Certification Internet service via iperf3

mfnmike
Level 1

Hello everyone,

We are an ISP providing internet services to customers using multivendor CPEs (Fortirouter, Juniper, Cisco) installed onsite. These CPEs connect over a fiber-optic last-mile to the nearest Provider Edge (PE), where the gateway is configured.

Occasionally, customers report issues such as high latency or not achieving their subscribed bandwidth. To address these concerns, we certify the last-mile connection using iPerf3 for traffic and bandwidth analysis.

Current Process:
To perform this certification, we dispatch a technician to the customer site. The technician connects a PC running iPerf3 as a client and establishes a connection to our iPerf3 server. We temporarily add the customer’s public IP to our firewall to enable communication between the client and server.

Challenge:
We are looking to eliminate the need for dispatching technicians onsite. Ideally, we want to conduct the iPerf3 certification remotely, streamlining the process and reducing operational costs.

Proposed Idea:
One potential solution is setting up one or more GRE tunnels between our infrastructure and the customer CPE. With proper routing, this could enable direct communication between the iPerf3 client (on the CPE or customer-side network) and our iPerf3 server, without requiring a physical technician presence.

Attached is a topology diagram illustrating the proposed setup.

Request for Feedback:

  • Has anyone implemented a similar setup or overcome a similar challenge?
  • Are GRE tunnels the best solution in this scenario, or would another tunneling or routing protocol be more effective?
  • Any potential pitfalls or security concerns we should consider?

We appreciate any insights or suggestions to refine this approach.

Thank you in advance for your time and expertise!

Best regards,
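The certification step itself, as an added example that is not part of the original post: it consumes the JSON that `iperf3 -c <server> -J` (TCP) or `iperf3 -c <server> -u -b <rate> -J` (UDP) prints and decides pass or fail against the customer's subscribed rate. The threshold values, the function name `certify` and the two sample results below are assumptions constructed for illustration (trimmed to the fields the code reads); the `mean_rtt` figures are only present when the sender fills them from TCP_INFO, as iperf3 on Linux does.

```python
"""Certify one iperf3 run against a customer's subscribed rate.

Added example, not from the original thread: it consumes the JSON that
`iperf3 -c <server> -J` (TCP) or `iperf3 -c <server> -u -b <rate> -J` (UDP)
prints and returns pass/fail. Thresholds are assumed policy values and the
two sample results below are constructed, trimmed to the fields read here.
"""
import json

SAMPLE_TCP_JSON = """{
  "start": {"connected": [{"local_host": "10.255.0.70", "remote_host": "10.255.0.69", "remote_port": 5201}],
            "test_start": {"protocol": "TCP", "duration": 30}},
  "end": {
    "streams": [{"sender": {"mean_rtt": 6200, "max_rtt": 9100, "min_rtt": 4800}}],
    "sum_sent":     {"bytes": 356250000, "bits_per_second": 95000000.0, "retransmits": 12},
    "sum_received": {"bytes": 355800000, "bits_per_second": 94880000.0}
  }
}"""

SAMPLE_UDP_JSON = """{
  "start": {"connected": [{"local_host": "10.255.0.70", "remote_host": "10.255.0.69", "remote_port": 5201}],
            "test_start": {"protocol": "UDP", "duration": 30}},
  "end": {"sum": {"bits_per_second": 99500000.0, "jitter_ms": 0.42,
                  "lost_packets": 37, "packets": 255000, "lost_percent": 0.0145}}
}"""


def certify(result_json, subscribed_mbps, min_ratio=0.9,
            max_loss_pct=0.5, max_jitter_ms=5.0, max_rtt_ms=None):
    """Return (passed, report) for one iperf3 JSON result.

    Assumed policy: pass when the measured rate reaches min_ratio of the
    subscribed rate; UDP runs must also stay under the loss and jitter
    limits, and TCP runs under max_rtt_ms when one is given.
    """
    data = json.loads(result_json)
    if "error" in data:   # iperf3 reports failures (server busy, no route) this way
        return False, {"error": data["error"]}
    end = data["end"]
    proto = data["start"]["test_start"]["protocol"]
    report = {"protocol": proto, "subscribed_mbps": subscribed_mbps}
    if proto == "TCP":
        # Receiver-side figure is the goodput that actually crossed the last mile.
        mbps = end["sum_received"]["bits_per_second"] / 1e6
        report["retransmits"] = end["sum_sent"].get("retransmits", 0)
        # Sender RTT (microseconds) is filled from TCP_INFO on Linux; absent elsewhere.
        rtts = [s["sender"]["mean_rtt"] for s in end.get("streams", [])
                if "mean_rtt" in s.get("sender", {})]
        if rtts:
            report["mean_rtt_ms"] = round(sum(rtts) / len(rtts) / 1000, 2)
    else:
        mbps = end["sum"]["bits_per_second"] / 1e6
        report["lost_percent"] = end["sum"]["lost_percent"]
        report["jitter_ms"] = end["sum"]["jitter_ms"]
    report["measured_mbps"] = round(mbps, 2)
    report["ratio"] = round(mbps / subscribed_mbps, 3)
    passed = report["ratio"] >= min_ratio
    if proto == "UDP":
        passed = passed and (report["lost_percent"] <= max_loss_pct
                             and report["jitter_ms"] <= max_jitter_ms)
    elif max_rtt_ms is not None and "mean_rtt_ms" in report:
        passed = passed and report["mean_rtt_ms"] <= max_rtt_ms
    report["passed"] = passed
    return passed, report


if __name__ == "__main__":
    for sample in (SAMPLE_TCP_JSON, SAMPLE_UDP_JSON):
        ok, rep = certify(sample, subscribed_mbps=100)
        print("PASS" if ok else "FAIL", rep)
```

The TCP check deliberately uses `sum_received` rather than `sum_sent`: the sender-side figure counts bytes handed to the socket, including data that was later retransmitted, so it overstates what the last mile actually delivered. A retransmit count well above zero with a passing rate is still worth recording, as it points at loss the bandwidth figure alone hides.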

10 Replies

What has this to do with Cisco Collaboration products? It’s likely best if you get this post moved to a more suitable place in the community.

Hi Roger, sorry, I'm new here. Could you please suggest a suitable place and how to move it? Thanks.

@mfnmike 

What you are trying to accomplish is similar to hairpinning with a GRE tunnel. Traffic must leave one GRE tunnel and return to the other tunnel in order to get back to the ISP. I am not sure this is possible.

What you can additionally look at is Cisco ThousandEyes, which will cost you, of course. And/or check whether iPerf can be run on the device itself, which is not possible on all devices.

I know a service provider that uses Linux servers instead of routers just to overcome situations like this, and they say the Linux server does not lag behind any router they know.

Hi Flavio,

Correct, it is like hairpinning with a GRE tunnel on the CPE, building a logical connection between our two Linux servers where the iPerf3 client and server are running. There is a public IP configured on one of the Linux servers, and the other public IP is the customer's, configured on the CPE. So the tricky thing here is how to establish that connection over that public IP.

Got it. However, technically speaking, I don't believe you can make the traffic leave one tunnel and return to the other.

Actually, the hairpin GRE tunnel method on the CPE works over the L3VPN solution: we add the two Linux servers into the same customer VRF. But we can't figure out how it can be done over the Internet solution (using public IPs).

As this is not related to anything within Collaboration and looks to be better suited in the Service Provider section of the community I moved it there.

Appreciate it.

AshSe
VIP

Hello @mfnmike 

Your proposed idea of using GRE tunnels to facilitate remote iPerf3 testing is a viable solution, but there are several considerations and alternative approaches to evaluate. Below is a detailed analysis of your proposal, along with feedback and suggestions:


1. Using GRE Tunnels for Remote iPerf3 Certification

GRE (Generic Routing Encapsulation) tunnels can indeed provide a way to establish a virtual point-to-point connection between your infrastructure and the customer CPE. This would allow you to route iPerf3 traffic through the tunnel without requiring a technician onsite.

Advantages of GRE Tunnels:

  • Simplicity: GRE is widely supported by most CPE vendors (Fortinet, Juniper, Cisco), making it a good choice for a multivendor environment.
  • Transparency: GRE encapsulates traffic, allowing you to route iPerf3 traffic without modifying the customer's existing network configuration.
  • Flexibility: GRE tunnels can carry various types of traffic, making them versatile for other diagnostic or management purposes.

Challenges and Considerations:

  1. Configuration Complexity:

    • You would need to configure GRE tunnels on each CPE, which could be time-consuming if done manually. Automating this process (e.g., using scripts or APIs) would be essential.
    • Ensure that the CPEs support GRE and that the configuration is consistent across vendors.
  2. Security Concerns:

    • GRE tunnels do not provide encryption by default, so the traffic between the CPE and your infrastructure could be exposed to interception. To mitigate this, consider using IPsec in conjunction with GRE (GRE over IPsec) to secure the tunnel.
    • Ensure proper firewall rules are in place to restrict access to the GRE tunnel endpoints.
  3. Performance Overhead:

    • GRE encapsulation adds a small amount of overhead, which could slightly impact performance. This is usually negligible but should be tested.
  4. Scalability:

    • If you have a large number of customers, managing and maintaining a large number of GRE tunnels could become operationally complex. Consider whether this approach will scale effectively.

2. Alternative Solutions

While GRE tunnels are a good option, there are other approaches that might be more efficient or easier to implement:

a. L2TP (Layer 2 Tunneling Protocol):

  • L2TP is another tunneling protocol that is widely supported and can be used to establish a virtual connection between your infrastructure and the CPE.
  • Like GRE, L2TP can be combined with IPsec for encryption.
  • It may be simpler to configure on some devices compared to GRE.

b. VPN (IPsec or OpenVPN):

  • Instead of GRE, you could establish an IPsec or OpenVPN connection between your infrastructure and the CPE.
  • This approach provides built-in encryption, addressing the security concerns of GRE.
  • Many CPEs support IPsec or OpenVPN natively, and it may be easier to manage than GRE tunnels in some cases.

c. Reverse iPerf3 Testing:

  • Instead of setting up a tunnel, you could configure the CPE to act as the iPerf3 client and initiate the test to your iPerf3 server. This would eliminate the need for tunneling altogether.
  • Most CPEs support running custom scripts or commands, so you could potentially automate the process of running iPerf3 on the CPE itself.
  • This approach avoids the complexity of managing tunnels but requires that the CPE has sufficient resources to run iPerf3.

d. SD-WAN or Cloud-Based Monitoring Tools:

  • If your CPEs support SD-WAN features, you could leverage built-in performance monitoring tools to measure latency, bandwidth, and packet loss.
  • Alternatively, consider using a cloud-based network monitoring solution (e.g., ThousandEyes, NetBeez) that can perform similar tests without requiring iPerf3.

3. Potential Pitfalls and Security Concerns

Regardless of the approach you choose, there are some general pitfalls and security concerns to address:

a. Firewall Configuration:

  • Ensure that the firewall rules on both the CPE and your infrastructure are configured to allow the necessary traffic (e.g., GRE, IPsec, or iPerf3 traffic).
  • Avoid opening unnecessary ports to minimize the attack surface.

b. Authentication and Access Control:

  • Use strong authentication mechanisms to ensure that only authorized devices can establish tunnels or initiate tests.
  • Consider implementing certificate-based authentication for IPsec or OpenVPN connections.

c. Resource Utilization:

  • Running iPerf3 or maintaining tunnels on the CPE may consume CPU and memory resources. Ensure that the CPE has sufficient capacity to handle these tasks without impacting its primary function.

d. Automation and Management:

  • Automate the configuration and management of tunnels or tests to reduce the risk of human error.
  • Use centralized management tools to monitor and troubleshoot the tunnels or tests.

4. Recommended Approach

Based on your requirements and the considerations above, here is a recommended approach:

  1. Start with Reverse iPerf3 Testing:

    • Configure the CPE to act as the iPerf3 client and initiate tests to your server. This is the simplest and most lightweight solution, as it avoids the need for tunneling.
    • Automate the process using scripts or APIs, and ensure that the CPE has sufficient resources to run iPerf3.
  2. Use GRE or IPsec Tunnels for Advanced Scenarios:

    • If reverse testing is not feasible (e.g., due to CPE limitations), use GRE or IPsec tunnels to establish a virtual connection for iPerf3 traffic.
    • Consider GRE over IPsec if encryption is required.
  3. Evaluate Long-Term Solutions:

    • Explore SD-WAN or cloud-based monitoring tools for a more scalable and automated solution.
    • Consider deploying lightweight agents on the CPEs that can perform network tests and report results to a central server.

5. Conclusion

Your idea of using GRE tunnels is a solid starting point, but it’s important to weigh the complexity and scalability of this approach against alternatives like reverse iPerf3 testing or VPN-based solutions. By automating the process and addressing security concerns, you can streamline the certification process and reduce operational costs effectively.

Hope this helps!

 

AshSe

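How the connection over the customer's public IP can be built, as an added example that is not from the thread or from any of the vendors named in it: one GRE tunnel per customer from the CPE's public address to the Linux iperf3 server, with the server firewall admitting GRE (or, for GRE over IPsec, IKE and ESP) only from that customer's address, and iperf3 reachable only through the tunnel, never on the public address. The addresses (documentation ranges), the 10.255.0.0/16 tunnel range, the `inet filter input` nftables chain (assumed to already exist with policy drop), the overhead constants, the function and class names and the customer number used as GRE key are all assumptions; the IOS stanza covers the Cisco CPE only, Juniper and Fortinet need their own equivalents.

```python
"""Per-customer GRE tunnel and firewall for a remote iperf3 server.

Added example, not from the original thread. It emits the iproute2 and
nftables commands for the Linux iperf3 server and the matching IOS stanza
for a Cisco CPE; names, addresses, the 10.255.0.0/16 tunnel range, the
`inet filter input` nft chain (assumed to exist with policy drop) and the
overhead constants are assumptions. Without --apply it only prints.
"""
import subprocess
import sys
from dataclasses import dataclass

IPERF_PORT = 5201
GRE_OVERHEAD = 20 + 4 + 4   # outer IPv4 + GRE header + 4-byte GRE key
ESP_OVERHEAD = 52           # assumed worst case, ESP transport mode with AES-GCM


@dataclass
class Customer:
    cid: int                # customer number; reused as GRE key so stray GRE is dropped
    public_ip: str          # address configured on the CPE WAN side
    server_public_ip: str   # address of the ISP's Linux iperf3 server
    ipsec: bool = False     # GRE over IPsec: admit IKE/ESP instead of bare GRE

    @property
    def ifname(self):
        return f"gre-c{self.cid}"

    @property
    def server_tun_ip(self):  # one /30 per customer out of 10.255.0.0/16 (assumed)
        return f"10.255.{self.cid // 64}.{(self.cid % 64) * 4 + 1}"

    @property
    def cpe_tun_ip(self):
        return f"10.255.{self.cid // 64}.{(self.cid % 64) * 4 + 2}"

    def mtu(self, link_mtu=1500):
        return link_mtu - GRE_OVERHEAD - (ESP_OVERHEAD if self.ipsec else 0)


def server_commands(c):
    """Linux side: the tunnel plus nft rules that admit only this customer."""
    cmds = [
        f"ip tunnel add {c.ifname} mode gre local {c.server_public_ip} "
        f"remote {c.public_ip} key {c.cid} ttl 64",
        f"ip addr add {c.server_tun_ip}/30 dev {c.ifname}",
        f"ip link set dev {c.ifname} mtu {c.mtu()} up",
    ]
    src = f"nft add rule inet filter input ip saddr {c.public_ip}"
    if c.ipsec:
        # The ESP SAs come from the IKE daemon (e.g. strongSwan); only admit its traffic.
        cmds += [f"{src} udp dport {{ 500, 4500 }} accept",
                 f"{src} ip protocol esp accept"]
    else:
        cmds.append(f"{src} ip protocol gre accept")
    # iperf3 is reachable only through the tunnel, never on the public address.
    tun = f'nft add rule inet filter input iifname "{c.ifname}" ip saddr {c.cpe_tun_ip}'
    cmds += [f"{tun} tcp dport {IPERF_PORT} accept",
             f"{tun} udp dport {IPERF_PORT} accept"]
    return cmds


def iperf_server_command(c):
    """One-off server bound to the tunnel address; exits after a single test."""
    return f"iperf3 -s -B {c.server_tun_ip} -p {IPERF_PORT} -1 -J"


def cisco_cpe_config(c):
    """IOS-style stanza for the CPE end (Juniper and Fortinet syntax differs)."""
    return "\n".join([
        f"interface Tunnel{c.cid}",
        f" ip address {c.cpe_tun_ip} 255.255.255.252",
        f" ip mtu {c.mtu()}",
        f" ip tcp adjust-mss {c.mtu() - 40}",   # clamp MSS so TCP never needs fragmentation
        f" tunnel source {c.public_ip}",
        f" tunnel destination {c.server_public_ip}",
        f" tunnel key {c.cid}",
    ])


if __name__ == "__main__":
    # Documentation-range addresses, constructed for the example.
    cust = Customer(cid=17, public_ip="203.0.113.45", server_public_ip="198.51.100.10",
                    ipsec="--ipsec" in sys.argv)
    for cmd in server_commands(cust):
        if "--apply" in sys.argv:
            subprocess.run(cmd, shell=True, check=True)   # needs root
        else:
            print(cmd)
    print("# then run on the server:", iperf_server_command(cust))
    print("# CPE side:\n" + cisco_cpe_config(cust))
```

Run without arguments it prints the commands for review; `--apply` executes the Linux side as root, and `--ipsec` switches the firewall rules and MTU to the GRE-over-IPsec variant (the IKE and ESP configuration itself is left to the IKE daemon). Two points matter for the certification result rather than just for connectivity: the GRE key on both ends means GRE from any other source is rejected before it reaches the tunnel interface, and the MTU must be confirmed across the tunnel (for example with `ping -M do -s` at the tunnel MTU minus 28) before running iperf3, because fragmentation on the tunnel depresses the TCP figure and would wrongly fail a customer who is getting their subscribed rate.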

Thanks for your response. Below are my notes:

- Neither SD-WAN nor cloud-based monitoring tools are available.
- Only some of the CPEs support iPerf3 themselves, such as Cisco ISR43XX and some Fortirouters, but the Juniper ones do not support that feature.
- We already have the automation applied for this purpose.
- The hardening is already set on our FWs.
- That was a good tip, setting the IPsec tunnel over the GRE to increase security.

But I still don't know how to build that connection using the public IP configured at the customer site.