Part II: Transport Independent Design
by Nir Ben-Dvora, Anthony Lockhart, David Prall, Jean-Marc Barozet, Brad Edgeworth
Cisco Intelligent WAN (IWAN)
About This E-Book
Title Page
Copyright Page
About the Authors
About the Technical Reviewers
Dedications
Acknowledgments
Contents at a Glance
Contents
Icons Used in This Book
Command Syntax Conventions
Foreword
Introduction
Who Should Read This Book?
How This Book Is Organized
Learning in a Lab Environment
Additional Reading
Part I: Introduction to IWAN
Chapter 1. Evolution of the WAN
WAN Connectivity
Leased Circuits
Internet
Multiprotocol Label Switching VPNs (MPLS VPNs)
Increasing Demands on Enterprise WANs
Server Virtualization and Consolidation
Cloud-Based Services
Collaboration Services
Bring Your Own Device (BYOD)
Guest Internet Access
Quality of Service for the WAN
Branch Internet Connectivity and Security
Centralized Internet Access
Distributed Internet Access
Cisco Intelligent WAN
Transport Independence
Intelligent Path Control
Application Optimization
Secure Connectivity
Software-Defined Networking (SDN) and Software-Defined WAN (SD-WAN)
Summary
Part II: Transport Independent Design
Chapter 2. Transport Independence
WAN Transport Technologies
Dial-Up
Leased Circuits
Virtual Circuits
Peer-to-Peer Networks
Broadband Networks
Cellular Wireless Networks
Virtual Private Networks (VPNs)
Multiprotocol Label Switching (MPLS) VPNs
Link Oversubscription on Multipoint Topologies
Dynamic Multipoint VPN (DMVPN)
Benefits of Transport Independence
Managing Bandwidth Cost
Leveraging the Internet
Intelligent WAN Transport Models
Summary
Chapter 3. Dynamic Multipoint VPN
Generic Routing Encapsulation (GRE) Tunnels
GRE Tunnel Configuration
GRE Example Configuration
Next Hop Resolution Protocol (NHRP)
Dynamic Multipoint VPN (DMVPN)
Phase 1: Spoke-to-Hub
Phase 2: Spoke-to-Spoke
Phase 3: Hierarchical Tree Spoke-to-Spoke
DMVPN Configuration
DMVPN Hub Configuration
DMVPN Spoke Configuration for DMVPN Phase 1 (Point-to-Point)
Viewing DMVPN Tunnel Status
Viewing the NHRP Cache
DMVPN Configuration for Phase 3 DMVPN (Multipoint)
Spoke-to-Spoke Communication
Forming Spoke-to-Spoke Tunnels
NHRP Route Table Manipulation
NHRP Route Table Manipulation with Summarization
Problems with Overlay Networks
Recursive Routing Problems
Outbound Interface Selection
Front-Door Virtual Route Forwarding (FVRF)
IP NHRP Authentication
Unique IP NHRP Registration
DMVPN Failure Detection and High Availability
NHRP Redundancy
NHRP Traffic Statistics
DMVPN Tunnel Health Monitoring
DMVPN Dual-Hub and Dual-Cloud Designs
IWAN DMVPN Sample Configurations
Sample IWAN DMVPN Transport Models
Backup Connectivity via Cellular Modem
Enhanced Object Tracking (EOT)
Embedded Event Manager
IWAN DMVPN Guidelines
Troubleshooting Tips
Summary
Further Reading
Chapter 4. Intelligent WAN (IWAN) Routing
Routing Protocol Overview
Topology
WAN Routing Principles
Multihomed Branch Routing
Route Summarization
Traffic Engineering for DMVPN and PfR
EIGRP for IWAN
Base Configuration
Verification of EIGRP Neighbor Adjacencies
EIGRP Stub Sites on Spokes
EIGRP Summarization
EIGRP Traffic Steering
Complete EIGRP Configuration
Advanced EIGRP Site Selection
Border Gateway Protocol (BGP)
BGP Routing Logic
Base Configuration
BGP Neighbor Sessions
Default Route Advertisement into BGP
Routes Learned via DMVPN Tunnel Are Always Preferred
Branch Router Configuration
Changing BGP Administrative Distance
Route Advertisement on DMVPN Hub Routers
Traffic Steering
Complete BGP Configuration
Advanced BGP Site Selection
FVRF Transport Routing
Multicast Routing
Multicast Distribution Trees
Rendezvous Points
Protocol Independent Multicast (PIM)
Source Specific Multicast (SSM)
Multicast Routing Table
IWAN Multicast Configuration
Hub-to-Spoke Multicast Stream
Spoke-to-Spoke Multicast Traffic
Summary
Further Reading
Chapter 5. Securing DMVPN Tunnels and Routers
Elements of Secure Transport
IPsec Fundamentals
Security Protocols
Key Management
Security Associations
ESP Modes
IPsec Tunnel Protection
Pre-shared Key Authentication
Verification of Encryption on IPsec Tunnels
Private Key Infrastructure (PKI)
IKEv2 Protection
Basic IOS CA Management
Securing Routers That Connect to the Internet
Access Control Lists (ACLs)
Zone-Based Firewalls (ZBFWs)
Control Plane Policing (CoPP)
IOS Embedded Packet Capture (EPC)
IOS XE Embedded Packet Capture
Analyzing and Creating the CoPP Policy
Device Hardening
Summary
Further Reading
Part III: Intelligent Path Control
Chapter 6. Application Recognition
What Is Application Recognition?
