WAN Architectures and Design Principles

27,294 views
27,098 views

Published on

This session features the Borderless Network Architecture with a focus on WAN design and best practices. The Borderless Network architecture offers an end-to-end design approach for Midsize and Enterprise organizations with key areas of focus including resilient IP forwarding, QoS, mobility, security, and turnkey enablement of voice and rich media services. The cornerstones of the BN design approach are real-world use cases, prescriptive design guidance, and modular architectural components. This session will include the specific design considerations and details of the tested topologies.

The Borderless Network WAN session includes a detailed discussion of the head-end WAN edge and remote site design options for up to 500 remote locations. These options include the use of layer 2 and layer 3 WAN transport models, usage of single and dual WAN links, as well as single/dual router edge topologies. Additionally, Internet VPN as both a backup and primary transport option is discussed.

Design guidance will include IP addressing and routing protocol best practices, QoS for the WAN edge, IP multicast enablement, and interconnection/interoperabilty with other Borderless Network design blocks (LAN, Internet Edge) as well as access to the Data Center. Other key WAN technologies which are integral to the design are DMVPN and GETVPN for data privacy as well as Wide Area Application Services (WAAS) and WCCP for bandwidth optimization. The design also includes models for both centralized and distributed remote site wireless providing mobility for both internal users and guest access.

Published in: Technology, Education
2 Comments
18 Likes
Statistics
Notes
  • Hi All, We are planning to start new Salesforce Online batch on this week... If any one interested to attend the demo please register in our website... For this batch we are also provide everyday recorded sessions with Materials. For more information feel free to contact us : siva@keylabstraining.com. For Course Content and Recorded Demo Click Here : http://www.keylabstraining.com/salesforce-online-training-hyderabad-bangalore
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • good
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total views
27,294
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
1,931
Comments
2
Likes
18
Embeds 0
No embeds

No notes for slide

WAN Architectures and Design Principles

  1. 1. WAN Architectures and Design Principles BRKCRS-2041
  2. 2. Cisco Live & Networkers Virtual Special Offer – Save $100 Cisco Live has a well deserved reputation as one the industry’s best educational values. With hundreds of sessions spanning four educational programs — Networkers, Developer Networker, Service Provider, IT Management, you can build a custom curriculum that can make you a more valuable asset to your workplace and advance your career goals. Cisco Live and Networkers Virtual immerses you in all facets of Cisco Live, from participating in live keynotes and Super Sessions events to accessing session content to networking with your peers. Visit www.ciscolivevirtual.com and register for Cisco Live and Networkers Virtual. To get $100 USD off the Premier pass, which provides access to hundreds of technical sessions, enter “slideshareFY11”. Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
  3. 3. Agenda WAN Technologies & Solutions WAN Transport Technologies WAN Overlay Technologies WAN Optimization Wide Area Network Quality of Service WAN Architecture Design Considerations Secure WAN Communication with GETVPN Internet Backup Connectivity with DMVPN WCCP Implementation Consideration Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
  4. 4. WAN Transport Technologies Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
  5. 5. Hierarchical Network Design Core Data Center /HQ Regional Regional Distribution hub hub Access Spoke Spoke Spoke Spoke Site 1 ... Site N Site 1’ ... Site N’ Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
  6. 6. MPLS VPN Topology Definition Spoke Site 1 Spoke Spoke Site 2 Site Y Hub Site (The Network) SP-Provided Equivalent to MPLS IP WAN Spoke Spoke Spoke Spoke Spoke Spoke Spoke Site 1 Site 2 Site X Site Y Site N Site X Site N MPLS WAN is provided by a service provider As seen by the enterprise network, every site is one IP “hop” away Equivalent to a full mesh, or to a “hubless” hub-and-spoke Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
  7. 7. MPLS VPN Layer 3 (L3) Service local loop CE PE PE CE Direct Layer 2 Adjacencies Only Between CE and PE Routers ! PE Router – Multiple VRFs ip vrf blue rd 65100:10 route-target import 65100:10 VRF route-target export 65100:10 VRF ip vrf yellow Global rd 65100:20 route-target import 65100:20 route-target export 65100:20 VRF—Virtual Routing and Forwarding ! interface GigabitEthernet0/1.10 ip vrf forwarding blue interface GigabitEthernet0/1.20 ip vrf forwarding yellow Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
