Central Services Topology

> Question: Have also seen comments in forums like: The best practice for this Hub and Spoke is to use TWO VRF in Hub site – “From-Spoke” and “To-Spoke”

This is an immaterial implementation detail. Some shops do this because their automation system abstracts a VRF into a set of import/export statements: all spokes share one set and all hubs share a different set. Also, if you have a hub and a spoke on the same PE, you need two VRF names anyway; if not, a single name is fine, but it may be harder to automate, since the name does not imply the configuration.

ip vrf hubs
  route-target export 42:hubs
  route-target import 42:spokes
ip vrf spokes
  route-target export 42:spokes
  route-target import 42:hubs

The problem with this approach is that if you have more than one spoke on the same PE, they can communicate with each other, because they sit in the same VRF. To work around this you need a ‘half-duplex VRF’, where the ingress and egress RIB/FIB are different.

Packets coming from spokes are looked up in FibA; packets going to spokes are looked up in FibB. FibA has only routes to hubs, FibB has only routes to spokes.

ip vrf spokesIn
  route-target import 42:hubs
ip vrf spokesOut
  route-target export 42:spokes
ip vrf hubs
  route-target export 42:hubs
  route-target import 42:spokes

PE1:

int Spoke1
  ip vrf forwarding spokesIn downstream spokesOut
int Spoke2
  ip vrf forwarding spokesIn downstream spokesOut
int Hub1
  ip vrf forwarding hubs
int Hub2
  ip vrf forwarding hubs
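
To make the import/export rule concrete, here is an added Python model (not from the original post) of the two designs above. It computes each VRF's table on one PE from the route-target statements and then answers "can a packet arriving from spoke 1 reach spoke 2?" for both designs. The VRF and RT names are the post's; the three prefixes are constructed sample values, and `can_reach` is a stand-in for the ingress FIB lookup.

```python
# Added example, not from the original post: a toy model of route-target
# import/export that shows why two spokes on one PE can reach each other in the
# plain hubs/spokes design, and how a half-duplex VRF (separate ingress and
# egress tables) stops that. VRF and RT names follow the post; the prefixes
# are constructed sample values.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Vrf:
    name: str
    import_rts: Set[str] = field(default_factory=set)
    export_rts: Set[str] = field(default_factory=set)
    local: List[str] = field(default_factory=list)  # connected prefixes owned by this VRF


def build_tables(vrfs: Dict[str, Vrf]) -> Dict[str, Set[str]]:
    """Compute each VRF's routing table on one PE.

    A VRF holds its own connected prefixes plus every prefix advertised by
    another VRF whose export RTs intersect this VRF's import RTs, which is
    the BGP/MPLS VPN import rule the post's route-target lines express.
    """
    advertised = [(prefix, set(v.export_rts)) for v in vrfs.values() for prefix in v.local]
    tables: Dict[str, Set[str]] = {}
    for v in vrfs.values():
        table = set(v.local)
        for prefix, rts in advertised:
            if rts & v.import_rts:
                table.add(prefix)
        tables[v.name] = table
    return tables


def can_reach(tables: Dict[str, Set[str]], ingress_vrf: str, dst_prefix: str) -> bool:
    """Forwarding decision: a packet whose ingress lookup table is `ingress_vrf`
    is forwarded only if the destination prefix is present in that table."""
    return dst_prefix in tables[ingress_vrf]


HUB_NET, SPOKE1_NET, SPOKE2_NET = "10.0.0.0/24", "10.1.1.0/24", "10.1.2.0/24"  # constructed


def plain_design() -> Dict[str, Set[str]]:
    """First config in the post: one 'spokes' VRF shared by both spoke interfaces."""
    return build_tables({
        "hubs": Vrf("hubs", import_rts={"42:spokes"}, export_rts={"42:hubs"}, local=[HUB_NET]),
        "spokes": Vrf("spokes", import_rts={"42:hubs"}, export_rts={"42:spokes"},
                      local=[SPOKE1_NET, SPOKE2_NET]),
    })


def half_duplex_design() -> Dict[str, Set[str]]:
    """Second config: 'ip vrf forwarding spokesIn downstream spokesOut' places the
    spokes' connected routes in spokesOut (export only), while ingress lookups
    for spoke traffic use spokesIn (imports hub routes only)."""
    return build_tables({
        "hubs": Vrf("hubs", import_rts={"42:spokes"}, export_rts={"42:hubs"}, local=[HUB_NET]),
        "spokesIn": Vrf("spokesIn", import_rts={"42:hubs"}),
        "spokesOut": Vrf("spokesOut", export_rts={"42:spokes"}, local=[SPOKE1_NET, SPOKE2_NET]),
    })


if __name__ == "__main__":
    plain, hd = plain_design(), half_duplex_design()
    print("plain:   spoke1 -> spoke2:", can_reach(plain, "spokes", SPOKE2_NET))   # True
    print("plain:   spoke1 -> hub:   ", can_reach(plain, "spokes", HUB_NET))      # True
    print("half-dx: spoke1 -> spoke2:", can_reach(hd, "spokesIn", SPOKE2_NET))    # False
    print("half-dx: spoke1 -> hub:   ", can_reach(hd, "spokesIn", HUB_NET))       # True
    print("half-dx: hub    -> spoke1:", can_reach(hd, "hubs", SPOKE1_NET))        # True
```

The model deliberately ignores next hops and label allocation; the only thing it tracks is which prefixes end up in which table, which is exactly what decides spoke-to-spoke reachability on the shared PE.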

Cisco VTI IPsec

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-mt/sec-flex-vpn-15-mt-book/sec-cfg-ikev2-flex.pdf

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.pdf

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/xe-3s/sec-flex-vpn-xe-3s-book/sec-cfg-flex-serv.html#GUID-DB69AED1-1068-4700-B837-5F2967CCD9D2

https://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629.html

https://learningnetwork.cisco.com/thread/127085

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.html#GUID-334CA827-6CC6-4743-9DC8-D4F8F31F79B5

IOS security

no service call-home
no service config
no service dhcp
no service finger
no service old-slip-prompts
no service pad
service password-encryption
no service pt-vty-logging
service sequence-numbers
no service slave-log
no service tcp-keepalives-in
no service tcp-keepalives-out
no service tcp-small-servers
no service telnet-zeroidle
service timestamps
no service udp-small-servers
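
As an added example (not part of the page), the following Python script audits a running-config against the service baseline above and reports what differs. The baseline text is the list above; the running-config is a constructed sample. It treats a service absent from the config as disabled, because IOS only prints a `service` line when the feature is on or differs from its default, so this is a best-effort check against `show running-config` output rather than a substitute for `show running-config all`.

```python
# Added example, not from the original page: audit a running-config against
# the service-hardening baseline listed above. The baseline lines are the
# page's; the running-config below is a constructed sample.
from typing import List, Tuple

BASELINE = """\
no service call-home
no service config
no service dhcp
no service finger
no service old-slip-prompts
no service pad
service password-encryption
no service pt-vty-logging
service sequence-numbers
no service slave-log
no service tcp-keepalives-in
no service tcp-keepalives-out
no service tcp-small-servers
no service telnet-zeroidle
service timestamps
no service udp-small-servers
"""

# Constructed sample of 'show running-config' output (only the relevant lines).
RUNNING_CONFIG = """\
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec localtime
service tcp-keepalives-in
service password-encryption
no service pad
service dhcp
!
hostname pe1
"""


def enabled_services(running: str) -> set:
    """Names of 'service <name> ...' features present in the config.

    A feature absent from the config is treated as disabled; lines that start
    with 'no service' do not count as enabled.
    """
    names = set()
    for line in running.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0] == "service":
            names.add(tokens[1])
    return names


def audit(baseline: str, running: str) -> List[Tuple[str, str]]:
    """Return (service, problem) pairs in baseline order.

    problem is 'enabled' for a service the baseline disables but the config
    enables, or 'missing' for one the baseline requires but the config lacks.
    """
    present = enabled_services(running)
    findings = []
    for line in baseline.splitlines():
        tokens = line.split()
        if tokens[:2] == ["no", "service"]:
            name = tokens[2]
            if name in present:
                findings.append((name, "enabled"))
        elif tokens[:1] == ["service"]:
            name = tokens[1]
            if name not in present:
                findings.append((name, "missing"))
    return findings


if __name__ == "__main__":
    for name, problem in audit(BASELINE, RUNNING_CONFIG):
        fix = f"no service {name}" if problem == "enabled" else f"service {name}"
        print(f"{name}: {problem} -> apply '{fix}'")
```

Run against the sample it reports `dhcp` and `tcp-keepalives-in` as enabled and `sequence-numbers` as missing; the three remediation lines it prints are exactly the baseline lines that were not in effect.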

Cisco Radius VSA

FreeRadius : https://freeradius.org/rfc/rfc2865.html

RADIUS Attributes : https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-2/bng/configuration/guide/b_bng_cg42asr9k/b_bng_cg42asr9k_appendix_01000.pdf

ASR9k VSA : https://supportforums.cisco.com/t5/service-providers-documents/asr9000-xr-bng-vsa-s-vendor-specific-attributes-and-services/ta-p/3141601

Matching EXP bits in ME3600

For anyone else in the future who may be experiencing a similar issue:

Problem turned out to be QoS ACL matching conditions. Docs here state:

http://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/15-5_1_S/configuration/guide/3800x3600xscg/swqos.html

“Not all IP ACL options are supported in QoS ACLs. Only these protocols are supported for permit actions in an IP ACL: TCP, and UDP

Although you can configure many options in ACLs, only some are supported for QoS ACLs.

For permit protocol , the supported keywords are: tcp , and udp .
For source and destination address, the supported entries are ip-address , any , or host .
For match criteria, the supported keywords are dscp or tos . You can also specify a time-range.”

I ended up having to modify the ACLs to only match on IP and remove the ICMP ACE and it works.

Working on ME3600X-24FS on 15.4(3)S6a and I am testing out a very simple QoS policy and it’s not working. Here’s my config:

class-map match-all ING-EF-CLASS
match access-group name EF-CLASS-ACL
class-map match-all ING-EF-CLASS-EXP
match mpls experimental topmost 5
!
ip access-list extended EF-CLASS-ACL
permit udp any any dscp ef
permit udp any any dscp cs5
permit udp any any precedence critical
permit icmp any any dscp ef
deny ip any any
!
policy-map ING-UPLINK
class ING-EF-CLASS
set ip dscp ef
class ING-EF-CLASS-EXP
set mpls experimental topmost 5
!
interface GigabitEthernet0/24
no switchport
mtu 9800
ip address 10.0.10.2 255.255.255.252
ip mtu 9100
ip router isis
mpls ip
mpls mtu 9100
service-policy input ING-UPLINK
It seems that every packet on the wire is matching the class ‘ING-EF-CLASS-EXP’:
ME3600X#sh policy-map interface
GigabitEthernet0/24
Service-policy input: ING-UPLINK
Class-map: ING-EF-CLASS (match-all)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: access-group name EF-CLASS-ACL
set dscp 46
Class-map: ING-EF-CLASS-EXP (match-all)
1710 packets, 175484 bytes
30 second offered rate 1000 bps, drop rate 0000 bps
Match: mpls experimental topmost 5
set mpls exp topmost 5
Class-map: class-default (match-any)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: any
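
The restrictions quoted from the configuration guide can be checked before a policy is applied. This is an added Python lint, not code from the thread, that parses an extended ACL and flags permit ACEs a QoS class-map on the ME3600X cannot match: protocols other than tcp/udp, and match keywords other than dscp, tos or time-range. The sample ACL is EF-CLASS-ACL from the post. Port operators (eq, range, ...) are skipped rather than flagged, which is an assumption of the parser, since the quoted excerpt does not mention them.

```python
# Added example, not from the original thread: lint an IOS extended ACL against
# the QoS ACL restrictions quoted from the ME3600X configuration guide
# (permit protocols tcp/udp only; addresses as ip-address, any or host; match
# criteria dscp or tos, optionally a time-range). Sample ACL is from the post.
from typing import List, Tuple

SUPPORTED_PROTOCOLS = {"tcp", "udp"}
SUPPORTED_MATCH = {"dscp", "tos", "time-range"}   # each takes exactly one argument
PORT_OPERATORS = {"eq": 2, "neq": 2, "lt": 2, "gt": 2, "range": 3}  # tokens consumed

EF_CLASS_ACL = """\
ip access-list extended EF-CLASS-ACL
permit udp any any dscp ef
permit udp any any dscp cs5
permit udp any any precedence critical
permit icmp any any dscp ef
deny ip any any
"""


def _consume_address(tokens: List[str], i: int) -> int:
    """Skip one source/destination specification starting at tokens[i] and
    return the index after it (and after any port operator that follows)."""
    if i >= len(tokens):
        return i
    if tokens[i] == "any":
        i += 1
    elif tokens[i] == "host":
        i += 2                                   # host A.B.C.D
    else:
        i += 2                                   # A.B.C.D wildcard
    if i < len(tokens) and tokens[i] in PORT_OPERATORS:
        # Assumption: port operators are passed through unchecked, because the
        # quoted guide excerpt does not say whether QoS ACLs honour them.
        i += PORT_OPERATORS[tokens[i]]
    return i


def lint_qos_acl(acl_text: str) -> List[Tuple[str, str]]:
    """Return (ace, reason) pairs for permit ACEs a QoS class-map cannot match.

    Only permit ACEs are examined; the quoted guide restricts permit actions.
    """
    findings = []
    for raw in acl_text.splitlines():
        line = raw.strip()
        tokens = line.split()
        if not tokens or tokens[0] != "permit":
            continue
        if len(tokens) < 2:
            findings.append((line, "incomplete ACE"))
            continue
        protocol = tokens[1]
        if protocol not in SUPPORTED_PROTOCOLS:
            findings.append((line, f"protocol '{protocol}' not supported in QoS ACLs (tcp/udp only)"))
            continue
        i = _consume_address(tokens, 2)             # source
        i = _consume_address(tokens, i)             # destination
        while i < len(tokens):
            keyword = tokens[i]
            if keyword in SUPPORTED_MATCH:
                i += 2
            else:
                findings.append((line, f"match keyword '{keyword}' not supported (use dscp or tos)"))
                break
    return findings


if __name__ == "__main__":
    for ace, reason in lint_qos_acl(EF_CLASS_ACL):
        print(f"{ace!r}: {reason}")
```

On the post's ACL the lint reports the `permit icmp` ACE the poster had to remove, and also the `precedence critical` ACE, because the quoted list of supported match keywords contains only dscp and tos.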

Cisco, NBAR2 Live Updates

Protocol Pack 30 is now available on CCO!

Please Note: minimal required release for protocol pack 28 and up is now:
IOS XE 3.16.4bS Version 15.5(3)Sb4, IOS 15.5(3)M4a.

So- what is new, you ask?

Brand new protocol support:
Splunk: platform for collecting and analyzing machine-generated big data; Google-Downloads: Google downloads and updates services
Webex-Control: WebEx protocol control and signaling traffic
Web-Analytics: web and mobile analytics and customer engagement platforms.
Office 365 updates.
For 3.16.4 users: introduced granular app detection over QUIC.
Added support for Wifi-Calling on specific operators.
Various improvements and identification enhancements: Gmail, Crashplan, Mysql, Microsoft-SMS, NTP, Teamspeak.
A bunch of bug fixes; see the full list on the documentation page.
And obviously all of the PP 28.0 and 29.0 content we released in the last months:
Cisco IPA-SLA (Internet Protocol Service Level Agreement) recognition.
IKE version 2 support.
Strengthening of Vmware-vSphere, Webex-meeting, Ms-SMS, Cisco-Spark, Acano and Apple cloud apps detection.
For 3.16.4 IOS-XE / 15.5(3)M4a IOS users: integrated SIP and DNS-SRV engine updates. Newer versions of the engines significantly improve media session, audio-video separation and services detection.
We want to hear what you think!
Got anything you want to share with us? Let us know. We want to hear what you need, what works great for you and what we could do even better. Reply to this email, we’ll take it from there…

Check it out on Cisco.com software download page

https://software.cisco.com/download/navigator.html
