wan design principle
TRANSCRIPT
-
8/20/2019 Wan Design Principle
1/100
BRKCRS-2041
WAN Architectures and Design Principles
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKCRS-2041
Housekeeping
We value your feedback. Don't forget to complete your online session evaluations after each session and complete the Overall Conference Evaluation, which will be available online from Thursday.
Visit the World of Solutions
Please switch off your mobile phones
Please make use of the recycling bins provided
Please remember to wear your badge at all times
Agenda
WAN Technologies & Solutions
WAN Transport Technologies
WAN Overlay Technologies
WAN Optimisation
Wide Area Network Quality of Service
WAN Architecture Design Considerations
Secure WAN Communication with GETVPN
DMVPN Over Internet Deployment
Summary
WAN Transport Technologies
Hierarchical Network Design
(Figure: three layers, Core, Distribution and Access. The Data Centre/HQ sits at the core, regional hubs form the distribution layer, and each regional hub serves spoke sites 1 ... N at the access layer.)
Hierarchical Network Design
Hierarchical design used to be…
Three routed layers: core, distribution, access
Only one hierarchical structure end-to-end
Hierarchical design has become any design that…
Splits the network up into "places" or "nodes"
Separates these "nodes" by hiding information
Organises these "nodes" around a network core
i.e. roughly "hub and spoke" at a macro level
WAN Transport Options
Topologies
Point-to-point, multipoint
Full/partial mesh
Hub/Spoke or Multi-Tier
Media
Serial, ATM/FR, OC-x
Dark fibre, Lambda
Ethernet
VPN Services for Transport
L2 - Metro-E (p2p, p2mp)
L3 – Private IP VPN
L3 – Public (Internet)
Overlay Options
GRE
DMVPN
L2/L3 VPN over IP
MPLS VPN Topology
MPLS WAN is provided by a service provider
As seen by the enterprise network, every site is one IP "hop"
Equivalent to a full mesh, or to a "hubless" hub-and-spoke
(Figure: spoke sites 1, 2, N, X and Y attached to the SP-provided MPLS IP WAN, drawn as equivalent to a hub-and-spoke whose hub site is "the network" itself.)
MPLS VPN Definition
Layer 3 (L3) service: direct Layer 3 adjacencies only between CE and PE routers
(Figure: CE, local loop, PE, MPLS core, PE, local loop, CE. Each PE holds a global routing table plus one VRF per customer.)
VRF—Virtual Routing and Forwarding
! PE Router – Multiple VRFs
ip vrf blue
 rd 65100:10
 route-target import 65100:10
 route-target export 65100:10
ip vrf yellow
 rd 65100:20
 route-target import 65100:20
 route-target export 65100:20
!
interface GigabitEthernet0/1.10
 ip vrf forwarding blue
interface GigabitEthernet0/1.20
 ip vrf forwarding yellow
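An added illustration (not from the slides) of how the route-target import and export lists above decide which VRF receives which prefix; the "shared" VRF, its RT 65100:99 and all prefixes are assumed values chosen to show controlled leaking between the slide's "blue" and "yellow" VRFs.

```python
# Model of MPLS VPN route targets (RTs): a prefix exported by one VRF reaches
# another VRF only if the importer lists that RT. Added example, not from the deck.
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    rd: str                      # route distinguisher, keeps overlapping prefixes distinct
    rt_import: set = field(default_factory=set)
    rt_export: set = field(default_factory=set)
    prefixes: set = field(default_factory=set)   # CE-learned (local) prefixes


@dataclass(frozen=True)
class VpnRoute:
    rd: str
    prefix: str
    rts: frozenset                # route targets attached on export


def export_routes(vrfs):
    """Tag every local prefix with its VRF's export RTs: the VPNv4 routes MP-BGP carries."""
    return {VpnRoute(v.rd, p, frozenset(v.rt_export)) for v in vrfs for p in v.prefixes}


def import_routes(vrf, vpn_routes):
    """A VRF installs a VPNv4 route only if one of its RTs is in the VRF's import list."""
    return sorted((r.rd, r.prefix) for r in vpn_routes if r.rts & vrf.rt_import)


def build_tables(vrfs):
    """{vrf name: sorted (RD, prefix) pairs the VRF ends up with}."""
    vpn = export_routes(vrfs)
    return {v.name: import_routes(v, vpn) for v in vrfs}


def visibility(vrfs):
    """Segmentation audit: for each VRF, the other VRFs whose exports it imports."""
    return {v.name: sorted(o.name for o in vrfs if o is not v and o.rt_export & v.rt_import)
            for v in vrfs}


# VRFs from the slide's PE configuration; both customers happen to use 10.1.0.0/16
# (constructed overlapping prefixes, kept apart by the distinct RDs).
BLUE = Vrf("blue", "65100:10", {"65100:10"}, {"65100:10"}, {"10.1.0.0/16"})
YELLOW = Vrf("yellow", "65100:20", {"65100:20"}, {"65100:20"}, {"10.1.0.0/16"})
# Assumed shared-services VRF: imports both customers' RTs, exports its own.
SHARED = Vrf("shared", "65100:99", {"65100:10", "65100:20"}, {"65100:99"}, {"192.0.2.0/24"})
# The same 'blue' VRF, additionally importing the shared RT (assumed design choice).
BLUE_WITH_SHARED = Vrf("blue", "65100:10", {"65100:10", "65100:99"}, {"65100:10"}, {"10.1.0.0/16"})


def isolated_tables():
    return build_tables([BLUE, YELLOW, SHARED])


def shared_tables():
    return build_tables([BLUE_WITH_SHARED, YELLOW, SHARED])


if __name__ == "__main__":
    print(isolated_tables())                              # blue and yellow never see each other
    print(visibility([BLUE_WITH_SHARED, YELLOW, SHARED]))  # blue now sees shared, not yellow
```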
MPLS VPN Design Trends
Single Carrier Designs:
Enterprise will home all sites into a single carrier to provide L3 MPLS VPN connectivity.
Pro: Simpler design with consistent features
Con: Bound to a single carrier for feature velocity
Con: Does not protect against MPLS cloud failure with a single provider
Dual Carrier Designs:
Enterprise will single- or dual-home sites into one or both carriers to provide L3 MPLS VPN connectivity.
Pro: Protects against MPLS service failure with a single provider
Pro: Potential business leverage for better competitive pricing
Con: Increased design complexity due to service implementation differences (e.g. QoS, topology)
Con: Feature differences between providers could force the customer to use least-common-denominator features.
Variants of these designs and site connectivity:
Encryption overlay (e.g. IPsec, DMVPN, GET VPN, etc.)
Sites with on-demand / permanent backup links
Single Carrier Site Types (Non-Transit)
Dual Homed Non-Transit
Only advertise local prefixes (typically with dual CE routers)
BGP design:
eBGP to carrier
iBGP between CEs
Redistribute cloud-learned routes into the site IGP
Single Homed Non-Transit
Advertise local prefixes and optionally use a default route.
(Figure: carrier AS 200 with routers C1 and C2; a dual-homed site AS 64512 and a single-homed site AS 64517, with CE routers CE1 to CE5 and a site IGP.)
Dual Carrier: Transit vs. Non-Transit
(Figure: carriers AS 100 and AS 200; site AS 64512 with CE1 and CE2 advertising prefix Z; site AS 64517 with CE3 and CE4, a site IGP and prefixes X and Y; transit site AS 64545 attached to both carriers.)
To guarantee single-homed site reachability to a dual-homed site experiencing a failure, transit sites had to be elected.
Transit sites would act as a BGP bridge, transiting routes between the two provider clouds.
To minimise the latency costs of transits, transits need to be selected with geographic diversity (e.g. from the East, West and Central US).
Resiliency Drivers vs. Simplicity: Single vs. Dual Carriers
Single Provider
Pro: Common QoS support model
Pro: Only one vendor to "tune"
Pro: Reduced head end circuits
Pro: Overall simpler design
Con: Carrier failure could be catastrophic
Con: Do not have another carrier "in your pocket"
Dual Providers
Pro: More fault domains
Pro: More product offerings to business
Pro: Ability to leverage vendors for better pricing
Pro: Nice to have a second vendor option
Con: Increased bandwidth ("paying for bandwidth twice")
Con: Increased overall design complexity
Con: May be reduced to "common denominator" between carriers
WAN Overlay Technologies
Tunnelling Technologies: Packet Encapsulation over IP
IPSec—Encapsulating Security Payload (ESP): strong encryption; IP unicast only
Generic Routing Encapsulation (GRE): IP unicast, multicast, broadcast; multiprotocol support
Layer 2 Tunnelling Protocol—Version 3 (L2TPv3): Layer 2 payloads (Ethernet, serial, …); pseudowire capable
Other tunnelling technologies – L3VPNomGRE, LISP, OTV
IPSec ESP: Transport and Tunnel Modes
(Figure: packet layouts.)
Transport mode: IP HDR | ESP HDR | IP Payload | ESP Trailer | ESP Auth. Encrypted: IP Payload and ESP Trailer. Authenticated: ESP HDR through ESP Trailer.
Tunnel mode: new IP HDR | ESP HDR | original IP HDR | IP Payload | ESP Trailer | ESP Auth. Encrypted: original IP HDR, IP Payload and ESP Trailer. Authenticated: ESP HDR through ESP Trailer.
Sizes annotated on the slide: 20 bytes, 30 bytes, 54 bytes, 2 bytes, 2 bytes.
GRE Tunnelling
Original IP datagram (before forwarding): original IP header (20 bytes) | IP payload
GRE packet with new IP header: new IP header (20 bytes) | GRE header (4 bytes) | original IP header (20 bytes) | IP payload. IP protocol 47, forwarded using the new IP destination.
! Router A – GRE Example
interface Loopback0
 ip address 192.168.1.1 255.255.255.255
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 tunnel mode gre ip
 ip mtu 1476
 tunnel source Loopback0
 tunnel destination 192.168.2.2
! Router B – GRE Example
interface Loopback0
 ip address 192.168.2.2 255.255.255.255
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 tunnel mode gre ip
 ip mtu 1476
 tunnel source Loopback0
 tunnel destination 192.168.1.1
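An added overhead calculator (not from the deck) for the encapsulations on this and the previous slide: it reproduces the slide's GRE arithmetic behind "ip mtu 1476" and extends it to ESP transport mode, ESP tunnel mode and GRE carried inside ESP. The ESP field sizes assume AES-CBC with HMAC-SHA1-96 and are this example's assumption, not the deck's figures.

```python
# Encapsulation overhead and largest non-fragmenting inner MTU for GRE, ESP and
# GRE-over-ESP. Added example, not from the deck.
IP_HDR = 20
GRE_HDR = 4          # GRE without key, sequence or checksum options (slide value)
ESP_HDR = 8          # SPI + sequence number            (assumed suite: AES-CBC/HMAC-SHA1-96)
ESP_IV = 16          # AES-CBC initialisation vector
ESP_BLOCK = 16       # AES block size: plaintext + trailer is padded to a multiple of it
ESP_TRAILER = 2      # pad length + next header
ESP_ICV = 12         # HMAC-SHA1-96 integrity check value


def gre_size(datagram_len):
    """Size of an original IP datagram (its header included) after GRE encapsulation."""
    return IP_HDR + GRE_HDR + datagram_len


def esp_size(datagram_len, tunnel_mode):
    """Size after ESP. Tunnel mode encrypts the whole original datagram behind a new IP
    header; transport mode keeps the original header in the clear and encrypts only
    what follows it. Either way exactly one 20-byte IP header precedes the ESP header."""
    plaintext = datagram_len if tunnel_mode else datagram_len - IP_HDR
    padded = -(-(plaintext + ESP_TRAILER) // ESP_BLOCK) * ESP_BLOCK   # round up to a block
    return IP_HDR + ESP_HDR + ESP_IV + padded + ESP_ICV


def gre_over_ipsec_size(datagram_len):
    """GRE packet carried inside ESP tunnel mode (the GRE/IPsec design later in the deck)."""
    return esp_size(gre_size(datagram_len), tunnel_mode=True)


def largest_inner_mtu(link_mtu, encap):
    """Largest original datagram that encap() still fits into link_mtu: the value to set
    as 'ip mtu' on the tunnel interface so the encapsulated packet is never fragmented."""
    size = link_mtu
    while size > 0 and encap(size) > link_mtu:
        size -= 1
    return size


def fits(datagram_len, link_mtu, encap):
    return encap(datagram_len) <= link_mtu


if __name__ == "__main__":
    for name, encap in [("GRE", gre_size), ("ESP tunnel", lambda n: esp_size(n, True)),
                        ("ESP transport", lambda n: esp_size(n, False)),
                        ("GRE over ESP tunnel", gre_over_ipsec_size)]:
        print(f"{name}: ip mtu {largest_inner_mtu(1500, encap)} on a 1500-byte link")
```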
VPN Technology: Positioning EzVPN, DMVPN, GETVPN
(Figure: EzVPN and DMVPN spokes reach the data centre's Internet edge over the Internet/shared network using IPsec; GET VPN group members (GM) reach the WAN edge over the MPLS/private network, with key servers (KS) in the data centre.)
* Note: DMVPN can also be used on an MPLS/private network
VPN Technology Comparison
Infrastructure Network: EzVPN, public Internet transport; DMVPN, private and public Internet transport; GET VPN, private IP transport
Network Style: EzVPN, hub-spoke (client to site); DMVPN, hub-spoke and spoke-to-spoke (site-to-site); GET VPN, any-to-any (site-to-site)
Routing: EzVPN, reverse-route injection; DMVPN, dynamic routing on tunnels; GET VPN, dynamic routing on the IP WAN
Failover Redundancy: EzVPN, stateful hub crypto failover; DMVPN, route distribution model; GET VPN, route distribution model + stateful
Encryption Style: EzVPN, peer-to-peer protection; DMVPN, peer-to-peer protection; GET VPN, group protection
IP Multicast: EzVPN, multicast replication at hub; DMVPN, multicast replication at hub; GET VPN, multicast replication in the IP WAN network
Dynamic Multipoint VPN (DMVPN)
Provides full meshed connectivity with simple configuration of hub and spoke
Supports dynamically addressed spokes
Facilitates zero-touch configuration for addition of new spokes
Features automatic IPsec triggering for building an IPsec tunnel
(Figure: traditional static tunnels between static, known IP addresses versus DMVPN tunnels from a hub to spokes 1, 2 ... n with dynamic, unknown IP addresses: secure on-demand meshed tunnels.)
Dynamic Multipoint VPN (DMVPN) Operational Example
(Figure: hub with physical address 172.17.0.1, Tunnel0 10.0.0.1 and LAN 192.168.0.0/24; Spoke A with dynamic physical address 172.16.1.1, Tunnel0 10.0.0.11 and LAN 192.168.1.0/24; Spoke B with dynamic physical address 172.16.2.1, Tunnel0 10.0.0.12 and LAN 192.168.2.0/24.)
Hub CEF FIB table: 192.168.0.0/24 connected; 192.168.1.0/24 via 10.0.0.11; 192.168.2.0/24 via 10.0.0.12. Hub NHRP mapping: 10.0.0.11 is 172.16.1.1; 10.0.0.12 is 172.16.2.1.
Spoke A CEF FIB table: 192.168.1.0/24 connected; 192.168.0.0/16 via 10.0.0.1. Spoke A NHRP mapping: 10.0.0.1 is 172.17.0.1, so its CEF adjacency for everything behind the summary is the hub. Spoke B is symmetric.
Spoke A's first data packet to 192.168.2.1 follows the summary route to the hub; the hub forwards it on to Spoke B and returns an NHRP Redirect, and Spoke A sends an NHRP Resolution request for the destination.
Dynamic Multipoint VPN (DMVPN) Operational Example (cont)
(Figure: same topology after the NHRP Resolution reply. Spoke A now holds NHRP mappings 10.0.0.1 is 172.17.0.1 and 10.0.0.12 is 172.16.2.1; Spoke B holds 10.0.0.1 is 172.17.0.1 and 10.0.0.11 is 172.16.1.1. Each spoke's CEF adjacency for the other spoke points at that spoke's physical address, so further data packets between 192.168.1.0/24 and 192.168.2.0/24 travel spoke-to-spoke instead of through the hub.)
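The redirect-and-resolve sequence of the two slides above, as an added simulation that is not part of the deck; it uses the slide's hub, Spoke A and Spoke B addresses, models the NHRP messages as method calls, and does not reproduce the packet formats.

```python
# DMVPN spoke-to-spoke shortcut build-up: first packet via the hub, NHRP Redirect,
# NHRP Resolution, then direct forwarding. Added example, not from the deck.
import ipaddress


class Node:
    def __init__(self, name, tunnel_ip, nbma_ip):
        self.name, self.tunnel_ip, self.nbma_ip = name, tunnel_ip, nbma_ip
        self.routes = []     # (network, next-hop tunnel ip, or None when connected)
        self.nhrp = {}       # NHRP mapping table: tunnel ip -> NBMA (physical) ip
        self.log = []        # control-plane events, for inspection

    def add_route(self, network, next_hop=None):
        self.routes.append((ipaddress.ip_network(network), next_hop))

    def lookup(self, dst):
        """Longest-prefix match, like the CEF FIB on the slide; returns the next-hop tunnel ip."""
        dst = ipaddress.ip_address(dst)
        best = max((r for r in self.routes if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)
        return best[1] if best else None

    def connected_prefix(self, dst):
        dst = ipaddress.ip_address(dst)
        return next(n for n, nh in self.routes if nh is None and dst in n)


class Dmvpn:
    def __init__(self, hub):
        self.hub, self.spokes = hub, {}     # spokes keyed by tunnel ip

    def register(self, spoke):
        """NHRP registration: the hub learns the spoke's (dynamic) NBMA address; the spoke
        has the hub's NBMA address statically configured."""
        self.spokes[spoke.tunnel_ip] = spoke
        self.hub.nhrp[spoke.tunnel_ip] = spoke.nbma_ip
        spoke.nhrp[self.hub.tunnel_ip] = self.hub.nbma_ip

    def send(self, src, dst_ip):
        """Forward one data packet from spoke src; returns the NBMA hops it traverses."""
        nh = src.lookup(dst_ip)
        if nh is None:                                    # src's own LAN
            return [src.nbma_ip]
        if nh != self.hub.tunnel_ip and nh in src.nhrp:   # shortcut already resolved
            src.log.append(f"data to {dst_ip} direct via {src.nhrp[nh]}")
            return [src.nbma_ip, src.nhrp[nh]]
        src.log.append(f"data to {dst_ip} via hub")
        hub_nh = self.hub.lookup(dst_ip)
        if hub_nh is None:                                # the hub's own LAN
            return [src.nbma_ip, self.hub.nbma_ip]
        dst_spoke = self.spokes[hub_nh]
        # The hub forwards out the same mGRE interface the packet arrived on, so it also
        # sends an NHRP Redirect back to the source spoke, which then resolves.
        src.log.append("NHRP Redirect from hub")
        self.resolve(src, dst_ip, dst_spoke)
        return [src.nbma_ip, self.hub.nbma_ip, dst_spoke.nbma_ip]

    def resolve(self, src, dst_ip, dst_spoke):
        """NHRP Resolution Request (via the hub) and Reply from the owning spoke: installs
        the tunnel->NBMA mapping and a shortcut route for that spoke's LAN on src."""
        src.log.append(f"NHRP Resolution Request for {dst_ip}")
        src.nhrp[dst_spoke.tunnel_ip] = dst_spoke.nbma_ip
        src.add_route(str(dst_spoke.connected_prefix(dst_ip)), dst_spoke.tunnel_ip)
        src.log.append(f"NHRP Resolution Reply: {dst_spoke.tunnel_ip} -> {dst_spoke.nbma_ip}")


def build_topology():
    hub = Node("hub", "10.0.0.1", "172.17.0.1")
    hub.add_route("192.168.0.0/24")                     # hub LAN, connected
    hub.add_route("192.168.1.0/24", "10.0.0.11")        # learned from the spokes
    hub.add_route("192.168.2.0/24", "10.0.0.12")
    spoke_a = Node("spokeA", "10.0.0.11", "172.16.1.1")
    spoke_a.add_route("192.168.1.0/24")
    spoke_a.add_route("192.168.0.0/16", "10.0.0.1")     # summary from the hub
    spoke_b = Node("spokeB", "10.0.0.12", "172.16.2.1")
    spoke_b.add_route("192.168.2.0/24")
    spoke_b.add_route("192.168.0.0/16", "10.0.0.1")
    net = Dmvpn(hub)
    net.register(spoke_a)
    net.register(spoke_b)
    return net, spoke_a, spoke_b


def demo():
    net, spoke_a, _ = build_topology()
    first = net.send(spoke_a, "192.168.2.1")     # via hub: triggers redirect and resolution
    second = net.send(spoke_a, "192.168.2.1")    # direct spoke-to-spoke
    hub_lan = net.send(spoke_a, "192.168.0.1")   # still via the hub
    return first, second, hub_lan, dict(spoke_a.nhrp)
```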
Network Designs
(Figure: hub and spoke with spoke-to-hub tunnels; spoke-to-spoke tunnels; server load balancing; hierarchical; 2547oDMVPN tunnels with VRF-lite at the spokes.)
Any to Any Encryption
Before and After GET VPN
Before: IPSec P2P tunnels (public/private WAN)
Scalability is an issue (N^2 problem)
Overlay routing
Any-to-any instant connectivity can't be done to scale
Limited QoS
Inefficient multicast replication
After: tunnel-less VPN (private WAN)
Scalable architecture for any-to-any connectivity and encryption
No overlays—native routing
Any-to-any instant connectivity
Enhanced QoS
Efficient multicast replication
Group Security Functions
(Figure: a key server, several group members and the routing members between them.)
Group Member: encryption devices; route between secure/unsecure regions; multicast participation
Key Server: validate group members; manage security policy; create group keys; distribute policy/keys
Routing Member: forwarding; replication; routing
Group Security Elements
(Figure: key servers, group members and routing members.)
Key Encryption Key (KEK)
Traffic Encryption Key (TEK)
Group Policy
RFC 3547: Group Domain of Interpretation (GDOI)
KS Cooperative Protocol
GETVPN Group Key Technology
Operation Example
Step 1: Group Members (GM) "register" via GDOI (IKE) with the Key Server (KS)
KS authenticates and authorises the GM
KS returns a set of IPsec SAs for the GM to use
Step 2: Data Plane Encryption
GMs exchange encrypted traffic using the group keys
The traffic uses IPSec tunnel mode with "address preservation"
Step 3: Periodic Rekey of Keys
KS pushes out replacement IPsec keys before the current IPsec keys expire; this is called a "rekey"
(Figure: one KS and group members GM1 to GM9, drawn for each of the three steps.)
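The three steps above as an added toy model, not from the deck and not Cisco's implementation: GDOI and IPsec are replaced by HMAC-SHA256 constructions over byte strings so the registration, group-key data protection and KEK-protected rekey can run offline; the key lifetimes, rekey margin and per-member registration secrets are assumptions.

```python
# GETVPN group-key lifecycle: register (KS authenticates the GM, returns policy, KEK
# and TEK), protect data with the shared TEK, accept a KEK-authenticated rekey pushed
# before expiry. Added example; the crypto is a stand-in, not GDOI/ESP.
import hashlib
import hmac
import os

TAG = 32    # HMAC-SHA256 output length


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


class KeyServer:
    def __init__(self, authorised, tek_lifetime=3600, rekey_margin=300):
        self.authorised = authorised          # {gm id: registration secret} (assumed)
        self.kek = os.urandom(32)             # key encryption key: protects rekeys
        self.tek = os.urandom(32)             # traffic encryption key: protects data
        self.version, self.lifetime, self.margin = 1, tek_lifetime, rekey_margin
        self.expires = tek_lifetime
        self.members = set()

    def register(self, gm_id, proof):
        """Step 1: authenticate/authorise the GM, then hand it the policy and both keys."""
        secret = self.authorised.get(gm_id)
        if secret is None or not hmac.compare_digest(proof, prf(secret, gm_id.encode())):
            return None
        self.members.add(gm_id)
        return {"kek": self.kek, "tek": self.tek, "version": self.version,
                "policy": "ESP tunnel mode, address preservation"}

    def tick(self, now):
        """Step 3: inside the rekey margin, roll the TEK and push it wrapped under the KEK
        with a KEK-keyed MAC. Returns the rekey message, or None if nothing to do."""
        if now < self.expires - self.margin:
            return None
        self.tek, self.version, self.expires = os.urandom(32), self.version + 1, now + self.lifetime
        ver = self.version.to_bytes(4, "big")
        wrapped = bytes(a ^ b for a, b in zip(self.tek, prf(self.kek, b"wrap" + ver)))
        body = ver + wrapped
        return body + prf(self.kek, body)


class GroupMember:
    def __init__(self, gm_id, secret):
        self.gm_id, self.secret, self.sa = gm_id, secret, None

    def register(self, ks):
        self.sa = ks.register(self.gm_id, prf(self.secret, self.gm_id.encode()))
        return self.sa is not None

    def protect(self, plaintext):
        """Step 2: data-plane protection under the group TEK (a MAC stands in for ESP)."""
        return self.sa["version"], plaintext, prf(self.sa["tek"], plaintext)

    def unprotect(self, msg):
        version, plaintext, tag = msg
        if version != self.sa["version"] or not hmac.compare_digest(tag, prf(self.sa["tek"], plaintext)):
            return None
        return plaintext

    def handle_rekey(self, msg):
        """Accept a rekey only if its MAC verifies under the KEK learned at registration."""
        body, mac = msg[:-TAG], msg[-TAG:]
        if not hmac.compare_digest(mac, prf(self.sa["kek"], body)):
            return False
        ver, wrapped = body[:4], body[4:]
        self.sa["tek"] = bytes(a ^ b for a, b in zip(wrapped, prf(self.sa["kek"], b"wrap" + ver)))
        self.sa["version"] = int.from_bytes(ver, "big")
        return True


def run():
    ks = KeyServer({"GM1": b"secret-1", "GM2": b"secret-2"})
    gm1, gm2 = GroupMember("GM1", b"secret-1"), GroupMember("GM2", b"secret-2")
    rogue = GroupMember("GM9", b"guess")                 # not in the KS's authorised list
    registered = [gm1.register(ks), gm2.register(ks), rogue.register(ks)]
    before = gm2.unprotect(gm1.protect(b"hello"))
    quiet = ks.tick(now=1000)                            # TEK still fresh: no rekey
    rekey = ks.tick(now=3400)                            # within 300 s of expiry: rekey pushed
    applied = [gm1.handle_rekey(rekey), gm2.handle_rekey(rekey)]
    forged = gm1.handle_rekey(rekey[:-TAG] + bytes(TAG))  # tampered rekey is rejected
    after = gm2.unprotect(gm1.protect(b"hello"))
    return registered, before, quiet, applied, forged, after, gm2.sa["version"]
```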
GETVPN Deployment Model
(Figure: MPLS VPN; MPLS VPN with Carrier-supporting-Carrier (CsC), CE, PE, PE, CE; MPLS VPN over GRE with GET VPN, the GRE tunnel between the CEs GET-encrypted across the PEs; GETVPN segmented WAN; MPLSomGRE with GETVPN.)
WAN Optimisation
The WAN Is the Barrier to Branch Application Performance
WAN packet loss and latency = slow application performance = keep and manage servers in branch offices ($$$)
Applications are designed to work well on LANs: high bandwidth, low latency, reliability
WANs have the opposite characteristics: low bandwidth, high latency, packet loss
(Figure: client and server on the same LAN switch, round trip time (RTT) ~ 0 ms; client and server on separate LAN switches across a routed network, RTT usually measured in milliseconds.)
TCP Behaviour
(Figure: congestion window (cwnd) against time in RTTs: slow start, then congestion avoidance, with cwnd collapsing at each packet loss.)
Return to maximum throughput could take a very long time!
WAAS—TCP Performance Improvement
Transport Flow Optimisation (TFO) overcomes TCP and WAN…
Shields nodes' connections from WAN conditions
Clients experience fast acknowledgement
Minimise perceived packet loss
Eliminate the need to use inefficient congestion handling
(Figure: LAN TCP behaviour on either side of the WAN; across the WAN: window scaling, large initial windows, congestion management, improved retransmit.)
WAAS Overview
DRE and LZ Manage Bandwidth Utilisation
Data Redundancy Elimination (DRE) provides advanced compression to eliminate redundancy from network flows regardless of application
LZ compression provides generic compression for all traffic
(Figure: FILE.DOC is encoded through the DRE cache and LZ on one side, carried over the optimised connection across the WAN, and decoded by LZ and the DRE cache on the other side; the origin connections run on each LAN side.)
Comparing TCP and Transport Flow Optimisation
(Figure: cwnd against time in RTTs, slow start and congestion avoidance, for standard TCP versus Cisco TFO.)
Cisco TFO provides significant throughput improvements over standard TCP implementations
Introducing Cisco WAAS Express: Extend Cisco WAAS product portfolio across ISR G2s
Simple:
IOS-based, router-integrated WAN optimisation solution
Simple software feature activation
Network transparency and integration with IOS-based services
Investment Protection:
Part of Cisco WAAS portfolio – leverage existing WAAS deployment
Easy migration to WAAS on SRE as business needs grow
Integrated policy provisioning, monitoring and reporting
Cost Effective:
Defer costly WAN bandwidth upgrades
Reduce truck roll costs – IOS integrated solution
Capex savings – small branch footprint
(Figure: data centre with WAE and the WAAS Central Manager, a branch office with WAAS on SRE and a branch office with WAAS Express, all across the WAN.)
WAAS/WAAS Express Feature Comparison
Feature: WAAS Express | Cisco WAAS hardware (version 4.2…)
Auto-discovery of end nodes: Supported | Supported
TFO (Transport Optimisation): Supported | Supported
Compression: Supported | Supported
DRE (Data Redundancy Elimination): Memory based, non-persistent cache | Disk based, persistent cache
BIC-TCP: Supported | Supported
WAAS Central Manager: Cisco WAAS Version 4.3.1+ | Supported
Application Optimisers: None supported | Supported
Caching: Not supported | Supported
Integrated Branch-WAN Services
(Figure: end-to-end security; WAN optimisation for application performance; route optimisation for application performance, where a WAN with PfR steers traffic onto the best performing path over ISP1/ISP2 when the best-metric path has performance issues or a brown-out.)
Example: Delivering Voice over the Network
(Figure: branch to HQ across the WAN. Without Cisco WAAS and without QoS, email, ERP, scavenger and VoIP traffic compete for the link; with Cisco WAAS and QoS, VoIP is protected and additional capacity is freed.)
Wide Area Network Quality of Service
Quality of Service Operations
How Does It Work and Essential Elements
Classification and Marking:
The first element of a QoS policy is to classify/identify the traffic that is to be treated differently.
Following classification, marking tools can set an attribute of a frame or packet to a specific value.
Policing:
Determine whether packets conform to administratively defined traffic rates and take action accordingly. Such action could include marking, remarking or dropping a packet.
Scheduling (including Queuing and Dropping):
Scheduling tools determine how a frame/packet exits a device. Queuing algorithms are activated only when a device is experiencing congestion and are deactivated when the congestion clears.
(Figure: classification and marking, then queuing and dropping, then post-queuing operations.)
Enabling QoS in the WAN
Traffic Profiles and Requirements
Voice: one-way requirements latency ≤ 150 ms, jitter ≤ 30 ms, loss ≤ 1%, bandwidth 30-128 kbps. Smooth, benign, drop sensitive, delay sensitive, UDP priority. Bandwidth per call depends on codec, sampling rate and Layer 2 media.
TelePresence: one-way requirements latency ≤ 200 ms, jitter ≤ 20 ms, loss ≤ 0.10%, bandwidth 5.5-16 Mbps. Bursty, drop sensitive, delay sensitive, jitter sensitive, UDP priority. HD/VC has tighter requirements than VoIP in terms of jitter, and bandwidth varies based on the resolution.
SD Video Conferencing: one-way requirements latency ≤ 150 ms, jitter ≤ 30 ms, loss ≤ 0.05%, bandwidth 1 Mbps. Bursty, greedy, drop sensitive, delay sensitive, UDP priority. SD/VC has the same requirements as VoIP but radically different traffic patterns (bandwidth varies greatly).
Data (column cut off on the slide): TCP …; data classes Mission-…, Transactional, Bulk Data, Best Effort; traffic varies by application.
QoS Considerations
Voice vs. Video— At the Packet Level
(Figure: bytes per packet against time. Voice: one small audio-sample packet every 20 msec, constant size. Video: one video frame every 33 msec, each frame a burst of packets of varying size up to about 1400 bytes.)
Scheduling Tools
LLQ/CBWFQ Subsystems
(Figure: packets in. Layer 3 queueing subsystem: VoIP and IP/VC classes are policed into the priority queue (PQ, low latency queueing); signalling, critical, bulk, management and default classes go to CBWFQ, the default class with fair queueing (FQ). Layer 2 queueing subsystem: link fragmentation and interleave, then the TX ring.)
WAN Edge QoS Design Considerations
Link-Speed Considerations
Slow speed links (≤ 768 kbps): no offering
Medium speed links (≥ 1 Mbps to < 100 Mbps): use hierarchical policies for sub-line-rate Ethernet connections to provide shaping and CBWFQ/LLQ; use software-based routers, Cisco ASR1000, Cisco Catalyst 3750-Metro or 6500/7600 WAN modules; LAN ports do NOT provide shaping
High speed links (≥ 100 Mbps): use hardware queuing via Cisco ASR1000, Cisco Catalyst 3750-Metro or 6500/7600 WAN modules
(Figure: a WAN aggregation router for each link-speed class.)
Ethernet WAN
Policing and Shaping
(Figure: the Ethernet WAN service provider applies inbound policing on the 10/100/1000 Mbps access; the enterprise head end applies traffic shaping outbound, tunnel traffic included.)
Traffic Shaping
Traffic Shaping
Policers typically drop traffic
Shapers typically delay excess traffic, smoothing bursts and preventing unnecessary drops
Very common with Ethernet WAN, as well as Non-Broadcast Multiple-Access (NBMA) network topologies such as Frame Relay and ATM
(Figure: without traffic shaping the transmit rate bursts up to line rate; with traffic shaping it is held at the shaped rate.)
Traffic shaping limits the transmit rate to a value lower than line rate
Hierarchical QoS for Subrate Service
H-QoS Policy on Interface to SP, Shaper = CIR
Two-level MQC: a service-level parent shaper and a child queuing policy for Voice, Video, Scavenger and Best Effort.
policy-map PARENT
 class class-default
  shape average 800000000
  service-policy CHILD
policy-map CHILD
 class Voice
  police cir percent 10
  priority level 1
 class Video
  police cir percent 20
  priority level 2
 class Scav
  bandwidth remaining ratio 1
 class class-default
  bandwidth remaining ratio 9
interface GigabitEthernet0/1
 service-policy output PARENT
MPLS VPN QoS Design
MPLS VPN Port QoS Roles
(Figure: Branch 1, Branch 2 and the campus VPN block attach their CE routers to the MPLS VPN PE routers; outbound and inbound policies are shown at the enterprise CE side and at the provider PE side.)
Enterprise Subscriber (Unmanaged CE Routers):
Outbound policies: HQoS shaper (if required); LLQ for VoIP (EF); LLQ or CBWFQ for RT-Interactive (CS4); remark RTI (if necessary); CBWFQ for Signalling (CS3); remark Signalling (if necessary). LLQ ≤ 33% of BW.
Inbound policies: trust DSCP; restore RT-Interactive to CS4 (if necessary); restore Signalling to CS3 (if necessary).
Service Provider:
Outbound policies: LLQ for Real-Time; CBWFQ for Critical Data.
Inbound policies: trust DSCP; police on a per-class basis.
QoS ToS Byte Preservation
(Figure: GRE tunnel: new IP HDR | GRE HDR | original IP HDR | IP payload. IPSec tunnel mode: new IP HDR | ESP HDR | original IP HDR | IP payload. In both GRE and IPSec tunnels the ToS byte of the original IP header is copied to the new IP header.)
GRE/IPSec Network QoS Design
(Figure: direction of packet flow from the branch towards the WAN. The packet is initially marked DSCP AF41; by default the ToS value is copied to the GRE and IPSec headers, so every header carries AF41; on egress the top-most ToS is remarked to DSCP CS5 by the WAN-SP-CLASS-OUTPUT policy; at the far end the packet is decrypted to reveal the original ToS byte, AF41.)
policy-map WAN-SP-CLASS-OUTPUT
 class VOICE
  priority percent 10
 class VIDEO-INTERACTIVE
  priority percent 23
  set ip dscp cs5
 class NETWORK-MGMT
  bandwidth percent 5
  service-policy MARK-BGP
 class class-default
  bandwidth percent 25
  random-detect
!
policy-map Int-Gig-Agg-HE
 class class-default
  shape average 1000000000
  service-policy WAN-Out
The set ip dscp cs5 action remarks the DSCP value on the encrypted/encapsulated header on the egress interface.
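The ToS handling of the last two slides as an added model, not from the deck: headers are dicts, the inner DSCP is copied into each new outer header, the egress classification and the VIDEO-INTERACTIVE remark to CS5 follow WAN-SP-CLASS-OUTPUT above, and the inner marking is shown to survive decapsulation. The IP addresses and the class-to-DSCP matches are constructed.

```python
# ToS byte preservation through GRE and ESP plus outer-header remark on egress.
# Added example, not from the deck.
DSCP = {"AF41": 34, "CS5": 40, "EF": 46, "CS3": 24, "BE": 0}
NAMES = {v: k for k, v in DSCP.items()}


def tos_byte(dscp):
    return dscp << 2                       # DSCP occupies the top six bits of the ToS byte


def dscp_of(packet):
    return packet["tos"] >> 2


def encapsulate(packet, kind, src, dst):
    """Add an outer header of type 'kind' (gre or esp) whose ToS copies the inner ToS."""
    return {"proto": kind, "src": src, "dst": dst, "tos": packet["tos"], "inner": packet}


def decapsulate(packet):
    return packet["inner"]


# Classes of the slide's policy as (class name, matched DSCP, optional set-DSCP).
# The DSCP each class matches on is an assumption; the CS5 remark is the slide's.
WAN_SP_CLASS_OUTPUT = [
    ("VOICE", DSCP["EF"], None),
    ("VIDEO-INTERACTIVE", DSCP["AF41"], DSCP["CS5"]),   # set ip dscp cs5
    ("NETWORK-MGMT", DSCP["CS3"], None),
]


def apply_egress_policy(packet, policy):
    """Classify on the outermost header's DSCP and, for classes that carry a 'set',
    remark only that outer header. Returns (class name, packet as sent on the wire)."""
    for name, match, set_dscp in policy:
        if dscp_of(packet) == match:
            if set_dscp is not None:
                packet = dict(packet, tos=tos_byte(set_dscp))   # inner header untouched
            return name, packet
    return "class-default", packet


def trace(inner_dscp):
    """Follow one packet: mark, GRE, ESP, egress policy, then strip both outer headers."""
    original = {"proto": "ip", "src": "10.1.1.10", "dst": "10.2.2.20", "tos": tos_byte(inner_dscp)}
    gre = encapsulate(original, "gre", "192.168.1.1", "192.168.2.2")
    esp = encapsulate(gre, "esp", "192.168.1.1", "192.168.2.2")
    cls, on_wire = apply_egress_policy(esp, WAN_SP_CLASS_OUTPUT)
    revealed = decapsulate(decapsulate(on_wire))
    return {"class": cls,
            "gre_dscp": NAMES[dscp_of(gre)],
            "wire_dscp": NAMES[dscp_of(on_wire)],
            "revealed_dscp": NAMES[dscp_of(revealed)]}


if __name__ == "__main__":
    print(trace(DSCP["AF41"]))   # wire header CS5, inner header still AF41
```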
Ethernet WAN QoS Design
HQoS Shaping & Queuing Policy and Operation
policy-map ACCESS-EDGE
 class VOIP
  priority 1000
 class REALTIME
  priority 15000
 class CALL-SIGNALING
  bandwidth x
 class TRANSACTIONAL
  bandwidth y
 class BULK-DATA
  bandwidth z
 class class-default
  fair-queue
policy-map HQoS-50MBPS
 class class-default
  shape average 50000000 1000000
  service-policy ACCESS-EDGE
(Figure: packets in. The VoIP policer (1 Mbps) and the REALTIME policer (15 Mbps) feed a 16 Mbps PQ (FIFO between VoIP and video); Call-Signalling, Transactional and Bulk Data CBWFQ queues plus a fair-queue default queue feed the CBWFQ scheduler; the class-based shaper then transmits on the GE interface with a sub-line-rate access circuit.)
Queuing policies will not engage unless the interface is congested
A shaper will guarantee that traffic will not exceed the contracted rate
A nested queuing policy will force queuing to engage at the contracted sub-line-rate to prioritise packets prior to shaping
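An added checker (not from the deck and not a Cisco tool) for the parent-shaper / child-queuing pairs on this slide (HQoS-50MBPS with ACCESS-EDGE) and on the "Hierarchical QoS for Subrate Service" slide (PARENT with CHILD): it parses the MQC subset used there and applies what the slides state, that queuing engages at the shaped rate, so child guarantees are budgeted against the shaper, with priority traffic held within 33% of it. The kbps values standing in for "x/y/z" are assumed, and a "police cir percent" on a priority class is counted as that class's LLQ share.

```python
# Hierarchical QoS sanity checks over slide policies. Added example, not from the deck.

def parse_policy(text):
    """Parse the MQC subset used on the slides into {class: {action: value}}."""
    policy, cls = {}, None
    for raw in text.strip().splitlines():
        w = raw.split()
        if not w or w[0] == "policy-map":
            continue
        if w[0] == "class":
            cls = w[1]
            policy[cls] = {}
        elif w[0] == "priority" and w[1] == "percent":
            policy[cls]["priority_pct"] = int(w[2])
        elif w[0] == "priority" and w[1].isdigit():
            policy[cls]["priority_kbps"] = int(w[1])
        elif w[0] == "police" and w[1:3] == ["cir", "percent"]:
            policy[cls]["priority_pct"] = int(w[3])      # policed LLQ class (see lead-in)
        elif w[0] == "bandwidth" and w[1] == "percent":
            policy[cls]["bandwidth_pct"] = int(w[2])
        elif w[0] == "bandwidth" and w[1].isdigit():
            policy[cls]["bandwidth_kbps"] = int(w[1])
        elif w[0] == "shape":
            policy[cls]["shape_bps"] = int(w[2])
        elif w[0] == "service-policy":
            policy[cls]["child"] = w[-1]
    return policy


def check_hqos(parent, child, line_rate_bps, llq_limit=0.33):
    """Return a list of findings; an empty list means the pair passes."""
    top = parent.get("class-default", {})
    if "shape_bps" not in top or "child" not in top:
        return ["parent must shape class-default and attach a child policy"]
    shaped_kbps = top["shape_bps"] // 1000
    findings = []
    if top["shape_bps"] >= line_rate_bps:
        findings.append("shaper is not below line rate, so queuing would never engage")
    llq = sum(a.get("priority_kbps", 0) + a.get("priority_pct", 0) * shaped_kbps // 100
              for a in child.values())
    cbwfq = sum(a.get("bandwidth_kbps", 0) + a.get("bandwidth_pct", 0) * shaped_kbps // 100
                for a in child.values())
    if llq > llq_limit * shaped_kbps:
        findings.append(f"priority traffic {llq} kbps exceeds {round(llq_limit * 100)}% of shaped rate")
    if llq + cbwfq > shaped_kbps:
        findings.append(f"guaranteed bandwidth {llq + cbwfq} kbps exceeds shaped rate {shaped_kbps} kbps")
    return findings


ACCESS_EDGE = """
policy-map ACCESS-EDGE
 class VOIP
  priority 1000
 class REALTIME
  priority 15000
 class CALL-SIGNALING
  bandwidth 2000
 class TRANSACTIONAL
  bandwidth 10000
 class BULK-DATA
  bandwidth 5000
 class class-default
  fair-queue
"""
HQOS_50MBPS = """
policy-map HQoS-50MBPS
 class class-default
  shape average 50000000 1000000
  service-policy ACCESS-EDGE
"""
CHILD = """
policy-map CHILD
 class Voice
  police cir percent 10
  priority level 1
 class Video
  police cir percent 20
  priority level 2
 class Scav
  bandwidth remaining ratio 1
 class class-default
  bandwidth remaining ratio 9
"""
PARENT = """
policy-map PARENT
 class class-default
  shape average 800000000
  service-policy CHILD
"""


def slide_50mbps():
    return check_hqos(parse_policy(HQOS_50MBPS), parse_policy(ACCESS_EDGE), 1_000_000_000)


def oversubscribed():
    """Same child under a 40 Mbps shaper: the 16 Mbps of LLQ is now 40% of the rate."""
    parent = parse_policy(HQOS_50MBPS.replace("50000000", "40000000"))
    return check_hqos(parent, parse_policy(ACCESS_EDGE), 1_000_000_000)


def slide_subrate():
    return check_hqos(parse_policy(PARENT), parse_policy(CHILD), 1_000_000_000)
```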
WAN Architecture Design Considerations
Borderless Network Architecture
High Performance WAN Headend
(Figure: the campus/data centre connects through WAN services/distribution to the WAN edge; the WAN edge terminates MPLS A, MPLS B and Internet VPN connections; the WAAS service and the key server sit in the data centre/campus block.)
Remote Branch Transport & Redundancy Options
(Figure: remote branch transport options, MPLS WAN, MPLS + Internet WAN and Internet WAN, each shown non-redundant, with redundant links, and with redundant links and routers.)
Routing Topology at Hub Location
(Figure: the campus/data centre runs EIGRP AS 100; the MPLS A and MPLS B CE routers run eBGP to the carriers and iBGP between each other; the DMVPN/Internet router runs EIGRP AS 200 over the tunnels; summaries plus a default route (10.5.0.0/16 and 0.0.0.0/0) are advertised towards the WAN.)
WAN Edge
Connection Methods Compared
All: no static routes; no FHRPs
(Figure: WAN edge routers attached to core/distribution either by a port-channel to a single logical control plane (port-channel for H/A, recommended) or by routed links to two separate core/distribution switches.)
Optimise Convergence and Redundancy: Multichassis EtherChannel
(Figure: VSS/3750 stacks with a multichassis port-channel, where a removed channel member causes no IGP recalculation, versus routed point-to-point Layer 3 links, where a failed uplink triggers an IGP recalculation.)
Multichassis EtherChannel:
Provides link redundancy and reduces peering complexity
Tune the L3/L4 load-balancing hash to achieve maximum utilisation
No L3 reconvergence required when a member link fails
No individual flow can go faster than the speed of an individual member of the link
Routed point-to-point links:
Link redundancy achieved through redundant L3 paths
Flow-based load-balancing through CEF forwarding across the links
Routing protocol reconvergence when an uplink fails
Convergence time may depend on the routing protocol used and the number of routing entries
Best Practice — Summarise at Service Distribution
interface Port-channel1
 description Interface to MPLS-A-CE
 no switchport
 ip address 10.4.128.1 255.255.255.252
 ip pim sparse-mode
 ip summary-address eigrp 100 10.5.0.0 255.255.0.0
It is important to force summarisation at the distribution towards the WAN edge and towards the campus and data centre
Summarisation limits the number of peers an EIGRP router must query (minimising SIA) or the number of LSAs an OSPF peer must process
(Figure: distribution between the campus/data centre and the MPLS A and MPLS B WAN edge; summaries 10.5.0.0/16 plus default 0.0.0.0/0 towards the WAN edge, summary 10.5.0.0/16 towards the campus.)
Dual MPLS Carrier Hub
Use iBGP to Retain AS Path Information
Run iBGP between the CE routers
Prefixes from carrier A will be advertised to carrier B and vice versa
Allows the preservation of AS path length so remote sites can choose the best path to the destination
Using an IGP (OSPF/EIGRP) for prefix re-advertisement would result in equal-cost paths at the remote site
bn-br200-3945-1# sh ip bgp 10.5.128.0/21
BGP routing table entry for 10.5.128.0/21, version 71
Paths: (2 available, best #2, table default, RIB-failure(17))
  Not advertised to any peer
  65401 65401 65402 65402, (aggregated by 65511 10.5.128.254)
    10.4.142.26 from 10.4.142.26 (192.168.100.3)
      Origin IGP, localpref 100, valid, external, atomic-aggregate
  65402 65402, (aggregated by 65511 10.5.128.254)
    10.4.143.26 (metric 51456) from 10.5.0.10 (10.5.0.253)
      Origin IGP, metric 0, localpref 100, valid, internal, atomic-aggregate, best
(Figure: a remote site with CE routers A and B attached to MPLS A and MPLS B and running iBGP between them, reaching 10.5.128.0/21 behind the campus.)
Best Practice - Implement AS-Path Filter
Prevent Branch Site Becoming Transit Network
Dual carrier sites can unintentionally become a transit network during a network failure event, causing network congestion due to transit traffic
Design the network so that the transit path between two carriers only occurs at sites with enough bandwidth
Implement an AS-path filter to allow only locally originated routes to be advertised in the outbound updates for branches that should not be transit
router bgp 65511
 neighbor 10.4.142.26 route-map NO-TRANSIT-AS out
!
ip as-path access-list 10 permit ^$
!
route-map NO-TRANSIT-AS permit 10
 match as-path 10
(Figure: branch CE routers A and B attached to MPLS A and MPLS B with iBGP between them, towards the campus.)
MPLS + Internet WAN
Prefer the MPLS Path over Internet
eBGP routes are redistributed into EIGRP 100 as external routes with the default Admin Distance of 170
Running the same EIGRP AS for both the campus and the DMVPN network would result in the Internet path being preferred over the MPLS path (an internal EIGRP route learned over DMVPN has distance 90 and beats the external route at 170)
Multiple EIGRP AS processes can be used to provide control of the routing
EIGRP 100 is used in the campus location, EIGRP 200 over the DMVPN tunnels
Routes from EIGRP 200 redistributed into EIGRP 100 appear as external routes (distance = 170)
Routes from both WAN sources are then equal-cost paths. To prefer the MPLS path over DMVPN, use EIGRP delay to modify the path preference
Prefer the MPLS Path over Internet
[Figure: Campus running EIGRP AS100, the MPLS A CE (10.4.128.2) learning 10.5.48.0/21 via eBGP, and the Internet/DMVPN path also in EIGRP AS100]
MPLS + Internet WAN
Use Autonomous System for Path Differentiation
Use Autonomous System for Path Differentiation
[Figure: Campus running EIGRP AS100, the MPLS A CE (10.4.128.2) learning 10.5.48.0/21 via eBGP, and the Internet/DMVPN tunnels in EIGRP AS200]
D EX 10.5.48.0/21 [170/28416] via 10.4.128.2,
MPLS CE router#
router eigrp 100
 default-metric 1000000 10 255 1 1500
BGP Weight Metric Issue
Router prefers IGP over eBGP
Dual MPLS VPN network providing primary and secondary network connectivity between locations
eBGP peering with the MPLS VPN providers
The preferred path to the remote location is learned via BGP, with the backup path learned via the IGP
Router prefers IGP over eBGP
[Figure: Campus routers R1 and R2, each connected to MPLS A and MPLS B, reaching 10.4.160.0/24 via an eBGP path and an IGP path]
Path Selection
Admin Dist [170] is better than [20]?
Admin Dist [170] is better than [20]?
[Figure: R1 and R2 at the Campus, attached to MPLS A and MPLS B; 10.4.160.0/24 is offered to R1 via eBGP (B [20/0]) and via the IGP from R2 (D EX [170/3584])]
R1# show ip route
B     10.4.144.0/24 [20/0] via 10.4.142.2, 01:30:06
B     10.4.145.0/24 [20/0] via 10.4.142.2, 01:30:06
D EX  10.4.160.0/24 [170/3584] via 10.4.128.9, 00:30:06
BGP Route Selection Criteria
BGP Prefers Path with:
1. Highest Weight
2. Highest Local PREF
3. Locally originated via network or aggregate BGP
4. Shortest AS_PATH
5. Lowest Origin type (IGP > EGP > INCOMPLETE)
6. Lowest MED
7. eBGP over iBGP paths
8. Lowest IGP metric to BGP next hop
BGP Prefers Path with Highest Weight
ASR1004-1#show ip bgp 10.4.160.0 255.255.255.0
BGP routing table entry for 10.4.160.0/24, version 22
Paths: (3 available, best #3, table default)
  Advertised to update-groups:
     4          5
  65401 65401
    10.4.142.2 from 10.4.142.2 (192.168.100.3)
      Origin IGP, localpref 200, valid, external
  Local
    10.4.128.1 from 0.0.0.0 (10.4.142.1)
      Origin incomplete, metric 26883072, localpref 100, weight 32768, valid, source
Routes redistributed into BGP are considered locally originated and get a default weight of 32768
The eBGP-learned prefix has a default weight of 0
The path with the highest weight is selected, so the locally sourced path wins even though the eBGP path carries the higher local preference
Prefer the eBGP Path over IGP
Set the eBGP weight > 32768
ASR1004-1#show ip bgp 10.4.160.0 255.255.255.0
BGP routing table entry for 10.4.160.0/24, version 22
Paths: (1 available, best #1, table default)
  Not advertised to any peer
  65401 65401
    10.4.142.2 from 10.4.142.2 (192.168.100.3)
      Origin IGP, metric 0, localpref 100, weight 35000, valid, external, best
To resolve this issue, set the weight on routes learned via the eBGP peer higher than 32768:
 neighbor 10.4.142.2 weight 35000
Set the eBGP weight > 32768
ASR1004-1#show ip route
....
B    10.4.160.0/24 [20/0] via 10.4.142.2, 05:00:06
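The selection steps listed above and the weight problem they explain, as an added Python example that is not part of the presentation: it ranks paths with the slide's eight steps, reconstructs the two 10.4.160.0/24 paths from the show output (constructed objects whose attribute values are taken from the slide) and shows why the eBGP path only wins once its weight exceeds 32768. The BgpPath class and the helper names are mine, not IOS.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Lower rank is preferred (step 5 of the slide's list)
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class BgpPath:
    """One path for a prefix, carrying the attributes the selection steps consult."""
    next_hop: str
    as_path: List[int] = field(default_factory=list)
    weight: int = 0            # IOS default: 0 when learned, 32768 when locally sourced
    local_pref: int = 100
    locally_originated: bool = False
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0


def preference_key(p: BgpPath) -> tuple:
    """One element per step of the slide's list, ordered so the smallest tuple is
    the best path; a tie at one step falls through to the next."""
    return (
        -p.weight,                          # 1. highest weight
        -p.local_pref,                      # 2. highest local preference
        0 if p.locally_originated else 1,   # 3. locally originated
        len(p.as_path),                     # 4. shortest AS_PATH
        ORIGIN_RANK[p.origin],              # 5. lowest origin type
        p.med,                              # 6. lowest MED
        0 if p.ebgp else 1,                 # 7. eBGP over iBGP
        p.igp_metric,                       # 8. lowest IGP metric to the next hop
    )


def best_path(paths: List[BgpPath]) -> BgpPath:
    return min(paths, key=preference_key)


def deciding_step(paths: List[BgpPath]) -> Optional[int]:
    """1-based step at which the best path first beats the runner-up (None on a full tie)."""
    ranked = sorted(paths, key=preference_key)
    if len(ranked) < 2:
        return None
    best, runner_up = preference_key(ranked[0]), preference_key(ranked[1])
    for step, (a, b) in enumerate(zip(best, runner_up), start=1):
        if a != b:
            return step
    return None


def installed_by_bgp(paths: List[BgpPath]) -> Optional[str]:
    """Next hop BGP hands to the RIB, or None when the best path is the locally
    sourced one: BGP does not install a redistributed route over the IGP route
    it came from, which is why the D EX [170/3584] entry stays in the RIB."""
    best = best_path(paths)
    return None if best.locally_originated else best.next_hop


def asr1004_paths(ebgp_weight: int = 0) -> List[BgpPath]:
    """The two 10.4.160.0/24 paths from the slide's show output, constructed here:
    the eBGP path from 10.4.142.2 (AS_PATH 65401 65401, localpref 200) and the
    path redistributed from EIGRP (Local, origin incomplete, weight 32768)."""
    ebgp = BgpPath("10.4.142.2", [65401, 65401], weight=ebgp_weight, local_pref=200)
    local = BgpPath("10.4.128.1", [], weight=32768, local_pref=100,
                    locally_originated=True, origin="incomplete",
                    med=26883072, ebgp=False)
    return [ebgp, local]
```

With the default weights the locally sourced path wins at step 1 and BGP installs nothing; `neighbor 10.4.142.2 weight 35000` flips step 1, and only an equal weight would let the eBGP path's localpref 200 decide at step 2.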
Securing WAN communication
GET VPN
GETVPN Topology
[Figure: GETVPN topology with the COOP Key Servers behind the WAN aggregation switches and group members (GM) at sites across MPLS A and MPLS B]
Best Practice - High Availability with Cooperative Key Servers
Cooperative Key Servers
Two or more KSs, known as COOP KSs, manage a common set of keys and security policies for GETVPN group members
Group members can register to any one of the available KSs
Cooperative KSs periodically exchange and synchronise the group's database, policy and keys
The primary KS is responsible for generating and distributing the group keys
[Figure: Cooperative KS1 and KS2 across the IP network, serving GM 1 to GM 4 on Subnets 1 to 4]
Transition from Clear-text to GETVPN
Receive-Only Method
Goal
Incrementally deploy the infrastructure without encryption
Immediate transition to encryption, controlled by the KS
Method
Deploy the KS with receive-only SAs (don't encrypt, allow decryption)
Deploy GMs throughout the infrastructure and monitor the rekey processes
Transition the KS to normal SAs (encrypt, decrypt)
Assessment
Pro: Simple transition to network-wide encryption
Con: Correct policies are imperative
Con: Encryption is deferred until all CEs are capable of GM functions
[Figure: two stages of a KS with four GMs on 10.1.4.0/24, 10.1.5.0/24, 10.1.6.0/24 and 10.1.7.0/24; the KS policies shown are "permit ip 10.1.4.0 0.0.3.255 10.1.4.0 0.0.3.255" (covering all four subnets) and "permit ip 10.1.4.0 0.0.1.255 10.1.4.0 0.0.1.255" (covering only 10.1.4.0/24 and 10.1.5.0/24)]
Group Member
Secured Group Member Interface
crypto map svn 10 gdoi
crypto gdoi group secure-wan
 identity number 3333
DMVPN over Internet Deployment
DMVPN Deployment over Internet
Multiple Default Routes for VPN Headend
The VPN headend has a default route to the ASA firewall's VPN-DMZ interface to reach the Internet
Remote site policy requires centralised Internet access
Enable EIGRP between the VPN headend and the Campus core to propagate the default route to the remote sites
The static default (admin dist = 0) remains active, and VPN-DMZ is the wrong firewall interface for user traffic
Adjust the admin distance so that the EIGRP route (to the core) is installed
The VPN tunnel drops, since the tunnel's own Internet-bound traffic now follows the EIGRP default towards the core
[Figure: VPN headend between the Internet and the ASA firewall (VPN-DMZ, OUTSIDE and INSIDE interfaces), with two competing default routes]
DMVPN Deployment over Internet
Enable FVRF with DMVPN to separate out the two default routes
The RED-VRF contains the default route to the VPN-DMZ interface needed for tunnel establishment
A 2nd default route exists in the Global Routing Table, used by user data traffic to reach the Internet
To prevent split tunnelling, the default route is advertised to the spokes via the tunnel
The spoke's tunnel drops because this 2nd default route conflicts with the one learned from the ISP
[Figure: VPN headend with the RED-VRF default towards the firewall VPN-DMZ and the global default learned via EIGRP; the default advertised over the tunnel meets the ISP default at the spoke]
Best Practice – VRF-aware DMVPN
Keeping the Default Routes in Separate VRFs
No Split Tunnelling at Branch location
Enable FVRF DMVPN on the Spokes
Allow the ISP-learned default route into the RED-VRF, where it is used for tunnel establishment
The global VRF contains the default route learned via the tunnel; user data traffic follows the tunnel to the INSIDE interface on the firewall
Allows the corporate security policy to be implemented consistently for all users
No Split Tunnelling at Branch location
[Figure: spoke with the ISP default in the RED-VRF and the EIGRP-learned default in the global table; headend towards the firewall VPN-DMZ, OUTSIDE and INSIDE interfaces]
DMVPN and FVRF
Dual Default Routes — Packet Flow
Based on the incoming interface, the IPsec packet is directly associated with the VRF
After decryption the GRE packet is assigned to the GRE tunnel in the VRF
GRE-decapsulated clear-text packets are forwarded using the Global Routing Table
Two routing tables: one global (default) routing table and a separate routing table for the VRF
[Figure: packet flow from the Internet: the GRE+IPsec packet arrives on the VRF-RED interface (default route in VRF-RED), is decrypted and decapsulated on the mGRE interface, and the clear-text packet is forwarded via the Global Routing Table (default route in global)]
DMVPN and FVRF
Dual Default Routes — Show IP Route Outputs
bn-vpn-7206-1#sh ip route
Gateway of last resort is 10.4.128.17 to network 0.0.0.0
D*EX 0.0.0.0/0 [170/3328] via 10.4.128.17, 2d22h, Port-channel3
....
bn-vpn-7206-1#sh ip route vrf RED
Gateway of last resort is 10.4.128.35 to network 0.0.0.0
S*   0.0.0.0/0 [1/0] via 10.4.128.35
....
DMVPN and FVRF
Configuration Example
ip vrf RED
 rd 65512:1
!
crypto keyring DMVPN-KEYRING vrf RED
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp keepalive 30 5
!
crypto isakmp profile FVRF-ISAKMP-RED
 keyring DMVPN-KEYRING
 match identity address 0.0.0.0 RED
!
interface GigabitEthernet0/1
 ip vrf forwarding RED
 ip address dhcp
!
interface Tunnel10
 ip address 10.4.132.201 255.255.254.0
 ….
 tunnel mode gre multipoint
 tunnel vrf RED
 tunnel protection ipsec profile DMVPN-PROFILE
!
router eigrp 200
 network 10.4.132.0 0.0.0.255
 network 10.4.163.0 0.0.0.127
 eigrp router-id 10.4.132.201
Best Practices — Enable Dead Peer Detection (DPD)
Informational RFC 3706
Dead Peer Detection (DPD) is a mechanism for detecting unreachable IKE peers
Each peer's DPD state is independent of the others
Without DPD, spoke routers will continue to encrypt traffic using the old SPI, which would be dropped at the hub. It may take up to 60 minutes for the spokes to reconverge
Use ISAKMP keepalives on the spokes:
 crypto isakmp keepalive
ISAKMP invalid-SPI-recovery is not useful with DMVPN
The ISAKMP keepalive timeout should be greater than the routing protocol hellos
Not recommended on hub routers, as it may cause an increase in CPU overhead with a large number of peers
[Figure: hub vpn-7206-1 (tun10) with spokes over the Internet]
DMVPN Internet Deployment
Dynamic IP Address Assignment on the Spoke
Spokes are receiving dynamic address assignment from the ISP
A spoke reboots and receives a new IP address from the ISP; the VPN session is established but no traffic passes
The following error message appears on the spoke:
"%NHRP-3-PAKREPLY: Receive Registration Reply packet with error - unique address registered already(14)"
The hub router (NHS) rejects registration attempts for the same private address that use a different NBMA address
To resolve this issue, configure the following command on the spoke routers:
 ip nhrp registration no-unique
[Figure: hub vpn-7206-1 (tun10) with spokes br201-2911 and br202-2911 (tun0) over the Internet]
Best Practices — Avoid Fragmentation with IPSec VPN
IP fragmentation causes CPU and memory overhead, resulting in lower throughput performance
When one fragment of a datagram is dropped, the entire original IP datagram has to be resent
Use 'mode transport' on the transform-set: NHRP needs it for NAT support, and it saves 20 bytes
Avoid MTU issues with the following best practices:
 ip mtu 1400
 ip tcp adjust-mss 1360
Tunnel Setting (AES256+SHA)     Minimum MTU   Recommended MTU
GRE/IPSec (Tunnel Mode)         1414 bytes    1400 bytes
GRE/IPSec (Transport Mode)      1434 bytes    1400 bytes
[Figure: GRE+IPsec tunnel path with MTU 1500 on the end segments and MTU 1400 on the tunnel]
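The arithmetic behind the table, as an added example that is not part of the presentation: it computes the GRE+ESP (AES-256-CBC with HMAC-SHA1) encapsulation overhead for both ESP modes and derives the largest tunnel MTU that still fits a 1500-byte path, reproducing the 1414/1434 figures, the 20-byte transport-mode saving and the 1360 MSS. The per-header sizes are standard values assumed here; the slide does not list them.

```python
# Header sizes assumed here (standard IPv4/ESP/GRE values, not stated on the slide)
OUTER_IP = 20      # IPv4 header that carries the ESP packet
ESP_HEADER = 8     # SPI (4) + sequence number (4)
AES_CBC_IV = 16    # AES-CBC initialisation vector, one cipher block
GRE_HEADER = 4     # basic GRE header, no key or sequence options
ESP_TRAILER = 2    # pad length (1) + next header (1)
ESP_ICV = 12       # HMAC-SHA1-96 integrity check value
AES_BLOCK = 16     # the encrypted part is padded to a multiple of this
IPV4_HEADER = 20
TCP_HEADER = 20


def esp_packet_size(inner_packet: int, transport_mode: bool) -> int:
    """Bytes on the wire for a clear-text IP packet of inner_packet bytes sent
    through a GRE tunnel protected by ESP (AES-256-CBC + HMAC-SHA1).
    Tunnel mode encrypts the GRE delivery IP header as well and adds a new outer
    header; transport mode reuses the delivery header as the outer header, which
    is the 20 bytes the slide says transport mode saves."""
    encrypted = GRE_HEADER + inner_packet + ESP_TRAILER
    if not transport_mode:
        encrypted += IPV4_HEADER                        # delivery header inside ESP
    padded = -(-encrypted // AES_BLOCK) * AES_BLOCK     # round up to a cipher block
    return OUTER_IP + ESP_HEADER + AES_CBC_IV + padded + ESP_ICV


def max_tunnel_ip_mtu(path_mtu: int, transport_mode: bool) -> int:
    """Largest tunnel 'ip mtu' such that every packet up to that size still fits
    in path_mtu after encapsulation, i.e. without IPsec-level fragmentation."""
    size = path_mtu
    while esp_packet_size(size, transport_mode) > path_mtu:
        size -= 1
    return size


def needs_fragmentation(inner_packet: int, transport_mode: bool, path_mtu: int = 1500) -> bool:
    return esp_packet_size(inner_packet, transport_mode) > path_mtu


def tcp_mss_for(ip_mtu: int) -> int:
    """MSS that keeps a full TCP segment within ip_mtu: the slide's
    'ip tcp adjust-mss 1360' for 'ip mtu 1400'."""
    return ip_mtu - IPV4_HEADER - TCP_HEADER


def slide_table(path_mtu: int = 1500) -> dict:
    """Reproduces the slide's 'Minimum MTU' column for both ESP modes."""
    return {
        "GRE/IPSec (Tunnel Mode)": max_tunnel_ip_mtu(path_mtu, transport_mode=False),
        "GRE/IPSec (Transport Mode)": max_tunnel_ip_mtu(path_mtu, transport_mode=True),
    }


if __name__ == "__main__":
    for setting, mtu in slide_table().items():
        print(f"{setting}: {mtu} bytes")
    print("MSS for ip mtu 1400:", tcp_mss_for(1400))
```

The slide's recommended 1400 sits below both computed maxima, so a 1400-byte packet fits in either mode.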
Best Practices — Multicast over DMVPN
By default the router uses the OIL to correlate a multicast group join to an interface
This causes a problem when the hub is connected to multiple spokes over an NBMA network
Any spoke that leaves a multicast group would cause all the spokes to be pruned off the multicast group
Enable PIM NBMA mode under the tunnel interface on hubs and spokes:
 ip pim nbma-mode
Allows the router to track multicast joins based on IP address instead of interface
Applies only to PIM sparse-mode
The router treats the NBMA network as a collection of point-to-point circuits, allowing remote sites to be pruned off traffic flows individually
[Figure: hub vpn-7206-1 (tun10) and spokes (br201-2911 and another) over the Internet, with multicast receivers behind the spokes]
[Figure: the same topology after a receiver behind one spoke sends an IGMP Leave; the hub sends a PIM Prune and a Prune towards the RP]
Deploying WCCP with DMVPN Phase
In DMVPN deployments with WCCP, the WCCP intercept is configured on the tunnels
Any packet travelling from spoke to spoke, on reaching the tunnel, is intercepted by WCCP and sent to the WAE
This breaks the NHRP condition to send the redirect
No dynamic tunnels are established
[Figure: hub with WCCP service group 62 on the tunnel interface, spokes over the Internet]
Deploying WCCP with DMVPN Phase
Remove the WCCP intercept from the tunnel interface on the hub and configure it on its LAN interface:
 ip wccp 62 redirect out
Initial spoke-to-spoke traffic hairpins through the hub without being intercepted by WCCP
The hub creates an NHRP redirect message to the spoke, allowing dynamic spoke-to-spoke tunnel setup
[Figure: hub with WCCP service group 62 moved to the LAN interface, spokes over the Internet]
Summary
Key Takeaways
Understand how WAN characteristics can affect your applications: bandwidth, latency, loss
Dual carrier designs can provide resiliency but have unique considerations
A QoS-enabled, highly-available network infrastructure is the foundation layer of the WAN architecture
Encryption is a foundation component of all WAN designs and can be deployed transparently
Understand how to apply WCCPv2 in the branch network to enable WAN optimisation appliances.
Q & A
Complete Your Online Session Evaluation
Complete your session evaluation:
Directly from your mobile device by visiting www.ciscoliveaustralia.com/mobile and logging in by entering your username and password
Visit one of the Cisco Live internet stations located throughout the venue
Open a browser on your own computer to access the Cisco Live onsite portal
Don't forget to activate your Virtual account for access to materials, communities and live activities at www.ciscolivevirtual.com