IPSec for Redundant DMVPN with VRF

Similar Messages

• Dual IPsec for redundant purpose (Not Dual ISPs)

    Chapter user (Branch user) usually access data through route #1. When ISP1 is down (route 1), I like to use backup ipsec tunnel (automatically) if possible.
    I saw many articles regarding "One interface with multiple IPsec tunnels"
  http://thelostpackets.blogspot.com/2011/11/multi-point-ipsec-vpn-tunnel.html
    However my requirement is little different because remote IP address is same (10.0.0.0/8) for both IPsec tunnels. VA ---- MPLS ---- MD are connected through MPLS, so remote IP is same.

  May I know what is the difference between
  8GB 1600MHz SODIMM 1.35V    and    8GB 1600MHz SODIMM as you have specified ..  And will Kingston be a good replacement the factory fitted Hynix brand ??
  My laptop is 64 bit Win 8.1 OS

• DMVPN with IPSec

  Hi
  I set the IPSec on the DMVPN on HUb and Spokes as follow bellow, But I get the Error on All DMVPN end points.
  I am using CSR1000v on a rack rentals site.
  R18(config-if)#
  *Jan  2 02:18:24.458: %ACE-3-TRANSERR: IOSXE-ESP(11): IKEA trans 0x63; opcode 0x60; param 0x2F; error 0x5; retry cnt 0
  *Jan  2 02:18:24.459: %ACE-3-TRANSERR: IOSXE-ESP(11): IKEA trans 0x65; opcode 0x60; param 0x30; error 0x5; retry cnt 0
  R18(config-if)#
  EIGRP does not come up. But removing The IPsec profile from the Tunn1l 100 interfaces brings the EIGRP up and DMVPN works fine.
  Any suggestions ?
  The configs are:
  R18
  crypto isakmp policy 18
   encr aes 192
   hash sha256
   authentication pre-share
   group 5
  crypto isakmp key DmvPn!23 address 89.211.116.16     
  crypto isakmp key DmvPn!23 address 89.211.117.17  
  crypto ipsec transform-set TRANS_SET esp-aes esp-sha-hmac 
   mode transport
  crypto ipsec profile CRY_PROFILE
   set transform-set TRANS_SET
  int tu 100
   tunnel protection ipsec profile CRY_PROFILE
  R16
  crypto isakmp policy 16
   encr aes 192
   hash sha256
   authentication pre-share
   group 5
  crypto isakmp key DmvPn!23 address 202.4.180.0   
  crypto ipsec transform-set TRANS_SET esp-aes esp-sha-hmac 
   mode transport
  crypto ipsec profile CRY_PROFILE
   set transform-set TRANS_SET
  int tu 100
   tunnel protection ipsec profile CRY_PROFILE
  R17
  crypto isakmp policy 17
   encr aes 192
   hash sha256
   authentication pre-share
   group 5
  crypto isakmp key DmvPn!23 address 202.4.180.0   
  crypto ipsec transform-set TRANS_SET  esp-aes esp-sha-hmac 
   mode transport
  crypto ipsec profile CRY_PROFIL
  crypto ipsec profile CRY_PROFILE
   set transform-set TRANS_SET
  int tu 100
   tunnel protection ipsec profile CRY_PROFILE
  R18
  interface Tunnel100
   ip address 172.100.123.18 255.255.255.0
   no ip redirects
   ip mtu 1400
   ip nhrp authentication NHRPKEY
   ip nhrp map multicast dynamic
   ip nhrp network-id 123
   ip nhrp holdtime 300
   ip tcp adjust-mss 1360
   tunnel source 202.4.180.0
   tunnel mode gre multipoint
   tunnel key 123
   tunnel protection ipsec profile CRY_PROFILE
  R16
  interface Tunnel100
   ip address 172.100.123.16 255.255.255.0
   no ip redirects
   ip mtu 1400
   ip nhrp authentication NHRPKEY
   ip nhrp map 172.100.123.18 202.4.180.0
   ip nhrp map multicast 202.4.180.0
   ip nhrp nhs 172.100.123.18
   ip nhrp network-id 123
   ip nhrp holdtime 300
   ip tcp adjust-mss 1360
   tunnel source 89.211.116.16
   tunnel mode gre multipoint
   tunnel key 123
   tunnel protection ipsec profile CRY_PROFIL
  R17
  interface Tunnel100
   ip address 172.100.123.17 255.255.255.0
   no ip redirects
   ip mtu 1400
   ip nhrp authentication NHRPKEY
   ip nhrp map 172.100.123.18 202.4.180.0
   ip nhrp map multicast 202.4.180.0
   ip nhrp nhs 172.100.123.18
   ip nhrp network-id 123
   ip nhrp holdtime 300
   ip tcp adjust-mss 1360
   tunnel source 89.211.117.17
   tunnel mode gre multipoint
   tunnel key 123
   tunnel protection ipsec profile CRY_PROFIL

