Home | Skip to Content | Skip to Search | Skip to Navigation | Skip to Footer |
Worldwide [change] |Register |About Cisco
Guest

Hierarchical Navigation

Design Zone for WAN/MAN

Multicast over IPSec VPN Design Guide

Downloads

Table Of Contents

Multicast over IPsec VPN Design Guide

Contents

Introduction

Design Guide Structure

IPmc Requirement in Enterprise Networks

IPsec Deployment with Point-to-Point GRE

Virtual Tunnel Interface

Redundant VPN Headend Design

IPmc Deployment

Topology

Topology Overview

Detailed Topology

Point-to-Point GRE over IPsec Configuration

Common Configuration Commands

IPmc Rendezvous Point and IP PIM Auto-RP Configuration

Headend p2p GRE over IPsec Router

Secondary Campus and Disaster Recovery

Remote Branch Routers

Virtual Tunnel Interface Configuration

VTI Support for IPmc

Topology

Configuration Examples

DMVPN Hub-and-Spoke (mGRE) Configuration

IPmc Deployment Summary

Performance Testing

Overview

Topology

Traffic Profile

Configurations

Summary

Appendix A—Output of debug ip pim

Appendix B—Output from Last Hop Router rtp9-ese-test

Appendix C—IPmc and Dynamic VTI


Multicast over IPsec VPN Design Guide

This design guide provides detailed configuration examples for implementing IP multicast (IPmc) in a QoS-enabled IP Security (IPsec) virtual private network (VPN).

Contents

Introduction

Design Guide Structure

This design overview is part of a series of design guides, each based on different technologies for the IPsec VPN WAN architecture. (See Figure 1.) Each technology uses IPsec as the underlying transport mechanism for each VPN.

Figure 1 IPsec VPN WAN Design Guides

IPmc Requirement in Enterprise Networks

IPmc is a means to conserve bandwidth and deliver packets to multiple receivers without adding any additional burden on the source or receivers of the packets. Applications that deliver their data content using IPmc include videoconferencing, Cisco IP/TV broadcasts, distribution of files or software packages, real-time price quotes of securities trading, news, and even video feeds from IP video surveillance cameras.

The distribution of large data files to all branches by means of a mass update is an efficient way to distribute parts lists, price sheets, or inventory data. Commercial software packages are available to optimize this file replication process by using IPmc as the transport mechanism. The corporate server sends one IPmc stream, and the networked routers replicate these packets so that all remote locations receive a copy of the file. The software can detect packet loss and at the end of the transfer, request an IP unicast stream of the missing portions to ensure the file is complete and valid.

IPsec Deployment with Point-to-Point GRE

Generic Routing Encapsulation (GRE) is often deployed with IPsec for several reasons, including the following:

IPsec Direct Encapsulation supports unicast IP only. If network layer protocols other than IP are to be supported, an IP encapsulation method must be chosen so that those protocols can be transported in IP packets.

IPmc is not supported with IPsec Direct Encapsulation. IPsec was created to be a security protocol between two and only two devices, so a service such as multicast is problematic. An IPsec peer encrypts a packet so that only one other IPsec peer can successfully perform the de-encryption. IPmc is not compatible with this mode of operation.

Until the introduction of IPsec Virtual Tunnel Interface (VTI), IPsec tunnels were not logical tunnel interfaces for routing purposes. A point-to-point (p2p) GRE tunnel, on the other hand, is a logical router interface for purposes of forwarding IP (or any other network protocol) traffic. A tunnel interface can appear as a next-hop interface in the routing table.

Virtual Tunnel Interface

VTI is introduced in Cisco IOS Release 12.3(14)T. A tunnel interface with the new Cisco IOS interface tunnel mode ipsec ipv4 command along with the previously introduced tunnel protection interface command enables the VTI feature.

Note Tunnel protection alleviates the need to apply crypto maps to the outside interface.

VTI provides for a routable interface (Interface Tunnel 0) and therefore supports the encryption of IPmc.

Redundant VPN Headend Design

Because failsafe operation is a mandatory feature in many enterprise networks, redundancy should be built into headend designs. From each branch location, a minimum of two tunnels should be configured back to different headend devices. When sizing the headend installation, the failure of a single headend device should be taken into consideration. When adding an intelligent service such as IPmc, adding additional headend routers and spreading the load of the VPN terminations across more devices allows for the headend routers to "share" CPU load, thus making the solution more scalable.

Note In the interest of clarity and brevity, many of the examples shown in this design guide show only a single headend router in the topology. It is assumed in a customer deployment that redundant headend routers are configured similarly to the primary headend configuration shown.

IPmc Deployment

This chapter discusses recommended and optional configurations for IPmc deployments in an encrypted WAN topology. This section includes the following recommended guidelines:

Use multiple rendezvous points (RPs) for high availability

Use IP Protocol Independent Multicast (PIM) sparse mode and IP PIM Auto-RP listener.

Note Auto-RP is used in the deployment example but is not a requirement; statically configured RP address can be used instead.

Disable fast switching of IPmc as required on IPsec routers.

Mark the ToS byte of IPsec packets for proper classification and bandwidth allocation.

The use of GRE keepalives can be used in p2p GRE tunnels to eliminate the need for a routing protocol.

Topology

This section provides a high-level overview as well as details of the topology in use.