  8. 8. MPLS VPN Design Trends Single Carrier Designs: Enterprise will home all sites into a single carrier to provide L3 MPLS VPN connectivity. Pro: Simpler design with consistent features Con: Bound to single carrier for feature velocity Con: Does not protect against MPLS cloud failure with Single Provider Dual Carrier Designs: Enterprise will single or dual home sites into one or both carriers to provide L3 MPLS VPN connectivity. Pro: Protects against MPLS service failure with Single Provider Pro: Potential business leverage for better competitive pricing Con: Increased design complexity due to Service Implementation Differences (e.g. QoS, BGP AS Topology) Con: Feature differences between providers could force customer to use least common denominator features. Variants of these designs and site connectivity: Encryption Overlay (e.g. IPSec, DMVPN, GET VPN, etc.) Sites with On-demand / Permanent backup links Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
  9. 9. Single Carrier Site Types (Non-Transit) AS 64517 CE5 CE3 CE4 Dual Homed Non Transit Only advertise local prefixes (^$) Typically with Dual CE routers AS 200 BGP design: EBGP to carrier IBGP between CEs Redistribute cloud learned routes CE1 CE2 into site IGP Site IGP Single Homed Non Transit C2 Advertise local prefixes and C1 AS 64512 optionally use default route. Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
  10. 10. Dual Carrier: Transit vs. Non Transit To guarantee single homed site AS 64517 reachability to a dual homed site CE3 CE5 experiencing a failure, transit sites CE4 had to be elected. Transit Transit sites would act as a BGP AS 64545 bridge transiting routes between AS 100 AS 200 the two provider clouds. To minimize latency costs of transits, transits need to be CE1 CE2 Site selected with geographic diversity IGP (e.g. from the East, West and C1 C2 AS 64512 Central US.) Prefix X Prefix Y Prefix Z Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
  11. 11. Single vs. Dual Carriers Single Provider Dual Providers Pro: Common QoS support Pro: More fault domains model Pro: More product offerings to Pro: Only one vendor to “tune” business Pro: Ability to leverage vendors Pro: Reduced head end circuits for better pricing Pro: Nice to have a second Pro: Overall simpler design vendor option Con: Carrier failure could be Con: Increased Bandwidth catastrophic “Paying for bandwidth twice” Con: Do not have another carrier Con: Increased overall design “in your pocket” complexity Con: May be reduced to “common denominator” between carriers Resiliency Drivers vs. Simplicity Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
  12. 12. WAN Overlay Technologies Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
  13. 13. Tunneling Technologies Packet Encapsulation over IP IPSec—Encapsulating Security Payload (ESP) Strong encryption IP Unicast only Tunnels Generic Routing Encapsulation (GRE) IP Unicast, Multicast, Broadcast Multiprotocol support Layer 2 Tunneling Protocol—Version 3 (L2TPv3) Layer 2 payloads (Ethernet, Serial,…) Pseudowire capable Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
  14. 14. GRE Tunneling Original IP datagram (before forwarding) Original IP header IP payload 20 bytes GRE packet with new IP header: protocol 47 (forwarded using new IP dst) New IP header GRE header Original IP header IP payload 20 bytes 4 bytes 20 bytes ! Router A – GRE Example ! Router B – GRE Example interface Loopback 0 interface Loopback 0 ip address 192.168.1.1 255.255.255.255 ip address 192.168.2.2 255.255.255.255 interface Tunnel0 interface Tunnel0 ip address 172.16.1.1 255.255.255.0 ip address 172.16.1.2 255.255.255.0 encapsulation gre encapsulation gre ip mtu 1476 ip mtu 1476 tunnel source Loopback0 tunnel source Loopback0 tunnel dest 192.168.2.2 tunnel dest 192.168.1.1 Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
  15. 15. IPSec ESP Transport and Tunnel Modes IP HDR IP Payload Transport mode 2 bytes ESP ESP IP HDR ESP HDR IP Payload Trailer Auth 30 bytes Encrypted Authenticated Tunnel mode 2 bytes ESP ESP IP HDR ESP HDR IP HDR IP Payload Trailer Auth 20 bytes 54 bytes Encrypted Authenticated Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
  16. 16. This Topic Is Covered in VPN Technology Detail in BRKSEC-2011 Positioning EzVPN, DMVPN, GETVPN Data Center Internet Edge GM GM IPsec IPsec KS KS WAN Edge Internet/ Shared MPLS/Private Network* Network EzVPN Spoke DMVPN DMVPN Spoke Spoke GET GM GET GM GET GM * Note: DMVPN Can Also Be Used on MPLS/Private Network Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
