SD-WAN Lab Note Part 4
January 25, 2024
5:01 PM
Service VPN1 NAT Dynamic PAT Local Internet Breakout and OMP Internet Failover
Service VPN1 NAT Static PAT Port Address Translation
Service VPN1 dynamic and Static NAT
vSmart Template Setup and Deployment
Service VPN1 NAT Policy with Centralized Data Policy
Service VPN1 Standard and Extended ACL via CLI
Service VPN1 Standard and Extended ACL via ACL Policy and Templates
Service VPN1 QoS Policing and Shaping via CLI, Local Data Policy and Templates
Service VPN1 Hub and Spoke Overview and Setup
Service VPN1 VPN Segmentation Overview and Deployment - VPN100 & VPN101
VPN Segmentation with VPN Membership Policies
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Service VPN1 NAT Dynamic PAT Local Internet Breakout and OMP Internet Failover
vEdge 1
vpn 0
interface ge0/0
description INET_Interface
ip address 192.1.1.2/24
nat
vpn 1
ip route 0.0.0.0/0 vpn 0
vEdge1# show ip route vpn 1 0.0.0.0/0
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 nat - ge0/0 - 0 - - - F,S
IOS5#traceroute/ping 8.8.8.8 nu
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 10.5.6.1 37 msec 19 msec 19 msec
2 192.1.1.1 351 msec 107 msec 23 msec
3 10.61.91.148 24 msec 8 msec 13 msec
Remove the default route to vpn 0, because the default route for internet traffic goes to the ASA:
vEdge1(config)# vpn 1
vEdge1(config-vpn-1)# no ip route 0.0.0.0/0 vpn 0
Additional:
On vEdge1 and vEdge2, remove the redistribution of OSPF into BGP in vpn 1
On vEdge1 and vEdge2, remove default-route origination in OSPF in vpn 1
Distribute OSPF external (default routes) to OMP:
vEdge1# show run vpn 1 omp
vpn 1
omp
advertise ospf external
!
!
Advertise ge0/7:
vEdge1# show run vpn 1 router ospf area 0
vpn 1
router
ospf
area 0
interface ge0/7
exit
vEdge 2
Distribute OSPF external (default routes) to OMP:
Edit Feature Template: "vEdge_Dual_Site_VPN1_Template"
vEdge2# show run vpn 1 omp
vpn 1
omp
advertise ospf external
!
!
Edit feature template "vEdge_Dual_Site_VPN1_OSPF_Template" and add ge0/7
vEdge2# show run vpn 1 router ospf area 0
vpn 1
router
ospf
area 0
interface ge0/7
SW17#show ip route 10.5.6.0
Routing entry for 10.5.6.0/24
Known via "ospf 1", distance 110, metric 11, type intra area
Last update from 10.2.16.1 on GigabitEthernet1/2, 00:02:02 ago
Routing Descriptor Blocks:
10.2.16.1, from 10.12.0.1, 00:02:02 ago, via GigabitEthernet1/2
Route metric is 11, traffic share count is 1
* 10.1.16.1, from 10.12.0.1, 00:06:51 ago, via GigabitEthernet1/1
Route metric is 11, traffic share count is 1
Verify
IOS5#traceroute 8.8.8.8 nu
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 10.5.6.1 16 msec 5 msec 8 msec
2 *
10.1.16.2 24 msec 33 msec
3 10.1.160.1 30 msec 30 msec 31 msec
4 192.1.101.1 68 msec 49 msec 43 msec
5 10.61.91.148 56 msec 62 msec 53 msec
6 192.168.0.1 43 msec * 41 msec
vEdge 3 and 4
By default, vEdge 3 and 4 detour to HQ for internet access
Edit "vEdge_VPN0_Int_G0/0_Template"
vEdge3# show run vpn 0 int ge0/0
vpn 0
interface ge0/0
description INET_Interface
ip address 192.1.3.2/24
nat
vEdge4# show run vpn 0 int ge0/0
vpn 0
interface ge0/0
description INET_Interface
ip address 192.1.4.2/24
nat
Edit "vEdge_Single_Site_VPN1_Template" to add VPN default route. This will be the only route in vpn1 (OSPF takes care of the rest)
vEdge 3 and 4# show run vpn 1 ip route
vpn 1
ip route 0.0.0.0/0 vpn 0
IOS15#traceroute 8.8.8.8 nu
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 10.4.15.1 18 msec 13 msec 19 msec
2 192.1.4.1 30 msec 35 msec 44 msec
3 10.61.91.148 28 msec 28 msec 44 msec
vEdge3# show ip route vpn 1
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 omp - - - - 10.12.0.1 mpls ipsec -
1 0.0.0.0/0 omp - - - - 10.12.0.1 public-internet ipsec -
1 0.0.0.0/0 omp - - - - 10.12.0.2 mpls ipsec -
1 0.0.0.0/0 omp - - - - 10.12.0.2 public-internet ipsec -
1 0.0.0.0/0 nat - ge0/0 - 0 - - - F,S
vEdge5# show ip route vpn 1
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 omp - - - - 10.12.0.1 mpls ipsec F,S
1 0.0.0.0/0 omp - - - - 10.12.0.2 mpls ipsec F,S
Failover Test
INET(config)#int g0/5
INET(config-if)#sh
vEdge4# show ip route vpn 1 0.0.0.0
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 omp - - - - 10.12.0.1 mpls ipsec F,S
1 0.0.0.0/0 omp - - - - 10.12.0.2 mpls ipsec F,S
Additional: add static routes for IOS15
IOS15#traceroute 8.8.8.8 nu
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 10.4.15.1 13 msec 13 msec 11 msec
2 10.1.0.2 37 msec 49 msec 38 msec
3 10.2.16.2 81 msec 68 msec 66 msec
4 10.1.160.1 65 msec 84 msec 104 msec
5 192.1.101.1 88 msec 68 msec 70 msec
6 10.61.91.148 78 msec 71 msec 86 msec
7 192.168.0.1 52 msec * 80 msec
IOS15#ping 8.8.8.8 source lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.4.150.1
!!!!!
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Service VPN1 NAT Static PAT Port Address Translation
vEdge 3 and vEdge 4
Edit feature template "vEdge_VPN0_Int_G0/0_Template" for single site
vEdge4# show running-config vpn 0 interface ge0/0
vpn 0
interface ge0/0
description INET_Interface
ip address 192.1.4.2/24
nat
refresh bi-directional
no block-icmp-error
respond-to-ping
port-forward port-start 23 port-end 23 proto tcp
private-vpn 1
private-ip-address 10.4.15.2
!
INET#telnet 192.1.4.2
Trying 192.1.4.2 ... Open
….
User Access Verification
Username: admin
Password:
IOS15#show users
Line User Host(s) Idle Location
0 con 0 idle 00:00:15
*578 vty 0 admin idle 00:00:00 192.1.4.1
vEdge4# show ip nat filter | tab
                            PRIVATE    PRIVATE    PRIVATE  PRIVATE  PUBLIC     PUBLIC     PUBLIC  PUBLIC
NAT  NAT                    SOURCE     DEST       SOURCE   DEST     SOURCE     DEST       SOURCE  DEST    FILTER       IDLE        OUTBOUND  OUTBOUND  INBOUND  INBOUND
VPN  IFNAME  VPN  PROTOCOL  ADDRESS    ADDRESS    PORT     PORT     ADDRESS    ADDRESS    PORT    PORT    STATE        TIMEOUT     PACKETS   OCTETS    PACKETS  OCTETS   DIRECTION
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
…
0    ge0/0   1    tcp       10.4.15.2  192.1.4.1  23       61626    192.1.4.2  192.1.4.1  23      61626   established  0:00:59:27  57        4964      62       3726     -
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Service VPN1 dynamic and Static NAT
vEdge 3 and vEdge 4
Edit feature template "vEdge_VPN0_Int_G0/0_Template" for single sites
vEdge3# show running-config vpn 0 interface ge0/0
vpn 0
interface ge0/0
description INET_Interface
ip address 192.1.3.2/24
nat
refresh bi-directional
no block-icmp-error
respond-to-ping
natpool range-start 192.1.3.96 range-end 192.1.3.127
!
IOS13#traceroute 8.8.8.8 nu
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 10.3.13.1 15 msec 17 msec 19 msec
2 192.1.3.1 29 msec * *
3 10.61.91.148 76 msec 60 msec 59 msec
4 192.168.0.1 126 msec * 61 msec
vEdge3# show ip nat filter | tab
…
0 ge0/0 1 udp 10.3.13.2 8.8.8.8 49165 33437 192.1.3.96 8.8.8.8 49165 33437 established 0:00:00:15 1 60 1 70
Edit feature template "vEdge_VPN0_Int_G0/0_Template" for single sites again for static NAT
vEdge3# show running-config vpn 0 interface ge0/0
vpn 0
interface ge0/0
description INET_Interface
ip address 192.1.3.2/24
nat
…
static source-ip 10.3.130.1 translate-ip 192.1.3.127 source-vpn 1
IOS13#telnet 8.8.8.8 /source-interface lo 0
Trying 8.8.8.8 ... Open
User Access Verification
…
Username: admin
Password:
lab-router#who
Line User Host(s) Idle Location
*132 vty 0 admin idle 00:00:00 192.1.3.127
Interface User Mode Idle Peer Address
INET#telnet 192.1.3.127
Trying 192.1.3.127 ... Open
Username: admin
Password:
…
IOS13#who
Line User Host(s) Idle Location
0 con 0 idle 00:00:21
*578 vty 0 admin idle 00:00:00 192.1.3.1
vEdge3# show ip nat filter | tab
…
0 ge0/0 1 tcp 10.3.130.1 8.8.8.8 54207 23 192.1.3.127 8.8.8.8 54207 23 reset 0:00:00:00 37 2226 26 1615 -
0 ge0/0 1 tcp 10.3.130.1 192.1.3.1 23 64424 192.1.3.127 192.1.3.1 23 64424 established 0:00:59:52 27 3051 32 1926
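Added example, not part of the original lab notes: a Python audit that reads a VPN 0 interface `nat` block in the syntax shown in the two sections above and lists every inbound path it opens (`port-forward` and `static source-ip`), marking forwards to cleartext services such as the Telnet forward to 10.4.15.2. The function names, the severity labels and the `CLEARTEXT` port set are assumptions of this example; the sample config is constructed from the lines shown above.

```python
import re

# Constructed sample: the nat blocks shown above for vEdge4 (static PAT)
# and vEdge3 (NAT pool plus static NAT), joined into one text.
SAMPLE_CONFIG = """\
vpn 0
 interface ge0/0
  description INET_Interface
  ip address 192.1.4.2/24
  nat
   refresh bi-directional
   no block-icmp-error
   respond-to-ping
   port-forward port-start 23 port-end 23 proto tcp
    private-vpn 1
    private-ip-address 10.4.15.2
   !
vpn 0
 interface ge0/0
  description INET_Interface
  ip address 192.1.3.2/24
  nat
   respond-to-ping
   natpool range-start 192.1.3.96 range-end 192.1.3.127
   static source-ip 10.3.130.1 translate-ip 192.1.3.127 source-vpn 1
"""

# Services this example treats as cleartext (an assumption; extend as needed).
CLEARTEXT = {21: "ftp", 23: "telnet", 80: "http"}

PORT_FWD = re.compile(r"port-forward port-start (\d+) port-end (\d+) proto (\w+)")
STATIC = re.compile(r"static source-ip (\S+) translate-ip (\S+) source-vpn (\d+)")


def parse_nat_exposures(config):
    """Return one dict per inbound path opened under an interface nat block."""
    exposures, interface, address, pending = [], None, None, None
    for raw in config.splitlines():
        line = " ".join(raw.split())          # indentation is not relied on
        if line.startswith("interface "):
            interface, address, pending = line.split()[1], None, None
        elif line.startswith("ip address "):
            address = line.split()[2].split("/")[0]
        elif m := PORT_FWD.fullmatch(line):
            pending = {"kind": "port-forward", "interface": interface,
                       "public_ip": address, "proto": m.group(3),
                       "first_port": int(m.group(1)), "last_port": int(m.group(2)),
                       "private_ip": None, "private_vpn": None}
            exposures.append(pending)
        elif pending and line.startswith("private-vpn "):
            pending["private_vpn"] = int(line.split()[1])
        elif pending and line.startswith("private-ip-address "):
            pending["private_ip"] = line.split()[1]
        elif m := STATIC.fullmatch(line):
            # 1:1 mapping: the rule itself carries no port restriction.
            exposures.append({"kind": "static", "interface": interface,
                              "public_ip": m.group(2), "proto": "any",
                              "first_port": None, "last_port": None,
                              "private_ip": m.group(1),
                              "private_vpn": int(m.group(3))})
            pending = None
    return exposures


def findings(config):
    """Turn exposures into (level, text) review lines."""
    report = []
    for e in parse_nat_exposures(config):
        target = f"{e['private_ip']} (vpn {e['private_vpn']})"
        if e["kind"] == "static":
            report.append(("REVIEW", f"{e['public_ip']} maps 1:1 to {target}; "
                                     "inbound sessions reach the host unless filtered"))
            continue
        ports = range(e["first_port"], e["last_port"] + 1)
        clear = sorted(CLEARTEXT[p] for p in ports if p in CLEARTEXT)
        level = "HIGH" if clear else "REVIEW"
        label = f"{e['first_port']}-{e['last_port']}/{e['proto']}"
        note = f" cleartext: {', '.join(clear)}" if clear else ""
        report.append((level, f"{e['public_ip']}:{label} forwards to {target}{note}"))
    return report


if __name__ == "__main__":
    for level, text in findings(SAMPLE_CONFIG):
        print(f"{level:6} {text}")
```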
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vSmart Template Setup and Deployment
vSmart
Create vSmart feature template "vSmart_VPN0_Template"
Copy to create "vsmart_VPN512_Template"
Remove default route for vpn512
Create feature template "vSmart_VPN0_Eth0_Template"
Copy and Edit template "vSmart_VPN512_Eth1_Template"
Create "vSmart_System_Template"
Create "vSmart_Banner_Template"
Create device template "vSmart_Device_Template"
Attach vSmart to Template
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Service VPN1 NAT Policy with Centralized Data Policy
Centralized Policy adding sites and VPN lists
vEdge 3 and vEdge 4
Edit feature template "vEdge_Single_Site_VPN1_Template" and delete the IPv4 default route that sends traffic to vpn 0
Create centralized policy
Activate and push down to vSmart
Verify
vEdge3# show policy from-vsmart
from-vsmart data-policy _Service-VPN1_NAT_POLICY
direction from-service
vpn-list Service-VPN1
sequence 1
match
destination-data-prefix-list 10_NETS
action accept
count Counter1_1683033971
sequence 11
match
source-ip 0.0.0.0/0
action accept
count Counter2_1683033971
nat use-vpn 0
no nat fallback
default-action drop
from-vsmart lists vpn-list Service-VPN1
vpn 1
from-vsmart lists data-prefix-list 10_NETS
ip-prefix 10.0.0.0/8
IOS13#ping 8.8.8.8
vEdge3# show policy data-policy-filter
data-policy-filter _Service-VPN1_NAT_POLICY
data-policy-vpnlist Service-VPN1
data-policy-counter Counter1_1683033971
packets 0
bytes 0
data-policy-counter Counter2_1683033971
packets 40
bytes 3588
IOS13#ping 10.1.0.16
vEdge3# show policy data-policy-filter
data-policy-filter _Service-VPN1_NAT_POLICY
data-policy-vpnlist Service-VPN1
data-policy-counter Counter1_1683033971
packets 5
bytes 570
data-policy-counter Counter2_1683033971
packets 96
bytes 7240
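Added example, not part of the original lab notes: a Python parser for the `show policy from-vsmart` output above plus a first-match evaluator, showing why the ping to 8.8.8.8 lands on Counter2 with NAT through vpn 0 while the ping to 10.1.0.16 lands on Counter1, and that sequence 11 matches every IPv4 packet so `default-action drop` is never reached. Function names are assumptions of this example, the sample text is constructed from the output above, and first-match ordering by sequence number is the model used.

```python
import ipaddress

# Constructed sample: the "show policy from-vsmart" output shown above.
FROM_VSMART = """\
from-vsmart data-policy _Service-VPN1_NAT_POLICY
direction from-service
vpn-list Service-VPN1
sequence 1
match
destination-data-prefix-list 10_NETS
action accept
count Counter1_1683033971
sequence 11
match
source-ip 0.0.0.0/0
action accept
count Counter2_1683033971
nat use-vpn 0
no nat fallback
default-action drop
from-vsmart lists vpn-list Service-VPN1
vpn 1
from-vsmart lists data-prefix-list 10_NETS
ip-prefix 10.0.0.0/8
"""

MATCH_KEYS = ("source-ip", "destination-ip",
              "source-data-prefix-list", "destination-data-prefix-list")


def parse_policy(text):
    """Parse the keyword stream; indentation is ignored, as in the notes."""
    policy = {"name": None, "default": None, "sequences": [], "prefix_lists": {}}
    seq = prefixes = None
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[:2] == ["from-vsmart", "data-policy"]:
            policy["name"] = w[2]
        elif w[:2] == ["from-vsmart", "lists"]:
            seq = None
            prefixes = (policy["prefix_lists"].setdefault(w[3], [])
                        if w[2] == "data-prefix-list" else None)
        elif w[0] == "ip-prefix" and prefixes is not None:
            prefixes.append(ipaddress.ip_network(w[1]))
        elif w[0] == "sequence":
            seq = {"id": int(w[1]), "match": {}, "action": None,
                   "counter": None, "nat_vpn": None}
            policy["sequences"].append(seq)
        elif w[0] == "default-action":
            policy["default"] = w[1]
        elif seq is not None and w[0] in MATCH_KEYS:
            seq["match"][w[0]] = w[1]
        elif seq is not None and w[0] == "action":
            seq["action"] = w[1]
        elif seq is not None and w[0] == "count":
            seq["counter"] = w[1]
        elif seq is not None and w[:2] == ["nat", "use-vpn"]:
            seq["nat_vpn"] = int(w[2])
    return policy


def _hit(policy, key, value, src, dst):
    addr = src if key.startswith("source") else dst
    nets = (policy["prefix_lists"].get(value, []) if key.endswith("prefix-list")
            else [ipaddress.ip_network(value)])
    return any(addr in net for net in nets)


def evaluate(policy, src, dst):
    """First matching sequence wins; otherwise the default action applies."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq in policy["sequences"]:
        if all(_hit(policy, k, v, src, dst) for k, v in seq["match"].items()):
            return {"sequence": seq["id"], "action": seq["action"],
                    "counter": seq["counter"], "nat_vpn": seq["nat_vpn"]}
    return {"sequence": None, "action": policy["default"],
            "counter": None, "nat_vpn": None}


def catch_all_sequence(policy):
    """Id of the first sequence whose match covers every IPv4 packet, if any."""
    everything = ipaddress.ip_network("0.0.0.0/0")
    for seq in policy["sequences"]:
        if all(k.endswith("-ip") and ipaddress.ip_network(v) == everything
               for k, v in seq["match"].items()):
            return seq["id"]
    return None


if __name__ == "__main__":
    p = parse_policy(FROM_VSMART)
    for src, dst in [("10.3.13.2", "8.8.8.8"), ("10.3.13.2", "10.1.0.16")]:
        print(src, "->", dst, evaluate(p, src, dst))
    print("catch-all sequence:", catch_all_sequence(p))
```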
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Service VPN1 Standard and Extended ACL via CLI
vEdge 3 and vEdge 4
vEdge3 and 4# show policy from-vsmart
% No entries found.
Shut down INET and MPLS port to vEdge 2 to make sure traffic goes through vEdge1:
vEdge3# show ip route vpn 1 0.0.0.0
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 omp - - - - 10.12.0.1 mpls ipsec F,S
1 0.0.0.0/0 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 0.0.0.0/0 omp - - - - 10.12.0.2 mpls ipsec F,S
IOS13#traceroute 8.8.8.8 source lo 1 numeric
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 10.3.13.1 7 msec 16 msec 18 msec
2 10.1.0.1 71 msec 43 msec 53 msec
3 10.5.6.2 78 msec 60 msec 88 msec
4 10.2.16.2 99 msec 84 msec 90 msec
5 10.1.160.1 81 msec 70 msec 76 msec
6 192.1.101.1 87 msec 68 msec 101 msec
7 10.61.91.148 95 msec 117 msec 82 ms
vEdge 1
Inbound blocking
vEdge1# show running-config policy
policy
lists
data-prefix-list IOS13_LOOPBACK
ip-prefix 13.13.13.13/32
!
data-prefix-list IOS14_LOOPBACK
ip-prefix 14.14.14.14/32
!
data-prefix-list IOS15_LOOPBACK
ip-prefix 15.15.15.15/32
!
data-prefix-list RFC_1918_10NET
ip-prefix 10.0.0.0/8
!
!
access-list SPOKE_LOOPBACKS
sequence 1
match
source-data-prefix-list IOS13_LOOPBACK
!
action drop
count IOS13_COUNTER
!
!
sequence 2
match
source-data-prefix-list IOS14_LOOPBACK
!
action drop
count IOS14_COUNTER
!
!
sequence 3
match
source-data-prefix-list IOS15_LOOPBACK
!
action drop
count IOS15_COUNTER
!
!
sequence 4
match
source-data-prefix-list RFC_1918_10NET
!
action accept
count 10NET_COUNTER
!
!
default-action accept
!
vEdge1(config-interface-ge0/6)# show configuration
vpn 1
interface ge0/6
access-list SPOKE_LOOPBACKS out
!
!
Verify
IOS13#ping 8.8.8.8 source lo 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 13.13.13.13
.....
vEdge1# show policy access-list-counters
NAME COUNTER NAME PACKETS BYTES
------------------------------------------------
SPOKE_LOOPBACKS 10NET_COUNTER 15 1124
IOS13_COUNTER 5 500
IOS14_COUNTER 0 0
IOS15_COUNTER 0 0
Outbound blocking
SW17#telnet 10.3.130.1 /source-interface lo 0
Trying 10.3.130.1 ... Open
Policy
access-list BLOCK_IOS13_TELNET
sequence 1
match
destination-data-prefix-list IOS13_LOOPBACK
destination-port 23
protocol 6
!
action drop
count TELNET_COUNTER
!
!
default-action accept
…
vEdge1# show running-config vpn 1 interface ge0/6
vpn 1
interface ge0/6
ip address 10.1.16.1/24
no shutdown
access-list BLOCK_IOS13_TELNET in
!
vEdge1# show policy access-list-counters
NAME COUNTER NAME PACKETS BYTES
----------------------------------------------------
BLOCK_IOS13_TELNET TELNET_COUNTER 4 240
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Service VPN1 Standard and Extended ACL via ACL Policy and Templates
vEdge 3, 4 & 5
Create data prefix list
Create ACL policy for "IOS13_LOOPBACK" & "IOS15_LOOPBACK"
Edit device template "vEdge_Single_Device_Template"
vEdge3# show running-config policy
policy
lists
data-prefix-list IOS13_LOOPBACK
ip-prefix 13.13.13.13/32
!
data-prefix-list IOS15_LOOPBACK
ip-prefix 15.15.15.15/32
!
!
access-list BLOCK_TELNET
sequence 1
match
destination-port 23
protocol 6
!
action drop
count TELNET_COUNTER
!
!
default-action accept
!
access-list IOS13_LOOPBACK
sequence 1
match
source-data-prefix-list IOS13_LOOPBACK
!
action drop
count IOS13_COUNTER
!
!
default-action accept
!
access-list IOS15_LOOPBACK
sequence 1
match
source-data-prefix-list IOS15_LOOPBACK
!
action drop
count IOS15_COUNTER
!
!
default-action accept
!
Edit feature template "vEdge_Single_Site_VPN1_Int_G0/X_Template"
vEdge3# show run vpn 1 interface ge0/4
vpn 1
interface ge0/4
ip address 10.3.13.1/24
no shutdown
access-list IOS13_LOOPBACK in
access-list BLOCK_TELNET out
!
vEdge4# show running-config vpn 1 interface ge0/4
vpn 1
interface ge0/4
ip address 10.4.15.1/24
no shutdown
access-list IOS15_LOOPBACK in
access-list BLOCK_TELNET out
Test
IOS13#ping 8.8.8.8 source lo 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 13.13.13.13
UUUUU
IOS13#ping 8.8.8.8 source lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.3.130.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 50/61/83 ms
IOS15#ping 8.8.8.8 source lo 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 15.15.15.15
UUUUU
Success rate is 0 percent (0/5)
IOS15#ping 8.8.8.8 source lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.4.150.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 45/58/71 ms
vEdge3# show policy access-list-counters
NAME COUNTER NAME PACKETS BYTES
------------------------------------------------
BLOCK_TELNET TELNET_COUNTER 0 0
IOS13_LOOPBACK IOS13_COUNTER 23 2460
IOS15_LOOPBACK IOS15_COUNTER 0 0
vEdge4# show policy access-list-counters
NAME COUNTER NAME PACKETS BYTES
------------------------------------------------
BLOCK_TELNET TELNET_COUNTER 0 0
IOS13_LOOPBACK IOS13_COUNTER 0 0
IOS15_LOOPBACK IOS15_COUNTER 5 570
SW17#telnet 13.13.13.13 /source-interface lo 0
Trying 13.13.13.13 ...
vEdge3# show policy access-list-counters
NAME COUNTER NAME PACKETS BYTES
------------------------------------------------
BLOCK_TELNET TELNET_COUNTER 4 176
IOS13_LOOPBACK IOS13_COUNTER 23 2460
IOS15_LOOPBACK IOS15_COUNTER 0 0
IOS13(config)#ip http server
IOS13(config)#ip http authentication local
SW17#telnet 10.3.130.1 80 /source-interface lo 0
Trying 10.3.130.1, 80 ... Open
IOS13#show ip http server connection
HTTP server current connections:
local-ipaddress:port remote-ipaddress:port in-bytes out-bytes
10.3.130.1:80 10.1.0.16:43329 0 0
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Service VPN1 QoS Policing and Shaping via CLI, Local Data Policy and Templates
vEdge 1
Policer
Option 1:
vEdge1# show running-config policy
policy
policer POLICE_8Kbps
rate 8000
burst 15000
exceed drop
vEdge1# show run vpn 1 int ge0/6
vpn 1
interface ge0/6
ip address 10.1.16.1/24
no shutdown
policer POLICE_8Kbps in
!
SW17#ping 13.13.13.13 source lo 1 size 1500 rep 100
Type escape sequence to abort.
Sending 100, 1500-byte ICMP Echos to 13.13.13.13, timeout is 2 seconds:
Packet sent with a source address of 10.5.16.2
!!!!!.!.!!.
vEdge1# show interface detail ge0/6 | in rx-policer-drops
rx-policer-drops 9
Option 2 with ACL:
vEdge1(config)# show configuration
vpn 1
interface ge0/6
access-list ICMP_ACL in
!
!
policy
access-list ICMP_ACL
sequence 1
match
protocol 1
!
action accept
count ICMP_Counter
policer POLICE_8Kbps
!
!
default-action accept
!
SW17#ping 13.13.13.13 source lo 1 size 2500 rep 100
Type escape sequence to abort.
Sending 100, 2500-byte ICMP Echos to 13.13.13.13, timeout is 2 seconds:
Packet sent with a source address of 10.5.16.2
!!!UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUU
vEdge1# show interface detail ge0/6 | in rx-policer-drops
rx-policer-drops 332
vEdge1# show policy access-list-counters
NAME COUNTER NAME PACKETS BYTES
----------------------------------------------------
ICMP_ACL ICMP_Counter 15 18390
vEdge 5
Edit template "vEdge_MPLS_Only_VPN0_Int_G0/1_Template" for shaper
vEdge5# show run vpn 0 interface ge0/1
vpn 0
interface ge0/1
…
no shutdown
shaping-rate 8000
Create Local Policy for policer
Edit "vEdge_MPLS_Only_Device_Template"
vEdge5# show running-config policy
policy
policer ICMP_Policer
rate 8000
burst 15000
exceed drop
!
access-list ICMP_ACL
sequence 1
match
protocol 1
!
action accept
count ICMP_COUNTER
policer ICMP_Policer
!
!
default-action accept
!
Edit "vEdge_MPLS_Only_VPN1_Int_G0/X_Template"
vEdge5# show running-config vpn 1 interface ge0/4
vpn 1
interface ge0/4
ip address 10.5.14.1/24
no shutdown
access-list ICMP_ACL in
!
!
IOS14#ping 8.8.8.8 source lo 1 re 100 size 1500
Type escape sequence to abort.
Sending 100, 1500-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 14.14.14.14
!!!!!!!!!!UUUUUUUUUUU!UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUU!UUUUUUUUUUUUUUUUUU
Success rate is 12 percent (12/100), round-trip min/avg/max = 71/119/280 ms
vEdge5# show interface detail ge0/4 | in drop
rx-drops 93
tx-drops 8
rx-arp-reply-drops 0
rx-arp-rate-limit-drops 0
tx-arp-rate-limit-drops 1
rx-arp-non-local-drops 0
tx-no-arp-drops 7
rx-policer-drops 88
rx-non-ip-drops 0
filter-drops 0
mirror-drops 0
cpu-policer-drops 0
tx-icmp-policer-drops 0
tx-icmp-mirrored-drops 0
split-horizon-drops 0
icmp-redirect-tx-drops 0
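Added example, not part of the original lab notes: a token-bucket model in Python of the `rate 8000` / `burst 15000` / `exceed drop` policer used above, replaying a 100-packet, 1500-byte ping the way IOS sends it (the next echo goes out once the previous one is answered or rejected). The model assumes the bucket starts full and counts only the IP packet length, and the 120 ms reply and 30 ms unreachable timings are assumed values; under them the run passes a first burst of 10 packets and 12 of 100 overall, the same shape as the IOS14 test.

```python
class TokenBucket:
    """Single-rate policer: rate in bits per second, burst in bytes."""

    def __init__(self, rate_bps, burst_bytes):
        self.bytes_per_ms = rate_bps / 8000.0   # 8000 bps -> 1 byte per ms
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)        # assumption: bucket starts full

    def advance(self, ms):
        """Refill for elapsed time, never beyond the configured burst."""
        self.tokens = min(self.burst, self.tokens + ms * self.bytes_per_ms)

    def offer(self, size):
        """True if the packet conforms; 'exceed drop' consumes no tokens."""
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def ping_run(count, size, reply_ms, drop_ms, rate_bps=8000, burst_bytes=15000):
    """Replay a sequential ping through the policer.

    reply_ms: assumed time until the next echo after a successful reply.
    drop_ms:  assumed time until the next echo after a policed packet.
    Returns a string of '!' (conformed) and 'U' (dropped by the policer).
    """
    bucket = TokenBucket(rate_bps, burst_bytes)
    marks = []
    for _ in range(count):
        passed = bucket.offer(size)
        marks.append("!" if passed else "U")
        bucket.advance(reply_ms if passed else drop_ms)
    return "".join(marks)


def summarize(marks):
    """Return (initial burst length, packets passed, packets dropped)."""
    first_burst = len(marks) - len(marks.lstrip("!"))
    return first_burst, marks.count("!"), marks.count("U")


if __name__ == "__main__":
    run = ping_run(100, 1500, reply_ms=120, drop_ms=30)
    print(run)
    print("first burst, passed, dropped:", summarize(run))
```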
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Service VPN1 Hub and Spoke Overview and Setup
vEdge 1
Attach vEdge1 to "vEdge_Dual_Site_Device_Template"
Add site list
Add VPN 1
Add topology
Import existing topology
Activate
vSmart# show running-config policy
policy
lists
vpn-list Service-VPN1
vpn 1
!
site-list Hub
site-id 12
!
site-list Spokes
site-id 3-5
!
!
control-policy control_893151249
sequence 10
match route
site-list Hub
vpn-list Service-VPN1
!
action accept
!
!
sequence 20
match tloc
site-list Hub
!
action accept
!
!
default-action reject
vEdge3# show ip route vpn 1 0.0.0.0/0
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 omp - - - - 10.12.0.1 mpls ipsec F,S
1 0.0.0.0/0 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 0.0.0.0/0 omp - - - - 10.12.0.2 mpls ipsec F,S
1 0.0.0.0/0 omp - - - - 10.12.0.2 public-internet ipsec F,S
vEdge3# show bfd sessions
SOURCE TLOC REMOTE TLOC DST PUBLIC DST PUBLIC DETECT TX
SYSTEM IP SITE ID STATE COLOR COLOR SOURCE IP IP PORT ENCAP MULTIPLIER INTERVAL(msec) UPTIME TRANSITIONS
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10.12.0.1 12 down mpls mpls 172.31.13.2 172.31.11.2 12346 ipsec 7 1000 NA 8
10.12.0.1 12 up public-internet public-internet 192.1.3.2 192.1.1.2 12346 ipsec 7 1000 0:02:03:43 7
10.12.0.2 12 up mpls mpls 172.31.13.2 172.31.12.2 12426 ipsec 7 1000 2:06:54:30 0
10.12.0.2 12 up public-internet public-internet 192.1.3.2 192.1.2.2 12366 ipsec 7 1000 2:06:54:12 0
IOS13#traceroute 15.15.15.15 numeric
Type escape sequence to abort.
Tracing the route to 15.15.15.15
VRF info: (vrf in name/id, vrf out name/id)
1 10.3.13.1 18 msec 21 msec 2 msec
2 10.1.0.1 51 msec 20 msec 59 msec --vedge 1
3 10.4.15.1 66 msec 89 msec 77 msec -- vedge 5
4 10.4.15.2 76 msec * 69 msec ---IOS14
vEdge 3 and vEdge 4
Edit "vEdge_Single_Site_VPN1_Template" to enable local internet breakout for single site
vEdge3# show run vpn 1 ip route
vpn 1
ip route 0.0.0.0/0 vpn 0
IOS13#telnet 8.8.8.8 /source-interface lo 1
Trying 8.8.8.8 ... Open
Username: admin
Password:
lab-router#who
Line User Host(s) Idle Location
*132 vty 0 admin idle 00:00:00 192.1.3.97
IOS13#ping 15.15.15.15
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.15, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Service VPN1 VPN Segmentation Overview and Deployment - VPN100 & VPN101
vEdge 1 and vEdge 2
Copy and create "vEdge_Dual_Site_VPN100_Template"
Copy and create "vEdge_Dual_Site_VPN100_Int_G0/2_Template"
Copy and create "vEdge_Dual_Site_VPN101_Int_G0/3_Template"
Copy and create "vEdge_Dual_Site_VPN101_Template"
Copy and create "vEdge_Dual_Site_VPN100_OSPF_Template"
Copy and create "vEdge_Dual_Site_VPN101_OSPF_Template"
Copy and create "vEdge_Single_Site_VPN100_Template"
Copy and create "vEdge_Single_Site_VPN100_Int_G0/2_Template"
Copy and create "vEdge_Single_Site_VPN100_OSPF_Template"
Copy and create "vEdge_Single_Site_VPN101_Template"
…
Copy and create "vEdge_Single_Site_VPN101_Int_G0/3_Template"
…
Copy and create "vEdge_Single_Site_VPN101_OSPF_Template"
…
Copy and create "vEdge_MPLS_Only_VPN100_Template"
…
Copy and create "vEdge_MPLS_Only_VPN100_Int_G0/2_Template"
…
Copy and create "vEdge_MPLS_Only_VPN100_OSPF_Template"
…
Copy and create "vEdge_MPLS_Only_VPN101_Template"
…
Copy and create "vEdge_MPLS_Only_VPN101_Int_G0/3_Template"
…
Copy and create "vEdge_MPLS_Only_VPN101_OSPF_Template"
…
Edit "vEdge_Dual_Site_Device_Template"
vEdge 1
vEdge 2
vEdge1# show run vpn 100
vpn 100
router
ospf
timers spf 200 1000 10000
redistribute omp
area 0
interface ge0/2
exit
exit
!
!
interface ge0/2
ip address 10.1.100.1/24
no shutdown
!
omp
advertise ospf external
!
!
vEdge1# show run vpn 101
vpn 101
router
ospf
timers spf 200 1000 10000
area 0
interface ge0/3
exit
exit
!
!
interface ge0/3
ip address 10.1.101.1/24
no shutdown
!
omp
advertise ospf external
!
!
vEdge2# show run vpn 100
vpn 100
router
ospf
timers spf 200 1000 10000
redistribute omp
area 0
interface ge0/2
exit
exit
!
!
interface ge0/2
ip address 10.1.102.1/24
no shutdown
!
omp
advertise ospf external
!
!
vEdge2# show run vpn 101
vpn 101
router
ospf
timers spf 200 1000 10000
area 0
interface ge0/3
exit
exit
!
!
interface ge0/3
ip address 10.1.103.1/24
no shutdown
!
omp
advertise ospf external
!
!
IOS7
IOS7#show run | s vrf
vrf definition VPN100
rd 100:100
!
address-family ipv4
exit-address-family
vrf definition VPN101
rd 101:101
address-family ipv4
exit-address-family
IOS7#show run int g0/0
interface GigabitEthernet0/0
vrf forwarding VPN100
ip address 10.1.100.2 255.255.255.0
IOS7#show run int g0/1
interface GigabitEthernet0/1
vrf forwarding VPN101
ip address 10.1.101.2 255.255.255.0
IOS7#show run int g0/2
interface GigabitEthernet0/2
vrf forwarding VPN100
ip address 10.1.102.2 255.255.255.0
IOS7#show run int g0/3
interface GigabitEthernet0/3
vrf forwarding VPN101
ip address 10.1.103.2 255.255.255.0
IOS7#show run int lo 100
interface Loopback100
vrf forwarding VPN100
ip address 10.1.70.7 255.255.255.0
IOS7#show run int lo 101
interface Loopback101
vrf forwarding VPN101
ip address 10.1.71.1 255.255.255.0
IOS7#show run | s router ospf
router ospf 100 vrf VPN100
capability vrf-lite
network 10.1.0.0 0.0.255.255 area 0
router ospf 101 vrf VPN101
capability vrf-lite
network 10.1.0.0 0.0.255.255 area 0
IOS7# show ip route vrf VPN100
Routing Table: VPN100
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
C 10.1.70.0/24 is directly connected, Loopback100
L 10.1.70.7/32 is directly connected, Loopback100
C 10.1.100.0/24 is directly connected, GigabitEthernet0/0
L 10.1.100.2/32 is directly connected, GigabitEthernet0/0
C 10.1.102.0/24 is directly connected, GigabitEthernet0/2
L 10.1.102.2/32 is directly connected, GigabitEthernet0/2
O E2 10.3.100.0/24
[110/16777214] via 10.1.102.1, 00:00:15, GigabitEthernet0/2
[110/16777214] via 10.1.100.1, 00:00:15, GigabitEthernet0/0
O E2 10.4.100.0/24
[110/16777214] via 10.1.102.1, 00:00:15, GigabitEthernet0/2
[110/16777214] via 10.1.100.1, 00:00:15, GigabitEthernet0/0
O E2 10.5.100.0/24
[110/16777214] via 10.1.102.1, 00:00:15, GigabitEthernet0/2
[110/16777214] via 10.1.100.1, 00:00:15, GigabitEthernet0/0
IOS7#
*Feb 12 13:11:26.121: %OSPF-5-ADJCHG: Process 101, Nbr 10.12.0.1 on GigabitEthernet0/1 from LOADING to FULL, Loading Done
IOS7#
IOS7#show run | s router ospf
router ospf 100 vrf VPN100
capability vrf-lite
network 10.1.0.0 0.0.255.255 area 0
router ospf 101 vrf VPN101
capability vrf-lite
network 10.1.0.0 0.0.255.255 area 0
IOS7# show ip route vrf VPN100
….
10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
C 10.1.70.0/24 is directly connected, Loopback100
L 10.1.70.7/32 is directly connected, Loopback100
C 10.1.100.0/24 is directly connected, GigabitEthernet0/0
L 10.1.100.2/32 is directly connected, GigabitEthernet0/0
C 10.1.102.0/24 is directly connected, GigabitEthernet0/2
L 10.1.102.2/32 is directly connected, GigabitEthernet0/2
O E2 10.3.100.0/24
[110/16777214] via 10.1.102.1, 00:02:10, GigabitEthernet0/2
[110/16777214] via 10.1.100.1, 00:02:10, GigabitEthernet0/0
O E2 10.4.100.0/24
[110/16777214] via 10.1.102.1, 00:02:10, GigabitEthernet0/2
[110/16777214] via 10.1.100.1, 00:02:10, GigabitEthernet0/0
O E2 10.5.100.0/24
[110/16777214] via 10.1.102.1, 00:02:10, GigabitEthernet0/2
[110/16777214] via 10.1.100.1, 00:02:10, GigabitEthernet0/0
IOS7# show ip route vrf VPN101
..
10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
C 10.1.71.0/24 is directly connected, Loopback101
L 10.1.71.1/32 is directly connected, Loopback101
C 10.1.101.0/24 is directly connected, GigabitEthernet0/1
L 10.1.101.2/32 is directly connected, GigabitEthernet0/1
C 10.1.103.0/24 is directly connected, GigabitEthernet0/3
L 10.1.103.2/32 is directly connected, GigabitEthernet0/3
O E2 10.3.101.0/24
[110/16777214] via 10.1.103.1, 00:01:49, GigabitEthernet0/3
[110/16777214] via 10.1.101.1, 00:01:49, GigabitEthernet0/1
O E2 10.4.101.0/24
[110/16777214] via 10.1.103.1, 00:01:49, GigabitEthernet0/3
[110/16777214] via 10.1.101.1, 00:01:49, GigabitEthernet0/1
O E2 10.5.101.0/24
[110/16777214] via 10.1.103.1, 00:01:49, GigabitEthernet0/3
[110/16777214] via 10.1.101.1, 00:01:49, GigabitEthernet0/1
Edit "vEdge_Single_Site_Device_Template"
vEdge 3
vEdge 4
Repeat dual site config for IOS routers
Edit "vEdge_MPLS_Only_Device_Template"
Repeat dual site config for IOS routers
Deactivate Centralized Policy "Hub_N_Spoke_Policy"
vEdge3# show ip route vpn 100
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
100 10.1.70.7/32 omp - - - - 10.12.0.1 mpls ipsec F,S
100 10.1.70.7/32 omp - - - - 10.12.0.1 public-internet ipsec F,S
100 10.1.70.7/32 omp - - - - 10.12.0.2 mpls ipsec F,S
100 10.1.70.7/32 omp - - - - 10.12.0.2 public-internet ipsec F,S
100 10.1.100.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
100 10.1.100.0/24 omp - - - - 10.12.0.1 public-internet ipsec F,S
100 10.1.102.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
100 10.1.102.0/24 omp - - - - 10.12.0.2 public-internet ipsec F,S
100 10.3.100.0/24 ospf IA ge0/2 - - - - - -
100 10.3.100.0/24 connected - ge0/2 - - - - - F,S
100 10.4.100.0/24 omp - - - - 10.4.0.1 mpls ipsec F,S
100 10.4.100.0/24 omp - - - - 10.4.0.1 public-internet ipsec F,S
100 10.5.100.0/24 omp - - - - 10.5.0.1 mpls ipsec F,S
vEdge3# show ip route vpn 101
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
101 10.1.71.1/32 omp - - - - 10.12.0.1 mpls ipsec F,S
101 10.1.71.1/32 omp - - - - 10.12.0.1 public-internet ipsec F,S
101 10.1.71.1/32 omp - - - - 10.12.0.2 mpls ipsec F,S
101 10.1.71.1/32 omp - - - - 10.12.0.2 public-internet ipsec F,S
101 10.1.101.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
101 10.1.101.0/24 omp - - - - 10.12.0.1 public-internet ipsec F,S
101 10.1.103.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
101 10.1.103.0/24 omp - - - - 10.12.0.2 public-internet ipsec F,S
101 10.3.101.0/24 ospf IA ge0/3 - - - - - -
101 10.3.101.0/24 connected - ge0/3 - - - - - F,S
101 10.4.101.0/24 omp - - - - 10.4.0.1 mpls ipsec F,S
101 10.4.101.0/24 omp - - - - 10.4.0.1 public-internet ipsec F,S
101 10.5.101.0/24 omp - - - - 10.5.0.1 mpls ipsec F,S
IOS13#show ip route vrf VPN100
10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
O E2 10.1.70.7/32
[110/16777214] via 10.3.100.1, 00:22:22, GigabitEthernet0/1
O E2 10.1.100.0/24
[110/16777214] via 10.3.100.1, 00:08:34, GigabitEthernet0/1
O E2 10.1.102.0/24
[110/16777214] via 10.3.100.1, 00:22:22, GigabitEthernet0/1
C 10.3.100.0/24 is directly connected, GigabitEthernet0/1
L 10.3.100.2/32 is directly connected, GigabitEthernet0/1
O E2 10.4.100.0/24
[110/16777214] via 10.3.100.1, 00:02:04, GigabitEthernet0/1
O E2 10.5.100.0/24
[110/16777214] via 10.3.100.1, 00:02:04, GigabitEthernet0/1
IOS13#show ip route vrf VPN101
Routing Table: VPN101
10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
O E2 10.1.71.1/32
[110/16777214] via 10.3.101.1, 00:22:25, GigabitEthernet0/0
O E2 10.1.101.0/24
[110/16777214] via 10.3.101.1, 00:08:37, GigabitEthernet0/0
O E2 10.1.103.0/24
[110/16777214] via 10.3.101.1, 00:22:25, GigabitEthernet0/0
C 10.3.101.0/24 is directly connected, GigabitEthernet0/0
L 10.3.101.2/32 is directly connected, GigabitEthernet0/0
O E2 10.4.101.0/24
[110/16777214] via 10.3.101.1, 00:02:07, GigabitEthernet0/0
O E2 10.5.101.0/24
[110/16777214] via 10.3.101.1, 00:02:07, GigabitEthernet0/0
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
VPN Segmentation with VPN Membership Policies
Lab 1 ------------ VPN 1 - spoke sites have no routes other than their local ones
vEdge3, 4 & 5
Allow vpn100-101 routes only
Add new centralized policy
Verify - VPN 1 - spoke sites have no routes other than their local ones
vEdge3# show ip route vpn 1
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 nat - ge0/0 - 0 - - - F,S
1 10.3.13.0/24 ospf IA ge0/4 - - - - - -
1 10.3.13.0/24 connected - ge0/4 - - - - - F,S
1 10.3.130.1/32 ospf IA ge0/4 10.3.13.2 - - - - F,S
1 13.13.13.13/32 ospf IA ge0/4 10.3.13.2 - - - - F,S
vEdge4# show ip route vpn 1
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 nat - ge0/0 - 0 - - - F,S
1 10.4.15.0/24 ospf IA ge0/4 - - - - - -
1 10.4.15.0/24 connected - ge0/4 - - - - - F,S
1 10.4.150.1/32 ospf IA ge0/4 10.4.15.2 - - - - F,S
1 15.15.15.15/32 ospf IA ge0/4 10.4.15.2 - - - - F,S
vEdge5# show ip route vpn 1
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
1 10.5.14.0/24 ospf IA ge0/4 - - - - - -
1 10.5.14.0/24 connected - ge0/4 - - - - - F,S
1 10.5.140.0/24 static - ge0/4 10.5.14.2 - - - - F,S
1 10.5.140.1/32 ospf IA ge0/4 10.5.14.2 - - - - F,S
1 14.14.14.14/32 ospf IA ge0/4 10.5.14.2 - - - - -
1 14.14.14.14/32 static - ge0/4 10.5.14.2 - - -
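Added example (not part of the original lab note): a Python check that parses `show ip route vpn` rows and flags any OMP-learned route in a VPN that the membership policy should keep local to the site. The function names and the leaked row are assumptions made up for illustration; the other rows are copied from the vEdge3 output above.

```python
import ipaddress

COLUMNS = ("vpn", "prefix", "protocol", "subtype", "nh_if", "nh_addr",
           "nh_vpn", "tloc_ip", "color", "encap", "status")

def parse_routes(text):
    """Turn the data rows of 'show ip route vpn N' into dicts keyed by COLUMNS."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or not tok[0].isdigit():
            continue                      # prompt, header or separator line
        try:
            ipaddress.ip_network(tok[1])
        except ValueError:
            continue                      # second token is not a prefix
        tok += ["-"] * (len(COLUMNS) - len(tok))   # pad rows that were cut short
        routes.append(dict(zip(COLUMNS, tok)))
    return routes

def omp_leaks(text, restricted_vpns):
    """Return (vpn, prefix, tloc_ip, color) for every OMP route in a VPN that
    the membership policy is supposed to keep local to the site."""
    return sorted({(int(r["vpn"]), r["prefix"], r["tloc_ip"], r["color"])
                   for r in parse_routes(text)
                   if r["protocol"] == "omp" and int(r["vpn"]) in restricted_vpns})

# Rows copied from the vEdge3 output on this page.
VEDGE3_OUTPUT = """\
vEdge3# show ip route vpn 1
1 0.0.0.0/0 nat - ge0/0 - 0 - - - F,S
1 10.3.13.0/24 ospf IA ge0/4 - - - - - -
1 10.3.13.0/24 connected - ge0/4 - - - - - F,S
1 13.13.13.13/32 ospf IA ge0/4 10.3.13.2 - - - - F,S
vEdge3# show ip route vpn 100
100 10.4.100.0/24 omp - - - - 10.4.0.1 mpls ipsec F,S
100 10.4.100.0/24 omp - - - - 10.4.0.1 public-internet ipsec F,S
"""

# Constructed row (not from the page): what a VPN 1 leak from vEdge4 would look like.
LEAKED_ROW = "1 10.4.15.0/24 omp - - - - 10.4.0.1 mpls ipsec F,S\n"

if __name__ == "__main__":
    print("policy active:", omp_leaks(VEDGE3_OUTPUT, {1}))
    print("with leak    :", omp_leaks(VEDGE3_OUTPUT + LEAKED_ROW, {1}))
```

An empty list for VPN 1 matches the Lab 1 result; the same function run against VPN 100 lists the remote TLOCs, which is expected there.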
Lab 2 ------------ all sites have all routes
Deactivate policy
Create new Centralized Policy
All spokes should have all routes.
Lab 3 ------------ Allow VPN1 routes to be leaked into VPN100 & VPN101
Deactivate centralized policy - "Any_To_Any_Policy"
Activate
Verify
IOS7#show ip route vrf VPN100
Gateway of last resort is 10.1.102.1 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/16777214] via 10.1.102.1, 00:00:42, GigabitEthernet0/2
[110/16777214] via 10.1.100.1, 00:00:43, GigabitEthernet0/0
10.0.0.0/8 is variably subnetted, 24 subnets, 2 masks
O E2 10.1.0.1/32
[110/16777214] via 10.1.100.1, 00:00:43, GigabitEthernet0/0
O E2 10.1.0.2/32
[110/16777214] via 10.1.102.1, 00:00:42, GigabitEthernet0/2
O E2 10.1.0.16/32
[110/16777214] via 10.1.102.1, 00:00:42, GigabitEthernet0/2
[110/16777214] via 10.1.100.1, 00:00:43, GigabitEthernet0/0
O E2 10.1.16.0/24
[110/16777214] via 10.1.100.1, 00:00:42, GigabitEthernet0/0
C 10.1.70.0/24 is directly connected, Loopback100
L 10.1.70.7/32 is directly connected, Loopback100
C 10.1.100.0/24 is directly connected, GigabitEthernet0/0
L 10.1.100.2/32 is directly connected, GigabitEthernet0/0
C 10.1.102.0/24 is directly connected, GigabitEthernet0/2
L 10.1.102.2/32 is directly connected, GigabitEthernet0/2
O E2 10.1.160.0/24
[110/16777214] via 10.1.102.1, 00:00:42, GigabitEthernet0/2
[110/16777214] via 10.1.100.1, 00:00:43, GigabitEthernet0/0
O E2 10.2.16.0/24
[110/16777214] via 10.1.102.1, 00:00:42, GigabitEthernet0/2
O E2 10.3.13.0/24
[110/16777214] via 10.1.102.1, 00:00:42, GigabitEthernet0/2
[110/16777214] via 10.1.100.1, 00:00:42, GigabitEthernet0/0
O E2 10.3.100.0/24
[110/16777214] via 10.1.102.1, 20:07:17, GigabitEthernet0/2
[110/16777214] via 10.1.100.1, 04:00:45, GigabitEthernet0/0
O E2 10.3.130.1/32
[110/16777214] via 10.1.102.1, 00:00:42, GigabitEthernet0/2
[110/16777214] via 10.1.100.1, 00:00:42, GigabitEthernet0/0
O E2 10.4.15.0/24
[110/16777214] via 10.1.102.1, 00:00:42, GigabitEthernet0/2
[110/16777214] via 10.1.100.1, 00:00:42, GigabitEthernet0/0
O E2 10.4.100.0/24
[110/16777214] via 10.1.102.1, 20:07:02, GigabitEthernet0/2
[110/16777214] via 10.1.100.1, 04:00:45, GigabitEthernet0/0
O E2 10.4.150.1/32
[110/16777214] via 10.1.102.1, 00:00:42, GigabitEthernet0/2
[110/16777214] via 10.1.100.1, 00:00:42, GigabitEthernet0/0
O E2 10.5.6.0/24
[110/16777214] via 10.1.102.1, 00:00:42, GigabitEthernet0/2
[110/16777214] via 10.1.100.1, 00:00:43, GigabitEthernet0/0
O E2 10.5.14.0/24
[110/16777214] via 10.1.102.1, 00:00:42, GigabitEthernet0/2
[110/16777214] via 10.1.100.1, 00:00:42, GigabitEthernet0/0
O E2 10.5.16.2/32
[110/16777214] via 10.1.102.1, 00:00:42, GigabitEthernet0/2
[110/16777214] via 10.1.100.1, 00:00:43, GigabitEthernet0/0
O E2 10.5.100.0/24
[110/16777214] via 10.1.102.1, 20:08:46, GigabitEthernet0/2
[110/16777214] via 10.1.100.1, 04:00:45, GigabitEthernet0/0
O E2 10.5.140.0/24
[110/16777214] via 10.1.102.1, 00:00:42, GigabitEthernet0/2
[110/16777214] via 10.1.100.1, 00:00:42, GigabitEthernet0/0
O E2 10.5.140.1/32
[110/16777214] via 10.1.102.1, 00:00:42, GigabitEthernet0/2
[110/16777214] via 10.1.100.1, 00:00:42, GigabitEthernet0/0
13.0.0.0/32 is subnetted, 1 subnets
O E2 13.13.13.13
[110/16777214] via 10.1.102.1, 00:00:42, GigabitEthernet0/2
[110/16777214] via 10.1.100.1, 00:00:42, GigabitEthernet0/0
14.0.0.0/32 is subnetted, 1 subnets
O E2 14.14.14.14
[110/16777214] via 10.1.102.1, 00:00:42, GigabitEthernet0/2
[110/16777214] via 10.1.100.1, 00:00:42, GigabitEthernet0/0
15.0.0.0/32 is subnetted, 1 subnets
O E2 15.15.15.15
[110/16777214] via 10.1.102.1, 00:00:42, GigabitEthernet0/2
[110/16777214] via 10.1.100.1, 00:00:42, GigabitEthernet0/0
IOS7#show ip route vrf VPN101
Same result: routes from VPN1 are present…
IOS13#show ip route vrf VPN100 15.15.15.15
Routing Table: VPN100
Routing entry for 15.15.15.15/32
Known via "ospf 100", distance 110, metric 16777214, type extern 2, forward metric 1
Last update from 10.3.100.1 on GigabitEthernet0/1, 00:03:09 ago
Routing Descriptor Blocks:
* 10.3.100.1, from 10.3.0.1, 00:03:09 ago, via GigabitEthernet0/1
Route metric is 16777214, traffic share count is 1
IOS13#show ip route vrf VPN100 14.14.14.14
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Service VPN1 Application Aware Routing
vEdge 3
Create new centralized policy and create SLA class
Activate
Telnet riding over MPLS
Web traffic flying over Internet
Save and activate