Cisco CCNP Enterprise 300-415 ENSDWI – SDWAN Policy Part 5

  1. SD-WAN DIA Design Options

The WAN is evolving, and so is the SD-WAN, and so is the cloud integration with the SD-WAN, because when we talk about a new WAN strategy we are talking about how this new WAN, or new SD-WAN fabric, will integrate with or adopt the cloud. So it's not only the evolution of the WAN, it's the evolution of, and the change in, the strategy for cloud integration with the WAN. Why is it required, why are customers looking for this? Because if you look at SaaS (software as a service) adoption, it is predicted to grow to more than 20% in upcoming years. So now customers don't want to backhaul all their traffic towards the data center and burn the round-trip link utilization; rather they want to go directly.

They can go to the cloud directly and use the cloud-hosted application. Doing so, obviously there are some concerns: I can't expose myself directly to the cloud. So I can go to the cloud, but I should have the security measures in place. I can use direct cloud access, I can use direct internet access, but it should go via some secure gateway, and my corporate traffic going towards the cloud should be secure and performant. Customers are concerned about this; you can see that 25% of customers have this concern.

So whenever they are sending traffic towards the cloud, how are they sending it: directly, or backhauled and then on to the cloud? In either case they are concerned about loss, latency and jitter, and about overall visibility: once I am using the cloud-hosted application, what visibility do I have, what is the quality of experience, and so on. Now, if we remove these concerns, that is, if we remove the security concern, increase the performance and decrease the cost, obviously all customers will use direct internet access or direct cloud access, because removing those hurdles gives the ideal situation for every customer. Here you can see in the diagram that, starting with no DIA (no direct internet access), you are backhauling your traffic towards the central regional hub or data center and then going to the cloud, or you have a mix of both.

So either you go directly to the cloud, or you backhaul the traffic towards the data center and reach the cloud from there, or you have multiple paths to reach the cloud. These are the options customers have today, and they have to choose which design they are ready to use while considering visibility, loss, latency, jitter and the security concern. Now, we have two use cases at this point. First, DIA can be used by internal employees. What does that mean? Here in the diagram you can see that the corporate clients go directly out to the internet for internet access. That is the first case. The second case is the guest user.

Here you can see in the diagram that I have the guest users, and they are not part of the overlay, meaning they will not form the IPsec tunnel, and their traffic will not even go inside the IPsec tunnel to reach the corporate side, another branch or the data center. But they want to use the internet. So the guest users are using internet-hosted applications, or simply the internet. These are the use cases and concerns; later we are going to discuss more about the design aspects and the use cases related to designing direct internet access plus direct cloud access.

  2. Design – Cisco SD-WAN Direct Internet Access Design Components and Considerations

Let us talk about the design considerations for DIA: what are the components and the considerations. Here we have four different types of architecture. We may have a device with a hybrid structure, meaning one link going to MPLS and the other leg going towards the internet. Or we may have the mixed case: again the hybrid setup, but using a TLOC extension between the two devices. Or you may have dual internet, or dual internet with TLOC (transport locator) extension. In all these cases we can consider DIA, or local breakout. But suppose you have the classical case where you are not considering DIA; there too we have an option. So let's talk about both. We know that we have the transport VPN, VPN 0, which works like the IWAN front-door VRF.

Do a little bit of Googling for front-door VRF and you will find nice documents: in IWAN terms, only the outside interfaces sit in that VRF, to form, for example, the DMVPN phase 3 tunnels. And you may have different colors like red, blue, green, or different transports like MPLS, internet, and so on. Now the same logic is used here, under the name VPN. Behind the scenes a VPN is nothing but a VRF (virtual routing and forwarding instance). Viptela came with the idea of VPNs numbered from 0 to 512, where VPN 512 is nothing but your management VPN. Now on the Cisco devices, the Cisco ISR and other Cisco IOS XE platforms, you will find that you have VPN 1 to 511, and then VRFs from 513 upwards that we can go and use.

All right, now take the classical case where the branches want to use the IPsec tunnel to reach the internet that sits behind the data center. In that case, once the IPsec tunnel is built, vSmart advertises a default route to the branch devices, and then they are able to go and use the internet. So here you can see the internet traffic coming in. First of all, OMP sends the OMP route updates to all the SD-WAN devices. Now when traffic is destined for the internet, you can see that it can go to the internet. Or, if your internet link is down, it will go via MPLS and reach the internet router; from the internet router it will cross over and reach the internet. That will be the path.

Here you can see that if this link is down, the traffic will go via MPLS; somehow it should reach the gateway and then go out to the internet. That will be the preferred path in this design. In upcoming sessions we are going to discuss breakouts, or direct internet access, in more detail. Now, if you configure DIA, obviously you have to configure NAT. So on this VPN 0 I have configured NAT. Now I have decided for which source or which destination

I want to do NAT. So the internet traffic is coming over VPN 0, NAT happens, and then the traffic goes outside to access the internet. Correct? Now here again you can see this diagram. It's very clear that you have the service-side VPNs from 1 onwards (you are not seeing 512 here because that is for management), and the service-side VPNs are connected to VPN 0, because everything goes from VPN 0 to the destination, either as a NAT flow or as an IPsec flow. So, for example, in this case I have two interfaces where we have configured NAT outside, and hence the traffic from the service VPN comes to the NAT and from there does the local breakout. Okay. Now if you read this document, it tells you: suppose your internet is down, meaning your local breakout is down. What will happen? Suppose this red spot is down. In this case you can't go directly and use the internet.

So you will use the IPsec tunnel to somehow reach the internet gateway. From there you will go and use the internet that is behind the firewall inside the regional hub or data center. Correct? Meaning, you are backhauling the traffic towards the data center. So these are the design considerations, and you can understand from here that we should create a design for the intended internet traffic: either the corporate user wants to use the internet or direct cloud access (DCA or DIA), or you have guest users who want to do local breakout and use the internet. In both cases we should provide the correct methodology plus redundancy, so they can use the internet-based applications. Correct.

  3. Centralized Data Policy and NAT DIA Route to Deploy DIA

We have two options to provide DIA: we can provide it with the help of a centralized data policy, or we can use a NAT DIA route. Let's check both. The NAT DIA routes are very easy and straightforward, and there is no LAN-side filtering: here you can see that all the LAN-side, or service-side VPN, traffic is sent to VPN 0, and over VPN 0 we have NAT outside, so it goes and accesses the internet resources or resources hosted in the cloud. The second option is doing DIA via the centralized policy. In this case we have a filter option; we can filter the traffic. The strategy is that you categorize the traffic for the NAT flow, and you have the traffic categorized for the SD-WAN, or IPsec overlay, network as well. So if you check at this point you'll find that you have at least three flows over VPN 0. Suppose this is my VPN 0.

I have the NAT flow, I have the IPsec flow, and one more flow: we know that we have DTLS or TLS for control traffic, correct? So it is very important to design your queue policy, because we know that queue 0 is used for control traffic. You may have DTLS-related control traffic, OMP-related control traffic, BFD, and some sort of NAT flow; everything goes via queue 0. So if any issue is there, we should go and check queue 0, and that's why it's very important to optimize the number of control connections. Check how many IPsec tunnels you have; you don't want any-to-any and then N number of IPsec tunnels. That's why things are optimized in SD-WAN.

But we should know how much optimization we need in terms of the control channel, in terms of IPsec tunnels, in terms of breakout. All right, so one nice feature we have while using DIA is tracking the WAN interfaces. More precisely, we use this together with DIA, because there is a chance that your traffic gets black-holed. What is the scenario? Suppose you have one branch device and you are doing local breakout, so I am using direct internet access, and suppose that access goes down. How would I know that the traffic is unreachable, so that I can redirect it towards some other tunnel, towards IPsec?

So now I can use the IPsec tunnel to send my internet traffic to the data center, where you have the firewalls and then use the internet, and so on; but if you do not use the tracker, how will you get that alternate path? For that we have the tracker. What does the tracker do? It constantly sends probes just to check whether the path is up or not. If it is not up, then the traffic gets diverted, and where does it get diverted? Here you can see: the router withdraws the NAT route to the internet destination and reroutes the traffic to the IPsec tunnel that doesn't have NAT enabled. So it withdraws the route and sends the traffic towards the IPsec tunnel. Now, for this NAT tracker we have some important things.

What is the minimum requirement? You should specify the IP address or DNS destination on the internet where you want to send the probe. It's very important that you decide first where you want to send the probe. The second consideration is that by default the probes are sent every 60 seconds, and three probes are sent. If you think that is a little too much, you can tune the interval from 10 to 600 seconds, and the multiplier from 1 to 10. So the tuning option is there. You track the destination IP or DNS, you send the probes, you can tune the probes and check it.

Now, there is one other consideration: also note that by default the router waits 300 milliseconds to receive a response from the internet destination, and that is also changeable, from 100 to 1000 milliseconds (1 second). So these are the considerations we should take here. Whenever we are using NAT we should track it, because if DIA is down, or the internet is down, we should reroute the traffic; otherwise it's not complete automation, and the SD-WAN should understand and take the decision. Now at this point we should check the limitations of Viptela OS versus IOS XE. Because IOS XE, at this point in time (unless Cisco has since added it), does not have the NAT tracker. They do ECMP to reach the destination, but they don't have the NAT tracker. The NAT tracker is a feature of the Viptela operating system; this can be checked with Cisco or with the design document that Cisco provides.
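As an added example, not taken from the course or from Cisco's documentation, here is how the tracker parameters from this section and a NAT DIA route fit together on a vEdge (Viptela OS) router. The tracker name, interface, addresses and VPN numbers are constructed placeholders; the probe target and the guest VPN are shown without any overlay fallback, which is what a plain NAT DIA route gives you.

```text
! Added example, not from the course: vEdge (Viptela OS) NAT DIA with a tracker.
! Tracker name, interface, addresses and VPN numbers are constructed placeholders.
system
 tracker DIA-TRACKER
  ! probe target on the internet (TEST-NET-3 placeholder address)
  endpoint-ip 203.0.113.10
  ! probe every 60 s (range 10-600); default value shown explicitly
  interval 60
  ! three consecutive missed probes mark the path down (range 1-10)
  multiplier 3
  ! wait 300 ms for a reply (range 100-1000)
  threshold 300
 !
!
vpn 0
 interface ge0/0
  description INTERNET
  ip address 198.51.100.2/30
  ! NAT outside: service-side traffic sent to VPN 0 is translated here
  nat
  ! when the tracker fails, the NAT route below is withdrawn
  tracker DIA-TRACKER
  tunnel-interface
   encapsulation ipsec
   color biz-internet
  !
  no shutdown
 !
 ip route 0.0.0.0/0 198.51.100.1
!
vpn 40
 description GUEST
 ! NAT DIA route (AD 6): guests break out locally and have no IPsec fallback
 ip route 0.0.0.0/0 vpn 0
!
```

With the tracker down, `show ip routes vpn 40` no longer lists the default pointing to VPN 0, which is the behaviour the section describes for the NAT route being withdrawn.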

  4. Remote Site DIA Exit Design Considerations

This is an important recording and you can watch it twice, or save it so that later on you can come back and refer to this particular recording or the slides I am going to show you. So what are the remote-site design options? In the next slide I will show you the diagram, but at the level of the L3 switch you can differentiate which traffic belongs to the guest VRF and which traffic belongs to the global routing table. Once you decide that, what happens? Here you can see in the diagram, let me highlight: I have guest traffic and I have employee traffic. Guests want to use the internet; employees want to use the internet and the IPsec tunnel as well.

Now, in the case of guests, suppose the internet link is down. The guest VPN is never part of the VPN membership policy, meaning guest traffic will never form, or even be part of, the IPsec VPN tunnels. So if the internet link is down, and you have only that one link, guests will never be able to use the internet. On the other hand, for the employees who want to use the internet, if the interface is down their traffic, as per the centralized data policy, can go via the IPsec tunnel, and it has to somehow reach the internet gateway. So it can go via MPLS, reach the firewall and use the internet. So they can still use the internet in case of an outage or failure.

And that's why we have different types of VRFs served by different types of policies. In Viptela we call it a VPN, but VPN and VRF are the same thing. So here you can see, in the branch design, that your VPN 0 NAT interface is down. The guest traffic goes down with it, but your corporate traffic still takes the other route, because it has the other option as per the centralized policy, and it can go and use that. Now, again we know that we have two options.

I can use the NAT DIA route, and I can use the centralized data policy to create the DIA routes. It's very important to understand this, and the recommendation will come later, in the summary section, where I will summarize that while you are creating such a rule, the consideration, or the recommendation, is that we should use the track option. So you track the system interface, or the VPN 0 interface, where you are using the internet, because if it goes down you can reroute the traffic towards the other available IPsec tunnel options. Correct? Now here, this is interesting and important. Suppose you are using the NAT DIA route: if it is a static route you point it towards VPN 0, and if it is dynamic you should redistribute this NAT DIA route into the dynamic routing protocol.

Now see point number three. It's very interesting: by default we know that a static route has an AD value of 1, but this NAT DIA route has an AD of 6. We know that OMP has an AD of 251. That means the NAT DIA route has higher preference over the route coming from vSmart, which is nothing but the OMP route. Correct? And that's the reason the NAT path is chosen first: the routing decision picks the NAT route first, and secondly, if that is unavailable, it goes for the OMP route. So that was a very interesting and important consideration. Now here you can see a summary-type slide.

Now in this diagram, these employees are internal employees using the internet. But suppose you also have guests: you can associate them with the guest VRF and they can do the local exit. In case of failure of this link, if it is an internal employee, then the traffic will somehow go inside the MPLS and then go and use the internet. We should use the track interface here; that is the best practice. So let me quickly summarize what we have studied and what the best practices are in this case.

So first of all, we should create a VRF for guests, and this will never be part of the VPN membership policy: say, for example, VRF or VPN 40 is the guest VPN and it is not part of the VPN membership, meaning it will never form the IPsec channel. That's for security purposes. Second, I have internal users. Internal or corporate users can use DIA over VPN 0; the option I have is to use the centralized data policy, and with this centralized data policy I have a fallback if it is required. The fallback is the MPLS IPsec tunnel, correct? Now again, the interesting thing here is that we should use the track option as well. So these are the design considerations when we are using DIA, and we should consider all these points.
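As an added example for the corporate-user side of this summary (constructed here, not course material or Cisco's own configuration), this is a vSmart centralized data policy that sends corporate internet traffic out via NAT in VPN 0 with fallback to the IPsec overlay, while internal prefixes stay on the overlay. The list names, VPN 10, the site-id range and the prefix are placeholders; guest VPN 40 is deliberately left out of the VPN list, so it keeps only its NAT DIA route and no fallback.

```text
! Added example, not from the course: vSmart centralized data policy for corporate DIA.
! List names, VPN 10, site-ids and prefixes are constructed placeholders.
policy
 lists
  vpn-list CORP-VPNS
   vpn 10
  !
  site-list BRANCHES
   site-id 100-199
  !
  data-prefix-list INTERNAL-NETS
   ip-prefix 10.0.0.0/8
  !
 !
 data-policy CORP-DIA
  vpn-list CORP-VPNS
   ! internal destinations stay on the overlay: accept without NAT
   sequence 10
    match
     destination-data-prefix-list INTERNAL-NETS
    !
    action accept
    !
   !
   ! everything else breaks out locally through NAT in VPN 0;
   ! "nat fallback" sends the flow over the IPsec tunnel if the NAT path is down
   sequence 20
    match
     source-ip 0.0.0.0/0
    !
    action accept
     nat use-vpn 0
     nat fallback
    !
   !
   default-action accept
  !
 !
!
apply-policy
 site-list BRANCHES
  ! from-service: applied to traffic entering from the LAN side
  data-policy CORP-DIA from-service
 !
!
```

The tracker on the VPN 0 NAT interface is what lets the fallback trigger on a silent upstream failure, so it is configured on each branch router rather than in this policy.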
