V3PN: Redundancy and Load Sharing Design Guide - Small BranchCable with DSL Backup [Design Zone for IPv6]

Table Of Contents

Small Branch—Cable with DSL Backup

Solution Characteristics

Topology

Failover/Recovery Time

Temporary Failure with Service Restoration

Failure of Primary Path—Recovery over Backup Path

Routing Topology Following Network Recovery

V3PN QoS Service Policy

Performance Results

Implementation and Configuration

Remote Router SAA and Tracking Configuration

Head-end SAA Target

IPSec Head-end Routers

Backup IPSec Peer

Primary IPSec Peers

Remote Router

Show Commands

Cisco IOS Versions Tested

Summary

Small Branch—Cable with DSL Backup

This chapter includes the following sections:

•Solution Characteristics

•Topology

•Failover/Recovery Time

•V3PN QoS Service Policy

•Performance Results

•Implementation and Configuration

•Cisco IOS Versions Tested

•Summary

As enterprise customers begin to deploy IP telephony using broadband as the access media to the small office environment, backup links are required to minimize service disruption. In existing Frame Relay deployments, ISDN was the preferred choice as a dial backup mechanism because it offered sufficient bandwidth, was relatively cost effective, and offered a different technology as the underlying media.

Using different technologies for the primary and backup links isolates the enterprise from the catastrophic failure of one technology taking down both the primary and backup links. Examples of this are the notable Frame Relay failures that were manifest in the total collapse of these networks in the late 1990s. The enterprises that were least impacted by these service outages were those that used ISDN as their backup mechanism. The human and software errors that caused the Frame Relay failures did not impact the ISDN network.

Applying this concept of using alternate technologies to provide backup to the small office, the natural conclusion is to deploy both DSL and cable, as shown in Figure 3-1.

Figure 3-1 DSL with Cable Backup Topology

A small office is likely to have at least one or more "plain old telephone service" (POTS) lines anyway, and enabling one for DSL service adds approximately $50 USD a month. A cable-provided Internet service costs approximately $50 USD a month in addition to a basic cable service if required. A side benefit is cable TV in the employee lounge. Using the Raleigh-Durham, North Carolina market as an example, the small office has available to it a 256-kbps uplink via DSL and 384-kbps uplink via cable for approximately $100 USD a month.

A degree of ISP separation is also present in addition to the alternate technologies of DSL and cable at the local loop. It is likely that the DSL and cable providers connect to different Tier 2 ISPs that in turn likely connect to multiple Tier 1 ISPs. If the head-end Internet connection uses multiple Tier 1 ISPs, the branch offices are isolated to some extent from service disruptions within a particular ISP. Alternately, the enterprise can consider connecting directly to either the IP network of the cable or DSL provider, or to the Tier 2 ISP servicing the broadband provider.

Solution Characteristics

This deployment scenario is applicable to small branch offices that have the following connectivity characteristics:

•Low recurring costs for WAN access

•Desire to use alternate technologies for primary and backup path

•No multiprotocol or IP multicast requirements

•A highly-scalable, redundant, and cost effective head-end IPSec termination

•Encryption required for both primary and backup link

The Reliable Static Routing Backup Using Object Tracking feature is used to trigger a backup connection (in these examples using a cable modem) to be initiated by the remote customer premises equipment (CPE) in scenarios where only static routes are used. Both cable and DSL deployments rely on static routes to reach the service provider as a next hop address.

This feature allows a target to be identified and pinged or probed using Cisco Service Assurance Agent (SAA) over the primary interface. In this example, it is a Cisco IOS router at the head-end location that is reachable only through the IPSec tunnel.

If the pings/probes fail, the static route for the primary path is removed from the routing table, allowing a static route with a higher administrative distance to be inserted into the routing table as an alternate default route. The pings/probes continue to be attempted over the primary interface. If they are successful again, the connection is re-established over the primary interface.

Topology

The topology shown in Figure 3-2 is used as an example. The routers are named as follows:

•IPSec primary head-end routers—vpnjk-2600-8 and vpnjk-2600-9

•IPSec backup path head-end router—vpn-jk2-2691

•Head-end SAA target router—vpnjk-2600-23

•Remote router—vpnjk-1751-1

Figure 3-2 Test Topology—Cable with DSL Backup

This design uses the Cisco IOS feature, Reliable Static Routing Backup Using Object Tracking, to verify connectivity with SAA probes originating from the inside Ethernet LAN address of the remote router through the IPSec tunnel that traverses the DSL provider to the IPSec head-end routers. The SAA probe packets are encrypted and forwarded to the head-end SAA target router. The probe responses follow the return path and the SAA control plane follows the same path as the probe packets.

This configuration provides a backup path over the DSL service provider if the primary path over the cable service provider fails. Connectivity failures of the SAA probes trigger the use of the backup path.

Failover/Recovery Time

This section shows examples of a temporary failure that causes packet loss but recovers before the backup path is activated. The second example illustrates a failure of the primary path of sufficient duration to trigger the use of the backup link.

This section includes the following topics:

•Temporary Failure with Service Restoration

•Failure of Primary Path—Recovery over Backup Path

•Routing Topology Following Network Recovery

Temporary Failure with Service Restoration

An issue associated with on-demand backup links is how to avoid triggering use of the backup path for very short connectivity failures through the primary path. With a keepalive protocol, the network administrator is generally able to configure a keepalive interval and a dead interval. The dead interval effectively controls how many consecutive keepalives are missed before declaring the primary path down.

With the Reliable Static Routing Backup Using Object Tracking feature, the dead interval is controlled by the delay down command within the track statement and the hello interval is configured by the frequency command within the rtr statement. As an illustration, these values are set at 60 and 20 seconds respectively. The IKE keepalive value is 10 seconds with a default of 2 seconds between retries following initial failure.

The following captured commands show the sequence of events and time for a simulated brief link flap for the connection between the network of the broadband service provider network and their ISP.

Here the ISP link fails at 13:26:28:
Dec 19 13:26:28.265 est: %ATM-5-UPDOWN: Interface ATM1/IMA0.1, Changing autovc .
Dec 19 13:26:28.269 est: %BGP-5-ADJCHANGE: neighbor 192.168.129.26 Down Interfap
The IKE keepalives identified the failure at 13:26:51 or approximately 23 seconds later. IKE attempts to contact the secondary peer, assuming an IPSec head-end failure.
vpnjk-1751-1#
Dec 19 13:26:51.422 est: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN.  Peer 
192.168.131.8:500       Id: vpnjk-2600-8.ese.cisco.com
With debug track, you can see that the tracking logic has identified a connection failure of the SAA configuration but delays action for 60 seconds. This is 27 seconds from the original link failure.
Dec 19 13:26:55.074 est: Track: 123 Down change delayed for 60 secs
At this point, the original link failure has recovered; this is one minute from the initial link failure.
Dec 19 13:26:53.795 est: %ATM-5-UPDOWN: Interface ATM1/IMA0.1, Changing autovc .
Dec 19 13:27:28.156 est: %BGP-5-ADJCHANGE: neighbor 192.168.129.26 Up 
At this point, the IPSec tunnel has been re-established; however, the new tunnel is with the secondary IPSec head end, vpnjk-2600-9.ese.cisco.com, and the initial IPSec tunnel was with the primary IPSec head-end, vpnjk-2600-8.ese.cisco.com.
Dec 19 13:27:41.754 est: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than 
(2000)msecs (0/0),process = Crypto IKMP.
-Traceback= 802971E8 80294574 8129E55C 81295D6C 81294760 81294304 812906D0 812635A8 
812869FC 81263EC4 8125F278 8125D9F0 8127F120 81 
Dec 19 13:27:42.274 est: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  .  Peer 
192.168.131.9:500       Id: vpnjk-2600-9.ese.cisco.com
With connectivity established, the SAA UDP probe was successful and the action was aborted. This event occurred 9 seconds before the 60 second track delay expired.
Dec 19 13:27:46.894 est: Track: 123 Down change delay cancelled
At this point, all connectivity has been restored. The only change was a swap of the IPSec tunnel from the primary to the secondary head-end during the brief failure. The IKE keepalive values can be increased if needed. However, recall that the SAA probes are encrypted and require the IPSec tunnel to reach the head-end SAA router.

