Professional Documents
Culture Documents
Route to Success
To ensure your success when implementing the designs in this guide, you
should first read any guides that this guide depends upon—shown to the
left of this guide on the route below. As you read this guide, specific
prerequisites are cited where they are applicable.
BORDERLESS
NETWORKS
WAN Design Overview • MPLS WAN Deployment Guide Additional Deployment
Guides
• Layer 2 WAN Deployment Guide
Headquarters
WAAS
V
Access
Switches V
UCS Rack-mount
Servers UCS Rack-mount UCS Blade
Voice
Routers Server Chassis
PSTN
V
Distribution
Switches WAAS Storage
Central Manager
Nexus
2000
Communications
WAN
Internet Edge Managers
Routers
Access
Switches
Internet
Routers Cisco ACE Data Center
Wireless LAN
Nexus 5500 Firewalls
Regional Site Controller
Distribution
VPN
WAN Switches
Access Routers
Switch V WAN
Stack Routers User
Access
Layers
V PSTN
WAAS
2189
WAAS
Data networks are critical to an organization’s viability and productivity. primary or backup network transport for a remote site. A flexible network
Online workforce-enablement tools are only beneficial if the data network architecture should include Internet VPN as a transport option without
provides reliable access to information resources. The number of users and significantly increasing the complexity of the overall design. VPN for a WAN
locations in an organization can vary dramatically as an organization grows transport performs well for many applications even without explicit quality of
and adapts to changes in business activity. Providing a consistent user service (QoS) assurance from the Internet service providers.
experience when users connect to the network increases their productivity.
While Internet IP VPN networks present an attractive option for effective
Whether users are sitting in an office at headquarters or working from a
WAN connectivity, any time an organization sends data across a public
remote site, they require transparent access to the applications and files in
network there is risk that the data could be compromised. Loss or corruption
order to perform their jobs.
of data can result in a regulatory violation and can present a negative public
For remote-site users to effectively support the business, organizations image, either of which can have significant financial impact on an organiza-
require that the WAN provide sufficient performance and reliability. Because tion. Secure data transport over public networks like the Internet requires
most of the applications and services that the remote-site worker uses are adequate encryption to protect business information.
centrally located, the WAN design must provide a common resource access
Internet IP VPN access can also be provided by using a cellular WAN
experience to the workforce regardless of location.
technology. This offers a mobility option for deploying a remote site that is
To control operational costs, the WAN must support the convergence of ideal for rapid deployment or for short term and temporary deployments. In
voice, video, and data transport onto a single, centrally managed infrastruc- many cases, cellular WAN is the only available option, due to the availability
ture. As organizations move into multinational or global business markets, constraints of wired services in certain areas. The bandwidth available using
they require a flexible network design that allows for country-specific cellular technologies continues to increase and performance compares
access requirements without increased complexity. favorably with wired WAN technologies when used at smaller remote sites.
The performance, reliable service level, and broad availability of carrier- As organizations consider new business requirements, such as providing
provided MPLS networks and Layer 2 WAN networks makes these technolo- video and collaboration applications to its employees, IT departments face
gies a required consideration for an organization building a WAN. challenges associated with supporting all the different applications in the
same network. IT needs to manage applications that have very different
To reduce the time needed to deploy new technologies that support emerg-
characteristics and requirements from the network. The IT challenges are
ing business applications and communications, the WAN architecture
exacerbated if you consider shrinking budgets and increasing end-user
requires a flexible design. The ability to easily scale bandwidth and to add
quality expectations, as video becomes pervasive in their everyday lives out
additional sites or resilient links makes MPLS an effective WAN transport for
of the office. Cisco Medianet technologies help your organization minimize
growing organizations.
and deal with these challenges.
Major market drivers for Layer 2 WAN services include surging bandwidth
requirements and the increased availability of Ethernet building termina- Why Is a Cohesive Approach to the Network
tions. Carriers have the flexibility to provision bandwidth in flexible incre- Architecture a Value to Your Organization?
ments and deploy these services over their existing infrastructure.
