How to advertise the subnets of a Branch MD into the VPNC?

Requirement:

In AOS 8.x, a Branch Office Controller (BOC) managed device (MD) can carry subnets that are local to the branch site. Nothing advertises those subnets across the IPsec tunnel by default, so the VPNC / data center side has no route to them and hosts on those subnets are not reachable from the data center.

Solution:

•    To reach hosts on particular branch subnets/VLANs from the data center side, advertise those subnets to the VPNC over the IPsec tunnel with the following command on the Branch MD:


crypto-local isakmp route ipsec <route-ipsec-map-name> vlan <vlan-value>


Once this command is configured on the BOC, the subnets of the listed VLANs are advertised to the VPNC as static routes (not OSPF), pointing into the IPsec map for that branch.

•    We do not recommend enabling OSPF in the Branch.
•    If a Branch MD has tunnels to multiple VPNCs, advertise the same subnets through every IPsec tunnel (each IPsec map) so that the subnets remain reachable when the branch's data links fail over.

Configuration:

Below is an example, where we'll advertise the subnets from a Branch MD into the VPNC. 

(Rajaguru-MM) [mynode] #show configuration node-hierarchy 

Default-node is not configured. Autopark is disabled.

Configuration node hierarchy
----------------------------
Config Node                            Type    Name
-----------                            ----    ----
/                                      System  
/md                                    System  
/md/Quantum-Branch                     Group   
/md/Quantum-Branch/00:0b:86:bc:04:87   Device  Quantum-Branch-1
/md/Quantum-VPN-Con                    Group   
/md/Quantum-VPN-Con/00:0b:86:b8:aa:90  Device  VPNCon1
/md/Quantum-VPN-Con/00:0b:86:be:f3:88  Device  VPNCon2
/mm                                    System  
/mm/mynode                             System  

 

Branch has VLAN 10 and VLAN 20 as local subnets. 

(Rajaguru-MM) [mynode] #cd Quantum-Branch-1
(Rajaguru-MM) [00:0b:86:bc:04:87] #mdconnect 

 Redirecting to Managed Device Shell
Last login: Tue Feb 27 23:33:42 2018 from 10.29.163.210
(Quantum-Branch-1) [MDC] #
(Quantum-Branch-1) [MDC] #show ip interface brief 

Interface                   IP Address / IP Netmask        Admin   Protocol   VRRP-IP
vlan 2                         2.2.2.1 / 255.255.255.255   up      up                        
vlan 1                     192.168.5.2 / 255.255.255.0     up      up                        
vlan 10                  192.168.10.33 / 255.255.255.224   up      up                        
vlan 20                  192.168.20.33 / 255.255.255.224   up      up                        
loopback                    unassigned / unassigned        up      up  
mgmt                        unassigned / unassigned        up      down 

DHCP is enabled on VLAN(s) 1
(Quantum-Branch-1) [MDC] #
(Quantum-Branch-1) [MDC] #exit

Exiting Managed Device Shell
(Rajaguru-MM) [00:0b:86:bc:04:87] #


Configuring "crypto-local isakmp route" on the Branch MD to advertise VLANs 10 and 20.

(Rajaguru-MM) [00:0b:86:bc:04:87] #configure terminal 
Enter Configuration commands, one per line. End with CNTL/Z

(Rajaguru-MM) [00:0b:86:bc:04:87] (config) #
(Rajaguru-MM) [00:0b:86:bc:04:87] (config) #crypto-local isakmp route ipsec default-vpnip-local-ipsecmap vlan 10,20
(Rajaguru-MM) ^[00:0b:86:bc:04:87] (config) #exit
(Rajaguru-MM) ^[00:0b:86:bc:04:87] #write memory 

Saving Configuration...

Partial configuration for /md/Quantum-Branch/00:0b:86:bc:04:87
------------------------------------
Contents of : /flash/ccm/partial/103/p=md=Quantum-Branch=00:0b:86:bc:04:87.cfg
[FILE_INFO] /sc 103

crypto-local isakmp route ipsec default-vpnip-local-ipsecmap vlan 10,20 

Configuration Saved.
(Rajaguru-MM) [00:0b:86:bc:04:87] #


Verification

Verifying the advertised static route on the VPNC. 

(Rajaguru-MM) [00:0b:86:bc:04:87] #cd VPNCon1
(Rajaguru-MM) [00:0b:86:b8:aa:90] #mdconnect 

 Redirecting to Managed Device Shell
Last login: Wed Feb 28 01:17:28 2018 from 10.29.163.210
(VPNCon1) [MDC] #
(VPNCon1) [MDC] #show ip route 

Codes: C - connected, O - OSPF, R - RIP, S - static
       M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN/Branch

Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
Gateway of last resort is 10.29.167.1 to network 0.0.0.0 at cost 1
S*    0.0.0.0/0  [1/0] via 10.29.167.1*
S    192.168.10.32/27 [10/0] ipsec map default-vpnip-master-ipsecmap-00:0b:86:bc:04:87
S    192.168.20.32/27 [10/0] ipsec map default-vpnip-master-ipsecmap-00:0b:86:bc:04:87
C    10.29.167.0/24 is directly connected, VLAN1
C    10.29.163.210/32 is an ipsec map default-local-master-ipsecmap
C    2.2.2.1/32 is an ipsec map default-vpnip-master-ipsecmap-00:0b:86:bc:04:87
(VPNCon1) [MDC] #
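As an added example (not part of the original article), the following Python script automates the verification step above and the failover caveat from the Solution section: it derives each local VLAN's subnet from the branch's `show ip interface brief` output and checks that the VPNC's `show ip route` lists that subnet as a static route via the per-branch IPsec map (the map name on the VPNC ends in the branch MAC, as seen above). The sample outputs embedded in the script are constructed from the values shown on this page; the function names and the `ok` / `missing` / `wrong-map` statuses are this example's own.

```python
"""Verify that a Branch MD's local VLAN subnets are present on a VPNC as
static routes via that branch's IPsec map.

Added example, not code from the original article or from Aruba. It parses
the plain text of `show ip interface brief` (branch) and `show ip route`
(VPNC). The sample outputs below are constructed from the article's values."""
import ipaddress
import re

# Constructed sample: branch `show ip interface brief` (values from the article).
BRANCH_IF_BRIEF = """\
Interface                   IP Address / IP Netmask        Admin   Protocol   VRRP-IP
vlan 2                         2.2.2.1 / 255.255.255.255   up      up
vlan 1                     192.168.5.2 / 255.255.255.0     up      up
vlan 10                  192.168.10.33 / 255.255.255.224   up      up
vlan 20                  192.168.20.33 / 255.255.255.224   up      up
loopback                    unassigned / unassigned        up      up
mgmt                        unassigned / unassigned        up      down
"""

# Constructed sample: VPNC `show ip route` (values from the article).
VPNC_ROUTES = """\
S*    0.0.0.0/0  [1/0] via 10.29.167.1*
S    192.168.10.32/27 [10/0] ipsec map default-vpnip-master-ipsecmap-00:0b:86:bc:04:87
S    192.168.20.32/27 [10/0] ipsec map default-vpnip-master-ipsecmap-00:0b:86:bc:04:87
C    10.29.167.0/24 is directly connected, VLAN1
C    10.29.163.210/32 is an ipsec map default-local-master-ipsecmap
C    2.2.2.1/32 is an ipsec map default-vpnip-master-ipsecmap-00:0b:86:bc:04:87
"""

# "vlan <id>   <addr> / <mask>   up   up" lines only (admin and protocol both up).
IF_RE = re.compile(r"^vlan\s+(\d+)\s+(\S+)\s*/\s*(\S+)\s+up\s+up", re.M)
# Static routes whose next hop is an IPsec map: "S  <prefix> [ad/metric] ipsec map <name>".
# The default route line starts with "S*" and therefore does not match.
ROUTE_RE = re.compile(r"^S\s+(\S+/\d+)\s+\[\d+/\d+\]\s+ipsec map\s+(\S+)", re.M)


def vlan_subnets(if_brief):
    """Return {vlan_id: IPv4Network} for every up/up VLAN interface with an address.
    The interface carries a host address; strict=False collapses it to its subnet
    (192.168.10.33/255.255.255.224 -> 192.168.10.32/27)."""
    result = {}
    for vid, addr, mask in IF_RE.findall(if_brief):
        if addr == "unassigned":
            continue
        result[int(vid)] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return result


def ipsec_static_routes(route_table):
    """Return {IPv4Network: ipsec_map_name} for static routes that point into an IPsec map."""
    return {ipaddress.ip_network(p): m for p, m in ROUTE_RE.findall(route_table)}


def check_advertised(if_brief, route_table, vlans, branch_mac):
    """For each VLAN id in `vlans`, report whether its subnet is on the VPNC as a
    static route via the per-branch IPsec map (map name ending in `branch_mac`).
    Returns {vlan_id: (subnet_or_None, status)} where status is one of
    'ok', 'missing', 'wrong-map' or 'unknown-vlan'."""
    subnets = vlan_subnets(if_brief)
    routes = ipsec_static_routes(route_table)
    report = {}
    for vid in vlans:
        net = subnets.get(vid)
        if net is None:
            report[vid] = (None, "unknown-vlan")
            continue
        map_name = routes.get(net)
        if map_name is None:
            status = "missing"          # not advertised through this VPNC's tunnel
        elif not map_name.endswith(branch_mac):
            status = "wrong-map"        # route exists but via some other branch's map
        else:
            status = "ok"
        report[vid] = (net, status)
    return report


if __name__ == "__main__":
    # Branch MAC taken from the node hierarchy shown in the article.
    result = check_advertised(BRANCH_IF_BRIEF, VPNC_ROUTES, [10, 20], "00:0b:86:bc:04:87")
    for vid, (net, status) in result.items():
        print(f"vlan {vid} {net}: {status}")
```

Run the check once per VPNC the branch peers with, feeding in that VPNC's own `show ip route`; a `missing` result for any VLAN on any VPNC means that subnet will drop out of reach as soon as the branch's data link fails over to that tunnel, which is exactly the case the Solution section warns about.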
Version history: Revision 2 of 2, last update 02-28-2018 01:24 AM

Comments
Kothandaraman

This document is very useful.

Thank you

Kothandaraman.

ManalWong

If the branch subnets show as static routes at the VPNC, how can I advertise them to my data center network?
