Protect your critical network traffic with IPsec, the easy way!

Video Statistics and Information

Captions
There is a lot of buzz these days about the term SD, for software defined, like SD-Access or SD-WAN, and in this video I'd like to chat with you about two basic things. Number one: what is the big thing about SD-WAN? Why is it so needed? How much does it really help us? And second is, what the heck is going on with your hair today, Keith? What is up?

So let's start with a scenario where we have, like, a headquarters site right here at site 10, and we have a site 20, site 30, site 40. These could be in, you know, different cities or even different countries, and we want the connectivity to be able to happen between them. Maybe there's a server here at site 10 and that needs to be reachable by the people over at site 20 or site 40 respectively. So here's what we used to do a long, long time ago in a galaxy far away. I'm talking about 20 years ago. We would create IPsec tunnels where we wanted to secure the traffic. So this transport network here, that could be MPLS or the internet or basically any WAN carrier, Frame Relay if you're going way, way back in the time machine, but this is just a transport network. The cloud represents the connectivity that can exist between these four sites. So what we would do is we would build IPsec tunnels. IPsec is a framework of encryption to protect packets as they are cruising over the network, and here are the tunnels we would build. We need to build a tunnel, a site-to-site tunnel, from site 20 to site 10.

In doing that, it's pretty tricky, because in the old days we'd have to set up what's called a crypto ACL that identifies the source and destination traffic, and then we'd have to create a crypto map and a transform set and knit that all together and associate it with the interface. There's a lot of configuration to get it to work. Now that's just for one tunnel, but we have more work to do here. So as we continue our discussion here, we'd also build an IPsec tunnel here between the 10.10 network and the 10.30 network, between site 10 and site 30, and then we'd want an IPsec tunnel here between site 10 and site 40 to protect the traffic from 10.10 going down to 10.40 and vice versa. This would be referred to as a logical hub and spoke, because we have the hub up here and then there's remote connectivity down to these spokes.

However, what if there was a server over here at site 30 that somebody at site 40 needed to get to? Well, they would have to go over the IPsec tunnel to the headquarters location and then be redirected down, but that is not as simple as it seems with the old-school technology. In my CCIE Security exam that is one of the tasks I had to do. It looked pretty simple, like a hub, three spokes, no problem, they're using firewalls for it, but still what we have to do is identify, okay, from site 40, that's 10.40, destined to 10.30, and then at the hub, at the headquarters site, site 10, we'd have to configure the crypto ACL to match on that traffic pattern as well. It was a nightmare. No, not good. But it even gets worse if we wanted a full mesh. If we want site 40 to be able to reach site 30 directly, that's again more IPsec tunnel manual configuration, so that would look something like this if you want to do a full mesh like that. Let's see if we have it all. Um, nope, we need one more right here. So the formula for a full mesh of anything is n, and then in parentheses n minus one, divided by two. That means if you have four sites you do four, and then four minus one, divided by two. So if you do the math on that, you do the stuff in parentheses first, so four times three divided by 2, and then at that point we just go left to right, so 4 times 3 is 12, divided by 2 is 6. So basically this says to get a full mesh of IPsec tunnels we would use 6 tunnels, which is represented here. But what happens if we add two or three or four or five more sites? Now today we have some horsepower where we can handle all those tunnels, but the manual configuration of all that is just almost undoable if we were going to do it manually with the old methods. So the question might come up: okay Keith, that sounds like a lot of work, a lot of problems. And it is. How do we solve it? Alexa, stop. Oh my gosh, she's gonna talk to her. All right, so that's a lot of work and a lot of hassle to get it done. So how does SD-WAN help us to overcome this? Currently, if we have the SD-WAN solution from Cisco (other vendors also have a similar solution to this as well), the answer is we just, in software, define what we want: who we want to be able to communicate, what routes show up where, and it just rains down the configuration. Check this out.

Now what I'm about to show you is my topology where I've got like six or seven sites, and I did not have to configure IPsec on any of them. Here's what I did with SD-WAN: I specified that I want these four devices to become part of my SD-WAN fabric. That basically is a fancy way of saying they're all participating. Then these guys came online, they checked in with the controller, the management network, they got their configs, and then via a dynamic routing protocol called OMP it automatically trained all these four devices on exactly who they should peer with, what keys they should use, and I didn't have to set up any of that. And yet the functionality is there. So if a device over here at site 10 wants to ping somebody over here at, let's say, site 20, they can just go ahead and send that traffic. It would go to their default gateway, which is this edge device in our SD-WAN network, and this device, which is vEdge 10, would take that data, encrypt it, ship it directly over to device 20, which would decrypt it and then forward it to this PC. So as a test let's imagine this PC. It ends in dot 20; its IP address is 10.0.20.20.

And also one other term I want to share with you before I demo this is the concept of a VPN. Now it's going to take a little bit of retraining on our parts to think differently about a VPN. Traditionally, like a decade or two decades ago, when we talked about VPNs, a lot of times we think about an IPsec VPN, like a virtual private network, or a remote access virtual private network. In the context of SD-WAN, when you hear the word VPN I'd like you to think of a group of routes. So if we wanted to include this network and this network and this network and this network in a group, like a group of routes, we could call that a VPN and we give it a number. Let's call it VPN 10. That way all these edge devices know that they are participating in VPN 10 and they know what routes are reachable in that VPN, which again in this context is simply talking about a group of routes.

So as a demonstration, let's just hop over to this edge device on our SD-WAN network, which is vEdge 10, let's take a look at the routes, and then we'll try to ping a device over here on this 10.0.20 network. So here I am sitting at vEdge 10. If we did a show ip route, it's got quite a large routing table that was mostly populated by this routing protocol OMP, the Overlay Management Protocol. Think of OMP like the protocol, the language of love, between all the edge devices and the controller devices, which are up in the cloud, and we'll have a separate video just on vSmart and how that works. But if we hit the spacebar a few times there's lots of routes, and also notice over here on the left that's representing the VPN number. So this is basically all the routes that are part of VPN 10, which is a group of routes, and here is 10.0.20 right there. So vEdge 10 says, hey, if I need to get to 10.0.20.anything as part of this group of routes called VPN 10, I can do it. I'll simply follow the instructions based on my routing table. And if we did a show ipsec outbound-connections, this is going to show us all of the IPsec tunnels that are currently in place between this vEdge device, like a router at the edge of our SD-WAN network, and the other edges that it may need to communicate with. So the benefit is all these IPsec tunnels are dynamically built. We don't have to manually do any of them, and then if we send traffic it's going to automatically encrypt and send that traffic protected over the IPsec tunnel.

So I'm going to do a ping. I'm going to source this from VPN 10, because it has several different groups of routes that it can use, and I'm going to ping the IP address of 10.0.20.20, which is over off of site 20. We'll press enter and there it goes. Now that's being encrypted and protected courtesy of IPsec as it goes from this edge device over to the edge device at site 20. And you know, it'd be cool, let me do a capture for us as well. So let's do the ping again, and this time I'm going to make it a little bit bigger. That way when we see it in the packet capture we say, oh yeah, there you go, there's the pings. I'm going to send it at a thousand. There'll be a little bit of overhead, but this will help differentiate it so we can see, oh yeah, those packets that are being sent from vEdge 10 to vEdge 20, they are being protected by IPsec.

And here is the capture of that traffic. Now I put a display filter right here that said please only show me frames that are equal to or greater than a thousand, and so all of these are the conversations, the pings and the replies, between vEdge 10, which is at 192.168.10.10 (that's its IP address over the cloud network, the transport network), and 192.168.10.20, which is vEdge 20's IP address that's reachable over the cloud network, or the transport network. Now in the past, traditionally, we'd see IPsec as protocol 50 at layer 4. But look at this: it's UDP. So what happens is that IPsec is actually being encapsulated and then hidden behind a UDP header, and one of the benefits of SD-WAN is that not only did we have the management, the control network, rain down this information to the edge devices saying, hey, here's your information for the tunnels, but they also rained down the keys involved and the ports to use. So when vEdge 10 wanted to talk to vEdge 20 and forward an encrypted packet, it had all the keys, all the routes, all the information needed. It just encrypted it, shipped it over, and vEdge 20 decrypted it and forwarded it on to the final destination.

So another logical question would be, okay, with SD-WAN, who exactly is raining down all this information regarding the routing and the VPN information and the keys involved? Where's that coming from? It's coming from a controller network, and in that controller network there's a specific device that's in charge of raining down, or sending, all that detail to all of the edge devices, and that device has a name, and it is vSmart. If you want to know more about vSmart and how that plays this role, we'll have a short video coming up on that next. So thanks for joining me and I'll see you in the next video.
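As an added example (not from the video and not Cisco's own code), here is a small Python classifier for the two packet shapes the capture discussion contrasts: classic ESP carried directly as IP protocol 50, versus ESP hidden behind a UDP header, plus the "frame length at least 1000" filter used in the capture. Packets are constructed inline; the transport addresses and the UDP port 12346 passed as a fabric port are assumptions, not values from the video.

```python
import struct

ESP_PROTO = 50        # classic IPsec: ESP rides directly on IP as protocol 50
UDP_PROTO = 17
NAT_T_PORT = 4500     # RFC 3948 UDP-encapsulated ESP (NAT traversal)


def parse_ipv4(pkt: bytes) -> dict:
    """Pull out the IPv4 fields needed to classify the packet; rejects truncated input."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {"proto": pkt[9], "len": total_len,
            "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "payload": pkt[ihl:total_len]}


def classify(pkt: bytes, fabric_udp_ports=()) -> str:
    """'esp' for protocol 50; 'udp-encapsulated-esp' when ESP hides behind a UDP header on
    NAT-T or a known fabric port (SPI must be non-zero: a zero marker means IKE, not ESP)."""
    ip = parse_ipv4(pkt)
    if ip["proto"] == ESP_PROTO:
        return "esp"
    if ip["proto"] != UDP_PROTO or len(ip["payload"]) < 12:
        return "other"
    _, dport, _, _ = struct.unpack("!HHHH", ip["payload"][:8])
    spi = struct.unpack("!I", ip["payload"][8:12])[0]
    if dport in (NAT_T_PORT, *fabric_udp_ports) and spi != 0:
        return "udp-encapsulated-esp"
    return "udp"


def large_frames(pkts, min_len=1000):
    """Equivalent of the capture's display filter: keep frames at least min_len bytes long."""
    return [p for p in pkts if len(p) >= min_len]


# --- constructed sample packets (addresses and ports are assumptions, not from the video) ---
def ipv4(proto: int, payload: bytes, src="198.51.100.10", dst="198.51.100.20") -> bytes:
    addr = [bytes(int(o) for o in s.split(".")) for s in (src, dst)]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, *addr)
    return hdr + payload


def udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


ESP_BODY = struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 1000   # SPI, seq, then ciphertext stand-in
CLASSIC_ESP = ipv4(ESP_PROTO, ESP_BODY)                          # what the video expected to see
FABRIC_ESP = ipv4(UDP_PROTO, udp(12346, 12346, ESP_BODY))        # ESP hidden behind a UDP header
PLAIN_DNS = ipv4(UDP_PROTO, udp(40000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8))
```

Without the fabric's UDP ports the encapsulated tunnel traffic is indistinguishable from ordinary UDP, which is why a capture filter for protocol 50 alone misses it.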
Info
Channel: Keith Barker
Views: 14,282
Keywords: cisco, Cisco Certification, ogit, Keith Barker, sd wan, sd wan cisco, sd wan viptela, sd wan basics, ipsec, cisco sd wan training, cisco sd wan demo, cisco sd wan on eve-ng, cisco sd wan tutorial, cisco sd wan, cisco sdwan viptela, cisco sd wan introduction, sd wan introduction
Id: GmCGP7QH0nE
Length: 10min 49sec (649 seconds)
Published: Sat Sep 12 2020