Topology Overview

This topology overview divides the network into the following four major components, as shown in Figure 2:

Primary campus

Secondary campus

Disaster recovery hot site

Remote SOHO routers

Figure 2 Topology Overview

Note The host names and series or model number of routers in this guide are not intended to imply performance characteristics suitable for all customer deployments. Various models of routers were used in developing this design guide to provide a variety of configuration examples. For example, a Cisco 831 router is typically deployed at a SOHO location rather than at a disaster recovery site.

The remote SOHO routers establish an IPsec-encrypted p2p GRE tunnel to one or more campus locations. For purposes of illustration, only one GRE tunnel is configured and shown, but it is assumed that in an actual customer deployment, a p2p GRE tunnel terminates at both major campus locations. Another option is for the customer to advertise a network prefix encompassing the IPsec and p2p GRE headend peer address from both the primary campus and the disaster recovery hot site. In the event of a failure of the primary campus, the IPsec and p2p GRE headend peer address, router, and configuration can be brought online at the disaster recovery site.

Two IPmc RPs are configured on routers dedicated for this purpose in the sample topology and are located at two separate physical locations. The RP IP addresses are not manually configured on the remote routers, but rather IP PIM Auto-RP is used. The interfaces of the routers are configured as IP PIM Sparse Mode and the ip pim autorp listener global configuration command is used on all remote routers. This command allows IP PIM Auto-RP to function over IP PIM Sparse Mode interfaces. The rendezvous points transmit an RP-Discovery to the Cisco discovery multicast group (224.0.1.40). The remote routers join the 224.0.1.40 group when ip pim autorp listener is configured.

The WAN links in this topology consist of broadband DSL and cable for the remote branch routers, DS3 or greater Internet links at the campus, and FastEthernet and GigabitEthernet between the primary, secondary, and disaster recovery site.

Detailed Topology

In a closer look at the topology, the individual remote routers are identified as well as the p2p GRE tunnel interface numbers on the headend IPsec and GRE router. All remote routers use the nomenclature of Tunnel0 for their primary p2p GRE tunnel, and Tunnel1 (where configured) as their backup or secondary p2p GRE tunnel. (See Figure 3.)

Figure 3 Topology Video Surveillance

The IPsec headend router uses dynamic crypto maps and static p2p GRE tunnels. A DMVPN configuration using multipoint GRE (mGRE) and Next Hop Resolution Protocol (NHRP) is a suitable alternative, and this configuration is used as discussed in Performance Testing. However, DMVPN and VTI do not support GRE keepalive, which is used in this sample configuration. As such, a dynamic IGP routing protocol such as EIGRP is configured.

To demonstrate the IPmc configuration, several IPmc-capable Panasonic WV-NM100 network color cameras are deployed. These cameras can source MPEG-4 compressed video streams to a configurable UDP unicast or multicast IP address, and are a feature rich and relatively inexpensive means of generating and viewing an IPmc application.

For more information on these cameras, see the following URL: http://www.panasonic.com.

Point-to-Point GRE over IPsec Configuration

This section provides sample configurations used in testing and internal Cisco deployments of IPmc in a teleworker environment. The IPmc application in use consists of IP video surveillance cameras streaming MPEG-4, both from a home office to a campus location and from the campus to the home office.

The following examples are shown:

Configuration commands common to most routers in the topology

IPmc RP configuration

Headend IPsec and p2p GRE router

Secondary campus and disaster recovery

Disaster recovery host site router

Remote branch routers

Common Configuration Commands

The configurations provided in this section are common to most routers in the sample topology, and as such, are provided in this section to avoid repetition in the later sections.

IPmc Commands

On the routers in this topology, IPmc routing is enabled globally, interfaces required to participate in the IPmc domain have IP PIM Sparse Mode enabled, and all routers except the IPmc RP routers are configured as IP PIM Auto-RP listeners. 

!

ip multicast-routing

!

ip pim autorp listener

!

no ip pim dm-fallback

!

interface Ethernet0

 description [Inside Interface]

 ip pim sparse-mode

!

interface Tunnel0

 ip pim sparse-mode

 no ip mroute-cache

!

Note Because of CSCdu87170 ("IP Multicast not working over GRE tunnel when IPsec is enabled"), these configurations all process switch (no ip mroute-cache) IPmc packets.

Without implementing one of the problem circumventions listed, the IPmc encapsulated packets are transmitted out the outside interface in the clear. This presents a security exposure.

The no ip pim dm-fallback command prevents PIM Dense Mode fallback if all rendezvous points fail. This feature was introduced in Cisco IOS release 12.3(4)T.

QoS Configuration

The QoS configuration is similar to configurations used in V3PN deployments. Because the sample IPmc application is video surveillance, a VIDEO-surveillance class is included. Most Cisco IOS router hardware platforms support re-marking the ToS byte on an input interface, and as an illustration, the IPmc address space is remarked to IP Precedence 4 or DSCP value of CS4.

The output service policy allocates bandwidth for video surveillance as a percentage of the shaped rate. The percentage value should be adjusted based on the available bandwidth and the image size, quality, resolution, and encoding.

In this set of tests, voice, video, and data is present on the broadband link concurrently. The link speed in some cases was below 768 Kbps, and the ip tcp adjust-mss command is configured. The value of 542 is used on interfaces with IPsec direct encapsulation or unencrypted packets, and a value of 574 is used on interfaces with p2p GRE or mGRE and IPsec encryption. 

