Chapter 7. Solutions for Geographic Site-to-Site High Availability


Geographic IPsec VPN HA with Reverse Route Injection and Multiple IPsec Peers

This design option for IPsec VPN Geographic HA leverages two components to deliver continuity of cleartext routed domains across an untrusted network in a highly available fashion: Reverse Route Injection (RRI) and Multiple IPsec Peering statements. Each delivers complementary functions to deliver the overall solution: RRI is used to preserve routing information across the IPsec VPN tunnel, while multiple IPsec peering statements are used to deliver redundancy.



Solution Overview for RRI with Multiple IPsec Peers

In our discussion of IPsec VPN HA, you have learned that it is important to preserve Layer 3 continuity between cleartext networks on either side of an IPsec VPN tunnel. One method that we have introduced to preserve this continuity is RRI. When two networks want to communicate across an untrusted intermediate network using an IPsec VPN tunnel for data confidentiality, authenticity, integrity, and nonrepudiation, RRI can be configured on each IPsec VPN tunnel endpoint to inject routes to the remote (on the opposite side of the IPsec VPN tunnel) cleartext network back into its local cleartext routed domain. Figure 7-1 illustrates the injection of remote routes into a local routed domain in an IPsec environment using RRI.



Figure 7-1. Simple Site-to-Site IPsec VPN Design with RRI






The following is an explanation of the steps illustrated in Figure 7-1:

1. Host-A on Network A sends traffic to Server-B on Network B, using a default route injected into the network by C3845ISR-A. This traffic flow causes C3845ISR-A to initiate an IPsec VPN tunnel negotiation.

2. C3845ISR-A and B negotiate Phase 1 and then Phase 2 IPsec SAs with one another, successfully creating an IPsec VPN tunnel between Network A and Network B.

3. C3845ISR-A and B are configured for RRI. When Phase 2 SAs are successfully completed in step 2, C3845ISR-A creates static routes for Network B in its routing table. Likewise, C3845ISR-B injects static routes for Network A into its routing table.

4. The administrators of Network A and Network B have configured their routing protocol processes on C3845ISR-A and C3845ISR-B to redistribute static routes into the routing protocols for Network A and Network B, respectively. The routing protocols distribute the route injected by RRI by sending RP updates back into their RP domain.



Note

Routing Protocols (RPs) in this scenario are contained within Networks A and B. There is no exchange of routing protocol updates across the IPsec VPN tunnel established in Step 2 above. Multicast traffic such as the RP traffic used in this example cannot be encrypted in a site-to-site IPsec VPN. Instead, in this example, RRI is used to preserve routing information from Network A to B and vice versa across the IPsec VPN tunnel.



5. After both RPs have converged to include the RRI-learned routes, C3845ISR-A uses the static route learned by RRI to forward traffic to Server-B to the next hop address of the IPsec VPN peer on C3845ISR-B. C3845ISR-B receives the traffic from C3845ISR-A and forwards it to Server-B, using a route learned by Network_B's IGP.

6. Server-B forwards the return traffic to C3845ISR-B. C3845ISR-B uses the static route in its routing table learned via RRI in step 3 to forward the return traffic from Server-B to the next hop address of the IPsec VPN tunnel peer IP address on C3845ISR-A. C3845ISR-A receives the return traffic from C3845ISR-B and forwards it to Host_A using a route learned by Network_B's IGP.



This process illustrates dynamic RRI in a basic geographic site-to-site IPsec VPN example. As we'll later see when discussing RRI using multiple IPsec peering statements, the use of RRI in and of itself does not necessarily provide for IPsec HA. Instead, RRI is a component of HA when coupled with multiple peering statements or spread across multiple IPsec VPN tunnel termination points using the stateless or stateful local HA techniques discussed in Chapter 6. Examples 7-1 and 7-2 illustrate the basic configuration and verification of C3845ISR-A and B, respectively, for a simple site-to-site IPsec VPN deployment without geographic or local HA.

Example 7-1 provides several notable configuration tasks relevant to successful RRI implementation. C3845ISR-A is configured to use dynamic RRI (Line 9) to insert the static routes corresponding to the destination IP address in crypto ACL 101 (Lines 8 and 19) using a next-hop IP address of 200.1.1.2 (C3845ISR-A's IP). These routes will be injected only after an IPsec SA is present in the C3845ISR-B's security association database (SADB). C3845ISR-A uses the RP EIGRP AS 10 to populate this route in the routing table of other networked nodes in Network A. To do this, the RRI-learned routes must be redistributed into the routing protocol by issuing the redistribute static command provided in Line 13 of Example 7-1. Enhanced Interior Gateway Routing Protocol (EIGRP) requires that the routes be given an EIGRP-specific metric, which is accomplished either by adding a metric for static routes only or by creating a default metric for redistributed routes, as shown in Example 7-1, line 15. RRI will use the destination IP network (192.168.2.0/24) in crypto ACL 101 to populate a static route in the routing table. The next hop for this route will be the IPsec peer defined in the crypto map, 200.1.1.2 (Example 7-1, line 6).



Example 7-1. Simple Site-to-Site RRI (Dynamic) Configuration on C3845ISR-A from Figure 7-1

1  C3845ISR-A# show running-config
2  Building configuration...
3  !
4  !
5  crypto map chap7-rri-1 10 ipsec-isakmp
6   set peer 200.1.1.2
7   set transform-set chap7-rri-1
8   match address 101
9   reverse-route
10 !
11 !
12 router eigrp 10
13  redistribute static
14  network 10.0.0.0
15  default-metric 1500 10 128 128 1500
16  no auto-summary
17 !
18 !
19 access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255



Like C3845ISR-A in Example 7-1, C3845ISR-B is configured to use dynamic RRI to insert the static routes corresponding to the destination IP address in crypto ACL 101 using a next-hop IP address of 200.1.1.1 (C3845ISR-A's IP). Because the router is configured for dynamic RRI (Example 7-2, line 9), these routes will be injected only after an IPsec SA is present in the C3845ISR-B's SADB. C3845ISR-B uses the RP EIGRP AS 10 to populate this route in the routing table of other networked nodes in Network A. To do this, the RRI-learned routes must be redistributed into the routing protocol. EIGRP requires that the routes be given an EIGRP-specific metric, which is accomplished either by adding a metric for static routes only or by creating a default metric for redistributed routes as shown later. RRI will use the destination IP network (192.168.1.0/24) in crypto ACL 101 to populate a static route in the routing table. The next hop for this route will be the IPsec peer in the crypto map, 200.1.1.1.



Example 7-2. Simple Site-to-Site RRI (Dynamic) Configuration on C3845ISR-B from Figure 7-1

1  C3845ISR-B# sh run
2  Building configuration...
3  !
4  !
5  crypto map chap7-rri-1 10 ipsec-isakmp
6   set peer 200.1.1.1
7   set transform-set chap7-rri-1
8   match address 101
9   reverse-route
10 !
11 !
12 router eigrp 10
13  redistribute static
14  network 10.0.0.0
15  default-metric 1500 10 128 128 1500
16  no auto-summary
17 !
18 !
19 access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255



The process and examples discussed thus far illustrate the behavior of dynamic RRI, where static routes are dynamically created upon the creation of a Phase 2 IPsec SA. There is another form of RRI, called static RRI, where RRI will create static routes on the IPsec VPN gateway as soon as a crypto map referencing a valid crypto ACL, peer, and transform set is applied to a valid crypto interface.

Note that, in the process illustrated in step 1 above, the initial traffic flow triggering the IPsec VPN tunnel negotiation uses a predefined default route injected by C3845ISR-A. In the above process, a predefined route is required, as dynamic RRI will not inject a route for hosts on Network A to use until a Phase 2 SA is created (step 3). Static RRI, however, would have injected routes for Network B into Network A as soon as the crypto ACL was referenced on a valid crypto map on a valid crypto interface. Therefore, with static RRI, the RRI-learned routes could have been used instead of the predefined default route injected in step 1. Examples 7-3 and 7-4 illustrate the configuration and verification of static RRI, respectively.



Caution

Static RRI injects a route before the establishment of a Phase 2 SA, which provides a way for interesting traffic to trigger the establishment of a Phase 2 SA. However, if the IPsec tunnel cannot be established (for example, if the path is severed between the two IPsec tunnel endpoints), traffic destined for the RRI-learned static route could potentially become blackholed, as that static route will always exist in the routing table regardless of the presence of an IPsec (Phase 2) SA in the SADB.



Example 7-1, lines 5-9, define the crypto map to be used. The crypto map "chap7-rri-1" applies, at a minimum, the transform set, IPsec peer, and crypto ACL to a crypto interface. In this example, crypto ACL 101 defines the traffic to be included in the crypto switching path on this interface. The crypto map also applies the 3DES/MD5-HMAC transform referenced in the transform set "chap7-rri-1" and the peer 200.1.1.2. Static RRI is configured on this crypto map (Example 7-1, line 9), immediately injecting a static route into the routing table. Once this crypto map has a valid crypto ACL, peer, and transform set, applying the crypto map to the interface with static RRI immediately injects the appropriate static route into the routing table (see Example 7-4 for verification). EIGRP AS 10 is configured to redistribute static routes, which is required to inject the RRI-learned static routes into the dynamic routing protocol. This effectively injects RRI-learned static routes for Network B into the private network behind C3845ISR-A (Network A). In order for EIGRP to successfully redistribute the static routes, a metric must be defined specific to the redistribute static command, or with the default-metric command as listed below. ACL 101 defines the traffic to be included in the crypto switching path. RRI will use the destination IP address of the crypto ACL defined in the ACL to populate the RRI static route destination in the routing table. RRI will use the IPsec peer defined in the crypto map as the next-hop IP for this route.



Example 7-3. Static RRI Configuration

1  C3845ISR-A# sh run
2  Building configuration...
3  !
4  !
5  crypto map chap7-rri-1 10 ipsec-isakmp
6   set peer 200.1.1.2
7   set transform-set chap7-rri-1
8   match address 101
9   reverse-route static
10 !
11 interface Ethernet0/0
12  ip address 200.1.1.1 255.255.255.252
13  half-duplex
14  crypto map chap7-rri-1
15 !
16 !
17 router eigrp 10
18  redistribute static
19  network 10.0.0.0
20  default-metric 1500 10 128 128 1500
21  no auto-summary
22 !
23 !
24 access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255



Note from the console output in Example 7-4, lines 18-20, that a Phase 2 SA is not required to inject RRI-learned routes with static RRI; the static route will exist in the routing table regardless of whether IPsec has successfully established Phase 2 SAs or not. Also note from the console output in Example 7-4, line 3, that RRI inserted a static route immediately, prior to the negotiation of IPsec or IKE SAs.



Example 7-4. Static RRI Verification

1  C3845ISR-A(config)# crypto map chap7-rri-1 10 ipsec-isakmp
2  C3845ISR-A(config-crypto-map)# reverse-route static
3  *Mar 1 00:42:25.431: IPSEC(rte_mgr): VPN Route Added 192.168.2.0 255.255.255.0 via 200.1.1.2 in IP DEFAULT TABLE
4  C3845ISR-A# show crypto isakmp sa
5  dst             src             state          conn-id    slot
6
7  C3845ISR-A# show crypto ipsec sa
8
9  interface: Ethernet0/0
10     Crypto map tag: chap7-rri-1, local addr. 200.1.1.1
11
12    protected vrf:
13    local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
14    remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
15    current_peer: 200.1.1.2:500
16      PERMIT, flags={origin_is_acl,}
17     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
18     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
19     #pkts compressed: 0, #pkts decompressed: 0
20     #pkts not compressed: 0, #pkts compr. failed: 0
21     #pkts not decompressed: 0, #pkts decompress failed: 0
22     #send errors 0, #recv errors 0
23
24      local crypto endpt.: 200.1.1.1, remote crypto endpt.: 200.1.1.2
25      path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
26      current outbound spi: 0
27      inbound esp sas:
28
29      inbound ah sas:
30
31      inbound pcp sas:
32
33      outbound esp sas:
34
35      outbound ah sas:
36
37      outbound pcp sas:
38 C3845ISR-A# show crypto engine connections active
39
40   ID Interface       IP-Address      State  Algorithm    Encrypt  Decrypt
41 C3845ISR-A# show ip route static
42 S    192.168.2.0/24 [1/0] via 200.1.1.2



Note

The default behavior of RRI in Cisco IOS for static crypto maps was to inject static routes as soon as a valid crypto ACL was referenced on a valid crypto interface. For dynamic crypto maps, the default behavior of RRI in Cisco IOS was to inject static routes upon the successful creation of a Phase 2 SA. In IOS versions 12.3(14)T and later, the default behavior for both static and dynamic crypto maps and RRI is to inject static routes upon the successful establishment of a Phase 2 SA.



Until this point in the chapter, we have discussed only simple RRI scenarios used to preserve routing table continuity between two networks situated on opposite ends of the IPsec VPN tunnel. We've discussed how this can be done without the use of routing protocol exchanges across the IPsec VPN tunnel using RRI, and the differences between static and dynamic RRI methods. These discussions and examples have yet to include any means of HA. Indeed, all of the methods discussed previously are single-peer definitions with one termination at each end of the tunnel. Chapter 6 discusses several methods of designing local HA in IPsec VPNs, and we will now expand those discussions to include geographic HA methods using the definition of multiple IPsec VPN peers. Figure 7-2 illustrates a variation on Figure 7-1 that adds geographic HA by adding multiple IPsec peering statements on Network_A's IPsec VPN gateway, C3845ISR-A. These peers point to two separate IPsec VPN gateways on Network B, C3845ISR-B and C. (The numbered steps in Figure 7-2 are discussed later in this section.)



Figure 7-2. Geographic HA with RRI and Multiple IPsec Peers






The redundancy added by defining multiple peers on IPsec VPN gateway C3845ISR-A does not radically change the RRI processes we've discussed in the simpler design illustrated in Figure 7-1 and Example 7-1 through Example 7-4. However, it does heighten the need for dynamic RRI over static RRI. This is due to the fact that, when multiple peers are defined, static RRI creates two identical routes to different next-hop IP addresses (the opposite end of the IPsec VPN tunnel). Example 7-5 illustrates static RRI behavior when multiple IPsec peers are defined, in which C3845ISR-A attempts to do per-packet load balancing between multiple next-hops (peers) for the same RRI-learned route. Two peers defined here cause static RRI to inject a static route with two equal cost paths into the routing table (one valid next-hop to each of the defined peers, 200.1.1.2 and 3, respectively). Because static RRI injects two entries into the routing table, one corresponding to a valid peer and another corresponding to a dead peer, half of the packets are dropped. This occurs because the router attempts to load-
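The following Python model is an added example (not from the book or from Cisco IOS) of the multi-peer behaviour described above: static RRI installs one equal-cost path per configured peer regardless of SA state, per-packet load balancing then alternates across those paths, and every packet handed to the dead peer is lost, so half the traffic is dropped. The same model with dynamic RRI installs only the path whose peer holds a Phase 2 SA. The two peer addresses mirror Figure 7-2; which peer is dead, the packet count, and the function names are assumptions of this example.

```python
import itertools

# Constructed topology mirroring the chapter's Figure 7-2 addressing:
# C3845ISR-A has two IPsec peers on Network B; 200.1.1.2 (ISR-B) is assumed
# reachable and 200.1.1.3 (ISR-C) is assumed dead. Example values, not the book's.
PREFIX = "192.168.2.0/24"
PEERS = ["200.1.1.2", "200.1.1.3"]


def rri_next_hops(peers, mode, sa_up):
    """Next hops RRI installs for one crypto ACL destination.
    Static RRI installs one equal-cost path per configured peer, whether or
    not an SA exists; dynamic RRI installs a path only for peers that
    currently hold a Phase 2 SA."""
    if mode == "static":
        return list(peers)
    if mode == "dynamic":
        return [p for p in peers if p in sa_up]
    raise ValueError("mode must be 'static' or 'dynamic'")


def forward_packets(next_hops, n_packets, reachable):
    """Model per-packet load balancing: the router alternates across the
    equal-cost next hops, and a packet handed to an unreachable peer is lost.
    Returns (delivered, dropped)."""
    if not next_hops:
        return 0, n_packets  # no route at all: nothing can be delivered
    delivered = dropped = 0
    for _, hop in zip(range(n_packets), itertools.cycle(next_hops)):
        if hop in reachable:
            delivered += 1
        else:
            dropped += 1
    return delivered, dropped


def compare_modes(peers, reachable, n_packets=100):
    """Deliver/drop counts for static versus dynamic RRI with the same peers.
    A Phase 2 SA can only exist with a reachable peer, so the SA set equals
    the reachable set in this model."""
    results = {}
    for mode in ("static", "dynamic"):
        hops = rri_next_hops(peers, mode, sa_up=reachable)
        results[mode] = forward_packets(hops, n_packets, reachable)
    return results


if __name__ == "__main__":
    print(PREFIX, compare_modes(PEERS, reachable={"200.1.1.2"}))
    # static: (50, 50)   dynamic: (100, 0)
```

The static result, 50 delivered and 50 dropped out of 100, is the "half of the packets are dropped" outcome the text describes; the dynamic result delivers all 100 because the dead peer never contributes a path. Keeping the SADB as the source of truth for installed routes is what removes the blackhole.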


