It is assumed that the reader has a basic understanding of IPsec.
This design guide begins with an overview, followed by design recommendations and product selection and performance information. Finally, partial configuration examples are presented. The chart in Figure 1 shows the IPsec VPN WAN architecture, which is divided into multiple design guides based on the technologies used. Each technology uses IPsec as the underlying transport mechanism for the VPNs. This document helps you to select the correct technology for the proposed network design. Design and Implementation provides more detail on the design considerations.
Scalability Considerations presents Cisco product options for deploying the design. The primary topology discussed in this document is a hub-and-spoke model. In this deployment, primary enterprise resources are located in a large central site, with a number of smaller sites or branch offices connected directly to the central site over a VPN. A high-level diagram of this topology is shown in Figure 2. The design supports a typical converged traffic profile for customers. See Scalability Considerations for details about the traffic profile used during scalability testing. Built-in redundancy and failover with fast convergence are essential to help ensure high availability and resiliency.
This is discussed further in Design and Implementation. Cisco devices should be maintained at reasonable CPU utilization levels. Scalability Considerations discusses this issue in detail, including recommendations for headend and branch devices and for software versions. The design recommendations assume that the customer deploys current VPN technologies, including hardware-accelerated encryption.
Cost considerations have been taken into account in the proposed design, but not at the expense of necessary performance. However, the concepts and conclusions are valid regardless of the ownership of the edge tunneling equipment, so the recommendations are also useful for VPNs managed by service providers. VPNs can often meet these requirements more cost-effectively and with greater flexibility than private WAN services. VPNs have many applications, including extending reachability of an enterprise WAN, or replacing classic WAN technologies such as leased lines, Frame Relay, and ATM. Cisco high-end VPN routers serve as VPN headend termination devices at a central campus site. Cisco VPN access routers serve as VPN branch termination devices at branch office locations. Cisco VPN routers are a good choice for site-to-site VPN deployments because they can accommodate any network requirement inherited from a Frame Relay or private line network, such as support for latency-sensitive traffic and resiliency.
The network topology of the hub-and-spoke design is shown in Figure 3. The solution is a hub-and-spoke network with multiple headend devices for redundancy. Headends are high-end tunnel aggregation routers that service multiple IPsec tunnels for a prescribed number of branch office locations. In addition to terminating the VPN tunnels at the central site, headends can advertise routes to branch devices using RRI. To ensure authentication and encryption, IPsec tunnels are provisioned to interconnect branch offices to the central site. The way that network resiliency is provided depends on the initial network requirements.
More detailed information is provided in Design and Implementation. Use IPsec in tunnel mode for best performance. Implement DPD to detect loss of communication between peers. Set up QoS service policies, as appropriate, on headend and branch router interfaces to help ensure performance of latency-sensitive applications. The QoS pre-classify feature is helpful in VPN designs where both QoS and IPsec occur on the same system. The network manager should verify that this is operating correctly. Use RRI on headend routers for optimal routing between campus and remote sites.
Configure dynamic crypto maps on headend routers to simplify configuration and provide touchless provisioning of new branches. If high availability is a requirement, implement a design with redundancy for both headend equipment and WAN circuits. See Branch Office Scalability for more information. The network manager must verify correct operation of the QoS pre-classify feature when both QoS and IPsec occur on the same system.
IPsec direct encapsulation designs can be implemented only in a Single Tier Headend Architecture. Eventually, all Cisco headend platforms will move to the SSO failover functionality. PKI has not been verified with either SSO or SSP. The IPsec tunnel must be initiated by the remote branch in cases where remote routers acquire their address with a dynamically served IP address. The crypto headend cannot initiate the tunnel to the branch.
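The recommendations above (tunnel mode, DPD, RRI, a dynamic crypto map on the headend, QoS pre-classify on the branch, and a dynamically addressed branch that must initiate the tunnel) combined into one IOS configuration pair, as an added illustration that is not one of the guide's own configuration examples. Interface names, the 192.0.2.1 headend address, the 10.x subnets, the policy names and the key are assumed placeholders, and SHA-256 requires an IOS release that supports it.

```cisco
! Added example (not the guide's own config): headend with dynamic crypto map,
! RRI and DPD; branch with a dynamic WAN address that initiates the tunnel.
! Addresses, names and the key are assumed placeholders.
! ===== Headend =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard key matches any branch; prefer per-peer keys or PKI where possible.
crypto isakmp key REPLACE-WITH-STRONG-KEY address 0.0.0.0 0.0.0.0
! DPD: probe after 10 s idle, retry every 3 s, so SAs to dead peers are cleared.
crypto isakmp keepalive 10 3 on-demand
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel
! Dynamic entry has no peer or ACL: new branches need no headend change.
crypto dynamic-map DYN-BRANCH 10
 set transform-set AES-SHA
 reverse-route
crypto map VPN-HUB 65000 ipsec-isakmp dynamic DYN-BRANCH
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map VPN-HUB
! ===== Branch (DHCP-assigned address, so it must initiate) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-KEY address 192.0.2.1
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel
class-map match-any VOICE
 match dscp ef
policy-map WAN-EDGE
 class VOICE
  priority percent 20
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.255.255
crypto map VPN-SPOKE 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set AES-SHA
 match address VPN-TRAFFIC
 ! Classify on the cleartext header before ESP hides it from the policy.
 qos pre-classify
interface GigabitEthernet0/0
 ip address dhcp
 crypto map VPN-SPOKE
 service-policy output WAN-EDGE
```

When a branch SA comes up, `reverse-route` installs a static route on the headend for the branch subnet carried in the proxy identity; redistribute those statics into the campus IGP so return traffic reaches the correct headend, and confirm with `show crypto ipsec sa` and `show ip route static` that the route disappears after DPD tears the SA down.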