Failure of Primary Path—Recovery over Backup Path

The following example shows the backup path being activated. First, a failure in the network of the ISP disrupts connectivity.
Jan 30 16:37:40.738 est: %BGP-5-ADJCHANGE: neighbor 192.168.129.29 Down Interface flap
Jan 30 16:37:42.733 est: %LINK-5-CHANGED: Interface Serial0/0, changed state to down
Approximately 39 seconds from the ISP link failure, the tracking logic has identified the failure.
vpnjk-1751-1#
Jan 30 16:37:59.192 est: Track: 123 Down change delayed for 60 secs
Jan 30 16:38:05.776 est: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN.  Peer 
192.168.131.9:500       Id: vpnjk-2600-9.ese.cisco.com
One minute later (recall that delay down 60 is configured), the IP route associated with the track subsystem is removed from the routing table. This is a default route to the dialer interface (the primary path). The secondary path is through a cable modem, and the router obtains a default route using DHCP for the interface to the cable provider.
Jan 30 16:38:59.192 est: Track: 123 Down change delay expired
Jan 30 16:38:59.192 est: Track: 123 Change #8 rtr 23, reachability Up->Down
The floating static route to the PPPoE dialer interface is now in the routing table. The DHCP learned route is configured with an administrative distance of 239. The floating static is 240.
vpnjk-1751-1>show rtr op  23  | inc return code
Latest operation return code: No connection
vpnjk-1751-1>show ip route | inc 0.0.0.0
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
     10.0.0.0/25 is subnetted, 1 subnets
S*   0.0.0.0/0 is directly connected, Dialer1
Approximately 96 seconds after the ISP link failure, connectivity has been restored to the backup head-end IPSec peer.
Jan 30 16:39:16.084 est: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  .  Peer 
192.168.131.4:500       Id: vpn-jk-2691-1.ese.cisco.com
During the failure, a ping was started before the ISP link failure to determine the approximate length of time of the failure, plus or minus 5 seconds. 20 Internet Control Message Protocol (ICMP) packets were lost, or approximately 100 seconds for recovery.
vpnjk-2600-2#ping 10.2.128.5 timeout 5 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.2.128.5, timeout is 5 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!....................!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!![repetition removed] 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 98 percent (980/1000), round-trip min/avg/max = 8/15/24 ms
As service in the ISP network is restored, the SAA probe is again able to reach the head-end SAA target router. The remote router configuration includes a host route to the head-end SAA target router using the DHCP learned next hop router, so the SAA probe must connect over the primary interface. When the primary path is restored, successful probe transactions trigger a tracking change in state from down to up. The tracking configuration delays the transition from down to up for 5 seconds.
vpnjk-1751-1>
Jan 30 16:53:14.328 est: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  .  Peer 
192.168.131.9:500       Id: vpnjk-2600-9.ese.cisco.com
Jan 30 16:53:24.196 est: Track: 123 Up change delayed for 5 secs
Jan 30 16:53:29.196 est: Track: 123 Up change delay expired
Jan 30 16:53:29.196 est: Track: 123 Change #9 rtr 23, reachability Down->Up
There is no advantage in configuring a long up delay because the IPSec tunnel must be established for the SAA probe to complete. There is little or no appreciable packet loss when changing state from down to up, because both the primary and backup path and IPSec tunnel are connected at the same time. The tracking subsystem is simply adding the default route for the primary or DHCP interface to influence the network traffic of the end user. Following is an example of the default route under normal operations.
vpnjk-1751-1>show ip route | begin Gateway
Gateway of last resort is 192.168.33.1 to network 0.0.0.0
     192.168.131.0/24 is variably subnetted, 3 subnets, 2 masks
S       192.168.131.8/31 [1/0] via 192.168.33.1
S       192.168.131.4/32 is directly connected, Dialer1
S       192.168.131.23/32 [1/0] via 192.168.33.1
     10.0.0.0/25 is subnetted, 1 subnets
C       10.0.68.0 is directly connected, FastEthernet0/0
     192.168.17.0/32 is subnetted, 2 subnets
C       192.168.17.1 is directly connected, Dialer1
C       192.168.17.3 is directly connected, Dialer1
C    192.168.33.0/24 is directly connected, Ethernet1/0
S*   0.0.0.0/0 [239/0] via 192.168.33.1
Routing Topology Following Network Recovery

The IPSec IKE and IPSec security associations for the backup interface remain active after the primary interface has been restored. Looking at the routing table of the backup head-end IPSec peer following the link restoration, the RRI injected route remains.
vpn-jk-2691-1#sh ip route static
     10.0.0.0/8 is variably subnetted, 12 subnets, 8 masks
S       10.0.68.0/25 [1/0] via 192.168.17.3
However, the path over the primary IPSec head-end peer is used from the remote LAN to the enterprise intranet backbone router. In this case, 192.168.131.9 is vpnjk-2600-9.ese.cisco.com.
traceroute 10.2.128.5
Type escape sequence to abort.
Tracing the route to 10.2.128.5
  1 10.0.68.5 4 msec 0 msec 4 msec
  2 192.168.131.9 8 msec 8 msec 8 msec
  3 10.2.128.5 8 msec *  8 msec
From the head-end perspective, recovery of the primary path induces a metric change, and debug ip routing was enabled on the enterprise intranet router during recovery. Note that the route to 10.0.68.0/25 is replaced by one with a lower (better) metric over the primary path.
vpnjk-2600-5#
Jan 30 16:53:14 est: RT: del 10.0.68.0/25 via 10.2.120.4, eigrp metric [170/10258432]
Jan 30 16:53:14 est: RT: add 10.0.68.0/25 via 10.2.128.9, eigrp metric [170/6925056]
vpnjk-2600-5#show ip eigrp topology all-links   | begin 10.0.68.0
P 10.0.68.0/25, 1 successors, FD is 6925056, serno 1710
        via 10.2.128.9 (6925056/6922496), FastEthernet0/1.128
        via 10.2.120.4 (10258432/10255872), FastEthernet0/1.120
        via 10.2.124.23 (6927616/6925056), FastEthernet0/1.124
This action is based on the Enhanced Interior Gateway Routing Protocol (EIGRP) configuration of the primary and backup IPSec head-end peers. The backup peer is redistributing the RRI static routes with a bandwidth of 256:
vpn-jk-2691-1#sh run b | beg router eigrp
router eigrp 100
 redistribute static metric 256 1000 255 1 1500 route-map IPSEC_Subnets
However, the primary peers are redistributing the RRI static routes with a bandwidth of 384 kbps:
vpnjk-2600-9#show run brief | begin router eigrp
router eigrp 100
 redistribute static metric 384 1000 255 1 1500 route-map IPSEC_Subnets
In this sample configuration, the trained rate of the DSL connection is 256 kbps uplink and the cable connection is simulating a 384 kbps guaranteed rate.

Note Many cable providers quote a burst rate and not a guaranteed rate in their marketing literature.
vpnjk-2600-5#show ip route 10.0.68.0
Routing entry for 10.0.68.0/25
  Known via "eigrp 100", distance 170, metric 6925056, type external
  Redistributing via eigrp 100
  Last update from 10.2.128.9 on FastEthernet0/1.128, 00:05:05 ago
  Routing Descriptor Blocks:
  * 10.2.128.9, from 10.2.128.9, 00:05:05 ago, via FastEthernet0/1.128
      Route metric is 6925056, traffic share count is 1
      Total delay is 10100 microseconds, minimum bandwidth is 384 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1
The above display shows the characteristics of the route when the IPSec tunnel is active on the primary IPSec peer. The minimum bandwidth for the route is 256 kbps when the primary path has failed and the backup IPSec peer has the best route to the remote network.

V3PN QoS Service Policy

The primary path is cable and the backup path is DSL. These technologies vary in the amount of Layer 2 overhead. The priority or LLQ must be configured for the worst case to use a common child service policy, but the parent service policy, the shaper, can be tuned accordingly.

A shaper for both DSL and cable is configured and applied to the respective Ethernet interface.
policy-map Shaper-DSL
 class class-default
  shape average 182400 1824
  service-policy V3PN-Small_Branch
policy-map Shaper-cable
 class class-default
  shape average 364800 3648
  service-policy V3PN-Small_Branch
!         
!         
interface Ethernet0/0
 description to DSL MODEM 
 bandwidth 256
 no ip address
 service-policy output Shaper-DSL
 ...
 pppoe enable
 pppoe-client dial-pool-number 1
!         
interface Ethernet1/0
 description To CABLE MODEM 
 bandwidth 384
 ip dhcp client route track 123
 ip address dhcp
 service-policy output Shaper-cable
 ...
No other special considerations need be given. A common shaper value using the lower of the two values can be used for both cable and DSL to simplify configuration.

Performance Results

The SAA target head-end router must be available to respond to SAA probes for the remote routers to make use of their primary path. Cisco recommends that the CPU of the SAA target head-end router ideally be less than 30 percent busy; 30 percent to 60 percent is acceptable. Over 60 percent busy is not recommended.

A Cisco 26xx series router being used as a dedicated SAA target head-end router is estimated to process 20-30 probes per second and to stay within these CPU requirements. The number of remote routers being serviced by the SAA target head-end router depends on the frequency of the SAA probe from each remote router. The configuration example shown here uses a frequency of 20 seconds between probes, which equates to up to 600 remote routers.

Note If the SAA probe frequency is configured at a value less than the IKE keepalive frequency, the Dead Peer Detection (DPD) logic generally never sends out IKE keepalive packets, because the SAA probes do not allow the IKE worry interval to expire. However, decreasing the SAA probe frequency means more load on the SAA head-end and more packets that must be encrypted and decrypted by the head-end IPSec routers. The network manager has a great deal of latitude in configuring these various timers.

Implementation and Configuration

This section describes the key configuration components. In the following examples, these addressing conventions are used:

•All subnets of 10.0.0.0 addressing represent enterprise internal address space.

•All subnets of 192.168.0.0 addressing represent Internet routable address space.

This section includes the following topics:

•Remote Router SAA and Tracking Configuration

•Head-end SAA Target

•IPSec Head-end Routers

•Remote Router

•Show Commands

Remote Router SAA and Tracking Configuration

The configuration of the remote router is relatively simple; a tracking operation must be configured to associate the DHCP learned default route with the SAA configuration. The cable head-end provides an IP address and default gateway using DHCP. For the DSL interface, the IP address is negotiated using PPP. A floating static default route is configured pointing to the dialer interface.