  17. 17. VPN Technology Comparison EzVPN DMVPN GET VPN Infrastructure Public Internet Private & Public Private IP Network Transport Internet Transport Transport Hub-Spoke and Hub-Spoke; Any-to-Any; Network Style Spoke-to-Spoke; (Client to Site) (Site-to-Site) (Site-to-Site) Reverse-route Dynamic routing Dynamic routing Routing Injection on tunnels on IP WAN Route Route Failover Stateful Hub Distribution Distribution Redundancy Crypto Failover Model Model + Stateful Peer-to-Peer Peer-to-Peer Encryption Style Group Protection Protection Protection Multicast Multicast Multicast IP Multicast replication in IP replication at hub replication at hub WAN network Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
  18. 18. Dynamic Multipoint VPN Provides full meshed Secure On-Demand Meshed Tunnels connectivity with simple Hub configuration of hub and spoke Supports dynamically addressed spokes VPN Spoke 1 Facilitates zero-touch configuration for addition of new spokes Spoke n Spoke 2 Features automatic IPsec DMVPN Tunnels triggering for building an Traditional Static Tunnels IPsec tunnel Static Known IP Addresses Dynamic Unknown IP Addresses Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
  19. 19. Network Designs Spoke-to-hub tunnels Spoke-to-spoke path Hub and spoke Spoke-to-spoke Server Load Balancing Hierarchical Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
  20. 20. Dynamic Multipoint VPN (DMVPN) Operational Example Data packet 192.168.0.1/24 10.0.0.11 172.16.1.1 NHRP Redirect 10.0.0.12 172.16.2.1 NHRP Resolution Physical: 172.17.0.1 192.168.0.0/24 Conn. NHRP mapping Tunnel0: 10.0.0.1 192.168.1.0/24 10.0.0.11 192.168.2.0/24 10.0.0.12 CEF FIB Table 10.0.0.11 172.16.1.1 CEF Adjacency 10.0.0.12 172.16.2.1 Physical: 172.16.2.1 (dynamic) Physical: 172.16.1.1 (dynamic) Tunnel0: 10.0.0.12 Tunnel0: 10.0.0.11 Spoke B 192.168.2.1/24 Spoke A 192.168.1.1/24 10.0.0.1 172.17.0.1 10.0.0.1 172.17.0.1 192.168.2.1 ??? 192.168.2.0/24 Conn. 192.168.1.0/24 Conn. 192.168.0.0/16 10.0.0.1 192.168.0.0/16 10.0.0.1 10.0.0.1 172.17.0.1 10.0.0.1 172.17.0.1 Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
  21. 21. Dynamic Multipoint VPN (DMVPN) Operational Example (cont) Data packet 192.168.0.1/24 10.0.0.11 172.16.1.1 NHRP Redirect 10.0.0.12 172.16.2.1 NHRP Resolution Physical: 172.17.0.1 192.168.0.0/24 Conn. NHRP mapping Tunnel0: 10.0.0.1 192.168.1.0/24 10.0.0.11 192.168.2.0/24 10.0.0.12 CEF FIB Table 10.0.0.11 172.16.1.1 CEF Adjacency 10.0.0.12 172.16.2.1 Physical: 172.16.2.1 (dynamic) Physical: 172.16.1.1 (dynamic) Tunnel0: 10.0.0.12 Tunnel0: 10.0.0.11 Spoke B 192.168.2.1/24 Spoke A 192.168.1.1/24 10.0.0.1 172.17.0.1 10.0.0.1 172.17.0.1 10.0.0.11 172.16.1.1 192.168.2.1 ??? 192.168.2.0/24 Conn. 192.168.1.0/24 Conn. 192.168.0.0/16 10.0.0.1 192.168.0.0/16 10.0.0.1 10.0.0.1 172.17.0.1 10.0.0.1 172.17.0.1 10.0.0.11 172.16.1.1 Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
  22. 22. Any-to-Any Encryption Before and After GET VPN Public/Private WAN Private WAN Before: IPSec P2P Tunnels After: Tunnel-Less VPN WAN Multicast Scalability—an issue (N^2 problem) Scalable architecture for any-to-any Overlay routing connectivity and encryption Any-to-any instant connectivity can’t No overlays—native routing be done to scale Any-to-any instant connectivity Limited QoS Enhanced QoS Inefficient Multicast replication Efficient Multicast replication Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
  23. 23. Group Security Functions Routing Member Key Server Forwarding Key Server Replication Validate Group Members Routing Manage Security Policy Create Group Keys Distribute Policy/Keys Group Member Routing Members Group Member Group Group Member Member Encryption Devices Route Between Secure/ Unsecure Regions Group Multicast Participation Member Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
  24. 24. Group Security Elements KS Cooperative Key Servers Group Policy Protocol Key Encryption Key (KEK) Traffic Encryption Key (TEK) Group Member Routing Members Group Member Group Member RFC3547: Group Domain of Interpretation Group (GDOI) Member Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
  25. 25. GETVPN: Innovation— Group Key Technology GM3 GM4 GM2 Step 1: Group Members (GM) GM5 “register” via GDOI (IKE) with the GM1 Key Server (KS) GM6 KS authenticates and authorizes the GM GM9 KS GM8 GM7 KS returns a set of IPsec SAs for the GM to use GM3 GM4 Step 2: Data Plane Encryption GM2 GM exchange encrypted traffic using the GM1 GM5 group keys GM6 The traffic uses IPSec Tunnel Mode with “address preservation” GM9 KS GM8 GM7 Step 3: Periodic Rekey of Keys GM3 GM4 KS pushes out replacement IPsec GM2 keys before current IPsec keys expire; GM5 This is called a “rekey” GM1 GM6 GM9 KS GM8 GM7 Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
  26. 26. WAN Optimization Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
