REFERENCE NETWORK ARCHITECTURE
Contents
WAN Strategy  1
IWAN Introduction  5
  Business Use Cases for IWAN  5
IWAN Architecture  7
  Transport-Independent Design  8
  Intelligent Path Control  9
  IWAN-Aggregation Design  11
  IWAN Remote-Site Design  17
  IP Multicast  23
  Quality of Service  23
WAN Strategy
This guide provides a high-level overview of several WAN technologies, followed by a discussion of the usage of
each technology at the WAN-aggregation site and remote sites. This guide should be used as a roadmap on how
to use the companion WAN and IWAN deployment guides. The intended audience is a technical decision maker
who wants to compare Cisco's WAN offerings and learn more about the best practices for each technology.
The days of conducting business with information stored locally on your computer are disappearing rapidly.
The trend is for users to access mission-critical information by connecting to the network and downloading the
information or by using a network-enabled application. Users depend upon shared access to common secured
storage, web-based applications, and cloud-based services. Users may start their day at home, in the office, or
from a coffee shop, expecting to log on to applications that they need in order to conduct business, update their
calendar, or check email, all important tasks that support your business. Connecting to the network to do your
work has become as fundamental as turning on a light switch to see your desk; it's expected to work. Taken a
step further, the network becomes a means to continue to function whether you are at your desk, roaming over
wireless LAN (WLAN) within the facility, or working at a remote site, and you still have the same access to your
applications and information.
Now that networks are critical to the operation and innovation of organizations, workforce productivity enhancements are built on the expectation of nonstop access to communications and resources. As networks become
more complex in order to meet the needs of any device, any connection type, and any location, networks incur an
enhanced risk of downtime caused by poor design, complex configurations, increased maintenance, or hardware
and software faults. At the same time, organizations seek ways to simplify operations, reduce costs, and improve
their return on investment by exploiting their investments as quickly and efficiently as possible.
The Cisco Visual Networking Index (VNI) is an ongoing effort to forecast and analyze the growth and use of IP
networks worldwide. The Global Mobile Data Traffic Forecast highlights the following predictions by 2019:
There will be 5.2 billion global mobile users, up from 4.3 billion in 2014
There will be 11.5 billion mobile-ready devices and connections, more than 4 billion more than there were in 2014
The average mobile connection speed will increase 2.4-fold, from 1.7 Mbps in 2014 to 4.0 Mbps by 2019
Global mobile IP traffic will reach an annual run rate of 292 exabytes, up from 30 exabytes in 2014
With increasing mobile traffic from employee devices, an organization must plan for expanded WAN bandwidth at
remote sites and larger router platforms to accommodate the higher capacity links.
The enterprise series of Cisco Reference Designs (CRDs) incorporates local area network (LAN), WLAN, wide
area network (WAN), security, data center, and unified communications technologies in order to provide a complete solution for an organization's business challenges.
page 1
There are many ways an organization can benefit by deploying a CRD enterprise WAN architecture:
Flexibility with multiple design models in order to address a variety of WAN technologies and resiliency options
Increased reliability with multiple remote-site designs that provide for resiliency through the addition of WAN
links and WAN routers, depending on business requirements
Scalability provided by using a consistent method for remote-site LAN connectivity based on the CRD enterprise campus architecture
Reduced cost of deploying a standardized design based on Cisco-tested and supported best practices
Summarized and simplified design choices so that IT workers with a CCNA certification or equivalent experience can deploy and operate the network
Using a modular approach to building your network with tested, interoperable designs allows you to reduce risks
and operational issues and to increase deployment speed.
[Figure: Traditional WAN hybrid compared with IWAN Hybrid. Traditional design: the data center reaches remote sites over MPLS (SP B) and the Internet (ISP A) using two IPsec technologies, GETVPN and DMVPN, one per transport; WAN paths are active/standby, primary with backup. IWAN Hybrid: the data center reaches remote sites with DMVPN over both MPLS (SP B) and the Internet (ISP A); WAN paths are active/active with intelligent path control.]
The traditional WAN hybrid design provides an active/standby path and two IPsec technologies based on the type
of transport chosen. The design uses two WAN routing domains, which require route redistribution and route filtering for loop prevention. A traditional design has more transport options for customers who have varied needs,
but because of the additional flexibility, the complexity is higher.
The IWAN design provides an active/active path for all WAN links and uses a single IPsec technology, which is
not dependent on the underlying transport. It also uses a single WAN routing domain without route redistribution
or route filtering. The IWAN design is prescriptive in order to reduce the possible combinations, which lowers the
cost and complexity for customers who want a simplified approach.
When planning your WAN strategy, Cisco recommends that you:
Overprovision the WAN as much as possible
Replace some or all of your MPLS bandwidth with Internet bandwidth
Grow your existing WAN bandwidth with Internet bandwidth
Keep QoS as simple as possible
Use SDWAN management tools to automate and virtualize WAN connectivity
IWAN Introduction
The Cisco IWAN solution provides design and implementation guidance for organizations looking to deploy WAN
transport with a transport-independent design (TID), intelligent path control, application optimization, and secure
encrypted communications between branch locations while reducing the operating cost of the WAN. IWAN takes
full advantage of cost-effective transport services in order to increase bandwidth capacity without compromising
performance, reliability, or security of collaboration or cloud-based applications.
IWAN Architecture
With the advent of globalization, WANs have become a major artery for communication between remote offices
and customers in any corner of the world. Additionally, with data center consolidation, applications are moving
to centralized data centers and clouds. WANs now play an even more critical role, because business survival is
dependent on the availability and performance of the network.
Until now, the only way to get reliable connectivity with predictable performance was to take advantage of a
private WAN using MPLS or leased line service. However, carrier-based MPLS and leased line services can be
expensive and are not always cost-effective for an organization to use for WAN transport in order to support
growing bandwidth requirements for remote-site connectivity. Organizations are looking for ways to lower operating budget while adequately providing the network transport for a remote site.
As bandwidth demands have increased, the Internet has become a much more stable platform, and the price-to-performance gains are very attractive. However, businesses are primarily deploying Internet as WAN in their
smaller sites or as a backup path because of the risks. Now this cost-effective, performance-enhancing opportunity can be realized at all your branch offices with Cisco IWAN.
Cisco IWAN enables organizations to deliver an uncompromised experience over any connection. With Cisco
IWAN, IT organizations can provide more bandwidth to their branch office connections by using less expensive
WAN transport options without affecting performance, security, or reliability. With the IWAN solution, traffic is
dynamically routed based on application SLA, endpoint type, and network conditions in order to deliver the best
quality experience. The realized savings from IWAN not only pays for the infrastructure upgrades, but also frees
resources for business innovation.
Figure 2 Cisco IWAN solution components
[Figure: a remote site reaches the private cloud, virtual private cloud, public cloud and Cisco WebEx over MPLS, Internet and 3G/4G-LTE transports. Four pillars are shown: Transport Independent; Intelligent Path Control (PfR); Application Optimization (AVC, WAAS: consistent operational model, application acceleration, improved availability); Secure Connectivity (certified strong encryption, comprehensive threat defense, cloud managed security for secure direct Internet access).]
Transport-Independent Design
A transport-independent design simplifies the WAN deployment by using an IPsec VPN overlay over all WAN
transport options including MPLS, Internet, and Cellular (4G LTE). A single VPN overlay reduces routing and security complexity, and provides flexibility in choosing providers and transport options. Cisco DMVPN provides the
IWAN IPsec overlay.
DMVPN makes use of mGRE tunnels to interconnect the hub to all of the spoke routers. These mGRE tunnels are
also sometimes referred to as DMVPN clouds in this context. This technology combination supports unicast, multicast, and broadcast IP, including the ability to run routing protocols within the tunnels.
Intelligent Path Control
Cisco PfR consists of border routers (BRs) that connect to the DMVPN overlay networks for each carrier network
and a master controller (MC) application process that enforces policy. The BR collects traffic and path information
and sends it to the MC at each site. The MC and BR can be configured on separate routers or the same router
as shown in the figures below.
Figure 3 Cisco Performance Routing: Hub location
[Figure: core layer and WAN distribution layer with a PfR master controller; the DMVPN hub router (MPLS) and the DMVPN hub router (INET) act as PfR border routers, terminating DMVPN 1 over MPLS and DMVPN 2 over INET through the Internet edge.]
[Figure: Cisco Performance Routing at the remote site. Single router: a combined master controller/border router on DMVPN 1 (MPLS) and DMVPN 2 (Internet). Dual router: a master controller/border router on DMVPN 1 (MPLS) and a second border router on DMVPN 2 (Internet).]
IWAN-Aggregation Design
This guide describes two IWAN design models. The first design model is the IWAN Hybrid, which uses MPLS
paired with Internet VPN as WAN transports. In this design model, the MPLS WAN can provide more bandwidth
for the critical classes of services needed for key applications and can provide SLA guarantees for these applications.
The second design model is the IWAN Dual Internet, which uses a pair of Internet service providers to further
reduce cost while maintaining a high level of resiliency for the WAN. A third design model, the IWAN Dual MPLS,
is not covered in this guide.
Figure 5 Cisco IWAN design models
[Figure: Hybrid (enterprise branch over MPLS and Internet) and Dual Internet (enterprise branch over two Internet connections), each reaching the public cloud and Cisco WebEx. Attributes noted in the figure: best price/performance, most SP flexibility, moderately priced.]
The IWAN WAN-aggregation for both design models includes two WAN edge routers, and either design can scale
up to 2000 remote sites.
When WAN aggregation routers are referred to in the context of the connection to a carrier or service provider,
they are typically known as CE routers. WAN aggregation routers that terminate VPN traffic are referred to as
VPN hub routers. In the context of IWAN, an MPLS CE router is also used as a VPN hub router. Regardless of the
design model, the WAN aggregation routers always connect into a pair of distribution layer switches.
Each of the design models is shown with LAN connections into either a collapsed core/distribution layer or a
dedicated WAN distribution layer. From the WAN-aggregation perspective, there are no functional differences between these two methods.
In all of the WAN-aggregation designs, tasks such as IP route summarization are performed at the distribution
layer. There are other various devices supporting WAN edge services, and these devices should also connect into
the distribution layer.
The characteristics of each design are discussed in the following sections.
[Figure: IWAN Hybrid WAN-aggregation design: core layer, WAN distribution layer, a DMVPN hub router (MPLS) terminating DMVPN 1 over MPLS, and a DMVPN hub router (INET) terminating DMVPN 2 over INET through the Internet edge.]
In both the IWAN Hybrid and IWAN Dual Internet design models, the DMVPN hub routers connect to the Internet
indirectly through a firewall DMZ interface contained within the Internet edge. For details about the connection to
the Internet, see the Firewall and IPS Technology Design Guide. The VPN hub routers are connected into the firewall DMZ interface, rather than connected directly with Internet service-provider routers. A firewall connection is
typically not used when the VPN hub router connects to an MPLS carrier.
[Figure: IWAN Dual Internet WAN-aggregation design: core layer, WAN distribution layer, a DMVPN hub router (INET 1) terminating DMVPN 3 and a DMVPN hub router (INET 2) terminating DMVPN 4, both through the Internet edge to ISP A / ISP B.]
The transit site design models are as follows:
Multiple data centers with multiple borders and different prefixes
Multiple data centers with multiple borders and shared prefixes
[Figure: Multiple data centers with multiple borders and different prefixes: the hub site (hub MC, POP-ID 0, prefix 10.4.0.0/16) and the transit site at DC2 (transit MC, POP-ID 1, prefix 10.8.0.0/16) are joined by DCI across the WAN core; at each site the hub BRs provide MPLS (PATH-ID 1, DMVPN 1) and INET (PATH-ID 2, DMVPN 2).]
[Figure: Multiple data centers with multiple borders and shared prefixes: the same topology, but both the hub site and the transit site advertise 10.4.0.0/16 and 10.8.0.0/16.]
[Figure: Hub site with a redundant hub MC (POP-ID 0, loopbacks 10.6.32.252/32 and 10.6.32.252/31) and multiple paths to the same DMVPN: INET1 carries PATH-ID 1 and PATH-ID 2 on DMVPN 1, INET2 carries PATH-ID 3 and PATH-ID 4 on DMVPN 2.]
IWAN Remote-Site Design
[Figure: remote-site link resiliency: single-router sites with MPLS plus Internet or Internet plus Internet, and link resiliency with dual routers, one router per transport.]
The remote-site designs include single or dual WAN edge routers. The remote-site routers are DMVPN spokes to
the primary site hubs.
Most remote sites are designed with a single router WAN edge; however, certain remote-site types require a
dual router WAN design. Dual router candidate sites include regional office or remote campus locations with large
user populations or sites with business critical needs that justify additional redundancy to remove single points of
failure.
The overall WAN design methodology is based on a primary WAN-aggregation site design that can accommodate
all of the remote-site types that map to the various link combinations listed in the following table.
Table 1 WAN remote-site transport options
WAN remote-site routers | WAN transports | Primary transport | Secondary transport
Single                  | Dual           | MPLS VPN          | Internet
Dual                    | Dual           | MPLS VPN          | Internet
Single                  | Dual           | Internet          | Internet
Dual                    | Dual           | Internet          | Internet
This design also includes information for adding an LTE fallback DMVPN for a single-router remote site.
Table 2 WAN remote-site transport options with LTE fallback
WAN remote-site routers | WAN transports   | Primary transport | Secondary transport | Tertiary transport
Single                  | Dual w/ fallback | MPLS VPN          | Internet            | 4G LTE
Single                  | Dual w/ fallback | Internet          | Internet            | 4G LTE
The modular nature of the IWAN network design enables you to create design elements that can be replicated
throughout the network.
The WAN-aggregation designs and all of the WAN remote-site designs are standard building blocks in the overall
design. Replication of the individual building blocks provides an easy way to scale the network and allows for a
consistent deployment method.
Remote-site LAN
The primary role of the WAN is to interconnect primary site and remote-site LANs. The LAN discussion within this
design is limited to how the WAN-aggregation site LAN connects to the WAN-aggregation devices and how the
remote-site LANs connect to the remote-site WAN devices. Specific details regarding the LAN components of
the design are covered in the Campus Wired LAN Technology Design Guide.
At remote sites, the LAN topology depends on the number of connected users and physical geography of the
site. Large sites may require the use of a distribution layer to support multiple access layer switches. Other sites
may only require an access layer switch directly connected to the WAN remote-site routers. The variants are
shown in the following table.
Table 3 Remote-site LAN topology
WAN remote-site routers | WAN transports | LAN topology
Single                  | Dual           | Access only
Single                  | Dual           | Distribution/Access
Dual                    | Dual           | Access only
Dual                    | Dual           | Distribution/Access
For consistency and modularity, all WAN remote sites use the same VLAN assignment scheme, which is shown in
the following table. This design uses a convention that is relevant to any location that has a single access switch,
and this model can also be easily scaled to additional access closets through the addition of a distribution layer.
Table 4 Remote-site VLAN assignment
VLAN    | Usage   | Layer 2 access         | Layer 3 distribution/access
VLAN 64 | Data 1  | Yes                    |
VLAN 69 | Voice 1 | Yes                    |
VLAN 99 | Transit | Yes (dual router only) | Yes (dual router only)
VLAN 50 |         |                        | Yes
VLAN 54 |         |                        | Yes (dual router only)
[Figure: single-router remote site with a flat Layer 2 LAN: the WAN router connects to the Internet and serves VLAN 64 (Data) and VLAN 69 (Voice); no HSRP is required.]
A similar LAN design can be extended to a dual-router edge as shown in the following figure. This design change
introduces some additional complexity. The first requirement is to run a routing protocol. You need to configure
enhanced interior gateway routing protocol (EIGRP) between the routers.
Because there are now two routers per subnet, an FHRP must be implemented. For this design, Cisco selected
HSRP as the FHRP. HSRP is designed to allow for transparent failover of the first-hop IP router. HSRP provides
high network availability by providing first-hop routing redundancy for IP hosts configured with a default gateway IP
address. HSRP is used in a group of routers for selecting an active router and a standby router. When there are multiple routers on a LAN, the active router forwards the packets; the standby router is the router that takes over when
the active router fails or when preset conditions are met.
Figure 13 Remote-site with flat Layer 2 LAN (dual router)
[Figure: two WAN routers linked by VLAN 99 (Transit) running EIGRP between them; the HSRP VLANs, VLAN 64 (Data) and VLAN 69 (Voice), are served by both routers with one acting as the active HSRP router.]
Enhanced Object Tracking (EOT) provides a consistent methodology for various router and switching features to conditionally modify their
operation based on information objects available within other processes. The objects that can be tracked include
interface line protocol, IP route reachability, and IP SLA reachability, as well as several others.
To improve convergence times after a primary WAN failure, HSRP has the capability to monitor the line-protocol
status of the DMVPN tunnel interface. This capability allows for a router to give up its HSRP Active role if its DMVPN hub becomes unresponsive, and that provides additional network resiliency.
HSRP is configured to be active on the router with the highest priority WAN transport. EOT of the primary DMVPN
tunnel is implemented in conjunction with HSRP so that in the case of WAN transport failure, the standby HSRP
router associated with the lower priority (alternate) WAN transport becomes the active HSRP router.
The dual router designs also warrant an additional component that is required for proper routing in certain scenarios. In these cases, a traffic flow from a remote-site host might be sent to a destination reachable via the alternate WAN transport (for example, a dual DMVPN remote site communicating with a DMVPN2-only remote site).
The primary WAN transport router then forwards the traffic out the same data interface to send it to the alternate
WAN transport router, which then forwards the traffic to the proper destination. This is referred to as hairpinning.
The appropriate method to avoid sending the traffic out the same interface is to introduce an additional link
between the routers and designate the link as a transit network (VLAN 99). There are no hosts connected to the
transit network, and it is only used for router-to-router communication. The routing protocol runs between router
sub-interfaces assigned to the transit network. No additional router interfaces are required with this design modification because the 802.1Q VLAN trunk configuration can easily accommodate an additional sub-interface.
Figure 15 IWAN dual router remote-site: Connection to distribution layer
[Figure: each remote-site router connects to the distribution switch over an 802.1Q trunk, the first carrying VLANs 50 and 99 and the second VLANs 54 and 99; the distribution switch trunks the access VLANs (xx-xx) to the access switches.]
The distribution switch handles all access layer routing, with VLANs trunked to access switches. No HSRP is
required when the design includes a distribution layer. A full distribution and access layer design is shown in the
following figure.
Figure 16 IWAN dual router remote-site: Distribution and access layer
[Figure: 802.1Q trunks (50, 99) and (54, 99) from the two routers to the distribution layer, and 802.1Q trunks (xx-xx) from the distribution layer to the access switches carrying the Data and Voice VLANs.]
IP Multicast
IP Multicast allows a single IP data stream to be replicated by the infrastructure (routers and switches) and sent
from a single source to multiple receivers. IP Multicast is much more efficient than multiple individual unicast
streams or a broadcast stream that would propagate everywhere. IP telephony music on hold (MOH) and IP video
broadcast streaming are two examples of IP Multicast applications.
To receive a particular IP Multicast data stream, end hosts must join a multicast group by sending an Internet
group management protocol (IGMP) message to their local multicast router. In a traditional IP Multicast design, the
local router consults another router in the network acting as a rendezvous point (RP). An RP maps the receivers to
active sources so the end hosts can join their streams.
The RP is a control-plane operation that should be placed in the core of the network or close to the IP Multicast
sources on a pair of Layer 3 switches or routers. IP Multicast routing begins at the distribution layer if the access
layer is Layer 2 and provides connectivity to the IP Multicast RP. In designs without a core layer, the distribution
layer performs the RP function.
This design is fully enabled for a single global scope deployment of IP Multicast. The design uses an Anycast RP
implementation strategy. This strategy provides load sharing and redundancy in protocol-independent multicast
sparse mode (PIM SM) networks. Two RPs share the load for source registration and the ability to act as hot
backup routers for each other.
The benefit of this strategy from the WAN perspective is that all IP routing devices within the WAN use an identical configuration referencing the Anycast RPs. IP PIM-SM is enabled on all interfaces including loopbacks, VLANs
and sub-interfaces.
Quality of Service
Most users perceive the network as just a transport utility mechanism to shift data from point A to point B as
fast as it can. Many sum this up as just speeds and feeds. While it is true that IP networks forward traffic on a
best-effort basis by default, this type of routing only works well for applications that adapt gracefully to variations
in latency, jitter, and loss. However, networks are multiservice by design and support real-time voice and video as
well as data traffic. The difference is that real-time applications require packets to be delivered within the specified delay, jitter, and loss parameters.
In reality, the network affects all traffic flows and must be aware of end-user requirements and services being
offered. Even with unlimited bandwidth, time-sensitive applications are affected by jitter, delay, and packet loss.
QoS enables a multitude of user services and applications to coexist on the same network.
Within the architecture, there are connectivity options that provide advanced classification, prioritizing, queuing,
and congestion-avoidance as part of the integrated QoS in order to help ensure optimal use of network resources. This functionality allows for the differentiation of applications, ensuring that each has the appropriate share of
the network resources to protect the user experience and ensure the consistent operations of business critical
applications.
QoS is an essential function of the network infrastructure devices used throughout this architecture. QoS enables
a multitude of user services and applications, including real-time voice, high-quality video, and delay-sensitive
data to coexist on the same network. In order for the network to provide predictable, measurable, and sometimes
guaranteed services, it must manage bandwidth, delay, jitter, and loss parameters.
There are twelve common service classes that are grouped together based on interface speed, available queues,
and device capabilities. The treatment of the twelve classes can be adjusted according to the policies of your organization. Cisco recommends marking your traffic in a granular manner to make it easier to make the appropriate
queuing decisions at different places in the network. The goal of this design is to allow you to enable voice, video,
critical data applications, bulk data applications and management traffic on the network, either during the initial
deployment or later, with minimal system impact and engineering effort.
The twelve mappings in the following table are applied throughout this design by using an eight-class model in
the enterprise and a six-class or four-class model in the service provider network.
Table 5 QoS service 12-class mappings
Service class           | PHB | DSCP (decimal)
Network control         | CS6 | 48
VoIP telephony          | EF  | 46
Call signaling          | CS3 | 24
Multimedia conferencing | AF4 | 34, 36, 38
Real-time interactive   | CS4 | 32
Multimedia streaming    | AF3 | 26, 28, 30
Broadcast video         | CS5 | 40
Transactional data      | AF2 | 18, 20, 22
OAM                     | CS2 | 16
Bulk data               | AF1 | 10, 12, 14
Default class           | DF  | 0
Scavenger               | CS1 | 8
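As an added example (not code from the Cisco guide), the following Python decodes DSCP codepoints from their bit layout and regenerates the Table 5 classes from it, so the decimal values in the table can be checked rather than memorised. The decimal values for CS1 and DF and the best-effort fallback for non-standard codepoints are the example's own assumptions.

```python
"""DSCP decoding and the 12-class service model of Table 5 (added example, not Cisco code).

DSCP is the top 6 bits of the IPv4 ToS / IPv6 Traffic Class byte; the low 2 bits are ECN.
Standard per-hop behaviours (PHBs) have a fixed bit layout:
  CSx  = x << 3                 class selector, x in 0..7
  AFxy = (x << 3) | (y << 1)    assured forwarding, class x in 1..4, drop precedence y in 1..3
  EF   = 46 (101110)            expedited forwarding
  DF   = 0                      default forwarding
"""
from __future__ import annotations

# The 12 service classes of Table 5, keyed by PHB. Broadcast video -> CS5 and
# Bulk data -> AF1 follow RFC 4594, the model the table is based on.
SERVICE_CLASSES: dict[str, str] = {
    "CS6": "Network control",
    "EF": "VoIP telephony",
    "CS3": "Call signaling",
    "AF4": "Multimedia conferencing",
    "CS4": "Real-time interactive",
    "AF3": "Multimedia streaming",
    "CS5": "Broadcast video",
    "AF2": "Transactional data",
    "CS2": "OAM",
    "AF1": "Bulk data",
    "DF": "Default class",
    "CS1": "Scavenger",
}


def dscp_from_tos(tos_byte: int) -> int:
    """Strip the two ECN bits from a ToS / Traffic Class byte (0xB8 -> 46)."""
    return (tos_byte & 0xFF) >> 2


def phb_name(dscp: int) -> str:
    """Name the PHB for a DSCP value: 'AF41', 'CS6', 'EF', 'DF', or 'DSCP<n>' when
    the codepoint is not one of the standard PHBs."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP out of range: {dscp}")
    if dscp == 0:
        return "DF"
    if dscp == 46:
        return "EF"
    cls, low = dscp >> 3, dscp & 0b111
    if low == 0:
        return f"CS{cls}"
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"AF{cls}{low // 2}"
    return f"DSCP{dscp}"


def service_class(dscp: int) -> str:
    """Map a DSCP value to its Table 5 service class. The three AF drop precedences
    of one class share a queue, so AF41/AF42/AF43 all map to Multimedia conferencing.
    Non-standard codepoints get the Default class (assumption: treat as best effort)."""
    phb = phb_name(dscp)
    key = phb[:3] if phb.startswith("AF") else phb
    return SERVICE_CLASSES.get(key, "Default class")


def table5_rows() -> list[tuple[str, str, list[int]]]:
    """Regenerate Table 5 from the bit layout: (service class, PHB, decimal DSCP values)."""
    rows = []
    for phb, name in SERVICE_CLASSES.items():
        if phb.startswith("AF"):
            x = int(phb[2])
            values = [(x << 3) | (y << 1) for y in (1, 2, 3)]
        elif phb.startswith("CS"):
            values = [int(phb[2]) << 3]
        else:
            values = [46 if phb == "EF" else 0]
        rows.append((name, phb, values))
    return rows


if __name__ == "__main__":
    for name, phb, values in table5_rows():
        print(f"{name:<24} {phb:<4} {', '.join(map(str, values))}")
```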
You can also use Internal BGP as an overlay routing protocol. For design guidance, see the IWAN Technology Design Guide.
Quality of Service
The network must ensure that business applications perform across the WAN during times of network congestion.
Traffic must be classified and queued and the WAN connection must be shaped to operate within the capabilities
of the connection. When the WAN design uses a service provider offering with QoS, the WAN edge QoS classification and treatment must align to the service provider in order to ensure consistent end-to-end QoS treatment
of traffic.
Encryption
The primary goal of encryption is to provide data confidentiality, integrity, and authenticity by encrypting IP packets
as the data travels across a network.
The encrypted payloads are then encapsulated with a new header (or multiple headers) and transmitted across
the network. The additional headers introduce a certain amount of overhead to the overall packet length.
[Table: encapsulation overhead per packet. GRE only: 24 bytes. The remaining rows survive only as their values, 36, 52, 60 and 76 bytes; their encapsulation labels were not extracted.]
There is a maximum transmission unit (MTU) parameter for every link in an IP network and typically the MTU is
1500 bytes. IP packets larger than 1500 bytes must be fragmented when transmitted across these links. Fragmentation is not desirable and can impact network performance. To avoid fragmentation, the original packet size
plus overhead must be 1500 bytes or less, which means that the sender must reduce the original packet size. To
account for other potential overhead, Cisco recommends that you configure tunnel interfaces with a 1400 byte
MTU.
There are dynamic methods for network clients to discover the path MTU, which allow the clients to reduce the
size of packets they transmit. However, in many cases, these dynamic methods are unsuccessful, typically because security devices filter the necessary discovery traffic. This failure to discover the path MTU drives the need
for a method that can reliably inform network clients of the appropriate packet size. The solution is to implement
the ip tcp adjust-mss [size] command on the WAN routers, which influences the TCP maximum segment size
(MSS) value reported by end hosts.
The MSS defines the maximum amount of data that a host is willing to accept in a single TCP/IP datagram. The
MSS value is sent as a TCP header option only in TCP SYN segments. Each side of a TCP connection reports its
MSS value to the other side. The sending host is required to limit the size of data in a single TCP segment to a
value less than or equal to the MSS reported by the receiving host.
The IP and TCP headers combine for 40 bytes of overhead, so the typical MSS value reported by network clients will be 1460. This design includes encrypted tunnels with a 1400 byte MTU, so the MSS used by endpoints
should be configured to be 1360 to minimize any impact of fragmentation. In this solution, you implement the ip
tcp adjust-mss 1360 command on all WAN facing router interfaces.
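The following Python, added here and not part of the Cisco guide, shows what ip tcp adjust-mss does to a TCP SYN passing through the router: it walks the TCP options, lowers an advertised MSS that exceeds the 1360 derived from the 1400-byte tunnel MTU, and recomputes the TCP checksum, leaving non-SYN segments and malformed option lists untouched. The SYN segment and the 10.4.0.10 / 10.8.0.20 addresses are constructed sample input.

```python
"""TCP MSS clamping as done by "ip tcp adjust-mss 1360" on a WAN router.
Added example, not Cisco code. A constructed IPv4 TCP SYN is parsed, its MSS option
lowered so a full segment fits the 1400-byte tunnel MTU, and the TCP checksum fixed up.
"""
from __future__ import annotations

import struct

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
TCP_FLAG_SYN = 0x02
IP_TCP_HEADER_BYTES = 40  # 20-byte IPv4 header + 20-byte TCP header without options


def mss_for_tunnel_mtu(tunnel_mtu: int) -> int:
    """The MSS that keeps a full-size segment inside the tunnel MTU (1400 -> 1360)."""
    return tunnel_mtu - IP_TCP_HEADER_BYTES


def internet_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words, as used by the TCP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: bytes, dst_ip: bytes, tcp_len: int) -> bytes:
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, tcp_len)  # zero, protocol TCP, length


def verify_tcp_checksum(seg: bytes, src_ip: bytes, dst_ip: bytes) -> bool:
    return internet_checksum(_pseudo_header(src_ip, dst_ip, len(seg)) + seg) == 0


def find_mss_option(seg: bytes) -> int | None:
    """Offset of a well-formed 4-byte MSS option in the TCP header, else None.
    Malformed option lists are left alone: the router must not rewrite what it cannot parse."""
    data_offset = (seg[12] >> 4) * 4
    i = 20
    while i < data_offset:
        kind = seg[i]
        if kind == TCP_OPT_EOL:
            return None
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= data_offset:
            return None
        length = seg[i + 1]
        if length < 2 or i + length > data_offset:
            return None
        if kind == TCP_OPT_MSS and length == 4:
            return i
        i += length
    return None


def advertised_mss(seg: bytes) -> int | None:
    off = find_mss_option(seg)
    return None if off is None else struct.unpack_from("!H", seg, off + 2)[0]


def clamp_tcp_mss(seg: bytes, max_mss: int, src_ip: bytes, dst_ip: bytes) -> tuple[bytes, int | None]:
    """Return (segment, MSS seen). Only SYN segments carry an MSS option; the value is
    rewritten only when it exceeds max_mss, and the checksum is recomputed if it changes."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    if not seg[13] & TCP_FLAG_SYN:
        return seg, None
    off = find_mss_option(seg)
    if off is None:
        return seg, None
    mss = struct.unpack_from("!H", seg, off + 2)[0]
    if mss <= max_mss:
        return seg, mss
    out = bytearray(seg)
    struct.pack_into("!H", out, off + 2, max_mss)
    struct.pack_into("!H", out, 16, 0)  # zero the checksum field before recomputing
    struct.pack_into("!H", out, 16, internet_checksum(_pseudo_header(src_ip, dst_ip, len(out)) + bytes(out)))
    return bytes(out), mss


def build_syn(mss: int, src_ip: bytes, dst_ip: bytes, src_port: int = 40000, dst_port: int = 443) -> bytes:
    """Constructed sample input: a TCP SYN with an MSS option, NOP padding and a valid checksum."""
    options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss) + bytes([TCP_OPT_NOP] * 4)
    data_offset_words = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0x1000, 0,
                         data_offset_words << 4, TCP_FLAG_SYN, 65535, 0, 0)
    seg = bytearray(header + options)
    struct.pack_into("!H", seg, 16, internet_checksum(_pseudo_header(src_ip, dst_ip, len(seg)) + bytes(seg)))
    return bytes(seg)


if __name__ == "__main__":
    src, dst = bytes([10, 4, 0, 10]), bytes([10, 8, 0, 20])  # constructed hosts in the 10.4 / 10.8 prefixes
    syn = build_syn(1460, src, dst)
    clamped, before = clamp_tcp_mss(syn, mss_for_tunnel_mtu(1400), src, dst)
    print(f"MSS {before} -> {advertised_mss(clamped)}, checksum ok: {verify_tcp_checksum(clamped, src, dst)}")
```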
IPsec security association (SA) anti-replay is a security service in which the decrypting router can reject duplicate
packets and protect itself against replay attacks. Cisco QoS gives priority to high-priority packets, and this prioritization may cause some low-priority packets to arrive late enough to be discarded by anti-replay. Cisco IOS provides anti-replay protection against an
attacker duplicating encrypted packets. By expanding the IPsec anti-replay window you can allow the router to
keep track of more than the default of 64 packets. In this solution you implement the crypto ipsec security-association replay window-size command in order to increase the window size on all DMVPN routers.
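To show why the replay window size matters once QoS reorders packets behind the tunnel, this added Python (not Cisco code) implements an RFC 4303-style anti-replay window and runs a constructed traffic model through it with the default 64-packet window and with larger ones. The 200-packet stream, the one-in-ten low-priority share and the 100-packet queueing delay are assumptions chosen for illustration.

```python
"""IPsec ESP anti-replay window and the effect of QoS reordering (added example, not Cisco code).

The decrypting router keeps a bitmap of the last `size` sequence numbers below the
highest one accepted (RFC 4303 style). A packet older than that range is dropped even
though it is not a replay, which is what happens when priority queuing on the WAN
interface holds a low-priority packet back long enough after ESP numbered it.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class AntiReplayWindow:
    size: int = 64        # Cisco IOS default window size
    highest: int = 0      # highest sequence number accepted so far (ESP starts at 1)
    bitmap: int = 0       # bit i set => sequence number (highest - i) already seen
    accepted: int = 0
    dropped: int = 0

    def check(self, seq: int) -> bool:
        """Accept or reject one ESP sequence number, updating the window on accept."""
        if seq == 0:                      # sequence number 0 is never valid
            self.dropped += 1
            return False
        if seq > self.highest:            # new high-water mark: slide the window forward
            shift = seq - self.highest
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.highest = seq
            self.accepted += 1
            return True
        offset = self.highest - seq
        if offset >= self.size:           # too old: fell off the left edge of the window
            self.dropped += 1
            return False
        if self.bitmap & (1 << offset):   # genuine replay: already seen
            self.dropped += 1
            return False
        self.bitmap |= 1 << offset        # late but within the window: accept and record
        self.accepted += 1
        return True


def simulate_reordered_tunnel(window_size: int, n_packets: int = 200,
                              low_every: int = 10, low_delay: int = 100) -> tuple[int, int]:
    """Constructed traffic model: ESP numbers packets 1..n in order before QoS queuing;
    every low_every-th packet is low priority and leaves the interface low_delay packets
    later than it was numbered (assumed queueing delay). Returns (accepted, dropped)."""
    def is_low(seq: int) -> bool:
        return seq % low_every == 0

    wire_order = sorted(range(1, n_packets + 1),
                        key=lambda s: s + (low_delay if is_low(s) else 0))
    window = AntiReplayWindow(size=window_size)
    for seq in wire_order:
        window.check(seq)
    return window.accepted, window.dropped


if __name__ == "__main__":
    for size in (64, 128, 1024):
        accepted, dropped = simulate_reordered_tunnel(size)
        print(f"window {size:>4}: accepted {accepted}, dropped {dropped}")
```

With the default window the model drops every low-priority packet delayed past the 64 most recent sequence numbers; a 128-packet window accepts all of them while a true duplicate is still rejected.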
IPsec uses a key exchange between the routers in order to encrypt/decrypt the traffic. You can exchange these
keys by using a simple pre-sharing algorithm or a certificate authority. You can deploy IOS-CA in order to enroll,
store, authenticate and distribute the keys to routers that request them. If a certificate authority is chosen, the
certificates and keys can be distributed using the simple certificate enrollment protocol (SCEP) for automated
certificate retrieval by the routers.
[Figure: DMVPN cloud 2 over the Internet: several DMVPN spokes, with a spoke-to-spoke tunnel built directly between two of them.]
[Figure: remote-site DMVPN tunnels: DMVPN-1 over MPLS/Internet and DMVPN-2 over Internet, and a single-tunnel variant with DMVPN-1 only.]
vrf IWAN-TRANSPORT
DMVPN
Hub Router
Inside
Internet
Edge
Default
Default
VPN-DMZ
Default
EIGRP
Outside
Internet
Default
vrf global
Default Route
Default Route (vrf IWAN-TRANSPORT)
vrf
IWAN-TRANSPORT
1229F
DMVPN
Spoke Router
In both the IWAN Hybrid and IWAN Dual Internet design models, the DMVPN hub routers must have sufficient
IP-routing information in order to provide end-to-end reachability. Maintaining this routing information typically
requires a routing protocol, and EIGRP or BGP are recommended for this purpose.
At the WAN-aggregation site, you must connect the DMVPN hub routers to the WAN and configure default routing to build the DMVPN tunnels. The MPLS VPN hub uses default routing to the MPLS provider edge router, and
the Internet VPN hubs use default routing to the DMZ-VPN that provides Internet connectivity. The DMVPN hub
routers use FVRF and have a static default route with the IWAN-TRANSPORT VRF pointing to their respective next
hops.
[Figure: VPN hub routers with vrf IWAN-TRANSPORT-1 and IWAN-TRANSPORT-2 default routes toward the MPLS CE router and the Internet edge (Internet A, Internet B) (1231F)]
[Figure: VPN hub routers with vrf IWAN-TRANSPORT-3 and IWAN-TRANSPORT-4 default routes toward the Internet edge (Internet A, Internet B) (1232F)]
WAN-Aggregation Design
The CRD enterprise WAN design does not take a one-size-fits-all approach. Cisco developed a set of WAN
design models based on scaling requirements and other considerations, including resiliency, the need for future
growth, regional availability of WAN services, and ease of operation. Cisco designed and tested the complete
CRD enterprise WAN to accommodate the use of multiple concurrent design models but also to support the usage of individual design models.
The approach to platform selection is straightforward. You determine which models of router to use by the
amount of bandwidth required at the WAN-aggregation site. You determine whether to implement a single router
or dual router by the number of carriers and WAN transports that are required in order to provide connections to
all of the remote sites.
The available design models can be grouped together in a number of ways to provide connectivity to the required
numbers and types of remote sites. All design models provide a high level of performance and services. To illustrate the wide range of scale that CRD enterprise WAN provides, you can compare two combinations of design
models.
The following figures show a CRD enterprise WAN implemented using the lowest and highest scaling design
models.
[Figure: CRD WAN (lowest scale): MPLS CE router with static routing to MPLS, VPN hub router behind the Internet edge to the Internet (2249F)]
Figure 24 CRD WAN (highest scale): Dual MPLS + Layer 2 Trunked + Dual DMVPN
[Figure: core layer and distribution layer; MPLS CE routers with BGP dynamic routing to MPLS A and MPLS B; Layer 2 WAN CE router with trunked demarcation to the Layer 2 WAN; VPN hub routers behind the Internet edge to Internet A and Internet B (2250F)]
The actual WAN remote-site routing platforms remain unspecified because the specification is tied closely to the
bandwidth required for a location and the potential requirement for the use of service module slots. The ability to
implement this solution with a variety of potential router choices is one of the benefits of a modular design approach.
There are many factors to consider in the selection of the WAN remote-site routers. Among those, and key to the
initial deployment, is the ability to process the expected amount and type of traffic. You also need to make sure
that you have enough interfaces, enough module slots, and a properly licensed Cisco IOS Software image that
supports the set of features that is required by the topology.
Remote-site LAN
The primary role of the WAN is to interconnect primary site and remote-site LANs. The LAN discussion within this
design is limited to how the WAN-aggregation site LAN connects to the WAN-aggregation devices and how the
remote-site LANs connect to the remote-site WAN devices. Specific details regarding the LAN components of
the design are covered in the Campus Wired LAN Technology Design Guide.
At remote sites, the LAN topology depends on the number of connected users and physical geography of the
site. Large sites may require the use of a distribution layer in order to support multiple access layer switches.
Other sites may only require an access layer switch directly connected to the WAN remote-site routers. The variants are shown in the following table.
Table 7 Remote-site LAN options
WAN remote-site routers | WAN transports | LAN topology
Single                  | Single         | Access only
Single                  | Single         | Distribution/Access
Single                  | Dual           | Access only
Single                  | Dual           | Distribution/Access
Dual                    | Dual           | Access only
Dual                    | Dual           | Distribution/Access
For consistency and modularity, all WAN remote sites use the same VLAN assignment scheme, which is shown in
the following table. This guide uses a convention that is relevant to any location that has a single access switch,
and this model can also be easily scaled to additional access closets by adding a distribution layer.
Table 8 Remote-site VLAN assignment
VLAN    | Usage                             | Layer 2 access | Layer 3 distribution/access
VLAN 64 | Data 1                            | Yes            |
VLAN 69 | Voice 1                           | Yes            |
VLAN 99 | Transit                           | Yes            | Yes
VLAN 50 | Router link (to distribution)     |                | Yes
VLAN 54 | Router link (to distribution)     |                | Yes (dual router only)
[Figure: single-router remote site with one WAN uplink; LAN with VLAN 64 - Data and VLAN 69 - Voice (1034F)]
A similar LAN design can be extended to a dual-router edge as shown in the following figure. This design change
introduces some additional complexity. The first requirement is to run a routing protocol. You need to configure
EIGRP between the routers.
Because there are now two routers per subnet, you must implement a first-hop redundancy protocol (FHRP). For
this design, Cisco selected HSRP as the FHRP. HSRP is designed to allow for transparent failover of the first-hop
IP router. HSRP provides high network availability by providing first-hop routing redundancy for IP hosts configured with a default gateway IP address. HSRP is used in a group of routers for selecting an active router and a
standby router. When there are multiple routers on a LAN, the active router is chosen for routing packets; the
standby router takes over when the active router fails or when preset conditions are met.
[Figure: dual-router remote site, each router with a WAN uplink; EIGRP between the routers over VLAN 99 - Transit; HSRP VLANs 64 - Data and 69 - Voice with one active HSRP router (2141F)]
Enhanced object tracking (EOT) provides a consistent methodology for various router and switching features to
conditionally modify their operation based on information objects available within other processes. The objects
that can be tracked include interface line protocol, IP route reachability, and IP service-level agreement (SLA)
reachability as well as several others.
To improve convergence times after a primary WAN failure, HSRP has the capability to monitor the reachability
of a next-hop IP neighbor through the use of EOT and IP SLA. This combination allows for a router to give up its
HSRP active role if its upstream neighbor becomes unresponsive. This provides additional network resiliency.
[Figure: dual-router remote site with an IP SLA probe from the R1 WAN interface to the upstream interface; EIGRP over VLAN 99 - Transit; HSRP VLANs 64 - Data and 69 - Voice with R1 as the active HSRP router (2142F)]
HSRP is configured to be active on the router with the highest priority WAN transport. EOT of IP SLA probes is
implemented in conjunction with HSRP so that in the case of WAN transport failure, the standby HSRP router associated with the lower priority (alternate) WAN transport becomes the active HSRP router. The IP SLA probes are
sent from the remote-site primary WAN router to the upstream neighbor (MPLS PE, Layer 2 WAN CE, or DMVPN
hub) in order to ensure reachability of the next hop router. This is more effective than simply monitoring the status
of the WAN interface.
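A model of the HSRP election with object tracking described above, added here as an example and not taken from the guide: each router's priority is decremented while its tracked IP SLA probe to the upstream neighbor fails, so the standby router on the alternate transport preempts, and the primary router takes the active role back once the upstream is reachable again. Router names, priorities, the decrement value and the probe names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TrackedObject:
    """Enhanced Object Tracking (EOT) object bound to an IP SLA probe.

    The probe targets the upstream next hop (MPLS PE, Layer 2 WAN CE or DMVPN
    hub), so the object goes DOWN even when the WAN interface itself stays up.
    """
    name: str
    probe_ok: bool = True          # result of the most recent IP SLA probe

    @property
    def up(self) -> bool:
        return self.probe_ok


@dataclass
class HsrpRouter:
    name: str
    priority: int                  # configured HSRP priority
    track: Optional[TrackedObject] = None
    decrement: int = 10            # subtracted while the tracked object is DOWN
    preempt: bool = True

    def effective_priority(self) -> int:
        """Configured priority, lowered while the tracked upstream is unreachable."""
        if self.track is not None and not self.track.up:
            return self.priority - self.decrement
        return self.priority


class HsrpGroup:
    """Election for one HSRP group (one VLAN) on a dual-router remote site."""

    def __init__(self, routers: List[HsrpRouter]):
        self.routers = routers
        self.active: Optional[HsrpRouter] = None

    def step(self) -> str:
        """Re-run the election after probe results change; return the active router."""
        best = max(self.routers, key=lambda r: r.effective_priority())
        if self.active is None:
            self.active = best                      # initial election
        elif (best is not self.active and best.preempt
              and best.effective_priority() > self.active.effective_priority()):
            self.active = best                      # preempt the lower-priority router
        return self.active.name


def build_remote_site():
    """Constructed site: R1 on the primary (MPLS) transport, R2 on the alternate (DMVPN)."""
    probe_r1 = TrackedObject("sla-to-mpls-pe")      # hypothetical probe names
    probe_r2 = TrackedObject("sla-to-dmvpn-hub")
    r1 = HsrpRouter("R1", priority=110, track=probe_r1, decrement=20)
    r2 = HsrpRouter("R2", priority=105, track=probe_r2, decrement=20)
    return HsrpGroup([r1, r2]), probe_r1, probe_r2


def failover_sequence() -> List[str]:
    """Active router in steady state, after the primary upstream fails, and after it recovers."""
    group, probe_r1, _ = build_remote_site()
    history = [group.step()]          # R1: 110 beats 105
    probe_r1.probe_ok = False         # probe to the MPLS PE times out (interface still up)
    history.append(group.step())      # R1 drops to 90, R2 (105) preempts
    probe_r1.probe_ok = True          # upstream reachable again
    history.append(group.step())      # R1 back at 110 preempts
    return history


if __name__ == "__main__":
    print(failover_sequence())        # ['R1', 'R2', 'R1']
```

The decrement has to exceed the priority gap between the routers; the test below shows that a decrement too small to cross that gap leaves the primary router active despite a failed probe.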
The dual-router designs also warrant an additional transit network component that is required for proper routing in
certain scenarios. In these cases, a traffic flow from a remote-site host might be sent to a destination reachable
via the alternate WAN transport (for example, a dual MPLS remote site communicating with a MPLS-B-only remote site). The primary WAN transport router then forwards the traffic back out the same data interface on which
it was received from the LAN to send it to the alternate WAN transport router, which then forwards the traffic to
the proper destination. This is referred to as hairpinning.
The appropriate method to avoid sending the traffic out the same interface is to introduce an additional link between the routers and designate the link as a transit network (VLAN 99). There are no hosts connected to the
transit network, and it is only used for router-router communication. The routing protocol runs between router
sub-interfaces assigned to the transit network. No additional router interfaces are required with this design modification because the 802.1Q VLAN trunk configuration can easily accommodate an additional sub-interface.
[Figure: dual-router remote site with 802.1Q trunks (50, 99) and (54, 99) to the distribution switch, and single-router site with 802.1Q trunk (50) (2007F)]
The LAN distribution switch handles access layer routing, with VLANs trunked to access switches. No HSRP is
required when the design includes a distribution layer. A full distribution and access layer design is shown in the
following figure.
[Figure: distribution and access layer design: 802.1Q trunks (50, 99) and (54, 99) from the routers to the distribution layer, trunks (ww, xx) and (yy, zz) to the access switches carrying VLAN ww/yy - Data and VLAN xx/zz - Voice; no HSRP required (2144F)]
The Campus Wired LAN Technology Design Guide provides details on how to deploy wired LANs within your organization.
WAN-aggregation design model (primary) | WAN-aggregation design model (secondary) | WAN remote-site routers | WAN transports | Primary transport | Secondary transport
MPLS Static / MPLS Dynamic / Dual MPLS | -                                           | Single | Single | MPLS VPN        | -
Layer 2 Simple / Layer 2 Trunked       | -                                           | Single | Single | MetroE/VPLS     | -
DMVPN Only / Dual DMVPN                | -                                           | Single | Single | Internet        | -
DMVPN Only / Dual DMVPN                | -                                           | Single | Single | Internet 4G LTE | -
Dual MPLS                              | Dual MPLS                                   | Single | Dual   | MPLS VPN A      | MPLS VPN B
MPLS Static / MPLS Dynamic / Dual MPLS | DMVPN Backup Shared / DMVPN Backup Dedicated | Single | Dual   | MPLS VPN        | Internet
MPLS Static / MPLS Dynamic / Dual MPLS | DMVPN Backup Shared / DMVPN Backup Dedicated | Single | Dual   | MPLS VPN        | Internet 4G LTE
Layer 2 Simple / Layer 2 Trunked       | DMVPN Backup Dedicated                      | Single | Dual   | MetroE/VPLS     | Internet
Dual DMVPN                             | Dual DMVPN                                  | Single | Dual   | Internet        | Internet
Dual MPLS                              | Dual MPLS                                   | Dual   | Dual   | MPLS VPN A      | MPLS VPN B
MPLS Dynamic / Dual MPLS               | DMVPN Backup Dedicated                      | Dual   | Dual   | MPLS VPN        | Internet
MPLS Dynamic / Dual MPLS               | DMVPN Backup Dedicated                      | Dual   | Dual   | MPLS VPN        | Internet 4G LTE
Layer 2 Simple / Layer 2 Trunked       | DMVPN Backup Dedicated                      | Dual   | Dual   | MetroE/VPLS     | Internet
Dual DMVPN                             | Dual DMVPN                                  | Dual   | Dual   | Internet        | Internet
[Figure: centralized wireless design: on-site WLC HA pair and guest anchor controllers in the data center, LAN core switches; CAPWAP tunnel from the LAN, CAPWAP mobility tunnel to the guest anchor; wireless data, wireless voice and guest traffic, guest traffic to the Internet edge (1179F)]
[Figure: FlexConnect design: virtual WLC N+1 or FlexConnect WLC HA pair in the data center; CAPWAP tunnel and CAPWAP mobility tunnel to the guest anchor across the WAN to the remote sites; wireless data, wireless voice and guest traffic (1180F)]
Cisco FlexConnect can also tunnel traffic back to the centralized controller, which is specifically used for wireless
guest access.
If all of the following are true at a site, deploy Cisco FlexConnect at the site:
The site LAN is a single access-layer switch or switch stack.
The site has fewer than 50 access points.
The site has a WAN latency less than 100ms round-trip to the shared controller.
You can use a shared controller pair or a dedicated controller pair in order to deploy Cisco FlexConnect. In a
shared controller model, both local-mode and FlexConnect configured access points share a common controller.
Shared controller architecture requires that the wireless LAN controller support both FlexConnect local switching
and local mode.
The Campus Wireless LAN Technology Design Guide provides details on how to deploy wireless LANs within your
organization.
IP Multicast
IP Multicast allows a single IP data stream to be replicated by the infrastructure (routers and switches) and sent
from a single source to multiple receivers. IP Multicast is much more efficient than multiple individual unicast
streams or a broadcast stream that would propagate everywhere. IP telephony music on hold (MOH) and IP video
broadcast streaming are two examples of IP Multicast applications.
To receive a particular IP Multicast data stream, end hosts must join a multicast group by sending an Internet
group management protocol (IGMP) message to their local multicast router. In a traditional IP Multicast design, the
local router consults another router in the network acting as a rendezvous point (RP). An RP maps the receivers to
active sources so the end hosts can join their streams.
The RP is a control-plane operation that should be placed in the core of the network or close to the IP Multicast
sources on a pair of Layer 3 switches or routers. IP Multicast routing begins at the distribution layer if the access
layer is Layer 2 and provides connectivity to the IP Multicast RP. In designs without a core layer, the distribution
layer performs the RP function.
This design is fully enabled for a single global scope deployment of IP Multicast. The design uses an Anycast RP
implementation strategy. This strategy provides load sharing and redundancy in protocol-independent multicast
sparse mode (PIM SM) networks. Two RPs share the load for source registration and the ability to act as hot
backup routers for each other.
The benefit of this strategy from the WAN perspective is that all IP routing devices within the WAN use an identical configuration referencing the Anycast RPs. IP PIM-SM is enabled on all interfaces including loopbacks, VLANs
and sub-interfaces.
Quality of Service
Most users perceive the network as a transport utility mechanism to shift data from point A to point B as fast as it
can. Many sum this up as just speeds and feeds. While it is true that IP networks forward traffic on a best-effort
basis by default, this type of routing works well only for applications that adapt gracefully to variations in latency,
jitter, and loss. However, networks are multiservice by design and support real-time voice and video as well as
data traffic. The difference is that real-time applications require packets to be delivered within specified loss,
delay, and jitter parameters.
In reality, the network affects all traffic flows and must be aware of end-user requirements and services being
offered. Even with unlimited bandwidth, time-sensitive applications are affected by jitter, delay, and packet loss.
QoS enables a multitude of user services and applications to coexist on the same network.
Within the architecture, there are wired and wireless connectivity options that provide advanced classification,
prioritizing, queuing, and congestion mechanisms as part of the integrated QoS to help ensure optimal use of
network resources. This functionality allows for the differentiation of applications, ensuring that each has the appropriate share of the network resources to protect the user experience and ensure the consistent operations of
business critical applications.
QoS is an essential function of the network infrastructure devices used throughout this architecture. QoS enables
a multitude of user services and applications, including real-time voice, high-quality video, and delay-sensitive
data to coexist on the same network. In order for the network to provide predictable, measurable, and sometimes
guaranteed services, it must manage bandwidth, delay, jitter, and loss parameters. Even if you do not require QoS
for your current applications, you can use QoS for management and network protocols in order to protect the
network functionality and manageability under normal and congested traffic conditions.
Application class                                | Per-hop behavior (PHB) | DSCP
Network control                                  | CS6                    | 48
VoIP telephony                                   | EF                     | 46
Call signaling                                   | CS3                    | 24
Multimedia conferencing                          | AF4                    | 34, 36, 38
Real-time interactive                            | CS4                    | 32
Multimedia streaming                             | AF3                    | 26, 28, 30
Broadcast video                                  | CS5                    | 40
Transactional data                               | AF2                    | 18, 20, 22
Operation, administration, and maintenance (OAM) | CS2                    | 16
Bulk data                                        | AF1                    | 10, 12, 14
Default class                                    | DF                     | 0
Scavenger                                        | CS1                    | 8
                     | MPLS Static   | MPLS Dynamic  | Dual MPLS
Remote sites         | Up to 50      | Up to 100     | Up to 500
WAN links            | Single        | Single        | Dual
Edge routers         | Single        | Single        | Dual
WAN routing protocol | None (static) | BGP (dynamic) | BGP (dynamic)
Transport 1          | MPLS VPN A    | MPLS VPN A    | MPLS VPN A
Transport 2          | -             | -             | MPLS VPN B
Figure 33 MPLS Static and MPLS Dynamic design models (single MPLS carrier)
[Figure: core layer with distribution layer, or collapsed core/distribution layer; MPLS CE router with static routing or BGP dynamic routing to MPLS (2183F)]
[Figure: Dual MPLS design model: distribution layer or collapsed core/distribution layer; MPLS CE routers with BGP dynamic routing to MPLS A and MPLS B (2184F)]
[Figure: MPLS remote-site options: single MPLS; MPLS-A and MPLS-B with redundant links; MPLS-A and MPLS-B with redundant links and routers (2117F)]
The MPLS WAN Technology Design Guide provides details on how to deploy MPLS VPN as a primary WAN transport or as a backup WAN transport (to an alternate MPLS VPN primary).
                        | Layer 2 Simple | Layer 2 Trunked
Remote sites            | Up to 25       | Up to 100
WAN links               | Single         | Single
Edge routers            | Single         | Single
WAN routing protocol    | EIGRP          | EIGRP
Transport 1 type        | MetroE/VPLS    | MetroE/VPLS
Transport 1 demarcation | Simple         | Trunked
[Figure: Layer 2 WAN design models: collapsed core/distribution layer or distribution layer; Layer 2 WAN CE router with simple or trunked demarcation to the Layer 2 WAN (1031F)]
[Figure: Layer 2 WAN remote site: Layer 2 WAN CE router connected to the Layer 2 WAN (1033F)]
The Layer 2 WAN Technology Design Guide provides details on how to deploy Layer 2 WAN as a primary WAN
transport.
[Figure: VPN WAN remote-site options: Internet nonredundant; Internet with redundant links; Internet with redundant links and routers; MPLS + Internet with redundant links; MPLS + Internet with redundant links and routers; Layer 2 + Internet with redundant links; Layer 2 + Internet with redundant links and routers (2139F)]
The VPN WAN Technology Design Guide provides details on how to use the Internet for VPN site-to-site connections as both a primary WAN transport and as a backup WAN transport (to a primary WAN transport).
[Figure: 4G LTE remote-site options: 3G/4G (DMVPN) nonredundant; MPLS + 3G/4G with redundant links; MPLS + 3G/4G with redundant links and routers (2251F)]
The VPN Remote Site over 4G LTE Design Guide provides details on how to use a cellular connection to the Internet
for VPN site-to-site connections as both a primary WAN transport and as a backup WAN transport (to a primary
WAN transport).
             | DMVPN Only   | Dual DMVPN
Remote sites | Up to 100    | Up to 500
WAN links    | Single       | Dual
DMVPN hubs   | Single       | Dual
Transport 1  | Internet VPN | Internet VPN
Transport 2  | -            | Internet VPN
[Figure: DMVPN Only design model: collapsed core/distribution layer, VPN hub router behind the Internet edge to the Internet (2133F)]
[Figure: Dual DMVPN design model: distribution layer, VPN hub routers behind the Internet edge to Internet A and Internet B (2134F)]
                       | DMVPN Backup Shared | DMVPN Backup Dedicated
Remote sites           | Up to 50            | Up to 100/500
WAN links              | Dual                | Multiple
DMVPN hubs             | Single              | Single/Dual
Transport 1 (existing) | MPLS VPN A          | MPLS VPN A
Transport 2 (existing) | -                   | MPLS VPN B
Transport 3 (existing) | -                   | MetroE/VPLS
Backup transport       | Internet VPN        | Internet VPN
[Figure: DMVPN Backup Shared design model: the MPLS CE router is also the VPN hub router, with static routing to MPLS and a connection through the Internet edge to the Internet (2135F)]
In the DMVPN Backup Shared design model, the DMVPN hub router is also the MPLS CE router, which is already
connected to the distribution or core layer. The connection to the Internet has already been established through
a firewall interface contained within the Internet edge. A DMZ is not required for this design model. For details
about the connection to the Internet, see the Firewall and IPS Design Guide.
[Figure: DMVPN Backup Dedicated with the MPLS Dynamic design model (MPLS CE router with BGP dynamic routing to MPLS, VPN hub router behind the Internet edge to the Internet) and with the Dual MPLS design model (distribution layer, MPLS CE routers with BGP dynamic routing to MPLS A and MPLS B, VPN hub router behind the Internet edge) (2136F)]
[Figure: DMVPN Backup Dedicated with the Layer 2 WAN design models: Layer 2 WAN CE router with simple or trunked demarcation to the Layer 2 WAN, VPN hub router behind the Internet edge to the Internet (2137F)]
In the DMVPN Backup Dedicated design models, the DMVPN hub routers connect to the Internet indirectly
through a firewall DMZ interface contained within the Internet edge. For details about the connection to the Internet, see the Firewall and IPS Design Guide. The VPN hub routers are connected into the firewall DMZ interface,
rather than connected directly with Internet service-provider routers.
Note that the DMVPN Only and Dual DMVPN design models can also provide DMVPN backup when paired with
MPLS WAN and Layer 2 WAN design models.
GET VPN
Cisco GET VPN is a tunnel-less VPN technology based on the IETF standard (RFC 3547). The technology provides end-to-end data encryption for network infrastructure while maintaining any-to-any communication between sites. You can deploy it across various WAN core transports, such as MPLS or Layer 2 networks. GET VPN
leverages the GDOI protocol in order to create a secure communication domain among network devices.
GET VPN is recommended for organizations that want centralized policy management and group keys. GET VPN
is also recommended for dynamic site-to-site VPNs. To think of it another way, GET VPN makes a network private
rather than creating a virtual private network; that is, it secures an already existing network, much like regular crypto
maps do.
The benefits of GET VPN include the following:
Highly scalable VPN technology that provides an any-to-any meshed topology without the need for complex
peer-to-peer security associations
Low latency and jitter communication with direct traffic between sites
Centralized encryption policy and membership management with the key servers (KSs)
Simplified network design due to leveraging of native routing infrastructure (no overlay routing protocol
needed)
Efficient bandwidth utilization by supporting multicast-enabled network core
Network intelligence such as native routing path, network topology, and QoS
[Figure: GET VPN topology: key servers at the primary site WAN distribution; group members on the MPLS CE routers (MPLS A, MPLS B) and the Layer 2 WAN CE router; group members at the remote sites (1345F)]
[Figure: Key Server 1 (priority 100) and Key Server 2 (priority 75) distributing the security policy to the group members; encrypted traffic between group members (1346F)]
The KS sends out rekey messages as needed. The rekey message contains new encryption policy and encryption
keys to use when the old IPSec Security Association (SA) expires. The rekey message is sent in advance of the
SA expiration, which helps ensure that the new keys are available to all GMs.
The KS is an essential component in the GET VPN deployment. If the KS becomes unavailable, new GMs will not
be able to register and participate in the secure communication, and the existing GMs will not receive new rekeys
and updated security policies when the existing ones expire.
To help ensure a highly available and resilient GET VPN network, redundant KSs operate in cooperative mode.
Cooperative key servers (COOP KSs) share the GM registration load by jointly managing the GDOI registration of
the group. When COOP KSs start up, they go through an election process and the KS with the highest priority assumes the primary role, while the other KSs remain in secondary roles. The primary KS is responsible for creating
and redistributing the security policies and keys to GMs, as well as synchronizing the secondary KSs.
[Figure: primary key server (priority 100) distributing the security policy to the group members and synchronizing the secondary key server (1347F)]
The GET VPN Technology Design Guide provides details on how to use GET VPN to encrypt your site-to-site connections over an MPLS or Layer 2 transport.
Americas Headquarters
Cisco Systems, Inc.
San Jose, CA
Europe Headquarters
Cisco Systems International BV Amsterdam,
The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, DESIGNS) IN THIS MANUAL ARE PRESENTED AS
IS, WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT
SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION,
LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR
THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS
OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON
FACTORS NOT TESTED BY CISCO.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included
in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
2015 Cisco Systems, Inc. All rights reserved.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go
to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not
imply a partnership relationship between Cisco and any other company. (1110R)
B-000300c-2 07/15