Upload
cisco
View
14.733
Download
11
Tags:
Embed Size (px)
DESCRIPTION
This session features the Borderless Network Architecture with a focus on WAN design and best practices. The Borderless Network architecture offers an end-to-end design approach for Midsize and Enterprise organizations with key areas of focus including resilient IP forwarding, QoS, mobility, security, and turnkey enablement of voice and rich media services. The cornerstones of the BN design approach are real-world use cases, prescriptive design guidance, and modular architectural components. This session will include the specific design considerations and details of the tested topologies. The Borderless Network WAN session includes a detailed discussion of the head-end WAN edge and remote site design options for up to 500 remote locations. These options include the use of layer 2 and layer 3 WAN transport models, usage of single and dual WAN links, as well as single/dual router edge topologies. Additionally, Internet VPN as both a backup and primary transport option is discussed. Design guidance will include IP addressing and routing protocol best practices, QoS for the WAN edge, IP multicast enablement, and interconnection/interoperabilty with other Borderless Network design blocks (LAN, Internet Edge) as well as access to the Data Center. Other key WAN technologies which are integral to the design are DMVPN and GETVPN for data privacy as well as Wide Area Application Services (WAAS) and WCCP for bandwidth optimization. The design also includes models for both centralized and distributed remote site wireless providing mobility for both internal users and guest access.
Citation preview
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 2
Cisco Live & Networkers VirtualSpecial Offer – Save $100Cisco Live has a well deserved reputation as one the industry’s best educational values. With hundreds of sessions spanning foureducational programs — Networkers, Developer Networker, Service Provider, IT Management, you can build a custom curriculum that can make you a more valuable asset to your workplace and advance your career goals. Cisco Live and Networkers Virtual immerses you in all facets of Cisco Live, from participating in live keynotes and Super Sessions events to accessing session content to networking with your peers.Visit www.ciscolivevirtual.com and register for Cisco Live and Networkers Virtual. To get $100 USD off the Premier pass, which provides access to hundreds of technical sessions, enter “slideshareFY11”.
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 3
Agenda� WAN Technologies & Solutions
WAN Transport TechnologiesWAN Overlay TechnologiesWAN OptimizationWide Area Network Quality of Service
� WAN Architecture Design ConsiderationsSecure WAN Communication with GETVPNInternet Backup Connectivity with DMVPNWCCP Implementation Consideration
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 4
WAN Transport Technologies
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 5
Hierarchical Network Design
Core
Distribution
Access
Data Center/HQ
Regionalhub
SpokeSite 1
SpokeSite N
...
Regionalhub
SpokeSite 1’
SpokeSite N’
...
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 6
MPLS VPN Topology
� MPLS WAN is provided by a service provider� As seen by the enterprise network, every site is one IP “hop” away� Equivalent to a full mesh, or to a “hubless”hub-and-spoke
SpokeSite 1
SpokeSite 2
SpokeSite N
SpokeSite Y
SpokeSite X
SpokeSite 1
SpokeSite N
SpokeSite 2
SpokeSite X
Hub Site(The Network)
SpokeSite Y
Equivalent toSP-ProvidedMPLS IP WAN
Definition
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 7
MPLS VPN
Direct Layer 2 Adjacencies Only Between CE and PE Routers
Layer 3 (L3) Service
CE CEPE PE
local loop
VRFVRF
Global
VRF—Virtual Routing and Forwarding
! PE Router – Multiple VRFsip vrf bluerd 65100:10route-target import 65100:10route-target export 65100:10ip vrf yellowrd 65100:20route-target import 65100:20route-target export 65100:20!interface GigabitEthernet0/1.10ip vrf forwarding blueinterface GigabitEthernet0/1.20ip vrf forwarding yellow
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 8
MPLS VPN Design Trends� Single Carrier Designs:
Enterprise will home all sites into a single carrier to provide L3 MPLS VPN connectivity.Pro: Simpler design with consistent featuresCon: Bound to single carrier for feature velocityCon: Does not protect against MPLS cloud failure with Single Provider
� Dual Carrier Designs:Enterprise will single or dual home sites into one or both carriers to provide L3 MPLS VPN connectivity.Pro: Protects against MPLS service failure with Single ProviderPro: Potential business leverage for better competitive pricingCon: Increased design complexity due to Service Implementation Differences (e.g. QoS, BGP AS Topology)Con: Feature differences between providers could force customer to use least common denominator features.
� Variants of these designs and site connectivity:Encryption Overlay (e.g. IPSec, DMVPN, GET VPN, etc.)Sites with On-demand / Permanent backup links
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 9
Single Carrier Site Types (Non-Transit)
� Dual Homed Non TransitOnly advertise local prefixes (^$)Typically with Dual CE routersBGP design:
EBGP to carrierIBGP between CEs
Redistribute cloud learned routes into site IGP
� Single Homed Non TransitAdvertise local prefixes and optionally use default route.
CE1
C1
CE2
AS 64512C2
CE5
Site IGP
CE3 CE4
AS 64517
AS 200
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 10
Dual Carrier: Transit vs. Non Transit
C1
CE2
Prefix Z
AS 64512C2
CE5
Prefix X Prefix Y
Site IGP
CE3 CE4
AS 64517
Transit
AS 100 AS 200AS 64545
CE1
� To guarantee single homed site reachability to a dual homed site experiencing a failure, transit sites had to be elected. � Transit sites would act as a BGP bridge transiting routes between the two provider clouds.� To minimize latency costs of transits, transits need to be selected with geographic diversity (e.g. from the East, West and Central US.)
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 11
Single Provider Dual ProvidersPro: Common QoS support
model Pro: More fault domains
Pro: Only one vendor to “tune” Pro: More product offerings to business
Pro: Reduced head end circuits Pro: Ability to leverage vendors for better pricing
Pro: Overall simpler design Pro: Nice to have a second vendor option
Con: Carrier failure could be catastrophic
Con: Increased Bandwidth “Paying for bandwidth twice”
Con: Do not have another carrier “in your pocket”
Con: Increased overall design complexityCon: May be reduced to “common
denominator” between carriers
Resiliency Drivers vs. Simplicity
Single vs. Dual Carriers
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 12
WAN Overlay Technologies
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 13
Tunneling Technologies� IPSec—Encapsulating Security Payload (ESP)
Strong encryptionIP Unicast only
� Generic Routing Encapsulation (GRE)IP Unicast, Multicast, BroadcastMultiprotocol support
� Layer 2 Tunneling Protocol—Version 3 (L2TPv3)Layer 2 payloads (Ethernet, Serial,…)Pseudowire capable
