SD-WAN Lab Note Part 1
Fundamental knowledge and Topology
Onboarding vEdges to the Controllers
Service VPN Overview, Connected and Static Routes
Templates Overview, Single vEdge Site setup and Development
Dual-vEdge Site and MPLS Only Site Templates
Service VPN1 Connected Routes via CLI and Templates
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Fundamental knowledge and Topology
Required Images:
C:.
├───vios-adventerprisek9-m.SPA.156-2.T
│ vios-adventerprisek9-m.vmdk.SPA.156-2.T.qcow2
│
├───viosl2-adventerprisek9-m.vmdk.SSA.152-4.0.55.E
│ vios_l2-adventerprisek9-m.vmdk.SSA.152-4.0.55.E
│
├───vtbond-18.4
│ viptela-edge-18.4.4-genericx86-64.qcow2
│
├───vtedge-18.4
│ viptela-edge-18.4.4-genericx86-64.qcow2
│
├───vtmgmt-18.4
│ viptela-vmanage-18.4.4-genericx86-64.qcow2
│
└───vtsmart-18.4
viptela-smart-18.4.4-genericx86-64.qcow2
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
SD-Wan Controllers Setup
vManage
admin/admin
1
Y
vmanage# conf t
vmanage(config)# system
vmanage(config-system)# hostname vManage
vmanage(config-system)# system-ip 10.100.0.10
vmanage(config-system)# site-id 100
vmanage(config-system)# organization-name lab
vmanage(config-system)# vbond 223.1.1.11
vmanage(config-system)# commit
vmanage(config-system)# exit
vmanage(config)# vpn 0
vmanage(config-vpn-0)# interface eth0
vmanage(config-interface-eth0)# ip add 223.1.1.10/24
vmanage(config-interface-eth0)# no sh
vmanage(config-interface-eth0)# tunnel-interface
vmanage(config-tunnel-interface)# allow-service all
vmanage(config-tunnel-interface)# commit
Commit complete.
vmanage(config-tunnel-interface)# exit
vmanage(config-interface-eth0)# exit
vmanage(config-vpn-0)# ip route 0.0.0.0/0 223.1.1.1
vmanage(config-vpn-0)# commit
Commit complete.
interface eth1
ip address 10.61.91.179/25
no shutdown
!
ip route 10.8.20.0/24 10.61.91.148
vmanage#vshell
vmanage:~$ vi /home/admin/PKI.ca
-----BEGIN CERTIFICATE-----
MIICDzCCAXigAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExByb290
Y2EubGFiLmxvY2FsMB4XDTI0MDEyNjIxNTgwMVoXDTI3MDEyNTIxNTgwMVowGzEZ
MBcGA1UEAxMQcm9vdGNhLmxhYi5sb2NhbDCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAvob8MVCCngFRza8e3nlVZ7YA4CEGzSdwrePB3QI3ZftNr52ewwgPwO0R
Nnc1UgdWAaVLC6WpVFTLXgd2Z/Alhy7HGQ/qZBgnRKPtbCaqEE9Xd2xgCHgptDYT
YmpVuKvwVFs0lGO/BgYo9bZaHx2PixeBHWSCEJr3illUS8WKLHECAwEAAaNjMGEw
DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHwYDVR0jBBgwFoAUsYly
DysXyMBuZTYpz+rXBNtq91kwHQYDVR0OBBYEFLGJcg8rF8jAbmU2Kc/q1wTbavdZ
MA0GCSqGSIb3DQEBCwUAA4GBAD1qCoSGlqzdDHeJMMTnCJHtDspa7RLHyh3eVDGJ
zAjwlRvlBT6OMeSPJBtvA81qoGyPGOabN8Y8xe9u7mJPIo3dMJ3uh7SpwO/wwKUt
AKY3lMitHwMxA5gtXNR/XpeZuBmA+UaDUecruSJxqt8xCboAZ6ZLDhNF9rVdvrUo
KvIb
-----END CERTIFICATE-----
~
~
~
~
~
~
~
~
"PKI.ca" 15 lines, 775 characters written
vmanage:~$ exit
Exit
vmanage# request root-cert-chain install home/admin/PKI.ca
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/PKI.ca via VPN 0
Updating the root certificate chain..
Successfully installed the root certificate chain
IOS-CA#crypto pki server PKI request pkcs10 terminal
PKCS10 request in base64 or pem
% Enter Base64 encoded or PEM formatted PKCS10 enrollment request.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE REQUEST-----
MIIDKDCCAhACAQAwgacxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJOWTEMMAoGA1UE
BxMDTllDMQwwCgYDVQQLEwNsYWIxDDAKBgNVBAoTA2xhYjFBMD8GA1UEAxM4dm1h
bmFnZS0yODc0YmQxMi0xMWFkLTQ0OWItYmE5My0xMTI4MDlhMTViODgtMC5sYWIu
bG9jYWwxHjAcBgkqhkiG9w0BCQEWD2FkbWluQGxhYi5sb2NhbDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBANBSD+Mjj3ezKDYWryRnvTxDbHQFVksJlUSw
M2SCTBLOf+RBkGKQ1FTjjWPtFFZNq+tTl8+zL/fXjj/RMjS403rSn7M0N9laqP52
717FIJlKpDfF01feoBJHiD6m3YzMzZpCnZ6A5ao9oCe0/LelCDX4YUh/xNU8ku3i
fvqWy2b+SIf5iUHZrT3kOxWs4xDybaxc+aHyGNCIE0GNx6htfBRj0q5JnRWaTQj6
Xlg4ul/zPXhf/SNVO4ZItmqkSCyiosnnZO3Hef9fsIw/hsy1lGNLtOTXzDmB/cvX
gqeTvr4jB2F3MxPAHBZR7IH828qUvR1SkYSqLyzGR2CsWS72b1ECAwEAAaA7MDkG
CSqGSIb3DQEJDjEsMCowCQYDVR0TBAIwADAdBgNVHQ4EFgQUbsQ6fHnnF7cP72LM
xBWGzuSHFU8wDQYJKoZIhvcNAQELBQADggEBAFS4SPu5I8GSLvUcTCeMsZg/7Mit
fd8h2KHlstPKw5lr59RO4HeXR8H7xs9WxnrZoQOrpH4E5a9KENG0zUGmyYIpvY94
tc+0n7wG5qkXhzfNbNkQzMu7PPLMZEbExEdmiUpqlj8B9wIqBHqv9+1epdJ+jfP4
QaKRaYOMmxGGWsQpE2CZOZLVaTZiPOcGhBUzPELcFDDCsh2+XLVTgb5fDLDXu+iv
527pj9PwHbH/DfZr6ktw1fsq88khiAPLSSJT8UJUukxWccf47tcYJlgXpbRC7ixR
XEGhhaXbTrufQim6bp6NrlvGX52OPyKlueNV9c6e+BzZZas5q09saYlRUHc=
-----END CERTIFICATE REQUEST-----
quit
% Granted certificate:
-----BEGIN CERTIFICATE-----
MIIDEDCCAnmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExByb290
Y2EubGFiLmxvY2FsMB4XDTI0MDEyNjIzNDE1NFoXDTI1MDEyNTIzNDE1NFowgacx
CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJOWTEMMAoGA1UEBxMDTllDMQwwCgYDVQQL
EwNsYWIxDDAKBgNVBAoTA2xhYjFBMD8GA1UEAxM4dm1hbmFnZS0yODc0YmQxMi0x
MWFkLTQ0OWItYmE5My0xMTI4MDlhMTViODgtMC5sYWIubG9jYWwxHjAcBgkqhkiG
9w0BCQEWD2FkbWluQGxhYi5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBANBSD+Mjj3ezKDYWryRnvTxDbHQFVksJlUSwM2SCTBLOf+RBkGKQ1FTj
jWPtFFZNq+tTl8+zL/fXjj/RMjS403rSn7M0N9laqP52717FIJlKpDfF01feoBJH
iD6m3YzMzZpCnZ6A5ao9oCe0/LelCDX4YUh/xNU8ku3ifvqWy2b+SIf5iUHZrT3k
OxWs4xDybaxc+aHyGNCIE0GNx6htfBRj0q5JnRWaTQj6Xlg4ul/zPXhf/SNVO4ZI
tmqkSCyiosnnZO3Hef9fsIw/hsy1lGNLtOTXzDmB/cvXgqeTvr4jB2F3MxPAHBZR
7IH828qUvR1SkYSqLyzGR2CsWS72b1ECAwEAAaNTMFEwDwYDVR0TAQH/BAUwAwEB
/zAfBgNVHSMEGDAWgBSxiXIPKxfIwG5lNinP6tcE22r3WTAdBgNVHQ4EFgQUbsQ6
fHnnF7cP72LMxBWGzuSHFU8wDQYJKoZIhvcNAQELBQADgYEAlOQVXOiZZKkTPYmn
Lv27dL3EkzNOInUvpD10hP/S6DZFlIXIwhuaH5Y/Q5TC0smPKcEYVdNNAB2XPdzs
B0p3VxJ5i3gO7CyKkCvl1tyotqSf03sEr0ddkUIdqAi8ZSq4ay4P7P6+0dVY/D5M
s8u+2DKmkIx3V/SedolmsBlxsm0=
-----END CERTIFICATE-----
vBond
config t
system
host-name vBond
system-ip 10.100.0.11
site-id 100
organization-name lab
vbond 223.1.1.11 local
Commit
vpn 0
interface ge0/0
ip address 223.1.1.11/24
tunnel-interface
encapsulation ipsec
allow-service all
no shutdown
!
