DMVPN

Global Network Training Series

Dynamic Multipoint Virtual Private Networks (DMVPN)

01 March 2012

WE HELP BUILD THE WORLD

2WE HELP BUILD THE WORLD

1

Safety Ethical in Thought, Word and Deed Disciplined Thought, Disciplined

Action and Disciplined People Transparency Personal Accountability and

Responsibility

Customers Targeted Markets BHAG Envisioned Future

Value Creation Value Capture Value Selling Be the Best Sustainable

Superior Performance (20-Mile March)

Customers Employees Shareholders Suppliers

Uncompromising Integrity and Ethical Business Practices

Harsco Integrity Framework: Code of Conduct Security Practices Internal Control

To build teams that win with integrity anywhere in the world

Harsco's Core Ideology

Core Values

People – the "A Team" Human Capital Framework:

Global Talent Management System for Recruiting, Developing, Retaining and Assessing Human Capital

Continuous Improvement Continuous Improvement

Discipline through Lean and Six Sigma Methods

Business Transformation

Value Creation Discipline Economic Value Added (EVA®) Value Selling Culture

3

2 4 Safety Practices Global Management Practices

Core Purpose


DMVPN: Simple and Secure Branch-to-Branch Communications Technology Overview

Major Benefits On-demand full mesh connectivity with simple hub-and-spoke configuration Automatic IP Security (IPsec) triggering for building an IPsec tunnel Near “Zero-touch” deployment for adding remote sites Reduced latency and bandwidth savings Fully supports enterprise dynamic routing protocols Supports dynamically addressed spokes (remote sites)

Applications Cost-driven use of Internet to replace or backup MPLS-based WAN topologies while

providing platform for distributed applications such as voice (in context of proper engineering design considerations).

Advanced Design Issues Network Design

Design, Redundancy and Scaling Routing

Dynamic routing protocols Encrypting peers

Finding, mapping and authenticating


DMVPN: Advanced Design Issues

Network Design – LAN-to-LAN vs DMVPN LAN-to-LAN (GRE Tunnel)

1 tunnel interface configured per remote site Individual access-lists, crypto map polices

and isakmp shared-keys.


DMVPN: Advanced Design Issues (continued)

Network Design – LAN-to-LAN vs DMVPN DMVPN (mGRE Tunnel)

1 tunnel interface configured to support all remote sites.


Hardware Requirements

Model Recommended Number of Users Switch Ports License

871W 20 4 Need to purchase Advanced IP Services License

881W 20 4 Need to purchase Advanced IP Services License

891W 50 8 Comes with Advanced IP Services License

892W 50 8 Comes with Advanced IP Services License

1841 50 None Need to purchase Advanced IP Services License

1921 50 None Need to purchase Security Feature License

2800 100 None Need to purchase Advanced IP Services License


Model Part Number Description US List Price

UK List Price

871 End of Sale: July 15, 2010

881

CISCO881-K9 Cisco 881 Ethernet Sec Router $649 £446

CISCO881W-GN-A-K9 Cisco 881 Ethernet Sec Router 802.11n FCC Comp $999 £686

CISCO881W-GN-E-K9 Cisco 881 Ethernet Sec Router 802.11n ETSI Comp $999 £686

891 CISCO891-K9 Cisco 891 GigaE SecRouter $1,295 £890

CISCO891W-AGN-A-K9 Cisco 891 GigaE SecRouter w/ 802.11n a/b/g FCC Comp $1,845 £1,268

892 CISCO892-K9 Cisco 892 GigaE SecRouter $1,295 £890

CISCO892W-AGN-E-K9 Cisco 892 GigaE SecRouter w/ 802.11n a/b/g ETSI Comp $1,845 £1,268

1800 End of Sale: Nov 1, 2011

1900

CISCO1921-SEC/K9 Cisco1921/K9 with 2GE, SEC License PAK, 512MB DRAM, 256MB Fl $1,695 £1,164

CISCO1941-SEC/K9 Cisco 1941 Security Bundle w/SEC license PAK $2,495 £1,714

C1941W-E-N-SEC/K9 Cisco 1941Security Router, 802.11 a/b/g/n AP ETSI Compliant $2,995 £2,058

CISCO1941W-A/K9 Cisco 1941 Router w/ 802.11 a/b/g/n FCC Compliant WLAN ISM $2,095 £1,439

2800 End of Sale: Nov 1, 2011

880 SL-880-AIS Cisco 880 Advanced IP Services License $150 £103

1900 L-SL-19-SEC-K9= Security E-Delivery PAK for Cisco 1900 $1,000 £687

Hardware Requirements


Cisco 871W Router


Cisco 881W Router


Cisco 891W/892W Router


SmartNet Requirements

The following support package for the router should be purchased which provides a warrantee and technical support from Cisco systems.

Minimum of packaged SmartNet 8x5xNBD Recommended for Mission Critical Sites is packaged SmartNet 24x7x4

SmartNet can be purchased and managed though LaSalle in the near future


Out of Band Access

All DMVPN routers need to have out of band access. This allows GIS Global Networking Team to connect to the router in the event of an outage and troubleshoot the problem. There are 2 options for Out of Band Access:

Analog Modem

EMEA - USR015630D USRobotics 56K External Data/Fax Modem V92 Americas - USR5686E USRobotics 56K External Data/Fax Modem V92

RJ45 to DB25M cable – Cisco Part Number CAB-AUX-RJ45

3G

If an analog line is not available at a location, a 3G connection might be able to be used to provide out of band access. GIS is researching the equipment that will be needed for this type of access and the price.


