Saturday, 22 February 2014

Document: Voice and Video Enabled IPSec VPN (V3PN) Solution Reference Network Design (docx)


Contents
v
Voice and Video Enabled IPSec VPN (V3PN) SRND
956529
Encrypted Traffic Appears as a Few, Large Flows 4-27
Minimize Out-of-Order Packets 4-27
Load Sharing Design Approach 4-28
Load Sharing from Head-end to Branch 4-30
Service Provider Considerations for Load Sharing 4-32
E911 and 911 Emergency Services 4-33
Survivable Remote Site Telephony 4-33
Design Checklist 4-35
CHAPTER 5 Product Selection 5-1
Scalability Test Methodology 5-2
Traffic Profiles 5-3
Additional Voice Quality Validation 5-5
Head-end Product Selection 5-6
Failover and Head-end Availability 5-6
Performance Under Converged V3PN Traffic Profile 5-7
Impact of QoS on VPN Head-end Performance 5-8
Head-End Scalability and Performance Observations 5-9
Branch Office Product Selection 5-9
Product Applicability by Link Speed 5-10
Performance Under Converged V3PN Traffic Profile 5-11
Branch Scalability and Performance Observations 5-14
Network Performance/Convergence 5-15
Software Releases Evaluated 5-17
CHAPTER 6 Implementation and Configuration 6-1
Routing Protocol, Switching Path and IP GRE Considerations 6-1
Configure Switching Path 6-1
Configure IP GRE Tunnels 6-2
EIGRP Summarization and Network Addressing 6-2
EIGRP hold-time 6-3
IP GRE Tunnel Delay 6-3
QoS Configuration 6-5
Campus QoS—Mapping ToS to CoS 6-5
QoS Trust Boundary 6-6
Configure QoS Class Map 6-6
QoS Policy Map Configuration 6-7
Configuration Example—512 Kbps Branch 6-7

WAN Implementation Considerations 6-9
WAN Aggregation Router Configuration 6-9
Frame Relay Traffic Shaping and FRF.12 (LFI) 6-11
Attach Service Policy to Frame Relay Map Class 6-14
Apply Traffic Shaping to the Output Interface 6-15
Applying Service Policy to HDLC Encapsulated T1 Interfaces 6-16
Combined WAN and IPSec/IP GRE Router Configuration—Cisco 7200 HDLC/HSSI 6-17
IKE and IPSec Configuration 6-19
Configure ISAKMP Policy and Pre-shared Keys 6-20
Configure IPSec Local Address 6-20
Configure IPSec Transform-Set 6-21
Configure Crypto Map 6-21
Apply Crypto Map to Interfaces 6-22
Configuring QoS Pre-Classify 6-23
Implementation and Configuration Checklist 6-24
CHAPTER 7 Verification and Troubleshooting 7-1
Packet Fragmentation 7-1
Displaying Anti-Replay Drops 7-2
Verifying Tunnel Interfaces and EIGRP Neighbors 7-3
How EIGRP calculates RTO values for Tunnel Interfaces 7-4
Using NetFlow to Verify Layer-3 Packet Sizes 7-5
Using NetFlow to Verify ToS Values 7-6
Sample Show Commands for IPSec 7-8
Clearing IPSec and IKE Security Associations 7-10
Sample Show Commands for QoS 7-12
APPENDIX A Network Diagram Scalability Testbed and Configuration Files A-1
Head-end VPN Router A-2
Branch VPN Router—Frame Relay A-5
Branch VPN Router—HDLC A-8
APPENDIX B Configuration Supplement—Voice Module, EIGRP Stub, DSCP, HDLC B-1
Voice Module Configuration B-1
Router Configuration—vpn18-2600-2 B-3
Router Configuration—vpn18-2600-3 B-4
Router Configuration—vpn18-2600-4 B-5

Router Configuration—vpn18-2600-8 B-6
Router Configuration—vpn18-2600-9 B-7
Router Configuration—vpn18-2600-10 B-8
Router Configuration—vpn18-2600-6 B-10
APPENDIX C Configuration Supplement—Dynamic Crypto Maps, Reverse Route Injection C-1
INDEX

