WAN and Remote-Site Deployment using Cisco Validated Designs Adam Groudan, Technical Solutions Architect BRKRST-2040


Post on 29-Jul-2018


Page 1: WAN and Remote-Site Deployment using Cisco Validated Designs
Adam Groudan, Technical Solutions Architect
BRKRST-2040

Page 2: The Challenge
I want to design and deploy a network...
• Which platform should I choose? There are many to choose from at each place in the network.
• What are the best practices?
• How do I manage it?
• How do I put it all together?
• How can I do it quickly?
• How can I anticipate what the network might need to do in the future so I don't have to revisit my design and deployment?
(Slide graphic: ASR1002-X and WAVE-7571 platforms)

Page 3: Cisco Validated Designs provide a framework for design and deployment guidance based on common use cases.

Page 4: Agenda
• WAN CVD Overview
• WAN CVD Design Methodology
• Key Aspects of the Design
• Summary

Page 5: Cisco Validated Design Guides
Each design guide addresses a common deployment issue, called a use case, that defines a customer-driven set of requirements and technology.

Page 6: Inside the Design Guide
• CVD Navigator
• Design Overview
• Deployment Details
• Product and Software Versions
• Configuration Files Appendix
Blueprints and overviews for technical and business decision-makers.

Page 7: CVD Navigator
• Use Case(s)
• Scope
• Proficiency
• Related CVDs

Page 8: The Cisco Design Zone
www.cisco.com/go/cvd
• Technology/Solution Design Guides
• Overview Documents
• At-a-Glance Documents
• Business Presentations
WAN design guides: www.cisco.com/go/cvd/wan

Page 9: Cisco Validated Designs for Enterprise WAN
• MPLS WAN Design Guide
• Layer 2 WAN Design Guide
• VPN WAN Design Guide
http://www.cisco.com/go/cvd/wan

Design Guide | Transports | Usage | WAN Aggregation Design Models
MPLS WAN | MPLS L3 VPN | Primary/Secondary | Dual MPLS; MPLS Dynamic; MPLS Static
Layer 2 WAN | Layer 2 WAN | Primary | Trunked Demarcation; Simple Demarcation
VPN WAN | Internet/DMVPN | Primary/Secondary | Dual DMVPN; DMVPN Only; DMVPN Backup Dedicated; DMVPN Backup Shared
Remote Sites Using Local Internet Access | Internet/DMVPN (with Local Internet) | Primary/Secondary | Remote site only
VPN Remote Site over 3G/4G | 3G/4G Internet/DMVPN | Primary/Secondary | Remote site only
Group Encrypted Transport VPN | MPLS L3 VPN; Layer 2 WAN | Primary/Secondary; Primary | Compatible with all design models

Page 10: Agenda
• WAN CVD Overview
• WAN CVD Design Methodology
• Key Aspects of the Design
• Summary

Page 11: Hybrid WAN Designs: Traditional and IWAN
Traditional hybrid:
• Two IPsec technologies: GETVPN over MPLS, DMVPN over Internet
• Two WAN routing domains: MPLS uses eBGP or static routes; Internet uses iBGP, EIGRP or OSPF
• Route redistribution
• Route filtering for loop prevention
• Active/Standby WAN paths (primary with backup)
IWAN hybrid:
• One IPsec overlay: DMVPN
• One WAN routing domain: iBGP, EIGRP, or OSPF
• Active/Active WAN paths
(Slide graphic: in both designs the data center terminates the WAN on a pair of ASR 1000 routers toward ISP A and SP B, and the remote site uses an ISR)

Page 12: Hierarchical WAN Design
(Slide graphic: a three-tier WAN hierarchy. Core/Distribution: Data Center/HQ; Distribution: regional hubs; Access: spoke sites 1..N behind each regional hub. A flat variant shows the Data Center/HQ core connected directly to spoke sites 1..N.)

Page 13: WAN-Aggregation Reference Design
(Slide graphic: MPLS A and MPLS B terminate on MPLS CE routers, the Layer 2 WAN on a Layer 2 WAN CE router, and ISP A / ISP B on the Internet edge with the DMVPN hub routers (DMVPN 1, DMVPN 2). All WAN routers connect to the WAN distribution layer, which connects to the core layer.)

Page 14: WAN Remote Site Designs
Basic Remote Site

Page 15: WAN Remote Site Designs (MPLS and DMVPN)
Non-redundant:
• MPLS WAN
• MPLS + Internet (DMVPN) WAN
• Internet (DMVPN) WAN
Redundant links:
• MPLS-A + MPLS-B
• MPLS + Internet (DMVPN)
• Internet (DMVPN-1) + Internet (DMVPN-2)
Redundant links and routers:
• MPLS-A + MPLS-B
• MPLS + Internet (DMVPN)
• Internet (DMVPN-1) + Internet (DMVPN-2)

Page 16: WAN Remote Site Designs (L2, 3G/4G and DMVPN)
Non-redundant:
• VPLS WAN
• 3G/4G Internet (DMVPN) WAN
Redundant links:
• VPLS + Internet (DMVPN) WAN
• MPLS + 3G/4G Internet (DMVPN) WAN
Redundant links and routers:
• VPLS + Internet (DMVPN) WAN
• MPLS + 3G/4G Internet (DMVPN) WAN

Page 17: WAN Remote Site Reference Designs: Access Layer Only
Single-router remote sites:
• Vlan65 - wireless data, Vlan64 - data, Vlan70 - wireless voice, Vlan69 - voice
• 802.1q Vlan trunk (64-65, 69-70)
• No HSRP required
Dual-router remote sites (add a second router and a transit network, enable HSRP):
• Vlan65 - wireless data, Vlan64 - data, Vlan70 - wireless voice, Vlan69 - voice, Vlan99 - transit
• 802.1q Vlan trunk (64-65, 69-70, 99)
• HSRP on the user Vlans; one router is the active HSRP router

Vlan | Usage | Access Layer Only Designs | IP Network Assignment (Example)
Vlan65 | Wireless Data | Yes | 10.5.50.0/24
Vlan70 | Wireless Voice | Yes | 10.5.51.0/24
Vlan64 | Data 1 | Yes | 10.5.52.0/24
Vlan69 | Voice 1 | Yes | 10.5.53.0/24
Vlan99 | Transit | Yes (dual router only) | 10.5.48.0/30

Page 18: WAN Remote Site Reference Designs: Distribution and Access Layer
Single-router remote sites (add a distribution layer):
• 802.1q trunk (50) between the router and the distribution layer; Vlan50 - router 1 link
• 802.1q trunks (xx-xx) carrying the data and voice Vlans between the distribution and access layers
Dual-router remote sites (with a transit network):
• 802.1q trunk (50,99) to router 1 and 802.1q trunk (54,99) to router 2; Vlan50 - router 1 link, Vlan54 - router 2 link, Vlan99 - transit
• 802.1q trunks (xx-xx) carrying the data and voice Vlans between the distribution and access layers

Page 19: Agenda
• WAN CVD Overview
• WAN CVD Design Methodology
• Key Aspects of the Design
• Summary

Page 20: WAN Edge Connection Methods Compared
(Slide graphic: three ways of attaching the WAN edge router to the Core/Distribution layer. The CVD-recommended option uses a single logical control plane with a port-channel for high availability, no static routes and no FHRPs.)
This topic is covered in detail in BRKCRS-2030.

Page 21: Optimize Convergence and Redundancy
Multichassis EtherChannel (VSS or 3750 stack):
• Provides link redundancy and reduces peering complexity
• Tune the L3/L4 load-balancing hash to achieve maximum utilization
• No L3 reconvergence is required when a member link fails; the channel member is simply removed
• No individual flow can go faster than the speed of an individual member link
Point-to-point Layer 3 links:
• Link redundancy is achieved through redundant L3 paths
• Flow-based load-balancing through CEF forwarding across the paths
• Routing protocol reconvergence (IGP recalculation) when an uplink fails
• Convergence time may depend on the routing protocol used and the number of routing entries

Page 22: WAN Dual-Path Route Preference: Incorrect Choice of Primary Path (DMVPN)
Mutual route redistribution
(Slide graphic: the MPLS CE router, in BGP AS 65511, peers by eBGP with MPLS A (AS 65401) and redistributes into EIGRP; the DMVPN hub router runs EIGRP(100) over DMVPN 1. Both connect to the WAN distribution layer. The remote site advertises 10.5.48.0/21, and the WAN distribution layer installs
  D 10.5.48.0/21 [90/xxxxx] via 10.4.32.18
that is, the DMVPN hub (10.4.32.18) as the next hop.)
• eBGP routes are redistributed into EIGRP-100 as external routes with the default administrative distance of 170
• Running the same EIGRP AS for both the campus and the DMVPN network results in the Internet path being preferred over the MPLS path

Page 23: WAN Dual-Path Route Preference: Correct Choice of Primary Path (MPLS)
(Slide graphic: the same topology, but the DMVPN hub router runs EIGRP(200) over DMVPN 1 and redistributes it into EIGRP 100. The WAN distribution layer now installs
  D EX 10.5.48.0/21 [170/34304] via 10.4.32.2
that is, the MPLS CE router (10.4.32.2) as the next hop.)
• Multiple EIGRP AS processes can be used to control the routing: EIGRP 100 is used in the HQ location (LAN), EIGRP 200 over the DMVPN tunnel
• Routes from EIGRP 200 redistributed into EIGRP 100 appear as external routes (distance = 170)
• EIGRP uses the bandwidth and delay metrics if the prefix and distance are the same. If the routes from both WAN sources are equal-cost paths, use EIGRP delay to modify the path preference

MPLS CE router:
  router eigrp LAN
   address-family ipv4 unicast autonomous-system 100
    topology base
     default-metric 1000000 10 255 1 1500

DMVPN hub router:
  router eigrp LAN
   address-family ipv4 unicast autonomous-system 100
    topology base
     redistribute eigrp 200
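The route selection described on the two slides above, as an added example that is not part of the session or of any Cisco code: a small model of the IOS routing-table decision (lowest administrative distance, then lowest EIGRP composite metric) applied to the two paths the WAN distribution layer learns for 10.5.48.0/21. The addresses and distances are the ones on the slides; the tunnel bandwidth and delay and the resulting metrics are constructed sample values.

```python
"""Route-table selection for the WAN dual-path example (pages 22 and 23).

Added illustration, not code from the session or from Cisco. It models how
IOS picks between the MPLS CE path and the DMVPN hub path at the WAN
distribution layer: lowest administrative distance wins, and only when the
distance ties does the EIGRP composite metric (bandwidth and delay) decide.
Metric inputs are constructed sample values, not measured ones.
"""
from __future__ import annotations
from dataclasses import dataclass

AD_EIGRP_INTERNAL = 90   # IOS default for routes learned inside the EIGRP AS
AD_EIGRP_EXTERNAL = 170  # IOS default for routes redistributed into EIGRP


@dataclass(frozen=True)
class Candidate:
    prefix: str
    source: str       # which WAN router offers the path
    distance: int     # administrative distance
    metric: int       # EIGRP composite metric
    next_hop: str


def eigrp_metric(min_bandwidth_kbps: int, total_delay_tens_usec: int) -> int:
    """Classic EIGRP composite metric with the default K values (K1=K3=1)."""
    return 256 * (10_000_000 // min_bandwidth_kbps + total_delay_tens_usec)


def best_route(candidates: list[Candidate]) -> Candidate:
    """IOS RIB selection: lowest distance first, then lowest metric."""
    return min(candidates, key=lambda c: (c.distance, c.metric))


def distribution_layer_best(single_eigrp_as: bool, mpls_redistribute_delay: int = 10) -> Candidate:
    """Route to remote site 10.5.48.0/21 as seen by the WAN distribution layer.

    single_eigrp_as=True  : the DMVPN tunnel runs in EIGRP 100, the campus AS (page 22)
    single_eigrp_as=False : the tunnel runs EIGRP 200, redistributed into 100 (page 23)
    mpls_redistribute_delay: delay field of the CE's default-metric, in tens of microseconds
    """
    # MPLS CE: eBGP redistributed into EIGRP with
    # 'default-metric 1000000 <delay> 255 1 1500' -> always an external route.
    mpls = Candidate("10.5.48.0/21", "MPLS CE", AD_EIGRP_EXTERNAL,
                     eigrp_metric(1_000_000, mpls_redistribute_delay + 1), "10.4.32.2")
    # DMVPN hub: constructed tunnel values, 10 Mbps bandwidth and 50 ms delay.
    tunnel_metric = eigrp_metric(10_000, 5_000)
    if single_eigrp_as:
        dmvpn = Candidate("10.5.48.0/21", "DMVPN hub", AD_EIGRP_INTERNAL, tunnel_metric, "10.4.32.18")
    else:
        dmvpn = Candidate("10.5.48.0/21", "DMVPN hub", AD_EIGRP_EXTERNAL, tunnel_metric, "10.4.32.18")
    return best_route([mpls, dmvpn])


if __name__ == "__main__":
    for single in (True, False):
        r = distribution_layer_best(single)
        label = "EIGRP 100 everywhere" if single else "EIGRP 200 on tunnel"
        print(f"{label:22} -> {r.source} [{r.distance}/{r.metric}] via {r.next_hop}")
    # Raising the delay used when the CE redistributes BGP flips the metric tie-break.
    r = distribution_layer_best(False, mpls_redistribute_delay=10_000)
    print(f"CE delay 10000          -> {r.source} [{r.distance}/{r.metric}] via {r.next_hop}")
```

With one EIGRP AS the internal tunnel route (distance 90) wins regardless of metric; with the tunnel in EIGRP 200 both paths are external (170) and the CE's low default-metric makes MPLS primary, which is the knob the third bullet refers to.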

Page 24: WAN-Aggregation IP Routing Detail
(Slide graphic: BGP AS 65511. The MPLS A (AS 65401) and MPLS B (AS 65402) CE routers each run eBGP to their carrier, iBGP between each other, and EIGRP toward the WAN distribution layer. The Layer 2 WAN CE router runs EIGRP(300) over the Layer 2 WAN and EIGRP toward the distribution layer. The DMVPN hub routers at the Internet edge (ISP A / ISP B) run EIGRP(200) over DMVPN 1 and EIGRP(201) over DMVPN 2, carry a default route, and run EIGRP toward the distribution layer.)

Page 25: WAN Dual-Path Route Preference: Is Route Control Needed?
• After a link failure, the MPLS CE router learns an alternate path to the remote site via the distribution layer (EIGRP route)
(Slide graphic: with the MPLS A link down, the WAN distribution layer holds
  D EX 10.5.48.0/21 [170/xxxx] via 10.4.32.18
that is, via the DMVPN hub router (EIGRP(200) over DMVPN 1), and the MPLS CE router holds
  D EX 10.5.48.0/21 [170/xxxx] via 10.4.32.1
that is, via the distribution layer.)

Page 26: WAN Dual-Path Route Preference: Is Route Control Needed?
• After the link is restored, the MPLS CE router receives the BGP advertisement for the remote-site route:
  B 10.5.48.0/21 [20/0] via 192.168.3.2
• Does the BGP route get (re)installed in the routing table? No. The EIGRP route from the distribution layer remains in the table:
  D EX 10.5.48.0/21 [170/xxxx] via 10.4.32.1
(Slide graphic: same topology as the previous slide; the "Yes" answer is crossed out.)

Page 27: WAN Dual-Path Route Preference: Route Control is Needed
• The remote-site route is redistributed into BGP with weight = 32768
• After the link is restored, the distribution-layer route remains in the table because of the BGP weight
• Routes from the distribution layer should be blocked
• This also protects against other "backdoor" and routing-loop conditions

MPLS CE router:
  CE-1#show ip bgp 10.5.48.0 255.255.248.0
  BGP routing table entry for 10.5.48.0/21, version 1293
  Paths: (3 available, best #3, table default)
    Advertised to update-groups:
       4          5
    65401 65401, (aggregated by 65511 10.5.48.254)
      192.168.3.2 from 192.168.3.2 (192.168.100.3)
        Origin IGP, localpref 100, valid, external, atomic-aggregate
    Local
      10.4.32.1 from 0.0.0.0 (10.4.32.1)
        Origin incomplete, metric 3584, localpref 100, weight 32768, valid, sourced, best

The first path is the eBGP route (no weight defined); the locally sourced path from the distribution layer carries weight 32768 and is therefore selected as best.

Page 28: Best Practice: Route Tag and Filter
• Routes are implicitly tagged with the carrier AS when redistributed from eBGP into EIGRP
• Configure explicit tags for other routing protocol sources
• Use a route-map to block re-learning of WAN routes via the distribution layer (MPLS routes are already known via iBGP)

  router eigrp LAN
   address-family ipv4 unicast autonomous-system 100
    topology base
     default-metric [BW] 100 255 1 1500
     distribute-list route-map BLOCK-TAGGED-ROUTES in
     redistribute bgp 65511
  !
  route-map BLOCK-TAGGED-ROUTES deny 10
   match tag 65401 65402
  !
  route-map BLOCK-TAGGED-ROUTES permit 20

(Slide graphic: the MPLS A (AS 65401) and MPLS B (AS 65402) CE routers exchange routes over iBGP; EIGRP routes arriving from the campus/data center distribution layer are filtered by the route-map.)

Page 29: WAN-Aggregation Mutual Route Redistribution
(Slide graphic: the WAN-aggregation topology of the WAN-Aggregation IP Routing Detail slide.)

WAN-Aggregation Router | From WAN towards Core/Distribution | From Core/Distribution towards WAN (Redistribute EIGRP 100)
MPLS A CE | Redistribute BGP; implicit tag: MPLS-A | Block: MPLS-A, MPLS-B, DMVPN
MPLS B CE | Redistribute BGP; implicit tag: MPLS-B | Block: MPLS-A, MPLS-B, DMVPN
Layer 2 WAN CE | Redistribute EIGRP; explicit tag: Layer 2 WAN | Block: DMVPN
DMVPN 1 Hub | Redistribute EIGRP; explicit tag: DMVPN | Accept: Any
DMVPN 2 Hub | Redistribute EIGRP; explicit tag: DMVPN | Accept: Any
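The weight problem of page 27 and the tag filter of pages 28 and 29, as an added example that is not part of the session or of any Cisco code. The first part models the opening steps of the BGP best-path decision to show why the CE's locally sourced path (weight 32768) beats the carrier's eBGP path; the second models the inbound distribute-list route-map, once with exactly the clauses of page 28 and once with the MPLS CE row of the page 29 table (block MPLS-A, MPLS-B and DMVPN tags). The page gives no numeric value for the explicit DMVPN tag, so DMVPN_TAG and the sample EIGRP updates are constructed.

```python
"""BGP weight and tag-based filtering at the MPLS CE router (pages 27 to 29).

Added illustration, not code from the session or from Cisco. Part one models
the first BGP best-path steps to show why a remote-site route that the CE
redistributes from EIGRP (weight 32768) beats the eBGP path (weight 0), so
the carrier route is never reinstalled after a link restore. Part two models
the 'distribute-list route-map BLOCK-TAGGED-ROUTES in' logic: EIGRP updates
from the distribution layer carrying a carrier tag are dropped before they
can enter the CE's table. The DMVPN tag value and the sample updates are
constructed; the page gives no explicit DMVPN tag number.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BgpPath:
    next_hop: str
    weight: int            # locally sourced paths get 32768, received paths 0
    local_pref: int = 100
    as_path: tuple = ()


def bgp_best_path(paths):
    """First three IOS best-path steps: weight, local preference, AS-path length."""
    return max(paths, key=lambda p: (p.weight, p.local_pref, -len(p.as_path)))


@dataclass(frozen=True)
class EigrpUpdate:
    prefix: str
    next_hop: str
    tag: int = 0           # 0 means untagged


# Ordered route-map clauses: (action, set of tags matched; None matches anything).
ROUTE_MAP_BLOCK_TAGGED = [
    ("deny", {65401, 65402}),   # route-map BLOCK-TAGGED-ROUTES deny 10 / match tag 65401 65402
    ("permit", None),           # route-map BLOCK-TAGGED-ROUTES permit 20
]
DMVPN_TAG = 65000               # constructed value for the explicit DMVPN tag of page 29
ROUTE_MAP_BLOCK_ALL_WAN = [     # page 29 row for the MPLS CE: block MPLS-A, MPLS-B, DMVPN
    ("deny", {65401, 65402, DMVPN_TAG}),
    ("permit", None),
]


def route_map_permits(route_map, update):
    """Walk the clauses in order; an update matching no clause hits the implicit deny."""
    for action, tags in route_map:
        if tags is None or update.tag in tags:
            return action == "permit"
    return False


def inbound_filter(route_map, updates):
    """Behaviour of 'distribute-list route-map ... in' on the EIGRP topology."""
    return [u for u in updates if route_map_permits(route_map, u)]


def ce_bgp_decision():
    """Why the eBGP path for 10.5.48.0/21 loses after the link comes back (page 27)."""
    paths = [
        BgpPath("192.168.3.2", weight=0, as_path=(65401, 65401)),  # from the carrier
        BgpPath("10.4.32.1", weight=32768),                         # sourced from EIGRP
    ]
    return bgp_best_path(paths)


SAMPLE_UPDATES = [   # constructed EIGRP updates arriving from the distribution layer
    EigrpUpdate("10.5.48.0/21", "10.4.32.1", tag=65402),      # learned via the MPLS B CE
    EigrpUpdate("10.5.56.0/21", "10.4.32.1", tag=65401),      # our own carrier, re-learned
    EigrpUpdate("10.5.64.0/21", "10.4.32.1", tag=DMVPN_TAG),  # learned via the DMVPN hub
    EigrpUpdate("10.4.0.0/20", "10.4.32.1"),                  # campus prefix, untagged
]


if __name__ == "__main__":
    best = ce_bgp_decision()
    print(f"best BGP path via {best.next_hop}, weight {best.weight}")
    for name, rm in (("BLOCK-TAGGED-ROUTES", ROUTE_MAP_BLOCK_TAGGED),
                     ("block MPLS-A/MPLS-B/DMVPN", ROUTE_MAP_BLOCK_ALL_WAN)):
        kept = [u.prefix for u in inbound_filter(rm, SAMPLE_UPDATES)]
        print(f"{name}: accepted {kept}")
```

Because the filter runs before the update reaches the topology table, the CE never sources the carrier prefix into BGP in the first place, so the weight comparison that kept the wrong route installed never happens; the campus prefix, which carries no WAN tag, still passes.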

Page 30: WAN Remote-Site Routing: Single-Router, Single-Link, Access Layer Only
MPLS VPN: eBGP to the carrier, advertising a BGP summary for the wired/wireless data subnets. Only requires a single WAN-facing routing protocol process.

  router bgp 65511
   bgp router-id 10.255.251.204
   network 10.5.60.0 mask 255.255.255.0
   network 10.5.61.0 mask 255.255.255.0
   network 10.255.251.204 mask 255.255.255.255
   network 192.168.3.28 mask 255.255.255.252
   aggregate-address 10.5.56.0 255.255.248.0 summary-only
   neighbor 192.168.3.30 remote-as 65401

Page 31: WAN Remote-Site Routing: Single-Router, Single-Link, Access Layer Only
Layer 2 WAN: EIGRP(300) with an EIGRP summary; Internet DMVPN: EIGRP(200) with an EIGRP summary. Only requires a single WAN-facing routing protocol process.

  router eigrp WAN-LAYER2
   !
   address-family ipv4 unicast autonomous-system 300
    !
    af-interface default
     passive-interface
    exit-af-interface
    !
    ! Layer 2 WAN interface
    af-interface GigabitEthernet0/0.38
     summary-address 10.5.144.0 255.255.248.0
     no passive-interface
    exit-af-interface
    !
    topology base
    exit-af-topology
    ! Includes all remote-site networks
    network 10.4.38.0 0.0.0.255
    network 10.5.0.0 0.0.255.255
    network 10.255.0.0 0.0.255.255
    eigrp router-id 10.255.255.210
    eigrp stub connected summary
   exit-address-family

Page 32: WAN Remote-Site Routing: Single-Router, Dual-Link, Access Layer Only
MPLS VPN (eBGP, BGP summary) plus Internet DMVPN (EIGRP(200), EIGRP summary): requires two separate WAN-facing routing protocol processes.

  router bgp 65511
   bgp router-id 10.255.251.201
   network 10.5.44.0 mask 255.255.255.0
   network 10.5.45.0 mask 255.255.255.0
   network 10.255.251.201 mask 255.255.255.255
   network 192.168.3.20 mask 255.255.255.252
   aggregate-address 10.5.40.0 255.255.248.0 summary-only
   neighbor 192.168.3.22 remote-as 65401

  router eigrp WAN-DMVPN-1
   !
   address-family ipv4 unicast autonomous-system 200
    !
    af-interface default
     passive-interface
    exit-af-interface
    !
    af-interface Tunnel10
     summary-address 10.5.40.0 255.255.248.0
     no passive-interface
    exit-af-interface
    !
    topology base
    exit-af-topology
    network 10.4.34.0 0.0.1.255
    network 10.5.0.0 0.0.255.255
    network 10.255.0.0 0.0.255.255
    eigrp router-id 10.255.251.201
    eigrp stub connected summary
   exit-address-family

Page 33: WAN Remote-Site Routing: Single-Router, Dual-Link, Access Layer Only
(Slide graphic: dual-link combinations on one router. MPLS VPN A + MPLS VPN B with a BGP summary toward each; Internet DMVPN-1 (EIGRP(200)) + Internet DMVPN-2 (EIGRP(201)) with an EIGRP summary toward each; Layer 2 WAN + Internet DMVPN (EIGRP(200)) with an EIGRP summary toward each.)
Requires two separate WAN-facing routing protocol processes (except for dual-MPLS).

Page 34: WAN Remote-Site Routing: Dual-Router, Dual-Link, Access Layer Only
Requires separate WAN-facing and LAN-facing routing protocol processes. One-way route redistribution is required; summary routes make two-way redistribution unnecessary.
(Slide graphic: one router terminates the MPLS VPN (eBGP), the other the Internet DMVPN (EIGRP(200)). Both run EIGRP(100) on the LAN and peer with each other over the transit network; each advertises a summary (BGP summary, EIGRP summary) toward its WAN.)

LAN EIGRP process on the router with the DMVPN tunnel:
  router eigrp LAN
   !
   address-family ipv4 unicast autonomous-system 100
    !
    af-interface default
     passive-interface
    exit-af-interface
    !
    af-interface Port-channel2.99
     no passive-interface
    exit-af-interface
    !
    topology base
    exit-af-topology
    network 10.4.0.0 0.1.255.255
    network 10.255.0.0 0.0.255.255
    eigrp router-id 10.255.253.203
   exit-address-family

LAN EIGRP process on the router with the MPLS link (one-way redistribution of BGP into EIGRP 100):
  router eigrp LAN
   !
   address-family ipv4 unicast autonomous-system 100
    !
    af-interface default
     passive-interface
    exit-af-interface
    !
    af-interface Port-channel1.99
     no passive-interface
    exit-af-interface
    !
    topology base
     default-metric 20000 100 255 1 1500
     redistribute bgp 65511
    exit-af-topology
    network 10.4.0.0 0.1.255.255
    network 10.255.0.0 0.0.255.255
    eigrp router-id 10.255.251.203
   exit-address-family

Page 35: WAN Remote-Site Routing: Dual-Router, Dual-Link, Access Layer Only
(Slide graphic: dual-router combinations. MPLS VPN A + MPLS VPN B: eBGP on each router, iBGP between the routers, a BGP summary toward each carrier; Internet DMVPN-1 (EIGRP(200)) + Internet DMVPN-2 (EIGRP(201)): EIGRP summaries; Layer 2 WAN (EIGRP(300)) + Internet DMVPN (EIGRP(200)): EIGRP summaries. In every case both routers run EIGRP(100) on the LAN.)
Requires separate WAN-facing and LAN-facing routing protocol processes.

Page 36: Dual-Router WAN Remote-Site Design: Traffic In/Out Same Interface
Host 10.5.52.10 sends data to remote site 10.5.192.10. R1 is the active HSRP router on Vlan64 (10.5.52.0/24, Gig0/1.64; virtual IP .1, R1 .2, R2 .3), and R1 holds
  D EX 10.5.192.0/21 [170/xxxx] via 10.5.52.3
1. The host sends the packet to the HSRP active address (10.5.52.1)
2. Received by R1 on Gig0/1.64
3. R1 does a route lookup; the next hop is 10.5.52.3
4. R1 sends the packet to 10.5.52.3 via Gig0/1.64 (hairpin out the same interface)
5. Received by R2 on Gig0/1.64
6. Packet forwarded to the WAN and final destination
If WCCP is enabled inbound on the Gig0/1.64 interfaces, this causes a double redirect.

Page 37: Dual-Router WAN Remote Site Design: Introduce Transit Network
Host 10.5.52.10 sends data to remote site 10.5.192.10. R1 is the active HSRP router on Vlan64 (10.5.52.0/24, Gig0/1.64; virtual IP .1, R1 .2, R2 .3). R1 and R2 now also share the transit network Vlan99 (10.5.48.0/30, Gig0/1.99; R1 .1, R2 .2), and R1 holds
  D EX 10.5.192.0/21 [170/xxxx] via 10.5.48.2
1. The host sends the packet to the HSRP active address (10.5.52.1)
2. Received by R1 on Gig0/1.64
3. R1 does a route lookup; the next hop is 10.5.48.2
4. R1 sends the packet to 10.5.48.2 via Gig0/1.99
5. Received by R2 on Gig0/1.99
6. Packet forwarded to the WAN and final destination
WCCP is not enabled on the transit network.

Page 38: WAN Remote-Site Routing: Distribution/Access Layer Only
(Slide graphic: single-router site: 802.1q trunk (50) with Vlan50 - router 1 link between the router and the distribution layer, 802.1q trunks (100-101) to the access layer. Dual-router site: 802.1q trunk (50,99) to router 1 and (54,99) to router 2, with Vlan50 - router 1 link, Vlan54 - router 2 link and Vlan99 - transit, and 802.1q trunks (100-101) and (102-103) to the access layer. The routers run EIGRP/BGP toward the WAN and EIGRP(100) toward the distribution layer, sending EIGRP/BGP summaries toward the WAN.)
Requires separate WAN-facing and LAN-facing routing protocol processes. The WAN EIGRP process is either DMVPN (200/201) or Layer 2 WAN (300).

Page 39: Best Practice: Implement an AS-Path Filter to Prevent a Remote Site from Becoming a Transit Network
• Dual-carrier sites can unintentionally become a transit network during a network failure event, causing congestion due to transit traffic
• Design the network so that the transit path between two carriers only occurs at sites with enough bandwidth
• Implement an AS-path filter to allow only locally originated routes to be advertised in the outbound updates of branches that should not be transit

  router bgp 65511
   neighbor 192.168.4.10 route-map NO-TRANSIT-AS out
  !
  ip as-path access-list 10 permit ^$
  !
  route-map NO-TRANSIT-AS permit 10
   match as-path 10

(Slide graphic: remote-site routers R1 and R2 peer with each other over iBGP; R1 connects to MPLS A and R2 to MPLS B, both reaching the campus.)

Page 40: Best Practice: Stub Routing to Improve Network Stability and Prevent a Transit Site
• The stub routing feature improves network stability, reduces resource utilization, and simplifies stub router configuration. Use it at all remote sites.
• Implement stub routing to allow only locally originated routes to be advertised in the outbound updates of dual-router sites that should not be transit

  router eigrp 200
   eigrp stub connected summary

(Slide graphic: remote-site routers A and B run EIGRP toward the campus over VPLS/DMVPN and DMVPN.)
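Both anti-transit mechanisms from the two slides above, as an added example that is not part of the session or of any Cisco code. It applies the as-path access-list regex `^$` of the NO-TRANSIT-AS route-map and the `eigrp stub connected summary` advertisement rule to constructed routing tables of a dual-carrier site, so that the difference between what the site knows and what it is allowed to advertise is visible. The prefixes and the ordering of the sample tables are constructed; the AS numbers are those of the slides.

```python
"""Outbound filters that keep a dual-carrier remote site from becoming transit (pages 39 and 40).

Added illustration, not code from the session or from Cisco. It models two
IOS mechanisms on constructed sample routes: the BGP route-map NO-TRANSIT-AS,
whose as-path access-list 'permit ^$' lets only locally originated prefixes
(empty AS path) out toward the carrier, and 'eigrp stub connected summary',
under which the router advertises only its connected and summary routes,
never prefixes it learned from another EIGRP neighbor.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    as_path: str      # space-separated, "" for a locally originated route


def as_path_acl_permits(regex: str, route: BgpRoute) -> bool:
    """'ip as-path access-list N permit <regex>': IOS applies the regex to the AS-path string."""
    return re.search(regex, route.as_path) is not None


def bgp_outbound(routes, regex: str = "^$"):
    """route-map NO-TRANSIT-AS permit 10 / match as-path 10, followed by the implicit deny."""
    return [r for r in routes if as_path_acl_permits(regex, r)]


@dataclass(frozen=True)
class EigrpRoute:
    prefix: str
    origin: str       # "connected", "summary", "eigrp" (learned from a peer) or "redistributed"


def eigrp_stub_advertise(routes, stub_options=("connected", "summary")):
    """'eigrp stub connected summary': only routes of the listed origins leave the stub."""
    return [r for r in routes if r.origin in stub_options]


# Constructed table of remote-site router R1 (MPLS A side, iBGP peer of R2 on MPLS B).
R1_BGP = [
    BgpRoute("10.5.56.0/21", ""),              # site summary, locally originated
    BgpRoute("10.4.0.0/20", "65402"),          # campus, learned from R2 via MPLS B
    BgpRoute("10.5.120.0/21", "65402 65402"),  # another branch, learned via MPLS B
]

# Constructed table of a dual-router DMVPN spoke.
SPOKE_EIGRP = [
    EigrpRoute("10.5.52.0/24", "connected"),
    EigrpRoute("10.5.48.0/21", "summary"),
    EigrpRoute("10.4.0.0/20", "eigrp"),        # campus, learned over the other router's tunnel
    EigrpRoute("10.5.120.0/21", "eigrp"),
]


def r1_advertises_to_mpls_a():
    return [r.prefix for r in bgp_outbound(R1_BGP)]


def spoke_advertises_to_hub():
    return [r.prefix for r in eigrp_stub_advertise(SPOKE_EIGRP)]


if __name__ == "__main__":
    print("BGP toward MPLS A:  ", r1_advertises_to_mpls_a())
    print("without the filter: ", [r.prefix for r in R1_BGP])
    print("EIGRP toward the hub:", spoke_advertises_to_hub())
```

Without the filter R1 would hand MPLS A a path to the campus through MPLS B and the branch links, which is exactly the transit path the first bullet of page 39 warns about.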

Page 41: DMVPN Deployment Considerations: How to Accommodate Multiple Default Routes for a VPN Hub Router
• The VPN hub has a default route to the ASA firewall's VPN-DMZ interface to reach the Internet
• The remote-site policy requires centralized Internet access
• Enable EIGRP between the VPN headend and the campus core to propagate the default route to the remote sites
• The static default (admin distance = 1) remains active
• User traffic from the remote sites is forwarded to the VPN-DMZ (the wrong firewall interface for user traffic)
• Adjust the admin distances to allow the EIGRP default route (to the core)
• The VPN tunnel drops
(Slide graphic: Internet edge block with the firewall's INSIDE, OUTSIDE and VPN-DMZ interfaces; default routes point from the DMVPN hub to the VPN-DMZ, from the core to INSIDE, and from the DMVPN spoke over the tunnel toward the hub.)

Page 42: DMVPN Deployment over Internet: No Split Tunneling at the Remote-Site Location
• Enable front-door VRF (FVRF) with DMVPN to permit two default routes
• The VRF INET-PUBLIC contains the default route to the VPN-DMZ interface needed for tunnel establishment
• A second default route exists in the global routing table, used by user traffic to reach the Internet
• To enforce centralized tunneling, the default route is advertised to the spokes via the tunnel (EIGRP)
• The spoke's tunnel drops because the second default route conflicts with the one learned from the ISP
(Slide graphic: the same Internet edge block; the hub now keeps its VPN-DMZ default in VRF INET-PUBLIC and the Internet default in the global table, and the spoke receives an EIGRP default over the tunnel.)

Page 43: Best Practice: VRF-Aware DMVPN, Keeping the Default Routes in Separate VRFs
• Enable FVRF DMVPN on the spokes
• Keep the ISP-learned default route in the VRF INET-PUBLIC and use it for tunnel establishment
• The global VRF contains the default route learned via the tunnel; user data traffic follows the tunnel to the INSIDE interface on the firewall
• Allows for consistent implementation of corporate security policy for all users
(Slide graphic: both the hub and the spoke keep their ISP-facing default in VRF INET-PUBLIC; the EIGRP default over the tunnel lives in the global table.)
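The two-default-route problem of pages 41 and 42 and the FVRF fix of page 43, as an added example that is not part of the session or of any Cisco code. It implements a small longest-prefix-match routing table per VRF and reproduces both situations at the spoke: a single table in which the EIGRP default learned over the tunnel displaces the ISP default and the tunnel destination then resolves back into the tunnel (recursive routing, which IOS answers by bringing the tunnel down), and the FVRF layout in which the tunnel endpoint is looked up in VRF INET-PUBLIC and user traffic in the global table. The VRF name is the one on the slides; the interface names, the hub's public address (TEST-NET-1), the Internet destination (TEST-NET-3), the ISP next hop and the administrative distances are constructed assumptions.

```python
"""Front-door VRF lookup model for the DMVPN spoke (pages 41 to 43).

Added illustration, not code from the session or from Cisco. It builds a
small longest-prefix-match routing table per VRF and reproduces the two
situations the slides describe: a spoke with a single routing table, where
the default learned over the tunnel overrides the ISP default and the tunnel
destination is then routed back into the tunnel (recursive routing, the
tunnel drops), and a spoke with FVRF, where the tunnel endpoint is resolved in
VRF INET-PUBLIC and user traffic in the global table. The VRF name is the
one on the slides; interface names, public addresses and distances are
constructed sample values.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    next_hop: str
    interface: str
    distance: int


class Rib:
    """One routing table (a VRF). Lookup = longest prefix, then lowest distance."""

    def __init__(self):
        self.routes = []  # list of Route

    def add(self, prefix: str, next_hop: str, interface: str, distance: int):
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, interface, distance))

    def lookup(self, destination: str) -> Route | None:
        addr = ipaddress.ip_address(destination)
        matches = [r for r in self.routes if addr in r.network]
        if not matches:
            return None
        return max(matches, key=lambda r: (r.network.prefixlen, -r.distance))


HUB_PUBLIC = "192.0.2.1"        # constructed hub address (TEST-NET-1)
INTERNET_HOST = "203.0.113.10"  # constructed Internet destination (TEST-NET-3)


def tunnel_is_recursive(rib: Rib, tunnel_destination: str, tunnel_interface: str) -> bool:
    """IOS brings a tunnel down when its destination resolves out the tunnel itself."""
    r = rib.lookup(tunnel_destination)
    return r is not None and r.interface == tunnel_interface


def spoke_single_table() -> dict:
    """Page 42 failure: both defaults compete in one table."""
    rib = Rib()
    rib.add("0.0.0.0/0", "198.51.100.1", "GigabitEthernet0/0", 254)  # ISP default (DHCP, AD 254)
    rib.add("0.0.0.0/0", "10.4.34.1", "Tunnel10", 90)                 # default learned via EIGRP
    return {
        "tunnel_recursive": tunnel_is_recursive(rib, HUB_PUBLIC, "Tunnel10"),
        "user_traffic_via": rib.lookup(INTERNET_HOST).interface,
    }


def spoke_with_fvrf() -> dict:
    """Page 43 best practice: ISP default in INET-PUBLIC, tunnel default in the global table."""
    inet_public = Rib()   # VRF INET-PUBLIC: the tunnel source interface lives here
    inet_public.add("0.0.0.0/0", "198.51.100.1", "GigabitEthernet0/0", 254)
    global_table = Rib()  # global VRF: user data
    global_table.add("10.5.52.0/24", "0.0.0.0", "GigabitEthernet0/1.64", 0)
    global_table.add("0.0.0.0/0", "10.4.34.1", "Tunnel10", 90)
    return {
        "tunnel_recursive": tunnel_is_recursive(inet_public, HUB_PUBLIC, "Tunnel10"),
        "tunnel_endpoint_via": inet_public.lookup(HUB_PUBLIC).interface,
        "user_traffic_via": global_table.lookup(INTERNET_HOST).interface,
    }


if __name__ == "__main__":
    print("single table:", spoke_single_table())
    print("with FVRF:   ", spoke_with_fvrf())
```

In the single-table case the user traffic does take the tunnel as the policy wants, but the hub address takes it too, so the tunnel cannot stay up; separating the tables lets each default serve exactly one purpose.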

Page 44: Avoid Fragmentation when Tunneling
• IP fragmentation causes CPU and memory overhead and results in lower throughput
• When one fragment of a datagram is dropped, the entire original IP datagram has to be resent
• Use 'mode transport' on the transform-set: NHRP requires this for NAT support, and it saves 20 bytes of overhead
• Avoid MTU issues with the following best practices:
  • ip mtu 1400 (WAN-facing interface or tunnel)
  • ip tcp adjust-mss 1360 (WAN-facing interface or tunnel)
(Slide graphic: end-to-end path with MTU 1500 on the LAN segments and MTU 1400 across the GRE+IPsec tunnel)

Tunnel Setting (esp-aes 256 esp-sha-hmac) | Maximum MTU | Recommended MTU
GRE/IPsec (Tunnel Mode) | 1414 bytes | 1400 bytes
GRE/IPsec (Transport Mode) | 1434 bytes | 1400 bytes
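Where the 1414 and 1434 byte figures in the table come from, as an added example that is not part of the session or of any Cisco code. It adds up the GRE and ESP encapsulation for the slide's transform set (AES-CBC with a 16-byte IV and 16-byte block padding, SHA-1 HMAC truncated to a 12-byte ICV), searches for the largest inner packet that still fits a 1500-byte outer MTU in each mode, and derives the MSS value from `ip mtu 1400`. The header sizes are the standard protocol values; no field of the page is altered.

```python
"""GRE over IPsec overhead and the resulting MTU limits (page 44).

Added illustration, not code from the session or from Cisco. It adds up the
headers that wrap an inner IP packet on a GRE/IPsec tunnel with the slide's
transform set (esp-aes 256 esp-sha-hmac: AES-CBC with a 16-byte IV and 16-byte
blocks, SHA-1 HMAC truncated to a 12-byte ICV) and searches for the largest
inner packet that still fits a 1500-byte outer MTU. The results reproduce the
slide's table (1414 bytes tunnel mode, 1434 bytes transport mode) and show
the margin that 'ip mtu 1400' and 'ip tcp adjust-mss 1360' leave.
"""
IP_HEADER = 20       # IPv4 header without options
GRE_HEADER = 4       # GRE without key or sequence number
ESP_HEADER = 8       # SPI + sequence number
ESP_IV = 16          # AES-CBC initialisation vector
ESP_TRAILER = 2      # pad length + next header
ESP_ICV = 12         # SHA-1 HMAC truncated to 96 bits
AES_BLOCK = 16       # CBC padding granularity
TCP_IP_HEADERS = 40  # IPv4 + TCP headers, used for the MSS derivation


def esp_padding(plaintext_len: int) -> int:
    """Pad so that plaintext + trailer fills whole cipher blocks."""
    return (-(plaintext_len + ESP_TRAILER)) % AES_BLOCK


def encapsulated_size(inner_len: int, mode: str) -> int:
    """Bytes on the wire for an inner IP packet of inner_len bytes."""
    if mode not in ("tunnel", "transport"):
        raise ValueError(mode)
    plaintext = GRE_HEADER + inner_len
    if mode == "tunnel":
        # Tunnel mode encrypts the whole GRE packet, delivery IP header included,
        # and prepends a fresh outer IP header: 20 bytes more than transport m  ode.
        plaintext += IP_HEADER
    esp = ESP_HEADER + ESP_IV + plaintext + esp_padding(plaintext) + ESP_TRAILER + ESP_ICV
    return IP_HEADER + esp


def max_inner_mtu(mode: str, outer_mtu: int = 1500) -> int:
    """Largest inner packet that is not fragmented on the outer link."""
    for inner in range(outer_mtu, 0, -1):
        if encapsulated_size(inner, mode) <= outer_mtu:
            return inner
    raise ValueError("outer MTU too small")


def tcp_mss_for(ip_mtu: int) -> int:
    """MSS that keeps a full TCP segment inside ip_mtu: the 'ip tcp adjust-mss' value."""
    return ip_mtu - TCP_IP_HEADERS


def fragments(inner_len: int, mode: str, outer_mtu: int = 1500) -> bool:
    """True when a packet of inner_len bytes would exceed the outer MTU after encapsulation."""
    return encapsulated_size(inner_len, mode) > outer_mtu


if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        print(f"{mode:9}: max inner MTU {max_inner_mtu(mode)}, "
              f"1400-byte packet -> {encapsulated_size(1400, mode)} bytes on the wire")
    print("ip tcp adjust-mss for ip mtu 1400:", tcp_mss_for(1400))
```

The maximum is not simply 1500 minus a fixed overhead because the CBC padding varies with the payload length; the 1400-byte recommendation leaves room for that variation and for GRE options such as a key or sequence number, which this model omits.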

Page 45: Dual-Router WAN Resilient Remote-Site Design: Routing to Primary Site
Host 10.5.52.10 sends data to the primary site (10.4.0.x). R1 is the active HSRP router on Vlan64 (Gig0/1.64; virtual IP 10.5.52.1, R1 .2, R2 .3); R1 and R2 also share the transit network Vlan99 (10.5.48.0/30; R1 .1, R2 .2). R1 holds the BGP route
  B* 10.4.0.0/20 [20/0] via 192.168.3.26
1. The host sends the packet to the HSRP active address (10.5.52.1)
2. Received by R1 on Gig0/1.64
3. R1 does a route lookup; the next hop is 192.168.3.26
4. Packet forwarded to the WAN and final destination

Page 46: Dual-Router WAN Resilient Remote-Site Design: Suboptimal Routing After Primary WAN Failure
Same topology; after the primary WAN link on R1 fails, R1 instead holds
  D EX 10.4.0.0/20 [170/xxxx] via 10.5.48.2
1. The host sends the packet to the HSRP active address (10.5.52.1)
2. Received by R1 on Gig0/1.64
3. R1 does a route lookup; the next hop is 10.5.48.2
4. R1 sends the packet to 10.5.48.2 via Gig0/1.99
5. Received by R2 on Gig0/1.99
6. Packet forwarded to the WAN and final destination
R1 remains the HSRP active router, so every packet to the primary site takes the extra hop across the transit network.

Page 47: Dual-Router WAN Resilient Remote-Site Design: Enhanced Object Tracking (EOT) with HSRP
Same topology. R1 probes its BGP next hop 192.168.3.26 with an IP SLA sourced from Gig0/0, and its HSRP group tracks the probe's reachability. R1's route to the primary site:
  B* 10.4.0.0/20 [20/0] via 192.168.3.26

  R1#
  ip sla 100
   icmp-echo 192.168.3.26 source-interface GigabitEthernet0/0
   timeout 1000
   threshold 1000
   frequency 15
  ip sla schedule 100 life forever start-time now
  track 50 ip sla 100 reachability
  interface GigabitEthernet0/1.64
   encapsulation dot1Q 64
   ip address 10.5.52.2 255.255.255.0
   standby 1 ip 10.5.52.1
   standby 1 priority 110
   standby 1 preempt
   standby 1 track 50 decrement 10

  R2#
  interface GigabitEthernet0/1.64
   encapsulation dot1Q 64
   ip address 10.5.52.3 255.255.255.0
   standby 1 ip 10.5.52.1
   standby 1 priority 105
   standby 1 preempt

Page 48: Dual-Router WAN Resilient Remote-Site Design - Enhanced Object Tracking (EOT) with HSRP (continued)

Diagram: the primary WAN has failed, so the IP SLA probe from R1 Gig0/0 to 192.168.3.26 fails. R2 is now the active HSRP router on Vlan64 (data; virtual .1, R1 .2, R2 .3 on Gig0/1.64; Vlan99 transit .1/.2). R2's route to the primary site: D EX 10.4.0.0/20 [170/xxxx] via 10.4.34.1

R2# show standby brief
Interface   Grp Pri P State   Active  Standby    Virtual IP
Gi0/1.64    1   105 P Active  local   10.5.52.2  10.5.52.1

R1#
08:59:00.117: %TRACKING-5-STATE: 50 ip sla 100 reachability Up->Down
08:59:01.321: %HSRP-5-STATECHANGE: GigabitEthernet0/1.64 Grp 1 state Active -> Speak
08:59:12.569: %HSRP-5-STATECHANGE: GigabitEthernet0/1.64 Grp 1 state Speak -> Standby
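The HSRP election behind slides 45-48, as an added Python model that is not part of the Cisco deck: it applies the priorities, preempt and "track 50 decrement 10" settings from the R1/R2 configuration and shows that the tracked decrement is what lets R2 take over when the probe fails, while without it R1 stays active and host traffic takes the Vlan99 detour of slide 46. Timing of the HSRP state machine is ignored.

```python
"""Model of HSRP + Enhanced Object Tracking as configured on slide 47.

Added example (not from the Cisco deck). Router names, addresses, priorities
and the track object come from the slide; HSRP timers are not modelled.
"""
from dataclasses import dataclass, field


@dataclass
class HsrpRouter:
    name: str
    ip: str                       # real interface address on Vlan64
    priority: int                 # configured "standby 1 priority"
    preempt: bool = True          # "standby 1 preempt"
    # track object id -> decrement, e.g. {50: 10} for "standby 1 track 50 decrement 10"
    tracks: dict = field(default_factory=dict)

    def effective_priority(self, track_state: dict) -> int:
        """Priority after subtracting the decrement of every tracked object that is down."""
        pri = self.priority
        for track_id, decrement in self.tracks.items():
            if not track_state.get(track_id, True):
                pri -= decrement
        return max(pri, 0)


def elect_active(routers, track_state, current_active=None):
    """Return the name of the HSRP active router.

    HSRP keeps the current active router unless a router with a higher
    effective priority and preempt enabled exists. Ties are broken by the
    higher interface IP address, as HSRP does.
    """
    def key(r):
        return (r.effective_priority(track_state), tuple(int(o) for o in r.ip.split(".")))

    best = max(routers, key=key)
    if current_active is None:
        return best.name
    cur = next(r for r in routers if r.name == current_active)
    if best is not cur and best.preempt and key(best) > key(cur):
        return best.name
    return cur.name


# Slide 47: R1 priority 110 tracking object 50 (decrement 10), R2 priority 105, both preempt.
R1 = HsrpRouter("R1", "10.5.52.2", priority=110, tracks={50: 10})
R2 = HsrpRouter("R2", "10.5.52.3", priority=105)
ROUTERS = [R1, R2]


def active_after_wan_failure():
    """Slide 48: the probe fails, track 50 goes down, R1 drops to 100 < 105 and R2 preempts."""
    active = elect_active(ROUTERS, {50: True})            # steady state: R1 (110 > 105)
    return elect_active(ROUTERS, {50: False}, active)


def active_after_wan_recovery():
    """Probe succeeds again: R1 is back at 110 and preempts R2."""
    active = active_after_wan_failure()
    return elect_active(ROUTERS, {50: True}, active)


def active_without_tracking():
    """Slide 46 failure mode: with no 'standby track' on R1, R1 stays active after the WAN
    fails, so host traffic crosses Vlan99 to R2 before reaching the backup WAN."""
    r1_untracked = HsrpRouter("R1", "10.5.52.2", priority=110)
    active = elect_active([r1_untracked, R2], {50: True})
    return elect_active([r1_untracked, R2], {50: False}, active)


if __name__ == "__main__":
    print("steady state  :", elect_active(ROUTERS, {50: True}))
    print("WAN failure   :", active_after_wan_failure())
    print("WAN recovered :", active_after_wan_recovery())
    print("no tracking   :", active_without_tracking())
```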

Page 49: Remote-Site with 3G or 4G/LTE Wireless WAN - Best Practice Uses Dialer Watch-list

Diagram: remote-site router with Dialer1 carrying a VPN tunnel over the 3G/4G wireless WAN.

Select the 3G or 4G technology option, then perform the technology-specific step:
- 4G/LTE: 1. LTE specific remote site router configuration
- 3G/GSM: 1. GSM specific remote site router configuration
- 3G/CDMA: 1. CDMA specific remote site router configuration

Remote site router configuration procedure:
1. Configure the WAN remote router
2. Configure VRF Lite
3. Configure the Cellular Interface
4. Configure the Dialer watch-list
5. Configure VRF-Specific Default Routing
6. Apply the Access List
7. Configure ISAKMP and IPSec
8. Configure mGRE Tunnel
9. Configure EIGRP
10. Configure IP Multicast

Page 50: Wireless WAN with 4G/LTE - Direct IP Encapsulation

Diagram: single router R1 (Vlan64 data, no HSRP required) with Cellular0/0/0 (Ce0/0/0) carrying a VPN tunnel over the 4G wireless WAN.

R1#
chat-script LTE "" "AT!CALL1" TIMEOUT 20 "OK"
interface Cellular0/0/0
 bandwidth 8000
 ip vrf forwarding INET-PUBLIC1
 ip address negotiated
 ip access-group ACL-INET-PUBLIC in
 no ip unreachables
 encapsulation slip
 dialer in-band
 dialer idle-timeout 0
 dialer string LTE
 dialer watch-group 1
 no peer default ip address
 async mode interactive
!
ip route vrf INET-PUBLIC1 0.0.0.0 0.0.0.0 Cellular0/0/0
!
dialer watch-list 1 ip 127.0.0.255 255.255.255.255
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
!
line 0/0/0
 script dialer LTE
 modem InOut
 no exec

• Direct IP requires the SLIP encapsulation keyword
• No PPP authentication parameters required
• No profile required

Page 51: Wireless WAN with 3G (GSM and CDMA) - Different Encapsulation Methods

CDMA example:
chat-script CDMA "" "ATDT#777" TIMEOUT 30 "CONNECT"
!
interface Cellular0/0/0
 bandwidth 1800
 ip vrf forwarding INET-PUBLIC1
 ip address negotiated
 ip access-group ACL-INET-PUBLIC in
 no ip unreachables
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 0
 dialer string CDMA
 dialer watch-group 1
 no peer default ip address
 async mode interactive
!
ip route vrf INET-PUBLIC1 0.0.0.0 0.0.0.0 Cellular0/0/0
!
dialer watch-list 1 ip 127.0.0.255 255.255.255.255
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
!
line 0/0/0
 script dialer CDMA
 modem InOut
 no exec

GSM example:
chat-script GSM "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
!
interface Cellular0/0/0
 bandwidth 384
 ip vrf forwarding INET-PUBLIC1
 ip address negotiated
 ip access-group ACL-INET-PUBLIC in
 no ip unreachables
 encapsulation slip
 dialer in-band
 dialer idle-timeout 0
 dialer string GSM
 dialer watch-group 1
 no peer default ip address
 async mode interactive
!
ip route vrf INET-PUBLIC1 0.0.0.0 0.0.0.0 Cellular0/0/0
!
dialer watch-list 1 ip 127.0.0.255 255.255.255.255
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
!
line 0/0/0
 script dialer GSM
 modem InOut
 no exec

A router with GSM must also create a profile:
R1# cellular 0/0/0 gsm profile create 1 isp.cingular

Page 52: Wireless WAN with 3G/4G Backup - Enhanced Object Tracking (EOT) with EEM Scripts

Diagram: R1 (Vlan64 data, no HSRP required) with Ce0/0/0 to the 3G/4G wireless WAN. An IP SLA probe monitors the primary WAN next hop; when it fails, an EEM applet brings the cellular interface up.

R1#
ip sla 100
 icmp-echo 192.168.3.26 source-interface GigabitEthernet0/0
 timeout 1000
 threshold 1000
 frequency 15
ip sla schedule 100 life forever start-time now
track 60 ip sla 100 reachability
event manager applet ACTIVATE-4G
 event track 60 state down
 action 1 cli command "enable"
 action 2 cli command "configure terminal"
 action 3 cli command "interface cellular0/0/0"
 action 4 cli command "no shutdown"
 action 5 cli command "end"
 action 99 syslog msg "Activating 4G interface"

R1#
14:22:14: %TRACKING-5-STATE: 60 ip sla 100 reachability Up->Down
14:22:14: %SYS-5-CONFIG_I: Configured from console by on vty0(EEM:ACTIVATE-4G)
14:22:14: %HA_EM-6-LOG: ACTIVATE-3G: Activating 4G interface
14:22:34: %LINK-3-UPDOWN: Interface Cellular0/0/0, changed state to up
14:22:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0/0/0, changed state to up
14:22:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel10, changed state to up
14:22:40: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
14:22:42: %DUAL-5-NBRCHANGE: EIGRP-IPv4 200: Neighbor 10.4.34.1 (Tunnel11) is up: new adjacency

Note: This method is also compatible with a dual router design (probes are sent from R2).

Page 53: Wireless WAN with 3G/4G Only Link - Time Based Connection with EEM Scripts

Diagram: R1 (Vlan64 data, no HSRP required) with Ce0/0/0 carrying a VPN tunnel over the 3G/4G wireless WAN.

R1#
event manager applet TIME-OF-DAY-ACTIVATE-3G
 event timer cron cron-entry "45 4 * * 1-5"
 action 1 cli command "enable"
 action 2 cli command "configure terminal"
 action 3 cli command "interface cellular0/0/0"
 action 4 cli command "no shutdown"
 action 5 cli command "end"
 action 99 syslog msg "M-F @ 4:45AM Activating 3G interface"
event manager applet TIME-OF-DAY-DEACTIVATE-3G
 event timer cron cron-entry "15 18 * * 1-5"
 action 1 cli command "enable"
 action 2 cli command "configure terminal"
 action 3 cli command "interface cellular0/0/0"
 action 4 cli command "shutdown"
 action 5 cli command "end"
 action 99 syslog msg "M-F @ 6:15PM Deactivating 3G interface"

• Limit connection time to reduce usage charges
• EEM scripts leverage CRON
• Additional scripting or enhancements can allow for manual override for weekend or after hours use.
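To check what the two cron entries above actually do, here is an added Python matcher (not from the deck) for the five-field cron-entry syntax; it replays the activate and deactivate applets over a day to tell whether Cellular0/0/0 should be up at a given time. The assumption that the interface is shut at midnight is mine.

```python
"""Replay the time-of-day EEM applets from slide 53 (added example, not from the deck).

Supports '*', single values, ranges (a-b) and comma lists in each cron field,
which is all the two slide entries need. Day-of-week uses cron numbering (0=Sunday).
"""
from datetime import datetime, timedelta

ACTIVATE_CRON = "45 4 * * 1-5"     # TIME-OF-DAY-ACTIVATE-3G: no shutdown
DEACTIVATE_CRON = "15 18 * * 1-5"  # TIME-OF-DAY-DEACTIVATE-3G: shutdown


def _field_matches(field: str, value: int) -> bool:
    """True if a single cron field ('*', '5', '1-5', '1,3,5-6') covers value."""
    if field == "*":
        return True
    for part in field.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= value <= hi:
                return True
        elif int(part) == value:
            return True
    return False


def cron_matches(entry: str, when: datetime) -> bool:
    """True if the cron entry fires during the minute containing 'when'."""
    minute, hour, dom, month, dow = entry.split()
    cron_dow = (when.weekday() + 1) % 7   # Python Monday=0 -> cron Monday=1, Sunday=0
    return (_field_matches(minute, when.minute) and _field_matches(hour, when.hour)
            and _field_matches(dom, when.day) and _field_matches(month, when.month)
            and _field_matches(dow, cron_dow))


def cellular_expected_up(when: datetime) -> bool:
    """Replay both applets from midnight up to 'when' and return the interface state.

    Assumption (mine, not the slide's): the interface is shut at midnight because the
    deactivate applet ran the previous evening or the day is a weekend.
    """
    up = False
    t = when.replace(hour=0, minute=0, second=0, microsecond=0)
    while t <= when:
        if cron_matches(ACTIVATE_CRON, t):
            up = True
        if cron_matches(DEACTIVATE_CRON, t):
            up = False
        t += timedelta(minutes=1)
    return up


if __name__ == "__main__":
    # 2015-06-10 is a Wednesday, 2015-06-13 a Saturday (constructed sample times).
    for sample in (datetime(2015, 6, 10, 4, 44), datetime(2015, 6, 10, 9, 0),
                   datetime(2015, 6, 10, 19, 0), datetime(2015, 6, 13, 9, 0)):
        print(sample, "cellular up:", cellular_expected_up(sample))
```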

Page 54: WAN Quality of Service - Defining QoS Classes

Class of Service   | Traffic Type                                                                  | DSCP Value(s) | Bandwidth (%) | Congestion Avoidance
VOICE              | Voice traffic                                                                 | ef            | 10 (PQ)       |
INTERACTIVE-VIDEO  | Interactive video (video conferencing)                                        | cs4, af41     | 23 (PQ)       |
CRITICAL-DATA      | Highly interactive (such as Telnet, Citrix, and Oracle thin clients)          | cs3, af31     | 15            | DSCP based
DATA               | Data                                                                          | af21          | 19            | DSCP based
SCAVENGER          | Scavenger                                                                     | cs1, af11     | 5             |
NETWORK-CRITICAL   | Routing protocols. Operations, administration and maintenance (OAM) traffic.  | cs2, cs6      | 3             |
class-default      | Best effort                                                                   | other         | 25            | random

All WAN routers:
class-map match-any VOICE
 match dscp ef
class-map match-any INTERACTIVE-VIDEO
 match dscp cs4 af41
class-map match-any CRITICAL-DATA
 match dscp cs3 af31
class-map match-any DATA
 match dscp af21
class-map match-any SCAVENGER
 match dscp cs1 af11
class-map match-any NETWORK-CRITICAL
 match dscp cs2 cs6

For MPLS CE routers:
class-map match-any BGP-ROUTING
 match protocol bgp
policy-map MARK-BGP
 class BGP-ROUTING
  set dscp cs6

For DMVPN routers:
ip access-list extended ISAKMP
 permit udp any eq isakmp any eq isakmp
class-map match-any NETWORK-CRITICAL
 match access-group name ISAKMP

Page 55: WAN Quality of Service - Implementing WAN QoS (Layer 3)

Diagram (Layer 3 queuing subsystem): packets in are classified into VOICE and INTERACTIVE-VIDEO, which share the Low Latency Queuing priority queue (PQ) and are each policed, and into CRITICAL-DATA, DATA, SCAVENGER, NETWORK-CRITICAL and class-default, which are served by CBWFQ (FQ). The output goes to the Layer 2 queuing subsystem.

policy-map WAN
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
  random-detect dscp-based
 class DATA
  bandwidth percent 19
  random-detect dscp-based
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
  service-policy MARK-BGP
 class class-default
  bandwidth percent 25
  random-detect

random-detect: Random Early Detection (RED)
random-detect dscp-based: Weighted Random Early Detection (WRED)

Page 56: Traffic Shaping

• Policers typically drop traffic
• Shapers typically delay excess traffic, smoothing bursts and preventing unnecessary drops
• Very common with Ethernet WAN, as well as Non-Broadcast Multiple-Access (NBMA) network topologies such as Frame-Relay and ATM

Diagram: transmit rate over time without traffic shaping (bursts up to line rate) and with traffic shaping (held at the shaped rate). Traffic shaping limits the transmit rate to a value lower than line rate.

Page 57: WAN Quality of Service - Implementing WAN QoS (Layer 2)

LFI, Shaping and Serialization

Diagram (Layer 2 queuing subsystem): packets arriving from the Layer 3 queuing subsystem are shaped, then fragmented and interleaved (LFI), and placed on the TX ring as packets out. LFI is only typically used at <768 Kbps.

policy-map WAN-INTERFACE-G0/0/4
 class class-default
  shape average 300000000
  service-policy WAN
interface GigabitEthernet0/0/4
 bandwidth 300000
 service-policy output WAN-INTERFACE-G0/0/4

Page 58: DMVPN Per Tunnel QoS - Per-Site Shaping to Avoid Overruns

Diagram: the DMVPN hub connects over an 802.1q trunk at 500 Mbps (shape only, 500 Mbps) to the DMVPN cloud, which reaches many spoke-site CE routers with committed rates of 50 Mbps, 50 Mbps, 20 Mbps, 20 Mbps, 10 Mbps and 10 Mbps.

500 Mbps in to the DMVPN cloud can easily overrun the lower speed committed rates at spoke sites.

Page 59: DMVPN Hub Per Tunnel QoS - Implementing Per-Site Traffic Shaping

Hub: parent shaper on the physical interface, per-tunnel shapers selected by NHRP group. List all available policies as map groups on the hub tunnel interface.

policy-map WAN-INTERFACE-G0/0/3-SHAPE-ONLY
 class class-default
  shape average 500000000
!
interface GigabitEthernet0/0/3
 bandwidth 100000
 service-policy output WAN-INTERFACE-G0/0/3-SHAPE-ONLY
!
interface Tunnel10
 nhrp map group RS-GROUP-50MBPS service-policy output RS-GROUP-50MBPS-POLICY
 nhrp map group RS-GROUP-20MBPS service-policy output RS-GROUP-20MBPS-POLICY
 nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY

Separate shaper policies for each remote-site bandwidth:

policy-map RS-GROUP-50MBPS-POLICY
 class class-default
  shape average 50000000
  service-policy WAN
policy-map RS-GROUP-20MBPS-POLICY
 class class-default
  shape average 20000000
  service-policy WAN
policy-map RS-GROUP-10MBPS-POLICY
 class class-default
  shape average 10000000
  service-policy WAN

Spoke tunnel configurations (each spoke signals its group to the hub with "nhrp group"):

50 Mbps spoke:
interface GigabitEthernet0/0
 bandwidth 50000
 service-policy output WAN-INTERFACE-G0/0
!
interface Tunnel10
 bandwidth 50000
 nhrp group RS-GROUP-50MBPS
 tunnel source GigabitEthernet0/0

20 Mbps spoke:
interface GigabitEthernet0/0
 bandwidth 20000
 service-policy output WAN-INTERFACE-G0/0
!
interface Tunnel10
 bandwidth 20000
 nhrp group RS-GROUP-20MBPS
 tunnel source GigabitEthernet0/0

10 Mbps spoke:
interface GigabitEthernet0/0
 bandwidth 10000
 service-policy output WAN-INTERFACE-G0/0
!
interface Tunnel10
 bandwidth 10000
 nhrp group RS-GROUP-10MBPS
 tunnel source GigabitEthernet0/0

Diagram: hub parent shaper (500 Mbps) with per tunnel shapers of 50, 50, 20, 20, 10 and 10 Mbps toward the spokes.

Page 60: Layer 2 WAN QoS - Per-Site Shaping to Avoid Overruns

Diagram: the WAN-aggregation router connects over an 802.1q trunk at 500 Mbps (shape 500 Mbps) to the Layer 2 WAN, which reaches many remote-site CE routers with committed rates of 10 Mbps, 10 Mbps, 50 Mbps, 50 Mbps, 20 Mbps and 20 Mbps. Remote-site prefixes shown: 10.5.144.0/21, 10.5.152.0/21, 10.5.168.0/21, 10.5.176.0/21.

500 Mbps in to the WAN can easily overrun the lower speed committed rates at remote sites.

Page 61: Layer 2 WAN Quality of Service - Implementing Per-Site Traffic Shaping

Per-destination class maps (one access list and class map per remote site):

ip access-list extended RS210-10.5.144.0
 permit ip any 10.5.144.0 0.0.7.255
!
class-map match-all CLASS-MAP-RS210
 match access-group name RS210-10.5.144.0

ip access-list extended RS212-10.5.168.0
 permit ip any 10.5.168.0 0.0.7.255
!
class-map match-all CLASS-MAP-RS212
 match access-group name RS212-10.5.168.0

Per-site shapers (shape to 10 Mbps to RS210, shape to 20 Mbps to RS212):

policy-map POLICY-MAP-L2-WAN-BACKBONE-WITH-PER-SITE-SHAPERS
 class NETWORK-CRITICAL
  bandwidth percent 3
 class CLASS-MAP-RS210
  shape average 10000000
  service-policy POLICY-MAP-RS210
 class CLASS-MAP-RS212
  shape average 20000000
  service-policy POLICY-MAP-RS212

Per-destination service policies:

policy-map POLICY-MAP-RS210
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
  random-detect dscp-based
 class DATA
  bandwidth percent 19
  random-detect dscp-based
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
 class class-default
  bandwidth percent 25
  random-detect

policy-map POLICY-MAP-RS212
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
  random-detect dscp-based
 class DATA
  bandwidth percent 19
  random-detect dscp-based
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
 class class-default
  bandwidth percent 25
  random-detect

Page 62: Layer 2 WAN Quality of Service - Implementing Per-Site Traffic Shaping (continued)

Child shapers (shape to 20 Mbps to RS212, shape to 10 Mbps to RS210):

policy-map POLICY-MAP-L2-WAN-BACKBONE-WITH-PER-SITE-SHAPERS
 class NETWORK-CRITICAL
  bandwidth percent 3
 class CLASS-MAP-RS210
  shape average 10000000
  service-policy POLICY-MAP-RS210
 class CLASS-MAP-RS212
  shape average 20000000
  service-policy POLICY-MAP-RS212

Parent shaper (shape to 500 Mbps aggregate):

policy-map WAN-INTERFACE-G0/0/4
 class class-default
  shape average 500000000
  service-policy POLICY-MAP-L2-WAN-BACKBONE-WITH-PER-SITE-SHAPERS

Diagram: parent shaper (500 Mbps) with child shapers of 10, 10, 50, 50, 20 and 20 Mbps toward the remote sites.
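An added Python model (not part of the Cisco deck) of the QoS hierarchy on slides 54-62: DSCP classification into the CVD classes, the policy-map WAN percentages, and the per-site child shapers of the Layer 2 WAN policy, used to compute what a class is actually guaranteed towards a given remote site. Shaper values, prefixes and percentages are those on the slides; the per-destination policies are taken to use the same percentages as policy-map WAN, as slide 61 shows.

```python
"""Hierarchical QoS model for the CVD WAN policies (added example, not from the deck).

Percentages come from policy-map WAN (slide 55), class maps from slide 54 and the
per-site shapers from POLICY-MAP-L2-WAN-BACKBONE-WITH-PER-SITE-SHAPERS (slide 61).
"""
from ipaddress import ip_address, ip_network

# "class-map match-any ... / match dscp ..." on all WAN routers (slide 54)
DSCP_TO_CLASS = {
    "ef": "VOICE",
    "cs4": "INTERACTIVE-VIDEO", "af41": "INTERACTIVE-VIDEO",
    "cs3": "CRITICAL-DATA", "af31": "CRITICAL-DATA",
    "af21": "DATA",
    "cs1": "SCAVENGER", "af11": "SCAVENGER",
    "cs2": "NETWORK-CRITICAL", "cs6": "NETWORK-CRITICAL",
}

# policy-map WAN: class -> (queuing keyword, percent)
POLICY_WAN = {
    "VOICE": ("priority", 10),
    "INTERACTIVE-VIDEO": ("priority", 23),
    "CRITICAL-DATA": ("bandwidth", 15),
    "DATA": ("bandwidth", 19),
    "SCAVENGER": ("bandwidth", 5),
    "NETWORK-CRITICAL": ("bandwidth", 3),
    "class-default": ("bandwidth", 25),
}

PARENT_SHAPE_BPS = 500_000_000   # "shape average 500000000" on the aggregate interface

# Per-site child shapers: destination prefix (from the RS210/RS212 ACLs) -> bps
SITE_SHAPERS = {
    ip_network("10.5.144.0/21"): 10_000_000,   # CLASS-MAP-RS210, shape average 10000000
    ip_network("10.5.168.0/21"): 20_000_000,   # CLASS-MAP-RS212, shape average 20000000
}


def classify(dscp: str) -> str:
    """Map a DSCP name to the CVD class; anything unmatched lands in class-default."""
    return DSCP_TO_CLASS.get(dscp.lower(), "class-default")


def check_policy(policy: dict) -> int:
    """Return the total percent reserved; raise if the policy over-subscribes the link."""
    total = sum(pct for _, pct in policy.values())
    if total > 100:
        raise ValueError(f"policy reserves {total}% > 100%")
    return total


def site_shaper_for(dst: str) -> int:
    """Child shaper that applies to traffic towards dst; the parent rate if no site class matches."""
    addr = ip_address(dst)
    for prefix, rate in SITE_SHAPERS.items():
        if addr in prefix:          # equivalent of "permit ip any 10.5.144.0 0.0.7.255"
            return rate
    return PARENT_SHAPE_BPS


def guaranteed_rate_bps(dscp: str, dst: str, policy: dict = POLICY_WAN) -> int:
    """Bandwidth the packet's class is guaranteed inside the child shaper for its destination.

    Both "priority percent" (LLQ) and "bandwidth percent" (CBWFQ) are relative to the
    shaped rate of the parent class they are nested in, not to the physical line rate.
    """
    _, pct = policy[classify(dscp)]
    return site_shaper_for(dst) * pct // 100


def parent_not_oversubscribed() -> bool:
    """The configured child shapers must fit inside the parent shaper."""
    return sum(SITE_SHAPERS.values()) <= PARENT_SHAPE_BPS


if __name__ == "__main__":
    check_policy(POLICY_WAN)
    # Constructed sample packets: (DSCP, destination at a remote site)
    for dscp, dst in [("ef", "10.5.144.10"), ("af41", "10.5.168.10"),
                      ("af21", "10.5.144.10"), ("default", "10.5.144.10")]:
        mbps = guaranteed_rate_bps(dscp, dst) / 1e6
        print(f"{dscp:>7} -> {classify(dscp):<18} {mbps:.1f} Mbps towards {dst}")
```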

Page 63: Agenda

• WAN CVD Overview
• WAN CVD Design Methodology
• Key Aspects of the Design
• Summary

Page 64: Summary

• The CVD WAN design methodology allows for either a small or large scale initial deployment.
• Flexibility is built into the WAN and remote-site design. Adding additional scale, resiliency or capabilities is straightforward.
• The CVD WAN design uses advanced features and capabilities. Each is documented in a prescriptive manner.
  • Route-maps ensure routing stability
  • F-VRF DMVPN permits spoke-spoke with central tunneling
  • Multiple WAAS design models
  • EEM scripts extend capabilities of EOT

Page 65: Cisco Validated Design Guides - Feedback

Every CVD guide has a feedback link: http://cvddocs.com/feedback

CVD team members will respond to ALL feedback requests. We appreciate your feedback and have updated documents specifically to address topics that have generated feedback.

Page 66: Cisco Validated Designs for Enterprise WAN

MPLS WAN Design Guide, Layer 2 WAN Design Guide, VPN WAN Design Guide: http://www.cisco.com/go/cvd/wan

Design Guide                             | Transports                           | Usage                      | WAN Aggregation Design Models
MPLS WAN                                 | MPLS L3 VPN                          | Primary/Secondary          | Dual MPLS, MPLS Dynamic, MPLS Static
Layer 2 WAN                              | Layer 2 WAN                          | Primary                    | Trunked Demarcation, Simple Demarcation
VPN WAN                                  | Internet/DMVPN                       | Primary/Secondary          | Dual DMVPN, DMVPN Only, DMVPN Backup Dedicated, DMVPN Backup Shared
Remote Sites Using Local Internet Access | Internet/DMVPN (with Local Internet) | Primary/Secondary          | Remote site only
VPN Remote Site over 3G/4G               | 3G/4G Internet/DMVPN                 | Primary/Secondary          | Remote site only
Group Encrypted Transport VPN            | MPLS L3 VPN, Layer 2 WAN             | Primary/Secondary, Primary | Compatible with all design models

Page 67: Now You Can Build This!

Page 68: Related Sessions

• BRKCRS-2030: Wired LAN Deployment Using the Cisco Validated Design for Campus
• BRKRST-2041: WAN Architectures and Design Principles
• BRKCRS-2042: Highly Available Wide Area Network Design

Page 69: Complete Your Online Session Evaluation

Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.

Page 70: Continue Your Education

• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions

Page 71: Thank you

Page 72:
Page 73: WAN Remote Site Reference Design - Distribution Layer Wireless LAN Integration

Diagram: two WAN routers (no HSRP required) connect to the distribution layer over 802.1q trunks carrying VLANs (50, 99) to router 1 and (54, 99) to router 2:
- Vlan50 - router 1 link
- Vlan54 - router 2 link
- Vlan99 - transit

Access switches connect to the distribution layer over 802.1q trunks (100, 101), (102-103) and (106, WD, WV):
- Vlan100 - data, Vlan101 - voice
- Vlan102 - data, Vlan103 - voice
- Vlan106 - management, VlanWD - wireless data, VlanWV - wireless voice

WLAN controller required for the distribution layer design to support roaming.

Page 74: WAN Remote-Site Loopback Routing - Initial Approach: Loopbacks within Summary Route (1)

Diagram: R1 connects to the MPLS VPN (eBGP) and R2 to the Internet/DMVPN (EIGRP 200); R1 and R2 run EIGRP(100) between them on the LAN. R1 advertises a BGP summary, R2 an EIGRP summary.

R1:
interface Loopback0
 ip address 10.5.48.254 255.255.255.255
router bgp 65511
 bgp router-id 10.5.48.254
 network 10.5.52.0 mask 255.255.255.0
 network 10.5.53.0 mask 255.255.255.0
 network 192.168.3.20 mask 255.255.255.252
 aggregate-address 10.5.48.0 255.255.248.0 summary-only
 neighbor 192.168.3.22 remote-as 65401
 no auto-summary

R2:
interface Loopback0
 ip address 10.5.48.253 255.255.255.255
router eigrp 200
 network 10.4.34.0 0.0.1.255
 network 10.5.0.0 0.0.255.255
 passive-interface default
 no passive-interface Tunnel10
 eigrp router-id 10.5.48.253
 eigrp stub connected summary
interface Tunnel10
 ip summary-address eigrp 200 10.5.48.0 255.255.248.0

Summaries are advertised via both links, but the best path is via the primary. When the primary link is operational, both loopbacks are reachable via the primary link.

Page 75: WAN Remote-Site Loopback Routing - Initial Approach: Loopbacks within Summary Route (2)

Diagram: R1 connects to the MPLS VPN (eBGP) and R2 to the Internet/DMVPN (EIGRP 200); R1 and R2 run EIGRP(100) between them on the LAN. The primary (MPLS) link has failed; only the EIGRP summary from R2 remains.

R1:
interface Loopback0
 ip address 10.5.48.254 255.255.255.255
router bgp 65511
 bgp router-id 10.5.48.254
 network 10.5.52.0 mask 255.255.255.0
 network 10.5.53.0 mask 255.255.255.0
 network 192.168.3.20 mask 255.255.255.252
 aggregate-address 10.5.48.0 255.255.248.0 summary-only
 neighbor 192.168.3.22 remote-as 65401
 no auto-summary

R2:
interface Loopback0
 ip address 10.5.48.253 255.255.255.255
router eigrp 200
 network 10.4.34.0 0.0.1.255
 network 10.5.0.0 0.0.255.255
 passive-interface default
 no passive-interface Tunnel10
 eigrp router-id 10.5.48.253
 eigrp stub connected summary
interface Tunnel10
 ip summary-address eigrp 200 10.5.48.0 255.255.248.0

After a primary link failure, only the summary learned via the secondary path is reachable. Both loopbacks are reachable via the secondary path.

Page 76: WAN Remote-Site Loopback Routing - Initial Approach: Loopbacks within Summary Route (3)

Diagram: R1 connects to the MPLS VPN (eBGP) and R2 to the Internet/DMVPN (EIGRP 200); R1 and R2 run EIGRP(100) between them on the LAN. Both the BGP summary (via R1) and the EIGRP summary (via R2) are advertised, but the LAN interconnect between R1 and R2 is down.

R1:
interface Loopback0
 ip address 10.5.48.254 255.255.255.255
router bgp 65511
 bgp router-id 10.5.48.254
 network 10.5.52.0 mask 255.255.255.0
 network 10.5.53.0 mask 255.255.255.0
 network 192.168.3.20 mask 255.255.255.252
 aggregate-address 10.5.48.0 255.255.248.0 summary-only
 neighbor 192.168.3.22 remote-as 65401
 no auto-summary

R2:
interface Loopback0
 ip address 10.5.48.253 255.255.255.255
router eigrp 200
 network 10.4.34.0 0.0.1.255
 network 10.5.0.0 0.0.255.255
 passive-interface default
 no passive-interface Tunnel10
 eigrp router-id 10.5.48.253
 eigrp stub connected summary
interface Tunnel10
 ip summary-address eigrp 200 10.5.48.0 255.255.248.0

If the LAN interconnect between the routers goes down and the primary link remains operational, the summary remains advertised via the primary link. R2 has a route to the WAN-aggregation site, but return traffic follows the best summary route and arrives at R1.

Result: the R2 loopback is unreachable. Traffic from the HQ site is blackholed down the primary link.

Page 77: WAN Remote-Site Loopback Routing - Ensure Reachability of Remote-Site Routers for All Failure Scenarios

Must be tolerant of various remote-site failures:
- LAN switch failure
- Primary or backup WAN failure
Must work with both single and dual router topologies.

Loopback addressing (all sites use 10.255.0.0/16):

WAN Transport | Third Octet | Fourth Octet | Example Router | Example Loopback0
MPLS A        | 251         | Site #       | RS203-2921-1   | 10.255.251.203
MPLS B        | 252         | Site #       | RS202-2911     | 10.255.252.202
DMVPN 1       | 253         | Site #       | RS203-2921-2   | 10.255.253.203
DMVPN 2       | 254         | Site #       | RS232-2921-2   | 10.255.254.232
MetroE        | 255         | Site #       | RS213-2911     | 10.255.255.213

Use a unique network range for loopbacks that is not summarized. This creates a host route (/32) for each WAN remote-site router.

Page 78: WAN Remote-Site Loopback Routing - BGP Configuration for Single-Router

Diagram: single router connected to the MPLS VPN via eBGP. The loopback is advertised explicitly as a /32 network statement.

interface Loopback0
 ip address 10.255.251.204 255.255.255.255
router bgp 65511
 bgp router-id 10.255.251.204
 network 10.255.251.204 mask 255.255.255.255
 neighbor 192.168.3.30 remote-as 65401

Page 79: WAN Remote-Site Loopback Routing - EIGRP Configuration for Single-Router

Diagram: single router connected to the Internet/DMVPN via EIGRP(200). The network statement for 10.255.0.0/16 covers all loopbacks.

interface Loopback0
 ip address 10.255.253.205 255.255.255.255
router eigrp 200
 network 10.255.0.0 0.0.255.255
 eigrp router-id 10.255.253.205

Page 80: WAN Remote-Site Loopback Routing - Configuration for Single-Router (MPLS with DMVPN Backup)

Diagram: single router with an MPLS VPN primary link (eBGP) and an Internet/DMVPN backup link (EIGRP 200). Choose the loopback from the address block of the primary link for a single-router, dual-link remote site.

interface Loopback0
 ip address 10.255.251.201 255.255.255.255
router bgp 65511
 bgp router-id 10.255.251.201
 network 10.255.251.201 mask 255.255.255.255
 neighbor 192.168.3.22 remote-as 65401
router eigrp 200
 network 10.255.0.0 0.0.255.255
 eigrp router-id 10.255.251.201

BGP advertises the loopback explicitly; the EIGRP network statement for 10.255.0.0/16 covers all loopbacks.

Page 81: WAN Remote-Site Loopback Routing - Configuration for Dual-Router (MPLS with DMVPN Backup)

Diagram: R1 connects to the MPLS VPN (eBGP) and R2 to the Internet/DMVPN (EIGRP 200); R1 and R2 run EIGRP(100) between them on the LAN. The LAN facing routing protocol process is used to advertise the R2 loopback to R1 (and the R1 loopback to R2).

R1:
interface Loopback0
 ip address 10.255.251.203 255.255.255.255
router eigrp 100
 network 10.255.0.0 0.0.255.255
 eigrp router-id 10.255.251.203

R2:
interface Loopback0
 ip address 10.255.253.203 255.255.255.255
router eigrp 100
 network 10.255.0.0 0.0.255.255
 eigrp router-id 10.255.253.203

Page 82: WAN Remote-Site Loopback Routing - Configuration for Dual-Router (MPLS with DMVPN Backup) (continued)

Diagram: R1 connects to the MPLS VPN (eBGP) and R2 to the Internet/DMVPN (EIGRP 200); R1 and R2 run EIGRP(100) between them on the LAN. Loopbacks are carried in BGP on R1 and in EIGRP on R2, with redistribution between the LAN and WAN EIGRP processes on R2.

R1:
router bgp 65511
 bgp router-id 10.255.251.203
 network 10.255.251.203 mask 255.255.255.255
 network 10.255.253.203 mask 255.255.255.255

Both loopbacks need to be explicitly listed in the BGP configuration.

R2:
router eigrp 200
 network 10.255.0.0 0.0.255.255
 redistribute eigrp 100 route-map LOOPBACK-ONLY
 eigrp router-id 10.255.253.203
 eigrp stub connected summary redistributed
ip access-list standard R1-LOOPBACK
 permit 10.255.251.203
route-map LOOPBACK-ONLY permit 10
 match ip address R1-LOOPBACK

Two-way redistribution is required for the EIGRP WAN routing protocol (on R2). Only the loopback addresses should be redistributed from LAN to WAN.
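Why the CVD moves loopbacks out of the site summary, as an added Python model (not from the deck) of the WAN-aggregation routing table with longest-prefix matching: the initial approach of slides 74-76 (loopbacks inside 10.5.48.0/21) reproduces the slide 76 blackhole when the LAN interconnect is down, while the 10.255.<transport>.<site>/32 scheme of slides 77-82 keeps R2's loopback reachable via its own link. The "alive" model of which router can deliver to which address is a simplification of mine.

```python
"""Longest-prefix-match model of remote-site loopback reachability (added example, not from the deck).

Prefixes, loopbacks and the transport octets are those shown on slides 74-82; the
failure reproduced is slide 76 (LAN interconnect down, primary link up).
"""
from ipaddress import ip_address, ip_network

# Third octet per WAN transport, from the table on slide 77
TRANSPORT_OCTET = {"MPLS A": 251, "MPLS B": 252, "DMVPN 1": 253, "DMVPN 2": 254, "MetroE": 255}


def loopback_for(transport: str, site: int) -> str:
    """CVD loopback: 10.255.<transport octet>.<site number> (advertised as a /32)."""
    if not 1 <= site <= 254:
        raise ValueError("site number must fit in the fourth octet")
    return f"10.255.{TRANSPORT_OCTET[transport]}.{site}"


def lookup(routes, dst):
    """Longest-prefix match over [(prefix, next_hop_router)]; None when no route matches."""
    addr = ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def reachable(routes, dst, alive):
    """dst is reachable only if the router its best route points at can still deliver to it.
    'alive' maps a router name to the set of addresses it can reach locally (my simplification)."""
    via = lookup(routes, dst)
    return via is not None and ip_address(dst) in alive.get(via, set())


# Initial approach (slides 74-76): one summary 10.5.48.0/21 learned over both links;
# the BGP copy via R1 (primary) is the best path, so the table holds only that entry.
R1_LOOP_OLD, R2_LOOP_OLD = "10.5.48.254", "10.5.48.253"
HQ_OLD = [("10.5.48.0/21", "R1")]

# CVD scheme (slides 77-82): the site summary plus one /32 per router, each via its own link.
R1_LOOP_NEW = loopback_for("MPLS A", 203)    # R1 on MPLS A  -> 10.255.251.203
R2_LOOP_NEW = loopback_for("DMVPN 1", 203)   # R2 on DMVPN 1 -> 10.255.253.203
HQ_NEW = [("10.5.48.0/21", "R1"), (R1_LOOP_NEW + "/32", "R1"), (R2_LOOP_NEW + "/32", "R2")]


def lan_interconnect_down(r1_loop, r2_loop):
    """Slide 76 failure: both routers are up but cannot reach each other over the LAN,
    so each can deliver only to its own loopback."""
    return {"R1": {ip_address(r1_loop)}, "R2": {ip_address(r2_loop)}}


def r2_loopback_reachable_old() -> bool:
    """Initial approach: HQ follows the summary to R1, which cannot reach R2 -> blackhole."""
    return reachable(HQ_OLD, R2_LOOP_OLD, lan_interconnect_down(R1_LOOP_OLD, R2_LOOP_OLD))


def r2_loopback_reachable_new() -> bool:
    """CVD scheme: the /32 via R2 is more specific than the summary and wins."""
    return reachable(HQ_NEW, R2_LOOP_NEW, lan_interconnect_down(R1_LOOP_NEW, R2_LOOP_NEW))


if __name__ == "__main__":
    print("initial approach: R2 loopback via", lookup(HQ_OLD, R2_LOOP_OLD),
          "reachable:", r2_loopback_reachable_old())
    print("CVD scheme:       R2 loopback via", lookup(HQ_NEW, R2_LOOP_NEW),
          "reachable:", r2_loopback_reachable_new())
```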