Configuring Segmentation

Posted on Jan 27, 2020

In a Cisco Viptela network, VPNs segregate network traffic. Two VPNs exist by default: VPN 0 for the WAN transport and VPN 512 for out-of-band management.

To segment and isolate user data traffic locally, you create additional VPNs. These are neither VPN 0 nor VPN 512; they are identified by any other number. For a VPN to carry data traffic, at least one interface must be placed in it and given an IP address. Such interfaces connect to the local site network, not to the WAN transport cloud.

Configure the Transport VPN on a vEdge Router

Configure the WAN transport interface:

vEdge(config)# vpn 0 interface interface-name
vEdge(config-interface)#

Configure a static IPv4 address for the interface:

vEdge(config-interface)# ip address prefix/length
vEdge(config-interface)#

Or you can enable DHCP on the interface so that it learns its IP address dynamically:

vEdge(config-interface)# ip dhcp-client [dhcp-distance number]
vEdge(config-interface)#

When an interface learns its IPv4 address from a DHCP server, it can also learn routes from that server; those routes are installed with an administrative distance of 1 by default. To change the default, include the dhcp-distance option, specifying a distance from 1 through 255.

To enable dual stack, configure a static IPv6 address for the interface:

vEdge(config-interface)# ipv6 address prefix/length
vEdge(config-interface)#

Or you can enable DHCPv6 on the interface so that it learns its IPv6 address dynamically:

vEdge(config-interface)# ipv6 dhcp-client [dhcp-distance number] [dhcp-rapid-commit]
vEdge(config-interface)#

When an interface learns its IPv6 address from a DHCPv6 server, it can also learn routes from that server; those routes are installed with an administrative distance of 1 by default. To change the default, include the dhcp-distance option, specifying a distance from 1 through 255.

Enable the interface:

vEdge(config-interface)# no shutdown

Configure the WAN transport tunnel connection:

vEdge(config-interface)# tunnel-interface
vEdge(config-tunnel-interface)#

Configure a color for the tunnel connection as an identifier for the tunnel:

vEdge(config-tunnel-interface)# color color
vEdge(config-tunnel-interface)#

color can be 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metroethernet, mpls, private1 through private6, public-internet, red, and silver. The default color is default.

Configure the encapsulation to use on tunnel connection:

vEdge(config-tunnel-interface)# encapsulation (gre | ipsec)
vEdge(config-tunnel-interface)#

To configure both IPsec and GRE encapsulation on the same tunnel, include two encapsulation commands, one for each.

Enable DNS service in the VPN by configuring the IP address of a DNS server reachable from VPN 0:

vEdge(config-vpn-0)# dns ip-address (primary | secondary)

The address can be either an IPv4 or IPv6 address. By default, the IP address is for the primary DNS server.

If required configure IPv4 and IPv6 static routes in VPN 0:

vEdge(config-vpn-0)# ip route prefix/length next-hop [administrative-distance]
vEdge(config-vpn-0)# ipv6 route prefix/length next-hop [administrative-distance]

Activate the configuration:

vEdge(config)# commit

Below is an example of VPN 0 on a vEdge router with ge0/0 configured as the transport interface. The other seven interfaces still belong to VPN 0, because they have not yet been assigned to any other VPN, and they are shut down. Note the allow-service lines under tunnel-interface: they control which services the router answers on the WAN-facing transport. This example permits only DHCP, DNS and ICMP and explicitly denies sshd, ntp and stun, which is the sensible default for an interface exposed to the underlay.

vpn 0
 interface ge0/0
  ip address 10.10.10.10/24
  ipv6 address fd00:2345::/16
  tunnel-interface
   color biz-internet
   encapsulation ipsec
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service ntp
   no allow-service stun
  !
  no shutdown
 !
 interface ge0/1
  shutdown
 !
 interface ge0/2
  shutdown
 !
 interface ge0/3
  shutdown
 !
 interface ge0/4
  shutdown
 !
 interface ge0/5
  shutdown
 !
 interface ge0/6
  shutdown
 !
 interface ge0/7
  shutdown
 !
!

When you create another VPN to carry data traffic and configure an interface under it, that interface is removed from VPN 0 automatically. In the example below, ge0/3 has moved from VPN 0 into VPN 10, where OSPF runs on it and OMP routes are redistributed into OSPF under the route policy test-policy:

vpn 0
 interface ge0/0
  ip address 10.10.10.10/24
  tunnel-interface
   color biz-internet
   encapsulation ipsec
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service ntp
   no allow-service stun
  !
  no shutdown
 !
 interface ge0/1
  shutdown
 !
 interface ge0/2
  shutdown
 !
 interface ge0/4
  shutdown
 !
 interface ge0/5
  shutdown
 !
 interface ge0/6
  shutdown
 !
 interface ge0/7
  shutdown
 !
!
vpn 10
 router
  ospf
   redistribute omp route-policy test-policy
   area 0
    interface ge0/3
    exit
   exit
  !
 !
 interface ge0/3
  ip address 10.10.11.10/24
  no shutdown
 !
!

If you plan to configure a subinterface in a data VPN, the parent (main) interface must remain in VPN 0 and must be enabled with no shutdown. In the example below, ge0/3 stays in VPN 0 and the subinterface ge0/3.1 is placed in VPN 10. Note that this example also sets allow-service for sshd, ntp and stun on the transport tunnel, which makes those services reachable from the WAN; enable them only when you have a reason to.

vpn 0
 dns 1.2.3.4 primary
 interface ge0/0
  ip address 10.10.10.10/24
  tunnel-interface
   preference 100
   allow-service dhcp
   allow-service dns
   allow-service icmp
   allow-service sshd
   allow-service ntp
   allow-service stun
  !
  no shutdown
 !
 interface ge0/1
  shutdown
 !
 interface ge0/2
  shutdown
 !
 interface ge0/3
  no shutdown
 !
 interface ge0/4
  shutdown
 !
 interface ge0/5
  shutdown
 !
 interface ge0/6
  shutdown
 !
 interface ge0/7
  shutdown
 !
!
vpn 10
 router
  ospf
   redistribute omp route-policy test-policy
   area 0
    interface ge0/3.1
    exit
   exit
  !
 !
 interface ge0/3.1
  ip address 10.10.11.1/24
  no shutdown
 !
!

Configure the Transport VPN on a vSmart Controller

Configure the WAN transport interface:

vSmart(config)# vpn 0 interface interface-name
vSmart(config-interface)#

Configure a static IPv4 address for the interface:

vSmart(config-interface)# ip address prefix/length
vSmart(config-interface)#

Or you can enable DHCP on the interface so that it learns its IP address dynamically:

vSmart(config-interface)# ip dhcp-client [dhcp-distance number]
vSmart(config-interface)#

When an interface learns its IPv4 address from a DHCP server, it can also learn routes from that server; those routes are installed with an administrative distance of 1 by default. To change the default, include the dhcp-distance option, specifying a distance from 1 through 255.

Enable the interface:

vSmart(config-interface)# no shutdown

Enable DNS service in the VPN by configuring the IP address of a DNS server reachable from VPN 0:

vSmart(config-vpn-0)# dns ip-address (primary | secondary)

If required, configure IPv4 and IPv6 static routes in VPN 0:

vSmart(config-vpn-0)# ip route prefix/length next-hop [administrative-distance]
vSmart(config-vpn-0)# ipv6 route prefix/length next-hop [administrative-distance]

Configure any other properties specific to the tunnel interface, the interface, or VPN 0.

Activate the configuration:

vSmart(config)# commit

Example: eth0 takes its address from DHCP, eth1 is the transport interface with a static address, and the tunnel on eth1 allows only SSH and ICMP:

vpn 0
 dns 1.2.3.4 primary
 interface eth0
  ip dhcp-client
  no shutdown
 !
 interface eth1
  ip address 10.10.10.10/24
  tunnel-interface
   allow-service sshd
   allow-service icmp
  !
  no shutdown
 !
 ip route 0.0.0.0/0 10.10.10.11
!

Configure VPNs To Carry Data Traffic

To create a data traffic VPN:

Configure the VPN:

vEdge(config)# vpn number
vEdge(config-vpn)#

The VPN number can be in the range 1 through 511, and 513 through 65535.

Configure at least one interface in the VPN and its IP address:

vEdge(config-vpn)# interface interface-name ip address address/prefix
vEdge(config-interface)#

Activate the interface:

vEdge(config-interface)# no shutdown

Enable DNS service in the VPN by configuring the IP address of a DNS server reachable from that VPN:

vEdge(config-vpn)# dns ip-address

If desired, configure IPv4 static routes in the VPN:

vEdge(config-vpn)# ip route prefix/length next-hop [administrative-distance]

Configure any other properties specific to the interface or to the VPN.

Activate the configuration:

vEdge(config)# commit
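The procedures above leave a few rules that are easy to get wrong when configs are written by hand or pasted from templates: a data VPN only carries traffic once it has an enabled interface with an address, a subinterface's parent must stay in VPN 0 and be no shutdown, and the allow-service list on the transport tunnel decides what the router answers from the WAN. The following Python script is an added example, written for this page and not part of the original post or of Cisco's tooling. It parses vEdge-style CLI text like the snippets above (indentation ignored, so pasted text works) and reports violations of those rules. The two sample configurations are constructed for the example, and the BASELINE_SERVICES set (dhcp, dns, icmp) is an assumption taken from the first VPN 0 example on this page rather than a Cisco recommendation.

```python
"""Audit vEdge (Cisco Viptela) CLI text against the segmentation rules on this
page. Editor's added example, not Cisco tooling; samples below are constructed."""

# Assumed minimal service set for a WAN-facing tunnel interface, taken from the
# first VPN 0 example on this page (not a Cisco recommendation). Anything beyond
# it, such as sshd/ntp/stun, is reachable from the underlay and needs a reason.
BASELINE_SERVICES = {"dhcp", "dns", "icmp"}
BLOCK_OPENERS = {"vpn", "interface", "tunnel-interface", "router", "ospf", "area"}


def _iface():
    # up: a vEdge interface stays down until 'no shutdown'; services: the
    # allow-service entries still in effect after any 'no allow-service' lines
    return {"addresses": [], "up": False, "tunnel": False, "services": set()}


def parse_config(text):
    """Return {vpn_id: {iface_name: iface_dict}}. Indentation is ignored, so
    text pasted from a web page parses; '!' and 'exit' each close one block
    (vEdge prints '!!' when two blocks end on the same line)."""
    vpns, stack = {}, []  # stack entries: (kind, object)
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "exit" or set(line) == {"!"}:
            del stack[-max(1, line.count("!")):]
            continue
        words = line.split()
        kind, obj = stack[-1] if stack else (None, None)
        if words[0] == "vpn":
            vid = int(words[1])
            vpns.setdefault(vid, {})
            stack.append(("vpn", vid))
        elif words[0] == "interface" and kind == "vpn":
            stack.append(("iface", vpns[obj].setdefault(words[1], _iface())))
        elif words[0] == "tunnel-interface" and kind == "iface":
            obj["tunnel"] = True
            stack.append(("tunnel", obj))
        elif words[0] in BLOCK_OPENERS:  # router/ospf/area: opaque to the audit
            stack.append(("other", None))
        elif kind in ("iface", "tunnel"):
            if words[:2] in (["ip", "address"], ["ipv6", "address"]):
                obj["addresses"].append(words[2])
            elif words[:2] == ["ip", "dhcp-client"]:
                obj["addresses"].append("dhcp")
            elif line in ("shutdown", "no shutdown"):
                obj["up"] = line.startswith("no")
            elif words[:2] == ["no", "allow-service"]:
                obj["services"].discard(words[2])
            elif words[0] == "allow-service":
                obj["services"].add(words[1])
    return vpns


def audit(vpns):
    """Return findings as strings; an empty list means the checks pass."""
    findings = []
    for vid, ifaces in vpns.items():
        for name, ifc in ifaces.items():
            extra = sorted(ifc["services"] - BASELINE_SERVICES) if ifc["tunnel"] else []
            if extra:
                findings.append(f"vpn {vid} {name}: exposes {','.join(extra)} on the WAN transport")
            if "." in name:  # subinterface: parent must stay in VPN 0 and be enabled
                parent = vpns.get(0, {}).get(name.split(".")[0])
                if not (parent and parent["up"]):
                    findings.append(f"vpn {vid} {name}: parent must be in VPN 0 with 'no shutdown'")
        if vid not in (0, 512) and not any(i["up"] and i["addresses"] for i in ifaces.values()):
            findings.append(f"vpn {vid}: no enabled interface with an address, so it carries no data")
    return findings


# Constructed sample: the subinterface layout from the page, but with the parent
# shut down and management services opened on the WAN-facing tunnel.
WEAK = """
vpn 0
 interface ge0/0
  ip address 10.10.10.10/24
  tunnel-interface
   allow-service dhcp
   allow-service dns
   allow-service icmp
   allow-service sshd
   allow-service ntp
   allow-service stun
  !
  no shutdown
 !
 interface ge0/3
  shutdown
 !
!
vpn 10
 interface ge0/3.1
  ip address 10.10.11.1/24
  no shutdown
 !
!
"""
# Corrected form: deny the extra services on the transport, bring the parent up.
FIXED = (WEAK.replace("allow-service sshd", "no allow-service sshd")
             .replace("allow-service ntp", "no allow-service ntp")
             .replace("allow-service stun", "no allow-service stun")
             .replace("ge0/3\n  shutdown", "ge0/3\n  no shutdown"))
```

Running audit(parse_config(WEAK)) reports two findings (sshd/ntp/stun exposed on ge0/0, and ge0/3.1 whose parent is shut down), while FIXED passes cleanly. The parser treats router, ospf and area blocks as opaque so that the interface lines inside an OSPF area are not mistaken for VPN membership, which is exactly the case in the VPN 10 examples above.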
