SD-WAN Lab Note Part 3

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Service VPN1 NAT Dynamic PAT Local Internet Breakout and OMP Internet Failover

vEdge 1

vpn 0

interface ge0/0

description INET_Interface

ip address 192.1.1.2/24

nat

vpn1

ip route 0.0.0.0/0 vpn 0

vEdge1# show ip route vpn 1 0.0.0.0/0

PROTOCOL NEXTHOP NEXTHOP NEXTHOP

VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS

---------------------------------------------------------------------------------------------------------------------------------------------

1 0.0.0.0/0 nat - ge0/0 - 0 - - - F,S

IOS5#traceroute/ping 8.8.8.8 nu

Type escape sequence to abort.

Tracing the route to 8.8.8.8

VRF info: (vrf in name/id, vrf out name/id)

1 10.5.6.1 37 msec 19 msec 19 msec

2 192.1.1.1 351 msec 107 msec 23 msec

3 10.61.91.148 24 msec 8 msec 13 msec

Remove default route to vpn 0 because internet traffic default route to ASA:

vEdge1(config)# vpn 1

vEdge1(config-vpn-1)# no ip route 0.0.0.0/0 vpn 0

Additional:

vEdge1 and 2 remove redistribute OSPF into BGP in vpn1

vEdge1 and 2 remove originate default route in OSPF in vpn1

Distribute OSPF external (default routes) to OMP:

vEdge1# show run vpn 1 omp

vpn 1

omp

advertise ospf external

Advertise ge0/7:

vEdge1# show run vpn 1 router ospf area 0

vpn 1

router

ospf

area 0

interface ge0/7

exit

vEdge 2

Distribute OSPF external (default routes) to OMP:

Edit Feature Template: "vEdge_Dual_Site_VPN1_Template"

vEdge2# show run vpn 1 omp

vpn 1

omp

advertise ospf external

Edit feature template "vEdge_Dual_Site_VPN1_OSPF_Template" and add ge0/7

vEdge2# show run vpn 1 router ospf area 0

vpn 1

router

ospf

area 0

interface ge0/7

SW17#show ip route 10.5.6.0

Routing entry for 10.5.6.0/24

Known via "ospf 1", distance 110, metric 11, type intra area

Last update from 10.2.16.1 on GigabitEthernet1/2, 00:02:02 ago

Routing Descriptor Blocks:

10.2.16.1, from 10.12.0.1, 00:02:02 ago, via GigabitEthernet1/2

Route metric is 11, traffic share count is 1

* 10.1.16.1, from 10.12.0.1, 00:06:51 ago, via GigabitEthernet1/1

Route metric is 11, traffic share count is 1

Verify

IOS5#traceroute 8.8.8.8 nu

Type escape sequence to abort.

Tracing the route to 8.8.8.8

VRF info: (vrf in name/id, vrf out name/id)

1 10.5.6.1 16 msec 5 msec 8 msec

2 *

10.1.16.2 24 msec 33 msec

3 10.1.160.1 30 msec 30 msec 31 msec

4 192.1.101.1 68 msec 49 msec 43 msec

5 10.61.91.148 56 msec 62 msec 53 msec

6 192.168.0.1 43 msec * 41 msec

vEdge 3 and 4

Default vEdge 3 and 4 detour to HQ for internet

Edit "vEdge_VPN0_Int_G0/0_Template"

vEdge3# show run vpn 0 int ge0/0

vpn 0

interface ge0/0

description INET_Interface

ip address 192.1.3.2/24

nat

vEdge4# show run vpn 0 int ge0/0

vpn 0

interface ge0/0

description INET_Interface

ip address 192.1.4.2/24

nat

Edit "vEdge_Single_Site_VPN1_Template" to add VPN default route. This will be the only route in vpn1 (OSPF takes care of the rest)

vEdge 3 and 4# show run vpn 1 ip route

vpn 1

ip route 0.0.0.0/0 vpn 0

IOS15#traceroute 8.8.8.8 nu

Type escape sequence to abort.

