6/18/2023 0 Comments Name mangler advanced examples

Each FlexVPN cloud has its own Certificate Authority (CA). All devices in one cloud have their certificates signed by that CA and share a common domain portion of the CN attribute (cloud.one or cloud.two). Every Spoke has one unique certificate per FlexVPN cloud. The Organisational Unit (OU) attribute of the X.509 certificate is used to encode the site's bandwidth:

Even though PKI setup is not covered in this post, I would still like to include an example of how the trustpoint for Cloud 1 is configured on SPOKE-3:

The front door VRF (FVRF) has been pre-configured on all devices with the correct IP address and default route.

Instead of providing the full show run outputs here, I've decided to split the FlexVPN configuration into a number of small building blocks and examine them separately. Throughout this section, if the configuration is the same for both FlexVPN clouds, I will only include examples for one of them.

Let's start with the most basic configuration construct – a tunnel interface. Both Hubs and Spokes use Virtual Tunnel Interfaces (VTIs) to set up direct communication channels over the WAN. The tunnel mode could be either ipsec ipv4 or gre; however, NHRP only works over GRE, so we'll stick with the default mode (GRE over IP). To get things started you need to set up a static VTI (SVTI) on the Spoke and a dynamic VTI (DVTI) on the Hub. The Spoke's SVTI has its source, destination and FVRF (tunnel vrf) defined. The IP address of the SVTI can be configured statically or assigned by the Hub; the details of IP address assignment are discussed in the following sections. Encryption is attached to the tunnel with an IPsec profile:

    tunnel protection ipsec profile IPSEC-CLOUD-1

This is how the IKEv2 profile is used on the initiating side (Spoke):

- The Spoke selects a particular IKEv2 profile based on the IPsec profile attached to its tunnel interface.
- The Spoke selects a certificate based on the configured trustpoint (PKI-CLOUD-1).
- The IKEv2 ID is set equal to the certificate's DN.
- The same certificate is used for both local and remote authentication.

On the responding side (Hub):

- The IKEv2 profile is chosen based on the FVRF and the IKEv2 identity of the incoming request (matched by a certificate-map).
- Authentication is done using the certificate associated with the configured trustpoint.
- Once authentication is done, a VTI is cloned from the configured virtual-template interface.

For a more detailed IKEv2 packet flow analysis refer to documents and.

Now that we've identified, matched and authenticated both sides, we need to define authorization policies. This is where FlexVPN gets the "Flex" portion of its name from. With these policies it's possible to exchange routing information, assign interface-level attributes (QoS, ZBF, iVRF), allocate peer IP addresses and so on. In our case we'll be using Cisco's smart defaults on the Spokes and reference the default policy from each configured IKEv2 profile:

    neighbor SPOKES fall-over route-map RM-BGP-FALLOVER

Corner case analysis – Multiple WAN links

Sometimes sites may have additional WAN links, either for redundancy or for additional capacity. Active/standby redundancy is quite easy to achieve on a Spoke using floating static routes and IP SLA inside the FVRF. The same requirement on a Hub dictates the use of the FlexVPN client block configuration on all Spokes connecting to that Hub. Active/Active can only be achieved by splitting the router into multiple inside VRFs (iVRFs) and defining traffic-sharing policies on the downstream device (e.g.
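The tunnel, IKEv2 profile and trustpoint building blocks described above, assembled into one working Spoke/Hub pair for Cloud 1. This is an added example and not the post's own configuration: PKI-CLOUD-1, IPSEC-CLOUD-1, SPOKE-3, the cloud.one domain and the OU-encoded bandwidth come from the post; FVRF-1, IKEV2-CLOUD-1, CERT-MAP-CLOUD-1, POOL-CLOUD-1, Virtual-Template1, Loopback0, the interface names, the CA URL and all addresses (RFC 5737 documentation ranges) are assumptions.

```cisco
! Added example, not the post's configuration. Assumed names: FVRF-1,
! IKEV2-CLOUD-1, CERT-MAP-CLOUD-1, POOL-CLOUD-1, Virtual-Template1,
! Loopback0, interface names, CA URL and all addresses.

!---------------- SPOKE-3 ----------------
aaa new-model
aaa authorization network default local

! Trustpoint for Cloud 1. The OU carries the site bandwidth (here
! 10000 kbit/s) so the Hub can read it from the peer certificate later.
! revocation-check none is a lab shortcut; use crl or ocsp in production.
crypto pki trustpoint PKI-CLOUD-1
 enrollment url http://192.0.2.10:80
 subject-name CN=SPOKE-3.cloud.one,OU=10000
 vrf FVRF-1
 revocation-check none
 rsakeypair RSA-CLOUD-1 2048

! Certificate map: select the profile for any peer whose subject contains
! cloud.one. This is a substring ('co') match and is NOT the security
! boundary; the CA behind the trustpoint is what authenticates the peer.
crypto pki certificate map CERT-MAP-CLOUD-1 10
 subject-name co cloud.one

! IKEv2 profile: chosen by FVRF and the peer certificate, the same
! trustpoint for local and remote auth, identity = certificate DN,
! authorization from the smart-default policy "default".
crypto ikev2 profile IKEV2-CLOUD-1
 match fvrf FVRF-1
 match certificate CERT-MAP-CLOUD-1
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint PKI-CLOUD-1
 aaa authorization group cert list default default

! The IPsec profile is what ties the tunnel interface to the IKEv2 profile.
crypto ipsec profile IPSEC-CLOUD-1
 set ikev2-profile IKEV2-CLOUD-1

! Static VTI: fixed source, destination and FVRF; default GRE mode so NHRP
! can be added later; the tunnel address is assigned by the Hub.
interface Tunnel1
 ip address negotiated
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel vrf FVRF-1
 tunnel protection ipsec profile IPSEC-CLOUD-1

!---------------- HUB-1 ----------------
aaa new-model
aaa authorization network default local

crypto pki certificate map CERT-MAP-CLOUD-1 10
 subject-name co cloud.one

! Same profile shape as the Spoke plus the virtual-template that each
! authenticated Spoke gets a DVTI cloned from.
crypto ikev2 profile IKEV2-CLOUD-1
 match fvrf FVRF-1
 match certificate CERT-MAP-CLOUD-1
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint PKI-CLOUD-1
 aaa authorization group cert list default default
 virtual-template 1

crypto ipsec profile IPSEC-CLOUD-1
 set ikev2-profile IKEV2-CLOUD-1

! Pool handed to Spokes via the default authorization policy; the Hub also
! installs a host route to each Spoke's negotiated address (route set interface).
ip local pool POOL-CLOUD-1 10.1.1.2 10.1.1.254

crypto ikev2 authorization policy default
 pool POOL-CLOUD-1
 route set interface

interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel vrf FVRF-1
 tunnel protection ipsec profile IPSEC-CLOUD-1
```

The certificate map only selects which IKEv2 profile handles an incoming request; it does not authenticate anything. Whether a peer is trusted is decided by the signature check against the CA in PKI-CLOUD-1, which is why each cloud gets its own CA and why the match on cloud.one is safe to keep loose. Checking with show crypto ikev2 sa detailed on the Hub shows the selected profile, the peer DN and the assigned pool address once a Spoke comes up.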
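The two active/standby cases from the multiple-WAN-links section, as an added example that is not part of the post: a Spoke with two links using IP SLA and floating static routes inside the FVRF, and the FlexVPN client block that Spokes need when it is the Hub that has two links. IPSEC-CLOUD-1 and Tunnel1 are from the post; FVRF-1, Loopback1, the interface names, SLA and track numbers, FLEX-CLIENT-CLOUD-1 and all addresses (RFC 5737 documentation ranges) are assumptions.

```cisco
! Added example, not the post's configuration. Assumed: FVRF-1, Loopback1,
! interface names, SLA/track numbers, FLEX-CLIENT-CLOUD-1, all addresses.

!---- Case 1: Spoke with two WAN links, active/standby inside the FVRF ----
! Assumes the tunnel source (Loopback1 in the FVRF) is reachable from the
! Hub over either link, e.g. a private WAN that carries the loopback.
! If each link has its own provider-assigned address this is not enough,
! because the SA is bound to one source address; use case 2 instead.
interface Loopback1
 vrf forwarding FVRF-1
 ip address 192.0.2.33 255.255.255.255

interface Tunnel1
 ip address negotiated
 tunnel source Loopback1
 tunnel destination 198.51.100.10
 tunnel vrf FVRF-1
 tunnel protection ipsec profile IPSEC-CLOUD-1

! Probe the primary next hop from inside the FVRF, sourced from the primary
! WAN interface so the probe can never be answered via the backup link.
ip sla 1
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0
 vrf FVRF-1
 frequency 5
ip sla schedule 1 life forever start-time now

! Dampen flaps: a single lost probe must not tear down the IKEv2/IPsec SAs.
track 1 ip sla 1 reachability
 delay down 15 up 30

! Primary default route is withdrawn when the track fails; the backup
! floats at AD 250 and takes over while the tunnel keeps the same source.
ip route vrf FVRF-1 0.0.0.0 0.0.0.0 198.51.100.1 track 1
ip route vrf FVRF-1 0.0.0.0 0.0.0.0 203.0.113.1 250

!---- Case 2: Hub with two WAN links, FlexVPN client block on every Spoke ----
! The Hub's two addresses become two peers. Tracking the primary peer's
! address lets the Spoke fail over before DPD would notice; "peer reactivate"
! moves the tunnel back to peer 1 when it returns.
ip sla 2
 icmp-echo 198.51.100.10 source-interface Loopback1
 vrf FVRF-1
 frequency 5
ip sla schedule 2 life forever start-time now

track 2 ip sla 2 reachability
 delay down 15 up 30

crypto ikev2 client flexvpn FLEX-CLIENT-CLOUD-1
 peer 1 198.51.100.10 track 2
 peer 2 203.0.113.10
 peer reactivate
 client connect Tunnel1

! With the client block the SVTI no longer carries a fixed destination:
! the client block resolves it from the active peer.
interface Tunnel1
 tunnel destination dynamic
```

Verify case 1 with show track 1 and show ip route vrf FVRF-1 while the primary next hop is unreachable, and case 2 with show crypto ikev2 client flexvpn, which reports the active peer and the current state of the client block. In both cases confirm that the IKEv2 SA in the FVRF survives a failover with show crypto ikev2 sa rather than assuming it from the route table.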