IWAN - Implementing Performance Routing (PfRv3)
Jaromír Pilař – Consulting Systems Engineer, CCIE #2910

Agenda
•  IWAN Introduction
•  IWAN Domain
•  Transport Independent Design
•  IWAN Sites
•  Components and Roles
•  Performance Routing Principles
•  Policies, Site Discovery, Site Prefix Learning, WAN Interface Discovery
•  Channels, Traffic Class
•  Path Selection
•  Enterprise Deployment
•  Conclusion

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
IWAN Introduction

BRKRST-2362 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Hybrid WAN: Leveraging the Internet
Secure WAN Transport and Internet Access

[Diagram: Branch reaching the Private Cloud and Virtual Private Cloud over Secure WAN Transport (MPLS (IP-VPN)), and the Public Cloud over the Internet (Direct Internet Access)]

•  Secure WAN transport for private and virtual private cloud access
•  Leverage local Internet path for public cloud and Internet access
•  Increased WAN transport capacity, cost effectively!
•  Improve application performance (right flows to right places)

Cisco Intelligent WAN
Solution Components

[Diagram: Unified Branch connected over MPLS, 3G/4G-LTE and Internet to the Private Cloud, Virtual Private Cloud and Public Cloud]

ORCHESTRATION
•  Enterprise IWAN - IWAN-App/APIC-EM
•  SP-IWAN - vMS/NSO

•  Transport Independent: Simplified Hybrid WAN
•  Intelligent Path Control: Application Aware Routing
•  Application Optimization: Enhanced Application Visibility and Performance
•  Secure Connectivity: Comprehensive Threat Defense

IWAN: Intelligent Path Control
Performance Routing

[Diagram: Branch connected over MPLS and Internet to the Private Cloud and Virtual Private Cloud, with these callouts:]
•  Voice/Video/Critical take the best delay, jitter, and/or loss path
•  Other traffic is load balanced to maximize bandwidth
•  Voice/Video/Critical will be rerouted if the current path degrades below policy thresholds

•  PfR monitors network performance and routes applications based on application performance policies
•  PfR load balances traffic based upon link utilization levels to efficiently utilize all available WAN bandwidth

How PfR Works – Key Operations

[Diagram: four stages across MC and BR nodes: Traffic Classes, Learning Active TCs, Performance Measurements, Best Path]

•  Define Your Traffic Policy: Define Traffic Classes and service level Policies based on Applications or DSCP
•  Learn the Traffic: Border Routers learn current traffic classes going to the WAN based on classifier definitions
•  Measurement: Measure the traffic flow and network performance and report metrics to the Master Controller
•  Path Enforcement: Master Controller commands path changes based on traffic class policy definitions

IWAN Domain

IWAN Layered Solution
•  CPE-to-CPE overlay enables separation of transport (underlay) and VPN service (overlay)
•  Point to multipoint WAN connections with secure tunnel overlay architecture
•  Intelligent policy routing to provide cost optimization and dynamic load balancing

[Diagram, layers from top to bottom: PfR path selection policies; AVC/QoS and PfR intelligent routing; Overlay routing over tunnels; Overlay tunnels (DMVPN); Transport routing; Perimeter Security with Internet Routing and MPLS-VPN Routing]

PfR Components
•  The Decision Maker: Master Controller (MC)
   –  Apply policy, verification, reporting
   –  No packet forwarding/inspection required
   –  Standalone or combined with a BR
   –  VRF aware
   –  IPv4 only (IPv6 Future)
•  The Forwarding Path: Border Router (BR)
   –  Gain network visibility in forwarding path (Learn, measure)
   –  Enforce MC’s decision (path enforcement)
   –  VRF aware
   –  IPv4 only (IPv6 Future)

[Diagram: MC1 with BR1 and BR2; combined MC/BR routers; a standalone BR]

IWAN Domain
•  Collection of sites that share the same set of policies
•  An IWAN domain includes:
   –  A mandatory Hub site,
   –  Optional Transit sites,
   –  As well as Branch sites.
•  Each site has a unique identifier (Site-Id)
   –  Derived from the loopback address of the local MC
•  Central and headquarter sites play a significant role in PfR and are called an IWAN Point of Presence (POP).
   –  Each of these sites will have a unique identifier called a POP-ID
•  Each site runs PfR and gets its path control configuration and policies from the logical IWAN domain controller through the IWAN Peering Service

[Diagram: DC1 to DCn behind POP1 - HUB (Site ID = 10.1.0.10; MC1, BR1, BR2) and POP2 - TRANSIT (Site ID = 10.2.0.20; MC2, BR3, BR4), joined by DCI / WAN Core; IWAN Peering over PATH1 and PATH2 to branch sites (MC/BR, BR) with Site IDs 10.3.0.31, 10.4.0.41, 10.5.0.51]

Hub Site
•  Located in an enterprise central site or headquarter location.
•  Can act as a transit site to access servers in the datacenters or for spoke-to-spoke traffic
•  A POP Identifier (POP-ID) 0 is automatically assigned to a Hub site.
•  Only one Hub site exists per IWAN domain.
•  The logical domain controller functionality resides on this site’s master controller (MC).
•  The master controller (MC) for this site is known as the Hub master controller (Hub MC, HMC)
•  MCs from all other sites (transit or branch) connect to the Hub MC for PfR configuration and policies.

[Diagram: POP1 - HUB (Site ID = 10.1.0.10, POP-ID 0; MC1 holding Policies and Monitors; BR1, BR2) and POP2 - TRANSIT (Site ID = 10.2.0.20, POP-ID 1; MC2, BR3, BR4); Path MPLS Id 1 and Path INET Id 2 over DMVPN MPLS and DMVPN INET to the Branch MC/BR and BR routers]

Transit Site
•  Located in an enterprise central site or headquarter location.
•  Can act as a transit site to access servers in the datacenters or for spoke-to-spoke traffic
•  A POP Identifier (POP-ID) is configured for each transit site. This POP-ID has to be unique in the domain.
•  The master controller (MC) for this site is known as a Transit Master Controller (Transit MC, TMC)
•  The local MC peers with the Hub MC to get its policies, monitor, configuration and timers

[Diagram: POP1 - HUB (Site ID = 10.1.0.10, POP-ID 0; MC1, BR1, BR2) and POP2 - TRANSIT (Site ID = 10.2.0.20, POP-ID 1; MC2, BR3, BR4) with IWAN Peering between MC1 and MC2; Path MPLS Id 1 and Path INET Id 2 over DMVPN MPLS and DMVPN INET to the Branch MC/BR and BR routers]

Branch Site
•  These will always be a DMVPN spoke, and are stub sites where traffic transit is not allowed.
•  The local MC peers with the logical domain controller (aka Hub MC) to get its policies, and monitoring guidelines.

[Diagram: POP1 - HUB (Site ID = 10.1.0.10; MC1, BR1, BR2) and POP2 - TRANSIT (Site ID = 10.2.0.20; MC2, BR3, BR4); IWAN Peering over DMVPN MPLS and DMVPN INET to the Branch MC/BR and BR routers]

WAN Interface Discovery
•  Hub and Transit BRs have path names and path identifier manually defined
   –  Path name identifies a Transport
   –  Path Identifier (Path-id) is unique per site
•  Hub and Transit BRs send Discovery Packets with path names to all discovered sites
•  Path Discovery from the Hub Border Routers
   WAN Path is detected on the branch:
   -  Path Name
   -  POP-ID
   -  Path-Id
   -  DSCP

[Diagram: HUB SITE (Site ID = 10.1.0.10, Hub MC MC1, POP-ID 0) and TRANSIT SITE (Site ID = 10.2.0.20, Transit MC MC2, POP-ID 1); at each site Path MPLS Path-id 1 and Path INET Path-id 2; DMVPN MPLS and DMVPN INET to branches 10.3.1.0/24, 10.4.1.0/24, 10.5.1.0/24]

WAN Interface – Performance Monitors
•  PfR automatically configures 3 Performance Monitors instances (PMI) over every external interface
   •  Monitor1 – Site Prefix Learning (egress direction)
   •  Monitor2 – Aggregate Bandwidth per Traffic Class (egress direction)
   •  Monitor3 – Performance measurements (ingress direction)

[Diagram: BR with monitors 1, 2, 3 on each external interface]

Site Prefix Discovery
•  Every MC in the domain owns a Site Prefix database
•  Gives the mapping between site and prefixes
•  2 options:
   –  Static (Hub and Transit sites)
   –  Automatic Learning (Branch sites)

[Diagram: Site 3 router R31 (10.3.3.0/24) with monitor 1 on its DMVPN MPLS and DMVPN INET interfaces, advertising 10.3.3.0/24 through IWAN Peering]

Shared Prefixes (M)
IOS-XE 3.15, IOS 15.5(2)T

•  Prefix (10.1.0.0/16 in this example) can belong to multiple Sites.
•  Prefix associated with a list of site-ids
•  Flags:
   •  S – Learned from SAF (IWAN Peering)
   •  C – Configured
   •  M – Shared
•  A TC may be associated with more than 1 site

SITE-ID      PREFIXES       FLAGS
10.1.0.10    10.1.0.0/16    S,C,M
10.2.0.20    10.2.0.0/16    S,C,M
10.4.0.41    10.4.4.0/24    S

[Diagram: HUB SITE (Site ID = 10.1.0.10, Hub MC MC1, BR1, BR2, 10.1.0.0/16) and TRANSIT SITE (Site ID = 10.2.0.20, Transit MC MC2, BR3, BR4, 10.2.0.0/16); DMVPN MPLS and DMVPN INET to MC/BR R31 (10.3.3.0/24) and MC/BR R41 (10.4.4.0/24)]

PfRv3 Principles

Define PfR Traffic Policies

Define your Traffic Policy (Hub MC)
§  Identify Traffic Classes based on Application or DSCP
§  Performance thresholds (loss, delay and Jitter), Preferred Path
§  Centralized on a Domain Controller

CLASS               MATCH               ADMIN                                                   PERFORMANCE
Voice               DSCP, Application   Preferred: MPLS; Fallback: INET; Next Fallback: 4G      Delay threshold, Loss threshold, Jitter threshold
Interactive Video   DSCP, Application   Preferred: MPLS; Fallback: INET                         Delay threshold, Loss threshold, Jitter threshold
Critical Data       DSCP, Application   Preferred: MPLS; Fallback: INET                         Delay threshold, Loss threshold, Jitter threshold
Best Effort         DSCP, Application   -                                                       Delay threshold, Loss threshold, Jitter threshold

PfRv3 works on Traffic Class – DSCP Based
DSCP Based Policies

Prefix        DSCP   AppID   Dest Site   Next-Hop
10.3.3.0/24   EF     N/A     Site 3      ?
10.3.3.0/24   AF41   N/A     Site 3      ?
10.3.3.0/24   AF31   N/A     Site 3      ?
10.3.3.0/24   0      N/A     Site 3      ?
10.4.4.0/24   EF     N/A     Site 4      ?
10.4.4.0/24   AF41   N/A     Site 4      ?
10.4.4.0/24   AF31   N/A     Site 4      ?
10.4.4.0/24   0      N/A     Site 4      ?
10.5.5.0/24   EF     N/A     Site 5      ?
10.5.5.0/24   AF41   N/A     Site 5      ?
10.5.5.0/24   AF31   N/A     Site 5      ?
10.5.5.0/24   0      N/A     Site 5      ?

Traffic Class
§  Destination Prefix
§  DSCP Value
§  Application (N/A when DSCP policies used)

[Diagram: IWAN POP (R10, R11, R12) sending traffic with EF, AF41, AF31 and 0 over MPLS and INET to R31 (10.3.3.0/24), R41 (10.4.4.0/24), R51 and R52 (10.5.5.0/24)]

PfRv3 works on Traffic Class – Application Based
Application based Policies

Prefix        DSCP   AppID   Dest Site   Next-Hop
10.3.3.0/24   EF     N/A     Site 3      ?
10.3.3.0/24   AF41   App1    Site 3      ?
10.3.3.0/24   AF41   App2    Site 3      ?
10.3.3.0/24   AF41   N/A     Site 3      ?
10.3.3.0/24   AF31   N/A     Site 3      ?
10.3.3.0/24   0      N/A     Site 3      ?
10.4.4.0/24   EF     N/A     Site 4      ?
10.4.4.0/24   AF41   App1    Site 4      ?
10.4.4.0/24   AF31   N/A     Site 4      ?
10.4.4.0/24   0      N/A     Site 4      ?
10.5.5.0/24   EF     N/A     Site 5      ?
10.5.5.0/24   AF41   App2    Site 5      ?
10.5.5.0/24   AF31   N/A     Site 5      ?
10.5.5.0/24   0      N/A     Site 5      ?

Traffic Class
§  Destination Prefix
§  DSCP Value
§  Application (N/A when DSCP policies used)

[Diagram: IWAN POP (R10, R11, R12) sending traffic with EF, AF41, AF31 and 0, App1, App2, etc over MPLS and INET to R31 (10.3.3.0/24), R41 (10.4.4.0/24), R51 and R52 (10.5.5.0/24)]

Performance Monitoring
Passive Monitoring

[Diagram: user traffic from SITE1 (CPE1, CPE2) over MPLS and INET to SITE2 (Dual CPE: CPE11, CPE12) and SITE3 (Single CPE: CPE10), with monitors 2 and 3 marked on the CPE interfaces]

Bandwidth on egress
•  Per Traffic Class (dest-prefix, DSCP, AppName)

Performance Monitor
•  Collect Performance Metrics
•  Per Channel
   -  Per DSCP
   -  Per Source and Destination Site
   -  Per Interface

Performance Monitoring
Smart Probing

[Diagram: user traffic from SITE1 (CPE1, CPE2) over MPLS and INET to SITE2 (Dual CPE: CPE11, CPE12) and SITE3 (Single CPE: CPE10), with monitors 2 and 3 marked on the CPE interfaces]

Integrated Smart Probes
•  Traffic driven – intelligent on/off
•  Site to site and per DSCP

Performance Monitor
•  Collect Performance Metrics
•  Per Channel
   -  Per DSCP
   -  Per Source and Destination Site
   -  Per Interface

Channels Between Central and Branch Sites

Present Channel 10
•  Site 1
•  DSCP AF41
•  MPLS
•  Path 1

Present Channel 11
•  Site 1
•  DSCP AF41
•  MPLS
•  Path 2

Backup Channel 12
•  Site 1
•  DSCP AF41
•  INET
•  Path 3

[Diagram: IWAN POP (Hub MC MC1, 10.1.0.10/32; BR1, BR2, BR3) over MPLS and INET to R10, R11, R12, R13 (10.3.3.0/24, 10.4.4.0/24, 10.5.5.0/24)]

Channel Between Branch Sites

Present Channel 13
•  Site 4
•  DSCP EF
•  MPLS

Backup Channel 14
•  Site 4
•  DSCP EF
•  INET

[Diagram: IWAN POP (Hub MC MC1, 10.8.3.3/32; BR1, BR2) over MPLS and INET to R31, R41, R51, R52 (10.3.3.0/24, 10.4.4.0/24, 10.5.5.0/24)]

Performance Violation

[Diagram: SITE1 (CPE1, CPE2) over MPLS and INET to SITE2 (Dual CPE: CPE11, CPE12) and SITE3 (Single CPE: CPE10)]

ALERT – Threshold Crossing Alert (TCA)
•  From Destination site
•  Sent to source site
•  Loss, delay, jitter, unreachable

Policy Decision

[Diagram: user traffic between SITE1 (CPE1, CPE2) and SITE2 (Dual CPE: CPE11, CPE12) and SITE3 (Single CPE: CPE10) over MPLS and INET]

•  Reroute Traffic to a Secondary Path
•  PfR Dataplane Route control

Deploying IWAN Intelligent Path Control

Cisco IWAN Enterprise Management Portfolio
Products shown: IWAN App, Prime Infrastructure, Cisco Ecosystem Partners

Prescriptive Policy Automation
•  Customer wants considerable automation and operational simplicity
•  Requirements consistent with prescriptive IWAN Validated Design
•  Lean IT organization

Enterprise Network Mgmt and Monitoring
•  Customer needs customizable IWAN with end-to-end monitoring
•  One Assurance across Cisco portfolio from Branch to Datacenter
•  IT Network team

Application Aware Performance Mgmt
•  Customer looking for advanced monitoring and visualization
•  QoS/PfR/AVC configuration, Real-time analytics and network troubleshooting
•  IT Network team

Advanced Orchestration
•  Customer wants advanced provisioning, life cycle management, and customized policies
•  System-wide network consistency assurance
•  Lean IT OR IT Network team

IWAN Deployment – DMVPN
•  IWAN Prescriptive Design – Transport Independent Design based on DMVPN
•  Branch spoke sites establish an IPsec tunnel to and register with the hub site
•  Data traffic flows over the DMVPN tunnels
•  WAN interface IP address used for the tunnel source address (in a Front-door VRF)
•  One tunnel per user inside VRF
•  Per-tunnel QoS is applied to prevent hub site oversubscription to spoke sites

[Diagram: Site1 (R10, R11, R12; 10.1.0.0/16) and Site2 (R20, R21, R22; 10.2.0.0/16) joined by DCI / WAN Core; MPLS and INET to R31, R41, R51, R52 (10.3.3.0/24, 10.4.4.0/24, 10.5.5.0/24)]

Using Front Door VRF
Keeping the Default Routes in Separate VRFs

[Diagram: Customer routing context (Global table); FVRF_SP1 (SP1 routing context); FVRF_SP2 (SP2 routing context)]

vrf definition FVRF_SP1
 !
 address-family ipv4
 exit-address-family
!
! keyring lives in the front-door VRF; 0.0.0.0 0.0.0.0 matches any peer address
crypto keyring DMVPN vrf FVRF_SP1
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
interface Tunnel0
 ip address 172.50.1.1 255.255.255.0
 ip nhrp authentication HBfR3lpl
 ip nhrp map multicast 3.3.3.3
 ip nhrp map 172.50.1.254 3.3.3.3
 ip nhrp network-id 1
 ip nhrp nhs 172.50.1.254
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf FVRF_SP1
 tunnel protection ipsec profile dmvpn
!
interface GigabitEthernet 0/0
 description WAN interface to ISP in vrf
 ! a VRF created with "vrf definition" is attached with "vrf forwarding";
 ! it comes before the address because changing the VRF clears the interface IP
 vrf forwarding FVRF_SP1
 ip address dhcp
!
interface GigabitEthernet 0/1
 description LAN interface In Global Table

•  Different default routes possible within global table and towards SP infrastructure
•  Configuration towards SP simplified, allows for simple swap

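A check for the front-door VRF layout shown above, as an added example that is not part of the original deck or Cisco tooling: it verifies that each tunnel's source interface sits in the VRF named by `tunnel vrf`, that tunnel protection is applied, and reports crypto keyrings whose pre-shared key is bound to 0.0.0.0 0.0.0.0 (any peer address). The function names and finding labels are hypothetical; the sample text is a trimmed, constructed copy of the slide's configuration with the key replaced by a placeholder.

```python
import re

# Constructed input: trimmed copy of the slide's front-door VRF configuration.
SAMPLE_OK = """\
vrf definition FVRF_SP1
 address-family ipv4
 exit-address-family
!
crypto keyring DMVPN vrf FVRF_SP1
 pre-shared-key address 0.0.0.0 0.0.0.0 key <key>
!
interface Tunnel0
 ip address 172.50.1.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf FVRF_SP1
 tunnel protection ipsec profile dmvpn
!
interface GigabitEthernet 0/0
 vrf forwarding FVRF_SP1
 ip address dhcp
!
interface GigabitEthernet 0/1
 description LAN interface In Global Table
"""
# Constructed variant: WAN interface left in the global table, tunnel protection removed.
SAMPLE_BAD = SAMPLE_OK.replace(" vrf forwarding FVRF_SP1\n", "").replace(
    " tunnel protection ipsec profile dmvpn\n", "")


def parse_blocks(config):
    """Map each top-level config line to the indented lines beneath it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] != " ":
            current = blocks.setdefault(raw.strip(), [])
        elif current is not None:
            current.append(raw.strip())
    return blocks


def norm_if(name):
    """'GigabitEthernet 0/0' and 'GigabitEthernet0/0' name the same interface."""
    return re.sub(r"\s+", "", name).lower()


def child_value(children, prefix):
    """Return the argument of the first child line starting with prefix, else None."""
    for line in children:
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:].strip()
    return None


def audit_fvrf(config):
    """Return (object, finding) tuples for the front-door VRF checks."""
    blocks = parse_blocks(config)
    interfaces = {norm_if(h.split(None, 1)[1]): c for h, c in blocks.items()
                  if h.lower().startswith("interface ")}
    findings = []
    for name, children in interfaces.items():
        if not name.startswith("tunnel"):
            continue
        tunnel_vrf = child_value(children, "tunnel vrf")
        if tunnel_vrf is None:
            findings.append((name, "no-front-door-vrf"))
            continue
        source = child_value(children, "tunnel source") or ""
        src_children = interfaces.get(norm_if(source), [])
        src_vrf = (child_value(src_children, "vrf forwarding")
                   or child_value(src_children, "ip vrf forwarding"))
        if src_vrf != tunnel_vrf:
            findings.append((name, "source-not-in-tunnel-vrf"))
        if child_value(children, "tunnel protection ipsec profile") is None:
            findings.append((name, "tunnel-unprotected"))
    for header, children in blocks.items():
        if header.startswith("crypto keyring "):
            if any(c.startswith("pre-shared-key address 0.0.0.0 0.0.0.0 ") for c in children):
                findings.append((header.split()[2], "wildcard-psk"))
    return findings


if __name__ == "__main__":
    for label, text in (("slide config", SAMPLE_OK), ("constructed variant", SAMPLE_BAD)):
        print(label, audit_fvrf(text))
```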
Overlay Routing - Which protocol should I use?
•  IWAN Profiles are based upon BGP and EIGRP for scalability and optimal Intelligent Path Control
•  Intelligent Path Control:
   •  PfR can be used with any routing protocols by relying on the routing table (RIB).
   •  Requires all valid WAN paths be ECMP so that each valid path is in the RIB.
   •  For BGP and EIGRP, PfR can look into the protocol’s topology information to determine both best paths and secondary paths; thus, ECMP is not required.
•  PfRv3 always checks for a parent route before being able to control a Traffic Class. Parent route check is done as follows:
   •  Check to see if there is an NHRP shortcut route
   •  If not – Check in the order of BGP, EIGRP, Static and RIB
   •  Make sure that all Border Routers have a route over each external path to the destination sites. PfR will NOT be able to effectively control traffic otherwise.

IWAN Deployment – EIGRP
•  Single EIGRP process for Branch, WAN and POP/hub sites
•  Extend Hello/Hold timers for WAN
•  Adjust tunnel interface “delay” to ensure WAN path preference (MPLS primary, INET secondary)
•  Hubs
   –  Disable Split-Horizon
   –  Advertise Site summary, enterprise summary, default route to spokes
   –  Summary metrics: A summary-metric is used to reduce computational load on the DMVPN hubs.
   –  Ingress filter on tunnels.
•  Spokes
   –  EIGRP Stub-Site functionality builds on stub functionality that allows a router to advertise itself as a stub to peers on specified WAN interfaces, but allows for it to exchange routes learned on LAN interface

[Diagram: Site1 (R10, R11, R12) and Site2 (R20, R21, R22) joined by DCI / WAN Core; MPLS and INET to EIGRP Stub Site routers R31, R41, R51, R52 (10.3.3.0/24, 10.4.4.0/24, 10.5.5.0/24); interfaces annotated with Delay values 1000, 2000, 20000, 24000 and 25000; callout: Set Tunnel Delay to influence best path]

IWAN Deployment – BGP
•  A single iBGP routing domain is used
•  Appropriate Hello/Hold timers for WAN
•  Hub
   –  DMVPN hub routers function as BGP route-reflectors for the spokes.
   –  No BGP peering between RR.
   –  BGP dynamic peer feature configured on the route-reflectors
   –  Site specific prefixes, Enterprise summary prefix and default route advertised to spokes
   –  Set local preference for all prefixes
   –  Redistribute BGP into local IGP with a defined metric cost to attract traffic from the central sites to the spokes across MPLS.
•  Spokes
   –  Peer to Hub/Transit BRs in each DMVPN cloud
   –  Mutual redistribution OSPF/BGP
   –  Set a route tag to identify routes redistributed from BGP
   –  Preferred path is MPLS due to highest Local Preference

[Diagram: Site1 (R10, R11, R12) and Site2 (R20, R21, R22) joined by DCI / WAN Core, OSPF at the sites with Metric: 1000 and Metric: 2000; hub BR local preference values LP 100000, LP 20000, LP 3000, LP 400; MPLS and INET to R31, R41, R51, R52 (OSPF; 10.3.3.0/24, 10.4.4.0/24, 10.5.5.0/24)]

PfR Deployment – Hub

MC, R10:
domain IWAN
 vrf default
  master hub
   source-interface Loopback0
   enterprise-prefix prefix-list ENTERPRISE_PREFIX
   site-prefixes prefix-list SITE_PREFIX

BR, R11:
domain IWAN
 vrf default
  border
   master 10.1.0.10
   source-interface Loopback0
!
interface Tunnel100
 description -- Primary Path --
 domain IWAN path MPLS path-id 1 <zero-sla> <path-last-resort>

•  Enterprise Prefix: summary prefix for the entire domain
•  Site Prefix: Disable automatic learning – Mandatory
•  POP Id is 0
•  Path ID unique per Site

[Diagram: HUB SITE (Site ID = 10.1.0.10; Hub MC R10, POP ID 0; R11 Path MPLS Id 1, R12 Path INET Id 2) and R20, R21, R22; DMVPN MPLS and DMVPN INET to R31, R41, R51, R52 (10.3.3.0/24, 10.4.4.0/24, 10.5.5.0/24)]

PfR Deployment – Transit Site

MC, R20:
domain IWAN
 vrf default
  master transit 1
   source-interface Loopback0
   site-prefixes prefix-list SITE_PREFIX
   hub 10.1.0.10

BR, R21:
domain IWAN
 vrf default
  border
   master 10.2.0.20
   source-interface Loopback0
!
interface Tunnel100
 description -- Primary Path --
 domain IWAN path MPLS path-id 1 <zero-sla> <path-last-resort>

•  Site Prefix: Disable automatic learning – Mandatory
•  POP Id unique per domain
•  Path ID unique per Site
•  Peering with Hub MC

[Diagram: HUB SITE (Site ID = 10.1.0.10; R10, R11, R12) and TRANSIT SITE (Site ID = 10.2.0.20; Transit MC R20, POP ID 1; R21 Path MPLS Id 1, R22 Path INET Id 2); DMVPN MPLS and DMVPN INET to R31, R41, R51, R52 (10.3.3.0/24, 10.4.4.0/24, 10.5.5.0/24)]

PfR Deployment – Single CPE Branch

R31, R41:
domain IWAN
 vrf default
  master branch
   source-interface Loopback0
   hub 10.1.0.10
  border
   master local
   source-interface Loopback0

•  MC/BR colocated
•  Branch MCs connect to the Hub

[Diagram: HUB SITE (Site ID = 10.1.0.10; R10, R11, R12) and TRANSIT SITE (Site ID = 10.2.0.20; R20, R21, R22); DMVPN MPLS and DMVPN INET to R31, R41, R51, R52 (10.3.3.0/24, 10.4.4.0/24, 10.5.5.0/24)]

PfR Deployment – Dual CPE Branch

R51:
domain IWAN
 vrf default
  master branch
   source-interface Loopback0
   hub 10.1.0.10
  border
   master local
   source-interface Loopback0

R52:
domain IWAN
 vrf default
  border
   master 10.5.0.51
   source-interface Loopback0

•  Branch MCs connect to the Hub
•  Make sure there is a direct connection between BRs

[Diagram: HUB SITE (Site ID = 10.1.0.10; R10, R11, R12) and TRANSIT SITE (Site ID = 10.2.0.20; R20, R21, R22); DMVPN MPLS and DMVPN INET to R31, R41, R51, R52 (10.3.3.0/24, 10.4.4.0/24, 10.5.5.0/24)]

PfR Policies – DSCP or App Based

domain IWAN
 vrf default
  master hub
   load-balance
   class MEDIA sequence 10
    match application <APP-NAME1> policy real-time-video
    ! Custom thresholds
    match application <APP-NAME2> policy custom
     priority 1 one-way-delay threshold 200
     priority 2 loss threshold 1
    path-preference MPLS fallback INET
   class VOICE sequence 20
    ! Pre-defined thresholds
    match dscp <DSCP-VALUE> policy voice
    path-preference MPLS fallback INET
   class CRITICAL sequence 30
    match dscp af31 policy low-latency-data

•  When load balancing is enabled, PfRv3 adds a “default class for match all DSCP (lowest priority compared to all the other classes)” and PfRv3 controls this traffic.
•  When load balancing is disabled, PfRv3 deletes this “default class” and as a part of that frees up the TCs that were learnt as a part of LB – they follow the routing table

PfR Policies – Built-in Policy Templates
For Your Reference

Pre-defined Template   Threshold Definition
Voice                  priority 1 one-way-delay threshold 150 (msec)
                       priority 2 packet-loss-rate threshold 1 (%)
                       priority 2 byte-loss-rate threshold 1 (%)
                       priority 3 jitter 30 (msec)
Real-time-video        priority 1 packet-loss-rate threshold 1 (%)
                       priority 1 byte-loss-rate threshold 1 (%)
                       priority 2 one-way-delay threshold 150 (msec)
                       priority 3 jitter 20 (msec)
Low-latency-data       priority 1 one-way-delay threshold 100 (msec)
                       priority 2 byte-loss-rate threshold 5 (%)
                       priority 2 packet-loss-rate threshold 5 (%)
Bulk-data              priority 1 one-way-delay threshold 300 (msec)
                       priority 2 byte-loss-rate threshold 5 (%)
                       priority 2 packet-loss-rate threshold 5 (%)
Best-effort            priority 1 one-way-delay threshold 500 (msec)
                       priority 2 byte-loss-rate threshold 10 (%)
                       priority 2 packet-loss-rate threshold 10 (%)
scavenger              priority 1 one-way-delay threshold 500 (msec)
                       priority 2 byte-loss-rate threshold 50 (%)
                       priority 2 packet-loss-rate threshold 50 (%)

PfR Policies – Transit Site Preference
•  Transit Site Preference is used in the context of a Multiple Transit Site deployment with the same set of prefixes advertised from all central sites.
•  A specific Transit site is preferred for a specific prefix, as long as there are available ‘in policy’ channels for this site.
•  Based on routing metrics and advertised mask length in routing
•  Transit Site preference is a higher priority filter and takes precedence over path-preference.
•  Transit Site Affinity introduced in 15.5(3)M1 and XE 3.16.1

Transit Site Affinity is enabled by default. To disable use:

domain IWAN
 vrf default
  master hub
   advanced
    no transit-site-affinity

PfR Policies – Path Preference
•  With Path Preference configured, PfR will first consider all the links belonging to the preferred path preference (i.e. it will include the active and the standby links belonging to the preferred path) and will then use the fallback provider links.
•  Without Path Preference configured, PfR will give preference to the active channels and then the standby channels (active/standby will be per prefix) with respect to the performance and policy decisions
•  Note that the Active and Standby channels per prefix will span across the POPs.
•  Spoke will randomly (hash) choose the active channel

Load Balancing
•  Current Situation
   -  Load balancing works on physical links
   -  Load sharing on NH on the same DMVPN network (XE 3.16.1 and IOS 15.5(3)M1):
      -  between R11 and R21
      -  between R12 and R22
•  Default Classes TCs
   -  Load balancing at any time (not only at creation time).
   -  TC will be moved to ensure bandwidth on all links is within the defined range
•  Performance TCs
   -  Initial load-balancing while placing the TCs, on a per TC basis. PfR does not account for the TCs getting fatter.

[Diagram: HUB SITE (Site ID = 10.1.0.10; Hub MC R10, POP ID 0; R11 Path MPLS Id 1, R12 Path INET Id 2) and TRANSIT SITE (Site ID = 10.2.0.20; Transit MC R20, POP ID 1; R21 Path MPLS Id 1, R22 Path INET Id 2), both sites showing 10.1.0.0/16 and 10.2.0.0/16; MPLS and INET to R31]

Unreachable Timer
•  Channel Unreachable
•  PfRv3 considers a channel reachable as long as the site receives a PACKET on that channel
•  A channel is declared unreachable in both directions if
   •  There is NO traffic on the Channel, probes are the only way of detecting unreachability. So if no probe is received within 1 sec, PfR detects unreachability.
   •  When there IS traffic on the channel, if PfR does not see any packet for more than a second on a channel PfR detects unreachability.

Default: 1 Sec
Recommended: 4 sec

Advanced options – with 3.16 15.5(3)S / 15.5(3)M

channel-unreachable-timer 4

[Diagram: HUB SITE (Site ID = 10.1.0.10; Hub MC R10, POP ID 0; R11 Path MPLS Id 1, R12 Path INET Id 2) and TRANSIT SITE (Site ID = 10.2.0.20; Transit MC R20, POP ID 1; R21 Path MPLS Id 1, R22 Path INET Id 2); DMVPN MPLS and DMVPN INET to R31 (10.3.3.0/24)]

Failover Time
•  Ingress Performance Violation detected
   •  Delay, loss or jitter thresholds
   •  Based on Monitor-interval

domain IWAN
 vrf default
  master hub
   monitor-interval 4 dscp ef
   monitor-interval 4 dscp af41
   monitor-interval 4 dscp cs4
   monitor-interval 4 dscp af31

[Diagram: HUB SITE (Site ID = 10.1.0.10; Hub MC R10, POP ID 0; R11 Path MPLS Id 1, R12 Path INET Id 2) and TRANSIT SITE (Site ID = 10.2.0.20; Transit MC R20, POP ID 1; R21 Path MPLS Id 1, R22 Path INET Id 2); DMVPN MPLS and DMVPN INET to R31 (10.3.3.0/24)]

Path Selection
Direction from POPs to Spokes
•  Each POP is a unique site by itself and so it will only control traffic towards the spoke on the WANs that belong to that POP.
•  PfRv3 will NOT be redirecting traffic between POPs across the DCI or WAN Core. If it is required that all the links are considered from POP to spoke, then the customer will need to use a single MC.
•  Only one next hop (on branch) per DMVPN network
•  No PfR control between Transit Sites

[Diagram: HUB SITE (Site ID = 10.1.0.10; Hub MC R10, POP-ID 0; R11 Path MPLS Id 1, R12 Path INET Id 2) and TRANSIT SITE (Site ID = 10.2.0.20; Transit MC R20, POP-ID 1; R21 Path MPLS Id 1, R22 Path INET Id 2); DMVPN MPLS and DMVPN INET to R31 (10.3.3.0/24)]

Path Selection
Direction from Spokes to POPs
•  The spoke considers all the paths (multiple NHs) towards the POPs
•  The concept of "active" and "standby" next hops based on routing metrics and advertised mask length in routing is used to gather information about the preferred POP for a given prefix.
•  Example: If the best metric for a given prefix is on DC1 then all the next hops on that DC for all the ISPs are tagged as active (only for that prefix).

[Diagram: DC1 (Site ID = 10.1.0.10; R10, 10.1.0.0/24; R11 Path MPLS Id 1, R12 Path INET Id 2) and DC2 (Site ID = 10.2.0.20; R20, 10.1.0.0/24; R21 Path MPLS Id 1, R22 Path INET Id 2); local preference values LP 100000, LP 20000, LP 3000, LP 400; DMVPN MPLS and DMVPN INET to R31 (10.3.3.0/24)]

Monitoring

NetFlow – PfRv3 Exporter Configuration

domain IWAN
 vrf default
  master hub
   collector 10.151.1.95 port 2055

•  Enable exporter on the Hub MC
•  Distributed through SAF to all MCs and BRs in the domain
•  Cisco Prime Infrastructure 3.0
•  LiveAction 4.3
•  All records available at:
   •  http://docwiki.cisco.com/wiki/PfRv3:Reporting

[Diagram: IWAN POP (Hub MC MC1, 10.1.0.10/32; R10, R11, R12) over MPLS and INET to R31, R41, R51, R52]

PfRv3 Syslogs
IOS-XE 3.16, IOS 15.5(3)M

•  Syslog messages for all major PfRv3 events
•  Use Cisco standard format (Facility-Severity-Mnemonic) for all syslogs with common Facility name 'DOMAIN'
•  Add TCA-ID to all syslogs to allow correlation of TCA syslog to PfR reaction syslog. If PfR action is not related to TCA then TCA-ID will be 0
•  Command '[no] logging' in domain submode; default is syslog on
•  Distributed through SAF to all MCs and BRs in the domain
•  http://docwiki.cisco.com/wiki/PfRv3:Syslogs
•  DOMAIN-2-IME
•  DOMAIN-2-IME_DETAILS
•  DOMAIN-4-MC_SHUTDOWN
•  DOMAIN-5-TCA
•  DOMAIN-6-TC_CTRL
•  DOMAIN-5-TC_PATH_CHG
•  DOMAIN-3-PLR_INT_CFG
•  DOMAIN-5-MC_STATUS

Sample message:

*Jun 1 18:50:41.104: %DOMAIN-5-TC_PATH_CHG: Traffic class Path Changed. Details: Instance=0: VRF=default: Source Site ID=10.8.3.3: Destination Site ID=10.2.11.11: Reason=Delay: TCA-ID=4: Policy Violated=VOICE: TC=[Site id=10.2.11.11, TC ID=6, Site prefix=10.1.11.0/24, DSCP=ef(46), App ID=0]: Original Exit=[CHAN-ID=14, BR-IP=10.8.4.4, DSCP=ef[46], Interface=Tunnel100, Path=MPLS[label=0:0 | 0:1 [0x1]]]: New Exit=[CHAN-ID=13, BR-IP=10.8.5.5, DSCP=ef[46], Interface=Tunnel200, Path=INET[label=0:0 | 0:2 [0x2]]]

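Correlating path changes by TCA-ID, as the slide describes, needs a parser that copes with the nested brackets in the message. The following Python is an added example, not from the presentation or from Cisco: it parses the slide's TC_PATH_CHG message plus constructed lines in the same layout, separates TCA-driven changes from those with TCA-ID 0, and counts moves per traffic class. The function names and the repeat threshold of 3 are assumptions of this example.

```python
import re
from collections import Counter

# Layout of the TC_PATH_CHG message shown on the slide. Only the first sample
# line reproduces the slide; the others are constructed for this example.
LAYOUT = (
    "*Jun 1 {ts}: %DOMAIN-5-TC_PATH_CHG: Traffic class Path Changed. Details: "
    "Instance=0: VRF=default: Source Site ID=10.8.3.3: "
    "Destination Site ID=10.2.11.11: Reason={reason}: TCA-ID={tca}: "
    "Policy Violated=VOICE: TC=[Site id=10.2.11.11, TC ID=6, "
    "Site prefix=10.1.11.0/24, DSCP=ef(46), App ID=0]: "
    "Original Exit=[{old}]: New Exit=[{new}]"
)
MPLS_EXIT = ("CHAN-ID=14, BR-IP=10.8.4.4, DSCP=ef[46], Interface=Tunnel100, "
             "Path=MPLS[label=0:0 | 0:1 [0x1]]")
INET_EXIT = ("CHAN-ID=13, BR-IP=10.8.5.5, DSCP=ef[46], Interface=Tunnel200, "
             "Path=INET[label=0:0 | 0:2 [0x2]]")
SAMPLE_LOG = [
    # the slide's message
    LAYOUT.format(ts="18:50:41.104", reason="Delay", tca=4, old=MPLS_EXIT, new=INET_EXIT),
    # constructed: unrelated syslog line that must be skipped
    "*Jun 1 18:50:42.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel200, changed state to up",
    # constructed: same traffic class moved back after a loss TCA
    LAYOUT.format(ts="18:52:10.300", reason="Loss", tca=5, old=INET_EXIT, new=MPLS_EXIT),
    # constructed: TCA-ID 0 (not related to a TCA); the Reason text is a placeholder
    LAYOUT.format(ts="18:55:02.750", reason="Constructed", tca=0, old=MPLS_EXIT, new=INET_EXIT),
]

HEADER = re.compile(r"%(?P<facility>[A-Z]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*)$")


def split_top_level(text, sep):
    """Split on sep, ignoring separators nested inside [...] groups."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        elif ch == sep and depth == 0:
            parts.append(text[start:i].strip())
            start = i + 1
    parts.append(text[start:].strip())
    return parts


def parse_fields(text, sep):
    """Parse 'Key=Value' items; a value wrapped in [...] becomes a nested dict."""
    fields = {}
    for part in split_top_level(text, sep):
        key, eq, value = part.partition("=")
        if not eq:
            continue
        if value.startswith("[") and value.endswith("]"):
            value = parse_fields(value[1:-1], ",")
        fields[key.strip()] = value
    return fields


def parse_path_change(line):
    """Return a flat record for a DOMAIN TC_PATH_CHG line, or None for anything else."""
    m = HEADER.search(line)
    if not m or m["facility"] != "DOMAIN" or m["mnemonic"] != "TC_PATH_CHG":
        return None
    f = parse_fields(m["text"].partition("Details: ")[2], ":")
    try:
        return {
            "tca_id": int(f["TCA-ID"]),
            "reason": f["Reason"],
            "policy": f["Policy Violated"],
            "dst_site": f["Destination Site ID"],
            "prefix": f["TC"]["Site prefix"],
            "dscp": f["TC"]["DSCP"],
            "old_path": f["Original Exit"]["Path"].split("[")[0],
            "new_path": f["New Exit"]["Path"].split("[")[0],
            "old_br": f["Original Exit"]["BR-IP"],
            "new_br": f["New Exit"]["BR-IP"],
        }
    except (KeyError, TypeError, ValueError):
        return None  # truncated or unexpected layout


def summarise(lines, repeat_threshold=3):
    """Group path changes by TCA relation and flag traffic classes that keep moving."""
    events = [e for e in map(parse_path_change, lines) if e]
    moves = Counter((e["dst_site"], e["prefix"], e["dscp"]) for e in events)
    return {
        "tca_driven": [e for e in events if e["tca_id"] != 0],
        "not_tca_related": [e for e in events if e["tca_id"] == 0],
        "repeat_movers": {tc: n for tc, n in moves.items() if n >= repeat_threshold},
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(key, value)
```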
Key Takeaways

Performance Routing – Platform Support

Platform                                                Roles
Cisco CSR-1000                                          MC, BR (1)
Cisco ASR-1000                                          MC, BR
Cisco ISR 4000 (4400, 4300)                             MC, BR
Cisco ISR G2 family (3900-AX, 2900-AX, 1900-AX, 890)    MC, BR

(1) XE 3.18

IWAN 2.1 – HUB-MC Scaling
XE 3.16.2

Platform            Scale
ASR 1002-X          2000 sites
ASR 1001-X          1000 sites
ISR 4451            200 sites
ISR 4431            50 sites
CSR1000v, 4 vCPU    2000 sites
CSR1000v, 2 vCPU    500 sites
CSR1000v, 1 vCPU    200 sites

Performance Routing v3 – Phases

IOS 15.4(3)M, IOS-XE 3.13
•  PfR Domain
•  One touch provisioning
•  Auto Discovery of sites
•  NBAR2 support
•  Passive Monitoring (performance monitor)
•  Smart Probing
•  VRF Awareness
•  IPv4/IPv6 (Future)
•  <10 lines of configuration and centralized

•  Blackout ~ sub second
•  Brownout ~ 2 sec
•  Scale 2000 sites

IOS 15.5(1)T, IOS-XE 3.14
•  Zero SLA
•  WCCP Support

IOS 15.5(2)T, IOS-XE 3.15
•  Transit Sites
•  Multiple Next Hop per DMVPN
•  Multiple POPs
•  Syslog (TCA)
•  Show last 5 TCA

IOS 15.5(3)M, IOS-XE 3.16
•  Path of Last Resort
•  EIGRP IWAN Simplification (Stub site)

IOS 15.5(3)M1, IOS-XE 3.16.1
•  Transit Site Affinity

Key Takeaways
•  IWAN Intelligent Path Control pillar is based upon Performance Routing (PfR)
•  Maximizes WAN bandwidth utilization
•  Protects applications from performance degradation
•  Enables the Internet as a viable WAN transport
•  Provides multisite coordination to simplify network wide provisioning.
•  Application-based policy driven framework and is tightly integrated with existing AVC components.
•  Smart and Scalable multi-sites solution to enforce application SLAs while optimizing network resources utilization.
•  PfRv3 is the 3rd generation Multi-Site aware Bandwidth and Path Control/Optimization solution for WAN/Cloud based applications.
•  Available now on ISR-G2, ISR-4000, CSR1000v, ASR1k

Thank you

We’re ready. Are you?
