Designing Voice-Enabled IPSec VPNs

Session VVT-2011

Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.

Agenda

• Overview

• Planning and Design

• Performance

• Pitfalls and Troubleshooting

• Summary

• Appendix


Voice-Enabled IPSec VPNs Deployment Model

(Figure) A central site with a VPN head-end terminates IPSec VPN tunnels across the service provider/Internet to three kinds of remote site: SOHO VPN (Small Office Home Office) teleworkers, site-to-site VPN branches (large and small), and remote access software clients. The three building blocks are:

• Voice over IP (VoIP)

• Quality of Service (QoS)

• IP Security (IPSec)

Overview

• Bandwidth provisioning: IPSec/GRE add overhead to IP packets

• Voice over IP (VoIP) benefits from IPSec encryption hardware acceleration

• Quality of Service (QoS): QoS and IPSec interaction

• Service provider capabilities


WAN Topology—Site to Site

(Figure) Cisco CallManager clusters at the enterprise campus and at the branch. IPSec branch routers (Cisco 17xx/26xx/36xx/37xx) connect over a Frame Relay/Internet T1 service provider to the IPSec head ends at the WAN aggregation point; a certificate authority serves both ends.

• End-to-end QoS available (both the enterprise and the service provider network are QoS-enabled)

WAN Topology—SOHO

(Figure) IPSec SOHO routers (Cisco 837/831/17xx) connect either through a DSL bridge to a DSLAM/IP DSL switch over ATM, or through a cable modem to a broadband router, and then across the service provider to the IPSec head ends, certificate authority and Cisco CallManager at the central site.

Cable (DOCSIS 1.0) and DSL (PPPoE) in the service provider's network are best effort—no QoS.


General Design Recommendations

• Voice and data transport: IPSec tunnel or transport mode protecting Generic Routing Encapsulation (GRE) tunnels for site to site; IPSec only for SOHO and teleworker

• Head-end redundancy: multiple crypto peers with IKE keepalive; routing protocol or GRE keepalive across the tunnel

• Strong crypto (3DES, the strongest option widely available when this deck was written; AES is covered later in the deck) with hardware acceleration

• QoS enabled by the enterprise and by the service provider


Planning and Design

• Voice over IP

• QoS

• IPSec

• Service Provider

• Tools

Voice over IP: An Application with Special Requirements

• Packets arrive at a constant rate

• Arrival rate grows in "per call" increments

• Quality is a function of:

Latency—over 250 ms people start talking over each other

Jitter—the jitter buffer absorbs a reasonable amount of jitter

Drops—less noticeable when spread over time

Consistency—does the performance level vary widely?

• An additional call must not degrade existing calls: Call Admission Control (CAC)


VoIP Design Parameters

• G.729 CODEC (coder-decoder) recommended for links <= T1

• CAC not changed from traditional deployments

• FRF.12/LFI for low speed (<768 kbps) links

• Shaping: use a 10 ms interval (Frame Relay, MLPPP, CBWFQ)

• No changes required to CallManager or IP phones

• Hardware encryption accelerators required for predictable latency and jitter

• Compressed RTP (cRTP) will not compress encrypted packets: the RTP/UDP/IP header is inside the ESP payload by the time the compressor sees it

Hardware Encryption Acceleration

• Jitter more than 50% lower with HW encryption

• Critical for VoIP to minimize latency and jitter

• Supported by all classes of products, 83x through 65xx

Cisco 800 Series Performance Example (charts): average jitter (ms) and average delay (ms) versus link speed (192 kbps and 256 kbps), comparing the 806 (software encryption) with the 831 (hardware encryption).


IPSec and cRTP

(Figure) Traffic destined for an interface is classified; RTP traffic (video, audio, etc.) is handed to the RTP compressor, which squeezes the 40-byte IP/UDP/RTP header (20 + 8 + 12 bytes) down to a few bytes before the packet enters the transmit queue for the output line, while non-RTP traffic goes straight to the configured queuing. With IPSec, the RTP/UDP/IP header is already encrypted when the packet reaches the compressor, so the compressor cannot identify the RTP traffic and nothing is compressed.

IPSec and cRTP

• cRTP functions hop by hop on low speed links; IPSec tunnels often span multiple hops between the VPN site and the head-end VPN

• Development is underway to compress headers prior to encryption

• cRTP not recommended on high-speed links: link efficiency at the expense of CPU consumption


G.711 CODEC with GRE and IPSec

(Figure) Header stack and sizes in bytes, transform set esp-3des esp-sha-hmac:

G.711 voice packet: IP header 20 + UDP 8 + RTP 12 + voice payload 160 = 200 bytes

IP GRE: GRE IP header 20 + GRE 4 + 200 = 224 bytes

IPSec ESP tunnel mode: IPSec IP header 20 + ESP header 8 + ESP IV 8 + [GRE IP header 20 + GRE 4 + IP 20 + UDP 8 + RTP 12 + voice 160 + ESP pad/pad length/next header (8 bytes here, range 2–257)] + ESP authentication 12 = 280 bytes

Everything from the GRE IP header through the ESP pad/next header is encrypted; everything from the ESP header through the pad/next header is authenticated.

G.729 CODEC with GRE and IPSec

(Figure) The same header stack with a 20-byte G.729 payload:

G.729 voice packet: IP header 20 + UDP 8 + RTP 12 + voice payload 20 = 60 bytes

IP GRE: GRE IP header 20 + GRE 4 + 60 = 84 bytes

IPSec ESP tunnel mode: IPSec IP header 20 + ESP header 8 + ESP IV 8 + [GRE IP header 20 + GRE 4 + IP 20 + UDP 8 + RTP 12 + voice 20 + ESP pad/pad length/next header (4 bytes here, range 2–257)] + ESP authentication 12 = 136 bytes

Encrypted from the GRE IP header through the pad/next header; authenticated from the ESP header through the pad/next header.


G.729 CODEC IPSec Only (No GRE)

(Figure) IPSec ESP tunnel mode: IPSec IP header 20 + ESP header 8 + ESP IV 8 + [IP 20 + UDP 8 + RTP 12 + voice 20 + ESP pad/pad length/next header (4 bytes here, range 2–257)] + ESP authentication 12 = 112 bytes

Encrypted from the inner IP header through the pad/next header; authenticated from the ESP header through the pad/next header.

G.729 CODEC IPSec NAT Transparency

NAT transparency is enabled by default beginning in 12.2(13)T. UDP encapsulation (negotiated when IKE detects a NAT device between the peers) inserts an 8-byte UDP header and an 8-byte non-IKE marker between the outer IP header and the ESP header. This feature adds 16 bytes per packet, or 6,400 bps per G.729 call (16 bytes x 8 bits x 50 pps). Where no peer is ever behind NAT it can be disabled:

no crypto ipsec nat-transparency udp-encapsulation

(Figure) IPSec ESP tunnel mode with UDP encapsulation: IP header 20 + UDP header 8 + non-IKE marker 8 + ESP header 8 + ESP IV 8 + [IP 20 + UDP 8 + RTP 12 + voice 20 + ESP pad/pad length/next header 2–257] + ESP authentication 12 = 128 bytes


VoIP + IPSec Bandwidth Calculation

Transform set esp-3des esp-sha-hmac, 50 packets per second per call:

CODEC   pps   GRE and IPSec tunnel mode                  IPSec tunnel mode (no GRE)                  Adding layer 2 overhead
G.711   50    280 bytes per packet = 112,000 bits/sec    256 bytes per packet = 102,400 bits/sec     114K to 128K bits/sec
G.729   50    136 bytes per packet = 54,400 bits/sec     112 bytes per packet = 44,800 bits/sec      56K to 64K bits/sec

G.729 Packet DSL/PPPoE/IPSec

(Figure, hex dump of one upstream frame from an 837) Framing from the outside in:

AAL5 header, 10 bytes: LLC AA AA 03, SNAP 00 80 C2 00 07 (RFC 1483 bridged Ethernet), pad 00 00

Ethernet header, 14 bytes: destination MAC (PPPoE head-end), source MAC (the 837's Ethernet MAC), type/length 88 64 (PPPoE session)

PPPoE/PPP header, 8 bytes: type/version 11, code 00, session ID 00 01, PPP payload length 00 72 (114), PPP protocol 00 21 (IP)

IP packet, 112 bytes: the IPSec-encrypted G.729 packet (45 B8 ..., i.e. IPv4 with ToS 0xB8)

Padding, 40 bytes, then the AAL5 trailer, 8 bytes (including length and CRC)

144 bytes = 112 + 8 + 14 + 10. With the 8-byte AAL5 trailer that is 152 bytes, which rounds up to 4 cells: 4 x 48 = 192 bytes of cell payload (hence the 40 bytes of padding) and 4 x 53 = 212 bytes on the wire. A G.711 packet takes 7 cells.


IP Phones and Voice Quality

• Site to site—Frame Relay and T1: latency, jitter and drops will be similar for the TX path and the RX path, as the QoS policy and link speeds are symmetric

• SOHO—DSL and cable—non-QoS SP:

Asymmetric links—the downstream link is rarely congested, so the lack of QoS downstream has minor impact

Symmetric links—congestion on the downstream link is likely, and the lack of QoS shows up as latency, jitter and drops

Shaping on the uplink (hierarchical CBWFQ) effectively influences uplink data traffic to minimize the impact on VoIP

Voice Quality Ranges—Cable/DSL

Provisioned bandwidth (down/up), from near toll quality at the top of the range to cell phone quality at the bottom: 4M/2M, 1.5M/384K, 1,472K/256K, 1,024K/256K, 864K/160K, 512K/128K, 144K/144K, 128K/128K.

Near toll quality: average up/down jitter 4.8 ms, latency 16 ms, drops < 1/10th %

Cell phone quality: average up/down jitter 10 ms, latency 300 ms, drops 1%

The jitter/latency/drop values are from a lab test environment simulating DSL and cable configurations—no downlink QoS, QoS on the uplink, using a voice and data traffic profile—but with no service provider delay, jitter or drops. Usability in the cell phone quality range is highly subjective.


Latency/Delay Budget

(Figure, campus to branch office across the service provider) Latency < 150 ms ideal, < 250 ms acceptable. Components of the one-way budget:

CODEC: 10–50 ms

Queuing: variable

Encrypt: minimal, 2–10 ms

Serialization: variable

Propagation and network delay: 6.3 µs/km plus network delay

Decrypt: minimal, 2–10 ms

Jitter buffer: 20–100 ms

Hardware-based encryption adds minimal latency.

Spoke-to-Spoke Delay Budget

• Doubles the delay budget outside of the CODEC and jitter buffer (two encrypt/decrypt passes, spoke to hub and hub to spoke)

• Full mesh issue similar to Frame Relay deployments

• In this illustration—an 831 on cable (384K/1.5M) and a 1751 on DSL (256K/1.4M), each reaching 3725 head ends with AIM hardware encryption through a tier 2 ISP and a tier 1 ISP—the round trip time measured between the two routers' Ethernet interfaces (10.81.2.1/29 and 10.81.2.9/29) is 88 milliseconds


Serialization Delay

• Fragmenting large data packets and interleaving voice packets between the data fragments minimizes the serialization delay

• Addressed by layer 2 technologies: Link Fragmentation and Interleaving (LFI) for multilink PPP; FRF.12 for Frame Relay

(Figure) Before: a voice packet waits behind a whole data packet. After: the data packet is fragmented and voice packets are interleaved between the fragments.

However, the predominant service offering of DSL providers is PPPoE, which has no LFI standard. Most cable providers are assumed to be DOCSIS 1.0 or DOCSIS 1.0+, which has no LFI either. DOCSIS 1.1 provides fragmentation and QoS.

A 1500-byte frame at 56K costs 214 ms of serialization delay.

Serialization Delay: Use Layer 4—Transport Layer

How can you influence data packet sizes without a layer 2 fragmentation technique? The router can override the TCP MSS (maximum segment size) and reduce the data packet size, which gives the same interleaving effect at the transport layer:

interface Ethernet0
 ip tcp adjust-mss 542

(Figure) Before: voice behind a 1500-byte frame, 214 ms serialization delay at 56K. After: smaller TCP segments with voice packets between them.

Note that adjust-mss rewrites the MSS option in TCP SYN segments passing through the interface; UDP and other non-TCP data packets are not affected.


Serialization Delay

Approximate maximum delay values based on uplink line rate and segment size, for common DSL and cable rates (the trade-off ip tcp adjust-mss is tuning):

Line rate (kbps)   512 byte   640 byte   768 byte   1500 byte
128                32 ms      40 ms      48 ms      92 ms
256                16 ms      20 ms      24 ms      46 ms
384                12 ms      14 ms      16 ms      32 ms
512                 8 ms      10 ms      12 ms      24 ms
768                 6 ms       8 ms       8 ms      16 ms

IP TCP Adjust-MSS Value DSL/PPPoE

(Figure) MSS value 542 minimizes padding for both IPSec and AAL5:

TCP segment: IP 20 + TCP 20 + MSS 542 = 582 bytes

IPSec ESP tunnel mode, SHA-1/3DES: IPSec IP header 20 + ESP SPI 4 + ESP sequence 4 + ESP IV 8 + [582 + ESP pad 0 + pad length/next header 2] + ESP authentication 12 = 632 bytes (582 + 2 is already a multiple of the 8-byte 3DES block, so no padding is needed)

AAL5: AAL5 header 10 + Ethernet header 14 + PPPoE/PPP 8 + encrypted packet 632 + pad 0 + AAL5 trailer 8 = 672 bytes = exactly 14 cells of 48-byte SAR PDUs, each carried behind a 5-byte ATM header
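The bandwidth calculation, the DSL/PPPoE cell count and the MSS figure above all come from the same few additions. The following calculator reproduces them so the numbers can be re-derived for other codecs, ciphers and links; it is an added example for this page, not code from the Cisco deck. It assumes 20 ms packetization (50 pps, as the deck uses), a 12-byte HMAC-SHA1-96 trailer, the deck's 16-byte NAT-T overhead, RFC 1483 bridged PPPoE framing on AAL5, and the ESP rule that inner packet + padding + pad length/next header is a multiple of the cipher block size (8 bytes for 3DES, 16 for AES-CBC).

```python
"""Added worked example (not from the Cisco deck): packet size, per-call bandwidth,
ATM cell count and serialization delay for IPSec-protected voice and data."""

# Header sizes in bytes (IPv4, ESP per RFC 4303, GRE without options).
IP_HDR = 20
UDP_HDR = 8
RTP_HDR = 12
GRE_HDR = 4
ESP_SPI_SEQ = 8          # SPI (4) + sequence number (4)
ESP_PADLEN_NH = 2        # pad length (1) + next header (1)
ESP_ICV = 12             # HMAC-SHA1-96 authentication trailer
NAT_T_OVERHEAD = 16      # UDP header (8) + non-IKE marker (8), as on the NAT transparency slide
PPPOE_PPP = 8            # PPPoE (6) + PPP protocol (2)
ETHERNET_HDR = 14
AAL5_LLC_SNAP = 10       # RFC 1483 bridged encapsulation (LLC/SNAP + pad)
AAL5_TRAILER = 8
ATM_CELL_PAYLOAD = 48
ATM_CELL = 53

# Cipher -> (IV length, block size) for the ESP CBC modes in the deck.
CIPHERS = {"3des": (8, 8), "aes": (16, 16)}

# Codec -> (voice payload bytes per packet, packets per second) at 20 ms packetization.
CODECS = {"g711": (160, 50), "g729": (20, 50)}


def voip_packet(codec):
    """Plain IP/UDP/RTP voice packet: 200 bytes for G.711, 60 for G.729."""
    payload, _ = CODECS[codec]
    return IP_HDR + UDP_HDR + RTP_HDR + payload


def gre_packet(inner_len):
    """Wrap an IP packet in IP GRE: a new 20-byte IP header plus a 4-byte GRE header."""
    return inner_len + IP_HDR + GRE_HDR


def esp_padding(inner_len, cipher="3des"):
    """ESP padding bytes the cipher block size forces for an inner packet of inner_len."""
    _, block = CIPHERS[cipher]
    return (-(inner_len + ESP_PADLEN_NH)) % block


def esp_tunnel_packet(inner_len, cipher="3des", nat_t=False):
    """ESP tunnel-mode packet size on the wire for an inner IP packet of inner_len bytes."""
    iv_len, _ = CIPHERS[cipher]
    total = (IP_HDR + ESP_SPI_SEQ + iv_len
             + inner_len + esp_padding(inner_len, cipher) + ESP_PADLEN_NH
             + ESP_ICV)
    return total + NAT_T_OVERHEAD if nat_t else total


def call_bandwidth_bps(codec, gre=True, cipher="3des", nat_t=False):
    """Layer 3 bits per second for one call, GRE+IPSec (default) or IPSec only."""
    _, pps = CODECS[codec]
    inner = voip_packet(codec)
    if gre:
        inner = gre_packet(inner)
    return esp_tunnel_packet(inner, cipher, nat_t) * 8 * pps


def atm_cells_pppoe(ip_len):
    """(cells, AAL5 padding bytes) for one IP packet sent as PPPoE over RFC 1483 bridged AAL5."""
    frame = AAL5_LLC_SNAP + ETHERNET_HDR + PPPOE_PPP + ip_len + AAL5_TRAILER
    cells = -(-frame // ATM_CELL_PAYLOAD)          # ceiling division
    return cells, cells * ATM_CELL_PAYLOAD - frame


def tcp_mss_to_cells(mss, cipher="3des"):
    """(ESP packet size, ESP pad bytes, ATM cells, AAL5 pad bytes) for a full TCP segment."""
    segment = IP_HDR + 20 + mss                    # 20-byte TCP header, no options
    esp_len = esp_tunnel_packet(segment, cipher)
    cells, aal5_pad = atm_cells_pppoe(esp_len)
    return esp_len, esp_padding(segment, cipher), cells, aal5_pad


def serialization_delay_ms(frame_bytes, link_kbps):
    """Time to clock one frame onto a link of the given rate, in milliseconds."""
    return frame_bytes * 8 / link_kbps


if __name__ == "__main__":
    for codec in CODECS:
        for gre in (True, False):
            print(codec, "GRE+IPSec" if gre else "IPSec only",
                  call_bandwidth_bps(codec, gre), "bps")
    print("AES, G.729 over GRE:", esp_tunnel_packet(gre_packet(voip_packet("g729")), "aes"), "bytes")
    print("MSS 542 -> (esp, esp pad, cells, aal5 pad):", tcp_mss_to_cells(542))
    print("1500-byte frame at 56 kbps:", round(serialization_delay_ms(1500, 56)), "ms")
```

Running it reproduces the deck's 280/256/136/112-byte packets, the 112,000/102,400/54,400/44,800 bps figures, 4 cells with 40 bytes of padding for an IPSec G.729 packet and 14 cells with no padding for MSS 542. Note that switching the cipher to AES changes both the IV and the padding: the same G.729-over-GRE packet comes out at 152 bytes, not the 144 quoted on the AES slide, because AES-CBC pads to a 16-byte block.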


Impact of Adjusting TCP MSS

Comparing two file transfers using an 837 on a 1.4M/256K DSL circuit over the Internet and an IPSec tunnel; the PC's MTU is set to 1,400 bytes (MSS 1360). Percentages show effective payload throughput of the DSL trained rate (256K).

Without adjust-mss: average packet size 1399 bytes, 3,309 packets, 4,628,988 bytes [*]; ftp: 4,496,620 bytes sent in 183.74 sec or 195.76 kbits/sec (76%)

With ip tcp adjust-mss 542: average packet size 582 bytes, 8,299 packets, 4,828,588 bytes [*]; ftp: 4,496,620 bytes sent in 200.13 sec or 179.76 kbits/sec (70%)

[*] Average packet size at layer 3, number of packets and total bytes as reported by NetFlow.


QoS Design Parameters

• No changes required to the campus QoS configuration or to the traffic classification scheme

• WAN edge QoS is analogous to an IP telephony deployment over a private WAN: Class-Based Weighted Fair Queuing (CBWFQ), Link Fragmentation and Interleave (LFI) for links < 768 kbps, traffic shaping (as appropriate)

• The QoS service policy definition must consider the additional bandwidth requirements due to the VPN; cRTP bandwidth conservation is no longer applicable

QoS Design Parameter Overview

(Figure, headquarters to branch across the service provider) The QoS service policy must consider IPSec overhead.

Campus QoS: continue to use established campus recommendations

WAN edge QoS (Cisco IOS platform): CBWFQ/traffic shaping, low-latency queuing, LFI/FRF.12, ip tcp adjust-mss

Service provider: CBWFQ, low-latency queuing, WRED/MDRR, overprovisioning


PAK_PRIORITY

• Cisco IOS maintains an internal packet priority tag, PAK_PRIORITY, within a router

• EIGRP hello packets are PAK_PRIORITY_HIGH; EIGRP is per hop, but the GRE (logical) tunnel between the VPN sites hides the intermediate routers

• Intermediate (service provider) routers can only prioritize EIGRP hello packets on the ToS byte; PAK_PRIORITY does not apply outside the originating router

• http://www.cisco.com/warp/public/105/rtgupdates.html

IKE Packets—Control Plane for IPSec

• One IPSec tunnel to each head-end: a transmit (encrypt) and a receive (decrypt) security association (SA) to each head-end router

• Also an IKE SA between the branch and each head-end

• The encrypted packets inherit the ToS byte of the original packet

• IKE packets are originated with ToS = 0 (0x00), so the service provider routers between the VPN sites treat them as best effort unless the edge classifies them by access list, which is why the INTERNETWORK-CONTROL class-map that follows matches IKE explicitly


class-map match-all VOICE
 match ip dscp ef
class-map match-any CALL-SETUP
 match ip dscp af31
 match ip dscp cs3
class-map match-any INTERNETWORK-CONTROL
 match ip dscp cs6
 match access-group name IKE
class-map match-all TRANSACTIONAL-DATA
 match ip dscp af21

ToS Byte DSCP Reference Chart

In the ToS byte, bits 7–5 are the IP precedence, bits 7–2 are the DSCP, and bits 1–0 are the unused least significant bits.

ToS hex   ToS decimal   IP precedence            Class-map name          DSCP      Binary
E0        224           7 Network Control                                CS7       11100000
C0        192           6 Internetwork Control   INTERNETWORK-CONTROL    CS6       11000000
B8        184           5 Critical               VOICE                   EF        10111000
A0        160           5 Critical                                       CS5       10100000
80        128           4 Flash Override                                 CS4       10000000
68        104           3 Flash                  CALL-SETUP              AF31      01101000
60        96            3 Flash                  CALL-SETUP              CS3       01100000
48        72            2 Immediate              TRANSACTIONAL-DATA      AF21      01001000
40        64            2 Immediate                                      CS2       01000000
20        32            1 Priority                                       CS1       00100000
00        0             0 Routine                Default                 Default   00000000

Enterprise/SP Edge QoS

• Class-Based Weighted Fair Queuing (CBWFQ)/LLQ enabled on the WAN interface

• Link Fragmentation and Interleaving (LFI/FRF.12) configured where required

• Traffic shaping configured where required

• No support for cRTP on VoIP carried inside IPSec


ToS Byte Copy for GRE and IPSec

(Figure) The layer 3 IPv4 header carries the ToS byte; for a voice packet IP precedence = 5 and DSCP = EF, i.e. 0xB8, binary 10111000. When the packet is encapsulated in GRE, the GRE IP header's ToS byte is copied from the original packet; when the GRE packet is encapsulated in IPSec ESP tunnel mode, the IPSec IP header's ToS byte is copied from the GRE header. The outer header seen by the service provider therefore carries the same 0xB8 as the inner voice packet.

IPv4 header fields, in order: Version/Length, ToS, Len, ID, Offset, TTL, Proto, FCS (header checksum), IP-SA, IP-DA.
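The DSCP chart, the ToS copy through GRE and ESP, and the four class-maps above are easy to get wrong by hand, so here is an added example (mine, not the deck's) that computes them. It builds the inner voice packet and both outer IPv4 headers byte by byte, models the ESP body structurally (SPI/sequence, IV, padding, ICV) without real encryption since the point is what the outer header exposes, and mirrors the class-maps including the access-list match for IKE, which would otherwise land in class-default with its ToS of 0x00. Addresses, ports and the SPI are made-up lab values; protocol numbers are the IANA-assigned ones.

```python
"""Added worked example, not from the Cisco deck: DSCP/ToS arithmetic, the ToS-byte
copy into GRE and IPSec outer headers, and the deck's class-map logic."""
import struct

PROTO_UDP, PROTO_GRE, PROTO_ESP = 17, 47, 50
ESP_BLOCK = 8               # 3DES-CBC block size, as in the deck's esp-3des transform set


def dscp_value(name):
    """DSCP code point from its name: ef, csN, afXY or default."""
    name = name.lower()
    if name == "default":
        return 0
    if name == "ef":
        return 46
    if name.startswith("cs"):                        # class selector: 3-bit precedence, low bits 0
        return int(name[2:]) << 3
    if name.startswith("af"):                        # assured forwarding: class, then drop precedence
        return (int(name[2]) << 3) | (int(name[3]) << 1)
    raise ValueError("unknown DSCP name: " + name)


def tos_byte(dscp_name):
    """ToS byte as carried in the IPv4 header: the DSCP occupies bits 7..2."""
    return dscp_value(dscp_name) << 2


def ip_precedence(tos):
    """Legacy IP precedence is the top three bits of the ToS byte."""
    return tos >> 5


def classify(tos, matches_ike_acl=False):
    """Mirror the deck's class-maps: match on DSCP, or on the IKE access list."""
    dscp = tos >> 2
    if dscp == dscp_value("ef"):
        return "VOICE"
    if dscp in (dscp_value("af31"), dscp_value("cs3")):
        return "CALL-SETUP"
    if dscp == dscp_value("cs6") or matches_ike_acl:
        return "INTERNETWORK-CONTROL"
    if dscp == dscp_value("af21"):
        return "TRANSACTIONAL-DATA"
    return "class-default"


def ipv4_header(tos, total_len, proto, src, dst, ttl=64):
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0, 0, ttl, proto, 0,
                      bytes(src), bytes(dst))
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s >> 16) + (s & 0xFFFF)
    return hdr[:10] + struct.pack("!H", (~s) & 0xFFFF) + hdr[12:]


def voice_packet(tos, rtp_and_voice=b"\x00" * 32):
    """Inner G.729 packet: IPv4 20 + UDP 8 + (RTP 12 + voice 20) = 60 bytes. Made-up addresses."""
    udp = struct.pack("!HHHH", 16384, 16384, 8 + len(rtp_and_voice), 0)
    return ipv4_header(tos, 28 + len(rtp_and_voice), PROTO_UDP,
                       (10, 1, 1, 10), (10, 2, 2, 20)) + udp + rtp_and_voice


def gre_encapsulate(inner):
    """IP GRE: the new outer IP header copies the ToS byte (offset 1) of the inner packet."""
    gre = struct.pack("!HH", 0, 0x0800)               # no options, protocol type IPv4
    return ipv4_header(inner[1], 24 + len(inner), PROTO_GRE,
                       (192, 168, 91, 2), (192, 168, 252, 1)) + gre + inner


def esp_tunnel_encapsulate(inner, spi=0x1000, seq=1):
    """ESP tunnel mode, structure only (no encryption): the IPSec IP header copies the
    ToS byte of the packet it wraps, which for a GRE packet is the GRE IP header."""
    pad_len = (-(len(inner) + 2)) % ESP_BLOCK
    body = (struct.pack("!II", spi, seq) + b"\x00" * 8     # SPI, sequence number, IV
            + inner + bytes(range(1, pad_len + 1))          # RFC 4303 default padding 1, 2, ...
            + bytes([pad_len, 4])                           # pad length, next header = IPv4
            + b"\x00" * 12)                                 # HMAC-SHA1-96 ICV placeholder
    return ipv4_header(inner[1], 20 + len(body), PROTO_ESP,
                       (192, 168, 91, 2), (192, 168, 252, 1)) + body


def outer_tos_chain(dscp_name):
    """ToS byte of the voice packet, of the GRE header and of the ESP outer header."""
    voice = voice_packet(tos_byte(dscp_name))
    gre = gre_encapsulate(voice)
    esp = esp_tunnel_encapsulate(gre)
    return voice[1], gre[1], esp[1]


if __name__ == "__main__":
    for name in ("ef", "af31", "cs3", "af21", "cs6", "default"):
        t = tos_byte(name)
        print(f"{name:7} tos=0x{t:02X} prec={ip_precedence(t)} class={classify(t)}")
    print("ToS through voice/GRE/ESP:", [hex(b) for b in outer_tos_chain("ef")])
    print("IKE (ToS 0x00) without ACL:", classify(0x00), "with ACL:", classify(0x00, True))
```

The packet lengths come out at 60, 84 and 136 bytes, matching the G.729 GRE/IPSec slide, and all three ToS bytes read 0xB8 for EF, which is exactly why the service provider can still queue voice correctly without seeing inside the tunnel, and why IKE needs its own access-list match.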

ToS Byte for VoIP Applications

IP Phones (7960) and Softphone mark DSCP EF/IP precedence 5 for media and DSCP AF31/IP precedence 3 for signaling.

Voice gateway: configurable, so verify:

dial-peer voice 10 voip
 ip qos dscp ef media
 ip qos dscp af31 signaling


QoS Pre-Classify

• Independent of the ToS byte copy to the IPSec IP header

• Maintains the pre-encapsulated IP header for the output QoS policy—port, protocol, src/dst IP address, etc.

• Apply to both the crypto map and the IP GRE tunnel—or just the crypto map if there is no IP GRE tunnel

!
crypto map static-map 10 ipsec-isakmp
 qos pre-classify
!
interface Tunnel1
 ip address 10.62.139.198 255.255.255.252
 qos pre-classify
 delay 60000
 tunnel source 192.168.91.2
 tunnel destination 192.168.252.1
 crypto map static-map
!

(Figure) Data and VoIP packets enter the IPSec router unencrypted and leave encrypted; with pre-classify the router can still make QoS decisions based on elements that are encrypted in the outgoing packets.

QoS Pre-Classify

(Figure) At the input interface the packet is cloned. The original goes through the crypto engine and emerges as an encrypted packet, while the clone's particles (particle 1 ... particle N) are kept alongside it so that QoS classification at the output interface can still read the cleartext headers. This is what lets a class-map such as the following match on an inner address and port that are encrypted on the wire:

class-map match-all TRANSACTIONAL-DATA
 description Order Entry Application TN3270
 match access-group 123

access-list 123 permit tcp any host 10.45.15.1 eq telnet


!
class-map match-all VOICE
 match ip dscp ef
class-map match-any CALL-SETUP
 match ip dscp af31
 match ip dscp cs3
class-map match-any INTERNETWORK-CONTROL
 match ip dscp cs6
 match access-group name IKE
class-map match-all TRANSACTIONAL-DATA
 match ip dscp af21
!

Bandwidth Allocation by Traffic Category

Voice: 33% [*] (target for site to site and small office; includes GRE and IPSec headers/trailers and layer 2 overhead)

Call-Setup: 2%

Internetwork-control: 5%

Transactional Data: 22%

Not allocated: 38%

[*] The teleworker model will provision one G.729 call per remote router.

Policy-map: 17xx/26xx/36xx/37xx Site-to-Site

policy-map llq-branch
 class CALL-SETUP
  bandwidth percent 2
 class TRANSACTIONAL-DATA
  bandwidth percent 22
 class INTERNETWORK-CONTROL
  bandwidth percent 5
 class VOICE
  priority 504
 class class-default
  fair-queue

interface Serial0/0
 bandwidth 1544
 ip address 192.168.154.2 255.255.255.252
 service-policy output llq-branch

priority 504 provisions nine G.729 calls (56 kbps each, GRE and IPSec with layer 2 overhead), about 33% of the T1.


Hierarchical Class-Based Weighted Fair Queuing (CBWFQ): DSL/Cable

Child (queuing) policy:

policy-map llq-branch
 class CALL-SETUP
  bandwidth percent 2
 class TRANSACTIONAL-DATA
  bandwidth percent 22
 class INTERNETWORK-CONTROL
  bandwidth percent 5
 class VOICE
  priority 64
 class class-default
  fair-queue
  random-detect

Parent (shaping) policy, applied to the outside Ethernet facing the DSL/cable (bridge) modem:

policy-map Shaper
 class class-default
  shape average 182400 1824 0
  service-policy llq-branch

interface Ethernet 1
 description Outside
 service-policy output Shaper

priority 64 provisions one G.729 call. For a 256K ADSL trained rate the target bit rate is 182400, with bits per interval 1/100 of that (1824) to yield a 10 ms interval. The shaper provides the congestion feedback that the child queuing policy needs, since the Ethernet link to the modem is never itself congested.

Shaping Illustration (184,200 bps)

(Graph, throughput from the PC's perspective) A G.729 call on an 831 behind a cable modem: data throughput holds at 128 kbps during the call and rises to 184 kbps when the call completes; 128K + 56K = 184K.


Voice-Enabled IPSec VPNs

• Site to site: IP GRE with IPSec tunnel or transport mode; pre-shared keys

• SOHO: IPSec only with dynamic crypto maps, IKE dead peer detection and reverse route injection; digital certificates

• Secure Hash Algorithm (SHA)—HMAC

• Strong (3DES) encryption for Internet Key Exchange (IKE) and IPSec

• Diffie-Hellman Group 2 (1024-bit) for IKE

• Default lifetimes for IKE (24 hr) and IPSec (1 hr)

No changes from a typical VPN deployment configuration. (These were the usual 2003 choices; 3DES and 1024-bit DH group 2 are below current minimums, and a new deployment would use AES and a larger DH group.)


Anti-Replay Window

• Designed to detect packet capture and replay by a third party—part of message integrity protection

• Sender assigns an increasing sequence number per security association (SA) to each encrypted packet

• Receiver maintains a 64-packet sliding window

• Window marks packets as received or not; a duplicate of a packet already marked received is dropped

• Window moves to the right to include higher sequence numbers

• Packets to the left of the window are dropped

(Figure, anti-replay in action) The 64-packet window has advanced to cover sequence numbers 4 through 67. Packet 3 arrives late; it is outside the window and is dropped by anti-replay.


Anti-Replay and QoS Interaction

Expected Results

• Default Service Policy (Configuration): Anti-Replay Drops .5–1.5% Total Packets; Service Policy Drops Minimal

• Tuned Service Policy (Configuration): Anti-Replay Drops 1/10th% Total Packets; TRANSACTIONAL-DATA Drops Minimal; Class-default Drops 1%

• DSCP Based Anti-Replay Window (Future Development): Anti-Replay Drops Eliminated; Service Policy Drops Similar to Non-IPSec Network
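An added example (not from the Cisco deck) of the receiver's 64-packet sliding window described above, plus a constructed model of the QoS interaction: ESP sequence numbers are assigned when the packet is encrypted, so a data packet that then waits in the output queue behind priority voice traffic can arrive more than 64 sequence numbers late and be discarded as a replay. The window bookkeeping follows the RFC 2401 bitmap scheme; the traffic mix, the queue hold time and the 128-entry window used for comparison are assumptions.

```python
# Added example (not from the Cisco deck): receiver-side IPSec anti-replay
# window (RFC 2401 bitmap style) and a constructed model of the sender's
# service policy letting voice packets overtake already-numbered data packets.

WINDOW = 64  # the deck's window size


class AntiReplayWindow:
    """Sliding window for one Security Association (one direction)."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) was received

    def accept(self, seq):
        """Return True if seq is new and inside the window, else False.

        A real implementation verifies the ICV before touching the window;
        this model covers only the window bookkeeping.
        """
        if seq <= 0:
            return False                      # ESP never uses sequence 0
        if seq > self.top:                    # window moves right
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1               # everything older falls off
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # left of the window: too old
        if self.bitmap & (1 << offset):
            return False                      # already marked: replay
        self.bitmap |= 1 << offset            # mark as received
        return True


def sample_stream(n=200):
    """Constructed traffic: every 4th packet is data, the rest voice.
    Sequence numbers follow encryption order, i.e. before queueing."""
    return [(seq, "data" if seq % 4 == 0 else "voice") for seq in range(1, n + 1)]


def deliver_with_priority_queue(packets, data_hold):
    """Constructed model of the sender's service policy: voice leaves at once
    (priority class); a data packet leaves only after `data_hold` later
    packets have been processed. Numbering is untouched, so arrival order
    differs from sequence order."""
    sent, queue = [], []
    for i, pkt in enumerate(packets):
        if pkt[1] == "voice":
            sent.append(pkt)
        else:
            queue.append((i, pkt))
        while queue and i - queue[0][0] >= data_hold:
            sent.append(queue.pop(0)[1])
    sent.extend(pkt for _, pkt in queue)      # drain at end of the run
    return sent


def replay_drops(delivered, window=WINDOW):
    """Count packets the receiver's anti-replay check discards, per class."""
    win = AntiReplayWindow(window)
    drops = {"voice": 0, "data": 0}
    for seq, kind in delivered:
        if not win.accept(seq):
            drops[kind] += 1
    return drops


if __name__ == "__main__":
    stream = sample_stream()
    for hold in (10, 70):
        print("hold", hold, replay_drops(deliver_with_priority_queue(stream, hold)))
    # A larger window (assumed value) absorbs the same reordering.
    print("hold 70, window 128", replay_drops(deliver_with_priority_queue(stream, 70), 128))
```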


AES—Advanced Encryption Standard (Rijndael)

• Bandwidth provisioning changes: 16 byte IV for ESP-AES vs. 8 byte IV for ESP-3DES; AES CBC (Cipher Block Chaining) mode; 60 byte G.729 call encrypts to 144 bytes vs. 136 for 3DES

• Verify AES is supported by platform’s hardware acceleration module

• To enable AES, your router must support IPSec and long keys (the "k9" subsystem)

• Performance difference between AES and 3DES using hardware acceleration is much less than when encryption is done in software

crypto ipsec transform-set FOO esp-aes esp-sha-hmac


Service Provider Offerings (figure). Labels: Current Offerings: SOHO/Teleworker, Non QoS Broadband Access, No SLA for Voice, Cell to Toll Quality—Edge QoS; Site to Site, Over Provisioned, SLA for Voice, Toll Quality, Edge QoS, Core QoS; Near Future: QoS Broadband Access (DOCSIS 1.1), Edge QoS. Elements: Enterprise, Ent Edge Router, Service Provider, Core; flows: Voice, Data.


Service Provider Recommendations

• New Cisco powered network designation created—“IP multiservice VPN”

Delivers end-to-end service level agreements to ensure voice/video quality

• Service level agreement (per CPN Service Provider document)

Packet loss <= .5%; Delay <= 60ms one way; Jitter <= 20ms

• SPs are responsible for meeting the terms of the SLAs they provide to enterprises

Similar to private Frame Relay today

• Contiguous service provider recommended


Cisco Powered Network Service Providers VPN/IP Multiservice

http://www.cisco.com/pcgi-bin/cpn/cpn_pub_bassrch.pl


Head-End Redundancy IPSec Reverse Route Injection

Remote crypto map with two head-end peers:

crypto map test 1 ipsec-isakmp
 set peer x.x.x.x
 set peer x.y.y.y

If the Head-End Peers Share a Common Point in the Enterprise Topology, You Can Advertise a Summary Route to the Core for the Teleworker Subnets

Teleworker ‘Link Flaps’ Are Hidden from the Network Core

(figure: Teleworkers reach head-end peers x.x.x.x and x.y.y.y over the Internet; teleworker subnets 10.1.1.0/29 and 10.1.1.8/29 are injected at the head-ends and summarized as 10.1.0.0/16 toward the Corporate Intranet)


Head-End Redundancy IPSec Reverse Route Injection

When Peers Are Separated, at Least One of the Head-Ends Must Inject the More Specific Routes into the Core

Teleworker ‘Link Flaps’ Seen in the Network Core

(figure: same remote crypto map, set peer x.x.x.x and set peer x.y.y.y; the head-ends sit at different points of the Corporate Intranet, so the teleworker subnets 10.1.1.0/29 and 10.1.1.8/29 appear in the core alongside the 10.1.0.0/16 summary; Teleworkers connect over the Internet)


Load Sharing

Assuming Multiple IPSec/GRE Tunnels and Multiple Physical (T1) Links

Options Include

• Un-equal cost logical links with per-packet to physical links: packets of an IPSec Security Association (SA) traverse multiple paths to the peer

• Per-packet to equal cost logical links with affinity to physical links: packets of any one call traverse multiple links

• Logical links with bundled physical links (Inverse Multiplexing over ATM (IMA)/Multilink PPP): packets of any one call remain in the same IPSec SA and bundled physical link

• Per-source/dest (CEF) equal cost logical links with affinity to physical links: packets of any one call remain in the same IPSec SA and physical link


Monitoring Tools

• Service Assurance Agent (SAA) www.cisco.com/go/saa

• Netflow www.cisco.com/go/netflow

• Internetwork Performance Monitor (IPM) www.cisco.com/go/ipm

• NetIQ Chariot™ www.netiq.com


Service Assurance Agent (SAA) www.cisco.com/go/saa

• Embedded software within Cisco IOS devices which performs active monitoring

• Measures Service Level Agreements (SLAs) and aids in troubleshooting

• For Voice/IPSec can be used via CLI to:

Generate network traffic to establish IPSec tunnels in dynamic crypto map configurations

History will log RTT (Round Trip Times) and packet loss for debugging

Measures latency and jitter by simulating voice calls


Sample SAA Configuration

rtr 12
 type echo protocol ipIcmpEcho 172.26.1.2 source-ipaddr 10.81.2.1
 request-data-size 164
 tos 192
 frequency 90
 lives-of-history-kept 1
 buckets-of-history-kept 60
 filter-for-history all
rtr schedule 12 start-time now life forever

joeking-vpn#show rtr operational-state 12
Entry number: 12
Modification time: 16:29:55.298 est Wed Mar 5 2003
Number of operations attempted: 5559
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 44
Latest operation start time: 11:26:55.301 est Tue Mar
Latest operation return code: OK
RTT Values:
RTTAvg: 44 RTTMin: 44 RTTMax: 44
NumOfRTT: 1 RTTSum: 44 RTTSum2: 1936

Every 90 Seconds Source an ICMP off the Inside Interface; ToS Is Internetwork Control

show rtr history tabular

For Dynamic Crypto Maps Builds/Maintains IPSec SAs


SAA Configuration—UDP Jitter

rtr 18
 type jitter dest-ipaddr 10.81.2.9 dest-port 9 source-ipaddr 10.81.2.1 source-port 9 num-packets 200
 request-data-size 172
 tos 184
 frequency 600
rtr schedule 18 start-time now life forever

joeking-vpn#show rtr operational-state 18
RTT Values:
NumOfRTT: 200 RTTAvg: 91 RTTMin: 89 RTTMax: 119
RTTSum: 18323 RTTSum2: 1680195
Packet Loss Values:
PacketLossSD: 0 PacketLossDS: 0
PacketOutOfSequence: 0 PacketMIA: 0 PacketLateArr …
Jitter Values:
MinOfPositivesSD: 1 MaxOfPositivesSD: 8
NumOfPositivesSD: 60 SumOfPositivesSD: 159
MinOfNegativesSD: 1 MaxOfNegativesSD: 8
NumOfNegativesSD: 63 SumOfNegativesSD: 161
MinOfPositivesDS: 1 MaxOfPositivesDS: 25
NumOfPositivesDS: 83 SumOfPositivesDS: 252
MinOfNegativesDS: 1 MaxOfNegativesDS: 18
NumOfNegativesDS: 69 SumOfNegativesDS: 250

SD = Source to Dest; DS = Dest to Source

Average Jitter of All Test Packets Source to Dest: ( 159 + 161 )/200 = 1.6ms (Lower = Better)
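An added example (not Cisco's code) of the bookkeeping behind the probe's Jitter Values and RTT Values, and of the average-jitter formula the slide applies to probe 18. The 20 ms send interval, the per-packet delays and the millisecond timestamps are constructed; the standard-deviation helper is an addition showing what the exported RTTSum2 counter is for.

```python
# Added example (not Cisco's code): the counters behind the SAA UDP jitter
# probe's "Jitter Values" and "RTT Values", and the deck's average-jitter
# formula. Timestamps are constructed values in milliseconds.

import math


def jitter_values(send_ms, recv_ms):
    """SAA-style one-direction jitter counters (e.g. SD = source to dest).

    For consecutive probe packets, jitter = (arrival gap) - (send gap).
    Positive means the gap grew, negative that it shrank; pairs with zero
    jitter are counted in neither bucket.
    """
    positives, negatives = [], []
    for i in range(1, len(send_ms)):
        j = (recv_ms[i] - recv_ms[i - 1]) - (send_ms[i] - send_ms[i - 1])
        if j > 0:
            positives.append(j)
        elif j < 0:
            negatives.append(-j)           # SAA reports magnitudes

    def bucket(vals):
        return {"Min": min(vals) if vals else 0,
                "Max": max(vals) if vals else 0,
                "Num": len(vals),
                "Sum": sum(vals)}

    return {"Positives": bucket(positives), "Negatives": bucket(negatives)}


def average_jitter_ms(values, num_packets):
    """The deck's formula: (SumOfPositives + SumOfNegatives) / num-packets."""
    return (values["Positives"]["Sum"] + values["Negatives"]["Sum"]) / num_packets


def rtt_values(rtts):
    """The RTT counters SAA exports; RTTSum2 is the sum of squared RTTs."""
    return {"NumOfRTT": len(rtts), "RTTAvg": sum(rtts) // len(rtts),
            "RTTMin": min(rtts), "RTTMax": max(rtts),
            "RTTSum": sum(rtts), "RTTSum2": sum(r * r for r in rtts)}


def rtt_stddev_ms(rtt_sum, rtt_sum2, n):
    """Population standard deviation recovered from the exported sums only,
    which is the reason SAA keeps RTTSum2 next to RTTSum."""
    mean = rtt_sum / n
    return math.sqrt(max(rtt_sum2 / n - mean * mean, 0.0))


# Constructed probe: 10 packets sent every 20 ms with these one-way delays.
SEND_MS = [20 * i for i in range(10)]
DELAY_MS = [40, 40, 43, 41, 41, 41, 49, 41, 41, 41]
RECV_MS = [s + d for s, d in zip(SEND_MS, DELAY_MS)]

if __name__ == "__main__":
    v = jitter_values(SEND_MS, RECV_MS)
    print(v, average_jitter_ms(v, len(SEND_MS)))
    # The deck's probe 18 figures: (159 + 161) / 200 = 1.6 ms
    print(average_jitter_ms({"Positives": {"Sum": 159}, "Negatives": {"Sum": 161}}, 200))
    print(rtt_stddev_ms(18323, 1680195, 200))
```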


Netflow www.cisco.com/go/netflow

!
interface FastEthernet0/0
 description Inside
 ip address 10.81.2.1 255.255.255.248
 …
 ip route-cache flow
 …
!
interface Ethernet0/0
 description Outside
 ip address dhcp
 …
 ip route-cache flow
 …
end

Use Extensively as a Stand-Alone Tool for Traffic and Application Analysis on Remote and Head-End Routers

Netflow Provides a Metering Base for

• Usage-based network billing

• Network monitoring

• Network planning

• Network traffic accounting

• Troubleshooting


Netflow—Interactive Monitoring

joeking-vpn#show ip cache verb flow
IP packet size distribution (1325939 total packets):
…
Protocol    Total  Flows  Packets  Bytes  Packets  Active(Sec)  Idle(Sec)
--------    Flows  /Sec   /Flow    /Pkt   /Sec     /Flow        /Flow
TCP-Telnet    174  0.0    66       45     0.0      25.8         12.9
TCP-WWW       642  0.0    13       322    0.0      1.9          3.9
TCP-other   82850  0.1    2        112    0.2      0.1          15.4
UDP-DNS        55  0.0    1        66     0.0      0.5          15.4
…
IP-other    23360  0.0    23       233    0.6      12.2         15.4
Total:     183895  0.2    7        194    1.6      1.7          15.4

SrcIf  SrcIPaddress   DstIf  DstIPaddress   Pr TOS Flgs Pkts
Port Msk AS            Port Msk AS           NextHop      B/Pk Active
Fa0/0  10.81.2.4      Et0/0  64.102.2.71    06 68  18   1
C714 /29 0             07D0 /0  0            192.168.1.1  52   0.0
Et0/0  64.102.87.106  Local  10.81.2.1      06 00  18   2
08BD /0  0             0017 /29 0            0.0.0.0      41   0.1
Et0/0  xx.102.223.3   Local  192.168.1.102  32 00  10   301
D439 /0  0             E999 /0  0            0.0.0.0      207  60.8
Et0/0  10.81.2.9      Local  10.81.2.1      11 B8  10   200
0009 /0  0             0009 /29 0            0.0.0.0      200  4.0

This Illustrates How to Use Netflow to Verify the UDP Jitter Probe: Protocol = 0x11 (UDP), ToS = 0xB8 (DSCP = EF), 200 Packets in the Flow, Active for 4 Seconds, and the Layer 3 Size Was 200 Bytes
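An added example (not Cisco's code) that parses the two-line records of the verbose flow cache and performs the check described above: find the probe flow and confirm it is UDP, marked EF, and carries the configured packet count at the expected layer-3 size (request-data-size plus 28 bytes of UDP and IP headers). The sample records are constructed from the flow entries shown on this slide; the protocol and DSCP name tables are assumptions limited to the values needed here.

```python
# Added example (not Cisco's code): parse "show ip cache verbose flow"
# records and verify the SAA UDP jitter probe flow the way the deck does.
# SAMPLE is constructed from the flow records on the slide.

IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}
DSCP_NAME = {0: "BE", 26: "AF31", 46: "EF", 48: "CS6"}

SAMPLE = """\
SrcIf  SrcIPaddress   DstIf  DstIPaddress   Pr TOS Flgs Pkts
Port Msk AS            Port Msk AS           NextHop      B/Pk Active
Fa0/0  10.81.2.4      Et0/0  64.102.2.71    06 68  18   1
C714 /29 0             07D0 /0  0            192.168.1.1  52   0.0
Et0/0  10.81.2.9      Local  10.81.2.1      11 B8  10   200
0009 /0  0             0009 /29 0            0.0.0.0      200  4.0
"""


def parse_verbose_flows(text):
    """Each flow is two lines: interfaces/addresses/protocol/ToS/flags/packets,
    then ports (hex), masks, AS numbers, next hop, bytes per packet, active secs."""
    lines = [ln for ln in text.splitlines() if ln.strip()][2:]   # drop the headers
    flows = []
    for first, second in zip(lines[0::2], lines[1::2]):
        a, b = first.split(), second.split()
        tos = int(a[5], 16)
        flows.append({
            "src_if": a[0], "src_ip": a[1], "dst_if": a[2], "dst_ip": a[3],
            "proto": int(a[4], 16), "tos": tos, "dscp": tos >> 2,
            "tcp_flags": int(a[6], 16), "packets": int(a[7]),
            "src_port": int(b[0], 16), "dst_port": int(b[3], 16),
            "next_hop": b[6], "bytes_per_pkt": int(b[7]),
            "active_sec": float(b[8]),
        })
    return flows


def describe(flow):
    """One-line human-readable summary of a parsed flow."""
    proto = IP_PROTO.get(flow["proto"], str(flow["proto"]))
    dscp = DSCP_NAME.get(flow["dscp"], str(flow["dscp"]))
    return (f"{proto} {flow['src_ip']}:{flow['src_port']} -> "
            f"{flow['dst_ip']}:{flow['dst_port']} dscp={dscp} "
            f"pkts={flow['packets']} B/pkt={flow['bytes_per_pkt']} "
            f"active={flow['active_sec']}s")


def verify_jitter_probe(flows, dst_ip, dst_port, num_packets, l3_size):
    """Locate the probe flow and check what the slide checks: UDP, marked EF
    (ToS 0xB8), the configured packet count and layer-3 size.
    Returns (flow, list of problems); an empty list means the probe looks right."""
    for f in flows:
        if f["proto"] == 17 and f["dst_ip"] == dst_ip and f["dst_port"] == dst_port:
            problems = []
            if f["dscp"] != 46:
                problems.append(f"not EF: dscp={f['dscp']}")
            if f["packets"] != num_packets:
                problems.append(f"packets={f['packets']}, expected {num_packets}")
            if f["bytes_per_pkt"] != l3_size:
                problems.append(f"B/pkt={f['bytes_per_pkt']}, expected {l3_size}")
            return f, problems
    return None, ["probe flow not found"]


if __name__ == "__main__":
    flows = parse_verbose_flows(SAMPLE)
    for f in flows:
        print(describe(f))
    # Probe 18 on the earlier slide: request-data-size 172, dest-port 9, num-packets 200;
    # the flow seen here is the responder's return leg toward 10.81.2.1.
    print(verify_jitter_probe(flows, "10.81.2.1", 9, 200, 172 + 28))
```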


Internetwork Performance Monitor (IPM) www.cisco.com/go/ipm

Interfaces with SAA Display Network Latency, Jitter, Availability, Packet Loss, and Errors

IPM Is a Network Response Time and Availability Troubleshooting Application


IPM (Internetwork Performance Monitor) Hop by Hop Performance Troubleshooting

• Cisco IOS SA Agent provides performance analysis of each hop in the path between two networked devices

• IPSec tunnels will overlay the service provider portion of the network—with the exception of the CPE routers

• IPSec tunnels will appear as ‘one hop’ to IPM/SAA

• IPM hop by hop feature provides a means for the enterprise to verify the service provider is within the SLA

(figure: IPM Source Devices at each end; IPSec Tunnels across the Service Provider)


Enterprise Solutions Engineering Design/Test Topology (figure). Components: Universal Broadband Router Cisco ubr 7111; Cable Modem 925; DSL Bridge 837; Cisco 837; Cisco 831 (PPPoE Session); IP DSL Switch Cisco 6015; ATM; Chariot™ End-Point(s); End-Point(s) and 7960 IP Phones; Empirix Packet Sphere™ Model 200; IPSec Head Ends: 65xx (Site to Site), 7200VXR, 3660, 37x5; 75XX WAN Aggregation; Stratacom Frame-Relay/HDLC 128K to E1 Speeds; 480+ Branch Routers (Cisco 17xx 26xx 36xx 37xx); Call Manager; Certificate Authority; SOHO; FastEthernet.


ESE Solution Test Traffic Profile (512K) Excludes GRE and IPSec Headers/Trailers

Percent of Bytes with Average Packet Size (NetFlow™ Protocol-Port-ToS Aggregation Exported and Summarized); each entry is packet size in bytes (application) share of bytes (figure, reconstructed)

Downstream, Average Packet Size = 188:

• 1052 (FTP Get) 53.5%

• 60 (VoIP) 22.2%

• 377 (WWW-2 Immed) 10.2%

• 176 (WWW) 5.9%

• 462 (POP3) 3.4%

• 124 (DNS) 2.1%

• 44 (FTP Put) 1.0%

• 889 (TN3270) .9%

• 1016 (TN3270-2 Immed) .9%

Upst
ream, Average Packet Size = 144:

• 1044 (FTP Put) 57.6%

• 60 (VoIP) 27.4%

• 109 (WWW-2 Immed) 5.3%

• 72 (WWW) 4.2%

• 131 (DNS) 2.8%

• 45 (FTP Get) 1.9%

• 45 (POP3) .3%

• 89 (TN3270) .2%

• 89 (TN3270-2 Immed) .2%


Head-End Performance Detail: Converged Traffic, QoS-Enabled (1)

6500 Is IPSec Only; All Others Are IPSec and GRE

Product | VPN HW Accel | # of G.729 Calls | Voice Mbps | Data Mbps | Total CPU or Backplane Utilization (3) | Average End-to-End Latency (2) (ms)

3745 | AIM-II | 60 | 7.2 | 16.0 | 75% | 18

7200-300 | VAM | 109 | 13.1 | 25.4 | 80% | 21

7200-400 | VAM | 156 | 18.7 | 34.8 | 80% | 21

7200-G1 | VAM | 240 | 28.8 | 49.3 | 80% | 18

6500 | VPN Svc | 4140 | 417 | 867 | 20% | 16

(1) QoS-Enabled, but on a Separate WAN Aggregation Device at Central Site
(2) End-to-End Latency through the Network, Incl. Head-End, Cloud, and Branch
(3) 6500 Reported % Is Backplane Utilization


High-End Branch Performance Detail: Converged Traffic, QoS-Enabled

Product | VPN HW Accel | # of G.729 Calls | Bi-Dir Voice Mbps | Bi-Dir Data Mbps | Total CPU | Average End-to-end Latency* (ms) | Max Line Rate | Limiting Factor

3660 | AIM-II | 60 | 6.7 | 9.7 | 74% | 44 | 10M | CPU

2691 | AIM-II | 60 | 6.7 | 10.0 | 79% | 44 | 10M | CPU

3725 | AIM-II | 60 | 6.7 | 10.0 | 60% | 33 | 25M | CPU

3745 | AIM-II | 150 | 16.8 | 25.1 | 75% | 33 | 25M | CPU

*End-to-End Latency through the Network, Incl. Head-End, WAN, and Branch


ESE Teleworker Traffic Profile Excludes IPSec Headers/Trailers

Percent of Bytes with Average Packet Size; NetFlow™ Protocol-Port-ToS Aggregation—10 Minute Chariot Test, 831 PPPoE G.729—837 as a DSL Bridge; ip tcp adjust-mss 536

Downstream: 38 Megabytes, 1.4Mbps, Average Packet Size = 376 Bytes: FTP 94%, Voice 4.5%, [ * ] 1.5%

Upstream: 7.9 Megabytes, Shaped to 184 Kbps, Average Packet Size = 115 Bytes: FTP 76%, Voice 21.7%, [ * ] 2.3%

[ * ] ICMP DNS TN3270 CALL-SETUP POP3 HTTPTEXT


Teleworker Performance Detail: Converged Traffic, QoS (Uplink)

Product | VPN HW Accel | Number of G.729 Calls | Link Rate (K) Down/up | Service | Bi-dir Data kbps | Avg End-to-End Latency* | Average Jitter | Total CPU

831 | HIFN79xx | 1 | 1536/384 | Cable | 974 | 16.5ms | 4.8ms | 53%

831 | HIFN79xx | 1 | 1024/256 | Cable | 687 | 14.1ms | 4.3ms | 45%

831 | HIFN79xx | 1 | 1536/384 | ADSL | 648 | 41ms | 5.1ms | 40%

837 | HIFN79xx | 1 | 1536/384 | ADSL | 764 | 45ms | 7.3ms | 53%

831 | HIFN79xx | 1 | 1408/256 | ADSL | 373 | 43ms | 6.2ms | 29%

831 | HIFN79xx | 1 | 864/160 | ADSL | 206 | 54ms | 6.2ms | 24%

*End-to-End Latency through the Network, Incl. Head-End, WAN, and Branch; It Does Not Include Any Delay Inserted to Simulate a Service Provider Network

The 831 Tests Use a DSL/Cable Bridge to Connect to the Broadband Service; The QoS Configuration Is Hierarchical CBWFQ Using a Shaper


Troubleshoot the Basics

• Teleworker environment contains troubleshooting issues which are outside the helpdesk’s control

• Examples—home wiring, DSL filters, SP provided termination equipment

This DSL Filter Would Cause an Interface Flap on the 837’s DSL Interface Approximately Every 20 Minutes—Replacing the Filter Addressed the Problem


RFC1918 Addressing/SOHO

• Avoid allocating RFC 1918 addresses at headquarters which may be used at remote locations—remote router will see 192.168.1.0/24 as local

• Duplicating address at remote locations is OKAY

(figure: DSL Modem—Firewall—Router—NAT/PAT with IPSec Passthru; addresses shown: DHCP 192.168.1.43/24 and 192.168.1.101/24; IPSec Tunnel)


IPSec through NAT/PAT

• Residential DSL providers bundle a DSL router/firewall with the service

• Cable subscribers install 3rd party Ethernet/Ethernet router/firewalls

• However, not all implementations properly support this function!

• An IPSec transform set which includes ‘AH’ will fail, because AH hashes the IP header that NAT/PAT rewrites

Provides for Dynamic NAT/PAT for IPSec

rtr-vpn-1750#show ip nat trans | incl esp
esp xx.74.162.156:0 192.168.10.7:A336AEF0 xx.102.223.4:0 xx.102.223.4:0
esp xx.74.162.156:0 192.168.10.7:0 xx.102.223.4:0 xx.102.223.4:67785E

(figure: addresses shown: 192.168.10.7 via DHCP, 10.1.81.0/24 via DHCP, xx.74.162.156 via DHCP or PPPoE, head-end xx.102.223.4; IPSec Tunnel)


Identifying Remote ‘Link Flaps’: Head-End with Dynamic Crypto Maps and DPD/RRI, Remote Location Reporting Intermittent Loss of Connectivity

gw2(config)#access-list 99 permit 10.81.2.208 0.0.0.7
gw2(config)#access-list 99 permit 10.81.4.64 0.0.0.7

gw2#debug ip routing 99
IP routing debugging is on for access list 99

Mar 21 10:03:38 est: RT: del 10.81.4.64/29 via 0.0.0.0, static metric [1/0]
Mar 21 10:03:38 est: RT: delete subnet route to 10.81.4.64/29
Mar 21 10:04:02 est: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=xx.218.223.4, prot=50, spi=0x3C62D0CC(1013108940), srcaddr=xx.40.46.1
Mar 21 10:04:21 est: RT: add 10.81.4.64/29 via 192.168.81.3, eigrp metric [170/2588160]

10:03:38 lines: Remote Subnet Being Deleted from This Head-End Routing Table, DPD Removing Route

10:04:21 line: Remote Subnet Connected to, and Now Learned from, Primary Head-End via EIGRP
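An added example (not Cisco's code) that picks the flap pattern shown above out of debug and syslog lines: the RRI static route withdrawn when DPD tears the SA down, an invalid-SPI message while the remote is still sending on an SA this head-end no longer holds, and the subnet re-learned via EIGRP from the other head-end. The sample lines are constructed from the slide (the xx. octets are kept as printed, and a second withdrawn prefix is added to show a remote that has not come back); timestamps are assumed to fall on the same day.

```python
# Added example (not Cisco's code): detect teleworker 'link flaps' in
# "debug ip routing" / CRYPTO syslog output from a head-end using DPD and RRI.
import re

TS = r"^(?P<ts>\w{3} \d+ \d\d:\d\d:\d\d) \w+: "
RT_DEL = re.compile(TS + r"RT: del (?P<prefix>\S+) via \S+, (?P<src>\w+) metric")
RT_ADD = re.compile(TS + r"RT: add (?P<prefix>\S+) via (?P<nh>\S+), (?P<src>\w+) metric")
INV_SPI = re.compile(TS + r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*spi=(?P<spi>0x[0-9A-Fa-f]+)"
                     r".*srcaddr=(?P<peer>\S+)")

# Constructed from the slide's output; the last line is an added second prefix
# (from the slide's access-list 99) that is withdrawn and never re-learned.
SAMPLE_LINES = [
    "Mar 21 10:03:38 est: RT: del 10.81.4.64/29 via 0.0.0.0, static metric [1/0]",
    "Mar 21 10:03:38 est: RT: delete subnet route to 10.81.4.64/29",
    "Mar 21 10:04:02 est: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has "
    "invalid spi for destaddr=xx.218.223.4, prot=50, spi=0x3C62D0CC(1013108940), "
    "srcaddr=xx.40.46.1",
    "Mar 21 10:04:21 est: RT: add 10.81.4.64/29 via 192.168.81.3, eigrp metric [170/2588160]",
    "Mar 21 10:05:00 est: RT: del 10.81.2.208/29 via 0.0.0.0, static metric [1/0]",
]


def seconds(ts):
    """Seconds since midnight from 'Mon DD HH:MM:SS' (same-day assumption)."""
    h, m, s = map(int, ts.split()[-1].split(":"))
    return h * 3600 + m * 60 + s


def parse_event(line):
    """Classify one line as a route deletion, route addition or invalid-SPI
    message; anything else (e.g. 'delete subnet route') returns None."""
    for kind, rx in (("del", RT_DEL), ("add", RT_ADD), ("inv_spi", INV_SPI)):
        m = rx.match(line)
        if m:
            event = m.groupdict()
            event["kind"], event["t"] = kind, seconds(event["ts"])
            return event
    return None


def find_flaps(lines):
    """Pair each withdrawn RRI static route (the DPD case) with the next
    addition of the same prefix. Returns (flaps, prefixes still withdrawn);
    each flap carries the outage length and any peers that sent packets
    with an unknown SPI while the route was down."""
    events = [e for e in map(parse_event, lines) if e]
    flaps, pending, spi_msgs = [], {}, []
    for e in events:
        if e["kind"] == "del" and e["src"] == "static":
            pending[e["prefix"]] = e
        elif e["kind"] == "inv_spi":
            spi_msgs.append(e)
        elif e["kind"] == "add" and e["prefix"] in pending:
            start = pending.pop(e["prefix"])
            flaps.append({
                "prefix": e["prefix"],
                "down_at": start["ts"], "up_at": e["ts"],
                "outage_sec": e["t"] - start["t"],
                "relearned_from": f"{e['src']} via {e['nh']}",
                "invalid_spi_peers": sorted({s["peer"] for s in spi_msgs
                                             if start["t"] <= s["t"] <= e["t"]}),
            })
    return flaps, list(pending)


if __name__ == "__main__":
    flaps, still_down = find_flaps(SAMPLE_LINES)
    for f in flaps:
        print(f"{f['prefix']}: down {f['outage_sec']}s, back {f['relearned_from']}, "
              f"stale-SPI peers {f['invalid_spi_peers']}")
    print("still withdrawn:", still_down)
```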


Summary

• VoIP over IPSec enables enterprises to use VPNs as transport for voice and data:

Design guide: www.cisco.com/go/v3pn

Cisco networking solutions: www.cisco.com/en/US/netsol/

(figure: V3PN at the intersection of IPSec, VoIP and QoS)


Appendix

Enterprise Solutions Engineering Lab

Research Triangle Park, NC


Configuration

• IKE and IPSec

• Frame Relay

• T1

• DSL

• Cable

• Head-End

• Load sharing

• Redundancy


Voice Enable IPSec: Recommended Minimum Cisco IOS Versions

All Cisco IOS Releases Need to Have 3DES IPSec Support

Cisco Product Family | SW Release

Cisco 830 Series VPN Routers | 12.2(11)YV

Cisco 1700 Series VPN Routers | 12.2(4)YB

Cisco 2600 Series VPN Routers | 12.2(11)T1

Cisco 3600 Series VPN Routers | 12.2(11)T1

Cisco 3700 Series VPN Routers | 12.2(11)T1

Cisco 7100 VPN Routers | 12.1(9)E

Cisco 7200VXR VPN Routers | 12.1(9)E


Crypto IKE Configuration Sample

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key bigsecret address 192.168.252.1
crypto isakmp key bigsecret address 192.168.251.1
!

Verify Using: show crypto isakmp policy

ISAKMP—Internet Security Association and Key Management Protocol

Callouts: encr 3des = Triple DES; authentication pre-share = Pre-Shared Keys; group 2 = Diffie-Hellman Group 2, 1024-bit


Crypto IPSec Configuration Sample

!
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac
!
crypto map static-map local-address Serial0/0.1
crypto map static-map 10 ipsec-isakmp
 set peer 192.168.252.1
 set transform-set vpn-test
 match address vpn-static1
 qos pre-classify
crypto map static-map 20 ipsec-isakmp
 set peer 192.168.251.1
 set transform-set vpn-test
 match address vpn-static2
 qos pre-classify
!

Verify Using: show crypto map; show crypto ipsec transform-set

Callouts: esp-3des = Encryption—Triple DES; esp-sha-hmac = Authentication—SHA; match address = Access-List Matches GRE Tunnel End-Points


Crypto Configurations Sample Branch Access-List

!
interface Serial0/0.1 point-to-point
 ip address 192.168.217.2 255.255.255.252
 . . . .
!
ip access-list extended vpn-static1
 permit gre host 192.168.217.2 host 192.168.252.1
ip access-list extended vpn-static2
 permit gre host 192.168.217.2 host 192.168.251.1
!

(figure: Branch Serial0/0.1 192.168.217.2 with IPSec/GRE Peers at the Head-End, 192.168.252.1 and 192.168.251.1)


Crypto Configuration Sample Branch GRE Tunnel Interfaces

! Primary
interface Tunnel0
 ip address 10.63.81.194 255.255.255.252
 ip summary-address eigrp 1 10.63.81.0 255.255.255.0 5
 qos pre-classify
 tunnel source 192.168.217.2
 tunnel destination 192.168.252.1
 crypto map static-map
! Backup
interface Tunnel1
 ip address 10.63.81.198 255.255.255.252
 ip summary-address eigrp 1 10.63.81.0 255.255.255.0 5
 delay 60000
 qos pre-classify
 tunnel source 192.168.217.2
 tunnel destination 192.168.251.1
 crypto map static-map

Tunnel 1 Delay Is Higher than Default


Crypto Configuration Sample Branch EIGRP

!
router eigrp 1
 network 10.0.0.0
 no auto-summary
 ! manual summarization out Tunnel interfaces
 eigrp stub summary
 eigrp log-neighbor-changes


Crypto Configuration SOHO

crypto isakmp policy 1
 encr 3des
 group 2
crypto isakmp keepalive 10
!
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac
!
crypto map test 10 ipsec-isakmp
 set peer 192.168.252.1
 set peer 192.168.252.2
 set transform-set vpn-test
 match address 103
! qos pre-classify not available in
! c831-k9o3sy6-mz.122-11.YV
!
interface Ethernet1
! No crypto map on PPPoE
interface Dialer1
...
 crypto map test
!
access-list 103 permit ip 10.112.12.0 0.0.0.255 10.0.0.0 0.255.255.255

(figure: SOHO router Ethernet 1 with IPSec Peers at the Head-End, 192.168.252.1 and 192.168.252.2)


WAN Edge QoS Configuration Frame Relay

!
interface Serial0/0
 bandwidth 512
 no ip address
 encapsulation frame-relay
 frame-relay traffic-shaping          ! Frame Relay traffic shaping required for FRF.12
!
interface Serial0/0.100 point-to-point
 bandwidth 512
 ip address 192.168.1.1 255.255.255.252
 frame-relay interface-dlci 100 class ts-branch
 crypto map GRE
!
map-class frame-relay ts-branch
 no frame-relay adaptive-shaping
 frame-relay cir 486400               ! shape to 95% CIR
 frame-relay bc 4864                  ! Frame Relay traffic shaping interval 10 ms
 frame-relay be 0
 frame-relay mincir 486400            ! service policy calculated on mincir
 service-policy output llq-branch
 frame-relay fragment 640             ! fragment size 10 ms
!


Branch Frame Relay Traffic Shaping and LFI Parameters

Line Rate (Kbps)   CIR/minCIR (bps)   TS bc (bits)   LFI (Bytes)
1536               1459200            14592          N/A
1024               972800             9728           N/A
768                729600             7296           1000
512                486400             4864           640
256                243200             2432           320
128                121600             1216           160


WAN Edge QoS Configuration HDLC

!
policy-map 1536kb
 class CALL-SETUP
  bandwidth percent 2
 class TRANSACTIONAL-DATA
  bandwidth percent 22
 class INTERNETWORK-CONTROL
  bandwidth percent 5
 class VOICE
  priority 504
 class class-default
  fair-queue
!
interface Serial0/0
 bandwidth 1536
 ip address 192.168.154.2 255.255.255.252
 service-policy output 1536kb
 crypto map static-map
!
end

Create the policy-map and apply it to the interface. No Layer 2 fragmentation (LFI/FRF.12) is required on a T1; congestion feedback is provided by the clock rate of the interface.


7500 policy-map

policy-map 192kb
 class CALL-SETUP
  bandwidth percent 2
 class TRANSACTIONAL-DATA
  bandwidth percent 22
  queue-limit 16                 ! rejected on the 75xx; use the two lines below instead
  fair-queue
  fair-queue queue-limit 16
 class INTERNETWORK-CONTROL
  bandwidth percent 5
 class VOICE
  priority 56
 class class-default
  fair-queue
  fair-queue queue-limit 6
  queue-limit 6                  ! rejected on the 75xx; use the two lines above instead

75xx requires WFQ in bandwidth classes to change the queue-limit:

R1(config-if)#service-policy out FOO
queue-limit is invalid command w/o other queueing feature.

fair-queue queue-limit specifies the per-flow queue limit. In the case of a WAN aggregation router with IPSec traffic flowing through the router, WFQ creates flows on the IPSec peers' source and destination IP addresses, ToS byte and protocol (ESP = 50), so enabling WFQ in a bandwidth class may still only see one flow in the class. As a side note, qos pre-classify has no bearing in this case.


7500 shaper

policy-map 192kb-shaper
 class class-default
  shape average 176000 704 0
  service-policy 192kb

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_r/qrfcmd9.htm#1102948

Calculations:

7513(config-pmap-c)#shape average 192000
configured results in ->
shape average 192000 768 768

95% of 192 kbps is 182400 bps

7513(config-pmap-c)#shape average 182400
Target Bit Rate 182400 needs to be multiple of 8000.

so 182400 / 8000 = 22.8, round down to a whole number: 22 * 8000 = 176000

7513(config-pmap-c)#shape average 176000
configured results in ->
shape average 176000 704 704

remove the burst excess value:
shape average 176000 704 0

704 / 176000 = .004 = 4 milliseconds measurement interval (default)

dCEF is required for VIP interfaces.
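The arithmetic behind the Frame Relay shaping table (slide 94) and the shape average steps above, as an added example that is not from the Cisco session. It assumes the 10 ms shaping interval, the 95% shaping target and the 8000 bps rounding the slides state; note the table lists 1000 bytes for the 768 kbps fragment where the 10 ms rule computes 960.

```python
# Added example (not from the Cisco session): reproduces the shaper arithmetic
# behind the branch Frame Relay table and the 7500 "shape average" calculation.


def frts_parameters(line_rate_kbps, interval_ms=10, shape_pct=95, lfi_max_kbps=768):
    """Branch Frame Relay traffic-shaping and LFI parameters for one line rate.

    cir/mincir : 95% of the line rate, in bps
    bc         : bits allowed per 10 ms shaping interval (cir * 0.010)
    fragment   : bytes that take 10 ms to serialize at the line rate; FRF.12
                 fragmentation is only used at 768 kbps and below, so None above
    """
    line_rate_bps = line_rate_kbps * 1000
    cir = line_rate_bps * shape_pct // 100
    bc = cir * interval_ms // 1000
    if line_rate_kbps <= lfi_max_kbps:
        fragment = line_rate_bps * interval_ms // 1000 // 8
    else:
        fragment = None
    return {"cir": cir, "mincir": cir, "bc": bc, "be": 0, "fragment": fragment}


def shape_average_7500(bandwidth_kbps, shape_pct=95, interval_ms=4):
    """Reproduce the 7500 'shape average' steps: 95% of the link, rounded DOWN
    to a multiple of 8000 bps (the parser rejects other target rates), bc for the
    default 4 ms measurement interval, and be forced to 0 (no excess burst)."""
    target = bandwidth_kbps * 1000 * shape_pct // 100      # 192000 -> 182400
    rate = target // 8000 * 8000                           # 182400 -> 176000
    bc = rate * interval_ms // 1000                        # 176000 -> 704
    return {"rate": rate, "bc": bc, "be": 0, "command": f"shape average {rate} {bc} 0"}


if __name__ == "__main__":
    for kbps in (1536, 1024, 768, 512, 256, 128):
        print(kbps, frts_parameters(kbps))
    print(shape_average_7500(192)["command"])
```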


7500 service-policy

interface Serial4/0/0/1:1
 description vpn15-2600-21-240
 bandwidth 192
 ip address 192.168.80.5 255.255.255.252
 load-interval 30
 tx-ring-limit 1
 service-policy output 192kb-shaper
 no fair-queue
!


17/26/36/37 service-policy

interface Serial0/0
 bandwidth 192
 ip address 192.168.93.2 255.255.255.252
 load-interval 30
 tx-ring-limit 1
 tx-queue-limit 1 [*]
 service-policy output 192kb-shaper
 crypto map static-map

The TX ring is the unprioritized FIFO buffer used to store frames before transmission. Interface drivers set unique default TX ring values based on the bandwidth amount; the WIC-1T and WIC-2T default to different values, 2 and 1.

!
vpnjk-2600-2#show controllers serial 0/0 | include tx_limited
tx_limited=1(2)
vpnjk-2600-2(config)#interface serial 0/0
vpnjk-2600-2(config-if)#tx-ring-limit ?
  <1-32767>  Number (ring limit)
vpnjk-2600-2(config-if)#tx-ring-limit 1
!
vpnjk-2600-2#show controllers serial 0/0 | include tx_limited
tx_limited=1(1)

[*] Parser includes tx-queue-limit by default.


How to Identify Anti-Replay Drops

Look at the esp_seq_fail counter (pkt_replay_err):

vpn18-2600-6#show crypto engine accelerator stat | include esp_seq_fail
esp_prot_absent: 0 esp_seq_fail: 1775 esp_spi_failure: 0

vpn3-7200-2#show pas isa interface
vpn3-7200-2#show pas vam interface

Rate limited syslog message on most platforms:

06:17:00: %HW_VPN-1-HPRXERR: Hardware VPN0/2: Packet Encryption/Decryption error, status=4615

CSCdy07256—show pas vam int—is missing…
CSCdy34396—…log msg not rate limited


Output Service Policy—Default Values

Diagram: the classes VOICE, CALL-SETUP, TRANSACTIONAL-DATA, INTERNETWORK-CONTROL and CLASS-DEFAULT feed the 64 packet anti-replay sliding window; Max Threshold 64 (packets) for each bandwidth class.

R1#show policy-map | begin class-default
    Class class-default
      Weighted Fair Queuing
            Flow based Fair Queuing
            Bandwidth 0 (kbps) Max Threshold 64 (packets)


Output Service Policy—Tuned Values

Diagram: the same classes (VOICE, CALL-SETUP, TRANSACTIONAL-DATA, INTERNETWORK-CONTROL, CLASS-DEFAULT) each with a queue-limit applied ahead of the 64 packet anti-replay sliding window; the queue-limit is adjusted by the relative importance of the class.

Goal: make the service policy more aggressive; drop rather than delay.


Anti-Replay Optimized Service Policy

R1#show policy-map
  Policy Map llq-branch
    Class CALL-SETUP
      Weighted Fair Queuing
            Bandwidth 2 (%) Max Threshold 64 (packets)
    Class TRANSACTIONAL-DATA
      Weighted Fair Queuing
            Bandwidth 22 (%) Max Threshold 16 (packets)
    Class INTERNETWORK-CONTROL
      Weighted Fair Queuing
            Bandwidth 5 (%) Max Threshold 16 (packets)
    Class VOICE
      Weighted Fair Queuing
            Strict Priority
            Bandwidth 168 (kbps) Burst 4200 (Bytes)
    Class class-default
      Weighted Fair Queuing
            Flow based Fair Queuing
            Bandwidth 0 (kbps) Max Threshold 6 (packets)

class class-default
 fair-queue
 queue-limit 6

Starting values; tune by observing the ratio of drops by the service policy vs. anti-replay.
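A constructed model of the interaction the slides above describe, added here and not part of the Cisco session: ESP sequence numbers are assigned when a packet is encrypted, before it waits in the output queue, so a data packet held behind a deep bandwidth-class queue while voice keeps leaving the priority queue can reach the peer more than 64 sequence numbers late and fail anti-replay. The traffic pattern is invented to make the effect visible; the 64 packet window and the queue-limit values are the ones from the slides.

```python
# Added example (not from the Cisco session): why a smaller queue-limit trades
# service-policy drops for anti-replay drops. Sequence numbers are stamped at
# encryption time, so time spent in the output queue ages the packet relative
# to the decrypting peer's 64 packet window.
from collections import deque

WINDOW = 64   # anti-replay sliding window size shown on the slides


class AntiReplayWindow:
    """Receiver-side ESP anti-replay check with a sliding bitmap window."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.mask = (1 << size) - 1
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set => sequence number (highest - i) seen

    def accept(self, seq):
        """True if seq is accepted; False if it would be counted as esp_seq_fail."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & self.mask if shift < self.size else 1
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False          # older than the window: replay drop
        if (self.bitmap >> diff) & 1:
            return False          # duplicate inside the window: replay drop
        self.bitmap |= 1 << diff
        return True


def simulate(queue_limit, ticks=2000):
    """Constructed traffic model: one packet leaves the link per tick, a voice
    packet arrives on three ticks out of four (priority class, served first) and
    a data packet arrives every tick (bandwidth class, tail-dropped once the
    queue holds queue_limit packets). Returns the counters to compare:
    drops by the service policy vs. drops by anti-replay at the peer."""
    rx = AntiReplayWindow()
    voice_q, data_q = deque(), deque()
    seq = 0
    stats = {"policy_drops": 0, "replay_drops": 0, "voice_ok": 0, "data_ok": 0}
    for t in range(ticks):
        if t % 4 != 3:                      # voice packet encrypted, then queued
            seq += 1
            voice_q.append(("voice", seq))
        seq += 1                            # data packet encrypted, then queued
        if len(data_q) < queue_limit:
            data_q.append(("data", seq))
        else:
            stats["policy_drops"] += 1      # dropped by queue-limit instead of delayed
        if voice_q:                         # strict priority: voice leaves first
            kind, s = voice_q.popleft()
        elif data_q:
            kind, s = data_q.popleft()
        else:
            continue
        if rx.accept(s):
            stats[kind + "_ok"] += 1
        else:
            stats["replay_drops"] += 1      # esp_seq_fail at the decrypting peer
    return stats


if __name__ == "__main__":
    for limit in (64, 16, 6):
        print(f"queue-limit {limit:2d}: {simulate(limit)}")
```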


837 DSL/PPPoE Configuration

ip cef
!
interface Ethernet0
 description Inside
 ip address 10.112.11.129 255.255.255.192
 ip tcp adjust-mss 542
 hold-queue 40 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 dsl power-cutback 0
!
interface ATM0.35 point-to-point
 description DSLAM -> soho1-7200-1 d1408u256
 bandwidth 256
 pvc dsl 0/35
  vbr-nrt 256 256
  tx-ring-limit 3
  pppoe max-sessions 5
  service-policy output llq-branch
  pppoe-client dial-pool-number 1
!
!
interface Dialer1
 bandwidth 256
 ip address negotiated
 ip access-group 102 in
 ip mtu 1492
 encapsulation ppp
 ip tcp adjust-mss 542
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname [email protected]
 ppp chap password 7 [removed]
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map test


831 Cable Configuration

ip cef
!
interface Ethernet0
 description Inside
 ip address 10.112.22.129 255.255.255.192
 ip route-cache flow
 ip tcp adjust-mss 542
 hold-queue 40 out
!
!
interface Ethernet1
 description Outside
 bandwidth 256
 ip address dhcp
 ip access-group 102 in
 ip route-cache flow
 ip tcp adjust-mss 542
 service-policy output shaper
 crypto map test
!
access-list 102 remark --------Inbound interface ACL----------------
access-list 102 permit esp host 192.168.252.1 any
access-list 102 permit esp host 192.168.252.2 any
access-list 102 permit ip 10.0.0.0 0.255.255.255 10.112.22.0 0.0.0.255
access-list 102 permit udp any eq isakmp any eq isakmp
access-list 102 permit ip host 192.168.252.6 any        # Cert Server
access-list 102 permit ip host 192.168.200.1 any        # ubr7111 CMTS (Cable Modem Termination System)
access-list 102 permit ip host 10.113.1.1 any
access-list 102 permit icmp any 192.168.200.0 0.0.0.255
access-list 102 deny ip any any log


Head End Dynamic Crypto Maps—IPSec Only

ip cef
crypto isakmp policy 1
 encr 3des
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set t2 esp-3des esp-sha-hmac
!
crypto dynamic-map dmap 10
 set transform-set t2
 reverse-route
!
!
crypto map test local-address Loopback0
crypto map test 1 ipsec-isakmp dynamic dmap
!

Diagram: IPSec Peer 1 and IPSec Peer 2 between the Internet and the Intranet, running HSRP on 192.168.81.0. Digital certificate config not shown.


Head-End—Dynamic Routing

!
interface FastEthernet0/0
 ip address 10.81.0.3 255.255.255.248
 ip route-cache same-interface     # Router on a Stick
 ip route-cache flow
 crypto map test
!
router eigrp 64
 redistribute static metric 1000 100 255 1 1500 route-map RRI
 passive-interface FastEthernet0/0
 network 192.168.81.0              # Network of FastEthernet0/1
 no auto-summary
 eigrp log-neighbor-changes
!
!
route-map RRI permit 10
 description Redistribute remote subnets from RRI
 match ip address 1
!
access-list 1 permit 10.81.4.0 0.0.3.255
access-list 1 deny any


Head-End—Intranet Route Advertisement

ip route x.x.x.x 255.255.255.255 192.168.80.2
ip route x.y.y.y 255.255.255.255 192.168.80.1
ip route 10.1.0.0 255.255.0.0 192.168.80.3
!
# 10.1.0.0/16 is advertised into the Intranet
# x.x.x.x and x.y.y.y are Internet routable addresses

ip route 0.0.0.0 0.0.0.0 192.168.80.99
ip route 10.1.0.0 255.255.0.0 Null0

Both IPSec peers default to the Router/Firewall to avoid looping packets for remote subnets which DPD has removed from the routing table.

Diagram: Router/Firewall (.99) on 192.168.80.0 with .1, .2 and .3; IPSec Peer 1 (x.y.y.y) and IPSec Peer 2 (x.x.x.x) running HSRP on 192.168.81.0 between the Internet and the Intranet; 10.1.1.0/29 on the Intranet side.


Load Sharing
Equal Cost Logical Links with Affinity to Physical Links

Diagram: branch router with Loopback0 23.0.218.1 serving 10.96.0.0 and 10.2.0.0, with two IPSec/GRE tunnels to the head-end addresses 23.0.32.22 and 23.0.32.23.

GRE tunnel interfaces source from the Loopback0; destination addresses are 23.0.32.22 and 23.0.32.23. The more specific host routes are preferred to the BGP learned routes when both links are up.

ip route 23.0.32.22 255.255.255.255 serial0/0.100
ip route 23.0.32.23 255.255.255.255 serial0/0.101

B    23.0.0.0/8 [20/0] via 23.0.32.6, 5d17h
                [20/0] via 23.0.32.2, 5d17h
S    23.0.32.23/32 is directly connected, Serial0/0.101
S    23.0.32.22/32 is directly connected, Serial0/0.100
C    23.0.32.4/30 is directly connected, Serial0/0.101
C    23.0.32.0/30 is directly connected, Serial0/0.100
C    23.0.218.1/32 is directly connected, Loopback0


Load Sharing—Head-End Perspective
Equal Cost Logical Links with Affinity to Physical Links

Diagram: the head-end reaches the branch loopback 23.0.218.1/32 via BGP (23.0.0.0/8), while 23.0.218.0/30, 23.0.192.0/19 and 10.96.0.0/16 are learned via EIGRP over the IPSec/GRE tunnels.

router eigrp 23
 network 23.0.0.0
 distribute-list prefix FOLLOWslash19 in

ip prefix-list FOLLOWslash19 seq 5 deny 23.0.192.0/19 ge 30
ip prefix-list FOLLOWslash19 seq 100 permit 0.0.0.0/0 le 32
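How the FOLLOWslash19 distribute-list above sorts the EIGRP-learned prefixes, as an added example that is not part of the session. It implements ip prefix-list ge/le matching with first-match and implicit-deny semantics; the routes tested are the ones named on the slide.

```python
# Added example (not from the Cisco session): evaluate the FOLLOWslash19
# prefix list so the filtered and accepted prefixes can be checked offline.
import ipaddress

PREFIX_LIST = [                      # (seq, action, prefix, ge, le) as configured
    (5, "deny", "23.0.192.0/19", 30, None),
    (100, "permit", "0.0.0.0/0", None, 32),
]


def entry_matches(route, prefix, ge, le):
    """ip prefix-list entry semantics: the route must fall inside the entry's
    prefix and its length must satisfy ge/le; with neither keyword the length
    must equal the entry's own length."""
    entry = ipaddress.ip_network(prefix, strict=False)
    if not route.subnet_of(entry):
        return False
    if ge is None and le is None:
        return route.prefixlen == entry.prefixlen
    low = ge if ge is not None else entry.prefixlen
    high = le if le is not None else route.max_prefixlen
    return low <= route.prefixlen <= high


def prefix_list_action(route_str, entries=PREFIX_LIST):
    """First matching entry wins; a prefix list ends with an implicit deny."""
    route = ipaddress.ip_network(route_str, strict=False)
    for _seq, action, prefix, ge, le in sorted(entries, key=lambda e: e[0]):
        if entry_matches(route, prefix, ge, le):
            return action
    return "deny"


if __name__ == "__main__":
    for r in ("23.0.218.0/30", "23.0.218.1/32", "23.0.192.0/19", "10.96.0.0/16"):
        print(r, prefix_list_action(r))
```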


Availability/Redundancy

Branch#show ip eigrp neighbors
IP-EIGRP neighbors for process 44
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq Type
                                        (sec)         (ms)       Cnt Num
1   10.0.101.2              Tu1           10 5w0d       92  5000  0  23
0   10.0.100.2              Tu0           10 5w0d      152  5000  0  26

Diagram: Branch with Tunnel 0 and Tunnel 1 to the IPSec/GRE peers at the head-end.

EIGRP hellos maintain IPSec 'state' continually.


QoS for Split Tunneling

Diagram: 256K/1.4M DSL link with a priority queue for VOICE (128 Kbps) and class-based weighted fair queuing for Corporate (76 Kbps), INTERNETWORK-CONTROL (12 Kbps), CALL-SETUP (5 Kbps) and class-default (35 Kbps). Traffic to the Internet is in class-default.

policy-map Split_Tunnel
 class CALL-SETUP
  bandwidth percent 2
 class INTERNETWORK-CONTROL
  bandwidth percent 5
 class VOICE
  priority 128 6400
 class Corporate
  bandwidth percent 30
 class class-default
  fair-queue
  random-detect

interface ATM0.35 point-to-point
 pvc dsl 0/35
  vbr-nrt 256 256
  tx-ring-limit 3
  max-reserved-bandwidth 90
  service-policy output Split_Tunnel
  pppoe-client dial-pool-number 1


QoS for Split Tunneling

class-map match-all Corporate
 match access-group name Corporate
class-map match-all VOICE
 match ip dscp ef
class-map match-any CALL-SETUP
 match ip dscp af31
 match ip dscp cs3
class-map match-any INTERNETWORK-CONTROL
 match ip dscp cs6
 match access-group name IKE

ip access-list extended Corporate
 permit esp any x.102.223.0 0.0.0.7
ip access-list extended IKE
 permit udp any eq isakmp any eq isakmp

crypto map test 1 ipsec-isakmp
 set peer x.102.223.3
 set peer x.102.223.4
 set transform-set t1
 match address ENCRYPT_This

Packets other than VOICE, CALL-SETUP and INTERNETWORK-CONTROL in the IPSec tunnel will match on the Corporate ACL and be placed in the Corporate bandwidth class.


Supplemental Information

Enterprise Solutions Engineering Lab

Research Triangle Park, NC


Abstract

• This session will cover best-practice design guidelines to assist the enterprise customer with a successful voice over IP over IPSec VPN deployment; the agenda includes planning and design issues as they relate to voice over IP, QoS, IPSec and service provider considerations; configuration examples will be included for the typical deployment models—site to site, small office and home office—using access methods of Frame Relay, Internet T1s, cable and DSL; head-end redundancy and availability will be examined with IPSec only as well as IPSec and GRE tunnels; issues related to traffic load-balancing will also be reviewed

• Performance data from internal testing will be used to guide the attendee on selecting the appropriate product for the desired link speed and number of users; a section on verification and troubleshooting techniques is included, along with a review of common pitfalls and lessons learned from customer and internal Cisco deployments


Serialization Delay

• Prior to path MTU discovery, the IP maximum datagram size for 'off-net' traffic was 576 bytes

• TCP maximum segment size is the IP maximum datagram size minus 40 bytes (20 bytes IP header + 20 bytes TCP header): 576 – 40 = 536 bytes

• The MSS option only appears in TCP SYN segments; each end announces its MSS, and the values can differ by direction

interface Ethernet0
 ip address 10.81.3.17 255.255.255.248
 ip tcp adjust-mss 542


Crypto Engine QoS

• Crypto engine is a half duplex internal interface
• Must process packets from multiple full duplex I/O interfaces
• Same input queue for encryption or decryption
• LLQ for crypto engine designed to minimize voice latency/jitter
• Enabled by presence of CBWFQ service policy
• Two queues—Low Latency Queue and best effort
• Not a prerequisite to deploying voice over IPSec today
• Applicable as CPU speed increases and/or high % of large packets

Diagram: VoIP (V) and IP data (D) packets from the output interfaces pass through CBWFQ classification into the crypto engine's two queues, LLQ and best effort, and back to the output interface.


Displaying Hardware CE Input Queue Drop

7200VXR ISA/VAM
show pas isa int | include bulk_ring_full
show pas vam int | include ppq_full_err
Enq Fails = total input queue drops since counter cleared
Entries = number of packets queued at current time

2600/3600 AIM (KAOS)
debug crypto engine accelerator kaos stat
show crypto engine accelerator stat | include Enq fails

If the resulting value is high and/or increasing, the crypto engine is oversubscribed.


Anti-Replay Is Message Integrity

• Message integrity provided by ESP (Encapsulating Security Payload) authentication

• Defined in the IPSec transform-set

• Either by SHA-1 or MD5 HMAC (keyed-Hash Message Authentication Code)

crypto ipsec transform-set NOREPLAY esp-3des
crypto ipsec transform-set REPLAY esp-3des esp-sha-hmac
!
crypto map SKOOT 50 ipsec-isakmp
 set peer 192.168.3.1
 set transform-set REPLAY
 match address 101
!


IP Packet Fragmentation

• Fragmenting router process switches to fragment

• Fragmentation done after encryption, before decryption

• End station re-assembles, could be decrypting router

• Process switching and huge buffer (18024 bytes) to re-assemble

• Use path MTU discovery, manually set MTU or look-ahead fragmentation

show ip traffic | include fragmented

530194 fragmented, 0 couldn't fragment


IPSec Transport vs. Tunnel Mode

• Transport mode an option when IPSec and GRE peers terminate on the same router

• Tunnel mode selected for Cisco solution lab testing to provide worst case performance numbers

• Pre-fragmentation for IPSec VPN—12.1(11)E and 12.2(13)T
  Feature implemented for IPSec tunnel mode
  GRE supported in IPSec tunnel mode
  Not implemented for IPSec transport mode


Transport vs. Tunnel Size Delta for G.729 Packet

IPSec ESP Tunnel Mode: 136 bytes
  IPSec Hdr 20 | ESP Hdr 8 | ESP IV 8 | IP Hdr 20 | GRE 4 | IP Hdr 20 | UDP 8 | RTP 12 | Voice 20 | ESP Pad/NH 2–257 | ESP Auth 12

IPSec ESP Transport Mode: 120 bytes
  IP Hdr 20 | ESP Hdr 8 | ESP IV 8 | GRE 4 | IP Hdr 20 | UDP 8 | RTP 12 | Voice 20 | ESP Pad/NH 2–257 | ESP Auth 12


Data-over-Cable Service Interface Specifications (DOCSIS) 1.1

• Service Flow/Service Flow Identifier (SFID): service flows can be assigned a QoS parameter set with different characteristics

• Unsolicited Grant Service (UGS): allows a cable modem to send fixed amounts of data at a guaranteed rate; used for Voice over IP

• Classifiers: map VoIP and data traffic into the proper service flow

• Fragmentation: fragments larger data frames and interleaves them with VoIP

DOCSIS 1.1 positions the cable service providers to offer QoS-enabled services.


G.729 Packet Cable DOCSIS 1.0

Diagram: DOCSIS Header 6 bytes (FC, MAC_PARM, Length, E_HDR[*], HCS) | Ethernet Header 14 bytes (Destination MAC, Source MAC, Type/Length) | IPSec Packet 112 bytes (45 B8 ….. IP Packet—IPSec Encrypted) | Ethernet Trailer 4 bytes (CRC)

G.729 = 136 Bytes (54,400 bps); G.711 = 280 Bytes (112,000 bps)

[*] Assuming E_HDR (Extended Header) Length=0; Baseline Privacy adds 5 bytes
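The header arithmetic behind the 136, 120, 112 and 280 byte figures on this slide and the transport vs. tunnel mode slide before it, as an added example that is not from the session. It assumes a 3DES + SHA-1 HMAC transform set (8 byte IV, 8 byte cipher block, 12 byte ICV), 20 ms packetization (50 packets per second) and the DOCSIS framing above with E_HDR length 0.

```python
# Added example (not from the Cisco session): per-packet size of a VoIP packet
# after ESP, with and without GRE, in tunnel or transport mode, plus the DOCSIS
# 1.0 framing and the per-direction bit rate at 50 packets per second.

IP_HDR, UDP_HDR, RTP_HDR, GRE_HDR = 20, 8, 12, 4
ESP_HDR = 8            # SPI + sequence number
ESP_IV = 8             # IV for 3DES (assumption: esp-3des transform)
ESP_TRAILER = 2        # pad length + next header
ESP_AUTH = 12          # truncated SHA-1 or MD5 HMAC (esp-sha-hmac / esp-md5-hmac)
CIPHER_BLOCK = 8       # 3DES block size; plaintext + trailer is padded to this
DOCSIS_HDR, ETH_HDR, ETH_TRAILER = 6, 14, 4   # slide framing with E_HDR length 0
CODEC_PAYLOAD = {"g729": 20, "g711": 160}      # voice bytes per 20 ms sample
PACKETS_PER_SECOND = 50


def esp_packet_size(codec, mode="tunnel", gre=False):
    """Bytes on the wire for one voice packet after ESP, with a field breakdown."""
    inner = IP_HDR + UDP_HDR + RTP_HDR + CODEC_PAYLOAD[codec]   # original VoIP packet
    if gre:
        inner += GRE_HDR + IP_HDR           # GRE header + GRE delivery IP header
    if mode == "tunnel":
        protected, clear_ip = inner, IP_HDR            # new outer IP header is added
    elif mode == "transport":
        protected, clear_ip = inner - IP_HDR, IP_HDR   # outermost IP header stays in the clear
    else:
        raise ValueError(f"unknown mode {mode!r}")
    padded = -(-(protected + ESP_TRAILER) // CIPHER_BLOCK) * CIPHER_BLOCK
    pad = padded - protected - ESP_TRAILER
    total = clear_ip + ESP_HDR + ESP_IV + padded + ESP_AUTH
    return {"total": total, "pad": pad, "protected": protected}


def docsis_frame_size(ipsec_bytes):
    """Add the DOCSIS header, Ethernet header and Ethernet trailer from the slide."""
    return DOCSIS_HDR + ETH_HDR + ipsec_bytes + ETH_TRAILER


def bits_per_second(frame_bytes, pps=PACKETS_PER_SECOND):
    return frame_bytes * 8 * pps


if __name__ == "__main__":
    print("G.729 tunnel+GRE   ", esp_packet_size("g729", "tunnel", gre=True)["total"])
    print("G.729 transport+GRE", esp_packet_size("g729", "transport", gre=True)["total"])
    for codec in ("g729", "g711"):
        frame = docsis_frame_size(esp_packet_size(codec)["total"])
        print(codec, "DOCSIS frame", frame, "bytes", bits_per_second(frame), "bps")
```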


Chariot™—SAA—Agilent™ Comparison, DSL 256K/1.4M

ISP added delay range of 0–60 ms

Direction        Chariot RFC1889 Jitter   SAA Computed Jitter   Chariot One-Way Delay   Agilent One-Way Delay
Branch -> Head   9.5 ms                   6.9 ms                62 ms                   230 ms
Head -> Branch   2.5 ms                   4.4 ms                25 ms                   135 ms
Branch -> Head   10.3 ms                  7.4 ms                93 ms                   274 ms
Head -> Branch   2.1 ms                   4.7 ms                54 ms                   230 ms

Chariot delay is LAN to LAN; Agilent delay is ear to mouth.


Small/Medium Branch Performance, Converged Traffic, QoS-Enabled

Product   VPN HW Accel   # of G.729 Calls   Bi-Dir Voice Mbps   Bi-Dir Data Mbps   Total CPU   Average End-to-end Latency* (ms)   Max Line Rate   Limiting Factor
831       HIFN79xx       3                  360                 452                59%         18                                 512k            Latency
1751      VPN            7                  784                 1025               73%         26                                 1280k           CPU
1760      VPN            9                  1008                1075               73%         22                                 T1              CPU
2651XM    AIM-EP         9                  1008                1356               68%         22                                 T1              CPU

* End-to-end latency through the network, incl. head-end, WAN and branch. 1721 performance not evaluated; expected similar to 1751.


GRE and Split Tunneling

Diagram: branch LAN 10.x.x.0/24 and head-end LAN 10.x.y.0/24 joined by IPSec/GRE tunnels (tunnel network 10.x.z.0/30); loopback interfaces and WAN interfaces are addressed with a 'registered' address X.X.X.X.

Cisco IOS routes the packet; if the output interface has a crypto map and the packet matches the ACL in the map, it encrypts the packet; otherwise it sends it in the clear. In the case of GRE, if the route isn't through the GRE tunnel, packets will be forwarded un-encrypted.

Common misconception: that configuring GRE tunnels precludes using 'split' tunneling.


IKE Keepalive/Dead Peer Detection

• DPD will send an IKE keepalive packet to the peer if no data is seen from the peer during the keepalive interval

• When configured with GRE and EIGRP (5 second hello interval), DPD "are you there" should never be sent

• If they are being sent, you are losing EIGRP hello packets also; look at show ip eigrp neighbors for hold times below multiples of the hello interval

Jan 16 12:56:51 : ISAKMP (0:1): more than 10 seconds since last inbound data. Sending DPD.
Jan 16 12:56:51 : ISAKMP (0:1): DPD Sequence number 0x704EABCB
Jan 16 12:56:51 : ISAKMP (0:1): sending packet to 141.158.245.134 (R) QM_IDLE
Jan 16 12:56:51 : ISAKMP (0:1): received packet from 141.158.245.134 (R) QM_IDLE
Jan 16 12:56:51 : ISAKMP (0:1): processing HASH payload. messageID = -1667280517
Jan 16 12:56:51 : ISAKMP (0:1): processing NOTIFY R_U_THERE_ACK protocol 1
        spi 0, message ID = -1667280517, sa = 82D66828
Jan 16 12:56:51 : ISAKMP (0:1): DPD/R_U_THERE_ACK received from peer 141.158.245.134, sequence…
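Two checks behind the hello/DPD relationship above and the show ip eigrp neighbors output on the Availability/Redundancy slide, as an added example that is not from the session. It assumes the 5 second hello and the EIGRP default 15 second hold time, so a healthy neighbor's hold counter sits between 10 and 15 and anything lower means a lost hello; both sample outputs are constructed in the formats the slides show.

```python
# Added example (not from the Cisco session): flag EIGRP neighbors whose hold
# counter shows a lost hello, and count DPD "are you there" probes per peer
# from ISAKMP debug output. Both should stay quiet on a healthy GRE/IPSec tunnel.
import re

HELLO_INTERVAL = 5     # seconds, the hello interval the slide states
HOLD_TIME = 15         # seconds, EIGRP default (assumption: hold = 3 x hello)

# Constructed sample in the 'show ip eigrp neighbors' format (Tu1 has missed a hello).
EIGRP_NEIGHBORS = """\
Branch#show ip eigrp neighbors
IP-EIGRP neighbors for process 44
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq Type
                                        (sec)         (ms)       Cnt Num
1   10.0.101.2              Tu1            4 5w0d       92  5000  0  23
0   10.0.100.2              Tu0           12 5w0d      152  5000  0  26
"""

# Constructed sample of ISAKMP debug lines in the format shown on the slide.
ISAKMP_DEBUG = """\
Jan 16 12:56:51 : ISAKMP (0:1): more than 10 seconds since last inbound data. Sending DPD.
Jan 16 12:56:51 : ISAKMP (0:1): DPD Sequence number 0x704EABCB
Jan 16 12:56:51 : ISAKMP (0:1): sending packet to 141.158.245.134 (R) QM_IDLE
Jan 16 12:56:51 : ISAKMP (0:1): received packet from 141.158.245.134 (R) QM_IDLE
Jan 16 12:56:51 : ISAKMP (0:1): processing NOTIFY R_U_THERE_ACK protocol 1
Jan 16 12:57:02 : ISAKMP (0:2): more than 10 seconds since last inbound data. Sending DPD.
Jan 16 12:57:02 : ISAKMP (0:2): sending packet to 141.158.245.135 (R) QM_IDLE
"""

NEIGHBOR_ROW = re.compile(r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+")
DPD_SENT = re.compile(r"Sending DPD")
DPD_TARGET = re.compile(r"sending packet to (\d+\.\d+\.\d+\.\d+)")


def neighbors_missing_hellos(show_output, hello=HELLO_INTERVAL, hold=HOLD_TIME):
    """Return (address, interface, hold) for neighbors that have lost at least one
    hello: the counter resets to hold on every hello, so it never drops below
    hold - hello while hellos are arriving on time."""
    flagged = []
    for line in show_output.splitlines():
        m = NEIGHBOR_ROW.match(line)
        if not m:
            continue
        _h, address, interface, hold_left = m.groups()
        if int(hold_left) < hold - hello:
            flagged.append((address, interface, int(hold_left)))
    return flagged


def dpd_probes_by_peer(debug_output):
    """Count DPD probes per peer; the peer is named on the next 'sending packet to' line."""
    counts = {}
    pending = False
    for line in debug_output.splitlines():
        if DPD_SENT.search(line):
            pending = True
            continue
        m = DPD_TARGET.search(line) if pending else None
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
            pending = False
    return counts


if __name__ == "__main__":
    print("neighbors with lost hellos:", neighbors_missing_hellos(EIGRP_NEIGHBORS))
    print("DPD probes per peer:", dpd_probes_by_peer(ISAKMP_DEBUG))
```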


SRST for the Small/Home Office

!
voice-port 2/0
 connection plar 23685
 description My Home Phone Line
!
!
dial-peer voice 45 pots
 destination-pattern 9
 port 2/0
!
call-manager-fallback
 ip source-address 10.81.2.1 port 2000
 max-ephones 2
 max-dn 2
 access-code fxo 9

Diagram: IP phone (extension 2-3685) behind a 1751-V (10.81.2.1) with a VIC-2FXO=, a VPN to the central site (shown down) and a POTS line.

Note! Cisco 1751 and 1760 routers do not come with a PVDM installed and cannot operate VICs unless a PVDM is also installed; the 1751-V and 1760-V products are shipped with PVDMs.

The IP phone must initially register with Call Manager, but can place and receive calls via the POTS line if the VPN is down.


AES—Advanced Encryption Standard(Rijndael)

• AES in software is much faster than 3DES in software, because the crypto algorithm itself accounts for the majority of the total elapsed time

• AES in hardware is also much faster than 3DES, but the total throughput difference is small—the amount of time spent in the hardware accelerator is trivial compared to the overhead of getting the packets into and out of the crypto engine

Until AES Is Supported in Hardware Crypto Accelerators on All Routers in the Customer Deployment—Cannot Recommend AES for Voice Enabled IPSec VPNs

Issues for Voice-Enabled IPSec DMVPN

• DMVPN simplifies head-end configuration

• Designs must consider the practical number of routing protocol neighbors

• Requirement to advertise summary routes to spokes

• CEF and DMVPN require feature enhancements for VoIP deployments


Crypto Maps—Cisco IOS 12.2(13)T and Later

• Beginning 12.2(13)T—presence of a crypto map on an interface means “encrypt” then “encapsulate” for the interface

• For packets to be encrypted, they must be routed out the interface and match the ACL in the crypto map

• For GRE, configs with crypto map on both the tunnel and physical interface still work—with ‘permit gre’ in the ACL, the packets will be encapsulated in GRE, encrypted, then encapsulated with the layer 2 header
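To make that order of operations concrete, here is an added model of the egress path (my code, not Cisco's or IOS code): GRE encapsulation on the tunnel interface first, then the crypto map ACL on the exit interface decides whether the packet is encrypted, then the Layer 2 header is added. It assumes first-match ACL evaluation with an implicit deny, that the IPsec peers are the GRE tunnel endpoints, and it does not model the ESP outer header beyond the ordering; all addresses are constructed. The second case shows why the ACL has to say permit gre: an ACL written against the inner voice subnets does not match the GRE packet the physical interface sees, so in this model the packet leaves unencrypted.

```python
"""Added example: model of the 12.2(13)T crypto map order of operations for
GRE over IPsec. Not IOS code; addresses are constructed (RFC 5737 ranges)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                            # "udp", "gre", "esp", ...
    inner: Optional["Packet"] = None      # the encapsulated packet, if any


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol, otherwise an exact protocol name
    src: str      # "any" or a network in CIDR form (host entries are /32)
    dst: str


def _net_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First-match evaluation with an implicit deny at the end, as in an IOS ACL."""
    for e in acl:
        if (e.proto == "ip" or e.proto == pkt.proto) and _net_match(e.src, pkt.src) and _net_match(e.dst, pkt.dst):
            return e.action == "permit"
    return False


def gre_encapsulate(pkt: Packet, tunnel_src: str, tunnel_dst: str) -> Packet:
    """Tunnel interface step: the outer header carries the tunnel endpoints."""
    return Packet(tunnel_src, tunnel_dst, "gre", inner=pkt)


def egress(pkt: Packet, tunnel: Optional[Tuple[str, str]],
           crypto_acl: Optional[List[AclEntry]]) -> Tuple[List[str], Packet]:
    """Return the list of encapsulation steps applied and the resulting packet.

    Order modelled: GRE (if routed via a tunnel) -> encrypt (if the crypto map
    ACL on the exit interface permits the packet as it now looks) -> Layer 2."""
    steps: List[str] = []
    if tunnel is not None:
        pkt = gre_encapsulate(pkt, *tunnel)
        steps.append("gre")
    if crypto_acl is not None and acl_permits(crypto_acl, pkt):
        # Assumption: IPsec peers equal the tunnel endpoints, so the ESP outer
        # addresses are simply carried over from the packet being protected.
        pkt = Packet(pkt.src, pkt.dst, "esp", inner=pkt)
        steps.append("esp")
    steps.append("l2")
    return steps, pkt


# Constructed inputs: an RTP packet between two voice subnets, a GRE tunnel
# between two documentation addresses, and two candidate crypto ACLs.
VOICE = Packet("10.1.1.10", "10.2.2.10", "udp")
TUNNEL = ("192.0.2.1", "198.51.100.1")
GRE_ACL = [AclEntry("permit", "gre", "192.0.2.1/32", "198.51.100.1/32")]
INNER_ACL = [AclEntry("permit", "ip", "10.1.1.0/24", "10.2.2.0/24")]


def demo() -> Dict[str, List[str]]:
    return {
        "permit_gre": egress(VOICE, TUNNEL, GRE_ACL)[0],      # GRE, then ESP, then L2
        "permit_inner": egress(VOICE, TUNNEL, INNER_ACL)[0],  # GRE packet never matches: no ESP
        "no_tunnel": egress(VOICE, None, INNER_ACL)[0],       # plain IPsec: ESP, then L2
    }


if __name__ == "__main__":
    for name, steps in demo().items():
        print(f"{name}: {' -> '.join(steps)}")
```

The returned packet structure (ESP around GRE around the original UDP packet) is the same nesting the slide describes, and the no_tunnel case shows the ordinary crypto map behaviour on the same interface for comparison.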