ISP Service Requirements

We will need business class DSL line or a dedicated internet circuit with at least 1 static (Global Outside) IP address without Network Address Translation (NAT) that we can bind to the external interface of our router (i.e. globally routable address), and a Ethernet presentation provided by the ISP.

With some ADSL circuits the ppp authentication will be required on the router as they ship router/modems with the circuit that will need to run in bridge mode rather than routed mode in order to support the above and provide a connection without NAT.

To preserve the bandwidth on the HADC Internet connections, the DMVPN routers will have a rate limit on HADC Tunnel interfaces only. There will not be a rate limit on traffic between DMVPN locations.


ISP Questions

Is this circuit ADSL, SDSL or a dedicated internet circuit? What are the upsteam and downstream bandwidth speeds? Is the circuit provisioned without NAT? Are there any proxies/firewalls or other devices that may negatively impact

the functioning of IPSec traffic on the ISP network? Is/are the IP address(es) assigned static (non-changing)? Is the default gateway for this assigned static (non-changing)? If using DSL, will the IP addressing be assigned dynamically? If using DSL, will the ISP router/modem be required to run in bridge mode to

avoid the use of NAT? If using DSL, will ppp authentcation be required on the Harsco router? What type of physical presentation is provided to the Harsco router (i.e.

Ethernet, RJ-11 etc)? Is the use of IPSec supported on the ISP network?


DMVPN Site Preparation and Migration Checklists

Agenda Pre-test checklist

ISP link validation Router licensing and IOS Site-specific configuration details (site name, DHCP scopes, Sites and Services, etc.)

Post-check checklist Fragmentation and MTU Shared (HADC) resource connectivity Login times

Post-migration checklist (GIS use) CiscoWorks What’s Up Gold Netflow Syslog Global Network inventory



Pre-test checklist ISP link validation

DSL Link with Ethernet handoff and share the bandwidth details to GIS team. Need an Public IP address without NATing . If the Static IP is provided then default gateway should also be provided. If the DSL link terminated as PPPoE then the modem should be configured in a Bridge

mode. Connect a Notebook to the ISP link and do the below check

Check for Internet connectivity If it is a PPPoE and then setup a dial-up profile and validate the DSL account

credentials. MTU test - Ping to Camphill Headend router with below values

Ping 72.20.207.59 - l 1500 – should be working and take down the latency values.

OOB Modem with PSTN connection is required to access the router remotely during migrations/outages.

If OOB access is not available then need a 3G data card connected to a Laptop.



Pre-test Check-list Router licensing and IOS

Below are the currently identified Router models for L2L sites. For all these below models to support DMVPN we need to upgrade for permanent

license with below IOS versions for those each models respectively.

For 1841 routers we have currently running Advance security license which will not support DMVPN, so we need to upgrade it to Advance IP services license and appropriate IOS image as mentioned in the table.

To upgrade we need router and one server/Desktop in the network, so that we can copy the IOS locally and do the up gradation and at the same time we need console access as well.

Sl.No Router Model IOS version IOS File name IOS file size DRA

M

FLASH

1 871W 15.0(1)M4 c870-advipservicesk9-mz.150-1.M4.bin 25.25Mb 192 36

2 881W 15.0(1)M4 c880data-universalk9-mz.150-1.M4.bin 27.14Mb 256 128

3 891W 15.0(1)M4 c890-universalk9-mz.150-1.M4.bin 28.73Mb 512 256

4 892W 15.0(1)M4 c890-universalk9-mz.150-1.M4.bin 28.73Mb 512 256

5 1841 15.0(1)M4 c1841-advipservicesk9-mz.150-1.M4.bin 39.77Mb 256 64


DMVPN Site Preparation and Migration Checklists Pre-test Check-list Pre-test Check-list

Site-specific configuration details (site name, DHCP scopes, Sites and Services, etc.)

TSM need to provide Site Code details GIS will provide the DHCP scope details and raise GDM to create the DHCP scopes and verify these

subnets are added in the sites and Services.



Post-check checklist Fragmentation and MTU

Already covered in pre-test checklist, but need to ensure that all Intranet applications are working from the site, which can be done during UAT

Shared (HADC) resource connectivity Ping test to both the Data Center servers from PC. Internet /Intranet applications performance. Tracert to both the Data Center servers to verify it is selecting the correct path. User acceptance test

UAT and other checks like Login times Login to Harsco Network from cold boot and note response times Response Time:_______________________________________ Obtain details of the Local Ip Addressing Scheme. Use the ipconfig / all Ping the local Default Gateway Ping the DHCP Server 10.10.0.1 / 10.14.0.1 / 10.10.0.2 Tracert 10.10.0.1/10.14.0.1/10.10.0.2 Tracert/ping to 10.42.4.254 (DMVPN) Login to Harsco Network from cold boot and note response times Test All Divisional Applications which is specific to your regional operation. Test Any Local WAN / LAN Printing Test All Shared Servies From Tier 1 Data Centre Email Portal http://portal.harsco.com Hyperion ASEP Test internet browsing tracert www.bbc.co.uk



Post-migration checklist (GIS use) CiscoWorks

GIS Network team will ensure to update those newly added Router inventory details into it and further fine tune the other parameters to ensure configuration archives happens on regular basis

What’s Up Gold GIS Network team will further also add this new device into tool as eell for further

monitoring and other interface BW reports

Netflow This tool is helpful for capacity planning to find out top-talker in the network, so

Network team will configured required parameter on the router LAN interfaces.

Syslog This is monitoring tool to capture device generated logs to store in a database which

further help to look into during any incident cases related to the devices. Network team will ensure to configure on the device for the same.

Global Network inventory Network team have inventory database maintained for all site devices globally and will

update the list accordingly once site is successfully completed with migration.

DMVPN

Documents

Transcript of DMVPN