First, the administrative distance of the default route learned using DHCP is 239, which is set with the ip dhcp-client default-router distance command. Then the tracked object 123 is defined and associated with SAA (rtr) operation 23. The default route to the DHCP router is associated with track 123, via the ip dhcp client route track 123 interface command. This route is removed from the routing table if the SAA destination IP address cannot be reached. The floating static route to Dialer 1 with administrative distance of 240 is inserted in its place.
ip dhcp-client default-router distance 239
!
track 123 rtr 23 reachability
 delay down 60 up 5
!
interface Ethernet1/0
 description To CABLE MODEM 
 bandwidth 384
 ip dhcp client route track 123
 ip address dhcp
!
ip route 0.0.0.0 0.0.0.0 Dialer1 240 name Backup_Path
!
ip route 192.168.131.4 255.255.255.255 Dialer1 name Backup_Peer
!
ip route 192.168.131.23 255.255.255.255 dhcp      # SAA Target Router
ip route 192.168.131.8 255.255.255.254 dhcp       # Primary IPSec Head-ends
!
rtr 23
 type udpEcho dest-ipaddr 192.168.131.23 dest-port 57005 source-ipaddr 10.0.68.5 
source-port 48879
 tos 192
 timeout 1000
 owner TRACK123
 tag Object Tracking
 frequency 20
 lives-of-history-kept 1
 buckets-of-history-kept 10
 filter-for-history failures
rtr schedule 23 start-time now life forever
!
The SAA configuration shows the use of an UDP echo probe rather than an ICMP probe. ICMP probes are required if the head-end target is not a Cisco router with rtr responder configured. Either probe is acceptable, the function of the probe is traverse inside the crypto tunnel to verify the primary path is functional. The UDP source and destination port numbers are arbitrary, decimal 57005 is 0xDEAD in hexadecimal, and decimal 48879 is 0xBEEF. These character strings are easy to identify when looking at port number values shown in hexadecimal.

There is a host route to the SAA target device, 192.168.131.23, using the DHCP learned default gateway as the target. All SAA connection attempts must use the cable or primary interface.

Note While the SAA target device address is in the 192.168.0.0/16 address space, which represents Internet routable address space in these illustrations, the SAA probe is encapsulated inside the IPSec tunnel. The next hop address in the static route for 192.168.131.23 is the DHCP learned default gateway. This routes the probe out the cable or primary interface. The source IP address of the SAA probe is the inside LAN interface which is referenced in the crypto map. The SAA probe therefore is encrypted and transmitted inside the IPSec tunnel

Some optional SAA configuration commands are shown in grey/italics that are explained in a subsequent section.

Head-end SAA Target

To configure the head-end SAA target, include the following in the configuration:
rtr responder
The SAA control plane listens on UDP port 1967, when the default configuration value of control enable is in effect.
vpnjk-2600-23#show ip sockets 
Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
 17 0.0.0.0             0 10.0.253.4         67   0   0 2211   0 
 88   --listen--          10.0.253.4        100   0   0    0   0 
 17   --listen--          10.0.253.4        123   0   0    1   0 
 17 0.0.0.0             0 10.0.253.4       1967   0   0  211   0
From the remote router, the SAA control plane as well as the probe packets can be identified using NetFlow if enabled on the appropriate interfaces.
vpnjk-1751-1#sh ip cache verb flow | begin SrcIf
SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
Vi1            192.168.131.23  Local          10.0.68.5       11 C0  10       1 
DEAD /0  0                     BEEF /0  0     0.0.0.0                44     0.0
Vi1            192.168.131.8   Local          192.168.17.3    32 00  10       3 
B92C /0  0                     C0FA /0  0     0.0.0.0                96     1.6
Vi1            192.168.131.23  Local          10.0.68.5       11 C0  10       1 
07AF /0  0                     BEEF /0  0     0.0.0.0                36     0.0
The probe packets are 44 bytes (Layer 3) by default. Source port of 0x7AF is decimal 1967. Note that the source port for the control plane and the probe packets are the same value.

IPSec Head-end Routers

This section describes the configuration of IPSec head-end routers.

Backup IPSec Peer

This configuration includes a digital certificate; however, for the purposes of this test, the authentication method over the back-up interface is IKE aggressive mode with pre-shared keys. The keys are not stored on a separate RADIUS server, rather on a keyring defined on this router.
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname vpn-jk-2691-1
!
boot-start-marker
boot system flash c2691-ik9o3s-mz.123-5
boot system flash c2691-ik9o3s-mz.122-13.T10
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 [removed]
!
memory-size iomem 15
clock timezone est -5
clock summer-time edt recurring
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
ip domain name ese.cisco.com
ip host ect-msca 172.26.179.237
ip host harry 172.26.176.10
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
crypto ca trustpoint ect-msca
 enrollment mode ra
 enrollment url http://ect-msca:80/certsrv/mscep/mscep.dll
 crl optional
 auto-enroll 70
!
crypto ca certificate chain ect-msca
 certificate 5D7B2D4300000000003C
 certificate ca 113346B52ACEE8B04ABD5A5C3FED139A
! 
crypto keyring Backup_Sites 
  pre-shared-key hostname Store77.ese.cisco.com  key 00-02-8A-9B-05-33
!
crypto isakmp policy 1
 encr 3des
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10
crypto isakmp profile AGGRESSIVE
   description Profile to test Initiating Aggressive Mode
   keyring Backup_Sites
   self-identity fqdn
   match identity host domain ese.cisco.com
!
!
crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac 
crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac 
 mode transport
!
crypto dynamic-map DYNO-TEMPLATE 10
 description dynamic crypto map
 set transform-set 3DES_SHA_TRANSPORT 3DES_SHA_TUNNEL 
 reverse-route
 qos pre-classify
!
!
crypto map DYNO-MAP local-address FastEthernet0/1.100
crypto map DYNO-MAP 10 ipsec-isakmp dynamic DYNO-TEMPLATE 
!
!
!
interface FastEthernet0/1
 description dot1q
 no ip address
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet0/1.100
 description Outside Interface
 encapsulation dot1Q 100
 ip address 192.168.131.4 255.255.255.224
 crypto map DYNO-MAP
!
interface FastEthernet0/1.120
 description Inside Interface
 encapsulation dot1Q 120
 ip address 10.2.120.4 255.255.255.0
!
!                 The bandwidth value of 256 in the metric command is important!
!                 Described previously when illustrating failover.
!
router eigrp 100
 redistribute static metric 256 1000 255 1 1500 route-map IPSEC_Subnets
 network 10.0.0.0
 network 192.168.130.0 0.0.1.255
 no auto-summary
!
no ip http server
no ip http secure-server
ip classless
!
!
access-list 68 permit 10.0.64.0 0.0.63.255
access-list 68 deny   any
!
route-map IPSEC_Subnets permit 10
 match ip address 68
!
rtr responder
!
ntp server 192.168.130.1
!
end
Primary IPSec Peers

The following is the configuration for primary IPSec peers:
!   System image file is "flash:c2600-ik9o3s-mz.122-11.T5"
version 12.2
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname vpnjk-2600-8
!
logging buffered 4096 debugging
enable password 7 [removed]
!
clock timezone est -5
clock summer-time edt recurring
ip subnet-zero
!
!
no ip domain lookup
ip domain name ese.cisco.com
ip host harry 172.26.176.10
ip host ect-msca 172.26.179.237
!
ip audit notify log
ip audit po max-events 100
!
crypto ca trustpoint ect-msca
 enrollment mode ra
 enrollment url http://ect-msca:80/certsrv/mscep/mscep.dll
 auto-enroll 70
crypto ca certificate chain ect-msca
 certificate ca 113346B52ACEE8B04ABD5A5C3FED139A nvram:ect-mscaCA.cer
 certificate 6122A4EC000000000021 nvram:ect-msca.cer
!
crypto isakmp policy 1
 encr 3des
 group 2
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac 
crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac 
 mode transport
!
crypto dynamic-map DYNO-TEMPLATE 10
 description dynamic crypto map
 set transform-set 3DES_SHA_TRANSPORT 3DES_SHA_TUNNEL 
 reverse-route
 qos pre-classify
!
!
crypto map DYNO-MAP local-address FastEthernet0/1.100
crypto map DYNO-MAP 10 ipsec-isakmp dynamic DYNO-TEMPLATE 
!
!
interface FastEthernet0/1
 description dot1q
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.100
 description Outside Interface
 encapsulation dot1Q 100
 ip address 192.168.131.8 255.255.255.224
 crypto map DYNO-MAP
!
interface FastEthernet0/1.128
 description Inside Interface
 encapsulation dot1Q 128
 ip address 10.2.128.8 255.255.255.0
!
!                           Bandwidth value for backup IPSec peer is 256
!
router eigrp 100
 redistribute static metric 384 1000 255 1 1500 route-map IPSEC_Subnets
 network 10.0.0.0
 network 192.168.130.0 0.0.1.255
 no auto-summary
 no eigrp log-neighbor-changes
!
ip default-gateway 172.26.156.1
ip classless
no ip http server
!
!
access-list 68 permit 10.0.68.0 0.0.0.255
access-list 68 deny   any
!
route-map IPSEC_Subnets permit 10
 match ip address 68
!
!
ntp server 192.168.130.1
!
end
===================================================================================
!   System image file is "flash:c2600-ik9o3s-mz.122-11.T5"
version 12.2
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname vpnjk-2600-9
!
logging buffered 4096 debugging
enable password 7 1511021F0725
!
clock timezone est -5
clock summer-time edt recurring
ip subnet-zero
!
!
no ip domain lookup
ip domain name ese.cisco.com
ip host harry 172.26.176.10
ip host ect-msca 172.26.179.237
!
ip audit notify log
ip audit po max-events 100
!
crypto ca trustpoint ect-msca
 enrollment mode ra
 enrollment url http://ect-msca:80/certsrv/mscep/mscep.dll
 auto-enroll 70
crypto ca certificate chain ect-msca
 certificate 610BE2E400000000001F nvram:ect-msca.cer
 certificate ca 113346B52ACEE8B04ABD5A5C3FED139A nvram:ect-mscaCA.cer
!
crypto isakmp policy 1
 encr 3des
 group 2
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac 
crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac 
 mode transport
!
crypto dynamic-map DYNO-TEMPLATE 10
 description dynamic crypto map
 set transform-set 3DES_SHA_TRANSPORT 3DES_SHA_TUNNEL 
 reverse-route
 qos pre-classify
!
!
crypto map DYNO-MAP local-address FastEthernet0/1.100
crypto map DYNO-MAP 10 ipsec-isakmp dynamic DYNO-TEMPLATE 
!
!
interface FastEthernet0/1
 description dot1q
 no ip address
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet0/1.100
 description Outside Interface
 encapsulation dot1Q 100
 ip address 192.168.131.9 255.255.255.224
 crypto map DYNO-MAP
!
interface FastEthernet0/1.128
 description Inside Interface
 encapsulation dot1Q 128
 ip address 10.2.128.9 255.255.255.0
!
!                           Bandwidth value for backup IPSec peer is 256
!
router eigrp 100
 redistribute static metric 384 1000 255 1 1500 route-map IPSEC_Subnets
 network 10.0.0.0
 network 192.168.130.0 0.0.1.255
 no auto-summary
 no eigrp log-neighbor-changes
!
ip classless
no ip http server
!
!
access-list 68 permit 10.0.68.0 0.0.0.255
!
route-map IPSEC_Subnets permit 10
 match ip address 68
!
ntp server 192.168.130.1
!
end
Remote Router

