Design of an Intelligent WAN Network


1 Design of an Intelligent WAN Network, EN2, Jaromír Pilař, CSE

2 Agenda
Introduction and the basic pillars of an intelligent WAN
Transport Independent Design
Intelligent path selection
Summary

3 Intelligent WAN: Leveraging Any Transport
Diagram: secure WAN transport and Internet access over a hybrid WAN transport (IP-VPN and Internet) from an IPsec-secured branch to the private cloud, the virtual private cloud and, via direct Internet access, the public cloud.
Secure WAN transport for private and virtual private cloud access.
Leverage the local Internet path for public cloud and Internet access.
Increased WAN transport capacity, cost effectively.
Improved application performance (right flows to right places).

4 Intelligent WAN: Leveraging Any Transport. So what is new here?
The same hybrid WAN transport (IP-VPN and Internet) with an IPsec-secured branch, direct Internet access and access to the private, virtual private and public cloud, plus:
Internet as WAN with high reliability.
SLAs for business-critical applications.
Centralized security policy for Internet access.
Dramatically lower WAN costs without compromise.
Secure WAN transport for private and virtual private cloud access; leverage the local Internet path for public cloud and Internet access; increased WAN transport capacity, cost effectively; improved application performance (right flows to right places).

5 Intelligent WAN Solution Components
Transport Independent: consistent operational model; simple provider migrations; scalable and modular design; DMVPN IPsec overlay design.
Intelligent Path Control: application best path based on delay, loss, jitter and path preference; load balancing for full utilization of all bandwidth; improved network availability; Performance Routing (PfR).
Application Optimization: AVC, application monitoring with Application Visibility and Control; per-tunnel hierarchical QoS; WAAS, application acceleration and bandwidth savings; WAAS, intelligent edge caching with Akamai Connect.
Secure Connectivity: certified strong encryption; comprehensive threat defense with ASA and IOS firewall/IPS; Cloud Web Security (CWS) for scalable, secure direct Internet access.
Diagram: a branch running AVC, WAAS and PfR, connected over the Internet and 3G/4G-LTE to the private cloud, the virtual private cloud and the public cloud.

6 Transport Independent Design using DMVPN

7 Cisco Intelligent WAN (IWAN)
Transport Independence: IPsec WAN overlay; consistent operational model; DMVPN.
Intelligent Path Control: optimal application routing; efficient use of bandwidth; Performance Routing (PfRv3).
Application Optimization: performance monitoring; optimization and caching; AVC, HQoS, WAAS, Akamai.
Secure Connectivity: next-generation (NG) strong encryption; threat defense; Suite-B, CWS, ZBFW.
Management & Orchestration spans all four pillars.
Diagram: a branch with AVC, WAAS, Akamai and PfRv3 connected over the Internet and 3G/4G-LTE to the private cloud, the virtual private cloud and the public cloud; platforms shown are ISR-AX and ASR1000-AX.

8 IWAN Layered Solution
A CPE-to-CPE overlay enables separation of the transport (underlay) and the VPN service (overlay).
Layers: AVC/QoS; PfR path selection policies and PfR intelligent routing; overlay routing over tunnels; overlay tunnels (DMVPN); perimeter security; transport routing (Internet routing, VPN routing).
Point-to-multipoint WAN connections with a secure tunnel overlay architecture.
Intelligent policy routing to provide cost optimization and dynamic load balancing.

9 Intelligent WAN Deployment Models
Three models, in each of which the branch connects to the enterprise and to the Internet over two transports:
Dual: highest SLA guarantees; tightly coupled to the SP; expensive.
Hybrid: more bandwidth for key applications; balanced SLA guarantees; moderately priced.
Dual Internet: best price/performance; most SP flexibility; enterprise responsible for SLAs.
A consistent VPN overlay enables security across the transition.

10 Hybrid WAN Designs: Traditional and IWAN
Traditional hybrid: active/standby WAN paths (primary with backup); two IPsec technologies (GETVPN on one transport, DMVPN over the Internet); two WAN routing domains (eBGP or static on one transport; iBGP, EIGRP or OSPF over the Internet), which require route redistribution, route filtering and loop prevention.
Intelligent WAN hybrid: active/active WAN paths; one IPsec overlay (DMVPN on both transports); one WAN routing domain (EIGRP or iBGP).
Diagram: a data center with a pair of ASR 1000 routers connected through ISP A and the Internet to an ISR branch.

11 IWAN Transport Independent Design Overview
IWAN prescriptive design: Transport Independent Design based on DMVPN.
Branch spoke sites establish an IPsec tunnel to, and register with, the hub site.
Data traffic flows over the DMVPN tunnels.
The WAN interface IP address is used as the tunnel source address (in a front VRF).
One tunnel per user VRF.
Over-the-top routing: BGP or EIGRP are typically used for scalability; IP routing exchanges prefix information for each site.
Per-tunnel QoS is applied to prevent hub-site oversubscription of the spoke sites.
Diagram: two IWAN POPs (MC1 and MC2, with routers R84, R85, R94, R95) joined by the DCI and WAN core, with spokes R10, R11, R12 reached over DMVPN and INET.

12 Using Front Door VRF: Keeping the Default Routes in Separate VRFs
Routing contexts: customer routing context (global table), FVRF_SP1 (SP1 routing context), FVRF_SP2 (SP2 routing context).
Different default routes are possible within the global table and towards the SP infrastructure.
Configuration towards the SP is simplified and allows for a simple swap.
  vrf definition FVRF_SP1
   address-family ipv4
   exit-address-family
  crypto keyring DMVPN vrf FVRF_SP1
   pre-shared-key address key cisco123
  interface Tunnel0
   ip address
   ip nhrp authentication HBfR3lpl
   ip nhrp map multicast
   ip nhrp map
   ip nhrp network-id 1
   ip nhrp nhs
   ip nhrp shortcut
   tunnel source GigabitEthernet0/0
   tunnel mode gre multipoint
   tunnel vrf FVRF_SP1
   tunnel protection ipsec profile dmvpn
  interface GigabitEthernet0/0
   description WAN interface to ISP in vrf
   ip vrf forwarding FVRF_SP1
   ip address dhcp
  interface GigabitEthernet0/1
   description LAN interface in global table

13 Typical IWAN Topology
IWAN domain: a group of IWAN sites with common transports and policies; 2000 sites per domain, multiple domains for larger scale.
IWAN POP locations: 2+ WAN aggregation locations, also called transit sites. Each Border Router (BR) is a DMVPN hub with iBGP or EIGRP routing. Summary prefixes with primary and secondary path metrics are advertised out to the branches. Transit routing to other locations, with backdoor failover routing between POP locations. Dedicated BR per WAN transport.
IWAN branch locations: simple, consistent configurations; 1 or more BRs connected to each transport; L2 peering required; peer with each DMVPN hub, stub routing.
Diagram: POPs at DC1 and DC2 (BR11, BR12, BR21, BR22, BR31) joined by the WAN core, with branches BR51 and BR52 reached over DMVPN and INET.

14 Highly Redundant Large Scale Topology
Support for multiple BRs per transport: horizontal scaling and redundancy.
Support for multiple POPs, advertising either a different prefix or a common prefix.
Diagram: DC1 (IWAN POP1, BR11 to BR14) and DC2 (IWAN POP2, R21 to R23 and a fourth router) joined by the DCI and WAN core, with branches BR31, BR41 and BR51 reached over DMVPN and INET.

15 IWAN Topology with Dual Homed POP Border Routers
IWAN POP locations: same design as the typical IWAN topology, but with dual-homed Border Routers. Additional redundancy with fewer BRs; larger BRs are required to meet performance targets.
Not supported in IWAN 2.1; planned for a future release.
Diagram: IWAN POPs at DC1 (BR11, BR12) and DC2 (BR21, BR22) joined by the DCI and WAN core, each BR attached to both DMVPN and INET, with branches BR31, BR41 and BR51.

16 IWAN Transport Independent Design Best Practices
Private peering with Internet providers: use the same Internet provider for hub and spoke sites; this avoids Internet Exchange bottlenecks between providers and reduces round-trip latency.
Use a separate DMVPN network per provider: increases availability (separate failure domains) and enables PfR to optimize traffic between providers.
Transport settings: use the same MTU size on all WAN paths; bandwidth settings should match the offered rate; use a front-side VRF to separate Internet and internal default routes.
Routing protocols: EIGRP or BGP for networks over 1000 sites.
Internet security: access-lists or firewalls to block all but DMVPN tunnel traffic; tunnel source IP addresses should not be registered in DNS, making the routers difficult for others to find.
Diagram: a data center ASR 1000 pair with DMVPN Blue over ISP A Internet and DMVPN Green over ISP C Internet to an ISR branch.

17 DMVPN Best Practice Configuration
Use mode transport on the transform-set: NHRP needs it for NAT support, and it saves 20 bytes.
MTU issues: ip mtu 1400; ip tcp adjust-mss 1360; crypto ipsec fragmentation after-encryption (global).
Routing protocol: EIGRP timers on tunnel interfaces 20/60; BGP timers default.
NHRP: ip nhrp holdtime 600; ip nhrp registration no-unique (spokes).
ISAKMP / IKEv2 Call Admission Control (CAC): on spokes and hubs, call admission limit <percent>; on hubs, crypto call admission limit {ike {in-negotiation-sa number | sa number}} and crypto ikev2 limit {max-in-negotiation-sa limit [incoming | outgoing] | max-sa limit}.
Keepalives on spokes (GRE tunnel keepalives are not supported): crypto ikev2 dpd 40 5 on-demand, or crypto isakmp keepalive 40 5. The first timer is twice the routing protocol timer; the second timer is the confirmation and runs 5 times. The total time, 40 + (5 * 5) = 65 seconds, is greater than the routing protocol hold timer, which keeps dead peer detection from running while the routing protocol is functioning correctly.
Invalid-SPI recovery is not useful.
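The slide lists the values to check but not how to check them. The following Python audit is an added example, not part of the deck or of any Cisco tool: it scans a configuration text for the best-practice values above (transport-mode transform-set, ip mtu 1400 with an MSS clamp 40 bytes lower, and DPD timers whose first interval is at least twice the routing hello and whose total detection time exceeds the routing hold timer). The sample configurations, the finding codes and the reading of "twice the routing protocol timer" as twice the EIGRP hello interval are the example's own assumptions.

```python
import re

# IKE dead-peer detection sends the confirmation probe five times before
# declaring the peer dead; the deck's arithmetic is 40 + 5 * 5 = 65 seconds.
DPD_RETRIES = 5
# IP (20) + TCP (20) headers: the MSS clamp is the tunnel IP MTU minus 40.
TCP_IP_HEADERS = 40
EXPECTED_TUNNEL_MTU = 1400
# IOS EIGRP defaults, assumed when the config sets no timers (example assumption).
EIGRP_DEFAULT_HELLO = 5
EIGRP_DEFAULT_HOLD = 15


def dpd_total_seconds(interval: int, retry: int, retries: int = DPD_RETRIES) -> int:
    """Worst-case time until DPD declares a peer dead: the first probe after
    `interval` idle seconds, then `retries` probes spaced `retry` seconds apart."""
    return interval + retry * retries


def _first_int(pattern: str, config: str, default=None):
    """Return the first captured integer for `pattern`, or `default` if absent."""
    match = re.search(pattern, config, re.MULTILINE)
    return int(match.group(1)) if match else default


def audit_dmvpn_config(config: str) -> list:
    """Return 'CODE: explanation' findings for a DMVPN router configuration text.
    An empty list means every checked best-practice value is present."""
    findings = []

    # Transform set must be in transport mode (NAT support, 20 bytes saved).
    if not re.search(r"^\s*mode transport\s*$", config, re.MULTILINE):
        findings.append("TRANSFORM_MODE: transform-set is not 'mode transport'")

    mtu = _first_int(r"^\s*ip mtu (\d+)", config)
    if mtu != EXPECTED_TUNNEL_MTU:
        findings.append(f"IP_MTU: tunnel 'ip mtu' is {mtu}, expected {EXPECTED_TUNNEL_MTU}")

    mss = _first_int(r"^\s*ip tcp adjust-mss (\d+)", config)
    if mtu is not None and mss != mtu - TCP_IP_HEADERS:
        findings.append(f"TCP_MSS: 'ip tcp adjust-mss' is {mss}, expected {mtu - TCP_IP_HEADERS}")

    hello = _first_int(r"^\s*hello-interval (\d+)", config, EIGRP_DEFAULT_HELLO)
    hold = _first_int(r"^\s*hold-time (\d+)", config, EIGRP_DEFAULT_HOLD)

    dpd = re.search(r"^\s*crypto (?:ikev2 dpd|isakmp keepalive) (\d+) (\d+)",
                    config, re.MULTILINE)
    if dpd is None:
        findings.append("DPD_MISSING: no 'crypto ikev2 dpd' or 'crypto isakmp keepalive'")
    else:
        interval, retry = int(dpd.group(1)), int(dpd.group(2))
        # First DPD timer should be twice the routing protocol (hello) timer ...
        if interval < 2 * hello:
            findings.append(f"DPD_INTERVAL: dpd interval {interval}s < 2 * hello {hello}s")
        # ... and total detection time must exceed the routing hold timer, so
        # DPD never tears down a tunnel while routing is still healthy.
        total = dpd_total_seconds(interval, retry)
        if total <= hold:
            findings.append(f"DPD_VS_HOLD: dpd total {total}s <= routing hold timer {hold}s")

    return findings


# Constructed spoke snippet using the deck's values (sample input, not the deck's config).
GOOD_SPOKE = """
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
 mode transport
crypto ikev2 dpd 40 5 on-demand
interface Tunnel100
 ip mtu 1400
 ip tcp adjust-mss 1360
router eigrp IWAN-EIGRP
 address-family ipv4 unicast autonomous-system 400
  af-interface Tunnel100
   hello-interval 20
   hold-time 60
"""

# Constructed snippet with common mistakes: tunnel-mode transform set, default
# MTU and timers, and DPD that fires before the routing protocol would notice.
WEAK_SPOKE = """
crypto ipsec transform-set AES256/SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto isakmp keepalive 5 2
interface Tunnel100
 ip mtu 1500
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_SPOKE), ("weak", WEAK_SPOKE)):
        print(name, audit_dmvpn_config(cfg) or ["OK"])
```

The audit deliberately treats a missing timer as the IOS default rather than skipping the check, since an unset hold timer is exactly the case in which a 40/5 DPD setting would fire first.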

18 DMVPN Configuration: F-VRF
IWAN POP front-door VRF definitions, one per transport:
  vrf definition IWAN-TRANSPORT-1
   address-family ipv4
   exit-address-family
  vrf definition IWAN-TRANSPORT-2
   address-family ipv4
   exit-address-family
IWAN-TRANSPORT-1 is the front-door VRF definition for one transport, IWAN-TRANSPORT-2 the front-door VRF definition for the Internet transport.
Diagram: MC1 with R84 at the IWAN POP, facing the transport and the INTERNET.

19 DMVPN Configuration: IPsec
  crypto ikev2 keyring DMVPN-KEYRING-1
   peer ANY
    address
    pre-shared-key c1sco123
  crypto ikev2 profile FVRF-IKEv2-IWAN-TRANSPORT-1
   match fvrf IWAN-TRANSPORT-1
   match identity remote address
   authentication remote pre-share
   authentication local pre-share
   keyring local DMVPN-KEYRING-1
  crypto ikev2 dpd 40 5 on-demand
  crypto ipsec security-association replay window-size 512
  crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
   mode transport
  crypto ipsec profile DMVPN-PROFILE-1
   set transform-set AES256/SHA/TRANSPORT
   set ikev2-profile FVRF-IKEv2-IWAN-TRANSPORT-1
Notes: the replay window size is maximized to eliminate a future anti-replay issue; mode transport is required for NAT support and has lower overhead; the DPD timers are set for the branch configs (65 s = 40 + 5 * 5 > routing hold timer).
Diagram: MC1 with R84 at the IWAN POP, facing the transport and the INTERNET.

20 DMVPN Hub Configuration: Interfaces & Routing
  interface GigabitEthernet0/0/3
   description -TRANSPORT
   vrf forwarding IWAN-TRANSPORT-1
   ip address
  interface Tunnel100
   bandwidth
   ip address
   no ip redirects
   ip mtu 1400
   ip pim nbma-mode
   ip pim sparse-mode
   ip nhrp authentication cisco123
   ip nhrp map multicast dynamic
   ip nhrp map group RS-20MBPS service-policy output RS-20MBPS-POLICY
   ip nhrp map group ...
   ip nhrp network-id 100
   ip nhrp holdtime 600
   ip nhrp redirect
   ip tcp adjust-mss 1360
   tunnel source GigabitEthernet0/0/3
   tunnel mode gre multipoint
   tunnel key 101
   tunnel vrf IWAN-TRANSPORT-1
   tunnel protection ipsec profile DMVPN-PROFILE-1
  ip route vrf IWAN-TRANSPORT
Notes: the transport interface is put into the front-door VRF; the Tunnel100 interface instantiates the DMVPN tunnel, with the interface bandwidth and MTU configured; the ip pim commands are the multicast-related configuration; ip nhrp map multicast dynamic adds routers automatically; the ip nhrp map group lines attach QoS groups; ip nhrp network-id is the DMVPN network ID; ip nhrp redirect sets DMVPN Phase 3; tunnel source maps the tunnel to the physical interface; tunnel vrf places the tunnel endpoint in the front-door VRF; the ip route vrf statement is the default route for the tunnel endpoints.
Diagram: MC1 with R84 at the IWAN POP, facing the transport and the INTERNET.

21 DMVPN Spoke Configuration: Interfaces & Routing
  interface GigabitEthernet0/1
   vrf forwarding IWAN-TRANSPORT-1
   ip address
  interface Tunnel100
   bandwidth
   ip address
   no ip redirects
   ip mtu 1400
   ip pim dr-priority 0
   ip pim nbma-mode
   ip pim sparse-mode
   ip nhrp authentication cisco123
   ip nhrp group RS-20MBPS
   ip nhrp network-id 100
   ip nhrp holdtime 600
   ip nhrp nhs nbma multicast
   ip nhrp nhs nbma multicast
   ip nhrp registration no-unique
   ip nhrp shortcut
   ip tcp adjust-mss 1360
   no nhrp route-watch
   if-state nhrp
   tunnel source GigabitEthernet0/1
   tunnel mode gre multipoint
   tunnel key 101
   tunnel vrf IWAN-TRANSPORT-1
   tunnel protection ipsec profile DMVPN-PROFILE-1
  ip route vrf IWAN-TRANSPORT
Notes: the transport interface is put into the front-door VRF; the Tunnel100 interface instantiates the DMVPN tunnel, with the interface bandwidth and MTU configured; the ip pim commands are the multicast-related configuration; ip nhrp group assigns the spoke to a QoS group; ip nhrp network-id is the DMVPN network ID; the two ip nhrp nhs entries point to multiple DMVPN hubs for resiliency; ip nhrp shortcut sets DMVPN Phase 3; ip tcp adjust-mss adjusts the TCP segment size; no nhrp route-watch installs shortcuts for paths not in the RIB; if-state nhrp lets NHRP control the interface state; tunnel vrf places the tunnel endpoint in the front-door VRF; the ip route vrf statement is the default route for the tunnel endpoints.
Diagram: spoke R10 facing the transport.

22 IWAN Routing Protocols: Which protocol should I use?
IWAN profiles are based upon BGP and EIGRP for scalability and optimal Intelligent Path Control.
Scalability: BGP (path vector) and EIGRP (advanced distance vector) provide the best scale over large hub-and-spoke topologies like DMVPN. OSPF (link state) maintains a lot of network state which cannot be subdivided easily in large DMVPN networks.
Intelligent Path Control: PfR can be used with any routing protocol by relying on the routing table (RIB); this requires all valid WAN paths to be ECMP so that each valid path is in the RIB. For BGP and EIGRP, PfR can look into the protocol's topology information to determine both best paths and secondary paths, so ECMP is not required.

23 IWAN Deployment: EIGRP
Single EIGRP process for branch, WAN and POP/hub sites. Extend the hello/hold timers for the WAN. Adjust the tunnel interface delay to ensure WAN path preference (one transport primary, INET secondary).
Hubs: disable split-horizon; advertise the site summary, the enterprise summary and the default route to the spokes. Summary metrics: a summary-metric is used to reduce computational load on the DMVPN hubs. Ingress filter on tunnels.
Spokes: EIGRP stub-site functionality builds on stub functionality; it allows a router to advertise itself as a stub to peers on specified WAN interfaces while still exchanging routes learned on LAN interfaces.
Diagram: tunnel delays (1000, 2000, 25000) are set to influence the best path between Site1 (R10) and Site2 (R20) via R11, R12, R21, R22, the DCI and WAN core, and INET; the branches (R31, R41, R51, R52) are EIGRP stub sites.

24 DMVPN Hub Configuration: Routing
  router eigrp IWAN-EIGRP
   address-family ipv4 unicast autonomous-system 400
    af-interface default
     passive-interface
    exit-af-interface
    af-interface Port-channel1
     no passive-interface
    exit-af-interface
    af-interface Tunnel10
     summary-address
     hello-interval 20
     hold-time 60
     no passive-interface
     no split-horizon
    exit-af-interface
    topology base
     distribute-list route-map SET-TAG-DMVPN-1 out Port-channel1
     distribute-list route-map SET-TAG-ALL out Tunnel10
     distribute-list route-map BLOCK-DC2-DMVPN-1 in Tunnel10
    exit-af-topology
    network
    network
    eigrp router-id
   exit-address-family
Notes: use EIGRP named mode; af-interface default sets the default values for interfaces; Port-channel1 is the LAN interface configuration; Tunnel10 is the tunnel interface configuration, where the WAN address ranges are summarized, the timers adjusted and split horizon disabled; the distribute-lists tag and filter routes; the network statements enable EIGRP for the networks.
*) Some parts of the configuration are not shown (e.g. authentication, ...).
Diagram: MC1 with R84 at the IWAN POP, facing the transport and the INTERNET.

25 DMVPN Spoke Configuration: Routing
  router eigrp IWAN-EIGRP
   address-family ipv4 unicast autonomous-system 400
    af-interface default
     passive-interface
    exit-af-interface
    af-interface Tunnel10
     summary-address
     hello-interval 20
     hold-time 60
     no passive-interface
    exit-af-interface
    ...
    topology base
     distribute-list route-map DMVPN1-BR-IN in Tunnel10
     distribute-list route-map DMVPN2-BR-IN in Tunnel11
     distribute-list route-map BLOCK-LEARNED out Tunnel10
     distribute-list route-map BLOCK-LEARNED out Tunnel11
    exit-af-topology
    network
    network
    network
    network
    eigrp router-id
    eigrp stub connected summary redistributed
   exit-address-family
Notes: use EIGRP named mode; af-interface default sets the default values for interfaces; Tunnel10 is the tunnel interface configuration, where the branch address ranges are summarized and the timers adjusted; the distribute-lists tag and filter routes; the network statements enable EIGRP for the networks; eigrp stub enables the EIGRP stub feature.
*) Some parts of the configuration are not shown (e.g. authentication, Tunnel 11, ...).
Diagram: spoke R10 facing the transport.

26 IWAN Deployment: BGP
A single iBGP routing domain is used, with appropriate hello/hold timers for the WAN.
Hub: DMVPN hub routers function as BGP route-reflectors for the spokes; there is no BGP peering between the RRs. The BGP dynamic peer feature is configured on the route-reflectors. Site-specific prefixes, the enterprise summary prefix and the default route are advertised to the spokes. Set local preference for all prefixes. Redistribute BGP into the local IGP with a defined metric cost to attract traffic from the central sites to the spokes.
Spokes: peer to the hub/transit BRs in each DMVPN cloud; mutual redistribution OSPF/BGP; set a route tag to identify routes redistributed from BGP. The preferred path is the one with the highest local preference.
Diagram: Site1 (R10) and Site2 (R20) run OSPF, with BGP redistributed at metrics 1000 and 2000 via R11, R12, R21, R22 and the DCI and WAN core; branches R31, R41, R51 reach the hubs over the primary transport and INET, with local preference values (3000, 400) shown per path.

27 Deploying with User VRFs
  vrf definition TEST1
   address-family ipv4
   exit-address-family
  vrf definition TEST2
   address-family ipv4
   exit-address-family
  interface Tunnel101
   vrf forwarding TEST1
   tunnel key 101
   tunnel vrf IWAN-TRANSPORT-1
  interface Tunnel102
   vrf forwarding TEST2
   tunnel key 102
   tunnel vrf IWAN-TRANSPORT-1
One DMVPN tunnel per VRF, over-the-top routing per VRF and SAF peering per VRF.
Diagram: transit site MC1 with R84 and R85 connected over the primary transport and INET to the enterprise branch sites R10, R11, R12.

28 Intelligent Path Selection using PfRv3

29 Cisco Intelligent WAN (IWAN)
Transport Independence: IPsec WAN overlay; consistent operational model; DMVPN.
Intelligent Path Control: optimal application routing; efficient use of bandwidth; Performance Routing (PfRv3).
Application Optimization: performance monitoring; optimization and caching; AVC, WAAS, Akamai.
Secure Connectivity: next-generation (NG) strong encryption; threat defense; Suite-B, CWS, ZBFW.
Management & Orchestration spans all four pillars.
Diagram: a branch with AVC, WAAS, Akamai and PfRv3 connected over the Internet and 3G/4G-LTE to the private cloud, the virtual private cloud and the public cloud; platforms shown are ISR-AX and ASR1000-AX.

30 Intelligent Path Control with PfR: Enterprise Use Case
Voice, video and critical applications take the best delay, jitter and/or loss path; other traffic is load balanced to maximize bandwidth.
PfR monitors network performance and routes applications based on application performance policies.
PfR load balances traffic based upon link utilization levels to efficiently utilize all available WAN bandwidth.
Voice, video and critical applications will be rerouted if the current path degrades below policy thresholds.
Diagram: a branch connected over two paths to the private cloud, the virtual private cloud and the Internet.

31 PfRv3 and Parent Routes
Make sure that all Border Routers have a route over each external path to the destination sites; otherwise PfR will NOT be able to effectively control traffic.
PfRv3 always checks for a parent route before it can control a Traffic Class. The parent route check is done as follows: check whether there is an NHRP shortcut route; if not, check in the order of BGP, EIGRP, static and RIB. If at any point an NHRP shortcut route appears, PfRv3 picks that up and relinquishes the parent route from one of the routing protocols.
PfRv3 up to 3.15/15.5(2)T supported only one next-hop per multipoint interface: routing has to be done such that only one next-hop per destination prefix is in the routing table per DMVPN tunnel interface.
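The lookup order and the one-next-hop-per-tunnel constraint described above can be exercised on toy route tables. The Python below is an added example, not the deck's or Cisco's code: it implements the parent route search (NHRP shortcut first, then BGP, EIGRP, static, RIB, each with longest-prefix match) and flags DMVPN tunnel interfaces that carry more than one next hop for the matched prefix. Table names, prefixes and next hops are constructed for the demo.

```python
import ipaddress
from collections import defaultdict

# Lookup order PfRv3 uses when it searches for a parent route (from the deck):
# an NHRP shortcut route wins; otherwise BGP, EIGRP, static and finally the RIB.
PARENT_ROUTE_ORDER = ("nhrp-shortcut", "bgp", "eigrp", "static", "rib")


class RouteTables:
    """Toy per-source tables: source -> {prefix -> [(next_hop, interface), ...]}."""

    def __init__(self):
        self.tables = {source: defaultdict(list) for source in PARENT_ROUTE_ORDER}

    def add(self, source, prefix, next_hop, interface):
        self.tables[source][ipaddress.ip_network(prefix)].append((next_hop, interface))

    def longest_match(self, source, destination):
        """Longest-prefix match within one source table, or None."""
        dst = ipaddress.ip_address(destination)
        candidates = [net for net in self.tables[source] if dst in net]
        if not candidates:
            return None
        best = max(candidates, key=lambda net: net.prefixlen)
        return best, list(self.tables[source][best])


def find_parent_route(tables, destination):
    """Return (source, prefix, next_hops) from the first table in PARENT_ROUTE_ORDER
    that holds a route to `destination`, or None if no parent route exists
    (in which case PfR cannot control the traffic class)."""
    for source in PARENT_ROUTE_ORDER:
        hit = tables.longest_match(source, destination)
        if hit is not None:
            prefix, next_hops = hit
            return source, prefix, next_hops
    return None


def tunnels_with_multiple_next_hops(next_hops):
    """PfRv3 up to 3.15/15.5(2)T supports one next hop per multipoint interface:
    return the tunnel interfaces (sorted) that violate that for one prefix."""
    per_interface = defaultdict(set)
    for next_hop, interface in next_hops:
        per_interface[interface].add(next_hop)
    return sorted(iface for iface, hops in per_interface.items() if len(hops) > 1)


def build_sample_tables():
    """Constructed example tables; all addresses are made up for the demo."""
    t = RouteTables()
    # Hub summary learned over both DMVPN clouds: one next hop per tunnel, fine.
    t.add("bgp", "10.1.0.0/16", "10.100.0.1", "Tunnel100")
    t.add("bgp", "10.1.0.0/16", "10.200.0.1", "Tunnel200")
    # A spoke-to-spoke NHRP shortcut that appeared for one branch prefix.
    t.add("nhrp-shortcut", "10.1.1.0/24", "10.100.0.31", "Tunnel100")
    # Misconfigured prefix: two hub next hops on the same tunnel interface.
    t.add("eigrp", "10.2.0.0/16", "10.100.0.1", "Tunnel100")
    t.add("eigrp", "10.2.0.0/16", "10.100.0.2", "Tunnel100")
    return t


if __name__ == "__main__":
    tables = build_sample_tables()
    for dst in ("10.1.1.5", "10.1.9.5", "10.2.3.4", "192.0.2.1"):
        hit = find_parent_route(tables, dst)
        if hit is None:
            print(dst, "-> no parent route; PfR cannot control this traffic class")
        else:
            source, prefix, hops = hit
            print(dst, "->", source, prefix, hops,
                  "violations:", tunnels_with_multiple_next_hops(hops))
```

Running the block shows the shortcut overriding the BGP summary for 10.1.1.5, the two-tunnel BGP summary passing the next-hop check, and the EIGRP prefix with two next hops on Tunnel100 being reported, which is the condition the slide says must be avoided.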

32 PfRv3: How it Works
Define your traffic policy: define path optimization policies on the hub MC (load balancing, path preference, application metrics); DSCP-based and application-based policies.
Learn the traffic: traffic flowing through the Border Routers (BRs) that matches a policy is learned as Traffic Classes (Unified Performance Monitor).
Measurement: report the measured TC performance metrics to the Master Controller for policy compliance (Unified Performance Monitor).
Path enforcement: the Master Controller directs BR path changes to keep traffic within policy (route enforcement module in the feature path).
Diagram: ISR and ASR1K border routers around the MC, which holds the traffic classes, the active TCs, the performance measurements and the TC-to-path mapping.

33 PfR Components
The decision maker, the Master Controller (MC): applies policy, verification and reporting; no packet forwarding or inspection required; standalone or combined with a BR; VRF aware; IPv4 only (IPv6 future).
The forwarding path, the Border Router (BR): gains network visibility in the forwarding path (learn, measure); enforces the MC's decision (path enforcement); VRF aware; IPv4 only (IPv6 future).
Diagram: MC1 with BR1 and BR2 at the hub; combined MC/BR devices and a BR at the branches.

34 IWAN Domain
A collection of sites that share the same set of policies. An IWAN domain includes a mandatory hub site, optional transit sites, as well as branch sites.
Each site has a unique identifier (Site-ID), derived from the loopback address of the local MC.
Central and headquarter sites play a significant role in PfR and are called an IWAN Point of Presence (POP). Each of these sites has a unique identifier called a POP-ID.
Each site runs PfR and gets its path control configuration and policies from the logical IWAN domain controller through the IWAN Peering Service.
Diagram: POP1 (hub, MC1, BR1 to BR4) and POP2 (transit, MC2) at DC1 and DCn, joined by the DCI and WAN core, with IWAN peering to branch MC/BRs over PATH1 and PATH2.

35 Hub Site
Located in an enterprise central site or headquarter location. Can act as a transit site to access servers in the datacenters or for spoke-to-spoke traffic.
A POP identifier (POP-ID) of 0 is automatically assigned to a hub site. Only one hub site exists per IWAN domain.
The logical domain controller functionality resides on this site's master controller (MC). The master controller for this site is known as the Hub master controller (Hub MC, HMC). MCs from all other sites (transit or branch) connect to the Hub MC for PfR configuration and policies.
Diagram: POP1 (hub, POP-ID 0, MC1 holding the policies and monitors, BR1, BR2) and POP2 (transit, POP-ID 1, MC2, BR3, BR4) reach the branches over DMVPN with path-id 1 and the INET DMVPN with path-id 2.

36 Policy/Monitor Distribution
Domain policies and monitor instances are configured on the hub MC. Policies are defined per VRF, then distributed to the branch sites using the peering infrastructure.
Diagram: DC MC and BRs, a transit BR, and branches with dual CPE (MC/BR plus BR) or single CPE (MC/BR), connected over the primary transport and INET.

37 Performance Policies: DSCP or Application Based
  domain IWAN
   vrf default
    master hub
     load-balance
     class MEDIA sequence 10
      match application telepresence-media policy real-time-video
      match application ms-lync policy real-time-video
      path-preference fallback INET
     class VOICE sequence 20
      match dscp ef policy voice
      path-preference fallback INET
     class CRITICAL sequence 30
      match dscp af31 policy low-latency-data
Policies: DSCP- or application-based policies (NBAR2). DSCP marking can be used with NBAR2 on the LAN interface (ingress on the BR). The default class is load balanced.

38 Built-in Policy Templates
Pre-defined template: threshold definition
Voice: priority 1 one-way-delay threshold 150 (msec); priority 2 packet-loss-rate threshold 1 (%); priority 2 byte-loss-rate threshold 1 (%); priority 3 jitter 30 (msec).
Real-time-video: priority 1 packet-loss-rate threshold 1 (%); priority 1 byte-loss-rate threshold 1 (%); priority 2 one-way-delay threshold 150 (msec); priority 3 jitter 20 (msec).
Low-latency-data: priority 1 one-way-delay threshold 100 (msec); priority 2 byte-loss-rate threshold 5 (%); priority 2 packet-loss-rate threshold 5 (%).
Bulk-data: priority 1 one-way-delay threshold 300 (msec); priority 2 byte-loss-rate threshold 5 (%); priority 2 packet-loss-rate threshold 5 (%).
Best-effort: priority 1 one-way-delay threshold 500 (msec); priority 2 byte-loss-rate threshold 10 (%); priority 2 packet-loss-rate threshold 10 (%).
Scavenger: priority 1 one-way-delay threshold 500 (msec); priority 2 byte-loss-rate threshold 50 (%); priority 2 packet-loss-rate threshold 50 (%).
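To make the templates above, the path-preference/fallback policy from slide 37 and the "rerouted if the current path degrades below policy thresholds" rule from slide 30 concrete, here is an added Python example (not from the deck or from Cisco). It encodes the six built-in templates as listed, evaluates measured channel metrics against them to produce threshold crossings, and picks the path for a traffic class: the preferred path while it is within policy, the fallback while the preferred one is not. The path names (PRIMARY stands in for the transport name that is missing from the slides, INET is from the deck), the sample measurements and the tie-break used when both paths are out of policy are the example's own assumptions.

```python
# PfRv3 built-in policy templates as listed in the deck: (priority, metric, threshold).
# Delay and jitter thresholds are in milliseconds, loss rates in percent.
POLICY_TEMPLATES = {
    "voice": [(1, "one-way-delay", 150), (2, "packet-loss-rate", 1),
              (2, "byte-loss-rate", 1), (3, "jitter", 30)],
    "real-time-video": [(1, "packet-loss-rate", 1), (1, "byte-loss-rate", 1),
                        (2, "one-way-delay", 150), (3, "jitter", 20)],
    "low-latency-data": [(1, "one-way-delay", 100), (2, "byte-loss-rate", 5),
                         (2, "packet-loss-rate", 5)],
    "bulk-data": [(1, "one-way-delay", 300), (2, "byte-loss-rate", 5),
                  (2, "packet-loss-rate", 5)],
    "best-effort": [(1, "one-way-delay", 500), (2, "byte-loss-rate", 10),
                    (2, "packet-loss-rate", 10)],
    "scavenger": [(1, "one-way-delay", 500), (2, "byte-loss-rate", 50),
                  (2, "packet-loss-rate", 50)],
}


def threshold_crossings(policy, metrics):
    """Return (priority, metric, threshold, measured) tuples for every template
    threshold the channel exceeds, most severe (lowest priority number) first.
    Metrics absent from `metrics` are treated as not measured."""
    crossings = []
    for priority, metric, threshold in POLICY_TEMPLATES[policy]:
        measured = metrics.get(metric)
        if measured is not None and measured > threshold:
            crossings.append((priority, metric, threshold, measured))
    return sorted(crossings)


def choose_path(policy, preferred, fallback, path_metrics):
    """Select the path for a traffic class and return (path, crossings):
    the preferred path while it is within policy; otherwise the fallback if it
    is clean. When both paths violate the policy, this example keeps the path
    whose worst crossing has the higher priority number (least severe), with
    the preferred path winning ties. That tie-break is the example's own
    simplification, not behaviour the deck documents."""
    crossings = {path: threshold_crossings(policy, path_metrics[path])
                 for path in (preferred, fallback)}
    for path in (preferred, fallback):
        if not crossings[path]:
            return path, []
    best = max((preferred, fallback), key=lambda p: crossings[p][0][0])
    return best, crossings[best]


# Constructed per-path measurements for one channel each (sample input, not from the deck).
SAMPLE_METRICS = {
    "PRIMARY": {"one-way-delay": 210, "packet-loss-rate": 0.2,
                "byte-loss-rate": 0.2, "jitter": 12},
    "INET": {"one-way-delay": 95, "packet-loss-rate": 0.4,
             "byte-loss-rate": 0.5, "jitter": 18},
}

if __name__ == "__main__":
    for policy in ("voice", "real-time-video", "bulk-data"):
        path, why = choose_path(policy, "PRIMARY", "INET", SAMPLE_METRICS)
        print(f"{policy:16s} -> {path}", "" if not why else f"(crossings: {why})")
```

With the sample measurements, voice and real-time-video move to INET because the 210 ms one-way delay on PRIMARY crosses their 150 ms threshold, while bulk-data stays on PRIMARY because its 300 ms threshold is not crossed; this is the per-class behaviour the path-preference and fallback lines on slide 37 express.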

39 Transit Site
Located in an enterprise central site or headquarter location. Can act as a transit site to access servers in the datacenters or for spoke-to-spoke traffic.
A POP identifier (POP-ID) is configured for each transit site; this POP-ID has to be unique in the domain.
The master controller (MC) for this site is known as a Transit Master Controller (Transit MC, TMC). The local MC peers with the Hub MC to get its policies, monitors, configuration and timers.
Diagram: POP1 (hub, POP-ID 0, MC1, BR1, BR2) and POP2 (transit, POP-ID 1, MC2, BR3, BR4) with IWAN peering between the MCs, reaching the branches over DMVPN with path-id 1 and INET with path-id 2.

40 Branch Site
These will always be DMVPN spokes, and are stub sites where traffic transit is not allowed. The local MC peers with the logical domain controller (aka the Hub MC) to get its policies and monitoring guidelines.
Diagram: branch MC/BRs (single CPE) and MC/BR plus BR (dual CPE) peer with MC1 at POP1 (hub) over the DMVPN and INET clouds terminated on BR1 to BR4 at POP1 and POP2 (transit, MC2).

41 WAN Interface Discovery
Hub and transit BRs have path names and path identifiers manually defined: the path name identifies a transport; the path identifier (path-id) is unique per site.
Hub and transit BRs send discovery packets carrying the path names to all discovered sites (path discovery from the hub Border Routers).
The WAN path is detected on the branch: path name, POP-ID, path-id, DSCP.
Diagram: the hub site (POP-ID 0, Hub MC MC1, BR1, BR2) and the transit site (POP-ID 1, Transit MC MC2, BR3, BR4) each advertise the primary path as path-id 1 over DMVPN and the INET path as path-id 2, towards the branch MC/BRs.

42 WAN Interface Performance Monitors
PfR automatically configures 3 Performance Monitor instances (PMI) over every external interface:
Monitor1: site prefix learning (egress direction).
Monitor2: aggregate bandwidth per traffic class (egress direction).
Monitor3: performance measurements (ingress direction).

43 Performance Monitoring: User Traffic, Passive Monitoring
Bandwidth is measured on egress per traffic class (destination prefix, DSCP, application name).
The Performance Monitor collects performance metrics per channel: per DSCP, per source and destination site, per interface.
Diagram: SITE1 (MC with BRs) connected over the primary transport and INET to SITE2 (dual CPE: MC/BR and BR) and SITE3 (single CPE: MC/BR).

44 Performance Monitoring: Smart Probing
Integrated smart probes: traffic-driven, intelligently switched on and off; site to site and per DSCP.
The Performance Monitor collects performance metrics per channel: per DSCP, per source and destination site, per interface.
Diagram: the same three-site topology (SITE1 with MC and BRs, SITE2 dual CPE, SITE3 single CPE) over the primary transport and INET.

45 Performance Violation
A Threshold Crossing Alert (TCA) is sent to the source site on loss, delay, jitter or unreachable.
Diagram: the same three-site topology (SITE1 with MC and BRs, SITE2 dual CPE, SITE3 single CPE) over the primary transport and INET.

46 Performance Violation: NetFlow Export
Diagram: the same three-site topology (SITE1 with MC and BRs, SITE2 dual CPE, SITE3 single CPE) over the primary transport and INET, with the violation exported via NetFlow.

47 Policy Decision
Reroute traffic to a secondary path.
Diagram: user traffic between SITE1 (MC and BRs) and SITE2 (dual CPE) or SITE3 (single CPE) is rerouted to the secondary path.

48 Deploying PfRv3 in the Network

49 PfR Deployment: Hub
R83 (MC):
  domain IWAN
   vrf default
    master hub
     source-interface Loopback0
     enterprise-prefix prefix-list ENTERPRISE_PREFIX
     site-prefixes prefix-list DC_PREFIX
R84, R85 (BRs):
  domain IWAN
   vrf default
    border
     master
     source-interface Loopback0
  interface Tunnel100
   description -- Primary Path --
   domain IWAN path path-id 1
  interface Tunnel200
   description -- Secondary Path --
   domain IWAN path INET path-id 2
Hub site: the enterprise prefix is a summary prefix for the entire domain; the site prefix is a static definition of the prefixes for a site (no automatic learning), mandatory.
Diagram: hub site (R83 Hub MC, POP ID 0, BRs R84 and R85) and R93 with R94 and R95, with DMVPN path-id 1 and INET DMVPN path-id 2 towards branches R10, R11, R12.

50 Redundant MC: Anycast IP
What happens when an MC fails? Traffic is forwarded based on routing information, i.e. no drop.
What happens when the Hub MC fails? Branch MCs keep their configuration and policies and continue to optimize traffic.
A backup MC can be defined on the hub, using the same IP address as the primary; the routing protocol is used to make sure the BRs and branch MCs connect to the primary. Stateless redundancy: the backup MC will re-learn the traffic.
Diagram: Hub MC MC1 at the hub site and backup Hub MC MC2 at the transit site, both reachable by R84, R85 and the branches R10, R11, R12 over the primary transport and INET.

51 PfR Deployment: Transit Site
R93 (MC):
  domain IWAN
   vrf default
    master transit 1
     source-interface Loopback0
     site-prefixes prefix-list DC_PREFIX
     hub
R94, R95 (BRs):
  domain IWAN
   vrf default
    border
     master
     source-interface Loopback0
  interface Tunnel100
   description -- Primary Path --
   domain IWAN path path-id 1
  interface Tunnel200
   description -- Secondary Path --
   domain IWAN path INET path-id 2
Transit site: the site prefix is a static definition of the prefixes for the site (no automatic learning), mandatory.
Diagram: hub site (R83 Hub MC, POP ID 0, R84, R85) and transit site (R93 Transit MC, POP ID 1, R94, R95) with DMVPN path-id 1 and INET DMVPN path-id 2 towards branches R10, R11, R12.

52 PfR Deployment: Single CPE Branch
R10:
  domain IWAN
   vrf default
    master branch
     source-interface Loopback0
     hub
    border
     master local
     source-interface Loopback0
Single CPE branch sites: the branch MCs connect to the hub.
Diagram: hub site (R83, R84, R85) and transit site (R93, R94, R95) with DMVPN and INET DMVPN clouds towards the branches R10, R11, R12, R13.

53 PfR Deployment: Dual CPE Branch
R12 (MC/BR):
  domain IWAN
   vrf default
    master branch
     source-interface Loopback0
     hub
    border
     master local
     source-interface Loopback0
R13 (BR):
  domain IWAN
   vrf default
    border
     master
     source-interface Loopback0
Dual CPE branch sites: the branch MCs connect to the hub.
Diagram: hub site (R83, R84, R85) and transit site (R93, R94, R95) with DMVPN and INET DMVPN clouds towards the branches R10, R11, R12, R13.

54 PfR Deployment: Hub Policies, Intervals
R83:
  domain one
   vrf default
    master hub
     source-interface Loopback0
     site-prefixes prefix-list DC1_PREFIX
     monitor-interval 4 dscp af31
     monitor-interval 4 dscp cs4
     monitor-interval 4 dscp af41
     monitor-interval 4 dscp ef
     load-balance
     enterprise-prefix prefix-list ENTERPRISE_PREFIX
     class VOICE sequence 10
      match dscp ef policy voice
      path-preference fallback INET
     class VIDEO sequence 20
      match dscp af41 policy custom
       priority 2 loss threshold 5
       priority 1 one-way-delay threshold 150
      match dscp cs4 policy custom
       priority 2 loss threshold 5
       priority 1 one-way-delay threshold 150
      path-preference fallback INET
     class CRITICAL sequence 30
      match dscp af31 policy low-latency-data
      path-preference fallback INET
Hub site: policies are configured on the hub only; monitoring intervals can be adjusted.
Diagram: hub site (R83 Hub MC, POP ID 0, R84, R85) and R93 with R94 and R95, with DMVPN path-id 1 and INET DMVPN path-id 2 towards branches R10, R11, R12.

55 Deploying with VRF: Hub MC
  interface Loopback1
   vrf forwarding TEST1
  interface Loopback2
   vrf forwarding TEST2
  domain IWAN
   vrf TEST1
    master hub
     source-interface Loopback1
   vrf TEST2
    master hub
     source-interface Loopback
Diagram: transit site MC1 with R84 and R85 and the enterprise branch sites R10, R11, R12, with the routing contexts GLOBAL, VRF TEST1 and VRF TEST2 carried over the primary transport and INET.

56 Deploying with VRF: Hub MC Policies
  domain IWAN
   vrf TEST1
    master hub
     load-balance
     class VOICE sequence 10
      match dscp ef policy voice
      path-preference fallback INET
     class VIDEO sequence 20
      match dscp af41 policy voice
      path-preference fallback INET
     class CRITICAL sequence 30
      match dscp af31 policy low-latency-data
   vrf TEST2
    master hub
     load-balance
     class VOICE sequence 10
      match dscp ef policy voice
      path-preference fallback INET
     class CRITICAL sequence 30
      match dscp af31 policy low-latency-data

57 Deploying with VRF: Hub BR
  domain IWAN
   vrf TEST1
    border
     master
     source-interface Loopback1
   vrf TEST2
    border
     master
     source-interface Loopback2
  interface Tunnel101
   description -- Primary Path
   vrf forwarding TEST1
   domain IWAN path
  interface Tunnel102
   description -- Primary Path
   vrf forwarding TEST2
   domain IWAN path
Diagram: transit site MC1 with R84 (Tu101, Tu102) and R85, and the enterprise branch sites R10, R11, R12, with the routing contexts GLOBAL, VRF TEST1 and VRF TEST2 carried over the primary transport and INET.

58 Deploying with VRF: Branch MC/BR
R10:
  domain IWAN
   vrf TEST1
    master branch
     source-interface Loopback1
     hub
    border
     master local
     source-interface Loopback1
   vrf TEST2
    master branch
     source-interface Loopback2
     hub
    border
     master local
     source-interface Loopback2
Diagram: transit site MC1 with R84 (Tu101, Tu102) and R85, and the enterprise branch sites R10, R11, R12, with the routing contexts GLOBAL, VRF TEST1 and VRF TEST2 carried over the primary transport and INET.

59 Summary

60 Intelligent WAN: An Architectural and Systems Approach
IWAN is a solution architecture: it solves a network problem and is use-case driven.
Systems development approach: prescribed, tested, interoperable; bounded scope and complexity; enables automation and quality.
Delivers business outcomes: reduce WAN costs and increase bandwidth; improve and protect application performance; direct Internet access, guest access and offload; IT simplification (cost reduction).

61 Platform Support

The MC and BR roles run on:
- Cisco CSR-1000
- Cisco ASR-1000
- Cisco ISR G2 family: 3900-AX, 2900-AX, 1900-AX, 890
- Cisco ISR

(1) XE 3.18

62 Cisco IWAN Enterprise Management Portfolio

IWAN App: Prescriptive Policy Automation
- Customer wants considerable automation and operational simplicity
- Requirements consistent with the prescriptive IWAN Validated Design
- Fit: lean IT organization

Prime Infrastructure: Enterprise Network Management and Monitoring
- Customer needs customizable IWAN with end-to-end monitoring
- One Assurance across the Cisco portfolio from branch to data center
- Fit: IT network team

Cisco Ecosystem Partners: Application Aware Performance Management
- Customer looking for advanced monitoring and visualization
- QoS/PfR/AVC configuration, real-time analytics and network troubleshooting
- Fit: IT network team

Cisco Ecosystem Partners: Advanced Orchestration
- Customer wants advanced provisioning, life-cycle management and customized policies
- System-wide network consistency assurance
- Fit: lean IT or IT network team


More information

Fundamentals and Deployment of Cisco SD-WAN Duration: 3 Days (24 hours) Prerequisites

Fundamentals and Deployment of Cisco SD-WAN Duration: 3 Days (24 hours) Prerequisites Fundamentals and Deployment of Cisco SD-WAN Duration: 3 Days (24 hours) Prerequisites The recommended knowledge and skills that a learner must have before attending this course are as follows: Knowledge

More information