Virtual Tunnel Interface (VTI) Design Guide
This design guide is written for systems engineers and support engineers to provide guidelines and best
practices for deploying virtual tunnel interfaces (VTIs).
This design guide defines the comprehensive functional components required to build an enterprise
virtual private network (VPN) solution that can transport IP telephony and video. It identifies the
individual hardware requirements and their interconnections, software features, management needs, and
partner dependencies. This helps a customer deploy a manageable and maintainable enterprise VPN
solution. It is assumed that the reader has a basic understanding of IP Security (IPsec).
This design guide is part of an ongoing series that addresses VPN solutions, using the latest VPN
technologies from Cisco, and based on practical, tested designs.
Contents
Introduction 4
Design Overview 5
    Starting Assumptions 5
    Design Components 6
    Comparing DVTI with other VPN Topologies 7
    Understanding Scalability Results 9
Best Practices and Known Limitations 9
    Best Practices Summary 9
        General Best Practices 9
        Headend Best Practices 10
        Branch Office Best Practices 10
    Known Limitations Summary 11
        General Limitations 11
        Headend Limitations 11
        Branch Office Limitations 11
Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright © 2006 Cisco Systems, Inc. All rights reserved.
Design and Implementation 11
    Overview 11
    Design Considerations 12
        Virtual Tunnel Interface 12
        Virtual Template Interface Service 12
        Per-Tunnel Features 13
        Encapsulation 14
        QoS Service Policy 14
        Easy VPN with Dynamic Virtual Tunnel Interface Support 16
    Configuration and Implementation 25
        Topology 25
        VTI Configuration Overview 26
        QoS Configuration 26
        ISAKMP DSCP Value 27
        Trustpoints 28
        ISAKMP Policy 29
        IPsec Profile 30
        Headend Router Configuration 30
        Branch Router Configuration 32
    Dynamic VTI for EZVPN Remote and Server—Dual Tunnel Support 32
    IP Multicast 43
        Topology 43
        EIGRP Headend Router Configuration 44
        EIGRP Branch Router Configuration 44
        OSPF and PIM Headend Router Configuration 45
        OSPF and PIM Branch Router Configuration 46
        Caveats 47
    Address Conservation 47
        Overview of IP Unnumbered 47
        Loopback versus Inside Ethernet/FastEthernet 48
        Examples 48
    High Availability 49
    Interaction with other Networking Functions 49
        Network Address Translation and Port Address Translation 50
        Dynamic Host Configuration Protocol 50
        Firewall Considerations 50
    Common Configuration Mistakes 50
        Transform Set Matching 51
        ISAKMP Policy Matching 51
Scalability Considerations 51
    QoS Configuration for Performance Testing 51
        Policy Map for Branch and Headend 51
        Branch Configuration 52
        Headend using Virtual Template Interface 52
        Target-Shaped Rate 52
    Scaling Recommendations 53
    Scalability Test Results (Unicast Only) 54
        Scalability Test Methodology 54
        Scalability Test Bed Network Diagram 55
        Voice Performance for the Control Branch 56
        Headend CPU Utilization (by Number of Branches) 56
        Tests Varying the Shaped Rate 57
    Scalability Conclusion 58
    Software Releases Evaluated and Caveats 58
    Scalability Test Bed Configuration Files 58
        Cisco 7200VXR Headend Configuration 59
        Branch Office Configuration 60
Alternate Method for Scaling Traffic Shaping Using an ATM PA-A3 Interface 61
    Goal 61
    Performance Testing Overview 62
    QoS Configuration for Performance Testing 62
    ATM Shaping Pre-Crypto 64
    Testbed Network Topology 64
    Test Results 65
    Comments and Observations 66
    Scalability Test Bed Configuration Files 66
        Crypto Cisco 7200VXR Headend Configuration 67
        ATM Cisco 7200VXR Headend Configuration 68
        Branch Office Configuration 70
    Alternate Scaling Using PA ATM-PA3 Conclusion 70
Headend Scale Testing—No QoS on the Logical Interface 70
    Test Overview 71
    Test Results 71
    Analysis of Performance Data 72
Appendix A—Detailed Test Results 72
    Netflow Summary Table 72
    Control Branch 72
    Branch to Headend Upstream 73
    Headend-to-Branch Downstream 74
    Cisco IOS Software Versions Tested 75
    Caveats and DDTS Filed 75
        Line Protocol 75
Appendix B—Peer has IPsec Interface Support 76
Appendix C—Output for debug crypto ipsec client ezvpn Command 77
Appendix D—Output for show crypto session detail Command 79
Appendix D—References 80
Appendix E—Acronyms and Definitions 81
Introduction
The IPsec VPN wide area network (WAN) architecture is described in multiple design guides based on the type of technology used, as shown by the list in Figure 1.

Figure 1 IPsec VPN WAN Design Guides
IPsec VPN WAN Design Overview (OL-9021-01)
Topologies:
    IPsec Direct Encapsulation Design Guide (OL-9022-01)
    Point-to-Point GRE over IPsec Design Guide (OL-9023-01)
    Dynamic Multipoint VPN (DMVPN) Design Guide (OL-9024-01)
    Virtual Tunnel Interface (VTI) Design Guide (OL-9025-01)
Service and Specialized Topics:
    IPsec VPN Redundancy and Load Sharing Design Guide (OL-9025-01)
    Voice and Video IPsec VPN (V3PN): QoS and IPsec Design Guide (OL-9027-01)
    Multicast over IPsec VPN Design Guide (OL-9028-01)
    Digital Certification/PKI for IPsec VPN Design Guide (OL-9029-01)
    Enterprise QoS Design Guide (OL-9030-01)

Each technology uses IPsec as the underlying transport mechanism for each VPN. The operation of IPsec is outlined in the IPsec VPN WAN Design Overview, which also outlines the criteria for selecting a specific IPsec VPN WAN technology. That overview should be used to select the correct technology for the proposed network design.
This design guide builds on the following series of design guides, which are available at http://cco.cisco.com/go/srnd/:
    Voice and Video Enabled IPsec VPN (V3PN) Design Guide
    Enterprise Class Teleworker: V3PN for Teleworkers Design Guide
    Enterprise Class Teleworker: Teleworker Design Guide
    IPsec V3PN: Redundancy and Load Sharing
This design guide is based on Cisco VPN routers running Cisco IOS software, with IPsec as the
tunneling method, using site-to-site VPN topologies. This guide helps evaluate Cisco VPN product
performance in scalable and resilient designs and addresses the following applications of the solution:
Dead Peer Detection (DPD)
Converged data and VoIP traffic requirements
Quality of service (QoS) features enabled
Use of Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF)
as the routing protocol across the VPN
Design Overview
This section provides an overview of the design considerations when implementing VTIs.
Starting Assumptions
Enterprise customers deploy IPsec-based VPNs over public and private networks for secrecy,
authentication, and data integrity. However, IPsec is viewed as a tunnel between two IPsec peers
regardless of the underlying WAN transport.
A VTI is an interface that supports native IPsec tunneling, and allows you to apply interface commands
directly to the IPsec tunnels. The configuration of this tunnel interface is similar to a GRE tunnel
interface and is well understood.
A VTI has most of the properties of a physical interface. It provides a comprehensive solution, creating
dynamic virtual tunnel interfaces (similar to what is currently done in the dialup world) to enable the
deployment of large-scale IPsec networks with minimal configuration.
The design approach presented in this design guide makes several starting assumptions:
    All performance tests were executed with the following:
        A hierarchical Class-Based Weighted Fair Queuing (CBWFQ) policy, which provides queuing within a shaped rate, on the VTI interface pre-crypto on both headend and branch routers
        Dynamic VTI (DVTI) on headend crypto systems, and static VTI on the branches
    The design supports a typical converged traffic profile for customers (see Scalability Test Results (Unicast Only), page 54).
    It is assumed that the customer has a need for diverse traffic requirements, such as IP multicast (IPmc), and support for routing. The use of VTI and routing protocols is also discussed in more detail in Design and Implementation, page 11.
    Cisco products should be maintained at reasonable CPU utilization levels. This is discussed in more detail in Scalability Considerations, page 51, including recommendations for both headend and branch routers, and software revisions.
    Although costs are certainly considered, the design recommendations assume that the customer deploys current VPN technologies, including hardware-accelerated encryption.
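The starting assumptions above describe a headend that clones dynamic VTIs from a virtual template, branches with static VTIs, and a hierarchical CBWFQ policy (child queuing inside a parent shaper) applied on the tunnel interface so that queuing happens before encryption. The following Cisco IOS configuration is a constructed illustration of that arrangement; it is an added example, not a configuration taken from this guide or its test bed. All addresses (RFC 5737 documentation ranges), interface names, policy names, the 512 kbps shaped rate and the pre-shared key are assumptions chosen for the example; the guide's own configuration chapter covers trustpoints and its tested ISAKMP policy, so a pre-shared key is used here only for brevity.

```cisco
! Constructed example (not from the guide). Addresses are RFC 5737 documentation
! ranges; PLACEHOLDER-PSK must be replaced and is only a stand-in for the
! certificate-based authentication the guide's Trustpoints section describes.

! ---------- QoS, identical on both routers: hierarchical CBWFQ ----------
! Applied to the tunnel (logical) interface, so traffic is classified and
! queued on the clear-text packets before IPsec encapsulation (pre-crypto).
class-map match-any VOICE
 match ip dscp ef
class-map match-any CALL-SIGNALING
 match ip dscp cs3
 match ip dscp af31
!
policy-map CBWFQ-CHILD
 class VOICE
  priority percent 33
 class CALL-SIGNALING
  bandwidth percent 5
 class class-default
  fair-queue
!
policy-map SHAPE-512K
 class class-default
  shape average 512000
  service-policy CBWFQ-CHILD
!
! ---------- ISAKMP / IPsec, identical on both routers ----------
! Transform set and ISAKMP policy must match on both peers; mismatches are
! the "Common Configuration Mistakes" the guide's contents list.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI-PROFILE
 set transform-set AES-SHA
!
! ================= HEADEND: dynamic VTI from a virtual template =================
crypto keyring BRANCH-KEYS
 pre-shared-key address 0.0.0.0 0.0.0.0 key PLACEHOLDER-PSK
!
! Any branch that authenticates is handed a virtual-access interface cloned
! from Virtual-Template1, so no per-branch tunnel configuration is needed.
crypto isakmp profile BRANCH-PEERS
 keyring BRANCH-KEYS
 match identity address 0.0.0.0
 virtual-template 1
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface FastEthernet0/0
 description Public side (assumed address)
 ip address 192.0.2.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
 service-policy output SHAPE-512K
!
router eigrp 100
 network 10.0.0.0 0.255.255.255
 no auto-summary
!
! ================= BRANCH: static VTI toward the headend =================
crypto isakmp key PLACEHOLDER-PSK address 192.0.2.1
!
interface Loopback0
 ip address 10.0.1.2 255.255.255.255
!
interface FastEthernet0/0
 description Public side (assumed address)
 ip address 198.51.100.2 255.255.255.0
!
! The tunnel is configured like a GRE tunnel, but "tunnel mode ipsec ipv4"
! makes it a native IPsec tunnel with no GRE header.
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source FastEthernet0/0
 tunnel destination 192.0.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
 service-policy output SHAPE-512K
!
router eigrp 100
 network 10.0.0.0 0.255.255.255
 no auto-summary
```

Because the service policy sits on the tunnel interface rather than on the physical WAN interface, the classifier sees the DSCP of the inner packets, and the shaper bounds the clear-text rate that the crypto engine then has to encrypt; with a per-branch shaper on every cloned virtual-access interface this is exactly the headend load the guide's scalability chapters measure, both with and without QoS on the logical interface.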