The following is the configuration for the remote router. See the specific notes in the following configuration:
!           System image file is "flash:vpn/images/c1700-k9o3sy7-mz.123-2.XE"
version 12.3
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname vpnjk-1751-1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 [removed]
!
memory-size iomem 25
clock timezone est -5
clock summer-time edt recurring
no aaa new-model
ip subnet-zero
!
!
!
!
ip telnet source-interface FastEthernet0/0
no ip domain lookup
ip domain name ese.cisco.com
ip host harry 172.26.176.10
ip host ect-msca 172.26.179.237
ip cef
ip audit notify log
ip audit po max-events 100
ip dhcp-client default-router distance 239
!
track 123 rtr 23 reachability
 delay down 60 up 5
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!              Certificates will be used for authentication for the primary path 
!              and IKE Aggressive mode will be used for the backup path
!
crypto ca trustpoint ect-msca
 enrollment mode ra
 enrollment url http://ect-msca:80/certsrv/mscep/mscep.dll
 revocation-check none
!
!
crypto ca certificate chain ect-msca
 certificate 610C436F00000000002C
 certificate ca 113346B52ACEE8B04ABD5A5C3FED139A
! 
!
crypto isakmp policy 1
 encr 3des
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10
!
crypto isakmp peer address 192.168.131.4
 set aggressive-mode password 00-02-8A-9B-05-33
 set aggressive-mode client-endpoint fqdn Store77.ese.cisco.com 
crypto isakmp profile AGGRESSIVE
   description Profile to test Initiating Aggressive Mode
   self-identity fqdn
   match identity host domain ese.cisco.com
   initiate mode aggressive
!
!
crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac 
crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac 
 mode transport
no crypto ipsec nat-transparency udp-encaps
!
crypto map PRIMARY_LINK 1 ipsec-isakmp 
 description Crypto Map for Primary Path
 set peer 192.168.131.9
 set peer 192.168.131.8
 set transform-set 3DES_SHA_TUNNEL 
 match address CRYPTO_MAP_ACL
 qos pre-classify
!
crypto map BACKUP_LINK 1 ipsec-isakmp 
 description Crypto Map for Backup Path
 set peer 192.168.131.4
 set transform-set 3DES_SHA_TUNNEL 
 match address CRYPTO_MAP_ACL
 qos pre-classify
!
!
!
class-map match-all VOICE
 match ip dscp ef 
class-map match-any CALL-SETUP
 match ip dscp af31 
 match ip dscp cs3 
class-map match-any INTERNETWORK-CONTROL
 match ip dscp cs6 
 match access-group name IKE
class-map match-all TRANSACTIONAL-DATA
 match ip dscp af21 
!
!
policy-map V3PN-Small_Branch
description Note LLQ for ATM/DSL G.729=64K, G.711=128K
 class CALL-SETUP
  bandwidth percent 2
 class INTERNETWORK-CONTROL
  bandwidth percent 5
 class VOICE
  priority 128
 class TRANSACTIONAL-DATA
  bandwidth percent 22
 class class-default
  fair-queue
  random-detect
policy-map Shaper-DSL
 class class-default
  shape average 182400 1824
  service-policy V3PN-Small_Branch
policy-map Shaper-cable
 class class-default
  shape average 364800 3648
  service-policy V3PN-Small_Branch
!
!
!
interface Ethernet0/0
 description to DSL MODEM 
 bandwidth 256
 no ip address
 service-policy output Shaper-DSL
 load-interval 30
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/0
 description Inside 
 ip address 10.0.68.5 255.255.255.128
 no ip proxy-arp
 ip route-cache flow
 ip tcp adjust-mss 542
 load-interval 30
 speed auto
!
interface Ethernet1/0
 description To CABLE MODEM 
 bandwidth 384
 ip dhcp client route track 123
 ip address dhcp
 service-policy output Shaper-cable
 ip route-cache flow
 ip tcp adjust-mss 542
 load-interval 30
 half-duplex
 crypto map PRIMARY_LINK
!
interface Dialer1
 description Outside
 bandwidth 256
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 542
 load-interval 30
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp chap refuse
 ppp pap sent-username cisco789@cisco.com password 0 foo
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map BACKUP_LINK
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1 240 name Backup_Path
ip route 192.168.131.4 255.255.255.255 Dialer1 name Backup_Peer
ip route 192.168.131.23 255.255.255.255 dhcp
ip route 192.168.131.8 255.255.255.254 dhcp
no ip http server
no ip http secure-server
!
!
!
ip access-list extended CRYPTO_MAP_ACL
 permit ip 10.0.68.0 0.0.0.127 any
ip access-list extended IKE
 permit udp any eq isakmp any eq isakmp
dialer-list 1 protocol ip permit
!
!
control-plane
!
rtr responder
rtr 23
 type udpEcho dest-ipaddr 192.168.131.23 dest-port 57005 source-ipaddr 10.0.68.5
 tos 192
 timeout 1000
 owner TRACK123
 tag Object Tracking
 frequency 20
 lives-of-history-kept 1
 buckets-of-history-kept 10
 filter-for-history failures
rtr schedule 23 start-time now life forever
!
ntp server 192.168.130.1
!
end
Show Commands

The following optional SAA configuration statements provide for maintaining a history of the last ten failed connection attempts:
 lives-of-history-kept 1
 buckets-of-history-kept 10
 filter-for-history failures
These can be displayed on the remote router as follows:
vpnjk-1751-1#show rtr history  23  full 
Entry number: 23
Life index: 1
Bucket index: 67
Sample time: 14:08:56.369 est Fri Dec 19 2003
RTT (milliseconds): 0
Response return code: No connection
Life index: 1
Bucket index: 68
Sample time: 14:09:16.366 est Fri Dec 19 2003
RTT (milliseconds): 0
Response return code: No connection
Life index: 1
Bucket index: 69
Sample time: 14:09:36.367 est Fri Dec 19 2003
RTT (milliseconds): 0
Response return code: No connection
The time stamps in the display help to identify when network connectivity failures occurred. Use Network Time Protocol (NTP) to maintain accurate time on the remote routers.

Cisco IOS Versions Tested

The following code versions were used during testing:

•Primary IPSec head-ends—c2600-ik9o3s-mz.122-11.T5

•Backup IPSec head-ends—c2691-ik9o3s-mz.123-5

•Cisco 1751—c1700-k9o3sy7-mz.123-2.XE

•SAA target—c2600-ik9o3s3-mz.123-3

The IPSec head-end routers were Cisco 2651s with an Advanced Integration Module (AIM) hardware VPN module. This testing was not intended to scale test head-end performance capabilities. In a customer deployment, using IPSec head-ends with suitable performance characteristics aligned with the number of remote routers is advised.

An available Cisco1760 V3PN bundle (product number: CISCO1760-V3PN/K9) can be used instead of the Cisco 1751.

Reliable Static Routing Backup Using Object Tracking was first introduced in Cisco IOS version 12.3(2)XE.

Summary

The Object Tracking feature of Cisco IOS Software provides a means to deploy both DSL and cable modems to the same remote location for increased availability. Because this feature uses SAA, a network manager can use its protocols and applications in addition to ICMP for verifying connectivity. One advantage to this configuration is its scalability; you can configure a primary and backup IPSec head-end independently from the SAA head-end router, and you can add additional SAA head-ends as required.

