Cisco CCNP Enterprise 300-415 ENSDWI – Router Deployment Part 2

  1. OMP TLOC Begins Here

Now, from section 3.2 up to 3.4 you can see that we have to focus on the underlay and the overlay, plus the redundancy in terms of TLOC extension. So in this section, 3.2 will start with the verification of the data plane tunnels and other verification, and then the TLOC extension. Now, the TLOC is the important key factor we have: it is the communication channel beneath and above, that means the underlay and the overlay. With the help of the TLOC we are doing the communication.

Now again we have to learn and do the labs related to the Overlay Management Protocol, and one of the key components of the Overlay Management Protocol is the TLOC routes as well. So these are the topics I'm going to cover in the upcoming six to eight videos, and let's see how much time it will take to cover all these topics one by one. So I'll show you in the upcoming videos, and by the end of these videos only one portion will be left, related to routing protocols.

  2. Verification Commands

So whatever we have done so far, let us verify via the CLI commands. Now suppose you want to check whether the control connection is up or not. What are the things you will check? First of all, the first command that you want to check is show control connections. That will be the first command. Now here you can see the output of show control connections. Let me run it one more time: you are getting the DTLS connections between, say, my branch and the controllers. So from my branch router I can go and check which control devices I am connected with, meaning vSmart, vSmart, vSmart, vSmart and vManage. So how the topology is, let me quickly refresh the diagram also. Our setup is that, for example, I have one branch where I have two vEdge routers.

Suppose this is branch number one that we have. We have two ISPs, so MPLS and Internet, over these two ISPs, because I have vSmart one and I have vSmart two. So say I am here at the moment, on this device. So I have one control connection over MPLS per control plane device; one control connection over MPLS to each of the two control plane devices means two control connections over MPLS, and I have two control connections over Internet. Apart from that, I have one vManage also in the network. So I have one connection, one active connection actually, with the vManage. Now here you can ask why I don't have one more connection over Internet to the vManage. Actually it will be standby. So I don't have a second active connection to the vManage controller because that is not needed. So technically my control plane is vSmart and my data plane devices are vEdge.

So that's why we have direct active tunnels with the vSmart. But with the management plane I have one active tunnel. It may be over Internet, it may be over MPLS, it may be over LTE. It depends on what particular path you choose to reach the vManage; later we'll see that you can change the path. Also we have the option to do traffic engineering related to reaching that particular controller. So this was the first thing that you want to check. The second command is that you want to check the control connection local properties. Let me show you local properties. So if you go and check show control local-properties then you'll get a much more detailed output. So what is the personality of this device? This is the vEdge. What is the organization name? SP organization name, certificate status, root certificate installed, certificate installed, certificate validity duration, what is the DNS name, what is the site ID, what is the protocol, what is the port number, system IP, and the token, which was something like an OTP.

So now it is invalid, because now I have the serial number, et cetera. So you have detailed information about the connection local properties. And now I'm going to run one very important command. Generally, we use that command to do the troubleshooting. So that is show control connections-history. If you run the connections history, you can see you have various legends, say for example BIDNTPR (board ID not initialized), CRTVERFL (failed to verify peer certificate). Now if you scroll further down you see these like DISCVBD, NOERR, et cetera, and DCONFAIL. So the details about all these things you can go to the top and then verify. So what was DCONFAIL, et cetera: for all these outputs, the full form and what is the meaning of that, DTLS connection failure. Suppose your tunnel is not coming up, it is not working.

Say for example with the vBond it is showing tear down. That means you can go to the control connections history and verify why it is not working, at what time it broke down, meaning what was the reason behind that: the certificate is not properly installed, or what was the time frame of the last connection. So those sorts of information you will get. Finally, if you want to see the certificate installed in the device, you can go and check show certificate installed as well. So you'll get the full idea about the certificate. Because remember, from the CSR we have generated the .pem file. Okay, so this is the certificate, that is the .pem, that I can see here. So these are the basic commands we can use to verify the control connections and the certificate. If I type show history, just to give you the commands that we have done:

So we have done show control connections, show control local-properties, show control connections-history and show certificate installed. Now next we have to go and verify the data plane as well. Now again, in the connections output you can see that various fields are there. So what is the peer, the peer type, peer site ID, domain ID, peer private IP, the uptime, et cetera. It's very straightforward. Once you run this command you can see: okay, this is the system IP, this is the site ID, this is the domain ID, this is the VPN 0 IP, private port, public port, et cetera.

So you can go and run the command and most of the things you will find very easy and straightforward to verify. The next thing is to check the data plane. Now, we have discussed this and it is actually part of this type of automation: once you bring up the control plane, whatever data plane devices you have will come up and by default they will form a full mesh of IPsec tunnels.

So that is actually good. Say I have two data plane devices, and obviously you have your ISP. So you'll find the IPsec connection they will form in between. Now the important thing to understand is that these devices are not exchanging their key values directly with the devices on the other side. So what does it mean? Suppose in a normal Cisco environment you have three routers and you have point-to-multipoint IPsec running. In that case what is happening? All the devices are sending and receiving the key values, so they can form the point-to-point IPsec tunnels. Now suppose this is only three devices. What if you have 1000 devices?

That means each device will send its key 999 times, and that's a huge number. Even as the number of sites grows, just to manage or scale the keys is very difficult: how many keys can one device exchange, and then store, and then track? Here, instead, we are sending the key to the vSmart, that is my control plane device, and then we sit idle. My only job is to send the keys to the vSmart. Since the vSmart is working like a route reflector, it is now its responsibility to forward the key to the different branches with which I want to form the IPsec tunnel. So what it will do: it will send this key to the other side, and the other side's key it will send to this side, and then they will form the IPsec connection. So here you can see the complexity is much less than in the traditional IPsec configuration.

There the complexity is n squared, whereas in SD-WAN it's only the key exchange complexity; and the other thing we know is that the moment we bring up the control and data plane, my IPsec will be up and running. So here I can see, although I have different VPNs (you will study more about that), I have a single pipe over VPN 0. Inside that I have tunnels for VPN 10, 20, 30, et cetera. The important thing here you can see in the definition or the points: each vEdge advertises its local IPsec key to whom? To the vSmart. Symmetric encryption keys used asymmetrically. And that's actually a nice statement. Why? Because then the vSmart is sending these keys here, and again it will also send this side's key there, and it will send that side's key here, and then they will form the IPsec tunnel. Okay? So that's why the symmetric encryption keys are used asymmetrically.

That particular statement is true. So once you have your IPsec tunnels, the other thing that is on by default is tracking of these IPsec tunnels. Now these IPsec tunnels, whatever end-to-end tunnels I have, by default will be a full mesh. Now who will track the liveliness of a particular tunnel? BFD is there: the moment the tunnel is up, BFD starts tracking those tunnels. By default they have a 1 second hello timer. They are sending those keepalives to the remote end and they start tracking the tunnel. So if I list some of the features that come up the moment I bring up the fabric: once you bring up the fabric, then your DTLS tunnels are up/up, not only with the control plane but with the data plane also your DTLS tunnel will be up/up. The third thing that will be up and running is the IPsec. You have full mesh IPsec up and running.

The fourth thing is that automatically BFD will start tracking the IPsec tunnels. And we have so many use cases for this particular BFD. This BFD is used not only to check the liveliness, but it is useful inside the application-aware routing policies as well, where you want to track the application loss, latency, jitter and overall performance. Okay, so loss, latency and jitter are the things you want to measure.

So these things will be on by default; even later we'll study that the fifth one is the Overlay Management Protocol, which will also be on, so a few of the services. Because this is the optimized SD-WAN solution, the moment we do those things, the other services will kick off and they will be running. Now, let us go and verify some of the commands related to the data plane. So here I am inside branch one and I can go and type show ipsec inbound-connections, and I can go and check show ipsec outbound-connections. Later we will discuss more about why I have this many tunnels.

And in the vManage dashboard section I will cover why we have this many tunnels. The other thing that I can go and check is show bfd sessions. So whatever number of tunnels you have, the same number of BFD sessions will be up and running, because all the tunnels by default are tracked by the BFD packets. So I'll give you one example here. Say I am in a branch and I have two routers here, I have two ISPs connected, connected for example to the data center, DC. So I have one device here, one device here; how many tunnels will they form with just this number of devices? See, it can go like this, it can go like this.

Now it can go like this, it can go like this. You have four tunnels towards one DC from this one device, okay? And since you have DC one and DC two, that's why you are seeing four plus four, eight tunnels, at the moment that branch two is down. So that's why if I go and show you the inbound connections, you can see 1, 2, 3, 4, 5, 6, 7, 8: four over Internet and four over MPLS. Now I am at branch one vEdge one; with the help of the system IP itself you can identify what type of tunnels, meaning from where to where. So you are already in branch one. You are going to DC one vEdge one, DC one vEdge two, DC two vEdge one, DC two vEdge two. Then to reach DC one vEdge one, you can go via MPLS, you can go via Internet, and vice versa. You have eight different tunnels, and that's why you have eight BFD sessions as well. All right? So let's stop here.
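The key-exchange scaling argument and the tunnel count worked through above, as an added example in Python (not part of the course and not Cisco code): the site names, system IPs and the same-colour pairing rule are this example's own assumptions, chosen to reproduce the eight tunnels and eight BFD sessions the lecture counts.

```python
"""Added example (not from the course or Cisco): a small model of the fabric
behaviour described above.  It compares the key exchanges a traditional full
mesh needs (every device to every other) with the SD-WAN model (every edge
sends its key once to the vSmart, which reflects it), and enumerates the
IPsec tunnels, hence BFD sessions, one vEdge forms in the lab: two vEdges per
DC and in branch 1, an mpls and an internet TLOC on every device, branch 2
not deployed yet.  Assumptions: site names and system IPs are made up, and a
tunnel forms only between TLOCs of the same colour (the lecture counts four
tunnels over internet and four over mpls, none between the two)."""
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Tloc:
    """Transport locator: the (system IP, color, encapsulation) triple."""
    system_ip: str
    color: str
    encap: str = "ipsec"

@dataclass(frozen=True)
class Edge:
    name: str
    site: str
    system_ip: str
    colors: tuple
    up: bool = True          # False = not deployed: no tunnels, no OMP peering

    def tlocs(self):
        return [Tloc(self.system_ip, c) for c in self.colors]

def pairwise_key_exchanges(n_devices):
    """Traditional full mesh: each device sends its key to every other device."""
    return n_devices * (n_devices - 1)

def vsmart_key_exchanges(n_devices):
    """SD-WAN: each device sends its key once, to the vSmart (route-reflector style)."""
    return n_devices

def data_plane_tunnels(local, edges):
    """IPsec tunnels `local` forms: one per same-colour TLOC pair with every
    deployed edge at another site (assumption: same-colour rule, see above)."""
    tunnels = []
    for remote in edges:
        if remote.site == local.site or not remote.up:
            continue
        for lt, rt in product(local.tlocs(), remote.tlocs()):
            if lt.color == rt.color:
                tunnels.append((lt, rt))
    return tunnels

def tunnels_by_color(local, edges):
    """Tunnel count per transport colour, e.g. {'mpls': 4, 'biz-internet': 4}."""
    counts = {}
    for lt, _ in data_plane_tunnels(local, edges):
        counts[lt.color] = counts.get(lt.color, 0) + 1
    return counts

def bfd_sessions(local, edges):
    """BFD tracks every data plane tunnel, so sessions == tunnels."""
    return len(data_plane_tunnels(local, edges))

def omp_peers_per_vsmart(edges, n_vsmart):
    """A vSmart peers with every deployed edge plus each other vSmart."""
    return sum(1 for e in edges if e.up) + (n_vsmart - 1)

# Constructed inventory modelled on the lecture's diagram (IPs are made up).
TRANSPORTS = ("mpls", "biz-internet")
LAB_EDGES = [
    Edge("dc1-vedge1", "dc1", "10.10.1.1", TRANSPORTS),
    Edge("dc1-vedge2", "dc1", "10.10.1.2", TRANSPORTS),
    Edge("dc2-vedge1", "dc2", "10.20.1.1", TRANSPORTS),
    Edge("dc2-vedge2", "dc2", "10.20.1.2", TRANSPORTS),
    Edge("br1-vedge1", "br1", "10.30.1.1", TRANSPORTS),
    Edge("br1-vedge2", "br1", "10.30.1.2", TRANSPORTS),
    Edge("br2-vedge1", "br2", "10.40.1.1", TRANSPORTS, up=False),
]

if __name__ == "__main__":
    br1_vedge1 = LAB_EDGES[4]
    print("1000 devices: pairwise", pairwise_key_exchanges(1000),
          "vs via vSmart", vsmart_key_exchanges(1000))
    for lt, rt in data_plane_tunnels(br1_vedge1, LAB_EDGES):
        print(f"{lt.system_ip}/{lt.color} -> {rt.system_ip}/{rt.color}")
    print("BFD sessions:", bfd_sessions(br1_vedge1, LAB_EDGES))
    print("OMP peers on each vSmart:", omp_peers_per_vsmart(LAB_EDGES, 2))
```

Marking branch 2 as deployed (`up=True`) raises the vSmart peer count to eight, matching the later OMP section.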

  3. What is OMP?

What is OMP? OMP is nothing but the Overlay Management Protocol, and OMP is established actually between vSmart and vEdge, meaning the control plane to the data plane, and between vSmart and vSmart, meaning among the controllers themselves. What is the use of OMP? You can clearly see here that with the help of OMP we can do orchestration of the overlay network management. So what does it mean? It means that you can do various stuff in the network. That means you can do service sharing, traffic engineering; you can manage multiple VPN topologies with respect to, or with the help of, OMP; you can do service-level routing; and later we'll see what the components of OMP are. And then you'll understand fully that with the help of OMP I have full control of my underlay.

So whatever routes the underlay is sending go to the vSmart, and the vSmart is my OMP peer. So whatever control we have over the underlay and overlay, that is with the help of OMP, and we'll see what the other components are that are helping OMP. Distribution of data plane security? Yes. So whenever the IPsec tunnels are forming, with the help of OMP the vSmart is sending those keys to the different edge devices. And control and distribution of routing policies? Yes, that's true, and that's why we have OMP inside the infrastructure: with the help of OMP we have full control over the routing infrastructure.

So now if I go and draw the OMP, you'll see where exactly this OMP is situated. So let me go and draw our infrastructure. In our infrastructure we have, say for example, DC one, DC two, say for example branch one, branch two, and then we have the vSmart. So for the vSmart what I'll do, I will go and use the cloud. So I have my vSmart somewhere here. If you see the connections, you will find that we have multiple ISPs and their VPN 0s.

They are connected to different ISPs. Let me use only one link, and with the help of, say for example, VPN 0 all these devices can reach the vSmart devices. So I have my control plane here, like this. Now suppose I have vSmart one and vSmart two. So where will this OMP come into the picture? You will find that your OMP peering is from your vSmart to your vSmart, and from your vSmart to your vEdge. So the relationship is like this: vSmart to vSmart, and vSmart to vEdge. So for example, if here I have two edge devices, how many OMP peers should this vEdge one have? We'll see that if we have two vSmarts, that means you have two OMP peers. And likewise here: if I have two vEdges here, if I have two vEdges here, if I have one vEdge here, then overall with respect to vSmart one, how many OMP peers do you have? You see, 1, 2, 3, 4, 5, 6, 7, and one with the other vSmart.

That means with respect to vSmart one, you have eight OMP peers. So this is our overall info: we have DC one, we have DC two, we have branch one, we have branch two, and we have seven edge devices. So seven, plus one other vSmart. So before moving further, let me log into one of the branch devices and one of the vSmarts, and then I'll show you this OMP peer output. All right? So I'm in one of the vEdges and I go and type show omp peers. So you will see, and let me clean this diagram first. Here you can see how many OMP peers you have. And it's very interesting to note here that although I have vSmart one and vSmart two, because vSmart one has the lower system IP, I am preferring vSmart one. So that means branch one is installing, you can see, the install count is 44. So vSmart one is sending, and you can see from the vSmart how many you are installing.

So you are installing inside branch one 44 updates, 44 OMP routes. So here you can see that you are installing 44 from vSmart one. Why? Because it has the lower system IP. And then you can think that, okay, vSmart two is there as a backup. So we are receiving 62 from both the vSmarts. But from one of the vSmarts you are installing 44, and from the other you are installing zero. And then from your side you are sending six out to both. Okay? So as per the preference, you are giving much more preference to one of the vSmarts; you are installing its routes. Now if you want to see the details, you can see what's the domain ID, site ID, overlay ID, state, version, staging. You can see the graceful restart and other stuff that we'll discuss later on. But this is the way we can go and check the OMP peers.

Now, if I go to vSmart two and do show omp peers here, you should see seven plus one, correct? So 1, 2, 3, 4, 5, 6, 7: one of the branch devices is not deployed yet, so that's why it is not showing. So that's why I have DC one, DC two and one of the branches, and then one. So that means I have a total of 1, 2, 3, 4, 5, 6, 7, and one is not deployed. So that's why this is showing seven. In an upcoming section I will deploy that branch device. Then you will see 10.40.1, that is one of the branch devices. Now how many it is receiving you can see, and how many it is sending you can see. All right, so let's just stop here. And in the next section we will discuss more about OMP and the types of routes.

  4. OMP Route Types

Now let us discuss what types of OMP routes we have. And let me draw here, so you will understand this. We actually have three different types of OMP routes, and let's see where they are situated. So suppose this is my topology diagram, and in this topology diagram it's like cross connections and all; I have my vSmart here, and let me create some more space here. So I have my vSmart here, and all right, so all the DCs and the branches have two edge devices, except one place where I have only one edge device. And since all these devices, if you go and see, have their TLOCs, let me use some other color.

So if it has a connection, it has a TLOC, the transport locator, that is the three things: system IP, color and encapsulation. So now if you go and see the branches, what you will find is that in the branch you have different types of routes. So you may have service-side VPN routes, maybe say VPN 10, 20 and 40. These are nothing but, say for example, service-side VPN routes, that is with the color green: 10, 20, 40; like that, here also you have 10, 20, 40, and here also you have, for example, 10, 20, 40. And in our topology diagram we have a firewall inside the data center, in the LAN infrastructure. Suppose I have a firewall here and suppose I have one firewall in the other data center; that is a different color, and then I'll use some other color for the TLOC as well.

So for example, blue color is for TLOC. So I have transport locators for all these devices: transport locator, transport locators, I have transport locators. So now, if you see the complete picture in this complete diagram and figure out all the types of routes that you have, you will find that you have, first of all, say for example, service-side VPN routes. Sometimes they are referred to as vRoutes or Viptela routes. The second thing you have is the TLOC routes, the blue color TLOCs, and thirdly you have the firewall or services routes, the service routes.

So now it can be a firewall, it can be an IDS, it can be any security service, correct? So apart from these three different types of routes, you don't have any other route in your SD-WAN, correct. You may get something from the IGP, from the underlay, maybe OSPF or EIGRP or BGP is running as the underlay, but still, when it comes here it will become an OMP route, a service-side VPN route, correct. Now, since you have the OMP peering everywhere, you have OMP peers on all these devices, and they are advertising their routes, all three types of routes. So I'll mark these three types of routes as, for example, A, B, C. So all those sites are sending A, B, C; all those sites are sending their A, B, C routes to the vSmart.

That means the vSmart has the complete database of OMP routes: OMP routes related to service-side VPNs, OMP routes related to TLOCs, and OMP routes related to services. You are getting all the routes. Now here we have one question. Suppose in the LAN you have a network, say for example 10.1.x, and to reach the vSmart this particular device can go via this link, or it can go and reach via this link, because you have two transports, for example MPLS and Internet. Then how would the vSmart know? So let me clean here. First of all, you have two ISPs and your edge device. It's sending one route out. You have two routers here. It's sending 10.1.10.0/24. So how could your vSmart know whether the route that it is getting is coming via MPLS or via Internet?

So for that, the route, say for example 10.1.10.0/24, is nothing but the vRoute. And when it reaches the vSmart, it can come either via MPLS or via Internet. That means it can come via this TLOC, TLOC one, or via that TLOC, TLOC two. So that's why these TLOCs are referred to as the next-hop type of attribute, like inside BGP. So either it can come via TLOC one or via TLOC two. And we know that TLOC one is nothing but, say for example, if this system IP is 10.30.1, then TLOC one will be 10.30.1, mpls, ipsec, and this particular side should be 10.30.1, internet, ipsec. So with the help of the TLOC, that's the next-hop type of attribute.

The vSmart comes to know that, oh, this particular route that I am receiving is coming via MPLS or via Internet. So that's the significance we have. So in summary, how many routes do we have? We have, say, service-side VPN routes, that is nothing but vRoutes. Then you have TLOC routes, the transport locator routes, that is nothing but, say for example, your WAN-facing interfaces here. And then you have services. These services may be firewall, IDS, any type of security device routes that may be there inside your data center. So all these routes are going to the vSmart. They'll reach the vSmart. Now the vSmart has full control of how it can advertise them to other devices. All right, so these are the routes we have inside OMP.

  5. OMP Routes Verification

Let us verify all three types of routes inside OMP. So we have, you can see here, the OMP routes, we have the service routes and we have the TLOC routes. So I'll go and log into one of the branches, and with the help of the CLI first and then with the help of the GUI second, we'll verify all the routes and the different things inside the routes. So let me log into branch one vEdge one. So here I am inside branch one vEdge one. I can go and type show omp routes, say for example vpn 10, first. Now here you can see that it is getting the default route from one of the vSmarts, the path ID and the label. This label is actually associated with the VRF or the VPN. The status is C,I,R. Then you can see the originator, and inside the attributes you have the originator and all the different types of attributes like site ID, preference, ultimate TLOC, TLOC, origin metric, et cetera.

Now if you want to see all the legends, you can go and see that C stands for chosen, I stands for installed, Red for redistributed, Rej for rejected, L for looped, R for resolved. So if it is C,I,R, that means it is a chosen, installed and resolved route. Okay. And now you can see the list of routes that we have. Somewhere you can see C,I,R with path ID 12, but with path ID 22, meaning if you are receiving the routes from the other vSmart, it is chosen and resolved but it is not installed. And that's the key. Some of the routes you can see are invalid and unresolved. So here you can see some of the routes, that is the self-originated routes. You are not giving preference to the vSmart, meaning you don't want to learn the same route back from the vSmart. So that's why it is invalid and unresolved. So like that we can go and see all the parameters inside the OMP routes.

Next I can go here and check the TLOCs. Now the TLOCs output, you can see, is a big output. So what I will do, I will log into the GUI and I'll walk you through all the components inside the output. The third thing we have is the services. So here you can see the services I have, say for example, VPN 10, 20 and 40, from peer meaning your own; you can see the path ID. So you can see the path IDs for VPN 10 are 34 and 36, one for MPLS, one for Internet. But the label, you can see: the label for VPN 10 is 1002, for 20 it is 1003 and for 40 it is 1004. And the status is chosen, redistributed and resolved. Like here you can refer. All right, so let me log into the vManage and from there also I'll show you all these outputs. All right, so inside vManage.
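The status flags, path IDs and per-VPN labels walked through in the show omp routes output above, as an added Python example (not part of the course and not Cisco code): it parses a constructed copy of the table, with made-up peer and system IPs, and decodes per prefix which vSmart's copy is installed, which is only chosen and resolved, and which is invalid and unresolved.

```python
"""Added example (not from the course or Cisco): parse the tabular output of
`show omp routes` as discussed above and decode the STATUS flags, so you can
tell per prefix which vSmart's copy is installed, which is only chosen and
resolved (the backup vSmart) and which is invalid/unresolved.  SAMPLE is
constructed for this example with made-up peer and system IPs, laid out like
the vEdge table; as on the CLI, continuation rows leave VPN and PREFIX blank."""
from dataclasses import dataclass

STATUS_LEGEND = {  # legend the command prints above the table
    "C": "chosen", "I": "installed", "Red": "redistributed", "Rej": "rejected",
    "L": "looped", "R": "resolved", "Inv": "invalid", "U": "TLOC unresolved",
}

@dataclass
class OmpRoute:
    vpn: int
    prefix: str
    from_peer: str   # vSmart system IP, or 0.0.0.0 for a locally originated route
    path_id: int
    label: int       # identifies the VPN (VRF) the route belongs to
    status: tuple
    tloc_ip: str
    color: str
    encap: str

    @property
    def tloc(self):  # the TLOC the route points at: (system IP, color, encap)
        return (self.tloc_ip, self.color, self.encap)

    def explain(self):
        return ", ".join(STATUS_LEGEND.get(f, f) for f in self.status)

def parse_omp_routes(text):
    """Parse the table; VPN/prefix are inherited from the previous row when blank."""
    routes, vpn, prefix = [], None, None
    for line in text.splitlines():
        tok = line.split()
        if not tok or not tok[0][0].isdigit():   # legend, header, separator lines
            continue
        if len(tok) == 11:                        # VPN, PREFIX and all path columns
            vpn, prefix, tok = int(tok[0]), tok[1], tok[2:]
        elif len(tok) == 10:                      # new prefix in the same VPN
            prefix, tok = tok[0], tok[1:]
        elif len(tok) != 9:                       # continuation row: path columns only
            continue
        peer, pid, label, status, _attr_type, tip, color, encap, _pref = tok
        routes.append(OmpRoute(vpn, prefix, peer, int(pid), int(label),
                               tuple(status.split(",")), tip, color, encap))
    return routes

def installed_paths(routes):
    """(vpn, prefix) -> (from_peer, path_id) of the copy the vEdge installed."""
    return {(r.vpn, r.prefix): (r.from_peer, r.path_id)
            for r in routes if "I" in r.status}

def labels_per_vpn(routes):
    """Every route of a VPN carries that VPN's label; collect them to check."""
    out = {}
    for r in routes:
        out.setdefault(r.vpn, set()).add(r.label)
    return {v: sorted(s) for v, s in out.items()}

SAMPLE = """\
Code:
C   -> chosen
I   -> installed
                                           PATH                    ATTRIBUTE
VPN   PREFIX           FROM PEER   ID    LABEL   STATUS    TYPE       TLOC IP     COLOR         ENCAP  PREFERENCE
--------------------------------------------------------------------------------------------------------------------
10    0.0.0.0/0        1.1.1.3     12    1002    C,I,R     installed  10.10.1.1   mpls          ipsec  -
                       1.1.1.4     22    1002    C,R       installed  10.10.1.1   mpls          ipsec  -
      10.3.10.0/24     0.0.0.0     34    1002    C,Red,R   installed  10.30.1.1   mpls          ipsec  -
                       0.0.0.0     36    1002    C,Red,R   installed  10.30.1.1   biz-internet  ipsec  -
                       1.1.1.3     41    1002    Inv,U     installed  10.30.1.1   mpls          ipsec  -
20    10.1.20.0/24     1.1.1.3     14    1003    C,I,R     installed  10.10.1.1   biz-internet  ipsec  -
                       1.1.1.4     24    1003    C,R       installed  10.10.1.1   biz-internet  ipsec  -
"""

if __name__ == "__main__":
    for r in parse_omp_routes(SAMPLE):
        print(f"vpn {r.vpn} {r.prefix:14} via {r.from_peer:8} path {r.path_id:3} "
              f"label {r.label} tloc {r.tloc} -> {r.explain()}")
```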

If you go to Network, first of all let me walk you through how we can reach there: Network, and you can go to, for example, DC one vEdge one; inside that you can navigate to Real Time. Once you are in Real Time, we can go and check OMP received routes, say for example I'm interested in that, so I can go and check received routes, and now you will see that you have all the tables properly: address family, VPN ID, prefix, from peer, path ID, label, status, attribute, TLOC IP; so you have the TLOC IPs associated with the routes as well. And once you are associated with the TLOC IP, you can see the MPLS color, the TLOC encap, the protocol, the metric, the site ID, AS path; you have a long list of information: the AS path, overlay ID, OMP tag, originator, et cetera. Correct?

So likewise you can go and check, let me go and show you, the OMP TLOCs. So we have OMP received TLOCs as well. Here you can see again you have the address family, you have the TLOCs. At the moment you are in branch one vEdge one, whose system IP is 1001. This is your own IP, so your own peer, that is yourself only; then what is the TLOC SPI, what is the authentication type. And if I can fix this screen, you have to do a little bit of hard work here. So you try to scroll this or try to suppress these outputs a little bit, try to shift the columns so you can see what the other fields are. All right, so you have this TLOC SPI. All right? So you can try to shift and check all the components that we have here; better I'll go here and show you what the components are. You can see the originator, the weight, the preference, the site ID. So for example, I'll remove the site ID and then I'll go here and remove, say for example, from peer.

Now you can see, I will go and remove: I know that we are using only IPv4, so the address family I'll remove; then encapsulation, we know that we have only IPsec encapsulation; and then the TLOC SPI I'll also remove; then I can go ahead and remove the authentication type as well, because in most places we have the same authentication type. So now you can see one by one what components you have. You can see here, I'll remove the encryption type as well. So now we have much more space here.

Then you have the public port, you have the public IP, private IP, private port, preference, weight; so let me remove the preference as well. So now you can see that apart from that you have these many things. So clearly you have the public and private ports inside the TLOC; apart from the public and private IPs and ports, you have weight, you have the originator, you have the preference value as well. So those many things we have inside the TLOC: not only is it the transport locator, but it can drive certain decisions as well.

Okay, next we have the OMP services, so let's go and check the OMP services as well. Inside OMP services you can see here we have fewer things, which come in a single screen: VPN number, from peer, path ID, label, and I have the firewall as well; so the firewall is also in my VPN 10, that IP. I know that location. So if I go and show you the configuration for DC one and VPN 10, you'll find that inside VPN 10 I have the firewall configuration. So if I go here and log in, let me try to log in. If I do show run vpn 10, clearly you can see here that you have VPN 10 and the service firewall and the IP. So that's the reason you can see that.