Packet Encapsulation over IP
Tunnels
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 14
GRE Tunneling
Original IP header IP payloadGRE headerNew IP header20 bytes 20 bytes4 bytes
GRE packet with new IP header: protocol 47 (forwarded using new IP dst)
Original IP header IP payload20 bytes
Original IP datagram (before forwarding)
! Router A – GRE Exampleinterface Loopback 0ip address 192.168.1.1 255.255.255.255interface Tunnel0ip address 172.16.1.1 255.255.255.0encapsulation greip mtu 1476tunnel source Loopback0tunnel dest 192.168.2.2
! Router B – GRE Exampleinterface Loopback 0ip address 192.168.2.2 255.255.255.255
interface Tunnel0ip address 172.16.1.2 255.255.255.0encapsulation greip mtu 1476tunnel source Loopback0tunnel dest 192.168.1.1
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 15
IP HDREncrypted
ESP HDR
IP HDR
IP PayloadTunnel mode
Transport modeESP Trailer
ESP Auth
Authenticated
EncryptedAuthenticated
IPSec ESP
IP Payload
IP Payload
IP HDRESP HDRIP HDR ESP Trailer
ESP Auth
Transport and Tunnel Modes
20 bytes
30 bytes
54 bytes
2 bytes
2 bytes
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 16
VPN Technology
EzVPN Spoke
GET GMDMVPN Spoke
DMVPN Spoke
Data Center
Internet Edge
WAN Edge
GET GM GET GM
Positioning EzVPN, DMVPN, GETVPN
MPLS/Private Network
KSKS
GMGM
IPsec IPsec
Internet/Shared Network*
This Topic Is Covered in Detail in BRKSEC-2011
* Note: DMVPN Can Also Be Used on MPLS/Private Network
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 17
VPN Technology Comparison
EzVPN DMVPN GET VPNInfrastructure
Network� Public Internet Transport
� Private & Public Internet Transport
� Private IP Transport
Network Style � Hub-Spoke; (Client to Site)
� Hub-Spoke and Spoke-to-Spoke; (Site-to-Site)
� Any-to-Any; (Site-to-Site)
Routing � Reverse-route Injection
� Dynamic routing on tunnels
� Dynamic routing on IP WAN
Failover Redundancy
� Stateful Hub Crypto Failover
� Route Distribution Model
� Route Distribution Model + Stateful
Encryption Style � Peer-to-Peer Protection
� Peer-to-Peer Protection � Group Protection
IP Multicast � Multicast replication at hub
� Multicast replication at hub
� Multicast replication in IP WAN network
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 18
Dynamic Multipoint VPN� Provides full meshed connectivity with simple configuration of hub and spoke� Supports dynamically addressed spokes� Facilitates zero-touch configuration for addition of new spokes� Features automatic IPsec triggering for building an IPsec tunnel
Spoke n
Traditional Static TunnelsDMVPN Tunnels
Static Known IP AddressesDynamic Unknown IP Addresses
Hub
VPNSpoke 1
Spoke 2
Secure On-Demand Meshed Tunnels
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 19
Network Designs
Hub and spoke Spoke-to-spoke
Server Load Balancing Hierarchical
Spoke-to-hub tunnelsSpoke-to-spoke path
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 20
Dynamic Multipoint VPN (DMVPN)Operational Example
Spoke A192.168.1.1/24192.168.2.1/24
Physical: 172.17.0.1Tunnel0: 10.0.0.1
Spoke B
Physical: (dynamic)Tunnel0: 10.0.0.11
Physical: (dynamic)Tunnel0: 10.0.0.12
10.0.0.11 � 172.16.1.110.0.0.12 � 172.16.2.1192.168.0.1/24
192.168.1.0/24 � 10.0.0.11192.168.2.0/24 � 10.0.0.12192.168.0.0/24 � Conn.
CEF FIB Table
172.16.1.1172.16.2.1
NHRP mapping
192.168.1.0/24 � Conn.
10.0.0.1 � 172.17.0.1192.168.2.0/24 � Conn.
10.0.0.1 � 172.17.0.1192.168.2.1 � ???
192.168.0.0/16 � 10.0.0.1 192.168.0.0/16 � 10.0.0.1
CEF Adjacency
10.0.0.1 � 172.17.0.1
10.0.0.11 � 172.16.1.1
Data packetNHRP RedirectNHRP Resolution
10.0.0.1 � 172.17.0.1
10.0.0.12 � 172.16.2.1
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 21
Dynamic Multipoint VPN (DMVPN)Operational Example (cont)
Spoke A192.168.1.1/24192.168.2.1/24
Physical: 172.17.0.1Tunnel0: 10.0.0.1
Spoke B
Physical: (dynamic)Tunnel0: 10.0.0.11
Physical: (dynamic)Tunnel0: 10.0.0.12
10.0.0.11 � 172.16.1.110.0.0.12 � 172.16.2.1192.168.0.1/24
192.168.1.0/24 � 10.0.0.11192.168.2.0/24 � 10.0.0.12192.168.0.0/24 � Conn.
CEF FIB Table
172.16.1.1172.16.2.1
NHRP mapping
192.168.1.0/24 � Conn.
10.0.0.1 � 172.17.0.1192.168.2.0/24 � Conn.
10.0.0.1 � 172.17.0.1192.168.2.1 � ???
192.168.0.0/16 � 10.0.0.1 192.168.0.0/16 � 10.0.0.1
CEF Adjacency
10.0.0.1 � 172.17.0.110.0.0.11 � 172.16.1.1
10.0.0.11 � 172.16.1.1
10.0.0.11 � 172.16.1.1
Data packetNHRP RedirectNHRP Resolution
10.0.0.1 � 172.17.0.1
10.0.0.12 � 172.16.2.1
10.0.0.11 � 172.16.1.1
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 22
Any-to-Any EncryptionBefore and After GET VPN
� Scalability—an issue (N^2 problem)� Overlay routing� Any-to-any instant connectivity can’t be done to scale� Limited QoS� Inefficient Multicast replication
WANWAN
Multicast
Before: IPSec P2P Tunnels After: Tunnel-Less VPN
� Scalable architecture for any-to-any connectivity and encryption� No overlays—native routing� Any-to-any instant connectivity� Enhanced QoS� Efficient Multicast replication
Public/Private WAN Private WAN
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 23
Group Security Functions
GroupMember
GroupMember
GroupMember
GroupMember
Key Server
RoutingMembers
Group Member� Encryption Devices� Route Between Secure/ Unsecure Regions� Multicast Participation
Key Server� Validate Group Members� Manage Security Policy� Create Group Keys� Distribute Policy/Keys
Routing Member� Forwarding� Replication� Routing
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 24
Group Security Elements
GroupMember
GroupMember
GroupMember
GroupMember
Key Servers
RoutingMembers
Key Encryption Key (KEK)Traffic Encryption Key (TEK)
Group Policy
RFC3547:Group Domain of Interpretation (GDOI)
KS Cooperative Protocol
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 25
GETVPN: Innovation—Group Key Technology� Step 1: Group Members (GM) “register” via GDOI (IKE) with the Key Server (KS)KS authenticates and authorizes the GMKS returns a set of IPsec SAs for the GM to use
� Step 2: Data Plane EncryptionGM exchange encrypted traffic using the group keysThe traffic uses IPSec Tunnel Mode with “address preservation”
� Step 3: Periodic Rekey of KeysKS pushes out replacement IPsec keys before current IPsec keys expire; This is called a “rekey”
GM1
GM2
GM3 GM4
GM5
GM6
GM7GM8GM9 KS
GM1
GM2
GM3GM4
GM5
GM6
GM7GM8GM9 KS
GM1
GM2
GM3 GM4
GM5
GM6
GM7GM8GM9 KS
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 26
WAN Optimization
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 27
The WAN Is the Barrier to Branch Application Performance� Applications are designed to work well on LAN’s
High bandwidthLow latencyReliability
� WANs have opposite characteristics
Low bandwidthHigh latencyPacket loss
Round Trip Time (RTT) ~ 0mS
Client LAN Switch Server
Round Trip Time (RTT) ~ usually measured in milliseconds
ServerClient LAN Switch
LAN Switch
Routed Network
WAN Packet Loss and Latency = Slow Application Performance =
Keep and manage servers in branch offices ($$$)
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 28
TCP Behavior
Time (RTT)Slow start Congestion avoidance
Packet loss Packet loss Packet losscwnd
Packet loss TCP
Return to maximumthroughput could take a
very long time!