  27. 27. The WAN Is the Barrier to Branch Application Performance Applications are Round Trip Time (RTT) ~ 0mS designed to work LAN well on LAN’s Client Server Switch High bandwidth Low latency Reliability Round Trip Time (RTT) ~ usually measured in milliseconds WANs have opposite characteristics Client LAN Routed Network LAN Server Switch Switch Low bandwidth High latency Packet loss WAN Packet Loss and Latency = Slow Application Performance = Keep and manage servers in branch offices ($$$) Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
  28. 28. TCP Behavior Return to maximum throughput could take a very long time! Packet loss Packet loss Packet loss Packet loss TCP cwnd Slow start Congestion avoidance Time (RTT) Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
  29. 29. WAAS—TCP Performance Improvement Transport Flow Optimization (TFO) overcomes TCP and WAN bottlenecks Shields nodes connections from WAN conditions Clients experience fast acknowledgement Minimize perceived packet loss Eliminate need to use inefficient congestion handling WAN Window Scaling LAN TCP Large Initial Windows LAN TCP Behavior Congestion Mgmt Behavior Improved Retransmit Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
  30. 30. Comparing TCP and Transport Flow Optimization Cisco TFO provides significant throughput improvements over standard TCP implementations TFO cwnd TCP Slow start Congestion avoidance Time (RTT) Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
  31. 31. WAAS Overview DRE and LZ Manage Bandwidth Utilization Data Redundancy Elimination (DRE) provides advanced compression to eliminate redundancy from network flows regardless of application LZ compression provides generic compression for all traffic Origin Connection Origin Connection WAN FILE.DOC Optimized Connection FILE.DOC DRE CACHE DRE CACHE LZ LZ Encode Decode Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
  32. 32. Integrated Branch-WAN Services Example: Delivering Voice over the Network Branch End-to-End Security HQ WAN Optimization for Application Performance VoIP VoIP Additional Scavenger Capacity Scavenger Email VoIP Email Scavenger ERP Email ERP ERP Without Cisco WAAS With Cisco WAAS Without QoS With QoS Route Optimization for Application Performance ISP2 Best Performing Path WAN with PfR ISP1 Performance Best Metric Path Issues/Brown Out WAN Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
  33. 33. Wide Area Network Quality of Service Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
  34. 34. Quality of Service Operations How Does It Work and Essential Elements Classification and Queuing and Post-Queuing Marking Dropping Operations Classification and Marking: The first element to a QoS policy is to classify/identify the traffic that is to be treated differently. Following classification, marking tools can set an attribute of a frame or packet to a specific value. Policing: Determine whether packets are conforming to administratively-defined traffic rates and take action accordingly. Such action could include marking, remarking or dropping a packet. Scheduling (including Queuing and Dropping): Scheduling tools determine how a frame/packet exits a device. Queuing algorithms are activated only when a device is experiencing congestion and are deactivated when the congestion clears. Link Specific Mechanisms (shaping, fragmentation, compression, Tx Ring) Offers network administrators tools to optimize link utilization Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
  35. 35. Enabling QoS in the WAN Traffic Profiles and Requirements Voice Telepresence Data Smooth Bursty Smooth/bursty Benign Greedy Benign/greedy Drop sensitive Drop sensitive Drop insensitive Delay sensitive Delay sensitive Delay insensitive UDP priority UDP priority TCP retransmits Bandwidth per Call IP/VC has the Same Traffic patterns for Depends on Codec, Requirements as Data Vary Among Sampling-Rate, VoIP, but Has Applications and Layer 2 Media Radically Different Traffic Patterns (BW Varies Greatly) Latency ≤ 150 ms Latency ≤ 150 ms Data Classes: Jitter ≤ 30 ms Jitter ≤ 50 ms Mission-Critical Apps Loss ≤ 1% Loss ≤ 0.05% Transactional/Interactive Apps One-Way Requirements One-Way Requirements Bulk Data Apps Best Effort Apps (Default) Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
  36. 36. QoS Considerations Voice vs. Video—At the Packet Level Voice Packets Video Packets 1400 1400 Video Video Video Frame Frame Frame 1000 1000 Bytes 600 Audio 600 Samples 200 200 20 msec Time 33 msec Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
  37. 37. Scheduling Tools LLQ/CBWFQ Subsystems Low Latency Queueing Link Fragmentation Police and Interleave VoIP IP/VC PQ TX Interleave Ring Signaling Packets Packets Critical Out In Fragment Bulk CBWFQ Mgmt FQ Default Layer 3 Queueing Subsystem Layer 2 Queueing Subsystem Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
