hub and Spoke Policy, and that creates basically the policy for the topology. So we've got a topology created for that. We're going to go ahead and click on Next. I'm not going to modify any traffic rules, I'm not doing any application-aware routing, I'm not going to influence traffic in any way, and I'm not going to deploy NetFlow. I'm going to click on Next to apply policies to sites and VPNs; I've already gone through and defined that. Now, if I was creating a custom role then I would actually have to go in and define the sites and the VPNs, but again, that's a topic for another video. So what I'm going to do in here is come in and type in "hub and spoke policy", something very simple like that, and copy and paste that there. There we go, and that's it; I'm going to go ahead and Save Policy.

Now that I have it created, I need to apply it, so I'm going to click over here on the three dots for more options and click on Activate. Now it's going to get pushed to the available vSmarts that are here, so in this case it's going to be the one vSmart that we have. Click on Activate, and what that's going to do is push the policy down to the vSmart, and the vSmart will control the routing updates available to the vEdges. So now vEdge 3 will lose all of its... let me go ahead and do a quick show ip route. There's a whole bunch of stuff that vEdge 3... actually, it looks like it's already taking place, because right now we've lost all of our connectivity to the other sites. So this should be... there we go, it's done. So now I have no access to anything at, say, branch 5 or vEdge 4 or anything like that; that connectivity is now gone.

So what I'm going to do is on router 13, I'm going to come in here and ping 10.5.6.69, which is going to be router 5's DHCP-assigned address. Give that a couple seconds and then the tunnel should come online. Let me see why... oh, you know why: show ip route, I don't have a default route. So let me go ahead and create one real quick. You might be wondering, well, how come the default route is not there? Well, it's no longer there because I turned it off when I turned off the default-information originate on the ASA, which retracted the default route propagation. So the vEdges at site 3, for the single-site locations, they're not actually taking advantage of default-information originate always for OSPF; they're just simply propagating routes, they're not doing that right now. So I'm going to go ahead and get that guy squared away; in this case it'll be 10.3.13.3. So now, with my default route in play, show ip route, I have a default route in play. I'm going to do that ping one more time and I should be able to reach it without any problems. There we go. So that means I can talk to the hub and the hub can talk back to me, but if I tried to ping, say, 15.15.15.15, the ping is never going to go anywhere. It goes up to vEdge 3 and vEdge 3 goes, well, I'm sorry bro, I don't know what to do, there's nothing here for me. So this will allow me to go through and have all kinds of connectivity from hub to spoke but not spoke to spoke. Now, this is DMVPN phase one: spoke-to-hub and hub-to-spoke, but no spoke-to-spoke traffic at all. Okay, with that being said, I could go in here and start adding capabilities. For example, I could turn on localized NAT if I want to just take advantage of hub-to-spoke or data-center-to-spoke communications. Now, one thing that that does not allow me to do: you'll notice that connectivity from the vManage site over here, so vEdge 5 and IOS 14, I'm not receiving any of those routes either.

We're not going to really get into preferential stuff yet; that'll be coming down the road. But if I wanted to enable local internet access on the vEdges I could still do that, and I'll basically show you what that would look like. But let me first show you how it would work if we had connectivity set up where I want to have all the traffic flow back to the HQ site, for example. So if I want to have ASA 1 be my internet provider for all of my branch sites, for example, I could totally do that, and on the ASA it would be something as simple as doing this: I'm going to go into router ospf 1 and type in default-information originate. Now what should happen is on vEdge 3, if I do show ip route, I should have default routes now for site 12, or to vEdge 1 and vEdge 2, which I do. So now what this also enables is DMVPN phase 2, spoke-to-spoke traffic via the hub. That means if I go back to IOS 13 and I hit the up arrow and I come here to ping 15.15.15.15, I'll be able to reach it, but if I do a traceroute to it, I'm going to take a path via the hubs. So I'm going to route from 3 up to vEdge 1 and then go back down towards vEdge 4 and then eventually to IOS 15.

So phase two does work, right? And that's what I'm basically doing here by enabling a default route, which now flips us from hub-and-spoke with just spoke-to-spoke communication, so DMVPN phase one. By just advertising a default route from the hub site down to the spokes, I now enable DMVPN phase 2, but I am going to force traffic to go through the hub site. Now, this is not the same thing as service insertion, so don't think that's what this is. I could force traffic to go to the ASA, but right now I'm not doing that; I'll talk about service insertion at a later point in time, where I could take this next step forward. Right now, the way that it's working is, if I go back to IOS 13, which I'm on right now, if I was to ping 1.2.3.4 I will be able to get there via the ASA. So if I do a telnet to 1.2.3.4 and then go ahead and log in real quick and do a show users, you're going to see that I'm coming from the public IP of the ASA right now. That all makes sense now because I have that in play.

Let's say I don't want to do that; let's say I want to have traffic go locally, right, and I want to lock it back down where I don't want to allow phase 2 communications to happen at all. So I'm going to go back to the ASA, hit the up arrow, and type in no default-information originate. Go back to vEdge 3 and verify that that's taking effect: my default routes go away. But what I want to do now is allow local internet breakout. So I want my vEdges at vEdge 3 and vEdge 4 to be able to reach the HQ site, maybe there's some servers that they need to be able to reach or whatever the case might be, but I also want to allow local internet breakout. So let's go ahead and get that set up. I'm going to go over here to the Templates option, and underneath Feature Template I need to specify the single-site location. So single site, come down here to VPN 0, on gig 0/0 I'm going to enable NAT on that interface, so I'm going to edit that little... click on that, and... well, it's already turned on, so I don't have to worry about that. So now, as long as NAT is enabled on gig 0/0, I'm in good shape. I'm going to take a step back to the feature templates and make sure that there is a default route, so VPN 1 for single site: I'm going to edit that, and on IPv4 Route I'm going to add an IPv4 route, just a default, and I'm going to type out VPN and then turn it on, so now we'll have a local internet breakout. I'm going to click on Add and click on Update, and I'm going to push that out to both devices and get them squared away and running. I'll pause while that push is happening.

All right, so the push was done. If we come back over here and hit the up arrow and do a show ip route, we should have a NAT rule in place, which we do. So now we go back to router 13 and I come up here and ping 1.2.3.4: I can reach it. If I telnet to it, I go rob and cisco, I do a show users, now I should take the local internet connection out. And if I exit out and do a ping to 10.5.6.69, I can still ping over the OMP peering, so I still have connectivity over the SD-WAN fabric. But if I ping quad 8, or I'm sorry, if I ping the 15.15.15.15 address, it's not going to go anywhere, because the internet connectivity, because it's the default route, it's going to catch all, saying there's nothing more specific, go ahead and send it out to the internet, and the internet's gonna be like, I don't know how to reach 15.15.15.15. So sorry for you.

So that, ladies and gentlemen, is how you would do hub and spoke. If you added or propagated a default route from your ASA or your internet edge to your vEdges, and the vEdges have advertised internal routing over OMP, which they should, then you're going to have to propagate that route. We'll take a look at doing some modification where we don't propagate the default route but the HQ site still has internet connectivity, because right now the HQ site doesn't have any internet connectivity because I turned off the default route. I mean, I could configure a static default that points to switch 16 and do some static routing, but in this day and age everything's dynamic; unless you're brand new to networking and static routing is all that you comprehend, most people go dynamic routing. We'll talk about how that comes into play at a later point in time, but for right now, where we are is the transition point for playing around with some different capabilities and different options, because those are things that may come into play and you might need to play with and understand. So there's that. So until next time, guys, thanks so much for stopping by and hanging out with me, and I'll catch all of you in the next video.
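The hub-and-spoke control policy, the ASA default-route toggle and the single-site local internet breakout that the video builds through the vManage GUI, rendered here as an added example in Cisco Viptela (vSmart/vEdge) and IOS/ASA CLI syntax. This is not the video's own output: the list names and site IDs come from the video, but the sequence structure is an assumption about what the Hub and Spoke topology wizard generates, and the interface name ge0/0 and the comment lines beginning with "!" are illustrative.

```text
! --- vSmart centralized control policy (assumed CLI rendering of the GUI wizard output) ---
policy
 lists
  site-list hub
   site-id 12
  !
  site-list spokes
   site-id 3-5
  !
  vpn-list service-vpn1
   vpn 1
  !
 !
 control-policy hub-and-spoke-topology
  ! spokes are told only about the hub's TLOCs ...
  sequence 10
   match tloc
    site-list hub
   !
   action accept
   !
  !
  ! ... and only the hub's VPN 1 routes
  sequence 20
   match route
    site-list hub
    vpn-list service-vpn1
   !
   action accept
   !
  !
  ! spoke TLOCs and spoke routes are withheld, so no direct spoke-to-spoke path exists
  default-action reject
 !
!
apply-policy
 site-list spokes
  control-policy hub-and-spoke-topology out
 !
!
! --- ASA1: the toggle the video flips between "phase 1" and "phase 2" ---
router ospf 1
 no default-information originate
! (re-adding "default-information originate" gives spokes a default via the hub,
!  which re-enables spoke-to-spoke reachability through the hub site)
!
! --- single-site vEdge, the "VPN 0" and "VPN 1" feature templates: local internet breakout ---
vpn 0
 interface ge0/0
  nat
  !
 !
!
vpn 1
 ip route 0.0.0.0/0 vpn 0
!
! --- IOS router 13 behind vEdge 3: static default toward the vEdge's LAN address ---
ip route 0.0.0.0 0.0.0.0 10.3.13.3
```

With the policy active, a show ip route on vEdge 3 should list only site 12 prefixes learned over OMP, and the presence or absence of a 0.0.0.0/0 OMP route on the spokes is the quickest check of which "phase" the fabric is currently in.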
Info
Channel: Rob Riker's Tech Channel
Views: 1,310
Keywords: cisco, sd-wan, sd, wan, hub, spoke, control, centralized, policy, network, connection
Id: YJs-u8UIREY
Length: 22min 46sec (1366 seconds)
Published: Mon Oct 19 2020