ASD - 9.04-v1.32 - Student and Lab Guide
Trademark Notification
The following are trademarks of Silver Peak (acquired by Aruba, a Hewlett Packard Enterprise
company, in 2020): Silver Peak SystemsTM, the Silver Peak logo, Network Memory™, Silver Peak
NX-Series™, Silver Peak VX-Series™, Silver Peak VRX-Series™, Silver Peak Unity EdgeConnect™, Silver
Peak Orchestrator™, Aruba EdgeConnect™, Aruba Orchestrator™, and Aruba Boost™. All trademark
rights reserved. All other brand or product names are trademarks or registered trademarks
of their respective companies or organizations.
THIS DOCUMENTATION IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. SILVER
PEAK (ACQUIRED BY ARUBA, A HEWLETT PACKARD ENTERPRISE COMPANY, IN 2020) ASSUMES
NO RESPONSIBILITY FOR ERRORS OR OMISSIONS IN THIS DOCUMENTATION OR OTHER
DOCUMENTS WHICH ARE REFERENCED BY OR LINKED TO THIS DOCUMENTATION. REFERENCES
TO CORPORATIONS, THEIR SERVICES AND PRODUCTS, ARE PROVIDED “AS IS” WITHOUT
WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED. IN NO EVENT SHALL SILVER PEAK
(ACQUIRED BY ARUBA, A HEWLETT PACKARD ENTERPRISE COMPANY, IN 2020) BE LIABLE FOR
ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY
DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM LOSS OF
USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON
ANY THEORY OF LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OF THIS
DOCUMENTATION. THIS DOCUMENTATION MAY INCLUDE TECHNICAL OR OTHER INACCURACIES
OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION
HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THE
DOCUMENTATION. SILVER PEAK (ACQUIRED BY ARUBA, A HEWLETT PACKARD ENTERPRISE
COMPANY, IN 2020) MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S)
AND/OR THE PROGRAM(S) DESCRIBED IN THIS DOCUMENTATION AT ANY TIME.
ASD 9.04-9.03 v1.3 Student & Lab Guide Do Not Replicate Page 2 of 175
Table of Contents
LAB 1: LAB FAMILIARIZATION AND LICENSING DEVICES (page 4)
REVIEW #1: PATH AND ROUTE SELECTION & MONITORING (page 18)
REVIEW #2: POLICIES (page 20)
REVIEW #3: LOOPBACK INTERFACES (page 21)
REVIEW #4: HIGH AVAILABILITY (page 22)
LAB 2: CREATE ORCHESTRATED LOOPBACKS (page 23)
LAB 3: CONFIGURING EDGEHA (page 29)
REVIEW #5: INTERNET BREAKOUT AND TRAFFIC CLASSIFICATION (page 39)
REVIEW #6: IP SLA (page 40)
LAB 4: LOCAL INTERNET BREAKOUT (page 41)
REVIEW #7: BGP (page 71)
LAB 5: BGP (page 72)
REVIEW #8: OSPF (page 87)
LAB 6: OSPF (page 88)
REVIEW #9: ROUTE MAPS (page 97)
LAB 7: ROUTE MAPS (page 98)
REVIEW #10: REGIONS (page 118)
LAB 8: REGIONS (page 120)
REVIEW #11: SECURITY FEATURES (page 136)
REVIEW #12: ZONE BASED FIREWALL (page 137)
LAB 9: ZONE BASED FIREWALL (page 138)
REVIEW #13: ASYMMETRY & FLOW REDIRECTION (page 153)
LAB 10: SEGMENTATION (VRF) (page 154)
APPENDIX A: CONNECTING TO READYTECH FOR INSTRUCTOR-LED TRAINING (ILT) STUDENTS (page 167)
APPENDIX B: SOLUTIONS TO COMMON ISSUES (page 168)
APPENDIX C: 221 – ASD 9.X LAB TOPOLOGY (page 174)
APPENDIX D: TABLE OF USERNAMES AND PASSWORDS (page 175)
Objectives
PLEASE NOTE: This lab guide is used for both the Instructor-Led Course (221a) and
the Self-Paced Course (221b).
Whenever instructions are specific to each course, you will see them separated in a Table as
shown below:
Task 1: Review Lab Topology
1. You can view the PDF of the Lab Topology directly from the Landing Desktop.
2. The 3rd tab in Chrome also opens the same file by default.
- Username: Administrator
- Password: Speak-123
Note there are various viewing options in the Desktop drop-down menu, such as Best fit, Scale
to fit, Detach window and Full screen mode. Try them to see which works best for your display.
Task 3: Verify all of the Virtual Machines are Set Up
b. Click Advanced.
- Username: root
- Password: Training1!
6. Click on Log in.
7. At the top-left, if not yet expanded, click on the Navigator button.
221a: INSTRUCTOR-LED STUDENTS: If any of your VMs are not up, inform the Instructor.
221b: SELF-PACED STUDENTS: Take a break, then recheck the list in a little while. Remember that a full deployment can take 3+ hours.
If some are in the state, turn them on one at a time.
a. Click Advanced.
b. Click Proceed to 192.168.1.254 (unsafe).
Again, you may need to scroll down a bit to see this one.
- Username: admin
- Password: Speak-123
1) Return to VMware.
A) Select the checkbox next to its name.
E) After about 4 minutes, refresh your browser window to make sure the
Orchestrator login screen is displayed.
Note: This would be a good time for a quick break
Refresh the browser as needed until you see the login screen on the Orchestrator tab in
your browser. Again, this can take several minutes after the VM reboot finishes while
background tasks bring up the Orchestrator web server.
- Site 1: Singapore
- Site 2: Mumbai
- Site 3: Santa Clara
b. The Preconfigure Appliances tab is open, listing all 5 (five) devices.
- Their Status should be: Pending Discovery
c. The upper right side will not show any alarms.
Task 5: Access the Landing Desktop with this Windows Navigation Tip
19. You can get to the desktop quickly by clicking on the desktop icon next to the magnifying glass (beside the Windows Start button).
20. This is a toggle button which will allow you to easily hide/unhide active windows to
view the lab topology.
21. Click on the icon to display the Landing PC Desktop
23. When the script completes, it will display the ASD Lab 1 – Setup Log.txt file.
25. Click on the black Command Prompt window and press any key to continue.
a. Close the Notepad file.
- For our lab, you need to do all configuration and steps in this Student and Lab Guide on the Student Landing Desktop.
- If you haven’t noticed yet, the Windows Task Bar and application windows are Orange, to help indicate you are actually working on the Landing Desktop.
32. The 3 Sites will contain the following in Tree View:
34. After 10+ minutes, appliances will show Finished under the Status column. Close the Preconfigure Appliances tab.
Task 8: Verify the Orchestrator can reach the Cloud Portal and is Registered
35. Open the Cloud Portal Licensing tab from the Search Menu bar next to the Support tab: type lice
36. It should show
- Notice that all the appliances have all the overlays applied, except for ECV-2, which is missing one.
2) T/F – Silver Peak can exchange routes with a Cisco Router via Subnet Sharing.
3) T/F – In a subnet table, all else being equal, the route with the lowest metric is preferred.
6) Is it possible for a static route to only be applied to LAN-to-WAN traffic? If so, which tag would it have?
7) T/F – It is possible for an appliance to advertise a route that it doesn’t actually use to route traffic.
8) How can you determine if an appliance has a route to a destination without testing it with traffic?
9) T/F – You should always use Reset All in the flow table to make sure a connection gets reset.
10) T/F – “Inbound” traffic is coming from the LAN into the Silver Peak.
11) T/F – An appliance uses the management routing table to route traffic between two end devices at different sites.
12) How do you make sure an appliance knows all the external IP addresses that can be used to reach the Orchestrator?
2) T/F: Built-in optimization policies are in the 10,000 range and will be applied to unboosted traffic.
6) Is traffic matching an overlay that is boosted always treated exactly the same? If not, why?
7) What is the default action for traffic flowing between two different security zones?
8) T/F: A built-in route policy rule with a priority of 65506 will never be matched if there is a manual policy with a priority of 999 that matches the traffic.
3) Can more than one group of orchestrated interfaces be created with different interface and security zone labels?
5) If you decide to use a loopback interface for management, what do you need to do for this to work properly?
6) Where will a loopback interface used to manage the appliance look for routes to direct self-originated traffic?
3) If appliance B were to lose its connection to the internet, could it route traffic to appliance C via MPLS?
4) See animation – If appliance C were to lose its connection to the Internet, could it still connect users to Office 365 via the one on device B (assuming its Internet connection is up)?
5) When troubleshooting, what do you need to remember for traffic that is going from appliance A, across the HA interface, to local internet breakout on appliance B?
6) If A and B both had Internet connections on the WAN, and one of the WAN connections failed, would connections that had to move to the other appliance be reset if:
a) They were going in a tunnel to a server attached to another Silver Peak peer?
Objective
- Learn how to create and distribute loopback addresses and use them to test connectivity in a later lab.
3. Click Select All in the upper right of the Alarms page.
4. Click Clear.
NOTE: By default, the 10.0.0.0/24 subnet is added for the Orchestrator to allocate
loopback addresses from. In 98% of cases you DO NOT want to accept this default
because that subnet is often already in use, so remember to change it to a range
appropriate for your network as demonstrated in this step, if needed.
16. Watch and wait for Orchestration to complete, then close the window.
17. You should see Applied successfully appear at the bottom of the screen.
Notice that the Orchestrator has created a loopback interface on every machine from the configured range, and assigned a /32 IP address.
As you can see, a loopback interface named lo20000 has been created on every appliance and an IP address has automatically been assigned from the configured range. Your addresses may have been assigned differently than shown here. The use of the 20,000 range for interface numbering is consistent with other orchestrated objects, like route policies, which also fall in the 20,000 range.
Note: You cannot edit the assigned address of orchestrated interfaces, although it is possible to manually add additional loopback interfaces with manually assigned addresses.
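As an added illustration of the note about the default pool (this is example code, not Orchestrator's own logic), the script below tests a proposed loopback pool against subnets already in use and then hands out one /32 per appliance the way the lab describes. The in-use subnet list and the pool values are constructed for the example.

```python
"""Plan an orchestrated loopback pool: reject a pool that overlaps existing
subnets, then allocate one /32 host address per appliance."""
import ipaddress
from typing import Dict, List


def pool_conflicts(pool: str, in_use: List[str]) -> List[str]:
    """Return the in-use subnets that overlap the proposed loopback pool.

    An empty list means the pool is safe to hand to Orchestrator.
    """
    pool_net = ipaddress.ip_network(pool, strict=True)
    return [
        subnet for subnet in in_use
        if ipaddress.ip_network(subnet, strict=False).overlaps(pool_net)
    ]


def allocate_loopbacks(pool: str, appliances: List[str]) -> Dict[str, str]:
    """Assign a /32 from the pool to each appliance, in pool order.

    Raises ValueError when the pool is too small for the appliance list, which
    is the failure you want to see at planning time rather than after Apply.
    """
    hosts = ipaddress.ip_network(pool, strict=True).hosts()
    assigned: Dict[str, str] = {}
    for name in appliances:
        try:
            addr = next(hosts)
        except StopIteration:
            raise ValueError(f"pool {pool} exhausted before {name}")
        assigned[name] = f"{addr}/32"
    return assigned


def plan_pool(pool: str, in_use: List[str],
              appliances: List[str]) -> Dict[str, str]:
    """Refuse an overlapping pool; otherwise return the /32 allocation."""
    clashes = pool_conflicts(pool, in_use)
    if clashes:
        raise ValueError(f"pool {pool} overlaps in-use subnets: {clashes}")
    return allocate_loopbacks(pool, appliances)


if __name__ == "__main__":
    # Constructed sample: a site LAN plus a corporate 10.0.0.0/16 that already
    # covers the 10.0.0.0/24 pool Orchestrator proposes by default.
    in_use = ["10.0.0.0/16", "11.1.1.0/24"]
    appliances = ["ECV-1", "ECV-2", "ECV-3", "ECV-4", "ECV-5"]
    print("default pool conflicts:", pool_conflicts("10.0.0.0/24", in_use))
    # A hypothetical range chosen for the lab instead of the default
    for name, addr in plan_pool("10.255.255.0/29", in_use, appliances).items():
        print(f"{name}: lo20000 {addr}")
```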
20. Write down the loopback address you created for each appliance.
a. They will most likely NOT be in the same order as the appliance name.
b. For your reference, enter them in one or both of the following:
- This table to the right
Appliance Loopback Address Table
ECV-1: ____________
ECV-2: ____________
ECV-3: ____________
ECV-4: ____________
ECV-5: ____________
Task 3: Test reachability between two of the loopback interfaces
This HA connection uses a data path interface (LAN or WAN, not management port) on each
of the devices to establish a connection between them, and traffic is routed over this
connection.
Objectives
1. Right-click on ECV-2
2. Select Deployment.
4. Select ECV-3 as a Peer.
- This will update the Total Outbound and Total Inbound at the bottom of the page to 6,000 kbps. Each appliance needs to be able to handle the total throughput for the outbound interfaces on both machines, since they both have access to all 3 WAN interfaces.
c. On ECV-2, near the top of the page, change the boost amount to 6,000 kbps.
- This is the total outbound bandwidth for both machines. In our case, we want to be able to boost all the traffic on either device. We will update the boost amount on ECV-3 in a moment – it must be done from ECV-3’s deployment screen.
6. Click Apply.
8. Select Deployment
b. Click Apply
Note: Although we’ve applied enough boost licensing to cover all interfaces in our lab,
since LTE is strictly backup, and it wouldn’t be used unless the other interfaces were
down, you probably wouldn’t license it for boost in a production environment.
b. Click Apply
- In order to keep unnecessary tunnels from being built between the two devices in the HA pair, you should make the site name the same on each appliance.
- Orchestrator will not build tunnels between two devices with the same site name.
14. Change the site name for ECV-2.
a. Right-click on ECV-2 in Tree View and select System Information.
e. Click Apply
15. Change the site name for ECV-3 the same way
e. Click Apply
b. Click refresh if needed. It may take a minute or two for the VLANs to get built.
c. Click on the top of the HA Interface column (you may need to scroll the browser window to the far right) to sort the interfaces by HA status (Hint: if you click a 2nd time, all the HA interfaces will come to the top of the list).
d. Notice that on ECV-2 and ECV-3, VLAN interfaces have been auto configured
(Interface column). VLANs 100, 101 and 102 are in use (e.g. wan1.102 on ECV-2).
One VLAN is in use for each WAN interface passthrough tunnel.
e. IP addresses have automatically been configured in 169.254.1.x/30 subnets.
f. Both ECV-2 and ECV-3 show interfaces with MPLS, LTE and Internet labels, one
making use of the physical wan0 and wan1 connections, and the other making use
of the HA connections (wan2.102, wan1.101, and wan1.100).
- Remember that only ECV-2 has a physical connection to the MPLS network, even though ECV-3 shows MPLS1 on the wan2.102 interface. This is because a logical connection has been created across the HA link so ECV-3 can access MPLS through ECV-2. Similar connections have been made so ECV-2 can access the INET1 and LTE on ECV-3.
21. Click on Underlay
22. Sort on Local IP:Port by Clicking on the column heading twice to bring the highest
numbered IP addresses to the top if needed.
Note all the tunnels with 169.254.1.x IP addresses at the top. These are tunnels built
across the HA interfaces to machines across the network, but they are reachable via the
other HA appliance’s WAN interfaces and are terminated on the local HA interface IP
address.
Also note the Remote IP:Port column to the right. This shows where the remote ends of
the tunnels are being terminated. Examine your topology diagram. You’ll see these are
WAN interface IP addresses on other appliances.
24. Again sort on Local IP by clicking twice on the Local IP column heading to bring the HA tunnels to the top.
Note that there are passthrough tunnels built for all the overlays terminating on the HA
interface addresses. There is one PT (passthrough) tunnel for each overlay to each WAN
interface on each of the machines in the HA pair.
If you are doing local internet breakout for traffic going over the HA interface to reach a
WAN interface on a neighboring HA device, it may use one of these passthrough tunnels.
We’ll be doing local internet breakout in a later lab.
- You should have answered that there is not a remote IP. This is because a passthrough tunnel isn’t really a tunnel. The way the feature was coded in the early days, it utilized the same mechanisms as the tunnels, which is why it is inaccurately referred to as a tunnel.
- So, keep in mind that traffic transiting a passthrough tunnel will be directed to the next hop router on the local interface where the passthrough tunnel connects to the WAN or LAN.
25. Close any tabs from this lab if you want to minimize clutter in your Orchestrator view.
1) T/F – An EdgeConnect can snoop DNS lookups and cache the results for domain based packet classification.
2) T/F – As part of its 1st packet classification strategy, Silver Peak appliances maintain a cache of millions of domains and addresses that is dynamically updated.
5) T/F – It is necessary to choose at least two primary labels to load balance breakout traffic across multiple internet service providers.
7) How does an appliance determine if traffic should be eligible for Local Breakout (assuming all links are up)?
2) T/F – In an IP SLA Ping Address List with 3 destinations, if any one of the destinations becomes unreachable the IP SLA will be marked DOWN, and the Down Action will be performed.
3) T/F – It’s possible to configure an IP SLA to monitor reachability of a critical server via Ping, and raise or clear an alarm, without taking any other action on the appliance.
4) What should you use if the website you’ve chosen to monitor for reachability blocks ICMP traffic?
Objectives
- Learn to configure a Business Intent Overlay to break out traffic that doesn’t match the subnets internal to your network.
3. Click the Clear button to eliminate any current filters.
For instance, in this example Asymmetric is selected and we want to clear that filter.
We’ll return to the flows table in a moment after generating some traffic.
b. Click Connect
7. Click Ask Me Later
Note: If you don’t see anything, use the clear button to clear any preselected filters in the
flow table, then refresh your view.
a. Refer to your topology diagram to see where UBU-1 and TG-1011 exist in relation
to each other in the network.
b. Ping UBU-1 (11.1.1.11). We know from the network topology that the ping will
have to go through ECV-1.
13. Look at the flow in Orchestrator on the flows tab. Refresh if needed
14. Refresh the flows as needed
15. Look at the outbound tunnel in the flow table – it says Policy Drop.
16. Open the flow detail by Clicking on the icon in the Detail column for the flow
The flow matched the Default Overlay, as we saw above, and was dropped due to
overlay internet policy. We will examine what that means below.
You can see it’s been classified as an Internet flow, but the WAN routing is Policy drop.
19. In the Search bar, type 11.1.1.
Note: The menu selection is misleading; it actually shows you a list of networks that are considered “Internal”, not “Internet Traffic”.
External networks are defined by exclusion: any subnet NOT matching those on this list is considered external Internet traffic.
Task 4: Observe Current Overlay Configuration
- Remember that our ping to the device on the internet matched the DefaultOverlay, so we’ll start by looking at that.
24. Open the Default Overlay by going to Configuration -> Overlays & Security -> Business Intent Overlays.
25. Click on the Breakout Traffic to Internet & Cloud Services section of the DefaultOverlay.
In the Preferred Policy Order column, the only policy is Backhaul Via Overlay. Internet breakout (Break Out Locally) is not implemented; it is still in the Available Policies column.
- The flow was dropped because of this. As you can see, if backhaul fails, the policy below it in the Preferred Policy Order is Drop.
27. Scroll down the window and click Cancel to close the DefaultOverlay configuration panel.
- We want to allow direct internet breakout from the branches for traffic matching the RealTime, CriticalApps, and BulkApps overlays.
  - However, for the DefaultOverlay, we want to backhaul traffic from Sites 1 and 2 destined for the Internet to our data center at Site 3 (where there is an upstream firewall on the internet link)…
  - Unless the connections to the data center are down. In that case, we want to allow Sites 1 & 2 to break out locally using their own local internet connections for DefaultOverlay traffic.
30. Click on the Backhaul policy icon for the RealTime overlay. This will bring up the
Breakout configuration screen for this overlay.
33. Click OK.
34. Configure Internet Breakout for the CriticalApps overlay the same way
a. Click OK to save.
35. Configure Internet Breakout for the BulkApps overlay the same way
a. Click OK to save.
a. Drag the Break Out Locally policy and place it below the Backhaul Via Overlay
as shown below:
Break Out Locally is below Backhaul Via Overlay, unlike the previous BIOs. This should
cause traffic that matches this overlay to be backhauled (even internet breakout traffic) as
a 1st choice, and only broken out locally as a 2nd choice if there is no route or path to
backhaul it.
Note the changes to the Breakout Traffic to Internet & Cloud Services section.
The gold-colored boxes surrounding the new configuration selections on the right mean the changes are not yet applied.
37. Click Save and Apply Changes to Overlays in the upper left of the Business Intent
Overlays tab.
40. Click on it.
a. Return to the RDP window you opened in Task 1 of this lab for TG-1011.
b. Use the CMD (command prompt) window to retry the ping to 11.1.1.11.
43. The Ping still fails. What’s going on?
44. Return to the Orchestrator. Notice that light blue alarms have appeared next to each
of the appliances.
48. Click on the Monitor field for one of the rules. This will bring up a resizable Window
with information about the rule.
49. The heading tells us this was automatically generated by Overlay Manager.
The rule says it is testing connectivity by pinging sp-ipsla.silverpeak.cloud.
This destination is not actually reachable via our lab network. Instead we should be
pinging the IP addresses of the next hop routers (or WAN emulators in our case).
If you look at your topology diagram, these addresses are 10.110.104.1, 10.110.109.1 and
10.110.116.1.
53. Click the pencil icon next to Break Out Locally Using These Interfaces.
a. Use the refresh button if needed.
If you don’t see the flow, retry the ping and refresh the display. It may be necessary to click the Clear button as well to clear any cached search filters.
Checkpoint
7) Which Overlay is the flow matching? ____________________
8) Which tunnel is the flow tunnel taking? ____________________
The flow is going through a Passthrough tunnel associated with the DefaultOverlay to the
next hop router (10.110.104.1) on wan1.
Note: You should understand that in this case, no route to the destination was needed by
the appliance since the next hop router knew how to route the traffic and how to reach the
source subnet. This may not always be the case.
67. Close the flow detail
Task 9: Verify that ECV-1 has a route to backhaul the traffic
71. Return to the Routes tab
- ECV-1 will take the 2nd choice and break out locally instead of backhauling,
- And it will use the INET1 interface (wan1) that we configured for breakout on the DefaultOverlay.
- As a result, the traffic will be sent to the next hop router on wan1, which knows how to get to the destination subnet (which might not always be the case).
In the next task, we will configure a default route at Site 3 so that the traffic can be
backhauled as we intended.
Task 10: Default Routes on The Data Center Routers
Let’s add a default route to ECV-5 to the next hop on the internet using the metric of 53.
72. From the Routes tab, select only ECV-5 in Tree View
75. Add the default route:
- Subnet/Mask: 0.0.0.0/0
- Next Hop: 10.110.116.1 (this is the next hop on wan1 (INET1))
- Interface: blank
- Metric: 53 (not the default of 50 – we’ll see why in a moment)
- Tag: ANY
78. The Route should appear in ECV-5 Routes table with a metric of 53.
79. Let’s test the Ping on TG-1011 again.
80. Let’s return to the Flows tab to look at the flows in the flow table:
- from ECV-1 through a DefaultOverlay tunnel to ECV-5 (shown in the top two flows)
- then ECV-5 is breaking the flow out using a DefaultOverlay passthrough tunnel (shown in the bottom flow)
- The return traffic is coming back in through the passthrough tunnel on ECV-5 (bottom flow)
- And being returned to ECV-1 through the overlay tunnels (top 2 flows)
82. In Tree View, select ECV-5 and let’s take another look at ECV-5’s routing table like we did above.
83. Sort on Subnet/Mask to get the default routes at the top
10) Why is ECV-5’s new static default route being used instead of the local default route?
11) Why does it have a metric of 53?
85. Click the edit icon next to ECV-4 in one of the items in the table
86. Click Add Route
£ Subnet/Mask: 0.0.0.0/0
£ Next Hop: 10.110.116.1
This is the next hop on wan1 (INET1)
£ Interface: blank
£ Metric: 50
Default of 50 – this is better than the metric on ECV-5
£ Tag: ANY
90. The route should appear in the ECV-4 Routes table
94. Examine the flow details for each of the 3 flows
§ from ECV-1 through a DefaultOverlay tunnel to ECV-4 (shown in the top two flows)
§ then ECV-4 is breaking the flow out using a DefaultOverlay passthrough tunnel
(shown in the bottom flow)
§ The return traffic is coming back in through the passthrough tunnel on ECV-4
(bottom flow)
§ And being returned to ECV-1 through the overlay tunnels (top 2 flows)
12) Why is this flow now going through ECV-4 instead of ECV-5?
____________________
Answer: I hope you said because the metric from ECV-4 is better. If you view the
routes on ECV-1, you should see both routes, and the one to ECV-4 will have the
© We have just demonstrated the internet traffic that matches the DefaultOverlay is
being backhauled. You saw that an ICMP echo request (Ping) from TG-1011 to UBU-
1 was backhauled before being broken out by the devices at Site 3.
© Now let’s make sure traffic that matches a different overlay is being broken out
directly on the local machine rather than backhauled first. We’ll initiate an FTP
connection from TG-1011 to UBU-1 in this task. FTP should match a different overlay.
95. Go to TG-1011’s RDP desktop
101. Click and Drag it to the Local Site’s Desktop (lower left)
© You should have answered BulkApps (not the DefaultOverlay like the Ping) and the
Passthrough_INET1_BulkApps tunnel. See the section of the flow detail you should
have opened below.
5) What are the two Silver Peak BGP Peer types and what is the difference between
them?
6) On the Peer Configuration, what two other items should match the configured peer
type?
7) Which state indicates that a BGP peer has connected completely to an appliance and
can learn and advertise routes to it?
8) Is it possible to connect two Silver Peak appliances at different sites as BGP peers?
LAB 5: BGP
Overview
In this lab, you will configure the CSR router and appliances in the SANTA CLARA region to
be iBGP peers.
© The appliances will advertise subnets learned through subnet sharing between
appliances to the router and become the preferred path for traffic coming from
TG-3511 and TG-11411.
© If the appliances were to go down, then the routes would no longer be advertised to
the CSRs.
© In our lab, ECV-4 and ECV-5 will be iBGP peers with CSR-3x.
© We will use iBGP configuration to illustrate a few points throughout the rest of the
course.
Objectives
Task 1: Test Connectivity on TG-3511 on the LAN side
1. Right-click on ECV-5 and select Appliance Manager
3. Ping TG-3511
£ IP/Hostname: 10.110.35.11
£ Options: -I 10.110.114.102
4. Click Start and let it run… it should fail.
7. Open the flow details on ECV-5 (click the icon in the Details column)
8. Reference the Topology Diagram
Do you notice anything strange?
10.110.116.1 is the next hop. Why is the ping leaving ECV-5 as passthrough using the
DefaultOverlay instead of going directly out ECV-5’s lan0 interface to the next hop router?
£ IP address: 10.110.35.11
Task 3: Configure BGP on ECV-4
16. Select Site 3 – Santa Clara in Tree View
23. Back at the BGP information screen, click Apply under the BGP Peers table
28. Back at the BGP information screen, click Apply under the BGP Peers table
a. Use the refresh button to update the peer status. It may take a minute or two.
30. In the Peer State column, both ECV-4 and ECV-5 should have connections to CSR-3x
in the Established state.
If this is not the case, recheck your configuration. A common error is to forget to select the
correct route maps for the peer, which causes the peer to remain in the Idle state.
Task 7: Test and View BGP Routing information
Since both ECV-4 and ECV-5 are BGP peers with CSR-3x, they should now both be learning
routes that enable them to reach TG-11411 and TG-3511.
34. Again, search for 10.110.35 to show only the rows that match that string.
38. Use CTRL-Click to select ECV-1, ECV-4, and ECV-5 in Tree View
a. Filter on 10.110.35
© We can see in the Type column that the 10.110.35.0/24 routes were learned via iBGP
from CSR-3x (10.110.114.1) because the appliances are BGP peers with it
© We now want to be advertising those routes via subnet sharing in the SD-WAN fabric
because ECV-1, ECV-2 and ECV-3 still need to learn those routes.
43. Click on the icon next to Priority 65535 to edit the BGP rule
53. Reference the screenshot below and look at the Type column
a. ECV-1 has two equal cost routes to 10.110.35.0/24, one from ECV-4 and one from ECV-5
Task 11: Use additional Subnet Sharing filters for BGP
© Hmmm… It would be useful to know the AS number the BGP routes originally came
from after they were redistributed into Subnet Sharing.
54. Clear the Search box to view all routes
59. Use CTRL-Click to select ECV-1, ECV-4, and ECV-5 in Tree View
© What do we see?
Note: it may take several minutes for the route filtering changes to take effect.
Since ECV-4 and ECV-5 are both in AS-65001, with the route map for BGP set
to permit, it means they both advertise the subnet shared route with 65001
attached, and since they are filtering out routes with AS number 65001
attached to the route, it has the effect of keeping them from learning local BGP
routes from each other via subnet sharing (which is technically a routing loop).
ECV-1, ECV-2 and ECV-3 are not in AS-65001 so they can learn these routes
over the SD-WAN fabric and use them to make routing decisions.
Note: Although this was a simple fix for this problem, as we’ll see later, there is more than
one way to solve this problem. In an upcoming lab, we’ll demonstrate a different way to
achieve our goal of causing routes learned directly from a local BGP peer to be preferred
over the subnet shared ones.
61. Double-click on the PuTTY icon on the Landing Desktop
or
69. Press the spacebar until you get back to the CSR-3x# prompt to display the entire
table.
CSR-3x is learning default routes from ECV-4 and ECV-5, but the one from ECV-4 has
the better metric (50 vs 53).
NOTE: If you are missing subnets from the other sites in CSR-3x’s routing table (e.g.
10.110.10.0 and 10.110.107.0) go back and make sure you selected the correct route
maps for the BGP peer in the appliance configurations. You should have selected the
route maps ending in ‘br’ (for branch) not ‘pe’ (for a provider edge router).
One other common error is to forget to check Next Hop Self on the BGP peer
configuration in Lab5, Task 1. This will cause learned routes not to be used by CSR-3x
because a route to the original next hop is not known. The next hop needs to be ECV-4 or
ECV-5.
70. Type show ip route to see which routes are actually used by CSR-3x
© show ip route doesn’t show all the routes learned by the router. It shows only
the ones being used.
© In our example, although BGP was learning two default routes, only one is used – the
one from ECV-4 because it advertised the better metric (50 vs. 53).
5) What metric is used by OSPF routers (and appliances) to determine the most
desirable path, and how is it determined?
8) What state in an OSPF peer adjacency indicates they have sent and received routing
information?
LAB 6: OSPF
Overview
In this lab, you will configure the CSR-20 router and appliances in Mumbai to be OSPF peers.
© The appliances will advertise subnets learned through subnet sharing between
appliances to the routers, and become the preferred path to optimize traffic.
© If the appliances were to go down, then the routes would no longer be advertised to
the CSRs, and they would use their native L3 routing tables to forward traffic
accordingly.
© Because we will have equal cost paths through both appliances in our environment,
allowing packets for a single flow to be distributed across tunnels to ECV-2 and ECV-3,
we’ll see some asymmetry in this environment.
Note: OSPF is already configured on CSR-20, so you will only need to add the OSPF
configuration to ECV-2 and ECV-3.
Objectives
3. Click on the edit icon next to ECV-2 in the list to configure OSPF
£ Interface: lan0
£ Area ID: 0.0.0.0
£ Admin Status: UP
9. Click Apply to set the configuration
10. Let’s do the same thing for ECV-3. Click on the edit icon to configure OSPF
13. Click Add
£ Interface: lan0
£ Area ID: 0.0.0.0
£ Admin Status: UP
Task 3: Review the OSPF Configuration Screens
a. Refresh the screen if needed. It may take a minute or two for the connections to
form.
— The Interfaces screen shows the status of each interface that is participating in
OSPF and the appliance’s interface state. In this case ECV-2 became the
backup designated router because it came up before ECV-3. This doesn’t
affect either device’s ability to transport traffic.
21. Click on the Neighbors button
§ A state of Full indicates the connection to the neighbor is complete and they can
share link states with each other.
§ Here you can see the status of each Neighbor. ECV-2 and ECV-3 each have two
neighbors. One Neighbor is CSR-20 (RID 1.1.1.1), and the other neighbor is the
other appliance in the HA configuration.
— It’s important to understand that subnet sharing does not occur over the HA
connection between ECV-2 and ECV-3. They can share routes on the LAN
side through their OSPF connection, however.
§ EdgeConnect appliances currently only support a single area. In our lab, both
ECV-2 and ECV-3 are in the Backbone Area 0 (0.0.0.0).
§ The EdgeConnect does not have to be in Area 0.0.0.0. It can be located at the
edge of the OSPF network in either a Standard Area or a Not-So-Stubby-Area
(NSSA).
Task 4: Check routes on ECV-2 and ECV-3 to make sure routing
information is getting exchanged
© We want to make sure that ECV-2 and ECV-3 are learning the 10.110.20.0 subnet
from CSR-20
24. Click on the OSPF button to filter the table for only OSPF routes
Note that both ECV-2 and ECV-3 have learned about the 10.110.20.0 subnet.
© OSPF learned routes are coded with a capital “O” to the left of the subnet entry
© As you can see from the displayed route entries:
§ In fact, there are equal cost routes learned for subnets from Site 1 – Singapore
(10.110.10.0/24) and Site 3 – Santa Clara (10.110.35.0/24 and 10.110.114.0/24)
© Wait a second… Sites 1 and 3 are not configured for OSPF. How were those routes
learned?
5) T/F: OSPF uses inbound and outbound route maps Per Peer.
6) On a single appliance, how many active route maps can you have for:
a) Redistribution into OSPF?
b) Redistribution into Subnet Sharing?
c) Redistribution outbound into BGP?
d) Redistribution inbound from BGP?
7) T/F: Each rule in a route map must use the same Source Protocol
8) Is the choice of set actions the same for each of the rules in every Route Map?
9) T/F: The default outbound BGP PE route map allows you to redistribute subnet
shared routes into BGP advertisements to that peer.
© An inbound route map controls what is potentially being distributed into the SD-WAN
fabric and being subnet shared between Silver Peak appliances.
§ Route maps that control redistribution into Subnet Sharing (the SD-WAN fabric)
are found on the Routes pages for each appliance.
§ Route maps that control the distribution into other protocols are found on the
configuration page for each protocol.
© BGP is slightly different from OSPF in that it contains inbound and outbound route
maps per Peer.
Note: BGP Peer type selection causes some filtering that is applied before the route
maps. An appliance can advertise subnet shared routes to a branch peer, but not to a PE
peer. This is intended to reduce the risk of routing loops in the BGP routing domain.
Objectives
© Configure route maps and see how they affect route redistribution and metrics.
© Configure route maps to tag and filter routes
© Adjust metrics for routes being redistributed by multiple appliances to cause adjacent
routers to prefer one over others
Task 1: Adjust the advertised metrics from Subnet Sharing into BGP
ECV-4 and ECV-5 currently both learn subnets from the other appliances and redistribute
them into BGP with unchanged metrics.
In this task, we’ll adjust the outbound advertised metrics for an appliance (ECV-4) to make
the BGP peer (CSR-3x) prefer the other appliance (ECV-5).
1. Go to (or reopen) the PuTTY window for CSR-3x
Notice the equal cost routes for the networks from ECV-4 (10.110.114.101) and ECV-5
(10.110.114.102) have a metric of 50.
Best practice in network design is to have your routing be deterministic and predictable.
5. Click the edit icon for ECV-4 on the BGP tab.
You can see that the default route map for the BGP branch peer (the map name ends in _br)
permits advertising from all sources into BGP with no changes. ECV-4 is learning all the
routes from other sites via subnet sharing (SD-WAN) and it is not running OSPF. Note that
while OSPF route maps had a single selection for all SD-WAN sourced routes, the BGP route
maps allow you to have more granularity and treat routes that entered the SD-WAN fabric
from different sources (BGP, OSPF, Local/Static) differently.
8. Edit 65505 (Local/Static) by Clicking the edit icon.
15. Click the close button to close any open route map, peer edit and ECV-4 BGP edit
windows.
16. From PuTTY for CSR-3x, type show ip bgp.
© Notice that:
§ all subnet shared prefixes from ECV-4 (10.110.114.101) now have a metric of 70
17. Type show ip route
© That doesn’t work either. What’s different about this particular subnet and how it was
learned?
20. Click on the edit icon for ECV-4 on the BGP tab.
21. Click the edit icon for the BGP Peer 10.110.114.1.
© What is happening?
ANSWER: If you said it may have to do with the subnet sharing route map, you’re
probably right. Let’s confirm that.
24. Click the close button at the top right to close the Route Map screen
26. Click the close button at the top right to close the BGP Information screen
© We were right! Although the inbound BGP route map allowed OSPF learned routes, the
Subnet Sharing (SD-WAN Fabric) Route Map does not. Let’s change that.
34. Click Apply
35. Click the close button at the top right to close the SD-WAN Fabric Route Redistribution
Maps screen
36. Click the close button at the top right to close the Routes – ECV-2 screen
© As you can see, we now get the 10.110.20.0/24 subnet being advertised via Subnet
Sharing. In fact, there are equal cost routes because we configured both ECV-2 and
ECV-3 to redistribute them.
§ ECV-1, ECV-4, & ECV-5 learn one each from them which is why there are two
equal cost routes.
41. Return to the PuTTY session for CSR-3X.
Task 5: View the routes on the appliances to verify they come from OSPF
45. Click on the OSPF button to view only OSPF originated routes.
46. Sort by the Subnet/Mask columns with 0.0.0.0/0 default routes at the top as shown.
© Notice that there are subnet shared routes for all the non-directly connected LAN
subnets in our SD-WAN that originated from OSPF being learned from both ECV-2
and ECV-3.
© In fact, there are duplicates indicating ECV-2 and ECV-3 are advertising the same
subnets.
48. Select All Appliances from Tree View
54. From the Reset Flows dropdown, select Reset All Returned
55. Click the button to confirm you want to Reset Returned Flows
56. Repeat the previous 3 steps 5-10 times until you see the Ping go towards two
different Outbound Tunnels (ECV-4 and ECV-5)
57. Let’s review the flows in Orchestrator. You will get something similar to this:
© If you recall the route selection criteria, because there are equal cost routes, one will
simply be chosen at random.
58. Select All Appliances from Tree View
© As you can see, ECV-1 has routes via all four of the other ECVs. However, ECV-1 is
forwarding traffic only to ECV-4 and ECV-5 because, even though they all have a
metric of 50, the administrative distance of subnet shared originated routes is 10,
which is better than the AD of 15 for subnet shared, OSPF-originated routes.
67. Verify the tag was set in the Set Actions column
Task 8: Filter and View Tagged Routes from OSPF to Subnet Sharing
72. Select Site 3 – Santa Clara in Tree View
© You can see there are 28/60 prefixes with a Route Tag of 999.
© These are essentially OSPF originated routes that ECV-2 and ECV-3 have shared
over the SD-WAN via subnet sharing (10.110.10.0, 10.110.35.0, 10.110.114.0 and
loopbacks).
77. From the Routes Table click the edit icon for ECV-2
£ Priority: 65500 (so this rule is above the others in the list)
£ Source Protocol: OSPF
£ OSPF Tag: (checked)
£ TAG value 999
£ Permit (unchecked)
A rule with Priority 65500 should show at the top of the Route Map list
82. Click Apply.
83. Click the close button at the top right to close the SD-WAN Fabric Route Redistribution
Maps screen
84. Click the close button at the top right to close the Routes – ECV-2 screen
© Note this does not prohibit sharing other OSPF routes learned from CSR-20.
They will not have the 999 tag.
© It only filters routes that originated from the SD-WAN fabric (subnet shared) that are
tagged.
Task 10: Configure Route Map to Filter on OSPF Tag 999 on ECV-3
85. Repeat the previous task for ECV-3 as well
Again, it may take a few minutes for the route tags to be propagated. Use the Refresh
button if needed.
© Let’s review... this diagram will help explain what you just accomplished in the last few
tasks.
A. ECV-2 added a tag (999) to subnet shared routes that were advertised into the
OSPF routing domain.
B. CSR-20 learns the routes from ECV-2 and adds them to its routing table.
C. ECV-3 also learns the routes from ECV-2 and adds them to its routing table.
D. CSR-20 advertises routes to ECV-2 and ECV-3.
E. ECV-3 adds these routes to the routing table.
F. ECV-3 DENIES routes learned from ECV-2, that originated from ECV-4 or ECV-5,
tagged with 999, and does not redistribute them to other appliances via subnet
sharing.
ECV-3 PERMITS routes learned from CSR-20 because they are untagged and
advertises them into the SD-WAN fabric via subnet sharing.
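The route maps in the last few tasks, and the local-ASN filter from Lab 5, follow a simple first-match model. The evaluator below is an added example, not Orchestrator or EdgeConnect code; it models ECV-2 tagging fabric-learned routes with 999 on the way into OSPF, ECV-3 denying tagged OSPF routes on the way into the SD-WAN fabric, and the "Filter Routes from SD-WAN Fabric with Matching Local ASN" check. Lowest-priority-number-first evaluation, a catch-all permit rule at 65535 and the sample routes are assumptions.

```python
"""Toy evaluator for the route-redistribution maps and the local-ASN
filter used in this lab.  Added example, not Orchestrator or EdgeConnect
code: the rule fields (Priority, Source Protocol, OSPF Tag, Permit, Set
Actions) follow the lab screens; lowest-priority-number-first, first-match
evaluation and a catch-all permit rule at 65535 are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

LOCAL_ASN = 65001  # ASN of ECV-4 and ECV-5 in the lab


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str                    # "OSPF", "BGP", "Local/Static", "SD-WAN"
    learned_from: str
    tag: Optional[int] = None      # OSPF route tag carried with the prefix
    as_path: Tuple[int, ...] = ()  # ASNs attached by "Include BGP Local ASN"


@dataclass(frozen=True)
class Rule:
    priority: int
    source_protocol: str           # "ANY" matches every source
    permit: bool
    tag_match: Optional[int] = None   # "OSPF Tag (checked), Tag value"
    set_tag: Optional[int] = None     # Set Action: tag permitted routes

    def matches(self, route: Route) -> bool:
        if self.source_protocol not in ("ANY", route.source):
            return False
        if self.tag_match is not None and route.tag != self.tag_match:
            return False
        return True


def apply_route_map(rules, route):
    """First matching rule (lowest priority number first) decides.  Returns
    the route, with set actions applied, if permitted; None if denied or
    if no rule matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.matches(route):
            continue
        if not rule.permit:
            return None
        if rule.set_tag is not None:
            route = replace(route, tag=rule.set_tag)
        return route
    return None


def filter_matching_local_asn(route, local_asn=LOCAL_ASN):
    """'Filter Routes from SD-WAN Fabric with Matching Local ASN': a
    subnet-shared route that already carries our ASN is not used."""
    return None if local_asn in route.as_path else route


# Tasks 7/8: ECV-2's map for redistribution into OSPF tags SD-WAN-sourced
# routes with 999 (priority 65500 assumed, as in Task 9's deny rule).
ECV2_INTO_OSPF = [
    Rule(65500, "SD-WAN", permit=True, set_tag=999),
    Rule(65535, "ANY", permit=True),
]

# Tasks 9/10: ECV-3's (and ECV-2's) SD-WAN Fabric map denies OSPF routes
# tagged 999 and permits everything else.
FABRIC_DENY_TAG_999 = [
    Rule(65500, "OSPF", permit=False, tag_match=999),
    Rule(65535, "ANY", permit=True),
]


def ospf_advertisement_from_ecv2(route):
    """What ECV-2 hands to CSR-20 / ECV-3 for a fabric-learned prefix."""
    out = apply_route_map(ECV2_INTO_OSPF, route)
    # Once a neighbour learns it over OSPF, the route's source is OSPF.
    return None if out is None else replace(out, source="OSPF", learned_from="ECV-2")


def ecv3_shares_into_fabric(route):
    """True if ECV-3's fabric map lets the route back into subnet sharing."""
    return apply_route_map(FABRIC_DENY_TAG_999, route) is not None


def ecv5_accepts_from_fabric(route):
    """Lab 5 checkbox behaviour: drop subnet-shared routes carrying the
    local ASN (this is what left ECV-5 without routes from hub ECV-4)."""
    return filter_matching_local_asn(route) is not None


if __name__ == "__main__":
    # Constructed sample routes
    sc = Route("10.110.35.0/24", "SD-WAN", "ECV-4")      # Santa Clara via fabric
    looped = ospf_advertisement_from_ecv2(sc)             # reaches ECV-3 tagged 999
    mumbai = Route("10.110.20.0/24", "OSPF", "CSR-20")    # native OSPF, untagged
    print(looped.tag, ecv3_shares_into_fabric(looped), ecv3_shares_into_fabric(mumbai))
    from_hub = Route("10.110.10.0/24", "SD-WAN", "ECV-4", as_path=(65001,))
    print(ecv5_accepts_from_fabric(from_hub))
```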
89. View the routes on ECV-4 and ECV-5 on the Routes tab.
© If you select ECV-4 and ECV-5 in Tree View, you can see that the prefixes learned
for subnets at Site 3 are learned only from devices that have direct knowledge of
those subnets.
— 10.110.114.0: learned from CSR-3x (10.110.114.1) and from each other via SS
— 10.110.35.0: learned via BGP and SS
© 10.110.20.0 prefixes are still there because ECV-2 and ECV-3 are allowed to
redistribute those into the SD-WAN fabric. They were sourced from CSR-20 and were
not tagged with 999.
Takeaways:
© Each rule can Permit or Deny routes to be distributed into a destination protocol
© Each rule has its own Set Actions applied to Permitted routes which vary by
destination protocol
2) Is it possible for a device to be a hub in the RealTime overlay, and a spoke in the
DefaultOverlay?
3) T/F: In a region using an overlay configured with a Regional Mesh topology, non-hub
devices will only connect to Hubs in that region.
[Diagram: Hubs H1, H2 and Spokes S1, S2]
6) In the same diagram above, will H1 be able to advertise S2’s routes to S1?
[Diagram: Region A with Hub A and Spokes A1, A3; Region B with Hub B and Spokes B1, B2; Mesh between the hubs]
7) Assume all devices use default subnet sharing metrics in this middle diagram and
regional routing is enabled:
a) With what metric will Hub A learn routes advertised by A1?
b) Will A1 learn routes advertised by A3? If so, with what metric? If not, why?
d) Will B1 learn routes advertised by A3? If so, with what metric? If not, why?
e) Will B2 learn routes advertised by B1? If so, with what metric? If not, why?
8) In the diagram below, Region C loses its connection to Region B. Can traffic be
routed from devices in Region C to Region B via Region A?
[Diagram: Regions A, B and C, with an X marking the lost connection]
LAB 8: Regions
Overview
Regional routing, when enabled, allows you to manage your SD-WAN fabric by dividing it up
into segments called regions. It involves intra-region (within a region) and inter-region
(between two regions) route distribution across the SD-WAN fabric.
© When regional routing is enabled, hubs can re-advertise routes learned from non-
hubs to other non-hubs that are also part of that region using subnet sharing. This is
very different from the way hubs behave when regional routing is disabled. When
regional routing is disabled, hubs will not advertise routes learned via subnet sharing
to other devices.
© You can provide different Business Intent Overlays for each region by enabling
regional routing and customizing BIOs per region.
Objectives
2. Click on Create Regions
4. Click Save
6. Click Save
8. Click Save
The three Regions you just created now appear in the Regions list.
9. Click Close
12. Click in the dialog box to the left of the grayed out Add Hub button
£ ECV-2
£ ECV-3
£ ECV-4
19. Click on the topology icon
21. Click OK
25. Click OK
28. Click on Orchestration ETA at the top-right of the Orchestrator
37. Click Apply
41. Select all the appliances in Tree View to see a summary of what you have done
44. Click the Regions link for the RealTime overlay
47. Type ping 10.110.10.11 -I 10.110.116.102 to ping TG-1011 from wan1 on ECV-5.
The ping should fail.
Why do you suppose the ping is failing? Let’s look at the routes on ECV-5:
49. Return to the Routes tab in Orchestrator
There is no longer a route to the 10.110.10.0 subnet (refresh if needed to see the update).
In fact, ECV-5 is not learning routes via subnet sharing from any other appliances
although it was previously learning routes from all of them.
© Why is this?
ANSWER: All the appliances are still part of all overlays, and all overlays use a
mesh topology. Let’s check the effect on tunnel formation.
54. Click on Underlay
Again there are only tunnels to ECV-4. Does ECV-4 have routes from other sites?
Now let’s look at connectivity on ECV-4
b. ECV-4 and ECV-5 are connected via tunnels and can subnet share.
Answer: This only happens if regional routing is enabled. Until regional routing is enabled,
no appliance will re-advertise any routes it learns from another appliance. We will enable
this in the next task.
Task 8: Enable Regional Routing
58. Return to the Regions tab
64. Sort on the Start Time column to view the most recent events at the top.
You can see that enabling regional routing allows devices to redistribute subnets.
68. ECV-5 isn’t learning any routes from the hub in the SANTA CLARA region (ECV-4)!
§ Filter routes from SD-WAN Fabric with Matching Local ASN keeps the local
appliance from using the routes that it learns from other appliances if they include
the local ASN.
§ Include BGP Local ASN to routes sent to SD-WAN Fabric causes all routes (not
just BGP originated routes) to include the local ASN (65001 for ECV-4 and ECV-5)
© Therefore, ECV-5 is filtering the routes it learns from the hub ECV-4 because they
contain the local ASN!
In the next task we will solve this problem and learn a way to use Admin Distance to
eliminate the BGP routing issue we solved with one of the checkboxes above.
Task 9: Stop Filtering Routes Based on AS Number
We were using AS numbers to do filtering before, but now we will accomplish the same
objective by adjusting Administrative Distance.
69. Select only ECV-4 and ECV-5 in Tree View
72. Uncheck the box for Filter Routes From SD-WAN Fabric with Matching Local
ASN
73. Click Apply
In this task, we will make BGP routes learned via subnet sharing less preferred than
the ones learned locally from the BGP peer. This solves the problem we had in the
BGP lab where the subnet shared routes were preferred over the routes
to the same prefixes learned directly from CSR-3x. It also allows ECV-4 and ECV-5 to
advertise BGP routes to each other. This is important because if either appliance
were to lose connectivity to CSR-3x (e.g. if lan0 on either appliance went down), then
it would still be able to reach the 10.11.35.0 and 10.110.114.0 subnets via the other
appliance.
81. Verify that 201 is listed in the correct column
85. Sort on the Subnet/Mask column header by networks with 10.110.10.0/24 at the top
Note that ECV-4 is now learning routes to the 10.110.35.0 and 10.110.114.0 prefixes both
from iBGP via CSR-3x and subnet sharing from ECV-5.
3) Question: ECV-5 is learning the routes from ECV-4 with a metric of 250 and from
CSR-3x with a metric of 250. Which route will be preferred by ECV-5?
Answer: The ones from CSR-3x with a metric of 250 because they have the lower
admin distance (200 vs. 201).
86. Let’s check the Routing Table for ECV-5. Select only ECV-5 in Tree View.
87. Click the SD-WAN Fabric button (top center) to show only routes learned via Subnet
Sharing.
For example, the 10.110.107.0 subnet was learned by ECV-4 with metrics of 50 and 60 from ECV-2 and ECV-3 respectively. When ECV-4 advertises the 10.110.107.0 subnet to ECV-5 it advertises it with a metric of 100 (50+50). If ECV-4 was to stop learning the route via ECV-2, but still learn it with a metric of 60 from ECV-3, then it would advertise the route to ECV-5 with a metric of 110 (50+60).
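To make the two rules in this task concrete, here is an added Python model of route selection by administrative distance and of the +50 metric applied when a subnet-shared route is re-advertised. It is this example's own code, not Silver Peak's or Orchestrator's. The appliance names, the CSR-3x peer, the prefixes, the metrics and the admin distances 200 and 201 are taken from the lab text; the /24 masks, the Route structure and the function names are assumptions of the example.

```python
# Added illustrative model (not Silver Peak's own code): a route learned from the
# local BGP peer (admin distance 200) beats the same prefix learned through subnet
# sharing (admin distance 201) even at equal metric, and a subnet-shared route is
# re-advertised with its metric raised by 50.
from collections import defaultdict
from dataclasses import dataclass

AD_IBGP_PEER = 200            # routes learned directly from CSR-3x (lab value)
AD_SUBNET_SHARED = 201        # routes learned via subnet sharing (lab value)
SUBNET_SHARE_INCREMENT = 50   # added when an appliance re-advertises a route


@dataclass(frozen=True)
class Route:
    prefix: str
    learned_from: str       # peer or appliance the route came from
    admin_distance: int
    metric: int


def best_route(routes):
    """Installed route: lowest admin distance first, metric only breaks ties."""
    if not routes:
        return None
    return min(routes, key=lambda r: (r.admin_distance, r.metric))


def routing_table(candidates):
    """Group candidate routes by prefix and keep only the winner for each."""
    by_prefix = defaultdict(list)
    for r in candidates:
        by_prefix[r.prefix].append(r)
    return {p: best_route(rs) for p, rs in by_prefix.items()}


def subnet_share_advertisement(appliance, candidates, prefix):
    """Route `appliance` advertises to a subnet-sharing peer for `prefix`:
    the installed route's metric plus 50, filed by the receiver under the
    subnet-shared admin distance."""
    best = routing_table(candidates).get(prefix)
    if best is None:
        return None
    return Route(prefix, appliance, AD_SUBNET_SHARED,
                 best.metric + SUBNET_SHARE_INCREMENT)


# Constructed from the lab scenario (masks assumed to be /24): ECV-4 hears
# 10.110.35.0 from CSR-3x (iBGP) and from ECV-5 (subnet sharing) at metric 250,
# and 10.110.107.0 by subnet sharing from two Mumbai appliances.
ECV4_ROUTES = [
    Route("10.110.35.0/24", "CSR-3x", AD_IBGP_PEER, 250),
    Route("10.110.35.0/24", "ECV-5", AD_SUBNET_SHARED, 250),
    Route("10.110.107.0/24", "ECV-2", AD_SUBNET_SHARED, 50),
    Route("10.110.107.0/24", "ECV-3", AD_SUBNET_SHARED, 60),
]


def preferred_source(prefix, candidates=ECV4_ROUTES):
    """Who the installed route for `prefix` was learned from."""
    return routing_table(candidates)[prefix].learned_from


def metric_advertised_to_ecv5(prefix, candidates=ECV4_ROUTES):
    """Metric ECV-4 advertises to ECV-5 for `prefix`, or None if unknown."""
    adv = subnet_share_advertisement("ECV-4", candidates, prefix)
    return None if adv is None else adv.metric


if __name__ == "__main__":
    print(preferred_source("10.110.35.0/24"))            # CSR-3x: AD 200 beats 201
    print(metric_advertised_to_ecv5("10.110.107.0/24"))  # 100 (50 + 50)
    without_ecv2 = [r for r in ECV4_ROUTES if r.learned_from != "ECV-2"]
    print(metric_advertised_to_ecv5("10.110.107.0/24", without_ecv2))  # 110 (60 + 50)
```

The point the model makes explicit is that metric is never compared across sources with different admin distance: the 201 route from ECV-5 loses even if its metric were lower, so the one-point difference in admin distance is what fixes the suboptimal routing seen in the earlier BGP lab.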
Important lesson:
• Remember back in BGP Lab 5, the appliances preferred the subnet shared BGP routes to the ones learned directly from a peer.
To solve this, we just checked a couple of boxes (Filter Routes from SD-WAN Fabric with Matching Local ASN and Include BGP Local ASN to routes sent to SD-WAN Fabric) and got rid of the suboptimal routing we had.
That solution works pretty well where you have two fully meshed peers connecting to all the appliances at other sites.
• However, once we introduced regional routing, those same two appliances (ECV-4 and ECV-5) were no longer peered in a full mesh, because ECV-4 is a hub and ECV-5 is not. ECV-5 now needs to learn routes from ECV-4, which the Filter Routes from SD-WAN Fabric with Matching Local ASN option prevented.
Our original solution wasn’t wrong, it just no longer worked in our new regional network topology. Regional routing changes the way the network operates, and you need to be aware of the effects.
1) T/F – If an interface leading to the internet is hardened, local traffic will need to be backhauled to a data center through a tunnel to connect to Google.
2) T/F – No traffic of any kind is allowed into a hardened interface outside of an IPsec tunnel.
4) T/F – All the appliances in a network can simultaneously change to a new IPsec encryption key on a predetermined schedule.
6) Is it possible to limit the address spaces from which logins to Orchestrator are allowed?
1) What is the default action taken for INTER zone traffic (between devices in different zones)?
3) When all interfaces and overlays are in the default zone, will the default security policies always permit traffic to flow between all interfaces and across the WAN through tunnels between appliances?
6) You configure a new rule in a security policy. Some time later, a problem is reported. What can you do to test whether your new rule caused the problem without deleting it?
7) How can you tell which rule in a security policy was matched for a flow?
8) In the flow table, what’s a quick way to tell at a glance that a flow was dropped?
9) What’s a quick way to find only those flows dropped by the firewall in the flow table?
Objectives
Task 2: Create Zone Labels
The first step in setting up a ZBF is configuring the zone names / labels. We will configure the following zones: Singapore, Mumbai, Santa Clara, and Internet.
1. In Orchestrator, open the Firewall Zones configuration tab: Configuration → Overlays & Security → Security → Firewall Zones
☐ Mumbai
☐ Santa_Clara
☐ INTERNET
6. Click Save
Note: It’s important that you add your zones in the order shown so that later security policy configuration tasks match what you see in this student guide. Failure to do so may make your configuration tasks more difficult to match to the directions.
The Security Policies matrix should now be visible
• Santa_Clara Zone
1. Deny users at Santa Clara to access external FTP sites but allow everything else.
2. Allow users not at Santa Clara to access the TG-11411 FTP server but not the one on TG-3511
• INTERNET Zone
1. Permit access for all protocols to connect to UBU-1
We will first focus on the Configuration and Policies for Santa Clara and Internet. The next two Security Policy requirements are optional exercises, time permitting. Your instructor will let you know if any or all of them should be completed in class.
Note, the policies we create to satisfy the requirements of this lab are only one possible way to solve the problem. There are many ways you can accomplish the same thing. The solution we’ll implement here is not necessarily considered a set of best practices; it is just intended to illustrate how the ZBF works and some of the ways it can be used.
We will need to configure two rules to achieve this.
• The Edit Rules screen appears. This creates two default rules for you.
  - The first one (1000) matches everything and allows it.
  - The second rule (65535) is a default Deny that matches everything.
  - Any traffic that isn’t explicitly permitted by a previous rule will be dropped by matching this one.
d. Click Save
18. Under the Action column, click on the dropdown for rule 1000 and change it to deny
19. Additionally, to meet the 2nd part of the requirement, change the action of the default rule 65535 to allow
20. Click OK
A summary of the first two rules appears where From Santa_Clara and To INTERNET intersect
• The second requirement is to allow users not at Santa Clara to access the TG-11411 FTP server but not the one on TG-3511. We should click on the same intersection, right?
  - Actually no.
• Firewall rules are stateful, so a rule is written for the direction in which the connection is initiated. These FTP sessions start outside Santa Clara, so we need to configure a rule in the reverse direction (From INTERNET To Santa_Clara); the return traffic is permitted as part of the established session.
24. Click More Options
• Refer back to the requirements for this zone pair. What is the next rule we need to configure?
ANSWER: None, the only requirement was for sources on the Internet to be able to reach TG-11411’s FTP server.
We don’t need a specific rule to deny FTP traffic to TG-3511. The existing implicit policy (rule 65535) already covers that.
The Security Policies matrix should now look like this
  - For the FROM Zone, there should actually be three of them: Singapore, Mumbai, AND Santa_Clara
• We will therefore need to create three rules in three separate Security Policies:
1) From Singapore To INTERNET
2) From Mumbai To INTERNET
3) From Santa_Clara To INTERNET
27. Click on the intersection of From Singapore and To INTERNET
33. For Santa_Clara to INTERNET it already Allows Everything and has a more specific rule to Deny FTP.
a. You don’t need to do anything else.
b. When complete, your Security Policies Matrix should look similar to this:
34. Click Save to save the Security Policies we just configured to the ZBF Policies Template Group
Note: The security policies are not actually doing anything yet, because all the interfaces and overlays are still in the zone ‘Default’. As a result, traffic is continuing to pass normally because all intra-zone traffic (traffic between interfaces/overlays in the same zone) is always permitted by default. That will begin to change in the next tasks when we change the interface and overlay zones.
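The behaviour this section describes (rules within a zone pair tried in priority order with the first match winning, the 65535 catch-all, the implicit deny for inter-zone pairs with no policy, intra-zone traffic permitted by default, and stateful handling of return traffic) is modelled in the added Python example below. It is this example's own code, not Silver Peak's. The zone, rule and host names are the lab's; the contents of the Singapore and Mumbai to INTERNET rules are assumed, since the guide does not spell them out, and matching on a protocol name and a destination host label is a simplification of what a real policy matches on.

```python
# Added illustrative model (not Silver Peak's own code) of zone-based firewall
# evaluation as described in the ZBF lab.
from dataclasses import dataclass
from typing import Optional

IMPLICIT_RULE = 65535   # the catch-all rule at the bottom of every zone-pair policy


@dataclass(frozen=True)
class Rule:
    priority: int                    # lower numbers are evaluated first
    action: str                      # "allow" or "deny"
    protocol: Optional[str] = None   # None matches any protocol
    dst_host: Optional[str] = None   # None matches any destination host

    def matches(self, flow):
        return (self.protocol in (None, flow.protocol)
                and self.dst_host in (None, flow.dst_host))


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_host: str
    dst_host: str
    protocol: str

    def reverse(self):
        """The reply direction of this flow."""
        return Flow(self.dst_zone, self.src_zone, self.dst_host, self.src_host, self.protocol)


class ZoneFirewall:
    def __init__(self):
        self.policies = {}      # (from_zone, to_zone) -> rules sorted by priority
        self.sessions = set()   # flows already allowed; replies are matched here

    def set_policy(self, from_zone, to_zone, rules):
        self.policies[(from_zone, to_zone)] = sorted(rules, key=lambda r: r.priority)

    def evaluate(self, flow):
        """(action, reason) for a new flow: first matching rule wins."""
        rules = self.policies.get((flow.src_zone, flow.dst_zone))
        if rules is None:
            # No policy for this zone pair: intra-zone traffic is permitted by
            # default, inter-zone traffic falls to the implicit deny.
            if flow.src_zone == flow.dst_zone:
                return ("allow", "intra-zone default")
            return ("deny", "Implicit Policy")
        for rule in rules:
            if rule.matches(flow):
                reason = "Implicit Policy" if rule.priority == IMPLICIT_RULE else f"rule {rule.priority}"
                return (rule.action, reason)
        return ("deny", "Implicit Policy")

    def process(self, flow):
        """Stateful path: the reply of an allowed session passes without a reverse rule."""
        if flow.reverse() in self.sessions:
            return ("allow", "established session")
        action, reason = self.evaluate(flow)
        if action == "allow":
            self.sessions.add(flow)
        return (action, reason)


def lab_firewall():
    """The zone-pair policies built in this lab (Singapore/Mumbai rules assumed)."""
    fw = ZoneFirewall()
    # Santa_Clara -> INTERNET: rule 1000 flipped to deny FTP, default 65535
    # flipped to allow everything else (steps 18 and 19).
    fw.set_policy("Santa_Clara", "INTERNET",
                  [Rule(1000, "deny", protocol="ftp"), Rule(IMPLICIT_RULE, "allow")])
    # INTERNET -> Santa_Clara: only FTP to TG-11411; 65535 deny covers TG-3511.
    fw.set_policy("INTERNET", "Santa_Clara",
                  [Rule(1000, "allow", protocol="ftp", dst_host="TG-11411"),
                   Rule(IMPLICIT_RULE, "deny")])
    # Assumed shape of the UBU-1 requirement from the other two zones.
    for zone in ("Singapore", "Mumbai"):
        fw.set_policy(zone, "INTERNET",
                      [Rule(1000, "allow", dst_host="UBU-1"), Rule(IMPLICIT_RULE, "deny")])
    return fw
```

The case worth stepping through is the FTP session from the Internet to TG-11411: it is allowed by rule 1000 in the INTERNET to Santa_Clara policy, and its reply from TG-11411 back out is passed as an established session even though the Santa_Clara to INTERNET policy denies FTP. That is why the second requirement needs a rule in the reverse direction rather than another entry at the first intersection.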
☐ Host: 10.110.20.11
☐ Username: anonymous
☐ Password: Speak-123
b. Click Quickconnect
Task 8: Apply Zone Labels to Interfaces
Now that we have Zone Labels created, we still need to specify what Zone each interface belongs to.
44. Right-click on ECV-1 in Tree View
46. Configure all LAN and WAN interfaces for their security zone as illustrated in the Topology Diagram.
☐ ECV-1 Singapore
☐ ECV-2 and ECV-3 Mumbai
☐ ECV-4 and ECV-5 Santa_Clara
Task 9: Verify Security Policies are being used.
54. Click on the Clear button, in case you have any filters applied
57. Click on the Details icon
You can now see that the FTP traffic action was Deny with a reason of Implicit Policy. That is because the Source and Destination Zones are different.
OPTIONAL Exercises
• If you’d like to try and configure additional policies, try the following without any instructions.
Task 10: Configure Policies for the Mumbai Zone (optional – time permitting)
1. Permit anything in the File Sharing application group to access all devices in TG-3511’s subnets
  - Open a CIFS shared network folder from one of the TG PC desktops to TG-3511 to validate it works
2. Allow only hosts to reach any host on the Internet or at any other site
  - Deny PING from the Cisco routers
Task 11: Configure Policies for the Singapore Zone (optional – time permitting)
3. Do not allow any pings outside the zone unless it is destined for one of the CSR routers
  - Test that TG-1011 can only ping CSR-20 and CSR-3X
  - You should not be able to ping any of the other TGs, Service Provider Gateways (MPLS, Internet and 4G LTE) or WAN interfaces of any ECV
3) T/F: With Flow Redirection the Silver Peaks tell the routers to redirect traffic to the correct appliance
6) T/F: Flow redirection peers should be in different subnets for high availability reasons.
Objective
• Learn to enable segmentation and configure your segmented network. After that, you will learn how segmentation has affected routing and reachability, as mentioned in the previous lab.
5. Open the Apply Template Groups tab: Configuration → TEMPLATES & POLICIES → Apply Template Groups
6. Click on the box under the Remove column for ZBF Policies
7. Click Apply
Task 3: Reassign all Interfaces on all ECV’s to the Default Zone
8. Right-click on ECV-1 in Tree View
9. Select Deployment
10. Configure all LAN and WAN interfaces for the Default zone
Task 5: Enable Segmentation on Orchestrator
NOTE: Even though we are using ECOS 9.0.6, which has Segmentation enabled by default, the Segmentation feature has been disabled for the purposes of this class and lab exercise.
If you were doing this in a production network, you would definitely want to perform this operation during a scheduled maintenance window.
• Until you change it, all interfaces, routes etc. are part of the same segment called Default. This will not change until you add additional segments and change the appliance configurations.
34. Right-Click on ECV-4 in Tree View
37. Select Seg_A from the list to assign the lan0 interface to Seg_A.
Note that for the WAN interfaces, the segment selection is grayed out. WAN interfaces are hardcoded to the Default segment and cannot be changed.
Notice that there are now two appliances with interfaces in Seg_A.
46. Highlight All in the Segment field at the top of the table.
Why does it fail when it worked earlier in our lab? Segmentation you say?
Let’s ask our best friend…
As you probably expected, because we segmented ECV-1, lan0 and wan0 are in different segments. So, as the Flows tab shows, there is NO ROUTE.
Task 11: Fix Routing from Seg_A to the Default segment
Now that we’ve shown the 10.110.10.x subnet is in a completely different routing domain, just like any other router, we need to configure a route for traffic to be forwarded
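What the Flows tab showed in the previous task, and what this task sets out to fix, is modelled in the added Python example below: each segment keeps its own routing table, WAN interfaces stay in the Default segment, and a packet entering on lan0 (now in Seg_A) gets NO ROUTE to a destination that only the Default table knows until a route from Seg_A into Default exists. This is the example's own code, not Silver Peak's. The interface and segment names are the lab's; the prefixes, the next hops and the "hand the packet to another segment's table" mechanism are assumptions made for the illustration, not a description of how ECOS implements inter-segment routing.

```python
# Added illustrative model (not Silver Peak's own code) of per-segment routing
# lookups on a segmented appliance.
import ipaddress

DEFAULT_SEGMENT = "Default"


class SegmentedAppliance:
    """Routing tables keyed by segment; lookups use the ingress interface's segment."""

    def __init__(self):
        self.iface_segment = {}   # interface name -> segment
        self.tables = {}          # segment -> list of (network, next_hop)

    def add_interface(self, name, segment=DEFAULT_SEGMENT, connected=None):
        # Lab note: WAN interfaces are hardcoded to Default and cannot be changed.
        if name.startswith("wan") and segment != DEFAULT_SEGMENT:
            raise ValueError(f"{name}: WAN interfaces are fixed in the Default segment")
        self.iface_segment[name] = segment
        self.tables.setdefault(segment, [])
        if connected:   # a connected subnet is known only inside its own segment
            self.add_route(segment, connected, name)

    def add_route(self, segment, prefix, next_hop):
        """next_hop is an egress interface, or 'segment:<name>' to hand the packet
        to another segment's table (assumed model of an inter-segment route)."""
        self.tables.setdefault(segment, []).append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, ingress_iface, dst_ip):
        """Egress interface for dst_ip arriving on ingress_iface, or None (NO ROUTE)."""
        segment = self.iface_segment[ingress_iface]
        return self._lookup_in(segment, ipaddress.ip_address(dst_ip), hops=0)

    def _lookup_in(self, segment, addr, hops):
        if hops > len(self.tables):          # guard against hand-off loops
            return None
        matches = [(net, nh) for net, nh in self.tables.get(segment, []) if addr in net]
        if not matches:
            return None
        net, next_hop = max(matches, key=lambda m: m[0].prefixlen)   # longest prefix
        if next_hop.startswith("segment:"):
            return self._lookup_in(next_hop.split(":", 1)[1], addr, hops + 1)
        return next_hop


def ecv1_segmented():
    """ECV-1 after lan0 is moved into Seg_A while wan0 stays in Default."""
    ecv1 = SegmentedAppliance()
    ecv1.add_interface("wan0")                                        # Default
    ecv1.add_interface("lan0", "Seg_A", connected="10.110.10.0/24")   # constructed
    # Constructed: a remote site subnet reachable only through the tunnels on
    # wan0, so only the Default segment has a route to it.
    ecv1.add_route(DEFAULT_SEGMENT, "10.110.20.0/24", "wan0")
    return ecv1


def ecv1_with_inter_segment_route():
    """Task 11: a route so Seg_A traffic can be forwarded into the Default segment."""
    ecv1 = ecv1_segmented()
    ecv1.add_route("Seg_A", "10.110.20.0/24", "segment:Default")
    return ecv1


def wan_interface_accepts(segment):
    """True if a WAN interface can be placed in `segment` (only Default can)."""
    try:
        SegmentedAppliance().add_interface("wan1", segment)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(ecv1_segmented().lookup("lan0", "10.110.20.11"))               # None: NO ROUTE
    print(ecv1_with_inter_segment_route().lookup("lan0", "10.110.20.11"))  # wan0
```

In this model the reply arriving on wan0 is looked up in the Default table, which knows nothing about 10.110.10.0/24 either, so a working ping needs reachability in both directions, which is what the rest of this task goes on to establish.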
Notice there is now a Segment column and it shows CSR-3X’s IP address in the Default Segment.
☐ Enable BGP:
☐ Autonomous System Number 65001
66. On the BGP Peers tab, click the Refresh icon
73. Hold the CTRL button and select both ECV-1 and ECV-4
• There is still NO ROUTE and ECV-1 is not seeing the flow at all.
75. Click on the Details icon
b. Open a Command Prompt session
c. Ping 10.110.10.11 -t
83. FINALLY SUCCESS!
• You can now see that ECV-1 and ECV-4 are learning their local routes from each other in Segment Seg_A.
Nice Job!
You have completed all the labs in this course.
_______________________
3. You will need this code for the next two days
5. On the Login page enter the access code your instructor gave you.
6. Click Login
2. The following directions will help you match the lab environment to your keyboard.
4. Click on Start on the Landing Desktop in the ReadyTech lab environment (not your personal device).
5. In the Search box, type ‘keyboard settings’, then click on ‘Change keyboards or other input methods’.
6. Note: only if you can’t type ‘keyboard settings’ in the search box, do the following (if you were able to search for keyboard settings, skip to the next step).
7. At the top of the ReadyTech browser window, click ‘Desktop’, then ‘Enable viewer toolbar’.
8. Mouse over the small tab that appears at the top of the page. It will expand. Under ‘Keys’, select ‘Open onscreen keyboard’.
9. Click Start again if needed and then drag the onscreen keyboard over the search menu. Click on the keys to input ‘keyboard settings’ as described above.
12. In this example we’ll add a French Keyboard
16. Click OK
18. Click OK
19. Click OK
21. In the bottom right of the Landing Desktop in your browser window, Click on EN
22. Click to select your new language (in this case French)
INSTRUCTOR VERSION Template Version 2022.01 r1.4
192.168.1.x
ECV-1, ECV-2, ECV-3, ECV-4, ECV-5: username admin, password Speak-123 (the default ID/PW is admin/admin)