Tuesday, September 22, 2015

MacSec over OTV (on VxLAN) + QoS

Cisco IOS-XE does not support MACsec encryption across a Layer 3 backbone. I mean, that is what IPsec is for, right? MACsec (IEEE 802.1AE) is hop-by-hop Layer 2 encryption, plain and simple.

OTV and VXLAN are both Layer 2 extension protocols that run across a Layer 3 backbone, which means, in effect, a direct cable between your data center in LA and your data centre in Bangalore, but using the Internet. :-)

That is exactly what the configs below exploit. The two PE routers bridge VLAN 10 into VXLAN VNI 5010, so 1RU_H and 1RU_D see each other as Layer 2 neighbours on 10.3.1.0/24 and run MKA/MACsec between themselves over that VXLAN "cable" (neither PE has any MACsec config; they only bridge the frames). The MACsec-protected sub-interface is also the OTV join interface, so the OTV overlay for VLAN 400, and everything inside it, crosses the backbone encrypted. Three details make this work. First, macsec dot1q-in-clear 1 on the physical link leaves the outer 802.1Q tag unencrypted, so the PE can still match encapsulation dot1q 10 and read the CoS bits; it appears only under 1RU_D's TenGigabitEthernet0/0/1 below (the 1RU_H physical interface is not shown) and it must be configured identically on both ends. Second, eapol destination-address broadcast-address sends the MKA key-agreement frames to the broadcast MAC instead of the default EAPoL group address, which the provider's bridges would not forward. Third, the qos-group/CoS policy-maps re-mark CoS 5 on the MACsec-protected egress; note that policy-map cos, which classifies CoS 5 into qos-group 1, is defined on both routers but not attached to any interface in the configs as shown. The key chain holds the pre-shared CAK (the key-string, 32 hex digits = 128 bits for aes-128-cmac) and CKN (the key ID); the all-digits key-string here is a lab placeholder, so use a random value (openssl rand -hex 16) in production and make sure CAK and CKN are identical on both ends, otherwise MKA never comes up.



1RU_H router config:

otv site bridge-domain 501
otv site-identifier 0000.0000.0501
!
key chain k1 macsec
 key 01
   cryptographic-algorithm aes-128-cmac
   key-string 12345678901234567890123456789012
!
class-map match-all costest
 match qos-group 1
class-map match-all cos
 match cos  5
!
policy-map cos
 class cos
  set qos-group 1
policy-map costest
 class costest
  set cos 5
!
!
interface Overlay400
 no ip address
 otv join-interface TenGigabitEthernet0/0/1.10
 otv use-adjacency-server 10.3.1.2 unicast-only
 no otv isis hello padding always
 service instance 400 ethernet
  encapsulation dot1q 400
  bridge-domain 400
 !
interface TenGigabitEthernet0/0/0
 description " CONNECTED TO LOCAL LAN "
 no ip address
 cdp enable
 service instance 400 ethernet
  encapsulation dot1q 400
  bridge-domain 400
!
 service instance 501 ethernet
  encapsulation dot1q 501
  bridge-domain 501
!
interface TenGigabitEthernet0/0/0.1
 encapsulation dot1Q 1 native
 ip address 108.0.1.1 255.255.255.0
 ip pim dense-mode
!
interface TenGigabitEthernet0/0/1.10
 encapsulation dot1Q 10
 ip address 10.3.1.1 255.255.255.0
 ip mtu 1468
 ip pim sparse-dense-mode
 ip ospf 501 area 400
 eapol destination-address broadcast-address
 mka pre-shared-key key-chain k1
 macsec
 service-policy input costest
!
ip route 107.0.1.0 255.255.255.0 TenGigabitEthernet0/0/1.10 10.3.1.2     ! 1RU_D's LAN on Te0/0/0.1; the original 107.0.0.0/24 did not cover 107.0.1.0/24, and the next-hop avoids relying on proxy ARP




PE router config (both PE routers carry the same VXLAN config apart from their loopback addresses; IGP/BGP reachability between the loopbacks must already be in place):

bridge-domain 1
 member vni 5010
 member TenGigabitEthernet0/2/0 service-instance 1
!
interface Loopback1
 ip address 11.11.11.1 255.255.255.255
!
interface nve1
 no ip address
 member vni 5010
  ingress-replication 22.22.22.1                   ! Loopback 1 address of other PE router
 !
 source-interface Loopback1
!
interface TenGigabitEthernet0/2/0
 no ip address
 service instance 1 ethernet
  encapsulation dot1q 10
  rewrite ingress tag pop 1 symmetric         ! remove this if the CE routers rely on 802.1Q CoS marking: popping the tag discards the CoS bits
!


1RU_D router config:

otv site bridge-domain 500
otv site-identifier 0000.0000.0500
!
key chain k1 macsec
 key 01
   cryptographic-algorithm aes-128-cmac
   key-string 12345678901234567890123456789012
!
class-map match-all costest
 match qos-group 1
class-map match-all cos
 match cos  5
!
policy-map cos
 class cos
  set qos-group 1
policy-map costest
 class costest
  set cos 5
!
interface Overlay400
 no ip address
 otv join-interface TenGigabitEthernet0/0/1.10
 otv adjacency-server unicast-only
 no otv isis hello padding always
 service instance 400 ethernet
  encapsulation dot1q 400
  bridge-domain 400
!
!
interface TenGigabitEthernet0/0/0
 description " CONNECTED TO SPIRENT CARD 3 PORT DOWN "
 no ip address
 cdp enable
 service instance 400 ethernet
  encapsulation dot1q 400
  bridge-domain 400
 !
 service instance 500 ethernet
  encapsulation dot1q 500
  bridge-domain 500
!
interface TenGigabitEthernet0/0/0.1
 encapsulation dot1Q 1 native
 ip address 107.0.1.1 255.255.255.0
 ip pim sparse-dense-mode
 ip igmp join-group 239.0.0.1
!
interface TenGigabitEthernet0/0/1
 no ip address
 macsec dot1q-in-clear 1
!
interface TenGigabitEthernet0/0/1.10
 encapsulation dot1Q 10
 ip address 10.3.1.2 255.255.255.0
 ip mtu 1468
 ip pim sparse-dense-mode
 ip ospf 500 area 400
 eapol destination-address broadcast-address
 mka pre-shared-key key-chain k1
 macsec
 service-policy output costest
!
ip route 108.0.1.0 255.255.255.0 TenGigabitEthernet0/0/1.10 10.3.1.1     ! 1RU_H's LAN on Te0/0/0.1; the original 108.0.0.0/24 did not cover 108.0.1.0/24, and the next-hop avoids relying on proxy ARP
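What the key chain actually feeds into: MKA never puts the pre-shared key on the wire. The key-string is the CAK and the key ID is the CKN, and from those each peer derives a KEK (which wraps the per-session SAK that 802.1AE then encrypts the data frames with) and an ICK (the integrity key over the MKPDUs sent to the broadcast address above), using the AES-CMAC based KDF of IEEE 802.1X-2010. The Go program below is an added example written for this post, not Cisco code and not part of the original post; it implements AES-CMAC (RFC 4493) and that KDF and derives the KEK/ICK for key chain k1 as written. The CKN and CAK values are the post's; the 16-octet CKN truncation and CAK-sized KEK/ICK follow my reading of 802.1X-2010 9.3.3.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// doubleBlock is the RFC 4493 subkey step: shift left one bit, XOR 0x87 if a bit fell out.
func doubleBlock(in []byte) []byte {
	out := make([]byte, 16)
	for i, carry := 15, byte(0); i >= 0; i-- {
		out[i], carry = in[i]<<1|carry, in[i]>>7
	}
	if in[0]&0x80 != 0 {
		out[15] ^= 0x87
	}
	return out
}

func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

// AESCMAC computes AES-CMAC (RFC 4493); aes.NewCipher rejects keys that are not 16/24/32 bytes.
func AESCMAC(key, msg []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	l := make([]byte, 16)
	blk.Encrypt(l, l) // L = AES_K(0^128)
	k1 := doubleBlock(l)
	k2 := doubleBlock(k1)
	n := (len(msg) + 15) / 16
	if n == 0 {
		n = 1
	}
	last := make([]byte, 16)
	copy(last, msg[(n-1)*16:])
	if len(msg) > 0 && len(msg)%16 == 0 {
		xorInto(last, k1) // complete final block
	} else {
		last[len(msg)%16] = 0x80 // 10...0 padding, then K2
		xorInto(last, k2)
	}
	x := make([]byte, 16) // CBC-MAC chain over all but the final block
	for i := 0; i < n-1; i++ {
		xorInto(x, msg[i*16:(i+1)*16])
		blk.Encrypt(x, x)
	}
	xorInto(x, last)
	blk.Encrypt(x, x)
	return x, nil
}

// KDF is the IEEE 802.1X-2010 6.2.1 key derivation function with AES-CMAC as the
// PRF: output block i is CMAC(key, i || label || 0x00 || context || length), with i
// a single octet counting from 1 and length the requested size in bits, two octets.
func KDF(key []byte, label string, context []byte, lengthBits int) ([]byte, error) {
	var out []byte
	for i := 1; i <= (lengthBits+127)/128; i++ {
		in := append([]byte{byte(i)}, label...)
		in = append(in, 0x00)
		in = append(in, context...)
		in = append(in, byte(lengthBits>>8), byte(lengthBits))
		b, err := AESCMAC(key, in)
		if err != nil {
			return nil, err
		}
		out = append(out, b...)
	}
	return out[:lengthBits/8], nil
}

// DeriveMKAKeys derives KEK and ICK from a pre-shared CAK/CKN pair as MKA does (802.1X-2010
// 9.3.3): context is the first 16 octets of the CKN (my reading), both keys are CAK-sized.
func DeriveMKAKeys(ckn, cak []byte) (kek, ick []byte, err error) {
	if len(ckn) > 16 {
		ckn = ckn[:16]
	}
	if kek, err = KDF(cak, "IEEE8021 KEK", ckn, len(cak)*8); err != nil {
		return nil, nil, err
	}
	if ick, err = KDF(cak, "IEEE8021 ICK", ckn, len(cak)*8); err != nil {
		return nil, nil, err
	}
	return kek, ick, nil
}

func main() {
	ckn, _ := hex.DecodeString("01")                               // key 01 in key chain k1 is the CKN
	cak, _ := hex.DecodeString("12345678901234567890123456789012") // key-string is the 128-bit CAK
	kek, ick, err := DeriveMKAKeys(ckn, cak)
	fmt.Printf("KEK %x\nICK %x\nerr %v\n", kek, ick, err)
}
```

Two practical consequences follow from the derivation. Both ends must hold the identical CAK and CKN, because a different CKN or CAK gives a different ICK and every MKPDU then fails the integrity check: no MKA session, no SAK, no traffic. And the CAK is the long-lived secret everything hangs off, so a random key-string beats the lab placeholder; a key-string that is not 32 (aes-128-cmac) or 64 (aes-256-cmac) hex digits is rejected here, as the key chain would reject it.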

Saturday, November 15, 2014

CCIE Study : IGP Summary Default Metric

A lot of confusion arises from the default metric OSPF uses when an ABR summarizes routes. This post consolidates some documents I found on the internet.






According to the post linked above, everything by default uses the lowest IGP metric of all the component (subordinate) routes, except OSPFv3. That is the behaviour observed on Cisco routers by default, and it is where the confusion arises: RFC 2328 says OSPF should use the highest metric of all the component routes for the summary route. I found an explanation for this behaviour (copied directly from Cisco's website):

 RFC 1583 called for calculating the metric for summary routes based on the minimum metric of the component paths available. RFC 2178 (now obsoleted by RFC 2328) changed the specified method for calculating metrics for summary routes so the component of the summary with the maximum (or largest) cost would determine the cost of the summary.
 Prior to IOS 12.0, Cisco was compliant with the then-current RFC 1583. As of IOS 12.0, Cisco changed the behavior of OSPF to be compliant with the new standard, RFC 2328. This situation created the possibility of sub-optimal routing if all of the ABRs in an area were not upgraded to the new code at the same time. In order to address this potential problem, a command has been added to the OSPF configuration of Cisco IOS that allows you to selectively disable compatibility with RFC 2328. The new configuration command is under router ospf, and has the following syntax:
 [no] compatible rfc1583

So for OSPFv2, Cisco IOS still follows the older RFC 1583 by default (compatible rfc1583 is on unless you turn it off), which is why the summary gets the lowest component metric; no compatible rfc1583 under router ospf gives you the RFC 2328 behaviour, the highest component metric. Whichever you choose, set it identically on every ABR: as the Cisco note above says, ABRs that disagree on the method advertise summary costs that are not comparable, and you get sub-optimal routing.
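To see why the Cisco note talks about sub-optimal routing when ABRs do not agree, here is a small added example (mine, not from the post or from any Cisco document) that models a backbone router choosing between two ABRs that summarize the same area. The backbone router only sees each ABR's summary-LSA cost, so it picks the ABR with the lowest cost-to-ABR plus advertised cost and sends traffic for the whole range that way. The topology, prefixes and costs are constructed for the illustration.

```go
package main

import "fmt"

// SummaryMode is how an ABR derives the cost of an inter-area summary route
// from the intra-area costs of the component routes it covers.
type SummaryMode int

const (
	RFC1583 SummaryMode = iota // lowest component cost (Cisco IOS default: compatible rfc1583)
	RFC2328                    // highest component cost (no compatible rfc1583)
)

func (m SummaryMode) String() string {
	if m == RFC1583 {
		return "RFC1583"
	}
	return "RFC2328"
}

// SummaryCost returns the metric the ABR advertises in its summary-LSA for the range.
func SummaryCost(components map[string]int, mode SummaryMode) int {
	cost := -1
	for _, c := range components {
		if cost < 0 || (mode == RFC1583 && c < cost) || (mode == RFC2328 && c > cost) {
			cost = c
		}
	}
	return cost
}

// ABR is an area border router as a backbone router sees it: the backbone
// router's cost to reach the ABR, the ABR's own intra-area cost to each
// component prefix, and which RFC the ABR follows when it summarizes.
type ABR struct {
	Name         string
	BackboneCost int
	Components   map[string]int
	Mode         SummaryMode
}

// advertised is all the backbone router can add up for an ABR: its cost to the
// ABR plus the summary cost the ABR advertises. The component costs are hidden.
func advertised(a ABR) int { return a.BackboneCost + SummaryCost(a.Components, a.Mode) }

// Result of the backbone router's choice for the summarized range.
type Result struct {
	Via    string         // ABR chosen for the whole range
	Actual map[string]int // real end-to-end cost per component prefix via that ABR
	Best   map[string]int // cost via whichever ABR is really closest to each prefix
}

// ChooseABR picks the ABR with the lowest advertised total (first one on ties),
// then compares the resulting per-prefix cost with the best path available.
func ChooseABR(abrs []ABR) Result {
	chosen := 0
	for i := range abrs {
		if advertised(abrs[i]) < advertised(abrs[chosen]) {
			chosen = i
		}
	}
	r := Result{Via: abrs[chosen].Name, Actual: map[string]int{}, Best: map[string]int{}}
	for prefix, c := range abrs[chosen].Components {
		r.Actual[prefix] = abrs[chosen].BackboneCost + c
		r.Best[prefix] = r.Actual[prefix]
		for _, a := range abrs {
			if c2, ok := a.Components[prefix]; ok && a.BackboneCost+c2 < r.Best[prefix] {
				r.Best[prefix] = a.BackboneCost + c2
			}
		}
	}
	return r
}

// Scenario is a constructed topology: area 1 holds two prefixes; ABR A is close to
// the first and far from the second, ABR B is at cost 20 from both, and the
// backbone router is at cost 1 from either ABR.
func Scenario(modeA, modeB SummaryMode) Result {
	return ChooseABR([]ABR{
		{"A", 1, map[string]int{"10.1.1.0/24": 10, "10.1.2.0/24": 100}, modeA},
		{"B", 1, map[string]int{"10.1.1.0/24": 20, "10.1.2.0/24": 20}, modeB},
	})
}

func main() {
	for _, m := range [][2]SummaryMode{{RFC1583, RFC1583}, {RFC2328, RFC2328}, {RFC1583, RFC2328}} {
		r := Scenario(m[0], m[1])
		fmt.Printf("A=%s B=%s -> via %s  actual=%v  best=%v\n", m[0], m[1], r.Via, r.Actual, r.Best)
	}
}
```

With both ABRs on RFC 2328 (highest), B is chosen and 10.1.2.0/24 is reached at cost 21, the best available, while 10.1.1.0/24 pays 21 instead of 11. With both on RFC 1583 (lowest), A is chosen and traffic to 10.1.2.0/24 pays 101 instead of 21. Neither method removes the cost of summarizing; what they do is make every ABR's number mean the same thing. Mix them and the backbone router compares a minimum against a maximum: in this scenario the RFC 1583 ABR wins whichever one it is, so which ABR carries the range stops being related to where the traffic actually ends up, which is the sub-optimal routing the Cisco note warns about.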