The days of conducting business with information stored locally in files on
Carrier-based MPLS and Layer 2 WAN services are not always available your computer are disappearing rapidly. The trend is for users to access
or cost-effective for an organization to use for WAN transport to support mission-critical information by connecting to the network and downloading
remote-site connectivity. Internet-based IP VPNs adequately provide the the information or by using a network-enabled application. Users depend
There is a tendency to discount the network as just simple plumbing, to think This guide provides a high level overview of each technology followed by
that all you have to consider is the size and the length of the pipes or the a discussion of the usage of each technology at the WAN-aggregation site
speeds and feeds of the links, and to dismiss the rest as unimportant. Just and remote sites. This guide should also be used as a roadmap on how to
as the plumbing in a large stadium or high rise has to be designed for scale, use the companion WAN deployment guides.
purpose, redundancy, protection from tampering or denial of operation, and
the capacity to handle peak loads, the network requires similar consider- WAN Transport Technologies
ation. As users depend on the network to access the majority of the informa-
tion they need to do their jobs and to transport their voice or video with MPLS WAN
reliability, the network must be able to provide resilient, intelligent transport.
MPLS enables organizations and service providers to build next-generation
Many businesses have remote locations that depend entirely on applica- intelligent networks that deliver a wide variety of advanced, value-added
tions hosted in a centralized data center. If a WAN outage occurs, these services like QoS and service level agreements (SLAs) over a single infra-
remote locations are essentially offline and they are unable to process trans- structure. You can integrate this economical solution seamlessly over any
actions or support other types of business services. It is critical to provide existing infrastructure, such as IP, Frame Relay, ATM, or Ethernet.
reliable connectivity to these locations.
MPLS Layer 3 VPNs use a peer-to-peer VPN model that leverages the
The demand for WAN bandwidth continues to increase and there has been Border Gateway Protocol (BGP) to distribute VPN-related information. This
a recent trend towards using Ethernet as the WAN access media to deliver peer-to-peer model allows a customer to outsource routing information to
higher bandwidth. Even with the increased amount of bandwidth available service providers, which can result in significant cost savings and a reduc-
to connect remote sites today, there are performance-sensitive applications tion in operational complexity for organizations.
affected by jitter, delay, and packet loss. It is the function of the network
foundation to provide an efficient, fault-tolerant transport that can differenti- Subscribers who need to transport IP multicast traffic can enable Multicast
ate application traffic to make intelligent load-sharing decisions when the VPNs (MVPNs).
network is temporarily congested. Regardless of the chosen WAN technol- The MPLS WAN Deployment Guide provides details on how to use MPLS
ogy, the network must provide intelligent prioritization and queuing of traffic VPN as a primary WAN transport or as a backup WAN transport (to an
along the most efficient route possible. alternate MPLS VPN primary).
The Cisco SBA WAN design uses a variety of WAN transport technologies
for primary links and backup links: Layer 2 WAN Transport
• MPLS WAN using Layer 3 VPN Ethernet has traditionally been a LAN technology primarily due to the dis-
• Layer 2 WAN as implemented using Virtual Private LAN Services (VPLS) tance limitations of the available media and the requirement for dedicated
or Metro Ethernet copper or fiber links.
• Internet with VPN WAN Layer 2 WAN transports are now widely available from service providers and
• Internet 3G/4G with VPN WAN are able to extend various Layer 2 traffic types (Frame Relay, Point-to-Point
Protocol (PPP), ATM, or Ethernet) over a WAN. The most common implemen-
tations of Layer 2 WAN are used to provide Ethernet over the WAN using
either a point-to-point or point-to-multipoint service.
2183
MPLS Static MPLS Dynamic Dual MPLS MPLS MPLS
2184
MPLS A MPLS B MPLS A MPLS B
The characteristics of each design are as follows.
1031
Layer 2 Layer 2 tion are performed at the distribution layer. There are other various devices
supporting WAN edge services such as application optimization, and these
devices should also connect into the distribution layer.
Layer 2 Trunked Demarcation Design Model
• Uses a multipoint service
• Connects to a trunked demarcation
• Supports up to 100 remote sites
• Logically separates the remote-site peering. Distributes router peers
across multiple VLANs with maximum of 25 remote-site router peers per
VLAN
• Typically used with a dedicated WAN distribution layer
The Layer 2 Trunked Demarcation design is shown in Figure 4.
