WAN Design Principle

Upload: reza

Post on 07-Aug-2018


  • 8/20/2019 Wan Design Principle

    1/100 BRKCRS-2041

    WAN Architectures and Design Principles

  • 2/100 Housekeeping

    © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKCRS-2041

    We value your feedback: don't forget to complete your online session evaluations after each session and complete the Overall Conference Evaluation, which will be available online from Thursday.

    Visit the World of Solutions
    Please switch off your mobile phones
    Please make use of the recycling bins provided
    Please remember to wear your badge at all times

  • 3/100 Agenda

    WAN Technologies & Solutions
    WAN Transport Technologies
    WAN Overlay Technologies
    WAN Optimisation
    Wide Area Network Quality of Service
    WAN Architecture Design Considerations
    Secure WAN Communication with GETVPN
    DMVPN Over Internet Deployment
    Summary

  • 4/100 WAN Transport Technologies

  • 5/100 Hierarchical Network Design

    [Figure: three layers, Core / Distribution / Access, mapped onto the WAN: Data Centre/HQ at the core, Regional hubs at the distribution layer, Spoke Site 1 … Spoke Site N (and Spoke Site 1' … Spoke Site N') at the access layer]

  • 6/100 Hierarchical Network Design

    Hierarchical design used to be…
      Three routed layers: core, distribution, access
      Only one hierarchical structure end-to-end

    Hierarchical design has become any design that…
      Splits the network up into "places," or "nodes"
      Separates these "nodes" by hiding information
      Organises these "nodes" around a network core
      i.e. roughly "hub and spoke" at a macro level

  • 7/100 WAN Transport Options

    Topologies
      Point-to-point, multipoint
      Full/partial mesh
      Hub/spoke or multi-tier

    Media
      Serial, ATM/FR, OC-x
      Dark fibre, Lambda
      Ethernet

    VPN Services for Transport
      L2 – Metro-E (p2p, p2mp)
      L3 – Private IP VPN
      L3 – Public (Internet)

    Overlay Options
      GRE
      DMVPN
      L2/L3 VPN over IP

  • 8/100 MPLS VPN Topology

    Definition
      MPLS WAN is provided by a service provider
      As seen by the enterprise network, every site is one IP "hop"
      Equivalent to a full mesh, or to a "hubless" hub-and-spoke

    [Figure: Spoke Sites 1, 2, N, X and Y attached to the SP-provided MPLS IP WAN, shown as equivalent to the same sites attached to a single "Hub Site (The Network)"]

  • 9/100 MPLS VPN

    Layer 3 (L3) service: direct Layer 3 adjacencies only between CE and PE routers
    VRF—Virtual Routing and Forwarding

    [Figure: CE — local loop — PE (VRF and Global tables) — PE — CE]

    ! PE Router – Multiple VRFs
    ip vrf blue
     rd 65100:10
     route-target import 65100:10
     route-target export 65100:10
    ip vrf yellow
     rd 65100:20
     route-target import 65100:20
     route-target export 65100:20
    !
    ! subinterface encapsulation and addressing are omitted on the slide
    interface GigabitEthernet0/1.10
     ip vrf forwarding blue
    interface GigabitEthernet0/1.20
     ip vrf forwarding yellow

  • 10/100 MPLS VPN Design Trends

    Single Carrier Designs:
      Enterprise will home all sites into a single carrier to provide L3 MPLS VPN connectivity.
      Pro: Simpler design with consistent features
      Con: Bound to a single carrier for feature velocity
      Con: Does not protect against MPLS cloud failure with a single provider

    Dual Carrier Designs:
      Enterprise will single- or dual-home sites into one or both carriers to provide L3 MPLS VPN connectivity.
      Pro: Protects against MPLS service failure with a single provider
      Pro: Potential business leverage for better competitive pricing
      Con: Increased design complexity due to service implementation differences (e.g. QoS, topology)
      Con: Feature differences between providers could force the customer to use least-common-denominator features.

    Variants of these designs and site connectivity:
      Encryption overlay (e.g. IPsec, DMVPN, GET VPN, etc.)
      Sites with on-demand / permanent backup links

  • 11/100 Single Carrier Site Types (Non-Transit)

    Dual Homed Non-Transit
      Only advertise local prefixes (typically with dual CE routers)
      BGP design:
        eBGP to carrier
        iBGP between CEs
        Redistribute cloud-learned routes into site IGP

    Single Homed Non-Transit
      Advertise local prefixes and optionally use a default route.

    [Figure: carrier AS 200 (routers C1, C2); site AS 64512 with CE1, CE2 and a site IGP; site AS 64517 with CE3, CE4; CE5]

  • 12/100 Dual Carrier: Transit vs. Non-Transit

    To guarantee single-homed site reachability to a dual-homed site experiencing a failure, transit sites had to be elected.
    Transit sites would act as a BGP bridge transiting routes between the two provider clouds.
    To minimise the latency costs of transits, transits need to be selected with geographic diversity (e.g. from the East, West and Central US).

    [Figure: carriers AS 100 and AS 200 (C1, C2); sites AS 64512 (CE1, CE2, Prefix Z) and AS 64517 (CE3, CE4, site IGP, Prefixes X and Y); transit site AS 64545 (CE)]

  • 13/100 Single vs. Dual Carriers: Resiliency Drivers vs. Simplicity

    Single Provider
      Pro: Common QoS support model
      Pro: Only one vendor to "tune"
      Pro: Reduced head-end circuits
      Pro: Overall simpler design
      Con: Carrier failure could be catastrophic
      Con: Do not have another carrier "in your pocket"

    Dual Providers
      Pro: More fault domains
      Pro: More product offerings to business
      Pro: Ability to leverage vendors for better pricing
      Pro: Nice to have a second vendor option
      Con: Increased bandwidth ("paying for bandwidth twice")
      Con: Increased overall design complexity
      Con: May be reduced to "common denominator" between carriers

  • 14/100 Agenda

    WAN Technologies & Solutions
    WAN Transport Technologies
    WAN Overlay Technologies
    WAN Optimisation
    Wide Area Network Quality of Service
    WAN Architecture Design Considerations
    Secure WAN Communication with GETVPN
    DMVPN Over Internet Deployment
    Summary

  • 15/100 WAN Overlay Technologies

  • 16/100 Tunnelling Technologies: Packet Encapsulation over IP Tunnels

    IPsec—Encapsulating Security Payload (ESP)
      Strong encryption
      IP unicast only

    Generic Routing Encapsulation (GRE)
      IP unicast, multicast, broadcast
      Multiprotocol support

    Layer 2 Tunnelling Protocol—Version 3 (L2TPv3)
      Layer 2 payloads (Ethernet, Serial, …)
      Pseudowire capable

    Other tunnelling technologies – L3VPNomGRE, LISP, OTV

  • 17/100 IPsec ESP: Transport and Tunnel Modes

    [Figure: packet layouts]
      Transport mode: IP HDR | ESP HDR | IP Payload | ESP Trailer | ESP Auth
      Tunnel mode: new IP HDR | ESP HDR | original IP HDR | IP Payload | ESP Trailer | ESP Auth
      In both modes the encrypted span covers the payload (plus the original IP header in tunnel mode) and the ESP trailer; the authenticated span covers the ESP header through the ESP trailer.
      Sizes shown on the slide: 20 bytes, 30 bytes, 54 bytes, 2 bytes, 2 bytes

  • 18/100 GRE Tunnelling

    Original IP datagram (before forwarding):
      Original IP header (20 bytes) | IP payload
    GRE packet with new IP header, protocol 47 (forwarded using the new IP destination):
      New IP header (20 bytes) | GRE header (4 bytes) | Original IP header (20 bytes) | IP payload

    ! Router A – GRE Example
    ! 'tunnel mode gre ip' is the IOS default for a Tunnel interface; the slide's
    ! 'encapsulation gre' is not a Tunnel interface command
    interface Loopback0
     ip address 192.168.1.1 255.255.255.255
    interface Tunnel0
     ip address 172.16.1.1 255.255.255.0
     tunnel mode gre ip
     ip mtu 1476
     tunnel source Loopback0
     tunnel destination 192.168.2.2

    ! Router B – GRE Example
    interface Loopback0
     ip address 192.168.2.2 255.255.255.255
    interface Tunnel0
     ip address 172.16.1.2 255.255.255.0
     tunnel mode gre ip
     ip mtu 1476
     tunnel source Loopback0
     tunnel destination 192.168.1.1
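The two preceding slides give the header sizes for ESP (transport and tunnel mode) and for GRE, and the GRE example sets ip mtu 1476 on a 1500-byte link. The following Python is an added illustration (not from the Cisco deck) that turns those header sizes into the tunnel MTU to configure for each encapsulation, including the GRE-over-IPsec combinations DMVPN uses. The cipher parameters (AES-CBC with a 16-byte IV and a 16-byte ICV) are an assumption of the example; the header sizes are the standard ones.

```python
IPV4_HDR = 20            # IPv4 header without options
GRE_HDR = 4              # GRE header without key/sequence options
ESP_HDR = 8              # SPI (4) + sequence number (4)
ESP_TRAILER = 2          # pad length (1) + next header (1)

# Assumption for the example: AES-CBC (16-byte block and IV) with a 16-byte ICV.
BLOCK, IV, ICV = 16, 16, 16


def esp_padding(protected_len):
    """Bytes of ESP padding so that payload + trailer fills whole cipher blocks."""
    return (-(protected_len + ESP_TRAILER)) % BLOCK


def encapsulated_len(inner_len, mode):
    """On-wire size of an inner IPv4 datagram of inner_len bytes after
    encapsulation. inner_len includes the inner 20-byte IP header."""
    if mode == "gre":
        return IPV4_HDR + GRE_HDR + inner_len
    # Which bytes ESP protects depends on the mode.
    protected = {
        "esp-transport": inner_len - IPV4_HDR,        # original IP header becomes the outer header
        "esp-tunnel": inner_len,                       # whole original datagram is protected
        "gre-esp-transport": GRE_HDR + inner_len,      # DMVPN-style GRE inside ESP transport
        "gre-esp-tunnel": IPV4_HDR + GRE_HDR + inner_len,
    }[mode]
    return (IPV4_HDR + ESP_HDR + IV + protected + esp_padding(protected)
            + ESP_TRAILER + ICV)


def max_inner_len(physical_mtu, mode):
    """Largest inner datagram that fits physical_mtu without fragmentation:
    the value to configure as 'ip mtu' on the tunnel interface."""
    n = physical_mtu
    while encapsulated_len(n, mode) > physical_mtu:
        n -= 1
    return n


def tcp_mss(tunnel_mtu):
    """Matching 'ip tcp adjust-mss' value: tunnel MTU minus IPv4 and TCP headers."""
    return tunnel_mtu - IPV4_HDR - 20


if __name__ == "__main__":
    for mode in ("gre", "esp-transport", "esp-tunnel",
                 "gre-esp-transport", "gre-esp-tunnel"):
        mtu = max_inner_len(1500, mode)
        print(f"{mode:18s} ip mtu {mtu}  ip tcp adjust-mss {tcp_mss(mtu)}")
```

For plain GRE the function returns the 1476 the slide configures; for ESP the answer depends on the padding, which is why the search walks down from the physical MTU instead of subtracting a fixed number. Setting the tunnel MTU and the TCP MSS together avoids the fragmentation and PMTUD failures that otherwise show up as stalled transfers through the tunnel.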

  • 19/100 VPN Technology: Positioning EzVPN, DMVPN, GETVPN

    [Figure: Data Centre with WAN Edge and Internet Edge; GETVPN key servers (KS) and group members (GM) with IPsec over the MPLS/Private Network; DMVPN spokes and EzVPN spokes over the Internet/Shared Network]
    * Note: DMVPN can also be used on MPLS/Private Network

  • 20/100 VPN Technology Comparison

                            EzVPN                          DMVPN                                        GET VPN
    Infrastructure Network  Public Internet transport      Private & public Internet transport          Private IP transport
    Network Style           Hub-spoke (client to site)     Hub-spoke and spoke-to-spoke (site-to-site)  Any-to-any (site-to-site)
    Routing                 Reverse-route injection        Dynamic routing on tunnels                   Dynamic routing on IP WAN
    Failover Redundancy     Stateful hub crypto failover   Route distribution model                     Route distribution model + stateful
    Encryption Style        Peer-to-peer protection        Peer-to-peer protection                      Group protection
    IP Multicast            Multicast replication at hub   Multicast replication at hub                 Multicast replication in IP WAN network

  • 21/100 Dynamic Multipoint VPN: Secure On-Demand Meshed Tunnels

    Provides full meshed connectivity with simple configuration of hub and spoke
    Supports dynamically addressed spokes
    Facilitates zero-touch configuration for addition of new spokes
    Features automatic IPsec triggering for building an IPsec tunnel

    [Figure: Hub with Spoke 1, Spoke 2 … Spoke n; traditional static tunnels need static, known IP addresses, whereas DMVPN tunnels work with dynamic, unknown IP addresses]

  • 22/100 Dynamic Multipoint VPN (DMVPN) Operational Example
  • 23/100 Dynamic Multipoint VPN (DMVPN) Operational Example (cont.)

    [Figure, two slides: the same topology before and after spoke-to-spoke resolution]
      Hub: physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.0/24 (192.168.0.1/24)
      Spoke A: physical (dynamic) 172.16.1.1, Tunnel0 10.0.0.11, LAN 192.168.1.0/24 (192.168.1.1/24)
      Spoke B: physical (dynamic) 172.16.2.1, Tunnel0 10.0.0.12, LAN 192.168.2.0/24
      Hub CEF FIB: 192.168.0.0/24 Conn.; 192.168.1.0/24 and 192.168.2.0/24 via 10.0.0.… (next hops truncated on the slide)
      Hub NHRP mapping: 10.0.0.11 → 172.16.1.1; 10.0.0.12 → 172.16.2.1
      Spoke CEF FIB: own LAN Conn.; 192.168.0.0/16 via 10.0.0.1
      Spoke NHRP mapping / CEF adjacency: 10.0.0.1 → 172.17.0.1; destination 192.168.2.1 unresolved ("???")
      Sequence: a data packet from Spoke A to 192.168.2.1 follows the summary route to the hub → the hub sends an NHRP Redirect → Spoke A sends an NHRP Resolution → Spoke A adds the NHRP mapping and CEF adjacency 10.0.0.12 → 172.16.2.1 (and Spoke B adds 10.0.0.11 → 172.16.1.1), after which traffic is forwarded spoke-to-spoke directly
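The two slides above show the DMVPN Phase 3 sequence (summary route to the hub, NHRP Redirect, NHRP Resolution, shortcut installed) as before/after tables. The following Python is an added illustration of that sequence, not Cisco code: it models the three routers with the tunnel, physical (NBMA) and LAN addresses from the slides, and traces the NBMA hops a packet takes before and after resolution. The hub LAN 192.168.0.0/24 and the summary route 192.168.0.0/16 are taken from the slide; the redirect trigger (a packet hairpinned on the hub's tunnel interface) is the simplified rule used here.

```python
import ipaddress as ipa


class Node:
    def __init__(self, name, tunnel, nbma, lan):
        self.name, self.tunnel, self.nbma = name, tunnel, nbma
        self.lan = ipa.ip_network(lan)
        self.fib = [(self.lan, None)]   # (prefix, tunnel next hop); None = connected
        self.nhrp = {}                  # tunnel address -> NBMA (physical) address
        self.shortcuts = {}             # prefix -> tunnel next hop learnt via NHRP

    def lookup(self, dst):
        """Longest match over NHRP shortcuts and the FIB; None means local delivery."""
        dst = ipa.ip_address(dst)
        candidates = list(self.shortcuts.items()) + self.fib
        for prefix, nh in sorted(candidates, key=lambda e: -e[0].prefixlen):
            if dst in prefix:
                return nh
        raise LookupError(f"{self.name}: no route to {dst}")


# Addresses from the slides; the hub LAN is taken to be 192.168.0.0/24.
hub = Node("hub", "10.0.0.1", "172.17.0.1", "192.168.0.0/24")
spoke_a = Node("spokeA", "10.0.0.11", "172.16.1.1", "192.168.1.0/24")
spoke_b = Node("spokeB", "10.0.0.12", "172.16.2.1", "192.168.2.0/24")
nodes = {n.tunnel: n for n in (hub, spoke_a, spoke_b)}


def register(spoke):
    """NHRP registration: the spoke knows the hub statically, the hub learns the
    spoke's dynamic NBMA address, and routing gives the spoke only a summary."""
    spoke.nhrp[hub.tunnel] = hub.nbma
    spoke.fib.append((ipa.ip_network("192.168.0.0/16"), hub.tunnel))
    hub.nhrp[spoke.tunnel] = spoke.nbma
    hub.fib.append((spoke.lan, spoke.tunnel))


def resolve(requester, dst):
    """NHRP resolution triggered by a hub redirect: the spoke owning dst
    answers with its NBMA address and both ends install a shortcut."""
    target = next(n for n in nodes.values() if ipa.ip_address(dst) in n.lan)
    requester.nhrp[target.tunnel] = target.nbma
    requester.shortcuts[target.lan] = target.tunnel
    target.nhrp[requester.tunnel] = requester.nbma
    target.shortcuts[requester.lan] = requester.tunnel


def forward(src, dst):
    """Return the NBMA addresses a packet traverses from src to dst, applying
    the redirect/resolution side effects of DMVPN Phase 3 on the way."""
    path, node = [], src
    while True:
        nh = node.lookup(dst)
        if nh is None:                      # dst is on this node's LAN
            return path
        if node is hub and src is not hub:  # hairpinned on the hub's mGRE interface
            resolve(src, dst)               # hub sends NHRP Redirect, src resolves dst
        node = nodes[nh]
        path.append(node.nbma)


def demo():
    for spoke in (spoke_a, spoke_b):
        register(spoke)
    first = forward(spoke_a, "192.168.2.1")   # via the hub, triggers the redirect
    second = forward(spoke_a, "192.168.2.1")  # direct spoke-to-spoke
    return first, second


if __name__ == "__main__":
    print(demo())
```

The first packet returns the path [172.17.0.1, 172.16.2.1] (hub, then Spoke B), and the second [172.16.2.1] only, which is the shortcut the slide's "after" table shows. Note that the spoke only ever holds a summary route; the /24 it ends up using for Spoke B lives in the NHRP shortcut table, which is why `show ip nhrp` rather than the routing table is where to look when spoke-to-spoke traffic keeps hairpinning through the hub.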

  • 24/100 Network Designs

    [Figure: DMVPN network designs: hub and spoke (spoke-to-hub tunnels), spoke-to-spoke (spoke-to-spoke tunnels), server load balancing, hierarchical, and 2547oDMVPN (2547oDMVPN tunnels, VRF-lite)]

  • 25/100 Any-to-Any Encryption Before and After GET VPN

    Before: IPsec P2P tunnels (public/private WAN)
      Scalability—an issue (N^2 problem)
      Overlay routing
      Any-to-any instant connectivity can't be done to scale
      Limited QoS
      Inefficient multicast replication

    After: tunnel-less VPN (private WAN)
      Scalable architecture for any-to-any connectivity and encryption
      No overlays—native routing
      Any-to-any instant connectivity
      Enhanced QoS
      Efficient multicast replication

  • 26/100 Group Security Functions

    Group Member: encryption devices; route between secure/unsecure regions; multicast participation
    Key Server: validate group members; manage security policy; create group keys; distribute policy/keys
    Routing Member: forwarding; replication; routing

    [Figure: Key Server, Group Members and Routing Members]

  • 27/100 Group Security Elements: GETVPN Group Key Technology

    Key Encryption Key (KEK)
    Traffic Encryption Key (TEK)
    Group Policy
    RFC 3547: Group Domain of Interpretation (GDOI)
    KS Cooperative Protocol

    [Figure: Key Servers, Group Members and Routing Members]

  • 28/100 GETVPN – Group Key Technology Operation Example

    Step 1: Group Members (GM) "register" via GDOI (IKE) with the Key Server (KS)
      KS authenticates and authorises the GM
      KS returns a set of IPsec SAs for the GM to use
    Step 2: Data Plane Encryption
      GMs exchange encrypted traffic using the group keys
      The traffic uses IPsec tunnel mode with "address preservation"
    Step 3: Periodic Rekey of Keys
      KS pushes out replacement IPsec keys before the current IPsec keys expire; this is called a "rekey"

    [Figure: three panels, one per step, each showing GM1 … GM9 and the KS]
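The three steps above, together with the KEK/TEK split from the previous slide, can be modelled end to end. The following Python is an added illustration, not Cisco's GDOI implementation: a key server that authorises members and hands out the KEK and current TEK, members that protect traffic under the shared TEK (so any member can verify any other without a pairwise SA), and a rekey pushed at 90% of the TEK lifetime that members accept only when its KEK-based tag verifies. Real GETVPN uses ESP for the data plane; here the traffic protection is reduced to an HMAC tag so the example runs with the standard library only, and the lifetime and rekey fraction are assumed values.

```python
import hashlib
import hmac
import os


def _tek_tag(kek, tek):
    """KEK-keyed tag over the TEK contents; only the KS holds the KEK."""
    body = tek["spi"].encode() + tek["key"] + str(tek["expires"]).encode()
    return hmac.new(kek, body, hashlib.sha256).digest()


class KeyServer:
    """Minimal KS: authorises members and holds the group KEK and current TEK."""

    def __init__(self, authorised, tek_lifetime=3600, rekey_fraction=0.9):
        self.authorised = set(authorised)
        self.kek = os.urandom(32)
        self.tek_lifetime = tek_lifetime
        self.rekey_after = tek_lifetime * rekey_fraction
        self.members = {}
        self.tek = self._new_tek(now=0)

    def _new_tek(self, now):
        return {"spi": os.urandom(4).hex(), "key": os.urandom(32),
                "issued": now, "expires": now + self.tek_lifetime}

    def register(self, gm_identity, now):
        """Step 1: GDOI registration; unauthorised identities get nothing."""
        if gm_identity not in self.authorised:
            raise PermissionError(f"{gm_identity} is not authorised for the group")
        self.members[gm_identity] = now
        return {"kek": self.kek, "tek": dict(self.tek),
                "policy": "ESP tunnel mode with address preservation"}

    def rekey_due(self, now):
        return now >= self.tek["issued"] + self.rekey_after

    def rekey(self, now):
        """Step 3: replacement TEK pushed before the current one expires."""
        self.tek = self._new_tek(now)
        return {"tek": dict(self.tek), "tag": _tek_tag(self.kek, self.tek)}


class GroupMember:
    def __init__(self, identity):
        self.identity, self.kek, self.tek = identity, None, None

    def register(self, ks, now):
        reply = ks.register(self.identity, now)
        self.kek, self.tek = reply["kek"], reply["tek"]

    def protect(self, payload, now):
        """Step 2: integrity tag under the group TEK (stands in for ESP)."""
        if now >= self.tek["expires"]:
            raise RuntimeError("TEK expired: this GM missed the rekey")
        tag = hmac.new(self.tek["key"], payload, hashlib.sha256).digest()
        return self.tek["spi"], payload, tag

    def verify(self, spi, payload, tag):
        expected = hmac.new(self.tek["key"], payload, hashlib.sha256).digest()
        return spi == self.tek["spi"] and hmac.compare_digest(expected, tag)

    def accept_rekey(self, msg):
        """Install a pushed TEK only if its KEK-based tag verifies."""
        if not hmac.compare_digest(_tek_tag(self.kek, msg["tek"]), msg["tag"]):
            return False
        self.tek = dict(msg["tek"])
        return True


def demo():
    ks = KeyServer(authorised={"gm1", "gm2"})
    gm1, gm2 = GroupMember("gm1"), GroupMember("gm2")
    gm1.register(ks, now=0)
    gm2.register(ks, now=0)
    results = {}
    results["any_to_any"] = gm2.verify(*gm1.protect(b"payroll batch", now=10))
    try:
        GroupMember("gm9").register(ks, now=0)
        results["rogue_rejected"] = False
    except PermissionError:
        results["rogue_rejected"] = True
    results["rekey_due_at_90pct"] = ks.rekey_due(3240) and not ks.rekey_due(3000)
    msg = ks.rekey(now=3240)
    forged = dict(msg, tag=os.urandom(32))
    results["forged_rekey_rejected"] = not gm1.accept_rekey(forged)
    results["rekeyed"] = gm1.accept_rekey(msg) and gm2.accept_rekey(msg)
    results["after_old_expiry"] = gm2.verify(*gm1.protect(b"after rekey", now=3700))
    return results


if __name__ == "__main__":
    print(demo())
```

Two properties worth checking in a real deployment fall out of the model: a member that misses the rekey window is left with an expired TEK and stops forwarding (so rekey reachability, unicast or multicast, is an availability concern, not only a security one), and the KS is the trust anchor for the whole group, which is why the cooperative-KS protocol from the previous slide and hardened KS placement matter.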

  • 29/100 GETVPN Deployment Model

    MPLS VPN
    MPLS VPN w/ CsC
    MPLS VPN over GRE w/ GET VPN (GET-encrypted GRE)
    GETVPN Segmented WAN: MPLSomGRE with GETVPN

    [Figure: CE — PE — PE — CE for each model]

  • 30/100 Agenda

    WAN Technologies & Solutions
    WAN Transport Technologies
    WAN Overlay Technologies
    WAN Optimisation
    Wide Area Network Quality of Service
    WAN Architecture Design Considerations
    Secure WAN Communication with GETVPN
    DMVPN Over Internet Deployment
    Summary

  • 31/100 WAN Optimisation

  • 32/100 The WAN Is the Barrier to Branch Application Performance

    WAN packet loss and latency = slow application performance = keep and manage servers in branch offices ($$$)

    Applications are designed to work well on LANs:
      High bandwidth
      Low latency
      Reliability
    WANs have the opposite characteristics:
      Low bandwidth
      High latency
      Packet loss

    [Figure: client — LAN switch — server, round trip time (RTT) ~ 0 ms; client — LAN switch — routed network — LAN switch — server, RTT usually measured in milliseconds]

  • 33/100 TCP Behaviour

    [Figure: cwnd against time (RTT): slow start, then congestion avoidance, with cwnd collapsing at each packet loss]
    Return to maximum throughput could take a very long time!

  • 34/100 WAAS—TCP Performance Improvement

    Transport Flow Optimisation (TFO) overcomes TCP and WA… (sentence cut off on the slide)
      Shields nodes' connections from WAN conditions
      Clients experience fast acknowledgement
      Minimise perceived packet loss
      Eliminate the need to use inefficient congestion handling

    [Figure: LAN TCP behaviour on either side of the WAN; TFO features: window scaling, large initial windows, congestion management, improved retransmit]
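The TCP slide above says that returning to maximum throughput after a loss "could take a very long time", and the TFO slide lists large initial windows among its remedies. The following Python is an added illustration (not Cisco's TFO) that puts numbers on both with a simplified Reno model in MSS units: it counts the RTTs a flow needs to reach the path's full window from a cold start, and the RTTs it needs to get back there after a loss, for the standard initial window of one segment and for a larger one. Recovery is modelled as a timeout-style restart from the initial window, which is the saw-tooth the slide's graph shows; the window sizes are constructed for the example.

```python
def simulate(max_cwnd, rtts, loss_at=(), initial=1):
    """cwnd (in MSS) at the start of each RTT under a simplified Reno model:
    slow start doubles per RTT up to ssthresh, congestion avoidance then adds
    one MSS per RTT up to max_cwnd (the path's capacity), and a loss halves
    ssthresh and restarts from 'initial' (timeout-style recovery)."""
    ssthresh, cwnd, history = max_cwnd, initial, []
    for rtt in range(rtts):
        history.append(cwnd)
        if rtt in loss_at:
            ssthresh, cwnd = max(cwnd // 2, 2), initial
        elif cwnd < ssthresh:
            cwnd = min(cwnd * 2, ssthresh)
        else:
            cwnd = min(cwnd + 1, max_cwnd)
    return history


def rtts_to_reach(max_cwnd, initial=1):
    """RTTs from connection start until the full window is in use."""
    return simulate(max_cwnd, 4 * max_cwnd, initial=initial).index(max_cwnd)


def rtts_to_recover(max_cwnd, loss_rtt, initial=1):
    """RTTs after a loss at RTT number loss_rtt until cwnd is back at max_cwnd."""
    history = simulate(max_cwnd, 8 * max_cwnd, loss_at={loss_rtt}, initial=initial)
    return history.index(max_cwnd, loss_rtt + 1) - loss_rtt


if __name__ == "__main__":
    # A 64-segment window is roughly 92 KB of data in flight with a 1460-byte MSS:
    # a 5 Mbps path at 150 ms RTT, the kind of branch link the slides discuss.
    for initial in (1, 10):
        print(f"initial window {initial:2d} MSS: "
              f"{rtts_to_reach(64, initial)} RTTs to fill the pipe, "
              f"{rtts_to_recover(64, 10, initial)} RTTs to recover from a loss")
```

With a 150 ms RTT the 38 recovery RTTs for the standard case are nearly six seconds of reduced throughput for one lost segment; most of that is the linear congestion-avoidance climb, which a larger initial window barely touches. That is why the TFO slide pairs large initial windows with congestion-management and retransmit changes rather than relying on the initial window alone.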

  • 35/100 WAAS Overview: DRE and LZ Manage Bandwidth Utilisation

    Data Redundancy Elimination (DRE) provides advanced compression to eliminate redundancy from network flows regardless of application
    LZ compression provides generic compression for all traffic

    [Figure: FILE.DOC — DRE cache — LZ encode — optimised connection across the WAN — LZ decode — DRE cache — FILE.DOC, with origin connections on either side]

  • 36/100 Comparing TCP and Transport Flow Optimisation

    [Figure: cwnd against time (RTT), slow start and congestion avoidance, standard TCP vs. TFO]
    Cisco TFO provides significant throughput improvements over standard TCP implementations

  • 37/100 Introducing Cisco WAAS Express: Extend Cisco WAAS Product Portfolio Across ISR G2s

    Simple
      IOS-based, router-integrated WAN optimisation solution
      Simple software feature activation
      Network transparency and integration with IOS-based services
    Investment Protection
      Part of Cisco WAAS portfolio – leverage existing WAAS deployment
      Easy migration to WAAS on SRE as business needs grow
      Integrated policy provisioning, monitoring and reporting
    Cost Effective
      Defer costly WAN bandwidth upgrades
      Reduce truck roll costs – IOS-integrated solution
      Capex savings – small branch footprint

    [Figure: Data Centre with Cisco WAAS (WAE) and WAAS Central Manager; a branch office with WAAS on SRE and a branch office with WAAS Express, connected over the WAN]

  • 38/100 WAAS/WAAS Express Feature Comparison

    Features                            WAAS Express                          Cisco WAAS hardware (version 4.2…)
    Auto-discovery of end nodes         Supported                             Supported
    TFO (Transport Optimisation)        Supported                             Supported
    Compression                         Supported                             Supported
    DRE (Data Redundancy Elimination)   Memory based, non-persistent cache    Disk based, persistent cache
    BIC-TCP                             Supported                             Supported
    WAAS Central Manager                Cisco WAAS Version 4.3.1+             Supported
    Application Optimisers              None supported                        Supported
    Caching                             Not supported                         Supported

  • 39/100 Integrated Branch-WAN Services

    End-to-End Security
    WAN Optimisation for Application Performance
    Route Optimisation for Application Performance

    [Figure: branch to HQ over ISP1 and ISP2, with PfR choosing the best performing path over the best-metric path during performance issues/brown-out; without Cisco WAAS and without QoS, Email, ERP, Scavenger and VoIP contend for the WAN; with Cisco WAAS and with QoS, additional capacity is freed and VoIP is prioritised. Example: delivering voice over the network]

  • 40/100 Agenda

    WAN Technologies & Solutions
    WAN Transport Technologies
    WAN Overlay Technologies
    WAN Optimisation
    Wide Area Network Quality of Service
    WAN Architecture Design Considerations
    Secure WAN Communication with GETVPN
    DMVPN Over Internet Deployment
    Summary

  • 41/100 Wide Area Network Quality of Service

    Quality of Service Operations

  • 42/100 Quality of Service Operations: How Does It Work and Essential Elements

    Classification and Marking:
      The first element of a QoS policy is to classify/identify the traffic that is to be treated differently.
      Following classification, marking tools can set an attribute of a frame or packet to a specific value.
    Policing:
      Determine whether packets conform to administratively defined traffic rates and take action accordingly. Such action could include marking, remarking or dropping a packet.
    Scheduling (including Queuing and Dropping):
      Scheduling tools determine how a frame/packet exits a device. Queuing algorithms are activated only when a device is experiencing congestion and are deactivated when the congestion clears.

    [Figure: Classification and Marking → Queuing and Dropping → Post-Queuing Operations]

  • 43/100 Enabling QoS in the WAN: Traffic Profiles and Requirements

    Voice
      Smooth, benign, drop sensitive, delay sensitive, UDP priority
      One-way requirements: latency ≤ 150 ms, jitter ≤ 30 ms, loss ≤ 1%, bandwidth 30–128 kbps
      Bandwidth per call depends on codec, sampling rate and Layer 2 media
    TelePresence
      Bursty, drop sensitive, delay sensitive, jitter sensitive, UDP priority
      One-way requirements: latency ≤ 200 ms, jitter ≤ 20 ms, loss ≤ 0.10%, bandwidth 5.5–16 Mbps
      HD/VC has tighter requirements than VoIP in terms of jitter, and bandwidth varies based on the resolutions
    SD Video Conferencing
      Bursty, greedy, drop sensitive, delay sensitive, UDP priority
      One-way requirements: latency ≤ 150 ms, jitter ≤ 30 ms, loss ≤ 0.05%, bandwidth 1 Mbps
      SD/VC has the same requirements as VoIP, but has radically different traffic patterns (bandwidth varies greatly)
    Data classes: Mission-Critical, Transactional, Bulk Data, Best Effort
      Traffic data varies by application; attributes shown on the slide (truncated): smooth/bursty, benign, drop sensitive, delay sensitive, TCP

  • 44/100 QoS Considerations: Voice vs. Video—At the Packet Level

    [Figure: voice packets are audio samples of constant size sent every 20 ms; video packets are video frames of widely varying size (200–1400 bytes on the axis) sent every 33 ms]

  • 45/100 Scheduling Tools: LLQ/CBWFQ Subsystems

    [Figure: packets in → Layer 3 queueing subsystem (VoIP and IP/VC are policed into the PQ of Low Latency Queueing; Signalling, Critical, Bulk, Mgmt and Default classes go to CBWFQ) → Layer 2 queueing subsystem (Link Fragmentation and Interleave: fragment, interleave, FQ) → TX Ring]

  • 46/100 WAN Edge QoS Design Considerations: Link-Speed Considerations

    Slow speed links (≤ 768 kbps): no offering
    Medium speed links (≥ 1 Mbps to < 100 Mbps): use hierarchical policies for sub-line-rate Ethernet connections to provide shaping and CBWFQ/LLQ; use software-based routers, Cisco ASR1000, Cisco Catalyst 3750-Metro or 6500/7600 WAN modules; LAN ports DO NOT provide shaping
    High speed links (≥ 100 Mbps): use hardware queuing via Cisco ASR1000, Cisco Catalyst 3750-Metro or 6500/7600 WAN modules

    [Figure: WAN aggregation routers on an Ethernet WAN]

  • 47/100 Ethernet WAN: Policing and Shaping

    [Figure: head end applying traffic shaping on its 10/100/1000 Mbps link towards the Ethernet WAN service provider, which applies inbound policing; branch reached through a tunnel]

  • 48/100 Traffic Shaping

    Policers typically drop traffic
    Shapers typically delay excess traffic, smoothing bursts and preventing unnecessary drops
    Very common with Ethernet WAN, as well as Non-Broadcast Multiple-Access (NBMA) network topologies such as Frame Relay and ATM

    [Figure: without traffic shaping, bursts reach line rate; with traffic shaping, traffic is held at the shaped rate]
    Traffic shaping limits the transmit rate to a value lower than line rate
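The slide above contrasts policers (drop the excess) with shapers (delay the excess). The following Python is an added illustration, not Cisco's MQC implementation: both tools are driven by the same token bucket (committed rate plus committed burst), and the same constructed burst of ten 1500-byte packets arriving almost simultaneously is run through each, so the difference shows up directly in the returned lists. The rate, burst and queue-delay limit are assumed values chosen for the example.

```python
def police(arrivals, cir_bps, bc_bytes):
    """Single-rate policer: a packet that exceeds the available tokens is dropped.
    arrivals is a list of (time_s, size_bytes); returns (conform, dropped)."""
    tokens, last, conform, dropped = bc_bytes, 0.0, [], []
    for t, size in arrivals:
        tokens = min(bc_bytes, tokens + (t - last) * cir_bps / 8)  # refill
        last = t
        if size <= tokens:
            tokens -= size
            conform.append((t, size))
        else:
            dropped.append((t, size))          # excess is dropped, tokens untouched
    return conform, dropped


def shape(arrivals, rate_bps, bc_bytes, max_queue_delay_s=0.5):
    """Shaper: the same bucket, but an excess packet waits until enough tokens
    have accrued. Returns (departures, tail_drops) with departures as
    (depart_time_s, size_bytes); delay = departure time - arrival time."""
    tokens, clock = bc_bytes, 0.0              # tokens available at time 'clock'
    departures, drops = [], []
    for t, size in arrivals:
        new_tokens, new_clock = tokens, clock
        if t > new_clock:                      # bucket refilled while idle
            new_tokens = min(bc_bytes, new_tokens + (t - new_clock) * rate_bps / 8)
            new_clock = t
        if size > new_tokens:                  # wait for the shortfall to accrue
            new_clock += (size - new_tokens) * 8 / rate_bps
            new_tokens = size
        if new_clock - t > max_queue_delay_s:  # bounded queue: tail drop
            drops.append((t, size))
            continue
        tokens, clock = new_tokens - size, new_clock
        departures.append((new_clock, size))
    return departures, drops


def max_delay(arrivals, departures):
    """Largest queuing delay in seconds introduced by the shaper."""
    return max(d - a for (a, _), (d, _) in zip(arrivals, departures))


# Constructed input: a 10-packet burst of 1500-byte frames, 1 us apart, against
# an 8 Mbps contract with a 3000-byte committed burst.
BURST = [(i * 1e-6, 1500) for i in range(10)]
CIR_BPS, BC_BYTES = 8_000_000, 3000

if __name__ == "__main__":
    conform, dropped = police(BURST, CIR_BPS, BC_BYTES)
    departures, drops = shape(BURST, CIR_BPS, BC_BYTES)
    print(f"policer: {len(conform)} conform, {len(dropped)} dropped")
    print(f"shaper:  {len(departures)} delivered, {len(drops)} dropped, "
          f"max delay {max_delay(BURST, departures) * 1000:.1f} ms")
```

The policer passes only the two packets the burst allowance covers and drops the other eight; the shaper delivers all ten but the last one leaves 12 ms after it arrived. That delay is the cost the slide's "preventing unnecessary drops" refers to, and it is why the nested LLQ policies on the following slides are needed: without them the shaper's queue is FIFO and voice sits behind the bulk data it is smoothing.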

  • 49/100 Hierarchical QoS for Subrate Service: H-QoS Policy on Interface to SP, Shaper = CIR

    Two-level MQC: a service-level PARENT shaper with a CHILD queuing policy for Voice, Video, Scav and Best Effort

    policy-map PARENT
     class class-default
      shape average 800000000
      service-policy CHILD
    !
    policy-map CHILD
     class Voice
      police cir percent 10
      priority level 1
     class Video
      police cir percent 20
      priority level 2
     class Scav
      bandwidth remaining ratio 1
     class class-default
      bandwidth remaining ratio 9
    !
    ! the nested child policy takes no direction keyword (the slide shows 'service-policy output CHILD')
    interface GigabitEthernet0/1
     service-policy output PARENT

  • 50/100 MPLS VPN QoS Design: MPLS VPN Port QoS Roles

    Enterprise Subscriber (unmanaged CE routers)
      Outbound policies:
        HQoS shaper (if required)
        + LLQ for VoIP (EF)
        + LLQ or CBWFQ for RT-Interactive (CS4)
        + Remark RTI (if necessary)
        + CBWFQ for Signalling (CS3)
        + Remark Signalling (if necessary)
        ≤ 33% of BW
      Inbound policies:
        Trust DSCP
        + Restore RT-Interactive to CS4 (if necessary)
        + Restore Signalling to CS3 (if necessary)
    Service Provider (PE routers)
      Outbound policies: LLQ for Real-Time; CBWFQ for Critical Data
      Inbound policies: Trust DSCP; police on a per-class basis

    [Figure: Branch 1, Branch 2 and the Campus VPN Block connected through CE routers to the PE routers of the MPLS VPN]

  • 51/100 QoS ToS Byte Preservation

    [Figure: for a GRE tunnel,  IPsec tunnel mode, and GRE + IPsec tunnels, the ToS byte of the original IP header is copied to the new (outer) IP header]
    ToS byte is copied to the new IP header

  • 52/100 GRE/IPsec Network QoS Design

    [Figure: direction of packet flow: the packet is initially marked DSCP AF41; by default the ToS value is copied to the IPsec header (outer DSCP AF41); the top-most ToS is remarked to DSCP CS5 by the egress policy; at the far end the packet is decrypted to reveal the original ToS byte (AF41)]

    policy-map WAN-SP-CLASS-OUTPUT
     class VOICE
      priority percent 10
     class VIDEO-INTERACTIVE
      priority percent 23
      set ip dscp cs5
     class NETWORK-MGMT
      bandwidth percent 5
      service-policy MARK-BGP
     class class-default
      bandwidth percent 25
      random-detect
    !
    ! the slide references the child as 'WAN-Out'; the policy defined above is WAN-SP-CLASS-OUTPUT
    policy-map Int-Gig-Agg-HE
     class class-default
      shape average 1000000000
      service-policy WAN-SP-CLASS-OUTPUT

    Remarks the DSCP value on the encrypted/encapsulated header on the egress interface
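The two slides above describe ToS byte preservation and the effect of `set ip dscp cs5` on an encapsulated packet: the inner marking survives, the tunnel copies it to the outer header, the egress policy remarks only that outer header, and decapsulation at the far end reveals the original value. The following Python is an added illustration (not Cisco code) that builds real IPv4 headers with `struct` and walks a packet through exactly those steps for GRE; the same copy rule applies to the ESP tunnel-mode header on the slide. Addresses and payload are constructed for the example.

```python
import socket
import struct

AF41, CS5 = 0x22, 0x28          # 6-bit DSCP values; ToS byte = DSCP << 2 (ECN bits zero)


def checksum(data):
    """RFC 1071 ones'-complement checksum; returns 0 for a header that verifies."""
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, dscp, ttl=64, ident=0):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + payload_len, ident,
                      0, ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def dscp_of(pkt):
    return pkt[1] >> 2


def gre_encapsulate(inner, tun_src, tun_dst):
    """New outer IPv4 header (protocol 47) + 4-byte GRE header carrying IPv4;
    the outer ToS is copied from the inner packet, as the slide states."""
    gre = struct.pack("!HH", 0, 0x0800)
    outer = ipv4_header(tun_src, tun_dst, 47, len(gre) + len(inner), dscp_of(inner))
    return outer + gre + inner


def remark_outer(pkt, dscp):
    """Egress 'set ip dscp' on the encapsulated packet: outer header only,
    with its checksum recomputed; the inner header is untouched."""
    hdr = bytearray(pkt[:20])
    hdr[1] = dscp << 2
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def gre_decapsulate(pkt):
    """Strip the outer IPv4 and GRE headers to reveal the original datagram."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 47:
        raise ValueError("not a GRE packet")
    return pkt[ihl + 4:]


def demo():
    payload = b"constructed video-interactive payload"
    inner = ipv4_header("192.168.1.10", "192.168.2.20", 17, len(payload), AF41) + payload
    encap = gre_encapsulate(inner, "172.16.1.1", "172.17.0.1")   # outer copies AF41
    on_wire = remark_outer(encap, CS5)                            # egress remark to CS5
    revealed = gre_decapsulate(on_wire)                           # far end sees AF41 again
    return dscp_of(encap), dscp_of(on_wire), dscp_of(revealed), revealed == inner


if __name__ == "__main__":
    print(demo())
```

The returned tuple is (AF41, CS5, AF41, True): the outer header changed, the inner did not. The same separation is what lets an untrusted transport re-mark or zero the outer DSCP without affecting the marking the receiving site's own policies act on after decapsulation, and it is also why the inbound policies on the MPLS VPN slide can "trust DSCP" on the inner header after the tunnel terminates.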

  • 53/100 Ethernet WAN QoS Design: HQoS Shaping & Queuing Policy and Operation

    policy-map ACCESS-EDGE
     class VOIP
      priority 1000
     class REALTIME
      priority 15000
     class CALL-SIGNALING
      bandwidth x
     class TRANSACTIONAL
      bandwidth y
     class BULK-DATA
      bandwidth z
     class class-default
      fair-queue
    !
    ! x, y, z are left as placeholders on the slide
    policy-map HQoS-50MBPS
     class class-default
      shape average 50000000 1000000
      service-policy ACCESS-EDGE

    [Figure: packets in → VoIP policer (1 Mbps) and REALTIME policer (15 Mbps) feeding a 16 Mbps PQ (FIFO between VoIP and video); Call-Signalling, Transactional and Bulk Data CBWFQ queues plus the default (fair-queue) queue → CBWFQ scheduler → class-based shaper → GE with a … access (e.g. …; label truncated on the slide)]

    Queuing policies will not engage unless the interface is congested
    A shaper will guarantee that traffic will not exceed the contracted rate
    A nested queuing policy will force queuing to engage at the contracted sub-line-rate to prioritise packets prior to shaping

    Agenda


    WAN Technologies & Solutions

WAN Transport Technologies

WAN Overlay Technologies

    WAN Optimisation

    Wide Area Network Quality of Service

WAN Architecture Design Considerations

Secure WAN Communication with GETVPN

    DMVPN Over Internet Deployment

    Summary


WAN Architecture Design Considerations

    Borderless Network Architecture


    High Performance WAN Headend


[Figure: high performance WAN headend. Layers: Data Centre/Campus, WAN Services/Distribution and WAN Edge. The WAN edge connects to MPLS A, MPLS B and the Internet; WAAS service, key server and VPN termination sit at the WAN services/distribution layer in front of the campus/data centre.]

Remote Branch Transport & Redundancy Options


[Figure: remote branch transport options (MPLS WAN, MPLS + Internet WAN, Internet WAN), each shown non-redundant, with redundant links, and with redundant links and routers.]

    Routing Topology at Hub Location


[Figure: routing topology at the hub. Campus/Data Centre runs EIGRP AS 100; the WAN edge peers eBGP with MPLS A and MPLS B, runs iBGP between the CE routers and EIGRP AS 200 towards DMVPN/Internet; summaries plus default (10.5.0.0/16, 0.0.0.0/0) are shown at the WAN edge.]


WAN Connection Methods Compared

All: No static routes, no FHRPs

[Figure: three ways of connecting the WAN edge to the core/distribution: routed links to a single core/distribution switch, routed links to two core/distribution switches, and a port-channel for H/A into a single logical control plane (recommended).]

Optimise Convergence and Redundancy — Multichassis EtherChannel


[Figure: WAN edge dual-homed to a VSS / 3750 stack with a multichassis EtherChannel (channel member removed on failure) versus dual Layer 3 point-to-point links (IGP recalculation on failure).]

Multichassis EtherChannel (VSS / 3750 stacks):

Provides link redundancy and reduces peering complexity

Tune the L3/L4 load-balancing hash to achieve maximum utilisation

No L3 reconvergence required when a member link fails

No individual flow can go faster than the speed of an individual member of the link

Layer 3 point-to-point links:

Link redundancy achieved through redundant L3 paths

Flow-based load-balancing through CEF forwarding across …

Routing protocol reconvergence when an uplink fails

Convergence time may depend on the routing protocol used and the number of routing entries

    Best Practice — Summarise at Service Distribution


interface Port-channel1
 description Interface to MPLS-A-CE
 no switchport
 ip address 10.4.128.1 255.255.255.252
 ip pim sparse-mode
 ip summary-address eigrp 100 10.5.0.0 255.255.0.0


It is important to force summarisation at the distribution towards the WAN edge and towards the campus & data centre

Summarisation limits the number of peers an EIGRP router must query (minimising SIA) or the number of LSAs an OSPF peer must process

[Figure: dual MPLS hub (MPLS A, MPLS B) and Campus/Data Centre; the distribution advertises summaries and a default (10.5.0.0/16, 0.0.0.0/0) in one direction and the 10.5.0.0/16 summary in the other.]

    Dual MPLS Carrier Hub


Run iBGP between the CE routers

Prefixes from carrier A will be advertised to carrier B and vice versa

Allows the preservation of AS path length so remote sites can choose the best path to the destination

Using an IGP (OSPF/EIGRP) for prefix re-advertisement would result in equal-cost paths at the remote site

    Use iBGP to Retain AS Path Information

bn-br200-3945-1# sh ip bgp 10.5.128.0/21
BGP routing table entry for 10.5.128.0/21, version 71
Paths: (2 available, best #2, table default, RIB-failure(17))
  Not advertised to any peer
  65401 65401 65402 65402, (aggregated by 65511 10.5.128.254)
    10.4.142.26 from 10.4.142.26 (192.168.100.3)
      Origin IGP, localpref 100, valid, external, atomic-aggregate
  65402 65402, (aggregated by 65511 10.5.128.254)
    10.4.143.26 (metric 51456) from 10.5.0.10 (10.5.0.253)
      Origin IGP, metric 0, localpref 100, valid, internal, atomic-aggregate, best

[Figure: CE routers A and B, attached to MPLS A and MPLS B respectively, with iBGP between them; the prefix 10.5.128.0/21 is reachable via both carriers.]

Best Practice - Implement AS-Path Filter
Prevent Branch Site Becoming Transit Network


Dual-carrier sites can unintentionally become a transit network during a network failure event, causing congestion due to transit traffic

Design the network so that the transit path between the two carriers only occurs at sites with enough bandwidth

Implement an AS-path filter to allow only locally originated routes to be advertised in outbound updates at branches that should not be transit


router bgp 65511
 neighbor 10.4.142.26 route-map NO-TRANSIT-AS out
!
ip as-path access-list 10 permit ^$
!
route-map NO-TRANSIT-AS permit 10
 match as-path 10

[Figure: branch CE routers A and B, each attached to MPLS A / MPLS B with iBGP between them; the filter stops routes learned from one carrier being re-advertised to the other, so the branch does not become a transit path towards the campus.]
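Applying the NO-TRANSIT-AS filter above, as an added example that is not part of the deck: the ^$ as-path access-list, the branch AS 65511 and the carrier AS numbers 65401/65402 are from the slides, while the branch BGP table it is run against is constructed.

```python
"""Outbound AS-path filter NO-TRANSIT-AS from the slide, applied to a branch BGP table.

Added example, not from the deck: the ^$ as-path access-list, the branch AS 65511 and the
carrier AS numbers 65401/65402 are from the slides; the BGP table entries are constructed.
"""
import re

LOCAL_AS = 65511

# Constructed BGP table of branch CE router A: prefix -> AS_PATH as learned.
# An empty AS_PATH means the route was originated locally (network / aggregate-address).
BGP_TABLE = {
    "10.5.128.0/21": [],                               # the branch's own aggregate
    "10.5.130.0/24": [],                               # a branch LAN, locally originated
    "10.4.0.0/16":   [65401, 65401],                   # campus, learned from carrier A
    "10.5.48.0/21":  [65401, 65401, 65402, 65402],     # another branch, via carrier A then B
}

# ip as-path access-list 10 permit ^$   -> only an empty AS_PATH matches
NO_TRANSIT_ACL = [("permit", re.compile(r"^$"))]
# Baseline with no filter attached (everything in the table is advertised)
PERMIT_ANY_ACL = [("permit", re.compile(r".*"))]


def as_path_text(path):
    """AS_PATH as the regex sees it: ASNs separated by spaces, empty when locally originated."""
    return " ".join(str(asn) for asn in path)


def as_path_acl_permits(acl, path):
    """First matching entry wins; an as-path access-list ends with an implicit deny."""
    text = as_path_text(path)
    for action, regex in acl:
        if regex.search(text):
            return action == "permit"
    return False


def outbound_update(table, acl, local_as=LOCAL_AS):
    """Prefixes that pass the route-map on the way to the carrier PE, with the local AS
    prepended as the eBGP neighbour would receive them."""
    return {prefix: [local_as] + path
            for prefix, path in table.items() if as_path_acl_permits(acl, path)}


def transit_prefixes(table, acl):
    """Prefixes learned from one carrier that this branch would hand to the other carrier,
    i.e. the routes that make the branch a potential transit path."""
    return sorted(p for p, path in outbound_update(table, acl).items() if len(path) > 1)


if __name__ == "__main__":
    print("advertised with filter:", outbound_update(BGP_TABLE, NO_TRANSIT_ACL))
    print("transit without filter:", transit_prefixes(BGP_TABLE, PERMIT_ANY_ACL))
```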

MPLS + Internet WAN
Prefer the MPLS Path over Internet


eBGP routes are redistributed into EIGRP 100 as external routes with the default admin distance of 170

Running the same EIGRP AS for both the campus and the DMVPN network would result in the Internet path being preferred over the MPLS path

Multiple EIGRP AS processes can be used to provide control of the routing

EIGRP 100 is used at the campus location; EIGRP 200 over the DMVPN tunnels

Routes from EIGRP 200 redistributed into EIGRP 100 appear as external routes (distance = 170)

Routes from both WAN sources are then equal-cost paths. To prefer the MPLS path over DMVPN, use EIGRP delay to modify path preference


[Figure: campus (EIGRP AS 100) with an MPLS A path (eBGP via CE 10.4.128.2) and an Internet/DMVPN path, both running EIGRP AS 100, to branch prefix 10.5.48.0/21.]

MPLS + Internet WAN
Use Autonomous System for Path Differentiation



[Figure: campus (EIGRP AS 100) with MPLS A via eBGP from CE 10.4.128.2 and Internet/DMVPN running EIGRP AS 200; branch prefix 10.5.48.0/21 appears in the campus as D EX 10.5.48.0/21 [170/28416] via 10.4.128.2.]

MPLS CE router#
router eigrp 100
 default-metric 1000000 10 255 1 1500

BGP Weight Metric Issue
Router prefers IGP over eBGP


Dual MPLS VPN networks providing primary and secondary connectivity between locations

eBGP peering with the MPLS VPN providers

The preferred path to the remote location is learned via BGP, with the backup path learned via the IGP


[Figure: campus routers R1 and R2 attached to MPLS A (eBGP) and MPLS B (IGP); the remote prefix 10.4.160.0/24 is reachable over both.]

Path Selection
Admin Dist [170] is better than [20]?


[Figure: R1 (MPLS A, eBGP) and R2 (MPLS B, IGP) at the campus; for 10.4.160.0/24, R1 holds D EX 10.4.160.0/24 [170/3584] rather than B 10.4.160.0/24 [20/0].]

R1# show ip route
B    10.4.144.0/24 [20/0] via 10.4.142.2, 01:30:06
B    10.4.145.0/24 [20/0] via 10.4.142.2, 01:30:06
D EX 10.4.160.0/24 [170/3584] via 10.4.128.9, 00:30:06

    BGP Route Selection Criteria


    BGP Prefers Path with:

    1. Highest Weight

    2. Highest Local PREF

    3. Locally originated via network or aggregate BGP

    4. Shortest AS_PATH

5. Lowest Origin type (IGP > EGP > INCOMPLETE)

    6. Lowest MED

    7. eBGP over iBGP paths

    8. Lowest IGP metric to BGP next hop

BGP Prefers Path with Highest Weight


ASR1004-1#show ip bgp 10.4.160.0 255.255.255.0
BGP routing table entry for 10.4.160.0/24, version 22
Paths: (3 available, best #3, table default)
  Advertised to update-groups:
     4          5
  65401 65401
    10.4.142.2 from 10.4.142.2 (192.168.100.3)
      Origin IGP, localpref 200, valid, external
  Local
    10.4.128.1 from 0.0.0.0 (10.4.142.1)
      Origin incomplete, metric 26883072, localpref 100, weight 32768, valid, source

    Routes redistributed into BGP are considered locallyoriginated and get a default weight of 32768

    The eBGP learned prefix has default weight of 0

Path with highest weight is selected

Prefer the eBGP Path over IGP
Set the eBGP weight > 32768


ASR1004-1#show ip bgp 10.4.160.0 255.255.255.0
BGP routing table entry for 10.4.160.0/24, version 22
Paths: (1 available, best #1, table default)
  Not advertised to any peer
  65401 65401
    10.4.142.2 from 10.4.142.2 (192.168.100.3)
      Origin IGP, metric 0, localpref 100, weight 35000, valid, external, best

To resolve this issue, set the weight on routes learned via the eBGP peer higher than 32768:

neighbor 10.4.142.2 weight 35000


ASR1004-1#show ip route
....
B    10.4.160.0/24 [20/0] via 10.4.142.2, 05:00:06
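The best-path criteria and the weight fix above, as an added example that is not part of the deck: the attribute values are read from the ASR1004-1 show ip bgp output and the neighbor weight command on the slide, while the dataclass and the RIB logic are constructed to show why the EIGRP external route stayed installed.

```python
"""Cisco BGP best-path selection (the first eight criteria listed on the slide) applied
to the two paths for 10.4.160.0/24 in the ASR1004-1 show output.

Added example, not from the deck: attribute values are read from the show ip bgp output;
the AS path "65401 65401" and the redistribution source are from the slide, the
dataclass and RIB logic are constructed to illustrate why the IGP route stayed installed.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # lower is preferred


@dataclass(frozen=True)
class Path:
    next_hop: str
    from_peer: str            # "0.0.0.0" for locally sourced (redistributed) paths
    as_path: Tuple[int, ...]
    origin: str
    local_pref: int = 100
    weight: int = 0
    med: int = 0
    source: str = "external"  # "external" (eBGP), "internal" (iBGP) or "local"
    igp_metric: int = 0       # IGP metric to the BGP next hop


def preference_key(p: Path):
    """Tuple ordered so that the smallest key is the best path (criteria 1-8)."""
    return (
        -p.weight,                                   # 1. highest weight
        -p.local_pref,                               # 2. highest local preference
        0 if p.source == "local" else 1,             # 3. locally originated
        len(p.as_path),                              # 4. shortest AS_PATH
        ORIGIN_RANK[p.origin],                       # 5. lowest origin type
        p.med,                                       # 6. lowest MED
        0 if p.source == "external" else 1,          # 7. eBGP over iBGP
        p.igp_metric,                                # 8. lowest IGP metric to next hop
    )


def best_path(paths: List[Path]) -> Path:
    return min(paths, key=preference_key)


def installed_route(paths: List[Path]) -> Tuple[str, int]:
    """What the RIB ends up with: an eBGP best path installs as 'B' (AD 20); a best path
    that is itself the redistributed IGP route leaves the EIGRP external route (AD 170)."""
    best = best_path(paths)
    if best.source == "local":
        return ("D EX", 170)
    return ("B", 20) if best.source == "external" else ("B", 200)


def apply_neighbor_weight(paths, neighbor, weight):
    """Effect of 'neighbor <ip> weight <w>': every path learned from that peer gets it."""
    return [replace(p, weight=weight) if p.from_peer == neighbor else p for p in paths]


# Paths for 10.4.160.0/24 as shown on ASR1004-1 before the fix.
PATHS = [
    Path("10.4.142.2", "10.4.142.2", (65401, 65401), "igp", local_pref=200, weight=0),
    Path("10.4.128.1", "0.0.0.0", (), "incomplete", local_pref=100, weight=32768,
         med=26883072, source="local"),
]

if __name__ == "__main__":
    print("before:", best_path(PATHS).next_hop, installed_route(PATHS))
    fixed = apply_neighbor_weight(PATHS, "10.4.142.2", 35000)
    print("after :", best_path(fixed).next_hop, installed_route(fixed))
```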

    Agenda


    WAN Technologies & Solutions

WAN Transport Technologies

WAN Overlay Technologies

    WAN Optimisation

    Wide Area Network Quality of Service

    WAN Architecture Design Considerations

    Secure WAN Communication with GETVPN

    DMVPN Over Internet Deployment

    Summary


Securing WAN Communication
GET VPN

GETVPN Topology


[Figure: GETVPN topology: cooperative (COOP) key servers behind the WAN aggregation switches; group members (GM) at the remote sites across MPLS A and MPLS B.]

Best Practice - High Availability with Cooperative Key Servers


Cooperative Key Servers

Two or more KSs, known as COOP KSs, manage a common set of keys and security policies for the GETVPN group members

Group members can register to any one of the available KSs

Cooperative KSs periodically exchange and synchronise the group's database, policy and keys

The primary KS is responsible for generating and distributing the group keys

[Figure: cooperative key servers KS1 and KS2 across the IP network, with GM 1 to GM 4 on subnets 1 to 4.]

Transition from Clear-text to GETVPN
Receive-Only Method


Goal

Incrementally deploy the infrastructure without encryption

Immediate transition to encryption, controlled by the KS

Method

Deploy the KS with receive-only SAs (don't encrypt, allow decryption)

Deploy GMs throughout the infrastructure and monitor the rekey processes

Transition the KS to normal SAs (encrypt, decrypt)

Assessment

Pro: Simple transition to network-wide encryption

Con: Correct policies are imperative

Con: Encryption is deferred until all CEs are capable of GM functions

[Figure: two stages of the KS policy for group members on 10.1.4.0/24, 10.1.5.0/24, 10.1.6.0/24 and 10.1.7.0/24. The entry permit ip 10.1.4.0 0.0.1.255 10.1.4.0 0.0.1.255 covers only 10.1.4.0/24 and 10.1.5.0/24; permit ip 10.1.4.0 0.0.3.255 10.1.4.0 0.0.3.255 covers all four, giving every GET group member a secured interface.]
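The "correct policies imperative" point above, as an added check that is not part of the deck: the two permit entries and the four group-member subnets are from the slide's figure, while the ACL parser and the coverage check are constructed, modelling the policy as first-match with an implicit deny (unmatched traffic stays clear-text).

```python
"""Check which group-member subnet pairs a GETVPN key-server policy ACL would encrypt.

Added example, not from the deck: the two 'permit ip' policy lines and the four
10.1.4.0/24-10.1.7.0/24 subnets are from the slide's figure; the ACL parser and
coverage check are constructed, and the policy is modelled as first-match with an
implicit deny (traffic not matched stays clear-text). Only contiguous wildcards are handled.
"""
import ipaddress
from itertools import permutations

GM_SUBNETS = ["10.1.4.0/24", "10.1.5.0/24", "10.1.6.0/24", "10.1.7.0/24"]

NARROW_POLICY = ["permit ip 10.1.4.0 0.0.1.255 10.1.4.0 0.0.1.255"]   # 10.1.4.0/23 only
WIDE_POLICY = ["permit ip 10.1.4.0 0.0.3.255 10.1.4.0 0.0.3.255"]     # 10.1.4.0/22, all four


def wildcard_to_network(address, wildcard):
    """IOS address/wildcard pair to a network; wildcard bits that are set are 'don't care'."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{address}/{ipaddress.IPv4Address(mask)}", strict=False)


def parse_policy(lines):
    """Parse 'permit|deny ip SRC WC DST WC' entries into (action, src_net, dst_net)."""
    entries = []
    for line in lines:
        action, proto, src, src_wc, dst, dst_wc = line.split()
        if proto != "ip":
            raise ValueError("only 'ip' entries are modelled here")
        entries.append((action, wildcard_to_network(src, src_wc),
                        wildcard_to_network(dst, dst_wc)))
    return entries


def policy_action(entries, src_net, dst_net):
    """First entry covering the whole src/dst pair decides; no match means clear-text."""
    for action, s, d in entries:
        if src_net.subnet_of(s) and dst_net.subnet_of(d):
            return action
    return "deny"


def unencrypted_pairs(policy_lines, subnets):
    """Ordered (src, dst) subnet pairs the key server policy would leave unencrypted."""
    entries = parse_policy(policy_lines)
    nets = [ipaddress.IPv4Network(s) for s in subnets]
    return [(str(a), str(b)) for a, b in permutations(nets, 2)
            if policy_action(entries, a, b) != "permit"]


if __name__ == "__main__":
    for name, policy in (("narrow", NARROW_POLICY), ("wide", WIDE_POLICY)):
        print(name, "leaves clear-text:", unencrypted_pairs(policy, GM_SUBNETS))
```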


    crypto map svn 10 gdoi


crypto gdoi group secure-wan
 identity number 3333


    WAN Technologies & Solutions

    WAN Transport Technologies

    WAN Overlay Technologies

    WAN Optimisation

    Wide Area Network Quality of Service

    WAN Architecture Design Considerations

    Secure WAN Communication with GETVPN

    DMVPN Over Internet Deployment

    Summary


DMVPN over Internet Deployment

DMVPN Deployment over Internet
Multiple Default Routes for VPN Headend


The VPN headend has a default route to the ASA firewall's VPN-DMZ interface to reach the Internet

Remote site policy requires centralised Internet access

Enable EIGRP between the VPN headend & campus core to propagate the default to remote sites

The static default (admin dist = 0) remains active; VPN-DMZ is the wrong firewall interface for user traffic

Adjust the admin distance so the EIGRP route (to the core) is installed: the VPN tunnel drops

[Figure: VPN headend with default routes towards the firewall's VPN-DMZ, INSIDE and OUTSIDE interfaces and the Internet.]

    DMVPN Deployment over Internet


Enable FVRF with DMVPN to separate out the two default routes

The RED VRF contains the default route to the VPN-DMZ interface needed for tunnel establishment

A second default route exists in the global routing table, used by user data traffic to reach the Internet

To prevent split tunnelling, the default route is advertised to spokes via the tunnel

The spoke's tunnel drops because the second default route conflicts with the one learned from the ISP

[Figure: headend with the VPN-DMZ default and the EIGRP-learned default via the firewall INSIDE/OUTSIDE interfaces; the spoke receives a default over the tunnel in addition to the ISP default.]

Best Practice – VRF-aware DMVPN
Keeping the Default Routes in Separate VRFs

    No Split Tunnelling at Branch location


Enable FVRF DMVPN on the spokes

Allow the ISP-learned default route in the RED VRF, used for tunnel establishment

The global VRF contains the default route learned via the tunnel; user data traffic follows the tunnel to the INSIDE interface on the firewall

Allows a consistent implementation of the corporate security policy for all users


[Figure: spoke with the ISP default in the RED VRF and the EIGRP default learned via the tunnel in the global table; user traffic reaches the Internet through the firewall's VPN-DMZ, INSIDE and OUTSIDE interfaces.]

DMVPN and FVRF
Dual Default Routes — Packet Flow


Based on the incoming interface, the IPsec packet is directly associated with the VRF

After decryption the GRE packet is assigned to the GRE tunnel in the VRF

GRE-decapsulated clear-text packets are forwarded using the global routing table

Two routing tables: one global (default) routing table and a separate routing table for the VRF

[Figure: GRE+IPsec from the Internet arrives on the IPsec interface in VRF-RED (default route in VRF-RED); the mGRE tunnel interface decapsulates it and the clear-text packets are forwarded using the global routing table (default route in the global table).]

DMVPN and FVRF
Dual Default Routes — Show IP Route Outputs


[Figure: same packet flow as above: GRE+IPsec from the Internet arrives on the IPsec interface in VRF-RED, the mGRE tunnel interface decapsulates it, and clear-text packets are forwarded using the global routing table.]

bn-vpn-7206-1#sh ip route
Gateway of last resort is 10.4.128.17 to network 0.0.0.0
D*EX 0.0.0.0/0 [170/3328] via 10.4.128.17, 2d22h, Port-channel3
....

bn-vpn-7206-1#sh ip route vrf RED
Gateway of last resort is 10.4.128.35 to network 0.0.0.0
S*   0.0.0.0/0 [1/0] via 10.4.128.35
....

DMVPN and FVRF
Configuration Example


[Figure: same packet flow as above: GRE+IPsec from the Internet arrives on the IPsec interface in VRF-RED, the mGRE tunnel interface decapsulates it, and clear-text packets are forwarded using the global routing table.]

ip vrf RED
 rd 65512:1
!
crypto keyring DMVPN-KEYRING vrf RED
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp keepalive 30 5
!
crypto isakmp profile FVRF-ISAKMP-RED
 keyring DMVPN-KEYRING
 match identity address 0.0.0.0 RED
!
interface GigabitEthernet0/1
 ip vrf forwarding RED
 ip address dhcp
!
interface Tunnel10
 ip address 10.4.132.201 255.255.254.0
 ….
 tunnel mode gre multipoint
 tunnel vrf RED
 tunnel protection ipsec profile DMVPN-PROFILE
!
router eigrp 200
 network 10.4.132.0 0.0.0.255
 network 10.4.163.0 0.0.0.127
 eigrp router-id 10.4.132.201

    Best Practices — Enable Dead Peer Detection (DPD)

    Informational RFC 3706


Dead Peer Detection (DPD) is a mechanism for detecting unreachable IKE peers

Each peer's DPD state is independent of the others

Without DPD, spoke routers will continue to encrypt traffic using the old SPI, which would be dropped at the hub. It may take up to 60 minutes for spokes to reconverge

Use ISAKMP keepalives on spokes: crypto isakmp keepalive

ISAKMP invalid-SPI-recovery is not useful with DMVPN

The ISAKMP keepalive timeout should be greater than the routing protocol hellos

Not recommended for hub routers: it may cause an increase in CPU overhead with a large number of peers

[Figure: hub vpn-7206-1 with tun10 towards the Internet.]

DMVPN Internet Deployment
Dynamic IP Address Assignment on the Spoke


Spokes receive dynamic address assignment from the ISP

A spoke reboots and receives a new IP address from the ISP; the VPN session is established but no traffic passes

The following error message appears on the spoke

The hub router (NHS) rejects registration attempts for the same private address that use a different NBMA address

To resolve this issue, configure the following command on the spoke routers: ip nhrp registration no-unique

[Figure: spokes br201-2911 and br202-2911 (tun0) across the Internet to hub vpn-7206-1 (tun10).]

"%NHRP-3-PAKREPLY: Receive Registration Reply packet with error - unique address registered already(14)"
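The NHS registration check behind the error above, as an added model that is not part of the deck: the error text and the no-unique command are from the slide, while the hub cache, the spoke addresses and the registration logic are constructed.

```python
"""Model of the NHS registration check behind the %NHRP-3-PAKREPLY error above.

Added example, not from the deck: the error text and the no-unique command are from the
slide; the hub cache, spoke addresses and the registration logic are constructed to show
why a re-addressed spoke is refused and what 'ip nhrp registration no-unique' changes.
"""
from dataclasses import dataclass

UNIQUE_ERROR = "unique address registered already(14)"   # NHRP error code 14


@dataclass
class CacheEntry:
    nbma: str        # public (NBMA) address the spoke registered from
    unique: bool     # "unique" flag carried in the spoke's registration request


class NhsCache:
    """Hub (next-hop server) NHRP cache keyed by the spoke's tunnel (private) address."""

    def __init__(self):
        self.entries = {}

    def register(self, tunnel_ip, nbma_ip, unique=True):
        """Process a Registration Request. Returns (accepted, reply_text)."""
        current = self.entries.get(tunnel_ip)
        if current and current.unique and current.nbma != nbma_ip:
            # An earlier registration asked for uniqueness and is still in the cache:
            # a different NBMA address for the same tunnel IP is refused until it expires.
            return False, UNIQUE_ERROR
        self.entries[tunnel_ip] = CacheEntry(nbma_ip, unique)
        return True, "registered"

    def expire(self, tunnel_ip):
        """Hold-time expiry of a stale mapping (the spoke is unreachable meanwhile)."""
        self.entries.pop(tunnel_ip, None)


def reboot_with_new_isp_address(no_unique):
    """Constructed scenario: spoke 10.4.132.10 registers from 203.0.113.5, reboots and
    returns from 198.51.100.7. With the default (unique) flag the hub rejects the second
    registration; with 'ip nhrp registration no-unique' the spoke clears the flag."""
    hub = NhsCache()
    hub.register("10.4.132.10", "203.0.113.5", unique=not no_unique)
    # ... spoke reboots with a new ISP address; the hub still holds the old mapping ...
    accepted, reply = hub.register("10.4.132.10", "198.51.100.7", unique=not no_unique)
    return accepted, reply, hub.entries["10.4.132.10"].nbma


if __name__ == "__main__":
    print("default:  ", reboot_with_new_isp_address(no_unique=False))
    print("no-unique:", reboot_with_new_isp_address(no_unique=True))
```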

    Best Practices — Avoid Fragmentation with IPSec VPN


IP fragmentation causes CPU and memory overhead, resulting in lower throughput

When one fragment of a datagram is dropped, the entire original IP datagram has to be resent

Use 'mode transport' on the transform-set: NHRP needs it for NAT support, and it saves 20 bytes

Avoid MTU issues with the following best practices:

ip mtu 1400
ip tcp adjust-mss 1360

[Figure: spoke and hub interfaces at MTU 1500 with the GRE+IPsec tunnel at MTU 1400.]

Tunnel Setting (AES256+SHA)     Minimum MTU   Recommended MTU
GRE/IPSec (Tunnel Mode)         1414 bytes    1400 bytes
GRE/IPSec (Transport Mode)      1434 bytes    1400 bytes
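Where the table's minimum MTUs come from, as an added derivation that is not part of the deck: the overhead figures are the standard ESP, GRE and IP header sizes for AES-CBC with HMAC-SHA-1-96, and the function reproduces the 1414 and 1434 byte values and the ip mtu 1400 / ip tcp adjust-mss 1360 recommendation.

```python
"""Largest tunnel IP MTU that keeps a GRE/IPsec (ESP, AES-256 + SHA-1 HMAC) packet
within a 1500-byte physical MTU, for tunnel and transport mode.

Added example, not from the deck: the overhead figures are standard ESP/GRE header sizes;
the function reproduces the 1414 / 1434 byte minimum MTUs from the slide's table and the
ip mtu 1400 / ip tcp adjust-mss 1360 recommendation.
"""
OUTER_IP = 20      # IP header carrying the ESP packet
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1); padding is added before it
GRE_HEADER = 4     # basic GRE header, no key or sequence number
AES_BLOCK = 16     # AES-CBC: IV length and padding boundary
SHA1_ICV = 12      # HMAC-SHA-1-96 integrity check value
IP_TCP_HEADERS = 40


def esp_packet_size(inner_len, mode, iv=AES_BLOCK, block=AES_BLOCK, icv=SHA1_ICV):
    """Wire size of a GRE-encapsulated inner packet of inner_len bytes after ESP.
    In tunnel mode the GRE packet's own IP header (20 bytes) is encrypted as well;
    in transport mode it is reused as the outer header, which is the 20-byte saving."""
    encrypted = GRE_HEADER + inner_len + ESP_TRAILER
    if mode == "tunnel":
        encrypted += 20
    pad = (-encrypted) % block                      # CBC padding to the block boundary
    return OUTER_IP + ESP_HEADER + iv + encrypted + pad + icv


def max_tunnel_mtu(physical_mtu=1500, mode="tunnel"):
    """Largest inner IP packet that never needs fragmentation on the physical link."""
    inner = physical_mtu
    while esp_packet_size(inner, mode) > physical_mtu:
        inner -= 1
    return inner


def recommended_mss(ip_mtu):
    """TCP MSS that fits the tunnel MTU: subtract the IP and TCP headers."""
    return ip_mtu - IP_TCP_HEADERS


def needs_fragmentation(inner_len, mode, physical_mtu=1500):
    return esp_packet_size(inner_len, mode) > physical_mtu


if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        print(f"GRE/IPsec ({mode} mode): minimum MTU {max_tunnel_mtu(1500, mode)} bytes")
    print("ip mtu 1400 -> ip tcp adjust-mss", recommended_mss(1400))
```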

Best Practices — Multicast over DMVPN

By default the router uses the OIL to correlate multicast group joins to an interface

This causes problems when the hub is connected to multiple spokes over an NBMA network

Any spoke that leaves a multicast group would cause all the spokes to be pruned off the multicast group

Enable PIM NBMA mode under the tunnel interface on hubs and spokes:

ip pim nbma-mode

Allows the router to track multicast joins based on IP address instead of interface

Applies only to PIM sparse-mode

The router treats the NBMA network as a collection of point-to-point circuits, allowing remote sites to be pruned off traffic flows

[Figure: multicast from hub vpn-7206-1 (tun10) across the Internet to spoke br201-2911 and a second spoke, with a receiver behind each.]
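The prune behaviour above with and without ip pim nbma-mode, as an added model that is not part of the deck: the spoke names are from the figure, while the outgoing interface list model and the spoke tunnel addresses are constructed.

```python
"""Hub multicast forwarding state for one (*,G) over an mGRE tunnel, with and without
'ip pim nbma-mode'.

Added example, not from the deck: the spoke names come from the slide's figure; the
outgoing interface list (OIL) model and the spoke tunnel addresses are constructed to
show why one spoke's prune empties the tunnel interface in the default mode but removes
only that spoke's entry in NBMA mode.
"""


class TunnelOIL:
    """Outgoing interface list of a hub (*,G) entry for the DMVPN tunnel interface."""

    def __init__(self, nbma_mode):
        self.nbma_mode = nbma_mode
        self.members = set()        # NBMA mode: joined spokes tracked by tunnel IP address
        self.iface_joined = False   # default mode: the whole interface is in or out

    def join(self, spoke_ip):
        """PIM Join received over the tunnel from spoke_ip."""
        if self.nbma_mode:
            self.members.add(spoke_ip)
        else:
            self.iface_joined = True

    def prune(self, spoke_ip):
        """PIM Prune received over the tunnel from spoke_ip. On a true multi-access LAN
        other routers would see the prune and override it with a join; on the NBMA
        tunnel the spokes do not hear each other, so the interface is simply pruned."""
        if self.nbma_mode:
            self.members.discard(spoke_ip)
        else:
            self.iface_joined = False   # the tunnel interface leaves the OIL as a whole

    def forwards_to(self, spoke_ip):
        if self.nbma_mode:
            return spoke_ip in self.members
        return self.iface_joined


def receivers_after_one_leave(nbma_mode):
    """Constructed scenario: br201 and br202 join, a receiver behind br201 leaves
    (IGMP Leave), and br201 sends a PIM Prune. Returns the spokes still receiving."""
    oil = TunnelOIL(nbma_mode)
    spokes = {"br201-2911": "10.4.132.201", "br202-2911": "10.4.132.202"}
    for ip in spokes.values():
        oil.join(ip)
    oil.prune(spokes["br201-2911"])
    return sorted(name for name, ip in spokes.items() if oil.forwards_to(ip))


if __name__ == "__main__":
    print("default mode:", receivers_after_one_leave(nbma_mode=False))
    print("nbma-mode:   ", receivers_after_one_leave(nbma_mode=True))
```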


[Figure: a receiver behind spoke br201-2911 sends an IGMP Leave; the spoke sends a PIM Prune over tun10 to hub vpn-7206-1, which sends a Prune towards the RP, cutting off the remaining receiver.]

Deploying WCCP with DMVPN Phase 3


In DMVPN deployments with WCCP, WCCP interception is configured on the tunnels

Any packet travelling from spoke to spoke, on reaching the tunnel, is intercepted by WCCP and sent to the WAE

This breaks the NHRP condition to send the redirect

No dynamic tunnels are established

[Figure: hub with WCCP service group 62 intercepting on the tunnel towards the Internet.]

Deploying WCCP with DMVPN Phase 3


Remove the WCCP interception from the tunnel interface on the hub and configure it on its LAN interface:

ip wccp 62 redirect out

Initial spoke-to-spoke traffic hairpins through the hub without being intercepted by WCCP

The hub creates an NHRP redirect message to the spoke, allowing dynamic spoke-to-spoke tunnel setup

[Figure: hub with WCCP service group 62 redirecting on the LAN interface, tunnels towards the Internet.]

    Agenda


    WAN Technologies & Solutions

    WAN Transport Technologies

    WAN Overlay Technologies

    WAN Optimisation

    Wide Area Network Quality of Service

    WAN Architecture Design Considerations

    Secure WAN Communication with GETVPN

    DMVPN Over Internet Deployment

    Summary


    Summary

    Key Takeaways


Understand how WAN characteristics can affect your applications: bandwidth, latency, loss

Dual carrier designs can provide resiliency but have unique considerations

A QoS-enabled, highly-available network infrastructure is the foundation layer of the WAN architecture

Encryption is a foundation component of all WAN designs and can be deployed transparently

Understand how to apply WCCPv2 in the branch network to enable WAN optimisation appliances.


    Q & A

Complete Your Online Session Evaluation


Complete your session evaluation:

Directly from your mobile device by visiting www.ciscoliveaustralia.com/mobile and logging in by entering your username and password

Visit one of the Cisco Live internet stations located throughout the venue

Open a browser on your own computer to access the Cisco Live onsite portal

Don't forget to activate your Virtual account for access to materials, communities and live activities throughout … your account at any int… www.ciscolivevirtual.com

http://www.ciscoliveaustralia.com/mobile
http://www.ciscolivevirtual.com/