	V3PN: Redundancy and Load Sharing Design Guide
	Small BranchCable with DSL Backup
V3PN: Redundancy and Load Sharing Design Guide V3PN: Redundancy and Load-Sharing Introduction Small BranchDSL with ISDN Backup Small BranchCable with DSL Backup Small BranchDSL with Async Backup Small BranchDial Backup to Cisco VPN 3000 Concentrator Small BranchLoad Sharing on Dual Broadband Links Small BranchWireless Broadband Deployment Small BranchDual Hub/Dual DMVPN Large BranchFrame Relay/Broadband Load Sharing and Backup Large Branch--Multilink PPP Large BranchInverse Multiplexing over ATM (IMA) Lab Topology References and Reading Acronyms and Definitions	Download this chapter Small BranchCable with DSL Backup Download the complete book V3PN_Red_Load.pdf (PDF - 4 MB) Table Of Contents Small Branch—Cable with DSL Backup Solution Characteristics Topology Failover/Recovery Time Temporary Failure with Service Restoration Failure of Primary Path—Recovery over Backup Path Routing Topology Following Network Recovery V3PN QoS Service Policy Performance Results Implementation and Configuration Remote Router SAA and Tracking Configuration Head-end SAA Target IPSec Head-end Routers Backup IPSec Peer Primary IPSec Peers Remote Router Show Commands Cisco IOS Versions Tested Summary Small Branch—Cable with DSL Backup This chapter includes the following sections: •Solution Characteristics •Topology •Failover/Recovery Time •V3PN QoS Service Policy •Performance Results •Implementation and Configuration •Cisco IOS Versions Tested •Summary As enterprise customers begin to deploy IP telephony using broadband as the access media to the small office environment, backup links are required to minimize service disruption. In existing Frame Relay deployments, ISDN was the preferred choice as a dial backup mechanism because it offered sufficient bandwidth, was relatively cost effective, and offered a different technology as the underlying media. Using different technologies for the primary and backup links isolates the enterprise from the catastrophic failure of one technology taking down both the primary and backup links. Examples of this are the notable Frame Relay failures that were manifest in the total collapse of these networks in the late 1990s. The enterprises that were least impacted by these service outages were those that used ISDN as their backup mechanism. The human and software errors that caused the Frame Relay failures did not impact the ISDN network. Applying this concept of using alternate technologies to provide backup to the small office, the natural conclusion is to deploy both DSL and cable, as shown in Figure 3-1. Figure 3-1 DSL with Cable Backup Topology A small office is likely to have at least one or more "plain old telephone service" (POTS) lines anyway, and enabling one for DSL service adds approximately $50 USD a month. A cable-provided Internet service costs approximately $50 USD a month in addition to a basic cable service if required. A side benefit is cable TV in the employee lounge. Using the Raleigh-Durham, North Carolina market as an example, the small office has available to it a 256-kbps uplink via DSL and 384-kbps uplink via cable for approximately $100 USD a month. A degree of ISP separation is also present in addition to the alternate technologies of DSL and cable at the local loop. It is likely that the DSL and cable providers connect to different Tier 2 ISPs that in turn likely connect to multiple Tier 1 ISPs. If the head-end Internet connection uses multiple Tier 1 ISPs, the branch offices are isolated to some extent from service disruptions within a particular ISP. Alternately, the enterprise can consider connecting directly to either the IP network of the cable or DSL provider, or to the Tier 2 ISP servicing the broadband provider. Solution Characteristics This deployment scenario is applicable to small branch offices that have the following connectivity characteristics: •Low recurring costs for WAN access •Desire to use alternate technologies for primary and backup path •No multiprotocol or IP multicast requirements •A highly-scalable, redundant, and cost effective head-end IPSec termination •Encryption required for both primary and backup link The Reliable Static Routing Backup Using Object Tracking feature is used to trigger a backup connection (in these examples using a cable modem) to be initiated by the remote customer premises equipment (CPE) in scenarios where only static routes are used. Both cable and DSL deployments rely on static routes to reach the service provider as a next hop address. This feature allows a target to be identified and pinged or probed using Cisco Service Assurance Agent (SAA) over the primary interface. In this example, it is a Cisco IOS router at the head-end location that is reachable only through the IPSec tunnel. If the pings/probes fail, the static route for the primary path is removed from the routing table, allowing a static route with a higher administrative distance to be inserted into the routing table as an alternate default route. The pings/probes continue to be attempted over the primary interface. If they are successful again, the connection is re-established over the primary interface. Topology The topology shown in Figure 3-2 is used as an example. The routers are named as follows: •IPSec primary head-end routers—vpnjk-2600-8 and vpnjk-2600-9 •IPSec backup path head-end router—vpn-jk2-2691 •Head-end SAA target router—vpnjk-2600-23 •Remote router—vpnjk-1751-1 Figure 3-2 Test Topology—Cable with DSL Backup This design uses the Cisco IOS feature, Reliable Static Routing Backup Using Object Tracking, to verify connectivity with SAA probes originating from the inside Ethernet LAN address of the remote router through the IPSec tunnel that traverses the DSL provider to the IPSec head-end routers. The SAA probe packets are encrypted and forwarded to the head-end SAA target router. The probe responses follow the return path and the SAA control plane follows the same path as the probe packets. This configuration provides a backup path over the DSL service provider if the primary path over the cable service provider fails. Connectivity failures of the SAA probes trigger the use of the backup path. Failover/Recovery Time This section shows examples of a temporary failure that causes packet loss but recovers before the backup path is activated. The second example illustrates a failure of the primary path of sufficient duration to trigger the use of the backup link. This section includes the following topics: •Temporary Failure with Service Restoration •Failure of Primary Path—Recovery over Backup Path •Routing Topology Following Network Recovery Temporary Failure with Service Restoration An issue associated with on-demand backup links is how to avoid triggering use of the backup path for very short connectivity failures through the primary path. With a keepalive protocol, the network administrator is generally able to configure a keepalive interval and a dead interval. The dead interval effectively controls how many consecutive keepalives are missed before declaring the primary path down. With the Reliable Static Routing Backup Using Object Tracking feature, the dead interval is controlled by the delay down command within the track statement and the hello interval is configured by the frequency command within the rtr statement. As an illustration, these values are set at 60 and 20 seconds respectively. The IKE keepalive value is 10 seconds with a default of 2 seconds between retries following initial failure. The following captured commands show the sequence of events and time for a simulated brief link flap for the connection between the network of the broadband service provider network and their ISP. Here the ISP link fails at 13:26:28: Dec 19 13:26:28.265 est: %ATM-5-UPDOWN: Interface ATM1/IMA0.1, Changing autovc . Dec 19 13:26:28.269 est: %BGP-5-ADJCHANGE: neighbor 192.168.129.26 Down Interfap The IKE keepalives identified the failure at 13:26:51 or approximately 23 seconds later. IKE attempts to contact the secondary peer, assuming an IPSec head-end failure. vpnjk-1751-1# Dec 19 13:26:51.422 est: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 192.168.131.8:500 Id: vpnjk-2600-8.ese.cisco.com With debug track, you can see that the tracking logic has identified a connection failure of the SAA configuration but delays action for 60 seconds. This is 27 seconds from the original link failure. Dec 19 13:26:55.074 est: Track: 123 Down change delayed for 60 secs At this point, the original link failure has recovered; this is one minute from the initial link failure. Dec 19 13:26:53.795 est: %ATM-5-UPDOWN: Interface ATM1/IMA0.1, Changing autovc . Dec 19 13:27:28.156 est: %BGP-5-ADJCHANGE: neighbor 192.168.129.26 Up At this point, the IPSec tunnel has been re-established; however, the new tunnel is with the secondary IPSec head end, vpnjk-2600-9.ese.cisco.com, and the initial IPSec tunnel was with the primary IPSec head-end, vpnjk-2600-8.ese.cisco.com. Dec 19 13:27:41.754 est: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (0/0),process = Crypto IKMP. -Traceback= 802971E8 80294574 8129E55C 81295D6C 81294760 81294304 812906D0 812635A8 812869FC 81263EC4 8125F278 8125D9F0 8127F120 81 Dec 19 13:27:42.274 est: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 192.168.131.9:500 Id: vpnjk-2600-9.ese.cisco.com With connectivity established, the SAA UDP probe was successful and the action was aborted. This event occurred 9 seconds before the 60 second track delay expired. Dec 19 13:27:46.894 est: Track: 123 Down change delay cancelled At this point, all connectivity has been restored. The only change was a swap of the