  Thanks guys for your inputs. I had it solved. The issue is with CSR 1000v platform is that it somehow does not like AH-SHA-HMAC so I changed to using ESP-SHA-HMAC instead.
  Thanks & Regards,
  Saleh

• VRF-Aware IPSec for Remote Access

  Dear All,
  Has anyone successfully implemented VRF-Aware IPSec for Remote Access ?
  I am trying to implement this feature on a PE which has MPLS enabled
  on the Internet facing interface.
  With the config below, I am being able to establish an IPSEc tunnel but not being able to PING the VRF interface configured on the same PE.
  I will be really grateful for any comment or any pointers for what could
  be possibly wrong with the configuration below:
  aaa new-model
  aaa authentication login USER-AUTHENTICATION local
  aaa authorization network GROUP-AUTHORISATION local
  crypto keyring test-1
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp client configuration group test-1
  key test-1
  domain test.com
  pool cpe-1
  acl 101
  crypto isakmp profile test-1
  vrf test-1
  keyring test-1
  match identity group test-1
  client authentication list USER-AUTHENTICATION
  isakmp authorization list GROUP-AUTHORISATION
  client configuration address initiate
  client configuration address respond
  client configuration group test-1
  crypto map IPSEC-AWARE-VRF 2 ipsec-isakmp dynamic test-1
  ip local pool cpe-1 192.168.81.1 192.168.81.254 group test-1
  crypto dynamic-map test-1 1
  set transform-set test-1
  set isakmp-profile test-1
  reverse-route remote-peer
  Internet facing interface
  interface GigabitEthernet4/0/0
  ip address x.x.x.x 255.255.255.240
  ip router isis
  mpls ip
  crypto map IPSEC-AWARE-VRF
  Customer facing interface
  interface GigabitEthernet1/0/0.1
  encapsulation dot1Q 100
  ip vrf forwarding test-1
  ip address 110.110.110.1 255.255.255.0
  Kind regards,
  ZH

  Million thanks for this.
  This now works after disabling CEF on the public facing interface.
  Regards,
  Zahid

• Sharing global routing table with vrf for intra-as traffic

  We have a network block of 10.201.0.0/16 which is divided into two subnet 10.201.0.0/18 and 10.201.192.0/18. We are getting a internet feed for each subnet.
  10.201.192.0/18 is in global routing table, and 10.201.0.0/18 is in a vrf-lite green.
  I am thinking doing the following:
  ...........HUB
  VL199/....\VL198
  SPOKE1 SPOKE2
  Hub and spoke are from perspective of vrf green.
  For vrf green in the HUB:
  ip route vrf green 10.201.0.0 255.255 255.192 vlan 199
  ip route vrf green 10.201.64.0 255.255.255.192 vlan198
  SPOKE1
  ip route 0.0.0.0 0.0.0.0 vlan199
  SPOKE2
  ip route 0.0.0.0 0.0.0.0 vlan198
  Suppose we already get the 2 internet feeds to HUB route with vrf green and global routing table. This should get vrf green going.
  But we also have global routing table on the HUB router.
  We would like to have 10.201.0.0/16 communicating with each other, and only keep internet default separated.
  How should we get to 10.201.0.0/18 from global routing table and how should we get to 10.201.192.0/18 from SPOKE[12]?

  In my lab, I have 2 ports configured.
  int gi1/2
  ip vrf forward green
  ip address 10.201.192.253 255.255.255.252
  int gi1/1
  ip address 10.201.192.254 255.255.255.252
  ip route 10.201.0.0 255.255.192.0 gi1/2
  ip route vrf 10.201.192.0 255.255.192.0 gi1/1 10.201.192.254
  This way, from vrf green to global has go through HUB. and vrf greens will also go through greens.
  Is there any other much elegant way for this purpose?

