VPN Load
VPN Load
VPN Load
Design Guide
OL-7102-01
Version 1.0
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCBs public
domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and
iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified
Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast,
EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream,
Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare,
SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States
and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0601R)
CONTENTS
CHAPTER
Solution Overview 2
Small Branch Deployments
Large Branch Deployments
2
3
CHAPTER
Solution Characteristics 2
Traffic Encapsulated in IPSec 2
Redundant IPSec Head-ends 2
IPSec Peering 2
GRE Tunnel Controls Dial Backup 3
Digital Certificates and Dynamic Crypto Maps 3
Reverse Route Injection 3
Remote IP RoutingFloating Static and Specific Routes
Head-end IP Routing Requirements 4
Topology
Failover/Recovery Time
8
8
19
19
20
20
Contents
CHAPTER
Failover/Recovery Time 3
Temporary Failure with Service Restoration 4
Failure of Primary PathRecovery over Backup Path
Routing Topology Following Network Recovery 6
V3PN QoS Service Policy
Performance Results
CHAPTER
21
Solution Characteristics
11
CHAPTER
Failover/Recovery Time
Summary
20
13
13
OL-7102-01
Contents
Failover/Recovery Time
Caveats 3
EZVPNTunnel Goes to SS_OPEN State on Re-establishing Connection
RRI Fails to Insert the Appropriate Static Route 5
V3PN QoS Service Policy
Performance Results
CHAPTER
21
23
23
4
5
Contents
CHAPTER
21
22
Caveats 22
CEF Issue 22
Fast Switching Issue
Summary
20
23
25
Topology 2
Single WAN Interface 3
Multi-WAN Interface 3
Failover/Recovery Time
Performance Results 5
Average Jitter Comparison 5
Voice Loss 7
Average Latency 8
Mission Critical Response Time
12
Configuration 13
Multi-WAN Cisco 1711 Router 13
Single WAN Remote Router 19
EZPVN Head-end Server 23
Primary IPSec Head-end 25
Secondary IPSec Head-end 27
Cisco IOS Versions Tested
Caveats 29
EZVPN 29
DHCP Server
28
29
OL-7102-01
Contents
Summary
CHAPTER
30
Failover/Recovery Time
21
22
CHAPTER
30
30
Failover/Recovery Time
Implementation 3
GRE Tunnels 3
Summary Route Advertised 5
Bandwidth and Delay 6
Delay 6
Bandwidth 6
Branch EIGRP and Addressing 8
V3PN: Redundancy and Load Sharing Design Guide
OL-7102-01
Contents
16
Configuration 17
IPSec Head-end Routers 17
2600-22 Router 17
2600-23 Router 19
Branch Cisco 1712 Router 21
Branch Cisco 2600 Router 24
Head-end Campus Router 27
Show Commands
27
CHAPTER
10
28
28
28
Traffic Profile
14
16
Caveats 16
Drops In Class VIDEO-CONFERENCING
Incorrect Packet Classification 17
Summary
CHAPTER
11
16
17
OL-7102-01
Contents
Performance
Summary
APPENDIX
Lab Topology
APPENDIX
Websites 2
Enterprise Solutions Engineering (ESE)
APPENDIX
Contents
10
OL-7102-01
C H A P T E R
Introduction
Solution Overview
1-1
Chapter 1
Introduction
Introduction
This design and implementation guide extends the Cisco Architecture for Voice, Video, and Integrated
Data (AVVID) by enabling applications such as voice and video to be extended to emerging WAN media.
Previous VPN design guides have focused on Internet T1, Frame Relay, and the broadband offerings of
DSL and cable.
This design guide builds on the Voice and Video Enabled IPSec VPN (V3PN) SRND at the following
Url
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/V3PN_SRND/V3PN_SRND
.html.
The pressure to reduce recurring WAN expenses has led to increasing customer acceptance of emerging
WAN media, along with the need to provide design guidance for implementation of broadband as a
backup technology to traditional WAN media. Additionally, customers are implementing broadband
circuits as the primary WAN media and look to traditional dial solutions to provide backup to the
broadband circuit.
Situations in which a single T1 bandwidth is not sufficient but a T3 is more bandwidth and more costly
than required encourage the implementation of multiple T1 circuits. In these instances, customers often
struggle with the best means of providing load sharing when the visibility to individual data flows are
hidden within an IPSec tunnel.
This guide provides guidance for designs in which new broadband offerings are used in conjunction with
traditional WAN media. The focus remains enabling quality of service (QoS) to support voice; however,
some deployments may not offer sufficient bandwidth to provide voice support on all interfaces. These
issues are articulated in this guide.
Many of these designs apply in environments where QoS is enabled to support point-of-sale or financial
transactions in place of voice.
Solution Overview
This solution is delineated in two main components:
1-2
OL-7102-01
Chapter 1
Use of the ip dhcp-client default-router distance command is the key to using a primary interface that
obtains its IP address via DHCP. This feature is listed as a DDTs resolved in 12.3(2)XC.An example is
shown using cable as the primary interface with DSL as the backup interface, but could also be used as
a configuration guide if Async or Basic Rate Interface (BRI) is used in place of the backup DSL
interface. Both Async and BRI configurations are shown in the sample deployments.
The wireless broadband deployment model shows a Cisco 1711 configured with three WAN interfaces:
the wireless broadband interface, an interface to a DSL router, and an Async dial-up interface. You can
connect any of the three interfaces to the router to establish connectivity, or you can connect them all for
high availability.
From an IPSec authentication standpoint, use of digital certificates, EZVPN, and initiating and
responding to Internet Key Exchange (IKE) aggressive mode with pre-shared keys are illustrated. Some
of these features were incorporated in Cisco IOS 12.2(15)T (crypto isakmp profile and crypto
keyring), and responding to IKE aggressive mode is a Cisco IOS 12.3 feature.
One small branch deployment model uses a Cisco IOS IPSec head end for the primary connectivity and
a Cisco VPN 3080 Concentrator for the dial backup connectivity.
There were no surprises with Multilink PPP or IMA: these chapters and the test results are included and
tested as a verification of capability. However, a video conference traffic stream was added in one of the
tests because one rationale for bandwidth greater than a single T1/E1 is to include video conferencing
to a remote location.
The chapter on Frame Relay with broadband load sharing and backup is most applicable for retail store
locations that are currently using a traditional Frame Relay network, but want to take advantage of low
cost broadband connections to supplement the existing bandwidth and provide an always available
backup path. There will be an increasing migration from Frame Relay to broadband, and this method can
also be used as a transition phase that minimizes the risk of a wholesale cutover from one technology to
another.
1-3
Chapter 1
DSL examples show the use of PPP over Ethernet (PPPoE) with the PPPoE session terminating on
the IPSec router. If in customer deployments of DSL, PPPoE is not used or is terminated on a service
provider or separate router, the IPSec router obtains its outside IP address via DHCP from the
upstream router. In this case, the DSL connection is similar to the outside interface configuration
used for cable.
For broadband examples, the IP address of the remote router is dynamically assigned. As such, the
head-end IPSec routers implement dynamic crypto maps.
Some form of QoS is applied to support voice or mission-critical applications. Although voice is not
always a requirement for small branch deployments, mission-critical applications such as credit card
authorizations or other point-of-sale applications benefit from QoS where practical.
If voice cannot be provisioned because of lack of bandwidth, for example with Async backup, some
means of blocking voice is implemented on the router. The goal is to allow voice calls where
possible but never to provide a call appearance but not a reasonable expectation of acceptable voice
quality.
IPSec encryption is implemented not only for user data traffic but also for control plane traffic such
as GRE keepalives or Service Assurance Agent (SAA) probes. Digital certificate and RADIUS
servers are also accessed through an IPSec tunnel from the remote routers to the head end; there
should be no need to expose these servers to the Internet without protection from some firewall and
intrusion detection system (IDS) scheme.
It should be expected and practical to implement multiple head-end devices, WAN and IPSec routers
or concentrators to provide redundancy at the central site. A single link or device failure should not
cause an unrecoverable outage.
This guide provides reasonably complete configuration examples, but assumes the reader is familiar with
other V3PN design guides and best practices of network security.
Each chapter describes a particular deployment model and is intended to be a complete review of the
concepts and configurations required to implement the design.
1-4
OL-7102-01
C H A P T E R
Solution Characteristics
Topology
Failover/Recovery Time
Performance Results
Caveats
Debugging
Summary
2-1
Chapter 2
Solution Characteristics
Solution Characteristics
This section describes the characteristics of the DSL with ISDN backup solution, and includes the
following topics:
IPSec Peering
IPSec Peering
The remote routers use the same head-end IPSec peers for both the primary and backup IPSec security
associations. These head-end peers are identified by different IP addresses in the primary crypto map
and the backup crypto map. This allows including static routes in the remote router configuration to
block IKE packets from reaching the backup head-end peers when the primary path connectivity is
restored. The backup IPSec security associations (SAs) are deleted as is the Reverse Route Injection
(RRI) static route in the head-end for the backup path.
2-2
OL-7102-01
Chapter 2
Note
When using dynamic crypto maps, the access list referenced by the remote crypto map is created
dynamically on the head-end IPSec router with the source and destination references swapped. The RRI
logic inserts a static route into the routing table with the mask configured on the remote router.
IP route selection is always based on the longest prefix match in the routing table. By configuring a more
specific access control list (ACL) in the crypto map for the primary interface than is used for the backup
interface, packets destined for the remote location prefer the most specific route and avoid the backup
IPSec tunnel if both the backup and primary IPSec tunnels are active.
Note that the inside interface of the remote Cisco 1712 router is configured with a /25 mask, the primary
crypto map is configured with a /25 mask, and the backup crypto map is configured with a /24 mask.
This configuration follows the concept of longest prefix match and allows the primary path to be
preferred when both dynamic crypto maps are active on the head-end IPSec routers.
2-3
Chapter 2
Topology
interface Vlan1
description Inside Interface
ip address 10.0.68.1 255.255.255.128
!
ip access-list extended BRI_CRYPTO_MAP_ACL
permit ip 10.0.68.0 0.0.0.255 any
!
ip access-list extended CRYPTO_MAP_ACL
permit ip 10.0.68.0 0.0.0.127 any
The head-end IPSec routers use distinct dynamic crypto map entries and addresses for the primary path
and the backup path. The use of different IP addresses for the primary and backup peers (even though
they terminate on the same router) allows the remote router to configure specific static IP routes to
control the backup function. To conserve physical interfaces on the head-end routers, IEEE 802.1Q
trunks are configured and the head-end IPSec routers use multiple logical sub-interfaces on one physical
interface.
Topology
The topology of this solution is shown in Figure 2-1.
2-4
OL-7102-01
Chapter 2
Enterprise
Intranet Backbone
Telco/Broadband
Service Provider
GRE
GRE Tunnel
IPSec
DSL
IP
Cisco
1712
ATM
ATM
Internet
Bridge/router
(optional)
Dial Backup
-23
WAN
-20
IPSec
ISDN
-8
ISDN
100
104
132006
Figure 2-1
-9
128
The remote router is a Cisco 1712, which is shown connecting to the Internet through its FastEthernet 0
interface to an external DSL modem. The PPPoE session terminates on the 1712. The outside
FastEthernet 0 interface has a QoS service policy applied using hierarchical class-based weighted fair
queueing (CBWFQ). A shaper provides the congestion feedback and queues within the shaped rate. The
service policy for the Basic Rate ISDN interface is tailored for the lower bandwidth and Layer 2
overhead.
The head-end ISP/WAN routers and ISDN head-end routers simply provide connectivity for the IPSec
and GRE head-end routers. The ISDN head-end and IPSec head-end routers share a common VLAN,
shown as VLAN 104. The interfaces in VLAN 104 on the IPSec head-end routers are the IP addresses
referenced in the crypto map on the remote router ISDN interface. Consider VLAN 104 as being the dial
backup encryption. Encryption under normal operations occurs on VLAN 100. Note that the ISP/WAN
routers and the GRE head-end are not required to be configured for VLAN 104. VLAN 100 provides
connectivity for all head-end routers.
The GRE tunnel is shown terminating on the remote 1712 router and on the GRE head-end router. The
GRE tunnel passes through the IPSec head-end.
The crypto map entry on the 1712 is a permit ip 10.0.68.0 0.0.0.127 any. GRE packets will match
this access list, in addition to other IP packets. You do not need to specifically use the permit GRE
command, and you should in fact not configure this, because the RRI logic on the head-end router
expects an IP entry in the access list.
The GRE head-end router follows the RRI injected route advertised by either the primary or backup
IPSec head-end router. When encrypted by the IPSec head-end, the GRE tunnel is encapsulated in the
IPSec tunnel. The GRE tunnel is never established over the dial backup path. This is prevented by the
host route for the GRE endpoint out the dialer interface of the remote router. Recall that a dialer interface
never goes down, even if the PPPoE session is down, so the host route always remains in the routing
table. For the GRE interface to be in an UP/UP state, the GRE packets need to be exchanged over the
primary path. Once the GRE interface is UP/UP, the BRI interface on the remote router is physically
brought down.
2-5
Chapter 2
Failover/Recovery Time
Failover/Recovery Time
With GRE keepalive values of 20 seconds and three retries, and an IKE keepalive value of 10 seconds
with the default of 2 seconds between retries, the time to identify loss of the primary path and recover
over the encrypted ISDN interface is approximately 70 seconds. To demonstrate this, a traceroute was
run to verify the path, a ping from the remote subnet to a head-end device was initiated, and a link in the
ISP core was administratively shut down.
vpnjk-2600-2#traceroute 10.2.128.5
Type escape sequence to abort.
Tracing the route to 10.2.128.5
1 10.0.68.1 0 msec 0 msec 0 msec
2 192.168.131.8 12 msec 12 msec 12 msec
3 10.2.128.5 16 msec * 12 msec
In the above example, the GRE keepalive value of 20 seconds with three retries contributes to the largest
portion of the failover time.
Note
This is a proof of concept failover test; failover with thousands of peers may vary in duration.
During recovery to the primary link, packet loss is minimal, with packet loss for only a few seconds. The
GRE tunnel keepalives must be flowing across the primary IPSec peers before the ISDN interface is
placed back in standby mode and shut down.
2-6
OL-7102-01
Chapter 2
Both B channels are brought up immediately upon activation of the backup link with the ppp multilink
links minimum 2 command. You can also use the dialer load-threshold 1 either command, but this
may not activate the second link as quickly as specifying the minimum links using the PPP multilink
command.
The size of the encrypted voice packet, assuming a G.729 codec, is 112 bytes when specifying Triple
Data Encryption Standard (3DES) and Secure Hash Algorithm (SHA) in the IPSec transform set. IPSec
tunnel mode is required in this configuration.
Note
Although TRANSPORT mode is specified first in the crypto map, TUNNEL mode will be negotiated.
Use the show crypto ipsec sa | inc in use settings command to make sure that tunnel mode is in use.
The priority or Low Latency Queue (LLQ) needs to be provisioned for 112 bytes at 50 packets per second
(pps) with 8 bits per byte or 44,800 kbps. Assuming 6 bytes for Layer 2 Multilink PPP (MLPPP)
overhead, 48 kbps is provisioned for the priority queue. The burst size is increased from the default of
1200 bytes to 2400 bytes to eliminate voice drops observed during performance testing. Use of G.711
codec is not recommended because it requires approximately 104,800 bits per second (bps).
On a Basic Rate ISDN interface, Cisco IOS Software assumes that only 64 kbps is available, even though
the interface provides 128 kbps with both B channels active. The QoS service policy shown in the
following configurations allocates less than the 64 kbps; however, the max-reserved-bandwidth 100
statement needs to be configured on the BRI 0 interface.
To view the counters of the service policy attached to the BRI interface, display the associated
virtual-access interface, as in the following example:
show policy-map interface virtual-access
The virtual-access interfaces are created dynamically and the interface number can be displayed with the
show ip interface brief command.
The tx-ring-limit 1 and ppp multilink fragment delay 10 commands are included in the BRI interface
configuration to reduce voice delay and jitter in the performance test.
Performance Results
The Cisco branch traffic profile was used over the backup path with one G.729 voice call active.The goal
of this testing is to determine encrypted voice performance with multilink PPP and LFI configured on
the BRI interface.
Note
The Cisco 1712 router has not been included in the above guidesbut will be in future updates. The
component of this design that has not been tested is the encryption of voice and data traffic over the
backup path, the Basic Rate ISDN link.
The performance results are shown in Table 2-1.
2-7
Chapter 2
Table 2-1
Cisco 1712
router
Call Leg
Chariot Voice
Drops %
Chariot
One-way Delay
0%
10.7 ms
39 ms
0.04%
11.4 ms
39 ms
These results do not include any service provider simulated delay in the ISDN network. These test results
are as good or better than would be expected for voice over the primary path, based on previous test
results. There is no reason to believe voice quality would not be acceptable when the backup link is
active.
Remote Router
Show Commands
2-8
OL-7102-01
Chapter 2
!
ip route 192.168.131.23 255.255.255.255 Dialer1
!
These displays illustrate the route advertisement from the GRE head-end (vpnjk-2600-23) router and the
advertising IPSec head-end (vpnjk-2600-8) router. The GRE head-end router sees an advertisement for
the remote network, both from 192.168.131.8 (vpnjk-2600-8). Both /24 and /25 masks are advertised,
because the IPSec tunnels for the primary and backup are active.
The following display was taken when the backup link was active and the primary path had just been
restored, but the dynamic crypto map entry of the backup link had not yet been removed from the
head-end.
vpnjk-2600-23>sh ip route 10.0.68.0 255.255.255.0 longer-prefixes
Because IP routing decisions are always made on the longest prefix match, the /25 route to network
10.0.68.0 is followed rather than the /24 route. Recall that VLAN 100 is the primary VLAN and VLAN
104 is the backup VLAN. Interface FastEthernet0/1.100 is in VLAN 100 and FastEthernet0/1.104 is in
VLAN 104. The sub-interface number equates to the VLAN number in these examples.
vpnjk-2600-8#sh ip route 10.0.68.0 255.255.192.0 longer-prefixes
2-9
Chapter 2
S
S
Because of the longest prefix match rule, the keepalive packets of the GRE tunnel keepalive always
prefer the primary path if it is active. If the primary path is not active, the GRE packets from the head to
branch location are sent over the ISDN interface, but recall that the remote router has a host route for the
GRE head-end address to the dialer interface. Because the dialer interface never goes down, the
keepalives are never returned to the head-end over the ISDN interface. This forces the GRE tunnel to use
only the primary path for two-way communications.
2-10
OL-7102-01
Chapter 2
2-11
Chapter 2
!
!
crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac
mode transport
no crypto ipsec nat-transparency udp-encaps
!
crypto dynamic-map DYNO-TEMPLATE 10
description dynamic crypto map
set transform-set 3DES_SHA_TRANSPORT 3DES_SHA_TUNNEL
reverse-route
qos pre-classify
!
!
crypto map DYNO-MAP local-address FastEthernet0/1.100
crypto map DYNO-MAP 10 ipsec-isakmp dynamic DYNO-TEMPLATE
!
crypto map BRI-MAP local-address FastEthernet0/1.104
crypto map BRI-MAP 10 ipsec-isakmp dynamic DYNO-TEMPLATE
!
!
interface FastEthernet0/1.100
encapsulation dot1Q 100
ip address 192.168.131.9 255.255.255.224
crypto map DYNO-MAP
!
interface FastEthernet0/1.104
encapsulation dot1Q 104
ip address 192.168.131.69 255.255.255.224
crypto map BRI-MAP
!
interface FastEthernet0/1.128
encapsulation dot1Q 128
ip address 10.2.128.9 255.255.255.0
!
router eigrp 100
redistribute static metric 256 1000 255 1 1500 route-map IPSEC_Subnets
network 10.0.0.0
network 192.168.130.0 0.0.1.255
no auto-summary
!
!
access-list 68 permit 10.0.68.0 0.0.0.255
!
route-map IPSEC_Subnets permit 10
match ip address 68
!
end
2-12
OL-7102-01
Chapter 2
Remote Router
Following is the configuration for the remote Cisco 1712 router. The relevant portions of the
configuration are annotated.
!
hostname vpn-jk2-1712-1
!
!
username vpnjk-2600-20 password 0 foo
!
crypto ca trustpoint ect-msca
enrollment mode ra
enrollment url http://ect-msca:80/certsrv/mscep/mscep.dll
revocation-check none
!
!
crypto ca certificate chain ect-msca
certificate 6109335700000000003A
certificate ca 113346B52ACEE8B04ABD5A5C3FED139A
!
!
crypto isakmp policy 1
encr 3des
group 2
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac
mode transport
no crypto ipsec nat-transparency udp-encaps
!
!
# The primary crypto map is associated with the Dialer interface
!
# and the peer statements reference VLAN 100 addresses on the
!
# head-end.
!
crypto map TEST local-address Dialer1
crypto map TEST 1 ipsec-isakmp
description Crypto for normal operations
set peer 192.168.131.9
vpn-jk-2600-9 VLAN 100 interface
set peer 192.168.131.8
vpn-jk-2600-8 VLAN 100 interface
set transform-set 3DES_SHA_TUNNEL
match address CRYPTO_MAP_ACL
qos pre-classify
!
!
# The backup crypto map is associated with the BRI0 interface
!
# and the peer statements reference VLAN 104 addresses on the
!
# head-end.
!
crypto map BRI local-address BRI0
crypto map BRI 1 ipsec-isakmp
description Crypto when in dial backup mode
set peer 192.168.131.69
vpn-jk-2600-9 VLAN 104 interface
set peer 192.168.131.68
vpn-jk-2600-8 VLAN 104 interface
set transform-set 3DES_SHA_TUNNEL
match address BRI_CRYPTO_MAP_ACL
qos pre-classify
!
!
class-map match-all VOICE
match ip dscp ef
class-map match-any CALL-SETUP
2-13
Chapter 2
2-14
OL-7102-01
Chapter 2
!
!
interface FastEthernet0
description Outside to DSL Modem
bandwidth 256
no ip address
service-policy output Shaper
load-interval 30
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
no ip address
vlan-id dot1q 1
exit-vlan-config
!
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
!
interface Dialer1
description Outside
bandwidth 256
ip address negotiated
ip mtu 1492
encapsulation ppp
ip tcp adjust-mss 542
load-interval 30
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp chap refuse
ppp pap sent-username cisco789@cisco.com password 0 foo
ppp ipcp dns request
ppp ipcp wins request
crypto map TEST
!
!
interface Vlan1
description Inside Interface
ip address 10.0.68.1 255.255.255.128
ip route-cache flow
ip tcp adjust-mss 542
load-interval 30
!
ip classless
!
!
# Two default routers are defined, the route thru the
!
# BRI interface will only be in the routing table when the
!
# BRI interface is UP/UP
2-15
Chapter 2
!
ip route 0.0.0.0 0.0.0.0 10.0.128.2 name BRI_peer_20
ip route 10.0.128.2 255.255.255.255 BRI0
!
ip route 0.0.0.0 0.0.0.0 Dialer1 240
!
!
# This route will force the IKE and IPSec packets to peers
!
# 192.168.131.8 and 192.168.131.9 out Dialer1 interface.
!
# These are the primary peers on VLAN 100
!
ip route 192.168.131.8 255.255.255.254 Dialer1
!
!
# This host route forces the GRE tunnel out the primary path only.
!
ip route 192.168.131.23 255.255.255.255 Dialer1
!
!
# These routes are for the backup IPSec peers on VLAN 104
!
# When the BRI interface is down, the Null0 route will be in the
!
# routing table.
!
ip route 192.168.131.68 255.255.255.254 10.0.128.2
ip route 192.168.131.68 255.255.255.254 Null0 239
!
no ip http server
no ip http secure-server
!
!
!
ip access-list extended BRI_CRYPTO_MAP_ACL
permit ip 10.0.68.0 0.0.0.255 any
!
!
!
ip access-list extended CRYPTO_MAP_ACL
permit ip 10.0.68.0 0.0.0.127 any
!
!
access-list 100 deny
icmp any any
access-list 100 permit ip any any
dialer-list 2 protocol ip list 100
!
!
ntp server 192.168.130.1
!
end
Show Commands
Under normal operations over the DSL connection, the routing table for the remote 1712 router appears
as follows:
vpn-jk2-1712-1#sh ip route | begin Gateway
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S
S
S
C
2-16
OL-7102-01
Chapter 2
C
C
S*
In the above display, the 192.168.17.0 address space is allocated to the router using PPPoE. The
192.168.131.0 address space represents the Internet routable address space of the head end. Note the
VLAN 104 head-end address space; 192.168.131.68/31 is being routed to the Null 0 interface during
normal operation. The tunnel interface is UP/UP.
vpn-jk2-1712-1#sh int tu 900
Tunnel900 is up, line protocol is up
Hardware is Tunnel
Description: tunnel to vpn-jk-2600-23
Backup interface BRI0, failure delay 0 sec, secondary disable delay 0 sec,
Next a cable cut failure in the DSL service provider to Tier 1 ISP is simulated.
vpn-jk2-1712-1#sh int tu 900
Tunnel900 is up, line protocol is down
Hardware is Tunnel
Description: tunnel to vpn-jk-2600-23
Backup interface BRI0, failure delay 0 sec, secondary disable delay 0 sec,
During backup mode, the routing table of the remote Cisco 1712 is as follows:
vpn-jk2-1712-1#sh ip route | begin Gateway
Gateway of last resort is 10.0.128.2 to network 0.0.0.0
S
S
S
C
C
C
C
C
S*
In this example, there is no loss of connectivity to the DSL service provider; the failure was simulated
by shutting down the interface connecting the DSL service provider to the Tier 1 ISP in the test topology.
The values that have been added or changed from the normal state example are highlighted.
During dial backup, the remote router has two IPSec SAs (ID=200,201), and an established IKE SA
(ID=164) over the BRI path. The router continues to attempt to re-establish connectivity to the head-end
IPSec peers over the normal path. Their IKE SAs (ID=167,168) are in the connection table.
vpn-jk2-1712-1#show cry eng conn act
ID
164
167
168
200
201
Interface
BRI0
Dialer1
Dialer1
BRI0
BRI0
IP-Address
10.0.128.1
192.168.17.4
192.168.17.4
10.0.128.1
10.0.128.1
State
set
alloc
alloc
set
set
Algorithm
HMAC_SHA+3DES_56_C
NONE
NONE
HMAC_SHA+3DES_56_C
HMAC_SHA+3DES_56_C
Encrypt
0
0
0
0
12
Decrypt
0
0
0
18
0
2-17
Chapter 2
dst
192.168.131.9
192.168.131.68
192.168.131.8
src
192.168.17.4
10.0.128.1
192.168.17.4
state
MM_NO_STATE
QM_IDLE
MM_NO_STATE
conn-id slot
167
0 (deleted)
164
0
168
0
On the head-end IPSec router, when the dial backup is active, there is a dynamic crypto map entry over
the BRI-MAP but none on the primary path (the DYNO-MAP).
vpnjk-2600-8#sh crypto map
Crypto Map: "DYNO-MAP" idb: FastEthernet0/1.100 local address: 192.168.131.8
Crypto Map "DYNO-MAP" 10 ipsec-isakmp
Dynamic map template tag: DYNO-TEMPLATE
Interfaces using crypto map DYNO-MAP:
FastEthernet0/1.100
Crypto Map: "BRI-MAP" idb: FastEthernet0/1.104 local address: 192.168.131.68
Crypto Map "BRI-MAP" 10 ipsec-isakmp
Dynamic map template tag: DYNO-TEMPLATE
Crypto Map "BRI-MAP" 11 ipsec-isakmp
Peer = 10.0.128.1
Extended IP access list
access-list permit ip any 10.0.68.0 0.0.0.255
dynamic (created from dynamic map DYNO-TEMPLATE/10)
Current peer: 10.0.128.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ 3DES_SHA_TRANSPORT, }
Reverse Route Injection Enabled
Interfaces using crypto map BRI-MAP:
FastEthernet0/1.104
During the Chariot performance test, the service policy associated with the virtual access interface was
displayed for the VOICE class.
vpn-jk2-1712-1#show policy-map interface virtual-access 3 out class VOICE
Virtual-Access3
Service-policy output: V3PN-WAN-EDGE-ISDN
Class-map: VOICE (match-all)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: ip dscp ef
Queueing
Strict Priority
Output Queue: Conversation 40
Bandwidth 48 (kbps) Burst 2400 (Bytes)
(pkts matched/bytes matched) 20454/2372648
(total drops/bytes drops) 0/0
Note that both B channels are fully used during the Chariot performance test, at 50 pps for voice, which
leaves 4849 pps of data.
vpn-jk2-1712-1#show interfaces bri0 1 2 | inc load|rate
reliability 255/255, txload 215/255, rxload 215/255
Queueing strategy: weighted fair [suspended, using FIFO]
30 second input rate 54000 bits/sec, 98 packets/sec
30 second output rate 54000 bits/sec, 99 packets/sec
2-18
OL-7102-01
Chapter 2
IPSec head-endsc2600-ik9o3s-mz.122-11.T5
Cisco 1712c1700-k9o3sy7-mz.122-15.ZL1
The IPSec head-end routers were Cisco 2651s with an Advanced Integration Module (AIM) hardware
VPN module. This testing was not intended to scale test head-end performance capabilities. In a
customer deployment, Cisco recommends using IPSec head-ends with suitable performance
characteristics aligned with the number of remote routers.
An available Cisco 1760 V3PN bundle, (product number: CISCO1760-V3PN/K9) can be used instead
of the 1712, if a Basic Rate ISDN WAN interface card (WIC) is installed. The Cisco 1712 supports ISDN
S/T, an external Network Termination Unit-1 (NTU-1) is required in some locales, which is available
from http:\\www.blackbox.com among other sources.
Caveats
Several DPD/RRI issues were encountered during testing.
When running Cisco IOS 12.2(11)T5, the IPSec head-end router inserts the static routes in the routing
table with a next hop address of 0.0.0.0 as shown.
vpnjk-2600-8#sh ip route static
S
S
This router was using Address Resolution Protocol (ARP) to resolve the MAC address for the remote
network address. The ISDN head-end router (MAC address 0005.9bbf.1901) replied with a proxy ARP.
vpnjk-2600-8#sh arp | inc 10.0.68.1
Internet 10.0.68.1
1
0005.9bbf.1901
ARPA
FastEthernet0/1.100
Proxy ARP was disabled on the ISDN head-end router, while the IPSec head-end continued to use ARP
for the address, and the ISDN head-end router no longer replied.
vpnjk-2600-8#sh arp
Protocol Address
Age (min)
Hardware Addr
Type
Interface
2-19
Chapter 2
Debugging
Internet
Internet
10.0.68.2
10.0.68.1
0
0
Incomplete
Incomplete
ARPA
ARPA
When IP Cisco Express Forwarding (CEF) and proxy ARP were disabled on the ISDN router, RRI
functioned properly.
