Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications

Similar documents
Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications

Cisco Group Encrypted Transport VPN

GRE and DM VPNs. Understanding the GRE Modes Page CHAPTER

Scalability Considerations

Migrating from Dynamic Multipoint VPN Phase 2 to Phase 3: Why and How to Migrate to the Next Phase

Managing Site-to-Site VPNs: The Basics

Managing Site-to-Site VPNs

Managing Site-to-Site VPNs: The Basics

Cisco Service Advertisement Framework Deployment Guide

Scalability Considerations

A-B I N D E X. backbone networks, fault tolerance, 174

SCALABLE DMVPN DESIGN AND IMPLEMENTATION GUIDE

LARGE SCALE DYNAMIC MULTIPOINT VPN

DMVPN for R&S CCIE Candidates Johnny Bass CCIE #6458

DMVPN for R&S CCIE Candidates

IWAN Security for Remote Site Direct Internet Access and Guest Wireless

HUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN HUAWEI TECHNOLOGIES CO., LTD. Issue 1.1. Date

WAN Edge MPLSoL2 Service

Virtual Private Networks Advanced Technologies

Virtual Private Networks Advanced Technologies

SD-WAN Deployment Guide (CVD)

Cisco Virtual Office High-Scalability Design

Point-to-Point GRE over IPsec Design Guide

Flexible Dynamic Mesh VPN draft-detienne-dmvpn-00

Deploying and Administering Cisco s Digital Network Architecture (DNA) and Intelligent WAN (IWAN) (DNADDC)

Dynamic Multipoint VPN Configuration Guide, Cisco IOS Release 15M&T

VPN World. MENOG 16 Istanbul-Turkey. By Ziad Zubidah Network Security Specialist

Cisco 5921 Embedded Services Router

1- and 2-Port Fast Ethernet High-Speed WIC for Cisco Integrated Services Routers

Cisco Cable High-Speed WAN Interface Cards

IPsec Direct Encapsulation VPN Design Guide

MPLS опорни мрежи MPLS core networks

Enterprise. Nexus 1000V. L2/L3 Fabric WAN/PE. Customer VRF. MPLS Backbone. Service Provider Data Center-1 Customer VRF WAN/PE OTV OTV.

Cisco ASR 1000 Series Aggregation Services Routers: QoS Architecture and Solutions

Cisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13

Implementing Cisco IP Routing (ROUTE)

VPN Cloud. Mako s SD-WAN Technology

VeloCloud Cloud-Delivered WAN Fast. Simple. Secure. KUHN CONSULTING GmbH

Intelligent WAN Design Summary

Cisco 4-Port ISDN BRI S/T High-Speed WAN Interface Card

Dynamic Multipoint VPN (DMVPN) Deployment Models

FUNDAMENTAL ROUTING CONCEPTS

Cisco Security Manager 4.1: Integrated Security Management for Cisco Firewalls, IPS, and VPN Solutions

Building Service-Aware Networks

How Cisco ASR 1000 Enables Cisco Business Strategies by Providing Capacity and Resiliency for Collaborative Applications

IP Addressing: NHRP Configuration Guide

Cisco IOS Software Release 15M&T Q&A

Hillstone IPSec VPN Solution

Intelligent WAN Multiple VRFs Deployment Guide

IOS/CCP: Dynamic Multipoint VPN using Cisco Configuration Professional Configuration Example

MPLS in the DCN. Introduction CHAPTER

Setting Up OER Network Components

How Cisco IT Simplified Network Growth with EIGRP

Securizarea Calculatoarelor și a Rețelelor 32. Tehnologia MPLS VPN

PassTorrent. Pass your actual test with our latest and valid practice torrent at once

REFERENCE NETWORK ARCHITECTURE

Enterprise SD-WAN Financial Profile (Hybrid WAN, Segmentation, Quality of Service, Centralized Policies)

How to Configure a Hybrid WAN in Parallel to An Existing Traditional Wan Infrastructure

ARCHIVED DOCUMENT. - The topics in the document are now covered by more recent content.

