Migrating Your Existing WAN to Cisco's IWAN


2 Migrating Your Existing WAN to Cisco's IWAN BRKCRS-2007 Brad Edgeworth, CCIE#31574, Systems Mani Ganesan, CCIE#27200, Consulting Systems

3 Introduction
Housekeeping: Who we are? For your reference only. Preferred or Recommended. Advanced Class.
- This is not an Introduction to IWAN session
- This is not an IWAN Design session. Some design aspects will be discussed
- This session is about how to migrate your existing WAN to Cisco's Intelligent WAN
- A lot of things will technically work, but IWAN is a prescriptive design. The design keeps things simple
- This session is focused primarily on transport independence and performance routing, specifically how to deploy it
- We tried to keep things in a logical order as much as possible, but there are some we couldn't, so STAY AWAKE!
BRKCRS Cisco and/or its affiliates. All rights reserved. Cisco Public 3

4 BRKCRS-2007: Migrating Your Existing WAN to Cisco's IWAN
Sequence of Migration
- Migration Planning and Tools
- End State IWAN Concepts: QoS, DMVPN and Routing
- DMVPN Hub Router Placement Strategies
- Migrating Branch Routers
- Other Migration Scenarios (Dual MPLS Hybrid Model Migration, IPsec Migration)
- Performance Routing (PfR)

5 Introduction

6 Intelligent WAN Solution Components
[Figure: Branch connected over MPLS, Internet and 3G/4G-LTE to Private Cloud, Virtual Private Cloud and Public Cloud, with AVC, WAAS and PfR]
Transport Independent
- Consistent operational model
- Simple provider migrations
- Scalable and modular design
- DMVPN IPsec overlay design
Intelligent Path Control
- Application best path based on delay, loss, jitter, path preference
- Load balancing for full utilization of all bandwidth
- Improved network availability
- Performance Routing (PfR)
Application Optimization
- AVC: Application monitoring with Application Visibility and Control
- WAAS: Intelligent Edge Caching with Akamai Connect
- WAAS: Application Acceleration and bandwidth savings
Secure Connectivity
- Certified strong encryption
- Comprehensive threat defense with ASA and IOS firewall/IPS
- Cloud Web Security (CWS) for scalable secure direct Internet access

7 Where to start?
- IWAN is not all or nothing, so deploy in phases if that's easier
- DIA and App Optimization (WAAS and Akamai) can be deployed anytime during the process
- Start with transport independence before adding path control
  - DMVPN is needed to run Performance Routing (PfRv3)
  - Provides us consistent overlay routing across all transports
- This session is focused on Transport Independence, PfR and Connectivity. This matters the most during migration

8 IWAN Topology LAN Prefixes: /8 (Site Location is 2nd Octet) HQ is /16 & /16 Remote Sites: / / /16 DMVPN Hub Routers R11 & R21 MPLS Transport R12 & R22 Internet Transport Transport: /16 MPLS /16 Internet DC1 DC2

9 Planning the Migration

10 Mastering The Migration
- People + Process + Technology
- Avoid implementation that doesn't map back to the logical design determined necessary to address key requirements
- Must have a strong understanding of the current state environment to ensure implementation success

11 Why is Migration Planning critical?
- Moving all branch traffic from underlay to overlay tunnels can be complicated
- WAN migration may last for weeks or months
- Need to maintain universal connectivity between legacy sites and IWAN sites that are migrated
- Choose the right sites to act as migration sites (during the migration phase) based on circuit speeds and device capacity
- What is being migrated? All branches, or leaving some sites on the legacy WAN?

12 Where Do We Start Our IWAN Migration?
Gather information and document it:
- Inventory
- Licenses
- Software Version
- Top applications with AVC
- Existing Routing Design
- QoS Design
- Sites with Backdoor Links

13 Capacity Management - WAN/Backbone
[Figure: WAN/backbone capacity report across Internet, Carrier 1 VPN and Carrier 2 VPN. Thresholds shown: WAN Interface Utilization >60%, Dropped Packets > 1%, Delay > 1; WAN Interface Utilization >75%, Dropped Packets > 5%, Delay > 2. Report columns: opco, STATE_PROCITY, Network Element Name, Product ID, capacity, maxdelay, mindelay, rxavgutil, rxbusy4avgutil, txavgutil, txbusy4avgutil]

14 Capacity Management - Branch
[Figure: Branch Optimization Analysis for a branch with AT&T/SPRINT MPLS and Internet links; table of Input/Output 5min (bps) and 5min Max (bps) per protocol for exchange, skype, rtp, ftp, h, edonkey, Total; branch devices: Media Gateway, WLC, Access Switches, APs, Cache Engine, PC, Core/Dist Switches, HDTV Signage, Video Conferencing, IP Desktop, Video Surveillance Camera]
c881#show flow monitor FLOWMON cache agg app name
Processed 32 flows
Aggregated to 9 flows
APP NAME flows bytes pkts
============= ========== ========== ==========
prot icmp
port http
port netbios-ns
cisco unclass
port ms-wbt
port ssh
cisco dhcp
port dropbox
port isakmp

15 Capacity Management Branch NBAR View
BU3 (top 10 apps), 3Mbps sites | Max bps (input) * | Max bps (output) * | Observations
HTTP | 2.9Mbps | 2Mbps | Bandwidth Hog
Skype | 2.4Mbps | 2.2Mbps | Unauthorized App/Bandwidth Hog
Exchange | 2.7Mbps | 1.6Mbps | Bandwidth Hog
FTP | 1.9Mbps | negligible | High Bandwidth Usage
edonkey | 1Mbps | 1Mbps | Unauthorized/High Bandwidth Usage
RTP | 1.3Mbps | 750Kbps | High Volume/High Bandwidth Usage
Novadigm | 1.1Mbps | 400Kbps | Investigate
Skinny | 1.6Mbps | negligible | High Volume/High Bandwidth Usage
Fasttrack | 700Kbps | 270Kbps | Unauthorized/High Bandwidth Usage
Citrix | 1.2Mbps | negligible | High Bandwidth Usage/Monitor Latency

BU1 (top 10 apps), 3-6Mbps sites | Max bps (input) * | Max bps (output) * | Observations
SYSLOG | negligible | Max Capacity | Bandwidth Hog
HTTP | Max Capacity | 1Mbps | Bandwidth Hog
Secure HTTP | Max Capacity | 600Kbps | Bandwidth Hog
IMAP | 950Kbps | 700Kbps | High Bandwidth Usage
SMTP | 30Kbps | 800Kbps | High Bandwidth Usage
Exchange | 1.7Mbps | 400Kbps | High Bandwidth Usage
Skype | 600Kbps | 1.2Mbps | Unauthorized/High Bandwidth Usage
edonkey | 250Kbps | 600Kbps | Unauthorized/High Bandwidth Usage
Citrix | 450Kbps | 200Kbps | Monitor Latency
Xwindows | 500Kbps | 500Kbps | Check Security Impact

Depending on the type of network traffic, DIA deployment could be accelerated.

16 Application Profile (Branch) Application Weekly Average Kbps Daily Average Kbps Peak Kbps Average Delay Max Delay Voice/Video Variance Classification http ms 9s Transactional secure-http ms 3s Transactional ssl ms 3s Transactional outlook-web-service ms 3s Transactional ldap, cifs, active-directory, sqlnet ms ms Transactional sqlserver ms 68ms Transactional share-point, ms-office-web-apps, ms-office-365, msupdate, oracle-sqlnet, sap ms 36-84ms Transactional rtp ms jitter (97% within) Voice ms-lync ms 124ms Voice webex-meeting, h Interactive Video sip-tls, skinny, rtsp, mgcp, rtcp, rsvp 2 89 VoIP Control youtube ms 2s Streaming Video unknown ms 3s Bulk amazon-instant-video, rtmpt, amazon-web-services, flash-video ms 52ms Bulk video-over-http ms 48ms Bulk binary-over-http ms 11s Bulk facebook, gmail ms ms Bulk itunes ms 3s Bulk audio-over-http ms 40ms Bulk

17 IWAN/Offload Application Benefits
Classification* | Branch Traffic Volume | PfR Primary Path | Offload Option
VOICE | 151 Kbps | MPLS | N
VOIP CONTROL | 42 Kbps | MPLS | N
INTERACTIVE_VIDEO | 89 Kbps | MPLS | N
STREAMING_VIDEO | 3778 Kbps | INET | Y
TRANSACTIONAL_DATA | 1711 Kbps | MPLS | Y (Selected Cloud Apps)
BULK_DATA | 776 Kbps | INET | Y
- IWAN will provide distinct paths to improve the application performance for key transactional and voice/video apps, redirecting bulk and streaming video to the alternate Internet backhaul path
- CWS and direct offload will then allow cloud apps and general Internet traffic to be directly offloaded, avoiding backhaul bandwidth expense

18 Migration steps
- Finalize the Design
- Deploy IWAN via a POC or Production Pilot
- Learn the technology
- Learn the applications
- Test the migration strategy
- Collect results from any POC/Production Pilot
- Identify sites for migration
- Make changes to infrastructure (if H/W upgrades are needed)
- Hub deployment
- Cut-Over Branches
- Clean-Up

19 Tools to simplify Deployment and Migration Application Policy Infrastructure Controller (APIC-EM) Prime Infrastructure IWAN Workflow CLI

20 Cisco Intelligent WAN App for APIC-EM Business Policy: App SLA APP DMVPN SLA QoS Security Path Selection NETWORK IT Admin Access Application Network Profile SDN Simple Workflow Templates Zero Touch Provisioning Network, Applications Monitoring Business Level Policies Open Architecture Business Policy Dictates Network Action

21 Cisco Prime IWAN Workflows Simplifying Configuration and Deployment Launch the IWAN workflow from the new Converged Menu How can I easily connect new sites to the data center and enable the IWAN technologies?

22 End State IWAN Concepts

23 Dynamic Multipoint VPN
- Tunneling technology that uses mGRE, NHRP, and IPsec
- Zero-touch provisioning
- Scalable deployment
- Dynamic spoke-to-spoke communication
- Spoke-to-spoke tunnels require traffic to hair-pin on the hub tunnel interface
- Provides transport independence
[Figure: DMVPN hub R11 with DMVPN spokes R31, R41 and R51]

24 DMVPN Spoke-To-Spoke Tunnel Creation 1 Traffic has hairpinned on my DMVPN tunnel 2 3 Traffic has hairpinned on my DMVPN tunnel 4

25 DMVPN Spoke-To-Spoke Tunnel Creation (continued)

26 End State IWAN Concepts: Quality of Service

27 Need for QoS from IWAN Perspective
- Replacing expensive MPLS service with business-class Internet
- PfR to load balance / provide resiliency / best path
- DMVPN overlay on MPLS and Internet
- Up to 2,000 remote sites per hub router in a single domain
- MPLS transport will have SP QoS, but with Internet transport we assume none
Reference: BRKRST-2043 IWAN AVC-QoS Design

28 IWAN QoS Requirements Bandwidth Sharing Between Tunnels Shape for Service Rate Shape for Remote Site Last Mile 1.5 Mbps 1.5 Mbps T1 Branch T1 Branch Hub BR GE 80 Mbps Service Rate Per Site Bandwidth Sharing Within Tunnel 45 Mbps 10 Mbps 45 Mbps T3 Branch T3 Branch 10 Mbps Branch

29 DMVPN Per Tunnel QoS: Per-Site Shaping to Avoid Overruns
- Hub to spoke only
- 100 Mbps in to the DMVPN cloud can easily overrun the lower-speed committed rates at spoke sites
[Figure: hub CE routers on a 100 Mbps 802.1q trunk, shape only (100 Mbps), feeding spoke CE routers at 50 Mbps, 20 Mbps and 10 Mbps]

30 Per-Tunnel QoS
- Tunnels created from Hub to Spoke sites will have QoS applied per-tunnel
- Pre-configured QoS policy is applied to the tunnel based on the NHRP group name passed from Spoke to Hub
- Although many spokes can be put into the same NHRP group, the tunnel traffic for each spoke is measured individually for shaping and policing
- Per-tunnel QoS policy controls only Hub to Spoke traffic; it is not bidirectional
  - Branches run their own QoS policies from the spoke side

31 DMVPN Hub Per Tunnel QoS: Implementing Per-Site Traffic Shaping

Separate shaper policies for each remote-site bandwidth (per tunnel shapers):
policy-map RS-GROUP-50MBPS-POLICY
 class class-default
  shape average
  service-policy WAN
policy-map RS-GROUP-20MBPS-POLICY
 class class-default
  shape average
  service-policy WAN
policy-map RS-GROUP-10MBPS-POLICY
 class class-default
  shape average
  service-policy WAN

Add a class-default shape-only policy on the hub physical interface (parent shaper, shape 100 Mbps):
policy-map POLICY-TRANSPORT-1-SHAPE-ONLY
 class class-default
  shape average
!
interface GigabitEthernet0/0/3
 bandwidth
 service-policy output POLICY-TRANSPORT-1-SHAPE-ONLY

List all available policies as map groups on the hub tunnel interface:
interface Tunnel10
 nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY
 nhrp map group RS-GROUP-20MBPS service-policy output RS-GROUP-20MBPS-POLICY
 nhrp map group RS-GROUP-50MBPS service-policy output RS-GROUP-50MBPS-POLICY

Spoke Tunnel Configurations: signal from the spoke to the hub to use the correct policy for each remote site.

10 Mbps spoke:
interface GigabitEthernet0/0
 bandwidth
 service-policy output POLICY-TRANSPORT-1
!
interface Tunnel10
 bandwidth
 nhrp group RS-GROUP-10MBPS
 tunnel source GigabitEthernet0/0
 tunnel vrf IWAN-TRANSPORT-1

20 Mbps spoke:
interface GigabitEthernet0/0
 bandwidth
 service-policy output POLICY-TRANSPORT-1
!
interface Tunnel10
 bandwidth
 nhrp group RS-GROUP-20MBPS
 tunnel source GigabitEthernet0/0
 tunnel vrf IWAN-TRANSPORT-1

50 Mbps spoke:
interface GigabitEthernet0/0
 bandwidth
 service-policy output POLICY-TRANSPORT-1
!
interface Tunnel10
 bandwidth
 nhrp group RS-GROUP-50MBPS
 tunnel source GigabitEthernet0/0
 tunnel vrf IWAN-TRANSPORT-1

32 IPsec Anti-Replay
- Decryption side keeps a sliding history of packets received (default is 64 packets)
- Provides anti-replay protection against an attacker duplicating encrypted packets
- Increasing the anti-replay window size has no impact on throughput or security
- The impact on memory is insignificant because only an extra 128 bytes per incoming IPsec SA is needed
[Figure: Packets In, Crypto Engine (adds sequence number), Enqueue, Police (dropped by policer), priority / data / class-default queues, P1 Queue, Tail Drop, Packets Out]
IWAN Conclusion: Use the maximum replay window-size of 1024 for each supported platform
crypto ipsec security-association replay window-size
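
The reordering problem behind this recommendation, as an added example (not from the session): a receiver-side sliding-window check in the style of ESP anti-replay, fed a stream in which bulk packets wait in a post-encryption queue while priority packets leave first. The class and function names and the traffic mix (`bulk_every`, `hold`) are assumptions chosen for illustration.

```python
"""Anti-replay window vs. post-encryption QoS reordering (illustrative model)."""


class AntiReplayWindow:
    """Receiver-side sliding window over ESP-style sequence numbers."""

    def __init__(self, size):
        self.size = size    # window width in packets (64 default, 1024 per the slide)
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence (top - i) was already received

    def check(self, seq):
        """Return 'accept', 'replay' or 'too_old' and update the window."""
        if seq < 1:
            return "too_old"            # ESP sequence numbers start at 1
        if seq > self.top:
            shift = seq - self.top      # slide the window right
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            return "too_old"            # left of the window: dropped even if genuine
        if (self.bitmap >> offset) & 1:
            return "replay"             # duplicate inside the window
        self.bitmap |= 1 << offset
        return "accept"


def wire_order(total, bulk_every, hold):
    """Sequence numbers in the order they leave the interface.

    Sequence numbers are assigned at encryption (1..total). Every
    `bulk_every`-th packet is bulk and waits in its queue until `hold`
    later packets have been encrypted; everything else is sent at once.
    """
    order, held = [], []                # held: (release_at_seq, seq)
    for seq in range(1, total + 1):
        if seq % bulk_every == 0:
            held.append((seq + hold, seq))
        else:
            order.append(seq)
        while held and held[0][0] <= seq:
            order.append(held.pop(0)[1])
    order.extend(seq for _, seq in held)    # drain the queue at the end
    return order


def count_drops(window_size, order):
    """Run the stream through a fresh window; return (drops, window)."""
    window = AntiReplayWindow(window_size)
    drops = sum(window.check(seq) != "accept" for seq in order)
    return drops, window


if __name__ == "__main__":
    # Constructed traffic: 2000 packets, 1 in 10 is bulk, held back ~200 packets.
    stream = wire_order(total=2000, bulk_every=10, hold=200)
    for size in (64, 1024):
        drops, window = count_drops(size, stream)
        print(f"window {size:4d}: {drops} genuine packets dropped")
    # A duplicated packet is still rejected with the large window.
    print("replayed seq 1500 ->", window.check(1500))
```

With the 64-packet window the delayed bulk packets arrive to the left of the window and are discarded as if they were replays; with 1024 they are accepted, and a true duplicate is still rejected.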

33 PfR Policies rely on QoS marking (IWAN Master Controller)
domain IWAN
 vrf default
  master hub
   load-balance
   class VOICE sequence 10
    match dscp ef policy voice
    path-preference MPLS fallback INET
   class INTERACTIVE_VIDEO sequence 20
    match dscp cs4 policy real-time-video
    match dscp af41 policy real-time-video
    match dscp af42 policy real-time-video
    match dscp af43 policy real-time-video
    path-preference MPLS fallback INET
   class LOW_LATENCY_DATA sequence 30
    match dscp cs2 policy low-latency-data
    match dscp cs3 policy low-latency-data
    match dscp af21 policy low-latency-data
    match dscp af22 policy low-latency-data
    match dscp af23 policy low-latency-data
    path-preference MPLS fallback INET
   class BULK_DATA sequence 40
    match dscp af11 policy bulk-data
    match dscp af12 policy bulk-data
    match dscp af13 policy bulk-data
    path-preference MPLS fallback INET
   class SCAVENGER sequence 50
    match dscp cs1 policy scavenger
    path-preference INET fallback MPLS
   class DEFAULT sequence 60
    match dscp default policy best-effort
    path-preference INET fallback MPLS
- Create the PfR classes with matching policy names and DSCP values to simplify the configuration
- Define the path preference for traffic
- Load balance non-priority traffic

34 QoS settings for PfR
QoS is based upon the following logic:
- Ingress traffic is classified and marked accordingly (if not done elsewhere)
- Egress traffic is shaped/queued based on QoS marking
PfR maps traffic to classes based on the DSCP marking or application names.
- LAN traffic should be marked on ingress or before hitting the BRs
As a best practice, use the same class names in PfR that were used for the QoS policies. Match DSCP for each PfR class with the DSCP used for the QoS policies.
- Ensures DSCP is consistent between QoS and PfR policies
- Makes it easier to identify the PfR policies
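
One way to check this best practice offline, as an added example (not from the session): a small parser that compares the DSCP values matched by each PfR class with the QoS class-map of the same name. The sample configuration is constructed: its PfR classes are a trimmed copy of the slide 33 policy, and its QoS class-maps are hypothetical and contain two deliberate inconsistencies.

```python
"""Compare PfR class DSCP matches with same-named QoS class-maps."""
import re

# Constructed sample. The QoS class-maps are hypothetical: one uses a hyphen
# where PfR uses an underscore, and BULK_DATA is missing af13.
SAMPLE_CONFIG = """\
class-map match-any VOICE
 match dscp ef
class-map match-any INTERACTIVE-VIDEO
 match dscp cs4 af41 af42 af43
class-map match-any BULK_DATA
 match dscp af11 af12
!
domain IWAN
 vrf default
  master hub
   load-balance
   class VOICE sequence 10
    match dscp ef policy voice
    path-preference MPLS fallback INET
   class INTERACTIVE_VIDEO sequence 20
    match dscp cs4 policy real-time-video
    match dscp af41 policy real-time-video
    match dscp af42 policy real-time-video
    match dscp af43 policy real-time-video
    path-preference MPLS fallback INET
   class BULK_DATA sequence 40
    match dscp af11 policy bulk-data
    match dscp af12 policy bulk-data
    match dscp af13 policy bulk-data
    path-preference MPLS fallback INET
"""


def parse_qos_class_maps(cfg):
    """Return {class-map name: set of DSCP names} from 'class-map' blocks."""
    maps, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"class-map(?:\s+match-(?:any|all))?\s+(\S+)$", line)
        if m:
            current = maps.setdefault(m.group(1), set())
            continue
        if current is not None and line.startswith("match dscp "):
            current.update(line.split()[2:])   # one or more values per line
        elif not raw.startswith(" "):
            current = None                     # any other top-level line ends the block
    return maps


def parse_pfr_classes(cfg):
    """Return {PfR class name: set of DSCP names} from the 'domain' block."""
    classes, current, in_domain = {}, None, False
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" ") and re.match(r"domain\s+\S+", line):
            in_domain = True
            continue
        if in_domain and raw and not raw.startswith(" "):
            in_domain, current = False, None   # left the domain block
        if not in_domain:
            continue
        m = re.match(r"class\s+(\S+)\s+sequence\s+\d+$", line)
        if m:
            current = classes.setdefault(m.group(1), set())
            continue
        m = re.match(r"match dscp (\S+) policy \S+$", line)
        if m and current is not None:
            current.add(m.group(1))
    return classes


def compare(cfg):
    """Return a list of (pfr_class, problem, dscp_values) findings."""
    qos = parse_qos_class_maps(cfg)
    findings = []
    for name, pfr_dscp in parse_pfr_classes(cfg).items():
        if name not in qos:
            findings.append((name, "no QoS class-map with this name", sorted(pfr_dscp)))
            continue
        only_pfr = sorted(pfr_dscp - qos[name])
        only_qos = sorted(qos[name] - pfr_dscp)
        if only_pfr:
            findings.append((name, "DSCP matched by PfR only", only_pfr))
        if only_qos:
            findings.append((name, "DSCP matched by QoS only", only_qos))
    return findings


if __name__ == "__main__":
    for finding in compare(SAMPLE_CONFIG):
        print(finding)
```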

35 Enterprise to SP QoS Mapping The Diffserv class view is preserved across the enterprise even though we are treating it differently in the router and sending it to different channels within the SP network. The classes remain intact on the inner header and the outer header is discarded after leaving the tunnel interface

36 Enterprise to SP Mapping: Default SP Marking
class-map match-all MULTIMEDIA_CONFERENCING-NBAR
 match protocol attribute traffic-class multimedia-conferencing
 match protocol attribute business-relevance business-relevant
!
policy-map traffic-marking
 class MULTIMEDIA_CONFERENCING-NBAR
  set dscp af41
!
int gig0/0/0
 service-policy in traffic-marking
[Figure: video flow from Term-A to Term-B through a GRE tunnel across the SP network, Packet Views 1 to 4. The user IP header is shown with DSCP 0 and then af41; the GRE IP header is shown with DSCP af41. Caption: DSCP copied Inner-to-Outer]

37 Enterprise to SP Mapping: Set dscp outbound on physical (Branch)
class-map match-all MULTIMEDIA_CONFERENCING-NBAR
 match protocol attribute traffic-class multimedia-conferencing
 match protocol attribute business-relevance business-relevant
!
policy-map traffic-marking
 class MULTIMEDIA_CONFERENCING-NBAR
  set dscp af41
!
int gig0/0/0
 service-policy in traffic-marking
class-map INTERACTIVE-VIDEO
 match dscp af41
!
policy-map egress-queuing
 class INTERACTIVE-VIDEO
  set dscp af31
!
int gig0/0/1
 service-policy out egress-queuing
[Figure: video flow from Term-A to Term-B through a GRE tunnel across the SP network, Packet Views 1 to 4. The user IP header is shown with DSCP 0 and then af41; the GRE IP header is shown with DSCP af31. Caption: DSCP copied Inner-to-Outer *BUT* we over-write Outer after the copy]

38 Enterprise to SP Mapping: Set dscp tunnel outbound on tunnel (Hub)
class-map match-all MULTIMEDIA_CONFERENCING-NBAR
 match protocol attribute traffic-class multimedia-conferencing
 match protocol attribute business-relevance business-relevant
!
policy-map traffic-marking
 class MULTIMEDIA_CONFERENCING-NBAR
  set dscp af41
!
int gig0/0/0
 service-policy in traffic-marking
class-map INTERACTIVE-VIDEO
 match dscp af41
!
policy-map egress-queuing
 class INTERACTIVE-VIDEO
  set dscp tunnel af31
!
int tun10
 service-policy out egress-queuing
[Figure: video flow from Term-A to Term-B through a GRE tunnel across the SP network, Packet Views 1 to 4. The user IP header is shown with DSCP 0 and then af41; the GRE IP header is shown with DSCP af31. Caption: Set dscp tunnel means don't copy but instead remember and mark this value once tunnel header is imposed]

39 DSCP remarking - Impact on PfR channels
- Use "set dscp tunnel" on the hub's per-tunnel policy; "set dscp" remarks the inner header at the hub
- Branch policy applied on the physical interface uses "set dscp": it just remarks the IPsec header, the inner header is untouched
- If "set dscp" is used on the hub, DSCP values for a traffic class from branch and hub will not be the same; as a result channels will not establish

40 IWAN QoS Summary
Hub
- Per-tunnel QoS for branches; child policy drives per-app bandwidth (voice, video)
- With per-tunnel QoS, the encapsulating (physical) interface supports only a class-default shaper
Branch
- Shaper and child policy on physical WAN interface
- No shaper required if line-rate interface
Maximize or disable the anti-replay window, as queueing is done post encryption
- Window size varies with platform. Make it as large as possible
Reference: BRKRST-2043 IWAN AVC-QoS Design

41 End State IWAN Concepts: DMVPN Tunnels and Routing

42 Various Acceptable DMVPN Layouts Direct Connection CE Router at Hub and Spoke FW Protects Hub Complex Scenario R11 DMVPN Hub R41 DMVPN Spoke

43 Internet Access Models
Centralized Access Model
- Internet and Internal traffic routes across the WAN
- A simple default route can be used for Internet traffic and Internal traffic
Distributed Access Model
- Internet traffic routes direct to the ISP
- A simple default route can be used for Internet traffic pointing to the ISP
- Internal traffic routes across the WAN
- A simple default route can NOT be used for Internal traffic

44 Default Route /16 DC /8 Summary Route /16 DC2 Default Route Route Summarization All DMVPN hubs advertise Enterprise prefix summary routes ( /8) for all the LAN and WAN networks Internet Internet DMVPN hubs advertise a default route that provides Internet connectivity. DC Specific Summaries: / /16

45 NHRP Interaction with Route Table Routing Table with Spoke-to-Hub Traffic R31-Spoke#show ip route D C C /8 is variably subnetted, 3 subnets, 3 masks /8 [90/ ] via , 00:29:28, Tunnel100 Summary Route from DMVPN Hub /24 is directly connected, GigabitEthernet0/ /24 is variably subnetted, 2 subnets, 2 masks /24 is directly connected, Tunnel100 Routing Table with Spoke-to-Spoke Traffic R31-Spoke#show ip route /8 is variably subnetted, 4 subnets, 3 masks D /8 [90/ ] via , 00:31:06, Tunnel100 C /24 is directly connected, GigabitEthernet0/2 H /24 [250/255] via , 00:00:22, Tunnel100 NHRP Installed Route /24 is variably subnetted, 3 subnets, 2 masks C /24 is directly connected, Tunnel100 H /32 is directly connected, 00:00:22, Tunnel100 NHRP Installed Route

46 IWAN Routing Protocol Selection
- Prescriptive design that uses EIGRP or iBGP for scalability
- EIGRP and BGP do not flood routes
- iBGP supports dynamic peers, which supports a zero-touch DMVPN hub and templatable spoke configuration
- iBGP allows usage of Local Preference to allow centralized routing policy change
- DMVPN topologies can support up to 2,000 spokes. The routing protocol must be scalable
- PfR interacts with EIGRP and BGP

47 IWAN EIGRP Routing Design
- Same EIGRP AS # for LAN and WAN
- DMVPN Hub advertises Default and Summary Route
- Delay added on to influence PfR uncontrolled traffic
- EIGRP Stub Site Feature on Branches

48 EIGRP Stub
router eigrp IWAN
 address-family ipv4 unicast autonomous-system 1
  eigrp stub

49 EIGRP Stub-Site
router eigrp IWAN
 address-family ipv4 unicast autonomous-system 1
  af-interface Tunnel100
   stub-site wan-interface
  exit-af-interface
  !
  af-interface Tunnel200
   stub-site wan-interface
  exit-af-interface
  eigrp stub-site 1:4

50 IWAN Deployment EIGRP
- Single EIGRP process for Branch, WAN and POP/hub sites
- Extend Hello/Hold timers for WAN
- Adjust tunnel interface delay to ensure WAN path preference (MPLS primary, INET secondary)
- Adjust LAN interface delay to ensure proper path selection
Hubs
- Disable Split-Horizon
- Advertise Site summary, enterprise summary, default route to spokes
- Summary metrics: a summary-metric is used to reduce computational load on the DMVPN hubs
- Ingress filter summary routes on tunnels
Spokes
- EIGRP Stub-Site functionality builds on stub functionality: it allows a router to advertise itself as a stub to peers on specified WAN interfaces, but allows it to exchange routes learned on the LAN interface
[Figure: Site1 (R10) and Site2 (R20) joined by DCI / WAN Core, hubs R11, R12, R21, R22, MPLS and INET transports, spokes R31, R41, R51, R52 (EIGRP Stub Site), annotated with interface delay values (1,000; 2,000; 20,000; 20,100; 24,000; 25,000). Caption: Set Tunnel Delay to influence best path]

51 IWAN BGP Routing Flow Branches with Directly Connected Branches with Multiple Routers

52 IWAN Deployment BGP on WAN & OSPF on LAN (For your reference only)
- A single iBGP routing domain is used for WAN
- Appropriate Hello/Hold timers for WAN (20 hello / 60 hold)
- BGP Neighbor Weight is set to 50k
- Hub: DMVPN hub routers function as BGP route reflectors (RR) for the spokes. BGP dynamic peer feature configured for Tunnel Networks
- Spokes: Peer to the DMVPN hubs for that transport

53 IWAN Deployment BGP on WAN & OSPF on LAN (For your reference only)
Traffic engineering for traffic when PfR is in uncontrolled state. Set Local-Preference:
- 100,000 for first selection (MPLS DC1)
- 20,000 for second selection (MPLS DC2)
- 3,000 for third selection (Internet DC1)
- 400 for fourth selection (Internet DC2)
[Figure: route reflectors (RR) labelled LP 100,000, LP 3,000, LP 20,000 and LP 400]
R31-Spoke# show bgp ipv4 unicast ! Output omitted for brevity Network Next Hop Metric LocPrf Weight Path * i i * i i * i i *>i i * i i * i i * i i *>i i * i / i *>i i * i / i *>i i

54 DMVPN Migration: Hub Routers and Routing Logic

55 We did a lot of research in Vegas! Not Everyone's WAN is the same.

56 Network Traffic Flows During Migration
[Figure panels: Site-to-Site Traffic in Legacy WAN; Site-to-Site Traffic in IWAN]
Traffic between Legacy and IWAN networks must flow through a migration site. This is located with the DMVPN hubs.

57 Three Methods of Hub Deployment or Migration
Greenfield | Intermediate (IBlock) | Condensed
New DMVPN Hub Routers | New DMVPN Hub Routers | Existing CE Routers
New Circuits | Existing Circuits | Existing Circuits
Simple Design | Medium Design | Increased Complexity
Diagram labels: DMVPN Hub*, DMVPN Hub*
Spoke Migration is not impacted by the Hub model

58 Transport Drawing Connectivity showed logical structure Physical connectivity looks like Sub-Interfaces can separate: P2P traffic (/30 IP on Sub-Interface) Transit switching (VLAN on MLS) The same concept can apply to transport connectivity too

59 Greenfield Deployment
Greenfield: New DMVPN Hub Routers, New Circuits, Simple Design
- Not restricted to constraints of existing network
- The only routing interaction required with the existing network is connectivity to the LAN (Migration Site)
- Simple post-migration cleanup: removal of CE1 and CE2
- Typically used when deploying new circuits or a parallel network

60 Greenfield Migration Routing Pattern
Benefits:
- Isolated environment. Changes on CE1 do not impact IWAN environment
- Simple routing configuration
- Easy to troubleshoot and trace packet flows
- Bandwidth is sized appropriately for DMVPN traffic only
- QoS policy on DMVPN hub is separated from Legacy QoS policy
Cons:
- Cost and timeline for new circuits

61 Intermediate Deployment
Intermediate (IBlock): New DMVPN Hub Routers, Existing Circuits, Medium Design
- Some constraints of existing network
- Existing circuits to SP are used
- New links (logical/physical) between CEs and DMVPN hubs are required
- CEs must advertise these new links to the SP so that spokes know how to reach the DMVPN hubs
- Connectivity to the LAN is straightforward
- Post-migration cleanup may be required

62 Intermediate Migration Routing Pattern
Benefits:
- Simple routing configuration
- Easy to troubleshoot and trace packet flows
- QoS policy on DMVPN hub is separated from Legacy QoS policy
Cons:
- Bandwidth for CE1 to the SP network must be sized accordingly
- Changes on CE1 could impact IWAN environment
- Some Clean-Up after Migration

63 IWAN Routing Protocol Diagram During Migration EIGRP

64 IWAN Routing Protocol Diagram During Migration BGP

65 Condensed Deployment
Condensed: Existing CE Routers (verify capability), Existing Circuits, Increased Complexity (QoS / Routing)
Do not deviate from the IWAN CVD with this model, or be prepared to face problems or complications during migration

66 Condensed Migration Routing Pattern
Benefits:
- Cost
- No real Clean-Up after Migration
Cons:
- Outage to all WAN networks is required during cutover
- Advanced Routing (VRF Leaking)
- Hierarchical QoS is not supported on the transport interface. If needed for the legacy network, this prevents per-tunnel QoS on the DMVPN tunnel. Does your existing WAN have per-tunnel QoS? This could be enabled later

67 Condensed - Leaking Routes Between BGP Global & VRF Tables
vrf definition MPLS01
 address-family ipv4
  import ipv4 unicast map VRF-LEAK-TO-MPLS01
  export ipv4 unicast map VRF-LEAK-FROM-MPLS01
! These route-maps are used to Permit/Block Routes between the
! VRF and Global BGP Tables
route-map VRF-LEAK-TO-MPLS01 permit 10
 match ip address prefix-list LEAK-TO-MPLS01
route-map VRF-LEAK-FROM-MPLS01 permit 10
 match ip address prefix-list LEAK-FROM-MPLS01
! Prefix-list names must match the names referenced by the route-maps above
ip prefix-list LEAK-TO-MPLS01 permit /0 le 32
ip prefix-list LEAK-FROM-MPLS01 permit /0 le 32
router bgp 10
 address-family ipv4 vrf MPLS01
  neighbor remote-as
  neighbor activate
  ! The local-as command is not required, but allows you to use a standard ASN
  ! for IWAN and still peer to MPLS SP using the ASN they want you to use
  neighbor local-as 11 no-prepend replace-as dual-as

68 Condensed - Leaking Routes Between BGP Global & VRF Tables R11-DC1-Hub1#show bgp ipv4 unicast Network Next Hop Metric LocPrf Weight Path *> i *> / i s> / ? s> / ? s> / ? s>i / ? s>i / ? s> / ? s> / ? s> / ? s> / ?

69 Condensed - Routing Table with Route Leaking R11-DC1-Hub1#show ip route bgp!snip /8 is variably subnetted, 24 subnets, 4 masks B /8 [19/0], 04:34:53, Null0 B /16 [19/0], 04:34:53, Null0 B /32 [19/0] via , 00:22:19 B /24 [19/0] via , 00:22:19 B /32 [201/0] via (MPLS01), 00:28:19 B /24 [201/0] via (MPLS01), 00:28:19 B /32 [201/0] via (MPLS01), 00:28:19 B /32 [201/0] via (MPLS01), 00:28:19 B /24 [201/0] via (MPLS01), 00:28:19 B /24 [201/0] via (MPLS01), 00:28:19 BRKCRS Cisco and/or its affiliates. All rights reserved. Cisco Public 69
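A pre-change lint for a route-leaking configuration of the kind shown on these slides, added here as an example (it is not from the session or from Cisco). It checks that every route-map and prefix-list in the VRF import/export chain is actually defined, and flags any leak prefix-list entry that permits every prefix; the addresses in the sample and the finding names are constructed for this example.

```python
import ipaddress
import re

# Constructed sample modelled on the slide's route-leaking configuration.
# Addresses are placeholders for this example, and the prefix-list names are
# deliberately different from the names the route-maps reference.
SAMPLE_CONFIG = """\
vrf definition MPLS01
 address-family ipv4
  import ipv4 unicast map VRF-LEAK-TO-MPLS01
  export ipv4 unicast map VRF-LEAK-FROM-MPLS01
!
route-map VRF-LEAK-TO-MPLS01 permit 10
 match ip address prefix-list LEAK-TO-MPLS01
route-map VRF-LEAK-FROM-MPLS01 permit 10
 match ip address prefix-list LEAK-FROM-MPLS01
!
ip prefix-list VRF-LEAK-TO-MPLS01 permit 0.0.0.0/0 le 32
ip prefix-list VRF-LEAK-FROM-MPLS01 permit 192.0.2.0/24 le 32
"""

# Same sample with the prefix-lists renamed to what the route-maps reference.
RENAMED_CONFIG = SAMPLE_CONFIG.replace("ip prefix-list VRF-LEAK-", "ip prefix-list LEAK-")

PREFIX_LIST_RE = re.compile(
    r"ip prefix-list (\S+) (?:seq \d+ )?(permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$"
)


def parse(config):
    """Collect VRF leak maps, route-map match clauses and prefix-list entries."""
    vrf_maps, route_maps, prefix_lists = [], {}, {}
    vrf = rmap = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # a top-level command ends the current block
            vrf = rmap = None
        if m := re.match(r"vrf definition (\S+)$", line):
            vrf = m.group(1)
        elif (m := re.match(r"(import|export) ipv4 unicast map (\S+)$", line)) and vrf:
            vrf_maps.append((vrf, m.group(1), m.group(2)))
        elif m := re.match(r"route-map (\S+) (?:permit|deny) \d+$", line):
            rmap = m.group(1)
            route_maps.setdefault(rmap, [])
        elif (m := re.match(r"match ip address prefix-list (.+)$", line)) and rmap:
            route_maps[rmap].extend(m.group(1).split())
        elif m := PREFIX_LIST_RE.match(line):
            net = ipaddress.ip_network(m.group(3), strict=False)
            le = int(m.group(5)) if m.group(5) else None
            prefix_lists.setdefault(m.group(1), []).append((m.group(2), net, le))
    return vrf_maps, route_maps, prefix_lists


def audit(config):
    """Return (finding, detail) tuples for the VRF <-> global leak chain."""
    vrf_maps, route_maps, prefix_lists = parse(config)
    findings, referenced = [], set()
    for vrf, direction, rmap in vrf_maps:
        if rmap not in route_maps:
            findings.append(("undefined-route-map", f"{vrf} {direction} map {rmap}"))
            continue
        for plist in route_maps[rmap]:
            referenced.add(plist)
            entries = prefix_lists.get(plist)
            if entries is None:
                findings.append(("undefined-prefix-list", f"{rmap} -> {plist}"))
                continue
            for action, net, le in entries:
                # prefix length 0 with "le <max>" matches every route in the table
                if action == "permit" and net.prefixlen == 0 and le == net.max_prefixlen:
                    findings.append(("permit-all-leak", f"{vrf} {direction} via {plist}"))
    for plist in sorted(set(prefix_lists) - referenced):
        findings.append(("unreferenced-prefix-list", plist))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as written", SAMPLE_CONFIG), ("renamed", RENAMED_CONFIG)):
        print(label)
        for finding in audit(cfg):
            print("  ", *finding)
```

Once the names line up, the remaining finding is the import list that admits every prefix, which is worth a deliberate decision because it removes the separation the front-door VRF is meant to provide.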

70 Other Condensed Techniques May Technically Work..
Be aware of your traffic patterns:
- IWAN to Legacy
- IWAN to DC
- Legacy to DC
- Additional load for transit traffic
Clean-up is still needed later on:
- Encapsulating tunnel IP changes
Going off the tried and true path may lead to problems later!

71 Hub Deployment Summary
[Diagram: Greenfield, Intermediate (IBlock) and Condensed models; labels: DMVPN Hub*]
- Keep It Simple Stupid (KISS). Remember your operations staff.
- Use Greenfield or IBlock when possible
- Depending on bandwidth, CSR1000Vs could be used
- Don't go crazy if you go Condensed

72 DMVPN Migration: Branch Routers

73 Branch Pre-Migration Tasks
- Make a list of what network applications work and what applications do not work before migrating the branch.
- Back up the existing router configurations to the local router & centralized repository.
- Allow local authentication / authorization to allow access to the router in a timely manner (assuming that TACACS or RADIUS servers cannot be reached).
- Allow remote console sessions on routers from the workstation, and any peer routers.

74 Branch Migration Activities
During the migration the following tasks are done:
- DMVPN tunnel configuration
- Certificate enrollment if IPsec Tunnel Protection uses PKI
- Association of FVRF to the Encapsulating Interface
- Routing protocol changes
- PfR configuration deployed

75 Connectivity During Migration
When the FVRF is associated to the transport interface, the IP address is removed from that interface.

R31-Site3(config-if)#vrf forwarding MPLS01
% Interface GigabitEthernet0/1 IPv4 disabled and address(es) removed due to enabling VRF MPLS01
R31-Site3(config-if)#ip address

If there is a backdoor between sites, migrate those sites together - prevents possibility of route loops and transit routing

76 Assess the Connectivity Model at Branch
Depending on the site's connectivity model, the migration could be executed without loss of service to the users at the branch.
- Single router with single transport: Cold Migration only
- Single router with dual transport: Cold Migration, Warm Migration
- Dual router with dual transport: Cold Migration, Warm Migration
Decide if migrations are remote or on-site

77 Migration Scripts
- Cisco tools use these, or they can be used for CLI
- Prevents typos/fat-fingering
- Allows for off-site migration
Example: EEM script allows for multiple commands to be entered even if console connectivity is lost.

event manager applet MIGRATE-PORTION
 event none
 action 010 cli command "enable"
 action 020 cli command "configure terminal"
 action 030 cli command "interface GigabitEthernet0/2"
 action 040 cli command "vrf forwarding INET01"
 action 050 cli command "ip address dhcp"
 ! Wait 20 seconds to allow DHCP to get a packet before no shutting tunnel
 action 060 wait 20
 action 070 syslog msg "FVRF Associated to Gi0/2"

78 Advanced EEM Script that Configures Routing Too!

event manager applet MIGRATE
 event none
 action 010 cli command "enable"
 action 020 cli command "configure terminal"
 ! This section enables the MPLS FVRF and No Shuts the MPLS Tunnel
 action 030 cli command "interface GigabitEthernet0/1"
 action 040 cli command "vrf forwarding MPLS01"
 action 050 cli command "ip address "
 action 060 cli command "ip route Tunnel "
 action 070 cli command "interface Tunnel 100"
 action 080 cli command "no shut"
 ! This section enables the Internet FVRF and No Shuts the Internet Tunnel
 action 090 cli command "interface GigabitEthernet0/2"
 action 100 cli command "vrf forwarding INET01"
 action 110 cli command "ip address dhcp"
 ! The wait command allows for the interface to obtain an IP address from DHCP
 ! before the Internet DMVPN tunnel is brought online
 action 120 wait 15
 action 130 cli command "interface Tunnel 200"
 action 140 cli command "no shut"
 action 150 syslog msg "Interface Configurations Performed "
 ! The last section is to remove the previous routing protocol configuration
 ! and then configure the routing protocols. Only a portion of this activity
 ! is shown, but this section should be completed based on your design.
 action 160 cli command "no router bgp 65000"
 action 170 cli command "no router ospf 1"
 action 180 cli command "router eigrp IWAN"
 ! Continue with rest of routing protocol configuration
 action 999 syslog msg "Migration Complete"

79 Migrating a Branch Router
- Configure DMVPN (tunnel will remain down with no FVRF interface)
- Configure EEM applet
- ** Copy run start
- ** Reload in 15
- Connect back to router (either on Tunnel or FVRF)
- Configure overlay routing
- Remove any existing routing
- ** reload cancel
- Execute EEM
- Verify connectivity
The entire process could be captured by a script.
** Recommended for CLI migrations

80 Post-Migration Cleanup

81 Post-Migration
If the final IWAN design does not migrate all devices to IWAN, then stop here!
Migration is considered complete once:
- All of the planned sites are communicating only via overlay tunnels
- The service provider network is used only for transport between DMVPN routers.
The last task is to clean up the environment:
- Greenfield: remove previous WAN routers
- Intermediate (IBlock): removal of link between LAN and CE routers; potential removal of CE links
- Condensed: remove BGP route leaking configuration

82 Post-Migration Clean-Up for Intermediate
[Diagram label: Link Not Needed]

83 Removal of the CE Device
CE1 could be removed depending on the following factors:
- Who owns the device? Your organization or the service provider?
- What additional value does CE1 add to the design or operational perspective?

84 Post Migration Clean up: CE Removal
- While removing CE1, if the cable connecting the MPLS network and CE1 is pulled from CE1 and plugged into R11, DMVPN connectivity is going to break.
- R11's IP address is on the /30 network and the service provider's PE router is on the /30 network. One of the devices will have to change its IP address.
- DMVPN spoke mappings are configured to the NBMA address.

85 Post Migration Clean up: How to fix IP Addressing Problem
Connectivity is restored by:
- Re-configure the NHRP on every branch site
  - Either add a second NBMA address (only 1 active at a time on each spoke)
- Terminate the DMVPN tunnel on a loopback
  - Little more complexity in VRF routing & additional IP addresses consumed.
- Coordinate IP address change with SP and migrate 1 DMVPN hub at a time.
  - SP would change the IP addressing on the peer link.

86 Migration of VPLS or Metro Ethernet Topologies

87 DMVPN Hub Setup for VPLS Migration
- Router cannot forward L3 and L2 on the same interface
- Requires insertion of a switch from the VPLS hand-off
- QoS shaping can be done outbound on the newly inserted switch
- Same subnet on CE1 and the DMVPN FVRF interface

88 Migration from Dual MPLS to Hybrid Model

89 Migration from Dual MPLS to Hybrid Model
- Traditional dual MPLS with mutual redistribution between IGP and BGP
- Install new MPLS1 DMVPN hub (just like shown earlier)
- Install new Internet DMVPN hub
- Turn up DMVPN interfaces on MPLS and Internet hubs
- Migrate branch sites:
  - MPLS1: MPLS1 DMVPN tunnel
  - Install new Internet circuit; Internet DMVPN tunnel turned up
  - MPLS2: shutdown and circuit termination

90 Clean-Up from Dual MPLS to Hybrid Model
Now that all sites have migrated on to IWAN, there is no need for connectivity to the MPLS SP2.
- Remove CE2 (connected to MPLS SP2)
- Remove the link between MLS5 and CE1

91 Clean-Up from Dual MPLS to Hybrid Model (continued)
Now comes the decision to remove CE1 or keep it. If it is removed, then this is what your topology will look like.
[Diagram: topology after CE1 removal]

92 Alternative to Using a Migration Site

93 Alternative to Using a Migration Site
Sometimes routing traffic through a Migration site may not work due to:
- End-to-end latency
- Bandwidth at hubs
Where possible, see if you can add another hub and advertise more specific routes.
If that cannot be done, there is another option for routing experts, which requires route leaking at the IWAN branch.

94 Alternative to Using a Migration Site: Receiving Routes (IWAN Path)
- Hub receives the route, but advertises a summary that contains it.
- Branch receives the hub summary and tags it.
- That route is not leaked from Global to FVRF.
[Diagram labels: /24; Branch tags on receipt and blocked from insertion to FVRF; VRF Export Map Blocks Tag]

95 Alternative to Using a Migration Site: Receiving Routes (Transport Path)
- Branch receives the branch route in a FVRF routing protocol and tags it.
- Route is leaked from FVRF into Global.
- Route is blocked from being advertised to the hubs.
[Diagram label: Branch tags on receipt and blocked from advertisement to Hub]

96 Alternative to Using a Migration Site: Receiving Routes
- Longest match wins.
- IWAN branch will go direct through SP transport.

97 Alternative to Using a Migration Site: Advertising Routes (Branch via Hub)
- Branch advertises the route to Hub
- Hub advertises to CE router
- CE router prepends AS or blocks
- SP advertises to R
[Diagram labels: /24; AS100:100]

98 Alternative to Using a Migration Site: Advertising Routes (Branch)
- Branch advertises route to SP with BGP community.
- Branch route is filtered on CE inbound from transport.
- SP advertises route to Migration CE, and is blocked by community. Route via IWAN path is preferred.
- SP advertises route to remote branch.

99 Alternative to Using a Migration Site: Advertising Routes (Branch)
- Shortest AS-path wins
- Traffic from R31's transport (leaked) interface is preferred

100 Alternative to Using a Migration Site: Advertising Routes (CE)
- CE advertises routes to SP with BGP community 100:200
- SP advertises route to remote branch, which accepts the route.
- SP advertises route to IWAN branch, which discards based on community.
- IWAN branch uses summary route (via R11)
[Diagram label: IWAN Branch discards route based on 100:200 BGP Community]

101 Keep in Mind About Not Using a Migration Site
- There is a lot of route tagging and leaking between VRFs.
- This can cause confusion for operations staff and junior network engineers.
- If this is the path you want to pursue, please engage Cisco or a Cisco Partner for assistance.

102 Migration of Existing Point-to-Point IPsec Topologies

103 Migrating P2P IPSEC WAN to IWAN
- Add the DMVPN hub router into the network
- The placement of the hub depends on where the IPsec tunnels are currently terminated: firewall or a router
- If IPsec is terminated on the FW, then place the hub router behind it (passthrough)
- Migrate sites based on traffic patterns - non-transit sites first
[Diagram labels: R1, DMVPN Hub, R2, DMVPN Tunnel, R3, R4, R5]

104 Important PfR Concepts for IWAN

105 Performance Routing v3 Running in an Enterprise Domain
BRKRST-3362 Implementing Performance Routing
- One Master Controller defined as the Hub MC
- Centralized location for policy definition
[Diagram labels: Branch MC/BR, Branch Master Controller, BR1, BR2, MC, Central Site, Hub Master Controller, MPLS, Internet]

106 Enterprise Domain
- WAN edge peers, learns SP SLA, manages congestion
- Send performance feedback to peers
- Peering & coordination at WAN edge
- Network discovers the applications
- WAN edge measures application performance
[Diagram labels: Branch MC/BR, BR1, BR2, MC, Central Site, MPLS, Internet]

107 Deploying Intelligent Path Control - Best Practices
DMVPN is a requirement for the PfR solution
- Can't support multiple next-hops and multiple data centers with the same prefix when the carrier is your routing partner
Tunnel bandwidth must be configured (otherwise default is 100kbps)
- Load balancing
- Performance classes when first controlled have no bandwidth, but before they can be moved available bandwidth is verified

108 Deploying Intelligent Path Control: Prepare to Run PfR Policy
Start with a single class and load balancing disabled
- All other classes will follow routing
Enable an additional class
- Monitor traffic classes and load on the network (CPU, interface utilization, etc.)
Enable additional classes and load balancing
Three performance classes (Voice, Video, and Critical Application) plus load balancing is a good start to baseline.

109 Built-in Policy Templates Matching QoS Best Practices
Pre-defined Template: Threshold Definition

Voice
- priority 1 one-way-delay threshold 150 (msec)
- priority 2 packet-loss-rate threshold 1 (%)
- priority 2 byte-loss-rate threshold 1 (%)
- priority 3 jitter 30 (msec)

Real-time-video
- priority 1 packet-loss-rate threshold 1 (%)
- priority 1 byte-loss-rate threshold 1 (%)
- priority 2 one-way-delay threshold 150 (msec)
- priority 3 jitter 20 (msec)

Low-latency-data
- priority 1 one-way-delay threshold 100 (msec)
- priority 2 byte-loss-rate threshold 5 (%)
- priority 2 packet-loss-rate threshold 5 (%)

Bulk-data
- priority 1 one-way-delay threshold 300 (msec)
- priority 2 byte-loss-rate threshold 5 (%)
- priority 2 packet-loss-rate threshold 5 (%)

Best-effort
- priority 1 one-way-delay threshold 500 (msec)
- priority 2 byte-loss-rate threshold 10 (%)
- priority 2 packet-loss-rate threshold 10 (%)

Scavenger
- priority 1 one-way-delay threshold 500 (msec)
- priority 2 byte-loss-rate threshold 50 (%)
- priority 2 packet-loss-rate threshold 50 (%)

110 Deploying Intelligent Path Control: Prepare to Run PfR
- Ensure a parent route is present to match the site-prefix in PfR
- Routing protocols are checked in this order: NHRP, BGP, EIGRP, Static, RIB
- If a route is found in the BGP table for /8 over your discovered paths and you are looking for /16 which is in EIGRP and the RIB, BGP will be utilized.
- PfRv3 is an enterprise protocol and does not expect multiple routing protocols within a single enterprise.

111 Deploying Intelligent Path Control - Best Practices
Use standard attributes in site and enterprise prefix-lists; they do not support extended prefix-list attributes.
Examples:
- ip prefix-list site-prefix seq 5 deny /24
  invalid, only permit is supported
- ip prefix-list site-prefix seq 10 permit /16 le 24
  invalid, it will be advertised as /16 alone

112 Deploying Intelligent Path Control - Best Practices
With an increase in the number of traffic-classes to the data center, manually break the site-prefix into smaller blocks to increase load-balancing granularity.

ip prefix-list site-prefix seq 5 permit /24
ip prefix-list site-prefix seq 10 permit /20
ip prefix-list site-prefix seq 15 permit /20
ip prefix-list site-prefix seq 20 permit /20
ip prefix-list site-prefix seq 25 permit /16

Longest prefix always wins
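The two site-prefix rules above (permit only, no ge/le) and the longest-prefix behaviour of a split site-prefix, as an added Python example that is not from the session. The addresses are constructed for the example, and treating a deny entry as contributing no prefix is this example's assumption; the residual count shows how much of each block is still handled as a single unit after the more specific blocks are carved out.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Constructed site-prefix list: a /16 split as on the slide, plus the two
# entry styles the slide calls invalid (deny, and permit with "le").
SAMPLE = """\
ip prefix-list site-prefix seq 5 permit 10.1.0.0/24
ip prefix-list site-prefix seq 10 permit 10.1.0.0/20
ip prefix-list site-prefix seq 15 permit 10.1.16.0/20
ip prefix-list site-prefix seq 20 permit 10.1.32.0/20
ip prefix-list site-prefix seq 25 permit 10.1.0.0/16
ip prefix-list site-prefix seq 30 deny 10.1.99.0/24
ip prefix-list site-prefix seq 35 permit 10.2.0.0/16 le 24
"""


class Entry(NamedTuple):
    seq: int
    action: str
    network: ipaddress.IPv4Network
    ge: Optional[int]
    le: Optional[int]


ENTRY_RE = re.compile(
    r"ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?\s*$"
)


def parse_prefix_list(config, name):
    """Return the entries of one named prefix-list, ordered by sequence number."""
    entries = []
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and m.group(1) == name:
            ge = int(m.group(5)) if m.group(5) else None
            le = int(m.group(6)) if m.group(6) else None
            entries.append(Entry(int(m.group(2)), m.group(3),
                                 ipaddress.ip_network(m.group(4)), ge, le))
    return sorted(entries, key=lambda e: e.seq)


def lint(entries):
    """Flag entries that use attributes the slide lists as unsupported."""
    findings = []
    for e in entries:
        if e.action != "permit":
            findings.append((e.seq, "deny is not supported, only permit"))
        elif e.ge is not None or e.le is not None:
            findings.append((e.seq, f"ge/le is not supported; advertised as {e.network} alone"))
    return findings


def advertised_prefixes(entries):
    """Base prefix of every permit entry; deny entries contribute nothing (assumption)."""
    prefixes = []
    for e in entries:
        if e.action == "permit" and e.network not in prefixes:
            prefixes.append(e.network)
    return prefixes


def owning_block(entries, address):
    """Longest advertised prefix containing the address, or None."""
    addr = ipaddress.ip_address(address)
    matches = [n for n in advertised_prefixes(entries) if addr in n]
    return max(matches, key=lambda n: n.prefixlen, default=None)


def residual_addresses(entries):
    """Addresses in each block that no more specific advertised block claims."""
    nets = advertised_prefixes(entries)
    result = {}
    for n in nets:
        children = [c for c in nets if c != n and c.subnet_of(n)]
        # Count only the outermost children so nested blocks are not subtracted twice.
        outer = [c for c in children
                 if not any(c != d and c.subnet_of(d) for d in children)]
        result[str(n)] = n.num_addresses - sum(c.num_addresses for c in outer)
    return result


if __name__ == "__main__":
    site = parse_prefix_list(SAMPLE, "site-prefix")
    for seq, issue in lint(site):
        print(f"seq {seq}: {issue}")
    for host in ("10.1.0.7", "10.1.40.1", "10.1.200.1"):
        print(host, "->", owning_block(site, host))
    print(residual_addresses(site))
```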

113 PfR Topology
[Diagram: PfR topology]

114 PfR Enterprise & Site Prefix Lists
- Branch Site Prefixes: site prefixes for particular sites with PfRv3 enabled. Branches learn site prefixes dynamically (or statically configured).
- Hub Site Prefixes: hubs act as transit sites; site-prefix statically defined.
- **Legacy Site Prefixes: placing legacy site prefixes at hub sites provides PfR for half of the path.
- Enterprise Prefix: without enterprise-prefix, all the traffic between PfR sites will be learned as PfR Internet traffic class and delay, jitter, etc. cannot be monitored.
- * Only routing is used between non-PfR and PfR-enabled sites in the enterprise prefix.
[Diagram label: PfR Internet]

115 Hubs: Site-Prefix Lists Before Anything Is Migrated
[Topology diagram; labels: SITE1 PfR Site-Prefix /16, SITE2 PfR Site-Prefix /16, Enterprise Prefix /8, Site Prefix is /16, R10, R11, R12, R21, R22, DMVPN MPLS, DMVPN INET, BGP, /24 branch prefixes]

116 Hub1 Site-Prefix Table Before Anything Is Migrated
Hub MC (R10)

domain IWAN
 vrf default
  master hub
   enterprise-prefix prefix-list ENTERPRISE_PREFIX
   site-prefixes prefix-list SITE_PREFIX
!
ip prefix-list ENTERPRISE_PREFIX seq 10 permit /8
ip prefix-list SITE_PREFIX seq 10 permit /16

117 Hub1 Site-Prefix Table Before Anything Is Migrated

R10-DC1-MC#show domain IWAN master site-prefix
 Change will be published between 5-60 seconds
 Next Publish 01:46:29 later
 Prefix DB Origin:
 Prefix Flag: S-From SAF; L-Learned; T-Top Level; C-Configured; M- shared
 Site-id Site-prefix Last Updated DC Bitmap Flag
 /32 00:13:41 ago 0x1 L
 /16 00:13:41 ago 0x1 C,M
 * /8 00:13:41 ago 0x1 T

118 R31 on Site 3 Migrated to IWAN
[Topology diagram; labels: SITE1 PfR Site-Prefix /16, SITE2 PfR Site-Prefix /16, Enterprise Prefix /8, Site Prefix is /16, R10, R11, R12, R21, R22, R31, DMVPN MPLS, DMVPN INET, BGP, /24 branch prefixes]

119 Hub1 Site-Prefix Table After R31 Is Migrated

R10-DC1-MC#show domain IWAN master site-prefix
 Change will be published between 5-60 seconds
 Next Publish 01:46:29 later
 Prefix DB Origin:
 Prefix Flag: S-From SAF; L-Learned; T-Top Level; C-Configured; M- shared
 Site-id Site-prefix Last Updated DC Bitmap Flag
 /32 00:23:41 ago 0x1 L
 /16 00:23:41 ago 0x1 C,M
 /32 00:01:11 ago 0x0 S
 /24 00:01:11 ago 0x0 S
 * /8 00:23:41 ago 0x1 T

120 No PfR Control for Site 3 to Site 4 Traffic (IWAN to Non-IWAN Site)
[Topology diagram; labels: Routing, SITE1 PfR Site-Prefix /16, SITE2 PfR Site-Prefix /16, Enterprise Prefix /8, Site Prefix is /16, R10, R11, R12, R21, R22, DMVPN MPLS, DMVPN INET, BGP, /24 branch prefixes]

121 Add /8 to Hub1 Site-Prefix
Hub MC (R10)

domain IWAN
 vrf default
  master hub
   enterprise-prefix prefix-list ENTERPRISE_PREFIX
   site-prefixes prefix-list SITE_PREFIX
!
ip prefix-list ENTERPRISE_PREFIX seq 10 permit /8
ip prefix-list SITE_PREFIX seq 10 permit /16
ip prefix-list SITE_PREFIX seq 20 permit /8

122 After /8 Is Added to Hub1 Site-Prefix

R10-DC1-MC#show domain IWAN master site-prefix
 Change will be published between 5-60 seconds
 Next Publish 01:46:29 later
 Prefix DB Origin:
 Prefix Flag: S-From SAF; L-Learned; T-Top Level; C-Configured; M- shared
 Site-id Site-prefix Last Updated DC Bitmap Flag
 /32 00:28:42 ago 0x1 L
 /16 00:28:42 ago 0x1 C,M
 /32 00:06:19 ago 0x0 S
 /24 00:06:19 ago 0x0 S
 * /8 00:00:30 ago 0x1 T

Previously this was

123 PfR After /8 Is Added to Hub1 Site-Prefix
[Topology diagram; labels: SITE1 PfR Site-Prefix, SITE2 PfR Site-Prefix, Enterprise Prefix /8, Site Prefix is /16, R10, R20, R11, R12, R21, R22, R31, DMVPN MPLS, DMVPN INET, BGP, /24 branch prefixes]

124 Hub1 Site-Prefix Table After Site4 Is Migrated

R10-DC1-MC#show domain IWAN master site-prefix
 Change will be published between 5-60 seconds
 Next Publish 01:46:29 later
 Prefix DB Origin:
 Prefix Flag: S-From SAF; L-Learned; T-Top Level; C-Configured; M- shared
 Site-id Site-prefix Last Updated DC Bitmap Flag
 /32 00:33:41 ago 0x1 L
 /16 00:33:41 ago 0x1 C,M
 /32 00:11:24 ago 0x0 S
 /24 00:11:24 ago 0x0 S
 /32 00:01:09 ago 0x0 S
 /24 00:01:09 ago 0x0 S
 * /8 00:05:19 ago 0x1 T

125 R41 on Site 4 Is Migrated to IWAN
[Topology diagram; labels: PfR, SITE1 PfR Site-Prefix /16, SITE2 PfR Site-Prefix /16, Enterprise Prefix /8, Site Prefix is /16, R10, R11, R12, R21, R22, R31, DMVPN MPLS, DMVPN INET, BGP, /24 branch prefixes]

126 Deploying Intelligent Path Control: Prepare to Run PfR
Dual router branch:
- Must be Layer 2 adjacent for SAF establishment
- Can use static GRE tunnel, dedicated, or dot1q sub-interface

127 Deploying Intelligent Path Control: VRF Considerations
- 5 VRFs supported by default
- IOS-XE adds support to configure up to 20 VRFs (requires TCAM re-carving)
- Global table is configured as one: vrf default
- VRF-Lite, no label support

128 Deploying Intelligent Path Control - Best Practices
Spoke-to-spoke considerations for PfR:
- If the interface does not have routes in the RIB (blind interface), then NHRP will not allow a shortcut to be installed.
- PfR is verifying parent routes via the BGP table or EIGRP topology, so NHRP's check must be disabled: no nhrp route-watch
- Only an NHRP host route to the destination site's site-id (the PfR Master Controller source interface) will be installed. PfR will then control traffic on this path.
- Check using show domain <name> border traffic-class or show ip route overrides pfr

129 Summary

130 Session Summary
- Document the existing network.
- Create a high-level migration plan.
- Deploy a proof-of-concept or production pilot of the network.
  - The first remote site should always be in a lab. This allows the operational teams to become comfortable with the technology while they start to learn about the actual applications in use in the network. As well, any issues with the IWAN routing architecture should not impact production during this phase.
- Test the execution plans in a lab environment and modify accordingly.
- Deploy DMVPN hub routers.
- Migrate branch routers.
- Post-migration cleanup tasks.
- Migrating other WAN transports/technologies
- PfR
- Ask your boss for a raise! You improved business application responsiveness while saving the company $$$$

131 Recommended Reading
Coming Soon

132 Other IWAN Related Sessions
- TECCRS-2004 Implementing the Intelligent WAN
- BRKCRS-2000 Intelligent WAN Architecture
- BRKRST-2043 IWAN AVC/QoS Design
- BRKCRS-2002 IWAN Design and Deployment Workshop
- BRKRST-2362 IWAN Implementing Performance Routing (PfRv3)
- BRKRST-3413 IWAN Serviceability: Deploying/Monitoring/Operating
- BRKCRS-2007 Migrating Your Existing WAN to Cisco's IWAN
- BRKRST-2514 IWAN Application Optimization and Provisioning
- CCSRST-2000 IWAN Migration Case Study
- BRKNMS-1040 IWAN Management with Cisco Prime Infrastructure



More information

Pressures on the WAN

Pressures on the WAN IWAN Radek Boch, Systems Engineer, Cisco, rboch@cisco.com CCIE#7095 14.11.2013 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 The Application Landscape Is Changing Applications Are

More information

Network Automation and Branch Agility The Network Helps Enable Digital Business. Rajinder Singh Product Sales Specialist June 2016

Network Automation and Branch Agility The Network Helps Enable Digital Business. Rajinder Singh Product Sales Specialist June 2016 Network Automation and Branch Agility The Network Helps Enable Digital Business Rajinder Singh Product Sales Specialist June 2016 Agenda WAN Market Drivers Cisco Intelligent WAN (IWAN) Cisco Intelligent

More information

Performance Routing Version 3 Configuration Guide

Performance Routing Version 3 Configuration Guide First Published: 2014-07-22 Last Modified: 2016-04-20 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387)

More information

DMVPN for R&S CCIE Candidates

DMVPN for R&S CCIE Candidates DMVPN for R&S CCIE Candidates Johnny Bass CCIE #6458 BRKCCIE-3003 @CCIE6458 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public About the Presenter Johnny Bass Networking industry since

More information

Intelligent WAN. Technology Design Guide

Intelligent WAN. Technology Design Guide Intelligent WAN Technology Design Guide January 2015 Table of Contents Preface... 1 CVD Navigator... 2 Use Cases...2 Scope...2 Proficiency...2 Introduction... 3 Technology Use Cases...3 Use Case: Secure

More information

Enterprise SD-WAN Financial Profile (Hybrid WAN, Segmentation, Quality of Service, Centralized Policies)

Enterprise SD-WAN Financial Profile (Hybrid WAN, Segmentation, Quality of Service, Centralized Policies) CVP CVP Enterprise SD-WAN Financial Profile (Hybrid WAN, Segmentation, Quality of Service, Centralized Policies) 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

More information

Managing Site-to-Site VPNs: The Basics

Managing Site-to-Site VPNs: The Basics CHAPTER 23 A virtual private network (VPN) consists of multiple remote peers transmitting private data securely to one another over an unsecured network, such as the Internet. Site-to-site VPNs use tunnels

More information

PfRv3 Zero SLA Support

PfRv3 Zero SLA Support The Performance Routing v3 (PfRv3) Zero SLA Support feature enables users to reduce probing frequency on various ISP links, such as 3G, 4G, and LTE When the Zero SLA (0-SLA) feature is configured on an

More information

Chapter H through R. loss (PfR), page 28. load-balance, page 23 local (PfR), page 24 logging (PfR), page 26

Chapter H through R. loss (PfR), page 28. load-balance, page 23 local (PfR), page 24 logging (PfR), page 26 Chapter H through R holddown (PfR), page 3 host-address (PfR), page 5 hub, page 7 inside bgp (PfR), page 8 interface (PfR), page 10 interface tunnel (global configuration), page 12 jitter (PfR), page 13

More information

Scalability Considerations

Scalability Considerations 3 CHAPTER This chapter presents the following steps to selecting Cisco products for a VPN solution: Sizing the headend Choosing Cisco products that can be deployed for headend devices Product sizing and

More information

Exam Questions Demo Cisco. Exam Questions CCIE SP CCIE Service Provider Written Exam

Exam Questions Demo   Cisco. Exam Questions CCIE SP CCIE Service Provider Written Exam Cisco Exam Questions 400-201 CCIE SP CCIE Service Provider Written Exam Version:Demo 1. Which is one difference between H-VPLS and VPLS? A. VPLS is a point-to-point Layer-2 services and H-VPLS is a multipoint

More information

CCIE Routing & Switching

CCIE Routing & Switching CCIE Routing & Switching Cisco Certified Internetwork Expert Routing and Switching (CCIE Routing and Switching) certifies the skills required of expert-level network engineers to plan, operate and troubleshoot

More information

Cisco Performance Routing

Cisco Performance Routing Cisco Performance Routing As enterprise organizations grow their businesses, the demand for real-time application performance and a better application experience for users increases. For example, voice

More information

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications Data Sheet Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications Product Overview Cisco Dynamic Multipoint VPN (DMVPN) is a Cisco IOS Software-based security solution for building

More information

Managing Site-to-Site VPNs

Managing Site-to-Site VPNs CHAPTER 21 A virtual private network (VPN) consists of multiple remote peers transmitting private data securely to one another over an unsecured network, such as the Internet. Site-to-site VPNs use tunnels

More information

Implementing Next Generation Performance Routing PfRv3

Implementing Next Generation Performance Routing PfRv3 Implementing Next Generation Performance Routing PfRv3 Jean-Marc Barozet Technical Leader IWAN Solution Group Agenda Business Trends PfRv3 Principles Monitoring Details The Life of a Packet Path Enforcement

More information

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications Product Overview Cisco Dynamic Multipoint VPN (DMVPN) is a Cisco IOS Software-based security solution for building scalable

More information

CVP Enterprise Cisco SD-WAN Retail Profile (Hybrid WAN, Segmentation, Zone-Based Firewall, Quality of Service, and Centralized Policies)

CVP Enterprise Cisco SD-WAN Retail Profile (Hybrid WAN, Segmentation, Zone-Based Firewall, Quality of Service, and Centralized Policies) CVP CVP Enterprise Cisco SD-WAN Retail Profile (Hybrid WAN, Segmentation, Zone-Based Firewall, Quality of Service, and Centralized Policies) 2018 Cisco and/or its affiliates. All rights reserved. This

More information

Question: 1 Which three parameters must match to establish OSPF neighbor adjacency? (Choose three.)

Question: 1 Which three parameters must match to establish OSPF neighbor adjacency? (Choose three.) Volume: 217 Questions Question: 1 Which three parameters must match to establish OSPF neighbor adjacency? (Choose three.) A. the process ID B. the hello interval C. the subnet mask D. authentication E.

More information

Cisco Certified Network Associate ( )

Cisco Certified Network Associate ( ) Cisco Certified Network Associate (200-125) Exam Description: The Cisco Certified Network Associate (CCNA) Routing and Switching composite exam (200-125) is a 90-minute, 50 60 question assessment that

More information

Zero To Hero CCIE CCNP

Zero To Hero CCIE CCNP Zero To Hero CCIE CCNP CCIE CCNP CCIE CCNP Week 1 Simple Network Design Understanding the Host-to-Host Communications Model Understanding the TCP/IP Internet Layer Addresses in a Network Introduction to

More information

Small Enterprise Design Profile(SEDP) WAN Design

Small Enterprise Design Profile(SEDP) WAN Design CHAPTER 3 Small Enterprise Design Profile(SEDP) WAN Design This chapter discusses how to design and deploy WAN architecture for Small Enterprise Design Profile. The primary components of the WAN architecture

More information

Managing Site-to-Site VPNs: The Basics

Managing Site-to-Site VPNs: The Basics CHAPTER 21 A virtual private network (VPN) consists of multiple remote peers transmitting private data securely to one another over an unsecured network, such as the Internet. Site-to-site VPNs use tunnels

More information

CCNA Routing and Switching (NI )

CCNA Routing and Switching (NI ) CCNA Routing and Switching (NI400+401) 150 Hours ` Outline The Cisco Certified Network Associate (CCNA) Routing and Switching composite exam (200-125) is a 90-minute, 50 60 question assessment that is

More information

Configuring MPLS and EoMPLS

Configuring MPLS and EoMPLS 37 CHAPTER This chapter describes how to configure multiprotocol label switching (MPLS) and Ethernet over MPLS (EoMPLS) on the Catalyst 3750 Metro switch. MPLS is a packet-switching technology that integrates

More information

CCNA. Murlisona App. Hiralal Lane, Ravivar Karanja, Near Pethe High-School, ,

CCNA. Murlisona App. Hiralal Lane, Ravivar Karanja, Near Pethe High-School, , CCNA Cisco Certified Network Associate (200-125) Exam DescrIPtion: The Cisco Certified Network Associate (CCNA) Routing and Switching composite exam (200-125) is a 90-minute, 50 60 question assessment

More information

CCIE Route & Switch Written (CCIERSW) 1.0

CCIE Route & Switch Written (CCIERSW) 1.0 CCIE Route & Switch Written (CCIERSW) 1.0 COURSE OVERVIEW: CCIE Route and Switch Written (CCIERSW) preparation course is a five-day course that prepares the student for the written exam portion of the

More information

Technology Brief. VeloCloud Dynamic. Multipath Optimization. Page 1 TECHNOLOGY BRIEF

Technology Brief. VeloCloud Dynamic. Multipath Optimization. Page 1 TECHNOLOGY BRIEF Technology Brief Page 1 This document discusses the key functionalities and benefits of (DMPO) that assures enterprise and cloud application performance over Internet and hybrid WAN. Contents Page 2 Introduction

More information

CCNA Routing and Switching Study Guide Chapters 7 & 21: Wide Area Networks

CCNA Routing and Switching Study Guide Chapters 7 & 21: Wide Area Networks CCNA Routing and Switching Study Guide Chapters 7 & 21: Wide Area Networks Instructor & Todd Lammle Chapter 21 objectives The ICND2 topics covered in this chapter include: 2 Chapter 21 objectives (con

More information

PREREQUISITES TARGET AUDIENCE. Length Days: 5

PREREQUISITES TARGET AUDIENCE. Length Days: 5 Cisco Implementing Cisco IP Routing v2.0 (ROUTE) ROUTE v2.0 includes major updates and follows an updated blueprint. However, note that this course does not cover all items listed on the blueprint. Some

More information

Implementing Cisco IP Routing

Implementing Cisco IP Routing 300-101 Implementing Cisco IP Routing NWExam.com SUCCESS GUIDE TO CISCO CERTIFICATION Exam Summary Syllabus Questions Table of Contents Introduction to 300-101 Exam on Implementing Cisco IP Routing...

More information

IPv6 Switching: Provider Edge Router over MPLS

IPv6 Switching: Provider Edge Router over MPLS Multiprotocol Label Switching (MPLS) is deployed by many service providers in their IPv4 networks. Service providers want to introduce IPv6 services to their customers, but changes to their existing IPv4

More information

CCIE R&S LAB CFG H2/A5 (Jacob s & Jameson s)

CCIE R&S LAB CFG H2/A5 (Jacob s & Jameson s) Contents Section 1 Layer 2 Technologies... 2 1.1 Jameson s Datacenter: Access port... 2 1.2 Jameson s Datacenter: Trunk ports... 4 1.3 Jameson s Datacenter: Link bundling... 5 1.4 Jameson s Branch Offices...

More information

Configuring VPLS. VPLS overview. Operation of VPLS. Basic VPLS concepts

Configuring VPLS. VPLS overview. Operation of VPLS. Basic VPLS concepts Contents Configuring VPLS 1 VPLS overview 1 Operation of VPLS 1 VPLS packet encapsulation 4 H-VPLS implementation 5 Hub-spoke VPLS implementation 7 Multi-hop PW 8 VPLS configuration task list 9 Enabling

More information

PfRv3 Inter-DC Optimization

PfRv3 Inter-DC Optimization The PfRv3-Inter-DC-Optimization feature provides support by routing traffic from a hub site to another for specific traffic types such as data, voice, video, etc. Feature Information for PfRv3-Inter-DC-Optimization,

More information

Implementing Cisco IP Routing (ROUTE)

Implementing Cisco IP Routing (ROUTE) Implementing Cisco IP Routing (ROUTE) COURSE OVERVIEW: Implementing Cisco IP Routing (ROUTE) v2.0 is an instructor-led five-day training course developed to help students prepare for Cisco CCNP certification.

More information

Flexible Dynamic Mesh VPN draft-detienne-dmvpn-00

Flexible Dynamic Mesh VPN draft-detienne-dmvpn-00 Flexible Dynamic Mesh VPN draft-detienne-dmvpn-00 Fred Detienne, Cisco Systems Manish Kumar, Cisco Systems Mike Sullenberger, Cisco Systems What is Dynamic Mesh VPN? DMVPN is a solution for building VPNs

More information

Cisco Service Advertisement Framework Deployment Guide

Cisco Service Advertisement Framework Deployment Guide Cisco Service Advertisement Framework Deployment Guide What You Will Learn Cisco Service Advertisement Framework (SAF) is a network-based, scalable, bandwidth-efficient approach to service advertisement

More information

Cisco CCNP ROUTE: Implementing Cisco IP Routing (ROUTE) 2.0. Upcoming Dates. Course Description. Course Outline

Cisco CCNP ROUTE: Implementing Cisco IP Routing (ROUTE) 2.0. Upcoming Dates. Course Description. Course Outline Cisco CCNP ROUTE: Implementing Cisco IP Routing (ROUTE) 2.0 Implementing Cisco IP Routing (ROUTE) v2.0 is an instructor-led five day training course developed to help students prepare for Cisco CCNP certification.

More information

Network-Based Application Recognition

Network-Based Application Recognition Network-Based Application Recognition Last updated: September 2008 Common questions and answers regarding Cisco Network-Based Application Recognition (NBAR) follow. Q. What is NBAR? A. NBAR, an important

More information

Lab Guide CIERS1. Overview. Outline

Lab Guide CIERS1. Overview. Outline CIERS1 Lab Guide Overview Outline This guide presents the instructions and other information concerning the activities for this course. You can find the recommended solutions in the Answer Key. This guide

More information

Configuring FlexVPN Spoke to Spoke

Configuring FlexVPN Spoke to Spoke Last Published Date: March 28, 2014 The FlexVPN Spoke to Spoke feature enables a FlexVPN client to establish a direct crypto tunnel with another FlexVPN client leveraging virtual tunnel interfaces (VTI),

More information

VPN WAN. Technology Design Guide

VPN WAN. Technology Design Guide VPN WAN Technology Design Guide December 2013 Table of Contents Preface...1 CVD Navigator...2 Use Cases... 2 Scope... 2 Proficiency... 2 Introduction...3 Related Reading... 3 Technology Use Cases... 3

More information

IPv6 Switching: Provider Edge Router over MPLS

IPv6 Switching: Provider Edge Router over MPLS Multiprotocol Label Switching (MPLS) is deployed by many service providers in their IPv4 networks. Service providers want to introduce IPv6 services to their customers, but changes to their existing IPv4

More information

Securizarea Calculatoarelor și a Rețelelor 32. Tehnologia MPLS VPN

Securizarea Calculatoarelor și a Rețelelor 32. Tehnologia MPLS VPN Platformă de e-learning și curriculă e-content pentru învățământul superior tehnic Securizarea Calculatoarelor și a Rețelelor 32. Tehnologia MPLS VPN MPLS VPN 5-ian-2010 What this lecture is about: IP

More information

Implementing VXLAN. Prerequisites for implementing VXLANs. Information about Implementing VXLAN

Implementing VXLAN. Prerequisites for implementing VXLANs. Information about Implementing VXLAN This module provides conceptual information for VXLAN in general and configuration information for layer 2 VXLAN on Cisco ASR 9000 Series Router. For configuration information of layer 3 VXLAN, see Implementing

More information

Virtual Private Networks Advanced Technologies

Virtual Private Networks Advanced Technologies Virtual Private Networks Advanced Technologies Petr Grygárek rek Agenda: Supporting Technologies (GRE, NHRP) Dynamic Multipoint VPNs (DMVPN) Group Encrypted Transport VPNs (GET VPN) Multicast VPNs (mvpn)

More information

Scalability Considerations

Scalability Considerations CHAPTER 3 This chapter presents the steps to selecting products for a VPN solution, starting with sizing the headend, and then choosing products that can be deployed for headend devices. This chapter concludes

More information

DMVPN to Group Encrypted Transport VPN Migration

DMVPN to Group Encrypted Transport VPN Migration DMVPN to Group Encrypted Transport VPN Migration This document provides the steps for Dynamic Multipoint VPN (DMVPN) to Group Encrypted Transport VPN migration. DMVPN to Group Encrypted Transport VPN Migration

More information

Implementing Cisco IP Routing

Implementing Cisco IP Routing ROUTE Implementing Cisco IP Routing Volume 3 Version 1.0 Student Guide Text Part Number: 97-2816-02 DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES

More information

TEXTBOOK MAPPING CISCO COMPANION GUIDES

TEXTBOOK MAPPING CISCO COMPANION GUIDES TestOut Routing and Switching Pro - English 6.0.x TEXTBOOK MAPPING CISCO COMPANION GUIDES Modified 2018-08-20 Objective Mapping: Cisco 100-105 ICND1 Objective to LabSim Section # Exam Objective TestOut

More information

Cisco Virtual Office High-Scalability Design

Cisco Virtual Office High-Scalability Design Solution Overview Cisco Virtual Office High-Scalability Design Contents Scope of Document... 2 Introduction... 2 Platforms and Images... 2 Design A... 3 1. Configure the ACE Module... 3 2. Configure the

More information

Exam Topics Cross Reference

Exam Topics Cross Reference Appendix R Exam Topics Cross Reference This appendix lists the exam topics associated with the ICND1 100-105 exam and the CCNA 200-125 exam. Cisco lists the exam topics on its website. Even though changes

More information

MPLS in the DCN. Introduction CHAPTER

MPLS in the DCN. Introduction CHAPTER CHAPTER 5 First Published: January 3, 2008 Last Updated: January 3, 2008 Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images Use Cisco Feature Navigator to find information

More information

A-B I N D E X. backbone networks, fault tolerance, 174

A-B I N D E X. backbone networks, fault tolerance, 174 I N D E X A-B access links fault tolerance, 175 176 multiple IKE identities, 176 182 single IKE identity with MLPPP, 188 189 with single IKE identity, 183 187 active/standby stateful failover model, 213

More information

MPLS WAN. Technology Design Guide

MPLS WAN. Technology Design Guide MPLS WAN Technology Design Guide December 2013 Table of Contents Preface...1 CVD Navigator...2 Use Cases... 2 Scope... 2 Proficiency... 2 Introduction...3 Related Reading... 3 Technology Use Cases... 3

More information

Deploying and Administering Cisco s Digital Network Architecture (DNA) and Intelligent WAN (IWAN) (DNADDC)

Deploying and Administering Cisco s Digital Network Architecture (DNA) and Intelligent WAN (IWAN) (DNADDC) Deploying and Administering Cisco s Digital Network Architecture (DNA) and Intelligent WAN (IWAN) (DNADDC) COURSE OVERVIEW: Deploying and Administering Cisco s Digital Network Architecture (DNA) and Intelligent

More information

Cisco IOS Performance Routing Version 3 Command Reference

Cisco IOS Performance Routing Version 3 Command Reference First Published: 2017-04-07 Last Modified: 2017-04-07 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387)

More information

FUNDAMENTAL ROUTING CONCEPTS

FUNDAMENTAL ROUTING CONCEPTS PART I Chapter 1 FOUNDATION TOPICS Routing Protocol Fundamentals FUNDAMENTAL ROUTING CONCEPTS Characteristics of Routing Protocols Routing occurs when a router or some other Layer 3 device makes a forwarding

More information

Implementing MPLS VPNs over IP Tunnels

Implementing MPLS VPNs over IP Tunnels The MPLS VPNs over IP Tunnels feature lets you deploy Layer 3 Virtual Private Network (L3VPN) services, over an IP core network, using L2TPv3 multipoint tunneling instead of MPLS. This allows L2TPv3 tunnels

More information

Q-Balancer Range FAQ The Q-Balance LB Series General Sales FAQ

Q-Balancer Range FAQ The Q-Balance LB Series General Sales FAQ Q-Balancer Range FAQ The Q-Balance LB Series The Q-Balance Balance Series is designed for Small and medium enterprises (SMEs) to provide cost-effective solutions for link resilience and load balancing

More information

MPLS VPN Carrier Supporting Carrier Using LDP and an IGP

MPLS VPN Carrier Supporting Carrier Using LDP and an IGP MPLS VPN Carrier Supporting Carrier Using LDP and an IGP Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) Carrier Supporting Carrier (CSC) enables one MPLS VPN-based service provider

More information

Performance Routing Version 3 Commands

Performance Routing Version 3 Commands Performance Routing Version 3 Commands advanced, page 3 bandwidth (interface configuration), page 4 border (VRF configuration), page 7 class (master controller configuration), page 8 collector, page 9

More information

CCIE R&S v5.0. Troubleshooting Lab. Q1. PC 110 cannot access R7/R8, fix the problem so that PC 110 can ping R7

CCIE R&S v5.0. Troubleshooting Lab. Q1. PC 110 cannot access R7/R8, fix the problem so that PC 110 can ping R7 Troubleshooting Lab Q1. PC 110 cannot access R7/R8, fix the problem so that PC 110 can ping R7 Q2. R17 should have one default route which points to R12 via PPP as shown below R17# sh ip route S* 0.0.0.0/0

More information

MPLS VPN--Inter-AS Option AB

MPLS VPN--Inter-AS Option AB The feature combines the best functionality of an Inter-AS Option (10) A and Inter-AS Option (10) B network to allow a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) service provider

More information

Cisco 5921 Embedded Services Router

Cisco 5921 Embedded Services Router Data Sheet Cisco 5921 Embedded Services Router The Cisco 5921 Embedded Services Router (ESR) is a Cisco IOS software router application. It is designed to operate on small, low-power, Linux-based platforms

More information

Medium Enterprise Design Profile (MEDP) WAN Design

Medium Enterprise Design Profile (MEDP) WAN Design CHAPTER 3 Medium Enterprise Design Profile (MEDP) WAN Design WAN Design The Medium Enterprise WAN Design Profile is a multi-site design where a site consists of multiple buildings and services. The sites

More information

Configuring QoS CHAPTER

Configuring QoS CHAPTER CHAPTER 34 This chapter describes how to use different methods to configure quality of service (QoS) on the Catalyst 3750 Metro switch. With QoS, you can provide preferential treatment to certain types

More information

Cisco ASR 1000 Series Aggregation Services Routers: QoS Architecture and Solutions

Cisco ASR 1000 Series Aggregation Services Routers: QoS Architecture and Solutions Cisco ASR 1000 Series Aggregation Services Routers: QoS Architecture and Solutions Introduction Much more bandwidth is available now than during the times of 300-bps modems, but the same business principles

More information

Operating and Monitoring the Network

Operating and Monitoring the Network CHAPTER 6 Under the Operate tab, Prime NCS (WAN) provides tools to help you monitor your network on a daily basis, as well as perform other day-to-day or ad hoc operations relating to network device inventory

More information

Cisco 921J Gigabit Ethernet security router with external power supply for Japan only

Cisco 921J Gigabit Ethernet security router with external power supply for Japan only C921J-4P Datasheet Overview C921J-4P is the Cisco 921J Gigabit Ethernet security router with external power supply for Japan only. Cisco 900J Series Integrated Services Routers (ISRs) combine Internet

More information

ASACAMP - ASA Lab Camp (5316)

ASACAMP - ASA Lab Camp (5316) ASACAMP - ASA Lab Camp (5316) Price: $4,595 Cisco Course v1.0 Cisco Security Appliance Software v8.0 Based on our enhanced FIREWALL and VPN courses, this exclusive, lab-based course is designed to provide

More information