SD-WAN Lab Note Part 5
Command Line Interface based configuration
Hub and Spoke Topology - TLOC and Route
Traffic Engineering - TLOC Preference
Preferring tloc/site/vedge for default routes
Enforcing Security Perimeters with Service Insertion
Isolating Guest Users from the Corporate WAN
Creating Extranets and Access to Shared Services
Direct Internet Access [DIA] for Guest Users
Protecting Applications from Packet Loss
Application-Aware Routing Policies
Application-Aware Enterprise Firewall
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Command Line Interface based configuration
vEdge2
vEdge2# show control connections
PEER-TYPE PEER-PROT PEER-SYSTEM-IP SITE-ID DOMAIN-ID PEER-PRIVATE-IP PEER-PRIV-PORT PEER-PUBLIC-IP PEER-PUB-PORT LOCAL-COLOR PROXY STATE UPTIME CONTROLLER-GROUP-ID
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vsmart dtls 10.100.0.12 100 1 223.1.1.12 12346 223.1.1.12 12346 mpls No up 1:18:08:15 0
vsmart dtls 10.100.0.12 100 1 223.1.1.12 12346 223.1.1.12 12346 public-internet No up 1:18:08:31 0
vbond dtls 0.0.0.0 0 0 223.1.1.11 12346 223.1.1.11 12346 mpls - up 1:18:08:15 0
vbond dtls 0.0.0.0 0 0 223.1.1.11 12346 223.1.1.11 12346 public-internet - - up 1:18:08:31 0
vmanage dtls 10.100.0.10 100 0 223.1.1.10 12346 223.1.1.10 12346 mpls No up 1:18:08:15 0
vEdge2# show omp peers
PEER TYPE DOMAIN-ID OVERLAY-ID SITE-ID STATE UPTIME R/I/S
------------------------------------------------------------------------------------------
10.100.0.12 vsmart 1 1 100 up 1:18:58:20 28/26/28
vEdge2# show tunnel statistics
tunnel stats ipsec 172.31.12.2 172.31.13.2 12366 12346
system-ip 10.3.0.1
local-color mpls
remote-color mpls
tunnel-mtu 1441
tx_pkts 303177
tx_octets 41175469
rx_pkts 303177
rx_octets 41176779
tcp-mss-adjust 1361
tunnel stats ipsec 172.31.12.2 172.31.14.2 12366 12346
system-ip 10.4.0.1
local-color mpls
remote-color mpls
tunnel-mtu 1441
tx_pkts 303280
tx_octets 41280940
rx_pkts 303279
rx_octets 41280808
tcp-mss-adjust 1361
…
vEdge1# show omp tlocs
---------------------------------------------------
tloc entries for 10.3.0.1
mpls
ipsec
---------------------------------------------------
RECEIVED FROM:
peer 10.100.0.12
status C,I,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
attribute-type installed
encap-key not set
encap-proto 0
encap-spi 259
encap-auth sha1-hmac,ah-sha1-hmac
encap-encrypt aes256
public-ip 172.31.13.2
public-port 12346
private-ip 172.31.13.2
private-port 12346
public-ip ::
public-port 0
private-ip ::
private-port 0
bfd-status up
domain-id not set
site-id 3
overlay-id not set
preference 0
tag not set
stale not set
weight 1
version 3
gen-id 0x80000003
carrier default
restrict 1
groups [ 0 ]
border not set
unknown-attr-len not set
…
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Tunnel Group
Dual sites
Edit Feature template "vEdge_Dual_Site_VPN0_Int_G0/0_Template"
Edit Feature template "vEdge_Dual_Site_VPN0_Int_G0/1_Template"
vEdge2# show run vpn 0
vpn 0
…
interface ge0/0
description INET_Interface
ip address 192.1.2.2/24
tunnel-interface
encapsulation ipsec
group 1
color public-internet
allow-service all
!
no shutdown
!
interface ge0/1
description MPLS_Interface
ip address 172.31.12.2/24
tunnel-interface
encapsulation ipsec
group 2
color mpls
allow-service all
Single site
Edit Feature template "vEdge_VPN0_Int_G0/0_Template"
Edit Feature template "vEdge_VPN0_Int_G0/1_Template"
interface ge0/0
description INET_Interface
ip address 192.1.3.2/24
nat
refresh bi-directional
no block-icmp-error
respond-to-ping
natpool range-start 192.1.3.96 range-end 192.1.3.127
static source-ip 10.3.130.1 translate-ip 192.1.3.127 source-vpn 1
!
tunnel-interface
encapsulation ipsec
group 1
color public-internet
allow-service all
!
no shutdown
!
interface ge0/1
description MPLS_Interface
ip address 172.31.13.2/24
tunnel-interface
encapsulation ipsec
group 2
color mpls
allow-service all
MPLS Only Site
Edit Feature template "vEdge_MPLS_Only_VPN0_Int_G0/1_Template"
vEdge5# show run vpn 0
vpn 0
…
interface ge0/1
description MPLS_Interface
ip address 172.31.15.2/24
tunnel-interface
encapsulation ipsec
group 2
color mpls
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Hub and Spoke Topology - TLOC and Route
Create Centralized Policy
Choose Custom Control (Route & TLOC)
Preview
policy
control-policy Hub-and-Spokes
sequence 1
match tloc
site-list Hub
!
action accept
!
!
sequence 11
match route
site-list Hub
prefix-list _AnyIpv4PrefixList
!
action accept
!
!
default-action reject
!
lists
site-list Hub
site-id 12
!
site-list Spokes
site-id 3-5
!
prefix-list _AnyIpv4PrefixList
ip-prefix 0.0.0.0/0 le 32
!
!
!
apply-policy
site-list Spokes
control-policy Hub-and-Spokes out
!
!
Activate
vEdge3# show bfd sessions
SYSTEM-IP SITE-ID STATE SOURCE-TLOC-COLOR REMOTE-TLOC-COLOR SOURCE-IP DST-PUBLIC-IP DST-PUBLIC-PORT ENCAP DETECT-MULTIPLIER TX-INTERVAL(msec) UPTIME TRANSITIONS
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10.12.0.1 12 up mpls mpls 172.31.13.2 172.31.11.2 12346 ipsec 7 1000 0:04:00:48 8
10.12.0.1 12 up public-internet public-internet 192.1.3.2 192.1.1.2 12346 ipsec 7 1000 0:04:01:02 8
10.12.0.2 12 up mpls mpls 172.31.13.2 172.31.12.2 12366 ipsec 7 1000 9:20:50:03 0
10.12.0.2 12 up public-internet public-internet 192.1.3.2 192.1.2.2 12366 ipsec 7 1000 9:20:50:17 0
vEdge5# show bfd sessions
SYSTEM-IP SITE-ID STATE SOURCE-TLOC-COLOR REMOTE-TLOC-COLOR SOURCE-IP DST-PUBLIC-IP DST-PUBLIC-PORT ENCAP DETECT-MULTIPLIER TX-INTERVAL(msec) UPTIME TRANSITIONS
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10.12.0.1 12 up mpls mpls 172.31.15.2 172.31.11.2 12346 ipsec 7 1000 0:04:11:44 8
10.12.0.2 12 up mpls mpls 172.31.15.2 172.31.12.2 12366 ipsec 7 1000 9:21:02:45 0
vEdge3# show ip route vpn 1
Codes Proto-sub-type:
IA -> ospf-intra-area, IE -> ospf-inter-area,
E1 -> ospf-external1, E2 -> ospf-external2,
N1 -> ospf-nssa-external1, N2 -> ospf-nssa-external2,
e -> bgp-external, i -> bgp-internal
Codes Status flags:
F -> fib, S -> selected, I -> inactive,
B -> blackhole, R -> recursive
VPN PREFIX PROTOCOL PROTOCOL-SUB-TYPE NEXTHOP-IF-NAME NEXTHOP-ADDR NEXTHOP-VPN TLOC-IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 omp - - - - 10.12.0.1 mpls ipsec -
1 0.0.0.0/0 omp - - - - 10.12.0.1 public-internet ipsec -
1 0.0.0.0/0 omp - - - - 10.12.0.2 mpls ipsec -
1 0.0.0.0/0 omp - - - - 10.12.0.2 public-internet ipsec -
1 0.0.0.0/0 nat - ge0/0 - 0 - - - F,S
1 10.1.0.1/32 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.1.0.1/32 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 10.1.0.2/32 omp - - - - 10.12.0.2 mpls ipsec F,S
1 10.1.0.2/32 omp - - - - 10.12.0.2 public-internet ipsec F,S
1 10.1.0.16/32 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.1.0.16/32 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 10.1.0.16/32 omp - - - - 10.12.0.2 mpls ipsec F,S
1 10.1.0.16/32 omp - - - - 10.12.0.2 public-internet ipsec F,S
1 10.1.16.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.1.16.0/24 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 10.1.160.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.1.160.0/24 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 10.1.160.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
1 10.1.160.0/24 omp - - - - 10.12.0.2 public-internet ipsec F,S
1 10.2.16.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
1 10.2.16.0/24 omp - - - - 10.12.0.2 public-internet ipsec F,S
1 10.3.13.0/24 ospf IA ge0/4 - - - - - -
1 10.3.13.0/24 connected - ge0/4 - - - - - F,S
1 10.3.130.1/32 ospf IA ge0/4 10.3.13.2 - - - - F,S
1 10.5.6.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.5.6.0/24 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 10.5.6.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
1 10.5.6.0/24 omp - - - - 10.12.0.2 public-internet ipsec F,S
1 10.5.16.2/32 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.5.16.2/32 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 10.5.16.2/32 omp - - - - 10.12.0.2 mpls ipsec F,S
1 10.5.16.2/32 omp - - - - 10.12.0.2 public-internet ipsec F,S
1 13.13.13.13/32 ospf IA ge0/4 10.3.13.2 - - - - F,S
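The route table above is the evidence that the Hub-and-Spokes policy took effect: every OMP row points at a hub TLOC (10.12.0.1 or 10.12.0.2) and no spoke system IP appears as TLOC IP. The script below is an added example, not from the lab note or any Cisco tool; it parses `show ip route vpn` data rows like the ones above and flags any OMP route whose TLOC IP is outside the hub set. The hub set and the sample rows (a subset of the vEdge3 output plus one constructed spoke-to-spoke row) are assumptions made for the example.

```python
"""Hub-and-spoke compliance check for a spoke's `show ip route vpn N` output.

Added example, not part of the lab note or any Cisco tooling: it parses the
whitespace-separated data rows of the route table and reports every OMP route
whose TLOC IP is not a hub system IP. With a hub-and-spoke control policy in
effect, every OMP route on a spoke must resolve to a hub TLOC; a non-hub TLOC
means the policy is not applied (or a mesh topology is intentional).
"""
from __future__ import annotations

from dataclasses import dataclass

# Hub system IPs (site 12 in the lab): vEdge1 and vEdge2. Assumed for the example.
HUB_SYSTEM_IPS = frozenset({"10.12.0.1", "10.12.0.2"})

# Constructed sample: a subset of the vEdge3 rows, plus one row with a spoke
# TLOC (10.4.0.1, site 4) of the kind a mesh policy would install.
SAMPLE_ROUTE_TABLE = """\
VPN PREFIX PROTOCOL PROTOCOL-SUB-TYPE NEXTHOP-IF-NAME NEXTHOP-ADDR NEXTHOP-VPN TLOC-IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------
1 0.0.0.0/0 omp - - - - 10.12.0.1 mpls ipsec -
1 0.0.0.0/0 nat - ge0/0 - 0 - - - F,S
1 10.1.0.16/32 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.1.0.16/32 omp - - - - 10.12.0.2 public-internet ipsec F,S
1 10.3.13.0/24 connected - ge0/4 - - - - - F,S
1 10.3.130.1/32 ospf IA ge0/4 10.3.13.2 - - - - F,S
1 15.15.15.15/32 omp - - - - 10.4.0.1 mpls ipsec F,S
"""


@dataclass(frozen=True)
class Route:
    vpn: int
    prefix: str
    protocol: str
    sub_type: str
    if_name: str
    nexthop_addr: str
    nexthop_vpn: str
    tloc_ip: str
    color: str
    encap: str
    status: str

    @property
    def installed(self) -> bool:
        """F = in the FIB, S = selected; the OMP default routes above carry neither."""
        flags = set(self.status.split(","))
        return "F" in flags and "S" in flags


def parse_route_table(text: str) -> list[Route]:
    """Keep only the 11-column data rows; headers, rulers and blank lines are skipped."""
    routes: list[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 11 or not fields[0].isdigit():
            continue
        routes.append(Route(int(fields[0]), *fields[1:]))
    return routes


def non_hub_omp_routes(routes: list[Route], hubs: frozenset[str]) -> list[Route]:
    """OMP routes whose next-hop TLOC is a spoke, i.e. direct spoke-to-spoke paths."""
    return [r for r in routes if r.protocol == "omp" and r.tloc_ip not in hubs]


def hub_and_spoke_report(text: str, hubs: frozenset[str] = HUB_SYSTEM_IPS) -> dict:
    """Summarise the table and list (prefix, tloc, color) triples that break the topology."""
    routes = parse_route_table(text)
    omp = [r for r in routes if r.protocol == "omp"]
    bad = non_hub_omp_routes(routes, hubs)
    return {
        "routes": len(routes),
        "omp_paths": len(omp),
        "installed_omp_paths": sum(1 for r in omp if r.installed),
        "violations": sorted({(r.prefix, r.tloc_ip, r.color) for r in bad}),
        "compliant": not bad,
    }


if __name__ == "__main__":
    for key, value in hub_and_spoke_report(SAMPLE_ROUTE_TABLE).items():
        print(f"{key}: {value}")
```

Run it against the real vEdge3 output above and `violations` is empty; the constructed 15.15.15.15/32 row via 10.4.0.1 is what the check is meant to surface once a mesh policy is activated later in the note.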
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Hub Spoke & Spoke to Spoke Communications
Creating TLOC LIST
Send advertisements to spoke sites
Activate
vEdge3# show bfd sessions
SYSTEM-IP SITE-ID STATE SOURCE-TLOC-COLOR REMOTE-TLOC-COLOR SOURCE-IP DST-PUBLIC-IP DST-PUBLIC-PORT ENCAP DETECT-MULTIPLIER TX-INTERVAL(msec) UPTIME TRANSITIONS
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10.12.0.1 12 up mpls mpls 172.31.13.2 172.31.11.2 12346 ipsec 7 1000 0:06:05:28 8
10.12.0.1 12 up public-internet public-internet 192.1.3.2 192.1.1.2 12346 ipsec 7 1000 0:06:05:42 8
10.12.0.2 12 up mpls mpls 172.31.13.2 172.31.12.2 12366 ipsec 7 1000 9:22:54:43 0
10.12.0.2 12 up public-internet public-internet 192.1.3.2 192.1.2.2 12366 ipsec 7 1000 9:22:54:57 0
Show ip
vEdge3# show ip route vpn 1
Codes Proto-sub-type:
IA -> ospf-intra-area, IE -> ospf-inter-area,
E1 -> ospf-external1, E2 -> ospf-external2,
N1 -> ospf-nssa-external1, N2 -> ospf-nssa-external2,
e -> bgp-external, i -> bgp-internal
Codes Status flags:
F -> fib, S -> selected, I -> inactive,
B -> blackhole, R -> recursive
VPN PREFIX PROTOCOL PROTOCOL-SUB-TYPE NEXTHOP-IF-NAME NEXTHOP-ADDR NEXTHOP-VPN TLOC-IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 omp - - - - 10.12.0.1 mpls ipsec -
1 0.0.0.0/0 omp - - - - 10.12.0.1 public-internet ipsec -
1 0.0.0.0/0 omp - - - - 10.12.0.2 mpls ipsec -
1 0.0.0.0/0 omp - - - - 10.12.0.2 public-internet ipsec -
1 0.0.0.0/0 nat - ge0/0 - 0 - - - F,S
1 10.1.0.1/32 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.1.0.1/32 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 10.1.0.2/32 omp - - - - 10.12.0.2 mpls ipsec F,S
1 10.1.0.2/32 omp - - - - 10.12.0.2 public-internet ipsec F,S
1 10.1.0.16/32 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.1.0.16/32 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 10.1.0.16/32 omp - - - - 10.12.0.2 mpls ipsec F,S
1 10.1.0.16/32 omp - - - - 10.12.0.2 public-internet ipsec F,S
1 10.1.16.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.1.16.0/24 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 10.1.160.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.1.160.0/24 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 10.1.160.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
1 10.1.160.0/24 omp - - - - 10.12.0.2 public-internet ipsec F,S
1 10.2.16.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
1 10.2.16.0/24 omp - - - - 10.12.0.2 public-internet ipsec F,S
1 10.3.13.0/24 ospf IA ge0/4 - - - - - -
1 10.3.13.0/24 connected - ge0/4 - - - - - F,S
1 10.3.130.1/32 ospf IA ge0/4 10.3.13.2 - - - - F,S
1 10.4.15.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.4.15.0/24 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 10.4.15.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
1 10.4.15.0/24 omp - - - - 10.12.0.2 public-internet ipsec F,S
1 10.4.150.1/32 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.4.150.1/32 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 10.4.150.1/32 omp - - - - 10.12.0.2 mpls ipsec F,S
1 10.4.150.1/32 omp - - - - 10.12.0.2 public-internet ipsec F,S
1 10.5.6.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.5.6.0/24 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 10.5.6.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
1 10.5.6.0/24 omp - - - - 10.12.0.2 public-internet ipsec F,S
1 10.5.14.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.5.14.0/24 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 10.5.14.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
1 10.5.14.0/24 omp - - - - 10.12.0.2 public-internet ipsec F,S
1 10.5.16.2/32 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.5.16.2/32 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 10.5.16.2/32 omp - - - - 10.12.0.2 mpls ipsec F,S
1 10.5.16.2/32 omp - - - - 10.12.0.2 public-internet ipsec F,S
1 10.5.140.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.5.140.0/24 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 10.5.140.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
1 10.5.140.0/24 omp - - - - 10.12.0.2 public-internet ipsec F,S
1 10.5.140.1/32 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.5.140.1/32 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 10.5.140.1/32 omp - - - - 10.12.0.2 mpls ipsec F,S
1 10.5.140.1/32 omp - - - - 10.12.0.2 public-internet ipsec F,S
1 13.13.13.13/32 ospf IA ge0/4 10.3.13.2 - - - - F,S
1 14.14.14.14/32 omp - - - - 10.12.0.1 mpls ipsec F,S
1 14.14.14.14/32 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 14.14.14.14/32 omp - - - - 10.12.0.2 mpls ipsec F,S
1 14.14.14.14/32 omp - - - - 10.12.0.2 public-internet ipsec F,S
1 15.15.15.15/32 omp - - - - 10.12.0.1 mpls ipsec F,S
1 15.15.15.15/32 omp - - - - 10.12.0.1 public-internet ipsec F,S
1 15.15.15.15/32 omp - - - - 10.12.0.2 mpls ipsec F,S
1 15.15.15.15/32 omp - - - - 10.12.0.2 public-internet ipsec F,S
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Traffic Engineering - TLOC Preference
TLOC Sequence
Route Sequence
POLICY TOPOLOGY
vEdge3# show ip route vpn 1 10.1.0.16
VPN PREFIX PROTOCOL PROTOCOL-SUB-TYPE NEXTHOP-IF-NAME NEXTHOP-ADDR NEXTHOP-VPN TLOC-IP COLOR ENCAP STATUS
------------------------------------------------------------------------------------------------------------------------------
1 10.1.0.16/32 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.1.0.16/32 omp - - - - 10.12.0.1 public-internet ipsec F,S
vEdge3# show omp tlocs ip 10.12.0.1
---------------------------------------------------
tloc entries for 10.12.0.1
mpls
ipsec
---------------------------------------------------
RECEIVED FROM:
peer 10.100.0.12
…
preference 10
…
---------------------------------------------------
tloc entries for 10.12.0.1
public-internet
ipsec
---------------------------------------------------
RECEIVED FROM:
peer 10.100.0.12
…
preference 10
…
vEdge3# show omp tlocs ip 10.12.0.2
---------------------------------------------------
tloc entries for 10.12.0.2
mpls
ipsec
---------------------------------------------------
RECEIVED FROM:
peer 10.100.0.12
…
preference 0
---------------------------------------------------
tloc entries for 10.12.0.2
public-internet
ipsec
---------------------------------------------------
RECEIVED FROM:
peer 10.100.0.12
…
preference 0
PS. You can also configure the preference here.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Preferring tloc/site/vedge for default routes
vEdge1, vEdge2 TLOCS
Prefix
Topology
Policy 1
Policy 2
Activate
vEdge3# show bfd sessions
SYSTEM-IP SITE-ID STATE SOURCE-TLOC-COLOR REMOTE-TLOC-COLOR SOURCE-IP DST-PUBLIC-IP DST-PUBLIC-PORT ENCAP DETECT-MULTIPLIER TX-INTERVAL(msec) UPTIME TRANSITIONS
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10.12.0.1 12 up mpls mpls 172.31.13.2 172.31.11.2 12346 ipsec 7 1000 0:02:59:38 3
10.12.0.1 12 up public-internet public-internet 192.1.3.2 192.1.1.2 12346 ipsec 7 1000 0:02:59:52 3
10.12.0.2 12 up mpls mpls 172.31.13.2 172.31.12.2 12366 ipsec 7 1000 2:22:51:15 0
10.12.0.2 12 up public-internet public-internet 192.1.3.2 192.1.2.2 12366 ipsec 7 1000 2:22:51:15 0
vEdge3# show ip route vpn 1 0.0.0.0
VPN PREFIX PROTOCOL PROTOCOL-SUB-TYPE NEXTHOP-IF-NAME NEXTHOP-ADDR NEXTHOP-VPN TLOC-IP COLOR ENCAP STATUS
------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 omp - - - - 10.12.0.1 mpls ipsec F,S
1 0.0.0.0/0 omp - - - - 10.12.0.1 public-internet ipsec F,S
vEdge3# show omp routes vpn 1 0.0.0.0/0
---------------------------------------------------
omp route entries for vpn 1 route 0.0.0.0/0
---------------------------------------------------
RECEIVED FROM:
peer 10.100.0.12
path-id 1590
label 1003
status R
loss-reason preference
lost-to-peer 10.100.0.12
lost-to-path-id 1727
Attributes:
originator 10.12.0.2
type installed
tloc 10.12.0.2, mpls, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 12
preference not set
tag not set
origin-proto OSPF-external-2
origin-metric 1
as-path not set
unknown-attr-len not set
RECEIVED FROM:
peer 10.100.0.12
path-id 1591
label 1003
status R
loss-reason preference
lost-to-peer 10.100.0.12
lost-to-path-id 1727
Attributes:
originator 10.12.0.2
type installed
tloc 10.12.0.2, public-internet, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 12
preference not set
tag not set
origin-proto OSPF-external-2
origin-metric 1
as-path not set
unknown-attr-len not set
RECEIVED FROM:
peer 10.100.0.12
path-id 1727
label 1003
status C,I,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
originator 10.12.0.1
type installed
tloc 10.12.0.1, public-internet, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 12
preference 100
tag not set
origin-proto OSPF-external-2
origin-metric 1
as-path not set
unknown-attr-len not set
RECEIVED FROM:
peer 10.100.0.12
path-id 1738
label 1003
status C,I,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
originator 10.12.0.1
type installed
tloc 10.12.0.1, mpls, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 12
preference 100
tag not set
origin-proto OSPF-external-2
origin-metric 1
as-path not set
unknown-attr-len not set
vEdge5# show ip route vpn 1 0.0.0.0
VPN PREFIX PROTOCOL PROTOCOL-SUB-TYPE NEXTHOP-IF-NAME NEXTHOP-ADDR NEXTHOP-VPN TLOC-IP COLOR ENCAP STATUS
------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 omp - - - - 10.12.0.2 mpls ipsec F,S
vEdge5# show omp routes vpn 1 0.0.0.0/0
---------------------------------------------------
omp route entries for vpn 1 route 0.0.0.0/0
---------------------------------------------------
RECEIVED FROM:
peer 10.100.0.12
path-id 1546
label 1003
status C,I,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
originator 10.12.0.2
type installed
tloc 10.12.0.2, mpls, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 12
preference 100
tag not set
origin-proto OSPF-external-2
origin-metric 1
as-path not set
unknown-attr-len not set
RECEIVED FROM:
peer 10.100.0.12
path-id 1547
label 1003
status Inv,U
loss-reason invalid
lost-to-peer 10.100.0.12
lost-to-path-id 1699
Attributes:
originator 10.12.0.2
type installed
tloc 10.12.0.2, public-internet, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 12
preference 100
tag not set
origin-proto OSPF-external-2
origin-metric 1
as-path not set
unknown-attr-len not set
RECEIVED FROM:
peer 10.100.0.12
path-id 1688
label 1003
status Inv,U
loss-reason preference
lost-to-peer 10.100.0.12
lost-to-path-id 1547
Attributes:
originator 10.12.0.1
type installed
tloc 10.12.0.1, public-internet, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 12
preference not set
tag not set
origin-proto OSPF-external-2
origin-metric 1
as-path not set
unknown-attr-len not set
RECEIVED FROM:
peer 10.100.0.12
path-id 1699
label 1003
status R
loss-reason preference
lost-to-peer 10.100.0.12
lost-to-path-id 1546
Attributes:
originator 10.12.0.1
type installed
tloc 10.12.0.1, mpls, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 12
preference not set
tag not set
origin-proto OSPF-external-2
origin-metric 1
as-path not set
unknown-attr-len not set
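The two `show omp routes` captures above show the selection logic at work: on vEdge3 both vEdge1 paths carry preference 100 and are chosen together (C), while the vEdge2 paths lose with `loss-reason preference`; on the MPLS-only vEdge5 the public-internet paths are `Inv,U` (no tunnel for that color) and only the mpls path with preference 100 is chosen. The script below is an added example, not from the lab note or Cisco; it parses RECEIVED FROM blocks like the ones above and recomputes which path-ids should carry the C flag from those two criteria alone (reachability, then highest route preference). The samples are abridged copies of the captures above, reduced to the attributes read; that the rest of the OMP tie-break chain (TLOC preference, origin protocol, metric) plays no role for these routes is an assumption.

```python
"""Reproduce the preference-based OMP path selection seen in `show omp routes`.

Added example, not from the lab note or Cisco: parses RECEIVED FROM blocks into
dicts and recomputes which path-ids should be chosen (C) from two criteria:
an Inv path (TLOC with no usable tunnel, e.g. public-internet on the MPLS-only
vEdge5) never wins, and among the rest the highest route preference wins, with
equal-preference paths installed together. The longer OMP tie-break chain is
assumed not to matter for these routes.
"""
from __future__ import annotations

# Constructed samples, abridged from the vEdge5 and vEdge3 captures to the
# attributes this example reads.
VEDGE5_DEFAULT_ROUTE = """\
omp route entries for vpn 1 route 0.0.0.0/0
---------------------------------------------------
RECEIVED FROM:
path-id 1546
status C,I,R
loss-reason not set
Attributes:
tloc 10.12.0.2, mpls, ipsec
preference 100
RECEIVED FROM:
path-id 1547
status Inv,U
loss-reason invalid
Attributes:
tloc 10.12.0.2, public-internet, ipsec
preference 100
RECEIVED FROM:
path-id 1688
status Inv,U
loss-reason preference
Attributes:
tloc 10.12.0.1, public-internet, ipsec
preference not set
RECEIVED FROM:
path-id 1699
status R
loss-reason preference
Attributes:
tloc 10.12.0.1, mpls, ipsec
preference not set
"""

VEDGE3_DEFAULT_ROUTE = """\
RECEIVED FROM:
path-id 1590
status R
tloc 10.12.0.2, mpls, ipsec
preference not set
RECEIVED FROM:
path-id 1727
status C,I,R
tloc 10.12.0.1, public-internet, ipsec
preference 100
RECEIVED FROM:
path-id 1738
status C,I,R
tloc 10.12.0.1, mpls, ipsec
preference 100
"""


def parse_omp_routes(text: str) -> list[dict[str, str]]:
    """One dict per RECEIVED FROM block; each 'key value' line becomes an entry."""
    paths: list[dict[str, str]] = []
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "RECEIVED FROM:":
            current = {}
            paths.append(current)
            continue
        # Skip the route banner, rulers and the 'Attributes:' sub-heading.
        if current is None or not line or line.startswith("-") or line.endswith(":"):
            continue
        key, _, value = line.partition(" ")
        current[key] = value.strip()
    return paths


def preference(path: dict[str, str]) -> int:
    """'preference not set' behaves as 0, so any configured value beats it."""
    value = path.get("preference", "not set")
    return 0 if value == "not set" else int(value)


def reachable(path: dict[str, str]) -> bool:
    """Inv marks a path whose TLOC the router has no tunnel to."""
    return "Inv" not in path["status"].split(",")


def expected_chosen(paths: list[dict[str, str]]) -> set[str]:
    """Path-ids that should be chosen: reachable paths at the highest preference."""
    valid = [p for p in paths if reachable(p)]
    if not valid:
        return set()
    best = max(preference(p) for p in valid)
    return {p["path-id"] for p in valid if preference(p) == best}


def device_chosen(paths: list[dict[str, str]]) -> set[str]:
    """Path-ids the device itself flagged C (chosen)."""
    return {p["path-id"] for p in paths if "C" in p["status"].split(",")}


def selection_matches(text: str) -> bool:
    """True when the recomputed choice agrees with the device's C flags."""
    paths = parse_omp_routes(text)
    return expected_chosen(paths) == device_chosen(paths)
```

A disagreement between `expected_chosen` and `device_chosen` on a real capture means one of the criteria not modelled here decided the route, which is exactly the case worth reading the full attribute list for.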
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Regional Mesh Network
Sites for branches-34 and branches-5
TLOCS
Topology-Branches-34
tloc
routes
Topology-Branches-5
tlocs
Routes
vEdge3# show bfd sessions
SYSTEM-IP SITE-ID STATE SOURCE-TLOC-COLOR REMOTE-TLOC-COLOR SOURCE-IP DST-PUBLIC-IP DST-PUBLIC-PORT ENCAP DETECT-MULTIPLIER TX-INTERVAL(msec) UPTIME TRANSITIONS
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10.4.0.1 4 up mpls mpls 172.31.13.2 172.31.14.2 12386 ipsec 7 1000 0:01:27:31 0
10.4.0.1 4 up public-internet public-internet 192.1.3.2 192.1.4.2 12386 ipsec 7 1000 0:01:27:31 0
10.12.0.1 12 up mpls mpls 172.31.13.2 172.31.11.2 12346 ipsec 7 1000 0:00:10:31 0
10.12.0.1 12 down public-internet public-internet 192.1.3.2 192.1.1.2 12346 ipsec 7 1000 NA 1
10.12.0.2 12 up mpls mpls 172.31.13.2 172.31.12.2 12386 ipsec 7 1000 0:01:29:01 0
10.12.0.2 12 up public-internet public-internet 192.1.3.2 192.1.2.2 12386 ipsec 7 1000 0:01:29:01 0
vEdge3# show ip route vpn 1 15.15.15.15
VPN PREFIX PROTOCOL PROTOCOL-SUB-TYPE NEXTHOP-IF-NAME NEXTHOP-ADDR NEXTHOP-VPN TLOC-IP COLOR ENCAP STATUS
------------------------------------------------------------------------------------------------------------------------------
1 15.15.15.15/32 omp - - - - 10.4.0.1 mpls ipsec F,S
1 15.15.15.15/32 omp - - - - 10.4.0.1 public-internet ipsec F,S
vEdge3# show ip route vpn 1 14.14.14.14
VPN PREFIX PROTOCOL PROTOCOL-SUB-TYPE NEXTHOP-IF-NAME NEXTHOP-ADDR NEXTHOP-VPN TLOC-IP COLOR ENCAP STATUS
------------------------------------------------------------------------------------------------------------------------------
1 14.14.14.14/32 omp - - - - 10.12.0.1 mpls ipsec F,S
vEdge5# show bfd sessions
SYSTEM-IP SITE-ID STATE SOURCE-TLOC-COLOR REMOTE-TLOC-COLOR SOURCE-IP DST-PUBLIC-IP DST-PUBLIC-PORT ENCAP DETECT-MULTIPLIER TX-INTERVAL(msec) UPTIME TRANSITIONS
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10.12.0.1 12 up mpls mpls 172.31.15.2 172.31.11.2 12346 ipsec 7 1000 0:00:17:20 0
10.12.0.2 12 up mpls mpls 172.31.15.2 172.31.12.2 12386 ipsec 7 1000 0:01:35:50 0
vEdge5# show ip route vpn 1 10.1.0.16
VPN PREFIX PROTOCOL PROTOCOL-SUB-TYPE NEXTHOP-IF-NAME NEXTHOP-ADDR NEXTHOP-VPN TLOC-IP COLOR ENCAP STATUS
------------------------------------------------------------------------------------------------------------------------------
1 10.1.0.16/32 omp - - - - 10.12.0.2 mpls ipsec F,S
vEdge5# show ip route vpn 1 15.15.15.15
VPN PREFIX PROTOCOL PROTOCOL-SUB-TYPE NEXTHOP-IF-NAME NEXTHOP-ADDR NEXTHOP-VPN TLOC-IP COLOR ENCAP STATUS
------------------------------------------------------------------------------------------------------------------------------
1 15.15.15.15/32 omp - - - - 10.12.0.2 mpls ipsec F,S
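The BFD tables above are the quickest way to confirm a topology policy: site 3 now holds sessions to site 4 (the regional mesh) and to the hub, while the MPLS-only site 5 holds sessions to the hub only, and one hub session on vEdge3 is `down` with a transition count of 1. The script below is an added example, not from the lab note or Cisco tooling; it parses `show bfd sessions` rows like those above, lists down and flapped sessions, and compares the remote sites seen against an intended-topology map. The `ALLOWED_REMOTE_SITES` map and the sample rows (copied from the vEdge3 capture above) are assumptions made for the example.

```python
"""Check `show bfd sessions` output against the intended overlay topology.

Added example, not from the lab note or Cisco tooling: parses the 13-column
data rows, reports sessions that are down (no data-plane tunnel to that TLOC)
or have flapped, and compares the remote sites that actually hold sessions with
the sites the control policy is meant to allow. A site outside the allowed set
means the policy is not filtering TLOCs as intended; a missing site means a
tunnel the design expects has not come up.
"""
from __future__ import annotations

from collections import namedtuple

BfdSession = namedtuple(
    "BfdSession",
    "system_ip site_id state source_color remote_color source_ip dst_public_ip "
    "dst_public_port encap detect_multiplier tx_interval_ms uptime transitions",
)

# Intended topology (assumed for this example): remote sites each spoke may hold
# tunnels with. Site 12 is the hub; sites 3 and 4 form a regional mesh.
ALLOWED_REMOTE_SITES = {3: {4, 12}, 4: {3, 12}, 5: {12}}

# Constructed sample: the vEdge3 rows after the mesh policy, including the
# public-internet session to 10.12.0.1 that is down.
VEDGE3_BFD = """\
SYSTEM-IP SITE-ID STATE SOURCE-TLOC-COLOR REMOTE-TLOC-COLOR SOURCE-IP DST-PUBLIC-IP DST-PUBLIC-PORT ENCAP DETECT-MULTIPLIER TX-INTERVAL(msec) UPTIME TRANSITIONS
10.4.0.1 4 up mpls mpls 172.31.13.2 172.31.14.2 12386 ipsec 7 1000 0:01:27:31 0
10.4.0.1 4 up public-internet public-internet 192.1.3.2 192.1.4.2 12386 ipsec 7 1000 0:01:27:31 0
10.12.0.1 12 up mpls mpls 172.31.13.2 172.31.11.2 12346 ipsec 7 1000 0:00:10:31 0
10.12.0.1 12 down public-internet public-internet 192.1.3.2 192.1.1.2 12346 ipsec 7 1000 NA 1
10.12.0.2 12 up mpls mpls 172.31.13.2 172.31.12.2 12386 ipsec 7 1000 0:01:29:01 0
10.12.0.2 12 up public-internet public-internet 192.1.3.2 192.1.2.2 12386 ipsec 7 1000 0:01:29:01 0
"""


def parse_bfd_sessions(text: str) -> list[BfdSession]:
    """Data rows have 13 columns and 'up'/'down' in the STATE column; skip the rest."""
    sessions: list[BfdSession] = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 13 or f[2] not in ("up", "down"):
            continue
        sessions.append(BfdSession(f[0], int(f[1]), f[2], f[3], f[4], f[5], f[6],
                                   int(f[7]), f[8], int(f[9]), int(f[10]), f[11], int(f[12])))
    return sessions


def down_sessions(sessions: list[BfdSession]) -> list[tuple[str, str]]:
    """(system-ip, color) of every session that is not up."""
    return [(s.system_ip, s.source_color) for s in sessions if s.state != "up"]


def flapped_sessions(sessions: list[BfdSession]) -> list[tuple[str, str, int]]:
    """Sessions whose TRANSITIONS counter is non-zero since the last clear."""
    return [(s.system_ip, s.source_color, s.transitions) for s in sessions if s.transitions > 0]


def topology_check(local_site: int, sessions: list[BfdSession],
                   allowed: dict[int, set[int]] = ALLOWED_REMOTE_SITES) -> tuple[list[int], list[int]]:
    """Return (unexpected_sites, missing_sites) for this spoke versus the design."""
    seen = {s.site_id for s in sessions}
    want = allowed[local_site]
    return sorted(seen - want), sorted(want - seen)


def bfd_report(local_site: int, text: str) -> dict:
    sessions = parse_bfd_sessions(text)
    unexpected, missing = topology_check(local_site, sessions)
    return {
        "sessions": len(sessions),
        "down": down_sessions(sessions),
        "flapped": flapped_sessions(sessions),
        "unexpected_sites": unexpected,
        "missing_sites": missing,
    }


if __name__ == "__main__":
    print(bfd_report(3, VEDGE3_BFD))
```

Feeding the same rows in as if they came from site 5 makes the topology check report site 4 as unexpected, which is how a mis-scoped site-list in the mesh policy would show up.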
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Enforcing Security Perimeters with Service Insertion
Sites
B2B-TO-DC
Direction
Activate
vEdge3# show ip route vpn 100
VPN PREFIX PROTOCOL PROTOCOL-SUB-TYPE NEXTHOP-IF-NAME NEXTHOP-ADDR NEXTHOP-VPN TLOC-IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
100 10.1.70.7/32 omp - - - - 10.12.0.1 mpls ipsec F,S
100 10.1.70.7/32 omp - - - - 10.12.0.2 mpls ipsec F,S
100 10.1.70.7/32 omp - - - - 10.12.0.2 public-internet ipsec F,S
100 10.1.100.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
100 10.1.102.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
100 10.1.102.0/24 omp - - - - 10.12.0.2 public-internet ipsec F,S
100 10.3.100.0/24 ospf IA ge0/2 - - - - - -
100 10.3.100.0/24 connected - ge0/2 - - - - - F,S
100 10.4.100.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
100 10.4.100.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
100 10.4.100.0/24 omp - - - - 10.12.0.2 public-internet ipsec F,S
100 10.5.100.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
100 10.5.100.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
100 10.5.100.0/24 omp - - - - 10.12.0.2 public-internet ipsec F,S
vEdge5# show ip route vpn 100
VPN PREFIX PROTOCOL PROTOCOL-SUB-TYPE NEXTHOP-IF-NAME NEXTHOP-ADDR NEXTHOP-VPN TLOC-IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
100 10.1.70.7/32 omp - - - - 10.12.0.1 mpls ipsec F,S
100 10.1.70.7/32 omp - - - - 10.12.0.2 mpls ipsec F,S
100 10.1.100.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
100 10.1.102.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
100 10.3.100.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
100 10.3.100.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
100 10.4.100.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
100 10.4.100.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
100 10.5.100.0/24 ospf IA ge0/2 - - - - - -
100 10.5.100.0/24 connected - ge0/2 - - - - - F,S
vEdge5# traceroute vpn 100 10.3.100.1
Traceroute 10.3.100.1 in VPN 100
traceroute to 10.3.100.1 (10.3.100.1), 30 hops max, 60 byte packets
1 10.1.102.1 (10.1.102.1) 83.003 ms 67.233 ms 67.232 ms
2 10.3.100.1 (10.3.100.1) 87.949 ms 87.958 ms 87.960 ms
Edit feature template "vEdge_Dual_Site_VPN100_Template"
Update the vEdge1 and vEdge2 IP addresses in VPN 100
vSmart# show omp services service FW
ADDRESS-FAMILY VPN SERVICE ORIGINATOR FROM-PEER PATH-ID LABEL STATUS
--------------------------------------------------------------------------------
ipv4 100 FW 10.12.0.1 10.12.0.1 66 1006 C,I,R
10.12.0.1 69 1006 C,I,R
100 FW 10.12.0.2 10.12.0.2 66 1006 C,I,R
10.12.0.2 69 1006 C,I,R
vEdge1# show omp services service FW
ADDRESS-FAMILY VPN SERVICE ORIGINATOR FROM-PEER PATH-ID LABEL STATUS
--------------------------------------------------------------------------------
ipv4 100 FW 10.12.0.1 0.0.0.0 66 1006 C,Red,R
0.0.0.0 69 1006 C,Red,R
Edit Topology "B2B-TO-DC" and rename it to "B2B-TO-DC-FW"
vEdge5# show omp routes vpn 100 10.3.100.0/24 received detail
RECEIVED FROM:
peer 10.100.0.12
path-id 599
label 1006
status C,I,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
originator 10.3.0.1
type installed
tloc 10.12.0.2, mpls, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 3
preference not set
tag not set
origin-proto connected
origin-metric 0
as-path not set
unknown-attr-len not set
vEdge3# show omp routes vpn 100 10.5.100.0/24 received
RECEIVED FROM:
peer 10.100.0.12
path-id 553
label 1006
status C,I,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
originator 10.5.0.1
type installed
tloc 10.12.0.2, mpls, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 5
preference not set
tag not set
origin-proto connected
origin-metric 0
as-path not set
unknown-attr-len not set
vEdge5# show ip route vpn 100
VPN PREFIX PROTOCOL PROTOCOL-SUB-TYPE NEXTHOP-IF-NAME NEXTHOP-ADDR NEXTHOP-VPN TLOC-IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
100 10.1.70.7/32 omp - - - - 10.12.0.1 mpls ipsec F,S
100 10.1.70.7/32 omp - - - - 10.12.0.2 mpls ipsec F,S
100 10.1.100.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
100 10.1.102.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
100 10.3.100.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
100 10.4.100.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
100 10.5.100.0/24 ospf IA ge0/2 - - - - - -
100 10.5.100.0/24 connected - ge0/2 - - - -
DC routes are assigned label 1004
vEdge5# show omp routes vpn 100 10.1.100.0/24
---------------------------------------------------
omp route entries for vpn 100 route 10.1.100.0/24
---------------------------------------------------
RECEIVED FROM:
peer 10.100.0.12
path-id 621
label 1004
status Inv,U
loss-reason invalid
lost-to-peer 10.100.0.12
lost-to-path-id 630
Attributes:
originator 10.12.0.1
type installed
tloc 10.12.0.1, public-internet, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 12
preference not set
tag not set
origin-proto connected
origin-metric 0
as-path not set
unknown-attr-len not set
RECEIVED FROM:
peer 10.100.0.12
path-id 630
label 1004
status C,I,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
originator 10.12.0.1
type installed
tloc 10.12.0.1, mpls, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 12
preference not set
tag not set
origin-proto connected
origin-metric 0
as-path not set
unknown-attr-len not set
IOS14#traceroute vrf VPN100 10.3.100.1 source g0/0 numeric
Type escape sequence to abort.
Tracing the route to 10.3.100.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.5.100.1 10 msec 21 msec 22 msec
2 10.1.102.1 50 msec 48 msec 50 msec
3 10.1.102.2 32 msec 44 msec 61 msec <-- service FW
4 10.1.102.1 91 msec 91 msec 98 msec
5 10.3.100.1 159 msec 132 msec 152 msec
vSmart# show running-config policy
policy
lists
site-list Branch345
site-id 3
site-id 4
site-id 5
!
site-list Hub
site-id 12
!
prefix-list _AnyIpv4PrefixList
ip-prefix 0.0.0.0/0 le 32
!
!
control-policy B2B-TO-DC-FW
sequence 1
match tloc
site-list Hub
!
action accept
!
!
sequence 11
match route
prefix-list _AnyIpv4PrefixList
site-list Hub
!
action accept
!
!
sequence 21
match route
prefix-list _AnyIpv4PrefixList
site-list Branch345
!
action accept
set
service FW vpn 100
service tloc 10.12.0.2 color mpls encap ipsec
!
!
!
default-action reject
!
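A constructed model of how vSmart evaluates the B2B-TO-DC-FW control policy above (added example, not Cisco/Viptela code): sequences are tried in order, the first match wins, branch TLOCs fall through to default-action reject, and branch routes are rewritten to carry the FW service at the hub, which is why the traceroute passes through the service firewall.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Added example, not Cisco/Viptela code: a constructed model of the vSmart
# control policy B2B-TO-DC-FW from the lab note. Sequences are tried in order,
# the first match wins, and anything unmatched hits default-action reject.

SITE_LISTS = {"Hub": {12}, "Branch345": {3, 4, 5}}
ANY_IPV4 = ipaddress.ip_network("0.0.0.0/0")  # prefix-list _AnyIpv4PrefixList, le 32


@dataclass(frozen=True)
class Tloc:
    site: int
    system_ip: str
    color: str
    encap: str = "ipsec"


@dataclass(frozen=True)
class Route:
    vpn: int
    prefix: str
    site: int
    tloc: Tloc
    service: Optional[str] = None        # set service FW vpn 100
    service_vpn: Optional[int] = None
    service_tloc: Optional[Tloc] = None  # set service tloc 10.12.0.2 color mpls


def set_service_fw(route: Route) -> Route:
    """sequence 21: steer the route through the FW service hosted at the hub."""
    return replace(route, service="FW", service_vpn=100,
                   service_tloc=Tloc(12, "10.12.0.2", "mpls", "ipsec"))


# (sequence, match kind, site-list, set-function applied on accept)
B2B_TO_DC_FW = [
    (1, "tloc", "Hub", None),
    (11, "route", "Hub", None),
    (21, "route", "Branch345", set_service_fw),
]


def matches(seq_kind: str, site_list: str, obj) -> bool:
    kind = "tloc" if isinstance(obj, Tloc) else "route"
    if kind != seq_kind or obj.site not in SITE_LISTS[site_list]:
        return False
    if kind == "route":  # _AnyIpv4PrefixList covers every IPv4 prefix
        return ipaddress.ip_network(obj.prefix).subnet_of(ANY_IPV4)
    return True


def evaluate(obj, policy=B2B_TO_DC_FW):
    """Return (sequence, 'accept', advertised object) or (None, 'reject', None)."""
    for seq, seq_kind, site_list, setter in policy:
        if matches(seq_kind, site_list, obj):
            return seq, "accept", (setter(obj) if setter else obj)
    return None, "reject", None


if __name__ == "__main__":
    hub = Tloc(12, "10.12.0.2", "mpls")
    br3 = Tloc(3, "10.3.0.1", "mpls")
    for obj in (hub, br3,
                Route(100, "10.1.100.0/24", 12, hub),
                Route(100, "10.3.100.0/24", 3, br3)):
        print(evaluate(obj))
```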
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Isolating Guest Users from the Corporate WAN
Create new centralized policy
Activate
vEdge3# show ip route vpn 100
Codes Proto-sub-type:
IA -> ospf-intra-area, IE -> ospf-inter-area,
E1 -> ospf-external1, E2 -> ospf-external2,
N1 -> ospf-nssa-external1, N2 -> ospf-nssa-external2,
e -> bgp-external, i -> bgp-internal
Codes Status flags:
F -> fib, S -> selected, I -> inactive,
B -> blackhole, R -> recursive
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
100 10.1.70.7/32 omp - - - - 10.12.0.1 mpls ipsec F,S
100 10.1.70.7/32 omp - - - - 10.12.0.2 mpls ipsec F,S
100 10.1.70.7/32 omp - - - - 10.12.0.2 public-internet ipsec F,S
100 10.1.100.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
100 10.1.102.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
100 10.1.102.0/24 omp - - - - 10.12.0.2 public-internet ipsec F,S
100 10.3.100.0/24 ospf IA ge0/2 - - - - - -
100 10.3.100.0/24 connected - ge0/2 - - - - - F,S
100 10.4.100.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
100 10.4.100.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
100 10.4.100.0/24 omp - - - - 10.12.0.2 public-internet ipsec F,S
100 10.5.100.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
100 10.5.100.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
100 10.5.100.0/24 omp - - - - 10.12.0.2 public-internet ipsec F,S
vEdge3# show ip route vpn 101
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
101 10.3.101.0/24 ospf IA ge0/3 - - - - - -
101 10.3.101.0/24 connected - ge0/3 - - - - - F,S
vEdge3# show ip route vpn 1
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
1 10.3.13.0/24 ospf IA ge0/4 - - - - - -
1 10.3.13.0/24 connected - ge0/4 - - - - - F,S
1 10.3.130.1/32 ospf IA ge0/4 10.3.13.2 - - - - F,S
1 13.13.13.13/32 ospf IA ge0/4 10.3.13.2 - - - - F,S
VPN 1 and VPN 101 routes are all rejected
vSmart# show omp services
ADDRESS PATH
FAMILY VPN SERVICE ORIGINATOR FROM PEER ID LABEL STATUS
--------------------------------------------------------------------------------
ipv4 1 VPN 10.3.0.1 10.3.0.1 66 1003 Rej,R,Inv
10.3.0.1 69 1003 Rej,R,Inv
1 VPN 10.4.0.1 10.4.0.1 66 1003 Rej,R,Inv
10.4.0.1 69 1003 Rej,R,Inv
1 VPN 10.5.0.1 10.5.0.1 66 1003 Rej,R,Inv
1 VPN 10.12.0.1 10.12.0.1 66 1003 C,I,R
10.12.0.1 69 1003 C,I,R
1 VPN 10.12.0.2 10.12.0.2 66 1003 C,I,R
10.12.0.2 69 1003 C,I,R
100 VPN 10.3.0.1 10.3.0.1 66 1004 C,I,R
10.3.0.1 69 1004 C,I,R
100 VPN 10.4.0.1 10.4.0.1 66 1004 C,I,R
10.4.0.1 69 1004 C,I,R
100 VPN 10.5.0.1 10.5.0.1 66 1004 C,I,R
100 VPN 10.12.0.1 10.12.0.1 66 1004 C,I,R
10.12.0.1 69 1004 C,I,R
100 VPN 10.12.0.2 10.12.0.2 66 1004 C,I,R
10.12.0.2 69 1004 C,I,R
100 FW 10.12.0.1 10.12.0.1 66 1006 C,I,R
10.12.0.1 69 1006 C,I,R
100 FW 10.12.0.2 10.12.0.2 66 1006 C,I,R
10.12.0.2 69 1006 C,I,R
101 VPN 10.3.0.1 10.3.0.1 66 1005 Rej,R,Inv
10.3.0.1 69 1005 Rej,R,Inv
101 VPN 10.4.0.1 10.4.0.1 66 1005 Rej,R,Inv
10.4.0.1 69 1005 Rej,R,Inv
101 VPN 10.5.0.1 10.5.0.1 66 1005 Rej,R,Inv
101 VPN 10.12.0.1 10.12.0.1 66 1005 C,I,R
10.12.0.1 69 1005 C,I,R
101 VPN 10.12.0.2 10.12.0.2 66 1005 C,I,R
10.12.0.2 69 1005 C,I,R
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Creating Different Network Topology per Segment
Create Centralized Policy
vEdge3# show ip route vpn 100
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
100 10.1.70.7/32 omp - - - - 10.12.0.1 mpls ipsec F,S
100 10.1.70.7/32 omp - - - - 10.12.0.2 mpls ipsec F,S
100 10.1.70.7/32 omp - - - - 10.12.0.2 public-internet ipsec F,S
100 10.1.100.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
100 10.1.102.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
100 10.1.102.0/24 omp - - - - 10.12.0.2 public-internet ipsec F,S
100 10.3.100.0/24 ospf IA ge0/2 - - - - - -
100 10.3.100.0/24 connected - ge0/2 - - - - - F,S
100 10.4.100.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
100 10.4.100.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
100 10.4.100.0/24 omp - - - - 10.12.0.2 public-internet ipsec F,S
100 10.5.100.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
100 10.5.100.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
100 10.5.100.0/24 omp - - - - 10.12.0.2 public-internet ipsec F,S
vEdge3# show ip route vpn 101
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
101 10.1.71.1/32 omp - - - - 10.12.0.1 mpls ipsec F,S
101 10.1.71.1/32 omp - - - - 10.12.0.2 mpls ipsec F,S
101 10.1.71.1/32 omp - - - - 10.12.0.2 public-internet ipsec F,S
101 10.1.101.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
101 10.1.103.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
101 10.1.103.0/24 omp - - - - 10.12.0.2 public-internet ipsec F,S
101 10.3.101.0/24 ospf IA ge0/3 - - - - - -
101 10.3.101.0/24 connected - ge0/3 - - - - - F,S
101 10.4.101.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
101 10.4.101.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
101 10.4.101.0/24 omp - - - - 10.12.0.2 public-internet ipsec F,S
101 10.5.101.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
101 10.5.101.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
101 10.5.101.0/24 omp - - - - 10.12.0.2 public-internet ipsec F,S
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Creating Extranets and Access to Shared Services
policy
control-policy DC-T-BR
sequence 1
match tloc
site-list Hub
!
action accept
!
!
sequence 11
match tloc
site-list Spokes
!
action accept
!
!
sequence 21
match route
site-list Spokes
prefix-list _AnyIpv4PrefixList
!
action accept
!
!
sequence 31
match route
site-list Hub
prefix-list _AnyIpv4PrefixList
!
action accept
export-to vpn-list VPN1-100
!
!
default-action reject
!
control-policy BR-T-DC
sequence 1
match tloc
site-list Spokes
!
action accept
!
!
sequence 11
match route
site-list Spokes
prefix-list _AnyIpv4PrefixList
!
action accept
export-to vpn-list Service-VPN101
!
!
default-action reject
!
lists
site-list Hub
site-id 12
!
site-list Spokes
site-id 3-5
!
vpn-list Service-VPN101
vpn 101
!
vpn-list VPN1-100
vpn 1
vpn 100
!
prefix-list _AnyIpv4PrefixList
ip-prefix 0.0.0.0/0 le 32
!
!
!
apply-policy
site-list Spokes
control-policy BR-T-DC in
!
site-list Hub
control-policy DC-T-BR in
!
!
Create VPNs
Topology - DC-T-BR : tloc
Topology - DC-T-BR : routes
Topology - BR-T-DC : tlocs
Topology - BR-T-DC : routes
vEdge2# show run vpn 101
…
interface ge0/3
ip address 10.1.103.1/24
…
vEdge1# show run vpn 101
…
interface ge0/3
ip address 10.1.101.1/24
…
DC Sites have all routes from vpn 1 and vpn 100
vEdge2# show ip route vpn 101
Codes Proto-sub-type:
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
101 10.1.71.1/32 ospf IA ge0/3 10.1.103.2 - - - - F,S
101 10.1.101.0/24 ospf IA ge0/3 10.1.103.2 - - - - F,S
101 10.1.103.0/24 ospf IA ge0/3 - - - - - -
101 10.1.103.0/24 connected - ge0/3 - - - - - F,S
101 10.3.13.0/24 omp - - - - 10.3.0.1 mpls ipsec F,S
101 10.3.13.0/24 omp - - - - 10.3.0.1 public-internet ipsec F,S
101 10.3.100.0/24 omp - - - - 10.3.0.1 mpls ipsec F,S
101 10.3.100.0/24 omp - - - - 10.3.0.1 public-internet ipsec F,S
101 10.3.130.1/32 omp - - - - 10.3.0.1 mpls ipsec F,S
101 10.3.130.1/32 omp - - - - 10.3.0.1 public-internet ipsec F,S
101 10.4.15.0/24 omp - - - - 10.4.0.1 mpls ipsec F,S
101 10.4.15.0/24 omp - - - - 10.4.0.1 public-internet ipsec F,S
101 10.4.100.0/24 omp - - - - 10.4.0.1 mpls ipsec F,S
101 10.4.100.0/24 omp - - - - 10.4.0.1 public-internet ipsec F,S
101 10.4.150.1/32 omp - - - - 10.4.0.1 mpls ipsec F,S
101 10.4.150.1/32 omp - - - - 10.4.0.1 public-internet ipsec F,S
101 10.5.14.0/24 omp - - - - 10.5.0.1 mpls ipsec F,S
101 10.5.100.0/24 omp - - - - 10.5.0.1 mpls ipsec F,S
101 10.5.140.0/24 omp - - - - 10.5.0.1 mpls ipsec F,S
101 10.5.140.1/32 omp - - - - 10.5.0.1 mpls ipsec F,S
101 13.13.13.13/32 omp - - - - 10.3.0.1 mpls ipsec F,S
101 13.13.13.13/32 omp - - - - 10.3.0.1 public-internet ipsec F,S
101 14.14.14.14/32 omp - - - - 10.5.0.1 mpls ipsec F,S
101 15.15.15.15/32 omp - - - - 10.4.0.1 mpls ipsec F,S
101 15.15.15.15/32 omp - - - - 10.4.0.1 public-internet ipsec F,S
Branch sites have vpn 101 routes
vEdge3# show ip route vpn 1
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
1 10.1.101.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.1.103.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
1 10.1.103.0/24 omp - - - - 10.12.0.2 public-internet ipsec F,S
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Direct Internet Access [DIA] for Guest Users
vEdge 3,4
Edit feature template "vEdge_Single_Site_VPN100_Template"
Edit feature template "vEdge_VPN0_Int_G0/0_Template"
IOS13#tracerout vrf VPN100 8.8.8.8 numeric
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 10.3.100.1 18 msec 14 msec 13 msec
2 192.1.3.1 33 msec 80 msec 37 msec
3 10.61.91.148 36 msec 39 msec 38 msec
4 192.168.0.1 43 msec * 66 msec
Create Sites
Create CORPORATE & GUEST VPN
Topology - B2B-2-DC
Activate
vEdge3# show ip route vpn 100
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
100 0.0.0.0/0 nat - ge0/0 - 0 - - - F,S
100 10.1.70.7/32 omp - - - - 10.12.0.1 mpls ipsec F,S
100 10.1.70.7/32 omp - - - - 10.12.0.2 mpls ipsec F,S
100 10.1.70.7/32 omp - - - - 10.12.0.2 public-internet ipsec F,S
100 10.1.100.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
100 10.1.102.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
100 10.1.102.0/24 omp - - - - 10.12.0.2 public-internet ipsec F,S
100 10.3.100.0/24 ospf IA ge0/2 - - - - - -
100 10.3.100.0/24 connected - ge0/2 - - - - - F,S
vEdge3# show ip route vpn 1
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 omp - - - - 10.12.0.1 mpls ipsec F,S
1 0.0.0.0/0 omp - - - - 10.12.0.2 mpls ipsec F,S
1 0.0.0.0/0 omp - - - - 10.12.0.2 public-internet ipsec F,S
1 10.1.0.1/32 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.1.0.2/32 omp - - - - 10.12.0.2 mpls ipsec F,S
1 10.1.0.2/32 omp - - - - 10.12.0.2 public-internet ipsec F,S
1 10.1.0.16/32 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.1.0.16/32 omp - - - - 10.12.0.2 mpls ipsec F,S
1 10.1.0.16/32 omp - - - - 10.12.0.2 public-internet ipsec F,S
1 10.1.16.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.1.160.0/24 omp - - - - 10.12.0.1 mpls ipsec F,S
1 10.1.160.0/24 omp - - - - 10.12.0.2 mpls ipsec F,S
…
Create data prefix
Edit Centralized policy "DIA-POLICY"
Add data policy
Apply traffic policy to BR and Guest VPN
Save policy
policy
control-policy B2B-2-DC
sequence 1
match tloc
site-list DC
!
action accept
!
!
sequence 11
match route
site-list DC
prefix-list _AnyIpv4PrefixList
!
action accept
!
!
sequence 21
match route
site-list BR
vpn-list CORPORATE
prefix-list _AnyIpv4PrefixList
!
action accept
set
tloc-list HUB-TLOCS
!
!
!
default-action reject
!
data-policy _GUEST_DROP-RFC1918
vpn-list GUEST
sequence 1
match
destination-data-prefix-list RFC1918
!
action drop
count DROP-RFC1918-COUNTER_-908989724
!
!
sequence 11
match
destination-ip 0.0.0.0/0
!
action accept
count Non-RFC1918-Permit_-908989724
!
!
default-action drop
!
lists
data-prefix-list RFC1918
ip-prefix 10.0.0.0/8
ip-prefix 172.16.0.0/12
ip-prefix 192.168.0.0/16
!
site-list BR
site-id 3
site-id 4
!
site-list DC
site-id 12
!
tloc-list HUB-TLOCS
tloc 10.12.0.1 color public-internet encap ipsec
tloc 10.12.0.1 color mpls encap ipsec
tloc 10.12.0.2 color public-internet encap ipsec
tloc 10.12.0.2 color mpls encap ipsec
!
vpn-list CORPORATE
vpn 1
!
vpn-list GUEST
vpn 100
!
prefix-list _AnyIpv4PrefixList
ip-prefix 0.0.0.0/0 le 32
!
!
!
apply-policy
site-list BR
data-policy _GUEST_DROP-RFC1918 from-service
control-policy B2B-2-DC out
!
!
Traceroute from vEdge3 to DC 10.1.0.16 and site 4: 15.15.15.15
vEdge3 vpn 100 (Guest) to Internet 8.8.8.8
vEdge3 vpn 100 (Guest) to DC route VPN100 10.1.100.1 (rfc1918): DROP
vEdge3# show policy data-policy-filter
data-policy-filter _GUEST_DROP-RFC1918
data-policy-vpnlist GUEST
data-policy-counter Non-RFC1918-Permit_-908989749
packets 70
bytes 5608
data-policy-counter DROP-RFC1918-COUNTER_-908989749
packets 45
bytes 3510
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Protecting Applications from Packet Loss
FEC Adaptive: Only send FEC information when the loss detected by the system exceeds the packet loss threshold.
FEC Always: Always send FEC information with every transmission.
Centralized Policy
Create new Centralized policy
Policy
data-policy _Service-VPN1_FEC-1
vpn-list Service-VPN1
sequence 1
match
destination-ip 0.0.0.0/0
!
action accept
loss-protect fec-always
count All-Traffic_2107727979
!
!
default-action drop
!
lists
site-list vEdge3
site-id 3
!
site-list vEdge4
site-id 4
!
vpn-list Service-VPN1
vpn 1
!
!
!
apply-policy
site-list vEdge3
data-policy _Service-VPN1_FEC-1 from-service
!
site-list vEdge4
data-policy _Service-VPN1_FEC-1 from-service
!
!
vEdge3# show policy from-vsmart
from-vsmart data-policy _Service-VPN1_FEC-1
direction from-service
vpn-list Service-VPN1
sequence 1
match
destination-ip 0.0.0.0/0
action accept
count All-Traffic_2107727979
loss-protect fec-always
default-action drop
from-vsmart lists vpn-list Service-VPN1
vpn 1
vEdge3# show tunnel statistics fec
tunnel stats ipsec 172.31.13.2 172.31.14.2 12406 12386
fec-rx-data-pkts 387
fec-rx-parity-pkts 96
fec-tx-data-pkts 384
fec-tx-parity-pkts 95
fec-reconstruct-pkts 0
fec-capable true
fec-dynamic false
Parity packet inserted every 4 packets (4*96 = 384 packets sent)
Audio Video Traffic - FEC Adaptive
vEdge3# show policy from-vsmart
from-vsmart data-policy _Service-VPN1_FEC-1
direction from-service
vpn-list Service-VPN1
sequence 1
match
destination-ip 0.0.0.0/0
action accept
count All-Traffic_-1018414682
loss-protect fec-always
set
local-tloc-list
color public-internet
encap ipsec
default-action accept
from-vsmart lists vpn-list Service-VPN1
vpn 1
vEdge3# show tunnel statistics fec
…
tunnel stats ipsec 192.1.3.2 192.1.4.2 12386 12406
fec-rx-data-pkts 102
fec-rx-parity-pkts 24
fec-tx-data-pkts 102
fec-tx-parity-pkts 25
fec-reconstruct-pkts 0
fec-capable true
fec-dynamic false
Creating packet duplication data policy
Edit newly created centralized policy "POLICY-1"
vEdge3# show tunnel statistics packet-duplication
…
tunnel stats ipsec 172.31.13.2 172.31.14.2 12406 12386
pktdup-rx 0
pktdup-rx-other 0
pktdup-rx-this 0
pktdup-tx 195
pktdup-tx-other 0
pktdup-capable true
…
tunnel stats ipsec 192.1.3.2 192.1.4.2 12386 12406
pktdup-rx 0
pktdup-rx-other 0
pktdup-rx-this 0
pktdup-tx 0
pktdup-tx-other 210
pktdup-capable true
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Application-Aware Routing Policies
Create BFD feature template "vEdge-System-BFD"
Default hello interval = 2000
Assign bfd template to all device templates
vEdge1# show run bfd
bfd color mpls
hello-interval 200
multiplier 5
!
bfd color public-internet
hello-interval 200
multiplier 5
!
Configure SLA-Class
Create Application
Create "Apple_AAR" Application Aware Routing
Add policy
Preview
vEdge3# show app-route sla-class
INDEX NAME LOSS LATENCY JITTER
------------------------------------------------------
0 __all_tunnels__ 0 0 0
1 SLA-1 10 30 30
Test unsuccessful
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Localized Policies (ACL, QOS)
ACL
Edit device template "vEdge_Dual_Site_Device_Template"
Edit feature template "vEdge_Dual_Site_VPN1_Int_G0/X_Template"
interface ge0/6
ip address 10.1.16.1/24
no shutdown
access-list ACL1 in
SW17# ping 15.15.15.15 source lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.15, timeout is 2 seconds:
Packet sent with a source address of 10.1.0.16
UUUUU
Success rate is 0 percent (0/5)
SW17# ping 13.13.13.13 source lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.13.13.13, timeout is 2 seconds:
Packet sent with a source address of 10.1.0.16
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 50/73/122 ms
vEdge1# show policy access-list-counters
NAME COUNTER NAME PACKETS BYTES
------------------------------------
ACL1 DROP_COUNT 10 1140
PERMIT_COUNT 10 1140
QOS
Create class-map
Edit device template "vEdge_Dual_Site_Device_Template"
Edit feature template "vEdge_Dual_Site_VPN1_Int_G0/X_Template"
vEdge1# show running-config vpn 1 interface ge0/6
vpn 1
interface ge0/6
ip address 10.1.16.1/24
no shutdown
qos-map QOS1
vEdge1# show policy qos-map-info
QOS
MAP INTERFACE
NAME NAME
-----------------
QOS1 ge0/6
vEdge1# show policy qos-scheduler-info
QOS QOS
SCHEDULER BANDWIDTH BUFFER MAP
NAME PERCENT PERCENT QUEUE NAME
--------------------------------------------
QOS1_0 20 20 0 QOS1
QOS1_1 50 50 1 QOS1
QOS1_2 30 30 2 QOS1
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Application-Aware Enterprise Firewall
Site 3/4 and vpn 1/100
Create centralized policy
Verify topology
vEdge3# show ip route vpn 100 15.15.15.15/32
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
100 15.15.15.15/32 omp - - - - 10.4.0.1 mpls ipsec F,S
100 15.15.15.15/32 omp - - - - 10.4.0.1 public-internet ipsec F,S
vEdge3# show ip route vpn 1 10.4.100.0/24
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
1 10.4.100.0/24 omp - - - - 10.4.0.1 mpls ipsec F,S
1 10.4.100.0/24 omp - - - - 10.4.0.1 public-internet ipsec F,S
Zone-A : VPN-1
Zone-B : VPN-100
A-A Telnet(deny), SSH(permit) INTRA-ZONE
B-B Telnet(deny), SSH(permit) INTRA-ZONE
A-B Telnet(deny), SSH(permit) INTER-ZONE
Define zones
Security> Add Security Policy > custom
Add firewall policy
Edit device template "vEdge_Single_Device_Template"
vEdge3# show running-config policy
policy
zone ZONE-A
vpn 1
!
zone ZONE-B
vpn 100
!
zone-pair ZP_ZONE-A_ZONE-A_TELNET-SSH
source-zone ZONE-A
destination-zone ZONE-A
zone-policy TELNET-SSH
!
zone-pair ZP_ZONE-A_ZONE-B_TELNET-SSH
source-zone ZONE-A
destination-zone ZONE-B
zone-policy TELNET-SSH
!
zone-pair ZP_ZONE-B_ZONE-A_TELNET-SSH
source-zone ZONE-B
destination-zone ZONE-A
zone-policy TELNET-SSH
!
zone-pair ZP_ZONE-B_ZONE-B_TELNET-SSH
source-zone ZONE-B
destination-zone ZONE-B
zone-policy TELNET-SSH
!
zone-based-policy TELNET-SSH
sequence 1
match
destination-port 23
!
action drop
log
!
!
sequence 11
match
destination-port 22
!
action inspect
!
!
default-action drop
!
zone-to-nozone-internet deny
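A constructed first-match evaluator, added here and not Cisco/Viptela code, covering both the guest DIA data-policy _GUEST_DROP-RFC1918 from the earlier section and the zone-based-policy TELNET-SSH above. Counter names are assumed without the numeric suffix vManage appends, and the per-packet byte size is a constructed value.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example, not Cisco/Viptela code: a constructed first-match evaluator
# for the sequence-based policies in these notes. Sequences are tried in
# order; the first one whose match criteria all hold decides the action and
# bumps its counter; anything unmatched gets the policy's default-action.

RFC1918 = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]   # destination-ip 0.0.0.0/0


@dataclass
class Sequence:
    number: int
    action: str                       # drop | accept | inspect
    dst_prefixes: Optional[List[ipaddress.IPv4Network]] = None  # destination prefix match
    dst_port: Optional[int] = None    # destination-port match
    counter: Optional[str] = None     # count <name> (suffix omitted here)
    log: bool = False


@dataclass
class Policy:
    name: str
    sequences: List[Sequence]
    default_action: str
    counters: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # name -> (packets, bytes)

    def evaluate(self, dst_ip: str, dst_port: int, size: int = 78) -> Tuple[Optional[int], str]:
        """Return (matching sequence number or None, action) for one packet."""
        dst = ipaddress.ip_address(dst_ip)
        for seq in self.sequences:
            if seq.dst_prefixes is not None and not any(dst in p for p in seq.dst_prefixes):
                continue
            if seq.dst_port is not None and dst_port != seq.dst_port:
                continue
            if seq.counter:
                pk, by = self.counters.get(seq.counter, (0, 0))
                self.counters[seq.counter] = (pk + 1, by + size)
            return seq.number, seq.action
        return None, self.default_action


# Guest VPN: drop anything destined to RFC1918 space, permit the rest (DIA).
GUEST_DROP_RFC1918 = Policy("_GUEST_DROP-RFC1918", [
    Sequence(1, "drop", dst_prefixes=RFC1918, counter="DROP-RFC1918-COUNTER"),
    Sequence(11, "accept", dst_prefixes=ANY, counter="Non-RFC1918-Permit"),
], default_action="drop")

# Zone policy applied to every zone-pair: telnet dropped and logged, ssh inspected.
TELNET_SSH = Policy("TELNET-SSH", [
    Sequence(1, "drop", dst_port=23, counter="counter_seq_1", log=True),
    Sequence(11, "inspect", dst_port=22, counter="counter_seq_11"),
], default_action="drop")


if __name__ == "__main__":
    print(GUEST_DROP_RFC1918.evaluate("10.1.100.1", 23))  # guest to DC VPN100: (1, 'drop')
    print(GUEST_DROP_RFC1918.evaluate("8.8.8.8", 53))     # guest to Internet: (11, 'accept')
    print(TELNET_SSH.evaluate("15.15.15.15", 23))          # (1, 'drop')
    print(TELNET_SSH.evaluate("10.4.100.2", 22))           # (11, 'inspect')
    print(TELNET_SSH.evaluate("10.4.100.2", 80))           # (None, 'drop')
```

Note that the guest policy's sequence 11 matches every non-RFC1918 destination, so its default-action drop is never reached, whereas the zone policy's default-action drop is what blocks every port other than 22 and 23.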
crypto key generate rsa usage-keys label router-key
interface Loopback1
ip address 13.13.13.13 255.255.255.255
end
IOS13#telnet 15.15.15.15 /source-interface lo 0
Trying 15.15.15.15 ...
% Connection timed out; remote host not responding
-------
IOS13#telnet 10.4.100.2 /source-interface lo 0
Trying 10.4.100.2 ...
% Connection timed out; remote host not responding
-------
IOS13(config)#ip ssh source-interface lo 1
IOS13#ssh -l admin -v 2 15.15.15.15
…
IOS15#who
Line User Host(s) Idle Location
0 con 0 idle 00:03:40
*578 vty 0 admin idle 00:00:00 13.13.13.13
-------
IOS13#ssh -l admin -v 2 10.4.100.2
…
IOS15#who
Line User Host(s) Idle Location
0 con 0 idle 00:00:55
*578 vty 0 admin idle 00:00:00 13.13.13.13
vEdge3# show policy zbfw filter-statistics zbfw-policy-counter
NAME COUNTER NAME PACKETS BYTES
--------------------------------------------
TELNET-SSH counter_seq_1 14 840
counter_seq_11 4 240