Point-to-Point GRE over IPsec Design Guide
OL-9023-01
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Networking Academy logo, Cisco Unity, Fast Step, Follow Me Browsing, FormShare, FrameShare, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the
iQ Logo, iQ Net Readiness Scorecard, MGX, the Networkers logo, ScriptBuilder, ScriptShare, SMARTnet, TransPath, Voice LAN, Wavelength Router, and WebViewer are
trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and Discover All That’s Possible are service marks of Cisco Systems, Inc.; and Aironet,
ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco
Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, GigaStack, IOS, IP/TV,
LightStream, MICA, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are
registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0110R)
Point-to-Point GRE over IPsec Design Guide
© 2006 Cisco Systems, Inc. All rights reserved.
CONTENTS

Preface  vii
    Introduction  vii
    Target Audience  viii
    Scope of Work  viii
    Document Organization  ix

CHAPTER 1  Point-to-Point GRE over IPsec Design Overview  1-1
    Starting Assumptions  1-1
    Design Components  1-2
        Topology  1-2
        LLQ with Generic Traffic Shaping per p2p GRE Tunnel Interface  1-2
        Headend System Architectures  1-3
            Single Tier Headend Architecture  1-3
            Dual Tier Headend Architecture  1-4
            Single Tier Headend Architecture versus Dual Tier Headend Architecture  1-4
        Branch Router Considerations  1-7
            Static p2p GRE over IPsec with a Branch Static Public IP Address  1-7
            Static p2p GRE over IPsec with a Branch Dynamic Public IP Address  1-7
        High Availability  1-7
    Best Practices and Known Limitations  1-7
        Best Practices Summary  1-8
        Known Limitations Summary  1-9

CHAPTER 2  Point-to-Point GRE over IPsec Design and Implementation  2-1
    Design Considerations  2-1
        Topology  2-2
        Headend System Architectures  2-2
            Single Tier Headend Architecture  2-3
            Dual Tier Headend Architecture  2-4
        IP Addressing  2-5
        Generic Route Encapsulation  2-6
            GRE Keepalives  2-6
        Using a Routing Protocol across the VPN  2-7
            Route Propagation Strategy  2-7
        Crypto Considerations  2-7
            IPsec Tunnel versus Transport Mode  2-8
            Dead Peer Detection  2-8
    Configuration and Implementation  2-8
        ISAKMP Policy Configuration  2-8
        Dead Peer Detection Configuration  2-9
        IPsec Transform and Protocol Configuration  2-10
        Access Control List Configuration for Encryption  2-11
        Crypto Map Configuration  2-12
        Applying Crypto Maps  2-13
        Tunnel Interface Configuration—Branch Static Public IP Address  2-14
        Tunnel Interface Configuration—Branch Dynamic Public IP Address  2-14
        GRE Keepalive Configuration  2-15
        Routing Protocol Configuration  2-16
        Route Propagation Configuration  2-17
    High Availability  2-17
        Common Elements in all HA Headend Designs  2-18
        1+1 (Active-Standby) Failover Headend Resiliency Design  2-18
        Load Sharing with Failover Headend Resiliency Design  2-21
        N+1 Failover Architecture  2-22
        Dual Tier Headend Architecture Effect on Failover  2-23
    QoS  2-23
    IP Multicast  2-23
    Interactions with Other Networking Functions  2-23
        Network Address Translation and Port Address Translation  2-24
        Dynamic Host Configuration Protocol  2-24
        Firewall Considerations  2-24
            Headend or Branch  2-24
            Firewall Feature Set and Inbound ACL  2-25
            Double ACL Check Behavior (Before 12.3(8)T)  2-25
            Crypto Access Check on Clear-Text Packets Feature (12.3(8)T and Later)  2-25
    Common Configuration Mistakes  2-26
        Crypto Peer Address Matching using PSK  2-26
        Transform Set Matches  2-26
        ISAKMP Policy Matching  2-26

CHAPTER 3  Scalability Considerations  3-1
    General Scalability Considerations  3-1
        IPsec Encryption Throughput  3-1
        Packets Per Second—Most Important Factor  3-2
        Tunnel Quantity Affects Throughput  3-2
        GRE Encapsulation Affects Throughput  3-2
        Routing Protocols Affect CPU Overhead  3-2
    Headend Scalability  3-3
        Tunnel Aggregation Scalability  3-3
        Aggregation Scalability  3-4
        Customer Requirement Aggregation Scalability Case Studies  3-4
            Customer Example with 300–500 Branches  3-4
            Customer Example with 1000 Branches  3-5
            Customer Example with 1000–5000 Branches  3-8
    Branch Office Scalability  3-9

CHAPTER 4  Scalability Test Results (Unicast Only)  4-1
    Scalability Test Bed Network Diagram  4-1
    Scalability Test Methodology  4-3
    Headend Scalability Test Results—p2p GRE over IPsec  4-3
    Headend Scalability Test Results—p2p GRE Only  4-4
    Branch Office Scalability Test Results  4-4
    AES versus 3DES Scalability Test Results  4-5
    Failover and Convergence Performance  4-6
    Software Releases Evaluated  4-7

CHAPTER 5  Case Studies  5-1
    Static p2p GRE over IPsec with a Branch Dynamic Public IP Address Case Study  5-1
        Overview  5-1
        Sample Topology  5-2
        Addressing and Naming Conventions  5-2
        Configuration Examples  5-4
            p2p GRE Tunnel and Interface Addressing  5-4
            Crypto Map Configurations (Crypto Tunnel)  5-5
            Headend EIGRP Configuration  5-6
        Verification  5-6
        Summary  5-7
    Moose Widgets Case Study  5-7
        Customer Overview  5-7
        Design Considerations  5-9
            Preliminary Design Considerations  5-9
            Sizing the Headend  5-10