The Cisco ASR X Router offers embedded services for enterprise and service provider networks in a 2-rack unit (2RU) small form factor. It is integrated with. ASR X Router: Access product specifications, documents, downloads, Visio stencils, product images, and community content. Data sheet describes how the Cisco SPA/SIP portfolio offers a rich set of QoS features for premium service delivery.
|Published (Last):||3 August 2013|
This information is provided as an example only. Please note that this guide is not meant to be a comprehensive overview of IPsec and assumes basic familiarity with the IPsec protocol.
The topology outlined by this guide is a basic site-to-site IPsec VPN tunnel configuration using the referenced device.
The configuration samples which follow will include numerous value substitutions provided for the purpose of example only. Any references to IP addresses, device IDs, shared secrets or keys, account information or project names should be replaced with the appropriate values for your environment when following this guide. This guide is not meant to be a comprehensive setup overview for the device referenced, but rather is only intended to assist in the creation of IPsec connectivity to Google Cloud Platform (GCP) VPC networks.
The following is a high-level overview of the configuration process which will be covered: Click Create to create the gateway, Cloud Router, and all tunnels, though tunnels will not connect until you’ve configured the peer router as well. Configure your firewall rules to allow inbound traffic from the peer network subnets, and you must configure the peer network firewall to allow inbound traffic from your Compute Engine prefixes.
Create a custom VPC network.
You can also use an auto VPC network; make sure there is no conflict with your local network range. Create a VPN gateway in the desired region. Normally, this is the region that contains the instances you want to reach. Make a note of the created address for use in later steps.
Use the static IP address vpn-static-ip you reserved earlier. This step generates a forwarding rule named fr-espfr-udpfr-udp resp. Create Cloud Router as shown below: You also need to supply the shared secret. The default, and preferred, IKE version is 2. The following example sets IKE version to 2. After you run this command, resources are allocated for this VPN tunnel, but it is not yet passing traffic.
The netmask length is recommended to be Make sure each tunnel has a unique pair of IPs. Alternatively, you can leave --ip-address and --mask-length blank, and leave --peer-ip-address blank in the next step, and IP addresses will be automatically generated for you.
You can use your public ASN or a private ASN that you are not already using in the peer network. It must belong to the same subnet as the GCP-side interface. The upcoming sections provide details on both below.
Peer IP address — Enter your on-premises public IP address here, with the above-mentioned topology it is Go to the Firewall rules page. Normally, this is the region that contains the instances you wish to reach. You can repeat this command to add multiple ranges to the VPN tunnel. The region must be the same as for the tunnel.
This section provides the base network configuration of Cisco ASR to establish network connectivity. At least one internal facing interface is required to connect to your own network, and one external facing interface is required to connect to GCP. A sample interface configuration is provided below for reference: The default proposal associated with the default policy is used for negotiation. An IKEv2 policy with no proposal is considered incomplete. In this block, the following parameters are set:
DPD — set the dead peer detection interval and retry interval; if there is no response from the peer, the SA created for that peer is deleted. Set to a 60-second keepalive interval and a 5-second retry interval as the recommended configuration on the ASR router.
Create IPsec security-association SA rules. A security association is a relationship between two or more entities that describes how the entities will use security services to communicate securely. During tunnel establishment, the two peers negotiate security associations that govern authentication, encryption, encapsulation, and key management.
These negotiations involve two asg The following commands set the SA lifetime and timing parameters. A transform set represents a certain combination of security protocols and algorithms. During the IPsec SA negotiation, the peers agree to use a particular transform set for protecting a particular data flow.
In this block, the following parameters are set. SA Lifetime – set the lifetime of the security associations after which a reconnection will occur. Set to seconds as recommended configuration on ASR router. A tunnel interface is configured to be the logical interface associated with the tunnel.
All traffic routed to the tunnel interface will be encrypted and transmitted to the GCP. Similarly, traffic from the GCP will be logically received on this interface.
Association with the IPsec security association is done through the tunnel protection command. With these recommended settings, TCP sessions quickly scale back to byte IP packets so the packets will “fit” in the tunnel. The GCP will announce the prefix corresponding to your Cloud. To advertise additional prefixes to GCP, copy the “network” statement and identify the prefix you wish to advertise.
Make sure the prefix is present in the routing table of the ASR with a valid next-hop. Check Best practices for further recommendations on peer configurations.
To save the running configuration and set it as the default startup, run the following command on Cisco IOS terminal: If a Cloud VPN tunnel goes down, it restarts automatically. If an entire virtual device fails, Cloud VPN automatically instantiates a new one with the same configuration, so you don’t need to build two Cloud VPN gateways. The new gateway and tunnel connect automatically. To ensure symmetry in your traffic flow, you can configure MED to influence the inbound traffic from GCP for the same tunnel you are sending outbound traffic to.
Note that the lower the MED, the higher the preference. If you are using static routing, then instead of the BGP configuration mentioned above you can change the metric (the higher the metric, the lower the preference) for your static route as shown below: With dynamic routing you have the option to define advertised-route-priority; a lower priority value is preferred.
More details can be found here. When using static routing GCP provides you an option to customize the priority in case there are multiple routes with the same prefix length.
To keep traffic flow symmetric, make sure that you set the priority of your secondary tunnel to a higher value than the primary tunnel default priority is To define the route priority run the below command. To increase VPN throughput, the recommendation is to add multiple Cloud VPN gateways in the same region to load balance the traffic across the tunnels. The two-tunnel configuration example here is built on the IPsec tunnel and BGP configuration illustrated above and can be expanded to more tunnels if required.
The ASR router runs CEF load balancing based on a hash of the source and destination IP addresses. Each VPN tunnel is treated as an equal-cost path by routing, and up to 16 equal-cost paths are supported for load balancing. GCP does ECMP by default, so there is no additional configuration required apart from creating x number of tunnels, where x depends on your throughput requirements.
Be sure to use the inside interface on the ASR Please refer to the troubleshooting Datassheet made easy for. Please refer to the following documentation for ASR Platform feature configuration guide and datasheet:
Environment overview The equipment used in the creation of this guide is as follows: Before you begin Overview The configuration samples which follow will include numerous value substitutions provided for the purpose of example only. The following is a high-level overview of the configuration process which will be covered: Click Create VPN connection.
Populate the following fields for the gateway: Name — The name of the VPN gateway. This name is displayed in the console and used by the gcloud command-line tool to reference the gateway.
In this case it is vpn-scale-test-ciscoa custom VPC network. Region — The region where you want to locate the VPN gateway. If you don’t have a static external IP address, you can create one by clicking New static IP address in the pull-down menu.
Selected vpn-scale-test0 for this guide. Populate fields for at least one tunnel: Peer IP address — Shared Secret — Character string used in establishing encryption for that tunnel. You must enter the same shared secret into both VPN gateways. If the VPN gateway device on the peer side of the tunnel doesn’t generate one automatically, you can make one up.
Cloud router — Select Create cloud router, then populate the following fields. When you are done, click Save and continue. Name — The name of the Cloud Router. This name is displayed in the console and used by the gcloud command-line tool to reference the router.
It can be any private ASN you are not already using.