CCIE Routing & Switching

Adaptive QoS over DMVPN

VPN WAN. Technology Design Guide

CVP Enterprise Cisco SD-WAN Retail Profile (Hybrid WAN, Segmentation, Zone-Based Firewall, Quality of Service, and Centralized Policies)

Introducing Campus Networks

IT114 NETWORK+ Learning Unit 1 Objectives: 1, 2 Time In-Class Time Out-Of-Class Hours 2-3. Lectures: Course Introduction and Overview

MPLS VPN Carrier Supporting Carrier Using LDP and an IGP

Configuring MPLS and EoMPLS

MPLS VPN Carrier Supporting Carrier Using LDP and an IGP

Cisco Integrated Services Virtual Router

Optimized Edge Routing Configuration Guide, Cisco IOS Release 15.1MT

Configuring Virtual Private LAN Services

Intelligent WAN Deployment Guide

Exam: Title : Routing & Switching Exam (RSS) Ver :

WAN Technology & Design. Dr. Nawaporn Wisitpongphan

90 % of WAN decision makers cite their

FlexVPN HA Dual Hub Configuration Example

CCNA. Course Catalog

From Zero Touch Provisioning to Secure Business Intent

Exam Questions

Multicast Technology White Paper

Dynamic Multipoint VPN Configuration Guide

Zero To Hero CCIE CCNP

Chapter 5. Enterprise Data Center Design

Advanced Concepts of DMVPN (Dynamic Multipoint VPN)

BTEC Level 3 Extended Diploma

PREREQUISITES TARGET AUDIENCE. Length Days: 5

Cisco Performance Routing

THE MPLS JOURNEY FROM CONNECTIVITY TO FULL SERVICE NETWORKS. Sangeeta Anand Vice President Product Management Cisco Systems.

Cisco 5921 Embedded Services Router

Cisco Catalyst 6500 Series VPN Services Port Adapter

MPLS over GRE. Finding Feature Information. Prerequisites for MPLS VPN L3VPN over GRE

IPv6 over DMVPN. Finding Feature Information

CCIE Route & Switch Written (CCIERSW) 1.0

DYNAMIC MULTIPOINT VPN SPOKE TO SPOKE DIRECT TUNNELING

Network Capacity Expansion System

Voice of the Customer First American Title SD-WAN Transformation

Cisco IOS IPv6. Cisco IOS IPv6 IPv6 IPv6 service provider IPv6. IPv6. data link IPv6 Cisco IOS IPv6. IPv6

MASERGY S MANAGED SD-WAN

Network Design with latest VPN Technologies

QUESTION: 1 You have been asked to establish a design that will allow your company to migrate from a WAN service to a Layer 3 VPN service. In your des

Transcription:

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications Product Overview Cisco Dynamic Multipoint VPN (DMVPN) is a Cisco IOS Software-based security solution for building scalable enterprise VPNs that support distributed applications such as voice and video (Figure 1). Cisco DMVPN is widely used to combine enterprise branch, teleworker, and extranet connectivity. Major benefits include: On-demand full mesh connectivity with simple hub-and-spoke configuration Automatic IP Security (IPsec) triggering for building an IPsec tunnel Zero-touch deployment for adding remote sites Reduced latency and bandwidth savings Figure 1. Cisco Dynamic Multipoint VPN Cisco DMVPN can be deployed in conjunction with Cisco IOS Firewall and Cisco IOS IPS, as well as quality of service (QoS), IP Multicast, split tunneling, and routing-based failover mechanisms. Large-scale, highly available Cisco DMVPN deployments are made possible by load balancing multiple Cisco DMVPN hubs. Applications Cisco DMVPN is the preferred solution for organizations requiring encrypted WAN connectivity between remote sites. Factors include the cost-driven use of the Internet to replace or provide backup for private leased lines and Frame Relay links, and regulatory pressures requiring encryption of private WAN links. Medium-sized and large enterprises: In industries such as finance, insurance, or retail, numerous sites are typically connected to the corporate headquarters. Critical applications such as bank ATMs and point of sale (POS) machines are deployed over these connections. Cisco DMVPN allows these sites to connect over the Internet, providing privacy and data integrity while meeting the performance requirements of business-critical applications. Enterprise small office/home office (SOHO): Cisco DMVPN provides enhanced integration with QoS that can be used to support both voice and data for employees accessing the network from a SOHO environment. 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 6