Debugging
You can enable tunnel keepalive debugging to verify connectivity over the primary path. Cisco
recommends enabling this on the remote router rather than the head-end router if a large number of
tunnels are terminated on the head-end router, because it generates a console message for each tunnel
and each keepalive.
vpnjk-2600-23#debug tunnel keepalive
Tunnel keepalive debugging is on
Nov 25 16:10:29 est: Tunnel900:
ttl=255), counter=1
Nov 25 16:10:29 est: Tunnel900:
ttl=253), resetting counter
Nov 25 16:10:49 est: Tunnel900:
ttl=255), counter=1
Nov 25 16:10:49 est: Tunnel900:
ttl=253), resetting counter
Note the time-to-live (TTL) is 253 for the received keepalive because the keepalive passed through the
IPSec tunnel and thus two routers in total.
Summary
Enterprise customers who currently use Basic Rate ISDN dial backup to provide backup connectivity in
the event their Frame Relay link fails will also want to provide similar backup mechanisms as they
migrate the primary link from Frame Relay to DSL. Because in many cases the DSL connection is
provisioned over the Internet, IPSec encryption may be a requirement for the primary link though it was
not required over a private Frame Relay carrier. An added benefit of this design is that there is no
additional cost of encrypting the Basic Rate ISDN backup link, because the same head-end routers can
be used to encrypt both primary and backup.
Use of the GRE tunnel to trigger dial backup is both a scalable and a reliable means of initiating the
backup link. Not encrypting the data traffic in the GRE tunnel saves both WAN bandwidth and offers
greater head-end scalability, because no routing protocol is required.
2-20
OL-7102-01
C H A P T E R
Solution Characteristics
Topology
Failover/Recovery Time
Performance Results
Summary
As enterprise customers begin to deploy IP telephony using broadband as the access media to the small
office environment, backup links are required to minimize service disruption. In existing Frame Relay
deployments, ISDN was the preferred choice as a dial backup mechanism because it offered sufficient
bandwidth, was relatively cost effective, and offered a different technology as the underlying media.
Using different technologies for the primary and backup links isolates the enterprise from the
catastrophic failure of one technology taking down both the primary and backup links. Examples of this
are the notable Frame Relay failures that were manifest in the total collapse of these networks in the late
1990s. The enterprises that were least impacted by these service outages were those that used ISDN as
their backup mechanism. The human and software errors that caused the Frame Relay failures did not
impact the ISDN network.
Applying this concept of using alternate technologies to provide backup to the small office, the natural
conclusion is to deploy both DSL and cable, as shown in Figure 3-1.
DSL with Cable Backup Topology
DSL
IP
Cisco
1751
IP
IPSec small
office router
Broadband Internet
Service Provider
Cable
Modem
Unix Server
IPsec
Head-end
router(s)
132007
Figure 3-1
3-1
Chapter 3
Solution Characteristics
A small office is likely to have at least one or more plain old telephone service (POTS) lines anyway,
and enabling one for DSL service adds approximately $50 USD a month. A cable-provided Internet
service costs approximately $50 USD a month in addition to a basic cable service if required. A side
benefit is cable TV in the employee lounge. Using the Raleigh-Durham, North Carolina market as an
example, the small office has available to it a 256-kbps uplink via DSL and 384-kbps uplink via cable
for approximately $100 USD a month.
A degree of ISP separation is also present in addition to the alternate technologies of DSL and cable at
the local loop. It is likely that the DSL and cable providers connect to different Tier 2 ISPs that in turn
likely connect to multiple Tier 1 ISPs. If the head-end Internet connection uses multiple Tier 1 ISPs, the
branch offices are isolated to some extent from service disruptions within a particular ISP. Alternately,
the enterprise can consider connecting directly to either the IP network of the cable or DSL provider, or
to the Tier 2 ISP servicing the broadband provider.
Solution Characteristics
This deployment scenario is applicable to small branch offices that have the following connectivity
characteristics:
The Reliable Static Routing Backup Using Object Tracking feature is used to trigger a backup
connection (in these examples using a cable modem) to be initiated by the remote customer premises
equipment (CPE) in scenarios where only static routes are used. Both cable and DSL deployments rely
on static routes to reach the service provider as a next hop address.
This feature allows a target to be identified and pinged or probed using Cisco Service Assurance Agent
(SAA) over the primary interface. In this example, it is a Cisco IOS router at the head-end location that
is reachable only through the IPSec tunnel.
If the pings/probes fail, the static route for the primary path is removed from the routing table, allowing
a static route with a higher administrative distance to be inserted into the routing table as an alternate
default route. The pings/probes continue to be attempted over the primary interface. If they are
successful again, the connection is re-established over the primary interface.
Topology
The topology shown in Figure 3-2 is used as an example. The routers are named as follows:
Remote routervpnjk-1751-1
3-2
OL-7102-01
Chapter 3
Figure 3-2
IPSec
remote router
vpnjk-1751-1
Optional
DSL
Modem
Backup
IPSec
VLAN Head-end
100
vpn-jk2-2691-1
Internet
DSL
Service Provider Service Provider
192.168.16.0/20
VLAN 120
-32
IP
Path of SAA
packets
WAN
routers
Cable
Service Provider
SAA target
router
vpnjk-2600-23
vpnjk-2600-8
192.168.32.0/20
Internet
Service Provider
VLAN 128
Primary vpnjk-2600-9
IPSec
Head-end
vpnjk-2600-5
132008
IP
Enterprise
Intranet Backbone
This design uses the Cisco IOS feature, Reliable Static Routing Backup Using Object Tracking, to verify
connectivity with SAA probes originating from the inside Ethernet LAN address of the remote router
through the IPSec tunnel that traverses the DSL provider to the IPSec head-end routers. The SAA probe
packets are encrypted and forwarded to the head-end SAA target router. The probe responses follow the
return path and the SAA control plane follows the same path as the probe packets.
This configuration provides a backup path over the DSL service provider if the primary path over the
cable service provider fails. Connectivity failures of the SAA probes trigger the use of the backup path.
Failover/Recovery Time
This section shows examples of a temporary failure that causes packet loss but recovers before the
backup path is activated. The second example illustrates a failure of the primary path of sufficient
duration to trigger the use of the backup link.
This section includes the following topics:
3-3
Chapter 3
Failover/Recovery Time
The IKE keepalives identified the failure at 13:26:51 or approximately 23 seconds later. IKE attempts
to contact the secondary peer, assuming an IPSec head-end failure.
vpnjk-1751-1#
Dec 19 13:26:51.422 est: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN.
192.168.131.8:500
Id: vpnjk-2600-8.ese.cisco.com
Peer
With debug track, you can see that the tracking logic has identified a connection failure of the SAA
configuration but delays action for 60 seconds. This is 27 seconds from the original link failure.
Dec 19 13:26:55.074 est: Track: 123 Down change delayed for 60 secs
At this point, the original link failure has recovered; this is one minute from the initial link failure.
Dec 19 13:26:53.795 est: %ATM-5-UPDOWN: Interface ATM1/IMA0.1, Changing autovc .
Dec 19 13:27:28.156 est: %BGP-5-ADJCHANGE: neighbor 192.168.129.26 Up
At this point, the IPSec tunnel has been re-established; however, the new tunnel is with the secondary
IPSec head end, vpnjk-2600-9.ese.cisco.com, and the initial IPSec tunnel was with the primary IPSec
head-end, vpnjk-2600-8.ese.cisco.com.
Dec 19 13:27:41.754 est: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than
(2000)msecs (0/0),process = Crypto IKMP.
-Traceback= 802971E8 80294574 8129E55C 81295D6C 81294760 81294304 812906D0 812635A8
812869FC 81263EC4 8125F278 8125D9F0 8127F120 81 1
Dec 19 13:27:42.274 est: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP
192.168.131.9:500
Id: vpnjk-2600-9.ese.cisco.com
Peer
With connectivity established, the SAA UDP probe was successful and the action was aborted. This
event occurred 9 seconds before the 60 second track delay expired.
Dec 19 13:27:46.894 est: Track: 123 Down change delay cancelled
1. The CPU HOG messages are an anomaly with the release tested. This is likely because of
CSCec05368-Certificate validation has poor performance.
3-4
OL-7102-01
Chapter 3
At this point, all connectivity has been restored. The only change was a swap of the IPSec tunnel from
the primary to the secondary head-end during the brief failure. The IKE keepalive values can be
increased if needed. However, recall that the SAA probes are encrypted and require the IPSec tunnel to
reach the head-end SAA router.
Approximately 39 seconds from the ISP link failure, the tracking logic has identified the failure.
vpnjk-1751-1#
Jan 30 16:37:59.192 est: Track: 123 Down change delayed for 60 secs
Jan 30 16:38:05.776 est: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN.
192.168.131.9:500
Id: vpnjk-2600-9.ese.cisco.com
Peer
One minute later (recall that delay down 60 is configured), the IP route associated with the track
subsystem is removed from the routing table. This is a default route to the dialer interface (the primary
path). The secondary path is through a cable modem, and the router obtains a default route using DHCP
for the interface to the cable provider.
Jan 30 16:38:59.192 est: Track: 123 Down change delay expired
Jan 30 16:38:59.192 est: Track: 123 Change #8 rtr 23, reachability Up->Down
The floating static route to the PPPoE dialer interface is now in the routing table. The DHCP learned
route is configured with an administrative distance of 239. The floating static is 240.
vpnjk-1751-1>show rtr op 23 | inc return code
Latest operation return code: No connection
vpnjk-1751-1>show ip route | inc 0.0.0.0
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S*
Approximately 96 seconds after the ISP link failure, connectivity has been restored to the backup
head-end IPSec peer.
Jan 30 16:39:16.084 est: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP
192.168.131.4:500
Id: vpn-jk-2691-1.ese.cisco.com
Peer
During the failure, a ping was started before the ISP link failure to determine the approximate length of
time of the failure, plus or minus 5 seconds. 20 Internet Control Message Protocol (ICMP) packets were
lost, or approximately 100 seconds for recovery.
vpnjk-2600-2#ping 10.2.128.5 timeout 5 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.2.128.5, timeout is 5 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!....................!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!![repetition removed]
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 98 percent (980/1000), round-trip min/avg/max = 8/15/24 ms
3-5
Chapter 3
Failover/Recovery Time
As service in the ISP network is restored, the SAA probe is again able to reach the head-end SAA target
router. The remote router configuration includes a host route to the head-end SAA target router using the
DHCP learned next hop router, so the SAA probe must connect over the primary interface. When the
primary path is restored, successful probe transactions trigger a tracking change in state from down to
up. The tracking configuration delays the transition from down to up for 5 seconds.
vpnjk-1751-1>
Jan 30 16:53:14.328
192.168.131.9:500
Jan 30 16:53:24.196
Jan 30 16:53:29.196
Jan 30 16:53:29.196
There is no advantage in configuring a long up delay because the IPSec tunnel must be established for
the SAA probe to complete. There is little or no appreciable packet loss when changing state from down
to up, because both the primary and backup path and IPSec tunnel are connected at the same time. The
tracking subsystem is simply adding the default route for the primary or DHCP interface to influence the
network traffic of the end user. Following is an example of the default route under normal operations.
vpnjk-1751-1>show ip route | begin Gateway
Gateway of last resort is 192.168.33.1 to network 0.0.0.0
S
S
S
C
C
C
C
S*
However, the path over the primary IPSec head-end peer is used from the remote LAN to the enterprise
intranet backbone router. In this case, 192.168.131.9 is vpnjk-2600-9.ese.cisco.com.
traceroute 10.2.128.5
Type escape sequence to abort.
Tracing the route to 10.2.128.5
1 10.0.68.5 4 msec 0 msec 4 msec
2 192.168.131.9 8 msec 8 msec 8 msec
3 10.2.128.5 8 msec * 8 msec
From the head-end perspective, recovery of the primary path induces a metric change, and debug ip
routing was enabled on the enterprise intranet router during recovery. Note that the route to 10.0.68.0/25
is replaced by one with a lower (better) metric over the primary path.
3-6
OL-7102-01
Chapter 3
vpnjk-2600-5#
Jan 30 16:53:14 est: RT: del 10.0.68.0/25 via 10.2.120.4, eigrp metric [170/10258432]
Jan 30 16:53:14 est: RT: add 10.0.68.0/25 via 10.2.128.9, eigrp metric [170/6925056]
This action is based on the Enhanced Interior Gateway Routing Protocol (EIGRP) configuration of the
primary and backup IPSec head-end peers. The backup peer is redistributing the RRI static routes with
a bandwidth of 256:
vpn-jk-2691-1#sh run b | beg router eigrp
router eigrp 100
redistribute static metric 256 1000 255 1 1500 route-map IPSEC_Subnets
However, the primary peers are redistributing the RRI static routes with a bandwidth of 384 kbps:
vpnjk-2600-9#show run brief | begin router eigrp
router eigrp 100
redistribute static metric 384 1000 255 1 1500 route-map IPSEC_Subnets
In this sample configuration, the trained rate of the DSL connection is 256 kbps uplink and the cable
connection is simulating a 384 kbps guaranteed rate.
Note
Many cable providers quote a burst rate and not a guaranteed rate in their marketing literature.
vpnjk-2600-5#show ip route 10.0.68.0
Routing entry for 10.0.68.0/25
Known via "eigrp 100", distance 170, metric 6925056, type external
Redistributing via eigrp 100
Last update from 10.2.128.9 on FastEthernet0/1.128, 00:05:05 ago
Routing Descriptor Blocks:
* 10.2.128.9, from 10.2.128.9, 00:05:05 ago, via FastEthernet0/1.128
Route metric is 6925056, traffic share count is 1
Total delay is 10100 microseconds, minimum bandwidth is 384 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 1
The above display shows the characteristics of the route when the IPSec tunnel is active on the primary
IPSec peer. The minimum bandwidth for the route is 256 kbps when the primary path has failed and the
backup IPSec peer has the best route to the remote network.
3-7
Chapter 3
Performance Results
class class-default
shape average 364800 3648
service-policy V3PN-Small_Branch
!
!
interface Ethernet0/0
description to DSL MODEM
bandwidth 256
no ip address
service-policy output Shaper-DSL
pppoe enable
pppoe-client dial-pool-number 1
!
interface Ethernet1/0
description To CABLE MODEM
bandwidth 384
ip dhcp client route track 123
ip address dhcp
service-policy output Shaper-cable
No other special considerations need be given. A common shaper value using the lower of the two values
can be used for both cable and DSL to simplify configuration.
Performance Results
The SAA target head-end router must be available to respond to SAA probes for the remote routers to
make use of their primary path. Cisco recommends that the CPU of the SAA target head-end router
ideally be less than 30 percent busy; 30 percent to 60 percent is acceptable. Over 60 percent busy is not
recommended.
A Cisco 26xx series router being used as a dedicated SAA target head-end router is estimated to process
2030 probes per second and to stay within these CPU requirements. The number of remote routers
being serviced by the SAA target head-end router depends on the frequency of the SAA probe from each
remote router. The configuration example shown here uses a frequency of 20 seconds between probes,
which equates to up to 600 remote routers.
Note
If the SAA probe frequency is configured at a value less than the IKE keepalive frequency, the Dead
Peer Detection (DPD) logic generally never sends out IKE keepalive packets, because the SAA probes
do not allow the IKE worry interval to expire. However, decreasing the SAA probe frequency means
more load on the SAA head-end and more packets that must be encrypted and decrypted by the head-end
IPSec routers. The network manager has a great deal of latitude in configuring these various timers.
3-8
OL-7102-01
Chapter 3
Remote Router
Show Commands
The SAA configuration shows the use of an UDP echo probe rather than an ICMP probe. ICMP probes
are required if the head-end target is not a Cisco router with rtr responder configured. Either probe is
acceptable, the function of the probe is traverse inside the crypto tunnel to verify the primary path is
3-9
Chapter 3
functional. The UDP source and destination port numbers are arbitrary, decimal 57005 is 0xDEAD in
hexadecimal, and decimal 48879 is 0xBEEF. These character strings are easy to identify when looking
at port number values shown in hexadecimal.
There is a host route to the SAA target device, 192.168.131.23, using the DHCP learned default gateway
as the target. All SAA connection attempts must use the cable or primary interface.
Note
While the SAA target device address is in the 192.168.0.0/16 address space, which represents Internet
routable address space in these illustrations, the SAA probe is encapsulated inside the IPSec tunnel. The
next hop address in the static route for 192.168.131.23 is the DHCP learned default gateway. This routes
the probe out the cable or primary interface. The source IP address of the SAA probe is the inside LAN
interface which is referenced in the crypto map. The SAA probe therefore is encrypted and transmitted
inside the IPSec tunnel
Some optional SAA configuration commands are shown in grey/italics that are explained in a subsequent
section.
The SAA control plane listens on UDP port 1967, when the default configuration value of control enable
is in effect.
vpnjk-2600-23#show ip sockets
Proto
Remote
Port
Local
17 0.0.0.0
0 10.0.253.4
88
--listen-10.0.253.4
17
--listen-10.0.253.4
17 0.0.0.0
0 10.0.253.4
Port
67
100
123
1967
From the remote router, the SAA control plane as well as the probe packets can be identified using
NetFlow if enabled on the appropriate interfaces.
vpnjk-1751-1#sh ip cache verb flow | begin SrcIf
SrcIf
Port Msk
Vi1
DEAD /0
Vi1
B92C /0
Vi1
07AF /0
SrcIPaddress
AS
192.168.131.23
0
192.168.131.8
0
192.168.131.23
0
DstIf
Port Msk
Local
BEEF /0
Local
C0FA /0
Local
BEEF /0
AS
0
0
0
DstIPaddress
NextHop
10.0.68.5
0.0.0.0
192.168.17.3
0.0.0.0
10.0.68.5
0.0.0.0
The probe packets are 44 bytes (Layer 3) by default. Source port of 0x7AF is decimal 1967. Note that
the source port for the control plane and the probe packets are the same value.
3-10
OL-7102-01
Chapter 3
3-11
Chapter 3
3-12
OL-7102-01
Chapter 3
3-13
Chapter 3
interface FastEthernet0/1.100
description Outside Interface
encapsulation dot1Q 100
ip address 192.168.131.8 255.255.255.224
crypto map DYNO-MAP
!
interface FastEthernet0/1.128
description Inside Interface
encapsulation dot1Q 128
ip address 10.2.128.8 255.255.255.0
!
!
Bandwidth value for backup IPSec peer is 256
!
router eigrp 100
redistribute static metric 384 1000 255 1 1500 route-map IPSEC_Subnets
network 10.0.0.0
network 192.168.130.0 0.0.1.255
no auto-summary
no eigrp log-neighbor-changes
!
ip default-gateway 172.26.156.1
ip classless
no ip http server
!
!
access-list 68 permit 10.0.68.0 0.0.0.255
access-list 68 deny
any
!
route-map IPSEC_Subnets permit 10
match ip address 68
!
!
ntp server 192.168.130.1
!
end
===================================================================================
!
System image file is "flash:c2600-ik9o3s-mz.122-11.T5"
version 12.2
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname vpnjk-2600-9
!
logging buffered 4096 debugging
enable password 7 1511021F0725
!
clock timezone est -5
clock summer-time edt recurring
ip subnet-zero
!
!
no ip domain lookup
ip domain name ese.cisco.com
ip host harry 172.26.176.10
ip host ect-msca 172.26.179.237
!
ip audit notify log
ip audit po max-events 100
!
crypto ca trustpoint ect-msca
enrollment mode ra
enrollment url http://ect-msca:80/certsrv/mscep/mscep.dll
3-14
OL-7102-01
Chapter 3
auto-enroll 70
crypto ca certificate chain ect-msca
certificate 610BE2E400000000001F nvram:ect-msca.cer
certificate ca 113346B52ACEE8B04ABD5A5C3FED139A nvram:ect-mscaCA.cer
!
crypto isakmp policy 1
encr 3des
group 2
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map DYNO-TEMPLATE 10
description dynamic crypto map
set transform-set 3DES_SHA_TRANSPORT 3DES_SHA_TUNNEL
reverse-route
qos pre-classify
!
!
crypto map DYNO-MAP local-address FastEthernet0/1.100
crypto map DYNO-MAP 10 ipsec-isakmp dynamic DYNO-TEMPLATE
!
!
interface FastEthernet0/1
description dot1q
no ip address
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet0/1.100
description Outside Interface
encapsulation dot1Q 100
ip address 192.168.131.9 255.255.255.224
crypto map DYNO-MAP
!
interface FastEthernet0/1.128
description Inside Interface
encapsulation dot1Q 128
ip address 10.2.128.9 255.255.255.0
!
!
Bandwidth value for backup IPSec peer is 256
!
router eigrp 100
redistribute static metric 384 1000 255 1 1500 route-map IPSEC_Subnets
network 10.0.0.0
network 192.168.130.0 0.0.1.255
no auto-summary
no eigrp log-neighbor-changes
!
ip classless
no ip http server
!
!
access-list 68 permit 10.0.68.0 0.0.0.255
!
route-map IPSEC_Subnets permit 10
match ip address 68
!
ntp server 192.168.130.1
!
3-15
Chapter 3
end
Remote Router
The following is the configuration for the remote router. See the specific notes in the following
configuration:
!
System image file is "flash:vpn/images/c1700-k9o3sy7-mz.123-2.XE"
version 12.3
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname vpnjk-1751-1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 [removed]
!
memory-size iomem 25
clock timezone est -5
clock summer-time edt recurring
no aaa new-model
ip subnet-zero
!
!
!
!
ip telnet source-interface FastEthernet0/0
no ip domain lookup
ip domain name ese.cisco.com
ip host harry 172.26.176.10
ip host ect-msca 172.26.179.237
ip cef
ip audit notify log
ip audit po max-events 100
ip dhcp-client default-router distance 239
!
track 123 rtr 23 reachability
delay down 60 up 5
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
Certificates will be used for authentication for the primary path
!
and IKE Aggressive mode will be used for the backup path
!
crypto ca trustpoint ect-msca
enrollment mode ra
enrollment url http://ect-msca:80/certsrv/mscep/mscep.dll
revocation-check none
!
!
crypto ca certificate chain ect-msca
certificate 610C436F00000000002C
certificate ca 113346B52ACEE8B04ABD5A5C3FED139A
!
!
crypto isakmp policy 1
3-16
OL-7102-01
Chapter 3
encr 3des
group 2
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10
!
crypto isakmp peer address 192.168.131.4
set aggressive-mode password 00-02-8A-9B-05-33
set aggressive-mode client-endpoint fqdn Store77.ese.cisco.com
crypto isakmp profile AGGRESSIVE
description Profile to test Initiating Aggressive Mode
self-identity fqdn
match identity host domain ese.cisco.com
initiate mode aggressive
!
!
crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac
mode transport
no crypto ipsec nat-transparency udp-encaps
!
crypto map PRIMARY_LINK 1 ipsec-isakmp
description Crypto Map for Primary Path
set peer 192.168.131.9
set peer 192.168.131.8
set transform-set 3DES_SHA_TUNNEL
match address CRYPTO_MAP_ACL
qos pre-classify
!
crypto map BACKUP_LINK 1 ipsec-isakmp
description Crypto Map for Backup Path
set peer 192.168.131.4
set transform-set 3DES_SHA_TUNNEL
match address CRYPTO_MAP_ACL
qos pre-classify
!
!
!
class-map match-all VOICE
match ip dscp ef
class-map match-any CALL-SETUP
match ip dscp af31
match ip dscp cs3
class-map match-any INTERNETWORK-CONTROL
match ip dscp cs6
match access-group name IKE
class-map match-all TRANSACTIONAL-DATA
match ip dscp af21
!
!
policy-map V3PN-Small_Branch
description Note LLQ for ATM/DSL G.729=64K, G.711=128K
class CALL-SETUP
bandwidth percent 2
class INTERNETWORK-CONTROL
bandwidth percent 5
class VOICE
priority 128
class TRANSACTIONAL-DATA
bandwidth percent 22
class class-default
3-17
Chapter 3
fair-queue
random-detect
policy-map Shaper-DSL
class class-default
shape average 182400 1824
service-policy V3PN-Small_Branch
policy-map Shaper-cable
class class-default
shape average 364800 3648
service-policy V3PN-Small_Branch
!
!
!
interface Ethernet0/0
description to DSL MODEM
bandwidth 256
no ip address
service-policy output Shaper-DSL
load-interval 30
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0/0
description Inside
ip address 10.0.68.5 255.255.255.128
no ip proxy-arp
ip route-cache flow
ip tcp adjust-mss 542
load-interval 30
speed auto
!
interface Ethernet1/0
description To CABLE MODEM
bandwidth 384
ip dhcp client route track 123
ip address dhcp
service-policy output Shaper-cable
ip route-cache flow
ip tcp adjust-mss 542
load-interval 30
half-duplex
crypto map PRIMARY_LINK
!
interface Dialer1
description Outside
bandwidth 256
ip address negotiated
ip mtu 1492
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 542
load-interval 30
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp chap refuse
ppp pap sent-username cisco789@cisco.com password 0 foo
ppp ipcp dns request
ppp ipcp wins request
crypto map BACKUP_LINK
!
ip classless
3-18
OL-7102-01
Chapter 3
Show Commands
The following optional SAA configuration statements provide for maintaining a history of the last ten
failed connection attempts:
lives-of-history-kept 1
buckets-of-history-kept 10
filter-for-history failures
3-19
Chapter 3
The time stamps in the display help to identify when network connectivity failures occurred. Use
Network Time Protocol (NTP) to maintain accurate time on the remote routers.
Cisco 1751c1700-k9o3sy7-mz.123-2.XE
SAA targetc2600-ik9o3s3-mz.123-3
The IPSec head-end routers were Cisco 2651s with an Advanced Integration Module (AIM) hardware
VPN module. This testing was not intended to scale test head-end performance capabilities. In a
customer deployment, using IPSec head-ends with suitable performance characteristics aligned with the
number of remote routers is advised.
An available Cisco1760 V3PN bundle (product number: CISCO1760-V3PN/K9) can be used instead of
the Cisco 1751.
Reliable Static Routing Backup Using Object Tracking was first introduced in Cisco IOS version
12.3(2)XE.
Summary
The Object Tracking feature of Cisco IOS Software provides a means to deploy both DSL and cable
modems to the same remote location for increased availability. Because this feature uses SAA, a network
manager can use its protocols and applications in addition to ICMP for verifying connectivity. One
advantage to this configuration is its scalability; you can configure a primary and backup IPSec head-end
independently from the SAA head-end router, and you can add additional SAA head-ends as required.
3-20
OL-7102-01
C H A P T E R
Solution Characteristics
Topology
Failover/Recovery Time
Performance Results
Debugging
Summary
Solution Characteristics
This design incorporates techniques described in the previous two chapters but now further reduces the
costs associated with the backup link. With Basic Rate ISDN as the backup link, it is possible to transport
encrypted voice traffic across the backup link. However, installing a Basic Rate ISDN line has
installation costs and ongoing monthly charges as well as possible per-minute charges when the link is
active.
A less costly alternative is to use the plain old telephone service (POTS) line that is necessary for
provisioning the Asymmetric Digital Subscriber Line (ADSL) service to the branch. Rather than
implement an access server at the enterprise head-end location, this design uses the access server of the
ISP. This is a further cost reduction to the enterprise. Some ISPs provide access to their dial network at
no additional cost as part of a DSL subscription. In some cases, 20 hours per month are provided with
DSL service. In other cases, there may be a small fee (less than $10 USD a month) to include dial-up
with the DSL plan. Alternatively, dial-up services can be ordered from a different service provider than
the ISP providing the DSL service. If single-line DSL (SDSL) service is used (SDSL has no baseband
POTS line), a separate POTS line can be installed.
There are two primary disadvantages associated with the cost savings of this design:
Encrypted voice cannot be transported to the enterprise head-end over the Async interface because
the bandwidth is insufficient.
Local loop cable cut will likely take out both the ADSL and POTS line.
4-1
Chapter 4
Topology
However, the integrated WIC-1AM of the Cisco 1711 includes two RJ11 ports: one for the line and the
second for the analog phone handset. The analog line can be used for calls when the dial backup is not
active.
Both the primary and backup links use PPP encapsulation and the IP address is dynamically (negotiated)
assigned by the ISP. For the broadband path, this is through PPPoE; for the Async path, this is through
PPP.
Topology
The topology consists of a Cisco 1711 router at the remote branch location, connected to a DSL bridge
on the FastEthernet 0 interface. The POTS line for the ADSL service is separated using a DSL
filter/splitter and connected to the Async 1 interface.
The ISP that provides DSL service also includes 20 hours of dial access per month at no additional
charge. The same username and password for access to the DSL network is used for the dial backup. At
the head-end location, a pair of IPSec routers are shown in the configuration files; one for the primary
path and the second for the backup path. As in previous sections, a pair of IPSec head-end routers can
be configured for both the primary and backup path and two separate addresses can be assigned.
An SAA target router is used at the head-end location.
Note
This design uses the Cisco IOS feature, Reliable Static Routing Backup Using Object Tracking, to verify
connectivity with SAA probes originating from the inside Ethernet LAN address of the remote router.
The SAA packets traverse the IPSec tunnel. If the tunnel is down and the SAA target is unreachable, dial
backup is triggered. Because this design uses SAA to generate ICMP packets, the IP host can be used in
place of the SAA target router. It is important that this device remains in service because a failure of the
target device causes all branches to attempt a dial backup even though the IPSec tunnel remains
available.
Figure 4-1 shows the devices used in this solution.
Figure 4-1
SAA target
router
Telco/Broadband
Service Provider
Path of SAA packet
IPSec
DSL
IP
Cisco
1711
ATM
ATM
Internet
Bridge required
ISPs
dial server
Enterprise
Intranet Backbone
132009
Dial Backup
POTS
IPsec Head-end
router(s)
4-2
OL-7102-01
Chapter 4
The SAA packets are permitted to reach the head-end only via the DSL interface. This is controlled by
a static host route. The backup crypto map advertises a /28 prefix to the head-end IPSec router and the
primary IPSec router advertises the /29 prefix that is configured on the inside VLAN 1 interface. This
ensures that the return path of the SAA packets uses the IPSec tunnel over the DSL interface if it is
active.
