Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
© 2003, Cisco Systems, Inc. All rights reserved. VVT-2011 7972_05_2003_c2
Designing Voice-Enabled IPSec VPNs
Session VVT-2011
Agenda
• Overview
• Planning and Design
• Performance
• Pitfalls and Troubleshooting
• Summary
• Appendix
Voice-Enabled IPSec VPNs Deployment Model (figure)
• Voice over IP (VoIP)
• Quality of Service (QoS)
• IP Security (IPSec)
Figure elements: IPSec VPN tunnels across the Service Provider/Internet; SOHO VPN (Small Office Home Office) teleworkers; site-to-site VPN to large and small branches; VPN headend at the central site; remote access (SW client).
Overview
• Bandwidth provisioning
IPSec/GRE add overhead to IP packets
• Voice over IP (VoIP)
Benefits from IPSec encryption hardware acceleration
• Quality of Service (QoS)
QoS and IPSec interaction
• Service Provider capabilities
WAN Topology—Site to Site (figure)
• End-to-end QoS available to Enterprise and Service Provider
Figure elements: Cisco CallManager at the enterprise campus behind WAN aggregation; IPSec head ends; Certificate Authority; IPSec branch routers (Cisco 17xx, 26xx, 36xx, 37xx); Frame Relay/Internet T1 service provider.
WAN Topology—SOHO (figure)
Cable (DOCSIS 1.0) and DSL (PPPoE) in the Service Provider’s network: best effort, no QoS.
Figure elements: IPSec SOHO routers (Cisco 837/831/17xx) behind a DSL bridge or cable modem; DSLAM/IP DSL switch and ATM; broadband router; service provider; IPSec head ends; Certificate Authority; Cisco CallManager.
General Design Recommendations
• Voice and data transport
IPSec tunnel or transport mode for Generic Routing Encapsulation (GRE) tunnels—site to site
IPSec only—SOHO and teleworker
• Head-end redundancy
Multiple crypto peers and IKE keepalive
Routing protocol/GRE keepalive
• Strong crypto (3DES)/hardware acceleration
• QoS-enabled by Enterprise/Service Provider
Planning and Design
• Voice over IP
• QoS
• IPSec
• Service Provider
• Tools
Voice over IP—An Application with Special Requirements
• Packets arrive at a constant rate
• Arrival rate in “per call” increments
• Quality a function of:
Latency—over 250ms people will speak at the same time
Jitter—jitter buffer manages reasonable jitter
Drops—less noticeable when spread over time
Consistency—does the performance level vary widely
• An additional call can’t degrade existing calls—Call Admission Control (CAC)
VoIP Design Parameters
• G.729 CODEC (Coder-Decoder) recommended for <= T1 links
• CAC not changed from traditional deployments
• FRF.12/LFI for low speed (<768Kbps) links
• Shaping: use a 10ms interval (Frame Relay, MLPPP, CBWFQ)
• No changes required to CallManager or IP phone
• Hardware encryption accelerators required for predictable latency and jitter
• Compressed RTP (cRTP) will not compress encrypted packets
Hardware Encryption Acceleration
• Jitter more than 50% lower with HW encryption
• Critical for VoIP to minimize latency and jitter
• Supported by all classes of products, 83x through 65xx
Cisco 800 Series Performance Example (figure): average jitter (ms) and average delay (ms) at 192kbps and 256kbps link speeds, Cisco 806 (software encryption) vs. Cisco 831 (hardware encryption).
IPSec and cRTP (figure)
Traffic destined for the interface is classified as RTP traffic (video, audio, etc.) or non-RTP; RTP traffic passes through the RTP compressor and the configured queuing to the transmit queue and output line. The compressor normally reduces the IP/UDP/RTP headers (20 + 8 + 12 bytes) to 5 bytes, but the RTP/UDP/IP header is already encrypted when the packet reaches the compressor, so the compressor cannot identify it (“Huh?”).
IPSec and cRTP (figure: VPN site to head-end VPN over an IPSec tunnel)
• cRTP functions hop by hop on low speed links
• IPSec tunnels often span multiple hops
• Development is underway to compress headers prior to encryption
• cRTP not recommended on high-speed links—link efficiency at the expense of CPU consumption
G.711 CODEC with GRE and IPSec
G.711: 200 bytes = IP Hdr 20 + UDP 8 + RTP 12 + Voice 160
IP GRE: 224 bytes = GRE IP Hdr 20 + GRE 4 + IP Hdr 20 + UDP 8 + RTP 12 + Voice 160
IPSec ESP tunnel mode: 280 bytes = IPSec Hdr 20 + ESP Hdr 8 + ESP IV 8 + [GRE IP Hdr 20 + GRE 4 + IP Hdr 20 + UDP 8 + RTP 12 + Voice 160 + ESP Pad/NH 2–257] + ESP Auth 12
Encrypted: the GRE packet and ESP Pad/NH. Authenticated: ESP Hdr through ESP Pad/NH.
G.729 CODEC with GRE and IPSec
G.729: 60 bytes = IP Hdr 20 + UDP 8 + RTP 12 + Voice 20
IP GRE: 84 bytes = GRE IP Hdr 20 + GRE 4 + IP Hdr 20 + UDP 8 + RTP 12 + Voice 20
IPSec ESP tunnel mode: 136 bytes = IPSec Hdr 20 + ESP Hdr 8 + ESP IV 8 + [GRE IP Hdr 20 + GRE 4 + IP Hdr 20 + UDP 8 + RTP 12 + Voice 20 + ESP Pad/NH 2–257] + ESP Auth 12
Encrypted: the GRE packet and ESP Pad/NH. Authenticated: ESP Hdr through ESP Pad/NH.
G.729 CODEC IPSec Only, No GRE
G.729: 60 bytes = IP Hdr 20 + UDP 8 + RTP 12 + Voice 20
IPSec ESP tunnel mode: 112 bytes = IPSec Hdr 20 + ESP Hdr 8 + ESP IV 8 + [IP Hdr 20 + UDP 8 + RTP 12 + Voice 20 + ESP Pad/NH 2–257] + ESP Auth 12
Encrypted: the original IP packet and ESP Pad/NH. Authenticated: ESP Hdr through ESP Pad/NH.
G.729 CODEC IPSec NAT Transparency
NAT transparency is enabled by default beginning in 12.2(13)T. This feature adds 16 bytes per packet (UDP header 8 + non-IKE marker 8), or 6,400 bps per G.729 call. To disable it:
no crypto ipsec nat-transparency udp-encapsulation
G.729: 60 bytes = IP Hdr 20 + UDP 8 + RTP 12 + Voice 20
IPSec ESP tunnel mode, UDP encapsulation: 128 bytes = IPSec Hdr 20 + UDP Hdr 8 + Non-IKE Mkr 8 + ESP Hdr 8 + ESP IV 8 + [IP Hdr 20 + UDP 8 + RTP 12 + Voice 20 + ESP Pad/NH 2–257] + ESP Auth 12
Encrypted: the original IP packet and ESP Pad/NH. Authenticated: ESP Hdr through ESP Pad/NH.
VoIP + IPSec Bandwidth Calculation (esp-3des esp-sha-hmac, 50 pps per call)
CODEC   GRE and IPSec Tunnel Mode                 IPSec Tunnel Mode                         Adding Layer 2 Overhead
G.711   280 bytes per packet, 112,000 bits/sec    256 bytes per packet, 102,400 bits/sec    114K to 128K bits/sec
G.729   136 bytes per packet, 54,400 bits/sec     112 bytes per packet, 44,800 bits/sec     56K to 64K bits/sec
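The packet-size and bandwidth figures on the preceding slides follow from a few fixed header sizes, so they can be recomputed for any codec or packetization rate. The following Python is an added example, not code from the Cisco presentation; it assumes the header sizes the slides show (IP 20, UDP 8, RTP 12, GRE 4, ESP header 8, 3DES IV 8, pad length/next header 2, SHA-1 HMAC authentication 12, NAT-T UDP 8 + non-IKE marker 8) and a 20 ms packetization interval (50 pps).

```python
# Added example, not code from the Cisco presentation: per-packet IPSec/GRE
# overhead and per-call bandwidth for the codec and packetization values the
# slides use (G.711 160-byte and G.729 20-byte payloads at 50 pps).
# Header sizes follow the slide breakdowns: IP 20, UDP 8, RTP 12, GRE 4,
# ESP header 8 (SPI + sequence), ESP IV 8 (3DES), pad length + next header 2,
# ESP authentication 12 (SHA-1 HMAC-96), NAT-T UDP header 8 + non-IKE marker 8.

IP_HDR, UDP_HDR, RTP_HDR, GRE_HDR = 20, 8, 12, 4
ESP_HDR, ESP_TRAILER, ESP_AUTH = 8, 2, 12
NAT_T_UDP, NAT_T_MARKER = 8, 8

CODEC_PAYLOAD = {"G.711": 160, "G.729": 20}   # voice bytes per 20 ms packet
PPS = 50                                        # packets per second per call


def voice_packet(codec):
    """Plain IP/UDP/RTP voice packet size in bytes."""
    return IP_HDR + UDP_HDR + RTP_HDR + CODEC_PAYLOAD[codec]


def gre_encap(size):
    """IP GRE adds an outer IP header and a 4-byte GRE header."""
    return size + IP_HDR + GRE_HDR


def esp_pad_len(size, block=8):
    """ESP pads so that payload + 2-byte trailer is a multiple of the cipher block."""
    return (-(size + ESP_TRAILER)) % block


def esp_tunnel(size, iv_len=8, block=8, nat_t=False):
    """ESP tunnel mode: new IP header, [NAT-T UDP + marker], ESP header, IV,
    padded payload + trailer, authentication. Defaults are esp-3des esp-sha-hmac."""
    total = (IP_HDR + ESP_HDR + iv_len + size + esp_pad_len(size, block)
             + ESP_TRAILER + ESP_AUTH)
    if nat_t:
        total += NAT_T_UDP + NAT_T_MARKER
    return total


def call_bps(bytes_per_packet, pps=PPS):
    """Layer 3 bits per second for one call, before layer 2 overhead."""
    return bytes_per_packet * 8 * pps


def bandwidth_table():
    """Rebuild the slide's table: bytes per packet and bps per call, with and without GRE."""
    rows = {}
    for codec in CODEC_PAYLOAD:
        plain = voice_packet(codec)
        with_gre = esp_tunnel(gre_encap(plain))
        no_gre = esp_tunnel(plain)
        rows[codec] = {
            "gre_ipsec_bytes": with_gre, "gre_ipsec_bps": call_bps(with_gre),
            "ipsec_bytes": no_gre, "ipsec_bps": call_bps(no_gre),
        }
    return rows


if __name__ == "__main__":
    for codec, row in bandwidth_table().items():
        print(codec, row)
    # NAT transparency adds 16 bytes per packet, or 6,400 bps, to a G.729 call
    g729 = voice_packet("G.729")
    print("G.729 with NAT-T:", esp_tunnel(g729, nat_t=True), "bytes,",
          call_bps(esp_tunnel(g729, nat_t=True)) - call_bps(esp_tunnel(g729)), "bps more")
```

The `iv_len` and `block` parameters are there so the same arithmetic can be rerun for a 16-byte-block cipher; the values asserted here are the 3DES/SHA-1 ones the slides quote, and the layer 2 overhead (Frame Relay, PPP, ATM cells) still has to be added on top.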
G.729 Packet DSL/PPPoE/IPSec
AAL5 header (RFC 1483 LLC/SNAP), 10 bytes: LLC AA AA 03, SNAP Ethertype 00 80 C2 00 07, Pad 00 00
Ethernet header, 14 bytes: Destination MAC and Source MAC (the 837’s Ethernet MAC 00 02 8A 09 07 9B and the PPPoE headend 00 09 7B 3F 60 38 [*]), Type/Length 88 64
PPPoE/PPP header, 8 bytes: Type/Ver 11, 00, Session ID 00 01, PPP Payload Length 00 72 (114), Protocol 00 21 (IP)
IP packet, 112 bytes: 45 B8 ….. (IPSec-encrypted G.729; 144 = 112 + 8 + 14 + 10)
Padding: 40 bytes
AAL5 trailer, 8 bytes: 00 00 00 90 E0 64 A7 F6 (Length 00 90 = 144, CRC E0 64 A7 F6)
Total 192 bytes / 48 per cell = 4 cells = 53 * 4 = 212 bytes; G.711 = 7 cells
IP Phones and Voice Quality (figure: voice quality scale from cell to toll)
• Site to site—Frame Relay and T1: latency, jitter and drops will be similar for the TX path and RX path, as QoS policy and link speeds are symmetric
• SOHO—DSL and Cable—non-QoS SP:
Asymmetric links—downstream link rarely congested; lack of QoS downstream has minor impact
Symmetric links—congestion on the downstream link likely; lack of QoS apparent as latency, jitter and drops
Shaping on uplink—hierarchical CBWFQ—effectively influences uplink data traffic to minimize impact on VoIP
Voice Quality Ranges—Cable/DSL (figure: provisioned bandwidth vs. voice quality)
Near toll quality: 4M/2M, 1.5/384K, 1,472K/256K, 1,024/256K—ave. up/down jitter 4.8ms, latency 16ms, drops < 1/10th% *
Cell phone quality: 864K/160K, 512K/128K, 144K/144K, 128K/128K—ave. up/down jitter 10ms, latency 300ms, drops 1% *
* The jitter/latency/drop values are from a lab test environment simulating DSL and cable configurations—no downlink QoS, QoS on uplink, using a voice and data traffic profile—but no service provider delay, jitter or drops. Usability in the cell phone quality range is highly subjective.
Latency/Delay Budget (figure: campus—service provider—branch office)
Latency < 150ms ideal, < 250ms acceptable. Hardware-based encryption adds minimal latency.
CODEC: 10–50ms
Queuing: variable
Encrypt: minimal, 2–10ms
Serialization: variable
Propagation and network: 6.3 µs/km + network delay
Decrypt: minimal, 2–10ms
Jitter buffer: 20–100 ms
Spoke-to-Spoke Delay Budget
• Doubles the delay budget outside of CODEC and jitter buffer
• Full mesh issue similar to Frame Relay deployments
• In this illustration—round trip time 88 milliseconds measured between the two routers’ Ethernet interfaces
Figure: an 831 (10.81.2.1/29) on cable 384K/1.5M and a 1751 (10.81.2.9/29) on DSL 256K/1.4M, each reaching a Tier 1 ISP through a Tier 2 ISP, with 3725(s) w/AIM at the head end; the spoke-to-spoke path is encrypted and decrypted at each end of each tunnel.
Serialization Delay
• Fragmenting large data packets and interleaving voice packets between the data fragments minimizes the serialization delay
• Addressed by layer 2 technologies:
Link Fragmentation and Interleaving (LFI): multilink PPP
FRF.12: Frame Relay
Before: Voice | Data | Voice. After: Data | Voice | Data | Voice | Data.
A 1500 byte frame at 56K has 214 ms serialization delay.
However, the predominant service offering of DSL providers is PPPoE, which has no LFI standard; assuming most cable providers are DOCSIS 1.0 or DOCSIS 1.0+, they have no LFI either. DOCSIS 1.1 provides fragmentation and QoS.
Serialization Delay—Use Layer 4 (Transport Layer)
How can you influence data packet sizes without a layer 2 fragmentation technique? The router can override the TCP MSS (Maximum Segment Size) and reduce data packet size:
interface Ethernet0
 ip tcp adjust-mss 542
Before: Voice | Data | Voice. After: Data | Voice | Data | Voice | Data.
A 1500 byte frame at 56K has 214 ms serialization delay.
Serialization Delay—Approximate Maximum Delay Values Based on Uplink Line Rate and Segment Size (ip tcp adjust-mss)
Common DSL and cable line rates:
Line Rate (Kbps)   512 Byte   640 Byte   768 Byte   1500 Byte
128                32 ms      40 ms      48 ms      92 ms
256                16 ms      20 ms      24 ms      46 ms
384                12 ms      14 ms      16 ms      32 ms
512                8 ms       10 ms      12 ms      24 ms
768                6 ms       8 ms       8 ms       16 ms
IP TCP Adjust-MSS Value DSL/PPPoE
MSS value 542 minimizes padding for both IPSec and AAL5:
TCP segment: IP 20 + TCP 20 + MSS 542 = 582 bytes
IPSec ESP tunnel mode (SHA-1, 3DES): IPSec Hdr 20 + ESP SPI 4 + ESP Seq 4 + ESP IV 8 + [IP 20 + TCP 20 + MSS 542 + Pad 0 + ESP Pad Len/NH 2] + ESP Auth 12 = 632 bytes
AAL5 frame: AAL5 header 10 + Ethernet header 14 + PPPoE 8 + encrypted packet 632 + Pad 0 + AAL5 trailer 8 = 672 bytes = 14 cells total (each ATM header followed by a 48-byte SAR PDU)
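The cell arithmetic on this slide and on the earlier "G.729 Packet DSL/PPPoE/IPSec" slide is the same computation applied to different packet sizes, and the choice of 542 falls out of it. The following Python is an added example, not code from the presentation; it assumes the encapsulation sizes the slides show (RFC 1483 LLC/SNAP AAL5 header 10, Ethernet header 14, PPPoE/PPP header 8, AAL5 trailer 8, 48-byte cell payload in a 53-byte cell) and esp-3des esp-sha-hmac tunnel mode. The `zero_padding_mss` search and its cell budget argument are this example's own design.

```python
# Added example, not code from the presentation: how one encrypted packet fills
# ATM cells on the DSL/PPPoE path of the slides, and why MSS 542 leaves no
# padding in either IPSec or AAL5. Sizes follow the slides: RFC 1483 LLC/SNAP
# AAL5 header 10, Ethernet header 14, PPPoE/PPP header 8, AAL5 trailer 8,
# 48-byte cell payload in a 53-byte cell; ESP is esp-3des esp-sha-hmac tunnel mode.

AAL5_HDR, ETH_HDR, PPPOE_HDR, AAL5_TRAILER = 10, 14, 8, 8
CELL_PAYLOAD, CELL = 48, 53
IP_HDR, TCP_HDR = 20, 20


def esp_pad_len(size):
    """3DES-CBC: payload + 2-byte pad-length/next-header padded to a multiple of 8."""
    return (-(size + 2)) % 8


def esp_tunnel_3des(size):
    """IP 20 + ESP header 8 + IV 8 + payload + pad + trailer 2 + SHA-1 auth 12."""
    return IP_HDR + 8 + 8 + size + esp_pad_len(size) + 2 + 12


def aal5_cells(encrypted_len):
    """Return (cells, aal5_padding_bytes, bytes_on_wire) for one encrypted packet."""
    pdu = AAL5_HDR + ETH_HDR + PPPOE_HDR + encrypted_len + AAL5_TRAILER
    cells = -(-pdu // CELL_PAYLOAD)            # ceiling division
    return cells, cells * CELL_PAYLOAD - pdu, cells * CELL


def mss_padding(mss):
    """For a full-size TCP segment with this MSS: (esp_pad + aal5_pad, esp_size, cells)."""
    segment = IP_HDR + TCP_HDR + mss
    encrypted = esp_tunnel_3des(segment)
    cells, aal5_pad, _ = aal5_cells(encrypted)
    return esp_pad_len(segment) + aal5_pad, encrypted, cells


def zero_padding_mss(max_cells, lo=400):
    """Largest MSS >= lo whose segment pads neither ESP nor AAL5 and fits in at
    most max_cells cells; pick max_cells from the serialization delay you will
    accept on the uplink (this cell-budget search is the example's own design)."""
    best = None
    for mss in range(lo, max_cells * CELL_PAYLOAD):
        total_pad, _, cells = mss_padding(mss)
        if total_pad == 0 and cells <= max_cells:
            best = mss
    return best


if __name__ == "__main__":
    print("G.729 IPSec 112 bytes ->", aal5_cells(112))   # 4 cells, 40 pad, 212 bytes
    print("G.711 IPSec 256 bytes ->", aal5_cells(256))   # 7 cells
    print("MSS 542  ->", mss_padding(542))               # 0 pad, 632 bytes, 14 cells
    print("MSS 1360 ->", mss_padding(1360))              # the PC MTU 1,400 case
    print("best MSS for a 14-cell budget:", zero_padding_mss(14))
```

Running it shows the 40 bytes of AAL5 padding behind every G.729 packet (4 cells for 112 bytes of IP), the 14 zero-padding cells for MSS 542, and that the next zero-padding MSS (590) would already need 15 cells, which is why the slides' 14-cell budget lands on 542.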
Impact of Adjusting TCP MSS
Comparing two file transfers using an 837 on a 1.4M/256k DSL circuit over the Internet and an IPSec tunnel; percentages show effective payload throughput of the DSL trained rate.
256K DSL, ip tcp adjust-mss 542: average packet size 582 bytes, 8,299 packets, 4,828,588 bytes [*]; ftp: 4,496,620 bytes sent in 200.13 sec or 179.76 Kbits/sec (70%)
PC’s MTU set to 1,400 bytes (MSS 1360): average packet size 1399 bytes, 3,309 packets, 4,628,988 bytes [*]; ftp: 4,496,620 bytes sent in 183.74 sec or 195.76 Kbits/sec (76%)
[*] Average packet size layer 3—number of packets—total bytes—as reported by Netflow
QoS Design Parameters
• No changes required to:
Campus QoS configuration
Traffic classification scheme
• WAN edge QoS analogous to IP Telephony deployment with private WAN:
Class-Based Weighted Fair Queuing (CBWFQ)
Link Fragmentation and Interleave (LFI) for links <768kbps
Traffic shaping (as appropriate)
• QoS service policy definition must consider additional bandwidth requirements due to VPN:
cRTP bandwidth conservation no longer applicable
QoS Design Parameter Overview (figure: headquarters—service provider—branch)
QoS service policy must consider IPSec overhead.
Campus QoS: continue to use established campus recommendations
WAN edge QoS (Cisco IOS platform): CBWFQ/traffic shaping, low-latency queuing, LFI/FRF.12, ip tcp adjust-mss
Service provider: CBWFQ, low-latency queuing, WRED/MDRR, overprovision
PAK_PRIORITY (figure: VPN site—GRE (logical) tunnel over intermediate (service provider) routers—VPN site)
• Cisco IOS maintains an internal packet priority tag, PAK_PRIORITY, within a router
• EIGRP hello packets are PAK_PRIORITY_HIGH
• EIGRP is per hop, but GRE hides intermediate routers
• Intermediate (SP) routers can only prioritize EIGRP hello packets on the ToS byte; PAK_PRIORITY does not apply
• http://www.cisco.com/warp/public/105/rtgupdates.html
IKE Packets—Control Plane for IPSec (figure: VPN site—IPSec tunnels across (service provider) routers—VPN site)
• One IPSec tunnel to each head-end: a transmit (encrypt) and receive (decrypt) security association (SA) to each head-end router
• Also an IKE SA between the branch and each head-end
• The encrypted packets inherit the ToS byte of the original packet
• IKE packets are originated with ToS = 0 (0x00)
class-map match-all VOICE
 match ip dscp ef
class-map match-any CALL-SETUP
 match ip dscp af31
 match ip dscp cs3
class-map match-any INTERNETWORK-CONTROL
 match ip dscp cs6
 match access-group name IKE
class-map match-all TRANSACTIONAL-DATA
 match ip dscp af21
ToS Byte DSCP Reference Chart
ToS byte bits 7 6 5 4 3 2 1 0: IP Precedence is bits 7–5, DSCP is bits 7–2, bits 1–0 are the least significant bits.
TOS Hex  TOS Decimal  IP Precedence           Class-map Name         DSCP     Binary
E0       224          7 Network Control                              CS7      11100000
C0       192          6 Internetwork Control  INTERNETWORK-CONTROL   CS6      11000000
B8       184          5 Critical              VOICE                  EF       10111000
A0       160          5 Critical                                     CS5      10100000
80       128          4 Flash Override                               CS4      10000000
68       104          3 Flash                 CALL-SETUP             AF31     01101000
60       96           3 Flash                 CALL-SETUP             CS3      01100000
48       72           2 Immediate             TRANSACTIONAL-DATA     AF21     01001000
40       64           2 Immediate                                    CS2      01000000
20       32           1 Priority                                     CS1      00100000
00       0            0 Routine                                      Default  00000000
Enterprise/SP Edge QoS
• Class-Based Weighted Fair Queuing CBWFQ/LLQ-enabled on WAN interface
• Link Fragmentation and Interleaving (LFI /FRF.12) configured where required
• Traffic shaping configured where required
• No support for cRTP for VoIP
ToS Byte Copy for GRE and IPSec (figure)
Layer 3 IPv4 header fields: Version | Length | ToS Byte | Len | ID | Offset | TTL | Proto | FCS | IP-SA | IP-DA
ToS byte from the original packet: IP Precedence = 5, DSCP = EF, 0xB8, binary 10111000
The original packet [IP Hdr | UDP | RTP | Voice] is encapsulated as [GRE IP Hdr | GRE | IP Hdr | UDP | RTP | Voice]; the GRE IP header takes its ToS byte from the original packet.
The IPSec packet [IPSec Hdr | ESP Hdr | ESP IV | GRE IP Hdr | GRE | IP Hdr | UDP | RTP | Voice | ESP Pad/NH | ESP Auth] takes its ToS byte from the GRE header.
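The DSCP reference chart and the ToS-copy behaviour on the last two slides can both be checked with a few lines of header arithmetic. The following Python is an added example, not code from the presentation: it derives each chart row from the DSCP value (DSCP is the top six bits of the ToS byte, IP precedence the top three) and builds constructed IPv4/GRE/ESP headers to show the ToS byte being carried from the inner header to the GRE outer header and then to the IPSec outer header. The addresses, SPI and the zero-filled UDP/RTP/voice bytes are constructed sample values, and the ESP payload is left unencrypted because only the outer header matters for the point being shown.

```python
import struct

# Added example, not the presentation's code: compute the ToS byte values in the
# DSCP reference chart and show the ToS byte being copied from the inner IP
# header to the GRE outer header and then to the IPSec (ESP tunnel) outer header.
# Addresses, SPI and payload bytes are constructed sample values.

DSCP = {"Default": 0, "CS1": 8, "CS2": 16, "AF21": 18, "CS3": 24, "AF31": 26,
        "CS4": 32, "CS5": 40, "EF": 46, "CS6": 48, "CS7": 56}
PRECEDENCE_NAMES = ["Routine", "Priority", "Immediate", "Flash", "Flash Override",
                    "Critical", "Internetwork Control", "Network Control"]


def tos_from_dscp(dscp):
    """DSCP occupies the top six bits of the ToS byte (bits 7-2)."""
    return dscp << 2


def precedence(tos):
    """IP precedence is the top three bits of the ToS byte (bits 7-5)."""
    return tos >> 5


def chart_row(name):
    """One row of the ToS byte DSCP reference chart for a DSCP name."""
    tos = tos_from_dscp(DSCP[name])
    prec = precedence(tos)
    return {"hex": f"{tos:02X}", "decimal": tos, "precedence": prec,
            "precedence_name": PRECEDENCE_NAMES[prec], "binary": f"{tos:08b}"}


def ipv4_header(tos, proto, src, dst, total_len):
    """Minimal 20-byte IPv4 header; checksum left zero (constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x0001, 0x4000,
                       64, proto, 0, src, dst)


def tos_of(pkt):
    """The ToS byte is the second byte of an IPv4 header."""
    return pkt[1]


def gre_encapsulate(inner, src, dst):
    """Outer IP (protocol 47) + 4-byte GRE header; ToS copied from the inner packet."""
    gre = b"\x00\x00\x08\x00"          # flags 0, protocol type IPv4
    outer = ipv4_header(tos_of(inner), 47, src, dst, 20 + len(gre) + len(inner))
    return outer + gre + inner


def esp_tunnel_encapsulate(inner, src, dst, spi=0x1000, seq=1):
    """Outer IP (protocol 50) + ESP SPI/sequence; ToS copied from the packet
    being encapsulated. Payload shown unencrypted: only the outer header matters here."""
    esp_hdr = struct.pack("!II", spi, seq)
    outer = ipv4_header(tos_of(inner), 50, src, dst, 20 + len(esp_hdr) + len(inner))
    return outer + esp_hdr + inner


def demo_tos_copy():
    """Return the ToS byte of the voice packet, its GRE wrapper and its ESP wrapper."""
    inner_src, inner_dst = bytes([10, 81, 2, 1]), bytes([10, 1, 1, 9])
    tun_src, tun_dst = bytes([192, 168, 91, 2]), bytes([192, 168, 252, 1])
    voice = ipv4_header(tos_from_dscp(DSCP["EF"]), 17, inner_src, inner_dst, 60)
    voice += b"\x00" * 40               # UDP 8 + RTP 12 + G.729 20, constructed
    gre_pkt = gre_encapsulate(voice, tun_src, tun_dst)
    esp_pkt = esp_tunnel_encapsulate(gre_pkt, tun_src, tun_dst)
    return tos_of(voice), tos_of(gre_pkt), tos_of(esp_pkt)


if __name__ == "__main__":
    for name in ("CS7", "CS6", "EF", "AF31", "CS3", "AF21", "Default"):
        print(name, chart_row(name))
    print("ToS inner/GRE/ESP:", [f"0x{t:02X}" for t in demo_tos_copy()])
```

Because the service provider only sees the outermost header, a mismatch between what this copy produces and what the provider's edge classifies on is the first thing to check when voice is marked correctly inside the tunnel but still gets best-effort treatment outside it.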
ToS Byte for VoIP Applications
IP Phones (7960) and Softphone: DSCP ef/IP Precedence 5 for media, DSCP af31/IP Precedence 3 for signaling
Voice GW—configurable…verify:
dial-peer voice 10 voip
 ip qos dscp ef media
 ip qos dscp af31 signaling
QoS Pre-Classify
• Independent of ToS byte copy to IPSec IP header
• Maintains pre-encapsulated IP header for output QoS policy—port, protocol, src/dst IP address, etc.
• Apply to both crypto map and IP GRE tunnel—or just crypto map if no IP GRE tunnel
!
crypto map static-map 10 ipsec-isakmp
 qos pre-classify
!
interface Tunnel1
 ip address 10.62.139.198 255.255.255.252
 qos pre-classify
 delay 60000
 tunnel source 192.168.91.2
 tunnel destination 192.168.252.1
 crypto map static-map
!
Figure: unencrypted IP data and VoIP packets (** marks the fields used for classification) enter the IPSec router and leave encrypted; the router can make QoS decisions based on encrypted elements in the packets.
QoS Pre-Classify (figure: input interface—crypto engine—output interface)
The packet is cloned before the crypto engine; the clone particles (Particle 1 … Particle N) keep the original headers alongside the encrypted packet (%$#*& 1 … %$#*& N), and QoS classification on the output interface is done on the clone.
class-map match-all TRANSACTIONAL-DATA
 description Order Entry Application TN3270
 match access-group 123
access-list 123 permit tcp any host 10.45.15.1 eq telnet
!
class-map match-all VOICE
 match ip dscp ef
class-map match-any CALL-SETUP
 match ip dscp af31
 match ip dscp cs3
class-map match-any INTERNETWORK-CONTROL
 match ip dscp cs6
 match access-group name IKE
class-map match-all TRANSACTIONAL-DATA
 match ip dscp af21
!
Bandwidth Allocation—Traffic Categories
Voice 33% [*], Transactional Data 22%, Internetwork-control 5%, Call-Setup 2%, Not Allocated 38%
Voice target: 33% of link for site to site and small office; includes GRE and IPSec headers/trailers and layer 2 overhead
[*] Teleworker model will provision one G.729 call per remote router
Policy-map—17xx/26xx/36xx/37xx Site-to-Site
policy-map llq-branch
 class CALL-SETUP
  bandwidth percent 2
 class TRANSACTIONAL-DATA
  bandwidth percent 22
 class INTERNETWORK-CONTROL
  bandwidth percent 5
 class VOICE
  ! nine G.729 calls
  priority 504
 class class-default
  fair-queue
!
interface Serial0/0
 bandwidth 1544
 ip address 192.168.154.2 255.255.255.252
 service-policy output llq-branch
Hierarchical Class-Based Weighted Fair Queuing (CBWFQ)—DSL/Cable (bridge) modem
Child (queuing):
policy-map llq-branch
 class CALL-SETUP
  bandwidth percent 2
 class TRANSACTIONAL-DATA
  bandwidth percent 22
 class INTERNETWORK-CONTROL
  bandwidth percent 5
 class VOICE
  ! one G.729 call
  priority 64
 class class-default
  fair-queue
  random-detect
Parent (shaping):
policy-map Shaper
 class class-default
  shape average 182400 1824 0
  service-policy llq-branch
!
interface Ethernet 1
 description Outside
 …
 service-policy output Shaper
For a 256K ADSL trained rate—target bit rate 182400 with bits per interval 1/100 (1824) to yield a 10ms interval. The shaper provides congestion feedback.
Shaping Illustration (184,200 bps)
G.729 call—831 behind cable modem. This graph is the view from the PC’s perspective; note how the throughput increases from 128 Kbps to 184 Kbps when the call completes: 128K + 56K = 184K.
Voice-Enabled IPSec VPNs—No Changes from a Typical VPN Deployment Configuration
• Site to site: IP GRE with IPSec tunnel or transport mode; pre-shared keys
• SOHO: IPSec only with dynamic crypto maps—IKE dead peer detection—reverse route injection; digital certificates
• Secure Hash Algorithm (SHA)—HMAC
• Strong (3DES) encryption for Internet Key Exchange (IKE) and IPSec
• Diffie-Hellman Group 2 (1024-bit) for IKE
• Default lifetimes for IKE (24hr) and IPSec (1hr)
Anti-Replay Window
• Designed to identify packet capture/replay by 3rd party—message integrity
• Sender assigns sequence number per Security Association (SA) to encrypted packets
• Receiver maintains 64 packet sliding window
• Window marks packets as received or not
• Window moves to right to include higher sequence numbers
• Packets to the left of the window are dropped
Anti-Replay in Action (figure): a 64 packet sliding window covering sequence numbers 4 through 67; packets 1, 2 and 3 are outside the window (to its left) and are dropped by anti-replay.
Anti-Replay and QoS Interaction
Configuration                                        Expected results
Default service policy                               Anti-replay drops .5–1.5% of total packets; service policy drops minimal
Tuned service policy                                 Anti-replay drops 1/10th% of total packets; TRANSACTIONAL-DATA drops minimal; class-default drops 1%
DSCP-based anti-replay window (future development)   Anti-replay drops eliminated; service policy drops similar to a non-IPSec network
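The two preceding slides describe the receiver's window and the way a queuing policy interacts with it: sequence numbers are assigned per SA when the packet is encrypted, before it waits in the output queue, so a data packet held back while later-numbered voice packets are sent ahead of it can arrive more than 64 sequence numbers behind the highest one seen and be dropped as "outside the window". The following Python is an added example, not code from the presentation: it implements the 64-packet sliding window as the slides describe it and runs a constructed traffic mix through it with a configurable queuing delay for data packets. The window size, the 200-packet mix and the delay values are constructed inputs.

```python
# Added example, not code from the presentation: a 64-packet sliding anti-replay
# window as the slides describe it (sequence number assigned per SA by the sender;
# receiver marks packets received, slides the window right, drops anything to
# its left or already seen), plus a constructed simulation of how a queuing
# policy that holds data packets back while later-numbered voice packets are
# sent causes "outside window" drops. Window size and traffic mix are constructed.


class AntiReplayWindow:
    """Receiver-side anti-replay state for one security association."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit i set means sequence (highest - i) was received

    def check(self, seq):
        """Return 'accept', 'replay' or 'outside' for a received sequence number.
        A real receiver commits the update only after the packet authenticates."""
        if seq > self.highest:                    # right of window: slide it
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return "accept"
        diff = self.highest - seq
        if diff >= self.size:                     # left of window: dropped
            return "outside"
        if (self.bitmap >> diff) & 1:             # inside window, already seen
            return "replay"
        self.bitmap |= 1 << diff
        return "accept"


def simulate_llq_reordering(data_delay, total=200, data_every=10, window=64):
    """Sequence numbers are assigned at encryption, before the output queue.
    Every data_every-th packet is data; each data packet leaves data_delay
    positions after its encryption order, as happens when voice is prioritized.
    Returns a count of receiver verdicts."""
    seqs = range(1, total + 1)
    is_data = lambda s: s % data_every == 0
    tx_order = sorted(seqs, key=lambda s: s + data_delay if is_data(s) else s)
    w = A = AntiReplayWindow(window)
    verdicts = {"accept": 0, "replay": 0, "outside": 0}
    for s in tx_order:
        verdicts[w.check(s)] += 1
    return verdicts


if __name__ == "__main__":
    w = AntiReplayWindow()
    print([w.check(s) for s in (67, 3, 4, 4)])    # accept, outside, accept, replay
    print("data delayed 30 positions: ", simulate_llq_reordering(30))
    print("data delayed 100 positions:", simulate_llq_reordering(100))
```

With a 30-position delay every packet is accepted; with a 100-position delay the early data packets arrive more than 64 numbers behind the voice stream and are counted as anti-replay drops, which is the pattern behind the "default service policy" row of the table. The counters to watch for this on a router are the SA's replay drop counts, not the service policy's queue drops, since the packet was transmitted correctly and only rejected at the receiver.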
AES—Advanced Encryption Standard (Rijndael)
• Bandwidth provisioning changes:
16 byte IV for ESP-AES vs. 8 byte IV for ESP-3DES
AES CBC (Cipher Block Chaining) mode
60 byte G.729 call encrypts to 144 bytes vs. 136 for 3DES
• Verify AES is supported by the platform’s hardware acceleration module
• To enable AES, your router must support IPSec and long keys (the "k9" subsystem)
• Performance difference between AES and 3DES using hardware acceleration is much less than when encryption is done in software
crypto ipsec transform-set FOO esp-aes esp-sha-hmac
Service Provider Offerings (figure)
Current offerings:
• SOHO/Teleworker—non-QoS broadband access: enterprise edge router with edge QoS, no QoS in the service provider core; no SLA for voice; cell to toll quality via edge QoS
• Site to site—over-provisioned service provider with edge QoS and core QoS; SLA for voice; toll quality
Near future:
• QoS broadband access (DOCSIS 1.1) with edge QoS at both the enterprise edge router and the service provider
Service Provider Recommendations
• New Cisco Powered Network designation created—“IP multiservice VPN”: delivers end-to-end service level agreements to ensure voice/video quality
• Service level agreement (per CPN Service Provider document): packet loss <= .5%, delay <= 60ms one way, jitter <= 20ms
• SPs are responsible for meeting the terms of the SLAs they provide to enterprises—similar to private Frame Relay today
• Contiguous service provider recommended
Cisco Powered Network Service Providers—VPN/IP Multiservice: http://www.cisco.com/pcgi-bin/cpn/cpn_pub_bassrch.pl
Head-End Redundancy: IPSec Reverse Route Injection (figure)
crypto map test 1 ipsec-isakmp
 set peer x.x.x.x
 set peer x.y.y.y
Teleworkers on 10.1.1.0/29 and 10.1.1.8/29 reach head-end peers x.x.x.x and x.y.y.y across the Internet; the corporate intranet core sees 10.1.0.0/16.
If the head-end peers share a common point in the enterprise topology, you can advertise a summary route to the core for the teleworker subnets; teleworker ‘link flaps’ are hidden from the network core.
Head-End Redundancy: IPSec Reverse Route Injection (figure)
crypto map test 1 ipsec-isakmp
 set peer x.x.x.x
 set peer x.y.y.y
Teleworkers on 10.1.1.0/29 and 10.1.1.8/29 reach head-end peers x.x.x.x and x.y.y.y across the Internet; the corporate intranet core carries 10.1.0.0/16 plus the injected 10.1.1.8/29.
When the peers are separated, at least one of the head-ends must inject the more specific routes into the core; teleworker ‘link flaps’ are seen in the network core.
Load Sharing—assuming multiple IPSec/GRE tunnels and multiple physical (T1) links
Options include:
• Un-equal cost logical links with per-packet to physical links: packets of an IPSec Security Association (SA) traverse multiple paths to the peer
• Per-packet to equal cost logical links with affinity to physical links: packets of any one call traverse multiple links
• Logical links with bundled physical links (Inverse Multiplexing over ATM (IMA)/Multilink PPP): packets of any one call remain in the same IPSec SA and bundled physical link
• Per-source/dest (CEF) equal cost logical links with affinity to physical links: packets of any one call remain in the same IPSec SA and physical link
Monitoring Tools
• Service Assurance Agent (SAA) www.cisco.com/go/saa
• Netflow www.cisco.com/go/netflow
• Internetwork Performance Monitor (IPM) www.cisco.com/go/ipm
• NetIQ Chariot™ www.netiq.com
Slide 60
Service Assurance Agent (SAA) www.cisco.com/go/saa
• Embedded software within Cisco IOS devices which performs active monitoring
• Measures SLA (Service Level Agreements) and aids in troubleshooting
• For Voice/IPSec, it can be used via the CLI to:
  Generate network traffic to establish IPSec tunnels in dynamic crypto map configurations
  Log RTT (Round Trip Times) and packet loss in its history for debugging
  Measure latency and jitter by simulating voice calls
Slide 61
Sample SAA Configuration
rtr 12
 type echo protocol ipIcmpEcho 172.26.1.2 source-ipaddr 10.81.2.1
 request-data-size 164
 tos 192
 frequency 90
 lives-of-history-kept 1
 buckets-of-history-kept 60
 filter-for-history all
rtr schedule 12 start-time now life forever

joeking-vpn#show rtr operational-state 12
Entry number: 12
Modification time: 16:29:55.298 est Wed Mar 5 2003
Number of operations attempted: 5559
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 44
Latest operation start time: 11:26:55.301 est Tue Mar
Latest operation return code: OK
RTT Values:
RTTAvg: 44 RTTMin: 44 RTTMax: 44
NumOfRTT: 1 RTTSum: 44 RTTSum2: 1936

Every 90 Seconds, Source an ICMP Echo off the Inside Interface; ToS Is Internetwork Control (tos 192)
For Dynamic Crypto Maps, This Builds/Maintains the IPSec SAs
View the history with: show rtr history tabular
Slide 62
SAA Configuration—UDP Jitter
rtr 18
 type jitter dest-ipaddr 10.81.2.9 dest-port 9 source-ipaddr 10.81.2.1 source-port 9 num-packets 200
 request-data-size 172
 tos 184
 frequency 600
rtr schedule 18 start-time now life forever

joeking-vpn#show rtr operational-state 18
RTT Values:
NumOfRTT: 200 RTTAvg: 91 RTTMin: 89 RTTMax: 119
RTTSum: 18323 RTTSum2: 1680195
Packet Loss Values:
PacketLossSD: 0 PacketLossDS: 0
PacketOutOfSequence: 0 PacketMIA: 0 PacketLateArr …
Jitter Values:
MinOfPositivesSD: 1 MaxOfPositivesSD: 8
NumOfPositivesSD: 60 SumOfPositivesSD: 159
MinOfNegativesSD: 1 MaxOfNegativesSD: 8
NumOfNegativesSD: 63 SumOfNegativesSD: 161
MinOfPositivesDS: 1 MaxOfPositivesDS: 25
NumOfPositivesDS: 83 SumOfPositivesDS: 252
MinOfNegativesDS: 1 MaxOfNegativesDS: 18
NumOfNegativesDS: 69 SumOfNegativesDS: 250

SD = Source to Dest; DS = Dest to Source
Average Jitter of All Test Packets Source to Dest: (159 + 161)/200 = 1.6 ms (Lower = Better)
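The jitter arithmetic on this slide and the RTT/loss counters on the ICMP echo slide can be scripted rather than read by eye. The following is an added example written for this transcript; it is not from the presentation or from Cisco IOS. It parses the counter lines of a captured show rtr operational-state dump (the sample text is constructed from the values above), reproduces (159 + 161)/200 = 1.6 ms, and compares the result against acceptance limits that are assumed values for the example, not figures from the slides.

```python
"""Compute voice-quality figures from 'show rtr operational-state' output.

Added example, not part of the presentation or of Cisco IOS: it scripts the
slide's arithmetic ((SumOfPositivesSD + SumOfNegativesSD) / NumOfRTT =
(159 + 161) / 200 = 1.6 ms) so the same check can run over collected output.
"""
import re

# Constructed sample: the counters shown on the UDP jitter slide.
SAMPLE = """\
joeking-vpn#show rtr operational-state 18
RTT Values:
NumOfRTT: 200 RTTAvg: 91 RTTMin: 89 RTTMax: 119
RTTSum: 18323 RTTSum2: 1680195
Packet Loss Values:
PacketLossSD: 0 PacketLossDS: 0
PacketOutOfSequence: 0 PacketMIA: 0
Jitter Values:
MinOfPositivesSD: 1 MaxOfPositivesSD: 8
NumOfPositivesSD: 60 SumOfPositivesSD: 159
MinOfNegativesSD: 1 MaxOfNegativesSD: 8
NumOfNegativesSD: 63 SumOfNegativesSD: 161
MinOfPositivesDS: 1 MaxOfPositivesDS: 25
NumOfPositivesDS: 83 SumOfPositivesDS: 252
MinOfNegativesDS: 1 MaxOfNegativesDS: 18
NumOfNegativesDS: 69 SumOfNegativesDS: 250
"""

COUNTER = re.compile(r"([A-Za-z0-9]+):\s+(\d+)\b")

# Assumed acceptance limits for the check below (hypothetical values chosen
# for this example; they are not from the presentation).
MAX_RTT_MS = 150
MAX_JITTER_MS = 30
MAX_LOSS_PCT = 1.0


def parse_counters(text):
    """Return every 'Name: integer' pair in the output as a dict."""
    return {name: int(value) for name, value in COUNTER.findall(text)}


def average_jitter_ms(counters, direction):
    """Mean jitter over all probe packets for direction 'SD' or 'DS'.

    Positive and negative inter-arrival deviations are summed and divided by
    the number of packets in the operation, exactly as on the slide.
    """
    total = (counters["SumOfPositives" + direction]
             + counters["SumOfNegatives" + direction])
    return total / counters["NumOfRTT"]


def summarize(text):
    """Condense one probe's counters into the figures a voice SLA cares about."""
    c = parse_counters(text)
    lost = c["PacketLossSD"] + c["PacketLossDS"] + c["PacketMIA"]
    return {
        "rtt_avg_ms": c["RTTAvg"],
        "rtt_max_ms": c["RTTMax"],
        "jitter_sd_ms": round(average_jitter_ms(c, "SD"), 2),
        "jitter_ds_ms": round(average_jitter_ms(c, "DS"), 2),
        "loss_pct": 100.0 * lost / c["NumOfRTT"],
    }


def within_limits(summary):
    """True when RTT, jitter in both directions and loss are under the limits."""
    return (summary["rtt_avg_ms"] <= MAX_RTT_MS
            and max(summary["jitter_sd_ms"], summary["jitter_ds_ms"]) <= MAX_JITTER_MS
            and summary["loss_pct"] <= MAX_LOSS_PCT)


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s, "OK" if within_limits(s) else "OUT OF LIMITS")
```

The destination-to-source figure comes out at (252 + 250)/200 = 2.51 ms, so the script also makes the asymmetry between the two directions visible, which the slide only shows for SD.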
Slide 63
Netflow www.cisco.com/go/netflow
!
interface FastEthernet0/0
 description Inside
 ip address 10.81.2.1 255.255.255.248
 …
 ip route-cache flow
 …
!
interface Ethernet0/0
 description Outside
 ip address dhcp
 …
 ip route-cache flow
 …
end

Use Extensively as a Stand-Alone Tool for Traffic and Application Analysis on Remote and Head-End Routers
Netflow Provides a Metering Base for
• Usage-based network billing
• Network monitoring
• Network planning
• Network traffic accounting
• Troubleshooting
Slide 64
joeking-vpn#show ip cache verb flow
IP packet size distribution (1325939 total packets):
…
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet         174      0.0        66    45      0.0      25.8      12.9
TCP-WWW            642      0.0        13   322      0.0       1.9       3.9
TCP-other        82850      0.1         2   112      0.2       0.1      15.4
UDP-DNS             55      0.0         1    66      0.0       0.5      15.4
…
IP-other         23360      0.0        23   233      0.6      12.2      15.4
Total:          183895      0.2         7   194      1.6       1.7      15.4

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                   Port Msk AS   NextHop              B/Pk  Active
Fa0/0         10.81.2.4       Et0/0         64.102.2.71     06 68  18       1
C714 /29 0                    07D0 /0  0    192.168.1.1            52     0.0
Et0/0         64.102.87.106   Local         10.81.2.1       06 00  18       2
08BD /0  0                    0017 /29 0    0.0.0.0                41     0.1
Et0/0         xx.102.223.3    Local         192.168.1.102   32 00  10     301
D439 /0  0                    E999 /0  0    0.0.0.0               207    60.8
Et0/0         10.81.2.9       Local         10.81.2.1       11 B8  10     200
0009 /0  0                    0009 /29 0    0.0.0.0               200     4.0

Netflow—Interactive Monitoring
This Illustrates How to Use Netflow to Verify the UDP Jitter Probe: Protocol = 0x11 (UDP), ToS = 0xB8 (DSCP = EF), 200 Packets in the Flow, Active for 4 Seconds, and the Layer 3 Size Was 200 Bytes
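Reading the hex protocol, ToS and port fields of the verbose flow cache is error-prone by hand, so here is an added example (written for this transcript, not part of the presentation or of Cisco IOS) that decodes the two-line records and applies the same check the slide makes: UDP, DSCP EF, 200 packets of 200 bytes to port 9. The sample records are constructed from the telnet and jitter-probe lines above; the protocol and DSCP names are the standard IANA/RFC values.

```python
"""Decode two-line records from 'show ip cache verbose flow'.

Added example, not from the presentation: it turns the hex fields of the
verbose NetFlow cache into named values and applies the check the slide makes
by eye: the SAA probe shows up as protocol 0x11 (UDP), ToS 0xB8 (DSCP 46 = EF),
200 packets of 200 bytes, active for 4.0 seconds. The flow-record layout is
the one printed on the slide; the protocol and DSCP names are the IANA/RFC
values.
"""

PROTO_NAMES = {0x01: "ICMP", 0x06: "TCP", 0x11: "UDP", 0x2F: "GRE", 0x32: "ESP"}
DSCP_NAMES = {0: "BE", 24: "CS3", 26: "AF31", 46: "EF", 48: "CS6"}

# Constructed sample: header lines plus two records copied from the slide
# (the telnet session and the UDP jitter probe).
SAMPLE = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
Et0/0 64.102.87.106 Local 10.81.2.1 06 00 18 2
08BD /0 0 0017 /29 0 0.0.0.0 41 0.1
Et0/0 10.81.2.9 Local 10.81.2.1 11 B8 10 200
0009 /0 0 0009 /29 0 0.0.0.0 200 4.0
"""


def parse_verbose_flow(text):
    """Yield one dict per flow; each flow spans two consecutive lines."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    body = [ln for ln in lines if not ln.startswith(("SrcIf", "Port"))]
    for first, second in zip(body[0::2], body[1::2]):
        f, s = first.split(), second.split()
        tos = int(f[5], 16)
        yield {
            "src_if": f[0], "src": f[1], "dst_if": f[2], "dst": f[3],
            "proto": int(f[4], 16),          # IP protocol number, printed in hex
            "tos": tos,
            "dscp": tos >> 2,                # DSCP is the upper six bits of ToS
            "packets": int(f[7]),
            "src_port": int(s[0], 16),       # ports are printed in hex
            "dst_port": int(s[3], 16),
            "next_hop": s[6],
            "bytes_per_pkt": int(s[7]),
            "active_s": float(s[8]),
        }


def describe(flow):
    """One-line summary with protocol and DSCP names resolved."""
    proto = PROTO_NAMES.get(flow["proto"], str(flow["proto"]))
    dscp = DSCP_NAMES.get(flow["dscp"], str(flow["dscp"]))
    return (f"{proto} {flow['src']}:{flow['src_port']} -> "
            f"{flow['dst']}:{flow['dst_port']} DSCP {dscp}")


def is_jitter_probe(flow, port=9, num_packets=200):
    """Match the UDP jitter operation configured earlier (port 9, 200 packets, EF)."""
    return (flow["proto"] == 0x11 and flow["dscp"] == 46
            and flow["dst_port"] == port and flow["packets"] == num_packets)


if __name__ == "__main__":
    for flow in parse_verbose_flow(SAMPLE):
        tag = "jitter probe" if is_jitter_probe(flow) else "other"
        print(f"{describe(flow)}  {flow['packets']} pkts  "
              f"{flow['bytes_per_pkt']} B/pkt  {tag}")
```

The same decoder applies to the ESP record above (protocol 0x32): with a crypto map on the outside interface, the per-flow view of the inside traffic is only visible on the inside interface, while the outside interface shows one ESP flow per SA.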
Slide 65
Internetwork Performance Monitor (IPM) www.cisco.com/go/ipm
Interfaces with SAA Display Network Latency, Jitter, Availability, Packet Loss, and Errors
IPM Is a Network Response Time and Availability Troubleshooting Application
Slide 66
IPM (Internetwork Performance Monitor) Hop by Hop Performance Troubleshooting
• Cisco IOS SA Agent provides performance analysis of each hop in the path between two networked devices
• IPSec tunnels will overlay the service provider portion of the network—with the exception of the CPE routers
• IPSec tunnels will appear as ‘one hop’ to IPM/SAA
• IPM hop by hop feature provides a means for the enterprise to verify the service provider is within the SLA
[Diagram: IPM Source Devices at either end of the IPSec Tunnels, which cross the Service Provider network]
Slide 67
Agenda
• Overview
• Planning and Design
• Performance
• Pitfalls and Troubleshooting
• Summary
• Appendix
Slide 68
Enterprise Solutions Engineering Design/Test Topology
[Diagram: Universal Broadband Router Cisco ubr 7111; Chariot™ End-Point(s) and 7960 IP Phones; Cable Modem 925; DSL Bridge 837; SOHO routers Cisco 837 and Cisco 831 over PPPoE Sessions; IP DSL Switch Cisco 6015 (ATM); FastEthernet to the IPSec Head Ends (65xx Site to Site, 7200VXR, 3660, 37x5); Empirix Packet Sphere™ Model 200; 75XX WAN Aggregation; Stratacom Frame-Relay/HDLC at 128K to E1 Speeds; 480+ Branch Routers (Cisco 17xx 26xx 36xx 37xx); Call Manager; Certificate Authority]
Slide 69
ESE Solution Test Traffic Profile (512K) Excludes GRE and IPSec Headers/Trailers
Percent of Bytes with Average Packet Size
NetFlow™ Protocol-Port-ToS Aggregation Exported and Summarized

Application       Downstream (Avg Pkt Bytes / % of Bytes)   Upstream (Avg Pkt Bytes / % of Bytes)
VoIP              60 / 22.2%                                 60 / 27.4%
FTP Get           1052 / 53.5%                               45 / 1.9%
FTP Put           44 / 1.0%                                  1044 / 57.6%
WWW               176 / 5.9%                                 72 / 4.2%
WWW-2 Immed       377 / 10.2%                                109 / 5.3%
POP3              462 / 3.4%                                 45 / .3%
DNS               124 / 2.1%                                 131 / 2.8%
TN3270            889 / .9%                                  89 / .2%
TN3270-2 Immed    1016 / .9%                                 89 / .2%
Average Packet Size = 188 (Downstream), 144 (Upstream)
Slide 70
Head-End Performance Detail—Converged Traffic, QoS-Enabled (1)

Product    VPN HW Accel   # of G.729 Calls   Voice Mbps   Data Mbps   Total CPU or Backplane Utilization (3)   Average End-to-End Latency (ms) (2)
3745       AIM-II         60                 7.2          16.0        75%                                      18
7200-300   VAM            109                13.1         25.4        80%                                      21
7200-400   VAM            156                18.7         34.8        80%                                      21
7200-G1    VAM            240                28.8         49.3        80%                                      18
6500       VPN Svc        4140               417          867         20%                                      16

(1) QoS-Enabled, but on a Separate WAN Aggregation Device at Central Site
(2) End-to-End Latency through the Network, Incl. Head-End, Cloud, and Branch
(3) 6500 Reported % Is Backplane Utilization
6500 Is IPSec Only; All Others Are IPSec and GRE
Slide 71
High-End Branch Performance Detail—Converged Traffic, QoS-Enabled

Product   VPN HW Accel   # of G.729 Calls   Bi-Dir Voice Mbps   Bi-Dir Data Mbps   Total CPU   Average End-to-End Latency (ms)*   Max Line Rate   Limiting Factor
3660      AIM-II         60                 6.7                 9.7                74%         44                                 10M             CPU
2691      AIM-II         60                 6.7                 10.0               79%         44                                 10M             CPU
3725      AIM-II         60                 6.7                 10.0               60%         33                                 25M             CPU
3745      AIM-II         150                16.8                25.1               75%         33                                 25M             CPU

*End-to-End Latency through the Network, Incl. Head-End, WAN, and Branch
Slide 72
ESE Teleworker Traffic Profile Excludes IPSec Headers/Trailers
Percent of Bytes with Average Packet Size
NetFlow™ Protocol-Port-ToS Aggregation—10 Minute Chariot Test, 831 PPPoE G.729—837 as a DSL Bridge
ip tcp adjust-mss 536

Downstream: 38 Megabytes, 1.4 Mbps; Average Packet Size = 376 Bytes
  FTP 76%, Voice 21.7%, Other [*] 2.3%
Upstream: 7.9 Megabytes, Shaped to 184 Kbps; Average Packet Size = 115 Bytes
  FTP 94%, Voice 4.5%, Other [*] 1.5%
[*] ICMP, DNS, TN3270, CALL-SETUP, POP3, HTTPTEXT
Slide 73
Teleworker Performance Detail—Converged Traffic, QoS (Uplink)

Product   VPN HW Accel   Number of G.729 Calls   Link Rate (K) Down/up   Service   Bi-dir Data kbps   Avg End-to-End Latency*   Average Jitter   Total CPU
831       HIFN79xx       1                       1536/384                Cable     974                16.5ms                    4.8ms            53%
831       HIFN79xx       1                       1024/256                Cable     687                14.1ms                    4.3ms            45%
831       HIFN79xx       1                       1536/384                ADSL      648                41ms                      5.1ms            40%
837       HIFN79xx       1                       1536/384                ADSL      764                45ms                      7.3ms            53%
831       HIFN79xx       1                       1408/256                ADSL      373                43ms                      6.2ms            29%
831       HIFN79xx       1                       864/160                 ADSL      206                54ms                      6.2ms            24%

*End-to-End Latency through the Network, Incl. Head-End, WAN, and Branch; It Does Not Include Any Delay Inserted to Simulate a Service Provider Network
The 831 Tests Use a DSL/Cable Bridge to Connect to the Broadband Service; The QoS Configuration Is Hierarchical CBWFQ Using a Shaper
Slide 74
Agenda
• Overview
• Planning and Design
• Performance
• Pitfalls and Troubleshooting
• Summary
• Appendix
Slide 75
Troubleshoot the Basics
• Teleworker environment contains troubleshooting issues which are outside the helpdesk’s control
• Examples—home wiring, DSL filters, SP-provided termination equipment
[Photo] This DSL Filter Would Cause an Interface Flap on the 837’s DSL Interface Approximately Every 20 Minutes—Replacing the Filter Addressed the Problem
Slide 76
RFC1918 Addressing/SOHO
• Avoid allocating RFC 1918 addresses at headquarters which may be used at remote locations—the remote router will see 192.168.1.0/24 as local
• Duplicating addresses at remote locations is OKAY
[Diagram: DHCP 192.168.1.43/24; DSL Modem—Firewall—Router—NAT/PAT with IPSec Passthru; 192.168.1.101/24; IPSec Tunnel]
Slide 77
IPSec through NAT/PAT
• Residential DSL providers bundle a DSL router/firewall with the service
• Cable subscribers install 3rd-party Ethernet/Ethernet router/firewalls
• However, not all implementations properly support this function!
• An IPSec transform set which includes ‘AH’ will fail, as the IP header is hashed
Provides for Dynamic NAT/PAT for IPSec:
rtr-vpn-1750#show ip nat trans | incl esp
esp xx.74.162.156:0 192.168.10.7:A336AEF0 xx.102.223.4:0 xx.102.223.4:0
esp xx.74.162.156:0 192.168.10.7:0 xx.102.223.4:0 xx.102.223.4:67785E
[Diagram: 192.168.10.7 via DHCP; 10.1.81.0/24 via DHCP; xx.74.162.156 via DHCP or PPPoE; IPSec Tunnel to xx.102.223.4]
Slide 78
Identifying Remote ‘Link Flaps’
Head-End with Dynamic Crypto Maps and DPD/RRI; Remote Location Reporting Intermittent Loss of Connectivity

gw2(config)#access-list 99 permit 10.81.2.208 0.0.0.7
gw2(config)#access-list 99 permit 10.81.4.64 0.0.0.7
gw2#debug ip routing 99
IP routing debugging is on for access list 99
Mar 21 10:03:38 est: RT: del 10.81.4.64/29 via 0.0.0.0, static metric [1/0]
Mar 21 10:03:38 est: RT: delete subnet route to 10.81.4.64/29
Mar 21 10:04:02 est: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=xx.218.223.4, prot=50, spi=0x3C62D0CC(1013108940), srcaddr=xx.40.46.1
Mar 21 10:04:21 est: RT: add 10.81.4.64/29 via 192.168.81.3, eigrp metric [170/2588160]

10:03:38—Remote Subnet Being Deleted from This Head-End Routing Table, DPD Removing Route
10:04:21—Remote Subnet Connected to, and Now Learned from, Primary Head-End via EIGRP
Slide 79
Agenda
• Overview
• Planning and Design
• Performance
• Pitfalls and Troubleshooting
• Summary
• Appendix
Slide 80
Summary
• VoIP over IPSec enables enterprises to use VPNs as transport for voice and data:
Design guide:
www.cisco.com/go/v3pn
Cisco networking solutions:
www.cisco.com/en/US/netsol/
[Diagram: V3PN = VoIP + IPSec + QoS]
Slide 81
Designing Voice-Enabled IPSec VPNs
Session VVT-2011
Slide 82
Please Complete Your Evaluation Form
Session VVT-2011
Slide 83
Slide 84
Appendix
Enterprise Solutions Engineering Lab
Research Triangle Park, NC
Slide 85
Configuration
• IKE and IPSec
• Frame Relay
• T1
• DSL
• Cable
• Head-End
• Load sharing
• Redundancy
Slide 86
Voice Enable IPSec
All Cisco IOS Releases Need to Have 3DES IPSec Support
Recommended Minimum Cisco IOS Versions

Cisco Product Family              SW Release
Cisco 830 Series VPN Routers      12.2(11)YV
Cisco 1700 Series VPN Routers     12.2(4)YB
Cisco 2600 Series VPN Routers     12.2(11)T1
Cisco 3600 Series VPN Routers     12.2(11)T1
Cisco 3700 Series VPN Routers     12.2(11)T1
Cisco 7100 VPN Routers            12.1(9)E
Cisco 7200VXR VPN Routers         12.1(9)E
Slide 87
Crypto IKE Configuration Sample
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key bigsecret address 192.168.252.1
crypto isakmp key bigsecret address 192.168.251.1
!
Verify Using: show crypto isakmp policy
ISAKMP—Internet Security Association and Key Management Protocol
Callouts: encr 3des—Triple DES; authentication pre-share—Pre-Shared Keys; group 2—Diffie-Hellman Group 2 (1024-bit)
Slide 88
Crypto IPSec Configuration Sample
!
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac
!
crypto map static-map local-address Serial0/0.1
crypto map static-map 10 ipsec-isakmp
 set peer 192.168.252.1
 set transform-set vpn-test
 match address vpn-static1
 qos pre-classify
crypto map static-map 20 ipsec-isakmp
 set peer 192.168.251.1
 set transform-set vpn-test
 match address vpn-static2
 qos pre-classify
!
Verify Using: show crypto map, show crypto ipsec transform-set
Callouts: esp-3des—Encryption Triple DES; esp-sha-hmac—Authentication SHA; match address—Access-List Matches GRE Tunnel End-Points
Slide 89
!
interface Serial0/0.1 point-to-point
ip address 192.168.217.2 255.255.255.252
. . . .
!
ip access-list extended vpn-static1
permit gre host 192.168.217.2 host 192.168.252.1
ip access-list extended vpn-static2
permit gre host 192.168.217.2 host 192.168.251.1
!
Crypto Configurations Sample Branch Access-List
[Diagram: Branch Serial0/0.1 192.168.217.2 with IPSec/GRE Peers at the Head-Ends 192.168.252.1 and 192.168.251.1]
Slide 90
Crypto Configuration Sample Branch GRE Tunnel Interfaces
!
interface Tunnel0
 ip address 10.63.81.194 255.255.255.252
 ip summary-address eigrp 1 10.63.81.0 255.255.255.0 5
 qos pre-classify
 tunnel source 192.168.217.2
 tunnel destination 192.168.252.1
 crypto map static-map
!
interface Tunnel1
 ip address 10.63.81.198 255.255.255.252
 ip summary-address eigrp 1 10.63.81.0 255.255.255.0 5
 delay 60000
 qos pre-classify
 tunnel source 192.168.217.2
 tunnel destination 192.168.251.1
 crypto map static-map
Tunnel0 Is the Primary, Tunnel1 the Backup—Tunnel 1 Delay Is Higher than Default
[Diagram: Branch Serial0/0.1 192.168.217.2 with IPSec/GRE Peers at the Head-Ends 192.168.252.1 and 192.168.251.1]
Slide 91
Crypto Configuration Sample Branch EIGRP
!
router eigrp 1
 network 10.0.0.0
 no auto-summary
 ! manual summarization out Tunnel interfaces
 eigrp stub summary
 eigrp log-neighbor-changes
[Diagram: Branch Serial0/0.1 192.168.217.2 with IPSec/GRE Peers at the Head-Ends 192.168.252.1 and 192.168.251.1]
Slide 92
Crypto Configuration SOHO
crypto isakmp policy 1
 encr 3des
 group 2
crypto isakmp keepalive 10
!
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac
!
crypto map test 10 ipsec-isakmp
 set peer 192.168.252.1
 set peer 192.168.252.2
 set transform-set vpn-test
 match address 103
! qos pre-classify not available in
! c831-k9o3sy6-mz.122-11.YV
!
interface Ethernet1
! No crypto map on PPPoE
interface Dialer1
 ...
 crypto map test
!
access-list 103 permit ip 10.112.12.0 0.0.0.255 10.0.0.0 0.255.255.255
[Diagram: SOHO Ethernet 1 with IPSec Peers at the Head-End 192.168.252.1 and 192.168.252.2]
Slide 93
WAN Edge QoS Configuration Frame Relay
!
interface Serial0/0
 bandwidth 512
 no ip address
 encapsulation frame-relay
 frame-relay traffic-shaping
!
interface Serial0/0.100 point-to-point
 bandwidth 512
 ip address 192.168.1.1 255.255.255.252
 frame-relay interface-dlci 100 class ts-branch
 crypto map GRE
!
map-class frame-relay ts-branch
 no frame-relay adaptive-shaping
 frame-relay cir 486400
 frame-relay bc 4864
 frame-relay be 0
 frame-relay mincir 486400
 service-policy output llq-branch
 frame-relay fragment 640
!
Callouts: frame-relay traffic-shaping—Frame Relay Traffic Shaping Required for FRF.12; cir/mincir 486400—Shape to 95% CIR, Service Policy Calculated on mincir; bc 4864—Frame Relay Traffic Shaping Interval 10 ms; fragment 640—Fragment Size 10 ms
Slide 94
Branch Frame Relay Traffic Shaping and LFI Parameters

Line Rate Kbps   TS CIR/minCIR   TS bc   LFI Bytes
1536             1459200         14592   N/A
1024             972800          9728    N/A
768              729600          7296    1000
512              486400          4864    640
256              243200          2432    320
128              121600          1216    160
Slide 95
WAN Edge QoS Configuration HDLC
!
policy-map 1536kb
 class CALL-SETUP
  bandwidth percent 2
 class TRANSACTIONAL-DATA
  bandwidth percent 22
 class INTERNETWORK-CONTROL
  bandwidth percent 5
 class VOICE
  priority 504
 class class-default
  fair-queue
!
interface Serial0/0
 bandwidth 1536
 ip address 192.168.154.2 255.255.255.252
 service-policy output 1536kb
 crypto map static-map
!
end
No Layer 2 Fragmentation (LFI/FRF.12) Required on T1; Congestion Feedback Provided by the Clock Rate of the Interface
Create policy-map and Apply to Interface
Slide 96
7500 policy-map
policy-map 192kb
 class CALL-SETUP
  bandwidth percent 2
 class TRANSACTIONAL-DATA
  bandwidth percent 22
  queue-limit 16
  fair-queue
  fair-queue queue-limit 16
 class INTERNETWORK-CONTROL
  bandwidth percent 5
 class VOICE
  priority 56
 class class-default
  fair-queue
  fair-queue queue-limit 6
  queue-limit 6
75xx Requires WFQ in Bandwidth Classes to Change the Queue-Limit:
R1(config-if)#service-policy out FOO
queue-limit is invalid command w/o other queueing feature.
Fair-queue queue-limit Specifies the per Flow Queue Limit—in the Case of a WAN Aggregation Router with IPSec Traffic Flowing thru the Router, WFQ Will Be Creating Flows on the IPSec Peers’ Source and Destination IP Addresses, ToS Byte and Protocol (ESP=50), so Enabling WFQ in a Bandwidth Class May Still Only See One Flow in the Class—as a Side Note, QoS Pre-Classify Has No Bearing in This Case
Slide 97
7500 shaper
policy-map 192kb-shaper
 class class-default
  shape average 176000 704 0
  service-policy 192kb
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_r/qrfcmd9.htm#1102948

Calculations
7513(config-pmap-c)#shape average 192000
configured results in ->
shape average 192000 768 768
95% of 192000 is 182400
7513(config-pmap-c)#shape average 182400
Target Bit Rate 182400 needs to be multiple of 8000.
so
182400 / 8000 = 22.8, round down to a whole number: 22*8000 = 176000
7513(config-pmap-c)#shape average 176000
configured results in ->
shape average 176000 704 704
remove the burst excess value
shape average 176000 704 0
704 / 176000 = .004 = 4 milliseconds measurement interval (default)
dCEF Required for VIP Interfaces
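The shaping parameters on the Frame Relay LFI table (slide 94) and in the 7500 calculation above follow from the line rate, so they are worth computing rather than transcribing. The following is an added example written for this transcript, not from the presentation or from Cisco IOS: 95% of the line rate, a 10 ms Tc for Frame Relay and a fragment that serialises in 10 ms, and for the 7500 a rate rounded down to a multiple of 8000 bps with Bc for the 4 ms default interval and Be removed. The LFI cut-off (N/A at 1024 kbps and above) is an assumption read off the table, and the 768 kbps row lists 1000 bytes where the 10 ms formula gives 960, so that row is rounded in the table.

```python
"""Shaper parameters for a voice-carrying WAN edge, from line rate alone.

Added example, not from the presentation. It reproduces the numbers on the
Frame Relay shaping/LFI table and on the 7500 'shape average' calculation:
shape to 95% of the line rate; Frame Relay Bc for a 10 ms interval
(Bc = CIR/100) and a fragment that serialises in 10 ms; on the 7500 a target
rate rounded down to a multiple of 8000 bps, Bc for the 4 ms default
interval and Be set to 0. The LFI cut-off (no fragmentation at 1024 kbps and
above) is an assumption taken from the table, not derived.
"""

LFI_MAX_KBPS = 768     # table shows LFI N/A above this (assumption from the table)


def frame_relay_shaping(line_rate_kbps):
    """Return (cir_bps, bc_bits, lfi_bytes) for a Frame Relay PVC.

    lfi_bytes is None when the line rate is high enough that no Layer 2
    fragmentation is needed. Integer arithmetic keeps the results exact.
    """
    line_rate_bps = line_rate_kbps * 1000
    cir = line_rate_bps * 95 // 100          # shape to 95% of line rate
    bc = cir // 100                           # Tc = 10 ms -> Bc = CIR * 0.010
    if line_rate_kbps <= LFI_MAX_KBPS:
        lfi = line_rate_bps // 8 // 100       # bytes that serialise in 10 ms
    else:
        lfi = None
    return cir, bc, lfi


def frame_relay_map_class(name, line_rate_kbps, policy="llq-branch"):
    """Render the map-class the way the WAN edge Frame Relay slide shows it."""
    cir, bc, lfi = frame_relay_shaping(line_rate_kbps)
    lines = [f"map-class frame-relay {name}",
             " no frame-relay adaptive-shaping",
             f" frame-relay cir {cir}",
             f" frame-relay bc {bc}",
             " frame-relay be 0",
             f" frame-relay mincir {cir}",
             f" service-policy output {policy}"]
    if lfi is not None:
        lines.append(f" frame-relay fragment {lfi}")
    return "\n".join(lines)


def shape_average_7500(line_rate_bps, interval_ms=4):
    """Return (rate_bps, bc_bits, be_bits) for 'shape average' on a 7500.

    IOS requires the target rate to be a multiple of 8000, so 95% of the line
    rate is rounded down to one; Bc is rate * interval; Be is removed.
    """
    target = line_rate_bps * 95 // 100
    rate = target // 8000 * 8000
    bc = rate * interval_ms // 1000
    return rate, bc, 0


def shape_command(line_rate_bps):
    """The class-default line for the 7500 shaper policy-map."""
    rate, bc, be = shape_average_7500(line_rate_bps)
    return f"shape average {rate} {bc} {be}"


if __name__ == "__main__":
    print(frame_relay_map_class("ts-branch", 512))
    print(shape_command(192000))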
Slide 98
7500 service-policy
interface Serial4/0/0/1:1
 description vpn15-2600-21-240
 bandwidth 192
 ip address 192.168.80.5 255.255.255.252
 load-interval 30
 tx-ring-limit 1
 service-policy output 192kb-shaper
 no fair-queue
!
Slide 99
17/26/36/37 service-policy
interface Serial0/0
 bandwidth 192
 ip address 192.168.93.2 255.255.255.252
 load-interval 30
 tx-ring-limit 1
 tx-queue-limit 1 [*]
 service-policy output 192kb-shaper
 crypto map static-map
TX Ring Is the Unprioritized FIFO Buffer Used to Store Frames before Transmission—Interface Drivers Set Unique Default TX Ring Values Based on the Bandwidth Amount—WIC-1T and WIC-2T Default to Different Values—2 and 1
!
vpnjk-2600-2#show controllers serial 0/0 | include tx_limited
tx_limited=1(2)
vpnjk-2600-2(config)#interface serial 0/0
vpnjk-2600-2(config-if)#tx-ring-limit ?
  <1-32767>  Number (ring limit)
vpnjk-2600-2(config-if)#tx-ring-limit 1
!
vpnjk-2600-2#show controllers serial 0/0 | include tx_limited
tx_limited=1(1)
[*] Parser Includes tx-queue-limit by Default
Slide 100
How to Identify Anti-Replay Drops
Look at the esp_seq_fail counter / pkt_replay_err
vpn18-2600-6#show crypto engine accelerator stat | include esp_seq_fail
esp_prot_absent: 0 esp_seq_fail: 1775 esp_spi_failure: 0
vpn3-7200-2#show pas isa interface
vpn3-7200-2#show pas vam interface
06:17:00: %HW_VPN-1-HPRXERR: Hardware VPN0/2: Packet Encryption/Decryption error, status=4615
Rate Limited Syslog Message on Most Platforms
CSCdy07256—show pas vam int—Is Missing…
CSCdy34396—…log msg Not Rate Limited
Slide 101
Output Service Policy—Default Values
[Diagram: queues for VOICE, CALL-SETUP, TRANSACTIONAL-DATA, INTERNETWORK-CONTROL and CLASS-DEFAULT feeding the 64 Packet Sliding Window Anti-Replay]
Max Threshold 64 (Packets) for Each Band­width Class
R1#show policy-map | begin class-default
    Class class-default
      Weighted Fair Queuing
            Flow based Fair Queuing
            Bandwidth 0 (kbps) Max Threshold 64 (packets)
Slide 102
Output Service Policy—Tuned Values
[Diagram: queues for VOICE, CALL-SETUP, TRANSACTIONAL-DATA, INTERNETWORK-CONTROL and CLASS-DEFAULT, each with its own Queue-limit, feeding the 64 Packet Sliding Window Anti-Replay]
Queue-Limit Is Adjusted by Relative Importance of the Class
Goal—Make Service Policy More Aggressive—Drop Rather than Delay
Slide 103
Anti-Replay Optimized Service Policy
R1#show policy-map
  Policy Map llq-branch
    Class CALL-SETUP
      Weighted Fair Queuing
            Bandwidth 2 (%) Max Threshold 64 (packets)
    Class TRANSACTIONAL-DATA
      Weighted Fair Queuing
            Bandwidth 22 (%) Max Threshold 16 (packets)
    Class INTERNETWORK-CONTROL
      Weighted Fair Queuing
            Bandwidth 5 (%) Max Threshold 16 (packets)
    Class VOICE
      Weighted Fair Queuing
            Strict Priority
            Bandwidth 168 (kbps) Burst 4200 (Bytes)
    Class class-default
      Weighted Fair Queuing
            Flow based Fair Queuing
            Bandwidth 0 (kbps) Max Threshold 6 (packets)
Starting Values; Tune by Observing Ratio of Drops by Service Policy vs. Anti-Replay
class class-default
 fair-queue
 queue-limit 6
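Why a deep queue in a bandwidth class turns into anti-replay drops at the peer, and why a smaller queue-limit moves those drops to the service policy, is easier to see in a small model than in counters. The following is an added example written for this transcript, not from the presentation or from Cisco IOS. The receiver implements the 64-packet sliding window (the size shown on the previous slides); the sender numbers packets at encryption time, before the output policy queues them, which is the ordering that makes queueing delay visible to anti-replay. The traffic mix, the voice/data drain ratio and the slot model are constructed for the simulation and are not measurements from the lab.

```python
"""Model IPSec anti-replay drops caused by queueing after encryption.

Added example, not from the presentation. The receiver side implements the
64-packet sliding window of RFC 2401 (the size IOS uses on the slide). The
sender assigns ESP sequence numbers at encryption time, before the output
service policy queues the packet, so a data packet that waits in a deep
bandwidth-class queue while 64 or more later-numbered voice packets are sent
ahead of it (LLQ) arrives outside the window and is counted as a replay. With
a small queue-limit the same packet is dropped at the sender instead, which
is the 'drop rather than delay' goal of the tuned policy. The traffic mix and
drain rates are constructed for the simulation and are not measurements.
"""
from collections import deque

WINDOW = 64


class AntiReplayWindow:
    """Receiver-side anti-replay check over ESP sequence numbers."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.highest = 0        # right edge of the window
        self.seen = set()       # accepted sequence numbers inside the window
        self.replay_drops = 0

    def accept(self, seq):
        if seq > self.highest:
            # Slide the window forward and forget numbers that fell off the left edge.
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.size}
            self.seen.add(seq)
            return True
        if seq <= self.highest - self.size or seq in self.seen:
            self.replay_drops += 1      # too old for the window, or a duplicate
            return False
        self.seen.add(seq)
        return True


def simulate(queue_limit, slots=400, data_interval=4):
    """Return (policy_drops, replay_drops) after 'slots' time slots.

    Each slot: one voice packet is encrypted and sent at once (priority queue);
    one data packet is encrypted and joins a bandwidth-class queue capped at
    queue_limit (tail drop = drop by the service policy); every data_interval
    slots the class sends one queued data packet.
    """
    seq = 0
    receiver = AntiReplayWindow()
    queue = deque()
    policy_drops = 0
    for t in range(1, slots + 1):
        seq += 1
        receiver.accept(seq)            # voice: numbered and transmitted immediately
        seq += 1                        # data: numbered now, transmitted later
        if len(queue) < queue_limit:
            queue.append(seq)
        else:
            policy_drops += 1
        if t % data_interval == 0 and queue:
            receiver.accept(queue.popleft())
    return policy_drops, receiver.replay_drops


if __name__ == "__main__":
    for limit in (64, 16, 6):
        policy, replay = simulate(limit)
        print(f"queue-limit {limit:2d}: service-policy drops {policy:3d}, "
              f"anti-replay drops {replay:3d}")
```

With the default 64-packet queue the model shows both kinds of drop, and the replay drops are the expensive ones: those packets consumed WAN bandwidth and decryption cycles before being discarded. With queue-limit 6 every drop happens at the sender and the receiver's esp_seq_fail counter stays at zero, which is the ratio the slide says to watch while tuning.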
Slide 104
837 DSL/PPPoE Configuration
ip cef
!
interface Ethernet0
 description Inside
 ip address 10.112.11.129 255.255.255.192
 ip tcp adjust-mss 542
 hold-queue 40 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 dsl power-cutback 0
!
interface ATM0.35 point-to-point
 description DSLAM ->soho1-7200-1 d1408u256
 bandwidth 256
 pvc dsl 0/35
  vbr-nrt 256 256
  tx-ring-limit 3
  pppoe max-sessions 5
  service-policy output llq-branch
  pppoe-client dial-pool-number 1
!
!
interface Dialer1
 bandwidth 256
 ip address negotiated
 ip access-group 102 in
 ip mtu 1492
 encapsulation ppp
 ip tcp adjust-mss 542
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname [email protected]
 ppp chap password 7 [removed]
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map test
Slide 105
831 Cable Configuration
ip cef
!
interface Ethernet0
 description Inside
 ip address 10.112.22.129 255.255.255.192
 ip route-cache flow
 ip tcp adjust-mss 542
 hold-queue 40 out
!
interface Ethernet1
 description Outside
 bandwidth 256
 ip address dhcp
 ip access-group 102 in
 ip route-cache flow
 ip tcp adjust-mss 542
 service-policy output shaper
 crypto map test
!
access-list 102 remark --------Inbound interface ACL----------------
access-list 102 permit esp host 192.168.252.1 any
access-list 102 permit esp host 192.168.252.2 any
access-list 102 permit ip 10.0.0.0 0.255.255.255 10.112.22.0 0.0.0.255
access-list 102 permit udp any eq isakmp any eq isakmp
! Cert Server
access-list 102 permit ip host 192.168.252.6 any
! ubr7111 CMTS (Cable Modem Termination System)
access-list 102 permit ip host 192.168.200.1 any
access-list 102 permit ip host 10.113.1.1 any
access-list 102 permit icmp any 192.168.200.0 0.0.0.255
access-list 102 deny ip any any log
Slide 106
Head End Dynamic Crypto Maps—IPSec Only
ip cef
crypto isakmp policy 1
 encr 3des
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set t2 esp-3des esp-sha-hmac
!
crypto dynamic-map dmap 10
 set transform-set t2
 reverse-route
!
!
crypto map test local-address Loopback0
crypto map test 1 ipsec-isakmp dynamic dmap
!
Digital Certificate Config Not Shown
[Diagram: IPSec Peer 1 and IPSec Peer 2 running HSRP on 192.168.81.0 between the Intranet and the Internet]
Slide 107
Head-End—Dynamic Routing
!
interface FastEthernet0/0
 ip address 10.81.0.3 255.255.255.248
 ip route-cache same-interface          # Router on a Stick
 ip route-cache flow
 crypto map test
!
router eigrp 64
 redistribute static metric 1000 100 255 1 1500 route-map RRI
 passive-interface FastEthernet0/0
 network 192.168.81.0                   # Network of FastEthernet0/1
 no auto-summary
 eigrp log-neighbor-changes
!
!
route-map RRI permit 10
 description Redistribute remote subnets from RRI
 match ip address 1
!
access-list 1 permit 10.81.4.0 0.0.3.255
access-list 1 deny any
Head-End—Intranet Route Advertisement
[Figure: Router/Firewall (.99) on 192.168.80.0 connecting the Intranet (10.1.1.0/29) and the Internet; IPSec Peer 1 (x.y.y.y) and IPSec Peer 2 (x.x.x.x) run HSRP on 192.168.81.0]
ip route x.x.x.x 255.255.255.255 192.168.80.2
ip route x.y.y.y 255.255.255.255 192.168.80.1
ip route 10.1.0.0 255.255.0.0 192.168.80.3
!
# 10.1.0.0/16 is advertised into the Intranet
# x.x.x.x and x.y.y.y are Internet routable addresses

ip route 0.0.0.0 0.0.0.0 192.168.80.99
ip route 10.1.0.0 255.255.0.0 Null0

Both IPSec Peers Default to the Router/Firewall to Avoid Looping Packets for Remote Subnets which DPD Has Removed from the Routing Table
Load Sharing
Equal Cost Logical Links with Affinity to Physical Links
[Figure: branch router (Loopback0 23.0.218.1, LAN 10.96.0.0) with two IPSec/GRE tunnels to head-ends 23.0.32.22 and 23.0.32.23 (10.2.0.0)]
GRE Tunnel Interfaces Source from the Loopback0
Destination Addresses Are 23.0.32.22 And 23.0.32.23
The More Specific Host Routes Are Preferred to the BGP Learned Routes when Both Links Are Up

ip route 23.0.32.22 255.255.255.255 serial0/0.100
ip route 23.0.32.23 255.255.255.255 serial0/0.101

B    23.0.0.0/8 [20/0] via 23.0.32.6, 5d17h
                [20/0] via 23.0.32.2, 5d17h
S    23.0.32.23/32 is directly connected, Serial0/0.101
S    23.0.32.22/32 is directly connected, Serial0/0.100
C    23.0.32.4/30 is directly connected, Serial0/0.101
C    23.0.32.0/30 is directly connected, Serial0/0.100
C    23.0.218.1/32 is directly connected, Loopback0
Load Sharing—Head-End Perspective
Equal Cost Logical Links with Affinity to Physical Links
[Figure: head-end view of the IPSec/GRE tunnels to branch 23.0.218.1 (10.96.0.0): 23.0.218.1/32 learned via BGP; 23.0.218.0/30, 23.0.192.0/19 and 10.96.0.0/16 learned via EIGRP; 23.0.0.0/8 is the aggregate]

router eigrp 23
 network 23.0.0.0
 distribute-list prefix FOLLOWslash19 in
ip prefix-list FOLLOWslash19 seq 5 deny 23.0.192.0/19 ge 30
ip prefix-list FOLLOWslash19 seq 100 permit 0.0.0.0/0 le 32
Availability/Redundancy
[Figure: Branch with two IPSec/GRE tunnels (Tunnel 0, Tunnel 1) to two Head-End IPSec/GRE peers]

Branch#show ip eigrp neighbors
IP-EIGRP neighbors for process 44
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq Type
                                (sec)         (ms)       Cnt Num
1   10.0.101.2      Tu1           10 5w0d       92  5000  0  23
0   10.0.100.2      Tu0           10 5w0d      152  5000  0  26

EIGRP Hellos Maintain IPSec ‘state’ Continually
QoS for Split Tunneling
[Figure: 256K/1.4M DSL link; VOICE 128 Kbps in the Priority Queue; Class-Based Weighted Fair Queuing shares for Corporate 76 Kbps, INTERNETWORK-CONTROL 12 Kbps, CALL-SETUP 5 Kbps and class-default 35 Kbps]

policy-map Split_Tunnel
 class CALL-SETUP
  bandwidth percent 2
 class INTERNETWORK-CONTROL
  bandwidth percent 5
 class VOICE
  priority 128 6400
 class Corporate
  bandwidth percent 30
 class class-default
  fair-queue
  random-detect

interface ATM0.35 point-to-point
 pvc dsl 0/35
  vbr-nrt 256 256
  tx-ring-limit 3
  max-reserved-bandwidth 90
  service-policy output Split_Tunnel
  pppoe-client dial-pool-number 1

Traffic to the Internet Is in class-default
QoS for Split Tunneling
class-map match-all Corporate
 match access-group name Corporate
class-map match-all VOICE
 match ip dscp ef
class-map match-any CALL-SETUP
 match ip dscp af31
 match ip dscp cs3
class-map match-any INTERNETWORK-CONTROL
 match ip dscp cs6
 match access-group name IKE

ip access-list extended Corporate
 permit esp any x.102.223.0 0.0.0.7
ip access-list extended IKE
 permit udp any eq isakmp any eq isakmp

crypto map test 1 ipsec-isakmp
 set peer x.102.223.3
 set peer x.102.223.4
 set transform-set t1
 match address ENCRYPT_This

Packets Other than VOICE, CALL-SETUP and INTERNETWORK-CONTROL in the IPSec Tunnel Will Match the Corporate ACL and Be Placed in the Corporate Bandwidth Class
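An added example (not from the Cisco deck) that models the Split_Tunnel policy above in Python: it applies the class-maps in policy-map order to constructed packets, the way MQC evaluates them, and checks the reservations against max-reserved-bandwidth 90 on the 256 kbps PVC. The Packet fields, the sample addresses and the assumption that tunnel mode copies the inner DSCP into the ESP outer header are mine, not the slide's.

```python
from dataclasses import dataclass

LINK_KBPS = 256                  # vbr-nrt 256 256 on pvc dsl 0/35
MAX_RESERVED_PERCENT = 90        # max-reserved-bandwidth 90
CORPORATE_PREFIX = "x.102.223."  # x.102.223.0 0.0.0.7 from the slide; "x" is the slide's placeholder

@dataclass
class Packet:                    # assumed packet model for this example
    dst: str
    proto: str          # "esp", "udp" or "tcp"
    dscp: str           # "ef", "af31", "cs3", "cs6" or "default"
    sport: int = 0
    dport: int = 0

def in_corporate_acl(p: Packet) -> bool:
    """ip access-list extended Corporate: permit esp any x.102.223.0 0.0.0.7"""
    return (p.proto == "esp" and p.dst.startswith(CORPORATE_PREFIX)
            and int(p.dst.rsplit(".", 1)[1]) < 8)

def in_ike_acl(p: Packet) -> bool:
    """ip access-list extended IKE: permit udp any eq isakmp any eq isakmp"""
    return p.proto == "udp" and p.sport == 500 and p.dport == 500

# Classes in the order policy-map Split_Tunnel lists them; MQC evaluates them
# top-down and the first class that matches wins.  Entry: (name, tests, match-all)
POLICY = [
    ("CALL-SETUP", [lambda p: p.dscp == "af31", lambda p: p.dscp == "cs3"], False),
    ("INTERNETWORK-CONTROL", [lambda p: p.dscp == "cs6", in_ike_acl], False),
    ("VOICE", [lambda p: p.dscp == "ef"], True),
    ("Corporate", [in_corporate_acl], True),
]

def classify(p: Packet) -> str:
    """Name of the class a packet lands in on the ATM0.35 output policy."""
    for name, tests, match_all in POLICY:
        hits = [t(p) for t in tests]
        if all(hits) if match_all else any(hits):
            return name
    return "class-default"   # everything else, including Internet-bound split-tunnel traffic

def reserved_kbps() -> dict:
    """Bandwidth each class reserves: 'priority 128' is absolute, 'bandwidth percent'
    is a share of the 256 kbps interface bandwidth."""
    return {"CALL-SETUP": LINK_KBPS * 2 / 100,
            "INTERNETWORK-CONTROL": LINK_KBPS * 5 / 100,
            "VOICE": 128.0,
            "Corporate": LINK_KBPS * 30 / 100}

def reservation_fits() -> bool:
    """True when the reservations stay within max-reserved-bandwidth."""
    return sum(reserved_kbps().values()) <= LINK_KBPS * MAX_RESERVED_PERCENT / 100

if __name__ == "__main__":
    # Constructed sample packets: tunnelled voice (outer header carries the inner EF),
    # tunnelled data, IKE, and a plain Internet-bound web request
    for p in (Packet("x.102.223.3", "esp", "ef"), Packet("x.102.223.4", "esp", "default"),
              Packet("x.102.223.3", "udp", "default", 500, 500),
              Packet("198.51.100.7", "tcp", "default", 40000, 80)):
        print(p.proto, p.dscp, p.dst, "->", classify(p))
    print("reservations fit:", reservation_fits(), reserved_kbps())
```

Because VOICE matches on DSCP alone and sits above Corporate in the policy, any EF-marked packet, tunnelled or Internet-bound, takes the priority queue; the Corporate class only ever sees ESP traffic that no earlier class claimed.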
Supplemental Information
Enterprise Solutions Engineering Lab
Research Triangle Park, NC
Abstract
• This session will cover best-practice design guidelines to assist the enterprise customer with a successful voice over IP over IPSec VPN deployment; the agenda includes planning and design issues as they relate to voice over IP, QoS, IPSec and Service Provider considerations; configuration examples will be included for the typical deployment models—site to site, small office and home office using access methods of Frame Relay, Internet T1s, Cable and DSL; head-end redundancy and availability will be examined with IPSec only as well as IPSec and GRE tunnels; issues related to traffic load-balancing will also be reviewed
• Performance data from internal testing will be used to guide the attendee in selecting the appropriate product for the desired link speed and number of users; a section on verification and troubleshooting techniques is included, along with a review of common pitfalls and lessons learned from customer and internal Cisco deployments
Serialization Delay
• Prior to path MTU discovery—IP maximum datagram size for ‘off-net’ traffic was 576 bytes
• TCP maximum segment size is the IP max datagram size minus 40 bytes—20 bytes IP header + 20 bytes TCP header, 576–40 = 536 bytes
• MSS option only appears in TCP SYN segments, each end announces its MSS, can be different values by direction
interface Ethernet0
ip address 10.81.3.17 255.255.255.248
ip tcp adjust-mss 542
Crypto Engine QoS
[Figure: VoIP (V) and IP Data (D) packets are classified by CBWFQ at the Output Interface, queued to the Crypto Engine in two queues (LLQ and Best Effort), then forwarded to the Output Interface]
• Crypto engine is a half duplex internal interface
• Must process packets from multiple full duplex I/O interfaces
• Same input queue for encryption or decryption
• LLQ for crypto engine designed to minimize voice latency/jitter
• Enabled by presence of CBWFQ service policy
• Two queues—Low Latency Queue and best effort
• Not a prerequisite to deploying voice over IPSec today
• Applicable as CPU speed increases and/or high % of large packets
Displaying Hardware CE Input Queue Drop
7200VXR ISA/VAM
show pas isa int | include bulk_ring_full
show pas vam int | include ppq_full_err
Enq Fails = Total Input Queue Drops Since Counter Cleared
Entries = Number of Packets Queued at Current Time
2600/3600 AIM (KAOS)
debug crypto engine accelerator kaos stat
show crypto engine accelerator stat | include Enq fails
If Resulting Value Is High And/Or Increasing, Then Over Subscription
Anti-Replay Is Message Integrity
• Message integrity provided by ESP (Encapsulating Security Protocol) Authentication
• Defined in the IPSec transform-set
• Either by SHA-1 or MD5 HMAC (keyed-Hash Message Authentication Code)
crypto ipsec transform-set NOREPLAY esp-3des
crypto ipsec transform-set REPLAY esp-3des esp-sha-hmac
!
crypto map SKOOT 50 ipsec-isakmp
 set peer 192.168.3.1
 set transform-set REPLAY
 match address 101
!
IP Packet Fragmentation
• Fragmenting router process switches to fragment
• Fragmentation done after encryption, before decryption
• End station re-assembles, could be decrypting router
• Process switching and huge buffer (18024 bytes) to re-assemble
• Use path MTU discovery, manually set MTU or look-ahead fragmentation
show ip traffic | include fragmented
530194 fragmented, 0 couldn't fragment
IPSec Transport vs. Tunnel Mode
• Transport mode an option when IPSec and GRE peers terminate on the same router
• Tunnel mode selected for Cisco solution lab testing to provide worst case performance numbers
• Pre-fragmentation for IPSec VPN—12.1(11)E and 12.2(13)T
Feature implemented for IPSec tunnel mode
GRE supported in IPSec tunnel mode
Not implemented for IPSec transport mode
Transport vs. Tunnel Size Delta for G.729 Packet
IPSec ESP Tunnel Mode 136 Bytes
IPSec ESP Transport Mode 120 Bytes

Tunnel mode (bytes):    IPSec Hdr 20 | ESP Hdr 8 | ESP IV 8 | IP Hdr 20 | GRE 4 | IP Hdr 20 | UDP 8 | RTP 12 | Voice 20 | ESP Pad/NH 2–257 | ESP Auth 12
Transport mode (bytes): IP Hdr 20 | ESP Hdr 8 | ESP IV 8 | GRE 4 | IP Hdr 20 | UDP 8 | RTP 12 | Voice 20 | ESP Pad/NH 2–257 | ESP Auth 12
Data-over-Cable Service Interface Specifications (DOCSIS) 1.1
• Service Flow/Service Flow Identifier (SFID)
Service flows can be assigned a QoS parameter set with different characteristics
• Unsolicited Grant Service (UGS)
Allows a cable modem to send fixed amounts of data at a guaranteed rate—used for Voice over IP
• Classifiers
Map VoIP and data traffic into the proper service flow
• Fragmentation
Fragments larger data frames and interleaves them with VoIP
DOCSIS 1.1 Positions the Cable Service Providers to Offer QoS-Enabled Services
G.729 Packet
Cable DOCSIS 1.0
[Figure: DOCSIS frame carrying the IPSec packet: DOCSIS Header 6 Bytes (FC, MAC_PARM, Length, E_HDR[*], HCS) | Ethernet Header 14 Bytes (Destination MAC, Source MAC, Type/Length) | IPSec Packet (45 B8 … IP Packet—IPSec Encrypted) | Ethernet Trailer 4 Bytes (CRC); 112 Bytes]
G.729 = 136 Bytes (54,400 Bps)   G.711 = 280 Bytes (112,000 Bps)
[*] Assuming E_HDR (Extended Header) Length=0, Baseline Privacy Adds 5 Bytes
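An added example (not from the Cisco deck) that rebuilds the figures on the "Transport vs. Tunnel Size Delta" slide (136 and 120 bytes) and on the DOCSIS 1.0 slide (G.729 136 bytes = 54,400 bps, G.711 280 bytes = 112,000 bps) from the header sizes the slides list. The assumptions are mine: ESP-3DES with an 8-byte IV and 8-byte cipher block, esp-sha-hmac with a 12-byte ICV, GRE inside IPSec, and 20 ms voice samples (50 packets per second).

```python
# Header sizes as listed on the slide
IP_HDR, GRE_HDR, UDP_HDR, RTP_HDR = 20, 4, 8, 12
ESP_HDR, ESP_IV, ESP_AUTH = 8, 8, 12        # SPI+sequence, 3DES-CBC IV, truncated SHA-1 HMAC
CIPHER_BLOCK = 8                            # 3DES block size drives the ESP padding (assumed)
PAD_LEN_NH = 2                              # ESP trailer: pad length + next header
PAYLOAD_BYTES = {"g729": 20, "g711": 160}   # 20 ms of audio per packet (assumed)
PACKETS_PER_SECOND = 50

def esp_padding(cleartext_len: int) -> int:
    """Pad bytes so cleartext + pad + trailer fills whole cipher blocks (0..7 here)."""
    return (-(cleartext_len + PAD_LEN_NH)) % CIPHER_BLOCK

def ipsec_packet_size(codec: str, mode: str) -> int:
    """Bytes on the wire for one GRE-encapsulated voice packet protected by ESP."""
    voice_ip = IP_HDR + UDP_HDR + RTP_HDR + PAYLOAD_BYTES[codec]   # inner IP/UDP/RTP/voice
    gre = GRE_HDR + voice_ip
    if mode == "tunnel":
        encrypted = IP_HDR + gre    # GRE delivery header is encrypted; a new outer IP header is added
    elif mode == "transport":
        encrypted = gre             # GRE delivery header is reused as the outer IP header
    else:
        raise ValueError(f"unknown mode {mode!r}")
    encrypted += esp_padding(encrypted) + PAD_LEN_NH
    return IP_HDR + ESP_HDR + ESP_IV + encrypted + ESP_AUTH

def call_bps(codec: str, mode: str = "tunnel") -> int:
    """One direction of a call in bits per second (the slide's 'Bps' figures)."""
    return ipsec_packet_size(codec, mode) * 8 * PACKETS_PER_SECOND

if __name__ == "__main__":
    for codec in PAYLOAD_BYTES:
        for mode in ("tunnel", "transport"):
            print(f"{codec} {mode}: {ipsec_packet_size(codec, mode)} bytes,"
                  f" {call_bps(codec, mode)} bps per direction")
```

The 16-byte tunnel/transport difference is the extra outer IP header minus the smaller padding: the 84-byte tunnel cleartext needs 2 pad bytes, the 64-byte transport cleartext needs 6.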
Chariot™—SAA—Agilent™ Comparison DSL 256K/1.4M
ISP Added Delay Range of 0–60ms
Chariot Delay Is LAN to LAN, Agilent Delay Is Ear to Mouth

Direction        | Chariot RFC1889 Jitter | SAA Computed Jitter | Chariot One-Way Delay | Agilent One-Way Delay
Branch -> Head   | 9.5 ms                 | 6.9 ms              | 62 ms                 | 230 ms
Head -> Branch   | 2.5 ms                 | 4.4 ms              | 25 ms                 | 135 ms
Branch -> Head   | 10.3 ms                | 7.4 ms              | 93 ms                 | 274 ms
Head -> Branch   | 2.1 ms                 | 4.7 ms              | 54 ms                 | 230 ms
Small/Medium Branch Performance
Converged Traffic, QoS-Enabled

Product | VPN HW Accel | # of G.729 Calls | Bi-Dir Voice Kbps | Bi-Dir Data Kbps | Total CPU | Average End-to-end Latency* (ms) | Limiting Factor | Max Line Rate
831     | HIFN79xx     | 3                | 360               | 452              | 59%       | 18                               | Latency         | 512k
1751    | VPN          | 7                | 784               | 1025             | 73%       | 26                               | CPU             | 1280k
1760    | VPN          | 9                | 1008              | 1075             | 73%       | 22                               | CPU             | T1
2651XM  | AIM-EP       | 9                | 1008              | 1356             | 68%       | 22                               | CPU             | T1

*End-to-end Latency through the Network, Incl. Head-End, WAN, and Branch
1721 Performance Not Evaluated—Expected Similar to 1751
GRE and Split Tunneling
[Figure: IPSec/GRE tunnels between sites 10.x.x.0/24 and 10.x.y.0/24 with tunnel subnet 10.x.z.0/30; Loopback Interfaces and WAN Interfaces Are Addressed with a ‘registered’ Address X.X.X.X]
Cisco IOS Routes the Packet; if Output Interface Has Crypto Map and Packet Matches ACL in Map, Encrypt Packet; Otherwise Send in the Clear—in the Case of GRE, If the Route Isn’t through the GRE Tunnel Packets Will Be Forwarded Un-Encrypted
Common Mis-conception That Configuring GRE Tunnels Precludes Using ‘Split’ Tunneling
IKE Keepalive/Dead Peer Detection
• DPD will send an IKE keepalive packet to the peer if no data is seen from the peer during the keepalive interval
• When configured with GRE and EIGRP (5 second hello interval), DPD “are you there” should never be sent
• If they are being sent, you are losing EIGRP hello packets also; look at show ip eigrp neighbors for hold time below multiples of the hello interval
Jan 16 12:56:51 : ISAKMP (0:1): more than 10 seconds since last inbound data. Sending DPD.
Jan 16 12:56:51 : ISAKMP (0:1): DPD Sequence number 0x704EABCB
Jan 16 12:56:51 : ISAKMP (0:1): sending packet to 141.158.245.134 (R) QM_IDLE
Jan 16 12:56:51 : ISAKMP (0:1): received packet from 141.158.245.134 (R) QM_IDLE
Jan 16 12:56:51 : ISAKMP (0:1): processing HASH payload. messageID = -1667280517
Jan 16 12:56:51 : ISAKMP (0:1): processing NOTIFY R_U_THERE_ACK protocol 1
        spi 0, message ID = -1667280517, sa = 82D66828
Jan 16 12:56:51 : ISAKMP (0:1): DPD/R_U_THERE_ACK received from peer 141.158.245.134, sequence…
SRST for the Small/Home Office
[Figure: 1751-V with VIC-2FXO= (10.81.2.1) connected to the VPN and to a POTS line; IP phone extension 2-3685]
!
voice-port 2/0
 connection plar 23685
 description My Home Phone Line
!
!
dial-peer voice 45 pots
 destination-pattern 9
 port 2/0
!
call-manager-fallback
 ip source-address 10.81.2.1 port 2000
 max-ephones 2
 max-dn 2
 access-code fxo 9

Note! Cisco 1751 and 1760 Routers Do Not Come with a PVDM Installed—Cannot Operate VICs Unless a PVDM Is Also Installed—1751-V and 1760-V Products Are Shipped with PVDMs
IP Phone Must Initially Register with Call Manager, but Can Place and Receive Calls via POTS Line if VPN Is Down
AES—Advanced Encryption Standard (Rijndael)
• AES in software is much faster than 3DES in software, because the crypto algorithm itself accounts for the majority of the total elapsed time
• AES in hardware is also much faster than 3DES, but the total throughput difference is small—the amount of time spent in the hardware accelerator is trivial compared to the overhead of getting the packets into and out of the crypto engine
Until AES Is Supported in Hardware Crypto Accelerators on All Routers in the Customer Deployment—Cannot Recommend AES for Voice Enabled IPSec VPNs
Issues for Voice-Enabled IPSec DMVPN
• DMVPN simplifies head-end configuration
• Designs must consider the practical number of routing protocol neighbors
• Requirement to advertise summary routes to spokes
• CEF and DMVPN require feature enhancements for VoIP deployments
Crypto Maps—Cisco IOS 12.2(13)T and Later
• Beginning 12.2(13)T—presence of a crypto map on an interface means “encrypt” then “encapsulate” for the interface
• For packets to be encrypted, they must
Be routed out the interface
Match the ACL in the crypto map
• For GRE, configs with crypto map on both the tunnel and physical interface still work—with ‘permit gre’ in the ACL, the packets will be encapsulated in GRE, encrypted, then encapsulated with the layer 2 header