  38. 38. Traffic Shaping Without Traffic Shaping Line Rate With Traffic Shaping Shaped Rate Traffic Shaping Limits the Transmit Rate to a Value Lower Than Line Rate Policers typically drop traffic Shapers typically delay excess traffic, smoothing bursts and preventing unnecessary drops Very common with Ethernet WAN, as well as Non- Broadcast Multiple-Access (NBMA) network topologies such as Frame-Relay and ATM Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
  39. 39. MPLS VPN QoS Design MPLS VPN Port QoS Roles Campus VPN Block Branch 1 E F F E MPLS VPN E F F E Branch 2 CE Routers PE Routers CE Routers Enterprise Subscriber (Unmanaged CE Routers) E Outbound Policies: Inbound Policies: HQoS Shaper (if required) ≤ 33% + LLQ for VoIP (EF) Trust DSCP of BW + LLQ or CBWFQ for RT-Interactive (CS4) + Remark RTI (if necessary) + Restore RT-Interactive to CS4 (if necessary) + CBWFQ for Signaling (CS3) + Remark Signaling (if necessary) + Restore Signaling to CS3 (if necessary) Service Provider: Outbound Policies: Inbound Policies: F + LLQ for Real-Time Trust DSCP + CBWFQ for Critical Dataits affiliates. All rights reserved. Presentation_ID © 2010 Cisco and/or Police on a per-Class Basis Cisco Public 39
  40. 40. Ethernet WAN QoS Design HQoS Shaping & Queuing Policy and Operation policy-map ACCESS-EDGE policy-map HQoS-50MBPS class VOIP class class-default priority 1000 shape average 50000000 1000000 class REALTIME service-policy ACCESS-EDGE priority 15000 class CALL-SIGNALING bandwidth x Queuing policies will not engage unless the interface is congested class TRANSACTIONAL A shaper will guarantee that traffic will not exceed the contracted rate bandwidth y class BULK-DATA A nested queuing policy will force queuing to engage at the contracted bandwidth z sub-line-rate to prioritize packets prior to shaping class class-default fair-queue 1 Mbps GE Interface VOIP with a sub-line-rate Packets Policer access service 16 Mbps PQ (FIFO Between VOIP and VIDEO) in (e.g. 50 Mbps) Class- 15 Mbps TX REALTIME Based Ring Policer Call-Signaling CBWFQ Shaper Transactional CBWFQ CBWFQ Packets Bulk Data CBWFQ Scheduler out FQ Default Queue Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
  41. 41. WAN Architecture Design Considerations Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
  42. 42. Enterprise WAN Design Best Practices High Availability Design - Multiple/diverse WAN connections SLA - PfR for intelligent path routing of applications Latency and Bandwidth Optimization WAN WAN Transport Branch Aggregation - Upgrade aggregation points to OC3/OC12 Edge Edge - Upgrade branches to DS3 or higher - Plan capacity and traffic engineering FR/ATM - Implement IP multicast and/or stream splitting … services (e.g. WAAS) MPLS Real-Time Application Delivery Internet -implement robust QoS service policies to manage application service levels - Insuring wanted/limiting unwanted bandwidth MAN Edge MAN Transport MAN Edge consumers (tools like PISA) Site 1 Site 2 SONET / SDH Service Level Assurance - SLAs from SPs Metro Ethernet - Operationalize SLA tools (e.g. Netflow, IP SLA) Confidentiality DWDM - Comply to security policies with data protection strategies, such as IPSec, DMVPN, GETVPN Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
  43. 43. Borderless Network Architecture Two Thousand to Ten Thousand User Organization Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
  44. 44. High Performance WAN Headend Over 100Mbps Aggregate bandwidth, Up to 500 Branchs Campus/ Data Center Data Center/ Campus WAAS Service WAN Key Services/ Servers Distribution VPN Termination WAN Edge MPLS A MPLS B Internet Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
  45. 45. Remote Branch Transport & Redundancy Options Non-Redundant Redundant-Links Redundant-Links & Routers MPLS MPLS MPLS MPLS MPLS MPLS WAN MPLS Internet MPLS Internet MPLS + Internet WAN Internet Internet Internet Internet WAN Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
  46. 46. Routing Topology at Hub Location Campus/ Data Center EIGRP AS 100 Summaries + iBGP Default 10.5.0.0/16 0.0.0.0/0.0.0.0 MPLS A MPLS B DMVPN/ Internet eBGP EIGRP AS200 Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 46
  47. 47. WAN Edge Connection Methods Compared Recommended Core/Distribution Core/Distribution Core/Distribution Si WAN Edge Router WA WA WA N N N All: Single Logical No static routes Control Plane No FHRPs Port-Channel for H/A Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 47
  48. 48. Optimize Convergence with EtherChannel VSS/3750 Stacks Si Layer 3 Si P-to-P Link Channel Member Removed IGP recalc Link redundancy achieved through Provide Link Redundancy and redundant L3 paths reduce peering complexity Flow based load-balancing through Tune L3/L4 load-balancing CEF forwarding across hash to achieve maximum utilization Routing protocol reconvergence when No L3 reconvergence required when uplink failed member link failed Convergence time may depends on No individual flow can go faster than routing protocol used and the size of the speed of an individual member routing entries of the link Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 48
