Advanced FlexVPN Designs - …d2zmdbbm9feqrf.cloudfront.net/2013/usa/pdf/BRKSEC-3013.pdf · Hub &...


Advanced FlexVPN Designs BRKSEC-3013

Frederic Detienne

Distinguished Engineer


© 2013 Cisco and/or its affiliates. All rights reserved. BRKSEC-3013 Cisco Public

Agenda


FlexVPN brief recap

– IKEv2 + AAA

– Shortcut switching example

Per Tunnel QoS

Redundant FlexMesh

Remote Access

– AnyConnect 3.0 Mobile

– Multi-VRF and QoS

End-to-End VRF with MPLSoFlex

FlexVPN Recap – IKEv2, Authentication and Authorization

Flex is IKEv2 Only – Why Flex now?

IKEv1: ISAKMP (RFC 2408), DOI (RFC 2407), IKE (RFC 2409), with NAT-T, DPD and Mode-config added on top. IKEv2: RFC 5996.

Same objectives:
– Authentication
– Integrity
– Privacy

More secure:
– Suite B
– Anti-DoS

Authentication options:
– EAP
– Hybrid Auth
– PSK, RSA-Sig

Similar but different:
– Uses UDP ports 500 & 4500
– Identity exchange is cleaner
– Main + Aggressive modes → INITIAL exchange
– Ack'ed notifications

Key IKEv2 Differentiators – This matters:

– More secure: Suite B, Anti-DoS
– Authentication options: EAP, Hybrid Auth, PSK, RSA-Sig
– Similar but different: Identity exchange is cleaner

FlexVPN Config

  crypto ikev2 profile default
   match identity remote fqdn domain cisco.com
   identity local fqdn R1.cisco.com
   authentication local rsa-sig
   authentication remote eap
   pki trustpoint TP sign
   aaa authentication eap default
   aaa authorization user eap
   virtual-template 1
  !
  interface Virtual-Template1 type tunnel
   ip unnumbered loopback0
   tunnel protection ipsec profile default
   tunnel mode ipsec ipv4

The same IKEv2 profile and Virtual-Template serve every deployment model:
– Remote Access
– Hub & Spoke
– Interop & Legacy crypto map peer
– Dual Stack v4/v6
– Spoke-Spoke shortcut switching (ip nhrp network-id 1 on the template)

All IKEv2 parameters are tunable "per-peer" via AAA.

IKEv2 CLI Overview – Proposal, Policy and Keyring

  crypto ikev2 proposal default
   encryption aes-cbc-256 aes-cbc-128 3des
   integrity sha512 sha256 sha1 md5
   group 5 2
  !
  crypto ikev2 policy default
   match fvrf any
   proposal default
  !
  crypto ikev2 keyring IOSKeyring
   peer cisco
    address 10.0.1.1
    pre-shared-key local CISCO
    pre-shared-key remote OCSIC
  !
  crypto ikev2 authorization policy default
   route set interface
   route accept any

– IKEv2 Proposal: the algorithm sets offered
– IKEv2 Policy binds the Proposal to the peer L3 (address / FVRF)
– Keyring supports asymmetric Pre-Shared Keys (different local and remote keys)
– Authorization Policy for local AAA and Mode-Config exchange

IKEv2 CLI Overview – IKEv2 Profile (extensive CLI)

The alternative forms of each statement are listed side by side; a real profile uses one of them.

  crypto ikev2 profile default
   identity local address 10.0.0.1
   identity local fqdn local.cisco.com
   identity local email [email protected]
   identity local dn
   match identity remote address 10.0.1.1
   match identity remote fqdn remote.cisco.com
   match identity remote fqdn domain cisco.com
   match identity remote email [email protected]
   match identity remote email domain cisco.com
   match certificate certificate_map
   match fvrf red
   match address local 172.168.1.1
   authentication local pre-share
   authentication local rsa-sig
   authentication local eap
   authentication remote pre-share
   authentication remote rsa-sig
   authentication remote eap
   keyring local IOSKeyring
   keyring aaa AAAlist
   pki trustpoint <trustpoint_name>

– Matching on peer identity or certificate
– Matching on local address and front VRF
– Self identity control (identity local)
– Asymmetric local and remote authentication methods
– IOS-based and AAA-based Pre-Shared Keyring

IKEv2 Basic Negotiation

The first pair of messages is IKE_SA_INIT, the second pair IKE_AUTH:

  Initiator                                                     Responder
  HDR, SAi1, KEi, Ni                                       -->
                                                           <--  HDR, SAr1, KEr, Nr, [Certreq]
  HDR, SK {IDi, [Cert], [Certreq], [IDr], AUTH, SAi2, TSi, TSr}  -->
                                                           <--  HDR, SK {IDr, [Cert], AUTH, TSi, TSr}

– HDR – IKE Header
– SA[i/r] – cryptographic algorithms the peer proposes/accepts
– KE[i/r] – Initiator/Responder Key Exchange material
– N[i/r] – Initiator/Responder Nonce
– SK – payload encrypted and integrity protected
– ID[i/r] – Initiator/Responder Identity
– Cert(req) – Certificate (request)
– AUTH – Authentication data
– SA[i/r]2 – includes SA, Proposal and Transform info to create the first CHILD_SA
– TS[i/r] – Traffic Selectors as src/dst proxies

IKEv2 Profile Match Statements

  HDR, SK {IDi, [Cert], [Certreq], [IDr], AUTH, SAi2, TSi, TSr}

The responder selects the IKEv2 profile from what the peer presents in IKE_AUTH:
– Certificate with SubjectName (CN=RouterName, O=Cisco, OU=Engineering) and IssuerName (CN=PKI Server, O=Cisco, OU=IT) → match certificate <certificate map>
– IDi address 172.16.0.1 → match identity remote address
– IDi FQDN router.cisco.com → match identity remote fqdn
– IDi email [email protected] → match identity remote email

IPsec CLI Overview – Tunnel Protection similar to DMVPN and EasyVPN

  crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
  !
  crypto ipsec profile default
   set transform-set default
   set ikev2-profile default
  !
  interface Virtual-Template1 type tunnel
   ip unnumbered Loopback0
   tunnel protection ipsec profile default
  !
  interface Tunnel0
   ip address 10.0.0.1 255.255.255.252
   tunnel source Ethernet0/0
   tunnel destination 172.16.2.1
   tunnel protection ipsec profile default

– IPsec profile defines the SA parameters and points to the IKEv2 profile
– Transform set unchanged
– Tunnel protection links the interface to the IPsec profile
– Virtual-Template: dynamic point-to-point interfaces (Virtual-Access cloned per peer)
– Tunnel0: static point-to-point interface

Introducing Smart Defaults – Intelligent, reconfigurable defaults

What you need to specify:

  crypto ikev2 profile default
   match identity remote address 10.0.1.1
   authentication local rsa-sig
   authentication remote rsa-sig
   aaa authorization user cert list default default
   pki trustpoint TP
  !
  interface Tunnel0
   ip address 192.168.0.1 255.255.255.252
   tunnel protection ipsec profile default

These constructs are the Smart Defaults; they exist without being configured and the profile above refers to them by the name "default":

  crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
  !
  crypto ipsec profile default
   set transform-set default
   set ikev2-profile default
  !
  crypto ikev2 proposal default
   encryption aes-cbc-256 aes-cbc-128 3des
   integrity sha512 sha256 sha1 md5
   group 5 2
  !
  crypto ikev2 policy default
   match fvrf any
   proposal default
  !
  crypto ikev2 authorization policy default
   route set interface
   route accept any

Reconfigurable Defaults – All defaults can be modified, deactivated and restored

Modifying defaults:

  crypto ikev2 proposal default
   encryption aes-cbc-128
   integrity md5
  !
  crypto ipsec transform-set default esp-aes 256 esp-sha-hmac

Restoring defaults:

  default crypto ikev2 proposal
  default crypto ipsec transform-set

Disabling defaults:

  no crypto ikev2 proposal default
  no crypto ipsec transform-set default

Simple Hub & Spoke – Network Diagram

[Diagram: hub with public address 172.16.0.1 and LAN 192.168.100.0/24 (hub is .1, RADIUS server .254); spokes terminate on Virtual-Access interfaces at the hub and use a Static Tunnel Interface on their side]

Hub & Spoke – Hub configuration: IKE Routing, Hybrid Auth, AAA Keyring

  aaa group server radius radius
   server-private 192.168.100.254 auth-port 1812 acct-port 1813 key cisco123
  !
  crypto ikev2 name-mangler extract-host
   fqdn hostname
  !
  aaa authorization network default group radius
  aaa accounting network default start-stop group radius
  !
  crypto ikev2 profile default
   match identity remote fqdn domain cisco.com
   identity local dn
   authentication local rsa-sig
   authentication remote pre-share
   keyring aaa default name-mangler extract-host
   pki trustpoint CA
   aaa authorization user psk cached
   virtual-template 1
  !
  interface virtual-template1 type tunnel
   ip unnumbered loopback0
   tunnel protection ipsec profile default

Per User Authorization – RADIUS profile for R1 (Password="cisco"):

  ipsec:ikev2-password-remote=xyz
  framed-ip=10.0.0.1
  ipsec:route-set=interface
  ipsec:route-set=prefix 192.168.0.0/16
  ipsec:route-accept=any

– Hybrid Authentication: the hub authenticates with rsa-sig, the spoke with a pre-shared key
– PSK on RADIUS: the peer Pre-Shared Key comes from ipsec:ikev2-password-remote; name-mangler extract-host turns R1.cisco.com into the RADIUS user name R1
– Framed Address: framed-ip assigns the spoke's tunnel address
– Summary protected prefix: ipsec:route-set=prefix 192.168.0.0/16 is pushed to the spoke
– aaa authorization user psk cached: per-user authorization from the same profile
– The hub creates a Virtual-Access from the Virtual-Template for each spoke
– Diagram: hub 172.16.0.1 on LAN 192.168.100.0/24 (.1, RADIUS .254); spoke LAN 192.168.1.0/24 (.1)

Hub & Spoke – Spoke configuration

  access-list 99 permit 192.168.1.0 0.0.0.255
  !
  crypto ikev2 authorization policy default
   route set interface
   ! route set interface is already part of the smart default policy
   route set access-list 99
  !
  crypto ikev2 keyring KR
   peer HUB
    address 172.16.0.1
    pre-shared-key local xyz
  !
  aaa authorization network default local
  !
  crypto ikev2 profile default
   match certificate HUBMAP
   identity local fqdn R3-Spoke.cisco.com
   authentication remote rsa-sig
   authentication local pre-share
   keyring local KR
   pki trustpoint CA
   aaa authorization group cert list default default
  !
  interface Tunnel0
   ip address negotiated
   tunnel source FastEthernet0/0
   tunnel destination 172.16.0.1
   tunnel protection ipsec profile default

– Spoke protected subnet: access-list 99 selects 192.168.1.0/24 for IKEv2 routing (route set access-list 99)
– Hybrid Authentication: hub rsa-sig, spoke pre-share with the Local Keyring KR
– aaa authorization group cert list default default activates the config-exchange
– ip address negotiated: the tunnel IP address is assigned by the hub
– Tunnel initiates automatically (static tunnel destination)
– Diagram: hub 172.16.0.1 on LAN 192.168.100.0/24 (.1, RADIUS .254); spoke LAN 192.168.1.0/24 (.1)

Hub & Spoke – Config Exchange

Before the exchange:
  Spoke (R1): Ethernet0/0 172.16.1.1, Ethernet0/1 192.168.1.1 (LAN 192.168.1.0/24), Tunnel0 (address negotiated). Routing: 172.16.0.1/32 via 172.16.1.254 (E0/0).
  Hub: Ethernet0/0 172.16.0.1, Ethernet0/1 192.168.100.1, Loopback0 10.0.0.254/32. Routing: 0.0.0.0/0 via 172.16.0.254 (E0/0); 192.168.100.0/24 Ethernet 0/1.
  RADIUS profile user=R1: Password=cisco, ikev2-password-remote=xyz, frame-ip=10.0.0.1, ipsec:route-set=192.168.0.0/16, ipsec:route-set=interface

Exchange:
  1. Spoke → Hub: SA Prop (AES-256, SHA-1, DH 5), KEi, Ni
  2. Hub → Spoke: SA Prop (AES-256, SHA-1, DH 5), KEr, Nr
  3. Spoke → Hub: IDi=R1.cisco.com, Auth, TSi, TSr, CFG_Req(IP4_ADDRESS, IP4_NETWORK…)
  4. Hub → Spoke: IDr, cert, Auth, TSi, TSr, CFG_Reply(IP4_ADDRESS=10.0.0.1, IP4_SUBNET=192.168.0.0/16, IP4_SUBNET=10.0.0.254/32)
  5. Spoke → Hub: CFG_set(IP4_SUBNET=10.0.0.1/32, IPV4_SUBNET=192.168.1.0/24)
  6. Hub → Spoke: CFG_ack()

After the exchange:
  Spoke: Tunnel0 address 10.0.0.1; routes 192.168.0.0/16 → Tunnel 0, 10.0.0.254/32 → Tunnel 0
  Hub: VirtualAccess1 10.0.0.254/32; routes 192.168.1.0/24 → VirtualAccess1, 10.0.0.1/32 → VirtualAccess1
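The exchange above, played out in Python as an added example (not Cisco code): the RADIUS profile and the spoke's authorization policy and ACL are constructed copies of the slide's values, and hub_cfg_reply, spoke_cfg_set, install and run_exchange are names chosen here.

```python
"""Model of the FlexVPN IKEv2 config exchange that produces the routing tables on
the 'Hub & Spoke - Config Exchange' slide. Added example, not Cisco code: RADIUS
attribute names, 'route set' / 'route accept' keywords and CFG payload names follow
the slides; the data structures are constructed for the example."""
from ipaddress import ip_network

# Constructed copy of the hub's RADIUS profile for user R1 (password left out)
R1_PROFILE = {
    "framed-ip": "10.0.0.1",
    "ipsec:route-set": ["interface", "prefix 192.168.0.0/16"],
    "ipsec:route-accept": "any",
}
HUB_TUNNEL_ADDR = "10.0.0.254"   # Loopback0; the Virtual-Template is 'ip unnumbered loopback0'

# Constructed copy of the spoke's authorization policy (smart default already has
# 'route set interface' and 'route accept any') and of access-list 99
SPOKE_POLICY = {"route set": ["interface", "access-list 99"], "route accept": "any"}
SPOKE_ACLS = {"99": ["permit 192.168.1.0 0.0.0.255"]}


def acl_prefixes(acl_lines):
    """Turn 'permit <network> <wildcard>' lines into prefixes (the wildcard is a hostmask)."""
    out = []
    for line in acl_lines:
        action, net, wildcard = line.split()
        if action == "permit":
            out.append(ip_network(f"{net}/{wildcard}"))
    return out


def route_set_subnets(entries, own_addr, acls):
    """Expand 'route set' entries into the IP4_SUBNET list a peer announces:
    'interface' -> its own tunnel address /32, 'prefix X' -> X, 'access-list N' -> ACL N."""
    subnets = []
    for entry in entries:
        keyword, _, arg = entry.partition(" ")
        if keyword == "interface":
            subnets.append(ip_network(f"{own_addr}/32"))
        elif keyword == "prefix":
            subnets.append(ip_network(arg, strict=False))
        elif keyword == "access-list":
            subnets.extend(acl_prefixes(acls[arg]))
    return subnets


def hub_cfg_reply(profile, hub_addr=HUB_TUNNEL_ADDR):
    """CFG_Reply: IP4_ADDRESS from framed-ip plus one IP4_SUBNET per route-set entry."""
    return {"IP4_ADDRESS": profile["framed-ip"],
            "IP4_SUBNET": route_set_subnets(profile["ipsec:route-set"], hub_addr, {})}


def spoke_cfg_set(assigned_addr, policy, acls):
    """CFG_set the spoke returns once it knows its negotiated tunnel address."""
    return {"IP4_SUBNET": route_set_subnets(policy["route set"], assigned_addr, acls)}


def install(rib, subnets, iface, accept):
    """Install static routes to the announced subnets via the tunnel interface.
    Without 'route accept any' the peer's subnets are ignored and nothing is installed."""
    if accept == "any":
        for net in subnets:
            rib[str(net)] = iface
    return rib


def run_exchange(profile=R1_PROFILE, policy=SPOKE_POLICY, acls=SPOKE_ACLS):
    """Play the exchange of the slide; returns (spoke routing table, hub routing table)."""
    spoke_rib, hub_rib = {}, {}
    reply = hub_cfg_reply(profile)                                  # Hub -> Spoke
    install(spoke_rib, reply["IP4_SUBNET"], "Tunnel0", policy["route accept"])
    cfg_set = spoke_cfg_set(reply["IP4_ADDRESS"], policy, acls)    # Spoke -> Hub
    install(hub_rib, cfg_set["IP4_SUBNET"], "Virtual-Access1", profile["ipsec:route-accept"])
    return spoke_rib, hub_rib


if __name__ == "__main__":
    print(run_exchange())
```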

Hub & Spoke – Profile derivation step-by-step

  1. R1 sends IKE_AUTH: IDi=R1.cisco.com, Auth, TSi, TSr, CFG_Req(IP4_ADDRESS, IP4_NETWORK…)
  2. keyring aaa <list> name-mangler <m> on the hub turns R1.cisco.com into the user name R1 and sends a RADIUS access-request for R1
  3. RADIUS returns access-accept R1 with the AAA profile:
       ipsec:ikev2-password-remote=xyz
       ip:interface-config=policy-map PM out
       framed-ip=10.0.0.1
       ipsec:route-set=interface
       ipsec:route-set=prefix 192.168.0.0/16
       ipsec:route-accept=any
  4. The hub verifies Auth with the fetched PSK (OK)
  5. aaa authorization user psk cached re-uses the same profile as the User Profile
  6. Virtual-Template → Virtual-Access: the interface is cloned and the profile applied
  7. Hub replies: IDr, cert, Auth, TSi, TSr, CFG_Reply(IP4_ADDRESS=10.0.0.1, IP4_SUBNET=192.168.0.0/16, IP4_SUBNET=10.0.0.254/32)

Generic Profile Derivation – Expanded Example (not recommended)

  1. R1 sends IKE_AUTH: IDi=R1.cisco.com, Auth, TSi, TSr, CFG_Req(IP4_ADDRESS, IP4_NETWORK…)
  2. keyring aaa <list> name-mangler <m> fetches Profile 1 (Authentication profile) for R1.cisco.com; it is used only for authentication (Auth OK)
  3. aaa authorization user psk <list> fetches Profile 2 (User profile)
  4. aaa authorization group psk <list> G fetches Profile 3 (Group profile)
  5. The profiles merge into the Final Profile, which activates the config-exchange
  6. Virtual-Template → Virtual-Access; reply: IDr, cert, Auth, TSi, TSr, CFG_Reply(IP4_ADDRESS=10.0.0.1, IP4_SUBNET=0.0.0.0/0, IP4_SUBNET=10.0.0.254/32)

The IKEv2 profile is selected on the hub; the profiles it fetches can live on the hub or on RADIUS (or a mix).

AAA CLI summary – user, group

  keyring aaa <list> [name-mangler <mangler>]
      Fetches the PSK in the profile (profile password: cisco)
  aaa authentication eap <list>
      Authentication against the RADIUS server
  aaa authorization user psk cached
      Re-use the authentication profile (no new query)
  aaa authorization user psk list <list> {<name> | name-mangler <mangler>}
      Fetch a new profile (new query); profile password: cisco
  aaa authorization group psk list <list> {<name> | name-mangler <mangler>}
      Group overrides user authorization
  aaa authorization user eap cached
  aaa authorization user eap list <list> {<name> | name-mangler <mangler>}
  aaa authorization group eap [override] list <list> {<name> | name-mangler <mangler>}
  aaa authorization user cert list <list> {<name> | name-mangler <mangler>}
      Fetch a new profile (new query); profile password: cisco
  aaa authorization group cert [override] list <list> {<name> | name-mangler <mangler>}
  interface virtual-template 1 type tunnel
   ip unnumbered loopback0
   tunnel protection ipsec profile default
      Virtual-Template configuration is always overridden by AAA

Profile source can be RADIUS or local.

For Your Reference

Name-mangler CLI summary – Turns pieces of identity into strings

  crypto ikev2 name-mangler <mangler>
   dn {all | common-name | organization | organization-unit | …}
   eap {all | prefix | suffix | dn {common-name | organization | organization-unit}}
   email {all | domain | username}
   fqdn {all | domain | hostname}

Example identity (FQDN): vpn.cisco.com

  crypto ikev2 name-mangler mangler
   fqdn domain

yields the string cisco.com.

For Your Reference
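An added Python model (not Cisco code) of what the name-mangler and the "match identity remote" statements of the profile-match and hub-configuration slides do with a peer identity. Identity, mangle, matches, select_profile and the PROFILES list are constructed here, and "first matching profile wins" is a simplification of the profile selection.

```python
"""Name-mangler extraction and IKEv2 profile matching on a peer identity (IDi).
Added example, not Cisco code: identity types, 'match identity remote' forms and
name-mangler selectors are those of the slides; everything else is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    kind: str    # "address", "fqdn", "email" or "dn" (the IDi type sent in IKE_AUTH)
    value: str   # e.g. "R1.cisco.com"


_DN_ATTRS = {"CN": "common-name", "O": "organization", "OU": "organization-unit"}


def dn_parts(dn):
    """Split 'CN=RouterName,O=Cisco,OU=Engineering' into name-mangler dn selectors."""
    parts = {}
    for rdn in dn.split(","):
        attr, _, val = rdn.strip().partition("=")
        if attr.upper() in _DN_ATTRS:
            parts[_DN_ATTRS[attr.upper()]] = val
    return parts


def mangle(ident, selector):
    """Apply one name-mangler rule ('fqdn hostname', 'email domain', 'dn common-name',
    ...) and return the string used as AAA user name, or None if the rule does not
    apply to this identity type."""
    if ident.kind == "fqdn":
        host, _, domain = ident.value.partition(".")
        return {"all": ident.value, "hostname": host, "domain": domain}.get(selector)
    if ident.kind == "email":
        user, _, domain = ident.value.partition("@")
        return {"all": ident.value, "username": user, "domain": domain}.get(selector)
    if ident.kind == "dn":
        return ident.value if selector == "all" else dn_parts(ident.value).get(selector)
    if ident.kind == "address" and selector == "all":
        return ident.value
    return None


def matches(ident, rule):
    """Evaluate one 'match identity remote <kind> [<sub>] <value>' statement.
    rule is (kind plus optional sub-selector, value): ("fqdn domain", "cisco.com"),
    ("address", "10.0.1.1"), ("email", "[email protected]") ..."""
    kind, _, sub = rule[0].partition(" ")
    if kind != ident.kind:
        return False
    got = mangle(ident, sub or "all")
    return got is not None and got.lower() == rule[1].lower()


def select_profile(ident, profiles):
    """Return the first IKEv2 profile whose match statements accept the identity,
    or None (the IKE_AUTH would be rejected). The choice is made from the claimed
    IDi; AUTH is then verified with the selected profile's method and keyring, so a
    peer claiming someone else's identity still fails authentication."""
    for name, rules in profiles:
        if any(matches(ident, r) for r in rules):
            return name
    return None


# Constructed profiles: a domain-wide 'default' as on the slides plus a partner profile
PROFILES = [
    ("partners", [("email domain", "partner.example")]),
    ("default", [("fqdn domain", "cisco.com"), ("address", "10.0.1.1")]),
]

if __name__ == "__main__":
    r1 = Identity("fqdn", "R1.cisco.com")
    print(select_profile(r1, PROFILES), mangle(r1, "hostname"))   # default R1
```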

Per Tunnel QoS – Centrally Managed

The need for QoS – Introducing the Greedy Spoke

QoS needed for:
– Sharing network bandwidth
– Marshaling bandwidth usage of applications
– Meeting application latency & speed requirements

[Diagram: Hub with Spoke 1 (greedy), Spoke 2 and Spoke 3 behind CE 1. Two congestion points: at the hub's crypto engine or WAN link, packets are lost AND the other spokes are starved; at a spoke interface with a limited downstream rate, packets are lost (the most common problem).]

Provisioning Per Tunnel QoS – Central and Distributed Models

[Diagram: hub 172.16.0.1 on LAN 192.168.100.0/24 (.1, RADIUS .254); some spokes with high bandwidth, some spokes with low bandwidth]

Policy Maps are defined on the Hub:
– Option #1: Service Policy on the Virtual-Template
– Option #2: Central Service Policy enforcement by AAA

Hierarchical Shaper – Each Hub V-Access Needs Its Own Policy

– Parent Shaper limits the total bandwidth of the tunnel
– Child policy: Bandwidth Reservation, Low Latency Queuing, Fair Queuing

Step 1 – Define Policy Map(s)

  class-map Control
   match ip precedence 6
  class-map Voice
   match ip precedence 5
  !
  policy-map SubPolicy
   class Control
    bandwidth 20                 ! 20 Kbps guaranteed to Control
   class Voice
    priority percent 60          ! 60% of bandwidth for Voice
  !
  policy-map Silver
   class class-default
    shape average 1000000        ! 1 Mbps to each tunnel
    service-policy SubPolicy
  !
  policy-map Gold
   class class-default
    shape average 5000000        ! 5 Mbps to each tunnel
    service-policy SubPolicy

Step 2a – Per Peer QoS: Mapping Peer and QoS via AAA

RADIUS profiles:

  Profile "Router1" / password "cisco"
   ipsec:route-accept=any
   ipsec:route-set=interface
   ip:interface-config="service-policy out Gold"

  Profile "Router2" / password "cisco"
   ipsec:route-accept=any
   ipsec:route-set=interface
   ip:interface-config="service-policy out Silver"

  Profile "Router3" / password "cisco"
   ipsec:route-accept=any
   ipsec:route-set=interface
   ip:interface-config="service-policy out Silver"

Hub configuration:

  crypto ikev2 profile default
   match identity remote fqdn domain <domain>
   authentication local rsa-sig
   authentication remote rsa-sig
   pki trustpoint CA
   dpd 10 2 on-demand
   aaa authorization user cert list default name-mangler CN
   virtual-template 1
  !
  interface virtual-template1 type tunnel
   ip unnumbered loopback0
   tunnel protection ipsec profile default
  !
  crypto pki certificate map Cisco 10
   subject-name co o=Cisco
  !
  crypto ikev2 name-mangler CN
   dn common-name

– Single vanilla IKEv2 Profile for Everyone
– Plain simple Virtual-Template (no QoS on the template itself)
– Common Name (name-mangler CN) used to retrieve the AAA profile that carries the service-policy

Step 2b – Per Group QoS: Group Based via Local Config

  crypto ikev2 profile Gold
   match certificate GoldCertMap
   authentication local rsa-sig
   authentication remote rsa-sig
   pki trustpoint CA
   dpd 10 2 on-demand
   aaa authorization group cert list default default
   virtual-template 1
  !
  interface virtual-template1 type tunnel
   ip unnumbered loopback0
   service-policy output Gold
   tunnel protection ipsec profile default
  !
  crypto pki certificate map GoldCertMap 10
   subject-name co ou=Gold

  crypto ikev2 profile Silver
   match certificate SilverCertMap
   authentication local rsa-sig
   authentication remote rsa-sig
   pki trustpoint CA
   dpd 10 2 on-demand
   aaa authorization group cert list default default
   virtual-template 2
  !
  interface virtual-template2 type tunnel
   ip unnumbered loopback0
   service-policy output Silver
   tunnel protection ipsec profile default
  !
  crypto pki certificate map SilverCertMap 10
   subject-name co ou=Silver

  crypto ipsec profile default
   no set ikev2-profile default
  !

– Dedicated IKEv2 profile for each group; the certificate Org. Unit is used for group mapping
– Virtual-Template with dedicated QoS config; the V-Access is created from the dedicated V-Template
– AAA for config exchange only
– Unlink the IPsec profile from the IKEv2 profile (no set ikev2-profile default) so that either IKEv2 profile can be selected. Different in 3.10 – Jul'13.

FlexMesh with Redundancy – aka Shortcut Switching

FlexMesh – Network Diagram With Hub Resiliency

[Diagram: two hubs, 172.16.0.1 (.1) and 172.16.0.2 (.2), on LAN 192.168.100.0/24 (RADIUS .254); each hub terminates spokes on Virtual-Access Interfaces, and each spoke has a Static Tunnel Interface to each hub]

Hub & Spoke bootstrap – Config Exchange

Before the exchange:
  Spoke1: Ethernet0/0 172.16.1.1, Ethernet0/1 192.168.1.1 (LAN 192.168.1.0/24), Tunnel0. Routing: 172.16.0.1/32 via 172.16.1.254 (E0/0).
  Hub: Ethernet0/0 172.16.0.1, Ethernet0/1 192.168.100.1, Loopback0 10.0.0.254/32. Routing: 0.0.0.0/0 via 172.16.0.254 (E0/0); 192.168.100.0/24 Ethernet 0/1.

Exchange:
  1. Spoke1 → Hub: SA Prop (AES-256, SHA-1, DH 5), KEi, Ni
  2. Hub → Spoke1: SA Prop (AES-256, SHA-1, DH 5), KEr, Nr
  3. Spoke1 → Hub: IDi=Spoke1.cisco.com, Auth, TSi, TSr, CFG_Req(IP4_NETWORK…)
  4. Hub → Spoke1: IDr, cert, Auth, TSi, TSr, CFG_Reply(IP4_SUBNET=10.0.0.254/32)
  5. Spoke1 → Hub: CFG_set(IP4_SUBNET=10.0.0.1/32)
  6. Hub → Spoke1: CFG_ack()

After the exchange:
  Spoke1: Tunnel0 address 10.0.0.1; route 10.0.0.254/32 → Tunnel 0
  Hub: VirtualAccess1 10.0.0.254/32; route 10.0.0.1/32 → VirtualAccess1

Only the tunnel /32 addresses are exchanged by IKEv2 here; the LAN prefixes are exchanged by BGP (next slide).

IKE & BGP Exchange Routes

Spoke 1 (LAN 192.168.1.0/24; Physical 172.16.1.1; Tunnel 10.0.0.1) – NHRP table: empty
  Routing table:
  C 192.168.1.0/24   Eth0
  C 10.0.0.1         Tunnel0
  S 0.0.0.0/0        Dialer0
  S 10.0.0.254/32    Tunnel0
  B 192.168.0.0/16   Tunnel0

Spoke 2 (LAN 192.168.2.0/24; Physical 172.16.2.1; Tunnel 10.0.0.2) – NHRP table: empty
  Routing table:
  C 192.168.2.0/24   Eth0
  C 10.0.0.2         Tunnel1
  S 0.0.0.0/0        Dialer0
  S 10.0.0.253/32    Tunnel1
  B 192.168.0.0/16   Tunnel1

Hub 1 (LAN 192.168.100.0/24, .1; Physical 172.16.0.1; Tunnel 10.0.0.254)
  Routing table:
  C 10.0.0.254       Loopback0
  C 192.168.100.0/24 Eth0
  S 192.168.0.0/16   Tunnel100
  S 10.0.0.0/8       Tunnel100
  S 10.0.0.1         V-Access1
  B 192.168.1.0/24   V-Access1

Hub 2 (LAN 192.168.100.0/24, .2; Physical 172.16.0.2; Tunnel 10.0.0.253)
  Routing table:
  C 10.0.0.253       Loopback0
  C 192.168.100.0/24 Eth0
  S 192.168.0.0/16   Tunnel100
  S 10.0.0.0/8       Tunnel100
  S 10.0.0.2         V-Access1
  B 192.168.2.0/24   V-Access1

Hub 1 and Hub 2 are joined by Tunnel 100.

Shortcut Switching (1)

Starting point: the routing tables and the (empty) NHRP tables of Spoke 1, Spoke 2, Hub 1 and Hub 2 are those of the previous slide (IKE & BGP Exchange Routes). Spoke 1 only has the BGP summary 192.168.0.0/16 via Tunnel0 for Spoke 2's LAN, so traffic to 192.168.2.0/24 goes through the hubs.

Shortcut Switching (2)

NHRP resolution: Spoke 1 sends a Resolution request for 192.168.2.2; Spoke 2 answers with a Resolution Reply for the whole prefix 192.168.2.0/24.

Spoke 1 (LAN 192.168.1.0/24; Physical 172.16.1.1; Tunnel 10.0.0.1)
  NHRP table:
  10.0.0.2/32        172.16.2.1
  192.168.2.0/24     172.16.2.1
  Routing table:
  C 192.168.1.0/24   Eth0
  C 10.0.0.1         Tunnel0
  S 0.0.0.0/0        Dialer0
  S 10.0.0.254/32    Tunnel0
  B 192.168.0.0/16   Tunnel0
  S 10.0.0.2/32      V-Access1   (new)
  H 192.168.2.0/24   V-Access1   (new, NHRP shortcut route)

Spoke 2 (LAN 192.168.2.0/24; Physical 172.16.2.1; Tunnel 10.0.0.2)
  NHRP table:
  10.0.0.1           172.16.1.1
  Routing table:
  C 192.168.2.0/24   Eth0
  C 10.0.0.2         Tunnel1
  S 0.0.0.0/0        Dialer0
  S 10.0.0.253/32    Tunnel1
  B 192.168.0.0/16   Tunnel1
  S 10.0.0.1/32      V-Access1   (new)

Hub 1 (Physical 172.16.0.1; Tunnel 10.0.0.254) and Hub 2 (Physical 172.16.0.2; Tunnel 10.0.0.253): routing tables unchanged from the previous slides.

Shortcut Switching (3)

Final state: the routing and NHRP tables of Spoke 1, Spoke 2, Hub 1 and Hub 2 are those of Shortcut Switching (2). Spoke 1 now forwards 192.168.2.0/24 over the direct Virtual-Access1 to Spoke 2 (the H route is more specific than the BGP summary via Tunnel0) instead of through the hubs.
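The resolution sequence of the three Shortcut Switching slides as an added Python simulation (not Cisco code): Node, build_topology, forward_path and shortcut are constructed names, the tables are copied from the slides, and the LINKS map stands in for the static spoke-hub and inter-hub tunnels of the diagram.

```python
"""Simulation of FlexVPN shortcut switching: Spoke 1 reaches Spoke 2's LAN through
Hub 1 and Hub 2, a hub with 'ip nhrp redirect' triggers an NHRP resolution, Spoke 2
replies with its whole LAN prefix and both spokes install a direct Virtual-Access
route. Added example, not Cisco code; addresses and tables come from the slides, the
hop-by-hop forwarding and link model is constructed for the simulation."""
from ipaddress import ip_address, ip_network

LINKS = {}   # (node name, outgoing interface) -> neighbour name, for the static tunnels


class Node:
    def __init__(self, name, nbma, overlay, redirect=False):
        self.name, self.nbma, self.overlay = name, nbma, overlay
        self.redirect = redirect   # 'ip nhrp redirect' on its NHRP interfaces (hubs)
        self.rib = {}              # prefix -> (route code, interface)
        self.nhrp = {}             # prefix -> NBMA (physical) address of the shortcut peer

    def add(self, code, prefix, iface):
        self.rib[ip_network(prefix, strict=False)] = (code, iface)

    def route(self, prefix):
        return self.rib.get(ip_network(prefix, strict=False))

    def lookup(self, dst):
        """Longest-prefix match -> (pr...prefix, code, interface) or None."""
        dst = ip_address(dst)
        best = max((p for p in self.rib if dst in p), key=lambda p: p.prefixlen, default=None)
        return None if best is None else (best, *self.rib[best])


def build_topology():
    """Nodes and tables of the 'IKE & BGP Exchange Routes' slide."""
    s1 = Node("Spoke1", "172.16.1.1", "10.0.0.1")
    s2 = Node("Spoke2", "172.16.2.1", "10.0.0.2")
    h1 = Node("Hub1", "172.16.0.1", "10.0.0.254", redirect=True)
    h2 = Node("Hub2", "172.16.0.2", "10.0.0.253", redirect=True)
    for spoke, hub, lan, tun in [(s1, h1, "192.168.1.0/24", "Tunnel0"),
                                 (s2, h2, "192.168.2.0/24", "Tunnel1")]:
        spoke.add("C", lan, "Eth0"); spoke.add("C", spoke.overlay + "/32", tun)
        spoke.add("S", "0.0.0.0/0", "Dialer0"); spoke.add("S", hub.overlay + "/32", tun)
        spoke.add("B", "192.168.0.0/16", tun)             # BGP summary from the hub
        hub.add("C", hub.overlay + "/32", "Loopback0"); hub.add("C", "192.168.100.0/24", "Eth0")
        hub.add("S", "192.168.0.0/16", "Tunnel100"); hub.add("S", "10.0.0.0/8", "Tunnel100")
        hub.add("S", spoke.overlay + "/32", "V-Access1")  # from the IKEv2 config exchange
        hub.add("B", lan, "V-Access1")                    # spoke LAN learned by BGP
    LINKS.update({("Spoke1", "Tunnel0"): "Hub1", ("Spoke2", "Tunnel1"): "Hub2",
                  ("Hub1", "Tunnel100"): "Hub2", ("Hub2", "Tunnel100"): "Hub1",
                  ("Hub1", "V-Access1"): "Spoke1", ("Hub2", "V-Access1"): "Spoke2"})
    return {n.name: n for n in (s1, s2, h1, h2)}


def forward_path(nodes, src, dst, max_hops=8):
    """Forward a packet for dst hop by hop from src; returns the nodes traversed."""
    path, cur = [src], nodes[src]
    while len(path) < max_hops:
        hit = cur.lookup(dst)
        if hit is None:
            break
        prefix, _, iface = hit
        if prefix in cur.nhrp:                  # shortcut: NHRP maps the prefix to a peer NBMA
            nxt = next(n.name for n in nodes.values() if n.nbma == cur.nhrp[prefix])
        elif (cur.name, iface) in LINKS:        # static spoke-hub or inter-hub tunnel
            nxt = LINKS[(cur.name, iface)]
        else:                                   # connected LAN, loopback or Internet exit
            break
        path.append(nxt)
        cur = nodes[nxt]
    return path


def shortcut(nodes, src, dst):
    """Redirect + resolution: a hub with 'ip nhrp redirect' that forwards the packet
    between two NHRP interfaces tells the source to resolve dst; the spoke owning the
    destination LAN answers with its connected prefix, which the requester installs as
    an 'H' route over a new Virtual-Access towards that spoke's NBMA address."""
    path = forward_path(nodes, src, dst)
    if not any(nodes[n].redirect for n in path[1:-1]):
        return path                             # no redirecting hub on the path
    requester, target = nodes[path[0]], nodes[path[-1]]
    hit = target.lookup(dst)                    # Resolution Reply carries the whole prefix
    if hit is None or hit[1] != "C":
        return path
    prefix = hit[0]
    requester.nhrp[ip_network(target.overlay + "/32")] = target.nbma
    requester.nhrp[prefix] = target.nbma
    requester.add("S", target.overlay + "/32", "V-Access1")
    requester.add("H", str(prefix), "V-Access1")
    target.nhrp[ip_network(requester.overlay + "/32")] = requester.nbma   # reverse binding
    target.add("S", requester.overlay + "/32", "V-Access1")
    return forward_path(nodes, src, dst)


if __name__ == "__main__":
    topo = build_topology()
    print(forward_path(topo, "Spoke1", "192.168.2.2"))   # via Hub1 and Hub2
    print(shortcut(topo, "Spoke1", "192.168.2.2"))       # direct after resolution
```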

FlexMesh – Hub Configuration: Hub 1

  crypto ikev2 profile default
   match identity remote fqdn domain cisco.com
   identity local fqdn Hub1.cisco.com
   authentication remote rsa-sig
   authentication local rsa-sig
   pki trustpoint TP
   dpd 10 2 on-demand
   aaa authorization group cert list default default
   virtual-template 1
  !
  interface Virtual-Template1 type tunnel
   ip unnumbered Loopback0
   ip access-group AllowMyBGP in
   ip nhrp network-id 1
   ip nhrp redirect
   tunnel protection ipsec profile default
  !
  interface Loopback0
   ip address 10.0.0.254 255.255.255.255
  !
  interface Tunnel100
   ip unnumbered Loopback0
   ip nhrp network-id 1
   ip nhrp redirect
   tunnel source Ethernet0/1
   tunnel destination 192.168.100.2
  !
  ip route 10.0.0.0 255.0.0.0 Tunnel100 tag 2
  ip route 192.168.0.0 255.255.0.0 Tunnel100 tag 2
  !
  router bgp 1
   bgp log-neighbor-changes
   bgp listen range 10.0.0.0/24 peer-group Flex
   !
   address-family ipv4
    redistribute static route-map rm
    neighbor Flex peer-group
    neighbor Flex remote-as 1
    neighbor Flex timers 5 15
    neighbor Flex next-hop-self all
   exit-address-family
  !
  route-map rm permit 10
   match tag 2

– Also works with IKEv2 Routing
– Per spoke QoS supported here too!!
– Local or AAA spoke profiles supported (AAA compatible). Can even control QoS, NHRP redirect, network-id, …
– Loopback0: Hub 1 dedicated overlay address
– Tunnel100: inter-hub link (not encrypted)
– route-map rm filters the static routes (tag 2) to redistribute into BGP
– NHRP is the magic: all V-Access interfaces are in the same network-id, and the inter-hub link uses the same NHRP network-id
– bgp listen range 10.0.0.0/24: accept connections from spokes; spoke connections are accepted dynamically!

Page 38

FlexMesh – Hub Configuration: Hub 2 – almost the same as Hub 1

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Hub2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip access-group AllowMyBGP in
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel protection ipsec profile default
!
interface Loopback0
 ip address 10.0.0.253 255.255.255.255
!
interface Tunnel100
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/1
 tunnel destination 192.168.100.2
!
ip route 10.0.0.0 255.0.0.0 Tunnel100 tag 2
ip route 192.168.0.0 255.255.0.0 Tunnel100 tag 2
!
router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/24 peer-group Flex
 !
 address-family ipv4
  redistribute static route-map rm
  neighbor Flex peer-group
  neighbor Flex remote-as 1
  neighbor Flex timers 5 15
  neighbor Flex next-hop-self all
 exit-address-family
!
route-map rm permit 10
 match tag 2

Also works with IKEv2 Routing

Dedicated Identity (optional)
Dedicated Overlay Address
AAA Compatible

Page 39

VRF Injection – Spoke Configuration: Client/Receiver and Source Spoke

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Spoke2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
interface Loopback0
 ip address 10.0.0.2 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 172.16.0.1
 tunnel protection ipsec profile default
!
interface Tunnel1
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 172.16.0.2
 tunnel protection ipsec profile default
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel protection ipsec profile default
!
router bgp 1
 bgp log-neighbor-changes
 neighbor 10.0.0.253 remote-as 1
 neighbor 10.0.0.253 timers 5 15
 neighbor 10.0.0.254 remote-as 1
 neighbor 10.0.0.254 timers 5 15
 !
 address-family ipv4
  network 192.168.2.0
  neighbor 10.0.0.253 activate
  neighbor 10.0.0.254 activate
  maximum-paths ibgp 2

QoS Everywhere
Needed for tunnel address exchange
V-Template to clone for spoke-spoke tunnels
Tunnel0 to Primary Hub
Tunnel1 to Secondary Hub
QoS can be applied here

Page 40

FlexVPN VRF Injection: VRF Lite

Page 41

Basic packet forwarding

[Diagram: forwarding layers of a router – Layer 5+ (IKE, AAA, BGP); Layer 4; Layer 3 (Routing) with Layer 3 helpers; Layer 2; packet path: input features, output features, encapsulation]

Page 42

Tunnels and features

[Diagram: the same layer stack with a tunnel interface – Layer 5+ (IKE, AAA, BGP); Layer 4; Layer 3 (Routing, Routing) with Layer 3 helpers; Layer 2; packet path: input features, output features, encapsulation, output features, encapsulation]
Statically defined (Tunnel) or instantiated by IKEv2 (V-Access)
Post-encapsulation Tunnel Protection
Encapsulation

Page 43

Router with VRF's

[Diagram: layer stack with Layer 3 split into Global Routing Table, VRF Red, VRF Blue and VRF Green – Layer 5+ (IKE, AAA, BGP); Layer 4; Layer 3 helpers; Layer 2]

Page 44

VRF Injection: Hub injects traffic in chosen VRF

[Diagram: hubs 172.16.1.253 and 172.16.1.254; three inside segments 192.168.100.0/24 (.2, .1)]
Hub private interface(s) in Inside VRF (light)
MPLS IP (hub PE)
Virtual-Access in iVRF
Optional VRF on spokes (Not in this example)
Wan in Global Routing Table

Page 45

VRF and tunneling: Hub View

[Diagram: hub layer stack – Layer 5+ (IKE, AAA, BGP); Layer 4; Layer 3 split into Global Routing Table, VRF Red, VRF Blue and VRF Green, with Layer 3 helpers; Layer 2]

Page 46

VRF Injection – Hub Configuration: Option 1: Mapping with In-IOS configuration (without AAA)

crypto ikev2 profile BLUE
 match identity fqdn domain blue
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
interface virtual-template1 type tunnel
 vrf forwarding BLUE
 ip unnumbered loopback1
 tunnel protection ipsec profile default
!
crypto ikev2 profile RED
 match identity fqdn domain red
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 2
!
interface virtual-template2 type tunnel
 vrf forwarding RED
 ip unnumbered loopback2
 tunnel protection ipsec profile default
!
crypto ikev2 profile GREEN
 match identity fqdn domain green
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 3
!
interface virtual-template3 type tunnel
 vrf forwarding GREEN
 ip unnumbered loopback3
 tunnel protection ipsec profile default
!
crypto ipsec profile default
 no set ikev2-profile default

Unlink IPsec profile from IKEv2 profile. Not necessary after 3.10 – Jul'13.
Virtual-Template in VRF
FQDN Domain is differentiator
Loopback in VRF
Dedicated IKEv2 profile
Supports QoS
Supports FlexMesh
Add NHRP, QoS…

Page 47

VRF Injection – Hub Configuration: Option 2: Mapping with AAA group based configuration

aaa new-model
aaa authorization network default group RADIUS
!
aaa group server radius RADIUS
 server-private 192.168.100.2 auth-port 1812 acct-port 1813 key cisco123
!
crypto ikev2 profile default
 match certificate CERT_MAP
 identity local fqdn Hub1.cisco.com
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 aaa authorization group cert default name-mangler dom
 virtual-template 1
!
interface virtual-template1 type tunnel
 tunnel protection ipsec profile default
!
crypto ikev2 name-mangler dom
 fqdn domain
!
crypto pki certificate CERT_MAP
 subject co o eq Cisco ou eq Engineering

RADIUS Group Profiles:

Profile "blue" / password "cisco"
 ipsec:route-accept=any
 ipsec:route-set=interface
 ip:interface-config="vrf forwarding BLUE"
 ip:interface-config="ip unnumbered loopback 1"

Profile "red" / password "cisco"
 ipsec:route-accept=any
 ipsec:route-set=interface
 ip:interface-config="vrf forwarding RED"
 ip:interface-config="ip unnumbered loopback 2"

Profile "green" / password "cisco"
 ipsec:route-accept=any
 ipsec:route-set=interface
 ip:interface-config="vrf forwarding GREEN"
 ip:interface-config="ip unnumbered loopback 3"

Supports QoS
Supports FlexMesh
Vanilla Virtual-Template
Common IKEv2 profile
Profiles stored on RADIUS server
Org. Unit used as group. Could use anything else
Profile name extracted from Domain Name
Group profiles on RADIUS. Could be per peer profiles or group+peer (derivation)

Page 48

VRF Injection – Hub Configuration: For both options: BGP and VRF configurations

ip route vrf BLUE 10.0.0.0 255.0.0.0 Null0
ip route vrf BLUE 192.168.0.0 255.255.0.0 Null0
ip route vrf RED 10.0.0.0 255.0.0.0 Null0
ip route vrf RED 192.168.0.0 255.255.0.0 Null0
ip route vrf GREEN 10.0.0.0 255.0.0.0 Null0
ip route vrf GREEN 192.168.0.0 255.255.0.0 Null0
!
router bgp 1
 bgp listen range 10.1.0.0/16 peer-group BluePeer
 bgp listen range 10.2.0.0/16 peer-group RedPeer
 bgp listen range 10.3.0.0/16 peer-group GreenPeer
 !
 address-family ipv4 vrf BLUE
  redistribute static
  neighbor BluePeer peer-group
  neighbor BluePeer remote-as 1
 exit-address-family
 !
 address-family ipv4 vrf RED
  redistribute static
  neighbor RedPeer peer-group
  neighbor RedPeer remote-as 1
 exit-address-family
 !
 address-family ipv4 vrf GREEN
  redistribute static
  neighbor GreenPeer peer-group
  neighbor GreenPeer remote-as 1
 exit-address-family
!
vrf definition BLUE
 rd 1:1
 address-family ipv4
 address-family ipv6
!
interface Loopback1
 vrf forwarding BLUE
 ip address 10.0.0.254 255.255.255.255
!
vrf definition RED
 rd 2:2
 address-family ipv4
 address-family ipv6
!
interface Loopback2
 vrf forwarding RED
 ip address 10.0.0.254 255.255.255.255
!
vrf definition GREEN
 rd 3:3
 address-family ipv4
 address-family ipv6
!
interface Loopback3
 vrf forwarding GREEN
 ip address 10.0.0.254 255.255.255.255

BGP dynamic peering. These addresses cannot currently overlap. Follow CSCtw69765.
Each VRF has its own control section.
Activate peer group in its corresponding VRF.
Attracts summaries and drops non-reachable prefixes.
Redistributes above statics into BGP.
Also works with IKEv2 Routing

Page 49

VRF Injection – Spoke Configuration: Vanilla IKE and BGP configurations

aaa new-model
aaa authorization network default local
!
crypto ikev2 profile default
 match identity remote fqdn Hub1.cisco.com
 match identity remote fqdn Hub2.cisco.com
 identity local fqdn spoke1.RED
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
!
interface Loopback0
 ip address 10.1.0.2 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source Ethernet0/0
 tunnel destination 172.16.1.1
 tunnel protection ipsec profile default
!
interface Tunnel1
 ip unnumbered Loopback0
 tunnel source Ethernet0/0
 tunnel destination 172.16.4.1
 tunnel protection ipsec profile default
!
router bgp 1
 bgp log-neighbor-changes
 network 192.168.0.0 mask 255.255.0.0
 neighbor Hub peer-group
 neighbor Hub remote-as 1
 neighbor Hub next-hop-self
 neighbor 10.0.0.253 peer-group Hub
 neighbor 10.0.0.254 peer-group Hub
 maximum-paths ibgp 2

Tunnel to Hub1
Tunnel to Hub2
Plain simple IKEv2 profile
IKEv2 Identity Defines Group
Profiles stored on RADIUS server
Just necessary for config exchange
iBGP: Two Hubs…
Basic iBGP configuration
Equal Cost Load Balancing
Also works with IKEv2 Routing

Page 50

FlexVPN VRF with Front VRF: VRF lite with iVRF and fVRF

Page 51

VRF Injection with Front VRF: Adding Front VRF Purple

[Diagram: hubs 172.16.1.254 and 172.16.1.253; three inside segments 192.168.100.0/24 (.2, .1)]
Hub private interface(s) in inside VRF (light) or MPLS IP (hub PE)
Virtual-Access in iVRF
Wan Interface in Purple VRF (Front VRF)
Optional VRF on spokes (independent of Hub)

Page 52

VRF and tunneling with Front VRF

[Diagram: hub layer stack – Layer 5+ (IKE, AAA, BGP); Layer 4; Layer 3 split into Global Routing Table, VRF Red, VRF Purple, VRF Green and VRF Blue, with Layer 3 helpers; Layer 2]

Page 53

VRF Injection – Hub Configuration: Front VRF definition

In-Config Method:

vrf definition PURPLE
 rd 4:4
 address-family ipv4
 address-family ipv6
!
interface virtual-template1 type tunnel
 vrf forwarding BLUE
 ip unnumbered loopback1
 tunnel protection ipsec profile BLUE
 tunnel vrf PURPLE
!
interface virtual-template2 type tunnel
 vrf forwarding RED
 ip unnumbered loopback2
 tunnel protection ipsec profile RED
 tunnel vrf PURPLE
!
interface virtual-template3 type tunnel
 vrf forwarding GREEN
 ip unnumbered loopback3
 tunnel protection ipsec profile GREEN
 tunnel vrf PURPLE

AAA Method:

Profile "Blue" / password "cisco"
 Framed-Pool=FlexPool-Blue
 ipsec:route-accept=any
 ipsec:route-set=interface
 ip:interface-config="vrf forwarding BLUE"
 ip:interface-config="ip unnumbered loopback 1"
 ip:interface-config="tunnel vrf PURPLE"

Profile "Red" / password "cisco"
 Framed-Pool=FlexPool-Red
 ipsec:route-accept=any
 ipsec:route-set=interface
 ip:interface-config="vrf forwarding RED"
 ip:interface-config="ip unnumbered loopback 2"
 ip:interface-config="tunnel vrf PURPLE"

Profile "Green" / password "cisco"
 Framed-Pool=FlexPool-Green
 ipsec:route-accept=any
 ipsec:route-set=interface
 ip:interface-config="vrf forwarding GREEN"
 ip:interface-config="ip unnumbered loopback 3"
 ip:interface-config="tunnel vrf PURPLE"

Page 54

VRF Based Remote Access: Example with AnyConnect 3.0 for Mobile

Page 55

Remote Access Network Diagram: Software Clients connect to a hub

[Diagram: software clients (AnyConnect, Windows7, Strongswan, Racoon2) reach the hub public address 172.16.0.1 (hubs .254 / .253); hub private side 172.16.1.254 with three inside segments 192.168.100.0/24 (.1)]

Page 56

Remote Access Network Diagram: Software Clients connect to a hub

[Diagram: AnyConnect client reaches the hub public address 172.16.0.1 (hubs .254 / .253); hub private side 172.16.1.254 with three inside segments 192.168.100.0/24 (.1)]
Hub private interface(s) in Inside VRF (light)
MPLS IP (hub PE)
Virtual-Access in iVRF

Page 57

Remote Access – AnyConnect Deployment Considerations

[Diagram: hub public address 172.16.0.1; inside segment 192.168.100.0/24 (.1, .254) with the CA at .253; certificate chain: CA certificate (Issuer CA, Subject CA), hub certificate (Issuer CA, Subject AC Hub)]

Hub Certificate:
 Subject: CN=AC-Server.cisco.com, OU=TAC, O=Cisco, C=BE
 Ext. Key Usage: TLS Web Server
 Subj. Alt. Name: AC-Server.cisco.com

Fix EKU e.g. by using the webserver template from Microsoft Windows 2008 CA
Optional. Use SAN if CN does not match client configured HostName

http://<mywindows2008_ca>/certsrv
1- Browse URL
2- Type-in PIN
3- Certificate is installed

Page 58

AnyConnect on Smartphone: Define New Connection

HostName matching Hub certificate CN or SAN

Page 59

AnyConnect on Smartphone: Security Parameters

Matches the IKEv2 key-id of the hub (FlexAnyConnect)
Client Authentication method (Hub method is imposed: Certificates)
Supported by IOS
Critical

Page 60

AnyConnect on Smartphone: Ready to Connect

User Credentials

Page 61

VRF Injection – Hub Configuration: VRF and Global configuration

vrf definition BLUE
 rd 1:1
 address-family ipv4
 address-family ipv6
!
ip local pool FlexPool_Blue 10.0.0.0 10.0.0.250
!
interface Loopback1
 vrf forwarding BLUE
 ip address 10.0.0.254 255.255.255.255
!
interface Ethernet0/1.1
 vrf forwarding BLUE
 ip address 192.168.100.1 255.255.255.0
!
vrf definition RED
 rd 2:2
 address-family ipv4
 address-family ipv6
!
ip local pool FlexPool_Red 10.0.0.0 10.0.0.250
!
interface Loopback2
 vrf forwarding RED
 ip address 10.0.0.254 255.255.255.255
!
interface Ethernet0/1.2
 vrf forwarding RED
 ip address 192.168.100.1 255.255.255.0
!
vrf definition GREEN
 rd 3:3
 address-family ipv4
 address-family ipv6
!
ip local pool FlexPool_Green 10.0.0.0 10.0.0.250
!
interface Loopback3
 vrf forwarding GREEN
 ip address 10.0.0.254 255.255.255.255
!
interface Ethernet0/1.3
 vrf forwarding GREEN
 ip address 192.168.100.1 255.255.255.0
!
crypto ipsec transform-set default esp-aes 256 esp-sha-hmac
 mode tunnel
!
interface Virtual-Template1 type tunnel
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default

The only RA specific command

Page 62

Server Configuration – User Authorization Only: Option#1: Flat User Space – No group, no profile derivation

crypto ikev2 profile default
 match identity remote key-id FlexAnyConnect
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint anyconnect
 dpd 60 2 on-demand
 aaa authentication eap GroupAuth
 aaa authorization user eap cached
 aaa accounting eap Accounting
 virtual-template 1
!
aaa group server radius MyRADIUS
 server-private 192.168.100.254 auth-port 1812 acct-port 1813 key cisco123
!
aaa authentication login GroupAuth group MyRADIUS
aaa accounting network Accounting start-stop group MyRADIUS

IKE Identity: FlexAnyConnect (match identity remote key-id)

RADIUS Profiles:

Fred Cleartext-Password := "MyPassword"
 ip:interface-config="vrf forwarding BLUE"
 ip:interface-config="ip unnumbered Loopback1"
 ip:interface-config="service-policy output Silver"
 Framed-Pool=FlexPool_Blue

Anne Cleartext-Password := "HerPassword"
 ip:interface-config="vrf forwarding GREEN"
 ip:interface-config="ip unnumbered Loopback3"
 ip:interface-config="service-policy output Silver"
 Framed-Pool=FlexPool_Green

Page 63

Server Configuration with Static Group Profile Derivation: Option#2: Static IKEv2 ID Group Mapping

IKE Identity 1: FlexAnyConnect

crypto ikev2 profile FlexACBlue
 match identity remote key-id FlexAnyConnect
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint anyconnect
 dpd 60 2 on-demand
 aaa authentication eap UserAuth
 aaa authorization group eap list GroupAuth FlexGroupAC1
 aaa accounting eap Accounting
 virtual-template 1

IKE Identity 2: FlexAnyConnect2

crypto ikev2 profile FlexACGreen
 match identity remote key-id FlexAnyConnect2
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint anyconnect
 dpd 60 2 on-demand
 aaa authentication eap UserAuth
 aaa authorization user eap cached
 aaa authorization group eap list GroupAuth FlexGroupAC2
 aaa accounting eap Accounting
 virtual-template 1

aaa group server radius MyRADIUS
 server-private 192.168.100.254 auth-port 1812 acct-port 1813 key cisco123
!
aaa authentication login UserAuth group MyRADIUS
aaa authorization network GroupAuth group MyRADIUS
aaa accounting network Accounting start-stop group MyRADIUS

RADIUS Profiles:

FlexGroupAC1 Cleartext-Password := "cisco"
 ip:interface-config="vrf forwarding BLUE"
 ip:interface-config="ip unnumbered Loopback1"
 ip:interface-config="service-policy output Silver"
 framed-pool=FlexPool_Blue

FlexGroupAC2 Cleartext-Password := "cisco"
 ip:interface-config="vrf forwarding GREEN"
 ip:interface-config="ip unnumbered Loopback3"
 ip:interface-config="service-policy output Silver"
 framed-pool=FlexPool_Green

Page 64

Server Configuration with Dynamic Group Profile Derivation: Option#3: Dynamic Group – ID Suffix Points to Group (w/ group lock)

crypto ikev2 profile default
 match identity remote key-id FlexAnyConnect
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint anyconnect
 dpd 60 2 on-demand
 aaa authentication eap UserAuth
 aaa authorization user eap cached
 aaa authorization group eap list GroupAuth name-mangler GM
 aaa accounting eap Accounting
 virtual-template 1
!
aaa group server radius MyRADIUS
 server-private 192.168.100.254 auth-port 1812 acct-port 1813 key cisco123
!
aaa authentication login UserAuth group MyRADIUS
aaa authorization network GroupAuth group MyRADIUS
aaa accounting network Accounting start-stop group MyRADIUS
!
crypto ikev2 name-mangler GM
 eap suffix delimiter @

RADIUS User Profiles (keyed on the EAP Identity):

Fred@Blue Cleartext-Password := "MyPassword1"
 ip:interface-config="service-policy output Silver"

Anne@Red Cleartext-Password := "HerPassword"
 ip:interface-config="service-policy output Gold"

Fred@Green Cleartext-Password := "MyPassword2"
 ip:interface-config="service-policy output Bronze"

RADIUS Group Profiles:

Profile "Blue" / password "cisco"
 Framed-Pool=FlexPool-Blue
 ip:interface-config="vrf forwarding BLUE"
 ip:interface-config="ip unnumbered loopback 1"

Profile "Red" / password "cisco"
 Framed-Pool=FlexPool-Red
 ip:interface-config="vrf forwarding RED"
 ip:interface-config="ip unnumbered loopback 2"

Profile "Green" / password "cisco"
 Framed-Pool=FlexPool-Green
 ip:interface-config="vrf forwarding GREEN"
 ip:interface-config="ip unnumbered loopback 3"
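Group derivation with the two name-manglers shown in this deck, as an added example that is not part of the presentation and not Cisco code: `fqdn domain` from the VRF-injection hub (Option 2, spoke1.RED gives RED) and `eap suffix delimiter @` from the remote-access hub above (Option 3, Fred@Blue gives Blue), followed by the merge of the RADIUS user profile with the derived group profile. The precedence rule (user attributes win unless a group override is requested), the helper names and the profile contents are assumptions constructed from the slide.

```python
"""Group derivation with IKEv2 name-manglers and AAA user/group attribute merging.

Added example, not part of the presentation and not Cisco code. It models the
two manglers shown on the hub slides: 'fqdn domain' (identity spoke1.RED gives
group RED, Option 2 of VRF injection) and 'eap suffix delimiter @' (Fred@Blue
gives group Blue, Option 3 of remote access), then merges the RADIUS user
profile with the derived group profile into the attributes pushed to the
Virtual-Access. The precedence rule (user attributes win unless group override
is requested) and the profile contents are assumptions constructed from the slide.
"""
from typing import Dict, List, Optional


def mangle_fqdn_domain(fqdn: str) -> Optional[str]:
    """'crypto ikev2 name-mangler dom' with 'fqdn domain': everything after the first dot."""
    _host, sep, domain = fqdn.partition(".")
    return domain if sep and domain else None


def mangle_eap_suffix(eap_identity: str, delimiter: str = "@") -> Optional[str]:
    """'crypto ikev2 name-mangler GM' with 'eap suffix delimiter @': text after the delimiter."""
    _user, sep, suffix = eap_identity.partition(delimiter)
    return suffix if sep and suffix else None


# RADIUS entries constructed from the Option 3 slide. Values are the Cisco
# AV-pairs as written there; the user entry is keyed on the full EAP identity.
USER_PROFILES: Dict[str, dict] = {
    "Fred@Blue": {"password": "MyPassword1",
                  "interface_config": ["service-policy output Silver"]},
    "Anne@Red": {"password": "HerPassword",
                 "interface_config": ["service-policy output Gold"]},
    "Fred@Green": {"password": "MyPassword2",
                   "interface_config": ["service-policy output Bronze"]},
}
GROUP_PROFILES: Dict[str, dict] = {
    "Blue": {"Framed-Pool": "FlexPool-Blue",
             "interface_config": ["vrf forwarding BLUE", "ip unnumbered loopback 1"]},
    "Red": {"Framed-Pool": "FlexPool-Red",
            "interface_config": ["vrf forwarding RED", "ip unnumbered loopback 2"]},
    "Green": {"Framed-Pool": "FlexPool-Green",
              "interface_config": ["vrf forwarding GREEN", "ip unnumbered loopback 3"]},
}


class AuthorizationError(Exception):
    """Raised where IOS would fail EAP authentication or group authorization."""


def _command_key(command: str) -> str:
    # Two 'service-policy output ...' lines conflict; 'vrf forwarding' and
    # 'ip unnumbered' do not. Keying on the first two words captures that.
    return " ".join(command.split()[:2])


def merge_interface_config(group_cmds: List[str], user_cmds: List[str],
                           group_override: bool = False) -> List[str]:
    """Merge interface-config lines; on a conflicting command only the winner is kept."""
    winner, loser = (group_cmds, user_cmds) if group_override else (user_cmds, group_cmds)
    merged = {_command_key(c): c for c in loser}
    merged.update({_command_key(c): c for c in winner})
    return list(merged.values())


def authorize_remote_access(eap_identity: str, password: str,
                            group_override: bool = False) -> dict:
    """Attributes applied to the client's Virtual-Access for the Option 3 profile.

    EAP authenticates the full identity (aaa authentication eap UserAuth), the
    user attributes returned with it are kept (aaa authorization user eap cached),
    the group name comes from the mangler (aaa authorization group eap list
    GroupAuth name-mangler GM) and the group profile is fetched. Because the
    user entry is keyed on the full identity, Fred reaches Green only with the
    Fred@Green credentials: the suffix locks the user to that group.
    """
    user = USER_PROFILES.get(eap_identity)
    if user is None or user["password"] != password:
        raise AuthorizationError(f"EAP authentication failed for {eap_identity}")
    group = mangle_eap_suffix(eap_identity)
    if group is None:
        raise AuthorizationError(f"{eap_identity}: no '@' suffix, group authorization fails")
    profile = GROUP_PROFILES.get(group)
    if profile is None:
        raise AuthorizationError(f"{eap_identity}: group {group} not defined on RADIUS")
    return {
        "group": group,
        "framed_pool": profile["Framed-Pool"],
        "interface_config": merge_interface_config(
            profile["interface_config"], user["interface_config"], group_override),
    }


def try_authorize(eap_identity: str, password: str) -> Optional[dict]:
    """authorize_remote_access() that reports a failure as None instead of raising."""
    try:
        return authorize_remote_access(eap_identity, password)
    except AuthorizationError as exc:
        print("rejected:", exc)
        return None


if __name__ == "__main__":
    print(mangle_fqdn_domain("spoke1.RED"), mangle_fqdn_domain("Hub1.cisco.com"))
    for identity, pwd in [("Fred@Blue", "MyPassword1"), ("Anne@Red", "HerPassword"),
                          ("Fred@Green", "MyPassword1"), ("Fred", "MyPassword1")]:
        print(identity, try_authorize(identity, pwd))
```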

Page 65

AnyConnect Profile Example (part 1): For Laptops (PC, Mac, Linux)

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
    <ClearSmartcardPin UserControllable="true">false</ClearSmartcardPin>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="true">false</AutoUpdate>
    <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Disable
      <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
    </PPPExclusion>
    <EnableScripting UserControllable="true">true
      <TerminateScriptOnNextEvent>true</TerminateScriptOnNextEvent>
      <EnablePostSBLOnConnectScript>true</EnablePostSBLOnConnectScript>
    </EnableScripting>

For Your Reference

Page 66

AnyConnect Profile Example (part 2): For Laptops (PC, Mac, Linux)

    <EnableAutomaticServerSelection UserControllable="false">false
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>false</RetainVpnOnLogoff>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>AC Hub</HostName>
      <HostAddress>flexanyconnect.cisco.com</HostAddress>
      <PrimaryProtocol>IPsec
        <StandardAuthenticationOnly>true
          <AuthMethodDuringIKENegotiation>EAP-MD5</AuthMethodDuringIKENegotiation>
          <IKEIdentity>MyAnyConnect</IKEIdentity>
        </StandardAuthenticationOnly>
      </PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

For Your Reference

Page 67

MPLS over FlexVPN: LDP Free

Page 68

MPLS o Flex: Objective: end-to-end VRF separation

[Diagram: hubs 172.16.1.254 and 172.16.1.253 with three inside segments 192.168.100.0/24 (.2, .1); spokes with 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 (.1), each drawn once per VRF]

Page 69

MPLS VPN o Flex: Going LDP Free

[Diagram: hubs 172.16.1.254 and 172.16.1.253 with three inside segments 192.168.100.0/24 (.2, .1); spokes with 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 (.1), each drawn once per VRF]
Hub private interface(s) in inside VRF or MPLS
Virtual-Access interfaces in GRT, run MPLS
Spoke tunnels run MPLS
Private interfaces in VRF's
Tunnels create "back-to-back" links
LDP not needed !!

Page 70

MPLS VPN o Flex: Extreme Summarization

[Diagram: hub 172.16.1.254 with three inside segments 192.168.100.0/24 (.1); spokes with 192.168.1.0/24 and 192.168.2.0/24 (.1), each drawn once per VRF]

Local label bindings (Prefix / Nxt-hop / Label), one table per router and VRF on the slide:

192.168.1.0     -   31
192.168.1.0     -   41

192.168.0.0/16  -   30
192.168.0.0/16  -   40

192.168.2.0     -   32
192.168.2.0     -   42

Page 71

MPLS VPN o Flex: Summary Label Exchange

[Diagram: hub 172.16.1.254 with three inside segments 192.168.100.0/24 (.1); spokes with 192.168.1.0/24 and 192.168.2.0/24 (.1), each drawn once per VRF]

Label tables after the exchange (Prefix / Nxt-hop / Label):

Spoke side, 192.168.1.0/24:
192.168.1.0     -            31
192.168.0.0/16  10.0.0.254   30

192.168.1.0     -            41
192.168.0.0/16  10.0.0.254   40

Hub side:
192.168.1.0     10.0.0.1     31
192.168.2.0     10.0.0.2     32
192.168.0.0/16  -            30

192.168.1.0     10.0.0.1     41
192.168.2.0     10.0.0.2     42
192.168.0.0/16  -            40

Spoke side, 192.168.2.0/24:
192.168.2.0     -            32
192.168.0.0/16  10.0.0.254   30

192.168.2.0     -            42
192.168.0.0/16  10.0.0.254   40

Page 72

MPLS VPN o Flex: Hub & Spoke FIBs and LFIBs

[Diagram: spoke 1 (loopback 10.0.0.1) and hub (loopback 10.0.0.254); spoke LANs 192.168.1.0/24 and 192.168.2.0/24]

Spoke VRF FIBs:

Prefix           Adjacency
192.168.1.0/24   Glean (e0)
192.168.0.0/24   10.0.0.4 30

Prefix           Adjacency
192.168.1.0/24   Glean (e1)
192.168.0.0/24   10.0.0.4 40

Hub VRF FIBs:

Prefix           Adjacency
192.168.1.0/24   10.0.0.1 31
192.168.2.0/24   10.0.0.2 32

Prefix           Adjacency
192.168.1.0/24   10.0.0.1 41
192.168.2.0/24   10.0.0.2 42

LFIBs:

Loc.  Out I/F
30    POP VRF RED
31    POP VRF BLUE

Loc.  Out I/F
40    POP VRF RED
41    POP VRF BLUE

Spoke global FIB:

Prefix      Adjacency
10.0.0.254  Tunnel0 (Null)
0.0.0.0/0   Dialer0

Hub global FIB:

Prefix      Adjacency
10.0.0.1    VA-1 (Null)
10.0.0.2    VA-2 (Null)
0.0.0.0     Dialer0

Page 73

MPLS VPN o Flex: Spoke to Hub Packet Forwarding

[Diagram: hub 172.16.1.254 with LAN 192.168.100.0/24; spokes with LANs 192.168.1.0/24 and 192.168.2.0/24]

Ingress at spoke 1:

IP Packet S= 192.168.1.2 D= 192.168.2.2

Spoke 1 VRF FIB:

Prefix           Adjacency
192.168.1.0/24   Glean (e0)
192.168.0.0/16   10.0.0.254 30

Spoke 1 global FIB:

Prefix          Adjacency
10.0.0.1/32     For Us (lo0)
10.0.0.254/32   Impl-Null (Tun0)

On the tunnel:

GRE/IPsec | Label = 30 | IP Packet S= 192.168.1.2 D= 192.168.2.2

Hub LFIB:

Loc.  Out I/F
30    POP vrf RED
40    POP vrf BLUE

After the pop, in the hub VRF:

IP Packet S= 192.168.1.2 D= 192.168.2.2

Page 74

MPLS VPN o Flex: Hub to Spoke Packet Forwarding

[Diagram: hub 172.16.1.254 with LAN 192.168.100.0/24; spokes with LANs 192.168.1.0/24 and 192.168.2.0/24]

In the hub VRF:

IP Packet S= 192.168.1.2 D= 192.168.2.2

Hub VRF FIB:

Prefix           Adjacency
192.168.1.0/24   10.0.0.1 31
192.168.2.0/24   10.0.0.2 32
192.168.0.0/16   Glean (e0)

Hub global FIB:

Prefix        Adjacency
10.0.0.1/32   Impl-Null (VA1)
10.0.0.2/32   Impl-Null (VA2)

On the tunnel to spoke 2:

GRE/IPsec | Label = 32 | IP Packet S= 192.168.1.2 D= 192.168.2.2

Page 75

MPLS VPN o Flex: Spoke Packet Decap

[Diagram: hub 172.16.1.254 with LAN 192.168.100.0/24; spokes with LANs 192.168.1.0/24 and 192.168.2.0/24]

On the tunnel from the hub:

GRE/IPsec | Label = 32 | IP Packet S= 192.168.1.2 D= 192.168.2.2

Spoke 2 LFIB:

Loc.  Out I/F
32    POP vrf RED
42    POP vrf BLUE

Spoke 2 VRF FIB:

Prefix           Adjacency
192.168.2.0/24   e0/1.1
192.168.0.0/16   10.0.0.254 30

Delivered on the LAN:

IP Packet S= 192.168.1.2 D= 192.168.2.2

Hub & Spoke Only

MPLS FlexMesh in 3.11 (Nov 2013)
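The walk on slides 73 to 75 can be replayed in code. This Python model is an added illustration, not part of the deck: the table contents are transcribed from the slides (labels follow the 3x = RED / 4x = BLUE pattern of slides 71, 73 and 75), while the router names, the interface names Tun0/VA1/VA2 and the lookup logic are assumptions made here.

```python
import ipaddress

# Constructed model of slides 73-75: a packet from 192.168.1.2 (behind spoke 1, VRF RED)
# to 192.168.2.2 (behind spoke 2, VRF RED). Table contents come from the slides; the
# lookup logic is added here and is not code from the deck.
IMPL_NULL = "Impl-Null"

ROUTERS = {
    # vrf_fib: {vrf: [(prefix, BGP next hop or None if connected, VPN label)]}
    # global_fib: {next hop /32: (tunnel interface, transport label)}
    # lfib: {local label: (action, VRF to look up in after the pop)}
    "spoke1": {
        "vrf_fib": {"RED": [("192.168.1.0/24", None, None), ("192.168.0.0/16", "10.0.0.254", 30)]},
        "global_fib": {"10.0.0.254/32": ("Tun0", IMPL_NULL)},
        "lfib": {31: ("POP", "RED"), 41: ("POP", "BLUE")},
        "tunnels": {"Tun0": "hub"},
    },
    "hub": {
        "vrf_fib": {"RED": [("192.168.1.0/24", "10.0.0.1", 31), ("192.168.2.0/24", "10.0.0.2", 32)]},
        "global_fib": {"10.0.0.1/32": ("VA1", IMPL_NULL), "10.0.0.2/32": ("VA2", IMPL_NULL)},
        "lfib": {30: ("POP", "RED"), 40: ("POP", "BLUE")},
        "tunnels": {"VA1": "spoke1", "VA2": "spoke2"},
    },
    "spoke2": {
        "vrf_fib": {"RED": [("192.168.2.0/24", None, None), ("192.168.0.0/16", "10.0.0.254", 30)]},
        "global_fib": {"10.0.0.254/32": ("Tun0", IMPL_NULL)},
        "lfib": {32: ("POP", "RED"), 42: ("POP", "BLUE")},
        "tunnels": {"Tun0": "hub"},
    },
}

def longest_match(entries, dst):
    """Longest-prefix match of dst against a VRF FIB; returns (network, next hop, label)."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh, label in entries:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, label)
    return best

def forward(router, vrf, dst, hops=None):
    """Walk a packet hop by hop; each hop is (router, vrf, action, detail)."""
    hops = [] if hops is None else hops
    net, nh, label = longest_match(ROUTERS[router]["vrf_fib"][vrf], dst)
    if nh is None:                       # connected prefix: deliver on the LAN
        hops.append((router, vrf, "deliver", str(net)))
        return hops
    iface, transport = ROUTERS[router]["global_fib"][nh + "/32"]
    # The BGP next hop is the tunnel peer itself, so the transport label is implicit-null:
    # only the VPN label goes on the wire, which is why LDP is not needed on these tunnels.
    assert transport == IMPL_NULL
    hops.append((router, vrf, f"push {label}", iface))
    peer = ROUTERS[router]["tunnels"][iface]
    action, peer_vrf = ROUTERS[peer]["lfib"][label]
    hops.append((peer, None, f"{action} {label}", peer_vrf))
    return forward(peer, peer_vrf, dst, hops)
```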

Page 76

Hub VRFs and IKEv2 Profile: Detailed view

[Diagram: hub LANs 192.168.100.0/24]

vrf definition Blue
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 address-family ipv4
 address-family ipv6

vrf definition Red
 rd 2:2
 route-target export 2:2
 route-target import 2:2
 address-family ipv4
 address-family ipv6

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn hub1.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1

A vanilla IKEv2 Profile

Route-Targets allow BGP to map VRF prefixes between peers

Page 77

Hub Routing Configuration: BGP and Static Routes

[Diagram: hub LANs 192.168.100.0/24]

ip route 0.0.0.0 0.0.0.0 172.16.1.2
ip route vrf Blue 192.168.0.0 255.255.0.0 Null0
ip route vrf Red 192.168.0.0 255.255.0.0 Null0

router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/16 peer-group Flex
 neighbor Flex peer-group
 neighbor Flex remote-as 1
 neighbor Flex timers 5 15
 address-family vpnv4
  neighbor Flex activate
  neighbor Flex send-community extended
 address-family ipv4 vrf Blue
  network 192.168.0.0 mask 255.255.0.0
 address-family ipv4 vrf Red
  network 192.168.0.0 mask 255.255.0.0

interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 mpls bgp forwarding
 tunnel protection ipsec profile default

interface Ethernet0/0
 ip address 172.16.1.254 255.255.255.0

interface Loopback0
 ip address 10.0.0.254 255.255.255.255

The Magic Trick: Start MPLS forwarding without LDP

V-Access and Loopback in Global Routing Table

Activate VPNv4

Advertise each VRF

Page 78

Spoke VRFs and Interfaces: Detailed view

[Diagram: spoke LAN 192.168.1.0/24]

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn R2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default

Matches both hubs

vrf definition Blue
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 address-family ipv4
 address-family ipv6

vrf definition Red
 rd 2:2
 route-target export 2:2
 route-target import 2:2
 address-family ipv4
 address-family ipv6

Mind Hub-Spoke route-target correspondence
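The route-target correspondence the slide warns about can be checked mechanically before a spoke is deployed. This Python check is an added example, not part of the deck: it parses the vrf definition blocks of slides 76 and 78 (copied here as constructed strings, with one spoke import deliberately mis-typed) and reports a VRF whose spoke imports match none of the hub's exports, or a route-target imported by two VRFs on one router, which would merge Red and Blue routing.

```python
import re

# Constructed IOS snippets: the hub VRFs from slide 76, and a spoke whose Blue VRF
# has been deliberately mis-typed to import Red's route-target (2:2).
HUB_CFG = """vrf definition Blue
 rd 1:1
 route-target export 1:1
 route-target import 1:1
vrf definition Red
 rd 2:2
 route-target export 2:2
 route-target import 2:2"""

BAD_SPOKE_CFG = HUB_CFG.replace("route-target import 1:1", "route-target import 2:2")

def parse_vrfs(cfg):
    """Return {vrf: {"import": set(), "export": set()}} from 'vrf definition' blocks."""
    vrfs, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"vrf definition (\S+)", line)
        if m:
            cur = m.group(1)
            vrfs[cur] = {"import": set(), "export": set()}
            continue
        m = re.match(r"\s+route-target (import|export) (\S+)", line)
        if m and cur:
            vrfs[cur][m.group(1)].add(m.group(2))
    return vrfs

def check_rt_correspondence(hub_cfg, spoke_cfg):
    """List hub/spoke RT mismatches and RTs that would merge two VRFs on one router."""
    hub, spoke = parse_vrfs(hub_cfg), parse_vrfs(spoke_cfg)
    problems = []
    for vrf in sorted(set(hub) | set(spoke)):
        if vrf not in hub or vrf not in spoke:
            problems.append(f"{vrf}: defined on only one side")
            continue
        # BGP installs a VPNv4 prefix into a VRF only if that VRF imports an RT the peer exported.
        if not hub[vrf]["export"] & spoke[vrf]["import"]:
            problems.append(f"{vrf}: spoke imports none of the hub's exports")
        if not spoke[vrf]["export"] & hub[vrf]["import"]:
            problems.append(f"{vrf}: hub imports none of the spoke's exports")
    # Isolation: one RT imported by two VRFs on the same router merges their routes.
    for side, tables in (("hub", hub), ("spoke", spoke)):
        owner = {}
        for vrf, rts in tables.items():
            for rt in rts["import"]:
                if owner.setdefault(rt, vrf) != vrf:
                    problems.append(f"{side}: RT {rt} imported by {owner[rt]} and {vrf} (VRF leak)")
    return problems
```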

Page 79

Spoke Routing Configuration: BGP and Static Routes

[Diagram: spoke LAN 192.168.1.0/24]

ip route 0.0.0.0 0.0.0.0 172.16.2.2

router bgp 1
 bgp log-neighbor-changes
 neighbor Flex peer-group
 neighbor Flex remote-as 1
 neighbor Flex timers 5 15
 neighbor 10.0.0.253 peer-group Flex
 neighbor 10.0.0.254 peer-group Flex
 address-family vpnv4
  neighbor Flex send-community extended
  neighbor 10.0.0.253 activate
  neighbor 10.0.0.254 activate
 address-family ipv4 vrf Blue
  redistribute connected
  maximum-paths ibgp 2
 address-family ipv4 vrf Red
  redistribute connected
  maximum-paths ibgp 2

interface Tunnel0
 ip unnumbered Loopback0
 mpls bgp forwarding
 tunnel source Ethernet0/0
 tunnel destination 172.16.1.254
 tunnel protection ipsec profile default

interface Tunnel1
 ip unnumbered Loopback0
 mpls bgp forwarding
 tunnel source Ethernet0/0
 tunnel destination 172.16.1.253
 tunnel protection ipsec profile default

interface Ethernet0/0
 ip address 172.16.2.1 255.255.255.0

interface Loopback0
 ip address 10.0.0.2 255.255.255.255

Same as on Hub: Start MPLS forwarding without LDP

Tunnels and Loopback in Global Routing Table

Activate VPNv4

Advertise each VRF

WAN Interface can be in Front VRF

Page 80

Hub Routing Tables: FIB and LFIB

[Diagram: hub LANs 192.168.100.0/24]

Hub1#show ip cef vrf Red detail | s label
192.168.2.0/24, epoch 0, flags rib defined all labels
  recursive via 10.0.0.2 label 16
    attached to Virtual-Access2
192.168.3.0/24, epoch 0, flags rib defined all labels
  recursive via 10.0.0.3 label 16
    attached to Virtual-Access1

Hub1#show ip cef vrf Blue detail | s label
192.168.2.0/24, epoch 0, flags rib defined all labels
  recursive via 10.0.0.2 label 17
    attached to Virtual-Access2
192.168.3.0/24, epoch 0, flags rib defined all labels
  recursive via 10.0.0.3 label 17
    attached to Virtual-Access1

Hub1#show mpls forwarding-table
Local  Outgoing   Prefix        Bytes Label  Outgoing   Next Hop
Label  Label      or Tunnel Id  Switched     interface
16     Pop Label  IPv4 VRF[V]   0            aggregate/Red
17     Pop Label  IPv4 VRF[V]   0            aggregate/Blue

Page 81

Spoke Routing Tables: FIB and LFIB

[Diagram: spoke LAN 192.168.1.0/24]

Spoke1#show ip cef vrf Red detail | s label
192.168.0.0/16, epoch 0, flags rib defined all labels, per-destination sharing
  recursive via 10.0.0.253 label 16
    attached to Tunnel1
  recursive via 10.0.0.254 label 16
    attached to Tunnel0

Spoke1#show ip cef vrf Blue detail | s label
192.168.0.0/16, epoch 0, flags rib defined all labels, per-destination sharing
  recursive via 10.0.0.253 label 17
    attached to Tunnel1
  recursive via 10.0.0.254 label 17
    attached to Tunnel0

Spoke1#show mpls forwarding-table
Local  Outgoing   Prefix        Bytes Label  Outgoing   Next Hop
Label  Label      or Tunnel Id  Switched     interface
16     Pop Label  IPv4 VRF[V]   0            aggregate/Red
17     Pop Label  IPv4 VRF[V]   0            aggregate/Blue

Page 82

Wrapping up: A few things before we part

Page 83

Route Exchange Protocol Selection

Branch-Hub use case

IKEv2: Simple, large scale; Static (no redistribution IGP -> IKE); Simple branches (< 20 prefixes); Identity-based route filtering; Lossy networks; High density hubs

BGP: Simple to complex, large scale; Dynamic (redistribution IGP <-> BGP); Complex branches (> 20 prefixes); Powerful route filtering – not identity based; Lossy networks; High density hubs, up to 350K routes

EIGRP (not recommended at large scale): Simple to complex; Dynamic (redistribution IGP <-> IGP); Semi-complex branches (> 20 prefixes); Intermediate route filtering – not identity based; Lossless networks (very rare); < 5000 prefixes at hub

Hub-Hub use case

BGP: Large amount of prefixes (up to 1M); Road to scalability; Powerful route filtering

IGP (EIGRP, OSPF): < 5000 prefixes total; Perceived simplicity

Page 84

Scalability & performances

Release 3.5+, without QoS

Platform        Throughput (Max / IMIX)  Max tunnels (RP1 / RP2)  EIGRP neighbors                  BGP neighbors
ASR1001         1.8 / 1 Gbps             4000                     4000 (1000 recommended)          4000
ASR1002-F       1 / 0.8 Gbps             1000                     1000                             1000
ASR1000-ESP5    1.8 / 1 Gbps             1000                     1000                             1000
ASR1000-ESP10   4 / 2.5 Gbps             1000 / 4000              1000 / 4000 (1000 recommended)   1000 / 4000
ASR1000-ESP20   7 / 6 Gbps               1000 / 4000              1000 / 4000 (1000 recommended)   1000 / 4000
ASR1000-ESP40   11 / 7.4 Gbps            1000 / 4000              1000 / 4000 (1000 recommended)   1000 / 4000
ASR1000-ESP100  29 / 16 Gbps             -- / 4000                -- / 4000 (1000 recommended)     -- / 4000

Release 3.5, with QoS

Platform        Throughput (Max / IMIX)  Max tunnels (RP2 only)
ASR1001         1.8 / 1 Gbps             4000* (16K Queues)
ASR1000-ESP20   7 / 6 Gbps               4000 (128K Queues)
ASR1000-ESP40   11 / 7.4 Gbps            4000 (128K Queues)

Page 85

ISR G2 Scalability

Platform  SEC-K9 Recommended (tunnels)  SEC-K9 Max (tunnels)  SEC-K9 + HSEC-K9 Recommended (tunnels)  SEC-K9 + HSEC-K9 Max (tunnels)
3945E     Up to 225                     Up to 225             Up to 2000                              Up to 3000
3925E     Up to 225                     Up to 225             Up to 1500                              Up to 3000
3945      Up to 225                     Up to 225             Up to 1000                              Up to 2000
3925      Up to 225                     Up to 225             Up to 750                               Up to 1500
2951      Up to 225                     Up to 225             Up to 500                               Up to 1000
2921      Up to 225                     Up to 225             Up to 400                               Up to 900
2911      Up to 225                     Up to 225             (see note)                              (see note)
2901      Up to 150                     Up to 225             (see note)                              (see note)
1941      Up to 150                     Up to 225             (see note)                              (see note)
1921      TBD                           TBD                   (see note)                              (see note)

Note (2911 and smaller platforms): HSEC-K9 license does not apply since the max. encrypted tunnel count is below the restricted limits.

Page 86

ISR G2 Performances

Platform  SEC-K9 Recommended (Mbps)  SEC-K9 Max (Mbps)  SEC-K9 + HSEC-K9 Recommended (Mbps)  SEC-K9 + HSEC-K9 Max (Mbps)
3945E     Up to 170                  Up to 170          Up to 670                            Up to 1503
3925E     Up to 170                  Up to 170          Up to 477                            Up to 1497
3945      Up to 170                  Up to 170          Up to 179                            Up to 848
3925      Up to 154                  Up to 170          Up to 154                            Up to 770
2951      Up to 103                  Up to 170          Up to 103                            Up to 228
2921      Up to 72                   Up to 170          Up to 72                             Up to 207
2911      Up to 61                   Up to 164          (see note)                           (see note)
2901      Up to 53                   Up to 154          (see note)                           (see note)
1941      Up to 48                   Up to 156          (see note)                           (see note)
1921      Up to 44                   N/A                (see note)                           (see note)
891       Up to 66                   N/A                (see note)                           (see note)

Note (2911 and smaller platforms): HSEC-K9 license does not apply since the max. encrypted tunnel count is below the restricted limits.

Test conditions: 75% CPU, IMIX, IPsec/AES, single tunnel

Page 87

Maximize your Cisco Live experience with your free Cisco Live 365 account. Download session PDFs, view sessions on-demand and participate in live activities throughout the year. Click the Enter Cisco Live 365 button in your Cisco Live portal to log in.

Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Cisco Daily Challenge points for each session evaluation you complete.

Complete your session evaluation online now through either the mobile app or internet kiosk stations.

Page 88