Design and Deployment using the Cisco Smart Business Architecture (SBA)
Transcript

  • 1. Design and Deployment using the Cisco Smart Business Architecture (SBA) Anastasia Marchenko Systems Engineer Cisco amarchen@cisco.com BRKRST-2040 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
  • 2. Design and Deployment Using SBA. Agenda: SBA WAN Overview; SBA WAN Design Methodology; Key Aspects of the Design; Summary.
  • 3. The Challenge. How can I anticipate what the network might need to do in the future so I don't have to revisit my design and deployment? Which platform should I choose, given the many options at each place in the network (for example an ASR1000 router or a WAE-7341 WAN optimization appliance)? How can I do it quickly? What are the best practices? How do I manage it? How do I put it all together?
  • 4. Cisco Smart Business Architecture Overview.
    - Tested: a reference design, tested and supported by Cisco; one architecture that scales for different size organizations; multiple tiers to match your organization's needs without changing the network architecture.
    - Flexible: a flexible architecture to help ensure easy migration as the organization grows.
    - Comprehensive: seamless support for quick deployment of wired and wireless network access for data, voice, teleworker, and wireless guest.
    - Secure: security and high availability for corporate information resources and Internet-facing applications.
    - Optimized performance: improved network performance and cost reduction through the use of services like WAN optimization.
  • 5. Cisco SBA Design Overview (diagram only).
  • 6. SBA WAN Deployment Principles.
    - Ease of Deployment: deploy the design consistently across all products included in the architecture. The configurations used in the deployment represent a best-practice methodology to enable a fast and resilient deployment.
    - Flexibility and Scalability: the architecture can grow with the organization without being redesigned.
    - Resiliency and Security: the architecture keeps the network operating even during unplanned outages and attacks.
    - Easy to Manage: the deployment guidance includes configuring devices to be managed by a network management system (NMS) or as unique elements of the network.
    - Advanced Technology Ready: implementing advanced technologies like collaboration is easy because the network foundation is already configured with the required baseline network services.
  • 7. Borderless Networks SBA Guides for Enterprise (http://www.cisco.com/go/sba): MPLS WAN Deployment Guide, Layer 2 WAN Deployment Guide, VPN WAN Deployment Guide. Primary transports, WAN-aggregation design models and usage per guide:
    - MPLS WAN: transport MPLS L3 VPN; design models Dual MPLS, MPLS Dynamic, MPLS Static; usage Primary/Secondary.
    - Layer 2 WAN: transport Layer 2 WAN; design models Trunked Demarcation, Simple Demarcation; usage Primary.
    - VPN WAN: transport Internet/DMVPN; design models Dual DMVPN, DMVPN Only, DMVPN Backup Dedicated, DMVPN Backup Shared; usage Primary/Secondary.
    - VPN Remote Site over 3G/4G: transport 3G/4G Internet/DMVPN; usage Primary/Secondary, remote site only.
    - Group Encrypted Transport VPN: transports MPLS L3 VPN (Primary/Secondary) and Layer 2 WAN (Primary); compatible with all design models.
  • 8. WAN Design and Deployment Using SBA. Agenda (section divider): SBA WAN Design Methodology.
  • 9. Hierarchical WAN Design (diagram). SBA targets up to 500 remote sites. The Data Center/HQ side has Core and Distribution layers (or a collapsed Core/Distribution); spoke sites 1 to N, each with Distribution and Access layers, connect either directly to the hub or through regional hubs that aggregate their own spoke sites.
  • 10. WAN-Aggregation Reference Design (diagram). Core Layer; WAN Distribution Layer; DMVPN Hub Routers (DMVPN 1 and DMVPN 2) behind the Internet Edge toward ISP A / ISP B; MPLS CE Routers toward MPLS A and MPLS B; Layer 2 WAN CE Router toward the Layer 2 WAN.
  • 11. WAN Remote Site Designs: Basic Remote Site (diagram only).
  • 12. WAN Remote Site Designs (MPLS and DMVPN), by resiliency level:
    - MPLS WAN: Non Redundant: MPLS; Redundant Links: MPLS-A + MPLS-B; Redundant Links & Routers: MPLS-A + MPLS-B.
    - MPLS + Internet WAN: Redundant Links: MPLS + Internet (DMVPN); Redundant Links & Routers: MPLS + Internet (DMVPN).
    - Internet WAN: Non Redundant: Internet (DMVPN); Redundant Links: Internet (DMVPN-1) + Internet (DMVPN-2); Redundant Links & Routers: Internet (DMVPN-1) + Internet (DMVPN-2).
  • 13. WAN Remote Site Designs (L2, 3G/4G and DMVPN), by resiliency level:
    - VPLS WAN: Non Redundant: VPLS.
    - VPLS + Internet WAN: Redundant Links: VPLS + Internet (DMVPN-1); Redundant Links & Routers: VPLS + Internet (DMVPN-1).
    - 3G/4G Internet WAN: Non Redundant: 3G/4G (DMVPN).
    - MPLS + 3G/4G Internet WAN: Redundant Links: MPLS + 3G/4G (DMVPN); Redundant Links & Routers: MPLS + 3G/4G (DMVPN).
  • 14. WAN Remote Site Reference Designs: Access Layer Only.
    - Single Router Remote Sites: 802.1q VLAN trunk (64-65, 69-70) to the access switch; no HSRP required.
    - Dual Router Remote Sites: add a second router and a transit network (Vlan99) and enable HSRP; 802.1q VLAN trunk (64-65, 69-70, 99); one router is the active HSRP router.
    IP network assignment (example) for access-layer-only designs:
    - Vlan65, wireless data: 10.5.50.0/24
    - Vlan70, wireless voice: 10.5.51.0/24
    - Vlan64, data 1: 10.5.52.0/24
    - Vlan69, voice 1: 10.5.53.0/24
    - Vlan99, transit (dual router only): 10.5.48.0/30
  • 15. WAN Remote Site Reference Designs: Distribution and Access Layer. Add a distribution layer (with a transit network for dual-router sites).
    - Single Router Remote Sites: 802.1q trunk (50) from the router to the distribution layer; Vlan50 is the router 1 link.
    - Dual Router Remote Sites: 802.1q trunk (50,99) from router 1 and 802.1q trunk (54,99) from router 2; Vlan50 is the router 1 link, Vlan54 the router 2 link, Vlan99 the transit network.
    - Access switches connect to the distribution layer over 802.1q trunks carrying their data and voice VLANs.
  • 16. WAN Remote Site Reference Design: Distribution Layer Wireless LAN Integration. A WLAN controller is required in the distribution-layer design to support roaming. Router uplinks: 802.1q trunk (50,99) and (54,99) with Vlan50 (router 1 link), Vlan54 (router 2 link) and Vlan99 (transit). WLAN controller uplink: 802.1q trunk (106, WD, WV) with Vlan106 (management), VlanWD (wireless data) and VlanWV (wireless voice). Access switches: 802.1q trunk (100, 101) and (102-103) with Vlan100/Vlan102 (data) and Vlan101/Vlan103 (voice). No HSRP required.
  • 17. WAN Design and Deployment Using SBA. Agenda (section divider): Key Aspects of the Design.
  • 18. WAN Edge Connection Methods Compared (this topic is covered in detail in BRKCRS-2030). Several ways of attaching the WAN edge router to the Core/Distribution layer are compared; the SBA-recommended method is a routed connection with no static routes and no FHRPs, a single logical control plane, and a port-channel for high availability.
  • 19. Optimize Convergence and Redundancy.
    - Layer 3 point-to-point links (uplink failure triggers IGP recalculation): link redundancy achieved through redundant L3 paths; flow-based load balancing through CEF forwarding across equal-cost paths; routing protocol reconvergence when an uplink fails; convergence time depends on the routing protocol used and the size of the routing table.
    - Multichassis EtherChannel to a VSS pair or 3750 stack (a failed uplink is just a channel member removed): provides link redundancy and reduces peering complexity; tune the L3/L4 load-balancing hash to achieve maximum utilization; no L3 reconvergence required when a member link fails; no individual flow can go faster than the speed of an individual member of the channel.
  • 20. WAN Dual-Path Route Preference: Incorrect Choice of Primary Path (DMVPN). The WAN distribution layer shows D 10.5.48.0/21 [90/xxxxx] via 10.4.32.18 (the DMVPN hub router). The MPLS CE router runs BGP AS 65511 with eBGP to MPLS A (AS 65401) and mutual route redistribution with EIGRP 100; eBGP routes are redistributed into EIGRP 100 as external routes with the default administrative distance of 170. Running the same EIGRP AS (100) for both the campus and the DMVPN network makes the hub's route an EIGRP internal route (AD 90), so the Internet path is preferred over the MPLS path for remote site 10.5.48.0/21.
  • 21. WAN Dual-Path Route Preference: Correct Choice of Primary Path (MPLS). Multiple EIGRP AS processes can be used to control the routing: EIGRP 100 is used in the HQ location and EIGRP 200 over the DMVPN tunnel. Routes from EIGRP 200 redistributed into EIGRP 100 appear as external routes (distance 170), so the distribution layer now shows D EX 10.5.48.0/21 [170/34304] via 10.4.32.2 (the MPLS CE router).
    DMVPN hub router:
      router eigrp 100
       redistribute eigrp 200
    MPLS CE router:
      router eigrp 100
       default-metric 1000000 10 255 1 1500
    EIGRP uses the bandwidth and delay metrics if prefix and distance are the same. If the routes from both WAN sources are equal-cost paths, use EIGRP delay to modify the path preference.
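    The two slides above describe a routing-table decision: administrative distance is compared first, and only when it ties does the EIGRP composite metric decide. The following Python model is an added example, not code from the BRKRST-2040 deck or from Cisco: it implements that selection rule and the classic EIGRP metric formula, then replays slide 20 (shared EIGRP 100, hub route internal at AD 90) and slide 21 (EIGRP 200 redistributed into 100, both routes external at AD 170, delay as the tie-breaker). The bandwidth/delay values given to the DMVPN route are constructed for illustration; the MPLS CE's `default-metric 1000000 10 255 1 1500` is the slide's.

```python
"""Added example: RIB path selection behind slides 20-21 (not from the deck)."""
from dataclasses import dataclass
from typing import List

AD_EIGRP_INTERNAL = 90
AD_EIGRP_EXTERNAL = 170   # also the AD of eBGP routes once redistributed into EIGRP

PREFIX = "10.5.48.0/21"        # remote site from the slides
DMVPN_HUB = "10.4.32.18"       # next hop on slide 20
MPLS_CE = "10.4.32.2"          # next hop on slide 21


def eigrp_metric(min_bw_kbps: int, total_delay_tens_us: int) -> int:
    """Classic EIGRP composite metric with default K values (K1=K3=1, K2=K4=K5=0):
    256 * (10^7 / minimum bandwidth in kbit/s + sum of delays in tens of microseconds)."""
    return 256 * (10_000_000 // min_bw_kbps + total_delay_tens_us)


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    external: bool   # True for EIGRP external (D EX), False for internal (D)
    metric: int

    @property
    def ad(self) -> int:
        return AD_EIGRP_EXTERNAL if self.external else AD_EIGRP_INTERNAL


def best_paths(candidates: List[Route]) -> List[Route]:
    """RIB selection: lowest AD wins; ties are broken by lowest metric.
    Several routes with identical (AD, metric) are all installed (equal-cost paths)."""
    ranked = sorted(candidates, key=lambda r: (r.ad, r.metric))
    top = (ranked[0].ad, ranked[0].metric)
    return [r for r in ranked if (r.ad, r.metric) == top]


def slide20_same_as() -> List[Route]:
    """Campus and DMVPN share EIGRP 100: the hub's route is internal (AD 90) and the
    MPLS CE's redistributed eBGP route is external (AD 170). The DMVPN path wins
    even though its metric (constructed: 10 Mbit/s, 20 ms) is much worse."""
    dmvpn = Route(PREFIX, DMVPN_HUB, external=False, metric=eigrp_metric(10_000, 2000))
    mpls = Route(PREFIX, MPLS_CE, external=True, metric=eigrp_metric(1_000_000, 10))
    return best_paths([dmvpn, mpls])


def slide21_separate_as(tunnel_delay_tens_us: int) -> List[Route]:
    """DMVPN runs EIGRP 200 and is redistributed into 100: both WAN sources are now
    external (AD 170), so the metric decides. With the same bandwidth and delay the
    routes are equal-cost; raising the tunnel delay makes MPLS the only best path."""
    dmvpn = Route(PREFIX, DMVPN_HUB, external=True,
                  metric=eigrp_metric(1_000_000, tunnel_delay_tens_us))
    mpls = Route(PREFIX, MPLS_CE, external=True, metric=eigrp_metric(1_000_000, 10))
    return best_paths([dmvpn, mpls])


if __name__ == "__main__":
    print("slide 20 (one AS):        ", [r.next_hop for r in slide20_same_as()])
    print("slide 21, equal delay:    ", [r.next_hop for r in slide21_separate_as(10)])
    print("slide 21, tunnel delay up:", [r.next_hop for r in slide21_separate_as(100)])
```

    The point to check on a real router is the same as in the model: `show ip route 10.5.48.0` must show `D EX ... [170/...]` from both WAN sources before delay tuning can have any effect; if one of them is still `D ... [90/...]`, the AS split on the DMVPN side has not taken effect.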
  • 22. WAN-Aggregation IP Routing Detail (diagram). The WAN distribution layer runs EIGRP 100 toward all WAN-aggregation routers. DMVPN hub routers: EIGRP 100 toward the campus, EIGRP 200 (DMVPN 1) and EIGRP 201 (DMVPN 2) over the tunnels, with a default route from the Internet Edge toward ISP A / ISP B. MPLS CE routers: EIGRP 100 toward the campus, BGP AS 65511 with iBGP between the two CEs and eBGP to MPLS A (AS 65401) and MPLS B (AS 65402). Layer 2 WAN CE router: EIGRP 100 toward the campus and EIGRP 300 over the Layer 2 WAN.
  • 23. WAN Dual-Path Route Preference: Is Route Control Needed? After the MPLS link fails, the MPLS CE router (10.4.32.1) learns an alternate path to the remote site via the distribution layer as an EIGRP route: D EX 10.5.48.0/21 [170/xxxx] via 10.4.32.1 on the distribution layer, which in turn holds D EX 10.5.48.0/21 [170/xxxx] via 10.4.32.18 (the DMVPN hub router, reached over EIGRP 200).
  • 24. WAN Dual-Path Route Preference: Is Route Control Needed? Yes. After the link is restored, the MPLS CE router again receives the BGP advertisement for the remote-site route from 192.168.3.2 (the expected entry would be B 10.5.48.0/21 [20/0] via 192.168.3.2). Does the BGP route get (re)installed in the routing table? No: the EIGRP route learned from the distribution layer (D EX 10.5.48.0/21 [170/xxxx] via 10.4.32.1) remains in the table, and the distribution layer keeps pointing at the DMVPN hub (D EX 10.5.48.0/21 [170/xxxx] via 10.4.32.18).
  • 25. WAN Dual-Path Route Preference: Route Control Is Needed.
      CE-1#show ip bgp 10.5.48.0 255.255.248.0
      BGP routing table entry for 10.5.48.0/21, version 1293
      Paths: (3 available, best #3, table default)
        Advertised to update-groups:
           4          5
        65401
        65401, (aggregated by 65511 10.5.48.254)
          192.168.3.2 from 192.168.3.2 (192.168.100.3)          <- eBGP route (no weight defined)
            Origin IGP, localpref 100, valid, external, atomic-aggregate
        Local
          10.4.32.1 from 0.0.0.0 (10.4.32.1)                      <- redistributed from EIGRP
            Origin incomplete, metric 3584, localpref 100, weight 32768, valid, sourced, best
    The remote-site route learned from the distribution layer is redistributed into BGP with weight 32768, so after the link is restored the locally sourced path keeps winning BGP best-path selection and the distribution-layer route stays in the routing table. Routes from the distribution layer should therefore be blocked; this also protects against other "backdoor" and routing-loop conditions.
  • 26. Best Practice: Route Tag and Filter. Routes are implicitly tagged with the carrier AS when redistributed from eBGP to EIGRP; configure explicit tags for other routing protocol sources. Use a route-map to block re-learning of WAN routes via the distribution layer (MPLS routes are already known via iBGP). On the MPLS CE routers (MPLS A = AS 65401, MPLS B = AS 65402), applied to EIGRP routes arriving from the distribution layer:
      router eigrp 100
       distribute-list route-map BLOCK-TAGGED-ROUTES in
       default-metric [BW] 100 255 1 1500
       redistribute bgp 65511
      !
      route-map BLOCK-TAGGED-ROUTES deny 10
       match tag 65401 65402
      route-map BLOCK-TAGGED-ROUTES permit 20
  • 27. WAN-Aggregation Mutual Route Redistribution. Per WAN-aggregation router, what is redistributed from the WAN toward Core/Distribution, and what is accepted from Core/Distribution toward the WAN (all redistribute EIGRP 100):
    - MPLS A CE: from WAN: redistribute BGP, implicit tag MPLS-A; toward WAN: block MPLS-A, MPLS-B, DMVPN.
    - MPLS B CE: from WAN: redistribute BGP, implicit tag MPLS-B; toward WAN: block MPLS-A, MPLS-B, DMVPN.
    - Layer 2 WAN CE: from WAN: redistribute EIGRP, explicit tag Layer 2 WAN; toward WAN: block DMVPN.
    - DMVPN 1 Hub: from WAN: redistribute EIGRP, explicit tag DMVPN; toward WAN: accept any.
    - DMVPN 2 Hub: from WAN: redistribute EIGRP, explicit tag DMVPN; toward WAN: accept any.
    (Topology as on slide 22: EIGRP 100 toward the distribution layer; BGP AS 65511 with iBGP between the MPLS CEs and eBGP to MPLS A and MPLS B; EIGRP 200/201 over DMVPN 1/2; EIGRP 300 over the Layer 2 WAN; default route from the Internet Edge.)
  • 28. WAN Remote-Site Routing: Single-Router, Single-Link, Access Layer Only (MPLS VPN). Only requires a single WAN-facing routing protocol process; eBGP to the provider, with a BGP summary advertised for the site.
      router bgp 65511
       bgp router-id 10.5.56.254
       network 10.5.60.0 mask 255.255.255.0          (wired/wireless data subnets)
       network 10.5.61.0 mask 255.255.255.0
       network 192.168.3.28 mask 255.255.255.252
       aggregate-address 10.5.56.0 255.255.248.0 summary-only
       neighbor 192.168.3.30 remote-as 65401
       no auto-summary
  • 29. WAN Remote-Site Routing: Single-Router, Single-Link, Access Layer Only (DMVPN or Layer 2 WAN). Only requires a single WAN-facing routing protocol process: EIGRP 200 with an EIGRP summary over the DMVPN tunnel, or EIGRP 300 with an EIGRP summary over the Layer 2 WAN. Layer 2 WAN example:
      router eigrp 300
       network 10.4.38.0 0.0.0.255
       network 10.5.0.0 0.0.255.255                   (includes all remote-site networks)
       passive-interface default
       no passive-interface GigabitEthernet0/0.38
       eigrp router-id 10.5.144.254
       eigrp stub connected summary
      interface GigabitEthernet0/0.38
       ip summary-address eigrp 300 10.5.144.0 255.255.248.0
  • 30. WAN Remote-Site Routing: Single-Router, Dual-Link, Access Layer Only (MPLS VPN plus DMVPN over the Internet). Requires two separate WAN-facing routing protocol processes: BGP with a summary toward the MPLS VPN and EIGRP 200 with a summary over the tunnel.
      router bgp 65511
       bgp router-id 10.5.40.254
       network 10.5.44.0 mask 255.255.255.0
       network 10.5.45.0 mask 255.255.255.0
       network 192.168.3.20 mask 255.255.255.252
       aggregate-address 10.5.40.0 255.255.248.0 summary-only
       neighbor 192.168.3.22 remote-as 65401
       no auto-summary
      !
      router eigrp 200
       network 10.4.34.0 0.0.1.255
       network 10.5.0.0 0.0.255.255
       passive-interface default
       no passive-interface Tunnel10
       eigrp router-id 10.5.40.254
       eigrp stub connected summary
      interface Tunnel10
       ip summary-address eigrp 200 10.5.40.0 255.255.248.0
  • 31. WAN Remote-Site Routing: Single-Router, Dual-Link, Access Layer Only (diagram). Requires two separate WAN-facing routing protocol processes, except for dual-MPLS: MPLS VPN A + MPLS VPN B (one BGP process, a BGP summary toward each carrier); DMVPN-1 + DMVPN-2 (EIGRP 200 and EIGRP 201, an EIGRP summary over each tunnel); Layer 2 WAN + Internet DMVPN (an EIGRP summary over each, EIGRP 200 on the tunnel).
  • 32. WAN Remote-Site Routing: Dual-Router, Dual-Link, Access Layer Only (R1 on MPLS VPN with eBGP, R2 on DMVPN with EIGRP 200). Requires separate WAN-facing and LAN-facing routing protocol processes; the LAN process is EIGRP 100 across the transit network. One-way redistribution from each WAN process into EIGRP 100 is required; the summary routes advertised toward the WAN make two-way redistribution unnecessary.
    R1 (BGP summary toward MPLS, one-way redistribution into EIGRP 100):
      router eigrp 100
       default-metric 100000 100 255 1 1500
       network 10.5.0.0 0.0.255.255
       redistribute bgp 65511
       passive-interface default
       no passive-interface GigabitEthernet0/1.99     (transit network)
       eigrp router-id 10.5.48.254
    R2 (EIGRP summary toward DMVPN, one-way redistribution into EIGRP 100):
      router eigrp 100
       network 10.5.0.0 0.0.255.255
       redistribute eigrp 200
       passive-interface default
       no passive-interface GigabitEthernet0/1.99     (transit network)
       eigrp router-id 10.5.48.253
  • 33. WAN Remote-Site Routing: Dual-Router, Dual-Link, Access Layer Only (diagram). Requires separate WAN-facing and LAN-facing routing protocol processes; the LAN process is EIGRP 100 in every variant: MPLS VPN A + MPLS VPN B (eBGP on each router with BGP summaries, iBGP between the two routers); DMVPN-1 + DMVPN-2 (EIGRP 200 and EIGRP 201 with EIGRP summaries); Layer 2 WAN + Internet DMVPN (EIGRP 300 and EIGRP 200 with EIGRP summaries).
  • 34. WAN Remote-Site Routing: Distribution/Access Layer (diagram). Requires separate WAN-facing and LAN-facing routing protocol processes. The WAN-facing process is either BGP (MPLS) or EIGRP, where WAN EIGRP is DMVPN (200/201) or Layer 2 WAN (300), each advertising EIGRP/BGP summaries. The LAN-facing process is EIGRP 100 toward the distribution layer over 802.1q trunk (50) for a single router, or 802.1q trunks (50,99) and (54,99) for dual routers (Vlan50: router 1 link, Vlan54: router 2 link, Vlan99: transit); access switches trunk their data/voice VLANs (100-101, 102-103) to the distribution layer.
  • 35. Best Practice: Implement AS-Path Filter. Prevent a Remote Site from Becoming a Transit Network. Dual-carrier sites (R1 on MPLS A, R2 on MPLS B, iBGP between them) can unintentionally become a transit network between the carriers during a network failure event, causing congestion at the branch from transit traffic. Design the network so that a transit path between the two carriers only occurs at sites with enough bandwidth. Implement an AS-path filter that allows only locally originated routes (empty AS path, regex ^$) in the outbound updates of branches that should not be transit:
      router bgp 65511
       neighbor 192.168.4.10 route-map NO-TRANSIT-AS out
      !
      ip as-path access-list 10 permit ^$
      !
      route-map NO-TRANSIT-AS permit 10
       match as-path 10
  • 36. Best Practice: Stub Routing. Improve Network Stability and Prevent Transit Sites. The EIGRP stub routing feature improves network stability, reduces resource utilization, and simplifies stub router configuration; use it at all remote sites. Implement stub routing so that only locally originated (connected and summary) routes are advertised in outbound updates for dual-router sites (VPLS/DMVPN) that should not be transit:
      router eigrp 200
       eigrp stub connected summary
  • 37. WAN Remote-Site Loopback Routing. Initial Approach: Loopbacks within the Summary Route (1). R1 (MPLS VPN, eBGP) and R2 (DMVPN, EIGRP 200) with EIGRP 100 on the LAN. Summaries are advertised via both links, but the best path is via the primary link; while the primary link is operational both loopbacks are reachable via the primary link.
    R1:
      interface Loopback0
       ip address 10.5.48.254 255.255.255.255
      router bgp 65511
       bgp router-id 10.5.48.254
       network 10.5.52.0 mask 255.255.255.0
       network 10.5.53.0 mask 255.255.255.0
       network 192.168.3.20 mask 255.255.255.252
       aggregate-address 10.5.48.0 255.255.248.0 summary-only
       neighbor 192.168.3.22 remote-as 65401
       no auto-summary
    R2:
      interface Loopback0
       ip address 10.5.48.253 255.255.255.255
      router eigrp 200
       network 10.4.34.0 0.0.1.255
       network 10.5.0.0 0.0.255.255
       passive-interface default
       no passive-interface Tunnel10
       eigrp router-id 10.5.48.253
       eigrp stub connected summary
      interface Tunnel10
       ip summary-address eigrp 200 10.5.48.0 255.255.248.0
  • 41. WAN Remote-Site Loopback Routing: BGP Configuration for Single-Router (MPLS VPN, eBGP). The loopback is advertised as a host route.
      interface Loopback0
       ip address 10.255.251.204 255.255.255.255
      router bgp 65511
       bgp router-id 10.255.251.204
       network 10.255.251.204 mask 255.255.255.255
       neighbor 192.168.3.30 remote-as 65401
  • 42. WAN Remote-Site Loopback Routing: EIGRP Configuration for Single-Router (DMVPN over the Internet, EIGRP 200). The network statement covers all loopbacks.
      interface Loopback0
       ip address 10.255.253.205 255.255.255.255
      router eigrp 200
       network 10.255.0.0 0.0.255.255
       eigrp router-id 10.255.253.205
  • 43. WAN Remote-Site Loopback Routing: Configuration for Single-Router (MPLS with DMVPN Backup). For a single-router, dual-link remote site, choose the loopback from the address block of the primary link (here the MPLS block, 10.255.251.x).
      interface Loopback0
       ip address 10.255.251.201 255.255.255.255
      router bgp 65511
       bgp router-id 10.255.251.201
       network 10.255.251.201 mask 255.255.255.255
       neighbor 192.168.3.22 remote-as 65401
      router eigrp 200
       network 10.255.0.0 0.0.255.255                 (all loopbacks)
       eigrp router-id 10.255.251.201
  • 44. WAN Remote-Site Loopback Routing: Configuration for Dual-Router (MPLS with DMVPN Backup). R1 (MPLS VPN, eBGP) and R2 (DMVPN, EIGRP 200) use the LAN-facing routing protocol process (EIGRP 100) to advertise the R2 loopback to R1 and the R1 loopback to R2.
    R1:
      interface Loopback0
       ip address 10.255.251.203 255.255.255.255
      router eigrp 100
       network 10.255.0.0 0.0.255.255
       eigrp router-id 10.255.251.203
    R2:
      interface Loopback0
       ip address 10.255.253.203 255.255.255.255
      router eigrp 100
       network 10.255.0.0 0.0.255.255
       eigrp router-id 10.255.253.203
  • 45. WAN Remote-Site Loopback Routing (continued): Configuration for Dual-Router (MPLS with DMVPN Backup). On R1, both loopbacks need to be explicitly listed in the BGP configuration. On R2, two-way redistribution is required for the EIGRP WAN routing protocol: only the loopback addresses should be redistributed from the LAN process (EIGRP 100) into the WAN process (EIGRP 200), and the stub configuration must allow redistributed routes.
    R1:
      router bgp 65511
       bgp router-id 10.255.251.203
       network 10.255.251.203 mask 255.255.255.255
       network 10.255.253.203 mask 255.255.255.255
    R2:
      router eigrp 200
       network 10.255.0.0 0.0.255.255
       redistribute eigrp 100 route-map LOOPBACK-ONLY
       eigrp router-id 10.255.253.203
       eigrp stub connected summary redistributed
      !
      ip access-list standard R1-LOOPBACK
       permit 10.255.251.203
      !
      route-map LOOPBACK-ONLY permit 10
       match ip address R1-LOOPBACK
  • 46. DMVPN Deployment Considerations: How to Accommodate Multiple Default Routes on a VPN Hub Router. The VPN hub has a static default route to the ASA firewall's VPN-DMZ interface to reach the Internet. Remote-site policy requires centralized Internet access, so EIGRP is enabled between the VPN headend and the campus core to propagate a default route to the remote sites (the Internet Edge advertises it via the INSIDE interface, with OUTSIDE facing the Internet). The static default (admin distance 1) remains active on the hub, so user traffic from remote sites is forwarded to the VPN-DMZ, the wrong firewall interface for user traffic. If instead the admin distances are adjusted so that the EIGRP default route (to the core) wins, the VPN tunnel drops, because the hub no longer has a path to the spokes' public addresses through the VPN-DMZ.
  • 47. DMVPN Deployment over the Internet: No Split Tunneling at the Remote-Site Location. Enable Front-Door VRF (FVRF) with DMVPN to permit two default routes on the hub: the VRF INET-PUBLIC contains the default route to the VPN-DMZ interface needed for tunnel establishment, and a second default route exists in the global routing table, used by user traffic to reach the Internet via the firewall's INSIDE interface. To enforce centralized tunneling, that second default route is advertised to the spokes via the tunnel. Without the same separation on the spoke, the spoke's tunnel drops because the default route learned through the tunnel conflicts with the one learned from the ISP.
  • 48. Best Practice: VRF-Aware DMVPN. Keeping the Default Routes in Separate VRFs. Enable FVRF DMVPN on the spokes. Allow the ISP-learned default route in the VRF INET-PUBLIC and use it for tunnel establishment. The global VRF contains the default route learned via the tunnel, so user data traffic follows the tunnel to the INSIDE interface on the firewall. This allows consistent implementation of the corporate security policy for all users.
  • 49. Avoid Fragmentation when Tunneling GRE+IPsec. Physical links have MTU 1500 at both ends; the tunnel is set to MTU 1400. With the tunnel transform set esp-aes 256 esp-sha-hmac:
    - GRE/IPsec (tunnel mode): maximum MTU 1414 bytes, recommended MTU 1400 bytes.
    - GRE/IPsec (transport mode): maximum MTU 1434 bytes, recommended MTU 1400 bytes.
    IP fragmentation causes CPU and memory overhead and results in lower throughput; when one fragment of a datagram is dropped, the entire original IP datagram has to be resent. Use 'mode transport' on the transform set: NHRP requires it for NAT support and it saves 20 bytes of overhead. Avoid MTU issues with the following best practices:
    ‒ ip mtu 1400 (WAN-facing interface or tunnel)
    ‒ ip tcp adjust-mss 1360 (WAN-facing interface or tunnel)
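    The two "maximum MTU" figures on the slide follow from per-header overhead and the AES block padding, and it is worth being able to recompute them when the transform set or the GRE options change. The following Python block is an added example, not from the BRKRST-2040 deck or from Cisco. Its assumptions: a 4-byte GRE header (no tunnel key or sequence number), ESP with AES-CBC (16-byte IV, 16-byte block, 2-byte pad-length/next-header trailer) and SHA-1 HMAC (12-byte truncated ICV), and 20-byte IPv4 headers. Under these assumptions the model reproduces the slide's 1434 (transport) and 1414 (tunnel) bytes, and the MSS clamp of 1360 for an IP MTU of 1400.

```python
"""Added example: GRE+IPsec overhead arithmetic behind slide 49 (not from the deck)."""

IP_HDR = 20          # IPv4 header (outer, and also inner in tunnel mode)
GRE_HDR = 4          # GRE without key or sequence number (assumption; 8 with a tunnel key)
ESP_HDR = 8          # SPI + sequence number
ESP_IV = 16          # AES-CBC IV
ESP_BLOCK = 16       # AES block size; ESP pads plaintext + trailer to a multiple of this
ESP_TRAILER = 2      # pad length + next header
ESP_ICV = 12         # HMAC-SHA-1-96 integrity check value
TCP_HDR = 20


def esp_packet_size(plaintext_len: int) -> int:
    """Bytes on the wire for the ESP-protected part: header, IV, padded payload, ICV."""
    padded = -(-(plaintext_len + ESP_TRAILER) // ESP_BLOCK) * ESP_BLOCK  # round up
    return ESP_HDR + ESP_IV + padded + ESP_ICV


def encapsulated_size(inner_packet_len: int, mode: str) -> int:
    """Outer IPv4 packet size for an inner IP packet carried over GRE+IPsec.
    transport: outer IP | ESP( GRE | inner packet )
    tunnel:    new IP   | ESP( GRE-delivery IP | GRE | inner packet )"""
    protected = GRE_HDR + inner_packet_len
    if mode == "tunnel":
        protected += IP_HDR
    elif mode != "transport":
        raise ValueError("mode must be 'tunnel' or 'transport'")
    return IP_HDR + esp_packet_size(protected)


def max_tunnel_mtu(link_mtu: int, mode: str) -> int:
    """Largest inner packet that still fits in link_mtu after encapsulation, i.e. the
    'maximum MTU' that can be set on the tunnel without the outer packet fragmenting."""
    size = link_mtu
    while encapsulated_size(size, mode) > link_mtu:
        size -= 1
    return size


def mss_for_mtu(ip_mtu: int) -> int:
    """TCP MSS to clamp with 'ip tcp adjust-mss' so segments fit the tunnel IP MTU."""
    return ip_mtu - IP_HDR - TCP_HDR


def fragments_outer(inner_packet_len: int, mode: str, link_mtu: int = 1500) -> bool:
    """True when a packet of this size would be fragmented after encapsulation."""
    return encapsulated_size(inner_packet_len, mode) > link_mtu


if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        print(f"GRE/IPsec ({mode} mode): max MTU {max_tunnel_mtu(1500, mode)} bytes")
    print("ip tcp adjust-mss for ip mtu 1400:", mss_for_mtu(1400))
    print("1500-byte packet through transport-mode tunnel fragments:",
          fragments_outer(1500, "transport"))
```

    Setting `GRE_HDR = 8` models a DMVPN tunnel configured with `tunnel key`, which drops both maxima by 4 bytes (1430 and 1410); the recommended 1400 leaves headroom for that and for other transform sets.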
• 50. Remote-Site with 3G or 4G/LTE Wireless WAN. Best Practice Uses Dialer Interface
  Select the 3G or 4G technology option: 3G/GSM, 3G/CDMA or 4G/LTE. The technology-specific process (GSM-, CDMA- or LTE-specific remote-site router configuration) follows the same steps:
  1. Finish the WAN router universal configuration
  2. Configure VRF Lite
  3. Configure the cellular interface
  4. Configure the dialer interface
  5. Configure VRF-specific default routing
  6. Apply the access list
  7. Configure ISAKMP and IPsec
  8. Configure the mGRE tunnel
  9. Configure EIGRP
  10. Configure IP multicast
  The dialer interface (Dialer1) provides a consistent method of configuration regardless of the chosen wireless technology.
  (Figure: remote-site router with cellular interface bound to Dialer1, VPN tunnel over the 3G/4G wireless WAN.)
• 51. Wireless WAN with 3G (GSM and CDMA). Two PPP Encapsulation Methods
  CDMA example:
    chat-script CDMA "" "ATDT#777" TIMEOUT 30 "CONNECT"
    !
    interface Cellular0/0/0
     bandwidth 1800
     no ip address
     encapsulation ppp
     dialer in-band
     dialer pool-member 1
     no peer default ip address
     async mode interactive
     no ppp lcp fast-start
    !
    interface Dialer1
     bandwidth 1800
     ip vrf forwarding INET-PUBLIC
     ip address negotiated
     ip access-group ACL-INET-PUBLIC in
     encapsulation ppp
     dialer pool 1
     dialer idle-timeout 0
     dialer string CDMA
     dialer persistent
     ppp ipcp address accept
    !
    line 0/0/0
     script dialer CDMA
     modem InOut
     no exec
  GSM example:
    chat-script GSM "" "ATDT*98*1#" TIMEOUT 30 "CONNECT"
    !
    interface Cellular0/0/0
     bandwidth 384
     no ip address
     encapsulation ppp
     dialer in-band
     dialer pool-member 1
     no peer default ip address
     async mode interactive
     no ppp lcp fast-start
    !
    interface Dialer1
     bandwidth 384
     ip vrf forwarding INET-PUBLIC
     ip address negotiated
     ip access-group ACL-INET-PUBLIC in
     encapsulation ppp
     dialer pool 1
     dialer idle-timeout 0
     dialer string GSM
     dialer persistent
     no ppp lcp fast-start
     ppp chap hostname ISP@CINGULARGPRS.COM
     ppp chap password 7 02252D752C3323007E1F
     ppp ipcp address accept
     ppp timeout retry 120
     ppp timeout ncp 30
    !
    line 0/0/0
     script dialer GSM
     modem InOut
     no exec
  A router with GSM must also create a profile:
    R1# cellular 0/0/0 gsm profile create 1 isp.cingular chap ISP@CINGULARGPRS.COM CINGULAR1
  Note: the CHAP secret is stored with type 7 encoding, which is reversible, and it is entered in clear text in the profile command. CHAP needs the router to hold the plaintext secret, so it cannot be stored as a one-way hash; treat running-config output and configuration backups as secret material.
• 52. Wireless WAN with 4G/LTE. Direct IP Encapsulation Instead of PPP
  LTE example:
    chat-script LTE "" "AT!CALL1" TIMEOUT 20 "OK"
    !
    interface Cellular0/0/0
     bandwidth 2000
     no ip address
     encapsulation slip
     dialer in-band
     dialer pool-member 1
     no peer default ip address
     async mode interactive
    !
    interface Dialer1
     bandwidth 2000
     ip vrf forwarding INET-PUBLIC
     ip address negotiated
     ip access-group ACL-INET-PUBLIC in
     encapsulation slip
     dialer pool 1
     dialer idle-timeout 0
     dialer string LTE
     dialer persistent
    !
    line 0/0/0
     script dialer LTE
     modem InOut
     no exec
  • Direct IP requires the SLIP encapsulation keyword
  • No PPP authentication parameters required
  • No profile required
  • An LTE recovery script is recommended
  (Figure: single router R1 with Ce0/0/0 on the 3G/4G wireless WAN and VLAN 64 (data) on the LAN; no HSRP required; VPN tunnel to the hub.)
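The 3G and LTE dialer configurations above share the items that matter for a spoke's Internet-facing interface: it lives in the front-door VRF, carries an inbound ACL, and stays up persistently. As an added example that is not part of the Cisco deck, the Python below audits a spoke configuration for those items and decodes any CHAP secret stored with type 7 encoding, using the publicly known type 7 key. The sample configuration is a constructed copy of the GSM dialer on the previous slide; the function names, the findings text and the fvrf parameter are the example's own.

```python
import re

# Constructed sample: the GSM spoke configuration from the slide, trimmed.
SAMPLE_CONFIG = """\
interface Cellular0/0/0
 bandwidth 384
 no ip address
 encapsulation ppp
 dialer in-band
 dialer pool-member 1
!
interface Dialer1
 bandwidth 384
 ip vrf forwarding INET-PUBLIC
 ip address negotiated
 ip access-group ACL-INET-PUBLIC in
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer string GSM
 dialer persistent
 ppp chap hostname ISP@CINGULARGPRS.COM
 ppp chap password 7 02252D752C3323007E1F
 ppp ipcp address accept
!
"""

# Fixed XOR key used by Cisco type 7 password encoding.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded):
    """Reverse a type 7 string: a two-digit key offset, then one hex byte per
    character XORed with the fixed key.  Obfuscation, not encryption."""
    seed = int(encoded[:2])
    body = encoded[2:]
    out = []
    for i in range(0, len(body), 2):
        byte = int(body[i:i + 2], 16)
        out.append(chr(byte ^ ord(TYPE7_KEY[(seed + i // 2) % len(TYPE7_KEY)])))
    return "".join(out)


def parse_interfaces(config):
    """Map interface name -> list of its (stripped) configuration lines."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith("!"):
            current = None
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def audit_spoke(config, fvrf="INET-PUBLIC"):
    """Findings for the Internet-facing dialer interface(s) of a DMVPN spoke."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not name.startswith("Dialer"):
            continue
        if f"ip vrf forwarding {fvrf}" not in lines:
            findings.append(f"{name}: not in front-door VRF {fvrf}")
        if not any(re.match(r"ip access-group \S+ in$", ln) for ln in lines):
            findings.append(f"{name}: no inbound ACL on Internet-facing interface")
        if "dialer persistent" not in lines:
            findings.append(f"{name}: dialer not persistent; link only dials on interesting traffic")
        for ln in lines:
            m = re.match(r"ppp chap password 7 (\S+)", ln)
            if m:
                findings.append(f"{name}: CHAP secret is type 7 (reversible): "
                                f"{decode_type7(m.group(1))!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_spoke(SAMPLE_CONFIG):
        print(finding)
```

Run against the slide's configuration the audit reports a single finding, the recovered CHAP secret, which is the same string the operator typed into the profile command. The type 7 finding is not something the configuration can fix: CHAP requires the plaintext on the router, so the control that matters is who can read the running configuration and where backups of it end up.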
• 53. Wireless WAN with 3G/4G Backup. Enhanced Object Tracking (EOT) with EEM Scripts
  IP SLA probe, tracked object and EEM applet on R1:
    ip sla 100
     icmp-echo 192.168.3.26 source-interface GigabitEthernet0/0
     timeout 1000
     threshold 1000
     frequency 15
    ip sla schedule 100 life forever start-time now
    !
    track 60 ip sla 100 reachability
    !
    event manager applet ACTIVATE-3G
     event track 60 state down
     action 1 cli command "enable"
     action 2 cli command "configure terminal"
     action 3 cli command "interface cellular0/0/0"
     action 4 cli command "no shutdown"
     action 5 cli command "end"
     action 99 syslog msg "Activating 3G interface"
  Note: This method is also compatible with a dual-router design (probes are sent from R2).
  Note: this applet only activates the cellular interface. Shutting it down again when track 60 returns to up needs a companion applet (event track 60 state up); otherwise the cellular link stays up, and billable, after the primary WAN recovers.
  Router log when the primary WAN fails:
    14:22:14: %TRACKING-5-STATE: 60 ip sla 100 reachability Up->Down
    14:22:14: %SYS-5-CONFIG_I: Configured from console by on vty0 (EEM:ACTIVATE-3G)
    14:22:14: %HA_EM-6-LOG: ACTIVATE-3G: Activating 3G interface
    14:22:34: %LINK-3-UPDOWN: Interface Cellular0/0/0, changed state to up
    14:22:34: %DIALER-6-BIND: Interface Ce0/0/0 bound to profile Di1
    14:22:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0/0/0, changed state to up
    14:22:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel10, changed state to up
    14:22:40: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
    14:22:42: %DUAL-5-NBRCHANGE: EIGRP-IPv4 200: Neighbor 10.4.34.1 (Tunnel11) is up: new adjacency
  (Figure: single router R1 with Ce0/0/0 on the 3G/4G wireless WAN and VLAN 64 (data); no HSRP required; IP SLA probe sent over the primary WAN.)
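The log excerpt above is the sequence a successful failover produces. As an added example (not part of the Cisco deck), the Python below parses that kind of syslog output, measures the time from the tracked object going down to the EIGRP adjacency over the backup tunnel, and separates configuration changes made by the known EEM applets from any other %SYS-5-CONFIG_I event, which is the check a monitoring pipeline for these routers would run. The sample log lines are constructed from the slide; the expected event sequence, the applet whitelist (the applets on this slide and the next) and the function names are assumptions of the example.

```python
import re
from datetime import datetime

# Constructed from the router output on the slide: primary WAN fails at
# 14:22:14 and the EEM applet brings up the cellular interface.
SAMPLE_LOG = """\
14:22:14: %TRACKING-5-STATE: 60 ip sla 100 reachability Up->Down
14:22:14: %SYS-5-CONFIG_I: Configured from console by on vty0 (EEM:ACTIVATE-3G)
14:22:14: %HA_EM-6-LOG: ACTIVATE-3G: Activating 3G interface
14:22:34: %LINK-3-UPDOWN: Interface Cellular0/0/0, changed state to up
14:22:34: %DIALER-6-BIND: Interface Ce0/0/0 bound to profile Di1
14:22:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0/0/0, changed state to up
14:22:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel10, changed state to up
14:22:40: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
14:22:42: %DUAL-5-NBRCHANGE: EIGRP-IPv4 200: Neighbor 10.4.34.1 (Tunnel11) is up: new adjacency
"""

# hh:mm:ss: %FACILITY-SEVERITY-MNEMONIC: message
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d): %([A-Z_]+)-(\d)-([A-Z_]+): (.*)$")

# Milestones a healthy failover must hit, in this order (assumed by the example).
EXPECTED_SEQUENCE = [
    ("TRACKING-STATE", "Up->Down"),
    ("HA_EM-LOG", "ACTIVATE-3G"),
    ("LINEPROTO-UPDOWN", "Cellular0/0/0, changed state to up"),
    ("LINEPROTO-UPDOWN", "Tunnel"),
    ("DUAL-NBRCHANGE", "new adjacency"),
]

# Config changes by these applets are expected automation; anything else that
# logs %SYS-5-CONFIG_I is a change an operator has to be able to explain.
ALLOWED_EEM_APPLETS = {"ACTIVATE-3G", "TIME-OF-DAY-ACTIVATE-3G",
                       "TIME-OF-DAY-DEACTIVATE-3G"}


def parse(log):
    """Turn syslog lines into dicts; lines that do not match are ignored."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, fac, sev, mnem, msg = m.groups()
            events.append({"time": datetime.strptime(ts, "%H:%M:%S"),
                           "key": f"{fac}-{mnem}", "sev": int(sev), "msg": msg})
    return events


def failover_time(events):
    """Seconds from track-down to the EIGRP adjacency on the backup tunnel, or
    None if the milestones did not all occur in order (no midnight handling)."""
    idx, start = 0, None
    for e in events:
        key, needle = EXPECTED_SEQUENCE[idx]
        if e["key"] == key and needle in e["msg"]:
            if start is None:
                start = e["time"]
            idx += 1
            if idx == len(EXPECTED_SEQUENCE):
                return (e["time"] - start).total_seconds()
    return None


def unexpected_config_changes(events):
    """%SYS-5-CONFIG_I messages not attributable to a whitelisted EEM applet."""
    out = []
    for e in events:
        if e["key"] != "SYS-CONFIG_I":
            continue
        m = re.search(r"\(EEM:([^)]+)\)", e["msg"])
        if not m or m.group(1) not in ALLOWED_EEM_APPLETS:
            out.append(e["msg"])
    return out


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("failover took", failover_time(ev), "seconds")
    print("unexplained config changes:", unexpected_config_changes(ev))
```

On the slide's log the failover completes in 28 seconds and the only configuration change is the one made by ACTIVATE-3G. A CONFIG_I line without an (EEM:...) suffix, or with an applet name outside the whitelist, is what the second check surfaces.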
• 54. Wireless WAN with 3G/4G Only Link. Time-Based Connection with EEM Scripts
  R1 configuration:
    event manager applet TIME-OF-DAY-ACTIVATE-3G
     event timer cron cron-entry "45 4 * * 1-5"
     action 1 cli command "enable"
     action 2 cli command "configure terminal"
     action 3 cli command "interface cellular0/0/0"
     action 4 cli command "no shutdown"
     action 5 cli command "end"
     action 99 syslog msg "M-F @ 4:45AM Activating 3G interface"
    !
    event manager applet TIME-OF-DAY-DEACTIVATE-3G
     event timer cron cron-entry "15 18 * * 1-5"
     action 1 cli command "enable"
     action 2 cli command "configure terminal"
     action 3 cli command "interface cellular0/0/0"
     action 4 cli command "shutdown"
     action 5 cli command "end"
     action 99 syslog msg "M-F @ 6:15PM Deactivating 3G interface"
  • Limit connection time to reduce usage charges
  • EEM scripts leverage cron
  • Additional scripting or enhancements can allow for manual override for weekend or after-hours use
  (Figure: single router R1 with Ce0/0/0 on the 3G/4G wireless WAN and VLAN 64 (data); no HSRP required; VPN tunnel to the hub.)
• 55. WAN Quality of Service. Defining SBA QoS Classes of Service
  Class of Service   | Traffic Type                                                      | DSCP Value(s) | Bandwidth (%) | Congestion Avoidance
  VOICE              | Voice traffic                                                     | ef            | 10 (PQ)       |
  INTERACTIVE-VIDEO  | Interactive video (video conferencing)                            | cs4 af41      | 23 (PQ)       |
  CRITICAL-DATA      | Highly interactive (such as Telnet, Citrix, and Oracle thin clients) | cs3 af31   | 15            | DSCP based
  DATA               | Data                                                              | af21          | 19            | DSCP based
  SCAVENGER          | Scavenger                                                         | cs1 af11      | 5             |
  NETWORK-CRITICAL   | Routing protocols; operations, administration and maintenance (OAM) traffic | cs2 cs6 | 3       |
  class-default      | Best effort                                                       | other         | 25            | random
  All WAN routers:
    class-map match-any VOICE
     match dscp ef
    class-map match-any INTERACTIVE-VIDEO
     match dscp cs4 af41
    class-map match-any CRITICAL-DATA
     match dscp cs3 af31
    class-map match-any DATA
     match dscp af21
    class-map match-any SCAVENGER
     match dscp cs1 af11
    class-map match-any NETWORK-CRITICAL
     match dscp cs2 cs6
  For MPLS CE routers:
    class-map match-any BGP-ROUTING
     match protocol bgp
    policy-map MARK-BGP
     class BGP-ROUTING
      set dscp cs6
  For DMVPN routers (the match-any NETWORK-CRITICAL class additionally matches IKE on UDP 500, so tunnel keepalives and rekeys are protected under congestion):
    ip access-list extended ISAKMP
     permit udp any eq isakmp any eq isakmp
    class-map match-any NETWORK-CRITICAL
     match access-group name ISAKMP
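The class-maps above classify on DSCP, and on DMVPN routers NETWORK-CRITICAL additionally matches the ISAKMP access list. The Python below is an added example, not from the Cisco deck: it parses those class-map lines, classifies a packet the way the router does (first match in configuration order, else class-default), and checks the bandwidth column (sums to 100, priority classes within the one-third-of-link guideline Cisco gives for LLQ). The DSCP name-to-value table follows RFC 2474, RFC 2597 and RFC 3246; the ACL is modeled only for the udp/500 rule on the slide; function names are the example's own.

```python
# Constructed input: the class-map definitions from the slide as they appear
# on a DMVPN spoke (NETWORK-CRITICAL with the extra ISAKMP ACL match).
CLASS_MAP_CONFIG = """\
class-map match-any VOICE
 match dscp ef
class-map match-any INTERACTIVE-VIDEO
 match dscp cs4 af41
class-map match-any CRITICAL-DATA
 match dscp cs3 af31
class-map match-any DATA
 match dscp af21
class-map match-any SCAVENGER
 match dscp cs1 af11
class-map match-any NETWORK-CRITICAL
 match dscp cs2 cs6
 match access-group name ISAKMP
"""

# Bandwidth column of the SBA class table; (PQ) classes are strict priority.
BANDWIDTH_PCT = {"VOICE": 10, "INTERACTIVE-VIDEO": 23, "CRITICAL-DATA": 15,
                 "DATA": 19, "SCAVENGER": 5, "NETWORK-CRITICAL": 3,
                 "class-default": 25}
PRIORITY_CLASSES = {"VOICE", "INTERACTIVE-VIDEO"}

# Named DSCP code points -> decimal (ef=46, csN=8N, afXY=8X+2Y).
DSCP = {"ef": 46,
        **{f"cs{i}": i * 8 for i in range(8)},
        **{f"af{c}{d}": c * 8 + d * 2 for c in range(1, 5) for d in range(1, 4)}}

# The one ACL on the slide: permit udp any eq isakmp any eq isakmp (UDP 500).
ACLS = {"ISAKMP": [{"proto": "udp", "sport": 500, "dport": 500}]}


def parse_class_maps(config):
    """class name -> {'dscp': set of decimal values, 'acl': set of ACL names},
    preserving configuration order."""
    classes, cur = {}, None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("class-map "):
            cur = words[-1]
            classes[cur] = {"dscp": set(), "acl": set()}
        elif cur and words[:2] == ["match", "dscp"]:
            classes[cur]["dscp"].update(DSCP[name] for name in words[2:])
        elif cur and words[:3] == ["match", "access-group", "name"]:
            classes[cur]["acl"].add(words[-1])
    return classes


def acl_permits(acl_name, proto, sport, dport):
    return any(r["proto"] == proto and r["sport"] == sport and r["dport"] == dport
               for r in ACLS.get(acl_name, []))


def classify(classes, dscp, proto="", sport=0, dport=0):
    """First class whose DSCP list or ACL matches, else class-default."""
    for name, rule in classes.items():
        if dscp in rule["dscp"]:
            return name
        if any(acl_permits(a, proto, sport, dport) for a in rule["acl"]):
            return name
    return "class-default"


def check_bandwidth(pct=BANDWIDTH_PCT):
    """Checks to run before committing the policy-map."""
    total = sum(pct.values())
    pq = sum(pct[c] for c in PRIORITY_CLASSES)
    return {"total": total, "sums_to_100": total == 100,
            "priority_pct": pq, "priority_within_33": pq <= 33}


if __name__ == "__main__":
    cm = parse_class_maps(CLASS_MAP_CONFIG)
    print("DSCP 46 ->", classify(cm, DSCP["ef"]))
    print("IKE udp/500 ->", classify(cm, 0, "udp", 500, 500))
    print("NAT-T udp/4500 ->", classify(cm, 0, "udp", 4500, 4500))
    print(check_bandwidth())
```

One thing the classifier makes visible: NAT traversal moves IKE and ESP to UDP 4500, which the ISAKMP access list does not match, so a NAT-ed spoke's IKE traffic lands in class-default unless the ACL is extended to port 4500.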
• 56. WAN Design and Deployment Using SBA. Agenda
  • SBA WAN Overview
  • SBA WAN Design Methodology
  • Key Aspects of the Design
  • Summary
• 57. Summary
  • The SBA WAN design methodology allows for either a small or large scale initial deployment.
  • Flexibility is built into the WAN and remote-site design. Adding additional scale, resiliency or capabilities is straightforward.
  • The SBA WAN design uses advanced features and capabilities. Each is documented in a prescriptive manner.
    ‒ Route-maps ensure routing stability
    ‒ F-VRF DMVPN permits spoke-spoke with central tunneling
    ‒ WAAS GRE negotiated return enables shared clusters
    ‒ EEM scripts extend capabilities of EOT