Hub and Spoke VPN with VTI, dual hubs, spokes with redundant internet access
From Internetworkpro
Overview
This article describes a VPN design based on Cisco VTI (Virtual Tunnel Interface) tunnel technology. When researching a scalable LAN-to-LAN VPN tunnel solution, a variety of more (plain IPSec) or less (GRE/DMVPN) standards-conforming solutions is available.
VTI does not really compete with traditional or proprietary VPN tunnel solutions; it is another proprietary method with its own advantages and disadvantages that complements the current deployment options. At first glance, it provides the same benefits DMVPN offers over the static IPSec "crypto map/ACL" concept. You don't need to specify any crypto map access list definitions; VTI designs use tunnel interfaces and a routing protocol that decides which traffic is subject to VPN transport. Furthermore, L2L VTI is quite comparable to dial-in solutions based on interface cloning (virtual templates, back from the days of the dial-up business) or to the configs found on today's PPPoverSomething broadband aggregation boxes.
This makes it the ideal technology for serving lots of spoke VPN routers. After successful tunnel setup, each spoke is reachable via its own cloned Virtual-Access interface, with the benefit of applying per-interface (per-spoke) QoS, for example.
Another advantage of VTI over DMVPN is the smaller footprint. Instead of dealing with many potential tunnels (IKE/IPSec SA pairs) per spoke and double encapsulation (IPSec on top of GRE), VTI relies on standard IPSec protocols (ESP/AH) and builds only a single tunnel that consists of one "0/0" IPSec SA. There are no further proxies for subnets behind each router; the routing protocol is used to advertise which subnets are reachable over the VTI interfaces. This allows VTI to get rid of the additional GRE encapsulation required for DMVPN; multicast traffic is supported out of the box, for example. There is a slight 4-byte packet overhead introduced by VTI.
On the other hand, VTI does not offer dynamic spoke-to-spoke tunnel setup (it lacks the NHRP component of the DMVPN toolset). Furthermore, it is only supported on Cisco components, specifically IOS routers. Also, GRE tunnels are able to transport more payload types than VTI/cloned Virtual-Access interfaces.
In general, VTI tunnel designs are recommended for a small-footprint, hub-and-spoke, IOS-based VPN cloud where direct spoke-to-spoke tunnels are not required (spoke-to-spoke traffic is permitted, but always gets relayed through the hub).
Motivation and Design rules
This design is based on the following requirements:
- two hubs (to deal with outages at the central side)
- spokes with redundant internet uplinks
- reliable and fast convergence in case of spoke internet uplink failure
- troubleshooting possible for people who are not IPSec gurus, but rather fit the enterprise LAN network admin profile
- staging of spokes must be a painless, not too complex process
Spoke Internet uplinks
It was decided to use permanent tunnels instead of on-demand tunnel setup. This is crucial, because fast and reliable convergence and redundancy require always-on internet links. It is not acceptable to dial a backup connection in case of primary link failure, just to notice that the backup connection is not functional. In addition, waiting for a backup interface to come up renders the advantage of routing protocols (fast alternative path selection) useless. Also, most if not all link tracking techniques offered by lower-end routers are not always reliable and either fail to detect a link outage or cannot bring a previously failed interface back into operation (tested features: dialer watch, backup interfaces, IP SLA/route tracking, some flavored with floating static routes).
Of course, this requires two permanently active internet links, but lots of today's internet access plans are "flatrate" or at least "per-volume" based; this is fair game for a cheap backup solution.
Now that there are two Internet links, two paths are available to the internet and to the hub routers at headquarters. There are some issues with dual internet links terminated at the same router that deserve further discussion.
A router does not tie an interface-assigned IP address strictly to this interface when it comes to packet switching. This means that when sourcing traffic from an interface-assigned IP address, the router will _not_ apply any special logic just because this IP address is configured/assigned there. It is still the well-known process that takes place: determine the egress interface etc. based on the destination IP address, using longest-prefix matching only.
Routing/Tunnel considerations
For a spoke equipped with dual internet links, both ISPs will usually deliver a default route. These two default routes get installed by the router, and IOS will happily start to load share traffic between the two paths. Even if you source traffic from one of the Internet links' assigned IP addresses (negotiated via PPP or DHCP), the router will still load balance. This calls for trouble, because most ISPs filter ingress traffic at their customer border. Traffic that you send to an ISP, sourced from an IP address not assigned by this ISP, gets dropped (otherwise switch to an ISP with more clue).
One possible solution is to use policy based routing for router-generated traffic. PBR overrides the default lookup mechanism of the switching methods by using route-maps that match on source addresses, then sets the egress interface based on the match. For spokes that receive dynamic IP addresses from their ISPs, such a route-map might be impossible or at least cumbersome to configure.
Another solution is not to accept the default routes offered by the ISPs, but to statically route only the IP addresses required for tunnel communication (the hubs' IP addresses) via the desired paths, either primary or backup internet access. This is a perfect solution for a hub-and-spoke design, where all traffic originated by a spoke must either be routed over the tunnel to the hub or dropped; there is no need for a 0/0 route at the spokes pointing toward the internet.
Each tunnel can be designated to terminate at one of the two hub routers. This is fine if the internet access methods used at the spokes are identical in terms of service quality (latency, bandwidth etc.). A possible drawback of such a design is that when the hub serving the spoke tunnels goes down, all spokes will switch to their secondary/backup internet access method, because the second hub only serves the tunnels that get sourced from the spokes' backup internet links.
This becomes critical when using backup link technologies that differ a lot from the primary link technology. For example, when using DSL broadband as the primary access path and UMTS as the backup path, it is advisable not to switch to UMTS even if the primary hub at the central side goes down. The other hub is still available; there is no reason to use the backup link at all spokes because of that.
To overcome this problem, 4 tunnels per spoke are configured. Two of them are sourced off the primary Internet link; the first one terminates at the primary hub, and the second tunnel terminates at the secondary hub.
The same applies to the other two tunnels, but they are sourced off the backup Internet link. Now the tunnel metric/cost configuration is the basis for path selection, and the routing protocol does its magic.
To provide fast convergence, a routing protocol is used over the tunnels (static routes would work, too). For this design, distance vector routing protocols (EIGRP, RIPv2) fit better than link state routing protocols (OSPF), although the hierarchical design offered by OSPF, especially with totally stubby areas, seems perfect at first glance.
OSPF has disadvantages, because in a single-area concept all routers (spokes and the two hubs) share a common view of the cloud, so link information from every spoke gets propagated (flooded) through the area. When a spoke flaps, this change is propagated too, and every router will run SPF, which causes a significant burden (CPU- and traffic-wise) once the VTI cloud gets big enough.
Of course, it is possible to switch to an OSPF multi-area concept, where each spoke belongs to a different area and the hubs play the role of the ABRs. These areas are then configured as totally stubby areas, eliminating LSAs from other/external areas. The drawback is that this causes a huge burden on both ABRs (the hubs), because every area requires its own link state database, including its own per-area SPF calculation. This might be attractive if there are only a few spokes, but typical enterprise hub-and-spoke VPNs have to deliver connectivity to 100+ remote sites (spokes). It is just too resource intensive to attach an ABR to that many different areas.
The alternative is the use of EIGRP or even RIPv2. These distance vector protocols ("hybrid" in the case of EIGRP) don't know the concept of hierarchical network areas; they just rely on information received from neighboring routers ("routing by rumor"). EIGRP was chosen over RIPv2 because of its powerful metric manipulation and its faster reconvergence (and since VTI is Cisco proprietary anyway).
The spokes, acting as EIGRP stub routers, advertise their LAN-attached networks and their Loopback addresses over the four tunnel interfaces. Both hubs do not advertise the headquarters networks directly. Instead, every headquarters network is hidden behind a general summary network, 0.0.0.0, that gets advertised to the spokes. A 0/0 summary was preferred over "default-information", because it doesn't require any additional route filtering at the hubs with distribute lists to get rid of the more specific prefixes, so the hub config doesn't require modifications when new networks are attached.
EIGRP route metrics are adjusted, eliminating all metric variables but delay (in particular, bandwidth no longer contributes to the metric). Each of the 4 Tunnel interfaces at the spoke gets a different delay value configured, to prefer routes in this order:
1. primary ISP, primary hub
2. primary ISP, secondary hub
3. backup ISP, primary hub
4. backup ISP, secondary hub
In addition, interface delay at the hubs is adjusted as well, to ensure that traffic destined to the spokes always follows the same scheme. This is done at the virtual template interfaces; the cloned virtual access interfaces inherit these settings.
Delay values were chosen in a way that load sharing traffic over both Tunnels that originate at the spoke's primary internet link is possible (variance 2), allowing traffic originating at the spokes to be load shared between both hubs. It is not beneficial for the spoke, but for larger installations, distributing the encryption and decryption load between both hubs can be an advantage. To get the full load sharing benefit, both hubs should advertise the spoke networks (original prefix lengths or a summary) to the headquarters inside domain, to enable load sharing of traffic toward the spokes too.
For simplicity, the configuration below uses HSRP. Traffic sourced at headquarters and destined to the spokes is handed to the standby address. In case the primary hub is still HSRP active, but the most preferred tunnel toward a spoke (primary hub, primary spoke ISP) is down, the next best tunnel is via the secondary hub (still utilizing the spoke's primary ISP link). The primary hub needs to forward this traffic to the secondary hub. Instead of using the inside interface and dealing with redirects/suboptimal interface utilization, a dedicated transfer link between both hubs was designed for such traffic flow.
Another interesting challenge is how to provide the 4 additional IP addresses for the Loopback interfaces that are responsible for tunnel termination at both hubs. These are required to configure different virtual templates (with different delay metric values), thus terminating two unique tunnels per hub. The example below uses 4 /32 addresses from a prefix different from the outside IP network. To keep things simple, each hub advertises its two /32s via BGP to the upstream "test ISP". In real life, you can use any method that fits, for example static routes on the upstream routers or secondary addresses at each hub's outside interface (so addresses from the same subnet). Just change the "tunnel source" line at each virtual template interface to match these addresses.
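To see how the delay values above turn into EIGRP's actual path choice, here is an added Python model of the K3-only metric, the feasibility condition and the variance rule; it is not from the article, and the router configs below are the only authoritative source. It uses the Tunnel and Virtual-Template delays from the configs and assumes IOS default Ethernet delay (1000 us) for the hub inside, spoke LAN and transfer-link interfaces, and that a hub's 0/0 summary carries the metric of its best component route.

```python
"""Added model of the EIGRP path selection in the dual-hub VTI design.

'metric weights 0 0 0 1 0 0' (K3 only) reduces the classic EIGRP composite
metric to 256 * (sum of interface delays along the path), where delay is
counted in tens of microseconds, the unit of the IOS 'delay' command.
Tunnel and Virtual-Template delays are the article's values; LAN and transfer
link delays are ASSUMED IOS Ethernet defaults (1000 us = 100 units).
"""
from dataclasses import dataclass
from typing import List, Tuple

HUB_LAN_DELAY = 100        # assumed: hub Ethernet0/0 (inside), IOS default delay
SPOKE_LAN_DELAY = 100      # assumed: spoke Ethernet0/0 (LAN), IOS default delay
TRANSFER_LINK_DELAY = 100  # assumed: hub-to-hub Ethernet0/2, IOS default delay

# delay values configured on the spoke Tunnel interfaces
SPOKE_TUNNEL_DELAY = {
    "Tunnel10 (DSL -> primary hub)": 10,
    "Tunnel11 (DSL -> secondary hub)": 11,
    "Tunnel20 (3G -> primary hub)": 200,
    "Tunnel21 (3G -> secondary hub)": 210,
}
# delay values configured on the hubs' Virtual-Template interfaces
HUB1_TEMPLATE_DELAY = {"Virtual-Template1 (DSL)": 1000, "Virtual-Template2 (3G)": 3000}
HUB2_TEMPLATE_DELAY = {"Virtual-Template1 (DSL)": 2000, "Virtual-Template2 (3G)": 4000}


@dataclass
class Candidate:
    """One EIGRP path to a prefix as seen from the local router."""
    name: str
    reported_distance: int  # metric the neighbour advertised (RD)
    ingress_delay: int      # delay of the local interface the update arrived on

    @property
    def metric(self) -> int:
        # K3-only composite metric: 256 * total path delay
        return self.reported_distance + 256 * self.ingress_delay


def select_paths(cands: List[Candidate], variance: int = 1) -> Tuple[str, List[str]]:
    """Return the successor and every path EIGRP would install for load sharing."""
    best = min(cands, key=lambda c: c.metric)
    fd = best.metric                              # feasible distance
    installed = [c for c in cands
                 if c.reported_distance < fd      # feasibility condition (loop-free)
                 and c.metric <= variance * fd]   # variance rule
    installed.sort(key=lambda c: c.metric)
    return best.name, [c.name for c in installed]


def spoke_default_route(variance: int = 2, dsl_up: bool = True) -> Tuple[str, List[str]]:
    """Path choice at a spoke for the 0/0 summary both hubs advertise."""
    # assumed: the summary inherits the metric of the hub's best component
    # route, i.e. its inside Ethernet
    summary_rd = 256 * HUB_LAN_DELAY
    cands = [Candidate(name, summary_rd, delay)
             for name, delay in SPOKE_TUNNEL_DELAY.items()
             if dsl_up or "3G" in name]
    return select_paths(cands, variance)


def hub1_spoke_lan_route(dsl_tunnel_up: bool = True, variance: int = 1) -> Tuple[str, List[str]]:
    """Path choice at Hub1 for a spoke LAN: its own tunnels, or the relay
    via Hub2 over the transfer link when the preferred DSL tunnel is gone."""
    spoke_rd = 256 * SPOKE_LAN_DELAY  # what the spoke advertises for its LAN
    # Hub2 only advertises what it reaches through its own virtual-access
    # interfaces (split horizon keeps it from echoing Hub1's path back)
    hub2_metric = min(spoke_rd + 256 * d for d in HUB2_TEMPLATE_DELAY.values())
    cands = [Candidate("via Hub2 (transfer link)", hub2_metric, TRANSFER_LINK_DELAY)]
    for name, delay in HUB1_TEMPLATE_DELAY.items():
        if dsl_tunnel_up or "3G" in name:
            cands.append(Candidate("Hub1 " + name, spoke_rd, delay))
    return select_paths(cands, variance)


if __name__ == "__main__":
    print("spoke, all links up:   ", spoke_default_route())
    print("spoke, DSL down:       ", spoke_default_route(dsl_up=False))
    print("hub1, all tunnels up:  ", hub1_spoke_lan_route())
    print("hub1, DSL tunnel down: ", hub1_spoke_lan_route(dsl_tunnel_up=False))
```

With variance 2 the spoke installs both DSL tunnels but neither 3G tunnel (their metric is more than twice the best), and Hub1 relays through Hub2 rather than its own 3G tunnel once its DSL tunnel is gone, which is exactly the preference order the design asks for.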
Topology
Configuration
The hub and spoke configurations contain inline comments. Furthermore, the output of some show commands is provided below, to outline the idea of some redundancy scenarios.
Hub 1
!
hostname Hub1
!
ip cef
no ip domain lookup
!
virtual-profile virtual-template 1
!
!- Key chain for EIGRP authentication, the same for all hubs/spokes
key chain VTI_CHAIN
 key 10
  key-string whocares
!
!- Shaping is used to test per spoke QoS features, in combination
!- with Policing at ISP2 (to simulate low bandwidth backup links)
class-map match-all CM_TEST-SHAPE
 match access-group name ACL_TEST-SHAPE
!
policy-map PM_TEST-SHAPE
 class CM_TEST-SHAPE
  shape average 8000 1000 0
!
!- one IKE policy for all Spokes
crypto isakmp policy 1
 encr aes 192
 authentication pre-share
 group 2
!
!- the sample uses a wildcard preshared key
!- for production use, please consider the use of certificate-based spoke authentication
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!- DPD and SPI recovery, to provide faster IPSec reconvergence
!- the DPD keepalives can be more aggressive in the real world
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120 30 periodic
!
!- IKE profiles, used to tie IKE requests to the correct VTI, based on
!- the local tunnel address
crypto isakmp profile IKE_PROF_DSL_PRI
   description *** IKE Profile for DSL (primary Hub) ***
   keyring default
   match identity address 0.0.0.0
   virtual-template 1
   local-address 192.0.2.10
crypto isakmp profile IKE_PROF_3G_PRI
   description *** IKE Profile for 3G (primary Hub) ***
   keyring default
   match identity address 0.0.0.0
   virtual-template 2
   local-address 192.0.2.20
!
crypto ipsec transform-set TR_ESP-AES192-SHA1 esp-aes 192 esp-sha-hmac
!
!- IPSec protection suite, used at the VTI interfaces
!- couples the IKE profile, the VTI interface and the
!- IPSec transform set together
crypto ipsec profile IPSEC_PROF_3G_PRI
 description *** IPSec Profile for 3G (primary Hub) ***
 set transform-set TR_ESP-AES192-SHA1
 set pfs group2
 set isakmp-profile IKE_PROF_3G_PRI
!
crypto ipsec profile IPSEC_PROF_DSL_PRI
 description *** IPSec Profile for DSL (primary Hub) ***
 set transform-set TR_ESP-AES192-SHA1
 set pfs group2
 set isakmp-profile IKE_PROF_DSL_PRI
!
!- Loopback for management and for the Tunnel network
!- (Tunnel interfaces are unnumbered)
interface Loopback1
 description *** This box (primary Hub) ***
 ip address 198.18.1.1 255.255.255.255
!
!- Loopback address, used as the spoke tunnel destination
!- for the 1st preferred tunnel
interface Loopback10
 description *** Tunnel Source for DSL (primary Hub) ***
 ip address 192.0.2.10 255.255.255.255
!
!- Loopback address, used as the spoke tunnel destination
!- for the 3rd most preferred tunnel
interface Loopback20
 description *** Tunnel Source for 3G (primary Hub) ***
 ip address 192.0.2.20 255.255.255.255
!
interface Ethernet0/0
 description *** Inside (primary Hub) ***
 bandwidth 10000
 ip address 198.18.18.253 255.255.255.0
 half-duplex
 standby 1 ip 198.18.18.254
 standby 1 priority 105
 standby 1 preempt
!
interface Ethernet0/1
 description *** Outside (primary Hub) ***
 ip address 192.0.2.2 255.255.255.248
 half-duplex
!
interface Ethernet0/2
 description *** Hub Transfer Network (primary Hub) ***
 bandwidth 10000000
 ip address 198.18.17.1 255.255.255.252
 half-duplex
!
!- the first Virtual Template Interface (1st preferred tunnel)
!- Virtual Access interfaces for the spokes get cloned, based on this template
!
interface Virtual-Template1 type tunnel
 description *** Tunnel Template for DSL (primary Hub) ***
 bandwidth 4000
 ip unnumbered Loopback1
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 VTI_CHAIN
 ip summary-address eigrp 1 0.0.0.0 0.0.0.0 255
 logging event subif-link-status
 !- delay gets adjusted
 delay 1000
 tunnel source Loopback10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROF_DSL_PRI
!
!- the second Virtual Template Interface (3rd most preferred tunnel)
!- Virtual Access interfaces for the spokes get cloned, based on this template
!
interface Virtual-Template2 type tunnel
 description *** Tunnel Template for 3G (primary Hub) ***
 bandwidth 4000
 ip unnumbered Loopback1
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 VTI_CHAIN
 ip summary-address eigrp 1 0.0.0.0 0.0.0.0 255
 logging event subif-link-status
 !- delay gets adjusted
 delay 3000
 tunnel source Loopback20
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROF_3G_PRI
 service-policy output PM_TEST-SHAPE
!
router eigrp 1
 !- it is not possible to use passive-interface default, this would disable EIGRP on
 !- cloned interfaces
 passive-interface Ethernet0/0
 passive-interface Ethernet0/1
 network 198.18.0.0 0.0.255.255
 !- only delay shall be included in metric calculation
 metric weights 0 0 0 1 0 0
 default-metric 1000 1 255 1 1500
 no auto-summary
!
!- BGP is not required for VTI, it is only used to advertise the
!- tunnel endpoint loopbacks to ISP1 in this test scenario
router bgp 65535
 no synchronization
 bgp log-neighbor-changes
 network 192.0.2.10 mask 255.255.255.255
 network 192.0.2.20 mask 255.255.255.255
 neighbor 192.0.2.1 remote-as 65500
 neighbor 192.0.2.3 remote-as 65535
 no auto-summary
!
!- route the internal data network
ip route 198.18.0.0 255.254.0.0 198.18.18.1
!
ip access-list extended ACL_TEST-SHAPE
 permit icmp any any echo
 permit icmp any any echo-reply
!
end
Hub 2
!
hostname Hub2
!
ip cef
no ip domain lookup
!
virtual-profile virtual-template 1
!
key chain VTI_CHAIN
 key 10
  key-string whocares
!
class-map match-all CM_TEST-SHAPE
 match access-group name ACL_TEST-SHAPE
!
policy-map PM_TEST-SHAPE
 class CM_TEST-SHAPE
  shape average 8000 1000 0
!
crypto isakmp policy 1
 encr aes 192
 authentication pre-share
 group 2
!
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120 30 periodic
!
crypto isakmp profile IKE_PROF_DSL_SEC
   description *** IKE Profile for DSL (secondary Hub) ***
   keyring default
   match identity address 0.0.0.0
   virtual-template 1
   local-address 192.0.2.11
crypto isakmp profile IKE_PROF_3G_SEC
   description *** IKE Profile for 3G (secondary Hub) ***
   keyring default
   match identity address 0.0.0.0
   virtual-template 2
   local-address 192.0.2.21
!
!
crypto ipsec transform-set TR_ESP-AES192-SHA1 esp-aes 192 esp-sha-hmac
!
crypto ipsec profile IPSEC_PROF_3G_SEC
 description *** IPSec Profile for 3G (secondary Hub) ***
 set transform-set TR_ESP-AES192-SHA1
 set pfs group2
 set isakmp-profile IKE_PROF_3G_SEC
!
crypto ipsec profile IPSEC_PROF_DSL_SEC
 description *** IPSec Profile for DSL (secondary Hub) ***
 set transform-set TR_ESP-AES192-SHA1
 set pfs group2
 set isakmp-profile IKE_PROF_DSL_SEC
!
interface Loopback1
 description *** This box (secondary Hub) ***
 ip address 198.18.1.2 255.255.255.255
!
interface Loopback11
 description *** Tunnel Source for DSL (secondary Hub) ***
 ip address 192.0.2.11 255.255.255.255
!
interface Loopback21
 description *** Tunnel Source for 3G (secondary Hub) ***
 ip address 192.0.2.21 255.255.255.255
!
interface Ethernet0/0
 description *** Inside (secondary Hub) ***
 bandwidth 10000
 ip address 198.18.18.252 255.255.255.0
 half-duplex
 standby 1 ip 198.18.18.254
 standby 1 preempt
!
interface Ethernet0/1
 description *** Outside (secondary Hub) ***
 ip address 192.0.2.3 255.255.255.248
 half-duplex
!
interface Ethernet0/2
 description *** Hub Transfer Network (secondary Hub) ***
 bandwidth 10000000
 ip address 198.18.17.2 255.255.255.252
 half-duplex
!
interface Virtual-Template1 type tunnel
 description *** Tunnel Template for DSL (secondary Hub) ***
 bandwidth 4000
 ip unnumbered Loopback1
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 VTI_CHAIN
 ip summary-address eigrp 1 0.0.0.0 0.0.0.0 255
 logging event subif-link-status
 delay 2000
 tunnel source Loopback11
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROF_DSL_SEC
!
interface Virtual-Template2 type tunnel
 description *** Tunnel Template for 3G (secondary Hub) ***
 bandwidth 4000
 ip unnumbered Loopback1
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 VTI_CHAIN
 ip summary-address eigrp 1 0.0.0.0 0.0.0.0 255
 logging event subif-link-status
 delay 4000
 tunnel source Loopback21
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROF_3G_SEC
 service-policy output PM_TEST-SHAPE
!
router eigrp 1
 passive-interface Ethernet0/0
 passive-interface Ethernet0/1
 network 198.18.0.0 0.0.255.255
 metric weights 0 0 0 1 0 0
 no auto-summary
!
router bgp 65535
 no synchronization
 bgp log-neighbor-changes
 network 192.0.2.11 mask 255.255.255.255
 network 192.0.2.21 mask 255.255.255.255
 neighbor 192.0.2.1 remote-as 65500
 neighbor 192.0.2.2 remote-as 65535
 no auto-summary
!
ip route 198.18.0.0 255.254.0.0 198.18.18.1
!
ip access-list extended ACL_TEST-SHAPE
 permit icmp any any echo
 permit icmp any any echo-reply
!
Spoke 1
!
hostname Spoke1
!
ip cef
!
vpdn enable
!
key chain VTI_CHAIN
 key 10
  key-string whocares
!
crypto isakmp policy 1
 encr aes 192
 authentication pre-share
 group 2
!
crypto isakmp key cisco address 192.0.2.10
crypto isakmp key cisco address 192.0.2.11
crypto isakmp key cisco address 192.0.2.20
crypto isakmp key cisco address 192.0.2.21
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120 30 periodic
!
crypto ipsec transform-set TR_ESP-AES192-SHA1 esp-aes 192 esp-sha-hmac
!
crypto ipsec profile IPSEC_PROF_ALL
 set transform-set TR_ESP-AES192-SHA1
 set pfs group2
!
bba-group pppoe global
!
interface Loopback1
 description *** This box (Spoke) ***
 ip address 198.18.248.1 255.255.255.255
!
interface Tunnel10
 description *** Tunnel via DSL to primary Hub ***
 bandwidth 4000
 ip unnumbered Loopback1
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 VTI_CHAIN
 delay 10
 tunnel source Dialer1
 tunnel destination 192.0.2.10
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile IPSEC_PROF_ALL
!
interface Tunnel11
 description *** Tunnel via DSL to secondary Hub ***
 bandwidth 4000
 ip unnumbered Loopback1
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 VTI_CHAIN
 delay 11
 tunnel source Dialer1
 tunnel destination 192.0.2.11
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile IPSEC_PROF_ALL
!
interface Tunnel20
 description *** Tunnel via 3G to primary Hub ***
 bandwidth 4000
 ip unnumbered Loopback1
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 VTI_CHAIN
 delay 200
 tunnel source Dialer2
 tunnel destination 192.0.2.20
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile IPSEC_PROF_ALL
!
interface Tunnel21
 description *** Tunnel via 3G to secondary Hub ***
 bandwidth 4000
 ip unnumbered Loopback1
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 VTI_CHAIN
 delay 210
 tunnel source Dialer2
 tunnel destination 192.0.2.21
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile IPSEC_PROF_ALL
!
interface Ethernet0/0
 description *** LAN ***
 ip address 198.19.1.1 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 description *** ISP1 PPPoE/ADSL ***
 no ip address
 half-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Serial1/1
 description *** ISP2 PPP/3G ***
 no ip address
 encapsulation ppp
 dialer in-band
 dialer pool-member 2
 dialer-group 2
 keepalive 10 3
 pulse-time 1
!
interface Dialer1
 description *** PPPoE/ADSL Dialer ***
 ip address negotiated
 encapsulation ppp
 logging event subif-link-status
 dialer pool 1
 dialer idle-timeout 0
 dialer string 1234
 dialer persistent
 dialer-group 1
 keepalive 5
 ppp authentication pap callin
 ppp direction callout
 ppp pap sent-username Spoke1 password 0 cisco
 ppp ipcp address accept
!
interface Dialer2
 description *** PPP/3G Dialer ***
 ip address negotiated
 encapsulation ppp
 logging event subif-link-status
 dialer pool 2
 dialer idle-timeout 0
 dialer string 1234
 dialer persistent
 dialer-group 2
 keepalive 5
 ppp authentication pap callin
 ppp direction callout
 ppp pap sent-username Spoke1 password 0 cisco1
 ppp ipcp address accept
!
router eigrp 1
 passive-interface default
 no passive-interface Tunnel10
 no passive-interface Tunnel11
 no passive-interface Tunnel20
 no passive-interface Tunnel21
 network 198.18.0.0 0.1.255.255
 metric weights 0 0 0 1 0 0
 no auto-summary
 eigrp stub connected summary
!
ip route 192.0.2.10 255.255.255.255 Dialer1
ip route 192.0.2.11 255.255.255.255 Dialer1
ip route 192.0.2.20 255.255.255.255 Dialer2
ip route 192.0.2.21 255.255.255.255 Dialer2
!
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
Spoke 2
!
hostname Spoke2
!
ip cef
no ip domain lookup
!
vpdn enable
!
key chain VTI_CHAIN
 key 10
  key-string whocares
!
crypto isakmp policy 1
 encr aes 192
 authentication pre-share
 group 2
!
crypto isakmp key cisco address 192.0.2.10
crypto isakmp key cisco address 192.0.2.11
crypto isakmp key cisco address 192.0.2.20
crypto isakmp key cisco address 192.0.2.21
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120 30 periodic
!
crypto ipsec transform-set TR_ESP-AES192-SHA1 esp-aes 192 esp-sha-hmac
!
crypto ipsec profile IPSEC_PROF_ALL
 set transform-set TR_ESP-AES192-SHA1
 set pfs group2
!
bba-group pppoe global
!
interface Loopback1
 description *** This box (Spoke) ***
 ip address 198.18.248.2 255.255.255.255
!
interface Tunnel10
 description *** Tunnel via DSL to primary Hub ***
 bandwidth 4000
 ip unnumbered Loopback1
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 VTI_CHAIN
 delay 10
 tunnel source Dialer1
 tunnel destination 192.0.2.10
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile IPSEC_PROF_ALL
!
interface Tunnel11
 description *** Tunnel via DSL to secondary Hub ***
 bandwidth 3000
 ip unnumbered Loopback1
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 VTI_CHAIN
 delay 11
 tunnel source Dialer1
 tunnel destination 192.0.2.11
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile IPSEC_PROF_ALL
!
interface Tunnel20
 description *** Tunnel via 3G to primary Hub ***
 bandwidth 2000
 ip unnumbered Loopback1
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 VTI_CHAIN
 delay 200
 tunnel source Dialer2
 tunnel destination 192.0.2.20
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile IPSEC_PROF_ALL
!
interface Tunnel21
 description *** Tunnel via 3G to secondary Hub ***
 bandwidth 4000
 ip unnumbered Loopback1
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 VTI_CHAIN
 delay 210
 tunnel source Dialer2
 tunnel destination 192.0.2.21
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile IPSEC_PROF_ALL
!
interface Ethernet0/0
 description *** LAN ***
 ip address 198.19.2.1 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 description *** ISP1 PPPoE/ADSL ***
 no ip address
 half-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Serial1/1
 description *** ISP2 PPP/3G ***
 no ip address
 encapsulation ppp
 dialer in-band
 dialer pool-member 2
 dialer-group 1
 keepalive 10 3
 pulse-time 1
!
interface Dialer1
 description *** PPPoE/ADSL Dialer ***
 ip address negotiated
 encapsulation ppp
 logging event subif-link-status
 dialer pool 1
 dialer idle-timeout 0
 dialer string 1234
 dialer persistent
 dialer-group 1
 keepalive 5
 ppp authentication pap callin
 ppp direction callout
 ppp pap sent-username Spoke2 password 0 cisco
 ppp ipcp address accept
!
interface Dialer2
 description *** PPP/3G Dialer ***
 ip address negotiated
 encapsulation ppp
 logging event subif-link-status
 dialer pool 2
 dialer idle-timeout 0
 dialer string 1234
 dialer persistent
 dialer-group 2
 keepalive 5
 ppp authentication pap callin
 ppp direction callout
 ppp pap sent-username Spoke2 password 0 cisco1
 ppp ipcp address accept
!
router eigrp 1
 passive-interface default
 no passive-interface Tunnel10
 no passive-interface Tunnel11
 no passive-interface Tunnel20
 no passive-interface Tunnel21
 network 198.18.0.0 0.1.255.255
 metric weights 0 0 0 1 0 0
 no auto-summary
 eigrp stub connected summary
!
ip route 192.0.2.10 255.255.255.255 Dialer1
ip route 192.0.2.11 255.255.255.255 Dialer1
ip route 192.0.2.20 255.255.255.255 Dialer2
ip route 192.0.2.21 255.255.255.255 Dialer2
!
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
ISP 1
!
hostname ISP1
!
aaa new-model
!
aaa authentication login default none
aaa authentication ppp dial local
!
ip cef
no ip domain lookup
!
virtual-profile virtual-template 1
!
vpdn enable
!
username Spoke1 password 0 cisco
username Spoke2 password 0 cisco
!
bba-group pppoe global
 virtual-template 1
!
interface Loopback1
 description *** This box ***
 ip address 192.0.2.127 255.255.255.255
!
interface Serial0/0
 description *** Uplink to ISP2, AS 65000 ***
 ip address 192.0.2.8 255.255.255.254
 ip verify unicast source reachable-via rx
 serial restart-delay 0
 clock rate 128000
!
interface Ethernet1/0
 description *** Downstream AS 65535 ***
 ip address 192.0.2.1 255.255.255.248
 ip verify unicast source reachable-via rx
 half-duplex
!
interface Ethernet1/1
 description *** Spoke 1 PPPoE ***
 no ip address
 half-duplex
 pppoe enable group global
!
interface Ethernet1/2
 description *** Spoke 2 PPPoE ***
 no ip address
 half-duplex
 pppoe enable group global
!
interface Virtual-Template1
 description *** Template to clone PPPoE sessions ***
 ip unnumbered Loopback1
 ip verify unicast source reachable-via rx
 peer default ip address pool DIALPOOL
 ppp authentication pap dial
!
router bgp 65500
 no synchronization
 bgp log-neighbor-changes
 aggregate-address 192.0.2.64 255.255.255.224 summary-only
 redistribute connected
 neighbor 192.0.2.2 remote-as 65535
 neighbor 192.0.2.3 remote-as 65535
 neighbor 192.0.2.9 remote-as 65000
 no auto-summary
!
ip local pool DIALPOOL 192.0.2.64 192.0.2.95
!
ISP 2
!
hostname ISP2
!
aaa new-model
!
aaa authentication login default none
aaa authentication ppp dial local
!
ip cef
no ip domain lookup
!
virtual-profile virtual-template 1
!
vpdn enable
!
username Spoke1 password 0 cisco1
username Spoke2 password 0 cisco1
!
policy-map PM_POLICE_EGRESS
 class class-default
  police 16000 conform-action transmit exceed-action drop
policy-map PM_POLICE_INGRESS
 class class-default
  police 16000 conform-action transmit exceed-action drop
!
bba-group pppoe global
 virtual-template 1
!
interface Loopback1
 description *** This box ***
 ip address 192.0.2.255 255.255.255.255
!
interface Serial0/0
 description *** Spoke 1 PPP Dialup (3G) ***
 no ip address
 ip verify unicast source reachable-via rx
 encapsulation ppp
 keepalive 10 2
 serial restart-delay 120
 clock rate 128000
!
interface Serial0/1
 description *** Spoke 2 PPP Dialup (3G) ***
 no ip address
 ip verify unicast source reachable-via rx
 encapsulation ppp
 keepalive 10 2
 serial restart-delay 120
 clock rate 128000
!
interface Serial0/2
 description *** Uplink to ISP1, AS 65500 ***
 ip address 192.0.2.9 255.255.255.254
 ip verify unicast source reachable-via rx
 serial restart-delay 0
 clock rate 128000
!
interface Virtual-Template1
 description *** Template to clone PPP/3G sessions ***
 ip unnumbered Loopback1
 ip verify unicast source reachable-via rx
 peer default ip address pool DIALPOOL
 ppp authentication pap dial
 service-policy input PM_POLICE_INGRESS
 service-policy output PM_POLICE_EGRESS
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 aggregate-address 192.0.2.192 255.255.255.224 summary-only
 redistribute connected
 neighbor 192.0.2.8 remote-as 65500
 no auto-summary
!
ip local pool DIALPOOL 192.0.2.192 192.0.2.222
!
"FW"
!
hostname FW
!
no ip routing
!
interface Ethernet0/0
 ip address 198.18.18.1 255.255.255.0
 no ip route-cache
 half-duplex
!
ip default-gateway 198.18.18.254
!