Cisco SD-WAN 033 - Service VPN1 Application Aware Routing

Captions
How's it going, everybody. In this video we're going to take a look at our next topic in our SD-WAN series, which is going to be application-aware routing, or AAR. This is actually a pretty cool feature capability that you normally are not going to see on a regular Cisco router. It's not that it's not there, it's just difficult to actually demonstrate and then verify that it's actually working unless you actually have the applications available to you to play with.

So we're going to look at a couple of different variations here. The first variation we're going to look at is going to be using just layer 3/layer 4 mappings. So basically we're going to be taking a look at, more specifically, layer 4: what the protocol is, so TCP or UDP, and then the actual destination that you're trying to reach. So we'll match on a protocol, so TCP, and then a destination port, a well-known port like, for example, telnet or web, so port 23 or port 80. These are things that we can actually demonstrate. The only drawback to it is when you actually go to demo some of these features and capabilities, they don't work quite the way you want them to, so it's not like you can do a traceroute and verify that a particular traffic flow is going the direction you want it to go.

So what we're going to do instead is we're going to take advantage of this guy right here. We're going to bring over vManage. I'm going to go over here to Monitor and then Network, and what I'm going to do is grab one of these vEdges; vEdge3 is what we're going to demo this on. If you scroll down here to Troubleshooting and you click on Simulate Flows, now I'm going to select the VPN that I want to do this in. I'm going to select VPN 1, and the IP address we're going to grab, this is going to be the source IP, so the interface IP. The destination I'm going to choose is 10.1.0.16, which happens to be switch 16's loopback 0, something I could reach via the overlay. Now, the application: you could choose a particular application here. We're not going to do that, but if you wanted to, you could. What I'm going to do is click on Advanced Options, and then the direction: Service, so the traffic is going to be coming from the service side, so this is basically outbound towards the fabric; Tunnel means it's coming inbound from the fabric over the SD-WAN tunnel. I'm going to choose the protocol of 6, which is TCP. The source port could be anything random, so I'm just going to choose 2000. The destination port will be 23, so telnet, right? I'm going to click on Simulate Flows and you can see that it chooses to go out both public internet and MPLS towards vEdge1 and vEdge2. So what this basically means for us is that we know the traffic will take a particular path: it will go out both TLOCs towards the HQ site, which is what we wanted to do right now. What I'm going to do is go ahead and update this to be port 80 and do the same thing, Simulate Flows. It's going to go look at the routing table and go, okay, this is how this is going to work for port 80. The destination doesn't need to be enabled for web, it just needs to be allowed to send web. So the local vEdge is going to do some looking into it and say, okay, is there a reason why I can't? There's nothing restricting it, so it should be able to go.

So I'm going to go over here to Policies and I'm going to go ahead and create a policy. I've seen some other instructors do it where they create everything over here first; I can do the same thing by clicking on Add Policy, and then all of my groups of interest are over here on the left. So I'm going to go ahead and talk about some of the ones we need. We need a VPN, right? I've already got the VPNs created, so I'm not going to spend a ton of time here. We need whichever VPNs we want to apply this to, so yes, you could create a VPN-specific topology: if you want VPN 1 to do something and VPN 100 to do something else, you can do that. Site list: I have all of my sites added here. For this I'm actually going to get rid of "firewall needed" because service chaining has not worked out yet for me; if I can get that to work, I will circle back and cover that.

Now the other one we have to go do is going to be the SLA class. I've got a few created already, and I'm going to walk you through basically how this works. I'm going to go ahead and get rid of them real quick; just so you guys can see, this was working, I did test this already, so it does work. I'm going to get rid of them and create a new SLA class. Now I'm not going to get into the specifics of what all the metrics are because they're pretty obvious. I'm going to call this the telnet class. Loss: if something happens that the connectivity is causing you a certain percentage of loss, let's say 25 percent, right, so you're losing a quarter of your telnet packets, they're getting dropped, for example. Really high latency, we're going to say 500, and we'll put in 250 for our jitter. Okay, we're going to create that. So in the event that any of these variables kick into play, you're going to be offered to fail over, but prefer something else, and we'll talk about that. For example, telnet will take the MPLS path, right, we'll set that up because it's going to be something you're going to use internally, but web traffic, for example, you might have it steer out towards public internet and stay on that route and only take public internet. We'll talk about some of those aspects of it in more detail later on, but you can pick and choose what you're doing. Before you can do that, as long as these variables are in spec, so you haven't exceeded any of these thresholds, then you're going to stay on the preferred path you want it to go. If they bug out, they go above these thresholds, you know, 50 loss, 100 latency, or 500 milliseconds of latency, I want to say 300 milliseconds in jitter, which is the variation in delay: if any of those variables go out of spec, out past a threshold, then you'll say okay, maybe MPLS isn't the best path, so let me go ahead and send that over to internet. We'll talk about how that comes into play here in just a minute. I'm going to click on Add. And these variables that I'm using here are just 100 percent random, there's no rhyme or reason for them, I just happen to take that. So for web I'll say 10 loss, we'll say 150 milliseconds of latency, and we'll say 200 milliseconds in jitter. We'll add that.

I'm going to click on Next, and now we need to go beyond here, right? This is if we're trying to do traffic control; we're not trying to do that, we're trying to go into Traffic Rules to affect the data plane. So underneath this guy we need to click on Add Policy, so Create New, and I'm going to call this "aar for telnet and web", something very, very simple. Now, in order for this to work I have to add a sequence type, which is going to be, obviously, Application Aware Routing. I'm going to add a sequence rule, and in the match I'm going to match on the protocol, so this is going to be basically a layer 4 match. I'm going to click Layer 4, or Protocol. I'm going to match on protocol 6, which is TCP, and then the destination port will be 23. Underneath the actions there is no drop here; we are going to say the SLA class list, so we already created that, we're going to say telnet, and then what we're going to do is in the preferred color we're going to click down here and we're going to say MPLS. Now you'd see this Strict option right here. If you click on Strict, you're only going to allow telnet traffic to flow over MPLS and not allow it to fail over to internet. When I say that, you're going to prefer the TLOC riding over MPLS, right, which is going to be the MPLS color, but if MPLS is really, really bad, very, very sluggish, and a lot of degradation on the network, if you click on Strict you will not allow telnet traffic to ride over the public internet TLOC. It's going to use internet as the underlying transport when it goes over the SD-WAN fabric to the remote sites. So if you click Strict, just remember that it's basically the same concept as Restrict on the color, where you're only going to form a BFD session with other WAN edges on that same color; you won't try to do cross-transport communication. So just keep that in mind; we'll talk about that here a little bit later. I'm going to go Save Match and Continue, and I'm going to click this little copy icon there. I'm going to go ahead and edit, I'm going to change this to be port 80, and the class will be web, and I'm going to change the color to be public internet, so it's going to ride the public internet TLOC. And there we go. I'm going to click on Save Match and Continue, and in Default Action make sure that it's set to enable and you didn't put some other variable in there. I'm going to Save AAR Policy, then I'm going to click on Next to the policy itself.

I'm going to click in here... well, that's supposed to be "web", not "when". I can actually rename it real quick; let me go ahead and edit that real quick, that's going to bother me. Let's just change that to web real quick. Okay, that's going to make more sense. It's not applied yet, so we don't have to really worry about it. Come over here, "web-policy", and copy and paste that right here. And under here we have to click on AAR, Application Aware Routing, and click over here, and then we have to dictate the sites and which VPNs we want to apply this to. I am going to apply VPN 1 here, and you can put them in any order. Do this, and then click on here; we're going to choose to do vEdge4 and vEdge3, so basically our WAN edges that have two actual TLOCs associated, there's a public internet and MPLS. I'm not going to try to throw a policy at vEdge5, which only has MPLS transport; it doesn't make sense to do that. The idea here is to be able to fail over an application to a different transport if one transport is really, really bad. We've all been there, right? So I'm going to go ahead and click Add and then click Save Policy. Okay, so we're going to click on this guy right here, and you notice all these other ones, it says Activated: false, which means they're not activated. I'm going to click here and click on Activate, and click Activate one more time. I'm going to give it a couple of seconds. This is actually pretty quick because of the fact that it's a control policy, and once that pushes down to the remote WAN edges, they'll be in good shape, so I'm probably not going to need to pause. There it goes.

Now I'm going to go back over here to Monitor and Network, I'm going to grab vEdge3, go back down to Troubleshooting and go to Simulate Flows. I'm going to choose VPN 1 and then ge0/2. The destination is 10.1.0.16, and then Advanced Options, protocol 6, from Service because this is inbound to go over the SD-WAN fabric, 2000 is my source port and port 23 as my destination port. So Simulate Flow, and there you go: it's riding over MPLS, where before it had showed both. Okay, now I'm going to change this to be port 80 and click on Simulate Flow, and it shows public internet. So right there, ladies and gentlemen, that shows you that our application-aware routing is working. I can't demo this because it's not going to work the way we need it to, because it's application specific. If I was to try to telnet I could put some filters in and try to say, okay, do we see traffic flying over this particular TLOC, do we see traffic flying over that particular TLOC. In this case here, the nice thing about this is we get to see what vManage sees, so vManage is actually reaching out to the vEdge saying, hey, what happens now, and the vEdge is going, well, based off your policy, this is what can happen. So we're in good shape there.

Now, with that being said, I'm going to go ahead and change this up a little bit and we're going to take this a little bit deeper, because right now we've only done layer 3/layer 4, more specifically layer 4: we've looked at TCP, we've looked at the protocol and the port, right? We have not looked at any deep packet inspection, or DPI, so we haven't leveraged NBAR to do anything right now. So this is one of those times where you might want to go deeper, so let's go actually take a look at this. I'm going to go back over here to Policies and click on this guy and go to Traffic Policy. Actually, before I do that, let me go back to my lists. Right here I've got a "chat apps" application list, and if we were to come in here and edit this you can see that I've got some applications here. I'm actually going to delete this real quick just so you guys can see how this works, so I'm going to go ahead and delete it. Yup, there we go. And then I'm going to go back over here to Custom Options and then Traffic Policy, because this is a traffic policy. I'm going to come in here and add and create a new policy, so I'm going to basically be adding a new policy under this one. Let's say you've already got something, right, and then you need to add to it: this is how you would do that. So I'm going to click in here, click Create New, I'm going to call this "aar chat apps", copy and paste this in, I'm going to add a sequence rule, and instead of calling the protocol and the destination port like we did for layer 4 inspection, we're going to use the packet inspection. I'm going to come over here, and here we have a couple of them, right, we have Google, we have Microsoft. I'm going to create one here; I'm going to call this "chat apps", and then Application. I'm going to come in, and now it's a little tricky here: you don't click right where I'm clicking right here, you click down here in the search bar. I don't know why they did this, but okay. If you come in here and type in "aol" you'll get AOL Messenger. I looked up Slack; Slack doesn't show up here, which I thought was a little surprising. If you look in here and you do "whatsapp", WhatsApp, that's in there as well. If you type in just "chat" you get a couple of other ones; we'll go ahead and type in Google Chat just to make it a little bit different than I had before, and then we're going to click on Save, right. And now that I've got that in play I have to actually select it, so "chat apps", and then in the actions we have to create the SLA class list. Now we come in here, there is nothing here, all right, we have telnet, but I'm not going to use that one. I'm actually going to come in here and create a new SLA class list. I'm going to call this "chat apps", and the packet loss we'll say is 30 percent, latency will be 250, and then jitter will be 300. Click on Save and then it will automatically grab that one. The preferred color here we'll say is going to be public internet, we'll click on that, and we're going to click on Strict, where we're saying regardless of what happens, if these applications that are listed here are really, really bad, then public internet is the only transport we're going to give them. We're not going to allow you to fail over to MPLS; maybe MPLS doesn't have any type of internet connectivity. So we're going to go ahead and do that, click Save Match and Continue, and I'm going to Save Application Aware Routing Policy.

Then I'm going to go to the centralized policy, and if I click underneath here and I look at the view and click AAR, it's not here, right? So I have to go back underneath my traffic policy, and underneath Traffic Data, I'm sorry, Application Aware Routing, I have to add that policy, because even though I've created it, if I was to come underneath here and say Edit, right, I haven't actually added it here. So I need to click in here, and I'm sorry, not that, go underneath Traffic Rules, and then I need to go underneath AAR, I need to Import Existing, and then click in here and go "chat apps", click on Import. Now that adds it. I'm going to go ahead and Save Policy Changes, and now it's going to activate. Before I do that, though, let me go back over here to Network, and then we're going to grab vEdge3 under Troubleshooting so you can see the before and after, right. And then I'm going to choose VPN 1, and then this destination 10.1.0.16, and then the application: we can go specifically in here and look at, say for example, AOL Messenger, and I'm going to Simulate Flow, and it's going to use both, right, because it can, which is what I wanted to do. I wanted to be able to use both if I can, equal-cost multipath.

Now if I go back over here to Policies and I go to the Edit here, and I go to Traffic Rules and I add a policy, Import Existing, grab, sorry, "chat apps", and click on Import, and then Save Policy Changes, and then Activate... sorry, what? Activate: add VPN list. Oh, okay, policy application, Application Aware Routing, oh that's right, I forgot I have to add. We'll go vEdge4, that's my mistake, and then VPN list, we'll go add that. So you still have to, when you're in the editing of the policy, if you've added one, you still have to go underneath here and map it to wherever it's going to be applied to. Click on Add, Save Policy Changes, and then Activate. Interesting, okay: "assembly fail, duplicate mapping detected". Interesting, okay, huh. Okay, well, I'll just delete this one and Save Policy Changes. Let me go back over here to Traffic Rules, and then underneath this one here I will detach this one, Save Policy Changes. There it goes. All right, so normally you wouldn't do that, but because of the fact that we're just testing this, I'm just showing you how it would work; it's not going to hurt anything if it's not there. So there we go. We're going to wait for it to push, and then once it's done doing that, there we go. So we're going to come back over here to Monitor and Network, vEdge3, underneath Troubleshooting, Simulate Flows, VPN 1, choose the interface, and then 10.1.0.16, and then the application we're going to choose is going to be AOL Messenger. Simulate Flow, and now it only takes public internet.

So that, ladies and gentlemen, is application-aware routing. It's not very, very complicated, as you can see, pretty straightforward stuff. There are ways to add in a policy, but in this case here it gave me a problem with it, so I was like, okay, fine, whatever, it's a lab, I really don't care. But if you need to add that into something, obviously you'd want to make sure you do that correctly and test it out before you actually go push. So that's pretty much it for application-aware routing. I want to thank you guys for hanging out with me in this video, and until next time, guys, take it easy.
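As an added example (not from the video and not Cisco software), here is a small Python model of the decision that the SLA class, preferred color and Strict settings encode, using the telnet, web and chat-apps values created in the video; the per-tunnel loss, latency and jitter numbers are constructed stand-ins for BFD measurements, and the behaviour when no color meets the SLA (ECMP over all tunnels when not strict, drop when strict) is an assumption of the model.

```python
# Toy model of SD-WAN application-aware routing (AAR) path selection.
# Added example, not Cisco code. Thresholds and preferred colors are the
# ones from the video; tunnel measurements below are constructed values.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SlaClass:
    name: str
    loss_pct: float    # maximum acceptable packet loss, percent
    latency_ms: float  # maximum acceptable latency
    jitter_ms: float   # maximum acceptable jitter (variation in delay)

    def met_by(self, t: "Tunnel") -> bool:
        return (t.loss_pct <= self.loss_pct and t.latency_ms <= self.latency_ms
                and t.jitter_ms <= self.jitter_ms)


@dataclass(frozen=True)
class Tunnel:
    color: str         # TLOC color, e.g. "mpls" or "public-internet"
    loss_pct: float    # measured values (constructed here; BFD supplies them in reality)
    latency_ms: float
    jitter_ms: float


@dataclass(frozen=True)
class AarSequence:
    sla: SlaClass
    preferred_color: str
    strict: bool = False
    protocol: Optional[int] = None      # layer-4 match (6 = TCP)
    dst_port: Optional[int] = None
    application: Optional[str] = None   # DPI (NBAR) match

    def matches(self, flow: dict) -> bool:
        wanted = (("protocol", self.protocol), ("dst_port", self.dst_port),
                  ("application", self.application))
        return all(v is None or flow.get(k) == v for k, v in wanted)


# SLA classes and sequences as configured in the video
TELNET = SlaClass("telnet", 25, 500, 250)
WEB = SlaClass("web", 10, 150, 200)
CHAT = SlaClass("chat-apps", 30, 250, 300)
POLICY = [
    AarSequence(TELNET, "mpls", protocol=6, dst_port=23),
    AarSequence(WEB, "public-internet", protocol=6, dst_port=80),
    AarSequence(CHAT, "public-internet", strict=True, application="aol-messenger"),
]


def simulate_flow(flow: dict, tunnels: list, policy: list = POLICY) -> list:
    """Return the TLOC colors the flow may use (what vManage Simulate Flows reports)."""
    all_colors = [t.color for t in tunnels]
    seq = next((s for s in policy if s.matches(flow)), None)
    if seq is None:
        return all_colors                 # default action: route table, ECMP over both TLOCs
    in_sla = [t.color for t in tunnels if seq.sla.met_by(t)]
    if seq.preferred_color in in_sla:
        return [seq.preferred_color]      # preferred path within SLA: pin the flow to it
    if seq.strict:
        return []                         # strict: never fail over; assumption: drop when out of SLA
    return in_sla or all_colors           # fail over to in-SLA colors; assumption: none in SLA -> ECMP
```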
Info
Channel: Rob Riker's Tech Channel
Views: 1,843
Keywords: Cisco, sd-wan, aar, application, aware, routing, viptela, omp, network
Id: 33IVSyvvqbM
Length: 21min 47sec (1307 seconds)
Published: Thu Oct 22 2020