LARGE SCALE DYNAMIC MULTIPOINT VPN
NOVEMBER 2004
© 2004 Cisco Systems, Inc. All rights reserved. Large Scale DMVPN, 11/04

INTRODUCTION

Dynamic Multipoint VPN Facts
• Dynamic Multipoint VPN (DMVPN) can work with static routes but shows its power with routing protocols
• The routing protocol consumes a lot of CPU with so many neighbors
• Resource consumption increases with the number of tunnels

IPsec facts
• IPsec maximum throughput is better with large packets
• On medium and low platforms, CPU is impacted by large SADB
• Cisco recommends that users keep a DMVPN hub within reasonable limits
• Consult your Account Team about platform details
(Chart: throughput in Mbps vs. packet size, from 64 bytes to 1400 bytes)

Example – Cisco 7200 Series/VAM2
• The Cisco 7200 Series Router is a popular platform for DMVPN
• It can accept a maximum of 375 tunnels without particular attention (EIGRP)
• In that case, the max throughput would be
    42,000 pps for 64 byte packets
    22,000 pps for 1400 byte packets

Scaling the Cisco 7200 Series/VAM2 Further
• If a second mGRE interface is set up on the Cisco 7200 Series Router, it can accept a maximum of 350 tunnels per interface (700 total)
• In that case the max throughput is:
    40,000 pps for 64 byte packets
    22,000 pps for 1400 byte packets
• A third interface does not improve things

Is This Low?
• Yes and no
• The theoretical maximum number of tunnels (Cisco 7200 Series / VAM2) is 5,000, so DMVPN looks bad
• The theoretical max speed is 250 Mbps, so DMVPN looks the same
• 250 Mbps / 700 = 350 Kbps per spoke
• Not very useful below that throughput anyway

Remarks
• This presentation describes current performance
• Performances change every day and protocols evolve
• Check with your account team to evaluate the best DMVPN platform for your needs
• It is possible to scale DMVPN very high
    Just wait for the next chapter

Summary on DMVPN Fitness
• If many spokes with very low IPsec throughput, DMVPN may not be a good fit
• DMVPN starts to become useful at the edge between remote-access and LAN-to-LAN
• DMVPN works best for spokes that need statistically constant, equal access to central resources
    Small offices, branch offices, hot-spots, administrations, schools
• Many existing remote-access or LAN-to-LAN solutions should actually be DMVPN-like networks
• DMVPN shows a network with integrated security

APPLICATION TO LARGE SCALE IPSEC

Problem description
• Need to deploy a large DMVPN network
    Any number 700+; tens of thousands allowed
    More than just basic connectivity needed
• Limited to hub and spoke
• Spoke to spoke via the hub is allowed

Requirements
• Constraints
    LAN to LAN
    Dynamic IP addresses
• Solution must:
    Be easy to manage (deployment and monitoring)
    Recover by itself
    Scale to thousands of spokes
    Allow Cisco rich features (i.e. Cisco IOS® Intrusion Prevention System (IPS), Cisco IOS Firewall)

Overall Solution
(Diagram labels)
Spokes (83x), DMVPN based: provide QoS and firewalling; no special software needed on PC; IP phones work out of the box
GRE/IPsec tunnels, IGP + NHRP, towards the edge of HQ
SLB balances connections; owns virtual IP address
Cluster of DMVPN hubs: aggregates user tunnels; cluster can be heterogeneous
HQ

The Load Balancer In General
• Load Balancer owns a Virtual IP Address (VIP)
• When IKE or ESP packets are targeted at the VIP, the LB chooses a hub
• The hub choice is policy (predictor) based:
    Weighted round-robin
    Least-connections
• Once a decision is made for a “tunnel”, all subsequent packets go to the same hub (stickiness)
• Once a decision is made for IKE, the same is made for ESP (buddying)

High Level Description
• Spokes think there is a single hub
• They have an NHRP map pointing to the Load Balancer’s Virtual IP Address
• The Load Balancer is configured in forwarding mode (no NAT)
• All the hubs have the same configuration
    Same Tunnel interface address
    Same Loopback address (= VIP)

Topology with Addresses
(Diagram labels)
Spoke A: 192.168.1.1/24
Spoke B: 192.168.2.1/24
Spoke physical addresses (dynamic): 172.16.1.1 with Tunnel0 10.0.0.11; 172.16.2.1 with Tunnel0 10.0.0.12
Load Balancer: VIP 172.17.0.1 (no tunnel)
HQ side: 192.168.128.1/25
Hubs (identical on both): Loopback 172.17.0.1; Tunnel0 10.0.0.1/16
Hub segments: 10.1.0.0/24 (.1, .2, .3) and 10.1.1.0/24 (.1, .3, .2)

Spoke Configuration
• The spoke configuration is the same as with a single hub
• It has an NHRP map
 ip nhrp map 10.0.0.1 172.17.0.1

Load Balancer
• We will study Cisco IOS Software SLB
    Runs on most Cisco IOS Software platforms, including the Cisco Catalyst® 6500 Series Switch
    Opt for Releases 12.2S or 12.1E
• CSM 3.1 or above should work too, but we do not need most of its features (useless)
• Load balancing must be able to do Layer 3 and 4 load balancing
    Upper layers are useless (encrypted)

Cisco IOS Software SLB performances
• Cisco IOS Software SLB on a Cisco Catalyst 6500 Series Switch (MSFC-2)
    Can manage 1M connections w/ 128 MB RAM
    Can create 20,000 connections per second
    Switches packets at 10 Gbps (64 bytes)
• Cisco IOS Software SLB on a Cisco 7200 Series Router (NPE-400)
    Can create 5,000 connections per second
    Switches packets at ½ the Cisco Express Forwarding rate (depending on other features)
• Should not be a bottleneck

Cisco IOS Software SLB cluster definition
ip slb probe PINGREAL ping
 faildetect 2
ip slb serverfarm HUBS
 failaction purge
 probe PINGREAL
 ! predictor round-robin
 real 10.1.0.2
  weight 4
  inservice
 real 10.1.0.3
  weight 4
  inservice
Weighted round-robin: this is the default predictor.
If all the hubs are equivalent, the weight is the same.

Cisco IOS Software SLB VIP definition
ip slb vserver ESPSLB
 virtual 172.17.0.1 esp
 serverfarm HUBS
 sticky 60 group 1
 idle 30
 inservice
ip slb vserver IKESLB
 virtual 172.17.0.1 udp isakmp
 serverfarm HUBS
 sticky 60 group 1
 idle 30
 inservice
Same farm for both vservers; the shared sticky group 1 is the buddying.

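How the predictor, the stickiness and the buddying of IKE and ESP fit together, as an added Python model that is not part of the Cisco deck: it uses the hub addresses, weights and sticky group from the slides, assumes the predictor follows a smooth weighted round-robin order (equal weights alternate), and uses constructed client addresses from the 192.0.2.0/24 documentation range.

```python
"""Model of the IOS SLB behaviour described on the slides: a weighted
round-robin predictor, per-client stickiness, and 'buddying' of IKE and ESP
through one sticky group. Added example, not Cisco code; the predictor order
is assumed to be smooth weighted round-robin (equal weights alternate)."""
from dataclasses import dataclass


@dataclass
class Real:
    ip: str
    weight: int = 1
    inservice: bool = True
    current: int = 0          # running credit used by the predictor

class StickyGroup:
    """One sticky table shared by every vserver that names the same group."""

    def __init__(self, reals):
        self.reals = reals
        self.table = {}       # client ip -> real ip (this is what buddies IKE and ESP)

    def _predict(self):
        # Smooth weighted round-robin over the hubs still in service.
        live = [r for r in self.reals if r.inservice]
        for r in live:
            r.current += r.weight
        best = max(live, key=lambda r: r.current)   # ValueError if no hub is up
        best.current -= sum(r.weight for r in live)
        return best

    def choose(self, client_ip):
        """Pick a hub for a client; later packets stick to the first choice."""
        real_ip = self.table.get(client_ip)
        if real_ip and next(r for r in self.reals if r.ip == real_ip).inservice:
            return real_ip
        real = self._predict()
        self.table[client_ip] = real.ip
        return real.ip

    def purge(self, real_ip):
        """failaction purge: a hub failed its probe, drop its sticky entries."""
        for r in self.reals:
            if r.ip == real_ip:
                r.inservice = False
        self.table = {c: r for c, r in self.table.items() if r != real_ip}

def build_cluster():
    """Server farm HUBS (weight 4 each) and the two vservers sharing group 1."""
    group = StickyGroup([Real("10.1.0.2", 4), Real("10.1.0.3", 4)])
    return {"IKESLB": group, "ESPSLB": group}, group
```

Because both vservers point at the same StickyGroup, the ESP packets of a spoke land on whichever hub answered its IKE, and purging a failed hub makes that spoke renegotiate with the surviving one.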
Monitoring and managing
SLB-7200#sh ip slb connections
vserver         prot client              real            state   nat
-------------------------------------------------------------------------------
IKESLB          UDP  64.103.8.8:500      10.1.0.2        ESTAB   none
ESPSLB          ESP  217.136.116.189:0   10.1.0.2        ESTAB   none
IKESLB          UDP  213.224.65.3:500    10.1.0.2        ESTAB   none
ESPSLB          ESP  80.200.49.217:0     10.1.0.2        ESTAB   none
ESPSLB          ESP  217.136.132.202:0   10.1.0.3        ESTAB   none

SLB-7200#clear ip slb connections ?
  firewallfarm  Clear connections for a firewallfarm
  serverfarm    Clear connections for a specific serverfarm
  vserver       Clear connections for a specific virtual server
  <cr>

SLB-7200#sh ip slb reals
real            farm name       weight state        conns
-------------------------------------------------------------------
10.1.0.2        HUBS            4      OPERATIONAL  4
10.1.0.3        HUBS            4      OPERATIONAL  1

Hub Tunnel configuration
interface Tunnel0
 bandwidth 10000
 ip address 10.0.0.1 255.255.0.0
 no ip redirects
 ip mtu 1350
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 3600
 no ip split-horizon
 no ip mroute-cache
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile tp
end
interface Loopback0
 ip address 172.17.0.1 255.255.255.255
end
interface FastEthernet0/0
 ip address 10.1.0.{2,3} 255.255.255.0
interface FastEthernet0/1
 ip address 10.2.0.{2,3} 255.255.255.0
Tunnel0 address: must be the same on all hubs; the mask allows 2^16-2 nodes.
Loopback0 address: must be the same on all hubs; the mask is /32.

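A check for the "must be the same on all hubs" annotations above, as an added Python example that is not Cisco code: it parses hub configurations shaped like this slide (constructed here by expanding the 10.1.0.{2,3} notation) and reports any hub whose Tunnel0 address, NHRP network-id, tunnel key or Loopback0 (= VIP, /32) deviates, or whose physical address collides with another hub's.

```python
"""Consistency check for the DMVPN hub cluster behind IOS SLB. Added example, not
Cisco code: parses configs shaped like the hub tunnel slide and checks that what
the slide marks 'must be same on all' is identical, and physical addresses are not."""
import ipaddress
import re

VIP = "172.17.0.1"
HUB_TEMPLATE = """\
interface Tunnel0
 ip address 10.0.0.1 255.255.0.0
 ip nhrp network-id 1
 tunnel key 1
end
interface Loopback0
 ip address 172.17.0.1 255.255.255.255
end
interface FastEthernet0/0
 ip address 10.1.0.{n} 255.255.255.0
"""
HUB_CONFIGS = [HUB_TEMPLATE.format(n=n) for n in (2, 3)]   # constructed: hub 0 and hub 1

def parse_interfaces(config):
    """Map interface name -> {'ip': IPv4Interface or None, 'lines': [sub-commands]}."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = ifaces.setdefault(m[1], {"ip": None, "lines": []})
        elif cur is not None and line.startswith(" "):   # indented interface sub-command
            cur["lines"].append(line.strip())
            m = re.match(r"ip address (\S+) (\S+)", line.strip())
            if m:
                cur["ip"] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
    return ifaces

def check_cluster(configs, vip=VIP):
    """Return (findings, usable mGRE node addresses); an empty findings list means OK."""
    hubs, findings = [parse_interfaces(c) for c in configs], []
    def shared(h):  # everything the slide marks 'must be same on all'
        keys = [l for l in h["Tunnel0"]["lines"] if l.startswith(("ip nhrp", "tunnel key"))]
        return str(h["Tunnel0"]["ip"]), tuple(sorted(keys)), str(h["Loopback0"]["ip"])
    if len({shared(h) for h in hubs}) != 1:
        findings.append("Tunnel0/Loopback0 parameters differ between hubs")
    for i, h in enumerate(hubs):
        if h["Loopback0"]["ip"] != ipaddress.IPv4Interface(f"{vip}/32"):
            findings.append(f"hub {i}: Loopback0 is not the VIP {vip}/32")
    phys = [str(h["FastEthernet0/0"]["ip"]) for h in hubs]
    if len(set(phys)) != len(phys):
        findings.append("FastEthernet0/0 addresses are not unique")
    return findings, hubs[0]["Tunnel0"]["ip"].network.num_addresses - 2   # /16 -> 2^16-2
```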
Routing protocols
(Diagram labels)
HQ speaks EIGRP 2
Edge router: redistribute EIGRP 2 into BGP (summary); redistribute floating static (Null0) into EIGRP 2
Hubs: redistribute EIGRP 1 into BGP (with filtering); redistribute BGP (summarized) into EIGRP 1
Spokes are EIGRP 1 stubs; they speak to hubs thru GRE/IPsec tunnel

Hub Routing protocol configuration
router eigrp 1
 redistribute bgp 1 metric 1 0 255 20 1400
 network 10.0.0.0 0.0.255.255
 default-metric 64 2000 255 1 1400
 no auto-summary
router bgp 1
 bgp router-id 10.2.0.{2,3}
 bgp log-neighbor-changes
 neighbor 10.0.0.1 remote-as 1
 address-family ipv4
  redistribute eigrp 1 route-map <IGPREDIST>
  neighbor 10.2.0.1 activate
  neighbor 10.2.0.1 next-hop-self
  no auto-summary
  no synchronization
  bgp redistribute-internal
 exit-address-family

Edge router BGP configuration
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 aggregate-address 10.0.0.0 255.0.0.0 summary-only
 aggregate-address 192.168.0.0 255.255.0.0 summary-only
 redistribute eigrp 2
 neighbor HUB peer-group
 neighbor HUB remote-as 1
 neighbor HUB next-hop-self
 neighbor 10.0.0.2 peer-group HUB
 neighbor 10.0.0.3 peer-group HUB
 no auto-summary

Edge router EIGRP configuration
• EIGRP 2 attracts spoke subnets to the edge router
• Floating static route to Null0 discards packets to unconnected spokes
ip route 192.168.0.0 255.255.255.127 Null0 254
router eigrp 2
 redistribute static
 network 192.168.1.0 0.0.0.128
 no auto-summary
 no eigrp log-neighbor-changes

Packet Flow
(Diagram: corporate network, PC1 to PC2, steps 1 to 7)

Result
• Tunnels reconnect automatically
• Working sessions are not lost
• QoS allocates bandwidth to voice
• All other features are available
• No need to touch the hubs while adding a spoke
• New hubs can be added/removed on the fly
• Simple to deploy
• Leverages monitoring infrastructure (interfaces, CDP)

Support
• Each feature has plenty of nerd knobs for tuning
• Each feature has advanced debugging capabilities
• Each feature can be troubleshot independently

IGP choices
• BGP between Hubs and Edge is good due to number of prefixes and flexibility
• Scaling the IGP between hubs and spokes is the hardest part
• A distance vector is recommended
• EIGRP shows best results so far, but ODR is under test (lightweight)

Positioning
• The main advantages of the solution are:
    Virtually limitless scaling
    Can be deployed in zero touch with ISC and Intelligent Engine
    Automatic load management
    Load balancing AND resilience
    Multiply performances by number of hubs (creation rate, speed, max SA’s)
    No forklift when upgrading
    Resilience in N+1

Improvements
• It is possible to collapse the Load balancer and the edge router (hubs in lollipop)
• If the load balancer is a Cisco Catalyst 6500 Series Switch, this is even recommended, as Layer 3 switching will accelerate spoke to spoke traffic