Failover/Recovery Time
The following sample configuration uses 60-second track down delay, a polling frequency of 15 seconds
for the SAA ICMP probe, and an IKE keepalive value of 10 seconds. To test the dial backup, the DSL
cable was removed from the DSL modem. In this display, debug track is enabled. With these
configuration options, connectivity is restored in approximately two minutes from the initial failure.
vpn-jk2-1711-1#show clock
15:17:07.189 est Thu Jan 8 2004
<- Cable was removed at this time
vpn-jk2-1711-1#
Jan 8 15:17:11.577 est: Track: 21 Down change delayed for 60 secs
Jan 8 15:17:28.293 est: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer
xx.xxx.223.24:500
Id: rtp5-esevpn-gw4.cisco.com
Jan 8 15:17:56.465 est: %DIALER-6-UNBIND: Interface Vi1 unbound from profile Di1
Jan 8 15:17:56.485 est: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
Jan 8 15:17:57.465 est: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1,
changed state to down
Jan 8 15:18:11.577 est: Track: 21 Down change delay expired
Jan 8 15:18:11.577 est: Track: 21 Change #14 rtr 1021, state Up->Down
Jan 8 15:18:57.902 est: %LINK-3-UPDOWN: Interface Async1, changed state to up
Jan 8 15:18:58.906 est: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async1, changed
state to up
Jan 8 15:19:04.710 est: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer
xx.xxx.223.25:500
Id: rtp5-esevpn-gw5.cisco.com
vpn-jk2-1711-1#show clock
15:19:11.954 est Thu Jan 8 2004
<- Connectivity restored via Async interface
During transition from the backup Async to primary DSL connection, the recovery is transparent to data
applications. Following is an example of a continuous ping running from the PC behind the Cisco 1711
as the DSL cable was inserted back into the DSL modem. The transition from Async to DSL can be
identified because the round trip time (RTT) of the ICMP packets decreases substantially from
approximately 200ms to 90ms.
Reply
Reply
Reply
Reply
Reply
Reply
Reply
Reply
Reply
Reply
Reply
Reply
from
from
from
from
from
from
from
from
from
from
from
from
172.26.129.252:
172.26.129.252:
172.26.129.252:
172.26.129.252:
172.26.129.252:
172.26.129.252:
172.26.129.252:
172.26.129.252:
172.26.129.252:
172.26.129.252:
172.26.129.252:
172.26.129.252:
bytes=32
bytes=32
bytes=32
bytes=32
bytes=32
bytes=32
bytes=32
bytes=32
bytes=32
bytes=32
bytes=32
bytes=32
time=231ms TTL=247
time=160ms TTL=247
time=200ms TTL=247
time=90ms TTL=247
time=100ms TTL=247
time=111ms TTL=247
time=90ms TTL=247
time=90ms TTL=247
time=90ms TTL=247
time=90ms TTL=247
time=90ms TTL=247
time=90ms TTL=247
The LCD display on the IP Phone changes to normal state after recovery because the phone is able to
register with the Cisco CallManager over DSL.
4-3
Chapter 4
The same input ACL applied to the primary interface is also applied to the backup interface because both
interfaces connect to the Internet.
Performance Results
No specific QoS policy was applied to the output Async1 interface except for the default value of
weighted fair queueing. Because encrypted voice was not attempted on the backup interface because of
bandwidth constraints, no performance tests were run. During the time the dial backup was active, the
workstation was able to send and receive text email, view web pages, and so on. Note from the previous
section on failover and recovery time, the latency of the Async interface is higher than the broadband
connection. The effective bandwidth of the dial backup link is approximately 24 kbps in these tests.
A specific QoS service policy can be applied on the output to the Async interface to guarantee bandwidth
to mission-critical or transactional applications. However, weighted fair queueing may be sufficient for
these low-volume applications.
4-4
OL-7102-01
Chapter 4
rtr 1021
type echo protocol ipIcmpEcho 10.81.0.26 source-ipaddr 10.81.7.241
tos 192
timeout 1000
owner TRACK 21
frequency 15
lives-of-history-kept 1
buckets-of-history-kept 20
filter-for-history failures
rtr schedule 1021 start-time now life forever
!
4-5
Chapter 4
4-6
OL-7102-01
Chapter 4
enrollment mode ra
enrollment url http://10.81.0.18:80/certsrv/mscep/mscep.dll
revocation-check none
source interface Vlan1
auto-enroll 70
!
!
crypto ca certificate chain ese-vpn-cert
certificate 2ABC84E400000000002A
certificate ca 36092145BAA631BF4763493E714CD857
!
!
crypto isakmp policy 1
encr 3des
group 2
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set REPLAY esp-3des esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto map RTP 1 ipsec-isakmp
description RTP Enterprise Class Teleworker
set peer xx.xxx.223.24
set transform-set REPLAY
match address CRYPTO_MAP_ACL
qos pre-classify
!
crypto map ASYNC_BACKUP 1 ipsec-isakmp
description For ASYNC backup interface
set peer xx.xxx.223.25
set transform-set REPLAY
match address CRYPTO_MAP_ACL_BACKUP
qos pre-classify
!
!
!
class-map match-all VOICE
match ip dscp ef
class-map match-any CALL-SETUP
match ip dscp af31
match ip dscp cs3
class-map match-any INTERNETWORK-CONTROL
match ip dscp cs6
match access-group name IKE
!
!
policy-map ASYNC_IN
description Allows us to block voice on the Async
class VOICE
police 8000 conform-action drop exceed-action drop
class CALL-SETUP
police 8000 conform-action drop exceed-action drop
policy-map V3PN-teleworker
description Note LLQ for ATM/DSL G.729=64K, G.711=128K
class CALL-SETUP
bandwidth percent 2
class INTERNETWORK-CONTROL
bandwidth percent 5
class VOICE
priority 128
class class-default
fair-queue
random-detect
4-7
Chapter 4
policy-map Shaper
class class-default
shape average 182400 1824
service-policy V3PN-teleworker
!
!
!
interface FastEthernet0
description Outside
no ip address
service-policy output Shaper
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet1
no ip address
vlan-id dot1q 1
exit-vlan-config
!
!
interface FastEthernet2
no ip address
vlan-id dot1q 1
exit-vlan-config
!
!
interface FastEthernet3
no ip address
vlan-id dot1q 1
exit-vlan-config
!
!
interface FastEthernet4
no ip address
vlan-id dot1q 1
exit-vlan-config
!
!
interface Vlan1
description Inside
ip address 10.81.7.241 255.255.255.248
ip inspect CBAC in
ip route-cache flow
ip tcp adjust-mss 542
hold-queue 40 out
!
interface Async1
description EarthLink Dialup Service V34/LAPM/V42B/24000:TX/26400:RX
bandwidth 24
ip address negotiated
ip access-group INPUT_ACL in
service-policy input ASYNC_IN
encapsulation ppp
ip route-cache flow
load-interval 30
dialer in-band
dialer string 6550070
dialer-group 21
async mode dedicated
ppp authentication pap callin
ppp pap sent-username [removed]@mindspring.com password 7 [removed]
4-8
OL-7102-01
Chapter 4
4-9
Chapter 4
access-list 88 deny
any log
access-list 121 remark Define Interesting Traffic
access-list 121 permit ip any any
dialer-list 21 protocol ip list 121
snmp-server community [removed] RW 88
snmp-server trap-source Vlan1
snmp-server location Home Office
snmp-server contact cisco789@cisco.com
snmp-server enable traps tty
!
!
control-plane
!
rtr responder
rtr 12
type echo protocol ipIcmpEcho 172.26.129.252 source-ipaddr 10.81.7.241
request-data-size 164
tos 192
frequency 90
lives-of-history-kept 1
buckets-of-history-kept 60
filter-for-history all
rtr schedule 12 start-time now life forever
rtr 1021
type echo protocol ipIcmpEcho 10.81.0.26 source-ipaddr 10.81.7.241
tos 192
timeout 1000
owner TRACK 21
frequency 15
lives-of-history-kept 1
buckets-of-history-kept 20
filter-for-history failures
rtr schedule 1021 start-time now life forever
banner motd ^C
C i s c o S y s t e m s
||
||
||
||
Cisco Systems, Inc.
||||
||||
IT-Transport
.:|||||||:.......:|||||||:..
US, Asia & Americas support:
+ 1 408 526 8888
EMEA support:
+ 31 020 342 3888
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
You must have explicit permission to access or configure this
device. All activities performed on this device are logged and
violations of this policy may result in disciplinary action.
^C
!
line con 0
exec-timeout 60 0
login local
stopbits 1
line 1
script dialer MODEM
modem InOut
modem autoconfigure discovery
transport input all
transport output pad udptn telnet rlogin ssh
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
stopbits 1
line vty 0 4
login local
4-10
OL-7102-01
Chapter 4
Debugging
The Async line must reference a chat script. Chat scripts are text sent to the modem to provide
initialization, configuration, and dialing commands. The chat-script MODEM is called by the script
dialer MODEM command configured under line 1.
chat-script MODEM "" "atdt\T" TIMEOUT 60 CONNECT \c
interface Async1
line 1
script dialer MODEM
modem InOut
modem autoconfigure discovery
transport input all
transport output pad udptn telnet rlogin ssh
stopbits 1
speed 115200
flowcontrol hardware
Note that the phone number to dial is 6550070, which is specified under the Async 1 interface
configuration. When debug chat is enabled, you can see this string substituted for the \T command in
the chat script. The following shows a successful dial attempt with debugging enabled:
Jan 8 16:52:35.289
Jan 8 16:52:35.289
t: none
Jan 8 16:52:35.289
Jan 8 16:52:35.293
Jan 8 16:52:35.293
Jan 8 16:52:35.293
Jan 8 16:52:35.293
Jan 8 16:52:55.597
Jan 8 16:52:55.601
Jan 8 16:52:55.601
CHAT1:
CHAT1:
CHAT1:
CHAT1:
CHAT1:
CHAT1:
CHAT1:
CHAT1:
process started
Asserting DTR
Chat script MODEM started
Sending string: atdt\T<6550070>
Expecting string: CONNECT
Completed match for expect: CONNECT
Sending string: \c
Chat script MODEM finished, status = Success
It is also useful to use a reverse Telnet to the Async line to manually send the Hayes AT commands to
the modem to initiate dialing and login during implementation to verify connectivity to the dial-up
service of the ISP. The following example uses the internal WIC-1AM modem on the Cisco 1711:
vpn-jk2-1711-1#telnet 10.81.7.241 2001
Trying 10.81.7.241, 2001 ... Open
4-11
Chapter 4
C i s c o S y s t e m s
||
||
||
||
Cisco Systems, Inc.
||||
||||
IT-Transport
.:|||||||:.......:|||||||:..
US, Asia & Americas support:
+ 1 408 526 8888
EMEA support:
+ 31 020 342 3888
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
You must have explicit permission to access or configure this
device. All activities performed on this device are logged and
violations of this policy may result in disciplinary action.
ath OK
atdt6550070 CONNECT 115200/V34/LAPM/V42B/24000:TX/26400:RX
EarthLink Dialup Service
After you receive the login prompt, you can interactively enter the username and password or interrupt
the modem with the +++ command and issue the ATH command to hang up the call. A control + shift
+ 6 x command reverts back to exec mode where the line can be cleared.
acn01.nc-greensbo1 login: +++
OK
ath OK
CTL SHIFT 6 x
vpn-jk2-1711-1#clear line 1
[confirm]y [OK]
vpn-jk2-1711-1#
Resuming connection 1 to 10.81.7.241 ... ]
[Connection to 10.81.7.241 closed by foreign host]Deleting login session
Note
For more information on chat scripts, see Creating and Using Modem Chat Scripts at the following URL:
http://www.cisco.com/en/US/docs/ios/dial/configuration/guide/dia_modem_chat_scpts_ps6350_TSD_
Products_Configuration_Guide_Chapter.html.
IPSec head-endsc3725-ik9o3s-mz.122-15.T9
Cisco 1711c1700-k9o3sy7-mz.123-2.XE
SAA targetc2600-adventerprisek9-mz.123-4.T
The IPSec head-end routers were Cisco 3725s with an AIM hardware VPN module. This testing was not
intended to scale test head-end performance capabilities. In a customer deployment, IPSec head-ends
with suitable performance characteristics aligned with the number of remote routers is advised.
The testing was completed using the DSL connection and dial-up account of the author. There is a Cisco
1760 V3PN bundle (product number: CISCO1760-V3PN/K9) that can be used instead of the Cisco 1711.
Reliable Static Routing Backup Using Object Tracking was first introduced in Cisco IOS Software
version 12.3(2)XE.
4-12
OL-7102-01
Chapter 4
Note
During testing, voice quality issues led to filing DDTs: CSCed61266 QoS Service Policy not matching
pkts on PPPoE interface.
Summary
The Object Tracking feature of Cisco IOS provides a means to deploy both DSL and Async modems to
the same remote location for increased availability. Because this feature uses SAA, a network manager
can use its protocols and applications in addition to ICMP for verifying connectivity. One advantage to
this configuration is its scalability; a primary and backup IPSec head-end can be configured
independently to the SAA head-end router, and additional SAA head-ends can be added as required. If
ICMP is used as the SAA probe protocol, any IP host can be used at the head-end.
The use of a dial-up account associated with the ISP DSL account of the site is a very cost effective
means of providing higher availability for low bandwidth transactions such as ATM machines and
point-of-sale terminals while using a central call processing model for an IP phone over the primary
broadband connection.
4-13
Chapter 4
Summary
4-14
OL-7102-01
C H A P T E R
Topology
Failover/Recovery Time
Caveats
Performance Results
Summary
Topology
The topology in Figure 5-1 shows the use of a Cisco 1712 router that includes a Basic Rate ISDN
interface; however, the design can be adapted to use a Cisco 1711 and to dial either the access server of
an Internet Service Provider or an access server provisioned by the enterprise.
5-1
Chapter 5
Failover/Recovery Time
Figure 5-1
Telco/Broadband
Service Provider
IPSec
remote
vpn-jk2-1712-1
Primary IPSec
and
SAA target
100
IP
DSL
ATM
ATM
vpn-jk2-2691-1
Internet
vpn-jk2-3725-1
Bridge required
WAN
Backup
IPSec
vpn-jk2-3640-1
128
Dial Backup
vpn-jk2-3080
ISDN
ISDN
vpnjk-2600-20
vpnjk-2600-5
300
IP
132010
Enterprise
Intranet Backbone
The design shows the use of one Cisco IOS head-end IPSec peer that is also the SAA target device for
the Reliable Static Routing Backup Using Object Tracking feature in Cisco IOS Software.
The enterprise intranet backbone router is configured to route packets to the remote subnets using the
IPSec primary router if the Reverse Route Injection (RRI) network advertisements appear in its routing
table; otherwise, the packets are routed to the Cisco VPN 3000 Concentrator.
The VPN 3000 Concentrator is configured with a default route to the ISDN WAN router; however, for
higher availability, a customer deployment might use a Hot Standby Router Protocol (HSRP) address
shared between a pair of WAN routers, or enable OSPF or RIP on the outside interface and participate
in a dynamic routing protocol with the various WAN routers.
Failover/Recovery Time
Failover and recovery times are similar to the results described in two earlier chapters: Small
BranchDSL with ISDN Backup and Small BranchCable with DSL Backup.
There is a difference in configuration between the ISDN backup in the previous section and this
configuration. As previously described, the Basic Rate ISDN interface is a backup interface for a tunnel
interface, and the interface up/down state is keyed off the tunnel interface state. In this configuration, a
dialer idle-timeout is configured as well as dialer-list that excludes IKE packets as interesting traffic.
access-list
access-list
access-list
access-list
dialer-list
100 remark
100 deny
100 deny
100 permit
2 protocol
5-2
OL-7102-01
Chapter 5
Note
For more information regarding dialer interfaces, see the Cisco IOS Dial Technologies
Configuration Guide at the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_book09186a
0080393bf3.html.
Caveats
This section describes the caveats associated with this design, and includes the following topics:
5-3
Chapter 5
Caveats
This is an example of the state stuck in SS_OPEN. Manually clearing the EZVPN client will
circumvent the problem.
vpn-jk2-1712-1#
Jan 21 16:14:25.043 est: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer
192.168.131.4:500
Id: vpn-jk-2691-1.ese.ciscom
Jan 21 16:14:31.424 est: Track: 123 Down change delayed for 60 secs
Jan 21 16:15:31.424 est: Track: 123 Down change delay expired
Jan 21 16:15:31.424 est: Track: 123 Change #52 rtr 233, reachability Up->Down
Jan 21 16:15:32.936 est: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
Jan 21 16:15:33.072 est: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
Jan 21 16:15:33.152 est: %CRYPTO-4-IKMP_NO_SA: IKE message from 192.168.131.30 has no SA
and is not an initialization offer
Jan 21 16:15:33.992 est: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed
state to up
Jan 21 16:15:34.088 est: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1,
changed state to up
Jan 21 16:15:36.244 est: %LINK-3-UPDOWN: Interface BRI0:2, changed state to up
Jan 21 16:15:36.248 est: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 9191234567
vpnjk-2600-20
Jan 21 16:15:37.300 est: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:2, changed
state to up
vpn-jk2-1712-1#
Jan 21 16:15:42.248 est: %ISDN-6-CONNECT: Interface BRI0:2 is now connected to 9191234567
vpnjk-2600-20A pre-shared key for address!
vpn-jk2-1712-1#
Jan 21 16:15:45.044 est: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN.
192.168.131.30:500
Id: 192.168.131.30
vpn-jk2-1712-1#
vpn-jk2-1712-1#show cry ipsec client ezvpn
Easy VPN Remote Phase: 2
Peer
5-4
OL-7102-01
Chapter 5
Interface
Dialer1
BRI0
Dialer1
BRI0
BRI0
IP-Address
192.168.17.3
10.0.128.1
192.168.17.3
10.0.128.1
10.0.128.1
State
alloc
set
alloc
set
set
Algorithm
NONE
HMAC_MD5+3DES_56_C
NONE
HMAC_MD5+3DES_56_C
HMAC_MD5+3DES_56_C
Encrypt
0
0
0
0
16
Decrypt
0
0
0
9
0
Performance Results
Performance results for the Cisco IOS and VPN concentrator head-ends are shown in Table 5-1.
5-5
Chapter 5
Table 5-1
IPSEC/DPD/RRI Performance
Spokes
BiDirectional
Traffic
(Mbps)
BiDirectional
Traffic
(Kpps)
CPU
Utilization %
Stopping
Point
120
22.5
14.5
80
CPU
500
167
84
89
CPU
138
38.8/39.4
19.6/19.6
80/52
CPU
1040
71.7
31.7
88
CPU
1040
106.7
48.1
81
CPU
1040
108.7
48.7
77
CPU
1040
1029.3
488.7
N/A
VPNSM
These test results are from an IPSec/DPD/RRI test bed configuration using a voice and data traffic mix
from the Cisco branch traffic profile.
In a deployment where the VPN 3080 is acting as a backup head end to provide connectivity for
point-of-sale terminals or cash machines over an Async interface with no voice traffic, these are very
conservative performance numbers.
If the 3080 also supports VPN access by remote users with a VPN software client in addition to
functioning as a backup IPSec head end for remote locations, the performance characteristics vary.
Note
The Cisco PIX OS earlier than Version 7 does not switch a packet in and out the same interface in the
tested release of the code.
5-6
OL-7102-01
Chapter 5
name VPN3080
5-7
Chapter 5
Note: There is a /25 route for each remote subnet active over the primary path. The /18
prefix will always be in the routing table.
vpnjk-2600-5#show ip route
S
10.0.64.0/18 [1/0] via 10.2.128.30
D EX
10.0.68.0/25
[170/10258432] via 10.2.120.4, 00:09:36, FastEthernet0/1.120
5-8
OL-7102-01
Chapter 5
5-9
Chapter 5
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname vpn-jk2-3725-1
!
boot-start-marker
boot system flash c3725-ik9o3s-mz.123-3
boot-end-marker
!
memory-size iomem 15
clock timezone est -5
clock summer-time edt recurring
no aaa new-model
ip subnet-zero
!
!
ip cef
!
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
!
!
interface Loopback0
ip address 192.168.130.1 255.255.255.255
!
!
interface FastEthernet0/1
description dot1q
no ip address
!
interface FastEthernet0/1.100
description vlan 100
encapsulation dot1Q 100
ip address 192.168.131.1 255.255.255.224
no ip proxy-arp
!
interface FastEthernet0/1.102
description vlan 102
encapsulation dot1Q 102
ip address 192.168.131.33 255.255.255.224
no ip proxy-arp
!
!
interface ATM2/0
description WAN Link to the Internet (AS 65001)
no ip address
no atm ilmi-keepalive
!
interface ATM2/0.235 point-to-point
ip address 192.168.129.6 255.255.255.252
pvc peer235 2/35
vbr-nrt 1000 1000
encapsulation aal5snap
!
!
router eigrp 100
redistribute static metric 100 1000 255 1 1500 route-map QuadZero
redistribute bgp 65030 metric 100 1000 255 1 1500
network 192.168.130.0 0.0.1.255
no auto-summary
5-10
OL-7102-01
Chapter 5
!
router bgp 65030
no synchronization
bgp log-neighbor-changes
network 192.168.130.0 mask 255.255.254.0
network 192.168.230.0 mask 255.255.254.0
neighbor 192.168.129.5 remote-as 65001
neighbor 192.168.130.2 remote-as 65030
neighbor 192.168.130.2 update-source Loopback0
no auto-summary
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Null0 240
#
ip route 192.168.130.0 255.255.254.0 Null0
#
ip route 192.168.230.0 255.255.254.0 Null0
#
!
!
access-list 10 permit 0.0.0.0
!
route-map QuadZero permit 10
#
match ip address 10
!
ntp source Loopback0
ntp master
ntp server 172.26.176.10 source FastEthernet0/0
!
end
5-11
Chapter 5
5-12
OL-7102-01
Chapter 5
class VOICE
priority 48 2400
class CALL-SETUP
bandwidth percent 2
class INTERNETWORK-CONTROL
bandwidth percent 5
class class-default
fair-queue
random-detect
policy-map V3PN-teleworker
description Note LLQ for ATM/DSL G.729=64K, G.711=128K
class CALL-SETUP
bandwidth percent 2
class INTERNETWORK-CONTROL
bandwidth percent 5
class VOICE
priority 64
class class-default
fair-queue
random-detect
policy-map Shaper
class class-default
shape average 182400 1824
service-policy V3PN-teleworker
!
interface BRI0
bandwidth 128
ip address 10.0.128.1 255.255.255.252
max-reserved-bandwidth 100
service-policy output V3PN-WAN-EDGE-ISDN
encapsulation ppp
no ip mroute-cache
load-interval 30
tx-ring-limit 1
tx-queue-limit 1
dialer idle-timeout 60
dialer wait-for-carrier-time 10
dialer map ip 10.0.128.2 name vpnjk-2600-20 broadcast 9191234567
dialer map ip 10.0.128.2 name vpnjk-2600-20 broadcast 9194442222
dialer hold-queue 5
dialer-group 2
isdn switch-type basic-5ess
ppp authentication chap
ppp multilink
ppp multilink fragment delay 10
ppp multilink links minimum 2
crypto ipsec client ezvpn VPN3080
!
interface FastEthernet0
description Outside to DSL Modem
bandwidth 256
no ip address
service-policy output Shaper
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet1
no ip address
vlan-id dot1q 1
exit-vlan-config
!
!
!
interface Vlan1
5-13
Chapter 5
description Inside
ip address 10.0.68.1 255.255.255.128
ip route-cache flow
ip tcp adjust-mss 542
load-interval 30
crypto ipsec client ezvpn VPN3080 inside
!
!
interface Dialer1
description Outside
bandwidth 256
ip address negotiated
ip mtu 1492
encapsulation ppp
ip tcp adjust-mss 542
load-interval 30
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp chap refuse
ppp pap sent-username cisco789@cisco.com password 7 [removed]
ppp ipcp dns request
ppp ipcp wins request
crypto map IOS_2691
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1 239 name primary_path track 123
ip route 0.0.0.0 0.0.0.0 10.0.128.2 240 name BRI_peer_20
ip route 10.0.128.2 255.255.255.255 BRI0
!
ip route 192.168.131.4 255.255.255.255 Dialer1 name To2691_head-end
ip route 192.168.131.30 255.255.255.255 10.0.128.2 name To3080_head-end
no ip http server
no ip http secure-server
!
ip access-list extended CRYPTO_MAP_ACL
permit ip 10.0.68.0 0.0.0.127 any
!
access-list 100 remark DIALER LIST, IKE traffic should not be interesting
access-list 100 deny
icmp any any
access-list 100 deny
udp any eq isakmp any eq isakmp
access-list 100 permit ip any any
dialer-list 2 protocol ip list 100
!
rtr responder
!
RTR 12 simply generates traffic to simulate background noise
rtr 12
type echo protocol ipIcmpEcho 10.2.128.5 source-ipaddr 10.0.68.1
frequency 10
rtr schedule 12 start-time now life forever
!
RTR 233 is associated with the object tracking
rtr 233
type udpEcho dest-ipaddr 192.168.131.4 dest-port 57005 source-ipaddr 10.0.68.1 source-port
48879
tos 192
owner TRACK123
tag Object Tracking
frequency 20
lives-of-history-kept 1
buckets-of-history-kept 10
filter-for-history failures
rtr schedule 233 start-time now life forever
!
5-14
OL-7102-01
Chapter 5
!
alias exec
alias exec
alias exec
alias exec
alias exec
!
ntp server
!
end
xa
ca
cc
cz
sz
192.168.130.1
Interfaces
Figure 5-2 shows the VPN 3000 configuration interface.
Figure 5-2
Groups
This section describes the configuration of the groups.
5-15
Chapter 5
Identity
The group configuration of the remote router is defined on the window shown in Figure 5-3.
crypto ipsec client ezvpn VPN3080
connect auto
group SOHO key point_of_sale
mode network-extension
peer 192.168.131.30
username site100 password cisco123
Figure 5-3
IPSec
IKE keepalives are enabled for this group, and the confidence interval (dead interval) is configured at 10
seconds rather than the default of 5 minutes.
A tunnel type of remote access should be configured.
Figure 5-4 shows the IPSec configuration window.
5-16
OL-7102-01
Chapter 5
Figure 5-4
Client Configuration
The IPSec client is permitted to store the password locally. The remote router is disabling NAT-T, so
IPSec over UDP is not negotiated because both ends are not configured for NAT-T.
Figure 5-5 shows the VPN 3000 Client Configuration window.
5-17
Chapter 5
Figure 5-5
Hardware Configuration
Network Extension Mode is permitted, as shown in Figure 5-6.
5-18
OL-7102-01
Chapter 5
Figure 5-6
Users
This section describes the configuration of the users.
Identity
The username for this location is defined as site100. Each location has a unique username.
crypto ipsec client ezvpn VPN3080
connect auto
group SOHO key point_of_sale
mode network-extension
peer 192.168.131.30
username site100 password cisco123
5-19
Chapter 5
Figure 5-7
IPSec
The IPSec client is permitted to store the password locally.
Figure 5-8 shows the IPSec Parameters window.
5-20
OL-7102-01
Chapter 5
Figure 5-8
5-21
Chapter 5
Figure 5-9
System/Tunneling Protocols/IPSec/IKE
The IKE proposal is defined. Encryption strength is 3DES, hash is MD5, and Diffie-Hellman value is
Group 2. The default lifetimes are also configured.
Figure 5-10 shows the Tunneling Protocols window.
5-22
OL-7102-01
Chapter 5
Figure 5-10
IPSec head-endsc2691-ik9o3s-mz.122-13.T10
Cisco 1712c1700-k9o3sy7-mz.123-2.XE
IPSec concentratorvpn3000-4.0.4.A-k9
The IPSec head-end router was a Cisco 2691 with an AIM hardware VPN module. The Cisco VPN 3000
Concentrator was a Cisco 3080 running Version 4.0.4.A.
This testing was not intended to scale test head-end performance capabilities. In a customer deployment,
using IPSec head-ends with suitable performance characteristics aligned with the number of remote
routers is advised.
Summary
This design applies to a small-to-medium-sized business with an existing remote access solution using
a Cisco VPN 3000 Concentrator that wants to leverage this device to provide backup coverage. This
chapter described the head-end routing configuration to demonstrate how you can use a combination of
dynamic and static routing to route packets to the appropriate head-end device. The example in this
section described the use of Basic Rate ISDN for the dial-backup links, but Async dial-up to an ISP can
also be used.
5-23
Chapter 5
Summary
5-24
OL-7102-01
C H A P T E R
Topology
Failover/Recovery Time
Show Commands
Caveats
Summary
Customers frequently want to use both broadband connections when both are available while using the
surviving link should one fail. Historically, customers deployed GRE tunnels and ran a routing protocol
within the GRE tunnel to detect a link failure. However, deploying both load sharing and redundancy for
an IPSec-only configuration can be accomplished using multiple instances of the Reliable Static Routing
Backup Using Object Tracking feature along with the appropriate corresponding static routes.
This solution takes advantage of CEF/fast switching load sharing across two equal cost paths for the
head-end-to-branch path to the remote subnet. From the perspective of the branch router, the load sharing
is accomplished by defining specific routes to the corporate address space over the two broadband
connections.
The example in this chapter does not show a split tunnel configuration, but the static routes included in
the remote router configuration (ip route 128.0.0.0 128.0.0.0 ) are applicable regardless of whether
split tunneling is configured or whether the remote router gains Internet access through the enterprise
core. This route forwards packets for the upper half of the Internet address space out the DSL ISP
connection and the lower half of the Internet address space is reached via the cable ISP, because the
cable ISP is providing a default route using DHCP. In a split tunnel configuration, the packets destined
for the Internet have their source IP address changed to the outside global address by Network Address
Translation (NAT)/Port Network Address Translation (PNAT).
Note
The global address is the IP address assigned to a host on the outside network by the owner of the host.
The address is allocated from a globally routable address or network space.
6-1
Chapter 6
Topology
Because this address space is obtained or allocated by the respective ISP, the return path of the flow is
symmetrical.
The configuration can be easily adapted to use two DSL links terminated on a pair of DSL WAN
Interface Card (WIC) interfaces, or a deployment that uses a pair of DSL routers provided by the ISP for
broadband connectivity where the remote IPSec route of the enterprise customer obtains its default route
and outside IP address using DHCP.
Topology
This section describes two WAN topologies. The first shows the use of cable and DSL. The cable
connection learns an IP address using DHCP and the DSL connection obtains an address using PPPoE
from the respective service providers. The second topology example shows the remote IPSec router
learning an IP address using DHCP for both ISP links.
This section includes the following topics:
6-2
OL-7102-01
Chapter 6
Figure 6-1
DSL
Service Provider
IPSec
remote router
vpnjk-1751-1
IP
Bravo
IPSec
VLAN Head-end
100
vpn-jk2-2691-1
Internet
Service Provider
Bravo
192.168.16.0/20
-32
DSL
Modem
WAN
routers
Cable
Service Provider
Cable
Modem
192.168.32.0/20
192.168.131.4
Internet
Service Provider
VLAN 128
10.2.128.0/24
192.168.131.9
Alpha
Alpha
IPSec
Head-ends
vpnjk-2600-9
vpnjk-2600-5
132020
IP
VLAN 300
10.3.0.0/24
Enterprise
Intranet Backbone
Load sharing between the two IPSec tunnels terminated between the remote router (vpnjk-1751-1), the
Alpha IPSec head-end (vpnjk-2600-9), and the Bravo IPSec head-end (vpn-jk2-2691-1) is a function of
the routing protocol configuration running on VLAN 128. In this example, the Alpha and Bravo IPSec
head-end each redistribute the remote subnet learned by the dynamic crypto map into EIGRP with the
same metric. Because of this, the enterprise intranet backbone router(s) see the remote subnet as two
equal cost paths and inject both into the routing table. Because there are two paths in the routing table,
load sharing is a function of the switching path of the enterprise intranet backbone router(s): Cisco
Express Forwarding (CEF), fast, or process switching.