!         

class-map match-all VOICE

 match ip dscp ef 

class-map match-any CALL-SETUP

 match ip dscp af31 

 match ip dscp cs3 

class-map match-any INTERNETWORK-CONTROL

 match ip dscp cs6 

 match access-group name IKE

class-map match-any VIDEO-surveillance

 match ip dscp cs4 

 match access-group name IPmc

!     

ip access-list extended IPmc

 permit udp any 224.0.0.0 15.255.255.255 	# Class `D' address space

!         

ip access-list extended IKE

 permit udp any eq isakmp any eq isakmp

!

policy-map V3PN-teleworker

description Note LLQ for ATM/DSL G.729=64K, G.711=128K

 class CALL-SETUP

  bandwidth percent 2

 class INTERNETWORK-CONTROL

  bandwidth percent 5

 class VOICE

  priority 128

 class VIDEO-surveillance

  bandwidth percent 45											# Value depends on bandwidth and Video image 

  queue-limit 10

 class class-default

  fair-queue

  random-detect

policy-map Shaper

 class class-default

  shape average 608000 6080											# Depends on link speed this value is used on a

											# Business class cable connection that is 768K up

  service-policy V3PN-teleworker

!         

!         

interface Ethernet1

 description Outside

 service-policy output Shaper

 ip route-cache flow

 ip tcp adjust-mss 542

interface Tunnel0

 ip mtu 1408

 ip tcp adjust-mss 574

 qos pre-classify

!

!										# Where supported, Video packets are marked on

!										# ingress. Not all IOS images support this feature

!

policy-map INGRESS

 class VIDEO-surveillance

  set ip dscp cs4

!

!

interface FastEthernet0/1

! 

 service-policy input INGRESS

IPsec Configuration

The IPsec configuration is characterized by the following features:

Digital certificates (PKI)

IKE encrypted with 3DES and Diffie-Hellman group 2

Dead Peer Detection and NAT Transparency (NAT-T) keepalives

IPsec encrypted with 3DES, HMAC of SHA-1, and tunnel mode

The branch router p2p GRE tunnel source is an RFC1918 address on Loopback1

Headend routers use dynamic crypto maps

The outside interface is protected by an input access control list (ACL) where appropriate. Examples of the ACL and the spouse-and-child security configuration are shown in later configuration examples. 

!

crypto pki trustpoint rtp5-esevpn-ios-ca

 enrollment url http://rtp5-esevpn-ios-ca:80

 revocation-check none

 source interface Ethernet0

 auto-enroll 70

!                  

crypto pki certificate chain rtp5-esevpn-ios-ca

 certificate 2E

 certificate ca 01

!                          

crypto isakmp policy 100

 encr 3des

 group 2  

crypto isakmp keepalive 10

crypto isakmp nat keepalive 10

!            

crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac 

crypto ipsec transform-set 3DES_SHA_TRANSPORT esp-3des esp-sha-hmac 

 mode transport

!         

crypto map Encrypt_GRE 10 ipsec-isakmp 

 set peer xx.xxx.223.23

 set transform-set 3DES_SHA_TUNNEL 

 match address Encrypt_GRE

!         

ip access-list extended Encrypt_GRE

 permit gre host _tunnel_source  host xx.xxx.223.23

!

interface Loopback1

 description Anchor for GRE tunnel

ip address _tunnel_source  255.255.255.255


!  

interface Tunnel0

 tunnel source Loopback1

 tunnel destination xx.xxx.223.23

!

interface Ethernet1

 description Outside

 ip address dhcp

 ip access-group INPUT_ACL in

 no cdp enable

 crypto map Encrypt_GRE

!         

!

Other Configuration Commands

These configuration commands are not characterized by the previous classifications. Note the following:

Cisco Express Forwarding (CEF) is configured.

Services such has SNMP, Syslog, Telnet, and TFTP are sourced so that they are protected by the encrypted p2p GRE tunnel.

IP SLA, formerly known as Service Assurance Agent (SAA), is configured to provide a history for troubleshooting. 

!

no service pad

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

clock timezone est -5

clock summer-time edt recurring

no aaa new-model

ip subnet-zero

!

ip telnet source-interface Ethernet0													# Inside Interface

ip tftp source-interface Ethernet0													# Inside Interface

no ip domain lookup

ip domain name cisco.com

!

ip host rtp5-esevpn-ios-ca 10.81.0.27

ip host vpn3-7200-1 10.59.138.1

ip host multicast-RP 10.81.7.219

ip host harry 172.26.129.252

ip host CAMERA2 10.59.138.21

ip host CAMERA1 10.81.7.227

!

ip name-server 207.69.188.185

ip cef

!

ip classless

!         

ip access-list extended INPUT_ACL

 remark Allow IKE and ESP from the RTP headends

 permit udp xx.xxx.223.16 0.0.0.15 any eq isakmp

 permit udp xx.xxx.223.16 0.0.0.15 any eq non500-isakmp

 permit esp xx.xxx.223.16 0.0.0.15 any

 permit gre xx.xxx.223.16 0.0.0.15 any

 permit udp any any eq bootpc

 remark NTP ACLs

 permit udp 192.5.41.40 0.0.0.1 eq ntp any

 permit udp host 216.210.169.40 eq ntp any

 remark SSH 

 permit tcp xx.xxx.87.0 0.0.0.255 any eq 22

 permit icmp any any

 deny   ip any any


no ip http server

no ip http secure-server

ip flow-export version 5

!         

logging source-interface Ethernet0											# Logging will be source always on the inside 

                                      											#  interface so they are encrypted


#

#

rtr responder

rtr 12

 type echo protocol ipIcmpEcho 172.26.129.252 source-ipaddr _Inside_IP_Address_

 request-data-size 164

 tos 192

 frequency 90

 lives-of-history-kept 1

 buckets-of-history-kept 60

 filter-for-history all

rtr schedule 12 life forever start-time now

!

banner motd ^C

   C i s c o S y s t e m s

     ||               ||

     ||               ||       Cisco Systems, Inc.

    ||||             ||||      IT-Transport

 .:|||||||:.......:|||||||:..