  49. 49. Best Practice— Summarize at Service Distribution It is important to force summarization Campus/ Summary at the distribution towards WAN Edge Data Center 10.5.0.0/16 and towards campus & data center Summarization limit the number of peers an EIGRP router must query (minimize SIA) or the number of Summaries + LSAs an OSPF peer must process Default 10.5.0.0/16 interface Port-channel1 0.0.0.0/0.0.0.0 description Interface to MPLS-A-CE no switchport ip address 10.4.128.1 255.255.255.252 ip pim sparse-mode ip summary-address eigrp 100 10.5.0.0 255.255.0.0 MPLS A MPLS B Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
  50. 50. Dual MPLS Carrier Hub Use iBGP to Retain AS Path Information Run iBGP between the CE routers Campus Prefixes from carrier-A will be advertised to carrier-B and vice versa EI G RP R P G Allows the preservation of AS Path E I 10.5.128.0/21 length so remote sites can choose the best path to destination iBGP Use IGP (OSPF/EIGRP) for prefix re- advertisement will result in equal-cost paths at remote-site MPLS A MPLS B bn-br200-3945-1# sh ip bgp 10.5.128.0/21 BGP routing table entry for 10.5.128.0/21, version 71 Paths: (2 available, best #2, table default, RIB-failure(17)) Not advertised to any peer 65401 65401 65402 65402, (aggregated by 65511 10.5.128.254) 10.4.142.26 from 10.4.142.26 (192.168.100.3) Origin IGP, localpref 100, valid, external, atomic- aggregate 65402 65402, (aggregated by 65511 10.5.128.254) 10.4.143.26 (metric 51456) from 10.5.0.10 (10.5.0.253) iBGP Origin IGP, metric 0, localpref 100, valid, internal, 10.5.128.0/21 atomic-aggregate, best Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
  51. 51. Best Practice - Implement AS-Path Filter Prevent Branch Site Becoming Transit Network Dual carrier sites can unintentionally Campus become transit network during network failure event and causing network congestion due to transit traffic Design the network so that transit path between two carriers only occurs at sites with enough bandwidth Implement AS-Path filter to allow only locally originated routes to be advertised on the outbound updates for MPLS A MPLS B branches that should not be transit router bgp 65511 neighbor 10.4.142.26 route-map NO-TRANSIT-AS out ! ip as-path access-list 10 permit ^$ ! iBGP route-map NO-TRANSIT-AS permit 10 match as-path 10 Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
  52. 52. EIGRP Metric Calculation - Review EIGRP Composite Metric EIGRP Metric = 256*([K1*Bw + K2*Bw/(256-Load) + K3*Delay]*[K5/(Reliability + K4)]) Bandwidth [Bw] (minimum along path) Delay (aggregate) Load (1-255) Reliability (1-255) MTU (minimum along path) For default bahavior (K1=K3=1), the formula metric is following: metric = bandwidth + delay EIGRP uses the following formula to scale the bandwidth & delay bandwidth = (10000000/bandwidth(i)) * 256 delay = delay(i) *256 Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
  53. 53. Best Practice – Use Delay Parameter to Influence EIGRP Path Selection EIGRP uses the minimum bandwidth along the path and the total delay to compute routing metrics Does anything else use these values? EIGRP also uses interface Bandwidth parameter to avoid congestion by pacing routing updates (default is 50% of bandwidth) Interface Bandwidth parameter is also used for QoS policy calculation PfR leverages Bandwidth parameter Delay parameter should always be used to influence EIGRP routing decision Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
  54. 54. MPLS + Internet WAN Use EIGRP Autonomous System for Path Differentiation D EX 10.5.48.0/21 [170/28416] via 10.4.128.2, Campus eBGP routes are redistributed into EIGRP 100 as external routes with default Admin Distance 170 EIGRP AS100 10.4.128.2 Running same EIGRP AS for both campus and DMVPN network would result in Internet path preferred over MPLS path Multiple EIGRP AS processes can be used to eBGP provide control of the routing EIGRP 100 is used in campus location MPLS A Internet EIGRP 200 over DMVPN tunnels Routes from EIGRP 200 redistributed into EIGRP 100 appear as external route (distance = 170) EIGRP Routes from both WAN sources are equal-cost AS200 paths. To prefer MPLS path over DMVPN use eigrp delay to modify path preference MPLS CE router# router eigrp 100 10.5.48.0/21 default-metric 1000000 10 255 1 1500 Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