6-3
Chapter 6
Failover/Recovery Time
Figure 6-2
IPSec
remote router
vpnjk-1751-1
Broadband
router/
DSL Modem
DSL
Service Provider
Bravo
IPSec
VLAN Head-end
100
vpn-jk2-2691-1
Internet
Service Provider
Bravo
192.168.16.0/20
-32
IP
WAN
routers
Cable
Service Provider
192.168.32.0/20
Broadband
router/
Cable modem
192.168.131.4
Internet
Service Provider
VLAN 128
10.2.128.0/24
192.168.131.9
Alpha
Alpha
IPSec
Head-ends
vpnjk-2600-9
vpnjk-2600-5
IP
132021
VLAN 300
10.3.0.0/24
Enterprise
Intranet Backbone
In this topology, DSL links terminate the PPPoE session either on the broadband DSL router or on a
separate broadband router, such as a Linksys EtherFast Cable/DSL Router (BEFSR11). Similarly to
cable deployments, the DHCP address is either supplied by the cable head-end router or a Linksys
BEFSR11 or equivalent.
Failover/Recovery Time
This design implements two IPSec tunnels that are both up and active during normal operations. Both
IPSec tunnels are used to transmit and receive data based on the routing configuration of the floating and
tracked static routes on the remote router and the redistribution of the RRI-injected routes at the
head-end location.
As such, failover and recovery time is a function of the SAA probe frequency, the track delay
configuration, the IKE keepalive and DPD values, and the routing protocol updates at the head-end
location.
The failover and recovery times are similar to the other designs documented in previous chapters of this
guide.
6-4
OL-7102-01
Chapter 6
To offload packets for the upper half of the Internet address space out the DSL connection (the slower
of the two links in this example), this static route is configured on the remote router.
ip route 128.0.0.0 128.0.0.0 Dialer1 name via_ISP_Bravo track 11
Destinations not matched by either of these two routes follow the default route injected into the routing
table using DHCP. This route in the example is learned from the cable ISP.
The return path of the voice packets depends on the metrics of the redistributed static route injected by
the IPSec RRI configuration in the head-end crypto maps.
It is important that the QoS service policies are appropriately configured for different link speeds. Note
that the shaper values shown in the configuration reflect values appropriate for the uplink speed and
Layer 2 (cable/DOCSIS or DSL/ATM-PPPoE-AAL5) overhead.
6-5
Chapter 6
6-6
OL-7102-01
Chapter 6
6-7
Chapter 6
!
!
interface Ethernet0/0
description To DSL MODEM
bandwidth 256
no ip address
service-policy output Shaper-DSL
load-interval 30
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
!
interface Ethernet1/0
description To CABLE MODEM
bandwidth 384
ip dhcp client route track 123
ip address dhcp
service-policy output Shaper-cable
no ip route-cache#
See caveats section, Fast Switching must be disabled
ip tcp adjust-mss 542
load-interval 30
half-duplex
crypto map ISP_Alpha
!
interface Dialer1
description Outside
bandwidth 256
ip address negotiated
ip mtu 1492
encapsulation ppp
no ip route-cache#
See caveats section, Fast Switching must be disabled
ip tcp adjust-mss 542
load-interval 30
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp chap refuse
ppp pap sent-username cisco789@cisco.com password [removed]
ppp ipcp dns request
ppp ipcp wins request
crypto map ISP_Bravo
!
ip classless
!
!
This route sends traffic for the upper half of the IPV4
!
address space out the Dialer interface
!
ip route 128.0.0.0 128.0.0.0 Dialer1 name via_ISP_Bravo track 11
!
!
This route sends the 10.0.0.0 network (Enterprises internal
!
address space in this example out the Cable interface
!
ip route 10.0.0.0 255.0.0.0 0.0.0.0 name via_ISP_Alpha track 123
!
!
Gateway of last resort if default learned via DHCP is unavailable
!
ip route 0.0.0.0 0.0.0.0 Dialer1 240 name Last_resort
!
!
Host route forcing Bravo IPSec head-end out Dialer Interface
!
ip route 192.168.131.4 255.255.255.255 Dialer1 name via_ISP_Bravo
!
6-8
OL-7102-01
Chapter 6
!
Route 192.168.131.8 and 192.168.131.9 to the DHCP learned gateway address
!
ip route 192.168.131.8 255.255.255.254 dhcp
!
no ip http server
no ip http secure-server
!
!
!
ip access-list extended CRYPTO_MAP_ACL
permit ip 10.0.68.0 0.0.0.127 any
ip access-list extended IKE
permit udp any eq isakmp any eq isakmp
dialer-list 1 protocol ip permit
!
!
control-plane
!
!
There are two SAA probes configured, one uses ICMP (ping) the other UDP echo.
!
Both source off the inside IP address, and the destination is their respective
!
IPSec head-end routers. There is one probe for each path to the IPSec head-end
!
routers.
!
rtr responder
!
rtr 11
type echo protocol ipIcmpEcho 192.168.131.4 source-ipaddr 10.0.68.5
tos 192
timeout 500
tag For_ISP_Bravo_path
frequency 15
rtr schedule 11 start-time now life forever
!
rtr 23
type udpEcho dest-ipaddr 192.168.131.9 dest-port 57005 source-ipaddr 10.0.68.5
source-port 48879
tos 192
timeout 1000
owner TRACK123
tag For_ISP_Alpha_path
frequency 20
lives-of-history-kept 1
buckets-of-history-kept 10
filter-for-history failures
rtr schedule 23 start-time now life forever
!
line con 0
exec-timeout 60 0
line aux 0
line vty 0 4
password [removed]
login
!
ntp server 192.168.130.1
!
end
6-9
Chapter 6
dhcp
be the DHCP learned gateway
dhcp
6-10
OL-7102-01
Chapter 6
!
!
This head-end is using Certificates and a dynamic crypto map
!
crypto ca trustpoint ect-msca
enrollment mode ra
enrollment url http://ect-msca:80/certsrv/mscep/mscep.dll
auto-enroll 70
crypto ca certificate chain ect-msca
certificate ca 113346B52ACEE8B04ABD5A5C3FED139A nvram:ect-mscaCA.cer
certificate 610BE2E400000000001F nvram:ect-msca.cer
!
crypto isakmp policy 1
encr 3des
group 2
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map DYNO-TEMPLATE 10
description dynamic crypto map
set transform-set 3DES_SHA_TRANSPORT 3DES_SHA_TUNNEL
reverse-route
qos pre-classify
!
!
crypto map DYNO-MAP local-address FastEthernet0/1.100
crypto map DYNO-MAP 10 ipsec-isakmp dynamic DYNO-TEMPLATE
!
!
interface FastEthernet0/1
description dot1q
no ip address
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet0/1.100
description Outside interface
encapsulation dot1Q 100
ip address 192.168.131.9 255.255.255.224
crypto map DYNO-MAP
!
interface FastEthernet0/1.128
description Inside interface
encapsulation dot1Q 128
ip address 10.2.128.9 255.255.255.0
!
!
Compare the metric of this head-end with the Bravo IPSec head-end
!
they should be the same if you want the Enterprise Intranet Router to
!
see two equal cost paths for the remote subnets.
!
router eigrp 100
redistribute static metric 384 1000 255 1 1500 route-map IPSEC_Subnets
network 10.0.0.0
network 192.168.130.0 0.0.1.255
no auto-summary
eigrp log-neighbor-changes
!
ip classless
no ip http server
!
6-11
Chapter 6
!
access-list 68 permit 10.0.68.0 0.0.0.255
!
route-map IPSEC_Subnets permit 10
match ip address 68
!
!
This router must respond to SAA probes from the remote routers.
!
rtr responder
!
line con 0
exec-timeout 120 0
password [removed]
line aux 0
line vty 0 4
password [removed]
login
!
ntp server 192.168.130.1
!
end
6-12
OL-7102-01
Chapter 6
6-13
Chapter 6
6-14
OL-7102-01
Chapter 6
!
interface FastEthernet0/1
description dot1q
no ip address
ip route-cache flow
load-interval 30
duplex auto
speed auto
!
interface FastEthernet0/1.128
encapsulation dot1Q 128
ip address 10.2.128.5 255.255.255.0
!
interface FastEthernet0/1.300
encapsulation dot1Q 300
ip address 10.3.0.5 255.255.255.0
!
router eigrp 100
network 10.0.0.0
no auto-summary
no eigrp log-neighbor-warnings
!
no ip http server
no ip http secure-server
rtr responder
!
line con 0
exec-timeout 300 0
password [removed]
login
line aux 0
line vty 0 4
password [removed]
login
!
ntp server 192.168.130.1
!
end
Show Commands
This section describes the results of the show command, and includes the following sections:
6-15
Chapter 6
Show Commands
OK
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Interface
FastEthernet0/1.128
FastEthernet0/1.128
FastEthernet0/1.128
FastEthernet0/1.128
FastEthernet0/1.128
FastEthernet0/1.128
FastEthernet0/1.128
FastEthernet0/1.128
FastEthernet0/1.128
FastEthernet0/1.128
FastEthernet0/1.128
FastEthernet0/1.128
FastEthernet0/1.128
FastEthernet0/1.128
FastEthernet0/1.128
FastEthernet0/1.128
Address
10.2.128.4
10.2.128.9
10.2.128.4
10.2.128.9
10.2.128.4
10.2.128.9
10.2.128.4
10.2.128.9
10.2.128.4
10.2.128.9
10.2.128.4
10.2.128.9
10.2.128.4
10.2.128.9
10.2.128.4
10.2.128.9
Packets
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
6-16
OL-7102-01
Chapter 6
destination
191.255.0.1
191.255.0.1
10.2.128.5
10.2.128.5
191.255.0.1
vpnjk-2(TGN:ON,Fa0/1:5/5)#show rate
The rates are since the last rate change during traffic generation.
Summary of traffic stream rates on FastEthernet0/1
ts# template state repeat
1 TCP
on
1
2 UDP
on
1
3 UDP
on
1
4 TCP
on
1
5 UDP
on
1
Totals for FastEthernet0/1
interval/rate
10
10
50
10
10
pps
pps
pps
pps
pps
measured
interval/rate
9.999
9.999
49.999
9.999
9.999
89.999
packets_sent
1880073
2108424
5935746
1129352
291878
11345473
To verify the routing, show the routes for the target networks.
vpnjk-1751-1#show ip route 191.255.0.1
Routing entry for 128.0.0.0/1, supernet
Known via "static", distance 1, metric 0 (connected)
Routing Descriptor Blocks:
* directly connected, via Dialer1
Route metric is 0, traffic share count is 1
In total, the TGN is generating 90 pps; 30 pps for the DSL provider and 60 pps for the cable provider.
vpnjk-1751-1#show interfaces virtual-access 1 | inc rate
Queueing strategy: fifo
5 minute input rate 1000 bits/sec, 2 packets/sec
5 minute output rate 139000 bits/sec, 30 packets/sec
vpnjk-1751-1#show interfaces ethernet 1/0 | inc rate
Queueing strategy: fifo
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 62000 bits/sec, 60 packets/sec
6-17
Chapter 6
Show Commands
Following the failure, the DHCP-learned default route is removed from the routing table and the floating
static to 0.0.0.0 through the dialer interface is used instead.
vpnjk-1751-1#show ip route | beg Gate
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S
S
S
S
C
C
C
C
S*
S
Observe the interface counters; there are 90 pps being sent out the DSL Virtual-Access 1 interface but
only 83 pps or 181,000 bps out the PPPoE-enabled Ethernet 0/0 interface. The QoS service policy on
this interface is dropping packets because the shaped rate of this interface is 184,200.
vpnjk-1751-1#show int | inc output rate|is up
Ethernet0/0 is up, line protocol is up
30 second output rate 181000 bits/sec, 83 packets/sec
FastEthernet0/0 is up, line protocol is up
30 second output rate 1000 bits/sec, 2 packets/sec
Ethernet1/0 is up, line protocol is up
30 second output rate 0 bits/sec, 0 packets/sec
Virtual-Access1 is up, line protocol is up
5 minute output rate 205000 bits/sec, 90 packets/sec
Dialer1 is up, line protocol is up (spoofing)
30 second output rate 0 bits/sec, 0 packets/sec
Virtual-Access1 is up, line protocol is up
5 minute output rate 205000 bits/sec, 90 packets/sec
This example shows a proper re-routing over the surviving DSL interface with QoS managing the
available bandwidth.
6-18
OL-7102-01
Chapter 6
vpnjk-1751-1#
Mar 10 10:33:39.825
vpnjk-1751-1#
Mar 10 10:33:59.905
192.168.131.4:500
Mar 10 10:34:39.824
Mar 10 10:34:39.824
vpnjk-1751-1#
S
S
S
S
S
C
C
C
C
S*
6-19
Chapter 6
Show Commands
Latest operation return code: OK# SAA probe for ISP Bravo is successful
Entry number: 23
Latest operation return code: OK# SAA probe for ISP Alpha is successful
Because both probes are successful, both default routes are in the routing table.
vpnjk-1751-1#show ip route | begin Gate
Gateway of last resort is 192.168.33.1 to network 0.0.0.0
S
S
C
C
C
S*
S
S
C
C
C
S*
6-20
OL-7102-01
Chapter 6
Observing the above, only the surviving default route remains in the routing table and no packets are
sent out the Alpha (Ethernet 1/0) interface. Note that only 84 pps are sent out the Beta (Ethernet0/0)
interface because of lack of bandwidth for the available load.
vpnjk-1751-1#show interface | inc up|rate
Ethernet0/0 is up, line protocol is up
Half-duplex, 10BaseT
Queueing strategy: fifo
30 second input rate 1000 bits/sec, 2 packets/sec
30 second output rate 179000 bits/sec, 84 packets/sec
FastEthernet0/0 is up, line protocol is up
Full-duplex, 100Mb/s, 100BaseTX/FX
Queueing strategy: fifo
30 second input rate 161000 bits/sec, 90 packets/sec
30 second output rate 1000 bits/sec, 2 packets/sec
Ethernet1/0 is up, line protocol is up
Half-duplex, 10BaseT
Queueing strategy: fifo
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
Connectivity is maintained; however, the QoS policy manages the available bandwidth so that voice and
other critical applications are guaranteed their minimum bandwidth.
S
S
C
C
C
S*
In the following display, it is apparent that no packets are sent out the E0/0 or Bravo ISP interface, while
all 90 pps are forwarded out the Alpha ISP interface.
vpnjk-1751-1#show interface | inc up|rate
Ethernet0/0 is up, line protocol is up
Half-duplex, 10BaseT
Queueing strategy: fifo
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
FastEthernet0/0 is up, line protocol is up
Full-duplex, 100Mb/s, 100BaseTX/FX
Queueing strategy: fifo
30 second input rate 161000 bits/sec, 90 packets/sec
6-21
Chapter 6
These examples demonstrate that load sharing can be accomplished when both links are available, and
that connectivity to the site can be maintained if one link fails.
Caveats
This section describes the issues that were encountered during testing, and includes the following topics:
CEF Issue
Both CEF and fast switching must be disabled (must process switch) on the remote router for load
sharing to function properly when running Cisco IOS Release 12.3(2)XE. In the PPPoE/DHCP
configuration using Cisco IOS Release 12.3(2)XF, process switching must also be enabled. Table 6-1
shows the proper switching path for the solution to function in the two configurations on the two Cisco
IOS releases tested.
Table 6-1
Configuration
12.3(2)XE
12.3(2)XF
DHCP/DHCP
PPPoE/DHCP
Static recursive route pointing at default route is not CEF switched (CSCed29811)
IPSec packets are fast switched on wrong interface with recursive route (CSCed95604)
CEF Issue
During testing, it was discovered that CEF must be disabled on the remote router for packets to follow
any static routes with the default (0.0.0.0) network as the next hop. This type of route requires a recursive
lookup, which means that resolving the appropriate output interface for the route to 10.2.128.5 requires
also resolving the next hop for the 0.0.0.0/0 network.
6-22
OL-7102-01
Chapter 6
In this example, a constant 10 pps is sent to destination IP address of 10.2.128.5. In looking at the routing
table, that destination should match the route 10.0.0.0/8, which is a recursive route to the default network
learned using DHCP on the Ethernet 1/0 interface.
vpnjk-1751-1#show ip route | beg Gateway
Gateway of last resort is 192.168.33.1 to network 0.0.0.0
S
S
S
C
C
C
C
S*
S
When CEF is enabled, and you wait at least 30 seconds for the load interval value to show an accurate
value, you see that CEF drops the packets and does not switch them to 10.2.128.5.
vpnjk-1751-1(config)#ip cef
vpnjk-1751-1(config)#end
vpnjk-1751-1#show int e 1/0 | inc address|rate
Hardware is PQUICC Ethernet, address is 0004.dd0b.c783 (bia 0004.dd0b.c783)
Internet address is 192.168.33.12/24
Queueing strategy: fifo
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
This issue is believed related to CSCed29811static recursive route pointing at default route not cef
switched. For this reason, CEF switching can not be used.
6-23
Chapter 6
Caveats
disabled
disabled
disabled
disabled
enabled
disab
This is true even though the default route learned using DHCP is in the routing table.
vpnjk-1751-1# show ip route | beg Gate
Gateway of last resort is 192.168.33.1 to network 0.0.0.0
6-24
OL-7102-01
Chapter 6
S
S
C
C
C
C
S*
S
As shown by the fast cache, the destination prefix of 10.2.128.0/25 has a next hop of 192.168.33.1.
vpnjk-1751-1# show ip cache
IP routing cache 5 entries, 1020 bytes
139 adds, 134 invalidates, 0 refcounts
Minimum invalidation interval 2 seconds, maximum interval 5 seconds,
quiet interval 3 seconds, threshold 0 requests
Invalidation rate 0 in last second, 0 in last 3 seconds
Last full cache invalidation occurred 01:21:28 ago
Prefix/Length
10.2.128.0/25
191.255.0.1/32
192.168.130.0/24
192.168.131.4/32
192.168.131.9/32
Note
Age
00:40:26
00:50:48
00:16:18
00:37:26
00:01:39
Interface
Ethernet1/0
Dialer1
Ethernet1/0
Dialer1
Ethernet1/0
Next Hop
192.168.33.1
191.255.0.1
192.168.33.1
192.168.131.4
192.168.33.1
Note from the previous interface display that no packets are output on Ethernet 1/0.This issue was filed
as CSCed95604IPSec packets fast switched on wrong interface with recursive route. This issue was
filed as CSCed95604.
Summary
A natural desire of network managers is to load share on both WAN links if both are operational, and to
be able to maintain connectivity on the remaining link should one fail. This design provides that
capability without the use of a routing protocol and GRE tunnels. It is particularly suited to the small
branch location in retail or customer service industries, with or without QoS enabled to support voice.
6-25
Chapter 6
Summary
6-26
OL-7102-01
C H A P T E R
Solution Characteristics
Topology
Failover/Recovery Time
Performance Results
Verification
Configuration
Caveats
Summary
Solution Characteristics
This section describes the characteristics of the small branch wireless broadband deployment solution,
and includes the following topics:
Advantages
Disadvantages
Advantages
DSL deployments require the phone line to be less than 2.5 miles from the central office of the carrier.
To use cable, the residence must be serviced by a cable provider. Both these cases require physical wires,
either twisted pair or coaxial cable. A primary advantage of wireless broadband is mobility; the ability
to connect to the Internet without using a physical circuit.
7-1
Chapter 7
Topology
Broadband wireless is ideal for a SOHO deployment when cable or DSL are not available, or when the
lead time to install is inconvenient, as in the banking and hospitality sectors. Banks are commonly
co-located in supermarkets or high traffic areas, so the network manager of the bank must provide
connectivity for a cash machine or branch office with short lead times. Hotels need basic connectivity at
new locations to handle reservations and credit card transactions. Delays in circuit installation can mean
lost business.
Wireless broadband is also advantageous to an enterprise customer as a backup or alternative means of
connectivity. As an example, this chapter describes a configuration using a Cisco 1711 router with three
WAN interfaces: DSL, wireless broadband, and Async dial-up. If the DSL circuit fails, the wireless
broadband is the preferred path. If both DSL and wireless broadband fail, the router creates an encrypted
tunnel using dial backup.
Disadvantages
One disadvantage of wireless broadband is the lack of coverage guarantee at all times and all locations
within the service area. For example, one location tested by Cisco and described in this chapter was
between two antenna towers, with each tower less that two miles from the residence. Signal strength to
one of the tower locations was limited by terrain and buildings, and was impaired by foliage for the other.
Note
The wireless broadband service provider offers the following caveat: Wireless broadband coverage is
impacted by, among other things, terrain, weather, antenna location, system modification, foliage, and
man-made structures (such as buildings), and can therefore not be predicted precisely at all times.
The wireless modem management software has a signal quality and strength scale of 04. Signal quality
is a more important indicator than signal strength. Using either the built-in antenna or an external reverse
polarity Yagi antenna (purchased separately), testing revealed that quality and strength are in the range
of 12 on a scale of 04.
The wireless broadband service tested offered impressive average latency, meeting or exceeding cable
or DSL performance. The packet loss rate and jitter are generally much higher. For most data
applications, this is not noticeable. In testing, a Linksys web server (camera) is accessed using the
wireless broadband service and the images are of acceptable quality.
Packet loss and jitter can impact the quality of VoIP, and the test results indicated that the voice quality
ranged from very good to very poor. Test results are provided later in this chapter.
Topology
This section describes the following two topologies:
Multi-WAN Interface
The single WAN interface topology uses the wireless broadband as the only WAN interface. The
multi-WAN interface uses the wireless broadband network as an alternate path to the primary DSL
network. The single WAN configuration is used for VoIP performance testing. The standard Chariot
teleworker traffic profile is used. Chariot endpoints are located at the employee residence and Cisco lab.
The test results use the Internet and are representative of a typical deployment and configuration.
For the multi-WAN configuration, a Linksys web camera was the client/host used to answer pings and
to generate network traffic for testing and demonstration.
7-2
OL-7102-01
Chapter 7
Note
The Linksys web camera was not deployed or in use during the VoIP testing.
DMZ network
spouse and child
IP
Internet
Service Provider
Unencrypted
Internet
Service Provider
IPSec tunnel
(encrypted)
Wireless Broadband
Enterprise
campus network
RTP5-ESEVPN-GW4
HSRP active
PKI
PKI
Corporate
network
RTP5-ESEVPN-GW5
HSRP standby
132022
EZVPN
RTP5-ESEVPN-GW3
HSRP listen
The single WAN topology is used for the VoIP performance testing. Only one IPSec peer is defined in
the remote router, and failover and recovery was not a test objective.
Two inside VLANs were defined to implement a physical split tunnel configuration. During the
performance testing, no spouse and child traffic was included in the profile.
Multi-WAN Interface
The multi-WAN interface is shown in Figure 7-2:
7-3
Chapter 7
Failover/Recovery Time
Figure 7-2
Wireless BroadbandMulti-WAN
VLAN 200
DSL
Internet
Service Provider
VLAN 1
Enterprise
campus network
RTP5-ESEVPN-GW4
HSRP active
PKI
Internet
Service Provider
Wireless Broadband
PKI
Async dial-up
Tertiary IPSec tunnel
RTP5-ESEVPN-GW5
HSRP standby
RTP5-ESEVPN-GW3
HSRP listen
132023
EZVPN
The multi-WAN topology takes advantage of key features of the Cisco 1711 router. The Async interface
is configured as dial backup to a head-end Cisco 7200 EZVPN server. The Fast Ethernet 0 interface is
configured to obtain an IP address from the wireless broadband modem using DHCP. The crypto map on
this interface uses RSA keys and a Public-Key Infrastructure (PKI) and Certificate Authority (CA) for
authentication. The primary outside interface is defined as a VLAN (200) to the switch module of the
Cisco 1711. This interface connects to a DSL router and uses a static IP address. DHCP cannot be used
to obtain addresses for a VLAN interface. Authentication also uses RSA keys and a PKI/CA.
A Linksys web camera is attached to the inside or VLAN 1 interface and is used to verify connectivity
and to generate sample network traffic. Both the DSL and wireless broadband links have active IPSec
tunnels and can pass traffic. The Service Assurance Agent (SAA) probes are generating ICMP packets
periodically through their respective tunnels. The Async interface dials the access server of the ISPs only
in the event that both the DSL and wireless broadband links are down.
Failover/Recovery Time
The Cisco IOS Reliable Static Routing Backup Using Object Tracking feature was used to monitor and
control the backup interface function. How quickly a secondary or tertiary interface is brought online is
a function of the configured down value of the track command. In testing, the following parameters
were used:
track 200 rtr 200
delay down 60 up 5
Recovery from a path failure takes at least 60 seconds with these values. They are, however,
configurable.
Note
Enabling debug track can provide a visual indication of the quality of the wireless broadband link.
Assuming the delay down is configured at 60 and the frequency of the SAA object is 15 seconds, four
consecutive SAA packets must be lost for the tracked route to be removed from the routing table. As
7-4
OL-7102-01
Chapter 7
probes are lost, the debug track provides a log message indicating this. If subsequent probes are lost or
are successful, this is also logged by debug track. During periods of high packet loss, the number of
logged messages increases accordingly.
Performance Results
The wireless broadband service tested is the wireless broadband service in the Research Triangle Park,
North Carolina, USA area.
The test locations are Cisco employee residences in the Raleigh-Durham, North Carolina area using the
same IPSec equipment and infrastructure supporting teleworkers over cable and DSL.
These tests results are from a Cisco 1711 router deployed at the employee residence. Cable service
provider -CableBusiness Class Service 3 Mbps/768 kbps is used as a reference. The uplink (or
branch-to-head-end leg) is shaped to 600 kbps.
Also installed is the wireless broadband (Platinum Class) shaped 256 kbps up and unlimited down. The
antenna tower is less than two miles from the residence. Two tests were run; a best case and a worst case.
The best case uses the external Yagi antenna.
The signal strength is 3 of 4 and the signal quality is 4 of 4, on the 04 scale, as displayed by the Mobility
Manager software, not the external LEDs.
The worst case used the supplied antenna (sometimes called a popsicle-stick antenna) shown on the
product literature photo of the modem in Wireless Broadband Modem, page 7-9. In testing, the signal
strength with this antenna is 0 to 1 and signal quality is 0 to 2. The modem is inside the residence.
There are two goal lines on the following performance results charts:
Note
Lab goalValue in lab testing that the performance characteristic should not exceed in a lab
environment with no appreciable impact because of WAN. Jitter target is less than 8 ms and the
latency target is less than 50 ms. Voice packet loss is to be less than 1/2 of one percent.
Internet goalHigher than the lab goal values because there is some ISP-associated loss, latency,
and jitter. These target values are jitter at less than 20 ms, latency at less than 100 ms, and voice
packet loss at less than 1 percent.
The ITU value is 150 ms or less. Latency even up to 250 ms can be acceptable. Latency was not an issue
in any of these tests.
These tests are conducted at a first adopter stage in the wireless broadband service. There is little or no
contention for bandwidth by other subscribers. Results can vary based on a variety of factors, including
environmental or terrain interference. The same holds true for the cable tests; results are influenced by
contention from other subscribers as well as varying degrees of Internet backbone and enterprise campus
traffic.
These test results are intended to represent what a typical user may encounter.
Note
7-5
Chapter 7
Performance Results
Figure 7-3
Average Jitter
Internet goal
20
Branch to
Head-end
Head-end
to Branch
19 ms
18 ms
Cisco
1711
12 ms
10
5 ms
132024
5 ms
Yagi wireless
5 ms
5 ms
Yagi wireless
Lab goal
milliseconds
15
The uplink, or branch-to-head-end jitter values are substantially higher than the baseline using cable.
However, the router on the cable connection was using hierarchical class-based weighted fair queuing
(CBWFQ) and shaped at 600 kbps on the uplink, and the wireless broadband link is shaped at 256 kbps.
Both the cable and wireless broadband link have no service provider guarantee for uplink speed. The
values advertised are for burst or maximum uplink speed. In this environment, both the cable and
wireless broadband links are tested with VoIP and also with a TCP-based throughput utility and a shaped
value is selected that can be conservatively expected to be available most of the time. The goal is not to
overrun a modem or head-end infrastructure and drop packets indiscriminately. Packets should be
intelligently queued within a shaped rate by the remote router.
To add to the objective data, actual VoIP calls are placed using the wireless broadband to subjectively
verify that the voice quality is good.
7-6
OL-7102-01
Chapter 7
Voice Loss
The voice loss is compared between cable and wireless broadband in Figure 7-4:
Figure 7-4
10%
Voice Loss
Head-end to Branch
Branch to Head-end
9%
Percent of bytes
Cisco
1711
<5 %
<5 %
Yagi wireless
132025
<5 %
Yagi wireless
Lab goal
<5 %
Internet goal
1%
1%
The percent of bytes lost for the G.729 voice stream is acceptable for cable and wireless broadband using
the Yagi antenna. Voice loss using the supplied antenna exceeds the target threshold. Nine percent loss
for voice is excessive. Nine percent loss is high even for data-only applications.
Note
Voice codecs can manage single packet loss with concealment algorithms. If consecutive packets are
lost, it is noticeable to the listener.
7-7
Chapter 7
Performance Results
Average Latency
The average latency is compared between cable and wireless broadband in Figure 7-5:
Figure 7-5
Latency
Internet goal
100
Head-end
to Branch
Branch to
Head-end
75
milliseconds
66 ms
Cisco
1711
Lab goal
50
46 ms
34 ms
5 ms 30 ms
33 ms 33 ms
Yagi wireless
Yagi wireless
132026
25
The average latency is very good in all configurations. These values are equivalent to what is typically
seen in broadband deployments.
7-8
OL-7102-01
Chapter 7
Mobility Manager
Note
The Ethernet interface is a 10/100 interface but was tested with Cisco 1711s and not tested with the Cisco
831. The Cisco 831 Ethernet 1 (outside) interface is a 10 Mbps interface and is not a 100 Mbps
FastEthernet interface.
HyperGain HG1910Y
High Performance 1850-1970 MHz 10 dBi Radome Enclosed Yagi Antenna
Part NumberHG1910Y-NF
Wireless LAN Radio PigtailsRP-MMCX Type to N-female 19 in. (LMR/WBC100 cable) part
number CA-PHCABLE2
An N-male to N-male connector is required between the standard Yagi N-female connector and the
N-female pigtail cable that attaches to the MT-1000. Cable length depends on the distance between the
Yagi antenna and the MT-1000.
