Advanced IPsec designs with FlexVPN
BRKSEC-3036

Frederic Detienne
Distinguished Engineer

Agenda
• FlexVPN in a nutshell
• Shortcut Switching
• Backup with Routing
• Per Branch Features
• End-to-End VRF Separation with MPLSoFlex
• Backup Mechanisms and Load Balancing
• Conclusion

BRKSEC-3036 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
FlexVPN Quick Recap
IKEv2 CLI Overview

IKEv2 Profile – extensive CLI:

crypto ikev2 profile default
 ! Self identity control
 identity local address 10.0.0.1
 identity local fqdn local.cisco.com
 identity local email local@cisco.com
 identity local dn
 ! Matching on peer identity or certificate
 match identity remote address 10.0.1.1
 match identity remote fqdn remote.cisco.com
 match identity remote fqdn domain cisco.com
 match identity remote email remote@cisco.com
 match identity remote email domain cisco.com
 match certificate certificate_map
 ! Matching on local address and front VRF
 match fvrf red
 match address local 172.168.1.1
 ! Asymmetric local and remote authentication methods
 authentication local pre-share [key <KEY>]
 authentication local rsa-sig
 authentication local eap
 authentication remote pre-share [key <KEY>]
 authentication remote rsa-sig
 authentication remote eap
 ! IOS based and AAA based pre-shared keyring
 keyring local <IOSkeyring>
 keyring aaa <AAAlist>
 pki trustpoint <trustpoint_name>

IKEv2 Basic Negotiation

Initiator                                                            Responder
  HDR, SAi1, KEi, Ni                                             -->
                                                                 <--  HDR, SAr1, KEr, Nr, [Certreq]
  HDR, SK {IDi, [Cert], [Certreq], [IDr], AUTH, SAi2, TSi, TSr}  -->
                                                                 <--  HDR, SK {IDr, [Cert], AUTH, TSi, TSr}

HDR – IKE Header
SK – payload encrypted and integrity protected
SA[i/r] – cryptographic algorithms the peer proposes/accepts
ID[i/r] – Initiator/Responder Identity
KE[i/r] – Initiator Key Exchange material
Cert(req) – Certificate (request)
N[i/r] – Initiator/Responder Nonce
AUTH – Authentication data
SA – Includes SA, Proposal and Transform Info to Create the 1st CHILD_SA
TS[i/r] – Traffic Selector as src/dst proxies

IKEv2 Profile Match Statements

HDR, SK {IDi, [Cert], [Certreq], [IDr], AUTH, SAi2, TSi, TSr}

The IDi payload (and the peer certificate) of the IKE_AUTH request is what the profile match statements are evaluated against:

IDi sent by the peer      Match statement
172.16.0.1                match identity remote address
router.cisco.com          match identity remote fqdn
router@cisco.com          match identity remote email
…

match certificate <certificate map> matches on the peer certificate, for example:
SubjectName:
• CN=RouterName
• O=Cisco
• OU=Engineering
IssuerName:
• CN=PKI Server
• O=Cisco
• OU=IT

IPsec CLI Overview
Tunnel Protection

! IPsec transform
crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
!
! IPsec profile defines SA parameters and points to the IKEv2 profile
crypto ipsec profile default
 set transform-set default
 set crypto ikev2 profile default
!
! Dynamic point-to-point interfaces: Virtual-Template (Virtual-Access interfaces are cloned from it)
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel protection ipsec profile default
!
! Static point-to-point interfaces; tunnel protection links the interface to the IPsec profile
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source Ethernet0/0
 tunnel destination 172.16.2.1
 tunnel protection ipsec profile default

Introducing Smart Defaults
Intelligent, reconfigurable defaults

These constructs are the Smart Defaults:

crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
!
crypto ipsec profile default
 set transform-set default
 set crypto ikev2 profile default
!
crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha512 sha256 sha1 md5
 group 5 2
!
crypto ikev2 policy default
 match fvrf any
 proposal default
!
crypto ikev2 authorization policy default
 route set interface
 route accept any

What you need to specify:

crypto ikev2 profile default
 match identity remote address 10.0.1.1
 authentication local rsa-sig
 authentication remote rsa-sig
 aaa authorization user cert list default default
 pki trustpoint TP
!
interface Tunnel0
 ip address 192.168.0.1 255.255.255.252
 tunnel protection ipsec profile default

Packet Forwarding and Interface Creation
IKEv2 and AAA (optional)

Basic Packet Forwarding (figure):
 Layer 5+: IKE, AAA, BGP
 Layer 4
 Layer 3: Routing
 Layer 2: Input features -> Encapsulation -> Output features

IKE Flow Creation (figure, AAA optional):
 Layer 5+: IKE, AAA, BGP
 Layer 3: remote private networks added to the routing table
 Layer 2: Virtual-Access interface (tunnel) created by IKEv2; the IPsec Security Association is applied here

Packet Forwarding – Tunnels & Features (figure):
 Layer 5+: IKE, AAA, BGP
 Layer 4: Post-encapsulation (Tunnel Protection)
 Layer 3: Routing (a second lookup follows encapsulation)
 Layer 2: Input features -> Output features (applied to the clear-text packet) -> Encapsulation -> Output features (applied to the encrypted packet)

Generic Profile Derivation
Expanded Example (not recommended)

Spoke R1.cisco.com -> Hub: IDi=R1.cisco.com, Auth, TSi, TSr, CFG_Req(IP4_ADDRESS, IP4_NETWORK…)

On the hub (profiles held on the hub, on RADIUS, or a mix):
1. IDi selects the IKEv2 profile. Fetch Profile 1: keyring aaa <list> name-mangler <m>
2. Authentication (OK). Fetch Profile 2, the user profile, used only for authentication: aaa authorization user psk <list>
3. Activate config-exchange. Fetch Profile 3, the group profile: aaa authorization group psk <list>
4. Final profile on the hub: the Virtual-Access is cloned from the Virtual-Template and the routes are installed in the RIB.

Hub -> Spoke: IDr, cert, Auth, TSi, TSr, CFG_Reply(IP4_ADDRESS=10.0.0.1, IP4_SUBNET=0.0.0.0/0, IP4_SUBNET=10.0.0.254/32)

Shortcut Switching
With IKEv2 Routing

FlexVPN Mesh – Network Diagram with Hub Resiliency (figure): two hubs on 192.168.100.0/24 (.1, .2 and .254), reachable at 172.16.0.1 and 172.16.0.2. Spokes use static Tunnel interfaces towards the hubs; the hubs terminate them on Virtual-Access interfaces; spoke-to-spoke tunnels are Virtual-Access interfaces on the spokes.

Hub & Spoke Bootstrap – Config Exchange

Spoke 1 (LAN 192.168.1.0/24) interfaces:
 Ethernet0/0: 172.16.1.1
 Ethernet0/1: 192.168.1.1
 Tunnel0: 10.0.0.1 (spoke assigned address)
Hub (LAN 192.168.100.0/24, .1 and .254) interfaces:
 Ethernet0/0: 172.16.0.1
 Ethernet0/1: 192.168.100.1
 Loopback0: 10.0.0.254/32
 VirtualAccess1: 10.0.0.254/32

Exchange:
 Spoke -> Hub: SA Prop (AES-256, SHA-1, DH 5), KEi, Ni
 Hub -> Spoke: SA Prop (AES-256, SHA-1, DH 5), KEr, Nr
 Spoke -> Hub: IDi=Spoke1.cisco.com, Auth, TSi, TSr, CFG_Req(IP4_SUBNET…)   (requesting an address is optional)
 Hub -> Spoke: IDr, cert, Auth, TSi, TSr, CFG_Reply(IP4_SUBNET=10.0.0.254/32, 192.168.0.0/16; IP4_ADDRESS=10.0.0.1)
 Spoke -> Hub: CFG_set(IP4_SUBNET=10.0.0.1/32, 192.168.1.0/24, 10.0.0.1/32)
 Hub -> Spoke: CFG_ack()

Spoke 1 routing table:
 172.16.0.1/32 -> 172.16.1.254 (E0/0)
 192.168.1.0/24 -> Ethernet 0/1
 10.0.0.254/32 -> Tunnel 0
 192.168.0.0/16 -> Tunnel 0   (supernet covering all spokes' LAN prefixes)
Hub routing table:
 0.0.0.0/0 -> 172.16.0.254 (E0/0)
 192.168.100.0/24 -> Ethernet 0/1
 10.0.0.1/32 -> VirtualAccess1
 192.168.1.0/24 -> VirtualAccess1

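The exchange above, modelled in Python as an added example (not code from the presentation or from Cisco): both sides' messages and the static routes each side installs, with the hub handing out its `route set remote` prefixes and the spoke pushing its tunnel address and LAN prefix as `route set interface` does. The class and function names (`Hub`, `Spoke`, `bootstrap`) and the hub-side accept filter are the model's own assumptions; the slide itself relies on the smart default `route accept any`, which accepts whatever the spoke pushes.

```python
"""Model of the FlexVPN IKEv2 route exchange (CFG_REQUEST / CFG_REPLY /
CFG_SET / CFG_ACK) from the "Hub & Spoke Bootstrap – Config Exchange" slide.
Added example, not Cisco code.

The hub hands the spoke a tunnel address and the prefixes of its
`route set remote` statements; the spoke answers with its tunnel address and
its LAN prefixes (`route set interface`). Each side installs static routes
through its tunnel interface. Assumption: the hub filters spoke-pushed
prefixes against a list of acceptable supernets (the slide relies on the
smart default `route accept any`, which accepts everything).
"""
import ipaddress


def net(prefix):
    return ipaddress.ip_network(prefix, strict=False)


class Router:
    def __init__(self, name):
        self.name = name
        self.rib = {}                      # network -> (code, interface)

    def install(self, code, prefix, interface):
        self.rib[net(prefix)] = (code, interface)

    def lookup(self, prefix):
        return self.rib.get(net(prefix))


class Hub(Router):
    def __init__(self, name, loopback, route_set_remote, pool, route_accept=("0.0.0.0/0",)):
        super().__init__(name)
        self.loopback = loopback
        self.install("C", f"{loopback}/32", "Loopback0")
        self.route_set_remote = [str(net(p)) for p in route_set_remote]
        self.pool = iter(pool)                             # addresses assigned to spokes
        self.route_accept = [net(p) for p in route_accept]
        self.sessions = {}                                 # IDi -> Virtual-Access interface

    def ike_auth(self, idi, cfg_request):
        """IKE_AUTH response: clone a Virtual-Access for the peer, build CFG_REPLY."""
        self.sessions[idi] = f"Virtual-Access{len(self.sessions) + 1}"
        reply = {}
        if "IP4_ADDRESS" in cfg_request:
            reply["IP4_ADDRESS"] = next(self.pool)
        if "IP4_SUBNET" in cfg_request:
            reply["IP4_SUBNET"] = [f"{self.loopback}/32"] + self.route_set_remote
        return reply

    def cfg_set(self, idi, subnets):
        """CFG_SET from the spoke: install accepted prefixes via its Virtual-Access."""
        vaccess = self.sessions[idi]
        accepted, rejected = [], []
        for s in subnets:
            if any(net(s).subnet_of(a) for a in self.route_accept):
                self.install("S", s, vaccess)
                accepted.append(s)
            else:
                rejected.append(s)
        return {"accepted": accepted, "rejected": rejected}


class Spoke(Router):
    def __init__(self, name, lan_prefixes, request_address=True):
        super().__init__(name)
        self.lan_prefixes = [str(net(p)) for p in lan_prefixes]
        for i, p in enumerate(self.lan_prefixes):
            self.install("C", p, f"Ethernet0/{i + 1}")
        self.request_address = request_address
        self.tunnel_address = None

    def connect(self, hub, tunnel="Tunnel0"):
        """Run the exchange with a hub; returns the message transcript."""
        log = []
        cfg_request = ["IP4_SUBNET"] + (["IP4_ADDRESS"] if self.request_address else [])
        log.append(f"{self.name} -> {hub.name}: IDi={self.name}, CFG_REQUEST({', '.join(cfg_request)})")
        reply = hub.ike_auth(self.name, cfg_request)
        log.append(f"{hub.name} -> {self.name}: CFG_REPLY({reply})")
        self.tunnel_address = reply.get("IP4_ADDRESS")
        if self.tunnel_address:
            self.install("C", f"{self.tunnel_address}/32", tunnel)
        for p in reply.get("IP4_SUBNET", []):
            self.install("S", p, tunnel)          # hub loopback and protected supernets
        # route set interface: push the tunnel address and the LAN prefixes
        pushed = ([f"{self.tunnel_address}/32"] if self.tunnel_address else []) + self.lan_prefixes
        log.append(f"{self.name} -> {hub.name}: CFG_SET(IP4_SUBNET={pushed})")
        ack = hub.cfg_set(self.name, pushed)
        log.append(f"{hub.name} -> {self.name}: CFG_ACK {ack}")
        return log


def bootstrap():
    """The slide's addressing: hub 10.0.0.254, supernet 192.168.0.0/16, spoke 1 gets 10.0.0.1."""
    hub = Hub("Hub", "10.0.0.254", ["192.168.0.0/16"], ["10.0.0.1", "10.0.0.2"],
              route_accept=["10.0.0.0/8", "192.168.0.0/16"])
    spoke = Spoke("Spoke1.cisco.com", ["192.168.1.0/24"])
    return hub, spoke, spoke.connect(hub)


if __name__ == "__main__":
    hub, spoke, log = bootstrap()
    print("\n".join(log))
```

Running the module prints the four messages; after the exchange the spoke has 10.0.0.254/32 and 192.168.0.0/16 via Tunnel0 and the hub has 10.0.0.1/32 and 192.168.1.0/24 via Virtual-Access1, exactly the two routing tables on the slide. The accept filter is the check worth keeping in mind: a spoke's CFG_SET is authenticated but otherwise trusted, so what a hub accepts from it decides which prefixes a compromised branch can attract.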
FlexVPN Hub and Spoke – IKE Route Exchange

Topology (figure): Hub 1 (physical 172.16.0.1, tunnel 10.0.0.254) and Hub 2 (physical 172.16.0.2, tunnel 10.0.0.253) sit on 192.168.100.0/24 (.1 and .2) and are linked by Tunnel 100. In this diagram Spoke 1 (physical 172.16.1.1, tunnel 10.0.0.1, LAN 192.168.1.0/24) connects to Hub 1 over Tunnel0 and Spoke 2 (physical 172.16.2.1, tunnel 10.0.0.2, LAN 192.168.2.0/24) connects to Hub 2 over Tunnel1.

Hub 1 routing table:
 C 10.0.0.254 -> Loopback0
 C 192.168.100.0/24 -> Eth0
 S 192.168.0.0/16 -> Tunnel100
 S 10.0.0.0/8 -> Tunnel100
 S 10.0.0.1 -> V-Access1
 S 192.168.1.0/24 -> V-Access1
Hub 2 routing table:
 C 10.0.0.253 -> Loopback0
 C 192.168.100.0/24 -> Eth0
 S 192.168.0.0/16 -> Tunnel100
 S 10.0.0.0/8 -> Tunnel100
 S 10.0.0.2 -> V-Access1
 S 192.168.2.0/24 -> V-Access1
Spoke 1 routing table:
 C 192.168.1.0/24 -> Eth0
 C 10.0.0.1 -> Tunnel0
 S 0.0.0.0/0 -> Dialer0
 S 10.0.0.254/32 -> Tunnel0
 S 192.168.0.0/16 -> Tunnel0
Spoke 2 routing table:
 C 192.168.2.0/24 -> Eth0
 C 10.0.0.2 -> Tunnel1
 S 0.0.0.0/0 -> Dialer0
 S 10.0.0.253/32 -> Tunnel1
 S 192.168.0.0/16 -> Tunnel1
NHRP tables (hubs and spokes): empty

FlexVPN Mesh – Indirection

Routing and NHRP tables as on the previous slide. Traffic from Spoke 1 to 192.168.2.0/24 follows 192.168.0.0/16 -> Tunnel0 to Hub 1, then 192.168.0.0/16 -> Tunnel100 to Hub 2, then 192.168.2.0/24 -> V-Access1 to Spoke 2: spoke-to-spoke traffic transits both hubs.

FlexVPN Mesh – Resolution

Hub routing tables as before. Spoke 1 sends a Resolution request for 192.168.2.2 via the hubs; Spoke 2 answers with a Resolution Reply (192.168.2.0/24) sent directly to Spoke 1.

Spoke 1 NHRP table:
 10.0.0.2/32 -> 172.16.2.1
 192.168.2.0/24 -> 172.16.2.1
Spoke 2 NHRP table:
 10.0.0.1 -> 172.16.1.1

Spoke 1 routing table:
 C 192.168.1.0/24 -> Eth0
 C 10.0.0.1 -> Tunnel0
 S 0.0.0.0/0 -> Dialer0
 S 10.0.0.254/32 -> Tunnel0
 S 192.168.0.0/16 -> Tunnel0
 H/S 10.0.0.2/32 -> V-Access1
 H/S 192.168.2.0/24 -> V-Access1
Spoke 2 routing table:
 C 192.168.2.0/24 -> Eth0
 C 10.0.0.2 -> Tunnel1
 S 0.0.0.0/0 -> Dialer0
 S 10.0.0.253/32 -> Tunnel1
 S 192.168.0.0/16 -> Tunnel1
 H/S 10.0.0.1/32 -> V-Access1

FlexVPN Mesh – Shortcut Forwarding

Tables as after the Resolution slide. With the H/S routes in place, 192.168.2.0/24 -> V-Access1 is a longer match than 192.168.0.0/16 -> Tunnel0, so Spoke 1 forwards to Spoke 2 directly over the spoke-to-spoke Virtual-Access tunnel and the hubs are no longer in the path.

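The indirection, redirect, resolution and shortcut sequence of the last four slides as a Python model (an added example, not code from the presentation or from Cisco). It shows why the hub only sends a redirect when the packet enters and leaves interfaces of the same NHRP network-id, what the spoke learns from the resolution reply, and how the longer H route then wins the next lookup. Assumptions of the model: both spokes hang off a single hub (the page puts Spoke 2 behind Hub 2 over Tunnel 100), the hub relays the resolution itself, and the helper names (`Node`, `forward`, `resolve`, `send`, `build_topology`) are the model's own; addresses and prefixes are the page's.

```python
"""Model of NHRP shortcut switching over a FlexVPN mesh, from the
"FlexVPN Mesh – Indirection / Resolution / Shortcut Forwarding" slides.
Added example, not Cisco code.

`ip nhrp redirect` on a hub sends a traffic indication back to the source
when a packet leaves through an interface in the same NHRP network-id it
arrived on; `ip nhrp shortcut` on the spoke then resolves the destination,
installs the reply as H routes through a Virtual-Access interface cloned
from the virtual-template (with its own IPsec SA to the peer's NBMA address),
and the next packet takes the direct tunnel. Simplification (assumption):
both spokes hang off one hub, so the hub relays the resolution itself;
addresses and prefixes are the page's.
"""
import ipaddress


def net(prefix):
    return ipaddress.ip_network(prefix, strict=False)


class Node:
    def __init__(self, name, nbma, tunnel_ip, redirect=False, shortcut=False):
        self.name, self.nbma, self.tunnel_ip = name, nbma, tunnel_ip
        self.redirect, self.shortcut = redirect, shortcut   # ip nhrp redirect / shortcut
        self.rib = {}        # network -> (code, interface)
        self.nhrp = {}       # network -> NBMA address
        self.peers = {}      # interface (all in NHRP network-id 1) -> Node behind it
        self.vaccess = 0

    def route(self, code, prefix, iface, peer=None):
        self.rib[net(prefix)] = (code, iface)
        if peer is not None:
            self.peers[iface] = peer

    def lpm(self, dst):
        a = ipaddress.ip_address(dst)
        hits = [n for n in self.rib if a in n]
        return None if not hits else self.rib[max(hits, key=lambda n: n.prefixlen)]

    def ingress_from(self, node):
        return next(i for i, p in self.peers.items() if p is node)


def forward(src, dst):
    """Hop-by-hop forwarding; returns (nodes crossed, whether a redirect was sent)."""
    path, node, in_iface, redirected = [src.name], src, None, False
    while True:
        hit = node.lpm(dst)
        if hit is None or hit[1] not in node.peers:   # dropped or delivered on a LAN
            return path, redirected
        out_iface = hit[1]
        # NHRP redirect: ingress and egress interfaces share the NHRP network-id
        if node.redirect and in_iface in node.peers:
            redirected = True
        nxt = node.peers[out_iface]
        in_iface, node = nxt.ingress_from(node), nxt
        path.append(node.name)


def resolve(spoke, hub, dst):
    """NHRP resolution for dst, relayed by the hub to the spoke owning the prefix."""
    owner = hub.peers[hub.lpm(dst)[1]]
    a = ipaddress.ip_address(dst)
    owner_lan = next(n for n, (c, _) in owner.rib.items() if c == "C" and a in n)
    # reply: owner's tunnel address and whole LAN prefix, bound to its NBMA address
    spoke.vaccess += 1
    va = f"Virtual-Access{spoke.vaccess}"         # cloned from Virtual-Template1
    for p in (f"{owner.tunnel_ip}/32", str(owner_lan)):
        spoke.nhrp[net(p)] = owner.nbma
        spoke.route("H", p, va, owner)
    # the owner learns the requester from the request and clones its own V-Access
    owner.vaccess += 1
    owner.nhrp[net(f"{spoke.tunnel_ip}/32")] = spoke.nbma
    owner.route("H", f"{spoke.tunnel_ip}/32", f"Virtual-Access{owner.vaccess}", spoke)
    return va


def send(src, hub, dst):
    """Forward one packet; a redirect triggers resolution on a shortcut-enabled spoke."""
    path, redirected = forward(src, dst)
    if redirected and src.shortcut:
        resolve(src, hub, dst)
    return path


def build_topology():
    hub = Node("Hub1", "172.16.0.1", "10.0.0.254", redirect=True)
    s1 = Node("Spoke1", "172.16.1.1", "10.0.0.1", shortcut=True)
    s2 = Node("Spoke2", "172.16.2.1", "10.0.0.2", shortcut=True)
    hub.route("C", "10.0.0.254/32", "Loopback0")
    hub.route("S", "10.0.0.1/32", "Virtual-Access1", s1)
    hub.route("S", "192.168.1.0/24", "Virtual-Access1", s1)
    hub.route("S", "10.0.0.2/32", "Virtual-Access2", s2)
    hub.route("S", "192.168.2.0/24", "Virtual-Access2", s2)
    for s, lan in ((s1, "192.168.1.0/24"), (s2, "192.168.2.0/24")):
        s.route("C", lan, "Ethernet0/1")
        s.route("C", f"{s.tunnel_ip}/32", "Tunnel0")
        s.route("S", "10.0.0.254/32", "Tunnel0", hub)    # pushed by IKEv2
        s.route("S", "192.168.0.0/16", "Tunnel0", hub)   # route set remote on the hub
    return s1, hub, s2


if __name__ == "__main__":
    s1, hub, s2 = build_topology()
    print(send(s1, hub, "192.168.2.2"))   # ['Spoke1', 'Hub1', 'Spoke2']  (indirection + redirect)
    print(send(s1, hub, "192.168.2.2"))   # ['Spoke1', 'Spoke2']          (shortcut)
```

The first packet crosses the hub and triggers the redirect; the second one takes the spoke-to-spoke tunnel because the /24 learnt from the resolution reply is a longer match than the /16 pointing at the hub. Destinations that were never resolved keep going through the hub.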
FlexVPN Mesh (IKEv2 Routing)
Hub 1 Configuration

! Accept connections from spokes. Local or AAA spoke profiles supported;
! can even control QoS, ZBF, NHRP redirect, network-id, …
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Hub1.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
! Defines which prefixes should be protected; these prefixes can also be set by RADIUS
crypto ikev2 authorization policy default
 route set remote 10.0.0.0 255.0.0.0
 route set remote 192.168.0.0 255.255.0.0
!
! Static per-spoke features applied here. NHRP is the magic:
! all V-Access interfaces will be in the same network-id
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 ip access-group AllowMyBGP in
 tunnel protection ipsec profile default
!
! Hub 1 dedicated overlay address
interface Loopback0
 ip address 10.0.0.254 255.255.255.255
!
! Inter-hub link (not encrypted); same NHRP network-id on V-Access and inter-hub link
interface Tunnel100
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/1
 tunnel destination 192.168.100.2

FlexVPN Mesh (IKEv2 Routing)
Hub 2 Configuration

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 ! Dedicated identity (optional)
 identity local fqdn Hub2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
crypto ikev2 authorization policy default
 route set remote 10.0.0.0 255.0.0.0
 route set remote 192.168.0.0 255.255.0.0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 ip access-group AllowMyBGP in
 tunnel protection ipsec profile default
!
! Dedicated overlay address: 10.0.0.253 (Hub 1 uses 10.0.0.254)
interface Loopback0
 ip address 10.0.0.253 255.255.255.255
!
! Inter-hub link towards Hub 1
interface Tunnel100
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/1
 tunnel destination 192.168.100.1

FlexVPN Mesh (IKEv2 Routing)
Spoke Configuration (QoS everywhere!)

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Spoke2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 ! Needed for tunnel address exchange
 aaa authorization group cert list default default
 virtual-template 1
!
crypto ikev2 authorization policy default
 route set interface
 route set interface e0/0
!
interface Loopback0
 ip address 10.0.0.2 255.255.255.255
!
! Tunnel to Hub 1 (QoS can be applied here)
interface Tunnel0
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 172.16.0.1
 tunnel protection ipsec profile default
!
! Tunnel1 to Hub 2
interface Tunnel1
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 172.16.0.2
 tunnel protection ipsec profile default
!
! V-Template to clone for spoke-spoke tunnels
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel protection ipsec profile default

Shortcut Switching
With a routing protocol (BGP)

FlexVPN Mesh with BGP Routing

Topology (figure): as in the IKEv2 routing mesh. Hub 1 (physical 172.16.0.1, tunnel 10.0.0.254) and Hub 2 (physical 172.16.0.2, tunnel 10.0.0.253) on 192.168.100.0/24 (.1 and .2), linked by Tunnel 100; Spoke 1 (physical 172.16.1.1, tunnel 10.0.0.1, LAN 192.168.1.0/24) on Hub 1 via Tunnel0; Spoke 2 (physical 172.16.2.1, tunnel 10.0.0.2, LAN 192.168.2.0/24) on Hub 2 via Tunnel1. The spoke LAN prefixes are now learnt by BGP instead of being pushed by IKEv2.

Hub 1 routing table:
 C 10.0.0.254 -> Loopback0
 C 192.168.100.0/24 -> Eth0
 S 192.168.0.0/16 -> Tunnel100
 S 10.0.0.0/8 -> Tunnel100
 S 10.0.0.1 -> V-Access1
 B 192.168.1.0/24 -> 10.0.0.1
Hub 2 routing table:
 C 10.0.0.253 -> Loopback0
 C 192.168.100.0/24 -> Eth0
 S 192.168.0.0/16 -> Tunnel100
 S 10.0.0.0/8 -> Tunnel100
 S 10.0.0.2 -> V-Access1
 B 192.168.2.0/24 -> 10.0.0.2
Spoke 1 routing table:
 C 192.168.1.0/24 -> Eth0
 C 10.0.0.1 -> Tunnel0
 S 0.0.0.0/0 -> Dialer0
 S 10.0.0.254/32 -> Tunnel0
 B 192.168.0.0/16 -> 10.0.0.254
Spoke 2 routing table:
 C 192.168.2.0/24 -> Eth0
 C 10.0.0.2 -> Tunnel1
 S 0.0.0.0/0 -> Dialer0
 S 10.0.0.253/32 -> Tunnel1
 B 192.168.0.0/16 -> 10.0.0.253
NHRP tables (hubs and spokes): empty

FlexVPN Mesh (BGP) – Hub 1

! Accept connections from spokes. Local or AAA spoke profiles supported;
! can even control QoS, NHRP redirect, network-id, …
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Hub1.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
! Static per-peer config here… NHRP is the magic:
! all V-Access interfaces will be in the same network-id
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip access-group AllowMyBGP in
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel protection ipsec profile default
!
! Hub 1 dedicated overlay address
interface Loopback0
 ip address 10.0.0.254 255.255.255.255
!
! Inter-hub link (not encrypted); same NHRP network-id on V-Access and inter-hub link
interface Tunnel100
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/1
 tunnel destination 192.168.100.2
!
ip route 10.0.0.0 255.0.0.0 Tunnel100 tag 2
ip route 192.168.0.0 255.255.0.0 Tunnel100 tag 2
!
! Dynamically accept spoke BGP peering
router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/24 peer-group Flex
 !
 address-family ipv4
  neighbor Flex peer-group
  neighbor Flex remote-as 1
  neighbor Flex timers 5 15
  neighbor Flex next-hop-self all
  redistribute static route-map rm
 exit-address-family
!
! The route-map filters the static routes to redistribute in BGP
route-map rm permit 10
 match tag 2

FlexVPN Mesh (BGP) – Hub 2

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 ! Dedicated identity (optional)
 identity local fqdn Hub2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip access-group AllowMyBGP in
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel protection ipsec profile default
!
! Dedicated overlay address
interface Loopback0
 ip address 10.0.0.253 255.255.255.255
!
interface Tunnel100
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/1
 tunnel destination 192.168.100.1
!
ip route 10.0.0.0 255.0.0.0 Tunnel100 tag 2
ip route 192.168.0.0 255.255.0.0 Tunnel100 tag 2
!
router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/24 peer-group Flex
 !
 address-family ipv4
  redistribute static route-map rm
  neighbor Flex peer-group
  neighbor Flex remote-as 1
  neighbor Flex timers 5 15
  neighbor Flex next-hop-self all
 exit-address-family
!
route-map rm permit 10
 match tag 2

FlexVPN Mesh (BGP) – Spoke (QoS everywhere!)

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Spoke2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 ! Needed for tunnel address exchange
 aaa authorization group cert list default default
 virtual-template 1
!
interface Loopback0
 ip address 10.0.0.2 255.255.255.255
!
! Tunnel to Hub 1 (QoS can be applied here)
interface Tunnel0
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 172.16.0.1
 tunnel protection ipsec profile default
!
! Tunnel1 to Hub 2
interface Tunnel1
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 172.16.0.2
 tunnel protection ipsec profile default
!
! V-Template to clone for spoke-spoke tunnels
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel protection ipsec profile default
!
router bgp 1
 bgp log-neighbor-changes
 neighbor 10.0.0.253 remote-as 1
 neighbor 10.0.0.253 timers 5 15
 neighbor 10.0.0.254 remote-as 1
 neighbor 10.0.0.254 timers 5 15
 !
 address-family ipv4
  network 192.168.2.0
  neighbor 10.0.0.253 activate
  neighbor 10.0.0.254 activate
  maximum-paths ibgp 2

Routed Redundancy

FlexVPN Backup – Routing Based Multi-Hub Resiliency (1)
(figure: two hubs, .1 and .2 on 192.168.100.0/24, reachable at 172.16.0.1 and 172.16.0.2, with a spoke holding a tunnel to each)
• Tunnels to both hubs are constantly active
• Traffic can transit via either tunnel (active-standby) or both tunnels (load-balancing)

FlexVPN Backup – Routing Based Multi-Hub Resiliency (2)
(figure: same topology, Hub 1 crossed out)
• Hub 1 fails, its tunnels go down
• Traffic goes through the remaining tunnel

Demo – BGP failover
Inter-hub BGP – BFD keepalives

Hub 1 (physical 172.16.0.1, tunnel 10.0.0.254) and Hub 2 (physical 172.16.0.2, tunnel 10.0.0.253) peer over Tunnel 100 (192.168.0.0/30, .1 on Hub 1 and .2 on Hub 2):

Hub 1:
router bgp 1
 neighbor 192.168.0.2 remote-as 1
 neighbor 192.168.0.2 fall-over bfd
!
interface Tunnel100
 bfd interval 500 min_rx 50 multiplier 3

Hub 2:
router bgp 1
 neighbor 192.168.0.1 remote-as 1
 neighbor 192.168.0.1 fall-over bfd
!
interface Tunnel100
 bfd interval 500 min_rx 50 multiplier 3

Hub 1 routing table:
 C 10.0.0.254 -> Loopback0
 C 192.168.100.0/24 -> Eth0
 S 192.168.0.0/16 -> Null0 tag 2
 S 10.0.0.0/8 -> Null0 tag 2
 S 1.0.0.1/32 -> Null0 tag 2   (dummy prefix… the magic ingredient)
 B 1.0.0.2/32 -> Tunnel100
Hub 2 routing table:
 C 10.0.0.253 -> Loopback0
 C 192.168.100.0/24 -> Eth0
 S 192.168.0.0/16 -> Null0 tag 2
 S 10.0.0.0/8 -> Null0 tag 2
 S 1.0.0.2/32 -> Null0 tag 2
 B 1.0.0.1/32 -> Tunnel100
Spoke 1 (physical 172.16.1.1, tunnel 10.0.0.1, LAN 192.168.1.0/24) routing table:
 C 192.168.1.0/24 -> Eth0
 C 10.0.0.1 -> Tunnel0
 S 0.0.0.0/0 -> Dialer0
Spoke 2 (physical 172.16.2.1, tunnel 10.0.0.2, LAN 192.168.2.0/24) routing table:
 C 192.168.2.0/24 -> Eth0
 C 10.0.0.2 -> Tunnel1
 S 0.0.0.0/0 -> Dialer0
NHRP tables (hubs and spokes): empty

Spokes Connect – Next-Hop w/ High Distance

On both hubs, the tag 2 routes get redistributed in BGP and advertised to the spokes:
router bgp 1
 redistribute static route-map TAG2
!
route-map TAG2
 match tag 2

On the spokes, the routes installed by IKEv2 get a high administrative distance:
crypto ikev2 authorization policy default
 route accept any distance 210

Hub 1 routing table:
 C 10.0.0.254 -> Loopback0
 C 192.168.100.0/24 -> Eth0
 S 192.168.0.0/16 -> Null0 tag 2
 S 10.0.0.0/8 -> Null0 tag 2
 S 1.0.0.1/32 -> Null0 tag 2
 B 1.0.0.2/32 -> Tunnel100
 S 10.0.0.1 -> V-Access1
 S 10.0.0.2 -> V-Access2
 B 192.168.1.0/24 -> 10.0.0.1
 B 192.168.2.0/24 -> 10.0.0.2
Hub 2 routing table:
 C 10.0.0.253 -> Loopback0
 C 192.168.100.0/24 -> Eth0
 S 192.168.0.0/16 -> Null0 tag 2
 S 10.0.0.0/8 -> Null0 tag 2
 S 1.0.0.2/32 -> Null0 tag 2
 B 1.0.0.1/32 -> Tunnel100
 S 10.0.0.1 -> V-Access1
 S 10.0.0.2 -> V-Access2
 B 192.168.1.0/24 -> 10.0.0.1
 B 192.168.2.0/24 -> 10.0.0.2
Spoke 1 routing table:
 C 192.168.1.0/24 -> Eth0
 C 10.0.0.1 -> Tunnel0
 S 0.0.0.0/0 -> Dialer0
 S 10.0.0.254/32 -> Tunnel0 dist. 210
 S 10.0.0.253/32 -> Tunnel1 dist. 210
 B 192.168.0.0/16 -> 10.0.0.254 dist. 200
Spoke 2 routing table:
 C 192.168.2.0/24 -> Eth0
 C 10.0.0.2 -> Tunnel1
 S 0.0.0.0/0 -> Dialer0
 S 10.0.0.254/32 -> Tunnel0 dist. 210
 S 10.0.0.253/32 -> Tunnel1 dist. 210
 B 192.168.0.0/16 -> 10.0.0.254 dist. 200
NHRP tables (hubs and spokes): empty

Traffic Flows – recursive routing applies

Tables as on the previous slide, except that on both hubs 10.0.0.0/8 now points to Tunnel100 (S 10.0.0.0/8 -> Tunnel100). On the spokes, 192.168.0.0/16 has next hop 10.0.0.254 (dist. 200); that next hop is resolved recursively through S 10.0.0.254/32 -> Tunnel0 (dist. 210), so traffic to any other spoke's LAN is sent to Hub 1.

Say Hub 1 Crashed…

After 0.5 seconds Hub 2 logs: %BGP-5-ADJCHANGE: neighbor 192.168.0.1 Down

Hub 2 routing table:
 C 10.0.0.253 -> Loopback0
 C 192.168.100.0/24 -> Eth0
 S 192.168.0.0/16 -> Tunnel100 tag 2
 S 10.0.0.0/8 -> Null0 tag 2
 S 1.0.0.2/32 -> Null0 tag 2
 B 1.0.0.1/32 -> Tunnel100   (learnt from Hub 1's BGP session, so it disappears with it)
 S 10.0.0.1 -> V-Access1
 S 10.0.0.2 -> V-Access2
 B 192.168.1.0/24 -> 10.0.0.1
 B 192.168.2.0/24 -> 10.0.0.2

The spoke routing tables are unchanged:
 S 10.0.0.254/32 -> Tunnel0 dist. 210
 S 10.0.0.253/32 -> Tunnel1 dist. 210
 B 192.168.0.0/16 -> 10.0.0.254 dist. 200
192.168.0.0/16 still resolves via 10.0.0.254 over Tunnel0, towards the failed Hub 1. NHRP tables: empty.

We have achieved High-Availability

Hub 2 tracks Hub 1's dummy prefix and, when it disappears, installs a static route for Hub 1's overlay address:

track timer msec 500
track 1 ip route 1.0.0.1 255.255.255.255 reachability
track 2 list boolean and
 object 1 not
!
ip route 10.0.0.254 255.255.255.255 Null0 tag 2 track 2

Hub 2 routing table (takes ~1 s):
 C 10.0.0.253 -> Loopback0
 C 192.168.100.0/24 -> Eth0
 S 192.168.0.0/16 -> Tunnel100 tag 2
 S 10.0.0.0/8 -> Null0 tag 2
 S 1.0.0.2/32 -> Null0 tag 2
 S 10.0.0.1 -> V-Access1
 S 10.0.0.2 -> V-Access2
 B 192.168.1.0/24 -> 10.0.0.1
 B 192.168.2.0/24 -> 10.0.0.2
 S 10.0.0.254/32 -> Null0 tag 2 track 2

Spoke routing tables (almost immediate; depends on the number of spokes):
Spoke 1:
 C 192.168.1.0/24 -> Eth0
 C 10.0.0.1 -> Tunnel0
 S 0.0.0.0/0 -> Dialer0
 S 10.0.0.253/32 -> Tunnel1 dist. 210
 B 192.168.0.0/16 -> 10.0.0.254 dist. 200
 B 10.0.0.254/32 -> 10.0.0.253 dist. 200
Spoke 2:
 C 192.168.2.0/24 -> Eth0
 C 10.0.0.2 -> Tunnel1
 S 0.0.0.0/0 -> Dialer0
 S 10.0.0.253/32 -> Tunnel1 dist. 210
 B 192.168.0.0/16 -> 10.0.0.254 dist. 200
 B 10.0.0.254/32 -> 10.0.0.253 dist. 200
On both spokes, S 10.0.0.254/32 -> Tunnel0 dist. 210 is removed because an exact match with lower admin distance exists. NHRP tables: empty.

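The failover mechanics of the "Spokes Connect", "Traffic Flows – recursive routing applies" and "We have achieved High-Availability" slides, as an added Python model (not code from the presentation or from Cisco). It implements the two routing rules the design depends on, lowest administrative distance per exact prefix and recursive next-hop resolution, and models Hub 2's tracked static as a function of whether Hub 1's dummy prefix 1.0.0.1/32 is still reachable. The names `Rib`, `spoke_rib`, `hub2_tracked_static` and `hub1_crashes` are the model's own; the addresses and distances are the page's.

```python
"""Model of the routed multi-hub failover from the "We have achieved
High-Availability" slides. Added example, not Cisco code.

The design relies on two routing rules, both implemented here: for one
prefix only the route with the lowest administrative distance is installed
(IKEv2-pushed routes at 210 lose to iBGP at 200), and a BGP next hop is
resolved recursively until an exit interface is found. Hub 2's object
tracking is modelled as a function of whether Hub 1's dummy prefix 1.0.0.1/32
is still reachable. Addresses are the page's.
"""
import ipaddress
from dataclasses import dataclass


def net(prefix):
    return ipaddress.ip_network(prefix, strict=False)


def is_ip(via):
    try:
        ipaddress.ip_address(via)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class Route:
    prefix: str
    code: str        # C, S or B
    distance: int    # administrative distance
    via: str         # exit interface, or IP next hop (BGP)


class Rib:
    def __init__(self):
        self.routes = {}                      # network -> best Route

    def add(self, route):
        """Install route unless an exact-match route with lower (or equal) AD exists."""
        n = net(route.prefix)
        cur = self.routes.get(n)
        if cur is not None and cur.distance <= route.distance:
            return False
        self.routes[n] = route
        return True

    def lpm(self, address):
        a = ipaddress.ip_address(address)
        hits = [n for n in self.routes if a in n]
        return self.routes[max(hits, key=lambda n: n.prefixlen)] if hits else None

    def resolve(self, address, max_depth=8):
        """Recursive routing: follow IP next hops until an interface; returns (interface, path)."""
        path, r = [], self.lpm(address)
        while r is not None and len(path) < max_depth:
            path.append(r)
            if not is_ip(r.via):
                return r.via, path
            r = self.lpm(r.via)
        return None, path


def spoke_rib():
    """Spoke 1 after connecting to both hubs (slide "Spokes Connect")."""
    rib = Rib()
    for r in (Route("192.168.1.0/24", "C", 0, "Ethernet0/1"),
              Route("10.0.0.1/32", "C", 0, "Tunnel0"),
              Route("0.0.0.0/0", "S", 1, "Dialer0"),
              # pushed by IKEv2 from each hub: `route accept any distance 210`
              Route("10.0.0.254/32", "S", 210, "Tunnel0"),
              Route("10.0.0.253/32", "S", 210, "Tunnel1"),
              # learnt over iBGP (distance 200), next-hop-self on Hub 1
              Route("192.168.0.0/16", "B", 200, "10.0.0.254")):
        rib.add(r)
    return rib


def hub2_tracked_static(hub1_dummy_reachable):
    """track 1 = reachability of 1.0.0.1/32 (learnt from Hub 1 over the BFD-protected
    inter-hub session); track 2 = boolean and, object 1 not. The static
    `ip route 10.0.0.254 255.255.255.255 Null0 tag 2 track 2` exists only while
    track 2 is up, i.e. while Hub 1 is unreachable."""
    track2 = not hub1_dummy_reachable
    return Route("10.0.0.254/32", "S", 1, "Null0") if track2 else None


def hub1_crashes(spoke):
    """Hub 2 installs the tracked static, redistributes it (tag 2) into BGP with
    next-hop-self, and every spoke receives a /32 for Hub 1's overlay address."""
    if hub2_tracked_static(hub1_dummy_reachable=False) is None:
        return False
    return spoke.add(Route("10.0.0.254/32", "B", 200, "10.0.0.253"))


if __name__ == "__main__":
    rib = spoke_rib()
    print("before:", rib.resolve("192.168.2.5")[0])   # Tunnel0 (Hub 1)
    hub1_crashes(rib)
    print("after: ", rib.resolve("192.168.2.5")[0])   # Tunnel1 (Hub 2)
```

Before the failure, 192.168.2.5 resolves through 192.168.0.0/16 (next hop 10.0.0.254) to the IKEv2 route for 10.0.0.254/32 and out of Tunnel0. Once Hub 2 advertises 10.0.0.254/32 with itself as next hop, the iBGP route (distance 200) evicts the IKEv2 route (210) for that exact prefix and the same lookup ends in Tunnel1, without any change to the BGP route for 192.168.0.0/16. The model also shows the dependency a defender should keep an eye on: the whole failover hinges on Hub 2 being able to assert Hub 1's overlay address, so the inter-hub session and the dummy prefix need the same protection as the hubs themselves.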
AAA, VRF lite, QoS and other features…
Provisioning Per-Peer Features – Central and Distributed Models

(figure: a hub on 192.168.100.0/24 (.1, .254) with public address 172.16.0.1 serving spokes with different needs: some spokes with high bandwidth, some with low bandwidth, some belonging to VRF Red, some belonging to VRF Blue)

Option #1: Features on Virtual-Template
Option #2: Group profiles on IOS
Option #3: Central Service Policy enforcement on RADIUS

VRF Injection

(figure: three sites each using 192.168.100.0/24 behind a hub with addresses 172.16.1.254 and 172.16.1.253)
• Hub injects traffic in the chosen VRF
• Hub private interface(s) in Inside VRF (light) or MPLS IP (hub PE)
• Virtual-Access in iVRF
• WAN in Global Routing Table or Front VRF
• Optional VRF on spokes (not in this example)

Inside-VRF and Front-VRF (two figures)

Interface creation:
 Layer 5+: IKE, AAA, BGP
 Layer 4: remote protected prefix added to the iVRF table
 Layer 3: Global Routing Table, VRF Red, VRF Blue, VRF Green; the Front Door VRF (aka fVRF) and the Inside VRF (aka iVRF) are two of these tables
 Layer 2: Virtual-Access interface (tunnel) created by IKEv2, with the VRF membership applied by IKEv2:
  vrf forwarding Red   (inside VRF)
  tunnel vrf Blue      (front door VRF)

Packet forwarding:
 Layer 5+: IKE, AAA, BGP
 Layer 4: Post-encapsulation Tunnel Protection (encrypt)
 Layer 3: Global Routing Table, VRF Red, VRF Blue, VRF Green
 Layer 2: Input features -> Output features -> Tunnel Encapsulation -> Output features

QoS in a Nutshell – Hierarchical Shaper
Each Hub V-Access Needs Its Own Policy

(figure: a parent shaper limits the total bandwidth; underneath it priority queuing, bandwidth reservation and fair queuing share that bandwidth)

Step 1 – Define Policy Map(s)

class-map Control
 match ip precedence 6
class-map Voice
 match ip precedence 5
!
policy-map SubPolicy
 ! 20 Kbps guaranteed to Control
 class Control
  bandwidth 20
 ! 60% of bandwidth for Voice
 class Voice
  priority percent 60
!
! 1 Mbps to each tunnel
policy-map Silver
 class class-default
  shape average 1000000
  service-policy SubPolicy
!
! 5 Mbps to each tunnel
policy-map Gold
 class class-default
  shape average 5000000
  service-policy SubPolicy

iVRF + fVRF + QoS + …

Layer 5+: IKE, AAA, BGP
Layer 4: routes applied here…
Layer 3: Global Routing Table, VRF Red, VRF Blue, VRF Green
Layer 2: Virtual-Access; applied by IKEv2:
 vrf forwarding Red
 tunnel vrf Blue
 service-policy output Gold

Any feature can be applied here: MTU, NAT, NHRP network-id, NHRP redirect, FW Zone, QoS, VRF, ACL…
VRF Injection – Hub Configuration
Option 1: Mapping with in-IOS configuration (without AAA); heavy configuration

One dedicated IKEv2 profile per VRF; the FQDN domain of the peer identity is the differentiator:

crypto ikev2 profile BLUE
 match identity remote fqdn domain blue
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1

crypto ikev2 profile RED
 match identity remote fqdn domain red
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 2

crypto ikev2 profile GREEN
 match identity remote fqdn domain green
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 3

One Virtual-Template per VRF, each unnumbered to a loopback that lives in that VRF:

interface Virtual-Template1 type tunnel
 vrf forwarding BLUE
 ip unnumbered Loopback1
 service-policy output Gold
 tunnel protection ipsec profile default

interface Virtual-Template2 type tunnel
 vrf forwarding RED
 ip unnumbered Loopback2
 service-policy output Gold
 tunnel protection ipsec profile default

interface Virtual-Template3 type tunnel
 vrf forwarding GREEN
 ip unnumbered Loopback3
 service-policy output Silver
 tunnel protection ipsec profile default

Add NHRP, ACLs, … to each template as needed.
VRF Injection – Hub Configuration
Option 2: Mapping with AAA group based configuration (group profiles on IOS)

aaa new-model
aaa authorization network default local

! Common IKEv2 profile; the authorization policy name is extracted
! from the FQDN domain name of the peer identity
crypto ikev2 profile default
 match identity remote any
 identity local fqdn Hub1.cisco.com
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 dpd 10 2 on-demand
 aaa authorization group cert list default name-mangler dom
 virtual-template 1

! Vanilla Virtual-Template
interface Virtual-Template1 type tunnel
 tunnel protection ipsec profile default

crypto ikev2 name-mangler dom
 fqdn domain

Group profiles on IOS:

aaa attribute list blue
 attribute type interface-config "vrf forwarding BLUE"
 attribute type interface-config "ip unnumbered Loopback1"
 attribute type interface-config "service-policy output Gold"

crypto ikev2 authorization policy blue
 aaa attribute list blue
 route set interface

aaa attribute list red
 attribute type interface-config "vrf forwarding RED"
 attribute type interface-config "ip unnumbered Loopback2"
 attribute type interface-config "service-policy output Silver"

crypto ikev2 authorization policy red
 aaa attribute list red
 route set interface

aaa attribute list green
 attribute type interface-config "vrf forwarding GREEN"
 attribute type interface-config "ip unnumbered Loopback3"
 attribute type interface-config "service-policy output Gold"

crypto ikev2 authorization policy green
 aaa attribute list green
 route set interface
VRF Injection – Hub Configuration
Option 3: RADIUS based profiles (group profiles on RADIUS; could also be per-peer profiles, or group + peer by derivation)

Hub side, profiles stored on the RADIUS server:

aaa new-model
aaa authorization network default group RADIUS

aaa group server radius RADIUS
 server-private 192.168.100.2 auth-port 1812 acct-port 1813 key cisco123

! Common IKEv2 profile; the profile name is extracted from the FQDN domain name
crypto ikev2 profile default
 match identity remote any
 identity local fqdn Hub1.cisco.com
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 aaa authorization group cert list default name-mangler dom
 virtual-template 1

! Vanilla Virtual-Template
interface Virtual-Template1 type tunnel
 tunnel protection ipsec profile default

crypto ikev2 name-mangler dom
 fqdn domain

RADIUS group profiles:

Profile "blue" / password "cisco"
 ipsec:route-accept=any
 ipsec:route-set=interface
 ip:interface-config=vrf forwarding BLUE
 ip:interface-config=ip unnumbered Loopback1
 ip:interface-config=service-policy output Gold

Profile "red" / password "cisco"
 ipsec:route-accept=any
 ipsec:route-set=interface
 ip:interface-config=vrf forwarding RED
 ip:interface-config=ip unnumbered Loopback2
 ip:interface-config=service-policy output Silver

Profile "green" / password "cisco"
 ipsec:route-accept=any
 ipsec:route-set=interface
 ip:interface-config=vrf forwarding GREEN
 ip:interface-config=ip unnumbered Loopback3
 ip:interface-config=service-policy output Gold
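How the hub turns a peer identity into a group policy in options 2 and 3, as an added example (not code from the slides and not IOS code): a small Python model of the name-mangler step (fqdn, email and dn forms) followed by the lookup of the mangled name in the group profiles. The profile table, the DN keyword mapping and the function names are assumptions of this example.

```python
"""Model of the hub-side authorization step: mangle the IKEv2 peer identity
into a policy name, then resolve that name to the interface attributes
applied on the Virtual-Access. Added example, not IOS code."""
import re

# Constructed group profiles, mirroring the "aaa attribute list" /
# RADIUS "ip:interface-config" entries of the hub configuration.
GROUP_PROFILES = {
    "blue":  ["vrf forwarding BLUE",  "ip unnumbered Loopback1", "service-policy output Gold"],
    "red":   ["vrf forwarding RED",   "ip unnumbered Loopback2", "service-policy output Silver"],
    "green": ["vrf forwarding GREEN", "ip unnumbered Loopback3", "service-policy output Gold"],
}

# Hypothetical mapping of name-mangler DN keywords to DN attribute types.
DN_ATTRS = {"common-name": "CN", "organization": "O", "organization-unit": "OU", "country": "C"}


def mangle(identity, id_type, part):
    """Mimic 'crypto ikev2 name-mangler': return the part of the peer
    identity that becomes the authorization policy name."""
    if id_type == "fqdn":                       # fqdn {all|hostname|domain}
        host, _, domain = identity.partition(".")
        return {"all": identity, "hostname": host, "domain": domain}[part]
    if id_type == "email":                      # email {all|username|domain}
        user, _, domain = identity.partition("@")
        return {"all": identity, "username": user, "domain": domain}[part]
    if id_type == "dn":                         # dn <attribute>
        attrs = dict(kv.split("=", 1) for kv in re.split(r"\s*,\s*", identity))
        return attrs[DN_ATTRS[part]]
    raise ValueError(f"unsupported identity type: {id_type}")


def authorize(identity, id_type="fqdn", part="domain", profiles=GROUP_PROFILES):
    """Resolve the mangled name to its profile. An identity whose domain has
    no profile yields None: treat that as an authorization failure rather
    than falling back to a default with no VRF or QoS applied."""
    name = mangle(identity, id_type, part)
    lines = profiles.get(name)
    if lines is None:
        return None
    return {"policy": name, "interface-config": list(lines)}


if __name__ == "__main__":
    for peer in ("spoke1.red", "spoke2.blue", "spoke9.orange"):
        print(peer, "->", authorize(peer))
```

Policy names are matched exactly: a peer whose domain does not correspond to a configured policy gets nothing, which is what you want in a multi-VRF hub.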
VRF Injection – Hub Configuration
For both options: BGP and VRF configurations

VRF definitions, with one loopback in each VRF:

vrf definition BLUE
 rd 1:1
 address-family ipv4
 address-family ipv6
interface Loopback1
 vrf forwarding BLUE
 ip address 10.0.0.254 255.255.255.255

vrf definition RED
 rd 2:2
 address-family ipv4
 address-family ipv6
interface Loopback2
 vrf forwarding RED
 ip address 10.0.0.254 255.255.255.255

vrf definition GREEN
 rd 3:3
 address-family ipv4
 address-family ipv6
interface Loopback3
 vrf forwarding GREEN
 ip address 10.0.0.254 255.255.255.255

Static summaries attract traffic and drop non-reachable prefixes:

ip route vrf BLUE 10.0.0.0 255.0.0.0 Null0
ip route vrf BLUE 192.168.0.0 255.255.0.0 Null0
ip route vrf RED 10.0.0.0 255.0.0.0 Null0
ip route vrf RED 192.168.0.0 255.255.0.0 Null0
ip route vrf GREEN 10.0.0.0 255.0.0.0 Null0
ip route vrf GREEN 192.168.0.0 255.255.0.0 Null0

BGP dynamic peering; the listen ranges cannot currently overlap (follow CSCtw69765). Each VRF has its own control section: the peer group is activated in its corresponding VRF and the statics above are redistributed into BGP:

router bgp 1
 bgp listen range 10.1.0.0/16 peer-group BluePeer
 bgp listen range 10.2.0.0/16 peer-group RedPeer
 bgp listen range 10.3.0.0/16 peer-group GreenPeer
 !
 address-family ipv4 vrf BLUE
  redistribute static
  neighbor BluePeer peer-group
  neighbor BluePeer remote-as 1
 exit-address-family
 !
 address-family ipv4 vrf RED
  redistribute static
  neighbor RedPeer peer-group
  neighbor RedPeer remote-as 1
 exit-address-family
 !
 address-family ipv4 vrf GREEN
  redistribute static
  neighbor GreenPeer peer-group
  neighbor GreenPeer remote-as 1
 exit-address-family
VRF Injection – Spoke Configuration
Vanilla IKE and BGP configurations

aaa new-model
aaa authorization network default local

! Plain simple IKEv2 profile; the IKEv2 identity (FQDN domain) defines the group
crypto ikev2 profile default
 match identity remote fqdn Hub1.cisco.com
 match identity remote fqdn Hub2.cisco.com
 identity local fqdn spoke1.RED
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default   ! just necessary for config exchange
!
interface Loopback0
 ip address 10.1.0.2 255.255.255.255
!
! Tunnel to Hub1
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source Ethernet0/0
 tunnel destination 172.16.1.1
 tunnel protection ipsec profile default
!
! Tunnel to Hub2
interface Tunnel1
 ip unnumbered Loopback0
 tunnel source Ethernet0/0
 tunnel destination 172.16.4.1
 tunnel protection ipsec profile default

Basic iBGP configuration; two hubs with equal cost load balancing:

router bgp 1
 bgp log-neighbor-changes
 network 192.168.0.0 mask 255.255.0.0
 neighbor Hub peer-group
 neighbor Hub remote-as 1
 neighbor Hub next-hop-self
 neighbor 10.0.0.253 peer-group Hub
 neighbor 10.0.0.254 peer-group Hub
 maximum-paths ibgp 2
Multi-tenant Hybrid Access
Use Case: Mixed Client & Branch Access

Requirements:
• Single responder for software clients & remote branches (spokes)
• Multiple VRFs behind hub
• Spoke-to-spoke tunnels enabled on a per-branch basis
• VRF enforced per user/branch
• Branches use IKE certificates, clients use EAP (password or TLS certificates)

Proposed solution:
• Single IKEv2 profile & V-Template
• Differentiated AAA authorization depending on authentication method

(Figure: FlexVPN hub with a RADIUS/EAP server in the management VRF; IPsec tunnels over the Internet from clients Bob (VRF blue), Joe (VRF blue) and Tom (VRF green), and from Branch A and Branch B (VRF red), with a shortcut tunnel between the two branches)
FlexVPN Server Configuration

! RADIUS-based EAP authentication and AAA authorization
aaa new-model
aaa authentication login my-rad group my-rad
aaa authorization network my-rad group my-rad
!
crypto ikev2 profile default
 ! match on FQDN domain for branches
 match identity remote fqdn domain example.com
 ! match statements for clients (depending on allowed client types)
 match identity remote {key-id | email | address} ...
 identity local dn
 ! allow peers to authenticate using either EAP or certificates
 authentication remote rsa-sig
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint my-ca
 ! user authorization using attributes returned during EAP authentication
 aaa authentication eap my-rad
 aaa authorization user eap cached
 ! branch authorization using RADIUS
 aaa authorization user cert list my-rad
 ! automatic detection of tunnel mode (1): pure IPsec tunnel mode for
 ! clients, GRE/IPsec for branches/spokes
 virtual-template 1 mode auto
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel protection ipsec profile default
 ! no need to specify tunnel mode

(1) Starting with IOS-XE 3.12S
RADIUS Server Configuration

User entry. Clients can perform password-based or TLS-based EAP authentication (TLS: RADIUS account = CN or UPN); the user attributes are returned by RADIUS with a successful EAP authentication:

joe
 cleartext-password=c1sc0!
 ipsec:addr-pool=blue
 ip:interface-config=vrf forwarding blue
 ip:interface-config=ip unnumbered Loopback1
 ip:interface-config=service-policy output blue-pol
 ip:interface-config=...

Branch entry. Branch attributes are returned by RADIUS during the AAA authorization step. Adding or removing the NHRP lines enables or disables spoke-to-spoke tunnels per branch. Prefixes are exchanged via IKEv2 routing, the branch prefix(es) being controlled by the branch:

branch1.example.com
 ip:interface-config=vrf forwarding red
 ip:interface-config=ip unnumbered Loopback3
 ip:interface-config=ip nhrp network-id 3
 ip:interface-config=ip nhrp redirect
 ipsec:route-set=prefix 192.168.0.0 255.255.0.0
 ipsec:route-accept=any

Branch entry with the branch prefix controlled by the AAA server (installed as a local static route):

branch2.example.com
 ip:interface-config=vrf forwarding green
 ip:interface-config=ip unnumbered Loopback2
 ipsec:route-set=prefix 192.168.0.0 255.255.0.0
 ipsec:route-set=local 192.168.1.0 255.255.255.0
Accounting & Change of Authorization
AAA Accounting: we know a lot about Spoke 1

Spoke 1: 21:52 02-Jan-2015 to 22:50 03-Jan-2015   200.7 MB in   442.7 MB out
Spoke 1: 21:53 01-Jan-2015 to 21:50 02-Jan-2015   231.1 MB in   401.2 MB out
Spoke 1: 21:52 31-Dec-2014 to 21:50 01-Jan-2015   216.4 MB in   398.8 MB out
Spoke 1: 10:34 12-Oct-2014 to 21:50 31-Dec-2014   90.12 GB in   180.6 GB out
Spoke 1: 10:34 11-Jun-2014 to 21:50 12-Oct-2014   0.75 TB in    1.21 TB out
…

Spoke 1: Connected 22:51 03-Jan-2015   123.6 MB in   207.2 MB out
Spoke 2: Connected 11:12 12-Oct-2014   403.1 GB in   880.1 GB out
Spoke 3: Connected 22:34 12-Oct-2014   450.5 GB in   832.0 GB out
Spoke 4: Connected 16:51 11-Oct-2014   539.7 GB in   989.4 GB out
Spoke 5: Connected 10:34 10-Oct-2014   245.3 GB in   103.8 GB out
Spoke 6: Connected 10:34 13-Nov-2014   245.3 GB in   872.6 GB out

Spoke 1 stands out: since 31 Dec, Spoke 1 has been disconnecting and reconnecting every 24 hours…

(Figure: hub at 172.16.0.1 with LAN 192.168.100.0/24 (.1 / .254) and the spokes)
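The pattern above (one spoke restarting its session every 24 hours) can be picked up mechanically from accounting records. The following is an added example, not from the slides: it parses a constructed log of RADIUS Accounting Start/Stop records, sums traffic per IKEv2 identity, lists sessions that are still up, and flags spokes whose sessions keep ending after roughly the same duration. The log format, identities and byte counts are constructed for this example.

```python
"""Spot spokes that flap on a fixed schedule in RADIUS accounting data.
Added example; the records below are constructed, not real data."""
from collections import defaultdict
from datetime import datetime

# One record per line: timestamp followed by attribute=value pairs.
# spoke1 shows the pattern from the slide (a session ending every ~24 h),
# spoke2 is a long-lived session that is still up, spoke3 had two short outages.
SAMPLE_ACCOUNTING_LOG = """\
2014-06-11T10:34:00 Acct-Status-Type=Start User-Name=spoke1.mycompany.com Acct-Session-Id=0001
2014-10-12T21:50:00 Acct-Status-Type=Stop User-Name=spoke1.mycompany.com Acct-Session-Id=0001 Acct-Session-Time=10667760 Acct-Input-Octets=750000000000 Acct-Output-Octets=1210000000000
2015-01-01T21:50:00 Acct-Status-Type=Stop User-Name=spoke1.mycompany.com Acct-Session-Id=0003 Acct-Session-Time=86280 Acct-Input-Octets=216400000 Acct-Output-Octets=398800000
2015-01-02T21:50:00 Acct-Status-Type=Stop User-Name=spoke1.mycompany.com Acct-Session-Id=0004 Acct-Session-Time=86220 Acct-Input-Octets=231100000 Acct-Output-Octets=401200000
2015-01-03T22:50:00 Acct-Status-Type=Stop User-Name=spoke1.mycompany.com Acct-Session-Id=0005 Acct-Session-Time=89880 Acct-Input-Octets=200700000 Acct-Output-Octets=442700000
2014-10-12T11:12:00 Acct-Status-Type=Start User-Name=spoke2.mycompany.com Acct-Session-Id=0006
2015-01-03T12:00:00 Acct-Status-Type=Stop User-Name=spoke3.mycompany.com Acct-Session-Id=0007 Acct-Session-Time=95 Acct-Input-Octets=1200 Acct-Output-Octets=3400
2015-01-03T12:10:00 Acct-Status-Type=Stop User-Name=spoke3.mycompany.com Acct-Session-Id=0008 Acct-Session-Time=540 Acct-Input-Octets=52000 Acct-Output-Octets=87000
"""


def parse_accounting_log(text):
    """Turn each line into a dict; Stop records also carry duration and octets."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        attrs = dict(p.split("=", 1) for p in pairs)
        rec = {"time": datetime.fromisoformat(stamp), "status": attrs["Acct-Status-Type"],
               "user": attrs["User-Name"], "session": attrs["Acct-Session-Id"]}
        if rec["status"] == "Stop":
            rec["seconds"] = int(attrs["Acct-Session-Time"])
            rec["octets_in"] = int(attrs["Acct-Input-Octets"])
            rec["octets_out"] = int(attrs["Acct-Output-Octets"])
        records.append(rec)
    return records


def still_connected(records):
    """Identities with a Start but no matching Stop: the spokes currently up."""
    stopped = {r["session"] for r in records if r["status"] == "Stop"}
    return {r["user"] for r in records if r["status"] == "Start" and r["session"] not in stopped}


def totals_per_spoke(records):
    """Closed sessions and traffic per identity: IKEv2 identity maps straight to statistics."""
    totals = defaultdict(lambda: {"sessions": 0, "octets_in": 0, "octets_out": 0})
    for r in records:
        if r["status"] != "Stop":
            continue
        t = totals[r["user"]]
        t["sessions"] += 1
        t["octets_in"] += r["octets_in"]
        t["octets_out"] += r["octets_out"]
    return dict(totals)


def periodic_reconnects(records, period=86400, tolerance=0.05, min_sessions=3):
    """Return {identity: [durations]} for spokes with at least `min_sessions`
    sessions lasting `period` seconds give or take `tolerance`: a
    schedule-driven flap (timer, lease, provider reset) rather than random
    outages, which is what the Spoke 1 history above looks like."""
    by_user = defaultdict(list)
    for r in records:
        if r["status"] == "Stop":
            by_user[r["user"]].append(r["seconds"])
    hits = {}
    for user, durations in by_user.items():
        close = [d for d in durations if abs(d - period) <= period * tolerance]
        if len(close) >= min_sessions:
            hits[user] = close
    return hits


if __name__ == "__main__":
    recs = parse_accounting_log(SAMPLE_ACCOUNTING_LOG)
    print("still connected:", sorted(still_connected(recs)))
    for user, t in totals_per_spoke(recs).items():
        print(f"{user}: {t['sessions']} sessions, {t['octets_in']} in, {t['octets_out']} out")
    print("periodic reconnects:", periodic_reconnects(recs))
```

Running this with real records only requires replacing the constructed log with the Stop/Start lines your RADIUS server writes, in the same attribute=value form.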
Activating AAA Accounting
And why it is a good idea too…

aaa group server radius MyRADIUS
 server-private 192.168.104.101 key cisco
aaa accounting network ACCT start-stop group MyRADIUS

crypto ikev2 profile default
 match identity remote fqdn domain mycompany.com
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint TP
 aaa authorization group cert list default default
 aaa accounting cert ACCT      ! tell IKEv2 to report session status
 virtual-template 1

A good idea?
• Because it is simple!
• Captures even short-lived sessions: event driven vs. polling (e.g. SNMP)
• Reliable protocol (acknowledged): more reliable than SNMP traps
• Maps the identity to the statistics: no more crossing tables (IPID)
• You may need it anyway: authorization, IP pool…
Demo – AAA CoA
A simplistic configuration: RADIUS based Authentication, Authorization and Accounting

aaa group server radius ISE
 server-private 192.168.104.101 key CISCO
!
aaa authentication login ISE group ISE
aaa authorization network ISE group ISE
aaa accounting network ISE start-stop group ISE
!
aaa server radius dynamic-author
 client 192.168.104.101 server-key CISCO
 auth-type all
!
crypto ikev2 profile default
 match identity remote any
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint TRUSTPOINT
 aaa authentication eap ISE          ! EAP authentication
 aaa authorization user eap cached   ! authorization
 aaa accounting eap ISE              ! accounting (optional but recommended)
 virtual-template 1
How CoA works
Session is set up; the Virtual-Access is populated

 Hub → RADIUS: ACCESS (Request, Audit Session ID, username, password)    [Audit Session ID: unique ID generated by IOS]
 possibly more exchanges (if EAP)
 RADIUS → Hub: ACCESS (Accept, Profile)

Resulting Virtual-Access configuration for the spoke (LAN 192.168.100.0/24, .1 / .254):
 ip access-group 100 in
 service-policy output Gold
Accounting
Session is set up; accounting starts

 Hub → RADIUS: ACCT (Audit Session ID, START, params…)    [Audit Session ID: unique ID generated by IOS]
 RADIUS → Hub: ACCT (Audit Session ID, ACK)

Virtual-Access configuration unchanged:
 ip access-group 100 in
 service-policy output Gold
CoA – Packet of Disconnect
Remote clearing of a session. Accounting tells the administrator whether it is worth sending (session status).

 RADIUS → Hub: CoA (Discon
nect-Request, Audit Session ID)
 Hub → RADIUS: CoA (Disconnect-Request ACK, Audit Session ID)

Session is terminated.
CoA – Change of Authorization
The Real Thing ™

 RADIUS → Hub: CoA (CoA-Request, Audit Session ID, new profile)
 Hub → RADIUS: CoA (CoA-Request ACK, Audit Session ID)

Session is updated; the Virtual-Access now carries:
 ip access-group 100 in
 service-policy output Silver      ! replaces service-policy output Gold
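The Disconnect-Request and CoA-Request exchanges above as an added example (not from the slides and not IOS code): a Python model of the RFC 5176 packets carrying the audit-session-id as a Cisco-AVPair, the request and response authenticators on both sides, and a simulated NAS that ACKs known sessions and NAKs unknown ones. The session id, the shared secret and the NAS-side helper are constructed for this example.

```python
"""RFC 5176 Disconnect-Request / CoA-Request packets keyed on the
audit-session-id, with the authenticator checks on both sides.
Added example; the NAS side is simulated, not IOS."""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_VSA, VENDOR_CISCO, CISCO_AVPAIR = 26, 9, 1


def attribute(code, value):
    return struct.pack("!BB", code, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific attribute wrapping one Cisco-AVPair string."""
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attribute(ATTR_VSA, struct.pack("!I", VENDOR_CISCO) + vsa)


def build_request(code, ident, attrs, secret):
    """Request Authenticator (RFC 5176 section 2.3): MD5 over the header,
    16 zero octets, the attributes and the shared secret."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def disconnect_request(ident, audit_session_id, secret):
    """Packet of Disconnect: only the session identifier is needed."""
    return build_request(DISCONNECT_REQUEST, ident,
                         [cisco_avpair(f"audit-session-id={audit_session_id}")], secret)


def coa_request(ident, audit_session_id, interface_config, secret):
    """CoA carrying a new profile: one ip:interface-config pair per line."""
    attrs = [cisco_avpair(f"audit-session-id={audit_session_id}")]
    attrs += [cisco_avpair(f"ip:interface-config={line}") for line in interface_config]
    return build_request(COA_REQUEST, ident, attrs, secret)


def avpairs(packet):
    """Yield the Cisco-AVPair strings carried in a RADIUS packet."""
    pos = 20
    while pos < len(packet):
        code, length = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + length]
        if (code == ATTR_VSA and struct.unpack("!I", value[:4])[0] == VENDOR_CISCO
                and value[4] == CISCO_AVPAIR):
            yield value[6:4 + value[5]].decode()
        pos += length


def nas_handle(request, secret, known_sessions):
    """Simulated NAS: silently drop a request whose authenticator does not
    verify, ACK when the audit-session-id is known, NAK otherwise."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    expected = hashlib.md5(request[:4] + bytes(16) + request[20:] + secret).digest()
    if length != len(request) or not hmac.compare_digest(expected, request[4:20]):
        return None
    sid = next((p.split("=", 1)[1] for p in avpairs(request)
                if p.startswith("audit-session-id=")), None)
    ack, nak = {DISCONNECT_REQUEST: (DISCONNECT_ACK, DISCONNECT_NAK),
                COA_REQUEST: (COA_ACK, COA_NAK)}[code]
    header = struct.pack("!BBH", ack if sid in known_sessions else nak, ident, 20)
    # Response Authenticator covers the request authenticator, binding reply to request
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_response(response, request, secret):
    """Client side: MD5(Code+ID+Length+RequestAuth+Attributes+Secret) must match."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret, sid = b"CISCO", "C0A864FE0000000A"          # constructed values
    pod = disconnect_request(1, sid, secret)
    print("PoD ->", nas_handle(pod, secret, {sid})[0])  # 41 = Disconnect-ACK
    coa = coa_request(2, sid, ["service-policy output Silver"], secret)
    print("CoA ->", nas_handle(coa, secret, {sid})[0])  # 44 = CoA-ACK
```

The two authenticator checks are what make CoA safe to expose on the `aaa server radius dynamic-author` listener: a request with the wrong key is dropped without a reply, and a reply is only accepted if it was computed over the original request.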
MPLS over FlexVPN
Now Featuring Shortcut Switching

MPLS VPN o Flex
Objective: end-to-end VRF separation

(Figure: two hubs at 172.16.1.254 and 172.16.1.253 with LAN 192.168.100.0/24 behind them; spokes with LANs 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24, each LAN present in each VRF)
MPLS VPN o Flex
Going LDP Free

• Hub private interface(s) in inside VRF or MPLS
• Virtual-Access interfaces in the GRT run MPLS
• Tunnels create "back-to-back" links, so LDP is not needed!
• Spoke tunnels run MPLS
• Private interfaces in VRFs

(Figure: same topology; hubs 172.16.1.254 / 172.16.1.253, LAN 192.168.100.0/24, spoke LANs 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24)
MPLS VPN o Flex
Extreme Summarization

Per-VRF label tables before any exchange; each node holds a single aggregate label per VRF:

Hub (LAN 192.168.100.0/24)
 VRF Red     Prefix            Nxt-hop   Label
             192.168.0.0/16    -         30
 VRF Blue    192.168.0.0/16    -         40

Spoke 1 (LAN 192.168.1.0/24)
 VRF Red     192.168.1.0       -         31
 VRF Blue    192.168.1.0       -         41

Spoke 2 (LAN 192.168.2.0/24)
 VRF Red     192.168.2.0       -         32
 VRF Blue    192.168.2.0       -         42
MPLS VPN o Flex
Summary Label Exchange

After the label exchange, the hub knows each spoke prefix with its label and the spokes only know the summary via the hub:

Hub (172.16.1.254)
 VRF Red     Prefix            Nxt-hop      Label
             192.168.1.0       10.0.0.1     31
             192.168.2.0       10.0.0.2     32
             192.168.0.0/16    -            30
 VRF Blue    192.168.1.0       10.0.0.1     41
             192.168.2.0       10.0.0.2     42
             192.168.0.0/16    -            40

Spoke 1 (LAN 192.168.1.0/24)
 VRF Red     192.168.1.0       -            31
             192.168.0.0/16    10.0.0.254   30
 VRF Blue    192.168.1.0       -            41
             192.168.0.0/16    10.0.0.254   40

Spoke 2 (LAN 192.168.2.0/24)
 VRF Red     192.168.2.0       -            32
             192.168.0.0/16    10.0.0.254   30
 VRF Blue    192.168.2.0       -            42
             192.168.0.0/16    10.0.0.254   40
MPLS VPN o Flex
Hub & Spoke FIB’s and LFIB’s

Spoke 1 (10.0.0.1, LAN 192.168.1.0/24)
 VRF RED FIB    Prefix            Adjacency
                192.168.1.0/24    Glean (e0)
                192.168.0.0/16    10.0.0.254, label 30
 VRF BLUE FIB   192.168.1.0/24    Glean (e1)
                192.168.0.0/16    10.0.0.254, label 40
 Global FIB     10.0.0.254        Tunnel0 (Null)
                0.0.0.0/0         Dialer0
 LFIB           Loc.   Out I/F
                31     POP VRF RED
                41     POP VRF BLUE

Spoke 2 (10.0.0.2, LAN 192.168.2.0/24)
 VRF RED FIB    192.168.2.0/24    Glean (e0)
                192.168.0.0/16    10.0.0.254, label 30
 VRF BLUE FIB   192.168.2.0/24    Glean (e1)
                192.168.0.0/16    10.0.0.254, label 40
 Global FIB     10.0.0.254        Tunnel0 (Null)
                0.0.0.0/0         Dialer0
 LFIB           32     POP VRF RED
                42     POP VRF BLUE

Hub (10.0.0.254, LAN 192.168.100.0/24)
 VRF RED FIB    192.168.1.0/24    10.0.0.1, label 31
                192.168.2.0/24    10.0.0.2, label 32
 VRF BLUE FIB   192.168.1.0/24    10.0.0.1, label 41
                192.168.2.0/24    10.0.0.2, label 42
 Global FIB     10.0.0.1          VA-1 (Null)
                10.0.0.2          VA-2 (Null)
                0.0.0.0           Dialer0
 LFIB           30     POP VRF RED
                40     POP VRF BLUE
MPLS VPN o Flex
Spoke → Hub

1. Spoke 1 receives on e0 (VRF RED) an IP packet S=192.168.1.2 D=192.168.2.2.
2. Spoke 1 VRF RED FIB:
    Prefix            Adjacency
    192.168.1.0/24    Glean (e0)
    192.168.0.0/16    10.0.0.254, label 30
3. Spoke 1 global FIB resolves the next hop:
    Prefix            Adjacency
    10.0.0.1/32       For Us (lo0)
    10.0.0.254/32     Impl-Null (Tun0)
4. The packet leaves Tunnel0 as GRE/IPsec, Label = 30, IP packet S=192.168.1.2 D=192.168.2.2.
5. Hub (172.16.1.254) LFIB:
    Loc.   Out I/F
    30     POP vrf RED
    40     POP vrf BLUE
MPLS VPN o Flex
Hub → Spoke

1. The hub pops label 30 into VRF RED and looks up D=192.168.2.2 in the VRF RED FIB:
    Prefix            Adjacency
    192.168.1.0/24    10.0.0.1, label 31
    192.168.2.0/24    10.0.0.2, label 32
    192.168.0.0/16    Glean (e0)
2. Hub global FIB:
    Prefix            Adjacency
    10.0.0.1/32       Impl-Null (Va1)
    10.0.0.2/32       Impl-Null (VA2)
3. The packet leaves Virtual-Access2 as GRE/IPsec, Label = 32, IP packet S=192.168.1.2 D=192.168.2.2.
MPLS VPN o Flex
Spoke Packet Decap

1. Spoke 2 receives GRE/IPsec, Label = 32, IP packet S=192.168.1.2 D=192.168.2.2.
2. Spoke 2 LFIB:
    Loc.   Out I/F
    32     POP vrf RED
    42     POP vrf BLUE
3. Spoke 2 VRF RED FIB:
    Prefix            Adjacency
    192.168.2.0/24    e0/1.1
    192.168.0.0/16    10.0.0.254, label 30
4. The IP packet S=192.168.1.2 D=192.168.2.2 is delivered on the LAN 192.168.2.0/24.
MPLS VPN o Flex
Enhanced Indirection Notification

The hub (172.16.1.254) returns the NHRP redirect to Spoke 1 inside the MPLS stack:
 GRE/IPsec
 Label 31          (VRF label associated to 192.168.1.2 in VRF RED)
 GAL Label 13      (MPLS Generic Associated Channel Label)
 NHRP Redirect
 IP (192.168.1.2 → 192.168.2.2)
MPLS VPN o Flex
Enhanced Shortcut Resolution (1)

Spoke 1 sends the resolution request to the hub (172.16.1.254) the same way:
 GRE/IPsec
 Label 30          (VRF label associated to 192.168.0.0 in VRF RED)
 GAL Label 13
 NHRP Resolution (ReqID 1)
   10.0.0.1/32 → 172.16.1.1
   ? 192.168.2.2
MPLS VPN o Flex
Enhanced Shortcut Resolution (2)

The hub (172.16.1.254) forwards the request toward Spoke 2:
 GRE/IPsec
 Label 32          (VRF label associated to 192.168.0.0 in VRF RED)
 GAL Label 13
 NHRP Resolution (ReqID 1)
   10.0.0.1 → 172.16.1.1
   192.168.2.2 ?

Spoke 2 global FIB after it brings up the shortcut tunnel to Spoke 1:
 Prefix            Adjacency
 10.0.0.254        Tunnel0 (Null)
 0.0.0.0/0         Dialer0
 10.0.0.1/32       VAccess1 (Null)
MPLS VPN o Flex
Enhanced Shortcut Resolution (3)

Spoke 2 answers over the shortcut tunnel:
 GRE/IPsec
 NHRP Resolution Reply (ReqID 1)
   192.168.2.0/24 Label 32      (local VRF label for 192.168.2.0/24 in VRF RED)
   10.0.0.2/32 (Null)

Spoke 1 VRF RED FIB after the reply:
 Prefix            Adjacency
 192.168.1.0/24    Glean (e0)
 192.168.0.0/16    10.0.0.254, label 30
 192.168.2.0/24    10.0.0.2, label 32

Spoke 1 global FIB:
 Prefix            Adjacency
 10.0.0.254        Tunnel0 (Null)
 0.0.0.0/0         Dialer0
 10.0.0.2/32       VAccess1 (Null)

Spoke 2 global FIB:
 Prefix            Adjacency
 10.0.0.254        Tunnel0 (Null)
 0.0.0.0/0         Dialer0
 10.0.0.1/32       VAccess1 (Null)
MPLS VPN o Flex
Spoke → Spoke Forwarding

Spoke 1 receives on e0 an IP packet S=192.168.1.2 D=192.168.2.2 and now has a direct entry:

Spoke 1 VRF RED FIB:
 Prefix            Adjacency
 192.168.1.0/24    Glean (e0)
 192.168.0.0/16    10.0.0.254, label 30
 192.168.2.0/24    10.0.0.2, label 32

Spoke 1 global FIB:
 Prefix            Adjacency
 10.0.0.254        Tunnel0 (Null)
 0.0.0.0/0         Dialer0
 10.0.0.2/32       VAccess1 (Null)
MPLS VPN o Flex
Spoke → Spoke Forwarding

1. Spoke 1 VRF RED FIB matches 192.168.2.0/24 → 10.0.0.2, label 32; the global FIB resolves 10.0.0.2/32 to VAccess1.
2. The packet leaves VAccess1 directly to Spoke 2 as GRE/IPsec, Label = 32, IP packet S=192.168.1.2 D=192.168.2.2.
3. Spoke 2 LFIB:
    Loc.   Out I/F
    32     POP vrf RED
    42     POP vrf BLUE
4. Spoke 2 VRF RED FIB:
    Prefix            Adjacency
    192.168.2.0/24    e0/1.1
    192.168.0.0/16    10.0.0.254, label 30
5. The IP packet S=192.168.1.2 D=192.168.2.2 is delivered on the LAN 192.168.2.0/24; the hub is no longer in the path.

MPLS FlexMesh is available in 3.11 (Nov 2013) and 15.4(2)T (Feb 2014).
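The forwarding walk-through above (spoke → hub → spoke, then the shortcut after NHRP resolution) as an added example that is not part of the slides: a Python model of the per-VRF FIBs, the global FIB and the LFIBs with the labels from the tables, which traces a packet hop by hop and shows that the only thing selecting a VRF on the receiving side is the label that was popped. The node names, interface names and function names are this example's own.

```python
"""Forwarding-table model of MPLS over FlexVPN: per-VRF FIBs, the global
FIB that resolves next-hop loopbacks to tunnels, and the LFIB that pops a
VRF label into its VRF. Added example, not code from the slides."""
import ipaddress


class Node:
    def __init__(self, name):
        self.name = name
        self.vrf_fib = {}   # vrf -> {network: (next_hop, label, iface)}
        self.fib = {}       # global FIB: next-hop loopback -> outgoing tunnel interface
        self.lfib = {}      # local label -> VRF it pops into

    def add_vrf_route(self, vrf, prefix, next_hop=None, label=None, iface=None):
        net = ipaddress.ip_network(prefix)
        self.vrf_fib.setdefault(vrf, {})[net] = (next_hop, label, iface)

    def lookup(self, vrf, dst):
        """Longest-prefix match in one VRF FIB; None when the VRF has no route."""
        addr = ipaddress.ip_address(dst)
        table = self.vrf_fib.get(vrf, {})
        best = max((n for n in table if addr in n), key=lambda n: n.prefixlen, default=None)
        return None if best is None else table[best]


def build_topology():
    """Tables from the slides: hub 10.0.0.254, spokes 10.0.0.1 and 10.0.0.2,
    VRF RED labels 30/31/32 and VRF BLUE labels 40/41/42."""
    spoke1, spoke2, hub = Node("Spoke1"), Node("Spoke2"), Node("Hub")
    for spoke, lan, red_label, blue_label in ((spoke1, "192.168.1.0/24", 31, 41),
                                              (spoke2, "192.168.2.0/24", 32, 42)):
        spoke.add_vrf_route("RED", lan, iface="e0")                      # Glean (e0)
        spoke.add_vrf_route("RED", "192.168.0.0/16", "10.0.0.254", 30)    # summary via hub
        spoke.add_vrf_route("BLUE", lan, iface="e1")                     # Glean (e1)
        spoke.add_vrf_route("BLUE", "192.168.0.0/16", "10.0.0.254", 40)
        spoke.fib["10.0.0.254"] = "Tunnel0"
        spoke.lfib = {red_label: "RED", blue_label: "BLUE"}
    hub.add_vrf_route("RED", "192.168.100.0/24", iface="e0")
    hub.add_vrf_route("RED", "192.168.1.0/24", "10.0.0.1", 31)
    hub.add_vrf_route("RED", "192.168.2.0/24", "10.0.0.2", 32)
    hub.add_vrf_route("BLUE", "192.168.1.0/24", "10.0.0.1", 41)
    hub.add_vrf_route("BLUE", "192.168.2.0/24", "10.0.0.2", 42)
    hub.fib = {"10.0.0.1": "VA-1", "10.0.0.2": "VA-2"}
    hub.lfib = {30: "RED", 40: "BLUE"}
    return {"10.0.0.1": spoke1, "10.0.0.2": spoke2, "10.0.0.254": hub}


def forward(nodes, ingress_loopback, vrf, dst):
    """Walk a packet hop by hop. Each hop is (node, label pushed, egress
    interface); a label of None means the packet is delivered on the LAN.
    The VRF changes only through the receiving LFIB, so traffic cannot
    leak from one VRF into another."""
    node, path = nodes[ingress_loopback], []
    for _ in range(8):                        # loop guard
        entry = node.lookup(vrf, dst)
        if entry is None:
            path.append((node.name, None, "drop"))
            return path
        next_hop, label, iface = entry
        if next_hop is None:                  # connected prefix: deliver locally
            path.append((node.name, None, iface))
            return path
        path.append((node.name, label, node.fib[next_hop]))
        node = nodes[next_hop]                # GRE/IPsec carries it to the next hop's owner
        vrf = node.lfib[label]                # POP: the label selects the VRF for the next lookup
    raise RuntimeError("forwarding loop")


def install_shortcut(nodes, requester, target, vrf, prefix, label, va="VAccess1"):
    """What the NHRP resolution reply installs on the requesting spoke: the
    target's VRF label for its prefix, and a global FIB entry pointing the
    target's loopback at the new spoke-to-spoke Virtual-Access."""
    nodes[requester].add_vrf_route(vrf, prefix, target, label)
    nodes[requester].fib[target] = va


if __name__ == "__main__":
    nodes = build_topology()
    print("via hub: ", forward(nodes, "10.0.0.1", "RED", "192.168.2.2"))
    install_shortcut(nodes, "10.0.0.1", "10.0.0.2", "RED", "192.168.2.0/24", 32)
    print("shortcut:", forward(nodes, "10.0.0.1", "RED", "192.168.2.2"))
```

Tracing the same destination in VRF BLUE goes through the same tunnels with labels 40 and 42 and ends on e1 instead of e0, which is the end-to-end separation the design is after.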
Hub VRF’s & IKEv2 Profile
Detailed view

vrf definition Blue
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 address-family ipv4
 address-family ipv6
!
vrf definition Red
 rd 2:2
 route-target export 2:2
 route-target import 2:2
 address-family ipv4
 address-family ipv6

Route-Targets allow BGP to map VRF prefixes between peers.

A vanilla IKEv2 profile:

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn hub1.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
Hub Routing
BGP and Interfaces

ip route 0.0.0.0 0.0.0.0 172.16.1.2
ip route vrf Blue 192.168.0.0 255.255.0.0 Null0
ip route vrf Red 192.168.0.0 255.255.0.0 Null0

! Activate NHRP redirects and give NHRP control over MPLS
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 mpls nhrp
 tunnel protection ipsec profile default

interface Ethernet0/0
 ip address 172.16.1.254 255.255.255.0

interface Loopback0
 ip address 10.0.0.254 255.255.255.255

router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/16 peer-group Flex
 neighbor Flex peer-group
 neighbor Flex remote-as 1
 neighbor Flex timers 5 15
 !
 address-family vpnv4
  neighbor Flex activate
  neighbor Flex send-community extended
 !
 address-family ipv4 vrf Blue
  network 192.168.0.0 mask 255.255.0.0
 !
 address-family ipv4 vrf Red
  network 192.168.0.0 mask 255.255.0.0
Spoke VRF’s and Interfaces
Detailed view

vrf definition Blue
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 address-family ipv4
 address-family ipv6
!
vrf definition Red
 rd 2:2
 route-target export 2:2
 route-target import 2:2
 address-family ipv4
 address-family ipv6

Mind the hub-spoke route-target correspondence.

The IKEv2 profile matches both hubs:

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn R2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
Spoke Routing Configuration
BGP and Static Routes

ip route 0.0.0.0 0.0.0.0 172.16.2.2

! Same as on the hub: start MPLS forwarding without LDP
interface Tunnel0
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 mpls nhrp
 tunnel source Ethernet0/0
 tunnel destination 172.16.1.254
 tunnel protection ipsec profile default

interface Tunnel1
 (same as Tunnel0; points to hub 2)

interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 mpls nhrp
 tunnel protection ipsec profile default

! WAN interface; can be in a Front VRF
interface Ethernet0/0
 ip address 172.16.2.1 255.255.255.0

! Tunnels and loopback are in the Global Routing Table
interface Loopback0
 ip address 10.0.0.2 255.255.255.255

router bgp 1
 bgp log-neighbor-changes
 neighbor Flex peer-group
 neighbor Flex remote-as 1
 neighbor Flex timers 5 15
 neighbor 10.0.0.253 peer-group Flex
 neighbor 10.0.0.254 peer-group Flex
 !
 ! Activate VPNv4
 address-family vpnv4
  neighbor Flex send-community extended
  neighbor 10.0.0.253 activate
  neighbor 10.0.0.254 activate
 !
 ! Advertise each VRF
 address-family ipv4 vrf Blue
  redistribute connected
  maximum-paths ibgp 2
 !
 address-family ipv4 vrf Red
  redistribute connected
  maximum-paths ibgp 2
Hub FIB and LFIB

Hub1#show ip cef vrf Red detail | s label
192.168.2.0/24, epoch 0, flags rib defined all labels
  recursive via 10.0.0.2 label 16
    attached to Virtual-Access2
192.168.3.0/24, epoch 0, flags rib defined all labels
  recursive via 10.0.0.3 label 16
    attached to Virtual-Access1

Hub1#show ip cef vrf Blue detail | s label
192.168.2.0/24, epoch 0, flags rib defined all labels
  recursive via 10.0.0.2 label 17
    attached to Virtual-Access2
192.168.3.0/24, epoch 0, flags rib defined all labels
  recursive via 10.0.0.3 label 17
    attached to Virtual-Access1

Hub1#show mpls forwarding-table
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
16         Pop Label  IPv4 VRF[V]      0             aggregate/Red
17         Pop Label  IPv4 VRF[V]      0             aggregate/Blue
Spoke FIB and LFIB

Spoke1#show ip cef vrf Red detail | s label
192.168.0.0/16, epoch 0, flags rib defined all labels, per-destination sharing
  recursive via 10.0.0.253 label 16
    attached to Tunnel1
  recursive via 10.0.0.254 label 16
    attached to Tunnel0

Spoke1#show ip cef vrf Blue detail | s label
192.168.0.0/16, epoch 0, flags rib defined all labels, per-destination sharing
  recursive via 10.0.0.253 label 17
    attached to Tunnel1
  recursive via 10.0.0.254 label 17
    attached to Tunnel0

Spoke1#show mpls forwarding-table
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
16         Pop Label  IPv4 VRF[V]      0             aggregate/Red
17         Pop Label  IPv4 VRF[V]      0             aggregate/Blue
Non-Routed Backup Mechanisms

FlexVPN Backup Peers (1)
Tunnels are set up to a primary Hub.

(Figure: two hubs at 172.16.0.1 and 172.16.0.2 in front of 192.168.100.0/24 (.1 / .2); the spokes have tunnels to Hub 1)
FlexVPN Backup Peers (2)
Hub 1 fails; new tunnels are set up to a backup Hub.

(Figure: same two hubs; the spokes now have tunnels to Hub 2 at 172.16.0.2)
FlexVPN Backup Peers (3) – Spoke Config.
Also works with a routing protocol.

aaa authorization network default local

crypto ikev2 profile default
 match certificate HUBMAP
 identity local fqdn Spoke1.cisco.com
 authentication remote rsa-sig
 authentication local pre-share
 keyring local
 pki trustpoint CA
 aaa authorization group cert list default default
 dpd 30 2 on-demand          ! detect hub failure

crypto ikev2 client flexvpn default
 client connect tunnel 0
 peer 1 172.16.1.254         ! to primary hub
 peer 2 172.16.1.253         ! to secondary hub

interface Tunnel0
 ip address negotiated
 tunnel source FastEthernet0/0
 tunnel destination dynamic  ! destination managed by FlexVPN
 tunnel protection ipsec profile default

crypto ikev2 authorization policy default
 route set interface
 route set access-list 99

Powerful peer syntax:
 peer <n> <ip>
 peer <n> <ip> track <x>
 peer <n> <fqdn>
 peer <n> <fqdn> track <x>
The Nth peer is selected only if the corresponding track object is up.

RADIUS backup list attribute: ipsec:ipsec-backup-gateway
Up to 10 backup gateways pushed by config-exchange.
FlexVPN Downloadable Backup Peer List

Static Peer List (locally configured)     Downloadable Peer List (received from Peer 2)
 Seq 10: Peer 1                            Seq 10: Peer 2.1
 Seq 20: Peer 2                            Seq 20: Peer 2.2
 Seq 30: Peer 3

• Peer 1 is selected initially (sequence number based)
• If Peer 1 fails, Peer 2 is selected (sequence number based)
• Upon connection to Peer 2, a downloadable peer list is received
• Upon failure of Peer 2, Peer 2.1 then 2.2 are selected (part of the downloadable peer list)
• Downloadable list peers are used until the last downloadable list peer fails
• Upon successful connection to the next peer in the static list, the downloadable list is deleted
FlexVPN Backup – Re-activation of Primary Peer

• Allow re-establishing the tunnel directly to the preferred peer as soon as it is available again
• Trackers are required for this feature

track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
track 3 ip sla 3 reachability
!
crypto ikev2 client flexvpn remote1
 peer 1 10.0.0.1 track 1
 peer 2 10.0.0.2 track 2
 peer 3 10.0.0.3 track 3
 peer reactivate
 client connect Tunnel0
!
interface Tunnel0
 ip address negotiated
 tunnel destination dynamic

(Figure: the client runs an ICMP-echo IP SLA probe to each of 10.0.0.1, 10.0.0.2 and 10.0.0.3; each tracker reports Up/Down and the IPsec tunnel follows the highest-ranked peer whose tracker is up)
FlexVPN Backup Groups
• Warrant that a peer, belonging to different peer-lists in the same backup group, is never active in multiple peer-lists at a given time

crypto ikev2 client flexvpn remote1
 peer 1 10.0.0.1
 peer 2 10.0.0.2
 peer 3 10.0.0.3
 backup group 1
 client connect Tunnel0
!
crypto ikev2 client flexvpn remote2
 ! 10.0.0.1 cannot be used here as it is already active in the remote1 peer-list from the same group
 peer 1 10.0.0.1
 peer 2 10.0.0.2
 peer 3 10.0.0.3
 backup group 1
 client connect Tunnel1
!
interface Tunnel0
 ip address negotiated
 …
 tunnel destination dynamic
!
interface Tunnel1
 ip address negotiated
 …
 tunnel destination dynamic

[Figure: Client with Tu0 via Service Provider 1 and Tu1 via Service Provider 2 towards Hub 1 (10.0.0.1), Hub 2 (10.0.0.2) and Hub 3 (10.0.0.3)]
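The peer-selection rules of the backup-peer, downloadable-list, re-activation and backup-group slides above, replayed as an added Python model (not Cisco IOS code); the hub names, the pushed list and the tracker states are constructed sample data.

```python
"""FlexVPN client peer selection modelled in Python (added illustration, not
Cisco IOS code). Rules replayed: peers are tried in sequence order; a peer
with `track` is eligible only while its tracker is up; a list pushed by the
hub (ipsec:ipsec-backup-gateway) is used until its last peer fails and is
deleted once a static peer connects; `peer reactivate` returns to the
preferred peer when its tracker recovers; a backup group never lets two
peer-lists use the same hub at the same time."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Peer:
    seq: int
    addr: str
    track: Optional[int] = None  # track object that must be up; None = untracked


@dataclass
class FlexClient:
    name: str
    static_peers: List[Peer]
    backup_group: Optional[int] = None
    reactivate: bool = False
    downloaded: List[Peer] = field(default_factory=list)  # list pushed by a hub
    active: Optional[str] = None
    last_static: Optional[int] = None  # seq of the static peer used last


class Simulator:
    def __init__(self, trackers: Dict[int, bool], reachable: Dict[str, bool],
                 pushed: Dict[str, List[Peer]]):
        self.trackers = trackers    # track id -> up?
        self.reachable = reachable  # hub address -> answers IKEv2?
        self.pushed = pushed        # hub -> backup list it pushes (constructed)
        self.clients: Dict[str, FlexClient] = {}

    def add_client(self, client: FlexClient) -> None:
        self.clients[client.name] = client

    def _eligible(self, client: FlexClient, peer: Peer) -> bool:
        if peer.track is not None and not self.trackers.get(peer.track, False):
            return False  # selected only if the corresponding track object is up
        # backup group rule: skip a hub already active in a sibling peer-list
        return not any(o is not client and client.backup_group is not None
                       and o.backup_group == client.backup_group
                       and o.active == peer.addr for o in self.clients.values())

    def _pick(self, client: FlexClient, peers: List[Peer],
              after: Optional[int] = None) -> Optional[Peer]:
        order = sorted(peers, key=lambda p: p.seq)
        if after is not None:  # continue with the next sequence number, wrapping
            order = [p for p in order if p.seq > after] + [p for p in order if p.seq <= after]
        return next((p for p in order if self._eligible(client, p)
                     and self.reachable.get(p.addr, False)), None)

    def connect(self, name: str) -> Optional[str]:
        """(Re)establish the client's tunnel; returns the hub chosen, or None."""
        c = self.clients[name]
        c.active = None
        peer = self._pick(c, c.downloaded) if c.downloaded else None
        if peer is None:  # no (more) downloadable peers: next static peer
            peer = self._pick(c, c.static_peers, c.last_static)
            if peer is None:
                return None
            c.last_static = peer.seq
            c.downloaded = list(self.pushed.get(peer.addr, []))  # old list deleted
        c.active = peer.addr
        return peer.addr

    def tracker_up(self, track: int) -> None:
        """IP SLA tracker recovers: a client with `peer reactivate` guarding a
        peer by this tracker goes back to the preferred (lowest seq) peer."""
        self.trackers[track] = True
        for c in self.clients.values():
            if c.reactivate and any(p.track == track for p in c.static_peers):
                c.last_static, c.downloaded = None, []
                self.connect(c.name)


def downloadable_list_walkthrough() -> List[Optional[str]]:
    """Downloadable list slide: Peer 1 -> Peer 2 (pushes 2.1, 2.2) -> 2.1 -> 2.2
    -> Peer 3 from the static list."""
    static = [Peer(10, "peer1"), Peer(20, "peer2"), Peer(30, "peer3")]
    pushed = {"peer2": [Peer(10, "peer2.1"), Peer(20, "peer2.2")]}
    hubs = ("peer1", "peer2", "peer3", "peer2.1", "peer2.2")
    sim = Simulator({}, {h: True for h in hubs}, pushed)
    sim.add_client(FlexClient("default", static))
    trace = [sim.connect("default")]
    for dead in ("peer1", "peer2", "peer2.1", "peer2.2"):
        sim.reachable[dead] = False  # DPD declares the current hub dead
        trace.append(sim.connect("default"))
    return trace  # ['peer1', 'peer2', 'peer2.1', 'peer2.2', 'peer3']


def reactivate_and_backup_group() -> Dict[str, object]:
    """Re-activation and backup-group slides: remote1 and remote2 share backup
    group 1; hub 10.0.0.1 goes down and later recovers."""
    hubs = [Peer(1, "10.0.0.1", track=1), Peer(2, "10.0.0.2", track=2),
            Peer(3, "10.0.0.3", track=3)]
    sim = Simulator({1: True, 2: True, 3: True}, {h.addr: True for h in hubs}, {})
    sim.add_client(FlexClient("remote1", hubs, backup_group=1, reactivate=True))
    sim.add_client(FlexClient("remote2", hubs, backup_group=1))
    before = (sim.connect("remote1"), sim.connect("remote2"))  # .1 and .2
    sim.trackers[1], sim.reachable["10.0.0.1"] = False, False
    during = sim.connect("remote1")  # .2 is held by remote2, so remote1 takes .3
    sim.reachable["10.0.0.1"] = True
    sim.tracker_up(1)                # reactivate: remote1 returns to .1
    return {"before": before, "during": during,
            "after": sim.clients["remote1"].active}
```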
FlexVPN Tunnel Pivot
• Use when different Service Providers are used to connect to remote host

track 1 ip sla 1 reachability
!
crypto ikev2 client flexvpn remote1
 peer 1 10.0.0.1
 source 1 interface GigabitEthernet0/0 track 1
 source 2 interface FastEthernet2/0
 client connect tunnel 0
!
interface Tunnel0
 ip address negotiated
 …
 tunnel source dynamic
 tunnel destination dynamic

[Figure: Client reaches the Hub through Service Provider 1 (GigE0/0) or Service Provider 2 (FastE2/0); legend: tracker state (Up/Down), ICMP-echo IP SLA probe, IPsec Tunnel]
FlexVPN Load Balancer
FlexVPN Load-Balancer Bootstrap

[Figure: LAN 10.0.0.0/24 with Slave Hub 2 (.12, HSRP Standby), Master Hub 1 (.11, HSRP Active, VIP .5) and Slave Hub 3 (.13, HSRP Standby); CLB registration from the slaves to the master; WAN side below]

1. HSRP Active Router election: winner takes over the VIP (“.5”)
2. CLB Registration: HSRP Standby routers become CLB Slaves and register to the Master (HSRP Active)

On Hub 1:
*Nov 20 12:43:58.488: %CLB-6-CLB_SLAVE_CONNECTED: Slave 10.0.0.13 connected.
*Nov 20 12:43:58.493: %CLB-6-CLB_SLAVE_CONNECTED: Slave 10.0.0.12 connected.
FlexVPN Load-Balancer Client Connection

[Figure: same LAN 10.0.0.0/24 with Slave Hub 2 (.12, Standby), Master Hub 1 (.11, Active, VIP .5) and Slave Hub 3 (.13, Standby); the client is on the WAN side]

1. Client sends IKE SA_INIT with REDIRECT_SUPPORTED to VIP (.5)
2. CLB Master selects the LLG (Hub 3)
3. CLB Master sends a redirect to client to Hub 3
4. Client establishes IKEv2 session with LLG Hub (Hub 3)
FlexVPN Load-Balancer – Hub 1 Configuration
• Configuration of slave hubs is almost identical (except HSRP priority)!

! Activates the sending of IKEv2 redirects during SA_INIT
crypto ikev2 redirect gateway init
!
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Hub1.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
crypto ikev2 authorization policy default
 route set interface
!
! HSRP Group Name must match IKEv2 Cluster configuration
crypto ikev2 cluster
 standby-group vpngw
 slave max-session 10
 no shutdown
!
interface Ethernet0/0
 ip address 10.0.0.11 255.255.255.0
 standby 1 ip 10.0.0.5
 standby 1 name vpngw
!
interface Loopback0
 ip address 172.16.1.11 255.255.255.0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip mtu 1400
 tunnel source Ethernet1/0
 tunnel protection ipsec profile default
FlexVPN Load-Balancer – Client Configuration

crypto ikev2 authorization policy default
 route set interface
!
! Activates IKEv2 redirection support and limits the redirect count (DoS prevention)
crypto ikev2 redirect client max-redirects 10
!
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Spoke2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
! FlexVPN peer configured with the VIP address only
crypto ikev2 client flexvpn VPN_LB
 peer 1 10.0.0.5
 client connect Tunnel0
!
interface Tunnel0
 ip address 172.16.1.100 255.255.255.0
 ip mtu 1400
 tunnel source Ethernet0/0
 tunnel destination dynamic
 tunnel protection ipsec profile default
FlexVPN Load-Balancer
• Redirects inbound IKEv2 negotiation to the Least Loaded Gateway (LLG)
• Implements RFC 5685
• Redirect is performed during IKEv2 SA_INIT or IKE_AUTH
• Relies on HSRP for device failure detection and master selection
• Relies on the Cisco Load Balancing (CLB) protocol (TCP/2012) to report load to the cluster master
• Available since 15.2(4)M
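The redirect exchange of the load-balancer slides, as an added Python model rather than anything from IOS: the spoke addresses, the per-hub session counts and the misbehaving responder are constructed for the illustration, and `max-redirects` is enforced on the client side as the client configuration slide describes.

```python
"""IKEv2 redirect load balancing (RFC 5685) as the FlexVPN Load-Balancer uses
it; added illustration, not Cisco IOS code. The cluster master answers an
IKE_SA_INIT sent to the HSRP VIP with a REDIRECT notify naming the Least
Loaded Gateway, chosen from the session counts its CLB slaves report; a client
without REDIRECT_SUPPORTED is served by the master itself; `max-redirects`
bounds how many redirects a client will follow."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

REDIRECT_SUPPORTED = 16406  # notify payload types from RFC 5685
REDIRECT = 16407


@dataclass(frozen=True)
class Notify:
    ntype: int
    gateway: Optional[str] = None  # GW identity carried by a REDIRECT


@dataclass
class IkeSaInit:
    src: str
    dst: str
    notifies: List[Notify] = field(default_factory=list)


class Cluster:
    """CLB master: slaves register with their load, the master redirects."""
    def __init__(self, vip: str, master: str, max_session: int):
        self.vip, self.master, self.max_session = vip, master, max_session
        self.load: Dict[str, int] = {master: 0}  # gateway -> active sessions

    def slave_connected(self, addr: str, sessions: int = 0) -> None:
        """%CLB-6-CLB_SLAVE_CONNECTED: the slave now reports its load."""
        self.load[addr] = sessions

    def least_loaded(self) -> Optional[str]:
        """LLG among gateways still under `slave max-session`; ties by address."""
        free = {gw: n for gw, n in self.load.items() if n < self.max_session}
        return min(free, key=lambda gw: (free[gw], gw)) if free else None

    def handle_sa_init(self, msg: IkeSaInit) -> Tuple[str, Optional[str]]:
        """Responder side: ('accept', gw), ('redirect', gw) or ('no-capacity', None)."""
        if msg.dst != self.vip:  # sent to a hub's own address after a redirect
            self.load[msg.dst] = self.load.get(msg.dst, 0) + 1
            return "accept", msg.dst
        wants_redirect = any(n.ntype == REDIRECT_SUPPORTED for n in msg.notifies)
        target = self.least_loaded()
        if target is None:
            return "no-capacity", None
        if not wants_redirect or target == self.master:
            self.load[self.master] += 1  # master terminates the session itself
            return "accept", self.master
        return "redirect", target        # REDIRECT notify carrying the GW ident


class Client:
    def __init__(self, addr: str, peer: str, max_redirects: int,
                 supports_redirect: bool = True):
        self.addr, self.peer, self.max_redirects = addr, peer, max_redirects
        self.supports_redirect = supports_redirect
        self.redirects = 0

    def connect(self, responder: Cluster) -> Optional[str]:
        """Send IKE_SA_INIT, follow redirects, return the gateway the session
        ends up with (None once the redirect limit is exceeded)."""
        target = self.peer
        while True:
            notifies = [Notify(REDIRECT_SUPPORTED)] if self.supports_redirect else []
            action, gw = responder.handle_sa_init(IkeSaInit(self.addr, target, notifies))
            if action == "accept":
                return gw
            if action != "redirect":
                return None
            self.redirects += 1
            if self.redirects > self.max_redirects:  # redirect client max-redirects
                return None
            target = gw


class LoopingResponder(Cluster):
    """Constructed misbehaving responder that redirects every IKE_SA_INIT back
    to the VIP; only the client's max-redirects stops the loop."""
    def handle_sa_init(self, msg: IkeSaInit) -> Tuple[str, Optional[str]]:
        return "redirect", self.vip


def slide_scenario() -> Dict[str, object]:
    """Slide topology: VIP .5, master Hub 1 (.11), slaves Hub 2 (.12), Hub 3 (.13)."""
    cluster = Cluster(vip="10.0.0.5", master="10.0.0.11", max_session=10)
    cluster.load["10.0.0.11"] = 6            # constructed: master already has 6
    cluster.slave_connected("10.0.0.13", 2)  # Hub 3, the least loaded
    cluster.slave_connected("10.0.0.12", 4)  # Hub 2
    spoke2 = Client("198.51.100.2", peer="10.0.0.5", max_redirects=10)
    legacy = Client("198.51.100.3", peer="10.0.0.5", max_redirects=10,
                    supports_redirect=False)
    looped = Client("198.51.100.4", peer="10.0.0.5", max_redirects=3)
    return {"spoke2": spoke2.connect(cluster),  # '10.0.0.13' (Hub 3, the LLG)
            "legacy": legacy.connect(cluster),  # '10.0.0.11' (master, no redirect)
            "looped": looped.connect(LoopingResponder("10.0.0.5", "10.0.0.11", 10)),
            "loop_redirects": looped.redirects}  # None after 4 redirects
```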
IPv6 ?
Site-to-site configuration: IPv6 and OSPF
A matter of activating ipv6 on the interface

[Figure: two sites, 2001:db8:cafe::/64 behind router 172.16.1.1 and 2001:db8:beef::/64 behind router 172.16.2.1, joined by an IPsec-protected tunnel]

Router 172.16.1.1:
ipv6 unicast-routing
…
interface Tunnel0
 ipv6 ospf 1 area 0
 tunnel source FastEthernet0/0
 tunnel destination 172.16.2.1
 tunnel protection ipsec profile default
!
interface E0/0
 ipv6 address 2001:db8:cafe::1/64
 ipv6 ospf 1 area 0

Router 172.16.2.1:
ipv6 unicast-routing
…
interface Tunnel0
 ipv6 ospf 1 area 0
 tunnel source FastEthernet0/0
 tunnel destination 172.16.1.1
 tunnel protection ipsec profile default
!
interface E0/0
 ipv6 address 2001:db8:beef::1/64
 ipv6 ospf 1 area 0
Routing IPv6 with IKEv2 or BGP
One peering, for both IPv4 and IPv6. Same as v4… just specify ipv6.

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Hub1.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 …
 virtual-template 1
!
crypto ikev2 authorization policy default
 route set remote ipv6 2001::/64
 route set remote ipv6 2002::/64

router bgp 1
 bgp log-neighbor-changes
 bgp listen range 1.1.1.0/24 peer-group Flex
 neighbor Flex peer-group
 neighbor Flex remote-as 1
 !
 address-family ipv4
  redistribute static route-map rm
  neighbor Flex activate
 exit-address-family
 !
 address-family ipv6
  redistribute static route-map rm
  neighbor Flex activate
 exit-address-family
Tunnel modes made easy

One virtual-template per tunnel mode:
crypto ikev2 profile prof1
 …
 virtual-template 1
interface virtual-template 1
 …
 tunnel mode ipsec ipv4
!
crypto ikev2 profile prof2
 …
 virtual-template 2
interface virtual-template 2
 …
 tunnel mode ipsec ipv6
!
crypto ikev2 profile prof3
 …
 virtual-template 3
interface virtual-template 3
 …
 tunnel mode gre ip
!
crypto ikev2 profile prof4
 …
 virtual-template 4
interface virtual-template 4
 …
 tunnel mode gre ipv6

With auto mode, a single virtual-template:
crypto ikev2 profile default
 …
 virtual-template 1 mode auto
interface virtual-template 1
 …
IPv6-only Experimental SSID (with NAT64)

SSID: IPV6ONLYEXP
PASS: iknowbesteffort
Addressing: SLAAC + stateless DHCPv6
Offsite NAT64 (Thanks to Go6 Institute)

Questions/support: @ayourtch
Hashtag: #IPV6ONLYEXP
SLA: it’s in the password
Before we part…
Route Exchange Protocol Selection

Branch-Hub Use case

Protocol | Use case | Redistribution | Branch complexity | Route filtering | Network | Hub density
IKEv2 | Simple, large scale | Static (no redistribution IGP ↔ IKE) | Simple branches (< 20 prefixes) | Identity-based route filtering | Lossy networks | High density hubs
BGP | Simple to complex, large scale | Dynamic (redistribution IGP ↔ BGP) | Complex branches (> 20 prefixes) | Powerful route filtering – not identity based | Lossy networks | High density hubs, up to 350K routes
EIGRP | Simple to complex, not recommended at large scale | Dynamic (redistribution IGP ↔ IGP) | Semi-complex branches (> 20 prefixes) | Intermediate route filtering – not identity based | Lossless networks (very rare) | < 5000 prefixes at hub

Hub-Hub Use case

Protocol | Use case | Remark | Route filtering
BGP | Large amount of prefixes (up to 1M) | Road to scalability | Powerful route filtering
IGP (EIGRP, OSPF) | < 5000 prefixes total | Perceived simplicity |
High-End Scalability & performance – 3.12+
Bump from 4,000 to 10,000 spokes/hub with FlexVPN in 3.12 (RP2 only)

Platform (3.12+) | Throughput (Max / IMIX) | Max tunnels (RP2) | EIGRP neighbors | IKE routing | BGP neighbors | QoS
ISR 4451 (w/out QoS) | 1.2 / 0.8 Gbps | 2,000 | 2,000 (1000 recommended) | 2,000 | 2,000 | 10% crypto throughput decrease
ASR 1001 | 1.8 / 1 Gbps | 4,000 | 4,000 (1000 recommended) | 4,000 | 4,000 | 16K Q, no crypto impact
ASR 1001-X | 1.8 / 1 Gbps | 4,000 | 4,000 (1000 recommended) | 4,000 | 4,000 | 16K Q, no crypto impact
ASR 1002-X | 4 / 4 Gbps | 10,000 | 4,000 (1000 recommended) | 10,000 | 10,000 | 128K Q, no crypto impact
ASR 1000 ESP5 | 1.8 / 1 Gbps | 4,000 (RP1: 1,000) | 4,000 (1000 recommended) | 4,000 | 4,000 | 128K Q, no crypto impact
ASR 1000 ESP10 | 4 / 2.5 Gbps | 4,000 (RP1: 1,000) | 4,000 (1000 recommended) | 4,000 | 4,000 | 128K Q, no crypto impact
ASR 1000 ESP20 | 7 / 6 Gbps | 10,000 (RP1: 1,000) | 4,000 (1000 recommended) | 10,000 | 10,000 | 128K Q, no crypto impact
ASR 1000 ESP40 | 11 / 7.4 Gbps | 10,000 | 4,000 (1000 recommended) | 10,000 | 10,000 | 128K Q, no crypto impact
ASR 1000 ESP100 | 29 / 16 Gbps | 10,000 | 4,000 (1000 recommended) | 10,000 | 10,000 | 128K Q, no crypto impact
ASR 1000 ESP200 | 59 / 78 Gbps | 10,000 | 4,000 (1000 recommended) | 10,000 | 10,000 | 128K Q, no crypto impact

(*) No AES-GCM nor SHA-2 in forwarding plane (the original table marks two of the platforms above; the column position was lost in extraction)
FlexVPN - ISR G2 Scalability

Platform | SEC-K9 Recommended | SEC-K9 Max | SEC-K9 + HSEC-K9 Recommended | SEC-K9 + HSEC-K9 Max
3945E | Up to 225 | Up to 225 | Up to 2000 | Up to 3000
3925E | Up to 225 | Up to 225 | Up to 1500 | Up to 3000
3945 | Up to 225 | Up to 225 | Up to 1000 | Up to 2000
3925 | Up to 225 | Up to 225 | Up to 750 | Up to 1500
2951 | Up to 225 | Up to 225 | Up to 500 | Up to 1000
2921 | Up to 225 | Up to 225 | Up to 400 | Up to 900
2911 | Up to 225 | Up to 225 | (*) | (*)
2901 | Up to 150 | Up to 225 | (*) | (*)
1941 | Up to 150 | Up to 225 | (*) | (*)
1921 | TBD | TBD | (*) | (*)

(*) HSEC-K9 license does not apply since the max. encrypted tunnel count is below the restricted limits.
FlexVPN - ISR G2 Performance
75% CPU, IMIX, IPsec/AES, single tunnel

Platform | SEC-K9 Recommended (Mbps) | SEC-K9 Max (Mbps) | SEC-K9 + HSEC-K9 Recommended (Mbps) | SEC-K9 + HSEC-K9 Max (Mbps)
3945E | Up to 170 | Up to 170 | Up to 670 | Up to 1503
3925E | Up to 170 | Up to 170 | Up to 477 | Up to 1497
3945 | Up to 170 | Up to 170 | Up to 179 | Up to 848
3925 | Up to 154 | Up to 170 | Up to 154 | Up to 770
2951 | Up to 103 | Up to 170 | Up to 103 | Up to 228
2921 | Up to 72 | Up to 170 | Up to 72 | Up to 207
2911 | Up to 61 | Up to 164 | (*) | (*)
2901 | Up to 53 | Up to 154 | (*) | (*)
1941 | Up to 48 | Up to 156 | (*) | (*)
1921 | Up to 44 | N/A | |
891 | Up to 66 | N/A | |

(*) HSEC-K9 license does not apply since the max. encrypted tunnel count is below the restricted limits.
Complete Your Online Session Evaluation
• Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Multicast over FlexVPN
Focusing on a single VRF
• Sources can be in several places: behind a Hub or behind a Spoke
• Hub private interface(s) in Inside VRF (light)
• Virtual-Access in iVRF
• No VRF on spokes (for this example)
• Source behind spoke is our focus now

[Figure: hubs 172.16.1.254 (.1) and 172.16.1.253 (.2) sharing 192.168.100.0/24 with a source behind the hub; spokes with 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 and 192.168.4.0/24, one with a source behind it]
PIM Sparse-Mode Overview
Focus on a pair of spokes and source behind spoke

[Figure: hubs .1 (10.0.0.254) and .2 (10.0.0.253) on 192.168.100.0/24, both acting as Anycast Rendez-Vous Point 10.0.0.252, each terminating V-A 1 and V-A 2; spoke 10.0.0.2 (Tunnel 0 to hub .1, Tunnel 1 to hub .2) with LAN 192.168.2.0/24 and client 192.168.2.2; spoke 10.0.0.3 (Tunnel 0, Tunnel 1) with LAN 192.168.3.0/24 and source 192.168.3.2]
PIM Sparse-Mode Overview
The Unicast Routing Table and MuRIB

[Figure: same topology; hubs .1 and .2 are joined by Tunnel 100, anycast RP 10.0.0.252 on both hubs]

Hub .1 (10.0.0.254):
S 10.0.0.2 → V-Access 1
S 10.0.0.3 → V-Access 2
B 192.168.2.0/24 → 10.0.0.2
B 192.168.3.0/24 → 10.0.0.3
S 192.168.0.0/16 → Tunnel 100
S 10.0.0.0/8 → Tunnel 100

Hub .2 (10.0.0.253):
S 10.0.0.2 → V-Access 1
S 10.0.0.3 → V-Access 2
B 192.168.2.0/24 → 10.0.0.2
B 192.168.3.0/24 → 10.0.0.3
S 192.168.0.0/16 → Tunnel 100
S 10.0.0.0/8 → Tunnel 100

Spoke 10.0.0.2 (192.168.2.0/24):
S 10.0.0.254 → Tunnel 0
S 10.0.0.253 → Tunnel 1
B 10.0.0.0/8 → 10.0.0.254
B 10.0.0.0/8 → 10.0.0.253
B 192.168.0.0/16 → 10.0.0.254
B 192.168.0.0/16 → 10.0.0.253
C 192.168.2.0/24 → E0/1

Spoke 10.0.0.3 (192.168.3.0/24, hosts 192.168.3.1 and 192.168.3.2):
S 10.0.0.254 → Tunnel 0
S 10.0.0.253 → Tunnel 1
B 10.0.0.0/8 → 10.0.0.254
B 10.0.0.0/8 → 10.0.0.253
B 192.168.0.0/16 → 10.0.0.254
B 192.168.0.0/16 → 10.0.0.253
C 192.168.3.0/24 → E0/1
PIM Sparse-Mode Overview
PIM Join

[Figure: client 192.168.2.2 sends an IGMP Join for 239.0.0.1 to spoke 10.0.0.2; the spoke does an RPF lookup for the RP 10.0.0.252 and sends a PIM Join for 239.0.0.1 over Tunnel 0 to hub .1 (10.0.0.254)]

Hub .1 (10.0.0.254):
(*, 239.0.0.1), 00:03:28, RP 10.0.0.252, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Virtual-Access1, Forward/Sparse, 06:37:18/00:03:28

Spoke 10.0.0.2:
(*, 239.0.0.1), 00:02:43, RP 10.0.0.252, flags: SJC
  Incoming interface: Tunnel0, RPF nbr 10.0.0.254
  Outgoing interface list:
    Ethernet0/1, Forward/Sparse, 06:37:18/00:02:43
PIM Sparse-Mode Overview
Registration

[Figure: source 192.168.3.2 behind spoke 10.0.0.3 starts sending to 239.0.0.1; the spoke sends a Register for (192.168.3.2, 239.0.0.1) over Tunnel 1 to the RP at hub .2 (10.0.0.253)]

Hub .1 (10.0.0.254), unchanged:
(*, 239.0.0.1), 00:03:28, RP 10.0.0.252, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Virtual-Access1, Forward/Sparse, 06:37:18/00:03:28

Hub .2 (10.0.0.253), after receiving the Register:
(*, 239.0.0.1), 00:03:14/stopped, RP 10.0.0.252, flags: SP
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list: Null
(192.168.3.2, 239.0.0.1), 00:01:08/00:02:53, flags: PA
  Incoming interface: Virtual-Access1, RPF nbr 10.0.0.3
  Outgoing interface list: Null

Spoke 10.0.0.2, unchanged:
(*, 239.0.0.1), 00:02:43, RP 10.0.0.252, flags: SJC
  Incoming interface: Tunnel0, RPF nbr 10.0.0.254
  Outgoing interface list:
    Ethernet0/1, Forward/Sparse, 06:37:18/00:02:43

Spoke 10.0.0.3, once the source sends:
(*, 239.0.0.1), 00:00:35/stopped, RP 10.0.0.252, flags: SPF
  Incoming interface: Tunnel1, RPF nbr 10.0.0.253
  Outgoing interface list: Null
(192.168.3.2, 239.0.0.1), 00:00:35/00:02:24, flags: PFT
  Incoming interface: Ethernet0/1, RPF nbr 0.0.0.0, Regist.
  Outgoing interface list: Null
PIM Sparse Mode Overview
MSDP Update

[Figure: hub .2 (10.0.0.253) sends an MSDP update for (192.168.3.2, 239.0.0.1) to hub .1 (10.0.0.254); traffic 192.168.3.2 → 239.0.0.1 arrives at spoke 10.0.0.3 and at hub .2]

Hub .1 (10.0.0.254):
(*, 239.0.0.1), 00:03:28, RP 10.0.0.252, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Virtual-Access1, Forward/Sparse, 06:37:18/00:03:28
(192.168.3.2, 239.0.0.1), 00:02:37, flags: M
  Incoming interface: Tunnel100, RPF nbr 10.0.0.253
  Outgoing interface list:
    Virtual-Access1, Forward/Sparse, 06:37:18/00:03:07

Hub .2 (10.0.0.253):
(*, 239.0.0.1), 00:03:14/stopped, RP 10.0.0.252, flags: SP
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list: Null
(192.168.3.2, 239.0.0.1), 00:01:08/00:02:53, flags: PA
  Incoming interface: Virtual-Access1, RPF nbr 10.0.0.3
  Outgoing interface list: Null

Spoke 10.0.0.2:
(*, 239.0.0.1), 00:02:43, RP 10.0.0.252, flags: SJC
  Incoming interface: Tunnel0, RPF nbr 10.0.0.254
  Outgoing interface list:
    Ethernet0/1, Forward/Sparse, 06:37:18/00:02:43

Spoke 10.0.0.3:
(*, 239.0.0.1), 00:00:35/stopped, RP 10.0.0.252, flags: SPF
  Incoming interface: Tunnel1, RPF nbr 10.0.0.253
  Outgoing interface list: Null
(192.168.3.2, 239.0.0.1), 00:00:35/00:02:24, flags: PFT
  Incoming interface: Ethernet0/1, RPF nbr 0.0.0.0
  Outgoing interface list:
    Tunnel1, Forward/Sparse, 00:02:04/00:03:23
PIM Sparse-Mode Overview
Linking the Shared and Source Tree

[Figure: hub .1 (10.0.0.254) sends a PIM Join for (192.168.3.2, 239.0.0.1) to hub .2 (10.0.0.253) over Tunnel 100; traffic 192.168.3.2 → 239.0.0.1 flows from spoke 10.0.0.3 over Tunnel 1 to hub .2]

Hub .1 (10.0.0.254):
(*, 239.0.0.1), 00:03:28, RP 10.0.0.252, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Virtual-Access1, Forward/Sparse, 06:37:18/00:03:28
(192.168.3.2, 239.0.0.1), 00:02:37, flags: M
  Incoming interface: Tunnel100, RPF nbr 10.0.0.253
  Outgoing interface list:
    Virtual-Access1, Forward/Sparse, 06:37:18/00:03:07

Hub .2 (10.0.0.253), before the (S,G) Join:
(*, 239.0.0.1), 00:01:08/stopped, RP 10.0.0.252, flags: SP
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list: Null
(192.168.3.2, 239.0.0.1), 00:01:08/00:02:53, flags: PA
  Incoming interface: Virtual-Access1, RPF nbr 10.0.0.3
  Outgoing interface list: Null

Hub .2 (10.0.0.253), after the (S,G) Join from hub .1:
(192.168.3.2, 239.0.0.1), 00:01:08/00:03:27, flags: PA
  Incoming interface: Virtual-Access1, RPF nbr 10.0.0.3
  Outgoing interface list:
    Tunnel100, Forward/Sparse, 00:02:02/00:03:26

Spoke 10.0.0.2:
(*, 239.0.0.1), 00:02:43, RP 10.0.0.252, flags: SJC
  Incoming interface: Tunnel0, RPF nbr 10.0.0.254
  Outgoing interface list:
    Ethernet0/1, Forward/Sparse, 06:37:18/00:02:43

Spoke 10.0.0.3:
(*, 239.0.0.1), 00:00:35/stopped, RP 10.0.0.252, flags: SPF
  Incoming interface: Tunnel1, RPF nbr 10.0.0.253
  Outgoing interface list: Null
(192.168.3.2, 239.0.0.1), 00:00:35/00:02:24, flags: FT
  Incoming interface: Ethernet0/1, RPF nbr 0.0.0.0
  Outgoing interface list:
    Tunnel1, Forward/Sparse, 00:02:04/00:03:23
PIM Sparse-Mode Overview
Multicast Traffic Flows End-to-End

[Figure: 192.168.3.2 → 239.0.0.1 flows from spoke 10.0.0.3 over Tunnel 1 to hub .2 (10.0.0.253), over Tunnel 100 to hub .1 (10.0.0.254), down Virtual-Access1 to spoke 10.0.0.2 and out Ethernet0/1 to the receiver 192.168.2.2]

Hub .1 (10.0.0.254):
(*, 239.0.0.1), 00:03:28, RP 10.0.0.252, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Virtual-Access1, Forward/Sparse, 00:03:28
(192.168.3.2, 239.0.0.1), 00:02:37, flags: MT
  Incoming interface: Tunnel100, RPF nbr 10.0.0.253
  Outgoing interface list:
    Virtual-Access1, Forward/Sparse, 06:37:18/00:03:07

Hub .2 (10.0.0.253):
(*, 239.0.0.1), 00:01:08/stopped, RP 10.0.0.252, flags: SP
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list: Null
(192.168.3.2, 239.0.0.1), 00:01:08/00:03:27, flags: TA
  Incoming interface: Virtual-Access1, RPF nbr 10.0.0.3
  Outgoing interface list:
    Tunnel100, Forward/Sparse, 00:02:02/00:03:26

Spoke 10.0.0.2:
(*, 239.0.0.1), 00:02:43, RP 10.0.0.252, flags: SJC
  Incoming interface: Tunnel0, RPF nbr 10.0.0.254
  Outgoing interface list:
    Ethernet0/1, Forward/Sparse, 06:37:18/00:02:43

Spoke 10.0.0.3:
(*, 239.0.0.1), 00:00:35/stopped, RP 10.0.0.252, flags: SPF
  Incoming interface: Tunnel1, RPF nbr 10.0.0.253
  Outgoing interface list: Null
(192.168.3.2, 239.0.0.1), 00:00:35/00:02:24, flags: FT
  Incoming interface: Ethernet0/1, RPF nbr 0.0.0.0
  Outgoing interface list:
    Tunnel1, Forward/Sparse, 00:02:04/00:03:23
PIM Sparse-Mode Overview
Multicast Traffic Flows End-to-End 192.168.100.0/24
10.0.0.254
.1 192.168.3.2  239.0.0.1
10.0.0.253
.2
(*, 239.0.0.1), 00:03:28, RP 10.0.0.252, flags: S 10.0.0.252 10.0.0.252
(*, 239.0.0.1), 00:01:08/stopped, RP 10.0.0.252, flags: SP
Incoming
Incominginterface:
interface:Null,
Null,RPF
RPFnbr
nbr0.0.0.0
0.0.0.0
(192.168.3.2, 239.0.0.1), 00:02:37, flags: MT (192.168.3.2,
Incoming 239.0.0.1),
interface: Null, RPF00:01:08/00:03:27,
nbr 0.0.0.0 flags: TA
Outgoing
Outgoinginterface
interfacelist:
list:
Incoming interface: Tunnel100, RPF nbr 10.0.0.253 Incoming interface:
list: Virtual-Access1, RPF nbr 10.0.0.3
Virtual-Access1, Forward/Sparse, 00:03:28
Outgoing interface list:
V-A 1 V-A 2 V-A 2 Outgoing
V-A interface
1
Outgoing interface list:
Null

Virtual-Access1, Forward/Sparse, 06:37:18/00:03:07 Tunnel100, Forward/Sparse, 00:02:02/00:03:26

192.168.3.2  239.0.0.1 192.168.3.2  239.0.0.1

(*, 239.0.0.1), 00:02:43, RP 10.0.0.252, Tunnel 0


flags: SJC Tunnel
(*, 1 Tunnel
239.0.0.1), 0
00:00:35/stopped, RP 10.0.0.252, flags:
Incoming interface:
(192.168.3.2, Tunnel0,
239.0.0.1), RPF nbr 10.0.0.254
10.0.0.2
00:02:08/00:00:51, flags: JT Tunnel 1 10.0.0.3 SPF(192.168.3.2, 239.0.0.1), 00:00:35/00:02:24, flags: FT
Outgoing
Incominginterface
interface:list:
Tunnel0, RPF nbr 10.0.0.254 Incoming interface:
Incoming Tunnel1,
interface: RPF nbr
Ethernet0/1, 10.0.0.253
RPF nbr 0.0.0.0
Ethernet0/1,
Outgoing Forward/Sparse,
interface list: 06:37:18/00:02:43 Outgoing interface
Outgoing list:list:
interface Null
Ethernet0/1, Forward/Sparse, 00:02:08/00:02:50 Tunnel1, Forward/Sparse, 00:02:04/00:03:23

192.168.2.0/24 192.168.3.0/24
192.168.3.2  239.0.0.1
192.168.3.2  239.0.0.1
192.168.2.2 192.168.3.2

BRKSEC-3036 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 6

Scenario 1 – Shortcut Tunnel is Created
E.g. Due to Unicast

Unicast traffic between the two LANs triggers an NHRP shortcut: a spoke-to-spoke Virtual-Access1 comes up between Spoke 1 and Spoke 2. The mroute entries are unchanged from the previous slide; the spokes' routing tables now read as follows (the H routes are the last to appear, once the shortcut is established):

Spoke 1 RIB:
 S 10.0.0.254 → Tunnel 0
 S 10.0.0.253 → Tunnel 1
 B 10.0.0.0/8 → 10.0.0.254
 B 10.0.0.0/8 → 10.0.0.253
 B 192.168.0.0/16 → 10.0.0.254
 B 192.168.0.0/16 → 10.0.0.253
 C 192.168.2.0/24 → E0/1
 H 192.168.3.0/24 → VA1

Spoke 2 RIB:
 S 10.0.0.254 → Tunnel 0
 S 10.0.0.253 → Tunnel 1
 B 10.0.0.0/8 → 10.0.0.254
 B 10.0.0.0/8 → 10.0.0.253
 B 192.168.0.0/16 → 10.0.0.254
 B 192.168.0.0/16 → 10.0.0.253
 C 192.168.3.0/24 → E0/1
 H 192.168.2.0/24 → VA1

Situation – Shortcut Tunnel is Created
RPF Topology Changes

On Spoke 1 the most specific route to the source 192.168.3.2 is now H 192.168.3.0/24 → VA1, the spoke-to-spoke Virtual-Access1. That interface is not PIM enabled, so the RPF lookup for the (S,G) entry fails:

Spoke 1 (10.0.0.2):
 (*, 239.0.0.1), 00:02:43, RP 10.0.0.252, flags: SJC
   Incoming interface: Tunnel0, RPF nbr 10.0.0.254
   Outgoing interface list:
     Ethernet0/1, Forward/Sparse, 06:37:18/00:02:43
 (192.168.3.2, 239.0.0.1), 00:02:08/00:00:51, flags: J
   Incoming interface: Null, RPF nbr Null
   Outgoing interface list:
     Ethernet0/1, Forward/Sparse, 00:02:08/00:02:50

Hub 1, Hub 2 and Spoke 2 keep the entries of the previous slides, and both spokes' RIBs are as on the previous slide (including the H routes via VA1).

Situation – Shortcut Tunnel is Created
Traffic Flows but this is odd…

With the (S,G) RPF check failed, Spoke 1 forwards 192.168.3.2 → 239.0.0.1 using the (*,G) entry, whose incoming interface is Tunnel0 towards Hub 1. Traffic still reaches 192.168.2.0/24, but along the shared tree Spoke 2 → Hub 2 → Hub 1 → Spoke 1; the shortcut between the spokes is never used for multicast. Clumsy.

Spoke 1 (10.0.0.2):
 (*, 239.0.0.1), 00:02:43, RP 10.0.0.252, flags: SJC
   Incoming interface: Tunnel0, RPF nbr 10.0.0.254
   Outgoing interface list:
     Ethernet0/1, Forward/Sparse, 06:37:18/00:02:43
 (192.168.3.2, 239.0.0.1), 00:02:08/00:00:51, flags: J
   Incoming interface: Null, RPF nbr Null
   Outgoing interface list:
     Ethernet0/1, Forward/Sparse, 00:02:08/00:02:50

Hub 1, Hub 2 and Spoke 2 entries are unchanged (Hub 1 (S,G) flags MT, Hub 2 (S,G) flags TA, Spoke 2 (S,G) flags FT).

Recommendation – SAFI 2 & SAFI 129
15.3(1)T
Hub will remote-control Spoke's MuRIB via BGP

The BGP default route overrides the NHRP route (despite the shorter prefix)!

Spoke RIB (unchanged):
 S 10.0.0.254 → Tunnel 0
 S 10.0.0.253 → Tunnel 1
 B 10.0.0.0/8 → 10.0.0.254
 B 10.0.0.0/8 → 10.0.0.253
 B 192.168.0.0/16 → 10.0.0.254
 B 192.168.0.0/16 → 10.0.0.253
 C 192.168.2.0/24 → E0/1
 H 192.168.3.0/24 → VA1

Spoke MuRIB (changed):
 B 0.0.0.0/0 → Tunnel 0
 B 0.0.0.0/0 → Tunnel 1
 S 10.0.0.254 → Tunnel 0
 S 10.0.0.253 → Tunnel 1
 C 192.168.2.0/24 → E0/1

Scenario 1 – Update
Traffic Flows more naturally with SAFI 129 / SAFI 2

With the mBGP default route in the MuRIB, Spoke 1's RPF for 192.168.3.2 resolves to Tunnel0 / Hub 1 again and the (S,G) entry is rebuilt; traffic flows Spoke 2 → Hub 2 → Hub 1 → Spoke 1 on the source tree. More natural.

Spoke 1 (10.0.0.2):
 (*, 239.0.0.1), 00:02:43, RP 10.0.0.252, flags: SJC
   Incoming interface: Tunnel0, RPF nbr 10.0.0.254
   Outgoing interface list:
     Ethernet0/1, Forward/Sparse, 06:37:18/00:02:43
 (192.168.3.2, 239.0.0.1), 00:02:08/00:00:51, flags: JT
   Incoming interface: Tunnel0, RPF nbr 10.0.0.254, mbgp
   Outgoing interface list:
     Ethernet0/1, Forward/Sparse, 00:02:08/00:02:50

Hub 1, Hub 2 and Spoke 2 entries are unchanged from the "Multicast Traffic Flows End-to-End" slide.

Spoke 1 MuRIB:
 B 0.0.0.0/0 → Tunnel 0
 B 0.0.0.0/0 → Tunnel 1
 S 10.0.0.254 → Tunnel 0
 S 10.0.0.253 → Tunnel 1
 C 192.168.2.0/24 → E0/1

Spoke 2 MuRIB: the same default and static entries.
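The RPF failure on the "RPF Topology Changes" slide and its repair by the SAFI 2 default route, traced in code as an added example that is not part of the deck: the hypothetical rpf_lookup() consults a MuRIB before the unicast RIB, breaks equal-cost ties on the highest next-hop address, models the slide's host routes as /32s, and takes the PIM-enabled interfaces from the spoke configuration (sparse-mode on the tunnels, nothing on the virtual-template).

```python
"""RPF lookup model for the 'Shortcut Tunnel is Created' scenario.

Added example, not code from the deck.  Assumptions: the multicast RIB is
consulted before the unicast RIB; among equal-cost routes the highest
next-hop address wins; the slide's host routes are modelled as /32s.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Route:
    proto: str                      # S static, B BGP, C connected, H NHRP
    prefix: IPv4Network
    out_if: str                     # interface used to reach the next hop
    nexthop: Optional[str] = None   # None for connected / NHRP routes


@dataclass(frozen=True)
class RpfResult:
    ok: bool
    table: str                      # "murib", "rib" or "none"
    out_if: Optional[str]
    nexthop: Optional[str]
    reason: str


def longest_match(routes, src: IPv4Address) -> Optional[Route]:
    """Longest-prefix match; ties go to the highest next-hop address."""
    hits = [r for r in routes if src in r.prefix]
    if not hits:
        return None
    return max(hits, key=lambda r: (r.prefix.prefixlen,
                                    IPv4Address(r.nexthop or "0.0.0.0")))


def rpf_lookup(src: IPv4Address, rib, murib, pim_enabled) -> RpfResult:
    """RPF check for 'src': a MuRIB match wins regardless of prefix length,
    then the chosen interface must be PIM enabled, otherwise the (S,G) ends
    up with 'Incoming interface: Null, RPF nbr Null' as on the slide."""
    route, table = longest_match(murib, src), "murib"
    if route is None:
        route, table = longest_match(rib, src), "rib"
    if route is None:
        return RpfResult(False, "none", None, None, "no route to source")
    if not pim_enabled.get(route.out_if, False):
        return RpfResult(False, table, route.out_if, route.nexthop,
                         f"{route.out_if} is not PIM enabled")
    return RpfResult(True, table, route.out_if, route.nexthop, "ok")


N = IPv4Network
SOURCE = IPv4Address("192.168.3.2")      # the sender on Spoke 2's LAN

# Constructed from the Spoke 1 RIB on the 'Scenario 1' slides.
SPOKE1_RIB = [
    Route("S", N("10.0.0.254/32"), "Tunnel0"),
    Route("S", N("10.0.0.253/32"), "Tunnel1"),
    Route("B", N("10.0.0.0/8"), "Tunnel0", "10.0.0.254"),
    Route("B", N("10.0.0.0/8"), "Tunnel1", "10.0.0.253"),
    Route("B", N("192.168.0.0/16"), "Tunnel0", "10.0.0.254"),
    Route("B", N("192.168.0.0/16"), "Tunnel1", "10.0.0.253"),
    Route("C", N("192.168.2.0/24"), "Ethernet0/1"),
    Route("H", N("192.168.3.0/24"), "Virtual-Access1"),   # the NHRP shortcut
]

# Constructed from the Spoke MuRIB on the 'Recommendation' slide
# (SAFI 2 default-originate from both hubs).
SPOKE1_MURIB = [
    Route("B", N("0.0.0.0/0"), "Tunnel0", "10.0.0.254"),
    Route("B", N("0.0.0.0/0"), "Tunnel1", "10.0.0.253"),
    Route("S", N("10.0.0.254/32"), "Tunnel0"),
    Route("S", N("10.0.0.253/32"), "Tunnel1"),
    Route("C", N("192.168.2.0/24"), "Ethernet0/1"),
]

# 'ip pim sparse-mode' is on the tunnels only, not on the virtual-template.
PIM_ENABLED = {"Tunnel0": True, "Tunnel1": True, "Ethernet0/1": True,
               "Virtual-Access1": False}


def scenario_rib_only() -> RpfResult:
    """'RPF Topology Changes': RIB only, the shortcut route wins, RPF fails."""
    return rpf_lookup(SOURCE, SPOKE1_RIB, [], PIM_ENABLED)


def scenario_with_murib() -> RpfResult:
    """'Scenario 1 – Update': MuRIB default wins, RPF via Tunnel0 / 10.0.0.254."""
    return rpf_lookup(SOURCE, SPOKE1_RIB, SPOKE1_MURIB, PIM_ENABLED)
```

Calling scenario_rib_only() returns a failed lookup on Virtual-Access1, scenario_with_murib() a successful one on Tunnel0 with next hop 10.0.0.254, matching the two slides.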

Flex & Sparse-Mode – Hub Configuration
Hub 1 – Flex, Multicast and Interfaces

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Hub1.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 vrf forwarding RED
 ip unnumbered Loopback0
 ip access-group AllowMyBGP in
 ip pim sparse-mode
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel protection ipsec profile default
!
ip pim vrf RED rp-address 10.0.0.252
!
ip msdp vrf RED peer 10.0.0.253 connect-source Loopback0
ip msdp vrf RED cache-sa-state

vrf definition RED
 rd 2:2
 address-family ipv4
 address-family ipv6
!
interface Loopback0
 vrf forwarding RED
 ip address 10.0.0.254 255.255.255.255
!
interface Loopback1
 vrf forwarding RED
 ip address 10.0.0.252 255.255.255.255
!
interface Tunnel100
 vrf forwarding RED
 ip unnumbered Loopback0
 ip pim sparse-mode
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/1
 tunnel destination 192.168.100.2
 tunnel vrf ivrf

Slide callouts: "ip pim sparse-mode" on Virtual-Template1 and on Tunnel100 activates Sparse-Mode; "ip pim vrf RED rp-address 10.0.0.252" is the Rendez-Vous Point definition; Loopback1 (10.0.0.252) is the anycast Rendez-Vous Point loopback; the two "ip msdp" lines provide MSDP for RP synchronization.

Flex & Sparse-Mode – Hub Configuration
Hub 2 – Flex, Multicast and Interfaces

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Hub2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 vrf forwarding RED
 ip unnumbered Loopback0
 ip access-group AllowMyBGP in
 ip pim sparse-mode
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel protection ipsec profile default
!
ip pim vrf RED rp-address 10.0.0.252
!
ip msdp vrf RED peer 10.0.0.254 connect-source Loopback0
ip msdp vrf RED cache-sa-state

vrf definition RED
 rd 2:2
 address-family ipv4
 address-family ipv6
!
interface Loopback0
 vrf forwarding RED
 ip address 10.0.0.253 255.255.255.255
!
interface Loopback1
 vrf forwarding RED
 ip address 10.0.0.252 255.255.255.255
!
interface Tunnel100
 vrf forwarding RED
 ip unnumbered Loopback0
 ip pim sparse-mode
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/1
 tunnel destination 192.168.100.2
 tunnel vrf ivrf

Slide callouts: Loopback1 is the anycast Rendez-Vous Point loopback and carries the same address as on Hub 1 (10.0.0.252, anycast).

Flex & Sparse-Mode – Hub Configuration
Hubs Common BGP Configuration – With SAFI 2 and SAFI 129

ip route vrf RED 10.0.0.0 255.0.0.0 Tunnel100 tag 2
ip route vrf RED 192.168.0.0 255.255.0.0 Tunnel100 tag 2
!
router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/24 peer-group Flex
 !
 address-family ipv4 vrf RED
  redistribute static route-map rm
  neighbor Flex peer-group
  neighbor Flex remote-as 1
  neighbor Flex next-hop-self all
 exit-address-family
 !
 address-family ipv4 multicast vrf ivrf
  neighbor Flex peer-group
  neighbor Flex remote-as 1
  neighbor Flex default-originate
 exit-address-family
!
route-map rm permit 10
 match tag 2

Slide callouts: "address-family ipv4 vrf RED" is the vanilla BGP configuration; "address-family ipv4 multicast" uses mBGP to advertise a prefix in the MuRIB only; "neighbor Flex default-originate" (Default Originate) does the trick.
Flex & Sparse-Mode – Spoke Configuration
Client/Receiver and Source Spoke

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Spoke2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1

! Rendez-Vous Point Definition
ip pim rp-address 10.0.0.252

router bgp 1
 bgp log-neighbor-changes
 neighbor 10.0.0.253 remote-as 1
 neighbor 10.0.0.254 remote-as 1
 address-family ipv4
  network 192.168.2.0
  neighbor 10.0.0.253 activate
  neighbor 10.0.0.254 activate
  maximum-paths ibgp 2
 ! Receive SAFI 2 & SAFI 129
 address-family ipv4 multicast
  neighbor 10.0.0.253 activate
  neighbor 10.0.0.254 activate

interface Loopback0
 ip address 10.0.0.2 255.255.255.255

! Activate PIM on Tunnel Interfaces
interface Tunnel0
 ip unnumbered Loopback0
 ip pim sparse-mode
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 172.16.1.1
 tunnel protection ipsec profile default
!
interface Tunnel1
 ip unnumbered Loopback0
 ip pim sparse-mode
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 172.16.4.1
 tunnel protection ipsec profile default

! No PIM on V-Template!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel protection ipsec profile default
PIM SSM Overview – SSM Recommended
Super Simple – Shared Tree is the Source Tree

[Diagram: hubs 10.0.0.254 (.1) and 10.0.0.253 (.2) on 192.168.100.0/24, each with Virtual-Access 1 and 2 toward the spokes; receiver spoke 10.0.0.2 (LAN 192.168.2.0/24, receiver 192.168.2.2) and source spoke 10.0.0.3 (LAN 192.168.3.0/24, source 192.168.3.2), each with Tunnel 0 and Tunnel 1 to the hubs. The IGMP Join for (192.168.3.2, 239.0.0.1) from 192.168.2.2 becomes a PIM Join for (192.168.3.2, 239.0.0.1) that travels spoke 10.0.0.2 -> hub 10.0.0.254 -> hub 10.0.0.253 -> spoke 10.0.0.3.]

Hub 10.0.0.254:
(192.168.3.2, 239.0.0.1), 00:02:37, flags: T
  Incoming interface: Tunnel100, RPF nbr 10.0.0.253
  Outgoing interface list:
    Virtual-Access1, Forward/Sparse, 06:37:18/00:03:07

Hub 10.0.0.253:
(192.168.3.2, 239.0.0.1), 00:01:08/00:03:27, flags: T
  Incoming interface: Virtual-Access1, RPF nbr 10.0.0.3
  Outgoing interface list:
    Tunnel100, Forward/Sparse, 00:02:02/00:03:26

Receiver spoke 10.0.0.2:
(192.168.3.2, 239.0.0.1), 00:02:08/00:00:51, flags: sTI
  Incoming interface: Tunnel0, RPF nbr 10.0.0.254
  Outgoing interface list:
    Ethernet0/1, Forward/Sparse, 00:02:08/00:02:50

Source spoke 10.0.0.3:
(192.168.3.2, 239.0.0.1), 00:00:35/00:02:24, flags: sT
  Incoming interface: Ethernet0/1, RPF nbr 0.0.0.0
  Outgoing interface list:
    Tunnel1, Forward/Sparse, 00:02:04/00:03:23

PIM SSM Overview
No Tree Modification with Multicast Traffic

[Diagram: same topology as the previous slide. Traffic 192.168.3.2 -> 239.0.0.1 flows from source spoke 10.0.0.3 over Tunnel 1 to hub 10.0.0.253, over Tunnel100 to hub 10.0.0.254, and down Tunnel 0 to spoke 10.0.0.2 and receiver 192.168.2.2. The (S,G) state on all four routers is unchanged:]

Hub 10.0.0.254:
(192.168.3.2, 239.0.0.1), 00:02:37, flags: T
  Incoming interface: Tunnel100, RPF nbr 10.0.0.253
  Outgoing interface list:
    Virtual-Access1, Forward/Sparse, 06:37:18/00:03:07

Hub 10.0.0.253:
(192.168.3.2, 239.0.0.1), 00:01:08/00:03:27, flags: T
  Incoming interface: Virtual-Access1, RPF nbr 10.0.0.3
  Outgoing interface list:
    Tunnel100, Forward/Sparse, 00:02:02/00:03:26

Receiver spoke 10.0.0.2:
(192.168.3.2, 239.0.0.1), 00:02:08/00:00:51, flags: sTI
  Incoming interface: Tunnel0, RPF nbr 10.0.0.254
  Outgoing interface list:
    Ethernet0/1, Forward/Sparse, 00:02:08/00:02:50

Source spoke 10.0.0.3:
(192.168.3.2, 239.0.0.1), 00:00:35/00:02:24, flags: sT
  Incoming interface: Ethernet0/1, RPF nbr 0.0.0.0
  Outgoing interface list:
    Tunnel1, Forward/Sparse, 00:02:04/00:03:23

Flex & SSM – Hub Configuration
Hubs (Common Config) – Flex, Multicast and Interfaces

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Hub1.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1

interface Virtual-Template1 type tunnel
 vrf forwarding RED
 ip unnumbered Loopback0
 ip access-group AllowMyBGP in
 ip pim sparse-mode
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel protection ipsec profile default

! No Rendez-Vous Point
! No MSDP
! Activate SSM for Group Range
ip pim ssm range 1
access-list 1 permit 239.0.0.0 0.255.255.255

vrf definition RED
 rd 2:2
 address-family ipv4
 address-family ipv6

! No Rendez-Vous Point Anycast
interface Loopback0
 vrf forwarding RED
 ip address 10.0.0.254 255.255.255.255
!
! Activate Sparse-Mode
interface Tunnel100
 vrf forwarding RED
 ip unnumbered Loopback0
 ip pim sparse-mode
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/1
 tunnel destination 192.168.100.2
 tunnel vrf ivrf

Flex & SSM – Hub Configuration
Hubs Common BGP Configuration – With SAFI 2 and SAFI 129
! No Change Here

ip route vrf RED 10.0.0.0 255.0.0.0 Tunnel100 tag 2
ip route vrf RED 192.168.0.0 255.255.0.0 Tunnel100 tag 2

router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/24 peer-group Flex
 !
 ! Vanilla BGP Configuration
 address-family ipv4 vrf RED
  redistribute static route-map rm
  neighbor Flex peer-group
  neighbor Flex remote-as 1
  neighbor Flex next-hop-self all
 exit-address-family
 !
 ! Use mBGP to advertise a prefix in the MuRIB only: Default Originate does the trick
 address-family ipv4 multicast vrf ivrf
  neighbor Flex peer-group
  neighbor Flex remote-as 1
  neighbor Flex default-originate
 exit-address-family

route-map rm permit 10
 match tag 2

Flex & SSM – Spoke Configuration
Client/Receiver and Source Spoke

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Spoke2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1

! Activate SSM for Group Range
ip pim ssm range 1
access-list 1 permit 239.0.0.0 0.255.255.255

router bgp 1
 bgp log-neighbor-changes
 neighbor 10.0.0.253 remote-as 1
 neighbor 10.0.0.254 remote-as 1
 address-family ipv4
  network 192.168.2.0
  neighbor 10.0.0.253 activate
  neighbor 10.0.0.254 activate
  maximum-paths ibgp 2
 ! Receive SAFI 2 & SAFI 129
 address-family ipv4 multicast
  neighbor 10.0.0.253 activate
  neighbor 10.0.0.254 activate

! IGMPv3 on receiver facing interfaces
interface Ethernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip igmp version 3

! Activate PIM on Tunnel Interfaces
interface Tunnel0
 ip unnumbered Loopback0
 ip pim sparse-mode
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 172.16.1.1
 tunnel protection ipsec profile default
!
interface Tunnel1
 ip unnumbered Loopback0
 ip pim sparse-mode
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 172.16.4.1
 tunnel protection ipsec profile default

! No PIM on V-Template!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel protection ipsec profile default
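As an added check (example code written for this page, not from the deck or from Cisco), a small Python linter that parses a spoke configuration and tests the rules the callouts state: PIM on every FlexVPN tunnel, no PIM on the virtual-template, IGMPv3 on receiver-facing interfaces, and an SSM range whose access-list exists. The sample configuration is constructed and condensed, and treating interfaces named in `tunnel source` as WAN-facing is an assumption of the script.

```python
import re
# Constructed sample, condensed from the SSM spoke slide, with two errors planted:
# Tunnel1 lacks PIM and Virtual-Template1 has it (slide: "No PIM on V-Template!").
SPOKE_CONFIG = """\
ip pim ssm range 1
access-list 1 permit 239.0.0.0 0.255.255.255
interface Ethernet0/0
interface Ethernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip igmp version 3
interface Tunnel0
 ip pim sparse-mode
 tunnel source Ethernet0/0
 tunnel protection ipsec profile default
interface Tunnel1
 tunnel source Ethernet0/0
 tunnel protection ipsec profile default
interface Virtual-Template1 type tunnel
 ip pim sparse-mode
 tunnel protection ipsec profile default
"""

def parse_interfaces(config):
    """Map each 'interface <name>' header to its indented sub-commands (stripped)."""
    blocks = {}
    for name, body in re.findall(r"^interface (\S+).*\n((?: .*\n)*)", config + "\n", re.M):
        blocks[name] = [l.strip() for l in body.splitlines()]
    return blocks

def check_ssm_spoke(config):
    """Return findings that contradict the slide's SSM spoke rules (empty list = clean)."""
    findings, ifaces = [], parse_interfaces(config)
    # Assumption: interfaces named in 'tunnel source' are WAN-facing; other Ethernets face receivers.
    wan = {l.split()[-1] for ls in ifaces.values() for l in ls if l.startswith("tunnel source")}
    for name, lines in ifaces.items():
        is_vt, has_pim = name.startswith("Virtual-Template"), "ip pim sparse-mode" in lines
        if any(l.startswith("tunnel protection ipsec") for l in lines) and not is_vt and not has_pim:
            findings.append(f"{name}: FlexVPN tunnel without 'ip pim sparse-mode'")
        if is_vt and has_pim:
            findings.append(f"{name}: PIM must not be enabled on the virtual-template")
        if name.startswith("Ethernet") and name not in wan and "ip igmp version 3" not in lines:
            findings.append(f"{name}: receiver-facing LAN interface without IGMPv3")
    m = re.search(r"^ip pim ssm range (\d+)", config, re.M)
    if not m:
        findings.append("global: 'ip pim ssm range' missing")
    elif not re.search(rf"^access-list {m.group(1)} permit ", config, re.M):
        findings.append(f"global: access-list {m.group(1)} for the SSM range has no permit entry")
    return findings
```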
CLI of Interest

show ip mroute [vrf red]
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry, E - Extranet,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group,
       G - Received BGP C-Mroute, g - Sent BGP C-Mroute,
       Q - Received BGP S-A Route, q - Sent BGP S-A Route,
       V - RD & Vector, v - Vector
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.0.0.1), 01:02:37/00:02:15, RP 10.0.0.252, flags: SJC
  Incoming interface: Tunnel0, RPF nbr 10.0.0.254
  Outgoing interface list:
    Ethernet0/1, Forward/Sparse, 01:02:37/00:02:15

show ip route multicast [vrf red]
Routing Table: multicast
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 172.16.2.2 to network 0.0.0.0

S* +  0.0.0.0/0 [254/0] via 172.16.2.2
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
B  +  10.0.0.0/8 [200/0] via 10.0.0.254, 00:44:32
                 [200/0] via 10.0.0.253, 00:44:32
L     10.0.0.2/32 is directly connected, Loopback0
S  +  10.0.0.253/32 is directly connected, Tunnel1
S  +  10.0.0.254/32 is directly connected, Tunnel0
      172.16.0.0/32 is subnetted, 1 subnets
L     172.16.2.1 is directly connected, Ethernet0/0
B  +  192.168.0.0/16 [200/0] via 10.0.0.254, 00:44:32
                     [200/0] via 10.0.0.253, 00:44:32
      192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C     192.168.2.0/24 is directly connected, Ethernet0/1
L     192.168.2.1/32 is directly connected, Ethernet0/1

show ip msdp [vrf red] sa-cache
MSDP Source-Active Cache - 1 entries
(192.168.3.2, 239.0.0.1), RP 192.168.100.4, BGP/AS 1, 00:00:03/00:05:56, Peer 10.0.0.253

ISE CoA demo
ISE – Authorization Policies

ISE – Authorization Profile

CoA Terminating

CoA Terminating

CoA Terminating

Client shows up as connected

CoA Terminating

Terminate session
with CoA