  55. 55. Best Practice – Assign Unique Router-ID for Routing Protocols X I am John! You must be Imposter I am John! For EIGRP & OSPF highest IP address assigned to a loopback is selected as Router-ID. If there are no loopback interface configured, the highest IP address from the other interfaces is selected Router-ID can be used as tie breaker for path selection in BGP. Prefer route that come from neighbor with lowest Router-ID Duplicate EIGRP Router-ID will not prevent neighbor adjacency from establishing, but can cause redistributed EIGRP external routes with the same RID to be rejected from routing table For OSPF and BGP duplicate Router-ID will prevent neighbors from establishing adjacency Certain OSPF LSA are tied to RID. When router receive network LSA with LSA ID conflicts with IP address of interface on the router, it will flush the LSA out of the network Modification to Router-ID will result in adjacency reset Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
  56. 56. BGP Weight Metric Issue Router prefer IGP over eBGP 10.4.160.0/24 Dual MPLS VPN Network providing Campus primary and secondary network connectivity between locations E IG R eBGP peering with MPLS VPN P providers IGP R1 R2 Preferred path are learned via BGP to remote location with backup path learned via IGP e BG eBGP P With default configuration the failover works to the backup IGP path, but MPLS A MPLS B reconvergence back to primary path is a problem 10.4.160.0/24 Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
  57. 57. Path Selection Admin Dist [170] is better than [20] ? 10.4.160.0/24 Campus D EX 10.4.160.0/24 [170/3584].... EIG R P R1# show ip route IGP B 10.4.144.0/24 [20/0] via 10.4.142.2, 01:30:06 R1 R2 B 10.4.145.0/24 [20/0] via 10.4.142.2, 01:30:06 D EX 10.4.160.0/24 [170/3584] via 10.4.128.9, 00:30:06 e B G eBGP P B 10.4.160.0/24 [20/0].... MPLS A MPLS B 10.4.160.0/24 Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 57
  58. 58. BGP Route Selection Criteria ASR1004-1#show ip bgp 10.4.160.0 255.255.255.0 BGP routing table entry for 10.4.160.0/24, version 22 Paths: (3 available, best #3, table default) Advertised to update-groups: 4 5 65401 65401 10.4.142.2 from 10.4.142.2 (192.168.100.3) Origin IGP, localpref 200, valid, external Local 10.4.128.1 from 0.0.0.0 (10.4.142.1) Origin incomplete, metric 26883072, localpref 100, weight 32768, valid, sourced, best BGP Prefers Path with: 1.Highest Weight 2.Highest Local PREF 3.Locally originated via network or aggregate BGP 4.Shortest AS_PATH 5.Lowest Origin type IGP>EGP>INCOMPLETE 6.Lowest MED 7.eBGP over iBGP paths 8.Lowest IGP metric to BGP next hop Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 58
  59. 59. Prefer the eBGP Path over IGP Set the eBGP weight > 32768 IGP (EIGRP) route is redistributed into BGP Routes redistributed into BGP are considered locally originated and get a default weight of 32768 The eBGP learned prefix has default weight of 0 BGP prefers the path with highest weight and the prefix learned via eBGP is not selected To resolve this issue set the weights on route learned via eBGP peer higher than 32768 neighbor 10.4.142.2 weight 35000 ASR1004-1#show ip bgp 10.4.160.0 255.255.255.0 BGP routing table entry for 10.4.160.0/24, version 22 Paths: (3 available, best #3, table default) Advertised to update-groups: 4 5 65401 65401 10.4.142.2 from 10.4.142.2 (192.168.100.3) Origin IGP, localpref 200, valid, external Local 10.4.128.1 from 0.0.0.0 (10.4.142.1) Origin incomplete, metric 26883072, localpref 100, weight 32768, valid, sourced, best Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 59
  60. 60. Securing WAN communication with GET VPN Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
  61. 61. GETVPN Topology COOP Key Server Key Servers WAN Agg Switches GM GM MPLS A MPLS B GM GM GM GM Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
  62. 62. Best Practice - High Availability with Cooperative Key Servers Two or more KSs known as COOP KSs manage a common set of keys and security policies for GETVPN group members Group members can register to any one of the available KSs Cooperative KSs periodically exchange and synchronize group’s database, policy and keys Primary KS is responsible to generate and distribute group keys Cooperative KS1 Cooperative KS2 Subnet 1 Subnet 2 GM 1 GM 2 IP Network Subnet 3 Subnet 4 GM 4 GM 3 Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 62
  63. 63. Transition from Clear-text to GETVPN Receive-Only Method Goal permit ip 10.1.4.0 0.0.1.255 10.1.4.0 0.0.1.255 Incrementally deploy infrastructure without encryption 10.1.4.0/24 Immediate transition to KS encryption controlled by KS 10.1.6.0/24 GM Method GET Deploy KS with Receive-only GM SA’s (don’t encrypt, allow GM decryption) GM Deploy GM throughout 10.1.5.0/24 10.1.7.0/24 infrastructure and monitor rekey processes permit ip 10.1.4.0 0.0.3.255 10.1.4.0 0.0.3.255 Transition KS to Normal SA (encrypt, decrypt) 10.1.4.0/24 KS Assessment 10.1.6.0/24 Pro: Simple transition to network- GM wide encryption GET Con: Correct policies imperative GM GM Con: Deferred encryption until all GM CE are capable of GM functions 10.1.5.0/24 10.1.7.0/24 Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 63