IPSec tunnel from the primary to the secondary head-end during the brief failure. The IKE keepalive values can be increased if needed. However, recall that the SAA probes are encrypted and require the IPSec tunnel to reach the head-end SAA router. Failure of Primary Path—Recovery over Backup Path The following example shows the backup path being activated. First, a failure in the network of the ISP disrupts connectivity. Jan 30 16:37:40.738 est: %BGP-5-ADJCHANGE: neighbor 192.168.129.29 Down Interface flap Jan 30 16:37:42.733 est: %LINK-5-CHANGED: Interface Serial0/0, changed state to down Approximately 39 seconds from the ISP link failure, the tracking logic has identified the failure. vpnjk-1751-1# Jan 30 16:37:59.192 est: Track: 123 Down change delayed for 60 secs Jan 30 16:38:05.776 est: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 192.168.131.9:500 Id: vpnjk-2600-9.ese.cisco.com One minute later (recall that delay down 60 is configured), the IP route associated with the track subsystem is removed from the routing table. This is a default route to the dialer interface (the primary path). The secondary path is through a cable modem, and the router obtains a default route using DHCP for the interface to the cable provider. Jan 30 16:38:59.192 est: Track: 123 Down change delay expired Jan 30 16:38:59.192 est: Track: 123 Change #8 rtr 23, reachability Up->Down The floating static route to the PPPoE dialer interface is now in the routing table. The DHCP learned route is configured with an administrative distance of 239. The floating static is 240. vpnjk-1751-1>show rtr op 23 \| inc return code Latest operation return code: No connection vpnjk-1751-1>show ip route \| inc 0.0.0.0 Gateway of last resort is 0.0.0.0 to network 0.0.0.0 10.0.0.0/25 is subnetted, 1 subnets S* 0.0.0.0/0 is directly connected, Dialer1 Approximately 96 seconds after the ISP link failure, connectivity has been restored to the backup head-end IPSec peer. Jan 30 16:39:16.084 est: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 192.168.131.4:500 Id: vpn-jk-2691-1.ese.cisco.com During the failure, a ping was started before the ISP link failure to determine the approximate length of time of the failure, plus or minus 5 seconds. 20 Internet Control Message Protocol (ICMP) packets were lost, or approximately 100 seconds for recovery. vpnjk-2600-2#ping 10.2.128.5 timeout 5 repeat 1000 Type escape sequence to abort. Sending 1000, 100-byte ICMP Echos to 10.2.128.5, timeout is 5 seconds: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!....................!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!![repetition removed] !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!! Success rate is 98 percent (980/1000), round-trip min/avg/max = 8/15/24 ms As service in the ISP network is restored, the SAA probe is again able to reach the head-end SAA target router. The remote router configuration includes a host route to the head-end SAA target router using the DHCP learned next hop router, so the SAA probe must connect over the primary interface. When the primary path is restored, successful probe transactions trigger a tracking change in state from down to up. The tracking configuration delays the transition from down to up for 5 seconds. vpnjk-1751-1> Jan 30 16:53:14.328 est: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 192.168.131.9:500 Id: vpnjk-2600-9.ese.cisco.com Jan 30 16:53:24.196 est: Track: 123 Up change delayed for 5 secs Jan 30 16:53:29.196 est: Track: 123 Up change delay expired Jan 30 16:53:29.196 est: Track: 123 Change #9 rtr 23, reachability Down->Up There is no advantage in configuring a long up delay because the IPSec tunnel must be established for the SAA probe to complete. There is little or no appreciable packet loss when changing state from down to up, because both the primary and backup path and IPSec tunnel are connected at the same time. The tracking subsystem is simply adding the default route for the primary or DHCP interface to influence the network traffic of the end user. Following is an example of the default route under normal operations. vpnjk-1751-1>show ip route \| begin Gateway Gateway of last resort is 192.168.33.1 to network 0.0.0.0 192.168.131.0/24 is variably subnetted, 3 subnets, 2 masks S 192.168.131.8/31 [1/0] via 192.168.33.1 S 192.168.131.4/32 is directly connected, Dialer1 S 192.168.131.23/32 [1/0] via 192.168.33.1 10.0.0.0/25 is subnetted, 1 subnets C 10.0.68.0 is directly connected, FastEthernet0/0 192.168.17.0/32 is subnetted, 2 subnets C 192.168.17.1 is directly connected, Dialer1 C 192.168.17.3 is directly connected, Dialer1 C 192.168.33.0/24 is directly connected, Ethernet1/0 S* 0.0.0.0/0 [239/0] via 192.168.33.1 Routing Topology Following Network Recovery The IPSec IKE and IPSec security associations for the backup interface remain active after the primary interface has been restored. Looking at the routing table of the backup head-end IPSec peer following the link restoration, the RRI injected route remains. vpn-jk-2691-1#sh ip route static 10.0.0.0/8 is variably subnetted, 12 subnets, 8 masks S 10.0.68.0/25 [1/0] via 192.168.17.3 However, the path over the primary IPSec head-end peer is used from the remote LAN to the enterprise intranet backbone router. In this case, 192.168.131.9 is vpnjk-2600-9.ese.cisco.com. traceroute 10.2.128.5 Type escape sequence to abort. Tracing the route to 10.2.128.5 1 10.0.68.5 4 msec 0 msec 4 msec 2 192.168.131.9 8 msec 8 msec 8 msec 3 10.2.128.5 8 msec * 8 msec From the head-end perspective, recovery of the primary path induces a metric change, and debug ip routing was enabled on the enterprise intranet router during recovery. Note that the route to 10.0.68.0/25 is replaced by one with a lower (better) metric over the primary path. vpnjk-2600-5# Jan 30 16:53:14 est: RT: del 10.0.68.0/25 via 10.2.120.4, eigrp metric [170/10258432] Jan 30 16:53:14 est: RT: add 10.0.68.0/25 via 10.2.128.9, eigrp metric [170/6925056] vpnjk-2600-5#show ip eigrp topology all-links \| begin 10.0.68.0 P 10.0.68.0/25, 1 successors, FD is 6925056, serno 1710 via 10.2.128.9 (6925056/6922496), FastEthernet0/1.128 via 10.2.120.4 (10258432/10255872), FastEthernet0/1.120 via 10.2.124.23 (6927616/6925056), FastEthernet0/1.124 This action is based on the Enhanced Interior Gateway Routing Protocol (EIGRP) configuration of the primary and backup IPSec head-end peers. The backup peer is redistributing the RRI static routes with a bandwidth of 256: vpn-jk-2691-1#sh run b \| beg router eigrp router eigrp 100 redistribute static metric 256 1000 255 1 1500 route-map IPSEC_Subnets However, the primary peers are redistributing the RRI static routes with a bandwidth of 384 kbps: vpnjk-2600-9#show run brief \| begin router eigrp router eigrp 100 redistribute static metric 384 1000 255 1 1500 route-map IPSEC_Subnets In this sample configuration, the trained rate of the DSL connection is 256 kbps uplink and the cable connection is simulating a 384 kbps guaranteed rate. Note Many cable providers quote a burst rate and not a guaranteed rate in their marketing literature. vpnjk-2600-5#show ip route 10.0.68.0 Routing entry for 10.0.68.0/25 Known via "eigrp 100", distance 170, metric 6925056, type external Redistributing via eigrp 100 Last update from 10.2.128.9 on FastEthernet0/1.128, 00:05:05 ago Routing Descriptor Blocks: * 10.2.128.9, from 10.2.128.9, 00:05:05 ago, via FastEthernet0/1.128 Route metric is 6925056, traffic share count is 1 Total delay is 10100 microseconds, minimum bandwidth is 384 Kbit Reliability 255/255, minimum MTU 1500 bytes Loading 1/255, Hops 1 The above display shows the characteristics of the route when the IPSec tunnel is active on the primary IPSec peer. The minimum bandwidth for the route is 256 kbps when the primary path has failed and the backup IPSec peer has the best route to the remote network. V3PN QoS Service Policy The primary path is cable and the backup path is DSL. These technologies vary in the amount of Layer 2 overhead. The priority or LLQ must be configured for the worst case to use a common child service policy, but the parent service policy, the shaper, can be tuned accordingly. A shaper for both DSL and cable is configured and applied to the respective Ethernet interface. policy-map Shaper-DSL class class-default shape average 182400 1824 service-policy V3PN-Small_Branch policy-map Shaper-cable class class-default shape average 364800 3648 service-policy V3PN-Small_Branch ! ! interface Ethernet0/0 description to DSL MODEM bandwidth 256 no ip address service-policy output Shaper-DSL ... pppoe enable pppoe-client dial-pool-number 1 ! interface Ethernet1/0 description To CABLE MODEM bandwidth 384 ip dhcp client route track 123 ip address dhcp service-policy output Shaper-cable ... No other special considerations need be given. A common shaper value using the lower of the two values can be used for both cable and DSL to simplify configuration. Performance Results The SAA target head-end router must be available to respond to SAA probes for the remote routers to make use of their primary path. Cisco recommends that the CPU of the SAA target head-end router ideally be less than 30 percent busy; 30 percent to 60 percent is acceptable. Over 60 percent busy is not recommended. A Cisco 26xx series router being used as a dedicated SAA target head-end router is estimated to process 20-30 probes per second and to stay within these CPU requirements. The number of remote routers being serviced by the SAA target head-end router depends on the frequency of the SAA probe from each remote router. The configuration example shown here uses a frequency of 20 seconds between probes, which equates to up to 