Intelligent WAN Network Design


Intelligent WAN Network Design. EN2. Jaromír Pilař, CSE

Agenda
- Introduction and the basic pillars of an intelligent WAN network
- Transport Independent Design
- Intelligent path selection
- Summary

Intelligent WAN: Leveraging the Any Transport
(Figure: hybrid WAN transport from the branch, an IPsec-secured IP-VPN path and an Internet path with Direct Internet Access, reaching the private cloud, virtual private cloud and public cloud)
- Secure WAN transport for private and virtual private cloud access
- Leverage the local Internet path for public cloud and Internet access
- Increased WAN transport capacity, cost effectively
- Improved application performance (right flows to right places)

Intelligent WAN: Leveraging the Any Transport. So what is new here?
(Figure: same hybrid WAN transport picture as the previous slide)
- Secure WAN transport for private and virtual private cloud access
- Internet as WAN with high reliability: SLAs for business-critical applications
- Leverage the local Internet path for public cloud and Internet access
- Centralized security policy for Internet access
- Increased WAN transport capacity, cost effectively: dramatically lower WAN costs without compromise
- Improved application performance (right flows to right places)

Intelligent WAN Solution Components
(Figure: branch with AVC, WAAS and PfR connected over 3G/4G-LTE and Internet to the private cloud, virtual private cloud and public cloud)
Transport Independent
- DMVPN IPsec overlay design
- Consistent operational model
- Simple provider migrations
- Scalable and modular design
Intelligent Path Control
- Performance Routing (PfR)
- Application best path based on delay, loss, jitter and path preference
- Load balancing for full utilization of all bandwidth
- Improved network availability
Application Optimization
- AVC: application monitoring with Application Visibility and Control
- Per-tunnel hierarchical QoS
- WAAS: application acceleration and bandwidth savings
- WAAS: intelligent edge caching with Akamai Connect
Secure Connectivity
- Certified strong encryption
- Comprehensive threat defense with ASA and IOS firewall/IPS
- Cloud Web Security (CWS) for scalable, secure direct Internet access

Transport Independent Design using DMVPN

Cisco Intelligent WAN (IWAN)
(Figure: ISR-AX branch and ASR1000-AX aggregation routers with AVC, WAAS, Akamai and PfRv3, connected over 3G/4G-LTE and Internet to the private cloud, virtual private cloud and public cloud, under common Management & Orchestration)
- Transport Independence: IPsec WAN overlay, consistent operational model (DMVPN)
- Intelligent Path Control: optimal application routing, efficient use of bandwidth (Performance Routing)
- Application Optimization: performance monitoring, optimization and caching (AVC, HQoS, WAAS, Akamai)
- Secure Connectivity: next-generation strong encryption, threat defense (Suite-B, CWS, ZBFW)

IWAN Layered Solution
- A CPE-to-CPE overlay enables separation of the transport (underlay) and the VPN service (overlay)
- Point-to-multipoint WAN connections with a secure tunnel overlay architecture
- Intelligent policy routing provides cost optimization and dynamic load balancing
Layers, top to bottom (figure): AVC/QoS; PfR path selection policies and PfR intelligent routing; overlay routing over tunnels (VPN routing); overlay tunnels (DMVPN); transport routing (Internet routing); perimeter security.

Intelligent WAN Deployment Models
(Figure: three branch connectivity models, Dual, Hybrid and Dual Internet; the name of the private transport in the first model is not preserved in the transcription)
- Dual: highest SLA guarantees, tightly coupled to the SP, expensive, more bandwidth for key applications
- Hybrid (IP-VPN plus Internet): balanced SLA guarantees, moderately priced, best price/performance
- Dual Internet: most SP flexibility, enterprise responsible for SLAs
A consistent VPN overlay enables security across the transition.

Hybrid WAN Designs: Traditional and IWAN
(Figure: a data center with two ASR 1000 routers connected to the private SP transport and to ISP A/Internet, and an ISR branch)
Traditional hybrid
- Active/standby WAN paths (primary with backup)
- Two IPsec technologies (GETVPN on the private transport, DMVPN over the Internet)
- Two WAN routing domains (private transport: eBGP or static; Internet: iBGP, EIGRP or OSPF)
- Route redistribution, route filtering, loop prevention
Intelligent WAN hybrid
- Active/active WAN paths
- One IPsec overlay (DMVPN on both transports)
- One WAN routing domain (EIGRP or iBGP)

IWAN Transport Independent Design Overview
IWAN prescriptive design: Transport Independent Design based on DMVPN
- Branch spoke sites establish an IPsec tunnel to, and register with, the hub site
- Data traffic flows over the DMVPN tunnels
- The WAN interface IP address is used as the tunnel source address (in a front-door VRF)
- One tunnel per user VRF
Over-the-top routing
- BGP or EIGRP are typically used, for scalability
- IP routing exchanges prefix information for each site
- Per-tunnel QoS is applied to prevent hub-site oversubscription of spoke sites
(Figure: IWAN POP1 with MC1, R84 and R85 and IWAN POP2 with MC2, R94 and R95, joined by the DCI/WAN core and an INET transport to spokes R10 to R13 with sites 10.1.10.0/24 to 10.1.13.0/24)
Reference: http://docwiki.cisco.com/wiki/pfr3:solutions:iwan

Using a Front Door VRF: Keeping the Default Routes in Separate VRFs
- Customer routing context (global table); FVRF_SP1 (SP1 routing context); FVRF_SP2 (SP2 routing context)
- Different default routes are possible within the global table and towards the SP infrastructure
- Configuration towards the SP is simplified and allows for a simple swap
Configuration:
    vrf definition FVRF_SP1
     address-family ipv4
     exit-address-family
    crypto keyring DMVPN vrf FVRF_SP1
     pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
    interface Tunnel0
     ip address 172.50.1.1 255.255.255.0
     ip nhrp authentication HBfR3lpl
     ip nhrp map multicast 3.3.3.3
     ip nhrp map 172.50.1.254 3.3.3.3
     ip nhrp network-id 1
     ip nhrp nhs 172.50.1.254
     ip nhrp shortcut
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel vrf FVRF_SP1
     tunnel protection ipsec profile dmvpn
    interface GigabitEthernet0/0
     description WAN interface to ISP in vrf
     ! the VRF must be assigned before the address: changing the VRF clears the interface IP address
     ip vrf forwarding FVRF_SP1
     ip address dhcp
    interface GigabitEthernet0/1
     description LAN interface in global table

Typical IWAN Topology
IWAN domain
- Group of IWAN sites with common transports and policies
- 2000 sites per domain; multiple domains for larger scale
IWAN POP locations
- 2+ WAN aggregation locations, also called transit sites
- Each Border Router (BR) is a DMVPN hub with iBGP or EIGRP routing
- Summary prefixes with primary and secondary path metrics are advertised out to the branches
- Transit routing to other locations, with backdoor failover routing between POP locations
- Dedicated BR per WAN transport
IWAN branch locations
- Simple, consistent configurations
- 1 or more BRs connected to each transport; L2 peering required
- Peer with each DMVPN hub; stub routing
(Figure: POP1 with BR11/BR12 advertising 10.1.0.0/16 and 10.0.0.0/8, POP2 with BR21/BR22 advertising 10.2.0.0/16 and 10.0.0.0/8, DC1/DC2 behind the WAN core, and branches BR31, BR41 and BR51/BR52 with 10.3.3.0/24, 10.4.4.0/24 and 10.5.5.0/24 over the DMVPN and INET transports)

Highly Redundant Large Scale Topology
- Support for multiple BRs per transport: horizontal scaling and redundancy
- Support for multiple POPs, with different or common prefixes
(Figure: DC1 and POP1 with BR11 to BR14, DC2 and POP2 with R21 to R24, prefixes 10.1.0.0/16, 10.2.0.0/16 and 10.0.0.0/8, joined by the DCI/WAN core; branches BR31, BR41 and BR51/BR52 with 10.3.3.0/24, 10.4.4.0/24 and 10.5.5.0/24 over the DMVPN and INET transports)

IWAN Topology with Dual-Homed POP Border Routers
IWAN POP locations
- Same design as the typical IWAN topology, with dual-homed border routers
- Additional redundancy with fewer BRs
- Larger BRs required to meet performance targets
- Not supported in IWAN 2.1; planned for a future release
(Figure: POP1 with BR11/BR12 and POP2 with BR21/BR22, each BR attached to both transports; prefixes and branches as in the typical topology)

IWAN Transport Independent Design Best Practices
Private peering with Internet providers
- Use the same Internet provider for hub and spoke sites: avoids Internet exchange bottlenecks between providers and reduces round-trip latency
- Use a separate DMVPN network per provider: increases availability through separate failure domains and enables PfR to optimize traffic between providers
Transport settings
- Use the same MTU size on all WAN paths
- Bandwidth settings should match the offered rate
- Use a front-side VRF to separate Internet and internal default routes
Routing protocols
- EIGRP or BGP for networks over 1000 sites
Internet security
- Access lists or firewalls to block all but DMVPN tunnel traffic
- Tunnel source IP addresses should not be registered in DNS, making the routers difficult for others to find
(Figure: data center ASR 1000 pair running DMVPN Blue over ISP A Internet and DMVPN Green over ISP C Internet to an ISR branch)

DMVPN Best Practice Configuration
- Use mode transport on the transform set: NHRP needs it for NAT support, and it saves 20 bytes
- MTU issues: ip mtu 1400; ip tcp adjust-mss 1360; crypto ipsec fragmentation after-encryption (global)
- Routing protocol: EIGRP timers on tunnel interfaces 20/60; BGP timers default
- NHRP: ip nhrp holdtime 600; ip nhrp registration no-unique (spokes)
- ISAKMP / IKEv2 Call Admission Control (CAC), on spokes and hubs:
    call admission limit percent (hubs)
    crypto call admission limit {ike {in-negotiation-sa number | sa number}}
    crypto ikev2 limit {max-in-negotiation-sa limit [incoming | outgoing] | max-sa limit}
- Keepalives on spokes (GRE tunnel keepalives are not supported): crypto ikev2 dpd 40 5 on-demand, or crypto isakmp keepalive 40 5. The first timer is twice the routing protocol timer; the second is the confirmation interval and runs 5 times. The total time, 40 + (5 * 5) = 65 seconds, is greater than the routing protocol hold timer, which keeps dead peer detection from running while the routing protocol is functioning correctly
- Invalid-SPI recovery is not useful

DMVPN Configuration: Front-Door VRF (IWAN POP)
    ! front-door VRF definition for the first transport
    vrf definition IWAN-TRANSPORT-1
     address-family ipv4
     exit-address-family
    ! front-door VRF definition for the Internet transport
    vrf definition IWAN-TRANSPORT-2
     address-family ipv4
     exit-address-family
(Figure: IWAN POP with MC1 and border routers R84 (10.0.100.84) and R85 (10.0.200.85), connected over the first transport and INTERNET to spoke R10 (10.0.100.10 / 10.0.200.10) with site 10.1.10.0/24)

DMVPN Configuration: IPsec
    crypto ikev2 keyring DMVPN-KEYRING-1
     peer ANY
      address 0.0.0.0 0.0.0.0
      pre-shared-key c1sco123
    crypto ikev2 profile FVRF-IKEv2-IWAN-TRANSPORT-1
     match fvrf IWAN-TRANSPORT-1
     match identity remote address 0.0.0.0
     authentication remote pre-share
     authentication local pre-share
     keyring local DMVPN-KEYRING-1
    ! maximize the window size to eliminate future anti-replay issues
    crypto ipsec security-association replay window-size 512
    ! transport mode: required for NAT support, lower overhead
    crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
     mode transport
    crypto ipsec profile DMVPN-PROFILE-1
     set transform-set AES256/SHA/TRANSPORT
     set ikev2-profile FVRF-IKEv2-IWAN-TRANSPORT-1
    ! DPD timers for branch configs: 40 + 5*5 = 65 s, greater than the routing hold timer
    crypto ikev2 dpd 40 5 on-demand
(Figure: the same IWAN POP with MC1, R84 and R85 and spoke R10 as on the previous slide)

DMVPN Hub Configuration: Interfaces and Routing (R84)
    ! put the transport interface into the front-door VRF
    interface GigabitEthernet0/0/3
     description -TRANSPORT
     vrf forwarding IWAN-TRANSPORT-1
     ip address 172.16.84.4 255.255.255.0
    ! instantiate the DMVPN tunnel
    interface Tunnel100
     ! configure interface bandwidth
     bandwidth 1000000
     ip address 10.0.100.84 255.255.255.0
     no ip redirects
     ! configure interface MTU
     ip mtu 1400
     ! multicast related configuration
     ip pim nbma-mode
     ip pim sparse-mode
     ip nhrp authentication cisco123
     ! add routers automatically
     ip nhrp map multicast dynamic
     ! QoS groups
     ip nhrp map group RS-20MBPS service-policy output RS-20MBPS-POLICY
     ip nhrp map group...
     ! DMVPN network ID
     ip nhrp network-id 100
     ip nhrp holdtime 600
     ! set DMVPN Phase 3
     ip nhrp redirect
     ip tcp adjust-mss 1360
     ! map to the physical interface
     tunnel source GigabitEthernet0/0/3
     tunnel mode gre multipoint
     tunnel key 101
     ! tunnel endpoint is in the front-door VRF
     tunnel vrf IWAN-TRANSPORT-1
     tunnel protection ipsec profile DMVPN-PROFILE-1
    ! default route for the tunnel endpoints
    ip route vrf IWAN-TRANSPORT-1 0.0.0.0 0.0.0.0 172.16.84.8
(Figure: IWAN POP with MC1, R84 (10.0.100.84) on the first transport and R85 (10.0.200.85) on INTERNET)

DMVPN Spoke Configuration: Interfaces and Routing (R10)
    ! put the transport interface into the front-door VRF
    interface GigabitEthernet0/1
     vrf forwarding IWAN-TRANSPORT-1
     ! the transcription shows the Tunnel100 address here; the transport interface needs its own
     ! address, distinct from the tunnel address and reachable to the default-route next hop 172.16.101.8
     ip address 10.0.100.10 255.255.255.0
    ! instantiate the DMVPN tunnel
    interface Tunnel100
     ! configure interface bandwidth
     bandwidth 200000
     ip address 10.0.100.10 255.255.255.0
     no ip redirects
     ! configure interface MTU
     ip mtu 1400
     ! multicast related configuration
     ip pim dr-priority 0
     ip pim nbma-mode
     ip pim sparse-mode
     ip nhrp authentication cisco123
     ! assign to QoS group
     ip nhrp group RS-20MBPS
     ! DMVPN network ID
     ip nhrp network-id 100
     ip nhrp holdtime 600
     ! multiple DMVPN hubs for resiliency
     ip nhrp nhs 10.0.100.84 nbma 172.16.84.4 multicast
     ip nhrp nhs 10.0.100.94 nbma 172.16.94.4 multicast
     ip nhrp registration no-unique
     ! set DMVPN Phase 3
     ip nhrp shortcut
     ! adjust TCP segment size
     ip tcp adjust-mss 1360
     ! install shortcuts for paths not in the RIB
     no nhrp route-watch
     ! NHRP controls the interface state
     if-state nhrp
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel key 101
     ! tunnel endpoint is in the front-door VRF
     tunnel vrf IWAN-TRANSPORT-1
     tunnel protection ipsec profile DMVPN-PROFILE-1
    ! default route for the tunnel endpoints
    ip route vrf IWAN-TRANSPORT-1 0.0.0.0 0.0.0.0 172.16.101.8
(Figure: spoke R10 with 10.0.100.10 on the first transport, 10.0.200.10 on INTERNET and LAN 10.1.10.0/24)

IWAN Routing Protocols: Which protocol should I use?
IWAN profiles are based on BGP and EIGRP, for scalability and optimal Intelligent Path Control.
- Scalability: BGP (path vector) and EIGRP (advanced distance vector) provide the best scale over large hub-and-spoke topologies like DMVPN. OSPF (link state) maintains a lot of network state, which cannot be subdivided easily in large DMVPN networks.
- Intelligent Path Control: PfR can be used with any routing protocol by relying on the routing table (RIB); this requires all valid WAN paths to be ECMP so that each valid path is in the RIB. For BGP and EIGRP, PfR can look into the protocol's topology information to determine both best paths and secondary paths, so ECMP is not required.

IWAN Deployment: EIGRP
- A single EIGRP process for branch, WAN and POP/hub sites
- Extend hello/hold timers for the WAN
- Adjust tunnel interface delay to ensure WAN path preference ( primary, INET secondary)
Hubs
- Disable split horizon
- Advertise the site summary, the enterprise summary and a default route to the spokes
- Summary metrics: a summary-metric is used to reduce the computational load on the DMVPN hubs
- Ingress filter on tunnels
Spokes
- EIGRP Stub-Site functionality builds on stub functionality: it allows a router to advertise itself as a stub to peers on specified WAN interfaces, but still exchange routes learned on the LAN interface
(Figure: tunnel delay set to influence the best path. Hub tunnels R11/R12, R21/R22 and R51/R52 carry delays of 1000, 2000, 20000, 24000 and 25000; spokes R10, R31 and R41 are EIGRP stub sites with 10.3.3.0/24, 10.4.4.0/24 and 10.5.5.0/24 behind the DCI/WAN core and INET)

DMVPN Hub Configuration: Routing (R84)
    ! use EIGRP named mode
    router eigrp IWAN-EIGRP
     address-family ipv4 unicast autonomous-system 400
      ! default values for interfaces
      af-interface default
       passive-interface
      exit-af-interface
      ! LAN interface configuration
      af-interface Port-channel1
       no passive-interface
      exit-af-interface
      ! tunnel interface configuration
      af-interface Tunnel10
       ! summarize WAN address ranges
       summary-address 10.2.0.0 255.255.0.0
       ! adjust timers
       hello-interval 20
       hold-time 60
       no passive-interface
       ! disable split horizon
       no split-horizon
      exit-af-interface
      topology base
       ! tag routes
       distribute-list route-map SET-TAG-DMVPN-1 out Port-channel1
       distribute-list route-map SET-TAG-ALL out Tunnel10
       ! filter routes
       distribute-list route-map BLOCK-DC2-DMVPN-1 in Tunnel10
      exit-af-topology
      ! enable EIGRP for networks
      network 10.0.100.0 0.0.0.255
      network 10.8.0.0 0.0.255.255
      eigrp router-id 10.6.32.241
     exit-address-family
*) Some parts of the configuration are not shown (e.g. authentication).
(Figure: IWAN POP with MC1, R84 (10.0.100.84) on the first transport and R85 (10.0.200.85) on INTERNET)

DMVPN Spoke Configuration: Routing (R10)
    ! use EIGRP named mode
    router eigrp IWAN-EIGRP
     address-family ipv4 unicast autonomous-system 400
      ! default values for interfaces
      af-interface default
       passive-interface
      exit-af-interface
      ! tunnel interface configuration
      af-interface Tunnel10
       ! summarize branch address ranges
       summary-address 10.1.10.0 255.255.255.0
       ! adjust timers
       hello-interval 20
       hold-time 60
       no passive-interface
      exit-af-interface
      ...
      topology base
       ! tag and filter routes
       distribute-list route-map DMVPN1-BR-IN in Tunnel10
       distribute-list route-map DMVPN2-BR-IN in Tunnel11
       distribute-list route-map BLOCK-LEARNED out Tunnel10
       distribute-list route-map BLOCK-LEARNED out Tunnel11
      exit-af-topology
      ! enable EIGRP for networks
      network 10.0.100.0 0.0.0.255
      network 10.0.200.0 0.0.0.255
      network 10.1.10.0 0.0.0.255
      network 10.255.0.0 0.0.255.255
      eigrp router-id 10.255.241.11
      ! enable the EIGRP stub feature
      eigrp stub connected summary redistributed
     exit-address-family
*) Some parts of the configuration are not shown (e.g. authentication, Tunnel11).
(Figure: spoke R10 with 10.0.100.10 on the first transport, 10.0.200.10 on INTERNET and LAN 10.1.10.0/24)

IWAN Deployment: BGP
- A single iBGP routing domain is used
- Appropriate hello/hold timers for the WAN
Hub
- DMVPN hub routers function as BGP route reflectors for the spokes; no BGP peering between the RRs
- The BGP dynamic peer feature is configured on the route reflectors
- Site-specific prefixes, the enterprise summary prefix and a default route are advertised to the spokes
- Set local preference for all prefixes
- Redistribute BGP into the local IGP with a defined metric cost, to attract traffic from the central sites to the spokes across.
Spokes
- Peer to the hub/transit BRs in each DMVPN cloud
- Mutual redistribution OSPF/BGP
- Set a route tag to identify routes redistributed from BGP
- The preferred path is the one with the highest local preference
(Figure: site 1 (R10) and site 2 (R20) with OSPF metrics 1000 and 2000 towards hubs R11/R12, R21/R22 and R51/R52 across the DCI/WAN core and INET; local preferences 100000, 20000, 3000 and 400 on the hub paths; branches 10.3.3.0/24, 10.4.4.0/24, 10.5.5.0/24 behind R31, R41 and R51/R52)

Deploying with User VRFs
    vrf definition TEST1
     address-family ipv4
     exit-address-family
    vrf definition TEST2
     address-family ipv4
     exit-address-family
    interface Tunnel101
     vrf forwarding TEST1
     tunnel key 101
     tunnel vrf IWAN-TRANSPORT-1
    interface Tunnel102
     vrf forwarding TEST2
     tunnel key 102
     tunnel vrf IWAN-TRANSPORT-1
- DMVPN tunnel per VRF
- Over-the-top routing per VRF
- SAF peering per VRF
(Figure: transit site 1 with MC1, R84 and R85, tunnels 1 and 2 per VRF over the first transport and INET to enterprise branch sites R10 to R13 with 10.1.10.0/24 to 10.1.13.0/24)

Intelligent Path Selection using PfRv3

Cisco Intelligent WAN (IWAN): the four-pillar overview slide repeated (Transport Independence with DMVPN, Intelligent Path Control with Performance Routing, Application Optimization with AVC, WAAS and Akamai, Secure Connectivity with Suite-B, CWS and ZBFW), here introducing the path control section.

Intelligent Path Control with PfR: Enterprise Use Case
(Figure: branch connected to the private cloud, virtual private cloud and Internet over two paths)
- Voice, video and critical applications take the best delay, jitter and/or loss path
- Other traffic is load balanced to maximize bandwidth
- PfR monitors network performance and routes applications based on application performance policies
- PfR load balances traffic based on link utilization levels, to efficiently use all available WAN bandwidth
- Voice, video and critical applications are rerouted if the current path degrades below the policy thresholds

PfRv3 and Parent Routes
- Make sure that all border routers have a route over each external path to the destination sites; otherwise PfR will NOT be able to control traffic effectively
- PfRv3 always checks for a parent route before it can control a traffic class. The parent route check is done as follows:
  1. Check whether there is an NHRP shortcut route
  2. If not, check in the order BGP, EIGRP, static, RIB
- If at any point an NHRP shortcut route appears, PfRv3 picks it up and relinquishes the parent route from one of the routing protocols
- PfRv3 up to 3.15/15.5(2)T supported only one next hop per multipoint interface: routing has to be done such that only one next hop per destination prefix is in the routing table per DMVPN tunnel interface

PfRv3: How it Works
(Figure: ISR and ASR1K border routers (BRs) reporting learned traffic classes and performance measurements to the master controller (MC), which returns traffic-class path decisions)
1. Define your traffic policy: define path optimization policies on the hub MC (load balancing, path preference, application metrics); DSCP-based policies and application-based policies
2. Learn the traffic: traffic flowing through the border routers (BRs) that matches a policy is learned as traffic classes (Unified Performance Monitor)
3. Measurement: the measured traffic-class performance metrics are reported to the master controller for policy compliance (Unified Performance Monitor)
4. Path enforcement: the master controller directs BR path changes to keep traffic within policy (route enforcement module in the feature path)

PfR Components
The decision maker: Master Controller (MC)
- Applies policy, verification, reporting
- No packet forwarding/inspection required
- Standalone or combined with a BR
- VRF aware; IPv4 only (IPv6 future)
The forwarding path: Border Router (BR)
- Gains network visibility in the forwarding path (learn, measure)
- Enforces the MC's decision (path enforcement)
- VRF aware; IPv4 only (IPv6 future)
(Figure: hub with MC1, BR1 and BR2; branches with combined MC/BR devices or a standalone BR)

IWAN Domain
- A collection of sites that share the same set of policies
- An IWAN domain includes a mandatory hub site, optional transit sites, and branch sites
- Each site has a unique identifier (Site-ID), derived from the loopback address of the local MC
- Central and headquarters sites play a significant role in PfR and are called an IWAN Point of Presence (POP); each of these sites has a unique identifier called a POP-ID
- Each site runs PfR and gets its path control configuration and policies from the logical IWAN domain controller through the IWAN Peering Service
(Figure: POP1 (hub, Site ID 10.1.0.10, MC1, BR1/BR2) and POP2 (transit, Site ID 10.2.0.20, MC2, BR3/BR4) across the DCI/WAN core; PATH1 and PATH2 to branches with Site IDs 10.3.0.31, 10.4.0.41 and 10.5.0.51, each an MC/BR or BR)

Hub Site
- Located in an enterprise central site or headquarters location; can act as a transit site to access servers in the data centers or for spoke-to-spoke traffic
- POP identifier (POP-ID) 0 is automatically assigned to a hub site; only one hub site exists per IWAN domain
- The logical domain controller functionality resides on this site's master controller (MC); the MC for this site is known as the Hub master controller (Hub MC, HMC)
- MCs from all other sites (transit or branch) connect to the Hub MC for PfR configuration and policies
(Figure: POP1 hub, Site ID 10.1.0.10, POP-ID 0, holding the policies and monitors on MC1 with BR1/BR2; POP2 transit, Site ID 10.2.0.20, POP-ID 1, MC2 with BR3/BR4; path ID 1 on the DMVPN transport and path INET ID 2 to the branches)

Policy/Monitor Distribution
- Domain policies and monitor instances are configured on the Hub MC
- Policies are defined per VRF
- They are then distributed to the branch sites using the peering infrastructure
(Figure: policies and monitors flow from the DC MC to a transit BR, a dual-CPE branch (MC/BR plus BR) and a single-CPE branch (MC/BR) over the first transport and INET)

Performance Policies: DSCP or Application Based
    domain IWAN
     vrf default
      master hub
       load-balance
       class MEDIA sequence 10
        match application telepresence-media policy real-time-video
        match application ms-lync policy real-time-video
        ! the primary path name is missing from the transcription
        path-preference fallback INET
       class VOICE sequence 20
        match dscp ef policy voice
        path-preference fallback INET
       class CRITICAL sequence 30
        match dscp af31 policy low-latency-data
- Policies: DSCP or application based (NBAR2)
- DSCP marking can be used with NBAR2 on the LAN interface (ingress on the BR)
- The default class is load balanced

Built-in Policy Templates
Pre-defined template: threshold definition (priority, metric, threshold)
- Voice: priority 1 one-way-delay 150 msec; priority 2 packet-loss-rate 1 %; priority 2 byte-loss-rate 1 %; priority 3 jitter 30 msec
- Real-time-video: priority 1 packet-loss-rate 1 %; priority 1 byte-loss-rate 1 %; priority 2 one-way-delay 150 msec; priority 3 jitter 20 msec
- Low-latency-data: priority 1 one-way-delay 100 msec; priority 2 byte-loss-rate 5 %; priority 2 packet-loss-rate 5 %
- Bulk-data: priority 1 one-way-delay 300 msec; priority 2 byte-loss-rate 5 %; priority 2 packet-loss-rate 5 %
- Best-effort: priority 1 one-way-delay 500 msec; priority 2 byte-loss-rate 10 %; priority 2 packet-loss-rate 10 %
- Scavenger: priority 1 one-way-delay 500 msec; priority 2 byte-loss-rate 50 %; priority 2 packet-loss-rate 50 %
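To make the templates above concrete, the following added example (not from the original deck or from Cisco) encodes them together with the MEDIA, VOICE and CRITICAL classes of the previous slide and runs a simplified version of the threshold-crossing and reroute decision on constructed per-path measurements. The primary path name is missing from the transcription, so "PRIMARY" is a placeholder; the decision logic is a model of the behaviour the slides describe, not PfRv3's implementation.

```python
from typing import Dict, List, Tuple

# Built-in PfRv3 policy templates as listed on the slide: metric -> (priority, threshold).
# Delay and jitter are in msec, loss rates in percent.
TEMPLATES: Dict[str, Dict[str, Tuple[int, float]]] = {
    "voice":            {"one-way-delay": (1, 150), "packet-loss-rate": (2, 1),
                         "byte-loss-rate": (2, 1), "jitter": (3, 30)},
    "real-time-video":  {"packet-loss-rate": (1, 1), "byte-loss-rate": (1, 1),
                         "one-way-delay": (2, 150), "jitter": (3, 20)},
    "low-latency-data": {"one-way-delay": (1, 100), "byte-loss-rate": (2, 5),
                         "packet-loss-rate": (2, 5)},
    "bulk-data":        {"one-way-delay": (1, 300), "byte-loss-rate": (2, 5),
                         "packet-loss-rate": (2, 5)},
    "best-effort":      {"one-way-delay": (1, 500), "byte-loss-rate": (2, 10),
                         "packet-loss-rate": (2, 10)},
    "scavenger":        {"one-way-delay": (1, 500), "byte-loss-rate": (2, 50),
                         "packet-loss-rate": (2, 50)},
}

# Classes from the "Performance Policies" slide. The name of the primary path is
# missing from the transcription, so "PRIMARY" is a constructed placeholder.
CLASSES: Dict[str, Dict] = {
    "VOICE":    {"policy": "voice",            "path-preference": ["PRIMARY", "INET"]},
    "MEDIA":    {"policy": "real-time-video",  "path-preference": ["PRIMARY", "INET"]},
    "CRITICAL": {"policy": "low-latency-data", "path-preference": None},
}

# Constructed per-path measurements, as the ingress performance monitor would report them.
MEASUREMENTS: Dict[str, Dict[str, float]] = {
    "PRIMARY": {"one-way-delay": 120, "packet-loss-rate": 1.5, "byte-loss-rate": 1.5, "jitter": 10},
    "INET":    {"one-way-delay": 95,  "packet-loss-rate": 0.3, "byte-loss-rate": 0.3, "jitter": 25},
}


def violations(policy: str, metrics: Dict[str, float]) -> List[str]:
    """Metric names above the template threshold, most important priority first:
    these are the conditions that raise a Threshold Crossing Alert (TCA)."""
    hits = [(prio, name) for name, (prio, limit) in TEMPLATES[policy].items()
            if metrics.get(name, 0) > limit]
    return [name for _, name in sorted(hits)]


def decide(tc_class: str, current: str,
           measurements: Dict[str, Dict[str, float]] = MEASUREMENTS) -> Dict:
    """Simplified path decision for one traffic class:
    - in policy on the current path: stay, unless the preferred path is also back in
      policy, in which case return to it;
    - TCA on the current path: move to the first path in preference order that is in
      policy (any path for classes without a path-preference);
    - no path in policy: keep the current path."""
    cls = CLASSES[tc_class]
    policy = cls["policy"]
    order = cls["path-preference"] or list(measurements)
    tca = violations(policy, measurements[current])
    result = {"class": tc_class, "policy": policy, "tca": tca, "path": current, "action": "stay"}
    if not tca:
        preferred = order[0] if cls["path-preference"] else current
        if preferred != current and not violations(policy, measurements[preferred]):
            result.update(path=preferred, action="return-to-preferred")
        return result
    for path in order:
        if not violations(policy, measurements[path]):
            result.update(path=path, action="reroute")
            return result
    result["action"] = "stay-no-path-in-policy"
    return result


if __name__ == "__main__":
    for name in CLASSES:
        print(decide(name, "PRIMARY"))
```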

Transit Site
- Located in an enterprise central site or headquarters location; can act as a transit site to access servers in the data centers or for spoke-to-spoke traffic
- A POP identifier (POP-ID) is configured for each transit site; this POP-ID has to be unique in the domain
- The master controller (MC) for this site is known as a Transit Master Controller (Transit MC, TMC)
- The local MC peers with the Hub MC to get its policies, monitor configuration and timers
(Figure: POP1 hub (Site ID 10.1.0.10, POP-ID 0, MC1, BR1/BR2) peering with POP2 transit (Site ID 10.2.0.20, POP-ID 1, MC2, BR3/BR4); path ID 1 on DMVPN and path INET ID 2 to the branches)

Branch Site
- Always a DMVPN spoke, and a stub site where transit traffic is not allowed
- The local MC peers with the logical domain controller (the Hub MC) to get its policies and monitoring guidelines
(Figure: POP1 hub (Site ID 10.1.0.10, MC1, BR1/BR2) and POP2 transit (Site ID 10.2.0.20, MC2, BR3/BR4) with IWAN peering to branches that are MC/BR or BR devices on the DMVPN and INET transports)

WAN Interface Discovery
- Hub and transit BRs have path names and path identifiers manually defined: the path name identifies a transport, the path identifier (Path-ID) is unique per site
- Hub and transit BRs send a discovery packet with the path names to all discovered sites
- Path discovery from the hub border routers: the WAN path is detected on the branch with its path name, POP-ID, Path-ID and DSCP
(Figure: hub site (Site ID 10.1.0.10, POP-ID 0, Hub MC MC1, BR1/BR2) and transit site (Site ID 10.2.0.20, POP-ID 1, Transit MC MC2, BR3/BR4), each with Path-ID 1 on the DMVPN transport and path INET Path-ID 2, towards branches 10.3.1.0/24, 10.4.1.0/24 and 10.5.1.0/24)

WAN Interface Performance Monitors
PfR automatically configures three Performance Monitor Instances (PMI) on every external interface:
- Monitor1: Site Prefix Learning (egress direction)
- Monitor2: Aggregate Bandwidth per Traffic Class (egress direction)
- Monitor3: Performance measurements (ingress direction)

Performance Monitoring: User Traffic (Passive Monitoring)
- Bandwidth on egress, per Traffic Class (destination prefix, DSCP, application name).
- The Performance Monitor collects performance metrics per channel: per DSCP, per source and destination site, per interface.
Diagram: SITE1 (MC with BRs), SITE2 dual CPE (MC/BR + BR), SITE3 single CPE (MC/BR), connected over DMVPN and INET.

Performance Monitoring: Smart Probing
- Integrated Smart Probes.
- Traffic driven, intelligent on/off.
- Site to site and per DSCP.
- The Performance Monitor collects performance metrics per channel: per DSCP, per source and destination site, per interface.
Diagram: same three-site topology (SITE1 MC with BRs, SITE2 dual CPE, SITE3 single CPE) with smart probes sent between sites.

Performance Violation
- A Threshold Crossing Alert (TCA) is sent to the source site: loss, delay, jitter, unreachable.
Diagram: SITE1 (MC with BRs), SITE2 dual CPE, SITE3 single CPE; the TCA travels from the measuring site back to the source site.

Performance Violation: NetFlow Export
Diagram: SITE1 (MC with BRs), SITE2 dual CPE, SITE3 single CPE; the performance violation is exported via NetFlow.

Policy Decision
- Reroute traffic to a secondary path.
Diagram: user traffic from SITE1 (MC with BRs) to SITE2 dual CPE and SITE3 single CPE is moved from the primary path to the INET path.
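The built-in templates, the TCA and the policy decision above, as an added example (not Cisco's code): a simplified model of how a master controller evaluates a traffic class against a template, raises a TCA per channel and moves traffic along the configured path preference. The path name "PRIMARY" and the channel metrics are constructed placeholders, and the "stay on an out-of-policy path when all paths are out of policy" rule is an assumption of this model.

```python
# Added example, not Cisco code: a simplified model of how a PfRv3 master
# controller checks a traffic class against one of the built-in policy
# templates above, raises a TCA and moves traffic along the path preference.

# Built-in templates from the slide: (priority, metric, threshold); msec and percent.
TEMPLATES = {
    "voice":            [(1, "one-way-delay", 150), (2, "packet-loss-rate", 1),
                         (2, "byte-loss-rate", 1), (3, "jitter", 30)],
    "real-time-video":  [(1, "packet-loss-rate", 1), (1, "byte-loss-rate", 1),
                         (2, "one-way-delay", 150), (3, "jitter", 20)],
    "low-latency-data": [(1, "one-way-delay", 100), (2, "byte-loss-rate", 5),
                         (2, "packet-loss-rate", 5)],
    "bulk-data":        [(1, "one-way-delay", 300), (2, "byte-loss-rate", 5),
                         (2, "packet-loss-rate", 5)],
    "best-effort":      [(1, "one-way-delay", 500), (2, "byte-loss-rate", 10),
                         (2, "packet-loss-rate", 10)],
    "scavenger":        [(1, "one-way-delay", 500), (2, "byte-loss-rate", 50),
                         (2, "packet-loss-rate", 50)],
}

def tca(policy, metrics):
    """Threshold Crossing Alert check for one channel: return the violated
    template entries as (priority, metric, threshold, measured), best
    priority first. An unreachable channel (metrics is None) violates all."""
    rules = TEMPLATES[policy]
    if metrics is None:
        return sorted((p, m, t, None) for p, m, t in rules)
    return sorted((p, m, t, metrics[m]) for p, m, t in rules
                  if m in metrics and metrics[m] > t)

def choose_path(policy, path_preference, channels, current):
    """Policy decision for a traffic class. channels maps path name to the
    measured metrics of its channel (None = unreachable); path_preference is
    the configured order (preferred path, then fallback). First in-policy path
    wins; if all are out of policy, stay on current unless it is unreachable."""
    for path in path_preference:
        if not tca(policy, channels.get(path)):
            return path
    if channels.get(current) is not None:
        return current            # assumption: no move to another out-of-policy channel
    reachable = [p for p in path_preference if channels.get(p) is not None]
    return reachable[0] if reachable else current

# Constructed sample: EF channels from one branch on both paths; "PRIMARY"
# is a placeholder for the unnamed path-id 1 on these slides, INET is path-id 2.
CHANNELS = {"PRIMARY": {"one-way-delay": 180, "packet-loss-rate": 0.2,
                        "byte-loss-rate": 0.2, "jitter": 10},
            "INET":    {"one-way-delay": 60, "packet-loss-rate": 0.5,
                        "byte-loss-rate": 0.5, "jitter": 15}}
```

With the sample above, voice on PRIMARY trips the priority-1 delay threshold (180 msec > 150), so the class is moved to INET, while scavenger stays on PRIMARY because its 500 msec threshold is not crossed.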

PfRv3 Deployment in the Network

PfR Deployment: Hub

Hub site: R83 is the Hub MC (Site ID = 10.8.3.3, POP ID 0); R84 and R85 are the BRs. Path-id 1 runs over DMVPN, path INET (path-id 2) over DMVPN INET. The diagram also shows the transit site (R93, R94, R95) and the branches R10 to R13 with prefixes 10.1.10.0/24, 10.1.11.0/24, 10.1.12.0/24 and 10.1.13.0/24. The name of the path with path-id 1 is not recoverable from the slide.

R83 (MC):
  domain IWAN
   vrf default
    master hub
     source-interface Loopback0
     enterprise-prefix prefix-list ENTERPRISE_PREFIX
     site-prefixes prefix-list DC_PREFIX

R84 (BR):
  domain IWAN
   vrf default
    border
     master 10.8.3.3
     source-interface Loopback0
  interface Tunnel100
   description -- Primary Path --
   domain IWAN path path-id 1

R85 (BR):
  domain IWAN
   vrf default
    border
     master 10.8.3.3
     source-interface Loopback0
  interface Tunnel200
   description -- Secondary Path --
   domain IWAN path INET path-id 2

- Enterprise Prefix: summary prefix for the entire domain.
- Site Prefix: static definition of the prefixes for a site (no automatic learning). Mandatory.

Redundant MC: Anycast IP
- What happens when an MC fails? Traffic is forwarded based on routing information, i.e. no drop.
- What happens when the Hub MC fails? Branch MCs keep their configuration and policies and continue to optimize traffic.
- A backup MC can be defined on the hub, using the same IP address as the primary. The routing protocol is used to make sure BRs and branch MCs connect to the primary.
- Stateless redundancy: the backup MC will re-learn the traffic.
Diagram: MC1 Hub MC 10.8.3.3/32 with R84; MC2 at the TRANSIT SITE as Backup Hub MC 10.8.3.3/30 with R85; INET; branches R10 to R13 with 10.1.10.0/24, 10.1.11.0/24, 10.1.12.0/24 and 10.1.13.0/24.

PfR Deployment: Transit Site

Transit site: R93 is the Transit MC (Site ID = 10.9.3.3, POP ID 1); R94 and R95 are the BRs. The hub site is R83 (Site ID = 10.8.3.3). Path-id 1 over DMVPN, path INET (path-id 2) over DMVPN INET; branches R10 to R13 with 10.1.10.0/24, 10.1.11.0/24, 10.1.12.0/24 and 10.1.13.0/24.

R93 (MC):
  domain IWAN
   vrf default
    master transit 1
     source-interface Loopback0
     site-prefixes prefix-list DC_PREFIX
     hub 10.8.3.3

R94 (BR):
  domain IWAN
   vrf default
    border
     master 10.9.3.3
     source-interface Loopback0
  interface Tunnel100
   description -- Primary Path --
   domain IWAN path path-id 1

R95 (BR):
  domain IWAN
   vrf default
    border
     master 10.9.3.3
     source-interface Loopback0
  interface Tunnel200
   description -- Secondary Path --
   domain IWAN path INET path-id 2

- Site Prefix: static definition of the prefixes for a site (no automatic learning). Mandatory.

PfR Deployment: Single CPE Branch

Single CPE branch sites: the branch MC connects to the Hub MC. Hub site Site ID = 10.8.3.3 (R83, BRs R84/R85), transit site Site ID = 10.9.3.3 (R93, BRs R94/R95), DMVPN and DMVPN INET; branches R10 to R13 with 10.1.10.0/24, 10.1.11.0/24, 10.1.12.0/24 and 10.1.13.0/24.

R10 (MC/BR):
  domain IWAN
   vrf default
    master branch
     source-interface Loopback0
     hub 10.8.3.3
    border
     master local
     source-interface Loopback0

PfR Deployment: Dual CPE Branch

Dual CPE branch sites: the branch MC connects to the Hub MC; the second router is a BR pointing at the local MC. Hub site Site ID = 10.8.3.3 (R83, BRs R84/R85), transit site Site ID = 10.9.3.3 (R93, BRs R94/R95), DMVPN and DMVPN INET; branches R10 to R13 with 10.1.10.0/24, 10.1.11.0/24, 10.1.12.0/24 and 10.1.13.0/24.

R12 (MC/BR):
  domain IWAN
   vrf default
    master branch
     source-interface Loopback0
     hub 10.8.3.3
    border
     master local
     source-interface Loopback0

R13 (BR):
  domain IWAN
   vrf default
    border
     master 10.2.12.12
     source-interface Loopback0

PfR Deployment: Hub Policies, Intervals

Hub site: policies are configured on the hub only; monitoring intervals can be adjusted. R83 is the Hub MC (Site ID = 10.8.3.3, POP ID 0), BRs R84/R85, transit MC R93 with BRs R94/R95, path-id 1 over DMVPN and path INET (path-id 2) over DMVPN INET; branches R10 to R13 with 10.1.10.0/24, 10.1.11.0/24, 10.1.12.0/24 and 10.1.13.0/24.

R83 (MC):
  domain one
   vrf default
    master hub
     source-interface Loopback0
     site-prefixes prefix-list DC1_PREFIX
     monitor-interval 4 dscp af31
     monitor-interval 4 dscp cs4
     monitor-interval 4 dscp af41
     monitor-interval 4 dscp ef
     load-balance
     enterprise-prefix prefix-list ENTERPRISE_PREFIX
     class VOICE sequence 10
      match dscp ef policy voice
      path-preference fallback INET
     class VIDEO sequence 20
      match dscp af41 policy custom
       priority 2 loss threshold 5
       priority 1 one-way-delay threshold 150
      match dscp cs4 policy custom
       priority 2 loss threshold 5
       priority 1 one-way-delay threshold 150
      path-preference fallback INET
     class CRITICAL sequence 30
      match dscp af31 policy low-latency-data
      path-preference fallback INET

Deploying with VRF: Hub MC

One MC instance per VRF, each with its own source loopback. MC1 addresses: GLOBAL 10.8.3.3, VRF TEST1 11.8.3.3, VRF TEST2 12.8.3.3. The diagram shows the TRANSIT SITE, BRs R84/R85, INET and the enterprise branch sites R10 to R13 (10.1.10.0/24, 10.1.11.0/24, 10.1.12.0/24, 10.1.13.0/24).

MC1:
  interface Loopback1
   vrf forwarding TEST1
  interface Loopback2
   vrf forwarding TEST2
  domain IWAN
   vrf TEST1
    master hub
     source-interface Loopback1
   vrf TEST2
    master hub
     source-interface Loopback2

Deploying with VRF: Hub MC Policies

  domain IWAN
   vrf TEST1
    master hub
     load-balance
     class VOICE sequence 10
      match dscp ef policy voice
      path-preference fallback INET
     class VIDEO sequence 20
      match dscp af41 policy voice
      path-preference fallback INET
     class CRITICAL sequence 30
      match dscp af31 policy low-latency-data
   vrf TEST2
    master hub
     load-balance
     class VOICE sequence 10
      match dscp ef policy voice
      path-preference fallback INET
     class CRITICAL sequence 30
      match dscp af31 policy low-latency-data

Deploying with VRF: Hub BR

Each VRF gets its own tunnel (Tu101 for TEST1, Tu102 for TEST2) and its own border instance pointing at the MC address in that VRF (MC1: GLOBAL 10.8.3.3, VRF TEST1 11.8.3.3, VRF TEST2 12.8.3.3). The diagram shows R84/R85, the TRANSIT SITE, INET and the enterprise branch sites R10 to R13 (10.1.10.0/24, 10.1.11.0/24, 10.1.12.0/24, 10.1.13.0/24).

R84 (BR):
  domain IWAN
   vrf TEST1
    border
     master 11.8.3.3
     source-interface Loopback1
   vrf TEST2
    border
     master 12.8.3.3
     source-interface Loopback2
  interface Tunnel101
   description -- Primary Path
   vrf forwarding TEST1
   domain IWAN path
  interface Tunnel102
   description -- Primary Path
   vrf forwarding TEST2
   domain IWAN path

Deploying with VRF: Branch MC/BR

The branch runs one MC and one border instance per VRF, each peering with the hub MC address of that VRF (MC1: GLOBAL 10.8.3.3, VRF TEST1 11.8.3.3, VRF TEST2 12.8.3.3) over Tu101/Tu102. The diagram shows R84/R85, the TRANSIT SITE, INET and the enterprise branch sites R10 to R13 (10.1.10.0/24, 10.1.11.0/24, 10.1.12.0/24, 10.1.13.0/24).

R10 (MC/BR):
  domain IWAN
   vrf TEST1
    master branch
     source-interface Loopback1
     hub 11.8.3.3
    border
     master local
     source-interface Loopback1
   vrf TEST2
    master branch
     source-interface Loopback2
     hub 12.8.3.3
    border
     master local
     source-interface Loopback2
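The hub, transit and branch deployment steps above, as an added example (not Cisco's code): a small checker that reads the per-device "domain" stanzas in the syntax shown on these slides and verifies the domain-wide rules the slides state. The device texts are constructed from the slides; "PATH1" stands in for the unnamed path with path-id 1, and the site MC addresses for the transit site and branch are taken from or left open as on the slides.

```python
# Added example, not Cisco code: read the PfRv3 "domain" stanzas of the devices
# on these slides and check the domain rules the slides state: POP-ID unique
# (hub is 0), path-id unique per site, site-prefixes mandatory on hub/transit
# MCs, every BR pointing at its own site MC, branch/transit MCs at the hub MC.
import re

def facts(cfg):
    """PfR-relevant facts from one device's config text."""
    mc = re.search(r"master (hub|branch|transit) ?(\d*)", cfg)
    border = re.search(r"border\s+master (\S+)", cfg)
    hub = re.search(r"^\s*hub (\S+)", cfg, re.M)
    role = mc.group(1) if mc else None
    pop = 0 if role == "hub" else int(mc.group(2) or 0) if role == "transit" else None
    return {"role": role, "pop": pop, "hub": hub.group(1) if hub else None,
            "border": border.group(1) if border else None,
            "site_prefixes": "site-prefixes prefix-list" in cfg,
            "path_ids": re.findall(r"path-id (\d+)", cfg)}

def check_domain(sites, hub_mc):
    """sites: {name: {"mc": ip or None, "devices": [cfg, ...]}}; returns violations."""
    problems, pops = [], {}
    for name, site in sites.items():
        devs = [facts(c) for c in site["devices"]]
        mc = next(d for d in devs if d["role"])          # the site's MC
        if mc["role"] != "branch":                        # hub or transit site
            if not mc["site_prefixes"]:
                problems.append(f"{name}: site-prefixes are mandatory on a {mc['role']} MC")
            if mc["pop"] in pops:
                problems.append(f"{name}: POP-ID {mc['pop']} already used by {pops[mc['pop']]}")
            pops[mc["pop"]] = name
        if mc["role"] != "hub" and mc["hub"] != hub_mc:
            problems.append(f"{name}: MC must point at hub MC {hub_mc}, got {mc['hub']}")
        ids = [i for d in devs for i in d["path_ids"]]
        if len(ids) != len(set(ids)):
            problems.append(f"{name}: path-id must be unique per site, got {ids}")
        for d in devs:
            if d["border"] not in (None, "local", site["mc"]):
                problems.append(f"{name}: BR master {d['border']} is not the site MC {site['mc']}")
    return problems

# Constructed sample built from the slides; PATH1 stands in for the unnamed path-id 1.
R83 = "domain IWAN\n vrf default\n  master hub\n   source-interface Loopback0\n   site-prefixes prefix-list DC_PREFIX\n"
R84 = "domain IWAN\n vrf default\n  border\n   master 10.8.3.3\n!\ninterface Tunnel100\n domain IWAN path PATH1 path-id 1\n"
R85 = "domain IWAN\n vrf default\n  border\n   master 10.8.3.3\n!\ninterface Tunnel200\n domain IWAN path INET path-id 2\n"
R93 = "domain IWAN\n vrf default\n  master transit 1\n   site-prefixes prefix-list DC_PREFIX\n   hub 10.8.3.3\n"
R10 = "domain IWAN\n vrf default\n  master branch\n   hub 10.8.3.3\n  border\n   master local\n"
SITES = {"HUB": {"mc": "10.8.3.3", "devices": [R83, R84, R85]},
         "TRANSIT": {"mc": "10.9.3.3", "devices": [R93]},
         "BRANCH": {"mc": None, "devices": [R10]}}
```

check_domain(SITES, "10.8.3.3") returns an empty list for the sample; a duplicated path-id, a transit site reusing POP-ID 0, or a BR whose master is not its site MC each produce one named violation.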

Summary

Intelligent WAN: An Architectural and Systems Approach
- IWAN is a Solution Architecture: solves a network problem; use case driven.
- Systems Development Approach: prescribed, tested, interoperable; bounded scope and complexity; enables automation and quality (NEW).
- Delivers Business Outcomes: reduce WAN costs, increase bandwidth; improve and protect application performance; Direct Internet Access and guest access offload; IT simplification (cost reduction).

Platform Support
- Cisco CSR-1000 and Cisco ASR-1000: MC, BR (1)
- Cisco ISR G2 family (3900-AX, 2900-AX, 1900-AX, 890): MC, BR
- Cisco ISR 4000 (4400, 4300): MC, BR
(1) XE 3.18

Cisco IWAN Enterprise Management Portfolio

IWAN App: Prescriptive Policy Automation
- Customer wants considerable automation and operational simplicity; requirements consistent with the prescriptive IWAN Validated Design.
- Audience: lean IT organization.

Prime Infrastructure: Enterprise Network Management and Monitoring
- Customer needs a customizable IWAN with end-to-end monitoring; one assurance across the Cisco portfolio from branch to data center.
- Audience: IT network team.

Cisco Ecosystem Partners: Application Aware Performance Management
- Customer is looking for advanced monitoring and visualization; QoS/PfR/AVC configuration, real-time analytics and network troubleshooting.
- Audience: IT network team.

Cisco Ecosystem Partners: Advanced Orchestration
- Customer wants advanced provisioning, life cycle management and customized policies; system-wide network consistency assurance.
- Audience: lean IT or IT network team.