DMVPN + ZBFW + BDI interfaces

Gary Keaney
Level 1

This may be my first post, so I'll try and make it a good one. I've been struggling with this for a while now. I thought I was being clever by using Bridge Domain Interfaces to add a bit of resilience to this design; now this choice seems to have come back to bite me.

I have an ISR4331 router with both LAN and WAN interfaces connected to a pair of stacked 2960X switches. The switch ports are trunks and STP is enabled on the router. All looks well so far as I can see: on the router, one of the physical interfaces is being blocked by STP.

My issue started when I then added the DMVPN configuration. Here's the config:

 

version 16.3
!
class-map type inspect match-any TRACEROUTE
 match access-group name ICMP_TRACE
!
class-map type inspect match-any INTERNET
 match protocol http
 match protocol https
 match protocol dns
 match protocol tcp
 match protocol udp
 match protocol icmp
!
class-map type inspect match-all MANAGEMENT-IN
 match access-group name MANAGEMENT_ACCESS_IN
!
class-map type inspect match-all DMVPN
 match access-group name DMVPN_PROTOCOLS
!
class-map type inspect match-all PINGS
 match protocol icmp
!
class-map type inspect match-all MANAGEMENT-OUT
 match access-group name MANAGEMENT_ACCESS_OUT
!
policy-map type inspect To_Internet
 class type inspect INTERNET
  inspect
 class class-default
  drop
!
policy-map type inspect Outside->Router
 class type inspect DMVPN
  pass
 class type inspect MANAGEMENT-IN
  inspect
 class type inspect TRACEROUTE
  pass
 class class-default
  drop log
!
policy-map type inspect Router->Outside
 class type inspect DMVPN
  pass
 class type inspect MANAGEMENT-OUT
  inspect
 class type inspect PINGS
  inspect
 class class-default
  drop log
!
zone security OUTSIDE
zone security INSIDE
!
zone-pair security Inside->Outside source INSIDE destination OUTSIDE
 service-policy type inspect To_Internet
zone-pair security OUTSIDE-TO-SELFZONE source OUTSIDE destination self
 service-policy type inspect Outside->Router
zone-pair security SELFZONE-TO-OUTSIDE source self destination OUTSIDE
 service-policy type inspect Router->Outside
! 
crypto isakmp policy 1
 encr aes
 hash sha256
 authentication pre-share
 group 5
!
crypto isakmp key &somekey% address x.x.x.x  no-xauth
crypto isakmp key &somekey% address x.x.x.x  no-xauth
crypto isakmp key &somekey% address x.x.x.x  no-xauth
!
!
crypto ipsec transform-set ah-sha-hmac esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile TSPGRE
 description GRE Tunnel
 set transform-set ah-sha-hmac 
!
interface Tunnel1
 bandwidth 1000
 ip address 172.16.0.129 255.255.255.128
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
 ip nhrp authentication gre
 ip nhrp network-id 50000
 zone-member security INSIDE
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source BDI666
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile TSPGRE
!
interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
 !
 service instance 666 ethernet
  encapsulation dot1q 666
  rewrite ingress tag pop 1 symmetric
  l2protocol peer stp
  bridge-domain 666
 !
 service instance 1000 ethernet
  encapsulation dot1q 1000
  rewrite ingress tag pop 1 symmetric
  l2protocol peer stp
  bridge-domain 1000
 !
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
 !
 service instance 666 ethernet
  encapsulation dot1q 666
  rewrite ingress tag pop 1 symmetric
  l2protocol peer stp
  bridge-domain 666
 !
 service instance 1000 ethernet
  encapsulation dot1q 1000
  rewrite ingress tag pop 1 symmetric
  l2protocol peer stp
  bridge-domain 1000
!
!
interface BDI666
 ip address <PUBLIC_IP> 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 zone-member security OUTSIDE
!
interface BDI1000
 ip address 10.13.15.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 zone-member security INSIDE
!
ip route 0.0.0.0 0.0.0.0 <DG>
!
ip access-list extended DMVPN_PROTOCOLS
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit gre any any
 permit eigrp any any
ip access-list extended ICMP_TRACE
 permit icmp any any time-exceeded
 permit icmp any any host-unreachable
 permit icmp any any port-unreachable
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
ip access-list extended MANAGEMENT_ACCESS_IN
 permit tcp <MNGT_SUBNET> 0.0.0.255 any eq 22
 permit tcp <MNGT_SUBNET> 0.0.0.255 any eq ftp
 permit udp <MNGT_SUBNET> 0.0.0.255 any eq snmp
 permit udp <MNGT_SUBNET> 0.0.0.255 any eq tftp
 permit icmp <MNGT_SUBNET> 0.0.0.255 any
ip access-list extended MANAGEMENT_ACCESS_OUT
 permit tcp any <MNGT_SUBNET> 0.0.0.255 eq tacacs
 permit udp any <MNGT_SUBNET> 0.0.0.255 eq snmptrap
 permit udp any <MNGT_SUBNET> 0.0.0.255 eq ntp
 permit icmp any <MNGT_SUBNET> 0.0.0.255
!

I'm using fairly up to date IOS-XE code, specifically this file; isr4300-universalk9.16.03.04.SPA.bin.

So what I've managed to deduce for myself is that ZBFW inspection is not supported with BDI interfaces. From "Zone-Based Policy Firewall, Cisco IOS XE Release 3S": "Bridge domain interfaces do not support zone-based firewall inspection, including all Layer 4 and Layer 7 inspection."

So is there any workaround possible? Can I use only pass statements (remembering to do both directions), or will this simply not work?

Appreciate any and all replies, thanks.

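For readers weighing the "pass in both directions" idea raised in the post, the fragment below is an added editorial illustration of what a stateless pass-only policy between the INSIDE and OUTSIDE zones looks like for the web/DNS traffic the original To_Internet policy inspects. It is not the poster's configuration and not a Cisco statement that `pass` is supported on BDIs in this release; the ACL, class-map and policy-map names are invented for the example, and the 10.13.15.0/24 LAN is taken from BDI1000 in the post. Because `pass` keeps no session state, the return direction has to be permitted explicitly by a second zone-pair, which is the part of the design that deserves scrutiny.

```cisco
! Forward direction: LAN hosts initiating HTTP, HTTPS and DNS to the Internet.
ip access-list extended INSIDE_TO_OUTSIDE_PASS
 permit tcp 10.13.15.0 0.0.0.255 any eq 80
 permit tcp 10.13.15.0 0.0.0.255 any eq 443
 permit udp 10.13.15.0 0.0.0.255 any eq 53
!
! Return direction: with pass there is no state table, so replies must be
! described purely by L3/L4 fields. Keep this as narrow as possible; note
! that any external host sourcing from port 80/443/53 matches these lines,
! which is the price of giving up inspection.
ip access-list extended OUTSIDE_TO_INSIDE_PASS
 permit tcp any eq 80 10.13.15.0 0.0.0.255 gt 1023
 permit tcp any eq 443 10.13.15.0 0.0.0.255 gt 1023
 permit udp any eq 53 10.13.15.0 0.0.0.255 gt 1023
!
class-map type inspect match-all INSIDE_TO_OUTSIDE_PASS
 match access-group name INSIDE_TO_OUTSIDE_PASS
!
class-map type inspect match-all OUTSIDE_TO_INSIDE_PASS
 match access-group name OUTSIDE_TO_INSIDE_PASS
!
! Both policies use pass, never inspect; everything else is dropped and logged.
policy-map type inspect Inside->Outside_Pass
 class type inspect INSIDE_TO_OUTSIDE_PASS
  pass
 class class-default
  drop log
!
policy-map type inspect Outside->Inside_Pass
 class type inspect OUTSIDE_TO_INSIDE_PASS
  pass
 class class-default
  drop log
!
! The existing Inside->Outside zone-pair is repointed at the pass-only policy
! and a second zone-pair is added for the return traffic.
zone-pair security Inside->Outside source INSIDE destination OUTSIDE
 service-policy type inspect Inside->Outside_Pass
!
zone-pair security Outside->Inside source OUTSIDE destination INSIDE
 service-policy type inspect Outside->Inside_Pass
```

Two things to check before relying on this. First, confirm traffic is actually hitting the pass classes rather than class-default with `show policy-map type inspect zone-pair`, since the counters are the only evidence that the BDI path honours the policy at all. Second, the same statelessness already applies to the DMVPN class in the post's self-zone policies: `permit gre any any`, `permit esp any any` and the ISAKMP lines admit those protocols from any source, so on a hub with a known set of spokes it is worth narrowing them to the peer addresses configured under `crypto isakmp key`.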