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 29
WAN
WAAS—TCP Performance Improvement� Transport Flow Optimization (TFO) overcomes TCP and WAN bottlenecks� Shields nodes connections from WAN conditions
Clients experience fast acknowledgementMinimize perceived packet lossEliminate need to use inefficient congestion handling
LAN TCPBehavior
LAN TCPBehavior
Window ScalingLarge Initial WindowsCongestion Mgmt
Improved Retransmit
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 30
Comparing TCP and Transport Flow Optimization
Time (RTT)Slow start Congestion avoidance
cwnd
TCP
TFO
Cisco TFO provides significant throughput improvements over standard TCP implementations
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 31
WAAS OverviewDRE and LZ Manage Bandwidth Utilization
� Data Redundancy Elimination (DRE) provides advanced compression to eliminate redundancy from network flows regardless of application� LZ compression provides generic compression for all traffic
FILE.DOC
DRE CACHE DRE CACHEFILE.DOC
WAN
LZ LZ
Origin ConnectionOrigin Connection
OptimizedConnection
Encode Decode
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 32
End-to-End Security
WAN Optimization for Application Performance
Route Optimization for Application Performance
Performance Issues/Brown Out
WAN with PfR
Best Performing Path
Best Metric PathISP1
ISP2
Without Cisco WAAS Without QoS
WAN
EmailERP
ScavengerVoIP
EmailERP
Scavenger
VoIP
Branch HQ
AdditionalCapacity
With Cisco WAAS With QoS
Email ERPScavenger
VoIP
Integrated Branch-WAN Services Example: Delivering Voice over the Network
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 33
Wide Area Network Quality of Service
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 34
Quality of Service OperationsHow Does It Work and Essential Elements
Classification and Marking
Queuing and Dropping
Post-Queuing Operations
� Classification and Marking:The first element to a QoS policy is to classify/identify the traffic that is to be treated differently. Following classification, marking tools can set an attribute of a frame or packet to a specific value.
� Policing:Determine whether packets are conforming to administratively-defined traffic rates and take action accordingly. Such action could include marking, remarking or dropping a packet.
� Scheduling (including Queuing and Dropping):Scheduling tools determine how a frame/packet exits a device. Queuing algorithms are activated only when a device is experiencing congestion and are deactivated when the congestion clears.
� Link Specific Mechanisms (shaping, fragmentation, compression, Tx Ring)Offers network administrators tools to optimize link utilization
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 35
Enabling QoS in the WANTraffic Profiles and Requirements
� Latency ≤ 150 ms� Jitter ≤ 30 ms� Loss ≤ 1%One-Way Requirements
� Smooth� Benign� Drop sensitive� Delay sensitive� UDP priority
Voice
Bandwidth per CallDepends on Codec,Sampling-Rate, and Layer 2 Media
� Bursty� Greedy� Drop sensitive� Delay sensitive� UDP priority
Telepresence
� Latency ≤ 150 ms� Jitter ≤ 50 ms� Loss ≤ 0.05%One-Way Requirements
IP/VC has the SameRequirements as VoIP, but HasRadically Different Traffic Patterns (BW Varies Greatly)
� Smooth/bursty� Benign/greedy� Drop insensitive� Delay insensitive� TCP retransmits
Data
Data Classes:Mission-Critical AppsTransactional/Interactive AppsBulk Data AppsBest Effort Apps (Default)
Traffic patterns for Data Vary Among Applications
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 36
20 msec
Voice Packets
Bytes
200
600
1000
Audio Samples
1400
Time
200
600
1000
1400
33 msec
Video PacketsVideo Frame
Video Frame
Video Frame
QoS ConsiderationsVoice vs. Video—At the Packet Level
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 37
Police
Scheduling ToolsLLQ/CBWFQ Subsystems
CBWFQ Fragment
Interleave
FQ
Link Fragmentationand Interleave
Low Latency Queueing
PacketsOutPackets
In
VoIPIP/VC PQ
Layer 3 Queueing Subsystem Layer 2 Queueing Subsystem
SignalingCriticalBulkMgmtDefault
TXRing
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 38
Traffic Shaping
� Policers typically drop traffic� Shapers typically delay excess traffic, smoothing bursts and preventing unnecessary drops� Very common with Ethernet WAN, as well as Non-Broadcast Multiple-Access (NBMA) network topologies such as Frame-Relay and ATM
With Traffic Shaping
Without Traffic ShapingLineRateShapedRate
Traffic Shaping Limits the Transmit Rate to a Value Lower Than Line Rate
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 39
MPLS VPN
Branch 1
Branch 2
Outbound Policies: Inbound Policies:HQoS Shaper (if required)+ LLQ for VoIP (EF) Trust DSCP+ LLQ or CBWFQ for RT-Interactive (CS4) + Remark RTI (if necessary) + Restore RT-Interactive to CS4 (if necessary)+ CBWFQ for Signaling (CS3)+ Remark Signaling (if necessary) + Restore Signaling to CS3 (if necessary)
≤ 33%of BW
Enterprise Subscriber (Unmanaged CE Routers)
Service Provider:Outbound Policies: Inbound Policies:+ LLQ for Real-Time Trust DSCP+ CBWFQ for Critical Data Police on a per-Class Basis
CE Routers CE RoutersPE Routers
Campus VPNBlock
E
E
E
E
F
F
F
F
F
E
MPLS VPN QoS DesignMPLS VPN Port QoS Roles
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 40
TXRing
policy-map ACCESS-EDGEclass VOIPpriority 1000
class REALTIMEpriority 15000
class CALL-SIGNALINGbandwidth x
class TRANSACTIONALbandwidth y
class BULK-DATAbandwidth z
class class-defaultfair-queue
Packets in
Packetsout
policy-map HQoS-50MBPSclass class-defaultshape average 50000000 1000000service-policy ACCESS-EDGE
CBWFQScheduler
FQ
Call-Signaling CBWFQTransactional CBWFQBulk Data CBWFQDefault Queue
1 Mbps VOIP
Policer
15 Mbps REALTIME
Policer
16 Mbps PQ (FIFO Between VOIP and VIDEO)Class-BasedShaper
GE Interfacewith a sub-line-rate access service (e.g. 50 Mbps)
� Queuing policies will not engage unless the interface is congested� A shaper will guarantee that traffic will not exceed the contracted rate� A nested queuing policy will force queuing to engage at the contracted
sub-line-rate to prioritize packets prior to shaping
Ethernet WAN QoS DesignHQoS Shaping & Queuing Policy and Operation
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 41
WAN Architecture Design Considerations
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 42
High Availability Design- Multiple/diverse WAN connections- PfR for intelligent path routing of applicationsLatency and Bandwidth Optimization- Upgrade aggregation points to OC3/OC12- Upgrade branches to DS3 or higher- Plan capacity and traffic engineering- Implement IP multicast and/or stream splitting services (e.g. WAAS)Real-Time Application Delivery-implement robust QoS service policies to manage application service levels- Insuring wanted/limiting unwanted bandwidth consumers (tools like PISA)Service Level Assurance- SLAs from SPs - Operationalize SLA tools (e.g. Netflow, IP SLA)
Confidentiality- Comply to security policies with data protection strategies, such as IPSec, DMVPN, GETVPN
WAN Transport Branch Edge
MAN EdgeSite 1
WAN Aggregation
Edge
SONET / SDH
DWDM
MAN EdgeSite 2
Metro Ethernet
MAN Transport
FR/ATM
MPLS
Internet
…
SLAEnterprise WAN Design Best Practices
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 43
Borderless Network ArchitectureTwo Thousand to Ten Thousand User Organization
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 44
Data Center/ Campus
WAN Services/Distribution
High Performance WAN HeadendOver 100Mbps Aggregate bandwidth, Up to 500 Branchs
MPLS A MPLS B
Campus/Data Center
