3 Steps to Gain Actionable Visibility in the Cisco SD-WAN Using ThousandEyes
Andraz Piletic, Technical Solutions Architect/Instructor
BRKENT-2126 #CiscoLive
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda
- Use Cases
- Agent Deployment Options
- Steering Test Traffic
- Configuring Tests & Viewing Results

SD-WAN + ThousandEyes

Use Cases
- Internal and SaaS Application
- SD-WAN Underlay
- SD-WAN Overlay
[Diagram: Branch, SD-WAN Fabric, ISP, ISP 1, ISP 2, Data Center, Internal Apps]

First Step: Deploying Embedded Agents

Different Agent Deployment Options
- Embedded on an SD-WAN Edge
- Embedded in a Catalyst 9000 switch
- Virtual machine
- Physical appliance

Embedded Agent Requirements
(columns: Platform; HW Requirements; SW Requirements; BrowserBot; Management*)
- ASR 1001-(H)X, ASR 1002-(H)X, ASR 1006-X: Minimum 8G of RAM and Flash; IOS-XE 17.8.1+; Not supported; vManage 20.8+
- Catalyst 8500(L), Catalyst 8300, Catalyst 8200(L): Minimum 8G of RAM and Flash; IOS-XE 17.6.1+; vManage 20.6+
- ISR44xx, ISR43xx, ISR42xx, ISR 1100 x-6G: IOS-XE 17.7.1+
- Catalyst 9300(L), Catalyst 9400: SSD module for BrowserBot tests; IOS-XE 17.6.1+; DNA Advantage; Supported with SSD module; DNA Center 2.2.2.3+

Deployment Options
[Diagram: Service (VPNn), Tunnel, Transport (VPN0), Gig0/0/0, Gig0/0/1]
Basic setup (default)
- Test traffic routed via a VPG interface
- Still behind a NAT
- Test traffic follows best path
Agent in VPN0
Agent in Service VPN
- Test traffic can follow SD-WAN policies
- Can monitor Overlay and Underlay paths
- Requires unique subnet

Deploying ThousandEyes Agent Using vManage
- Download Agent Software from ThousandEyes portal
- Copy Account Group Token
- Upload Agent Software to vManage
- Define ThousandEyes Feature Template in vManage
- Attach Feature Template to target device

Downloading Agent Software
- Cloud & Enterprise Agents > Agent Settings > Add New Ent. Agent > Cisco Application Hosting > Routers > Download TAR
- Note down the value of the Account Group Token

Uploading ThousandEyes Agent to vManage

Defining ThousandEyes Feature Template
- Select supported devices and define ThousandEyes Agent template
- If you don't see the template, you have selected an unsupported device

Configuring a Feature Template
- Set Account Group Token (global)
- Specify VPN
- Set device specific variable for Agent IP Address and default gateway
- Depending on your environment, you can set the Advanced settings globally, device specific or default

Attaching a Feature Template

```
interface VirtualPortGroup4
 no shutdown
 vrf forwarding 10
 ip address 172.16.11.1 255.255.255.252
!
iox
app-hosting appid te
 app-default-gateway 172.16.11.1 guest-interface 0
 app-resource docker
  prepend-pkg-opts
  run-opts 1 "-e TEAGENT_ACCOUNT_TOKEN=BRKENT2126"
 !
 app-vnic gateway0 virtualportgroup 4 guest-interface 0
  guest-ipaddress 172.16.11.2 netmask 255.255.255.252
 !
 name-server0 208.67.222.222
 start
```

Troubleshooting

```
cEdge#show app-hosting list
App id                                   State
---------------------------------------------------------
te                                       RUNNING

cEdge#app-hosting connect appid te session /bin/bash
root@te: more /var/log/agent/te-agent.log
2022-06-09 10:42:59.307 INFO 20047f00 te.agent.status ThousandEyes Agent starting up
2022-06-09 10:42:59.309 DEBUG 20047f00 te.agent.AptPackageInterface Initialized APT package interface
2022-06-09 10:42:59.309 INFO 20047f00 te.agent.main Agent version 1.138.0 starting.
2022-06-09 10:42:59.310 DEBUG 20047f00 te.agent.db Vacuuming database
2022-06-09 10:42:59.311 INFO 20047f00 te.agent.db Found version 53, expected version 53
2022-06-09 10:42:59.322 DEBUG 20047f00 te.agent.DnssecTaskProceessor Agent is not running bind
2022-06-09 10:42:59.323 INFO 20047f00 te.agent.main Configured crash report to https:/
10:42:59.324 INFO 20047f00 te.agent.main Found id 504516
2022-06-09 10:42:59.324 INFO 20047f00 te.agent.ClusterMasterAdapter Set clustermaster URL to https:/
2022-06-09 10:42:59.324 INFO 20047f00 te.agent.ClusterMasterAdapter Attempting to get controller assignment from https:/
2022-06-09 10:43:01.369 INFO 20047f00 te.agent.ClusterMasterAdapter https:/ told us we should talk to controller
2022-06-09 10:43:01.397 DEBUG 20047f00 te.agent.NtpClient Sending NTP packet to pool.ntp.org (193.2.78.228)
```

Installing Agent Behind a SIG
- Agent fails to register due to untrusted certificate
- Manually copy/paste the missing root CA in a PEM format
- Or transfer it directly (unsecure)

```
cEdge#app-hosting connect appid te session /bin/bash
root@cEdge:/# tail /var/log/agent/te-agent.log
2023-02-02 09:01:19.890 ERROR d7825f00 te.agent.status Error calling createAgent: Curl error - Peer certificate cannot be authenticated with given CA certificates
root@cEdge:/# vi /usr/share/ca-certificates/UmbrellaRootCA.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
root@cEdge:/# curl --insecure https:/
```

Installing Agent Behind a SIG (Cont.)
- Append a new certificate name to the configuration file
- Execute update-ca-certificates command
- Remove specific package (embedded agents only)
- Restart the agent

```
root@cEdge:/# echo UmbrellaRootCA.pem >> /etc/ca-certificates.conf
root@cEdge:/# update-ca-certificates
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt, it does not contain exactly one certificate or CRL
1 added, 0 removed; done.
root@cEdge:/# apt remove --purge cisco-core-trsb
root@cEdge:/# sv restart te-agent
```

Second Step: Steering Test Traffic

Common Objectives
- Basic approach: follow preferred/best paths
- Advanced approach:
  - Steer test traffic over redundant overlay tunnels
  - Steer test traffic over redundant DIA paths
- Options for matching test traffic
  - Source IPs
  - Destination IPs & ports
  - DSCP coloring
[Diagram: Data Path, User Traffic, Test Probes, Data Policy Evaluation, Routing Table Evaluation, Service, Transport, VPG]

Steering Test Traffic over Redundant Overlay Paths
[Diagram: MPLS, Internet, SD-WAN tunnel (gold), SD-WAN tunnel (silver), Data Center, Webex Cloud, SaaS]

Steering Test Traffic over Redundant Overlay Paths

```
data-policy Overlay-A2A
 vpn-list VPN10
  sequence 1
   match
    dscp 46
    source-data-prefix-list All_TE_Agents
    destination-data-prefix-list All_TE_Agents
   !
   action accept
    set
     local-tloc-list
      color gold
      encap ipsec
      restrict
   !
  sequence 11
   match
    dscp 40
    source-data-prefix-list All_TE_Agents
    destination-data-prefix-list All_TE_Agents
   !
   action accept
    set
     local-tloc-list
      color silver
      encap ipsec
      restrict
   !
  default-action accept
lists
 data-prefix-list All_TE_Agents
  ip-prefix 192.168.255.0/24
 !
 site-list all-sites
  site-id 1-1000
 vpn-list VPN10
  vpn 10
 !
apply-policy
 site-list all-sites
  data-policy Overlay-A2A from-service
```

Steering Test Traffic over Redundant DIA Paths
[Diagram: ISP B, ISP A, SD-WAN tunnel (biz-internet), SD-WAN tunnel (public-internet), Umbrella Cloud, Webex Cloud, SaaS]

Steering Test Traffic over Redundant DIA Paths

```
data-policy VPN10-Redundant-DIA-Paths
 vpn-list VPN10
  sequence 1
   match
    dscp 46
    source-data-prefix-list All_TE_Agents
   !
   action accept
    nat use-vpn 0
    set
     local-tloc-list
      color public-internet
      encap ipsec
      restrict
     dscp 0
   !
  sequence 11
   match
    dscp 40
    source-data-prefix-list All_TE_Agents
   !
   action accept
    nat use-vpn 0
    set
     local-tloc-list
      color biz-internet
      encap ipsec
      restrict
   !
  default-action accept
```

Last Step: Configuring Tests

Network Test: Agent-to-Agent
- Prefer A2A tests over A2S whenever possible
- Supports bidirectional testing
- Detects asymmetrical paths
- Also supports UDP
- Use different ports or DSCP for matching test traffic with data policy

Network Test: A2A Challenges

```
ip nat inside source static tcp 192.168.255.2 49153 203.0.113.2 49153 vrf 10 egress-interface GigabitEthernet1
ip nat inside source static udp 192.168.255.2 49153 203.0.113.2 49153 vrf 10 egress-interface GigabitEthernet1
```

- Single target IP for tests
- Difficult to support both overlay & underlay A2A tests concurrently
- Monitoring underlay-reachability of the target agent
- Place agent directly into the underlay as VA or utilize PAT* (since 20.9)

Network Test: Agent-to-Server
- Use when no agent available at test destination
- Prefer TCP over ICMP
- SDWAN underlay interfaces are locked down by default
- Utilize DSCP for data policy actions
- With 1 minute interval measurements can be spread in 1 second intervals

Web Layer Tests
- Matching different web test traffic with an SD-WAN data policy becomes a challenge:
  - No DSCP coloring options, source ports settings, etc.
  - Only HTTP Server test supports different source interfaces*
- BrowserBot is needed for Page Load and Transaction tests
- Alternative: Multiple agents in a branch

What about SASE?
- Secure Internet Gateways (proxies) break network visibility
- Utilize web tests for end-to-end application performance and visibility
- Monitor underlay to IPsec/GRE gateways using A2S network tests
- HTTPs/SSL decryption requires additional installation step on agents
- Import utilized CA certificate (documentation)

Improving Visualization
- Combine individual tests using multi-views
- Enable SNMP on SD-WAN edges and utilize Device Layer monitoring
- Make sure data policy does not match such traffic for DIA action

Demo

Sharelinks
- Dual DIA towards CiscoL https:/
- A2A SDWAN Branch (1|3) HQ (UDP) https:/
- CiscoL via Umbrella SIG https:/

UMTS
Underlay Measurement and Tracing Services

Q&A

Summary
- 1st step: choose agent deployment model that fits you best
- 2nd step: steer test traffic using SD-WAN data policy
- 3rd step: configure tests and improve test results
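
For the "Installing Agent Behind a SIG" steps: the slides mark the direct transfer as unsecure, because `curl --insecure` skips TLS verification while fetching the very certificate that is about to become a trust anchor. The script below is an added example, not from the session or from Cisco; it checks a PEM file against a SHA-256 fingerprint obtained out of band before the file is placed in /usr/share/ca-certificates. The function names and the sample payload are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the session: pin-check a root CA PEM before trusting it.
# Function names and the sample payload are illustrative assumptions.

# SHA-256 (lowercase hex) of the DER bytes inside a single-certificate PEM file.
# Same digest that `openssl x509 -noout -fingerprint -sha256` prints with colons.
pem_sha256() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" |
        grep -v -- '-----' | tr -d ' \r\n' | base64 -d | sha256sum | cut -d' ' -f1
}

# ca_pin_check <pem-file> <expected-sha256>
# 0 = matches the pin, 1 = refuse to trust, 2 = the pin itself is malformed.
ca_pin_check() {
    pem=$1
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')   # accept AA:BB:.. form
    case $want in *[!0-9a-f]*) echo "bad pin: not hex" >&2; return 2 ;; esac
    [ "${#want}" -eq 64 ] || { echo "bad pin: need 64 hex digits" >&2; return 2; }
    # One certificate per file, which is what update-ca-certificates expects.
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" 2>/dev/null) || count=0
    [ "$count" -eq 1 ] || { echo "refusing: $count certificates in $pem" >&2; return 1; }
    got=$(pem_sha256 "$pem")
    [ "$got" = "$want" ] || { echo "refusing: $got does not match pin" >&2; return 1; }
    echo "ok: $pem matches pin"
}

# Constructed sample: placeholder bytes wrapped as PEM, NOT a real certificate.
make_sample_pem() {
    { echo '-----BEGIN CERTIFICATE-----'
      printf '%s' "$2" | base64
      echo '-----END CERTIFICATE-----'; } > "$1"
}

tmp=$(mktemp)
make_sample_pem "$tmp" 'constructed placeholder payload'
pin=$(printf '%s' 'constructed placeholder payload' | sha256sum | cut -d' ' -f1)
ca_pin_check "$tmp" "$pin"                                   # accepted
ca_pin_check "$tmp" "$(printf '%064d' 0)" || echo "rejected" # wrong pin
rm -f "$tmp"
```

Run the check before the `echo UmbrellaRootCA.pem >> /etc/ca-certificates.conf` step, with the fingerprint taken from a channel that does not pass through the gateway being trusted.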