Most Pacific networks do NOT conform to best practice network design! They lack stability and security. In this article we share how you can design your network for optimal performance in a typical hub and spoke architecture. You can use these design strategies as a blueprint for your data network over TPNG or Digicel provided transmission.

A stable, secure and high-performing data network is essential if organisations are to operate efficiently and provide customers, partners and staff with an enjoyable user experience. By ensuring that the network delivering data, business applications and collaboration systems is robust, stable, secure, scalable and reliable, organisations can increase productivity, enhance user satisfaction and keep costs down.

SO WHAT ARE THE STEPS REQUIRED TO BUILD SUCH A NETWORK?

Although we work with multiple ISPs in PNG, this article has no affiliation with any ISP in PNG. The content in this document is generic and meant to be used ONLY as a guide for building best practice WAN networks.

CONSIDER THE FOLLOWING CASE STUDY:

Customer “WOW-Super” is a new superannuation company in PNG. They are building their local presence by standing up two branches in Wewak and Lae, while the head office is located in Boroko. They have intentions to have wider coverage and expand in the future.

The senior management team have contracted a reputable IT firm to design and build their WAN Data Network using best practice data solutions.

SCOPE BASED ON CUSTOMER REQUIREMENTS

Build a state-of-the-art WAN Data Network with the following considerations:

  • Robust and stable, using dynamic routing.
  • Use best practice security solutions.
  • Be able to scale and anticipate growth when new branches are added.
  • WAN redundancy using two service providers (example: TPNG and Digicel).
  • One service provider should be primary while the other is backup, with automatic failover and high availability.
  • All server connectivity and Internet access will be via the hub router(s), except for specific servers sitting behind each branch, where optimal routing should be used.
  • The latency reports supplied by the two ISPs show that the link at the Lae branch has a better response time over TPNG transmission, while the link at Wewak has a better response over Digicel. (NOTE: TPNG currently uses satellite links in Wewak, with a latency of approximately 500 milliseconds; this is considerably higher than Digicel.) Therefore it is prudent to use TPNG as the primary link at Lae with Digicel as the backup, and Digicel as the primary supplier in Wewak with TPNG as the backup.
  • Proactive network monitoring and management of the data network during business hours.

Are you interested in our upcoming workshops to promote and educate customers on new data technologies across the Pacific? Would you like to learn how state-of-the-art architecture, design and security solutions can help you take charge of your data network? Then email us today at sales@sprintnetworks.com for pricing and scheduling. Sprint Networks can show you how these new technologies can benefit you and enhance your data experience. These workshops are scheduled to commence soon, starting in PNG and then branching out to other islands in the region. Sprint Networks will design these workshops around your current network needs.

Figure 1: High-Level Design Overview

Figure 2: High-Level Design Traffic Flow

Note: WOW-Super already has a solid core network. That is, WOW-Super has used best-practice network solutions within its LAN architecture.

Designing best practice LAN networks is not within the scope of this document. If you are interested in learning how to design best practice LAN networks, contact us today at sales@sprintnetworks.com.

ASSUMPTIONS:
At this point let's assume that hardware selection has already been made and that Cisco has been chosen as the hardware supplier. The type of hardware (i.e. whether we are using a router or a switch) will be explained, but hardware models will not be discussed, as this is subjective and can vary depending on design constraints, throughput, budget etc. Transmission over TPNG will use the MPLS offering, while over Digicel it will be the wireless radio service with PPPoE encapsulation.

ISP OFFERING:

FOR TPNG:

The current TPNG offering is a flat layer 2 structure with VLAN-based segregation for all WOW-Super branches (VPN-based offerings are managed services offered by TPNG). Contiguous VLAN spaces for the branches are usually reserved.

TPNG will provision pre-defined VLANs within its core and ensure that data integrity and security are maintained. At the branches and at the hub, TPNG will present all ports as access ports. You could also request Dot1Q tunnels to have aggregated links at the hub, but this could incur separate costs.

Figure 3: Possible Dot1Q aggregated Link at the hub

FOR DIGICEL:

The Digicel network provides connectivity using RF communications from remote sites to a layer 2 backbone network that interconnects all branches with the hub. Separation of customer networks is achieved through the use of Layer 2 VLANs and Layer 3 VPNs on the Digicel network. Digicel will provide a PPPoE transmission end-point at the customer CPE. These end-points will have layer 3 addresses forming point-to-point reachability. A pre-negotiated IP subnet will be used for Layer 3 communication (we use 172.16.1.0/24).

The APPROACH:

The goal is to have parallel networks over TPNG and Digicel. Therefore, the two service providers (Telikom PNG and Digicel) will provide data services via two (2) distinct networks (refer to Figure 2).

Figure 2 illustrates the hub and spoke concept deployed over the two service providers' networks. In order to maintain physical and logical separation, a new head-end router for each service provider will be introduced at the customer HQ. These new routers provide the added redundancy and the capability to run two data networks in parallel, fulfilling one of the primary requirements set by the customer.

Both Telikom PNG and Digicel will create a new VPN for the WOW-Super network to provide logical separation of WOW-Super traffic from other customers and the internet.

NOTE: A pre-negotiated obligation of both ISPs should be to supply the items listed below. It is, however, the responsibility of the customer/managed services provider to ask for them.

  1. Complete Layer 2 error report for both ISPs (BERT tests) and acceptable thresholds.
  2. Static IP allocation on the client interface of the Digicel PPPoE links (the reasons for this are explained later in the document).
  3. Throughput tests, performed from the customer end.
  4. Latency reports for satellite, fibre and radio links.
  5. Support contact details (obvious, but sometimes overlooked).

Some of these items could attract separate costs and therefore should be carefully assessed. This should be stipulated in writing and agreed by the customer, the ISP and the managed services team. These items should be part of the ISP's SLA.

Here is a summary of the functions that will be performed at the hub (HQ) and at each branch site for both service providers:

AT THE HEAD OFFICE (HQ)

USING TPNG

  • Installation and configuration of TPNG managed equipment and associated hardware into HQ. (TPNG responsibility)
  • Installation and configuration of WOW-Super managed equipment that will interface with the TPNG equipment. (WOW-Super responsibility)
  • Install and integrate the new head-end router PE1 into the WOW-Super network at HQ. This task involves:
      1. Enabling Layer 1/2 connectivity with the SW1 and SW2 switches.
      2. Integrating into OSPF Area 0.
      3. Enabling iBGP peering with the core layer devices at HQ.
      4. Verifying that BGP route propagation is functioning as expected.
  • Hub and branch routers have separate subnets for layer 3 connectivity.
  • A DMVPN tunnel will be established between the hub and each branch. These tunnels are transparent to TPNG. DMVPN Phase 3 is enabled so that spoke-to-spoke communication is also possible.
  • Private Autonomous System Numbers (ASNs) will be used.
  • Each branch will have an IPSec tunnel to the hub, securing the data plane across the TPNG network that carries WOW-Super production traffic.
  • An eBGP peering will be established over the IPSec tunnel.
USING DIGICEL

  • Installation and configuration of Digicel managed equipment and associated hardware into HQ. (Digicel responsibility)
  • Installation and configuration of WOW-Super managed equipment that will interface with the Digicel equipment. (WOW-Super responsibility)
  • Install and integrate the new head-end router PE2 into the WOW-Super network at HQ. This task involves:
      1. Enabling Layer 1/2 connectivity with the SW1 and SW2 switches.
      2. Integrating into OSPF Area 0.
      3. Enabling iBGP peering with the core layer devices at HQ.
      4. Verifying that BGP route propagation is functioning as expected.
  • The WOW-Super HQ router (Hub2) will be a PPPoE client, and the Digicel edge router within the Digicel core network will act as the PPPoE server.
  • The Digicel VPN PE routers will authenticate the PPPoE session using CHAP with pre-defined usernames and passwords. Authentication will occur against a centralised server within the Digicel network.
  • eBGP will be used to provide point-to-point reachability between the PPPoE Dialler interfaces of the hub site in Boroko and the branch sites.
  • DMVPN tunnels will be established between the CPEs using the PPPoE Dialler interfaces as the endpoints (i.e. tunnel source and destination). These tunnels are transparent to Digicel.
  • IPSec tunnels will be built over the DMVPN tunnels using the recommended encryption policies for data security; DMVPN Phase 3 is also enabled.
  • eBGP peering between the CPEs across the IPSec tunnels establishes a secure data plane across the Digicel network that carries WOW-Super production traffic.
  • Private Autonomous System Numbers (ASNs) will be used.

Table 1: Summary of Design at the Hub routers

AT BRANCH OFFICES

USING TPNG

  • Installation and configuration of TPNG managed equipment and associated hardware into each branch site. (TPNG responsibility)
  • Installation and configuration of WOW-Super managed equipment that will interface with the TPNG equipment. (WOW-Super responsibility)
  • Install and integrate the new branch routers into each WOW-Super branch network at Lae and Wewak. This connection can be made on a collapsed distribution and access layer. This task involves:
      1. Enabling Layer 1/2 connectivity with the branch switch(es).
  • Have a default route from the branch network switches to the PE router.
  • The CPE at each branch will have an eBGP peering to Hub1 at HQ.
  • Each branch will have its own DMVPN tunnel towards Hub1, over which an eBGP session will be established.
  • Using BGP preference, Hub1 will be preferred over Hub2 as the primary path for traffic leaving the Lae branch network.
  • A private Autonomous System Number (ASN) will be used.
  • Each branch will have an IPSec tunnel to the hub, securing the data plane across the TPNG network that carries WOW-Super production traffic.

USING DIGICEL

  • Installation and configuration of Digicel managed equipment and associated hardware into each branch site. (Digicel responsibility)
  • Installation and configuration of WOW-Super managed equipment that will interface with the Digicel equipment. (WOW-Super responsibility)
  • The same router as in the corresponding TPNG step will be used.
  • A similar PPPoE transmission connection will be made as at HQ, with CHAP as the authentication method.
  • The CPE at each branch will have an eBGP peering to Hub2 at HQ.
  • Each branch will have its own DMVPN tunnel towards Hub2, over which an eBGP session will be established.
  • Using BGP preference, Hub2 will be the preferred path for data traffic at Wewak, with TPNG as the secondary path.
  • The same private Autonomous System Number (ASN) will be used.
  • Each branch will have an IPSec tunnel to the hub, securing the data plane across the Digicel network that carries WOW-Super production traffic.

Table 2: Summary of Design at the Branch routers

LINK BANDWIDTH ALLOCATION (TPNG & DIGICEL)

Site     TPNG bandwidth   Digicel bandwidth   Comments
HQ       10Mbps           10Mbps              This link is the aggregation point for all branch traffic. Check the possibility of bundling two Ethernet interfaces into an EtherChannel running 10Mbps for TPNG. A single Ethernet interface will be used for Digicel.
Lae      4Mbps            4Mbps
Kokopo   1Mbps            1Mbps

Table 3: Example Bandwidth Allocations

IMPLEMENTATION

Best practice design stipulates a staged approach during implementation (rather than a big bang approach). Each stage should be tested and verified.

Use the following three (3) stages as a guide when building a hub-to-spoke data connection:

  1. Initial Establishment and Testing
  2. Secure Routing Establishment and Testing
  3. Migration of production traffic

STAGE 1 – INITIAL ESTABLISHMENT AND TESTING

LAYER 1, 2 AND 3 DESIGN

Figure 4: Physical setup at Boroko HQ

Once the physical connectivity to the ISPs' NTUs has been completed and all interface line protocols are in an up state, it's time to move to the next stage. The second stage defines the configuration of network devices to enable link establishment to the TPNG and Digicel networks from each site, and the configuration of layer 2 and 3 reachability between the branch and the head-end site (HQ). The following tasks will be performed under this phase:

HEAD-END (HQ) DESIGN FOR TPNG – HUB 1

Once the proposed physical setup is complete, point-to-point layer 3 links are established over TPNG's MPLS core. A new subnet space, large enough for future growth, will be dedicated for this purpose.

Upon completing this configuration, Layer 3 reachability should be tested and verified.

interface FastEthernet0/0
description ***** CONNECTION TO TPNG NTU *****
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
end

BRANCH DESIGN FOR TPNG

At Lae Interface Config:

interface FastEthernet0/0
description ***** CONNECTION TO TPNG NTU *****
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
end

At Wewak Interface Config:

interface FastEthernet0/0
description ***** CONNECTION TO TPNG NTU *****
ip address 192.168.1.3 255.255.255.0
duplex auto
speed auto
end

TESTING

HUB1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/13/24 ms

HUB1#ping 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/14/16 ms

HEAD-END (HQ) AND BRANCHES DESIGN FOR DIGICEL

Once the proposed physical setup is complete, point-to-point layer 3 links are established over the Digicel core. A new subnet space, large enough for future growth, will be dedicated for this purpose. This address space should be mutually agreed by the customer and Digicel.

Upon completing this configuration, Layer 3 reachability should be tested and verified.

NOTE: The Dialler interfaces are statically assigned, rather than having the Digicel server allocate IPs from a predefined DHCP pool. The reason for this requirement is to bring the Dialler interface up faster once it has recovered from a Layer 1/2 failure. This option also gives the customer more flexibility to manipulate routing properties.

NOTE: In this section and in the subsequent sections the logical interfaces' MTU will be adjusted. Assuming the default Ethernet MTU of 1500 bytes, we lower the MTU on the Dialler interfaces and the tunnel interfaces to avoid unnecessary fragmentation on the CPE.

Take note of the usernames and passwords used in this example. Allocation and distribution of these should be the responsibility of all concerned parties. The Digicel server should authenticate the customer dialler requests using CHAP authentication (the strongest possible authentication method).

HQ Dialer Config

interface FastEthernet0/0
description ****** CONNECTION TO DIGICEL RF NTU ******
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
end
!
interface Dialer1
description ****** DIALLER CONNECTION TO DIGICEL SERVER ******
ip address 172.16.1.2 255.255.255.0
encapsulation ppp
ip tcp adjust-mss 1412
dialer pool 1
dialer idle-timeout 0
dialer persistent
ppp chap hostname wow-super
ppp chap password 0 wow123
end

Dialler Config at Lae

interface FastEthernet0/1
description ****** CONNECTION TO DIGICEL RF NTU ******
no ip address
speed 100
full-duplex
pppoe enable group global
pppoe-client dial-pool-number 1
end
!
interface Dialer1
description ****** DIALLER CONNECTION TO DIGICEL SERVER ******
ip address 172.16.1.3 255.255.255.0
encapsulation ppp
ip tcp adjust-mss 1412
dialer pool 1
dialer idle-timeout 0
dialer persistent
ppp chap hostname wow-super
ppp chap password 0 wow123
end

Dialler Config at Wewak

interface FastEthernet0/1
description ****** CONNECTION TO DIGICEL RF NTU ******
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
end
!
interface Dialer1
description ****** DIALLER CONNECTION TO DIGICEL SERVER ******
ip address 172.16.1.4 255.255.255.0
encapsulation ppp
ip tcp adjust-mss 1412
dialer pool 1
dialer idle-timeout 0
dialer persistent
ppp chap hostname wow-super
ppp chap password 0 wow123
end

TESTING

HUB2#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/12 ms

HUB2#ping 172.16.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.3, timeout is 2 seconds:
!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 24/32/56 ms

HUB2#ping 172.16.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:
!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/31/44 ms

STAGE 2: SECURE ROUTING ESTABLISHMENT AND TESTING

During this phase, rather than using stock-standard GRE tunnels with IPSec, we have opted for a more scalable approach: Dynamic Multipoint VPN (DMVPN) Phase 3. Why? In conjunction with Next Hop Resolution Protocol (NHRP), it provides an effective solution for dynamic secure overlay networks. It also provides easy configuration through crypto profiles, which remove the requirement for static crypto maps, and dynamic discovery of tunnel endpoints. In Phase 3, DMVPN additionally provides the ability for direct spoke-to-spoke communication. This is ideal for our scenario, as we need to access file servers sitting at both Lae and Wewak.

  1. This phase of the logical setup builds the DMVPN tunnels between the branch sites and the head-end routers (DMVPN Phase 1/2), then enables IPSec for data encryption and decryption (DMVPN Phase 3). Over IPSec, BGP is enabled to carry data securely across the TPNG and Digicel networks. Best practice DMVPN tunnel parameters are used.
  2. To access the server(s) behind each branch, the DMVPN tunnels are tweaked to take the optimal routing path while maintaining the original control plane. The proposed branch and head-end logical topology for this design is shown in the figure below.
  3. Finally, test Layer 3 reachability.

Figure 5: Secure Tunnel Setup over DMVPN

FOR TPNG CONNECTIVITY

DMVPN    Tunnel IP     Tunnel Source     Tunnel Destination
Hub 1    10.1.0.1/24   FastEthernet0/0   gre multipoint
Lae      10.1.0.2/24   FastEthernet0/0   gre multipoint
Wewak    10.1.0.3/24   FastEthernet0/0   gre multipoint

Table 4: DMVPN Tunnel details over TPNG transmission

NOTE: The DMVPN configuration parameters have to match at the hub and the branches. The sample parameters used in this case study might have to be modified to meet your requirements.

DMVPN DESIGN AT HUB1

interface Tunnel10
bandwidth 1000
ip address 10.1.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication wowsuper
ip nhrp map multicast dynamic
ip nhrp network-id 123
ip nhrp holdtime 300
ip nhrp redirect
ip tcp adjust-mss 1380
delay 1000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile TPNG-PROFILE
! <<< IPSec config discussed below
end

DMVPN DESIGN AT LAE

interface Tunnel20
bandwidth 1000
ip address 10.1.0.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication wowsuper
ip nhrp map 10.1.0.1 192.168.1.1
ip nhrp map multicast 192.168.1.1
ip nhrp network-id 123
ip nhrp holdtime 300
ip nhrp nhs 10.1.0.1
ip nhrp shortcut
ip tcp adjust-mss 1380
delay 1000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile TPNG-PROFILE
! <<< IPSec config discussed below
end

DMVPN DESIGN AT WEWAK

interface Tunnel20
bandwidth 1000
ip address 10.1.0.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication wowsuper
ip nhrp map 10.1.0.1 192.168.1.1
ip nhrp map multicast 192.168.1.1
ip nhrp network-id 123
ip nhrp holdtime 300
ip nhrp nhs 10.1.0.1
ip nhrp shortcut
ip tcp adjust-mss 1380
delay 1000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile TPNG-PROFILE
! <<< IPSec config discussed below
end

FOR DIGICEL CONNECTIVITY

DMVPN    Tunnel IP     Tunnel Source   Tunnel Destination
Hub 2    10.2.0.1/24   Dialler 1       gre multipoint
Lae      10.2.0.2/24   Dialler 1       gre multipoint
Wewak    10.2.0.3/24   Dialler 1       gre multipoint

Table 5: DMVPN Tunnel details over Digicel transmission

DMVPN DESIGN AT HUB2

interface Tunnel10
ip address 10.2.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication wowsuper
ip nhrp map multicast dynamic
ip nhrp network-id 123
ip nhrp holdtime 300
ip nhrp redirect
ip tcp adjust-mss 1380
delay 1000
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DIGICEL-PROFILE
! <<< IPSec config discussed below
end

DMVPN DESIGN AT LAE

interface Tunnel30
bandwidth 1000
ip address 10.2.0.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication wowsuper
ip nhrp map 10.2.0.1 172.16.1.2
ip nhrp map multicast 172.16.1.2
ip nhrp network-id 123
ip nhrp holdtime 300
ip nhrp nhs 10.2.0.1
ip nhrp shortcut
ip tcp adjust-mss 1380
delay 1000
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DIGICEL-PROFILE
! <<< IPSec config discussed below
end

DMVPN DESIGN AT WEWAK

interface Tunnel30
bandwidth 1000
ip address 10.2.0.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication wowsuper
ip nhrp map 10.2.0.1 172.16.1.2
ip nhrp map multicast 172.16.1.2
ip nhrp network-id 123
ip nhrp holdtime 300
ip nhrp nhs 10.2.0.1
ip nhrp shortcut
ip tcp adjust-mss 1380
delay 1000
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DIGICEL-PROFILE
! <<< IPSec config discussed below
end

SECURE TUNNELS

In order to protect the data plane and ensure that WOW-Super data traffic is encrypted, IPSec tunnels have been employed for this initial design and for future implementations. These tunnels will have the following characteristics:

The encryption algorithm will be AES.

ISAKMP PARAMETERS

Authentication: pre-share
Group: 2
Encryption: aes
Hash: SHA
Key: wow-super

IPSec PARAMETERS

Encryption: esp-aes
Transform sets: TPNG-TRANS (over TPNG), DIGICEL-TRANS (over Digicel)

IPSEC CONFIG AT HUB1 FOR TPNG TRANSMISSION

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp key wow-super address 192.168.1.2
crypto isakmp key wow-super address 192.168.1.3
!
crypto ipsec transform-set TPNG-TRANS esp-aes
mode transport
!
crypto ipsec profile TPNG-PROFILE
set transform-set TPNG-TRANS

IPSEC CONFIG AT BOTH BRANCHES FOR TPNG TRANSMISSION

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp key wow-super address 192.168.1.1
!
crypto ipsec transform-set TPNG-TRANS esp-aes
mode transport
!
crypto ipsec profile TPNG-PROFILE
set transform-set TPNG-TRANS

IPSEC CONFIG AT HUB2 FOR DIGICEL TRANSMISSION

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp key wow-super address 172.16.1.3
crypto isakmp key wow-super address 172.16.1.4
!
crypto ipsec transform-set DIGICEL-TRANS esp-aes
mode transport
!
crypto ipsec profile DIGICEL-PROFILE
set transform-set DIGICEL-TRANS

IPSEC CONFIG AT BOTH BRANCHES FOR DIGICEL TRANSMISSION

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp key wow-super address 172.16.1.2
!
crypto ipsec transform-set DIGICEL-TRANS esp-aes
mode transport
!
crypto ipsec profile DIGICEL-PROFILE
set transform-set DIGICEL-TRANS
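As an added check (not part of the original article or Sprint Networks' tooling), the following Python audits the Hub1 and Lae snippets above for the parameter drift that the DMVPN note warns about, and at the same time flags the ISAKMP DH group, the type 0 CHAP password and the pre-shared key shared across peers in the SECURE TUNNELS configs. The config text is constructed from the page's snippets with IOS indentation restored, and the `tunnel key 124` on the spoke is a deliberate mismatch so the check has something to report.

```python
"""Audit the page's DMVPN/IPsec hub-and-spoke configs for parameter drift and weak settings."""
import re

# Parameters that, per the page's note, must match at the hub and the branches.
MUST_MATCH = ("ip nhrp authentication", "ip nhrp network-id", "tunnel key",
              "ip mtu", "ip tcp adjust-mss", "tunnel mode")
MIN_DH_GROUP = 14  # 2048-bit MODP; groups 1, 2 and 5 are below current guidance

# Constructed from the page's Hub1 snippets, with the IOS indentation restored.
HUB1_CFG = """\
interface Tunnel10
 ip address 10.1.0.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication wowsuper
 ip nhrp network-id 123
 ip nhrp redirect
 ip tcp adjust-mss 1380
 tunnel mode gre multipoint
 tunnel key 123
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key wow-super address 192.168.1.2
crypto isakmp key wow-super address 192.168.1.3
"""
# Lae copy with a deliberate 'tunnel key 124' so the drift check has a hit.
LAE_CFG = """\
interface Dialer1
 ip address 172.16.1.3 255.255.255.0
 ppp chap hostname wow-super
 ppp chap password 0 wow123
!
interface Tunnel20
 ip address 10.1.0.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication wowsuper
 ip nhrp network-id 123
 ip nhrp nhs 10.1.0.1
 ip nhrp shortcut
 ip tcp adjust-mss 1380
 tunnel mode gre multipoint
 tunnel key 124
"""

def parse_blocks(config):
    """{header: [sub-commands]}: headers sit at column 0, sub-commands are the
    indented lines beneath until '!', 'end' or a blank line."""
    blocks, current = {}, None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!") or stripped == "end":
            current = None
        elif not raw.startswith(" "):
            current = stripped
            blocks[current] = []
        elif current is not None:
            blocks[current].append(stripped)
    return blocks

def tunnel_params(blocks):
    """{tunnel header: {MUST_MATCH key: value}} for every 'interface Tunnel*'."""
    return {header: {k: cmd[len(k):].strip() for cmd in body
                     for k in MUST_MATCH if cmd.startswith(k + " ")}
            for header, body in blocks.items() if header.startswith("interface Tunnel")}

def dmvpn_mismatches(hub_cfg, spoke_cfg):
    """One message per MUST_MATCH parameter where a spoke tunnel differs from the hub's."""
    hub = next(iter(tunnel_params(parse_blocks(hub_cfg)).values()))
    return [f"{iface}: {k} hub={hub.get(k)!r} spoke={spoke.get(k)!r}"
            for iface, spoke in tunnel_params(parse_blocks(spoke_cfg)).items()
            for k in MUST_MATCH if hub.get(k) != spoke.get(k)]

def weak_settings(cfg):
    """Settings a reviewer would push back on before sign-off."""
    msgs, key_peers = [], {}
    for header, body in parse_blocks(cfg).items():
        for cmd in body:
            m = re.fullmatch(r"group (\d+)", cmd)
            if header.startswith("crypto isakmp policy") and m and int(m.group(1)) < MIN_DH_GROUP:
                msgs.append(f"{header}: DH group {m.group(1)} is below group {MIN_DH_GROUP}")
            if cmd.startswith("ppp chap password 0 "):
                msgs.append(f"{header}: CHAP password stored as type 0 (cleartext)")
        m = re.fullmatch(r"crypto isakmp key (\S+) address (\S+)", header)
        if m:  # one PSK shared by several peers: a leak at one branch exposes all
            key_peers.setdefault(m.group(1), []).append(m.group(2))
    for peers in key_peers.values():
        if len(peers) > 1:
            msgs.append(f"isakmp pre-shared key reused for peers {', '.join(peers)}")
    return msgs
```

Run `dmvpn_mismatches(HUB1_CFG, LAE_CFG)` and `weak_settings(...)` on each device's config before sign-off; the same parser can be pointed at a `show running-config` capture.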

STAGE 3: ROUTING DESIGN AND MIGRATION OF PRODUCTION TRAFFIC

Figure 6: Final Traffic Flow

The above diagram represents the final traffic path. Take note that we use TPNG as the primary path to exit Lae (backup via Digicel) and Digicel as the primary for Wewak (backup via TPNG).

So how do we achieve this? We use BGP traffic engineering, as explained below. We still only advertise a default route to the spokes (the branches). More specific routes are suppressed using specific route-maps.

BGP Design Config at HQ, Hub-1 for TPNG transmission

On Hub1

router bgp 65111
no synchronization
bgp router-id 10.220.1.10
bgp log-neighbor-changes
neighbor TPNG-BRANCH peer-group
neighbor TPNG-BRANCH remote-as 65222
neighbor TPNG-BRANCH route-map DEFAULT out
neighbor 10.1.0.2 peer-group TPNG-BRANCH
neighbor 10.1.0.3 peer-group TPNG-BRANCH
neighbor 10.220.1.1 remote-as 65111
neighbor 10.220.1.1 update-source Loopback0
no auto-summary
!
ip prefix-list DEFAULT seq 10 permit 0.0.0.0/0
no cdp log mismatch duplex
!
route-map DEFAULT permit 10
match ip address prefix-list DEFAULT

BGP Design Config at HQ, Hub-2 for Digicel transmission

On Hub2

router bgp 65111
no synchronization
bgp router-id 10.220.1.11
bgp log-neighbor-changes
neighbor DIGICEL-BRANCH peer-group
neighbor DIGICEL-BRANCH remote-as 65222
neighbor DIGICEL-BRANCH route-map DEFAULT out
neighbor 10.2.0.2 peer-group DIGICEL-BRANCH
neighbor 10.2.0.3 peer-group DIGICEL-BRANCH
! connectivity to the core
neighbor 10.220.1.1 remote-as 65111
neighbor 10.220.1.1 update-source Loopback0
! Digicel peer
neighbor 172.16.1.1 remote-as 65123
no auto-summary
!
ip prefix-list DEFAULT seq 10 permit 0.0.0.0/0
!
route-map DEFAULT permit 10
match ip address prefix-list DEFAULT
!

On the Spoke at Lae

NOTE: At Lae we manipulate the BGP attributes to prefer TPNG as the exit for all data traffic, with Digicel as the backup. Should the TPNG link fail at any given time, and the BGP design is configured correctly, the Digicel link should automatically take over the traffic flow (assuming this is NOT a power outage). Once the TPNG link is restored, the BGP design should pre-empt the preferred path and all traffic should revert to TPNG.

router bgp 65222
no synchronization
bgp router-id 10.220.1.15
bgp log-neighbor-changes
network 10.0.55.0 mask 255.255.255.0
neighbor 10.1.0.1 remote-as 65111
neighbor 10.1.0.1 route-map PREFER-TPNG in
neighbor 10.2.0.1 remote-as 65111
! Digicel peer
neighbor 172.16.1.1 remote-as 65123
!
ip prefix-list DEFAULT-ROUTE seq 10 permit 0.0.0.0/0
!
route-map PREFER-TPNG permit 10
match ip address prefix-list DEFAULT-ROUTE
set local-preference 300

On the Spoke at Wewak

NOTE: At Wewak we manipulate the BGP attributes to prefer Digicel as the exit for all data traffic, with TPNG as the backup. Should the Digicel link fail at any given time, and the BGP design is configured correctly, the TPNG link should automatically take over the traffic flow (assuming this is NOT a power outage). Once the Digicel link is restored, the BGP design should pre-empt the preferred path and all traffic should revert to Digicel.

router bgp 65222
no synchronization
bgp router-id 10.220.1.16
bgp log-neighbor-changes
network 10.0.66.0 mask 255.255.255.0
neighbor 10.1.0.1 remote-as 65111
neighbor 10.2.0.1 remote-as 65111
neighbor 10.2.0.1 route-map PREFER-DIGICEL in
! Digicel peer
neighbor 172.16.1.1 remote-as 65123
!
ip prefix-list DEFAULT-ROUTE seq 10 permit 0.0.0.0/0
no cdp log mismatch duplex
!
route-map PREFER-DIGICEL permit 10
match ip address prefix-list DEFAULT-ROUTE
set local-preference 300
!
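To make the NOTEs at Lae and Wewak concrete, here is an added Python model (not the page's own code) of a spoke's BGP best-path choice for the default route: it applies the local-preference 300 route-map, withdraws the preferred hub's path to stand in for a link failure, re-advertises it to check pre-emption, and also shows what the spokes would pick with no route-map at all. The hub next-hops are the tunnel addresses from the configs above; hold-timer and tunnel detection delays are not modelled.

```python
"""Model of a spoke's BGP choice of default route under the STAGE 3 policy."""
from dataclasses import dataclass, replace

IOS_DEFAULT_LOCAL_PREF = 100   # value a path carries when no route-map touches it
HUB1 = "10.1.0.1"              # Hub1 tunnel address: default learned over TPNG
HUB2 = "10.2.0.1"              # Hub2 tunnel address: default learned over Digicel

@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: str       # the advertising hub's tunnel address
    as_path: tuple      # (65111,) for both hubs in the page's design
    local_pref: int = IOS_DEFAULT_LOCAL_PREF

def default_from(hub):
    """The 0.0.0.0/0 advertisement a hub sends under 'route-map DEFAULT out'."""
    return Path("0.0.0.0/0", hub, (65111,))

def apply_inbound_policy(path, prefer):
    """Emulate PREFER-TPNG / PREFER-DIGICEL: match the default route learned
    from the preferred neighbour and 'set local-preference 300'; leave the rest."""
    if path.prefix == "0.0.0.0/0" and path.next_hop in prefer:
        return replace(path, local_pref=prefer[path.next_hop])
    return path

def best_path(paths):
    """The slice of the BGP decision process that decides here: highest
    local-preference, then shortest AS path, then lowest neighbour address."""
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path), p.next_hop))

class SpokeRib:
    """Adj-RIB-In of one branch router, tracking the default route only."""
    def __init__(self, prefer):
        self.prefer = prefer        # {hub next-hop: local-pref to set}
        self.paths = {}             # next-hop -> Path after inbound policy

    def update(self, path):
        self.paths[path.next_hop] = apply_inbound_policy(path, self.prefer)

    def withdraw(self, next_hop):
        # A failed link shows up as a withdrawn path once the BGP hold timer
        # (or the tunnel line protocol) notices; that delay is not modelled.
        self.paths.pop(next_hop, None)

    def gateway(self):
        """Next hop installed as gateway of last resort, or None if no default."""
        return best_path(self.paths.values()).next_hop if self.paths else None

def failover_sequence(preferred_hub, policy=True):
    """Gateway of last resort at three moments: both hubs up, the preferred
    hub's link failed, the preferred hub's link restored (checks pre-emption).
    With policy=False no route-map is applied, as if the NOTE were ignored."""
    rib = SpokeRib({preferred_hub: 300} if policy else {})
    rib.update(default_from(HUB1))
    rib.update(default_from(HUB2))
    seq = [rib.gateway()]
    rib.withdraw(preferred_hub)
    seq.append(rib.gateway())
    rib.update(default_from(preferred_hub))
    seq.append(rib.gateway())
    return seq

LAE = failover_sequence(HUB1)      # TPNG primary, Digicel backup
WEWAK = failover_sequence(HUB2)    # Digicel primary, TPNG backup
```

Without the route-map both spokes tie on local-preference and AS-path length and fall through to the lowest neighbour address, so Wewak would also exit via Hub1 over TPNG; the `set local-preference 300` is what makes the Wewak preference stick.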

Testing and verification

The final testing phase will confirm whether the design is functioning as predicted. It will also serve as sign-off on the customer requirements.

During the initial stages of such an implementation, regular monitoring and fine-tuning of the network is recommended. Usually this should be a free offering from the managed services company, and a cooling-off period should be agreed on.

Spoke-to-spoke traffic flow:

Wewak#traceroute 10.0.55.1        <<<< File server sitting at Lae
Type escape sequence to abort.
Tracing the route to 10.0.55.1
  1 10.2.0.2 [AS 65111] 56 msec * 16 msec

Spoke-to-Internet traffic flow:

NOTE: The core router has been configured to simulate the Internet gateway and DNS server.

Lae#traceroute google.com num     <<<< Simulated Internet access
Translating "google.com"...domain server (10.220.1.1) [OK]
Type escape sequence to abort.
Tracing the route to 8.8.8.8
  1 10.1.0.1 [AS 65111] 20 msec 16 msec 20 msec
  2 10.1.100.1 [AS 65111] 28 msec 16 msec 24 msec

Routing tables at the branches:

Lae#sh ip route
---- Omitted for clarity ----
Gateway of last resort is 10.1.0.1 to network 0.0.0.0

     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       172.16.1.1/32 is directly connected, Dialer1
C       172.16.1.0/24 is directly connected, Dialer1
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.2.0.0/24 is directly connected, Tunnel30
C       10.1.0.0/24 is directly connected, Tunnel20
C       10.0.55.0/24 is directly connected, Loopback55
C       10.220.1.15/32 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
B*   0.0.0.0/0 [20/0] via 10.1.0.1, 07:06:50

Wewak#sh ip route
---- Omitted for clarity ----
Gateway of last resort is 10.2.0.1 to network 0.0.0.0

     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       172.16.1.1/32 is directly connected, Dialer1
C       172.16.1.0/24 is directly connected, Dialer1
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.2.0.0/24 is directly connected, Tunnel30
C       10.1.0.0/24 is directly connected, Tunnel20
C       10.0.66.0/24 is directly connected, Loopback66
C       10.220.1.16/32 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
B*   0.0.0.0/0 [20/0] via 10.2.0.1, 07:06:59

So did we fulfil the customer requirements? Here they are again:

  • Robust and stable, using dynamic routing.
  • Use best practice security solutions.
  • Be able to scale and anticipate growth when new branches are added.
  • WAN redundancy using two service providers (example: TPNG and Digicel).
  • One service provider should be primary while the other is backup, with automatic failover and high availability.
  • All server connectivity and Internet access will be via the hub router(s), except for specific servers sitting behind each branch, where optimal routing should be used.
  • Use TPNG as the primary link at Lae with Digicel as backup, and Digicel as the primary supplier in Wewak with TPNG as the backup.
  • Proactive network monitoring and management of the data network during business hours.
Author: Sprint Networks