WAAS Service
Key Servers
VPN Termination
Internet
WAN Edge
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 45
InternetInternet
InternetInternet
Remote Branch Transport & Redundancy Options
MPLS MPLS WAN
MPLS + Internet WAN
Internet
Internet WAN
MPLS MPLS MPLS MPLS
MPLS MPLS
Non-Redundant Redundant-Links Redundant-Links & Routers
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 46
Routing Topology at Hub Location
MPLS A
Campus/Data Center
DMVPN/InternetMPLS B
iBGP
EIGRP AS200
EIGRP AS 100
eBGP
Summaries + Default10.5.0.0/160.0.0.0/0.0.0.0
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 47
WAN Edge
� All:No static routesNo FHRPs
WAN
Connection Methods Compared
WAN
WAN Edge
Router
WAN
Core/Distribution
SiSi
Core/Distribution Core/Distribution
� Single Logical Control Plane� Port-Channel for H/A
Recommended
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 48
� Link redundancy achieved through redundant L3 paths� Flow based load-balancing through CEF forwarding across � Routing protocol reconvergence when uplink failed � Convergence time may depends on routing protocol used and the size of routing entries
Optimize Convergence with EtherChannel
SiSi SiSi
P-to-P LinkLayer 3
� Provide Link Redundancy and reduce peering complexity� Tune L3/L4 load-balancing hash to achieve maximum utilization� No L3 reconvergence required when member link failed� No individual flow can go faster than the speed of an individual member of the link
VSS/3750Stacks
IGP recalc
Channel Member
Removed
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 49
interface Port-channel1description Interface to MPLS-A-CEno switchportip address 10.4.128.1 255.255.255.252ip pim sparse-modeip summary-address eigrp 100 10.5.0.0 255.255.0.0
Best Practice—Summarize at Service Distribution� It is important to force summarization at the distribution towards WAN Edge and towards campus & data center� Summarization limit the number of peers an EIGRP router must query (minimize SIA) or the number of LSAs an OSPF peer must process
MPLS BMPLS A
Campus/Data Center
Summaries + Default10.5.0.0/160.0.0.0/0.0.0.0
Summary 10.5.0.0/16
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 50
� Run iBGP between the CE routers � Prefixes from carrier-A will be advertised to carrier-B and vice versa� Allows the preservation of AS Path length so remote sites can choose the best path to destination� Use IGP (OSPF/EIGRP) for prefix re-advertisement will result in equal-cost paths at remote-site
Dual MPLS Carrier HubUse iBGP to Retain AS Path Information
MPLS B
Campus
iBGP
MPLS A
iBGP
10.5.128.0/21
bn-br200-3945-1# sh ip bgp 10.5.128.0/21 BGP routing table entry for 10.5.128.0/21, version 71Paths: (2 available, best #2, table default, RIB-failure(17))Not advertised to any peer65401 65401 65402 65402, (aggregated by 65511 10.5.128.254)10.4.142.26 from 10.4.142.26 (192.168.100.3)Origin IGP, localpref 100, valid, external, atomic-
aggregate65402 65402, (aggregated by 65511 10.5.128.254)10.4.143.26 (metric 51456) from 10.5.0.10 (10.5.0.253)Origin IGP, metric 0, localpref 100, valid, internal,
atomic-aggregate, best
EIGRPE I GR P
10.5.128.0/21
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 51
Best Practice - Implement AS-Path Filter� Dual carrier sites can unintentionally become transit network during network failure event and causing network congestion due to transit traffic� Design the network so that transit path between two carriers only occurs at sites with enough bandwidth� Implement AS-Path filter to allow only locally originated routes to be advertised on the outbound updates for branches that should not be transit
router bgp 65511neighbor 10.4.142.26 route-map NO-TRANSIT-AS out!ip as-path access-list 10 permit ^$!route-map NO-TRANSIT-AS permit 10match as-path 10
MPLS B
Campus
iBGP
MPLS A
Prevent Branch Site Becoming Transit Network
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 52
EIGRP Metric Calculation - Review� EIGRP Composite MetricEIGRP Metric = 256*([K1*Bw + K2*Bw/(256-Load) + K3*Delay]*[K5/(Reliability + K4)])
Bandwidth [Bw] (minimum along path)Delay (aggregate)Load (1-255)Reliability (1-255)MTU (minimum along path)
� For default bahavior (K1=K3=1), the formula metric is following:metric = bandwidth + delay
� EIGRP uses the following formula to scale the bandwidth & delaybandwidth = (10000000/bandwidth(i)) * 256 delay = delay(i) *256
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 53
Best Practice – Use Delay Parameter to Influence EIGRP Path Selection� EIGRP uses the minimum bandwidth along the path and the total delay to compute routing metrics� Does anything else use these values?
EIGRP also uses interface Bandwidth parameter to avoid congestion by pacing routing updates (default is 50% of bandwidth)Interface Bandwidth parameter is also used for QoS policy calculationPfR leverages Bandwidth parameter
� Delay parameter should always be used to influence EIGRP routing decision
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 54
� eBGP routes are redistributed into EIGRP 100 as external routes with default Admin Distance 170� Running same EIGRP AS for both campus and DMVPN network would result in Internet path preferred over MPLS path� Multiple EIGRP AS processes can be used to provide control of the routing
EIGRP 100 is used in campus locationEIGRP 200 over DMVPN tunnelsRoutes from EIGRP 200 redistributed into EIGRP 100 appear as external route (distance = 170)
� Routes from both WAN sources are equal-cost paths. To prefer MPLS path over DMVPN use eigrp delay to modify path preference
MPLS + Internet WANUse EIGRP Autonomous System for Path Differentiation
MPLS A
Campus
EIGRP AS100
EIGRP AS200
Internet
D EX 10.5.48.0/21 [170/28416] via 10.4.128.2,
10.4.128.2
eBGP
10.5.48.0/21
MPLS CE router#router eigrp 100default-metric 1000000 10 255 1 1500
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 55
Best Practice – Assign Unique Router-ID for Routing Protocols
� For EIGRP & OSPF highest IP address assigned to a loopback is selected as Router-ID. If there are no loopback interface configured, the highest IP address from the other interfaces is selected
� Router-ID can be used as tie breaker for path selection in BGP. Prefer route that come from neighbor with lowest Router-ID
� Duplicate EIGRP Router-ID will not prevent neighbor adjacency from establishing, but can cause redistributed EIGRP external routes with the same RID to be rejected from routing table
� For OSPF and BGP duplicate Router-ID will prevent neighbors from establishing adjacency
� Certain OSPF LSA are tied to RID. When router receive network LSA with LSA ID conflicts with IP address of interface on the router, it will flush the LSA out of the network
� Modification to Router-ID will result in adjacency reset
I am John! I am John! You must be Imposter
X
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 56
BGP Weight Metric IssueRouter prefer IGP over eBGP
MPLS BMPLS A
eBGP eBGP
IGP
E I GRP
� Dual MPLS VPN Network providing primary and secondary network connectivity between locations� eBGP peering with MPLS VPN providers� Preferred path are learned via BGP to remote location with backup path learned via IGP� With default configuration the failover works to the backup IGP path, but reconvergence back to primary path is a problem
10.4.160.0/24
Campus10.4.160.0/24
R1 R2
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 57
Path SelectionAdmin Dist [170] is better than [20] ?
MPLS BMPLS A
eBGP eBGP
IGP
10.4.160.0/24
CampusD EX 10.4.160.0/24 [170/3584]....
B 10.4.160.0/24 [20/0]....
