Fabric Extend Over IPsec

The following example shows a Fabric Extend deployment using service provider VLAN tunnels and IPsec.
Note

Fabric Extend over IPsec limitations:

  • Only pre-shared authentication key IPsec parameters are user configurable. Other, third-party solutions are not configurable.
  • The key exchange only uses the Internet Key Exchange (IKE) v2 protocol.
  • IPsec support is only added for Fabric Extend tunnels.
  • IPsec is not supported for regular layer 3 routed packets.

Global SPBM for Fabric Extend over IPsec Configuration

The global SPBM parameters must be configured before you can configure the Fabric Extend over IPsec tunnel.

Note

The ipsec command is only available after the auth-key command is configured.

Switch> enable
Switch# configure terminal

Switch(config)# spbm
Switch(config)# router isis
Switch(config-isis)# spbm 1
Switch(config-isis)# spbm 1 nick-name 1.11.40 
Switch(config-isis)# spbm 1 b-vid 2,3 primary 2
Switch(config-isis)# is-type l1
Switch(config-isis)# manual-area c0.2000.0000.00 
Switch(config-isis)# sys-name SwitchB 
Switch(config-isis)# exit

Switch(config)# vlan create 2 type spbm-bvlan
Switch(config)# vlan create 3 type spbm-bvlan
Switch(config)# router isis enable

Fabric Extend tunnel and IPsec configuration

Configuring Fabric Extend over IPsec consists of two primary tasks: configuring the tunnel source address and configuring the logical interface. These tasks must be completed on both ends of the tunnel.

Switch> enable
Switch# configure terminal

Switch(config)# interface GigabitEthernet 1/1
Switch(config-if)# brouter port 1/1 vlan 2500 subnet 192.0.2.0/255.255.255.0 mac-offset 0 
Switch(config-if)# exit

Switch(config)# router isis
Switch(config-isis)# ip-tunnel-source-address 192.0.2.0
Switch(config-isis)# exit

Switch(config)# logical-intf isis 1 dest-ip 198.51.100.0
Switch(config-isis-1-198.51.100.0)# isis
Switch(config-isis-1-198.51.100.0)# isis spbm 1
Switch(config-isis-1-198.51.100.0)# isis enable
Switch(config-isis-1-198.51.100.0)# auth-key 12345678
Switch(config-isis-1-198.51.100.0)# ipsec encryption-key-length 256
Switch(config-isis-1-198.51.100.0)# ipsec
Switch(config-isis-1-198.51.100.0)# exit
Note

Product Notice: 256-bit IPsec Encryption for Fabric Extend Tunnels is only supported on XA1400 Series devices.
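The tunnel tasks above have to be completed on both ends, and ipsec is only accepted after auth-key. The following added example (not part of the original page or of the vendor's tooling) checks a pair of command listings for those conditions. The peer listing is constructed by swapping the page's two addresses; the requirement that both ends carry the same auth-key and encryption-key-length is an assumption drawn from how pre-shared-key IPsec works in general, and the names TEMPLATE, parse, value and audit are hypothetical.

```python
import re

# Constructed sample: one end's commands as on the page, prompts stripped, values as parameters.
TEMPLATE = """router isis
ip-tunnel-source-address {src}
exit
logical-intf isis 1 dest-ip {dst}
isis spbm 1
auth-key {key}
ipsec encryption-key-length 256
ipsec
exit
"""

def parse(cfg):
    """Return the tunnel source and, per dest-ip, the ordered logical-intf commands."""
    source, tunnels, cur = None, {}, None
    for line in map(str.strip, cfg.splitlines()):
        if line.startswith("ip-tunnel-source-address "):
            source = line.split()[1]
        elif m := re.fullmatch(r"logical-intf isis \d+ dest-ip (\S+)", line):
            cur = tunnels.setdefault(m.group(1), [])
        elif line == "exit":
            cur = None
        elif cur is not None:
            cur.append(line)
    return source, tunnels

def value(cmds, prefix):
    # Argument of the first command starting with prefix, or None.
    return next((c[len(prefix):] for c in cmds if c.startswith(prefix)), None)

def audit(local_cfg, remote_cfg):
    """Findings for the local end of a tunnel, checked against its peer."""
    (lsrc, ltun), (rsrc, rtun) = parse(local_cfg), parse(remote_cfg)
    mine, theirs = ltun.get(rsrc), rtun.get(lsrc, [])
    if mine is None:
        return ["no logical-intf with dest-ip equal to the peer's tunnel source"]
    issues = []
    if "ipsec" not in mine:
        issues.append("ipsec not enabled")
    elif not any(c.startswith("auth-key ") for c in mine[:mine.index("ipsec")]):
        issues.append("ipsec entered before auth-key")
    for prefix in ("auth-key ", "ipsec encryption-key-length "):  # assumed to match on both ends
        if value(mine, prefix) != value(theirs, prefix):
            issues.append(prefix.strip() + " differs between the two ends")
    if value(mine, "auth-key ") == "12345678":
        issues.append("auth-key is the page's sample value")
    return issues
```

Run against the page's own values, audit reports only that the auth-key is the sample value 12345678, which is a placeholder to replace before deployment.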