The Cisco IWAN solution helps businesses achieve their goals, and this book will help
IT departments get the most out of these solutions. The book describes IWAN and its
implementation in an easy-to-understand format that will allow network professionals to
take full advantage of this solution in their environments. In doing so, it will allow those
IT professionals to deliver tremendous business value to their organizations. At Cisco,
we believe that technology can truly help businesses define their strategy and value in
the market. And we believe that IT can help deliver that value through speed, agility, and
responsiveness to their customers and their businesses.
Michael Koons
Cisco Systems
Introduction
The Cisco Intelligent WAN (IWAN) enables organizations to deliver an uncompromised
experience over any WAN transport. With the Cisco IWAN architecture, organizations
can provide more bandwidth to their branch office connections using cost-effective
WAN transports without affecting performance, security, or reliability.
The authors’ goal was to provide a multifunction self-study book that explains the
technologies used in the IWAN architecture that would allow the reader to successfully
deploy the technology. Concepts are explained in a modular structure so that the reader
can learn the logic and configuration associated with a specific feature. The authors
provide real-world use cases that will influence the design of your IWAN network.
Knowledge learned from this book can be used for deploying IWAN via CLI or other
Cisco management tools such as Cisco Prime Infrastructure or Application Policy
Infrastructure Controller Enterprise Module (APIC-EM).
■ Chapter 1, “Evolution of the WAN”: This chapter explains the reasons for increased
demand on the WAN and why the WAN has become more critical to businesses in
any market vertical. The chapter provides an introduction to Cisco Intelligent WAN
(IWAN) and how it enhances user experiences while lowering operational costs.
Part II of the book explains transport independence through the deployment of Dynamic
Multipoint VPN (DMVPN).
■ Chapter 3, “Dynamic Multipoint VPN”: This chapter explains the basic concepts
of DMVPN and walks the user from a simple topology to a dual-hub, dual-cloud
topology. The chapter explains the interaction that NHRP has with DMVPN because
that is a vital component of the routing architecture.
xxxii Cisco Intelligent WAN (IWAN)
■ Chapter 4, “Intelligent WAN (IWAN) Routing”: This chapter explains why EIGRP
and BGP are selected for the IWAN routing protocols and how to configure them.
In addition to explaining the logic for the routing protocol configuration, multicast
routing is explained.
■ Chapter 5, “Securing DMVPN Tunnels and Routers”: This chapter examines the
vulnerabilities of a network and the steps that can be taken to secure the WAN.
It explains IPsec DMVPN tunnel protection using pre-shared keys and PKI
infrastructure. In addition, the hardening of the router is performed through the
deployment of Zone-Based Firewall (ZBFW) and Control Plane Policing (CoPP).
Part III of the book explains how to deploy intelligent routing in the WAN.
■ Chapter 8, “PfR Provisioning”: This chapter explains how PfRv3 can be configured
and deployed in a topology.
■ Chapter 9, “PfR Monitoring”: This chapter explains how PfR can be examined to
verify that it is operating optimally.
■ Chapter 10, “Application Visibility”: This chapter discusses how PfR can view and
collect application performance on the WAN.
Part IV of the book discusses and explains how application optimization integrates into
the IWAN architecture.
■ Chapter 12, “Cisco Wide Area Application Services (WAAS)”: This chapter
explains the Cisco WAAS architecture and methods that it can be inserted into a
network. In addition, it explains how the environment can be sized appropriately for
current and future capacity.
■ Chapter 13, “Deploying Application Optimizations”: This chapter explains how the
various components of WAAS can be configured for the IWAN architecture.
Part V of the book explains the specific aspects of QoS for the WAN.
■ Chapter 14, “Intelligent WAN Quality of Service (QoS)”: This chapter explains
NBAR-based QoS policies, Per-Tunnel QoS policy, and other changes that should be
made to accommodate the IWAN architecture.
Part VI of the book discusses direct Internet access and how it can reduce operational
costs while maintaining a consistent security policy.
■ Chapter 15, “Direct Internet Access (DIA)”: This chapter explains how direct
Internet access can save operational costs while providing additional services at
branch sites. The chapter explains how ZBFW or Cisco Cloud Web Security can be
deployed to provide a consistent security policy to branch network users.
■ Chapter 16, “Deploying Cisco Intelligent WAN”: This chapter provides an overview
of the steps needed to successfully migrate an existing WAN to Cisco Intelligent WAN.
The book ends with a closing perspective on the future of the Cisco software-defined
WAN (SD-WAN) and the management tools that are being released by Cisco.
The authors will be releasing a VIRL topology file so that readers can learn the
technologies as they are explained in the book. More information about VIRL can be
found at http://virl.cisco.com.
Additional Reading
The authors tried to keep the size of the book manageable while providing only
necessary information about the topics involved. Readers who require additional
reference material may find the following books to be a great supplementary resource
for the topics in this book:
■ Bollapragada, Vijay, Mohamed Khalid, and Scott Wainner. IPSec VPN Design.
Indianapolis: Cisco Press, 2005. Print.
■ Edgeworth, Brad, Aaron Foss, and Ramiro Garza Rios. IP Routing on Cisco IOS,
IOS XE, and IOS XR. Indianapolis: Cisco Press, 2014. Print.
■ Seils, Zach, Joel Christner, and Nancy Jin. Deploying Cisco Wide Area Application
Services. Indianapolis: Cisco Press, 2008. Print.
■ Szigeti, Tim, Robert Barton, Christina Hattingh, and Kenneth Briley Jr. End-to-End
QoS Network Design: Quality of Service for Rich-Media & Cloud Networks,
Second Edition. Indianapolis: Cisco Press, 2013. Print.
Chapter 1
■ WAN connectivity
WANs provide connectivity between multiple LANs that are spread across a broad area.
Designing and supporting a WAN adds complexity because of the variety of network
transports, the associated limitations, design choices, and costs of each WAN technology.
WAN Connectivity
WAN connectivity uses a variety of technologies, but the predominant methods come
from service providers (SPs) with three primary solutions: leased circuits, Internet, and
Multiprotocol Label Switching (MPLS) VPNs.
Leased Circuits
The cost to secure land rights and to purchase and install cables between two locations
can present a financial barrier to most companies. Service providers can deliver
dedicated circuits between two locations at a specific cost. Leased circuits can provide
2 Chapter 1: Evolution of the WAN
Internet
The Internet was originally created based on the needs of the U.S. Department of
Defense to allow communication even if a network segment is destroyed. The Internet’s
architecture has evolved so that it now supports the IP protocol (IPv4 and IPv6) and
consists of a global public network connecting multiple SPs. A key benefit of using
the Internet as a WAN transport is that both locations do not have to use the same SP.
A company can easily establish connectivity between sites using different SPs.
Figure 1-1 illustrates a sample topology in which bandwidth contention can occur
on peering links. AS100 guarantees 1 Gbps of connectivity to R1 and 10 Gbps of
connectivity to R3. AS200 guarantees 10 Gbps of connectivity to R4, and AS300
guarantees 1 Gbps of connectivity to R2. AS100 and AS200 peer with a 10 Gbps circuit,
and AS200 peers with AS300 with two 10 Gbps circuits. With normal traffic flows R1
can communicate at 1 Gbps rates with R2. However, if R3 is transmitting 10 Gbps of
data to R4, 11 Gbps of traffic must travel across the 10 Gbps circuit into AS200. Because
the peering links are not dedicated to a specific customer, some traffic is delayed or
dropped because of oversubscription of the 10 Gbps link. Bandwidth or latency cannot
be guaranteed when packets travel across peering links.
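The Figure 1-1 scenario, worked through as an added example (not the book's own code): the link capacities and the two flows follow the text; the node names, the treatment of each peering circuit as one undirected link, and the per-hop load accounting are this example's assumptions.

```python
"""Model the Figure 1-1 peering topology and flag links whose offered load
exceeds their capacity. Added example; topology values are taken from the
text, everything else is constructed here."""
from collections import defaultdict

# Undirected links with capacity in Gbps (constructed from Figure 1-1).
LINKS = {
    ("R1", "AS100"): 1.0,
    ("R3", "AS100"): 10.0,
    ("AS100", "AS200"): 10.0,    # single peering circuit, not customer-dedicated
    ("AS200", "R4"): 10.0,
    ("AS200", "AS300"): 20.0,    # two 10 Gbps peering circuits, aggregated (assumption)
    ("AS300", "R2"): 1.0,
}

def _key(a, b):
    """Normalise an (a, b) hop to the orientation used in LINKS."""
    return (a, b) if (a, b) in LINKS else (b, a)

def link_load(flows):
    """Sum the offered load (Gbps) on every link for a list of (path, rate) flows."""
    load = defaultdict(float)
    for path, rate in flows:
        for a, b in zip(path, path[1:]):
            load[_key(a, b)] += rate
    return dict(load)

def oversubscribed(flows):
    """Return {link: (offered_gbps, capacity_gbps)} for every link with offered > capacity."""
    return {l: (o, LINKS[l]) for l, o in link_load(flows).items() if o > LINKS[l]}

# Constructed flows: each customer sends at the rate its own SP guarantees.
FLOWS = [
    (["R1", "AS100", "AS200", "AS300", "R2"], 1.0),   # R1 -> R2 at 1 Gbps
    (["R3", "AS100", "AS200", "R4"], 10.0),           # R3 -> R4 at 10 Gbps
]

if __name__ == "__main__":
    # Only the shared AS100-AS200 peering link is over capacity (11 Gbps on 10 Gbps);
    # the drop or delay happens there even though every customer link is within its SLA.
    for link, (offered, cap) in oversubscribed(FLOWS).items():
        print(f"{link[0]}-{link[1]}: {offered:.0f} Gbps offered on a {cap:.0f} Gbps circuit")
```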
Quality of service (QoS) is based on granting preference to one type of network traffic
over another. QoS design is based on trust boundaries, classification, and prioritization.
Because the Internet is composed of multiple SPs, the trust boundary continually changes.
Internet SPs trust and prioritize only network traffic that originates from their devices.
QoS is considered a best effort when using the Internet as a transport. Some organizations
may deem the Internet unacceptable because this requirement cannot be met.
The MPLS VPNs are able to forward customer networks via two options depending upon
the customer’s requirements:
■ Layer 3 VPN (L3VPN): The SP routers create a virtual context, known as a Virtual
Route Forwarding (VRF) instance, for each customer. Every VRF provides a
method for routers to maintain a separate routing and forwarding table for each VPN
network on a router. The SP communicates and exchanges routes with the customer
edge (CE) routers. L3VPN exchanges IPv4 and IPv6 packets between PE routers.
The SPs own all the network components in an MPLS VPN network and can guarantee
specific QoS levels to the customer. They price their services based on service-level
agreements (SLAs) that specify bandwidth, QoS, end-to-end latency, uptime, and
additional guarantees. The price of the connectivity typically correlates to higher
demands in the SLAs to offset additional capacity and redundancy in their infrastructure.
Cloud-Based Services
An organization’s IT department is responsible for maintaining business applications such
as word processing, email, and e-commerce. Application sponsors must work with IT to
accommodate costs for staffing, infrastructure (network, workstations, and servers) for
day-to-day operations, architecture, and disaster recovery.
Collaboration Services
Enterprise organizations historically maintained a network for voice and a network for
computer data. Phone calls between cities were classified as long distance, allowing
telephone companies to charge the party initiating the call on a per-minute basis.
By consolidating phone calls onto the data network using voice over IP (VoIP), organizations were able to reduce their operating costs. Companies did not have to maintain both
voice and data circuits between sites. Legacy private branch exchanges (PBXs) no longer
needed to be maintained at all the sites, and calls between users in different sites used the
WAN circuit instead of incurring per-minute long-distance charges.
Expanding upon the concepts of VoIP, collaboration tools such as Cisco WebEx now
provide virtual meeting capability by combining voice, computer screen sharing, and
interactive webcam video. These tools allow employees to meet with other employees,
meet with customers, or provide training seminars without requiring attendees to be in
the same geographic location. WebEx provides a significant reduction in operating costs
because travel is no longer required. Management has realized the benefits of WebEx
but has found video conferencing or Cisco TelePresence even more effective. These tools
provide immersive face-to-face interaction, involving all participants in the meeting,
thereby increasing the attention of all attendees. Decisions are made faster because of the
reduced delay, and people are more likely to interact and share information with others
over video.
Voice and video network traffic requires prioritization on a network. Voice traffic is
sensitive to latency between endpoints, which should be less than 150 ms one way.
Video traffic is more tolerant of latency than voice. Latency by itself causes a delay
before the voice is heard, turning a phone call (two-way audio) into a CB radio (one-way).
While this is annoying, people can still communicate. Jitter is the varying delay between
packets as they arrive in a network and can cause gaps in the playback of voice or video
streams. If packet loss, jitter, or latency is too high, users can become frustrated with
choppy/distorted audio, video tiling, or one-way phone calls that drastically reduce
the effectiveness of these technologies.
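To make the latency, jitter, and loss discussion concrete, this added example (not code from the book) scores a constructed voice packet trace against the 150 ms one-way latency bound stated above. The RFC 3550 interarrival-jitter estimator, the 20 ms packet interval, and the sample trace are this example's assumptions.

```python
"""Score a voice packet trace for one-way latency, jitter and loss.
Added example; the trace below is constructed, not captured."""

MAX_ONE_WAY_LATENCY_MS = 150.0   # bound stated in the chapter

# Constructed trace: (sequence number, send time ms, receive time ms), 20 ms interval.
# Sequence 5 never arrives (loss); sequence 7 is delayed, which shows up as jitter.
TRACE = [
    (1, 0, 95), (2, 20, 115), (3, 40, 135), (4, 60, 156),
    (6, 100, 195), (7, 120, 260), (8, 140, 236), (9, 160, 255),
]

def voice_metrics(trace):
    """Return mean/max one-way latency, final RFC 3550 jitter estimate (ms), and loss ratio."""
    trace = sorted(trace)                      # order by sequence number
    latencies = [rx - tx for _, tx, rx in trace]
    # RFC 3550 interarrival jitter: D = (Rj - Ri) - (Sj - Si); J += (|D| - J) / 16
    jitter = 0.0
    for (_, s_i, r_i), (_, s_j, r_j) in zip(trace, trace[1:]):
        d = (r_j - r_i) - (s_j - s_i)
        jitter += (abs(d) - jitter) / 16
    expected = trace[-1][0] - trace[0][0] + 1  # packets that should have arrived
    loss = 1 - len(trace) / expected
    return {
        "mean_latency_ms": sum(latencies) / len(latencies),
        "max_latency_ms": max(latencies),
        "jitter_ms": jitter,
        "loss": loss,
    }

def meets_latency_bound(trace):
    """True when every packet arrived within the chapter's 150 ms one-way bound."""
    return voice_metrics(trace)["max_latency_ms"] <= MAX_ONE_WAY_LATENCY_MS

if __name__ == "__main__":
    m = voice_metrics(TRACE)
    print(f"mean {m['mean_latency_ms']:.1f} ms, max {m['max_latency_ms']} ms, "
          f"jitter {m['jitter_ms']:.2f} ms, loss {m['loss']:.1%}, "
          f"within bound: {meets_latency_bound(TRACE)}")
```

Latency stays within the bound here, yet the lost packet and the jitter spike are exactly the conditions the text describes as producing choppy audio, which is why a QoS policy must address all three metrics.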
However, because these devices are not centrally managed, corporations must take steps
to ensure that their intellectual property is not compromised. Properly designed networks
ensure that BYOD devices are separated from corporate-managed devices.
Smartphones and tablets for BYOD contain a variety of applications. Some may be used
for work, but others are not. Application updates are an average size of 2 MB to 25 MB;
some operating system updates are 150 MB to 750 MB in size. When users update
multiple applications or the operating system (OS) on their device, it consumes network
bandwidth from business-related applications.
Note Some users connect their smartphones and tablets to corporate networks purely to
avoid data usage fees associated with their wireless carrier contracts.
Media applications (voice and/or video) are sensitive to delay and packet loss and are
often granted the highest priority in QoS policies. Typically, non-business-related traffic
(Internet) is assigned the lowest QoS priority (best effort). All other business-related
traffic is categorized and assigned an appropriate QoS priority and bandwidth based
upon the business justification.
HTTP is not sensitive to latency or packet loss because it relies on TCP to detect lost
packets and retransmit them. Network engineers might assume that all web-browsing
traffic can be marked as best effort because it uses HTTP, but other applications that
are nested inside HTTP would then be marked incorrectly as well.
Deep packet inspection is the process of looking at the packet header and payload to
determine the actual application for that packet. Packets that use HTTP or HTTPS header
information should use deep packet inspection to accurately classify the application for
proper QoS marking. Providing proper network traffic classification ensures that the
network engineers can deploy QoS properly for every application.
Internet access is provided to the branch with either a centralized or a distributed model.
Both models are explained in the following sections.
The downside of the centralized model is that all network traffic from remote locations
to the Internet is also backhauled across the WAN circuit. This can cause congestion on
the enterprise WAN and centralized Internet access circuits during peak usage periods
unless the Internet circuit contains sufficient bandwidth for all sites and the WAN
circuits are sized to accommodate internal network traffic as well as the backhauled
Internet traffic. Although Internet circuits have a low cost, the backhauled network
traffic travels on more expensive WAN circuits. In addition, backhauling Internet traffic
may add latency between the clients and servers on the Internet. The latency occurs for
recreational web browsing as well as access to corporate cloud-based applications.
Figure 1-2 illustrates the centralized Internet model. All Internet traffic from R2 or R3
must cross the WAN circuit where it is forwarded out through the headquarters Internet
connection.
[Figure 1-2: Centralized Internet model. Headquarters (R1) holds the Internet connection; Branch (R2) and Branch (R3) send their Internet traffic across the WAN to R1.]
This model requires that the security policy be consistent at all sites, and that appropriate
devices be located at each site to enforce those policies. These requirements can be a
burden to some companies’ network and/or security teams.
Transport Independence
Cisco IWAN uses Dynamic Multipoint VPN (DMVPN) to provide transport
independence via overlay routing. Overlay routing adds a level of abstraction that
simplifies the control plane for any WAN transport: organizations can deploy a
consistent routing design across every transport, gain better traffic control and load
sharing, and run their routing protocols over the overlay, which removes any barriers to
equal-cost multipathing (ECMP). Overlay routing provides transport independence so that
a customer can select any WAN technology: MPLS VPN (L2 or L3), metro Ethernet, direct
Internet, broadband, cellular 3G/4G/LTE, or high-speed radios. Transport independence
makes it easy to mix and match transport options or change SPs to meet business
requirements.
For example, a new branch office requires network connectivity. Installing a physical
circuit can take an SP six to 12 weeks to provision after the order is placed. If the order
is not placed soon enough or complications are encountered, WAN connectivity for
the branch is delayed. Cisco IWAN’s transport independence allows the temporary use
of a cellular modem until the physical circuit is installed without requiring changes to
the router’s routing protocol configuration, because DMVPN resides over the top of the
cellular transport. Changing transports does not impact the overlay routing design.
PfR has been enhanced multiple times for Cisco intelligent path control, integrating
with DMVPN and making it a vital component of the IWAN architecture. It provides
improved application monitoring, faster convergence, simple centralized configuration,
service orchestration capability, automatic discovery, and single-touch provisioning.
Figure 1-4 depicts a topology that provides R1 connectivity to R5 across two different
paths. R1 and R5 have identified DMVPN tunnel 100 as the best path with the routing
protocol used and continue to send VoIP traffic up to that tunnel’s capacity. R1 uses
the same tunnel for sending and transferring files. The total amount of network traffic
exceeds tunnel 100’s bandwidth capacity. The QoS policies on the tunnel ensure that the
VoIP traffic is not impacted, but file transfer traffic is impacted. The DMVPN tunnel 200
could be used to transfer files with intelligent path control.
[Figure 1-4: Intelligent path control topology. R1 reaches R5 across two paths, one via R2 and one via R3 and R4.]
PfR overcomes scenarios like the one described previously. With PfR, R1 can send VoIP
traffic across DMVPN tunnel 100 and send file transfer traffic toward DMVPN tunnel
200. PfR allows both DMVPN tunnels to be used while still supporting application
requirements and not dropping packets.
Note Some network engineers might correlate PfR with MPLS traffic engineering (TE).
MPLS TE supports the capability to send specific marked QoS traffic down different TE
tunnels but lacks the granularity that PfR provides for identifying an application.
Application Optimization
Most users assume that application responsiveness across a WAN is directly related
to available bandwidth on the network link. This is an incorrect assumption because
application responsiveness directly correlates to the following variables: bandwidth, path
latency, congestion, and application behavior.
Most applications do not take network characteristics into account and rely on
underlying protocols like TCP to communicate between computers. Applications
are typically designed for LAN environments, which provide high-speed links without
congestion, and are therefore often “chatty.” Chatty applications transmit multiple
packets in a back-and-forth manner, requiring an acknowledgment in each direction.