DMVPN
Transcript of DMVPN
Global Network Training Series
Dynamic Multipoint Virtual Private Networks (DMVPN)
01 March 2012
WE HELP BUILD THE WORLD
Harsco's Core Ideology (corporate values slide; the diagram text is reproduced here in outline)
Core Purpose: To build teams that win with integrity anywhere in the world.
Core Values: Safety; Ethical in Thought, Word and Deed; Disciplined Thought, Disciplined Action and Disciplined People; Transparency; Personal Accountability and Responsibility; Uncompromising Integrity and Ethical Business Practices.
Envisioned Future: Customers, Targeted Markets, BHAG; Be the Best: Sustainable Superior Performance (20-Mile March); stakeholders: Customers, Employees, Shareholders, Suppliers.
Global Management Practices:
- Safety Practices
- Harsco Integrity Framework: Code of Conduct, Security Practices, Internal Control
- People – the "A Team" Human Capital Framework: Global Talent Management System for Recruiting, Developing, Retaining and Assessing Human Capital
- Continuous Improvement: Discipline through Lean and Six Sigma Methods; Business Transformation
- Value Creation Discipline: Economic Value Added (EVA®), Value Selling Culture; Value Creation, Value Capture, Value Selling
DMVPN: Simple and Secure Branch-to-Branch Communications
Technology Overview
Major Benefits
- On-demand full mesh connectivity with simple hub-and-spoke configuration
- Automatic IP Security (IPsec) triggering for building an IPsec tunnel
- Near "zero-touch" deployment for adding remote sites
- Reduced latency and bandwidth savings
- Fully supports enterprise dynamic routing protocols
- Supports dynamically addressed spokes (remote sites)
Applications
- Cost-driven use of the Internet to replace or back up MPLS-based WAN topologies, while providing a platform for distributed applications such as voice (subject to proper engineering design considerations).
Advanced Design Issues
- Network Design: design, redundancy and scaling
- Routing: dynamic routing protocols
- Encrypting peers: finding, mapping and authenticating
DMVPN: Advanced Design Issues
Network Design – LAN-to-LAN vs DMVPN
LAN-to-LAN (GRE tunnel): one tunnel interface configured per remote site, each with its own access-lists, crypto map policies and ISAKMP shared keys. Every new site means another tunnel interface, crypto map entry and key on the hub, and spokes can only reach each other through the hub.
DMVPN (mGRE tunnel): one tunnel interface configured to support all remote sites. IPsec is attached once to that interface with a tunnel protection profile, NHRP finds and maps each spoke's public address on demand (which is what allows dynamically addressed spokes), and spoke-to-spoke tunnels are built as traffic requires them.
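The contrast above in configuration form, as an added example that is not taken from the Harsco deck: a Phase 3 DMVPN hub and one spoke on Cisco IOS, where a single mGRE tunnel interface, one IPsec profile and one ISAKMP key serve every remote site. All addresses (203.0.113.1 as the hub's static public address, 10.42.4.0/24 as the overlay subnet with 10.42.4.254 on the hub, 192.168.1.0/24 and 192.168.2.0/24 as LANs), the names DMVPN-TS and DMVPN-PROF, the EIGRP process number, the NHRP tag and the pre-shared key are assumed placeholders chosen for illustration.

```cisco
! Added example, not from the Harsco deck. All addresses, names and secrets are
! assumed placeholders. Hub: static public address 203.0.113.1. Spoke: may sit on a
! dynamic ISP address (DSL/PPPoE), which is why the hub uses a wildcard peer.
!
! ===================== HUB =====================
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14                 ! confirm with "show crypto isakmp policy"; older images offer only groups 1/2/5
! One wildcard PSK lets spokes with changing addresses authenticate. Caveat: every
! spoke holds the same secret, so one lost or compromised router exposes the whole
! cloud; prefer PKI (crypto pki trustpoint + rsa-sig) beyond a handful of sites.
crypto isakmp key Assumed-Shared-Secret address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 3   ! DPD: tear down SAs to peers that silently disappear
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport           ! GRE already supplies the outer IP header; transport mode saves 20 bytes
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 description DMVPN cloud - one interface for all remote sites
 ip address 10.42.4.254 255.255.255.0
 ip mtu 1400                      ! leaves room for GRE + ESP overhead on a 1500-byte path
 ip tcp adjust-mss 1360           ! clamp MSS so TCP never emits packets that must be fragmented
 ip nhrp authentication Assumd1   ! cleartext 8-char tag: keeps clouds apart, NOT a security control
 ip nhrp map multicast dynamic    ! replicate routing-protocol multicast to every registered spoke
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp redirect                 ! Phase 3: tell spokes to build direct spoke-to-spoke tunnels
 no ip split-horizon eigrp 100    ! hub must re-advertise one spoke's routes to the others
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint       ! this line is the whole difference from a per-site GRE tunnel
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 100                  ! assumed routing protocol; the deck only says "dynamic routing"
 network 10.42.4.0 0.0.0.255
 network 192.168.1.0
 no auto-summary
!
! ===================== SPOKE =====================
! Same isakmp policy, key, transform-set and ipsec profile as on the hub, then:
interface Tunnel0
 ip address 10.42.4.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication Assumd1
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp map 10.42.4.254 203.0.113.1   ! the only static mapping: hub overlay -> hub public address
 ip nhrp map multicast 203.0.113.1     ! routing-protocol multicast goes to the hub only
 ip nhrp nhs 10.42.4.254               ! register this spoke's current public address with the hub
 ip nhrp shortcut                      ! Phase 3: accept redirects and install direct spoke routes
 tunnel source Dialer1                 ! PPPoE case; use the Ethernet interface for a static handoff
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 100
 network 10.42.4.0 0.0.0.255
 network 192.168.2.0
 no auto-summary
```

Adding a second spoke changes nothing on the hub; the spoke copies the block above with its own tunnel and LAN addresses. To check the result, `show dmvpn` lists each peer's tunnel and public addresses and state, `show ip nhrp` shows the registrations and any shortcut entries created after spoke-to-spoke traffic, and `show crypto session` confirms the IPsec SA that tunnel protection brought up. From a spoke, `ping 10.42.4.254 size 1400 df-bit` verifies that the chosen `ip mtu` really fits the underlying path.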
Hardware Requirements

Model  Recommended Number of Users  Switch Ports  License
-----  ---------------------------  ------------  ------------------------------------------------
871W   20                           4             Need to purchase Advanced IP Services License
881W   20                           4             Need to purchase Advanced IP Services License
891W   50                           8             Comes with Advanced IP Services License
892W   50                           8             Comes with Advanced IP Services License
1841   50                           None          Need to purchase Advanced IP Services License
1921   50                           None          Need to purchase Security Feature License
2800   100                          None          Need to purchase Advanced IP Services License
Hardware Requirements (continued): part numbers and list prices

Model  Part Number            Description                                                        US List Price  UK List Price
-----  ---------------------  -----------------------------------------------------------------  -------------  -------------
871    End of Sale: July 15, 2010
881    CISCO881-K9            Cisco 881 Ethernet Sec Router                                      $649           £446
881    CISCO881W-GN-A-K9      Cisco 881 Ethernet Sec Router 802.11n FCC Comp                     $999           £686
881    CISCO881W-GN-E-K9      Cisco 881 Ethernet Sec Router 802.11n ETSI Comp                    $999           £686
891    CISCO891-K9            Cisco 891 GigaE SecRouter                                          $1,295         £890
891    CISCO891W-AGN-A-K9     Cisco 891 GigaE SecRouter w/ 802.11n a/b/g FCC Comp                $1,845         £1,268
892    CISCO892-K9            Cisco 892 GigaE SecRouter                                          $1,295         £890
892    CISCO892W-AGN-E-K9     Cisco 892 GigaE SecRouter w/ 802.11n a/b/g ETSI Comp               $1,845         £1,268
1800   End of Sale: Nov 1, 2011
1900   CISCO1921-SEC/K9       Cisco 1921/K9 with 2GE, SEC License PAK, 512MB DRAM, 256MB Flash   $1,695         £1,164
1900   CISCO1941-SEC/K9       Cisco 1941 Security Bundle w/ SEC license PAK                      $2,495         £1,714
1900   C1941W-E-N-SEC/K9      Cisco 1941 Security Router, 802.11 a/b/g/n AP ETSI Compliant       $2,995         £2,058
1900   CISCO1941W-A/K9        Cisco 1941 Router w/ 802.11 a/b/g/n FCC Compliant WLAN ISM         $2,095         £1,439
2800   End of Sale: Nov 1, 2011
880    SL-880-AIS             Cisco 880 Advanced IP Services License                             $150           £103
1900   L-SL-19-SEC-K9=        Security E-Delivery PAK for Cisco 1900                             $1,000         £687
SmartNet Requirements
The following support package for the router should be purchased; it provides a warranty and technical support from Cisco Systems.
- Minimum: packaged SmartNet 8x5xNBD.
- Recommended for mission-critical sites: packaged SmartNet 24x7x4.
SmartNet can be purchased and managed through LaSalle in the near future.

Out of Band Access
All DMVPN routers need out-of-band (OOB) access. This allows the GIS Global Networking Team to connect to the router in the event of an outage and troubleshoot the problem. There are two options for OOB access:
Analog modem
- EMEA: USR015630D USRobotics 56K External Data/Fax Modem V92
- Americas: USR5686E USRobotics 56K External Data/Fax Modem V92
- RJ45 to DB25M cable – Cisco Part Number CAB-AUX-RJ45
A modem on the AUX port is a dial-in path into the router that bypasses the Internet-facing controls, so the aux line must require login (AAA or local credentials) and have an exec-timeout, and the dial-in number should be treated as sensitive.
3G
If an analog line is not available at a location, a 3G connection might be usable to provide OOB access. GIS is researching the equipment needed for this type of access and its price.
ISP Service Requirements
We will need a business-class DSL line or a dedicated internet circuit with at least one static, globally routable (public) IP address, without Network Address Translation (NAT), that we can bind to the external interface of our router, and an Ethernet presentation provided by the ISP.
With some ADSL circuits PPP authentication will be required on the router, because the ISP ships a router/modem with the circuit that must run in bridge mode rather than routed mode in order to support the above and provide a connection without NAT.
To preserve bandwidth on the HADC Internet connections, the DMVPN routers will have a rate limit on the HADC tunnel interfaces only. There will be no rate limit on traffic between DMVPN locations.

ISP Questions
- Is this circuit ADSL, SDSL or a dedicated internet circuit?
- What are the upstream and downstream bandwidth speeds?
- Is the circuit provisioned without NAT?
- Are there any proxies, firewalls or other devices on the ISP network that may negatively impact IPsec traffic (for example by blocking ESP, IP protocol 50, or UDP 500/4500 used by ISAKMP and NAT traversal)?
- Is/are the IP address(es) assigned static (non-changing)?
- Is the default gateway for this address static (non-changing)?
- If using DSL, will the IP addressing be assigned dynamically?
- If using DSL, will the ISP router/modem be required to run in bridge mode to avoid the use of NAT?
- If using DSL, will PPP authentication be required on the Harsco router?
- What type of physical presentation is provided to the Harsco router (i.e. Ethernet, RJ-11, etc.)?
- Is the use of IPsec supported on the ISP network?
DMVPN Site Preparation and Migration Checklists
Agenda
Pre-test checklist
- ISP link validation
- Router licensing and IOS
- Site-specific configuration details (site name, DHCP scopes, Sites and Services, etc.)
Post-check checklist
- Fragmentation and MTU
- Shared (HADC) resource connectivity
- Login times
Post-migration checklist (GIS use)
- CiscoWorks
- What's Up Gold
- Netflow
- Syslog
- Global Network inventory
DMVPN Site Preparation and Migration Checklists
Pre-test checklist: ISP link validation
- DSL link with Ethernet handoff; share the bandwidth details with the GIS team.
- A public IP address without NAT is needed. If a static IP is provided, the default gateway must also be provided.
- If the DSL link terminates as PPPoE, the modem should be configured in bridge mode.
- Connect a notebook to the ISP link and run the checks below:
  - Check for Internet connectivity.
  - If it is PPPoE, set up a dial-up (PPPoE) profile and validate the DSL account credentials.
  - MTU test: ping the Camphill headend router with the Don't Fragment bit set and a 1472-byte payload: ping 72.20.207.59 -f -l 1472 (1472 bytes of payload plus 28 bytes of ICMP and IP header make a 1500-byte packet). The ping should succeed; record the latency values. Without -f the ping is simply fragmented and succeeds even on a path with a smaller MTU, so it proves nothing about the MTU; if it fails with "Packet needs to be fragmented", lower -l until it passes and report the largest working size to GIS.
- An OOB modem with a PSTN connection is required to access the router remotely during migrations/outages.
- If OOB access is not available, a 3G data card connected to a laptop is needed.
DMVPN Site Preparation and Migration Checklists
Pre-test checklist: Router licensing and IOS
Below are the currently identified router models at L2L sites. For these models to support DMVPN we need to upgrade to a permanent license with the IOS version listed for each model.
The 1841 routers are currently running the Advanced Security license, which does not support DMVPN, so they need to be upgraded to the Advanced IP Services license and the matching IOS image listed in the table.
To upgrade we need the router and a server/desktop on the same network, so that the IOS image can be copied locally, plus console access for the duration of the upgrade. Before copying, confirm with show version and show flash that the router meets the DRAM and flash figures below and has free space for the new image, and keep the current image until the router has booted the new one.

Sl.No  Router Model  IOS version  IOS file name                           IOS file size  DRAM (MB)  Flash (MB)
-----  ------------  -----------  --------------------------------------  -------------  ---------  ----------
1      871W          15.0(1)M4    c870-advipservicesk9-mz.150-1.M4.bin    25.25 MB       192        36
2      881W          15.0(1)M4    c880data-universalk9-mz.150-1.M4.bin    27.14 MB       256        128
3      891W          15.0(1)M4    c890-universalk9-mz.150-1.M4.bin        28.73 MB       512        256
4      892W          15.0(1)M4    c890-universalk9-mz.150-1.M4.bin        28.73 MB       512        256
5      1841          15.0(1)M4    c1841-advipservicesk9-mz.150-1.M4.bin   39.77 MB       256        64
DMVPN Site Preparation and Migration Checklists
Pre-test checklist: Site-specific configuration details (site name, DHCP scopes, Sites and Services, etc.)
The TSM needs to provide the site code details. GIS will provide the DHCP scope details, raise a GDM to create the DHCP scopes, and verify that these subnets are added in Sites and Services.
DMVPN Site Preparation and Migration Checklists
Post-check checklist
Fragmentation and MTU: already covered in the pre-test checklist, but ensure that all intranet applications work from the site; this can be done during UAT.
Shared (HADC) resource connectivity:
- Ping test to both Data Center servers from a PC.
- Internet/intranet application performance.
- Tracert to both Data Center servers to verify that the correct path is selected.
User acceptance test (UAT) and other checks, including login times:
- Log in to the Harsco network from a cold boot and note the response times. Response time: _______________________________________
- Obtain details of the local IP addressing scheme (use ipconfig /all).
- Ping the local default gateway.
- Ping the DHCP servers 10.10.0.1 / 10.14.0.1 / 10.10.0.2.
- Tracert 10.10.0.1 / 10.14.0.1 / 10.10.0.2.
- Tracert/ping to 10.42.4.254 (DMVPN).
- Test all divisional applications specific to your regional operation.
- Test any local WAN/LAN printing.
- Test all shared services from the Tier 1 Data Centre: Email, Portal (http://portal.harsco.com), Hyperion, ASEP.
- Test internet browsing; tracert www.bbc.co.uk.
DMVPN Site Preparation and Migration Checklists
Post-migration checklist (GIS use)
CiscoWorks: the GIS Network team will add the newly installed router's inventory details and tune the remaining parameters so that configuration archives are taken on a regular basis.
What's Up Gold: the GIS Network team will also add the new device to this tool for monitoring and interface bandwidth reports.
Netflow: useful for capacity planning (finding the top talkers in the network); the Network team will configure the required parameters on the router LAN interfaces.
Syslog: a monitoring tool that captures device-generated logs in a database, which helps when investigating incidents related to the devices; the Network team will configure the device to send its logs there.
Global Network inventory: the Network team maintains an inventory database of all site devices globally and will update it once the site migration is complete.