How to verify Cisco IPSEC tunnel ISAKMP phase

Once you are done configuring the IPSEC VPN tunnel, we will need to verify the connectivity between sites. So, will discuss these commands in bit detail.

Show crypto isakmp sa

Above command will tell us the status of our ISAKMP negotiations, here are some of the common ISAKMP SA statuses

The following four modes are found in IKE main mode

  • MM_NO_STATE – ISAKMP SA process has started but has not continued to form (typically due to a connectivity issue with the peer)
  • MM_SA_SETUP – Both peers agree on ISAKMP SA parameters and will move along the process
  • MM_KEY_EXCH – Both peers exchange their DH keys and are generating their secret keys. (This state could also mean there is a mis-matched authentication type or PSK, if it does not proceed to the next step)
  • MM_KEY_AUTH – ISAKMP SA’s have been authenticated in main mode and will proceed to QM_IDLE immediately

The following three modes are found in IKE aggressive mode

  • AG_NO_STATE – ISAKMP SA process has started but has not continued to form (typically do to a connectivity issue with the peer)
  • AG_INIT_EXCH – Peers have exchanged their first set of packets in aggressive mode, but have not authenticated yet
  • AG_AUTH – ISAKMP SA’s have been authenticated in aggressive mode and will proceed to QM_IDLE immediately

The following mode is found in IKE Quick Mode, phase 2

  • QM_IDLE – The ISAKMP SA is idle and authenticated

What is VxLAN

VxLAN stands for Virtual Extensible LAN. We used VLAN to extened the address space. But with VLAN, we have a hard limit of 4000 usable VLANs. This is an issue with service providers. They may have to maintain several VLANs per customer, which exhausts the address space quickly. To work around this VLAN ID’s can be reused on different switches, or technologies like Q-in-Q can be used.

VxLAN does not have this limitation. It uses a 24-bit header, which gives us about 16 million VNI’s to use. A VNI is the identifier for the LAN segment, similar to a VLAN ID. With an address space this large, an ID can be assigned to a customer, and it can remain unique across the entire network.

VxLAN separates the VNI from the physical network. This means no trunking across the infrastructure is needed. This is done by making each VNI a virtual overlay network. The core network, or underlay, runs at layer-3. VNI’s are layer-2 and run across the layer-3 network. To make this possible, VxLAN switches encapsulate layer-2 frames in layer-3 packets.

There are several advantages to this. As already mentioned, the core network does not have any layer-2 links. This means no trunking and no spanning-tree. Also, VNI’s can be stretched from one end of the network to another. This greatly simplifies mobility and allows hosts to have layer-2 adjacency.

Continue reading “What is VxLAN”

Spine/Leaf Topology

The Spine/Leaf Topology is commonly used in the IP underlay network. It’s quite different to the traditional hierarchy. Keep in mind that this is an architecture, and is not specific to VxLAN. Other technologies like FabricPath may also use spine/leaf.

This architecture uses two layers- the Spine layer and the Leaf layer.

The Leaf layer is where hosts and other devices connect. The leaf layer handles all the VxLAN functions, like creating the virtual networks, and mapping VLANs to VNIs.

The Spine layer is used for transport. The only thing that connects to spine switches is leaf switches. All links to the spine switches are routed links. This creates many ECMP paths, which can be managed by a routing protocol. The spine switches just pass traffic and are unaware that VxLAN even exists.