Cisco CCNP Enterprise 300-415 ENSDWI – Router Deployment Part 3

  1. OMP & TLOC Attributes

Let us discuss more about OMP and TLOC routes. So what is happening? In the case of OMP, if you get a new device for your site, inside that you will find the OMP configuration there by default. So OMP and some of the advertise commands will be there: omp advertise connected and omp advertise static, those will be there by default. Obviously you can go and change it, and inside OMP you can advertise, say, BGP, OSPF, EIGRP, et cetera. Nowadays with the CSR devices that capability is there. What type of attributes do we have inside OMP? An OMP route has attributes such as TLOC, origin and originator. The TLOC, we know, signifies three important things: system IP, color and encapsulation. Origin is the source of the route, such as BGP, OSPF, connected, et cetera, and originator is the device that originated that particular route.

Then the preference value. What is the preference? Higher is more preferred, and you can see this in the route policy. So whenever you are creating a route policy related to OMP, you can go and give the preference for the OMP route. So whatever incoming traffic there is, it will prefer A versus B versus C. We’ll check this in the upcoming slide. Then we have service, site ID, tag and VPN.

So most of these are SD-WAN-type attributes, because OMP is a customised protocol, meaning we don’t have an RFC standard for OMP; it is built for SD-WAN. The second type of OMP route we have is the TLOC, the transport locator, route. Let’s quickly see that. What type of attributes do you have with the TLOC? In the TLOC we have several attributes: private address, public address, carrier and color. Why do we have private and public addresses? Because maybe we are doing some NAT translation. Inside your transport locator, meaning from one vEdge reaching the vSmart, you may have translation going on. So that’s why it keeps track of that type of information as well, like the public and private addresses. It has three very important things: system IP, color and encapsulation. Apart from that, you can see that it has BGP-type attributes like preference and even weight. We can use tag as well to prevent routing loops.

So now let’s quickly discuss the importance of the weight and the preference. For example, suppose you have two links. One link is, say, 100 Mbps and the other link is 1 Mbps. Now, what will happen if you send 100 packets and you put weight here, for example weight ten, and here weight one? As per your actual link speed you are putting the weight, and that is for the outgoing traffic: for example nine flows, not packets, because in SD-WAN they are not doing packet-based load balancing, they are doing flow-based load balancing. So nine flows will prefer the higher-bandwidth link and one flow will go the other way, if we have weight one in the other direction. So it will go like nine versus one or ten versus one: ten flows will go in one direction and then the eleventh flow will go in the other direction. Now, what’s the use case of the preference? Actually preference is related to incoming traffic. So suppose you have preference 100, preference 50 and preference ten, and then you have the tunnel from this side to the other side.

So obviously the link with preference 100 will be the most preferred, then the one with preference 50, then the one with preference ten. That’s the meaning we have. Either it’s a TLOC preference, so you can go and set the TLOC preference for incoming traffic, or you can go and globally set the OMP route preference. In both cases, higher is better. All right, so we can stop here. In this particular slide it is clearly showing where the TLOC is present. So suppose you want to see what the TLOC of this particular device is. This particular device is, say, connected with MPLS. So its TLOC is its system IP (ten 40 one on the slide), the color is MPLS and the encapsulation is IPsec. Likewise you can determine the TLOC of this one also: the color is, say, internet and the encapsulation is IPsec. Okay? So again, the TLOC is nothing but an important parameter which gives you the transport location and also keeps track of the public and private IP addresses.

  2. OMP Best Path Selection

Next we have OMP best path selection and loop avoidance. We have certain steps that we can follow to check how OMP is doing the best path selection, plus some criteria related to loop avoidance. First of all, OMP checks whether the OMP route is valid or not. An OMP route is invalid if the advertised TLOC is unreachable. So if the TLOC is unreachable, that means the OMP route is not valid. That is the first and most basic check. Then it checks whether the route that I am learning is coming with the lower administrative distance. So maybe the same route comes with distance ten and with distance 20; the route that is coming with administrative distance ten will be installed. Then the third criterion is that OMP will go and check the OMP route preference.

Just now we studied OMP, and it has three different types of route: the OMP vRoute, the OMP TLOC route and the OMP service route. So inside the OMP vRoute, or Viptela route, if it is coming with a higher route preference, that will be preferred. Now suppose points number one, two and three are equal; then it will go and check the TLOC preference. So first they check the OMP route preference, then they check the TLOC route preference. Say for example points number two, three and four are equal. Then OMP will go and check the origin of the route, and it will select in this order: connected, static, eBGP, OSPF intra-area, OSPF inter-area, OSPF external, iBGP, et cetera.

Now suppose all the points, points number three, four and five, are equal; then OMP will go and check for the route having the higher OMP router ID. All right? And say for example all the points from number two to six are equal; then it will go and check for the OMP route with the higher private IP. This private IP you can go and check inside show omp tlocs. So this is the way that OMP is doing the selection. If for example points two to seven, all these criteria, are equal, then what will OMP do? You can see it here: if all the attributes are equal, the vSmart controller chooses both of them.
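The selection order above, as an added worked example (my own Python model, not Cisco or Viptela code): it ranks constructed sample OMP routes for one prefix through the same criteria the lecture lists, drops any route whose TLOC is unreachable, and names the step that decided between two candidates. Every system IP, color and preference value in it is made up.

```python
"""Model of the OMP best-path selection steps from the lecture.
Added example: my own Python, not Cisco/Viptela code. Every address,
color and preference below is a constructed sample value."""
from dataclasses import dataclass
from typing import List

# Origin types in the order the lecture gives; a lower rank is preferred.
ORIGIN_RANK = {
    "connected": 0, "static": 1, "ebgp": 2, "ospf-intra-area": 3,
    "ospf-inter-area": 4, "ospf-external": 5, "ibgp": 6,
}

# Criteria after the validity check, in evaluation order (steps 2-7).
STEPS = ("admin-distance", "omp-route-preference", "tloc-preference",
         "origin", "omp-router-id", "tloc-private-ip")


@dataclass(frozen=True)
class Tloc:
    system_ip: str
    color: str
    encap: str
    private_ip: str
    preference: int = 0
    reachable: bool = True   # False when BFD to this TLOC is down


@dataclass(frozen=True)
class OmpRoute:
    prefix: str
    tloc: Tloc
    ad: int                  # administrative distance
    preference: int          # OMP route preference (set by route policy)
    origin: str
    router_id: str           # OMP router ID of the advertising vEdge


def _ip_key(ip: str) -> tuple:
    """Turn dotted-quad text into a tuple so 10.9.0.1 < 10.10.0.1."""
    return tuple(int(octet) for octet in ip.split("."))


def _higher_wins(ip: str) -> tuple:
    """Negate the octets so that a higher IP sorts first under min()."""
    return tuple(-octet for octet in _ip_key(ip))


def rank(route: OmpRoute) -> tuple:
    """One comparable value per criterion; the smaller tuple wins.
    'Higher is better' fields are negated so min() picks them."""
    return (
        route.ad,                             # step 2: lower AD
        -route.preference,                    # step 3: higher OMP route preference
        -route.tloc.preference,               # step 4: higher TLOC preference
        ORIGIN_RANK[route.origin],            # step 5: origin order
        _higher_wins(route.router_id),        # step 6: higher OMP router ID
        _higher_wins(route.tloc.private_ip),  # step 7: higher TLOC private IP
    )


def select_best(routes: List[OmpRoute]) -> List[OmpRoute]:
    """Return every route that ties for best; more than one entry means
    the vSmart keeps both, as the lecture says for the all-equal case."""
    valid = [r for r in routes if r.tloc.reachable]   # step 1: TLOC reachable
    if not valid:
        return []
    best = min(rank(r) for r in valid)
    return [r for r in valid if rank(r) == best]


def deciding_step(a: OmpRoute, b: OmpRoute) -> str:
    """Name the first criterion on which two routes differ."""
    if a.tloc.reachable != b.tloc.reachable:
        return "tloc-reachability"
    for name, x, y in zip(STEPS, rank(a), rank(b)):
        if x != y:
            return name
    return "all-equal"


# Constructed sample: one prefix learned over three TLOCs of two vEdges.
MPLS = Tloc("10.1.1.1", "mpls", "ipsec", "10.40.1.2", preference=100)
INET = Tloc("10.1.1.1", "biz-internet", "ipsec", "192.0.2.10", preference=50)
INET_DOWN = Tloc("10.1.1.2", "biz-internet", "ipsec", "192.0.2.20",
                 preference=500, reachable=False)

CANDIDATES = [
    OmpRoute("10.10.10.0/24", MPLS, 250, 100, "ospf-intra-area", "10.1.1.1"),
    OmpRoute("10.10.10.0/24", INET, 250, 100, "ospf-intra-area", "10.1.1.1"),
    OmpRoute("10.10.10.0/24", INET_DOWN, 250, 999, "connected", "10.1.1.2"),
]

if __name__ == "__main__":
    for r in select_best(CANDIDATES):
        print("best:", r.prefix, "via", r.tloc.color, "tloc-pref", r.tloc.preference)
    print(deciding_step(CANDIDATES[0], CANDIDATES[1]))   # tloc-preference
    print(deciding_step(CANDIDATES[0], CANDIDATES[2]))   # tloc-reachability
```

Note that the third candidate has the best preference and origin of all three, yet never competes: its TLOC is down, so step one removes it before any attribute is compared.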

Now, this particular section is very important: a vEdge router installs an OMP route in the FIB only if the TLOC to which it points is active. That’s very important. So what is happening whenever you have an IPsec tunnel? For this IPsec tunnel you have the BFD mechanism to track the liveliness of the IPsec tunnel. And since you are monitoring that, if your BFD is down, that means you don’t have an active tunnel. Obviously at that time the vSmart will withdraw that route from your table. So here you can see the note: BFD sessions are established by each vEdge router, which creates a separate BFD session with each of the remote TLOCs. If a BFD session becomes inactive, the vSmart controller removes from the forwarding table all the routes that point to that TLOC.

So that means, in short, if your BFD is active, your tunnel is active, and that means the edge routers will install the route in the FIB table. Now, coming to the next few slides, we have the features and capabilities of OMP. So at the moment we know that between vSmart and vSmart, and between vSmart and vEdge, we have OMP running. So at the moment, between the control plane and the data plane, I have OMP running. Now suppose for any reason your vSmart goes down, meaning your control plane goes down; the vEdge devices still have the active data plane tunnel. So all my vEdge devices have the active data plane tunnel.

Still, if your vSmart is down, these vEdge devices will continue forwarding their traffic, or their data plane will be up and running, by default for 12 hours. If you want, you can use the graceful restart timer. You can set the timer from 1 second up to seven days, but the default is 12 hours. Next, we have a few of the timers. So let me go and show you the timers and then I’ll come back to the advertise options.

So we have certain timers inside OMP. We have the hold-down timer. By default it is 60 seconds. If you want to change it, you can go and use the command timers holddown. Apart from that, here you can see that we have the hello tolerance value as well. And what is the significance of hello tolerance? The hold-down timer must be at least two times the hello tolerance. So you have the tolerance timer as well: not only do we have the hold-down timer, but we have the tolerance as well.

  3. OMP Route Redistribution

In this section we’ll discuss OMP route redistribution, and I will show you a small output related to this. So what we can do is redistribute our routes into OMP. So whatever IGP I have, I can redistribute it into OMP, or OMP can be redistributed into the IGP as well. Let me show you the configuration. Before that, you can see that the OMP route origin type for BGP can be external or internal, and for OSPF it can understand external type 1, type 2, inter-area and intra-area, et cetera. When it comes to the AD, OMP has an administrative distance of 250.

So in this particular lab, what I want to highlight is that in my branch number two, vEdge number one, I have OSPF running inside service VPN 10 and we have one network; I will show you in the CLI. So this particular OSPF network I am advertising with the help of OMP. If you advertise it with the help of OMP, it will go and reach the vSmart. And now, since your vSmart is working as a route reflector, it will go and advertise it to all the other vEdges. So for example I will go and check this OSPF route inside DC1 vEdge1. Now, the good thing about OMP is that it can understand what the origin is, who the originator is, et cetera. So if I go to DC1 and check the OMP routes related to VPN 10, I can see what the origin protocol is; that’s the first thing. Second thing, suppose you want to do the redistribution in the reverse direction, meaning you want to send your routes from OMP into OSPF; that is also possible.

You can go to OSPF and then use the command redistribute omp. So let me log into branch one vEdge one and show you all those commands first. So here I logged into branch two vEdge one, and if I show you the configuration: under OSPF, redistribute omp takes the routes from OMP into OSPF; for the reverse side, if you want to advertise OSPF inside OMP, you go and use omp advertise ospf.

Now let me show you what type of routes I have related to OSPF inside VPN 10. So here, for example, I go to DC1, and if I type show omp routes vpn 10 and give this specific route, we can go and verify the output. So here you can see that it is getting the route from the vSmart, the path ID, the label, and then the attributes: who is the originator, what the TLOC is, what the overlay ID is. And here you can see OSPF intra-area. So this is OSPF intra-area. If I go to the other site, you can see it is also understanding OSPF intra-area, and the origin metric value is ten, plus the label; so ten plus 111. So clearly you can see this is an installed and resolved route, and everywhere we can go and verify those routes. So the order is this: on the vEdge, OSPF is sending the route into OMP and the vEdge advertises it to the vSmart; once it is in OMP, the vSmart has that information and then it sends the OMP route on, with the correct metric value and the protocol type. All right, so now we can stop here, because we have covered almost everything related to OMP.

  4. TLOC-Extension Theory

Next we have transport locator extension. So what is happening in this case is that although you have one physically connected interface, with the help of transport locator extension you can simulate the other transport. So what does it mean? Let me draw the diagram here so it will be very clear. For example, I have two edge devices, and these edge devices are connected to two different transports. So what is the physical connection that I have? At the moment I have one connection with one of the transports, for example MPLS, and one connection with the internet. Now, if you see this diagram, you have your VRRP running here, and we have seen VPN 10, 20 and 40 with different interfaces. In this case, if I have to reach the vSmart, then from branch one vEdge one and branch one vEdge two,

so this is, for example, vEdge one and this is vEdge two, we can see that you can reach it via only one transport. That means if this link goes down there is no chance that you can reach the control plane, because physically (not logically, but physically) you have only one connection. So I have one connection either from branch one or branch two. To reach the vSmart, I have only one physical connection to the control plane. Now, if we use the concept of transport locator extension, what will happen in that case? With MPLS and internet and whatever VRRP link you have, what you can do is connect a back-to-back cable from branch one vEdge one to branch one vEdge two, and you can extend your MPLS control towards the internet side.

Likewise you can extend your internet control towards the MPLS side. But if you have one cable, then you have to create two interfaces, say for example ge0/1 and ge0/2, or better, you use two different cables back to back. So in our case, if you see the topology, you’ll find that, yes, branch one vEdge one is going towards MPLS and the other interface is going towards the internet. So this is the internet transport, this is the MPLS transport, these are the interface names, and then here you have ge0/1 and here you have ge0/2.

So this is the topology diagram that we have, and if we do the TLOC extension, for example, I will go here and extend the TLOC here. So you are extending the TLOC here, and here you are receiving it as well: if you extend the MPLS TLOC here, you have to receive it here as well. Receive means that, because these may be your private IP addresses, you should have a proper IP route towards where you are extending. Okay? So what I am trying to tell you here: let me go and log into the devices and I’ll show you the configuration. First we’ll see the configuration in this section, and in the next section I’ll go and configure it.

So here I logged into branch one and branch two. At the moment in branch one we have not done the TLOC extension configuration. So if you go and check show run vpn 0, you’ll find that we don’t have the TLOC extension configured; we haven’t even configured one of the interfaces. So if I go here and show you show interface description, you’ll see that we haven’t done the configuration; one of the interfaces is down, actually. But if you go to the other side and see its configuration, you’ll find that we have the TLOC extension configured there. One important point I want to make before doing the configuration, and it’s very important to understand this: whenever you are extending the TLOC, those extended TLOC interfaces should be part of VPN 0.

Okay? So whatever interfaces, ge0/0, ge0/1 or ge0/2, all are part of VPN 0. In both directions they are part of VPN 0. Everything is inside VPN 0 because you are extending the control towards VPN 0. So that’s why you go and check show run vpn 0. So here we’ll see this side, where we have the configuration. What am I extending? I’m extending ge0/1. So the IP address is over ge0/1. So let me also draw what type of IP scheme we have. We have two devices, configured back to back. So ge0/1 has IP 10.20.21.2. So here it is extending the TLOC; that’s the command you can see. And whenever you’re extending the TLOC you are giving the WAN interface, and from here also you will go and extend the TLOC, but in the other direction. So here also you have the interface: say this is ge0/1 and this is ge0/2. Here we have IP 10.10.10.x, say .1 here and .2 here. Now if you see this particular IP and the static route, there are two or three very important points we have to make. First of all, you are doing the TLOC extension configuration.

So over this interface, that is ge0/1, you are doing the TLOC extension of this interface, correct? That means that over this interface this particular device is receiving the TLOC. So its configuration should be very similar to this particular configuration. That’s a very important point, okay? Likewise, if you are extending the TLOC from here, the interface that is receiving the TLOC should have a configuration very similar to this configuration. That is one thing. The second very important thing is the IP route.

So here you can see that I am pointing the IP route towards this. So when you are sending the TLOC, at that time you should have IP reachability in the same manner. If you are sending the TLOC, you should have an IP route towards this particular gateway; that means if I log into the other device I should have the IP route there, otherwise the TLOC will not form. So if I go here, I can see this is already there. If it is not there, you have to put it. All right, so what configuration do I need now for this particular device? Here I have to go and configure one more interface, that is ge0/2, and then assign the IP address. What IP should I give it? If you go here and check ge0/2, this configuration is 100% correct; there is no problem. You can see it’s like the MPLS configuration.

So here let’s see show run vpn 0 interface ge0/1. If you see this, this is also 100% correct: that is ge0/1, where you are receiving, so this configuration is the point I was making. This particular configuration is very similar to this interface, and they should be very similar, and then your TLOC extension will work perfectly. So now what configuration do I need? The configuration that I need is very straightforward if I do it in the CLI; what we need to do is simply go here.

So let me do this configuration. But I will create it via the GUI, the feature template, for this. What we need to do is, first of all, go to vpn 0, interface ge0/2, and then give the IP address, that is 10.10.10.1/24; we are using a /24 subnet here. And then you have to do the tloc-extension and no shutdown. That’s it. So you do the tloc-extension related to your WAN interface and the no shutdown, that’s it. If I go to the top and type show configuration, you can see the configuration you need inside VPN 0. So let’s stop here, and in the next section we’ll go to the vManage template and add this. After adding this template we should check the control connections. So if I go here and type show control connections, you should see more control connections. If you go ahead and run show control connections, here you can see that you have only internet, and one MPLS connection trying to be made with the vBond. But here the number of control connections will increase. Why? Because branch one vEdge two is sending the control connection: here you can see you have the internet and here you have the MPLS. But because branch one vEdge one is not sending the control connection to it, that’s why here we have fewer control connections. So once we fix this issue, meaning once we create the template and apply it, you will find that here also we have both the MPLS and internet transports.

  5. TLOC Extension Lab

So let us continue and create the TLOC extension. We’ll go to the template, and inside branch one I’ll go and click it. What I want here is that inside the transport and management VPN I need to add one more interface, and this interface I want to use as a TLOC extension. So we’ll go ahead and create the interface. Let’s go and give all those parameters. So what is this? This is nothing but VPN 0 and this is the MPLS TLOC, because I am on MPLS and I want to extend my MPLS TLOC, correct? And then we’ll go ahead and create this. The interface should first of all be no shutdown.

What’s the interface name? The interface name is nothing but ge0/2, but we can verify that. Let’s go and verify ge0/2; you can see the IP address. If you want to create the IP address as a variable, that is also possible, so let me go and show you that exact template. So here you can see the IP address we are going to put as a variable, and the TLOC extension is ge0/0. So let’s do that. Let’s scroll down: the IP address is the variable, I should go and put that value, and then if I scroll down, now I have to give the TLOC extension.

So this is not a tunnel interface, and we don’t have any NAT; simply one thing we need to add, that is the TLOC extension, which is ge0/0, nothing but the WAN-facing interface. So if you scroll almost to the end, you have this TLOC extension. So here I’ll go and give the global parameter ge0/0, that is the WAN interface, and click save. Now it will dynamically push this configuration to the device, because we are making a dynamic change here.

Now it will ask you for the IP address of the TLOC extension interface, so let’s give that IP address, then update, next, and push this configuration. Once you push this configuration, and if it is successful, you will see the number of control connections increase. So now from the other side also you are sending the control connection to this side, so not only does this side have the internet, but it will get the MPLS control as well, and here you can see that it is increasing. Now you can clearly see that we have the MPLS control connections up since the last 3 seconds, 3 seconds, et cetera. So this is the way that we can create the TLOC extension, and once we have the TLOC extension, that means that virtually, logically, we can create more control connections from one side to the other.

  6. VRRP OSPF BGP Begins

In section 3.5 we have to learn about various protocols. We’ll start with VRRP, then OSPF and BGP. Now, for all these topics I have created a separate lab and a separate use case. So we’ll better understand these protocols in terms of use cases, because whatever VRRP, OSPF and BGP we are using now, the same things we have to use inside Cisco SD-WAN and Viptela. But there are some tweaks. So for OSPF and BGP there is no change,

but OSPF and BGP you have to use on the service side, as an IGP. For VRRP there is some change: in VRRP we can track OMP, we can track prefixes. So you will see in the VRRP lecture what change there is in VRRP. But for OSPF and BGP we don’t have a change; the only thing is that you have to use them on the service side as an IGP, and then you have to redistribute these IGPs into OMP. Okay, so let’s start with VRRP, then we’ll move to OSPF, and finally we’ll check how BGP is used.

  7. VRRP Theory

Let us discuss VRRP, Virtual Router Redundancy Protocol. Now, this is not a new protocol that we are using in the SD-WAN fabric; it’s the old mechanism of providing a virtual gateway, used as a first hop redundancy protocol. So what does it mean? Suppose you have one host, and in this host you have the IP and the gateway. This gateway may be here or maybe here, but it can’t be both. What we are doing is gluing all these gateways together with one virtual IP, and here we are providing the gateway as a virtual IP. According to their VRRP priorities and the virtual IP addresses, one will become active and one will become standby, or one will be the master and one will be the backup. And then they choose the active forwarder in one direction. If anything happens to this particular device, automatically the backup will become active and then the traffic will move in this direction. So in this way you are providing first hop redundancy to all the devices sitting in the LAN in front.

Now, to achieve this particular target we provide various configuration, and there is technology behind it. So what we are doing in the first hop redundancy protocol is that we can create multiple groups; for example, in our case we have VPN 10, 20 and 40. So for some of the VPNs I can make this one active, and for some of the VPNs I can make the other one active. That means with multiple groups they can work as active/active: for VPN 10 this is active, or master, and that is backup, but for VPN 40 that is active and this is the backup. The VRRP active vEdge responds. So what happens in case of failure? Suppose this one goes down; still you are ARPing in this direction.

But what will happen at the moment the other one senses that the active is down and that it is now the active in this particular network is that it sends a gratuitous ARP, and that’s how the users come to know that now they have to go in this particular direction. Now, to achieve this particular target we have various configuration, and step by step I’m going to show you all the configuration. You cannot configure VRRP on an interface that is in the transport VPN. So we should configure this inside a non-transport VPN.

How does this configuration look? In terms of CLI it is very much like Cisco. So you go to the interface, say for example interface ge0/3, go and define the VRRP group, say for example 10, and go and define the virtual IP, for example the virtual IP shown on the slide (ten 30 one). Then define the priority. Now this priority will define which of these two is the active and which is the backup, which is the master and which is the backup. So if its priority is 200, higher is better. We’ll see that the priority can be from 1 to 254.

So if one priority is 200 and the other priority is only 100, that means the first one will be the active forwarder. Now, what is new in this VRRP compared to the old VRRP? In the VRRP flavor inside SD-WAN, what new things has SD-WAN added? SD-WAN has added track OMP and track prefix-list. These are the new things SD-WAN has added. The other optimisation in VRRP is this: if you see the traditional or existing VRRP that is working in the LAN, in that you can go and track the interface and use some sort of decrement priority. So suppose its priority is 150 and the other’s priority is, for example, 100; if you decrement the priority by 60 and this link is down, then this becomes 150 minus 60, that is 90. So automatically the other one will become active. But all these things have been removed in SD-WAN. In SD-WAN there is no decrement priority feature: although your priority is high, if you are down it will automatically sense that with respect to track OMP and track prefix behind the OMP. So in this case, what is happening is that two devices are the VRRP peers.

You are tracking the OMP over the active link. For example, if your OMP is down, automatically the other one will become active. Now, if you are tracking a certain prefix behind the OMP, behind the overlay, still if this particular prefix is unreachable, then the traffic will go in the other direction. So if this prefix is unreachable, you will find that OMP is also not working, and then the traffic will go in the other direction. So in both cases, whether you’re tracking the OMP or you’re tracking something behind the OMP, behind the overlay, in the failure scenario it will automatically fail over; and again, if the old member comes back online, then the old member will become the active again. So you can go and give the priority; the default priority is 100.
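The failover behaviour described above, as an added example (my own Python model, not the vEdge implementation): it contrasts the traditional decrement-priority election with SD-WAN’s track omp and track prefix-list, where a vEdge that loses OMP or the tracked prefix steps down regardless of its priority and takes over again when it recovers. Device names, priorities and addresses are constructed.

```python
"""Model of VRRP master election: classic decrement-priority tracking
versus the SD-WAN flavour with track omp / track prefix-list.
Added example (my own Python, not vEdge code); all names, priorities
and addresses are constructed sample values."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class VrrpPeer:
    name: str
    ip: str                          # interface IP, the VRRP tie-breaker
    priority: int = 100              # default 100, valid range 1-254
    # SD-WAN tracking knobs
    track_omp: bool = False
    track_prefix: Optional[str] = None
    # live state fed in by the scenario
    omp_up: bool = True
    reachable_prefixes: set = field(default_factory=set)
    # classic VRRP knobs (ignored by the SD-WAN election)
    tracked_link_up: bool = True
    decrement: int = 0

    def tracking_ok(self) -> bool:
        """SD-WAN rule: OMP session up and tracked prefix reachable."""
        if self.track_omp and not self.omp_up:
            return False
        if self.track_prefix and self.track_prefix not in self.reachable_prefixes:
            return False
        return True

    def classic_priority(self) -> int:
        """Traditional VRRP: subtract the decrement while the link is down."""
        if self.tracked_link_up:
            return self.priority
        return max(1, self.priority - self.decrement)


def _ip_key(ip: str) -> tuple:
    return tuple(int(octet) for octet in ip.split("."))


def _pick(peers: List[VrrpPeer], prio: Callable[[VrrpPeer], int]) -> str:
    """Highest priority wins; VRRP breaks a tie on the higher interface IP."""
    return max(peers, key=lambda p: (prio(p), _ip_key(p.ip))).name


def elect_classic(peers: List[VrrpPeer]) -> str:
    return _pick(peers, lambda p: p.classic_priority())


def elect_sdwan(peers: List[VrrpPeer]) -> str:
    """Peers whose tracking failed step down to backup; among the rest the
    configured priority decides, with no decrement. Assumption of this
    model: if every peer fails its tracking, plain priority still elects."""
    eligible = [p for p in peers if p.tracking_ok()] or peers
    return _pick(eligible, lambda p: p.priority)


def validate_priority(priority: int) -> bool:
    return 1 <= priority <= 254


def classic_scenario(link_up: bool) -> str:
    """Lecture's numbers: 150 vs 100 with a decrement of 60 on link loss."""
    v1 = VrrpPeer("vEdge1", "10.30.1.2", priority=150,
                  tracked_link_up=link_up, decrement=60)
    v2 = VrrpPeer("vEdge2", "10.30.1.3", priority=100)
    return elect_classic([v1, v2])


def sdwan_scenario(omp_up: bool, prefix_reachable: bool) -> str:
    """vEdge1 (priority 200) tracks OMP and one prefix behind the overlay."""
    reachable = {"10.20.0.0/16"} if prefix_reachable else set()
    v1 = VrrpPeer("vEdge1", "10.30.1.2", priority=200, track_omp=True,
                  track_prefix="10.20.0.0/16", omp_up=omp_up,
                  reachable_prefixes=reachable)
    v2 = VrrpPeer("vEdge2", "10.30.1.3", priority=100)
    return elect_sdwan([v1, v2])


if __name__ == "__main__":
    print("classic, link up:    ", classic_scenario(True))        # vEdge1
    print("classic, link down:  ", classic_scenario(False))       # vEdge2 (150-60=90)
    print("sd-wan, OMP down:    ", sdwan_scenario(False, True))   # vEdge2
    print("sd-wan, prefix lost: ", sdwan_scenario(True, False))   # vEdge2
    print("sd-wan, recovered:   ", sdwan_scenario(True, True))    # vEdge1 again
```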

You can track the OMP the same way that I have explained to you, meaning you can track the overlay management protocol. Next you can go and track the prefix list. That’s the same thing we have discussed. What about the configuration and the verification? The configuration is again very easy, and in the next section I will show you the CLI configuration that was there in the old configuration, which we have removed; now we have attached the new configuration. So I’ll show you the CLI configuration. But our goal is to create this via the feature template, and in the existing template that we have, we’ll go and attach it inside that. Once we attach it inside the existing template, then we’ll go and verify the VRRP interfaces with show vrrp interfaces for VPN 10. So we have various verification commands that we can go and check. So let’s stop here, and in the next section we will see how we can configure this via the GUI.