Cisco SD-WAN 032 - VPN Segmentation with VPN Membership Policies

Captions
How's it going, everybody. In this video we're going to take a look at applying policy to the VPN segmentation that we took a look at in the previous video. It's actually going to be a lot of fun; I have a couple of different scenarios that we're going to walk through and take a look at, so let's go ahead and dive right on in.

The very first scenario we're going to look at: if we look at the command line real quick we'll see that... and pretend like you don't see the ASA firewall there. I was actually doing some testing; it did not go well. So service chaining was tested, but I'm going to cover that separately. Whoops, pull this back up. When we look at something like vEdge3, for example, and we log in and do a show ip route, we see a bunch of routes coming through, right? 100, 101. Everybody's happy. Well, that's all well and great. What we want to do in the very first scenario is potentially remove a VPN from being propagated down to a WAN edge. In other words, let's say for example that we don't want VPN 1 information coming from... we don't want any routes being learned that weren't learned locally. If I look right here, I can see that these couple right here were learned locally, and everything else was learned via OMP from the vSmart. So I want to remove VPN 1 from being propagated down to the WAN, so that's vEdge3 and vEdge4. The process for this is actually relatively straightforward, so let's go ahead and take a look at the actual configuration.

I'm going to pull up the vEdge, or I should say vManage, and here it is, and I'm going to walk you through the scenario. I'm going to go over here to Policies and create a new policy. This will be a VPN membership policy. The first thing I'm going to do is create VPNs, and as you can see I have a few in here from some previous testing that I've already created. So for example, if we only want VPN 1 to be propagated down to vEdge3 and vEdge4, I've already got a VPN configuration here that's already in play, so that means that when I do VPN 100 through 101, then I should be able to go through and learn only these VPNs in on vEdge3 and vEdge4. I also needed to create a site, so I've created some sites: I've got the spokes, 3 through 5; I've got vEdge2, vEdge3, vEdge4; I've got everything broken out the way that I needed to. So what I'm going to do is click Next, and then underneath Configure Topology and VPN Membership, under VPN Membership I'm going to create a new policy. I'm going to click in here and say this policy right here is going to be "no vpn one", okay, something very simple, paste that in here. The site list that this is going to apply to: I'm going to come down here and grab the spokes. So what will end up happening is, for communication to vEdge3, vEdge4 and vEdge5, we're not going to be learning VPN 1. Where this is going to apply to, I'm going to allow VPN 100 and VPN 101, and that's it, that's all I'm going to apply. I'm going to click on Save and that applies it, right? So that's good. Click on Next, bypass the traffic rules, and go to here. I'm going to type in "no vpn one policy", copy and paste that down here, and we're in good shape. So it is a topology rule, so this is going to control the control plane. I'm going to click on Save Policy, and on this no-VPN-1 policy come over here and click on Activate. I'm going to push that down to the vEdge, or I'm sorry, vSmart, which will then push it down to the vEdges. vSmart is online and the policy doesn't take very long at all to push, and there we go.

So now I'm going to come back over here, hit the up arrow, and I should not have any VPN 1 routes; all I have is the stuff that's local, which is what I have. If I check out vEdge4, log into him real quick, show ip route, I shouldn't have any VPN 1 learned routes except for what's physically connected to me, which is what's happening. Same with vEdge5: log in real quick, show ip route, and there we go. So that, ladies and gentlemen, tells me that that particular rule is working for VPN segmentation. You might say, where would that come into play? Any number of reasons; you know, if you don't want to propagate a particular VPN, maybe it's not ready to be propagated yet. But in this particular case it's working the way that we want it to, so we're good to go there.

Now there's another one that we're going to take a look at, which is going to be leaking everyone to everyone. We're basically going to say, you know what, even though we've got VPNs created, I want to be able to allow everybody to communicate with everybody else. Okay, so pretty straightforward process, and how we actually go about doing that, let's go ahead and take a look. It's very, very similar to the one we've already got going. I'm going to come back to Policies and I'm going to deactivate this policy. Deactivate. So we're going to leak everybody to everybody else. So now that's been... that'll hurry up and do its thing. I'm going to go back over here to Policies and create a new policy, and click on Next. Actually, before I do that, let me just double check on VPNs; I want to make sure that I have a VPN that matches on all of them, right? So I want to make sure that everything's learning everybody else. And then this doesn't apply to a site. I'm going to click Next. This is going to be just a straight-up route-based topology, so just a regular topology. I'm going to create a custom route and TLOC, come up here and say "any to any vpn", copy and paste that there. This is going to be a route-based policy. I'm going to create a new sequence number and say that the VPN that we're going to start from is going to be, let's see, Service VPNs right here: 1, 100 and 101. Click on that, and then on the Actions tab I'm going to click Accept and say Export to Service VPNs 1, 100, 101. So I'm saying everybody's able to talk to everybody else, okay. I'm going to Save Match and Continue, come over here under Default Action and set this to be Accept, click on Save Match and Continue, and then Save Control Policy. I'm going to click Next, Next, and come down here and say "any to any vpn policy", copy and paste that in. And I have to apply this to which particular sites I want to map this to. I'm going to come in here; this is going to be an inbound connection, so I'm going to allow everything to come inbound. I'm going to select spokes and hub, so I'm going to allow everybody to talk to everybody else. I'm going to click on Add and then Save Policy, and then I have this any-to-any VPN policy; I'm going to come over here and click on Activate.

So if I come back over here, notice how before we had a limiting factor. You know, a show ip route, we're going to have some routes coming through, but once this guy is done pushing, which it's almost there, give it a couple more seconds to do its operations... there we go. So now I'm going to come over here and look at the routing. So on IOS 14, for example, if I come in here and do a show ip route, I should be learning a bunch of routes, which I am. So I'm learning all those routes, plus I'll be learning in traffic from VPN 100, VPN 101 and so on and so forth. So I'm learning everything from everybody that I need to be learning from, which is what I want to see, right? And that's exactly the idea that we want to have here. So if I wanted to take a look at IOS 13, for example... all right, let me go back to 14 and do a show ip route vrf vpn 100. Same thing here, I should be learning a bunch of routes, and I am, which is what I want. So this just goes to show you that a couple of simple rules can make or break your environment. This one here says let everybody talk to everybody. When would you want to do that? Maybe you won't, but as I've been demoing this stuff out, this is just one of those ones that was like, oh, that's easy to figure out. So pretty straightforward stuff.

So let's go ahead and deactivate that policy, any-to-any VPN; I'm going to deactivate that guy, turn that feature off. So that was any to any. Now I'm going to be more selective: I'm going to dictate a specific VPN to a specific VPN propagation. So as soon as this guy is done doing its thing... what, she's done. I'm going to go back over here to Policies, click on Add Policy, and this policy, remember, we want to have VPN, right? So we have all these. What I'm going to do is service VPN 1 to VPN 100 and 101, and I'm also going to do 100 and 101 to VPN 1, but I'm not going to allow 100 to 101: 100 to 101 should not work and 101 to 100 shouldn't work. So I should be able to send and receive: if I'm in VPN 1 I should receive 100 and 101. If I'm in VPN 100 I should receive VPN 1 routes but not 101. If I'm in VPN 101 I should receive VPN 1 routes but not VPN 100 routes. So if the logic is correct, that should work the way that I'm describing. I'm going to click on Next. This is going to be another topology table, so I'm going to come in here and create a custom route and TLOC, come in here and be like "vpn 1 to vpn 100 - vpn 101". We're going to create this guy; sequence type is going to be a route, we're going to add in here, we're going to say that the source VPN will be VPN 1, and we're going to click on Match, I'm sorry, Actions, Accept, and then Export to VPN 100 and 101. Okay, I'm going to Save Match and Continue, and now that that's in place we're matching in service VPN 1 and we're going to send traffic to VPN 100 and 101.

I'm going to copy this guy, but I'm going to edit it. I'm going to say this guy here, the source is coming from 100 and 101, and I'm going to change this guy to be service VPN 1. Save Match and Continue. That's really it. I'm going to go over here to Default Action, change this guy to be Accept, and Save Match and Continue, Save Control Policy. And then I'm going to take this name right here, Next, Next, and then in here, policy, copy and paste, and then new site list. This is going to go to hubs and spokes, so hubs and spokes, and this will be an inbound list as well, so we should be good to go there. I'm going to click here and click on Add, and I'm going to Save Policy. That brings me back over here; I need to... any... I'm going to go "vpn 1 to 100 101". I'm going to go ahead here and click on Activate.

Okay, so now if I'm over here on IOS 7 and I do a show ip route vpn, or vrf vpn 100, I'm learning routes in, and this is still not quite done yet. There it goes. So if I'm on here on IOS 7, I should be learning routes in from... I should be learning in VPN 1 routes, which I am, right? I am learning 100 routes right here; we see all the stuff that's coming in through where it's got to go, so 10.3.100... so we're learning a bunch of routes in, which is what I want to see. Some of this other stuff is in here; if we look at this, it's VPN 100, because this is the route that's coming in from. But if you look at here, I've got VPN... this is 10.5.16, so that's going to be 10.5.16. Where is that coming from, 10.5.16? I'm not sure where that's coming from, that's weird. Oh, that's this one right here. So I'm learning this one in, but that's a local route. But if I look at, say for example, I'm learning 10.4.100 in, that's been learned in. I should also be learning in 10.3.13. So I'm learning in VPN 1 routes and that's expected, because I'm learning those routes and I'm doing a mutual configuration.

Now if I go over here to 13 and do a show ip route, hit the Enter key, I'm not learning any routes here, right? And that's VPN 1 here, which I should not be learning. I should be learning VPN... if I come over here, vrf vpn 100, I should have a whole bunch of routes in here. So I've got the routes that are locally learned, like I've been learning 100 here; I've been learning anything that's a really long time frame; I'm learning the routes in from VPN 100 over at vEdge4. But you'll notice that I'm not learning any VPN 101 routes, right? But I am learning VPN 1 routes; right here, this is a VPN 1 route, this is a VPN 1 route. So it's working the way that it's expected to. When would you want to do this? Well, if you have a site that you want to propagate routes to and you want to be selective in how you do it, this is one way that you would go about accomplishing that goal.

So I've shown you how to limit what VPNs get processed down to a specific set, a location. So for example, if you don't want a VPN to propagate, you could eliminate that; so we eliminated VPN 1 from the propagation with the VPN membership list. And then I went through and did basically an everybody's-able-to-talk-to-everybody-else type of scenario; that worked. And now we're allowing VPN 100 and 101 to be leaked into VPN 1, and then VPN 1 routes are able to be learned in on VPN 100 and 101. And if you look over here again, for example, if you look over here in 101, you're only going to see a handful of routes; you're only going to see the routes that are coming from VPN 1, right? You're not seeing any 100 routes. So VPN 100 is not here; if we look through, there are no VPN 100 routes coming across, right? So we have VPN 1 right here, but we don't have any VPN 100, which is what I'd expect to see. So everything is working in that particular use case.

So that, ladies and gentlemen, is VPN segmentation and being able to cross-populate the VPN routes. There are other options available too; testing of those has not gone well, so there might be some more stuff that I test out and get working that I'll come out with later on. But the flow that you guys have seen up to this point, where it's been one SD-WAN video after another, that's pretty much going to stop after this video. So I'm going to start coming out with other content; after this video gets released you'll start to see other content start to roll out. But if you see SD-WAN videos come out after this, that's because I was able to figure out how to get something else to work, and I'm going to show you guys how that would come out. When I do get it to work, I'll record some content on that and put it together; any new videos will get added to the SD-WAN playlist, so if you're following that, I definitely recommend you follow the playlist and that type of stuff. So if you have any questions, please let me know. But this is pretty much the effective end of... well, there might be one or two; there's going to be some other ones. I still have to test out service chaining, I still have to test out TLOC extension and stuff like that, but for the most part we're pretty much done with the flow. I think we're near 30-something videos as we speak right now; as a matter of fact, let me just double check what we've got total. So right now, with this video, it's 32.

So 32 videos of SD-WAN, I think, is a pretty good series. It'll probably creep up into the 40s is what I'm guessing, but right now we're done. Anything that comes out after this would be me testing something out and getting it working. So I do appreciate everybody hanging out with me in these videos, and until next time, guys, thanks so much for stopping by and I'll catch you guys in the next video.
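The three policies built in the vManage GUI above, written out as vSmart CLI policy configuration so the control-plane effect of each is visible in one place. This is an added example, not configuration from the video or its channel; the command syntax is reproduced from memory of the Viptela vSmart policy CLI and should be treated as an assumption, and the list names and the hub site-id are placeholders (the spokes are site-ids 3 through 5 as stated in the video).

```cisco
! Added example (not from the video). Syntax assumed to follow the
! vSmart policy CLI; list names are placeholders chosen here.
policy
 lists
  vpn-list SERVICE-VPN-1
   vpn 1
  !
  vpn-list SERVICE-VPNS-100-101
   vpn 100
   vpn 101
  !
  vpn-list ALL-SERVICE-VPNS
   vpn 1
   vpn 100
   vpn 101
  !
  site-list SPOKES
   site-id 3-5
  !
  site-list HUB-AND-SPOKES
   site-id 1            ! assumed hub site-id (placeholder)
   site-id 3-5
  !
 !
 ! Scenario 1: VPN membership. Spokes are only allowed to receive OMP
 ! routes for VPNs 100 and 101; default-action reject keeps VPN 1 (and
 ! any other VPN) from ever being advertised to them.
 vpn-membership no-vpn-1
  sequence 10
   match
    vpn-list SERVICE-VPNS-100-101
   !
   action accept
   !
  !
  default-action reject
 !
 ! Scenario 2: any-to-any leaking. Routes from VPN 1, 100 and 101 are
 ! exported into all three VPNs.
 control-policy any-to-any-vpn
  sequence 10
   match route
    vpn-list ALL-SERVICE-VPNS
   !
   action accept
    export-to vpn-list ALL-SERVICE-VPNS
   !
  !
  default-action accept
 !
 ! Scenario 3: selective leaking. VPN 1 routes go to 100 and 101, and
 ! 100/101 routes go to VPN 1. No sequence exports 100 into 101 or
 ! 101 into 100, so those two stay isolated from each other.
 control-policy vpn1-to-100-101
  sequence 10
   match route
    vpn-list SERVICE-VPN-1
   !
   action accept
    export-to vpn-list SERVICE-VPNS-100-101
   !
  !
  sequence 20
   match route
    vpn-list SERVICE-VPNS-100-101
   !
   action accept
    export-to vpn-list SERVICE-VPN-1
   !
  !
  default-action accept
 !
!
! The video activates one policy at a time. Shown here is scenario 3
! applied inbound to hub and spokes; scenario 1 would instead be
! "site-list SPOKES / vpn-membership no-vpn-1".
apply-policy
 site-list HUB-AND-SPOKES
  control-policy vpn1-to-100-101 in
 !
!
```

Two details matter for segmentation rather than just reachability. The VPN membership policy's default-action reject is what does the limiting: only the listed VPNs are advertised to the matched sites, so a VPN missing from the list never reaches those edges. The control policies, by contrast, keep default-action accept, as the video sets in the GUI, so routes and TLOCs that no sequence matches still flow normally and only the explicit export-to actions leak routes across VPNs. After each activation, check the result the same way the video does: show ip route (or show ip route vrf on the IOS XE edges) per VPN on a spoke, confirming that VPN 1 routes are absent under scenario 1 and that VPN 100 and 101 never see each other's routes under scenario 3.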
Info
Channel: Rob Riker's Tech Channel
Views: 1,130
Keywords: cisco, sd-wan, vpn, segmentation, policies, policy, membership, vmanage, omp, viptela
Id: ehqe733CfPc
Length: 19min 0sec (1140 seconds)
Published: Wed Oct 21 2020