Table Of Contents
9.1 Resiliency/High Availability
9.3 Network and Application Performance
9.5.4 Branch LAN-Side High Availability
9.5.5 Branch WAN-Side High Availability
9.6.1 Application Visibility Using NBAR
9.6.2 Congestion Management Using QoS
9.6.4 Path Optimization Using PfR
9.7.1 PfR-Based Load Balancing
9.7.2 PfR Link/Path Congestion/Failure
9.9.2 Internet-Based VPNs Secured using DMVPN
9.11 Interoperability Considerations
9.11.1 Putting QoS and NBAR Together
9.11.2 QoS, NBAR, NetFlow, and Path Optimization with PfR
9.12.1 PfR Supports Only One Next Hop Per Interface
9.12.2 PfR Supports only BGP or Static Routes for Path Optimization
9.12.3 PfR Might Break WAAS TCP Optimization if the WAAS Network Path Changes
9.12.4 PfR Interface Mapping and WAAS
9.12.5 PfR Cannot Recognize MQC Marking Done by the Same Router
9.12.6 PFR Interface Mapping and NetFlow Sampling
9.12.7 CIFS tunneling on WAE and Network visibility
9.12.10 WAAS Might Not Intercept IP SLA Probes Configured on the Branch Router
9.12.11 NBAR Cannot Perform DPI if WAE TCP Optimization Occurs before NBAR Discovery
9.13 Example Deployment Models
9.13.1 Small Branch Office with Single-Homed SOHO Branch Router
9.13.2 Small Branch Office with Dual-Homed, Single-Tier Branch Router
9.13.3 Medium Branch Office with Dual-Homed, Dual-Tiered Branch Routers
9.13.4 Large Branch Offices with Dual-Homed, Dual-Tiered Branch Routers
9.15.2 WAAS Catalyst 6500 Load Balancing
9.16 Network Performance Management
9.17 Performance Monitoring for WAN and Application Optimization
9.17.1 NetQoS Support for WAN and Application Optimization
9.17.2 NetQoS Metrics for WAN and Application Optimization
9.17.3 NetQoS Deployment Considerations
9.17.4 Application Response Time Analysis with NetQoS SuperAgent
9.17.5 Link Traffic Analysis using NetQoS ReporterAnalyzer
9.17.6 Device Performance Analysis using NetQoS NetVoyant
9.18 Use Case 1: Predeployment Baselining
9.19 Use Case 2: Validating WAAS Effectiveness
9.20 Cisco NAM Use Cases for WAN and Application Optimization
9.20.1 NAM-2 Support for WAN and Application Optimization
9.21 NAM 3.6 Metrics for WAN and Application Optimization
9.22 NAM-2 Deployment Considerations
9.23 NAM-2 Data Collection for WAN and Application Optimization
9.23.1 Data Center Deployment Scenario 1
9.23.2 Data Center Deployment Scenario 2
9.23.3 Monitoring the Server Segment
9.23.4 Monitoring the WAN Segment
9.23.5 NAM-2 Deployment Caveats
9.24 Use Case 1: Troubleshooting
9.25 Use Case 2: Conversation Analysis
Branch Design Considerations
In today's global economy, companies are rapidly expanding their presence throughout the world. As they grow, so do their networks. Their branch offices must have effective and reliable network connectivity to their corporate HQs (and between branch offices) in support of business applications. For any branch network, the designer must consider the following key requirements:
•
Resiliency
•
•
•
This chapter considers different technologies that can address these requirements, and introduces sample branch designs.
9.1 Resiliency/High Availability
Providing uninterrupted network connectivity between branches and headquarters, and among branches, is critical to any network design. It is essential to avoid single points of failure.
The cost of business interruption caused by network failure, the probability of component or network device failure, and other factors must be carefully analyzed. Designers should consider the cost-benefit ratio of resiliency and plan for appropriate resiliency. In very small branch offices, the cost of providing resiliency may not provide adequate cost benefits.
9.2 Security
Security is a critical factor in any network design. Typically, data transfer between branches and corporate headquarters happens over a service provider (SP) network or over the Internet. Data that traverses the Internet is highly susceptible to snooping.
To protect against snooping and provide business confidentiality, some form of data encryption should be deployed. Additionally, many government regulations, such as Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX) mandate securing traffic.
9.3 Network and Application Performance
As global businesses evolve, some deploy more and more business critical applications that can provide split-second decisions. Network performance is a key consideration for such applications, which need fast connectivity and bandwidth.
9.4 Load Sharing
A good branch design also provides resources for scaling and growth. Load sharing can provide both improved availability and scalability to the network. In a branch network, load sharing can be implemented by having multiple WAN exit routers to share the load. In addition, branch routers can have multiple exit interfaces connected to the WAN for load sharing. These methods can improve both availability and scaling.
9.5 Common Branch Topologies
Although in many cases a branch might have overlapping features from the following profiles, a typical branch with WAN optimization can be categorized into one of the most widely deployed topologies.
9.5.1 Single Tier Branches
These branches typically have one branch router with a WAE (either internal or external) for optimizing traffic. This router typically has an inbuilt switching module so that multiple same subnet end hosts and IP phones can be connected without requiring an external switch.
In a typical small-enterprise/SOHO deployment, the branch routers are usually single-homed, as shown in Figure 9-1 (a). In small enterprise branches with few users, shown in Figure 9-1 (b), the branch router is often dual-homed to two SPs (or to the same SP), providing resiliency for the WAN connection. A variation of this design, shown in Figure 9-1 (c), adds another WAE to add WAE resiliency. The second WAE can be used to share bandwidth and application optimization loads.
Figure 9-1 SOHO and Single Tier Branches
9.5.2 Dual Tier Branches
Dual tier branches employ multiple (usually two) branch routers and an external Ethernet bridge providing connectivity to the two routers. Typically, both routers are homed to different SPs to provide more resilient WAN connectivity.
A router dual homed to WAN, or a dual branch router design enables efficient link utilization with load sharing, but can also increase the possibility of asymmetric routing and associated challenges. Asymmetric routing is explained in the following section.
