WAN Virtualization Using Over-the-Top (OTP) TechAdvantage Webinar
Slides and recording from the December 2013 Cisco TechAdvantage Webinar that provides an introduction to our latest enterprise routing feature: Over-the-Top (OTP).

OTP enables customers to quickly and easily deploy remote offices and data centers in a multi-carrier IP WAN design. Customers no longer need to peer with Service Providers, exchange internal routes with them, create filters, or redistribute routes into and out of their Interior Gateway Protocol (IGP). OTP simplifies multi-site deployments by utilizing a "route reflector" architecture in which all participating WAN routers exchange their internal routes, and the data path operates independently from the underlying WAN network, facilitating seamless introduction of new branch sites into the customer WAN network.

With OTP, customers can deploy Enhanced Interior Gateway Routing Protocol (EIGRP) end-to-end, from site to site over the WAN, making their IGP network behave as a single autonomous system. This greatly reduces operational costs and simplifies WAN deployments. The session shows how to configure various deployment scenarios, including point-to-point site connections, route reflectors, dual homing, dual providers, and encryption for public networks.

WebEx Replay: https://cisco.webex.com/ciscosales/lsr.php?AT=pb&SP=EC&rID=73537722&rKey=db4b96a94fca1d5b


  1. Cisco TechAdvantage Webinars: WAN Virtualization using OTP
     Donnie Savage – TME
     Chris Le – PM
     We’ll get started a few minutes past the top of the hour. Note: You may not hear any audio until we get started. Follow us @GetYourBuildOn
  2. Housekeeping
     •  Submit questions in Q&A panel and send to “All Panelists”. Avoid CHAT window for better access to panelists
     •  For WebEx audio, select COMMUNICATE > Join Audio Broadcast
     •  For WebEx call back, click ALLOW phone button at the bottom of participants side panel
     •  Where can I get the presentation? Or send email to: ask_techadvantage@cisco.com
     •  Please complete the post-event survey
     •  Join us for upcoming TechAdvantage Webinars: www.cisco.com/go/techadvantage
     Presentation_ID © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
  3. Speaker & Panelists Introduction
     Speaker: Donnie Savage, Technical Leader, dsavage@cisco.com
     Panelists: Chris Le, Product Manager, cle@cisco.com; Saul Adler, Technical Leader, sadler@cisco.com
  4. Overview
  5. PE-CE Issues
     Diagram: MPLS VPN Core with PE1 and PE2; CE1 at Site 1, CE2 at Site 2
     §  Service Provider must redistribute and carry Enterprise routes via MP-iBGP
        –  Either EIGRP or eBGP must be run between the CE/PE
        –  BGP route propagation impacts the Site’s convergence
        –  Provider often limits the number of routes being redistributed
        –  Route flaps within sites result in BGP convergence events
        –  Route metric changes result in new extended communities flooded into the core
     §  Enterprise and Service Provider must co-support the deployment
        –  Managed service is required, even if not needed
        –  Control of traffic flow using multiple providers is problematic
        –  Changing providers results in migration issues
  6. PE-CE Issues with Backdoor Links
     Diagram: MPLS VPN Cloud with PE1 and PE2; CE1 at Site 1 and CE2 at Site 2 are also joined by a Backdoor Link (C3, C4)
     §  Route redistribution adds deployment complications
        –  Without PE/CE support, the back-door must be redistributed into a second instance of EIGRP
        –  With PE/CE support, SoO (route) tagging must be used to prevent count-to-infinity issues due to BGP’s slower convergence
  7. OTP – Overview: WAN Virtualization using OTP
     §  OTP supports transparent CE to CE Routing
     §  Single “end-to-end” IGP solution with:
        –  NO special requirement on Service Provider
        –  NO special requirement on Enterprise
        –  NO routing protocol on CE/PE link
        –  NO need for route redistribution
        –  NO need for default or static routes
     Diagram (EIGRP OTP versus BGP PE/CE): Simplicity vs. Complexity; Carrier Independence vs. Carrier Involvement; Zero Redistribution vs. Multiple Redistribution; Private & Secure vs. Public & Unsecure
  8. OTP – Enterprise Benefits: EIGRP Support for WAN Transparency
     §  EIGRP OTP Enterprise benefits
        –  Simple configuration and deployment for both IPv4 and IPv6
        –  Single routing protocol solution; convergence does not depend on the Service Provider
        –  Routes are carried over the Service Provider’s network, not through it
        –  No artificial limitation on the number of routes being exchanged between sites
        –  Support for multiple MPLS VPN backbone connections
        –  Support for connections not part of the MPLS VPN backbone (“backdoor” links)
        –  Only the CE needs to be upgraded
        –  Works with both traditional managed and non-managed internet connections
        –  Complements an L3 Any-to-Any architecture (optional hair pinning of traffic)
  9. OTP – Service Provider Benefits: EIGRP Support for WAN Transparency
     §  EIGRP OTP Service Provider benefits
        –  Allow customers to segment their network using an MPLS VPN backbone
        –  All user traffic appears as unicast IP data packets
        –  No routing protocol is needed on the CE to PE link
        –  Customer routes are NOT carried in the MPLS VPN backbone
        –  Customer route flaps do not generate BGP convergence events
        –  Smaller BGP routing tables, smaller memory footprint, lower CPU usage
        –  No upgrade requirements for PE or any MPLS VPN backbone router
        –  Multivendor PE support
  10. OTP WAN Solution Analysis Overview
      | | EIGRP OTP | DMVPN / Internet | MPLS VPN | MPLS+DMVPN |
      |---|---|---|---|---|
      | Control Plane | EIGRP | IGP/BGP + NHRP; LAN IGP | eBGP/iBGP; LAN IGP | IGP/BGP + NHRP; eBGP; LAN IGP |
      | Data Plane | LISP | mGRE | IP | IP + mGRE |
      | Privacy | GETVPN | IPSec over mGRE | GETVPN | GETVPN + DMVPN |
      | Routing Policies | EIGRP, EIGRP Stub | EIGRP Stub | Redistribution and route filtering | EIGRP Stub, Redistribution, filtering, Multiple AS |
      | Network Virtualization | VRF/EVN to LISP multitenancy | DMVPN VRF-Lite; MPLS or DMVPN | Multi-VRF CEs and multiple IP VPNs | Multi-VRF CEs and DMVPN VRF-Lite |
      | Convergence Branch/Hub | Branch Fast; Hub Fast | Branch Fast; Hub Fast | Branch / Hub carrier dependent | Carrier and DMVPN hub dependent |
      | Multicast Support | Planned | PIM Hub-n-Spoke | PIM MVPN | MVPN + DMVPN Hub-n-Spoke |
      | Provider Dependence | No | No | Yes | Yes/No |
  11. OTP – How it Works
      Diagram: CE-1 (EIGRP AS 4453) and CE-2 (EIGRP AS 4453) across the Service Provider MPLS VPN
      §  CE routers exchange information using unicast packets
         –  Internal site routes are passed “Over the ToP” to other Sites
         –  Routes are not redistributed into the WAN
      §  Unicast packets are sourced FROM the public interface
         –  No static routes are needed
         –  No default routes are needed
      §  Data packet delivery is accomplished using LISP to encapsulate site-to-site traffic
  12. OTP – Data Plane: LISP Header Format (IPv4 example)
      Diagram: site DATA enters the Internal Interface and leaves the External Interface as LISP DATA through the LISP0 interface
      LISP encapsulation uses 36 bytes: IP header (20 Bytes), UDP header (8 Bytes), LISP header (8 Bytes)
      OH – Outer Header (LISP Encap packet):
         –  Source Routing Locator: Public address of external Interface
         –  Destination Routing Locator: Public address provided by network configuration
         –  Source Port: Set by LISP
         –  Instance ID: Set by EIGRP
      IH – Inner Header (Site Data packet):
         –  Source EID (Site private address)
         –  Destination EID (Site private address)

      Packet layout (outer IPv4 header, UDP header, LISP header, then the inner IPv4 header):

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |Version|  IHL  |Type of Service|          Total Length         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |         Identification        |Flags|      Fragment Offset    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  Time to Live | Protocol = 17 |         Header Checksum       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                    Source Routing Locator                     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                  Destination Routing Locator                  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |       Source Port = xxxx      |       Dest Port = 4341        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |           UDP Length          |        UDP Checksum           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |N|L|E|V|I|flags|            Nonce/Map-Version                  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                Instance ID/Locator Status Bits                |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |Version|  IHL  |Type of Service|          Total Length         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |         Identification        |Flags|      Fragment Offset    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  Time to Live |    Protocol   |         Header Checksum       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          Source EID                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                        Destination EID                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
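As an added worked example (not code from the deck or from Cisco), the Python below builds a LISP-encapsulated IPv4 packet with the 36-byte outer header shown above and parses it back, checking the UDP destination port 4341 and recovering the RLOCs, the instance ID and the inner EIDs. All addresses, the nonce, the source port and the instance ID are constructed sample values, and the IP and UDP checksums are left at zero.

```python
"""LISP data-plane encapsulation as used by EIGRP OTP (slide 12).

Added example, not Cisco code: encapsulate() wraps a site packet in the
36-byte outer IPv4 + UDP + LISP header and parse_lisp_packet() reverses it.
Addresses, ports, nonce and instance ID below are constructed sample values;
IP and UDP checksums are left at zero to keep the example short.
"""
import socket
import struct

LISP_DATA_PORT = 4341           # UDP destination port for LISP data packets
IPV4_HDR = "!BBHHHBBH4s4s"      # 20-byte IPv4 header without options
ENCAP_OVERHEAD = 20 + 8 + 8     # outer IPv4 + UDP + LISP = 36 bytes


def _ipv4_header(src, dst, payload_len, proto, ttl=64):
    """Minimal IPv4 header (version 4, IHL 5, checksum left at 0)."""
    return struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def _lisp_header(instance_id, nonce):
    """8-byte LISP header with the N (nonce) and I (instance ID) flags set.

    Word 1: N L E V I flags (8 bits) + 24-bit nonce.
    Word 2: 24-bit instance ID (set by EIGRP) + 8 locator-status bits.
    """
    flags = 0x80 | 0x08
    word1 = (flags << 24) | (nonce & 0xFFFFFF)
    word2 = ((instance_id & 0xFFFFFF) << 8) | 0x01   # LSB: first locator is up
    return struct.pack("!II", word1, word2)


def encapsulate(src_rloc, dst_rloc, src_eid, dst_eid, payload,
                instance_id, nonce=0xABCDEF, src_port=0xC000):
    """Build outer IPv4 (RLOCs) + UDP + LISP + inner IPv4 (EIDs) + payload."""
    inner = _ipv4_header(src_eid, dst_eid, len(payload), 17) + payload
    lisp = _lisp_header(instance_id, nonce)
    udp = struct.pack("!HHHH", src_port, LISP_DATA_PORT, 8 + len(lisp) + len(inner), 0)
    outer = _ipv4_header(src_rloc, dst_rloc, len(udp) + len(lisp) + len(inner), 17)
    return outer + udp + lisp + inner


def parse_lisp_packet(pkt):
    """Return the RLOCs, LISP fields, EIDs and payload; raise ValueError if malformed."""
    if len(pkt) < ENCAP_OVERHEAD + 20:
        raise ValueError("shorter than the 36-byte encapsulation plus an inner IPv4 header")
    vihl, _, total_len, _, _, _, proto, _, src_rloc, dst_rloc = struct.unpack(IPV4_HDR, pkt[:20])
    if vihl != 0x45 or proto != 17:
        raise ValueError("outer header is not IPv4/UDP")
    if total_len != len(pkt):
        raise ValueError("outer Total Length does not match packet size")
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", pkt[20:28])
    if dst_port != LISP_DATA_PORT:
        raise ValueError(f"UDP destination port {dst_port} is not the LISP data port 4341")
    if udp_len != len(pkt) - 20:
        raise ValueError("UDP Length does not match packet size")
    word1, word2 = struct.unpack("!II", pkt[28:36])
    flags = word1 >> 24
    ivihl, _, _, _, _, _, iproto, _, src_eid, dst_eid = struct.unpack(IPV4_HDR, pkt[36:56])
    if ivihl != 0x45:
        raise ValueError("inner header is not IPv4")
    return {
        "src_rloc": socket.inet_ntoa(src_rloc),
        "dst_rloc": socket.inet_ntoa(dst_rloc),
        "src_port": src_port,
        "nonce": (word1 & 0xFFFFFF) if flags & 0x80 else None,
        "instance_id": (word2 >> 8) if flags & 0x08 else None,
        "src_eid": socket.inet_ntoa(src_eid),
        "dst_eid": socket.inet_ntoa(dst_eid),
        "inner_proto": iproto,
        "payload": pkt[56:],
    }


if __name__ == "__main__":
    # CE-1 (RLOC 172.16.1.1) forwards a site packet 10.1.1.10 -> 10.1.2.20 to CE-2
    pkt = encapsulate("172.16.1.1", "172.16.2.2", "10.1.1.10", "10.1.2.20",
                      b"site data", instance_id=4453)
    print(len(pkt), parse_lisp_packet(pkt))
```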
  13. OTP Configuration Overview
      §  Checking for support (IOS/XR, ISR): show eigrp plugins detail
         CE4#show eigrp plugins detailed
         EIGRP feature plugins:::
           eigrp-release : 15.00.00 : Portable EIGRP Release
                         :  4.00.00 : Source Component Release(dev15)
                                    + HMAC-SHA-256 Authentication
           parser        :  2.02.00 : EIGRP Parser Support
           igrp2         :  2.00.00 : Reliable Transport/Dual Database
                                    + Wide Metrics
           bfd           :  2.00.00 : BFD Platform Support
           mtr           :  1.00.01 : Multi-Topology Routing(MTR)
           eigrp-pfr     :  1.00.01 : Performance Routing Support
                                    + IPv4 PFR
           EVN/vNets     :  1.00.00 : Easy Virtual Network (EVN/vNets)
                                    + IPv4 EVN/vNets
           ipv4-af       :  2.01.01 : Routing Protocol Support
                                    + Dynamic Remote Neighbors
           ipv6-af       :  1.02.00 : Service Distribution Support
                                    + Dynamic Remote Neighbors
      §  Configuration used by OTP
         1.  configure terminal
         2.  router eigrp virtual-name
         3.  address-family ipv4 autonomous-system as-number
         4.  af-interface interface-type interface-number
         5.  no split-horizon
         6.  no next-hop-self
         7.  exit-af-interface
         8.  neighbor {ip-address | ipv6-address} interface-type interface-number [remote maximum-hops [lisp-encap [lisp-id]]]
         9.  end
      §  Cisco Configuration Guide: http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_eigrp/configuration/xe-3s/ire-eigrp-over-the-top.html
  14. Point to Point Peering
  15. OTP – Deployment: Point-to-Point
      Diagram: CE-1 and CE-2 (both EIGRP AS 4453) exchange Hello packets and LISP-encapsulated DATA across the Service Provider MPLS VPN
      CE-1:
        interface Ethernet0/2
         ip address 172.16.1.1 255.255.255.0
        !
        router eigrp ROCKS
         address-family ipv4 unicast auto 4453
          neighbor 172.16.2.2 Ethernet0/2 remote 10 lisp-encap
          ...
      CE-2:
        interface Ethernet0/2
         ip address 172.16.2.2 255.255.255.0
        !
        router eigrp ROCKS
         address-family ipv4 unicast auto 4453
          neighbor 172.16.1.1 Ethernet0/2 remote 10 lisp-encap
          ...
      §  Control Plane peering is accomplished with the EIGRP “neighbor” statement
         –  CE-1 sends unicast packets to CE-2’s public address (172.16.2.2)
         –  CE-2 sends unicast packets to CE-1’s public address (172.16.1.1)
      §  Data Plane packet delivery is accomplished with LISP encapsulation
         –  Encapsulation happens on the CE routers
  16. Route Reflector Peering
  17. OTP – Deployment: Point to Multi-Point – Multiple Branch Sites
      §  Use EIGRP Route-Reflectors when setting up multiple branches
      §  Choose one of the CE routers to function as Route Reflector (RR)
      §  Purpose of the Route Reflector is to ‘reflect’, or advertise, routes received to other CE routers
      §  Control plane is deployed in a “Hub-and-spoke” topology
      §  Data from CE routers will ‘hairpin’ through the RR
      RR configuration:
        router eigrp ROCKS
         address-family ipv4 unicast auto 4453
          remote-neighbors source Serial 0/0 unicast-listen lisp-encap
          af-interface serial 0/0
           no split-horizon
          exit-af-interface
          ...
      Q: In the example, if CE-1 advertises a route to the RR, will the Route Reflector propagate it to CE-2 and CE-3?
      A: Only if split horizon is disabled on the interface!
      Diagram: RR hub with spoke CEs, all EIGRP AS 4453 (legend: CP = control plane, DP = data plane)
  18. OTP – Deployment: Point to Multi-Point – Adding Branch Sites
      §  EIGRP Route Reflector simplifies adding additional branches
      §  Configure the new CE to point to the RR
      §  Adding additional CE routers does not require a change to the configuration of the Route Reflector (RR)
      New CE configuration:
        address-family ipv4 unicast auto 4453
         neighbor 172.16.1.1 Serial 0/2 remote 10 lisp-encap
         ...
        exit-address-family
      Diagram: RR hub with spoke CEs, all EIGRP AS 4453 (legend: CP = control plane, DP = data plane)
  19. OTP – Deployment: Point to Multi-Point – Any-to-Any Data
      §  Any-to-Any data is accomplished using 3rd Party Next hop support. Each CE normally shows the Route Reflector (RR) as the next hop, and data will ‘hairpin’ through the RR to get to other sites
      §  Configuring “no next-hop-self” on the Route Reflector will cause the original next-hop to be preserved when route updates are sent
      §  When a CE gets an update with a non-zero next-hop address, it installs that next-hop in the RIB
      §  Traffic for the remote CE will be sent directly to that next-hop
      RR configuration:
        router eigrp ROCKS
         address-family ipv4 unicast auto 4453
          remote-neighbors source Serial 0/0 unicast-listen lisp-encap
          af-interface serial 0/0
           no split-horizon
           no next-hop-self
          exit-af-interface
          ...
      Topology table on a spoke (next-hop preserved as the originating CE):
        EIGRP-IPv4 VR(ROCKS) Topology Table for AS(4453)/ID(10.1.0.1)
        ....
        P 10.1.1.0/24, 1 successors
            via 10.1.2.1
      Diagram: RR hub with spoke CEs, all EIGRP AS 4453 (legend: CP = control plane, DP = data plane)
  20. Backdoor Links
  21. OTP – Backdoor Links
      §  Use the MPLS-VPN core for the site-to-site connectivity
      §  Use the “back-door” link in case of a failure (these are usually low-speed links)
      Diagram: Headquarters CE and Remote Office CE peer over an EIGRP-OTP Session across the Service Provider MPLS VPN; C1 and C2 are joined by the Backdoor Link
      §  EIGRP end-to-end ensures
         -  Prefixes appear as native routes across the ISP network
         -  Internal routes show up as internal
      §  Normal path selection; use ‘delay’ on the interface to influence path selection
  22. OTP – Backdoor Links
      Diagram: Headquarters CE and Remote Office CE across the Service Provider MPLS VPN; Backdoor Link between C1 and C2
      C1 and C2 (backdoor link interface):
        interface Serial0/0
         delay 40000
         . . .
      §  Convergence events in the Customer’s network:
         -  Do not depend on MPLS convergence
         -  Do not impact the MPLS Core
      §  Routing works as expected in the event of an outage via the Service Provider
  23. OTP Deployment Considerations
  24. OTP – Deployment: Route Reflector – Redundancy (OTP Dual Hub, Dual Service Provider)
      Diagram: Hub 1 and Hub 2 reach Site1 and Site2 through Service Provider 1 and Service Provider 2
      §  OTP is able to handle Dual Hub and Dual Service Provider connections
      §  Stub Co-Existence allows for Dual Hubs
         –  Support for dual Hubs for redundancy and load-balancing
         –  Spoke to spoke load balancing and redundancy
      §  Equal Cost MultiPath (15.2(3)T, 15.2(1)S)
         –  When the destination network is reachable via more than one peer on the same interface, the ip next-hop needs to be preserved over both paths
      §  Add-path (15.3(1)S)
         –  Spoke site has multiple spoke routers and wants to be able to load-balance spoke-spoke tunnels going into this spoke site
         –  Up to 4 additional Nexthop addresses (5 total)
  25. OTP – Deployment: Route Reflector – Scaling (EIGRP Hub and Spoke (STUBs))
      Diagram: A and B reach 10.1.1.0/24 through RR-1 and RR-2; the dual-connected spoke sites are marked “Don’t Use These Paths”
      §  EIGRP offers the best scaling performance of all IGPs
      §  If these spokes are remote sites, they have two connections for resiliency, not so they can transit traffic between A and B
      §  A should never use the spokes as a path to anything, so there’s no reason to learn about, or query for, routes through these spokes
      §  What happens when a route or link is lost?
         →  EIGRP queries ALL neighbors
         →  Each neighbor using it to reach the destination will also query its neighbors
  26. OTP – Deployment: Route Reflector – Scaling
      §  Marking sites as “stubs” allows them to signal the Route Reflector that they are not valid transit paths
      §  The Route Reflector will not query other sites which are marked as “stubs”, reducing the total number of queries
      §  The “stub” keyword can not be used if the remote site contains complex topologies (multiple routes)
      §  The back-up routes can be deployed at remotes using “leak-maps”
      Spoke configuration:
        router eigrp ROCKS
         address-family ipv4 unicast auto 4453
          neighbor 172.16.1.2 Serial 0/2 remote 10 lisp-encap
          eigrp stub
          ...
      Diagram: A and B reach 10.1.1.0/24 through RR-1 and RR-2
  27. OTP – Deployment: Route Reflector – Scaling
      §  Most EIGRP Neighbors Recommended
         –  Maximum of 500 deployed in live, working networks
         –  2500 (Stubs) is the largest number ever tested in a lab environment
      §  Key Strategy for achieving scalability is design!
         –  Minimize advertisements between sites
         –  Use summaries with the static summary metric option
         –  Use stubs to create hub and spoke environments
         –  Use any-to-any traffic to reduce bandwidth and load on the Route Reflector
         –  Use the add-path feature to better utilize redundancy
  28. OTP – Deployment: Route Reflector – Security, Hash-based Message Authentication Code (HMAC)
      Diagram: RR authenticating its peers CE1 and CE2
      §  EIGRP offers Secure Hash Algorithms: SHA2-256 bit Algorithms
      §  The addition of SHA2-256 HMAC authentication to EIGRP packets ensures that your routers only accept routing updates from other routers that know the same pre-shared key.
      §  This prevents someone from purposely or accidentally adding another router to the network and causing a problem.
      §  The SHA2 key is a concatenation of the user-configured shared secret key along with the IPv4/IPv6 address from which this particular packet is sent. This prevents Hello Packet DOS replay attacks with a spoofed source address.
      ✓  Simpler configuration mode using a common ‘password’
      ✓  Keychain support when additional security is needed
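As an added illustration (not Cisco's implementation and not the exact EIGRP wire format) of the key property stated above, the Python below derives the HMAC key as the configured secret concatenated with the packet's IP source address and shows that a captured packet re-sent from a different source address no longer verifies. The packet bytes and addresses are constructed; SHARED_SECRET reuses the deck's "my-password" example.

```python
"""HMAC-SHA-256 keyed with "shared secret + source address" (slide 28).

Added example, not Cisco's implementation and not the exact EIGRP wire
format: it models only the property the slide states, that the HMAC key is
the configured secret concatenated with the IPv4/IPv6 address the packet is
sent from, so a packet replayed from another source address fails to verify.
Packet bytes, addresses and the secret are constructed sample values.
"""
import hashlib
import hmac
import socket

SHARED_SECRET = b"my-password"   # the deck's example password (constructed here)


def derive_key(secret, source_ip):
    """Key = secret || packed source address (4 bytes for IPv4, 16 for IPv6)."""
    family = socket.AF_INET6 if ":" in source_ip else socket.AF_INET
    return secret + socket.inet_pton(family, source_ip)


def sign_packet(secret, source_ip, packet):
    """Tag a packet as sent from source_ip."""
    return hmac.new(derive_key(secret, source_ip), packet, hashlib.sha256).digest()


def verify_packet(secret, observed_source_ip, packet, tag):
    """Verify using the address the packet actually arrived from (its IP header),
    never an address carried inside the payload."""
    return hmac.compare_digest(sign_packet(secret, observed_source_ip, packet), tag)


def replay_check():
    """Return (genuine_ok, replayed_ok, wrong_secret_ok) for a constructed hello."""
    hello = b"\x02\x05" + b"constructed EIGRP hello body"      # not a real EIGRP encoding
    tag = sign_packet(SHARED_SECRET, "172.16.1.1", hello)
    genuine = verify_packet(SHARED_SECRET, "172.16.1.1", hello, tag)
    replayed = verify_packet(SHARED_SECRET, "172.16.9.9", hello, tag)   # same bytes, other source
    wrong_secret = verify_packet(b"other-password", "172.16.1.1", hello, tag)
    return genuine, replayed, wrong_secret


if __name__ == "__main__":
    print(replay_check())   # (True, False, False)
```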
  29. OTP – Deployment: Route Reflector – Security
      •  Simple configuration using only one password
      •  Interface inheritance can simplify configuration
      •  Additional security can be added with key-chains

      Single password:
        router eigrp ROCKS
         address-family ipv4 auto 4453
          af-interface default
           authentication mode hmac-sha-256 my-password
          exit-af-interface
        !

      Password plus key-chain:
        key chain DC012-CHAIN
         key 1
          key-string securetraffic
        !
        router eigrp ROCKS
         address-family ipv4 auto 4453
          af-interface default
           authentication mode hmac-sha-256 my-password
           authentication key-chain DC012-CHAIN
          exit-af-interface
        !

      Interface inheritance (af-interface default with per-interface overrides):
        router eigrp DC012-md5
         address-family ipv4 auto 4453
          af-interface default
           authentication key-chain DC012-CHAIN
          exit-af-interface
          af-interface Ethernet0
           authentication mode hmac-sha-256 ADMIN
          exit-af-interface
          af-interface Ethernet1
           authentication mode hmac-sha-256 CAMPAS
          exit-af-interface
          af-interface Ethernet2
           authentication mode hmac-sha-256 LAB
           authentication key-chain DC012-LAB
          exit-af-interface
        !
  30. OTP – Deployment: Route Reflector – Security, Group Encrypted Transport VPN (GETVPN) Encryption
      §  OTP offers secure site to site encryption using GETVPN
      §  The addition of GETVPN ensures that data and control plane traffic sent from site to site is not decodable by outside parties
      §  IPsec or GETVPN can be used
         -  Apply crypto maps to either the public interface or the LISP0 (virtual) interface
         -  EIGRP forms peers over the ‘public’ interface, so control traffic will be encrypted
      §  Split encryption can be accomplished by peering to a loopback
         -  Apply encryption to the loopback
         -  Default traffic would be forwarded to the physical interface un-encrypted
      Diagram: EIGRP Route Updates and the RIB on the Inside Interface; GETVPN on the Public Interface; Site to Site Traffic leaves via LISP0, Default Traffic via the Public Interface
  31. Case Study
  32. The Acme Corporation
      Requirements:
        –  Fast convergence (<1s if possible)
        –  Direct Spoke-to-spoke traffic
        –  1600+ sites across four countries
        –  Active/active load balancing
        –  Encryption across WAN
      Nice to have:
        –  Easy provisioning
           §  No config changes on hubs as new sites are added
           §  Zero touch deployment of branch wan router (CE)
        –  Provider flexibility
           §  Multiple providers in each country
           §  Easy migration between providers
           §  No routing exchange of internal addresses
  33. The Acme Corporation
      Diagram: sites in Sweden, France, USA and England, each attached to MPLS VPNs, joined by a Corporate Backbone
  34. The Acme Corporation: Route Exchange
      Diagram: two WAN Hubs (2 x ASR1000) acting as RRs; MPLS VPN for Branches and ATMs (A) and MPLS VPN for Branches and ATMs (B) connecting the Spokes
  35. The Acme Corporation: WAN Security with GET VPN
      Diagram: KEY SERVER on WAN Services (2 x 3945E); WAN Hubs (2 x ASR1000) as RRs and group MEMBERs; spokes as MEMBERS across MPLS VPN A and B for Branches and ATMs
  36. The Acme Corporation
      Requirements:
        –  Fast convergence (<1s if possible) – IGP speeds via end-to-end EIGRP solution
        –  Direct Spoke-to-spoke traffic – Use of no next-hop-self on RR
        –  1600+ sites across four countries – Up to 500 EIGRP spokes per RR
        –  Active/active load balancing – Ability to add 4 additional ECMP via add-path
        –  Encryption across WAN – GET VPN
      Nice to have:
        –  Easy provisioning
           §  No config changes on hubs as new sites are added – Route Reflectors
           §  Zero touch deployment of branch wan router (CE) – Route Reflectors
        –  Provider flexibility
           §  Multiple providers in each country – Multiple neighbor configs supported
           §  Easy migration between providers – Built into OTP
           §  No routing exchange of internal addresses – Built into OTP
  37. Additional Information
      §  OTP Availability
         –  ASR 1000 Series – IOS-XE 3.10
         –  ISR, ISR G2, 7200 Series – IOS 15.4(3)
      §  For more information on EIGRP visit:
         –  EIGRP: http://www.cisco.com/go/eigrp
         –  Open EIGRP (IETF Draft): http://tools.ietf.org/html/draft-savage-eigrp
         –  OTP:
            §  http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_eigrp/configuration/xe-3s/ire-eigrp-over-thetop.html
            §  https://techzone.cisco.com/t5/EIGRP/EIGRP-OTP-Over-the-ToP/ta-p/317994
         –  GETVPN: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps9370/ps7180/GETVPN_DIG_version_1_0_External.pdf
  38. Q&A
  39. •  Thank you!
      •  Please complete the post-event survey
      •  Join us for upcoming webinars: Register: www.cisco.com/go/techadvantage
      Follow us @GetYourBuildOn