advanced flexvpn designs
TRANSCRIPT
Advanced FlexVPN Designs BRKSEC-3013
Frederic Detienne
Distinguished Engineer
© 2013 Cisco and/or its affiliates. All rights reserved. BRKSEC-3013 Cisco Public
Agenda
FlexVPN brief recap
– IKEv2 + AAA
– Shortcut switching example
Per Tunnel QoS
Redundant FlexMesh
Remote Access
– AnyConnect 3.0 Mobile
– Multi-VRF and QoS
End-to-End VRF with MPLSoFlex
FlexVPN Recap IKEv2, Authentication and Authorization
Flex is IKEv2 Only – Why Flex now?
IKEv1: ISAKMP RFC2408, DOI RFC2407, IKE RFC2409, NAT-T, DPD, Mode-config
IKEv2: RFC5996
Same objectives: Authentication, Integrity, Privacy
More secure: Suite B, Anti-DoS
Authentication options: EAP, Hybrid Auth, PSK, RSA-Sig
Similar but different: uses UDP ports 500 & 4500; identity exchange is cleaner; Main + Aggressive modes replaced by the INITIAL exchanges; acknowledged notifications
Key IKEv2 Differentiators – this matters:
More Secure: Suite B, Anti-DoS
Authentication Options: EAP, Hybrid Auth, PSK, RSA-Sig
Similar but Different: Identity Exchange is Cleaner
FlexVPN Config
crypto ikev2 profile default
match identity remote fqdn domain cisco.com
identity local fqdn R1.cisco.com
authentication local rsa-sig
authentication remote eap
pki trustpoint TP sign
aaa authentication eap default
aaa authorization user eap
virtual-template 1
interface Virtual-Template1 type tunnel
ip unnumbered loopback0
tunnel protection ipsec profile default
tunnel mode ipsec ipv4
Use cases for this one configuration: Remote Access; Hub & Spoke; Interop & legacy crypto map peer (tunnel mode ipsec ipv4); Dual Stack v4/v6
ip nhrp network-id 1 (added on the Virtual-Template for Spoke-Spoke shortcut switching)
All IKEv2 parameters tunable “per-peer” via AAA
IKEv2 CLI Overview Proposal, Policy and Keyring
crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-128 3des
integrity sha512 sha256 sha1 md5
group 5 2
crypto ikev2 policy default
match fvrf any
proposal default
crypto ikev2 keyring IOSKeyring
peer cisco
address 10.0.1.1
pre-shared-key local CISCO
pre-shared-key remote OCSIC
crypto ikev2 authorization policy default
route set interface
route accept any
IKEv2 Proposal
IKEv2 Policy binds Proposal to peer L3 (match fvrf / local address)
Keyring supports asymmetric Pre-Shared-Keys
Authorization Policy for local AAA and Mode-Config exchange
IKEv2 CLI Overview IKEv2 Profile – extensive CLI
crypto ikev2 profile default
identity local address 10.0.0.1
identity local fqdn local.cisco.com
identity local email [email protected]
identity local dn
match identity remote address 10.0.1.1
match identity remote fqdn remote.cisco.com
match identity remote fqdn domain cisco.com
match identity remote email [email protected]
match identity remote email domain cisco.com
match certificate certificate_map
match fvrf red
match address local 172.168.1.1
authentication local pre-share
authentication local rsa-sig
authentication local eap
authentication remote pre-share
authentication remote rsa-sig
authentication remote eap
keyring local IOSKeyring
keyring aaa AAAlist
pki trustpoint <trustpoint_name>
Matching on peer identity or certificate
Matching on local address and front VRF
Self Identity Control
Asymmetric local and remote authentication methods
IOS based and AAA based Pre-Shared Keyring
IKEv2 Basic Negotiation
Initiator → Responder: HDR, SAi1, KEi, Ni
Responder → Initiator: HDR, SAr1, KEr, Nr, [Certreq]
Initiator → Responder: HDR, SK {IDi, [Cert], [Certreq], [IDr], AUTH, SAi2, TSi, TSr}
Responder → Initiator: HDR, SK {IDr, [Cert], AUTH, SAr2, TSi, TSr}
HDR – IKE Header
SA[i/r] – cryptographic algorithms the peer proposes/accepts
KE[i/r] – Initiator/Responder Key Exchange material
N[i/r] – Initiator/Responder Nonce
SK – payload encrypted and integrity protected
ID[i/r] – Initiator/Responder Identity
Cert(req) – Certificate (request)
AUTH – Authentication data
SAi2/SAr2 – SA payload with Proposal and Transform info to create the first CHILD_SA
TS[i/r] – Traffic Selectors (src/dst proxies)
IKEv2 Profile Match Statements
HDR, SK {IDi, [Cert], [Certreq], [IDr], AUTH, SAi2, TSi, TSr}
IDi examples: address 172.16.0.1; fqdn router.cisco.com; …
Certificate fields: SubjectName (CN=RouterName, O=Cisco, OU=Engineering); IssuerName (CN=PKI Server, O=Cisco, OU=IT)
match identity remote address
match identity remote fqdn
match identity remote email
match certificate <certificate map>
IPsec CLI Overview Tunnel Protection similar to DMVPN and EasyVPN
crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
crypto ipsec profile default
set transform-set default
set ikev2-profile default
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel protection ipsec profile default
interface Tunnel0
ip address 10.0.0.1 255.255.255.252
tunnel source Ethernet0/0
tunnel destination 172.16.2.1
tunnel protection ipsec profile default
IPsec profile defines SA parameters and points to the IKEv2 profile
Transform set unchanged
Tunnel protection links the interface to the IPsec profile
Virtual-Template: dynamic point-to-point interfaces
Tunnel0: static point-to-point interfaces
Introducing Smart Defaults Intelligent, reconfigurable defaults
crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
crypto ipsec profile default
set transform-set default
set ikev2-profile default
crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-128 3des
integrity sha512 sha256 sha1 md5
group 5 2
crypto ikev2 policy default
match fvrf any
proposal default
crypto ikev2 authorization policy default
route set interface
route accept any
What you need to specify:
crypto ikev2 profile default
match identity remote address 10.0.1.1
authentication local rsa-sig
authentication remote rsa-sig
aaa authorization user cert list default default
pki trustpoint TP
!
interface Tunnel0
ip address 192.168.0.1 255.255.255.252
tunnel protection ipsec profile default
These constructs are the Smart Defaults
Reconfigurable Defaults All defaults can be modified, deactivated and restored
Modifying defaults
crypto ikev2 proposal default
encryption aes-cbc-128
integrity md5
crypto ipsec transform-set default esp-aes 256 esp-sha-hmac
Restoring defaults
default crypto ikev2 proposal
default crypto ipsec transform-set
Disabling defaults
no crypto ikev2 proposal default
no crypto ipsec transform-set default
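Added example (not from the Cisco deck and not IOS code): a small Python audit of the proposal and transform-set blocks shown on these Smart Defaults slides. The default proposal offers aes-cbc-256 aes-cbc-128 3des / sha512 sha256 sha1 md5 / group 5 2, and in IKEv2 the responder may pick any combination both sides list, so a peer that prefers 3DES, MD5 and DH group 2 will simply be given them. The script parses the blocks and flags those algorithms so that the default is overridden deliberately (`crypto ikev2 proposal default` as above) rather than left in place. The weak-algorithm table and the sample configuration are assumptions for illustration.

```python
"""Audit IKEv2 proposals and IPsec transform-sets in an IOS config snippet.

Added example, not from the Cisco deck and not IOS code. The weak-algorithm
table and SAMPLE_CONFIG are constructed for illustration.
"""
import re

# Algorithm -> reason it should not be negotiated (assumed policy).
WEAK = {
    "encryption": {"3des": "64-bit block cipher", "des": "56-bit key"},
    "integrity": {"md5": "broken hash", "sha1": "deprecated hash"},
    "prf": {"md5": "broken hash", "sha1": "deprecated hash"},
    "group": {"1": "768-bit MODP", "2": "1024-bit MODP", "5": "1536-bit MODP"},
    "transform": {
        "esp-des": "56-bit key",
        "esp-3des": "64-bit block cipher",
        "esp-md5-hmac": "broken hash",
        "esp-sha-hmac": "SHA-1 HMAC; prefer esp-sha256-hmac",
    },
}

# Constructed sample: the Smart Defaults plus one hardened and one legacy entry.
SAMPLE_CONFIG = """\
crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha512 sha256 sha1 md5
 group 5 2
crypto ikev2 proposal strong
 encryption aes-gcm-256
 prf sha512
 group 19 20
crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
crypto ipsec transform-set legacy esp-3des esp-md5-hmac
"""


def parse_blocks(config):
    """Return {(kind, name): {keyword: [values]}} for proposals and transform-sets."""
    blocks = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"crypto ikev2 proposal (\S+)\s*$", line)
        if m:
            current = ("proposal", m.group(1))
            blocks[current] = {}
            continue
        m = re.match(r"crypto ipsec transform-set (\S+)\s+(.+)$", line)
        if m:
            # Transform-set algorithms live on the same line as the name.
            current = None
            blocks[("transform-set", m.group(1))] = {"transform": m.group(2).split()}
            continue
        if current is not None and line.startswith(" "):
            keyword, *values = line.split()
            blocks[current].setdefault(keyword, []).extend(values)
        else:
            current = None  # any other top-level line ends the proposal block
    return blocks


def audit(config):
    """List every weak algorithm found, as (kind, name, keyword, algorithm, reason)."""
    findings = []
    for (kind, name), attrs in parse_blocks(config).items():
        for keyword, values in attrs.items():
            for value in values:
                reason = WEAK.get(keyword, {}).get(value)
                if reason:
                    findings.append((kind, name, keyword, value, reason))
    return findings


def clean_names(config):
    """Names of proposals/transform-sets with no weak algorithm at all."""
    flagged = {(k, n) for k, n, *_ in audit(config)}
    return sorted(n for (k, n) in parse_blocks(config) if (k, n) not in flagged)


if __name__ == "__main__":
    for kind, name, keyword, alg, reason in audit(SAMPLE_CONFIG):
        print(f"{kind} {name}: {keyword} {alg} -> {reason}")
    print("clean:", clean_names(SAMPLE_CONFIG))
```

Run against the output of `show running-config | section crypto` to see which of the defaults a box would still accept; everything the audit prints for `default` is negotiable until the proposal or transform-set is modified or disabled as on the slide.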
Simple Hub & Spoke – Network Diagram
192.168.100.0/24
.1
172.16.0.1
.254
Virtual-Access Interfaces
Static Tunnel Interface
Hub & Spoke – Hub configuration IKE Routing, Hybrid Auth, AAA Keyring
192.168.100.0/24 .1
aaa group server radius radius
server-private 192.168.100.254
auth-port 1812 acct-port 1813
key cisco123
crypto ikev2 name-mangler extract-host
fqdn hostname
aaa authorization network default group radius
aaa accounting network default start-stop
… group radius
crypto ikev2 profile default
match identity remote fqdn domain cisco.com
identity local dn
authentication local rsa-sig
authentication remote pre-share
keyring aaa default name-mangler extract-host
pki trustpoint CA
aaa authorization user psk cached
virtual-template 1
interface virtual-template1 type tunnel
ip unnumbered loopback0
tunnel protection ipsec profile default
Per User Authorization
172.16.0.1
.254
Profile: R1 / Password=“cisco”
ipsec:ikev2-password-remote=xyz
framed-ip=10.0.0.1
ipsec:route-set=interface
ipsec:route-set=prefix 192.168.0.0/16
ipsec:route-accept=any
192.168.1.0/24 .1
PSK on RADIUS
Summary protected prefix
Creates Virtual-
Access from Virtual-
Template
Framed Address
Hybrid Authentication
Peer Pre-Shared Key
Hub & Spoke – Spoke configuration
192.168.100.0/24 .1
172.16.0.1
access-list 99 permit 192.168.1.0 0.0.0.255
crypto ikev2 authorization policy default
[route set interface]
route set access-list 99
crypto ikev2 keyring KR
peer HUB
address 172.16.0.1
pre-shared-key local xyz
aaa authorization network default local
crypto ikev2 profile default
match certificate HUBMAP
identity local fqdn R3-Spoke.cisco.com
authentication remote rsa-sig
authentication local pre-share
keyring local KR
pki trustpoint CA
aaa authorization group cert list default default
interface Tunnel0
ip address negotiated
tunnel source FastEthernet0/0
tunnel destination 172.16.0.1
tunnel protection ipsec profile default
Activate config-exchange
IP address assigned by hub
.254
192.168.1.0/24 .1
Tunnel initiates
automatically
Spoke protected subnet
IKEv2 routing
Hybrid Authentication
Local Keyring
Hub & Spoke – Config Exchange
SA Prop (AES-256, SHA-1, DH 5), KEi, Ni
SA Prop (AES-256, SHA-1, DH 5), KEr, Nr
192.168.100.0/24 .1
Ethernet0/0: 172.16.1.1
Ethernet0/1: 192.168.1.1
Tunnel0:
172.16.0.1/32 172.16.1.254 (E0/0)
Ethernet0/0: 172.16.0.1
Ethernet0/1: 192.168.100.1
Loopback0: 10.0.0.254/32
172.16.0.1 172.16.1.1
0.0.0.0/0 172.16.0.254 (E0/0)
192.168.100.0/24 Ethernet 0/1
IDi=R1.cisco.com, Auth, TSi, TSr,
CFG_Req(IP4_ADDRESS, IP4_NETWORK…)
IDr, cert, Auth, TSi, TSr,
CFG_Reply(IP4_ADDRESS=10.0.0.1,
IP4_SUBNET=192.168.0.0/16,
IP4_SUBNET=10.0.0.254/32)
CFG_set(IP4_SUBNET=10.0.0.1/32,
IPV4_SUBNET=192.168.1.0/24)
CFG_ack()
10.0.0.1
192.168.0.0/16 Tunnel 0 10.0.0.254/32 Tunnel 0
192.168.1.0/24 VirtualAccess1 10.0.0.1/32 VirtualAccess1
VirtualAccess1: 10.0.0.254/32
.254
RADIUS user profile: user=R1 Password=cisco ikev2-password-remote=xyz framed-ip=10.0.0.1 ipsec:route-set=192.168.0.0/16 ipsec:route-set=interface
192.168.1.0/24 .1
Hub & Spoke – Profile derivation step-by-step
keyring aaa <list> name-mangler <m>
ipsec:ikev2-password-remote=xyz
ip:interface-config=service-policy out PM
framed-ip=10.0.0.1
ipsec:route-set=interface
ipsec:route-set=prefix 192.168.0.0/16
ipsec:route-accept=any
R1
R1.cisco.com access-request R1
aaa authorization user psk cached
AAA profile
access-accept R1
IDi=R1.cisco.com, Auth, TSi, TSr,
CFG_Req(IP4_ADDRESS, IP4_NETWORK…)
Auth
IDr, cert, Auth, TSi, TSr,
CFG_Reply(IP4_ADDRESS=10.0.0.1,
IP4_SUBNET=192.168.0.0/16,
IP4_SUBNET=10.0.0.254/32)
Virtual-Template → Virtual-Access
OK
User Profile
Generic Profile Derivation Expanded Example (not recommended)
keyring aaa <list> name-mangler <m>
…
Profile 1
R1.cisco.com
Fetch Profile
aaa authorization user psk <list>
Authen. profile
IDi=R1.cisco.com, Auth, TSi, TSr,
CFG_Req(IP4_ADDRESS, IP4_NETWORK…)
Auth
IDr, cert, Auth, TSi, TSr,
CFG_Reply(IP4_ADDRESS=10.0.0.1,
IP4_SUBNET=0.0.0.0/0,
IP4_SUBNET=10.0.0.254/32)
Virtual-Template Virtual-Access
OK
Final Profile
aaa authorization group psk <list> G
Group profile
Fetch Profile
…
Profile 2
Fetch Profile
…
Profile 3
User profile
User profile: only for authentication
Activate config-exchange
Profiles on Hub or on RADIUS (or a mix)
On Hub
Selects
IKEv2 profile
AAA CLI summary user, group
keyring aaa <list> [name-mangler <mangler>]
aaa authentication eap <list>
aaa authorization user psk cached
aaa authorization user psk list <list> {<name> | name-mangler <mangler>}
aaa authorization group psk list <list> {<name> | name-mangler <mangler>}
aaa authorization user eap cached
aaa authorization user eap list <list> {<name> | name-mangler <mangler>}
aaa authorization group eap [override] list <list> {<name> | name-mangler <mangler>}
aaa authorization user cert list <list> {<name> | name-mangler <mangler>}
aaa authorization group cert [override] list <list> {<name> | name-mangler <mangler>}
interface virtual-template 1 type tunnel
ip unnumbered loopback0
tunnel protection ipsec profile default
keyring aaa: fetches the PSK in the profile (profile password: cisco)
aaa authentication eap: authentication against the RADIUS server
user … cached: re-use the authentication profile (no new query)
user … list: fetch a new profile (new query; profile password: cisco)
group … list: fetch a new profile (new query; profile password: cisco); with override, group overrides user authorization
Profile source can be RADIUS or local
Virtual-Template configuration always overridden by AAA
For Your Reference
Name-mangler CLI summary Turns pieces of identity into strings
crypto ikev2 name-mangler <mangler>
dn {all | common-name | organization | organization-unit |…}
eap {all | prefix | suffix | dn {common-name | organization | organization-unit}}
email {all | domain | username}
fqdn {all | domain | hostname}
Example identity (FQDN): vpn.cisco.com
crypto ikev2 name-mangler mangler
fqdn domain
Result: cisco.com
For Your Reference
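Added example (not from the deck and not IOS code) covering both the AAA CLI summary and the name-mangler summary above: a Python model of how a name-mangler turns one piece of the peer's IKEv2 identity (FQDN hostname/domain, e-mail username/domain, DN common-name/organization/organization-unit) into the AAA profile name, and how the user and group profiles fetched with those names are combined, with the group attributes winning only when `override` is configured. The in-memory PROFILES store stands in for RADIUS or local AAA; the attribute names follow the slides, while the merge rule and the profile contents are assumptions for illustration.

```python
"""Name-mangler extraction and user/group authorization merge, modelled in Python.

Added example, not from the Cisco deck and not IOS code. PROFILES and the
merge rule in derive() are assumptions standing in for RADIUS/local AAA.
"""

# Mangler "part" keywords for DN identities, as on the name-mangler slide.
DN_PARTS = {"common-name": "CN", "organization": "O", "organization-unit": "OU"}


def name_mangle(id_type, identity, part):
    """Return the string a `crypto ikev2 name-mangler` would extract."""
    if part == "all":
        return identity
    if id_type == "fqdn":
        host, _, domain = identity.partition(".")
        return {"hostname": host, "domain": domain}[part]
    if id_type == "email":
        user, _, domain = identity.partition("@")
        return {"username": user, "domain": domain}[part]
    if id_type == "dn":
        rdns = {}
        for rdn in identity.split(","):
            key, _, value = rdn.strip().partition("=")
            rdns[key.upper()] = value
        return rdns[DN_PARTS[part]]
    raise ValueError(f"unsupported identity type {id_type}")


# Constructed profile store: keys are what the manglers produce.
PROFILES = {
    # user profile, keyed by FQDN hostname (aaa authorization user psk list ... name-mangler)
    "R1": {
        "ipsec:ikev2-password-remote": "xyz",
        "framed-ip": "10.0.0.1",
        "ipsec:route-set": ["interface", "prefix 192.168.0.0/16"],
        "ip:interface-config": ["service-policy out Gold"],
    },
    # group profile, keyed by FQDN domain (aaa authorization group psk list ... name-mangler)
    "cisco.com": {
        "ipsec:route-accept": "any",
        "ip:interface-config": ["service-policy out Silver"],
    },
}


def fetch(name):
    """One AAA query (RADIUS access-request or local lookup); None if unknown."""
    return PROFILES.get(name)


def derive(user_profile, group_profile, override=False):
    """Merge user and group attributes.

    Assumed rule, following the slide's note "group overrides user
    authorization" for the `override` keyword: without override the user
    attribute wins on conflict; with override the group attribute wins.
    """
    merged = dict(user_profile or {})
    for key, value in (group_profile or {}).items():
        if override or key not in merged:
            merged[key] = value
    return merged


def authorize(identity, user_part="hostname", group_part="domain", override=False):
    """End-to-end: mangle an FQDN identity, fetch both profiles, merge them."""
    user_name = name_mangle("fqdn", identity, user_part)
    group_name = name_mangle("fqdn", identity, group_part)
    return derive(fetch(user_name), fetch(group_name), override)


def peer_psk(profile):
    """What `keyring aaa` would hand to IKEv2 as the remote pre-shared key."""
    return profile.get("ipsec:ikev2-password-remote")


if __name__ == "__main__":
    p = authorize("R1.cisco.com")
    print("PSK:", peer_psk(p), "QoS:", p["ip:interface-config"])
    print("with override:", authorize("R1.cisco.com", override=True)["ip:interface-config"])
```

The unknown-peer case matters for the hybrid-auth design on the hub slides: a spoke whose hostname has no user profile still gets the group attributes, but no `ipsec:ikev2-password-remote`, so IKEv2 has no PSK for it and authentication fails closed rather than falling back to a shared group secret.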
Per Tunnel QoS Centrally Managed
The need for QoS Introducing the Greedy Spoke
QoS needed for:
– Sharing network bandwidth
– Marshaling bandwidth usage of applications
– Meeting application latency & speed requirements
Hub
Spoke 1
(greedy)
CE 1
Spoke 2 Spoke 3
Crypto engine or WAN link Interface w/ limited downstream rate
Packets are lost, AND
other spokes are starved
Packets are lost
Most common problem
Provisioning Per Tunnel QoS Central and Distributed Models
192.168.100.0/24 .1
172.16.0.1
.254
Policy Maps
defined on Hub
Option #1: Service Policy on Virtual-Template
Option #2: Central Service Policy enforcement by AAA
Some spokes with high
bandwidth
Some spokes with low
bandwidth
Hierarchical Shaper Each Hub V-Access Needs Its Own Policy
Parent Shaper limits total Bandwidth
Bandwidth Reservation
Low Latency Queuing
Fair Queuing
class-map Control
match ip precedence 6
class-map Voice
match ip precedence 5
policy-map SubPolicy
class Control
bandwidth 20
class Voice
priority percent 60
policy-map Silver
class class-default
shape average 1000000
service-policy SubPolicy
policy-map Gold
class class-default
shape average 5000000
service-policy SubPolicy
Step 1 – Define Policy Map(s)
1Mbps to each tunnel
20Kbps Guaranteed to Control
60% of Bandwidth for Voice
5Mbps to each tunnel
Step 2a – Per Peer QoS Mapping Peer and QoS via AAA
Profile “Router1” / password “cisco”
ipsec:route-accept=any
ipsec:route-set=interface
…
ip:interface-config=“service-policy out Gold”
Profile “Router2” / password “cisco”
ipsec:route-accept=any
ipsec:route-set=interface
…
ip:interface-config=“service-policy out Silver”
Profile “Router3” / password “cisco”
ipsec:route-accept=any
ipsec:route-set=interface
…
ip:interface-config=“service-policy out Silver”
crypto ikev2 profile default
match identity fqdn domain
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint CA
dpd 10 2 on-demand
aaa authorization user cert list default name-mangler CN
virtual-template 1
interface virtual-template1 type tunnel
ip unnumbered loopback0
tunnel protection ipsec profile default
crypto pki certificate map Cisco 10
subject-name co o=Cisco
crypto ikev2 name-mangler CN
dn common-name
RADIUS Profiles
Single vanilla IKEv2 Profile for Everyone
Plain simple Virtual-Template
Common Name to retrieve AAA profile
Step 2b – Per Group QoS Group Based via Local Config
crypto ikev2 profile Gold
match certificate GoldCertMap
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint CA
dpd 10 2 on-demand
aaa authorization group cert list default default
virtual-template 1
interface virtual-template1 type tunnel
ip unnumbered loopback0
service-policy output Gold
tunnel protection ipsec profile default
crypto pki certificate map GoldCertMap 10
subject-name co ou=Gold
crypto ikev2 profile Silver
match certificate SilverCertMap
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint CA
dpd 10 2 on-demand
aaa authorization group cert list default default
virtual-template 2
interface virtual-template2 type tunnel
ip unnumbered loopback0
service-policy output Silver
tunnel protection ipsec profile default
crypto pki certificate map SilverCertMap 10
subject-name co ou=Silver
Virtual-Template with dedicated QoS config
Create V-Access from dedicated V-Template
Org. Unit used for group mapping
Unlink IPsec profile from IKEv2 profile.
Different in 3.10 – Jul’13
AAA for config exchange only
Dedicated IKEv2 profile for group
crypto ipsec profile default
no set ikev2-profile default
FlexMesh with Redundancy Aka Shortcut Switching
FlexMesh – Network Diagram With Hub Resiliency
192.168.100.0/24
.1
172.16.0.1
.254 Virtual-Access Interfaces
Static Tunnel Interface
Virtual-Access Interfaces
172.16.0.2
.2
Hub & Spoke bootstrap – Config Exchange
192.168.100.0/24
.1
Ethernet0/0: 172.16.1.1
Ethernet0/1: 192.168.1.1
Tunnel0:
172.16.0.1/32 172.16.1.254 (E0/0)
Ethernet0/0: 172.16.0.1
Ethernet0/1: 192.168.100.1
Loopback0: 10.0.0.254/32
172.16.0.1 172.16.1.1
0.0.0.0/0 172.16.0.254 (E0/0)
192.168.100.0/24 Ethernet 0/1
IDi=Spoke1.cisco.com, Auth, TSi, TSr,
CFG_Req(IP4_NETWORK…)
IDr, cert, Auth, TSi, TSr,
CFG_Reply(IP4_SUBNET=10.0.0.254/32)
CFG_set(IP4_SUBNET=10.0.0.1/32)
CFG_ack()
10.0.0.1
10.0.0.254/32 Tunnel 0
10.0.0.1/32 VirtualAccess1
VirtualAccess1: 10.0.0.254/32
.254
192.168.1.0/24
SA Prop (AES-256, SHA-1, DH 5), KEi, Ni
SA Prop (AES-256, SHA-1, DH 5), KEr, Nr
IKE & BGP Exchange Routes
Spoke 1
192.168.1.0/24
Physical: 172.16.1.1
Tunnel: 10.0.0.1
Physical: 172.16.2.1
Tunnel: 10.0.0.2
Physical: 172.16.0.1
Tunnel: 10.0.0.254
NHRP table
- NHRP table
-
Spoke 2
192.168.2.0/24
Routing table
C 10.0.0.254 Loopback0
C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Tunnel100
S 10.0.0.0/8 Tunnel100
S 10.0.0.1 V-Access1
B 192.168.1.0/24 V-Access1
Routing table
C 192.168.1.0/24 Eth0
C 10.0.0.1 Tunnel0
S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0
B 192.168.0.0/16 Tunnel0
Routing table
C 192.168.2.0/24 Eth0
C 10.0.0.2 Tunnel1
S 0.0.0.0/0 Dialer0
S 10.0.0.253/32 Tunnel1
B 192.168.0.0/16 Tunnel1
Hub 1
.1
Physical: 172.16.0.2
Tunnel: 10.0.0.253
192.168.100.0/24
Routing table
C 10.0.0.253 Loopback0
C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Tunnel100
S 10.0.0.0/8 Tunnel100
S 10.0.0.2 V-Access1
B 192.168.2.0/24 V-Access1
Hub 2
.2
Tunnel 100
Shortcut Switching (1)
Spoke 1
192.168.1.0/24
Physical: 172.16.1.1
Tunnel: 10.0.0.1
Physical: 172.16.2.1
Tunnel: 10.0.0.2
Physical: 172.16.0.1
Tunnel: 10.0.0.254
NHRP table
- NHRP table
-
Spoke 2
192.168.2.0/24
Routing table
C 10.0.0.254 Loopback0
C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Tunnel100
S 10.0.0.0/8 Tunnel100
S 10.0.0.1 V-Access1
B 192.168.1.0/24 V-Access1
Routing table
C 192.168.1.0/24 Eth0
C 10.0.0.1 Tunnel0
S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0
B 192.168.0.0/16 Tunnel0
Routing table
C 192.168.2.0/24 Eth0
C 10.0.0.2 Tunnel1
S 0.0.0.0/0 Dialer0
S 10.0.0.253/32 Tunnel1
B 192.168.0.0/16 Tunnel1
Physical: 172.16.0.2
Tunnel: 10.0.0.253
192.168.100.0/24
Routing table
C 10.0.0.253 Loopback0
C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Tunnel100
S 10.0.0.0/8 Tunnel100
S 10.0.0.2 V-Access1
B 192.168.2.0/24 V-Access1
Hub 1
.1 Hub 2
.2
Shortcut Switching (2)
Spoke 1
192.168.1.0/24
Physical: 172.16.1.1
Tunnel: 10.0.0.1
Physical: 172.16.2.1
Tunnel: 10.0.0.2
Physical: 172.16.0.1
Tunnel: 10.0.0.254
NHRP table
10.0.0.1 172.16.1.1 NHRP table
10.0.0.2/32 172.16.2.1
192.168.2.0/24 172.16.2.1 Spoke 2
192.168.2.0/24
Routing table
C 10.0.0.254 Loopback0
C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Tunnel100
S 10.0.0.0/8 Tunnel100
S 10.0.0.1 V-Access1
B 192.168.1.0/24 V-Access1
Routing table
C 192.168.1.0/24 Eth0
C 10.0.0.1 Tunnel0
S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0
B 192.168.0.0/16 Tunnel0
S 10.0.0.2/32 V-Access1
H 192.168.2.0/24 V-Access1
Routing table
C 192.168.2.0/24 Eth0
C 10.0.0.2 Tunnel1
S 0.0.0.0/0 Dialer0
S 10.0.0.253/32 Tunnel1
B 192.168.0.0/16 Tunnel1
S 10.0.0.1/32 V-Access1
Physical: 172.16.0.2
Tunnel: 10.0.0.253
192.168.100.0/24
Routing table
C 10.0.0.253 Loopback0
C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Tunnel100
S 10.0.0.0/8 Tunnel100
S 10.0.0.2 V-Access1
B 192.168.2.0/24 V-Access1
Hub 1
.1 Hub 2
.2
Resolution
(192.168.2.2)
Resolution Reply
(192.168.2.0/24)
Shortcut Switching (3)
Spoke 1
192.168.1.0/24
Physical: 172.16.1.1
Tunnel: 10.0.0.1
Physical: 172.16.2.1
Tunnel: 10.0.0.2
Physical: 172.16.0.1
Tunnel: 10.0.0.254
NHRP table
10.0.0.1 172.16.1.1 NHRP table
10.0.0.2/32 172.16.2.1
192.168.2.0/24 172.16.2.1 Spoke 2
192.168.2.0/24
Routing table
C 10.0.0.254 Loopback0
C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Tunnel100
S 10.0.0.0/8 Tunnel100
S 10.0.0.1 V-Access1
B 192.168.1.0/24 V-Access1
Routing table
C 192.168.1.0/24 Eth0
C 10.0.0.1 Tunnel0
S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0
B 192.168.0.0/16 Tunnel0
S 10.0.0.2/32 V-Access1
H 192.168.2.0/24 V-Access1
Routing table
C 192.168.2.0/24 Eth0
C 10.0.0.2 Tunnel1
S 0.0.0.0/0 Dialer0
S 10.0.0.253/32 Tunnel1
B 192.168.0.0/16 Tunnel1
S 10.0.0.1/32 V-Access1
Physical: 172.16.0.2
Tunnel: 10.0.0.253
192.168.100.0/24
Routing table
C 10.0.0.253 Loopback0
C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Tunnel100
S 10.0.0.0/8 Tunnel100
S 10.0.0.2 V-Access1
B 192.168.2.0/24 V-Access1
Hub 1
.1 Hub 2
.2
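Added example (not from the deck and not IOS code): a Python replay, with longest-prefix-match routing tables, of what the three Shortcut Switching slides show from Spoke 1's point of view. Traffic to 192.168.2.2 first follows the BGP summary 192.168.0.0/16 through Hub 1; the hub's `ip nhrp redirect` tells the spoke a shortcut exists, the NHRP resolution reply from Spoke 2 installs an 'H' route for 192.168.2.0/24 plus a /32 to the peer's overlay address, and from then on the more specific route wins and traffic takes the spoke-spoke Virtual-Access. Addresses are the deck's; the table layout and the single `resolution_reply` call (which stands in for the redirect, resolution request, IKEv2 session to 172.16.2.1 and reply) are simplifications.

```python
"""Forwarding-state model of the FlexMesh shortcut-switching sequence.

Added example, not from the Cisco deck and not IOS code. Addresses are the
deck's; the Rib/Spoke classes and resolution_reply() are a simplified model.
"""
import ipaddress


class Rib:
    """Tiny routing table: prefix -> (source code, outgoing interface)."""

    def __init__(self):
        self.routes = {}

    def add(self, prefix, source, iface):
        self.routes[ipaddress.ip_network(prefix, strict=False)] = (source, iface)

    def lookup(self, dst):
        """Longest-prefix match; returns (prefix, source, iface) or None."""
        ip = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if ip in n]
        if not matches:
            return None
        best = max(matches, key=lambda n: n.prefixlen)
        return (str(best),) + self.routes[best]


class Spoke:
    """A spoke as on the slides: LAN, overlay /32, default route, hub routes."""

    def __init__(self, name, lan, overlay, nbma, hub_overlay, hub_iface):
        self.name, self.overlay, self.nbma = name, overlay, nbma
        self.rib, self.nhrp = Rib(), {}          # nhrp: overlay or LAN prefix -> NBMA
        self.rib.add(lan, "C", "Eth0")
        self.rib.add(overlay + "/32", "C", hub_iface)
        self.rib.add("0.0.0.0/0", "S", "Dialer0")
        self.rib.add(hub_overlay + "/32", "S", hub_iface)
        self.rib.add("192.168.0.0/16", "B", hub_iface)   # summary learned from the hub

    def resolution_reply(self, peer_overlay, peer_nbma, peer_lan, iface):
        """Install what the NHRP resolution reply delivers once the spoke-spoke
        Virtual-Access to peer_nbma is up: NHRP cache entries, a /32 to the
        peer's overlay address and an 'H' route for the peer's LAN."""
        self.nhrp[peer_overlay + "/32"] = peer_nbma
        self.nhrp[peer_lan] = peer_nbma
        self.rib.add(peer_overlay + "/32", "S", iface)
        self.rib.add(peer_lan, "H", iface)


def walk_through():
    """Forwarding decision for 192.168.2.2 before and after the shortcut."""
    spoke1 = Spoke("Spoke 1", "192.168.1.0/24", "10.0.0.1", "172.16.1.1",
                   "10.0.0.254", "Tunnel0")
    before = spoke1.rib.lookup("192.168.2.2")
    # Hub 1 sends an NHRP redirect; Spoke 1 resolves 192.168.2.2; Spoke 2 answers
    # with its LAN prefix and NBMA address; IKEv2 builds Virtual-Access1 to 172.16.2.1.
    spoke1.resolution_reply("10.0.0.2", "172.16.2.1", "192.168.2.0/24", "VirtualAccess1")
    after = spoke1.rib.lookup("192.168.2.2")
    return before, after, spoke1.nhrp


if __name__ == "__main__":
    before, after, nhrp = walk_through()
    print("before:", before)   # via the hub summary
    print("after: ", after)    # via the spoke-spoke tunnel
    print("nhrp:  ", nhrp)
```

The point the lookup makes is why the hub may advertise only a summary: the /16 from BGP is enough to get the first packets to the hub, and the NHRP-installed /24 is what moves the flow off the hub afterwards, so the hub's `ip nhrp redirect` plus a spoke-side `ip nhrp shortcut` is all the spoke-to-spoke routing needs.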
FlexMesh – Hub Configuration Hub 1
crypto ikev2 profile default
match identity remote fqdn domain cisco.com
identity local fqdn Hub1.cisco.com
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint TP
dpd 10 2 on-demand
aaa authorization group cert list default default
virtual-template 1
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
ip access-group AllowMyBGP in
ip nhrp network-id 1
ip nhrp redirect
tunnel protection ipsec profile default
interface Loopback0
ip address 10.0.0.254 255.255.255.255
interface Tunnel100
ip unnumbered Loopback0
ip nhrp network-id 1
ip nhrp redirect
tunnel source Ethernet0/1
tunnel destination 192.168.100.2
ip route 10.0.0.0 255.0.0.0 Tunnel100 tag 2
ip route 192.168.0.0 255.255.0.0 Tunnel100 tag 2
router bgp 1
bgp log-neighbor-changes
bgp listen range 10.0.0.0/24 peer-group Flex
!
address-family ipv4
redistribute static route-map rm
neighbor Flex peer-group
neighbor Flex remote-as 1
neighbor Flex timers 5 15
neighbor Flex next-hop-self all
exit-address-family
route-map rm permit 10
match tag 2
Also works with IKEv2 Routing
Per spoke QoS supported here too!!
Local or AAA spoke profiles supported. Can even control QoS, NHRP redirect, network-id, …
Hub 1 dedicated overlay address
Inter-Hub link (not encrypted)
route-map filters static routes to redistribute into BGP
NHRP is the magic
All V-Access will be in the same network-id
Same NHRP network-id on V-Access and inter-hub link
Accept connections from Spokes
AAA Compatible
Dynamically accept spoke connections!
FlexMesh – Hub Configuration Hub 2 – almost the same as Hub1
crypto ikev2 profile default
match identity remote fqdn domain cisco.com
identity local fqdn Hub2.cisco.com
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint TP
dpd 10 2 on-demand
aaa authorization group cert list default default
virtual-template 1
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
ip access-group AllowMyBGP in
ip nhrp network-id 1
ip nhrp redirect
tunnel protection ipsec profile default
interface Loopback0
ip address 10.0.0.253 255.255.255.255
interface Tunnel100
ip unnumbered Loopback0
ip nhrp network-id 1
ip nhrp redirect
tunnel source Ethernet0/1
tunnel destination 192.168.100.1
ip route 10.0.0.0 255.0.0.0 Tunnel100 tag 2
ip route 192.168.0.0 255.255.0.0 Tunnel100 tag 2
router bgp 1
bgp log-neighbor-changes
bgp listen range 10.0.0.0/24 peer-group Flex
!
address-family ipv4
redistribute static route-map rm
neighbor Flex peer-group
neighbor Flex remote-as 1
neighbor Flex timers 5 15
neighbor Flex next-hop-self all
exit-address-family
route-map rm permit 10
match tag 2
Also works with IKEv2 Routing
Dedicated Identity (optional)
Dedicated Overlay Address
AAA Compatible
VRF Injection – Spoke Configuration Client/Receiver and Source Spoke
crypto ikev2 profile default
match identity remote fqdn domain cisco.com
identity local fqdn Spoke2.cisco.com
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint TP
dpd 10 2 on-demand
aaa authorization group cert list default default
virtual-template 1
interface Loopback0
ip address 10.0.0.2 255.255.255.255
interface Tunnel0
ip unnumbered Loopback0
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
tunnel source Ethernet0/0
tunnel destination 172.16.0.1
tunnel protection ipsec profile default
!
interface Tunnel1
ip unnumbered Loopback0
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
tunnel source Ethernet0/0
tunnel destination 172.16.0.2
tunnel protection ipsec profile default
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
tunnel protection ipsec profile default
router bgp 1
bgp log-neighbor-changes
neighbor 10.0.0.253 remote-as 1
neighbor 10.0.0.253 timers 5 15
neighbor 10.0.0.254 remote-as 1
neighbor 10.0.0.254 timers 5 15
!
address-family ipv4
network 192.168.2.0
neighbor 10.0.0.253 activate
neighbor 10.0.0.254 activate
maximum-paths ibgp 2
QoS Everywhere
Needed for tunnel address exchange
V-Template to clone for spoke-spoke tunnels
Tunnel0 to Primary Hub
Tunnel1 to Secondary Hub
QoS can be applied here
FlexVPN VRF Injection VRF Lite
Basic packet forwarding
Diagram: packet path through Layer 2, Layer 3 helpers, Layer 3 (Routing), Layer 4 and Layer 5+ (IKE, AAA, BGP); input features, output features, encapsulation
Tunnels and features
Diagram: the same path with a second Layer 3 routing and output-feature pass for the tunnel interface, statically defined (Tunnel) or instantiated by IKEv2 (Virtual-Access); Tunnel Protection is applied post-encapsulation
Router with VRF’s
Diagram: the same stack with Layer 3 split into Global Routing Table, VRF Red, VRF Blue and VRF Green; IKE, AAA and BGP at Layer 5+
VRF Injection Hub injects traffic in chosen VRF
Diagram labels: 172.16.1.253, 172.16.1.254; 192.168.100.0/24 (.2, .1), shown once per VRF
Hub private interface(s) in Inside VRF (light)
MPLS IP (hub PE)
Virtual-Access in iVRF
Optional VRF on spokes
(Not in this example)
Wan in Global Routing Table
VRF and tunneling Hub View
Diagram: hub view of the same stack; Layer 3 holds Global Routing Table, VRF Red, VRF Blue and VRF Green, with IKE, AAA and BGP at Layer 5+
crypto ikev2 profile GREEN
match identity fqdn domain green
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint CA
dpd 10 2 on-demand
aaa authorization group cert list default default
virtual-template 3
interface virtual-template3 type tunnel
vrf forwarding GREEN
ip unnumbered loopback3
tunnel protection ipsec profile default
crypto ikev2 profile RED
match identity fqdn domain red
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint CA
dpd 10 2 on-demand
aaa authorization group cert list default default
virtual-template 2
interface virtual-template2 type tunnel
vrf forwarding RED
ip unnumbered loopback2
tunnel protection ipsec profile default
VRF Injection – Hub Configuration Option 1: Mapping with In-IOS configuration (without AAA)
crypto ikev2 profile BLUE
match identity fqdn domain blue
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint CA
dpd 10 2 on-demand
aaa authorization group cert list default default
virtual-template 1
interface virtual-template1 type tunnel
vrf forwarding BLUE
ip unnumbered loopback1
tunnel protection ipsec profile default
Virtual-Template in VRF
FQDN Domain is differentiator
Loopback in VRF
Dedicated IKEv2 profile
Unlink IPsec profile from IKEv2 profile (not necessary after 3.10 – Jul’13):
crypto ipsec profile default
no set ikev2-profile default
Supports QoS
Supports FlexMesh
Add NHRP, QoS…
VRF Injection – Hub Configuration
Option 2: Mapping with AAA group based configuration
aaa new-model
aaa authorization network default group RADIUS
aaa group server radius RADIUS
server-private 192.168.100.2 auth-port 1812
acct-port 1813 key cisco123
crypto ikev2 profile default
match certificate CERT_MAP
identity local fqdn Hub1.cisco.com
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint CA
aaa authorization group cert list default name-mangler dom
virtual-template 1
interface virtual-template1 type tunnel
tunnel protection ipsec profile default
crypto ikev2 name-mangler dom
fqdn domain
crypto pki certificate map CERT_MAP 10
subject-name co o=Cisco
subject-name co ou=Engineering
Vanilla Virtual-Template
Profiles stored on RADIUS server
Common IKEv2 profile
Org. Unit used as group; could use anything else
Profile “blue” / password “cisco”
ipsec:route-accept=any
ipsec:route-set=interface
ip:interface-config=“vrf forwarding BLUE”
ip:interface-config=“ip unnumbered loopback 1”
Profile “red” / password “cisco”
ipsec:route-accept=any
ipsec:route-set=interface
ip:interface-config=“vrf forwarding RED”
ip:interface-config=“ip unnumbered loopback 2”
Profile “green” / password “cisco”
ipsec:route-accept=any
ipsec:route-set=interface
ip:interface-config=“vrf forwarding GREEN”
ip:interface-config=“ip unnumbered loopback 3”
Profile name extracted from Domain Name
Group profiles on RADIUS; could be per peer profiles or group+peer (derivation)
RADIUS Group Profiles
VRF Injection – Hub Configuration For both options: BGP and VRF configurations
ip route vrf BLUE 10.0.0.0 255.0.0.0 Null0
ip route vrf BLUE 192.168.0.0 255.255.0.0 Null0
ip route vrf RED 10.0.0.0 255.0.0.0 Null0
ip route vrf RED 192.168.0.0 255.255.0.0 Null0
ip route vrf GREEN 10.0.0.0 255.0.0.0 Null0
ip route vrf GREEN 192.168.0.0 255.255.0.0 Null0
router bgp 1
bgp listen range 10.1.0.0/16 peer-group BluePeer
bgp listen range 10.2.0.0/16 peer-group RedPeer
bgp listen range 10.3.0.0/16 peer-group GreenPeer
!
address-family ipv4 vrf BLUE
redistribute static
neighbor BluePeer peer-group
neighbor BluePeer remote-as 1
exit-address-family
!
address-family ipv4 vrf RED
redistribute static
neighbor RedPeer peer-group
neighbor RedPeer remote-as 1
exit-address-family
!
address-family ipv4 vrf GREEN
redistribute static
neighbor GreenPeer peer-group
neighbor GreenPeer remote-as 1
exit-address-family
BGP dynamic peering
These address can
not currently overlap
Follow CSCtw69765.
Each VRF has its own
control section.
Activate peer group in
its corresponding VRF
Attract summaries
and drops non-
reachable prefixes
Redistributes above
statics into BGP
vrf definition BLUE rd 1:1 address-family ipv4 address-family ipv6 interface Loopback1 vrf forwarding BLUE ip address 10.0.0.254 255.255.255.255
vrf definition RED rd 2:2 address-family ipv4 address-family ipv6 interface Loopback2 vrf forwarding RED ip address 10.0.0.254 255.255.255.255
vrf definition GREEN rd 3:3 address-family ipv4 address-family ipv6 interface Loopback3 vrf forwarding GREEN ip address 10.0.0.254 255.255.255.255
Also works with IKEv2
Routing
VRF Injection – Spoke Configuration Vanilla IKE and BGP configurations
aaa new-model
aaa authorization network default local
crypto ikev2 profile default
 match identity remote fqdn Hub1.cisco.com
 match identity remote fqdn Hub2.cisco.com
 identity local fqdn spoke1.RED
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
!
interface Loopback0
 ip address 10.1.0.2 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source Ethernet0/0
 tunnel destination 172.16.1.1
 tunnel protection ipsec profile default
!
interface Tunnel1
 ip unnumbered Loopback0
 tunnel source Ethernet0/0
 tunnel destination 172.16.4.1
 tunnel protection ipsec profile default

Plain, simple IKEv2 profile; Tunnel0 goes to Hub1, Tunnel1 to Hub2. The local authorization list is just necessary for the config exchange; the profiles themselves are stored on the RADIUS server. The IKEv2 identity defines the group: the domain part of spoke1.RED is what the hub's name-mangler extracts.

router bgp 1
 bgp log-neighbor-changes
 network 192.168.0.0 mask 255.255.0.0
 neighbor Hub peer-group
 neighbor Hub remote-as 1
 neighbor Hub next-hop-self
 neighbor 10.0.0.253 peer-group Hub
 neighbor 10.0.0.254 peer-group Hub
 maximum-paths ibgp 2

Basic iBGP configuration with two hubs; maximum-paths ibgp 2 gives equal-cost load balancing over them. Also works with IKEv2 routing.
FlexVPN VRF with Front VRF VRF lite with iVRF and fVRF
VRF Injection with Front VRF Adding Front VRF Purple
[Diagram: two hubs with WAN addresses 172.16.1.254 and 172.16.1.253; on each hub three private LANs 192.168.100.0/24 (hub .1, peer .2), one per inside VRF]
Hub private interface(s) in the inside VRF (light) or MPLS IP (hub as PE).
Virtual-Access interfaces in the inside VRF (iVRF).
WAN interface in the Purple VRF (front VRF, fVRF).
Optional VRF on the spokes (independent of the hub).
VRF and tunneling with Front VRF
[Diagram: protocol stack on the hub. Layer 5+: IKE, AAA, BGP. Layer 4. Layer 3: Global Routing Table, VRF Red, VRF Blue, VRF Green (inside VRFs) and VRF Purple (front VRF). Layer 3 helpers. Layer 2.]
VRF Injection – Hub Configuration Front VRF definition
vrf definition PURPLE
 rd 4:4
 address-family ipv4
 address-family ipv6

In-config method: one Virtual-Template per inside VRF, all sourced from the front VRF Purple.

interface virtual-template1 type tunnel
 ip unnumbered loopback1
 vrf forwarding BLUE
 tunnel protection ipsec profile BLUE
 tunnel vrf PURPLE
interface virtual-template2 type tunnel
 ip unnumbered loopback2
 vrf forwarding RED
 tunnel protection ipsec profile RED
 tunnel vrf PURPLE
interface virtual-template3 type tunnel
 ip unnumbered loopback3
 vrf forwarding GREEN
 tunnel protection ipsec profile GREEN
 tunnel vrf PURPLE

AAA method: the same settings pushed from the RADIUS group profiles onto a single Virtual-Template.

Profile "Blue" / password "cisco"
 Framed-Pool=FlexPool_Blue
 ipsec:route-accept=any
 ipsec:route-set=interface
 ip:interface-config="vrf forwarding BLUE"
 ip:interface-config="ip unnumbered loopback 1"
 ip:interface-config="tunnel vrf PURPLE"

Profile "Red" / password "cisco"
 Framed-Pool=FlexPool_Red
 ipsec:route-accept=any
 ipsec:route-set=interface
 ip:interface-config="vrf forwarding RED"
 ip:interface-config="ip unnumbered loopback 2"
 ip:interface-config="tunnel vrf PURPLE"

Profile "Green" / password "cisco"
 Framed-Pool=FlexPool_Green
 ipsec:route-accept=any
 ipsec:route-set=interface
 ip:interface-config="vrf forwarding GREEN"
 ip:interface-config="ip unnumbered loopback 3"
 ip:interface-config="tunnel vrf PURPLE"
VRF Based Remote Access Example with AnyConnect 3.0 for Mobile
Remote Access Network Diagram Software Clients connect to a hub
[Diagram: software clients (AnyConnect, Windows 7, strongSwan, Racoon2, ...) at 172.16.0.1 connect to the hubs' WAN addresses 172.16.1.254 / .253; each hub has a private LAN 192.168.100.0/24 (hub .1) per inside VRF]
Remote Access Network Diagram Software Clients connect to a hub
[Same diagram: AnyConnect clients to the hub at 172.16.1.254; private LANs 192.168.100.0/24 (hub .1) per VRF]
Hub private interface(s) in the inside VRF (light) or MPLS IP (hub as PE).
Virtual-Access interfaces in the inside VRF (iVRF).
Remote Access – AnyConnect Deployment Considerations
[Diagram: AnyConnect client 172.16.0.1, hub WAN .254 / .253, hub LAN 192.168.100.0/24 (hub .1, server .254)]

Hub certificate:
 Subject: CN=AC-Server.cisco.com, OU=TAC, O=Cisco, C=BE
 Ext. Key Usage: TLS Web Server
 Subj. Alt. Name: AC-Server.cisco.com
 ...

Trust chain: the client and the hub both hold the CA certificate (Issuer CA, Subject CA); the hub presents its own certificate (Issuer CA, Subject AC Hub).

AnyConnect validates the hub certificate the way it validates a TLS server certificate, so fix the EKU, e.g. by issuing the hub certificate from the Web Server template of a Microsoft Windows 2008 CA.
The SAN is optional: use it if the CN does not match the HostName configured on the client.

Installing the certificate on the smartphone from the Windows 2008 CA:
1. Browse to http://<mywindows2008_ca>/certsrv
2. Type in the PIN
3. The certificate is installed
AnyConnect on Smartphone Define New Connection
Define the new connection on the smartphone: the HostName must match the hub certificate's CN or SAN.
AnyConnect on Smartphone Security Parameters
IKE identity (critical): must match the IKEv2 key-id the hub matches on (FlexAnyConnect).
Client authentication method: pick one supported by IOS; the hub's own method is imposed (certificates).
AnyConnect on Smartphone Ready to Connect
User credentials are entered at connect time.
VRF Injection – Hub Configuration VRF and Global configuration
vrf definition BLUE
 rd 1:1
 address-family ipv4
 address-family ipv6
ip local pool FlexPool_Blue 10.0.0.0 10.0.0.250
interface Loopback1
 vrf forwarding BLUE
 ip address 10.0.0.254 255.255.255.255
interface Ethernet0/1.1
 vrf forwarding BLUE
 ip address 192.168.100.1 255.255.255.0

vrf definition RED
 rd 2:2
 address-family ipv4
 address-family ipv6
ip local pool FlexPool_Red 10.0.0.0 10.0.0.250
interface Loopback2
 vrf forwarding RED
 ip address 10.0.0.254 255.255.255.255
interface Ethernet0/1.2
 vrf forwarding RED
 ip address 192.168.100.1 255.255.255.0

vrf definition GREEN
 rd 3:3
 address-family ipv4
 address-family ipv6
ip local pool FlexPool_Green 10.0.0.0 10.0.0.250
interface Loopback3
 vrf forwarding GREEN
 ip address 10.0.0.254 255.255.255.255
interface Ethernet0/1.3
 vrf forwarding GREEN
 ip address 192.168.100.1 255.255.255.0

crypto ipsec transform-set default esp-aes 256 esp-sha-hmac
 mode tunnel
interface Virtual-Template1 type tunnel
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default

tunnel mode ipsec ipv4 is the only RA-specific command.
Server Configuration – User Authorization Only Option#1: Flat User Space – No group, no profile derivation
crypto ikev2 profile default
 match identity remote key-id FlexAnyConnect
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint anyconnect
 dpd 60 2 on-demand
 aaa authentication eap GroupAuth
 aaa authorization user eap cached
 aaa accounting eap Accounting
 virtual-template 1

aaa group server radius MyRADIUS
 server-private 192.168.100.254 auth-port 1812 acct-port 1813 key cisco123
!
aaa authentication login GroupAuth group MyRADIUS
aaa accounting network Accounting start-stop group MyRADIUS

RADIUS user profiles (one IKE identity, FlexAnyConnect, for everybody; each user carries its complete set of attributes):

Fred Cleartext-Password := "MyPassword"
 ip:interface-config="vrf forwarding BLUE"
 ip:interface-config="ip unnumbered Loopback1"
 ip:interface-config="service-policy output Silver"
 Framed-Pool=FlexPool_Blue

Anne Cleartext-Password := "HerPassword"
 ip:interface-config="vrf forwarding GREEN"
 ip:interface-config="ip unnumbered Loopback3"
 ip:interface-config="service-policy output Silver"
 Framed-Pool=FlexPool_Green
Server Configuration with Static Group Profile Derivation Option#2: Static IKEv2 ID Group Mapping
IKE identity 1 (key-id FlexAnyConnect) maps statically to group FlexGroupAC1:

crypto ikev2 profile FlexACBlue
 match identity remote key-id FlexAnyConnect
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint anyconnect
 dpd 60 2 on-demand
 aaa authentication eap UserAuth
 aaa authorization group eap list GroupAuth FlexGroupAC1
 aaa accounting eap Accounting
 virtual-template 1

IKE identity 2 (key-id FlexAnyConnect2) maps statically to group FlexGroupAC2:

crypto ikev2 profile FlexACGreen
 match identity remote key-id FlexAnyConnect2
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint anyconnect
 dpd 60 2 on-demand
 aaa authentication eap UserAuth
 aaa authorization user eap cached
 aaa authorization group eap list GroupAuth FlexGroupAC2
 aaa accounting eap Accounting
 virtual-template 1

aaa group server radius MyRADIUS
 server-private 192.168.100.254 auth-port 1812 acct-port 1813 key cisco123
!
aaa authentication login UserAuth group MyRADIUS
aaa authorization network GroupAuth group MyRADIUS
aaa accounting network Accounting start-stop group MyRADIUS

RADIUS group profiles:

FlexGroupAC1 Cleartext-Password := "cisco"
 ip:interface-config="vrf forwarding BLUE"
 ip:interface-config="ip unnumbered Loopback1"
 ip:interface-config="service-policy output Silver"
 Framed-Pool=FlexPool_Blue

FlexGroupAC2 Cleartext-Password := "cisco"
 ip:interface-config="vrf forwarding GREEN"
 ip:interface-config="ip unnumbered Loopback3"
 ip:interface-config="service-policy output Silver"
 Framed-Pool=FlexPool_Green
Server Configuration with Dynamic Group Profile Derivation Option#3: Dynamic Group – ID Suffix Points to Group (w/ group lock)
crypto ikev2 profile default
 match identity remote key-id FlexAnyConnect
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint anyconnect
 dpd 60 2 on-demand
 aaa authentication eap UserAuth
 aaa authorization user eap cached
 aaa authorization group eap list GroupAuth name-mangler GM
 aaa accounting eap Accounting
 virtual-template 1

crypto ikev2 name-mangler GM
 eap suffix delimiter @

aaa group server radius MyRADIUS
 server-private 192.168.100.254 auth-port 1812 acct-port 1813 key cisco123
!
aaa authentication login UserAuth group MyRADIUS
aaa authorization network GroupAuth group MyRADIUS
aaa accounting network Accounting start-stop group MyRADIUS

RADIUS user profiles. The EAP identity is user@group: the suffix after the @ names the group profile, and because the whole string is the authenticated user name a user is locked to the groups that exist for it (Fred@Blue and Fred@Green exist, Fred@Red does not). The user entry only carries per-user settings, here QoS:

Fred@Blue Cleartext-Password := "MyPassword1"
 ip:interface-config="service-policy output Silver"

Anne@Red Cleartext-Password := "HerPassword"
 ip:interface-config="service-policy output Gold"

Fred@Green Cleartext-Password := "MyPassword2"
 ip:interface-config="service-policy output Bronze"

RADIUS group profiles, looked up by the name the mangler extracted:

Profile "Blue" / password "cisco"
 Framed-Pool=FlexPool_Blue
 ip:interface-config="vrf forwarding BLUE"
 ip:interface-config="ip unnumbered loopback 1"

Profile "Red" / password "cisco"
 Framed-Pool=FlexPool_Red
 ip:interface-config="vrf forwarding RED"
 ip:interface-config="ip unnumbered loopback 2"

Profile "Green" / password "cisco"
 Framed-Pool=FlexPool_Green
 ip:interface-config="vrf forwarding GREEN"
 ip:interface-config="ip unnumbered loopback 3"
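As an added example for Option#3 (not code from the session or from IOS), a small Python model of what the hub does with the EAP identity when `aaa authorization group eap list GroupAuth name-mangler GM` is configured with `eap suffix delimiter @`: authenticate the full user@group string, derive the group from the suffix, then apply the group's VRF, loopback and pool together with the user's own attributes. The RADIUS entries are constructed from the slide with placeholder passwords; the order in which group and user attributes are layered is an assumption made to illustrate precedence.

```python
"""Model of FlexVPN Option#3: EAP identity -> name-mangler -> group profile.

Added example for this page, not code from the session or from IOS.  The
RADIUS entries are constructed to mirror the slide (placeholder passwords);
the merge order (group attributes first, user attributes last) is an
assumption used to illustrate precedence."""
import hmac

# Constructed RADIUS user entries: (password, per-user ip:interface-config lines).
# The user is authenticated by the full "user@group" string.
USERS = {
    "Fred@Blue":  ("MyPassword1", ["service-policy output Silver"]),
    "Anne@Red":   ("HerPassword", ["service-policy output Gold"]),
    "Fred@Green": ("MyPassword2", ["service-policy output Bronze"]),
}

# Constructed RADIUS group entries: (Framed-Pool, ip:interface-config lines).
GROUPS = {
    "Blue":  ("FlexPool_Blue",  ["vrf forwarding BLUE",  "ip unnumbered loopback 1"]),
    "Red":   ("FlexPool_Red",   ["vrf forwarding RED",   "ip unnumbered loopback 2"]),
    "Green": ("FlexPool_Green", ["vrf forwarding GREEN", "ip unnumbered loopback 3"]),
}


def eap_suffix(identity, delimiter="@"):
    """`crypto ikev2 name-mangler GM` / `eap suffix delimiter @`: the group
    name is whatever follows the last delimiter, None if there is none."""
    if delimiter not in identity:
        return None
    return identity.rsplit(delimiter, 1)[1]


def authorize(identity, password):
    """EAP user authentication, then group authorization by mangled name.
    Returns {"vrf", "pool", "interface-config"} or raises PermissionError.
    Group lock: Fred@Red is rejected because no such user exists, even
    though Fred is a valid user in Blue and Green."""
    entry = USERS.get(identity)
    if entry is None or not hmac.compare_digest(entry[0], password):
        raise PermissionError(f"EAP authentication failed for {identity!r}")
    group_name = eap_suffix(identity)
    if group_name not in GROUPS:
        raise PermissionError(f"no group profile for {identity!r}")
    pool, group_lines = GROUPS[group_name]
    # The group supplies VRF, loopback and pool; the user entry layers its
    # own per-peer settings (here the QoS policy) on top.
    lines = list(group_lines) + list(entry[1])
    vrf = next(l.split()[-1] for l in lines if l.startswith("vrf forwarding"))
    return {"vrf": vrf, "pool": pool, "interface-config": lines}


def is_authorized(identity, password):
    """True if the pair would be admitted, False on any rejection."""
    try:
        authorize(identity, password)
    except PermissionError:
        return False
    return True


def virtual_access_config(identity, password, va_number):
    """Interface commands the hub would apply to the cloned Virtual-Access."""
    auth = authorize(identity, password)
    return [f"interface Virtual-Access{va_number}"] + [f" {l}" for l in auth["interface-config"]]


if __name__ == "__main__":
    print("\n".join(virtual_access_config("Fred@Blue", "MyPassword1", 1)))
    print("Fred@Red admitted:", is_authorized("Fred@Red", "MyPassword1"))
```

The lock comes from the RADIUS user name being the complete identity, not from the hub: Fred can only land in a VRF for which a Fred@<group> entry exists with a password he knows.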
AnyConnect Profile Example (part 1) For Laptops (PC, Mac, Linux)
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
    <ClearSmartcardPin UserControllable="true">false</ClearSmartcardPin>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="true">false</AutoUpdate>
    <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Disable
      <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
    </PPPExclusion>
    <EnableScripting UserControllable="true">true
      <TerminateScriptOnNextEvent>true</TerminateScriptOnNextEvent>
      <EnablePostSBLOnConnectScript>true</EnablePostSBLOnConnectScript>
    </EnableScripting>
For Your Reference
AnyConnect Profile Example (part 2) For Laptops (PC, Mac, Linux)
    <EnableAutomaticServerSelection UserControllable="false">false
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>false</RetainVpnOnLogoff>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>AC Hub</HostName>
      <HostAddress>flexanyconnect.cisco.com</HostAddress>
      <PrimaryProtocol>IPsec
        <StandardAuthenticationOnly>true
          <AuthMethodDuringIKENegotiation>EAP-MD5</AuthMethodDuringIKENegotiation>
          <IKEIdentity>MyAnyConnect</IKEIdentity>
        </StandardAuthenticationOnly>
      </PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
For Your Reference
MPLS over FlexVPN LDP Free
MPLS o Flex Objective: end-to-end VRF separation
[Diagram: two hubs with WAN addresses 172.16.1.254 and 172.16.1.253, each with a 192.168.100.0/24 LAN (hub .1, peer .2) in every VRF; three spokes with 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 (spoke .1), each spoke LAN present in each of the three VRFs]
MPLS VPN o Flex Going LDP Free
[Diagram: same topology as above (hubs 172.16.1.254 / 172.16.1.253, 192.168.100.0/24 per VRF on the hubs, 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 per VRF on the spokes)]
Hub private interface(s) in the inside VRF or MPLS.
Virtual-Access interfaces in the GRT, running MPLS.
Spoke tunnels run MPLS; the spokes' private interfaces are in VRFs.
The tunnels create "back-to-back" links between hub and spoke, so LDP is not needed.
MPLS VPN o Flex Extreme Summarization
[Diagram: hub 172.16.1.254 with 192.168.100.0/24 (.1) in each VRF; Spoke1 with 192.168.1.0/24 (.1) and Spoke2 with 192.168.2.0/24 (.1) in each VRF]

Local label allocation before the exchange, one label per VRF prefix (Prefix / Nxt-hop / Label):

Spoke1 VRF Red:   192.168.1.0      -   31
Spoke1 VRF Blue:  192.168.1.0      -   41
Hub VRF Red:      192.168.0.0/16   -   30
Hub VRF Blue:     192.168.0.0/16   -   40
Spoke2 VRF Red:   192.168.2.0      -   32
Spoke2 VRF Blue:  192.168.2.0      -   42
MPLS VPN o Flex Summary Label Exchange
[Diagram: same hub 172.16.1.254, Spoke1 and Spoke2 as above]

Tables after the BGP VPNv4 exchange (Prefix / Nxt-hop / Label):

Spoke1 VRF Red:   192.168.1.0      -            31
                  192.168.0.0/16   10.0.0.254   30
Spoke1 VRF Blue:  192.168.1.0      -            41
                  192.168.0.0/16   10.0.0.254   40

Hub VRF Red:      192.168.1.0      10.0.0.1     31
                  192.168.2.0      10.0.0.2     32
                  192.168.0.0/16   -            30
Hub VRF Blue:     192.168.1.0      10.0.0.1     41
                  192.168.2.0      10.0.0.2     42
                  192.168.0.0/16   -            40

Spoke2 VRF Red:   192.168.2.0      -            32
                  192.168.0.0/16   10.0.0.254   30
Spoke2 VRF Blue:  192.168.2.0      -            42
                  192.168.0.0/16   10.0.0.254   40
MPLS VPN o Flex Hub & Spoke FIB’s and LFIB’s
[Diagram: Spoke1 (loopback 10.0.0.1) and the hub (loopback 10.0.0.254); the spoke LAN 192.168.1.0/24 (.1) exists in VRF Red and in VRF Blue]

Spoke1 VRF FIBs (Prefix / Adjacency)
 VRF Red:   192.168.1.0/24  Glean (e0)
            192.168.0.0/16  10.0.0.254, label 30
 VRF Blue:  192.168.1.0/24  Glean (e1)
            192.168.0.0/16  10.0.0.254, label 40
Spoke1 LFIB (Local label / Out I/F)
 31  POP, VRF Red
 41  POP, VRF Blue
Spoke1 global FIB (Prefix / Adjacency)
 10.0.0.254  Tunnel0 (Null)
 0.0.0.0/0   Dialer0

Hub VRF FIBs (Prefix / Adjacency)
 VRF Red:   192.168.1.0/24  10.0.0.1, label 31
            192.168.2.0/24  10.0.0.2, label 32
 VRF Blue:  192.168.1.0/24  10.0.0.1, label 41
            192.168.2.0/24  10.0.0.2, label 42
Hub LFIB (Local label / Out I/F)
 30  POP, VRF Red
 40  POP, VRF Blue
Hub global FIB (Prefix / Adjacency)
 10.0.0.1  VA-1 (Null)
 10.0.0.2  VA-2 (Null)
 0.0.0.0   Dialer0
MPLS VPN o Flex Spoke -> Hub Packet Forwarding
[Diagram: hub 172.16.1.254 with 192.168.100.0/24 per VRF; spoke LANs 192.168.1.0/24 and 192.168.2.0/24 per VRF]

1. Spoke1 receives on its VRF Red LAN interface: IP packet S=192.168.1.2 D=192.168.2.2
   Spoke1 VRF Red FIB:  192.168.1.0/24  Glean (e0)
                        192.168.0.0/16  10.0.0.254, label 30
   Spoke1 global FIB:   10.0.0.1/32     For Us (lo0)
                        10.0.0.254/32   Impl-Null (Tun0)
2. On the wire: GRE/IPsec | Label = 30 | IP packet S=192.168.1.2 D=192.168.2.2
3. Hub LFIB:  30  POP, vrf RED
              40  POP, vrf BLUE
   The hub pops label 30 and looks the IP packet (S=192.168.1.2 D=192.168.2.2) up in VRF RED.
MPLS VPN o Flex Hub -> Spoke Packet Forwarding
[Diagram: hub 172.16.1.254 with 192.168.100.0/24 per VRF; spoke LANs 192.168.1.0/24 and 192.168.2.0/24 per VRF]

4. Hub VRF Red FIB:  192.168.1.0/24  10.0.0.1, label 31
                     192.168.2.0/24  10.0.0.2, label 32
                     192.168.0.0/16  Glean (e0)
   Hub global FIB:   10.0.0.1/32  Impl-Null (Va1)
                     10.0.0.2/32  Impl-Null (VA2)
   The hub pushes label 32 onto the IP packet (S=192.168.1.2 D=192.168.2.2) and sends it on Virtual-Access2.
5. On the wire: GRE/IPsec | Label = 32 | IP packet S=192.168.1.2 D=192.168.2.2
MPLS VPN o Flex Spoke Packet Decap
[Diagram: hub 172.16.1.254 with 192.168.100.0/24 per VRF; spoke LANs 192.168.1.0/24 and 192.168.2.0/24 per VRF]

6. Spoke2 receives: GRE/IPsec | Label = 32 | IP packet S=192.168.1.2 D=192.168.2.2
   Spoke2 LFIB:  32  POP, vrf RED
                 42  POP, vrf BLUE
   Spoke2 VRF Red FIB:  192.168.2.0/24  e0/1.1
                        192.168.0.0/16  10.0.0.254, label 30
   Label 32 is popped and the IP packet (S=192.168.1.2 D=192.168.2.2) is forwarded out e0/1.1 in VRF RED.

Hub & spoke only for now; MPLS FlexMesh comes in 3.11 (Nov 2013).
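As an added example (not code from the session), a small Python model of the forwarding tables on the preceding FIB/LFIB slides, tracing the S=192.168.1.2 D=192.168.2.2 packet from Spoke1 through the hub to Spoke2 in VRF Red, and the same path in VRF Blue. Loopbacks, labels and next hops are transcribed from the slides (30/40 are the hub's per-VRF aggregate labels, 31/41 and 32/42 the spokes'); the spoke LAN subinterface names, Ethernet0/1.1 for Red and Ethernet0/1.2 for Blue, are assumed.

```python
"""Model of LDP-free MPLS-over-FlexVPN forwarding (hub and spoke).

Added example for this page, not code from the deck.  Tables are
transcribed from the FIB/LFIB slides; spoke LAN interface names
(Ethernet0/1.1 = Red, Ethernet0/1.2 = Blue) are assumed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    loopback: str   # BGP next-hop, lives in the global routing table
    vrf_fib: dict   # vrf -> [(prefix, next_hop, out_label, out_if)]; next_hop None = local
    lfib: dict      # local label -> VRF in which to do the IP lookup after the pop
    grt: dict       # next-hop loopback -> tunnel / Virtual-Access interface


NODES = {
    "Spoke1": Node("Spoke1", "10.0.0.1",
        vrf_fib={"RED":  [("192.168.1.0/24", None, None, "Ethernet0/1.1"),
                          ("192.168.0.0/16", "10.0.0.254", 30, None)],
                 "BLUE": [("192.168.1.0/24", None, None, "Ethernet0/1.2"),
                          ("192.168.0.0/16", "10.0.0.254", 40, None)]},
        lfib={31: "RED", 41: "BLUE"},
        grt={"10.0.0.254": "Tunnel0"}),
    "Hub1": Node("Hub1", "10.0.0.254",
        vrf_fib={"RED":  [("192.168.1.0/24", "10.0.0.1", 31, None),
                          ("192.168.2.0/24", "10.0.0.2", 32, None),
                          ("192.168.0.0/16", None, None, "Null0")],
                 "BL" "UE": [("192.168.1.0/24", "10.0.0.1", 41, None),
                          ("192.168.2.0/24", "10.0.0.2", 42, None),
                          ("192.168.0.0/16", None, None, "Null0")]},
        lfib={30: "RED", 40: "BLUE"},
        grt={"10.0.0.1": "Virtual-Access1", "10.0.0.2": "Virtual-Access2"}),
    "Spoke2": Node("Spoke2", "10.0.0.2",
        vrf_fib={"RED":  [("192.168.2.0/24", None, None, "Ethernet0/1.1"),
                          ("192.168.0.0/16", "10.0.0.254", 30, None)],
                 "BLUE": [("192.168.2.0/24", None, None, "Ethernet0/1.2"),
                          ("192.168.0.0/16", "10.0.0.254", 40, None)]},
        lfib={32: "RED", 42: "BLUE"},
        grt={"10.0.0.254": "Tunnel0"}),
}
BY_LOOPBACK = {n.loopback: n for n in NODES.values()}


def lpm(entries, dst):
    """Longest-prefix match over one VRF FIB."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, label, out_if in entries:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, label, out_if)
    return best


def forward(node, dst, vrf=None, label=None):
    """Forward one packet and return the hop-by-hop trace as (node, action)
    tuples.  Start with vrf=... for a packet entering a spoke LAN interface,
    or with label=... for a labelled packet arriving over a tunnel."""
    hops = []
    while True:
        if label is not None:
            vrf = node.lfib.get(label)
            if vrf is None:
                hops.append((node.name, f"label {label} not in LFIB, drop"))
                return hops
            hops.append((node.name, f"pop {label} -> VRF {vrf}"))
            label = None
        hit = lpm(node.vrf_fib[vrf], dst)
        if hit is None:
            hops.append((node.name, f"no route in VRF {vrf}, drop"))
            return hops
        net, nh, out_label, out_if = hit
        if nh is None:   # connected LAN, or the Null0 summary
            hops.append((node.name, f"VRF {vrf} {net} -> {out_if}"))
            return hops
        # One label, one IPsec-protected tunnel: the GRT route to the BGP
        # next-hop's loopback selects the tunnel; no LDP is involved.
        hops.append((node.name, f"VRF {vrf} {net} -> push {out_label}, {node.grt[nh]} to {nh}"))
        node, label = BY_LOOPBACK[nh], out_label


if __name__ == "__main__":
    for hop in forward(NODES["Spoke1"], "192.168.2.2", vrf="RED"):
        print(*hop)
```

The hub's only per-packet decision is the LFIB pop: the incoming label names the VRF in which the IP lookup happens, so a packet that arrives with label 40 is looked up in VRF Blue whatever tunnel it came from (`forward(NODES["Hub1"], "192.168.2.2", label=40)`). That is the normal MPLS VPN trust model: every spoke is a PE and is trusted to impose the correct aggregate label, and VRF separation rests on the spokes' own configuration and on the IKEv2 authentication that admits them, not on the hub checking labels per tunnel.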
Hub VRF’s and IKEv2 Profile Detailed view
[Diagram: hub with 192.168.100.0/24 (hub .1, peer .2) in each VRF]

vrf definition Blue
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 address-family ipv4
 address-family ipv6
vrf definition Red
 rd 2:2
 route-target export 2:2
 route-target import 2:2
 address-family ipv4
 address-family ipv6
…

Route-targets allow BGP to map VRF prefixes between peers.

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn hub1.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1

A vanilla IKEv2 profile.
Hub Routing Configuration BGP and Static Routes
[Diagram: hub with 192.168.100.0/24 (hub .1, peer .2) in each VRF]

ip route 0.0.0.0 0.0.0.0 172.16.1.2
ip route vrf Blue 192.168.0.0 255.255.0.0 Null0
ip route vrf Red 192.168.0.0 255.255.0.0 Null0
router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/16 peer-group Flex
 neighbor Flex peer-group
 neighbor Flex remote-as 1
 neighbor Flex timers 5 15
 address-family vpnv4
  neighbor Flex activate
  neighbor Flex send-community extended
 address-family ipv4 vrf Blue
  network 192.168.0.0 mask 255.255.0.0
 address-family ipv4 vrf Red
  network 192.168.0.0 mask 255.255.0.0
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 mpls bgp forwarding
 tunnel protection ipsec profile default
interface Ethernet0/0
 ip address 172.16.1.254 255.255.255.0
interface Loopback0
 ip address 10.0.0.254 255.255.255.255

The magic trick: mpls bgp forwarding starts MPLS forwarding on the Virtual-Access interfaces without LDP.
Virtual-Access interfaces and Loopback0 are in the global routing table.
Activate the VPNv4 address family (with extended communities) and advertise each VRF's summary.
Spoke VRF’s and Interfaces Detailed view
[Diagram: spoke with 192.168.1.0/24 (.1) in each VRF]

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn R2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default

match identity remote fqdn domain cisco.com matches both hubs.

vrf definition Blue
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 address-family ipv4
 address-family ipv6
vrf definition Red
 rd 2:2
 route-target export 2:2
 route-target import 2:2
 address-family ipv4
 address-family ipv6
…

Mind the hub-spoke route-target correspondence: what a VRF exports on the hub must be imported by the same VRF on the spoke, and vice versa, or the VPNv4 prefixes are silently dropped.
Spoke Routing Configuration BGP and Static Routes
[Diagram: spoke with 192.168.1.0/24 (.1) in each VRF]

ip route 0.0.0.0 0.0.0.0 172.16.2.2
router bgp 1
 bgp log-neighbor-changes
 neighbor Flex peer-group
 neighbor Flex remote-as 1
 neighbor Flex timers 5 15
 neighbor 10.0.0.253 peer-group Flex
 neighbor 10.0.0.254 peer-group Flex
 address-family vpnv4
  neighbor Flex send-community extended
  neighbor 10.0.0.253 activate
  neighbor 10.0.0.254 activate
 address-family ipv4 vrf Blue
  redistribute connected
  maximum-paths ibgp 2
 address-family ipv4 vrf Red
  redistribute connected
  maximum-paths ibgp 2
interface Tunnel0
 ip unnumbered Loopback0
 mpls bgp forwarding
 tunnel source Ethernet0/0
 tunnel destination 172.16.1.254
 tunnel protection ipsec profile default
interface Tunnel1
 ip unnumbered Loopback0
 mpls bgp forwarding
 tunnel source Ethernet0/0
 tunnel destination 172.16.1.253
 tunnel protection ipsec profile default
interface Ethernet0/0
 ip address 172.16.2.1 255.255.255.0
interface Loopback0
 ip address 10.0.0.2 255.255.255.255

Same as on the hub: mpls bgp forwarding starts MPLS forwarding without LDP.
Tunnels and Loopback0 are in the global routing table; the WAN interface can be in a front VRF.
Activate VPNv4 and advertise each VRF (redistribute connected); maximum-paths ibgp 2 load-balances over the two hubs.
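Two checks worth running before deploying the hub and spoke configurations on these slides, as an added example (not code from the session): the per-peer-group `bgp listen range` prefixes of the VRF-injection hub must not overlap, and hub and spoke `vrf definition` blocks must agree on route-targets. The two configs are constructed from the slides; the spoke's Red VRF and the hub's third listen range carry deliberate mistakes so that both checks fire.

```python
"""Pre-deployment lint for FlexVPN VRF injection / MPLSoFlex configs.

Added example for this page, not code from the session.  HUB_CONFIG and
SPOKE_CONFIG are constructed from the slides with two deliberate errors:
an overlapping listen range and a mismatched route-target on the spoke."""
import ipaddress
import re

HUB_CONFIG = """\
vrf definition Blue
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 address-family ipv4
vrf definition Red
 rd 2:2
 route-target export 2:2
 route-target import 2:2
 address-family ipv4
router bgp 1
 bgp listen range 10.1.0.0/16 peer-group BluePeer
 bgp listen range 10.2.0.0/16 peer-group RedPeer
 bgp listen range 10.2.128.0/17 peer-group GreenPeer
"""

SPOKE_CONFIG = """\
vrf definition Blue
 rd 1:1
 route-target both 1:1
 address-family ipv4
vrf definition Red
 rd 2:2
 route-target export 2:2
 route-target import 2:3
 address-family ipv4
"""


def parse_vrfs(config):
    """{vrf: {"import": set, "export": set}} from the `vrf definition`
    blocks.  `route-target both X` counts as import and export."""
    vrfs, current = {}, None
    for line in config.splitlines():
        head = re.match(r"vrf definition (\S+)", line)
        if head:
            current = vrfs.setdefault(head.group(1), {"import": set(), "export": set()})
            continue
        if not line.startswith(" "):
            current = None       # any other top-level command ends the block
            continue
        rt = re.match(r"\s+route-target (import|export|both) (\S+)", line)
        if rt and current is not None:
            kinds = ("import", "export") if rt.group(1) == "both" else (rt.group(1),)
            for kind in kinds:
                current[kind].add(rt.group(2))
    return vrfs


def rt_mismatches(hub_vrfs, spoke_vrfs):
    """VRFs present on only one side, or whose exports are not imported by
    the other side in at least one direction."""
    bad = []
    for name in sorted(set(hub_vrfs) | set(spoke_vrfs)):
        hub, spoke = hub_vrfs.get(name), spoke_vrfs.get(name)
        if hub is None or spoke is None:
            bad.append(name)
        elif not (hub["export"] & spoke["import"]) or not (spoke["export"] & hub["import"]):
            bad.append(name)
    return bad


def listen_range_overlaps(config):
    """Pairs of peer-groups whose `bgp listen range` prefixes overlap."""
    ranges = [(ipaddress.ip_network(m.group(1)), m.group(2))
              for m in re.finditer(r"bgp listen range (\S+) peer-group (\S+)", config)]
    return [(g1, g2) for i, (n1, g1) in enumerate(ranges)
            for n2, g2 in ranges[i + 1:] if n1.overlaps(n2)]


if __name__ == "__main__":
    print("RT mismatches:", rt_mismatches(parse_vrfs(HUB_CONFIG), parse_vrfs(SPOKE_CONFIG)))
    print("overlapping listen ranges:", listen_range_overlaps(HUB_CONFIG))
```

Run it against the real `show running-config | section vrf definition|router bgp` output of each box; an RT mismatch is the usual reason a spoke's VRF has a BGP session but no routes.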
Hub Routing Tables FIB and LFIB
[Diagram: hub with 192.168.100.0/24 (.1) in each VRF]

Hub1#show ip cef vrf Red detail | s label
192.168.2.0/24, epoch 0, flags rib defined all labels
  recursive via 10.0.0.2 label 16
    attached to Virtual-Access2
192.168.3.0/24, epoch 0, flags rib defined all labels
  recursive via 10.0.0.3 label 16
    attached to Virtual-Access1

Hub1#show ip cef vrf Blue detail | s label
192.168.2.0/24, epoch 0, flags rib defined all labels
  recursive via 10.0.0.2 label 17
    attached to Virtual-Access2
192.168.3.0/24, epoch 0, flags rib defined all labels
  recursive via 10.0.0.3 label 17
    attached to Virtual-Access1

Hub1#show mpls forwarding-table
Local  Outgoing   Prefix        Bytes Label  Outgoing   Next Hop
Label  Label      or Tunnel Id  Switched     interface
16     Pop Label  IPv4 VRF[V]   0            aggregate/Red
17     Pop Label  IPv4 VRF[V]   0            aggregate/Blue
Spoke Routing Tables FIB and LFIB
[Diagram: spoke with 192.168.1.0/24 (.1) in each VRF]

Spoke1#show ip cef vrf Red detail | s label
192.168.0.0/16, epoch 0, flags rib defined all labels, per-destination sharing
  recursive via 10.0.0.253 label 16
    attached to Tunnel1
  recursive via 10.0.0.254 label 16
    attached to Tunnel0

Spoke1#show ip cef vrf Blue detail | s label
192.168.0.0/16, epoch 0, flags rib defined all labels, per-destination sharing
  recursive via 10.0.0.253 label 17
    attached to Tunnel1
  recursive via 10.0.0.254 label 17
    attached to Tunnel0

Spoke1#show mpls forwarding-table
Local  Outgoing   Prefix        Bytes Label  Outgoing   Next Hop
Label  Label      or Tunnel Id  Switched     interface
16     Pop Label  IPv4 VRF[V]   0            aggregate/Red
17     Pop Label  IPv4 VRF[V]   0            aggregate/Blue
Wrapping up A few things before we part
Route Exchange Protocol Selection
Branch-Hub

Protocol | Use case | Route exchange | Branch size | Route filtering | Network | Hub
IKEv2 | Simple, large scale | Static (no redistribution, IGP -> IKE) | Simple branches (< 20 prefixes) | Identity-based | Lossy networks | High density hubs
BGP | Simple to complex, large scale | Dynamic (redistribution IGP -> BGP) | Complex branches (> 20 prefixes) | Powerful, not identity based | Lossy networks | High density hubs, up to 350K routes
EIGRP (not recommended at large scale) | Simple to complex | Dynamic (redistribution IGP -> IGP) | Semi-complex branches (> 20 prefixes) | Intermediate, not identity based | Lossless networks (very rare) | < 5000 prefixes at hub

Hub-Hub

Protocol | Use case | Notes
BGP | Large amount of prefixes (up to 1M); road to scalability | Powerful route filtering
IGP (EIGRP, OSPF) | < 5000 prefixes total | Perceived simplicity
Scalability & performances
Release 3.5+, without QoS

Platform        Throughput (Max / IMIX)  Max tunnels (RP1 / RP2)  EIGRP neighbors                   BGP neighbors
ASR1001         1.8 / 1 Gbps             4000                     4000 (1000 recommended)           4000
ASR1002-F       1 / 0.8 Gbps             1000                     1000                              1000
ASR1000-ESP5    1.8 / 1 Gbps             1000                     1000                              1000
ASR1000-ESP10   4 / 2.5 Gbps             1000 / 4000              1000 / 4000 (1000 recommended)    1000 / 4000
ASR1000-ESP20   7 / 6 Gbps               1000 / 4000              1000 / 4000 (1000 recommended)    1000 / 4000
ASR1000-ESP40   11 / 7.4 Gbps            1000 / 4000              1000 / 4000 (1000 recommended)    1000 / 4000
ASR1000-ESP100  29 / 16 Gbps             -- / 4000                -- / 4000 (1000 recommended)      -- / 4000

Release 3.5, with QoS

Platform        Throughput (Max / IMIX)  Max tunnels (RP2 only)
ASR1001         1.8 / 1 Gbps             4000* (16K queues)
ASR1000-ESP20   7 / 6 Gbps               4000 (128K queues)
ASR1000-ESP40   11 / 7.4 Gbps            4000 (128K queues)
ISR G2 Scalability (encrypted tunnels)

Platform  SEC-K9 recommended  SEC-K9 max  SEC-K9 + HSEC-K9 recommended  SEC-K9 + HSEC-K9 max
3945E     Up to 225           Up to 225   Up to 2000                    Up to 3000
3925E     Up to 225           Up to 225   Up to 1500                    Up to 3000
3945      Up to 225           Up to 225   Up to 1000                    Up to 2000
3925      Up to 225           Up to 225   Up to 750                     Up to 1500
2951      Up to 225           Up to 225   Up to 500                     Up to 1000
2921      Up to 225           Up to 225   Up to 400                     Up to 900
2911      Up to 225           Up to 225   see note                      see note
2901      Up to 150           Up to 225   see note                      see note
1941      Up to 150           Up to 225   see note                      see note
1921      TBD                 TBD         see note                      see note

Note: on the 2911 and smaller platforms the HSEC-K9 license does not apply, since the maximum encrypted tunnel count is below the restricted limits.
ISR G2 Performance (Mbps; measured at 75% CPU, IMIX, IPsec/AES, single tunnel)

Platform  SEC-K9 recommended  SEC-K9 max  SEC-K9 + HSEC-K9 recommended  SEC-K9 + HSEC-K9 max
3945E     Up to 170           Up to 170   Up to 670                     Up to 1503
3925E     Up to 170           Up to 170   Up to 477                     Up to 1497
3945      Up to 170           Up to 170   Up to 179                     Up to 848
3925      Up to 154           Up to 170   Up to 154                     Up to 770
2951      Up to 103           Up to 170   Up to 103                     Up to 228
2921      Up to 72            Up to 170   Up to 72                      Up to 207
2911      Up to 61            Up to 164   see note                      see note
2901      Up to 53            Up to 154   see note                      see note
1941      Up to 48            Up to 156   see note                      see note
1921      Up to 44            N/A         see note                      see note
891       Up to 66            N/A         see note                      see note

Note: on the 2911 and smaller platforms the HSEC-K9 license does not apply, since the maximum encrypted tunnel count is below the restricted limits.
Maximize your Cisco Live experience with your free Cisco Live 365 account. Download session PDFs, view sessions on-demand and participate in live activities throughout the year. Click the Enter Cisco Live 365 button in your Cisco Live portal to log in.

Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Cisco Daily Challenge points for each session evaluation you complete. Complete your session evaluation online now through either the mobile app or internet kiosk stations.