600 remote routers. Note If the SAA probe frequency is configured at a value less than the IKE keepalive frequency, the Dead Peer Detection (DPD) logic generally never sends out IKE keepalive packets, because the SAA probes do not allow the IKE worry interval to expire. However, decreasing the SAA probe frequency means more load on the SAA head-end and more packets that must be encrypted and decrypted by the head-end IPSec routers. The network manager has a great deal of latitude in configuring these various timers. Implementation and Configuration This section describes the key configuration components. In the following examples, these addressing conventions are used: •All subnets of 10.0.0.0 addressing represent enterprise internal address space. •All subnets of 192.168.0.0 addressing represent Internet routable address space. This section includes the following topics: •Remote Router SAA and Tracking Configuration •Head-end SAA Target •IPSec Head-end Routers •Remote Router •Show Commands Remote Router SAA and Tracking Configuration The configuration of the remote router is relatively simple; a tracking operation must be configured to associate the DHCP learned default route with the SAA configuration. The cable head-end provides an IP address and default gateway using DHCP. For the DSL interface, the IP address is negotiated using PPP. A floating static default route is configured pointing to the dialer interface. First, the administrative distance of the default route learned using DHCP is 239, which is set with the ip dhcp-client default-router distance command. Then the tracked object 123 is defined and associated with SAA (rtr) operation 23. The default route to the DHCP router is associated with track 123, via the ip dhcp client route track 123 interface command. This route is removed from the routing table if the SAA destination IP address cannot be reached. The floating static route to Dialer 1 with administrative distance of 240 is inserted in its place. ip dhcp-client default-router distance 239 ! track 123 rtr 23 reachability delay down 60 up 5 ! interface Ethernet1/0 description To CABLE MODEM bandwidth 384 ip dhcp client route track 123 ip address dhcp ! ip route 0.0.0.0 0.0.0.0 Dialer1 240 name Backup_Path ! ip route 192.168.131.4 255.255.255.255 Dialer1 name Backup_Peer ! ip route 192.168.131.23 255.255.255.255 dhcp # SAA Target Router ip route 192.168.131.8 255.255.255.254 dhcp # Primary IPSec Head-ends ! rtr 23 type udpEcho dest-ipaddr 192.168.131.23 dest-port 57005 source-ipaddr 10.0.68.5 source-port 48879 tos 192 timeout 1000 owner TRACK123 tag Object Tracking frequency 20 lives-of-history-kept 1 buckets-of-history-kept 10 filter-for-history failures rtr schedule 23 start-time now life forever ! The SAA configuration shows the use of an UDP echo probe rather than an ICMP probe. ICMP probes are required if the head-end target is not a Cisco router with rtr responder configured. Either probe is acceptable, the function of the probe is traverse inside the crypto tunnel to verify the primary path is functional. The UDP source and destination port numbers are arbitrary, decimal 57005 is 0xDEAD in hexadecimal, and decimal 48879 is 0xBEEF. These character strings are easy to identify when looking at port number values shown in hexadecimal. There is a host route to the SAA target device, 192.168.131.23, using the DHCP learned default gateway as the target. All SAA connection attempts must use the cable or primary interface. Note While the SAA target device address is in the 192.168.0.0/16 address space, which represents Internet routable address space in these illustrations, the SAA probe is encapsulated inside the IPSec tunnel. The next hop address in the static route for 192.168.131.23 is the DHCP learned default gateway. This routes the probe out the cable or primary interface. The source IP address of the SAA probe is the inside LAN interface which is referenced in the crypto map. The SAA probe therefore is encrypted and transmitted inside the IPSec tunnel Some optional SAA configuration commands are shown in grey/italics that are explained in a subsequent section. Head-end SAA Target To configure the head-end SAA target, include the following in the configuration: rtr responder The SAA control plane listens on UDP port 1967, when the default configuration value of control enable is in effect. vpnjk-2600-23#show ip sockets Proto Remote Port Local Port In Out Stat TTY OutputIF 17 0.0.0.0 0 10.0.253.4 67 0 0 2211 0 88 --listen-- 10.0.253.4 100 0 0 0 0 17 --listen-- 10.0.253.4 123 0 0 1 0 17 0.0.0.0 0 10.0.253.4 1967 0 0 211 0 From the remote router, the SAA control plane as well as the probe packets can be identified using NetFlow if enabled on the appropriate interfaces. vpnjk-1751-1#sh ip cache verb flow \| begin SrcIf SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts Port Msk AS Port Msk AS NextHop B/Pk Active Vi1 192.168.131.23 Local 10.0.68.5 11 C0 10 1 DEAD /0 0 BEEF /0 0 0.0.0.0 44 0.0 Vi1 192.168.131.8 Local 192.168.17.3 32 00 10 3 B92C /0 0 C0FA /0 0 0.0.0.0 96 1.6 Vi1 192.168.131.23 Local 10.0.68.5 11 C0 10 1 07AF /0 0 BEEF /0 0 0.0.0.0 36 0.0 The probe packets are 44 bytes (Layer 3) by default. Source port of 0x7AF is decimal 1967. Note that the source port for the control plane and the probe packets are the same value. IPSec Head-end Routers This section describes the configuration of IPSec head-end routers. Backup IPSec Peer This configuration includes a digital certificate; however, for the purposes of this test, the authentication method over the back-up interface is IKE aggressive mode with pre-shared keys. The keys are not stored on a separate RADIUS server, rather on a keyring defined on this router. version 12.3 service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname vpn-jk-2691-1 ! boot-start-marker boot system flash c2691-ik9o3s-mz.123-5 boot system flash c2691-ik9o3s-mz.122-13.T10 boot-end-marker ! logging buffered 4096 debugging enable secret 5 [removed] ! memory-size iomem 15 clock timezone est -5 clock summer-time edt recurring no aaa new-model ip subnet-zero ! ! no ip domain lookup ip domain name ese.cisco.com ip host ect-msca 172.26.179.237 ip host harry 172.26.176.10 ! ip audit notify log ip audit po max-events 100 no ftp-server write-enable ! crypto ca trustpoint ect-msca enrollment mode ra enrollment url http://ect-msca:80/certsrv/mscep/mscep.dll crl optional auto-enroll 70 ! crypto ca certificate chain ect-msca certificate 5D7B2D4300000000003C certificate ca 113346B52ACEE8B04ABD5A5C3FED139A ! crypto keyring Backup_Sites pre-shared-key hostname Store77.ese.cisco.com key 00-02-8A-9B-05-33 ! crypto isakmp policy 1 encr 3des group 2 ! crypto isakmp policy 20 encr 3des authentication pre-share group 2 crypto isakmp keepalive 10 crypto isakmp profile AGGRESSIVE description Profile to test Initiating Aggressive Mode keyring Backup_Sites self-identity fqdn match identity host domain ese.cisco.com ! ! crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac mode transport ! crypto dynamic-map DYNO-TEMPLATE 10 description dynamic crypto map set transform-set 3DES_SHA_TRANSPORT 3DES_SHA_TUNNEL reverse-route qos pre-classify ! ! crypto map DYNO-MAP local-address FastEthernet0/1.100 crypto map DYNO-MAP 10 ipsec-isakmp dynamic DYNO-TEMPLATE ! ! ! interface FastEthernet0/1 description dot1q no ip address ip route-cache flow duplex auto speed auto ! interface FastEthernet0/1.100 description Outside Interface encapsulation dot1Q 100 ip address 192.168.131.4 255.255.255.224 crypto map DYNO-MAP ! interface FastEthernet0/1.120 description Inside Interface encapsulation dot1Q 120 ip address 10.2.120.4 255.255.255.0 ! ! The bandwidth value of 256 in the metric command is important! ! Described previously when illustrating failover. ! router eigrp 100 redistribute static metric 256 1000 255 1 1500 route-map IPSEC_Subnets network 10.0.0.0 network 192.168.130.0 0.0.1.255 no auto-summary ! no ip http server no ip http secure-server ip classless ! ! access-list 68 permit 10.0.64.0 0.0.63.255 access-list 68 deny any ! route-map IPSEC_Subnets permit 10 match ip address 68 ! rtr responder ! ntp server 192.168.130.1 ! end Primary IPSec Peers The following is the configuration for primary IPSec peers: ! System image file is "flash:c2600-ik9o3s-mz.122-11.T5" version 12.2 service timestamps debug datetime localtime show-timezone service timestamps log datetime localtime show-timezone service password-encryption ! hostname vpnjk-2600-8 ! logging buffered 4096 debugging enable password 7 [removed] ! clock timezone est -5 clock summer-time edt recurring ip subnet-zero ! ! no ip domain lookup ip domain name ese.cisco.com ip host harry 172.26.176.10 ip host ect-msca 172.26.179.237 ! ip audit notify log ip audit po max-events 100 ! crypto ca trustpoint ect-msca enrollment mode ra enrollment url http://ect-msca:80/certsrv/mscep/mscep.dll auto-enroll 70 crypto ca certificate chain ect-msca certificate ca 113346B52ACEE8B04ABD5A5C3FED139A nvram:ect-mscaCA.cer certificate 6122A4EC000000000021 nvram:ect-msca.cer ! crypto isakmp policy 1 encr 3des group 2 crypto isakmp keepalive 10 ! ! crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac mode transport ! crypto dynamic-map DYNO-TEMPLATE 10 description dynamic crypto map set transform-set 3DES_SHA_TRANSPORT 3DES_SHA_TUNNEL reverse-route qos pre-classify ! ! crypto map DYNO-MAP local-address FastEthernet0/1.100 crypto map DYNO-MAP 10 ipsec-isakmp dynamic DYNO-TEMPLATE ! ! interface FastEthernet0/1 description dot1q no ip address duplex auto speed auto ! interface FastEthernet0/1.100 description Outside Interface encapsulation dot1Q 100 ip address 192.168.131.8 255.255.255.224 crypto map