Tracing the route to 8.8.8.8

VRF info: (vrf in name/id, vrf out name/id)

1 10.4.15.1 18 msec 13 msec 19 msec

2 192.1.4.1 30 msec 35 msec 44 msec

3 10.61.91.148 28 msec 28 msec 44 msec

vEdge3# show ip route vpn 1

PROTOCOL NEXTHOP NEXTHOP NEXTHOP

VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS

---------------------------------------------------------------------------------------------------------------------------------------------

1 0.0.0.0/0 omp - - - - 10.12.0.1 mpls ipsec -

1 0.0.0.0/0 omp - - - - 10.12.0.1 public-internet ipsec -

1 0.0.0.0/0 omp - - - - 10.12.0.2 mpls ipsec -

1 0.0.0.0/0 omp - - - - 10.12.0.2 public-internet ipsec -

1 0.0.0.0/0 nat - ge0/0 - 0 - - - F,S

vEdge5# show ip route vpn 1

PROTOCOL NEXTHOP NEXTHOP NEXTHOP

VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS

---------------------------------------------------------------------------------------------------------------------------------------------

1 0.0.0.0/0 omp - - - - 10.12.0.1 mpls ipsec F,S

1 0.0.0.0/0 omp - - - - 10.12.0.2 mpls ipsec F,S

Failover Test

INET(config)#int g0/5

INET(config-if)#sh

vEdge4# show ip route vpn 1 0.0.0.0

PROTOCOL NEXTHOP NEXTHOP NEXTHOP

VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS

------------------------------------------------------------------------------------------------------------------------------

1 0.0.0.0/0 omp - - - - 10.12.0.1 mpls ipsec F,S

1 0.0.0.0/0 omp - - - - 10.12.0.2 mpls ipsec F,S

Additional: add static routes for ios15

IOS15#traceroute 8.8.8.8 nu

Type escape sequence to abort.

Tracing the route to 8.8.8.8

VRF info: (vrf in name/id, vrf out name/id)

1 10.4.15.1 13 msec 13 msec 11 msec

2 10.1.0.2 37 msec 49 msec 38 msec

3 10.2.16.2 81 msec 68 msec 66 msec

4 10.1.160.1 65 msec 84 msec 104 msec

5 192.1.101.1 88 msec 68 msec 70 msec

6 10.61.91.148 78 msec 71 msec 86 msec

7 192.168.0.1 52 msec * 80 msec

IOS15#ping 8.8.8.8 source lo 0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 10.4.150.1

!!!!!

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Service VPN1 NAT Static PAT Port Address Translation

vEdge 3 and vEdge 4

Edit feature template "vEdge_VPN0_Int_G0/0_Template" for single site

vEdge4# show running-config vpn 0 interface ge0/0

vpn 0

interface ge0/0

description INET_Interface

ip address 192.1.4.2/24

nat

refresh bi-directional

no block-icmp-error

respond-to-ping

port-forward port-start 23 port-end 23 proto tcp

private-vpn 1

private-ip-address 10.4.15.2

INET#telnet 192.1.4.2

Trying 192.1.4.2 ... Open

….

User Access Verification

Username: admin

Password:

IOS15#show users

Line User Host(s) Idle Location

0 con 0 idle 00:00:15

*578 vty 0 admin idle 00:00:00 192.1.4.1

vEdge4# show ip nat filter | tab

PRIVATE PRIVATE PRIVATE PRIVATE PUBLIC PUBLIC PUBLIC PUBLIC

NAT NAT SOURCE DEST SOURCE DEST SOURCE DEST SOURCE DEST FILTER IDLE OUTBOUND OUTBOUND INBOUND INBOUND

VPN IFNAME VPN PROTOCOL ADDRESS ADDRESS PORT PORT ADDRESS ADDRESS PORT PORT STATE TIMEOUT PACKETS OCTETS PACKETS OCTETS DIRECTION

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

…

0 ge0/0 1 tcp 10.4.15.2 192.1.4.1 23 61626 192.1.4.2 192.1.4.1 23 61626 established 0:00:59:27 57 4964 62 3726 -

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Service VPN1 dynamic and Static NAT

vEdge 3 and vEdge 4

Edit feature template "vEdge_VPN0_Int_G0/0_Template" for single sites

vEdge3# show running-config vpn 0 interface ge0/0

vpn 0

interface ge0/0

description INET_Interface

ip address 192.1.3.2/24

nat

refresh bi-directional

no block-icmp-error

respond-to-ping

natpool range-start 192.1.3.96 range-end 192.1.3.127

IOS13#traceroute 8.8.8.8 nu

Type escape sequence to abort.

