Design and Deployment using the Cisco
Smart Business Architecture (SBA)
Anastasia Marchenko
Systems Engineer Cisco
amarchen@cisco.com

BRKRST-2040

© 2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public
Design and Deployment Using SBA
Agenda

• SBA WAN Overview

• SBA WAN Design Methodology
• Key Aspects of the Design
• Summary

The Challenge

How can I anticipate what the network might need to do in the future so I don't have to revisit my design and deployment?

Which platform should I choose? Many to choose from at each place in the network (for example ASR1000, WAE-7341).

How can I do it quickly?

What are the best practices?

How do I manage it?

How do I put it all together?

Cisco Smart Business Architecture
Overview

• Tested: A reference design, tested, and supported by Cisco
• Optimized: One architecture to scale for different size organizations; multiple tiers to match your organization's needs without changing the network architecture
• Flexible: Flexible architecture to help ensure easy migration as the organization grows
• Comprehensive: Seamless support for quick deployment of wired and wireless network access for data, voice, teleworker, and wireless guest
• Secure: Security and high availability for corporate information resources, and Internet-facing applications
• Performance: Improved network performance and cost reduction through the use of services like WAN optimization
Cisco SBA Design Overview

SBA WAN Deployment Principles
• Ease of Deployment: Deploy the design consistently across all products included in the architecture. The configurations used in the deployment represent a best-practice methodology to enable a fast and resilient deployment.
• Flexibility and Scalability: The architecture can grow with the organization without being redesigned.
• Resiliency and Security: The architecture keeps the network operating even during unplanned outages and attacks.
• Easy to Manage: The deployment guidance includes configuring devices to be managed by a network management system (NMS) or as unique elements of the network.
• Advanced Technology Ready: Implementing advanced technologies like collaboration is easy because the network foundation is already configured with the required baseline network services.

Borderless Networks SBA Guides for Enterprise:
MPLS WAN Deployment Guide
Layer 2 WAN Deployment Guide
VPN WAN Deployment Guide
http://www.cisco.com/go/sba

Deployment Guide               | Transports                | Usage                      | WAN Aggregation Design Models
MPLS WAN                       | MPLS L3 VPN               | Primary/Secondary          | Dual MPLS; MPLS Dynamic; MPLS Static
Layer 2 WAN                    | Layer 2 WAN               | Primary                    | Trunked Demarcation; Simple Demarcation
VPN WAN                        | Internet/DMVPN            | Primary/Secondary          | Dual DMVPN; DMVPN Only; DMVPN Backup Dedicated; DMVPN Backup Shared
VPN Remote Site over 3G/4G     | 3G/4G Internet/DMVPN      | Primary/Secondary          | Remote site only
Group Encrypted Transport VPN  | MPLS L3 VPN; Layer 2 WAN  | Primary/Secondary; Primary | Compatible with all design models
WAN Design and Deployment Using SBA
Agenda

• SBA WAN Overview

• SBA WAN Design Methodology
• Key Aspects of the Design
• Summary

Hierarchical WAN Design

[Diagram, two designs side by side. Left, SBA ≤ 500 Remote Sites: a Data Center/HQ with a collapsed Core/Distribution layer connects directly to Spoke Site 1 ... Spoke Site N. Right, a larger hierarchical design: a Data Center/HQ with separate Core, Distribution and Access tiers; Regional hubs aggregate Spoke Site 1 ... Spoke Site N and Spoke Site 1' ... Spoke Site N'.]
WAN-Aggregation Reference Design

[Diagram: Core Layer above a WAN Distribution Layer. Hanging off the distribution layer: MPLS CE Routers connected to MPLS A and MPLS B; a Layer 2 WAN CE Router connected to the Layer 2 WAN; DMVPN Hub Routers (DMVPN 1 and DMVPN 2) reaching ISP A / ISP B through the Internet Edge.]
WAN Remote Site Designs
Basic Remote
Site

WAN Remote Site Designs (MPLS and DMVPN)

Design              | Non Redundant  | Redundant Links                         | Redundant Links & Routers
MPLS WAN            | MPLS           | MPLS-A + MPLS-B                         | MPLS-A + MPLS-B
MPLS + Internet WAN | -              | MPLS + Internet DMVPN                   | MPLS + Internet DMVPN
Internet WAN        | Internet DMVPN | Internet (DMVPN-1) + Internet (DMVPN-2) | Internet (DMVPN-1) + Internet (DMVPN-2)
WAN Remote Site Designs (L2, 3G/4G and DMVPN)

Design                    | Non Redundant | Redundant Links           | Redundant Links & Routers
VPLS WAN                  | VPLS          | -                         | -
VPLS + Internet WAN       | -             | VPLS + Internet (DMVPN-1) | VPLS + Internet (DMVPN-1)
3G/4G Internet WAN        | 3G/4G (DMVPN) | -                         | -
MPLS + 3G/4G Internet WAN | -             | MPLS + 3G/4G (DMVPN)      | MPLS + 3G/4G (DMVPN)
WAN Remote Site Reference Designs
Access Layer Only

Single Router Remote Sites: No HSRP required. 802.1q Vlan trunk (64-65, 69-70) to the access switch: Vlan64 - data, Vlan65 – wireless data, Vlan69 - voice, Vlan70 – wireless voice.

Dual Router Remote Sites: Add router and transit network and enable HSRP. 802.1q Vlan trunk (64-65, 69-70, 99) to the access switch: Vlan99 - transit; HSRP Vlans 64 (data), 65 (wireless data), 69 (voice), 70 (wireless voice), with one router as the Active HSRP Router.

Vlan   | Usage          | Access Layer Only Designs | IP Network Assignment (Example)
Vlan65 | Wireless Data  | Yes                       | 10.5.50.0/24
Vlan70 | Wireless Voice | Yes                       | 10.5.51.0/24
Vlan64 | Data 1         | Yes                       | 10.5.52.0/24
Vlan69 | Voice 1        | Yes                       | 10.5.53.0/24
Vlan99 | Transit        | Yes (dual router only)    | 10.5.48.0/30
WAN Remote Site Reference Designs
Distribution and Access Layer

Single Router Remote Sites: Add a distribution layer. 802.1q trunk (50) between the router and the distribution switch: Vlan50 – router 1 link.

Dual Router Remote Sites: Add a distribution layer with a transit network for dual router sites. 802.1q trunk (50,99) from router 1 and 802.1q trunk (54,99) from router 2 to the distribution switch: Vlan50 – router 1 link, Vlan54 – router 2 link, Vlan99 – transit.

In both designs the access switches connect to the distribution layer over 802.1q trunks (xx-xx) carrying their data and voice Vlans.
WAN Remote Site Reference Design
Distribution Layer Wireless LAN Integration

WLAN Controller Required for Distribution Layer Design to Support Roaming. No HSRP Required.

Router links to the distribution switch: 802.1q trunk (50,99) and 802.1q trunk (54,99); Vlan50 – router 1 link, Vlan54 – router 2 link, Vlan99 – transit.
WLAN controller link: 802.1q trunk (106, WD, WV); Vlan106 – management, VlanWD – wireless data, VlanWV – wireless voice.
Access switch links: 802.1q trunk (100, 101) with Vlan100 - data and Vlan101 - voice; 802.1q trunk (102-103) with Vlan102 - data and Vlan103 - voice.
WAN Design and Deployment Using SBA
Agenda

• SBA WAN Overview

• SBA WAN Design Methodology
• Key Aspects of the Design
• Summary

WAN Edge
Connection Methods Compared
This Topic Is Covered in Detail in BRKCRS-2030

[Diagram: three ways of connecting the WAN Edge Router to the Core/Distribution layer and on to the WAN; the SBA Recommended option is marked.]

SBA Recommended:
• All: No static routes, No FHRPs
• Single Logical Control Plane
• Port-Channel for H/A
Optimize Convergence and Redundancy

Layer 3 P-to-P Link (a failed uplink triggers an IGP recalc):
• Link redundancy achieved through redundant L3 paths
• Flow-based load-balancing through CEF forwarding across the paths
• Routing protocol reconvergence when an uplink fails
• Convergence time may depend on the routing protocol used and the number of routing entries

Multichassis EtherChannel (VSS or 3750 Stack; a failed link is removed as a channel member):
• Provides link redundancy and reduces peering complexity
• Tune the L3/L4 load-balancing hash to achieve maximum utilization
• No L3 reconvergence required when a member link fails
• No individual flow can go faster than the speed of an individual member of the link
WAN Dual-Path Route Preference
Incorrect Choice of Primary Path (DMVPN)

Route seen on the WAN Distribution Layer (10.4.32.18 is the DMVPN Hub Router):
D    10.5.48.0/21 [90/xxxxx] via 10.4.32.18

• eBGP routes are redistributed into EIGRP-100 as external routes with default Administrative Distance = 170
• Running the same EIGRP AS for both campus and DMVPN network would result in the Internet path being preferred over the MPLS path

[Diagram: WAN Distribution Layer running EIGRP (100) to the MPLS CE Router (mutual route redistribution between EIGRP and BGP, BGP AS = 65511, eBGP to MPLS A AS 65401) and to the DMVPN Hub Router (EIGRP over DMVPN 1); the Remote Site 10.5.48.0/21 is reachable over both paths.]
WAN Dual-Path Route Preference
Correct Choice of Primary Path (MPLS)

Route seen on the WAN Distribution Layer (10.4.32.2 is the MPLS CE Router):
D EX 10.5.48.0/21 [170/34304] via 10.4.32.2

• Multiple EIGRP AS processes can be used to provide control of the routing:
  EIGRP 100 is used in HQ location
  EIGRP 200 over DMVPN tunnel
• Routes from EIGRP 200 redistributed into EIGRP 100 appear as external route (distance = 170)
• EIGRP uses bandwidth and delay metrics if prefix and distance are the same.
• If routes from both WAN sources are equal-cost paths, use EIGRP delay to modify path preference

DMVPN hub router#
router eigrp 100
 redistribute eigrp 200

MPLS CE router#
router eigrp 100
 default-metric 1000000 10 255 1 1500

[Diagram: WAN Distribution Layer running EIGRP (100) to the MPLS CE Router (EIGRP and BGP, BGP AS = 65511, eBGP to MPLS A AS 65401) and to the DMVPN Hub Router (EIGRP (200) over DMVPN 1); Remote Site 10.5.48.0/21.]
WAN-Aggregation IP Routing Detail

[Diagram: WAN Distribution Layer running EIGRP to the MPLS CE Routers, the Layer 2 WAN CE Router and the DMVPN Hub Routers. MPLS CE Routers: BGP AS = 65511, iBGP between the two CE routers, eBGP to MPLS A (AS 65401) and MPLS B (AS 65402), mutual redistribution with EIGRP. Layer 2 WAN CE Router: EIGRP (300) across the Layer 2 WAN. DMVPN Hub Routers: EIGRP (200) over DMVPN 1 and EIGRP (201) over DMVPN 2, reaching ISP A / ISP B through the Internet Edge, from which the default route is learned.]
WAN Dual-Path Route Preference
Is Route Control Needed?

• After link failure, MPLS CE router learns alternate path to remote site via distribution layer (EIGRP route)

WAN Distribution Layer (10.4.32.1), via the DMVPN Hub Router:
D EX 10.5.48.0/21 [170/xxxx] via 10.4.32.18
MPLS CE Router, via the WAN Distribution Layer:
D EX 10.5.48.0/21 [170/xxxx] via 10.4.32.1

[Diagram: WAN Distribution Layer running EIGRP to the MPLS CE Router (BGP, eBGP to MPLS A, carrier link failed) and to the DMVPN Hub Router (EIGRP (200) over DMVPN 1); Remote Site 10.5.48.0/21 behind both.]
WAN Dual-Path Route Preference
Is Route Control Needed? Yes.

• After link restore, MPLS CE router receives BGP advertisement for remote-site route.
• Does BGP route get (re)installed in the route table?

WAN Distribution Layer (10.4.32.1), via the DMVPN Hub Router:
D EX 10.5.48.0/21 [170/xxxx] via 10.4.32.18
MPLS CE Router, EIGRP route still installed via the WAN Distribution Layer:
D EX 10.5.48.0/21 [170/xxxx] via 10.4.32.1
MPLS CE Router, BGP route received from MPLS A (192.168.3.2) but not installed (marked X on the slide):
B    10.5.48.0/21 [20/0] via 192.168.3.2

No. EIGRP from distribution layer remains in the table.

[Diagram: the same topology, with the MPLS A link to the CE router restored; EIGRP (200) over DMVPN 1 to the Remote Site 10.5.48.0/21.]
WAN Dual-Path Route Preference
Route Control is Needed

CE-1#show ip bgp 10.5.48.0 255.255.248.0
BGP routing table entry for 10.5.48.0/21, version 1293
Paths: (3 available, best #3, table default)
  Advertised to update-groups:
     4          5
  65401 65401, (aggregated by 65511 10.5.48.254)
    192.168.3.2 from 192.168.3.2 (192.168.100.3)
      Origin IGP, localpref 100, valid, external, atomic-aggregate
  Local
    10.4.32.1 from 0.0.0.0 (10.4.32.1)
      Origin incomplete, metric 3584, localpref 100, weight 32768, valid, sourced, best

The first path shown is the eBGP route from MPLS A (no weight defined); the Local path is the remote-site route sourced from EIGRP redistribution.

• Remote-site route is redistributed into BGP with weight = 32768
• After link is restored, distribution layer route remains in table due to BGP weight
• Routes from distribution layer should be blocked
• Also protects from other “backdoor” and routing loop conditions

[Diagram: WAN Distribution Layer running EIGRP to the MPLS CE Router (BGP, eBGP to MPLS A AS 65401) and to the DMVPN Hub Router (EIGRP (200) over DMVPN 1); Remote Site 10.5.48.0/21.]
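The dual-path behaviour on the preceding slides (single versus separate EIGRP AS, and the eBGP route that never comes back after the MPLS link is restored) can be reproduced with a toy model of IOS route selection. The following is an added example, not code from the deck or from Cisco: the prefixes, next hops, AS numbers and the 34304 and 3584 metrics are the slides' values, the other metrics are constructed, and the administrative distances are the IOS defaults.

```python
"""Added example (not from the Cisco Live deck): a toy model of IOS route selection that
reproduces the dual-path behaviour described on the slides.  Prefixes, next hops, AS
numbers and the 34304 / 3584 metrics are the slides' values; the other metrics are
constructed.  Administrative distances are the IOS defaults."""
from dataclasses import dataclass

AD = {"eigrp-internal": 90, "eigrp-external": 170, "ebgp": 20}   # IOS default distances


@dataclass(frozen=True)
class Candidate:
    prefix: str
    source: str      # key into AD
    metric: int      # only comparable between routes of the same source
    next_hop: str
    via: str         # role of the next hop on the slide diagram


def rib_best(candidates):
    """RIB selection for one prefix: lowest administrative distance wins,
    and among equal distances the lowest protocol metric."""
    return min(candidates, key=lambda c: (AD[c.source], c.metric))


def single_as_candidates():
    """Slide 'Incorrect Choice': campus and DMVPN share EIGRP 100, so the DMVPN hub
    advertises 10.5.48.0/21 as an internal route (AD 90), while the MPLS CE router
    only has it as a BGP-redistributed external route (AD 170)."""
    return [
        Candidate("10.5.48.0/21", "eigrp-internal", 28160, "10.4.32.18", "DMVPN Hub Router"),  # constructed metric
        Candidate("10.5.48.0/21", "eigrp-external", 34304, "10.4.32.2", "MPLS CE Router"),
    ]


def separate_as_candidates():
    """Slide 'Correct Choice': EIGRP 200 runs over DMVPN and is redistributed into
    EIGRP 100, so both paths are external (AD 170) and the composite metric decides;
    the MPLS CE's default-metric (delay 10) gives it the lower metric."""
    return [
        Candidate("10.5.48.0/21", "eigrp-external", 34560, "10.4.32.18", "DMVPN Hub Router"),  # constructed metric
        Candidate("10.5.48.0/21", "eigrp-external", 34304, "10.4.32.2", "MPLS CE Router"),
    ]


def bgp_bestpath(paths):
    """The first BGP best-path tie-breakers: highest weight, then highest local preference."""
    return max(paths, key=lambda p: (p["weight"], p["localpref"]))


def restored_link_paths():
    """Paths from the slide's 'show ip bgp 10.5.48.0 255.255.248.0' on CE-1 after the
    MPLS link comes back: the eBGP path has no weight, the locally redistributed
    (sourced) path carries the default weight 32768."""
    return [
        {"via": "eBGP 192.168.3.2", "weight": 0, "localpref": 100, "as_path": "65401 65401"},
        {"via": "Local 10.4.32.1", "weight": 32768, "localpref": 100, "as_path": ""},
    ]


def ebgp_route_reinstalled():
    """True only if the eBGP path wins best-path.  While the sourced path wins, the
    EIGRP route learned from the distribution layer stays in the routing table,
    which is exactly the condition the route tag-and-filter on the next slide removes."""
    return bgp_bestpath(restored_link_paths())["as_path"] != ""


if __name__ == "__main__":
    print("single AS   ->", rib_best(single_as_candidates()).via)
    print("separate AS ->", rib_best(separate_as_candidates()).via)
    print("eBGP route reinstalled after link restore:", ebgp_route_reinstalled())
```

The model deliberately stops at the weight and local-preference steps of BGP best-path selection; that is enough to show why the sourced path keeps winning until the EIGRP route from the distribution layer is filtered out.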
Best Practice: Route Tag and Filter

• Routes are implicitly tagged with the carrier AS when redistributed from eBGP to EIGRP
• Configure explicit tags for other routing protocol sources
• Use a route-map to block re-learning of WAN routes via the distribution layer (MPLS routes are already known via iBGP)

router eigrp 100
 distribute-list route-map BLOCK-TAGGED-ROUTES in
 default-metric [BW] 100 255 1 1500
 redistribute bgp 65511
!
route-map BLOCK-TAGGED-ROUTES deny 10
 match tag 65401 65402
route-map BLOCK-TAGGED-ROUTES permit 20

[Diagram: Campus/Data Center; EIGRP routes from the distribution layer arrive at the MPLS CE routers, which peer with each other via iBGP and with MPLS A (AS 65401) and MPLS B (AS 65402).]
WAN-Aggregation Mutual Route Redistribution

WAN-Aggregation Router | From WAN towards Core/Distribution             | From Core/Distribution towards WAN (Redistribute EIGRP 100)
MPLS A CE              | Redistribute: BGP; Implicit tag: MPLS-A        | Block: MPLS-A, MPLS-B, DMVPN
MPLS B CE              | Redistribute: BGP; Implicit tag: MPLS-B        | Block: MPLS-A, MPLS-B, DMVPN
Layer 2 WAN CE         | Redistribute: EIGRP; Explicit tag: Layer 2 WAN | Block: DMVPN
DMVPN 1 Hub            | Redistribute: EIGRP; Explicit tag: DMVPN       | Accept: Any
DMVPN 2 Hub            | Redistribute: EIGRP; Explicit tag: DMVPN       | Accept: Any

[Diagram: WAN Distribution Layer running EIGRP to the MPLS CE Routers (iBGP between them; eBGP to MPLS A and MPLS B), the Layer 2 WAN CE Router (EIGRP (300)) and the DMVPN Hub Routers (EIGRP (200) over DMVPN 1, EIGRP (201) over DMVPN 2); the DMVPN hubs reach ISP A / ISP B through the Internet Edge, which supplies the default route.]
WAN Remote-Site Routing
Single-Router, Single-Link, Access Layer Only
Only requires a single WAN facing routing protocol process

MPLS VPN (eBGP), BGP summary:

router bgp 65511
 bgp router-id 10.5.56.254
 ! Wired/Wireless Data Subnets
 network 10.5.60.0 mask 255.255.255.0
 network 10.5.61.0 mask 255.255.255.0
 network 192.168.3.28 mask 255.255.255.252
 aggregate-address 10.5.56.0 255.255.248.0 summary-only
 neighbor 192.168.3.30 remote-as 65401
 no auto-summary
WAN Remote-Site Routing
Single-Router, Single-Link, Access Layer Only
Only requires a single WAN facing routing protocol process

DMVPN over Internet: EIGRP (200) with EIGRP summary. Layer 2 WAN: EIGRP (300) with EIGRP summary.

router eigrp 300
 network 10.4.38.0 0.0.0.255
 ! Includes all Remote-site networks
 network 10.5.0.0 0.0.255.255
 passive-interface default
 ! Layer 2 WAN interface
 no passive-interface GigabitEthernet0/0.38
 eigrp router-id 10.5.144.254
 eigrp stub connected summary
interface GigabitEthernet0/0.38
 ip summary-address eigrp 300 10.5.144.0 255.255.248.0
WAN Remote-Site Routing
Single-Router, Dual-Link, Access Layer Only
Requires two separate WAN facing routing protocol processes

MPLS VPN, BGP summary:

router bgp 65511
 bgp router-id 10.5.40.254
 network 10.5.44.0 mask 255.255.255.0
 network 10.5.45.0 mask 255.255.255.0
 network 192.168.3.20 mask 255.255.255.252
 aggregate-address 10.5.40.0 255.255.248.0 summary-only
 neighbor 192.168.3.22 remote-as 65401
 no auto-summary

DMVPN over Internet, EIGRP (200) with EIGRP summary:

router eigrp 200
 network 10.4.34.0 0.0.1.255
 network 10.5.0.0 0.0.255.255
 passive-interface default
 no passive-interface Tunnel10
 eigrp router-id 10.5.40.254
 eigrp stub connected summary
interface Tunnel10
 ip summary-address eigrp 200 10.5.40.0 255.255.248.0
WAN Remote-Site Routing
Single-Router, Dual-Link, Access Layer Only
Requires two separate WAN facing routing protocol processes (except for dual-MPLS)

[Diagram, four dual-link variants: MPLS VPN A + MPLS VPN B (BGP summary to each carrier); MPLS VPN + DMVPN over Internet (BGP summary and EIGRP (200) summary); DMVPN-1 + DMVPN-2 over Internet (EIGRP (200) and EIGRP (201) summaries); Layer 2 WAN + DMVPN over Internet (EIGRP summaries, DMVPN in EIGRP (200)).]
WAN Remote-Site Routing
Dual-Router, Dual-Link, Access Layer Only
Requires Separate WAN and LAN Facing Routing Protocol Processes

R1: MPLS VPN (eBGP, BGP summary). R2: DMVPN over Internet (EIGRP (200), EIGRP summary). EIGRP (100) runs between the routers on the LAN side, over the transit network.

One Way Route Redistribution: One Way Redistribution Is Required. Summary Routes Make Two-Way Redistribution Unnecessary.

R1:
router eigrp 100
 default-metric 100000 100 255 1 1500
 network 10.5.0.0 0.0.255.255
 redistribute bgp 65511
 passive-interface default
 ! Transit network
 no passive-interface GigabitEthernet0/1.99
 eigrp router-id 10.5.48.254

R2:
router eigrp 100
 network 10.5.0.0 0.0.255.255
 redistribute eigrp 200
 passive-interface default
 ! Transit network
 no passive-interface GigabitEthernet0/1.99
 eigrp router-id 10.5.48.253
WAN Remote-Site Routing
Dual-Router, Dual-Link, Access Layer Only
Requires Separate WAN and LAN Facing Routing Protocol Processes

[Diagram, four dual-router variants, each with EIGRP (100) between the two routers on the LAN side: MPLS VPN A + MPLS VPN B (BGP summary to each carrier, iBGP between the routers); MPLS VPN + DMVPN over Internet (BGP summary and EIGRP (200) summary); DMVPN-1 + DMVPN-2 over Internet (EIGRP (200) and EIGRP (201) summaries); Layer 2 WAN + DMVPN over Internet (EIGRP (300) and EIGRP (200) summaries).]
WAN Remote-Site Routing
Distribution/Access Layer Only
Requires Separate WAN and LAN Facing Routing Protocol Processes
WAN EIGRP Is Either: DMVPN (200/201) or Layer 2 WAN (300)

[Diagram: single-router and dual-router sites with a distribution layer. The WAN side runs EIGRP/BGP with EIGRP/BGP summaries; the LAN side runs EIGRP (100) to the distribution switch. Single router: 802.1q trunk (50), Vlan50 – router 1 link. Dual router: 802.1q trunk (50,99) and 802.1q trunk (54,99); Vlan50 – router 1 link, Vlan54 – router 2 link, Vlan99 – transit. Access switches: 802.1q trunk (100-101) and 802.1q trunk (102-103).]
Best Practice: Implement AS-Path Filter
Prevent Remote Site from Becoming Transit Network

• Dual carrier sites can unintentionally become a transit network during a network failure event, causing network congestion due to transit traffic
• Design the network so that a transit path between two carriers only occurs at sites with enough bandwidth
• Implement an AS-Path filter to allow only locally originated routes to be advertised in the outbound updates for branches that should not be transit

router bgp 65511
 neighbor 192.168.4.10 route-map NO-TRANSIT-AS out
!
ip as-path access-list 10 permit ^$
!
route-map NO-TRANSIT-AS permit 10
 match as-path 10

[Diagram: Campus connected to MPLS A and MPLS B; a remote site with routers R1 (carrier A) and R2 (carrier B), iBGP between them.]
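Both filters in this part of the deck, the inbound BLOCK-TAGGED-ROUTES distribute-list on the WAN CE routers (Best Practice: Route Tag and Filter) and the outbound NO-TRANSIT-AS filter on dual-carrier branches (this slide), are route-maps, so one small evaluator serves to check both. The following is an added example, not code from the deck or from Cisco: it models IOS route-map semantics (sequence order, permit/deny, implicit deny at the end) in a few lines, and the sample routes are constructed from the slides' prefixes and AS numbers.

```python
"""Added example (not from the Cisco Live deck): a minimal model of IOS route-map
evaluation applied to the two policies on the slides, the inbound distribute-list
BLOCK-TAGGED-ROUTES and the outbound NO-TRANSIT-AS AS-path filter.  The sample
routes are constructed from the slides' prefixes and AS numbers."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Route:
    prefix: str
    tag: Optional[int] = None   # route tag; the carrier AS when the route came from eBGP
    as_path: str = ""           # BGP AS_PATH as IOS prints it; "" = locally originated


@dataclass
class Entry:
    seq: int
    action: str                          # "permit" or "deny"
    match_tag: Set[int] = field(default_factory=set)
    match_as_path: Optional[str] = None  # regex, like an ip as-path access-list


def evaluate(route_map: List[Entry], route: Route) -> bool:
    """Walk entries in sequence order; the first entry whose match clauses all succeed
    decides.  An entry with no match clauses matches everything; falling off the end
    is the implicit deny."""
    for entry in sorted(route_map, key=lambda e: e.seq):
        if entry.match_tag and route.tag not in entry.match_tag:
            continue
        if entry.match_as_path is not None and not re.search(entry.match_as_path, route.as_path):
            continue
        return entry.action == "permit"
    return False


# route-map BLOCK-TAGGED-ROUTES deny 10 / match tag 65401 65402 ; permit 20
BLOCK_TAGGED_ROUTES = [Entry(10, "deny", match_tag={65401, 65402}), Entry(20, "permit")]

# ip as-path access-list 10 permit ^$ ; route-map NO-TRANSIT-AS permit 10 / match as-path 10
NO_TRANSIT_AS = [Entry(10, "permit", match_as_path=r"^$")]


def accept_from_distribution(routes):
    """WAN CE router, EIGRP 100 inbound: drop WAN prefixes the distribution layer re-advertises."""
    return [r.prefix for r in routes if evaluate(BLOCK_TAGGED_ROUTES, r)]


def advertise_to_carrier(routes):
    """Dual-carrier branch, eBGP outbound: advertise only locally originated prefixes."""
    return [r.prefix for r in routes if evaluate(NO_TRANSIT_AS, r)]


# Constructed samples.  On the CE: two remote-site summaries that were redistributed from
# MPLS A / MPLS B and came back via the distribution layer, plus a campus prefix.
FROM_DISTRIBUTION = [
    Route("10.5.48.0/21", tag=65401),
    Route("10.5.56.0/21", tag=65402),
    Route("10.4.0.0/16"),
]
# On the branch: its own aggregate plus a prefix learned from the other carrier via iBGP.
BRANCH_BGP_TABLE = [
    Route("10.5.48.0/21", as_path=""),
    Route("10.5.56.0/21", as_path="65402 65402"),
]

if __name__ == "__main__":
    print("accepted from distribution:", accept_from_distribution(FROM_DISTRIBUTION))
    print("advertised to carrier:     ", advertise_to_carrier(BRANCH_BGP_TABLE))
```

Run stand-alone it prints only the campus prefix on the CE side and only the branch's own aggregate on the carrier side; any prefix the branch learned from another AS fails the `^$` test, which is what stops the site from becoming a transit path.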
Best Practice: Stub Routing
Improve Network Stability and Prevent Transit Site

• The stub routing feature improves network stability, reduces resource utilization, and simplifies stub router configuration. Use at all remote sites.
• Implement stub routing to allow only locally originated routes to be advertised on the outbound updates for dual-router sites that should not be transit

router eigrp 200
 eigrp stub connected summary

[Diagram: Campus connected to VPLS/DMVPN (A) and DMVPN (B); remote site routers running EIGRP toward both.]
WAN Remote-Site Loopback Routing
Initial Approach – Loopbacks within Summary Route (1)

R1: MPLS VPN (eBGP, BGP summary). R2: DMVPN over Internet (EIGRP (200), EIGRP summary). EIGRP (100) between R1 and R2.

Summaries are advertised via both links, but best path is via primary. When primary link is operational both loopbacks are reachable via primary link.

R1:
interface Loopback0
 ip address 10.5.48.254 255.255.255.255
router bgp 65511
 bgp router-id 10.5.48.254
 network 10.5.52.0 mask 255.255.255.0
 network 10.5.53.0 mask 255.255.255.0
 network 192.168.3.20 mask 255.255.255.252
 aggregate-address 10.5.48.0 255.255.248.0 summary-only
 neighbor 192.168.3.22 remote-as 65401
 no auto-summary

R2:
interface Loopback0
 ip address 10.5.48.253 255.255.255.255
router eigrp 200
 network 10.4.34.0 0.0.1.255
 network 10.5.0.0 0.0.255.255
 passive-interface default
 no passive-interface Tunnel10
 eigrp router-id 10.5.48.253
 eigrp stub connected summary
interface Tunnel10
 ip summary-address eigrp 200 10.5.48.0 255.255.248.0
WAN Remote-Site Loopback Routing
BGP Configuration for Single-Router

MPLS VPN (eBGP); the loopback is advertised as a host route:

interface Loopback0
 ip address 10.255.251.204 255.255.255.255

router bgp 65511
 bgp router-id 10.255.251.204
 network 10.255.251.204 mask 255.255.255.255
 neighbor 192.168.3.30 remote-as 65401
WAN Remote-Site Loopback Routing
EIGRP Configuration for Single-Router

DMVPN over Internet, EIGRP (200); the network statement covers all loopbacks:

interface Loopback0
 ip address 10.255.253.205 255.255.255.255

router eigrp 200
 network 10.255.0.0 0.0.255.255
 eigrp router-id 10.255.253.205
WAN Remote-Site Loopback Routing
Configuration for Single-Router (MPLS with DMVPN Backup)

Choose the loopback from the address block of the primary link for a single-router, dual-link remote site. MPLS VPN (BGP) is the primary link, DMVPN over Internet (EIGRP (200)) the backup; the EIGRP network statement covers all loopbacks.

interface Loopback0
 ip address 10.255.251.201 255.255.255.255

router bgp 65511
 bgp router-id 10.255.251.201
 network 10.255.251.201 mask 255.255.255.255
 neighbor 192.168.3.22 remote-as 65401

router eigrp 200
 network 10.255.0.0 0.0.255.255
 eigrp router-id 10.255.251.201
WAN Remote-Site Loopback Routing
Configuration for Dual-Router (MPLS with DMVPN Backup)

Uses the LAN facing routing protocol process to advertise the R2 loopback to R1 (and the R1 loopback to R2). R1: MPLS VPN (eBGP). R2: DMVPN over Internet (EIGRP (200)). EIGRP (100) between R1 and R2.

R1:
interface Loopback0
 ip address 10.255.251.203 255.255.255.255
router eigrp 100
 network 10.255.0.0 0.0.255.255
 eigrp router-id 10.255.251.203

R2:
interface Loopback0
 ip address 10.255.253.203 255.255.255.255
router eigrp 100
 network 10.255.0.0 0.0.255.255
 eigrp router-id 10.255.253.203
WAN Remote-Site Loopback Routing
(continued) Configuration for Dual-Router (MPLS with DMVPN Backup)

R1 (MPLS VPN, eBGP): both loopbacks need to be explicitly listed in the BGP configuration.

router bgp 65511
 bgp router-id 10.255.251.203
 network 10.255.251.203 mask 255.255.255.255
 network 10.255.253.203 mask 255.255.255.255

R2 (DMVPN over Internet, EIGRP (200)): two-way redistribution is required for the EIGRP WAN routing protocol (on R2). Only the loopback addresses should be redistributed from LAN to WAN.

! WAN-facing process (EIGRP 200) redistributing the LAN process (EIGRP 100);
! the process number 200 here is assumed from the surrounding slides, since a
! process cannot redistribute itself.
router eigrp 200
 network 10.255.0.0 0.0.255.255
 redistribute eigrp 100 route-map LOOPBACK-ONLY
 eigrp router-id 10.255.253.203
 eigrp stub connected summary redistributed
ip access-list standard R1-LOOPBACK
 permit 10.255.251.203
route-map LOOPBACK-ONLY permit 10
 match ip address R1-LOOPBACK
DMVPN Deployment Considerations
How to Accommodate Multiple Default Routes for a VPN Hub Router

• VPN hub has a default route to the ASA firewall's VPN-DMZ interface to reach the Internet
• Remote site policy requires centralized Internet access
• Enable EIGRP between VPN headend & Campus core to propagate the default to remote sites
• Static default (admin dist=1) remains active
• User traffic from remote sites is forwarded to VPN-DMZ (wrong firewall interface for user traffic)
• Adjust admin distances to allow the EIGRP default route (to core)
• VPN tunnel drops

[Diagram: Internet Edge Block firewall with INSIDE, VPN-DMZ and OUTSIDE interfaces, a default route pointing out of each toward the Internet; the DMVPN Hub holds a default toward VPN-DMZ and a default learned from the core toward INSIDE, and advertises a default to the DMVPN spoke.]
DMVPN Deployment over Internet
No Split Tunneling at Remote-Site Location

• The VRF INET-PUBLIC contains the default route to the VPN-DMZ interface needed for tunnel establishment
• Enable Front-Door VRF (FVRF) with DMVPN to permit two default routes
• A 2nd default route exists in the Global Routing Table, used by the user traffic to reach the Internet
• To enforce centralized t/unneling the 2nd default route is advertised to spokes via the Tunnel
• Spoke's tunnel drops due to a default route conflict with the one learned from the ISP

[Diagram: Internet Edge Block with INSIDE, VPN-DMZ and OUTSIDE interfaces; the DMVPN hub keeps the VPN-DMZ default in VRF INET-PUBLIC and the EIGRP-learned default in the global table; the spoke receives a default via the tunnel and another from the ISP.]
Best Practice: VRF-Aware DMVPN
Keeping the Default Routes in Separate VRFs

• Enable FVRF DMVPN on the Spokes
• Allow the ISP learned Default Route in the VRF INET-PUBLIC and use it for tunnel establishment
• Global VRF contains the Default Route learned via the tunnel. User data traffic follows the Tunnel to the INSIDE interface on the firewall
• Allows for consistent implementation of corporate security policy for all users

[Diagram: on both hub and spoke, VRF INET-PUBLIC holds the Internet-facing default while the global table holds the EIGRP default via the tunnel; the Internet Edge Block firewall exposes INSIDE, VPN-DMZ and OUTSIDE interfaces.]
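The conflict on the previous slide and the fix on this one come down to which routing table the tunnel's own encapsulated packets are looked up in. The following is an added example, not code from the deck or from Cisco: a small per-table routing model of a spoke, with and without a front-door VRF. The hub's Internet-facing address 192.0.2.10 is a constructed placeholder; "INET-PUBLIC" and "Tunnel10" are the names the slides use, and the assumption that the ISP default is installed by DHCP (distance 254 in IOS) is stated in the code.

```python
"""Added example (not from the Cisco Live deck): a per-table routing model that reproduces
the default-route conflict on a DMVPN spoke and shows why a front-door VRF (FVRF) resolves
it.  HUB_PUBLIC is a constructed placeholder; INET-PUBLIC and Tunnel10 are the slides' names."""
import ipaddress
from typing import Optional

HUB_PUBLIC = "192.0.2.10"      # constructed: the DMVPN hub's Internet-facing address
AD_DHCP_DEFAULT = 254          # assumption: ISP default learned by DHCP, which IOS installs with distance 254
AD_EIGRP_INTERNAL = 90


class Rib:
    """One routing table: the global table or a VRF."""

    def __init__(self):
        self.routes = []       # (network, exit interface, administrative distance)

    def add(self, prefix, interface, ad):
        self.routes.append((ipaddress.ip_network(prefix), interface, ad))

    def exit_interface(self, dst) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        # longest prefix wins, then the lowest administrative distance
        return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))[1]


class Spoke:
    def __init__(self, fvrf: bool):
        self.global_rib = Rib()
        self.inet_public = Rib() if fvrf else None
        # Default learned from the ISP on the outside interface
        isp_table = self.inet_public if fvrf else self.global_rib
        isp_table.add("0.0.0.0/0", "GigabitEthernet0/0", AD_DHCP_DEFAULT)
        # Routes learned from the hub over the tunnel: the hub-side tunnel subnet and,
        # because split tunnelling is disabled, a default route for user traffic
        self.global_rib.add("10.4.34.0/23", "Tunnel10", AD_EIGRP_INTERNAL)
        self.global_rib.add("0.0.0.0/0", "Tunnel10", AD_EIGRP_INTERNAL)

    def tunnel_underlay_interface(self):
        """Where the encapsulated GRE/IPsec packets to the hub leave the router.
        With the tunnel bound to the FVRF the lookup happens in INET-PUBLIC."""
        table = self.inet_public if self.inet_public is not None else self.global_rib
        return table.exit_interface(HUB_PUBLIC)

    def tunnel_up(self):
        """IOS brings a tunnel down when its destination resolves back through the
        tunnel itself (recursive routing), which is the 'tunnel drops' on the slide."""
        return self.tunnel_underlay_interface() not in (None, "Tunnel10")

    def user_traffic_interface(self, dst):
        return self.global_rib.exit_interface(dst)


def classic_spoke():
    return Spoke(fvrf=False)


def fvrf_spoke():
    return Spoke(fvrf=True)


if __name__ == "__main__":
    for name, spoke in (("no FVRF", classic_spoke()), ("FVRF", fvrf_spoke())):
        print(name, "-> hub via", spoke.tunnel_underlay_interface(),
              "| tunnel up:", spoke.tunnel_up(),
              "| user traffic via", spoke.user_traffic_interface("198.51.100.7"))
```

Without the FVRF the EIGRP default (distance 90) beats the ISP default in the single table, so the hub address itself resolves through Tunnel10 and the tunnel collapses. With the FVRF the hub lookup sees only the ISP default, while user traffic in the global table still follows the tunnel to the INSIDE interface, which is the centralized Internet access the design wants.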
Avoid Fragmentation when Tunneling

[Diagram: GRE+IPsec tunnel between two routers; physical links MTU 1500, tunnel MTU 1400.]

Tunnel Setting (esp-aes 256 esp-sha-hmac) | Maximum MTU | Recommended MTU
GRE/IPSec (Tunnel Mode)                    | 1414 bytes  | 1400 bytes
GRE/IPSec (Transport Mode)                 | 1434 bytes  | 1400 bytes

• IP fragmentation will cause CPU and memory overhead and result in lower throughput performance
• When one fragment of a datagram is dropped, the entire original IP datagram will have to be resent
• Use 'mode transport' on the transform-set
  ‒ NHRP requires this for NAT support and it saves 20 bytes of overhead
• Avoid MTU issues with the following best practices
  ‒ ip mtu 1400 (WAN facing interface or tunnel)
  ‒ ip tcp adjust-mss 1360 (WAN facing interface or tunnel)
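The numbers above fit together with a little arithmetic, and it is worth seeing what actually happens to a full-size packet at a 1400-byte tunnel MTU with and without the MSS clamp. The following is an added example, not code from the deck or from Cisco: the 1414 and 1434-byte maximums are taken from the slide's table, and the fragmentation routine implements generic IPv4 behaviour (20-byte header, fragment payloads in multiples of 8 bytes).

```python
"""Added example (not from the Cisco Live deck): the arithmetic behind the
'Avoid Fragmentation when Tunneling' recommendations.  The 1414/1434-byte maximums
are the slide's table values; the fragmentation model is generic IPv4."""
PHYSICAL_MTU = 1500
IPV4_HEADER = 20
TCP_HEADER = 20
# Largest packet that still fits in 1500 bytes after GRE + IPsec (esp-aes 256 esp-sha-hmac)
MAX_PAYLOAD = {"tunnel": 1414, "transport": 1434}


def encapsulation_overhead(mode):
    """Bytes added by GRE/IPsec in the given IPsec mode."""
    return PHYSICAL_MTU - MAX_PAYLOAD[mode]


def fits_after_encapsulation(packet_len, mode):
    return packet_len + encapsulation_overhead(mode) <= PHYSICAL_MTU


def mss_for_ip_mtu(ip_mtu):
    """ip tcp adjust-mss value that keeps a full TCP segment inside ip_mtu."""
    return ip_mtu - IPV4_HEADER - TCP_HEADER


def tcp_packet_len(mss):
    return mss + IPV4_HEADER + TCP_HEADER


def default_mss_on_ethernet():
    """MSS a host derives from a plain 1500-byte link when nothing clamps it."""
    return mss_for_ip_mtu(PHYSICAL_MTU)


def ip_fragments(packet_len, ip_mtu, df=False):
    """Split an IPv4 packet (total length) to fit ip_mtu.  Returns the fragment lengths,
    or None when DF is set and the packet does not fit (the router drops it and sends
    ICMP 'fragmentation needed')."""
    if packet_len <= ip_mtu:
        return [packet_len]
    if df:
        return None
    payload = packet_len - IPV4_HEADER
    chunk = (ip_mtu - IPV4_HEADER) // 8 * 8   # every fragment but the last carries a multiple of 8
    fragments = []
    while payload > 0:
        take = min(chunk, payload)
        fragments.append(take + IPV4_HEADER)
        payload -= take
    return fragments


if __name__ == "__main__":
    for mode in MAX_PAYLOAD:
        print(mode, "mode overhead:", encapsulation_overhead(mode), "bytes")
    full = tcp_packet_len(default_mss_on_ethernet())
    print("unclamped segment", full, "bytes at ip mtu 1400 ->", ip_fragments(full, 1400))
    print("with DF set ->", ip_fragments(full, 1400, df=True))
    clamped = tcp_packet_len(mss_for_ip_mtu(1400))
    print("clamped segment", clamped, "bytes ->", ip_fragments(clamped, 1400))
```

The transport-mode saving is exactly the 20-byte outer IP header (86 versus 66 bytes of overhead). An unclamped 1500-byte TCP packet at a 1400-byte tunnel MTU becomes two fragments (1396 and 124 bytes), or is dropped outright when DF is set; with `ip tcp adjust-mss 1360` the same flow produces 1400-byte packets that pass the tunnel untouched.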
Remote-Site with 3G or 4G/LTE Wireless WAN
Best Practice Uses Dialer Interface

Select 3G or 4G Technology Option: 3G/GSM, 3G/CDMA or 4G/LTE. The technology-specific part is a single step (GSM Specific, CDMA Specific or LTE Specific Remote Site Router Configuration); the remaining steps are common to all three:

1. Finish the WAN Router Universal Configuration
2. Configure VRF Lite
3. Configure the Cellular Interface
4. Configure the Dialer interface
5. Configure VRF-Specific Default Routing
6. Apply the Access List
7. Configure ISAKMP and IPSec
8. Configure mGRE Tunnel
9. Configure EIGRP
10. Configure IP Multicast

[Diagram: remote site router with Dialer1 on the 3G/4G Wireless WAN carrying the VPN Tunnel.]

The dialer interface provides a consistent method of configuration regardless of the chosen wireless technology.
Wireless WAN with 3G (GSM and CDMA)
Two PPP Encapsulation Methods
CDMA Example
chat-script CDMA "" "ATDT#777" TIMEOUT 30 "CONNECT"
interface Cellular0/0/0
bandwidth 1800
no ip address
encapsulation ppp
dialer in-band
dialer pool-member 1
no peer default ip address
async mode interactive
no ppp lcp fast-start
!
interface Dialer1
bandwidth 1800
ip vrf forwarding INET-PUBLIC
ip address negotiated
ip access-group ACL-INET-PUBLIC in
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer string CDMA
dialer persistent
ppp ipcp address accept
!
line 0/0/0
script dialer CDMA
modem InOut
no exec

GSM Example
chat-script GSM "" "ATDT*98*1#" TIMEOUT 30 "CONNECT"
!
interface Cellular0/0/0
bandwidth 384
no ip address
encapsulation ppp
dialer in-band
dialer pool-member 1
no peer default ip address
async mode interactive
no ppp lcp fast-start
!
interface Dialer1
bandwidth 384
ip vrf forwarding INET-PUBLIC
ip address negotiated
ip access-group ACL-INET-PUBLIC in
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer string GSM
dialer persistent
no ppp lcp fast-start
ppp chap hostname ISP@CINGULARGPRS.COM
ppp chap password 7 02252D752C3323007E1F
ppp ipcp address accept
ppp timeout retry 120
ppp timeout ncp 30
!
line 0/0/0
script dialer GSM
modem InOut
no exec

Router with GSM must also create a profile
R1# cellular 0/0/0 gsm profile create 1 isp.cingular chap ISP@CINGULARGPRS.COM CINGULAR1
Wireless WAN with 4G/LTE
Direct IP Encapsulation Instead of PPP

[Diagram: R1 with Ce0/0/0 on the 3G/4G Wireless WAN carrying the VPN Tunnel; No HSRP Required; Vlan64 - data on the LAN side.]

LTE recovery script recommended

R1#
chat-script LTE "" "AT!CALL1" TIMEOUT 20 "OK"
interface Cellular0/0/0
 bandwidth 2000
 no ip address
 encapsulation slip
 dialer in-band
 dialer pool-member 1
 no peer default ip address
 async mode interactive
!
interface Dialer1
 bandwidth 2000
 ip vrf forwarding INET-PUBLIC
 ip address negotiated
 ip access-group ACL-INET-PUBLIC in
 encapsulation slip
 dialer pool 1
 dialer idle-timeout 0
 dialer string LTE
 dialer persistent
!
line 0/0/0
 script dialer LTE
 modem InOut
 no exec

• Direct IP requires SLIP encapsulation keyword
• No PPP authentication parameters required
• No profile required
Wireless WAN with 3G/4G Backup
Enhanced Object Tracking (EOT) with EEM Scripts
R1#
ip sla 100
icmp-echo 192.168.3.26 source-interface
GigabitEthernet0/0
timeout 1000
threshold 1000
frequency 15
ip sla schedule 100 life forever start-time now

IP SLA
Probe
3G/4G Wireless
WAN

track 60 ip sla 100 reachability
event manager applet ACTIVATE-3G
event track 60 state down
action 1 cli command "enable"
action 2 cli command "configure terminal"
action 3 cli command "interface cellular0/0/0"
action 4 cli command "no shutdown"
action 5 cli command "end"
action 99 syslog msg "Activating 3G interface"

Ce0/0/0
R1

No HSRP
Required
Vlan64 - data

Note: This method is also compatible with a
dual router design (probes are sent from R2)

BRKRST-2040

R1#
14:22:14:
14:22:14:
14:22:14:
14:22:34:
14:22:34:
14:22:34:
14:22:40:
14:22:40:
14:22:42:

%TRACKING-5-STATE: 60 ip sla 100 reachability Up->Down
%SYS-5-CONFIG_I: Configured from console by on vty0(EEM:ACTIVATE-3G)
%HA_EM-6-LOG: ACTIVATE-3G: Activating 3G interface
%LINK-3-UPDOWN: Interface Cellular0/0/0, changed state to up
%DIALER-6-BIND: Interface Ce0/0/0 bound to profile Di1
%LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0/0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel10, changed state to up
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
%DUAL-5-NBRCHANGE: EIGRP-IPv4 200: Neighbor 10.4.34.1 (Tunnel11) is up: new adjacency

Wireless WAN with 3G/4G Only Link
Time Based Connection with EEM Scripts

[Diagram: R1 with Ce0/0/0 on the 3G/4G wireless WAN carrying the VPN tunnel; Vlan64 - data on the LAN side; no HSRP required]

R1#
event manager applet TIME-OF-DAY-ACTIVATE-3G
event timer cron cron-entry "45 4 * * 1-5"
action 1 cli command "enable"
action 2 cli command "configure terminal"
action 3 cli command "interface cellular0/0/0"
action 4 cli command "no shutdown"
action 5 cli command "end"
action 99 syslog msg "M-F @ 4:45AM Activating 3G interface"
event manager applet TIME-OF-DAY-DEACTIVATE-3G
event timer cron cron-entry "15 18 * * 1-5"
action 1 cli command "enable"
action 2 cli command "configure terminal"
action 3 cli command "interface cellular0/0/0"
action 4 cli command "shutdown"
action 5 cli command "end"
action 99 syslog msg "M-F @ 6:15PM Deactivating 3G interface"

• Limit connection time to reduce usage charges
• EEM scripts leverage CRON
• Additional scripting or enhancements can allow for manual override
for weekend or after hours use.
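Before deploying the two cron-driven applets it is worth checking what schedule they actually produce, since a wrong field costs either connectivity or usage charges. The Python below is an added example (not from the deck and not Cisco code) that parses the five-field cron entries used by the slide's applets, replays both timers to answer "should the link be up at this moment?", and totals the hours per week the link is up. It assumes the interface starts shut down, as configured, that the cron fields follow the usual minute/hour/day/month/weekday layout with 0 or 7 meaning Sunday, and that when both timers fire in the same minute the deactivate wins; the helper names are my own.

```python
from datetime import datetime, timedelta
from typing import Set

# The two cron entries from the slide's EEM applets ("event timer cron" takes the
# standard five fields: minute hour day-of-month month day-of-week, 0 = Sunday).
ACTIVATE_CRON = "45 4 * * 1-5"
DEACTIVATE_CRON = "15 18 * * 1-5"


def _expand(field: str, lo: int, hi: int) -> Set[int]:
    """Expand one cron field ('*', 'a', 'a-b', 'a,b', '*/n', 'a-b/n') to a set of ints."""
    values: Set[int] = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values


class CronEntry:
    """A parsed five-field cron entry with a minute-resolution match test."""

    def __init__(self, entry: str) -> None:
        minute, hour, dom, month, dow = entry.split()
        self.minutes = _expand(minute, 0, 59)
        self.hours = _expand(hour, 0, 23)
        self.days = _expand(dom, 1, 31)
        self.months = _expand(month, 1, 12)
        self.dows = _expand(dow, 0, 7)
        if 7 in self.dows:          # both 0 and 7 mean Sunday in cron
            self.dows.add(0)

    def matches(self, when: datetime) -> bool:
        cron_dow = (when.weekday() + 1) % 7   # Python: Monday = 0; cron: Sunday = 0
        return (when.minute in self.minutes and when.hour in self.hours
                and when.day in self.days and when.month in self.months
                and cron_dow in self.dows)


def link_expected_up(when: datetime, activate: str = ACTIVATE_CRON,
                     deactivate: str = DEACTIVATE_CRON) -> bool:
    """Replay both applets minute by minute over the week before `when` and return
    the state they leave the interface in. It starts shut down (assumption: the
    configured state) and a deactivate that lands in the same minute as an activate wins."""
    up, down = CronEntry(activate), CronEntry(deactivate)
    state = False
    t = (when - timedelta(days=7)).replace(second=0, microsecond=0)
    end = when.replace(second=0, microsecond=0)
    while t <= end:
        if down.matches(t):
            state = False
        elif up.matches(t):
            state = True
        t += timedelta(minutes=1)
    return state


def expected_up_at(iso_timestamp: str) -> bool:
    """Convenience wrapper taking an ISO 8601 timestamp such as '2024-01-03T12:00'."""
    return link_expected_up(datetime.fromisoformat(iso_timestamp))


def weekly_uptime_hours(activate: str = ACTIVATE_CRON,
                        deactivate: str = DEACTIVATE_CRON) -> float:
    """Hours per week the link is up under the schedule; a quick way to bound
    metered-usage exposure before the applets go live."""
    up, down = CronEntry(activate), CronEntry(deactivate)
    week_start = datetime(2024, 1, 1)          # a Monday; any full week will do
    state = link_expected_up(week_start, activate, deactivate)
    minutes_up = 0
    t = week_start
    for _ in range(7 * 24 * 60):
        if down.matches(t):
            state = False
        elif up.matches(t):
            state = True
        minutes_up += int(state)
        t += timedelta(minutes=1)
    return minutes_up / 60


if __name__ == "__main__":
    print("Wed 12:00 up:", expected_up_at("2024-01-03T12:00"))
    print("Sat 12:00 up:", expected_up_at("2024-01-06T12:00"))
    print("hours up per week:", weekly_uptime_hours())
```

For the slide's entries the link is up 13.5 hours on each weekday, 67.5 hours a week, and down all weekend; the same replay is a useful sanity check against an "Activating 3G interface" syslog message that arrives outside that window.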
WAN Quality of Service
Defining SBA QoS Classes of Services
Class of Service | Traffic Type | DSCP Value(s) | Bandwidth (%) | Congestion Avoidance
VOICE | Voice traffic | ef | 10 (PQ) | -
INTERACTIVE-VIDEO | Interactive video (video conferencing) | cs4, af41 | 23 (PQ) | -
CRITICAL-DATA | Highly interactive (such as Telnet, Citrix, and Oracle thin clients) | cs3, af31 | 15 | DSCP based
DATA | Data | af21 | 19 | DSCP based
SCAVENGER | Scavenger | cs1, af11 | 5 | -
NETWORK-CRITICAL | Routing protocols. Operations, administration and maintenance (OAM) traffic. | cs2, cs6 | 3 | -
class-default | Best effort | other | 25 | random

All WAN routers:

class-map match-any VOICE
match dscp ef
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41
class-map match-any CRITICAL-DATA
match dscp cs3 af31
class-map match-any DATA
match dscp af21
class-map match-any SCAVENGER
match dscp cs1 af11
class-map match-any NETWORK-CRITICAL
match dscp cs2 cs6

For MPLS CE routers:

class-map match-any BGP-ROUTING
match protocol bgp
policy-map MARK-BGP
class BGP-ROUTING
set dscp cs6

For DMVPN routers:

ip access-list extended ISAKMP
permit udp any eq isakmp any eq isakmp
class-map match-any NETWORK-CRITICAL
match access-group name ISAKMP
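The class table and the class-map configuration above describe the same thing twice, which is where transcription errors creep in: a DSCP matched by two classes, or percentages that no longer add up. The Python below is an added example (not from the deck and not Cisco code) that holds the table as data, checks it for those inconsistencies, reports which class a given DSCP lands in, and renders the class-map block so it can be diffed against the router. The faulty second table is constructed to exercise the checks; the 33% ceiling on priority-queue bandwidth is general Cisco QoS design guidance rather than something the slide states, and the sub-command indentation in the rendered output follows IOS running-config style rather than the slide's.

```python
from typing import Dict, List, NamedTuple


class CoS(NamedTuple):
    name: str
    dscp: List[str]     # DSCP values matched; empty for class-default
    bandwidth: int      # percent of link bandwidth
    priority: bool      # served from the priority queue (PQ)


# The SBA class-of-service table from the slide, transcribed as data.
SBA_CLASSES = [
    CoS("VOICE",             ["ef"],          10, True),
    CoS("INTERACTIVE-VIDEO", ["cs4", "af41"], 23, True),
    CoS("CRITICAL-DATA",     ["cs3", "af31"], 15, False),
    CoS("DATA",              ["af21"],        19, False),
    CoS("SCAVENGER",         ["cs1", "af11"],  5, False),
    CoS("NETWORK-CRITICAL",  ["cs2", "cs6"],   3, False),
    CoS("class-default",     [],              25, False),
]

# Constructed faulty table (hypothetical, for the checks below): af31 is matched
# twice, the priority queue is oversized, and the percentages exceed the link.
BROKEN_CLASSES = [
    CoS("VOICE",         ["ef"],           40, True),
    CoS("CRITICAL-DATA", ["cs3", "af31"],  30, False),
    CoS("DATA",          ["af21", "af31"], 30, False),
    CoS("class-default", [],               25, False),
]

# Cisco QoS design guidance (not on the slide): keep strict-priority traffic to
# roughly a third of the link so the remaining classes are never starved.
PQ_LIMIT_PERCENT = 33


def validate(classes: List[CoS]) -> List[str]:
    """Return a list of problems; an empty list means the table is consistent."""
    problems: List[str] = []
    total = sum(c.bandwidth for c in classes)
    if total > 100:
        problems.append(f"bandwidth percentages sum to {total}%, more than the link")
    pq = sum(c.bandwidth for c in classes if c.priority)
    if pq > PQ_LIMIT_PERCENT:
        problems.append(f"priority queue holds {pq}% of the link, above the "
                        f"{PQ_LIMIT_PERCENT}% guideline")
    owner: Dict[str, str] = {}
    for c in classes:
        for d in c.dscp:
            if d in owner:
                problems.append(f"dscp {d} matched by both {owner[d]} and {c.name}")
            else:
                owner[d] = c.name
    names = [c.name for c in classes]
    if len(set(names)) != len(names):
        problems.append("duplicate class names")
    return problems


def classify(dscp: str, classes: List[CoS] = SBA_CLASSES) -> str:
    """Class a packet with this DSCP lands in: the first class listing it wins
    (policy-map order), and anything unlisted falls through to class-default."""
    for c in classes:
        if dscp in c.dscp:
            return c.name
    return "class-default"


def render_class_maps(classes: List[CoS] = SBA_CLASSES) -> str:
    """Emit the IOS class-map block for the table (class-default needs none)."""
    lines: List[str] = []
    for c in classes:
        if c.dscp:
            lines.append(f"class-map match-any {c.name}")
            lines.append(f" match dscp {' '.join(c.dscp)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("SBA table problems:", validate(SBA_CLASSES) or "none")
    print("broken table problems:", validate(BROKEN_CLASSES))
    print(render_class_maps())
```

Run against the slide's table this reports no problems and reproduces the six class-maps above; the DMVPN ISAKMP access-group and the MPLS BGP marking are additions to NETWORK-CRITICAL that the table does not carry, so they stay as hand-written lines appended after the rendered block.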

WAN Design and Deployment Using SBA
Agenda

• SBA WAN Overview

• SBA WAN Design Methodology
• Key Aspects of the Design
• Summary

Summary

• The SBA WAN design methodology allows for either a small or large scale
initial deployment.
• Flexibility is built into the WAN and remote-site design. Adding scale,
resiliency or capabilities is straightforward.
• The SBA WAN design uses advanced features and capabilities. Each is
documented in a prescriptive manner.
‒ Route-maps ensure routing stability
‒ F-VRF DMVPN permits spoke-spoke with central tunneling
‒ WAAS GRE negotiated return enables shared clusters
‒ EEM scripts extend capabilities of EOT

Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 

Design and Deployment using the Cisco Smart Business Architecture (SBA)

  • 1. Design and Deployment using the Cisco Smart Business Architecture (SBA)
    Anastasia Marchenko, Systems Engineer, Cisco, amarchen@cisco.com
    BRKRST-2040
  • 2. Design and Deployment Using SBA: Agenda
    • SBA WAN Overview
    • SBA WAN Design Methodology
    • Key Aspects of the Design
    • Summary
  • 3. The Challenge
    How can I anticipate what the network might need to do in the future so I don’t have to revisit my design and deployment?
    Which platform should I choose? Many to choose from at each place in the network (ASR1000, WAE-7341).
    How can I do it quickly?
    What are the best practices?
    How do I manage it?
    How do I put it all together?
  • 4. Cisco Smart Business Architecture Overview
    Tested / Optimized
     A reference design, tested, and supported by Cisco
     One architecture to scale for different size organizations
     Multiple tiers to match your organization’s needs without changing the network architecture
    Flexible
     Flexible architecture to help ensure easy migration as the organization grows
    Comprehensive
     Seamless support for quick deployment of wired and wireless network access for data, voice, teleworker, and wireless guest
    Secure
     Security and high availability for corporate information resources, and Internet-facing applications
    Performance
     Improved network performance and cost reduction through the use of services like WAN optimization
  • 5. Cisco SBA Design Overview
  • 6. SBA WAN Deployment Principles
     Ease of Deployment: Deploy the design consistently across all products included in the architecture. The configurations used in the deployment represent a best-practice methodology to enable a fast and resilient deployment.
     Flexibility and Scalability: The architecture can grow with the organization without being redesigned.
     Resiliency and Security: The architecture keeps the network operating even during unplanned outages and attacks.
     Easy to Manage: The deployment guidance includes configuring devices to be managed by a network management system (NMS) or as unique elements of the network.
     Advanced Technology Ready: Implementing advanced technologies like collaboration is easy because the network foundation is already configured with the required baseline network services.
  • 7. Borderless Networks SBA Guides for Enterprise
    MPLS WAN Deployment Guide, Layer 2 WAN Deployment Guide, VPN WAN Deployment Guide: http://www.cisco.com/go/sba

    Deployment Guide               | Usage                                                  | WAN Aggregation Design Models
    -------------------------------|--------------------------------------------------------|------------------------------------------------------------------
    MPLS WAN                       | MPLS L3 VPN, Primary/Secondary                         | Dual MPLS, MPLS Dynamic, MPLS Static
    Layer 2 WAN                    | Layer 2 WAN, Primary                                   | Transports: Trunked Demarcation, Simple Demarcation
    VPN WAN                        | Internet/DMVPN, Primary/Secondary                      | Dual DMVPN, DMVPN Only, DMVPN Backup Dedicated, DMVPN Backup Shared
    VPN Remote Site over 3G/4G     | 3G/4G Internet/DMVPN, Primary/Secondary                | Remote site only
    Group Encrypted Transport VPN  | MPLS L3 VPN (Primary/Secondary), Layer 2 WAN (Primary) | Compatible with all design models
  • 8. WAN Design and Deployment Using SBA: Agenda
    • SBA WAN Overview
    • SBA WAN Design Methodology
    • Key Aspects of the Design
    • Summary
  • 9. Hierarchical WAN Design
    SBA: ≤ 500 Remote Sites
    Diagram: Data Center/HQ (Core/Distribution) with Spoke Site 1 ... Spoke Site N; Data Center/HQ (Core, Distribution, Access) with Regional hub ... Regional hub, each serving Spoke Site 1 ... Spoke Site N and Spoke Site 1’ ... Spoke Site N’
  • 10. WAN-Aggregation Reference Design
    Layers: Core Layer; WAN Distribution Layer; DMVPN Hub Routers; Internet Edge; Layer 2 WAN CE Router; MPLS CE Routers
    Transports: DMVPN 1 and DMVPN 2 (ISP A / ISP B); MPLS A and MPLS B; Layer 2 WAN
  • 11. WAN Remote Site Designs: Basic Remote Site
  • 12. WAN Remote Site Designs (MPLS and DMVPN)
    MPLS WAN:            Non Redundant: MPLS | Redundant Links: MPLS-A + MPLS-B | Redundant Links & Routers: MPLS-A + MPLS-B
    MPLS + Internet WAN: Redundant Links: MPLS + Internet DMVPN | Redundant Links & Routers: MPLS + Internet DMVPN
    Internet WAN:        Non Redundant: Internet DMVPN | Redundant Links: Internet (DMVPN-1) + Internet (DMVPN-2) | Redundant Links & Routers: Internet (DMVPN-1) + Internet (DMVPN-2)
  • 13. WAN Remote Site Designs (L2, 3G/4G and DMVPN)
    VPLS WAN:                  Non Redundant: VPLS
    VPLS + Internet WAN:       Redundant Links: VPLS + Internet (DMVPN-1) | Redundant Links & Routers: VPLS + Internet (DMVPN-1)
    3G/4G Internet WAN:        Non Redundant: 3G/4G (DMVPN)
    MPLS + 3G/4G Internet WAN: Redundant Links: MPLS + 3G/4G (DMVPN) | Redundant Links & Routers: MPLS + 3G/4G (DMVPN)
  • 14. WAN Remote Site Reference Designs: Access Layer Only
    Single Router Remote Sites: no HSRP required; 802.1q Vlan trunk (64-65, 69-70); Vlan64 - data, Vlan65 – wireless data, Vlan69 - voice, Vlan70 – wireless voice
    Dual Router Remote Sites: add router and transit network and enable HSRP; 802.1q Vlan trunk (64-65, 69-70, 99); Vlan99 - transit; HSRP Vlans; Active HSRP Router; Vlan64 - data, Vlan65 – wireless data, Vlan69 - voice, Vlan70 – wireless voice

    Vlan    Usage           Access Layer Only Designs   IP Network Assignment (Example)
    Vlan65  Wireless Data   Yes                         10.5.50.0/24
    Vlan70  Wireless Voice  Yes                         10.5.51.0/24
    Vlan64  Data 1          Yes                         10.5.52.0/24
    Vlan69  Voice 1         Yes                         10.5.53.0/24
    Vlan99  Transit         Yes (dual router only)      10.5.48.0/30
  • 15. WAN Remote Site Reference Designs: Distribution and Access Layer
    Single Router Remote Sites: add distribution layer; 802.1q trunk (50); Vlan50 – router 1 link
    Dual Router Remote Sites: add distribution layer (with transit network for dual router sites); 802.1q trunk (50,99) and 802.1q trunk (54,99); Vlan50 – router 1 link, Vlan54 – router 2 link, Vlan99 – transit
    Access switches: 802.1q trunk (xx-xx) carrying data and voice Vlans
  • 16. WAN Remote Site Reference Design: Distribution Layer Wireless LAN Integration
    WLAN Controller required for the distribution layer design to support roaming
    Routers: Vlan50 – router 1 link, Vlan54 – router 2 link, Vlan99 – transit; 802.1q trunk (50,99), 802.1q trunk (54,99)
    WLAN controller: 802.1q trunk (106, WD, WV); Vlan106 – management, VlanWD – wireless data, VlanWV – wireless voice
    Access: 802.1q trunk (100, 101), 802.1q trunk (102-103); Vlan100 - data, Vlan101 - voice, Vlan102 - data, Vlan103 - voice
    No HSRP required
  • 17. WAN Design and Deployment Using SBA: Agenda
    • SBA WAN Overview
    • SBA WAN Design Methodology
    • Key Aspects of the Design
    • Summary
  • 18. WAN Edge Connection Methods Compared (this topic is covered in detail in BRKCRS-2030)
    Diagram: three ways of attaching Core/Distribution to the WAN Edge Router and the WAN
    SBA recommended:
     All
     No static routes
     No FHRPs
     Single Logical Control Plane
     Port-Channel for H/A
  • 19. Optimize Convergence and Redundancy
    Layer 3 P-to-P Link (IGP recalc on failure):
     Link redundancy achieved through redundant L3 paths
     Flow based load-balancing through CEF forwarding across
     Routing protocol reconvergence when an uplink fails
     Convergence time may depend on the routing protocol used and the size of the routing table
    Multichassis EtherChannel, VSS or 3750 Stack (channel member removed on failure):
     Provides link redundancy and reduces peering complexity
     Tune the L3/L4 load-balancing hash to achieve maximum utilization
     No L3 reconvergence required when a member link fails
     No individual flow can go faster than the speed of an individual member of the link
  • 20. WAN Dual-Path Route Preference: Incorrect Choice of Primary Path (DMVPN)
    Route at the WAN Distribution Layer: D 10.5.48.0/21 [90/xxxxx] via 10.4.32.18 (10.4.32.18 = DMVPN Hub Router)
    • eBGP routes are redistributed into EIGRP-100 as external routes with default Administrative Distance = 170
    • Running the same EIGRP AS for both campus and DMVPN network would result in the Internet path being preferred over the MPLS path
    Topology: WAN Distribution Layer; MPLS CE Router (EIGRP and BGP, BGP AS = 65511, mutual route redistribution, eBGP to MPLS A AS 65401); DMVPN Hub Router (EIGRP (100) over DMVPN 1); Remote Site 10.5.48.0/21
  • 21. WAN Dual-Path Route Preference: Correct Choice of Primary Path (MPLS)
    Route at the WAN Distribution Layer: D EX 10.5.48.0/21 [170/34304] via 10.4.32.2 (10.4.32.2 = MPLS CE Router)
    • Multiple EIGRP AS processes can be used to provide control of the routing: EIGRP 100 is used in the HQ location, EIGRP 200 over the DMVPN tunnel
    • Routes from EIGRP 200 redistributed into EIGRP 100 appear as external routes (distance = 170)
     EIGRP uses bandwidth and delay metrics if prefix and distance are the same.
     If routes from both WAN sources are equal-cost paths, use EIGRP delay to modify path preference
    DMVPN hub router:
      router eigrp 100
       redistribute eigrp 200
    MPLS CE router:
      router eigrp 100
       default-metric 1000000 10 255 1 1500
    Topology: WAN Distribution Layer; MPLS CE Router (EIGRP and BGP, BGP AS = 65511, eBGP to MPLS A AS 65401); DMVPN Hub Router (EIGRP (200) over DMVPN 1); Remote Site 10.5.48.0/21
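The route-preference argument of slides 20 and 21, as an added example that is not part of the Cisco deck: a small Python model of IOS route selection (lowest administrative distance first, then lowest metric) together with the classic EIGRP composite metric. The addresses and the MPLS CE `default-metric` come from the slides; the tunnel bandwidth/delay values, the seed delay used for the DMVPN route and all function names are this example's own.

```python
from dataclasses import dataclass

# Default administrative distances in IOS; the deck quotes 90 (EIGRP
# internal) and 170 (EIGRP external).
AD = {"eigrp": 90, "eigrp-external": 170}

REMOTE = "10.5.48.0/21"          # remote-site summary from the slides
MPLS_CE = "10.4.32.2"            # next hop shown on slide 21
DMVPN_HUB = "10.4.32.18"         # next hop shown on slide 20


def eigrp_metric(min_bandwidth_kbps: int, total_delay_tens_us: int) -> int:
    """Classic EIGRP composite metric with default K values (K1 = K3 = 1)."""
    return 256 * (10_000_000 // min_bandwidth_kbps + total_delay_tens_us)


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str      # key into AD
    next_hop: str
    metric: int


def best_route(candidates):
    """IOS installs the lowest administrative distance; ties go to the lowest metric."""
    return min(candidates, key=lambda r: (AD[r.source], r.metric))


# 'default-metric 1000000 10 255 1 1500' on the MPLS CE (slide 21) seeds the
# redistributed BGP routes with 1 Gbps bandwidth and 100 us delay.
MPLS_SEED_METRIC = eigrp_metric(1_000_000, 10)       # 5120


def same_as_design(tunnel_bw_kbps=100_000, tunnel_delay_tens_us=5000):
    """Slide 20: one EIGRP AS spans campus and DMVPN tunnels.

    The DMVPN hub passes the spoke prefix on as an internal EIGRP route, so it
    reaches the distribution layer at AD 90 and wins regardless of metric.
    The tunnel bandwidth and delay are constructed sample values.
    """
    via_dmvpn = Route(REMOTE, "eigrp", DMVPN_HUB,
                      eigrp_metric(tunnel_bw_kbps, tunnel_delay_tens_us))
    via_mpls = Route(REMOTE, "eigrp-external", MPLS_CE, MPLS_SEED_METRIC)
    return best_route([via_dmvpn, via_mpls])


def separate_as_design(dmvpn_seed_delay_tens_us=1000):
    """Slide 21: EIGRP 200 on the tunnels, redistributed into EIGRP 100.

    Both candidates are now external (AD 170), so the seed metric decides;
    the delay the hub uses when redistributing (a constructed value here)
    keeps MPLS primary as long as it exceeds the CE's seed delay.
    """
    via_dmvpn = Route(REMOTE, "eigrp-external", DMVPN_HUB,
                      eigrp_metric(1_000_000, dmvpn_seed_delay_tens_us))
    via_mpls = Route(REMOTE, "eigrp-external", MPLS_CE, MPLS_SEED_METRIC)
    return best_route([via_dmvpn, via_mpls])


if __name__ == "__main__":
    for label, chosen in (("same AS", same_as_design()),
                          ("separate AS", separate_as_design())):
        print(f"{label:12s} {chosen.prefix} [{AD[chosen.source]}/{chosen.metric}] "
              f"via {chosen.next_hop}")
```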
  • 22. WAN-Aggregation IP Routing Detail
    WAN Distribution Layer: EIGRP
    DMVPN Hub Routers: EIGRP toward the distribution layer; EIGRP (200) over DMVPN 1 and EIGRP (201) over DMVPN 2, reached through the Internet Edge (ISP A / ISP B, default route)
    MPLS CE Routers: EIGRP toward the distribution layer, iBGP between them, BGP AS = 65511; eBGP to MPLS A (AS 65401) and MPLS B (AS 65402)
    Layer 2 WAN CE Router: EIGRP toward the distribution layer; EIGRP (300) over the Layer 2 WAN
  • 23. WAN Dual-Path Route Preference: Is Route Control Needed?
    WAN Distribution Layer: D EX 10.5.48.0/21 [170/xxxx] via 10.4.32.18 (DMVPN Hub Router)
    MPLS CE Router: D EX 10.5.48.0/21 [170/xxxx] via 10.4.32.1 (WAN Distribution Layer)
    • After link failure, the MPLS CE router learns an alternate path to the remote site via the distribution layer (EIGRP route)
    Topology: MPLS A link to Remote Site 10.5.48.0/21 down; DMVPN 1 path (EIGRP (200)) carries the traffic
  • 24. WAN Dual-Path Route Preference: Is Route Control Needed? Yes.
    WAN Distribution Layer: D EX 10.5.48.0/21 [170/xxxx] via 10.4.32.18
    MPLS CE Router: D EX 10.5.48.0/21 [170/xxxx] via 10.4.32.1
    • After link restore, the MPLS CE router receives a BGP advertisement for the remote-site route: B 10.5.48.0/21 [20/0] via 192.168.3.2
    • Does the BGP route get (re)installed in the route table? No. The EIGRP route from the distribution layer remains in the table.
  • 25. WAN Dual-Path Route Preference: Route Control Is Needed
      CE-1#show ip bgp 10.5.48.0 255.255.248.0
      BGP routing table entry for 10.5.48.0/21, version 1293
      Paths: (3 available, best #3, table default)
        Advertised to update-groups:
           4          5
        65401 65401, (aggregated by 65511 10.5.48.254)          <- eBGP route (no weight defined)
          192.168.3.2 from 192.168.3.2 (192.168.100.3)
            Origin IGP, localpref 100, valid, external, atomic-aggregate
        Local
          10.4.32.1 from 0.0.0.0 (10.4.32.1)
            Origin incomplete, metric 3584, localpref 100, weight 32768, valid, sourced, best
     The remote-site route is redistributed into BGP with weight = 32768
     After the link is restored, the distribution layer route remains in the table due to the BGP weight
     Routes from the distribution layer should be blocked
     This also protects from other “backdoor” and routing loop conditions
    Topology: WAN Distribution Layer; MPLS CE Router (EIGRP and BGP, eBGP to MPLS A AS 65401); DMVPN Hub Router (EIGRP (200) over DMVPN 1); Remote Site 10.5.48.0/21
  • 26. Best Practice: Route Tag and Filter
    • Routes are implicitly tagged with the carrier AS when redistributed from eBGP to EIGRP
    • Configure explicit tags for other routing protocol sources
    • Use a route-map to block re-learning of WAN routes via the distribution layer (MPLS routes are already known via iBGP)
    EIGRP routes from the distribution layer (MPLS CE router configuration):
      router eigrp 100
       distribute-list route-map BLOCK-TAGGED-ROUTES in
       default-metric [BW] 100 255 1 1500
       redistribute bgp 65511
      !
      route-map BLOCK-TAGGED-ROUTES deny 10
       match tag 65401 65402
      route-map BLOCK-TAGGED-ROUTES permit 20
    Topology: Campus/Data Center; two MPLS CE routers with iBGP between them; MPLS A (AS 65401), MPLS B (AS 65402)
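The behaviour described on slides 24 to 26, as an added example that is not the deck's own code: a Python model of why the prefix re-learned from the distribution layer stays best in CE-1's BGP table (a locally sourced path with weight 32768 beats a received eBGP path with no weight) and how the inbound distribute-list that drops tagged routes removes it. The addresses, the 65401/65402 tags and the weight value are from the slides; the numeric DMVPN tag (65599) and the function names are constructed for this example.

```python
from dataclasses import dataclass

CARRIER_AS = {65401, 65402}          # implicit tags on eBGP routes redistributed into EIGRP
DMVPN_TAG = 65599                    # constructed explicit tag for DMVPN-learned routes
BLOCKED_TAGS = CARRIER_AS | {DMVPN_TAG}   # slide 27: MPLS CE blocks MPLS-A, MPLS-B and DMVPN


@dataclass(frozen=True)
class EigrpRoute:
    prefix: str
    next_hop: str
    tag: int = 0


@dataclass(frozen=True)
class BgpPath:
    prefix: str
    next_hop: str
    weight: int              # 32768 = locally sourced; 0 = received ("no weight defined")
    as_path: tuple = ()
    origin: str = "i"        # i (IGP), e (EGP), ? (incomplete, i.e. redistributed)
    local_pref: int = 100


def distribute_list_in(routes):
    """'distribute-list route-map BLOCK-TAGGED-ROUTES in' on the CE's EIGRP 100:
    deny the tagged routes, permit everything else."""
    return [r for r in routes if r.tag not in BLOCKED_TAGS]


def redistribute_eigrp_into_bgp(routes):
    """Locally sourced BGP paths: weight 32768, empty AS path, origin incomplete."""
    return [BgpPath(r.prefix, r.next_hop, weight=32768, origin="?") for r in routes]


def bgp_best_path(paths):
    """Leading steps of IOS best-path selection: highest weight, highest local
    preference, shortest AS path, lowest origin code (i < e < ?)."""
    rank = {"i": 0, "e": 1, "?": 2}
    return max(paths, key=lambda p: (p.weight, p.local_pref,
                                     -len(p.as_path), -rank[p.origin]))


def ce1_after_link_restore(filter_enabled: bool) -> BgpPath:
    """What CE-1 picks for 10.5.48.0/21 once the carrier advertisement returns."""
    from_carrier = BgpPath("10.5.48.0/21", "192.168.3.2", weight=0,
                           as_path=(65401, 65401), origin="i")
    # During the outage CE-1 learned the prefix from the distribution layer,
    # where the DMVPN hub had redistributed it into EIGRP 100 with the DMVPN tag.
    learned_in_outage = [EigrpRoute("10.5.48.0/21", "10.4.32.1", tag=DMVPN_TAG)]
    if filter_enabled:
        learned_in_outage = distribute_list_in(learned_in_outage)
    return bgp_best_path([from_carrier] + redistribute_eigrp_into_bgp(learned_in_outage))


if __name__ == "__main__":
    for enabled in (False, True):
        best = ce1_after_link_restore(enabled)
        print(f"filter {'on ' if enabled else 'off'}: best path via {best.next_hop} "
              f"weight {best.weight} origin {best.origin}")
```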
  • 27. WAN-Aggregation Mutual Route Redistribution

    WAN-Aggregation Router | From WAN towards Core/Distribution            | From Core/Distribution towards WAN (Redistribute EIGRP 100)
    -----------------------|-----------------------------------------------|------------------------------------------------------------
    MPLS A CE              | Redistribute BGP; Implicit tag: MPLS-A        | Block: MPLS-A, MPLS-B, DMVPN
    MPLS B CE              | Redistribute BGP; Implicit tag: MPLS-B        | Block: MPLS-A, MPLS-B, DMVPN
    Layer 2 WAN CE         | Redistribute EIGRP; Explicit tag: Layer 2 WAN | Block: DMVPN
    DMVPN 1 Hub            | Redistribute EIGRP; Explicit tag: DMVPN       | Accept: Any
    DMVPN 2 Hub            | Redistribute EIGRP; Explicit tag: DMVPN       | Accept: Any

    Topology as on slide 22: WAN Distribution Layer (EIGRP); DMVPN Hub Routers (EIGRP (200) over DMVPN 1, EIGRP (201) over DMVPN 2 via the Internet Edge, ISP A / ISP B, default route); MPLS CE Routers (iBGP between them, eBGP to MPLS A and MPLS B); Layer 2 WAN CE Router (EIGRP (300))
  • 28. WAN Remote-Site Routing: Single-Router, Single-Link, Access Layer Only (MPLS VPN, eBGP)
    Only requires a single WAN facing routing protocol process (BGP summary)
      router bgp 65511
       bgp router-id 10.5.56.254
       network 10.5.60.0 mask 255.255.255.0            ! wired/wireless data subnets
       network 10.5.61.0 mask 255.255.255.0
       network 192.168.3.28 mask 255.255.255.252
       aggregate-address 10.5.56.0 255.255.248.0 summary-only
       neighbor 192.168.3.30 remote-as 65401
       no auto-summary
  • 29. WAN Remote-Site Routing: Single-Router, Single-Link, Access Layer Only (DMVPN with EIGRP (200) summary, or Layer 2 WAN with EIGRP (300) summary)
    Only requires a single WAN facing routing protocol process; Layer 2 WAN example:
      router eigrp 300
       network 10.4.38.0 0.0.0.255
       network 10.5.0.0 0.0.255.255                    ! includes all remote-site networks
       passive-interface default
       no passive-interface GigabitEthernet0/0.38       ! Layer 2 WAN interface
       eigrp router-id 10.5.144.254
       eigrp stub connected summary
      !
      interface GigabitEthernet0/0.38
       ip summary-address eigrp 300 10.5.144.0 255.255.248.0
  • 30. WAN Remote-Site Routing: Single-Router, Dual-Link, Access Layer Only (MPLS VPN primary, DMVPN over Internet with EIGRP (200) backup)
    Requires two separate WAN facing routing protocol processes
    BGP summary (MPLS VPN):
      router bgp 65511
       bgp router-id 10.5.40.254
       network 10.5.44.0 mask 255.255.255.0
       network 10.5.45.0 mask 255.255.255.0
       network 192.168.3.20 mask 255.255.255.252
       aggregate-address 10.5.40.0 255.255.248.0 summary-only
       neighbor 192.168.3.22 remote-as 65401
       no auto-summary
    EIGRP summary (DMVPN):
      router eigrp 200
       network 10.4.34.0 0.0.1.255
       network 10.5.0.0 0.0.255.255
       passive-interface default
       no passive-interface Tunnel10
       eigrp router-id 10.5.40.254
       eigrp stub connected summary
      !
      interface Tunnel10
       ip summary-address eigrp 200 10.5.40.0 255.255.248.0
  • 31. WAN Remote-Site Routing: Single-Router, Dual-Link, Access Layer Only (other combinations)
    Requires two separate WAN facing routing protocol processes (except for dual-MPLS)
    MPLS VPN A + MPLS VPN B: BGP summary on both links
    DMVPN-1 (EIGRP (200)) + DMVPN-2 (EIGRP (201)) over the Internet: EIGRP summary on both tunnels
    Layer 2 (EIGRP (300)) + Internet DMVPN (EIGRP (200)): EIGRP summaries on both links
  • 32. WAN Remote-Site Routing: Dual-Router, Dual-Link, Access Layer Only (MPLS VPN + DMVPN over Internet)
    Requires separate WAN and LAN facing routing protocol processes
    One-way route redistribution is required; summary routes make two-way redistribution unnecessary
    R1 (MPLS VPN, eBGP, BGP summary; one-way redistribution BGP into EIGRP (100)):
      router eigrp 100
       default-metric 100000 100 255 1 1500
       network 10.5.0.0 0.0.255.255
       redistribute bgp 65511
       passive-interface default
       no passive-interface GigabitEthernet0/1.99      ! transit network
       eigrp router-id 10.5.48.254
    R2 (DMVPN, EIGRP (200), EIGRP summary; one-way redistribution EIGRP 200 into EIGRP (100)):
      router eigrp 100
       network 10.5.0.0 0.0.255.255
       redistribute eigrp 200
       passive-interface default
       no passive-interface GigabitEthernet0/1.99      ! transit network
       eigrp router-id 10.5.48.253
  • 33. WAN Remote-Site Routing: Dual-Router, Dual-Link, Access Layer Only (other combinations)
    Requires separate WAN and LAN facing routing protocol processes
    MPLS VPN A + MPLS VPN B: eBGP and BGP summary on each router, iBGP between the routers, EIGRP (100) on the LAN
    DMVPN-1 + DMVPN-2 over the Internet: EIGRP (200) and EIGRP (201) summaries, EIGRP (100) on the LAN
    Layer 2 + Internet DMVPN: EIGRP (300) and EIGRP (200) summaries, EIGRP (100) on the LAN
  • 34. WAN Remote-Site Routing: Distribution/Access Layer
    Requires separate WAN and LAN facing routing protocol processes
    WAN EIGRP is either DMVPN (200/201) or Layer 2 WAN (300); EIGRP/BGP summaries toward the WAN; EIGRP (100) toward the distribution layer
    Single router: 802.1q trunk (50); Vlan50 – router 1 link
    Dual router: 802.1q trunk (50,99), 802.1q trunk (54,99); Vlan50 – router 1 link, Vlan54 – router 2 link, Vlan99 – transit
    Access: 802.1q trunk (100-101), 802.1q trunk (102-103)
  • 35. Best Practice: Implement AS-Path Filter to Prevent a Remote Site from Becoming a Transit Network
    • Dual carrier sites can unintentionally become a transit network during a network failure event, causing network congestion due to transit traffic
    • Design the network so that a transit path between two carriers only occurs at sites with enough bandwidth
    • Implement an AS-Path filter to allow only locally originated routes to be advertised in the outbound updates for branches that should not be transit
    Topology: Campus; MPLS A and MPLS B; R1 and R2 with iBGP between them; site networks A and B
      router bgp 65511
       neighbor 192.168.4.10 route-map NO-TRANSIT-AS out
      !
      ip as-path access-list 10 permit ^$
      !
      route-map NO-TRANSIT-AS permit 10
       match as-path 10
  • 36. Best Practice: Stub Routing to Improve Network Stability and Prevent a Transit Site
    • The stub routing feature improves network stability, reduces resource utilization, and simplifies stub router configuration. Use it at all remote sites.
    • Implement stub routing to allow only locally originated routes to be advertised in the outbound updates for dual-router sites that should not be transit
    Topology: Campus; VPLS/DMVPN and DMVPN transports (EIGRP); site networks A and B
      router eigrp 200
       eigrp stub connected summary
  • 37. WAN Remote-Site Loopback Routing: Initial Approach – Loopbacks within Summary Route (1)
    Summaries are advertised via both links, but the best path is via the primary. When the primary link is operational both loopbacks are reachable via the primary link.
    R1 (MPLS VPN, eBGP, BGP summary):
      interface Loopback0
       ip address 10.5.48.254 255.255.255.255
      router bgp 65511
       bgp router-id 10.5.48.254
       network 10.5.52.0 mask 255.255.255.0
       network 10.5.53.0 mask 255.255.255.0
       network 192.168.3.20 mask 255.255.255.252
       aggregate-address 10.5.48.0 255.255.248.0 summary-only
       neighbor 192.168.3.22 remote-as 65401
       no auto-summary
    R2 (DMVPN over Internet, EIGRP (200), EIGRP summary; EIGRP (100) between R1 and R2):
      interface Loopback0
       ip address 10.5.48.253 255.255.255.255
      router eigrp 200
       network 10.4.34.0 0.0.1.255
       network 10.5.0.0 0.0.255.255
       passive-interface default
       no passive-interface Tunnel10
       eigrp router-id 10.5.48.253
       eigrp stub connected summary
      !
      interface Tunnel10
       ip summary-address eigrp 200 10.5.48.0 255.255.248.0
  • 38. (diagram only)
  • 39. (diagram only)
  • 40. (diagram only)
  • 41. WAN Remote-Site Loopback Routing: BGP Configuration for Single-Router (MPLS VPN, eBGP)
      interface Loopback0
       ip address 10.255.251.204 255.255.255.255
      router bgp 65511
       bgp router-id 10.255.251.204
       network 10.255.251.204 mask 255.255.255.255      ! loopback
       neighbor 192.168.3.30 remote-as 65401
  • 42. WAN Remote-Site Loopback Routing: EIGRP Configuration for Single-Router (DMVPN over Internet, EIGRP (200))
      interface Loopback0
       ip address 10.255.253.205 255.255.255.255
      router eigrp 200
       network 10.255.0.0 0.0.255.255                  ! all loopbacks
       eigrp router-id 10.255.253.205
  • 43. WAN Remote-Site Loopback Routing: Configuration for Single-Router (MPLS with DMVPN Backup, EIGRP (200))
    Choose the loopback from the address block of the primary link for a single-router, dual-link remote site
      interface Loopback0
       ip address 10.255.251.201 255.255.255.255
      router bgp 65511
       bgp router-id 10.255.251.201
       network 10.255.251.201 mask 255.255.255.255      ! loopback
       neighbor 192.168.3.22 remote-as 65401
      router eigrp 200
       network 10.255.0.0 0.0.255.255                  ! all loopbacks
       eigrp router-id 10.255.251.201
  • 44. WAN Remote-Site Loopback Routing: Configuration for Dual-Router (MPLS with DMVPN Backup)
    Uses the LAN facing routing protocol process to advertise the R2 loopback to R1 (and the R1 loopback to R2)
    R1 (MPLS VPN, eBGP; EIGRP (100) toward R2):
      interface Loopback0
       ip address 10.255.251.203 255.255.255.255
      router eigrp 100
       network 10.255.0.0 0.0.255.255
       eigrp router-id 10.255.251.203
    R2 (DMVPN over Internet, EIGRP (200); EIGRP (100) toward R1):
      interface Loopback0
       ip address 10.255.253.203 255.255.255.255
      router eigrp 100
       network 10.255.0.0 0.0.255.255
       eigrp router-id 10.5.253.203
  • 45. WAN Remote-Site Loopback Routing (continued): Configuration for Dual-Router (MPLS with DMVPN Backup)
    R1 (MPLS VPN, eBGP): both loopbacks need to be explicitly listed in the BGP configuration.
      router bgp 65511
       bgp router-id 10.255.251.203
       network 10.255.251.203 mask 255.255.255.255
       network 10.255.253.203 mask 255.255.255.255
    R2 (DMVPN over Internet, EIGRP (200)): two-way redistribution is required for the EIGRP WAN routing protocol (on R2). Only the loopback addresses should be redistributed from LAN to WAN.
      router eigrp 200                                  ! WAN-facing EIGRP process on R2
       network 10.255.0.0 0.0.255.255
       redistribute eigrp 100 route-map LOOPBACK-ONLY   ! LAN process (EIGRP 100) into the WAN process
       eigrp router-id 10.255.253.203
       eigrp stub connected summary redistributed
      !
      ip access-list standard R1-LOOPBACK
       permit 10.255.251.203
      !
      route-map LOOPBACK-ONLY permit 10
       match ip address R1-LOOPBACK
  • 46. DMVPN Deployment Considerations: How to Accommodate Multiple Default Routes for a VPN Hub Router
    • The VPN hub has a default route to the ASA firewall’s VPN-DMZ interface to reach the Internet
    • Remote site policy requires centralized Internet access
    • Enable EIGRP between the VPN headend and the Campus core to propagate the default to remote sites
    • The static default (admin dist = 1) remains active
    • User traffic from remote sites is forwarded to VPN-DMZ (wrong firewall interface for user traffic)
    • Adjust admin distances to allow the EIGRP default route (to core)
    • The VPN tunnel drops
    Topology: Internet Edge Block with INSIDE, VPN-DMZ and OUTSIDE interfaces, default routes toward the Internet; DMVPN Hub; DMVPN spoke
  • 47. DMVPN Deployment over Internet: No Split Tunneling at Remote-Site Location
     The VRF INET-PUBLIC contains the default route to the VPN-DMZ interface needed for tunnel establishment
     Enable Front-Door VRF (FVRF) with DMVPN to permit two default routes
     A 2nd default route exists in the Global Routing Table, used by user traffic to reach the Internet
     To enforce centralized tunneling the default route is advertised to the spokes via the tunnel
     The spoke’s tunnel drops due to the conflict between that default route and the one learned from the ISP
    Topology: Internet Edge Block with INSIDE, VPN-DMZ and OUTSIDE interfaces; EIGRP default; VRF: INET-PUBLIC on the hub and the spoke
  • 48. Best Practice: VRF-Aware DMVPN – Keeping the Default Routes in Separate VRFs
    • Enable FVRF DMVPN on the spokes
    • Allow the ISP-learned default route in the VRF INET-PUBLIC and use it for tunnel establishment
    • The global VRF contains the default route learned via the tunnel. User data traffic follows the tunnel to the INSIDE interface on the firewall
    • Allows for consistent implementation of corporate security policy for all users
    Topology: Internet Edge Block with INSIDE, VPN-DMZ and OUTSIDE interfaces; EIGRP default; VRF: INET-PUBLIC on the hub and the spoke
  • 49. Avoid Fragmentation when Tunneling GRE+IPsec
    Diagram: remote site MTU 1500, tunnel MTU 1400, hub MTU 1500

    Tunnel Setting (esp-aes 256 esp-sha-hmac)   Maximum MTU   Recommended MTU
    GRE/IPsec (Tunnel Mode)                      1414 bytes    1400 bytes
    GRE/IPsec (Transport Mode)                   1434 bytes    1400 bytes

    • IP fragmentation causes CPU and memory overhead and results in lower throughput
    • When one fragment of a datagram is dropped, the entire original IP datagram has to be resent
    • Use ‘mode transport’ on the transform-set
      ‒ NHRP requires this for NAT support and it saves 20 bytes of overhead
    • Avoid MTU issues with the following best practices
      ‒ ip mtu 1400 (WAN facing interface or tunnel)
      ‒ ip tcp adjust-mss 1360 (WAN facing interface or tunnel)
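The MTU figures in the table above, reproduced by computation as an added example that is not part of the Cisco deck. It assumes plain GRE (4-byte header, no key or sequence options) and ESP with esp-aes 256 / esp-sha-hmac, i.e. an 8-byte ESP header, 16-byte IV, 16-byte cipher blocks, a 2-byte pad-length/next-header trailer and a 12-byte ICV; function names are this example's own.

```python
IP_HDR = 20
GRE_HDR = 4            # plain GRE: no key, sequence or checksum fields
ESP_HDR = 8            # SPI + sequence number
AES_IV = 16
AES_BLOCK = 16         # encrypted payload is padded to a multiple of the block size
ESP_TRAILER = 2        # pad length + next header
SHA1_ICV = 12          # esp-sha-hmac: HMAC-SHA1 truncated to 96 bits
TCP_HDR = 20


def pad_to_block(length: int, block: int = AES_BLOCK) -> int:
    """Round up to the next cipher block boundary."""
    return -(-length // block) * block


def encapsulated_size(payload: int, transport_mode: bool) -> int:
    """Bytes on the wire for an inner IP packet of `payload` bytes after GRE + ESP.

    Tunnel mode encrypts the whole GRE packet (delivery IP + GRE + payload)
    and prepends a new outer IP header; transport mode inserts ESP between
    the GRE delivery header and the GRE header, saving one 20-byte header.
    """
    if transport_mode:
        protected = pad_to_block(GRE_HDR + payload + ESP_TRAILER)
    else:
        protected = pad_to_block(IP_HDR + GRE_HDR + payload + ESP_TRAILER)
    return IP_HDR + ESP_HDR + AES_IV + protected + SHA1_ICV


def needs_fragmentation(payload: int, transport_mode: bool, link_mtu: int = 1500) -> bool:
    return encapsulated_size(payload, transport_mode) > link_mtu


def max_inner_mtu(link_mtu: int = 1500, transport_mode: bool = False) -> int:
    """Largest inner packet whose encapsulated size still fits the link MTU."""
    size = link_mtu
    while needs_fragmentation(size, transport_mode, link_mtu):
        size -= 1
    return size


def tcp_mss_for(ip_mtu: int) -> int:
    """MSS that keeps a full TCP segment inside the given IP MTU."""
    return ip_mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    for mode, transport in (("tunnel", False), ("transport", True)):
        print(f"GRE/IPsec {mode:9s} mode: max inner MTU {max_inner_mtu(1500, transport)} bytes")
    print(f"ip mtu 1400 -> ip tcp adjust-mss {tcp_mss_for(1400)}")
    print(f"1500-byte packet fragments in tunnel mode: {needs_fragmentation(1500, False)}")
```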
  • 50. Remote-Site with 3G or 4G/LTE Wireless WAN Best Practice Uses Dialer Interface 3G/GSM Select 3G or 4G Technology Option 4G/LTE 3G/CDMA VPN Tunnel 1. GSM Specific Remote Site Router Configuration 3G/4G Wireless WAN 1. CDMA Specific Remote Site Router Configuration 1. LTE Specific Remote Site Router Configuration 1. Finish the WAN Router Universal Configuration 2. Configure VRF Lite 3. Configure the Cellular Interface 4. Configure the Dialer interface 5. Configure VRF-Specific Default Routing 6. Apply the Access List 7. Configure ISAKMP and IPSec 8. Configure mGRE Tunnel 9. Configure EIGRP 10. Configure IP Multicast Dialer1 The dialer interface provides a consistent method of configuration regardless of the chosen wireless technology. BRKRST-2040 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
  • 51. Wireless WAN with 3G (GSM and CDMA) Two PPP Encapsulation Methods CDMA Example chat-script CDMA "" "ATDT#777" TIMEOUT 30 "CONNECT" interface Cellular0/0/0 bandwidth 1800 no ip address encapsulation ppp dialer in-band dialer pool-member 1 no peer default ip address async mode interactive no ppp lcp fast-start ! interface Dialer1 bandwidth 1800 ip vrf forwarding INET-PUBLIC ip address negotiated ip access-group ACL-INET-PUBLIC in encapsulation ppp dialer pool 1 dialer idle-timeout 0 dialer string CDMA dialer persistent ppp ipcp address accept ! line 0/0/0 script dialer CDMA modem InOut no exec GSM Example chat-script GSM "" "ATDT*98*1#" TIMEOUT 30 "CONNECT“ ! interface Cellular0/0/0 bandwidth 384 no ip address encapsulation ppp dialer in-band dialer pool-member 1 no peer default ip address async mode interactive no ppp lcp fast-start ! interface Dialer1 bandwidth 384 ip vrf forwarding INET-PUBLIC ip address negotiated ip access-group ACL-INET-PUBLIC in encapsulation ppp dialer pool 1 dialer idle-timeout 0 dialer string GSM dialer persistent no ppp lcp fast-start ppp chap hostname ISP@CINGULARGPRS.COM ppp chap password 7 02252D752C3323007E1F ppp ipcp address accept ppp timeout retry 120 ppp timeout ncp 30 ! line 0/0/0 script dialer GSM modem InOut no exec Router with GSM must also create a profile R1# cellular 0/0/0 gsm profile create 1 isp.cingular chap ISP@CINGULARGPRS.COM CINGULAR1 BRKRST-2040 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
• 52. Wireless WAN with 4G/LTE
  Direct IP Encapsulation Instead of PPP
  Diagram: R1 (Ce0/0/0) -> 3G/4G Wireless WAN -> VPN Tunnel; Vlan64 - data; No HSRP Required
  LTE recovery script recommended

  R1#
    chat-script LTE "" "AT!CALL1" TIMEOUT 20 "OK"
    !
    interface Cellular0/0/0
     bandwidth 2000
     no ip address
     encapsulation slip
     dialer in-band
     dialer pool-member 1
     no peer default ip address
     async mode interactive
    !
    interface Dialer1
     bandwidth 2000
     ip vrf forwarding INET-PUBLIC
     ip address negotiated
     ip access-group ACL-INET-PUBLIC in
     encapsulation slip
     dialer pool 1
     dialer idle-timeout 0
     dialer string LTE
     dialer persistent
    !
    line 0/0/0
     script dialer LTE
     modem InOut
     no exec

   Direct IP requires the SLIP encapsulation keyword
   No PPP authentication parameters required
   No profile required
• 53. Wireless WAN with 3G/4G Backup
  Enhanced Object Tracking (EOT) with EEM Scripts
  Diagram: IP SLA Probe; R1 (Ce0/0/0) -> 3G/4G Wireless WAN; Vlan64 - data; No HSRP Required

  R1#
    ip sla 100
     icmp-echo 192.168.3.26 source-interface GigabitEthernet0/0
     timeout 1000
     threshold 1000
     frequency 15
    ip sla schedule 100 life forever start-time now
    !
    track 60 ip sla 100 reachability
    !
    event manager applet ACTIVATE-3G
     event track 60 state down
     action 1 cli command "enable"
     action 2 cli command "configure terminal"
     action 3 cli command "interface cellular0/0/0"
     action 4 cli command "no shutdown"
     action 5 cli command "end"
     action 99 syslog msg "Activating 3G interface"

  Note: This method is also compatible with a dual router design (probes are sent from R2)

  Console output when the track goes down:
    R1#
    14:22:14: %TRACKING-5-STATE: 60 ip sla 100 reachability Up->Down
    14:22:14: %SYS-5-CONFIG_I: Configured from console by on vty0(EEM:ACTIVATE-3G)
    14:22:14: %HA_EM-6-LOG: ACTIVATE-3G: Activating 3G interface
    14:22:34: %LINK-3-UPDOWN: Interface Cellular0/0/0, changed state to up
    14:22:34: %DIALER-6-BIND: Interface Ce0/0/0 bound to profile Di1
    14:22:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0/0/0, changed state to up
    14:22:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel10, changed state to up
    14:22:40: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
    14:22:42: %DUAL-5-NBRCHANGE: EIGRP-IPv4 200: Neighbor 10.4.34.1 (Tunnel11) is up: new adjacency
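The console output on this slide is the sequence a healthy 3G/4G failover produces. As an added example that is not part of the deck or the SBA guide, the Python script below parses those syslog lines and checks that each stage, from the track going down to the EIGRP adjacency forming over the tunnel, appears in order, and reports how far an incomplete failover got; the sample log is the slide's own output embedded inline, and the regex assumes the IOS %FACILITY-SEVERITY-MNEMONIC message format.

```python
import re
from datetime import datetime

# Constructed sample: the syslog lines shown on the slide, re-paired with their timestamps.
SAMPLE_LOG = """\
14:22:14: %TRACKING-5-STATE: 60 ip sla 100 reachability Up->Down
14:22:14: %SYS-5-CONFIG_I: Configured from console by on vty0(EEM:ACTIVATE-3G)
14:22:14: %HA_EM-6-LOG: ACTIVATE-3G: Activating 3G interface
14:22:34: %LINK-3-UPDOWN: Interface Cellular0/0/0, changed state to up
14:22:34: %DIALER-6-BIND: Interface Ce0/0/0 bound to profile Di1
14:22:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0/0/0, changed state to up
14:22:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel10, changed state to up
14:22:40: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
14:22:42: %DUAL-5-NBRCHANGE: EIGRP-IPv4 200: Neighbor 10.4.34.1 (Tunnel11) is up: new adjacency
"""
# IOS syslog shape assumed here: <hh:mm:ss>: %FACILITY-SEVERITY-MNEMONIC: message
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}): %(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mn>[A-Z_]+): (?P<msg>.*)$")

# Stages a healthy failover passes through, in order: (facility, mnemonic, text the message must contain)
STAGES = [
    ("TRACKING", "STATE", "Up->Down"),                              # EOT saw the IP SLA probe fail
    ("HA_EM", "LOG", "Activating 3G interface"),                    # applet ACTIVATE-3G ran
    ("LINEPROTO", "UPDOWN", "Cellular0/0/0, changed state to up"),  # cellular link came up
    ("CRYPTO", "ISAKMP_ON_OFF", "ISAKMP is ON"),                    # DMVPN tunnel negotiating
    ("DUAL", "NBRCHANGE", "is up: new adjacency"),                  # EIGRP over the tunnel is up
]

def parse_log(text):
    """Return (timestamp, facility, mnemonic, message) tuples; lines that are not syslog are skipped."""
    return [(m["ts"], m["fac"], m["mn"], m["msg"])
            for m in map(LINE_RE.match, text.splitlines()) if m]

def check_failover(events):
    """Match STAGES strictly in order. Returns (complete, stages_reached, seconds_first_to_last)."""
    reached, first, last, idx = [], None, None, 0
    for ts, fac, mn, msg in events:
        if idx == len(STAGES):
            break
        efac, emn, text = STAGES[idx]
        if fac == efac and mn == emn and text in msg:
            reached.append(f"{fac}-{mn}")
            first, last, idx = first or ts, ts, idx + 1
    secs = None
    if first is not None:
        delta = datetime.strptime(last, "%H:%M:%S") - datetime.strptime(first, "%H:%M:%S")
        secs = int(delta.total_seconds())
    return idx == len(STAGES), reached, secs
```

On the slide's log the check completes in 28 seconds; feeding it a log that stops after the cellular link comes up returns an incomplete result listing only the first three stages.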
• 54. Wireless WAN with 3G/4G Only Link
  Time Based Connection with EEM Scripts
  Diagram: R1 (Ce0/0/0) -> 3G/4G Wireless WAN -> VPN Tunnel; Vlan64 - data; No HSRP Required

  R1#
    event manager applet TIME-OF-DAY-ACTIVATE-3G
     event timer cron cron-entry "45 4 * * 1-5"
     action 1 cli command "enable"
     action 2 cli command "configure terminal"
     action 3 cli command "interface cellular0/0/0"
     action 4 cli command "no shutdown"
     action 5 cli command "end"
     action 99 syslog msg "M-F @ 4:45AM Activating 3G interface"
    !
    event manager applet TIME-OF-DAY-DEACTIVATE-3G
     event timer cron cron-entry "15 18 * * 1-5"
     action 1 cli command "enable"
     action 2 cli command "configure terminal"
     action 3 cli command "interface cellular0/0/0"
     action 4 cli command "shutdown"
     action 5 cli command "end"
     action 99 syslog msg "M-F @ 6:15PM Deactivating 3G interface"

   Limit connection time to reduce usage charges
   EEM scripts leverage CRON
   Additional scripting or enhancements can allow for manual override for weekend or after-hours use.
• 55. WAN Quality of Service
  Defining SBA QoS Classes of Services

  | Class of Service  | Traffic Type                                                                 | DSCP Value(s) | Bandwidth (%) | Congestion Avoidance |
  | VOICE             | Voice traffic                                                                | ef            | 10 (PQ)       |                      |
  | INTERACTIVE-VIDEO | Interactive video (video conferencing)                                       | cs4 af41      | 23 (PQ)       |                      |
  | CRITICAL-DATA     | Highly interactive (such as Telnet, Citrix, and Oracle thin clients)         | cs3 af31      | 15            | DSCP based           |
  | DATA              | Data                                                                         | af21          | 19            | DSCP based           |
  | SCAVENGER         | Scavenger                                                                    | cs1 af11      | 5             |                      |
  | NETWORK-CRITICAL  | Routing protocols. Operations, administration and maintenance (OAM) traffic. | cs2 cs6       | 3             |                      |
  | class-default     | Best effort                                                                  | other         | 25            | random               |

  All WAN routers:
    class-map match-any VOICE
     match dscp ef
    class-map match-any INTERACTIVE-VIDEO
     match dscp cs4 af41
    class-map match-any CRITICAL-DATA
     match dscp cs3 af31
    class-map match-any DATA
     match dscp af21
    class-map match-any SCAVENGER
     match dscp cs1 af11
    class-map match-any NETWORK-CRITICAL
     match dscp cs2 cs6

  For MPLS CE routers:
    class-map match-any BGP-ROUTING
     match protocol bgp
    policy-map MARK-BGP
     class BGP-ROUTING
      set dscp cs6

  For DMVPN routers:
    ip access-list extended ISAKMP
     permit udp any eq isakmp any eq isakmp
    class-map match-any NETWORK-CRITICAL
     match access-group name ISAKMP
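As an added example, not from the deck or the SBA guide, the Python snippet below encodes the class table above, checks that the bandwidth percentages sum to exactly 100 and that no DSCP value is claimed by two classes (a marking matched by two match-any class-maps lands in whichever class the policy evaluates first), and renders the class-maps together with a policy-map. The policy-map body (priority percent for the PQ classes, bandwidth percent for the rest, random-detect where the table lists congestion avoidance) and the policy name WAN are assumptions built from standard IOS MQC keywords, not the SBA policy-map itself.

```python
# Constructed from the slide's table: (class name, DSCP values, bandwidth %, priority queue?, congestion avoidance)
SBA_CLASSES = [
    ("VOICE",             ["ef"],          10, True,  None),
    ("INTERACTIVE-VIDEO", ["cs4", "af41"], 23, True,  None),
    ("CRITICAL-DATA",     ["cs3", "af31"], 15, False, "dscp-based"),
    ("DATA",              ["af21"],        19, False, "dscp-based"),
    ("SCAVENGER",         ["cs1", "af11"],  5, False, None),
    ("NETWORK-CRITICAL",  ["cs2", "cs6"],   3, False, None),
    ("class-default",     [],              25, False, "random"),
]

def validate(classes):
    """Return (ok, total_percent, duplicate_dscp_claims).
    Percentages must sum to exactly 100, and a DSCP value may belong to only one class;
    each duplicate is reported as (dscp, first owner, later claimant)."""
    total = sum(pct for _, _, pct, _, _ in classes)
    owner, dups = {}, []
    for name, dscps, *_ in classes:
        for d in dscps:
            if d in owner:
                dups.append((d, owner[d], name))
            owner.setdefault(d, name)
    return total == 100 and not dups, total, dups

def render_mqc(classes, policy_name="WAN"):
    """Emit the class-maps from the slide plus a policy-map in IOS MQC syntax.
    Assumption: PQ classes get 'priority percent', others 'bandwidth percent';
    'random-detect dscp-based' / 'random-detect' follow the table's congestion-avoidance column."""
    lines = []
    for name, dscps, *_ in classes:
        if dscps:  # class-default needs no class-map
            lines += [f"class-map match-any {name}", f" match dscp {' '.join(dscps)}"]
    lines.append(f"policy-map {policy_name}")
    for name, _, pct, pq, ca in classes:
        lines.append(f" class {name}")
        lines.append(f"  priority percent {pct}" if pq else f"  bandwidth percent {pct}")
        if ca == "dscp-based":
            lines.append("  random-detect dscp-based")
        elif ca == "random":
            lines.append("  random-detect")
    return "\n".join(lines)
```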
• 56. WAN Design and Deployment Using SBA
  Agenda
    • SBA WAN Overview
    • SBA WAN Design Methodology
    • Key Aspects of the Design
    • Summary
• 57. Summary
  • The SBA WAN design methodology allows for either a small or large scale initial deployment.
  • Flexibility is built into the WAN and remote-site design. Adding additional scale, resiliency or capabilities is straightforward.
  • The SBA WAN design uses advanced features and capabilities. Each is documented in a prescriptive manner.
    ‒ Route-maps ensure routing stability
    ‒ F-VRF DMVPN permits spoke-spoke with central tunneling
    ‒ WAAS GRE negotiated return enables shared clusters
    ‒ EEM scripts extend capabilities of EOT