Cisco AVVID Network Infrastructure IP Multicast Design - page 66 / 98

Chapter 6

IP Multicast in a Site-to-Site VPN

Site-to-Site VPN Overview

Managing IPSec and GRE Overhead

The use of IPSec and GRE causes some packet expansion. This is a concern when working with MTU-sized packets with either of these protocols. When both protocols are used together, the packet expansion can be 90 bytes or more depending upon the IPSec options and transforms used. This has an effect in two places.

Networks with a high percentage of small packets, such as a voice-over-IP network. Because the fixed encapsulation overhead is a much larger percentage of a small packet than of a large one, additional link bandwidth may need to be provisioned in such a network.

MTU-sized packets. Because of the packet expansion that takes place during encapsulation and encryption, these packets become larger than the MTU of many media types commonly used in networks today. They will be fragmented upon forwarding unless the packet size has been reduced below the MTU before encryption. Path MTU discovery offers a workaround: it dynamically discovers the smaller effective MTU available to an encapsulated packet.

Figure 6-1 shows how the IP packet is expanded over the MTU size when GRE and IPSec are added.
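The two effects above can be quantified. The following is an added example, not code from the Cisco design guide: it models GRE encapsulation followed by IPsec ESP in tunnel mode using the header sizes the guide shows (20-byte IP header, 4-byte GRE header) plus the standard ESP framing (SPI, sequence number, IV, padding to the cipher block size, pad-length and next-header bytes, and a truncated ICV). The transform sets used (ESP-3DES and ESP-AES-128, each with HMAC-SHA1-96) are assumptions chosen for illustration, as is the 60-byte voice packet used as sample input. From the model it derives the percentage expansion of a small packet and the largest pre-encryption packet size that still fits a 1500-byte link MTU, which is the value an operator would consider for the tunnel's pre-encryption MTU setting.

```python
"""Added example (not from the Cisco guide): GRE + IPsec ESP tunnel-mode
packet expansion, small-packet overhead percentage, and the largest inner
packet that avoids post-encryption fragmentation on a given link MTU."""
from dataclasses import dataclass
import math

IP_HDR = 20   # IPv4 header without options (matches Figure 6-1)
GRE_HDR = 4   # GRE header with no key, checksum or sequence fields (matches Figure 6-1)


@dataclass(frozen=True)
class EspTransform:
    """ESP framing parameters for one transform set (assumed values for illustration)."""
    name: str
    iv_len: int      # cipher IV carried after the SPI and sequence number
    block_size: int  # cipher block size; payload + pad + 2 is padded to a multiple of it
    icv_len: int     # truncated integrity check value appended after the trailer


ESP_3DES_SHA1 = EspTransform("esp-3des esp-sha-hmac", iv_len=8, block_size=8, icv_len=12)
ESP_AES128_SHA1 = EspTransform("esp-aes esp-sha-hmac", iv_len=16, block_size=16, icv_len=12)


def esp_overhead(payload_len: int, t: EspTransform) -> int:
    """Bytes ESP adds around payload_len bytes:
    SPI(4) + sequence(4) + IV + padding + pad-length(1) + next-header(1) + ICV."""
    padded = math.ceil((payload_len + 2) / t.block_size) * t.block_size
    padding = padded - payload_len - 2
    return 4 + 4 + t.iv_len + padding + 2 + t.icv_len


def gre_size(inner_len: int) -> int:
    """Size after GRE encapsulation: new outer IP header + GRE header + original packet."""
    return IP_HDR + GRE_HDR + inner_len


def gre_ipsec_tunnel_size(inner_len: int, t: EspTransform) -> int:
    """Size on the wire after GRE and then ESP tunnel mode (another outer IP header)."""
    gre_pkt = gre_size(inner_len)
    return IP_HDR + gre_pkt + esp_overhead(gre_pkt, t)


def expansion_percent(inner_len: int, t: EspTransform) -> float:
    """Overhead as a percentage of the original packet, rounded to one decimal."""
    grown = gre_ipsec_tunnel_size(inner_len, t)
    return round((grown - inner_len) / inner_len * 100, 1)


def max_inner_mtu(link_mtu: int, t: EspTransform) -> int:
    """Largest inner packet whose GRE + ESP encapsulation still fits link_mtu.
    This is the size to enforce before encryption so the outgoing interface
    never has to fragment the encrypted packet."""
    size = link_mtu
    while gre_ipsec_tunnel_size(size, t) > link_mtu:
        size -= 1
    return size


if __name__ == "__main__":
    # Constructed sample: a 60-byte VoIP packet (20 IP + 8 UDP + 12 RTP + 20 payload).
    voice = 60
    for t in (ESP_3DES_SHA1, ESP_AES128_SHA1):
        print(f"{t.name}: {voice}-byte packet -> {gre_ipsec_tunnel_size(voice, t)} bytes "
              f"({expansion_percent(voice, t)}% expansion)")
        print(f"{t.name}: 1500-byte packet -> {gre_ipsec_tunnel_size(1500, t)} bytes; "
              f"largest inner size fitting a 1500-byte link MTU = {max_inner_mtu(1500, t)}")
```

With the 3DES transform the ESP overhead around the 84-byte GRE packet comes out at 32 bytes, in line with the "32 bytes (variable)" IPsec header the figure shows, and the 60-byte voice packet more than doubles in size. The same 1500-byte packet grows to 1576 bytes, so with this transform an inner packet must be held to 1422 bytes or less to avoid fragmentation on a 1500-byte link; the loop in max_inner_mtu accounts for the block-size padding, which is why the answer is not simply 1500 minus a constant.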

Figure 6-1 IPSec/GRE Packet Expansion

IP Packet: IP Hdr (20 bytes) | Data (Large)

GRE Added: New IP Hdr (20 bytes) | GRE (4 bytes) | IP Hdr (20 bytes) | Data (Large)

IPSec Added (Tunnel Mode): New IP Hdr (20 bytes) | IPSec Hdr (32 bytes, variable) | New IP Hdr (20 bytes) | GRE (4 bytes) | IP Hdr (20 bytes) | Data (Large)

(The figure marks the MTU size against the three rows to show the encapsulated packet exceeding it.)

Redundant VPN Head-end Design

Because fail-safe operation is a mandatory feature in any enterprise network, redundancy should be built into head-end designs. From each branch location, a minimum of two tunnels are configured back to different head-end devices. When sizing the head-end installation, the failure of a single head-end device should be taken into consideration. When adding intelligent services such as IP multicast, adding head-end routers and spreading the load of the VPN terminations across more devices allows the head-end routers to “share” CPU time, making the solution more scalable.

Cisco AVVID Network Infrastructure IP Multicast Design, page 6-2 (956651)