The latest and greatest - Cisco


Cisco Support Community Expert Series Webcast
Troubleshooting Dynamic Multipoint VPN
Hamzah Kardame, CCIE Security
Frank DeNofa
June 7, 2016
2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential


Presenters
Hamzah Kardame, CCIE Security #35596
Frank DeNofa, Cisco TAC

Question Managers
Danny Lia, Cisco TAC

Ask the Expert Event following the Webcast, now through June 17th:
https://supportforums.cisco.com/event/13023496/askexpert-dynamic-multipoint-vpn-dmvpn-troubleshooting

Agenda
- DMVPN Phase 1/2/3 Overview
- Deep Dive on Phase 3
- Layered Troubleshooting Approach for DMVPN
- Live Demonstration of Phase 3 Operations
- Troubleshooting Common Scenarios
- Best Practices
- Q&A

Polling Question 1
Which DMVPN phase allows for direct spoke to spoke communication?

A. Only Phase 3
B. Phase 1 and Phase 2
C. Phase 2 and Phase 3
D. Phase 1 and Phase 3

DMVPN Components

- Next Hop Resolution Protocol (NHRP): creates a distributed NHRP mapping database of all the spokes' tunnel addresses to their real (public interface, NBMA) addresses
- Multipoint GRE tunnel interface (mGRE): a single GRE interface supports multiple GRE/IPsec tunnels, which simplifies the size and complexity of the configuration
- IPsec tunnel protection: dynamically creates and applies encryption policies to the tunnels
- Routing: dynamic advertisement of branch networks; almost all routing protocols are supported

DMVPN Example (diagram)

- Hub: physical 172.17.0.1 (static, known IP address), Tunnel0 10.0.0.1, LAN 192.168.0.0/24 (.1)
- Spoke A: physical address dynamic (unknown), Tunnel0 10.0.0.11, LAN 192.168.1.0/24 (.1)
- Spoke B: physical address dynamic (unknown), Tunnel0 10.0.0.12, LAN 192.168.2.0/24 (.1)
- Spoke-to-hub tunnels are static; spoke-to-spoke tunnels are dynamic; LANs can use private addressing

DMVPN Phases

Phase 1: hub and spoke functionality only
- p-pGRE interface on spokes, mGRE on hubs
- Spokes don't need a full routing table; hubs can summarize

Phase 2: spoke to spoke functionality
- mGRE interface on spokes
- Direct spoke to spoke data traffic reduces load on hubs
- Spoke must have the full routing table; no summarization on the hub
- Spoke-spoke tunnel triggered by the spoke itself

Phase 3: spoke to spoke functionality
- Spokes don't need a full routing table; hubs can summarize
- Spoke-spoke tunnel triggered by the hub (NHRP redirect)
- NHRP routes/next hops are installed in the RIB

DMVPN Phase 3 Deep Dive

1. Originating spoke: the IP data packet is forwarded out the tunnel interface toward the destination via the hub (NHS).
2. Hub (NHS): receives the packet and forwards it out a tunnel interface with the same NHRP network-id; because the packet entered and left the same NHRP network, the hub sends an NHRP Redirect message to the originating spoke.
3. Originating spoke: receives the NHRP Redirect and sends an NHRP Resolution Request for the data packet's destination IP.
4. Destination spoke: receives the NHRP Resolution Request, builds the spoke-spoke tunnel, and

   sends the NHRP Resolution Reply over the spoke-spoke tunnel.

Phase 3 NHRP Redirects / NHRP Resolution Request / NHRP Resolution Reply (three diagram slides; the figures are not reproduced, the tables they show are summarized here)

Topology used in the diagrams:
- Hub: LAN 192.168.0.0/24 (192.168.0.1), physical 172.17.0.1, Tunnel0 10.0.0.1
- Spoke A: LAN 192.168.1.0/24 (192.168.1.1), physical 172.16.1.1 (dynamic), Tunnel0 10.0.0.11
- Spoke B: LAN 192.168.2.0/24 (192.168.2.1), physical 172.16.2.1 (dynamic), Tunnel0 10.0.0.12
Legend: data packet, NHRP Redirect, NHRP Resolution, NHRP mapping.

State before the exchange:
- Hub NHRP mapping: 10.0.0.11 -> 172.16.1.1; 10.0.0.12 -> 172.16.2.1. Hub CEF FIB: 192.168.0.0/24 connected; 192.168.1.0/24 via 10.0.0.11; 192.168.2.0/24 via 10.0.0.12.
- Spoke A NHRP mapping: 10.0.0.1 -> 172.17.0.1. FIB: 192.168.1.0/24 connected; 192.168.0.0/16 via 10.0.0.1 (the hub's summary). A packet from 192.168.1.1 to 192.168.2.1 therefore goes to the hub; the NBMA address behind 192.168.2.1 is still unknown (shown as ??? on the slide).
- Spoke B NHRP mapping: 10.0.0.1 -> 172.17.0.1. FIB: 192.168.2.0/24 connected; 192.168.0.0/16 via 10.0.0.1.

Slide "NHRP Redirects": the hub forwards the data packet on to 10.0.0.12 and returns an NHRP Redirect to Spoke A.
Slide "NHRP Resolution Request": Spoke A sends a Resolution Request for 192.168.2.1 via the hub; Spoke B learns the mapping 10.0.0.11 -> 172.16.1.1 from it.
Slide "NHRP Resolution Reply": Spoke B replies directly to Spoke A. Spoke A adds 10.0.0.12 -> 172.16.2.1 and the shortcut 192.168.2.0/24 -> 172.16.2.1 (the ??? is resolved); Spoke B adds the shortcut 192.168.1.0/24 -> 172.16.1.1. Both LANs now reach each other over the spoke-spoke tunnel.

DMVPN Phase 3 Deep Dive

When the spoke-spoke DMVPN tunnel establishes successfully, NHRP introduces the shortcut into the routing table in one of two ways:
- H: an NHRP route (administrative distance 250), or
- %: a next-hop override attached to the existing route.
These shortcuts let the router forward traffic directly over the spoke-spoke DMVPN tunnel rather than over the spoke-hub-spoke path. Which form appears depends on how the prefix length learned from the NHRP Resolution Reply compares with the prefix length already in the RIB: the slides contrast the case where the NHRP-learned prefix is more specific than the RIB prefix (the hub advertises a summary) with the case where the two prefix lengths are equal. Verify the result with show ip route next-hop-override, which displays both forms; plain show ip route hides the override.
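The four-step exchange above and the H / % installation rule, modelled end to end in Python as an added example (this is not code from the webcast). It runs the lab from the later slides (hub 10.1.1.100, Spoke1 10.1.1.1 behind 172.16.11.100, Spoke2 10.1.1.2 behind 172.16.21.1, LAN 21.21.21.0/24) twice, once with the hub advertising the exact /24 and once with the hub summarizing to 21.21.0.0/16, and shows which shortcut form the originating spoke ends up with. The message dictionaries, table layout and function names are assumptions of this model, not NHRP packet formats.

```python
"""Model of the DMVPN Phase 3 NHRP exchange from the slides (added example).

Reproduces the four steps (data packet via the hub, NHRP Redirect, Resolution
Request, Resolution Reply over the new spoke-spoke tunnel) and the two ways NHRP
then puts the shortcut into the originating spoke's RIB: a next-hop override (%)
when the RIB already holds the exact prefix, or an H route (AD 250) when the
reply's prefix is more specific than the hub's summary. Addresses are the lab
from the slides; message dicts, table layout and names are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address


@dataclass
class Route:
    prefix: IPv4Network
    nexthop: str
    kind: str = "D"            # D = EIGRP, C = connected, H = NHRP route
    override: str = None       # filled in when NHRP adds a % next-hop override

    @property
    def effective_nexthop(self):
        return self.override or self.nexthop


@dataclass
class Router:
    name: str
    tunnel_ip: str
    nbma: str
    rib: list
    nhrp: dict = field(default_factory=dict)   # tunnel IP -> NBMA address
    log: list = field(default_factory=list)

    def lookup(self, dst):
        """Longest-prefix match, as CEF would do for the data packet."""
        hits = [r for r in self.rib if ip_address(dst) in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None

    def install_shortcut(self, prefix, nexthop, nbma):
        """Apply a Resolution Reply: NHRP mapping plus a RIB shortcut.

        Only the two cases shown on the slides are modelled: equal prefix
        length -> '%' override; reply more specific than the RIB -> 'H' route.
        """
        self.nhrp[nexthop] = nbma
        exact = [r for r in self.rib if r.prefix == prefix]
        if exact:
            exact[0].override = nexthop
            return "%"
        self.rib.append(Route(prefix, nexthop, kind="H"))
        return "H"


def phase3_exchange(src, hub, dst, dst_ip):
    """Walk one packet from src's LAN to dst_ip through the four steps."""
    # 1. Originating spoke: the only route points at the hub, so send it there.
    r = src.lookup(dst_ip)
    assert r.nexthop == hub.tunnel_ip and r.kind == "D"
    src.log.append(f"data to {dst_ip} forwarded via {r.nexthop}")
    # 2. Hub: forward out the same tunnel (same NHRP network-id) and, because
    #    ingress and egress tunnel match, send an NHRP Redirect to the source.
    hr = hub.lookup(dst_ip)
    hub.log.append(f"forwarded {dst_ip} to {hr.nexthop}; redirect to {src.tunnel_ip}")
    redirect = {"type": "redirect", "dst": dst_ip, "target": src.tunnel_ip}
    # 3. Originating spoke: on the Redirect, send a Resolution Request for the
    #    packet's destination; it is relayed via the hub to the destination spoke.
    request = {"type": "resolution-request", "dst": redirect["dst"],
               "src_tunnel": src.tunnel_ip, "src_nbma": src.nbma}
    src.log.append(f"resolution request for {dst_ip}")
    # 4. Destination spoke: learn the requester's NBMA (this is the spoke-spoke
    #    tunnel coming up) and reply directly with the prefix covering dst.
    dst.nhrp[request["src_tunnel"]] = request["src_nbma"]
    covering = dst.lookup(request["dst"])
    reply = {"type": "resolution-reply", "prefix": covering.prefix,
             "nexthop": dst.tunnel_ip, "nbma": dst.nbma}
    dst.log.append(f"resolution reply {reply['prefix']} over spoke-spoke tunnel")
    return src.install_shortcut(reply["prefix"], reply["nexthop"], reply["nbma"])


def build_lab(hub_summarizes):
    """Lab from the slides; the hub advertises 21.21.21.0/24 or the 21.21.0.0/16 summary."""
    hub_adv = IPv4Network("21.21.0.0/16" if hub_summarizes else "21.21.21.0/24")
    spoke1 = Router("Spoke1", "10.1.1.1", "172.16.11.100",
                    [Route(IPv4Network("11.11.11.0/24"), "0.0.0.0", "C"),
                     Route(hub_adv, "10.1.1.100")],
                    nhrp={"10.1.1.100": "172.16.101.1"})
    spoke2 = Router("Spoke2", "10.1.1.2", "172.16.21.1",
                    [Route(IPv4Network("21.21.21.0/24"), "0.0.0.0", "C"),
                     Route(IPv4Network("11.11.11.0/24"), "10.1.1.100")],
                    nhrp={"10.1.1.100": "172.16.101.1"})
    hub = Router("Hub", "10.1.1.100", "172.16.101.1",
                 [Route(IPv4Network("11.11.11.0/24"), "10.1.1.1"),
                  Route(IPv4Network("21.21.21.0/24"), "10.1.1.2")],
                 nhrp={"10.1.1.1": "172.16.11.100", "10.1.1.2": "172.16.21.1"})
    return spoke1, hub, spoke2


if __name__ == "__main__":
    for summarize in (False, True):
        s1, hub, s2 = build_lab(summarize)
        kind = phase3_exchange(s1, hub, s2, "21.21.21.1")
        best = s1.lookup("21.21.21.1")
        print(f"hub summary={summarize}: shortcut type {kind}, {best.prefix} -> "
              f"{best.effective_nexthop} (NBMA {s1.nhrp[best.effective_nexthop]})")
```

The model deliberately stops at the RIB: the real router additionally needs the IPsec SA to Spoke2's NBMA address before the spoke-spoke tunnel carries data, which is what the layered checks later on the page are for.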

Equal prefix lengths: the hub advertises 21.21.21.0/24 and the Resolution Reply carries the same /24, so NHRP attaches a next-hop override (%) to the existing EIGRP route. The override is only visible with show ip route next-hop-override:

    Spoke1#show ip route eigrp
          21.0.0.0/24 is subnetted, 1 subnets
    D %      21.21.21.0 [90/76800256] via 10.1.1.100, 00:12:12, Tunnel1

    Spoke1#show ip route next-hop-override
          21.0.0.0/24 is subnetted, 1 subnets
    D %      21.21.21.0 [90/76800256] via 10.1.1.100, 00:11:16, Tunnel1
                        [NHO][90/255] via 10.1.1.2, 00:04:42, Tunnel1

NHRP-learned prefix more specific than the RIB prefix: the hub summarizes to 21.21.0.0/16 while the Resolution Reply carries 21.21.21.0/24, so NHRP installs a separate H route with administrative distance 250 that wins by longest match:

    Spoke1#show ip route eigrp
          21.0.0.0/16 is subnetted, 1 subnets
    D        21.21.0.0 [90/76800256] via 10.1.1.100, 00:00:24, Tunnel1

    Spoke1#show ip route next-hop-override
          21.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    D        21.21.0.0/16 [90/76800256] via 10.1.1.100, 00:01:43, Tunnel1
    H        21.21.21.0/24 [250/255] via 10.1.1.2, 00:00:41, Tunnel1

Layered Troubleshooting Methodology

Work up the stack one layer at a time; each layer depends on the one below it:
1. Physical and routing layer (NBMA reachability between the tunnel sources)
2. IPsec encryption layer (IPsec/ISAKMP)
3. GRE encapsulation layer (NHRP)
4. VPN routing layer (routing protocol and IP data over the tunnel)

Before You Begin

- Sync up timestamps between the routers in question.
- Enable msec-level timestamping for debugs and syslogs:

    service timestamps debug datetime msec
    service timestamps log datetime msec

- Enable timestamping for show command output:

    terminal exec prompt timestamp

- Review the configuration on both endpoints to ensure that nothing has been missed, altered or incorrectly configured.

Layered Troubleshooting Methodology: IPsec Encryption Layer

Is the DMVPN tunnel up? For IKEv1:

    # show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    172.16.101.1    172.16.21.1     QM_IDLE           1010 ACTIVE

For IKEv2:

    # show crypto ikev2 sa
    IPv4 Crypto IKEv2 SA
    Tunnel-id Local                 Remote                fvrf/ivrf            Status
    1         172.16.1.1/500        172.16.1.2/500        none/none            READY
          Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:14, Auth sign: RSA, Auth verify: RSA
          Life/Active Time: 86400/53 sec

QM_IDLE (IKEv1) or READY (IKEv2) means the IKE SA is established; it says nothing yet about the IPsec SAs, which is the next check.

Layered Troubleshooting Methodology: IPsec Encryption Layer

Check for IPsec SAs via show crypto ipsec sa, or:

    # show crypto session detail
    Interface: Tunnel0
    Uptime: 00:04:41
    Session status: UP-ACTIVE
    Peer: 172.16.101.1 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 172.16.101.1
          Desc: (none)
      Session ID: 0
      IKEv1 SA: local 172.16.21.1/500 remote 172.16.101.1/500 Active
              Capabilities:(none) connid:1050 lifetime:23:55:18
      IPSEC FLOW: permit 47 host 172.16.21.1 host 172.16.101.1
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 5 drop 0 life (KB/Sec) 4284407/3318
            Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4284407/3318

For a DMVPN session the IPSEC FLOW is always GRE (IP protocol 47) between the two NBMA addresses, and the two Active SAs are the inbound and outbound pair. Both packet counters should increase together; SAs that exist while one direction's counter stays at zero point at the transit path or the far end rather than at crypto policy.

Layered Troubleshooting Methodology: GRE Encapsulation Layer

All traffic passing over the DMVPN tunnel is GRE encapsulated and then encrypted; NHRP is the first component to use this layer. Check whether the spoke registered successfully with the hub:

    Spoke# show ip nhrp nhs
    Legend: E=Expecting replies, R=Responding, W=Waiting
    Tunnel1:
    10.1.1.100  RE priority = 0 cluster = 0
    10.1.1.123  E  priority = 0 cluster = 0

An NHS flagged RE is answering registrations. One flagged only E (10.1.1.123 above) is being sent registration requests that never get a reply, so the GRE/IPsec path to that hub, or that hub's NHRP configuration, needs attention.

    Hub# show ip nhrp
    10.1.1.1/32 via 10.1.1.1
       Tunnel1 created 00:03:33, expire 01:56:26
       Type: dynamic, Flags: unique registered used nhop
       NBMA address: 172.16.11.100
        (Claimed NBMA address: 10.10.10.1)

On the hub, a Claimed NBMA address that differs from the NBMA address means the spoke is behind NAT: 10.10.10.1 is what the spoke wrote into its registration, 172.16.11.100 is the translated source address the hub actually received it from.

Polling Question 2
A DMVPN spoke fails to establish a routing protocol neighborship with the hub over the tunnel, but pings from the spoke's tunnel IP to the hub's tunnel IP work. Which layer(s) do we need to troubleshoot?
A. Only the Routing Layer
B. Both Encryption and Routing Layers
C. Both GRE/NHRP and Routing Layers
D. All four layers

Troubleshooting: A TAC approach

Identify the exact issue:
- What traffic is affected? Hub to spoke? Some spoke to spoke? All spoke to spoke? Host to host? All Internet-destined traffic?
- Is routing stable?
- How long has the issue been occurring? Any notable changes?

Confirm a data plane or control plane issue:
- Does routing look correct?
- Does NHRP/crypto trigger and complete?
- Is our data plane path correct?
- Could there be loss in the path?

Troubleshooting: General crypto failures

- UDP 500, UDP 4500 or ESP traffic blocked in transit
- ISAKMP profile / IPsec profile misconfigurations
- While ICMP may pass between the NBMA addresses, it is very possible that other protocols are blocked
- All ISAKMP/IPsec policy settings must match exactly on both peers
- If using PKI for authentication, the MM5/MM6 messages carry certificates, are larger, and are subject to fragmentation

Troubleshooting: ISAKMP state progression

Progression of show crypto isakmp sa states during the six-packet Main Mode exchange:

    MM_NO_STATE -> MM_SA_SETUP -> MM_KEY_EXCH -> QM_IDLE

Comparing the state on both peers tells you which message never arrived.

MM1/MM2 failure typically indicates a misconfiguration or a UDP 500 connectivity issue. The initiator never gets past MM_NO_STATE while the responder has already answered:

    Crypto_Initiator#show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    172.16.101.1    172.16.11.100   MM_NO_STATE          0 ACTIVE

    Crypto_Responder#show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    172.16.101.1    172.16.11.100   MM_SA_SETUP          0 ACTIVE

MM5/MM6 failure typically indicates an authentication or UDP 4500 connectivity issue. Both sides stall in MM_KEY_EXCH (note that the initiator lists its pre-NAT source 10.10.10.1 while the responder sees the translated 172.16.11.100):

    Crypto_Initiator#show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    172.16.101.1    10.10.10.1      MM_KEY_EXCH       1005 ACTIVE

    Crypto_Responder#show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    172.16.101.1    172.16.11.100   MM_KEY_EXCH       1007 ACTIVE
    172.16.101.1    172.16.21.1     QM_IDLE           1010 ACTIVE

QM_IDLE may be misleading: one side can already show QM_IDLE while the other side is rejecting its messages, so always check the syslog on both peers as well:

    *Jun 1 14:10:42.703: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 172.16.11.100 failed its sanity check or is malformed
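The state-to-cause mapping on these slides, turned into a small triage script as an added example (not code from the webcast). It parses show crypto isakmp sa output from both peers, records how far each SA got along the Main Mode progression, assigns the slide's failure bucket, and cross-checks QM_IDLE entries against %CRYPTO-4-IKMP_BAD_MESSAGE syslog lines. The sample outputs are constructed from the slides; the diagnosis strings and function names are this script's own.

```python
"""Triage of IKEv1 Main Mode state from 'show crypto isakmp sa' (added example).

Encodes the slide's state progression (MM_NO_STATE -> MM_SA_SETUP -> MM_KEY_EXCH ->
QM_IDLE) and its two failure buckets: stuck before MM_KEY_EXCH points at a
misconfiguration or UDP 500 reachability problem (MM1/MM2); stuck in MM_KEY_EXCH
points at authentication or UDP 4500 reachability (MM5/MM6). It also flags a
QM_IDLE entry whose peer appears in a %CRYPTO-4-IKMP_BAD_MESSAGE syslog line,
because that state alone can be misleading. Sample outputs are constructed from
the slides; the diagnosis strings and function names are this script's.
"""
import re

MAIN_MODE_ORDER = ["MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH", "QM_IDLE"]

SA_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\S+)")
BAD_MSG = re.compile(r"%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from (\d+\.\d+\.\d+\.\d+)")


def parse_isakmp_sa(text):
    """Return one dict per SA row (dst, src, state, conn-id, status)."""
    rows = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            dst, src, state, conn, status = m.groups()
            rows.append({"dst": dst, "src": src, "state": state,
                         "conn_id": int(conn), "status": status})
    return rows


def classify(state, peer=None, bad_peers=()):
    """Map an ISAKMP state to the troubleshooting bucket the slides give."""
    if state in ("MM_NO_STATE", "MM_SA_SETUP"):
        return "MM1/MM2 failure: misconfiguration or UDP 500 connectivity"
    if state == "MM_KEY_EXCH":
        return "MM5/MM6 failure: authentication or UDP 4500 connectivity"
    if state == "QM_IDLE":
        if peer in bad_peers:
            return "QM_IDLE but IKMP_BAD_MESSAGE logged for peer: check authentication"
        return "Main Mode complete: move up to the IPsec SA / NHRP checks"
    return f"unrecognised state {state}"


def triage(show_output, local, syslog=""):
    """Diagnose every SA in a 'show crypto isakmp sa' capture taken on router 'local'."""
    bad_peers = set(BAD_MSG.findall(syslog))
    results = []
    for row in parse_isakmp_sa(show_output):
        # dst/src are relative to the IKE initiator, so the peer is whichever is not us.
        peer = row["src"] if row["dst"] == local else row["dst"]
        progress = MAIN_MODE_ORDER.index(row["state"]) if row["state"] in MAIN_MODE_ORDER else -1
        results.append({**row, "peer": peer, "progress": progress,
                        "diagnosis": classify(row["state"], peer, bad_peers)})
    return results


# Constructed from the slides: responder view during an MM5/MM6 failure plus the log line,
# and the initiator view during an MM1/MM2 failure.
RESPONDER_SA = """Crypto_Responder#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.101.1    172.16.11.100   MM_KEY_EXCH       1007 ACTIVE
172.16.101.1    172.16.21.1     QM_IDLE           1010 ACTIVE
"""
INITIATOR_SA = """Crypto_Initiator#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.101.1    172.16.11.100   MM_NO_STATE          0 ACTIVE
"""
SYSLOG = ("*Jun 1 14:10:42.703: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 172.16.11.100 "
          "failed its sanity check or is malformed")

if __name__ == "__main__":
    rows = triage(RESPONDER_SA, "172.16.101.1", SYSLOG) + triage(INITIATOR_SA, "172.16.11.100")
    for r in rows:
        print(f"{r['peer']:15} {r['state']:12} step {r['progress']} -> {r['diagnosis']}")
```

Run it against captures from both peers, passing each router's own NBMA address as local; the lower of the two progress values is the message that never got through.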

Troubleshooting: NAT issues

While spoke to spoke tunneling can work through NAT, there are caveats:
- If a spoke is behind dynamic NAT, it must be the peer that initiates crypto, so that the NAT device creates the necessary translations
- A spoke to spoke tunnel will not build when both spokes are behind dynamic NAT

Troubleshooting: NHRP issues

Barring configuration issues, NHRP usually fails as a result of an issue external to NHRP (GRE, IPsec, transit network). debug nhrp packet can be helpful in reviewing the packet flow.

Troubleshooting: Flexible NetFlow (FNF)

A flow record keyed on the 5-tuple, collecting direction and packet counters, applied in both directions on the NBMA-facing interface, shows whether the IKE/IPsec packets actually arrive and leave:

    flow record test-record
     match ipv4 protocol
     match ipv4 source address
     match ipv4 destination address
     match transport source-port
     match transport destination-port
     collect flow direction
     collect counter packets
    !
    flow monitor test-monitor
     record test-record
    !
    interface GigabitEthernet2
     ip vrf forwarding ISP_1
     ip address 172.16.101.1 255.255.255.0
     ip flow monitor test-monitor input
     ip flow monitor test-monitor output
     negotiation auto
    end

    Hub1#show flow monitor test-monitor cache format table
      Cache type:                               Normal (Platform cache)
      Cache size:                               200000
      Current entries:                               6
      High Watermark:                                6

      Flows added:                                   6
      Flows aged:                                    0

    IPV4 SRC ADDR    IPV4 DST ADDR    TRNS SRC PORT  TRNS DST PORT  IP PROT  flow dirn  pkts
    ===============  ===============  =============  =============  =======  =========  ====
    172.16.11.100    172.16.101.1             61211          52842       50  Input        48
    172.16.101.1     172.16.11.100            55433          59192       50  Output       47
    172.16.101.1     172.16.21.1               4500           4501       17  Output       47
    172.16.21.1      172.16.101.1              4501           4500       17  Input        48
    172.16.101.1     224.0.0.5                    0              0       89  Output       23
    172.16.101.254   224.0.0.5                    0              0       89  Input        23

Reading the table: Spoke1 (172.16.11.100) exchanges raw ESP (IP protocol 50) with the hub; Spoke2 (172.16.21.1) uses NAT-T on UDP 4500, and its port shows up as 4501 on the hub side because the NAT device in front of it rewrote it; protocol 89 is the OSPF adjacency between the hub and its upstream 172.16.101.254. For every peer you expect the same transport with packets in both the Input and the Output direction.

A nifty TAC trick: filter the cache for one peer's NBMA address while keeping the header row (it contains SRC):

    Hub1#show flow monitor test-monitor cache format table | include SRC|172.16.21.1
    IPV4 SRC ADDR    IPV4 DST ADDR    TRNS SRC PORT  TRNS DST PORT  IP PROT  flow dirn  pkts
    172.16.101.1     172.16.21.1               4500           4501       17  Output       47
    172.16.21.1      172.16.101.1              4501           4500       17  Input        48
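The TAC trick above, automated as an added example (not code from the webcast): parse the cache table, group the rows for one peer by transport (UDP 500, UDP 4500 or ESP), and report any transport that carries packets in only one direction, which is the signature of IKE/IPsec traffic blocked in transit. The cache text is constructed from the slide's table; the function names are this script's own.

```python
"""Pair Flexible NetFlow cache rows per DMVPN peer and flag one-way flows (added example).

Automates the 'TAC trick' from the slide: filter the 'show flow monitor ... cache
format table' output for the peer's NBMA address and confirm that the IKE/IPsec
transport (UDP 500, UDP 4500 or ESP, IP protocol 50) is present in both the Input
and the Output direction. A transport seen in only one direction means the other
side's packets are dropped in transit or never sent, the usual root cause behind a
stalled ISAKMP state. The table below is constructed from the slide; the column
order matches the record defined there. Function names are this script's.
"""
import re

ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+(\d+)"
                 r"\s+(Input|Output)\s+(\d+)")
PROTO_NAMES = {50: "ESP", 89: "OSPF"}


def parse_cache(text):
    """Return one dict per flow row of 'show flow monitor X cache format table'."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            src, dst, sport, dport, proto, dirn, pkts = m.groups()
            flows.append({"src": src, "dst": dst, "sport": int(sport), "dport": int(dport),
                          "proto": int(proto), "dirn": dirn, "pkts": int(pkts)})
    return flows


def transport_key(flow, peer):
    """Name the transport so that both directions of one session share a key."""
    if flow["proto"] == 17:
        # Key on the local port: the peer's port may be rewritten by NAT (4501 on the slide).
        local_port = flow["sport"] if flow["src"] != peer else flow["dport"]
        return f"UDP/{local_port}"
    # For ESP the port columns are not real ports, so pair on addresses only.
    return PROTO_NAMES.get(flow["proto"], f"IP/{flow['proto']}")


def peer_transports(flows, peer):
    """{transport: {"Input": pkts, "Output": pkts}} for every flow to or from peer."""
    seen = {}
    for f in flows:
        if peer in (f["src"], f["dst"]):
            key = transport_key(f, peer)
            seen.setdefault(key, {"Input": 0, "Output": 0})[f["dirn"]] += f["pkts"]
    return seen


def one_way(flows, peer):
    """List transports for this peer that carry packets in only one direction."""
    problems = []
    for key, dirs in sorted(peer_transports(flows, peer).items()):
        if (dirs["Input"] == 0) != (dirs["Output"] == 0):
            missing = "Input" if dirs["Input"] == 0 else "Output"
            problems.append(f"{key}: no {missing} packets seen for {peer}")
    return problems


# Constructed from the slide's cache table (hub at 172.16.101.1).
CACHE = """\
IPV4 SRC ADDR    IPV4 DST ADDR    TRNS SRC PORT  TRNS DST PORT  IP PROT  flow dirn  pkts
===============  ===============  =============  =============  =======  =========  ====
172.16.11.100    172.16.101.1             61211          52842       50  Input        48
172.16.101.1     172.16.11.100            55433          59192       50  Output       47
172.16.101.1     172.16.21.1               4500           4501       17  Output       47
172.16.21.1      172.16.101.1              4501           4500       17  Input        48
172.16.101.1     224.0.0.5                    0              0       89  Output       23
172.16.101.254   224.0.0.5                    0              0       89  Input        23
"""
# Same table with the spoke's return traffic missing, as if UDP 4500 were blocked inbound.
CACHE_ONE_WAY = "\n".join(l for l in CACHE.splitlines() if not l.startswith("172.16.21.1"))

if __name__ == "__main__":
    flows = parse_cache(CACHE)
    for peer in ("172.16.11.100", "172.16.21.1"):
        print(peer, peer_transports(flows, peer), one_way(flows, peer) or "bidirectional")
    print("blocked case:", one_way(parse_cache(CACHE_ONE_WAY), "172.16.21.1"))
```

Feed it the raw output of the show command captured on the hub; the filter the slide applies with include is done here by the address test in peer_transports.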

Troubleshooting: Embedded Packet Capture (EPC)

Capture ICMP in both directions on the LAN-facing interface, start and stop the capture, and optionally cap the bytes kept per packet:

    Spoke1(config)#ip access-list extended CAPACL
    Spoke1(config-ext-nacl)#permit icmp any any
    Spoke1(config-ext-nacl)#end
    Spoke1#monitor capture PCAP access-list CAPACL interface GigabitEthernet3 both
    Spoke1#monitor capture PCAP start
    *Jun 1 02:31:26.091: %BUFCAP-6-ENABLE: Capture Point PCAP enabled.
    Spoke1#monitor capture PCAP stop
    *Jun 1 02:31:53.718: %BUFCAP-6-DISABLE: Capture Point PCAP disabled.
    Spoke1#monitor capture PCAP limit packet-len ?
      <64-9500>  length(in bytes) : Min 64 : Max 9500

Choose the capture point with the encapsulation in mind: this ACL matches the cleartext inner traffic, so it works on the LAN side as here; on the NBMA-facing interface the same flow appears as GRE inside ESP or UDP 4500, and a permit icmp entry would match nothing.

Inspect the buffer:

    Spoke1#show monitor capture PCAP buffer
    buffer size (KB)        : 10240
    buffer used (KB)        : 128
    packets in buf          : 10
    packets dropped         : 0
    packets per sec         : 135

    Spoke1#show monitor capture PCAP buffer brief
     -------------------------------------------------------------
     #   size   timestamp     source             destination   protocol
     -------------------------------------------------------------
       0  114    0.000000   11.11.11.1       ->  10.1.1.100       ICMP
       1  114    0.005004   10.1.1.100       ->  11.11.11.1       ICMP
       2  114    0.005996   11.11.11.1       ->  10.1.1.100       ICMP
       3  114    0.009002   10.1.1.100       ->  11.11.11.1       ICMP
       4  114    0.010009   11.11.11.1       ->  10.1.1.100       ICMP
       5  114    0.012999   10.1.1.100       ->  11.11.11.1       ICMP

Export the capture for analysis off-box:

    Spoke1#monitor capture PCAP export ?
      bootflash:  Location of the file
      flash:      Location of the file
      ftp:        Location of the file
      http:       Location of the file
      https:      Location of the file
      pram:       Location of the file
      rcp:        Location of the file
      scp:        Location of the file
      tftp:       Location of the file
    Spoke1#monitor capture PCAP export tftp://1.1.1.1/capture.pcap

Troubleshooting: IOS-XE Packet Trace

- Useful for troubleshooting the data plane path of packets
- Shows each feature the packet hits in processing (fia-trace)
- Similar to the packet-tracer feature on the ASA
- Download the slides for the configuration guide and examples

Troubleshooting Example: Topology

- Hub: Tunnel1 10.1.1.100, NBMA 172.16.101.1, connected to the Internet
- Spoke1: Tunnel1 10.1.1.1, real NBMA 10.10.10.1, NATed NBMA 172.16.11.100 (behind NAT device S1), LAN 11.11.11.0/24
- Spoke2: Tunnel2 10.1.1.2, real NBMA 20.20.20.1, NATed NBMA 172.16.21.1 (behind NAT device S2), LAN 21.21.21.0/24

Troubleshooting Example: Physical Configuration (All Routers)

DMVPN Spoke1 (10.10.10.1 is translated to 172.16.11.x by S1):

    ip vrf ISP_1
    !
    interface GigabitEthernet2
     ip vrf forwarding ISP_1
     ip address 10.10.10.1 255.255.255.0
     negotiation auto
    end

DMVPN Hub:

    interface GigabitEthernet2
     ip vrf forwarding ISP_1
     ip address 172.16.101.1 255.255.255.0
     negotiation auto
    end

DMVPN Spoke2 (20.20.20.1 is translated to 172.16.21.x by S2):

    interface GigabitEthernet2
     ip vrf forwarding ISP_1
     ip address 20.20.20.1 255.255.255.0
     negotiation auto
    end

Troubleshooting Example: Crypto Configuration (All Routers)

    crypto keyring ISP_1_KEYRING vrf ISP_1
     pre-shared-key address 0.0.0.0 0.0.0.0 key ISP_1_KEY
    !
    crypto isakmp policy 1
     encr aes 256
     hash sha256
     authentication pre-share
    !
    crypto isakmp keepalive 10          ! spokes only
    !
    crypto ipsec transform-set DMVPN-TSET esp-aes 256 esp-sha256-hmac
     mode transport
    !
    crypto ipsec profile DMVPN-IPSEC
     set transform-set DMVPN-TSET

Two points to weigh before reusing this lab policy: the wildcard keyring (address 0.0.0.0 0.0.0.0) gives every spoke the same pre-shared key, so a compromised spoke can authenticate as any peer, which is why the best-practice slides prefer PKI; and the ISAKMP policy sets no group, so the platform default Diffie-Hellman group applies (group 1 on IOS), far weaker than the AES-256/SHA-256 chosen beside it. Add group 14 or higher explicitly.

Troubleshooting Example: Tunnel Configuration

DMVPN Hub:

    interface Tunnel1
     bandwidth 50000
     ip address 10.1.1.100 255.255.255.0
     no ip redirects
     ip mtu 1400
     no ip split-horizon eigrp 1
     ip nhrp authentication NHRPAUTH
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     ip nhrp holdtime 300
     ip nhrp redirect
     ip summary-address eigrp 1 21.21.0.0 255.255.0.0
     ip tcp adjust-mss 1360
     delay 100000
     tunnel source GigabitEthernet2
     tunnel mode gre multipoint
     tunnel key 1
     tunnel vrf ISP_1
     tunnel protection ipsec profile DMVPN-IPSEC

DMVPN Spokes:

    interface Tunnel1
     bandwidth 50000
     ip address 10.1.1.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication NHRPAUTH
     ip nhrp network-id 1
     ip nhrp holdtime 300
     ip nhrp nhs 10.1.1.100 nbma 172.16.101.1 multicast
     ip nhrp shortcut
     ip tcp adjust-mss 1360
     delay 100000
     tunnel source GigabitEthernet2
     tunnel mode gre multipoint
     tunnel key 1
     tunnel vrf ISP_1
     tunnel protection ipsec profile DMVPN-IPSEC

ip nhrp redirect on the hub and ip nhrp shortcut on the spokes are what make this a Phase 3 cloud; ip summary-address eigrp on the hub is the summarization that produces the H route shown earlier. ip nhrp authentication is a cleartext string carried inside the NHRP packet: it keeps mismatched clouds apart but is not a security control, the peer authentication comes from IPsec tunnel protection. The tunnel key, network-id and authentication string must match on hub and spokes.

Troubleshooting Example in VIRL (live demonstration)

Polling Question 3
Which port(s)/protocol(s) need to be permitted between two DMVPN endpoints if a device along the network path between them performs NAT for all traffic?
A. UDP 500 and UDP 4500 only
B. UDP 500 and ESP/IP protocol 50 only
C. UDP 500, UDP 4500 and ESP/IP protocol 50
D. Only UDP 4500

Best Practices: General

- MTU 1400 and TCP adjust-MSS 1360 on the tunnel interface
- No GRE keepalives; they are unsupported with tunnel protection
- Use GRE tunnel keys with mGRE so that each tunnel is identified by a unique source/destination/key triplet
- Use VRFs to segregate traffic when possible and convenient

Best Practices: ISAKMP

- The ISAKMP SA lifetime should be longer than the IPsec SA lifetime
- Enable Dead Peer Detection (DPD)
- Security settings: use strong encryption and authentication, such as AES and SHA-2; prefer PKI/certificate-based authentication over PSK

Best Practices: IPsec

- Configure the transform set for mode transport rather than the default mode tunnel
- Use the strongest settings supported by all devices
- Do not combine ESP with AH; only ESP should be used

Best Practices: Routing

- Unique routing instance for the DMVPN cloud
- Summarization on the hub