Enterprise extranet: Large enterprises frequently require connectivity to many business partners. Cisco DMVPN can be used to secure traffic between the enterprise and various partner sites, providing network segregation by helping to ensure that no spoke-to-spoke traffic is allowed, even through the hub. Enterprise WAN connectivity backup: Cisco DMVPN can be used as a backup solution for private WANs, allowing remote sites to connect securely to the enterprise head-office over Internet links. Service provider VPN services: Cisco DMVPN enables service providers to offer managed VPN services. Traffic from multiple customers can be aggregated in a single provider edge router, and kept isolated using features such as Virtual Routing and Forwarding (VRF). Deployment Scenarios Cisco DMVPN can be deployed in two ways: Hub-and-spoke deployment model: In this traditional topology, remote sites (spokes) are aggregated into a headend VPN device at the corporate headquarters (hub). Traffic from any remote site to other remote sites would need to pass through the headend device. Cisco DMVPN supports dynamic routing, QoS, and IP Multicast while significantly reducing the configuration effort. Figure 2 shows a hub-and-spoke model. Figure 2. Cisco DMVPN Hub-and-Spoke Deployment Model Spoke-to-spoke deployment model: Cisco DMVPN allows the creation of a full-mesh VPN, in which traditional hub-and-spoke connectivity is supplemented by dynamically created IPsec tunnels directly between the spokes. With direct spoke-to-spoke tunnels, traffic between remote sites does not need to traverse the hub; this eliminates additional delays and conserves WAN bandwidth. Spoke-to-spoke capability is supported in a single-hub or multihub environment. Multihub deployments provide increased spoke-to-spoke resiliency and redundancy. Figure 3 shows a spoke-to-spoke model. Figure 3. Cisco DMVPN Spoke-to-Spoke Deployment Model 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 2 of 6

The 80:20 traffic rule can be used to determine which model to use: If 80 percent or more of the traffic from the spokes are directed into the hub network itself, deploy the huband-spoke model. If more than 20 percent of the traffic is meant for other spokes, consider the spoke-to-spoke model. For networks with a high volume of IP Multicast traffic, the hub-and-spoke model is usually preferred. Architecture Medium-sized and large-scale site-to-site VPN deployments require support for advanced IP network services such as: IP Multicast: Required for efficient and scalable one-to-many (i.e., Internet broadcast) and many-to-many (i.e., conferencing) communications, and commonly needed by voice, video, and certain data applications Dynamic routing protocols: Typically required in all but the smallest deployments or wherever static routing is not manageable or optimal QoS: Mandatory to ensure performance and quality of voice, video, and real-time data applications Traditionally, supporting these services required tunneling IPsec inside protocols such as Generic Route Encapsulation (GRE), which introduced an overlay network, making it complex to set up and manage, and limiting the scalability of the solution. Indeed, traditional IPsec only supports IP Unicast, making it inefficient to deploy applications that involve one-to-many and many-to-many communications. Cisco DMVPN combines GRE tunneling and IPsec encryption with Next-Hop Resolution Protocol (NHRP) routing in a manner that meets these requirements while reducing the administrative burden (Figure 4). Figure 4. Cisco DMVPN Architecture Key components include: Multipoint GRE (mgre) tunnel interface: Allows a single GRE interface to support multiple IPsec tunnels, simplifying the size and complexity of the configuration. Dynamic discovery of IPsec tunnel endpoints and crypto profiles: Eliminates the need to configure static crypto maps defining every pair of IPsec peers, further simplifying the configuration. NHRP: Allows spokes to be deployed with dynamically assigned public IP addresses (i.e., behind an ISP s router). The hub maintains an NHRP database of the public interface addresses of the each spoke. Each spoke registers its real address when it boots; when it needs to build direct tunnels with other spokes, it queries the NHRP database for real addresses of the destination spokes. 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 3 of 6