ip route 0.0.0.0/0 223.1.1.1
Commit
vBond# vshell
vBond:~$ vi /home/admin/PKI.ca
-----BEGIN CERTIFICATE-----
MIICDzCCAXigAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExByb290
Y2EubGFiLmxvY2FsMB4XDTI0MDEyNjIxNTgwMVoXDTI3MDEyNTIxNTgwMVowGzEZ
MBcGA1UEAxMQcm9vdGNhLmxhYi5sb2NhbDCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAvob8MVCCngFRza8e3nlVZ7YA4CEGzSdwrePB3QI3ZftNr52ewwgPwO0R
Nnc1UgdWAaVLC6WpVFTLXgd2Z/Alhy7HGQ/qZBgnRKPtbCaqEE9Xd2xgCHgptDYT
YmpVuKvwVFs0lGO/BgYo9bZaHx2PixeBHWSCEJr3illUS8WKLHECAwEAAaNjMGEw
DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHwYDVR0jBBgwFoAUsYly
DysXyMBuZTYpz+rXBNtq91kwHQYDVR0OBBYEFLGJcg8rF8jAbmU2Kc/q1wTbavdZ
MA0GCSqGSIb3DQEBCwUAA4GBAD1qCoSGlqzdDHeJMMTnCJHtDspa7RLHyh3eVDGJ
zAjwlRvlBT6OMeSPJBtvA81qoGyPGOabN8Y8xe9u7mJPIo3dMJ3uh7SpwO/wwKUt
AKY3lMitHwMxA5gtXNR/XpeZuBmA+UaDUecruSJxqt8xCboAZ6ZLDhNF9rVdvrUo
KvIb
-----END CERTIFICATE-----
~
~
~
~
~
~
~
"PKI.ca" 16 lines, 776 characters written
vBond:~$ exit
exit
vBond# request root-cert-chain install home/admin/PKI.ca
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/PKI.ca via VPN 0
Updating the root certificate chain..
Successfully installed the root certificate chain
OS-CA#crypto pki server PKI request pkcs10 terminal
PKCS10 request in base64 or pem
% Enter Base64 encoded or PEM formatted PKCS10 enrollment request.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE REQUEST-----
MIIDJjCCAg4CAQAwgaUxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJOWTEMMAoGA1UE
BxMDTllDMQwwCgYDVQQLEwNsYWIxDDAKBgNVBAoTA2xhYjE/MD0GA1UEAxM2dmJv
bmQtMjhlMzQ1MjgtMmQ3Ny00YjljLTg1OTYtOWJlMjE0OGM5NTA4LTAubGFiLmxv
Y2FsMR4wHAYJKoZIhvcNAQkBFg9hZG1pbkBsYWIubG9jYWwwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDOmhvTQGZ4CX1x/7OXZUhOb3C/F5L3RWX7Iey5
L1vhYbeBCO4DgniSBRpwF4OpPRFoa9e0Br58/waN/ApxjIXj0w+Opcs9xZBKGKXr
elvf0z6hNQ0UqgCijKkDSWTid8NVfZalQf7HUQsoqutMFz1KRg2jp6051+93PrmC
anYQRtg1xL1Ygv43r+z3AqG+5FDjAWiNo89QKo3booxjsRNiQZInqhCq4Nef23Z4
NcKnJT4aJ5tcxvchEblYUhVZm2SfldWorNi2JtrlLVsIdfrwkbi4c1xuxAfQjCVi
fkN1gqGonwFh4L2I5vzydfqvGB2G50YEfHMlsNxIUddwxFVXAgMBAAGgOzA5Bgkq
hkiG9w0BCQ4xLDAqMAkGA1UdEwQCMAAwHQYDVR0OBBYEFJEI7pHDMyGLfGWVrsiw
K+FvsRjwMA0GCSqGSIb3DQEBCwUAA4IBAQCp3qjAdRFbkUixJx2HiHGUo46J2elS
1+S1S3E6CA5iZeZbsDcFiLg+7KlRTaoanXAVo7WTlVpWRr/feurdmYoOUv+sQcvy
8i/fIadv5qStq3dVrd1BqgR6xr+8kQBHUhiTywDCozNL8ItshrqvZFdeiqSu3aJD
NpJQHxIZRd2gXvfow+t/J39jDadoGRzpj2xntjSTZg78T6rdMDm60OW6g1XoBqy0
FL6FLhnxi+1sYq6JoVeLs+FhJbzD5A+hKms8+zo7rv6cAmFu0n/sOmSDhA7r3BrF
/ko2MZGOciKoogAq0rTlRUkEAbPq+MrenWFmMHa9c4WwhfdvmgorVfNP
-----END CERTIFICATE REQUEST-----
quit
% Granted certificate:
-----BEGIN CERTIFICATE-----
MIIDDjCCAnegAwIBAgIBAzANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExByb290
Y2EubGFiLmxvY2FsMB4XDTI0MDEyNzAwMDUyNloXDTI1MDEyNjAwMDUyNlowgaUx
CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJOWTEMMAoGA1UEBxMDTllDMQwwCgYDVQQL
EwNsYWIxDDAKBgNVBAoTA2xhYjE/MD0GA1UEAxM2dmJvbmQtMjhlMzQ1MjgtMmQ3
Ny00YjljLTg1OTYtOWJlMjE0OGM5NTA4LTAubGFiLmxvY2FsMR4wHAYJKoZIhvcN
AQkBFg9hZG1pbkBsYWIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQDOmhvTQGZ4CX1x/7OXZUhOb3C/F5L3RWX7Iey5L1vhYbeBCO4DgniSBRpw
F4OpPRFoa9e0Br58/waN/ApxjIXj0w+Opcs9xZBKGKXrelvf0z6hNQ0UqgCijKkD
SWTid8NVfZalQf7HUQsoqutMFz1KRg2jp6051+93PrmCanYQRtg1xL1Ygv43r+z3
AqG+5FDjAWiNo89QKo3booxjsRNiQZInqhCq4Nef23Z4NcKnJT4aJ5tcxvchEblY
UhVZm2SfldWorNi2JtrlLVsIdfrwkbi4c1xuxAfQjCVifkN1gqGonwFh4L2I5vzy
dfqvGB2G50YEfHMlsNxIUddwxFVXAgMBAAGjUzBRMA8GA1UdEwEB/wQFMAMBAf8w
HwYDVR0jBBgwFoAUsYlyDysXyMBuZTYpz+rXBNtq91kwHQYDVR0OBBYEFJEI7pHD
MyGLfGWVrsiwK+FvsRjwMA0GCSqGSIb3DQEBCwUAA4GBAILEKFMR04dFqabI3UZX
omyzTAfcP895kGj1f/ExW245F2fC8lCYM/bn0TLPs3hEuweVnHhR2EfwH0eZRIpQ
M+jPYPs9PbUrcj+4eMlpkzRWj1uqtlv4utyWlC+STZ7O21a9GYIHR5XGOdPoB49g
9E2ePfIS9/PgHrVN+Lg2RF66
-----END CERTIFICATE-----
vmanage# show control connections
PEER PEER PEER
PEER PEER PEER CONFIGURED SITE DOMAIN PEER PRIV PEER PUB
INDEX TYPE PROT SYSTEM IP SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT ORGANIZATION REMOTE COLOR STATE UPTIME
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 vbond dtls 10.100.0.11 10.100.0.11 0 0 223.1.1.11 12346 223.1.1.11 12346 lab default up 0:08:06:26
1 vbond dtls 0.0.0.0 - 0 0 223.1.1.11 12346 223.1.1.11 12346 lab default up 0:08:06:26
vBond# show orchestrator connections
PEER PEER
PEER PEER PEER SITE DOMAIN PEER PRIVATE PEER PUBLIC ORGANIZATION
INSTANCE TYPE PROTOCOL SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT REMOTE COLOR STATE NAME UPTIME
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 vmanage dtls 10.100.0.10 100 0 223.1.1.10 12346 223.1.1.10 12346 default up lab 0:08:07:06
0 vmanage dtls 10.100.0.10 100 0 223.1.1.10 12446 223.1.1.10 12446 default up lab 0:08:07:06
vSmart
system
host-name vSmart
system-ip 10.100.0.12
site-id 100
admin-tech-on-failure
organization-name lab
vbond 223.1.1.11
!
