BRKSEC-3011
BRKSEC-3011 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Agenda
GET VPN Fundamentals
Key Servers & Group Members
Tunnel Header Preservation
(diagram: original IP packet = IP header | IP payload)
Secure Data Plane Unicast
Secure Data Plane Multicast
(diagram: several GMs)
Policies & Rekeys
Basic Configuration
Key Server Configuration
Group Member Configuration

interface Ethernet0/0
 ip address 192.168.1.14 255.255.255.252
 crypto map cmap
!
! Crypto selector for outbound traffic
crypto map cmap 10 gdoi
 set group getvpn-wan
 match address getvpn-exclude
!
! Local policy for traffic encryption
ip access-list extended getvpn-exclude
 deny ip host 192.168.1.14 host 192.168.1.13
!
! Group definition
crypto gdoi group getvpn-wan
 identity number 1
 server address ipv4 192.168.10.10
IPsec Group Policies
IPsec Group Policy
(diagram: GM 1 at 192.168.0.1/32 and GM 2 at 192.168.0.2/32 connected over the IP VPN; IPsec VPN between 10.1.0.0/16 and 10.2.0.0/16 and between 172.16.1.0/24 and 172.16.2.0/24)
Central IPsec Group Policy
Pushed by KS to all GM's

Required policy on GM1:
 permit 10.1.0.0/16 10.2.0.0/16
 permit 172.16.1.0/24 172.16.2.0/24
 deny any any

Required policy on GM2:
 permit 10.2.0.0/16 10.1.0.0/16
 permit 172.16.2.0/24 172.16.1.0/24
 deny any any

Combine -> Resulting global policy on KS:
 permit 10.1.0.0/16 10.2.0.0/16
 permit 10.2.0.0/16 10.1.0.0/16
 permit 172.16.1.0/24 172.16.2.0/24
 permit 172.16.2.0/24 172.16.1.0/24
 deny any any (implicit)

Push -> Resulting policy on GM1 and on GM2 (identical):
 permit 10.1.0.0/16 10.2.0.0/16
 permit 10.2.0.0/16 10.1.0.0/16
 permit 172.16.1.0/24 172.16.2.0/24
 permit 172.16.2.0/24 172.16.1.0/24
 deny any any
Central IPsec Group Policy (2)
Simplify using network summarization

Required policy on GM1:
 permit 10.1.0.0/16 10.2.0.0/16
 permit 172.16.1.0/24 172.16.2.0/24
 deny any any

Required policy on GM2:
 permit 10.2.0.0/16 10.1.0.0/16
 permit 172.16.2.0/24 172.16.1.0/24
 deny any any

Summarize -> Simplified global policy on KS:
 permit 10.0.0.0/8 10.0.0.0/8
 permit 172.16.0.0/16 172.16.0.0/16
 deny any any (implicit)
Central IPsec Group Policy (3)
Simplest form using "any-any" über-summary

Push -> Resulting policy on GM1 and on GM2:
 permit any any
Local IPsec Policy
Configured on GM
(diagram: KS pushes the Global Policy to the GM at Registration)

Local IPsec policy on GM:
- Local deny statement(s) (don't encrypt)
- NO permit statements allowed

Resulting policy on GM, in order:
- Local deny
- Global deny
- Global permit
- Implicit deny

Local policy on GM:
 deny ip host 192.168.0.1 any

Concatenated policy on GM:
 deny ip host 192.168.0.1 any
 deny tcp any any eq ssh
 deny pim any host 224.0.0.13
 ...
 permit ip any any

ASR1k requires mirrored ACL before 15.1(3)S. Local policy on ASR1k pre-15.1(3)S:
 deny ip host 192.168.0.1 any
 deny ip any host 192.168.0.1
Central IPsec Group Policy (4)
Combining "any-any" with local policy

Local policy on GM1:
 deny 192.168.0.1/32 any

Local policy on GM2:
 deny 192.168.0.2/32 any

KS pushes "permit any any"; the local deny overrides it.

Resulting policy on GM1:
 deny 192.168.0.1/32 any
 permit any any

Resulting policy on GM2:
 deny 192.168.0.2/32 any
 permit any any
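The policy rules on the last few slides (mirrored permits combined into one global policy on the KS, a GM-local policy that may only add deny statements, and the fixed evaluation order local deny / global deny / global permit / implicit deny) can be modelled in a few lines. The following is an added example written for this page, not Cisco IOS code: it models crypto-ACL entries with a protocol and source/destination prefixes only (no ports), and the sample policies are the ones on the slides.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not Cisco IOS code: a small model of the crypto-ACL policy
# rules on the slides above. Only permit/deny entries with a protocol and
# source/destination prefixes are modelled ("any" matches everything);
# the sample policies below are the ones on the slides.

@dataclass(frozen=True)
class Entry:
    action: str   # "permit" = encrypt, "deny" = send in the clear
    proto: str    # "ip" matches every protocol, otherwise e.g. "tcp", "pim"
    src: str      # CIDR prefix or "any"
    dst: str      # CIDR prefix or "any"

def parse(line):
    """Parse a simplified entry such as 'permit ip 10.1.0.0/16 10.2.0.0/16'."""
    action, proto, src, dst = line.split()
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action}")
    return Entry(action, proto, src, dst)

def _in_prefix(prefix, addr):
    return prefix == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def matches(entry, proto, src, dst):
    return (entry.proto in ("ip", proto)
            and _in_prefix(entry.src, src)
            and _in_prefix(entry.dst, dst))

def mirror(entry):
    """The same entry with source and destination swapped."""
    return Entry(entry.action, entry.proto, entry.dst, entry.src)

def global_policy_from_requirements(*gm_requirements):
    """Combine the required permit statements of several GMs into the global
    policy the KS pushes: every permit plus its mirror image, de-duplicated.
    The trailing 'deny any any' of each requirement is implicit on the KS."""
    combined = []
    for requirement in gm_requirements:
        for line in requirement:
            entry = parse(line)
            if entry.action != "permit":
                continue
            for candidate in (entry, mirror(entry)):
                if candidate not in combined:
                    combined.append(candidate)
    return combined

def concatenate(local_policy, global_policy):
    """Effective GM policy in the order the slide gives: local deny, global
    deny, global permit. The implicit deny at the end is applied by decide().
    A local permit is rejected: the GM may only add exceptions, never new
    encryption rules."""
    local = [parse(line) for line in local_policy]
    if any(entry.action == "permit" for entry in local):
        raise ValueError("local policy may only contain deny statements")
    glob = [parse(line) for line in global_policy]
    return (local
            + [entry for entry in glob if entry.action == "deny"]
            + [entry for entry in glob if entry.action == "permit"])

def decide(policy, proto, src, dst):
    """First match wins; no match falls through to the implicit deny (clear)."""
    for entry in policy:
        if matches(entry, proto, src, dst):
            return "encrypt" if entry.action == "permit" else "clear"
    return "clear"

def to_text(policy):
    return [f"{e.action} {e.proto} {e.src} {e.dst}" for e in policy]

if __name__ == "__main__":
    gm1 = ["permit ip 10.1.0.0/16 10.2.0.0/16",
           "permit ip 172.16.1.0/24 172.16.2.0/24", "deny ip any any"]
    gm2 = ["permit ip 10.2.0.0/16 10.1.0.0/16",
           "permit ip 172.16.2.0/24 172.16.1.0/24", "deny ip any any"]
    print("\n".join(to_text(global_policy_from_requirements(gm1, gm2))))
    # "any-any" global policy with the local deny from slide (4) on GM1
    effective = concatenate(["deny ip 192.168.0.1/32 any"], ["permit ip any any"])
    print(decide(effective, "ip", "192.168.0.1", "10.2.0.5"))  # clear
    print(decide(effective, "ip", "10.1.0.5", "10.2.0.5"))     # encrypt
```

Note that a global deny is placed ahead of every global permit regardless of where it appears in the pushed ACL, which is why a "deny pim ..." exception in the global policy still takes effect under a trailing "permit ip any any", and why the practical advice is to keep the KS policy to symmetrical permits and put all exceptions in GM-local deny statements.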
Recommendations for IPsec Policies
Common policy exceptions
Fail-Open & Fail-Close

GM that has not yet registered with a KS can take 2 possible actions:
- Fail-open (default): allow all egress traffic to go in the clear until registered
- Fail-close: drop some or all egress traffic until registered

Once initialized, GM remains in fail-open or fail-close until registered with a KS.

GM that cannot re-register upon TEK expiration:
- does not go back to fail-open or fail-close
- drops egress traffic matching most recent IPsec policy

GM state diagram:
- Unknown (rebooted, misconfigured, cleared GDOI)
- Initialization -> Fail-Close: registering; dropping traffic based on fail-close policy
- Initialization -> Fail-Open: registering; not encrypting traffic
- Registration -> Registered: receiving rekeys; encrypting traffic based on IPsec policy
- TEK Expiring -> Re-Registering: registering; receiving rekeys; encrypting traffic based on IPsec policy
- TEK Expired: registering; dropping traffic based on most recent IPsec policy
Fail-Close Configuration
ACL syntax: permit to drop traffic, deny to let through in the clear
Bootstrap ACL required to allow control plane traffic (incl. GDOI)
Implicit permit ip any any at end of fail-close ACL (drop all traffic)
Default (no match address): permit ip any any

interface Ethernet0/0
 ip address 192.168.1.14 255.255.255.252
 crypto map cmap
!
crypto map cmap gdoi fail-close
 match address getvpn-exclude
 activate
! "activate" keyword needed to enable the fail-close policy
crypto map cmap 10 gdoi
 set group getvpn-wan
 match address getvpn-exclude
!
! Fail-close ACL can be shared with the local policy;
! GDOI traffic must be explicitly excluded
ip access-list extended getvpn-exclude
 deny udp any any eq 848
 deny ospf any any
 ...
 deny ip host 192.168.1.14 host 192.168.1.13
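Because the fail-close ACL inverts the usual meaning of permit and deny, the failure mode to check for is a bootstrap ACL that forgets to deny (i.e. let through) the GDOI registration traffic itself: the GM then drops its own registration and never leaves fail-close. The following is an added example for this page, not Cisco IOS code; it evaluates an ACL in the fail-close sense and reports which control-plane flows would be dropped. The ACL lines are the ones on the slide above; the GM, KS and neighbour addresses are constructed.

```python
import ipaddress

# Added example, not Cisco IOS code: a model of the fail-close ACL semantics
# on the slide above. While the GM is unregistered and fail-close is active,
# a packet that the ACL *permits* is dropped, a packet it *denies* goes out in
# the clear, and the implicit 'permit ip any any' at the end drops everything
# else. The ACL lines are the ones on the slide; the sample flows are constructed.

def _take_prefix(tokens, i):
    """Read 'any', 'host A.B.C.D' or a CIDR prefix starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1] + "/32", i + 2
    return tokens[i], i + 1

def parse_fail_close_acl(lines):
    """Each line: action proto src dst [eq port] -> (action, proto, src, dst, port)."""
    entries = []
    for line in lines:
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        src, i = _take_prefix(tokens, 2)
        dst, i = _take_prefix(tokens, i)
        port = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        entries.append((action, proto, src, dst, port))
    return entries

def _in_prefix(prefix, addr):
    return prefix == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def fail_close_action(acl, proto, src, dst, dport=None):
    """'drop' or 'clear' for an egress packet from an unregistered GM."""
    for action, p, s, d, port in acl:
        if p not in ("ip", proto) or not _in_prefix(s, src) or not _in_prefix(d, dst):
            continue
        if port is not None and port != dport:
            continue
        return "drop" if action == "permit" else "clear"
    return "drop"   # implicit 'permit ip any any' = drop

def bootstrap_gaps(acl, control_plane_flows):
    """Control-plane flows (proto, src, dst, dport) the ACL would still drop.
    Anything listed here, GDOI on UDP 848 in particular, stops the GM from
    ever registering, so the result should be empty."""
    return [flow for flow in control_plane_flows
            if fail_close_action(acl, *flow) == "drop"]

# ACL from the slide; the GM, KS and neighbour addresses are constructed
SLIDE_ACL = parse_fail_close_acl([
    "deny udp any any eq 848",
    "deny ospf any any",
    "deny ip host 192.168.1.14 host 192.168.1.13",
])
CONTROL_PLANE = [
    ("udp", "192.168.1.14", "192.168.10.10", 848),   # GDOI registration to the KS
    ("ospf", "192.168.1.14", "224.0.0.5", None),     # IGP to the WAN neighbour
]

if __name__ == "__main__":
    print(fail_close_action(SLIDE_ACL, "tcp", "10.1.0.5", "10.2.0.5", 443))  # drop
    print(bootstrap_gaps(SLIDE_ACL, CONTROL_PLANE))                          # []
    # Forgetting the GDOI exclusion leaves the GM unable to register:
    print(bootstrap_gaps(parse_fail_close_acl(["deny ospf any any"]), CONTROL_PLANE))
```

Running bootstrap_gaps against the list of control-plane flows a GM actually needs (GDOI, the IGP, any management traffic) before activating fail-close is a cheap way to catch the lock-out case on a lab box rather than in production.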
Fail-Close Logic
(diagram: policy evaluation for group getvpn-2 during registration: site-site-vpn: permit ...; getvpn-1-global: permit ...; getvpn-2-exclude: deny ...; getvpn-2-global: permit ...)
Receive-Only & Passive Mode
Receive-Only & Passive Mode (1)
(diagram: two GMs between LAN and WAN; each GM's crypto engine holds a SND SA and a RCV SA; traffic is cleartext on the LAN side and encrypted on the WAN side)
Receive-Only & Passive Mode (2)
Time-Based Anti Replay
Time-Based Anti Replay (TBAR)
GM's:
- synchronize pseudo time with KS periodically
(at each rekey or every 2 hours, whichever is shorter)
- tag each packet sent with a pseudo-timestamp
- check in received packets whether pseudo-timestamp falls within window
Data Plane Encapsulation (1)
TBAR Disabled
Data Plane Encapsulation (2)
TBAR Enabled
(diagram: KS distributes the reference pseudo-time; each GM accepts packets whose pseudo-timestamp falls within the window around its reference pseudo-time and rejects the rest)
Data Plane Packet Structure (For Your Reference)
GET VPN Control Plane
GDOI Protocol
GDOI Exchanges
KS RSA Keypair
GDOI Registration & Rekey
(sequence diagram between GM and KS)
t = 0s: IKE Phase 1 -> IKE SA on GM and KS (IKE authentication), exp. 300s on each side
GDOI SA: Group ID, GDOI authorization, policies; KS RSA keypair (priv, PUB)
IPsec SA: KEK 1 exp. 8000s, TEK 1 exp. 3000s
ACK
IPsec & GDOI SA's
(show command output excerpt)
interface: Ethernet0/0
    Crypto map tag: cmap, local addr 10.0.0.10
Control Plane Replay Protection (For Your Reference)
GM Registration
GM Registration Timings (For Your Reference)
Initial & Re-Registration
GM Re-Registration Timings (For Your Reference)
jitter (2%)
Unicast & Multicast Rekeys
Unicast Rekey Model
(diagram: KS sends KEK, TEK rekeys to the GMs one by one; GM87, GM112, GM137 and GM194, which did not receive the rekey, send REGISTER)
GM's that did not get the rekey will re-register before TEK expiry (*)
- compute head start to finish rekey long enough before re-registration:
  max(10% TEK lifetime, 90s) + (#retrans * interval) + (5 * #GMs / 50)
Unicast Rekey Scalability (For Your Reference)
TEK lifetime must be much larger than the time needed to rekey
- recommended TEK lifetime: 2 hours (7200s)
KEK lifetime should be much larger than TEK lifetime
- recommended KEK lifetime: between 3 * TEK lifetime and 24 hours
Pseudo-time sync rekey happens after 120min (not configurable)
Use unicast rekey if there are no more than a few hundred GM's, or if multicast routing is not available
Unicast rekey bursts can overrun slow links if there are too many GM's
- no actual delay between batches of 50 GM's (5s is only for timing calc.)
- distribute GM's amongst multiple COOP Key Servers
- reduce size of global policy (#lines in the crypto ACL)
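The head-start formula from the Unicast Rekey Model slide and the lifetime recommendations above combine into a simple sizing check. The following is an added example for this page, not Cisco code: it computes the head start, the rekey start time and a list of warnings against the recommendations. The retransmission count, retransmission interval and GM count used in the sample calls are assumptions for the demonstration, not IOS defaults, and the 25% budget used to judge "TEK lifetime much larger than the rekey time" is a threshold chosen for this example, since the slide gives no number.

```python
import math

# Added example, not Cisco code: a calculator for the unicast rekey timing
# rules on the slides above. The retransmission count, interval and GM count
# passed in are assumptions for the demonstration, not IOS defaults.

PSEUDO_TIME_SYNC = 120 * 60   # TBAR pseudo-time sync rekey after 120 min, not configurable
BATCH_SIZE = 50               # GMs per batch in the timing calculation
BATCH_BUDGET = 5              # seconds budgeted per batch (timing calculation only)
MAX_KEK = 24 * 3600           # recommended upper bound on the KEK lifetime

def rekey_head_start(tek_lifetime, retransmissions, interval, gms):
    """Seconds before TEK expiry at which the KS must start the rekey:
    max(10% TEK lifetime, 90s) + (#retrans * interval) + (5 * #GMs / 50)."""
    return (max(0.1 * tek_lifetime, 90)
            + retransmissions * interval
            + BATCH_BUDGET * gms / BATCH_SIZE)

def rekey_batches(gms):
    """Number of unicast rekey batches sent back to back (no delay between them)."""
    return math.ceil(gms / BATCH_SIZE)

def rekey_start_time(tek_lifetime, retransmissions, interval, gms):
    """Seconds after TEK installation at which the rekey begins; negative means
    the rekey cannot finish before the TEK expires and GMs will re-register."""
    return tek_lifetime - rekey_head_start(tek_lifetime, retransmissions, interval, gms)

def lifetime_warnings(tek_lifetime, kek_lifetime, retransmissions, interval, gms, tbar=True):
    """Check a TEK/KEK lifetime pair against the slide's recommendations.
    The 25% budget for 'TEK lifetime much larger than rekey time' is an
    assumption of this example; the slide gives no number."""
    warnings = []
    head = rekey_head_start(tek_lifetime, retransmissions, interval, gms)
    if head >= tek_lifetime:
        warnings.append("rekey cannot complete before TEK expiry")
    elif head > 0.25 * tek_lifetime:
        warnings.append("rekey head start exceeds 25% of the TEK lifetime")
    if kek_lifetime < 3 * tek_lifetime:
        warnings.append("KEK lifetime below 3 x TEK lifetime")
    if kek_lifetime > MAX_KEK:
        warnings.append("KEK lifetime above 24 hours")
    if tbar and tek_lifetime > PSEUDO_TIME_SYNC:
        warnings.append("pseudo-time sync rekey at 120 min happens before TEK expiry")
    return warnings

if __name__ == "__main__":
    # recommended TEK (7200s) and an 8h KEK, 1500 GMs, 2 retransmissions 10s apart (assumed)
    print(rekey_head_start(7200, 2, 10, 1500))            # 890.0
    print(rekey_batches(1500))                             # 30
    print(lifetime_warnings(7200, 8 * 3600, 2, 10, 1500))  # []
    print(lifetime_warnings(300, 3600, 2, 10, 3000))       # rekey cannot complete ...
```

The last call shows the failure mode the slide warns about: with a 300s TEK and 3000 GMs the head start (410s) is longer than the TEK lifetime itself, so every GM would fall back to re-registration and the KS would see a registration storm instead of a rekey.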
Multicast Rekey Model
(diagram: KS rekeys the GMs with KEK, TEK over multicast; GM54, GM108, GM149, GM186; REGISTER)
Policy Changes, Triggered Rekeys & GM Removal
KEK/TEK Policy Changes (For Your Reference)
Before 15.2(1)T
Triggered Rekeys
Since 15.2(1)T
User can wait for next rekey, or trigger a rekey manually from EXEC:
 router# crypto gdoi ks [group <name>] rekey [replace-now]
- KEK: old SA deleted immediately, new SA takes effect immediately
- TEK: old SA lifetime shortened to 5%, new SA takes effect after expiry
- with replace-now: old SA deleted, new SA takes effect immediately
All GM's must run a compatible version for shortening the old SA
- if not, KS will send a normal rekey (or reject if replace-now)
- check GM versions from KS EXEC with:
 show crypto gdoi feature policy-replace
GM Removal
Since 15.2(1)T
Cooperative Key Servers
Key Server Redundancy
(diagram: several KS'es serving many GMs)
Cooperative Key Servers (1)
Introduction
Cooperative Key Servers (2)
Election of Primary KS
(diagram: KS'es and GMs)
Election logic:
- if a single Primary KS exists, other KS'es remain Secondary, regardless of their own priority (no preemption)
- if no Primary, KS with highest priority is elected
- if multiple Primaries, KS with highest priority wins
- if priorities are equal, highest IP address wins
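The four election rules above are easy to get subtly wrong when reasoning about a partition followed by a merge, so here they are as an added example for this page (not Cisco code). The KS names, addresses and priorities are constructed; they follow the KS 1 (50) to KS 4 (10) labels used on the partition and merge slides later in this section, and the partition/merge function reproduces what those slides show.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not Cisco code: a model of the COOP election rules listed
# above. KS names, addresses and priorities below are constructed; they follow
# the KS 1 (50) .. KS 4 (10) labels used on the later partition/merge slides.

@dataclass
class KeyServer:
    name: str
    address: str
    priority: int
    role: str = "secondary"   # "primary" or "secondary"

def _rank(ks):
    """Higher priority wins; on equal priority the higher IP address wins."""
    return (ks.priority, int(ipaddress.ip_address(ks.address)))

def elect_primary(servers):
    """Run one election among the KS'es that can see each other and return
    the Primary. Rules: a single existing Primary keeps its role (no
    preemption); with no Primary the highest-ranked KS is elected; with
    several Primaries (after a merge) the highest-ranked Primary wins and
    the others are demoted."""
    primaries = [ks for ks in servers if ks.role == "primary"]
    if len(primaries) == 1:
        return primaries[0]
    winner = max(primaries or servers, key=_rank)
    for ks in servers:
        ks.role = "primary" if ks is winner else "secondary"
    return winner

def simulate_partition_and_merge(side_a, side_b):
    """Elect on each side of a partition, then on the merged network.
    Returns the names of the Primaries of side A, side B and the merged network."""
    a = elect_primary(side_a).name
    b = elect_primary(side_b).name
    merged = elect_primary(side_a + side_b).name
    return a, b, merged

if __name__ == "__main__":
    ks1 = KeyServer("KS 1", "10.0.0.1", 50)
    ks2 = KeyServer("KS 2", "10.0.0.2", 10)
    ks3 = KeyServer("KS 3", "10.0.0.3", 30)
    ks4 = KeyServer("KS 4", "10.0.0.4", 10)
    print(elect_primary([ks1, ks2, ks3, ks4]).name)              # KS 1
    print(simulate_partition_and_merge([ks1, ks2], [ks3, ks4]))  # ('KS 1', 'KS 3', 'KS 1')
    print(ks3.role)                                               # secondary (demoted)
```

The no-preemption rule is the one worth remembering operationally: a high-priority KS that comes back after an outage does not take the Primary role back, so the KS that is Primary after a merge is the highest-priority one among the Primaries that existed, not necessarily the highest-priority KS in the network.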
Cooperative Key Servers (3)
Role of Primary KS
Cooperative Key Servers (3)
Registrations & Rekeys
(diagram: KS 3 and the other KS'es handling registrations from and rekeys to the GMs)
Scalability & Reliability
Recommendations:
- reliable KS identity for registration & COOP protocol (Loopback interface)
- all GM's that did not get a rekey must be able to re-register before TEK rollover
- diverse and reliable paths between all KS (30s)
- KS-to-KS COOP through out-of-band management network
Distribution of GM's:
- do not exceed KS capacity
- N+1 redundancy
Example:
- KS capacity = 1500 GM's
- total nodes = 3000 GM's
- 3 KS handle all GM's (2+1)
(diagram: Primary (50) and Secondary (40) each handling 1500 GM's, Backup (30); 30s re-registration window (*))
(*) timing depends on GM version
COOP Protocol Timers (For Your Reference)
Retransmit:
- number of retransmissions of announcement messages by Secondary before marking the Primary as dead (default: 2)
- switchover time for Secondary to become Primary: 30s + (2 x 30s) = 90s
(diagram: KS 1 (50) PRIMARY with KS 2 (10) and their GMs on one side; KS 3 (30) PRIMARY with KS 4 (10) and their GMs on the other)
Network Merge
(diagram: KS 1 (50) remains PRIMARY; KS 3 (30), previously PRIMARY, is DEMOTED; KS 2 (10), KS 4 (10) and the GMs; "REKEY NEEDED ?")
GM Synchronization Upon Merge
If TEK changed:
- Primary KS sends rekey to all GM's with merged TEK's
IKE Authentication & GDOI Authorization
IKE Authentication (For Your Reference)
PKI & PSK
ISAKMP Profile
Limitations
GDOI Authorization (1)
Address-Based
GDOI Authorization (2)
Certificate-Based
Multiple Groups & Virtualization
Multiple Groups on KS
(diagram: KS, GM, mgmt)
Multiple Groups on GM
(diagram: KS, GM, mgmt)
Virtualization
Reminder: VRF-aware IPsec

interface GigabitEthernet0/0
 ip vrf forwarding blue
 crypto map cmap
!
interface Tunnel1
 ip vrf forwarding purple
 tunnel source GigabitEthernet0/0
 tunnel protection ipsec profile vti
!
interface GigabitEthernet1/1
 ip vrf forwarding olive

(diagram: decryption into VRF purple (iVRF, LAN phy.ifc or VLAN) and into VRF olive (iVRF, LAN phy.ifc or VLAN))
GET VPN VRF-Awareness

Key Server:
- no VRF support (all in global)

Group Member (pre-15.0 & ASR1k):
- only VRF-lite supported
- iVRF = fVRF
- control plane VRF = data plane VRF
- crypto map on single interface
- each GDOI group in a single VRF

crypto map purple-map 10 gdoi
 set group purple
!
crypto map olive-map 10 gdoi
 set group olive
!
interface Ethernet0/0
 ip vrf forwarding purple
 crypto map purple-map
!
interface Ethernet0/1
 ip vrf forwarding olive
 crypto map olive-map

GM (since 15.0): VRF-aware GDOI
- separate VRF for control plane
- same crypto map on multiple ifcs
- same GDOI group in multiple VRFs

crypto map blue-map 10 gdoi
 set group blue
!
interface Ethernet0/0
 ip vrf forwarding purple
 crypto map blue-map
!
interface Ethernet0/1
 ip vrf forwarding green
 crypto map blue-map
VRF-aware GM (1)
Before IOS 15.0
GM (pre-15.0)

crypto gdoi group purple
 identity number 2
 server address ipv4 <KS>
!
crypto gdoi group olive
 identity number 3
 server address ipv4 <KS>
!
crypto map purple-map 10 gdoi
 set group purple
 match address except-purple
!
crypto map olive-map 10 gdoi
 set group olive
 match address except-olive
!
interface Ethernet0/0
 ip vrf forwarding purple
 crypto map purple-map
!
interface Ethernet0/1
 ip vrf forwarding olive
 crypto map olive-map

(diagram: LAN to WAN; VRF purple with its crypto ifc (purple-map) and its own GDOI session to the KS; VRF olive with its crypto ifc (olive-map) and its own GDOI session to the KS)
- 1 group per VRF
- 1 IKE SA per group
- 1 registration per group
- 1 rekey per group
VRF-aware GM (2)
IOS 15.0 and later: multiple groups, multiple VRFs
GM (15.0+)

crypto gdoi group purple
 ...
 client registration interface Lo0
!
crypto gdoi group olive
 ...
 client registration interface Lo0
!
crypto map purple-map 10 gdoi
 set group purple
!
crypto map olive-map 10 gdoi
 set group olive
!
interface Ethernet0/0
 ip vrf forwarding purple
 crypto map purple-map
!
interface Ethernet0/1
 ip vrf forwarding olive
 crypto map olive-map
!
interface Loopback0
 ip vrf forwarding mgmt

(diagram: LAN to WAN; crypto ifcs in VRF purple (purple-map) and VRF olive (olive-map); one GDOI ifc in VRF mgmt towards the KS, over which the rekeys arrive)
- 1 group per VRF
- 1 IKE SA per KS
- 1 registration per group
- 1 rekey per group
VRF-aware GM (3)
IOS 15.0 and later: shared group, multiple VRFs
GM (15.0+)

crypto gdoi group shared
 ...
 client registration interface Lo0
!
crypto map shared-map 10 gdoi
 set group shared
!
interface Ethernet0/0
 ip vrf forwarding purple
 crypto map shared-map
!
interface Ethernet0/1
 ip vrf forwarding olive
 crypto map shared-map
!
interface Loopback0
 ip vrf forwarding mgmt

(diagram: LAN to WAN; crypto ifcs in VRF purple and VRF olive both using shared-map; one GDOI ifc in VRF mgmt towards the KS, over which the rekey arrives)
NAT, Load Balancing & Fragmentation
NAT & NAT-Traversal
(diagram: where NAT is allowed and where it is not allowed with the shared group SA)
Front-end / back-end load balancing
- platform consolidation
(diagram: LB, IGP, several GMs behind the load balancer, IGP, LB)
Fragmentation (1)
After/Before Encryption
(diagram: an IP packet (IP | Payload) fragmented into IP#1 Pay.. and IP#2 ..load, either after encryption (IP | ESP | Payload) or before encryption, between GMs)
Fragmentation (2)
Configuration
Objective:
- fragment before encryption
- encrypt/decrypt IP fragments
- reassemble on destination host
Fragmentation avoidance:
- IP MTU: configure ip mtu on interface (100 bytes below minimum link MTU)
- TCP MSS: configure ip tcp adjust-mss on interface (20 bytes below IP MTU)

interface FastEthernet0/0
 description WAN interface
 ip mtu 1400
 crypto map getvpn-cmap
!
interface GigabitEthernet1/1
 description LAN interface
 ip tcp adjust-mss 1380
Fragmentation (3)
GM Constraints
Throughput limited by:
- physical link speed
- crypto engine capability
Packet forwarding metrics:
- PPS vs. Mbps
Impact of fragmentation:
- smaller packets: not optimal
(chart: Throughput (Mbps), compressed scale from 1 to 8,000, vs. Packet Size (74, 512, 1000, 1400 bytes) for ASR1000, 3945e and 3945; actual performances will vary)
IPv6 Support
GET VPN Management
Cisco Security Manager (CSM)
GET VPN Scalability & Positioning
KS Scalability (1)
GM Registrations
- Depends: rate
- Risks: IKE oversubscribed on KS; GM's cannot register on time
KS Scalability (2)
Configuration
COOP announcements:
- optimize huge buffers
- avoid 2nd-order fragmentation
Unicast rekeys:
- increase outbound hold-queue
- avoid 2nd-order fragmentation
- QoS to manage rekey/COOP burst
GM registrations:
- increase inbound hold-queue
- configure IKE Call Admission Control
Policy ACLs:
- global policy (KS): "permit" entries, symmetrical & aggregated
- local policy (GM): "deny" entries (all exceptions on GM)

buffers huge permanent 10
buffers huge size 65535
!
crypto call admission limit ike in-neg 50
!
ip access-list extended gdoi
 permit udp any eq 848 any eq 848
!
class-map match-all gdoi-packets
 match access-group gdoi
!
policy-map gdoi-shaper
 class gdoi-packets
  shape average <link-speed>
  shape max-buffers 4096
  set precedence 6
  fair-queue
  queue-limit 4096
!
interface <register-ifc>
 service-policy output gdoi-shaper
 hold-queue 4096 in
 hold-queue 4096 out
 ip mtu 1480
General Scalability (For Your Reference)
General scalability:
- with old registration timings: 3000 GM's total, 1000 GM's per KS
- with new registration timings: 5000 GM's total, 3000 GM's per KS
Platform numbers taken from Design & Implementation Guide (DIG) on cisco.com
- ISR-G2 numbers pending on new DIG to be published within the next months
(*) PKI scales the same as PSK, but has lower IKE setup rate
Positioning

                          FlexVPN
                          EzVPN                        DMVPN                         GET VPN
Infrastructure Network    Public Internet Transport    Public Internet Transport     Private IP Transport
Network Style             Hub-Spoke (Client)           Any-Any (Site-to-Site)        Any-Any (Site-to-Site)
Routing                   Reverse Route Injection      Dynamic on tunnels            Dynamic on IP WAN
Failover Redundancy       Stateful Hub Failover        Crypto Route Distribution     Route Distribution
                                                       Model                         Model + Stateful
Recommended Reading