  US, Asia & Americas support:    + 1 408 526 8888

 EMEA support:                   + 31 020 342 3888

  UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.

 You must have explicit permission to access or configure this

 device. All activities performed on this device are logged and

 violations of this policy may result in disciplinary action.

^C

alias exec scr show running | b crypto isakmp

alias exec wrnet copy run tftp://harry/vpn/ECTW/_hostname_confg

alias exec crylife show cry ipsec sa det | inc eer|life|local|spi

!

line con 0

 exec-timeout 120 0

 login local

 no modem enable													# Cisco 830 Series specific

 transport preferred all

 transport output all

 stopbits 1

line aux 0

 transport preferred all

 transport output all

 stopbits 1

line vty 0 4

 exec-timeout 120 0

 login local

 transport preferred all

 transport input ssh

 transport output all

!

exception memory minimum 786432

scheduler max-task-time 5000

ntp server 192.5.41.41													# External NTP Server

ntp server 192.5.41.40 													# External NTP Server

ntp server 216.210.169.40 													# External NTP Server

ntp server 10.81.254.202 source Ethernet0    													# Internet NTP Server source off "Inside"

end

IPmc Rendezvous Point and IP PIM Auto-RP Configuration

Because this configuration uses IP PIM Sparse Mode, two routers (for availability) in the network core are configured to be RPs. RPs are used by senders to an IPmc group to announce their existence and by receivers of IPmc packets to learn about new senders.

The first hop router for an IPmc source (the video camera in this example) sends an IP PIM register message on behalf of the source to the RP, and the RP acknowledges receipt with a Register-Stop. An example of this exchange is shown in Appendix A—Output of debug ip pim.

The RP address is used by last hop routers (routers with workstations on a LAN interface interested in receiving IPmc packets) to send IP PIM join and prune messages to the RP to inform it about group membership. An example is shown in Appendix B—Output from Last Hop Router rtp9-ese-test.

Rather than manually configuring the RP in all routers, this configuration uses the Cisco IOS features IP PIM Auto-RP and RP-mapping agent. The IP PIM Auto-RP feature eliminates the need for this manual configuration because it automates the distribution of group-to-RP mappings. IP PIM Auto-RP requires the configuration of an RP-mapping agent to arbitrate conflicts between the two RPs. The RP-mapping agent provides consistent group-to-RP mappings to all other routers in the IP PIM network.

Primary 

!

hostname multicast-RP

!

boot-start-marker

boot system flash:c3725-advipservicesk9-mz.123-12

boot-end-marker

!

ip multicast-routing

!

interface FastEthernet0/0

 ip address 10.81.7.219 255.255.255.248

 ip pim sparse-mode

 duplex auto

 speed auto

!

ip route 0.0.0.0 0.0.0.0 10.81.7.217 name video831

!

ip pim send-rp-announce FastEthernet0/0 scope 32 group-list MY_IPmc_Groups

ip pim send-rp-discovery FastEthernet0/0 scope 5

!

ip access-list standard MY_IPmc_Groups

 permit 224.1.1.0 0.0.0.255

!  Do not code a  deny   any 

!

end

Note Do not code an explicit "deny any" in the standard access list My_IPmc_Groups because it forces all groups other than the groups specified on the permit statement into IP PIM Dense Mode throughout the network.

Secondary 

!

hostname vpn3-7200-1

!

boot system flash disk0:c7200-ik9o3s-mz.122-13.6.S

!

!

ip multicast-routing

!

interface FastEthernet1/0

 description vpn4-2651xm-1 for Joel's Multicast Testing

 ip address 10.59.136.13 255.255.255.252

 ip pim sparse-mode

 load-interval 30

 duplex full

 speed 100

!

!

interface GigabitEthernet4/0

 description To vpn3-2948-1

 ip address 10.59.138.1 255.255.254.0

 ip pim sparse-mode

 !

 load-interval 30

 negotiation auto

!

ip route 10.81.7.0 255.255.255.0 10.59.136.14 name ECT_SUBNETS

!

ip pim send-rp-announce GigabitEthernet4/0 scope 16

ip pim send-rp-discovery GigabitEthernet4/0 scope 16

!

end

Headend p2p GRE over IPsec Router

This section provides the configuration of a headend p2p GRE over IPsec router. Only one router is shown, but as previously noted, Cisco recommends having redundant headends for greater availability.

Unlike the configuration of the remote routers, the headend routers require certificate revocation checking. Because this topology includes branches with broadband connections that obtain IP addresses dynamically, the headend router uses a dynamic crypto map.

There is no routing protocol configured on the p2p GRE tunnel interfaces. Rather, static routes to the p2p GRE interfaces are redistributed into EIGRP, and reachability to the remote router is validated by GRE keepalives. The IP maximum transmission unit (MTU) of the p2p GRE interfaces forces fragmentation before encryption if required.

This router is configured as a "router on a stick"; encrypted and de-encrypted packets enter and leave on the same physical interface. In this configuration, there are two other IPsec headend routers, and EIGRP neighbors are formed with these routers on interface FastEthernet1/1. The gateway router to the enterprise campus network (10.81.0.17) advertises a summary address to the core network. This gateway router forwards all packets for the remote subnets to an IP HSRP address (10.81.0.20), and the active IP HSRP router forwards the packets to the appropriate IPsec headend router based on the specific network advertisements from EIGRP. 

