Cisco CCNP Enterprise 300-415 ENSDWI – SDWAN Policy Part 2

  1. Use Control Policy to Block subnet

All right, so what is the agenda for this lab? We are going to create a policy that blocks certain routes from being advertised. Let me go to branch one, vEdge number two, and show you the configuration. Here you can see an interface called loopback 77 whose IP is 77.77.77.77, and it sits inside VPN 10. If I show the configuration of VPN 10 you can see I am advertising this loopback, and since I am advertising it, by default the vSmart will send it to everyone. So if I go to the device list and check branch two vEdge 1, and I can also go to DC vEdge 1, in both places you will see this route arriving. If I run show ip route and filter it to VPN 10, you can see it is arriving at the DC. Likewise, if I log in to branch two, let's look at show ip route for VPN 10.

Inside VPN 10 I should see that 77.77.77.77 network, and if you want to filter further you can run show ip route with the specific network. So it is arriving here. What I want is a policy so that, once it is applied, this route no longer comes to branch two but still goes everywhere else. So let's go to Configuration, then Policies, and inside Centralized Policy I'll add a policy. In the policy builder you have four steps along the top. First you create the groups of interest, which are nothing but lists: you can see lists for application, color, data prefix, prefix, site, SLA class, TLOC, et cetera. The second step, configure topology and VPN membership, is the control policy option. The third step, configure traffic rules, is the data policy.

And finally you always apply the policy with respect to a site list. So what I will do first is create a prefix list, because this is a control policy. I'll create a prefix list called block-77 with the prefix 77.77.77.77/32 and add it. Then I want a VPN list called VPN10 with ID 10, because I want to write the rule with respect to the VPN; at the bottom you can see I now have VPN 10. Then I'll create a site list called branch2; the site ID for branch two is 400. Now I have all the interesting items for my policy, the VPN, the site and the prefix, so I'll go next. The next page is the control policy. I want to create a custom control policy (route and TLOC); I'll name it block-77 with a description like "block 77 prefix from branch one to branch two".

You can give any meaningful description like that. Then I go to the sequence type: I want to match a route. What do I want to match? First the prefix list, so I need to scroll a little and select block-77. Then I match the VPN list VPN10 that I just created. Do I want to match a site? I will match the site when I apply the policy, but I can also match the site here: which site does this route belong to? It belongs to branch one, whose site ID is 300. If you haven't created that list yet, you can create it right here: I'll call it branch1 with ID 300, click save, and now I can select it.

So now I am matching VPN 10, site 300 and the route, that is the prefix 77.77.77.77/32. What do I want to do on a match? I want to reject it. That's the policy. Before saving I can give the statement a name, say block-loopback-77, any logical name, and save the match conditions. Then I go to the default action, which should be accept, otherwise it will block everything. Once I have my policy I go next. The next page is the data policy: application-aware routing, traffic data and cflowd. At the moment we don't have anything there, so I go next. Finally you have to apply the policy.

You always apply a policy with respect to a site list. I'll give it the name block-77-for-branch-2 and a description. Under topology you see the control policy, block-77; there you select the direction, which is outbound, meaning from the vSmart to the vEdge. Where do I apply it? To the branch2 list that I created. Click Add, and click Preview if you want to see the CLI equivalent.

In the CLI you see policy, control-policy, sequence, match route with this prefix list, this VPN list and this site list, so we are matching all the lists, then action reject, and default-action accept. What is the prefix list? 77. What is the branch list? 300. What is the VPN list? 10. Where is it applied? If I scroll down you can see it is applied to branch2, which is site 400. So this is the policy construct, and step by step you can verify it, then click Save Policy. Saving does not mean you have activated it: you go to the policy, open the More menu and click Activate.

Now vManage pushes this policy to all the vSmarts, and from the vSmart it gets pushed to branch two, because in the apply statement we used only one site list, branch two. Now I'll open the SSH terminal: first the vSmart, where I can show you that the policy is applied, then at least branch two and data center one. Branch two should not get this route but data center one should, so let's do the verification one device at a time. On the vSmart, if I type show running-config policy you can see the entire policy with all its steps, and show running-config apply-policy shows the apply statement as well. Then on branch two, where I should not receive the route, I run show ip routes vpn 10 for the 77 prefix: it is blocked, I'm not getting that specific route here. But if I run the same command in the data center, show ip routes vpn 10 77.77.77.77, you can see we are getting it there and not on branch two. Branch two still has the default route it learns from the data center, but this specific route is not there. So this is one example of a control policy.
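The vSmart CLI form of the policy built above, written out here as an added example; it is not the preview text from the page, and the list names are my own choice while the prefix 77.77.77.77/32 and the site IDs 300 and 400 are the ones used in the lab:

```text
policy
 lists
  prefix-list block-77
   ip-prefix 77.77.77.77/32
  !
  site-list branch1
   site-id 300
  !
  site-list branch2
   site-id 400
  !
  vpn-list vpn10
   vpn 10
  !
 !
 control-policy block-77
  sequence 10
   match route
    prefix-list block-77
    site-list branch1
    vpn-list vpn10
   !
   action reject
   !
  !
  default-action accept
 !
!
apply-policy
 site-list branch2
  control-policy block-77 out
 !
!
```

Applying the policy "out" to the branch2 list means the vSmart filters only what it advertises to site 400; every other site still receives the prefix, and the vSmart itself still holds it. Two checks worth running after activation: on branch two, show omp routes vpn 10 should no longer list 77.77.77.77/32 and show ip routes vpn 10 should not install it, while the same commands on a DC vEdge still show it. Do not leave out default-action accept: the implicit default action of a vSmart control policy is reject, so without it every other route to branch two is withdrawn as well.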

  2. vSmart Policy Execution & Revision

The best way to understand a policy is to build it. Now that we have seen one example, let me quickly revise the theory. Whenever a policy is processed, it is processed from top to bottom: first sequence 10, then sequence 20, and so on down the list, and at the end is the default statement, which is checked last. Whenever we apply a vSmart policy, we always apply it with respect to a site list. A control policy is applied unidirectionally, in or out; a data policy can be applied bidirectionally. So we have to choose the correct method and the correct direction for the traffic. What types of policies do we have? We have, for example, app-route policy, and that is the coolest thing in SD-WAN: app-route control means that with respect to the application I can route traffic according to certain SLA criteria.

That is the true power of application-aware routing. My device, whether a vEdge or a cEdge or any other Cisco device, is able to recognize the application. On cEdge devices we have the NBAR engine doing the recognition; on the vEdge we have a deep packet inspection engine, I think it is Qosmos, that the vEdge uses to recognize the application. With these application recognition engines inside the box we can identify the application, and then with policy we can define the SLA and do path control. We have control policy, we have data policy, we have VPN membership policy (whether a certain VPN can be part of my corporate fabric or not), and I can redirect traffic with service chaining.

I can do a NAT type of policy: with the NAT configuration we can make the edge devices function as a NAT, so for example over VPN 0 I can have NAT. Application-aware routing has so many variations that most of it you'll find in course number two, where I'll discuss app-route policy and the related lab. Then we have the cflowd template: with cflowd you collect traffic statistics and export them somewhere for further analysis; it's very similar to NetFlow. Again we'll see the lab later on.

Then we have a series of labs related to control policy. With control policy I can do service chaining, traffic engineering, multi-topology support, route leaking (that is the export policy), service and path affinity, and arbitrary VPN topology. Service chaining simply means redirecting routes towards a firewall or another service device; with a control policy you need to create two policies, one for the in-to-out direction and one for out-to-in. Traffic engineering means I can prefer a certain data center for a certain branch: branch one sends traffic towards data center one, branch two towards data center two. Or, if you want branch one to use data center one as primary and data center two as secondary, I can do that too: we can make routes primary and secondary with respect to branch and DC.

That I can do with traffic engineering. By default, what happens in the Viptela fabric is that two different service VPNs, for example VPN 10 and VPN 20, do not communicate across the fabric unless we do a route leak between them. So you create a control policy that leaks the routes, and then VPN 10 and 20, either in the same box or in another box, will communicate. The analogy is VLAN 10 and VLAN 20, which will not communicate unless we have a router-on-a-stick or SVIs.

So that's the route leak policy: we match the VPN and the route and export it. Here you can see: match the route, match the VPN, export; match the route, match the VPN, export; and then you apply the policy in the in direction. Then we have very important use cases for data policy, which is another important policy inside SD-WAN: you can create app-route policy, service chaining, cflowd, traffic policy and counting. Even QoS is a type of localized data policy.
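As an added example of the route-leak control policy described above (my configuration, not from the course; VPN 10 and VPN 20 come from the text, the list names and the site range are assumptions), this is how the two match-and-export sequences look on the vSmart, applied inbound so that the export is evaluated on the routes as the vSmart receives them:

```text
policy
 lists
  vpn-list vpn10
   vpn 10
  !
  vpn-list vpn20
   vpn 20
  !
  site-list all-sites
   site-id 100-400
  !
 !
 control-policy leak-10-20
  sequence 10
   match route
    vpn-list vpn10
   !
   action accept
    export-to
     vpn-list vpn20
    !
   !
  !
  sequence 20
   match route
    vpn-list vpn20
   !
   action accept
    export-to
     vpn-list vpn10
    !
   !
  !
  default-action accept
 !
!
apply-policy
 site-list all-sites
  control-policy leak-10-20 in
 !
!
```

Each sequence keeps the route in its own VPN (action accept) and additionally exports a copy into the other VPN list, so the leak is symmetric. Because the leaked prefixes land in the other VPN's routing table, check for overlapping address space between VPN 10 and VPN 20 before activating; a more selective leak adds a prefix-list to the match so only the shared services are exported rather than every route.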

So the power of data policy is really good. With respect to service chaining I can create a data policy, and the nice thing is that you don't need an out-to-in and an in-to-out policy, because it is bidirectional: once you redirect towards the security device you don't need a policy for the return traffic, the same policy works for both directions. Then we can create local exit NAT, so that my guest users who are not members of the corporate VPN can go directly outside to access cloud resources.

Obviously I can't send that traffic directly without any firewalling or NATting or any other security provisioning, so I create the NAT policy and then the traffic can go outside. Here we have some NAT-related examples: you create a list with certain IPs, and only that traffic, say the prefixes belonging to this site, is NATted and goes outside to public resources, while the rest of the corporate traffic uses the IPsec VPN tunnels; we are not NATting all the traffic. So these are the types of policies we can create. In the next section I will show you one example related to multi-topology support inside the SD-WAN fabric. We can stop here and continue in the next one.

  3. Hub & Spoke Control Policy

In this example I want to show you how to create a hub-and-spoke policy. What is the topology at the moment? If you check the topology you'll find branch one with two routers, branch two with one router, DC one with two devices and DC two with two vEdge devices. In between we have two transports, MPLS and internet. What is the default behaviour of SD-WAN? By default you have all-to-all tunnels, a full mesh: with four devices you have four times three divided by two, that is six IPsec tunnels, and with seven devices you can count the number of tunnels yourself.

In the hub-and-spoke case I don't want a direct tunnel from my edge device to the other branch's edge device: from branch one to branch two I don't want a direct tunnel, I want the traffic to go to the data center and from there to the other branch. That's the whole idea. Before doing this we should understand how the branches form the IPsec tunnels in the first place. We have an intelligence plane, the control plane, that is the vSmart. Each device has TLOCs, transport locators, and a TLOC is the combination of the system IP, the encapsulation, for example IPsec, and the color, say MPLS or internet, whichever transport we have. Over those transports the devices form the IPsec tunnels. But how? I give my local TLOC to the vSmart, the other device gives its local TLOC to the vSmart, and the vSmart does the exchange.

To form the IPsec tunnel I know my local TLOC, and I need the remote TLOC and the key; that remote TLOC and key information I get from the vSmart, and then I form the tunnel. If somehow I do not receive the remote TLOC, I will not form the tunnel. Likewise, if the other device does not receive my TLOC, it will not form the tunnel, because to form the tunnel you must receive the TLOC. So what I can do is create a policy on the vSmart, obviously through the policy builder inside vManage: one control policy, say control-policy hub-and-spoke. In sequence 10 I have the options match route and match tloc; I will match the TLOC of site 300 and reject it.

Then in sequence 20 I match the TLOC of site 400 (300 is branch one, 400 is branch two) and reject it. Then the default action is accept, which means I accept the TLOCs of data center one, site ID 100, and data center two, site ID 200. Then I apply this policy to the sites branch one and branch two, in the out direction, or better, I should apply it to all the branches and all the data centers, everywhere. So I'm going to apply this policy to all the devices, all the site IDs.

All right, let's do this. Before that, we should verify whether I currently have a direct tunnel from myself to branch two or not. For that I open the branch two device, log in and see whether I can reach the other branch directly. I check show interface description to see what is inside VPN 10, at least: 10.30.3. If I type exit to leave the vShell and ping 10.30.3 inside VPN 10 with a count of two, I'm able to reach it, so then I do the traceroute for VPN 10 to 10.30.3. If it goes directly, that means I have a direct tunnel.

You can see it's only one hop away. And if I type show ipsec inbound-connections, from branch two where I am at the moment, I should have a direct tunnel to 10.3, and that's true: leaving the local TLOC aside, you can see that from 10.4 I have a tunnel to 10.3. That direct tunnel should not be there after applying the policy; you should not go directly, you should go via the data center. So to create this policy, let's go to Configuration, then Policies, and create the groups of interest, the interesting traffic. Let me decrease the font size a little bit; this much is okay.

Here I need a site list where I match everything, say all-sites-including-DC, from 100 to 400: 100, 200, 300 and 400 all come into this list. I don't need anything else, because now I have all the sites, and I have VPN 10 from the previous policy if I need it. So let's go on and create a new policy. Although you have the Hub-and-Spoke and Mesh options there, I want to create my own custom policy; I'll name it hub-and-spoke, any name will do. Click the sequence type: I want to match TLOC. What do I want to match in the sequence rule? The site, for example 300, and anything else along with it?

Carrier, color, domain ID, group ID, OMP tag, originator, preference, TLOC: no. For this site, what do I do in the action? Because we are already inside a TLOC sequence and have matched the site and the TLOC, the action by default is reject, so I can click save. I'll give it a name, say reject-tloc-of-branch1. A nice feature is that after saving I can copy this sequence; let me edit the copy, rename it to reject the TLOC of branch two, scroll down, click edit and give 400 instead of 300. So take the TLOC of 400 and reject it; the action is reject by default. Save these two conditions. Now I have these two control sequences, and I go to the default action, where I want accept.

Click accept, save the control policy, and go next. The next page is the data policy, which I don't want now, so next again. Now we are on the main apply page: under topology you can see the control policy, hub-and-spoke, and I apply it to all the sites including the DCs. Add it, click Preview and you can see the policy: match the TLOC of 300, reject; match the TLOC of 400, reject; default action accept all the rest of the TLOCs; the site list of all the sites including the data centers; applied to all. Save the policy, go to hub-and-spoke and click Activate. From here it pushes to the vSmart first, and from the vSmart to all the selected edge devices.

If you want to check the logs of the policy push, expand More: you can see the policy being created and updated from the vSmart to the selected sites. Once you see a success message, we go back to our devices and check. Click SSH; I'll go to branch one vEdge 2, branch two vEdge 1, DC one as well, and the vSmart, just to show you that the policy was pushed. Let me scroll down to vSmart one and log in. Inside the vSmart, show running-config policy shows that the policy has been pushed, and show running-config apply-policy shows the apply statement. Then I go to branch one vEdge 2, log in with admin and admin, and check show ipsec inbound-connections: I should not see 10.4 here any more.

And 10.4 is gone. I check show interface description, because from branch two I will traceroute to 10.30.3, but the session closed because of the 60 second, that is one minute, idle timeout. So I'll go back to branch two and log in once more. Failed to log in; somehow we are not able to reach branch two. Let me give it one more chance.

admin and admin, and we are inside branch two. Now I want to do the traceroute for this IP. You can see it tries to go to the data center, and from there it is not getting the route towards the other branch, so it fails. That's okay; our goal is met: look at show ip routes vpn 10 for the traffic towards 10.30.3 and you'll see we don't have a route towards 10.30.3, because it is no longer going directly from one branch to the other. So this is the way to create and apply the policy.
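The hub-and-spoke policy as vSmart CLI, added here as an example (my text, not the page's preview; the site IDs come from the lab, the list names are assumed). It differs from the walkthrough in two deliberate ways: the two sequences are collapsed into one by matching a site list that holds both branches, and the policy is applied only to that branch list. If it is applied to the DC sites too, the DCs also stop receiving the branch TLOCs and lose their own tunnels to the branches, which is why the data center in the final traceroute no longer has a path to the other branch:

```text
policy
 lists
  site-list branches
   site-id 300
   site-id 400
  !
  site-list dcs
   site-id 100
   site-id 200
  !
 !
 control-policy hub-and-spoke
  sequence 10
   match tloc
    site-list branches
   !
   action reject
   !
  !
  default-action accept
 !
!
apply-policy
 site-list branches
  control-policy hub-and-spoke out
 !
!
```

After activation, show omp tlocs on a branch vEdge should list only the DC system IPs and show bfd sessions should hold sessions to the DCs alone, while the DC vEdges still see every site. Rejecting the branch TLOCs only removes the direct tunnels; the branch routes advertised to branch two still carry branch one's TLOC, which branch two can no longer resolve, so they are not installed. Branch-to-branch traffic through the hub additionally needs those routes to resolve over a DC TLOC, for example a summary route originated by the DC or a set tloc-list action on the branch routes in this same policy.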