Features and Benefits Table 1 lists the features and benefits of Cisco DMVPN. Table 1. Feature Cisco DMVPN Features and Benefits Description and Benefit Dynamic Routing over VPN Reduced Configuration Overhead Zero-Touch Deployment Dynamic Spoke-to-Spoke Tunnels Dynamic Addressing for Spoke Routers Network Address Translation (NAT) Traversal IP Multicast Support QoS Support High Availability Scalability Manageability VRF Awareness Multiprotocol Label Switching (MPLS) Support (2547oDMVPN) Enables IP routing tables to be securely distributed between the branch site and the corporate headend over encrypted tunnels. Allows improved reachability without needing to manually define allowed routes. Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP) routing protocols are supported. DMVPN eliminates the need to configure crypto maps tied to the physical interface, dramatically simplifying the number of lines of configuration required for a VPN deployment (e.g., for a 1000-site deployment, DMVPN reduces the configuration effort at the hub from 3900 lines to 13 lines). Adding new spokes to the VPN requires no changes at the hub. Simplifies configuration of split tunneling. Centralized configuration change at the hub controls the split tunneling behavior. In traditional IPsec, all the spokes need to be modified. Cisco DMVPN can be deployed in zero-touch deployment models using Easy Secure Device Deployment for secure PKI-based device provisioning. Devices can be bootstrapped remotely, avoiding the need for extensive staging operations. Direct spoke-to-spoke tunnels eliminate the need for spoke-to-spoke traffic to traverse the hub. Reduces latency for voice over IP (VoIP) deployments over DMVPN and improves effective throughput of the hub router. Tunnels are created dynamically when required and torn down after use, allowing the system to scale better (i.e., smaller spokes can participate in the virtual full mesh). Spoke routers can use dynamic IP addresses, a frequent requirement for Internet connections over cable and DSL. DMVPN supports spoke routers running NAT or behind dynamic NAT devices, enabling enhanced security for branch subnets. DMVPN supports IP Multicast traffic (between hub and spokes); native IPsec supports only IP Unicast. This provides efficient and scalable distribution of one-to-many and many-to-many traffic. Cisco DMVPN supports the following advanced QoS mechanismis: Traffic shaping at hub interfaces on a per-spoke or per-spoke-group basis. Hub-to-spoke and spoke-to-spoke QoS policies. Dynamic QoS policies wherein QoS templates are attached automatically to tunnels as they come up. Per-spoke QoS policing, allowing spokes to be differentiated, and protecting the network from being overrun by bandwidth hungry spokes. Cisco DMVPN enables routing-based failover. Dual WAN links and hub redundancy provide higher availability. DMVPN supports dual-hub designs, where each spoke is peered with two hubs, providing rapid failover. Mulitiple hub topologies allow uninterrupted spoke-to-spoke communication in the event of any single hub failure. DMVPN scales to thousands of spokes using server load balancing (SLB). Encryption can be integrated within the SLB device or distributed to dedicated headend VPN routers. Tunnels are load balanced over available hubs. Performance can be scaled incrementally by adding hubs. Hierarchical hub deployments allow enhanced scalability. Manageability support is provided through IPsec (including VRF-aware IPsec) MIB, NHRP MIB, and command-line interface (CLI). VRF-aware DMVPN deployed at the provider edge hubs allows segregation of customer traffic. MPLS networks can be encrypted over DMVPN tunnels. Ease of Deployment and Management Cisco Router and Security Device Manager (SDM) provides advanced wizards to make it easy to configure Cisco DMVPN (Figure 5). Cisco SDM is included in Cisco router security bundles and is an effective tool to configure DMVPN for small deployments or pilot/test environments. 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 4 of 6

