Presentation_ID
Cisco Confidential
Mike Sullenberger
Distinguished Engineer, Cisco
Polling Question 1
What type of IPSec VPN network have you recently worked on, designed or wanted to design?
A. EzVPN
B. DMVPN
C. GETVPN
D. Not sure which to use
Polling 1 Result
Agenda
Cisco IPsec VPN Technologies
What is DMVPN?
Scaling DMVPN
DMVPN network topologies
DMVPN
Peer-to-Peer Protection
Hub-Spoke and Dynamic Mesh Site-to-Site
Public, Internet IP Transport
Large Scale (10,000+, 3000+)
Replace, Alternate, Backup for Private/Public WAN
Get VPN
Group Protection
Any-to-Any (Full-Mesh) Site-to-Site
Private IP Transport
Medium Scale (3000-4000)
Encryption for MPLS and Private WAN
Where to Use
DMVPN
Dynamic Routing on Tunnel Network
Active-Active and Load Balancing via Routing
Distributed Dynamic Tunnels
Aggregate (Per-Tunnel Hub-Spoke)
Multicast Replication at Hub
Get VPN
Dynamic Routing on IP WAN
Route Distribution Model + Stateful
Centralized Key (Group) Management
Same as Without Encryption
Multicast Replication in IP WAN Network
Configuration
QoS
Centralized
Per Peer Multicast Replication at Hub
IP Multicast
Dynamic spoke-spoke tunnels for scaling partial/full mesh VPNs
Can be used without IPsec Encryption
Works with MPLS; GRE tunnels and/or data packets in VRFs and MPLS switching over the tunnels
QoS - Aggregate; Static/Manual per-tunnel
Transparent to most data packet level features
Wide variety of network designs and options
Presentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
DMVPN Phases
Phase 1
Hub-and-spoke only functionality
Supported from 12.3(8), 12.3(7)T, ASR Release 3
Supported on all platforms*
Phase 2
Dynamic spoke-spoke functionality
Supported from 12.3(8), 12.3(7)T, ASR Release 3
Supported on all platforms*
Phase 3
Dynamic spoke-spoke functionality
Removes some restrictions and complexities of Phase 2
Allows greater variety of DMVPN network designs
Supported from 12.4(6)T, ASR Release 5
Supported on all platforms* except Cat6500
Hub Placement
Data plane aggregation point - Enterprise
Usually place for data traffic patterns
May be in multiple locations
Example: Data Center
2. Encryption throughput
Spoke-hub traffic
Some spoke-spoke traffic
Multicast traffic
Replication on hub
Multiplication factor: 256 Kbps stream × 200 spokes = 51.2 Mbps
Spoke
Encryption throughput
Spoke-hub and spoke-spoke traffic
Polling Question 2
What is your preferred routing protocol to use over DMVPN?
A. EIGRP
B. OSPF
C. RIP/RIP Passive
D. iBGP or eBGP
E. Not sure which to use
Polling 2 Result
[Chart: hub platform (7200/6500/3945e, ASR) by Number of Branches (500, 1000, 1500, 2000+). Labels: SLB design using EIGRP or RIPv2 Passive; BGP using Route Reflector router farm; RIPv2; ODR; Preferred]
[Chart: how many peers each DMVPN hub can terminate with RIPv2 and with EIGRP, by platform (7200, 6500, ASR1000; 7200/6500 and ASR1000), against Number of Branches (500, 1000, 1500, 2000+). Label: Preferred]
[Chart: IMIX Throughput, 70% Max CPU (axis: 500 M, 1.0 G, 1.5 G, 2.0 G), by hub design and platform]
SLB Design: Crypto and mGRE terminated on same device. Throughput N x Hub Platform
ASR
Multi-Tier Design: Crypto terminated on 6500/SPA and mGRE terminated on 7200 (Ph1 or Ph3)
6500 with IPsec SPA as crypto headend or spoke device (DMVPN Ph1 or Ph2)
7200 G2/VSA
3945e
7200/G2 VAM2+
Not recommended without AS support
Polling Question 3
For what type of business do you need a DMVPN design?
A. Small/Medium Business
B. Large Business
C. Home Office - Work Access
D. Franchise/Point-of-Sale/ATM
E. Extranet
F. ISP
Polling 3 Result
Network Virtualization
VRF-lite: DMVPN per VRF
2547oDMVPN: MPLS (VPNs) over Single DMVPN
Network Designs
Spoke-to-spoke (Phase 2)
VRF-lite
Hierarchical (Phase 3)
2547oDMVPN
Large Business
DMVPN Phase 3 hierarchical layer design
Dial backup, multiple ISP connections, VRF for non-split-tunneling and group separation
1000-2000 spokes, with dynamic spoke-spoke tunnels
Extranet
DMVPN Phase 1 hub-and-spoke design
No spoke-spoke, not even via the hub (using ACLs)
Probably <1000 spokes
ISP
DMVPN Phase 3 or SLB designs, MPLS (2547oDMVPN), VRFs
Hub-and-spoke and spoke-spoke networks
Different size networks (number of spokes), but also supporting many DMVPN networks on the same set of hub routers
Recommended Releases
17xx, 26xx, 36xx, 37xx, 720x(NPE-G1), 7301:
IOS 12.4 Mainline: 12.4(23)b, 12.4(25)b
IOS 12.4 T-train: 12.4(9)T7, 12.4(15)T14, 12.4(24)T4
Resources
Web pages
http://www.cisco.com/go/dmvpn
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper09186a008018983e.shtml
Q&A