ENCOR - SD-WAN Advanced Services

Captions
Happy Wednesday, everybody. I hope everyone's having a great week so far. We are wrapping up SD-WAN this week. We have been exploring SD-WAN for several sessions now; I believe this is the third session, and so we are discussing SD-WAN advanced services, kind of the catch-all, really. We spent a lot of time looking at the general architecture of SD-WAN. In this session we're going to be talking about all of the little special things that make SD-WAN that much more effective at helping us manage and maintain our wide area networks. Let's take a look at the agenda here, I suppose. We're going to be talking about a lot of things today: we've got zero-touch provisioning to look at, the zero-trust model (a lot of zeros, for whatever reason), edge redundancy, DPI, on-ramp (that's like cloud services), vAnalytics. So yeah, a lot to cover, as usual. As always, be sure to chime into the chat. This has been pre-recorded, but I am here live in the chat, ready to answer any questions you may have. Given that this is an ENCOR study group, if we are talking about something that you're not quite studying right now but you've got some questions about some other things that you're working on, then toss those into the chat, because whether it's me or somebody else, we can chime in and maybe help get you through whatever issue you're hitting. All right, so without further ado... oh wait, my whiteboard is again not quite ready. There we go. All right, let's take a look at some of these SD-WAN advanced services.

One of the first concepts that we're going to be talking about here is this zero-touch provisioning, which really has two words for it. The idea is this: we want to be able to send a router out to a remote site. If this was traditional networking, I tell you what, I've done so many of these where I've just had to go out to a new site (let's say we're spinning a new site up, or what have you) and I've got to go out and provision a router or a layer 3 switch or something, but just to get the initial configuration on. I mean, maybe I could have it shipped to my desk and I do the configuration and give it to a lower-level tech, and maybe they can run up and just plug it in and hopefully it works, but usually there's some level of me needing to go on site involved with deploying a new location. So with a wide area network router, wouldn't it be lovely if I could ship this router out to that site, have somebody plug it into power and plug it into the network (we do have to have network connections), but then just have it automatically come online and automatically download the configuration? That's exactly what we can do in an SD-WAN environment. We have two different related technologies for this: we have zero-touch provisioning, or ZTP, and we have Plug and Play, or PnP, and technically it's Plug and Play Connect. The difference between these has to do with the fact that zero-touch provisioning is a Viptela, in other words a vEdge, technology, and Plug and Play Connect is Cisco's technology, so this would be for cEdges.

For those who maybe haven't seen the other videos in the series: Cisco acquired this SD-WAN solution from a company called Viptela, and so when we look at all of the different components, we've got things like vSmart and vEdge and vMonitor... I mean vManage, I can't spell, there we go, vManage, I don't know, I'm sure that works. And then, what am I forgetting? vManage, vSmart, vEdge, vBond, the glue that holds it all together. All of these v's here stand for Viptela, and so all of these devices are what Viptela made, and this vEdge specifically is a router. Now Cisco is a company that's been making routers literally since they were created (Cisco being created, not routers necessarily, almost), and so they know how to make a router, and so the one component in the solution that they did not need is the vEdge, and so they are deprecating the vEdge. In fact, I just... so I recorded some, you know, working for CBT Nuggets, I recorded some Nuggets, or some videos, for ENCOR about, what time frame? It's September now, so I mean like three or four months ago I recorded a video on the vEdges and the different models that there are, and I just went to record a very similar video for the SD-WAN content that we're going to be releasing here within a few weeks, hopefully, and some of the vEdges had disappeared. Cisco is deprecating them; they're getting rid of them, they're end-of-sale-ing them, and so they're trying to get rid of all of the Viptela hardware and software that was router related. All these other components, the vSmart, the vManage, the vBond, they're not going anywhere; we need those to make the solution work. All that to say, we have some customers out there where the edge routers are vEdges, and we have some customers out there who have... well, I should say a mix of vEdges and cEdges. I guess I didn't say it, but cEdge would be the Cisco version of the hardware. So if you deploy a Viptela router, which is still branded Cisco at this point but is a piece of Viptela-made hardware, that would be a vEdge. If you're going to do it with a Cisco-made piece of hardware, that would be a cEdge, and so these cEdges are usually the typical candidates that we buy from Cisco: an Integrated Services Router or an Aggregation Services Router, or maybe even a CSR, a Cloud Services Router, which would be a virtual version of an ASR. So really what we have here is two different worlds that Cisco's kind of trying to bring together. Okay, so the idea here is this: we are going to use this concept of either zero-touch provisioning or Plug and Play Connect to bring this device online automatically. All right, so here's the process for this. We are going to connect this device into our WAN circuit, whatever that is, and we do need to obtain a DHCP address, and with
that we need a DNS server mapping, and the reason for that is because in order to go out and do the automatic download we have to go out to the appropriate website, and to go to the appropriate website we need name resolution. So we're going to go out, we're going to get our DHCP address, get our DNS server, and we're going to resolve a very specific URL, and that is... oh, what is it for Cisco? Device helper, that's right. So for Cisco that would be devicehelper.cisco.com, and for Viptela it's a little easier to remember: it's ztp.viptela.com. Those are the two different URLs that we're going to use in order to figure out, hey, where can I go download my configuration? And assuming there's a config out there, it's going to go out to one of those two locations and pull the configuration down. Specifically, the configuration at that point would be the vBond address, because keep in mind that the vBond is, again, as I just mentioned earlier, the glue that holds this all together; it's the first part of the whole fabric bring-up process. So an edge router will go out to the vBond, the vBond will tell it where all the other controllers are, the vManage will push its config down to the vEdge, and it'll form routing relationships with the vSmarts. So all we really need is the vBond address; I mean, that's the biggest piece of configuration that we need.

All right, so how exactly does this get out into, well, get into Cisco's servers, essentially, is what's going to have to happen, right? Specifically, we have a concept (or not a concept necessarily, I guess) but this Plug and Play Connect concept: we have a portal. If you go to software.cisco.com you will find that there is a Plug and Play Connect portal. We can use that portal to input information on that router, so there is still work to be done. And it says zero-touch provisioning; I actually like Plug and Play Connect better, because the idea of zero-touch provisioning kind of makes it seem like it's just gonna go out and download a generic config or something, it's gonna automatically do stuff and I never need... literally it says zero touch, right? I mean, I shouldn't have to touch this at all, but yeah, I'm going to have to touch it; I'm going to have to do some amount of configuration, and most of that's going to be done via that Plug and Play Connect portal. So I will go out there, I will register the device, provide the serial number, its chassis ID, and I'm trying to think if there's anything else that you really have to... oh, well, and the other thing you have to do, didn't think about that, is, well, it's actually right here: vManage. I have to get in here and I have to create the configuration for that router, because again, that router is going to get the vBond address... I'm sorry, it's going to pull the vBond address from Cisco, then it's going to go out to the vBond, which I guess is over here now, it's going to go out to the vBond, and then the vManage will push the configuration down. Well, that configuration has to be configured; it has to be there, and so I'm going to put the configuration onto vManage first. So these are my two main steps I have to do: I have to get into vManage, I have to make sure there's a configuration in place (and in the SD-WAN world we do that via templates), so I need to make sure that we have a config in place on vManage, and we also have to make sure that we've configured the Plug and Play Connect portal for this device. One thing worth noting, by the way, is that even if we're doing Viptela stuff like the vEdge, we're still going to go into the Plug and Play Connect portal. Cisco on the back end will push information down to the zero-touch provisioning server; that would be Viptela's original server set, and so even though we're going to a different server with Viptela hardware, we still download the same information.

Okay, so that is one automatic provisioning option. We do have one other option, I suppose, that's worth pointing out: we have what's called the bootstrap option, and the bootstrap option is cEdge only; it does not work with Viptela. The idea is that we will actually provide a configuration on the device so that it has a chance of... which, I think, how to say this... what we're going to do is we're going to go out to this Plug and Play Connect... wait, wait, no, no, vManage portal, right? Yes, wait, getting all mixed up here now. The bootstrap option, yes it is, okay. So we go to vManage and we create a config file on vManage. vManage gives us the option to create this configuration file. This configuration file needs to be named very specifically... whoops... ciscosdwan.cfg. And by the way, if you're going to do anything with an ASR 1002-X, make sure you do the proper reading; it's actually different. It's like ciscosdwan_cloud_init, I think, something like that; let me see real quick, I've got it written down somewhere. Yeah, it is: it's ciscosdwan_cloud_init.cfg. The 1002-X does not support Plug and Play, for whatever reason, as a cEdge, so you kind of have to do bootstrapping if you're going to do it, and it requires a different config file name. So the 1002-X is just a little bit of an odd beast; just be warned about that if you're ever going to be doing any of this with a 1002-X. But we take this configuration file and we can either load it into the bootflash of that router, or we can place it onto a USB stick and plug that USB stick in. Of course, that assumes it's a physical router at that point. So either way, what we're doing is we're essentially pre-provisioning that vBond information and some basic configuration as well. And so when the router boots up it'll check for a config file; it'll check its USB to see if there is a config named ciscosdwan.cfg, and if there is, it'll boot it up. If not, at that point it'll initiate the... well, I guess it's a cEdge, so it'll only initiate the Plug and Play Connect option. But the idea is that's
our progression, right? We start with bootstrapping; we check for a file. If there's no file, then we go to ZTP and Plug and Play Connect, and if nothing works there, if the Plug and Play Connect option doesn't work, then it'll fall back on our manual configuration, and we can always still do a manual configuration. So my initial scenario where I have to ship a router to my desk and configure it, I mean, that's always an option; we can always do it that way. Incidentally, by the way, bootstrapping is a good option if for whatever reason our WAN service provider... remember we said we needed DHCP services; not all WAN service providers can provide DHCP services, so that can be a big killer of the bootstrap... I'm sorry, of the Plug and Play Connect process. But if we want to emulate the Plug and Play Connect process, then that is where we would rely on bootstrapping. With Viptela we don't have bootstrapping, and we just have to go straight to manual configuration.

Okay, any thoughts or questions on that? Be sure to chime into the chat and I'll do my best to answer those. Oh yeah, here, yeah, okay, we're doing all right. So let's talk about what happens at the point where our router now has, through some means, Plug and Play Connect or manual configuration, what have you, we know where the vBond IP address is; we've received the vBond IP. So what we're going to do is reach out to the vBond. Now the vBond has a very specific set of responsibilities, one of which is to authenticate this device. Now, I don't know about you, I mean, I'm not a security guy; I don't deal with a ton of certificate issues. A lot of us in IT have come from various backgrounds and such, but if you've been in networking for a long time and you don't specifically play with security, you probably aren't super comfortable with certificates and such, but this is a very certificate-heavy process that we're about to describe. All right, the reality is that we have a certificate that comes pre-installed on the cEdge or the vEdge, and we have a certificate that comes pre-installed with the vBond, and we're going to use these certificates to mutually authenticate each other at the very beginning. So think about this from this router's perspective right here: we just spun ourselves up; we again extracted that vBond IP address somehow. This is all I know. I don't know where my vManage is, I don't know where my vSmarts are, I don't know where other vEdges and cEdges are; I am blind to the rest of the network. I haven't actually been allowed to get onto the network yet. I need to authenticate with this vBond controller, so the first thing we're going to do is the cert exchanges, right? We're going to make sure that we are who we say we are. And again, what's key about this is that it's a mutual authentication process. So the vBond, yes, is authenticating the edge device, whether it's a cEdge or a vEdge, and that's important because we don't want rogue devices showing up. I don't necessarily want to risk having a junior engineer pull a router out of my closet and plug it in and, oops, I just added it to the SD-WAN fabric. That would be the innocent version of a rogue router; we by all rights could have somebody trying to maliciously add their router in. Why not make it, you know, one of my branches? If I'm an organization and I've got thousands or maybe even tens of thousands of branches, it seems like it would be a pretty easy concept to be able to toss a router in there and try to join their network. Obviously it wouldn't be that easy, but at the same time, one more step of security is a good thing. So I want to make sure that the edge is good, but the edge needs to make sure that the vBond is the appropriate vBond, that the vBond is not, again, a malicious rogue vBond, that it's not accidentally, oops, we configured the wrong vBond controller. So we are going to mutually authenticate each other. The edge device will authenticate the vBond controller using its certificate. Now the way the certificate gets onto the edge device and the way that we do all this, that's a very complicated multi-step process. In a lot of cases, especially if it's a physical device, it's going to be fairly straightforward. If you have an organizational, enterprise certificate that you're going to want to put on the edge device, and you don't want to use the baked-in certificate, then that's a whole process, because we obviously have to update the vBond with that information. And so it gets... I mean, frankly, if you're going to set up an SD-WAN lab, this is the hardest part of setting up an SD-WAN lab; it's just getting these devices to talk to each other. I wish you could just disable this for the sake of the lab environment, just being able to say, okay, I'm just going to skip all this and get my vBond talking to my vEdge and my vEdge talking to my vManage, but for better or worse (it's more secure this way, so for better, probably) Cisco/Viptela do not allow us to simply connect these devices; we've got to get the certificates loaded. So that means going to a Linux CLI potentially and cranking out root certificates and such.

All right, so that's step one of the authentication process. Here's step two: step two of the authentication process is me, as the network admin, going to that Plug and Play Connect site and adding this router into the process. Now if I'm using Plug and Play Connect then I'll have already added it in there, but just be aware this is still how we have to do this. This gives me the ability to download a file that I can upload into the vBond, and this vBond is going to use that file as a whitelist. Now incidentally, whoops, hold up, I skipped a step. This is important: this file actually gets uploaded into vManage. Now the way this file gets uploaded to vManage, there's one of two choices. I can manually take that file and put it onto vManage, and that's in most cases what we're
going to do, but you can actually directly connect our Smart Licensing portal, which is tied to Plug and Play Connect; I can tie vManage to my Smart Licensing portal, and then therefore every time I add a router into my list, vManage will be updated. All right, so once vManage has a list of routers, it will push that whitelist to vBond. vBond, again, is going to use that whitelist to determine whether this edge is allowed or not. So not only are we checking the authentication of the certificates, but then the second step is to check against that whitelist. So again, it's quite an endeavor to spin up a lab environment from scratch and start getting this going. Obviously once the fabric is up and running and everything is good, adding routers to it is a fairly straightforward process, and it's something that we all get used to at some point, but again, when you're used to just firing up routers and switches in a lab and connecting them together, this can be a huge barrier to really even just getting started having some fun with SD-WAN in the lab.

All right, so if this all goes well and the certificates are good and the whitelist passes, at that point vBond is going to push down the information about where the vManage is, where the vSmarts are (there might be multiple vSmarts), and then also the edge information, which actually is going to come from the vSmarts, I believe. So either way, we're going to get our controller information from vBond and we're going to reach out. So now I've got a connection to vManage, now I've got a connection to all of my vSmarts (in a lot of cases there are going to be multiple vSmarts). All right, and these connections, by the way, worth noting if you're going to go take an exam: vBond has to be a DTLS connection. DTLS is Datagram Transport Layer Security, so the DTLS connection is UDP based, whereas a TLS connection is TCP based. So we can use TLS for vManage and vSmart, and we can use DTLS. Now we truly get to choose when we build those connections; we get to define whether those are going to be TLS or DTLS, and DTLS is just lighter weight, and you can choose for yourself whether you want to go with DTLS or TLS connections, I suppose, but with the vBond, for whatever reason, we don't support TLS; it's DTLS only. So it's just one of those oddities that we need to understand. But the key point in all this is that these connections between the edge device and the controllers are all super secure, locked down; these are encrypted tunnels. Just like our edge-to-edge communications are going to be in IPsec, the edge-to-controller information is going to be within a secure encapsulated tunnel; that would be the DTLS or TLS connections.

All right, so at that point we're going to then reach out and start to form relationships with other edge devices. So what does that look like? We're going to start getting into the edge redundancy conversation here in a moment, but for now, when you've got a router and you have multiple WAN clouds, so maybe WAN 1, maybe WAN 2, and maybe WAN 3, now I'm trying to connect to this router up here; let's say we've got connections to all three of these WAN circuits. So here's an interesting question: how many tunnels are formed between these two routers? Generally speaking, when we're talking about this, we're going to say that there are three tunnels. We form a tunnel between every set of routers that we want connections between, and we're going to make as many IPsec tunnels as there are WAN service providers. That's technically true, but also with a caveat. Technically speaking, this router is going to try to form a relationship with every other TLOC on that router from every TLOC on the local router. Now a TLOC is an interesting concept; it's sort of an endpoint, and it's tied to a specific circuit, so basically a specific service provider, but it's also not an IP address. Okay, so this gives people some amount of confusion, but the idea is this: I've got a TLOC on every WAN... let me just do it like this. I've got a... how can I do this? Let me get rid of those tunnels for a moment. Oh, did I have to... there we go, that's what I wanted. All right, there we go. So I've got a TLOC; I have a TLOC for every WAN circuit coming into my router. That's the idea. Okay, here's the problem: a TLOC itself consists of the system IP address (not the interface IP, but the system IP address); it consists of a concept we call color. Color is essentially a string that describes the WAN circuit, so we have a drop-down menu when we're connecting up to a WAN circuit; we get to decide what color it is. So it can literally be a color; there are some colors like red, green, blue. Then we have gold, silver, bronze and such; that would be if we're comparing our WAN circuits, like they're all internet circuits and we just got good, better, best. But color can also be a description: it could be mpls, it could be biz-internet, for example, or public-internet. And so we've got this color concept that describes... or, I shouldn't say it describes it, I mean it does describe it, but the purpose is that each one of these WAN circuits is going to get a different color, which again amounts to a string. And then the last facet of a TLOC is encapsulation type. Encapsulation type: we always describe them as IPsec tunnels; news flash, we can actually configure them as GRE tunnels, but we lose the encryption of IPsec, and so in most cases we're never going to use GRE. So every one of these TLOCs is going to consist of this tuple of information: the system IP, the color, and the encapsulation type. So the only difference between these three TLOCs that I have colored in here is the color; we don't actually have different IP addresses among the different TLOCs. So this isn't a scenario like, for those
who have done, for example... I'm trying to think of an example here. RLOCs. So RLOCs in LISP: if you've studied Software-Defined Access or you've studied LISP from a service provider perspective, you have this concept of routing locators. The routing locator essentially equates to a loopback IP address on a switch, and so I know that an IP address is attached to a specific RLOC, and then I can just route towards that RLOC because it's an IP address. VXLAN is going to have something similar, because we have these VXLAN tunnel endpoints, the VTEPs. I know that the device I'm trying to get to is behind this VXLAN tunnel endpoint, and so I can just target its IP address and go to it. A TLOC does not include the IP address; this isn't tied to a loopback on the router. It is... they're tied to a physical interface, but they don't include that IP address as part of the TLOC. Okay, instead what we have is we are advertising not only our TLOCs, but then we advertise a TLOC route to the vSmart. So the vSmart's up here; it's listening to OMP advertisements (that's the routing protocol we're running, Overlay Management Protocol), and I send my OMP routes to the vSmarts, including not only the routes behind, like, subnet A, right, that would be my client subnet, I let it know about that, that's an OMP route, but I also give it a TLOC route, and the TLOC route tells me... or, not tells me, tells the rest of the world, in other words the vSmart's going to pass it along to the other router: hey, when you're trying to get to this TLOC, go to this physical IP address. Okay, that was a little bit of a tangent. It's not super important other than to understand that TLOCs themselves are not routable interfaces; they are tunneling endpoints. We are going to build tunnels between them, but we're going to use the TLOC route to tell us how to get to the other TLOCs.

All right, let me tell you why I explained all that. Because this other router is also going to have three TLOCs. The reason I explained all that is because, by default, we are not simply going to form three IPsec tunnels one-to-one, doing the one-to-one relationship with my TLOCs. Every TLOC is going to try to make an IPsec tunnel to every other TLOC on the remote router. What that means is this TLOC on the left is actually going to try to form a relationship with the middle TLOC and with the rightmost TLOC, and same thing here: I'm going to try to form relationships with these guys and try to form relationships with those. So we actually have a full mesh, potentially, of IPsec tunnels among all of our different TLOCs. So when we have... boy, I don't even know, is that nine? One, two, three, four, five, six, seven, eight, nine tunnels. Yeah, I mean, we have three different devices going to three... I'm sorry, three different TLOCs, each one going to three different TLOCs on the other side; we're going to have nine different IPsec tunnels. So that's the default behavior. However, there's a reason why we usually draw our networks like this, to say that there's only three IPsec tunnels, and the reason for that is because there's an air gap between most of these WAN service providers. In order for this TLOC right here... oh, there goes my camera... in order for this TLOC right here on the bottom left to get to the middle TLOC up at the top, I somehow have to bridge this air gap. Now if there's truly an air gap there, between maybe an MPLS and an internet service provider, then I don't need to worry about cross-color TLOCs, cross-color IPsec tunnels forming. Where I do need to worry about this is when WAN 2 is an internet service provider and WAN 3 is also an internet service provider. Chances are there's not an air gap, because it's just one giant global routing table in the internet, right? I mean, it's truly just two different circuits that connect me to the global internet, and so if that's the case, really there is no air gap here. WAN 2 and WAN 3 are basically the same; I'm just using, again, different circuits, and therefore I will be able to form a full mesh of IPsec tunnels among the TLOCs that are connected to my internet circuits. Okay, so any time my WAN circuits, my WAN service providers, are sharing a network with one another, I'm going to end up with way more tunnels than I was maybe expecting. So maybe write that down in the back of your head. This is behavior we can change; we can make it so we lock it down to colors, and so in that case, even though it's the global internet, I'd still only have three tunnels. In most cases we're probably going to do this, but technically speaking, it does give us better resiliency to allow it to form tunnels across different WAN service providers. For example, if this circuit goes down up at the top, this middle internet circuit, why should I shut down this IPsec tunnel... I'm sorry, well, why should I shut down this TLOC, effectively? Because if I have a connection this way, then this TLOC can stay online even though it lost one of its IPsec tunnels. And so what I'm trying to say here is the more options we give our SD-WAN environment, the better off we're going to be from an application routing perspective, which we're going to be talking about here in a moment, because otherwise, I mean, if it just goes down and this TLOC doesn't have anything, then I only have two choices, but if the TLOC stays up, even though it's sort of going about things oddly, I still have all three of my choices when I bring a packet in and need to forward it out. All right, so about halfway done, and we're done with... oh, we're not even done with this section, huh? All right, very good. So that's general TLOC and IPsec establishment. All right, let's move on to what we really needed to talk about, which is TLOC extensions.
So this is a great scenario, but, however, let's say that this is headquarters and I am not comfortable with having all three of my... you know, I've got this crazy amount of resiliency, I've got three separate WAN circuits all coming into one router. I mean, I'm no expert, but I think a second router here makes a lot of sense. Okay, so I'm going to go and erase some of these. I can't erase these circuits; let me do this, I'm just going to simplify this drawing, so then get rid of the drawing. There we go. All right, let's simplify this. So I've got two different routers at one site, and let's say I have two different WAN circuits, WAN 1, WAN 2, and then I've got some kind of downstream network. All right, so if I have this scenario, again let's just say this is headquarters, first and foremost I can run VRRP between these two routers as the first type of redundancy protocol. If my users are using the routers as a default gateway, then I would want to do this so I've got resiliency as far as my default gateway is concerned. If I don't have my users down there, maybe I have a layer 3 switch and my users are hanging off of the layer 3 switch, then maybe I'll just run a native routing protocol with that layer 3 switch, like OSPF or EIGRP (if it's a cEdge I can do that) or even BGP, but I might even run VRRP in that situation; it just sort of depends on how I want to set up my routing domain. It matters a little bit less in an SD-WAN environment, because both of these routers are supposed to have IPsec tunnels to both of these WAN circuit providers, and therein lies the question of how I'm supposed to configure this area right here, because I've got two different WAN circuits. How should I connect these to these two different routers? Well, Cisco gives us a couple of options, the first of which is called meshed. Let me just draw that as a different color. If we have a meshed connection, then as you can imagine we're going to have some meshed connections here. If we're going to do it this way, we would bring two separate WAN circuits in (I should have pointed down here); we will bring each circuit into one router. Basically we're bringing WAN 1 and 2 into router 1, and we're bringing WAN 1 and 2 into router 2. This allows us to build our IPsec tunnels in a straightforward manner: I've got IPsec tunnel 1, IPsec tunnel 2 out of router 1, and then router 2 is going to do the same thing: I've got an IPsec tunnel here and an IPsec tunnel here. Those IPsec tunnels would be built to every single other router, by the way, so just keep that in mind as well as we think through SD-WAN. So if I've got a router over here, they'd build four tunnels to that router; if we had a router over here, they would build four total tunnels to that router as well, assuming there's an air gap in here, of course. Oh, the caveats, they are mounting. Okay, so that's great; that's what you should do, that's what we should all do if we can. But what if we cannot? What if we only get one circuit connection? Maybe the service provider is giving a /30 address, a /30 network. If they're giving a /30 network, I've only got one IP address that I can use, and so I can't actually, even if I bring it into a little switch, I can't split it up between the two routers. So maybe it's not a /30, but maybe they only support one physical handoff, or, you know, even at that point you could probably still put a switch in, but the idea is this: if we cannot get a fully meshed set of connections, if we can only do this, we're bringing WAN 1 into router 1 and WAN 2 into router 2, well, we still want to create those IPsec tunnels; we still need to create those IPsec tunnels. And so the way we're going to do this is to leverage a concept that we call a TLOC extension. The TLOC extension is going to allow me to create a local TLOC that allows me then to create my IPsec tunnels. So if I look at it this way, I can still create an IPsec tunnel, you know, the straightforward ones, right, but now my router on the left can form an IPsec tunnel this way by building a TLOC here. So I didn't really draw my TLOCs as dots; there we go. And then I can also create a TLOC here that allows me to create an IPsec tunnel out... whoops... out this way. All right, so effectively what we have in the end, if I were to draw this again, effectively what I have is this. How's that look? Does that look familiar? Even though the physical network has changed, I no longer have a full mesh of connections, my logical network didn't change at all; my overlay stayed the same. Remember this whole concept of, you know, SD-WAN, software-defined WAN: remember a key component of that is the idea that we have an overlay, and the overlay consists of tunnels, in our case IPsec tunnels; in some scenarios it might be VXLAN tunnels, etc. I mean, we've got all kinds of different situations there, but either way we have tunnels that form an overlay, and then we have an underlay, and the underlay is the actual physical world. But the idea that we said from the beginning, when we defined software-defined networking, was to say that the overlay is really the network that I want, and it shouldn't matter what my underlay is. The underlay is actually what I have, but I'm going to build an overlay so that I can have the network that I want regardless of the network that I have. Does that make sense? So it doesn't matter. Remember, I showed you a mesh connection and now we've got this TLOC extension: two different options that result in the exact same thing. Now obviously we do still have to configure the TLOC extension, so it does take some amount of intentionality around our configuration and such, but the end goal is the same: we want to have an IPsec tunnel from every one of my routers out to every other router in the fabric per WAN circuit, and we still accomplish that. Incidentally, by the way, I didn't mention this, but we do actually configure
these routers with the same site id and that allows them to know not to form ipsec tunnels to each other because technically they could do that right they could form an ipsec tunnel to each other well technically it would be like through wan one or what have you um we don't want that that doesn't make any sense so the site id is what helps us identify that okay any questions on t-lock extensions or t-locks in general uh chime into the chat we'll get you taken care of we are covering a lot today i say that i feel like i say that every week but it never feels like we've got enough time to talk about everything that we need to talk about but i guess that's the idea of a one-hour study group session um let's see here next is the packing session okay so now that we have see how this keeps building on itself so now that we have in fact i'm just gonna i'm just gonna make this simple let's say we have one router and we have two circuits and we're building our ipsec tunnels actually here i've got my subnet a here with my users users we'll call it subnet a i don't know that we really needed to designate a subnet a for what we're doing but the idea here is i'm going to another router somewhere i'm going to form an ipsec tunnel out to it out when provider a and i'm going to perform or create an ipsec tunnel out uh the second wind provider so that would be a band provider b so we've got an a connection we've got a b connection so here's here's an interesting thought when in traditional networking if i want to load balance across those links how can i load balance that and boy does that open a world of conversation because i mean i could very simply deploy routing based load balancing and i could have a routing protocol running and especially since i'm running tunnels you know i mean if if it was traditional maybe like a dmvpn situation i just run the igrp and eigrp would um it would tell me which one's better and if one is not better than the other then i could do equal cost 
load balancing i could even use unequal cost load balancing with the igrp right but none of those actually are testing the quality of the link now with cisco i could set up ipsla and i could run tests across that and this is essentially by the way what iwan was for those who don't know before cisco bought viptela they had this solution called intelligent wan iwan uh everybody was coming out with these sd-wan solutions and cisco's like we've had these solutions for for years it's performance-based routing and ipsla and eiurp and and bgp configuration and and all this and so cisco tried to effectively do what cisco sometimes does and and not be able to see that the ease of use was a big part of sd-wan so i win was not an easy to use solution in fact i heard countless stories of iowan deployments turning into viptela deployments or turning into a competitor deployment because iwan was simply very very not user friendly and but but technically speaking we were able to do a whole lot of this with cisco traditional cisco routing it just wasn't all managed very well so where's i going with that uh let's see here oh application right so again we we've got this concept of like cisco ipsla that we could run we've got all kinds of things but the reality is from a traditional even i went inside traditional routing if i were to say that hey i want my voiceover ip traffic to take the mpls link unless the mpls link is having some major issues then i would like you to swing the voip traffic out to use the internet link and the internet link by the way is going to need the qos setup on it so that i can handle the voice over ip traffic but then once the mpls circuit starts behaving again i want to swing it back that's complicated that's very very difficult um because again i've got to have the qos established on both sides i've got to be able to recognize when mpls is online i've got to be able to swing it over um that's it's very very complicated and then if i told you again i'm 
thinking like i'm the i.t director or something here like i want you to do this with every application i want some of my applications to always use the internet link but if the internet link goes down i would like those applications to swing over to use mpls some of the applications are not mission critical i would never want them on the mpls because the internet circuit is 100 meg and the mpls circuit is only 20 meg or what have you right i mean like these are the these are the conversations the business level conversations that we've never been able to have because we didn't have sd-wan it's not that we couldn't do it it's just that it was so hard and so complicated and even if we got it working on day one right like let's say we just got some consultants in and we just rocked out for three months and we got this you know i don't know how many tens or hundreds of thousands of dollars we spend on engineering services and um and just time spent and everything we get it all working and then guess what like a month later we get a new application and a month after that we get a new land circuit somewhere and and all of these changes start happening and maintain managing and maintaining that policy over time is a nightmare and so sometimes that's the hardest part about having a complicated um solution like that is it's not necessarily the initial deployment but the idea that we could possibly manage maintain it over time is just it's just unrealistic so all of that to say fortunately as you can imagine sd-wan makes this a whole lot easier sd-wan has this concept of application routing application routing is going to allow us to do exactly what i was just describing we want to be able to route on a per application basis across different links depending on the day basically you know is it is it is the pls circuit having a good day or a bad day is the internet circuit having a good day or a bad day and so if i have if i if i'm having a good day i suppose then i want this 
application let's say it's voice over ipa again i want voice over ip to hit that router and get redirected out the appropriate link following this methodology of swinging it back and forth on an as needed basis so we talked last week about the different types of application routing how you can do like active stand or you can do active active where you're just load balancing across both links you can do ipsla based you can do application aware routing and such and so there's different options that we can do there but here's the question how does this router know that this is voice over ip traffic um classification of network traffic would have been one of the harder parts of deploying what we just talked about before in traditional networking like how are we identifying voice over ip packets versus database packets versus email packets that that's going to be one of the challenges that we'd have to address well sd-wan we have two different ways of identifying applications for identification we have the really the fallback method i'll say is the six tuple concept we have the source and destination ip address we have the source and destination ports i'll put ips and ports then we have the dscp tag from a qs perspective and then we have the protocol number now that's great we can identify applications that way but it's not super accurate i i mean at least it's not it's going to take a lot of work to make sure that we're properly identifying our traffic meanwhile we also have another option so six tuples option number one the preferred option number two is deep packet inspection or dpi these routers come with a database full of information on how to identify specific applications and that list of applications is constantly growing as you can imagine when you update your version of sd-wan software new dpi inspection parameters or what have you get forwarded down to the router and that database gets more full and it's able to identify even more applications biggest 
problem with dpi is it requires a license so we need to make sure we're fully licensed to uh to be able to leverage deepak inspection it's not something that unfortunately uh comes with the native sd-wan product so uh but that said if you're a large enough organization that you have enough routers that it makes sense to deploy application aware routing then you're probably going to license your routers for dpi at that point i mean that it's not just that you're licensing dpi you're also licensing several other things at once including like additional topologies with your ipsec tunnels and such and so once you get up to that level it's just going to be one of these things that you're going to have in all likelihood but the idea is this so now i've got dpi or even the six tuple and so i can identify the traffic as it comes in and then i can send it out whichever link is most appropriate now here's the crazy thing and this is something that it's more just something to plant in your back of your head all right i'm not going to say that everybody out there is replacing their mpls circuits with internet links but at the same time some organizations are finding success with this if you think about it mpls costs a lot of money a lot of money we're talking thousands of dollars a month in some remote locations and in in most places these days you're probably in more like the hundreds a month but you think about an internet circuit i mean internet circuit is cheap and yet look at this this is not at all unrealistic to say i mean it's probably unrealistic that the internet would be that small these days i mean you can get hundreds of megs of internet circuit raw internet circuit for a fraction of the price of an mpls circuit that's a fraction of the bandwidth so it's kind of this weird thing where you pay less and you get more the reason we go with mpls though is because there's a third factor and that would be reliability and mpls is super reliable compared to the internet 
which is just best effort and so my voice over ip traffic is so important that i would never send it out in an internet link i would only ever send it on mpls but here's what's interesting what if instead of getting that mpls link i already get two or maybe even three internet circuits and what if they were truly different internet service providers going through different paths to get to the public internet if one of my internet circuits is having a bad day i could swing it over all of my traffic my voice over ip traffic at least i could swing that over to a different internet circuit and so there are a lot of companies that like for for the most mission critical applications you're probably still going to want mpls if you're hospital if you're you know doctor's office you know there there are you know law enforcement and such they're going to be situations where you need the reliability of mpls but in a lot of cases some you could actually explore the possibility of leveraging two internet circuits there's a lot of opinions out there about that some people are like no way never do it but there are again i mean you can't deny there are some use cases out there where organizations are actually saving so much money by replacing mpls circuits that they are able to pay for their sd-wan uh you know hundreds of thousands of dollars worth of sd-wan technology that they're investing in gets paid off in a matter of months because the amount of money they save from mpls circuit payments which is which is insane so it's one of the things you have to look at your own organization and try to decide if it makes sense but if you're trying to cross-justify sd-wan to your bosses that might be one area that you'd take a look at just you know obviously keeping in mind full you know disclosures and all of that right like i'm not telling you to go out and replace your mpls circuits this is simply something that you can look into okay whoo all right so we're at a little less than 10 
minutes left we've got two more things to cover but they're both pretty quick um of course you can dive deep into either one of these but i just wasn't planning on drilling too deep into either one of these uh the first is this concept of on-ramp now cisco creates and of course this came from viptela but still there are two different types of on-ramps there's on-ramp for is infrastructure as a service and on-ramp for sas software as a service these are ways that we can use sd-wan to make our network not our network make our communications with our cloud more efficient which it seems really odd like wait a second i can i can make my communications to the cloud more efficient by deploying sd-wan that doesn't seem intuitive at first but here's how this works is the idea of is on on-ramp for is is that it will automatically deploy a uh an edge device i was going to say v edge but really it's just a v address the edge into the cloud so the idea is i might have a bunch of vms in a cloud space like microsoft azure amazon etc actually i think those are the only two vendors that are supported at this point unless one has been added since last i saw but the idea is that you can go into cloud on-ramp for ias within vmanage it'll automatically push it'll push an edge router onto your virtual machine network and connect that back into your sd-wan fabric so now your virtual space in a cloud somewhere is actually part of your sd-wan fabric i think that's really cool i i you can do that manually there's there's no harm in doing it yourself you can do exactly what on-ramp for no john i'm trying to say it what you what on-ramp for is does you can do manually as well there's nothing special about is uh on-ramp for is that you you don't get anything extra it's just the automated deployment of these resources on-ramp for sas however that's an interesting one the software as a service says that i have like i think i even used the example when we talked about on-prem versus cloud a few 
sessions ago i was like i've got my budgeting app and i no longer install my app onto my pc instead i use a cloud service i just point my web browser log in manage my budget there that's a software as a service concept because i'm not running the application anymore on my home pc i just point my web browser to it it's running in somebody else's data center somewhere so if i have that concept this takes a little bit of drawing out here i'm just going to do one way in circuit for now just for simplicity sake what if i had a scenario like this where i have um i think how exactly i do this what if i had internet at all of these locations and so i'm going to connect my user is coming in i'm trying to access my software as a service well what this router is doing is it is actually targeting a primary and a secondary internet link so assumedly this would be my primary and maybe that would be my secondary and i'm sending sort of a ping of sorts to that software as a service provider and i'm trying to figure out really ultimately what's the best way for me to reach that software as a service provider if this is a worldwide situation and maybe this is in a completely different country and that internet circuit is just better even with the latency in here which it does take into account it takes this connection into account adds that to the internet circuit here and compares that with the native connection it might decide to send that to another location and take advantage of the better internet so it actually improves our ability to use software as a service from the perspective of i've got multiple you know i like the word on-ramp honestly it's like i've got multiple on-ramps to the internet which on-ramp should i choose should i choose the one that's close by or am i going to get on there and get stuck in a traffic jam or should i drive a little ways and jump on the the on-ramp there and then it's actually a much faster journey i have no idea if that analogy worked or not 
but that's the concept of on-ramp cloud-on-ramp for for software as a service so again it's weird because there's two different on-ramp services that they're both cloud-related but they have nothing to do with each other they're very different with how they operate but just understand that is is more about auto-deploying edge devices into the cloud and software as a service is more about trying to figure out the best path to my cloud provider and last but not least and there's not a whole lot to say about this at this point is hold up i'll write it out the analytics all right the analytics this is a module that must be purchased from cisco so again license i gotta buy my license to get v manage and it's supposed to say module there we go uh what this does is it gives me capacity planning gives me a lot of reporting it gives me a much greater visibility into what's happening in my sd-wan environment now from what i've heard v analytics when cisco acquired it wasn't quite in a great spot but i think it's been getting a lot better cisco's been investing a lot of effort into improving that so if you if you gave that a shot early on and you're like it just doesn't really do much it might be worth checking out again and you might be able to get a demo license from your cisco team if you reach out to them but what this is doing is it's also going to um be monitoring the uh the the different wan links and it's gonna be taking wait wait a second oh whoops yeah that's okay never mind i forgot to mention this with the uh with the on-ramp for sas that's most likely on my notes i'm like wait i'm in the wrong section there's this concept of viptela quality of experience vqoe that software as a service concept was going to be comparing the vqoe out the different links so basically that's that number that it's comparing to try to figure out what best link is it's rated from 0 to 10. 
and and this concept of vqoa is being monitored well you can see the vqoe for the whole system by using v analytics so v analytics gives you a lot of it's just like give a dashboard of different um tools that we can use to try to figure out what's going on in our sd1 environment a given time so we look at the vqoe actually on a per application basis using v analytics so i can look at my voice over ip and say hey what level of quality of experience am i getting today versus yesterday versus a month ago is my experience going up is it going down is it maintaining a good level right and then truly you can log in take a look sometimes and say oh wait a second my this application is doing really well but this application is doing really poorly why would that application be doing poorly maybe i should check my application routing policies maybe it's getting routed out a bad direction i mean who knows i can see downtime statistics i can see um just application again i mentioned capacity planning so you're looking at like how is my bandwidth doing am i at 60 capacity am i 80 capacity at peak hours so the analytics module is again it's when cisco started i think it was more of a dream of where this could go but it's actually come a long way towards providing a deep analytics into your sd-wan space which is honestly it's something that we all wish we had for for every aspect of our network to be able to wrap our arms around it tell what's happening it goes beyond the dashboarding that we get on vmanage okay well i think we're going to potentially wrap up on time today how about that so um and then my camera said it's time to go let's go so um hey thank you very much everyone for hanging out with us we'll again it's been a long conversation on sd-wan there was a lot to cover over the last three sessions there's even more we could cover so for those who don't know i'm an instructor on cbt nuggets cbt nuggets is a site that we've got training content from cisco to microsoft to 
comptia to you name it you know go out and check out our portfolio cbtnuggets.com and if you want more information on sd-wan or encore in general we've got an entire encore course there um the sd-wan material that's within encores is about i mean it's going to be a little bit deeper than what we were able to cover because this is just fly-by-hour-long conversations but i do personally i'm the one who does a lot of the sd-wan white boarding and such and from an encore perspective but then again very excited that within the next few weeks we're going to have an entire sd-wan course um out and released hopefully um i keep saying the next few weeks but you know ideally in the next month or two we'll we'll see just depends on how long it takes to process and get it out there but i'm very excited for it um working with nox hutchinson keith barker um super excited to be working with those guys on on this topic so um i'm gonna hang out in the chat for another five or ten minutes so if anybody's got any questions be sure to stick around and ask those otherwise oh very important we are taking a break in two weeks so we're ending sd-wan we're going to start sd access another very exciting topic but i'm going to go ahead and take one week off as we kind of prepare for that and so even though i'd say one week off it's every other week right so our next session will actually be i believe it's october 21st i believe that's what it is uh maybe it'll the ending side will tell you when it is [Laughter] but it's in four weeks from today so i look forward to seeing you there until then take care bye-bye [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] you
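The application-routing decision the presenter walks through (classify the flow, send it over the preferred WAN link while that link meets the application's SLA, swing it to another link when it does not, and swing it back once the preferred link recovers) can be modelled in a few dozen lines. The block below is an added example written for this page; it is not the presenter's code and not Cisco's SD-WAN implementation. The six-tuple match rules, the per-application SLA thresholds, the color names "mpls" and "biz-internet", the "strict" drop behaviour for voice, and all link measurements are constructed assumptions for illustration. Real deployments measure path quality continuously with BFD probes and express this policy in vManage rather than in code.

```python
"""Toy model of SD-WAN application-aware routing (added example, not the
presenter's or Cisco's code).  A flow is classified by six-tuple, then sent
over the first WAN color whose measured loss/latency/jitter meets that
application's SLA; when the preferred color degrades the flow swings to the
next color and swings back once the preferred color recovers.  All policy
numbers, color names and link measurements are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    """The six tuple named in the talk: IPs, ports, DSCP and protocol."""
    src_ip: str
    dst_ip: str
    protocol: int   # IP protocol number: 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int
    dscp: int       # DSCP value: 46 = EF, the usual voice marking


@dataclass(frozen=True)
class Sla:
    max_loss_pct: float
    max_latency_ms: float
    max_jitter_ms: float


@dataclass(frozen=True)
class LinkStats:
    """One probe report for a WAN color (constructed values in the tests)."""
    loss_pct: float
    latency_ms: float
    jitter_ms: float


def classify(flow: Flow) -> str:
    """Six-tuple classification, the fallback used when DPI is not licensed.
    The match rules are assumed for the example."""
    if flow.protocol == 17 and flow.dscp == 46:
        return "voice"
    if flow.protocol == 6 and flow.dst_port in (1433, 3306, 5432):
        return "database"
    if flow.protocol == 6 and flow.dst_port in (25, 587, 993):
        return "email"
    return "default"


# Assumed policy: SLA thresholds plus preferred colors in order of preference.
# "strict" means the class is dropped rather than sent over a path that
# violates its SLA (the talk's "I would never send voice out an internet link").
POLICY = {
    "voice":    {"sla": Sla(1.0, 150.0, 30.0), "colors": ["mpls", "biz-internet"], "strict": True},
    "database": {"sla": Sla(2.0, 200.0, 50.0), "colors": ["mpls", "biz-internet"], "strict": False},
    "email":    {"sla": Sla(5.0, 400.0, 100.0), "colors": ["biz-internet"], "strict": False},
    "default":  {"sla": Sla(5.0, 400.0, 100.0), "colors": ["biz-internet", "mpls"], "strict": False},
}


def meets_sla(stats: LinkStats, sla: Sla) -> bool:
    return (stats.loss_pct <= sla.max_loss_pct
            and stats.latency_ms <= sla.max_latency_ms
            and stats.jitter_ms <= sla.max_jitter_ms)


def select_color(app: str, links: Dict[str, LinkStats]) -> Optional[str]:
    """Return the WAN color to use for `app`, or None when a strict class has
    no SLA-compliant path."""
    policy = POLICY[app]
    for color in policy["colors"]:            # preferred order
        stats = links.get(color)
        if stats is not None and meets_sla(stats, policy["sla"]):
            return color
    if policy["strict"]:
        return None
    for color in policy["colors"]:            # non-strict: best available, SLA or not
        if color in links:
            return color
    return None


def route(flow: Flow, links: Dict[str, LinkStats]) -> Optional[str]:
    return select_color(classify(flow), links)


def simulate(flow: Flow, reports: List[Dict[str, LinkStats]]) -> List[Optional[str]]:
    """Re-evaluate the decision for each successive probe report, which is how
    the 'swing over, then swing back' behaviour shows up over time."""
    return [route(flow, links) for links in reports]


if __name__ == "__main__":
    voice = Flow("10.1.1.10", "10.2.2.20", 17, 16384, 16400, 46)   # constructed
    healthy = {"mpls": LinkStats(0.1, 40.0, 5.0), "biz-internet": LinkStats(0.5, 60.0, 10.0)}
    mpls_bad = {"mpls": LinkStats(3.0, 40.0, 5.0), "biz-internet": LinkStats(0.5, 60.0, 10.0)}
    for step, color in enumerate(simulate(voice, [healthy, mpls_bad, healthy])):
        print(f"probe {step}: voice -> {color}")
```

Each probe report is evaluated independently, so recovery needs no extra state: as soon as the preferred color meets the SLA again the flow returns to it. A production implementation would add dampening so that a link hovering around a threshold does not flap traffic back and forth every probe interval.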
Info
Channel: KishSquared
Views: 1,288
Rating: 5 out of 5
Keywords: cisco, sdwan, encor, ccnp
Id: -uHiN_HPPAc
Length: 69min 9sec (4149 seconds)
Published: Wed Sep 23 2020