  64. 64. Group Member Configuration Group Member MPLS A Key Group Member Server crypto isakmp key c1sco123 address 10.4.128.151 crypto isakmp key c1sco123 address 10.4.128.152 GDOI Group crypto isakmp policy 10 encr 3des authentication pre-share group 2 ! Primary KS Address crypto gdoi group GETVPN identity number 65511 Secondary KS server address ipv4 10.4.128.151 Address server address ipv4 10.4.128.152 ! crypto map dgvpn 10 gdoi set group dgvpn GDOI configuration ! mapped to crypto map interface FastEthernet0/0 Presentation_ID crypto map GETVPN © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 64
  65. 65. Key Server Configuration Group Member MPLS A Key Group Member Server crypto keyring gdoi1 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123 ! crypto isakmp policy 10 encr aes 256 authentication pre-share group 2 IPSec Transform ! crypto ipsec transform-set AES256/SHA esp-aes 256 IPSec Profile esp-sha-hmac ! crypto ipsec profile GETVPN-GDOI-PROFILE set security-association lifetime seconds 7200 set transform-set AES256/SHA ! Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 65
  66. 66. KS Configuration (Cont.) GDOI Group ID crypto gdoi group GETVPN Lifetime for Key identity number 65511 Encryption Key server local rekey lifetime seconds 86400 rekey retransmit 40 number 3 rekey authentication mypubkey rsa GETVPN-Key RSA Key to authenticate rekey transport unicast rekeys sa ipsec 10 profile GETVPN-GDOI-PROFILE Unicast Rekey match address ipv4 GETVPN-MATCH-ACL no replay address ipv4 10.4.128.151 redundancy local priority 100 Coop Server Config peer address ipv4 10.4.128.152 ! Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
  67. 67. GET VPN Encryption Policy Access-List configuration on KS Access-list denying ip access-list extended GETVPN-MATCH-ACL !Don’t double encrypt traffic that’s encrypted encryption for ISAKMP, deny esp any any GDOI, BGP, TACACS, SSH ! Allow telemetry traffic packets and permitting deny ip 10.4.0.0 0.1.255.255 10.4.142.0 0.0.1.255 encryption for all IP traffic deny ip 10.4.142.0 0.0.1.255 10.4.0.0 0.1.255.255 deny tcp any any eq tacacs deny tcp any eq tacacs any deny tcp any any eq 22 deny tcp any eq 22 any !Allow BGP between CE-PE router deny tcp any any eq bgp deny tcp any eq bgp any !Dont encryption ISAKMP traffic deny udp any eq isakmp any eq isakmp !Don’t encrypt GDOI messages deny udp any eq 848 any eq 848 !Allow CE-PE to form PIM adjacency deny pim any 224.0.0.0 0.0.0.255 permit ip any any Allow communication from internal nets to the PE-CE subnets (summarized): 10.4.0.0/16 to/from 10.4.142.0/24, 10.4.143.0/24 10.5.0.0/16 to/from 10.4.142.0/24, 10.4.143.0/24 Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
  68. 68. DMVPN over Internet Deployment Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 68
  69. 69. DMVPN over Internet Design Consideration Running EIGRP inside the DVMPN using a different AS number than the campus EIGRP Capable of dynamic vpn-7206-1 vpn-7206-2 spoke-to-spoke tunnel to tun10 tun10 other Internet attached spokes Internet tun10 tun10 ... Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 69
  70. 70. DMVPN Deployment over Internet Multiple Default Routes for VPN Headend VPN Headend has a default route to ASA firewall’s VPN-DMZ E I default interface to reach Internet G RP Remote site policy requires INSIDE default Internet Edge centralized Internet access Block Enable EIGRP between VPN default headend & Campus core to propagate default to remote VPN-DMZ default OUTSIDE Static default (admin dist=0) remains active, Internet Internet VPN-DMZ is wrong firewall interface for user traffic Adjust admin distance so EIGRP default route installed (to core) VPN tunnel drops Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 70
  71. 71. DMVPN Deployment over Internet Enable FVRF with DMVPN to separate out the two default routes default The RED-VRF contains the default default EIGRP INSIDE route to VPN-DMZ Interfae needed Internet Edge for Tunnel Establishment Block default A 2nd default route exist on the Global Routing Table used by the VPN-DMZ user data traffic to reach Internet OUTSIDE default To prevent split tunneling the R P default default route is advertised to E IG 0 ) (2 0 Internet spokes via Tunnel Spoke’s tunnel drops due to 2nd default route conflict with the one default learned from ISP Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
  72. 72. Best Practice – VRF-aware DMVPN Keeping the Default Routes in Separate VRFs No Split Tunneling at Branch location Enable FVRF DMVPN on the Spokes default Allow the ISP learned Default EIGRP default INSIDE Route in the RED-VRF and used Internet Edge for tunnel establishment Block default Global VRF contains Default Route learned via tunnel. User VPN-DMZ data traffic follow Tunnel to OUTSIDE default INSIDE interface on firewall R P default E IG 0 ) Allow for consistency for 2 0 ( Internet implementing corporate security policy for all users default Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 72

×