• Challenge: Spanning Tree Control Between 2 links from Switch DELL M6220 to 2 links towards 2 switches CISCO 3750 connected with an stack (behavior like one switch for redundancy)

  Hello,
  I have an Spanning tree problem when i conect  2 links from Switch DELL M6220 (there are blades to virtual machines too) to 2 links towards 2 switches CISCO 3750 connected with an stack (behavior  like one switch  for redundancy, with one IP of management)
  In dell virtual machine is Spanning tree rapid stp, and in 3750 is Spanning tree mode pvst, cisco says that this is not important, only is longer time to create the tree.
   I dont know but do you like this solutions i want to try on sunday?:
   Could Spanning tree needs to work to send one native vlan to negociate the bdpus? switchport trunk native vlan 250
  Is it better to put spanning-tree guard root in both 3750 in the ports to mitigate DELL to be root in Spanning Tree?
  Is it better to put spanning- tree port-priority in the ports of Swicht Dell?
  ¿could you help me to control the root? ¿Do you think its better another solution? thanks!
   CONFIG WITH PROBLEM
  ======================
  3750: (the 2 ports are of 2 switches 3750s conected with a stack cable, in a show run you can see this)
  interface GigabitEthernet2/0/28
   description VIRTUAL SNMP2
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 4,13,88,250
   switchport mode trunk
   switchport nonegotiate
   logging event trunk-status
   shutdown
  interface GigabitEthernet1/0/43
   description VIRTUAL SNMP1
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 4,13,88,250
   switchport mode trunk
   switchport nonegotiate
   shutdown
  DELL M6220: (its only one swith)
  interface Gi3/0/19
  switchport mode trunk
  switchport trunk allowed vlan 4,13,88,250
  exit
  interface Gi4/0/19
  switchport mode trunk
  switchport trunk allowed vlan 4,13,88,250
  exit

  F.Y.I for catylyst heroes - here is the equivalent config for SG-300 - Vlan1 is required on the allowed list on the catylyst side (3xxx/4xxx/6xxx)
  In this example:
  VLANS - Voice on 188, data on 57, management on 56.
  conf t
  hostname XXX-VOICE-SWXX
  no passwords complexity enable
  username xxxx priv 15 password XXXXX
  enable password xxxxxx
  ip ssh server
  ip telnet server
  crypto key generate rsa
  macro auto disabled
  voice vlan state auto-enabled !(otherwise one switch controls your voice vlan….)
  vlan 56,57,188
  voice vlan id 188
  int vlan 56
  ip address 10.230.56.12 255.255.255.0
  int vlan1
  no ip add dhcp
  ip default-gateway 10.230.56.1
  interface range GE1 - 2
  switchport mode trunk
  channel-group 1 mode auto
  int range fa1 - 24
  switchport mode trunk
  switchport trunk allowed vlan add 188
  switchport trunk native vlan 57
  qos advanced
  qos advanced ports-trusted
  exit
  int Po1
  switchport trunk allowed vlan add 56,57,188
  switchport trunk native vlan 1
  do sh interfaces switchport po1
  !CATYLYST SIDE
  !Must Explicitly allow VLan1, this is not normal for catalysts - or spanning tree will not work ! Even though it’s the native vlan on both sides.
  interface Port-channel1
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1,56,57,189
  switchport mode trunk

• IPsec over GRE in ASR 1000 with VRF

                     Hi
  I´m trying to configure IPsec over GRE tunnel between Cisco 819G remote router and ASR 1002 central router using crypto maps. Currently ASR router has two vrf´s (management vrf and EXTERNOS2 vrf) and in the future we are going to deploy different "virtual" routers from this box. I don´t know why it doesn´t work, tunnel interface doesn´t go up. Taking a view to debugs obtained from ASR router (debug crypto isakmp and debug crypto ipsecI see the following errors:
  Oct  3 13:11:33: IPSEC(validate_proposal_request): proposal part #1
  Oct  3 13:11:33: IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) INBOUND local= 10.255.68.246:0, remote= 10.200.25.106:0,
      local_proxy= 10.255.68.246/255.255.255.255/256/0,
      remote_proxy= 10.200.25.106/255.255.255.255/256/0,
      protocol= ESP, transform= NONE  (Transport),
      lifedur= 0s and 0kb,
      spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
  Oct  3 13:11:33: Crypto mapdb : proxy_match
          src addr     : 10.255.68.246
          dst addr     : 10.200.25.106
          protocol     : 0
          src port     : 0
          dst port     : 0
  Oct  3 13:11:33: map_db_check_isakmp_profile profile did not match
  Oct  3 13:11:33: Crypto mapdb : proxy_match
          src addr     : 10.255.68.246
          dst addr     : 10.200.25.106
          protocol     : 0
          src port     : 0
          dst port     : 0
  Oct  3 13:11:33: map_db_check_isakmp_profile profile did not match
  Oct  3 13:11:33: map_db_find_best did not find matching map
  Oct  3 13:11:33: IPSEC(ipsec_process_proposal): proxy identities not supported
  Oct  3 13:11:33: ISAKMP:(35001): IPSec policy invalidated proposal with error 32
  Oct  3 13:11:33: ISAKMP:(35001): phase 2 SA policy not acceptable! (local 10.255.68.246 remote 10.200.25.106)
  anybody could help me to troubleshoot why it doesn´t work?
  I post you involved configuration sections from ASR and 819G routers
  B.R.