vpn 0
interface eth0
ip address 223.1.1.12/24
tunnel-interface
allow-service all
!
no shutdown
!
ip route 0.0.0.0/0 223.1.1.1
vshell
vSmart:~$ vi /home/admin/PKI.ca
-----BEGIN CERTIFICATE-----
MIICDzCCAXigAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExByb290
Y2EubGFiLmxvY2FsMB4XDTI0MDEyNjIxNTgwMVoXDTI3MDEyNTIxNTgwMVowGzEZ
MBcGA1UEAxMQcm9vdGNhLmxhYi5sb2NhbDCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAvob8MVCCngFRza8e3nlVZ7YA4CEGzSdwrePB3QI3ZftNr52ewwgPwO0R
Nnc1UgdWAaVLC6WpVFTLXgd2Z/Alhy7HGQ/qZBgnRKPtbCaqEE9Xd2xgCHgptDYT
YmpVuKvwVFs0lGO/BgYo9bZaHx2PixeBHWSCEJr3illUS8WKLHECAwEAAaNjMGEw
DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHwYDVR0jBBgwFoAUsYly
DysXyMBuZTYpz+rXBNtq91kwHQYDVR0OBBYEFLGJcg8rF8jAbmU2Kc/q1wTbavdZ
MA0GCSqGSIb3DQEBCwUAA4GBAD1qCoSGlqzdDHeJMMTnCJHtDspa7RLHyh3eVDGJ
zAjwlRvlBT6OMeSPJBtvA81qoGyPGOabN8Y8xe9u7mJPIo3dMJ3uh7SpwO/wwKUt
AKY3lMitHwMxA5gtXNR/XpeZuBmA+UaDUecruSJxqt8xCboAZ6ZLDhNF9rVdvrUo
KvIb
-----END CERTIFICATE-----
~
~
~
~
~
~
~
~
~
"PKI.ca" [New File] 14 lines, 774 characters written
vSmart:~$ exit
exit
vSmart# request root-cert-chain install home/admin/PKI.ca
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/PKI.ca via VPN 0
Updating the root certificate chain..
Successfully installed the root certificate chain
Result:
USE Microsoft CA for signing and CA. Use Base 64 encoded
vManage# show control connections
PEER PEER PEER
PEER PEER PEER CONFIGURED SITE DOMAIN PEER PRIV PEER PUB
INDEX TYPE PROT SYSTEM IP SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT ORGANIZATION REMOTE COLOR STATE UPTIME
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 vsmart dtls 10.100.0.12 10.100.0.12 100 1 223.1.1.12 12346 223.1.1.12 12346 lab default up 0:00:02:23
0 vbond dtls 10.100.0.11 10.100.0.11 0 0 223.1.1.11 12346 223.1.1.11 12346 lab default up 0:00:04:18
1 vbond dtls 0.0.0.0 - 0 0 223.1.1.11 12346 223.1.1.11 12346 lab default up 0:00:04:18
2 vbond dtls 0.0.0.0 - 0 0 223.1.1.11 12346 223.1.1.11 12346 lab default up 0:00:04:18
3 vbond dtls 0.0.0.0 - 0 0 223.1.1.11 12346 223.1.1.11 12346 lab default up 0:00:04:19
vBond# show orchestrator connections
PEER PEER
PEER PEER PEER SITE DOMAIN PEER PRIVATE PEER PUBLIC ORGANIZATION
INSTANCE TYPE PROTOCOL SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT REMOTE COLOR STATE NAME UPTIME
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 vsmart dtls 10.100.0.12 100 1 223.1.1.12 12346 223.1.1.12 12346 default up lab 0:00:03:22
0 vsmart dtls 10.100.0.12 100 1 223.1.1.12 12446 223.1.1.12 12446 default up lab 0:00:03:22
0 vmanage dtls 10.100.0.10 100 0 223.1.1.10 12346 223.1.1.10 12346 default up lab 0:00:04:59
0 vmanage dtls 10.100.0.10 100 0 223.1.1.10 12446 223.1.1.10 12446 default up lab 0:00:04:59
0 vmanage dtls 10.100.0.10 100 0 223.1.1.10 12546 223.1.1.10 12546 default up lab 0:00:04:59
0 vmanage dtls 10.100.0.10 100 0 223.1.1.10 12646 223.1.1.10 12646 default up lab 0:00:04:59
vSmart# show control connections
PEER PEER
PEER PEER PEER SITE DOMAIN PEER PRIV PEER PUB
INDEX TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT REMOTE COLOR STATE UPTIME
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 vbond dtls 0.0.0.0 0 0 223.1.1.11 12346 223.1.1.11 12346 default up 0:00:03:52
0 vmanage dtls 10.100.0.10 100 0 223.1.1.10 12346 223.1.1.10 12346 default up 0:00:03:34
1 vbond dtls 0.0.0.0 0 0 223.1.1.11 12346 223.1.1.11 12346 default up 0:00:03:52
DC-SW
interface GigabitEthernet0/2 GigabitEthernet0/3 GigabitEthernet1/0
switchport access vlan 223
switchport mode access
spanning-tree portfast edge
!
interface Vlan223
ip address 223.1.1.1 255.255.255.0
GigabitEthernet0/0 192.1.20.2 YES manual up up
GigabitEthernet0/1 172.31.20.2 YES manual up up
DC-SW#show vlan bri
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/0, Gi0/1, Gi1/1, Gi1/2
Gi1/3
223 VLAN0223 active Gi0/2, Gi0/3, Gi1/0
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Onboarding vEdges to the Controllers
vEdge1
vEdge1
system
host-name vEdge1
system-ip 10.12.0.1
site-id 12
no route-consistency-check
organization-name lab
vbond 223.1.1.11
!
vpn 0
interface ge0/0
ip address 192.1.1.2/24
tunnel-interface
encapsulation ipsec
color public-internet
allow-service all
!
no shutdown
!
interface ge0/1
ip address 172.31.11.2/24
tunnel-interface
encapsulation ipsec
color mpls
allow-service all
!
no shutdown
!