Table 3 - Design models using only VPN transport Figure 5 - DMVPN Only design model
Table 4 - Design models using VPN transport as backup VPN Hub VPN Hub
Internet Edge Internet Edge
Router QFP
Router QFP
2133
Internet Internet
Transport 1 (existing) MPLS VPN A MPLS VPN A
Transport 2 (existing) — MPLS VPN B
Transport 3 (existing) — MetroE/VPLS Dual DMVPN Design Model
Backup transport Internet VPN Internet VPN • Supports up to 500 remote sites
• Uses dual Internet links
The characteristics of each design are as follows: • Typically used with a dedicated WAN distribution layer
DMVPN Only Design Model
• Supports up to 100 remote sites
• Uses a single Internet link
Internet Edge
QFP QFP
2135
Internet
MPLS
VPN Hub Routers
In the DMVPN Backup Shared design model, the DMVPN hub router is also
Internet A Internet B
the MPLS CE router, which is already connected to the distribution or core
2134
layer. The connection to the Internet has already been established through
a firewall interface contained within the Internet edge. A DMZ is not required
In both the DMVPN Only and Dual DMVPN design models, the DMVPN hub for this design model. For details about the connection to the Internet, see
routers connect to the Internet indirectly through a firewall demilitarized the Firewall and IPS Deployment Guide.
zone (DMZ) interface contained within the Internet edge. For details about DMVPN Backup Dedicated Design Model
the connection to the Internet, see the Firewall and IPS Deployment Guide.
• Supports up to 500 remote sites
The VPN hub routers are connected into the firewall DMZ interface, rather
than connected directly with Internet service-provider routers. • Has a single or dual MPLS VPN carriers or a single Layer 2 WAN
• Uses BGP routing with MPLS VPN carrier, or EIGRP routing within the
Layer 2 WAN
• Uses a single Internet link
Distribution Layer
MPLS Dynamic
Design Model
Layer 2 WAN Internet Edge
CE Router QFP QFP
Simple or Trunked
MPLS CE Internet Edge VPN Hub
Demarcation
Router QFP QFP Router
BGP Dynamic
VPN Hub
Routing
Router
2137
Layer 2 Internet
Internet
In the DMVPN Backup Dedicated design models, the DMVPN hub routers
connect to the Internet indirectly through a firewall DMZ interface contained
within the Internet edge. For details about the connection to the Internet, see
Dual MPLS
Distribution Layer the Firewall and IPS Deployment Guide. The VPN hub routers are con-
Design Model nected into the firewall DMZ interface, rather than connected directly with
Internet service-provider routers.
Note that the DMVPN Only and Dual DMVPN design models can also
provide DMVPN backup when paired with MPLS WAN and Layer 2 WAN
MPLS CE Internet Edge design models.
QFP Routers QFP QFP
Collapsed Core/
Distribution Layer Distribution Layer
Internet Edge
MPLS CE Router
VPN Hub Router
QFP QFP
Internet
Edge VPN Hub
Static Routing Routers
Internet A Internet B
2249
BGP Dynamic Trunked
Routing Demarcation
2250
WAN Remote-Site Designs
This guide documents multiple WAN remote-site designs, and they are
based on various combinations of WAN transports mapped to the site-
specific requirements for service levels and redundancy.
Most remote sites are designed with a single-router WAN edge; however,
certain remote-site types require a dual-router WAN edge. Dual-router
candidate sites include regional office or remote campus locations with
large user populations, or sites with business critical needs that justify
additional redundancy to remove single points of failure. Similarly, the size
of the remote-site LAN depends on factors such as number of connected
users and the physical layout of the remote site.
The actual WAN remote-site routing platforms remain unspecified because
the specification is tied closely to the bandwidth required for a location and
the potential requirement for the use of service module slots. The ability to
implement this solution with a variety of potential router choices is one of the
benefits of a modular design approach.