7-9
Chapter 7
Web
camera
Web
camera
Yagi antenna
Wireless
broadband
modem
F4
VLAN 200
DSL router
(not shown)
Cisco 1711
Wireless
Broadband
Modem
F4
VLAN 200
Console
cable
F1
VLAN 1
Analog
phone line
F0
132028
Analog
phone line
The F4 (interface Fa4) switch port is configured as VLAN 200 and is connected to a Cisco 837 DSL
router (not shown). The F1 (interface Fa1) switch port is configured as VLAN 1 and is connected to the
Linksys Web Camera. The F0 (interface Fa0) port is connected to the wireless broadband modem. The
analog phone line is connected to the DSL splitter.
7-10
OL-7102-01
Chapter 7
With the map remaining facing North, the compass base can be aligned between the Yagi antenna
location and the second tower. The number of degrees indicated by the index mark is the azimuth the
antenna must face (80 degrees in this test). The azimuth between the residence and the first tower is 301
degrees and from the tower to the house is 121 degrees. These values must be 180 degrees different to
be correct.
Figure 7-8 shows the Yagi antenna pointed approximately 80 degrees to the second tower with the
compass and map.
Figure 7-8
Yagi antenna
on tripod
Antenna Locations
House
GPS declination
(auto magnetic)
132029
North (magnetic)
Ideally, the Yagi is attached outside the structure. It saves time by first testing on a tripod or temporary
support before permanently mounting.
Mobility Manager
The wireless broadband service includes Mobility Manager software. This software is installed on a PC,
and the PC Ethernet interface and the wireless broadband modem are connected with a straight-through
Ethernet CAT5 cable. Signal strength and quality are displayed on their own four-point scale to fine-tune
the Yagi antenna.
7-11
Chapter 7
Verification
You can also use the software to upload firmware updates to the modem and to determine its status. You
should also use this software to verify the connection before connecting to a router. Because the modem
contains its own DHCP server, there is no problem moving the cable between a PC and the router
interface configured as a DHCP client. Samples of best and worst case signal strength and quality are
shown in Figure 7-9:
Figure 7-9
Mobility Manager
Verification
For usability with visual and audible confirmation, live voice calls are placed over the wireless
broadband link and a Linksys web camera is viewed. The performance charts for the Chariot test scripts
are described in the performance section. Figure 7-10 shows a screen print of the image from the camera.
7-12
OL-7102-01
Chapter 7
Figure 7-10
In the multi-WAN configuration, the DSL and wireless broadband links are failed, forcing the Cisco
1711 into a dial-up mode. From a head-end campus, the IP address of the web camera is the target of a
ping during the failure scenarios to verify that IKE Keepalive/DPD/RRI is removing routes from the
routing table and also from EIGRP advertisements between the three IPSec head-end routers.
Note
The three IPSec head-end routers exchange routes using the 192.168.82.0 network.
Configuration
This section describes the configurations for the various components of the wireless broadband solution,
and includes the following topics:
7-13
Chapter 7
Configuration
!
hostname vpn-jk2-1711-1
!
boot-start-marker
boot system flash c1700-k9o3sy7-mz.123-2.XF
boot-end-marker
!
logging buffered 2048000 debugging
enable secret 5 $xxxxvvvvvvvvv
!
username ese_vpn_team privilege 15 secret 5 vvvvvvvvvvvv.
clock timezone est -5
clock summer-time edt recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
!
ip tftp source-interface Vlan1
no ip domain lookup
ip domain name cisco.com
ip host harry 172.26.129.252
ip host rtp5-esevpn-ios-ca 10.81.0.27
ip name-server 207.69.188.185
ip name-server xx.xxx.6.247
ip name-server 171.68.226.120
ip cef
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC ftp
ip audit notify log
ip audit po max-events 100
ip dhcp-client default-router distance 222
!
track 150 rtr 150
delay down 60 up 5
!
track 200 rtr 200
delay down 60 up 5
no ftp-server write-enable
chat-script MODEM "" "atdt\T" TIMEOUT 60 CONNECT \c
!
!
crypto ca trustpoint rtp5-esevpn-ios-ca
enrollment url http://rtp5-esevpn-ios-ca:80
revocation-check none
source interface Vlan1
auto-enroll 70
!
!
crypto ca certificate chain rtp5-esevpn-ios-ca
certificate 23
quit
certificate ca 01
quit
!
!
Refer to status of CSCef87216
crypto isakmp policy 10
encr 3des
7-14
OL-7102-01
Chapter 7
group 2
crypto isakmp keepalive 10
crypto isakmp nat keepalive 10
!
!
crypto ipsec transform-set TUNNEL_3DES_SHA esp-3des esp-sha-hmac
!
!
!
crypto ipsec client ezvpn RTP5-ESEVPN-GW3
connect auto
group EZVPN_Group key [must_match_Group_in_Head-end]
mode network-extension
peer xx.xxx.223.24
username vpn-jk2-1711-1 password [must_match_PW_in_Head-end]
!
!
crypto map RTP5-ESEVPN-GW4 10 ipsec-isakmp
description IPsec Peer for DSL Link
set peer xx.xxx.223.24
set transform-set TUNNEL_3DES_SHA
match address CRYPTO_MAP_ACL
qos pre-classify
!
crypto map RTP5-ESEVPN-GW5 10 ipsec-isakmp
description IPsec Peer for Broadband Wireless
set peer xx.xxx.223.25
set transform-set TUNNEL_3DES_SHA
match address CRYPTO_MAP_ACL
qos pre-classify
!
!
!
class-map match-all VOICE
match ip dscp ef
class-map match-any CALL-SETUP
match ip dscp af31
match ip dscp cs3
class-map match-any INTERNETWORK-CONTROL
match ip dscp cs6
match access-group name IKE
class-map match-all TRANSACTIONAL-DATA
match ip dscp af21
!
!
See policy-map BLOCK_VoIP there will be no VoIP on the backup links
!
policy-map BACKUP-INTERFACES
class INTERNETWORK-CONTROL
bandwidth percent 5
set dscp cs6
class TRANSACTIONAL-DATA
bandwidth percent 22
class class-default
fair-queue
random-detect
!
policy-map Shaper-WIRELESS
class class-default
shape average 102400# Interval not set to 10ms as no VoIP on this link.
fair-queue
random-detect
service-policy BACKUP-INTERFACES
!
policy-map BLOCK_VoIP
7-15
Chapter 7
Configuration
7-16
OL-7102-01
Chapter 7
interface Vlan1
description Inside
ip address 10.81.7.225 255.255.255.248
ip inspect CBAC in
ip route-cache flow
ip tcp adjust-mss 542
crypto ipsec client ezvpn RTP5-ESEVPN-GW3 inside
!
interface Vlan200
description Outside to DSL Router
ip address 192.168.2.211 255.255.255.0
ip access-group INPUT_ACL in
service-policy output Shaper-DSL
ip route-cache flow
crypto map RTP5-ESEVPN-GW4
!
interface Async1
description EarthLink Dialup Service V34/LAPM/V42B/24000:TX/26400:RX
bandwidth 24
ip address negotiated
ip access-group INPUT_ACL in
service-policy input BLOCK_VoIP
service-policy output BACKUP-INTERFACES
encapsulation ppp
ip route-cache flow
load-interval 30
dialer in-band
dialer string 6550070
dialer-group 21
async mode dedicated
ppp authentication pap callin
ppp pap sent-username xxxxxx@mindspring.com password 7 vvvvvvvvvvvvvvvv
crypto ipsec client ezvpn RTP5-ESEVPN-GW3
!
ip classless
!
! A default route will be available via DHCP with an administrative distance of 222,
! based on the ip dhcp-client default-router distance 222 command.
!
! The DSL routers IP address is 192.168.2.1
!
ip route 0.0.0.0 0.0.0.0 192.168.2.1 200 name Quad_Zero_via_DSL track 200
ip route 0.0.0.0 0.0.0.0 Async1 240 name DIAL_BACKUP
!
!
! The EZVPN IOS Head-end Server is xx.xxx.223.23
!
ip route xx.xxx.223.23 255.255.255.255 Async1 name DIAL_BACKUP_IPSEC_peer
ip route xx.xxx.223.23 255.255.255.255 Null0 223 name DUMP_when_int_down
!
! The IPSec peer for the DSL link
!
ip route xx.xxx.223.24 255.255.255.255 Vlan200 192.168.2.1 permanent name DSL_router
!
!
! The IPSec peer for the Wireless Broadband link
!
ip route xx.xxx.223.25 255.255.255.255 FastEthernet0 dhcp 222
ip route xx.xxx.223.25 255.255.255.255 Null0 223 name DUMP_when_int_down
!
!
ip route 172.30.30.128 255.255.255.255 FastEthernet0 dhcp# Host route to Wirless MODEM
!
# DHCP Server, See Caveats.
no ip http server
7-17
Chapter 7
Configuration
no ip http secure-server
ip flow-export version 5
!
!
!
ip access-list extended CRYPTO_MAP_ACL
permit ip 10.81.7.224 0.0.0.7 any
ip access-list extended IKE
permit udp any eq isakmp any eq isakmp
ip access-list extended INPUT_ACL
remark Allow IKE and ESP from the RTP headends
permit udp xx.xxx.16 0.0.0.15 any eq isakmp
permit udp xx.xxx.223.16 0.0.0.15 any eq non500-isakmp
permit esp xx.xxx.223.16 0.0.0.15 any
remark Cisco Corporate Subnets (not complete)
permit ip xxx.44.0.0 0.0.255.255 10.81.7.224 0.0.0.7
permit ip xxx.68.0.0 0.3.255.255 10.81.7.224 0.0.0.7
permit ip xxx.16.0.0 0.15.255.255 10.81.7.224 0.0.0.7
permit ip xxx.168.0.0 0.0.255.255 10.81.7.224 0.0.0.7
permit ip xxx.107.0.0 0.0.255.255 10.81.7.224 0.0.0.7
permit ip xx.100.0.0 0.3.255.255 10.81.7.224 0.0.0.7
permit ip xx.104.0.0 0.0.255.255 10.81.7.224 0.0.0.7
permit ip xx.0.0.0 0.255.255.255 10.81.7.224 0.0.0.7
permit udp any any eq bootpc
remark NTP ACLs
permit udp 192.5.41.40 0.0.0.1 eq ntp any
permit udp host 216.210.169.40 eq ntp any
remark SSH from RTP Ridge
permit tcp xx.xxx.87.0 0.0.0.255 any eq 22
permit icmp any any
deny
ip any any
access-list 121 remark Define Interesting Traffic
access-list 121 permit ip any any
dialer-list 21 protocol ip list 121
!
control-plane
!
rtr responder
rtr 12
type echo protocol ipIcmpEcho xxx.26.129.252 source-ipaddr 10.81.7.225
request-data-size 164
tos 192
frequency 90
lives-of-history-kept 1
buckets-of-history-kept 60
filter-for-history all
rtr schedule 12 life forever start-time now
rtr 150
type echo protocol ipIcmpEcho xx.102.223.25 source-ipaddr 10.81.7.225
tos 192
timeout 500
owner vpn-jk2-1711-1
tag TRACKING_PROBE_FOR_WIRELESS_BROADBAND
frequency 15
lives-of-history-kept 1
buckets-of-history-kept 20
filter-for-history failures
rtr schedule 150 life forever start-time now
!
rtr 200
type echo protocol ipIcmpEcho xx.xxx.223.24 source-ipaddr 10.81.7.225
tos 192
timeout 200
owner vpn-jk2-1711-1
7-18
OL-7102-01
Chapter 7
tag TRACKING_PROBE_FOR_DSL
frequency 15
lives-of-history-kept 1
buckets-of-history-kept 20
filter-for-history failures
rtr schedule 200 life forever start-time now
!
alias exec vlandata vlan database
!
line con 0
exec-timeout 60 0
login local
stopbits 1
line 1
script dialer MODEM
modem InOut
modem autoconfigure discovery
transport input all
transport output pad udptn telnet rlogin ssh
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
stopbits 1
line vty 0 4
login local
transport input ssh
!
exception memory minimum 786432
ntp clock-period 17179979
ntp server 192.5.41.41
ntp server 192.5.41.40
ntp server 216.210.169.40
ntp server 10.81.254.202 source Vlan1
end
7-19
Chapter 7
Configuration
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool Client
# Corporate Network Address space, not NAT
network 10.81.7.168 255.255.255.248
default-router 10.81.7.169
dns-server xx.xxx.6.247 171.68.226.120
domain-name cisco.com
option 150 ip xx.xxx.2.93
netbios-name-server 171.68.235.228 171.68.235.229
!
ip dhcp pool SpouseChild# Spouse and Child will be NAT/pNATed
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
!
ip telnet source-interface Vlan1
ip tftp source-interface Vlan1
no ip domain lookup
ip domain name cisco.com
ip host harry 172.26.129.252
ip host rtp5-esevpn-ios-ca 10.81.0.27
ip name-server 207.69.188.185
ip name-server xx.xxx.6.247
ip cef
ip inspect max-incomplete high 1400
ip inspect one-minute high 1400
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC ftp
ip ips po max-events 100
ip ssh source-interface Vlan1
!
!
crypto pki trustpoint rtp5-esevpn-ios-ca
enrollment url http://rtp5-esevpn-ios-ca:80
revocation-check none
source interface Vlan1
auto-enroll 70
!
!
crypto pki certificate chain rtp5-esevpn-ios-ca
certificate 16
certificate ca 01
!
!
class-map match-all VOICE
match ip dscp ef
class-map match-any CALL-SETUP
match ip dscp af31
match ip dscp cs3
class-map match-any INTERNETWORK-CONTROL
match ip dscp cs6
match access-group name IKE
!
policy-map V3PN-teleworker
7-20
OL-7102-01
Chapter 7
7-21
Chapter 7
Configuration
!
interface FastEthernet4
description TO-AP-VLAN1or2 based off of AP login
switchport mode trunk
no ip address
load-interval 30
vlan-range dot1q 1 2
description this port can be VLAN 1 or 2
exit-vlan-config
!
!
! Inside Interface ip tcp adjust-mss 542 was not defined
!
interface Vlan1
description Inside
ip address 10.81.7.169 255.255.255.248
ip inspect CBAC in
load-interval 30
!
!
!
! This address space will be NAT/pNATed and is unencrypted to the Internet
!
interface Vlan2
description SpouseChild lanside
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip inspect CBAC in
ip virtual-reassembly
load-interval 30
!
!
interface Async1
no ip address
shutdown
!
ip classless
!
! This address 172.30.30.128 is the DHCP server on the MODEM
!
ip route 172.30.30.128 255.255.255.255 FastEthernet0 65.76.244.213
!
ip nat inside source list pNAT_ACL interface FastEthernet0 overload
!
!
ip access-list extended CRYPTO_MAP_ACL
permit ip 10.81.7.168 0.0.0.7 any
ip access-list extended IKE
permit udp any eq isakmp any eq isakmp
ip access-list extended INPUT_ACL
remark Allow IKE and ESP from the RTP headends
permit udp xx.xxx.223.16 0.0.0.15 any eq isakmp
permit udp xx.xxx.223.16 0.0.0.15 eq isakmp any
permit esp xx.xxx.223.16 0.0.0.15 any
remark double ACL check not applicable in this IOS version
permit udp any any eq bootpc
remark NTP ACLs
permit udp 192.5.41.40 0.0.0.1 eq ntp any
permit udp host 216.210.169.40 eq ntp any
remark SSH from RTP Ridge
permit tcp xx.xxx.87.0 0.0.0.255 any eq 22
permit icmp any any
deny
ip any any
ip access-list extended INPUT_ACL_out
7-22
OL-7102-01
Chapter 7
7-23
Chapter 7
Configuration
certificate 21
certificate ca 01
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10
crypto isakmp client configuration address-pool local dynpool
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group EZVPN_Group
key [must_match_Group_in_remote]
dns xx.xxx.6.247 171.68.226.120
domain cisco.com
pool dynpool
save-password
!
!
crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac
!
crypto dynamic-map DYNOMAP 10
set transform-set 3DES_SHA_TUNNEL
reverse-route
!
!
crypto map EZmap local-address Loopback0
crypto map EZmap client authentication list RTP_ezvpn_user
crypto map EZmap isakmp authorization list RTP_ezvpn_group
crypto map EZmap client configuration address respond
crypto map EZmap 10 ipsec-isakmp dynamic DYNOMAP
!
!
!
controller ISA 2/1
!
!
!
interface Loopback0
description Public address
ip address xx.xxx.223.23 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface FastEthernet1/0
description Private
ip address 10.81.0.23 255.255.255.240
ip access-group DoS_Input_Queue_Wedge in
ip route-cache same-interface
ip route-cache flow
duplex full
speed 100
standby 1 ip 10.81.0.20
standby 1 priority 90# This router has the least favorable priority.
standby 1 preempt
standby 1 authentication eSeVpN
crypto map EZmap
!
interface FastEthernet1/1
7-24
OL-7102-01
Chapter 7
7-25
Chapter 7
Configuration
7-26
OL-7102-01
Chapter 7
no eigrp log-neighbor-warnings
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.81.0.17
ip route 10.81.7.0 255.255.255.0 Null0
access-list 1 permit 10.81.7.0 0.0.0.255
access-list 1 deny
any log
!
route-map RRI permit 10
description Redistribute remote subnets from RRI
match ip address 1
!
end
7-27
Chapter 7
interface Loopback0
description Public address
ip address xx.xxx.223.25 255.255.255.255
!
interface FastEthernet0/0
description Private
ip address 10.81.0.25 255.255.255.240
ip access-group DoS_Input_Queue_Wedge in
no ip redirects
service-policy input INGRESS_POLICY
ip route-cache same-interface
ip route-cache flow
load-interval 30
speed 100
full-duplex
standby 1 ip 10.81.0.20
standby 1 preempt # Default HSRP priority is 100
standby 1 authentication eSeVpN
crypto map RTP
!
interface FastEthernet0/1
description VLAN 101 RTP5-Alpha-GW1
ip address 192.168.82.25 255.255.255.0
speed 100
full-duplex
!
router eigrp 64
redistribute static metric 1000 100 255 1 1500 route-map RRI
network 192.168.82.0
no auto-summary
no eigrp log-neighbor-warnings
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.81.0.17
ip route 10.81.7.0 255.255.255.0 Null0
!
access-list 1 permit 10.81.7.0 0.0.0.255
access-list 1 deny
any log
!
route-map RRI permit 10
description Redistribute remote subnets from RRI
match ip address 1
!
end
DSL routerc837-k9o3sy6-mz.123-4.T3
rtp5-esevpn-gw3c7200-ik9o3s-mz.123-4.T3
rtp5-esevpn-gw4c3725-adventerprisek9-mz.123-7.11.T
rtp5-esevpn-gw5c3725-adventerprisek9-mz.123-7.11.T
7-28
OL-7102-01
Chapter 7
Caveats
Cisco no longer supports the use, or need for, LAN Access Mobility (LAM), and it was not used in these
configurations and tests with the wireless modem.
This section describes the issues encountered during testing, and includes the following sections:
EZVPN
DHCP Server
EZVPN
Initially, Cisco IOS version 12.3(8)T4 was installed on the Cisco 1711 router, but because of a software
issue, an IKE policy could not be present in the router configuration if EZVPN was also being used as
an authentication method.DDTS CSCef87216 was filed accordingly. Cisco IOS version 12.3(2)XF did
not exhibit this issue.
DHCP Server
The wireless broadband modem provides a local DHCP server to supply an IP address to the host or
router attached. Although the IP address provided for the default gateway and the DHCP client is an
Internet routable address, (in this example 65.76.244.214), the IP address of the DHCP server is not. The
address of the DHCP server is always 172.30.30.128, as shown in the following display.
vpn-jk2-1711-1#show dhcp lease
Temp IP addr: 65.76.244.214 for peer on Interface: FastEthernet0
Temp sub net mask: 255.0.0.0
DHCP Lease server: 172.30.30.128, state: 3 Bound
DHCP transaction id: 2324
Lease: 60 secs, Renewal: 30 secs, Rebind: 52 secs
Temp default-gateway addr: 65.76.244.213
Next timer fires after: 00:00:27
Retry count: 0
Client-ID: cisco-000d.bd64.8aa4-Fa0
Client-ID hex dump: 636973636F2D303030642E626436342E
386161342D466130
Hostname: vpn-jk2-1711-1
On a multi-WAN configuration, for the router to use the correct interface to reach the DHCP server
address, a static host route is required as shown:
ip route
The assigned address has a short lease time of 60 seconds, meaning that the router or PC must request a
renewal every 30 seconds, as shown in the following debug.
vpn-jk2-1711-1#debug dhcp
7-29
Chapter 7
Summary
Without the host route to the DHCP lease server, the DHCP request follows the default route to the DSL
link. Because the address is an RFC 1918 address, it is not routed over the Internet. The end result is that
the DHCP lease is not renewed and the router outside interface flaps continuously.
Summary
Wireless broadband is best suited for its target market of providing mobility to a single PC with either
an external or PCMCIA modem. This chapter focused on using an external modem with an attached
router. Likely deployment situations are small offices seeking rapid deployment of equipment or
multiple WAN interfaces for availability. Voice was also tested to determine the viability of deployments
for teleworkers. If sufficient signal strength and quality are available and interference because of
environmental or terrain is not an issue, voice quality ranges from good to very good. However, like all
wireless media, consistency and availability are often an issue.
7-30
OL-7102-01
C H A P T E R
Note
This is a hub-and-spoke deployment; spoke-to-spoke was not tested or rrecommended for VoIP.
The dual hub/dual DMVPN design provides head-end redundancy by configuring two DMVPN clouds
on a remote router, with each cloud having a separate IPSec head-end router.
This chapter describes the changes that result from adding VoIP to configuration examples that initially
support only data.
Note
IP telephony is supported only on a best effort basis, so the configurations that include VoIP are not
complete.
This chapter includes the following sections:
Solution Characteristics
Topology
Failover/Recovery Time
Performance Testing
Test Topology
Summary
Solution Characteristics
This design solution applies in situations where customers require VoIP, and IP multicast applications
are supported. The final configuration represents a dual hub and dual DMVPN clouds supporting a VoIP
deployment.
8-1
Chapter 8
Topology
This deployment scenario is applicable to teleworkers or small branch offices that have the following
connectivity characteristics:
IP multicast requirements
VoIP support
Test results are presented to describe voice quality with and without the recommended changes
implemented to enhance the initial configuration of the customer.
This chapter also describes a case study in which the initial customer configuration in tested to validate
support for VoIP.
Topology
The initial customer configuration consists of a single DMVPN cloud with a single campus head-end
router providing connectivity for the population of teleworkers. This topology is shown in Figure 8-1.
Figure 8-1
DMVPN 10090
10.0.90.0/24
Internet
IP
132032
Enterprise
Intranet Backbone
Because the customer configuration must now support VoIP, a second DMVPN cloud is needed to
increase availability for the remote locations. The dual hub/dual DMVPN cloud design is selected over
a dual hub/single DMVPN cloud because the topology provides more control of the packet routing
between the two head-end peers.
The recommended topology is shown in Figure 8-2:
8-2
OL-7102-01
Chapter 8
Figure 8-2
DMVPN 10090
10.0.90.0/24
Internet
IP
DMVPN 10091
10.0.91.0/24
132033
Enterprise
Intranet Backbone
The dual hub/dual DMVPN topology has the advantage of providing two tunnel interfaces in the remote
branch (teleworker) routers. Because the remote routers, or spokes, have a routing protocol neighbor
relationship on two separate interfaces, the two paths can be influenced by interface specific values.
Depending on the routing protocol in use, you can implement cost, bandwidth, delay, metric offset, or
summary advertisements on the individual tunnel interfaces to influence which head-end router is the
preferred path. From a manual load sharing perspective, half the population of spoke routers can use
DMVPN cloud 10090 as their preferred path with cloud 10091 as the backup. The other half of the
spokes can use cloud 10091 as the preferred path and cloud 10090 as backup.
With a distance vector routing protocol such as EIGRP, it is very easy to add a third DMVPN cloud, and
to divide the population of spoke routers so that one third prefers the first cloud, one third prefers the
second, and the final one third prefers the last cloud. The backup cloud for the spoke is spread across the
other clouds and their respective head-end routers.
Failover/Recovery Time
When EIGRP is the routing protocol on the mGRE tunnels, detection of a head-end or path failure by
the remote router is based on the configured routing protocol dead interval (interface configuration
command ip hold-time eigrp ), which by default is 15 seconds. Other protocols, such as RIP, OSPF,
and so on, have their own default values and can be configured by the network manager.
One currently-known issue with dual hub/dual DMVPN cloud configurations is that the second Internet
Key Exchange (IKE) security association (SA) may be deleted. If the peer associated with the
UP-NO-IKE status is reloaded, connectivity is not restored until the IPSec SAs age out, because there is
no IKE SA to send keepalive/dead peer detection (DPD) messages.
As a result of this, the second IKE SA must re-key each time the IPSec SA expires. By default, the IKE
lifetime is 24 hours and the IPSec lifetime is one hour. From a head-end performance standpoint (CPU
consumption), that means 24 times more IKE processing than necessary.For more information on the
problem and for a status update or resolution, please refer to CSCeg18278. This defect is identified as
CSCed18278-IKE SSA delected in dual hub, dual DMVPN cloud configuration.
8-3
Chapter 8
In various V3PN design guides, QoS service policies are defined to allocate bandwidth based on
IPSec-protected GRE and direct IPSec encapsulation respectively.
Note
For more information, see the V3PN design guide at the following URL:
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/V3PN_SRND/V3PN_SRND
.html.
IPSec-protected GRE tunnels are commonly deployed for site-to-site communications, and direct IPSec
encapsulation is well-suited for teleworkers.
Note
IPSec encapsulation is also known as an IPSec-only deployment (no GRE). Teleworker deployments
generally do not need multicast or multiprotocol support and thus do not reap any benefit from GRE
encapsulation and its additional overhead.
DMVPN has been heavily marketed to customers, and it is one option for deployments that require IP
multicast applications to the teleworker desktop (DMVPN does not support multiprotocol but only IP
multicast). Examples of these deployments include video surveillance applications using IP multicast
and financial brokerage house applications that are implemented using IP multicast.
In a small office small home (SOHO) deployment, it is common to see the VPN router deployed behind
a personal firewall such as a Linksys BEFSR41 EtherFast Cable/DSL Router. This architecture is
deployed at the residence of the teleworker because it allows the teleworker to control the username and
password of the PPP over Ethernet (PPPoE) session, simplifies configuration of the enterprise-managed
VPN router, and provides a spouse and child network over the common broadband connection.
The deployment scenario assumes the following:
The topology may include a Network Address Translation (NAT)/Port Network Address Translation
(pNAT) personal firewall device.
PPPoE is typical on the DSL deployments, and Data Over Cable Service Interface Specifications
(DOCSIS) 1.0 is typical for cable.
The uplink data rates are at or below 768 kbps and as such, voice packets are subject to serialization
delay.
Because of these factors, the configuration is optimized for the worst case scenario, which is DSL using
PPPoE at an uplink data rate below 768 kbps. The ip tcp adjust-mss command is used to minimize the
lack of Layer 2 link fragmentation and interleaving.
The goal is to select an optimum value for ip tcp adjust-mss that minimizes both the IPSec padding and
ATM adaption layer (AAL) 5 padding. The diagrams in the following section show the individual field
lengths and their relationship to the underlying ATM cells on a DSL deployment.
8-4
OL-7102-01
Chapter 8
The encrypted mGRE encapsulated packets for both G.729 and a TCP packet are shown in Figure 8-3.
Figure 8-3
IP
Hdr
ESP
Hdr
ESP
IV
20
GRE
G.729
mGRE
62
IP
Hdr
UDP
RTP
VOICE
20
12
20
ESP
ESP
pad Pad/NH Auth
2
12
120
ESP
Hdr
ESP
IV
20
IP
Hdr
TCP
20
20
672
payload pad
574
mss
ESP
ESP
Pad/NH Auth
2
12
132034
IP
Hdr
GRE
TCP
mGRE
614
This encrypted IP packet, when encapsulated in PPPoE/AAL5/ATM cells for a DSL deployment, is
shown in Figure 8-4.
8-5
Chapter 8
Figure 8-4
DSL/PPPoE Encapsulation
PPPo/
AAL5 Ethernet EPPP
Header Header Header
10 Byte 14 Byte
8 Byte
AAL5
padding
IP Packet
AAL5
Trailer
8 Byte
. Encrypted IP packet
32
Byte
-ATM Cells
48
bytes
15
-ATM Cells
132035
8
Byte
672 bytes
53
bytes
The result is that a G.729 packet requires four ATM cells, and a TCP packet with a maximum segment
size (MSS) of 574 requires 15 ATM cells. There are 8 bytes of AAL5 padding in the last cell. This
configuration does not assume Network Address Translation Traversal (NAT-T), but rather the IP header
is Extended Services Platform (ESP), protocol 50. NAT-T is optimized so that when no NAT device is
detected between the IPSec peers, UDP encapsulation is not used to avoid the additional overhead of the
additional UDP header. This configuration shows IKE packets on UDP port 500 and ESP (protocol 50)
for the IPSec tunnel.
The above Cisco IOS configuration command is enabled by default. The encrypted mGRE encapsulated
packets for both G.729 and a TCP packet are shown in Figure 8-5.
8-6
OL-7102-01
Chapter 8
Figure 8-5
IP
Hdr
ESP
Hdr
ESP
IV
20
GRE
G.729
mGRE
62
IP
Hdr
UDP
RTP
VOICE
20
12
20
ESP
ESP
pad Pad/NH Auth
2
12
128
With NAT-T
HDP
Hdr
8
ESP
Hdr
ESP
IV
20
IP
Hdr
TCP
20
20
680
payload pad
574
mss
ESP
ESP
Pad/NH Auth
2
12
132036
IP
Hdr
GRE
TCP
mGRE
614
In this example, the TCP packets have a padding of 0 for IPSec. The IP header is UDP with source and
destination port 4500. The NAT/pNAT device may change the IP address and port number. Using the show
crypto ipsec sa detail | inc peer command on the head-end router shows the source port and IP address
derived from NAT-T.
Note
Because both IKE and ESP packets share the same UDP port number (4500), IKE packets have a
Non-ESP marker field consisting of 4 bytes zero filled that aligns with the Service Provider Interface
(SPI) field of an ESP packet. Because the SPI cannot be all zeros, this enable the receiver to distinguish
between an ESP and IKE packet. As such, the additional overhead of NAT-T is the 8 byte UDP header
for ESP packets, and 12 bytes for IKE packets (8 bytes for the UDP header and an additional 4 bytes for
the non-ESP Marker).There is also an additional packet, a NAT-keepalive packet, which is a UDP packet,
port number 4500, with a single byte field with a value of 0xFF. The receiver ignores these packets;
however, they serve to keep the NAT/pNAT device translation table fresh.