!

hostname rtp5-esevpn-gw3

!

boot-start-marker

boot system disk0:c7200-ik9o3s-mz.123-8.T6

boot-end-marker

!

aaa authentication login default group tacacs+ enable

aaa session-id common

!

ip multicast-routing

!

crypto pki trustpoint rtp5-esevpn-ios-ca

 enrollment url http://rtp5-esevpn-ios-ca:80

 revocation-check crl												# Unlike the remote routers

!												# the headend checks CRLs

 auto-enroll 70

!

controller ISA 2/1

!

crypto isakmp keepalive 10

!

crypto dynamic-map DYNOMAP 10

 set transform-set 3DES_SHA_TUNNEL 

!

crypto map DynamicGRE local-address Loopback0

crypto map DynamicGRE 10 ipsec-isakmp dynamic DYNOMAP 

!

interface Tunnel104

 ip address 10.81.7.192 255.255.255.254

 ip mtu 1408

 ip pim sparse-mode

 no ip mroute-cache

 keepalive 10 3												# There is no routing protocol configured

 tunnel source Loopback0

 tunnel destination 10.81.7.209												# Remote Router Loopback 1

!

interface Tunnel136

 ip address 10.81.7.190 255.255.255.254

 ip mtu 1408

 ip pim sparse-mode

 no ip mroute-cache

 keepalive 10 3												# There is no routing protocol configured

 tunnel source Loopback0

 tunnel destination 10.81.7.214												# Remote Router Loopback 1

!

interface Tunnel212

 ip address 10.81.7.184 255.255.255.254

 ip mtu 1408

 ip pim sparse-mode

 ip route-cache flow										# Netflow enabled on some tunnels for illustration

 no ip mroute-cache

 load-interval 30

 keepalive 10 3												# There is no routing protocol configured

 tunnel source Loopback0

 tunnel destination 10.81.7.212												# Remote Router Loopback 1

!

interface Tunnel216

 ip address 10.81.7.194 255.255.255.254

 ip mtu 1408

 ip pim sparse-mode

 no ip mroute-cache

 keepalive 10 3												# There is no routing protocol configured

 tunnel source Loopback0

 tunnel destination 10.81.7.213												# Remote Router Loopback 1

!

interface Tunnel224

 ip address 10.81.7.188 255.255.255.254

 ip mtu 1408

 ip pim sparse-mode

 no ip mroute-cache

 keepalive 10 3												# There is no routing protocol configured

 tunnel source Loopback0

 tunnel destination 10.81.7.210												# Remote Router Loopback 1

!

interface Tunnel232

 ip address 10.81.7.186 255.255.255.254

 ip mtu 1408

 ip pim sparse-mode

 no ip mroute-cache

 keepalive 10 3												# There is no routing protocol configured

 tunnel source Loopback0

 tunnel destination 10.81.7.211												# Remote Router Loopback 1

!

interface Loopback0

 description Public address

 ip address xx.xxx.223.23 255.255.255.255

!

interface Loopback10

 description Loopback 

 ip address 10.81.7.208 255.255.255.255

 ip pim sparse-mode

!

!

interface FastEthernet1/0

 description Private - Campus Network

 ip address 10.81.0.23 255.255.255.240

 ip route-cache same-interface												# Router on a Stick

 ip route-cache flow

 duplex full

 speed 100

 standby 1 ip 10.81.0.20

 standby 1 priority 90

 standby 1 preempt

 standby 1 authentication [removed]

 crypto map DynamicGRE

!

!												# Exchange routing with IPsec direct DPD/RRI 

!												# headends on this F1/1 interface

!												# See network statement `router eigrp 64'

interface FastEthernet1/1

description VLAN 101 

 ip address 192.168.82.23 255.255.255.0

 duplex full

 speed 100

!

!

router eigrp 64

 redistribute static metric 9 5000 255 1 1408 route-map REMOTE_NETS

 network 192.168.82.0

 no auto-summary

 no eigrp log-neighbor-warnings

!

ip route 0.0.0.0 0.0.0.0 10.81.0.17

ip route 10.81.7.208 255.255.255.248 10.81.0.17 name Remote_loopbacks

!

!		# Instead of running a routing protocol on the Tunnel interface, will

!		# use GRE keepalives and a static route to the respective tunnel interface

!		# for the remote network[s] addresses

!

ip route 10.59.136.12 255.255.255.252 Tunnel212 name LAB_NET

ip route 10.59.138.0 255.255.254.0 Tunnel212 name LAB_NET

ip route 10.81.7.104 255.255.255.248 Tunnel104 name johnjo-1841-vpn

ip route 10.81.7.136 255.255.255.248 Tunnel136 name Video1751

ip route 10.81.7.216 255.255.255.248 Tunnel216 name Video831

ip route 10.81.7.224 255.255.255.248 Tunnel224 name vpn-jk2-1711-vpn

ip route 10.81.7.232 255.255.255.248 Tunnel232 name rtp9-ese-test

!

!

ip pim autorp listener

!

