Intelligent WAN (IWAN) Design and Deployment
Adam Groudan, Technical Solutions Architect
David Prall, Communications Architect
BRKCRS-2002

Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session:
1. Find this session in the Cisco Live Mobile App
2. Click Join the Discussion
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
Cisco Spark spaces will be available until July 3, 2017.
cs.co/ciscolivebot#sessionid (e.g. session ID = BRKCRS-2002: cs.co/ciscolivebot#brkcrs-2002)
2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Demo 1 IWAN with Prime Custom Templates
Demo 1 Topology (figure)
Agenda
- Demo 1: IWAN with Prime Custom Templates
- SD-WAN and IWAN
- Demo 2: IWAN Application Walkthrough
- IWAN technology
- Demo 3: IWAN Live Interactive Configuration Review
- Next Steps, Q&A
What problem is the industry trying to solve with SD-WAN?
Simplify the administration of the network, and find a way for applications to have greater control over the network.
Design Consideration - Migration: Recommended Approach
(Figure: remote site with the existing MSP-RT router on MPLS and a new ISP-RT router on the Internet WAN, adding application visibility, application optimization and path control, connecting to the existing and new data center WAN edge.)
Roadmap to Success:
1. Identify baseline: understand existing application traffic; determine existing QoS policy; evaluate impact of proposed changes
2. Transport independent: leverage overlay through existing equipment at the data center for a transport-agnostic redesign; replace remote site equipment or leverage overlay
3. Intelligent path control: select a test application as candidate for intelligent path control; test blackout and brownout failover scenarios
4. Simplified management: script creation; automation
Demo 2 APIC-EM IWAN App Walkthrough
Prebuilt APIC-EM Dual DC Lab Topology Reference Design (figure)
Transport Independent
Transport independent design:
- Consistent operational model
- Simple provider migrations
- Scalable and modular design
- IPsec routing overlay design: F-VRF and DMVPN
Front Door VRF
- VRFs have independent routing and forwarding planes
- Inside network (global VRF): the branch LAN (198.18.128.0/18) and the IPsec tunnel interface
- Front door VRF (F-VRF): the provider interface with the provider-assigned WAN IP address (198.10.0.1/30)
- ACL on the provider interface to permit only authorised traffic, i.e. IPsec
DMVPN
DMVPN: The Magic Overlay
- Branch spoke sites establish an IPsec tunnel to, and register with, the hub site
- IP routing exchanges prefix information for each site; BGP or EIGRP are typically used for scalability
- Only the WAN IP addresses need to be known by the WAN transport
- The WAN interface IP address can be used for the tunnel source address
- Data traffic flows over the DMVPN tunnels
- When traffic flows between spoke sites, dynamic site-to-site tunnels are established
- Per-tunnel QoS can be applied to prevent hub site oversubscription to spoke sites
- Dual DMVPN design: single mGRE tunnel on the hub, two mGRE tunnels on the spokes
(Figure: hub tunnel endpoints physical 172.17.0.1 / Tunnel0 10.0.0.1 and physical 172.17.0.5 / Tunnel1 10.0.1.1; spokes with dynamic physical addresses, Tunnel0 10.0.0.11 and 10.0.0.12, Tunnel1 10.0.1.11 and 10.0.1.12; site LANs 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24.)
DMVPN Encryption
Assuring Confidentiality: IKEv2 + Strong Cryptography
- Strong, certified cryptography and IPsec architecture to protect transport
- Protects from eavesdropping and man-in-the-middle attacks (figure: eavesdropper, man-in-the-middle and uncontrolled access on the Internet WAN between branch, WAN edge and private DC)
- 256-bit Advanced Encryption Standard (AES-256-GCM) with Elliptic Curve Cryptography for a 192-bit security level
- IKEv2 for secure, trusted transport security establishment; anti-replay; PKI
- Strongest authentication and key exchange algorithms: ECDSA, ECDH and SHA-2 (SHA-256/384)
- NSA certified for both unclassified and most-classified information categories
QoS
Remote Site QoS Configuration
(Figure: data center DMVPN hub with a 100 Mbps uplink on 1 Gbps Ethernet and headend IPsec; four remote site spokes with 20, 10, 30 and 10 Mbps WAN links from ISP X; the per-tunnel QoS shaper on the hub matches each spoke's committed information rate.)
Hub configuration (per-tunnel shaper, output toward the spoke):
 interface Tunnel X
  ip nhrp map group prm-20mbps service-policy output prm-dscp#iwan-8#shape#20.0
Spoke configuration (20 Mbps site):
 interface Tunnel X
  ip nhrp group prm-20mbps
Overlay Routing
IWAN Routing Best Practices
- No peering with MPLS or Internet providers
- Static routing to providers to establish DMVPN tunnels; simplifies adding or changing WAN transport services
- Single WAN routing domain: BGP or IGP over DMVPN; simplifies deployment and troubleshooting
(Figure: DC/MC with BRs toward PUBLIC (DMVPN) and MPLS (DMVPN), MC/BR at each branch.)
Intelligent Path Control
- Dynamic application best path based on policy and network conditions
- Load balancing for full utilization of bandwidth
- Improved availability
- PfRv3
Command Line Review Point 2
Key Operations - Intelligent Path Control with PfR
(Figure: ISR G2 and ASR1K platforms; an MC with BRs at the hub and MC+BR at each remote site.)
1. Define your traffic policy: identify traffic classes based on applications or transport classifiers (ISR G2 and ASR)
2. Learn the traffic: learn traffic classes flowing through Border Routers (BRs) based on your policy definitions (MC: traffic class learning, active TCs)
3. Measurement: measure the traffic flow and network performance actively or passively and report metrics to the Master Controller (MC: performance measurements)
4. Path enforcement: the Master Controller commands path changes based on your traffic policy definitions (MC: best path)
Built-in Policy Templates Matching QoS Best Practices
Pre-defined template   Priority  Metric            Threshold
voice                  1         one-way-delay     150 msec
                       2         packet-loss-rate  1 %
                       2         byte-loss-rate    1 %
                       3         jitter            30 msec
real-time-video        1         packet-loss-rate  1 %
                       1         byte-loss-rate    1 %
                       2         one-way-delay     150 msec
                       3         jitter            20 msec
low-latency-data       1         one-way-delay     100 msec
                       2         byte-loss-rate    5 %
                       2         packet-loss-rate  5 %
bulk-data              1         one-way-delay     300 msec
                       2         byte-loss-rate    5 %
                       2         packet-loss-rate  5 %
best-effort            1         one-way-delay     500 msec
                       2         byte-loss-rate    10 %
                       2         packet-loss-rate  10 %
scavenger              1         one-way-delay     500 msec
                       2         byte-loss-rate    50 %
                       2         packet-loss-rate  50 %
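To make the template table concrete, here is an added example (not from the slide deck or from Cisco's PfR implementation) that encodes the built-in templates above and checks measured path metrics against them in priority order; choose_path() is this example's own simplified model of "first in-policy path in preference order", with an assumed fallback when every path is out of policy.

```python
# Added example (not from the slide deck): the built-in PfRv3 templates from the
# table above as (priority, metric, threshold) and a simplified policy check.
# choose_path() is this example's own model, not PfRv3's actual algorithm.
# Units as on the slide: delay and jitter in msec, loss rates in percent.
TEMPLATES = {
    "voice":            [(1, "one-way-delay", 150), (2, "packet-loss-rate", 1),
                         (2, "byte-loss-rate", 1), (3, "jitter", 30)],
    "real-time-video":  [(1, "packet-loss-rate", 1), (1, "byte-loss-rate", 1),
                         (2, "one-way-delay", 150), (3, "jitter", 20)],
    "low-latency-data": [(1, "one-way-delay", 100), (2, "byte-loss-rate", 5),
                         (2, "packet-loss-rate", 5)],
    "bulk-data":        [(1, "one-way-delay", 300), (2, "byte-loss-rate", 5),
                         (2, "packet-loss-rate", 5)],
    "best-effort":      [(1, "one-way-delay", 500), (2, "byte-loss-rate", 10),
                         (2, "packet-loss-rate", 10)],
    "scavenger":        [(1, "one-way-delay", 500), (2, "byte-loss-rate", 50),
                         (2, "packet-loss-rate", 50)],
}

def violations(template, metrics):
    """Thresholds the measured path exceeds: (priority, metric, measured, threshold)."""
    return [(p, m, metrics.get(m, 0), t)
            for p, m, t in TEMPLATES[template] if metrics.get(m, 0) > t]

def choose_path(template, paths):
    """paths: (name, metrics) pairs in preference order, primary first.

    Returns the first in-policy path.  When every path is out of policy the
    fallback (an assumption of this example) takes the path whose most severe
    violation has the highest priority number, then the one with fewer violations.
    """
    for name, metrics in paths:
        if not violations(template, metrics):
            return name

    def severity(path):
        found = violations(template, path[1])
        return (-min(p for p, *_ in found), len(found))

    return min(paths, key=severity)[0]

# Constructed measurements for the two transports of one branch.
MPLS = {"one-way-delay": 160, "packet-loss-rate": 0.2, "byte-loss-rate": 0.2, "jitter": 10}
INET = {"one-way-delay": 90, "packet-loss-rate": 0.5, "byte-loss-rate": 0.5, "jitter": 12}

if __name__ == "__main__":
    for tc in ("voice", "bulk-data"):
        print(tc, "->", choose_path(tc, [("MPLS", MPLS), ("INET", INET)]),
              "MPLS violations:", violations(tc, MPLS))
```

With these constructed measurements voice moves to INET because MPLS breaches the priority-1 150 msec delay threshold, while bulk-data stays on MPLS because its 300 msec threshold is not exceeded.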
Performance Routing Version 3: Route Controller Components
- The Domain Controller (DC): discover peers; advertise policy and services; topology discovery; one per domain, collocated with the MC
- The Master Controller (Route Controller): verification, reporting and route controller; no packet forwarding/inspection required; determines optimal paths and commands the BR to enforce
- The forwarding path, Border Router (BR): gain network visibility in the forwarding path (learn, measure); enforce the MC's decision (path enforcement)
- Monitoring: unified monitoring - passive, smart probes
- Optimise by: reachability, delay, loss, jitter, link utilization, load balancing, path preference
- Scaling: recommended 2000 sites max
(Figure: IWAN domain with DC/MC and BRs at the hub, a transit MC, and MC/BR at branch sites over PUBLIC (DMVPN) and MPLS (DMVPN).)
Troubleshooting Tip: Local Command Logging
 archive
  log config
   logging enable
   notify syslog contenttype plaintext
Add these commands to the device configuration before deployment with GUI tools. An archive of executed commands is logged:
677: Sep 13 18:34:33: %PARSER-5-CFGLOG_LOGGEDCMD: User:apic-em logged command:interface Port-channel41
678: Sep 13 18:34:33: %PARSER-5-CFGLOG_LOGGEDCMD: User:apic-em logged command:service-policy input prm-nbar-12-cls
679: Sep 13 18:34:33: %SYS-5-CONFIG_I: Configured from console by apic-em on vty1 (10.5.100.166)
680: Sep 13 18:34:35: %PARSER-5-CFGLOG_LOGGEDCMD: User:apic-em logged command:!exec: enable
681: Sep 13 18:35:01: %PARSER-5-CFGLOG_LOGGEDCMD: User:apic-em logged command:interface Port-channel41
682: Sep 13 18:35:02: %PARSER-5-CFGLOG_LOGGEDCMD: User:apic-em logged command:service-policy input prm-nbar-12-cls
683: Sep 13 18:35:02: %SYS-5-CONFIG_I: Configured from console by apic-em on vty4 (10.5.100.166)
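Beyond troubleshooting, this command archive is an audit trail: the added example below (not from the slide deck) parses the CFGLOG and CONFIG_I messages into per-session command lists and flags any session whose account or source address is not the expected APIC-EM automation identity. The sample log is the excerpt above plus one constructed session (lines 684-685); the allowed user and source address are assumptions for the demo.

```python
# Added example (not from the slide deck): rebuild configuration sessions from the
# %PARSER-5-CFGLOG_LOGGEDCMD / %SYS-5-CONFIG_I messages that "archive / log config"
# emits, then flag sessions from an account or source address other than the
# expected automation (APIC-EM) identity.  Sample log: the excerpt above plus one
# constructed session (lines 684-685).
import re
from collections import namedtuple

SAMPLE_LOG = """\
677: Sep 13 18:34:33: %PARSER-5-CFGLOG_LOGGEDCMD: User:apic-em logged command:interface Port-channel41
678: Sep 13 18:34:33: %PARSER-5-CFGLOG_LOGGEDCMD: User:apic-em logged command:service-policy input prm-nbar-12-cls
679: Sep 13 18:34:33: %SYS-5-CONFIG_I: Configured from console by apic-em on vty1 (10.5.100.166)
680: Sep 13 18:34:35: %PARSER-5-CFGLOG_LOGGEDCMD: User:apic-em logged command:!exec: enable
681: Sep 13 18:35:01: %PARSER-5-CFGLOG_LOGGEDCMD: User:apic-em logged command:interface Port-channel41
682: Sep 13 18:35:02: %PARSER-5-CFGLOG_LOGGEDCMD: User:apic-em logged command:service-policy input prm-nbar-12-cls
683: Sep 13 18:35:02: %SYS-5-CONFIG_I: Configured from console by apic-em on vty4 (10.5.100.166)
684: Sep 13 18:40:10: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:no logging enable
685: Sep 13 18:40:11: %SYS-5-CONFIG_I: Configured from console by admin on vty2 (10.5.100.200)
"""

CMD_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(\S+)\s+logged command:(.*)$")
CFG_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from console by (\S+) on (\S+) \(([\d.]+)\)")
Session = namedtuple("Session", "user line ip commands")

def parse_sessions(text):
    """Group logged commands into sessions; the CONFIG_I message closes a session."""
    sessions, pending = [], []
    for raw in text.splitlines():
        m = CMD_RE.search(raw)
        if m:
            pending.append((m.group(1), m.group(2).strip()))
            continue
        m = CFG_RE.search(raw)
        if m:
            user, line, ip = m.groups()
            sessions.append(Session(user, line, ip, [c for u, c in pending if u == user]))
            pending = [p for p in pending if p[0] != user]
    return sessions

def unexpected_sessions(sessions, allowed_users, allowed_sources):
    """Sessions whose account or source address is outside the expected set."""
    return [s for s in sessions
            if s.user not in allowed_users or s.ip not in allowed_sources]

if __name__ == "__main__":
    for s in unexpected_sessions(parse_sessions(SAMPLE_LOG), {"apic-em"}, {"10.5.100.166"}):
        print(f"review: {s.user} from {s.ip} on {s.line} ran {s.commands}")
```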
Demo 3 Live Prebuilt Verification
Q & A