R1# show ip routeB 10.4.144.0/24 [20/0] via 10.4.142.2, 01:30:06B 10.4.145.0/24 [20/0] via 10.4.142.2, 01:30:06D EX 10.4.160.0/24 [170/3584] via 10.4.128.9, 00:30:06
EIGR P
10.4.160.0/24
R1 R2
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 58
ASR1004-1#show ip bgp 10.4.160.0 255.255.255.0BGP routing table entry for 10.4.160.0/24, version 22Paths: (3 available, best #3, table default)
Advertised to update-groups:4 5
65401 6540110.4.142.2 from 10.4.142.2 (192.168.100.3)
Origin IGP, localpref 200, valid, externalLocal
10.4.128.1 from 0.0.0.0 (10.4.142.1)Origin incomplete, metric 26883072, localpref 100, weight 32768, valid, sourced, best
BGP Route Selection Criteria
BGP Prefers Path with:1.Highest Weight2.Highest Local PREF3.Locally originated via network or aggregate BGP4.Shortest AS_PATH5.Lowest Origin typeIGP>EGP>INCOMPLETE6.Lowest MED7.eBGP over iBGP paths8.Lowest IGP metric to BGP next hop
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 59
ASR1004-1#show ip bgp 10.4.160.0 255.255.255.0BGP routing table entry for 10.4.160.0/24, version 22Paths: (3 available, best #3, table default)
Advertised to update-groups:4 5
65401 6540110.4.142.2 from 10.4.142.2 (192.168.100.3)
Origin IGP, localpref 200, valid, externalLocal
10.4.128.1 from 0.0.0.0 (10.4.142.1)Origin incomplete, metric 26883072, localpref 100, weight 32768, valid, sourced, best
Prefer the eBGP Path over IGPSet the eBGP weight > 32768� IGP (EIGRP) route is redistributed into BGP� Routes redistributed into BGP are considered locally originated and get a default weight of 32768� The eBGP learned prefix has default weight of 0� BGP prefers the path with highest weight and the prefix learned via eBGP is not selected� To resolve this issue set the weights on route learned via eBGP peer higher than 32768
neighbor 10.4.142.2 weight 35000
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 60
Securing WAN communication with GET VPN
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 61
GETVPN TopologyCOOP Key Server
WAN Agg SwitchesKey Servers
MPLS BMPLS A
GMGM
GM GM GM GM
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 62
Best Practice - High Availability with Cooperative Key Servers� Two or more KSs known as COOP KSs manage a common set of keys and security policies for GETVPN group members
� Group members can register to any one of the available KSs� Cooperative KSs periodically exchange and synchronize group’s database, policy and keys
� Primary KS is responsible to generate and distribute group keys
GM 1
GM 3
Subnet 1
Subnet 4
Subnet 2
Subnet 3
GM 4
GM 2
Cooperative KS1
IP Network
Cooperative KS2
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 63
Transition from Clear-text to GETVPNReceive-Only Method� Goal
Incrementally deploy infrastructure without encryptionImmediate transition to encryption controlled by KS
� MethodDeploy KS with Receive-only SA’s (don’t encrypt, allow decryption)Deploy GM throughout infrastructure and monitor rekey processesTransition KS to Normal SA (encrypt, decrypt)
� AssessmentPro: Simple transition to network-wide encryptionCon: Correct policies imperativeCon: Deferred encryption until all CE are capable of GM functions
permit ip 10.1.4.0 0.0.3.255 10.1.4.0 0.0.3.255
GMGM
GM
GM
KS10.1.4.0/24
10.1.6.0/24
10.1.5.0/24 10.1.7.0/24
GMGM GM
GMGET
KS10.1.4.0/24
10.1.6.0/24
10.1.5.0/24 10.1.7.0/24
permit ip 10.1.4.0 0.0.1.255 10.1.4.0 0.0.1.255
GET
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 64
crypto isakmp key c1sco123 address 10.4.128.151crypto isakmp key c1sco123 address 10.4.128.152crypto isakmp policy 10encr 3desauthentication pre-sharegroup 2!crypto gdoi group GETVPNidentity number 65511server address ipv4 10.4.128.151server address ipv4 10.4.128.152!crypto map dgvpn 10 gdoi set group dgvpn!interface FastEthernet0/0crypto map GETVPN
Group Member ConfigurationMPLS A
Key Server
Group Member
Group Member
GDOI Group
Primary KS Address
Secondary KS Address
GDOI configuration mapped to crypto map
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 65
crypto keyring gdoi1 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123!crypto isakmp policy 10encr aes 256authentication pre-sharegroup 2!crypto ipsec transform-set AES256/SHA esp-aes 256 esp-sha-hmac!crypto ipsec profile GETVPN-GDOI-PROFILEset security-association lifetime seconds 7200set transform-set AES256/SHA !
IPSec Profile
IPSec Transform
Key Server ConfigurationMPLS A
Key Server
Group Member
Group Member
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 66
crypto gdoi group GETVPNidentity number 65511server localrekey lifetime seconds 86400rekey retransmit 40 number 3rekey authentication mypubkey rsa GETVPN-Keyrekey transport unicastsa ipsec 10profile GETVPN-GDOI-PROFILEmatch address ipv4 GETVPN-MATCH-ACLno replayaddress ipv4 10.4.128.151redundancylocal priority 100peer address ipv4 10.4.128.152
!
GDOI Group ID
RSA Key to authenticate rekeys
Unicast Rekey
Lifetime for Key Encryption Key
Coop Server Config
KS Configuration (Cont.)
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 67
ip access-list extended GETVPN-MATCH-ACL!Don’t double encrypt traffic that’s encrypteddeny esp any any! Allow telemetry trafficdeny ip 10.4.0.0 0.1.255.255 10.4.142.0 0.0.1.255deny ip 10.4.142.0 0.0.1.255 10.4.0.0 0.1.255.255deny tcp any any eq tacacsdeny tcp any eq tacacs anydeny tcp any any eq 22deny tcp any eq 22 any!Allow BGP between CE-PE routerdeny tcp any any eq bgpdeny tcp any eq bgp any!Dont encryption ISAKMP trafficdeny udp any eq isakmp any eq isakmp!Don’t encrypt GDOI messagesdeny udp any eq 848 any eq 848!Allow CE-PE to form PIM adjacencydeny pim any 224.0.0.0 0.0.0.255permit ip any any
Access-list denying encryption for ISAKMP, GDOI, BGP, TACACS, SSH packets and permitting encryption for all IP traffic
GET VPN Encryption PolicyAccess-List configuration on KS
Allow communication from internal nets to the PE-CE subnets (summarized):
10.4.0.0/16 to/from 10.4.142.0/24, 10.4.143.0/2410.5.0.0/16 to/from 10.4.142.0/24, 10.4.143.0/24
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 68
DMVPN over Internet Deployment
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 69
� Running EIGRP inside the DVMPN using a different AS number than the campus EIGRP� Capable of dynamic spoke-to-spoke tunnel to other Internet attached spokes
DMVPN over Internet Design Consideration
. . .
Internet
tun10
tun10tun10
tun10
vpn-7206-1 vpn-7206-2
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 70
� VPN Headend has a default route to ASA firewall’s VPN-DMZ interface to reach Internet
� Remote site policy requires centralized Internet access
� Enable EIGRP between VPN headend & Campus core to propagate default to remote
� Static default (admin dist=0) remains active,
� VPN-DMZ is wrong firewall interface for user traffic
� Adjust admin distance so EIGRP route installed (to core)
� VPN tunnel drops
DMVPN Deployment over Internet
VPN-DMZ
Internet Edge Block
default
default
INSIDE
OUTSIDE
E I G RP
default
Internet
default
default
Internet
Multiple Default Routes for VPN Headend
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 71
DMVPN Deployment over Internet
VPN-DMZ
Internet Edge Block
default
default
INSIDE
OUTSIDE
EIGRP
defaultInternet
default
E I G RP
( 2 0 0 )
default
default
� Enable FVRF with DMVPN to separate out the two default routes
� The RED-VRF contains the default route to VPN-DMZ Interfae needed for Tunnel Establishment
� A 2nd default route exist on the Global Routing Table used by the user data traffic to reach Internet
� To prevent split tunneling the default route is advertised to spokes via Tunnel
� Spoke’s tunnel drops due to 2nddefault route conflict with the one learned from ISP
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 72
Internet
� Enable FVRF DMVPN on the Spokes
� Allow the ISP learned Default Route in the RED-VRF and used for tunnel establishment
� Global VRF contains Default Route learned via tunnel. User data traffic follow Tunnel to INSIDE interface on firewall
� Allow for consistency for implementing corporate security policy for all users
Best Practice – VRF-aware DMVPNKeeping the Default Routes in Separate VRFs
VPN-DMZ
Internet Edge Block
default
default
INSIDE
OUTSIDE
EIGRPdefault
default
E I G RP
( 2 0 0 )
default
default
No Split Tunneling at Branch location
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 73
Internet
DMVPN and FVRFDual Default Routes —Packet Flow
� Based on incoming interface, the IPsec packet is directly associated with VRF� After decryption the GRE packet is assigned to GRE tunnel
in the VRF� GRE decapsulated clear-text packets forwarded using Global
Routing table� Two routing tables – one global (default) routing table and a
separate routing table for VRF
Clear-text packets forward using Global Routing Table
Interface IPse
c
GRE+IPsec
mGREInterface
GlobalRouting Table
Interfa
ce
Default DefaultVRF-RED
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 74
Internet
DMVPN and FVRFDual Default Routes — Show IP Route Outputs
Clear-text packets forward using Global Routing Table
Interface IPse
c
GRE+IPsec
mGREInterface
GlobalRouting Table
Interfa
ce
Default DefaultVRF-RED
bn-vpn-7206-1#sh ip routeGateway of last resort is 10.4.128.17 to network 0.0.0.0
D*EX 0.0.0.0/0 [170/3328] via 10.4.128.17, 2d22h, Port-channel3....
bn-vpn-7206-1#sh ip route vrf REDGateway of last resort is 10.4.128.35 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.4.128.35....
