Click here to load reader

Cisco IPsec VPN WAN Design Overview

  • View
    2.803

  • Download
    5

Embed Size (px)

Text of Cisco IPsec VPN WAN Design Overview

IPsec VPN WAN Design OverviewOL-9021-01

Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100

ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.

CCVP, the Cisco Logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar, Packet, PIX, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0612R)IPsec VPN WAN Design Overview 2007 Cisco Systems, Inc. All rights reserved.

CONTENTSIntroduction 7 Target Audience 9 Scope of Work 9 Design Guide Structure

9

IP Security Overview 10 Introduction to IPsec 10 Tunneling Protocols 11 IPsec Protocols 11 Encapsulating Security Protocol 11 Authentication Header (AH) 12 Using ESP and AH Together 13 IPsec Modes 13 Tunnel Mode 13 Transport Mode 14 Internet Key Exchange 15 Security Association 15 IKE Phase One 15 IKE Phase Two 17 Fragmentation Issues 18 Setting MTU on Client and Server Network Interface Cards Path MTU Discovery 20 Interface MTU 20 Look Ahead Fragmentation 20 TCP Maximum Segment Size 20 Why Customers Deploy IPsec VPNs 21 Business Drivers 21 Bandwidth 21 Cost Reduction 21 Security 22 Deployment Flexibility 22 Resiliency 22 Customer Requirements 22 Encryption 22 IKE Authentication 23 Quality of Service 23

19

IPsec VPN WAN Design Overview OL-9021-01

iii

Contents

Interface Level 23 Connection or Session Level 24 IP Multicast 25 Non-IP Protocols 25 Routing 25 Dynamically Addressed Remotes 25 High Availability 26 Headend Failure 26 Site Failure 26 Branch Office Failure 26 Stateful versus Stateless Failover 27 Integrated Security 27 Dynamic Meshing 27 Scalability 28 Provisioning and Management 28 Understanding the Technologies 28 Touchless Provisioning 28 Ongoing Management 29 Service Provider 29 Design Selection 29 IPsec Direct Encapsulation Design 29 Design Overview 30 Advantages 31 Disadvantages 31 Most Common Uses 31 Point-to-Point GRE over IPsec Design 31 Headend ArchitectureSingle Tier Headend versus Dual Tier Headend Design Overview 32 Advantages 33 Disadvantages 34 Most Common Uses 34 Dynamic Multipoint VPNHub-and-Spoke Topology Design 34 Headend ArchitectureSingle Tier Headend versus Dual Tier Headend Design Overview 36 Advantages 37 Disadvantages 37 Most Common Uses 37 Dynamic Multipoint VPNSpoke-to-Spoke Topology Design 38 Design Overview 38 Advantages 39IPsec VPN WAN Design Overview

32

35

iv

OL-9021-01

Contents

Disadvantages 39 Most Common Uses 40 Virtual Tunnel Interface Design 40 Design Overview 40 Advantages 42 Disadvantages 42 Most Common Uses 42 Design Comparison 43 Major Feature Support 43 Platform Support 43 Selecting a Design 44 Scaling a Design 45 Critical Scalability Criteria 45 Number of Branch Offices 45 Connection Speeds 46 IPsec Throughput 46 Routing Peers 48 Quality of Service 48 High Availability 48 IP Multicast 49 Internet Access Strategy 49 Integrated Services 50 Appendix AEvaluating Design Scalability Test Methodology 51 Traffic Mix 51 Finding Limits 52 Conservative Results 52 Cisco Platforms Evaluated 53 Appendix CAcronyms54 51

Appendix BReferences and Recommended Reading

54

IPsec VPN WAN Design Overview OL-9021-01

v

Contents

IPsec VPN WAN Design Overview

vi

OL-9021-01

IPsec VPN WAN Design OverviewThis design guide defines the comprehensive functional components that are required to build a site-to-site virtual private network (VPN) system in the context of enterprise wide area network (WAN) connectivity. This design overview defines, at a high level, the available design choices for building an IPsec VPN WAN, and describes the factors that influence the choice. Individual design guides provide more detailed design and implementation descriptions for each of the major design types. This design overview is part of an ongoing series that addresses VPN solutions using the latest VPN technologies from Cisco, and based on practical design principles that have been tested to scale.

IntroductionThis document serves as a design guide for those intending to deploy a site-to-site VPN based on IP Security (IPsec). The designs presented in this document focus on Cisco IOS VPN router platforms. The primary topology described in this document is a hub-and-spoke design, where the primary enterprise resources are located in a large central site, with a number of smaller sites or branch offices connected directly to the central site over a VPN. A high-level diagram of this topology is shown in Figure 1.

Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

Copyright 2006 Cisco Systems, Inc. All rights reserved.

Introduction

Figure 1

Hub-and-Spoke VPN Topology

Medium Branch Offices

Central Site

Small Branch Offices

Internet

Corporate Network132161

Large Branch Offices

The introduction of dynamic multipoint VPN (DMVPN) makes a design with hub-and-spoke connections feasible, as well as the ability to create temporary connections between spoke sites using IPsec encryption. This topology is shown in Figure 2.Figure 2 DMVPN Spoke-to-Spoke VPN Topology

Branches Central Site

Internet

Corporate Network

Branches

Hub-and-spoke tunnel Spoke-to-spoke tunnel

IPsec VPN WAN Design Overview

8

132162

OL-9021-01

Introduction

This design guide begins with an overview of various VPN solutions, followed by critical selection criteria as well as a guide to scaling a solution. Finally, a platform overview is presented.

Target AudienceThis design guide is targeted at systems engineers to provide guidelines and best practices for customer deployments.

Scope of WorkThe following design topologies are currently within the scope of this design guide:

IPsec Direct Encapsulation Point-to-Point (p2p) Generic Route Encapsulation (GRE) over IPsec Dynamic Multipoint VPN (DMVPN) Virtual Tunnel Interface (VTI) Dead Peer Detection (DPD) Reverse Route Injection (RRI) Internet Key Exchange (IKE) authentication using digital signatures or certificates Cisco VPN routers running Cisco IOS EIGRP and OSPF as dynamic Interior Gateway Protocol (IGP) routing protocols across the VPN Quality of service (QoS) and Voice and Video Enabled IPsec VPN (V3PN) Hot Standby Routing Protocol (HSRP) and Stateful Switchover (SSO) as appropriate for high availability IP multicast services over the VPN

The following major features and services are currently within the scope of this design guide:

The following features and services are currently outside the scope of this design overview and the design guides it provides:

Easy VPN authentication and design topology Cisco non-IOS platforms including PIX Series and VPN3000 Series Remote access applications (client-based) Layer 2 tunneling protocols such as Layer 2 Tunneling Protocol (L2TPv3), Point-to-Point Tunneling Protocol (PPTP), and WebVPN (SSL/TLS VPNs) MPLS-based VPNs Network Management

Design Guide StructureThis design overview is part of a series of design guides, each based on different technologies for the IPsec VPN WAN architecture. (See Figure 3.) Each technology uses IPsec as the underlying transport mechanism for each VPN.

IPsec VPN WAN Design Overview OL-9021-01

9

IP Security Overview

Figure 3

IPsec VPN WAN Design Guides

IPsec VPN WAN Design Overview (OL-9021-01) Topologies IPsec Direct Encapsulation Design Guide (OL-9022-01) Service and Specialized Topics IPsec VPN Redundancy and Load Sharing Design Guide (OL-9025-01) Voice