BRKRST-2041
#CLUS

WAN Architectures and Design Principles
Dave Fusik, Customer Solutions Architect
@davefusik
Agenda
• Introduction
• Wide Area Network Design Principles
• WAN Transport and Overlay Technologies
• Enhanced WAN Capabilities
• Software Defined WAN Design Considerations
• WAN Architecture Best Practices
• Conclusion

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Webex Teams
Questions? Use Cisco Webex Teams to chat with the speaker after the session.
How:
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
Webex Teams will be moderated by the speaker until June 16, 2019.
cs.co/ciscolivebot#BRKRST-2041
Introduction

The WAN Technology Continuum
[Figure: timeline from 1960 (ARPAnet) through 1970, 1980, 1990, 2000 and 2010 to “Today” and “Future”. Eras labelled on the figure: Early Networking (Early-Mid 1990s: Flat/Bridged, Multiprotocol, Experimental Networks); Business Enabling / Mission Critical (Mid 1990s-Late 2000s: Large Scale); Business Survival Planning; Build to Scale; Global Scale. Architectural lessons called out: IP Ubiquity; Redundancy; “Route First, Bridge only if Must”; Protocols required for Scale & Restoration. Technologies placed along the timeline: Internet Protocol, TCP/IP, RIP (BSD), X.25, Frame-Relay, OSPF, ISDN, ATM, GRE, Tag Switching, BGP, DMVPN, GETVPN, IPv6, MetroEthernet, 4G/LTE, NFV, SDWAN.]
The Challenge
Build a network that can adapt to a quickly changing business and technical environment.

Realize rapid strategic advantage from new technologies
• IPv6: global reachability
• Cloud: flexible diversified resources
• Internet of Things
• Fast-IT
• What’s next?

Adapt to business changes rapidly and smoothly
• Mergers and divestitures
• Shifting regulatory and security requirements
• Public perception of services

Photo by Mikito Tateisi on Unsplash
Wide Area Network Design Principles

Network Design Modularity
[Figure: tiered WAN model. Tier 1: Global IP/MPLS Core. Tier 2: In-Theater IP/MPLS Cores for the East Theater and West Theater, serving the East Region and West Region. Tier 3: regional services such as Internet, Cloud, Public Voice/Video, Mobility, Private IP Service, Public IP Service and Metro Service.]
Hierarchical Network Principle
Use hierarchy to manage network scalability and complexity while reducing routing algorithm overhead.

Hierarchical design used to be…
• Three routed layers - Core, aggregation, access
• Only one hierarchical structure end-to-end

But has become any design that…
• Splits the network up into regions
• Separates regions by hiding information
• Organizes regions around a network core
• “Hub and Spoke” at a macro level
Wide Area Network Design Trends

Single Carrier Designs
• Enterprise homes all sites to a single MPLS VPN carrier for L3 connectivity
  Pro: Simple design with consistent features
  Con: Bound to single carrier for feature velocity
  Con: Vulnerable to MPLS cloud failure scenario

Dual Carrier Designs
• Enterprise single/dual homes sites into one/both MPLS VPN carriers
  Pro: Protection against full MPLS cloud failure
  Pro: Leverage for competitive services pricing
  Con: Complexity from service differences between carriers (QoS, BGP AS, etc.)
  Con: Must settle for least common denominator features
Wide Area Network Design Trends (cont.)

Hybrid and Overlay Designs
• Tunneling/encryption enables transport agnostic design
  Pro: On-demand or permanent backup links
  Pro: Commodity broadband services offer lower cost, higher bandwidth
  Pro: Flexible overlay topology independent of physical underlay connectivity
  Con: Two “layers” to support
  Con: SLA over commodity transport services
  Con: Must consider potential for fragmentation
Single Carrier Design
• Single homed site
  • Advertise local prefixes and optionally use default route
• Dual homed site - Non Transit
  • Only advertise local prefixes (^$)
  • Typically with Dual CE routers
• BGP design:
  • eBGP to carrier
  • iBGP between CEs
  • Redistribute cloud learned routes into the site IGP
Dual Carrier Design: Transit vs. Non Transit
• To guarantee single homed site reachability to dual homed site during failure, create transit site
• Transit sites act as a BGP routing bridge between the two provider clouds
• Transit sites need to be strategically selected with geographic diversity to minimize latency costs (e.g. East, West, Central)
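The `^$` non-transit export policy from the previous slide and the transit-site alternative from this one, worked as an added example (code written for this edit, not part of the BRKRST-2041 deck). The prefixes, private ASNs and carrier labels are constructed; the AS-path matching mirrors how an IOS `ip as-path access-list` regex is applied to the space-separated AS_PATH, which is why `^$` permits only routes the site originated itself.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    as_path: tuple        # () means the CE originated the route itself
    learned_from: str     # "local", "carrier-A" or "carrier-B" (constructed labels)


# Constructed RIB of a dual-homed site; ASNs are private and made up.
CARRIER_AS = {"carrier-A": 65001, "carrier-B": 65002}
SITE_RIB = [
    BgpRoute("10.50.0.0/16", (), "local"),                   # this site's own prefix
    BgpRoute("10.10.0.0/16", (65001, 65010), "carrier-A"),   # another site, via carrier A
    BgpRoute("10.20.0.0/16", (65002, 65020), "carrier-B"),   # another site, via carrier B
    BgpRoute("0.0.0.0/0", (65001,), "carrier-A"),            # default offered by carrier A
]

# IOS matches an as-path access-list regex against the AS_PATH rendered as
# space-separated ASNs, so "^$" permits only routes with an empty path.
ORIGINATED_ONLY = re.compile(r"^$")


def as_path_string(route: BgpRoute) -> str:
    return " ".join(str(asn) for asn in route.as_path)


def export_non_transit(rib) -> list:
    """Outbound policy of a non-transit dual-homed site: local prefixes only."""
    return [r for r in rib if ORIGINATED_ONLY.search(as_path_string(r))]


def export_transit(rib, to_carrier: str) -> list:
    """Outbound policy of a transit site towards one carrier: local prefixes plus
    site prefixes learned from the other carrier, so single-homed sites behind
    either cloud can still reach each other through this site."""
    return [
        r for r in rib
        if r.learned_from == "local"
        or (r.learned_from in CARRIER_AS and r.learned_from != to_carrier
            and r.prefix != "0.0.0.0/0")        # never re-export a carrier default
    ]


def transit_prefixes(advertised) -> list:
    """Check for a non-transit site: prefixes whose advertisement would make this
    site carry other sites' traffic (non-empty AS path). Must be empty."""
    return [r.prefix for r in advertised if r.as_path]


if __name__ == "__main__":
    print("non-transit export :", [r.prefix for r in export_non_transit(SITE_RIB)])
    print("transit export to B:", [r.prefix for r in export_transit(SITE_RIB, "carrier-B")])
    print("transit check      :", transit_prefixes(export_transit(SITE_RIB, "carrier-B")))
```

Running `transit_prefixes` over what a site actually advertises is a cheap audit for an accidental transit site: a dual-homed CE that exports carrier-learned routes becomes a path between the two clouds whether or not that was the intent.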
Single Carrier vs. Dual Carriers
Simplicity vs. Resiliency

Single Carrier
Pro: Common QoS support model
Pro: Only one carrier to “tune”
Pro: Reduced head end circuits
Pro: Overall simpler design
Con: Carrier failure could be catastrophic
Con: No leverage to negotiate lower costs
Con: Bound to single carrier feature velocity

Dual Carriers
Pro: More fault domains
Pro: More product offerings to business
Pro: Ability to leverage vendors for better pricing
Pro: Second vendor option
Con: Increased bandwidth, “paying for bandwidth twice”
Con: Increased overall design complexity
Con: May be reduced to “common denominator” between carriers
WAN Transport and Overlay Technologies

WAN Transport Technologies
• Layer 1 optical – Dark Fiber, DWDM, SONET
  • Deployed in point-to-point
• Layer 1 legacy – T1/E1, T3/E3, DSx, OCx
• Layer 2 Metro Ethernet – E-Line, E-LAN
  • Point-to-point, point-to-multipoint
• Layer 2 legacy – Frame Relay, ATM
• Layer 3 IP – MPLS, IP VPN, Internet
  • Any-to-any, very scalable
MPLS L3VPN Topology
• MPLS WAN is provided by a service provider
• As seen by the enterprise network, every site is one IP “hop” away
• Equivalent to a full mesh, or to a “hubless” hub-and-spoke
Virtual Routing and Forwarding Instance (VRF)
Provides Network Virtualization and Path Isolation
• Virtualization at Layer 3 forwarding
• Associates to Layer 3 interfaces on router/switch
• Each VRF has its own
  • Forwarding table (CEF)
  • Routing process (RIP, OSPF, BGP)
• VRF-Lite: hop-by-hop
• MPLS VPN: multi-hop

! PE Router – Multiple VRFs
vrf definition BLUE
 rd 65100:10
 address-family ipv4
  route-target import 65100:10
  route-target export 65100:10
 exit-address-family
vrf definition YELLOW
 rd 65100:20
 address-family ipv4
  route-target import 65100:20
  route-target export 65100:20
 exit-address-family
!
interface GigabitEthernet0/1.10
 vrf forwarding BLUE
interface GigabitEthernet0/1.20
 vrf forwarding YELLOW
Metro Ethernet Service (L2VPN)

E-Line (Point-to-Point)
• Replaces legacy TDM circuits and Frame-Relay/ATM virtual circuits (VCs)
• Point-to-point Ethernet VCs (EVCs) offer predictable performance for applications
• One or more EVCs allowed per single physical interface (UNI)
• Supports “hub & spoke” topology

E-LAN (Point-to-Multipoint)
• Offers point to multipoint connectivity
• Transparent to VLANs and Layer 2 control protocols
• 4 or 6 classes of QoS support
• Supports service multiplexing (e.g. Internet access and corporate VPN via one UNI)
MPLS (L3VPN) vs. Metro Ethernet (L2VPN)

MPLS Layer 3 Service
• Routing protocol dependent on the carrier
• Layer 3 capability depends on carrier offering
• QoS (4 classes/6 classes)
• IPv6 capability
• Transport IP protocol only
• Highly scalable and ideal for large network

MetroE Layer 2 Service
• Flexibility of routing protocol and network topology independent of the carrier
• Customer manages layer 3 QoS
• Capable of transport IP and non-IP traffic
• Routing protocol determines scalability in point-to-multipoint topology
Types of Overlay Service

Layer 2 Overlays
• Layer 2 Tunneling Protocol—Version 3 (L2TPv3)
  – Layer 2 payloads (Ethernet, Serial,…)
  – Pseudowire capable
• Other L2 overlay technologies – OTV, VxLAN, MPLS-over-GRE/mGRE

Layer 3 Overlays
• IPSec—Encapsulating Security Payload (ESP)
  – Strong encryption
  – IP Unicast only
• Generic Routing Encapsulation (GRE)
  – IP Unicast, Multicast, Broadcast
  – Multiprotocol support
• Other L3 overlay technologies – MPLS-over-GRE/mGRE, LISP
Tunnelling
GRE and IPSec Transport and Tunnel Modes
[Figure: packet layouts. GRE: a new IP HDR (20 bytes) and GRE header (4 bytes) are prepended to the original IP HDR + IP Payload; the GRE packet carries IP protocol 47 and is forwarded using the new IP destination. IPSec Transport mode: IP HDR (20 bytes), ESP HDR, IP Payload, ESP Trailer (2 bytes), ESP Auth; the payload and trailer are encrypted, and ESP HDR through ESP Trailer are authenticated; the figure shows about 30 bytes of ESP overhead. IPSec Tunnel mode: new IP HDR (20 bytes), ESP HDR, original IP HDR + IP Payload, ESP Trailer, ESP Auth; the original header and payload are encrypted and ESP HDR through ESP Trailer are authenticated; the figure shows about 54 bytes of overhead.]
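The “potential for fragmentation” caveat on the overlay design slide follows directly from the header sizes in this figure. As an added example (written for this edit, not from the BRKRST-2041 deck), the block below turns the figure’s approximate byte counts into the inner MTU and TCP MSS an overlay must be clamped to so that encapsulated packets still fit the underlay MTU. The `OVERHEAD` values are assumptions taken from the figure; real ESP overhead varies with cipher block size, padding and ICV length.

```python
from dataclasses import dataclass

IP_HDR = 20          # new outer IPv4 header (figure)
GRE_HDR = 4          # basic GRE header without key/sequence fields (figure)
ESP_TRANSPORT = 30   # ESP header + trailer + auth, figure's approximate value
ESP_TUNNEL = 54      # outer IP + ESP header + trailer + auth, figure's value
TCP_IP_HDRS = 40     # IPv4 + TCP headers, used to derive an MSS from an MTU

# Bytes added to the original IP packet by each encapsulation (assumed values).
OVERHEAD = {
    "gre": IP_HDR + GRE_HDR,                                   # 24
    "ipsec-transport": ESP_TRANSPORT,                          # 30
    "ipsec-tunnel": ESP_TUNNEL,                                # 54
    "gre+ipsec-transport": IP_HDR + GRE_HDR + ESP_TRANSPORT,   # 54
    "gre+ipsec-tunnel": IP_HDR + GRE_HDR + ESP_TUNNEL,         # 78
}


@dataclass
class TunnelPlan:
    encap: str
    underlay_mtu: int
    tunnel_mtu: int     # largest inner packet that fits the underlay unfragmented
    tcp_mss: int        # MSS to clamp so TCP never builds an oversized segment


def plan_tunnel(encap: str, underlay_mtu: int = 1500) -> TunnelPlan:
    """Derive the inner MTU and TCP MSS that avoid underlay fragmentation."""
    tunnel_mtu = underlay_mtu - OVERHEAD[encap]
    return TunnelPlan(encap, underlay_mtu, tunnel_mtu, tunnel_mtu - TCP_IP_HDRS)


def will_fragment(inner_len: int, encap: str, underlay_mtu: int = 1500) -> bool:
    """True when an inner packet of this size exceeds the underlay MTU once encapsulated."""
    return inner_len + OVERHEAD[encap] > underlay_mtu


if __name__ == "__main__":
    for encap in OVERHEAD:
        p = plan_tunnel(encap)
        print(f"{encap:21s} overhead={OVERHEAD[encap]:3d}  tunnel mtu={p.tunnel_mtu}  "
              f"mss={p.tcp_mss}  1500-byte packet fragments: {will_fragment(1500, encap)}")
```

Every row shows a 1500-byte inner packet fragmenting on a 1500-byte underlay, which is why tunnel interfaces are normally given an explicit `ip mtu` and `ip tcp adjust-mss` below the values computed here; fragmenting after encryption is the expensive case, since the receiving peer must reassemble before it can authenticate and decrypt.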
Cisco Site to Site VPN Technologies Comparison

Infrastructure Network
• DMVPN: Public or Private Transport; Overlay Routing; IPv4/IPv6 dual Stack
• FlexVPN: Public or Private Transport; Overlay Routing
• GET VPN: Private IP Transport; Flat/Non-Overlay IP Routing

Network Style
• DMVPN: Large Scale Hub and Spoke with dynamic Any-to-Any
• FlexVPN: Converged Site to Site and Remote Access
• GET VPN: Any-to-Any (Site-to-Site)

Failover Redundancy
• DMVPN: Active/Active based on Dynamic Routing
• FlexVPN: Dynamic Routing or IKEv2 Route Distribution; Server Clustering
• GET VPN: Transport Routing; COOP Based on GDOI

Scalability
• DMVPN: Unlimited; 3000+ Client/Srv
• FlexVPN: Unlimited; 3000+ Client/Srv
• GET VPN: 8000 GM total; 4000 GM/KS

IP Multicast
• DMVPN: Multicast replication at hub
• FlexVPN: Multicast replication at hub
• GET VPN: Multicast replication in IP WAN network

QoS
• DMVPN: Per Tunnel QoS, Hub to Spoke
• FlexVPN: Per SA QoS, Hub to Spoke; Per SA QoS, Spoke to Spoke
• GET VPN: Transport QoS

Policy Control
• DMVPN: Locally Managed
• FlexVPN: Centralized Policy Management
• GET VPN: Central or Local Management

Technology
• DMVPN: Tunneled VPN; Multi-Point GRE Tunnel; IKEv1 & IKEv2
• FlexVPN: Tunneled VPN; Point to Point Tunnels; IKEv2 Only
• GET VPN: Tunnel-less VPN; Group Protection; IKEv1 & IKEv2
Dynamic Multipoint VPN (DMVPN)
Secure On-Demand Tunnels
• Branch sites establish an IPsec tunnel to, and register with, the hub site
• IP routing exchanges prefix information for each site
• BGP or EIGRP are typically used for scalability
• Data traffic flows over the DMVPN tunnels
• When traffic flows between spoke sites, the hub assists the spokes to establish a site-to-site tunnel
• Per-tunnel QoS is applied to prevent hub site oversubscription to spoke sites
• The WAN interface IP is the tunnel source address, so the provider network does see the customer IP prefixes
[Figure: an ASR 1000 hub with ISR routers at Branch 1, Branch 2 … Branch n connected over an IPsec VPN. Legend: Traditional Static Tunnels use static, known IP addresses; DMVPN On-Demand Tunnels use dynamic, unknown IP addresses.]
FlexVPN
• Created to simplify the deployment of VPNs
• Provides a unified ecosystem to cover all types of VPN: Remote Access, Teleworker, Site-to-site, Mobility, Managed security services, and others
• A single FlexVPN deployment can accept multiple types of connections at the same time
• Provides compatibility with any IKEv2-based third-party VPN vendors, including native VPN clients from Apple iOS and Android devices
• VPN dynamic policies (i.e. split-tunnel policy, encryption policy, VRF selection, DNS server for remote access) can be fully integrated with the AAA/RADIUS and applied on a per peer basis

Typical Cisco FlexVPN Deployment
• Deployed over public or private transport
• Standards-based encryption technology
• Highly secure parameters by default
• Superior hierarchical QoS per SA
• Hub Multicast, or transport, replication
Group Encrypted Transport VPN (GETVPN)
Tunnel-Less VPN over Private WAN
• Uses Group Domain of Interest (GDOI – RFC 6407) to distribute common IPsec keys to a group of VPN gateway devices
• Key Servers (KSs) create and maintain the GETVPN control plane, centrally defining encryption policies that are pushed to IKE authenticated Group Members (GMs) at the time of registration
• GMs handle the encryption/decryption (i.e. the data plane) based on the downloaded, or local, policy
• GETVPN preserves the original unicast or multicast source and destination packet addresses, which provides the ability to route encrypted packets using the underlying network routing infrastructure
• Cooperative KSs provide a highly available control plane
[Figure: Key Servers and Group Members across a private WAN, including a multicast flow.]
• Scalable architecture for any-to-any connectivity and encryption
• No overlays—native routing
• Any-to-any instant connectivity
• Enhanced QoS
• Efficient Multicast replication
Link Speeds Out-Pacing IP Encryption
[Figure: link bandwidth versus time, with a Link Speed curve rising above the IPSec Encryption Speed curve after the point where link speed = encryption speed.]
• Bandwidth application requirements outpacing IP encryption capabilities
• Bi-directional traffic and packet sizes further impact encryption performance
• IPSec engines dictate aggregate performance of the platform (much lower throughput)
• Cost per bit for IPSec much more expensive
• Encryption must align with link speed (100G+) to support next-generation applications
What is MAC Security (MACsec)?
Hop-by-Hop Encryption via IEEE 802.1AE
• Hop-by-Hop Encryption model
  - Packets are decrypted on ingress port
  - Packets are in the clear in the device
  - Packets are encrypted on egress port
• Supports 1/10G, 40G, 100G encryption speeds
• Data plane (IEEE 802.1AE) and control plane (IEEE 802.1x-Rev)
• Transparent to IPv4/v6, MPLS, multicast, routing
• Encryption aligns with Link PHY speed (Ethernet)
[Figure: two encrypted segments (128/256 bit AES GCM encryption, MACsec PHY) joined by a router: decrypt at ingress, everything in clear through the router, encrypt at egress.]
What is “WAN MACsec”?
[Figure: a Central Campus/DC and a Remote Campus/DC, each with a MACsec Capable Router and MACsec Capable PHY, connected across a Public Carrier Ethernet Service made of service provider owned routers/bridges (SP Owned Ethernet Transport Devices). A MACsec MKA Session runs end to end over the MACsec Secured Path.]
• Leverage MACsec over “public” standard Ethernet transport
• Optimize MACsec + WAN features to accommodate running over public Ethernet transport
• Target “line-rate” encryption for high-speed applications
• Inter DC, MPLS WAN links, massive data projects
• Targets 100G, but supports 1/10/40G as well
What is “WAN” MACsec?
New Enhancements to 802.1AE for WAN/Metro-E Transport
• AES-256 (AES/GCM) support – 1/10/40 and 100G rates
  • Target Next Generation Encryption (NGE) profile that currently leverages public NSA Suite B
• Standards Based MKA key framework
  • (defined in 802.1X-2010) within Cisco security development (Cisco “NGE”)
• Ability to support 802.1Q tags in clear
  • Offset 802.1Q tags in clear before encryption (2 tags is optional)
• Vital Network Features to Interoperate over Public Carrier Ethernet Providers
  • 802.1Q tag in the clear
  • Ability to change MKA EAPoL Destination Address type
  • Ability to change MKA Ether-type value
  • Ability to configure Anti-replay window sizes
• System Interoperability
  • Create a common MACsec integration among all MACsec platforms in Cisco and Open Standards
WAN MACsec Use Case – 802.1Q Tag in the Clear
• Leverage 802.1Q for logical connectivity to each site
• This is analogous to “channelization” in SONET
• Router leverages IP sub-interface tag per location
[Figure: a MACsec PHY router sends 802.1Q VLAN tags (10, 20, 30, 40) over a physical Ethernet wire into the Public Ethernet Transport, whose Ethernet interface supports 802.1q trunking; one encrypted Ethernet session per destination, using the 802.1q tag on the SP n-PE.]
WAN MACsec – 802.1Q Tag in the Clear
Expose the 802.1Q tag “outside” the encrypted payload
• Allows the ability to leverage MACsec on a per sub-interface basis, exposing the “802.1Q tag” outside the encryption header.
• Example:

...
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1
interface GigabitEthernet0/0/4.20
 encapsulation dot1Q 20
 ip address 10.3.2.1 255.255.255.0
 mka pre-shared-key key-chain k1
 macsec
!
interface GigabitEthernet0/0/4.30
 encapsulation dot1Q 30
 ip address 10.3.3.1 255.255.255.0
 mka pre-shared-key key-chain k1
 macsec

Note: “1” denotes one .1Q tag depth
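What `macsec dot1q-in-clear 1` changes on the wire, shown as an added example (written for this edit, not Cisco code): the block builds an 802.1AE frame with the chosen number of 802.1Q tags placed ahead of the SecTAG and then parses back exactly the fields a provider device can read without the MACsec key. The SecTAG layout (EtherType 0x88E5, TCI/AN, SL, 32-bit PN, optional 8-byte SCI, 16-byte ICV at the end) is the standard one; the MAC addresses, VLAN IDs and the opaque `ciphertext` stand-in are constructed, and the ICV is zero-filled because the example demonstrates framing, not the GCM computation.

```python
import struct

MACSEC_ETHERTYPE = 0x88E5   # IEEE 802.1AE SecTAG EtherType
DOT1Q_ETHERTYPE = 0x8100
ICV_LEN = 16                # GCM-AES-128 and GCM-AES-256 both append a 16-byte ICV
# TCI bits of the SecTAG's TCI/AN octet; the association number sits in the low 2 bits.
TCI_SC, TCI_E, TCI_C = 0x20, 0x08, 0x04   # SCI present, Encrypted, Changed text


def build_sectag(an: int, pn: int, sci: bytes = b"") -> bytes:
    """SecTAG: EtherType, TCI/AN, SL (0 for frames of 48+ bytes), PN, optional SCI."""
    tci_an = TCI_E | TCI_C | (an & 0x03) | (TCI_SC if sci else 0)
    return struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, 0, pn) + sci


def build_frame(dst, src, vlans, ciphertext, tags_in_clear, an, pn, sci=b""):
    """Assemble a MACsec frame. The first `tags_in_clear` 802.1Q tags go before the
    SecTAG (what "macsec dot1q-in-clear N" exposes); any further tags belong to
    the protected user data, represented here by the opaque `ciphertext`."""
    frame = dst + src
    for vid in vlans[:tags_in_clear]:
        frame += struct.pack("!HH", DOT1Q_ETHERTYPE, vid & 0x0FFF)
    # ICV zero-filled: this example shows framing, not the GCM tag computation.
    return frame + build_sectag(an, pn, sci) + ciphertext + b"\x00" * ICV_LEN


def parse_clear_fields(frame: bytes) -> dict:
    """Everything a transit device without the MACsec key can read from the frame."""
    dst, src, off = frame[:6], frame[6:12], 12
    vlans = []
    while struct.unpack("!H", frame[off:off + 2])[0] == DOT1Q_ETHERTYPE:
        vlans.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    ethertype, tci_an, sl, pn = struct.unpack("!HBBI", frame[off:off + 8])
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError(f"not a MACsec frame: ethertype {ethertype:#06x}")
    off += 8
    sci = None
    if tci_an & TCI_SC:
        sci, off = frame[off:off + 8], off + 8
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "vlans_in_clear": vlans,                     # what the SP can switch on
        "an": tci_an & 0x03, "pn": pn,
        "sci": sci.hex() if sci else None,
        "encrypted": bool(tci_an & TCI_E),
        "protected_len": len(frame) - off - ICV_LEN,  # bytes the SP cannot read
    }


if __name__ == "__main__":
    dst, src = bytes.fromhex("0200000000a1"), bytes.fromhex("0200000000b2")  # constructed
    sci = src + b"\x00\x01"                      # SCI = source MAC + port identifier
    body = b"\xa5" * 64                          # constructed stand-in for GCM output
    for n in (0, 1):
        f = parse_clear_fields(build_frame(dst, src, [20, 100], body, n, an=0, pn=7, sci=sci))
        print(f"dot1q-in-clear {n}: VLANs visible={f['vlans_in_clear']} "
              f"protected bytes={f['protected_len']} pn={f['pn']}")
```

The trade-off the slide is making is visible in the parser output: with one tag in the clear the carrier can deliver each sub-interface to its own destination, and in exchange the VLAN ID, the MAC addresses, the packet number and the SCI are observable metadata; the payload (including any second tag) stays inside the protected region.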
Enabling Enhanced WAN Capabilities
• Quality of Service
• Cisco vBranch with Enterprise NFV
• WAN Extension into the Cloud

Quality of Service Operations
How Does It Work and Essential Elements
[Figure: pipeline of Classification and Marking → Queuing and Dropping → Post-Queuing Operations.]
• Classification and Marking: The first element of a QoS policy is to classify/identify the traffic that is to be treated differently. Following classification, marking tools can set an attribute of a frame or packet to a specific value.
• Policing: Determine whether packets are conforming to administratively-defined traffic rates and take action accordingly. Such action could include marking, remarking or dropping a packet.
• Scheduling (including Queuing and Dropping): Scheduling tools determine how a frame/packet exits a device. Queuing algorithms are activated only when a device is experiencing congestion and are deactivated when the congestion clears.
Enabling QoS in the WAN
Traffic Profiles and SLA Requirements

Voice
• Smooth, Benign, Drop sensitive, Delay sensitive, UDP priority
• The bandwidth per call depends on the CODEC, Sampling-Rate, and the Layer 2 Media
• One-Way Requirements: Latency ≤ 150 ms; Jitter ≤ 30 ms; Loss ≤ 1%; Bandwidth (30-128Kbps)

SD Video Conf
• Bursty, Greedy, Drop sensitive, Delay sensitive, UDP priority
• SD/VC has the same requirements as VoIP, but has radically different traffic patterns (BW varies greatly)
• One-Way Requirements: Latency ≤ 150 ms; Jitter ≤ 30 ms; Loss ≤ 0.05%; Bandwidth (1Mbps)

Telepresence
• Bursty, Drop sensitive, Delay sensitive, Jitter sensitive, UDP priority
• HD/VC has tighter requirements than VoIP in terms of jitter, and BW varies based on the resolutions
• One-Way Requirements: Latency ≤ 200 ms; Jitter ≤ 20 ms; Loss ≤ 0.10%; Bandwidth (5.5-16Mbps)

Data
• Smooth/bursty, Benign/greedy, Drop insensitive, Delay insensitive, TCP retransmits
• Traffic patterns for Data vary among Applications
• Data Classes: Mission-Critical Apps; Transactional/Interactive Apps; Bulk Data Apps; Best Effort Apps (Default)
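The voice column says per-call bandwidth depends on codec, sampling rate and Layer 2 media; the added example below (written for this edit, not part of the deck) computes it from those three inputs using the standard 40-byte IP/UDP/RTP header stack and typical Layer 2 header sizes, sizes an LLQ reservation for N calls, and checks measured one-way metrics against the SLA thresholds given on the slide. The codec rates, Layer 2 overheads and the `tunnel_bytes` hook for an overlay’s encapsulation overhead are assumptions made here; they are not figures from the slide.

```python
import math

CODEC_BPS = {"G.711": 64_000, "G.729": 8_000}          # voice payload bit rate (assumed)
IP_UDP_RTP_BYTES = 40                                   # IPv4 20 + UDP 8 + RTP 12, no cRTP
L2_BYTES = {"ethernet": 18, "ethernet-dot1q": 22, "ppp": 6, "frame-relay": 6}

# One-way SLA thresholds as stated on the slide above.
ONE_WAY_SLA = {
    "voice":    {"latency_ms": 150, "jitter_ms": 30, "loss_pct": 1.0},
    "sd-video": {"latency_ms": 150, "jitter_ms": 30, "loss_pct": 0.05},
    "hd-video": {"latency_ms": 200, "jitter_ms": 20, "loss_pct": 0.10},
}


def per_call_bps(codec: str, sample_ms: int = 20, l2: str = "ethernet",
                 tunnel_bytes: int = 0) -> float:
    """Bits per second one call consumes on the wire for a codec, packetization
    interval and Layer 2 medium; tunnel_bytes adds GRE/IPsec overhead if any."""
    payload = CODEC_BPS[codec] * sample_ms / 8000       # voice bytes per packet
    pps = 1000 / sample_ms                              # packets per second
    frame = payload + IP_UDP_RTP_BYTES + tunnel_bytes + L2_BYTES[l2]
    return frame * 8 * pps


def priority_queue_kbps(calls: int, codec: str, sample_ms: int = 20,
                        l2: str = "ethernet", tunnel_bytes: int = 0) -> int:
    """Bandwidth (kbps) to reserve with the LLQ 'priority' command for N calls."""
    return math.ceil(calls * per_call_bps(codec, sample_ms, l2, tunnel_bytes) / 1000)


def sla_violations(profile: str, latency_ms: float, jitter_ms: float, loss_pct: float) -> list:
    """Names of the one-way metrics that exceed the slide's threshold for a profile."""
    measured = {"latency_ms": latency_ms, "jitter_ms": jitter_ms, "loss_pct": loss_pct}
    limits = ONE_WAY_SLA[profile]
    return [name for name, value in measured.items() if value > limits[name]]


if __name__ == "__main__":
    for codec in CODEC_BPS:
        for l2 in ("ethernet", "ppp"):
            print(f"{codec} 20 ms over {l2:8s}: {per_call_bps(codec, 20, l2) / 1000:.1f} kbps")
    print("G.729 over a 78-byte GRE+IPsec overlay:",
          per_call_bps("G.729", tunnel_bytes=78) / 1000, "kbps")
    print("LLQ for 12 G.729 calls on Ethernet:", priority_queue_kbps(12, "G.729"), "kbps")
    print("voice SLA violations at 120 ms / 35 ms / 0.5%:",
          sla_violations("voice", 120, 35, 0.5))
```

Two things the arithmetic makes obvious that the table does not: header overhead dominates a low-rate codec (G.729 is 8 kbps of speech but over 31 kbps on Ethernet, and roughly double that again inside a GRE/IPsec overlay), and a longer packetization interval trades bandwidth for delay budget, which is why the same codec can land anywhere in the slide’s 30-128 kbps range.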
CBWFQ Operation
[Figure: IOS interface buffers. Packets in → pre-sorters → per-class CBWFQ queues (Network Control, Call Signaling, OAM, Multimedia Conferencing, Multimedia Streaming, Transactional Data, Bulk Data, Best Effort / Default, Scavenger), with fair queuing (FQ) inside several of the data classes → CBWFQ Scheduler → Tx-Ring → packets out.]

policy-map CBWFQ
 class NETWORK-CONTROL
  bandwidth percent 5
 class CALL-SIGNALING
  bandwidth percent 5
 class OAM
  bandwidth percent 5
 class MM-CONFERENCING
  bandwidth percent 10
  fair-queue
 …
LLQ Operation
[Figure: IOS interface buffers. VoIP packets pass a 1 Mbps policer into the LLQ (strict priority); the remaining classes go through FQ pre-sorters into CBWFQ queues; the CBWFQ Scheduler feeds the Tx-Ring.]

policy-map LLQ
 class VOIP
  priority 1000
 …
Traffic Shaping
[Figure: transmit rate over time without traffic shaping (bursts up to Line Rate) and with traffic shaping (held at the Shaped Rate).]
Traffic Shaping Limits the Transmit Rate to a Value Lower Than Line Rate
• Policers typically drop traffic
• Shapers typically delay excess traffic, smoothing bursts and preventing unnecessary drops
• Very common with Ethernet WAN, as well as Non-Broadcast Multiple-Access (NBMA) network topologies such as Frame Relay and ATM
Hierarchical QoS For Subrate Service
H-QoS Policy on WAN Interface, Shaper = CIR (Two Levels MQC)

policy-map PARENT
 class class-default
  shape average 150000000
  service-policy output CHILD

policy-map CHILD
 class VOICE
  priority percent 10
 class VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
  random-detect dscp-based
 class DATA
  bandwidth percent 19
  random-detect dscp-based
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
  service-policy MARK-BGP
 class class-default
  bandwidth percent 25
  random-detect

interface GigabitEthernet 0/1
 service-policy output PARENT

[Figure: Gig 0/1 shaped to the 150 Mbps Service Level, divided into Voice, Video, Critical Data, Network Critical, Scavenger and Best Effort classes.]
GRE/IPSec QoS Consideration
ToS Byte Preservation
[Figure: the ToS byte of the original IP header is copied to the new outer IP header. GRE Tunnel: outer IP HDR (ToS) + GRE HDR, carrying the original IP HDR (ToS) + IP Payload. IPSec Tunnel mode: outer IP HDR (ToS) + ESP HDR, carrying the original IP HDR (ToS) + IP Payload, followed by ESP Trailer and ESP Auth.]
Cisco vBranch with Enterprise NFV

Existing model slow and expensive
[Figure: sequential timeline. Initial Router order: order router → router delivery → router install → router online on the WAN line. Order Service 1: order appliance → appliance delivery → appliance install → service online, with the appliance placed behind the router. Order Service 2: order appliance → appliance delivery → appliance install → service online, adding a second appliance in line.]
What is Cisco vBranch?
Network services in minutes, on any platform
[Figure: stack. Management: Cisco DNA Center (DNAC); Cisco Network Service Orchestrator (NSO) / Virtual Managed Services (VMS). VNFs: Virtual Router (ISRv/vEdge), Virtual Firewall (ASAv), Virtual WAN Optimization (vWAAS), Virtual Wireless LAN Controller (vWLC), 3rd Party VNFs. Platform software: Network Functions Virtualization Infrastructure Software (NFVIS). Hardware: ISR 4000 + UCS E-Series, Enterprise Network Compute System, UCS C-Series.]
Freedom of Choice
Cisco Intelligent Branch
[Figure: four platform options, left to right. Traditional Physical Router on the Cisco® 4000 Series ISR (centralized services, fixed integrated services, conservative). Cisco ONE™ Enterprise NFV: Physical Router + Virtual Services on 4000 Series ISR + UCS® E-Series; Virtual Router + Virtual Services on the Enterprise Network Compute System (ENCS); Virtual Router + Virtual Services on UCS C-Series, COTS. Attributes called out: Upgradable hardware; Deterministic routing performance; Elastic routing and services; Router / Server Hybrid; Performance; Early adopter. Across all options: Access to Ongoing Innovation; License Portability; Investment Protection.]
Platform Built for Enterprise NFV
[Figure: deployment points Branch/Campus, Colocation Center and Public Cloud.]
ENCS 5000 Series for the Branch
• Best of Routing & Compute
• Complete Virtualized Services
• Open for Third Party Services and Apps
Enterprise Network Compute System: ENCS 5100 Series and ENCS 5400 Series
[Figure callouts: 8 Integrated LAN Ports with Optional POE; USB 3.0; Storage; Hardware Acceleration for VM Traffic; 2 Onboard Gigabit Ethernet ports with SFP; Network Interface Module for LTE & legacy WAN; 2 HDD or SSD, RAID 0 & 1.]
Network Services from Cisco
Consistent software across physical and virtual
[Figure: ISRv/vEdge (High Performance, Rich Features); ASAv/FTD* (Full DC-Class Featured Functionality); vWAAS (Application Optimization and Akamai Connect); vWLC (Built for small and medium branches); 3rd Party, Windows Server and Linux workloads (Active Directory, File Share, Server Applications, Custom Applications, DNS/DHCP, Network Services, Management & Monitoring).]
What changes with Cisco vBranch?
Before: Branch router, IPS/IDS appliance, WAAS appliance, Firewall appliance, Patch panel
After: NFVIS on a single x86 compute platform housing multiple VNFs
WAN Extension into the Cloud

Cloud Connectivity Challenges
• Complexity & Dependency – Need a simple and scalable way to securely extend the private network across Multicloud environments
• Inconsistent security policies between private & public – Need to apply consistent security policies
• Performance and ambiguity for best path to reach the cloud – Need to enhance application experience
[Figure: Users, Remote Branches and On-Prem Datacenters reaching Applications in the Public Cloud.]
Cisco Cloud Services Router (CSR) 1000V
Cisco IOS XE Software in a virtual network function form-factor
Enterprise-class networking with rapid deployment and flexibility
• Performance Elasticity: available licenses range from 10 Mbps to 10 Gbps; CPU footprint ranges from 1vCPU to 8vCPU
• Software: same IOS XE software as the ASR1000 and ISR4000
• Infrastructure Agnostic: runs on x86 platforms. Supported hypervisors: VMware ESXi, RHEL Linux KVM, Suse Linux KVM, Citrix Xen, Microsoft Hyper-V, Cisco NFVIS and CSP5000. Supported cloud platforms: Amazon Web Services, Microsoft Azure, Google Cloud Platform
• Programmability: NetConf/Yang, RESTConf, Guest Shell and SSH/Telnet
• License Options: term based 1 year, 3 year or 5 year
[Figure: CSR 1000V running alongside App/OS virtual machines on a Virtual Switch, Hypervisor and Server.]
Cloud Connect – CSR 1000V
• Securely extend the private network to the cloud from the Branch and DC with CSR 1000v
• Extend routing to multi-VPC environment with CSR 1000v in Transit VPC
• Maintain application experience with QoS and AVC
[Figure: Branch (ISR 4000) and Enterprise DC (ASR 1000) connecting to CSR1000v instances in a Transit VPC that fronts several application VPCs.]
Public Cloud Deployment Models

Application VPC Gateway
• CSR deployed in application VPC
• Provide IPsec gateway for entire VPC
• Need high availability

Transit VPC
• CSR deployed in dedicated Transit Hub, not in application VPC
• High speed traffic routing for spoke VPC
• High availability is built-in natively

Auto-scale
• Add another pair of CSRs to scale out
• Remote end (VGW) has multiple tunnels and does L3 ECMP (Equal Cost Multiple Path)
• Monitors CSR real-time throughput and spins up new CSRs on demand
Connectivity Options into AWS Cloud
[Figure: two paths. AWS Managed VPN: Corporate DC with a Cisco ISR/ASR over the Internet to an AWS VGW. AWS Direct Connect: Corporate DC with a Cisco ISR/ASR into a Customer Cage at a Colocation Facility, over the AWS Direct Connect POP with a Private VIF (VLAN A, VLAN B, VLAN C) to CSR 1000V instances in AWS.]
The WAN of Yesterday, Today and Tomorrow
[Figure: three stages. Backhauled Access: SaaS, IaaS and Extranet are all reached by backhauling through the Data Center over MPLS. Distributed Access: Data Center over MPLS plus direct Internet paths to SaaS, IaaS and Extranet. Optimized Access: Cloud onRamp or SAE fronts SaaS, IaaS, Extranet and Data Center over both MPLS and Internet.]
Cloud Migration Trend
Cloud onRamp for Colo or Secure Agile Exchange
[Figure: Customers, Employees and Partners reach Cloud applications and a Private Data Center through Cloud onRamp or SAE hosted in Colocation Centers, with a DMZ in front of the private data center.]
• Security: Central policy enforcement
• Agility & Performance: Rapid provisioning, change control, scaling via NFV fabric - speed of software with the performance of hardware
• Cost Savings: Lower OpEx and CapEx through NFV. Reduce circuit costs and number of circuits.
SDWAN Design Considerations
• Common WAN Topologies
• Design and Deployment Considerations
• Design Challenges with Growing Needs and New Innovation

Common WAN Topologies
Growing Complexity - Scale, Policy, Segmentation
Complexity Grows with Scale and Changing Business Requirements
Network Transformation
The Era of Digital Transformation
• Hardware Centric → Software Driven
• Manual → Automated
• Closed → Programmable
• Reactive → Predictive
• Network Intent → Business Intent

• CLOUD & ON-PREM: Hosted, delivered, managed
• AUTOMATION & SCALE: Speed, flexible, zero-touch, policy driven
• SECURITY & COMPLIANCE: Segmentation, threat mitigation
• ASSURANCE & ANALYTICS: Users, applications, devices
Business Driven WAN Infrastructure
Design and Deploy for Impact Objectives
• APPLICATION POLICIES: Analytics; Application SLA; Traffic Engineering; Per-Segment Topologies; Secure Perimeter; Cloud Path (IaaS); Cloud Accel (SaaS); Transport Hub
• SERVICES DELIVERY PLATFORM: Monitoring; Routing; Security; Segmentation; QoS; Multicast; Svc Insertion; Survivability; Operations
• TRANSPORT INDEPENDENT FABRIC: Broadband; MPLS; Cellular
• ZERO TOUCH; ZERO TRUST
Reinventing the WAN
The Four Pillars and Focus Areas of Cisco SDWAN
• Security – Secure Elastic Connectivity
• Connectivity – Cloud First Connectivity
• Application Services – Applications QoE
• Operations – Agile Operations
Reinventing the WAN
Security
• Embedded Security
• Secure Bring-up
• Centralized Device Auth-DB
• Scalable Data-Plane Encryption
• Authenticated/Encrypted Control Plane
• Automatic Key Rollover
Reinventing the WAN
Connectivity
• Provider/Transport Agnostic
• Hybrid WAN (LTE, INTERNET, MPLS)
• Segmentation/VPNs
• Dynamic Per-VPN Topologies
Reinventing the WAN
Application Services
• Central Orchestration
• Deep Packet Inspection / App Fingerprinting (DPI Engine)
• Transport SLA Monitoring (LTE, INTERNET, MPLS)
• Application Layer Analytics
• Application-Aware Routing
• Cloud Services Integration
• SEN Overlay
Reinventing the WAN
Operations
• Centralized Operations, Distributed Execution
• Template-based Configurations
• Programmatic APIs, Open Object Model, NetConf
• Centralized Policy Orchestration
• Zero Touch Provisioning
• Ad-Hoc Adds/Moves/Changes
Cisco SDWAN Solution Overview
Applying SDN Principles To The Wide Area Network
[Diagram: the four planes of the solution]
• Orchestration Plane: vBond (ORCHESTRATION)
• Management Plane: vManage (Multi-tenant or Dedicated; MANAGEMENT, ANALYTICS, API)
• Control Plane: vSmart (Containers or VMs; CONTROL)
• Data Plane: vEdge (Physical or Virtual) at Data Center, Campus, Branch and Home Office sites
• Secure DTLS Control Channel between the vEdge routers and the controllers; Secure IPSEC Data Channel between vEdge routers over the INET, MPLS and 4G transports
Orchestration Plane
vBond Orchestrator
Main Characteristics
• Orchestrates control and management plane
• First point of authentication
• Distributes list of vSmarts/vManage to all vEdge routers
• Facilitates NAT traversal
• Requires public IP Address [could sit behind 1:1 NAT]
• Highly resilient
• Multitenant or single tenant
Management Plane
vManage
Main Characteristics
• Single pane of glass for Day0, Day1 and Day2 operations
• Centralized provisioning
• Multitenant or single tenant
• Policies and Templates
• Troubleshooting and Monitoring
• Software upgrades
• GUI with RBAC
• Programmatic interfaces (REST, NETCONF)
• Highly resilient
Control Plane
vSmart Controller
Main Characteristics
• Facilitates fabric discovery
• Disseminates control plane information between vEdges
• Distributes data plane and app-aware routing policies to the vEdge routers
• Implements control plane policies
• Dramatically reduces control plane complexity
• Highly resilient
Data Plane
vEdge Router
Main Characteristics
• WAN edge router
• Provides secure data plane with remote vEdge routers
• Establishes secure control plane with vSmart controllers (OMP)
• Implements data plane and application aware routing policies
• Exports performance statistics
• Leverages traditional routing protocols like OSPF, BGP and VRRP
• Supports Zero Touch Deployment
• Physical or Virtual form factor (100Mb, 1Gb, 10Gb, 20Gb+)
Cisco SDWAN Typical Architecture
[Diagram: Enterprise Controllers; Private Cloud Site with SDWAN Headend, Distro Switch, Servers and CE Routers; Virtual Private Cloud with VPCs and virtual routers (V = Virtual Router); SaaS App Servers; INET and MPLS1 transports; Legacy Branch, Dual Router Branch and Single Router Branch]
Cloud-Delivered SDWAN Control
Flexible Deployment Options
[Diagram: three ways to deploy the vManage, vSmart and vBond controllers, each reached over DTLS or TLS connections: Cisco Cloud Ops deploys them in the Cisco Cloud (Recommended); an MSP Ops Team deploys them in the MSP Cloud; Enterprise IT deploys them in a Private Cloud]
Cisco SDWAN Migration Strategy
Gateway/DC Site Deployment
[Diagram: DC/Gateway Site running BGP/OSPF, attached to the SD-WAN Secure Fabric over the Internet and to Legacy/MPLS Sites over MPLS; SD-WAN Sites]
• Identify Gateway/DC Sites providing connectivity between SD-WAN and legacy sites
• Legacy sites talk to each other directly
• SD-WAN sites talk to each other directly
• Legacy router/connectivity is dropped in the DC/Gateway sites once migration is complete
SDWAN Platform Options
Deployment Flexibility
WAN Architecture
Best Practices
Cisco Validated Designs
Search “Design Zone” on Cisco.com for best practice details
• Cisco SD-WAN Design Guide
• Traditional WAN Design Summary
• MPLS WAN Technology Design Guide
WAN Aggregation Reference Design
[Diagram: Campus/Data Center with Key Servers and a WAAS Service, connected through the Services/Distribution layer to the WAN Edge (VPN Termination), which attaches to MPLS A, MPLS B and the Internet]
Routing Topology at WAN Aggregation
[Diagram: Campus/Data Center Core Layer; WAN Distribution Layer (EIGRP AS 100, advertising Summaries + Default); DMVPN Hub Routers (EIGRP AS = 100 towards the distribution layer, EIGRP AS = 200 over DMVPN 1 and DMVPN 2 through the Internet Edge); MPLS CE Routers (EIGRP AS = 100 towards the distribution layer, BGP AS = 65511, eBGP to MPLS A and MPLS B, iBGP between the CE routers); Layer 2 WAN CE Router to a Layer 2 WAN; Internet]
WAN Edge
Connection Methods Compared
[Diagram: three WAN edge attachment methods: Multi-Chassis EtherChannel to a VSS pair (Recommended); Shared LAN; Layer 3 P-to-P Link]
• No Static Routes
• No First Hop Redundancy Protocols
Optimize Convergence and Redundancy
[Diagram: Multi-chassis EtherChannel to a VSS pair (a removed channel member causes no IGP recalc) compared with Layer 3 P-to-P Links (a failed link causes an IGP recalc)]
• Link redundancy achieved through redundant L3 paths
• Provide Link Redundancy and reduce peering complexity
• Flow based load-balancing through CEF forwarding across
• Tune L3/L4 load-balancing hash to achieve maximum utilization
• Routing protocol reconvergence when uplink failed
• No L3 reconvergence required when member link failed
• Convergence time may depend on the routing protocol used and the size of the routing table
• No individual flow can go faster than the speed of an individual member of the link
Link Recovery Comparison
ECMP vs. Multichassis EtherChannel
• ECMP convergence is dependent on the number of routes
• MEC convergence is consistent, independent of the number of routes
[Chart: seconds of lost voice (0 to 2.5) against Number of Routes (1000, 3000, 6000, 9000, 12000) for ECMP and MEC Max, measured on a Sup720C; diagram of a VSS pair versus Layer 3 P-to-P Links]
Redundancy vs. Convergence Time
More Is Not Always Better
• In principle, redundancy is easy
• Any system with more parallel paths through the system will fail less often
• Increasing parallel paths increases routing complexity, therefore increasing convergence times
• The problem is a network isn’t really a single system but a group of interacting systems
[Chart: convergence time in Seconds (0 to 2.5) against Routes (up to 10000)]
Best Practice — Summarize at Service Distribution
• It is important to force summarization at the distribution towards the WAN Edge and towards the campus & data center
• Summarization provides topology change isolation.
• Summarization reduces routing table size.
[Diagram: Campus/Data Center, the distribution layer, and the WAN edge towards MPLS A and MPLS B; Summary 10.5.0.0/16; Summaries + Default 10.4.0.0/16 and 0.0.0.0/0.0.0.0]
interface Port-channel1
 description Interface to MPLS-A-CE
 no switchport
 ip address 10.4.128.1 255.255.255.252
 ip pim sparse-mode
 ip summary-address eigrp 100 10.5.0.0 255.255.0.0
Best Practice – Preventing Routing Loops with Route Tag and Filter
• Mutual route redistribution between protocols can cause routing loops without preventative measures
• Use a route-map to set tags and then redistribute based on the tags
• Routes are implicitly tagged with the carrier AS when redistributed from eBGP into EIGRP/OSPF
• Use a route-map to block re-learning of WAN routes via the distribution layer (already known via iBGP)
[Diagram: Campus IGP Domain (EIGRP/OSPF) and MPLS WAN BGP Domain]
router eigrp 100
 distribute-list route-map BLOCK-TAGGED-ROUTES in
 default-metric [BW] 100 255 1 1500
 redistribute bgp 65500
!
route-map BLOCK-TAGGED-ROUTES deny 10
 match tag 65401 65402
!
route-map BLOCK-TAGGED-ROUTES permit 20
Dual Carriers with BGP as CE-PE Protocol
Use iBGP for Path Selection
• Run iBGP between the CE routers to exchange prefixes associated with each carrier
• CE routers will use only BGP path selection information to select both the primary and secondary preferences for any destinations announced by the IGP and BGP
• Using the IGP (OSPF/EIGRP) for prefix re-advertisement would result in equal-cost paths at the remote site
[Diagram: Campus with CE routers A and B connected by iBGP, attached to MPLS A and MPLS B; remote-site prefix 10.5.128.0/21]
bn-br200-3945-1# sh ip bgp 10.5.128.0/21
BGP routing table entry for 10.5.128.0/21, version 71
Paths: (2 available, best #2, table default, RIB-failure(17))
  Not advertised to any peer
  65401 65402, (aggregated by 65511 10.5.128.254)
    10.4.142.26 from 10.4.142.26 (192.168.100.3)
      Origin IGP, localpref 100, valid, external, atomic-aggregate
  65402, (aggregated by 65511 10.5.128.254)
    10.4.143.26 (metric 51456) from 10.5.0.10 (10.5.0.253)
      Origin IGP, metric 0, localpref 100, valid, internal, atomic-aggregate, best
Best Practice - Implement AS-Path Filter
Prevent Branch Site Becoming Transit Network
• Dual carrier sites can unintentionally become a transit network during a network failure event, causing network congestion due to transit traffic
• Design the network so that the transit path between two carriers only occurs at sites with enough bandwidth
• Implement an AS-Path filter to allow only locally originated routes to be advertised in the outbound updates for branches that should not be transit
[Diagram: Campus with CE routers A and B connected by iBGP, attached to MPLS A and MPLS B]
router bgp 65511
 neighbor 10.4.142.26 route-map NO-TRANSIT-AS out
!
ip as-path access-list 10 permit ^$
!
route-map NO-TRANSIT-AS permit 10
 match as-path 10
Golden Rules
For Your Reference
Route Preference for EIGRP & OSPF
EIGRP
• Internal EIGRP – Admin Dist. 90
• External EIGRP – Admin Dist. 170
• Metric Calculation
  metric = bandwidth + delay
  • Bandwidth (in kb/s)
  • Delay (in microseconds)
OSPF
• Admin Dist. 110
• Route Preference
  1. Intra-Area
  2. Inter-Area
  3. External E1 (Internal + External Cost)
  4. External E2 (External Cost)
• Cost Calculation
  Cost = Reference BW / Interface BW
  Default Reference BW = 100Mbps
MPLS + Internet WAN
Prefer the MPLS Path over Internet
• Running the same EIGRP AS for both the campus and the DMVPN network would result in the Internet path being preferred over the MPLS path
• eBGP routes are redistributed into EIGRP 100 as external routes with default Admin Distance 170
[Diagram: Campus running EIGRP AS100; MPLS CE router (10.4.128.2) peering eBGP with MPLS A; DMVPN over the Internet also in EIGRP AS100; remote-site prefix 10.5.48.0/21]
MPLS + Internet WAN
Use Autonomous System for IGP Path Differentiation
• eBGP routes are redistributed into EIGRP 100 as external routes with default Admin Distance 170
• Running the same EIGRP AS for both the campus and the DMVPN network would result in the Internet path being preferred over the MPLS path
• Multiple EIGRP AS processes can be used to provide control of the routing
  • EIGRP 100 is used in the campus location, EIGRP 200 over the DMVPN tunnels
  • Routes from EIGRP 200 redistributed into EIGRP 100 appear as external routes (distance = 170)
• Routes from both WAN sources are equal-cost paths. To prefer the MPLS path over DMVPN, use the EIGRP delay to modify path preference
[Diagram: Campus running EIGRP AS100; MPLS CE router (10.4.128.2) peering eBGP with MPLS A; DMVPN over the Internet running EIGRP AS200; remote-site prefix 10.5.48.0/21]
D EX 10.5.48.0/21 [170/28416] via 10.4.128.2
MPLS CE router#
router eigrp 100
 default-metric 1000000 10 255 1 1500
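The EIGRP metric and OSPF cost formulas from the Golden Rules slide, worked in Python against the default-metric shown for the MPLS CE router above; this is an added example, not the deck's own material. It assumes the default K values (K1 = K3 = 1, the others 0), so the classic EIGRP metric reduces to the bandwidth and delay terms, and the higher DMVPN delay value used for comparison is constructed for illustration.

```python
"""EIGRP classic composite metric and OSPF interface cost.

Added example (not from the deck). Assumes the default K values
(K1 = K3 = 1, K2 = K4 = K5 = 0), so the classic EIGRP metric is
256 * (10^7 / min_bandwidth_kbps + cumulative_delay_us / 10), with the
integer truncation IOS applies at each step."""
from typing import Dict


def eigrp_classic_metric(bandwidth_kbps: int, delay_us: int) -> int:
    """Composite metric for a path whose slowest link is bandwidth_kbps
    and whose cumulative delay is delay_us microseconds."""
    if bandwidth_kbps <= 0 or delay_us < 0:
        raise ValueError("bandwidth must be > 0 kb/s and delay >= 0 us")
    bw_term = 10_000_000 // bandwidth_kbps   # scaled inverse bandwidth
    delay_term = delay_us // 10              # delay in tens of microseconds
    return 256 * (bw_term + delay_term)


def redistributed_metric(bw_kbps: int, delay_tens_us: int,
                         reliability: int = 255, load: int = 1,
                         mtu: int = 1500) -> int:
    """Metric a redistributed route receives from
    'default-metric <bw> <delay> <reliability> <load> <mtu>'.
    The delay argument is in tens of microseconds; reliability, load and
    MTU do not enter the metric with the default K values."""
    return eigrp_classic_metric(bw_kbps, delay_tens_us * 10)


def ospf_cost(interface_bw_bps: int, reference_bw_bps: int = 100_000_000) -> int:
    """Cost = Reference BW / Interface BW (default reference 100 Mbps),
    truncated and never below 1, so every link at or above the reference
    bandwidth looks the same to OSPF."""
    if interface_bw_bps <= 0:
        raise ValueError("interface bandwidth must be > 0")
    return max(1, reference_bw_bps // interface_bw_bps)


def preferred_wan_path(candidates: Dict[str, int]) -> str:
    """Lowest composite metric wins; an exact tie means EIGRP installs
    equal-cost paths over both WANs."""
    best = min(candidates.values())
    winners = sorted(name for name, m in candidates.items() if m == best)
    return winners[0] if len(winners) == 1 else "equal-cost: " + "/".join(winners)


if __name__ == "__main__":
    # 'default-metric 1000000 10 255 1 1500' from the MPLS CE router slide.
    mpls = redistributed_metric(1_000_000, 10)            # 5120
    # Constructed: same bandwidth, but a higher delay on the DMVPN side.
    dmvpn_same = redistributed_metric(1_000_000, 10)      # 5120 -> tie
    dmvpn_slower = redistributed_metric(1_000_000, 100)   # 28160
    print(preferred_wan_path({"MPLS": mpls, "DMVPN": dmvpn_same}))
    print(preferred_wan_path({"MPLS": mpls, "DMVPN": dmvpn_slower}))
    print(ospf_cost(10_000_000), ospf_cost(1_000_000_000))  # 10 1
```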
MPLS VPN BGP Path with IGP Backdoor Path
• eBGP as the PE-CE Routing Protocol
• MPLS VPN as the preferred path, learned via eBGP
• With the default configuration, failover to the backup path works as expected
• Secondary path via a backdoor IGP link (EIGRP or OSPF) over a tunneled connection (DMVPN over Internet)
[Diagram: Campus with R1 (eBGP to MPLS A) and R2 (IGP Backup Link over the Internet, EIGRP AS100); remote-site prefix 10.4.160.0/24]
MPLS VPN BGP Path with IGP Backdoor Path
• After the link is restored, the MPLS CE router receives the BGP advertisement for the remote-site route.
• Does the BGP route get (re)installed in the route table?
[Diagram: Campus with R1 (eBGP to MPLS A) and R2 (IGP Backup Link over the Internet, EIGRP AS100); remote-site prefix 10.4.160.0/24; callouts "B 10.4.160.0/24 [20/0]...." and "D EX 10.4.160.0/24 [170/3584]...."]
R1# show ip route
B    10.4.144.0/24 [20/0] via 10.4.142.2, 01:30:06
B    10.4.145.0/24 [20/0] via 10.4.142.2, 01:30:06
D EX 10.4.160.0/24 [170/3584] via 10.4.128.9, 00:30:06
For Your Reference
BGP Route Selection Algorithm
BGP Prefers Path with:
1. Highest Weight
2. Highest Local Preference
3. Locally originated (via network or aggregate BGP)
4. Shortest AS_PATH
5. Lowest Origin type: IGP>EGP>INCOMPLETE (redistributed into BGP)
6. Lowest Multi-Exit Discriminator (MED)
7. Prefer Externals (eBGP over iBGP paths)
8. Lowest IGP metric to BGP next hop (exit point)
9. Lowest Router ID for exit point
BGP Prefers Path with Highest Weight
• Routes redistributed into BGP are considered locally originated and get a default weight of 32768
• The eBGP learned prefix has a default weight of 0
• The path with the highest weight is selected
ASR1004-1#show ip bgp 10.4.160.0 255.255.255.0
BGP routing table entry for 10.4.160.0/24, version 22
Paths: (3 available, best #3, table default)
  Advertised to update-groups:
     4          5
  65401 65401
    10.4.142.2 from 10.4.142.2 (192.168.100.3)
      Origin IGP, localpref 200, valid, external
  Local
    10.4.128.1 from 0.0.0.0 (10.4.142.1)
      Origin incomplete, metric 26883072, localpref 100, weight 32768, valid, sourced, best
Prefer the eBGP Path over IGP
Set the eBGP weight > 32768
• To resolve this issue, set the weight on routes learned via the eBGP peer higher than 32768
neighbor 10.4.142.2 weight 35000
ASR1004-1#show ip bgp 10.4.160.0 255.255.255.0
BGP routing table entry for 10.4.160.0/24, version 22
Paths: (1 available, best #1, table default)
  Not advertised to any peer
  65401 65401
    10.4.142.2 from 10.4.142.2 (192.168.100.3)
      Origin IGP, metric 0, localpref 100, weight 35000, valid, external, best
ASR1004-1#show ip route
....
B    10.4.160.0/24 [20/0] via 10.4.142.2, 05:00:06
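The nine-step selection order from the BGP Route Selection Algorithm slide, implemented in Python and applied to the two paths for 10.4.160.0/24 on the weight slides above (and to the one-hop internal path that won on the dual-carrier slide); this is an added example, not code from the deck. The Path dataclass and its field names are this example's own, and it simplifies step 6 by comparing MED across all paths, whereas IOS by default compares MED only among paths from the same neighboring AS.

```python
"""BGP best-path selection in the order of the 'BGP Route Selection
Algorithm' slide, applied to the paths shown on the slides around it.

Added example (not from the deck). The Path dataclass and its field
names are this example's own. Simplification: MED is compared across
all paths, whereas IOS by default compares it only among paths from the
same neighboring AS."""
from dataclasses import dataclass, field, replace
from typing import List, Optional

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # IGP > EGP > INCOMPLETE


@dataclass
class Path:
    name: str
    weight: int = 0                 # Cisco-local; sourced routes default to 32768
    local_pref: int = 100
    locally_originated: bool = False
    as_path: List[int] = field(default_factory=list)
    origin: str = "igp"
    med: int = 0
    external: bool = True           # True = eBGP-learned, False = iBGP
    igp_metric: int = 0             # IGP metric to the BGP next hop
    router_id: str = "0.0.0.0"


def _rid(rid: str):
    return tuple(int(octet) for octet in rid.split("."))


def _rank(p: Path):
    """Sort key: the minimum tuple is the best path."""
    return (-p.weight,                          # 1. highest weight
            -p.local_pref,                      # 2. highest local preference
            0 if p.locally_originated else 1,   # 3. locally originated
            len(p.as_path),                     # 4. shortest AS_PATH
            ORIGIN_RANK[p.origin],              # 5. lowest origin type
            p.med,                              # 6. lowest MED
            0 if p.external else 1,             # 7. eBGP over iBGP
            p.igp_metric,                       # 8. lowest IGP metric to next hop
            _rid(p.router_id))                  # 9. lowest router ID


def best_path(paths: List[Path]) -> Optional[Path]:
    return min(paths, key=_rank) if paths else None


def with_neighbor_weight(p: Path, weight: int) -> Path:
    """Effect of 'neighbor <ip> weight <n>' on a path learned from that peer."""
    return replace(p, weight=weight)


# The two paths for 10.4.160.0/24 from the 'show ip bgp' output on the slide.
EBGP_PATH = Path("eBGP via 10.4.142.2", weight=0, local_pref=200,
                 as_path=[65401, 65401], origin="igp", router_id="192.168.100.3")
LOCAL_PATH = Path("Local (redistributed from IGP)", weight=32768, local_pref=100,
                  locally_originated=True, origin="incomplete", med=26883072,
                  external=False, router_id="10.4.142.1")

if __name__ == "__main__":
    print(best_path([EBGP_PATH, LOCAL_PATH]).name)    # Local wins at step 1
    fixed = with_neighbor_weight(EBGP_PATH, 35000)     # the slide's 'weight 35000'
    print(best_path([fixed, LOCAL_PATH]).name)         # eBGP now wins
```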
Summary
Modern Hierarchical Global WAN Design
[Diagram: Tier 1 Global IP/MPLS Core; Tier 2 In-Theater IP/MPLS Core (East Theater, West Theater); Tier 3 West Region and East Region sites attached via Private IP Service, Metro Service and Public IP Service; Internet, Cloud, Public Voice/Video and Mobility services]
Key Takeaways
• Build a hierarchical, modular WAN as the foundation
• Design a network with consistent behavior that provides predictable performance
• Overlay technologies can be a foundational component of WAN designs for flexibility and transport independence
• Understand the characteristics that affect your applications (bandwidth, latency, loss)
• Understand how to build a WAN leveraging Internet transport with SD-WAN
• In designing redundancy, more is not always better. Keep it simple!
Recommended Reading
Abstract: Virtual routing and the Cisco Cloud Services Router (CSR 1000V) are key enablers of today’s revolutionary shift to elastic cloud applications and low-cost virtualized networking. The book covers every essential building block, presents key use cases and configuration examples, illuminates design and deployment scenarios, and shows how the CSR 1000V platform and APIs can enable state-of-the-art software-defined networks (SDN). Drawing on extensive early adopter experience, they illuminate crucial OS and hypervisor details, help you overcome migration challenges, and offer practical guidance for monitoring and operations.
http://bit.ly/2l8UAod
Suggested Sessions
• BRKRST-2042 Highly Available WAN Design
• BRKRST-2044 Enterprise Multi-homed Internet Edge Arch.
• BRKRST-2091 Cisco SD-WAN (Viptela) Data Center and Branch Integration Design
• BRKRST-2097 Conquer the Cloud with Cisco SDWAN!
• BRKCRS-2110 Delivering Cisco Next Generation SD-WAN with Viptela
• BRKRST-2791 Building and Using Policies with Cisco SD-WAN