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 75
Internet
DMVPN and FVRFConfiguration Example
Clear-text packets forward using Global Routing Table
Interface IPse
c
GRE+IPsec
mGREInterface
GlobalRouting Table
Interfa
ce
Default DefaultVRF-RED
ip vrf INET-PUBLICrd 65512:1!crypto keyring DMVPN-KEYRING vrf INET-PUBLICpre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!!crypto isakmp policy 10encr aes 256authentication pre-sharegroup 2!crypto isakmp keepalive 30 5!crypto isakmp profile FVRF-ISAKMP-INET-PUBLIC
keyring DMVPN-KEYRINGmatch identity address 0.0.0.0 INET-PUBLIC
!
interface GigabitEthernet0/1ip vrf forwarding INET-PUBLICip address dhcp!interface Tunnel10ip address 10.4.132.201 255.255.254.0….tunnel mode gre multipointtunnel vrf INET-PUBLICtunnel protection ipsec profile DMVPN-PROFILE!router eigrp 200network 10.4.132.0 0.0.0.255network 10.4.163.0 0.0.0.127eigrp router-id 10.4.132.201
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 76
� Dead Peer Detection (DPD) is a mechanism for detecting unreachable IKE peers� Each peer’s DPD state is independent of the others� Without DPD spoke routers will continue to encrypt traffic using old SPI which would be dropped at the hub. May take up to 60 minutes for spokes to reconverge� Use ISAKMP keepalives on spokes
crypto isakmp keepalives <initial> <retry>
ISAKMP invalid-SPI-recovery is not useful with DMVPNISAKMP keepalive timeout should be greater than routing protocol hellos
� Not recommended for Hub routers – may cause an increase of CPU overhead with large number of peers
Best Practices —Enable Dead Peer Detection (DPD)
Internet
br201-2911 br202-2911
tun0 tun0
tun10
vpn-7206-1
Informational RFC 3706Traf f ic Dropped Unt il
new IKE sessions
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 77
� Spokes are receiving dynamic address assignment from the ISP� Spoke reboots and receive a new IP address from
the ISP, VPN session is established but no traffic passes� Following error message appears on the spoke
� Hub router (NHS) reject registration attempts for the same private address that uses a different NBMA address� To resolve this issue, configure following command
on spoke routers - ip nhrp registration no-unique
DMVPN Internet Deployment Dynamic IP Address Assignment on the Spokes
Internet
br201-2911 br202-2911
tun0 tun0
tun10
vpn-7206-1
"%NHRP-3-PAKREPLY: Receive Registration Reply packet with error - unique address registered already(14)"
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 78
� IP fragmentation will cause CPU and memory overhead and resulting in lowering throughput performance � When one fragment of a datagram is dropped, the entire
original IP datagram will have to be resent� Use ‘mode transport’ on transform-set
NHRP needs for NAT support and saves 20 bytes� Avoid MTU issues with the following best practices
ip mtu 1400ip tcp adjust-mss 1360crypto ipsec fragmentation after-encryption (global)
Best Practices —Avoid Fragmentation with IPSec VPN
MTU 1500 MTU 1500MTU 1400
Tunnel Setting Minimum MTU Recommended MTUGRE/IPSec (Tunnel Mode) 1440 bytes 1400 bytesGRE/IPSec (Transport Mode) 1420 bytes 1400 bytes
GRE+IPsec
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 79
� By default router uses OIL to correlate multicast group join to interface� This causes problem when hub is connected to multiple spokes over NBMA network� Any spoke that leaves a multicast group would case all the spokes to be pruned off the multicast group� Enable PIM NBMA mode under tunnel interface on hubs and spokes
ip pim nbma-modeAllows the router to track multicast joins based on IP address instead of interfaceApplies only to PIM sparse-mode
� Router treats NBMA network as a collection of point-to-point circuits, allowing remote sites to be pruned off traffic flows
Best Practices — Multicast over DMVPN
Internet
br201-2911 br202-2911
tun10
vpn-7206-1
Multicast
Receiver Receiver
M ul tic as t
M ul ti cast
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 80
� By default router uses OIL to correlate multicast group join to interface� This causes problem when hub is connected to multiple spokes over NBMA network� Any spoke that leaves a multicast group would case all the spokes to be pruned off the multicast group� Enable PIM NBMA mode under tunnel interface on hubs and spokes
ip pim nbma-modeAllows the router to track multicast joins based on IP address instead of interfaceApplies only to PIM sparse-mode
� Router treats NBMA network as a collection of point-to-point circuits, allowing remote sites to be pruned off traffic flows
Best Practices — Multicast over DMVPN
Internet
br201-2911 br202-2911
tun10
vpn-7206-1
Receiver Receiver
IGMPLeave
PIMPrune
M ul tic as t
M ul ti cast
PIMPrune towards RP
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 81
WCCP Implementation Consideration
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 82
Design Considerations for WAAS Interception and Redirection Mechanisms• Implementation and operational consequences?