The routers can share one WAE for optimization, as shown in Figure 9-2 (a). Alternatively, the routers can use multiple WAEs in a load-shared and redundant manner as shown in The routers can share one WAE for optimization, as shown in Figure 9-2 (b). WCCP can locally correct asymmetry issues and keep optimized session on a consistent WAE.
Figure 9-2 Dual Tier Branches
9.5.3 Asymmetric Routing
In hop-by-hop packet routing systems (the vast majority of IP routing systems), each router independently selects the outgoing path. While routing protocols ensure that loops are avoided, the symmetry of bidirectional traffic flows cannot be guaranteed when destination prefixes are reachable by multiple paths.
Asymmetric routing occurs when traffic does not traverse the same path in both directions of a conversation. A branch site that has multiple WAN connections, with either a single router or multiple routers, is always prone to asymmetric routing. This can occur because the routing protocol on each end selects a different path, by load or session balancing, or even by path optimization mechanisms.
Consider a simple branch network with one router dual-homed to the WAN, as shown in Figure 9-3, with a bidirectional traffic session between a client on the branch LAN and a headquarters server. As Figure 9-3 shows, traffic from the branch to headquarters can exit through one WAN link on the branch router (in this case, Link l). However, the server-side routers calculated the best path for the client network to be over the WAN2 link. This is the asymmetric routing case: server-sourced traffic arrives on Link 2 of the branch router.
Figure 9-3 Asymmetric Routing
Without proper design and placement of network services, asymmetric routing can create challenges in networks. For example, asymmetric routing results in suboptimal TCP performance; TCP assumes that the SYN from one end and the ACK from other end traverse the same path. Because data does not traverse the same physical path in both directions, suboptimal TCP performance results.
If state is built into network services for transiting traffic, full flow information might not be available to a network device. Network services that need to act on (or simply see) both directions of a conversation include firewalls, NAT devices, and stateful identification in some applications. Some monitoring tools also rely on bidirectional traffic flows.
Such tools have potential issues when traffic exits through one router and ingresses through the other. Challenges caused by asymmetric routing in a network with a multi-homed single router are a little easier to mitigate than designs where two routers are being used, because conversation state for both directions still transits the same router in the single router case.
9.5.4 Branch LAN-Side High Availability
When using two branch routers, Gateway Load Balancing Protocol (GLBP), Hot Standby Routing Protocol (HSRP), or Virtual Router Redundancy Protocol (VRRP) can be configured on the LAN interfaces of the routers to provide high availability for the default gateway of an end host. Table 9-1 lists the advantages of HSRP and GLBP.
9.5.5 Branch WAN-Side High Availability
To ensure business continuity, it is essential to provide high availability on the WAN side. Therefore, branch routers are typically dual-homed to the SP network on the WAN side. In such cases, one path serves as the primary path, and the other is a secondary or backup path.
In other words, traffic normally takes the primary path. If the primary path fails, traffic can move to the secondary path. Routing protocols deployed over the WAN network provide reachability information that enables the branch routers to decide on the path to be taken.
However, when a path fails, it takes some time for routing protocols to converge and point to the alternate path, causing packet loss. Although routing protocol timers can be tweaked to alleviate some of these effects, this is not always fully effective. Additionally, some types of failures (brownouts, black holes, path congestion, and so on) are not captured by the routing protocol reachability information. Performance Routing (PfR), detailed in Path Optimization Using PfR, can be deployed to provide faster, efficient, more granular optimization per application path.
Figure 9-4 depicts a typical GLBP/HSRP implementation on the LAN side and dual homing on the WAN side on branch networks.
Figure 9-4 Typical Branch LAN/WAN High Availability
9.6 Optimization Tools
This section describes the major tools used in the Cisco WAN and application optimization solution:
•
•
•
•
•
9.6.1 Application Visibility Using NBAR
To use WAN bandwidth efficiently, the user should be able to implement appropriate application-aware traffic policies. When using WAEs for TCP optimization, the user faces challenges; for example, L5 through L7 details are no longer visible after packets are optimized (especially with compression). This is shown in Figure 9-5.
Figure 9-5 TCP Optimization and Application Visibility
Figure 9-6 NBAR Application Marking with TCP Optimization
This challenge makes implementing any application-aware traffic policies difficult. In such cases, using NBAR (as shown in Figure 9-6), with deep packet inspection (DPI) capabilities, and using QoS to mark traffic before WAAS, can be an ideal tool for classifying application traffic.
NBAR has stateful packet inspection capabilities that complement NetFlow, which collects flow information only up to the TCP or UDP port level. Therefore, NetFlow is limited in identifying some kinds of traffic. NBAR can be applied on branch router LAN interfaces to inspect and mark traffic using Differentiated Services Code Point (DSCP) or type of service (ToS) values as traffic enters the branch router.
Different applications of interest can be marked with different DSCP settings. For example, the user can configure specific policies to mark HTTP traffic based on URLs. Because the WAEs do not change IP header information, appropriate QoS egress policies can be configured on the branch router WAN interfaces of the to condition optimized traffic from WAE. A sample NBAR classification configuration follows.
!CONFIGURE APPROPRIATE NBAR CLASS MAPS TO MATCH DIFFERENT APPLICATION/PROTOCOLSclass-map match-any NBAR_FTPmatch protocol ftpclass-map match-any NBAR_voicematch protocol sipmatch protocol skinnyclass-map match-any NBAR_HTTPmatch protocol secure-httpmatch protocol http url "*cisco.htm*"match protocol http url "*ba_HN.jpg*"9.6.2 Congestion Management Using QoS
Congestion management using QoS can play a key role in regulating WAN traffic. In a branch, WAN traffic might comprise real-time traffic, Web traffic, and other application traffic. Each traffic patterns requires different handling for delay, packet loss, and so on. For example, real-time traffic such as voice requires low latency and jitter, and appropriate low latency queues should be configured to provide priority for this traffic.
