Using External Connectors in Distributed Cloud with AWS and Cisco
By F5 DevCentral Community
Key Concepts
- External Connector: A feature on Customer Edge (CE) sites enabling secure connectivity to third-party entities.
- IPSec VPN: A secure tunnel protocol used for site-to-site connectivity.
- IKE (Internet Key Exchange): The protocol (IKEv2 in this demo) used for mutual authentication and for establishing the security associations (Phase 1 and Phase 2).
- BGP (Border Gateway Protocol): A routing protocol used to exchange reachability information between the CE site and the third-party router.
- BGP Routing Policy: A mechanism to filter or manipulate routes using match criteria (prefixes, communities, AS path) and actions (allow, deny, MED, local preference).
- Dead Peer Detection (DPD): A mechanism to verify the availability of a remote peer via keep-alive timers.
1. IPSec VPN Configuration
The demo establishes a tunnel between a CE site (AWS) and a Cisco 8000V router.
- IKE Profiles: The system uses pre-configured IKE Phase 1 and Phase 2 profiles (AES-GCM encryption, Diffie-Hellman groups 19/20).
- Connection Parameters:
- Mode: Initiator (CE actively brings up the tunnel) or Responder.
- IKE IDs: Local and remote IDs must match exactly on both peers. The CE uses its tunnel source IP as the local ID.
- Remote Gateway: The public IP of the Cisco router (44.212.131.89).
- Tunnel Endpoints: Configured on the CE interface (ENS50) with specific tunnel addresses (172.16.1.2/24 for local, 172.16.1.1/24 for remote).
- Authentication: Pre-shared key (e.g., "Cisco123").
2. Cisco Router Configuration
The Cisco 8000V configuration must mirror the CE settings:
- IKEv2 Profile: Defines local/remote identities to match the CE site's configuration.
- Transform Sets: Must match the CE’s encryption algorithms (ESP-GCM 256/192/128).
- Tunnel Interface: Configured with the tunnel source (GigabitEthernet 1) and destination (CE public IP), applying the IPSec profile.
3. BGP Peering Setup
Once the tunnel is active, BGP is configured to exchange routes:
- Peer Configuration: The CE is configured with the remote ASN (65001). The peer interface is set to the "external connector" name.
- Passive Mode: Disabled, allowing the CE to actively negotiate BGP with the Cisco router.
- Verification:
- Dashboard: Shows tunnel status as "Up" and BGP status as "Established."
- CLI Tools: Commands like "show ip bgp neighbors", "show ip bgp summary", and "show ip bgp neighbor advertise routes" are used to validate connectivity and prefix exchange.
4. BGP Routing Policy Framework
The demo demonstrates inbound route filtering to control which prefixes are accepted.
- Methodology: Policies consist of rules with a Match section (Prefix list, AS path, etc.) and an Action section (Allow/Deny).
- Rule Ordering: Rules are processed sequentially. The demo highlights that a "Deny" rule for a specific prefix must be followed by an "Allow" rule for all other prefixes (0.0.0.0/0) to prevent dropping all traffic.
- Application: The policy is applied to the BGP peer in the "Inbound" direction.
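The sequential, first-match rule evaluation described above, as an added illustration that is not part of the original demo or of F5's product code: a small Python model of an inbound BGP policy, with the demo's deny-then-allow ordering beside the deny-only mistake that drops every route. The received prefixes are constructed sample values; the implicit deny when no rule matches is an assumption drawn from the demo's warning about "dropping all traffic".

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: prefixes the remote Cisco router advertises to the CE.
RECEIVED_PREFIXES = [
    "10.222.120.0/24",   # the prefix the demo denies
    "10.222.121.0/24",
    "192.168.50.0/24",
]


@dataclass
class Rule:
    action: str           # "allow" or "deny"
    prefixes: List[str]   # prefix-list entries as "network/length"
    le: Optional[int] = None  # optional max prefix length, like Cisco's "le 32"

    def matches(self, prefix: str) -> bool:
        net = ipaddress.ip_network(prefix)
        for entry in self.prefixes:
            m = ipaddress.ip_network(entry)
            if net.version != m.version:
                continue  # an IPv4 entry never matches an IPv6 route
            if self.le is None:
                if net == m:           # no length range: exact match only
                    return True
            elif net.subnet_of(m) and net.prefixlen <= self.le:
                return True            # 0.0.0.0/0 le 32 matches any IPv4 route
        return False


def apply_inbound_policy(rules: List[Rule], received: List[str]) -> List[str]:
    """Evaluate rules in order; the first match decides. No match: implicit deny."""
    accepted = []
    for prefix in received:
        decision = "deny"
        for rule in rules:
            if rule.matches(prefix):
                decision = rule.action
                break
        if decision == "allow":
            accepted.append(prefix)
    return accepted


# Policy as the demo describes it: deny 10.222.120.0/24, then allow everything else.
DEMO_POLICY = [Rule("deny", ["10.222.120.0/24"]), Rule("allow", ["0.0.0.0/0"], le=32)]
# The pitfall: a deny rule with no trailing allow rule leaves nothing accepted.
DENY_ONLY_POLICY = [Rule("deny", ["10.222.120.0/24"])]
```

Swapping the two rules in DEMO_POLICY makes the allow-all rule match first and lets 10.222.120.0/24 through, which is the ordering error the demo warns about.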
5. Notable Statements
- On IKE IDs: "What matters is the matching aspect on both sides... the choice itself does not matter."
- On Security: "In production environments, it is always recommended to use more secure pre-shared keys and rotate them."
- On Policy Logic: "Notice the order of rules is important. We first deny the 10.222.120.0/24 and allow everything else."
Synthesis and Conclusion
The external connector feature simplifies the integration of third-party network infrastructure into a distributed cloud fabric. By leveraging standardized IKEv2 profiles and a structured BGP routing policy engine, administrators can establish secure, scalable site-to-site connectivity. The process relies on strict parameter matching (IKE IDs, encryption suites, and ASNs) and careful policy sequencing to ensure that routing tables are populated only with desired prefixes. For further resources, users are directed to F5’s hybrid multicloud management documentation.