ASR1000 and how to fulfill PCI DSS requirements in PBZ bank

Post on 08-Jul-2020

Page 1

Page 2

Session ITMCCS-2268

ASR1000 and how to fulfill PCI DSS requirements in PBZ bank

Nenad Juras, PBZ

Matija Petrović, IBM

Page 3

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public Presentation_ID 3

Agenda

• About Privredna banka Zagreb
• PBZ Metro Ethernet network
• Implementing new aggregation platform
• Improving Quality of Service
• PCI DSS and other requirements
• GET overview
• GET implementation in test environment
• GET implementation in production
• Issues encountered
• Next steps

Page 4

About Privredna banka Zagreb

Page 5

About Privredna Banka Zagreb (PBZ)

• Founded 1962
• Acquired 1999 by Banca Commerciale Italiana
• Member of the Intesa Sanpaolo group since 2007
• Second largest bank in Croatia, 20% market share
• 1,550,000 customers

www.pbz.hr

Page 6

About Intesa Sanpaolo Group

• Leading banking group in Italy, 17% market share
• 5800 branch offices and 11.3 million domestic clients
• 1800 branch offices and 8.6 million clients abroad

Page 7

Privredna banka Zagreb - organization

• 5 regions
• 18 regional centers
• 203 branch offices
• more than 3500 employees in PBZ
• more than 4400 employees in PBZ Group

Page 8

PBZ Metro Ethernet network

Page 9

Migration to Metro Ethernet

• Migration started in 2006
• Two service providers
• Regional branches connected with redundant ME links from both service providers
• Branch offices connected with ME links & ISDN backup lines
• Cisco 2821 in branch offices, Cisco 3825/45 in regional branches
• IP telephony implemented together with Metro Ethernet

Page 10

Network topology – Metro Ethernet with ISDN

Figure: primary and secondary datacenters linked by DWDM, each with a regional branch and branch offices 1 and 2 attached over Metro Ethernet; ISDN provides the backup path for the branch offices.

Page 11

Metro Ethernet challenges

• Two service providers – two technologies (E-Line & E-LAN)
• Shared media with E-LAN
• Expensive backup solution – 2 to 4 ISDN BRA per branch office
• Bandwidth difference between primary link and backup link – 2 Mbps vs. 256-512 Kbps
• Voice class traffic limited to backup bandwidth – requirement of IP Telephony

Page 12

Metro Ethernet - improving backup

• Using ME link from alternative service provider for backup in branch offices
• Different access technologies – copper and fiber
• Same bandwidth on primary and backup link
• Backup link always active – simple switchover when required
• Additional router port required – HWIC-1FE
• Higher running costs offset with better functionality

Page 13

Network topology – Metro Ethernet 2 providers

Figure: primary and secondary datacenters linked by DWDM; regional branches and branch offices 1, 2 and 3 each attached over Metro Ethernet links from both providers, replacing the ISDN backup.

Page 14

Implementing new aggregation platform

Page 15

New platform for Metro Ethernet aggregation

• ASR 1000 platform identified as suitable solution
  • presented for the first time at Cisco Expo 2008
  • hierarchical QoS
  • high availability features
  • support for DMVPN and GET encryption
  • high performance with all features on (QoS, IPsec, FW)
  • modular design with scalable performance (ESP 5, 10, 20)

Page 16

ASR 1000 – Production configuration

• ASR 1002 – 4 pcs
  • ESP5
  • 1×SPA-5X1GE, 9 GE ports total
  • Advanced Ent. Services, FPI, IPSEC
• provider separation
• easier maintenance
• no need for ESP 10 performance

Page 17

Network topology – ASR 1002 in production

Figure: primary and secondary datacenters linked by DWDM, with the four ASR 1002 routers as Metro Ethernet aggregation; regional branches and branch offices 1, 2 and 3 attached through both providers. (The rest of the slide text is front-panel labelling from the ASR 1002 chassis images.)

Page 18

Improving Quality of Service

Page 19

Implementation of hierarchical QoS on ASR WAN Metro Ethernet links

• ASR provides a variety of options for implementing QoS
• Main challenge - how to implement an appropriate QoS model on WAN links
• Two Metro Ethernet technologies on WAN links
  • E-LAN – shared interface
  • E-Line – subinterfaced
• QoS configuration has to be as uniform as possible for easier maintenance and suitable for future changes
• Design, test and implement hierarchical QoS for each WAN link and for each logical network region

Page 20

PBZ WAN network topology

• Regions across Croatia – 15 of them, from 5 to 25 branches per region
• Zagreb region – 52 branches

Figure: primary and secondary datacenters with the ASRs as route hubs; E-LAN National, E-LAN Regional and E-Line (regional, national) links from the route hubs to regional hubs and branches; ISDN backup hubs in each datacenter for the branches.

Page 21

QoS configuration – marking interesting traffic

• Traffic is marked on the ingress interface from the datacenter
• Packet matching done with standard mechanisms: ACL and NBAR
• Traffic is classified
• Different classes receive different DSCP markings with an ingress policy map, according to Cisco best practices

Page 22

QoS configuration – marking interesting traffic - example

NBAR

ip nbar port-map custom-03 tcp 2000 2001 2002
ip nbar port-map custom-02 udp 2427 2727
ip nbar port-map custom-02 tcp 2427 2428 2727
ip nbar port-map custom-01 tcp 1645 1646

ACL

ip access-list extended APP_CENTAR_POSL_PZ
 remark /**************************************
 remark QoS access list for application traffic
 deny tcp host 10.100.12.21 any eq www
 permit tcp 10.100.12.0 0.0.3.255 eq 443 any
 ….
 ….
 …..
 permit ip host 10.203.9.43 any

Class maps

class-map match-all Voice
 match protocol rtp audio
….
….
class-map match-any APP2POSL_PZ
 match access-group name APP_CENTAR_POSL_PZ
 match protocol kerberos

Policy map

policy-map OZNACI
 class Voice
  set ip dscp ef
 class Voice-Sig
  set ip dscp cs3
 class Nadzor
  set ip dscp cs2
 class APP2POSL_PZ
  set ip dscp af21

Page 23

QoS configuration – marking interesting traffic - example

• Implementation on ingress interfaces

interface GigabitEthernet0/0/2
 service-policy input OZNACI
 ip nbar protocol-discovery

interface GigabitEthernet0/0/3
 service-policy input OZNACI
 ip nbar protocol-discovery

Page 24

QoS implementation on ASR routers

Figure: RD-ASR0X (primary datacenter) and LA-ASR0X (secondary datacenter) mark traffic on their Gi0/0/x ingress interfaces (Gi0/0/2, Gi0/0/3). Each ASR sends toward a regional hub or branch over Metro Ethernet at X Mbps, with at most 0.4 × X Mbps of non-marked traffic from each ASR toward the regional hub or branch; in total, MAX 0.8X for DSCP default traffic.

Page 25

QoS configuration – managing marked traffic on WAN interfaces

Class maps for child policy map

class-map match-any WAN_Voice
 match dscp ef
class-map match-any WAN_Voice-Sig
 match dscp cs3
class-map match-any WAN_Nadzor
 match dscp cs2
class-map match-any WAN_APP2POSL_PZ
 match dscp af21

Child policy map

policy-map GENERIC-ASR
 class WAN_Voice
  priority percent 18
 class WAN_Voice-Sig
  bandwidth percent 2
  random-detect
 class WAN_Nadzor
  bandwidth percent 5
  random-detect
 class WAN_APP2POSL_PZ
  bandwidth percent 25
  random-detect dscp-based
 class class-default
  bandwidth percent 20
  random-detect dscp-based
  police rate percent 40 conform-action transmit exceed-action drop

Page 26

QoS configuration – managing marked traffic on WAN interfaces

Class maps for parent policy map

class-map /router_hostname_branch/region/
 match access-group name /router_hostname_branch/region/
(this class map uniquely defines a region or branch)

class-map match-any eigrp
 match ip dscp cs6
(routing packet protection)

Parent policy map

policy-map WAN_T-COM_GRADSKI
 class eigrp
  bandwidth 20
 class /router_hostname_branch/region/
  shape average 2000000
  service-policy GENERIC-ASR

ACL for classes used in parent policy map

ip access-list extended /router_hostname_branch/region/
 permit ip any 10.X.0.0 0.0.63.255
(the LAN network of this branch/region)

Implementation on egress interface

interface GigabitEthernetx/y/z
 bandwidth 40000
 service-policy output WAN_T-COM_GRADSKI
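The two QoS slides above describe a two-level model: the parent policy shapes each branch/region class to 2 Mbps, and the GENERIC-ASR child policy divides that shaped rate between the DSCP-based classes, with a policer on class-default capping unmarked traffic. The following Python model, added here as an example and not PBZ's or Cisco's own tooling, parses the child policy map as shown on the slide and works the arithmetic through: how much each class is guaranteed inside the 2 Mbps shaper, that the reserved percentages do not over-subscribe the policy, and why the diagram's "0.4 × X per ASR" and "MAX 0.8X" figures for DSCP-default traffic follow from the policer. It assumes that `bandwidth percent`, `priority percent` and `police rate percent` in the child policy are all taken relative to the parent shape rate, and that two hubs (RD-ASR0X and LA-ASR0X) send toward each site.

```python
"""Model of the hierarchical QoS on the slides: a 2 Mbps parent shaper per site with the
GENERIC-ASR child policy queuing inside it. Added example, not PBZ's or Cisco's tooling.
Assumption: all 'percent' values in the child policy are relative to the parent shape rate."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Child policy map re-typed from the slide (constructed copy used as parser input).
CHILD_POLICY = """\
policy-map GENERIC-ASR
 class WAN_Voice
  priority percent 18
 class WAN_Voice-Sig
  bandwidth percent 2
  random-detect
 class WAN_Nadzor
  bandwidth percent 5
  random-detect
 class WAN_APP2POSL_PZ
  bandwidth percent 25
  random-detect dscp-based
 class class-default
  bandwidth percent 20
  random-detect dscp-based
  police rate percent 40 conform-action transmit exceed-action drop
"""

SHAPE_BPS = 2_000_000   # 'shape average 2000000' in the parent policy map
HUB_COUNT = 2           # RD-ASR0X and LA-ASR0X both send toward each site (assumption)


@dataclass
class QosClass:
    name: str
    priority_pct: int = 0          # LLQ (strict priority) share
    bandwidth_pct: int = 0         # CBWFQ minimum guarantee
    police_pct: int | None = None  # ceiling enforced by a policer, if configured


def parse_policy_map(text: str) -> list[QosClass]:
    """Parse the subset of IOS policy-map syntax used on the slide."""
    classes: list[QosClass] = []
    current: QosClass | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("policy-map"):
            continue
        if line.startswith("class "):
            current = QosClass(name=line.split(None, 1)[1])
            classes.append(current)
            continue
        if current is None:
            raise ValueError(f"statement outside a class: {line!r}")
        if m := re.fullmatch(r"priority percent (\d+)", line):
            current.priority_pct = int(m.group(1))
        elif m := re.fullmatch(r"bandwidth percent (\d+)", line):
            current.bandwidth_pct = int(m.group(1))
        elif m := re.match(r"police rate percent (\d+)\b", line):
            current.police_pct = int(m.group(1))
        # random-detect and the policer actions do not change the arithmetic below
    return classes


def total_reserved_percent(classes: list[QosClass]) -> int:
    """IOS will not accept a policy whose priority + bandwidth percentages exceed 100.
    The slide's policy reserves 70%, leaving 30% unallocated headroom."""
    total = sum(c.priority_pct + c.bandwidth_pct for c in classes)
    if total > 100:
        raise ValueError(f"policy over-subscribed: {total}% reserved")
    return total


def guarantees_bps(classes: list[QosClass], shape_bps: int = SHAPE_BPS) -> dict[str, int]:
    """Per-class minimum guarantee in bit/s under the parent shaper."""
    return {c.name: shape_bps * (c.priority_pct + c.bandwidth_pct) // 100 for c in classes}


def default_class_ceiling_bps(classes: list[QosClass], shape_bps: int = SHAPE_BPS,
                              hub_count: int = HUB_COUNT) -> tuple[int, int]:
    """Maximum DSCP-default (unmarked) traffic a site receives from one hub and from all hubs.
    The policer on class-default caps it at 40% of the 2 Mbps shaper, i.e. 0.4 x X per ASR,
    which is where the slide's 'MAX 0.8X' for two ASRs comes from."""
    default = next(c for c in classes if c.name == "class-default")
    if default.police_pct is None:
        raise ValueError("class-default has no policer; unmarked traffic is uncapped")
    per_hub = shape_bps * default.police_pct // 100
    return per_hub, per_hub * hub_count


if __name__ == "__main__":
    classes = parse_policy_map(CHILD_POLICY)
    print("reserved:", total_reserved_percent(classes), "%")
    for name, bps in guarantees_bps(classes).items():
        print(f"{name:<18} {bps / 1000:>7.0f} kbit/s guaranteed")
    print("unmarked ceiling per hub / total:", default_class_ceiling_bps(classes))
```

The policer matters for the security posture as well as for capacity planning: any traffic that is not matched by the ingress marking ACLs lands in class-default, so the 40% policer is the bound on how much unclassified traffic a single site can draw through the aggregation layer regardless of what it is.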

Page 27

PCI DSS and other requirements

Page 28

PCI DSS requirements

• Card processing is outsourced to Intesa Sanpaolo Card (ISP Card)
• PCI DSS is currently not implemented in PBZ
• Data from ATMs and POS devices in branch offices is transmitted through the PBZ Metro Ethernet network
• PCI DSS Requirement 4: Encrypt transmission of cardholder data across open, public networks

Page 29

Other regulatory requirements

• Intesa Sanpaolo security guidelines: plan the use of appropriate security mechanisms (e.g., cryptography, backup, digital signature) to ensure information confidentiality, integrity and non-repudiation
• Croatian National Bank recommends encrypting network traffic over service provider links
• External IT auditor requires encrypting certain types of network traffic and traffic with third parties

Page 30

GET overview

Page 31

What is Group Encrypted Transport VPN (GET VPN)?

• GET VPN (Group Encrypted Transport VPN) emerged in response to the need for encrypting traffic on private WAN networks
• GET VPN is a group-key based, tunnel-less VPN solution for enterprise networks using a private MPLS/IP core
• Enables a secure, end-to-end, fully meshed network for data, voice, video and other applications, using QoS, multicast and the existing routing

Page 32

What is Group Encrypted Transport VPN (GET VPN)?

• Relies on open-standard technologies: Group Domain of Interpretation (GDOI), RFC 3547, which provides cryptographic keys and policies to a group of VPN gateways that share the same security policies
• IPsec encryption: supports 3DES and AES128/192/256 algorithms

Page 33

GET VPN components

Figure: one Key Server and four Group Members, with Routing Members in between.

• Group Member: encryption devices; route between secure / unsecure regions; multicast participation
• Key Server: validate Group Members; manage security policy; create group keys; distribute policy / keys
• Routing Member: forwarding; replication; routing

Note: In the PBZ WAN network, Routing Members = Group Members

Page 34

GET VPN components

• KS – Key Server
  • The KS is the central place for creating and maintaining encryption policy within GET VPN
  • The KS is the router on which the encryption algorithms, hash algorithms, interesting traffic and rekey timers are configured
  • The KS creates and maintains the KEK (Key Encryption Key), the TEK (Traffic Encryption Key) and the pseudo-timer
  • The KS cannot be a Group Member
• COOP KS
  • Because the KS is the central point for creating and maintaining encryption policy, it has an important role in the GET VPN network
  • COOP KS is a protocol that allows synchronization between multiple KSs
  • Only the primary KS distributes policy updates in the network

Page 35

GET VPN components

• GM – Group Member
  • A GM is a router in the network in charge of encrypting / decrypting IP traffic
  • A GM is configured only with IKE settings and information about the KS / group
  • Necessary exceptions to the global policy can be configured on the GM
  • The IPsec policy is obtained from the KS
• GDOI – Group Domain of Interpretation
  • GDOI (RFC 3547) is the control protocol between the Group Member and the Key Server
  • GDOI is used to distribute group policy and cryptographic keys to the Group Members

Page 36

GET VPN features

• IP Header Preservation
  • Unlike IPsec tunnel or transport mode, GET VPN copies the original IP header and places it at the start of the encrypted packet
  • IP header preservation allows the use of the existing routing in the network, as well as QoS and multicast

Page 37

GETVPN – How does it work

Step 1: Group Members (GM) “register” via GDOI (IKE) with the Key Server (KS)
  • KS authenticates & authorizes the GM
  • KS returns a set of IPsec SAs for the GM to use

Step 2: Data Plane Encryption
  • GMs exchange encrypted traffic using the group keys
  • The traffic uses IPsec Tunnel Mode with “address preservation”

Step 3: Periodic Rekey of Keys
  • KS pushes out replacement IPsec keys before the current IPsec keys expire. This is called a “rekey”

Page 38

GETVPN benefits

Previous limitations vs. new features and associated benefits:

1. Previous: Multicast traffic encryption was supported through IPsec tunnels – not scalable; difficult to troubleshoot
   New: Encryption supported for native multicast and unicast traffic with Group Security Association – allows higher scalability; simplifies troubleshooting; extensible standards-based framework

2. Previous: Overlay VPN network – overlay routing; sub-optimal multicast replication; lack of virtualized QoS; peer mesh of IPsec states
   New: No overlay – leverages the core network for multicast replication via IP header preservation; optimal routing introduced in the VPN; standard QoS for encrypted traffic; globally distributed IPsec state

3. Previous: Full mesh connectivity – hub-and-spoke primary support; spoke-to-spoke not scalable
   New: Any-to-any instant enterprise connectivity – leverages the core for instant communication; optimal for Voice over VPN deployments

Page 39

Clear-text Transition Methods

• Four methods:
  • Receive-Only
  • Selective Inclusion
  • Selective Exclusion
  • Logical Transition

Page 40

Clear-text: Receive-Only Method

• Goal: incrementally deploy the infrastructure without encryption; immediate transition to encryption controlled by the KS

• Method: deploy the KS with receive-only SAs (don't encrypt, allow decryption); deploy GMs throughout the infrastructure and monitor the rekey processes; transition the KS to normal SAs (encrypt, decrypt)

• Assessment: Pro: simple transition to network-wide encryption. Con: correct policies are imperative. Con: encryption is deferred until all CEs are capable of GM functions

Figure: before/after diagrams of a KS and four GMs serving 10.1.4.0/24, 10.1.5.0/24, 10.1.6.0/24 and 10.1.7.0/24; the policy lines shown are "permit ip 10.1.4.0 0.0.3.255 10.1.4.0 0.0.3.255" and "permit ip 10.1.4.0 0.0.1.255 10.1.4.0 0.0.1.255", with GET marked on the encrypted paths.

Page 41

Clear-text: Receive-Only with Passive Mode Method

• Goal: incrementally deploy the infrastructure without encryption; incrementally transition to encryption controlled by the GM

• Method: deploy the KS with receive-only SAs (don't encrypt, allow decryption); deploy GMs throughout the infrastructure and monitor the rekey processes; transition each GM to a Passive Mode SA (encrypt, decrypt); transition the KS to Normal Mode; transition each GM to Normal Mode

• Assessment: Pro: simple transition to network-wide encryption. Pro: incremental validation of policies. Pro: no flash cut-over. Con: encryption is deferred until all CEs are capable of GM functions

Figure: before/after diagrams of a KS and four GMs serving 10.1.4.0/24, 10.1.5.0/24, 10.1.6.0/24 and 10.1.7.0/24, with the KS policy "permit ip any any (receive only)" in both states and GET marked on the encrypted paths after the transition.

Page 42

Clear-text: Selective Encryption Method

• Goal: incrementally deploy the infrastructure and encryption; only encrypt specific traffic

• Method: deploy the KS with an SA with a narrow scope of encryption; expand the scope of encryption as sites are added; add sites in groups according to CIDR blocks

• Assessment: Pro: conservative approach to introducing encryption. Pro: incremental introduction of encryption between CEs. Con: policies can become complex for large networks. Con: requires clean CIDR aggregates to simplify policies. Con: memory constraints based on a complex set of SAs

Figure: before/after diagrams of a KS and four GMs serving 10.1.4.0/24, 10.1.5.0/24, 10.1.6.0/24 and 10.1.7.0/24; the two KS policies shown are "permit ip 10.1.4.0 0.0.3.255 10.1.4.0 0.0.3.255" (the 10.1.4.0/22 aggregate) and "permit ip 10.1.4.0 0.0.1.255 10.1.4.0 0.0.1.255" (the 10.1.4.0/23 aggregate), with GET marked on the encrypted paths.

Page 43

Clear-text: Exception Encryption Method

• Goal: incrementally deploy the infrastructure and encryption; encrypt all traffic with explicit exceptions

• Method: deploy the KS with an SA using a global (any-any) scope of encryption; explicitly deny encryption (globally or locally) for all sites not capable of encryption; add sites in groups according to CIDR aggregates

• Assessment: Pro: conservative approach to introducing encryption. Pro: incremental introduction of encryption between CEs. Con: policies can become complex for large networks. Con: requires clean CIDR aggregates to simplify policies. Con: local deny statements needed to minimize global policy size

Figure: before/after diagrams of a KS and four GMs serving 10.1.4.0/24, 10.1.5.0/24, 10.1.6.0/24 and 10.1.7.0/24; the KS policy is "permit ip any any" before and "deny ip 10.1.6.0 0.0.1.255 … / permit ip any any" after the exception is added, with GET marked on the encrypted paths.

Page 44

Clear-text: Logical Transition

• Goal: incrementally deploy the topological infrastructure and encryption; encrypt all traffic on the new topological infrastructure

• Method: deploy the KS with an SA using a global (any-any) scope of encryption; incorporate transition sites into the encryption system with a local deny (any-any); transition sites from the clear-text infrastructure to the encrypted infrastructure and remove the local deny

• Assessment: Pro: easy transition of individual CEs. Pro: no requirement to deal with CIDR aggregates. Pro: simplified policy throughout the transition. Con: requires changing the logical topology

Figure: before/after diagrams of a KS and four GMs serving 10.1.4.0/24, 10.1.5.0/24, 10.1.6.0/24 and 10.1.7.0/24 plus one transitioning GM; the KS policy is "permit ip any any" in both states, with GET marked on the encrypted paths.
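The selective and exception methods above both come down to the crypto policy ACL that the KS pushes to every GM: a `permit` entry means "encrypt", a `deny` entry means "send in clear", and anything the ACL does not mention is also sent in clear. The Python evaluator below, added here as an example and not part of the presentation or of any Cisco tool, implements that first-match logic with IOS wildcard masks and runs the policy lines from the slides (the 10.1.4.0/22 and 10.1.4.0/23 selective permits, the 10.1.6.0/23 exception, and the any-any logical policy) against sample flows between the 10.1.4.0/24 to 10.1.7.0/24 sites. The exception ACL is written out in both directions here (a constructed completion of the slide's abbreviated line), and an extra check shows why: the same policy is evaluated by each GM for its own outbound traffic, so a deny written in one direction only leaves the return direction encrypted. Wildcard masks are assumed to be contiguous.

```python
"""Evaluate which flows a GET VPN key-server policy ACL would encrypt.
Added example, not from the presentation or a Cisco tool. Assumptions: first-match
evaluation, 'permit' = encrypt, 'deny' = clear, no match = clear (implicit deny),
contiguous wildcard masks only."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Policy lines from the transition slides (constructed copies; the exception ACL is
# completed with an explicit 'any' destination and mirrored for the return direction).
SELECTIVE_WIDE = "permit ip 10.1.4.0 0.0.3.255 10.1.4.0 0.0.3.255"    # 10.1.4.0/22 <-> 10.1.4.0/22
SELECTIVE_NARROW = "permit ip 10.1.4.0 0.0.1.255 10.1.4.0 0.0.1.255"  # 10.1.4.0/23 <-> 10.1.4.0/23
EXCEPTION = """\
deny ip 10.1.6.0 0.0.1.255 any
deny ip any 10.1.6.0 0.0.1.255
permit ip any any
"""
EXCEPTION_ONE_SIDED = """\
deny ip 10.1.6.0 0.0.1.255 any
permit ip any any
"""
LOGICAL = "permit ip any any"


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" -> encrypt, "deny" -> forward in clear
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_target(tokens: list[str]) -> tuple[ipaddress.IPv4Network, list[str]]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard bits set to 0 must match; invert it into a netmask.
    # ip_network() rejects the result if the wildcard was not contiguous.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acl(text: str) -> list[Ace]:
    """Parse 'permit|deny ip <src> <dst>' lines; remarks and blank lines are skipped."""
    aces: list[Ace] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {raw!r}")
        src, rest = _parse_target(rest)
        dst, rest = _parse_target(rest)
        aces.append(Ace(action, src, dst))
    return aces


def classify(acl: list[Ace], src: str, dst: str) -> str:
    """First matching entry decides; a flow the policy never mentions goes in clear."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return "encrypt" if ace.action == "permit" else "clear"
    return "clear"


def asymmetric_entries(acl: list[Ace]) -> list[Ace]:
    """Entries with no mirror-image (dst<->src) counterpart of the same action.
    Every GM evaluates the shared policy for its own outbound packets, so a one-sided
    deny exempts only one direction of the conversation from encryption."""
    mirrored = {(a.action, a.dst, a.src) for a in acl}
    return [a for a in acl if (a.action, a.src, a.dst) not in mirrored]


if __name__ == "__main__":
    for label, text in [("wide", SELECTIVE_WIDE), ("narrow", SELECTIVE_NARROW),
                        ("exception", EXCEPTION), ("one-sided", EXCEPTION_ONE_SIDED), ("logical", LOGICAL)]:
        acl = parse_acl(text)
        print(f"{label:<10} 10.1.4.7->10.1.6.9: {classify(acl, '10.1.4.7', '10.1.6.9')}"
              f"  10.1.6.9->10.1.4.7: {classify(acl, '10.1.6.9', '10.1.4.7')}"
              f"  asymmetric: {len(asymmetric_entries(acl))}")
```

Running the one-sided exception policy through `asymmetric_entries` is the kind of check worth automating before a policy is pushed from the KS: the slide's "Con: correct policies imperative" is exactly this class of mistake, and it is invisible in normal operation because the flow still works, just half of it unencrypted.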

Page 45

GET implementation in test environment

Page 46

GETVPN implementation requirements in PBZ WAN network

• preservation of the existing network design and routing
• preservation of the original IP addresses and DSCP
• preservation of the existing QoS
• upgrade of the existing platforms with AIM-VPN/SSL modules in regional centers
• SW upgrade to a version that supports all the existing demands on the network as well as new functionality such as GET VPN

Page 47

GET VPN implementation requirements in PBZ WAN network

Existing platform      | New software release | AIM module
ASR 1002               | 3.1.2S               | –
Cisco 2821             | 12.4(24)T4           | –
Cisco 2821-SRST/K9     | 12.4(24)T4           | AIM-VPN/SSL-2
Cisco 2821-V/K9        | 12.4(24)T4           | AIM-VPN/SSL-2
Cisco 3825-SRST/K9     | 12.4(24)T4           | AIM-VPN/SSL-3
Cisco 3825-V/K9        | 12.4(24)T4           | AIM-VPN/SSL-3
Cisco 3845-SRST/K9     | 12.4(24)T4           | AIM-VPN/SSL-3

Key servers
CISCO3825-HSEC/K9      | 12.4(24)T4           | AIM-VPN/SSL-3

Page 48

GET implementation in test environment (Oct 01-Dec 18)

• test equipment and IOS versions defined
• testing in lab environment
  • routing
  • QoS
  • CPU
  • high availability (SW and HW redundancy)

Page 49

Test environment

Page 50

GET implementation in production


GET implementation in pilot production (Dec 18-Jan 31)

  testing in production environment:
•  installation of KS in primary data center
•  installation of KS in secondary data center
•  IOS upgrade for routers in pilot regional center (from SP Services to Advanced IP Services) and upgrade with AIM module (AIM-VPN/SSL-3, AIM-VPN/SSL-2)
•  IOS upgrade for routers in pilot branch offices (from IP Base to Advanced Security) – Flash memory upgrade required
•  implementation of encryption on pilot locations
•  testing KS COOP (cooperative key server redundancy)
•  testing routing, QoS, CPU load, application and voice traffic on pilot locations


GET VPN Topology in Production Environment


Primary KS configuration

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key Cisco address 10.0.0.0 255.0.0.0
crypto isakmp keepalive 15 periodic
!
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
!
crypto ipsec profile GDOI
 set security-association lifetime seconds 7200
 set transform-set VPN
!
crypto gdoi group GET
 identity number 1
 server local
  rekey retransmit 40 number 3
  rekey authentication mypubkey rsa GETVPN
  rekey transport unicast
  authorization address ipv4 50
  sa ipsec 1
   profile GDOI
   match address ipv4 KRIPTO_POLICY
   replay time window-size 5
  address ipv4 10.100.200.6
  redundancy
   local priority 100
   peer address ipv4 10.200.200.6

ip access-list extended KRIPTO_POLICY
 remark **Prevent recursive encryption of transitive ESP **
 deny esp any any
 remark **telnet**
 deny tcp any any eq telnet
 deny tcp any eq telnet any
 remark **eigrp**
 deny eigrp any any
 remark **isakmp**
 deny udp any eq isakmp any eq isakmp
 remark **gdoi**
 deny udp any eq 848 any eq 848
 remark **ssh**
 deny tcp any eq 22 any
 deny tcp any any eq 22
 remark **tftp**
 deny udp any eq tftp any
 deny udp any any eq tftp
 remark **netflow**
 deny udp any eq 2055 any
 deny udp any any eq 2055
 remark **domain controller**
 deny ip any host 10.100.1.253
 deny ip any host 10.100.1.254
 deny ip any host 10.200.1.254
 deny ip host 10.200.1.254 any
 deny ip host 10.100.1.254 any
 deny ip host 10.100.1.253 any
 remark **dns**
 deny udp any any eq domain
 deny udp any eq domain any
 remark **ntp**
 deny udp any any eq ntp
 deny udp any eq ntp any
 remark **syslog**
 deny udp any any eq syslog
 deny udp any eq syslog any
 remark **multicast**
 deny ip any 224.0.0.0 15.255.255.255
 permit ip any any


Secondary KS configuration

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key Cisco address 10.0.0.0 255.0.0.0
crypto isakmp keepalive 15 periodic
!
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
!
crypto ipsec profile GDOI
 set security-association lifetime seconds 7200
 set transform-set VPN
!
crypto gdoi group GET
 identity number 1
 server local
  rekey retransmit 40 number 3
  rekey authentication mypubkey rsa GETVPN
  rekey transport unicast
  authorization address ipv4 50
  sa ipsec 1
   profile GDOI
   match address ipv4 KRIPTO_POLICY
   replay time window-size 5
  address ipv4 10.200.200.6
  redundancy
   local priority 75
   peer address ipv4 10.100.200.6

ip access-list extended KRIPTO_POLICY
 remark **Prevent recursive encryption of transitive ESP **
 deny esp any any
 remark **telnet**
 deny tcp any any eq telnet
 deny tcp any eq telnet any
 remark **eigrp**
 deny eigrp any any
 remark **isakmp**
 deny udp any eq isakmp any eq isakmp
 remark **gdoi**
 deny udp any eq 848 any eq 848
 remark **ssh**
 deny tcp any eq 22 any
 deny tcp any any eq 22
 remark **tftp**
 deny udp any eq tftp any
 deny udp any any eq tftp
 remark **netflow**
 deny udp any eq 2055 any
 deny udp any any eq 2055
 remark **domain controller**
 deny ip any host 10.100.1.253
 deny ip any host 10.100.1.254
 deny ip any host 10.200.1.254
 deny ip host 10.200.1.254 any
 deny ip host 10.100.1.254 any
 deny ip host 10.100.1.253 any
 remark **dns**
 deny udp any any eq domain
 deny udp any eq domain any
 remark **ntp**
 deny udp any any eq ntp
 deny udp any eq ntp any
 remark **syslog**
 deny udp any any eq syslog
 deny udp any eq syslog any
 remark **multicast**
 deny ip any 224.0.0.0 15.255.255.255
 permit ip any any


GET VPN Topology in Production Environment

ASR

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 1200
crypto isakmp key Cisco address 10.100.200.6
crypto isakmp key Cisco address 10.200.200.6
!
crypto gdoi group GET
 identity number 1
 server address ipv4 10.100.200.6
 server address ipv4 10.200.200.6
 passive
!
crypto map METRONET local-address Loopback0
crypto map METRONET 10 gdoi
 set group GET


GET VPN Topology in Production Environment

Regional center

ip access-list extended CRYPTO
 remark novska
 deny ip any 10.73.0.0 0.0.63.255
 remark petrinja
 deny ip any 10.168.0.0 0.0.63.255
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 1200
crypto isakmp key Cisco address 10.100.200.6
crypto isakmp key Cisco address 10.200.200.6
!
crypto gdoi group GET
 identity number 1
 server address ipv4 10.100.200.6
 server address ipv4 10.200.200.6
 passive
!
crypto map GETVPN local-address Loopback0
crypto map GETVPN 10 gdoi
 set group GET
 match address CRYPTO


GET VPN Topology in Production Environment

Branch Office

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 1200
crypto isakmp key Cisco address 10.100.200.6
crypto isakmp key Cisco address 10.200.200.6
!
crypto gdoi group GET
 identity number 1
 server address ipv4 10.100.200.6
 server address ipv4 10.200.200.6
 passive
!
crypto map GETVPN local-address Loopback0
crypto map GETVPN 10 gdoi
 set group GET


Issues encountered


Issues encountered – ASR 1000

Shared interface issue

  When the ASR receives encrypted traffic that is intended for an unencrypted location, it drops these packets. Packets from an unencrypted location towards an encrypted location are forwarded.

•  Cisco has recognized the problem; PBZ and IBM are working closely with the Cisco business unit – a solution is expected in a future IOS XE release

•  The workaround suggested by Cisco for the current IOS XE release will be tested after this conference


Other issues encountered

Key server issue

  Discontinuous subnet entries in the crypto ACL on the key server are not supported – no solution exists yet, so we stopped using discontinuous subnets
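To make the KRIPTO_POLICY crypto ACL on the key server slides and the discontinuous-subnet limitation above concrete, here is an added Python checker (not from the presentation, nor Cisco code). It evaluates a flow against the ACL with GET VPN's first-match semantics (permit = encrypt, deny = forward in the clear) and rejects any wildcard mask whose set bits are not one contiguous run, which is exactly the kind of entry the key server refused. The ACL subset, port table and flows are constructed for the example.

```python
import ipaddress

# Constructed subset of the KRIPTO_POLICY crypto ACL on the KS slides (first match wins).
KS_POLICY = """deny esp any any
deny tcp any any eq telnet
deny udp any eq 848 any eq 848
deny ip any host 10.100.1.253
deny ip any 224.0.0.0 15.255.255.255
permit ip any any""".splitlines()
PORT_NAMES = {"telnet": 23, "domain": 53, "ntp": 123, "syslog": 514, "tftp": 69, "isakmp": 500}

def wildcard_to_network(addr, wildcard):
    """IOS wildcard -> network; rejects non-contiguous masks, which the KS cannot install."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:  # the wildcard's 1-bits must form one contiguous low-order run
        raise ValueError(f"discontiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{33 - (w + 1).bit_length()}", strict=False)

def parse_addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' [eq PORT]; return (network, port, rest)."""
    if tok[0] == "any":
        net, tok = ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    elif tok[0] == "host":
        net, tok = ipaddress.ip_network(tok[1]), tok[2:]
    else:
        net, tok = wildcard_to_network(tok[0], tok[1]), tok[2:]
    if tok and tok[0] == "eq":  # optional port qualifier, by name or number
        return net, PORT_NAMES.get(tok[1]) or int(tok[1]), tok[2:]
    return net, None, tok

def parse_entry(line):
    """One ACE -> (action, proto, src_net, src_port, dst_net, dst_port)."""
    action, proto, *tok = line.split()
    src, sport, tok = parse_addr(tok)
    dst, dport, _ = parse_addr(tok)
    return action, proto, src, sport, dst, dport

def lint_acl(lines):
    """List (index, reason) for every ACE the key server would reject."""
    problems = []
    for i, line in enumerate(lines):
        try:
            parse_entry(line)
        except ValueError as exc:
            problems.append((i, str(exc)))
    return problems

def classify(lines, proto, src, sport, dst, dport):
    """Return 'encrypt' if the first matching ACE is a permit, else 'clear'."""
    for action, p, snet, sp, dnet, dp in map(parse_entry, lines):
        if (p in ("ip", proto) and ipaddress.ip_address(src) in snet
                and ipaddress.ip_address(dst) in dnet
                and sp in (None, sport) and dp in (None, dport)):
            return "encrypt" if action == "permit" else "clear"
    return "clear"
```

Running `lint_acl` over a candidate policy before pushing it to the key server catches the unsupported entries offline; `classify` answers whether a given flow (for example a domain controller session) will actually be protected.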

Issues with encrypted network traffic

  problem in communication between domain controllers and workstations – this traffic is currently excluded from encryption


Next steps


Next steps

  IOS upgrade for routers in regional centers (from SP services to Advanced IP Services)

  IOS upgrade for routers in branch offices (from IP Base to Advanced Security) – requires Flash memory upgrade

  Continuing implementation of GET VPN


Summary

  GET VPN provides a scalable technology for implementing encryption in enterprise Metro Ethernet networks

  Successful implementation in a limited production environment – minor issues encountered

  "Fine tuning" for full production


Q&A