  Ops!! I forgot to paste involved routes from both devices.
  ASR router
  ip route vrf EXTERNOS2 10.200.24.0 255.255.248.0 10.255.68.245 tag 6
  ip route vrf EXTERNOS2 185.1.1.0 255.255.255.0 Tunnel21 tag 6          <--- c819G LAN network
  Cisco 819G
  ip route 0.0.0.0 0.0.0.0 Tunnel1
  ip route 10.255.68.246 255.255.255.255 Cellular0
  B.R.

• Setting up IPsec VPNs to use with Cisco Anyconnect

  So I've been having trouble setting up vpns on our ASA 5510. I would like to use IPsec VPNs so that we don't have to worry about licensing issues, but from what I've read you can do this with and still use Cisco Anyconnect. My knowledge on how to set up VPNs especially in iOS verion 8.4 is limited so I've been using a combination of command line and ASDM.
  I'm finally able to connect from a remote location but once I connect, nothing else works. From what I've read, you can use IPsec for client-to-lan connections. I've been using a preshared key for this. Documentation is limited on what should happen after you connect? Shouldn't I be able to access computers that are local to the vpn connection? I'm trying to set this up from work. If I VPN from home, shouldn't I be able to access all resources at work? I think because I've used the command line as well as ASDM I've confused some of the configuration. Plus I think some of the default policies are confusing me too. So I probably need a lot of help. Below is my current configuration with IP address altered and stuff that is completely non-related to vpns removed.
  NOTE: We are still testing this ASA and it isn't in production.
  Any help you can give me is much appreciated.
  ASA Version 8.4(2)
  hostname ASA
  domain-name domain.com
  interface Ethernet0/0
  nameif inside
  security-level 100
  ip address 192.168.0.1 255.255.255.0
  interface Ethernet0/1
  nameif outside
  security-level 0
  ip address 50.1.1.225 255.255.255.0
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  no nameif
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  boot system disk0:/asa842-k8.bin
  ftp mode passive
  dns domain-lookup outside
  dns server-group DefaultDNS
  same-security-traffic permit intra-interface
  object network NETWORK_OBJ_192.168.0.224_27
  subnet 192.168.0.224 255.255.255.224
  object-group service VPN
  service-object esp
  service-object tcp destination eq ssh
  service-object tcp destination eq https
  service-object udp destination eq 443
  service-object udp destination eq isakmp
  access-list ips extended permit ip any any
  ip local pool VPNPool 192.168.0.225-192.168.0.250 mask 255.255.255.0
  no failover
  failover timeout -1
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-645.bin
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.224_27 NETWORK_OBJ_192.168.0.224_27 no-proxy-arp route-lookup
  object network LAN
  nat (inside,outside) dynamic interface
  access-group outside_in in interface outside
  route outside 0.0.0.0 0.0.0.0 50.1.1.250 1
  sysopt noproxyarp inside
  sysopt noproxyarp outside
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment self
  subject-name CN=ASA
  crl configure
  crypto ca server
  shutdown
  crypto ca certificate chain ASDM_TrustPoint0
  certificate d2c18c4e
      308201f3 3082015c a0030201 020204d2 c18c4e30 0d06092a 864886f7 0d010105
      0500303e 3110300e 06035504 03130741 53413535 3130312a 30280609 2a864886
      f70d0109 02161b41 53413535 31302e64 69676974 616c6578 7472656d 65732e63
      6f6d301e 170d3131 31303036 31393133 31365a17 0d323131 30303331 39313331
      365a303e 3110300e 06035504 03130741 53413535 3130312a 30280609 2a864886
      f70d0109 02161b41 53413535 31302e64 69676974 616c6578 7472656d 65732e63
      6f6d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b2
      8acbe1f4 5aa19dc5 d3379bf0 f0e1177d 79b2b7cf cc6b4623 d1d97d4c 53c9643b
      37f32caf b13b5205 d24457f2 b5d674cb 399f86d0 e6c3335f 031d54f4 d6ca246c
      234b32b2 b3ad2bf6 e3f824c0 95bada06 f5173ad2 329c28f8 20daaccf 04c51782
      3ca319d0 d5d415ca 36a9eaff f9a7cf9c f7d5e6cc 5f7a3412 98e71de8 37150f02
      03010001 300d0609 2a864886 f70d0101 05050003 8181009d d2d4228d 381112a1
      cfd05ec1 0f51a828 0748172e 3ff7b480 26c197f5 fd07dd49 01cd9db6 9152c4dc
      18d0f452 50f5d0f5 4a8279c4 4c1505f9 f5e691cc 59173dd1 7b86de4f 4e804ac6
      beb342d1 f2db1d1f 878bb086 981536cf f4094dbf 36c5371f e1a0db0a 75685bef
      af72e31f a1c4a892 d0acc618 888b53d1 9b888669 70e398
    quit
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside client-services port 443
  crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 10
  console timeout 0
  management-access inside
  ssl trust-point ASDM_TrustPoint0 outside
  webvpn
  enable outside
  anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
  anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
  anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
  anyconnect profiles VPN disk0:/devpn.xml
  anyconnect enable
  tunnel-group-list enable
  group-policy VPN internal
  group-policy VPN attributes
  wins-server value 50.1.1.17 50.1.1.18
  dns-server value 50.1.1.17 50.1.1.18
  vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
  default-domain value digitalextremes.com
  webvpn
    anyconnect profiles value VPN type user
    always-on-vpn profile-setting
  username administrator password xxxxxxxxx encrypted privilege 15
  username VPN1 password xxxxxxxxx encrypted
  tunnel-group VPN type remote-access
  tunnel-group VPN general-attributes
  address-pool (inside) VPNPool
  address-pool VPNPool
  authorization-server-group LOCAL
  default-group-policy VPN
  tunnel-group VPN webvpn-attributes
  group-alias VPN enable
  tunnel-group VPN ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  class-map ips
  match access-list ips
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
    inspect http
  class ips
    ips inline fail-open
  class class-default
    user-statistics accounting