Figure 5. Cisco Router and Security Device Manager: Wizard-Based Management Cisco Security Manager provides enterprise-class scalable Cisco DMVPN configuration on a wide range of Cisco routers for medium-sized or large installations requiring multispoke management. Some of the DMVPN features supported in Cisco Security Manager include: DMVPN SLB deployment models involving distributed or integrated encryption VRF-aware DMVPN EIGRP, OSPF, Routing Information Protocol (RIP)v2, and on-demand routing (ODR) Cisco IOS Software CLI provides configuration, monitoring, and debugging capabilities for Cisco DMVPN hub-andspoke and spoke-to-spoke configurations. System Requirements Tables 2 and 3 list the hardware and software requirements to install and use Cisco DMVPN. Table 2. Cisco Hardware Platforms That Support Cisco DMVPN Platform Cisco 870 Series Integrated Services Routers* Cisco 1801, 1802, 1803, 1811, 1812, 1841, 2800, 3825, and 3845 Integrated Services Routers Cisco 1841 Integrated Services Routers Cisco 2800 Series Integrated Services Routers Cisco 3825 Integrated Services Routers Cisco 3845 Integrated Services Routers Cisco 1900, 2900, and 3900 Next Generation Integrated Services Routers Cisco 7200 Series Routers Cisco 7200VXR Routers with Network Processing Engine NPE-G2 Cisco 7301 Routers Cisco 7600 Series Routers Cisco Catalyst 6500 Series Switches Cisco ASR 1000 Series Routers VPN Acceleration Module Advanced Integration Module (AIM)-VPN/SSL-1 AIM-VPN/SSL-2 AIM-VPN/SSL-3 AIM-VPN/SSL-3 VPN Acceleration Module 2+ (VAM2+) VPN Services Adapter (VSA) VAM2+ IPsec VPN Shared Port Adapter (SPA) IPsec VPN SPA * Functions as DMVPN spoke only. 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 5 of 6

Table 3. Hardware Cisco DMVPN Software Requirements Cisco 870, 1800, 1900, 2800, 2900, 3800, 3900, 7200 Series and Cisco 7301 routers Cisco IOS Software Release Cisco IOS Software Feature Set Cisco IOS Software Release 12.3(2)T or later recommended for Cisco 870, 1800, 2800, 3800, and 7200 Series Routers and Cisco 7301 Routers Cisco IOS Software Release 15.0 or later recommended for Cisco 1900, 2900 and 3900 Series Routers Cisco IOS Software Release 12.2(18)SXE2 or later for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers Cisco IOS XE Release 2.0.0 or later for Cisco ASR 1000 Series Routers Advanced Security or higher Cisco ASR 1000 Series Routers also require VPN license Ordering Information All Cisco router security bundles include support for Cisco Easy VPN. For a list of router security bundles, visit http://www.cisco.com/go/securitybundles. To place an order, visit the Cisco Ordering Home Page. To download software, visit the Cisco Software Center at http://www.cisco.com/kobayashi/sw-center/sw-ios.shtml. Cisco and Partner Services for the Branch Services from Cisco and our certified partners can help you transform the branch experience and accelerate business innovation and growth in the Borderless Network. We have the depth and breadth of expertise to create a clear, replicable, optimized branch footprint across technologies. Planning and design services align technology with business goals and can increase the accuracy, speed, and efficiency of deployment. Technical services help improve operational efficiency, save money, and mitigate risk. Optimization services are designed to continuously improve performance and help your team succeed with new technologies. For More Information Visit the Cisco Software Center to download Cisco IOS Software. See the System Requirements section above to determine which Cisco IOS Software Release to download and install. For more information about Cisco DMVPN, visit http://www.cisco.com/go/dmvpn, contact your local Cisco account representative, or send e-mail to ask-stg-ios-pm@cisco.com. Printed in USA C78-468520-01 08/09 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 6 of 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback