
WE HELP BUILD THE WORLD

Global Network Training Series


Dynamic Multipoint Virtual Private Networks (DMVPN) 01 March 2012

Harsco's Core Ideology

Core Purpose: To build teams that win with integrity anywhere in the world

[Diagram: Core Purpose at the centre, surrounded by Customers, Employees, Shareholders, Suppliers; Value Creation, Value Capture, Value Selling; Be the Best; Sustainable Superior Performance (20-Mile March); Safety; Ethical in Thought, Word and Deed; Disciplined Thought, Disciplined Action and Disciplined People; Transparency; Personal Accountability and Responsibility; Targeted Markets; BHAG; Envisioned Future]

Core Values

1. Uncompromising Integrity and Ethical Business Practices
   Harsco Integrity Framework: Code of Conduct, Safety Practices, Security Practices, Global Management Practices, Internal Control

2. People, the "A Team"
   Human Capital Framework: Global Talent Management System for Recruiting, Developing, Retaining and Assessing Human Capital

3. Continuous Improvement
   Continuous Improvement Discipline through Lean and Six Sigma Methods; Business Transformation

4. Value Creation Discipline
   Economic Value Added (EVA); Value Selling Culture


DMVPN: Simple and Secure Branch-to-Branch Communications

Technology Overview

Major Benefits

- On-demand full-mesh connectivity with a simple hub-and-spoke configuration
- Automatic IP Security (IPsec) triggering to build the IPsec tunnel
- Near zero-touch deployment when adding remote sites
- Reduced latency and bandwidth savings (spoke-to-spoke traffic no longer hairpins through the hub)
- Full support for enterprise dynamic routing protocols
- Support for dynamically addressed spokes (remote sites)

Applications

Cost-driven use of the Internet to replace or back up MPLS-based WAN topologies, while providing a platform for distributed applications such as voice (subject to proper engineering design considerations).

Advanced Design Issues

- Network design: design, redundancy and scaling
- Routing: dynamic routing protocols
- Encrypting peers: finding, mapping and authenticating

DMVPN: Advanced Design Issues

Network Design: LAN-to-LAN vs DMVPN

LAN-to-LAN (GRE Tunnel)

One tunnel interface configured per remote site, each with its own access list, crypto map policy and ISAKMP pre-shared key. Every new site means another tunnel, ACL, crypto map entry and key on the hub, and spoke-to-spoke traffic has to transit the hub.


DMVPN: Advanced Design Issues (continued)

Network Design: LAN-to-LAN vs DMVPN

DMVPN (mGRE Tunnel)

One tunnel interface configured to support all remote sites. NHRP resolves each spoke's tunnel address to its public (NBMA) address, and a single IPsec profile applied with tunnel protection replaces the per-peer crypto maps, so adding a site changes nothing on the hub.
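To make the contrast concrete, here is an added configuration example (not a configuration from this deck or from Harsco) showing the hub side of both designs plus one DMVPN spoke. The public addresses 198.51.100.1 and 203.0.113.10, the interface names, EIGRP AS 1, NHRP network-id 1, the LAN subnets and the angle-bracket keys are assumptions; 10.42.4.254 is the DMVPN address the post-check checklist pings and is taken here to be the hub's tunnel address.

```cisco
! ===== Shared IKE/IPsec settings, used by both designs =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! GRE is the payload, so transport mode is enough and saves 20 bytes per packet
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode transport
!
! ===== LAN-to-LAN: one key, one ACL, one crypto-map entry, one tunnel PER SITE =====
! (repeat with Tunnel2, map entry 20, a new ACL and a new key for every site)
crypto isakmp key <site1-psk> address 203.0.113.10
ip access-list extended GRE-SITE1
 permit gre host 198.51.100.1 host 203.0.113.10
crypto map L2L 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES
 match address GRE-SITE1
interface Tunnel1
 description p2p GRE to site 1
 ip address 10.255.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map L2L
!
! ===== DMVPN hub: one mGRE tunnel and one IPsec profile serve every spoke =====
! The wildcard PSK is what makes spokes near zero-touch and lets them use dynamic
! addresses; the cost is that any device holding the key can register, so a lost
! spoke exposes the overlay. Rotate it, and move to certificates (rsa-sig) once a PKI exists.
crypto isakmp key <dmvpn-psk> address 0.0.0.0 0.0.0.0
crypto ipsec profile DMVPN
 set transform-set TS-AES
interface Tunnel0
 description mGRE hub - all spokes
 ip address 10.42.4.254 255.255.255.0
! 1400 inner + 20 outer IP + 8 GRE/key + at most 53 bytes of ESP transport overhead
! = 1481, which still fits a 1492-byte PPPoE path; MSS is 40 (IP+TCP) below the MTU
 ip mtu 1400
 ip tcp adjust-mss 1360
! NHRP authentication is cleartext: it catches misconfigured peers, not attackers
 ip nhrp authentication <nhrp-key>
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 600
! Re-advertise spoke routes out the same interface and keep the originating
! spoke as next hop, so spokes build direct spoke-to-spoke tunnels
 no ip split-horizon eigrp 1
 no ip next-hop-self eigrp 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN
router eigrp 1
 network 10.42.4.0 0.0.0.255
 network 10.10.0.0 0.0.255.255
!
! ===== DMVPN spoke: the same stanza on every site; only its own tunnel address differs =====
interface Tunnel0
 ip address 10.42.4.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication <nhrp-key>
! the only static mapping is the hub; other spokes are resolved through it on demand
 ip nhrp map 10.42.4.254 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp nhs 10.42.4.254
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN
router eigrp 1
 network 10.42.4.0 0.0.0.255
 network 10.42.1.0 0.0.0.255
```

The spoke stanza is deliberately identical from site to site: that is what makes a templated, near zero-touch rollout possible. The price is the wildcard pre-shared key; treat it as a shared credential whose compromise on any one spoke means re-keying every site.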


Hardware Requirements

Model | Recommended Number of Users | Switch Ports | License
871W  | 20  | 4    | Need to purchase Advanced IP Services License
881W  | 20  | 4    | Need to purchase Advanced IP Services License
891W  | 50  | 8    | Comes with Advanced IP Services License
892W  | 50  | 8    | Comes with Advanced IP Services License
1841  | 50  | None | Need to purchase Advanced IP Services License
1921  | 50  | None | Need to purchase Security Feature License
2800  | 100 | None | Need to purchase Advanced IP Services License


Hardware Requirements

Model | Part Number         | Description                                                        | US List Price | UK List Price
871   |                     | End of Sale: July 15, 2010                                         |               |
881   | CISCO881-K9         | Cisco 881 Ethernet Sec Router                                      | $649          | 446
881   | CISCO881W-GN-A-K9   | Cisco 881 Ethernet Sec Router 802.11n FCC Comp                     | $999          | 686
881   | CISCO881W-GN-E-K9   | Cisco 881 Ethernet Sec Router 802.11n ETSI Comp                    | $999          | 686
891   | CISCO891-K9         | Cisco 891 GigaE SecRouter                                          | $1,295        | 890
891   | CISCO891W-AGN-A-K9  | Cisco 891 GigaE SecRouter w/ 802.11n a/b/g FCC Comp                | $1,845        | 1,268
892   | CISCO892-K9         | Cisco 892 GigaE SecRouter                                          | $1,295        | 890
892   | CISCO892W-AGN-E-K9  | Cisco 892 GigaE SecRouter w/ 802.11n a/b/g ETSI Comp               | $1,845        | 1,268
1800  |                     | End of Sale: Nov 1, 2011                                           |               |
1900  | CISCO1921-SEC/K9    | Cisco 1921/K9 with 2GE, SEC License PAK, 512MB DRAM, 256MB Flash   | $1,695        | 1,164
1900  | CISCO1941-SEC/K9    | Cisco 1941 Security Bundle w/ SEC license PAK                      | $2,495        | 1,714
1900  | C1941W-E-N-SEC/K9   | Cisco 1941 Security Router, 802.11 a/b/g/n AP ETSI Compliant       | $2,995        | 2,058
1900  | CISCO1941W-A/K9     | Cisco 1941 Router w/ 802.11 a/b/g/n FCC Compliant WLAN ISM         | $2,095        | 1,439
2800  |                     | End of Sale: Nov 1, 2011                                           |               |
880   | SL-880-AIS          | Cisco 880 Advanced IP Services License                             | $150          | 103
1900  | L-SL-19-SEC-K9=     | Security E-Delivery PAK for Cisco 1900                             | $1,000        | 687


Cisco 871W Router
[figure]

Cisco 881W Router
[figure]

Cisco 891W/892W Router
[figure]

SmartNet Requirements

The following support package should be purchased for the router; it provides the warranty and technical support from Cisco Systems.

- Minimum: packaged SmartNet 8x5xNBD
- Recommended for mission-critical sites: packaged SmartNet 24x7x4
- SmartNet can be purchased and managed through LaSalle in the near future.


Out of Band Access

All DMVPN routers need out-of-band access. This allows the GIS Global Networking Team to connect to the router in the event of an outage and troubleshoot the problem. There are two options for out-of-band access:

Analog modem

- EMEA: USR015630D USRobotics 56K External Data/Fax Modem V92
- Americas: USR5686E USRobotics 56K External Data/Fax Modem V92
- RJ45 to DB25M cable, Cisco part number CAB-AUX-RJ45

3G

If an analog line is not available at a location, a 3G connection might be usable to provide out-of-band access. GIS is researching the equipment needed for this type of access and its price.

Whichever option is used, the modem answers any caller, so the AUX line it is attached to must require login (AAA on line aux 0) exactly as the VTY lines do.


ISP Service Requirements

We need a business-class DSL line or a dedicated Internet circuit with at least one static, globally routable (global outside) IP address, delivered without Network Address Translation (NAT), that we can bind to the external interface of our router, plus an Ethernet presentation from the ISP. On some ADSL circuits the ISP ships a router/modem with the circuit; to meet the above and provide a connection without NAT, that device must run in bridge mode rather than routed mode, and PPP authentication then has to be configured on our router.

To preserve bandwidth on the HADC Internet connections, the DMVPN routers will rate-limit the HADC tunnel interfaces only. Traffic between DMVPN locations will not be rate-limited.
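What the bridge-mode requirement means on the Harsco-side router, as an added example (not a configuration from this deck): the modem only bridges, the router runs the PPPoE client and answers the ISP's CHAP challenge with the credentials the ISP supplies, takes its public address by negotiation, and sources the DMVPN tunnel from the dialer. The interface names and the rest of the tunnel stanza (as on the DMVPN spoke) are assumed.

```cisco
! ISP hands off Ethernet from a DSL modem in bridge mode; the PPPoE session and
! the ISP's PPP authentication are handled by the Harsco router itself
interface FastEthernet4
 description ISP DSL, modem in bridge mode
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Dialer1
 description PPPoE to ISP
 ip address negotiated
! PPPoE leaves 1492 bytes for IP; clamp TCP MSS so LAN hosts never exceed it
 ip mtu 1492
 ip tcp adjust-mss 1452
 encapsulation ppp
 dialer pool 1
 dialer-group 1
! "callin" means we never challenge the ISP; we only answer its challenge
 ppp authentication chap callin
 ppp chap hostname <isp-username>
! at best this is stored with reversible type-7 obfuscation, so the
! configuration archives (CiscoWorks) hold it too: restrict who can read them
 ppp chap password 0 <isp-password>
 no cdp enable
!
dialer-list 1 protocol ip permit
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! Only the WAN side of the spoke changes: the tunnel rides the dialer, and the
! hub is told to accept a fresh registration from a new public address when
! PPP renegotiates instead of rejecting it until the old NHRP entry times out
interface Tunnel0
 tunnel source Dialer1
 ip nhrp registration no-unique
!
! Checks: session up, address obtained, registration at the hub
show pppoe session
show ip interface brief | include Dialer
show ip nhrp nhs detail
```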


ISP Questions

- Is this circuit ADSL, SDSL or a dedicated Internet circuit?
- What are the upstream and downstream bandwidth speeds?
- Is the circuit provisioned without NAT?
- Are there any proxies, firewalls or other devices on the ISP network that may negatively impact IPsec traffic?
- Is/are the assigned IP address(es) static (non-changing)? Is the default gateway for this assignment static (non-changing)?
- If using DSL, will the IP addressing be assigned dynamically?
- If using DSL, will the ISP router/modem need to run in bridge mode to avoid the use of NAT?
- If using DSL, will PPP authentication be required on the Harsco router?
- What type of physical presentation is provided to the Harsco router (Ethernet, RJ-11, etc.)?
- Is the use of IPsec supported on the ISP network?


DMVPN Site Preparation and Migration Checklists

Agenda

Pre-test checklist
- ISP link validation
- Router licensing and IOS
- Site-specific configuration details (site name, DHCP scopes, Sites and Services, etc.)

Post-check checklist
- Fragmentation and MTU
- Shared (HADC) resource connectivity
- Login times

Post-migration checklist (GIS use)
- CiscoWorks
- WhatsUp Gold
- NetFlow
- Syslog
- Global Network inventory


DMVPN Site Preparation and Migration Checklists

Pre-test checklist

ISP link validation

- DSL link with Ethernet handoff; share the bandwidth details with the GIS team.
- A public IP address without NAT is required. If a static IP is provided, the default gateway must be provided as well.
- If the DSL link terminates as PPPoE, the modem must be configured in bridge mode.
- Connect a notebook to the ISP link and run the following checks:
  - Check for Internet connectivity.
  - If the link is PPPoE, set up a dial-up profile and validate the DSL account credentials.
  - MTU test: ping the Camphill headend router with a large packet, e.g. ping 72.20.207.59 -l 1500, which should succeed; record the latency values. Note that -l sets the payload only, so this packet is larger than 1500 bytes on the wire and succeeds only because it may be fragmented. To find the largest packet the path carries unfragmented, add -f (don't fragment) and start at -l 1472 (1500 bytes total) or -l 1464 (1492 bytes, typical for PPPoE).
- An OOB modem with a PSTN connection is required to access the router remotely during migrations/outages. If OOB access is not available, a 3G data card connected to a laptop is needed.


DMVPN Site Preparation and Migration Checklists

Pre-test checklist

Router licensing and IOS

Below are the router models currently identified at L2L sites. For each of these models to support DMVPN, the router needs to be upgraded to a permanent licence and the IOS version listed below, using the image file named for that model.

Sl. No | Router Model | IOS version | IOS file name                         | IOS file size | DRAM (MB) | Flash (MB)
1      | 871W         | 15.0(1)M4   | c870-advipservicesk9-mz.150-1.M4.bin  | 25.25 MB      | 192       | 36
2      | 881W         | 15.0(1)M4   | c880data-universalk9-mz.150-1.M4.bin  | 27.14 MB      | 256       | 128
3      | 891W         | 15.0(1)M4   | c890-universalk9-mz.150-1.M4.bin      | 28.73 MB      | 512       | 256
4      | 892W         | 15.0(1)M4   | c890-universalk9-mz.150-1.M4.bin      | 28.73 MB      | 512       | 256
5      | 1841         | 15.0(1)M4   | c1841-advipservicesk9-mz.150-1.M4.bin | 39.77 MB      | 256       | 64

The 1841 routers currently run the Advanced Security feature set, which does not support DMVPN, so they need to be upgraded to Advanced IP Services and the IOS image listed in the table. The upgrade needs the router plus a server or desktop on the local network from which the IOS image can be copied, and console access at the same time.
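The upgrade itself, as an added example of the IOS commands involved (not a procedure from this deck), shown for the 1841 with the image named in the table. The TFTP server address 192.0.2.10, the fallback image name and the licence file name are placeholders. The check in step 3 is the one most often skipped: verify the digest against the MD5 Cisco publishes for the file before pointing the boot variable at it.

```cisco
! 1. Know what you have: image, feature set, memory and free flash (the 1841
!    image needs 40 MB free; the 880/890 images 27-29 MB)
show version | include IOS Software|System image|bytes of memory
dir flash:
!
! 2. Pull the image from the local server the checklist calls for; TFTP over
!    the WAN is far too slow for a 40 MB file
copy tftp://192.0.2.10/c1841-advipservicesk9-mz.150-1.M4.bin flash:
!
! 3. Verify before you boot: supply the MD5 from cisco.com and IOS reports
!    "Verified" or an error. A truncated or tampered image fails here, not at reload.
verify /md5 flash:c1841-advipservicesk9-mz.150-1.M4.bin <md5-from-cisco.com>
!
! 4. Boot the new image first, keep the old one as fallback, save, reload.
!    Do this on the console (or with OOB access ready): a bad boot variable on a
!    remote site otherwise means a site visit.
configure terminal
 no boot system
 boot system flash:c1841-advipservicesk9-mz.150-1.M4.bin
 boot system flash:<previous-image>.bin
end
write memory
reload
!
! 5. After reload, confirm the feature set actually changed
show version | include System image
!
! 6. Only for the 880/890 universal images: Advanced IP Services is a permanent
!    licence file (SL-880-AIS) installed after the image and activated by a reload
license install flash:<licence-file>.lic
show license
```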

DMVPN Site Preparation and Migration Checklists

Pre-test checklist

Site-specific configuration details (site name, DHCP scopes, Sites and Services, etc.)

- TSM needs to provide the site code details.
- GIS will provide the DHCP scope details, raise a GDM to create the DHCP scopes, and verify that these subnets are added in Sites and Services.


DMVPN Site Preparation and Migration Checklists

Post-check checklist

Fragmentation and MTU

- Already covered in the pre-test checklist, but ensure that all intranet applications work from the site; this can be done during UAT.
- Ping test to both Data Center servers from a PC.
- Internet/intranet application performance.
- Tracert to both Data Center servers to verify that the correct path is selected.

Shared (HADC) resource connectivity and UAT (including login times)

- Log in to the Harsco network from a cold boot and note the response times. Response time: _______________
- Obtain details of the local IP addressing scheme (ipconfig /all).
- Ping the local default gateway.
- Ping the DHCP servers 10.10.0.1 / 10.14.0.1 / 10.10.0.2.
- Tracert 10.10.0.1 / 10.14.0.1 / 10.10.0.2.
- Tracert/ping 10.42.4.254 (DMVPN).
- Test all divisional applications specific to your regional operation.
- Test any local WAN/LAN printing.
- Test all shared services from the Tier 1 Data Centre: Email, Portal (http://portal.harsco.com), Hyperion, ASEP.
- Test Internet browsing: tracert www.bbc.co.uk
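The MTU checks from both the pre-test and post-check lists, redone from the router with the DF bit set so they measure path MTU rather than whether fragmentation is permitted. This is an added example, not from this deck; 72.20.207.59 and 10.10.0.1 are the headend and data-centre addresses the checklists use, while Tunnel0 and Vlan1 as the tunnel and LAN interface names are assumed.

```cisco
! -- Pre-test, towards the headend before the tunnel exists --
! IOS "size" is the whole IP datagram. The checklist's Windows "ping -l 1500"
! sends a 1500-byte PAYLOAD (1528 bytes on the wire) and only proves that
! fragmentation is allowed; with DF set you learn the real path MTU instead.
ping 72.20.207.59 size 1500 df-bit
ping 72.20.207.59 size 1492 df-bit
! Expect 1500 to pass on a dedicated circuit and 1492 on PPPoE DSL. If both fail,
! something in the ISP path is eating bytes or dropping DF packets, and the
! tunnel setting "ip mtu 1400" is no longer a safe assumption.
! (Windows equivalents: ping -f -l 1472 72.20.207.59 and ping -f -l 1464 72.20.207.59)
!
! -- Post-check, through the tunnel, sourced from the LAN so the packet takes
!    the same path as user traffic --
ping 10.10.0.1 source Vlan1 size 1400 df-bit
! this one must succeed; the next must NOT, if ip mtu 1400 is really applied
ping 10.10.0.1 source Vlan1 size 1401 df-bit
!
! Confirm the MTU and MSS clamp are in the running config, and that the router
! is not quietly fragmenting on the way out (counter should not climb during the test)
show running-config interface Tunnel0 | include mtu|mss
show ip traffic | include fragment
!
! Spoke-to-spoke check: after sending traffic to another site, NHRP must hold a
! dynamic entry for it and the crypto session must be to that spoke's public
! address, not only to the hub's
show ip nhrp
show crypto session
show dmvpn
```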


DMVPN Site Preparation and Migration Checklists

Post-migration checklist (GIS use)

CiscoWorks
The GIS Network team will add the newly deployed router's inventory details and fine-tune the other parameters so that configuration archives are taken on a regular basis.

WhatsUp Gold
The GIS Network team will also add the new device to this tool for monitoring and interface bandwidth reports.

NetFlow
This tool is used for capacity planning, to find the top talkers in the network; the Network team will configure the required parameters on the router LAN interfaces.

Syslog
This monitoring tool captures device-generated logs and stores them in a database, which helps when investigating any incident related to the devices. The Network team will configure the device to send its logs there.

Global Network inventory
The Network team maintains an inventory database for all site devices globally and will update the list once the site migration has been completed successfully.
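What the GIS post-migration items translate to on the router, as an added example (not Harsco's configuration): NTP so timestamps agree across devices, syslog and NetFlow v9 export to collectors, SNMPv3 for WhatsUp Gold and CiscoWorks, and SSH-only management so configuration archiving does not run over telnet. The collector addresses 10.10.0.50 and 10.10.0.51, the management subnet 10.10.0.0/24, Vlan1 as the LAN interface, the SNMP group and user names and the NTP server are assumptions.

```cisco
! Time first: logs and flows only line up across devices if the clocks do
ntp server <ntp-server>
clock timezone UTC 0
service timestamps log datetime msec localtime show-timezone
!
! Syslog to the collector; "informational" keeps interface, crypto and NHRP events
! without debug noise. Source from the LAN address so the messages travel inside
! the tunnel rather than in the clear across the ISP.
logging buffered 65536 informational
logging host 10.10.0.50
logging trap informational
logging source-interface Vlan1
!
! NetFlow on the LAN interface: ingress there sees site-to-DC and site-to-Internet
! traffic (the top talkers); export v9 records to the collector
interface Vlan1
 ip flow ingress
ip flow-export source Vlan1
ip flow-export version 9
ip flow-export destination 10.10.0.51 2055
!
! SNMP for WhatsUp Gold / CiscoWorks: v3 with authentication and privacy, a
! read-only view, reachable only from the management subnet; no v2c community
access-list 10 permit 10.10.0.0 0.0.0.255
snmp-server view RO-VIEW iso included
snmp-server group GIS-RO v3 priv read RO-VIEW access 10
snmp-server user wug GIS-RO v3 auth sha <auth-pass> priv aes 128 <priv-pass>
snmp-server ifindex persist
snmp-server trap-source Vlan1
!
! Configuration archiving by CiscoWorks needs an interactive management path:
! SSH only, from the same management subnet (assumes a hostname, domain name and
! RSA key pair already exist on the router)
ip ssh version 2
line vty 0 4
 access-class 10 in
 transport input ssh
```

The same access list gates both SNMP and the VTY lines on purpose: if the management subnet changes, there is exactly one place to update, and a forgotten v2c community or telnet listener cannot survive the migration unnoticed.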

