Brksec-3036 (2015)
FlexVPN
BRKSEC-3036
Frederic Detienne
Distinguished Engineer
Agenda
• FlexVPN in a nutshell
• Shortcut Switching
• Backup with Routing
• Per Branch Features
• End-to-End VRF Separation with MPLSoFlex
• Backup Mechanisms and Load Balancing
• Conclusion
BRKSEC-3036 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
FlexVPN Quick Recap
crypto ikev2 profile default
IKEv2 Profile Match Statements
match certificate <certificate map>

IKE_AUTH request: HDR, SK {IDi, [Cert], [Certreq], [IDr], AUTH, SAi2, TSi, TSr}

Certificate fields the certificate map can match:
SubjectName:
• CN=RouterName
• O=Cisco
• OU=Engineering
IssuerName:
• CN=PKI Server
• O=Cisco
• OU=IT
IPsec CLI Overview
Tunnel Protection
IPsec transform
crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
Introducing Smart Defaults
Intelligent, reconfigurable defaults
Smart defaults (pre-configured, shown here expanded):

crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
!
crypto ipsec profile default
 set transform-set default
 set crypto ikev2 profile default
!
crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha512 sha256 sha1 md5
 group 5 2

What you need to specify:

crypto ikev2 profile default
 match identity remote address 10.0.1.1
 authentication local rsa-sig
 authentication remote rsa-sig
 aaa authorization user cert list default default
 pki trustpoint TP
!
interface Tunnel0
 ip address 192.168.0.1 255.255.255.252
 tunnel protection ipsec profile default
Packet Forwarding and Interface Creation

[Diagram: Basic Packet Forwarding; IKEv2 and AAA (optional) above the forwarding path]
Layer 4
Layer 3: Routing
Layer 2: Input features, Encapsulation, Output features

IKE Flow Creation

[Diagram]
Layer 5+: IKE, AAA (optional), BGP
Layer 3
Layer 2: Virtual-Access Interface (Tunnel), created by IKEv2; IPsec Security Association applied here

Packet Forwarding – Tunnels & Features

[Diagram]
Layer 4
Layer 2: Input features, Encapsulation, Output features (applied to the clear text packet)
Post-encapsulation (Tunnel Protection): Encapsulation, Output features (applied to the encrypted packet)
Generic Profile Derivation
Expanded Example (not recommended)

[Diagram: IKEv2 exchange between R1.cisco.com and the hub]
R1.cisco.com → Hub: IDi=R1.cisco.com, Auth, TSi, TSr, CFG_Req(IP4_ADDRESS, IP4_NETWORK…)
• IDi selects the IKEv2 profile
• Fetch Profile 1: keyring, or aaa <list> name-mangler <m> (on Hub or on RADIUS). Authentication profile, used only for authentication (or a mix)
• Auth OK
• Fetch Profile 2: aaa authorization user psk <list>. User profile
Below the hub: Virtual-Access Interfaces (.1, .2 … .254; 172.16.0.1, 172.16.0.2) and a Static Tunnel Interface.
Hub & Spoke Bootstrap – Config Exchange

[Diagram: Spoke 1 (LAN 192.168.1.0/24, WAN 172.16.1.1) and Hub (LAN 192.168.100.0/24, WAN 172.16.0.1)]
Spoke 1 interfaces: Ethernet0/1: 192.168.1.1; Tunnel0: 10.0.0.1
Hub interfaces: Ethernet0/1: 192.168.100.1; Loopback0: 10.0.0.254/32; VirtualAccess1: 10.0.0.254/32

Spoke → Hub: IDi=Spoke1.cisco.com, Auth, TSi, TSr, CFG_Req(IP4_SUBNET…)
Hub → Spoke: IDr, cert, Auth, TSi, TSr, CFG_Reply(IP4_SUBNET=10.0.0.254/32, 192.168.0.0/16; IP4_ADDRESS=10.0.0.1)
  IP4_ADDRESS: spoke assigned address (optional)
  192.168.0.0/16: supernet covering all spokes' LAN prefixes
Spoke → Hub: CFG_set(IP4_SUBNET=10.0.0.1/32, 192.168.1.0/24)
Hub → Spoke: CFG_ack()

Spoke 1 routing table:
 172.16.0.1/32 via 172.16.1.254 (E0/0)
 192.168.1.0/24 Ethernet0/1
 10.0.0.254/32 Tunnel0
 192.168.0.0/16 Tunnel0

Hub routing table:
 0.0.0.0/0 via 172.16.0.254 (E0/0)
 192.168.100.0/24 Ethernet0/1
 10.0.0.1/32 VirtualAccess1
 192.168.1.0/24 VirtualAccess1
FlexVPN Hub and Spoke – IKE Route Exchange

[Diagram: Hub 1 (192.168.100.1, Loopback0 10.0.0.254) and Hub 2 (192.168.100.2, Loopback0 10.0.0.253) on 192.168.100.0/24, joined by Tunnel 100; Spoke 1 (LAN 192.168.1.0/24) connected to Hub 1, Spoke 2 (LAN 192.168.2.0/24) connected to Hub 2]

Hub 1 routing table:
 C 10.0.0.254 Loopback0
 C 192.168.100.0/24 Eth0
 S 192.168.0.0/16 Tunnel100
 S 10.0.0.0/8 Tunnel100
 S 10.0.0.1 V-Access1
 S 192.168.1.0/24 V-Access1

Hub 2 routing table:
 C 10.0.0.253 Loopback0
 C 192.168.100.0/24 Eth0
 S 192.168.0.0/16 Tunnel100
 S 10.0.0.0/8 Tunnel100
 S 10.0.0.2 V-Access1
 S 192.168.2.0/24 V-Access1

Spoke 1 routing table:
 C 192.168.1.0/24 Eth0
 C 10.0.0.1 Tunnel0
 S 0.0.0.0/0 Dialer0
 S 10.0.0.254/32 Tunnel0
 S 192.168.0.0/16 Tunnel0
Spoke 1 NHRP table: empty

Spoke 2 routing table:
 C 192.168.2.0/24 Eth0
 C 10.0.0.2 Tunnel1
 S 0.0.0.0/0 Dialer0
 S 10.0.0.253/32 Tunnel1
 S 192.168.0.0/16 Tunnel1
Spoke 2 NHRP table: empty
FlexVPN Mesh – Indirection

[Diagram: same topology, routing tables and (empty) NHRP tables as on the previous slide. Spoke 1 to Spoke 2 traffic matches only the 192.168.0.0/16 summary on Spoke 1 (Tunnel0) and on Hub 1 (Tunnel100), so it is forwarded through the hubs.]
FlexVPN Mesh – Resolution

[Diagram: same topology; Spoke 2 sends Spoke 1 an NHRP Resolution Reply for 192.168.2.0/24. Hub routing tables unchanged.]

Spoke 1 routing table:
 C 192.168.1.0/24 Eth0
 C 10.0.0.1 Tunnel0
 S 0.0.0.0/0 Dialer0
 S 10.0.0.254/32 Tunnel0
 S 192.168.0.0/16 Tunnel0
 H/S 10.0.0.2/32 V-Access1
 H/S 192.168.2.0/24 V-Access1
Spoke 1 NHRP table:
 10.0.0.2/32 → 172.16.2.1
 192.168.2.0/24 → 172.16.2.1

Spoke 2 routing table:
 C 192.168.2.0/24 Eth0
 C 10.0.0.2 Tunnel1
 S 0.0.0.0/0 Dialer0
 S 10.0.0.253/32 Tunnel1
 S 192.168.0.0/16 Tunnel1
 H/S 10.0.0.1/32 V-Access1
Spoke 2 NHRP table:
 10.0.0.1 → 172.16.1.1
FlexVPN Mesh – Shortcut Forwarding

[Diagram: same topology, routing tables and NHRP tables as on the Resolution slide. Spoke 1 now forwards 192.168.2.0/24 traffic over the H/S route on V-Access1 straight to Spoke 2 (NBMA 172.16.2.1), bypassing the hubs.]
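The Indirection → Resolution → Shortcut Forwarding sequence on the preceding slides, as an added example (not code from the presentation): a small model of Spoke 1's routing table and NHRP cache. Addresses, interface names and the route codes (C, S, H/S) are taken from the slides; the RIB model, the forward() helper and the hub NBMA address used for Tunnel0 (172.16.0.1) are simplifying assumptions.

```python
"""Model of Spoke 1 before and after an NHRP shortcut is installed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    code: str      # "C" connected, "S" static (IKEv2 route set), "H/S" NHRP shortcut
    prefix: object  # ip_network
    iface: str


@dataclass
class Spoke:
    name: str
    nbma: str      # physical (transport) address, e.g. 172.16.1.1
    overlay: str   # tunnel address, e.g. 10.0.0.1
    rib: list = field(default_factory=list)
    nhrp: dict = field(default_factory=dict)   # overlay prefix -> NBMA address

    def lookup(self, dst):
        """Longest-prefix match over the RIB (each prefix appears once here)."""
        dst_ip = ip_address(dst)
        candidates = [r for r in self.rib if dst_ip in r.prefix]
        if not candidates:
            raise LookupError(f"{self.name}: no route to {dst}")
        return max(candidates, key=lambda r: r.prefix.prefixlen)

    def install_shortcut(self, prefix, remote_overlay, remote_nbma):
        """NHRP resolution reply received: cache the NBMA mapping and add the H/S
        routes shown on the Resolution slide (host route to the remote tunnel
        address plus the resolved LAN prefix), both via the spoke-to-spoke V-Access."""
        self.nhrp[f"{remote_overlay}/32"] = remote_nbma
        self.nhrp[prefix] = remote_nbma
        self.rib.append(Route("H/S", ip_network(f"{remote_overlay}/32"), "V-Access1"))
        self.rib.append(Route("H/S", ip_network(prefix), "V-Access1"))


def build_spoke1():
    """Spoke 1 right after the IKEv2 route exchange with Hub 1 (tables from the slide)."""
    s = Spoke("Spoke 1", nbma="172.16.1.1", overlay="10.0.0.1")
    s.rib = [
        Route("C", ip_network("192.168.1.0/24"), "Eth0"),
        Route("C", ip_network("10.0.0.1/32"), "Tunnel0"),
        Route("S", ip_network("0.0.0.0/0"), "Dialer0"),
        Route("S", ip_network("10.0.0.254/32"), "Tunnel0"),   # Hub 1 overlay address
        Route("S", ip_network("192.168.0.0/16"), "Tunnel0"),  # summary of all spoke LANs
    ]
    return s


def forward(spoke, dst):
    """Return (exit interface, next-hop NBMA address) for a packet to dst.
    Tunnel0 always leads to Hub 1; an H/S route resolves its NBMA address via NHRP."""
    route = spoke.lookup(dst)
    if route.iface == "Tunnel0":
        return route.iface, "172.16.0.1"        # Hub 1 physical address (assumed)
    if route.code == "H/S":
        return route.iface, spoke.nhrp[str(route.prefix)]
    return route.iface, "local"


def spoke_to_spoke_walkthrough():
    """Indirection -> redirect -> resolution -> shortcut, as on the mesh slides."""
    s1 = build_spoke1()
    steps = []
    # 1. Indirection: 192.168.2.2 matches only the /16 summary, so it goes via the hub.
    steps.append(forward(s1, "192.168.2.2"))
    # 2. Hub 1 (ip nhrp redirect) signals that a better path exists; Spoke 1 resolves
    #    the destination and Spoke 2 replies with its NBMA address and LAN prefix.
    s1.install_shortcut("192.168.2.0/24", remote_overlay="10.0.0.2", remote_nbma="172.16.2.1")
    # 3. Shortcut forwarding: the /24 H/S route now wins the longest-prefix match.
    steps.append(forward(s1, "192.168.2.2"))
    # A LAN that was never resolved still takes the hub path.
    steps.append(forward(s1, "192.168.3.2"))
    return steps
```

The H/S route is more specific than the /16 summary learned from the hub, which is why no change to the IKEv2-installed routes is needed for the shortcut to take effect.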
FlexVPN Mesh (IKEv2 Routing)
Hub 1 Configuration

! Accept connections from Spokes
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Hub1.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
! Defines which prefixes should be protected. These prefixes can also be set by RADIUS.
crypto ikev2 authorization policy default
 route set remote 10.0.0.0 255.0.0.0
 route set remote 192.168.0.0 255.255.0.0
!
! Static per-spoke features applied here
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ! NHRP is the magic: all V-Access will be in the same network-id
 ip nhrp network-id 1
 ip nhrp redirect
 ip access-group AllowMyBGP in
 tunnel protection ipsec profile default
!
! Hub 1 dedicated overlay address
interface Loopback0
 ip address 10.0.0.254 255.255.255.255
!
! Inter-Hub link (not encrypted)
interface Tunnel100
 ip unnumbered Loopback0
 ! Same NHRP network-id on v-access and inter-hub link
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/1
 tunnel destination 192.168.100.2

Local or AAA spoke profiles supported. Can even control QoS, ZBF, NHRP redirect, network-id, …
FlexVPN Mesh (IKEv2 Routing)
Hub 2 Configuration

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 ! Dedicated identity (optional)
 identity local fqdn Hub2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
crypto ikev2 authorization policy default
 route set remote 10.0.0.0 255.0.0.0
 route set remote 192.168.0.0 255.255.0.0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 ip access-group AllowMyBGP in
 tunnel protection ipsec profile default
!
! Dedicated overlay address (10.0.0.253 for Hub 2, as in the routing tables above)
interface Loopback0
 ip address 10.0.0.253 255.255.255.255
!
! Inter-Hub link towards Hub 1
interface Tunnel100
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/1
 tunnel destination 192.168.100.1
FlexVPN Mesh (IKEv2 Routing)
Spoke Configuration
QoS everywhere!

interface Loopback0
 ip address 10.0.0.2 255.255.255.255
!
! Tunnel to Hub 1
interface Tunnel0
 ip unnumbered Loopback0
 ip nhrp network-id 1
!
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
Shortcut Switching
With a routing protocol (BGP)

FlexVPN Mesh with BGP Routing

[Diagram: same topology as the IKEv2 routing slides; spoke LAN prefixes and the summary are now learned via BGP (B) instead of IKEv2 static routes]

Hub 1 routing table:
 C 10.0.0.254 Loopback0
 C 192.168.100.0/24 Eth0
 S 192.168.0.0/16 Tunnel100
 S 10.0.0.0/8 Tunnel100
 S 10.0.0.1 V-Access1
 B 192.168.1.0/24 via 10.0.0.1

Hub 2 routing table:
 C 10.0.0.253 Loopback0
 C 192.168.100.0/24 Eth0
 S 192.168.0.0/16 Tunnel100
 S 10.0.0.0/8 Tunnel100
 S 10.0.0.2 V-Access1
 B 192.168.2.0/24 via 10.0.0.2

Spoke 1 routing table:
 C 192.168.1.0/24 Eth0
 C 10.0.0.1 Tunnel0
 S 0.0.0.0/0 Dialer0
 S 10.0.0.254/32 Tunnel0
 B 192.168.0.0/16 via 10.0.0.254
Spoke 1 NHRP table: empty

Spoke 2 routing table:
 C 192.168.2.0/24 Eth0
 C 10.0.0.2 Tunnel1
 S 0.0.0.0/0 Dialer0
 S 10.0.0.253/32 Tunnel1
 B 192.168.0.0/16 via 10.0.0.253
Spoke 2 NHRP table: empty
FlexVPN Mesh (BGP) – Hub 1

! Accept connections from Spokes
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Hub1.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
! Static per-spoke config here…
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip access-group AllowMyBGP in
 ! NHRP is the magic: all V-Access will be in the same network-id
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel protection ipsec profile default
!
! Hub 1 dedicated overlay address
interface Loopback0
 ip address 10.0.0.254 255.255.255.255
!
! Inter-Hub link (not encrypted)
interface Tunnel100
 ip unnumbered Loopback0
 ! Same NHRP network-id on v-access and inter-hub link
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/1
 tunnel destination 192.168.100.2
!
ip route 10.0.0.0 255.0.0.0 Tunnel100 tag 2
ip route 192.168.0.0 255.255.0.0 Tunnel100 tag 2
!
! Dynamically accept spoke BGP peering!
router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/24 peer-group Flex
 !
 address-family ipv4
  neighbor Flex peer-group
  neighbor Flex remote-as 1
  neighbor Flex timers 5 15
  neighbor Flex next-hop-self all
  redistribute static route-map rm
 exit-address-family
!
! route-map filters the static routes to redistribute in BGP
route-map rm permit 10
 match tag 2

Local or AAA spoke profiles supported. Can even control QoS, NHRP redirect, network-id, …
FlexVPN Mesh (BGP) – Hub 2

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 ! Dedicated identity (optional)
 identity local fqdn Hub2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip access-group AllowMyBGP in
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel protection ipsec profile default
!
! Dedicated overlay address
interface Loopback0
 ip address 10.0.0.253 255.255.255.255
!
interface Tunnel100
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/1
 tunnel destination 192.168.100.1
!
ip route 10.0.0.0 255.0.0.0 Tunnel100 tag 2
ip route 192.168.0.0 255.255.0.0 Tunnel100 tag 2
!
router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/24 peer-group Flex
 !
 address-family ipv4
  redistribute static route-map rm
  neighbor Flex peer-group
  neighbor Flex remote-as 1
  neighbor Flex timers 5 15
  neighbor Flex next-hop-self all
 exit-address-family
!
route-map rm permit 10
 match tag 2
QoS
Routed Redundancy
FlexVPN Backup
Routing Based Multi-Hub Resiliency (1)

[Diagram: Hub 1 (.1, WAN 172.16.0.1) and Hub 2 (.2, WAN 172.16.0.2) on 192.168.100.0/24, with spokes attached]

FlexVPN Backup
Routing Based Multi-Hub Resiliency (2)

[Diagram: same topology. Hub 1 fails, its tunnels go down.]
Demo – BGP failover
Inter-hub BGP – BFD keepalives

[Diagram: Hub 1 (physical 172.16.0.1, tunnel 10.0.0.254) and Hub 2 (physical 172.16.0.2, tunnel 10.0.0.253) on 192.168.100.0/24 (.1/.2); the inter-hub Tunnel 100 is addressed 192.168.0.0/30 (.1/.2); Spoke 1 (physical 172.16.1.1, tunnel 10.0.0.1, LAN 192.168.1.0/24) and Spoke 2 (physical 172.16.2.1, tunnel 10.0.0.2, LAN 192.168.2.0/24)]

Hub 1:
router bgp 1
 neighbor 192.168.0.2 remote-as 1
 neighbor 192.168.0.2 fall-over bfd
!
interface Tunnel100
 bfd interval 500 min_rx 50 multiplier 3

Hub 2:
router bgp 1
 neighbor 192.168.0.1 remote-as 1
 neighbor 192.168.0.1 fall-over bfd
!
interface Tunnel100
 bfd interval 500 min_rx 50 multiplier 3

Hub 1 routing table:
 C 10.0.0.254 Loopback0
 C 192.168.100.0/24 Eth0
 S 192.168.0.0/16 Null0 tag 2
 S 10.0.0.0/8 Null0 tag 2
 S 1.0.0.1/32 Null0 tag 2      (dummy prefix… the magic ingredient)
 B 1.0.0.2/32 Tunnel100

Hub 2 routing table:
 C 10.0.0.253 Loopback0
 C 192.168.100.0/24 Eth0
 S 192.168.0.0/16 Null0 tag 2
 S 10.0.0.0/8 Null0 tag 2
 S 1.0.0.2/32 Null0 tag 2      (dummy prefix… the magic ingredient)
 B 1.0.0.1/32 Tunnel100

Spoke 1 routing table:
 C 192.168.1.0/24 Eth0
 C 10.0.0.1 Tunnel0
 S 0.0.0.0/0 Dialer0
Spoke 1 NHRP table: empty

Spoke 2 routing table:
 C 192.168.2.0/24 Eth0
 C 10.0.0.2 Tunnel1
 S 0.0.0.0/0 Dialer0
Spoke 2 NHRP table: empty
Spokes Connect – Next-Hop w/ High Distance

[Diagram: same topology as the previous slide; each spoke now has a tunnel to both hubs]

On both hubs the tag 2 routes get redistributed in BGP and advertised to the spokes:
router bgp 1
 redistribute static route-map TAG2
!
route-map TAG2
 match tag 2

On the spokes, the hub addresses learned through IKEv2 are installed with a high distance:
crypto ikev2 authorization policy default
 route accept any distance 210

Hub 1 routing table:
 C 10.0.0.254 Loopback0
 C 192.168.100.0/24 Eth0
 S 192.168.0.0/16 Null0 tag 2
 S 10.0.0.0/8 Null0 tag 2
 S 1.0.0.1/32 Null0 tag 2
 B 1.0.0.2/32 Tunnel100
 S 10.0.0.1 V-Access1
 S 10.0.0.2 V-Access2
 B 192.168.1.0/24 via 10.0.0.1
 B 192.168.2.0/24 via 10.0.0.2

Hub 2 routing table:
 C 10.0.0.253 Loopback0
 C 192.168.100.0/24 Eth0
 S 192.168.0.0/16 Null0 tag 2
 S 10.0.0.0/8 Null0 tag 2
 S 1.0.0.2/32 Null0 tag 2
 B 1.0.0.1/32 Tunnel100
 S 10.0.0.1 V-Access1
 S 10.0.0.2 V-Access2
 B 192.168.1.0/24 via 10.0.0.1
 B 192.168.2.0/24 via 10.0.0.2

Spoke 1 routing table:
 C 192.168.1.0/24 Eth0
 C 10.0.0.1 Tunnel0
 S 0.0.0.0/0 Dialer0
 S 10.0.0.254/32 Tunnel0 dist. 210
 S 10.0.0.253/32 Tunnel1 dist. 210
 B 192.168.0.0/16 via 10.0.0.254 dist. 200
Spoke 1 NHRP table: empty

Spoke 2 routing table:
 C 192.168.2.0/24 Eth0
 C 10.0.0.2 Tunnel1
 S 0.0.0.0/0 Dialer0
 S 10.0.0.254/32 Tunnel0 dist. 210
 S 10.0.0.253/32 Tunnel1 dist. 210
 B 192.168.0.0/16 via 10.0.0.254 dist. 200
Spoke 2 NHRP table: empty
Traffic Flows – recursive routing applies

[Diagram: same topology. Hub routing tables as on the previous slide, except that 10.0.0.0/8 now points to the inter-hub link on both hubs (S 10.0.0.0/8 Tunnel100). Spoke routing tables unchanged: B 192.168.0.0/16 via 10.0.0.254 dist. 200 recurses to S 10.0.0.254/32 Tunnel0 dist. 210, so spoke traffic flows through Hub 1.]
Say Hub 1 Crashed…

[Diagram: same topology; Hub 1 is down]

On Hub 2, after 0.5 seconds:
%BGP-5-ADJCHANGE: neighbor 192.168.0.1 Down

Hub 2 routing table:
 C 10.0.0.253 Loopback0
 C 192.168.100.0/24 Eth0
 S 192.168.0.0/16 Tunnel100 tag 2
 S 10.0.0.0/8 Null0 tag 2
 S 1.0.0.2/32 Null0 tag 2
 B 1.0.0.1/32 Tunnel100
 S 10.0.0.1 V-Access1
 S 10.0.0.2 V-Access2
 B 192.168.1.0/24 via 10.0.0.1
 B 192.168.2.0/24 via 10.0.0.2

Spoke 1 and Spoke 2 routing tables: unchanged from the previous slide (S 10.0.0.254/32 Tunnel0 dist. 210, S 10.0.0.253/32 Tunnel1 dist. 210, B 192.168.0.0/16 via 10.0.0.254 dist. 200), so the spokes still point at Hub 1.
We have achieved High-Availability

Hub 2 tracking configuration:
track timer msec 500
track 1 ip route 1.0.0.1 255.255.255.255 reachability
track 2 list boolean and
 object 1 not
!
ip route 10.0.0.254 255.255.255.255 Null0 tag 2 track 2

Timing annotations on the slide: "Almost immediate", "Takes ~1s", "Depends on # of spokes".

Hub 2 routing table:
 C 10.0.0.253 Loopback0
 C 192.168.100.0/24 Eth0
 S 192.168.0.0/16 Tunnel100 tag 2
 S 10.0.0.0/8 Null0 tag 2
 S 1.0.0.2/32 Null0 tag 2
 B 1.0.0.1/32 Tunnel100
 S 10.0.0.1 V-Access1
 S 10.0.0.2 V-Access2
 B 192.168.1.0/24 via 10.0.0.1
 B 192.168.2.0/24 via 10.0.0.2
 S 10.0.0.254/32 Null0 tag 2 track 2

Spoke 1 routing table:
 C 192.168.1.0/24 Eth0
 C 10.0.0.1 Tunnel0
 S 0.0.0.0/0 Dialer0
 S 10.0.0.254/32 Tunnel0 dist. 210   (removed because an exact match with lower admin distance exists)
 S 10.0.0.253/32 Tunnel1 dist. 210
 B 192.168.0.0/16 via 10.0.0.254 dist. 200
 B 10.0.0.254/32 via 10.0.0.253 dist. 200

Spoke 2 routing table:
 C 192.168.2.0/24 Eth0
 C 10.0.0.2 Tunnel1
 S 0.0.0.0/0 Dialer0
 S 10.0.0.254/32 Tunnel0 dist. 210   (removed because an exact match with lower admin distance exists)
 S 10.0.0.253/32 Tunnel1 dist. 210
 B 192.168.0.0/16 via 10.0.0.254 dist. 200
 B 10.0.0.254/32 via 10.0.0.253 dist. 200
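The failover mechanism of the "Spokes Connect", "Say Hub 1 Crashed…" and "We have achieved High-Availability" slides, as an added example (not code from the presentation): a spoke holds the hub overlay addresses from IKEv2 at distance 210 and BGP routes at distance 200; Hub 2 tracks Hub 1's dummy prefix 1.0.0.1/32 and, once it disappears, installs the tag 2 Null0 route for 10.0.0.254/32, which BGP carries to the spokes and which then beats the IKEv2 route to the dead hub. Addresses, tags and distances are from the slides; the RIB, tracking and redistribution logic is a simplified assumption.

```python
"""Model of admin-distance based hub failover in the routed-redundancy design."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    code: str       # "C" connected, "S" static / IKEv2-installed, "B" BGP
    prefix: object  # ip_network
    via: str        # exit interface or BGP next hop
    distance: int
    tag: int = 0


class Rib:
    """Per prefix, the route with the lowest administrative distance wins; a
    destination lookup then takes the longest matching winner."""

    def __init__(self, routes=()):
        self.routes = list(routes)

    def best(self):
        best = {}
        for r in self.routes:
            cur = best.get(r.prefix)
            if cur is None or r.distance < cur.distance:
                best[r.prefix] = r
        return best

    def lookup(self, dst):
        d = ip_address(dst)
        cands = [r for r in self.best().values() if d in r.prefix]
        return max(cands, key=lambda r: r.prefix.prefixlen)


def hub2_rib(hub1_alive):
    """Hub 2's table. track 1 follows reachability of 1.0.0.1 (Hub 1's dummy prefix,
    learned over the BFD-protected inter-hub BGP session); track 2 is NOT track 1, so
    the Null0 route for Hub 1's overlay address exists only while Hub 1 is gone."""
    rib = Rib([
        Route("C", ip_network("10.0.0.253/32"), "Loopback0", 0),
        Route("S", ip_network("192.168.0.0/16"), "Null0", 1, tag=2),
        Route("S", ip_network("10.0.0.0/8"), "Null0", 1, tag=2),
        Route("S", ip_network("1.0.0.2/32"), "Null0", 1, tag=2),
    ])
    if hub1_alive:
        rib.routes.append(Route("B", ip_network("1.0.0.1/32"), "Tunnel100", 200))
    track1_up = any(r.prefix == ip_network("1.0.0.1/32") for r in rib.routes)
    track2_up = not track1_up
    if track2_up:
        rib.routes.append(Route("S", ip_network("10.0.0.254/32"), "Null0", 1, tag=2))
    return rib


def redistribute_tag2(rib):
    """route-map TAG2 / match tag 2: only tagged statics are redistributed into BGP."""
    return [r for r in rib.routes if r.code == "S" and r.tag == 2]


def spoke_rib(hub1_alive):
    """A spoke with tunnels to both hubs. IKEv2-learned hub addresses get distance 210
    (route accept any distance 210); BGP routes, advertised by the hubs with
    next-hop-self, get distance 200."""
    rib = Rib([
        Route("C", ip_network("10.0.0.1/32"), "Tunnel0", 0),
        Route("S", ip_network("0.0.0.0/0"), "Dialer0", 1),
        Route("S", ip_network("10.0.0.254/32"), "Tunnel0", 210),   # Hub 1, from IKEv2
        Route("S", ip_network("10.0.0.253/32"), "Tunnel1", 210),   # Hub 2, from IKEv2
    ])
    if hub1_alive:   # summary learned from Hub 1 over the BGP session via Tunnel0
        rib.routes.append(Route("B", ip_network("192.168.0.0/16"), "10.0.0.254", 200))
    for r in redistribute_tag2(hub2_rib(hub1_alive)):
        rib.routes.append(Route("B", r.prefix, "10.0.0.253", 200))
    return rib


def hub1_path(hub1_alive):
    """How the spoke reaches Hub 1's overlay address 10.0.0.254 in either state."""
    r = spoke_rib(hub1_alive).lookup("10.0.0.254")
    return f"{r.code} {r.prefix} via {r.via} dist {r.distance}"
```

While Hub 1 is alive the spoke keeps its IKEv2 route to Hub 1 because Hub 2 never advertises 10.0.0.254/32; once Hub 2's tracked Null0 route is redistributed, the BGP route at distance 200 replaces the IKEv2 route at distance 210 without waiting for DPD on the dead tunnel.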
We have achieved High-Availability

[Diagram: same topology and Hub 2 routing table as on the previous slide, including S 10.0.0.254/32 Null0 tag 2 track 2. Annotations: some spokes belong to VRF Blue; some spokes have low bandwidth.]
VRF Injection

[Diagram: hubs (.1, .2) on 192.168.100.0/24; hub private interface(s) in the Inside VRF (light); MPLS IP (hub PE)]

Inside-VRF and Front-VRF

[Diagram]

Inside-VRF and Front-VRF

[Diagram: Layer 4; Tunnel Encapsulation; Post-encapsulation: Tunnel Protection (encrypt)]
QoS in a Nutshell – Hierarchical Shaper
Each Hub V-Access Needs Its Own Policy

[Diagram: Parent Shaper limits total Bandwidth; child policy with Priority Queuing, Bandwidth Reservation and Fair Queuing]
Step 1 – Define Policy Map(s)

class-map Control
 match ip precedence 6
class-map Voice
 match ip precedence 5
!
policy-map SubPolicy
 class Control
  ! 20 Kbps guaranteed to Control
  bandwidth 20
 class Voice
  ! 60% of bandwidth for Voice
  priority percent 60
iVRF + fVRF + QoS + …

[Diagram: Layer 4; routes applied here…]
Heavy Configuration

Dedicated IKEv2 profile per VRF; the FQDN domain is the differentiator:

crypto ikev2 profile BLUE
 match identity remote fqdn domain blue
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
crypto ikev2 profile RED
 match identity remote fqdn domain red
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 2
!
crypto ikev2 profile GREEN
 match identity remote fqdn domain green
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 3

Virtual-Template in VRF, with the loopback in the VRF:

interface virtual-template1 type tunnel
 vrf forwarding BLUE
 ip unnumbered loopback1
 service-policy Gold out
 tunnel protection ipsec profile default
!
interface virtual-template2 type tunnel
 vrf forwarding RED
 ip unnumbered loopback2
 service-policy Gold out
 tunnel protection ipsec profile default
!
interface virtual-template3 type tunnel
 vrf forwarding GREEN
 ip unnumbered loopback3
 service-policy Silver out
 tunnel protection ipsec profile default

Add NHRP, ACLs, …
VRF Injection – Hub Configuration
Option 2: Mapping with AAA group based configuration (group profiles on IOS)

! Profiles on IOS
aaa new-model
aaa authorization network default local
!
! Profile name extracted from the domain name
crypto ikev2 name-mangler dom
 fqdn domain
!
! Common IKEv2 profile
crypto ikev2 profile default
 match identity remote any
 identity local fqdn Hub1.cisco.com
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 dpd 10 2 on-demand
 aaa authorization group cert list default name-mangler dom
 virtual-template 1
!
! Vanilla Virtual-Template
interface virtual-template1 type tunnel
 tunnel protection ipsec profile default
!
aaa attribute list blue
 attribute type interface-config "vrf forwarding BLUE"
 attribute type interface-config "ip unnumbered loopback1"
 attribute type interface-config "service-policy Gold out"
!
crypto ikev2 authorization policy blue
 aaa attribute list blue
 route set interface
!
aaa attribute list red
 attribute type interface-config "vrf forwarding RED"
 attribute type interface-config "ip unnumbered loopback2"
 attribute type interface-config "service-policy Silver out"
!
crypto ikev2 authorization policy red
 aaa attribute list red
 route set interface
!
aaa attribute list green
 attribute type interface-config "vrf forwarding GREEN"
 attribute type interface-config "ip unnumbered loopback3"
 attribute type interface-config "service-policy GOLD out"
!
crypto ikev2 authorization policy green
 aaa attribute list green
 route set interface
VRF Injection – Hub Configuration
Option 3: RADIUS based profiles (group profiles on RADIUS)

Could be per peer profiles or group+peer (derivation).
VRF Injection – Hub Configuration
For both options: BGP and VRF configurations

! Each VRF has its own control section.
vrf definition BLUE
 rd 1:1
 address-family ipv4
 address-family ipv6
!
interface Loopback1
 vrf forwarding BLUE
 ip address 10.0.0.254 255.255.255.255
!
vrf definition RED
 rd 2:2
 address-family ipv4
 address-family ipv6
!
interface Loopback2
 vrf forwarding RED
 ip address 10.0.0.254 255.255.255.255
!
vrf definition GREEN
 rd 3:3
 address-family ipv4
 address-family ipv6
!
interface Loopback3
 vrf forwarding GREEN
 ip address 10.0.0.254 255.255.255.255
!
! Attract summaries and drop non-reachable prefixes
ip route vrf BLUE 10.0.0.0 255.0.0.0 Null0
ip route vrf BLUE 192.168.0.0 255.255.0.0 Null0
ip route vrf RED 10.0.0.0 255.0.0.0 Null0
ip route vrf RED 192.168.0.0 255.255.0.0 Null0
ip route vrf GREEN 10.0.0.0 255.0.0.0 Null0
ip route vrf GREEN 192.168.0.0 255.255.0.0 Null0
!
! BGP dynamic peering. These address ranges can not currently overlap; follow CSCtw69765.
router bgp 1
 bgp listen range 10.1.0.0/16 peer-group BluePeer
 bgp listen range 10.2.0.0/16 peer-group RedPeer
 bgp listen range 10.3.0.0/16 peer-group GreenPeer
 !
 ! Activate each peer group in its corresponding VRF; redistribute the statics above into BGP
 address-family ipv4 vrf BLUE
  redistribute static
  neighbor BluePeer peer-group
  neighbor BluePeer remote-as 1
 exit-address-family
 !
 address-family ipv4 vrf RED
  redistribute static
  neighbor RedPeer peer-group
  neighbor RedPeer remote-as 1
 exit-address-family
 !
 address-family ipv4 vrf GREEN
  redistribute static
  neighbor GreenPeer peer-group
  neighbor GreenPeer remote-as 1
 exit-address-family
VRF Injection – Spoke Configuration
Vanilla IKE and BGP configurations; profiles stored on the RADIUS server.

aaa new-model
aaa authorization network default local
FlexVPN Server Configuration

! RADIUS-based EAP authentication and AAA authorization
aaa new-model
aaa authentication login my-rad group my-rad
aaa authorization network my-rad group my-rad
!
crypto ikev2 profile default
 ! Match on FQDN domain for branches
 match identity remote fqdn domain example.com
 ! Match statements for clients (depending on allowed client types)
 match identity remote {key-id | email | address} ...
 identity local dn
 ! Allow peers to authenticate using either EAP or certificates
 authentication remote rsa-sig
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint my-ca
 ! User authorization using attributes returned during EAP authentication
 aaa authentication eap my-rad
 aaa authorization user eap cached
 ! Branch authorization using RADIUS
 aaa authorization user cert list my-rad
 ! Automatic detection of tunnel mode (pure IPsec tunnel mode for clients,
 ! GRE/IPsec for branches/spokes): no need to specify the tunnel mode
 virtual-template 1 auto mode
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel protection ipsec profile default
RADIUS Server Configuration

Clients can perform password-based or TLS-based EAP authentication (TLS: RADIUS account = CN or UPN).
User attributes returned by RADIUS with successful EAP authentication:

joe  cleartext-password=c1sc0!
     ipsec:addr-pool=blue
     ip:interface-config=vrf forwarding blue
     ip:interface-config=ip unnumbered Loopback1
     ip:interface-config=service-policy output blue-pol
     ip:interface-config=...
Accounting & Change of Authorization
AAA Accounting
Activating AAA Accounting
And why it is a good idea too…

A Good Idea?
• Because it is simple!
• Captures even short lived sessions: event driven vs. polling (e.g. SNMP)
• Reliable protocol (acknowledged): more reliable than SNMP traps
• Maps the identity to the statistics: no more crossing tables (IPID)
• You may need it anyway
  – Authorization, IP pool…

aaa group server radius MyRADIUS
 server-private 192.168.104.101 key cisco
!
aaa accounting network ACCT start-stop group MyRADIUS
!
crypto ikev2 profile default
 match identity remote fqdn domain mycompany.com
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint TP
 aaa authorization group cert list default default
 ! Tell IKEv2 to report session status
 aaa accounting cert ACCT
 virtual-template 1
Demo – AAA CoA
A simplistic configuration
RADIUS based Authentication, Authorization and Accounting
How CoA works

[Diagram: client (.1) and hub (.254) on 192.168.100.0/24. Session is set up; the V-Access is populated (ip access-list 100 in, service-policy Gold out, …) and a unique ID is generated by IOS.]

Accounting

[Diagram: same topology. Session is set up; accounting starts, reporting the unique ID generated by IOS together with the V-Access settings (ip access-list 100 in, service-policy Gold out, …).]

CoA – Packet of Disconnect
Remote clearing of a session. Accounting tells the administrator whether it is worth sending… (session status)

CoA – Change of Authorization
The Real Thing ™

[Diagram: the V-Access policy is changed in place, "service-policy Gold out" becoming "service-policy Silver out" (ip access-list 100 in, …).]
MPLS over FlexVPN
Now Featuring Shortcut Switching

MPLS VPN o Flex
Objective: end-to-end VRF separation
[Diagram: hub with inside network 192.168.100.0/24 and WAN addresses 172.16.1.254 / 172.16.1.253; spokes with LANs 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24]
MPLS VPN o Flex
Going LDP Free
Hub private interface(s) in inside VRF or MPLS
[Diagram: same topology; hub 172.16.1.254 with 192.168.100.0/24 behind it, spoke LANs 192.168.1.0/24 and 192.168.2.0/24]
MPLS VPN o Flex
[Diagram: the same topology with an empty per-VRF forwarding table (columns Prefix, Nxt-hop, Label)]
MPLS VPN o Flex
Hub & Spoke FIB's and LFIB's

Spoke 1 (10.0.0.1, LAN 192.168.1.0/24), Spoke 2 (10.0.0.2, LAN 192.168.2.0/24) and Hub (10.0.0.254, inside network 192.168.100.0/24).

VRF FIBs, first VRF (Red)
  Spoke 1                                Spoke 2                                Hub
  Prefix           Adjacency             Prefix           Adjacency             Prefix           Adjacency
  192.168.1.0/24   Glean (e0)            192.168.2.0/24   Glean (e0)            192.168.1.0/24   10.0.0.1   label 31
  192.168.0.0/16   10.0.0.254  label 30  192.168.0.0/16   10.0.0.254  label 30  192.168.2.0/24   10.0.0.2   label 32

VRF FIBs, second VRF (Blue)
  192.168.1.0/24   Glean (e1)            192.168.2.0/24   Glean (e1)            192.168.1.0/24   10.0.0.1   label 41
  192.168.0.0/16   10.0.0.254  label 40  192.168.0.0/16   10.0.0.254  label 40  192.168.2.0/24   10.0.0.2   label 42

Spoke 1 global FIB
  Prefix           Adjacency
  10.0.0.1/32      For Us (lo0)
  10.0.0.254/32    Impl-Null (Tun0)

IP packet entering Spoke 1 from its LAN: S= 192.168.1.2  D= 192.168.2.2
MPLS VPN o Flex
Packet walk through the hub

Hub VRF Red FIB
  Prefix           Adjacency
  192.168.1.0/24   10.0.0.1   label 31
  192.168.2.0/24   10.0.0.2   label 32
  192.168.0.0/16   Glean (e0)

Hub global FIB
  Prefix           Adjacency
  10.0.0.1/32      Impl-Null (Va1)
  10.0.0.2/32      Impl-Null (Va2)

Packet leaving the hub (172.16.1.254) towards Spoke 2: GRE/IPsec | Label = 32 | IP packet S= 192.168.1.2 D= 192.168.2.2
MPLS VPN o Flex
Packet arriving at Spoke 2 from the hub (172.16.1.254): GRE/IPsec | Label = 32 | IP packet S= 192.168.1.2 D= 192.168.2.2

Spoke 2 VRF Red FIB
  Prefix           Adjacency
  192.168.2.0/24   e0/1
  192.168.0.0/16   10.0.0.254  label 30

After the label is popped, the IP packet (S= 192.168.1.2 D= 192.168.2.2) is delivered on e0/1 in the Red VRF.
MPLS VPN o Flex
Shortcut switching: NHRP Resolution (ReqID 1)

The resolution request for 192.168.2.2 is carried inside the label stack like a data packet: GRE/IPsec | Label 32 (the VRF label associated to 192.168.0.0 in VRF RED) | GAL Label 13 | NHRP Resolution (ReqID 1).

FIB / NHRP entries involved
  Prefix           Adjacency
  10.0.0.1         172.16.1.1
  10.0.0.254       Tunnel0 (Null)
  192.168.2.2      ?
  0.0.0.0/0        Dialer0
  10.0.0.1/32      VAccess1 (Null)
MPLS VPN o Flex
After NHRP resolution: shortcut entry installed on Spoke 1

Spoke 1 VRF Red FIB
  Prefix           Adjacency
  192.168.1.0/24   Glean (e0)
  192.168.0.0/16   10.0.0.254  label 30
  192.168.2.0/24   10.0.0.2    label 32

Spoke 1 global FIB
  Prefix           Adjacency
  10.0.0.254       Tunnel0 (Null)
  0.0.0.0/0        Dialer0
  10.0.0.2/32      VAccess1 (Null)

The IP packet S= 192.168.1.2 D= 192.168.2.2 now matches the more specific 192.168.2.0/24 entry and is sent to 10.0.0.2 directly.
MPLS VPN o Flex
Spoke-to-spoke forwarding over the shortcut

Spoke 1 VRF Red FIB                              Spoke 2 LFIB
  Prefix           Adjacency                       Loc.  Out I/F
  192.168.1.0/24   Glean (e0)                      32    POP vrf RED
  192.168.0.0/16   10.0.0.254  label 30            42    POP vrf BLUE
  192.168.2.0/24   10.0.0.2    label 32

Spoke 1 global FIB                               Spoke 2 VRF Red FIB
  10.0.0.254       Tunnel0 (Null)                  192.168.2.0/24   e0/1
  0.0.0.0/0        Dialer0                         192.168.0.0/16   10.0.0.254  label 30
  10.0.0.2/32      VAccess1 (Null)

On the shortcut: GRE/IPsec | Label = 32 | IP packet S= 192.168.1.2 D= 192.168.2.2. Spoke 2 pops label 32 into VRF RED and delivers the IP packet on e0/1; the hub (172.16.1.254) is no longer in the path.
Hub VRF's & IKEv2 Profile
Detailed view

vrf definition Blue
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 address-family ipv4
 address-family ipv6
vrf definition Red
 rd 2:2
 route-target export 2:2
 route-target import 2:2
 address-family ipv4
 address-family ipv6
!
! A vanilla IKEv2 profile
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn hub1.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1

Route-Targets allow BGP to map VRF prefixes between peers.
Hub Routing
BGP and Interfaces

ip route 0.0.0.0 0.0.0.0 172.16.1.2
ip route vrf Blue 192.168.0.0 255.255.0.0 Null0
ip route vrf Red 192.168.0.0 255.255.0.0 Null0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect          ! activate NHRP redirects
 mpls nhrp                 ! give NHRP control over MPLS
 tunnel protection ipsec profile default
!
interface Ethernet0/0
 ip address 172.16.1.254 255.255.255.0
!
interface Loopback0
 ip address 10.0.0.254 255.255.255.255
!
router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/16 peer-group Flex
 neighbor Flex peer-group
 neighbor Flex remote-as 1
 neighbor Flex timers 5 15
 address-family vpnv4
  neighbor Flex activate
  neighbor Flex send-community extended
 address-family ipv4 vrf Blue
  network 192.168.0.0 mask 255.255.0.0
 address-family ipv4 vrf Red
  network 192.168.0.0 mask 255.255.0.0
Spoke VRF's and Interfaces
Detailed view

vrf definition Blue
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 address-family ipv4
 address-family ipv6
vrf definition Red
 rd 2:2
 route-target export 2:2
 route-target import 2:2
 address-family ipv4
 address-family ipv6
!
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com     ! matches both hubs
 identity local fqdn R2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default

Mind the Hub-Spoke route-target correspondence.
Spoke Routing Configuration
BGP and Static Routes

ip route 0.0.0.0 0.0.0.0 172.16.2.2
!
interface Tunnel0
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 mpls nhrp                 ! same as on Hub: start MPLS forwarding without LDP
 tunnel source Ethernet0/0
 tunnel destination 172.16.1.254
 tunnel protection ipsec profile default
!
interface Tunnel1
 (same as Tunnel0 – points to hub 2)
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 mpls nhrp
 tunnel protection ipsec profile default
!
interface Ethernet0/0        ! WAN interface can be in Front VRF
 ip address 172.16.2.1 255.255.255.0
!
interface Loopback0          ! tunnels and Loopback in Global Routing Table
 ip address 10.0.0.2 255.255.255.255
!
router bgp 1
 bgp log-neighbor-changes
 neighbor Flex peer-group
 neighbor Flex remote-as 1
 neighbor Flex timers 5 15
 neighbor 10.0.0.253 peer-group Flex
 neighbor 10.0.0.254 peer-group Flex
 address-family vpnv4         ! activate VPNv4
  neighbor Flex send-community extended
  neighbor 10.0.0.253 activate
  neighbor 10.0.0.254 activate
 address-family ipv4 vrf Blue ! advertise each VRF
  redistribute connected
  maximum-paths ibgp 2
 address-family ipv4 vrf Red
  redistribute connected
  maximum-paths ibgp 2
Hub FIB and LFIB

Hub1#show ip cef vrf Red detail | s label
192.168.2.0/24, epoch 0, flags rib defined all labels
  recursive via 10.0.0.2 label 16
    attached to Virtual-Access2
192.168.3.0/24, epoch 0, flags rib defined all labels
  recursive via 10.0.0.3 label 16
    attached to Virtual-Access1

Hub1#show ip cef vrf Blue detail | s label
192.168.2.0/24, epoch 0, flags rib defined all labels
  recursive via 10.0.0.2 label 17
    attached to Virtual-Access2
192.168.3.0/24, epoch 0, flags rib defined all labels
  recursive via 10.0.0.3 label 17
    attached to Virtual-Access1

Hub1#show mpls forwarding-table
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
16         Pop Label  IPv4 VRF[V]      0             aggregate/Red
17         Pop Label  IPv4 VRF[V]      0             aggregate/Blue
Spoke FIB and LFIB

Spoke1#show ip cef vrf Red detail | s label
192.168.0.0/16, epoch 0, flags rib defined all labels, per-destination sharing
  recursive via 10.0.0.253 label 16
    attached to Tunnel1
  recursive via 10.0.0.254 label 16
    attached to Tunnel0

Spoke1#show ip cef vrf Blue detail | s label
192.168.0.0/16, epoch 0, flags rib defined all labels, per-destination sharing
  recursive via 10.0.0.253 label 17
    attached to Tunnel1
  recursive via 10.0.0.254 label 17
    attached to Tunnel0

Spoke1#show mpls forwarding-table
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
16         Pop Label  IPv4 VRF[V]      0             aggregate/Red
17         Pop Label  IPv4 VRF[V]      0             aggregate/Blue
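The FIB/LFIB walk of the MPLS-over-FlexVPN slides, as an added Python model that is not Cisco code: each node holds per-VRF FIBs and an LFIB of "POP vrf" aggregate labels, a packet is pushed with the remote node's VRF label, popped into that VRF, and looked up again; an NHRP shortcut entry is then installed on Spoke 1 so the hub drops out of the path. Addresses and labels (30/31/32 Red, 40/41/42 Blue) follow the slides; the class and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    loopback: str
    # LFIB as on the slides: incoming label -> "POP vrf <name>"
    lfib: dict = field(default_factory=dict)
    # Per-VRF FIB: vrf -> [(prefix, next-hop loopback or None, out label or None, interface)]
    # next-hop None means the prefix is directly attached ("Glean").
    vrf_fib: dict = field(default_factory=dict)

    def lookup(self, vrf, dst):
        """Longest-prefix match in one VRF FIB (None when the VRF has no route)."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, nh, label, iface in self.vrf_fib.get(vrf, []):
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, label, iface)
        return best

    def install_shortcut(self, vrf, prefix, nh, label):
        """What NHRP resolution does on the spoke: a more specific entry pointing at
        the remote spoke's loopback and its VRF label, so the hub is bypassed."""
        self.vrf_fib.setdefault(vrf, []).append((prefix, nh, label, "Virtual-Access1"))


def forward(nodes, ingress, vrf, src, dst, max_hops=8):
    """Walk a packet through the overlay. Returns the hop trace and the final
    (node, vrf, interface) where it is delivered, or None if it is dropped."""
    by_loopback = {n.loopback: n for n in nodes.values()}
    node, trace = nodes[ingress], []
    for _ in range(max_hops):
        route = node.lookup(vrf, dst)
        if route is None:
            trace.append((node.name, vrf, "drop: no route"))
            return trace, None
        net, nh, label, iface = route
        if nh is None:                       # Glean: destination is on a local LAN
            trace.append((node.name, vrf, f"deliver on {iface}"))
            return trace, (node.name, vrf, iface)
        # Push the remote node's aggregate label for this VRF, GRE/IPsec to its loopback
        trace.append((node.name, vrf, f"push label {label} -> {nh} via {iface}"))
        node = by_loopback[nh]
        # The receiving node pops the label and lands in the VRF the label stands for
        popped_vrf = node.lfib.get(label)
        if popped_vrf is None:
            trace.append((node.name, None, f"drop: unknown label {label}"))
            return trace, None
        vrf = popped_vrf
        trace.append((node.name, vrf, f"pop label {label}"))
    trace.append((node.name, vrf, "drop: hop limit"))
    return trace, None


def build_topology():
    """Hub 10.0.0.254 and two spokes with the labels used on the slides
    (Red: 30 hub, 31 spoke1, 32 spoke2; Blue: 40/41/42)."""
    hub = Node("hub", "10.0.0.254", lfib={30: "Red", 40: "Blue"})
    s1 = Node("spoke1", "10.0.0.1", lfib={31: "Red", 41: "Blue"})
    s2 = Node("spoke2", "10.0.0.2", lfib={32: "Red", 42: "Blue"})
    for vrf, lan_if, (hl, s1l, s2l) in (("Red", "e0", (30, 31, 32)), ("Blue", "e1", (40, 41, 42))):
        s1.vrf_fib[vrf] = [("192.168.1.0/24", None, None, lan_if),
                           ("192.168.0.0/16", "10.0.0.254", hl, "Tunnel0")]
        s2.vrf_fib[vrf] = [("192.168.2.0/24", None, None, lan_if),
                           ("192.168.0.0/16", "10.0.0.254", hl, "Tunnel0")]
        hub.vrf_fib[vrf] = [("192.168.1.0/24", "10.0.0.1", s1l, "Virtual-Access1"),
                            ("192.168.2.0/24", "10.0.0.2", s2l, "Virtual-Access2")]
    return {"hub": hub, "spoke1": s1, "spoke2": s2}


if __name__ == "__main__":
    nodes = build_topology()
    for vrf in ("Red", "Blue"):
        trace, where = forward(nodes, "spoke1", vrf, "192.168.1.2", "192.168.2.2")
        print(vrf, "via hub:", where, trace)
    nodes["spoke1"].install_shortcut("Red", "192.168.2.0/24", "10.0.0.2", 32)
    print("Red after NHRP shortcut:", forward(nodes, "spoke1", "Red", "192.168.1.2", "192.168.2.2"))
```

The same destination 192.168.2.2 reaches e0 or e1 on Spoke 2 depending only on which VRF label was pushed, which is the end-to-end separation the section is after.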
Non-Routed Backup Mechanisms

FlexVPN Backup Peers (1)
Tunnels are set up to a primary Hub
[Diagram: hubs at 172.16.0.1 and 172.16.0.2 in front of 192.168.100.0/24, spoke tunnel to Hub 1]

FlexVPN Backup Peers (2)
Hub 1 fails
[Diagram: same topology with Hub 1 down]

Also works with Routing
FlexVPN Downloadable Backup Peer List

Static Peer List (Locally Configured)      Downloadable Peer List
  Seq 10: Peer 1                             Seq 10: Peer 2.1
  Seq 20: Peer 2                             Seq 20: Peer 2.2
  Seq 30: Peer 3

• Peer 1 is selected initially (sequence number based)
• If Peer 1 fails, Peer 2 is selected (sequence number based)
• Upon connection to Peer 2, a downloadable peer list is received
• Upon failure of Peer 2, Peer 2.1 then 2.2 are selected (part of downloadable peer list)
FlexVPN Backup – Re-activation of Primary Peer
Allow re-establishing the tunnel directly to the preferred peer as soon as it is available again
Trackers are required for this feature

track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
track 3 ip sla 3 reachability
!
crypto ikev2 client flexvpn remote1
 peer 1 10.0.0.1 track 1
 peer 2 10.0.0.2 track 2
 peer 3 10.0.0.3 track 3
 peer reactivate
 client connect Tunnel0
!
interface Tunnel0
 ip address negotiated
 …
 tunnel destination dynamic
 …

[Diagram: client with Tunnel0 towards hubs 10.0.0.1, 10.0.0.2 and 10.0.0.3]
FlexVPN Backup Groups
• Warrant that a peer belonging to different peer-lists in the same backup group is never active in multiple peer-lists at a given time

crypto ikev2 client flexvpn remote1
 peer 1 10.0.0.1
 peer 2 10.0.0.2
 peer 3 10.0.0.3
 backup group 1
 client connect Tunnel0
crypto ikev2 client flexvpn remote2
 peer 1 10.0.0.1
 peer 2 10.0.0.2
 peer 3 10.0.0.3
 backup group 1
 client connect Tunnel1
!
interface Tunnel0
 ip address negotiated
 …
 tunnel destination dynamic
 …
interface Tunnel1
 ip address negotiated
 …
 tunnel destination dynamic
 …

[Diagram: Client with Tu0 over Service Provider 1 and Tu1 over Service Provider 2 towards Hub 1 (10.0.0.1), Hub 2 (10.0.0.2) and Hub 3 (10.0.0.3)]
FlexVPN Backup Groups (continued)
With remote1 active on 10.0.0.1 over Tunnel0, 10.0.0.1 cannot be used by remote2 (Tunnel1): it is already active in the remote1 peer-list from the same group.
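The selection rules of the Downloadable Backup Peer List, Re-activation of Primary Peer and Backup Groups slides, as an added Python model (not Cisco code): lowest sequence number first, fall through on failure, a downloaded list takes precedence until exhausted, `peer reactivate` returns to the preferred hub when its tracker comes back, and a backup group keeps one hub from being active in two peer-lists at once. Class names, the addresses 10.0.0.21/10.0.0.22 standing for Peer 2.1/2.2, and the behaviour once a downloaded list is exhausted (marked in the code) are this example's own assumptions.

```python
class BackupGroupRegistry:
    """Tracks which hub each client of a backup group is connected to, so one
    hub is never active in two peer-lists of the same group at the same time."""
    def __init__(self):
        self.active = {}                          # (group, client) -> peer address

    def in_use(self, group, client, peer):
        return any(p == peer for (g, c), p in self.active.items()
                   if g == group and c != client)

    def set_active(self, group, client, peer):
        if peer is None:
            self.active.pop((group, client), None)
        else:
            self.active[(group, client)] = peer


class FlexVpnClient:
    def __init__(self, name, peers, registry=None, backup_group=None, reactivate=False):
        self.name = name
        self.static_peers = dict(sorted(peers.items()))   # seq -> (address, track id | None)
        self.downloaded = None                            # list pushed by the connected hub
        self.registry, self.group = registry, backup_group
        self.reactivate = reactivate                      # "peer reactivate"
        self.tracks = {}                                  # track id -> reachable?
        self.failed = set()                               # peers declared dead (e.g. by DPD)
        self.active = None

    def _usable(self, addr, track):
        if addr in self.failed or self.tracks.get(track) is False:
            return False
        return not (self.registry and self.group is not None
                    and self.registry.in_use(self.group, self.name, addr))

    def _first_usable(self, peers):
        for _seq, (addr, track) in peers.items():         # lowest sequence number first
            if self._usable(addr, track):
                return addr
        return None

    def _activate(self, peer):
        self.active = peer
        if self.registry and self.group is not None:
            self.registry.set_active(self.group, self.name, peer)
        return peer

    def connect(self):
        """Pick the best available peer; None when every list is exhausted."""
        peer = self._first_usable(self.downloaded) if self.downloaded else None
        if peer is None:
            # Assumption of this model: once a downloaded list is exhausted the client
            # returns to its locally configured list (the slide stops at Peer 2.2).
            self.downloaded = None
            peer = self._first_usable(self.static_peers)
        return self._activate(peer)

    def receive_peer_list(self, peers):
        """Downloadable peer list received upon connection to the current hub."""
        self.downloaded = dict(sorted(peers.items()))

    def peer_failed(self):
        """The active peer stopped answering: mark it and fall through the list."""
        self.failed.add(self.active)
        return self.connect()

    def track_change(self, track, reachable):
        """IP SLA tracker update for the peers configured with 'track <id>'."""
        self.tracks[track] = reachable
        tracked = {a for a, t in self.static_peers.values() if t == track}
        if not reachable and self.active in tracked:
            return self.connect()                         # active hub lost: fail over
        if reachable:
            self.failed -= tracked
            preferred = self._first_usable(self.static_peers)
            if self.reactivate and preferred != self.active:
                self.downloaded = None                    # straight back to the preferred hub
                return self._activate(preferred)
        return self.active


if __name__ == "__main__":
    reg = BackupGroupRegistry()
    hubs = {1: ("10.0.0.1", 1), 2: ("10.0.0.2", 2), 3: ("10.0.0.3", 3)}
    remote1 = FlexVpnClient("remote1", hubs, reg, backup_group=1, reactivate=True)
    remote2 = FlexVpnClient("remote2", hubs, reg, backup_group=1)
    print("remote1 ->", remote1.connect(), "| remote2 ->", remote2.connect())
    print("remote1 after track 1 down ->", remote1.track_change(1, False))
    remote1.receive_peer_list({10: ("10.0.0.21", None), 20: ("10.0.0.22", None)})
    print("remote1 after failures ->", remote1.peer_failed(), remote1.peer_failed())
    print("remote1 after track 1 up ->", remote1.track_change(1, True))
```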
FlexVPN Tunnel Pivot
• Use when different Service Providers are used to connect to the remote host

interface Tunnel0
 ip address negotiated
 …
 tunnel source dynamic
 tunnel destination dynamic
 …

[Diagram: Client and Hub connected over different Service Providers; client interface FastE2/0 towards Service Provider 2]
FlexVPN Load Balancer

FlexVPN Load-Balancer Bootstrap
On Hub 1:
*Nov 20 12:43:58.488: %CLB-6-CLB_SLAVE_CONNECTED: Slave 10.0.0.13 connected.
*Nov 20 12:43:58.493: %CLB-6-CLB_SLAVE_CONNECTED: Slave 10.0.0.12 connected.
FlexVPN Load-Balancer Client Connection
1. Client sends IKE SA_INIT with REDIRECT_SUPPORTED to the VIP (.5)
2. CLB Master selects the LLG (Hub 3)
3. CLB Master sends a redirect to the client, pointing it to Hub 3
[Diagram: hubs on the 10.0.0.0/24 LAN behind the VIP, client on the WAN]
FlexVPN Load-Balancer – Hub 1 Configuration
• Configuration of slave hubs is almost identical (except HSRP priority)!

crypto ikev2 redirect gateway init    ! activates the sending of IKEv2 redirects during SA_INIT
!
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Hub1.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
crypto ikev2 authorization policy default
 route set interface
!
crypto ikev2 cluster
 standby-group vpngw                  ! HSRP group name must match the IKEv2 cluster configuration
 slave max-session 10
 no shutdown
!
interface Ethernet0/0
 ip address 10.0.0.11 255.255.255.0
 standby 1 ip 10.0.0.5
 standby 1 name vpngw
!
interface Loopback0
 ip address 172.16.1.11 255.255.255.0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip mtu 1400
 tunnel source Ethernet1/0
 tunnel protection ipsec profile default
FlexVPN Load-Balancer – Client Configuration

crypto ikev2 authorization policy default
 route set interface
!
crypto ikev2 redirect client max-redirects 10   ! activates IKEv2 redirection support and limits the redirect count (DoS prevention)
!
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Spoke2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
crypto ikev2 client flexvpn VPN_LB
 peer 1 10.0.0.5
 client connect Tunnel0
!
interface Tunnel0
 ip address 172.16.1.100 255.255.255.0
 ip mtu 1400
 tunnel source Ethernet0/0
 tunnel destination dynamic
 tunnel protection ipsec profile default
FlexVPN Load-Balancer
• Redirects inbound IKEv2 negotiation to the Least Loaded Gateway (LLG)
• Implements RFC 5685
• Redirect is performed during IKEv2 SA_INIT or IKE_AUTH
• Relies on HSRP for device failure detection and master selection
• Relies on the Cisco Load Balancing (CLB) protocol (TCP/2012) to report load to the cluster master
• Available since 15.2(4)M
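The redirect exchange of the load-balancer slides, as an added Python model (not Cisco code): the HSRP master answers IKE_SA_INIT on the VIP with an RFC 5685 REDIRECT to the least loaded gateway when the client advertised REDIRECT_SUPPORTED, using the session counts the slaves report over CLB, and the client stops following redirects once `max-redirects` is exceeded. Class names, the message dicts and the looping responder used to exercise the cap are this example's own; the capacity 10 mirrors `slave max-session 10`.

```python
from dataclasses import dataclass, field

# RFC 5685 notify payload names used in the exchange
REDIRECT_SUPPORTED = "REDIRECT_SUPPORTED"
REDIRECT = "REDIRECT"


def sa_init_reply(sender, redirect_to=None):
    """Responder half of IKE_SA_INIT; carries a REDIRECT notify when asked to."""
    notify = {REDIRECT: redirect_to} if redirect_to else {}
    return {"exchange": "IKE_SA_INIT", "from": sender, "notify": notify}


@dataclass
class ClusterMaster:
    """HSRP active hub owning the virtual IP; receives load reports over CLB."""
    vip: str
    own: str                                        # its real address, e.g. Hub 1
    loads: dict = field(default_factory=dict)       # gateway -> (sessions, max_session)

    def clb_report(self, gateway, sessions, max_session=10):
        """A slave (or the master itself) reports its session count."""
        self.loads[gateway] = (sessions, max_session)

    def least_loaded(self):
        """LLG: fewest sessions among gateways still below 'slave max-session'."""
        free = [(s, g) for g, (s, m) in self.loads.items() if s < m]
        return min(free)[1] if free else None

    def handle_sa_init(self, msg):
        llg = self.least_loaded()
        if REDIRECT_SUPPORTED in msg["notify"] and llg not in (None, self.own):
            return sa_init_reply(self.vip, redirect_to=llg)
        return sa_init_reply(self.vip)              # serve the client on this hub


@dataclass
class Gateway:
    """A slave hub: completes IKE_SA_INIT for whoever is redirected to it."""
    address: str

    def handle_sa_init(self, msg):
        return sa_init_reply(self.address)


@dataclass
class LoopingResponder:
    """Misconfigured (or hostile) responder that redirects every client elsewhere;
    only here to show why the client caps the number of redirects it follows."""
    address: str
    target: str

    def handle_sa_init(self, msg):
        return sa_init_reply(self.address, redirect_to=self.target)


@dataclass
class FlexClient:
    peer: str                          # "peer 1 10.0.0.5": the cluster VIP
    max_redirects: int = 10            # "crypto ikev2 redirect client max-redirects 10"
    redirects: int = 0
    log: list = field(default_factory=list)

    def negotiate(self, network, supports_redirect=True):
        """Send IKE_SA_INIT and follow REDIRECT notifies until a gateway accepts.
        Returns the gateway the SA ends on, or None when the limit is exceeded."""
        notify = {REDIRECT_SUPPORTED: None} if supports_redirect else {}
        target = self.peer
        while True:
            responder = network.get(target)
            if responder is None:
                self.log.append(f"no responder at {target}")
                return None
            reply = responder.handle_sa_init({"exchange": "IKE_SA_INIT", "to": target, "notify": notify})
            redirect_to = reply["notify"].get(REDIRECT)
            if redirect_to is None:
                self.log.append(f"IKE_SA_INIT completed with {target}")
                return target
            self.redirects += 1
            if self.redirects > self.max_redirects:
                self.log.append(f"redirect limit {self.max_redirects} exceeded, giving up")
                return None
            self.log.append(f"redirected by {target} to {redirect_to}")
            target = redirect_to


if __name__ == "__main__":
    master = ClusterMaster(vip="10.0.0.5", own="10.0.0.11")
    for hub, sessions in (("10.0.0.11", 4), ("10.0.0.12", 3), ("10.0.0.13", 1)):
        master.clb_report(hub, sessions)           # constructed CLB load reports
    net = {"10.0.0.5": master, "10.0.0.12": Gateway("10.0.0.12"), "10.0.0.13": Gateway("10.0.0.13")}
    client = FlexClient(peer="10.0.0.5")
    print(client.negotiate(net), client.log)
```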
IPv6 ?
Site-to-site configuration
IPv6 and OSPF
[Diagram: 2001:db8:beef::/64 behind 172.16.1.1 and 2001:db8:cafe::/64 behind 172.16.2.1]
Routing IPv6 with IKEv2 or BGP
One peering, for both IPv4 and IPv6

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Hub1.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 …
 virtual-template 1
!
crypto ikev2 authorization policy default
 route set remote ipv6 2001::/64
 route set remote ipv6 2002::/64

router bgp 1
 bgp log-neighbor-changes
 bgp listen range 1.1.1.0/24 peer-group Flex
 neighbor Flex peer-group
 neighbor Flex remote-as 1
 !
 address-family ipv4
  redistribute static route-map rm
  neighbor Flex activate
 exit-address-family
 !
 address-family ipv6
  redistribute static route-map rm
  neighbor Flex activate
 exit-address-family
Tunnel modes made easy
crypto ikev2 profile prof1
 …
 virtual-template 1
interface Virtual-Template1 type tunnel
 …
 tunnel mode ipsec ipv4
IPv6-only Experimental SSID (with NAT64)
SSID: IPV6ONLYEXP
PASS: iknowbesteffort
Addressing: SLAAC + stateless DHCPv6
Offsite NAT64 (Thanks to Go6 Institute)
Questions/support: @ayourtch
Hashtag: #IPV6ONLYEXP
SLA: it’s in the password
Before we part…

Route Exchange Protocol Selection (Branch-Hub use case)

IKEv2
• Simple, large scale
• Static (no redistribution IGP ↔ IKE)
• Simple branches (< 20 prefixes)
• Identity-based route filtering
• Lossy networks
• High density hubs

BGP
• Simple to complex, large scale
• Dynamic (redistribution IGP ↔ BGP)
• Complex branches (> 20 prefixes)
• Powerful route filtering – not identity based
• Lossy networks
• High density hubs, up to 350K routes

EIGRP
• Simple to complex; not recommended at large scale
• Dynamic (redistribution IGP ↔ IGP)
• Semi-complex branches (> 20 prefixes)
• Intermediate route filtering – not identity based
• Lossless networks (very rare)
• < 5000 prefixes at hub
High-End Scalability & performances – 3.12+
Bump from 4,000 to 10,000 spokes/hub with FlexVPN in 3.12 (RP2 only)
3.12+ ISR 4451 ASR 1001 ASR 1001-X ASR 1002-X ASR 1000 ASR 1000 ASR 1000 ASR 1000 ASR 1000 ASR 1000
w/out QoS ESP5 ESP10 ESP20 ESP40 ESP100 ESP200
Throughput 1.2 / 1.8 / 1 Gbps 1.8 / 1 Gbps 4 / 4 Gbps 1.8 / 1 Gbps 4 / 2.5 Gbps 7 / 6 Gbps 11 / 7.4 29 / 16 59 / 78
(Max / IMIX) 0.8Gbps Gbps Gbps Gbps
Max 2,000 4,000 4,000 10,000 4,000 4,000 10,000 10,000 10,000 10,000
tunnels (RP2) RP1: 1,000 RP1: 1,000 RP1: 1,000
EIGRP 2,000 4,000 4,000 4,000 4,000 4,000 4,000 4,000 4,000 4,000
1000 1000 1000 1000 1000 1000 1000 1000 1000 1000
neighbors recommended recommended recommended recommended recommended recommended recommended recommended recommended recommended
IKE 2,000 4,000 4,000 10,000 4,000 4,000 10,000 10,000 10,000 10,000
Routing
BGP 2,000 4,000 4,000 10,000 4,000 4,000 10,000 10,000 10,000 10,000
neighbors
QoS 10% crypto 16K Q 16K Q 128K Q 128K Q 128K Q 128K Q 128K Q 128K Q 128K Q
throughput No crypto No crypto No crypto No crypto No crypto No crypto No crypto No crypto No crypto
decrease impact impact impact impact impact impact impact impact impact
(*) (*)
FlexVPN - ISR G2 Scalability

Platform   SEC-K9 Recommended   SEC-K9 Max   SEC-K9 + HSEC-K9 Recommended   SEC-K9 + HSEC-K9 Max
3945E      Up to 225            Up to 225    Up to 2000                     Up to 3000
3925E      Up to 225            Up to 225    Up to 1500                     Up to 3000
3945       Up to 225            Up to 225    Up to 1000                     Up to 2000
3925       Up to 225            Up to 225    Up to 750                      Up to 1500
2951       Up to 225            Up to 225    Up to 500                      Up to 1000
2921       Up to 225            Up to 225    Up to 400                      Up to 900
2911       Up to 225            Up to 225    –                              –
2901       Up to 150            Up to 225    –                              –
1941       Up to 150            Up to 225    –                              –
1921       TBD                  TBD          –                              –

2911 and below: the HSEC-K9 license does not apply since the max. encrypted tunnel count is below the restricted limits.
FlexVPN - ISR G2 Performances
(75% CPU, IMIX, IPsec/AES, single tunnel)

Platform   SEC-K9 Recommended (Mbps)   SEC-K9 Max (Mbps)   SEC-K9 + HSEC-K9 Recommended (Mbps)   SEC-K9 + HSEC-K9 Max (Mbps)
3945E      Up to 170                   Up to 170           Up to 670                             Up to 1503
3925E      Up to 170                   Up to 170           Up to 477                             Up to 1497
3945       Up to 170                   Up to 170           Up to 179                             Up to 848
3925       Up to 154                   Up to 170           Up to 154                             Up to 770
2951       Up to 103                   Up to 170           Up to 103                             Up to 228
2921       Up to 72                    Up to 170           Up to 72                              Up to 207
2911       Up to 61                    Up to 164           –                                     –
2901       Up to 53                    Up to 154           –                                     –
1941       Up to 48                    Up to 156           –                                     –
1921       Up to 44                    N/A                 –                                     –
891        Up to 66                    N/A                 –                                     –

2911 and below: the HSEC-K9 license does not apply since the max. encrypted tunnel count is below the restricted limits.
Complete Your Online Session Evaluation
• Please complete your online session evaluations after each session.
• Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
Multicast over FlexVPN
Focusing on a single VRF
• Sources can be in several places: source behind Hub, source behind Spoke
• Hub private interface(s) in Inside VRF (light)
• No VRF on spokes (for this example)
• Source behind spoke is our focus now
[Diagram: hub LAN 192.168.100.0/24 with a source behind the hub; spoke LANs 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 and 192.168.4.0/24, with a source behind a spoke]
PIM Sparse-Mode Overview
Focus on a pair of spokes and source behind spoke
[Diagram: two hubs (10.0.0.254 and 10.0.0.253) in front of 192.168.100.0/24, both carrying the Anycast Rendez-Vous Point address 10.0.0.252, each with V-A 1 and V-A 2 towards the two spokes; client 192.168.2.2 on 192.168.2.0/24, source 192.168.3.2 on 192.168.3.0/24]
PIM Sparse-Mode Overview
The Unicast Routing Table and MuRIB

Left side (hub 10.0.0.254, anycast RP 10.0.0.252)     Right side (hub 10.0.0.253, anycast RP 10.0.0.252)
  S  10.0.0.2          V-Access 1                        S  10.0.0.2          V-Access 1
  S  10.0.0.252
  S  10.0.0.3          V-Access 2                        S  10.0.0.3          V-Access 2
  B  192.168.2.0/24    10.0.0.2                          B  192.168.2.0/24    10.0.0.2
  B  192.168.3.0/24    10.0.0.3                          B  192.168.3.0/24    10.0.0.3
  S  192.168.0.0/16    Tunnel 100                        S  192.168.0.0/16    Tunnel 100
  S  10.0.0.0/8        Tunnel 100                        S  10.0.0.0/8        Tunnel 100

[Diagram: spoke LAN 192.168.3.0/24 with 192.168.3.1 and source 192.168.3.2]
PIM Sparse-Mode Overview
PIM Join

1. Client 192.168.2.2 sends an IGMP Join for 239.0.0.1 on 192.168.2.0/24.
2. Spoke 1 (10.0.0.2) does an RPF lookup for the RP 10.0.0.252: it resolves to Tunnel0, RPF neighbour 10.0.0.254.
3. Spoke 1 sends a PIM Join for 239.0.0.1 over Tunnel0.

Hub (10.0.0.254, anycast RP 10.0.0.252):
(*, 239.0.0.1), 00:03:28, RP 10.0.0.252, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Virtual-Access1, Forward/Sparse, 06:37:18/00:03:28

Spoke 1 (Tunnel0 to 10.0.0.254, Tunnel1 to 10.0.0.253):
(*, 239.0.0.1), 00:02:43, RP 10.0.0.252, flags: SJC
  Incoming interface: Tunnel0, RPF nbr 10.0.0.254
  Outgoing interface list:
    Ethernet0/1, Forward/Sparse, 06:37:18/00:02:43

[Diagram: Spoke 2 (10.0.0.3) with LAN 192.168.3.0/24 and source 192.168.3.2 not yet involved]
PIM Sparse-Mode Overview
Registration
Source 192.168.3.2 starts sending to 239.0.0.1. The source spoke (10.0.0.3) creates the (S, G) entry with the F (register) flag, its RPF toward the RP resolves to Tunnel1 / Hub 2, and it sends a PIM Register for (192.168.3.2, 239.0.0.1) to Hub 2. Hub 1 and the receiver spoke keep the state of the previous slide.

Source spoke (10.0.0.3):
(*, 239.0.0.1), 00:00:35/stopped, RP 10.0.0.252, flags: SPF
  Incoming interface: Tunnel1, RPF nbr 10.0.0.253
  Outgoing interface list: Null
(192.168.3.2, 239.0.0.1), 00:00:35/00:02:24, flags: PFT
  Incoming interface: Ethernet0/1, RPF nbr 0.0.0.0, Registering
  Outgoing interface list: Null

Hub 2 (RP, receives the Register):
(*, 239.0.0.1), 00:03:14/stopped, RP 10.0.0.252, flags: SP
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list: Null
(192.168.3.2, 239.0.0.1), 00:01:08/00:02:53, flags: PA
  Incoming interface: Virtual-Access1, RPF nbr 10.0.0.3
  Outgoing interface list: Null
PIM Sparse-Mode Overview
MSDP Update
Hub 2 announces the active source to its MSDP peer Hub 1 with a Source-Active for (192.168.3.2, 239.0.0.1). Hub 1, which has the receiver on its shared tree, creates an MSDP-learned (S, G) entry (flag M) with Tunnel100 / Hub 2 as RPF interface toward the source and Virtual-Access1 in its outgoing list; the source spoke's (S, G) now lists Tunnel1 as outgoing interface.

Hub 1:
(*, 239.0.0.1), 00:03:28, RP 10.0.0.252, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Virtual-Access1, Forward/Sparse, 06:37:18/00:03:28
(192.168.3.2, 239.0.0.1), 00:02:37, flags: M
  Incoming interface: Tunnel100, RPF nbr 10.0.0.253
  Outgoing interface list:
    Virtual-Access1, Forward/Sparse, 06:37:18/00:03:07

Hub 2:
(*, 239.0.0.1), 00:03:14/stopped, RP 10.0.0.252, flags: SP
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list: Null
(192.168.3.2, 239.0.0.1), 00:01:08/00:02:53, flags: PA
  Incoming interface: Virtual-Access1, RPF nbr 10.0.0.3
  Outgoing interface list: Null

Source spoke (10.0.0.3):
(192.168.3.2, 239.0.0.1), 00:00:35/00:02:24, flags: PFT
  Incoming interface: Ethernet0/1, RPF nbr 0.0.0.0
  Outgoing interface list:
    Tunnel1, Forward/Sparse, 00:02:04/00:03:23
PIM Sparse-Mode Overview
Linking the Shared and Source Tree
Hub 1 sends a PIM Join for (192.168.3.2, 239.0.0.1) to Hub 2 across Tunnel100. Hub 2 adds Tunnel100 to the outgoing interface list of its (S, G) entry, and the source spoke's (S, G) is no longer pruned (flags FT). Hub 1 and the receiver spoke keep the state of the previous slide.

Hub 2:
(*, 239.0.0.1), 00:01:08/stopped, RP 10.0.0.252, flags: SP
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list: Null
(192.168.3.2, 239.0.0.1), 00:01:08/00:03:27, flags: PA
  Incoming interface: Virtual-Access1, RPF nbr 10.0.0.3
  Outgoing interface list:
    Tunnel100, Forward/Sparse, 00:02:02/00:03:26

Source spoke (10.0.0.3):
(192.168.3.2, 239.0.0.1), 00:00:35/00:02:24, flags: FT
  Incoming interface: Ethernet0/1, RPF nbr 0.0.0.0
  Outgoing interface list:
    Tunnel1, Forward/Sparse, 00:02:04/00:03:23
PIM Sparse-Mode Overview
Multicast Traffic Flows End-to-End
Traffic from 192.168.3.2 to 239.0.0.1 now follows the source tree: source spoke (Ethernet0/1 → Tunnel1) → Hub 2 (Virtual-Access1 → Tunnel100) → Hub 1 (Tunnel100 → Virtual-Access1) → receiver spoke (Tunnel0 → Ethernet0/1). Both hubs' (S, G) entries carry the T (SPT-bit) flag; the remaining entries are unchanged from the previous slides.

Hub 1:
(192.168.3.2, 239.0.0.1), 00:02:37, flags: MT
  Incoming interface: Tunnel100, RPF nbr 10.0.0.253
  Outgoing interface list:
    Virtual-Access1, Forward/Sparse, 00:03:28

Hub 2:
(192.168.3.2, 239.0.0.1), 00:01:08/00:03:27, flags: TA
  Incoming interface: Virtual-Access1, RPF nbr 10.0.0.3
Scenario 1 – Shortcut Tunnel is Created
E.g. Due to Unicast
An NHRP redirect from the hub (ip nhrp redirect on the hubs, ip nhrp shortcut on the spoke tunnels) makes the two spokes build a shortcut tunnel to each other, here triggered by unicast traffic between them. The multicast state is unchanged from the previous slide: the (S, G) tree still runs source spoke → Hub 2 → Tunnel100 → Hub 1 → receiver spoke.
[Diagram: same topology with a shortcut tunnel between spoke 10.0.0.2 and spoke 10.0.0.3]
Situation – Shortcut Tunnel is Created
Traffic Flows but this is odd…
The mroute entries on the hubs and on both spokes are unchanged from the end-to-end slide, so multicast from 192.168.3.2 to 239.0.0.1 still travels source spoke → Hub 2 → Tunnel100 → Hub 1 → receiver spoke even though a direct shortcut tunnel between the two spokes now exists. Clumsy.
Recommendation – SAFI 2 & SAFI 129 (15.3(1)T)
Hub will remote-control Spoke’s MuRIB via BGP
Scenario 1 – Update
Traffic Flows more naturally with SAFI 129 / SAFI 2
[Diagram: same topology; the mroute entries shown are those of the previous slides]
Flex & Sparse-Mode – Hub Configuration
Hub 1 – Flex, Multicast and Interfaces
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Hub1.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 vrf forwarding RED
 ip unnumbered Loopback0
 ip access-group AllowMyBGP in
 ! Activate Sparse-Mode
 ip pim sparse-mode
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel protection ipsec profile default
!
! Rendez-Vous Point definition
ip pim vrf RED rp-address 10.0.0.252
!
! MSDP for RP synchronization
ip msdp vrf RED peer 10.0.0.253 connect-source Loopback0
ip msdp vrf RED cache-sa-state
!
vrf definition RED
 rd 2:2
 address-family ipv4
 address-family ipv6
!
interface Loopback0
 vrf forwarding RED
 ip address 10.0.0.254 255.255.255.255
!
! Anycast Rendez-Vous Point loopback
interface Loopback1
 vrf forwarding RED
 ip address 10.0.0.252 255.255.255.255
!
interface Tunnel100
 vrf forwarding RED
 ip unnumbered Loopback0
 ! Activate Sparse-Mode
 ip pim sparse-mode
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/1
 tunnel destination 192.168.100.2
 tunnel vrf ivrf
Flex & Sparse-Mode – Hub Configuration
Hub 2 – Flex, Multicast and Interfaces
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Hub2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 vrf forwarding RED
 ip unnumbered Loopback0
 ip access-group AllowMyBGP in
 ip pim sparse-mode
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel protection ipsec profile default
!
ip pim vrf RED rp-address 10.0.0.252
!
ip msdp vrf RED peer 10.0.0.254 connect-source Loopback0
ip msdp vrf RED cache-sa-state
!
vrf definition RED
 rd 2:2
 address-family ipv4
 address-family ipv6
!
interface Loopback0
 vrf forwarding RED
 ip address 10.0.0.253 255.255.255.255
!
! Anycast Rendez-Vous Point loopback: same address as on Hub 1!! (Anycast)
interface Loopback1
 vrf forwarding RED
 ip address 10.0.0.252 255.255.255.255
!
interface Tunnel100
 vrf forwarding RED
 ip unnumbered Loopback0
 ip pim sparse-mode
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/1
 tunnel destination 192.168.100.2
 tunnel vrf ivrf
Flex & Sparse-Mode – Hub Configuration
Hubs Common BGP Configuration – With SAFI 2 and SAFI 129
ip route vrf RED 10.0.0.0 255.0.0.0 Tunnel100 tag 2
ip route vrf RED 192.168.0.0 255.255.0.0 Tunnel100 tag 2
!
router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/24 peer-group Flex
 !
 ! Vanilla BGP configuration
 address-family ipv4 vrf RED
  redistribute static route-map rm
  neighbor Flex peer-group
  neighbor Flex remote-as 1
  neighbor Flex next-hop-self all
 exit-address-family
 !
 ! Use mBGP to advertise a prefix in the MuRIB only
 address-family ipv4 multicast vrf ivrf
  neighbor Flex peer-group
  neighbor Flex remote-as 1
  neighbor Flex default-originate
 exit-address-family
Flex & Sparse-Mode – Spoke Configuration
Client/Receiver and Source Spoke
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Spoke2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
! Rendez-Vous Point definition
ip pim rp-address 10.0.0.252
!
router bgp 1
 bgp log-neighbor-changes
 neighbor 10.0.0.253 remote-as 1
 neighbor 10.0.0.254 remote-as 1
 address-family ipv4
  network 192.168.2.0
  neighbor 10.0.0.253 activate
  neighbor 10.0.0.254 activate
  maximum-paths ibgp 2
 ! Receive SAFI 2 & SAFI 129
 address-family ipv4 multicast
  neighbor 10.0.0.253 activate
  neighbor 10.0.0.254 activate
!
interface Loopback0
 ip address 10.0.0.2 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 ! Activate PIM on tunnel interfaces
 ip pim sparse-mode
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 172.16.1.1
 tunnel protection ipsec profile default
!
interface Tunnel1
 ip unnumbered Loopback0
 ! Activate PIM on tunnel interfaces
 ip pim sparse-mode
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 172.16.4.1
 tunnel protection ipsec profile default
!
! No PIM on the virtual-template!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel protection ipsec profile default
PIM SSM Overview (SSM recommended)
Super Simple – Shared Tree is the Source Tree
Receiver 192.168.2.2 sends an IGMP (version 3) Join for the channel (192.168.3.2, 239.0.0.1); the receiver spoke sends a PIM (S, G) Join for (192.168.3.2, 239.0.0.1) toward the source through the hubs. No rendez-vous point is involved.
[Diagram: Hub 1 10.0.0.254 (.1) and Hub 2 10.0.0.253 (.2); receiver on 192.168.2.0/24, source 192.168.3.2 on 192.168.3.0/24]
PIM SSM Overview
No Tree Modification with Multicast Traffic
When 192.168.3.2 starts sending to 239.0.0.1, the traffic follows the (S, G) tree built by the join; there is no registration and no shared-tree-to-source-tree switch.
[Diagram: same topology, traffic 192.168.3.2 → 239.0.0.1 flowing from the source spoke through the hubs to the receiver spoke]
Flex & SSM – Hub Configuration
Hubs (Common Config) – Flex, Multicast and Interfaces
No Anycast Rendez-Vous Point
Flex & SSM – Hub Configuration
Hubs Common BGP Configuration – With SAFI 2 and SAFI 129
! No change here
ip route vrf RED 10.0.0.0 255.0.0.0 Tunnel100 tag 2
ip route vrf RED 192.168.0.0 255.255.0.0 Tunnel100 tag 2
!
router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/24 peer-group Flex
 !
 ! Vanilla BGP configuration
 address-family ipv4 vrf RED
  redistribute static route-map rm
  neighbor Flex peer-group
  neighbor Flex remote-as 1
  neighbor Flex next-hop-self all
 exit-address-family
 !
 ! Use mBGP to advertise a prefix in the MuRIB only
 address-family ipv4 multicast vrf ivrf
  neighbor Flex peer-group
  neighbor Flex remote-as 1
  neighbor Flex default-originate
 exit-address-family
Flex & SSM – Spoke Configuration
Client/Receiver and Source Spoke
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Spoke2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
! Activate SSM for the group range
ip pim ssm range 1
access-list 1 permit 239.0.0.0 0.255.255.255
!
router bgp 1
 bgp log-neighbor-changes
 neighbor 10.0.0.253 remote-as 1
 neighbor 10.0.0.254 remote-as 1
 address-family ipv4
  network 192.168.2.0
  neighbor 10.0.0.253 activate
  neighbor 10.0.0.254 activate
  maximum-paths ibgp 2
 ! Receive SAFI 2 & SAFI 129
 address-family ipv4 multicast
  neighbor 10.0.0.253 activate
  neighbor 10.0.0.254 activate
!
! IGMPv3 on receiver-facing interfaces
interface Ethernet0/1
 ! LAN address 192.168.2.1/24, as shown for Ethernet0/1 in show ip route multicast
 ip address 192.168.2.1 255.255.255.0
 ip igmp version 3
!
interface Tunnel0
 ip unnumbered Loopback0
 ! Activate PIM on tunnel interfaces
 ip pim sparse-mode
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 172.16.1.1
 tunnel protection ipsec profile default
!
interface Tunnel1
 ip unnumbered Loopback0
 ! Activate PIM on tunnel interfaces
 ip pim sparse-mode
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 172.16.4.1
 tunnel protection ipsec profile default
!
! No PIM on the virtual-template!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel protection ipsec profile default
CLI of Interest
show ip mroute [vrf red]
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry, E - Extranet,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group,
       G - Received BGP C-Mroute, g - Sent BGP C-Mroute,
       Q - Received BGP S-A Route, q - Sent BGP S-A Route,
       V - RD & Vector, v - Vector
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.0.0.1), 01:02:37/00:02:15, RP 10.0.0.252, flags: SJC
  Incoming interface: Tunnel0, RPF nbr 10.0.0.254
  Outgoing interface list:
    Ethernet0/1, Forward/Sparse, 01:02:37/00:02:15

show ip route multicast [vrf red]
Routing Table: multicast
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 172.16.2.2 to network 0.0.0.0

S*  + 0.0.0.0/0 [254/0] via 172.16.2.2
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
B   + 10.0.0.0/8 [200/0] via 10.0.0.254, 00:44:32
                 [200/0] via 10.0.0.253, 00:44:32
L     10.0.0.2/32 is directly connected, Loopback0
S   + 10.0.0.253/32 is directly connected, Tunnel1
S   + 10.0.0.254/32 is directly connected, Tunnel0
      172.16.0.0/32 is subnetted, 1 subnets
L     172.16.2.1 is directly connected, Ethernet0/0
B   + 192.168.0.0/16 [200/0] via 10.0.0.254, 00:44:32
                     [200/0] via 10.0.0.253, 00:44:32
      192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C     192.168.2.0/24 is directly connected, Ethernet0/1
L     192.168.2.1/32 is directly connected, Ethernet0/1
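The recommendation slide says the hub remote-controls the spoke's MuRIB via BGP, and the show ip route multicast output above is that MuRIB on the receiver spoke. The following example is added here and is not from the deck: it models the RPF lookup PIM performs (longest-prefix match, recursive next-hop resolution and the IOS default tie-break on the highest next-hop address) and runs it against two tables constructed from the spoke output, a unicast RIB that has learned an NHRP shortcut route and a MuRIB that has not. The compact table format, the helper names and the H route via 10.0.0.3 / Virtual-Access1 are assumptions.

```python
"""RPF lookup on a FlexVPN spoke: unicast RIB versus mBGP-fed MuRIB.

Added example, not from the BRKSEC-3036 deck. The tables below are constructed
from the spoke's 'show ip route multicast' output; the compact route format and
the NHRP shortcut route (H) in the unicast table are assumptions.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    proto: str                                  # IOS code: C, S, B, H ...
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]   # None for interface-only routes
    interface: Optional[str]                    # None for recursive (iBGP) routes


def parse_table(text: str) -> List[Route]:
    """Parse 'PROTO PREFIX [via NEXT-HOP] [INTERFACE]' lines; '#' starts a comment."""
    routes = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        prefix, rest = ipaddress.IPv4Network(fields[1]), fields[2:]
        next_hop = interface = None
        if rest and rest[0] == "via":
            next_hop, rest = ipaddress.IPv4Address(rest[1]), rest[2:]
        if rest:
            interface = rest[0]
        routes.append(Route(fields[0], prefix, next_hop, interface))
    return routes


def longest_match(table: List[Route], addr: ipaddress.IPv4Address) -> List[Route]:
    """Every route sharing the longest prefix that covers addr (the ECMP set)."""
    hits = [r for r in table if addr in r.prefix]
    best = max((r.prefix.prefixlen for r in hits), default=-1)
    return [r for r in hits if r.prefix.prefixlen == best]


def rpf(table: List[Route], source: str, max_depth: int = 4) -> Optional[Tuple[str, str]]:
    """PIM RPF check: (incoming interface, RPF neighbour) for source, None on failure.

    iBGP routes carry only a next hop, so the lookup recurses until it reaches a
    route with an outgoing interface. Among equal-cost paths IOS takes the highest
    next-hop address unless 'ip multicast multipath' is configured.
    """
    addr = ipaddress.IPv4Address(source)
    nbr: Optional[ipaddress.IPv4Address] = None
    for _ in range(max_depth):
        paths = longest_match(table, addr)
        if not paths:
            return None                         # no route: RPF failure, packets dropped
        route = max(paths, key=lambda r: int(r.next_hop) if r.next_hop is not None else -1)
        if route.next_hop is not None:
            nbr = route.next_hop
        if route.interface is not None:         # directly connected shows RPF nbr 0.0.0.0
            return route.interface, str(nbr) if nbr is not None else "0.0.0.0"
        if route.next_hop is None:
            return None                         # neither interface nor next hop: unusable
        addr = route.next_hop                   # recursive route: resolve the next hop
    return None


# Receiver spoke 10.0.0.2, unicast RIB after an NHRP shortcut to spoke 10.0.0.3 came up.
SPOKE_UNICAST_RIB = parse_table("""
B 10.0.0.0/8      via 10.0.0.254                 # iBGP from Hub 1
B 10.0.0.0/8      via 10.0.0.253                 # iBGP from Hub 2
C 10.0.0.2/32     Loopback0
S 10.0.0.253/32   Tunnel1                         # static toward Hub 2
S 10.0.0.254/32   Tunnel0                         # static toward Hub 1
B 192.168.0.0/16  via 10.0.0.254
B 192.168.0.0/16  via 10.0.0.253
C 192.168.2.0/24  Ethernet0/1                     # receiver LAN
H 192.168.3.0/24  via 10.0.0.3 Virtual-Access1    # NHRP shortcut (constructed)
""")

# Same spoke, MuRIB as in the deck's 'show ip route multicast': no shortcut route.
SPOKE_MURIB = parse_table("""
B 10.0.0.0/8      via 10.0.0.254
B 10.0.0.0/8      via 10.0.0.253
C 10.0.0.2/32     Loopback0
S 10.0.0.253/32   Tunnel1
S 10.0.0.254/32   Tunnel0
B 192.168.0.0/16  via 10.0.0.254
B 192.168.0.0/16  via 10.0.0.253
C 192.168.2.0/24  Ethernet0/1
""")


def compare_rpf(source: str) -> Dict[str, Optional[Tuple[str, str]]]:
    """RPF result for one source against both tables, keyed by table name."""
    return {"unicast": rpf(SPOKE_UNICAST_RIB, source),
            "murib": rpf(SPOKE_MURIB, source)}
```

For source 192.168.3.2 the unicast RIB answers Virtual-Access1 / 10.0.0.3 (the shortcut) while the MuRIB answers Tunnel0 / 10.0.0.254, the incoming interface and RPF neighbour the receiver spoke's mroute entry above shows.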
ISE CoA demo
ISE – Authorization Policies
ISE – Authorization Profile
CoA Terminating
Terminate session with CoA