!		# Candidates for redistribution provided the respective tunnel interface is UP/UP

!

ip access-list standard REMOTE_NETS

 permit 10.81.7.0 0.0.0.255										# These networks are in the remote branch locations

 permit 10.59.138.0 0.0.1.255											# This network is in the secondary campus

 permit 10.59.136.12 0.0.0.3											# This network is in the secondary campus

 deny   any

!

ip radius source-interface Loopback0 

!         

route-map REMOTE_NETS permit 10

 description Redistribute remote subnets from static to GRE

 match ip address REMOTE_NETS

!

tacacs-server host xxx.xx.10.137

tacacs-server host xxx.xx.11.123

tacacs-server directed-request

!

radius-server attribute 69 clear

radius-server attribute 6 on-for-login-auth

radius-server host 10.81.0.19 auth-port 1645 acct-port 1646 key 7 [removed]

exception memory fragment 32768

exception memory minimum io 262144

exception memory minimum 1048576

end

Secondary Campus and Disaster Recovery

Two routers in this topology represent secondary and tertiary branch locations.

Secondary Campus

This router supports the secondary campus. The secondary RP, CAMERA_2, and workstations are present at this location. 

!

hostname vpn4-2651xm-1

!

!		System image file is "flash:c2600-advsecurityk9-mz.123-8.T5"

!

interface Tunnel0

 ip address 10.81.7.185 255.255.255.254

 ip pim sparse-mode

 no ip mroute-cache

 load-interval 30

 qos pre-classify

 keepalive 10 3											# There is no routing protocol configured

 tunnel source Loopback1

 tunnel destination xx.xxx.223.23

!

interface Loopback1

 description Anchor for GRE tunnel

 ip address 10.81.7.212 255.255.255.255

!         

interface FastEthernet0/0

 description FlashNet [Outside Interface]

 ip address 172.26.177.250 255.255.252.0

 ip access-group INPUT_ACL in

 service-policy output Shaper										# The shaped value depends on the bandwidth between

!										# this and the primary campus

 load-interval 30

 speed 100

 full-duplex

 crypto map Encrypt_GRE

!

interface FastEthernet0/1

 description To vpn3-7200-1 [Inside Interface]

 ip address 10.59.136.14 255.255.255.252

 ip pim sparse-mode

 service-policy input INGRESS

 no ip mroute-cache

 load-interval 30

 speed 100

 full-duplex

!

ip classless

ip route 0.0.0.0 0.0.0.0 Tunnel0

!

!	The 10.59.138.0/23 network is on GigE 4/0 on vpn3-7200-1, the IPmc RP

!

ip route 10.59.138.0 255.255.254.0 10.59.136.13 name vpn3-7200-1 

ip route 10.81.254.131 255.255.255.255 172.26.176.1 name NTP

ip route 10.81.254.202 255.255.255.255 172.26.176.1 name NTP

ip route xx.xxx.223.23 255.255.255.255 172.26.176.1 name rtp5-esevpn-gw3											# Crypto Peer

ip route 172.26.129.252 255.255.255.255 172.26.176.1 name HARRY

ip pim autorp listener

!

end

Disaster Recovery Host Site Router

This router is the third campus location. It supports the primary RP. 

version 12.3

!

hostname video-831

!

!	System image file is "flash:c831-k9o3sy6-mz.123-8.T5"

!

ip dhcp excluded-address 10.81.7.219											# Address of the IPmc RP on this network

ip dhcp pool Client

   import all

   network 10.81.7.216 255.255.255.248

   default-router 10.81.7.217 

   dns-server xx.xxx.6.247 171.68.226.120 

   domain-name cisco.com

   option 150 ip xx.xxx.2.93 

   netbios-name-server xxx.xx.235.228 xxx.xx.235.229 

!         

interface Tunnel0

 ip address 10.81.7.195 255.255.255.254

 ip mtu 1408

 ip pim sparse-mode

 ip tcp adjust-mss 574

 no ip mroute-cache

 load-interval 30

 qos pre-classify

 keepalive 10 3											# There is no routing protocol configured

!											# Using GRE keepalives instead

 tunnel source Loopback1

 tunnel destination xx.xxx.223.23

!         

interface Loopback1

 description Anchor for GRE tunnel

 ip address 10.81.7.213 255.255.255.255

!         

interface Ethernet0

 description [Inside Interface]

 ip address 10.81.7.217 255.255.255.248

 ip pim sparse-mode

 ip virtual-reassembly

 ip tcp adjust-mss 574

 no ip mroute-cache

 load-interval 30

 no cdp enable

 hold-queue 32 in

!         

interface Ethernet1

 description Outside

 ip address dhcp

 ip access-group INPUT_ACL in

 ip virtual-reassembly

 service-policy output Shaper										# The shaped value depends on the bandwidth between

!										# this and the primary campus

 ip route-cache flow

 ip tcp adjust-mss 542

 load-interval 30

 duplex auto

 no cdp enable

 crypto map Encrypt_GRE

!         

interface FastEthernet1

 no ip address

 duplex auto

 speed auto

!         

interface FastEthernet2

 no ip address

 duplex auto

 speed auto

!         

interface FastEthernet3

 no ip address

 duplex auto

 speed auto

!         

interface FastEthernet4

 no ip address

 duplex auto

 speed auto

!         

ip route 0.0.0.0 0.0.0.0 Tunnel0												# All enterprise packets in tunnel

ip route xx.xxx.223.23 255.255.255.255 dhcp												# Route for headend crypto peer

ip route 192.5.41.40 255.255.255.254 dhcp												# Route for NTP server[s]

!         

end

Remote Branch Routers

Two branch routers are shown: a branch with a camera, CAMERA_1, and a branch with a workstation configured to view both CAMERA_1 and CAMERA_2.