2117
• VPN WAN Non Redundant
• VPN WAN with Redundant Link
• VPN WAN with Redundant Link and Router
• MPLS WAN with VPN WAN Backup Link Layer 2 WAN Connected Remote Sites
• MPLS WAN with VPN WAN Backup Link and Router The Layer 2 WAN connected remote site is shown in Figure 13. This design
• Layer 2 WAN with VPN WAN Backup Link is compatible with both the Simple Demarcation and Trunked Demarcation
design models.
• Layer 2 WAN with VPN WAN Backup Link and Router
• VPN WAN (3G/4G) Non Redundant Figure 13 - Layer 2 WAN remote-site design
• MPLS WAN with VPN WAN (3G/4G) Backup Link
Non-Redundant
• MPLS WAN with VPN WAN (3G/4G) Backup Link and Router
Layer 2
MPLS WAN Connected Remote Sites
The three variants of a MPLS connected remote site are shown in Figure
12. The non-redundant variant is the only one that is compatible with the
single carrier design models (MPLS Static or MPLS Dynamic). The redun-
dant variants are compatible with the Dual MPLS design model. If you have
implemented the Dual MPLS design model, you may also connect a non-
redundant remote site to either carrier.
1033
Layer 2 WAN
The multiple variants of a VPN WAN connected remote site are shown in
Figure 14. The Internet WAN non-redundant variant is compatible with the Internet WAN
DMVPN only and Dual DMVPN design models. Both of the Internet WAN
redundant link variants are compatible with the Dual DMVPN design model.
Internet Internet Internet Internet Internet
The MPLS + Internet WAN single router (redundant links) variant is compat-
ible with either the DMVPN Backup Dedicated or DMVPN Backup Shared
design models. The MPLS + Internet WAN dual router (redundant links and
routers) and both Layer 2 WAN + Internet WAN variants are compatible with
the DMVPN Backup Dedicated design model.
2139
February 2013 Series Cisco SBA WAN Architecture 18
3G/4G VPN WAN Connected Remote Sites
The multiple variants of a 3G/4G VPN WAN connected remote site are
shown in Figure 15. The Internet WAN non-redundant variant is compatible
with the DMVPN only and Dual DMVPN design models. The MPLS + Internet
WAN single router (redundant links) variant is compatible with either the
DMVPN Backup Dedicated or DMVPN Backup Shared design models. The
MPLS + Internet WAN dual router (redundant links and routers) is compatible
with the DMVPN Backup Dedicated design model.
Internet WAN
3G/4G
(DMVPN)
Nonredundant
3G/4G 3G/4G
MPLS (DMVPN) MPLS
(DMVPN)
The primary role of the WAN is to interconnect primary site and remote-site Layer 3
LANs. The LAN discussion within this guide is limited to how the WAN- distribution/
aggregation site LAN connects to the WAN-aggregation devices and how VLAN Usage Layer 2 access access
the remote-site LANs connect to the remote-site WAN devices. Specific
VLAN 64 Data 1 Yes —
details regarding the LAN components of the design are covered in the LAN
Deployment Guide. VLAN 69 Voice 1 Yes —
At remote sites, the LAN topology depends on the number of connected VLAN 99 Transit Yes Yes
users and physical geography of the site. Large sites may require the use (dual router only) (dual router only)
of a distribution layer to support multiple access layer switches. Other sites
VLAN 50 Router Link (1) — Yes
may only require an access layer switch directly connected to the WAN
remote-site routers. The variants that are tested and documented in this VLAN 54 Router Link (2) — Yes
guide are shown in the following table. (dual router only)
For consistency and modularity, all WAN remote sites use the same VLAN IP subnets are assigned on a per-VLAN basis. This design allocates only
assignment scheme, which is shown in the following table. This deployment subnets with a 255.255.255.0 netmask for the access layer, even if less than
guide uses a convention that is relevant to any location that has a single 254 IP addresses are required. (This model can be adjusted as necessary to
access switch and this model can also be easily scaled to additional access other IP address schemes.) You must configure the connection between the
closets by adding a distribution layer. router and the access switch for 802.1Q VLAN trunking with subinterfaces
on the router that map to the respective VLANs on the switch. The various
router subinterfaces act as the IP default gateways for each of the IP subnet
and VLAN combinations.
