CCNP Enterprise

PlAwAnSaI

Administrator
Enterprise Designing and Implementing Cloud Connectivity:

  1. Enhanced Policy-Based Routing (ePBR) is used to direct packets that arrive at an interface to a specified next hop. It is very useful in managing a large number of configured access lists more efficiently. In ePBR, the router drops the traffic packets if the next hop configured in the PBR policy is not reachable. To avoid packet loss in such scenarios, you must configure multiple next hops for each access control entry. Here are the steps to configure ePBR for IPv4 using Cisco vManage:
    1. Configure an extended ACL: This step involves defining the network or the host. For example, you can permit IPv4 traffic from any source to specific hosts.
    2. Configure a class map that matches the ACL: Class maps match the parameters in the ACLs. For instance, you can create a class map of type traffic and match it with the previously created ACL.
    3. Configure the policy map with the action to set the next hop: Policy maps with ePBR then take detailed actions based on the set statements configured. You can configure an ePBR policy map with the class map and set the next hop.
    4. Apply the service policy on the interface: Finally, apply the ePBR policy map to the interface. For example, you can apply the policy map to a Gigabit Ethernet interface.
  2. Security groups are a feature in AWS that allow you to control the inbound and outbound traffic to instances. They act as a virtual firewall that can filter the traffic based on the source, destination, protocol, and port. You can assign one or more security groups to instances, and each security group can have multiple rules. Security groups are stateful, meaning that they automatically allow the response traffic for any allowed inbound traffic, and vice versa. Security groups are essential for securing nodes in the AWS EKS cluster, as they can prevent unauthorized access to databases or other resources. You can also use security groups to isolate nodes from other instances in the same VPC or subnet, or to allow communication between nodes in different clusters or regions.

  3. ExpressRoute is a service that provides a dedicated, private, and high-bandwidth connection between the customer's on-premises network and Microsoft Azure cloud network.
    Private peering is a type of ExpressRoute circuit that allows the customer to access Azure services that are hosted in a virtual network, such as virtual machines, storage, and databases.
    Secure Data Center Interconnect (SDCI) is a Cisco solution that enables secure and scalable connectivity between multiple data centers and cloud providers, using technologies such as MPLS, IPsec, and SD-WAN.
    By using ExpressRoute with private peering and SDCI, the company can achieve the following benefits:
    • High availability: ExpressRoute circuits are redundant and resilient and can be configured with multiple service providers and locations for failover and load balancing. SDCI also provides high availability by using dynamic routing protocols and encryption mechanisms to ensure optimal and secure path selection.
    • Redundancy: ExpressRoute circuits can be paired together to form a redundant connection between the customer's network and Azure. SDCI also supports redundancy by allowing multiple connections between data centers and cloud providers, using different transport technologies and service levels.
    • Low latency: ExpressRoute circuits offer lower latency than public internet connections, as they bypass the congestion and variability of the internet. SDCI also reduces latency by using MPLS and SD-WAN to optimize the performance and quality of service for the traffic between data centers and cloud providers.
  4. To enable the OMP advertisement of BGP routes for a specific VRF instance on a Cisco IOS XE SD-WAN device, the engineer must first configure the global address-family ipv4 and then enable bgp advertisement under the vrf definition. This will allow the device to advertise the BGP routes learned from the cloud provider to the OMP control plane, which will then distribute them to the other SD-WAN devices in the overlay network.

  5. An engineer needs to configure a site-to-site IPsec VPN connection between an on-premises Cisco IOS XE router and Amazon Web Services (AWS).
    Code:
    crypto keyring keyring-vpn-000001
      pre-shared-key address 20.20.20.29 key awskey01
    !
    crypto keyring keyring-vpn-000002
      pre-shared-key address 40.40.40.29 key awskey02
    !
    interface Tunnel1
      ip address 30.30.30.29 255.255.255.252
      tunnel destination 20.20.20.29
    !
    interface Tunnel2
      ip address 30.30.30.33 255.255.255.252
      tunnel destination 40.40.40.29
    !
    The two IP prefixes that should be used to configure the AWS routing options are 20.20.20.0/24 & 40.40.40.0/24, because they are the IP prefixes that match the tunnel interfaces on the Cisco IOS XE router. The AWS routing options should include the local and remote IP prefixes that are used for the IPsec tunnel endpoints.

  6. The bgp advertise-best-external command is used to enable the advertisement of the best external path to internal BGP peers. This command is useful when there are multiple exit points from the local AS to other ASes, and the local AS wants to use the closest exit point for each destination. By default, BGP only advertises the best path to its peers, and the best path is usually the one with the lowest IGP metric to the next hop. However, this may not be the optimal path for traffic leaving the local AS, as it may result in suboptimal hot-potato routing or MED oscillations. The bgp advertise-best-external command allows BGP to advertise the best external path, which is the path with the lowest MED among the paths from different neighboring ASes, in addition to the best path. This way, the internal BGP peers can choose the best exit point based on the MED value, rather than the IGP metric.
    Code:
    https://ithitman.blogspot.com/2015/04/configuring-cisco-bgp-best-external.html

  7. The process of configuring a Cisco SD-WAN Cloud Interconnect with Equinix involves several steps:

    Cloud-Interconnect-wEquinix-copy.png
    1. This is the first step, where you ensure that you have the necessary UUIDs for the required number of Cisco SD-WAN Virtual Edge instances that you want to deploy as Interconnect Gateways.
    2. After ensuring the availability of UUIDs, create the necessary network segments.
    3. After setting up the network segments, attach the Cisco SD-WAN Virtual Edge to the Equinix device template.
    4. Finally, create the Interconnect Gateway at the Equinix location that is closest to the SD-WAN branch location.
  8. To send traffic into an IPsec tunnel to the cloud VPN gateway, the engineer must configure two actions:
    1. Configure access lists that match the interesting user traffic. This is the traffic that needs to be encrypted and sent over the IPsec tunnel. The access lists are applied to the crypto map that defines the IPsec parameters for the tunnel.
    2. Configure Policy-Based Routing (PBR). This is a technique that allows the engineer to override the routing table and forward packets based on a defined policy. PBR can be used to send specific traffic to the IPsec tunnel interface, regardless of the destination IP address. This is useful when the cloud VPN gateway has a dynamic IP address or when multiple cloud VPN gateways are available for load balancing or redundancy.
  9. An engineer must redistribute IBGP routes into OSPF to connect an on-premises network to a cloud provider.
    Code:
    https://github.com/ThaiCPE/encc/blob/main/README.md
    The redistribute bgp 100 ospf 1 command redistributes the routes learned from BGP AS100 into OSPF Area 1, which allows router R3 to advertise those routes to router R2 and connect the on-premises network to the cloud provider.
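An added example, not part of the original post: a Python check that parses the item 5 router configuration, verifies that each tunnel destination has a matching keyring pre-shared-key entry, and confirms it falls within the AWS routing prefixes the answer names. The configuration text is the one quoted above, embedded here as a constructed sample.

```python
import ipaddress
import re

# Constructed sample: the router configuration quoted in item 5 above.
ROUTER_CONFIG = """\
crypto keyring keyring-vpn-000001
  pre-shared-key address 20.20.20.29 key awskey01
!
crypto keyring keyring-vpn-000002
  pre-shared-key address 40.40.40.29 key awskey02
!
interface Tunnel1
  ip address 30.30.30.29 255.255.255.252
  tunnel destination 20.20.20.29
!
interface Tunnel2
  ip address 30.30.30.33 255.255.255.252
  tunnel destination 40.40.40.29
!
"""
# Prefixes the post says belong in the AWS routing options.
AWS_PREFIXES = ["20.20.20.0/24", "40.40.40.0/24"]


def parse_config(text):
    """Return ({tunnel: destination}, {peer addresses that have a PSK})."""
    tunnels, psk_peers, current = {}, set(), None
    for line in text.splitlines():
        if line.startswith("interface "):
            m = re.match(r"interface (Tunnel\d+)", line)
            current = m.group(1) if m else None  # ignore non-tunnel interfaces
            continue
        m = re.match(r"\s+tunnel destination (\S+)", line)
        if m and current:
            tunnels[current] = m.group(1)
            continue
        m = re.match(r"\s+pre-shared-key address (\S+) key \S+", line)
        if m:
            psk_peers.add(m.group(1))
    return tunnels, psk_peers


def check_tunnels(text, aws_prefixes):
    """Flag tunnels whose peer has no keyring PSK or lies outside the AWS prefixes."""
    tunnels, psk_peers = parse_config(text)
    nets = [ipaddress.ip_network(p) for p in aws_prefixes]
    report = {}
    for name, dest in tunnels.items():
        addr = ipaddress.ip_address(dest)
        report[name] = {"destination": dest, "has_psk": dest in psk_peers,
                        "in_aws_prefix": any(addr in n for n in nets)}
    return report
```

A tunnel reported with has_psk False will fail IKE authentication; one with in_aws_prefix False points at an AWS routing entry that does not cover the peer.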

PlAwAnSaI

Administrator
9+
  1. Cisco SD-WAN IPsec tunnels are different from native IPsec VPN tunnels in several ways. One of the unique features of Cisco SD-WAN IPsec tunnels is that they support real-time dynamic path selection, which means that they can automatically choose the best path for each application based on the network conditions and policies. This feature improves the performance, reliability, and efficiency of the network traffic. Native IPsec VPN tunnels, on the other hand, do not have this capability and rely on static routing or manual configuration to select the path for each tunnel. This can result in suboptimal performance, increased latency, and higher costs.