October 24

Site-to-Site VPN with dual ISP for backup/redundancy

I recently came across a scenario where a customer had two internet links from two different ISPs terminating on his ASA. If his primary link (ISP2) became unavailable, he wanted the Site-to-Site VPN to fail over to the backup link (ISP3). This post shows how to configure a firewall with two internet links, using the SLA monitoring feature to provide the required redundancy for the Site-to-Site VPN.

The site with two ISPs (in this case, FW2) is the one that needs most of the changes. The basic site-to-site configuration remains the same; only the additional configuration for the backup peer IP 3.3.3.1 is covered in this post.

Backup Site-to-Site VPN - Peering with 2 peer IPs on a single firewall

On FW1:

2.2.2.1 is the primary peer IP for this VPN; its configuration is already in place and the tunnel is up and working.

1. Create tunnel group for the backup peer IP.

tunnel-group 3.3.3.1 type ipsec-l2l
tunnel-group 3.3.3.1 ipsec-attributes
 ikev1 pre-shared-key cisco

2. Add the backup peer IP to the existing crypto map entry for 2.2.2.1 and make sure the connection-type is set to bi-directional (which is the default).

crypto map outside_map 10 set peer 2.2.2.1 3.3.3.1
crypto map outside_map 10 set connection-type bi-directional

On FW2:

Interface configuration on the FW2 firewall:

interface GigabitEthernet0
 description Connected to ISP2 - Primary link
 nameif outside
 security-level 0
 ip address 2.2.2.1 255.255.255.0 
!
interface GigabitEthernet1
 description Connected to ISP3 - Backup link
 nameif outside2
 security-level 0
 ip address 3.3.3.1 255.255.255.0

1. Create an SLA monitor that probes the gateway IP of ISP2 (primary link). Add a default route pointing towards the gateway IP of ISP3 (secondary link) with an AD value of 254. Track the primary default route with the SLA monitor, so that it is withdrawn when the ISP2 gateway stops responding and the AD 254 route through ISP3 takes over.

sla monitor 10
 type echo protocol ipIcmpEcho 2.2.2.2 interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 3.3.3.2 254

2. IKEv1 is already enabled and ‘crypto map outside_map’ is already applied on the outside interface. When the ISP2 link goes down, the outside2 interface will terminate the VPN, so the following must be in place for the tunnel to establish. Also check that the connection-type is set to bi-directional (the default).

Enable ‘crypto ikev1’ and apply ‘outside_map’ on the outside2 interface:

Existing config:

crypto ikev1 enable outside
crypto map outside_map interface outside
crypto map outside_map 10 set connection-type bi-directional

Additional config:

crypto ikev1 enable outside2
crypto map outside_map interface outside2

3. Create additional NAT statements for the outside2 interface that mirror your existing NAT.

Existing NAT:

nat (inside,outside) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface

Additional NAT:

nat (inside,outside2) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup
nat (inside,outside2) after-auto source dynamic any interface
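As an added example (not part of the original post), the following Python script checks an ASA running-config for exactly the gaps this post fills: for every egress interface carrying a default route other than the primary one, it verifies that IKEv1 is enabled, that a crypto map is applied and that the NAT rules mirror the primary interface's. The config text is constructed from the FW2 snippets above; the rule normalisation (replacing the egress interface name with a placeholder) is this script's own device.

```python
import re
# Constructed from the FW2 snippets in the post: existing config, then the lines added for outside2.
FW2_EXISTING = """
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 3.3.3.2 254
crypto ikev1 enable outside
crypto map outside_map interface outside
nat (inside,outside) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
"""
FW2_ADDITIONAL = """
crypto ikev1 enable outside2
crypto map outside_map interface outside2
nat (inside,outside2) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup
nat (inside,outside2) after-auto source dynamic any interface
"""

def default_routes(lines):
    """{egress interface: administrative distance} for every default route."""
    routes = {}
    for line in lines:
        m = re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+ (\d+)", line)
        if m:
            routes[m.group(1)] = int(m.group(2))
    return routes

def nat_rules(lines):
    """NAT rules per egress interface, with the interface name replaced so rule sets compare."""
    rules = {}
    for line in lines:
        m = re.match(r"nat \((\S+),(\S+)\) (.*)", line)
        if m:
            rules.setdefault(m.group(2), set()).add(f"nat ({m.group(1)},<egress>) {m.group(3)}")
    return rules

def check_vpn_redundancy(config):
    """Gaps on each backup egress interface versus the primary (lowest-AD default route); [] means covered."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    routes = default_routes(lines)
    primary = min(routes, key=routes.get)
    nats = nat_rules(lines)
    findings = []
    for ifname in (i for i in routes if i != primary):
        if f"crypto ikev1 enable {ifname}" not in lines:
            findings.append(f"{ifname}: IKEv1 not enabled")
        if not any(re.fullmatch(rf"crypto map \S+ interface {ifname}", ln) for ln in lines):
            findings.append(f"{ifname}: crypto map not applied")
        for rule in sorted(nats.get(primary, set()) - nats.get(ifname, set())):
            findings.append(f"{ifname}: missing mirrored NAT: {rule}")
    return findings
```

Run against FW2_EXISTING alone it reports the four gaps the "Additional" steps close; with FW2_ADDITIONAL appended it reports nothing.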
Category: CISCO, VPN | Comments are disabled on Site-to-Site VPN with dual ISP for backup/redundancy
April 4

Etherchannel (Port Channel) on Cisco ASA

Generally a Cisco ASA has one Management interface and four Gigabit interfaces, but in modern systems and scalable infrastructures you will need more than four interfaces. To overcome this limitation you can configure some VLANs and trunk them to an interface. This was the standard solution to the problem; however, since ASA version 8.4.2 you can use EtherChannel to solve it.

The benefit of EtherChannel (Port Channel) is that you get redundancy and load balancing at the same time: all four ASA interfaces are bundled into one Layer 2 link, you assign all VLANs directly to the Port Channel, and they then apply to all interfaces of the ASA.

The ASA distributes traffic across all interfaces, which gives you working load balancing; furthermore, if you lose one or two interfaces the whole traffic is redistributed over the interfaces that remain available.
If you run the Port Channel on the ASA you are permitted to create up to 200 VLANs.


The Port Channel configuration is not really tricky, but it is a little complex, and it is best to keep a history of what you have changed so you do not lose the overview of what you configured and why.
Here you can see the Port Channel configuration on an ASA 5540 and a Catalyst 2960.
OK, first of all you have to configure the Port Channel on the Catalyst; it is very simple, something like this:

!
interface Port-channel1
switchport mode trunk
!

Then I apply the Port Channel configuration to the four Catalyst interfaces connected to the ASA (in this case GigabitEthernet1/12 to GigabitEthernet1/15):

!
interface GigabitEthernet1/12
description UpLink to ASA
switchport mode trunk
channel-group 1 mode on
!
interface GigabitEthernet1/13
description UpLink to ASA
switchport mode trunk
channel-group 1 mode on
!
interface GigabitEthernet1/14
description UpLink to ASA
switchport mode trunk
channel-group 1 mode on
!
interface GigabitEthernet1/15
description UpLink to ASA
switchport mode trunk
channel-group 1 mode on
!

OK, we are finished with the Catalyst configuration; now let’s go to the ASA and create the Port Channel:

!
interface Port-channel1
no nameif
no security-level
no ip address
!

We apply Port Channel 1 to the four interfaces:
!
interface GigabitEthernet0
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet1
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet2
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
channel-group 1 mode on
no nameif
no security-level
no ip address
!
The next step is very important: for each VLAN you have to create a Port-channel sub-interface, in which you define the VLAN ID, the IP address and the security level. I will show one inside and one OUTSIDE sub-interface here:
!
interface Port-channel1.10
vlan 10
nameif inside
security-level 100
ip address 192.168.XX.XXX 255.255.255.0
!
and
!
interface Port-channel1.1000
vlan 1000
nameif OUTSIDE
security-level 0
ip address dhcp setroute
!
Well, that is all!

It is important to have the same number of VLANs and the same VLAN IDs on both sides, so when you add a new VLAN you should apply that configuration on the Catalyst first. To debug and monitor the Port Channel you can use:

show port-channel summary

Number of channel-groups in use: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-------------------------------------
1 Po1(U) LACP Gi0/0(P) Gi0/1(P) Gi0/2(P) Gi0/3(P)

The command displays the number of Port Channel groups and which interfaces are members of each; furthermore, you can see the channel-group protocol, LACP (Link Aggregation Control Protocol). Bear in mind that the Cisco ASA supports LACP only (no PAgP). You get more useful information with:

show port-channel detail

Group: 1
----------
Ports: 4 Maxports = 16                      <- we use four interfaces (Ports: 4); this can be extended up to 16 physical interfaces
Port-channels: 1 Max Port-channels= 48      <- you can configure 48 different Port Channel groups
Protocol: LACP/ active
Minimum Links: 2                            <- the minimum number of physical interfaces for a Port Channel group
Maximum Bundle: 8                           <- a maximum of 8 physical interfaces can be put into a Port Channel
Load balance: src-dst-ip
Ports in the group:
-------------------
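The redundancy a Port Channel gives you erodes silently when a member drops out of the bundle, so the output above is worth checking automatically. The following Python script is an added example (not from the original post): it parses ‘show port-channel summary’ output, reports members that are not in the bundled (P) state, and warns when the bundled count leaves no headroom above the ‘Minimum Links’ value from ‘show port-channel detail’. The healthy sample is the output shown above; the degraded sample and the expected member list are constructed.

```python
import re

# Constructed samples of 'show port-channel summary' on the ASA: the healthy output
# shown in the post, and a degraded variant where one member has gone down (D).
ASA_HEALTHY = """
Number of channel-groups in use: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-------------------------------------
1 Po1(U) LACP Gi0/0(P) Gi0/1(P) Gi0/2(P) Gi0/3(P)
"""
ASA_DEGRADED = ASA_HEALTHY.replace("Gi0/2(P)", "Gi0/2(D)")

# Members that are supposed to be in each channel-group (taken from the output above).
EXPECTED_MEMBERS = {1: ["Gi0/0", "Gi0/1", "Gi0/2", "Gi0/3"]}

# Flags as printed by the ASA: U = port-channel in use, P = member bundled, D = member down.
MEMBER = re.compile(r"(\S+?)\(([A-Za-z])\)")

def parse_summary(text):
    """Map channel-group number -> (port-channel flag, protocol, {member: flag})."""
    groups = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\((\w)\)\s+(\S+)\s+(.*)", line)
        if m:
            groups[int(m.group(1))] = (m.group(3), m.group(4), dict(MEMBER.findall(m.group(5))))
    return groups

def bundle_findings(text, expected=EXPECTED_MEMBERS, min_links=1):
    """Report members that are not bundled and groups that cannot lose another link.
    min_links mirrors the 'Minimum Links' value in 'show port-channel detail'."""
    findings = []
    for group, (state, _protocol, members) in parse_summary(text).items():
        if state != "U":
            findings.append(f"Po{group}: port-channel flag is {state}, not U (in use)")
        for port in expected.get(group, []):
            flag = members.get(port)
            if flag != "P":
                findings.append(f"Po{group}: {port} is {flag or 'absent'}, not bundled")
        bundled = sum(1 for flag in members.values() if flag == "P")
        if bundled <= min_links:
            findings.append(f"Po{group}: {bundled} bundled link(s); one more failure drops below min-links {min_links}")
    return findings
```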

For the Catalyst I prefer to use:

sho etherchannel port-channel

Channel-group listing:
----------------------
Group: 1
----------
Port-channels in the group:
---------------------------
Port-channel: Po1 (Primary Aggregator)
------------
Age of the Port-channel = 761d:02h:50m:21s
Logical slot/port = 5/1 Number of ports = 4
HotStandBy port = null
Port state = Port-channel Ag-Inuse
Protocol = LACP
Port security = Disabled
Ports in the Port-channel:
Index Load Port EC state No of bits
------+------+------+------------------+-----------
0 00 Gi1/0/45 Active 0
0 00 Gi1/0/46 Active 0
0 00 Gi1/0/47 Active 0
0 00 Gi1/0/48 Active 0

Time since last port bundled: 749d:02h:28m:31s Gi1/0/46

Just like the commands on the ASA, the Catalyst shows you the number of Port Channels, the Port Channel status and the physical interfaces assigned to this Port Channel group.

Don’t worry about the Spanning Tree Protocol (STP) on the Catalyst: STP counts the four EtherChannel interfaces as “one” link, like a single port, so no member of the EtherChannel will be blocked by STP to prevent a loop. I personally use portfast on each Port Channel member interface, but you have to modify the command for a trunk interface:

spanning-tree portfast trunk

Category: ASA, CISCO | Comments are disabled on Etherchannel (Port Channel) on Cisco ASA
January 15

Configuring HSRP and VRRP on Cisco routers

Have you ever heard the terms “four nines” or “five nines” when dealing with customers or providers? It’s commonplace to hear these phrases which describe availability or uptime within various pieces of a network. Four nines means a network will be available for service 99.99% of the time within the Service Level Timeframe (SLT). Four nines equates to approximately 1 hour (53 minutes) of downtime per year. That’s not an easy number to make in a lot of networks! There are many things that you can do to help you reach your “uptime” goals like putting in physical redundancy, using battery backups and having staff no more than a minute away to fix a problem. You can also configure logical redundancy or fault tolerance in the form of HSRP or VRRP on routers throughout your network. This article will go through a brief overview of each technology and show you how to configure it.

An Overview of HSRP
The Hot Standby Router Protocol (HSRP) is a Cisco protocol which, as detailed in RFC 2281, allows multiple client gateways to be configured as one “virtual” router. This “virtual” router is configured with a single IP address which is shared among the group, along with a virtual MAC address. The idea behind this is, of course, that the client sees its one gateway even if that gateway fails. HSRP elects an active router which forwards the client’s IP packets. A backup or standby router can be configured to take over the forwarding of packets in the event that the active router fails. To track each other, the HSRP routers use multicast to send their HSRP updates and hellos. I could go on and on about HSRP, but I said this would be brief!

An Overview of VRRP
Chances are, if you have a multi-vendor environment and want the same benefits as HSRP, you will configure the Virtual Router Redundancy Protocol (VRRP) to get them. VRRP, detailed in RFC 3768, operates in the same manner as HSRP: it elects an active router, called the Master, among a group of routers and lets it be the “keeper” of a virtual IP and MAC. As with HSRP, a failure triggers the standby router (Backup) to become the Master and forward the client’s traffic. VRRP also uses multicast for its hello mechanism and elections, but unlike HSRP*, which uses 224.0.0.2 (the all-routers address on this subnet), VRRP uses 224.0.0.18.

*Note: HSRPv2 uses 224.0.0.102

Configuration Time

Now that you have a basic understanding on how each protocol works, let’s look at how to configure them on your Cisco router.
Diagram – 1

Using the diagram above, we are going to configure R1 and R2 for HSRP with the virtual IP address 171.16.6.100 and the authentication key cisco.

R1
R1(config)# interface e0
R1(config-if)# description R1 Ethernet interface for HSRP example – Active
R1(config-if)# ip address 171.16.6.5 255.255.255.0
R1(config-if)# standby 1 ip 171.16.6.100
R1(config-if)# standby 1 priority 110
R1(config-if)# standby 1 preempt
R1(config-if)# standby 1 authentication cisco
R1(config-if)# no shut
R1(config)# router ospf 1
R1(config-router)# network 171.16.6.0 0.0.0.255 area 171.16.6.0
R1(config-router)# network 171.16.2.4 0.0.0.3 area 0.0.0.0
R2
R2(config)# interface e0
R2(config-if)# description R2 Ethernet interface for HSRP example – Standby
R2(config-if)# ip address 171.16.6.6 255.255.255.0
R2(config-if)# standby 1 ip 171.16.6.100
R2(config-if)# standby 1 preempt
R2(config-if)# standby 1 authentication cisco
R2(config-if)# no shut
R2(config)# router ospf 1
R2(config-router)# network 171.16.6.0 0.0.0.255 area 171.16.6.0 
R2(config-router)# network 171.16.7.4 0.0.0.3 area 0.0.0.0

We have now configured R1 and R2 for HSRP using the virtual IP address 171.16.6.100 and the authentication key cisco. Now let’s look at how to configure VRRP using Diagram 1.

R1
R1(config)# interface ethernet0
R1(config-if)# description R1 Ethernet interface for VRRP example – Master
R1(config-if)# ip address 171.16.6.5 255.255.255.0
R1(config-if)# vrrp 1 ip 171.16.6.100
R1(config-if)# vrrp 1 priority 110
R1(config-if)# vrrp 1 authentication cisco
R1(config-if)# no shut
R1(config)# router ospf 1
R1(config-router)# network 171.16.6.0 0.0.0.255 area 171.16.6.0
R1(config-router)# network 171.16.2.4 0.0.0.3 area 0.0.0.0
R2
R2(config)# interface e0
R2(config-if)# description R2 Ethernet interface for VRRP example – Backup
R2(config-if)# ip address 171.16.6.6 255.255.255.0
R2(config-if)# vrrp 1 ip 171.16.6.100
R2(config-if)# vrrp 1 authentication cisco
R2(config-if)# no shut
R2(config)# router ospf 1
R2(config-router)# network 171.16.6.0 0.0.0.255 area 171.16.6.0 
R2(config-router)# network 171.16.7.4 0.0.0.3 area 0.0.0.0

We have now configured both HSRP and VRRP on R1 and R2. Notice that in the VRRP example I did not use the vrrp <group> preempt command as I did in the HSRP example; this is because preempt is enabled by default for VRRP. If you ever need to turn preemption off, use the command no vrrp <group> preempt.
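Both protocols above hide the redundant routers behind a virtual IP and a virtual MAC, and a host on the segment can verify that what it sees matches the configured group. The following Python script is an added example (not from the original article): it derives the virtual MAC for an HSRP or VRRP group, recognises such a MAC in an ARP entry, and compares a host's observations with the group the routers are configured for. The virtual MAC layouts are protocol facts I am supplying, not something the article states; the multicast addresses are the ones given above; the observations are constructed for the article's HSRP group 1 on 171.16.6.100.

```python
# Well-known virtual MAC layouts (protocol facts, not taken from the article):
# HSRPv1 0000.0c07.acXX (8-bit group), HSRPv2 0000.0c9f.fXXX (12-bit group),
# VRRP 0000.5e00.01XX (8-bit VRID). The hello multicast groups are those the article states.
FHRP = {
    "hsrpv1": (0x00000C07AC00, 8, "224.0.0.2"),
    "hsrpv2": (0x00000C9FF000, 12, "224.0.0.102"),
    "vrrp": (0x00005E000100, 8, "224.0.0.18"),
}

def virtual_mac(protocol, group):
    """Virtual MAC the active/master router answers ARP with for the virtual IP."""
    base, bits, _ = FHRP[protocol]
    lowest = 1 if protocol == "vrrp" else 0      # VRID 0 is not valid in VRRP
    if not lowest <= group < (1 << bits):
        raise ValueError(f"group {group} out of range for {protocol}")
    return ":".join(f"{b:02x}" for b in (base | group).to_bytes(6, "big"))

def identify_fhrp(mac):
    """(protocol, group) if `mac` is an HSRP or VRRP virtual MAC, otherwise None."""
    value = int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)
    for protocol, (base, bits, _) in FHRP.items():
        group_mask = (1 << bits) - 1
        if (value & ~group_mask) == base:
            return protocol, value & group_mask
    return None

def audit_gateway(arp_mac, hello_dst, protocol, group):
    """Compare what a host on the segment observes (the MAC the virtual IP resolves to and
    the multicast destination of the hellos) with the group the routers are configured for."""
    expected_dst = FHRP[protocol][2]
    findings = []
    seen = identify_fhrp(arp_mac)
    if seen is None:
        findings.append(f"{arp_mac} is not a redundancy virtual MAC: a physical interface answers for the VIP")
    elif seen != (protocol, group):
        findings.append(f"VIP resolves to {seen[0]} group {seen[1]}, expected {protocol} group {group}")
    if hello_dst != expected_dst:
        findings.append(f"hellos sent to {hello_dst}, expected {expected_dst} for {protocol}")
    return findings

if __name__ == "__main__":
    # Constructed observations for the article's HSRP group 1 on 171.16.6.100.
    print(virtual_mac("hsrpv1", 1))                                        # 00:00:0c:07:ac:01
    print(audit_gateway("00:00:0c:07:ac:01", "224.0.0.2", "hsrpv1", 1))    # []
    print(audit_gateway("00:00:5e:00:01:01", "224.0.0.18", "hsrpv1", 1))   # two findings: a VRRP group answers instead
```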

Category: CISCO, NETWORKING | Comments are disabled on Configuring HSRP and VRRP on Cisco routers