ip route 0.0.0.0/0 192.1.1.1
vEdge1# vshell
vEdge1:~$ vi /home/admin/PKI.ca
-----BEGIN CERTIFICATE-----
MIIDaTCCAlGgAwIBAgIQN3ie0PKTF7tJuBKY6PFMujANBgkqhkiG9w0BAQsFADBH
MRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFDASBgoJkiaJk/IsZAEZFgRkZW1vMRgw
FgYDVQQDEw9kZW1vLVdJTjIwMTYtQ0EwHhcNMjMwODE4MjM1NjMwWhcNMjgwODE5
MDAwNjMwWjBHMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFDASBgoJkiaJk/IsZAEZ
FgRkZW1vMRgwFgYDVQQDEw9kZW1vLVdJTjIwMTYtQ0EwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCpcZwrkp+RE9xfnyidREOArAkWYqC1XHW2yUwbCiHN
FhlhdtnSNBm28axFJtagpaPARA5qeswN0Q/00w8s8E3YK4kNQ15BN5LcMhDmvH5q
K0p59qOCWS6QicHdukW8DJtDTOz1do55Xf11XsFB9nzPgnyzkYuZlDj9xEIi+kSC
8TBoJ6H5YbVNIMqgjrFjbJ//x7Wy/yYFzv9v66WkQSTreD//ymEi25awp/jPhmU7
0G6wgDicUGN2T2kbZidfY2MGjV52um+OYXW4Lb5Jx0C5t7V9nK+KZNNX9y4TI0rH
v/46+FfkUFNMp1AB7GrAjtBRCK4mHSdRpajunnTFrPInAgMBAAGjUTBPMAsGA1Ud
DwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBShs8TTQcllqbFVcCXD
aldmu07nljAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQsFAAOCAQEAp8mu
RoceLeLz3kpV8Hq33v9/HGfmb1qLheLVXEsD16byWsQSMGwsinWRTjkXF8G1somQ
fN80Hl60bL36iG6gKuanYTjvn4SG/SmzTG/YtUhVmUv6pbW7KFCnP6rcAmM+TfQn
6k7BejZOrlaJtxZu5Q3SkRMKbU6VNvaYDAboureTfFRCRh19Jenp+VAwG2R/tDHf
M17efEgXMhQZ8CH22Scty5r/D4XhPWYBoX21c8bv/l+WZsSb5XKEAKX4l5yDCPGH
OZToimcS6EYjyiqgCHDNDnTtFkB1pFp2/A7Y5bDvVGIuOymEzA4zUHJ69epKSP01
2AganVyNNU5mtyI8CQ==
-----END CERTIFICATE-----
~
~
"PKI.ca" [New File] 21 lines, 1245 characters written
vEdge1:~$ exit
exit
vEdge1# request root-cert-chain install home/admin/PKI.ca
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/PKI.ca via VPN 0
Updating the root certificate chain..
Successfully installed the root certificate chain
DC-SW(config)#ip route 0.0.0.0 0.0.0.0 192.1.20.1
INET(config)#ip route 223.1.1.0 255.255.255.0 192.1.20.2
vEdge1# request csr upload home/admin/csr.txt
Uploading CSR via VPN 0
Enter organization-unit name : lab
Re-enter organization-unit name : lab
Generating private/public pair and CSR for this vedge device
Generating CSR for this vedge device ........[DONE]
Copying ... /home/admin/csr.txt via VPN 0
CSR upload successful
vshell
vEdge2:~$ more csr.txt
vEdge1:~$ cat <<"" > cert.txt
> -----BEGIN CERTIFICATE-----
> MIIGAjCCBOqgAwIBAgITIgAAACrFpnpdJg9jkwAAAAAAKjANBgkqhkiG9w0BAQsF
> ADBHMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFDASBgoJkiaJk/IsZAEZFgRkZW1v
> MRgwFgYDVQQDEw9kZW1vLVdJTjIwMTYtQ0EwHhcNMjQwMTI3MjAxNjQ3WhcNMjYw
> MTI2MjAxNjQ3WjCBwDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
> ETAPBgNVBAcTCFNhbiBKb3NlMRQwEgYDVQQKEwt2SVB0ZWxhIEluYzEMMAoGA1UE
> CxMDbGFiMUEwPwYDVQQDEzh2ZWRnZS1kNzE5YTFhZS1iYzdlLTRhYTItOWY5Ni02
> MGY2ZmRiMDk5ZGYtMC52aXB0ZWxhLmNvbTEiMCAGCSqGSIb3DQEJARYTc3VwcG9y
> dEB2aXB0ZWxhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOJA
> TOB8glm9a0Db+BAWJOSR4zcw9DnBANJIYzIo3760HkzeNtfZjNORLJ+AQ8GH/+BO
> XyoTFQe+06v4fAJ63S+Ndi/dS/xlQT+6IuqsEvWyd1QbWeKuybzPwBIJlC7Mnkf6
> Xl9A+r5Chh6jGycvVUq6/LyacGsoSChXypwptk4IPMolhajllNbRev1R0soCQGmM
> ED1m/2Is/kJ4qbllm3n3D3rNeFpjOPqigkNKJXQSFkMHjyE2qADyB46j79vb4CsB
> l+YR+bRNlimLWI4C5+Z/q/g+41cueSrMlemsF325Zt6wVf4XjUWOXakOZn3ucV36
> i/FPVPWwqaHXP2jZnHsCAwEAAaOCAmswggJnMB0GA1UdDgQWBBTCJ8/Jqe2UgHUt
> jFwZHQS/VsQPUzAfBgNVHSMEGDAWgBShs8TTQcllqbFVcCXDaldmu07nljCBzAYD
> VR0fBIHEMIHBMIG+oIG7oIG4hoG1bGRhcDovLy9DTj1kZW1vLVdJTjIwMTYtQ0Es
> Q049V2luMjAxNixDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049
> U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1kZW1vLERDPWxvY2FsP2NlcnRp
> ZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmli
> dXRpb25Qb2ludDCBwAYIKwYBBQUHAQEEgbMwgbAwga0GCCsGAQUFBzAChoGgbGRh
> cDovLy9DTj1kZW1vLVdJTjIwMTYtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUy
> MFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9ZGVtbyxE
> Qz1sb2NhbD9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNh
> dGlvbkF1dGhvcml0eTAOBgNVHQ8BAf8EBAMCBaAwOwYJKwYBBAGCNxUHBC4wLAYk
> KwYBBAGCNxUIh8zpeIfY7FuG4ZEGhueZL+KgTAXliHOCmptDAgFkAgEDMB0GA1Ud
> JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAnBgkrBgEEAYI3FQoEGjAYMAoGCCsG
> AQUFBwMBMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBZ5o0sbFzKbT23
> ZPBTnBHjQGAoNyAHTArTiZfOYZ307O/sLbtdi/fvDFu6c0WTrkF08PZ4GwMKBlh7
> z+oBIHi5eJpftt262AKSbbBTEhCe2+5wlnkka0apBgPzknTTbSiX+hB86KsRfzgw
> FRWBHi33Kw85R68F9dn1pPc11ubUavJmuk5F5ggwTpJENwWcXxYiDQNUXYAk8VeW
> 20SZYvc2EpVZ8FFxjtrRsaaSZpEzgLW3X8mYqzAgvIO0uXC9ExUYlQK2xkGcuC+n
> l8Dd2WXBEOmwww8+MOfzp+mWws68NCx5jLBdO2zQBSCr4HXpXOTCFieZkAbrYO71
> 0Ra0qkXw
> -----END CERTIFICATE-----
>
vEdge1:~$ exit
exit
vEdge1# request certificate install home/admin/cert.txt
Installing certificate via VPN 0
Copying ... /home/admin/cert.txt via VPN 0
Successfully installed the certificate
vEdge1# show certificate serial
Chassis number: d719a1ae-bc7e-4aa2-9f96-60f6fdb099df serial number: 220000002AC5A67A5D260F639300000000002A
vManage# request vedge add chassis-num d719a1ae-bc7e-4aa2-9f96-60f6fdb099df serial-num 220000002AC5A67A5D260F639300000000002A
vBond# request vedge add chassis-num d719a1ae-bc7e-4aa2-9f96-60f6fdb099df serial-num 220000002AC5A67A5D260F639300000000002A
vSmart# show control connections
PEER PEER
PEER PEER PEER SITE DOMAIN PEER PRIV PEER PUB
INDEX TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT REMOTE COLOR STATE UPTIME
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 vbond dtls 0.0.0.0 0 0 223.1.1.11 12346 223.1.1.11 12346 default up 0:01:23:56
0 vmanage dtls 10.100.0.10 100 0 223.1.1.10 12346 223.1.1.10 12346 default up 0:01:00:03
1 vedge dtls 10.12.0.1 12 1 192.1.1.2 12366 192.1.1.2 12366 public-internet up 0:00:00:20
1 vbond dtls 0.0.0.0 0 0 223.1.1.11 12346 223.1.1.11 12346 default up 0:01:23:56
vSmart# show omp peers
R -> routes received
I -> routes installed
S -> routes sent
DOMAIN OVERLAY SITE
PEER TYPE ID ID ID STATE UPTIME R/I/S
------------------------------------------------------------------------------------------
10.12.0.1 vedge 1 1 12 up 0:00:00:58 0/0/0
vEdge2
system
host-name vEdge2
system-ip 10.12.0.2
site-id 12
organization-name lab
vbond 223.1.1.11
!