These encrypted IP packets, when encapsulated in PPPoE/AAL5/ATM cells for a DSL deployment, are
shown in Figure 8-6.
8-7
Chapter 8
Figure 8-6
PPPo/
AAL5 Ethernet EPPP
Header Header Header
10 Byte 14 Byte
8 Byte
IP Packet
AAL5
padding
AAL5
Trailer
8 Byte
. Encrypted IP packet
24
Byte
-ATM Cells
48
bytes
15
-ATM Cells
132037
680 bytes
53
bytes
The result is a G.729 packet that requires four ATM cells, and a TCP packet with an MSS of 574 that
requires 15 ATM cells. There are zero bytes AAL5 padding in the last cell. The TCP MSS value of 574
is used so that with or without NAT-T negotiated, the TCP packets always require 15 ATM cells. This
simplifies the task by generalizing the configuration of the remote router.
ip route-cache flow
ip tcp adjust-mss 574
Note
Performance results with this change and the other recommended changes are shown in a subsequent
section.
8-8
OL-7102-01
Chapter 8
ip mtu 1408
1408 is an optimal IP MTU value for deployments, whether or not they include PPPoE, NAT-T, 3DES,
or Advanced Encryption Standard (AES)-128. In the previous section, the remote router adjusts the MSS
value for TCP sessions to and from the remote site. Although this eliminates any fragmentation issues
for the majority of the data traffic, there still might be UDP applications that generate some MTU-sized
packets. Ideally, these should be fragmented by the router before encryption.
Changing the IP MTU of the tunnel interface effectively forces fragmentation before encryption.
Fragmenting after encryption means that the decrypting router must reassemble the fragments before
they can be decrypted. This requirement means that the decrypting router must process switch the
fragmented packets and allocate a huge buffer in memory to assemble the fragments, which negatively
impacts performance, especially if the decrypting router is the head-end crypto aggregation point that
decrypts for multiple remote or spoke routers. Fragmenting before encryption forces the receiving
workstation to re-assemble the fragments instead.
Given a tunnel interface with an IP MTU of 1408, the largest UDP packet that can be encapsulated
without fragmentation is 1380 bytes of payload plus 28 bytes for IP and UDP headers. This
encapsulation process is shown in Figure 8-7.
mGRE and IPSec Encapsulation
GRE
mGRE
mGRE encapsulation
UDP
Hdr
20
payload
1380
1408
IP MTU 1408
IPSec encapsulation
With
NAT-T
IP
Hdr
With
AES-128
IP
Hdr
UDP
Hdr
ESP
Hdr
20
3DES
IV
1416
pad
2
ESP
ESP
Pad/NH Auth
2
16
1476-1484
12
132038
Figure 8-7
With PPPoE (commonly used with residential DSL offerings), a maximum encrypted packet size of 1492
is preferred because PPPoE includes an 8-byte header.
8-9
Chapter 8
Note
Ethernet has a maximum payload size of 1500 octets. The PPPoE header is six octets and the PPP
protocol ID is two octets, so the PPP MTU must not be greater than 1492. For more information, see
RFC 2516 at the following URL: http://www.rfc-archive.org/getrfc.php?rfc=2516.
AES-128 has a 16-byte initialization vector (IV) as compared to 8 bytes for 3DES. If the remote router
is behind a personal firewall, an additional UDP header is also present. The size of the ESP pad varies
depending on the payload size being encrypted and whether the encryption algorithm is 3DES or AES.
There are some rules for identifying fragmentation and determining whether it is pre- or post-encryption.
The topology in Figure 8-8 is shown as a reference:
Figure 8-8
Fragmentation Illustration
Logical
mGRE
interface
Enterprise campus network
Physical
Output
interface
132039
IP
Physical
Input
interface
Assume that the workstation in the enterprise campus network is generating packets to the remote
teleworker home network at a constant rate with no other traffic present.
Note
A test tool or application that can be configured to generate a UDP packet at a configured size and at a
constant rate in packets per second is useful for this illustration.
Fragmentation can be identified by observations on the head-end router.
workstation.
show interface [output interface] | include rate shows an output rate twice the number of
8-10
OL-7102-01
Chapter 8
Class-map Configuration
In this case study, the customer has configured match statements in the class map that were not relevant
and redundant. As a best practice, these extraneous entries should be removed.
For example, the initial customer configuration is as follows:
class-map
match ip
match ip
match ip
match ip
class-map
match ip
match ip
match ip
match-any ISC_OUT_Cisco-IT_voice_call-setup
dscp af31
dscp af32
dscp cs3
precedence 3
match-any ISC_OUT_Cisco-IT_voice_voice
dscp ef
dscp cs5
precedence 5
Matching on Differentiated Services Code Point (DSCP) value of CS5 and also on IP Precedence of 5
is redundant.
Note
Section 4.2 of RFC 2474 describes the use of CS (Class Selector) codepoints to provide backward
compatibility matching of IP Precedence values. See RFC 2474 at the following URL:
http://www.rfc-archive.org/getrfc.php?rfc=2474
For example, see the following configuration, given this sample class map and an IP phone generating
packets for call setup with DSCP value of CS3 or IP Precedence 3:
class-map match-any CALL-SETUP
match ip dscp af31
match ip dscp cs3
match ip precedence 3
R1#show pol int e 0/0 output | beg CALL-SETUP
Class-map: CALL-SETUP (match-any)
5 packets, 306 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: ip dscp af31
0 packets, 0 bytes
30 second rate 0 bps
Match: ip dscp cs3
5 packets, 306 bytes
30 second rate 0 bps
Match: ip precedence 3
0 packets, 0 bytes
30 second rate 0 bps
From the above display, observe that no packets are matching IP Precedence 3, but rather DSCP value
of CS3. The following displays shows the order reversed in the class map:
class-map match-any CALL-SETUP
match ip dscp af31
match ip precedence 3
match ip dscp cs3
8-11
Chapter 8
In the above configuration, there are no matches on the DSCP value of CS3, but rather the match for IP
Precedence 3 selects the packets.
Additionally, the customer call-setup class contains a match for AF32. Because the target configuration
is for a remote router supporting an IP phone, there is no expectation that AF32 packets will ever be seen
at this point in the topology. The DSCP value of AF32 is generally seen only if the traffic is out of
contract and was remarked from AF31 to AF32 by a router.
Note
According to RFC 2597 (Assured Forwarding PHB Group), AF31 has a lower drop probability than
AF32 and the act of remarking from AF31 to AF32 is an indication of congestion within the per-hop
behavior (PHB) group. See more information on RFC 2597 at the following URL:
http://www.rfc-archive.org/getrfc.php?rfc=2597
Because this configuration is for the router that provides network access for the phone, and the phone
either generates AF31 or CS3 for its call-setup traffic, no remarking is possible.
Assuming a Cisco IP phone, match ip dscp cs5 can also be eliminated, because the firmware of the
phone always generates DSCP values of EF for the voice media stream.
The proposed configuration can be reduced to the following:
class-map match-any ISC_OUT_Cisco-IT_voice_call-setup
match ip dscp cs3
match ip dscp af31
There now is only one entry for the voice class map, the match-any is changed to match-all, and the
default value is for a one entry class-map.
8-12
OL-7102-01
Chapter 8
It is extremely unlikely that the Ethernet interfaces on these routers will ever experience congestion.
Weighted fair queueing (WFQ) is only recommended for interfaces clocked below 2 Mbps. In fact, Cisco
83x and 17xx routers are gated by CPU consumption before 10 Mbps Ethernet interfaces can be
congested. The default of FIFO queueing on the Ethernet interfaces is recommended. To remove WFQ
from the interface, enter no fair-queue while in interface configuration mode.
This is a very useful feature for diagnosing voice quality issues for a teleworker. However, some
optimization is suggested to reduce the overhead and to optimize the data collection aspect.
132040
IP
8-13
Chapter 8
For this reason, the number of packets are reduced to a more manageable value of 20 packets
(codec-numpackets 20). The probe runs every 300 seconds or five minutes and marks the simulated
voice stream with a ToS of decimal 184 (hex B8) or DSCP EF as would be the case with a real voice
stream. The priority or Low Latency Queueing (LLQ) is adjusted to accommodate this additional traffic.
The codec-size value of 32 is the default value and does not show in the running configuration. It is
included here to illustrate that the codec size would be the sum of the RTP header plus the payload, or
voice sample. Figure 8-10 shows the fields of the SAA-generated packet:
Figure 8-10
60 bytes
SAA
UDP
20 bytes
8 bytes
RTP
payload
12 bytes
20 bytes
codec-size 32
132041
IP
Assuming a DMVPN or mGRE encapsulation, look at the NetFlow display while the SAA probe is
running to verify packet sizes:
R1#show ip cache verb flow
...
SrcIf
SrcIPaddress
Port Msk AS
DstIf
Port Msk AS
DstIPaddress
NextHop
Et1
0000 /0
Local
0000 /0
192.168.128.207 2F B8
0.0.0.0
10
88
21
0.3
Tu0
DBA2 /0
Local
07AF /0
10.0.94.1
0.0.0.0
11 B8
10
80
1
0.0
Tu0
DBA2 /0
Local
4000 /0
10.0.94.1
0.0.0.0
11 B8
10
60
20
0.3
192.168.131.16
10.0.90.16
10.0.90.16
The first flow is Protocol (Pr) hex 2F or decimal 47, GRE. The ToS byte from the unencrypted packet is
copied to the GRE header and as such, this GRE packet is marked DSCP EF or hex B8. There are 21
packets in this flow: one SAA control packet and the 20 packets simulating voice. The B/Pk shows the
average number of bytes per packet, including the IP/GRE headers.
8-14
OL-7102-01
Chapter 8
The second line of the display has a destination port address of hex 7AF or decimal 1967. Port 1967 is
enabled when rtr responder is configured and the remote router is listening on this UDP port. By
default, control enable is enabled, and it must be enabled for this SAA probe to function properly. This
packet is the control plane for the SAA probe.
The third line in the display is the SAA-generated simulated voice packets. There are 20, as specified
above. They have a destination UDP (hex 11 or decimal 17) port number of hex 4000 or decimal 16384,
as specified in the SAA configuration above. Because all these packets are the same size, the average
B/Pk is 60, which is the size of each packet from the packet decode in the previous figure.
In the above configuration, a log entry is generated if the average jitter from destination to source
(teleworker to head-end) rises above 8 ms and again when it falls below 7 ms. The roundtrip time
thresholds (RTTs) are 150 ms and 149 ms, and with the jitter from source to destination (head-end to
teleworker), the reaction is triggered if the jitter rises above 6 ms and again if it falls below 5 ms.
The head-end to teleworker jitter values are lower that the teleworker to head-end path because most
residential broadband services have greater bandwidth from the Internet, and the jitter typically is less
in that direction. The values selected vary from deployment to deployment.
8-15
Chapter 8
class CALL-SETUP
bandwidth percent 2
class INTERNETWORK-CONTROL
bandwidth percent 5
class VOICE
priority 154
class class-default
fair-queue
random-detect
policy-map Shaper
class class-default
shape average 182400 1824
service-policy V3PN_DMVPN_Teleworker
!
Comparison testing determined the impact of this SAA probe on latency, drops, and jitter of the real
voice (RTP) stream. Branch to head-end jitter increases one millisecond, from 9.2 ms to 10.2 ms, and
approximately 20 ms are added to the branch to head-end latency. The head-end to branch values were
for all practical purposes unchanged. Voice drops are not an issue. However, the release under test was
exposed to CSCeg34495 which is a packet classification issue identified as CSCeg34495. It is possible
that the performance characteristics would actually be better than described using a Cisco IOS release
not exposed to this issue.
Routing
Before discussing access control for this implementation, it is necessary to describe the IP routing
configuration. The enterprise security policy specifies that access to Internet services is via the head-end
enterprise campus network. This is often referred to as split tunneling not being permitted.
That implies that the remote teleworker PC needs to follow a default route learned via the mGRE tunnel
interface rather than from the DHCP server that supplied the outside IP addressing information to the
VPN router.
The routing information sources are described and shown in Figure 8-11.
Note
dhcp 1
eigrp 5
IP
192.168.131.16
132042
10.0.94.0/24
dynamic rp 6
eigrp 4
8-16
OL-7102-01
Chapter 8
The teleworker VPN router learns a default gateway from the DHCP server of the ISP.
2.
The teleworker VPN router supplies a default gateway and serves IP addressing and other options
to the IP phone and workstation using a local DHCP pool.
!
ip dhcp pool TELEWORKER
network 10.0.94.0 255.255.255.0
default-router 10.0.94.1
dns-server 10.2.120.253 10.2.120.252
domain-name ese.cisco.com
option 150 ip 10.2.120.254
!
3.
The teleworker VPN router is configured with a static route to the head-end tunnel endpoint. In this
example, 192.168.131.16 and 192.168.131.17 are placeholders for the head-end tunnel endpoint
addresses. In an actual deployment, they would be Internet-routable addresses.
The above is required because there will be two sources of a default route, one from the Internet and
one from the mGRE tunnel. The VPN router must have more specific routes to servers that must be
reached outside the VPN tunnel, rather than using the default route learned inside the IP tunnel.
4.
The teleworker VPN router learns a default route using the GRE tunnel from the head-end campus
router. The default administrative distance for an EIGRP internal/external route is 90/170, and 254
for a DHCP learned route. The default route learned through the GRE tunnel is overridden because
it has a lower administrative distance than the default route learned using DHCP.
5.
The head-end campus router learns an advertisement through the GRE tunnel for the subnet of the
remote branch teleworker router.
6.
The head-end campus router must learn either from a static default route or more likely from some
dynamic routing protocol of the outside Internet routable address of the remote teleworker.
The difference between IPSec-protected GRE and direct IPSec encapsulation is related to determining
whether a packet is encrypted. In the case of IPSec-protected GRE tunnels, all packets routed through
the tunnel is encrypted, so it is the routing table of the remote router that determines if a packet is
encrypted. In direct IPSec encapsulation, any packet that matches the access list specified in the crypto
map is encrypted. So routing determines only whether the packet exits an interface with an applied
8-17
Chapter 8
crypto map, not whether it is actually encrypted. This is a subtle but important difference, because it
allows the network administrator to use the head-end routing protocol configuration to control the
encryption selection process on the remote routers.
Access Control
The initial customer configuration consists of inbound ACLs on the outside physical interface. There are
no inbound access lists on the tunnel interface. Also, the configuration includes both Transport layer
(TCP and UDP) inspection as well as Application layer inspection.
The initial configuration is as follows:
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
inspect
inspect
inspect
inspect
inspect
inspect
inspect
inspect
inspect
inspect
inspect
Typically, Transport layer inspection is sufficient for most deployments. With TCP and UDP inspection,
the return path packets must match an existing session initiated from the protected (or inside) network.
The source and destination IP addresses and port numbers must match in reverse of the session initiated
by the inside client.
Note
For more information, see the following URL (which requires a Cisco password):
http://www.cisco.com/en/US/partner/products/sw/secursw/ps1018/products_white_paper09186a008009465
8.shtml
Application layer inspection takes precedence over Network layer inspection, and is required if the
specific application (such as FTP) uses different port numbers than specified by the session initiator in
the return packets.
The customer security policy is such that split tunneling is not permitted. All Internet access for devices
on the remote subnet must be through the corporation campus head-end. Because private addressing is
in use, the campus head-end location must use NAT/pNAT to determine any Internet access required.
The address of the return packets from the Internet server or application is the Internet routable address,
and as such, Context-based Access Control (CBAC) must be configured to permit Internet access , but
only for TCP, UDP, and FTP initially. Additional Application layer inspection can be added as required.
An example of this topology is represented in Figure 8-12.
8-18
OL-7102-01
Chapter 8
Figure 8-12
Internet
10.0.94.0/24
DMVPN 10090
10.0.90.0/24
NAT/pNAT
IP
10.0.0.0/8
Campus
network
132043
DMVPN 10091
10.0.91.0/24
The tunnel interfaces have inbound access lists, and CBAC is enabled on the inside Ethernet interface of
the remote branch teleworker router. If the inbound access list entry does not specifically permit the
packet, the CBAC configuration must have entered a dynamic entry into the access list to permit packets
from the enterprise campus head-end to access the remote router subnet.
This layered security approach affords a more stringent posture than what is typically implemented in
the enterprise campus network.
The recommended configuration is as follows:
!
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC ftp
!
interface Tunnel0
8-19
Chapter 8
Performance Testing
permit
permit
remark
permit
permit
remark
permit
deny
!
ip access-list extended TUNNEL_INBOUND_ACL
permit ip 10.0.0.0 0.0.0.255 10.0.94.0 0.0.0.255
permit icmp any any
permit eigrp any any
permit igmp any any
permit pim any any
deny
ip any any log
!
line vty 0 4
login local
transport input ssh
Note
The log option is useful initially to identify any ports and protocols that are missing from the
implementation but are needed for the deployment. After testing, it is recommended to remote this
option to spare the overhead of process switching the matches on the entry and the resulting syslog
chatter.
Performance Testing
Performance tests were conducted using the customer initial configuration and the enhanced (revised)
configuration described in this section. There are also test results using the revised configuration with
and without a Linksys BEFSR41 personal firewall between the IPSec peers with NAT-T enabled.
Table 8-1 describes these tests.
Table 8-1
Configuration
Revised Configuration
WFQ enabled
FIFO
Class-map configuration
Extraneous entries
Optimized
TCP MSS
Not configured
574
Access control
N/A
8-20
OL-7102-01
Chapter 8
Jitter
Latency
Lab goal
50
50 ms
47 ms
milliseconds
30
Cisco
831
20
Branch to
Head-end
13.2 ms
Lab goal
10
10 ms
10.2 ms
Revised
4.2 ms
Original
5 ms
132044
3.2 ms
Head-end
to Branch
Revised
Original
The ESE lab testbed uses a goal of 50 ms as the average Chariot reported latency and 810 ms as the
average jitter for acceptable VoIP quality. In a customer deployment, acceptable VoIP quality can be
obtained when both latency and jitter are observed at higher values. The lab is a controlled and optimal
environment and these somewhat conservative goals are the standard.
In most teleworker environments, the data rates are asymmetrical; both branch router to head-end router
and the reverse are reported. In this test, a simulated 256 kbps/1.4 Mbps data rate was assumed. The 831
output interface was shaped at 182,400 bps. Because of the higher downlink data rate, latency and jitter
are generally not an issue for this half of the call leg. The downlink values are shown in the diagram but
are subdued and behind the uplink or branch to head-end values.
In either configuration, the latency is similar, and near the 50 ms goal.
Average jitter for the revised configuration is 10.2 ms and 13.2 ms for the original configuration, or
approximately a 22 percent improvement. At higher data rates, this difference would be less as the link
speed approaches 768 kbps, and serialization or blocking delay becomes less of an issue.
Impact of NAT-T
NAT-T mode is enabled by default in Cisco IOS routers, and if during the initial IKE exchange on UDP
500, a NAT/pNAT device is detected between the IPSec peers, these peers exchange both IKE and IPSec
packets encapsulated in UDP on port 4500. If no NAT/pNAT device exists between the peers, the normal
8-21
Chapter 8
Test Topology
behavior of IKE on UDP 500 and IPSec ESP in protocol 50 is used. A Linksys BEFSR41 EtherFast
Cable/DSL Router with 4-Port Switch is inserted between the IPSec peers and a performance test is run
with the revised configuration. (See Figure 8-14.)
Figure 8-14
Impact of NAT-T
Latency
Jitter
100
Branch to Head-end
Branch to Head-end
milliseconds
75
Cisco
831
Lab goal
50
50 ms
51 ms
ESP
NAT-T
25
9.8 ms
ESP
NAT-T
132045
Lab goal
10.2 ms
Simply stated, the results were similar enough to indicate that the additional router and the NAT/pNAT
translation on the UDP 4500 packets did not impact latency and jitter of the VoIP stream to a measurable
degree.
Test Topology
Figure 8-15 shows the topology under test:
8-22
OL-7102-01
Chapter 8
Test Topology
VLAN
226
VLAN
224
VLAN
100
10.0.94.1
vpn-jk2-831-1
vpn-jk3-2651xm-6
vpn-jk3-2651xm-1
.16
-6
-3725-1
DHCP
VLAN
220
AS 65030
VLAN 51
192.168.128.0/18
vpn-jk2-831-2
-7206-1
DMVPN
1.4Mbps Shaper
.17
-7
10.0.94.60 Netra
10.0.94.61 Penguin
VLAN 52
192.168.192.0/18
-3640-1
vpn-jk3-2651xm-7
-7206-2
10.2.120.60 Netra
10.2.120.61 Penguin
-2
302
VLAN
120
-5
IP
IP
-1
Pagent/ Chariot
-11
300
132046
Figure 8-15
8-23
Chapter 8
!
!
no ip domain lookup
ip domain name ese.cisco.com
ip host JOEL_KING_LAB_ca_server 192.168.131.25
ip cef
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC ftp
ip ips po max-events 100
no ftp-server write-enable
!
crypto pki trustpoint ESE_JK_RACK
enrollment url http://JOEL_KING_LAB_ca_server:80
revocation-check none
!
!
crypto pki certificate chain ESE_JK_RACK
certificate 03
[removed]
quit
certificate ca 01
[removed]
quit
!
!
class-map match-all VOICE
match ip dscp ef
class-map match-any CALL-SETUP
match ip dscp af31
match ip dscp cs3
class-map match-any INTERNETWORK-CONTROL
match ip dscp cs6
match access-group name IKE
!
!
policy-map V3PN_DMVPN_Teleworker
description G.729=~64K G.711=~128K Plus 26K for IP SLA (SAA)
class CALL-SETUP
bandwidth percent 2
class INTERNETWORK-CONTROL
bandwidth percent 5
class VOICE
priority 154
class class-default
fair-queue
random-detect
policy-map Shaper
class class-default
shape average 182400 1824
service-policy V3PN_DMVPN_Teleworker
!
!
!
crypto isakmp policy 10
encr 3des
crypto isakmp keepalive 10
crypto isakmp nat keepalive 10
!
!
crypto ipsec transform-set TRANSPORT_3DES_SHA esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set TUNNEL_3DES_SHA esp-3des esp-sha-hmac
!
8-24
OL-7102-01
Chapter 8
8-25
Chapter 8
ip access-group INBOUND_ACL in
service-policy output Shaper
ip route-cache flow
load-interval 30
duplex auto
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
router eigrp 100
network 10.0.0.0
no auto-summary
# Manual summarization on the interfaces
!
ip classless
ip route 172.26.0.0 255.255.0.0 10.0.94.2
ip route 192.168.131.16 255.255.255.254 dhcp
!
no ip http server
no ip http secure-server
!
!
ip access-list extended IKE
permit udp any eq isakmp any eq isakmp
ip access-list extended INBOUND_ACL
permit udp any eq isakmp any eq isakmp
permit udp 192.168.131.0 0.0.0.31 eq non500-isakmp any eq non500-isakmp
permit esp 192.168.131.0 0.0.0.31 any
permit gre 192.168.131.0 0.0.0.31 any
permit udp any any eq bootpc
remark NTP ACLs
permit udp any eq ntp any eq ntp
permit icmp any any
remark SSH
permit tcp 192.168.131.0 0.0.0.31 any eq 22
deny
ip any any
ip access-list extended TUNNEL_INBOUND_ACL
permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
permit icmp any any
permit eigrp any any
permit igmp any any
permit pim any any
deny
ip any any
snmp-server community private RW
snmp-server community public RO
snmp-server system-shutdown
snmp-server enable traps tty
!
8-26
OL-7102-01
Chapter 8
control-plane
!
call admission limit 99
# Included simply to show it is configurable
call admission load 1 10 # Included simply to show it is configurable
rtr responder
alias exec conact show cry eng conn act
alias exec shintb sh ip int brief
alias exec shacl show access-list
alias exec clacl clear access-list counters
alias exec shisa show crypto isa sa
alias exec stcon ping 10.2.120.16 source 10.0.94.1 repeat 15
!
line con 0
exec-timeout 120 0
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
password [removed]
login
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
!
ntp server 192.168.130.1
end
8-27
Chapter 8
no ftp-server write-enable
!
!
crypto pki trustpoint ESE_JK_RACK
enrollment url http://cisco123_LAB_ca_server:80
revocation-check crl
!
!
crypto pki certificate chain ESE_JK_RACK
certificate 04
[removed]
quit
certificate ca 01
[removed]
quit
!
crypto isakmp policy 1
encr 3des
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TRANSPORT_3DES_SHA esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set TUNNEL_3DES_SHA esp-3des esp-sha-hmac
!
crypto ipsec profile ECT_PROFILE_1
set transform-set TRANSPORT_3DES_SHA TUNNEL_3DES_SHA
!
!
crypto call admission limit ike sa 65536 # Included simply to show it is configurable
!
!
interface Tunnel0
description DMVPN
bandwidth 2000
ip address 10.0.90.16 255.255.255.0
ip access-group TUNNEL_INBOUND_ACL in
no ip redirects
ip mtu 1408
no ip next-hop-self eigrp 100
ip pim nbma-mode
ip pim sparse-dense-mode
ip multicast rate-limit out 768
ip nhrp map multicast dynamic
ip nhrp network-id 10090
ip nhrp holdtime 600
ip nhrp server-only
no ip split-horizon eigrp 100
load-interval 30
delay 2000
tunnel source FastEthernet0/1.100
tunnel mode gre multipoint
tunnel key 10090
tunnel protection ipsec profile ECT_PROFILE_1
!
interface FastEthernet0/0
description FlashNet156
ip address 172.26.157.36 255.255.254.0
load-interval 30
duplex auto
speed auto
!
!
interface FastEthernet0/1.100
8-28
OL-7102-01
Chapter 8
8-29
Chapter 8
line con 0
exec-timeout 120 0
line aux 0
line vty 0 4
exec-timeout 0 0
password [removed]
login
!
ntp server 192.168.130.1
!
end
Branch routersc831-k9o3sy6-mz.123-8.T5
Head-end routersc2600-advsecurityk9-mz.123-8.T5
Summary
Although many customers often take the approach of implementing a pilot deployment without head-end
redundancy, saying they will address redundancy later, all new installations should plan for and
implement multiple head-ends from the beginning. An example of the importance of this approach lies
in the fact the testing found and filed the software defect CSCeg18278. With the lead time to debug and
obtain a software image incorporating the fix perhaps several months away, early detection of any
outstanding issues minimizes their impact on deployment schedules.
The same also applies to implementations that are for data-only today, but VoIP will be added later. This
may mean eExtensive re-work of the deployed remote routers configuration may be necessary to
accommodate VoIP in the future. With some minor revisions to the customer configuration, VoIP can be
planned for and provisioned from the start, rather than later in a hurried manner.
These customer configurations were not dramatically wrong, but a few minor changes would have
enhanced the performance of VoIP. As is often the case with networks, there is seldom only one problem
and they tend not to cause a total failure of network connectivity. Generally, there are multiple issues
that lead to a problem, and constant assessment of the network and its configuration serve to maintain
reliability, availability, and good performance.
8-30
OL-7102-01
C H A P T E R
Solution Characteristics
Topology
Failover/Recovery Time
Implementation
Verification
Configuration
Show Commands
Caveats
Summary
9-1
Chapter 9
Solution Characteristics
Solution Characteristics
This solution is applicable to small branch offices that have the following connectivity characteristics:
Note
Encryption for both the existing Frame Relay and the broadband link, or only for the broadband link
According to CCO and its Feature Navigator, Gateway Load Balancing Protocol (GLBP) is documented
as included in the Cisco 2600 12.2(15)T images; however, c2600-ik9o3s3-mz.122-15.T9 does not
include GLBP support. The Cisco 1712 router used in testing did include GLBP support in the 12.3(7)T
(c1700-k9o3sy7-mz.123-7.T) image. Because the Cisco 2600 series is commonly deployed in the
solution topology, and some customers may need to encrypt packets on the Frame Relay WAN link,
GLBP was not included as part of this solution.
Topology
Figure 9-1 shows the topology described in this section:
Figure 9-1
One or more
VLANs with HSRP
Broadband
IPsec
Head-end
router(s)
Internet
IP
Modem
IPsec
remote
router(s)
DSLAM/
UBR
WAN
routers
Enterprise
Core
IP
132047
Frame-Relay
IPSec and generic routing encapsulation (GRE) tunnels are terminated on both remote routers: the Frame
Relay router and the broadband router. Because the backup and load sharing function does not depend
on anything other than HSRP-tracked interfaces and routing protocol metrics, the design concepts can
be adapted to work with an unencrypted Frame Relay network or an encrypted link on the Frame Relay
network.
If the Frame Relay network is not encrypted and GRE tunnels are not used, using the same routing
protocol on both WAN topologies simplifies the design and implementation.
9-2
OL-7102-01
Chapter 9
Failover/Recovery Time
The failover and recovery time for this configuration depends on the hello and hold time implemented
by the customer for HSRP, GRE keepalive, and the routing protocol used within the GRE tunnel. In this
example, EIGRP is used.
The HSRP default hello time is 3 seconds and the hold time is 10 seconds. For EIGRP, the default hello
time is 5 seconds and the hold time is 15 seconds. The GRE keepalives are typically set at 10 seconds
with retries at 3 or a hold time of 30 seconds.
These values are acceptable to most customer deployments; however, they can be changed as required.
Implementation
This section explains how the router configurations implement load sharing and backup over the Frame
Relay and broadband connection. The GRE tunnels are encrypted. The complete configuration files are
shown in a following section, but here the focus is on the interface delay and bandwidth configuration
for the GRE and LAN interfaces of the remote routers.
This section includes the following topics:
GRE Tunnels
GRE Tunnels
In Figure 9-2, two GRE tunnels are defined from each remote router to a head-end GRE/IPSec peer. This
configuration provides maximum availability because the site maintains connectivity in the event that
one remote router and one head-end router are out of service at the same time.
9-3
Chapter 9
Implementation
Figure 9-2
2600-22
Broadband
1712-1
Internet
IP
Modem
2600-23
DSLAM/UBR
2600-18
IP
Frame-Relay
132048
2600-5
2600-20
The WAN cloud depictions are removed from the topology in Figure 9-3 to reduce the complexity of the
drawing. Tunnel names and IP addresses have been added.
Figure 9-3
Tunnel 0
10.0.68.146/30
1712-1
Tunnel 900
10.0.68.133/30
Tunnel 1
10.0.68.138/30
2600-22
IP
2600-23
Tunnel 900
10.0.68.134/30
Tunnel 0
10.0.68.145/30
Tunnel 901
10.0.68.142/30
2600-18
IP
Tunnel 901
10.0.68.141/30
132049
2600-5
Tunnel 1
10.0.68.137/30
The GRE interface numbers on the branch and head-end routers are the same on both ends; Tunnel 1 on
remote router 2600-18 connects to Tunnel 1 on head-end router 2600-22. This nomenclature facilitates
troubleshooting. The IP addresses for the tunnel interfaces are allocated out of the address space for the
remote location. In this example, each remote is allocated an address on a /22 network boundary. The
tunnel addressing is allocated from that address space. The loopback interfaces are allocated from that
address space and are the inside VLANS. In this example, the inside VLAN is address 10.0.68.0/25.
