SD-WAN Lab Note Part 3
Service VPN1 NAT Dynamic PAT Local Internet Breakout and OMP
Service VPN1 NAT Static PAT Port Address Translation
Service VPN1 Dynamic and Static NAT
vSmart Template Setup and Deployment
Service VPN1 NAT Policy with Centralized Data Policy
Service VPN1 Standard and Extended ACL via CLI
Service VPN1 Standard and Extended ACL via ACL Policy and Templates
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Service VPN1 NAT Dynamic PAT Local Internet Breakout and OMP Internet Failover
vEdge 1
vpn 0
 interface ge0/0
  description INET_Interface
  ip address 192.1.1.2/24
  nat
vpn 1
 ip route 0.0.0.0/0 vpn 0
vEdge1# show ip route vpn 1 0.0.0.0/0
                           PROTOCOL  NEXTHOP  NEXTHOP  NEXTHOP
VPN  PREFIX      PROTOCOL  SUB TYPE  IF NAME  ADDR     VPN  TLOC IP    COLOR            ENCAP  STATUS
-----------------------------------------------------------------------------------------------------
1    0.0.0.0/0   nat       -         ge0/0    -        0    -          -                -      F,S
IOS5#traceroute 8.8.8.8 nu
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 10.5.6.1 37 msec 19 msec 19 msec
2 192.1.1.1 351 msec 107 msec 23 msec
3 10.61.91.148 24 msec 8 msec 13 msec
Remove the vpn 1 default route to vpn 0 on vEdge1: at the HQ site, Internet-bound traffic should follow the default route toward the ASA (learned via OSPF) rather than break out locally:
vEdge1(config)# vpn 1
vEdge1(config-vpn-1)# no ip route 0.0.0.0/0 vpn 0
Additional changes on vEdge1 and vEdge2, vpn 1:
- remove the redistribution of OSPF into BGP
- remove the OSPF default-route origination
Advertise OSPF external routes (which carry the default route) into OMP:
vEdge1# show run vpn 1 omp
vpn 1
 omp
  advertise ospf external
 !
!
Add ge0/7 to OSPF area 0:
vEdge1# show run vpn 1 router ospf area 0
vpn 1
 router
  ospf
   area 0
    interface ge0/7
    exit
vEdge 2
Advertise OSPF external routes (which carry the default route) into OMP by editing feature template "vEdge_Dual_Site_VPN1_Template":
vEdge2# show run vpn 1 omp
vpn 1
 omp
  advertise ospf external
 !
!
Edit feature template "vEdge_Dual_Site_VPN1_OSPF_Template" and add ge0/7:
vEdge2# show run vpn 1 router ospf area 0
vpn 1
 router
  ospf
   area 0
    interface ge0/7
SW17#show ip route 10.5.6.0
Routing entry for 10.5.6.0/24
  Known via "ospf 1", distance 110, metric 11, type intra area
  Last update from 10.2.16.1 on GigabitEthernet1/2, 00:02:02 ago
  Routing Descriptor Blocks:
    10.2.16.1, from 10.12.0.1, 00:02:02 ago, via GigabitEthernet1/2
      Route metric is 11, traffic share count is 1
  * 10.1.16.1, from 10.12.0.1, 00:06:51 ago, via GigabitEthernet1/1
      Route metric is 11, traffic share count is 1
Verify
IOS5#traceroute 8.8.8.8 nu
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 10.5.6.1 16 msec 5 msec 8 msec
2 * 10.1.16.2 24 msec 33 msec
3 10.1.160.1 30 msec 30 msec 31 msec
4 192.1.101.1 68 msec 49 msec 43 msec
5 10.61.91.148 56 msec 62 msec 53 msec
6 192.168.0.1 43 msec * 41 msec
vEdge 3 and 4
By default vEdge 3 and 4 reach the Internet through HQ, following the 0.0.0.0/0 learned over OMP from vEdge 1 and 2. Enable local Internet breakout on their ge0/0 instead:
Edit "vEdge_VPN0_Int_G0/0_Template"
vEdge3# show run vpn 0 int ge0/0
vpn 0
 interface ge0/0
  description INET_Interface
  ip address 192.1.3.2/24
  nat
vEdge4# show run vpn 0 int ge0/0
vpn 0
 interface ge0/0
  description INET_Interface
  ip address 192.1.4.2/24
  nat
Edit "vEdge_Single_Site_VPN1_Template" to add the default route into vpn 0. This is the only static route in vpn 1 (OSPF supplies the rest):
vEdge 3 and 4# show run vpn 1 ip route
vpn 1
 ip route 0.0.0.0/0 vpn 0
IOS15#traceroute 8.8.8.8 nu
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 10.4.15.1 18 msec 13 msec 19 msec
2 192.1.4.1 30 msec 35 msec 44 msec
3 10.61.91.148 28 msec 28 msec 44 msec
vEdge3# show ip route vpn 1
                           PROTOCOL  NEXTHOP  NEXTHOP  NEXTHOP
VPN  PREFIX      PROTOCOL  SUB TYPE  IF NAME  ADDR     VPN  TLOC IP    COLOR            ENCAP  STATUS
-----------------------------------------------------------------------------------------------------
1    0.0.0.0/0   omp       -         -        -        -    10.12.0.1  mpls             ipsec  -
1    0.0.0.0/0   omp       -         -        -        -    10.12.0.1  public-internet  ipsec  -
1    0.0.0.0/0   omp       -         -        -        -    10.12.0.2  mpls             ipsec  -
1    0.0.0.0/0   omp       -         -        -        -    10.12.0.2  public-internet  ipsec  -
1    0.0.0.0/0   nat       -         ge0/0    -        0    -          -                -      F,S
vEdge5# show ip route vpn 1
                           PROTOCOL  NEXTHOP  NEXTHOP  NEXTHOP
VPN  PREFIX      PROTOCOL  SUB TYPE  IF NAME  ADDR     VPN  TLOC IP    COLOR            ENCAP  STATUS
-----------------------------------------------------------------------------------------------------
1    0.0.0.0/0   omp       -         -        -        -    10.12.0.1  mpls             ipsec  F,S
1    0.0.0.0/0   omp       -         -        -        -    10.12.0.2  mpls             ipsec  F,S
Failover test: shut the INET router's port toward vEdge4. This removes both the local NAT route and the public-internet TLOCs, leaving only the OMP default via MPLS:
INET(config)#int g0/5
INET(config-if)#sh
vEdge4# show ip route vpn 1 0.0.0.0
                           PROTOCOL  NEXTHOP  NEXTHOP  NEXTHOP
VPN  PREFIX      PROTOCOL  SUB TYPE  IF NAME  ADDR     VPN  TLOC IP    COLOR            ENCAP  STATUS
-----------------------------------------------------------------------------------------------------
1    0.0.0.0/0   omp       -         -        -        -    10.12.0.1  mpls             ipsec  F,S
1    0.0.0.0/0   omp       -         -        -        -    10.12.0.2  mpls             ipsec  F,S
Additional: add static routes on IOS15.
IOS15#traceroute 8.8.8.8 nu
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 10.4.15.1 13 msec 13 msec 11 msec
2 10.1.0.2 37 msec 49 msec 38 msec
3 10.2.16.2 81 msec 68 msec 66 msec
4 10.1.160.1 65 msec 84 msec 104 msec
5 192.1.101.1 88 msec 68 msec 70 msec
6 10.61.91.148 78 msec 71 msec 86 msec
7 192.168.0.1 52 msec * 80 msec
IOS15#ping 8.8.8.8 source lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.4.150.1
!!!!!
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Service VPN1 NAT Static PAT (Port Address Translation)
vEdge 3 and vEdge 4
Edit feature template "vEdge_VPN0_Int_G0/0_Template" for the single-site devices: forward TCP/23 arriving on ge0/0 to IOS15 (10.4.15.2) in vpn 1. Note that this publishes IOS15's Telnet service, a cleartext password-authenticated login, to anything that can reach 192.1.4.2 on the transport side; outside a lab, restrict the sources with an access-list on ge0/0 and prefer SSH.
vEdge4# show running-config vpn 0 interface ge0/0
vpn 0
 interface ge0/0
  description INET_Interface
  ip address 192.1.4.2/24
  nat
   refresh bi-directional
   no block-icmp-error
   respond-to-ping
   port-forward port-start 23 port-end 23 proto tcp
    private-vpn        1
    private-ip-address 10.4.15.2
   !
INET#telnet 192.1.4.2
Trying 192.1.4.2 ... Open
….
User Access Verification
Username: admin
Password:
IOS15#show users
Line User Host(s) Idle Location
0 con 0 idle 00:00:15
*578 vty 0 admin idle 00:00:00 192.1.4.1
vEdge4# show ip nat filter | tab
                                PRIVATE     PRIVATE    PRIVATE PRIVATE  PUBLIC       PUBLIC     PUBLIC  PUBLIC
NAT  NAT     PRIVATE            SOURCE      DEST       SOURCE  DEST     SOURCE       DEST       SOURCE  DEST   FILTER       IDLE        OUTBOUND  OUTBOUND  INBOUND  INBOUND
VPN  IFNAME  VPN      PROTOCOL  ADDRESS     ADDRESS    PORT    PORT     ADDRESS      ADDRESS    PORT    PORT   STATE        TIMEOUT      PACKETS   OCTETS    PACKETS  OCTETS   DIRECTION
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
...
0    ge0/0   1        tcp       10.4.15.2   192.1.4.1  23      61626    192.1.4.2    192.1.4.1  23      61626  established  0:00:59:27  57        4964      62       3726     -
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Service VPN1 Dynamic and Static NAT
vEdge 3 and vEdge 4
Edit feature template "vEdge_VPN0_Int_G0/0_Template" for the single-site devices and add a NAT pool, so that vpn 1 hosts are translated to pool addresses (dynamic NAT) rather than to the interface address (PAT):
vEdge3# show running-config vpn 0 interface ge0/0
vpn 0
 interface ge0/0
  description INET_Interface
  ip address 192.1.3.2/24
  nat
   refresh bi-directional
   no block-icmp-error
   respond-to-ping
   natpool range-start 192.1.3.96 range-end 192.1.3.127
  !
IOS13#traceroute 8.8.8.8 nu
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 10.3.13.1 15 msec 17 msec 19 msec
2 192.1.3.1 29 msec * *
3 10.61.91.148 76 msec 60 msec 59 msec
4 192.168.0.1 126 msec * 61 msec
vEdge3# show ip nat filter | tab
...
0    ge0/0   1        udp       10.3.13.2   8.8.8.8    49165   33437    192.1.3.96   8.8.8.8    49165   33437  established  0:00:00:15  1         60        1        70
Edit feature template "vEdge_VPN0_Int_G0/0_Template" for the single-site devices again, this time adding a static NAT entry for the IOS13 loopback (10.3.130.1):
vEdge3# show running-config vpn 0 interface ge0/0
vpn 0
 interface ge0/0
  description INET_Interface
  ip address 192.1.3.2/24
  nat
   …
   static source-ip 10.3.130.1 translate-ip 192.1.3.127 source-vpn 1
IOS13#telnet 8.8.8.8 /source-interface lo 0
Trying 8.8.8.8 ... Open
User Access Verification
…
Username: admin
Password:
lab-router#who
Line User Host(s) Idle Location
*132 vty 0 admin idle 00:00:00 192.1.3.127
Interface User Mode Idle Peer Address
INET#telnet 192.1.3.127
Trying 192.1.3.127 ... Open
Username: admin
Password:
…
IOS13#who
Line User Host(s) Idle Location
0 con 0 idle 00:00:21
*578 vty 0 admin idle 00:00:00 192.1.3.1
vEdge3# show ip nat filter | tab
...
0    ge0/0   1        tcp       10.3.130.1  8.8.8.8    54207   23       192.1.3.127  8.8.8.8    54207   23     reset        0:00:00:00  37        2226      26       1615     -
0    ge0/0   1        tcp       10.3.130.1  192.1.3.1  23      64424    192.1.3.127  192.1.3.1  23      64424  established  0:00:59:52  27        3051      32       1926
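The NAT filter tables in this section and the previous one (vEdge4's port-forward, vEdge3's dynamic pool plus static entry) are where an exposure actually shows up. The following is an added example, not code from the lab note or from Cisco: a small Python parser for "show ip nat filter | tab" rows that reports sessions in which an outside peer has reached a management port on an inside host. The four rows are copied from the note's output; the column names, the management-port set and the finding fields are this example's assumptions.

```python
"""Audit 'show ip nat filter | tab' output for sessions that reach a management
port on an inside host from the NAT's public side.

Added example, not code from the lab note or from Cisco. The sample rows are
copied from the note's own vEdge4 (static PAT) and vEdge3 (dynamic pool and
static NAT) output; the column names follow the command's header, with the
trailing DIRECTION column optional because some rows omit it. The set of
'management ports' and the finding fields are this example's assumptions.
"""
from ipaddress import ip_address
from typing import Dict, List

# Columns of 'show ip nat filter | tab', in output order (DIRECTION omitted).
COLUMNS = [
    "nat_vpn", "nat_ifname", "private_vpn", "protocol",
    "private_src_addr", "private_dst_addr", "private_src_port", "private_dst_port",
    "public_src_addr", "public_dst_addr", "public_src_port", "public_dst_port",
    "filter_state", "idle_timeout",
    "outbound_packets", "outbound_octets", "inbound_packets", "inbound_octets",
]

# TCP services an auditor would not want reachable from the transport side.
MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}

# Rows copied from the note; the '...' line mimics the note's elided header.
SAMPLE = """\
...
0 ge0/0 1 tcp 10.4.15.2 192.1.4.1 23 61626 192.1.4.2 192.1.4.1 23 61626 established 0:00:59:27 57 4964 62 3726 -
0 ge0/0 1 udp 10.3.13.2 8.8.8.8 49165 33437 192.1.3.96 8.8.8.8 49165 33437 established 0:00:00:15 1 60 1 70
0 ge0/0 1 tcp 10.3.130.1 8.8.8.8 54207 23 192.1.3.127 8.8.8.8 54207 23 reset 0:00:00:00 37 2226 26 1615 -
0 ge0/0 1 tcp 10.3.130.1 192.1.3.1 23 64424 192.1.3.127 192.1.3.1 23 64424 established 0:00:59:52 27 3051 32 1926
"""


def parse_nat_filter(text: str) -> List[Dict[str, str]]:
    """Return one dict per translation row; header, rule and '...' lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < len(COLUMNS) or not fields[0].isdigit():
            continue
        rows.append(dict(zip(COLUMNS, fields)))  # zip drops a trailing DIRECTION field
    return rows


def exposed_mgmt_sessions(rows: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Sessions in which an outside peer has opened a management port on an inside host.

    The table is written from the inside host's point of view: when the
    *private source port* is 23, the inside host is the Telnet server and the
    PUBLIC DEST address is the outside client that reached it through the
    static PAT / static NAT. An outbound Telnet from the inside host shows 23
    as the *destination* port instead and is deliberately not reported.
    """
    findings = []
    for r in rows:
        if r["protocol"] != "tcp":
            continue
        port = int(r["private_src_port"])
        if port not in MGMT_PORTS:
            continue
        peer = r["public_dst_addr"]
        findings.append({
            "inside": r["private_src_addr"],
            "service": MGMT_PORTS[port],
            "public_ip": r["public_src_addr"],          # address exposed on the Internet side
            "peer": peer,
            "peer_is_global": ip_address(peer).is_global,
            "state": r["filter_state"],
        })
    return findings


if __name__ == "__main__":
    for f in exposed_mgmt_sessions(parse_nat_filter(SAMPLE)):
        print(f"{f['inside']} {f['service']} reached via {f['public_ip']} from {f['peer']} ({f['state']})")
```

Against the note's rows it reports the INET to IOS15 Telnet session behind the port-forward and the INET to IOS13 Telnet session behind the static NAT, and says nothing about IOS13's own outbound Telnet to 8.8.8.8 or the traceroute UDP probe, which is the distinction an auditor wants: who has a login shell on an inside host, not what the inside host itself went out to.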
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vSmart Template Setup and Deployment
vSmart
Create vSmart feature template "vSmart_VPN0_Template"
Copy it to create "vsmart_VPN512_Template"
Remove default route for vpn512
Create feature template "vSmart_VPN0_Eth0_Template"
Copy and Edit template "vSmart_VPN512_Eth1_Template"
Create "vSmart_System_Template"
Create "vSmart_Banner_Template"
Create device template "vSmart_Device_Template"
Attach vSmart to Template
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Service VPN1 NAT Policy with Centralized Data Policy
Centralized policy: first create the site and VPN lists.
vEdge 3 and vEdge 4
Edit feature template "vEdge_Single_Site_VPN1_Template" and delete the IPv4 default route that points to vpn 0; the data policy will steer Internet traffic into vpn 0 instead.
Create the centralized data policy, activate it, and let vManage push it to vSmart.
Note the ordering in the policy below: destinations inside 10.0.0.0/8 hit sequence 1 and stay in the overlay, and everything else hits sequence 11 and is NAT'ed out of vpn 0. Because sequence 11 matches source-ip 0.0.0.0/0, the default-action drop is never reached for IPv4, and with "no nat fallback" traffic that hits sequence 11 is not redirected into the overlay if the NAT path becomes unavailable.
Verify
vEdge3# show policy from-vsmart
from-vsmart data-policy _Service-VPN1_NAT_POLICY
 direction from-service
 vpn-list Service-VPN1
  sequence 1
   match
    destination-data-prefix-list 10_NETS
   action accept
    count Counter1_1683033971
  sequence 11
   match
    source-ip 0.0.0.0/0
   action accept
    count Counter2_1683033971
    nat use-vpn 0
    no nat fallback
  default-action drop
from-vsmart lists vpn-list Service-VPN1
 vpn 1
from-vsmart lists data-prefix-list 10_NETS
 ip-prefix 10.0.0.0/8
IOS13#ping 8.8.8.8
vEdge3# show policy data-policy-filter
data-policy-filter _Service-VPN1_NAT_POLICY
 data-policy-vpnlist Service-VPN1
  data-policy-counter Counter1_1683033971
   packets 0
   bytes   0
  data-policy-counter Counter2_1683033971
   packets 40
   bytes   3588
IOS13#ping 10.1.0.16
vEdge3# show policy data-policy-filter
data-policy-filter _Service-VPN1_NAT_POLICY
 data-policy-vpnlist Service-VPN1
  data-policy-counter Counter1_1683033971
   packets 5
   bytes   570
  data-policy-counter Counter2_1683033971
   packets 96
   bytes   7240
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Service VPN1 Standard and Extended ACL via CLI
vEdge 3 and vEdge 4
vEdge3 and 4# show policy from-vsmart
% No entries found.
Shut down the INET and MPLS ports toward vEdge2 so that traffic to HQ goes through vEdge1:
vEdge3# show ip route vpn 1 0.0.0.0
                           PROTOCOL  NEXTHOP  NEXTHOP  NEXTHOP
VPN  PREFIX      PROTOCOL  SUB TYPE  IF NAME  ADDR     VPN  TLOC IP    COLOR            ENCAP  STATUS
-----------------------------------------------------------------------------------------------------
1    0.0.0.0/0   omp       -         -        -        -    10.12.0.1  mpls             ipsec  F,S
1    0.0.0.0/0   omp       -         -        -        -    10.12.0.1  public-internet  ipsec  F,S
1    0.0.0.0/0   omp       -         -        -        -    10.12.0.2  mpls             ipsec  F,S
IOS13#traceroute 8.8.8.8 source lo 1 numeric
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 10.3.13.1 7 msec 16 msec 18 msec
2 10.1.0.1 71 msec 43 msec 53 msec
3 10.5.6.2 78 msec 60 msec 88 msec
4 10.2.16.2 99 msec 84 msec 90 msec
5 10.1.160.1 81 msec 70 msec 76 msec
6 192.1.101.1 87 msec 68 msec 101 msec
7 10.61.91.148 95 msec 117 msec 82 msec
vEdge 1
Inbound blocking: drop packets sourced from the spoke loopbacks before they leave vEdge1 toward the HQ LAN (ACL applied out on ge0/6), while still accepting 10.0.0.0/8 sources.
vEdge1# show running-config policy
policy
 lists
  data-prefix-list IOS13_LOOPBACK
   ip-prefix 13.13.13.13/32
  !
  data-prefix-list IOS14_LOOPBACK
   ip-prefix 14.14.14.14/32
  !
  data-prefix-list IOS15_LOOPBACK
   ip-prefix 15.15.15.15/32
  !
  data-prefix-list RFC_1918_10NET
   ip-prefix 10.0.0.0/8
  !
 !
 access-list SPOKE_LOOPBACKS
  sequence 1
   match
    source-data-prefix-list IOS13_LOOPBACK
   !
   action drop
    count IOS13_COUNTER
   !
  !
  sequence 2
   match
    source-data-prefix-list IOS14_LOOPBACK
   !
   action drop
    count IOS14_COUNTER
   !
  !
  sequence 3
   match
    source-data-prefix-list IOS15_LOOPBACK
   !
   action drop
    count IOS15_COUNTER
   !
  !
  sequence 4
   match
    source-data-prefix-list RFC_1918_10NET
   !
   action accept
    count 10NET_COUNTER
   !
  !
  default-action accept
 !
vEdge1(config-interface-ge0/6)# show configuration
vpn 1
 interface ge0/6
  access-list SPOKE_LOOPBACKS out
 !
!
Verify
IOS13#ping 8.8.8.8 source lo 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 13.13.13.13
.....
vEdge1# show policy access-list-counters
NAME COUNTER NAME PACKETS BYTES
------------------------------------------------
SPOKE_LOOPBACKS 10NET_COUNTER 15 1124
IOS13_COUNTER 5 500
IOS14_COUNTER 0 0
IOS15_COUNTER 0 0
Outbound blocking: drop Telnet from the HQ LAN toward the IOS13 loopback (ACL applied in on ge0/6). Before the policy is applied, Telnet from SW17 to IOS13 succeeds:
SW17#telnet 10.3.130.1 /source-interface lo 0
Trying 10.3.130.1 ... Open
Policy
access-list BLOCK_IOS13_TELNET
 sequence 1
  match
   destination-data-prefix-list IOS13_LOOPBACK
   destination-port             23
   protocol                     6
  !
  action drop
   count TELNET_COUNTER
  !
 !
 default-action accept
…
vEdge1# show running-config vpn 1 interface ge0/6
vpn 1
 interface ge0/6
  ip address 10.1.16.1/24
  no shutdown
  access-list BLOCK_IOS13_TELNET in
 !
vEdge1# show policy access-list-counters
NAME COUNTER NAME PACKETS BYTES
----------------------------------------------------
BLOCK_IOS13_TELNET TELNET_COUNTER 4 240
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Service VPN1 Standard and Extended ACL via ACL Policy and Templates
vEdge 3, 4 & 5
Create data prefix list
Create ACL policy for "IOS13_LOOPBACK" & "IOS15_LOOPBACK"
Edit device template "vEdge_Single_Device_Template"
vEdge3# show running-config policy
policy
 lists
  data-prefix-list IOS13_LOOPBACK
   ip-prefix 13.13.13.13/32
  !
  data-prefix-list IOS15_LOOPBACK
   ip-prefix 15.15.15.15/32
  !
 !
 access-list BLOCK_TELNET
  sequence 1
   match
    destination-port 23
    protocol         6
   !
   action drop
    count TELNET_COUNTER
   !
  !
  default-action accept
 !
 access-list IOS13_LOOPBACK
  sequence 1
   match
    source-data-prefix-list IOS13_LOOPBACK
   !
   action drop
    count IOS13_COUNTER
   !
  !
  default-action accept
 !
 access-list IOS15_LOOPBACK
  sequence 1
   match
    source-data-prefix-list IOS15_LOOPBACK
   !
   action drop
    count IOS15_COUNTER
   !
  !
  default-action accept
 !
Edit feature template "vEdge_Single_Site_VPN1_Int_G0/X_Template"
vEdge3# show run vpn 1 interface ge0/4
vpn 1
 interface ge0/4
  ip address 10.3.13.1/24
  no shutdown
  access-list IOS13_LOOPBACK in
  access-list BLOCK_TELNET out
 !
vEdge4# show running-config vpn 1 interface ge0/4
vpn 1
 interface ge0/4
  ip address 10.4.15.1/24
  no shutdown
  access-list IOS15_LOOPBACK in
  access-list BLOCK_TELNET out
Test
IOS13#ping 8.8.8.8 source lo 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 13.13.13.13
UUUUU
IOS13#ping 8.8.8.8 source lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.3.130.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 50/61/83 ms
IOS15#ping 8.8.8.8 source lo 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 15.15.15.15
UUUUU
Success rate is 0 percent (0/5)
IOS15#ping 8.8.8.8 source lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.4.150.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 45/58/71 ms
vEdge3# show policy access-list-counters
NAME COUNTER NAME PACKETS BYTES
------------------------------------------------
BLOCK_TELNET TELNET_COUNTER 0 0
IOS13_LOOPBACK IOS13_COUNTER 23 2460
IOS15_LOOPBACK IOS15_COUNTER 0 0
vEdge4# show policy access-list-counters
NAME COUNTER NAME PACKETS BYTES
------------------------------------------------
BLOCK_TELNET TELNET_COUNTER 0 0
IOS13_LOOPBACK IOS13_COUNTER 0 0
IOS15_LOOPBACK IOS15_COUNTER 5 570
SW17#telnet 13.13.13.13 /source-interface lo 0
Trying 13.13.13.13 ...
vEdge3# show policy access-list-counters
NAME COUNTER NAME PACKETS BYTES
------------------------------------------------
BLOCK_TELNET TELNET_COUNTER 4 176
IOS13_LOOPBACK IOS13_COUNTER 23 2460
IOS15_LOOPBACK IOS15_COUNTER 0 0
IOS13(config)#ip http server
IOS13(config)#ip http authentication local
SW17#telnet 10.3.130.1 80 /source-interface lo 0
Trying 10.3.130.1, 80 ... Open
IOS13#show ip http server connection
HTTP server current connections:
local-ipaddress:port remote-ipaddress:port in-bytes out-bytes
10.3.130.1:80 10.1.0.16:43329 0 0
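The centralized data policy in the "NAT Policy with Centralized Data Policy" section and the localized access-lists in this section and the CLI section before it are all the same shape: an ordered list of sequences, each with match clauses and an action, plus a default-action. As an added example that is not code from the lab note or from Cisco, the Python below transcribes three of those policies and replays the note's own test flows through a first-match evaluator. The evaluator, the Flow tuple and the function names are this example's assumptions, and the data-policy counter names are shortened from the note's Counter1_… / Counter2_… names.

```python
"""First-match replay of the note's sequence-based policies against its test flows.

Added example, not code from the lab note or from Cisco. The policy bodies are
transcribed from the note's 'show policy from-vsmart' output (the centralized
data policy) and 'show running-config policy' output (vEdge1's SPOKE_LOOPBACKS
and the templated BLOCK_TELNET access-lists). The evaluator, the class names
and the Flow tuples are this example's own construction and model only what
those outputs show: sequences are tried in order, the first match wins, and an
unmatched packet gets the default-action.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ICMP, TCP, UDP = 1, 6, 17


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: int = 0


@dataclass
class Sequence:
    seq: int
    action: str                                         # "accept" or "drop"
    counter: str
    src_lists: List[str] = field(default_factory=list)  # source-data-prefix-list
    dst_lists: List[str] = field(default_factory=list)  # destination-data-prefix-list
    src_ip: Optional[str] = None                        # source-ip <prefix>
    dst_port: Optional[int] = None                      # destination-port
    protocol: Optional[int] = None                      # protocol <number>
    nat_use_vpn: Optional[int] = None                   # action nat use-vpn <n>


@dataclass
class Policy:
    name: str
    sequences: List[Sequence]
    default_action: str
    prefix_lists: Dict[str, List[str]]
    counters: Dict[str, int] = field(default_factory=dict)

    def _in_lists(self, addr: str, names: List[str]) -> bool:
        a = ip_address(addr)
        return any(a in ip_network(p) for n in names for p in self.prefix_lists[n])

    def _matches(self, s: Sequence, f: Flow) -> bool:
        """Every match clause present in the sequence must hold (AND semantics)."""
        if s.src_lists and not self._in_lists(f.src, s.src_lists):
            return False
        if s.dst_lists and not self._in_lists(f.dst, s.dst_lists):
            return False
        if s.src_ip and ip_address(f.src) not in ip_network(s.src_ip):
            return False
        if s.dst_port is not None and f.dport != s.dst_port:
            return False
        return s.protocol is None or f.proto == s.protocol

    def evaluate(self, f: Flow) -> dict:
        """Verdict for one packet; the matching sequence's counter is incremented."""
        for s in self.sequences:
            if self._matches(s, f):
                self.counters[s.counter] = self.counters.get(s.counter, 0) + 1
                return {"seq": s.seq, "action": s.action, "nat_use_vpn": s.nat_use_vpn}
        return {"seq": None, "action": self.default_action, "nat_use_vpn": None}


# Prefix lists exactly as the note defines them.
LISTS = {
    "10_NETS": ["10.0.0.0/8"],
    "RFC_1918_10NET": ["10.0.0.0/8"],
    "IOS13_LOOPBACK": ["13.13.13.13/32"],
    "IOS14_LOOPBACK": ["14.14.14.14/32"],
    "IOS15_LOOPBACK": ["15.15.15.15/32"],
}


def data_policy() -> Policy:
    """_Service-VPN1_NAT_POLICY: 10/8 destinations stay in the overlay, the rest is NAT'ed out vpn 0."""
    return Policy("_Service-VPN1_NAT_POLICY", [
        Sequence(1, "accept", "Counter1", dst_lists=["10_NETS"]),
        Sequence(11, "accept", "Counter2", src_ip="0.0.0.0/0", nat_use_vpn=0),
    ], default_action="drop", prefix_lists=LISTS)


def spoke_loopbacks_acl() -> Policy:
    """vEdge1 SPOKE_LOOPBACKS, applied 'out' on ge0/6 toward the HQ LAN."""
    return Policy("SPOKE_LOOPBACKS", [
        Sequence(1, "drop", "IOS13_COUNTER", src_lists=["IOS13_LOOPBACK"]),
        Sequence(2, "drop", "IOS14_COUNTER", src_lists=["IOS14_LOOPBACK"]),
        Sequence(3, "drop", "IOS15_COUNTER", src_lists=["IOS15_LOOPBACK"]),
        Sequence(4, "accept", "10NET_COUNTER", src_lists=["RFC_1918_10NET"]),
    ], default_action="accept", prefix_lists=LISTS)


def block_telnet_acl() -> Policy:
    """Templated BLOCK_TELNET, applied 'out' on vEdge3/vEdge4 ge0/4 toward the spoke LAN."""
    return Policy("BLOCK_TELNET", [
        Sequence(1, "drop", "TELNET_COUNTER", dst_port=23, protocol=TCP),
    ], default_action="accept", prefix_lists=LISTS)


if __name__ == "__main__":
    dp, acl, bt = data_policy(), spoke_loopbacks_acl(), block_telnet_acl()
    print(dp.evaluate(Flow("10.3.13.2", "8.8.8.8", ICMP)))         # seq 11, nat use-vpn 0
    print(dp.evaluate(Flow("10.3.13.2", "10.1.0.16", ICMP)))       # seq 1, stays in overlay
    print(acl.evaluate(Flow("13.13.13.13", "8.8.8.8", ICMP)))      # seq 1, drop
    print(acl.evaluate(Flow("10.3.130.1", "8.8.8.8", ICMP)))       # seq 4, accept
    print(bt.evaluate(Flow("10.1.0.16", "13.13.13.13", TCP, 23)))  # drop
    print(bt.evaluate(Flow("10.1.0.16", "10.3.130.1", TCP, 80)))   # default accept
```

Two things fall out of replaying the flows: sequence 11 matches source-ip 0.0.0.0/0, so the data policy's default-action drop is unreachable for IPv4 and every non-10/8 destination takes the NAT path; and BLOCK_TELNET matches only TCP/23, which is why the note's HTTP test to port 80 still opens while the Telnet attempt to 13.13.13.13 is counted and dropped.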