vpn 0
interface ge0/0
ip address 192.1.2.2/24
tunnel-interface
encapsulation ipsec
color public-internet
allow-service all
!
no shutdown
!
interface ge0/1
ip address 172.31.12.2/24
tunnel-interface
encapsulation ipsec
color mpls
allow-service all
!
no shutdown
!
ip route 0.0.0.0/0 192.1.2.1
Repeat to enroll CA/signing cert, refer to vEdge1 section…
vSmart# show omp peers
R -> routes received
I -> routes installed
S -> routes sent
DOMAIN OVERLAY SITE
PEER TYPE ID ID ID STATE UPTIME R/I/S
------------------------------------------------------------------------------------------
10.12.0.1 vedge 1 1 12 up 0:01:00:56 0/0/0
10.12.0.2 vedge 1 1 12 up 0:00:00:00 0/0/0
vEdge3
system
host-name vEdge3
system-ip 10.3.0.1
site-id 3
organization-name lab
vbond 223.1.1.11
!
vpn 0
interface ge0/0
ip address 192.1.3.2/24
tunnel-interface
encapsulation ipsec
color public-internet
allow-service all
!
no shutdown
!
interface ge0/1
ip address 172.31.13.2/24
tunnel-interface
encapsulation ipsec
color mpls
allow-service all
!
no shutdown
!
ip route 0.0.0.0/0 192.1.3.1
Repeat to enroll CA/signing cert, refer to vEdge1 section…
vSmart# show omp peers
R -> routes received
I -> routes installed
S -> routes sent
DOMAIN OVERLAY SITE
PEER TYPE ID ID ID STATE UPTIME R/I/S
------------------------------------------------------------------------------------------
10.3.0.1 vedge 1 1 3 up 0:00:00:20 0/0/0
10.12.0.1 vedge 1 1 12 up 0:01:18:24 0/0/0
10.12.0.2 vedge 1 1 12 up 0:00:17:28 0/0/0
vEdge4
system
host-name vEdge4
system-ip 10.4.0.1
site-id 4
organization-name lab
vbond 223.1.1.11
!
vpn 0
interface ge0/0
ip address 192.1.4.2/24
tunnel-interface
encapsulation ipsec
color public-internet
allow-service all
!
no shutdown
!
interface ge0/1
ip address 172.31.14.2/24
tunnel-interface
encapsulation ipsec
color mpls
allow-service all
!
no shutdown
!
ip route 0.0.0.0/0 192.1.4.1
Repeat to enroll CA/signing cert, refer to vEdge1 section…
vSmart# show omp peers
R -> routes received
I -> routes installed
S -> routes sent
DOMAIN OVERLAY SITE
PEER TYPE ID ID ID STATE UPTIME R/I/S
------------------------------------------------------------------------------------------
10.3.0.1 vedge 1 1 3 up 0:00:19:34 0/0/0
10.4.0.1 vedge 1 1 4 up 0:00:11:38 0/0/0
10.12.0.1 vedge 1 1 12 up 0:00:00:01 0/0/0
10.12.0.2 vedge 1 1 12 up 0:00:36:42 0/0/0
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Brining up MPLS Transport
DC-SW
router bgp 65100
bgp log-neighbor-changes
network 223.1.1.0
neighbor 172.31.20.1 remote-as 100
MPLS
router bgp 100
bgp log-neighbor-changes
neighbor 172.31.11.2 remote-as 65012
neighbor 172.31.12.2 remote-as 65012
neighbor 172.31.13.2 remote-as 65003
neighbor 172.31.14.2 remote-as 65004
neighbor 172.31.15.2 remote-as 65005
neighbor 172.31.20.2 remote-as 65100
vEdge5
system
host-name vEdge5
system-ip 10.5.0.1
site-id 5
organization-name lab
vbond 223.1.1.11
!
vpn 0
interface ge0/1
ip address 172.31.15.2/24
tunnel-interface
encapsulation ipsec
color mpls
allow-service all
!
no shutdown
!
vpn 0
router
bgp 65005
address-family ipv4-unicast
network 172.31.15.0/24
!
neighbor 172.31.15.1
no shutdown
remote-as 100
address-family ipv4-unicast
vEdge5# show bgp summary
vpn 0
bgp-router-identifier 10.5.0.1
local-as 65005
rib-entries 3
rib-memory 336
total-peers 1
peer-memory 4816
Local-soo SoO:0:5
ignore-soo
MSG MSG OUT PREFIX PREFIX PREFIX
NEIGHBOR AS RCVD SENT Q UPTIME RCVD VALID INSTALLED STATE
---------------------------------------------------------------------------------------------------------
172.31.15.1 100 20 23 0 0:00:12:33 1 1 1 established
vEdge5# show bgp route
bgp routes-table vpn 0 172.31.15.0/24
info 0
nexthop 0.0.0.0
metric 0
weight 32768
origin igp
as-path Local
path-status valid,best
tag 0
bgp routes-table vpn 0 223.1.1.0/24
info 0
nexthop 172.31.15.1
weight 0
origin igp
as-path "100 65100"
path-status valid,best,external
tag 0
Repeat to enroll CA/signing cert, refer to vEdge1 section…
vSmart# show omp peers
R -> routes received
I -> routes installed
S -> routes sent
DOMAIN OVERLAY SITE
PEER TYPE ID ID ID STATE UPTIME R/I/S
------------------------------------------------------------------------------------------
10.3.0.1 vedge 1 1 3 up 0:00:14:53 0/0/0
10.4.0.1 vedge 1 1 4 up 0:00:54:09 0/0/0
10.5.0.1 vedge 1 1 5 up 0:00:00:46 0/0/0
10.12.0.1 vedge 1 1 12 up 0:00:42:32 0/0/0
10.12.0.2 vedge 1 1 12 up 0:01:19:13 0/0/0
vEdge5# show control connections
PEER PEER CONTROLLER
PEER PEER PEER SITE DOMAIN PEER PRIV PEER PUB GROUP
TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT LOCAL COLOR PROXY STATE UPTIME ID
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vsmart dtls 10.100.0.12 100 1 223.1.1.12 12346 223.1.1.12 12346 mpls No up 0:00:00:02 0
vbond dtls 0.0.0.0 0 0 223.1.1.11 12346 223.1.1.11 12346 mpls - up 0:00:00:19 0
vmanage dtls 10.100.0.10 100 0 223.1.1.10 12346 223.1.1.10 12346 mpls No up 0:00:00:02 0
vEdge1-4 BGP for MPLS
vpn 0
router
bgp 650__
neighbor 172.31.__.1
no shutdown
remote-as 100
address-family ipv4-unicast
exit
exit
address-family ipv4-unicast
network 172.31.__.0/24
MPLS#show ip bgp summary
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
172.31.11.2 4 65012 7 12 6 0 0 00:03:41 1
172.31.12.2 4 65012 6 11 6 0 0 00:02:32 1
172.31.13.2 4 65003 4 9 6 0 0 00:00:45 1
172.31.14.2 4 65004 3 8 6 0 0 00:00:08 0
172.31.15.2 4 65005 33 36 6 0 0 00:27:53 1
172.31.20.2 4 65100 25 32 6 0 0 00:21:31 1
MPLS To Internet connections
INET(config)#ip route 172.31.0.0 255.255.0.0 101.0.0.2
MPLS(config)#ip route 192.1.0.0 255.255.0.0 101.0.0.1
vEdge1# ping 172.31.12.2 source ge0/0
Ping in VPN 0
PING 172.31.12.2 (172.31.12.2) from 192.1.1.2 : 56(84) bytes of data.