Other traffic types, such as TCP traffic, can have huge packet sizes that can delay other queued traffic, especially on slow links, such as T1. These traffic types require configuration with some link efficiency mechanism, such as fragmentation interleaving, to help minimize the effect. Even with optimization by WAE, congestion can occur and the user must configure appropriate QoS mechanisms to help ensure that different traffic classes are guaranteed appropriate bandwidth.
Similarly, traffic to and from the WAE can be prioritized. If necessary, traffic policing and shaping can be applied on the WAN/LAN interfaces to ensure adherence to traffic limits. For more information, refer to Enterprise QoS Solution Reference Network Design Guide:
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/QoS-SRND-Book.html
9.6.3 NetFlow
NetFlow supports accounting of IP flows traversing and terminating on the router. This data can be exported to a NetFlow collector and analyzer, which can generate reports, ranging from departmental usage and capacity planning to understanding, which applications are running on the network. NetFlow can also support early detection of security threats, such as denial of service (DoS) attacks. On the router itself, the NetFlow data can be a powerful troubleshooting tool.
Figure 9-7 illustrates some charting examples from a specific product (NetQoS ReporterAnalyzer). This product is described in more detail in Network and Application Performance.
Seven unique fields (called key fields) identify a NetFlow flow: router source interface, source IP address, destination IP address, type of service (ToS) byte, IP protocol, L4 source port, and L4 destination port.
Additional fields are collected, such as destination interface (where the flow was forwarded), bytes sent, and number of packets sent. Because the deepest flow accounting is based on the L4 ports (in TCP, the source and destination ports), in certain cases it is impossible to identify the end application in use.
To address this problem in many cases, identify an L4 port range and IP addresses to help in identify the application. For example, voice traffic might use UDP port numbers between 16384 and 32767, and IP phones might be restricted to a certain IP address range. The identification data can be represented in the NetFlow collector, which can then use this information to name the application "voice."
Figure 9-7 NetQoS NetFlow Analysis
Figure 9-8 shows these technologies and where they are applied.
Figure 9-8 NetFlow, NBAR, QoS at a Branch Router
9.6.4 Path Optimization Using PfR
In any WAN design, the challenge is to provide application-specific bandwidth and resiliency while making efficient use of WAN bandwidth. While resiliency and some load sharing of WAN links can be ensured with routing protocols, traditional routing protocols do not provide best path selection based on link utilization or many of the other path characteristics. Therefore, the branch network might not be able to respond to dynamic network emergencies like intermittent congestion or a link failure upstream that does not cause a routing protocol transition. Even if the routing protocol does respond, it might take quite some time for the network to re-converge. In such cases, Cisco PfR can be used to respond to such failures dynamically.
PfR helps to provide dynamic route optimization based on latency, link utilization, and dynamic detection of data path failure. PfR enables a user to:
•
•
•
•
•
Cisco PfR implementation requires at least one border router (BR) and master controller (MC) process, both of which run on IOS routers. The BR has the branch exit interfaces (attached to the WAN) and is responsible for collecting information about traffic exiting the site, and for implementing policy decisions derived by the MC. For a small office, home office (SOHO), the MC and BR can be the same device.
PfR also requires at least two exits towards the WAN. Figure 9-9 represents a typical PfR implementation with a dual-homed branch network. In this case, efficiently deploying PfR with NetFlow, NBAR, and QoS can enable the operator to maximize network performance and end user experience for different applications.
Figure 9-9 SOHO Deployment
However, most deployments have two BRs and one MC. Note that Cisco Express Forwarding (CEF) must be enabled on PfR routers. Figure 9-10 depicts such a deployment.
Figure 9-10 PfR Deployment with dual Branch Routers
9.7 How PfR Works
The BR on a PfR-enabled network monitors the performance of the traffic going out to the WAN and relays this information to the MC. The MC verifies whether the current performance conforms to the configured policy for each traffic class. If not, the MC instructs the BRs to change the route for that particular prefix.
To perform route control, a route is injected. The injected route can be a static route, a BGP route (if BGP is used), or a Policy Based Routing (PBR) policy (if the forwarding decision is based on something more than the IP destination). Support for other routing protocols, such as Enhanced Interior Gateway Routing Protocol (EIGRP), is under development. Note that the injected routes are local and should not be advertised.
A typical PfR MC/BR configuration geared toward load balancing traffic between two serial links follows:
!CONFIGURE THE OER KEY TO BE USED FOR MASTER-BORDER AUTHENTICATIONkey chain oer-keykey 1key-string WANOPT!!CONFIGURE PfR MASTERoer mastermax-range-utilization percent 10logging!!POINT TO THE BORDER ROUTER AND OER KEY TO USE FOR AUTHENTICATIONborder 10.0.0.173 key-chain oer-key!DEFINE THE INTERNAL AND EXTERNAL INTERFACES ON THE BORDER ROUTERinterface FastEthernet3/1 internalinterface Serial6/1:0 externalmax-xmit-utilization percentage 50interface Serial6/0:0 externalmax-xmit-utilization percentage 50!!CONFIGURE THE PfR MASTER TO LEARN TRAFFIC CLASS OR PREFIXESlearn!CONFIGURE THE PfR TO LEARN TOP PREFIXES BASED ON THROUGHPUTThroughput!CONFIGURE THE PfR TIMERSperiodic-interval 0monitor-period 1!CONFIGURE THE NUMBER OF PREFIXES TO LEARNprefixes 500traffic-class keys dscp!CONFIGURE THE TYPE OF PREFIXES TO AGGREGATEaggregation-type prefix-length 32no max range receivebackoff 90 90!CONFIGURE THE PfR MODEmode route controlmode select-exit bestperiodic 180resolve range priority 1resolve utilization priority 2 variance 10no resolve delay!CONFIGURE PfR BORDERoer border!ENABLE LOGGINGlogginglocal Loopback0!POINT TO THE MASTER ROUTER AND OER KEY TO USE FOR AUTHENTICATIONmaster 10.0.0.173 key-chain oer-key9.7.1 PfR-Based Load Balancing
PfR can also track flows based on destination prefixes and link utilization. By intelligently combining destination prefixes into different groups, appropriate policy maps can be defined in PfR for different kinds of traffic. These different flows can then be appropriately routed and optimized for bandwidth. For example, consider the setup shown in Figure 9-11.