Branch with Camera_1

This branch is also configured to allow direct access to the Internet for a spouse-and-child subnet. All enterprise packets are sent to the campus via the p2p GRE over IPsec tunnel. This type of configuration is also useful for a branch location that needs to provide Internet access for customers or employees. 

!

hostname vpn-jk2-1711-vpn

!

boot-start-marker

boot system flash c1700-k9o3sy7-mz.123-8.T5

boot system flash 

boot-end-marker

!

ip dhcp excluded-address 192.168.1.1 192.168.1.99

!

ip dhcp pool Client												# This is the enterprise subnet

   import all

   network 10.81.7.224 255.255.255.248

   default-router 10.81.7.225 

   dns-server xx.xxx.6.247 171.68.226.120 

   domain-name cisco.com

   option 150 ip 10.59.138.51 

   netbios-name-server xxx.xx.235.228 xxx.xx.235.229 

!

ip dhcp pool SpouseChild												# This is the Spouse and Child subnet

   import all

   network 192.168.1.0 255.255.255.0

   default-router 192.168.1.1 

!

ip flow-cache feature-accelerate												# See VLAN2 Interface comments

ip cef    

!

ip inspect name CBAC tcp

ip inspect name CBAC udp

ip inspect name CBAC ftp

!

!

!

!

class-map match-all SpouseChild

 match access-group name pNAT_ACL

!

policy-map Shaper

 class class-default

  shape average 182400 1824												# DSL with 256K uplink

  service-policy V3PN-teleworker

!

policy-map INGRESS

 class VIDEO-surveillance

  set ip dscp cs4

 class SpouseChild												# On ingress all packets from this network

!												# will be re-marked to best effort

  set ip dscp default

 class class-default


crypto isakmp keepalive 10

crypto isakmp nat keepalive 10												# NAT-T is being used

!

!

interface Tunnel0

 description tunnel 0 

 ip address 10.81.7.189 255.255.255.254

 ip mtu 1408

 ip pim sparse-mode

 ip route-cache flow

 ip tcp adjust-mss 574

 no ip mroute-cache

 load-interval 30

 qos pre-classify

 keepalive 10 3													# There is no routing protocol configured

 tunnel source Loopback1

 tunnel destination xx.xxx.223.23

!

interface Tunnel1

 description Tunnel 1 [secondary tunnel - NOT IMPLEMENTED]

 ip mtu 1408

 ip pim sparse-mode

 ip route-cache flow

 ip tcp adjust-mss 574

 load-interval 30

 qos pre-classify

 keepalive 10 3													# There is no routing protocol configured

 tunnel source Loopback1

!

interface Loopback1

 description Anchor for GRE tunnel

 ip address 10.81.7.210 255.255.255.255

!

interface FastEthernet0

 description Outside

 ip address dhcp

 ip access-group INPUT_ACL in

 ip nat outside

 ip inspect CBAC out

 ip virtual-reassembly

 service-policy output V3PN-teleworker

 ip route-cache flow

 ip tcp adjust-mss 542

 duplex auto

 speed auto

 no cdp enable

 crypto map Encrypt_GRE

!

interface FastEthernet1

 description CORPORATE NETWORK PORT - VLAN 1 by default

 no ip address

!

interface FastEthernet2

 description CORPORATE NETWORK PORT - VLAN 1 by default

 no ip address

!

interface FastEthernet3

 description SPOUSE_CHILD PORT - VLAN 2

 switchport access vlan 2

 no ip address

!

interface FastEthernet4

 description SPOUSE_CHILD PORT - VLAN 2

 switchport access vlan 2

 no ip address

!

interface Vlan1

 description Inside

 ip address 10.81.7.225 255.255.255.248

 ip pim sparse-mode

 service-policy input INGRESS

 ip route-cache flow

 ip tcp adjust-mss 574

 no ip mroute-cache

 load-interval 30

 hold-queue 40 out

!

interface Vlan2

 description SPOUSE_CHILD

 ip address 192.168.1.1 255.255.255.0

 ip nat inside

 ip virtual-reassembly

 service-policy input INGRESS

 ip route-cache flow												

 ip tcp adjust-mss 542

 ip policy route-map SPOUSE_CHILD												

 load-interval 30

!

!												# All enterprise packets in tunnel

ip route 0.0.0.0 0.0.0.0 Tunnel0 20 name primary_tunnel								

ip route 0.0.0.0 0.0.0.0 Tunnel1 40 name secondary_tunnel

!

ip route xx.xxx.223.23 255.255.255.255 dhcp												# Route for headend crypto peer

ip route 192.5.41.40 255.255.255.254 dhcp												# Route for NTP server[s]

!

ip nat inside source list pNAT_ACL interface FastEthernet0 overload

ip pim autorp listener

!

ip access-list extended pNAT_ACL

 permit ip 192.168.1.0 0.0.0.255 any

!

route-map SPOUSE_CHILD permit 10

!												

 description Force all SPOUSE_CHILD to Internet unencrypted

 match ip address pNAT_ACL

 set interface FastEthernet0

 set ip next-hop dynamic dhcp

!

alias exec show_vlan_database vlan database

alias exec update_vlan_databas vlan database

!

end

Branch with Workstation

This section shows both the router configuration as well as the software application configuration.