Tracing the route to 8.8.8.8

VRF info: (vrf in name/id, vrf out name/id)

1 10.3.13.1 15 msec 17 msec 19 msec

2 192.1.3.1 29 msec * *

3 10.61.91.148 76 msec 60 msec 59 msec

4 192.168.0.1 126 msec * 61 msec

vEdge3# show ip nat filter | tab

…

0 ge0/0 1 udp 10.3.13.2 8.8.8.8 49165 33437 192.1.3.96 8.8.8.8 49165 33437 established 0:00:00:15 1 60 1 70

Edit feature template "vEdge_VPN0_Int_G0/0_Template" for single sites again for static NAT

vEdge3# show running-config vpn 0 interface ge0/0

vpn 0

interface ge0/0

description INET_Interface

ip address 192.1.3.2/24

nat

…

static source-ip 10.3.130.1 translate-ip 192.1.3.127 source-vpn 1

IOS13#telnet 8.8.8.8 /source-interface lo 0

Trying 8.8.8.8 ... Open

User Access Verification

…

Username: admin

Password:

lab-router#who

Line User Host(s) Idle Location

*132 vty 0 admin idle 00:00:00 192.1.3.127

Interface User Mode Idle Peer Address

INET#telnet 192.1.3.127

Trying 192.1.3.127 ... Open

Username: admin

Password:

…

IOS13#who

Line User Host(s) Idle Location

0 con 0 idle 00:00:21

*578 vty 0 admin idle 00:00:00 192.1.3.1

vEdge3# show ip nat filter | tab

…

0 ge0/0 1 tcp 10.3.130.1 8.8.8.8 54207 23 192.1.3.127 8.8.8.8 54207 23 reset 0:00:00:00 37 2226 26 1615 -

0 ge0/0 1 tcp 10.3.130.1 192.1.3.1 23 64424 192.1.3.127 192.1.3.1 23 64424 established 0:00:59:52 27 3051 32 1926

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

vSmart Template Setup and Deployment

vSmart

Create vSmart feature template "vSmart_VPN0_Template"

copy to create "vsmart_VPN512_Template

Remove default route for vpn512

Create feature template "vSmart_VPN0_Eth0_Template"

Copy and Edit template "vSmart_VPN512_Eth1_Template"

Create "vSmart_System_Template"

Create "vSmart_Banner_Template"

Create device template "vSmart_Device_Template"

Attach vSmart to Template

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Service VPN1 NAT Policy with Centralized Data Policy

Centralized Policy adding sites and VPN lists

vEdge 3 and vEdge 4

Edit feature template "vEdge_Single_Site_VPN1_Template" and delete ipv4 default route sends to vpn 0

Create centralized policy

Activate and push down to vSmart

Verify

vEdge3# show policy from-vsmart

from-vsmart data-policy _Service-VPN1_NAT_POLICY

direction from-service

vpn-list Service-VPN1

sequence 1

match

destination-data-prefix-list 10_NETS

action accept

count Counter1_1683033971

sequence 11

match

source-ip 0.0.0.0/0

action accept

count Counter2_1683033971

nat use-vpn 0

no nat fallback

default-action drop

from-vsmart lists vpn-list Service-VPN1

vpn 1

from-vsmart lists data-prefix-list 10_NETS

ip-prefix 10.0.0.0/8

IOS13#ping 8.8.8.8

vEdge3# show policy data-policy-filter

data-policy-filter _Service-VPN1_NAT_POLICY

data-policy-vpnlist Service-VPN1

data-policy-counter Counter1_1683033971

packets 0

bytes 0

data-policy-counter Counter2_1683033971

packets 40

bytes 3588

IOS13#ping 10.1.0.16

vEdge3# show policy data-policy-filter

data-policy-filter _Service-VPN1_NAT_POLICY

data-policy-vpnlist Service-VPN1

data-policy-counter Counter1_1683033971

packets 5

bytes 570

data-policy-counter Counter2_1683033971

packets 96

bytes 7240

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Service VPN1 Standard and Extended ACL via CLI

vEdge 3 and vEdge 4

vEdge3 and 4# show policy from-vsmart

% No entries found.