EIGRP
VLAN99 - Transit
HSRP VLANs
Active HSRP Router VLAN 64 - Data
VLAN 69 - Voice
2141
802.1Q VLAN Trunk (64, 69, 99)
1034
802.1Q VLAN Trunk (64, 69) Enhanced Object Tracking (EOT) provides a consistent methodology for
A similar LAN design can be extended to a dual-router edge as shown in the various router and switching features to conditionally modify their operation
following figure. This design change introduces some additional complexity. based on information objects available within other processes. The objects
The first requirement is to run a routing protocol. You need to configure that can be tracked include interface line protocol, IP route reachability, and
Enhanced Interior Gateway Protocol (EIGRP) between the routers. IP service-level agreement (SLA) reachability as well as several others.
Because there are now two routers per subnet, you must implement a First The IP SLA feature provides a capability for a router to generate synthetic
Hop Redundancy Protocol (FHRP). For this design, Cisco selected Hot network traffic that can be sent to a remote responder. The responder can
Standby Router Protocol (HSRP) as the FHRP. HSRP is designed to allow for be a generic IP endpoint that can respond to an Internet Control Message
transparent failover of the first-hop IP router. HSRP provides high network Protocol (ICMP) echo (ping) request, or can be a Cisco router running an IP
availability by providing first-hop routing redundancy for IP hosts configured SLA responder process, which can respond to more complex traffic such as
with a default gateway IP address. HSRP is used in a group of routers for jitter probes. The use of IP SLA allows the router to determine end-to-end
selecting an active router and a standby router. When there are multiple reachability to a destination and also the roundtrip delay. More complex
routers on a LAN, the active router is the router of choice for routing packets; probe types can also permit the calculation of loss and jitter along the path.
the standby router is the router that takes over when the active router fails or This design uses IP SLA in tandem with EOT.
when preset conditions are met. To improve convergence times after a primary WAN failure, HSRP has the
capability to monitor the reachability of a next-hop IP neighbor through
the use of EOT and IP SLA. This combination allows for a router to give up
its HSRP active role if its upstream neighbor becomes unresponsive. This
provides additional network resiliency.
EIGRP
Distribution and Access Layer
VLAN 99 - Transit
Large remote sites may require a LAN environment similar to that of a small
campus LAN that includes a distribution layer and access layer. This topol-
HSRP VLANs ogy works well with either a single- or dual-router WAN edge. To implement
Active this design, the routers should connect via EtherChannel links to the dis-
802.1Q VLAN Trunk VLAN 64 - Data
HSRP Router
(64, 69, 99) tribution switch. These EtherChannel links are configured as 802.1Q VLAN
2142
VLAN 69 - Voice trunks, to support both a routed point-to-point link to allow EIGRP routing
with the distribution switch, and in the dual-router design, to provide a transit
network for direct communication between the WAN routers.
HSRP is configured to be active on the router with the highest priority WAN
transport. EOT of IP SLA probes is implemented in conjunction with HSRP so
that in the case of WAN transport failure, the standby HSRP router associ-
ated with the lower priority (alternate) WAN transport becomes the active
HSRP router. The IP SLA probes are sent from the remote-site primary WAN
router to the upstream neighbor (MPLS PE, Layer 2 WAN CE, or DMVPN
hub) to ensure reachability of the next hop router. This is more effective than
simply monitoring the status of the WAN interface.
WAN
VLAN 50 - Router 1 Link
802.1Q Trunk
(50)
802.1Q Trunk (ww, xx) 802.1Q Trunk (yy, zz) VLAN 50 - Router 1 Link
VLAN 54 - Router 2 Link 802.1Q Trunk 802.1Q Trunk
(50, 99) (54, 99)
VLAN 99 - Transit
2144
No HSRP Required
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, “DESIGNS”) IN THIS MANUAL ARE PRESENTED “AS IS,” WITH ALL FAULTS. CISCO AND ITS SUPPLiERS DISCLAIM ALL WARRANTIES, INCLUDING, WITH-
OUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE
FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL
OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content
is unintentional and coincidental.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their
respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
B-0000340-1 1/13