DYNO-MAP ! interface FastEthernet0/1.128 description Inside Interface encapsulation dot1Q 128 ip address 10.2.128.8 255.255.255.0 ! ! Bandwidth value for backup IPSec peer is 256 ! router eigrp 100 redistribute static metric 384 1000 255 1 1500 route-map IPSEC_Subnets network 10.0.0.0 network 192.168.130.0 0.0.1.255 no auto-summary no eigrp log-neighbor-changes ! ip default-gateway 172.26.156.1 ip classless no ip http server ! ! access-list 68 permit 10.0.68.0 0.0.0.255 access-list 68 deny any ! route-map IPSEC_Subnets permit 10 match ip address 68 ! ! ntp server 192.168.130.1 ! end =================================================================================== ! System image file is "flash:c2600-ik9o3s-mz.122-11.T5" version 12.2 service timestamps debug datetime localtime show-timezone service timestamps log datetime localtime show-timezone service password-encryption ! hostname vpnjk-2600-9 ! logging buffered 4096 debugging enable password 7 1511021F0725 ! clock timezone est -5 clock summer-time edt recurring ip subnet-zero ! ! no ip domain lookup ip domain name ese.cisco.com ip host harry 172.26.176.10 ip host ect-msca 172.26.179.237 ! ip audit notify log ip audit po max-events 100 ! crypto ca trustpoint ect-msca enrollment mode ra enrollment url http://ect-msca:80/certsrv/mscep/mscep.dll auto-enroll 70 crypto ca certificate chain ect-msca certificate 610BE2E400000000001F nvram:ect-msca.cer certificate ca 113346B52ACEE8B04ABD5A5C3FED139A nvram:ect-mscaCA.cer ! crypto isakmp policy 1 encr 3des group 2 crypto isakmp keepalive 10 ! ! crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac mode transport ! crypto dynamic-map DYNO-TEMPLATE 10 description dynamic crypto map set transform-set 3DES_SHA_TRANSPORT 3DES_SHA_TUNNEL reverse-route qos pre-classify ! ! crypto map DYNO-MAP local-address FastEthernet0/1.100 crypto map DYNO-MAP 10 ipsec-isakmp dynamic DYNO-TEMPLATE ! ! interface FastEthernet0/1 description dot1q no ip address ip route-cache flow duplex auto speed auto ! interface FastEthernet0/1.100 description Outside Interface encapsulation dot1Q 100 ip address 192.168.131.9 255.255.255.224 crypto map DYNO-MAP ! interface FastEthernet0/1.128 description Inside Interface encapsulation dot1Q 128 ip address 10.2.128.9 255.255.255.0 ! ! Bandwidth value for backup IPSec peer is 256 ! router eigrp 100 redistribute static metric 384 1000 255 1 1500 route-map IPSEC_Subnets network 10.0.0.0 network 192.168.130.0 0.0.1.255 no auto-summary no eigrp log-neighbor-changes ! ip classless no ip http server ! ! access-list 68 permit 10.0.68.0 0.0.0.255 ! route-map IPSEC_Subnets permit 10 match ip address 68 ! ntp server 192.168.130.1 ! end Remote Router The following is the configuration for the remote router. See the specific notes in the following configuration: ! System image file is "flash:vpn/images/c1700-k9o3sy7-mz.123-2.XE" version 12.3 service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone no service password-encryption ! hostname vpnjk-1751-1 ! boot-start-marker boot-end-marker ! logging buffered 4096 debugging enable secret 5 [removed] ! memory-size iomem 25 clock timezone est -5 clock summer-time edt recurring no aaa new-model ip subnet-zero ! ! ! ! ip telnet source-interface FastEthernet0/0 no ip domain lookup ip domain name ese.cisco.com ip host harry 172.26.176.10 ip host ect-msca 172.26.179.237 ip cef ip audit notify log ip audit po max-events 100 ip dhcp-client default-router distance 239 ! track 123 rtr 23 reachability delay down 60 up 5 no ftp-server write-enable no scripting tcl init no scripting tcl encdir ! ! Certificates will be used for authentication for the primary path ! and IKE Aggressive mode will be used for the backup path ! crypto ca trustpoint ect-msca enrollment mode ra enrollment url http://ect-msca:80/certsrv/mscep/mscep.dll revocation-check none ! ! crypto ca certificate chain ect-msca certificate 610C436F00000000002C certificate ca 113346B52ACEE8B04ABD5A5C3FED139A ! ! crypto isakmp policy 1 encr 3des group 2 ! crypto isakmp policy 20 encr 3des authentication pre-share group 2 crypto isakmp keepalive 10 ! crypto isakmp peer address 192.168.131.4 set aggressive-mode password 00-02-8A-9B-05-33 set aggressive-mode client-endpoint fqdn Store77.ese.cisco.com crypto isakmp profile AGGRESSIVE description Profile to test Initiating Aggressive Mode self-identity fqdn match identity host domain ese.cisco.com initiate mode aggressive ! ! crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac mode transport no crypto ipsec nat-transparency udp-encaps ! crypto map PRIMARY_LINK 1 ipsec-isakmp description Crypto Map for Primary Path set peer 192.168.131.9 set peer 192.168.131.8 set transform-set 3DES_SHA_TUNNEL match address CRYPTO_MAP_ACL qos pre-classify ! crypto map BACKUP_LINK 1 ipsec-isakmp description Crypto Map for Backup Path set peer 192.168.131.4 set transform-set 3DES_SHA_TUNNEL match address CRYPTO_MAP_ACL qos pre-classify ! ! ! class-map match-all VOICE match ip dscp ef class-map match-any CALL-SETUP match ip dscp af31 match ip dscp cs3 class-map match-any INTERNETWORK-CONTROL match ip dscp cs6 match access-group name IKE class-map match-all TRANSACTIONAL-DATA match ip dscp af21 ! ! policy-map V3PN-Small_Branch description Note LLQ for ATM/DSL G.729=64K, G.711=128K class CALL-SETUP bandwidth percent 2 class INTERNETWORK-CONTROL bandwidth percent 5 class VOICE priority 128 class TRANSACTIONAL-DATA bandwidth percent 22 class class-default fair-queue random-detect policy-map Shaper-DSL class class-default shape average 182400 1824 service-policy V3PN-Small_Branch policy-map Shaper-cable class class-default shape average 364800 3648 service-policy V3PN-Small_Branch ! ! ! interface Ethernet0/0 description to DSL MODEM bandwidth 256 no ip address service-policy output Shaper-DSL load-interval 30 half-duplex pppoe enable pppoe-client dial-pool-number 1 ! interface FastEthernet0/0 description Inside ip address 10.0.68.5 255.255.255.128 no ip proxy-arp ip route-cache flow ip tcp adjust-mss 542 load-interval 30 speed auto ! interface Ethernet1/0 description To CABLE MODEM bandwidth 384 ip dhcp client route track 123 ip address dhcp service-policy output Shaper-cable ip route-cache flow ip tcp adjust-mss 542 load-interval 30 half-duplex crypto map PRIMARY_LINK ! interface Dialer1 description Outside bandwidth 256 ip address negotiated ip mtu 1492 encapsulation ppp ip route-cache flow ip tcp adjust-mss 542 load-interval 30 dialer pool 1 dialer-group 1 no cdp enable ppp authentication pap callin ppp chap refuse ppp pap sent-username cisco789@cisco.com password 0 foo ppp ipcp dns request ppp ipcp wins request crypto map BACKUP_LINK ! ip classless ip route 0.0.0.0 0.0.0.0 Dialer1 240 name Backup_Path ip route 192.168.131.4 255.255.255.255 Dialer1 name Backup_Peer ip route 192.168.131.23 255.255.255.255 dhcp ip route 192.168.131.8 255.255.255.254 dhcp no ip http server no ip http secure-server ! ! ! ip access-list extended CRYPTO_MAP_ACL permit ip 10.0.68.0 0.0.0.127 any ip access-list extended IKE permit udp any eq isakmp any eq isakmp dialer-list 1 protocol ip permit ! ! control-plane ! rtr responder rtr 23 type udpEcho dest-ipaddr 192.168.131.23 dest-port 57005 source-ipaddr 10.0.68.5 tos 192 timeout 1000 owner TRACK123 tag Object Tracking frequency 20 lives-of-history-kept 1 buckets-of-history-kept 10 filter-for-history failures rtr schedule 23 start-time now life forever ! ntp server 192.168.130.1 ! end Show Commands The following optional SAA configuration statements provide for maintaining a history of the last ten failed connection attempts: lives-of-history-kept 1 buckets-of-history-kept 10 filter-for-history failures These can be displayed on the remote router as follows: vpnjk-1751-1#show rtr history 23 full Entry number: 23 Life index: 1 Bucket index: 67 Sample time: 14:08:56.369 est Fri Dec 19 2003 RTT (milliseconds): 0 Response return code: No connection Life index: 1 Bucket index: 68 Sample time: 14:09:16.366 est Fri Dec 19 2003 RTT (milliseconds): 0 Response return code: No connection Life index: 1 Bucket index: 69 Sample time: 14:09:36.367 est Fri Dec 19 2003 RTT (milliseconds): 0 Response return code: No connection The time stamps in the display help to identify when network connectivity failures occurred. Use Network Time Protocol (NTP) to maintain accurate time on the remote routers. Cisco IOS Versions Tested The following code versions were used during testing: •Primary IPSec head-ends—c2600-ik9o3s-mz.122-11.T5 •Backup IPSec head-ends—c2691-ik9o3s-mz.123-5 •Cisco 1751—c1700-k9o3sy7-mz.123-2.XE •SAA target—c2600-ik9o3s3-mz.123-3 The IPSec head-end routers were Cisco 2651s with an Advanced Integration Module (AIM) hardware VPN module. This testing was not intended to scale test head-end performance capabilities. In a customer deployment, using IPSec head-ends with suitable performance characteristics aligned with the number of remote routers is advised. An available Cisco1760 V3PN bundle (product number: CISCO1760-V3PN/K9) can be used instead of the Cisco 1751. Reliable Static Routing Backup Using Object Tracking was first introduced in Cisco IOS version 12.3(2)XE. Summary The Object Tracking feature of Cisco IOS Software provides a means to deploy both DSL and cable modems to the same remote location for increased availability. Because this feature uses SAA, a network manager can use its protocols and applications in addition to ICMP for verifying connectivity. One advantage to this configuration is its scalability; you can configure a primary and backup IPSec head-end independently from the SAA head-end router, and you can add additional SAA head-ends as required.
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks