Designing Virtual Private Networks © 2004 Cisco Systems, Inc. All rights reserved. Designing Site-to-Site VPNs ARCH v1.29-1.

Transcript:


Site-to-Site VPN Solution
Connects branch offices to the central site.
Key characteristics
– Full mesh or hub-and-spoke
– Tunneling
– Routing protocol
– Data plus voice and video
Devices
– Head-end: VPN-enabled routers
– Remote: VPN-enabled routers
– Hardware encryption
Key objectives: VPN product performance, aggregation per head-end, resiliency, and scalability; hardware encryption at remote sites.

Comparing Private WANs and VPNs
Private WAN advantages: Reliability; Secure; Controlled; Self-managed
Site-to-Site VPN advantages: Globally available; Redundant; Less expensive; Greater connectivity; Simplified WAN; Alternative to dial-on-demand for backup
Private WAN disadvantages: Scaling challenge; Local skill required; Investment in technology
Site-to-Site VPN disadvantages: Performance; Reliance on third parties; Requires encryption and client management; Lack of control

Designing Site-to-Site VPN Solutions
1. Determine application and data needs.
2. Design the VPN topology between sites.
3. Incorporate design resiliency and failover mechanisms.
4. Choose head-end products based on predicted VPN capacity requirements.

Hub-and-Spoke VPN Topologies (figures: One-to-Many; Many-to-Many)

Simple Full-Mesh VPN Topology (figure)

Hierarchical VPN Topology (figure)

High-Availability and Resiliency Considerations
Implement primary and secondary tunnels between each branch device and the central site for resiliency.
Allocate primary tunnels to balance load across the head-ends.
Allocate secondary tunnels to balance load after failover onto the surviving head-ends.
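The slide above states the two balancing goals but not how to meet them. The following added example (not from the Cisco course) is a greedy planner: each branch's primary tunnel goes to the least-loaded head-end, and its secondary goes to the head-end that would carry the least load if that primary failed. Head-end names, branch names and load units are constructed for illustration.

```python
def allocate_tunnels(branches, headends):
    """Greedy assignment of a (primary, secondary) head-end pair per branch.
    branches: {branch_name: expected_load}; headends: list of head-end names.
    Primary goes to the least-loaded head-end; secondary goes to the head-end
    that would carry the least total load if that primary failed."""
    primary_load = {h: 0 for h in headends}
    # backup[p][s]: load that s inherits from p's branches when p fails
    backup = {p: {s: 0 for s in headends} for p in headends}
    plan = {}
    # Place the largest branches first so the small ones fill the gaps.
    for branch, load in sorted(branches.items(), key=lambda kv: -kv[1]):
        p = min(headends, key=lambda h: primary_load[h])
        s = min((h for h in headends if h != p),
                key=lambda h: primary_load[h] + backup[p][h])
        plan[branch] = (p, s)
        primary_load[p] += load
        backup[p][s] += load
    return plan


def load_after_failure(plan, branches, headends, failed=None):
    """Per-head-end load with head-end `failed` down (None = normal operation)."""
    load = {h: 0 for h in headends if h != failed}
    for branch, (p, s) in plan.items():
        # Traffic moves to the secondary tunnel only when the primary head-end is down.
        load[s if p == failed else p] += branches[branch]
    return load


# Constructed sample (assumption): three head-ends, six branches in relative load units.
HEADENDS = ["HE1", "HE2", "HE3"]
BRANCHES = {"B1": 30, "B2": 30, "B3": 20, "B4": 20, "B5": 10, "B6": 10}

if __name__ == "__main__":
    plan = allocate_tunnels(BRANCHES, HEADENDS)
    for branch, (p, s) in plan.items():
        print(f"{branch}: primary {p}, secondary {s}")
    for failed in [None] + HEADENDS:
        print(failed or "normal", load_after_failure(plan, BRANCHES, HEADENDS, failed))
```

Size each head-end for the worst single-failure load reported by load_after_failure, not for the normal-operation load.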

Using a Routing Protocol over the VPN
The VPN tunnel is now the wire.
– Same benefits as a traditional WAN
– Same bandwidth and delay considerations
With a routing protocol, you can verify that traffic is actually reaching its destination.

Example: Routing Protocol (figure)
Two tunnels are active simultaneously.

Anticipating Packet Fragmentation
IPSec packet fragmentation occurs because the IPSec and GRE headers push the packet size beyond the link MTU.
Fragmentation can dramatically reduce head-end throughput.
Use look-ahead IPSec fragmentation features to resolve these issues.
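To make the slide's claim concrete, the added example below (not from the Cisco course) computes the on-the-wire size of a packet after GRE encapsulation and ESP protection, tells whether it will fragment on a given link MTU, and derives the largest inner MTU that avoids fragmentation. Header sizes are the standard IPv4, GRE (no optional fields) and ESP values; the cipher parameters are for AES-CBC and 3DES-CBC with HMAC-SHA1-96; the returned IOS-style "ip mtu" and "ip tcp adjust-mss" values are the author's suggested use, not the course's.

```python
import math
from dataclasses import dataclass

# Fixed header sizes in bytes: IPv4, GRE without key/sequence, ESP (RFC 4303).
IP_HDR = 20
GRE_HDR = 4
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
ESP_ICV = 12         # HMAC-SHA1-96 integrity check value


@dataclass(frozen=True)
class Cipher:
    name: str
    iv: int     # explicit IV carried in the ESP payload
    block: int  # CBC block size the plaintext is padded to


AES_CBC = Cipher("aes-cbc", iv=16, block=16)
DES3_CBC = Cipher("3des-cbc", iv=8, block=8)


def gre_over_ipsec_size(inner_len, cipher=AES_CBC, tunnel_mode=True):
    """Wire size of an inner IP packet of inner_len bytes after GRE, then ESP."""
    if tunnel_mode:
        plaintext = IP_HDR + GRE_HDR + inner_len   # delivery IP + GRE + payload, all encrypted
    else:
        plaintext = GRE_HDR + inner_len            # transport mode leaves the delivery IP header outside ESP
    padded = math.ceil((plaintext + ESP_TRAILER) / cipher.block) * cipher.block
    return IP_HDR + ESP_HDR + cipher.iv + padded + ESP_ICV


def needs_fragmentation(inner_len, link_mtu=1500, cipher=AES_CBC, tunnel_mode=True):
    return gre_over_ipsec_size(inner_len, cipher, tunnel_mode) > link_mtu


def max_inner_mtu(link_mtu=1500, cipher=AES_CBC, tunnel_mode=True):
    """Largest inner packet that still fits the link after encapsulation."""
    for inner in range(link_mtu, 0, -1):
        if gre_over_ipsec_size(inner, cipher, tunnel_mode) <= link_mtu:
            return inner
    raise ValueError("link MTU too small for any payload")


def tunnel_interface_settings(link_mtu=1500, cipher=AES_CBC, tunnel_mode=True):
    """Suggested tunnel-interface values (assumption): MSS = MTU - 40 for IPv4 + TCP headers."""
    mtu = max_inner_mtu(link_mtu, cipher, tunnel_mode)
    return {"ip mtu": mtu, "ip tcp adjust-mss": mtu - 40}


if __name__ == "__main__":
    print("1500-byte packet on the wire:", gre_over_ipsec_size(1500))
    print("fragments on 1500 MTU:", needs_fragmentation(1500))
    print("settings:", tunnel_interface_settings())
```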

VPN Modes (figure)

Example: Simple Site-to-Site VPN (figure)

Example: Large Site-to-Site VPN (figure)

Summary
When designing a site-to-site VPN, you need to design the topology and incorporate resiliency and failover mechanisms.
When remote-user or branch-office connectivity is critical, downtime for the VPN is not an option.
Enterprises need a systematic approach that examines all the essential elements of delivering a high-availability site-to-site VPN.
A site-to-site VPN solution will support static routing and the dynamic routing protocols that are implemented elsewhere in the network.
IPSec and GRE headers increase the size of packets being transported over a VPN.
You can implement site-to-site VPNs in both small and large enterprise environments.