Figure 9-11 Dual-Homed SOHO Branch
This setup has a dual homed branch router with one link over an MPLS WAN and the other over the Internet. Although the available bandwidth for each path is the same, delay and jitter are not. With normal routing protocols, the path through the MPLS WAN is the preferred exit and all traffic flows through that interface. The entire bandwidth available through the Internet exit is unused and wasted.
Using PfR to route all critical and delay sensitive traffic over the primary exit and all entertainment and non-critical traffic over Internet is probably a better solution. Thus, PfR can be used for efficient load balancing to ensure better bandwidth utilization. Section How PfR Works provides sample configurations.
9.7.2 PfR Link/Path Congestion/Failure
Normal routing protocols are primarily limited because they are based primarily on reachability. Although some routing protocols include cost as a metric for route calculations, cost is typically based on the theoretical link bandwidth and is a static value. This seriously impedes their routing path decisions because they do not track dynamically changing metrics such as delay or jitter.
For example, if there is congestion along a path and data packets are dropped or delay increases, normal routing protocols cannot effect a change in the routing path. A failure of this kind can affect all critical and real time user traffic. Because PfR can track metrics such as delay, jitter, and true reachability, it provides a potential solution for such situations. For example, consider the setup shown in Figure 9-12.
This setup has a dual homed branch router with two exit links. The path over Link1 provides a 30ms delay and the path over Link2 provides a delay of 60ms. The router is configured with PfR to track delay, send real time traffic over the path with the least delay, and send all other traffic over the alternate path.
Figure 9-12 Dual-Homed SOHO Branch with Multiple Exit Links
9.7.2.1 Case 1: Normal Conditions: No Congestion
PfR is active and is tracking delay and reachability. Because path 1 provides the lowest delay, all delay sensitive traffic is routed over path 1. As can be seen using show commands, PfR introduces a static route through path1 for delay sensitive traffic. All other traffic is routed over path 2 because of the default route. This is shown in Figure 9-13.
Figure 9-13 SOHO Branch with No Congestion
9.7.2.2 Case 2: Sudden Congestion in Downstream Path 1
A sudden congestion occurs downstream on path 1. Because of this, the delay over path 1 increases to more than 100ms. PfR senses this delay and effects a route change, diverting all real time traffic through path 2. Other traffic is not affected and continues to flow through path 2. See Figure 9-14 and Figure 9-5. Also, see How PfR Works for sample configurations.
Figure 9-14 SOHO Branch with Congestion
Figure 9-15 SOHO Branch Path Congestion with PfR Path Optimization
9.7.2.3 Case 3: Path Failure in Downstream Path 1
A link on a router within the WAN cloud fails, but the routing protocol does not relay this failure, possibly because of static routes or summarization, or possibly because data traffic is failing but the routing protocol remains up. Because of the failure, user traffic does not reach the other end of enterprise network. PfR observes increasing packet retransmissions and failures of its own probes. In response to the failure, PfR can direct all traffic to the alternate WAN path. As in the preceding case, traffic continues to flow unhindered over path 2. This is shown in Figure 9-16.
Figure 9-16 SOHO Branch Path Failure with PfR Path Optimization
For more information about PfR and its deployment, refer to Transport Diversity: PfR Design Guide:
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns483/c649/ccmigration_09186a008094e673.pdf
9.8 WCCP WAEs
WCCP was introduced in content routing to redirect web traffic to content cache engines. The idea was that with intelligent cache engines, network web traffic could be reduced; conversely, access speed could increase to improve the user experience. WCCP v1, introduced in 1997, was superseded by WCCP v2.
Cisco WAEs are devices used with Cisco IOS routers running WCCP to provide TCP optimization. WCCP is a common deployment tool used to intercept TCP traffic. WCCP redirects selected TCP traffic to the WAE, which can perform TCP optimization and compression, and which has data redundancy elimination (DRE) cache to help optimize the TCP traffic.
Figure 9-17 shows a typical WCCP and WAE deployment in a branch network.
Figure 9-17 WCCP and WAE in a Branch Network
9.9 WANs
WANs are networks that cover a wide area. Typically, they interconnect LANs located in different areas. WANs imply a path of higher latency (generally 10s of milliseconds to several hundred milliseconds), relative lower bandwidth (therefore leading to more congestion), and a higher possibility of intermittent packet loss and path failures.
9.9.1 MPLS WANs
Enabling MPLS over the WANs provides multiple advantages to an enterprise network:
•
•
•
•
•
Figure 9-18 shows a common deployment of branch to HQ connectivity over a MPLS WAN.
Figure 9-18 MPLS WAN
9.9.2 Internet-Based VPNs Secured using DMVPN
Even as MPLS-enabled WANs gain increased acceptance and deployment, a need remains for legacy WAN connectivity (direct leased line links, and so on), especially for SOHO and small branch offices. Additionally, Internet connectivity is useful in case the primary MPLS WAN link fails.
One major drawback for such a deployment is the lack of security for Internet traffic. Security for the traffic over Internet can be assured by securing the Internet connection with Dynamic Multicast VPN (DMVPN), which provide a variant of IP security (IPsec) protection with deployment friendly L3 features.
Figure 9-19 shows such a deployment.
Figure 9-19 Secure WAN over Internet
9.10 Security
The WAN and application optimization solution supports a variety of security options:
•
–
–
–
•
9.10.1 IOS Firewall
IOS Firewall (IOS FW) provides users with a feature-rich and cost-effective way to implement security. IOS FW is particularly suited for branch networks where dedicated firewall boxes are not justified because of their complexity and cost. IOS FW provides users with protection along with seamless integration of other IOS features.
The Cisco IOS Firewall feature set has the following components:
•
•
•
9.10.1.1 Content-Based Access Control (CBAC)
CBAC inspects all TCP and UDP packets and can dynamically create temporary openings for outbound traffic at the firewall interface. Return traffic is supported only for established sessions. CBAC maintains state information for every session. CBAC is interface based and is configured using ACLs.