V3PN Solution Reference Network Design
Preface
This preface presents the following high level sections:
• About this Publication, page ix
• Obtaining Documentation, page x
• Obtaining Technical Assistance, page xi
About this Publication
This section presents two sections:
• Publication Scope, page ix
• Audience, page ix
Publication Scope
This Solution Reference Network Design (SRND) publication is intended to provide a set of guidelines
for designing, implementing, and deploying Voice and Video Enabled IPSec VPN (V3PN) solutions.
This SRND defines the comprehensive functional components required to build a Site-to-Site Enterprise
Virtual Private Network (VPN) solution that can transport IP telephony and video. The Design Guide
identifies the individual hardware requirements and their interconnections, software features,
management needs, and partner dependencies, to enable a customer deployable, manageable, and
maintainable Site-to-Site Enterprise VPN solution.
Audience
This publication is intended to provide guidance to network design specialists, network engineers,
telecommunications systems engineers, and data center network managers responsible for integrating
Cisco V3PN technology into existing IP infrastructure or building new V3PN-based networking
environments.
Content is presented here with the expectation that Cisco Systems Engineers and Customer Support
Engineers will use the information provided in combination with internal information to facilitate
secure, scalable, and highly available V3PN networks.

Obtaining Documentation
These sections explain how to obtain documentation from Cisco Systems.
World Wide Web
You can access the most current Cisco documentation on the World Wide Web at this URL:
http://www.cisco.com
Translated documentation is available at this URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM
package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may
be more current than printed documentation. The CD-ROM package is available as a single unit or
through an annual subscription.
Ordering Documentation
You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from
the Networking Products MarketPlace:
http://www.cisco.com/cgi-bin/order/order_root.pl
• Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription
Store:
http://www.cisco.com/go/subscription
• Nonregistered Cisco.com users can order documentation through a local account representative by
calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere
in North America, by calling 800 553-NETS (6387).
Documentation Feedback
You can submit comments electronically on Cisco.com. In the Cisco Documentation home page, click
the Fax or Email option in the “Leave Feedback” section at the bottom of the page. You can e-mail your
comments to bug-doc@cisco.com. You can submit your comments by mail by using the response card
behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.

Obtaining Technical Assistance
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can
obtain online documentation, troubleshooting tips, and sample configurations from online tools by using
the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access
to the technical support resources on the Cisco TAC Web Site.
Cisco.com
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open
access to Cisco information, networking solutions, services, programs, and resources at any time, from
anywhere in the world.
Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a
broad range of features and services to help you with these tasks:
• Streamline business processes and improve productivity
• Resolve technical issues with online support
• Download and test software packages
• Order Cisco learning materials and merchandise
• Register for online skill assessment, training, and certification programs
If you want to obtain customized information and service, you can self-register on Cisco.com. To access
Cisco.com, go to this URL:
http://www.cisco.com
Technical Assistance Center
The Cisco Technical Assistance Center (TAC) is available to all customers who need technical assistance
with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC
Web Site and the Cisco TAC Escalation Center.
Cisco TAC inquiries are categorized according to the urgency of the issue:
• Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities,
product installation, or basic product configuration.
• Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably
impaired, but most business operations continue.
• Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects
of business operations. No workaround is available.
• Priority level 1 (P1)—Your production network is down, and a critical impact to business operations
will occur if service is not restored quickly. No workaround is available.
The Cisco TAC resource that you choose is based on the priority of the problem and the conditions of
service contracts, when applicable.