64 bytes from 172.31.12.2: icmp_seq=1 ttl=63 time=36.8 ms
64 bytes from 172.31.12.2: icmp_seq=2 ttl=63 time=28.1 ms
Color Restrict
vEdge 1-4
vpn 0
interface ge0/0
tunnel-interface
color public-internet restrict
!
!
interface ge0/1
tunnel-interface
color mpls restrict
vEdge 5
vpn 0
!
interface ge0/0
shutdown
!
interface ge0/1
tunnel-interface
color mpls restrict
vEdge1# show bfd sessions
SOURCE TLOC REMOTE TLOC DST PUBLIC DST PUBLIC DETECT TX
SYSTEM IP SITE ID STATE COLOR COLOR SOURCE IP IP PORT ENCAP MULTIPLIER INTERVAL(msec) UPTIME TRANSITIONS
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10.3.0.1 3 up mpls mpls 172.31.11.2 172.31.13.2 12426 ipsec 7 1000 0:00:48:28 0
10.3.0.1 3 up public-internet public-internet 192.1.1.2 192.1.3.2 12386 ipsec 7 1000 0:01:12:50 0
10.4.0.1 4 up mpls mpls 172.31.11.2 172.31.14.2 12406 ipsec 7 1000 0:00:47:40 0
10.4.0.1 4 up public-internet public-internet 192.1.1.2 192.1.4.2 12386 ipsec 7 1000 0:01:12:51 0
10.5.0.1 5 up mpls mpls 172.31.11.2 172.31.15.2 12386 ipsec 7 1000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Service VPN Overview, Connected and Static Routes
vEdge 1
vpn 1
interface ge0/6
ip address 10.1.16.1/24
no shutdown
vEdge1# show ip route
Codes Proto-sub-type:
IA -> ospf-intra-area, IE -> ospf-inter-area,
E1 -> ospf-external1, E2 -> ospf-external2,
N1 -> ospf-nssa-external1, N2 -> ospf-nssa-external2,
e -> bgp-external, i -> bgp-internal
Codes Status flags:
F -> fib, S -> selected, I -> inactive,
B -> blackhole, R -> recursive
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
0 0.0.0.0/0 static - ge0/0 192.1.1.1 - - - - F,S
0 10.12.0.1/32 connected - system - - - - - F,S
0 172.31.11.0/24 connected - ge0/1 - - - - - F,S
0 172.31.13.0/24 bgp e ge0/1 172.31.11.1 - - - - F,S
0 172.31.14.0/24 bgp e ge0/1 172.31.11.1 - - - - F,S
0 172.31.15.0/24 bgp e ge0/1 172.31.11.1 - - - - F,S
0 192.1.1.0/24 connected - ge0/0 - - - - - F,S
0 223.1.1.0/24 bgp e ge0/1 172.31.11.1 - - - - F,S
1 10.1.16.0/24 connected - ge0/6 - - - - - F,S
vSmart# show omp route
---------------------------------------------------
omp route entries for vpn 1 route 10.1.16.0/24
---------------------------------------------------
RECEIVED FROM:
peer 10.12.0.1
path-id 66
label 1003
status C,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
originator 10.12.0.1
type installed
tloc 10.12.0.1, mpls, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 12
preference not set
tag not set
origin-proto connected
origin-metric 0
as-path not set
unknown-attr-len not set
vEdge 3
vpn 1
interface ge0/4
ip address 10.3.13.1/24
no shutdown
vEdge3# show omp peers
R -> routes received
I -> routes installed
S -> routes sent
DOMAIN OVERLAY SITE
PEER TYPE ID ID ID STATE UPTIME R/I/S
------------------------------------------------------------------------------------------
10.100.0.12 vsmart 1 1 100 up 0:17:16:11 2/2/2
vEdge1# show ip route
Codes Proto-sub-type:
IA -> ospf-intra-area, IE -> ospf-inter-area,
E1 -> ospf-external1, E2 -> ospf-external2,
N1 -> ospf-nssa-external1, N2 -> ospf-nssa-external2,
e -> bgp-external, i -> bgp-internal
Codes Status flags:
F -> fib, S -> selected, I -> inactive,
B -> blackhole, R -> recursive
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
0 0.0.0.0/0 static - ge0/0 192.1.1.1 - - - - F,S
0 10.12.0.1/32 connected - system - - - - - F,S
0 172.31.11.0/24 connected - ge0/1 - - - - - F,S
0 172.31.13.0/24 bgp e ge0/1 172.31.11.1 - - - - F,S
0 172.31.14.0/24 bgp e ge0/1 172.31.11.1 - - - - F,S
0 172.31.15.0/24 bgp e ge0/1 172.31.11.1 - - - - F,S
0 192.1.1.0/24 connected - ge0/0 - - - - - F,S
0 223.1.1.0/24 bgp e ge0/1 172.31.11.1 - - - - F,S
1 10.1.16.0/24 connected - ge0/6 - - - - - F,S
1 10.3.13.0/24 omp - - - - 10.3.0.1 mpls ipsec F,S
1 10.3.13.0/24 omp - - - - 10.3.0.1 public-internet ipsec F,S
vEdge3# show ip route
Codes Proto-sub-type:
IA -> ospf-intra-area, IE -> ospf-inter-area,
E1 -> ospf-external1, E2 -> ospf-external2,
N1 -> ospf-nssa-external1, N2 -> ospf-nssa-external2,
e -> bgp-external, i -> bgp-internal
Codes Status flags:
F -> fib, S -> selected, I -> inactive,
B -> blackhole, R -> recursive
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
0 0.0.0.0/0 static - ge0/0 192.1.3.1 - - - - F,S
0 10.3.0.1/32 connected - system - - - - - F,S
0 172.31.11.0/24 bgp e ge0/1 172.31.13.1 - - - - F,S
0 172.31.12.0/24 bgp e ge0/1 172.31.13.1 - - - - F,S
0 172.31.13.0/24 connected - ge0/1 - - - - - F,S
0 172.31.14.0/24 bgp e ge0/1 172.31.13.1 - - - - F,S
0 172.31.15.0/24 bgp e ge0/1 172.31.13.1 - - - - F,S
0 192.1.3.0/24 connected - ge0/0 - - - - - F,S
0 223.1.1.0/24 bgp e ge0/1 172.31.13.1 - - - - F,S
1 10.1.16.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.1.16.0/24 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 10.3.13.0/24 connected - ge0/4 - - - - - F,S
IOS7 & IOS13
IOS7(config)#ip route 0.0.0.0 0.0.0.0 10.1.16.1
IOS13(config)#ip route 0.0.0.0 0.0.0.0 10.3.13.1
IOS7#ping 10.3.13.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.13.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/42/56 ms
IOS7#traceroute
Protocol [ip]:
Target IP address: 10.3.13.2
Ingress traceroute [n]:
Source address:
Numeric display [n]: y
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.3.13.2
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.16.1 6 msec 8 msec 8 msec
2 10.3.13.1 21 msec 24 msec 27 msec
3 10.3.13.2 42 msec * 22 msec
vEdge 4
vpn 1
interface ge0/4
ip address 10.5.15.1/24
no shutdown
vEdge 5
vpn 1
interface ge0/4
ip address 10.5.14.1/24
no shutdown
vEdge4# show ip route
Codes Proto-sub-type:
IA -> ospf-intra-area, IE -> ospf-inter-area,
E1 -> ospf-external1, E2 -> ospf-external2,
N1 -> ospf-nssa-external1, N2 -> ospf-nssa-external2,
e -> bgp-external, i -> bgp-internal
Codes Status flags:
F -> fib, S -> selected, I -> inactive,
B -> blackhole, R -> recursive
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
0 0.0.0.0/0 static - ge0/0 192.1.4.1 - - - - F,S
0 10.4.0.1/32 connected - system - - - - - F,S
0 172.31.11.0/24 bgp e ge0/1 172.31.14.1 - - - - F,S
0 172.31.12.0/24 bgp e ge0/1 172.31.14.1 - - - - F,S
0 172.31.13.0/24 bgp e ge0/1 172.31.14.1 - - - - F,S
0 172.31.14.0/24 connected - ge0/1 - - - - - F,S
0 172.31.15.0/24 bgp e ge0/1 172.31.14.1 - - - - F,S
0 192.1.4.0/24 connected - ge0/0 - - - - - F,S
0 223.1.1.0/24 bgp e ge0/1 172.31.14.1 - - - - F,S
1 10.1.16.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.1.16.0/24 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 10.3.13.0/24 omp - - - - 10.3.0.1 mpls ipsec F,S
1 10.3.13.0/24 omp - - - - 10.3.0.1 public-internet ipsec F,S
1 10.4.15.0/24 connected - ge0/4 - - - - - F,S
1 10.5.14.0/24 omp - - - - 10.5.0.1 mpls ipsec F,S
IOS14#traceroute 10.3.13.2 numeric
Type escape sequence to abort.
