Advanced Ipsec Deployments and Concepts of DMVPN Networks: Session Sec-4010
SESSION SEC-4010
SEC-4010 9830_06_2004_X2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA. Presentation_ID.scr
Agenda
Advanced Design
DMVPN Details
Example DMVPN Deployments
Interaction with other Features
Management
Performance and Futures
ADVANCED DESIGN
Routing
Dynamic routing protocols
Encryption peers
Finding, mapping and authenticating
Management
Deploying, Monitoring, and Maintaining
Network Design
Hub-and-spoke
All VPN traffic must go via hub
Hub bandwidth and CPU utilization limit VPN
Number of tunnels = O(n)
Hubs can be interconnected directly over physical links, mGRE tunnels or p-pGRE tunnels. Hub routers may pass routing information for DMVPN network through any of these paths.
Hub routers must exchange routing information for the DMVPN network through mGRE tunnel interfaces. Hub routers point to other hub routers as NHSs in a daisy-chain or pairwise fashion.
Used for forwarding NHRP packets and data packets while dynamic spoke-spoke tunnels are being created
DMVPN IP networks
IP routing updates only traverse hub-and-spoke tunnels
IP data packets traverse both hub-and-spoke and direct dynamic spoke-spoke tunnels
Routing protocol doesn't monitor state of spoke-spoke tunnels
OSPF
Okay for hub-and-spoke, maximum of 2 hubs for spoke-spoke
Less control, medium overhead, faster convergence
RIP
Okay for hub-and-spoke and spoke-spoke
Okay control, medium overhead, slower convergence
ODR
Good for hub-and-spoke (non-split tunneling), no spoke-spoke
Less control, low overhead, slower convergence, most scalable
BGP
Okay for hub-and-spoke and spoke-spoke
Good control, lower overhead, slower convergence, static neighbor configuration
Dynamic Spoke-spoke
EIGRP
no ip split-horizon eigrp <as>
no ip next-hop-self eigrp <as>
no auto-summary
OSPF
ip ospf network point-multipoint
RIP
no ip split-horizon
OSPF
ip ospf network broadcast
ip ospf priority (2 (hub) | 0 (spoke))
ODR
distribute-list <acl> out
RIP
no ip split-horizon
no auto-summary
BGP
Hub is route reflector
next-hop self
BGP
Hub is route reflector
Finding/Mapping Peers
Two layers of IP addresses
VPN layer, IP infrastructure (NBMA) layer
Authenticating peers
Pre-shared keys, certificates
NHRP Registration
Dynamically register the spoke's VPN-to-NBMA address mapping with the hub (NHS).
NHRP Resolutions
Dynamically resolve a remote spoke's VPN-to-NBMA mapping to build spoke-spoke tunnels.
CEF switching: forwarded along NHS path (spoke -> hub -> hub)
Process switching: forwarded along routed path (spoke -> hub -> hub -> spoke)
Authenticating Peers
Pre-shared keys: hub-and-spoke only
Wildcard pre-shared keys: insecure
Certificates:
  Certificate Authority/Server (CA/CS)
  Certificate distribution/enrollment: manual (terminal, tftp), automatic (SCEP)
  Some requirements for use: accurate time (NTP, SNTP); check for revocation (CRL) optional
DMVPN DETAILS
NHRP Overview
NBMA Next Hop Resolution Protocol
RFC2332
Resolve IP to NBMA address mappings for hosts/routers directly connected to an NBMA; and determine egress points from the NBMA when the destination is not directly connected to the NBMA.
NHRP Functionality
Address mapping/resolution
Next Hop Client (NHC) registration with Next Hop Server (NHS)
Resolution of VPN to NBMA mapping
Routing: destination -> VPN IP next-hop
NHRP: VPN IP next-hop -> NBMA address
Short-cut forwarding
Single hop instead of multiple hops across NBMA network
NHRP Resolution requests/replies forwarded via NHS
[Figure: hub-and-spoke DMVPN with hub tunnel address 10.0.0.1; Spoke A (tunnel 10.0.0.11, LAN 192.168.1.1/24) and Spoke B (tunnel 10.0.0.12, LAN 192.168.2.1/24) each have an encrypted tunnel to the hub.]
2004 Cisco Systems, Inc. All rights reserved.
CEF switching
IP next-hop from routing table
Next-hop = hub: data packets via hub
Next-hop = spoke: data packets direct
Data packets via hub while spoke-spoke tunnel is coming up, then direct
[Figure: Spoke A and Spoke B routing tables and NHRP caches before a spoke-spoke tunnel exists: each spoke holds the static mapping 10.0.0.1 -> 172.17.0.1 for the hub, and the route to the other spoke's LAN host (web server 192.168.2.37, PC 192.168.1.25) points at the other spoke's tunnel address, whose NBMA mapping is still unresolved (???).]
[Figure: spoke-spoke tunnel setup between Spoke A (tunnel 10.0.0.11, LAN 192.168.1.1/24) and Spoke B (tunnel 10.0.0.12, LAN 192.168.2.1/24) via the hub (10.0.0.1): NHRP Resolution Request and Reply in each direction are forwarded through the hub, IKE initialization runs between the spokes, then IKE/IPsec is established and spoke-spoke data is encrypted directly.]
IPsec SA Table
show crypto ipsec sa { | include Tag|peer|spi|endpt }
Spoke A
Spoke1#sho crypto map
Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
        Profile name: vpnprof
        SA lifetime: 4608000 KB/3600 s, PFS (Y/N): N
        Transform sets={trans1, }
Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp, PROFILE INSTANCE.
        Peer = 172.17.0.1
        access-list permit gre host 172.16.1.2 host 172.17.0.1
        SA lifetime: 4608000 KB/3600 s, PFS (Y/N): N
        Transform sets={trans1, }
Crypto Map "Tunnel0-head-0" 65538 ipsec-isakmp, PROFILE INSTANCE.
        Peer = 172.16.2.2
        access-list permit gre host 172.16.1.2 host 172.16.2.2
        SA lifetime: 4608000 KB/3600 s, PFS (Y/N): N
        Transform sets={trans1, }
Spoke A
SpokeA# show ip route
C    172.16.1.0/30 is directly connected, Serial1/0
C    10.0.0.0/24 is directly connected, Tunnel0
D    192.168.0.0/24 [90/297372416] via 10.0.0.1, 00:42:34, Tunnel0
C    192.168.1.0/24 is directly connected, Ethernet0/0
D    192.168.2.0/24 [90/297321216] via 10.0.0.12, 00:42:34, Tunnel0
S*   0.0.0.0/0 [1/0] via 172.16.1.1
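The CEF forwarding rule from the slides (next-hop from the routing table; direct if NHRP already maps that next-hop, via the hub otherwise) applied to text modelled on Spoke A's show ip route and show ip nhrp output. This is an added example, not code from the deck; the input is constructed, and the extra route to 192.168.3.0/24 via Spoke C (10.0.0.13) is an assumption added so that both outcomes appear.

```python
"""Via the hub or direct?  The slides' CEF forwarding rule applied to text
modelled on Spoke A's "show ip route" / "show ip nhrp" output (added example,
not the deck's own code; the route to 192.168.3.0/24 via Spoke C, 10.0.0.13,
is a constructed addition so that both outcomes can be shown)."""
import ipaddress
import re

# Constructed sample modelled on the deck's "SpokeA# show ip route".
SHOW_IP_ROUTE = """\
C    172.16.1.0/30 is directly connected, Serial1/0
C    10.0.0.0/24 is directly connected, Tunnel0
D    192.168.0.0/24 [90/297372416] via 10.0.0.1, 00:42:34, Tunnel0
C    192.168.1.0/24 is directly connected, Ethernet0/0
D    192.168.2.0/24 [90/297321216] via 10.0.0.12, 00:42:34, Tunnel0
D    192.168.3.0/24 [90/297321216] via 10.0.0.13, 00:42:34, Tunnel0
S*   0.0.0.0/0 [1/0] via 172.16.1.1
"""
# Constructed sample modelled on the deck's Spoke A "show ip nhrp": the static
# entry for the hub (NHS) and one dynamic entry learned by NHRP resolution.
SHOW_IP_NHRP = """\
10.0.0.1/32, Tunnel0 created 1d10h, never expire
  Type: static, Flags: authoritative used
  NBMA address: 172.17.0.1
10.0.0.13/32, Tunnel0 created 00:00:12, expire 00:04:18
  Type: dynamic, Flags: router used
  NBMA address: 172.16.3.2
"""

def parse_routes(text):
    """Return [(network, next_hop_or_None, interface_or_None)] per route line."""
    routes = []
    for line in text.splitlines():
        m = re.search(r"(\d+\.\d+\.\d+\.\d+/\d+)", line)
        if not m:
            continue
        via = re.search(r"via (\d+\.\d+\.\d+\.\d+)", line)
        # the outgoing interface, when shown, is the field after the last comma
        iface = line.rsplit(",", 1)[1].strip() if "," in line else None
        routes.append((ipaddress.ip_network(m.group(1)),
                       via.group(1) if via else None, iface))
    return routes

def parse_nhrp(text):
    """Return {tunnel_ip: {"type": static|dynamic, "nbma": address}}."""
    cache, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"(\d+\.\d+\.\d+\.\d+)/32,", line)
        if m:
            cur = m.group(1)
            cache[cur] = {"type": None, "nbma": None}
        elif cur and line.strip().startswith("Type:"):
            cache[cur]["type"] = line.split()[1].rstrip(",")
        elif cur and "NBMA address:" in line:
            cache[cur]["nbma"] = line.split()[-1]
    return cache

def forwarding_path(routes, cache, dst, tunnel="Tunnel0"):
    """Classify how a packet to dst leaves this spoke, and to which NBMA address."""
    hub = next(ip for ip, e in cache.items() if e["type"] == "static")  # the NHS
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    route = max(hits, key=lambda r: r[0].prefixlen) if hits else None  # longest match
    if route is None or route[2] != tunnel:
        return "not via DMVPN", route[1] if route else None
    nh = route[1] or dst                # connected tunnel subnet: next-hop is dst
    if nh == hub:
        return "hub-and-spoke", cache[hub]["nbma"]
    if nh in cache:                     # mapping already known: direct tunnel
        return "direct spoke-spoke", cache[nh]["nbma"]
    # spoke next-hop with no mapping yet: send via the hub; the router would now
    # also send an NHRP resolution request for nh (not modelled here)
    return "via hub while resolving", cache[hub]["nbma"]

ROUTES = parse_routes(SHOW_IP_ROUTE)
NHRP = parse_nhrp(SHOW_IP_NHRP)
```

Calling forwarding_path(ROUTES, NHRP, "192.168.2.37") gives the "via hub while resolving" case from the slides, while 192.168.3.5 (Spoke C, already in the NHRP cache) goes direct.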
DMVPN Multi-hub
Redundancy, Scaling
NHRP Resolution Forwarding
[Figure: single DMVPN, dual hub: Spoke A (LAN 192.168.1.0/24, PC at .25) and Spoke B (LAN 192.168.2.0/24, web server at .37), spoke LAN interfaces at .1; dashed lines = dynamic and temporary spoke-to-spoke IPsec tunnels.]
OSPF Routing
Hub 2
C    172.17.0.4/30 is directly connected, Serial1/0
C    10.0.0.0/24 is directly connected, Tunnel0
C    192.168.0.0/24 is directly connected, Ethernet0/0
O    192.168.1.0/24 [110/115] via 10.0.0.11, 00:42:02, Tunnel0
O    192.168.2.0/24 [110/115] via 10.0.0.12, 00:42:02, Tunnel0
...
S*   0.0.0.0/0 [1/0] via 172.17.0.6
Spoke B
C    172.16.2.0/30 is directly connected, Serial1/0
C    10.0.0.0/24 is directly connected, Tunnel0
O IA 192.168.0.0/24 [110/110] via 10.0.0.1, 00:53:14, Tunnel0
O    192.168.1.0/24 [110/110] via 10.0.0.11, 00:53:14, Tunnel0
C    192.168.2.0/24 is directly connected, Ethernet0/0
...
S*   0.0.0.0/0 [1/0] via 172.16.2.2
Hub redundancy
Must lose both before spoke isolated
DMVPN Multi-hub
Redundancy, Scaling
NHRP Resolution Forwarding
DMVPN Multi-Hub
Single DMVPN Multi-hub, Single mGRE tunnel on all nodes
[Figure: single DMVPN multi-hub, single mGRE tunnel on all nodes. Hub 2: physical 172.17.0.5, Tunnel0 10.0.0.2; Hub 3: physical 172.17.0.9, Tunnel0 10.0.0.3; hub LAN 192.168.0.0/24. Spoke A LAN 192.168.1.0/24, Spoke B LAN 192.168.2.0/24, a third spoke with LAN 192.168.3.0/24 (spoke LAN interfaces at .1).]
EIGRP Routing
Hub1
10.0.0.2/32, NBMA addr: 172.17.0.5 (stat, auth, used)
10.0.0.3/32, NBMA addr: 172.17.0.9 (dyn, auth, uniq, reg)
10.0.0.11/32, NBMA addr: 172.16.1.2 (dyn, auth, uniq, reg)
10.0.0.13/32, NBMA addr: 172.16.3.2 (no-socket) (dyn, router)
Hub 2
10.0.0.1/32, NBMA addr: 172.17.0.1 (dyn, auth, uniq, reg)
10.0.0.3/32, NBMA addr: 172.17.0.9 (stat, auth, used)
10.0.0.11/32, NBMA addr: 172.16.1.2 (no-socket) (dyn, router)
10.0.0.12/32, NBMA addr: 172.16.2.2 (dyn, auth, uniq, reg)
Hub 3
10.0.0.1/32, NBMA addr: 172.17.0.1 (stat, auth, used)
10.0.0.2/32, NBMA addr: 172.17.0.5 (dyn, auth, uniq, reg)
10.0.0.11/32, NBMA addr: 172.16.1.2 (no-socket) (dyn, router)
10.0.0.13/32, NBMA addr: 172.16.3.2 (dyn, auth, uniq, reg)
Spoke A
10.0.0.1/32, Tunnel0 created 1d10h, never expire
  Type: static, Flags: authoritative used
  NBMA address: 172.17.0.1
10.0.0.13/32, Tunnel0 created 00:00:12, expire 00:04:18
  Type: dynamic, Flags: router used
  NBMA address: 172.16.3.2
Spoke C
10.0.0.3/32, Tunnel0 created 1d10h, never expire
  Type: static, Flags: authoritative used
  NBMA address: 172.17.0.9
10.0.0.11/32, Tunnel0 created 00:00:54, expire 00:03:36
  Type: dynamic, Flags: router
  NBMA address: 172.16.1.2
Daisy-chaining
Currently fragile: lose one hub and new dynamic spoke-spoke tunnels can't be created
Consider setting up smaller regional DMVPN networks interconnected with dedicated high-speed physical links
Probably will give better performance than cross-country spoke-spoke dynamic tunnels
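To see why the daisy chain is fragile, here is an added example (not from the deck) that models the three-hub NHS chain from the NHRP tables above (Hub1 -> Hub2 -> Hub3 -> Hub1, spokes A/B/C registered with Hub1/Hub2/Hub3) and forwards a resolution request hop by hop, counting how many spoke pairs can still build a new tunnel once one hub is lost. Assumptions: only a hub holding the registration answers, a failed hub drops the request, a request returning to a hub it already visited is a loop, and the pairwise alternative (every hub listing every other hub as NHS) is a hypothetical configuration, not one shown in the deck.

```python
"""NHRP resolution forwarding along a hub daisy chain and what one hub
failure does to it (added example, not the deck's own code; topology taken
from the deck's NHRP tables, simplifications noted in the comments)."""

# Hub tunnel address -> NBMA address, from the deck's NHRP tables.
HUB_NBMA = {"10.0.0.1": "172.17.0.1", "10.0.0.2": "172.17.0.5",
            "10.0.0.3": "172.17.0.9"}
# Registrations (dyn, auth, uniq, reg): the spokes each hub is NHS for.
REGISTERED = {
    "10.0.0.1": {"10.0.0.11": "172.16.1.2"},   # Hub1 <- Spoke A
    "10.0.0.2": {"10.0.0.12": "172.16.2.2"},   # Hub2 <- Spoke B
    "10.0.0.3": {"10.0.0.13": "172.16.3.2"},   # Hub3 <- Spoke C
}
# Daisy chain: the static (stat, auth) NHS entry on each hub is the next hub.
DAISY_CHAIN = {"10.0.0.1": ["10.0.0.2"], "10.0.0.2": ["10.0.0.3"],
               "10.0.0.3": ["10.0.0.1"]}
# Pairwise (hypothetical alternative): every hub lists every other hub as NHS.
PAIRWISE = {h: [o for o in HUB_NBMA if o != h] for h in HUB_NBMA}


def resolve(nhs_of, hub, target, down=frozenset(), visited=()):
    """Forward a resolution request for target, starting at hub.

    Returns (nbma, path) on success or (None, path) on failure.  Assumptions:
    only a hub holding the registration answers (non-authoritative cached
    entries are ignored), a hub in `down` drops the request, and reaching a
    hub already on the path is treated as an NHS loop.
    """
    path = (*visited, hub)
    if hub in down or hub in visited:
        return None, path
    if target in REGISTERED[hub]:
        return REGISTERED[hub][target], path
    for nhs in nhs_of[hub]:               # hand the request on to our own NHS
        nbma, sub = resolve(nhs_of, nhs, target, down, path)
        if nbma:
            return nbma, sub
    return None, path


def working_pairs(nhs_of, down=frozenset()):
    """Ordered spoke pairs (src -> dst) for which a fresh resolution,
    sent from src to its own hub, still succeeds."""
    home = {s: hub for hub, regs in REGISTERED.items() for s in regs}
    return sum(1 for src, hub in home.items() for dst in home
               if dst != src and resolve(nhs_of, hub, dst, down)[0])


if __name__ == "__main__":
    hub2 = frozenset({"10.0.0.2"})
    print("daisy chain, all hubs up:", working_pairs(DAISY_CHAIN), "of 6")
    print("daisy chain, Hub2 down  :", working_pairs(DAISY_CHAIN, hub2), "of 6")
    print("pairwise NHS, Hub2 down :", working_pairs(PAIRWISE, hub2), "of 6")
```

With Hub2 down, only Spoke C -> Spoke A can still be resolved over the chain (Spoke A's request dies at Hub2 before it ever reaches Hub3), which is the fragility the slide describes.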
DMVPN Multi-hub
Redundancy, Scaling
NHRP Resolution Forwarding
Routing
Use EIGRP for routing between hub (MWAM) and spoke
Use BGP for routing between hubs
[Figure: 6500/7600 DMVPN hub farm: MSFC (.1) with SLB presenting VIP 172.18.7.32 for the MWAM processors (.2 to .7) on VLAN 100 (10.1.1.0/24), with the physical interfaces below.]
...
!
interface Vlan10
 ip address 10.1.0.1 255.255.255.0
 crypto map cm
!
interface Vlan11
 no ip address
 crypto connect vlan 10
!
interface Vlan100
 ip address 10.1.1.1 255.255.255.0
VRF
Tunnel packets in VRF
Data traffic in VRF
QoS
Multipoint GRE Interfaces
Spoke-spoke dynamic tunnels are not supported to/from NAT-translated spokes; spoke-spoke traffic for such spokes goes via the hub.
[Figures: DMVPN spokes behind NAT. Spoke A: physical 172.16.1.1 (dynamic), Tunnel0 10.0.0.11, LAN 192.168.1.1/24, translated to 172.18.101.1; Spoke B: physical 172.16.2.1, Tunnel0 10.0.0.12, translated to 172.18.102.2; hub: physical 172.17.0.1, Tunnel0 10.0.0.1. The diagrams show the NHRP mappings held on the hub (10.0.0.11 -> 172.16.1.1, 10.0.0.12 -> 172.16.2.1) and on the spokes (10.0.0.1 -> 172.17.0.1).]
Tunnel packets in VRF:
GRE tunnel packets use VRF routing table
Data packets use global routing table after GRE decapsulation
Routing protocol updates use global routing table
NHRP uses global routing table for forwarding NHRP control packets
Data traffic in VRF:
Data packets injected into VRF after GRE decapsulation
Routing protocol updates use VRF routing table
NHRP uses VRF routing table for forwarding NHRP control packets
GRE tunnel packets use global routing table for forwarding
Can use both vrf-forwarding and tunnel vrf
MANAGEMENT
Security
Public Key Infrastructure
PKI-AAA Integration
Auto Enrolment
Multiple Trust Points
Secure RSA Private Key
Network Integration
DMVPN
Dynamic Addressing for Spoke-to-Hub
On-Demand Spoke-to-Spoke Tunnels
Management
Touchless Provisioning (ISC)
Bootstrap PKI Certificates
Dynamic Addressing and Call Home
Policy Push for IPsec, QoS, Firewall, IDS, NAT, Routing
Hub-and-spoke, full and partial mesh topologies
V3PN
QoS
VoIP
Video
Multicast
Enterprise Aggregation
Cisco 37xx, 72xx series
Resiliency
Self-Healing and Load Balancing
Scalability
Full Mesh up to 1000 Sites
Automatic CA enrolment for PKI certificates
Dedicated management tunnel facilitates outsourcing of management
Per-user or per-group configuration policies
Email notification on spoke events: config change, or policy audit violations
QoS provisioning
NAT configuration deployment
PKI-based end-to-end authentication and audit checks
[Figure: management deployment components: network-based IPsec (IOS Router, VPN 3000), IDS, and CA servers (IOS Certificate Server for the bootstrap certificate, Production CA Server for the data tunnel certificate).]
Bootstrap in the corporate network requires less end-user intervention. EzSDD provides fully automatic device deployment without initially bootstrapping home routers in the corporate network.
EzSDD
User submits request via on-line forms
Once request is approved, the following is created:
  AAA profile for user and device authentication
  ISC configuration for initial bootstrap using EzSDD
  ISC full security policy for data traffic
User takes the router home with instructions on how to activate service from home
User brings the router online
EzSDD (Cont.)
User connects to the EzSDD server and authenticates using a one-time password
EzSDD server gets the initial configuration for the management tunnel from ISC and pushes it to the home router
Management tunnel comes up, triggering the CNS agent, which connects to IE2100
IE2100 notifies ISC that the device is online
ISC pushes down the full data tunnel configuration, including data tunnel certificate, security policies, and full DMVPN configuration
Deployment in Action
1. Remote routers call home and management tunnel is set up.
2. Management server authenticates remote router using certificate authority and AAA servers.
3. Management server pushes policy including new certificate.
4. Remote router establishes primary data tunnel, access to corporate resources.
5. Secondary tunnel established, stays active for instant failover.
6. When required, remote router establishes direct spoke-to-spoke tunnel with other authorized remotes, torn down after use.
[Figure: remote site (Linux, MAC, MS-Windows PC on WLAN/TKIP) connecting through an ISP to the internal network, with the steps above marked on the diagram: 1 Call Home, 2 Authenticate, 4 Data Tunnel, 5 Secondary Tunnel, 6 On-Demand Tunnel to an on-demand peer.]
Platforms
6500/7600 with VPNSM and MWAM or 7200 Farm (DMVPN Hub)
7204/6, 36xx, 37xx, 26xx, 17xx
83x support in 12.3T
Benefits
Removes restrictions for routing protocols
Allows route summarization, OSPF support for >2 hubs
Removes hub daisy-chaining
Forward NHRP packets via IP next-hop rather than NHS
Futures QoS
Current issues
Anti-replay
QoS per spoke
Overrun local encryption engine
Enhancements
Move QoS to after IPsec SA selection but before encryption
Packets ordered correctly before being encrypted
Packets policed/shaped per peer (IKE identity)
QoS queues protect encryption engine
Futures Management
New DMVPN tunnel concept
Encompasses NHRP, Crypto Socket, IPsec Crypto map and IPsec SA data structures
New show and debug commands
Possibly a new MIB
Q and A
Recommended Reading
Continue your Networkers learning experience with further reading for this session from Cisco Press. Check the Recommended Reading flyer for suggested books.
Available on-site at the Cisco Company Store
Some Extras
IOS Configuration Examples
Single DMVPN Dual Hub
Single DMVPN Multi-hub