9.10.1.2 Zone-Based Firewall
Zone-based firewall, as the name implies, is based on zones. Interfaces are usually associated with zones, and a zone can have multiple interfaces. Typically, on a Cisco router, LAN interfaces on the corporate network are configured to be in the trusted or inside zone; WAN interfaces are placed in the untrusted or outside zone. Zone-based firewalls are simpler to deploy. A class-based policy language is used to configure policies. Figure 9-20 shows a typical zone-based Firewall deployment.
Figure 9-20 Zone-Based Firewall
9.10.1.3 Intrusion Detection
The Firewall's Intrusion Detection system (IDS) contains most common attack signatures to detect intrusion. When IDS detects suspicious activity, IDS logs the event and can either shut down the port or send an alarm before network security is compromised.
For a more detailed explanation of these features and their use, see http://www.cisco.com/en/US/products/ps6586/products_ios_technology_home.html
9.10.2 DMVPN
DMVPN is an IPSec-based secure VPN technology that provides a high degree of security for traffic transmitted over public networks such as the Internet. DMVPN combines protocols such as Generic Routing Encapsulation (GRE), Next Hop Resolution Protocol (NHRP), and IPSec. DMVPN provides a dynamic full mesh based on spoke-to-spoke traffic.
Figure 9-21 DMVPN Hub-and-Spoke Deployment
In a typical enterprise network with multiple branches, DMVPN is deployed in hub-and-spoke topology. Figure 9-21 shows such a deployment. The advantage of DMVPN is that the hub does not need to be configured for specific adjacency with each spoke. This helps scaling because hub reconfiguration is not necessary when new spokes are added. Another advantage with DMVPN is that spoke-to-spoke traffic does need not go through the hub. After spoke-to-spoke traffic is initiated, the hub sends a redirect message to the spokes. The spokes then set up a secure dynamic tunnel directly between them.
For more information, refer to Enterprise Branch Security Design Guide:
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a00807593b6.pdf
Figure 9-22 shows a typical setup.
Figure 9-22 DMVPN Spoke-to-Spoke Dynamic Tunnel
For more detailed information about these features and their use, see http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftgreips.html
9.11 Interoperability Considerations
The WAN bandwidth available to most branches is typically less than that of the LANs. The challenge for the user is to make optimal use of the available WAN bandwidth and provide LAN-like performance and experience over WAN. The technologies described in the preceding sections must be combined to realize maximum performance optimization and gains over the WAN.
9.11.1 Putting QoS and NBAR Together
In a typical branch, a myriad of applications is running, each with its own needs and idiosyncrasies such as response times, jitter, bandwidth, and so on. In any well-designed branch, QoS plays an important role in allocating bandwidth between competing applications. However, traditional QoS cannot look very deeply into the packets and identify all applications. NBAR and its DPI capability can be used with QoS in a branch router to provide optimization. NBAR can be configured at the branch router ingress to mark flows from different applications with different ToS/DSCP. QoS can then use the marked flows on the egress to provide bandwidth optimization.
9.11.2 QoS, NBAR, NetFlow, and Path Optimization with PfR
NetFlow provides detailed tracking and statistics for each flow through the router. PfR uses NetFlow to track and monitor the prefixes that need to be controlled. Additionally, PfR can use DSCP values or L4 ports, and so on, to recognize flows based on different traffic classes.
A user can combine the DPI capability of NBAR and DSCP marking with the ability of PfR to track application classes based on those markings to provide resilience and route path optimization. Adding QoS to these provides bandwidth optimization. Figure 9-23 depicts a typical deployment scenario, and relevant sample configurations follow.
Figure 9-23 NBAR/NetFlow/PfR/QoS Interoperability
9.11.2.1 NBAR Configlets
!CONFIGURE APPROPRIATE NBAR CLASS MAPS TO MATCH DIFFERENT APPLICATION/PROTOCOLSclass-map match-all NBAR_UDPmatch access-group name UDPclass-map match-any NBAR_FTPmatch protocol ftpclass-map match-any NBAR_voicematch protocol sipmatch protocol skinnyclass-map match-any NBAR_HTTPmatch protocol httpmatch protocol secure-http!CONFIGURE APPROPRIATE POLICY MAPS TO SET THE IP DSCP VALUES FOR EACH APPLICATION/PROTOCOLpolicy-map NBARclass NBAR_HTTPset dscp cs2class NBAR_UDPset dscp cs5class NBAR_voiceset dscp cs6class NBAR_FTPset dscp cs4class class-defaultset ip precedence 39.11.2.2 QoS Configlets
!CONFIGURE APPROPRIATE QoS CLASS MAPS TO MAP TO THE IP DSCP VALUES IN THE PACKETSclass-map match-all QoS_HTTPmatch ip precedence 2class-map match-all QoS_FTPmatch ip precedence 4class-map match-all QoS_UDPmatch ip precedence 5class-map match-all QoS_voicematch ip precedence 6!CONFIGURE APPROPRIATE POLICY MAPS TO ALLOT BANDWIDTH TO DIFFERENT TRAFFIC WHEN CONGESTEDpolicy-map QoSclass QoS_HTTPbandwidth percent 25class QoS_UDPbandwidth percent 15class QoS_voicepriority percent 10class QoS_FTPbandwidth percent 10class class-defaultbandwidth percent 159.11.2.3 PfR Configlets
!CONFIGURE THE OER KEY TO BE USED FOR MASTER-BORDER AUTHENTICATIONkey chain oer-keykey 1key-string WANOPT!CONFIGURE PfR MASTERoer master!ASSIGN THE POLICY MAP TO BE USED FOR PATH-OPTIMIZATION (OPTIONAL)policy-rules delayPolicy logging ! !POINT TO THE BORDER ROUTER AND OER KEY TO USE FOR AUTHENTICATIONborder 10.0.0.172 key-chain oer-key!DEFINE THE INTERNAL AND EXTERNAL INTERFACES ON THE BORDER ROUTERinterface Serial6/1:0 external interface FastEthernet3/1 internal interface Serial6/0:0.1 external ! !CONFIGURE THE PfR MASTER TO LEARN TRAFFIC CLASS OR PREFIXESlearn !CONFIGURE THE PfR TO LEARN PREFIXES BASED ON DELAYdelay !CONFIGURE THE PfR TIMERSperiodic-interval 0 monitor-period 1!CONFIGURE THE NUMBER OF PREFIXES TO LEARN prefixes 1000!CONFIGURE THE TYPE OF PREFIXES TO AGGREGATE aggregation-type prefix-length 32 no max range receive !CONFIGURE THE PfR MODE mode monitor fast no resolve delay no resolve utilization ! !CONFIGURE AN ACTIVE PROBE TO ONE OF THE PREFIXESactive-probe echo 60.1.1.100 ! !CONFIGURE PfR BORDERoer border !ENABLE LOGGINGlogging local Loopback0 !POINT TO THE MASTER ROUTER AND OER KEY TO USE FOR AUTHENTICATIONmaster 10.0.0.172 key-chain oer-key
Note
9.11.3 WAAS Interoperability
WCCP can be deployed with all of the preceding IOS features to further enhance performance and optimization. Figure 9-24 depicts such a deployment. WAE provides TCP optimization only so other traffic, such as voice (over UDP) flows, is not affected by WAE. The following sections detail interoperability considerations when using WCCP with other features.