Tracing the route to 10.3.13.2
VRF info: (vrf in name/id, vrf out name/id)
1 10.5.14.1 24 msec 19 msec 5 msec
2 10.3.13.1 64 msec 46 msec 40 msec
3 10.3.13.2 55 msec * 66 msec
Static Route
IOS7/13/14/15#show ip int bri
…
Loopback0 …. up
Loopback1 …. up
vEdge1(config)# vpn 1
vEdge1(config-vpn-1)# ip route 10.1.0.0/24 10.1.16.2
vEdge1(config-vpn-1)# commit
vEdge3(config)# vpn 1
vEdge3(config-vpn-1)# ip route 10.3.130.0/24 10.3.13.2
vEdge3(config-vpn-1)# commit
vEdge4# show ip route vpn 1
Codes Proto-sub-type:
IA -> ospf-intra-area, IE -> ospf-inter-area,
E1 -> ospf-external1, E2 -> ospf-external2,
N1 -> ospf-nssa-external1, N2 -> ospf-nssa-external2,
e -> bgp-external, i -> bgp-internal
Codes Status flags:
F -> fib, S -> selected, I -> inactive,
B -> blackhole, R -> recursive
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
1 10.1.0.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.1.0.0/24 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 10.1.16.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.1.16.0/24 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 10.3.13.0/24 omp - - - - 10.3.0.1 mpls ipsec F,S
1 10.3.13.0/24 omp - - - - 10.3.0.1 public-internet ipsec F,S
1 10.3.130.0/24 omp - - - - 10.3.0.1 mpls ipsec F,S
1 10.3.130.0/24 omp - - - - 10.3.0.1 public-internet ipsec F,S
1 10.4.15.0/24 connected - ge0/4 - - - - - F,S
1 10.5.14.0/24 omp - - - - 10.5.0.1 mpls ipsec F,S
vSmart# show omp peers
R -> routes received
I -> routes installed
S -> routes sent
DOMAIN OVERLAY SITE
PEER TYPE ID ID ID STATE UPTIME R/I/S
------------------------------------------------------------------------------------------
10.3.0.1 vedge 1 1 3 up 0:18:07:17 4/0/7
10.4.0.1 vedge 1 1 4 up 0:18:46:33 2/0/9
10.5.0.1 vedge 1 1 5 up 0:17:53:10 1/0/10
10.12.0.1 vedge 1 1 12 up 0:01:19:13 4/0/7
10.12.0.2 vedge 1 1 12 up 0:19:11:37 0/0/0
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Templates Overview, Single vEdge Site setup and Development
vEdge_System_Template
vEdge_Banner_Template
vEdge_VPN0_Template
vEdge_VPN512_Template
Remote default route
vEdge_VPN0_Int_G0/0_Template
vEdge_VPN0_Int_G0/1_Template
vEdge_VPN0_Int_G0/0_Template
vEdge_VPN512_Int_Eth0_Template
vEdge_VPN0_BGP_Template
ALL Templates
vEdge_Single_Device_Template
Verify
vEdge3# show bfd sessions
SOURCE TLOC REMOTE TLOC DST PUBLIC DST PUBLIC DETECT TX
SYSTEM IP SITE ID STATE COLOR COLOR SOURCE IP IP PORT ENCAP MULTIPLIER INTERVAL(msec) UPTIME TRANSITIONS
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10.4.0.1 4 up mpls mpls 172.31.13.2 172.31.14.2 12406 ipsec 7 1000 0:00:01:10 1
10.4.0.1 4 up public-internet public-internet 192.1.3.2 192.1.4.2 12386 ipsec 7 1000 0:00:01:28 1
10.5.0.1 5 up mpls mpls 172.31.13.2 172.31.15.2 12386 ipsec 7 1000 0:00:01:10 1
10.12.0.1 12 up mpls mpls 172.31.13.2 172.31.11.2 12346 ipsec 7 1000 0:00:01:10 6
10.12.0.1 12 up public-internet public-internet 192.1.3.2 192.1.1.2 12346 ipsec 7 1000 0:00:01:29 5
10.12.0.2 12 up mpls mpls 172.31.13.2 172.31.12.2 12406 ipsec 7 1000 0:00:01:10 1
10.12.0.2 12 up public-internet public-internet 192.1.3.2 192.1.2.2 12386 ipsec 7 1000 0:00:01:29 1
vEdge3# show ipsec outbound-connections
SOURCE SOURCE DEST DEST REMOTE REMOTE AUTHENTICATION NEGOTIATED
IP PORT IP PORT SPI TUNNEL MTU TLOC ADDRESS TLOC COLOR USED KEY HASH ENCRYPTION ALGORITHM TC SPIs
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
172.31.13.2 12426 172.31.11.2 12346 256 1441 10.12.0.1 mpls AH_SHA1_HMAC *****50f7 AES-GCM-256 8
172.31.13.2 12426 172.31.12.2 12406 259 1441 10.12.0.2 mpls AH_SHA1_HMAC *****830d AES-GCM-256 8
172.31.13.2 12426 172.31.14.2 12406 261 1441 10.4.0.1 mpls AH_SHA1_HMAC *****7223 AES-GCM-256 8
172.31.13.2 12426 172.31.15.2 12386 260 1441 10.5.0.1 mpls AH_SHA1_HMAC *****9cf3 AES-GCM-256 8
192.1.3.2 12386 192.1.1.2 12346 256 1441 10.12.0.1 public-internet AH_SHA1_HMAC *****4c6a AES-GCM-256 8
192.1.3.2 12386 192.1.2.2 12386 260 1441 10.12.0.2 public-internet AH_SHA1_HMAC *****9556 AES-GCM-256 8
192.1.3.2 12386 192.1.4.2 12386 262 1441 10.4.0.1 public-internet AH_SHA1_HMAC *****cc9d AES-GCM-256 8
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Dual-vEdge Site and MPLS Only Site Templates
vEdge_Dual_Site_VPN0_Template
vEdge_Dual_Site_VPN0_Int_G0/0_Template
vEdge_Dual_Site_VPN0_Int_G0/1_Template
vEdge_Dual_Site_VPN512_Template
vEdge_Dual_Site_VPN512_Int_Eth0_Template
vEdge_Dual_Site_VPN0_BGP_Template
vEdge_Dual_Site_Device_Template
Assign "vEdge_Dual_Site_Device_Template" to vEdge 2 (vEdge 1 is example with CLI)
vEdge_MPLS_Only_VPN0_Template
vEdge_MPLS_Only_VPN0_Int_G0/1_Template
vEdge_MPLS_Only_VPN0_BGP_Template
vEdge_MPLS_Only_VPN512_Template
vEdge_MPLS_Only_VPN512_Int_Eth0_Template
vEdge_MPLS_Only_Device_Template
vEdge5# show bfd sessions
SOURCE TLOC REMOTE TLOC DST PUBLIC DST PUBLIC DETECT TX
SYSTEM IP SITE ID STATE COLOR COLOR SOURCE IP IP PORT ENCAP MULTIPLIER INTERVAL(msec) UPTIME TRANSITIONS
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10.3.0.1 3 up mpls mpls 172.31.15.2 172.31.13.2 12426 ipsec 7 1000 0:00:00:40 2
10.4.0.1 4 up mpls mpls 172.31.15.2 172.31.14.2 12406 ipsec 7 1000 0:00:00:40 2
10.12.0.1 12 up mpls mpls 172.31.15.2 172.31.11.2 12346 ipsec 7 1000 0:00:00:40 7
10.12.0.2 12 up mpls mpls 172.31.15.2 172.31.12.2 12406 ipsec 7 1000 0:00:00:40 2
vEdge5# show control connections
PEER PEER CONTROLLER
PEER PEER PEER SITE DOMAIN PEER PRIV PEER PUB GROUP
TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT LOCAL COLOR PROXY STATE UPTIME ID
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vsmart dtls 10.100.0.12 100 1 223.1.1.12 12346 223.1.1.12 12346 mpls No up 0:00:00:51 0
vbond dtls 0.0.0.0 0 0 223.1.1.11 12346 223.1.1.11 12346 mpls - up 0:00:00:52 0
vmanage dtls 10.100.0.10 100 0 223.1.1.10 12346 223.1.1.10 12346 mpls No up 0:00:00:51 0
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Service VPN1 Connected Routes via CLI and Templates
vEdge1
Sending route 10.1.16.0/24 through TLOC "Internet" and "MPLS" to vSmart;
vSmart distributes routes to other vEdges
vEdge1(config)# vpn 1
vEdge1(config-vpn-1)# int ge0/6
vEdge1(config-interface-ge0/6)# ip add 10.1.16.1/24
vEdge1(config-interface-ge0/6)# no shut
vEdge1(config-interface-ge0/6)# commit
vEdge1# show omp peers
R -> routes received
I -> routes installed
S -> routes sent
DOMAIN OVERLAY SITE
PEER TYPE ID ID ID STATE UPTIME R/I/S
------------------------------------------------------------------------------------------
10.100.0.12 vsmart 1 1 100 up 0:04:36:38 0/0/2
vEdge_Single_Site_VPN1_Template
vEdge_Dual_Site_VPN1_Template
vEdge_MPLS_Only_VPN1_Template
vEdge_Single_Site_VPN1_Int_G0/X_Template
vEdge_Dual_Site_VPN1_Int_G0/X_Template
vEdge_MPLS_Only_VPN1_Int_G0/X_Template
Assign newly created service VPN template to below device templates
vEdge 3
vEdge 4
Verify
vEdge3# show run vpn 1
vpn 1
interface ge0/4
ip address 10.3.13.1/24
no shutdown
!
vEdge4# sh run vpn 1
vpn 1
interface ge0/4
ip address 10.4.15.1/24
no shutdown
!
vEdge4# show ip route
…
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
1 10.1.16.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.1.16.0/24 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 10.3.13.0/24 omp - - - - 10.3.0.1 mpls ipsec F,S
1 10.3.13.0/24 omp - - - - 10.3.0.1 public-internet ipsec F,S
1 10.4.15.0/24 connected - ge0/4 - - - - - F,S
vEdge3# show ip route
…
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
1 10.1.16.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.1.16.0/24 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 10.3.13.0/24 connected - ge0/4 - - - - - F,S
1 10.4.15.0/24 omp - - - - 10.4.0.1 mpls ipsec F,S
1 10.4.15.0/24 omp - - - - 10.4.0.1 public-internet ipsec F,S
vSmart# show omp peers
R -> routes received
I -> routes installed
S -> routes sent
DOMAIN OVERLAY SITE
PEER TYPE ID ID ID STATE UPTIME R/I/S
------------------------------------------------------------------------------------------
10.3.0.1 vedge 1 1 3 up 2:00:13:27 2/0/4
10.4.0.1 vedge 1 1 4 up 2:00:52:43 2/0/4
10.5.0.1 vedge 1 1 5 up 0:02:34:28 0/0/0
10.12.0.1 vedge 1 1 12 up 0:05:43:16 2/0/4
10.12.0.2 vedge 1 1 12 up 2:01:17:47 0/0/0
Dual-site device template to vEdge 2
vEdge2# show run vpn 1
vpn 1
interface ge0/6
ip address 10.2.16.1/24
no shutdown
!
vSmart# show omp peers
…
DOMAIN OVERLAY SITE
PEER TYPE ID ID ID STATE UPTIME R/I/S
------------------------------------------------------------------------------------------
10.3.0.1 vedge 1 1 3 up 2:00:50:17 2/0/6
10.4.0.1 vedge 1 1 4 up 2:01:29:33 2/0/6
10.5.0.1 vedge 1 1 5 up 0:03:11:18 0/0/0
10.12.0.1 vedge 1 1 12 up 0:06:20:06 2/0/6
10.12.0.2 vedge 1 1 12 up 0:00:27:52 2/0/6
vEdge1# show ip route vpn 1
Codes Proto-sub-type:
IA -> ospf-intra-area, IE -> ospf-inter-area,
E1 -> ospf-external1, E2 -> ospf-external2,
N1 -> ospf-nssa-external1, N2 -> ospf-nssa-external2,
e -> bgp-external, i -> bgp-internal
Codes Status flags:
F -> fib, S -> selected, I -> inactive,
B -> blackhole, R -> recursive
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
1 10.1.16.0/24 connected - ge0/6 - - - - - F,S
1 10.3.13.0/24 omp - - - - 10.3.0.1 public-internet ipsec F,S
1 10.4.15.0/24 omp - - - - 10.4.0.1 public-internet ipsec F,S
vEdge1# show omp route 10.2.16.0/24
---------------------------------------------------
omp route entries for vpn 1 route 10.2.16.0/24
---------------------------------------------------
RECEIVED FROM:
peer 10.100.0.12
path-id 31
label 1003
status Inv,U
loss-reason tloc-id
lost-to-peer 10.100.0.12
lost-to-path-id 32
Attributes:
originator 10.12.0.2
type installed
tloc 10.12.0.2, public-internet, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 12
preference not set
tag not set
origin-proto connected
origin-metric 0
as-path not set
unknown-attr-len not set
RECEIVED FROM:
peer 10.100.0.12
path-id 32
label 1003
status Inv,U
loss-reason ultimate-tloc-id
lost-to-peer 10.100.0.12
lost-to-path-id 31
Attributes:
originator 10.12.0.2
type installed
tloc 10.12.0.2, mpls, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 12
preference not set
tag not set
origin-proto connected
origin-metric 0
as-path not set
unknown-attr-len not set
vEdge 1 is not receving 10.2.16.0/24 because it is coming from the same site.
MPLS-Only device template to vEdge 5
vEdge5# show run vpn 1
vpn 1
interface ge0/4
ip address 10.5.14.1/24
no shutdown
vEdge5# show ip route vpn 1
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
1 10.1.16.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.2.16.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
1 10.3.13.0/24 omp - - - - 10.3.0.1 mpls ipsec F,S
1 10.4.15.0/24 omp - - - - 10.4.0.1 mpls ipsec F,S
1 10.5.14.0/24 connected - ge0/4 - - - - - F,S
vSmart# show omp peers
DOMAIN OVERLAY SITE
PEER TYPE ID ID ID STATE UPTIME R/I/S
------------------------------------------------------------------------------------------
10.3.0.1 vedge 1 1 3 up 2:01:02:00 2/0/7
10.4.0.1 vedge 1 1 4 up 2:01:41:16 2/0/7
10.5.0.1 vedge 1 1 5 up 0:03:23:01 1/0/8
10.12.0.1 vedge 1 1 12 down-in-gr 2/0/0
10.12.0.2 vedge 1 1 12 up 0:00:09:07 2/0/7
IOS7#traceroute 10.3.13.2 numeric
Type escape sequence to abort.
Tracing the route to 10.3.13.2
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.16.1 4 msec 9 msec 2 msec
2 10.3.13.1 25 msec 30 msec 20 msec
3 10.3.13.2 43 msec * 35 msec
No comments:
Post a Comment