Saturday, October 14, 2023

Introducing Cisco Cloud Network Controller on Google Cloud Platform – Part 3


Part 1 and Part 2 of this blog series covered native cloud networking and firewall rules automation on GCP, and reading them first is recommended for completeness. This final post of the series is about enabling external access for cloud resources. More specifically, it will focus on how customers can enable external connectivity from and to GCP, using either Cloud Native Router or Cisco Cloud Router (CCR) based on Cisco Catalyst 8000v, depending on the use case.

By expanding on the earlier capabilities, Cisco Cloud Network Controller (CNC) will provision routing, automate VPC peering between infra and user VPCs, and set up BGP IPSec connectivity to external networks in a few steps using the same policy model.

Scenario

This scenario leverages the existing configuration built previously, represented by the network-a and network-b VPCs. These user VPCs will be peered with the infra VPC in a hub and spoke architecture, where GCP cloud native routers will be provisioned to establish BGP IPSec tunnels with an external IPSec device. A GCP cloud native router is the combination of a Cloud Router and a High-availability (HA) Cloud VPN gateway.

The high-level topology below illustrates the additional connections automated by Cisco CNC.

Scenario

Provisioning Cloud Native Routers

The first step is to enable external connectivity under Region Management by selecting the region in which the cloud native routers will be deployed. For this scenario, they will be provisioned in the same region as the Cisco CNC, as depicted on the high-level topology. Additionally, default values will be used for the IPSec Tunnel Subnet Pool and the BGP AS under the Hub Network representing the GCP Cloud Router.

The cloud native routers are purposely provisioned in a different region from the user VPCs to illustrate the ability to have a dedicated hub network with external access. However, they could have been deployed in the same region as the user VPCs.

Provisioning Cloud Native Routers

Note: a brief overview of the Cisco CNC GUI was provided in Part 1.

Enabling External Networks

The next step is to create an External Network construct within the infra tenant. This is where an external VRF is defined to represent external networks connected to on-premises data centers or remote sites. Any cloud VRF mapped to existing VPC networks can leak routes to this external VRF or receive routes from it. In addition to the external VRF definition, this is also where the VPN settings are entered with the remote IPSec peer details.

The configuration below illustrates the stitching of the external VRF and the VPN network within the region where the cloud native routers are being provisioned in the backend. For simplicity, the VRF was named “external-vrf”, but in a production environment the name should be well defined and aligned to the external network it represents, to ease operations.

Create External Network

The VPN network settings require the public IP of the remote IPSec device, the IKE version, and the BGP AS. As indicated earlier, the default subnet pool is being used.

Add VPN Network

Once the external network is created, Cisco CNC generates a configuration file for the remote IPSec device to establish BGP peering and IPSec tunnels with the GCP cloud native routers. Below is the option to download the configuration file.

Configuring the External IPSec Device

Since the configuration file provides most of the configuration required for the external IPSec device, customization is only needed for the tunnel source interface and for routing settings, where applicable, to match local network requirements. In this example, the remote IPSec device is a virtual router using interface GigabitEthernet1. For brevity, only one of the IPSec tunnel configs is shown below, together with all the other config generated by Cisco CNC.

vrf definition external-vrf
    rd 100:1
    address-family ipv4
    exit-address-family

interface Loopback0
    vrf forwarding external-vrf
    ip address 41.41.41.41 255.255.255.255

crypto ikev2 proposal ikev2-1
    encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
    integrity sha512 sha384 sha256 sha1
    group 24 21 20 19 16 15 14 2

crypto ikev2 policy ikev2-1
    proposal ikev2-1

crypto ikev2 keyring keyring-ifc-3
    peer peer-ikev2-keyring
        address 34.124.13.142
        pre-shared-key 49642299083152372839266840799663038731

crypto ikev2 profile ikev-profile-ifc-3
    match address local interface GigabitEthernet1
    match identity remote address 34.124.13.142 255.255.255.255
    identity local address 20.253.155.252
    authentication remote pre-share
    authentication local pre-share
    keyring local keyring-ifc-3
    lifetime 3600
    dpd 10 5 periodic

crypto ipsec transform-set ikev-transport-ifc-3 esp-gcm 256
    mode tunnel

crypto ipsec profile ikev-profile-ifc-3
    set transform-set ikev-transport-ifc-3
    set pfs group14
    set ikev2-profile ikev-profile-ifc-3

interface Tunnel300
    vrf forwarding external-vrf
    ip address 169.254.0.2 255.255.255.252
    ip mtu 1400
    ip tcp adjust-mss 1400
    tunnel source GigabitEthernet1
    tunnel mode ipsec ipv4
    tunnel destination 34.124.13.142
    tunnel protection ipsec profile ikev-profile-ifc-3

ip route 34.124.13.142 255.255.255.255 GigabitEthernet1 192.168.0.1

router bgp 65002
    bgp router-id 100
    bgp log-neighbor-changes
    address-family ipv4 vrf external-vrf
        network 41.41.41.41 mask 255.255.255.255
        neighbor 169.254.0.1 remote-as 65534
        neighbor 169.254.0.1 ebgp-multihop 255
        neighbor 169.254.0.1 activate
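The generated proposal above still offers SHA-1 integrity and Diffie-Hellman group 2 to the peer, legacy entries a hardening review would normally drop before the file is applied. As an added example (not part of the original post or of Cisco CNC), the Python below parses the IKEv2 section of such an IOS-style config (sample constructed from the config above) and reports or removes the weak entries; the set of what counts as weak is this example's own assumption.

```python
import re

# Constructed sample: the IKEv2 lines of the CNC-generated config shown above.
SAMPLE_CONFIG = """\
crypto ikev2 proposal ikev2-1
    encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
    integrity sha512 sha384 sha256 sha1
    group 24 21 20 19 16 15 14 2
crypto ikev2 policy ikev2-1
    proposal ikev2-1
"""

# Entries this example refuses (an assumption, not a CNC default): SHA-1/MD5 integrity, DH groups below 2048-bit MODP.
WEAK = {"integrity": {"sha1", "md5"}, "group": {"1", "2", "5"}}

def _sections(config):
    """Yield (header, [sub-commands]) for each top-level IOS command."""
    header, body = None, []
    for line in filter(str.strip, config.splitlines()):
        if line[0] in " \t":
            body.append(line.strip())      # indented: belongs to current header
        else:
            if header:
                yield header, body
            header, body = line.strip(), []
    if header:
        yield header, body

def audit_ikev2_proposals(config):
    """Return {proposal name: [weak 'keyword value' entries]} per ikev2 proposal."""
    findings = {}
    for header, body in _sections(config):
        m = re.match(r"crypto ikev2 proposal (\S+)", header)
        if m:
            findings[m.group(1)] = [f"{kw} {a}" for kw, *algs in map(str.split, body)
                                    for a in algs if a in WEAK.get(kw, ())]
    return findings

def harden_proposals(config):
    """Return the config with the weak entries dropped from every ikev2 proposal."""
    out = []
    for header, body in _sections(config):
        out.append(header)
        is_proposal = header.startswith("crypto ikev2 proposal ")
        for kw, *algs in map(str.split, body):
            if is_proposal:
                algs = [a for a in algs if a not in WEAK.get(kw, ())]
            out.append("    " + " ".join([kw, *algs]))
    return "\n".join(out) + "\n"
```

Sections other than the proposal (the policy here) pass through unchanged, so the rewritten text can be pasted back in place of the original lines.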

Verifying External Connectivity Status

Once the configuration is applied, there are a few ways to verify the BGP peering and IPSec tunnels between GCP and the external devices: via the CLI on the IPSec device itself and via the Cisco CNC GUI on the External Connectivity dashboard.

Verifying External Connectivity status

In the GCP console (infra project), under Hybrid Connectivity, both the IPSec and BGP sessions show as established by the combination of a Cloud Router and an HA Cloud VPN gateway automated by Cisco CNC upon definition of the External Network. Note that the infra VPC network is named overlay-1 by default as part of the Cisco CNC deployment from the marketplace.

Route Leaking Between External and VPC Networks

Now that the BGP IPSec tunnels are established, let’s configure inter-VRF routing between the external networks and the existing user VPC networks from the earlier sections. This works by enabling VPC peering between the user VPCs and the infra VPC hosting the VPN connections, which will share those VPN connections to the external sites. Routes received on the VPN connections are leaked to the user VPCs, and user VPC routes are advertised on the VPN connections.

Using inter-VRF routing, routes are leaked between the external VRF of the VPN connections and the cloud native user VRFs. The configuration below illustrates route leaking from external-vrf to network-a.

The reverse route leaking configuration, from network-a to external-vrf, is filtered by Subnet IP to show the available granularity. The same steps were performed for network-b but are not depicted, for brevity.

Create Leak Route

In addition to the existing peering between the network-a and network-b VPCs, both user VPCs are now also peered with the infra VPC (overlay-1), as depicted on the high-level topology.

By exploring the details of one of the peering connections, it is possible to see the external subnet 41.41.41.41/32 in the imported routes table.

On the remote IPSec device, the subnets from the network-a and network-b VPCs are learned over the BGP peering as expected.

remote-site#sh bgp vpnv4 unicast vrf external-vrf
<<<output omitted for brevity>>>
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf external-vrf)
 *>   41.41.41.41/32   0.0.0.0                  0         32768 i
 *    172.16.1.0/24    169.254.0.5            100             0 65534 ?
 *>                    169.254.0.1            100             0 65534 ?
 *    172.16.128.0/24  169.254.0.5            100             0 65534 ?
 *>                    169.254.0.1            100             0 65534 ?
remote-site#
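The table above is worth checking automatically after every route-leak change rather than by eye. As an added example (not part of the original post), the Python below parses show bgp vpnv4 output (sample constructed from the table above, including the continuation rows that leave the Network column blank) and confirms that each user VPC subnet has its best path via a tunnel peer and that the loopback is locally originated; the subnet and peer lists are this example's assumptions.

```python
import re

# Constructed sample: the remote-site BGP table shown above. A row whose Network
# column is blank is an additional path for the prefix on the previous row.
BGP_OUTPUT = """\
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf external-vrf)
 *>   41.41.41.41/32   0.0.0.0                  0         32768 i
 *    172.16.1.0/24    169.254.0.5            100             0 65534 ?
 *>                    169.254.0.1            100             0 65534 ?
 *    172.16.128.0/24  169.254.0.5            100             0 65534 ?
 *>                    169.254.0.1            100             0 65534 ?
"""

# One path row: status flags, optional prefix, then the next hop.
ROW_RE = re.compile(
    r"^\s*\*(?P<best>>?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)?\s*"
    r"(?P<nexthop>\d+\.\d+\.\d+\.\d+)\s")

def parse_best_paths(output):
    """Map prefix -> next hop of its best path (rows marked '*>')."""
    best, prefix = {}, None
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue                               # header, RD line, prompt
        prefix = m.group("prefix") or prefix       # blank column: same prefix
        if m.group("best") and prefix:
            best[prefix] = m.group("nexthop")
    return best

def check_leaked_routes(output, vpc_subnets, tunnel_peers, local_prefix):
    """Return problems found; an empty list means the table is as expected."""
    best = parse_best_paths(output)
    problems = []
    for subnet in vpc_subnets:
        hop = best.get(subnet)
        if hop is None:
            problems.append(f"{subnet}: not learned over the VPN")
        elif hop not in tunnel_peers:
            problems.append(f"{subnet}: best path via {hop}, not a tunnel peer")
    if best.get(local_prefix) != "0.0.0.0":
        problems.append(f"{local_prefix}: not locally originated")
    return problems
```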

Defining an External EPG for the External Network

Up to this point, all routing policies have been automated by Cisco CNC to allow external connectivity to and from GCP. However, firewall rules are also required for end-to-end connectivity. This is accomplished by creating an external EPG that uses subnet selection as the endpoint selector to represent the external networks. Note that this external EPG is created within the infra tenant and associated with the external-vrf created previously.

Create EPG

The next step is to apply contracts between the external EPG and the previously created cloud EPGs to allow communication between endpoints in GCP and the external networks, which in this scenario are represented by 41.41.41.41/32 (loopback0 on the remote IPSec device). As this happens across different tenants, the contract scope is set to global and the contract is exported from the engineering tenant to the infra tenant, and vice versa if traffic is allowed to be initiated from both sides.

To the cloud connectivity
From the cloud connectivity

On the backend, the combination of contracts and filters translates into the proper GCP firewall rules, as covered in detail in Part 2 of this series. For brevity, only the outcome is shown below.

remote-site#ping vrf external-vrf 172.16.1.2 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
Packet sent with a source address of 41.41.41.41
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/84/86 ms
remote-site#ping vrf external-vrf 172.16.128.2 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.128.2, timeout is 2 seconds:
Packet sent with a source address of 41.41.41.41
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 132/133/138 ms
root@web-server:/home/marinfer# ping 41.41.41.41
PING 41.41.41.41 (41.41.41.41) 56(84) bytes of data.
64 bytes from 41.41.41.41: icmp_seq=1 ttl=254 time=87.0 ms
64 bytes from 41.41.41.41: icmp_seq=2 ttl=254 time=84.9 ms
64 bytes from 41.41.41.41: icmp_seq=3 ttl=254 time=83.7 ms
64 bytes from 41.41.41.41: icmp_seq=4 ttl=254 time=83.8 ms
root@web-server:/home/marinfer#

root@app-server:/home/marinfer# ping 41.41.41.41
PING 41.41.41.41 (41.41.41.41) 56(84) bytes of data.
64 bytes from 41.41.41.41: icmp_seq=1 ttl=254 time=134 ms
64 bytes from 41.41.41.41: icmp_seq=2 ttl=254 time=132 ms
64 bytes from 41.41.41.41: icmp_seq=3 ttl=254 time=131 ms
64 bytes from 41.41.41.41: icmp_seq=4 ttl=254 time=136 ms
root@app-server:/home/marinfer#

Advanced Routing Capabilities with Cisco Cloud Router

Leveraging native routing capabilities as demonstrated may suffice for some specific use cases and be limiting for others. For more advanced routing capabilities, Cisco Cloud Routers can be deployed instead. The provisioning process is much the same, with the CCRs also instantiated within the infra VPC in a hub and spoke architecture. Besides being able to manage the entire lifecycle of the CCRs from Cisco CNC, customers can also choose between different tier-based throughput options according to their requirements.

One of the main use cases for Cisco Cloud Routers is BGP EVPN support across different cloud sites running Cisco CNC, or hybrid cloud connectivity with on-prem sites when policy extension is desirable. The different inter-site use cases are documented in dedicated white papers, and below is a high-level topology illustrating the architecture.

GCP Architecture

Summary

There are several ways of enabling external access and hybrid cloud connectivity for cloud resources. Cisco CNC gives customers the flexibility to leverage native routing capabilities or the more advanced features of CCR. Additionally, although not covered in this series, the ability to import and manage connectivity to brownfield VPCs is also supported, to address use cases with existing VPC networks.

In conclusion, this blog series introduces Cisco CNC so that customers can explore and understand the benefits of using cloud networking software to automate and build their cloud environments on GCP. Moreover, Cisco CNC makes it easy to integrate with existing cloud automation tools such as Terraform by publishing continuous provider updates.

Resources

Guides

Cisco Cloud Network Controller for Google Cloud Installation Guides

Cisco Cloud Network Controller for Google Cloud User Guides

Blog Series: Introducing Cisco Cloud Network Controller on Google Cloud Platform

Part 1: Native Cloud Networking Automation

Part 2: Contract-based Routing and Firewall Rules Automation