Planned Outages? Inline cabling changes are disruptive, WCCP graceful startUnplanned failures? Inline simple, fail to wire, WCCP involves configuration changes to the existing infrastructure
• Placement decisions? WAN Edge, WAN Distribution, Core, Server Distribution, Server Access
Redirecting device used depends on placement decision
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 83
Design Considerations for WAAS Interception and Redirection Mechanisms� Scalability
• Clusters with Load Balancing• Interception Methods• Large Number of Branch Offices to Fan Out and cache
� High Availability• Through Clusters• Loss of single Device absorbed• Convergence Times depending on Integration Technique• Not stateful – WAE loss causes session restart
A
B
A BC
Src Balance 61 62 Dst Balance
e1 e2
r1
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 84
WAAS Integration Options� Inline Deployment� Policy-Based Routing (PBR)� Web-Cache Communication Protocol V2 (WCCPv2)� Hardware Load Balancers Inline with C/S Traffic Flow� PBR with HW Load Balancers
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 85
WCCP Characteristics� WCCP Reconvergence for failed WAE
• Three failed Hello packets for failover → i.e. 30-40 sec• Traffic partially not forwarded during failure
� Supports asymmetric traffic across WCCP-enabled routers� Supports up to 32 routers and 32 WAEs in a cluster� Redirect-Lists allow granular selection of traffic by use of Extended ACLs� VRF-aware WCCP in IOS
12.4(20)T/15.0M and NX-OS
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 86
WCCP Redirect and Return� Redirect Method
WCCP GRE - Entire packet WCCP GRE tunneled to the cache(common cache default)Layer 2 - Frame MAC address rewritten to cache MAC
� Return MethodWCCP GRE – Packet WCCP GRE returned router (may be returned to same router that performed redirect as in WAAS)WCCP Layer 2 – Frame rewritten to router MAC (Not yet supported in WAAS)
� Two assignment methods availableHash
Byte level XOR computation divided into 256 buckets (default)Available on software IOS routers only
MaskBit level AND divided up to 128 buckets (7 bits)Available on all ASIC based L3 switchesAvailable on software routers as of IOS 12.4(20)TOnly method supported for ASR1000 as of IOS 12.2(33)XNF
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 87
Single Carrier Branch
� WCCP intercepted in from client AND in from server� Services balance on source from client and destination from server
to maintain flow symmetry� E1 spoofs C1 to S1� S1 replies to C1� E1 spoofs S1 to C1� E1 must use WCCP GRE return to avoid loops when placed on
client network
C1S1
E1
R1SG 61 In SG 62 In
WAN
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 88
Dual Router BranchTransparent Client Transit Network Loop
� R1 is HSRP/VRRP primary for clients and WAE
� Routing across client subnet� R1 upstream WAN failure� Packets route across client subnet� R2 intercepts packet a 2nd time and redirects to cache
� E1 receives packet for a 2nd time (WAE drops packet)
� Device – WCCP GRE router� Intercept – In only� Assign – Mask or Hash� Redirect – WCCP GRE� Return – WCCP GRE� Egress – WCCP negotiated
C1S1
E1
R1
R2
6261
6162
WAN
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 89
Best Practice - Avoid Loop with Transit SubnetDual Router Branch
� R1 is HSRP/VRRP primary for clients and WAE
� Routing across client subnet� R1 upstream WAN failure� Packets route across transit subnet� R2 forwards traffic without intercepting packet a 2nd time
� Device – WCCP GRE router� Intercept – In only� Assign – Mask or Hash� Redirect – WCCP GRE� Return – WCCP GRE� Egress – WCCP negotiated� Routers
Passive interface client subnetRoute on transit subnetUse GRE return
C1S1
E1
R1
R2
6261
6261
WAN
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 91
Key Takeaways� Understand how WAN characteristics can affect your applications
Bandwidth, latency, loss� Dual carrier designs can provide resiliency but have unique design considerations� A QoS-enabled, highly-available network infrastructure is the foundation layer of the WAN architecture� Encryption is a foundation component of all WAN designs and can be deployed transparently� Understand the how to apply WCCPv2 in the branch network to enable WAN optimization appliances.
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 93
WAN Characteristics� Bandwidth
Bandwidth constraints keep applications from performing wellToo much data and too small of a pipe causes congestion, packet loss, and backpressure
� Packet loss, congestion, and retransmissionPacket loss and congestion cause retransmission which hinders application performance and throughputCommonly caused by saturated device transmit queues in the network path
Packet LossCongestion
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 94
Latency� Network latency—the amount of time necessary for a message to traverse the network� Transport latency—the amount of time necessary for the transport mechanism (TCP) to acknowledge and retransmit data � Application latency—“chattiness” of an application protocol causing messages to be exchanged across the network
Round Trip Time (RTT) ~ usually measured in milliseconds
Typically:High Bandwidth Low LatencyLow Bandwidth High Latency
Latency Impairs Application Performance in Three Ways:
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 95
G.729A: 25 ms
CODEC
Variable(Can Be Reduced
Using LLQ)
Queuing
Variable(Can Be Reduced
Using LFI)
Serialization
6.3 µs/Km +Network Delay
(Variable)
Propagationand Network
20–50 ms
Jitter Buffer
Enabling QoSElements That Affect End-to-End Delay
IP WANCampus Branch Office
CiscoUnified CommunicationManagerCluster SRST
Router
PSTN
End-to-End Delay (Should Be < 150 ms)
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 96
KS System Scalability (7200)
1000 40002000 3000
1 KS - Multicast
Number of GM per Group5000500250
Pre-s
hared
Key
sPu
blic K
ey
1 KS - Unicast
1 KS - Unicast
2 KS - Unicast
1 KS - Multicast
2 KS - Multicast
8 KS - Unicast
7200 Assumptions• Single Key Server• TEK Lifetime = 3600• 5% Registration Windowor 30 sec Window
• PSK Reg. Rate = 100/sec• PKI Reg. Rate = 12/sec
To Be Tested in Phase 1.4 (based on 12.4(22)T
To Be Tested in Phase 1.4 (based on 12.4(22)T
To Be Tested in Phase 1.4 (based on 12.4(22)T
To Be Tested in Phase 1.4 (based on 12.4(22)T
To Be Tested in Phase 1.4
To Be Tested in Phase 1.4
8 KS - Multicast
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 97
KS System Scalability (Other Platforms)
100 400200 300
unicast
Number of GM per Group5005025
Pre-s
hared
Key
s
1841
Platform Assumptions• Single Key Server• Image < 12.4(22)T• 30 sec Registration Window
multicast 2821
unicast multicast 2851
unicast multicast 3825
1000
unicast multicast 3845
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 98
Scheduling ToolsQueuing Algorithms
� Congestion can occur at any point in the network where there are speed mismatches� Routers use Cisco IOS-based software queuing
Low-Latency Queuing (LLQ) used for highest-priority traffic (voice/video)Class-Based Weighted-Fair Queuing (CBWFQ) used for guaranteeing bandwidth to data applications
� Cisco Catalyst switches use hardware queuing
Voice
Video
Data 33
2 2
1 1
This Topic Is Covered in Detail in TECRST-2500
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 99
CBWFQScheduler
FQ
Call-Signaling CBWFQTransactional CBWFQBulk Data CBWFQDefault Queue
TXRing
100 kbps VOIPPolicer
WAN/Branch QoS DesignDual-LLQ Design and Operation
� The implicit LLQ policers allow for the configuration of “multiple” LLQs, even though (“under-the-hood”) all LLQ traffic is serviced by a single strict-priority queue
� This PQ is serviced on a First-In-First-Out basis between the VOIP and VIDEO classes, until the implicit LLQ policing limits of each class have been reached
� In this manner both VOIP and VIDEO receive an EF PHB, but VIDEO cannot interfere with VOIP
400 kbps VIDEOPolicer
100 kbps PQ
policy-map WAN-EDGEclass VOIPpriority 100
class VIDEOpriority 400
class CALL-SIGNALINGbandwidth x
class TRANSACTIONALbandwidth y
class BULK-DATAbandwidth z
class class-defaultfair-queue
500 kbps PQ (FIFO Between VOIP and VIDEO)Packets
inPackets
out
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 100
Enterprise-to-Service Provider WAN QoSWAN QoS Matters!
Aggregation Site
Branch 1
Branch 2
Branch 3
Branch 4
1.544 Mbps6 Mbps
100 Mbps
50 Mbps
7600-SIP-(200,400,600)
10 Mbps
3750 Metro ES Ports
7200
3750 Metro
ISR G2
ASR 1000
SiSi
ASR 1000
7600
Hierarchical QoS Required:� per vlan/subinterface shaping� CBWFQ/LLQ destination
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 101
Internet
DMVPN TopologyHub Configuration
172.17.130.1172.16.130.1
. . .
