Tuesday, December 23, 2014

GET VPN - part nine (exception)




Let’s consider scenario where we need to block traffic between some LANs but we don’t want to change proxy to not increase number of Security Association (SA).
My requirements are:
  • ACL should be the same - access-list 102 permit ip 20.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
  • permit LAN1-spoke1 (20.33.33.33) to LAN1-spoke2 (20.44.44.44)
  • deny LAN1-spoke1 (20.33.33.33) to LAN1-spoke3 (20.55.55.55)
One of the recommend method is ‘match’ statement under a crypto map:

access-list 120 deny   ip host 20.33.33.33 host 20.55.55.55 

before I apply this access list I need to be sure I can ping hosts between sites:
 
R5#ping vrf RED 20.33.33.33 source 20.55.55.55
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.33.33.33, timeout is 2 seconds:
Packet sent with a source address of 20.55.55.55
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/98/100 ms
R5#
 
 
R4#ping vrf RED 20.33.33.33 source 20.44.44.44
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.33.33.33, timeout is 2 seconds:
Packet sent with a source address of 20.44.44.44
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/110/136 ms
R4#

As you see I can ping from both sites. Let’s apply the ACL:
 
R3#sh run int fa0/0.3
Building configuration...

Current configuration : 140 bytes
!
interface FastEthernet0/0.3
 encapsulation dot1Q 73
 ip vrf forwarding RED
 ip address 27.27.27.2 255.255.255.0
 crypto map MAPA-RED
end

R3#

Remember to choose the correct crypto map !
 
crypto map MAPA-RED 10 gdoi
 set group GDOI-GROUP-RED
 match address 120

and repeat the same test:
 
R5#ping vrf RED 20.33.33.33 source 20.55.55.55
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.33.33.33, timeout is 2 seconds:
Packet sent with a source address of 20.55.55.55
.....
Success rate is 0 percent (0/5)
R5#
 
 
R4#ping vrf RED 20.33.33.33 source 20.44.44.44
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.33.33.33, timeout is 2 seconds:
Packet sent with a source address of 20.44.44.44
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/106/132 ms
R4#

As you see above the new exception works as expected. More information about the GET VPN solution you find here:

http://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/deployment_guide_c07_554713.html

No comments:

Post a Comment