  Hi Marvin, thanks for the quick reply.
  It appears that we don't have Anyconnect Essentials.
  Licensed features for this platform:
  Maximum Physical Interfaces       : Unlimited      perpetual
  Maximum VLANs                     : 100            perpetual
  Inside Hosts                      : Unlimited      perpetual
  Failover                          : Active/Active  perpetual
  VPN-DES                           : Enabled        perpetual
  VPN-3DES-AES                      : Enabled        perpetual
  Security Contexts                 : 2              perpetual
  GTP/GPRS                          : Disabled       perpetual
  AnyConnect Premium Peers          : 2              perpetual
  AnyConnect Essentials             : Disabled       perpetual
  Other VPN Peers                   : 250            perpetual
  Total VPN Peers                   : 250            perpetual
  Shared License                    : Disabled       perpetual
  AnyConnect for Mobile             : Disabled       perpetual
  AnyConnect for Cisco VPN Phone    : Disabled       perpetual
  Advanced Endpoint Assessment      : Disabled       perpetual
  UC Phone Proxy Sessions           : 2              perpetual
  Total UC Proxy Sessions           : 2              perpetual
  Botnet Traffic Filter             : Disabled       perpetual
  Intercompany Media Engine         : Disabled       perpetual
  This platform has an ASA 5510 Security Plus license.
  So then what does this mean for us VPN-wise? Is there any way we can set up multiple VPNs with this license?

• How to configure OSPFv3 with VRF in IOS (a guide)

  Hi everybody,
       I recently found myself in need of configuring VRF segregated IPv6 routing with OSPFv3 in a pair of IOS 6500s. After a bit of research, I found that although the latest IOS releases for the 6500 (15.1(1)SY for the Sup720 and Sup2T) support configuring OSPFv3 on VRFs, Cisco has yet to release any documentation pertaining to its configuration other then command references. So, I thought I would share some of the pertinent and important details I discovered along the way to getting this working and collect them all in one place to help out anyone else who is trying to do this.
  1. The first thing you need to do is turn it on. Make sure you have enabled IPv6 routing with the "ipv6 unicast-routing" command and IPv6 VRFs with the "mls ipv6 vrf" command. Without these enabled, everything you try that seems like it should work will fail.
  2. You must use the new style VRF definition commands, the old "ip vrf <name>" commands are for IPv4 only. The new style of configuring the VRFs is "vrf definition <name>", under these VRFs you must specify the IP versions you want to run with the "address-family ipv4" and "address-family ipv6" commands. Also the command to place an interface into these VRFs is slightly different as well. On an interface, you must use the "vrf forwarding <name>" command instead of the old "ip vrf forwarding <name>" command.
  3. For OSPFv3 instances, the VRF is defined after you enter the proccess by using the "address-family ipv6 unicast vrf <name>" command. OSPFv2 instances are still define the VRF at the same time as the process using the traditional "router ospf <proccess> vrf <name>" command.
  4. After you get this all configured the "show ipv6 ospf" commands will no longer work. You need to use the "show ospfv3 vrf" commands instead.
  I have attached a sample configuration of what I did. If anyone out there knows this better than I do, please correct anything I got wrong and/or add anything you think would be helpful. I would just like there to be a good source of info available for this subject, so people don't have to waste their time figuring this out the hard way.
  Best Regards,
  Greg

  Greg,
  Greate information.
  Thanks for posting This!!!
  Reza

• GRE with VRF on MPLS/VPN

  Hi.
  Backbone network is running MPLS/VPN.
  I have one VRF (VRF-A) for client VPN network.
  One requirement is to configure another VRF (VRF-B) for this client for a separate public VRF connection.
  Sub-interfacing not allowed on CE-to-PE due to access provider limitation.
  So GRE is our option.
  CE config:
  Note: CE is running on global. VRF-A is configured at PE.
  But will add VRF-B here for the  requirement.
  interface Tunnel0
    ip vrf forwarding VRF-B
  ip address 10.12.25.22 255.255.255.252
  tunnel source GigabitEthernet0/1
  tunnel destination 10.12.0.133
  PE1 config:
  interface Tunnel0
  ip vrf forwarding VRF-B
  ip address 10.12.25.21 255.255.255.252
  tunnel source Loopback133
  tunnel destination 10.12.26.54
  tunnel vrf VRF-A
  Tunnel works and can ping point-to-point IP address.
  CE LAN IP for VRF-B  is configured as static route at PE1
  PE1:
  ip route vrf VRF-B 192.168.96.0 255.255.255.0 Tunnel0 10.12.25.22
  But from PE2 which is directly connected to PE1 (MPLS/LDP running), connectivity doesnt works.
  From PE2:
  - I can ping tunnel0 interface of PE1
  - I cant ping tunnel0 interface of CE
  Routing is all good and present in the routing table.
  From CE:
  - I can ping any VRF-B loopback interface of PE1
  - But not VRF-B loopback interfaces PE2 (even if routing is all good)
  PE1/PE2 are 7600 SRC3/SRD6.
  Any problem with 7600 on this?
  Need comments/suggestions.

  Hi Allan,
  what is running between PE1 and PE2 ( what I mean is any routing protocol).
  If No, then PE2 has no ways of knowing GRE tunnel IP prefixes and hence I suppose those will not be in its CEF table...
  If Yes, then check are those Prefixes available in LDP table...
  Regards,
  Smitesh

• N7k as redundant core with vpc to 4510/3750 as distribution switch

  Hi - basic question here
  Got 2 qty N7k as redundant core with vpc to 4510 and 3750 as redundand distribution switch running MST. I got stuck with some bad cabling design from our IDF to Datacenter so have 2 access switch whereby each one will have a etherchannel to both distribution 4510 and 3750. My question is this is  a doable design as I am not sure about the vpc upstream on how it effects etherchannel with MST for my distribution and access.
  Thanks

  vPC will be considered as one logical link by both upstream and downstream connected devices
  the question here are you going to run L3 between the distribution and Core devices ? (  this is recommended design ) if yes, then you do not need to worry about MST and VPC if you going to have it L3 from distribution devices up to the Core
  one thing to consider is the distribution switch in your design has big difference in terms of backplane throughput i mean between the 4500 and 3750 !
  if you can have both as 4500 will be better and more consistent design
  Good luck
  if helpful Rate

• GRE keepalives with VRF

  GRE keeplives enabled under tunnel interfaces will put the line protocol of tunnel to down... I have tested this in LAB !!!
  why is it so , what is the workaround to use keepalives with VRF ........