Figure 9-24 WCCP/NBAR/NetFlow/PfR/QoS Interoperability
9.11.3.1 WAAS and Firewalls
Introducing WAAS sets up three TCP segments along the data path, as shown in Figure 9-25. They include sessions between:
1.
2.
3.
Figure 9-25 TCP Optimization with WAAS
In the second session, the segment between the two WAEs initially uses a TCP sequence to match the original client, but on confirmation of a remote WAE willing to perform optimization, the TCP sequence number jumps to greater than 2 million for the leg between the WAEs. This jump provides a different TCP window for the optimized leg to help differentiate it from the unoptimized leg that the client and server actually see.
TCP options are used in the WAE-WAE TCP segment. This behavior causes the firewall, if it is deployed anywhere along the path in the middle segment, to treat the traffic as suspicious and drop it. Table 9-2 lists the various operating systems and the versions in which firewall drop behavior was fixed.
Table 9-2 Firewall Fixes
IOS
12.4(11)T2
inspect waas enable
FWSM
3.2.1
inspect waas
PIX
7.2(3)
inspect waas
9.11.3.2 WCCP and NetFlow
NetFlow, which helps track different flows as they traverse routers and networks, has become indispensable for network operators. PfR depends on NetFlow to track and work with flows. However, when enabling NetFlow along with WCCP on the branch router, note the following:
•
•
Figure 9-26 NetFlow and WCCP (NetFlow, WCCP, IP return (12.4T))
9.11.3.3 WCCP and PfR
When configuring PfR, interfaces must be explicitly labeled as "internal" and "external" so that outgoing WAN traffic can be identified. Because of the NetFlow-WCCP "Unknown" issue, the GRE return feature in WAAS must be enabled so that an explicit internal to external NetFlow cache entry is seen. Additionally, because there are cases where WAAS itself originates traffic (for example, CIFS tunnel traffic), the WAAS-facing interface should labeled as PfR "internal."
9.11.3.4 High Availability and WCCP
9.11.3.4.1 Branch WAE High Availability and Load Sharing
Consider a typical branch network with one branch router and one WAE. The WAE can become a single point of failure, disrupting branch activities. A WAE failure can be a complete failure (for example, power outage, software error, and so on) or a case in which the WAE single box performance limit is reached.
Although these failure possibilities are remote, deploying multiple WAEs at the branch can help minimize the effects of such failures. Using WCCP automatic load distribution features, the WAEs can work as a cluster and can share the load, and potentially protect against a single point of failure by providing backup if one WAE fails.
To help protect against branch router failure and improve availability, a user can set up two branch routers in the network. This also provides load sharing by the routers. In such cases, it is customary to implement HSRP or GLBP on the branch LANs. These two branch routers can share either one WAE or multiple WAEs.
9.11.3.4.2 Branch LAN High Availability with One Shared WAE
A typical network is shown in Figure 9-27.
Figure 9-27 Branch LAN High Availability - One WAN
Configuring GLBP on the Branch LAN is more advantageous in such situations because GLBP provides load sharing. On the WAE side, the routers can be configured with HSRP and the WAE default gateway can be pointed toward the HSRP address. This, however, can result in inefficient routing.
Assume that branch routers BR1 and BR2 run a routing protocol between them and with the WAN routers. Let BR1 be the preferred exit to network X over the WAN. Let BR2 be the higher priority router for HSRP on the WAE VLAN. With this setup, let us look at a packet flow from branch to network X:
1.
2.
3.
4.
5.
As can be easily seen, if the WAE could have returned the packet to BR1 instead of to BR2, the extra hop and the consequent delay could have been avoided. A workaround for such issues is to add static routes to pointing to the standby address of the preferred branch router on the WAE. The same problem can happen on the reverse path with asymmetric routing. The problem might be worse in that case, because it might involve unoptimized traffic flowing between the two branch routers. Therefore, there should be adequate bandwidth between the branch routers.
Starting with version 4.0.13, WAEs support negotiated GRE return for optimized packets. With GRE return, the WAE returns the packet directly to the router that sent it. Note that on the routers, HSRP on the WAE side and on the WAE pointing the default gateway to the HSRP address is still recommended. This provides higher availability for WAE connectivity to the network and Central Manager.
9.11.3.4.3 Branch LAN High Availability with Two Shared WAEs
Figure 9-28 shows this implementation.
Figure 9-28 Branch LAN High Availability with Two WAE
As in the previous case, on the routers, GLBP/HSRP is configured on the Branch LAN side and HSRP on the WAE side. The WAE default gateways are pointed to the HSRP address. Configuring GRE return is preferred on the WAEs.
