TRANSCRIPT
WAN and Remote-Site Deployment using Cisco Validated Designs
Adam Groudan, Technical Solutions Architect
BRKRST-2040
The Challenge
I want to design and deploy a network...
• Which platform should I choose? There are many to choose from at each place in the network.
• What are the best practices?
• How do I manage it?
• How do I put it all together?
• How can I do it quickly?
• How can I anticipate what the network might need to do in the future, so I don't have to revisit my design and deployment?
[Figure: platform examples, ASR1002-X router and WAVE-7571 appliance]
Cisco Validated Designs provide a
framework for design and deployment
guidance based on common use cases.
Agenda
• WAN CVD Overview
• WAN CVD Design Methodology
• Key Aspects of the Design
• Summary
Cisco Validated Design Guides
Each design guide addresses a common deployment issue, called a use case, that defines a customer-driven set of requirements and technology.

Inside the Design Guide
• CVD Navigator: use case(s), scope, proficiency, related CVDs
• Design Overview
• Deployment Details
• Product and Software Versions
• Configuration Files Appendix
Blueprints and overviews for technical and business decision-makers.

The Cisco Design Zone (www.cisco.com/go/cvd)
• Technology/Solution Design Guides
• Overview Documents
• At-a-Glance Documents
• Business Presentations
Cisco Validated Designs for Enterprise WAN (http://www.cisco.com/go/cvd/wan):
• MPLS WAN Design Guide
• Layer 2 WAN Design Guide
• VPN WAN Design Guide
Design Guide | Transports | Usage | WAN Aggregation Design Models
MPLS WAN | MPLS L3 VPN | Primary/Secondary | Dual MPLS, MPLS Dynamic, MPLS Static
Layer 2 WAN | Layer 2 WAN | Primary | Trunked Demarcation, Simple Demarcation
VPN WAN | Internet/DMVPN | Primary/Secondary | Dual DMVPN, DMVPN Only, DMVPN Backup Dedicated, DMVPN Backup Shared
Remote Sites Using Local Internet Access | Internet/DMVPN (with Local Internet) | Primary/Secondary | Remote site only
VPN Remote Site over 3G/4G | 3G/4G Internet/DMVPN | Primary/Secondary | Remote site only
Group Encrypted Transport VPN | MPLS L3 VPN, Layer 2 WAN | Primary/Secondary, Primary | Compatible with all design models
Hybrid WAN Designs: Traditional and IWAN
[Figure: data center with two ASR 1000 WAN routers, a remote site with an ISR, an MPLS carrier (SP B) and an Internet provider (ISP A). Traditional hybrid: GETVPN over MPLS and DMVPN over the Internet. IWAN hybrid: DMVPN over both transports.]
Traditional hybrid:
• Two IPsec technologies: GETVPN over MPLS, DMVPN over the Internet
• Two WAN routing domains: MPLS uses eBGP or static routes; the Internet path uses iBGP, EIGRP or OSPF
• Route redistribution, route filtering and loop prevention are required
• Active/standby WAN paths: primary with backup
IWAN hybrid:
• One IPsec overlay: DMVPN
• One WAN routing domain: iBGP, EIGRP, or OSPF
• Active/active WAN paths
Hierarchical WAN Design
[Figure: three-tier hierarchy with the Data Center/HQ as the core, regional hubs as the distribution layer and spoke sites 1..N (and 1'..N') as the access layer behind each regional hub; a two-tier variant has the Data Center/HQ core connecting directly to spoke sites 1..N.]
WAN-Aggregation Reference Design
[Figure: core layer and WAN distribution layer at the head end; MPLS CE routers toward MPLS A and MPLS B; a Layer 2 WAN CE router; DMVPN hub routers (DMVPN 1, DMVPN 2) behind the Internet edge toward ISP A / ISP B; a basic remote site at the far end.]
WAN Remote Site Designs (MPLS and DMVPN)
• Non-redundant: MPLS WAN; Internet WAN (DMVPN)
• Redundant links, single router: MPLS + Internet WAN (MPLS, DMVPN); dual MPLS (MPLS-A, MPLS-B); dual Internet (DMVPN-1, DMVPN-2)
• Redundant links and routers: MPLS + Internet (MPLS, DMVPN); dual MPLS (MPLS-A, MPLS-B); dual Internet (DMVPN-1, DMVPN-2)

WAN Remote Site Designs (L2, 3G/4G and DMVPN)
• Non-redundant: VPLS WAN; 3G/4G Internet WAN (DMVPN)
• Redundant links, single router: VPLS + Internet WAN (DMVPN); MPLS + 3G/4G Internet WAN (DMVPN)
• Redundant links and routers: VPLS + Internet (DMVPN); MPLS + 3G/4G (DMVPN)
WAN Remote Site Reference Designs: Access Layer Only
Single-router remote sites: the router connects to the access switch over an 802.1Q VLAN trunk (64-65, 69-70); no HSRP required.
Dual-router remote sites: add a second router and a transit network and enable HSRP; each router connects over an 802.1Q VLAN trunk (64-65, 69-70, 99), HSRP runs on the user VLANs, and one router is the active HSRP router.

Vlan | Usage | Access Layer Only Designs | IP Network Assignment (Example)
Vlan65 | Wireless Data | Yes | 10.5.50.0/24
Vlan70 | Wireless Voice | Yes | 10.5.51.0/24
Vlan64 | Data 1 | Yes | 10.5.52.0/24
Vlan69 | Voice 1 | Yes | 10.5.53.0/24
Vlan99 | Transit | Yes (dual router only) | 10.5.48.0/30
WAN Remote Site Reference Designs: Distribution and Access Layer
Single-router remote sites: add a distribution layer; the router connects to it over an 802.1Q trunk (50), with Vlan50 as the router 1 link; distribution-to-access trunks carry the data and voice VLANs.
Dual-router remote sites (with a transit network): router 1 connects over an 802.1Q trunk (50, 99) and router 2 over an 802.1Q trunk (54, 99); Vlan50 is the router 1 link, Vlan54 the router 2 link and Vlan99 the transit network; distribution-to-access trunks carry the data and voice VLANs.
WAN Edge Connection Methods Compared
[Figure: a WAN edge router attached to the core/distribution either by Multichassis EtherChannel (VSS or 3750 stack: single logical control plane, port-channel for high availability, CVD recommended, no static routes, no FHRPs) or by point-to-point Layer 3 links (IGP recalculation when a link is lost).]
Optimize Convergence and Redundancy
Multichassis EtherChannel:
• Provides link redundancy and reduces peering complexity
• Tune the L3/L4 load-balancing hash to achieve maximum utilization
• No L3 reconvergence is required when a member link fails; the channel member is simply removed
• No individual flow can go faster than the speed of an individual member of the link
Point-to-point Layer 3 links:
• Link redundancy is achieved through redundant L3 paths
• Flow-based load balancing through CEF forwarding across the paths
• Routing protocol reconvergence (IGP recalculation) when an uplink fails
• Convergence time depends on the routing protocol used and the size of the routing table
This topic is covered in detail in BRKCRS-2030.
WAN Dual-Path Route Preference: Incorrect Choice of Primary Path (DMVPN)
[Figure: WAN distribution layer with an MPLS CE router (BGP AS 65511, eBGP to MPLS A in AS 65401, BGP redistributed into EIGRP) and a DMVPN hub router running EIGRP 100 over DMVPN 1; remote site 10.5.48.0/21. The distribution layer installs
D 10.5.48.0/21 [90/xxxxx] via 10.4.32.18
that is, the DMVPN hub path.]
• eBGP routes are redistributed into EIGRP 100 as external routes with the default administrative distance of 170
• Running the same EIGRP AS for both the campus and the DMVPN network results in the Internet path being preferred over the MPLS path, because the DMVPN hub's route arrives as an internal EIGRP route (distance 90)

WAN Dual-Path Route Preference: Correct Choice of Primary Path (MPLS)
[Figure: same topology with mutual route redistribution; the DMVPN hub runs EIGRP 200 over the tunnel and redistributes it into EIGRP 100. The distribution layer installs
D EX 10.5.48.0/21 [170/34304] via 10.4.32.2
that is, the MPLS CE path.]
• Multiple EIGRP AS processes can be used to provide control of the routing: EIGRP 100 is used in the HQ location (LAN), EIGRP 200 over the DMVPN tunnel
• Routes from EIGRP 200 redistributed into EIGRP 100 appear as external routes (distance 170)
• EIGRP uses the bandwidth and delay metrics if prefix and distance are the same. If the routes from both WAN sources are equal-cost paths, use EIGRP delay to modify the path preference.

MPLS CE router:
router eigrp LAN
 address-family ipv4 unicast autonomous-system 100
  topology base
   default-metric 1000000 10 255 1 1500

DMVPN hub router:
router eigrp LAN
 address-family ipv4 unicast autonomous-system 100
  topology base
   redistribute eigrp 200
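To make the administrative-distance argument concrete, here is an added Python model (not part of the BRKRST-2040 deck) of the distribution layer's route choice for 10.5.48.0/21. It uses the IOS defaults of distance 90 for internal and 170 for external EIGRP routes and the classic EIGRP composite metric; the hub tunnel bandwidth (50000 kbps), the IOS tunnel default delay and the GigabitEthernet hop delay are assumptions, so the metric values differ from the 34304 shown on the slide.

```python
from typing import Dict, List

# Administrative distances IOS assigns by default.
AD = {"eigrp-internal": 90, "eigrp-external": 170}


def eigrp_metric(min_bandwidth_kbps: int, total_delay_tens_us: int) -> int:
    """Classic EIGRP composite metric with K1=K3=1 and K2=K4=K5=0:
    256 * (10^7 / minimum bandwidth in kbps + sum of delays in units of 10 us)."""
    return 256 * (10_000_000 // min_bandwidth_kbps + total_delay_tens_us)


def rib_best(candidates: List[Dict]) -> Dict:
    """IOS RIB rule: lowest administrative distance wins; the metric only breaks an AD tie."""
    return min(candidates, key=lambda c: (AD[c["source"]], c["metric"]))


def distribution_layer_route(dmvpn_eigrp_as: int, lan_eigrp_as: int = 100) -> Dict:
    """Route the WAN distribution layer installs for 10.5.48.0/21, given the EIGRP
    AS the DMVPN hub runs on its tunnel (the LAN runs EIGRP 100)."""
    # MPLS CE: eBGP redistributed into EIGRP 100 with 'default-metric 1000000 10 255 1 1500'
    # (1 Gbps, 100 us), then one GigabitEthernet hop (10 us = 1 unit) to the distribution
    # layer. Redistributed, so always an external route.
    mpls = {"path": "MPLS", "next_hop": "10.4.32.2", "source": "eigrp-external",
            "metric": eigrp_metric(1_000_000, 10 + 1)}
    # DMVPN hub (assumed): tunnel bandwidth 50000 kbps and the IOS tunnel default delay
    # of 50000 us (5000 units), plus the same GigabitEthernet hop.
    tunnel_metric = eigrp_metric(50_000, 5000 + 1)
    if dmvpn_eigrp_as == lan_eigrp_as:
        source = "eigrp-internal"   # same AS on tunnel and LAN: arrives as a native route
    else:
        source = "eigrp-external"   # 'redistribute eigrp 200' into 100: arrives as external
    dmvpn = {"path": "DMVPN", "next_hop": "10.4.32.18", "source": source,
             "metric": tunnel_metric}
    return rib_best([mpls, dmvpn])


if __name__ == "__main__":
    for dmvpn_as in (100, 200):
        r = distribution_layer_route(dmvpn_as)
        print(f"DMVPN hub in EIGRP {dmvpn_as}: 10.5.48.0/21 via {r['next_hop']} "
              f"({r['path']}, AD {AD[r['source']]}, metric {r['metric']})")
```

With the hub in EIGRP 100 the DMVPN route wins on distance alone, whatever its metric; once the tunnel runs its own AS both candidates are external and the much lower composite metric of the MPLS path decides.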
WAN-Aggregation IP Routing Detail
[Figure: BGP AS 65511 at the WAN aggregation site. The MPLS CE routers run eBGP to MPLS A (AS 65401) and MPLS B (AS 65402), iBGP between themselves, and redistribute BGP into EIGRP toward the WAN distribution layer. The Layer 2 WAN CE router runs EIGRP 300 over the Layer 2 WAN. The DMVPN hub routers behind the Internet edge (ISP A / ISP B) run EIGRP 200 on DMVPN 1 and EIGRP 201 on DMVPN 2 (DMVPN 2 also advertises a default route), and EIGRP toward the WAN distribution layer.]
WAN Dual-Path Route Preference: Is Route Control Needed?
[Figure: MPLS CE router (eBGP to MPLS A, AS 65401) and DMVPN hub router (EIGRP 200 on DMVPN 1), both running EIGRP to the WAN distribution layer; remote site 10.5.48.0/21.]
• After a link failure, the MPLS CE router learns an alternate path to the remote site via the distribution layer (EIGRP route):
  MPLS CE router:      D EX 10.5.48.0/21 [170/xxxx] via 10.4.32.1
  Distribution layer:  D EX 10.5.48.0/21 [170/xxxx] via 10.4.32.18
• After the link is restored, the MPLS CE router receives the BGP advertisement for the remote-site route:
  B 10.5.48.0/21 [20/0] via 192.168.3.2
• Does the BGP route get (re)installed in the routing table? No. The EIGRP route from the distribution layer remains in the table.

WAN Dual-Path Route Preference: Route Control Is Needed
• The remote-site route is redistributed into BGP with weight 32768
• After the link is restored, the distribution-layer route remains in the table because of the BGP weight
• Routes from the distribution layer should be blocked
• This also protects against other "backdoor" and routing-loop conditions

MPLS CE router:
CE-1#show ip bgp 10.5.48.0 255.255.248.0
BGP routing table entry for 10.5.48.0/21, version 1293
Paths: (3 available, best #3, table default)
  Advertised to update-groups:
     4          5
  65401 65401, (aggregated by 65511 10.5.48.254)
    192.168.3.2 from 192.168.3.2 (192.168.100.3)
      Origin IGP, localpref 100, valid, external, atomic-aggregate
  Local
    10.4.32.1 from 0.0.0.0 (10.4.32.1)
      Origin incomplete, metric 3584, localpref 100, weight 32768, valid, sourced, best
The first path is the eBGP route (no weight defined); the locally sourced path carries the default weight 32768 and wins.
Best Practice: Route Tag and Filter
• Routes are implicitly tagged with the carrier AS when redistributed from eBGP into EIGRP
• Configure explicit tags for other routing protocol sources
• Use a route-map to block re-learning of WAN routes via the distribution layer (MPLS routes are already known via iBGP)

router eigrp LAN
 address-family ipv4 unicast autonomous-system 100
  topology base
   default-metric [BW] 100 255 1 1500
   distribute-list route-map BLOCK-TAGGED-ROUTES in
   redistribute bgp 65511
!
route-map BLOCK-TAGGED-ROUTES deny 10
 match tag 65401 65402
route-map BLOCK-TAGGED-ROUTES permit 20
WAN-Aggregation Mutual Route Redistribution
[Figure: campus/data center EIGRP routes arrive from the distribution layer; MPLS A CE (AS 65401) and MPLS B CE (AS 65402) with iBGP between them; Layer 2 WAN CE (EIGRP 300); DMVPN 1 hub (EIGRP 200) and DMVPN 2 hub (EIGRP 201, default) behind the Internet edge toward ISP A / ISP B.]

WAN-Aggregation Router | From WAN towards Core/Distribution | From Core/Distribution towards WAN (Redistribute EIGRP 100)
MPLS A CE | Redistribute BGP; implicit tag: MPLS-A | Block: MPLS-A, MPLS-B, DMVPN
MPLS B CE | Redistribute BGP; implicit tag: MPLS-B | Block: MPLS-A, MPLS-B, DMVPN
Layer 2 WAN CE | Redistribute EIGRP; explicit tag: Layer 2 WAN | Block: DMVPN
DMVPN 1 Hub | Redistribute EIGRP; explicit tag: DMVPN | Accept: Any
DMVPN 2 Hub | Redistribute EIGRP; explicit tag: DMVPN | Accept: Any
WAN Remote-Site Routing: Single-Router, Single-Link, Access Layer Only (MPLS VPN)
[Figure: remote-site router with one MPLS VPN link, eBGP to the carrier and a BGP summary advertised; wired/wireless data subnets behind it.]
Only requires a single WAN-facing routing protocol process.

router bgp 65511
 bgp router-id 10.255.251.204
 network 10.5.60.0 mask 255.255.255.0
 network 10.5.61.0 mask 255.255.255.0
 network 10.255.251.204 mask 255.255.255.255
 network 192.168.3.28 mask 255.255.255.252
 aggregate-address 10.5.56.0 255.255.248.0 summary-only
 neighbor 192.168.3.30 remote-as 65401
WAN Remote-Site Routing: Single-Router, Single-Link, Access Layer Only (DMVPN or Layer 2 WAN)
[Figure: an Internet/DMVPN spoke running EIGRP 200 over the tunnel, or a Layer 2 WAN site running EIGRP 300; in both cases an EIGRP summary is advertised toward the WAN.]
Only requires a single WAN-facing routing protocol process.

Layer 2 WAN example; the summary on the Layer 2 WAN interface includes all remote-site networks:
router eigrp WAN-LAYER2
 !
 address-family ipv4 unicast autonomous-system 300
  !
  af-interface default
   passive-interface
  exit-af-interface
  !
  af-interface GigabitEthernet0/0.38
   summary-address 10.5.144.0 255.255.248.0
   no passive-interface
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 10.4.38.0 0.0.0.255
  network 10.5.0.0 0.0.255.255
  network 10.255.0.0 0.0.255.255
  eigrp router-id 10.255.255.210
  eigrp stub connected summary
 exit-address-family
WAN Remote-Site Routing: Single-Router, Dual-Link, Access Layer Only (MPLS VPN + DMVPN)
[Figure: one router with an MPLS VPN link (eBGP, BGP summary) and an Internet/DMVPN tunnel (EIGRP 200, EIGRP summary).]
Requires two separate WAN-facing routing protocol processes.

router bgp 65511
 bgp router-id 10.255.251.201
 network 10.5.44.0 mask 255.255.255.0
 network 10.5.45.0 mask 255.255.255.0
 network 10.255.251.201 mask 255.255.255.255
 network 192.168.3.20 mask 255.255.255.252
 aggregate-address 10.5.40.0 255.255.248.0 summary-only
 neighbor 192.168.3.22 remote-as 65401

router eigrp WAN-DMVPN-1
 !
 address-family ipv4 unicast autonomous-system 200
  !
  af-interface default
   passive-interface
  exit-af-interface
  !
  af-interface Tunnel10
   summary-address 10.5.40.0 255.255.248.0
   no passive-interface
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 10.4.34.0 0.0.1.255
  network 10.5.0.0 0.0.255.255
  network 10.255.0.0 0.0.255.255
  eigrp router-id 10.255.251.201
  eigrp stub connected summary
 exit-address-family
WAN Remote-Site Routing: Single-Router, Dual-Link, Access Layer Only (other transport combinations)
[Figure: MPLS VPN A + MPLS VPN B (BGP summary on each link); Internet DMVPN-1 + DMVPN-2 (EIGRP 200 and EIGRP 201, EIGRP summary on each tunnel); Layer 2 WAN + Internet DMVPN (EIGRP on the Layer 2 WAN and EIGRP 200 on the tunnel, EIGRP summary on each).]
Requires two separate WAN-facing routing protocol processes, except for dual MPLS, where a single BGP process peers with both carriers.
WAN Remote-Site Routing: Dual-Router, Dual-Link, Access Layer Only (MPLS VPN + DMVPN)
[Figure: one router with the MPLS VPN link (eBGP, BGP summary), the other with the Internet/DMVPN tunnel (EIGRP 200, EIGRP summary); the two routers exchange routes over the transit network with EIGRP 100.]
Requires separate WAN-facing and LAN-facing routing protocol processes. One-way redistribution is required on the MPLS router (BGP into EIGRP 100); the summary routes advertised toward the WAN make two-way redistribution unnecessary.

Router without the MPLS link, LAN-facing process only:
router eigrp LAN
 !
 address-family ipv4 unicast autonomous-system 100
  !
  af-interface default
   passive-interface
  exit-af-interface
  !
  af-interface Port-channel2.99
   no passive-interface
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 10.4.0.0 0.1.255.255
  network 10.255.0.0 0.0.255.255
  eigrp router-id 10.255.253.203
 exit-address-family

MPLS router, LAN-facing process with one-way redistribution of BGP:
router eigrp LAN
 !
 address-family ipv4 unicast autonomous-system 100
  !
  af-interface default
   passive-interface
  exit-af-interface
  !
  af-interface Port-channel1.99
   no passive-interface
  exit-af-interface
  !
  topology base
   default-metric 20000 100 255 1 1500
   redistribute bgp 65511
  exit-af-topology
  network 10.4.0.0 0.1.255.255
  network 10.255.0.0 0.0.255.255
  eigrp router-id 10.255.251.203
 exit-address-family
WAN Remote-Site Routing: Dual-Router, Dual-Link, Access Layer Only (other transport combinations)
[Figure: MPLS VPN A + MPLS VPN B (eBGP on each router, BGP summaries, iBGP between the routers); Internet DMVPN-1 + DMVPN-2 (EIGRP 200 and EIGRP 201, EIGRP summaries); Layer 2 WAN + Internet DMVPN (EIGRP 300 and EIGRP 200, EIGRP summaries). In each case EIGRP 100 runs between the two routers over the transit network.]
Requires separate WAN-facing and LAN-facing routing protocol processes.
Dual-Router WAN Remote-Site Design: Traffic In/Out the Same Interface
[Figure: R1 (.2) and R2 (.3) on Vlan64, 10.5.52.0/24, HSRP virtual address .1 with R1 as the active HSRP router; remote site 10.5.192.0/21 is reachable only through R2. R1's table: D EX 10.5.192.0/21 [170/xxxx] via 10.5.52.3.]
Host 10.5.52.10 sending data to remote-site host 10.5.192.10:
1. Host sends the packet to the HSRP active address (10.5.52.1)
2. Received by R1 on Gig0/1.64
3. R1 does a route lookup: next hop 10.5.52.3
4. R1 sends the packet to 10.5.52.3 via Gig0/1.64 (hairpin out the same interface)
5. Received by R2 on Gig0/1.64
6. Packet forwarded to the WAN and final destination
If WCCP is enabled inbound on the Gig0/1.64 interfaces, this causes a double redirect.

Dual-Router WAN Remote-Site Design: Introduce a Transit Network
[Figure: same site with Vlan99 as a transit network, 10.5.48.0/30, R1 .1 and R2 .2. R1's table: D EX 10.5.192.0/21 [170/xxxx] via 10.5.48.2.]
Host 10.5.52.10 sending data to remote-site host 10.5.192.10:
1. Host sends the packet to the HSRP active address (10.5.52.1)
2. Received by R1 on Gig0/1.64
3. R1 does a route lookup: next hop 10.5.48.2
4. R1 sends the packet to 10.5.48.2 via Gig0/1.99
5. Received by R2 on Gig0/1.99
6. Packet forwarded to the WAN and final destination
WCCP is not enabled on the transit network, so there is no double redirect.
WAN Remote-Site Routing: Distribution/Access Layer
[Figure: single-router site: router 1 connects to the distribution layer over an 802.1Q trunk (50), Vlan50 being the router 1 link; distribution-to-access trunks carry VLANs 100-101. Dual-router site: router 1 over an 802.1Q trunk (50, 99) and router 2 over an 802.1Q trunk (54, 99); Vlan50 is the router 1 link, Vlan54 the router 2 link and Vlan99 the transit network; access trunks carry VLANs 100-101 and 102-103. Each router runs EIGRP or BGP toward its WAN with summaries, and EIGRP 100 toward the distribution layer.]
Requires separate WAN-facing and LAN-facing routing protocol processes.
The WAN EIGRP process is either DMVPN (200/201) or Layer 2 WAN (300).
Best Practice: Implement an AS-Path Filter to Prevent a Remote Site from Becoming a Transit Network
• Dual-carrier sites can unintentionally become a transit network during a network failure event, causing congestion due to transit traffic
• Design the network so that a transit path between the two carriers only occurs at sites with enough bandwidth
• Implement an AS-path filter that allows only locally originated routes in the outbound updates of branches that should not be transit

router bgp 65511
 neighbor 192.168.4.10 route-map NO-TRANSIT-AS out
!
ip as-path access-list 10 permit ^$
!
route-map NO-TRANSIT-AS permit 10
 match as-path 10
[Figure: campus reachable over MPLS A and MPLS B; remote-site routers R1 (carrier A) and R2 (carrier B) with iBGP between them.]
Best Practice: Stub Routing to Improve Network Stability and Prevent Transit Sites
• The stub routing feature improves network stability, reduces resource utilization, and simplifies stub router configuration. Use it at all remote sites.
• Implement stub routing so that only locally originated (connected and summary) routes are advertised in the outbound updates of dual-router sites that should not be transit

router eigrp 200
 eigrp stub connected summary
[Figure: campus reachable over VPLS and DMVPN; remote-site routers A and B running EIGRP.]
DMVPN Deployment Considerations: How to Accommodate Multiple Default Routes on a VPN Hub Router
[Figure: Internet edge block with the ASA firewall's INSIDE, OUTSIDE and VPN-DMZ interfaces, the DMVPN hub, and a DMVPN spoke across the Internet; default routes shown on each device.]
• The VPN hub has a default route to the ASA firewall's VPN-DMZ interface to reach the Internet
• Remote-site policy requires centralized Internet access
• Enabling EIGRP between the VPN headend and the campus core to propagate a default to the remote sites does not change the hub's behaviour: the static default (administrative distance 1) remains active
• User traffic from the remote sites is therefore forwarded to the VPN-DMZ, the wrong firewall interface for user traffic
• Adjusting administrative distances so the EIGRP default route (to the core) wins instead makes the VPN tunnel drop

Enable a front-door VRF (FVRF) with DMVPN to permit two default routes:
• The VRF INET-PUBLIC contains the default route to the VPN-DMZ interface needed for tunnel establishment
• A second default route exists in the global routing table and is used by user traffic to reach the Internet

DMVPN Deployment over the Internet: No Split Tunneling at the Remote-Site Location
• To enforce centralized tunneling, the default route is advertised to the spokes via the tunnel (EIGRP)
• The spoke's tunnel drops because this second default route conflicts with the one learned from the ISP

Best Practice: VRF-Aware DMVPN, Keeping the Default Routes in Separate VRFs
• Enable FVRF DMVPN on the spokes
• Keep the ISP-learned default route in the VRF INET-PUBLIC and use it for tunnel establishment
• The global VRF contains the default route learned via the tunnel; user data traffic follows the tunnel to the INSIDE interface on the firewall
• Allows consistent implementation of the corporate security policy for all users
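Why a single routing table cannot hold both default routes, shown with an added Python model that is not part of the deck: a small per-VRF FIB with recursive resolution for GRE tunnel egress, built for the spoke side of the design above. The hub's public address, the ISP gateway and the Internet destination are constructed from documentation ranges; the administrative distances assumed are 90 for the EIGRP default learned over the tunnel and 254 for an ISP default learned by DHCP (a static ISP default, distance 1, is also tried).

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

HUB_PUBLIC = "192.0.2.10"        # DMVPN hub address on the VPN-DMZ (constructed)
ISP_GATEWAY = "203.0.113.1"      # the spoke's ISP next hop (constructed)
INTERNET_HOST = "198.51.100.25"  # some Internet destination (constructed)

Route = Tuple[ipaddress.IPv4Network, int, str]   # (network, administrative distance, egress)


class Fib:
    """Per-VRF table: longest prefix wins, then lowest administrative distance."""

    def __init__(self) -> None:
        self.tables: Dict[str, List[Route]] = {}

    def add(self, vrf: str, prefix: str, ad: int, interface: str) -> None:
        self.tables.setdefault(vrf, []).append((ipaddress.ip_network(prefix), ad, interface))

    def lookup(self, vrf: str, dst: str) -> Optional[Route]:
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.tables.get(vrf, []) if addr in r[0]]
        return min(hits, key=lambda r: (-r[0].prefixlen, r[1]), default=None)


def forward(fib: Fib, tunnels: Dict[str, dict], vrf: str, dst: str) -> List[str]:
    """Egress chain for dst. A GRE tunnel egress is resolved again for the tunnel
    destination in the tunnel's transport VRF (global unless 'tunnel vrf' is set).
    A tunnel that resolves through itself is the condition IOS reports as
    %TUN-5-RECURDOWN and shuts the tunnel; it is returned here as 'recursive-routing'."""
    chain: List[str] = []
    while True:
        hit = fib.lookup(vrf, dst)
        if hit is None:
            return chain + ["no-route"]
        egress = hit[2]
        if egress in chain:
            return chain + ["recursive-routing"]
        chain.append(egress)
        if egress not in tunnels:
            return chain
        vrf, dst = tunnels[egress]["transport_vrf"], tunnels[egress]["destination"]


def spoke(fvrf: bool, isp_ad: int = 254) -> Tuple[Fib, Dict[str, dict]]:
    """DMVPN spoke with centralized Internet access: the hub advertises a default
    over the tunnel (EIGRP, AD 90); the ISP default has distance isp_ad."""
    fib = Fib()
    transport_vrf = "INET-PUBLIC" if fvrf else "global"
    fib.add(transport_vrf, "0.0.0.0/0", isp_ad, "GigabitEthernet0/0")   # ISP default
    fib.add("global", "0.0.0.0/0", 90, "Tunnel10")                     # default via the hub
    fib.add("global", "10.5.52.0/24", 0, "GigabitEthernet0/1.64")      # site LAN, connected
    tunnels = {"Tunnel10": {"destination": HUB_PUBLIC, "transport_vrf": transport_vrf}}
    return fib, tunnels


if __name__ == "__main__":
    for fvrf in (False, True):
        fib, tunnels = spoke(fvrf)
        print("FVRF" if fvrf else "single table", "->", forward(fib, tunnels, "global", INTERNET_HOST))
```

Without the front-door VRF the tunnel-learned default wins in the global table, the tunnel destination is then looked up through the same default, and the tunnel resolves through itself. Trying the other way round with `spoke(False, isp_ad=1)` keeps the tunnel up but sends user traffic straight to the ISP, the split-tunnel case the policy forbids. With the FVRF the hub address is resolved in INET-PUBLIC and user traffic follows the tunnel.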
Avoid Fragmentation when Tunneling
• IP fragmentation causes CPU and memory overhead and results in lower throughput
• When one fragment of a datagram is dropped, the entire original IP datagram has to be resent
• Use 'mode transport' on the transform set: NHRP requires it for NAT support, and it saves 20 bytes of overhead
• Avoid MTU issues with the following best practices, applied on the WAN-facing interface or the tunnel:
  ip mtu 1400
  ip tcp adjust-mss 1360
[Figure: GRE+IPsec tunnel between two MTU 1500 segments, with the tunnel MTU set to 1400.]

Tunnel Setting (esp-aes 256 esp-sha-hmac) | Maximum MTU | Recommended MTU
GRE/IPsec (tunnel mode) | 1414 bytes | 1400 bytes
GRE/IPsec (transport mode) | 1434 bytes | 1400 bytes
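Where the 1414 and 1434 byte figures come from, as an added Python example (not from the deck) that reproduces the table for the slide's esp-aes 256 esp-sha-hmac transform set and derives the recommended ip mtu / tcp adjust-mss pair. The header sizes are the protocol constants: IPv4 20, GRE 4, ESP header 8, AES-CBC IV 16, ESP trailer 2 (pad length and next header), HMAC-SHA1-96 ICV 12, and ESP pads the encrypted part up to the 16-byte AES block.

```python
IP_HDR, GRE_HDR, TCP_HDR = 20, 4, 20
ESP_HDR, AES_IV, ESP_TRAILER, SHA1_ICV, AES_BLOCK = 8, 16, 2, 12, 16


def esp_packet_size(inner_len: int, mode: str) -> int:
    """Size on the wire of an inner_len-byte payload after GRE + ESP encapsulation."""
    if mode == "tunnel":
        # ESP wraps the whole GRE/IP packet and prepends a new outer IP header.
        plaintext = IP_HDR + GRE_HDR + inner_len
    elif mode == "transport":
        # ESP protects only the GRE header and payload; the GRE packet's own IP header
        # is reused as the outer header, which is where the 20 bytes are saved.
        plaintext = GRE_HDR + inner_len
    else:
        raise ValueError(f"unknown IPsec mode {mode!r}")
    padded = -(-(plaintext + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK   # round up to a block
    return IP_HDR + ESP_HDR + AES_IV + padded + SHA1_ICV


def max_tunnel_mtu(mode: str, link_mtu: int = 1500) -> int:
    """Largest 'ip mtu' on the tunnel whose encapsulated packet never exceeds link_mtu."""
    size = link_mtu
    while esp_packet_size(size, mode) > link_mtu:
        size -= 1
    return size


def adjust_mss(tunnel_mtu: int) -> int:
    """TCP MSS that keeps a full segment inside tunnel_mtu (IP and TCP headers removed)."""
    return tunnel_mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        print(f"GRE/IPsec {mode} mode: maximum MTU {max_tunnel_mtu(mode)} bytes")
    print(f"ip mtu 1400 -> ip tcp adjust-mss {adjust_mss(1400)}")
```

The recommended 1400 is deliberately below both maxima, leaving room for a different transform set or an extra header without recalculating; the 1360 MSS is simply 1400 minus the IP and TCP headers.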
Dual-Router WAN Resilient Remote-Site Design: Routing to the Primary Site
[Figure: R1 (.2) and R2 (.3) on Vlan64 with HSRP virtual address .1, R1 the active HSRP router; Vlan99 transit network 10.5.48.0/30 with R1 .1 and R2 .2; R1's MPLS next hop is 192.168.3.26. R1's table: B* 10.4.0.0/20 [20/0] via 192.168.3.26.]
Host 10.5.52.10 sending data to the primary site (10.4.0.x):
1. Host sends the packet to the HSRP active address (10.5.52.1)
2. Received by R1 on Gig0/1.64
3. R1 does a route lookup: next hop 192.168.3.26
4. Packet forwarded to the WAN and final destination

Dual-Router WAN Resilient Remote-Site Design: Suboptimal Routing After Primary WAN Failure
[Figure: same site after the MPLS link fails, R1 still the active HSRP router. R1's table: D EX 10.4.0.0/20 [170/xxxx] via 10.5.48.2.]
Host 10.5.52.10 sending data to the primary site (10.4.0.x):
1. Host sends the packet to the HSRP active address (10.5.52.1)
2. Received by R1 on Gig0/1.64
3. R1 does a route lookup: next hop 10.5.48.2
4. R1 sends the packet to 10.5.48.2 via Gig0/1.99
5. Received by R2 on Gig0/1.99
6. Packet forwarded to the WAN and final destination

Dual-Router WAN Resilient Remote-Site Design: Enhanced Object Tracking (EOT) with HSRP
[Figure: IP SLA probe from R1's Gig0/0 to the MPLS next hop 192.168.3.26.]
R1#
ip sla 100
 icmp-echo 192.168.3.26 source-interface GigabitEthernet0/0
 timeout 1000
 threshold 1000
 frequency 15
ip sla schedule 100 life forever start-time now
track 50 ip sla 100 reachability
interface GigabitEthernet0/1.64
 encapsulation dot1Q 64
 ip address 10.5.52.2 255.255.255.0
 standby 1 ip 10.5.52.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 50 decrement 10

R2#
interface GigabitEthernet0/1.64
 encapsulation dot1Q 64
 ip address 10.5.52.3 255.255.255.0
 standby 1 ip 10.5.52.1
 standby 1 priority 105
 standby 1 preempt

Dual-Router WAN Resilient Remote-Site Design: Enhanced Object Tracking (EOT) with HSRP (continued)
[Figure: after the probe fails, R2 is the active HSRP router. R2's table: D EX 10.4.0.0/20 [170/xxxx] via 10.4.34.1 (the DMVPN hub).]
R2# show standby brief
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/1.64    1    105 P Active  local           10.5.52.2       10.5.52.1

R1#
08:59:00.117: %TRACKING-5-STATE: 50 ip sla 100 reachability Up->Down
08:59:01.321: %HSRP-5-STATECHANGE: GigabitEthernet0/1.64 Grp 1 state Active -> Speak
08:59:12.569: %HSRP-5-STATECHANGE: GigabitEthernet0/1.64 Grp 1 state Speak -> Standby
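The HSRP election behind those log lines, as an added Python example that is not part of the deck. Priorities (110 and 105), the tracked object and its decrement, and the interface addresses are the ones on the slide; the margin helper that checks the decrement against the priority gap is an addition, because a decrement smaller than the gap is the classic way this design silently fails to fail over.

```python
import ipaddress
from typing import Dict

# HSRP group 1 on Vlan64, both routers configured with preempt (from the slide).
ROUTERS: Dict[str, dict] = {
    "R1": {"ip": "10.5.52.2", "priority": 110, "track": {50: 10}},   # track 50 decrement 10
    "R2": {"ip": "10.5.52.3", "priority": 105, "track": {}},
}


def effective_priority(router: dict, track_state: Dict[int, bool]) -> int:
    """HSRP priority after subtracting the decrement of every tracked object that is down."""
    return router["priority"] - sum(dec for obj, dec in router["track"].items()
                                    if not track_state.get(obj, True))


def hsrp_active(routers: Dict[str, dict], track_state: Dict[int, bool]) -> str:
    """Election with preempt on both routers: highest effective priority wins,
    and a tie goes to the higher interface address."""
    return max(routers, key=lambda name: (effective_priority(routers[name], track_state),
                                          int(ipaddress.ip_address(routers[name]["ip"]))))


def failover_margin(routers: Dict[str, dict], primary: str, backup: str, obj: int) -> int:
    """How far the primary drops below the backup when tracked object obj goes down.
    Must be positive, or the WAN failure never moves the virtual IP to the backup."""
    down = {obj: False}
    return effective_priority(routers[backup], down) - effective_priority(routers[primary], down)


if __name__ == "__main__":
    for state in ({50: True}, {50: False}):
        print(f"track 50 {'up' if state[50] else 'down'}: active router {hsrp_active(ROUTERS, state)}")
    print("failover margin:", failover_margin(ROUTERS, "R1", "R2", 50))
```

Pair the check with the IP SLA settings: with `frequency 15` and a 1000 ms timeout the track object flips roughly 15 seconds after the MPLS next hop stops answering, which matches the gap between the tracking and HSRP messages in the R1 log above.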
3G/4G Wireless WAN: Select the 3G or 4G Technology Option
[Figure: remote-site router with a cellular Dialer1 interface and a VPN tunnel over the 3G/4G wireless WAN.]
Remote-site router configuration:
1. Configure the WAN remote router (GSM-, CDMA- or LTE-specific steps)
2. Configure VRF Lite
3. Configure the cellular interface
4. Configure the dialer watch-list
5. Configure VRF-specific default routing
6. Apply the access list
7. Configure ISAKMP and IPsec
8. Configure the mGRE tunnel
9. Configure EIGRP
10. Configure IP multicast
Remote Site with a 3G or 4G/LTE Wireless WAN: the best practice uses a dialer watch-list.
Wireless WAN with 4G/LTE: Direct IP Encapsulation
[Figure: single router R1 with Ce0/0/0 on the 4G wireless WAN and a VPN tunnel; Vlan64 data on the LAN side; no HSRP required.]
• Direct IP requires the SLIP encapsulation keyword
• No PPP authentication parameters are required
• No profile is required
R1#
chat-script LTE "" "AT!CALL1" TIMEOUT 20 "OK"
interface Cellular0/0/0
 bandwidth 8000
 ip vrf forwarding INET-PUBLIC1
 ip address negotiated
 ip access-group ACL-INET-PUBLIC in
 no ip unreachables
 encapsulation slip
 dialer in-band
 dialer idle-timeout 0
 dialer string LTE
 dialer watch-group 1
 no peer default ip address
 async mode interactive
!
ip route vrf INET-PUBLIC1 0.0.0.0 0.0.0.0 Cellular0/0/0
!
dialer watch-list 1 ip 127.0.0.255 255.255.255.255
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
!
line 0/0/0
 script dialer LTE
 modem InOut
 no exec
Wireless WAN with 3G (GSM and CDMA): Different Encapsulation Methods
CDMA example:
chat-script CDMA "" "ATDT#777" TIMEOUT 30 "CONNECT"
!
interface Cellular0/0/0
 bandwidth 1800
 ip vrf forwarding INET-PUBLIC1
 ip address negotiated
 ip access-group ACL-INET-PUBLIC in
 no ip unreachables
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 0
 dialer string CDMA
 dialer watch-group 1
 no peer default ip address
 async mode interactive
!
ip route vrf INET-PUBLIC1 0.0.0.0 0.0.0.0 Cellular0/0/0
!
dialer watch-list 1 ip 127.0.0.255 255.255.255.255
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
!
line 0/0/0
 script dialer CDMA
 modem InOut
 no exec

GSM example (a router with GSM must also create a profile):
R1# cellular 0/0/0 gsm profile create 1 isp.cingular
chat-script GSM "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
!
interface Cellular0/0/0
 bandwidth 384
 ip vrf forwarding INET-PUBLIC1
 ip address negotiated
 ip access-group ACL-INET-PUBLIC in
 no ip unreachables
 encapsulation slip
 dialer in-band
 dialer idle-timeout 0
 dialer string GSM
 dialer watch-group 1
 no peer default ip address
 async mode interactive
!
ip route vrf INET-PUBLIC1 0.0.0.0 0.0.0.0 Cellular0/0/0
!
dialer watch-list 1 ip 127.0.0.255 255.255.255.255
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
!
line 0/0/0
 script dialer GSM
 modem InOut
 no exec
Wireless WAN with 3G/4G Backup: Enhanced Object Tracking (EOT) with EEM Scripts
[Figure: single router R1 with the primary WAN link and Ce0/0/0 on the 3G/4G wireless WAN; IP SLA probe toward the primary WAN next hop; Vlan64 data on the LAN side; no HSRP required.]
R1#
ip sla 100
 icmp-echo 192.168.3.26 source-interface GigabitEthernet0/0
 timeout 1000
 threshold 1000
 frequency 15
ip sla schedule 100 life forever start-time now
track 60 ip sla 100 reachability
event manager applet ACTIVATE-4G
 event track 60 state down
 action 1 cli command "enable"
 action 2 cli command "configure terminal"
 action 3 cli command "interface cellular0/0/0"
 action 4 cli command "no shutdown"
 action 5 cli command "end"
 action 99 syslog msg "Activating 4G interface"

R1#
14:22:14: %TRACKING-5-STATE: 60 ip sla 100 reachability Up->Down
14:22:14: %SYS-5-CONFIG_I: Configured from console by on vty0 (EEM:ACTIVATE-4G)
14:22:14: %HA_EM-6-LOG: ACTIVATE-4G: Activating 4G interface
14:22:34: %LINK-3-UPDOWN: Interface Cellular0/0/0, changed state to up
14:22:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0/0/0, changed state to up
14:22:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel10, changed state to up
14:22:40: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
14:22:42: %DUAL-5-NBRCHANGE: EIGRP-IPv4 200: Neighbor 10.4.34.1 (Tunnel11) is up: new adjacency
Note: this method is also compatible with a dual-router design (the probes are then sent from R2).
Wireless WAN with a 3G/4G-Only Link: Time-Based Connection with EEM Scripts
[Figure: single router R1 with Ce0/0/0 on the 3G/4G wireless WAN and a VPN tunnel; Vlan64 data on the LAN side; no HSRP required.]
• Limit connection time to reduce usage charges
• The EEM scripts leverage cron timers
• Additional scripting or enhancements can allow a manual override for weekend or after-hours use
R1#
event manager applet TIME-OF-DAY-ACTIVATE-3G
 event timer cron cron-entry "45 4 * * 1-5"
 action 1 cli command "enable"
 action 2 cli command "configure terminal"
 action 3 cli command "interface cellular0/0/0"
 action 4 cli command "no shutdown"
 action 5 cli command "end"
 action 99 syslog msg "M-F @ 4:45AM Activating 3G interface"
event manager applet TIME-OF-DAY-DEACTIVATE-3G
 event timer cron cron-entry "15 18 * * 1-5"
 action 1 cli command "enable"
 action 2 cli command "configure terminal"
 action 3 cli command "interface cellular0/0/0"
 action 4 cli command "shutdown"
 action 5 cli command "end"
 action 99 syslog msg "M-F @ 6:15PM Deactivating 3G interface"
WAN Quality of Service: Defining QoS Classes
Class of Service | Traffic Type | DSCP Value(s) | Bandwidth (%) | Congestion Avoidance
VOICE | Voice traffic | ef | 10 (PQ) |
INTERACTIVE-VIDEO | Interactive video (video conferencing) | cs4, af41 | 23 (PQ) |
CRITICAL-DATA | Highly interactive (such as Telnet, Citrix, and Oracle thin clients) | cs3, af31 | 15 | DSCP based
DATA | Data | af21 | 19 | DSCP based
SCAVENGER | Scavenger | cs1, af11 | 5 |
NETWORK-CRITICAL | Routing protocols; operations, administration and maintenance (OAM) traffic | cs2, cs6 | 3 |
class-default | Best effort | other | 25 | random

All WAN routers:
class-map match-any VOICE
 match dscp ef
class-map match-any INTERACTIVE-VIDEO
 match dscp cs4 af41
class-map match-any CRITICAL-DATA
 match dscp cs3 af31
class-map match-any DATA
 match dscp af21
class-map match-any SCAVENGER
 match dscp cs1 af11
class-map match-any NETWORK-CRITICAL
 match dscp cs2 cs6

For MPLS CE routers:
class-map match-any BGP-ROUTING
 match protocol bgp
policy-map MARK-BGP
 class BGP-ROUTING
  set dscp cs6

For DMVPN routers:
ip access-list extended ISAKMP
 permit udp any eq isakmp any eq isakmp
class-map match-any NETWORK-CRITICAL
 match access-group name ISAKMP
WAN Quality of Service: Implementing WAN QoS (Layer 3)
[Figure: Layer 3 queuing subsystem. Packets in: VOICE and INTERACTIVE-VIDEO go to the policed priority queue (Low Latency Queuing); CRITICAL-DATA, DATA, SCAVENGER, NETWORK-CRITICAL and class-default go to CBWFQ, class-default with fair queuing; all feed the Layer 2 queuing subsystem.]
policy-map WAN
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
  random-detect dscp-based
 class DATA
  bandwidth percent 19
  random-detect dscp-based
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
  service-policy MARK-BGP
 class class-default
  bandwidth percent 25
  random-detect
Congestion avoidance: random-detect enables Random Early Detection (RED); random-detect dscp-based enables DSCP-based Weighted Random Early Detection (WRED).
WAN Quality of Service: Implementing WAN QoS (Layer 2)
Traffic Shaping
• Policers typically drop traffic
• Shapers typically delay excess traffic, smoothing bursts and preventing unnecessary drops
• Very common with Ethernet WAN, as well as with Non-Broadcast Multiple-Access (NBMA) topologies such as Frame Relay and ATM
[Figure: without traffic shaping, transmission bursts to line rate; with traffic shaping, the transmit rate is limited to a shaped rate below line rate.]
Traffic shaping limits the transmit rate to a value lower than line rate.

LFI, Shaping and Serialization
[Figure: Layer 2 queuing subsystem. From the Layer 3 queuing subsystem: shaping, then fragment and interleave (LFI), then the TX ring, then packets out. LFI is typically only used below 768 kbps.]
policy-map WAN-INTERFACE-G0/0/4
 class class-default
  shape average 300000000
  service-policy WAN
interface GigabitEthernet0/0/4
 bandwidth 300000
 service-policy output WAN-INTERFACE-G0/0/4
DMVPN Per-Tunnel QoS: Per-Site Shaping to Avoid Overruns
[Figure: DMVPN hub with a 500 Mbps 802.1Q trunk toward the Internet (shape only, 500 Mbps); spoke CE routers with committed rates of 50, 50, 20, 20, 10 and 10 Mbps.]
500 Mbps into the DMVPN cloud can easily overrun the lower-speed committed rates at the spoke sites.

DMVPN Hub Per-Tunnel QoS: Implementing Per-Site Traffic Shaping
policy-map WAN-INTERFACE-G0/0/3-SHAPE-ONLY
 class class-default
  shape average 500000000
!
interface GigabitEthernet0/0/3
 bandwidth 100000
 service-policy output WAN-INTERFACE-G0/0/3-SHAPE-ONLY
!
interface Tunnel10
 nhrp map group RS-GROUP-50MBPS service-policy output RS-GROUP-50MBPS-POLICY
 nhrp map group RS-GROUP-20MBPS service-policy output RS-GROUP-20MBPS-POLICY
 nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY
List all available policies as map groups on the hub tunnel interface, with a separate shaper policy for each remote-site bandwidth:
policy-map RS-GROUP-50MBPS-POLICY
 class class-default
  shape average 50000000
  service-policy WAN
policy-map RS-GROUP-20MBPS-POLICY
 class class-default
  shape average 20000000
  service-policy WAN
policy-map RS-GROUP-10MBPS-POLICY
 class class-default
  shape average 10000000
  service-policy WAN
Spoke Tunnel Configurations
50 Mbps spoke:
interface GigabitEthernet0/0
bandwidth 50000
service-policy output WAN-INTERFACE-G0/0
!
interface Tunnel10
bandwidth 50000
nhrp group RS-GROUP-50MBPS
tunnel source GigabitEthernet0/0
20 Mbps spoke:
interface GigabitEthernet0/0
bandwidth 20000
service-policy output WAN-INTERFACE-G0/0
!
interface Tunnel10
bandwidth 20000
nhrp group RS-GROUP-20MBPS
tunnel source GigabitEthernet0/0
10 Mbps spoke:
interface GigabitEthernet0/0
bandwidth 10000
service-policy output WAN-INTERFACE-G0/0
!
interface Tunnel10
bandwidth 10000
nhrp group RS-GROUP-10MBPS
tunnel source GigabitEthernet0/0
Figure: hub parent shaper (500 Mbps) with per-tunnel shapers of 50, 20 and 10 Mbps matching each spoke's committed rate
Figure: hub on an 802.1q trunk shaped to 500 Mbps, reaching CE routers at remote sites whose committed rates are 10, 50 and 20 Mbps; remote-site subnets 10.5.144.0/21, 10.5.152.0/21, 10.5.168.0/21 and 10.5.176.0/21
500 Mbps into the WAN can easily overrun the lower-speed committed rates at remote sites.
Layer 2 WAN QoS: Per-Site Shaping to Avoid Overruns
policy-map POLICY-MAP-L2-WAN-BACKBONE-WITH-PER-SITE-SHAPERS
class NETWORK-CRITICAL
bandwidth percent 3
class CLASS-MAP-RS210
shape average 10000000
service-policy POLICY-MAP-RS210
class CLASS-MAP-RS212
shape average 20000000
service-policy POLICY-MAP-RS212
ip access-list extended RS210-10.5.144.0
permit ip any 10.5.144.0 0.0.7.255
!
class-map match-all CLASS-MAP-RS210
match access-group name RS210-10.5.144.0
policy-map POLICY-MAP-RS210
class VOICE
priority percent 10
class INTERACTIVE-VIDEO
priority percent 23
class CRITICAL-DATA
bandwidth percent 15
random-detect dscp-based
class DATA
bandwidth percent 19
random-detect dscp-based
class SCAVENGER
bandwidth percent 5
class NETWORK-CRITICAL
bandwidth percent 3
class class-default
bandwidth percent 25
random-detect
ip access-list extended RS212-10.5.168.0
permit ip any 10.5.168.0 0.0.7.255
!
class-map match-all CLASS-MAP-RS212
match access-group name RS212-10.5.168.0
policy-map POLICY-MAP-RS212
class VOICE
priority percent 10
class INTERACTIVE-VIDEO
priority percent 23
class CRITICAL-DATA
bandwidth percent 15
random-detect dscp-based
class DATA
bandwidth percent 19
random-detect dscp-based
class SCAVENGER
bandwidth percent 5
class NETWORK-CRITICAL
bandwidth percent 3
class class-default
bandwidth percent 25
random-detect
Per-destination class maps select each site's subnet, and per-destination service policies shape to 10 Mbps for RS210 and 20 Mbps for RS212.
Layer 2 WAN Quality of Service: Implementing Per-Site Traffic Shaping
policy-map POLICY-MAP-L2-WAN-BACKBONE-WITH-PER-SITE-SHAPERS
class NETWORK-CRITICAL
bandwidth percent 3
class CLASS-MAP-RS210
shape average 10000000
service-policy POLICY-MAP-RS210
class CLASS-MAP-RS212
shape average 20000000
service-policy POLICY-MAP-RS212
Child shapers: shape to 10 Mbps for RS210 and 20 Mbps for RS212.
policy-map WAN-INTERFACE-G0/0/4
class class-default
shape average 500000000
service-policy POLICY-MAP-L2-WAN-BACKBONE-WITH-PER-SITE-SHAPERS
Parent shaper: shape to 500 Mbps aggregate.
Figure: parent shaper (500 Mbps) with child shapers of 10, 50 and 20 Mbps
Layer 2 WAN Quality of Service: Implementing Per-Site Traffic Shaping (continued)
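The per-tunnel DMVPN shapers and the Layer 2 WAN parent/child shapers above share one failure mode: a child shaper faster than its parent, or a queuing policy whose percentages cannot be honoured, silently undoes the per-site protection. The following Python is an added example (not CVD or Cisco code) that parses IOS policy-map text into a tree and flags those two conditions; the sample config is constructed from the page's syntax with the backbone policy name shortened.

```python
# Constructed sample in IOS syntax (not the CVD's own config): a 500 Mbps interface
# shaper whose child policy shapes one 10 Mbps site and nests that site's queuing policy.
SAMPLE_CONFIG = """\
policy-map WAN-INTERFACE-G0/0/4
 class class-default
  shape average 500000000
  service-policy BACKBONE
policy-map BACKBONE
 class CLASS-MAP-RS210
  shape average 10000000
  service-policy POLICY-MAP-RS210
policy-map POLICY-MAP-RS210
 class VOICE
  priority percent 10
 class class-default
  bandwidth percent 25
  random-detect
"""

KEYS = (("shape average ", "shape"), ("priority percent ", "priority"),
        ("bandwidth percent ", "bandwidth"), ("service-policy ", "child"))

def parse_policy_maps(text):
    """Parse policy-map blocks into {policy: {class: {shape, priority, bandwidth, child}}}."""
    pmaps, cur_pm, cur_cls = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            cur_pm, cur_cls = pmaps.setdefault(line.split()[1], {}), None
        elif line.startswith("class ") and cur_pm is not None:
            cur_cls = cur_pm.setdefault(line.split()[1], {})
        elif cur_cls is not None:
            for prefix, key in KEYS:      # other lines (random-detect, '!') are ignored
                if line.startswith(prefix):
                    val = line[len(prefix):].split()[0]
                    cur_cls[key] = val if key == "child" else int(val)
    return pmaps

def check_hierarchy(pmaps, policy, parent_rate=None):
    """Walk a parent/child policy tree; return findings (empty list = consistent)."""
    if policy not in pmaps:
        return [f"{policy}: referenced but never defined"]
    findings, classes = [], pmaps[policy]
    pct = sum(c.get("priority", 0) + c.get("bandwidth", 0) for c in classes.values())
    if pct > 100:
        findings.append(f"{policy}: priority+bandwidth percent sums to {pct} (>100)")
    for name, c in classes.items():
        if parent_rate is not None and c.get("shape", 0) > parent_rate:
            findings.append(f"{policy}/{name}: shape {c['shape']} exceeds parent {parent_rate}")
        if "child" in c:  # a nested service-policy is capped by this class's own shaper
            findings.extend(check_hierarchy(pmaps, c["child"], c.get("shape", parent_rate)))
    return findings
```

Run `check_hierarchy(parse_policy_maps(text), "WAN-INTERFACE-G0/0/4")` against a candidate config; the same walk covers the DMVPN hub case by starting at the WAN-INTERFACE-G0/0/3-SHAPE-ONLY parent and each RS-GROUP policy.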
• WAN CVD Overview
• WAN CVD Design Methodology
• Key Aspects of the Design
• Summary
Agenda
Summary
• The CVD WAN design methodology allows for either a small or large scale initial deployment.
• Flexibility is built into the WAN and remote-site design. Adding additional scale, resiliency or capabilities is straightforward.
• The CVD WAN design uses advanced features and capabilities. Each is documented in a prescriptive manner.
• Route-maps ensure routing stability
• F-VRF DMVPN permits spoke-spoke with central tunneling
• Multiple WAAS design models
• EEM scripts extend capabilities of EOT
Cisco Validated Design Guides - Feedback
Every CVD guide has a feedback link: http://cvddocs.com/feedback
CVD team members will respond to ALL feedback requests.
We appreciate your feedback and have updated documents specifically to address topics that have generated feedback.
Cisco Validated Designs for Enterprise WAN:
MPLS WAN Design Guide
Layer 2 WAN Design Guide
VPN WAN Design Guide
http://www.cisco.com/go/cvd/wan
Design Guide | Transports | Usage | WAN Aggregation Design Models
MPLS WAN | MPLS L3 VPN | Primary/Secondary | Dual MPLS, MPLS Dynamic, MPLS Static
Layer 2 WAN | Layer 2 WAN | Primary | Trunked Demarcation, Simple Demarcation
VPN WAN | Internet/DMVPN | Primary/Secondary | Dual DMVPN, DMVPN Only, DMVPN Backup Dedicated, DMVPN Backup Shared
Remote Sites Using Local Internet Access | Internet/DMVPN (with Local Internet) | Primary/Secondary | Remote site only
VPN Remote Site over 3G/4G | 3G/4G Internet/DMVPN | Primary/Secondary | Remote site only
Group Encrypted Transport VPN | MPLS L3 VPN, Layer 2 WAN | Primary/Secondary, Primary | Compatible with all design models
Now You Can Build This!
Related Sessions
• BRKCRS-2030: Wired LAN Deployment Using the Cisco Validated Design for Campus
• BRKRST-2041: WAN Architectures and Design Principles
• BRKCRS-2042: Highly Available Wide Area Network Design
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you
Figure: distribution-layer wireless LAN integration at a remote site. 802.1q trunks to the routers carry Vlan50 (router 1 link), Vlan54 (router 2 link) and Vlan99 (transit); access trunks carry Vlan100/Vlan101 (data/voice), Vlan102/Vlan103 (data/voice), Vlan106 (management), VlanWD (wireless data) and VlanWV (wireless voice). No HSRP required. A WLAN controller is required for the distribution-layer design to support roaming.
WAN Remote Site Reference Design: Distribution Layer Wireless LAN Integration
Figure: dual-router remote site; R1 connects to the MPLS VPN via eBGP, R2 to DMVPN over the Internet via EIGRP(200); EIGRP(100) runs on the LAN between R1 and R2
R1 (BGP summary):
interface Loopback0
ip address 10.5.48.254 255.255.255.255
router bgp 65511
bgp router-id 10.5.48.254
network 10.5.52.0 mask 255.255.255.0
network 10.5.53.0 mask 255.255.255.0
network 192.168.3.20 mask 255.255.255.252
aggregate-address 10.5.48.0 255.255.248.0 summary-only
neighbor 192.168.3.22 remote-as 65401
no auto-summary
R2 (EIGRP summary):
interface Loopback0
ip address 10.5.48.253 255.255.255.255
router eigrp 200
network 10.4.34.0 0.0.1.255
network 10.5.0.0 0.0.255.255
passive-interface default
no passive-interface Tunnel10
eigrp router-id 10.5.48.253
eigrp stub connected summary
interface Tunnel10
ip summary-address eigrp 200 10.5.48.0 255.255.248.0
Summaries are advertised via both links, but the best path is via the primary.
When the primary link is operational, both loopbacks are reachable via the primary link.
WAN Remote-Site Loopback Routing: Initial Approach – Loopbacks within Summary Route (1)
Figure: same dual-router remote site (R1 on MPLS VPN via eBGP, R2 on DMVPN over the Internet via EIGRP(200), EIGRP(100) on the LAN), now with the primary link failed
After a primary link failure, only the summary learned via the secondary path (the EIGRP summary) is reachable. Both loopbacks are reachable via the secondary path.
WAN Remote-Site Loopback Routing: Initial Approach – Loopbacks within Summary Route (2)
Figure: same dual-router remote site (R1 on MPLS VPN via eBGP, R2 on DMVPN over the Internet via EIGRP(200), EIGRP(100) on the LAN), now with the LAN interconnect between R1 and R2 failed
If the LAN interconnect between the routers goes down and the primary link remains operational, the summary remains advertised via the primary link (BGP summary) as well as via the secondary (EIGRP summary).
R2 has a route to the WAN-aggregation site, but return traffic follows the best summary route and is delivered to R1.
The R2 loopback is unreachable: traffic from the HQ site is blackholed down the primary link.
WAN Remote-Site Loopback Routing: Initial Approach – Loopbacks within Summary Route (3)
Must be tolerant of various remote-site failures:
• LAN switch failure
• Primary or backup WAN failure
Must work with both single- and dual-router topologies.
WAN Transport (all sites use 10.255.0.0/16) | Third Octet | Fourth Octet | Example Router | Example Loopback0
MPLS A | 251 | Site # | RS203-2921-1 | 10.255.251.203
MPLS B | 252 | Site # | RS202-2911 | 10.255.252.202
DMVPN 1 | 253 | Site # | RS203-2921-2 | 10.255.253.203
DMVPN 2 | 254 | Site # | RS232-2921-2 | 10.255.254.232
MetroE | 255 | Site # | RS213-2911 | 10.255.255.213
Use a unique network range for loopbacks that is not summarized.
This creates a host route (/32) for each WAN remote-site router.
WAN Remote-Site Loopback Routing: Ensure Reachability of Remote-Site Routers for All Failure Scenarios
Figure: single router connected to the MPLS VPN via eBGP
router bgp 65511
bgp router-id 10.255.251.204
network 10.255.251.204 mask 255.255.255.255
neighbor 192.168.3.30 remote-as 65401
interface Loopback0
ip address 10.255.251.204 255.255.255.255
The BGP network statement advertises the router's loopback as a host route.
WAN Remote-Site Loopback Routing: BGP Configuration for Single-Router
Figure: single router connected to DMVPN over the Internet via EIGRP(200)
router eigrp 200
network 10.255.0.0 0.0.255.255
eigrp router-id 10.255.253.205
interface Loopback0
ip address 10.255.253.205 255.255.255.255
The EIGRP network statement covers all loopbacks (10.255.0.0/16).
WAN Remote-Site Loopback Routing: EIGRP Configuration for Single-Router
Figure: single router with two links, MPLS VPN (eBGP, primary) and DMVPN over the Internet (EIGRP(200), backup)
Choose the loopback from the address block of the primary link for a single-router, dual-link remote site.
interface Loopback0
ip address 10.255.251.201 255.255.255.255
router bgp 65511
bgp router-id 10.255.251.201
network 10.255.251.201 mask 255.255.255.255
neighbor 192.168.3.22 remote-as 65401
router eigrp 200
network 10.255.0.0 0.0.255.255
eigrp router-id 10.255.251.201
BGP advertises the loopback explicitly; the EIGRP network statement covers all loopbacks.
WAN Remote-Site Loopback Routing: Configuration for Single-Router (MPLS with DMVPN Backup)
Figure: dual-router remote site; R1 connects to the MPLS VPN via eBGP, R2 to DMVPN over the Internet via EIGRP(200); EIGRP(100) runs on the LAN between R1 and R2
Uses the LAN-facing routing protocol process to advertise the R2 loopback to R1 (and the R1 loopback to R2).
R2:
interface Loopback0
ip address 10.255.253.203 255.255.255.255
router eigrp 100
network 10.255.0.0 0.0.255.255
eigrp router-id 10.255.253.203
R1:
interface Loopback0
ip address 10.255.251.203 255.255.255.255
router eigrp 100
network 10.255.0.0 0.0.255.255
eigrp router-id 10.255.251.203
WAN Remote-Site Loopback Routing: Configuration for Dual-Router (MPLS with DMVPN Backup)
Figure: dual-router remote site (R1 on MPLS VPN via eBGP, R2 on DMVPN over the Internet via EIGRP(200), EIGRP(100) on the LAN); loopbacks are carried in BGP on R1 and in EIGRP on R2
R1 (BGP): both loopbacks need to be explicitly listed in the BGP configuration.
router bgp 65511
bgp router-id 10.255.251.203
network 10.255.251.203 mask 255.255.255.255
network 10.255.253.203 mask 255.255.255.255
R2 (EIGRP): two-way redistribution is required for the EIGRP WAN routing protocol (on R2). Only the loopback addresses should be redistributed from LAN to WAN.
router eigrp 200
network 10.255.0.0 0.0.255.255
redistribute eigrp 100 route-map LOOPBACK-ONLY
eigrp router-id 10.255.253.203
eigrp stub connected summary redistributed
ip access-list standard R1-LOOPBACK
permit 10.255.251.203
route-map LOOPBACK-ONLY permit 10
match ip address R1-LOOPBACK
WAN Remote-Site Loopback Routing (continued): Configuration for Dual-Router (MPLS with DMVPN Backup)
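The blackhole in scenario (3) and the host-route fix that the loopback scheme provides, as an added Python example (not from the CVD): it derives loopbacks with the 10.255.<transport>.<site> scheme from the table above and models HQ's longest-prefix lookup with the R1-R2 LAN link down. Only HQ's installed best path (the BGP summary via R1 on the primary link) is modelled, as the slides describe; the site, addresses and router labels are the page's own.

```python
import ipaddress

# Loopback scheme from the slides: 10.255.<transport octet>.<site number>, a block that is
# never summarized, so each router is announced as a /32 host route.
TRANSPORT_OCTET = {"MPLS A": 251, "MPLS B": 252, "DMVPN 1": 253, "DMVPN 2": 254, "MetroE": 255}

def loopback_for(transport, site):
    """Derive a remote-site router's Loopback0 from its WAN transport and site number."""
    if not 1 <= site <= 254:
        raise ValueError("site number must fit in the fourth octet")
    return ipaddress.ip_address(f"10.255.{TRANSPORT_OCTET[transport]}.{site}")

def lookup(table, dst):
    """Longest-prefix match over [(network, next-hop router)]; None when nothing matches."""
    matches = [(net, nh) for net, nh in table if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def reachable_from_hq(table, dst, local):
    """HQ hands dst to the router its best route points at; that router must then be able
    to deliver it (local: router -> addresses it still reaches with the LAN link down)."""
    nh = lookup(table, dst)
    return nh is not None and dst in local[nh]

def scenario_lan_interconnect_down():
    """Scenario (3): primary MPLS link up, R1-R2 LAN interconnect down. Returns
    (R2 loopback reachable with loopbacks inside the summary, reachable with /32 scheme)."""
    n, a = ipaddress.ip_network, ipaddress.ip_address
    site_summary = n("10.5.48.0/21")
    # Initial approach: both loopbacks inside the summary; HQ's best path is the BGP
    # summary via R1 on the primary link, so everything for the site lands on R1.
    r1_lo, r2_lo = a("10.5.48.254"), a("10.5.48.253")
    hq_table = [(site_summary, "R1")]
    local = {"R1": {r1_lo}, "R2": {r2_lo}}          # LAN down: each router reaches only itself
    inside_summary = reachable_from_hq(hq_table, r2_lo, local)
    # Host-route scheme: each loopback comes from the unsummarized block and is advertised
    # as a /32 over its own transport, so R2's host route reaches HQ via DMVPN.
    r1_lo, r2_lo = loopback_for("MPLS A", 203), loopback_for("DMVPN 1", 203)
    assert r1_lo not in site_summary and r2_lo not in site_summary
    hq_table = [(site_summary, "R1"), (n(f"{r1_lo}/32"), "R1"), (n(f"{r2_lo}/32"), "R2")]
    local = {"R1": {r1_lo}, "R2": {r2_lo}}
    host_routes = reachable_from_hq(hq_table, r2_lo, local)
    return inside_summary, host_routes   # (False, True)
```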