  Hello,
  It is caused by the way how the GRE keepalives work. I suggest reading these two documents first:
  http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008048cffc.shtml
  http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008040a17c.shtml
  In short, a router sending keepalive in essence constructs an IP packet whose source is the remote endpoint and recipient is the router itself. It then encapsulates it using GRE and attaches another IP header to it with the send being itself and destination being the remote end. This packet will be sent to the remote end, there it will be decapsulated and afterwards it will be routed as usual, thereby returning the inner IP packet back to the original sender.
  Obviously, this keepalive mechanism is not integrated with the VRF feature. The keepalive packet may arrive at the remote endpoint but after it is decapsulated the association with the receiving Tunnel interface is obviously lost and the remote endpoint tries to route that packet back using the global routing table, not the VRF in which the tunnel resides. This in turn causes the keepalive packet to never return.
  I am unfortunately not aware of any backup keepalive mechanism for this, apart of running routing protocols over the tunnel with more aggresive hello and dead intervals.
  Best regards,
  Peter

• Redundant installation with 4200 sensors

  Hi
  We are in a process of starting to work on a design with several IPS 4270. The demand is to make the design redundant and with high availability.
  As I am aware of there no redundant support (e.g. no protocol support like HSRP) within the IPS itself but several ways to make a redundant installation. I'm looking for white papers, case studies or design suggestions involving a redundant installation. Could you please guide me where to find such information?
  Thanks
  Johan Kellerman

  Hi,
  See the following white paper:
  "IPS Deployments in Enterprise Data Centers"
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e724b.html
  Regards,

• 2 Switch stack Design for redundancy

  Hi Everyone,
  I need to connect 2 switches in stack which will connect to 2 servers.
  Each server will habe 12 NICs.
  So for Redundancy purposes i can connect 6 ports from server A to Switch 1
                                                                 6 Ports from server A to Switch 2
  Same way i can do
  6 ports from Server B to Switch 1
  6 ports from Server B to switch 2
  IF i go with above design and in case say switch 2 dies then stack will have single switch will it cause any outage?
  Regards
  Mahesh

  Disclaimer
  The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.
  Liability Disclaimer
  In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.
  Posting
  IF i go with above design and in case say switch 2 dies then stack will have single switch will it cause any outage?
  It depends.
  One of your two switches will run in the role of switch master, and if that switch fails, there's a brief impact as control plane function are taken over by the second switch.  Whether this control plane switch over causes any impact to the server hosts depends on switch configuration and how (via L2 or L3) the hosts are communicating to other hosts.  For example, if you're running default, regarding master switch MAC persistence, that MAC will change, which I understand, will drop Etherchannel.

• IOS Version for 2811 - DMVPN Router

  We are running a 2811 centrally for a DMVPN network. This is the routers only function. I have been troubleshooting an issue and wanted to use the Packet Capture Features, but apparently, 12.4(25b) does not support this feature. I found documentation that states 12.4(20)T supports this feature. There are so many 2811 releases...
  Looks like 12.4.22T5(MD) is the latested maintenance release for the T version of the software. Any recommendations?

  It looks like MPLS really does disappear in 12.4 code for the 2651XM (see below). It's too bad because I could use the features and would rather not have to replace a bunch of routers.
  PE#show ver
  System returned to ROM by reload
  System image file is "flash:c2600-spservicesk9-mz.123-18.bin"
  PE#
  PE#conf t
  Enter configuration commands, one per line. End with CNTL/Z.
  PE(config)#int fa0/0
  PE(config-if)#mpls ip
  PE(config-if)#tag-switching ip
  PE(config-if)#end
  PE#
  PE#show version
  System returned to ROM by reload
  System image file is "flash:c2600-spservicesk9-mz.124-7a.bin"
  PE#
  PE#config t
  Enter configuration commands, one per line. End with CNTL/Z.
  PE(config)#int fa0/0
  PE(config-if)#mpls ip
  ^
  % Invalid input detected at '^' marker.
  PE(config-if)#tag-switching ip
  ^
  % Invalid input detected at '^' marker.
  PE(config-if)#end
  PE#