Cisco TAC Web Site
You can use the Cisco TAC Web Site to resolve P3 and P4 issues yourself, saving both cost and time.
The site provides around-the-clock access to online tools, knowledge bases, and software. To access the
Cisco TAC Web Site, go to this URL:
http://www.cisco.com/tac
All customers, partners, and resellers who have a valid Cisco service contract have complete access to
the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a
Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or
password, go to this URL to register:
http://www.cisco.com/register/
If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco
TAC Web Site, you can open a case online by using the TAC Case Open tool at this URL:
http://www.cisco.com/tac/caseopen
If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC
Web Site.
Cisco TAC Escalation Center
The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These
classifications are assigned when severe network degradation significantly impacts business operations.
When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer
automatically opens a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before calling, please check with your network operations center to determine the level of Cisco support
services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network
Supported Accounts (NSA). When you call the center, please have available your service agreement
number and your product serial number.
CHAPTER 1
V3PN SRND Introduction
This publication extends the Cisco Architecture for Voice, Video, and Integrated Data (AVVID) by
enabling voice and video applications to be transported over a site-to-site IPSec VPN. Just as enterprise
implementers expect to run these applications over a private WAN, such as Frame Relay or ATM, they
also expect to run voice and video across their VPN implementation with the same quality and level of
service. Further, the enterprise implementer should be able to do so and have the VPN be fairly
transparent to these applications.
To provide these capabilities, Cisco designed Voice and Video Enabled IPSec VPN (V3PN), which
integrates three core Cisco technologies: IP Telephony, Quality of Service (QoS), and IP Security
(IPSec) VPN. The result is an end-to-end VPN service that can guarantee the timely delivery of
latency-sensitive applications such as voice and video.
This chapter presents the following topics:
• Supporting Designs, page 1-1
• Composite Solution Description, page 1-2
• Solution Benefits, page 1-3
• Solution Scope, page 1-4
• References and Reading, page 1-4
Supporting Designs
V3PN is designed to overlay non-disruptively on other core Cisco AVVID designs, including:
• Enterprise Site-to-Site IPSec VPN Design Guidelines—http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns142/networking_solutions_design_guidances_list.html
• Enterprise IP Telephony Design Guidelines—http://www.cisco.com/en/US/netsol/ns110/ns163/ns165/ns268/networking_solutions_design_guidances_list.html
• Enterprise QoS Design Guidelines—http://www.cisco.com/application/pdf/en/us/guest/netsol/ns17/c649/ccmigration_09186a00800d67ed.pdf
This SRND will not cover each of these three technologies in detail, but will instead focus on the
intersection of, integration of, and interactions between these functions of the network. Familiarity with
design and implementation guides for these underlying technologies will be extremely beneficial to the
reader. Please review these guides before attempting to implement a V3PN.

The underlying VPN design principles are based on the SAFE VPN Architecture, therefore the reader
should also first be familiar with that architecture and recommendations. Cisco SAFE documentation
can be found at: http://www.cisco.com/go/safe.
Technical Assistance Center (TAC) Technical Tips are a valuable source of configuration examples for
the technologies deployed in this design guide. Please refer to the Technical Tips section after logging on
to the Cisco TAC page on Cisco.com at: http://www.cisco.com/tac.
Composite Solution Description
IPSec VPNs have been deployed as private WAN alternatives for enterprise networks, whether managed
by the enterprise itself or as part of a service provider managed service. Figure 1-1 illustrates the
composite IPSec VPN deployment models that are deployed today:
Figure 1-1 Composite IPSec VPN Deployment Models
Site-to-site IPSec VPNs are used to connect small, medium, and large branch offices to a central location
or locations. This model is referred to in Cisco Enterprise Solutions Engineering Design Guides as
Site-to-Site Branch VPN.
IPSec VPNs can also be used to connect small office/home office (SOHO) locations to corporate
locations. When the VPN connections are static (fixed) in nature, this model is referred to as site-to-site
SOHO VPN.
Finally, when the VPN connections are dynamic (session-by-session) this model is referred to as Remote
Access VPN.
[Figure 1-1 labels: Remote access (SW client) with Softphone; SOHO VPN (small office/home office); Site-to-site VPN (large/medium/small branch); Service provider/internet; Central site with VPN head-end and WAN aggregation; IPSec VPN tunnels]