Shut down INET and MPLS port to vEdge 2 to make sure traffic goes through vEdge1:

vEdge3# show ip route vpn 1 0.0.0.0

PROTOCOL NEXTHOP NEXTHOP NEXTHOP

VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS

------------------------------------------------------------------------------------------------------------------------------

1 0.0.0.0/0 omp - - - - 10.12.0.1 mpls ipsec F,S

1 0.0.0.0/0 omp - - - - 10.12.0.1 public-internet ipsec F,S

1 0.0.0.0/0 omp - - - - 10.12.0.2 mpls ipsec F,S

IOS13#traceroute 8.8.8.8 source lo 1 numeric

Type escape sequence to abort.

Tracing the route to 8.8.8.8

VRF info: (vrf in name/id, vrf out name/id)

1 10.3.13.1 7 msec 16 msec 18 msec

2 10.1.0.1 71 msec 43 msec 53 msec

3 10.5.6.2 78 msec 60 msec 88 msec

4 10.2.16.2 99 msec 84 msec 90 msec

5 10.1.160.1 81 msec 70 msec 76 msec

6 192.1.101.1 87 msec 68 msec 101 msec

7 10.61.91.148 95 msec 117 msec 82 ms

vEdge 1

Inbound blocking

vEdge1# show running-config policy

policy

lists

data-prefix-list IOS13_LOOPBACK

ip-prefix 13.13.13.13/32

data-prefix-list IOS14_LOOPBACK

ip-prefix 14.14.14.14/32

data-prefix-list IOS15_LOOPBACK

ip-prefix 15.15.15.15/32

data-prefix-list RFC_1918_10NET

ip-prefix 10.0.0.0/8

access-list SPOKE_LOOPBACKS

sequence 1

match

source-data-prefix-list IOS13_LOOPBACK

action drop

count IOS13_COUNTER

sequence 2

match

source-data-prefix-list IOS14_LOOPBACK

action drop

count IOS14_COUNTER

sequence 3

match

source-data-prefix-list IOS15_LOOPBACK

action drop

count IOS15_COUNTER

sequence 4

match

source-data-prefix-list RFC_1918_10NET

action accept

count 10NET_COUNTER

default-action accept

vEdge1(config-interface-ge0/6)# show configuration

vpn 1

interface ge0/6

access-list SPOKE_LOOPBACKS out

Verify

IOS13#ping 8.8.8.8 source lo 1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 13.13.13.13

.....

vEdge1# show policy access-list-counters

NAME COUNTER NAME PACKETS BYTES

------------------------------------------------

SPOKE_LOOPBACKS 10NET_COUNTER 15 1124

IOS13_COUNTER 5 500

IOS14_COUNTER 0 0

IOS15_COUNTER 0 0

Outbound blocking

SW17#telnet 10.3.130.1 /source-interface lo 0

Trying 10.3.130.1 ... Open

Policy

access-list BLOCK_IOS13_TELNET

sequence 1

match

destination-data-prefix-list IOS13_LOOPBACK

destination-port 23

protocol 6

action drop

count TELNET_COUNTER

default-action accept

…

vEdge1# show running-config vpn 1 interface ge0/6

vpn 1

interface ge0/6

ip address 10.1.16.1/24

no shutdown

access-list BLOCK_IOS13_TELNET in

vEdge1# show policy access-list-counters

NAME COUNTER NAME PACKETS BYTES

----------------------------------------------------

BLOCK_IOS13_TELNET TELNET_COUNTER 4 240

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Service VPN1 Standard and Extended ACL via ACL Policy and Templates

vEdge 3, 4 & 5

Create data prefix list

Create ACL policy for "IOS13_LOOPBACK" & "IOS15_LOOPBACK"

Edit device template "vEdge_Single_Device_Template"

vEdge3# show running-config policy

policy

lists

data-prefix-list IOS13_LOOPBACK

ip-prefix 13.13.13.13/32

data-prefix-list IOS15_LOOPBACK

ip-prefix 15.15.15.15/32

access-list BLOCK_TELNET

sequence 1

match

destination-port 23

protocol 6

action drop

count TELNET_COUNTER

default-action accept

access-list IOS13_LOOPBACK

sequence 1

match

source-data-prefix-list IOS13_LOOPBACK

action drop

count IOS13_COUNTER

default-action accept

access-list IOS15_LOOPBACK

sequence 1

match

source-data-prefix-list IOS15_LOOPBACK

action drop

count IOS15_COUNTER

default-action accept

Edit feature template "vEdge_Single_Site_VPN1_Int_G0/X_Template"

vEdge3# show run vpn 1 interface ge0/4

vpn 1

interface ge0/4

ip address 10.3.13.1/24

no shutdown

access-list IOS13_LOOPBACK in

access-list BLOCK_TELNET out

vEdge4# show running-config vpn 1 interface ge0/4

vpn 1

interface ge0/4

ip address 10.4.15.1/24

no shutdown

access-list IOS15_LOOPBACK in

access-list BLOCK_TELNET out

Test

IOS13#ping 8.8.8.8 source lo 1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 13.13.13.13

UUUUU

IOS13#ping 8.8.8.8 source lo 0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 10.3.130.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 50/61/83 ms

IOS15#ping 8.8.8.8 source lo 1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 15.15.15.15

UUUUU

Success rate is 0 percent (0/5)

IOS15#ping 8.8.8.8 source lo 0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 10.4.150.1

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 45/58/71 ms

vEdge3# show policy access-list-counters

NAME COUNTER NAME PACKETS BYTES

------------------------------------------------

BLOCK_TELNET TELNET_COUNTER 0 0

IOS13_LOOPBACK IOS13_COUNTER 23 2460

IOS15_LOOPBACK IOS15_COUNTER 0 0

vEdge4# show policy access-list-counters

NAME COUNTER NAME PACKETS BYTES

------------------------------------------------

BLOCK_TELNET TELNET_COUNTER 0 0

IOS13_LOOPBACK IOS13_COUNTER 0 0

IOS15_LOOPBACK IOS15_COUNTER 5 570

SW17#telnet 13.13.13.13 /source-interface lo 0

Trying 13.13.13.13 ...

vEdge3# show policy access-list-counters

NAME COUNTER NAME PACKETS BYTES

------------------------------------------------

BLOCK_TELNET TELNET_COUNTER 4 176

IOS13_LOOPBACK IOS13_COUNTER 23 2460

IOS15_LOOPBACK IOS15_COUNTER 0 0

IOS13(config)#ip http server

IOS13(config)#ip http authentication local

SW17#telnet 10.3.130.1 80 /source-interface lo 0

Trying 10.3.130.1, 80 ... Open

IOS13#show ip http server connection

HTTP server current connections:

local-ipaddress:port remote-ipaddress:port in-bytes out-bytes

10.3.130.1:80 10.1.0.16:43329 0 0

UC Valley

Tuesday 6 February 2024

SD-WAN Lab Note Part 3

Service VPN1 NAT Dynamic PAT Local Internet Breakout and OMP Internet Failover

Service VPN1 NAT Static PAT Port Address Translation

Service VPN1 dynamic and Static NAT

Service VPN1 NAT Policy with Centralized Data Policy

Centralized Policy adding sites and VPN lists

Verify

Service VPN1 Standard and Extended ACL via CLI

Inbound blocking

Verify

Outbound blocking

Service VPN1 Standard and Extended ACL via ACL Policy and Templates

vEdge 3, 4 & 5

Test

No comments:

Post a Comment