Industrial IOT Gateways in Secure and Resilient Cellular and VPN Deployments
Kawal Grover, Technical Marketing Engineer
Pawel Cecot, Customer Support Engineer
LTRIOT-2570
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#LTRIOT-2570
Meet the Team
Pawel Cecot, Customer Support Engineer
Kawal Grover, Technical Marketing Engineer
Agenda
• Introduction
• Cisco IR829 Overview
• Cisco IR829 in IoT Deployment Use Cases
• Security and Resiliency of IoT deployments
• Hands-on lab
  • IR829 LTE with FlexVPN Lab (physical)
  • FlexVPN Lab (virtual)
Cisco IOT Gateway Portfolio
Extending Intelligence to Operational Networks
Utility
• Long distance connection
• Harsh environment
• 3G/4G Backhaul
Manufacturing
• Non Stop Operation
• Flexible Layout Change
• Deterministic Control
• Security
Oil & Gas
• Pipeline Monitoring
• Long distance operation
• Extreme weather
• 3G/4G Backhaul
Transportation/Public Safety
• Incident Response
• Traffic/Signal Monitoring
• Passenger WiFi
• Physical Security
• Video Surveillance
Municipality
• Intelligent Traffic System
• Surveillance
• City-wide WiFi
• Lighting/Energy Mgmt
Portfolio: IR807, IR809, IR829 (Single & Dual LTE)
Common attributes: Security, High Availability, FOG, Ruggedized
Cisco Mobile Routers Portfolio
(figure: feature icons for 2xLTE, Edge Compute, WiFi, Ruggedized Operations, Gyroscope & Accelerometer, High Availability, LTE, GPS)
• IR 807: -40º to 60º, U.S and Europe only
• IR 809: -40º to 60º, globally
• IR 829 Single LTE: -40º to 60º, globally
• IR 829 Dual LTE: -40º to 60º, North America & Europe only
Cisco IR829 Industrial Integrated Services Routers (Dual LTE) – New
Available US, Europe, Canada
• WLAN 2.4/5 GHz
• Dimensions: 7.7”x11”x1.73” (DxWxH)
• Temperature: -40C to +60C
• Four 10/100/1000Base-T, 30W Shared PoE/PoE+
• SFP WAN Port
• One RJ-45 RS232 Serial Port
• One RJ-45 RS232/RS485 Serial Port
• USB Type A port
• Mini USB Console
• 6-32 VDC Power Input
• Ignition Sense
• GPS, Accelerometer and Gyroscope
• Two modems: Cellular0 MAIN/AUX (SIM0-Modem0) and Cellular1 MAIN/AUX (SIM1-Modem1)
• Note: differences in RF connectors between single LTE and dual LTE models
Cisco IR829 Industrial Integrated Services Routers (Single LTE)
Available Worldwide
• WLAN 2.4 GHz and 5 GHz
• Dimensions: 7.7”x11”x1.73” (DxWxH); 10.55”x11”x1.73” (DxWxH)
• Temperature: -40C to +60C
• Four 10/100/1000Base-T, 30W Shared PoE/PoE+
• SFP WAN Port
• One RJ-45 RS232 Serial Port
• One RJ-45 RS232/RS485 Serial Port
• USB Type A port
• Mini USB Console
• 6-32 VDC Power Input
• Ignition Sense
• GPS, Accelerometer and Gyroscope
• One modem: Cellular MAIN/AUX, Dual SIM
New Cisco IR829M: mSATA SSD connector + PoE (FCS 1HCY2018)
• mSATA SSD FRU: 100GB / 50GB*
• Endurance: 100GB: 33TBW; 50GB: 18TBW
• Dimensions: 7.7”x11”x1.73” (DxWxH)
• Temperature: -40C to +60C
* FCS 1HCY2018. New hardware IR829M as it requires motherboard changes to IR829
IR829 – More Than Just An Industrial Router
Pervasive Security
• Services included are firewall and VPN, which require no additional hardware or client software.
• Hardware encryption, with greater scale
• Cisco IOS offers multiple VPN alternatives, based on the specific deployment needs. Two of the most commonly deployed for IoT are DMVPN and FlexVPN
IOx, Edge Computing
• Enable remote monitoring and control at the edge and improve process efficiency by moving the intelligence to the edge rather than the cloud.
• Scalable application life cycle management via Fog Director
Ruggedized, Purpose Built, Certified
• Ruggedized for manufacturing, transportation, utilities, oil and gas, mining and municipality.
• Industrial: EN61131-2; Automotive: SAE J1455; Military: MIL-STD-810G
Services Rich
• Gyroscope/accelerometer
• Dynamic and static routing
• IPv6 support on Ethernet as well as Cellular
• Ignition Power management
Management
Ease of Management: Cloud, On-Prem and On-Device
(figure: management options plotted by scale of deployment against branch IT sophistication level)
• Cloud Managed (all scales, simplest): Kinetic GW Management*
• On-Device (<20 units): CCP Express
• On-prem on Server (100-1K units): Virtualized FND, ISR4K with UCSE
• On-prem infra (1K+ units): Field Network Director, Cisco Prime, SNMP MIBs
* Kinetic GW Management: Available for Limited Availability
Cisco Configuration Professional Express (CCP Express): Onboard Device Management, shipping on IR8xx
• Day to Day router management
  • Interface information and status
  • Traffic volume
  • Device information (Hostname, IOS version etc)
• Cisco Active Advisor: Lifecycle information of network inventory
• VPN: Advanced configuration
• Day 0 setup includes: Cellular, WAN, LAN, IOx, WiFi, Security
Kinetic GMM – Gateway Monitoring
(screenshot)
Cisco Cellular Gateway Deployment Model
(figure) Connected Devices -> Cellular Gateway -> Secure Connections -> Cloud Management Platform / Operations Center
Cisco IoT Gateway layers: Networking OS, VPN, Gateway Management; App / Container with Edge Control Apps, Analytics and Services (MQTT, AMQP, etc.)
Kinetic GMM – Zero Touch Deployment
(screenshot)
Kinetic GMM – Location Tracking
(screenshot)
Cisco IR829 in IoT Deployment Use Cases
Cisco IR829 Dual Active LTE
Purpose built to withstand shock, vibration, humidity, temperature and dust
• Two concurrent LTE connections for WAN redundancy and higher throughput
• Two models to cover the U.S and EMEA regions:
  • IR829-2LTE-EA-BK9 – U.S
  • IR829-2LTE-EA-EK9 – EMEA
• Load balancing between two carriers for better user experience
• Routing based on signal strength, technology, etc.
Use cases: Police Cars / Ambulances, Asset Management, Connected Mass Transit / Fleet Management
Cisco IoT Gateway in Action: Police Car Use Case for IR829
Police Department in US
Business and Technology Drivers: Provide data, voice & video connectivity to the police vehicle while driving to the incident site (mobile) and at the incident site (remote location) to coordinate the response system. Ability to backhaul recorded video over WiFi once the police vehicle is back at the police station.
Cisco Solution: The IR829 was deployed on each police vehicle and provided highly secure connectivity on the move as well as in remote locations. The ignition management system on IR829 allowed the router to stay powered on for 15 minutes on battery even when the engine was turned off, to automatically upload the recorded videos over WiFi backhaul at the police station.
Cisco IoT Gateway in Action: ATM Use Case for Dual LTE IR829
Large Bank in US
Business and Technology Drivers: Pressure to lower opex and the cost of operation with LTE as compared to wireline triggered the technology upgrade of ATM machines.
Cisco Solution: Cisco Dual LTE IR829 for secure, reliable and redundant LTE connectivity for financial transactions and ATM inventory management. LTE WAN saves 70% opex as compared to wireline. The compact, rugged form factor of the Dual LTE IR829 meets space and environmental constraints for cabinet installations. Video surveillance and incident reporting use edge compute (IOx/Fog).
Cisco IoT Gateway in Action: Roadside Infrastructure Monitoring Use Case for IR829
Department of Transportation, US
Business and Technology Drivers: The existing system to monitor fog encountered frequent breakdowns, resulting in safety concerns for commuters and for employees dispatched to close fog gates.
Cisco Solution: Cisco IR829 with IOx fog computing for polling roadside fog sensors in real time and automated response per policy at the edge, for faster response rather than sending all the data to the control center. Secure, reliable LTE connectivity for sending relevant data to the regional traffic center for deep learning on big data. Paving the way to additional use cases – Car as a Sensor and Wrong Way Detection.
Cisco IoT Gateway in Action: Utility Use Case for IR809
Electric Company in US
Business and Technology Drivers: Two-way communication between home and grid for energy delivery over 28,000 distribution miles. 3000 residential rooftops connect to 410 substations.
Cisco Solution: The IR809 with IEC 61850-3 & IEEE 1613 compliance won against GE MDS. Monitoring and managing cellular signal strength and SMS notifications upon anomalies were key to winning this account. IR809 provided enterprise-class secure VPN connectivity over cellular, ruggedized to meet the harsh Arizona summer (120F), and ease of management with Cisco Prime and APIC-EM.
$7200 in savings per resident.
Cisco IoT Gateway in Action: Onboard Entertainment System and Advertisement Use Case for Dual LTE IR829M – mSATA SSD (storage) + IOx (application hosting)
Business and Technology Drivers: WiFi hot spot for bus customers & serving dynamic media content for targeted advertising. Generate a new revenue stream for the transportation company.
Cisco Solution: Cisco IR829M provides onboard entertainment over WiFi to passengers on the bus. IOx fog computing hosts the WiFi captive portal and media server applications. The 100GB industrial grade mSATA SSD (field replaceable unit) stores large media files such as movies and advertisements. The passengers can access the Internet on their devices using the Dual LTE IR829, which supports two active LTE WAN connections with different service providers simultaneously.
Passenger flow (figure): connect to the Wi-Fi portal -> review terms and conditions -> gain mobile internet connectivity -> access personalized media and content
IR829M with 100GB mSATA SSD: FCS 1HCY2018. New IR829M hardware for mSATA SSD as it requires motherboard changes to IR829.
Security and Resiliency of IoT Deployments
IR800 Series Security Features
Layers: HARDWARE (Mechanical & Sensors), HARDWARE (Processors & Electronics), SOFTWARE (Applications & Resources)
• Accelerometer & Gyroscope*
• Input Alarm for Digital Sensors
• GPS Asset Tracking & Geo Fencing
• SIM Card Locking Plate
• Trust Anchor Module (ACT2 Chipset)
• Fast Hardware Based Encryption
• Digital Signature Validation
• Code Signing
• Application Level Firewall
• Secure Boot
• Cisco Process (CSDL, Vulnerability Testing, PSIRT, TALOS Group)
• Hosted App lifecycle security with Cisco IOx*
* Not available on IR807
IR800 Series Security Features: WAN Security
WAN Security / VPN
• FlexVPN
• DMVPN
• GRE
• IPsec
• Mobile IP: NEMO & PMIPv6
• Dynamic routing
Easy Management, Web UI, Security Preferences: IR 809, IR 829 Single LTE, IR 829 Dual LTE
Easy Scaling, High Visibility: ASR 1000, ASR 5500, ASR 9000
FlexVPN Technology Overview
• What is FlexVPN?
  • IKEv2 based unified VPN that combines Site-to-Site, Remote-Access, Hub-Spoke and Spoke-Spoke topologies
• FlexVPN highlights
  • Unified CLI
  • Leverages common IOS Point-to-Point tunnel interface implementation
  • Feature-rich: AAA, config-mode, dynamic routing, IPv6
  • Simplified configuration using Smart Defaults
  • IKEv2 standard compliant – interoperable with non-Cisco implementations
  • Easy to learn, deploy, and manage
FlexVPN and Interfaces
(figure: Hub 1 and Hub 2 with Spoke 1, Spoke 2 and a Remote User; the hubs terminate spokes and the remote user on Virtual Templates (VT1, VT2) cloned into Virtual Access interfaces (VA1, VA2, VA3), while the spokes use a static Tunnel0 toward the hubs and VT1/VA1 for spoke-to-spoke tunnels)
Topologies shown: Site to Site, Hub & Spoke, Dynamic Mesh, Remote Access
Legend: Tu = Static Tunnel, VT = Virtual Template, VA = Virtual Access
IKEv2 Exchanges Overview
(figure: exchanges between peers A and B)
1. IKE_SA_INIT (2 messages): IKE_SA authentication parameters negotiated
2. IKE_AUTH + CREATE_CHILD_SA (2 messages): IKE authentication occurs and one CHILD_SA created
3. [CREATE_CHILD_SA (2 messages): second CHILD_SA created]
4. Protected data
Configuration Payload
(figure: Initiator and Responder)
The client asks for the address in IKE_AUTH:
  HDR, SK {IDi, AUTH, CP(CFG_REQUEST), SAi2, TSi, TSr}
The server responds with the address:
  HDR, SK {IDr, AUTH, CP(CFG_REPLY), SAr2, TSi, TSr}
FlexVPN: IKEv2 Routing
• Route exchange during IKE negotiation is driven from the IKEv2 authorization policy
• This authorization profile is either locally defined or centralized (AAA server)!
• Administrative distance can be modified via route accept any distance <x>
(figure: Initiator and Responder exchange CFG_REQUEST / CFG_REPLY and CFG_SET / CFG_ACK; each side applies "Route Accept?" to what it receives)
Initiator routing table:
C 192.168.1.0/24 Eth0
C 10.0.0.2 Tunnel0
S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0
S 192.168.0.0/16 Tunnel0
Responder routing table:
C 192.168.100.0/24 Eth0
C 10.0.0.254/32 -> Loopback0
S 0.0.0.0/0 Dialer0
S 192.168.0.0/16 Null0
S 10.0.0.2/32 Tunnel0
S 192.168.1.0/24 Tunnel0
Initiator sends its own routes to the responder. Routes sent to the peer are determined by:
• interface (‘route set interface’)
• access-list (‘route set access-list’)
• direct statement (‘route set remote’)
Inbound route filter (by tag or AD) is possible using ‘route accept’. Default is ‘accept any’!
For maximal security, remote routes can be denied and route addition can be controlled locally using ‘route set local’
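The route exchange above as an added Python model (not IOS code and not part of the deck): the initiator advertises 10.0.0.2/32 and 192.168.1.0/24, the responder replies with 10.0.0.254/32 and 192.168.0.0/16, and each side applies its 'route accept' policy before installing static routes on Tunnel0. The per-peer prefix allow-list is an assumption added to show what the default 'accept any' would otherwise install; the real IOS inbound filter works on route tag or administrative distance.

```python
"""Model of the FlexVPN IKEv2 route exchange shown on the slide.

Added illustration, not IOS code: 'route set' / 'route accept' are modelled in
simplified form, and the per-peer prefix allow-list is an added assumption
(the IOS inbound filter works on route tag or administrative distance).
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str            # e.g. "192.168.1.0/24"
    via: str               # outgoing interface
    distance: int          # administrative distance
    tag: Optional[int] = None


@dataclass
class RouteAccept:
    """Inbound policy applied at 'Route Accept?' ('route accept ...' in the authorization policy)."""
    mode: str = "any"          # IOS default is 'accept any'; 'none' installs nothing from the peer
    tag: Optional[int] = None  # accept only routes carrying this tag
    distance: int = 1          # AD of installed routes ('route accept any distance <x>')
    allowed: List[str] = field(default_factory=list)  # assumed per-peer allow-list, not an IOS knob


def routes_to_send(tunnel_ip: str, acl_prefixes=(), remote_prefixes=()) -> List[str]:
    """What a peer advertises: its tunnel address ('route set interface') plus the
    prefixes from 'route set access-list' and 'route set remote'."""
    return [f"{tunnel_ip}/32", *acl_prefixes, *remote_prefixes]


def accept_routes(policy: RouteAccept, received: List[str], tunnel_if: str,
                  tag: Optional[int] = None) -> List[Route]:
    """Filter prefixes received in CFG_REQUEST/CFG_REPLY and return the static
    routes that get installed toward the tunnel interface."""
    if policy.mode == "none" or (policy.tag is not None and tag != policy.tag):
        return []
    installed = []
    for prefix in received:
        net = ip_network(prefix)
        # Added check: ignore anything outside what this peer may announce
        if policy.allowed and not any(net.subnet_of(ip_network(a)) for a in policy.allowed):
            continue
        installed.append(Route(str(net), tunnel_if, policy.distance, tag))
    return installed


def exchange(initiator_policy: RouteAccept, responder_policy: RouteAccept,
             initiator_routes: List[str], responder_routes: List[str]):
    """One config exchange: CFG_REQUEST carries the initiator's routes, CFG_REPLY the
    responder's. Returns (routes installed on initiator, routes installed on responder)."""
    on_responder = accept_routes(responder_policy, initiator_routes, "Tunnel0")
    on_initiator = accept_routes(initiator_policy, responder_routes, "Tunnel0")
    return on_initiator, on_responder


def slide_scenario(extra_spoke_routes=(), hardened_hub: bool = False):
    """Spoke 10.0.0.2 with LAN 192.168.1.0/24 as initiator, hub 10.0.0.254 summarising
    192.168.0.0/16 as responder. extra_spoke_routes models prefixes a misconfigured
    spoke adds; hardened_hub restricts the hub to this spoke's expected prefixes."""
    spoke_sends = routes_to_send("10.0.0.2", acl_prefixes=["192.168.1.0/24"]) + list(extra_spoke_routes)
    hub_sends = routes_to_send("10.0.0.254", acl_prefixes=["192.168.0.0/16"])
    hub_policy = RouteAccept(allowed=["10.0.0.2/32", "192.168.1.0/24"]) if hardened_hub else RouteAccept()
    return exchange(RouteAccept(), hub_policy, spoke_sends, hub_sends)
```

With the default policy the hub installs whatever the spoke sends, including a 0.0.0.0/0 from a misconfigured spoke; the hardened policy installs only the two prefixes from the slide.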
Routing Based Resiliency
FlexVPN Backup: Routing Based Multi-Hub Resiliency (1)
(figure: a spoke with tunnels to Hub 1 and Hub 2 reaching 192.168.100.0/24)
1. Tunnels to both hubs are constantly active
2. Traffic can transit via either tunnel (active-standby) or both tunnels (load-balancing)
FlexVPN Backup: Routing Based Multi-Hub Resiliency (2)
1. Hub 1 fails, tunnels go down (IKEv2 liveness, hold timer, …)
2. Traffic goes through the remaining tunnel
Non-Routed Backup Mechanisms
FlexVPN Backup Peers (1)
(figure: a spoke reaching 192.168.100.0/24 through hubs at 172.16.0.1 and 172.16.0.2)
1. Tunnels are set up to a primary Hub1
FlexVPN Backup Peers (2)
1. The primary Hub1 fails
2. New tunnels are set up to a backup Hub2
FlexVPN Backup Peers (3) – Spoke Config.
Also works with Routing Protocol
RADIUS Backup List Attribute: ipsec:ipsec-backup-gateway
crypto ikev2 authorization policy default
 route set interface
 route set access-list 99
!
aaa authorization network default local
!
crypto ikev2 profile default
 match certificate HUBMAP
 identity local fqdn Spoke1.cisco.com
 authentication remote rsa-sig
 authentication local pre-shared
 keyring local
 pki trustpoint CA
 aaa authorization group cert list default default
 ! Detect hub failure
 dpd 30 2 on-demand
!
crypto ikev2 client flexvpn default
 client connect tunnel 0
 ! To primary hub
 peer 1 172.16.1.254
 ! To secondary hub
 peer 2 172.16.1.253
!
interface Tunnel0
 ip address negotiated
 tunnel source FastEthernet0/0
 ! Destination managed by the FlexVPN client
 tunnel destination dynamic
 tunnel protection ipsec profile default
Powerful Peer Syntax:
 peer reactivate (switch back)
 peer <n> <ip>
 peer <n> <ip> track <x>
 peer <n> <fqdn> [dynamic [ipv6]]
 peer <n> <fqdn> [dynamic …] track <x>
• Up to 10 backup gateways pushed by config-exchange
• Nth source selected only if corresponding track object is up
FlexVPN Tunnel Pivot
• Use when different Service Providers are used to connect to the remote host
(figure: the Client reaches the Hub over Service Provider 1 via GigE0/0 or Service Provider 2 via FastE2/0; an ICMP-echo IP SLA probe drives the tracker state (Up/Down) that selects the source of the IPsec tunnel)
track 1 ip sla 1 reachability
!
crypto ikev2 client flexvpn remote1
 peer 10.0.0.1
 ! Primary source, used only while track 1 is up
 source 1 interface GigabitEthernet0/0 track 1
 source 2 interface FastEthernet2/0
 client connect tunnel 0
!
interface Tunnel0
 ip address negotiated
 …
 tunnel source dynamic
 tunnel destination dynamic
 …
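Backup peer selection (previous slide) and source selection for the tunnel pivot (this slide), as an added Python model rather than IOS code: candidates are tried in 'peer <n>' / 'source <n>' order, a tracked one counts only while its track object is up, a DPD timeout marks the hub dead, and 'peer reactivate' switches back to the primary once it answers again. The ordering of hubs pushed by config-exchange and the immediate switch back to a recovered source are assumptions of this model.

```python
"""FlexVPN client peer/source selection, modelled after the two slides above.

Added illustration, not IOS code. Assumptions: a 'peer'/'source' with a track
object is eligible only while that track is up; a hub declared dead by DPD is
skipped until it answers again; 'peer reactivate' moves back to the best
eligible peer; sources are re-selected the same way when a tracker recovers.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Candidate:
    seq: int                     # order from 'peer <n> ...' / 'source <n> ...'
    name: str                    # peer IP/FQDN or source interface name
    track: Optional[int] = None  # '... track <x>'


@dataclass
class FlexVpnClient:
    peers: List[Candidate]
    sources: List[Candidate]
    reactivate: bool = False                            # 'peer reactivate'
    track_up: Dict[int, bool] = field(default_factory=dict)
    dead_peers: Set[str] = field(default_factory=set)   # set by DPD ('dpd 30 2 on-demand')
    current_peer: Optional[str] = None

    def _eligible(self, c: Candidate) -> bool:
        if c.track is not None and not self.track_up.get(c.track, False):
            return False
        return c.name not in self.dead_peers

    def select_source(self) -> Optional[str]:
        """Tunnel pivot: lowest-numbered source whose IP SLA tracker is up."""
        return next((c.name for c in sorted(self.sources, key=lambda c: c.seq)
                     if self._eligible(c)), None)

    def select_peer(self) -> Optional[str]:
        """Backup peers: keep the current hub while usable unless 'peer reactivate'
        is configured, in which case the best eligible peer always wins."""
        ordered = sorted(self.peers, key=lambda c: c.seq)
        if not self.reactivate:
            for c in ordered:
                if c.name == self.current_peer and self._eligible(c):
                    return c.name
        self.current_peer = next((c.name for c in ordered if self._eligible(c)), None)
        return self.current_peer

    def dpd_timeout(self, peer: str) -> Optional[str]:
        """DPD declared the hub dead ('Detect Hub Failure'): mark it and re-select."""
        self.dead_peers.add(peer)
        return self.select_peer()

    def peer_recovered(self, peer: str) -> Optional[str]:
        self.dead_peers.discard(peer)
        return self.select_peer()


def with_pushed_gateways(static: List[Candidate], pushed: List[str], limit: int = 10):
    """Append hubs learned through config-exchange (RADIUS ipsec:ipsec-backup-gateway)
    after the static peers; the slide states up to 10 may be pushed. Ordering is assumed."""
    start = max((c.seq for c in static), default=0) + 1
    return static + [Candidate(start + i, ip) for i, ip in enumerate(pushed[:limit])]


def spoke_scenario(reactivate: bool) -> List[Optional[str]]:
    """Spoke config from the slide (peer 1 172.16.1.254, peer 2 172.16.1.253):
    peer in use after initial connect, after Hub1 DPD timeout, after Hub1 recovers."""
    client = FlexVpnClient(
        peers=[Candidate(1, "172.16.1.254"), Candidate(2, "172.16.1.253")],
        sources=[Candidate(1, "GigabitEthernet0/0", track=1), Candidate(2, "FastEthernet2/0")],
        reactivate=reactivate, track_up={1: True})
    return [client.select_peer(), client.dpd_timeout("172.16.1.254"),
            client.peer_recovered("172.16.1.254")]
```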
IoT Deployment Lab (physical)
IoT Deployment Lab Topology
(figure) LAN Devices – IR829 – SP eNodeB – Hub-1 / Hub-2 – Data Center / Head Router
Legend: IPv4 WAN Connection, LAN Connection, Active IPSEC Tunnel, Standby IPSEC Tunnel, Traffic Flow
Addresses shown: 192.168.101.254/24, 192.168.101.1/24, 192.168.102.254/24, 192.168.102.1/24, 192.168.123.123/24, 192.168.X.254/24, 173.36.209.21/26, 173.36.209.22/26
IoT Deployment Lab: Non-Mission Critical Application
(figure: the lab topology above, shown over several animation steps; traffic from the LAN devices crosses the IR829 and the SP eNodeB over the active IPsec tunnel to one hub, with a standby IPsec tunnel to the other, and on to the Data Center / Head Router)
IoT Deployment Lab: Mission Critical Application
(figure: the lab topology above, shown over several animation steps; traffic from the LAN devices crosses the IR829 and the SP eNodeB over the active IPsec tunnel to one hub, with a standby IPsec tunnel to the other, and on to the Data Center / Head Router)
FlexVPN Lab (virtual)
FlexVPN in IoT Lab Topology
(figure) Spoke-1, Spoke-2 and Spoke-3, each with a host (Spk-1-Host, Spk-2-Host, Spk-3-Host), connect over the Internet to Hub-1 and Hub-2; a FreeRadius Server sits behind the hubs and a Broadband Backup link (DHCP) is also shown
Legend: IPv4 WAN Connection, IPv6 WAN Connection, LAN Connection, IPSEC Tunnel
Networks shown: 209.1.1.2/24, 209.1.2.2/24, 209.1.3.2/24, 172.16.0.0/24, 172.16.1.0/24, 172.16.2.0/24, 172.16.3.0/24, 200.1.1.0/24
Hands-on lab
• Lab access – printed instructions.
• Lab guide
  • Desktop
  • http://cs.co/LTRIOT-2570
• In IoT Deployment Lab (physical), due to lack of console access, please DO NOT:
  • Reload the router.
  • Modify the GigabitEthernet1 or Vlan1 configuration.
  • Add default/summary routes which can impact the connectivity
• In FlexVPN Lab (virtual) the simulations are already started – skip Step 3.
• 90 min per lab.
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you