Design and Deployment using the Cisco Smart Business Architecture (SBA)
- 1. Design and Deployment using the Cisco Smart Business Architecture (SBA)
Anastasia Marchenko
Systems Engineer Cisco
amarchen@cisco.com
BRKRST-2040
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
- 2. Design and Deployment Using SBA
Agenda
• SBA WAN Overview
• SBA WAN Design Methodology
• Key Aspects of the Design
• Summary
- 3. The Challenge
How can I anticipate what the network might need to do in the future so I don't have to revisit my design and deployment?
Which platform should I choose? Many to choose from at each place in the network (for example ASR1000, WAE-7341).
How can I do it quickly?
What are the best practices?
How do I manage it?
How do I put it all together?
- 4. Cisco Smart Business Architecture
Overview
Tested: A reference design, tested, and supported by Cisco.
Optimized: One architecture to scale for different size organizations. Multiple tiers to match your organization's needs without changing the network architecture.
Flexible: Flexible architecture to help ensure easy migration as the organization grows.
Comprehensive: Seamless support for quick deployment of wired and wireless network access for data, voice, teleworker, and wireless guest.
Secure: Security and high availability for corporate information resources and Internet-facing applications.
Performance: Improved network performance and cost reduction through the use of services like WAN optimization.
- 5. Cisco SBA Design Overview
- 6. SBA WAN Deployment Principles
Ease of Deployment: Deploy the design consistently across all products included in the architecture. The configurations used in the deployment represent a best-practice methodology to enable a fast and resilient deployment.
Flexibility and Scalability: The architecture can grow with the organization without being redesigned.
Resiliency and Security: The architecture keeps the network operating even during unplanned outages and attacks.
Easy to Manage: The deployment guidance includes configuring devices to be managed by a network management system (NMS) or as unique elements of the network.
Advanced Technology Ready: Implementing advanced technologies like collaboration is easy because the network foundation is already configured with the required baseline network services.
- 7. Borderless Networks SBA Guides for Enterprise
MPLS WAN Deployment Guide, Layer 2 WAN Deployment Guide, VPN WAN Deployment Guide: http://www.cisco.com/go/sba

Deployment Guide              | Usage                                              | WAN Aggregation Design Models
MPLS WAN                      | MPLS L3 VPN Primary/Secondary                      | Dual MPLS, MPLS Dynamic, MPLS Static
Layer 2 WAN                   | Layer 2 WAN Primary                                | Trunked Demarcation, Simple Demarcation
VPN WAN                       | Internet/DMVPN Primary/Secondary                   | Dual DMVPN, DMVPN Only, DMVPN Backup Dedicated, DMVPN Backup Shared
VPN Remote Site over 3G/4G    | 3G/4G Internet/DMVPN Primary/Secondary             | Remote site only
Group Encrypted Transport VPN | MPLS L3 VPN Primary/Secondary; Layer 2 WAN Primary | Compatible with all design models
- 8. WAN Design and Deployment Using SBA
Agenda
• SBA WAN Overview
• SBA WAN Design Methodology
• Key Aspects of the Design
• Summary
- 9. Hierarchical WAN Design
SBA ≤ 500 Remote Sites
Diagram: the Data Center/HQ provides the core/distribution layer and spoke sites 1 to N connect to it directly. For larger scale the hierarchy is extended: the Data Center/HQ core connects to regional hubs (distribution layer), and each regional hub serves its own spoke sites (1 to N, 1' to N') at the access layer.
- 10. WAN-Aggregation Reference Design
Diagram: core layer above a WAN distribution layer. Attached to the WAN distribution layer are the DMVPN hub routers (DMVPN 1 and DMVPN 2, reaching ISP A / ISP B through the Internet edge), the MPLS CE routers (MPLS A and MPLS B) and the Layer 2 WAN CE router (Layer 2 WAN).
- 11. WAN Remote Site Designs
Basic Remote Site (diagram)
- 12. WAN Remote Site Designs (MPLS and DMVPN)
Design model        | Non Redundant    | Redundant Links                           | Redundant Links & Routers
MPLS WAN            | MPLS             | MPLS-A + MPLS-B                           | MPLS-A + MPLS-B
MPLS + Internet WAN | -                | MPLS + Internet (DMVPN)                   | MPLS + Internet (DMVPN)
Internet WAN        | Internet (DMVPN) | Internet (DMVPN-1) + Internet (DMVPN-2)   | Internet (DMVPN-1) + Internet (DMVPN-2)
- 13. WAN Remote Site Designs (L2, 3G/4G and DMVPN)
Design model               | Non Redundant | Redundant Links             | Redundant Links & Routers
VPLS WAN                   | VPLS          | -                           | -
VPLS + Internet WAN        | -             | VPLS + Internet (DMVPN-1)   | VPLS + Internet (DMVPN-1)
3G/4G Internet WAN         | 3G/4G (DMVPN) | -                           | -
MPLS + 3G/4G Internet WAN  | -             | MPLS + 3G/4G (DMVPN)        | MPLS + 3G/4G (DMVPN)
- 14. WAN Remote Site Reference Designs
Access Layer Only
Single Router Remote Sites: no HSRP required. 802.1q Vlan trunk (64-65, 69-70) to the access switch carrying Vlan64 - data, Vlan65 - wireless data, Vlan69 - voice, Vlan70 - wireless voice.
Dual Router Remote Sites: add a router and a transit network and enable HSRP. 802.1q Vlan trunk (64-65, 69-70, 99) carrying the HSRP VLANs (Vlan64 - data, Vlan65 - wireless data, Vlan69 - voice, Vlan70 - wireless voice) plus Vlan99 - transit; one router is the active HSRP router.

IP Network Assignment (Example)
Vlan   | Usage          | Access Layer Only Designs | IP Network
Vlan65 | Wireless Data  | Yes                       | 10.5.50.0/24
Vlan70 | Wireless Voice | Yes                       | 10.5.51.0/24
Vlan64 | Data 1         | Yes                       | 10.5.52.0/24
Vlan69 | Voice 1        | Yes                       | 10.5.53.0/24
Vlan99 | Transit        | Yes (dual router only)    | 10.5.48.0/30
- 15. WAN Remote Site Reference Designs
Distribution and Access Layer
Add a distribution layer (with a transit network for dual router sites).
Single Router Remote Sites: 802.1q trunk (50) from the router to the distribution switch carrying Vlan50 - router 1 link; 802.1q trunks (xx-xx) from the distribution switch to each access switch carrying the data and voice VLANs.
Dual Router Remote Sites: 802.1q trunk (50,99) from router 1 and 802.1q trunk (54,99) from router 2 carrying Vlan50 - router 1 link, Vlan54 - router 2 link and Vlan99 - transit; 802.1q trunks (xx-xx) from the distribution switch to each access switch carrying the data and voice VLANs.
- 16. WAN Remote Site Reference Design
Distribution Layer Wireless LAN Integration
WLAN Controller required for the distribution layer design to support roaming. No HSRP required.
Router links to distribution: 802.1q trunk (50,99) and 802.1q trunk (54,99) carrying Vlan50 - router 1 link, Vlan54 - router 2 link, Vlan99 - transit.
WLAN controller link to distribution: 802.1q trunk (106, WD, WV) carrying Vlan106 - management, VlanWD - wireless data, VlanWV - wireless voice.
Access switch links: 802.1q trunk (100, 101) carrying Vlan100 - data and Vlan101 - voice; 802.1q trunk (102-103) carrying Vlan102 - data and Vlan103 - voice.
- 17. WAN Design and Deployment Using SBA
Agenda
• SBA WAN Overview
• SBA WAN Design Methodology
• Key Aspects of the Design
• Summary
- 18. This Topic Is Covered in Detail
in BRKCRS-2030
WAN Edge Connection Methods Compared
Diagram: three ways of attaching the WAN edge router to the core/distribution layer. SBA recommended: all WAN edge routers attach to the core/distribution with a single logical control plane and a port-channel for H/A; no static routes, no FHRPs.
- 19. Optimize Convergence and Redundancy
Layer 3 P-to-P Link (on failure: IGP recalc)
• Link redundancy achieved through redundant L3 paths
• Flow based load-balancing through CEF forwarding across the paths
• Routing protocol reconvergence when an uplink fails
• Convergence time depends on the routing protocol used and the number of routing entries
Multichassis EtherChannel, VSS or 3750 Stack (on failure: channel member removed)
• Provides link redundancy and reduces peering complexity
• Tune the L3/L4 load-balancing hash to achieve maximum utilization
• No L3 reconvergence required when a member link fails
• No individual flow can go faster than the speed of an individual member of the channel
- 20. WAN Dual-Path Route Preference
Incorrect Choice of Primary Path (DMVPN)
• eBGP routes are redistributed into EIGRP-100 as external routes with default Administrative Distance = 170
• Running the same EIGRP AS for both campus and DMVPN network would result in the Internet path preferred over the MPLS path
WAN distribution layer routing table entry (internal EIGRP route via the DMVPN hub):
D 10.5.48.0/21 [90/xxxxx] via 10.4.32.18
Diagram: WAN distribution layer (EIGRP 100) connected to the DMVPN hub router (10.4.32.18, EIGRP over DMVPN 1) and to the MPLS CE router (mutual route redistribution between EIGRP and BGP AS 65511; eBGP to MPLS A, AS 65401). Remote site 10.5.48.0/21.
- 21. WAN Dual-Path Route Preference
Correct Choice of Primary Path (MPLS)
• Multiple EIGRP AS processes can be used to provide control of the routing: EIGRP 100 is used in the HQ location, EIGRP 200 over the DMVPN tunnel
• Routes from EIGRP 200 redistributed into EIGRP 100 appear as external routes (distance = 170)
WAN distribution layer routing table entry (external EIGRP route via the MPLS CE router):
D EX 10.5.48.0/21 [170/34304] via 10.4.32.2
DMVPN hub router#
router eigrp 100
 redistribute eigrp 200
MPLS CE router#
router eigrp 100
 default-metric 1000000 10 255 1 1500
EIGRP uses bandwidth and delay metrics if prefix and distance are the same. If routes from both WAN sources are equal-cost paths, use EIGRP delay to modify path preference.
Diagram: WAN distribution layer (EIGRP 100) connected to the DMVPN hub router (EIGRP (200) over DMVPN 1) and to the MPLS CE router (10.4.32.2; EIGRP and BGP AS 65511, eBGP to MPLS A, AS 65401). Remote site 10.5.48.0/21.
- 22. WAN-Aggregation IP Routing Detail
Diagram: WAN distribution layer running EIGRP towards the WAN-aggregation routers. DMVPN hub routers: EIGRP (200) over DMVPN 1 and EIGRP (201) over DMVPN 2, with a default route from the Internet edge (ISP A / ISP B). MPLS CE routers: BGP AS 65511 with iBGP between them, eBGP to MPLS A (AS 65401) and MPLS B (AS 65402). Layer 2 WAN CE router: EIGRP (300) over the Layer 2 WAN.
- 23. WAN Dual-Path Route Preference
Is Route Control Needed?
• After link failure, the MPLS CE router learns an alternate path to the remote site via the distribution layer (EIGRP route)
WAN distribution layer (10.4.32.1):
D EX 10.5.48.0/21 [170/xxxx] via 10.4.32.18
MPLS CE router:
D EX 10.5.48.0/21 [170/xxxx] via 10.4.32.1
Diagram: DMVPN hub router 10.4.32.18 (EIGRP (200) over DMVPN 1), MPLS CE router (EIGRP and BGP, eBGP to MPLS A with the carrier link failed). Remote site 10.5.48.0/21.
- 24. WAN Dual-Path Route Preference
Is Route Control Needed? Yes.
• After link restore, the MPLS CE router receives the BGP advertisement for the remote-site route.
• Does the BGP route get (re)installed in the route table? No. The EIGRP route from the distribution layer remains in the table.
WAN distribution layer (10.4.32.1):
D EX 10.5.48.0/21 [170/xxxx] via 10.4.32.18
MPLS CE router (the eBGP path from 192.168.3.2 is marked X, not installed):
D EX 10.5.48.0/21 [170/xxxx] via 10.4.32.1
B 10.5.48.0/21 [20/0] via 192.168.3.2
Diagram: DMVPN hub router 10.4.32.18 (EIGRP (200) over DMVPN 1), MPLS CE router (EIGRP and BGP, eBGP to MPLS A via 192.168.3.2). Remote site 10.5.48.0/21.
- 25. WAN Dual-Path Route Preference
Route Control is Needed
CE-1#show ip bgp 10.5.48.0 255.255.248.0
BGP routing table entry for 10.5.48.0/21, version 1293
Paths: (3 available, best #3, table default)
  Advertised to update-groups:
     4          5
  65401 65401, (aggregated by 65511 10.5.48.254)
    192.168.3.2 from 192.168.3.2 (192.168.100.3)
      Origin IGP, localpref 100, valid, external, atomic-aggregate
  Local
    10.4.32.1 from 0.0.0.0 (10.4.32.1)
      Origin incomplete, metric 3584, localpref 100, weight 32768, valid, sourced, best
The first path is the eBGP route (no weight defined); the second is the locally sourced path.
• Remote-site route is redistributed into BGP with weight = 32768
• After the link is restored, the distribution layer route remains in the table due to BGP weight
• Routes from the distribution layer should be blocked
• This also protects from other "backdoor" and routing loop conditions
Diagram: WAN distribution layer (10.4.32.1), DMVPN hub router (EIGRP (200) over DMVPN 1), MPLS CE router (EIGRP and BGP, eBGP to MPLS A, AS 65401). Remote site 10.5.48.0/21.
- 26. Best Practice: Route Tag and Filter
• Routes are implicitly tagged when redistributed from eBGP into EIGRP with the carrier AS
• Configure explicit tags for other routing protocol sources
• Use a route-map to block re-learning of WAN routes via the distribution layer (MPLS routes are already known via iBGP)
MPLS CE router (EIGRP routes from the distribution layer are filtered inbound):
router eigrp 100
 distribute-list route-map BLOCK-TAGGED-ROUTES in
 default-metric [BW] 100 255 1 1500
 redistribute bgp 65511
!
route-map BLOCK-TAGGED-ROUTES deny 10
 match tag 65401 65402
route-map BLOCK-TAGGED-ROUTES permit 20
Diagram: Campus/Data Center behind the MPLS A (AS 65401) and MPLS B (AS 65402) CE routers, iBGP between the two CE routers.
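The route-selection behaviour of slides 20 through 26, reduced to a small model in Python. This is an added example written for this page, not Cisco code: it keeps only the two rules the slides rely on (the RIB prefers the lower administrative distance, then the lower metric; the BGP table prefers the higher weight) and reproduces the three outcomes the slides show. Addresses, tags (65401/65402), the metric 34304 and the weight 32768 are the slide values; the DMVPN metrics 30000/40000 stand in for the slide's "xxxxx" and are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Administrative distances as they appear on the slides.
AD_EBGP = 20
AD_EIGRP_INTERNAL = 90
AD_EIGRP_EXTERNAL = 170
AD_BGP_LOCAL = 200          # locally sourced BGP path

REMOTE = "10.5.48.0/21"     # remote-site summary from the slides


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str             # who advertised it, e.g. "DMVPN hub", "MPLS CE"
    protocol: str           # "EIGRP", "EIGRP-EX", "eBGP" or "BGP-local"
    ad: int                 # administrative distance
    metric: int
    next_hop: str
    tag: Optional[int] = None   # EIGRP route tag (carrier AS on redistribution)
    weight: int = 0             # BGP weight; 32768 on locally sourced paths


def rib_best(candidates: list[Route]) -> Route:
    """IOS-style RIB choice between sources: lowest AD, then lowest metric."""
    return min(candidates, key=lambda r: (r.ad, r.metric))


def bgp_best(candidates: list[Route]) -> Route:
    """Only the first BGP best-path step matters here: highest weight wins."""
    return max(candidates, key=lambda r: r.weight)


def distribute_list_in(routes: list[Route], blocked_tags: set[int]) -> list[Route]:
    """route-map BLOCK-TAGGED-ROUTES: deny routes carrying a carrier tag, permit the rest."""
    return [r for r in routes if r.tag not in blocked_tags]


def scenario_single_eigrp_as() -> str:
    """Slide 20: one EIGRP AS for campus and DMVPN. The DMVPN route is EIGRP-internal
    (AD 90) while the MPLS route was redistributed from eBGP (external, AD 170)."""
    via_dmvpn = Route(REMOTE, "DMVPN hub", "EIGRP", AD_EIGRP_INTERNAL, 30000, "10.4.32.18")
    via_mpls = Route(REMOTE, "MPLS CE", "EIGRP-EX", AD_EIGRP_EXTERNAL, 34304, "10.4.32.2", tag=65401)
    return rib_best([via_dmvpn, via_mpls]).source


def scenario_separate_eigrp_as(mpls_metric_better: bool = True) -> str:
    """Slide 21: DMVPN runs EIGRP 200 and is redistributed into EIGRP 100, so both
    candidates are external (AD 170) and the composite metric, seeded by the
    default-metric on each redistributing router, decides."""
    mpls_metric, dmvpn_metric = (34304, 40000) if mpls_metric_better else (40000, 34304)
    via_dmvpn = Route(REMOTE, "DMVPN hub", "EIGRP-EX", AD_EIGRP_EXTERNAL, dmvpn_metric, "10.4.32.18")
    via_mpls = Route(REMOTE, "MPLS CE", "EIGRP-EX", AD_EIGRP_EXTERNAL, mpls_metric, "10.4.32.2", tag=65401)
    return rib_best([via_dmvpn, via_mpls]).source


def scenario_link_restore(filter_tagged: bool) -> str:
    """Slides 23-26: the MPLS CE router after its carrier link is restored."""
    # While the link was down the CE learned the remote site from the distribution
    # layer; the route still carries the carrier tag 65401 set by the other CE.
    from_dist = [Route(REMOTE, "distribution layer", "EIGRP-EX", AD_EIGRP_EXTERNAL,
                       3584, "10.4.32.1", tag=65401)]
    if filter_tagged:
        from_dist = distribute_list_in(from_dist, {65401, 65402})
    # redistribute eigrp -> bgp: locally sourced paths get weight 32768.
    bgp_table = [Route(REMOTE, r.source, "BGP-local", AD_BGP_LOCAL, r.metric,
                       r.next_hop, tag=r.tag, weight=32768) for r in from_dist]
    # The carrier's eBGP path reappears with no weight ([20/0] via 192.168.3.2).
    bgp_table.append(Route(REMOTE, "MPLS A (eBGP)", "eBGP", AD_EBGP, 0, "192.168.3.2"))
    best = bgp_best(bgp_table)
    # Only a winning eBGP path is offered to the RIB; a locally sourced winner is
    # just the EIGRP route that is already installed.
    rib_candidates = list(from_dist)
    if best.protocol == "eBGP":
        rib_candidates.append(best)
    return rib_best(rib_candidates).source


if __name__ == "__main__":
    print("single EIGRP AS, forwarding via:", scenario_single_eigrp_as())
    print("separate EIGRP AS, forwarding via:", scenario_separate_eigrp_as())
    print("link restored, no filter:", scenario_link_restore(filter_tagged=False))
    print("link restored, tag filter:", scenario_link_restore(filter_tagged=True))
```

The last scenario is the one that matters operationally: without the tag filter the CE keeps forwarding to the remote site through the distribution layer indefinitely after the carrier link is healthy again, and nothing in the routing table looks wrong, so the condition is only visible in `show ip bgp` as a locally sourced best path with weight 32768.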
- 27. WAN-Aggregation Mutual Route Redistribution
WAN-Aggregation Router | From WAN towards Core/Distribution              | From Core/Distribution towards WAN (Redistribute EIGRP 100)
MPLS A CE              | Redistribute: BGP; implicit tag: MPLS-A         | Block: MPLS-A, MPLS-B, DMVPN
MPLS B CE              | Redistribute: BGP; implicit tag: MPLS-B         | Block: MPLS-A, MPLS-B, DMVPN
Layer 2 WAN CE         | Redistribute: EIGRP; explicit tag: Layer 2 WAN  | Block: DMVPN
DMVPN 1 Hub            | Redistribute: EIGRP; explicit tag: DMVPN        | Accept: Any
DMVPN 2 Hub            | Redistribute: EIGRP; explicit tag: DMVPN        | Accept: Any
Diagram: same topology as the WAN-aggregation IP routing detail (EIGRP at the distribution layer; DMVPN hub routers EIGRP (200) and (201) with a default route from the Internet edge, ISP A / ISP B; MPLS CE routers BGP with iBGP between them and eBGP to MPLS A and MPLS B; Layer 2 WAN CE router EIGRP (300)).
- 28. WAN Remote-Site Routing
Single-Router, Single-Link, Access Layer Only
Only requires a single WAN-facing routing protocol process (MPLS VPN: eBGP with a BGP summary).
router bgp 65511
 bgp router-id 10.5.56.254
 network 10.5.60.0 mask 255.255.255.0           ! wired/wireless data subnets
 network 10.5.61.0 mask 255.255.255.0
 network 192.168.3.28 mask 255.255.255.252
 aggregate-address 10.5.56.0 255.255.248.0 summary-only
 neighbor 192.168.3.30 remote-as 65401
 no auto-summary
- 29. WAN Remote-Site Routing
Single-Router, Single-Link, Access Layer Only
Only requires a single WAN-facing routing protocol process: DMVPN over the Internet uses EIGRP (200) with an EIGRP summary; Layer 2 WAN uses EIGRP (300) with an EIGRP summary. Layer 2 WAN example:
router eigrp 300
 network 10.4.38.0 0.0.0.255
 network 10.5.0.0 0.0.255.255                   ! includes all remote-site networks
 passive-interface default
 no passive-interface GigabitEthernet0/0.38     ! Layer 2 WAN interface
 eigrp router-id 10.5.144.254
 eigrp stub connected summary
interface GigabitEthernet0/0.38
 ip summary-address eigrp 300 10.5.144.0 255.255.248.0
- 30. WAN Remote-Site Routing
Single-Router, Dual-Link, Access Layer Only
Requires two separate WAN-facing routing protocol processes: BGP (summary) towards the MPLS VPN and EIGRP (200) (summary) towards the DMVPN over the Internet.
MPLS VPN:
router bgp 65511
 bgp router-id 10.5.40.254
 network 10.5.44.0 mask 255.255.255.0
 network 10.5.45.0 mask 255.255.255.0
 network 192.168.3.20 mask 255.255.255.252
 aggregate-address 10.5.40.0 255.255.248.0 summary-only
 neighbor 192.168.3.22 remote-as 65401
 no auto-summary
DMVPN:
router eigrp 200
 network 10.4.34.0 0.0.1.255
 network 10.5.0.0 0.0.255.255
 passive-interface default
 no passive-interface Tunnel10
 eigrp router-id 10.5.40.254
 eigrp stub connected summary
interface Tunnel10
 ip summary-address eigrp 200 10.5.40.0 255.255.248.0
- 31. WAN Remote-Site Routing
Single-Router, Dual-Link, Access Layer Only
Requires two separate WAN-facing routing protocol processes (except for dual-MPLS). Diagram variants: MPLS VPN A + MPLS VPN B (BGP summary on each link); DMVPN-1 + DMVPN-2 over the Internet (EIGRP (200) and EIGRP (201), EIGRP summaries); Layer 2 WAN + Internet DMVPN (EIGRP (300) and EIGRP (200), EIGRP summaries).
- 32. WAN Remote-Site Routing
Dual-Router, Dual-Link, Access Layer Only
Requires separate WAN- and LAN-facing routing protocol processes. R1 (MPLS VPN): eBGP with a BGP summary and one-way route redistribution from BGP into EIGRP (100). R2 (DMVPN over the Internet): EIGRP (200) with an EIGRP summary and one-way redistribution into EIGRP (100). EIGRP (100) runs between R1 and R2 over the transit network.
One-way redistribution is required. Summary routes make two-way redistribution unnecessary.
R1:
router eigrp 100
 default-metric 100000 100 255 1 1500
 network 10.5.0.0 0.0.255.255
 redistribute bgp 65511
 passive-interface default
 no passive-interface GigabitEthernet0/1.99     ! transit network
 eigrp router-id 10.5.48.254
R2:
router eigrp 100
 network 10.5.0.0 0.0.255.255
 redistribute eigrp 200
 passive-interface default
 no passive-interface GigabitEthernet0/1.99     ! transit network
 eigrp router-id 10.5.48.253
- 33. WAN Remote-Site Routing
Dual-Router, Dual-Link, Access Layer Only
Requires separate WAN- and LAN-facing routing protocol processes. Diagram variants: dual MPLS (MPLS VPN A and MPLS VPN B, eBGP with BGP summaries on each router, iBGP between the routers, EIGRP (100) on the LAN); dual DMVPN over the Internet (DMVPN-1 with EIGRP (200) and DMVPN-2 with EIGRP (201), EIGRP summaries, EIGRP (100) on the LAN); Layer 2 WAN plus Internet DMVPN (EIGRP (300) and EIGRP (200), EIGRP summaries, EIGRP (100) on the LAN).
- 34. WAN Remote-Site Routing
Distribution/Access Layer Only
Requires separate WAN- and LAN-facing routing protocol processes. The WAN EIGRP process is either DMVPN (200/201) or Layer 2 WAN (300); MPLS links use BGP. The WAN-facing process (EIGRP/BGP) advertises summaries; EIGRP (100) runs between the router(s) and the distribution layer.
Single router: 802.1q trunk (50) carrying Vlan50 - router 1 link.
Dual router: 802.1q trunk (50,99) and 802.1q trunk (54,99) carrying Vlan50 - router 1 link, Vlan54 - router 2 link and Vlan99 - transit.
Distribution to access: 802.1q trunk (100-101) and 802.1q trunk (102-103).
- 35. Best Practice: Implement AS-Path Filter
Prevent Remote Site from Becoming Transit Network
• Dual carrier sites can unintentionally become a transit network during a network failure event, causing network congestion due to transit traffic
• Design the network so that a transit path between two carriers only occurs at sites with enough bandwidth
• Implement an AS-path filter to allow only locally originated routes to be advertised in the outbound updates for branches that should not be transit
router bgp 65511
 neighbor 192.168.4.10 route-map NO-TRANSIT-AS out
!
ip as-path access-list 10 permit ^$
!
route-map NO-TRANSIT-AS permit 10
 match as-path 10
Diagram: campus attached to MPLS A and MPLS B via iBGP-connected routers; remote site routers R1 (MPLS A) and R2 (MPLS B) with iBGP between them; paths labelled A and B.
- 36. Best Practice: Stub Routing
Improve Network Stability and Prevent Transit Site
• The stub routing feature improves network stability, reduces resource utilization, and simplifies stub router configuration. Use at all remote sites.
• Implement stub routing to allow only locally originated routes to be advertised in the outbound updates for dual-router sites that should not be transit
router eigrp 200
 eigrp stub connected summary
Diagram: campus attached to VPLS/DMVPN and DMVPN; dual-router remote site running EIGRP; paths labelled A and B.
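A check for the two transit-prevention controls on the preceding slides (the `^$` as-path filter and `eigrp stub connected summary`), written for this page in Python and not part of the Cisco deck. The tables `R1_BGP` and `R2_EIGRP` are constructed; the prefixes and AS numbers reuse the slide values. The regex translation covers the IOS `_` delimiter as well as the slide's `^$`, so the same helper can evaluate other as-path access-lists.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class BgpPath:
    prefix: str
    as_path: str        # AS_PATH as IOS prints it; "" means locally originated


@dataclass(frozen=True)
class EigrpRoute:
    prefix: str
    kind: str           # "connected", "summary", "static", "redistributed" or "internal"


def ios_as_path_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an IOS as-path regex into Python: IOS '_' matches the start or end of
    the path or a delimiter between AS numbers. Everything else is ordinary regex."""
    return re.compile(pattern.replace("_", r"(?:^|$|\s)"))


def bgp_outbound(paths, as_path_acl: str = "^$"):
    """Outbound update after 'neighbor ... route-map NO-TRANSIT-AS out' whose only
    permit clause matches 'ip as-path access-list 10 permit <as_path_acl>'."""
    rx = ios_as_path_regex(as_path_acl)
    return [p for p in paths if rx.search(p.as_path)]


def eigrp_stub_outbound(routes, stub_keywords=("connected", "summary")):
    """'eigrp stub connected summary': a stub router advertises only the route kinds
    named on the stub command; routes learned from other EIGRP neighbours never leave."""
    allowed = set(stub_keywords)
    return [r for r in routes if r.kind in allowed]


def transit_prefixes(advertised, local_prefixes):
    """Prefixes in an outbound update that the site does not originate itself."""
    return sorted(p.prefix for p in advertised if p.prefix not in local_prefixes)


# Constructed BGP table of remote-site router R1 (MPLS A side), as on slide 35.
SITE_PREFIXES = {"10.5.48.0/21"}
R1_BGP = [
    BgpPath("10.5.48.0/21", ""),              # site aggregate, originated locally
    BgpPath("10.4.0.0/16", "65402"),          # campus, learned from R2 via iBGP (MPLS B)
    BgpPath("10.5.56.0/21", "65401 65401"),   # another branch, learned from MPLS A
]

# Constructed EIGRP table of R2 on a dual-router DMVPN site, as on slide 36.
R2_EIGRP = [
    EigrpRoute("10.5.52.0/24", "connected"),
    EigrpRoute("10.5.48.0/21", "summary"),    # ip summary-address on the tunnel
    EigrpRoute("10.4.0.0/16", "internal"),    # learned from R1 over the transit VLAN
]


def r1_leaks_without_filter():
    """With no outbound policy every BGP path is advertised: the site is transit."""
    return transit_prefixes(R1_BGP, SITE_PREFIXES)


def r1_leaks_with_filter():
    """With NO-TRANSIT-AS only the locally originated aggregate leaves the site."""
    return transit_prefixes(bgp_outbound(R1_BGP), SITE_PREFIXES)


def r2_stub_advertises():
    return [r.prefix for r in eigrp_stub_outbound(R2_EIGRP)]


if __name__ == "__main__":
    print("transit prefixes leaked, no filter:", r1_leaks_without_filter())
    print("transit prefixes leaked, with filter:", r1_leaks_with_filter())
    print("EIGRP stub advertises:", r2_stub_advertises())
```

`transit_prefixes` is the part worth keeping in a pre-change review: feed it the prefixes a router would advertise and the prefixes the site owns, and anything left over is a path the carrier could use to route other sites' traffic through that branch.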
- 37. WAN Remote-Site Loopback Routing
Initial Approach – Loopbacks within Summary Route (1)
Summaries are advertised via both links, but the best path is via primary. When the primary link is operational both loopbacks are reachable via the primary link.
R1 (MPLS VPN, eBGP, BGP summary):
interface Loopback0
 ip address 10.5.48.254 255.255.255.255
router bgp 65511
 bgp router-id 10.5.48.254
 network 10.5.52.0 mask 255.255.255.0
 network 10.5.53.0 mask 255.255.255.0
 network 192.168.3.20 mask 255.255.255.252
 aggregate-address 10.5.48.0 255.255.248.0 summary-only
 neighbor 192.168.3.22 remote-as 65401
 no auto-summary
R2 (DMVPN over the Internet, EIGRP (200), EIGRP summary; EIGRP (100) between R1 and R2):
interface Loopback0
 ip address 10.5.48.253 255.255.255.255
router eigrp 200
 network 10.4.34.0 0.0.1.255
 network 10.5.0.0 0.0.255.255
 passive-interface default
 no passive-interface Tunnel10
 eigrp router-id 10.5.48.253
 eigrp stub connected summary
interface Tunnel10
 ip summary-address eigrp 200 10.5.48.0 255.255.248.0
- 41. WAN Remote-Site Loopback Routing
BGP Configuration for Single-Router
MPLS VPN (eBGP); the loopback is advertised as a host route.
interface Loopback0
 ip address 10.255.251.204 255.255.255.255
router bgp 65511
 bgp router-id 10.255.251.204
 network 10.255.251.204 mask 255.255.255.255
 neighbor 192.168.3.30 remote-as 65401
- 42. WAN Remote-Site Loopback Routing
EIGRP Configuration for Single-Router
DMVPN over the Internet, EIGRP (200); the network statement covers all loopbacks.
interface Loopback0
 ip address 10.255.253.205 255.255.255.255
router eigrp 200
 network 10.255.0.0 0.0.255.255
 eigrp router-id 10.255.253.205
- 43. WAN Remote-Site Loopback Routing
Configuration for Single-Router (MPLS with DMVPN Backup)
Choose the loopback from the address block of the primary link for a single-router, dual-link remote site.
interface Loopback0
 ip address 10.255.251.201 255.255.255.255
router bgp 65511                                ! MPLS VPN (primary): the loopback
 bgp router-id 10.255.251.201
 network 10.255.251.201 mask 255.255.255.255
 neighbor 192.168.3.22 remote-as 65401
router eigrp 200                                ! DMVPN over the Internet (backup): all loopbacks
 network 10.255.0.0 0.0.255.255
 eigrp router-id 10.255.251.201
- 44. WAN Remote-Site Loopback Routing
Configuration for Dual-Router (MPLS with DMVPN Backup)
Uses the LAN-facing routing protocol process (EIGRP (100)) to advertise the R2 loopback to R1 (and the R1 loopback to R2). R1 faces the MPLS VPN (eBGP); R2 faces the DMVPN over the Internet (EIGRP (200)).
R1:
interface Loopback0
 ip address 10.255.251.203 255.255.255.255
router eigrp 100
 network 10.255.0.0 0.0.255.255
 eigrp router-id 10.255.251.203
R2:
interface Loopback0
 ip address 10.255.253.203 255.255.255.255
router eigrp 100
 network 10.255.0.0 0.0.255.255
 eigrp router-id 10.255.253.203
- 45. WAN Remote-Site Loopback Routing
(continued) Configuration for Dual-Router (MPLS with DMVPN Backup)
Both loopbacks need to be explicitly listed in the BGP configuration (on R1).
Two-way redistribution is required for the EIGRP WAN routing protocol (on R2). Only the loopback addresses should be redistributed from LAN to WAN.
R1 (BGP, MPLS VPN):
router bgp 65511
 bgp router-id 10.255.251.203
 network 10.255.251.203 mask 255.255.255.255
 network 10.255.253.203 mask 255.255.255.255
R2 (EIGRP WAN process, DMVPN; the LAN process EIGRP 100 is redistributed through a route-map that matches only the R1 loopback):
router eigrp 200
 network 10.255.0.0 0.0.255.255
 redistribute eigrp 100 route-map LOOPBACK-ONLY
 eigrp router-id 10.255.253.203
 eigrp stub connected summary redistributed
ip access-list standard R1-LOOPBACK
 permit 10.255.251.203
route-map LOOPBACK-ONLY permit 10
 match ip address R1-LOOPBACK
- 46. DMVPN Deployment Considerations
How to Accommodate Multiple Default Routes for a VPN Hub Router
• The VPN hub has a default route to the ASA firewall's VPN-DMZ interface to reach the Internet
• Remote site policy requires centralized Internet access
• Enable EIGRP between the VPN headend and the campus core to propagate a default route to the remote sites
• The static default (admin distance = 1) remains active
• User traffic from remote sites is forwarded to the VPN-DMZ (wrong firewall interface for user traffic)
• Adjust admin distances to allow the EIGRP default route (to core) to be installed instead
• The VPN tunnel drops
Diagram: Internet edge block firewall with INSIDE, VPN-DMZ and OUTSIDE interfaces, a default route on each side; DMVPN hub behind VPN-DMZ; DMVPN spoke across the Internet with its own default route.
- 47. DMVPN Deployment over Internet
No Split Tunneling at Remote-Site Location
Enable Front-Door VRF (FVRF) with DMVPN to permit two default routes.
The VRF INET-PUBLIC contains the default route to the VPN-DMZ interface needed for tunnel establishment.
A 2nd default route exists in the global routing table, used by the user traffic to reach the Internet.
To enforce centralized tunneling the default route is advertised to spokes via the tunnel.
Without FVRF the spoke's tunnel drops, because that 2nd default route conflicts with the one learned from the ISP.
Diagram: Internet edge block (INSIDE, VPN-DMZ, OUTSIDE, each with a default), the Internet, and the spoke with VRF INET-PUBLIC holding the ISP default and the global table holding the EIGRP-learned default via the tunnel.
- 48. Best Practice: VRF-Aware DMVPN
Keeping the Default Routes in Separate VRFs
• Enable FVRF DMVPN on the spokes
• Allow the ISP-learned default route in the VRF INET-PUBLIC and use it for tunnel establishment
• The global VRF contains the default route learned via the tunnel. User data traffic follows the tunnel to the INSIDE interface on the firewall
• Allows for consistent implementation of corporate security policy for all users
Diagram: Internet edge block (INSIDE, VPN-DMZ, OUTSIDE, each with a default), the Internet, and the spoke with VRF INET-PUBLIC (ISP default) and the global table (EIGRP default via the tunnel).
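The failure mode on the two preceding slides and the FVRF fix, modelled as two routing tables on a spoke. This is an added example for this page in Python, not Cisco code. The hub and Internet-host addresses (198.51.100.10, 203.0.113.7) and the administrative distances (254 for a DHCP/negotiated ISP default, 90 for the EIGRP default advertised by the hub) are constructed; the interface names Tunnel10 and Dialer1 and the VRF name INET-PUBLIC are the ones used on the slides.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    prefix: ipaddress.IPv4Network
    out_iface: str
    ad: int                      # administrative distance


class RoutingTable:
    """Minimal longest-prefix-match table; ties broken by lower administrative distance."""

    def __init__(self, name: str):
        self.name = name
        self.entries: list[Entry] = []

    def add(self, prefix: str, out_iface: str, ad: int) -> None:
        self.entries.append(Entry(ipaddress.ip_network(prefix), out_iface, ad))

    def lookup(self, dst: str) -> Optional[Entry]:
        addr = ipaddress.ip_address(dst)
        matches = [e for e in self.entries if addr in e.prefix]
        if not matches:
            return None
        return max(matches, key=lambda e: (e.prefix.prefixlen, -e.ad))


# Constructed addresses (documentation ranges), not from the slides.
HUB_PUBLIC = "198.51.100.10"     # DMVPN hub tunnel destination behind VPN-DMZ
INTERNET_HOST = "203.0.113.7"    # a public host a user at the spoke browses to

AD_ISP_DEFAULT = 254             # default learned on the Internet-facing interface
AD_EIGRP = 90                    # default advertised by the hub over the tunnel


def build_spoke(fvrf: bool) -> tuple[RoutingTable, RoutingTable]:
    """Return (global table, INET-PUBLIC table) after the hub has advertised 0.0.0.0/0."""
    global_rt = RoutingTable("global")
    inet_public = RoutingTable("INET-PUBLIC")
    # The Internet-facing interface lives in the FVRF when FVRF is enabled.
    (inet_public if fvrf else global_rt).add("0.0.0.0/0", "Dialer1", AD_ISP_DEFAULT)
    # Central tunnelling policy: the hub sends a default route through the tunnel.
    global_rt.add("0.0.0.0/0", "Tunnel10", AD_EIGRP)
    return global_rt, inet_public


def tunnel_stays_up(fvrf: bool) -> bool:
    """The tunnel survives only if its destination resolves out a physical interface.
    Without FVRF the EIGRP default (AD 90) displaces the ISP default (AD 254) in the
    global table, so the hub address now points back into the tunnel itself: the
    'tunnel drops' condition on the slides."""
    global_rt, inet_public = build_spoke(fvrf)
    transport = inet_public if fvrf else global_rt   # where the tunnel's source lives
    e = transport.lookup(HUB_PUBLIC)
    return e is not None and e.out_iface != "Tunnel10"


def user_traffic_exit(fvrf: bool) -> str:
    """Where user data for the Internet leaves the spoke; 'blackhole' when the tunnel
    it would use is down."""
    global_rt, _ = build_spoke(fvrf)
    e = global_rt.lookup(INTERNET_HOST)
    if e is None or (e.out_iface == "Tunnel10" and not tunnel_stays_up(fvrf)):
        return "blackhole"
    return e.out_iface


if __name__ == "__main__":
    for fvrf in (False, True):
        print(f"fvrf={fvrf}: tunnel up={tunnel_stays_up(fvrf)}, "
              f"user traffic via {user_traffic_exit(fvrf)}")
```

In the FVRF case both defaults coexist because they live in different tables: the user's lookup in the global table picks Tunnel10, and the tunnel's own lookup in INET-PUBLIC picks Dialer1, which is exactly the separation the slide's "Allow the ISP learned Default Route in the VRF INET-PUBLIC" bullet describes.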
- 49. Avoid Fragmentation when Tunneling
GRE+IPsec
Diagram: LAN MTU 1500 - tunnel MTU 1400 - LAN MTU 1500.
Tunnel Setting (esp-aes 256 esp-sha-hmac) | Maximum MTU | Recommended MTU
GRE/IPSec (Tunnel Mode)                    | 1414 bytes  | 1400 bytes
GRE/IPSec (Transport Mode)                 | 1434 bytes  | 1400 bytes
• IP fragmentation will cause CPU and memory overhead and result in lower throughput performance
• When one fragment of a datagram is dropped, the entire original IP datagram will have to be resent
• Use 'mode transport' on the transform-set
  ‒ NHRP requires this for NAT support and it saves 20 bytes of overhead
• Avoid MTU issues with the following best practices
  ‒ ip mtu 1400 (WAN facing interface or tunnel)
  ‒ ip tcp adjust-mss 1360 (WAN facing interface or tunnel)
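Where the 1414/1434-byte figures in the table come from, as an added Python example (not Cisco's): the encapsulation overhead of GRE inside ESP with AES-256-CBC and SHA1-HMAC-96 is summed header by header, and the largest inner packet that still fits a 1500-byte link is searched for. Header sizes are the RFC values (IP 20, GRE 4, ESP SPI+sequence 8, CBC IV 16, ESP pad-length+next-header 2, ICV 12, AES block 16); the tunnel/transport distinction is whether a second IP header is carried inside ESP.

```python
IP_HDR = 20
TCP_HDR = 20
GRE_HDR = 4
ESP_HDR = 8        # SPI + sequence number
AES_IV = 16        # CBC IV for esp-aes 256
ESP_TRAILER = 2    # pad length + next header
SHA1_ICV = 12      # esp-sha-hmac truncated to 96 bits
AES_BLOCK = 16


def esp_padding(payload_len: int) -> int:
    """Bytes of padding so that payload + pad + trailer is a multiple of the cipher block."""
    return (-(payload_len + ESP_TRAILER)) % AES_BLOCK


def encapsulated_size(inner_len: int, mode: str) -> int:
    """On-the-wire size of an inner IP packet after GRE and IPsec ESP encapsulation."""
    gre_packet = GRE_HDR + inner_len                # GRE header + original IP packet
    if mode == "transport":
        esp_payload = gre_packet                    # the GRE delivery IP header stays outside ESP
    elif mode == "tunnel":
        esp_payload = IP_HDR + gre_packet           # ESP wraps the whole GRE/IP packet
    else:
        raise ValueError(f"unknown mode {mode!r}")
    esp_len = (ESP_HDR + AES_IV + esp_payload + esp_padding(esp_payload)
               + ESP_TRAILER + SHA1_ICV)
    return IP_HDR + esp_len                         # outer/delivery IP header


def max_inner_mtu(link_mtu: int, mode: str) -> int:
    """Largest inner packet whose encapsulated form still fits the link MTU."""
    for inner in range(link_mtu, 0, -1):
        if encapsulated_size(inner, mode) <= link_mtu:
            return inner
    return 0


def outer_fragments(inner_len: int, mode: str, link_mtu: int = 1500) -> int:
    """Fragments the encapsulated packet is split into on the link (1 = no fragmentation).
    Fragment payloads are multiples of 8 bytes, as IP requires."""
    payload = encapsulated_size(inner_len, mode) - IP_HDR
    per_fragment = (link_mtu - IP_HDR) // 8 * 8
    return -(-payload // per_fragment)              # ceiling division


def tcp_mss_for(ip_mtu: int) -> int:
    """The 'ip tcp adjust-mss' value that fits an 'ip mtu' setting."""
    return ip_mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        print(f"GRE/IPsec {mode}: max inner MTU {max_inner_mtu(1500, mode)} bytes")
    print("ip mtu 1400 -> adjust-mss", tcp_mss_for(1400))
    print("1500-byte inner packet, transport mode ->", outer_fragments(1500, "transport"), "fragments")
```

The search explains the 20-byte saving on the slide directly (the extra IP header inside ESP in tunnel mode) and why the recommended value sits below the maximum: 1400 leaves room for the block padding to vary with packet size, so no packet length near the limit tips over into two fragments.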
- 50. Remote-Site with 3G or 4G/LTE Wireless WAN
Best Practice Uses Dialer Interface
Select the 3G or 4G technology option: 3G/GSM, 3G/CDMA or 4G/LTE. Diagram: remote site router with a VPN tunnel over the 3G/4G wireless WAN through Dialer1.
Step 1 is technology specific (GSM-specific, CDMA-specific or LTE-specific remote site router configuration); the remaining procedure is common:
1. Finish the WAN Router Universal Configuration
2. Configure VRF Lite
3. Configure the Cellular Interface
4. Configure the Dialer interface
5. Configure VRF-Specific Default Routing
6. Apply the Access List
7. Configure ISAKMP and IPSec
8. Configure mGRE Tunnel
9. Configure EIGRP
10. Configure IP Multicast
The dialer interface provides a consistent method of configuration regardless of the chosen wireless technology.
- 51. Wireless WAN with 3G (GSM and CDMA)
Two PPP Encapsulation Methods
CDMA Example
chat-script CDMA "" "ATDT#777" TIMEOUT 30 "CONNECT"
interface Cellular0/0/0
 bandwidth 1800
 no ip address
 encapsulation ppp
 dialer in-band
 dialer pool-member 1
 no peer default ip address
 async mode interactive
 no ppp lcp fast-start
!
interface Dialer1
 bandwidth 1800
 ip vrf forwarding INET-PUBLIC
 ip address negotiated
 ip access-group ACL-INET-PUBLIC in
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer string CDMA
 dialer persistent
 ppp ipcp address accept
!
line 0/0/0
 script dialer CDMA
 modem InOut
 no exec
GSM Example
chat-script GSM "" "ATDT*98*1#" TIMEOUT 30 "CONNECT"
!
interface Cellular0/0/0
 bandwidth 384
 no ip address
 encapsulation ppp
 dialer in-band
 dialer pool-member 1
 no peer default ip address
 async mode interactive
 no ppp lcp fast-start
!
interface Dialer1
 bandwidth 384
 ip vrf forwarding INET-PUBLIC
 ip address negotiated
 ip access-group ACL-INET-PUBLIC in
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer string GSM
 dialer persistent
 no ppp lcp fast-start
 ppp chap hostname ISP@CINGULARGPRS.COM
 ppp chap password 7 02252D752C3323007E1F
 ppp ipcp address accept
 ppp timeout retry 120
 ppp timeout ncp 30
!
line 0/0/0
 script d

ialer GSM
 modem InOut
 no exec
A router with GSM must also create a profile:
R1# cellular 0/0/0 gsm profile create 1 isp.cingular chap ISP@CINGULARGPRS.COM CINGULAR1
- 52. Wireless WAN with 4G/LTE
Direct IP Encapsulation Instead of PPP
Diagram: R1 with Ce0/0/0 to the 3G/4G wireless WAN and a VPN tunnel across it; no HSRP required; Vlan64 - data on the LAN. An LTE recovery script is recommended.
R1#
chat-script LTE "" "AT!CALL1" TIMEOUT 20 "OK"
interface Cellular0/0/0
 bandwidth 2000
 no ip address
 encapsulation slip
 dialer in-band
 dialer pool-member 1
 no peer default ip address
 async mode interactive
!
interface Dialer1
 bandwidth 2000
 ip vrf forwarding INET-PUBLIC
 ip address negotiated
 ip access-group ACL-INET-PUBLIC in
 encapsulation slip
 dialer pool 1
 dialer idle-timeout 0
 dialer string LTE
 dialer persistent
!
line 0/0/0
 script dialer LTE
 modem InOut
 no exec
Direct IP requires the SLIP encapsulation keyword. No PPP authentication parameters required. No profile required.
- 53. Wireless WAN with 3G/4G Backup
Enhanced Object Tracking (EOT) with EEM Scripts
Diagram: R1 with Ce0/0/0 to the 3G/4G wireless WAN; an IP SLA probe is sent over the primary WAN interface; no HSRP required; Vlan64 - data on the LAN.
R1#
ip sla 100
 icmp-echo 192.168.3.26 source-interface GigabitEthernet0/0
 timeout 1000
 threshold 1000
 frequency 15
ip sla schedule 100 life forever start-time now
track 60 ip sla 100 reachability
event manager applet ACTIVATE-3G
 event track 60 state down
 action 1 cli command "enable"
 action 2 cli command "configure terminal"
 action 3 cli command "interface cellular0/0/0"
 action 4 cli command "no shutdown"
 action 5 cli command "end"
 action 99 syslog msg "Activating 3G interface"
Note: This method is also compatible with a dual router design (probes are sent from R2).
R1#
14:22:14: %TRACKING-5-STATE: 60 ip sla 100 reachability Up->Down
14:22:14: %SYS-5-CONFIG_I: Configured from console by on vty0(EEM:ACTIVATE-3G)
14:22:14: %HA_EM-6-LOG: ACTIVATE-3G: Activating 3G interface
14:22:34: %LINK-3-UPDOWN: Interface Cellular0/0/0, changed state to up
14:22:34: %DIALER-6-BIND: Interface Ce0/0/0 bound to profile Di1
14:22:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0/0/0, changed state to up
14:22:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel10, changed state to up
14:22:40: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
14:22:42: %DUAL-5-NBRCHANGE: EIGRP-IPv4 200: Neighbor 10.4.34.1 (Tunnel11) is up: new adjacency
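A small parser for the console output above that turns the failover into a timeline, as an added Python example for this page (not part of the Cisco deck). The sample log is constructed from the slide's messages with the timestamps re-attached in order. Beyond the timing, it records which EEM applet issued the configuration change, so a `%SYS-5-CONFIG_I` from `vty0` can be attributed to the automation rather than flagged as an operator login; the 60-second budget is an assumed value.

```python
import re

# Constructed from the console output shown on the slide (timestamps re-attached).
SAMPLE_LOG = """\
14:22:14: %TRACKING-5-STATE: 60 ip sla 100 reachability Up->Down
14:22:14: %SYS-5-CONFIG_I: Configured from console by on vty0(EEM:ACTIVATE-3G)
14:22:14: %HA_EM-6-LOG: ACTIVATE-3G: Activating 3G interface
14:22:34: %LINK-3-UPDOWN: Interface Cellular0/0/0, changed state to up
14:22:34: %DIALER-6-BIND: Interface Ce0/0/0 bound to profile Di1
14:22:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0/0/0, changed state to up
14:22:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel10, changed state to up
14:22:40: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
14:22:42: %DUAL-5-NBRCHANGE: EIGRP-IPv4 200: Neighbor 10.4.34.1 (Tunnel11) is up: new adjacency
"""

# IOS format: HH:MM:SS: %FACILITY-SEVERITY-MNEMONIC: text
LINE_RX = re.compile(r"^(\d\d):(\d\d):(\d\d): %([A-Z_]+)-(\d)-([A-Z_]+): (.*)$")
EEM_RX = re.compile(r"\(EEM:([^)]+)\)")


def parse(log: str) -> list[dict]:
    events = []
    for line in log.splitlines():
        m = LINE_RX.match(line.strip())
        if not m:
            continue                                   # prompts and other non-syslog lines
        h, mi, s, facility, sev, mnemonic, text = m.groups()
        events.append({"t": int(h) * 3600 + int(mi) * 60 + int(s), "facility": facility,
                       "severity": int(sev), "mnemonic": mnemonic, "text": text})
    return events


def classify(ev: dict):
    """Map a message to a failover milestone, or None if it is not one."""
    f, m, text = ev["facility"], ev["mnemonic"], ev["text"]
    if f == "TRACKING" and m == "STATE" and text.endswith("Up->Down"):
        return "track_down"
    if f == "LINEPROTO" and "Interface Cellular" in text and text.endswith("to up"):
        return "cellular_up"
    if f == "LINEPROTO" and "Interface Tunnel" in text and text.endswith("to up"):
        return "tunnel_up"
    if f == "DUAL" and m == "NBRCHANGE" and "is up" in text:
        return "neighbor_up"
    return None


def failover_timeline(log: str) -> dict:
    """Seconds from the track-down event to each milestone, plus the EEM applets that
    issued configuration changes (an empty name means a real operator session)."""
    t0 = None
    result = {"eem_applets": []}
    for ev in parse(log):
        stage = classify(ev)
        if stage == "track_down":
            t0 = ev["t"]
        if stage and t0 is not None and stage not in result:
            result[stage] = (ev["t"] - t0) % 86400     # tolerate a midnight wrap
        if ev["mnemonic"] == "CONFIG_I":
            m = EEM_RX.search(ev["text"])
            result["eem_applets"].append(m.group(1) if m else "")
    return result


def backup_within_budget(timeline: dict, budget_s: int = 60) -> bool:
    """True when the backup tunnel's routing adjacency came up within budget seconds
    of the primary being declared down."""
    return "neighbor_up" in timeline and timeline["neighbor_up"] <= budget_s


if __name__ == "__main__":
    tl = failover_timeline(SAMPLE_LOG)
    print(tl)
    print("backup within budget:", backup_within_budget(tl))
```

Run over a day of syslog from a remote-site router, the same function gives the distribution of time-to-backup and lists every configuration change that was not made by the ACTIVATE-3G applet, which is the part a reviewer would want to look at.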
- 54. Wireless WAN with 3G/4G Only Link
Time Based Connection with EEM Scripts
Diagram: R1 with Ce0/0/0 to the 3G/4G wireless WAN and a VPN tunnel across it; no HSRP required; Vlan64 - data on the LAN.
R1#
event manager applet TIME-OF-DAY-ACTIVATE-3G
 event timer cron cron-entry "45 4 * * 1-5"
 action 1 cli command "enable"
 action 2 cli command "configure terminal"
 action 3 cli command "interface cellular0/0/0"
 action 4 cli command "no shutdown"
 action 5 cli command "end"
 action 99 syslog msg "M-F @ 4:45AM Activating 3G interface"
event manager applet TIME-OF-DAY-DEACTIVATE-3G
 event timer cron cron-entry "15 18 * * 1-5"
 action 1 cli command "enable"
 action 2 cli command "configure terminal"
 action 3 cli command "interface cellular0/0/0"
 action 4 cli command "shutdown"
 action 5 cli command "end"
 action 99 syslog msg "M-F @ 6:15PM Deactivating 3G interface"
Limit connection time to reduce usage charges. EEM scripts leverage CRON. Additional scripting or enhancements can allow for manual override for weekend or after-hours use.
- 55. WAN Quality of Service
Defining SBA QoS Classes of Service
Class of Service  | Traffic Type                                                                 | DSCP Value(s) | Bandwidth (%) | Congestion Avoidance
VOICE             | Voice traffic                                                                | ef            | 10 (PQ)       | -
INTERACTIVE-VIDEO | Interactive video (video conferencing)                                       | cs4, af41     | 23 (PQ)       | -
CRITICAL-DATA     | Highly interactive (such as Telnet, Citrix, and Oracle thin clients)         | cs3, af31     | 15            | DSCP based
DATA              | Data                                                                         | af21          | 19            | DSCP based
SCAVENGER         | Scavenger                                                                    | cs1, af11     | 5             | -
NETWORK-CRITICAL  | Routing protocols. Operations, administration and maintenance (OAM) traffic. | cs2, cs6      | 3             | -
class-default     | Best effort                                                                  | other         | 25            | random
All WAN routers:
class-map match-any VOICE
 match dscp ef
class-map match-any INTERACTIVE-VIDEO
 match dscp cs4 af41
class-map match-any CRITICAL-DATA
 match dscp cs3 af31
class-map match-any DATA
 match dscp af21
class-map match-any SCAVENGER
 match dscp cs1 af11
class-map match-any NETWORK-CRITICAL
 match dscp cs2 cs6
For MPLS CE routers:
class-map match-any BGP-ROUTING
 match protocol bgp
policy-map MARK-BGP
 class BGP-ROUTING
  set dscp cs6
For DMVPN routers:
ip access-list extended ISAKMP
 permit udp any eq isakmp any eq isakmp
class-map match-any NETWORK-CRITICAL
 match access-group name ISAKMP
- 56. WAN Design and Deployment Using SBA
Agenda
• SBA WAN Overview
• SBA WAN Design Methodology
• Key Aspects of the Design
• Summary
- 57. Summary
• The SBA WAN design methodology allows for either a small or large scale initial deployment.
• Flexibility is built into the WAN and remote-site design. Adding additional scale, resiliency or capabilities is straightforward.
• The SBA WAN design uses advanced features and capabilities. Each is documented in a prescriptive manner.
  ‒ Route-maps ensure routing stability
  ‒ F-VRF DMVPN permits spoke-spoke with central tunneling
  ‒ WAAS GRE negotiated return enables shared clusters
  ‒ EEM scripts extend capabilities of EOT