↑(.1),10.4.163.0/24
↑(.1),10.4.164.0/24
↑(.1),10.4.132.0/24
bn-br201-2811 bn-br202-2811
ip vrf INET-PUBLICrd 65512:1!crypto keyring DMVPN-KEYRING vrf INET-PUBLICpre-shared-key address 0.0.0.0 0.0.0.0 key cisco123!crypto isakmp policy 10encr aes 256authentication pre-sharegroup 2crypto isakmp keepalive 30 5crypto isakmp profile FVRF-ISAKMP-INET-PUBLICkeyring DMVPN-KEYRINGmatch identity address 0.0.0.0 INET-PUBLIC
!crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmacmode transport!crypto ipsec profile DMVPN-PROFILEset security-association lifetime seconds 7200set transform-set AES256/SHA/TRANSPORTset isakmp-profile FVRF-ISAKMP-INET-PUBLIC!interface GigabitEthernetx/xip vrf forwarding INET-PUBLICip address 172.16.130.1 255.255.255.248!interface Tunnel10ip address 10.4.132.1 255.255.255.0no ip redirectsip mtu 1400ip hold-time eigrp 200 35ip pim nbma-modeip pim sparse-modeip nhrp authentication cisco123ip nhrp map multicast dynamicip nhrp network-id 101ip nhrp holdtime 600ip nhrp registration no-uniqueip nhrp redirectno ip split-horizon eigrp 200tunnel source GigabitEthernetx/x/tunnel mode gre multipointtunnel vrf INET-PUBLICtunnel protection ipsec profile DMVPN-PROFILE!router eigrp 200network 10.4.132.0 0.0.0.255redistribute eigrp 100eigrp router-id 10.4.132.1
10.4.132.201
10.4.132.202
vpn-7206-1
tun10
tun0tun0
↑(.1),10.4.133.0/24
tun10
dist-3750-stack
vpn-7206-1 vpn-7206-2
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 102
Internet
DMVPN TopologySpoke Configuration
172.17.130.1172.16.130.1
. . .
↑(.1),10.4.163.0/24
↑(.1),10.4.164.0/24
↑(.1),10.4.132.0/24
br201-2911 br202-2911
ip vrf INET-PUBLICrd 65512:1!crypto keyring DMVPN-KEYRING vrf INET-PUBLICpre-shared-key address 0.0.0.0 0.0.0.0 key cisco123!crypto isakmp policy 10encr aes 256authentication pre-sharegroup 2crypto isakmp keepalive 30 5crypto isakmp profile FVRF-ISAKMP-INET-PUBLICkeyring DMVPN-KEYRINGmatch identity address 0.0.0.0 INET-PUBLIC
!crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmacmode transport!crypto ipsec profile DMVPN-PROFILEset security-association lifetime seconds 7200set transform-set AES256/SHA/TRANSPORTset isakmp-profile FVRF-ISAKMP-INET-PUBLIC!interface GigabitEthernet0/1ip vrf forwarding INET-PUBLICip address dhcp!interface Tunnel10ip address 10.4.132.201 255.255.255.0no ip redirectsip mtu 1400ip pim nbma-modeip pim sparse-modeip nhrp authentication cisco123ip nhrp map multicast 172.16.130.1ip nhrp map 10.4.132.1 172.16.130.1ip nhrp network-id 101ip nhrp holdtime 600ip nhrp nhs 10.4.132.1ip nhrp shortcuttunnel source GigabitEthernet0/1tunnel mode gre multipointtunnel vrf INET-PUBLICtunnel protection ipsec profile DMVPN-PROFILE!router eigrp 200network 10.4.132.0 0.0.0.255network 10.4.163.0 0.0.0.127eigrp router-id 10.4.132.201
10.4.132.201
10.4.132.202
br201-2911
tun10
tun0tun0
↑(.1),10.4.133.0/24
tun10
vpn-7206-2vpn-7206-1
dist-3750-stack
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 103
Ethernet WAN QoS DesignMedium-Speed Ethernet WAN Access Configuration
<a 5 to 11 Class Model can be used>!policy-map WAN-EDGE-QUEUING
class VOICEpriority percent 33 ! LLQ Voice
class CALL-SIGNALINGbandwidth percent 5 ! BW guarantee for Call-Signaling
class CRITICAL-DATAbandwidth percent 36 ! Critical Data class gets min 36% BWrandom-detect dscp-based ! Enables DSCP-WRED for Critical-Data class
class SCAVENGERbandwidth percent 1 ! Scavenger class is throttled
class class-defaultbandwidth percent 25 ! Default class gets a 25% BW guaranteerandom-detect ! Enables WRED for class-default
!!policy-map MQC-SHAPING-5MBPS
class class-defaultshape average 4750000 47500 0 ! CIR=95% rate, Bc=CIR/100, Be=0service-policy WAN-EDGE-QUEUING ! Queues packets before shaping
!interface FastEthernet1/0service-policy output MQC-SHAPING-5MBPS ! Attaches the hierarchical MQC policy
!
WAG WAN Service with1-99 Mbps Ethernet Access
BR
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 104
policy-map WAN-EDGE-QUEUINGclass VOICEpriority percent 33 ! LLQ Voice
class CALL-SIGNALINGbandwidth percent 5 ! BW guarantee for Call-Signaling
class CRITICAL-DATAbandwidth percent 36 ! Critical Data class gets min 36% BWrandom-detect dscp-based ! Enables DSCP-WRED
class SCAVENGERbandwidth percent 1 ! Scavenger class is throttled
class class-defaultbandwidth percent 25 ! Default class gets a 25% BW guaranteerandom-detect
policy-map shape-600Mclass class-defaultshape average 600000000 6000000 0 ! CIR = 600Mservice-policy WAN-EDGE-QUEUING ! Hardware based platforms may
! auto-configure the Bcinterface GigabitEthernet0/0bandwidth 600000 ! Interface Bandwidth = Shape Rateservice-policy output shape-600M ! All GE traffic shaped to 600Mbps!
GE 600 Mbps Subrate ServiceHigh-Speed Ethernet WAN Access Configuration
CE
PE
Subrate GE~600 Mbps
WAN
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 105
WAN Edge QoS Design ConsiderationsLink-Speed Considerations� Slow speed links (≤ 768 kbps)
Voice or video (not both)—three to five class modelLFI mechanism requiredcRTP recommended
� Medium speed links (≤ T1/E1)Voice or video (not both)—five class modelcRTP optional
� High speed links (> T1/E1)Voice and/or video—five to 11 class modelMultiple links require L2 bundling (best) or L3 load-balancingUse newest CPUs for complex QoS policies on DS3/OC3/OC12 links
WAN Agg WAN Service with≤ 768 kbps
BR
WAN Agg WAN Service with1–99 Mbps
BR
WAN Agg WAN Service with≥ 100 Mbps
BR
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 106
Phase 1
• Hub and spoke functionality 12.2(13)T
• Simplified and smaller config for hub & spoke
• Support dynamically address CPE
• Support for multicast traffic from hub to spoke
• Summarize routing at hub
• Spoke to spoke functionality 12.3(4)T
• Single mGRE interface in spokes
• Direct spoke to spoke data traffic reduced load on hub
• Cannot summarize spoke routes on hub
• Route on spoke must have IP next hop of remote spoke
Phase 2 Phase 3
• Architecture and scaling 12.4(6)T
• Increase number of hub with same hub and spoke ratio
• No hub daisy-chain• Spokes don’t need full routing table
• OSPF routing protocol not limited to 2 hubs
• Cannot mix phase 2 and phase 3 in same DMVPN cloud
DMVPN Phases
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 107
Branch WAAS/WAE – Dual Router Branch
ip wccp 61 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password c1sco123ip wccp 62 redirect-list WAAS-REDIRECT-LIST group-list BN-WAE password c1sco123interface GigabitEthernet0/0description WAN Interface ip address 10.4.142.25 255.255.255.248ip wccp 62 redirect in!interface Port-channel1.50encapsulation dot1Q 50ip address 10.5.0.1 255.255.255.252ip wccp 61 redirect in!ip access-list standard BN-WAEpermit 10.5.1.8permit 10.5.1.9
WCCP 61
WCCP 62
MPLS A
MPLS B
WCCP 62
WCCP 61
ip access-list extended WAAS-REDIRECT-LISTremark WAAS WCCP Mgmt Redirect Listdeny tcp any any eq telnetdeny tcp any any eq 22deny tcp any any eq 161deny tcp any any eq 162deny tcp any any eq 123deny tcp any any eq bgpdeny tcp any any eq tacacsdeny tcp any eq telnet anydeny tcp any eq 22 anydeny tcp any eq 161 anydeny tcp any eq 162 anydeny tcp any eq 123 anydeny tcp any eq bgp anydeny tcp any eq tacacs anypermit tcp any any