9-4
OL-7102-01
Chapter 9
2600-22
1712-1
Tunnel 900
IP
2600-23
Tunnel 0
2600-18
IP
Tunnel 901
Tunnel 1
interface Tunnelnnn
...
ip summary-address eigrp 1068 10.0.0.0 255.0.0.0 5
132050
2600-5
In this example, an advertisement to 10.0.0.0/8 is used. One or more networks or a default network can
be advertised. If a default network is advertised, the broadband router requires specific routes to its
GRE/IPSec peers pointing out the outside/broadband interface. For example, the 1712-1 router
configuration in the configuration samples has a default route to the PPPoE (Dialer) interface as shown:
ip route 0.0.0.0 0.0.0.0 Dialer1 239 name Broadband
The GRE and IPSec peer statements refer to 192.168.131.22 and 192.168.131.23.
vpn-jk2-1712-1#show run | inc set peer|tunnel dest
set peer 192.168.131.22
set peer 192.168.131.23
tunnel destination 192.168.131.22
tunnel destination 192.168.131.23
The configuration needs to be changed to eliminate the default route and to include the host specific (host
routes or /32 routes) to the head-end peers, as follows:
no ip route 0.0.0.0 0.0.0.0 Dialer1 239 name Broadband
ip route 192.168.131.22 255.255.255.255 Dialer1 239 name Broadband22
ip route 192.168.131.23 255.255.255.255 Dialer1 239 name Broadband23
If the configuration is using Dynamic Host Configuration Protocol (DHCP) rather than PPP over
Ethernet (PPPoE) to obtain the outside IP address, the host specific route references the DHCP keyword
instead, as follows.
ip route 192.168.131.22 255.255.255.255 dhcp
ip route 192.168.131.23 255.255.255.255 dhcp
9-5
Chapter 9
Implementation
Delay
EIGRP calculates delay as the cumulative delay; you add up the delay from all the routers that learned
the network advertisement.
The delay value is based on the input interface of the receiving router, not the output interface of the
sending router. There is no requirement that the values match, but best practice is to make them match
unless you have a specific reason not to do so.
Units are the following:
One rule of thumb is that whatever you type is multiplied by 10 when displayed by the router.
Bandwidth
EIGRP uses the minimum bandwidth for all the links to a network. Like delay, this is derived from the
input interface. Because the default value is 9 kbps for a tunnel interface and this topology is always
using tunnel interfaces, the bandwidth value does not really come into play.
The default and modified values for bandwidth and delay on the remote routers are examined. Figure 9-5
highlights these values.
Frame Relay/Broadband-Delay/Bandwidth Values
interface Vlan1
bandwdith100000*
delay 10
end
1712-1
HSRP STANDBY
interface FastEthernet0/1.204
bandwdith100000*
delay 10*
end
HSRP ACTIVE
Router
* default values
interface Tunnel900
bandwidth 9*
delay 50000*
interface Tunnel0
bandwidth 9*
delay 49990
2600-18
interface Tunnel901
bandwidth 9*
delay 50010
interface Tunnel1
bandwidth 9*
delay 50000*
132051
Figure 9-5
9-6
OL-7102-01
Chapter 9
The values chosen are selected so that the HSRP active router, in this example 2600-18, calculates a route
for network advertisements learned via Tunnel 1 with the same metric as an advertisement for the same
network from router 1712-1 over the inside LAN interface.
From the perspective of the 2600-18 router, an advertisement for 10.0.0.0/8 has an EIGRP metric of
297244416. This value is derived from a minimum bandwidth value of 9 kbps and a total delay value of
500,000. The total delay in microseconds is determined by adding the values from the show interface
command. In this example, the Tunnel 0 interface on 1712-1 has a delay of 499,900 microseconds and
the FastEthernet 0/1.204 of the 2600-18 router has a delay of 100 microseconds.
Following is a Perl program to facilitate this calculation. This program calculates the EIGRP metric and
derives the same value as a Cisco IOS router. It is executed with a minimum bandwidth of 9 kbps and
sums the two delays of 499,900 and 100 microseconds:
D:\>perl eigrp.pl 9 499900 100
297244416
#
#
eigrp.pl
#
# Usage: eigrp.pl Minimum_bandwidth_in_Kbit Total_delay_in_microseconds
#
#
eigrp.pl 10000 1280
#
# or
#
eigrp.pl 10000 1000 200 80
#
# Author: cisco789@cisco.com CCIE 1846
#
# Version 1.0 25 July 2000
#
# The path with the smallest metric is the best path.
#
$minBW = $ARGV[0];
$sumDLY = 0;
foreach $i (1 .. $#ARGV) {
#
# Delay
#
$sumDLY = $sumDLY + $ARGV[$i];
}
#
# We are expecting delay input in microseconds, (as from the interface
# or default-metric command) not tenths of microseconds.
#
$sumDLY = $sumDLY / 10;
#
# Bandwidth
#
$iBW = 10000000 / $minBW;
$iBW = sprintf("%9d",$iBW);
#
$EIGRPmetric = ($iBW + $sumDLY) * 256;
#
print "$EIGRPmetric";
exit;
#
# Notes:
#
# Cisco routers do not perform floating point math, so at each stage
# in the calculation, you will need to round down to the
# nearest integer (whole number) to calculate the metrics the
9-7
Chapter 9
Implementation
router eigrp1068
network 10.0.0.0
distribute-list VLAN_ONLY out Tunnel0
distribute-list VLAN_ONLY out Tunnel900
no auto-summary
no eigrp log-neighbor-warnings
1712-1
!
Used on both routers
ip access-list standard VLAN_ONLY
permit 10.0.68.0 0.0.0.128
!
router eigrp1068
passive-interface Serial0/0.100
passive-interface Serial0/0.101
network 10.0.0.0
distribute-list VLAN_ONLY out Tunnel1
distribute-list VLAN_ONLY out Tunnel901
no auto-summary
no eigrp log-neighbor-warnings
!
interface Tunnel900
bandwidth 9*
delay 50000*
interface Tunnel0
bandwidth 9*
delay 49990
2600-18
interface Tunnel901
bandwidth 9*
delay 50010
interface Tunnel1
bandwidth 9*
delay 50000*
132052
Figure 9-6
* default values
The addressing scheme has allocated a /22 network for the remote site. The loopback interfaces for the
two remote routers are allocated from that address block as well as all VLANs in use.
1712-1#show run | inc interface|tunnel source|ip address
interface Tunnel0
ip address 10.0.68.145 255.255.255.252
tunnel source Loopback0
interface Tunnel900
ip address 10.0.68.133 255.255.255.252
tunnel source Loopback0
interface Loopback0
ip address 10.0.68.129 255.255.255.255
interface Vlan1
ip address 10.0.68.1 255.255.255.128
interface Dialer1
ip address negotiated
To prevent recursive routing issues, distribution lists are configured on the remote routers, so only the
VLAN interface(s) are advertised to the head-end routers. If the loopback interface address is included
in the advertisement to the head-end, the tunnel is changed to down by Cisco IOS to avoid recursive
routing issues.
9-8
OL-7102-01
Chapter 9
Note
If you choose to use this technique, it is important in this design to specify the out Tunneln and include
a distribute list for each tunnel interface that resides on this router. If the more generic form of
distribute-list VLAN_ONLYout is used and the interface is not specified, the two remote routers do not
advertise the 10.0.0.0/8 network to each other over the inside LAN interface. This prevents the intended
load sharing from working. The HSRP active router must receive an advertisement for the head-end
network(s) from both the EIGRP neighbors on its tunnel interfaces as well as from the HSRP standby
router over the inside LAN interface.
The above EIGRP and IP addressing is shown because many traditional Frame Relay deployments
allocated their WAN, VLAN, and loopback interfaces from a contiguous address block allocated to each
remote location. This design is intended to introduce broadband as a backup and also load sharing into
an existing deployment.
A more simplistic configuration is to allocate the loopback interface that serves as the GRE tunnel source
for the remote routers from an address block not allocated to the remote location. For example, assuming
that this location has been allocated 10.0.68.0/22 addressing, the Loopback 0 interface for this site can
be 10.0.252.1 /32 and 10.0.252.2 / 32 for the next site.
The advantage in this lies in the elimination of the distribution list commands on the remote routers. The
network statement under router EIGRP 1068 can be changed from the following:
network 10.0.0.0
to the following:
network 10.0.68.0 0.0.3.255
The IPSec/GRE head-end routers, deploying dynamic crypto maps in a GRE configuration, can simply
have a summary route for the following:
ip route 10.0.252.0 255.255.252.0
This results in all the GRE tunnel destination addresses being routed out the interface with the dynamic
crypto map applied.
Remember the simple rule to eliminate recursive routing errors with GRE interfaces: do not advertise a
route through the tunnel that will include the tunnel endpoint. If you find it necessary to do so, you must
have a more specific network advertisement to the tunnel endpoint that is not through the tunnel interface
itself.
Also, for network management purposes, a second loopback address (Loopback 1) can be allocated from
the /22 address block of the site.
9-9
Chapter 9
Implementation
Figure 9-7
HSRP ACTIVE
132053
2600-18
Router 2600-18, the HSRP active router, has two routes in its routing table to network 10.0.0.0:
vpnjk-2600-18#show ip route 10.0.0.0 255.0.0.0
Routing entry for 10.0.0.0/8
Known via "eigrp 1068", distance 90, metric 297246976, type internal
Redistributing via eigrp 1068
Last update from 10.0.68.138 on Tunnel1, 20:01:07 ago
Routing Descriptor Blocks:
* 10.0.68.1, from 10.0.68.1, 20:01:07 ago, via FastEthernet0/1.204
Route metric is 297246976, traffic share count is 1
Total delay is 500100 microseconds, minimum bandwidth is 9 Kbit
Reliability 255/255, minimum MTU 1468 bytes
Loading 1/255, Hops 2
10.0.68.138, from 10.0.68.138, 20:01:07 ago, via Tunnel1
Route metric is 297246976, traffic share count is 1
Total delay is 500100 microseconds, minimum bandwidth is 9 Kbit
Reliability 255/255, minimum MTU 1476 bytes
Loading 1/255, Hops 1
These two equal cost paths are used to load share packets by Cisco Express Forwarding (CEF) per
source, per destination load sharing, or by fast switching per destination. Per packet load sharing can be
accomplished by process switching or CEF per packet; however, this is not recommended because of the
increased likelihood of incurring out-of-order packets in this topology. The two WANs may have
dramatically different latency characteristics.
vpnjk-2600-18#show ip eigrp topology 10.0.0.0 255.0.0.0
IP-EIGRP (AS 1068): Topology entry for 10.0.0.0/8
State is Passive, Query origin flag is 1, 2 Successor(s), FD is 297246976
Routing Descriptor Blocks:
10.0.68.138 (Tunnel1), from 10.0.68.138, Send flag is 0x0
Composite metric is (297246976/28160), Route is Internal
Vector metric:
Minimum bandwidth is 9 Kbit
Total delay is 500100 microseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 1476
Hop count is 1
10.0.68.1 (FastEthernet0/1.204), from 10.0.68.1, Send flag is 0x0
Composite metric is (297246976/297244416), Route is Internal
Vector metric:
9-10
OL-7102-01
Chapter 9
Note
The first composite metric number is the EIGRP metric that represents the cost to the destination. The
second number is the EIGRP metric that this peer advertised.
9-11
Chapter 9
Implementation
Figure 9-8
2600-22
1712-1
Tunnel 900
Delay 50000
IP
2600-23
Tunnel 0
Delay 49990
2600-18
IP
132054
2600-5
Tunnel 901
Delay 50010
Tunnel 1
Delay 50000
This is not necessarily a bad practice. The Frame Relay link on router 2600-18 has a Committed
Information Rate (CIR) of 512 kbps/512 kbps and a port speed of 1 Mbps, and the broadband link is 768
kbps/3 Mbps. The broadband path can provide substantially more bandwidth.
However, if the Frame Relay network generally provides access to the remote location at port speed and
if the broadband network is aDSL at 256 kbps/1.4 Mbps, it is better to at least load share or to prefer the
Frame Relay network. DSL is typically provisioned over ATM, which has substantially more Layer 2
overhead than Frame Relay.
Now on router 2600-23, the delay value on Tunnel 901 is changed to advertise an equal cost path to
router 2600-5.
vpnjk-2600-23#config t
Enter configuration commands, one per line.
vpnjk-2600-23(config)#interface tunnel 901
vpnjk-2600-23(config-if)#delay 49990
9-12
OL-7102-01
Chapter 9
vpnjk-2600-23(config-if)#end
vpnjk-2600-5#show ip route 10.0.68.0
Routing entry for 10.0.68.0/25
Known via "eigrp 1068", distance 90, metric 297246976, type internal
Redistributing via eigrp 1068
Last update from 10.2.124.23 on FastEthernet0/1.124, 00:00:07 ago
Routing Descriptor Blocks:
* 10.2.124.22, from 10.2.124.22, 00:00:07 ago, via FastEthernet0/1.124
Route metric is 297246976, traffic share count is 1
Total delay is 500100 microseconds, minimum bandwidth is 9 Kbit
Reliability 255/255, minimum MTU 1476 bytes
Loading 1/255, Hops 2
10.2.124.23, from 10.2.124.23, 00:00:07 ago, via FastEthernet0/1.124
Route metric is 297246976, traffic share count is 1
Total delay is 500100 microseconds, minimum bandwidth is 9 Kbit
Reliability 255/255, minimum MTU 1476 bytes
Loading 1/255, Hops 2
Now both WAN paths are used for the return path, as shown in Figure 9-9:
Figure 9-9
2600-22
1712-1
Tunnel 900
Delay 50000
IP
2600-23
Tunnel 0
Delay 49990
2600-18
IP
2600-5
132055
Tunnel 901
Delay 49990
Tunnel 901
Delay 50010
Tunnel 1
Delay 50000
Note that although Tunnel 0 and Tunnel 1 terminate on different branch routers, they both terminate on
the same head-end router; that is, 2600-22. While load-sharing across WAN links, a single head-end
router is decrypting all traffic from this branch.
This is not necessarily bad, because a good design implements sufficient crypto capacity to service all
remote branches on one surviving head-end. However, on the next branch, the network manager should
use delay values on the 900 series tunnel interfaces (902 and 903 perhaps) to prefer them over tunnel
interfaces 2 and 3. This spreads the load more equally across all head-end routers.
9-13
Chapter 9
Verification
Verification
This section describes two methods of verification, and includes the following topics:
Load Sharing
Load Sharing
To demonstrate the load sharing, an IP traffic stream is generated with a traffic generation IOS router to
simulate three traffic streams (ts#) from a single source IP address to three separate destination IP
addresses.
ts#
1 UDP
2 UDP
3 UDP
B8
B8
B8
tos
60
60
60
The degree of load sharing, or the balance of packets between the two uplinks, depends on the number
of hosts on the LAN and the number of flows. With one file transfer as the only traffic on the network
between two hosts, only a single path is used; however, in this topology, per packet load sharing is not
recommended because the likelihood of out-of-order packets is very likely given the dissimilar WAN
links in the topology.
Figure 9-10 shows how the 110 packets per second (pps) were split between the two uplinks: 50 pps on
the Frame Relay network and 60 pps on the broadband network.
Figure 9-10
Frame Relay/BroadbandVerification
Vlan 1
1712-1
Tunnel 900
Tunnel 0
IP traffic
stream
IP
IP
60 pps
2600-18
110 pps
Tunnel 901
Tunnel 1
50 pps
132056
FastEthernet0/1
The following list is a summary of the show interface commands issued to the routers under test.
Router 1712:
Vlan1
Vlan1 is up, line protocol is up
9-14
OL-7102-01
Chapter 9
management traffic as well as the load interval account for slight variations in the packet rates)
30 second output rate 1000 bps, 2 pps
Tunnel 0
Tunnel 0 is up, line protocol is up
MTU 1514 bytes, BW 9 kbps, DLY 499900 usec,
30 second input rate 0 bps, 0 pps
30 second output rate 40000 bps, 60 pps
Tunnel 900
Router 2600-18:
FastEthernet0/1
FastEthernet0/1 is up, line protocol is up
MTU 1500 bytes, BW 100000 kbps, DLY 100 usec,
5 minute input rate 74000 bps, 119 pps
5 minute output rate 37000 bps, 60 pps
Tunnel 1
Tunnel1 is up, line protocol is up
MTU 1514 bytes, BW 9 kbps, DLY 500000 usec,
30 second input rate 0 bps, 0 pps
30 second output rate 33000 bps, 50 pps
Tunnel 901
No test traffic routed out this interface
9-15
Chapter 9
Verification
Figure 9-11
Interface Vlan 1
1712-1
Tunnel 900
Tunnel 0
IP
2600-18
IP
Interface
FastEthernet0/1
Tunnel 1
132057
Tunnel 901
The NetFlow display shows that two of the flows are being sent back over the FastEthernet interface to
the 1712 router supporting the broadband connection.
vpnjk-2600-18#show ip cache flow | beg SrcIf
SrcIf
SrcIPaddress
DstIf
DstIPaddress
Fa0/1.204
10.0.68.2
Fa0/1.204
10.2.124.16
Fa0/1.204
10.0.68.2
Tu1
10.2.124.5
Fa0/1.204
10.0.68.2
Fa0/1.204
10.2.124.9
Fa0/1.204
10.0.68.1
Null
224.0.0.10
Note
The CEF exact-route command does not require traffic to be flowing to display the exact route. In fact,
this command was used to verify which IP addresses to configure for the destination addresses on the
traffic streams to generate this illustration.
9-16
OL-7102-01
Chapter 9
Table 9-1
Failure Scenario
Result
Configuration
This section describes the configuration of the components of the Frame Relay/broadband load sharing and
backup solution, and includes the following topics:
2600-22 Router
This is the first head-end router configuration:
! System image file is "flash:c2600-ik9o3s3-mz.122-15.T9"
version 12.2
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname vpnjk-2600-22
!
!
clock timezone est -5
clock summer-time edt recurring
ip subnet-zero
ip cef
!
9-17
Chapter 9
Configuration
!
crypto keyring GREEN
pre-shared-key hostname vpnjk-2600-18.ese.cisco.com key nosxlerx
pre-shared-key hostname vpn-jk2-1712-1.ese.cisco.com key siexrrax
!
crypto isakmp policy 10
encr 3des
group 2
!
crypto isakmp policy 20
encr 3des
authentication pre-share
# This config will respond to IKE Aggressive Mode
group 2
crypto isakmp keepalive 10
crypto isakmp profile AGGRESSIVE
description Profile for IKE Aggressive Mode
keyring GREEN
self-identity fqdn
match identity host domain ese.cisco.com
!
!
crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map DYNO-TEMPLATE 10
description dynamic crypto map
set transform-set 3DES_SHA_TUNNEL
match address GRE # This is an optional statement, see Caveats section
!
!
crypto map DYNO-MAP local-address FastEthernet0/1.100
crypto map DYNO-MAP 10 ipsec-isakmp dynamic DYNO-TEMPLATE
!
!
interface Tunnel0
description 1712
ip address 10.0.68.146 255.255.255.252
ip summary-address eigrp 1068 10.0.0.0 255.0.0.0 5
delay 49990
keepalive 10 3
tunnel source 192.168.131.22
tunnel destination 10.0.68.129
!
!
interface Tunnel1
description to 2600-18
ip address 10.0.68.138 255.255.255.252
ip summary-address eigrp 1068 10.0.0.0 255.0.0.0 5
keepalive 10 3
tunnel source 192.168.131.22
tunnel destination 10.0.68.253
!
interface FastEthernet0/1
description dot1q
no ip address
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet0/1.100
encapsulation dot1Q 100
ip address 192.168.131.22 255.255.255.224
crypto map DYNO-MAP
9-18
OL-7102-01
Chapter 9
!
interface FastEthernet0/1.124
encapsulation dot1Q 124
ip address 10.2.124.22 255.255.255.0
standby ip 10.2.124.99
!
router eigrp 100
network 10.0.0.0
network 192.168.130.0 0.0.1.255
no auto-summary
!
router eigrp 1068
# This AS is used for the Tunnel interfaces
network 10.0.0.0
no auto-summary
!
ip classless
!
!
If a crypto ACL is used, define one ACL line for each tunnel interface
!
ip access-list extended GRE
permit gre host 192.168.131.22 host 10.0.68.253
permit gre host 192.168.131.22 host 10.0.68.129
!
!
rtr responder
alias exec shca show crypto ipsec sa det | inc eer|life
!
ntp server 192.168.130.1
!
end
2600-23 Router
This is the second head-end router configuration:
! System image file is "flash:c2600-ik9o3s3-mz.122-15.T9"
version 12.2
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
!
hostname vpnjk-2600-23
!
!
clock timezone est -5
clock summer-time edt recurring
ip subnet-zero
!
!
!
crypto keyring GREEN
pre-shared-key hostname vpnjk-2600-18.ese.cisco.com key nosxlerx
pre-shared-key hostname vpn-jk2-1712-1.ese.cisco.com key siexrrax
!
crypto isakmp policy 10
encr 3des
authentication pre-share
# This config will respond to IKE Aggressive Mode
group 2
crypto isakmp keepalive 10
crypto isakmp profile AGGRESSIVE
description Profile to test Initiating Aggressive Mode
9-19
Chapter 9
Configuration
keyring GREEN
self-identity fqdn
match identity host domain ese.cisco.com
!
!
crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac
mode transport
no crypto ipsec nat-transparency udp-encaps
!
crypto dynamic-map DYNO-TEMPLATE 10
description dynamic crypto map
set transform-set 3DES_SHA_TUNNEL
match address GRE
# This is an optional statement, see Caveats section
qos pre-classify
!
!
crypto map DYNO-MAP local-address FastEthernet0/1.100
crypto map DYNO-MAP 10 ipsec-isakmp dynamic DYNO-TEMPLATE
!
!
!
interface Tunnel900
description Tunnel to vpn-jk2-1712-1
ip address 10.0.68.134 255.255.255.252
ip summary-address eigrp 1068 10.0.0.0 255.0.0.0 5
keepalive 10 3
tunnel source 192.168.131.23
tunnel destination 10.0.68.129
!
interface Tunnel901
description Tunnel to 2600-18 [over Frame]
ip address 10.0.68.142 255.255.255.252
ip summary-address eigrp 1068 10.0.0.0 255.0.0.0 5
delay 50010
keepalive 10 3
tunnel source 192.168.131.23
tunnel destination 10.0.68.253
!
interface FastEthernet0/1
description dot1q
no ip address
load-interval 30
duplex auto
speed auto
!
interface FastEthernet0/1.100
description vlan 100
encapsulation dot1Q 100
ip address 192.168.131.23 255.255.255.224
crypto map DYNO-MAP
!
!
interface FastEthernet0/1.124
description vlan 124
encapsulation dot1Q 124
ip address 10.2.124.23 255.255.255.0
standby ip 10.2.124.99
standby priority 110
!
router eigrp 1068
# This AS is used for the Tunnel interfaces
network 10.0.0.0
no auto-summary
!
9-20
OL-7102-01
Chapter 9
Note
A complete configuration for this router has not been shown; among other items, a V3PN service policy
has not been included in its entirety!
9-21
Chapter 9
Configuration
9-22
OL-7102-01
Chapter 9
ip route-cache flow
ip tcp adjust-mss 542
load-interval 30
delay 10
standby 68 ip 10.0.68.126
standby 68 priority 81
standby 68 preempt
!
interface Dialer1
description Outside
bandwidth 256
ip address negotiated
ip mtu 1492
encapsulation ppp
ip tcp adjust-mss 542
load-interval 30
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp chap refuse
ppp pap sent-username foo@cisco.com password 7
ppp ipcp dns request
ppp ipcp wins request
crypto map BROADBAND
!
router eigrp 1068
network 10.0.0.0
distribute-list VLAN_ONLY out Tunnel0
distribute-list VLAN_ONLY out Tunnel900
no auto-summary
no eigrp log-neighbor-warnings
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1 239 name Broadband
!
!
ip access-list standard VLAN_ONLY
permit 10.0.68.0 0.0.0.128
!
ip access-list extended GRE_to_22
permit gre host 10.0.68.129 host 192.168.131.22
ip access-list extended GRE_to_23
permit gre host 10.0.68.129 host 192.168.131.23
!
!
control-plane
!
rtr responder
rtr 99
type echo protocol ipIcmpEcho 10.2.124.99 source-ipaddr 10.0.68.1
tos 192
frequency 10
rtr schedule 99 life forever start-time now
!
end
9-23
Chapter 9
Configuration
9-24
OL-7102-01
Chapter 9
match ip dscp ef
class-map match-any
match ip dscp af31
match ip dscp cs3
class-map match-any
match ip dscp cs6
match access-group
class-map match-all
match ip dscp af21
CALL-SETUP
INTERNETWORK-CONTROL
name IKE
TRANSACTIONAL-DATA
!
!
policy-map TEST
class VOICE
priority 168
class INTERNETWORK-CONTROL
bandwidth percent 5
set dscp cs6
class TRANSACTIONAL-DATA
bandwidth percent 22
class class-default
fair-queue
!
!
!
!
interface Loopback0
ip address 10.0.68.253 255.255.255.255
!
interface Tunnel1
description to 2600-22
bandwidth 9
# This is the default value for a tunnel
ip address 10.0.68.137 255.255.255.252
load-interval 30
qos pre-classify
keepalive 10 3
tunnel source Loopback0
tunnel destination 192.168.131.22
!
interface Tunnel901
description 2600-23
ip address 10.0.68.141 255.255.255.252
load-interval 30
delay 50010
qos pre-classify
keepalive 10 3
tunnel source Loopback0
tunnel destination 192.168.131.23
!
interface Serial0/0
bandwidth 2000
no ip address
encapsulation frame-relay
load-interval 30
frame-relay traffic-shaping
frame-relay lmi-type cisco
!
Note: One physical interface, two PVCs
interface Serial0/0.100 point-to-point
description to vpn-jk-2600-20
bandwidth 512
ip address 10.0.65.1 255.255.255.252
frame-relay class ts-branch
frame-relay interface-dlci 100
class ts-branch
crypto map FRAME
9-25
Chapter 9
Configuration
!
interface Serial0/0.101 point-to-point
description to vpn-jk2-3640-1
bandwidth 512
ip address 10.0.65.5 255.255.255.252
frame-relay interface-dlci 101
class ts-branch
crypto map FRAME
!
interface FastEthernet0/1
no ip address
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet0/1.204
description VLAN 204
encapsulation dot1Q 204
ip address 10.0.68.18 255.255.255.128
standby 68 ip 10.0.68.126
standby 68 preempt
standby 68 track Tunnel1 20
# If this interface goes down, HSRP priority will
!
# decrease by 20. Note the 1712 has a default priority
!
# of 81, which is 19 less than this routers default
!
# value of 100.
standby 68 track Tunnel901
!
!
EIGRP is used to learn and advertise routes on the LAN and Tunnels
!
router eigrp 1068
passive-interface Serial0/0.100
passive-interface Serial0/0.101
network 10.0.0.0
distribute-list VLAN_ONLY out Tunnel1
distribute-list VLAN_ONLY out Tunnel901
no auto-summary
no eigrp log-neighbor-warnings
!
!
RIP is used to learn a route to 192.168.130.0/23, the IPSec/GRE head-ends
!
So RIP V2 is our WAN (Frame-Relay) routing protocol
router rip
version 2
passive-interface FastEthernet0/1.204
passive-interface Tunnel1
passive-interface Tunnel901
network 10.0.0.0
no auto-summary
!
!
ip access-list standard VLAN_ONLY
permit 10.0.68.0 0.0.0.128
!
ip access-list extended GRE_to_22
permit gre host 10.0.68.253 host 192.168.131.22
ip access-list extended GRE_to_23
permit gre host 10.0.68.253 host 192.168.131.23
ip access-list extended IKE
permit udp any eq isakmp any eq isakmp
!
!
map-class frame-relay ts-branch
frame-relay cir 486400
frame-relay bc 4864
frame-relay be 0
9-26
OL-7102-01
Chapter 9
Note
This is an abbreviated configuration. The only role for the head-end campus router in this configuration
is to demonstrate the ability to load share from campus to remote LAN network. This router and the two
IPSec/GRE head-end routers are EIGRP neighbors.
!
hostname vpnjk-2600-5
!
!
interface FastEthernet0/1.124
encapsulation dot1Q 124
ip address 10.2.124.5 255.255.255.0
!
!
router eigrp 1068
network 10.0.0.0
no auto-summary
!
end
Show Commands
This section contains Cisco IOS show commands as an illustration of Routing Information Protocol
Version 2 (RIP V2) configured on the Frame Relay network.
Some customers run RIP on their Frame Relay deployments because of its slower convergence and
perhaps less CPU and memory requirements than other protocols. Because of this, RIP V2 is configured
on the Frame Relay network so that the remote router can learn how to reach the network address of the
GRE and IPSec head-end routers in this configuration.
The Frame Relay router has one physical interface with two permanent virtual circuits (PVCs) to the
enterprise head-end routers. Because of this, there are two RIP learned routes in the routing table.
vpnjk-2600-18#show ip route rip
R
192.168.130.0/23 [120/1] via 10.0.65.2, 00:00:14, Serial0/0.100
[120/1] via 10.0.65.6, 00:00:21, Serial0/0.101
The above RIP route provides reachability for these destination addresses.
vpnjk-2600-18#show run | inc set peer|tunnel destination
set peer 192.168.131.22
set peer 192.168.131.23
tunnel destination 192.168.131.22
tunnel destination 192.168.131.23
9-27
Chapter 9
vpnjk-2600-23c2600-ik9o3s3-mz.122-15.T9
vpnjk-2600-22c2600-ik9o3s3-mz.122-15.T9
vpnjk-2600-18c2600-ik9o3s3-mz.122-15.T9
vpn-jk2-1712-1c1700-k9o3sy7-mz.123-7.T
Caveats
In the IPSec/GRE head-end configuration examples, dynamic crypto maps are used for the head-end
routers rather than static crypto maps. This is desirable because it saves head-end configuration lines,
and therefore configuration s ize and complexity. Because the topology runs both a routing protocol and
GRE keepalives in the tunnel interfaces, the IPSec tunnels are up and active at all times because of the
keepalives, so there is no technical reason that the head-end router must have a static crypto map.
Note
There may be no need to run both a Layer 2 and Layer 3 keepalive when one might suffice. If the Layer
3 keepalives are lost, the EIGRP neighbor goes down; if the GRE keepalives are lost, the tunnel interface
goes down. It may be desirable from a network management standpoint to be able to generate a Simple
Network Management Protocol (SNMP) trap when the GRE interface goes down.