Any multiple link/router environments might give rise to asymmetric routing issues, where packets exit the branch through one router (or one link), such as BR1, and return through another link on the same router (or, possibly, on a different router at the site). On the branch routers, WCCP handles intercepting and directing returning packets to the correct WAE. Figure 9-28 shows a packet flow in the asymmetric routing case.
1.
2.
3.
4.
5.
6.
7.
8.
9.12 Caveats
This section lists caveats for the various components of the WAN and application optimization solution.
9.12.1 PfR Supports Only One Next Hop Per Interface
PfR, by design has traditionally supported only one next hop per interface. This means PfR can be deployed only in topologies using logical point-to-point technologies, such as:
•
•
•
PfR cannot be deployed in topologies using:
•
•
•
However, PfR can work with DMVPN solution using point-to-point GRE tunnels. PfR support for multipoint interfaces is under development.
9.12.2 PfR Supports only BGP or Static Routes for Path Optimization
For path optimization in a router, PfR uses static routes or BGP routes as parent routes. PfR cannot control routes learned using other protocols. However, many WAN deployments use EIGRP or Open Shortest Path First (OSPF). In such cases, the workaround is to use static summary routes and use PfR for route unreachability mitigation.
Support for EIGRP in PfR is under development.
9.12.3 PfR Might Break WAAS TCP Optimization if the WAAS Network Path Changes
PfR tracks various traffic parameters and, based on those parameters, shifts the network path of an application from one link to another to perform path optimization. While doing so, if WAAS is inside the PfR domain as shown in Figure 9-29, the WAAS TCP optimization will be broken. To avoid this, always place outer WAEs outside the PfR domain.
Figure 9-29 PfR-WAAS Network Path
9.12.4 PfR Interface Mapping and WAAS
PfR tracks traffic that enters and exits the router. PfR tags interfaces through which traffic flows as external interfaces or internal interfaces. Typically, the interface through which the traffic enters into the router from the LAN network is tagged as internal and the interfaces through which the traffic exits the router (the WAN) are tagged as external. PfR terms traffic that flows from internal to external interfaces as interesting. PfR needs the traffic in the reverse direction, from external to internal, for verification. Figure 9-30 shows this tagging.
If a router is doing TCP optimization with WAAS, the interface connecting the router to the WAAS cannot be clearly distinguished as internal or external. This is because it acts as the exit interface for traffic that is intercepted by WCCP on the router and as an ingress interface for optimized or un-optimized traffic. The workaround is to configure the WAE to do GRE return.
Additionally, if there is CIFS traffic, the CIFS traffic is not returned using GRE. Therefore, for CIFS traffic, the WAE interface on the router should be tagged as PfR internal.
Another option is to disable the return traffic verification of PfR by using the command no mode verify bidirectional. This, however, exposes PfR to self-created black holes.
9.12.5 PfR Cannot Recognize MQC Marking Done by the Same Router
If the branch router running PfR is doing DSCP or ToS marking on ingress traffic, PfR cannot recognize these remarkings. PfR uses ingress NetFlow to learn and verify traffic. Ingress NetFlow records the original received ToS marking when the packet entered the router and does not record the remarked value. Therefore, PfR cannot match locally remarked flows based on DSCP or ToS. Figure 9-30 illustrates this issue.
Figure 9-30 PfR and Modular QoS CLI (MQC) Mappings
This, however, does not affect TCP traffic redirected to WAAS because the markings on the packets on reentry are recorded by NetFlow, which PfR can then use. The workaround is to use upstream devices to mark the traffic. DDTS CSCsk99096 tracks this issue.
9.12.6 PFR Interface Mapping and NetFlow Sampling
When NetFlow sampling is enabled on an interface, that interface cannot be used as an internal or external PfR interface. A solution for this issue is under development.
9.12.7 CIFS tunneling on WAE and Network visibility
In Windows operating system environments, CIFS (also known as Windows file sharing) is predominantly used for file sharing. With CIFS application acceleration enabled on such networks with WAAS, WAEs tunnel CIFS traffic across the network over TCP port 4050 and the IP addresses of the WAEs involved.
This affects the visibility of technologies such as NetFlow and QoS, because they are no longer aware of the actual endpoints. Tunneled traffic affects the ability of PfR to granularly path optimize the optimized CIFS traffic because PfR relies on NetFlow. This issue will be resolved in the upcoming release of WAE software in late 2008.
Figure 9-31 illustrates CIFS tunneling with WAE.
Figure 9-31 WAE CIFS Tunneling
9.12.8 WAAS and Firewall
Introducing WAAS creates three different TCP segments: one between the client and the client side WAE, the second between the client side WAE and server side WAE, and the third between the server side WAE and the server.
The WAEs use TCP options (0x21) for autodiscovery and jump up the sequence number to more than 2 million in the WAE-WAE TCP session. Any firewall deployed in between the WAEs might view these activities as suspicious and might drop the packets. This behavior is fixed in the IOS versions detailed in WAAS and Firewalls.
9.12.9 WCCP and NHRP Redirect
Next Hop Routing Protocol (NHRP) is part of DMVPN technology. In a typical hub-and-spoke DMVPN deployment, when spoke-to-spoke traffic hits the hub, it sends a NHRP redirect to the spokes (as shown in Figure 9-32) to enable the spokes to establish a direct secure tunnel between them. For NHRP on the hub to send the redirect, it should see the same packet enter and exit the same tunnel interface. This breaks when WCCP is enabled on the DMVPN hub.
Figure 9-32 DMVPN-NHRP Redirect
In DMVPN deployments with WCCP, WCCP intercept is configured on the tunnels. Therefore, any packet traveling from spoke-to-spoke, on reaching the tunnel, is intercepted by WCCP and sent to the WAE. Assuming that the WAE is doing L3 return, the return packet from the WAE is then sent out the hub. This breaks the NHRP condition to send the redirect. Therefore, no redirect is sent to the spokes and no direct tunnels are established between them. With WAE doing GRE return, NHRP incorrectly sends the redirect to the WAE instead of the spokes, and no spoke-to-spoke tunnels can be established.
