BRKSEC-3006
Cisco Public
Housekeeping
We value your feedback: don't forget to complete your online session evaluations after each session, and complete the Overall Conference Evaluation, which will be available online from Thursday.
Visit the World of Solutions.
Please remember this is a 'non-smoking' venue!
Please switch off your mobile phones.
Please make use of the recycling bins provided.
Please remember to wear your badge at all times, including the Party.
Agenda
DMVPN phases
Phase 2 and phase 3 comparison
Shortcut switching
NHRP forwarding
GET vs DMVPN
Session objectives
DMVPN phase 2 and 3 comparison
Large IPsec VPN mesh designs
Integrating DMVPN with other features: VRF, PKI, IPv6, QoS
Nomenclature: Transport
[Figure: transport network. Hub LAN 192.168.254.0/24, Spoke 1 LAN 192.168.0.0/29, Spoke 2 LAN 192.168.0.8/29. The routers' addresses on the transport network are their NBMA addresses; the DMVPN tunnels are built between them.]
BRKSEC-3006 2009 Cisco Systems, Inc. All rights reserved. Cisco Public
Nomenclature: Overlay
[Figure: overlay network. Hub LAN 192.168.254.0/24, Spoke 1 LAN 192.168.0.0/29, Spoke 2 LAN 192.168.0.8/29. The routers' addresses inside the tunnel are their tunnel addresses; the LAN prefixes are the overlay/private addresses.]
Spoke Registration
Hub (192.168.254.0/24) tunnel configuration:
 ip address 10.0.0.254 255.255.255.0
 ip nhrp network-id 1
Hub NHRP table after registration (tunnel address, NBMA address):
 10.0.0.1 172.16.1.1
 10.0.0.2 172.16.2.1
Spoke 1 (192.168.0.0/29, tunnel address 10.0.0.1) tunnel configuration; Spoke 2 (192.168.0.8/29) is configured alike:
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map 10.0.0.254 172.16.254.1
 ip nhrp nhs 10.0.0.254
[Figure: each spoke sends an NHRP registration request to the hub.]
Route exchange
Hub routing table:
 C 10.0.0.0 Tunnel0
 D 192.168.0.0/29 10.0.0.1
 D 192.168.0.8/29 10.0.0.2
Spoke 1 192.168.0.0/29, Spoke 2 192.168.0.8/29
IT DEPENDS !!
Hub 192.168.254.0/24
Spoke 1 (192.168.0.0/29) routing table:
 C 192.168.0.0/29 Eth0
 C 10.0.0.0 Tunnel0
 S 172.16.254.1 Dialer0
 D 192.168.0.0/16 10.0.0.254
Spoke 2 (192.168.0.8/29) routing table:
 C 192.168.0.8/29 Eth0
 C 10.0.0.0 Tunnel0
 S 172.16.254.1 Dialer0
 D 192.168.0.0/16 10.0.0.254
Hub 192.168.254.0/24
Spoke 1 (192.168.0.0/29) routing table:
 C 192.168.0.0/29 Eth0
 C 10.0.0.0 Tunnel0
 S 0.0.0.0/0 Dialer0
 D 192.168.0.8/29 10.0.0.2
Spoke 2 (192.168.0.8/29) routing table:
 C 192.168.0.8/29 Eth0
 C 10.0.0.0 Tunnel0
 S 0.0.0.0/0 Dialer0
 D 192.168.0.0/29 10.0.0.1
Hub 192.168.254.0/24; Spoke 1 tunnel address 10.0.0.1
Spoke 1 (192.168.0.0/29) routing table:
 C 192.168.0.0/29 Eth0
 C 10.0.0.0 Tunnel0
 S 0.0.0.0/0 Dialer0
 D 192.168.0.8/29 10.0.0.2
Spoke 2 (192.168.0.8/29) routing table:
 C 192.168.0.8/29 Eth0
 C 10.0.0.0 Tunnel0
 S 172.16.254.1 Dialer0
 D 192.168.0.0/29 10.0.0.1
[Figure sequence: Spoke 1 sends an NHRP resolution request for its next hop 10.0.0.2 through the hub.]
Hub 192.168.254.0/24 (physical address 172.16.254.1); Spoke 1 tunnel address 10.0.0.1
Spoke 1 (192.168.0.0/29) routing table:
 C 192.168.0.0/29 Eth0
 C 10.0.0.0 Tunnel0
 S 0.0.0.0/0 Dialer0
 D 192.168.0.0/16 10.0.0.254
Spoke 2 (192.168.0.8/29) routing table:
 C 192.168.0.8/29 Eth0
 C 10.0.0.0 Tunnel0
 S 172.16.254.1 Dialer0
 D 192.168.0.0/29 10.0.0.254
Spoke tunnel configuration addition:
 ip nhrp shortcut
Spoke 1 NHRP table once the shortcut is installed (overlay destination, NBMA address):
 10.0.0.254 172.16.254.1
 10.0.0.2 172.16.2.1
 192.168.0.8/29 172.16.2.1
NHRP forwarding
Otherwise, look up the address in the routing table (RIB).
If the next hop belongs to the same DMVPN, i.e. the nhrp network-id of the next hop is the same as that of the incoming request:
 treat the found next hop as an NHS;
 forward the resolution request to that next hop.
Platforms
6500/7600 (12.2(18)SXF4) with VPN-SPA + Sup720: no Phase 3 capability yet
7301, 7204/6, 38xx, 37xx, 36xx, 28xx, 26xx, 18xx, 17xx, 87x, 83x: Phase 1, 2 & 3
[Figure: Spoke A with a PC (.25) on 192.168.1.0/24 reaching a Web server (.37) on 192.168.2.0/24 (router .1 on each LAN); dashed lines = dynamic & temporary spoke-to-spoke IPsec tunnels.]
Activate RIP
!<x> = 1,2,
ip sla 1
 udp-echo 10.0.0.1 2000 control disable
 timeout 1000
 frequency 1
 threshold 21000
ip sla schedule 1 life forever start-time now
track 1 rtr 1 reachability
ip route 192.168.0.0 255.255.255.0 10.0.0.1 track 1
ip route 10.0.0.0 255.0.0.0 10.0.0.1 track 1
ip route 192.168.0.0 255.255.255.0 10.0.0.2 254
ip route 10.0.0.0 255.0.0.0 10.0.0.2 254
ip route 0.0.0.0 0.0.0.0 Serial 1/0
The SLA probe monitors hub1 (10.0.0.1). The primary routes are installed while track 1 is up; the floating static routes (administrative distance 254) kick in if the probes fail.
The model shown here makes hub1 primary and hub2 backup; track both hubs to make it active-active if desired.
Overall solution
HQ network: aggregation router.
Cluster of DMVPN hubs: aggregates user tunnels.
SLB balances connections and owns the virtual IP address.
[Figure: hubs above, spokes below.]
When a hub is chosen for a tunnel, all packets go to the same hub (stickiness).
Once a decision is made for IKE, the same is made for ESP (buddying).
[Figure: two hubs (.2 and .3 on 10.1.0.0/24 and 10.1.1.0/24, aggregation router .1), each with Loopback 172.17.0.1 and Tunnel0 10.0.255.254/16; load balancer VIP 172.17.0.1 (no tunnel). Spoke A 192.168.1.1/29 and Spoke B 192.168.2.1/29; spoke physical address (dynamic) 172.16.2.1, Tunnel0 10.0.0.2. Supernet: 192.168.0.0/16.]
Load Balancer
We will use an IOS-SLB.
IOS SLB runs on top of a c7200 or Catalyst 6500; as of today, opt for 12.2S or 12.1E releases.
The LB must be able to do layer 3 and 4 load balancing; upper layers are useless (encrypted).
Content Switching Module 3.1 or above will work too, but we do not need most of its features (layer 5+).
ACE is OK, but NAT-T must be disabled.
Any SLB will do.
If all the hubs are equivalent, the weight is the same for all
Same farm: buddying
vserver  prot  client              real      state  nat
------------------------------------------------------------
IKESLB   UDP   64.103.8.8:500      10.1.0.2  ESTAB  none
ESPSLB   ESP   217.136.116.189:0   10.1.0.2  ESTAB  none
IKESLB   UDP   213.224.65.3:500    10.1.0.2  ESTAB  none
ESPSLB   ESP   80.200.49.217:0     10.1.0.2  ESTAB  none
ESPSLB   ESP   217.136.132.202:0   10.1.0.3  ESTAB  none

SLB-7200#clear ip slb connections ?
  firewallfarm  Clear connections for a firewallfarm
  serverfarm    Clear connections for a specific serverfarm
  vserver       Clear connections for a specific virtual server
  <cr>

SLB-7200#sh ip slb reals
real      farm name  weight  state        conns
------------------------------------------------
10.1.0.2  HUBS       4       OPERATIONAL  4
10.1.0.3  HUBS       4       OPERATIONAL  1
interface Tunnel0
 bandwidth 10000
 ip address 10.0.255.254 255.255.0.0    ! must be the same on all hubs; the mask allows 2^16-2 nodes
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast dynamic
 ip nhrp network-id 1                   ! must be the same on all hubs
 ip nhrp holdtime 3600
 tunnel source Loopback0                ! Loopback0 mask is /32
 tunnel mode gre multipoint
 tunnel protection ipsec profile tp
 cdp enable
end
interface FastEthernet0/0
 ip address 10.1.0.{2,3} 255.255.255.0
interface FastEthernet0/1
 ip address 10.1.1.{2,3} 255.255.255.0
Remember: all the spokes have the same configuration.
[Figure: Spokes 1 to 4; physical and tunnel addresses: Spoke 2 172.16.2.1 / 10.0.0.2, Spoke 3 172.16.3.1 / 10.0.0.3, Spoke 4 172.16.4.1 / 10.0.0.4.]
Spoke A (192.168.1.1/29):
interface Tunnel0
 cdp enable                                  ! activate ODR over the tunnel
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.0 255.255.0.0 10.0.0.1
ip route 10.0.0.0 255.0.0.0 10.0.0.1
Hub:
interface Tunnel0
 cdp enable                                  ! activate ODR over the tunnel
router odr
 distribute-list 1 in
access-list 1 permit 192.168.0.0 0.0.255.255
router bgp 1
 redistribute odr
 neighbor 10.1.1.1 remote-as 1
 neighbor 10.1.1.1 next-hop-self
Aggregation router (10.1.1.1):
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 aggregate-address 10.0.0.0 255.0.0.0 summary-only
 aggregate-address 192.168.0.0 255.0.0.0 summary-only
 neighbor HUB peer-group
 neighbor HUB remote-as 1
 neighbor 10.1.1.2 peer-group HUB
 neighbor 10.1.1.3 peer-group HUB
 neighbor <other hubs> peer-group HUB
 no auto-summary
[Figure: aggregation router with hubs 10.1.1.2 and 10.1.1.3; spokes 2, 3 and 4 at 172.16.2.1 / 10.0.0.2, 172.16.3.1 / 10.0.0.3 and 172.16.4.1 / 10.0.0.4.]
Hub 10.1.1.2 NHRP table:
 10.0.0.1 172.16.1.1
 10.0.0.3 172.16.3.1
Hub 10.1.1.2 routing table:
 o 192.168.0.0/29 10.0.0.1
 o 192.168.0.16/29 10.0.0.3
 B 192.168.0.0 10.1.1.1
 B 10.0.0.0 10.1.1.1
Hub 10.1.1.3 NHRP table:
 10.0.0.2 172.16.2.1
 10.0.0.4 172.16.4.1
Hub 10.1.1.3 routing table:
 o 192.168.0.8/29 10.0.0.2
 o 192.168.0.24/29 10.0.0.4
 B 192.168.0.0/16 10.1.1.1
 B 10.0.0.0 10.1.1.1
Hub 10.1.1.2 routing table:
 o 192.168.0.0/29 10.0.0.1
 o 192.168.16.0/29 10.0.0.3
 B 192.168.0.0 10.1.1.1
 B 10.0.0.0 10.1.1.1
Hub 10.1.1.2 NHRP table:
 10.0.0.1 172.16.1.1
 10.0.0.3 172.16.3.1
Hub 10.1.1.3 routing table:
 o 192.168.8.0/29 10.0.0.2
 o 192.168.24.0/29 10.0.0.4
 B 192.168.0.0/16 10.1.1.1
 B 10.0.0.0 10.1.1.1
Hub 10.1.1.3 NHRP table:
 10.0.0.2 172.16.2.1
 10.0.0.4 172.16.4.1
[Figure: spokes 2, 3 and 4 at 172.16.2.1 / 10.0.0.2, 172.16.3.1 / 10.0.0.3 and 172.16.4.1 / 10.0.0.4.]
Shortcut switching
Spoke configurations get a single extra line:
interface Tunnel0
 ip nhrp shortcut
! that's it!!
Spokes on a given hub will create direct tunnels.
Spokes on different hubs will NOT create tunnels.
[Figure sequence, hub tables as on the previous slide: Spoke 1 (tunnel 10.0.0.1) sends traffic for 192.168.16.0/29 behind Spoke 3 through hub 10.1.1.2; the hub forwards the packet and sends an NHRP redirect; Spoke 1 sends a resolution request, which the hub forwards to Spoke 3, the next hop in the same DMVPN. Afterwards both spokes hold NHRP entries for each other.]
Spoke 1 (physical 172.16.1.1, tunnel 10.0.0.1) NHRP table:
 10.0.255.254 172.16.0.1
 192.168.16.0/29 172.16.3.1
 10.0.0.3 172.16.3.1
Spoke 3 (physical 172.16.3.1, tunnel 10.0.0.3) NHRP table:
 10.0.255.254 172.16.0.1
 10.0.0.1 172.16.1.1
 192.168.1.0/29 172.16.1.1
[Figure: hubs .2 and .3 (10.1.1.0/24, aggregation router .1), each with Loopback 172.17.0.1 and Tunnel0 10.0.255.254/16, plus an inter-hub DMVPN on Tunnel1: 10.1.3.2/24 on hub .2 and 10.1.3.3/24 on hub .3.]
Hubs exchange their ODR information directly via BGP. The exchange occurs over the inter-hub DMVPN.
Hub 10.1.1.3 routing table with the inter-hub DMVPN:
 o 192.168.8.0/29 10.0.0.2
 o 192.168.24.0/29 10.0.0.4
 B 192.168.0.0/29 10.1.3.2
 B 192.168.16.0/29 10.1.3.2
 B 192.168.0.0/16 10.1.1.1
 B 10.0.0.0 10.1.1.1
Hub 10.1.1.3 NHRP table:
 10.0.0.2 172.16.2.1
 10.0.0.4 172.16.4.1
[Figure sequence: Spoke 4 (tunnel 10.0.0.4) sends traffic for 192.168.1.0/29 behind Spoke 1 through hub 10.1.1.3; the hub sends an NHRP redirect; Spoke 4 sends a resolution request, which follows the BGP route over the inter-hub DMVPN (next hop 10.1.3.2). Afterwards Spoke 4 and Spoke 1 hold NHRP entries for each other.]
Spoke 4 (physical 172.16.4.1, tunnel 10.0.0.4) NHRP table:
 10.0.255.254 172.16.0.1
 10.0.0.1 172.16.1.1
 192.168.1.0/29 172.16.1.1
Spoke 1 (physical 172.16.1.1, tunnel 10.0.0.1) NHRP table:
 10.0.255.254 172.16.0.1
 192.168.24.0/29 172.16.4.1
 10.0.0.4 172.16.4.1
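The forwarding rule from the NHRP forwarding slide, applied to this two-hub design, as an added Python model (not from the deck): a resolution request arriving at hub 10.1.1.3 for a host behind spoke 1 (registered on hub 10.1.1.2) is answered by the hub itself when there is no inter-hub DMVPN, and forwarded hub to hub and on to spoke 1 when there is one. Assumptions: the inter-hub Tunnel1 carries the same nhrp network-id 1 as Tunnel0, a router whose RIB points out a non-DMVPN interface answers the request with its own NBMA address, and the router names, the shared hub NBMA 172.17.0.1 and the RIB contents are constructed from the deck's diagrams.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # overlay next hop; None means directly connected
    interface: str

@dataclass
class Router:
    name: str
    nbma: str                 # transport (NBMA) address returned in a resolution reply
    tunnels: Dict[str, int]   # DMVPN interface -> ip nhrp network-id
    rib: List[Route]

    def lookup(self, dst: ipaddress.IPv4Address) -> Optional[Route]:
        hits = [r for r in self.rib if dst in r.prefix]   # longest-prefix match, as the RIB does
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

    def handle_resolution_request(self, dst: str, network_id: int):
        route = self.lookup(ipaddress.ip_address(dst))
        if route is None:
            return "drop", None
        if route.next_hop is None:
            return "reply", self.nbma           # destination is behind this router
        if self.tunnels.get(route.interface) == network_id:
            return "forward", route.next_hop    # same DMVPN: treat the next hop as an NHS
        return "reply", self.nbma               # next hop outside this DMVPN: answer ourselves (modelled assumption)

def resolve(routers, owner, first_hop, dst, network_id, max_hops=8):
    # Walk the request router by router until one replies; returns (routers visited, NBMA in the reply).
    path, node = [first_hop], first_hop
    for _ in range(max_hops):
        action, value = routers[node].handle_resolution_request(dst, network_id)
        if action != "forward":
            return path, value
        node = owner[value]                     # router that holds that overlay next hop
        path.append(node)
    return path, None

def build_topology(inter_hub_dmvpn: bool):
    # Constructed after the deck: two hubs behind one SLB VIP (shared NBMA 172.17.0.1), spoke 1 on hub 2, ODR into BGP.
    N = ipaddress.ip_network
    spoke1 = Router("spoke1", "172.16.1.1", {"Tunnel0": 1}, [
        Route(N("192.168.0.0/29"), None, "Eth0"),
        Route(N("192.168.0.0/16"), "10.0.255.254", "Tunnel0")])
    hub2 = Router("hub2", "172.17.0.1", {"Tunnel0": 1, "Tunnel1": 1}, [
        Route(N("192.168.0.0/29"), "10.0.0.1", "Tunnel0"),             # ODR from spoke 1
        Route(N("192.168.16.0/29"), "10.0.0.3", "Tunnel0"),            # ODR from spoke 3
        Route(N("192.168.0.0/16"), "10.1.1.1", "FastEthernet0/1")])   # BGP from the aggregation router
    hub3 = Router("hub3", "172.17.0.1", {"Tunnel0": 1, "Tunnel1": 1}, [
        Route(N("192.168.8.0/29"), "10.0.0.2", "Tunnel0"),
        Route(N("192.168.24.0/29"), "10.0.0.4", "Tunnel0"),
        Route(N("192.168.0.0/16"), "10.1.1.1", "FastEthernet0/1")])
    if inter_hub_dmvpn:
        # Hubs exchange their ODR routes via BGP over the inter-hub DMVPN (Tunnel1, same network-id).
        hub3.rib += [Route(N("192.168.0.0/29"), "10.1.3.2", "Tunnel1"),
                     Route(N("192.168.16.0/29"), "10.1.3.2", "Tunnel1")]
        hub2.rib += [Route(N("192.168.8.0/29"), "10.1.3.3", "Tunnel1"),
                     Route(N("192.168.24.0/29"), "10.1.3.3", "Tunnel1")]
    routers = {r.name: r for r in (spoke1, hub2, hub3)}
    owner = {"10.0.0.1": "spoke1", "10.1.3.2": "hub2", "10.1.3.3": "hub3"}
    return routers, owner
```

Without the inter-hub DMVPN the request for 192.168.0.1 stops at hub3, which answers with the hub VIP (no shortcut across hubs); with it the request travels hub3, hub2, spoke1 and comes back with spoke 1's NBMA address 172.16.1.1.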
Adding hubs
[Figure: hubs .2, .3, .4 and .5 on 10.1.2.0/24 behind aggregation router .1 (10.1.1.0/24); inter-hub DMVPN Tunnel1 addresses 10.1.3.1/24 to 10.1.3.5/24.]
Resilience is N+1.
No need to touch the hubs while adding a spoke: all spokes have the same configuration.
New hubs can be added/removed on the fly; BGP needs to be told about the new hub.
EIGRP may be used instead of BGP: fully automatic.
Routing
VRF tunneling
[Figure: per-VRF protocol stack. Layer 5+: IKE, AAA; Layer 4; Layer 3 helpers; Layer 3; Layer 2. VRFs: Global, Red, Blue, Green.]
Group 2: Finance
Certificate
  Status: Available
  Certificate Serial Number: 300
  Certificate Usage: General Purpose
  Issuer:
    cn=blue-lab CA
    o=CISCO
  Subject:
    Name: Router300.cisco.com
    o=CISCO
    ou=Finance
  Validity Date:
    start date: 14:34:30 UTC Mar 31 2004
    end   date: 14:34:30 UTC Apr 1 2009
  Associated Trustpoints: LaBcA
Certificate maps
We need to map users to their respective tunnels. The only useful attribute is the Organizational Unit (ou).
crypto pki certificate map engineering_map 10
 subject-name co ou = Engineering
crypto pki certificate map finance_map 10
 subject-name co ou = Finance
crypto isakmp profile fin-ikmp-prof
 ca trust-point LaBcA
 match certificate finance_map
[Figure: the ISAKMP profiles fin-ikmp-prof and eng-ikmp-prof are each tied to PKI through their certificate map.]
crypto ipsec profile fin-ipsec-prof
 set transform-set high-security
 set isakmp-profile fin-ikmp-prof
[Figure: an IKE session that matches the Finance ISAKMP profile is bound to the Finance tunnel; the Engineering profile is bound to the Engineering tunnel.]
DMVPN IPv6
NHRP supports IPv6 since 12.4(20)T.
The feature is very similar to v4 support: registrations, resolutions, ...
Only DMVPN phase 3 is supported: no phase 2 design!!
No VRF support yet, due to routing protocol limitations.
Spoke configuration
interface Tunnel0
 ipv6 address fe80::2002 link-local         ! unique link-local address
 ipv6 address 2001::2/64                    ! global or locally reachable address
 ipv6 nhrp map 2001::1 172.17.0.1
 ipv6 nhrp map multicast 172.17.0.1
 ipv6 nhrp nhs 2001::1
 ipv6 nhrp network-id 1
 tunnel mode gre multipoint
 tunnel source                              ! IPv4 address or interface
 tunnel protection ipsec profile
Business almost as usual.
Hub configuration
interface Tunnel0
 ipv6 address fe80::2001 link-local         ! unique link-local address
 ipv6 address 2001::1/64                    ! global or locally reachable address
 ipv6 nhrp network-id 1
 ipv6 nhrp map multicast dynamic
 tunnel mode gre multipoint
 tunnel protection ipsec profile
 tunnel source                              ! IPv4 address or interface
Business almost as usual.
Subtle differences
Hub#show ipv6 nhrp
2001::2/128 via 2001::2
   Tunnel0 created 00:04:47, expire 01:59:49
   Type: dynamic, Flags: unique registered used
   NBMA address: 1.0.0.2
2001::3/128 via 2001::3
   Tunnel0 created 00:04:03, expire 01:59:49
   Type: dynamic, Flags: unique registered used
   NBMA address: 1.0.0.3
FE80::2/128 via 2001::2
   Tunnel0 created 00:04:47, expire 01:59:49
   Type: dynamic, Flags: unique registered
   NBMA address: 1.0.0.2
FE80::3/128 via 2001::3
   Tunnel0 created 00:04:43, expire 01:59:49
   Type: dynamic, Flags: unique registered
   NBMA address: 1.0.0.3
Per-tunnel QoS
[Figure: hub behind an ISP router, with Greedy Spoke 3 among the spokes.]
The greedy spoke calls for a lot of traffic (VoIP calls, DB transfers, ...). It overruns the hub CE or the WAN link.
Packets are dropped, which starves the other spokes.
One ACL and class map per spoke (spoke1, spoke2, spoke3 and hub stand for the spoke and hub addresses):
access-list 101 permit esp host spoke1 host hub
class-map tunnel1
 match access-group 101
access-list 102 permit esp host spoke2 host hub
class-map tunnel2
 match access-group 102
access-list 103 permit esp host spoke3 host hub
class-map tunnel3
 match access-group 103
Per-tunnel QoS
Per-tunnel QoS applies a dynamic per-spoke QoS policy on the hub.
Spokes are split into groups; groups are mapped to a QoS template.
Policing (dropping) and marking are also applied at the tunnel; queuing and scheduling happen at the physical interface.
[Figure: the QoS policy on each tunnel does classification, policing and marking (Tunnel 1, 2 and 3, data and voice classes); the crypto engine encrypts per SA; the derived interface QoS policy on the physical interface performs hierarchical queueing per tunnel (Tunnel 1 policy, Tunnel 2 policy, Tunnel 3 policy, each with data and voice queues).]
Policy provisioning via CLI and AAA.
Available on 7200 and 3800.
Catalysts will require next-generation VPN hardware (5G).
ASR agenda still TBD.
Spoke in group 2:
interface Tunnel0
 ip nhrp group <name2>
Hub:
policy-map PM2
 class class-default
  shape average 500000                      ! offer 500 kbps to each tunnel
interface Tunnel0
 ip nhrp map group <name1> service-policy output PM1
 ip nhrp map group <name2> service-policy output PM2
Hierarchical shaper
Tunnel bandwidth: the parent policy.
Each tunnel is given a maximum bandwidth; a shaper provides the backpressure mechanism.
[Figure: GET VPN group members sharing a TEK. A packet IP(s=PC,d=Web) TCP from PC .25 (192.168.1.0/24) is encrypted and carried with the same header IP(s=PC,d=Web) to Web .37 (192.168.2.0/24, 192.168.3.0/24); routers are .1 on each LAN.]
Multicast requires replication before encryption, usually on hubs.
GET VPN is a proxy VPN: encrypted packets have the same addresses as the protected packets.
It does not isolate address spaces and requires end-to-end routing.
The transport network takes care of routing packets; multicast can happen in the core if the core supports it.
When the transport network is optimized (GET); when the transport network is dumb (DMVPN).
Some designs link GET and DMVPN: making DMVPN hubs also Group Members, DMVPN over Internet links to GET over MPLS. Takes the best of both worlds.
DMVPN Enhancements

Feature                   | Previous limitation                                                   | New feature & associated benefits                                       | Release
-                         | Large routing tables at spokes sometimes caused network instability.  | -                                                                       | -
DMVPN debug enhancements  | Complex troubleshooting                                               | All tables with a single show command; per-peer debugging also possible | 12.4(9)T
NHRP MIB                  | Network monitoring difficult or impossible                            | Monitoring of NHRP tables via SNMP                                      | 12.4(20)T
DMVPN IPv6                | Limited to IPv4                                                       | Allows IPv6 in the overlay network                                      | 12.4(20)T
-                         | Complex QoS configuration. Not working well with dynamic spoke NBMAs. | -                                                                       | -
Session Summary
Phase 3 is subtly different from phase 2, most visibly in the routing topology.
Recommended sessions
Server Load Balancing Design: BRKAPP-2002 by Floris Gransvarle
Q and A