What Are the Benefits of Application Recognition?
NBAR2 Application Recognition
NBAR2 Application ID, Attributes, and Extracted Fields
NBAR2 Application ID
NBAR2 Application Attributes
NBAR2 Layer 7 Extracted Fields
NBAR2 Operation and Functions
Phases of Application Recognition
NBAR2 Engine and Best-Practice Configuration
Custom Applications and Attributes
Auto-learn Traffic Analysis Engine
Traffic Auto-customization
Manual Application Customization
Manual Application Attributes Customization
NBAR2 State with Regard to Device High Availability
Encrypted Traffic
NBAR2 Interoperability with Other Services
NBAR2 Protocol Discovery
Enabling NBAR2 Protocol Discovery
Displaying NBAR2 Protocol Discovery Statistics
Clearing NBAR2 Protocol Discovery Statistics
NBAR2 Visibility Dashboard
NBAR2 Protocol Packs
Release and Download of NBAR2 Protocol Packs
NBAR2 Protocol Pack License
Application Customization
NBAR2 Protocol Pack Types
NBAR2 Protocol Pack States
Identifying the NBAR2 Software Version
Verifying the Active NBAR2 Protocol Pack
Loading an NBAR2 Protocol Pack
NBAR2 Taxonomy File
Protocol Pack Auto Update
Validation and Troubleshooting
Verify the Software Version
Check the Device License
Verifying That NBAR2 Is Enabled
Verifying the Active NBAR2 Protocol Pack
Checking That Policies Are Applied Correctly
Reading Protocol Discovery Statistics
Granular Traffic Statistics
Discovering Generic and Unknown Traffic
Verifying the Number of Flows
Summary
Further Reading
Chapter 7. Introduction to Performance Routing (PfR)
Performance Routing (PfR)
Simplified Routing over a Transport-Independent Design
“Classic” Path Control Used in Routing Protocols
Path Control with Policy-Based Routing
Intelligent Path Control—Performance Routing
Introduction to PfRv3
Introduction to the IWAN Domain
IWAN Sites
Device Components and Roles
IWAN Peering
Parent Route Lookups
Intelligent Path Control Principles
PfR Policies
Site Discovery
Site Prefix Database
PfR Enterprise Prefixes
WAN Interface Discovery
Channel
Smart Probes
Traffic Class
Path Selection
Performance Monitoring
Threshold Crossing Alert (TCA)
Path Enforcement
Summary
Further Reading
Chapter 8. PfR Provisioning
IWAN Domain
Topology
Overlay Routing
Traffic Engineering for PfR
PfR Components
PfR Configuration
Master Controller Configuration
BR Configuration
NetFlow Exports
Domain Policies
Complete Configuration
Advanced Parameters
Unreachable Timer
Smart Probes Ports
Transit Site Affinity
Path Selection
Routing—Candidate Next Hops
Routing—No Transit Site Preference
Routing—Site Preference
PfR Path Preference
PfR Transit Site Preference
Using Transit Site Preference and Path Preference
Summary
Further Reading
Chapter 9. PfR Monitoring
Topology
Checking the Hub Site
Check the Routing Table
Checking the Hub MC
Checking the Hub BRs
Verification of Remote MC SAF Peering with the Hub MC
Checking the Transit Site
Check the Branch Site
Check the Routing Table
Check Branch MC Status
Check the Branch BR
Monitoring Operations
Routing Table
Monitor the Site Prefix
Monitor Traffic Classes
Monitor Channels
Transit Site Preference
Summary
Further Reading
Chapter 10. Application Visibility
Application Visibility Fundamentals
Overview
Components
Flows
Performance Metrics
Application Response Time Metrics
Media Metrics
Web Statistics
Flexible NetFlow
Flexible NetFlow Overview
Configuration Principles
Flexible NetFlow for Application Visibility
Monitoring NetFlow Data
Flexible NetFlow Summary
Evolution to Performance Monitor
Principles
Performance Monitor Configuration Principles
Easy Performance Monitor (ezPM)
ezPM Configuration Steps
Monitoring Performance Monitor
Metrics Export
Flow Record, NetFlow v9, and IPFIX
Terminology
NetFlow Version 9 Packet Header Format (RFC 3954)
IPFIX Packet Header Format (RFC 7011)
Monitoring Exports
Monitoring Performance Collection on Network Management Systems
Deployment Considerations
Performance Routing
Interoperability with WAAS
Summary
Further Reading
Part IV: Application Optimization
Chapter 11. Introduction to Application Optimization
Application Behavior
Bandwidth
Latency
Cisco Wide Area Application Services (WAAS)
Cisco WAAS Architecture
TCP Optimization
Caching and Compression
Compression
Object Caching
Application-Specific Acceleration
