Cisco SD-WAN 031 - Service VPN1 VPN Segmentation Overview and Deployment

Captions
How's it going, everybody. In this video we're going to take a look at our next topic when it comes to the SD-WAN deployment, which is VPN segmentation. This is actually going to take a little while to go through, because there's a lot of details that we need to go through and lay out, but basically the idea of what we're going to do is take a look at how you can separate traffic from one another.

Now remember, when I talked about this earlier in the series, that a VPN is actually just a different term that Viptela used and Cisco has maintained as they move forward. A VPN is a VRF, right? And a VRF is just another routing table that is created whenever a new VPN is set up. So by default on, like, a Cisco router or Cisco switch that's enabled for routing, when you do a show ip route, that is the global routing table, also known as the default VRF or the default VPN, whatever helps you correlate the two together. At the end of the day it's just a different routing table, that's all that it is.

Now for those of you that are familiar with MPLS VPNs, this is very, very similar to what you guys have already seen. If you're not familiar with MPLS VPNs and you've ever done a thing called VRF-lite, where you create a VRF and you apply it to a port to separate the traffic somehow, well, I've worked with a lot of customers where I've actually created an internet VRF and I've created a WAN VRF, where they were placed was actually on the internet-facing interface and the WAN-facing interface, so that we could do things like DMVPN, where we could have a DMVPN tunnel set up over internet and a DMVPN tunnel set up over MPLS, and all the traffic that was learned, although I should say all the routes that were learned over that DMVPN, were on the LAN-facing connection. So it allowed us to separate the private LAN connectivity and the internet connectivity from the internal routing. So it's logical separation there; all the routes are still sitting on the
same device, but they're logically separated into VRFs. So what we're going to be doing here is a very similar situation. We go ahead and pull this over: we already have a VRF on these interfaces right here, that's what VPN 0 is, right? We have VPN 0 over here on vManage, we have this guy right here which is VPN 512, right, for doing our management or out-of-band management. Those are the two VPNs out of the gate. We've created VPN 1, and VPN 1 is enabled on this interface right here, this interface right here, this interface right here, this interface right here, so all the interfaces we've already played with. Now we have six and seven that are not being used over here, we have this guy right here that's not being used, and then on all these other ones we have gig 4 and gig 3, which are going to be used for VPN 100 and VPN 101.

Now, do we have a specific use case or a reason why we're going to be using those individual, those independent VPNs? Really it's just a matter of having something different, right? It's another VPN. I wanted to do more than just another VPN; I wanted to give a little bit more scale, but just a touch more complexity than a single VPN. Maybe you might be wondering, well, how come you have additional physical interfaces, how come you're not using sub-interfaces? Well, in my testing I tried that. For those of you that follow me on Twitter, I tried to do that a while back, and there's a really weird situation that pops up where if you want to configure, say, gig 0/2 to do sub-interfaces, you have to put gig 0/2 actually inside of VPN 0 and then you can go create the sub-interfaces inside the service VPN. I was like, what? It didn't make no sense to me whatsoever. And then any type of 802.1Q encapsulated traffic, so a sub-interface between vEdge 5 and IOS 14,
I wasn't able to set the VLAN, I wasn't able to set the encapsulation, I had nothing, no dot1q tagging, nothing was available, at least nothing I could find. So I chalked this up to, okay, sub-interfaces aren't going to work in this solution, which is normally what I would do, because you can totally put, say, gig 0/2.10 into a different VRF and allow logical segmentation to come into play. That's 100% possible; matter of fact, if you check out the service provider content that I did a while back, we often do that. We would take a sub-interface, we would take it and put it into a different VRF or different VPN to provide segmentation between customer A and customer B. But I don't want to get into, like, how MPLS works and stuff like that; that was just how I accomplished that.

Now the way this is going to work is we have to go out and we have to create additional VPNs, we have to create the templates, we have to create the interfaces for them, we have to create the routing for it, all that type of stuff, so it's going to take a little bit to go through and set up. Okay, once we get that all set up through templatization or templating, however you want to refer to it, then we'll go through and take a look at doing the policy to it. The policy is rather involved, it does take some time to go through, and basically what will end up happening is, out of the gate we're going to have a couple of VPNs: we'll have VPN 1, 100 and 101. Okay, this one's already running out of the gate, good to go; 100 and 101 are what we're going to add. But by default there won't be any communication from 1 to 100 or 1 to 101, there won't be any inter-VRF communication, it will just not happen, right? This won't work, right, or this communication right here, none of this will work. So we're going to have to enable it, so we'll create a policy, this will be a topology policy or VPN membership policy, we'll create the policy and we'll basically set it up to where, okay, I want to allow
traffic from VPN 1 to be able to leak into VPN 100 and 101, and traffic from VPN 100 will be able to leak into 101 and 100 and VPN 1. We'll take a look at exactly how that gets set up. Before we can do any of that, we have to go through and create the templates, we have to go ahead and push them to the vEdges. It's going to take a little bit of time, so I'm going to do that; that's going to be the very first thing that we do in this video, is go through and set that up. So I'm going to walk you guys through all the different sites that we're going to go do that on, get that all squared away, and then we're going to push them down to the vEdges. If we're not past the 35-40 minute mark, then I'll continue doing the policy, because the policy in and of itself isn't very difficult, but I don't want to have a super, super long video on VPN segmentation. So let's go ahead and knock this process out. It's going to take us a little bit to do, so without any further ado, let's dive into the config and get this bad boy started.

I'm going to go ahead and get out of the way. I'm going to go ahead and pull up vManage right here, and here we are on that. I'm going to actually disable the policy that we have created, the traffic data policy for the NAT rule that we created in a previous video; that's actually still enabled. So to disable a policy you go to Policies here, and we can see that the NAT policy is still enabled; just click on it, come over here to the three dots and Deactivate, and then it's going to actually pull the config off and then we'll be in good shape. So it's going to take a couple seconds for that to happen. So what I'm going to go do while that's working is I'm going to go to Templates and click on Feature Templates. Now there's nothing here really, I mean, other than what we've already created, right? So we have our VPN 0 for the dual site and everything else is looking pretty good. What I'm going to go do is I'm going to start creating templates for each one of the config connections,
because what we have to do is, for the dual site, we're going to have to create multiple connections. We're going to have to create the VPN 100 template, we're going to create the interfaces, we'll have to create the routing, so we'll do that on all of them. And then we're going to create them on VPN 100 for each site and then VPN 101 for each site, and then work our way down as we go, because it'll just be a matter of copying. So let's go ahead and actually do that.

So for service VPN 1, I'm going to go grab, say, VPN 1 right here. I'm going to go ahead and I'm going to copy this one; so for dual site I'm going to copy it, and I'm going to come in here and say 100. I'm going to copy that and then paste that, so VPN 100, so we know it's dual site for VPN 100. Copy that. Okay, now that we have a VPN 100 created, I'm then going to come up, and I've got to create a template for the interface. So I'm going to scoot this guy over, and we have gig 0/6 and gig 0/7. Now if you look over here on the left-hand side, you see 10.1.100, right, that's what I'm hovering over. Well, that's going to associate to gig 0/0, since it's an even-numbered interface and the interface over here is even-numbered. Okay, so gig 0/6 I'm going to create. I'm going to take this, pause, I'm going to create this one right here. I'm going to take VPN 1 gig 0/2, right, I'm going to take this guy and I'm going to copy it, copy, and this is going to be VPN 100 and gig 0/6. I'm going to copy and paste that in, and then copy, and then I'm going to do the same thing for gig 0/3, and I'll just adjust the, uh, actually let's just do this one real quick. So in here for gig 0/6 I'm going to come in here and edit this guy. Well, let me edit the template before I... I apologize for jumping around, but on VPN 100 I just remembered I had to make a quick change on here. I'm going to click on here and click on Edit, and then I need to modify the template, the VPN itself; this needs to be 100, and then everything else looks
pretty good, so we're in good shape there. I'm going to go ahead and update that. It's not applied anywhere, so we're not going to push the config. The next thing I'm going to go do is the dual site VPN 100 interface, right; I'm going to come over here, I'm going to edit, and then up here at the top I'm going to go here and do /6, and where it says the IPv4 address I'm going to click down here, Device Specific, and I'm going to change this up to gig 0/6 and VPN 100, like so. So now that it's been updated I'm going to click on Update, and there we go.

The next thing I'm going to go do, because the cool thing about this, with the few things that I've already done, is that it creates the configuration for where I need it to be. So I have gig 0/6 here and gig 0/7 here, so what I'll be able to do as I'm configuring this for vEdge 2, it's going to apply for this one as well. So the dual site, let me go ahead and organize these, the dual site VPN 100 interface gig 0/6 is going to apply to vEdge 1 gig 0/6 as well as vEdge 2 gig 0/6. That makes it very, very easy to work with. Now all I have to do is come in here on this particular template, and for gig 0/6 come over here and copy, and I'm going to go ahead and change this to be 7 and VPN 101, copy and paste, copy that. So there we go, that gets that guy going. So we have VPN 101. I'm going to come in here to the VPN 100 template, I'm going to copy it, VPN 101, copy, and copy that so that it's now copied. And then I'm going to come over here to the VPN 101 template, I'm going to change this to be VPN 101, Update. And then, I wish they would just organize them into alphabetical order. And then when I come down here, gig 0/7, I need to edit this one as well: Edit, and then we're going to change this to be gig 0/7, come down a little bit, click on the Device Specific and change this to be 101 gig 0-7, like that. Click on Update, and then we're good to go. So what we've done so far is we've created the VPN 100 and VPN
101 templates, we've created the sub-interface, uh, the physical interfaces for VPN 100 and VPN 101, so they'll apply to both. The last thing we need to go and do is create a VPN 100 and 101 OSPF template, so we're going to go ahead and do that now. So I'm going to organize these again real quick so it's easy to find. VPN 1, VPN 1 OSPF template, we're going to go ahead and copy this, change this to be VPN 100 OSPF template, copy and paste, copy. And then here we are, OSPF 100, we're going to come in here, we're going to edit this, and what we need to do is come down to the area, right, we need to edit this, the two interfaces. We're going to remove these two interfaces, ge0/2 and ge0/3, we're going to add interfaces, and this one here we're going to type in ge0/6, click on Save Changes, Save Changes again, and that gets us where we need to be. So we're in VPN 100, so that's gig 0/6, click on Update. And then I'm going to go ahead and scoot this guy over, organize it, and then it's going to be VPN 100 OSPF template; we're going to copy this to make this VPN 101, copy and paste that in there. Now VPN 101 template for OSPF, Edit, and then we're going to come over here to Area, edit this right here, go to the interface, and we're going to change this from ge0/6 to ge0/7.
So I just showed you a couple different ways to do it: you can either delete the interfaces or you can just update the existing one. Save Changes and Update. Excellent, so now that we've done that, we're in good shape. Now, that was probably the more difficult process. What we can go ahead and do now is we can actually go in and start creating the templates for the other sites based off of what we've already got configured, because we've already got them done. So what I will go ahead and do is get that guy squared away. So we're going to go grab the VPN 100 template, and we're going to go ahead and we're going to copy this guy, but instead of being dual site I'm going to say single site, copy and paste that in there, copy. Now the cool thing about it is it's already set up for VPN 100, right, and then for any little minor changes, for example the interface, we're going to change the name to be, say, gig 0/3, and that will be for VPN 100. So small little subtle updates as we're going along. Once you have the base in place it makes it a whole lot easier to move forward with. So there's that one. So we have single site configured, VPN 100, right, and we don't have to update the VPN 100 because it's already there. Then we're going to go VPN 100 gig 0/6 template, we're going to go ahead and edit this, or, I'm sorry, copy, and this should be, this will be gig, in this case here on the single sites, will be gig 4 on both, because they are the even interface; gig 0/4 ties to 10.3.100. So let's go ahead and pull vManage back up, we're going to say VPN 100 is going to be gig 0/4, we're going to copy and paste that in like so, and I'm going to change this to be, oops, I need to make that single site, single site, like that, copy. Now that's been created, I get to come down here to single site for this guy right here, gig 4, Edit, because just because you named it doesn't mean it changes the actual interface. I'm going to come over here, be
gig 4, and I'm going to come down here to Device Specific, it's going to be gig 4, so that changes that information right there, Update. And because of the fact that we're dealing with gig 4 on both, that means it's going to apply to vEdge 3 and vEdge 4, so we know we're in good shape there. So the next one, again, I'm going to grab, that's VPN on the single site, that's VPN 100 template, VPN 100 interface; now we have to go to VPN 100 OSPF template. So in this guy right here, VPN 100 OSPF template, we're going to copy this, I'm going to say this will be single site, copy and paste, copy. It makes it a whole lot easier to do the copies than it does to go through and configure them individually, right? So now we've got that going for single site VPN 100 OSPF; we're going to come over here, Edit, and we're going to go grab the area, adjust this, the interface, and we're going to change this to be gig 0/4, like that, Save Changes, Save Changes again, and then Update. Beautiful. So now I've done that; that takes care of the single site for VPN 100.

So now I'm going to go do the same thing for VPN 101. So organize them again, we're going to grab VPN 101 template, actually we can come down here to this guy, but it's easier just to grab them from the other side, but I'm going to grab VPN 100 template, copy that, this will be VPN 101, because the naming convention is already pretty much right there, I'm just going to go grab it from here, copy. Come down to VPN 101 template. I'm going to go grab VPN 100, the template for the interface, I'm going to copy this, this will be VPN 101 but gig 3.
Copy and paste that in, copy. Now that's done, come down here to single site VPN 101 gig 3, and then last but certainly not least is the OSPF template. Come over here, copy, change this from VPN 101 OSPF to VPN 101, there we go, VPN 101 OSPF, copy. Excellent. Now I just have to go down to that one, to this particular template, edit this guy, go down to the area configuration, and then edit this guy and change this to be gig 0/3, there we go. Save Changes, Save Changes, Update. Now the one thing I had to do, I think I neglected to do this a moment ago, but as I'm sitting thinking about the process, let me go back to the interface config real quick and make sure that I've updated the VPN 101 for the single site. Let me edit this guy real quick, because I don't think I changed the actual interface, and I did not: gig 3, come down here to this guy, Device Specific, VPN 101 and gig 0-3, there we go, IPv4 address, click on Update. Okay, now that that's been updated I'll be in good shape there.

So I've done all that for all the sites up to this point, and if I come down to the MPLS site, this is basically the same concept, so here we're going to go do the same thing. So I'll start with VPN, let me organize these real quick, we'll start off with the VPN 100 template, right, we're going to copy, copy that, I'm going to come over here and say MPLS only VPN 100 template, paste that in, copy. There we go. We're going to come down here to the dual site VPN 100 template, copy this, we're going to change this to be VPN 100; in this case here it's a little bit different for MPLS, because gig 0/3 ties up to... we could probably switch it around, let's actually go ahead and do that real quick. I'll make this 100, this 101 and this 100, just so that it matches the other sites. VPN 100, this would be gig 4. We will copy, and actually let me take this real quick and change this to be MPLS only, MPLS only, copy and paste that in like so. There we are, excellent. So scroll down a little bit more, MPLS
only, we have the last thing we have to do, which is create the OSPF template for 100. Copy that real quick, change this to be MPLS only, MPLS only, copy and paste that in, there we go, and come down to MPLS only; we have our configuration. So the nice thing about this is we don't have to mess with any of the configs, right, because the interface is already tied to the associated interfaces. So for example the OSPF template is already tied to gig 0/4, so we don't have to update that, which makes our life a whole lot easier. I am going to go in here and I'm going to copy VPN 100 and I'm going to update this to be VPN 101, VPN 101, copy and paste that in, and then I'm going to come down here to the template for MPLS only VPN 101, edit that and make sure that I have updated those pieces, Update, and we're in good shape there. Organize, and then if I was to do a quick spot check for VPN 100 gig 0/4 and go to Edit, that should all line up: gig 0/6, oh, I forgot to... glad I checked, gig 4 to gig 4. So there we have it; make sure that you update your stuff, don't listen to me for everything, make sure you organize your stuff. So we have that. We'll come down here to MPLS only, we have gig 4 is now updated to gig 4, we have that. So I'm going to go grab gig 4 for VPN 100, I'm going to copy, VPN 101, and this is going to be gig 3, like so, copy it. And then I'm going to come down to this guy right here, because this is 101 gig 3, edit this real quick, change this to be 3, and here Device Specific, 101 gig 3, and Update. There we go. Bring this over just a little bit, organize them, and we have, so we have 100: the template, the interface and OSPF. We have VPN 101: the template, the interface; now we need to go create the OSPF template. I'm going to go ahead and copy that, VPN 101, copy and paste, copy. All right, now that that's good to go, come down here to VPN 101 MPLS, or OSPF, I'm going to edit and change the interface around: Area, Edit, interface, and make sure this has changed
to be gig 0/3, Save Changes, Save Changes, Update. And one thing you want to make sure is, on MPLS, for all these other ones we're just going to go double check real quick, make sure that all the other ones are squared away. OSPF, we'll edit, Area, edit that, interfaces, gig 0/6; so here on MPLS, for VPN 100 this is going to be gig 4, Save Changes, Save Changes, Update. All right, so we're good to go there. So I'm just going to go ahead and do a quick spot check just to make sure everything is looking the way it needs to. We've got all of our interfaces created now for all of them, which is what we need to have. So if I look at the single site for gig 0/..., single site VPN 101 OSPF, let's just go ahead and just edit that real quick to make sure that it's appropriately set up, interfaces, okay, it is good, so we're good to go there. So just making sure that I haven't made any mistakes in my configuration.

Now that we've got the templates all created, the next thing for us to go do is go to the device templates and add those additional service VPNs to the appropriate devices and go push them. So let's go ahead and do that real quick. On Device, we're going to go to dual site first, click on here, go to Edit, and then down here underneath the service VPNs we're going to say we're going to add two VPNs right here, two, hit the plus sign, bam, those VPNs are now there. I'm going to go ahead from the drop-down and choose the new VPN; this is going to be dual site VPN 100. We're going to add an interface, so this will be dual site VPN 100 gig 0/6. We're going to add an OSPF process here, come in here, this will be dual site VPN 100 OSPF template, which is what we want, and we're good to go. Now we get to come down here, this will be dual site VPN 101, we're going to go add a VPN interface, this will be dual site VPN 101 gig 0/7, and then add OSPF, we're going to add dual site VPN 101 OSPF template. Excellent. So now I'm going to go ahead and click on Update, and then it's going to start asking me
for the syntax in order to get all this stuff working. So I'm going to go ahead and move this guy over a little bit. So we're going to go ahead and click on Edit Device Template, and there's a lot... there's only a couple lines that we have to add in. So here it says VPN 101 and VPN 100, so this, there's an error in the configuration, so I have to go update this, because one of these VPN interfaces has not been updated correctly. So let's go ahead and cancel that. I made a mistake; this is why you double check your work. So back to the templates, the feature templates, and I'm going to go underneath VPN, the interface right here, let's go check the VPN 101, make sure that he is set up correctly, Edit, VPN 101, so he is correct. Let me go down to the VPN 100; this guy right here is looking like it's supposed to be in a different VPN. Let's edit this guy, gig 0/7, VPN 1... so all that stuff is looking correct, good. So I think I might have been okay, now that I'm looking back through the config. Let's try that one more time. Actually, let me go down to these guys real quick, gig 7 OSPF. It was the interface templates that were throwing me off; I think I might have been okay, I might have overreacted. So let me go ahead back to this guy, let's go ahead and edit, and let's re-add those templates again. So we're going to go ahead to the service VPN section, we're going to go ahead and add two, add them. So we'll add one at a time, just to make sure we're not doing anything foolish. VPN 100, add OSPF, we'll add VPN 100, and then VPN interface, and then VPN 100 gig 0/6. Okay, since we're right here let's just go ahead and add it: VPN 101, OSPF, VPN 101 OSPF, and then VPN interface, we'll add 101 gig 0/6, or 7, excuse me. Update, and then we'll go ahead and get the config updated real quick once it finishes loading. So we'll go ahead and edit this. Okay, so I think I might have been okay. Let me just do this, let me type in 10.100.
What's the IP addressing here? Oops, uh, this is going to be 10.100. on this side, so 10.100.1, is that right? I feel like I'm missing some... 10.1.100, that's right, I thought that was a little off. 10.1.100.1/24. Actually, sorry, 101: 101 here and 10.1.... /24 here. Okay, we're going to click on Update, and then we're going to go down to this guy and edit the device template, and then down here for vEdge 2 it will be the same thing. Gig 0/6 will be, for this IP addressing scheme, 10.1.; VPN 100 in this particular case is going to be 101, this will be 103.1, because we're dealing with gig 0/6 here, I'm sorry, this will be 7, yeah, 103..2, sorry, /24, and then we'll do 10.1.102.2/24. Let me go ahead and update that. Let me make sure the other side here is set up right: ge0/7, 0.0, /24, okay, cool. Click on Next, we're going to go Configure Devices, push that config down to vEdge 2 and vEdge 3, all right, so, yeah, vEdge 1 and 2, excuse me. I'm going to pause while that pushes.

All right, the config has been pushed, which is what we wanted to see. So if we go down to our vEdges, we look at here, we look at vEdge 1, we log in real quick, we do a show run vpn 100; we should see that OSPF is set up on that particular interface and we're in good shape. Good stuff. So now what I get to go do is, on this particular interface, I'm going to come over here to router 7. I'm going to take a small break and I'm going to go and configure IOS 7 real quick. So if you do show run vrf: no VRFs configured, so I'm going to create a couple of VRFs, VPN 100 and VPN 101.
I'm going to have a vrf definition of vpn 100, the RD is going to be 100:100, and the address-family ipv4 unicast; that creates the VRF. I'm going to create vpn 101, now the RD is going to be 101:101, address-family ipv4 unicast. That's a local configuration. I'm going to type in interface gig 0/0, vrf forwarding is going to be vpn 100, because that's going to be the even; so this gig 0/0 is vpn 100, ip address in this case here will be 10.1.100.7, no shut it. And then I'm going to go do the same thing for gig 2. Now that that's in place, go to gig 2, vrf forwarding is going to be vpn 100, the ip address in this case here will be 10.1.102., I'm sorry, uh, yeah, 102 here, in this case here 102.7, and then no shut. That'll put those configurations in place right there. I'm going to hit the up arrow, and this time I'm going to go to gig 0/1, vrf forwarding is going to be vpn 101, the ip addressing for this guy will be 101, no shut, give that a couple seconds to do its thing. And then, last but certainly not least, gig 3, vrf forwarding, whoops, is vpn 101, the ip address here will actually be 103, and no shut. That'll bring that up; give that a couple seconds to come online. So do show ip interface brief: they all should line up the way they need to. Do show vrf: the VRFs are applied to the interfaces as they need to be, which is what we want. Now I get to go create a couple of OSPF configurations, so I'm going to type in router ospf, and then the process ID is going to be 100, but vrf vpn 100. I would type in network of 10.1.0.0 0.0.255.255 area 0.
Okay, momentarily we should get an OSPF route or adjacency for the VRF-aware OSPF process. I'm going to come up here and do, as we just did with gig 2, and we should with gig 1 or gig 0, which we just did, hit the up arrow a couple times. I'm going to go here and make this vpn, ospf 101 for vpn 101, and then hit the up arrow and do this, so that'll get our configuration up and running the way we need it to. Okay, now that's going to take a couple seconds for it to come online, but once it does... and we have our adjacencies up now, which is what we want. So I'm going to go and create interface loopback 100, vrf forwarding is going to be vpn 100, and ip address is going to be 10.1.7.7... let's do, uh, 7, let's do, uh, 7.10., yeah, 10.1., let's do 70.7, so that it's an even number, and then that'll automatically get advertised into OSPF. And then we're going to come over here, loopback 101, vrf forwarding 101, come over here and make this 71,
so they're unique themselves, 71 and then 1. Okay, so do show ip interface brief, do show vrf, we can see that those are associated. If we come back over here to vEdge 1, we do show ip route vpn 100, we should see those routes coming through, right? We see 70., that's all looking good. If we look at 101, 71.7, excellent, so that means everything is working up to this point.

The next thing we're going to do is configure this on vEdge 3 and vEdge 4 and get them squared away, and then vEdge 5, and go from there. So on vManage right here, we're going to log in again real quick and we're going to go to the templates, we're going to go to the single site right here, Edit, and we're going to go to Service VPN, we're going to add two VPNs here, add them, and we're going to come over here, this is going to be single site VPN 100, OSPF, add single site 100 OSPF template, and then VPN interface, we're going to add single site VPN 100 gig 0/4, and then we're going to add a single site VPN 101 template, add OSPF, single site VPN 101 OSPF template, and then VPN interface, single site VPN 101 right there. Click on Update, and then we're going to give that a couple seconds to do its thing, let that load real quick. We're going to Edit Device Template; fortunately for us it's just the interfaces. In this particular case here it's going to be 10.3.101.3/24 and then 10.3.10..., or 100.3/24. Okay, so we've got that separation in place there. We're going to click on Update, and then for vEdge 4 same thing, Edit Device Template, from down here to 10.4.101.4/24 and 10.4.100.4/24. There we go. So now we're squared away, we're going to click on Update, click on Next, Configure Devices, push the config down to both devices, and okay, so that'll take a couple of minutes. While that's being pushed I'm going to come back over here to IOS 13 and do the exact same thing I just did on IOS 7.
So I'm going to go to config t, vrf, actually, if I just, yeah, let's do it this way: vrf definition is vpn 100, the RD can be 100:100, and then, oh, I've already got it created. Do show vrf, okay, perfect, so they're already squared away; I forgot that I tested this already. And do show run | section ospf: I should already have OSPF configurations in place for this, give that a second to pull up, which I do, vpn 100, exactly. So, beautiful, so it's already coming online, which is what I want to see, and that is exactly what I'm looking for. So do show ip route vrf vpn 100: excellent, so the routes for the VPNs, you notice how I'm getting OSPF routes from VPN 100 and stuff like that, so we know that that's working. If I look at VPN 101, same thing there, I'm getting routes from VPN 100. Did I look at the same one? I'm not sure why 70.7 is coming across. Did I make a mistake on 7's config? Do show run interface loopback 101, no, that's right. This is one of those problems you run into. Let's check vEdge 3 real quick to make sure the config is right, so we do show run vpn 100.
Okay, so that's the mistake I made. So you'll notice that this guy right here should be in... this should be VPN 101, should be separated. So I made a mistake there. So this is where I was talking about, where I thought I made an error in my config; this is where I actually made it. So I actually have to make a modification, so let's go actually fix this real quick, because this would be potentially allowing traffic to go somewhere it shouldn't be going. So think of, like, a HIPAA or a PCI compliant... I'm allowing connectivity to something I don't want to have access to, which I thought was a little weird when I saw here on 13 that I had access to the same subnets twice. Like, I should not have 100 and 101 showing up here for VPN 100; I should only have 100 and 102 showing up. So let me go over to here and adjust that configuration on the templates. Let's go to Feature Templates and make sure we update that real quick for the single site, because things do... mistakes do happen. So VPN 100, let's just go ahead and edit this, and that's what I thought: this right here never got updated to 101. It's a small oversight on my part, but a small oversight can also lead to big problems, so I'm actually glad you guys got to see an error in my configuration, because this would be one of those things where you have a second set of eyes come in and take a look, definitely useful. Click on Update, so it's going to make me update this config, so Edit Device Template. So we have to come in here, and this guy here is going to be 10.3.101.3/24, update that one, and then over here we're going to do Edit Device Template and it's going to be 10.4.101 /24.
Click on update, next, configure devices, push the config. Okay, there we go. So while that's working, I'm going to go just double-check to make sure that the feature templates for MPLS are set up correctly, because that makes me wonder now: are they set up right? MPLS only, let's grab MPLS only VPN 101, make sure that he is right. Edit. He is correct. So I double... I caught that one, but I missed the first one. So we have that in play. So let's go back to here and let's look at the Edge 3 and do a show run vpn 100 and show run vpn 101. Excellent, that's better. And then on IOS 13 we should see VPN 100 a much thinner... there we go, so the loading is now done. Come back over here to this guy. So I see 100 and 102, right, and then I also see traffic coming in from router 4, 100: 10.4.100, which is exactly what I would expect to see. If I look at 101 I should only see 101. Actually, it isn't learning anything at the moment, and I know why... I betcha... there it goes. I hadn't given it enough time. So everything's coming across the way that it needs to. The last thing we're going to go do real quick is go over to the MPLS device and get it online, because then we can actually do full VPN segmentation everywhere. So we're going to go ahead and get that knocked out real quick. Come back over here to the devices, click on MPLS right here, edit, and then we're gonna go add those two VPNs. So service VPN, add the VPNs right here, two, and then hit the plus sign. We're going to go here and MPLS only VPN 100, add OSPF, and then MPLS VPN100, add the interface, and then the MPLS VPN 100 Gig0/4. Okay, next up is going to be VPN 101: add OSPF and then MPLS only VPN 100 OSPF, and then add the VPN interface, and then we're going to have MPLS VPN 100, or 101, right there. So we're going to click on update, give that a couple seconds to load, and then we're going to go ahead and update the template. So here we're going to type in 10.5.101.5 /24 and, yeah, and then 10.5.100.5 /24.
Click update, click next, configure devices, and let that push out. While doing that I'm going to go check on IOS 14, make sure he's squared away. So show run vrf. Okay, I have the VRF configuration already in place. Now, while that's being pushed, one thing I want to talk about real quick is this capability vrf-lite. This is a big deal, especially when you're dealing with OSPF in terms of a VRF. When you have this configuration in place, what's going to end up happening is... and let me try to think about how to explain this real quick. I explain this in the MPLS Layer 3 VPN videos, when you're doing OSPF as a PE-to-CE routing protocol where you've got multiple VRFs, and it has to do with the fact that the routes that are coming in are going to be stopped because of the P bit. Is it the P bit? I believe it's the P bit. There's going to be a flag that's turned on, which is going to be the do-not-propagate flag, and what that's going to basically mean is, as traffic comes down from vEdge5 via... to IOS 14, it's going to have this flag turned on. This flag is going to prevent the routes from leaving the OSPF database and being injected into the routing table. So when you type in capability vrf-lite you're saying, you know what, I don't care about that flag, go ahead and send it to me anyway. So let's go ahead and take a look at the configuration. So vEdge5, we'll log into him real quick and do a show run vpn 100. That one's squared away. And vpn 101.
He's squared away as well. Let's go back to IOS 14, show ip interface brief. Those guys are squared away, which is what we want to see. Now, I haven't created additional loopbacks on the vEdges or on the IOS devices, because of the fact that when I go through and set this up I wanted it to look like there were specific routes coming from the hub down to the spokes, because we are going to do a free-for-all: let everything be sent to every other VRF. So we're going to do like any-to-any propagation, in the event that that's something you want to do, and then we'll take a look at allowing just VPN 1 traffic from the hub site to go to the spokes. And so basically VPN 1 to VPN 100 and 101, and then anything coming from 100 and 101 to VPN 1; we'll take a look at exactly what that looks like. So we do a show ip ospf neighbors. We have that configured on Gig0/0. So show run | section ospf real quick, make sure that that's configured correctly. So we have 101, VPN 100, okay, that should be squared away. So let's see why vEdge5 is not forming a connection. Let's look at 100 VPN, yep, and then we'll look at 14, show ip interface brief. Okay, so show run interface Gig0/1. Oh, I changed him around; that's why. I forgot about that, that's my mistake. So let me go fix that real quick, because I swapped the interfaces a moment ago, because I made it so that the odd-numbered interface right here, Gig0/3, would line up with VPN 101. So that's not going to work. It's easier for me to configure the changes on the router here, so let me go do a quick show run real quick and I can just edit this config real quick. I'm gonna go ahead and pull up Notepad and we're gonna go make a couple quick adjustments. So let me just mouse through this stuff real quick and I'm going to go grab from the very top. I'll grab the... the VPNs, or the VRFs, are already created, so it's really only the interfaces that need to be updated, and so this stuff right here and the OSPF config; everything else is, um, it's whatever.
So I'm going to go over here to this guy, paste this stuff in, move this up a little bit, and so we're going to make this 101, make this 100, like so. This will be VPN 101, this will be 100 here, and then I'm going to change this to be... this will be 101. Actually, I don't want to mess with that because the VRF's already created, so I'll just put in here network of 101 and this one will be 100. They'll be a little off, but that's okay. Actually, you know what I'll do to make life simple: zero here and then 255 here, same thing here, just to make it easier configuration-wise. There we go. And then OSPF 1, we're going to go ahead and type in network 10.5.14.0 0.0.0.255 area 0. There we go, so that all this configuration right here will simply get applied like so. We're going to go over here and just paste this in. So do show ip interface brief. It didn't like something I typed in; it says that 101... Do show run interface Gig0/1, interface Gig0/1, and the IP address for this guy is ip address 10.5.101.14 /24. That'll get that up and running momentarily anyway, and we'll be in good shape. So that's the VPN segmentation. So show ip ospf neighbors: there we go, the neighbors are up. show ip route vrf VPN100: I am learning routes in from via... the HQ site as well as 3 and 4 respectively. And VPN 100, same thing there, I'm learning stuff in from VPN 1. VPN 101, the HQ sites and then vEdge3 and vEdge4 respectively. And if I do just the show ip route, we're also learning a bunch of routes in from the rest of the network and VPN 1. So right now everything's working the way that it's anticipated. So right now we're almost at an hour. I'm going to go ahead and stop the video now. In the next video we're going to go ahead and dive into the actual VPN segmentation configuration through the policies, which will be a centralized control policy. Until next time, guys, thanks so much for stopping by and I'll catch you guys in the next video.
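The cross-VPN leak the presenter catches by eye (VPN 101 subnets showing up in the VPN 100 table on IOS 13) is the kind of thing worth checking mechanically after every template push. The following is an added example, not code from the video, from Cisco, or from the presenter: it parses the output of `show ip route vrf <name>` on an IOS/IOS-XE CE and flags any prefix whose third octet does not belong in that VRF. It assumes the addressing plan used in the video, 10.<site>.<vpn>.0/24 with the third octet equal to the service-VPN number, treats VPN 1 as intentionally leaked into both service VPNs (the any-to-any case described above), and runs over a constructed sample table. The function and variable names, and the `VPN_OCTETS` policy, are mine.

```python
"""Segmentation check over `show ip route vrf <name>` output (added example).

Assumption: the lab uses 10.<site>.<vpn>.0/24, so the third octet of every
10/8 prefix identifies the service VPN it belongs to.  Adjust VPN_OCTETS if
your addressing plan differs.
"""
import ipaddress
import re

# Which VPN octets may legitimately appear in each VRF's routing table.
# Assumption: VPN 1 (the hub's VPN) is deliberately leaked everywhere.
VPN_OCTETS = {
    "VPN100": {100, 1},
    "VPN101": {101, 1},
}

# IOS route lines start with a route code ("O", "O IA", "O E2", "C", "L", "S*")
# followed by whitespace and a prefix in CIDR form.  Header lines such as
# "Codes: ..." and "Gateway of last resort ..." do not match.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*][A-Z*]?(?: [A-Z0-9]{1,2})?)\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})"
)

PLAN = ipaddress.ip_network("10.0.0.0/8")


def parse_routes(show_output):
    """Return [(route_code, IPv4Network)] for every route line in the output."""
    routes = []
    for line in show_output.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.ip_network(m.group("prefix"), strict=False)
            routes.append((m.group("code").strip(), net))
    return routes


def find_leaks(vrf, show_output, policy=VPN_OCTETS):
    """Prefixes in this VRF's table whose VPN octet is not allowed in the VRF.

    Returns a list of (route_code, prefix_string) so the caller can see how the
    offending prefix arrived (e.g. "O" = learned via OSPF from the vEdge).
    """
    allowed = policy[vrf]
    leaks = []
    for code, net in parse_routes(show_output):
        if not net.subnet_of(PLAN):
            continue  # outside the 10.<site>.<vpn>.0 plan; not judged here
        vpn_octet = int(str(net.network_address).split(".")[2])
        if vpn_octet not in allowed:
            leaks.append((code, str(net)))
    return leaks


# Constructed sample, modelled on the mistake in the video: site 3's VPN100
# table is also learning the VPN 101 subnet because the vEdge3 template still
# had the 10.3.101.3/24 interface placed in VPN 100.
SAMPLE_VPN100 = """\
Routing Table: VPN100
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       O - OSPF, IA - OSPF inter area, E2 - OSPF external type 2

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C        10.3.100.0/24 is directly connected, GigabitEthernet0/0
L        10.3.100.13/32 is directly connected, GigabitEthernet0/0
O        10.3.101.0/24 [110/2] via 10.3.100.3, 00:01:12, GigabitEthernet0/0
O        10.4.100.0/24 [110/2] via 10.3.100.3, 00:01:12, GigabitEthernet0/0
O E2     10.5.1.0/24 [110/1] via 10.3.100.3, 00:01:12, GigabitEthernet0/0
"""

if __name__ == "__main__":
    for code, prefix in find_leaks("VPN100", SAMPLE_VPN100):
        print(f"LEAK in VPN100: {prefix} (route code {code})")
```

In practice the sample text would be replaced by the output collected from each CE (for example over SSH after `configure devices` finishes), and a non-empty result should fail the push rather than be noticed by chance; the VPN 1 allowance in `VPN_OCTETS` is exactly the kind of exception that deserves a comment in the policy so a later reviewer can tell intended leaking from an oversight.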
Info
Channel: Rob Riker's Tech Channel
Views: 1,728
Keywords: cisco, sd-wan, sd, wan, viptela, omp, vpn, vrf, segmentation, segment, separate
Id: zkVAuyvIHBU
Length: 53min 59sec (3239 seconds)
Published: Tue Oct 20 2020