Multicast over IPsec VPN Design Guide
This design guide provides detailed configuration examples for implementing IP multicast (IPmc) in a
QoS-enabled IP Security (IPsec) virtual private network (VPN).
Contents
Introduction 2
  IPmc Requirement in Enterprise Networks 2
  IPsec Deployment with Point-to-Point GRE 2
  Virtual Tunnel Interface 3
  Redundant VPN Headend Design 3
IPmc Deployment 4
  Topology 4
    Topology Overview 4
    Detailed Topology 6
  Point-to-Point GRE over IPsec Configuration 7
    Common Configuration Commands 7
    IPmc Rendezvous Point and IP PIM Auto-RP Configuration 12
    Headend p2p GRE over IPsec Router 13
    Secondary Campus and Disaster Recovery 16
    Remote Branch Routers 19
  Virtual Tunnel Interface Configuration 24
    VTI Support for IPmc 24
    Topology 24
    Configuration Examples 25
  DMVPN Hub-and-Spoke (mGRE) Configuration 29
  IPmc Deployment Summary 29
Performance Testing 29
  Overview 29
  Topology 30
  Traffic Profile 31
  Configurations 32
  Summary 36
Appendix A—Output of debug ip pim 36
Appendix B—Output from Last Hop Router rtp9-ese-test 37
Appendix C—IPmc and Dynamic VTI 37

Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright © 2006 Cisco Systems, Inc. All rights reserved.
Introduction
This design guide addresses implementing IPmc in a QoS-enabled IPsec VPN WAN for both site-to-site
and small office/home office (SOHO).
This design guide is the fourth in a series of Voice and Video Enabled IPsec VPN (V3PN) design guides that are available under the general link http://www.cisco.com/go/srnd, which also contains many useful design guides on QoS, IPmc, and WAN architectures:
Voice and Video Enabled IPsec VPN (V3PN) Design Guide
Enterprise Class Teleworker: V3PN for Teleworkers Design Guide
IPsec VPN Redundancy and Load Sharing Design Guide
IPmc Requirement in Enterprise Networks
IPmc is a means to conserve bandwidth and deliver packets to multiple receivers without placing additional burden on the source or the receivers of the packets. Applications that deliver their data content
using IPmc include videoconferencing, Cisco IP/TV broadcasts, distribution of files or software
packages, real-time price quotes of securities trading, news, and even video feeds from IP video
surveillance cameras.
The distribution of large data files to all branches by means of a mass update is an efficient way to
distribute parts lists, price sheets, or inventory data. Commercial software packages are available to
optimize this file replication process by using IPmc as the transport mechanism. The corporate server
sends one IPmc stream, and the networked routers replicate these packets so that all remote locations
receive a copy of the file. The software can detect packet loss and at the end of the transfer, request an
IP unicast stream of the missing portions to ensure the file is complete and valid.
IPsec Deployment with Point-to-Point GRE
Generic Routing Encapsulation (GRE) is often deployed with IPsec for several reasons, including the following:
• IPsec Direct Encapsulation supports unicast IP only. If network layer protocols other than IP are to be supported, an IP encapsulation method must be chosen so that those protocols can be transported in IP packets.
• IPmc is not supported with IPsec Direct Encapsulation. IPsec was created to be a security protocol between two and only two devices, so a service such as multicast is problematic. An IPsec peer encrypts a packet so that only one other IPsec peer can successfully decrypt it. IPmc is not compatible with this mode of operation.
• Until the introduction of IPsec Virtual Tunnel Interface (VTI), IPsec tunnels were not logical tunnel interfaces for routing purposes. A point-to-point (p2p) GRE tunnel, on the other hand, is a logical router interface for purposes of forwarding IP (or any other network protocol) traffic. A tunnel interface can appear as a next-hop interface in the routing table.
Virtual Tunnel Interface
VTI is introduced in Cisco IOS Release 12.3(14)T. A tunnel interface configured with the new interface command tunnel mode ipsec ipv4, together with the previously introduced tunnel protection interface command, enables the VTI feature.
Note
Tunnel protection alleviates the need to apply crypto maps to the outside interface.
VTI provides a routable interface (for example, interface Tunnel0) and therefore supports the encryption of IPmc.
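The following branch-side configuration shows the two commands just described turning a tunnel interface into a static VTI that carries IPmc. It is an added illustration, not a configuration from this guide or from Cisco; the interface names, IP addresses, pre-shared key and profile names are assumptions, and the guide's own VTI examples appear in the "Virtual Tunnel Interface Configuration" section.

```text
! ---- Remote branch router: static VTI instead of p2p GRE (added example) ----
! Phase 1 policy and pre-shared key for the assumed headend peer 198.51.100.1
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ExamplePSK-ReplaceMe address 198.51.100.1
!
! VTI uses IPsec tunnel mode (the transform-set default): there is no GRE
! header, so the tunnel interface's IP packets are encapsulated directly in ESP.
crypto ipsec transform-set VTI-TS esp-aes esp-sha-hmac
!
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
!
ip multicast-routing
! Needed so the Auto-RP discovery group is flooded across sparse-mode interfaces.
ip pim autorp listener
!
interface Tunnel0
 description static VTI to primary campus headend (assumed addresses)
 ip address 10.62.1.2 255.255.255.252
 ! PIM runs only on the tunnel, so PIM hellos and joins are always encrypted.
 ip pim sparse-mode
 tunnel source FastEthernet0
 tunnel destination 198.51.100.1
 ! This command makes the interface a VTI. GRE keepalives do not apply here;
 ! the line protocol instead tracks the state of the IPsec SA.
 tunnel mode ipsec ipv4
 ! Same tunnel protection command as in the p2p GRE design; no crypto map
 ! is applied to the outside interface.
 tunnel protection ipsec profile VTI-PROF
!
interface FastEthernet0
 description outside (DSL/cable), assumed address
 ip address 192.0.2.10 255.255.255.0
!
interface FastEthernet1
 description inside LAN with IPmc receivers, assumed address
 ip address 10.62.10.1 255.255.255.0
 ip pim sparse-mode
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 10.0.0.0 255.0.0.0 Tunnel0
!
! Verification: the tunnel must show an active IPsec SA and a PIM neighbour
! (the headend's tunnel address) before IPmc can flow.
! show crypto ipsec sa
! show ip pim neighbor
! show ip pim interface
```

The headend side mirrors this with the source and destination addresses swapped and one Tunnel interface per branch. Because a VTI encapsulates IP only, it cannot carry the non-IP protocols that a GRE tunnel can; for an IP-only and IPmc-only WAN that is no loss, and the ESP packet is 24 bytes smaller than the GRE-over-IPsec equivalent in transport mode plus GRE.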
Redundant VPN Headend Design
Because failsafe operation is a mandatory feature in many enterprise networks, redundancy should be
built into headend designs. From each branch location, a minimum of two tunnels should be configured
back to different headend devices. When sizing the headend installation, the failure of a single headend
device should be taken into consideration. When adding an intelligent service such as IPmc, adding
additional headend routers and spreading the load of the VPN terminations across more devices allows
for the headend routers to “share” CPU load, thus making the solution more scalable.
Note
In the interest of clarity and brevity, many of the examples shown in this design guide show only a single
headend router in the topology. It is assumed in a customer deployment that redundant headend routers
are configured similarly to the primary headend configuration shown.
IPmc Deployment
This chapter discusses recommended and optional configurations for IPmc deployments in an encrypted WAN topology. This section includes the following recommended guidelines:
• Use multiple rendezvous points (RPs) for high availability.
• Use IP Protocol Independent Multicast (PIM) sparse mode and IP PIM Auto-RP listener.
Note
Auto-RP is used in the deployment example but is not a requirement; a statically configured RP address can be used instead.
• Disable fast switching of IPmc as required on IPsec routers.
• Mark the ToS byte of IPsec packets for proper classification and bandwidth allocation.
• GRE keepalives can be used in p2p GRE tunnels to eliminate the need for a routing protocol.
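The guidelines above, together with the reasons given earlier for running p2p GRE inside IPsec, come together in the following branch and headend configuration. It is an added illustration, not a configuration from this guide or from Cisco; the interface names, IP addresses, pre-shared key and profile names are assumptions, and the guide's own per-site configurations appear in the "Point-to-Point GRE over IPsec Configuration" section.

```text
! ---- Remote branch router (added example; all addresses assumed) ----
! Phase 1 policy and pre-shared key for the headend peer 198.51.100.1
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ExamplePSK-ReplaceMe address 198.51.100.1
!
! Transport mode saves 20 bytes per packet: the GRE header already carries
! the inner IP packet, so an extra outer IP header from tunnel mode is not needed.
crypto ipsec transform-set V3PN-TS esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile V3PN-PROF
 set transform-set V3PN-TS
!
ip multicast-routing
! Lets the Auto-RP groups (224.0.1.39 announce, 224.0.1.40 discovery) be
! flooded over sparse-mode interfaces, so this router learns the RP addresses.
ip pim autorp listener
!
interface Tunnel0
 description p2p GRE over IPsec to primary campus headend
 ip address 10.62.1.2 255.255.255.252
 ! PIM neighbours exist only inside the encrypted tunnel, never on the outside interface.
 ip pim sparse-mode
 ! The ToS byte is copied from the inner packet to the GRE and ESP headers by
 ! default; qos pre-classify lets the outbound service policy on the physical
 ! interface classify on the pre-encryption headers as well.
 qos pre-classify
 ! GRE keepalives (10-second interval, 3 misses) bring the line protocol down
 ! when the headend is unreachable, so the static route via Tunnel0 below is
 ! withdrawn without a routing protocol running over the tunnel.
 keepalive 10 3
 ! no ip mroute-cache   <- only where the platform/release requires
 !                         process switching of IPmc over IPsec
 tunnel source FastEthernet0
 tunnel destination 198.51.100.1
 ! Tunnel protection replaces a crypto map on the outside interface.
 tunnel protection ipsec profile V3PN-PROF
!
interface FastEthernet0
 description outside (DSL/cable)
 ip address 192.0.2.10 255.255.255.0
!
interface FastEthernet1
 description inside LAN with IPmc receivers
 ip address 10.62.10.1 255.255.255.0
 ip pim sparse-mode
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 10.0.0.0 255.0.0.0 Tunnel0
!
! ---- Headend router: one Tunnel interface per branch ----
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ExamplePSK-ReplaceMe address 192.0.2.10
crypto ipsec transform-set V3PN-TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile V3PN-PROF
 set transform-set V3PN-TS
!
ip multicast-routing
! Required on every router between the RP/mapping agent and the remotes,
! otherwise the discovery messages stop at the first sparse-mode-only hop.
ip pim autorp listener
!
interface Tunnel62
 description p2p GRE over IPsec to branch 62
 ip address 10.62.1.1 255.255.255.252
 ip pim sparse-mode
 qos pre-classify
 keepalive 10 3
 tunnel source GigabitEthernet0/1
 tunnel destination 192.0.2.10
 tunnel protection ipsec profile V3PN-PROF
!
ip route 10.62.10.0 255.255.255.0 Tunnel62
```

A second tunnel from the branch to the secondary headend (Tunnel1, as described under "Detailed Topology") is the same stanza with a different destination and a less preferred static route, and the keepalive on each tunnel is what makes the fail-over happen.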
Topology
This section provides a high-level overview as well as details of the topology in use.
Topology Overview
This topology overview divides the network into the following four major components, as shown in Figure 1:
• Primary campus
• Secondary campus
• Disaster recovery hot site
• Remote SOHO routers
Figure 1 Topology Overview
[Figure 1 shows the primary campus (Cisco 7200VXR routers rtp5-esevpn-gw3, rtp5-esevpn-gw4 and rtp5-esevpn-gw5), the secondary campus and the disaster recovery hot site (routers VPN4-2651xm-1 and Video-831), and the remote SOHO routers, all interconnected over the Internet. The two rendezvous points have the addresses 10.59.138.1 and 10.81.7.219.]
Note
The host names and series or model number of routers in this guide are not intended to imply
performance characteristics suitable for all customer deployments. Various models of routers were used
in developing this design guide to provide a variety of configuration examples. For example, a Cisco 831
router is typically deployed at a SOHO location rather than at a disaster recovery site.
The remote SOHO routers establish an IPsec-encrypted p2p GRE tunnel to one or more campus
locations. For purposes of illustration, only one GRE tunnel is configured and shown, but it is assumed
that in an actual customer deployment, a p2p GRE tunnel terminates at both major campus locations.
Another option is for the customer to advertise a network prefix encompassing the IPsec and p2p GRE
headend peer address from both the primary campus and the disaster recovery hot site. In the event of a
failure of the primary campus, the IPsec and p2p GRE headend peer address, router, and configuration
can be brought online at the disaster recovery site.
Two IPmc RPs are configured on routers dedicated for this purpose in the sample topology and are located at two separate physical locations. The RP IP addresses are not manually configured on the remote routers; instead IP PIM Auto-RP is used. The interfaces of the routers are configured as IP PIM Sparse Mode, and the ip pim autorp listener global configuration command is used on all remote routers. This command allows IP PIM Auto-RP to function over IP PIM Sparse Mode interfaces. The rendezvous points (acting as Auto-RP mapping agents) transmit an RP-Discovery to the Cisco discovery multicast group (224.0.1.40). The remote routers join the 224.0.1.40 group when ip pim autorp listener is configured.
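The Auto-RP exchange described above, with the two RP routers acting as both candidate RPs and mapping agents, looks as follows. This is an added illustration, not a configuration from this guide or from Cisco; the group range, access-list numbers and scope value are assumptions (the RP addresses are the ones shown in Figure 1), and the guide's own RP configuration appears under "IPmc Rendezvous Point and IP PIM Auto-RP Configuration".

```text
! ---- RP router 10.59.138.1: candidate RP and mapping agent (added example) ----
! Group range the RPs serve; an administratively scoped range is assumed.
access-list 10 permit 239.0.0.0 0.255.255.255
! Only these two routers may announce themselves as RP. Applied on the mapping
! agents, this stops a rogue or misconfigured router from hijacking the RP role.
access-list 20 permit host 10.59.138.1
access-list 20 permit host 10.81.7.219
!
ip multicast-routing
ip pim autorp listener
!
interface Loopback0
 ip address 10.59.138.1 255.255.255.255
 ip pim sparse-mode
!
! Candidate RP: sends RP-Announce to 224.0.1.39 for the groups in ACL 10.
! scope 16 is the TTL of the announcement; it must be large enough to reach
! every mapping agent across the encrypted tunnels, and small enough not to
! leak the announcements beyond the VPN.
ip pim send-rp-announce Loopback0 scope 16 group-list 10
! Mapping agent: listens on 224.0.1.39, picks the candidate with the highest
! IP address for each group range, and sends RP-Discovery to 224.0.1.40.
ip pim send-rp-discovery Loopback0 scope 16
ip pim rp-announce-filter rp-list 20 group-list 10
!
! The second RP router (10.81.7.219) is configured identically except for its
! loopback address. Because that address is higher, the mapping agents elect it
! as RP for 239.0.0.0/8; 10.59.138.1 is the backup and is elected when the
! announcements from 10.81.7.219 time out.
!
! ---- Every other router (headends and remotes) ----
ip multicast-routing
ip pim autorp listener
! plus ip pim sparse-mode on the tunnel and LAN interfaces
!
! Static alternative mentioned in the text, with no Auto-RP at all:
! ip pim rp-address 10.81.7.219 10
!
! Verification on a remote router:
! show ip pim rp mapping     -> 239.0.0.0/8 RP 10.81.7.219, learned via Auto-RP
! show ip pim autorp         -> RP-Discovery packets received counter increasing
! show ip mroute 224.0.1.40  -> (*,G) entry in dense mode on the tunnel
```

The rp-announce-filter is the check a practitioner wants: Auto-RP has no authentication of its own, so the only thing that keeps an unexpected router out of the RP role is this filter on the mapping agents together with the encrypted tunnels being the only path the announcements can take.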
The WAN links in this topology consist of broadband DSL and cable for the remote branch routers, DS3
or greater Internet links at the campus, and FastEthernet and GigabitEthernet between the primary,
secondary, and disaster recovery site.
Detailed Topology
In a closer look at the topology, the individual remote routers are identified as well as the p2p GRE tunnel interface numbers on the headend IPsec and GRE router. All remote routers use the nomenclature of Tunnel0 for their primary p2p GRE tunnel, and Tunnel1 (where configured) as their backup or secondary p2p GRE tunnel. (See Figure 2.)