Microsoft Exchange Application Optimization
HTTP Application Optimization
SharePoint Application Optimization
SSL Application Optimization
Citrix Application Optimization
CIFS Application Optimization
SMB Application Optimization
NFS Acceleration
Akamai Connect
Summary
Further Reading
Chapter 12. Cisco Wide Area Application Services (WAAS)
Cisco WAAS Architecture
Central Management Subsystem
Interface Manager
Monitoring Facilities and Alarms
Network Interception and Bypass Manager
Application Traffic Policy Engine
Disk Encryption
Cisco WAAS Platforms
Router-Integrated Network Modules
Appliances
ISR-WAAS
WAAS Performance and Scalability Metrics
WAAS Design and Performance Metrics
Device Memory
Disk Capacity
Number of Optimized TCP Connections
WAN Bandwidth and LAN Throughput
Number of Peers and Fan-out Each
Central Manager Sizing
Licensing
Cisco WAAS Operational Modes
Transparent Mode
Directed Mode
Interception Techniques and Protocols
Web Cache Communication Protocol
Policy-Based Routing (PBR)
Inline Interception
AppNav Overview
AppNav IOM
AppNav-XE
Advantages of Using the AppNav-XE Component
Guidelines and Limitations
WAAS Interception Network Integration Best Practices
Summary
Further Reading
Chapter 13. Deploying Application Optimizations
GBI: Saving WAN Bandwidth and Replicating Data
WAN Optimization Solution
Deploying Cisco WAAS
WAAS Data Center Deployment
Primary Central Manager
Standby Central Manager
AppNav-XE
Initial GBI AppNav-XE Deployment
Deploying a Data Center Cluster
Deploying a Separate Node Group and Policy for Replication
Deploying a New Policy for Data Center Replication
GBI Branch Deployment
Branch 1 Sizing
Branch 1 Deployment
Branch 12 Sizing
Branch 12 WAAS Deployment
Summary
Part V: QoS
Chapter 14. Intelligent WAN Quality of Service (QoS)
QoS Overview
Ingress QoS NBAR-Based Classification
Ingress LAN Policy Maps
Egress QoS DSCP-Based Classification
Egress QoS Policy Map
Hierarchical QoS
DMVPN Per-Tunnel QoS
Per-Tunnel QoS Tunnel Markings
Bandwidth-Based QoS Policies
Bandwidth Remaining QoS Policies
Subrate Physical Interface QoS Policies
Association of Per-Tunnel QoS Policies
Per-Tunnel QoS Verification
Per-Tunnel QoS Caveats
QoS and IPSec Packet Replay Protection
Complete QoS Configuration
Summary
Further Reading
Part VI: Direct Internet Access
Chapter 15. Direct Internet Access (DIA)
Guest Internet Access
Dynamic Host Configuration Protocol (DHCP)
Network Address Translation (NAT)
Verification of NAT
Zone-Based Firewall (ZBFW) Guest Access
Verification of ZBFW for Guest Access
Guest Access Quality of Service (QoS)
Guest Access Web-Based Acceptable Use Policy
Guest Network Consent
Guest Authentication
Internal User Access
Fully Specified Static Default Route
Verification of Internet Connectivity
Network Address Translation (NAT)
Policy-Based Routing (PBR)
Internal Access Zone-Based Firewall (ZBFW)
Cloud Web Security (CWS)
Baseline Configuration
Outbound Proxy
WAAS and WCCP Redirect
Prevention of Internal Traffic Leakage to the Internet
Summary
References in this Chapter
Part VII: Migration
Chapter 16. Deploying Cisco Intelligent WAN
Pre-Migration Tasks
Document the Existing WAN
Network Traffic Analysis
Proof of Concept
Finalize the Design
Migration Overview
IWAN Routing Design Review
EIGRP for the IWAN and the LAN
BGP for the IWAN and an IGP (OSPF) for the LAN
Routing Design During Migration
Deploying DMVPN Hub Routers
Migrating the Branch Routers
Migrating a Single-Router Site with One Transport
Migrating a Single-Router Site with Multiple Transports
Migrating a Dual-Router Site with Multiple Transports
Post-Migration Tasks
Migrating from a Dual MPLS to a Hybrid IWAN Model
Migrating IPsec Tunnels
PfR Deployment
Testing the Migration Plan
Summary
Further Reading
Part VIII: Conclusion
Chapter 17. Conclusion and Looking Forward
Intelligent WAN Today
Intelligent WAN Architecture
Intelligent WAN Tomorrow
Appendix A. Dynamic Multipoint VPN Redundancy Models
NHRP Clusterless Model
NHRP Clustered Model
NHRP Clustered Model Configuration
Further Reading
Appendix B. IPv6 Dynamic Multipoint VPN
IPv6-over-IPv6 Sample Configuration
IPv6 DMVPN Verification
IPv4 over IPv6 Sample Configuration
IPv4-over-IPv6 Verification
Further Reading
Index
Code Snippets