Note that this affects only spoke-to-spoke traffic and optimization, and does not affect spoke-to-hub or hub-to-spoke traffic. The workaround is to remove the WCCP intercept on the tunnel interface on the hub and configure it on its LAN interface. The LAN interface on the hub will have WCCP intercept for both in and out directions. This has some performance implications on the hub, as the hub router must do two route lookups for spoke-to-hub traffic.
9.12.10 WAAS Might Not Intercept IP SLA Probes Configured on the Branch Router
In any network, IP SLAs are an essential component for monitoring network performance parameters such as round-trip-time (RTT). On a branch network, it is typical to configure IP SLAs on the branch router connected to the WAN to measure performance. This is shown in Figure 9-33.
Current IOS code does not perform WCCP intercept of any IP SLA probes configured on the branch router. However, WCCP intercepts all regular TCP traffic that passes through the branch router. This can create monitoring issues because parameters, such as network RTT, reported by such SLAs on the branch router do not represent the actual user experience. WCCP does not intercept SLA probes, so WAAS does not optimize them. The workaround is to configure such SLA probes on an upstream router, where WCCP will intercept them on the branch router.
Figure 9-33 IP SLA and WCCP
9.12.11 NBAR Cannot Perform DPI if WAE TCP Optimization Occurs before NBAR Discovery
One of the key abilities of NBAR is its ability to look deep inside packets and classify protocols and applications. In a network using NBAR and inline WAE, an inline WAE located before the branch router, as shown in Figure 9-34, causes optimization to occur first on the TCP flows. Similarly, with WCCP interception along with egress NBAR on branch routers, optimization occurs before NBAR protocol discovery.
Figure 9-34 WAAS Inline and NBAR
For flows that WAE optimizes using LZ and DRE, packets that exit the WAE can be obfuscated and NBAR can no longer rely on DPI to identify such flows. NBAR can still identify flows based on L4 ports, but as discussed previously, such a classification is not always dependable.
Therefore, WAE and NBAR should be placed so that NBAR can operate on the flows before WAE can. For example, in the WCCP interception case, NBAR should be configured on the ingress of the branch router, as shown in Figure 9-35.
Figure 9-35 WCCP and Egress NBAR
9.13 Example Deployment Models
This section describes a variety of branch office deployment models, varying in size and optimization technologies.
Enterprise Branch Architecture Design Overview provides detailed information about the different types of branches and their deployments:
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a00807593b7.pdf
9.13.1 Small Branch Office with Single-Homed SOHO Branch Router
This model, shown in Figure 9-36, is commonly deployed in SOHO branches. It is simple to configure and maintain.
Figure 9-36 Small Branch Office with Single-Homed Branch Router
In this deployment, the branch router is single homed, and has one interface connected to Corporate HQ over Internet. The branch router is configured with the following:
•
•
•
•
•
•
9.13.1.1 Sample Branch Router Configuration
A sample branch router configuration for this deployment model follows:
Current configuration: 8884 bytes!! Last configuration change at 19:37:45 EST Tue Jan 29 2008! NVRAM config last updated at 19:27:30 EST Tue Jan 29 2008!version 12.4service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryptionservice internal!hostname WANOPT-3845-BR1!boot-start-markerboot system flash:c3845-adventerprisek9-mz.124-15.T2.fc3boot-end-marker!logging buffered 16000000enable password lab!no aaa new-modelclock timezone EST -5clock summer-time EDT recurringno network-clock-participate wic 1!!crypto isakmp policy 10encr 3desauthentication pre-sharegroup 2crypto isakmp key cisco address 0.0.0.0 0.0.0.0crypto isakmp keepalive 30!!crypto ipsec transform-set gre_set esp-3des esp-sha-hmacmode transport!crypto ipsec profile gre_profset transform-set gre_set!!ip wccp 61ip wccp 62ip cef!ip domain list wanopt4.cisco.comip domain name wanopt4.cisco.comip host www.cisco.com 60.1.1.100ip name-server 52.1.1.100ip inspect WAAS enable!multilink bundle-name authenticated!voice-card 0no dspfarm!username cisco privilege 15 secret 5 $1$D.pS$pRcbUNacHbYzs9.BnwDeP0username lab privilege 15 password 0 labarchivelog confighidekeys!!controller T1 0/1/0framing esflinecode b8zs!controller T1 0/1/1framing esflinecode b8zschannel-group 0 timeslots 1-24vlan internal allocation policy ascending!ip ftp source-interface FastEthernet1/15ip ftp username anonymousip ftp password nobody@cisco.com!class-map match-all NBAR_UDPmatch access-group name UDPclass-map match-any NBAR_FTPmatch protocol ftpclass-map match-all QoS_HTTPmatch ip precedence 2class-map type inspect match-any wanoptmatch protocol tcpmatch protocol udpmatch protocol icmpclass-map match-any NBAR_voicematch protocol sipmatch protocol skinnyclass-map match-all QoS_FTPmatch ip precedence 4class-map match-all QoS_UDPmatch ip precedence 5class-map match-any NBAR_HTTPmatch protocol httpmatch protocol secure-httpclass-map match-all QoS_voicematch ip precedence 6!!policy-map NBARclass NBAR_HTTPset dscp cs2class NBAR_UDPset dscp cs5class NBAR_voiceset dscp cs6class NBAR_FTPset dscp cs4class class-defaultset ip precedence 3policy-map type inspect fromOutsideclass type inspect wanoptinspectclass class-defaultpolicy-map QoSclass QoS_HTTPbandwidth percent 25class QoS_UDPbandwidth percent 15class QoS_voicepriority percent 10class QoS_FTPbandwidth percent 10class class-defaultbandwidth percent 15policy-map type inspect toOutsideclass type inspect wanoptinspectclass class-default!!interface Loopback0ip address 10.0.0.161 255.255.255.255!interface Tunnel1ip address 172.20.1.2 255.255.255.0no ip redirectsip mtu 1400ip wccp 62 redirect inip flow ingressip nhrp authentication nsiteip nhrp