On the dynamic crypto map, there is no need to specify an access list. When the IPSec tunnel comes up,
the remote router supplies the necessary access list and the reverse of it is dynamically entered in the
head-end crypto map entry.
As long as the remote peer is up, the GRE keepalives are encrypted and sent to the remote peer. If the
remote peer IPSec tunnel is not up, the head-end router sends GRE keepalives toward the Internet, and
because there is no crypto map access list statically defined, they are sent out the interface unencrypted.
User data traffic is not sent unencrypted, because the tunnel must be up before any user data is sent, but
GRE keepalives are sent unencrypted.
Most ISPs and enterprise customers block RFC 1918 addressing from reaching the Internet, and in the
configuration described in this chapter, RFC 1918 addresses are used for the tunnel source at the remote
router so that these unencrypted GRE packets can be blocked from reaching the Internet.
Even if unencrypted GRE keepalive packets reach an Internet router, it is unlikely to present a serious
security exposure; however, be aware of the implications of not specifying an ACL on a dynamic crypto
map with GRE tunnels.
Summary
With the increased availability of broadband WAN at price points that are similar to Basic Rate ISDN,
enterprise customers will look to this new technology to offer increased bandwidth for both backup and
load sharing applications.
9-28
OL-7102-01
C H A P T E R
10
Note
An Erlang is a unit of telecommunications traffic measurement. An Erlang represents the continuous use
of one voice path. Erlang traffic measurements (or estimates) can be used to determine how many
concurrent voice calls should be provisioned between multiple network locations.
This chapter includes the following sections:
Topology
Traffic Profile
Show Commands
Caveats
Summary
Topology
The topology under test, as shown in Figure 10-1, contains two Cisco 3725 routers with two serial
interfaces (WIC-2T) clocked internally.
10-1
Chapter 10
Traffic Profile
Figure 10-1
Multilink2
Chariot
Endpoints
vpn-jk2-3725-3
vpn-jk2-3725-4
vpn-jk-2600-5
IP
132058
IP
Chariot
Endpoints
The clockrate 1300000 command is used on one router serial interface to provide clocking for the lab
testing. A rate of 1.536 M or 1.544 M is not supported by Cisco IOS for this interface type when clocked
internally.
In testing, it is assumed that a branch of this size requires a separate router to increase the availability of
the site. In other words, it was not assumed the second T1 was for availability, but rather as a capacity
requirement.
Traffic Profile
The traffic profile in these tests include the typical ESE Enterprise Mix (EMIX) -G.729 voice calls,
transactional data (TN3270 and HTTP), and best effort including HTTP, SMTP, DNS, and FTP.
Simulated Video Conferencing is also included. As part of the standard Chariot tests, an H.261
NetMeeting video conference stream is included and was modified for these tests. The H.261 video
coding standard was designed for data rates that are multiples of 64 kbps, and is sometimes called
p x 64 kbps (p is in the range 130). This video codec was designed for ISDN lines, which add
capacity in increments of 64 kbps.
The default Chariot test has a buffer size of 522 bytes. The Layer 3 size of these UDP packets as reported
by NetFlow is approximately 559 bytes, the difference being the IP, UDP, and Chariot headers included
in the Layer 3 size of the packet. Note that this 559-byte packet does not include GRE, crypto, or PPP
encapsulation headers. When using IPSec transport mode, the packet is 626 bytes or 650 bytes per packet
using IPSec tunnel mode.
The Chariot target data rate is configured at 256 kbps, which equates to a video data stream of
approximately 58 pps. The Chariot file size for this video stream is 2,088,000 bytes. In the caveats
section, the testing ramifications of this file size are explored in more detail.
Shown in Figure 10-2 is a representation of the traffic flow used in these tests. The branch to head-end
flows are shown. The head-end to branch flows are similar in percentages. The average packet size is
shown for the respective categories.
Note
The Cisco 6729 IP Phone was used for voice and NetMeeting for video only (no audio).
10-2
OL-7102-01
Chapter 10
Figure 10-2
DNS
126
17%
0%
11%
Voice 60
FTP-PUT
1052 bytes
132059
FTP-PUT
acks 45
1%
71%
Note that in this traffic profile, the QoS service policy is provisioned for voice and video in percentages
of link bandwidth:
class VOICE
priority percent 18
class VIDEO-CONFERENCING
priority percent 15
The Call Admission Control parameters for this test limit the number of concurrent voice calls to less
than 18 percent of the available bandwidth, and the data rate of the video stream is sufficient for the
allocated bandwidth. In the test results documented in this chapter, the number of concurrent G.729
voice calls is eight. At approximately 56 kbps per call, the priority queue should have at least 448 kbps
(56 * 8).
vpn-jk2-3725-4#show policy-map interface multilink 2 out class VOICE
Multilink2
Service-policy output: V3PN_Branch
Class-map: VOICE (match-all)
96040 packets, 8450920 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: ip dscp ef
Queueing
Strict Priority
Output Queue: Conversation 264
Bandwidth 18 (%)
Bandwidth 468 (kbps) Burst 11700 (Bytes)
(pkts matched/bytes matched) 96041/13445040
(total drops/bytes drops) 0/0
Calculating an adequate size of the priority (LLQ) queue for encrypted video is not as straightforward
as for voice. Where voice packets are a fixed size, video packets can vary in size. As such, the crypto
overhead as a percentage of the unencrypted video packet varies based on the size of the packet. Smaller
packets have a higher percentage of crypto overhead than do large packets.
The rule of thumb for provisioning the video LLQ requirements is to add 20 percent to the configured
video data rate. Table 10-1 illustrates the crypto overhead associated with the packet size distribution of
a typical video stream.
10-3
Chapter 10
Traffic Profile
Table 10-1
Packet size
distribution
(bytes)1
V3PNVideo Provisioning
% of Packets2
Assuming video
packet of N bytes
IPSec tunnel
mode and GRE
byte increase
Percent increase
10251518
37%
1025
1104
8%
5131024
20%
513
592
15%3
257512
8%
257
336
31%
129256
34%
129
208
61%
The Chariot video stream simulated a 256 kbps video stream. Given that the average packet size in that
stream falls between 500 to 600 bytes, the crypto overhead can be assumed to be approximately 15
percent. Adding 15 percent crypto overhead to the video stream and then adding 20 percent to
accommodate video bursts, you should allocate at least 353 kbps. In testing, the recommended 15
percent bandwidth allocation for the 2.6 M link is 390 kbps, which is sufficient for the 256 kbps video
stream.
vpn-jk2-3725-4# show policy-map interface multilink 2 out class VIDEO-CONFERENCING
Multilink2
Service-policy output: V3PN_Branch
Class-map: VIDEO-CONFERENCING (match-all)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: ip dscp af41
Queueing
Strict Priority
Output Queue: Conversation 264
Bandwidth 15 (%)
Bandwidth 390 (kbps) Burst 9750 (Bytes)
(pkts matched/bytes matched) 0/0
(total drops/bytes drops) 0/0
In testing, this proved to be an acceptable allocation for the video stream. Note that both the VOICE and
VIDEO-CONFERENCING display show the same Output Queue Conversation number of 264. There is
only one Strict Priority queue. Although voice and video are provisioned separately, they share the same
queue. For this reason, interactive video conferencing is not recommended on link speeds that have
serialization (blocking) delay issues; namely, links below 768 kbps.
10-4
OL-7102-01
Chapter 10
The bandwidth values above are calculated from the derived multilink bandwidth:
vpn-jk2-3725-4#show int multilink 2 | inc BW
MTU 1500 bytes, BW 2600 Kbit, DLY 100000 usec,
The multilink bandwidth is derived from the member links, which in this case are two serial interfaces:
vpn-jk2-3725-4#show interface serial 1/0 | inc BW
MTU 1500 bytes, BW 1300 Kbit, DLY 20000 usec,
vpn-jk2-3725-4#show interface serial 1/1 | inc BW
MTU 1500 bytes, BW 1300 Kbit, DLY 20000 usec,
If the second T1 is installed for availability rather than capacity, it is better to specify the voice and video
bandwidth of the LLQ in absolute kbps values rather than a percentage.
For testing, three QoS service polices were tested. The legend on the chart lists them as default WRED,
Tuned WRED, and Voice + Video Tuned WRED. These test iterations and their policy map
configurations are shown in Table 10-2:
10-5
Chapter 10
Table 10-2
Test Iteration
Policy Map
Default WRED
policy-map V3PN_Branch
class CALL-SETUP
bandwidth percent 2
class INTERNETWORK-CONTROL
bandwidth percent 5
class VOICE
priority percent 33
class TRANSACTIONAL-DATA
bandwidth percent 22
class class-default
fair-queue
random-detect
Tuned WRED
policy-map V3PN_Branch
class CALL-SETUP
bandwidth percent 2
class INTERNETWORK-CONTROL
bandwidth percent 5
class VOICE
priority percent 33
class TRANSACTIONAL-DATA
bandwidth percent 22
class class-default
fair-queue
random-detect dscp-based
random-detect dscp 0
4
10
10
policy-map V3PN_Branch
class CALL-SETUP
bandwidth percent 2
class INTERNETWORK-CONTROL
bandwidth percent 5
class VOICE
priority percent 18
class TRANSACTIONAL-DATA
bandwidth percent 22
class VIDEO-CONFERENCING
priority percent 15
class class-default
fair-queue
random-detect dscp-based
random-detect dscp 0
4
10
10
The rationale for testing the tuned Weighted Random Early Detection (WRED) was to apply the concept
originally tested in the Voice and Video Enabled IPSec VPN (V3PN) Design Guide, where IPSec
anti-replay drops were reduced by decreasing the queue-limit in the individual bandwidth classes from
a default of 64 packets to much lower values.
Note
See the Voice and Video Enabled IPSec VPN (V3PN) Design Guide at the following URL:
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/V3PN_SRND/V3PN_SRND
.html.
Because the queue-limit command is not germane with WRED enabled, the minimum and maximum
thresholds for the best effort traffic in class default. The command format is the following:
10-6
OL-7102-01
Chapter 10
As can be seen in Table 10-2, the min-threshold was set at 4 packets, max-threshold was set at 10
packets, and the default of .1 or 10 percent was not changed.
With WRED enabled but using default values, no drops were encountered on the output service policy,
with the min-threshold at 4 and max-threshold at 10. In general, the anti-replay drops decreased slightly
and output interface queue drops were registered.
However, it is important to note that anti-replay drops on all tests, using Multilink PPP or Inverse
Multiplexing over ATM (IMA) were always less than 1 percent of packets decrypted given these link
speeds of 2.63 M. In these tests, the priority or LLQ does not exceed 33 percent of the link.
Table 10-3 shows the relevant performance metrics:
Table 10-3
Performance Metrics
Voice
milliseconds1
Number data
Jitter
Latency
(goal <8) (goal< 50)
G.729
Calls
Mbps
in/out
Default WRED
2.4
7.9
15
2.4 M
Tuned WRED
2.5
6.3
15
2.5 M
2.3
6.7
CPU
3.4 M
28%
28%
2
21%
In all three tests, voice jitter and latency was well below the testing goal of 8 ms and 50 ms respectively.
Voice lost is not shown, but was approaching 0 percent in all tests.
The hardware encryption acceleration module was an AIM-VPN/EPII VPN Hardware Module. The
router had 248832K/13312K bytes of memory.
Remote Router
Head-end Router
Remote Router
Following is the remote router configuration:
!
version
service
service
service
!
12.3
timestamps debug datetime msec
timestamps log datetime msec
password-encryption
10-7
Chapter 10
hostname vpn-jk2-3725-3
!
boot-start-marker
boot system flash:c3725-ik9o3s-mz.123-6
boot-end-marker
!
enable secret 5 [removed]
!
clock timezone est -5
clock summer-time edt recurring
no network-clock-participate slot 1
no network-clock-participate slot 2
no network-clock-participate wic 0
no network-clock-participate wic 1
no network-clock-participate wic 2
no network-clock-participate aim 0
no network-clock-participate aim 1
no aaa new-model
ip subnet-zero
!
ip cef
no ip domain lookup
ip domain name ese.cisco.com
ip host ect-msca 172.26.179.237
ip host harry 172.26.176.10
!
ip audit po max-events 100
no ftp-server write-enable
!
!
class-map match-all VOICE
match ip dscp ef
class-map match-all VIDEO-CONFERENCING
match ip dscp af41
class-map match-any CALL-SETUP
match ip dscp af31
match ip dscp cs3
class-map match-any INTERNETWORK-CONTROL
match ip dscp cs6
match access-group name IKE
class-map match-all TRANSACTIONAL-DATA
match ip dscp af21
!
!
policy-map V3PN_Branch
class CALL-SETUP
bandwidth percent 2
class INTERNETWORK-CONTROL
bandwidth percent 5
class VOICE
priority percent 18
# See previous section for changes between test iterations
class TRANSACTIONAL-DATA
bandwidth percent 22
class VIDEO-CONFERENCING
priority percent 15
class class-default
fair-queue
random-detect dscp-based
random-detect dscp 0
4
10
10
!
!
!
crypto isakmp policy 20
encr 3des
10-8
OL-7102-01
Chapter 10
authentication pre-share
group 2
crypto isakmp keepalive 10
!
crypto isakmp peer address 192.168.255.3
set aggressive-mode password 77-80-69_24.1_WW-748
set aggressive-mode client-endpoint fqdn Store_223.ese.cisco.com
crypto isakmp profile AGGRESSIVE
description _
self-identity fqdn
match identity host domain ese.cisco.com
initiate mode aggressive
!
!
crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto map PRIMARY_LINK 1 ipsec-isakmp
description Crypto Map for Primary Path
set peer 192.168.255.3
set transform-set 3DES_SHA_TUNNEL
match address GRE_MAP_ACL
qos pre-classify
!
interface Loopback0
description lo0
ip address 10.0.80.254 255.255.255.255
!
interface Multilink2
description Multilink2
bandwidth 2600
# See V3PN Service Policy Section
ip address 192.168.193.18 255.255.255.252
service-policy output V3PN_Branch
ip route-cache flow
load-interval 30
ppp multilink
ppp multilink slippage msec 26
ppp multilink links minimum 2
ppp multilink group 2
crypto map PRIMARY_LINK
!
interface Tunnel0
description Tunnel0
# Note no crypto map on Tunnel interface
ip address 10.0.80.250 255.255.255.252
qos pre-classify
keepalive 10 3
# No routing protocol configured,
!
# rather GRE keepalive
tunnel source Loopback0
tunnel destination 192.168.255.3
!
interface FastEthernet0/1
description FastEthernet0/1
no ip address
ip route-cache flow
load-interval 30
duplex auto
speed auto
!
interface FastEthernet0/1.212
description FastEthernet0/1.212
encapsulation dot1Q 212
ip address 10.0.80.1 255.255.255.128
!
interface Serial1/0
10-9
Chapter 10
description Serial1/0
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 2
!
interface Serial1/1
description Serial1/1
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 2
!
ip http server
no ip http secure-server
ip classless
!
No routing protocol configured on this router.
ip route 0.0.0.0 0.0.0.0 Multilink2 249
ip route 10.3.0.0 255.255.255.128 Tunnel0 237
!
ip access-list extended CRYPTO_MAP_ACL
permit ip 10.0.80.0 0.0.0.127 any
ip access-list extended GRE_MAP_ACL
permit gre host 10.0.80.254 host 192.168.255.3
ip access-list extended IKE
permit udp any eq isakmp any eq isakmp
!
snmp-server community private RW
snmp-server community public RO
snmp-server system-shutdown
snmp-server enable traps tty
!
!
line con 0
exec-timeout 120 0
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
password 7 [removed]
login
transport preferred all
transport input all
transport output all
!
ntp source FastEthernet0/1.212
!
end
Head-end Router
Following is the head-end router configuration:
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname vpn-jk2-3725-4
10-10
OL-7102-01
Chapter 10
!
boot-start-marker
boot system flash:c3725-ik9o3s-mz.123-6
boot-end-marker
!
enable secret 5 [removed]
!
clock timezone est -5
clock summer-time edt recurring
no network-clock-participate slot 1
no network-clock-participate slot 2
no network-clock-participate wic 0
no network-clock-participate wic 1
no network-clock-participate wic 2
no network-clock-participate aim 0
no network-clock-participate aim 1
no aaa new-model
ip subnet-zero
!
ip cef
no ip domain lookup
ip domain name ese.cisco.com
ip host ect-msca 172.26.179.237
ip host harry 172.26.176.10
!
ip audit po max-events 100
no ftp-server write-enable
!
!
class-map match-all VOICE
match ip dscp ef
class-map match-all VIDEO-CONFERENCING
match ip dscp af41
class-map match-any CALL-SETUP
match ip dscp af31
match ip dscp cs3
class-map match-any INTERNETWORK-CONTROL
match ip dscp cs6
match access-group name IKE
class-map match-all TRANSACTIONAL-DATA
match ip dscp af21
!
!
policy-map V3PN_Branch
# See comments in remote routers policy-map configuration
class CALL-SETUP
bandwidth percent 2
class INTERNETWORK-CONTROL
bandwidth percent 5
class VOICE
priority percent 18
class TRANSACTIONAL-DATA
bandwidth percent 22
class VIDEO-CONFERENCING
priority percent 15
class class-default
fair-queue
random-detect dscp-based
random-detect dscp 0
4
10
10
!
!
crypto keyring Purple_Stores
pre-shared-key hostname Store_223.ese.cisco.com key 77-80-69_24.1_WW-748
!
crypto isakmp policy 20
10-11
Chapter 10
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10
crypto isakmp profile AGGRESSIVE
description _
keyring Purple_Stores
self-identity fqdn
match identity host domain ese.cisco.com
!
!
crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto dynamic-map DYNO-TEMPLATE 10
# Dynamic Crypto Maps with GRE and IKE Aggressive
description dynamic crypto map
# mode in this configuration
set transform-set 3DES_SHA_TUNNEL
qos pre-classify
!
!
crypto map DYNO-MAP local-address Loopback0
crypto map DYNO-MAP 10 ipsec-isakmp dynamic DYNO-TEMPLATE
!
!
!
interface Loopback0
description lo0
ip address 192.168.255.3 255.255.255.255
!
interface Multilink2
description Multilink2
bandwidth 2600
ip address 192.168.193.17 255.255.255.252
service-policy output V3PN_Branch
ip route-cache flow
load-interval 30
ppp multilink
ppp multilink slippage msec 26
ppp multilink links minimum 2
ppp multilink group 2
crypto map DYNO-MAP
!
interface Tunnel0
description Tunnel0
ip address 10.0.80.249 255.255.255.252
qos pre-classify
keepalive 10 3
tunnel source Loopback0
tunnel destination 10.0.80.254
!
interface FastEthernet1/0
description dot1q
no ip address
ip route-cache flow
load-interval 30
duplex auto
speed auto
!
interface FastEthernet1/0.128
encapsulation dot1Q 128
ip address 10.2.128.3 255.255.255.0
!
interface Serial1/0
description Serial1/0
10-12
OL-7102-01
Chapter 10
no ip address
encapsulation ppp
clockrate 1300000
ppp multilink
ppp multilink group 2
!
interface Serial1/1
description Serial1/1
no ip address
encapsulation ppp
clockrate 1300000
ppp multilink
ppp multilink group 2
!
router eigrp 100
redistribute static metric 2600 1000 255 1 1500 route-map PERMIT_80
network 10.0.0.0
!
# We should have included a passive interface command
!
# because we are not expecting to form a neighbor relationship
!
# across the GRE tunnel
distribute-list 10 in FastEthernet1/0.128
no auto-summary
no eigrp log-neighbor-warnings
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Multilink2 249
ip route 10.0.80.0 255.255.255.128 Tunnel0 237
!
!
!
ip access-list extended IKE
permit udp any eq isakmp any eq isakmp
access-list 10 permit 10.3.0.0
access-list 10 deny
any
access-list 80 permit 10.0.80.0
!
route-map PERMIT_80 permit 10
description To only allow 10.0.80.0/24
match ip address 80
!
snmp-server community private RW
snmp-server community public RO
snmp-server system-shutdown
snmp-server enable traps tty
!
!
line con 0
exec-timeout 120 0
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
password 7 [removed]
login
transport preferred all
transport input all
transport output all
!
ntp server 192.168.130.1
!
10-13
Chapter 10
Show Commands
end
Show Commands
According to the interface counters, the interface is running in the 8084 percent utilization range with
a load interval of 30 seconds.
Multilink2 is up, line protocol is up
Hardware is multilink group interface
Description: Multilink2
Internet address is 192.168.193.18/30
MTU 1500 bytes, BW 2600 Kbit, DLY 100000 usec,
reliability 255/255, txload 207/255, rxload 214/255
Encapsulation PPP, LCP Open, multilink Open
Open: CDPCP, IPCP, loopback not set
DTR is pulsed for 2 seconds on reset
Last input 00:00:07, output never, output hang never
Last clearing of "show interface" counters 00:02:25
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1570
Queueing strategy: weighted fair
Output queue: 6/1000/64/1570 (size/max total/threshold/drops)
Conversations 1/4/256 (active/max active/max total)
Reserved Conversations 3/3 (allocated/max allocated)
Available Bandwidth 338 kilobits/sec
30 second input rate 2185000 bits/sec, 683 packets/sec
30 second output rate 2111000 bits/sec, 682 packets/sec
99861 packets input, 39534594 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
100101 packets output, 39145904 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
10-14
OL-7102-01
Chapter 10
Transmitted
pkts/bytes
0/0
0/0
0/0
0/0
0/0
Random drop
pkts/bytes
0/0
0/0
0/0
0/0
0/0
Tail drop
pkts/bytes
0/0
0/0
0/0
0/0
0/0
Minimum Maximum
thresh thresh
32
40
28
40
24
40
32
40
28
40
Mark
prob
1/10
1/10
1/10
1/10
1/10
10-15
Chapter 10
af23
af31
af32
af33
af41
af42
af43
cs1
cs2
cs3
cs4
cs5
cs6
cs7
ef
rsvp
default
0/0
0/0
0/0
0/0
0/0
0/0
0/0
0/0
0/0
0/0
0/0
0/0
23/2912
0/0
0/0
0/0
33049/25916882
0/0
0/0
0/0
0/0
0/0
0/0
0/0
0/0
0/0
0/0
0/0
0/0
0/0
0/0
0/0
0/0
963/825988
0/0
0/0
0/0
0/0
0/0
0/0
0/0
0/0
0/0
0/0
0/0
0/0
0/0
0/0
0/0
0/0
0/0
24
32
28
24
32
28
24
22
24
26
28
30
32
34
36
36
4
40
40
40
40
40
40
40
40
40
40
40
40
40
40
40
40
10
1/10
1/10
1/10
1/10
1/10
1/10
1/10
1/10
1/10
1/10
1/10
1/10
1/10
1/10
1/10
1/10
1/10
Caveats
This section describes the caveats to the Multilink PPP solution, and includes the following topics:
10-16
OL-7102-01
Chapter 10
The 16 packets dropped in this test all occurred in the last few seconds of the video stream when the
session was closing, so this loss behavior is thus marked against the test tool and is not an issue with
Cisco IOS or configuration.
Summary
This chapter includes performance results and configuration examples for features that have not been
tested by ESE to date. These include interactive video conferencing in the traffic profile and the use of
Multilink PPP for data rates above E1 but less than T3. WRED has also been included in class default,
where the initial V3PN site-to-site testing used a fair queue configuration. Tuning the WRED parameters
was also tested. Although various router hardware platforms were not exhaustively tested (only the Cisco
3725 was tested), the viability of encrypted voice and video was demonstrated. Also, note that the
incidence of anti-replay drops in a higher data rate multilink configuration exhibits similar
characteristics to the sub-E1/T1 rates previously tested.
10-17
Chapter 10
Summary
10-18
OL-7102-01
C H A P T E R
11
Topology
Performance
Summary
Topology
The topology is identical to the previous section with the exception of replacing the Multilink PPP
configured dual serial links with IMA adapters. (See Figure 11-1.)
Figure 11-1
ATM2/IMA0.1
point-to-point
Chariot
Endpoints
vpn-jk2-3725-3
vpn-jk2-3725-4
vpn-jk-2600-5
IP
132060
IP
Chariot
Endpoints
11-1
Chapter 11
Head-end Router
Following is the head-end router configuration:
!
hostname vpn-jk2-3725-4
!
interface ATM2/0
description ATM2/0
no ip address
no atm ilmi-keepalive
ima-group 0
clock source internal
no scrambling-payload
!
interface ATM2/1
description ATM2/1
no ip address
no atm ilmi-keepalive
ima-group 0
clock source internal
no scrambling-payload
!
interface ATM2/2
no ip address
shutdown
no atm ilmi-keepalive
clock source internal
no scrambling-payload
!
interface ATM2/3
no ip address
shutdown
no atm ilmi-keepalive
clock source internal
no scrambling-payload
!
interface ATM2/IMA0
description ATM2/IMA0
no ip address
ip route-cache flow
load-interval 30
no atm ilmi-keepalive
ima active-links-minimum 2
ima clock-mode common 0
ima differential-delay-maximum 26
# Default value is 25ms, 26 used so it will
!
# show in the configuration
interface ATM2/IMA0.1 point-to-point
description ATM2/IMA0.1
bandwidth 3072
ip address 192.168.193.13 255.255.255.252
crypto map DYNO-MAP
# Same dynamic crypto map/tunnel interface as MLPPP
pvc YELLOW 0/100
vbr-nrt 3072 3072
# Highest value supported.
oam-pvc manage
11-2
OL-7102-01
Chapter 11
oam retry 5 5 5
service-policy output V3PN_Branch
# Same as MLPPP
!
!
ip route 0.0.0.0 0.0.0.0 ATM2/IMA0.1 250
ip route 10.0.80.0 255.255.255.128 Tunnel0 237
...
end
Remote Router
Following is the remote router configuration:
!
hostname vpn-jk2-3725-3
!
interface ATM2/0
description ATM2/0
no ip address
no atm ilmi-keepalive
ima-group 0
no scrambling-payload
!
interface ATM2/1
description ATM2/1
no ip address
no atm ilmi-keepalive
ima-group 0
no scrambling-payload
!
interface ATM2/2
no ip address
shutdown
no atm ilmi-keepalive
no scrambling-payload
!
interface ATM2/3
no ip address
shutdown
no atm ilmi-keepalive
no scrambling-payload
!
interface ATM2/IMA0
description ATM2/IMA0
no ip address
ip route-cache flow
load-interval 30
no atm ilmi-keepalive
ima active-links-minimum 2
ima clock-mode common 0
ima differential-delay-maximum 26
!
interface ATM2/IMA0.1 point-to-point
description ATM2/IMA0.1
bandwidth 3072
ip address 192.168.193.14 255.255.255.252
crypto map PRIMARY_LINK
pvc YELLOW 0/100
vbr-nrt 3072 3072
oam-pvc manage
oam retry 5 5 5
11-3
Chapter 11
Performance
end
Performance
The performance results shown in Table 11-1 were produced using similar traffic profiles and QoS
policies as described in Chapter 10, Large BranchMultilink PPP.
Table 11-1
Cisco 3725
ATM/ATA
2 links 3072 Kbps total
Voice
milliseconds
Number data
Jitter
Latency
(goal <8) )goal< 50)
G.729
Calls
Mbps
in/out
Default WRED
5.4
16.7
15
2.9M
22%
Tuned WRED
5.3
14.1
15
2.9M
23%
Voice + Video
4.7
14.4
3.9M
19%
CPU
Tuned WRED
Because the amount of raw bandwidth was slightly higher in the IMA configuration, one additional voice
call was added in the IMA voice and video test. The Chariot test for the IMA testing included
proportionally more flows of the same applications as well.
In the PVC configuration for the IMA subinterface, the vbr-nrt parameter was configured at the highest
configurable value, 3072 kbps, while the Multilink PPP interfaces were clocked individually at
1,300,000. This difference accounts for the slightly higher throughput of data in the test results. However
recall that the ATM cell tax is appreciable higher than the overhead associated with Multilink PPP, so
that the gain in bandwidth is offset to some extent.
It should be noted that although the voice latency in these tests was well within the goal of being less
than 50 ms, it was higher than the Multilink PPP values. However overall CPU averaged lower.
Summary
These performance results along with the Multilink PPP results demonstrate the viability of V3PN with
data rates above E1.
11-4
OL-7102-01
A P P E N D I X
Lab Topology
Figure A-1shows the lab topology used as the basis for this design guide.
Figure A-1
Lab Topology
-28
HDLC
-24
HDLC
-1711-1
-6
-3725-1
DMVPN
AS 65003
-1712-1
224
220
-2691-1
-4
DSL SP
-1751-1
AS 65030
VLAN
100
VLAN 51
-3 192.168.128.0/18
-7
192.168.16.0/20
Cable Service
Provider
AS 65004
-27
192.168.32.0/20
-22
VLAN 52
192.168.192.0/18
-3640-1
GRE
-7206-2
124
-23
-8
IPsec
208
102
-30
-29
120
-9
128
-20
212
104
-26
-25
216
Frame-Relay
-18
-2
3080
Service Provider
-5
IP
300
302
132061
10.0.64.0/18
-11
IP
-1
Pagent/ Chariot
-19
A-1
Appendix A
Lab Topology
A-2
OL-7102-01
A P P E N D I X
Documents
For best-practice information on designing and implementing enterprise IP Security (IPSec) virtual
private networks (VPNs), see the following URL:
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/networking_solutions_packages_list.html.
B-1
Appendix B
Websites
Websites
NetFlowhttp://www.cisco.com/en/US/products/ps6601/products_ios_protocol_group_home.html
B-2
OL-7102-01
A P P E N D I X
Definition
3DES
ACL
AES
AH
Authentication header
AIM
ATM
AVVID
CA
Certificate authority
CAC
CANI
CAR
CBWFQ
CEF
CPE
cRTP
DES
DLSw
DMZ
De-militarized zone
DNS
DSL
EIGRP
ESP
FIFO
FR
Frame Relay
FRTS
FTP
GRE
C-1
Appendix C
Term
Definition
IKE
IOS
IP
Internet Protocol
IPMc
IP Multicast
IPSec
IP Security
IP GRE
See GRE
ISA
ISM
ISP
Layer 2
Layer 3
Layer 4
LFI
LLQ
L2TP
MDRR
MLPPP
MPLS
MTU
NAT
NetFlow
OSPF
PAT
PBR
Policy-Based Routing
PE
Premises equipment
PPTP
PVC
QoS
Quality of service
RTP
Real-Time Protocol
SA
Security association
SHA-1
SLA
SNMP
SOHO
SRST
TCP
TED
C-2
OL-7102-01
Appendix C
Term
Definition
ToS
Type of service
UDP
VAD
VoIP
Voice over IP
V PN
VAM
VPN
WAN
WRED
C-3
Appendix C
C-4
OL-7102-01