Cisco CCNP Enterprise 300-415 ENSDWI – SDWAN Policy Part 3

  1. Multi-topology Control Policy Configuration

In this section we are going to learn how we can build and implement a control policy. So let’s first see what types of control policies we have. As the slide shows, with a control policy we can do service chaining and traffic engineering. We have the extranet feature, which is nothing but a route leak between different VPNs: for example, VPN 10 and VPN 20 by default will not communicate with each other, so you can create a route-leak policy to allow that inter-VPN communication. We can use services and path affinity, and we can create arbitrary VPN topologies. So in this section what I want to do is show you one lab related to multi-topology support. Multi-topology support means that inside SD-WAN we have a feature where different VPNs, for example VPN 10 and VPN 20, can each have their own topology. So let me draw here. I have one vEdge device, and I have VPN 10, VPN 20 and VPN 40. Now VPN 10 is my corporate VPN, and what I want is that all the VPN 10 routes first point towards the firewall that is in the data center, and only then on to the destination. That means I want to redirect VPN 10 traffic from all the branches towards the data center firewall, and from there it will go outside.

Likewise, for VPN 20 I want to do the hub-and-spoke topology that we built in the last lab, where you set the TLOC towards the data center. For the rest of the traffic we’ll see later on; we’ll go and create a different policy for it. So let’s do this, and let me log in to vManage. All right, so what do we have to do? First of all you should go to Configuration and then Policies. Inside Policies you want to create a centralized policy, so you can go and click Add Policy. In Add Policy I want to affect, say for example, VPN 10, so I have a VPN 10 list. If you want to create a VPN list it’s very easy: you can go and create your own list, say for example VPN 10, and give it the VPN number.

Likewise you can create the VPN list. Then the TLOC: here you can see that I have one TLOC list, that is the DC TLOC list, so I can reuse the TLOC list that we used earlier in another lab. Then we can create the site list. Yes, I want to apply this policy to, say for example, branch one, or maybe all branches. I have a list of all the branches, but if you want to select specific sites you can. So I have all the branches, all the data centers, and all the sites for this particular lab that I want to work on. Then I’ll click Next. Next you can see the option to create the control policy: Topology means you can create the control policy. If you know exactly what you want to do, you can go and use the custom control (routes and TLOCs). In this case the policy I want is, for example, hub-and-spoke for VPN 20 and firewall chaining for VPN 10; VPN 10 I want to redirect towards the firewall, and for VPN 20 I want to use hub-and-spoke. So let me copy and paste this as the name. Now we’ll go and build our rules. For example, first of all I want to create the rule for VPN 10. What you can do straightforwardly is go to the sequence rule and match the route, so we could match the routes of, say for example, the data center and then set the parameters. But in our case what I want to do is different, so let me draw here one more time.

In our case, what we actually want is that for the different branches I have, I want to take the routes for VPN 10 and 20. For VPN 10, all the branches’ VPN 10 routes I want to set towards the firewall, and all the branches’ VPN 20 routes I want to set towards the DC TLOC. That’s why I’ll go and match the site list that covers all branches. So let’s do that. I’ll go to Site, and I have the site list that is nothing but all branches, so I can scroll down and select All Branches. Once you have all the branches, since you are matching the route you should also give the VPN, because this rule is for VPN 10 (in the data center we have the firewall in VPN 10 as well). So I’ll go ahead and use the VPN 10 list. Now I have the match condition; I need to take the action. What action do you want to take? The action is Accept, and then you give the service: what type of service do you want to redirect to? You want to redirect towards the firewall, and that firewall is inside the data center, in VPN 10. You can see it’s very straightforward; you can go and save this sequence. So this was rule number one: VPN 10 towards the firewall, correct.

All right, so once you have rule number one you can go and add one more sequence. This time you want to match the routes of all the branches and set the TLOC. So this time also I’ll match the site, and in the match site statement, if I scroll here, I want to match all the branches, and then I will choose the VPN. We are going to choose the VPN that is nothing but VPN 20; that is maybe the PCI VPN? Yes, this is VPN 20. Once I have this VPN 20 matching all the routes, what do you want to do? The action: I want to set the TLOC, and this TLOC is nothing but the DC TLOC.

So everything from VPN 20 will go and hit the data center TLOC, that is, its next hop will be the data center TLOC. Here I can go and change the name as well, say “VPN 20 next hop DC TLOC”. All right. And finally, if you want to give the default action for, say for example, the rest of the VPNs or the rest of the traffic, we will use the default statement. You can give this. Great. So now we have the policy and we should go Next. The next page will be your data policy; we don’t have a data policy at the moment. And then the final page is to apply this policy. I’ll give the apply-policy the same name as well, so let me go and give the same name, say for example “apply policy”.

Now here you can see your topology has been pulled in, and this particular policy I want to apply in the outbound direction to all the branches, correct? And I can click Add here. If we go and click Preview, you can see the rules: match the routes of all the branches and set towards the firewall; match the routes of all the branches but in a different VPN and set towards the data center. And suppose we have VPN 40: for that also you can write a rule. In the upcoming section we’ll write the rule for VPN 40 as well, and then you can go and apply this policy. Okay, so I can click Save Policy. Before applying this policy, I will log into the devices. So let me go to the Monitor section and then Network. What we want to verify is that at the moment we don’t have any policy. Let me go and check that as well.
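The CLI form of the policy just built, as it would appear in the vManage Preview, written here as an added example rather than the exact preview from the lab recording. List names (VPN10, VPN20, ALL-BRANCHES, ALL-SITES, DC-TLOC), the site-id ranges, the TLOC address and colors, and the firewall address on the data center vEdge are all assumed values for illustration; the two sequences and the default action follow the steps described above.

```text
! ===== vSmart centralized control policy (as pushed by vManage) =====
policy
 lists
  vpn-list VPN10
   vpn 10
  !
  vpn-list VPN20
   vpn 20
  !
  site-list ALL-BRANCHES
   site-id 10-19            ! assumed: branch site IDs in this lab
  !
  site-list ALL-SITES
   site-id 1-19             ! assumed: DC sites plus branches
  !
  tloc-list DC-TLOC
   tloc 10.255.0.1 color mpls encap ipsec           ! assumed DC system IP
   tloc 10.255.0.1 color biz-internet encap ipsec
  !
 !
 control-policy MULTI-TOPOLOGY
  ! Rule 1: VPN 10 routes learned from every branch are steered to the
  ! firewall service that the data center advertises in VPN 10.
  sequence 1
   match route
    site-list ALL-BRANCHES
    vpn-list VPN10
   !
   action accept
    set
     service FW vpn 10
    !
   !
  !
  ! Rule 2: VPN 20 routes from every branch get the DC TLOC as next hop,
  ! which gives the hub-and-spoke topology for that VPN only.
  sequence 11
   match route
    site-list ALL-BRANCHES
    vpn-list VPN20
   !
   action accept
    set
     tloc-list DC-TLOC
    !
   !
  !
  ! Everything else (for example VPN 40) is left untouched: full mesh.
  default-action accept
 !
!
apply-policy
 site-list ALL-BRANCHES
  control-policy MULTI-TOPOLOGY out
 !
!

! ===== Data center vEdge: the firewall service that rule 1 refers to =====
! The DC vEdge must advertise the FW service in VPN 10 via OMP, otherwise
! "set service FW vpn 10" has no service route to resolve to.
vpn 10
 service FW address 10.10.10.5   ! assumed firewall inside address
!
```

Because the default action is `accept` and only two VPN lists are matched, any VPN not named in a sequence keeps the default any-to-any reachability; that is the behaviour later verified with VPN 40. The policy is applied `out` towards the branch site list because it rewrites what the vSmart advertises to the branches, not what it learns from them.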

So I should see all the policies in the false (inactive) state. That means my devices are running in default mode, and in default mode there is no policy: all-to-all traffic is allowed. So if I go to branch number one and then to the Troubleshooting section, inside Troubleshooting you can see that you have the option for traceroute. So we can quickly do a traceroute. What do you want to trace? Suppose you apply this policy; what will happen? VPN 20 will go to the data center and then to the other branch, that is, from branch one to branch two, correct? So this should be the behaviour after applying the policy. Before applying the policy, for VPN 10 and VPN 20 everything will go directly from branch one to branch two, correct? So I need one destination IP, and for that I need to log into the device and grab the IP.

So let me go to the device and check what IP it has. Let me do this. The best option we have: I can go to the SSH terminal as well and log into one of the devices from branch one and one of the devices from branch two. So I logged into branch one and branch two. Then I’ll do a ping and a traceroute, so let me do that. Here we’ll check the IP of VPN 10, that is ten 30 two. From here I will do the traceroute, so let me do that traceroute from branch two to branch one. All right, so let’s do the traceroute for VPN 10, say ten 30 two. Now you can see that I can reach it directly, no problem, and vice versa: from two to one and from one to two.

Likewise, if I go and check VPN 20, that is ten 322. So now again if I go and do the traceroute, say a traceroute in VPN 20 to ten 320; let me see, that IP is actually ten 322. This should also go directly, and you can see you have direct reachability. So now we have two IPs: inside VPN 10 I have ten 30 two, and in VPN 20 I have, say, ten 322. Now, to see the effect of the policies, let’s quickly go and activate the policy. So I’ll go here to the hub-and-spoke policy and let me activate it. These vSmarts are not managed by vManage, so let me quickly go and attach the vSmarts to vManage, and then I can activate the policy. We’ll go to the templates. Inside the template you can see the vSmarts are not attached, so I’ll go ahead and attach them. Sometimes if you attach both vSmarts at once they will throw an error; then try to attach them one by one. Sometimes they will attach directly.

It’s not attaching. So what I’ll do is go back to the template and attach them one by one. Attach the devices one at a time and you will see that now it attaches; click Next. Likewise, I’ll go back to the template and then attach the other vSmart. All right, Next and Next. I’ll go back to the policies, and now I want to activate the policy. So you can go here and click Activate. Once the configuration has been pushed to the vSmarts, the policy will be activated. Now I will go to, say for example, Monitor and then Network, and then I will select the device. I can go to branch two, from where I did the testing earlier. I’ll go to Troubleshooting, and inside Troubleshooting we have the option called Traceroute. Now I have the destination IP, say ten 30 two; that is inside VPN number 10, and you can choose the interface.

Say for example your interface. If you start this now you can see the output: it is not going directly, correct? It is going via the data center. This is VPN 10, where we are expecting that it will go via the firewall. Likewise, if you go and change the IP, so if you use the one ending in 22, that is the destination for VPN 20. So if you go here... it seems I need to go back. This time I’ll go and use the other IP, that is ten 322, the VPN is 20, and for the interface I’ll use ge0/3. Now this time, because we are using VPN 20, you can see that for this particular VPN the traffic is going towards the data center, that is ten to 23, and then it is going to the destination. So the first VPN is going towards the firewall and the second VPN is going via the data center, because we have set the data center TLOC, and then it goes on to the destination. So the policy is working perfectly right now.

What I can do next, again to showcase this: if you want to see more about it, you can go to Real Time and verify the routes as well. So if you check the routes you can see the IP routes, and if you want to filter a certain VPN you can filter it. I want to see the VPN 10 routes, and for the VPN 10 routes let’s see the TLOC IP. So I’ll remove Protocol, I’ll remove Address Type, and for example Prefix also I’ll remove; I just want to show you the next-hop address and the TLOC IP.

So here you can see that for VPN number 10, because my firewall is in the data center, the TLOC IP is the data center IP, and the same for VPN 20, because that is also set towards the data center. If you go ahead and check the OMP services, you can see who the originator is, and for VPN 10 and VPN 20 I can clearly see some of the service routes. Generally what is happening is that when the route goes to the vSmart, the vSmart sets the next hop towards the firewall or whatever other service route is configured. So one last test I want to do here. Let me log into the CLI; that is much faster than this. So let’s do one thing: let’s stop here, and the verification and some of the testing we will do from the CLI in the same lab.

  1. Multi-topology Control Policy Verification

Let me show you the verification from here. If I go and check `show interface description` on one of my branch one vEdges, vEdge 1, and copy any of the IPs inside VPN 10, and then do the traceroute for VPN 10 with that IP, you can see that it is going towards the data center, then towards the firewall, and then from the firewall to the other side, to the branch. Now let me log into the data center and show you the firewall address.

So here, if I go and type the show command for VPN 10, you can clearly see that the firewall address matches the traceroute result: you can see it going to the firewall, then to the IREUs interface, and then to branch one. Likewise, now I will traceroute for VPN number 20 to the other IP: this one is going via the firewall, and this one is going VPN to VPN through the data center. Now I have another IP as well, in VPN 40, and since we haven’t applied any policy to it, it should go directly, correct?

So now if I do this traceroute it will show that it goes directly. So you can clearly see the difference and the power of SD-WAN with a very small set of policy. One VPN, let me mark it here, is going towards the firewall. The other VPN is going towards the DC and then exiting. But the third VPN is still using the direct IPsec tunnel, VPN to VPN, okay, and that’s why this is the multi-topology support that we have.

Now what I’ll do is go to the policy and deactivate it. So let me go back to Policies and deactivate this policy. Once I deactivate the policy it will go back to normal: that means VPN 40 stays as it is, VPN 20 will also go directly, and VPN 10 will also go directly. So now all these devices are only one hop away. This is the true verification: we created the policy for all the VPNs, tested it, and then rolled the policy back so they have their default behaviour again. Within a few seconds you can see that you can implement a policy and withdraw it.
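The same before/after verification done from the CLI, collected here as an added checklist rather than a capture from the recording. The host addresses are placeholders (the recording’s real addresses are not reproduced), and the lines starting with `!` are explanatory comments, not commands; every command shown is a standard vEdge or vSmart show command.

```text
! ----- On a branch vEdge (run once before activation, once after) -----

! 1. Which policy the vSmart has pushed to this edge (empty before activation).
show policy from-vsmart

! 2. Service-side address to use as traceroute target: pick a VPN 10 host.
show interface description

! 3. Path taken inside each VPN. Expected after activation:
!    VPN 10 -> DC vEdge -> firewall -> remote branch  (service chaining)
!    VPN 20 -> DC vEdge -> remote branch              (hub-and-spoke)
!    VPN 40 -> remote branch in one hop               (no rule, default accept)
traceroute vpn 10 <VPN10-host-at-other-branch>
traceroute vpn 20 <VPN20-host-at-other-branch>
traceroute vpn 40 <VPN40-host-at-other-branch>

! 4. Why the path changed: the OMP next hop (TLOC IP) of the remote prefix.
!    After activation the VPN 10 and VPN 20 entries point at the DC TLOC,
!    the VPN 40 entry still points at the remote branch TLOC.
show omp routes vpn 10
show omp routes vpn 20
show ip routes vpn 40

! 5. The FW service route that rule 1 resolved to, and who originated it.
show omp services

! ----- On the DC vEdge -----
! The FW service must be present in VPN 10 for the service chain to work.
show running-config vpn 10 service

! ----- On the vSmart -----
! Confirm the active policy and that the apply-policy targets the branch list.
show running-config policy
show running-config apply-policy
```

Running step 3 and step 4 together is the useful part: a traceroute alone shows that the path moved, while the OMP route table shows that it moved because the advertised TLOC changed, which is what a control policy does. After deactivation, re-running the same commands should show the policy gone from `show policy from-vsmart` and all three traceroutes back to one hop.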

  1. App-Aware Routing & Direct Internet Access Begins

In sections four and five we have to learn and understand app-aware routing, one of the core components of any SD-WAN solution: how the application can take a decision if there are brownout or blackout failures. Then we have to discuss and think about Direct Internet Access. What is the importance of Direct Internet Access at this point in time? Almost all companies want 20% to 24% of their traffic to exit locally and not use the backhaul bandwidth. Otherwise, from the branch you have to go to the data center and then come back again.

So you are using the bandwidth twice, rather than going directly and using the internet resources or cloud resources that are near your branch. Because at the moment all the cloud providers, or all the application providers hosted on the cloud, have their availability zones. So rather than going from one location to another to reach the destination, we can go outside directly from the branch. These are the two very important and interesting topics that are coming up in sections four and five.

  1. App Aware Routing Basic Introduction

In this section I am going to discuss app-aware routing. Let us start. You can say that app-aware routing is the core of this cloud-based SD-WAN solution, because at the end of the day everything is based on the application: how you can provide an intelligent path, how you can provide SLAs, how you can provide failover. All these things come under app-aware routing. In the Viptela fabric we have very strong app-aware routing policies, and we’ll see the various things related to app-aware routing one by one in the upcoming recordings. Before I start with app-aware routing, I just want to tell you that app-aware routing comes under data policies, and we have some other data policies as well: we have centralized data policy, we have localized data policy, and then we have app-aware routing.

That is again a type of policy. We’ll see all those things. What is a centralized policy? Whenever it comes to centralized policy, that means you are pushing that policy from the vSmart controller, and we’ll see how you can apply it. We have options such as the control policy and the data policy, and whatever configuration goes with them, or we can use the VPN membership policies. But centralized data policy means that you are affecting your data plane with the help of your vSmart controller. Now, when it comes to localized data policy, that means you are building an access list and doing all that configuration locally on the node. So first of all you have to build the policy and an access list, and like in the normal Cisco world, where we apply the access list on an interface in either the ingress or egress direction, here also you have to do the same.

Okay, now coming to app-aware routing, and it’s a big topic. We’ll discuss the app-aware routing policies step by step, all their constructs and everything. I already told you that this policy is something that is really required in a modern network or any type of SD-WAN solution, and why it is required: because it will provide you the best network optimization. That’s one thing. Performance degradation can be minimized; that is again one very important aspect of a modern network. Network cost can be reduced.

That is the overall goal of any infrastructure. Application performance can be increased. You can see all the big things: optimization, performance enhancement, cost reduction and application performance enhancement. All these things we get with the help of app-aware routing, and we’ll see what the ingredients inside app-aware routing are. Then we’ll come to know how these things are achievable and how app-aware routing functions. We have three steps. Step number one: you have to define the policy in terms of an SLA. We’ll see that the SLA is in terms of jitter, loss and delay; we’ll check all these things. Then we have the measurement option, because we are monitoring the application end to end.

So to monitor this channel we have BFD. With the help of BFD you will see how it tracks all these things: we are measuring the one-way and round-trip loss and also the one-way and round-trip latency, and according to that we take the action. You can think of this as the if condition and then the action, or as the match criteria and then the action. What we can do after that is map the application to a specific tunnel based on the loss and latency that we measured in step number two, and maintain a history of loss and latency data; that’s very important.

We have a note here that each vEdge supports up to 4 TLOCs, meaning a vEdge can have up to four different WAN networks, and over these networks we have to monitor the loss and latency and keep track of their history. I have one diagram to show you how it can be done. Obviously from vSmart you are pushing the policy to the vEdges, and the vEdges have end-to-end tunnels between them. Step number one is to define the SLA.

Step number two is to measure the one-way or round-trip loss and latency. Step number three is to track the history of loss and latency, and since these are the policy implementation phases, according to that your path will be altered: tunnel A versus B, C, D, like that. This was the basic introduction to app-aware routing, and let me stop here. In the next or subsequent recording I will cover the other aspects and other important things about app-aware routing.
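The three steps just listed, written out as an added configuration example (not the lab’s own configuration, which the recording does not show). Step 1 is the `sla-class` with loss, latency and jitter thresholds; step 2 is BFD, whose app-route poll interval and multiplier set how loss and latency are sampled and how much history is kept (step 3); the `app-route-policy` is what maps the application to a tunnel that meets the SLA. The class name, thresholds, DSCP value, list names, site IDs and preferred color are assumed values for illustration.

```text
! ===== vSmart: step 1, the SLA definition (pushed by vManage) =====
policy
 sla-class REALTIME-SLA
  loss 2          ! percent; assumed threshold
  latency 150     ! milliseconds, one-way or round-trip as measured by BFD
  jitter 30       ! milliseconds
 !
 lists
  vpn-list VPN10
   vpn 10
  !
  site-list ALL-BRANCHES
   site-id 10-19  ! assumed branch site IDs
  !
 !
 ! ===== Step 3 consumer: map the application to a tunnel that meets the SLA =====
 app-route-policy AAR-VPN10
  vpn-list VPN10
   sequence 10
    match
     dscp 46      ! assumed: voice / real-time class marked EF
    !
    action
     ! Use the mpls tunnel while it meets REALTIME-SLA; if its measured
     ! loss/latency/jitter breach the class, fall over to any tunnel that does.
     sla-class REALTIME-SLA preferred-color mpls
    !
   !
  !
  default-action sla-class REALTIME-SLA
 !
!
apply-policy
 site-list ALL-BRANCHES
  app-route-policy AAR-VPN10
 !
!

! ===== vEdge: step 2, how BFD measures and how much history is kept =====
! Each poll interval BFD computes loss, latency and jitter per tunnel
! (per TLOC pair); the multiplier is the number of polls averaged, so the
! values below give a 6 x 10 min = 60 minute history window, which is also
! the platform default.
bfd app-route poll-interval 600000   ! milliseconds
bfd app-route multiplier 6

! Verification on the vEdge: per-tunnel measurements and the SLA classes
! each tunnel currently satisfies.
show app-route stats
show app-route sla-class
```

The history window is the part people get wrong when tuning this: shortening the poll interval makes the policy react faster to a brownout but also makes it flap on short bursts of loss, because a single bad poll then carries more weight in the average. Lowering the multiplier has the same effect, so change one at a time and watch `show app-route stats` across a few windows before settling on values.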