Router Configuration 

!

hostname rtp9-ese-test

!

boot-start-marker

boot system flash c1700-k9o3sy7-mz.123-12a

boot system flash 

boot-end-marker

!

ip host CAMERA2 10.59.138.21

ip host CAMERA1 10.81.7.227

!

ip dhcp pool Client

   import all

   network 10.81.7.232 255.255.255.248

   default-router 10.81.7.233 

   dns-server xx.xxx.6.247 xxx.xx.226.120 

   domain-name cisco.com

   option 150 ip xx.xxx.2.93 

   netbios-name-server xxx.xx.235.228 xxx.xx.235.229 

!

!

interface Loopback1

 description Anchor for GRE tunnel

 ip address 10.81.7.211 255.255.255.255

!

interface Tunnel0

 ip address 10.81.7.187 255.255.255.254

 ip mtu 1408

 ip pim sparse-mode

 ip route-cache flow

 ip tcp adjust-mss 574

 no ip mroute-cache

 load-interval 30

 qos pre-classify

 keepalive 10 3

 tunnel source Loopback1

 tunnel destination xx.xxx.223.23

!

interface Ethernet0/0

 description Outside

 ip address dhcp

 ip access-group INPUT_ACL in

 ip route-cache flow

 ip tcp adjust-mss 542

 load-interval 30

 half-duplex

 no cdp enable

 crypto map Encrypt_GRE

 service-policy output Shaper

!

interface FastEthernet0/0

 description Inside

 ip address 10.81.7.233 255.255.255.248

 ip pim sparse-mode

 ip route-cache flow

 ip tcp adjust-mss 574

 no ip mroute-cache

 load-interval 30

 speed auto

 no keepalive

 service-policy input INGRESS

 hold-queue 40 out

!

ip route 0.0.0.0 0.0.0.0 Tunnel0 40						# All enterprise packets in tunnel

ip route xx.xxx.223.23 255.255.255.255 dhcp							# Route for headend crypto peer

ip route 192.5.41.40 255.255.255.254 dhcp						# Route for NTP server[s]

!

end

Workstation—Network Camera Software Configuration

Camera_1 uses IPmc group 224.1.1.20 and UDP port 5004, while Camera_2 uses IPmc group 224.1.1.21 and UDP port 5004.

Figure 4 shows the Advanced Setup screen for Camera 1 in the foreground, while the background browser is displaying the IPmc transported MPEG-4 image.

Figure 4 Camera 1—Advanced Setup Screen and Background Browser

Virtual Tunnel Interface Configuration

This section shows how the previous configuration example may be implemented using Dynamic Virtual Tunnel Interface (DVTI). The VTI feature can be configured using static tunnels on both the branch and headend routers, or a static tunnel on the branch router and a dynamic tunnel configuration by means of virtual templates on the headend router. This example shows the use of the dynamic feature on the headend routers.

VTI Support for IPmc

To demonstrate a working configuration of VTI support of IPmc, this deployment is implemented over broadband Internet connections and the internal Cisco network.

All routers are configured with IP PIM Sparse Mode and ip pim autorp listener and two RPs. Panasonic video surveillance cameras are deployed as IPmc sources, and the Panasonic IPmc plug-in for a web browser is the sink.

Topology

The basic topology shown in Figure 5 is implemented. It is similar to the sample topology in Figure 3. The main difference is the incorporation of VTI in place of an encrypted p2p GRE tunnel. The GRE keepalive has been replaced with both EIGRP and OSPF. The branch router configuration shown is an EIGRP configuration.

Figure 5 IPmc Topology—VTI

There are two cameras and any branch can view images from both cameras. There are two RPs.

Configuration Examples

The IPmc configuration is identical to the p2p GRE over IPsec configuration in the previous section. The headend router configuration shown now includes the IPmc commands on the virtual template interface rather than a p2p GRE interface. Because the interface is created dynamically, which means a virtual access interface is cloned from the virtual template interface, a dynamic IGP routing protocol must be used instead of redistributing static routes that use the p2p GRE interface as their next hop.

Headend Router Configuration

The following is the relevant portion of the Cisco 7200VXR Series headend router. 

!

hostname rtp5-esevpn-gw3

!

boot-start-marker

boot system disk0:c7200-advipservicesk9-mz.124-2.T1.bin

boot system disk0:

boot-end-marker

!

ip multicast-routing

!

crypto pki trustpoint rtp5-esevpn-ios-ca

 enrollment url http://rtp5-esevpn-ios-ca:80

 revocation-check crl

 auto-enroll 70

!

crypto pki certificate chain rtp5-esevpn-ios-ca

 certificate 21

 certificate ca 01

!

crypto isakmp policy 1

 encr 3des

 group 2

crypto isakmp keepalive 10

!

crypto isakmp profile VTI_1544K

   description TEST for VTI Templates 1.544K

   ca trust-point rtp5-esevpn-ios-ca

   match identity host domain cisco.com

   keepalive 10 retry 2

   virtual-template 154

   local-address Loopback0

crypto ipsec transform-set 3DES_SHA_TUNNEL esp-3des esp-sha-hmac 

crypto ipsec transform-set COMPRESS esp-3des esp-sha-hmac comp-lzs 

!

crypto ipsec profile VirtualTunnelInterface

 set transform-set COMPRESS 3DES_SHA_TUNNEL 

 set isakmp-profile VTI_1544K

!

interface Loopback0

 description Public address

 ip address xx.xxx.223.23 255.255.255.255

!

interface Loopback10

 description Loopback for VTI/Virtual-Template154

 ip address 10.81.7.216 255.255.255.255

 ip pim sparse-mode

!

!

interface Virtual-Template154 type tunnel