Cisco CCNP Enterprise 300-415 ENSDWI – SDWAN Policy Part 4

  1. App Aware Routing BFD SLA Class

Let us discuss the SLA class. The overall goal of this session is to understand how the Viptela fabric, inside its tunnels, collects information about the applications in terms of loss, latency and jitter. In the upcoming session we'll see how we can apply all these things inside your policy. What happens in the Viptela fabric is that once your control plane and data plane are up, by default all vEdges have IPsec tunnels to each other, and that is a pure full-mesh topology: any-to-any tunnels. This tunnel formation is automatic. The second thing is that tracking these tunnels via BFD is also automatic: the BFD sessions come up on their own and start tracking the tunnels, and BFD uses a 1 second interval to do that. Now, an important thing to understand here is that we have the TLOC. All the tunnels are associated with a TLOC.

Each tunnel knows its local TLOC and its remote TLOC. To identify or differentiate a particular tunnel, the BFD sessions use the color. That is the importance of color. At this point we know that a TLOC is nothing but a three-tuple: the system IP, the encapsulation and finally the color.

So that is the importance of color: the color is used by BFD to isolate or identify a tunnel. The BFD sessions use a 1 second default hello timer to track the automatic IPsec tunnel together with the TLOC information, so BFD is doing two things: it checks whether the tunnel is up or not, and it checks whether the TLOC is active or not. This TLOC is further imported into OMP, and vSmart is tracking it. So there are two kinds of tracking, one for the tunnels and one for the TLOC, because if your TLOC goes down, your communication with vSmart will also tear down. So remember this default timer of 1 second. Then what about the average value?

We have an average value that is termed one bucket. By default that is 10 minutes, meaning 600 BFD hello packets are equivalent to one bucket, and this is the averaging period for loss, latency and jitter. This is again user configurable, and we can change it with the command bfd app-route poll-interval. I have a summary slide for all these things, so please do not worry. What are the BFD hello packets? What is the BFD bucket? 600 hello packets. And finally we need to determine the SLA class with the help of the multiplier. So what is the use of the multiplier? It has a range of one to six and by default it is six. That means one hello per second for BFD,

then 600 BFD hellos make one bucket, and finally, with the multiplier of six, calculating the SLA takes 1 hour by default. All these are the default values: 1 second, ten minutes and then a multiplier of six, so by default we have 1 hour to determine the SLA class. This is again a user-configurable item and you can change the multiplier. Let me show you the summary slide. So, whatever we have discussed so far: BFD hello packets are sent every 1 second; that's okay, no problem, we can change it with a command, and the range is from 1 to 65535 seconds, which is a big number. Then the polling or bucket value is 10 minutes by default; we can change this with bfd app-route poll-interval, and we have a range for that. And finally we have the multiplier from one to six, and we can change it with a command as well. All these are very important parameters that determine how app-aware routing is calculating or collecting the stats with respect to BFD. You can see how powerful BFD is here: the hello interval is set under bfd color, the bucket under bfd app-route poll-interval, and the multiplier under bfd app-route multiplier. In the next section we'll start checking how we can configure all these things.
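To put the three timers together, here is an added vEdge configuration example (constructed for this write-up, not taken from the course) that sets each knob explicitly at its default value. The lines beginning with `!` are commentary, the color names are my assumption, and the numbers are the defaults the lecture quotes: with a hello interval of 1000 ms, one bucket of 600 hellos is 600000 ms (10 minutes), and with a multiplier of 6 the SLA is judged over 6 buckets, that is 3600000 ms or 1 hour.

```text
! Constructed example: the BFD knobs that feed app-aware routing, all at defaults
! Per-color hello interval in ms: one BFD probe per second on every tunnel of this color
bfd color mpls
 hello-interval 1000
!
bfd color biz-internet
 hello-interval 1000
!
! Bucket (poll interval) in ms: 1000 ms x 600 hellos = 600000 ms = 10 minutes
bfd app-route poll-interval 600000
! Buckets averaged before an SLA decision, range 1-6: 6 x 10 minutes = 1 hour
bfd app-route multiplier 6
```

Shortening the poll interval or the multiplier makes the fabric react faster to a degraded link, but it also averages over fewer samples, so a brief spike in latency is more likely to move traffic off a tunnel; the per-color hello interval is what decides how quickly a dead tunnel is detected, and on a metered LTE color you may deliberately keep it longer. The collected averages are what `show app-route stats` displays on the vEdge.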

  2. app aware routing policy configuration 01

As we have studied app-aware routing policies, let us start building this policy. How do we build it? The app-aware routing policy is a unique type of policy in the Viptela fabric: it is the only policy whose implicit or default action is accept. For all the other policies, if the traffic does not match any criteria by the end of the policy, it is denied or dropped. But in app-aware routing, if nothing matches according to the policy, the traffic is accepted. That's why this is a positive type of policy.

That is one thing. The other thing is that this is also a type of centralized policy, because we build this policy at the level of vSmart, and then vSmart pushes that policy to the vEdges, where it is applied to certain VPNs or sites. So let us build this policy one by one and try to understand the key components of the app-aware routing policy. Let me go to the next slide. We know that inside the Viptela policy everything starts inside policy. First of all we need to define the lists. What types of lists do we have?

We have lists related to prefixes, sites and VPNs, and we also have lists related to applications, which we'll see in the upcoming recording. Then we need to define the SLA class, which is the loss, latency and jitter. Then we need to define our app-route policy. Inside the app-route policy we call our VPN, and inside that VPN we define the match conditions. So once we are inside the VPN we have to match criteria, and on that match statement we need to take an action. Okay, we'll see that.

Finally, if nothing matches a certain SLA, the packet is forwarded over some default tunnel with no SLA configuration. Once you have your policy built, you need to apply it, and we apply it with a site list and the app-route policy, whatever the name of the policy is. So we'll see this example, this policy building, here.

Here you can see that first of all we define lists, and we'll see what an app list and an app-family list are in the upcoming recording. The others we already know: the prefix list, site list and VPN list. Then we define the jitter, latency and loss, that's okay. Then we define our app-route policy. And remember, everything is inside policy. So our new object here is the app-route policy object, and then the policy name, the VPN, match and action.

This can be very interesting. We'll see in our example case that, say, my primary SLA, if it does not match, falls back to a secondary. The secondary may be LTE or any Internet connection; the primary may be my MPLS. All these fallback conditions will be checked. The default action is obviously to match any tunnel. Then finally we need to apply this: apply-policy, then the site-list name, and then the policy. I will discuss all these things one by one in the upcoming recording. Let me stop here, and in the upcoming recording we'll go into this policy again.

  3. app aware routing policy configuration 02

Let us build our policy. In the previous section we already discussed the construct and the structure of the policy. Let us see one by one what we have inside all these things. First of all, let us discuss the application list, because this is one of the powerful things inside the fabric. In an application list we have the application name, and at the moment Viptela supports up to 2300 different applications. So if you check this command we have app-list and then app with the application name; that is one option. Or we have app-family, and you can see this list of the application families that Viptela supports.

Here you can see all the various types of business applications we have. Apart from that, in the list segment we have the data-prefix list, which we already know about. Then we have the site identifier, something like 100, 200, 300, and the VPN list, where we can match whatever service VPNs we have. The second important parameter is the SLA class. So how are we defining our SLA class in terms of latency and loss? You can see the maximum permissible numbers: 1 through 1000 milliseconds, 1 through 2000 milliseconds in terms of latency, and 0 to 100% in terms of loss.

We can define our SLA policy in this fashion; I will show you in the live example as well. Then we have the match parameters. So how do we go inside the policy? We move to lists: we can create lists and SLA classes. Then comes the app-route policy, and inside the app-route policy we get the match and the action segments. In the match segment, what can we match? We can match the app list obviously, the data-prefix list, destination IP and destination port, and then we have various other match criteria like DSCP value, protocol number, source data-prefix list, source IP and source port; all these things we can match. Once we have matched those things, what types of actions do we have? We can count and log, and we can see these log values with show app log flow or show app log flows; we'll see after our practical example how we can verify these app-route policies.

Verify in the sense of what the operational commands are to view all these settings and the match and action parameters. So these things we have in the action. Once the action parameters are done, what does the vEdge do? If we have more than one data plane tunnel satisfying the same SLA criteria, the vEdge will start load balancing across the various paths. Because your vEdge may have this path and this path, when an application, say app one, is coming and it matches the SLA criteria, the vEdge will start load balancing that application across them. Okay? So once we are done with the lists, the SLA class, the app-route policy with its match and action criteria inside, then obviously we need to apply this. And how do we apply it?

We apply it with apply-policy, the site-list name, app-route-policy and then the policy name. Here we don't have any inbound or outbound direction as we have in the other vSmart policies. Why? You do not specify a direction, either inbound or outbound, because this policy affects only the outbound traffic of the vEdge. So again, this is a very important thing. The important things I have marked in red and the commands are in blue. Once we have all these things, we can verify with various commands; we will use those commands and verify all these things. At this point I think it is clear to you how we can build the policy.

What are the key components of the policy? What are the things we have inside policy? Let me summarize: in policy we define lists, then we have the SLA class, then we have the app-route policy, inside that we have the VPN, then match and action, and then we need to apply it via apply-policy to the site list with the app-route policy. It goes in this hierarchy. So let me close here, and in the next section I'll show you the practical example related to this.

  4. app aware routing policy implementation 01

In this section I'll show you how we can create our app-route policy. We know the key ingredients for this app-route policy and what we require for it: inside policy we need lists. Let me create the lists first, because in this case we need a VPN list, an app list and a site list. Then one by one I'll show you how we create the other things as well, like the SLA class and the app-route policy. So let us create the lists. First, let me open my vSmart controller. Here I can go to policy and check. Let me stretch this so you can also see it. So inside policy we can create lists. I can create a list, and this time the list is a VPN list; say my VPN is VPN 10, so I can give it the name vpn10. I can exit. Then my second list is something called an app list. If I type a question mark here you can see that we have this option called app-list.

I can create it like this: app-list. You can give any name; in my case, suppose I'm going to use HTTPS applications. If I type a question mark here, now we have the option of either app or app-family. I'm going to use app-family for HTTPS, and you can see which app family HTTPS belongs to: it belongs to web. Let me type a question mark, and the other app family I have is webmail. I can always check with show configuration. So for HTTPS I have the web app family and the other app family is webmail. Good. Now I can exit again and create one more app list, say for SIP traffic. What app do I want to add? This app family is actually audio and video, and you can check here whether we have traffic related to audio and video. So yes, I can mark this as audio-video. I can go to top and check my show configuration. Now we have lists related to the VPN and the app lists.

Finally I can create one more list that is related to sites. I can go to policy lists, site-list, say all-branch, and for the site ID I can take a range of 300 to 400. Likewise I can create a site list, say my DC-DR or something like that, and again give a site ID range, say from 100 to 200. I can check my configuration, and now I have all my lists; one by one I will use them. Now the second step is to create my SLA class. That I can also create inside policy, and I can check my SLA class. I have one SLA related to web, that is the HTTPS family. Here I can use latency, and I am using a latency of 100. I'll show you why: for the WAN link I will increase the latency from 100 to 200 and then we can check our service path. So I'll show you that in a few minutes.

Then the other SLA class I want to create is, say, voice-video. For this I am setting the latency to, say, 50 milliseconds. I can go to top and show configuration. I'm good with the VPN list, I'm good with the app list. And finally I want to create the other policy, that is my app-route policy, myvpn-apps or something like that; we can give any logical name. Here I need to call my VPN list, and then go inside the sequence, sequence number 10. What do I want to match? I want to match my app list, and I have my SIP app list. With that the match is done. For the action I can give log. And here you can see the important thing: we have two things here, the SLA class and the backup SLA preferred color. You know about preferred color from BFD: we are monitoring the tunnel with the help of BFD, and with the help of the colors BFD knows that this is the source TLOC and this is the destination TLOC.

So this color value is very important, and with the help of the color it can fall back to the backup SLA. And what is the preferred SLA? This simply means that if this SLA criterion matches, this is the primary path; and the backup SLA preferred color is the secondary list of preferred colors for ECMP when the primary SLA is not met, followed by count for the byte counters. Obviously this is your backup. It's okay.

So I can give this criterion here: my SLA class for voice-video is voice-video-sla, and then the preferred color. What preferred color do I have for voice-video? MPLS. That's very natural actually. And my backup SLA preferred color is Internet. I can go to top here as well and show you the configuration. What we have done so far: we have defined our SLA class, and inside the app-route policy I am matching against it with my primary and secondary paths. Obviously that is for the tunnel. So let me stop here, and in the next recording I'll show you how we populate this field. Okay? Then I can create sequence 20, then 30, like that, and give the primary and backup paths. Let me stop here.

  5. app aware routing policy implementation 02

Let us continue from the previous section. What we have done so far is that we have created lists, actually many small lists. We have created a list related to the VPN. Let me show you where the lists are. In this example we have the lists sip-app, all-branch and all-DC, then we have created app lists like HTTPS, and also an app list for other traffic. So here you can see that our configuration is here and there, but while you are doing the configuration everything comes step by step. So we have all these lists: HTTPS, SIP app, branches and then the VPN list.

That's one part. The other part is that we have our SLA classes defined: I defined an SLA for web and an SLA for voice and video. Then what I am going to do here is continue the part of the app-route policy I have already defined, say sequence number 10 for SIP with the primary and secondary tunnel paths, okay. Next I'm going to define sequence 20 for HTTPS, that is our web traffic. Then the third portion: so this is for the web traffic, this is for voice and video, like that. Step by step we will do all these things. So let me go back to our configuration template and open our vSmart.

Yes. So let me continue from where I left off. Again, I need to go inside policy and then the app-route policy, and what is the name? myvpn-apps. I have done the configuration related to sequence number 10. I need to go inside my VPN list and then sequence number 20. I can match; what do I want to match? I want to match the app list. If you type a question mark, you'll get that information for whatever you want to do. Exit from here. I want to set the action: log, and my SLA class for web is web-sla, then the preferred color, okay? So for web-sla, what do I want to do?

This time I can give biz-internet, okay? And it will fall back to some other path as well. So for the backup SLA preferred color I can also give biz-internet, because I don't want to use my MPLS circuit here. So for this traffic I can give Internet and Internet, no problem and no exception.

Here everything is fine according to the plan. Then I need to go inside sequence number 30. Here I'm not matching anything but simply giving an action. What action? The backup color is obviously my Internet. And for all other traffic that meets the voice and video SLA, I'll prefer MPLS. Let me show you the configuration, because everything seems like too much. But if we set aside the SLA classes and the VPN list, then what is the app-route policy? That is the key component here. In the app-route policy I have my application SIP, whose primary is MPLS; I have my application HTTPS, whose primary and secondary are Internet; and then I have my SLA class for everything else: whatever traffic meets this SLA will prefer MPLS. And we know that this is a positive policy, so we don't need to define anything for the default.

What is the default action? The default action, if traffic does not match any of the SLA criteria, is to pass: it is allowed over any of the tunnels. So once we have done all these things, finally we need to apply this policy. How do we apply it? We have the branches, so under apply-policy with the branch site list I can use app-route-policy myvpn-apps, that's okay. Then I can exit from here and again give the site list my DC-DR with the app-route policy, because again here we don't need to give any direction; by default this is in the egress direction, the output direction. I can go to top and check show configuration.

Now we have the full configuration. Let us validate this and then commit and quit. Now I can go to my branches and we'll do a little verification, but most of the verification we'll do in the next session. In the next recording I can check show policy from my vSmart related to the app-route policy, because this is a type of control and data policy, though mostly this is a data policy.

That's why we are able to see here that whatever site IDs we have given, all those branches have downloaded this policy, and according to the applied match and action and the SLA class they will execute this policy. Okay, so I'm going to stop here, because in the next recording I want to do the conclusion and the verification. So let me stop here in this portion, and in the next recording we'll do the verification.
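Assembled from the pieces configured across the last two recordings, here is the complete vSmart policy as one block, so you can see the hierarchy (lists, SLA classes, app-route policy, apply) in a single place. It is an added example, not the course's own configuration file: the list, SLA-class and policy names (vpn10, https-app, sip-app, all-branch, dcdr, web-sla, voice-video-sla, myvpn-apps) are my choices, biz-internet stands in for the Internet color used in the lecture, the `!` lines that carry text are commentary, and the app-family spellings should be confirmed with `?` on your own controller.

```text
! Constructed example: complete app-aware routing policy on vSmart
policy
 ! 1. Lists: VPNs, sites and applications the policy will refer to
 lists
  vpn-list vpn10
   vpn 10
  !
  site-list all-branch
   site-id 300-400
  !
  site-list dcdr
   site-id 100-200
  !
  app-list https-app
   app-family web
   app-family webmail
  !
  app-list sip-app
   app-family audio_video
  !
 !
 ! 2. SLA classes: thresholds the BFD averages must stay under (ms)
 sla-class web-sla
  latency 100
 !
 sla-class voice-video-sla
  latency 50
 !
 ! 3. App-route policy: per-VPN sequences, each with match and action
 app-route-policy myvpn-apps
  vpn-list vpn10
   ! SIP: MPLS while it meets the voice-video SLA, otherwise Internet
   sequence 10
    match
     app-list sip-app
    !
    action
     log
     sla-class voice-video-sla preferred-color mpls
     backup-sla-preferred-color biz-internet
    !
   !
   ! HTTPS: Internet both as preferred and as backup, keep MPLS free
   sequence 20
    match
     app-list https-app
    !
    action
     log
     sla-class web-sla preferred-color biz-internet
     backup-sla-preferred-color biz-internet
    !
   !
   ! No match clause: everything else prefers MPLS if it meets the voice-video SLA
   sequence 30
    action
     sla-class voice-video-sla preferred-color mpls
     backup-sla-preferred-color biz-internet
    !
   !
  !
 !
!
! 4. Apply to site lists only: no direction, app-route acts on vEdge egress
apply-policy
 site-list all-branch
  app-route-policy myvpn-apps
 !
 site-list dcdr
  app-route-policy myvpn-apps
 !
!
```

There is no default-action line because, as the lecture says, app-aware routing is a positive policy: traffic that matches no sequence, or matches one whose SLA no tunnel meets, is still forwarded over any available tunnel rather than dropped. If two tunnels of the preferred color both meet the SLA, the vEdge load-balances across them. After `commit`, confirm the push on a branch with `show policy from-vsmart`, and check an individual flow's path with `show policy service-path` and the measured averages with `show app-route stats`, which are the commands the verification section walks through.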

  6. app aware routing policy Verification

Let us do the verification, and I'm going to use some simulation in this section as well. So let us do that here. If I go to my vEdge device, how can we verify this? I can use show app. If you type a question mark you have the option of either app or app-route. I will show you both of them. Then we have the DPI inspection related to flows, and here you can see that we have the flows: we have audio and video, meaning we have the applications SIP and RTP. That's good. I am here in my branch number two and this is my local PC inside VPN 10. Apart from that I can use show flow, and show app-route: we have the SLA class, and if you want to see it in detail, all the SLA classes, then you can use stats, and one by one you will get the status of all the traffic, from where to where it is going.

So from here, if I want to check how it is going to the data center, I can view this information in tabular format like this, and you can see that because I have both links, one is MPLS and one is Internet, it is showing that okay, I can reach this. So for example, suppose I am going to my data center one via the MPLS path, because you can see here the mean loss is 100, latency is zero, jitter is zero. So what if I increase the latency here from zero to, say, 200? Then what will happen? Will they divert their path? Then we need to check it. And the other way to check that information is to use a command, something like show policy service-path for VPN number 10: what is my interface? For VPN 10, what is my source IP? Say 100 410 is my source IP, what is my destination, what protocol do I want to check? At the moment it is using the Internet path for protocol number one. If I check why it is showing the Internet path: here it is showing that it is using the MPLS link to reach this location. So it depends on what type of traffic is going, because for HTTPS traffic both links should be MPLS.

So I have checked different options with this particular branch and everything is going towards the Internet, which is very strange. What you can do here is check the control connections on your vManage, and then we come to know that one control connection is down and it is showing that your MPLS is down. So everything is going towards the Internet. So no problem, I will do the testing with another branch. Before going there, let me show you show control connections as well, just to verify that one of the links is down. Here you can see that it is showing that my control connection is up towards vSmart. But if I go to my vManage dashboard, now it is up. Okay? So you can see these things may happen. So now my control is up, everything is up. That's why it is showing that you have reachability to your controller via both the Internet and the MPLS link. So now if I go and check my protocol number 17, that is UDP, now this is via MPLS.

Why? Because these RTP packets are using UDP port numbers. If I go back to my show flow and my DPI information, show app dpi flows, you can see that your RTP is using protocol UDP, and for this particular RTP we can check the SLA as well. So we are using the SLA for it; let me show you that SLA. What I am doing here for video and voice is that the preferred color is MPLS and the backup is Internet. That's why, if I'm checking the service path for my RTP, it is going via MPLS. Now again, actually my MPLS link is flapping, so that's why the result varies, but you can understand how it is working here. And the control connection is not constant.

That's why this is happening. Let me quickly check my show control connections. This is the thing you need to verify as well: show control connections. See, my MPLS is gone, so that's why everything is going towards the Internet. But anyway, what you can do here to redirect the traffic: obviously if one of your links is down, it will go to the other link. So what I'm going to do here is start my WAN emulator, and on the WAN interface I'm going to increase the delay for all the interfaces to, say, 300. My SLA delay is, how much have we configured?

The latency is actually 100, and here I am giving more than that. So if this condition does not match, the traffic will automatically fall back to the Internet. But here it is showing that everything is going through the Internet, because my MPLS link is flapping. Now it is up. If I go to my service path, it is MPLS; because I have increased the latency I'll go back, and I need to apply the setting. The setting is applied to a virtual interface. That's good. Now if I check the traffic, it is Internet; if I check the control, it is up. Okay, so now my traffic is going towards the Internet because it is not matching the criteria. And the other way to check this is to check the flow stats. So let me go to show app-route.

Let me go there. I can check something like show app-route and then the stats. Let me do that: show app-route stats, I can use tab. Here in this field you can see that the latency has increased, so that's why it is not going via MPLS; it is falling back to the Internet. The traffic is going towards the Internet, and the index class here you can see is mapped to Internet. And if we see our index app class, the index is mapped towards Internet and zero, which is the default value here. Okay, so we have done lots of things related to app-route policies, and it's actually very important. That's why I took this much time, so that you can also understand and apply it in real-world scenarios. Okay then, thanks for your time.
