IWAN Lab Guide
IWANSEBC
Lab Guide
Overview
This guide presents the instructions and other information concerning the lab activities for
this course.
Outline
This guide includes these activities:
Lab Overview, Resources and Access Information
Lab 1: Navigating the Lab and Configuring Cisco Prime Building Blocks
Lab 2: Transport Independent Design using DMVPN
Lab 3: Application Optimization – Application Visibility
Lab 4: Application Optimization – QoS Control
Lab 5: Intelligent Path Control using PfRv3
Optional Lab: Application Optimization – using WAAS with Akamai
2 Intelligent WAN SE Boot Camp (IWANSEBC) v1.0 © 2014 Cisco Systems, Inc.
Lab Overview, Resources and Access Information
This lab activity is based on a real-life network with the following components:
Data Center
— Cisco ASR1001
— Cisco Prime
— Cisco WAAS Central Manager
— Cisco vWAAS
— Microsoft Domain Controller
— Microsoft SharePoint
— Windows 7 PC
Branch Office
— Cisco ISR-2911 w/UCSe
— Cisco vWAAS
— Windows 7 PC
Activity Objective
In this activity, you will learn how to access the lab and how to use the different components
(servers, clients, and network elements). You will also document some of the lab resources,
such as access credentials, and have this information ready so that you can come back to this
section and review it, if needed.
After completing this activity, you will be able to meet these objectives:
Understand the access method and tools used to connect to the lab.
Document lab access information and login credentials.
Visual Objective
The figure illustrates the lab topology for the IWAN solution.
The following table summarizes the access methods and login credentials used to access the lab
infrastructure. The red squares in the diagram above highlight the clickable items you will find
in your Student LabOps Portal. In your web browser's Student Portal, click on the items to
launch your terminal service or RDP client to access the highlighted devices, then use the
credentials below.
Device/Server Access Method Username Password
Terminal Server Telnet, IP Address:
Pods 1-4 - 128.107.217.130
Pods 5-10 – 128.107.217.131
Pods 11-20 128.107.217.136
Pods 21-30 128.107.65.194
labops
Branch Router term server labops, lab-cert
DC Router term server labops, lab-cert
Cloud Router telnet admin labops, labops
Cisco Prime Infrastructure https://10.10.0.3 root Pr1m3
UCS-E ESXi Server vSphere Client on Branch PC
student Iwanlab1
All WAAS appliances https://10.10.0.111:8443 admin default
SharePoint Server http://sharepoint/
Branch PC Remote Desktop:
Pods 1-9 128.107.217.15X:2001
Pod 10 128.107.217.160:2001
Pods 11-19 128.107.217.16X:2001
Pod 20 128.107.217.170:2001
Pod 21-30 128.107.65.215-225:2001
User: student Domain: PODX
*X = last digit of pod number.
** POD’s 10 and 20 are both Domain: POD10
Cisc0123
Datacenter PC Remote Desktop:
Pods 1-9 128.107.217.15X:2002
Pod 10 128.107.217.160:2002
Pods 11-19 128.107.217.16X:2002
Pod 20 128.107.217.170:2002
Pod 21-30 128.107.65.215-225:2002
User: student Domain: PODX
*X = last digit of pod number.
** POD’s 10 and 20 are both Domain: POD10
Cisc0123
Lab 1: Navigating the Lab and Configuring Cisco Prime Building Blocks
Activity Objective
In this activity, you will get acquainted with the lab topology and related components, while
testing connectivity and learning the current state of the solution. You will also use Cisco Prime
Infrastructure to verify and configure the building blocks for the rest of the activities.
After completing this activity, you will be able to meet these objectives:
Verify current network environment.
Originate test traffic and verify connectivity.
Discover Cisco Prime features and configure templates.
Visual Objective
The figure illustrates the lab topology you will be working with, as well as a visual reference of
the objectives of this lab.
Task 1: Verify Lab Infrastructure
In this task, you will connect to the lab equipment and verify its operation and
baseline settings.
Complete these steps:
Step 1 Connect to the terminal server using the information on the Lab Resources section of
this guide.
Step 2 Connect to the Branch Router by typing pX-2911 at the terminal server.
Note For the remainder of this lab guide, the X in italics represents your pod number in machine
names, host names, and IP addresses. Substitute your pod number for X, for instance for
Pod 1 the branch router is P1-2911.
Step 3 Verify the IOS version and hardware on this router with the show version
command. Notice the UCS-E module, a critical component of the Intelligent
WAN architecture.
POD4-BR-RTR#show version
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Wed 07-Nov-12 14:08 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
POD4-BR-RTR uptime is 9 weeks, 5 days, 26 minutes
System returned to ROM by power-on
System image file is "flash0:c2900-universalk9-mz.SPA.154-3.M.bin"
Last reload type: Normal Reload
Last reload reason: power-on
<…output omitted…>
Cisco CISCO2911/K9 (revision 1.0) with 2564032K/57344K bytes of memory.
Processor board ID FTX1702ALZ3
9 Gigabit Ethernet interfaces
2 terminal lines
1 Virtual Private Network (VPN) Module
1 cisco UCSE Module(s)
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)
License Info:
License UDI:
-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO2911/K9 FTX1702ALZ3
Technology Package License Information for Module:'c2900'
-----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
ipbase ipbasek9 Permanent ipbasek9
security securityk9 RightToUse securityk9
uc None None None
data datak9 RightToUse datak9
Configuration register is 0x2102
Step 4 You can also use the show diag command to learn more about the UCS-E hardware.
POD4-BR-RTR#show diag | begin Slot 1
Slot 1:
UCSE Single Wide Module Port adapter, 1 port
Port adapter is analyzed
Port adapter insertion time 9w5d ago
EEPROM contents at hardware discovery:
Hardware Revision : 1.0
Part Number : 74-10422-01
Deviation Number : 0
Fab Version : 01
PCB Serial Number : FOC16473XBN
RMA Test History : 00
RMA Number : 0-0-0-0
RMA History : 00
Product (FRU) Number : UCS-E140S-M1/K9
Version Identifier : V01
CLEI Code : IPUCBASBTA
Board Revision : A0
Base MAC Address : e02f.6de0.5886
MAC Address block size : 10
Platform features : 02 01 01 4B 00 00 00 00
01 01 05
EEPROM format version 4
EEPROM contents (hex):
0x00: 04 FF 40 0B 3F 41 01 00 82 4A 28 B6 01 88 00 00
0x10: 00 00 02 01 C1 8B 46 4F 43 31 36 34 37 33 58 42
0x20: 4E 03 00 81 00 00 00 00 04 00 CB 8F 55 43 53 2D
0x30: 45 31 34 30 53 2D 4D 31 2F 4B 39 89 56 30 31 20
0x40: D9 03 40 C1 CB C6 8A 49 50 55 43 42 41 53 42 54
0x50: 41 42 41 30 F3 00 06 40 0B E3 43 00 4B CF 06 E0
0x60: 2F 6D E0 58 86 43 00 0A C9 0B 02 01 01 4B 00 00
0x70: 00 00 01 01 05 FF FF FF FF FF FF FF FF FF FF FF
Embedded Service Engine 0/0 :
Total platform memory : 2621440K bytes
Total 2nd core memory : 0K bytes
Start of physical address for 2nd core : 0x80000000
Virtual address start of 2nd core memory : 0x0 - 0x0
2nd core configured disabled
L2 cache ways for 2nd core : 0
Step 5 Display the router’s interfaces to get acquainted with the physical and logical
topology of the lab. Notice the IP subnet location of the UCS-E service module on
the same subnet as the Branch Client PC.
POD4-BR-RTR#show ip interface brief | exclude unassigned
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.10.#3.2 YES NVRAM up up
GigabitEthernet0/1 10.10.#4.2 YES NVRAM up up
GigabitEthernet0/2 10.10.#1.1 YES NVRAM up up
ucse1/0 10.10.#1.1 YES unset up up
Loopback0 3.3.3.3 YES NVRAM up up
Tunnel10 10.10.#5.2 YES NVRAM up up
Step 6 The UCS-E module can use several interfaces for CIMC (Cisco Integrated Management
Controller) management. In this instance, you are using an internal PCIe interface on
the ISR G2 router, ucse1/0, for CIMC access. Use the show running-config
command to display the simple ucse1/0 configuration for such an environment.
POD4-BR-RTR#show run interface ucse1/0
interface ucse1/0
ip unnumbered GigabitEthernet0/2
imc ip address 10.10.#1.2 255.255.255.0 default-gateway 10.10.#1.1
imc access-port shared-lom console
end
Step 7 Notice that you are using unnumbered IP addresses, inheriting the IP address from
the router’s LAN interface. For this reason, static routes are needed to point to
specific IP addresses on the UCS-E module. The address 10.10.X1.2 is UCS’s
management IP address, while 10.10.X1.3 is the VMWare Hypervisor host and
10.10.X1.4 points to your vWAAS instance, which will be used later in lab 6.
POD4-BR-RTR#show ip route static
<…output omitted…>
Gateway of last resort is 10.10.#3.1 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
S 10.10.#1.2/32 is directly connected, ucse1/0
S 10.10.#1.3/32 is directly connected, ucse1/0
S 10.10.#1.4/32 is directly connected, ucse1/0
Step 8 Connect to the Data Center router, an ASR1K, with pX-asr1k—where X is the pod
number—through the term server and input your enable password.
Step 9 Display IOS information on the Data Center router using show version. Remember
to enter Enable mode with password lab-cert.
POD4-DC-RTR#show version
Cisco IOS XE Software, Version 03.13.00.S – Extended Support Release
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(3)S, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Tue 19-Nov-13 20:45 by mcpre
<…output omitted…>
Step 10 Use the show license command to verify the Advanced IP Services or Advanced
Enterprise Services licenses, as well as the AVC license, required for features such
as NBAR, Flexible NetFlow, and other AVC components. Advanced IP Services or
Advanced Enterprise Services licenses are enough for WAAS and the AppNav
solution.
POD4-DC-RTR#show license feature
Feature name Enforcement Evaluation Subscription Enabled RightToUse
adventerprise yes yes no yes yes
advipservices yes yes no no yes
ipbase no no no no no
avc yes yes no no yes
broadband no no no no no
broadband_4k no no no no no
cube_250 no no no no no
<…output omitted…>
Activity Verification
You have completed this task when you attain these results:
Verified basic settings on Branch and Data Center routers.
Task 2: Test Connectivity and Generate Application Traffic
In this task, you will generate traffic to test connectivity and traffic paths, and verify
access to the test applications.
Step 1 Connect to the Branch PC using the information on the Lab Resources section of
this guide. You will use the Branch PC for all traffic testing in this lab.
Step 2 Before you can generate traffic, verify the WAN Bridge is powered on and both 1 &
2 are running. WAN Bridge is hosted on the UCS-E module of the branch router. So
from the Branch PC, connect to the ESXi vCenter server on that module using the
information on the Lab Resources section of this guide.
Step 3 Turn off the vWAAS if it is on. We will turn this on later in Lab 5 as part of the
WAAS lab tasks. (This will ensure the vWAAS is reset to base configs)
Step 4 Verify that both WANBRIDGE-1 and 2 are set to option 3: 40ms Round trip delay
with .1% packet loss.
Step 5 You will now generate traffic for the test applications, namely Web Video, and
SharePoint. Start with Web Video using YouTube, by browsing from the Branch PC
to http://www.youtube.com/cisco.
Step 6 On the Cisco YouTube channel, click the search link to find videos on “IWAN”.
The search tool is located next to the Welcome link.
Step 7 Launch one of the IWAN videos, preferably the bundled title of several videos,
or a single video of more than 10 minutes in duration, and verify it plays. Try to
select the bundled title or a video with long duration in order to generate a large
enough sample.
Step 8 Still from the Branch PC, connect to the SharePoint server by browsing to
http://sharepoint.
Step 9 Click the Site Contents link on the left menu, and click the Site Collection
Documents.
Step 10 Download the 10MB and 15MB files from the list by clicking on their file names in
the list. Ensure that the download proceeds by looking at the bottom left corner of
the browser window.
Activity Verification
You have completed this task when you attain these results:
Both WAN Bridge virtual machines are operational.
Lab applications are reachable and operational.
Task 3: Discover Cisco Prime Features and Create Templates
In this task, you will navigate the general settings of the Cisco Prime server.
Step 1 Connect to the Data Center PC using the information on the Lab Resources section
of this guide. You will use the Data Center PC for all Prime configurations in
this lab.
Step 2 Using Chrome as your browser, connect to the Cisco Prime server on
http://10.10.0.3. Use the credentials on the Lab Resources section of this guide.
Note Click Proceed Anyway if presented with a certificate warning by your Chrome web browser
Step 3 The Monitoring Dashboards have many options to monitor health and traffic on the
discovered routers. Navigate to Operate>Monitoring
Dashboards>Performance>Network Interface and verify that no data is
displayed.
Step 4 To fix this you will deploy a monitoring template. Navigate to
Deploy>Configuration Deployment>Monitoring Deployment to push a
monitoring template to routers.
Step 5 Notice that the Interface Health template is not deployed by default, while the
Traffic Analysis Metrics template is deployed. Select the Interface Health template
from the list and click Deploy at the top of the list.
Note The Interface Health template will monitor basic interface metrics, such as packet and byte
counters, interface availability and utilization, and interface errors. This template has been
adjusted for this lab to monitor these metrics every minute, instead of the default 15 minutes.
Step 6 Click to select the Port Groups radio button.
Step 7 Expand the User Defined branch, click to select the “WAN Interfaces – Dynamic”
and “LAN Interfaces – Dynamic” port groups and click Submit.
Note “WAN Interfaces – Dynamic” and “LAN Interfaces – Dynamic” are pre-configured port groups
that include all WAN and LAN interfaces by dynamically matching their interface description
to the words “WAN” and “LAN”, respectively. You can navigate to Design>Management
Tools>Port Grouping to verify the configuration of this object. This modularity and object
reuse allows Cisco Prime administrators to streamline the configuration of Intelligent WANs.
Activity Verification
You have completed this task when you attain these results:
All lab routers are now managed by Cisco Prime Infrastructure.
Monitoring metrics are visible to Cisco Prime dashboards.
You have navigated the Cisco Prime building blocks (port groups, device groups,
configuration and monitoring templates).
Lab 2: Transport Independent Design using DMVPN
Activity Objective
In this activity, you will deploy a secure transport network using Hub & Spoke DMVPN.
After completing this activity, you will be able to meet these objectives:
Use Cisco Prime templates to deploy a hub & spoke DMVPN design between the Data
Center and the Branch
Customize Cisco Prime to monitor detailed DMVPN metrics.
Visual Objective
The figure illustrates the lab topology you will be working with, as well as a visual indication
of the objectives of this lab.
The detailed DMVPN topology is shown here, including the IP addressing and routing
protocol information.
Task 1: Verify Traffic Flows Before DMVPN
In this task, you will verify how traffic reaches the Data Center from the branch prior to the
deployment of DMVPN.
Step 1 Connect to the Branch PC using the information on the Lab Resources section of
this guide.
Step 2 Trace the SharePoint server and verify that the path includes the main WAN subnet,
10.10.X3.0/24 or 10.10.X4.0/24.
Note Refer to the visual objectives of this lab to clarify the lab topology, IP addressing,
and objectives.
Step 3 Connect to the terminal server using the information on the Lab Resources section of
this guide.
Step 4 Connect to the Branch Router by typing pX-2911 at the terminal server.
Step 5 Display the routing information learned from EIGRP autonomous system 100. This
is the transport routing protocol that will enable the establishment of the IPsec
tunnels. Notice that the device loopbacks, the Data Center LAN, 10.10.0.0/24, and
the default route to the Internet are currently being learned via this routing process.
POD4-BR-RTR#show ip route eigrp 100
<…output omitted…>
Gateway of last resort is 10.10.43.1 to network 0.0.0.0
D*EX 0.0.0.0/0 [170/3072] via 10.10.#3.1, 01:22:58, GigabitEthernet0/0
1.0.0.0/32 is subnetted, 1 subnets
D 1.1.1.1 [90/130816] via 10.10.#3.1, 01:22:58, GigabitEthernet0/0
2.0.0.0/32 is subnetted, 1 subnets
D 2.2.2.2 [90/131072] via 10.10.#3.1, 01:22:33, GigabitEthernet0/0
10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
D 10.10.0.0/24 [90/3072] via 10.10.#3.1, 01:22:58, GigabitEthernet0/0
Step 6 Display the routing information learned from EIGRP autonomous system 200. This
is the DMVPN routing protocol that will advertise the subnets that will be connected
via DMVPN. Notice that the Cloud Services LAN, 10.20.10.0/24 is currently being
learned via this routing process.
POD4-BR-RTR#show ip route eigrp 200
<…output omitted…>
Gateway of last resort is 10.10.#3.1 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
D 10.20.10.0/24 [80/3413504] via 10.10.#5.1, 01:22:47, Tunnel10
Activity Verification
You have completed this task when you attain these results:
Verified current traffic flows and routing topology.
Task 2: Configure the DMVPN Hub
In this task, you will configure the DC router as DMVPN Hub on Cisco Prime, creating a
DMVPN feature template.
Step 1 Connect to the Data Center PC using the information on the Lab Resources section
of this guide. You will use the Data Center PC for all Prime configurations in
this lab.
Step 2 Using Chrome as your browser, connect to the Cisco Prime server on
http://10.10.0.3. Use the credentials on the Lab Resources section of this guide.
Step 3 Navigate to Design>Feature Design, and expand the Features and Technologies
folder, then the Security folder. Click the DMVPN template.
Step 4 Name the new template DMVPN Hub.
Step 5 Under Template Detail, click the + sign on the IKE Authentication type dropdown,
and configure these settings:
Authentication Type: Pre-Shared key.
Pre-Shared key: Cisc0123
Confirm Pre-Shared key: Cisc0123
IKE Policies: select the PRE_SHARE/AES_256/SHA policy
Step 6 Click the – sign on the IKE Authentication dropdown to collapse the
authentication options.
Step 7 Click the + sign on the Encryption Policy dropdown.
Step 8 Click to select defaultPolicy, and click to edit the AH Integrity field.
Step 9 Select the “-Select-” entry from the dropdown. This will configure no protocol for
AH. Click Save to the left of the dropdown.
Note This box may close on you before you click “save”. If so, open it again to set the AH
Integrity. The AH Integrity field will be blank, with no protocol configured. You may have to
click + on the Encryption Policy dropdown again to review.
Step 10 Under Topology and Routing information, confirm that the template is set to “Create
dynamic connection between spokes”, and change the role to Hub.
Step 11 Set the EIGRP AS number to 200
Step 12 Configure these settings for the NHRP and Tunnel Parameters section
Network ID: 999
NHRP Authentication String: Cisc0123
Tunnel Key: 999
Step 13 Click Save as New Template, and click Save again to store the template under the
My Templates folder.
Note This template can now be used to configure all the hub routers in your DMVPN topology. It
can be deployed to all routers in one deployment job. In this case, the only DMVPN hub will
be the Data Center Router.
Step 14 The template is saved to the folder and it is automatically displayed. Click the
Deploy button at the bottom of the panel.
Step 15 In the Template Deployment window, under Device Selection expand the “ALL”
branch and select the PODX-DC-RTR router.
Step 16 In the Value Assignment section, configure these settings:
Physical interface: GigabitEthernet0/0/2
IP Address of this router's GRE Tunnel Interface: 172.16.99.1
Subnet Mask: 255.255.255.0
Step 17 Click Apply.
Step 18 Click the CLI Preview tab to get a glimpse of the actual configuration being pushed
to the router.
Note DMVPN is a good example of the power of Cisco Prime Infrastructure templates. In this
example, 20+ commands are sent to all spoke routers with a simple deployment action.
Step 19 Click OK to deploy the template.
Step 20 Navigate to Operate>Device Work Center, and select the PODX-DC-RTR device.
Step 21 In the panel at the bottom, navigate to the Configuration tab, and expand
the Interfaces folder under Feature Configuration. Remember to click on the
Interface option.
Step 22 You will notice the newly created Tunnel0 interface. It should be Up/Up, because
even though the spoke has not been configured, this is a multipoint GRE interface,
and it remains always up waiting for spoke routers to connect.
Note If the Tunnel0 interface is not part of the list, re-synchronize the DC router by selecting it on
the device list and clicking Sync. You will have to wait until the Inventory Collection Status
column shows Completed, and then you can go back to the interface list to verify.
Step 23 Click to edit the Tunnel0 interface, and configure a description of “WAN Interface –
DMVPN to Branches” and set the Bandwidth to 1500. It is extremely important to
type this in, rather than copy and paste from the document. Click Save.
Note Remember, by configuring this description to the interface you immediately make it part of a
dynamic port group that will be used to deploy other features later in this lab.
Step 24 The tunnel is also considered to be an inside interface for the purposes of NAT
translation. While still configuring the PODX-DC-RTR, expand the Security folder
in the Features panel on the left.
Step 25 Expand the NAT sub-folder and click the Interfaces option under that sub-folder.
Step 26 Click the radio button to select the Tunnel0 interface, and click Edit at the top of the
interface list. A drop-down menu appears next to the interface name.
Step 27 Select Inside from the drop-down, and click Save next to the drop-down.
Activity Verification
You have completed this task when you attain these results:
The DMVPN hub is configured and the tunnel interface shows Up/Up.
The tunnel interface is now ready to forward traffic according to your network
environment.
Task 3: Configure the DMVPN Spokes
In this task, you will use a Cisco Prime feature template to configure the branch router as a
DMVPN Spoke.
Step 1 Navigate to Design>Configuration>Feature Design, and expand the My
Templates folder.
Step 2 The DMVPN Spokes template is pre-created. Click to select it under the My
Templates folder.
Step 3 As expected, the configuration is very similar to the DMVPN hub. Scroll down to
the bottom of the template to notice the main difference: the spoke will have a
permanent tunnel to the hub to register and obtain NHRP information about other
spokes. The NHS Information section tells the spokes the location of the hub for
this purpose.
Note The example shown corresponds to pod 4
Step 4 Click Deploy at the bottom of the panel.
Step 5 In the Template Deployment window, expand the Site Groups branch of the Device
Selection section. Select the Power Branches site group.
Note Deploying the template to a site group results in streamlined configurations of multiple
branches at a time.
Step 6 In the Value Assignment section, configure these settings:
Physical interface: GigabitEthernet0/0
IP Address of this router's GRE Tunnel Interface: 172.16.99.2
Subnet Mask: 255.255.255.0
Step 7 Click Apply.
Step 8 Click OK to deploy the template.
Step 9 Navigate to Operate>Device Work Center, and select the PODX-BR-RTR device.
Step 10 In the panel at the bottom, navigate to the Configuration tab, and expand the
Interfaces folder by navigating to Feature Configuration>Interface.
Step 11 You will notice the newly created Tunnel11 interface. It should be Up/Up.
Note If the Tunnel11 interface is not part of the list, re-synchronize the Branch router by selecting
it on the device list and clicking Sync. You will have to wait until the Inventory Collection
Status column shows Completed, and then you can go back to the interface list to verify.
Step 12 Click to edit the Tunnel11 interface, and configure a description of “WAN Interface
– DMVPN to DC” and set the Bandwidth to 1500. It is extremely important to
type this in, rather than copy and paste from the document. Click Save.
Note Remember, by configuring this description to the interface you immediately make it part of a
dynamic port group that will be used to deploy other features later in this lab.
Activity Verification
You have completed this task when you attain these results:
The DMVPN spoke is configured and all tunnel interfaces are Up/Up.
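A consistency check for the hub and spoke tunnel settings deployed in Tasks 2 and 3, as an added example that is not part of the original lab guide and is not Cisco Prime's CLI Preview output. The sample configurations are constructed from the guide's template values and trimmed to the lines the audit reads; the IPsec profile name and all function names are placeholders.

```python
import ipaddress
import re

# Constructed hub stanza using the Task 2 values (tunnel 172.16.99.1/24,
# NHRP authentication string and tunnel key from the template).
HUB_CFG = """\
interface Tunnel0
 ip address 172.16.99.1 255.255.255.0
 ip nhrp authentication Cisc0123
 ip nhrp map multicast dynamic
 ip nhrp network-id 999
 tunnel source GigabitEthernet0/0/2
 tunnel mode gre multipoint
 tunnel key 999
 tunnel protection ipsec profile EXAMPLE-PROFILE
"""

# Constructed spoke stanza using the Task 3 values (tunnel 172.16.99.2/24).
SPOKE_CFG = """\
interface Tunnel11
 ip address 172.16.99.2 255.255.255.0
 ip nhrp authentication Cisc0123
 ip nhrp network-id 999
 ip nhrp nhs 172.16.99.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 999
 tunnel protection ipsec profile EXAMPLE-PROFILE
"""

# Constructed failure case: wrong tunnel key and no IPsec protection.
BAD_SPOKE_CFG = SPOKE_CFG.replace(" tunnel key 999\n", " tunnel key 998\n").replace(
    " tunnel protection ipsec profile EXAMPLE-PROFILE\n", "")

PATTERNS = {
    "address": re.compile(r"ip address (\S+) (\S+)$"),
    "nhrp_auth": re.compile(r"ip nhrp authentication (\S+)$"),
    "nhs": re.compile(r"ip nhrp nhs (\S+)"),
    "tunnel_key": re.compile(r"tunnel key (\d+)$"),
}


def tunnel_params(cfg):
    """Extract the DMVPN-relevant settings from one tunnel interface stanza."""
    params = {"protected": False}
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("tunnel protection ipsec profile "):
            params["protected"] = True
        for key, pattern in PATTERNS.items():
            m = pattern.match(line)
            if m:
                params[key] = "/".join(m.groups())
    if "address" not in params:
        raise ValueError("stanza has no 'ip address' line")
    params["address"] = ipaddress.ip_interface(params["address"])
    return params


def audit_pair(hub_cfg, spoke_cfg):
    """Return a list of findings; an empty list means the pair is consistent."""
    hub, spoke = tunnel_params(hub_cfg), tunnel_params(spoke_cfg)
    findings = []
    # Values that must be identical on both ends for the spoke to register.
    for key in ("nhrp_auth", "tunnel_key"):
        if hub.get(key) != spoke.get(key):
            findings.append(f"{key} mismatch: hub={hub.get(key)!r} spoke={spoke.get(key)!r}")
    # Without tunnel protection the GRE payload crosses the WAN unencrypted.
    for name, p in (("hub", hub), ("spoke", spoke)):
        if not p["protected"]:
            findings.append(f"{name}: no 'tunnel protection' line, GRE traffic is not encrypted")
    if hub["address"].network != spoke["address"].network:
        findings.append("hub and spoke tunnel addresses are in different subnets")
    if spoke.get("nhs") != str(hub["address"].ip):
        findings.append(f"spoke NHS {spoke.get('nhs')!r} is not the hub tunnel address")
    return findings


if __name__ == "__main__":
    print("good pair:", audit_pair(HUB_CFG, SPOKE_CFG) or "OK")
    for finding in audit_pair(HUB_CFG, BAD_SPOKE_CFG):
        print("bad pair:", finding)
```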
Task 4: Complete and Verify DMVPN Operations
At this point, the LAN subnets on each side of the DMVPN are advertised using the transport
routing protocol, EIGRP 100. In this task, you will tune routing protocol operations across the
DMVPN design to use the DMVPN routing protocol, EIGRP 200.
Step 1 Start with the DC router. To do this, navigate to Operate>Device Work Center,
and select the PODX-DC-RTR device.
Note If other devices are also selected, you will have to unselect them in order to edit the
individual router PODX-DC-RTR
Step 2 In the panel at the bottom, navigate to the Configuration tab, and expand the Routing
folder under Feature Configuration.
Step 3 Under EIGRP, expand AS 200 by clicking the arrow to the left of the number 200,
and click Add Row under “Routing Networks”.
Note You may have to scroll down using the scroll bars on the right, or better yet maximize the
whole Device Details panel (the whole bottom half of the screen) by dragging and moving
the upper edge of the panel upwards.
Step 4 Configure 10.10.0.0 with a wildcard mask 0.0.0.255 and click Save.
Step 5 Click Add Row again, and configure the DMVPN tunnel network, 172.16.99.0, with
a wildcard mask of 0.0.0.255, and click Save.
Step 6 Click Add Row again, and configure the Loopback address 1.1.1.1, with a wildcard
mask of 0.0.0.0, and click Save.
Step 7 Now expand AS 100, select the loopback network of 1.1.1.1, delete it from
AS 100, and click OK.
Step 8 Scroll to the very bottom of the EIGRP panel and click Save.
Note If you can’t find the Save button of step 6, scroll all the way down using the middle scroll bar
of the EIGRP panel.
Step 9 You will now adjust routing on the branch router. Back at the Device Group list,
deselect PODX-DC-RTR and select PODX-BR-RTR to configure the branch router
for DMVPN routing.
Step 10 In the panel at the bottom, navigate to the Configuration tab, and expand the Routing
folder under Feature Configuration.
Step 11 Click to select EIGRP under the routing folder.
Step 12 Expand AS 200 by clicking the arrow to the left of the number 200, and click Add
Row under “Routing Networks”.
Step 13 Configure the DMVPN tunnel network, 172.16.99.0, with a wildcard mask of
0.0.0.255.
Step 14 Configure the Loopback network, 3.3.3.3, with a wildcard mask of 0.0.0.0, and click
Save.
Step 15 Scroll to the very bottom of the EIGRP panel and click Save.
Step 16 Only after you have done step 15, expand AS 100, select the loopback network of
3.3.3.3, delete it from AS 100 (you may need to scroll down to see it), and click
OK.
Note The Branch LAN is already part of the routing process EIGRP 200 because it’s also the
source of the already existing DMVPN configuration toward the Cloud Services network.
Step 17 Scroll to the very bottom of the EIGRP panel and click Save.
Step 18 Connect to the Branch PC and verify that tracing the SharePoint server at 10.10.0.9
now uses the DMVPN. You should see devices in the 172.16.99.0/24 subnet as one
of the hops.
Step 19 There’s a reason for this. Connect to the Branch Router by typing pX-2911 at the
terminal server.
Step 20 Display the routing information learned from EIGRP autonomous system 200. The
DMVPN routing protocol now learns the Data Center LAN subnet, 10.10.0.0/24, as
well as the Internet default, via the newly created tunnel.
POD4-BR-RTR#sh ip route eigrp 200
<…output omitted…>
Gateway of last resort is 172.16.99.1 to network 0.0.0.0
D*EX 0.0.0.0/0 [160/26880256] via 172.16.99.1, 00:04:56, Tunnel11
1.0.0.0/32 is subnetted, 1 subnets
D 1.1.1.1 [80/3114496] via 172.16.99.1, 00:02:24, Tunnel11
10.0.0.0/8 is variably subnetted, 13 subnets, 2 masks
D 10.10.0.0/24 [80/2986752] via 172.16.99.1, 00:02:24, Tunnel11
D 10.20.10.0/24 [80/3413504] via 10.10.65.1, 00:02:24, Tunnel10
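One way to script the check in Steps 18 to 20, as an added example that is not part of the original lab guide: it parses show ip route text and reports any route to the Data Center LAN or the default route that does not leave through the DMVPN overlay (Tunnel11, next hop in 172.16.99.0/24). The function names are assumptions, and the "before" sample is constructed from the guide's EIGRP 100 capture with the # placeholder filled in for pod 4.

```python
import ipaddress
import re
from collections import namedtuple

Route = namedtuple("Route", "code prefix next_hop interface")

# Copied from the guide's post-change "show ip route eigrp 200" capture (pod 4).
AFTER_DMVPN = """\
Gateway of last resort is 172.16.99.1 to network 0.0.0.0
D*EX 0.0.0.0/0 [160/26880256] via 172.16.99.1, 00:04:56, Tunnel11
1.0.0.0/32 is subnetted, 1 subnets
D 1.1.1.1 [80/3114496] via 172.16.99.1, 00:02:24, Tunnel11
10.0.0.0/8 is variably subnetted, 13 subnets, 2 masks
D 10.10.0.0/24 [80/2986752] via 172.16.99.1, 00:02:24, Tunnel11
D 10.20.10.0/24 [80/3413504] via 10.10.65.1, 00:02:24, Tunnel10
"""

# Constructed "before" sample: the guide's EIGRP 100 capture with "#" set to 4.
BEFORE_DMVPN = """\
Gateway of last resort is 10.10.43.1 to network 0.0.0.0
D*EX 0.0.0.0/0 [170/3072] via 10.10.43.1, 01:22:58, GigabitEthernet0/0
1.0.0.0/32 is subnetted, 1 subnets
D 1.1.1.1 [90/130816] via 10.10.43.1, 01:22:58, GigabitEthernet0/0
10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
D 10.10.0.0/24 [90/3072] via 10.10.43.1, 01:22:58, GigabitEthernet0/0
"""

# "1.0.0.0/32 is subnetted" headers carry the mask for the entries below them.
HEADER_RE = re.compile(r"^\s*\d+\.\d+\.\d+\.\d+/(\d+) is subnetted")
ROUTE_RE = re.compile(
    r"^\s*(?P<code>[A-Z][A-Z*]*(?: (?:EX|IA|E1|E2|N1|N2))?)\s+"
    r"(?P<net>\d+\.\d+\.\d+\.\d+)(?:/(?P<len>\d+))?\s+"
    r"\[\d+/\d+\]\s+via\s+(?P<nh>\d+\.\d+\.\d+\.\d+),\s+\S+,\s+(?P<intf>\S+)"
)


def parse_routes(text):
    """Parse 'via' routes from IOS show ip route output (connected routes are skipped)."""
    routes, inherited_len = [], None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            inherited_len = int(header.group(1))
            continue
        if "variably subnetted" in line:
            inherited_len = None  # entries below carry their own mask
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue
        plen = m.group("len") if m.group("len") is not None else inherited_len
        if plen is None:
            raise ValueError(f"no prefix length for route line: {line!r}")
        prefix = ipaddress.ip_network(f"{m.group('net')}/{plen}", strict=False)
        routes.append(Route(m.group("code"), prefix,
                            ipaddress.ip_address(m.group("nh")), m.group("intf")))
    return routes


def overlay_violations(text, protected, overlay_net, overlay_intf):
    """Return findings for protected prefixes that do not use the DMVPN overlay."""
    overlay = ipaddress.ip_network(overlay_net)
    wanted = [ipaddress.ip_network(p) for p in protected]
    findings, seen = [], set()
    for route in parse_routes(text):
        if route.prefix not in wanted:
            continue
        seen.add(route.prefix)
        if route.interface != overlay_intf or route.next_hop not in overlay:
            findings.append(f"{route.prefix} leaves via {route.interface} "
                            f"(next hop {route.next_hop}), not the overlay")
    findings += [f"{p} has no learned route" for p in wanted if p not in seen]
    return findings


# Prefixes Step 20 expects to be learned through the new tunnel.
PROTECTED = ["0.0.0.0/0", "10.10.0.0/24"]

if __name__ == "__main__":
    for label, capture in (("before", BEFORE_DMVPN), ("after", AFTER_DMVPN)):
        result = overlay_violations(capture, PROTECTED, "172.16.99.0/24", "Tunnel11")
        print(label, result or "OK")
```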
Activity Verification
You have completed this task when you attain these results:
Routing has been adjusted to the DMVPN topology and branch connectivity now uses
the DMVPN.
Task 5: Monitor DMVPN Operations
In this task, you will also use Cisco Prime tools to monitor the behavior of your
DMVPN deployment.
Step 1 Navigate to Deploy>Configuration Deployment>Monitoring Deployment.
Step 2 Select the Dynamic Multipoint VPN Tunnel Statistics template from the list and
click Deploy.
Step 3 Click the checkbox next to the Name column to select all device types, and
click Submit.
Step 4 Back at the branch PC, generate traffic for all test applications (YouTube by
replaying the video, SharePoint by downloading the 10MB and 15MB files).
Step 5 Cisco Prime Reports are another valuable tool to monitor DMVPN. Navigate to
Report>Report Launch Pad.
Step 6 On the left panel, expand the Device folder and select DMVPN Reports.
Step 7 Click New to create a new report, and name it DMVPN Report in the Report
Title field.
Step 8 Click Customize to review the report settings. Notice the report components in the
Data Fields to Include box.
Step 9 Select the NHRP Expiration parameter in the Data Fields to Include box, and click
Remove to simplify the report.
Step 10 Click Apply to save the changes.
Step 11 Click Run and Save at the bottom right corner of the panel to run the report.
Step 12 Verify the information in the Report Run Result section at the bottom of the panel.
Notice the simple format to verify byte counts for each DMVPN peer for the set of
reported remote subnets.
Note This Report takes time to generate. If necessary, generate more traffic from the Branch PC
and run the report again or come back later to run again.
Activity Verification
You have completed this task when you attain these results:
You have monitored DMVPN operations using the Cisco Prime Dashboard and Cisco
Prime Reports.
Lab 3: Application Optimization – Application Visibility
Activity Objective
In this activity, you will deploy Application Visibility and Control templates to gain granular
visibility into application traffic and application performance.
After completing this activity, you will be able to meet these objectives:
Deploy AVC templates to enhance granular application classification via NBAR2,
optimized data collection via Flexible NetFlow, and obtain application performance metrics
via Performance Agent.
Use Cisco Prime Dashboard and Reports in three use cases: to discover application usage in
the network, to monitor application performance, and to troubleshoot application
performance issues.
Visual Objective
The figure illustrates the lab topology you will be working with.
Task 1: Customizing Cisco Prime for AVC
In this task, you will customize Cisco Prime dashboards and building blocks in preparation for
your AVC deployment.
Step 1 Before you deploy AVC, you can customize some of your dashboards according to
your needs. With network readiness and baselining in mind, navigate to
Operate>Monitoring Dashboards>Performance>Service Assurance.
Step 2 Find the Top N Resources by NetFlow dashlet and hover your mouse over the top
right corner of the dashlet. Click X to remove the dashlet from the dashboard.
Step 3 Click the Edit Dashboard icon at the top right corner of the Cisco Prime window and
expand the Add Dashlet option.
Step 4 Expand the Service Assurance Dashlets branch if it’s not expanded already, and
hover your mouse over the crosshair icon to the left of the Application Usage
Summary dashlet. You will see detailed information about the data sources, layout,
and overall objective of the dashlet.
Step 5 Click Add to add the dashlet to the dashboard.
Step 6 If the dashlet is added to the bottom of the dashboard, click the top of the dashlet
area to drag and drop it to the top of the dashboard for improved viewing.
Step 7 Notice the application traffic mix in the pie chart. Hover your mouse over the HTTP
slice and you will notice context-sensitive callouts that provide traffic rate
information.
Step 8 Repeat steps 3 to 5 to add the Top N WAN Interfaces by Utilization dashlet. In it
you should see the Tunnel interfaces on the DC and branch routers at the top of
the list.
Step 9 Other customization options allow you to streamline the deployment of some
templates. Navigate to Design>Configuration>Shared Policy Objects.
Step 10 Click to select the Interface Role in the left panel.
Step 11 Click Add Object at the top of the interface roles list.
Step 12 Name the object WAN Interfaces, and click the first dropdown under “Match the
following rule” to match the Description of router interfaces. Leave the operator
“Contains” as is, and type WAN in the last field.
Note Interface roles allow you to group interfaces based on existing attributes, for instance the
description, to then apply templates based on the role.
Step 13 Click OK.
Activity Verification
You have completed this task when you attain these results:
You have customized Cisco Prime dashboards to display application traffic mix
and interface utilization dashlets, and created an interface role, in preparation for
AVC deployment.
Task 2: AVC Use Case - Provision Branch Instrumentation and Application Visibility
The first step in enhancing the application experience is to deploy enhanced branch
instrumentation using AVC, to gather application and performance metrics using the various
technologies that fall within the AVC umbrella (Performance Agent, NBAR2, and Flexible
NetFlow). In this task, you will deploy those AVC features using Cisco Prime one-click options
and templates.
Step 1 You can configure default AVC policies on individual interfaces if you want quick
testing or on-the-spot configurations. To do this, navigate to Operate>Device Work
Center.
Step 2 Click the checkbox to select the PODX-CSR-RTR and click Configuration at the
bottom panel.
Step 3 Navigate to the Application Visibility>Interfaces panel under the Feature
Configuration list at the bottom left.
Step 4 Click the checkboxes to select the two WAN interfaces, GigabitEthernet1 and
Tunnel10.
Step 5 At the top of the interface list, click the Enable Default Policy dropdown, and select
the IPv4 Default Policy option. Click Yes to accept the warning.
Step 6 After a few seconds, the interface will be configured with the default AVC policy.
Notice the default policy visible under the Input Reports and Output Reports
columns on the interface list.
Step 7 For bulk configurations, you can apply a Cisco Prime AVC template. Create the
AVC template by navigating to Design>Configuration>Feature Design and
expanding the Features and Technologies and Application Visibility folders.
Step 8 Click to select the AVC Configuration template.
Step 9 Name the custom template “Enterprise AVC” and click the arrow on the Apply to
Interface Role dropdown.
Step 10 Select the WAN Interfaces role.
Step 11 Ensure that YouTube application layer traffic metrics and performance indicators
are measured, by expanding the list of Applications in the HTTP URL Visibility
section of the template. To do this, click the arrow button next to the applications list
of that section.
Step 12 Navigate through the list of applications by clicking the greater-than button of the
HTTP Applications option. From the resulting window, select YouTube.
Note There are many applications you can choose from the NBAR2 definition. This allows you to
customize and adjust to the appropriate traffic mix according to your network requirements,
performing deep packet inspection to identify those applications on the network.
Step 13 Click OK twice to go back to the AVC template.
Note Go back to the application list and deselect the ActiveSync and Baidu Movie applications if
you reach the maximum of 32 applications in the filter.
Step 14 For the sake of understanding the power of AVC, in the Application Response Time
section of the template, click the arrow icon to the right of the Applications list.
Notice how you can also customize the template based on application categories and
subcategories, for added flexibility. You don’t necessarily have to enable
applications one by one. Navigate through the list of categories to review.
Step 15 We will not be using the Voice/Video Metric so let’s turn this component off.
Step 16 Click Save as New Template at the bottom of the panel, and click Save to save it to
the My Templates folder.
Step 17 Scroll down to the bottom of the template and click Deploy.
Step 18 Expand the Site Groups and select the Power Branches and the Data Center groups.
This will deploy the template to the branch and DC routers.
Step 19 In the Value Assignment section, click CLI Preview for the Branch Router to
display the resulting commands. You will see more than 150 commands.
Step 20 Ensure that both routers show CLI commands in the preview, and click OK to
deploy the template.
Step 21 Given the size of the configuration, wait until the template deployment job has
successfully completed. You can verify the status of the job at Administration>Job
Dashboard. Refresh the job list as needed.
Activity Verification
You have completed this task when you attain these results:
You have deployed AVC configurations for proactive monitoring of granular application
traffic metrics.
Task 3: AVC Use Case - Discover Application Usage in the Network
In this task, you will use the improved, granular application visibility that results from
deploying AVC to discover your application mix, usage, and behavior in the network.
This allows you to gather actionable intelligence to determine which AVC control features
to deploy.
Complete these steps:
Step 1 Connect to the branch PC and generate traffic for all test applications (YouTube by
replaying three videos, SharePoint by downloading the 10MB and 15MB files a few
times).
Step 2 This time, also connect to http://video.cisco.com and play a video of about 10
minutes in duration.
Step 3 Navigate back to Home>Performance>Service Assurance.
Step 4 Notice the richer granularity per application in the Top N Applications and
Application Usage Summary dashlets, including not only generic application traffic
(HTTP) but also specific applications (YouTube, binary-over-HTTP for SharePoint
file transfers, and others). This is the result of NBAR2 inspection and classification,
as a result of the AVC configuration template.
Also notice the tunnel interfaces carrying the bulk of the load, as they transport
SharePoint traffic to the Data Center subnet.
Note Refresh the dashlet as needed.
Step 5 Verify which application has the greater traffic rate on the Top N Applications
dashlet, and click the Volume link at the top left corner of the dashlet to verify
which application has the greater traffic volumes.
Step 6 Drill down on the Windows Remote Desktop application by clicking the bar
associated with ms-wbt in the Top N Applications dashlet. This makes Cisco Prime
navigate to the Application dashboard, filtered to this particular application. This
dashboard allows you to see the top N clients and servers along with their
corresponding traffic rates and volumes, all valuable information for a common
candidate application to control.
Step 7 Notice the traffic rate behavior for Windows Remote Desktop on the Application
Traffic Analysis dashlet. Also notice that you can move the sliding bar at the bottom
to zoom in to specific times. Use the sliding bar to zoom in to the peak traffic rate,
and make a note of this rate. You will use this information in our next lab to rate-
limit this application.
Note You can obtain the traffic rate at any point of the graphic by just hovering your mouse over
the line. A callout will appear to indicate the specific rate at that point of the graph.
Step 8 Click the Back button on your browser to go back to the Service Assurance
dashboard. You will notice a bar in the Top N Applications dashlet labeled
“Unknown”. Cisco Prime facilitates the discovery and re-classification of unknown
traffic. Click the Unknown bar in the dashlet.
Step 9 In order to display the associated ports, you will now add another dashlet to this
dashboard. To do so, click the Edit Dashboard icon at the top right corner of the
Cisco Prime window and expand the Add Dashlet option.
Step 10 Expand the Application Dashlets branch if it’s not expanded already, and hover
your mouse over the crosshair icon to the left of the Application Configuration
dashlet. You will see detailed information about the data sources, layout, and overall
objective of the dashlet.
Step 11 Click Add to add the Application Configuration dashlet to the dashboard.
Step 12 The dashlet is added to the bottom of the dashboard. Click the top of the dashlet area
to drag and drop it to the top of the dashboard for improved viewing.
Step 13 Now look at the different ports and byte counts for the unknown applications. With
this information, you can create a custom application definition in Cisco Prime to
assign an application and category to traffic belonging to custom applications.
Step 14 Click the Back button on your browser to go back to the Service Assurance
dashboard.
Step 15 In the Top N WAN Interfaces by Utilization, click the interface name for Tunnel11
of the branch router 3.3.3.3. This will lead you to the Interface detailed dashboard,
where you can see traffic behavior and mix for the selected interface only.
Step 16 On the Interface dashboard, scroll down to inspect the Top Application Traffic Over
Time, a powerful dashlet to understand the traffic mix per interface. Notice how this
tunnel interface is carrying the SharePoint traffic, as well as YouTube and Internet
traffic. Also notice the traffic rates, in the figure below around the 3-5 Mbps range.
Note The ability to categorize traffic using NBAR2 in this type of interface enhances visibility
inside the tunnel.
Step 17 Move to the top of the Interface dashboard and click the Interface dropdown in the
Filters section. You can change the view to inspect similar information for other
interfaces. This time navigate the dropdown options by clicking Power Branches,
then PODX-BR-RTR, then GigabitEthernet0/0. This is the physical interface used by
the DMVPN tunnel between Branch and Data Center sites.
Step 18 Click Go at the far right of the Filters section to apply the filter.
Step 19 Scroll down to check the Top Application Traffic Over Time dashlet for this
GigabitEthernet0/0 interface of the branch router. You will see that this interface
only sees encrypted IPsec/ESP traffic, with traffic rates similar to or greater than the
Tunnel interface rates. This makes sense: the tunnel interface is the one that can see
applications granularly, while the physical interface sees only encapsulated traffic.
Activity Verification
You have completed this task when you attain these results:
You have understood the application mix in the lab network, identified candidate areas of
optimization, and gathered actionable performance metrics that allow you to design the
AVC control features you would need to deploy.
Lab 4: Application Optimization – QoS Control
Activity Objective
Now that you have granular application visibility over your network traffic mix, and have
identified candidates for optimization, it’s time to enter the Control phase of AVC and start
adjusting traffic patterns according to application and user requirements. In this activity, you
will deploy application-aware QoS policies to enhance the user’s application experience.
After completing this activity, you will be able to meet these objectives:
Use CLI templates to configure marking, bandwidth reservation, and rate limiting policies.
Color your traffic using DSCP, to apply QoS policy consistently across the network.
Limit the rate of non-critical traffic granularly using application awareness.
Reserve Bandwidth for mission critical applications.
Visual Objective
The figure illustrates the lab topology you will be working with.
Task 1: Deploy QoS Policy for Classification and Marking
Based on the results of AVC monitoring in the previous lab, you will now customize QoS
templates to classify application traffic using NBAR2 and mark packets using DSCP.
Complete these steps:
Step 1 Connect to the branch PC and generate traffic for all test applications (YouTube by
replaying three videos, SharePoint by downloading the 10MB and 15MB files a few
times).
Step 2 Navigate to Operate>Monitoring Dashboards>Detail Dashboards>Interface,
and use the Filters section to filter down to all applications for LAN interface of the
branch router, GigabitEthernet0/2.
Note Remember to click Go to set the filter.
Step 3 Scroll down to the DSCP Classification dashlet and verify that no DSCP marking is
taking place. The dashlet should show all traffic with default marking (value 0 or best
effort).
Step 4 Navigate to Design>Configuration>Feature Design and expand the My Templates
folder below the Templates panel on the left.
Step 5 Select the Mark Critical Apps template from the list.
Step 6 On the panel on the right, review this CLI template in the CLI Content box, as it
classifies traffic using NBAR2 (match protocol statements) and marks using a policy
applied to the LAN interface.
Step 7 CLI templates can use variables to streamline bulk configurations across multiple
devices. In order to customize this template with variables, select the text
INTERFACE-RANGE at the bottom of the CLI Content box.
Step 8 With the text selected, click the Manage Variables icon at the top right corner of the
Template Detail section.
Step 9 Click the radio button to select the INTERFACE-RANGE variable, and click Edit to
complete the variable definition. Use these settings:
Type: String
Display Label: Interface Range
Description: Type the interface range, separating the interfaces with a comma,
and using dashes for ranges
Required: Click to mark the checkbox
Step 10 Click Save, then Add To CLI.
Step 11 Notice how the previous string in the CLI Content box changes to include a $ sign
prepended to it.
Step 12 Click Save to the My Templates folder.
Step 13 Click Deploy at the bottom of the panel. You will deploy the classification and
marking template to the LAN interface at the branch router for outbound traffic, and
the LAN interfaces of the DC router for inbound or return traffic.
Step 14 On the Template Deployment window, click to select All in the Device Selection
section. This is because you want to mark traffic on all LAN interfaces.
Step 15 On the Value Assignment section, click to select the branch router, PODX-BR-RTR,
and configure GigabitEthernet0/2, the branch router’s LAN interface, in the
Interface Range field. Scroll down and click Apply.
Step 16 On the Value Assignment section, click to select the data center router,
PODX-DC-RTR, and configure the range GigabitEthernet0/0/0-1 in the Interface Range
field. Scroll down and click Apply.
Note Verify that you have configured a range of interfaces with the exact text
“GigabitEthernet0/0/0-1”, which includes GigabitEthernet0/0/0, the Internet interface, and
GigabitEthernet0/0/1, the Data Center LAN interface.
Step 17 On the Value Assignment section, click to select the cloud services router,
PODX-CSR-RTR, and configure the range GigabitEthernet2, the cloud services router’s
LAN interface, in the Interface Range field. Scroll down and click Apply.
Step 18 Click OK to deploy the template.
Step 19 Back at the branch PC, generate traffic for all test applications (YouTube by
replaying three videos, SharePoint by downloading the 10MB and 15MB files a few
times).
Step 20 On the Cisco Prime Infrastructure GUI, navigate back to Operate>Monitoring
Dashboards>Detail Dashboards>Interface, and verify that the DSCP
Classification dashlet now shows how DSCP values are being assigned.
Note Verify that interface GigabitEthernet0/2 of the branch router is still selected in the filter. Also,
you may have to change the filter to a time frame of the past 1 hour to see DSCP values
other than 0 in the chart. Remember to click Go on the Filters section, and also refresh each
dashlet by clicking the Refresh button at the top right corner of each dashlet.
Step 21 As additional verification, connect to the Branch Router CLI using the terminal
server and credentials on the Lab Resources section of the lab guide.
Step 22 Display the counters for the newly deployed classification and marking policy, using
the show policy-map interface gigabitethernet 0/2 command, and verify that packets
are being marked.
Note Student output may differ from the example.
P2-BR-RTR#show policy-map interface gigabitEthernet 0/2
GigabitEthernet0/2
Service-policy input: MARK
Class-map: YOUTUBE (match-any)
17860 packets, 1392695 bytes
5 minute offered rate 9000 bps, drop rate 0000 bps
Match: protocol youtube
1380 packets, 131881 bytes
5 minute rate 0 bps
Match: protocol video-over-http
4589 packets, 415661 bytes
5 minute rate 9000 bps
QoS Set
dscp af41
Packets marked 17860
Class-map: SHAREPOINT (match-any)
54362 packets, 3334972 bytes
5 minute offered rate 16000 bps, drop rate 0000 bps
Match: protocol share-point
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol binary-over-http
54362 packets, 3334972 bytes
5 minute rate 16000 bps
QoS Set
dscp af11
Packets marked 54362
Class-map: class-default (match-any)
49817 packets, 3887444 bytes
5 minute offered rate 15000 bps, drop rate 0000 bps
Match: any
QoS Set
dscp default
Packets marked 49817
Activity Verification
You have completed this task when you attain these results:
You have verified that application traffic is being marked using DSCP values.
Task 2: Deploy QoS Policy to Police YouTube Traffic
The bulk of YouTube traffic comes downstream from the Internet. For this reason it is common
to find rate limiting policies at the Data Center router for YouTube traffic flowing back to the
branches across the DMVPN.
To accomplish this objective, in this task, you will aim at controlling non-critical traffic, in this
instance the YouTube application, by creating rate limit thresholds using Cisco Prime
templates.
Complete these steps:
Step 1 Navigate to Deploy>Configuration Deployment>Configuration Tasks, and click
the My Templates branch below the Templates panel on the left.
Step 2 On the panel on the right, click the Police Non-Critical Apps link under the
Name column.
Step 3 Review the CLI commands in the Template Detail box, as they rate-limit traffic
already marked with a DSCP value of AF41 (YouTube) to 64 Kbps.
Note The 64 Kbps threshold is artificial and designed for the lab objectives. It does not represent a
recommended practice or suggested figure for production environments.
Note The ip nhrp map group BRANCHES service-policy output IWAN-8-Class-Parent
command is used on the DMVPN Hub router to apply per-tunnel QoS policies on DMVPN
tunnel interfaces. As spoke routers register to the hub via NHRP, their NHRP group
assignment is also registered, and their tunnel will then be subject to the policy for that
NHRP group. The spoke router must, however, be configured to be part of the
appropriate NHRP group. You will do this in step 10 of this task.
Step 4 Click Close, and then click to select the checkbox next to the template name.
Step 5 Click Deploy.
Step 6 You will now deploy the template to the Data Center ASR router, so that outbound
YouTube traffic, egress on the DMVPN tunnel interface toward the branch, is rate-
limited. To do so, in the Template Deployment window, expand the Site Groups
branch and click to select the Data Center site group.
Step 7 In the Value Assignment section, configure Tunnel0 as the Interface Range. Scroll
down and click Apply.
Step 8 Click OK to deploy the template.
Step 9 Go back to Deploy>Configuration Deployment>Configuration Tasks, in order to
configure the branch side of the per-tunnel QoS configuration.
Step 10 Click the My Templates folder, and select the “QoS Per-Tunnel - Client Side”
template in the panel on the right.
Note This template completes the per-tunnel QoS configuration by assigning the tunnel spokes to
an NHRP group called BRANCHES. Refer to the note after step 3.
Step 11 Click Deploy. Select the branch router in the Device Selection section and
Tunnel10-11 in the Interface Range field of the Value Assignment section.
Note Notice that the interface range is an actual range, Tunnel10-11, which deploys per-tunnel
QoS on both tunnel interfaces of the branch router. You will need both at different points of
this lab, including Task 3 for bandwidth reservation.
Step 12 Scroll down to click Apply, then click OK to deploy the template.
Step 13 You are now ready to test this configuration. For verification, connect to the Data
Center ASR router using the terminal server and the credentials found in the Lab
Resources section of this lab guide.
Step 14 Display detailed DMVPN information using show dmvpn detail, and notice how the
branch router registered using the BRANCHES NHRP group, and how it has been
assigned the rate limiting policy for outbound flows.
Note You may have to wait a couple of minutes until the deployment job completes. Check back
at Administration>Jobs Dashboard to verify the status of the job.
POD2-DC-RTR#sh dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface Tunnel0 is up/up, Addr. is 172.16.99.1, VRF ""
Tunnel Src./Dest. addr: 1.1.1.1/MGRE, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect "DMVPN_IPSECPROFILE"
Interface State Control: Disabled
nhrp event-publisher : Disabled
Type:Hub, Total NBMA Peers (v4/v6): 1
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 3.3.3.3 172.16.99.2 UP 02:45:02 D 172.16.99.2/32
NHRP group: BRANCHES
Output QoS service-policy applied: IWAN-8-Class-Parent
<…rest of output omitted…>
Step 15 To generate relevant traffic, connect back to the branch PC and generate YouTube
traffic. Select and run at least 3 videos between 7 and 10 minutes long to generate a
relevant sample.
Step 16 On the DC router CLI, verify that traffic policing is taking place.
POD2-DC-RTR#sh policy-map multipoint tunnel 0
Interface Tunnel0 <--> 10.10.23.2
Service-policy output: IWAN-8-Class-Parent
Class-map: class-default (match-any)
6951 packets, 2395257 bytes
5 minute offered rate 58000 bps, drop rate 19000 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 6439/2061529
shape (average) cir 1500000, bc 6000, be 6000
target shape rate 1500000
Service-policy : RATE-LIMIT
Class-map: NON-CRITICAL (match-any)
1103 packets, 1496945 bytes
5 minute offered rate 38000 bps, drop rate 19000 bps
Match: ip dscp af41 (34)
police:
rate 64000 bps, burst 9972 bytes
conformed 674 packets, 877875 bytes; actions:
transmit
exceeded 514 packets, 729503 bytes; actions:
drop
conformed 22000 bps, exceeded 19000 bps
Class-map: class-default (match-any)
5848 packets, 898312 bytes
5 minute offered rate 25000 bps, drop rate 0000 bps
Match: any
Step 17 Back at the Cisco Prime GUI, navigate to Operate>Monitoring
Dashboards>Detail Dashboards>Interface, and use the Filters section to display
information for the Tunnel0 interface of the DC Router, part of the Data Center site
group.
Note Remember to click Go on the Filters section to effectively apply the filter.
Note The selected threshold of 64 Kbps was chosen almost arbitrarily to produce a dramatic
result for this lab and demonstrate the sudden drop in the application’s rate. Your mileage
may vary; if you don’t obtain the expected results, change the threshold by editing the
template at Design>Configuration>Feature Design. If you do so, you will need to redeploy
the template.
Step 18 The impact of this policy can be seen in the Top Application Traffic Over Time
dashlet. Notice the sudden drop for YouTube highlighted by the sharp inflection
point for this application in the diagram.
Step 19 Analyzing packet counters and bandwidth utilization is a valid approach, but in the
end it’s all about the user experience. Cisco Prime allows you a more comprehensive
analysis of application and user experience, by providing the tools to drill down
from an interface view to an application view to a client/user view of the
information. To start, scroll up to the Top N Applications dashlet in the same
Interface dashboard, and click the bar on the diagram that corresponds to YouTube
or video-over-http.
Step 20 Cisco Prime immediately navigates to the Application dashboard, filtered to display
information about the YouTube application.
Note You can also navigate to this dashboard by selecting Operate>Monitoring
Dashboards>Detail Dashboards>Application.
Step 21 The Application dashboard allows you to learn more about the user experience by
looking at the server side of the conversation. Scroll down to the Application Server
Performance dashlet to observe the IP addresses of YouTube servers and their
average and maximum response times.
Step 22 Click the Show Analysis link for any of the YouTube servers.
Step 23 Using this powerful tool, you can analyze information to troubleshoot average server
response times, average transaction times, network delay, and retransmissions. Use
the Troubleshoot dropdown to change the view and switch to each relevant graphic.
Notice the sliding bars at the bottom to zoom in to specific times and further isolate
issues.
Step 24 Click Close to dismiss the server analysis window.
Step 25 Back at the Application dashboard, you can also look at per-client traffic volumes on
the Top N Clients dashlet. When combining network admission control and BYOD
technologies with Cisco Prime (for instance Cisco’s ISE – Identity Services Engine)
you are in fact able to display traffic volumes per user, by clicking the Users link at
the top of the dashlet.
Note ISE is not present in this lab, so you will not be able to display per-user information.
Step 26 From there, you can drill down per client and use Cisco Prime to troubleshoot
specific client issues. So on the Top N Clients dashlet, click the branch PC client
(10.10.X1.10).
Step 27 Cisco Prime automatically navigates to the End User Experience dashboard, where
you can isolate this client’s information when using the YouTube application.
Note Remember, you first filtered to YouTube traffic, and then filtered to the Client IP. The
resulting dashboard lets you isolate issues for that client when using that application.
Step 28 On the same End User Experience dashboard, you can scroll down to the Worst N
Clients by Transaction Time dashlet, and correlate the experience of the filtered
client to that of other clients on the same site. This particular dashlet displays the
clients on that site who experience the worst transaction times for the specific
application (in this case YouTube), so you can perhaps isolate issues to the site and
not to individual clients.
Activity Verification
You have completed this task when you attain these results:
You have verified the impact of your rate-limiting policy, and used Cisco Prime to drill
down from an interface view to an application view to a user/client view of application
performance metrics.
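The two CLI checks in this lab (Task 1 Step 22 and Task 2 Step 16) can be scripted. The Python below is an added example, not part of the lab guide or of any Cisco tool: it parses show policy-map text and reports classes whose marked count lags the class count, match statements that never hit, and the share of bytes a policer dropped. The function names are hypothetical and the sample strings are abridged from the outputs printed in this lab.

```python
import re

# One pattern per line type in IOS "show policy-map" output (indentation is ignored).
SERVICE = re.compile(r"Service-policy\s*(?:input|output)?\s*:\s*(\S+)")
CLASS = re.compile(r"Class-map:\s+(\S+)\s+\(match-(?:any|all)\)")
COUNT = re.compile(r"(\d+) packets, (\d+) bytes")
MARKED = re.compile(r"Packets marked (\d+)")
SET_DSCP = re.compile(r"dscp (\S+)")
POLICE_RATE = re.compile(r"rate (\d+) bps, burst (\d+) bytes")
POLICE_CNT = re.compile(r"(conformed|exceeded|violated) (\d+) packets, (\d+) bytes; actions:")

def parse_policy_map(text):
    """Return one dict per Class-map block, in order of appearance."""
    classes, policy, cur, pending = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        waiting, pending = pending, None  # a per-match counter must directly follow "Match:"
        if m := SERVICE.fullmatch(line):
            policy = m[1]
        elif m := CLASS.fullmatch(line):
            cur = {"policy": policy, "class": m[1], "packets": None,
                   "matches": [], "set_dscp": None, "marked": None, "police": {}}
            classes.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Match:"):
            pending = {"criterion": line[len("Match:"):].strip(), "packets": None}
            cur["matches"].append(pending)
        elif m := COUNT.fullmatch(line):
            if waiting is not None:
                waiting["packets"] = int(m[1])
            elif cur["packets"] is None:
                cur["packets"] = int(m[1])
        elif m := SET_DSCP.fullmatch(line):
            cur["set_dscp"] = m[1]
        elif m := MARKED.fullmatch(line):
            cur["marked"] = int(m[1])
        elif m := POLICE_RATE.fullmatch(line):
            cur["police"]["rate_bps"] = int(m[1])
        elif m := POLICE_CNT.fullmatch(line):
            cur["police"][m[1]] = {"packets": int(m[2]), "bytes": int(m[3])}
    return classes

def marking_gaps(classes):
    """Classes with a 'set dscp' action whose marked count differs from the class count."""
    return [c["class"] for c in classes
            if c["set_dscp"] is not None and c["marked"] != c["packets"]]

def idle_matches(classes):
    """(class, criterion) pairs whose per-match counter is zero: the classifier never hit."""
    return [(c["class"], mt["criterion"]) for c in classes
            for mt in c["matches"] if mt["packets"] == 0]

def policer_report(classes):
    """Per policed class: configured rate and share of bytes dropped as 'exceeded'."""
    out = []
    for c in (c for c in classes if "rate_bps" in c["police"]):
        conf, exc = (c["police"].get(k, {}).get("bytes", 0) for k in ("conformed", "exceeded"))
        out.append({"policy": c["policy"], "class": c["class"], "rate_bps": c["police"]["rate_bps"],
                    "exceeded_share": round(exc / (conf + exc), 3) if conf + exc else 0.0})
    return out

# Samples abridged from the lab guide's outputs (Task 1 Step 22, Task 2 Step 16).
MARK_OUTPUT = """\
Service-policy input: MARK
Class-map: YOUTUBE (match-any)
17860 packets, 1392695 bytes
Match: protocol youtube
1380 packets, 131881 bytes
dscp af41
Packets marked 17860
Class-map: SHAREPOINT (match-any)
54362 packets, 3334972 bytes
Match: protocol share-point
0 packets, 0 bytes
Match: protocol binary-over-http
54362 packets, 3334972 bytes
dscp af11
Packets marked 54362
"""
POLICE_OUTPUT = """\
Service-policy output: IWAN-8-Class-Parent
Class-map: class-default (match-any)
6951 packets, 2395257 bytes
Match: any
Service-policy : RATE-LIMIT
Class-map: NON-CRITICAL (match-any)
1103 packets, 1496945 bytes
Match: ip dscp af41 (34)
rate 64000 bps, burst 9972 bytes
conformed 674 packets, 877875 bytes; actions:
exceeded 514 packets, 729503 bytes; actions:
"""

if __name__ == "__main__":
    for sample in (MARK_OUTPUT, POLICE_OUTPUT):
        c = parse_policy_map(sample)
        print(marking_gaps(c), idle_matches(c), policer_report(c))
```

On the lab's own counters, the idle-match check shows that the SharePoint downloads are classified by binary-over-http rather than share-point, and the policer report shows roughly 45% of AF41 bytes dropped at the 64 Kbps rate.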
Lab 5: Intelligent Path Control – Using PfRv3
Activity Objective
The preferred routing path before the start of the lab follows the main WAN link between
branch and Data Center for all traffic. The backup link is completely unused.
In this activity, you will continue implementing the Control side of AVC, by deploying a
second DMVPN tunnel across the backup link, and using PfR to select routing paths according
to performance instrumentation and enterprise policy. You will route traffic based on roundtrip
delay, applying a PfR performance policy for SharePoint traffic so that the underused backup
link is fully utilized.
After completing this activity, you will be able to meet these objectives:
Configure the branch router for PfR learning using default settings.
Learn PfR traffic flows using the automatic option, defining traffic classes based on DSCP
markings from the previous lab.
Create enforcement policy to route YouTube application traffic on a different link when
encountering delay conditions on the main link, while leaving the rest of the traffic on the
main link.
Test by increasing delay on the main link, and see YouTube flows re-routing to a
different link.
Visual Objective
The figure illustrates the lab topology you will be working with.
PfR uses a phased approach to deploying a traffic policy. The figure describes the operational
mode suggested in this lab:
Learning dynamically and statically, traffic classes defined by IP prefixes and DSCP values
marked on packets according to previous labs.
Active monitoring of key performance indicators, specifically roundtrip delay.
A routing policy using PBR to reroute SharePoint traffic across the backup WAN link
between branch and data center.
Enforcement at a threshold of 120 ms for roundtrip delay.
Task 1: Provision Second DMVPN Tunnel from Branch to Data Center.
In this task, you will provision a new DMVPN tunnel across the backup link between branch and
data center. As a potential path for all traffic, this tunnel must have all of the features you have
deployed so far (AVC, application-aware QoS, NAT, etc.). Complete these steps to deploy this
tunnel using composite templates:
Step 1 Connect to the Data Center PC and launch the Cisco Prime Infrastructure GUI.
Step 2 First, configure the DMVPN hub router. Navigate to
Design>Configuration>Feature Design, and expand the Composite Templates
folder on the left panel.
Step 3 Click Composite Templates below the Composite Templates folder, and name the
template “DMVPN Hub - All Features” in the panel on the right.
Step 4 Click Add in the Template Detail section.
Step 5 In the Templates window, expand the My Templates folder and click to select these
templates: DMVPN Hub – Padding, DMVPN Hub, and Police Non-Critical Apps.
Click Add.
Note The template DMVPN Hub - Padding is pre-configured, and it deploys all the additional and
miscellaneous settings required by all hub tunnel interfaces: a description, designation as ip
nat inside, and assignment of its subnet to the routing domain.
Step 6 Use the green arrows at the top of the template list to move the DMVPN Hub
template to the first position, so that templates are executed in the right order. This is
important, as the tunnel interface is created by the DMVPN Hub template, and then
customized by the DMVPN Hub - Padding template.
Step 7 Click Save as New Template, then click Deploy and select the Data Center site
group in the Deployed on Device section.
Step 8 Scroll down to the Value Assignment section in the Data Center site group and click
the Select Template dropdown.
Step 9 Click the radio button to select the DMVPN Hub template.
Step 10 Configure these settings for the selected template:
Physical Interface: GigabitEthernet0/0/3
IP address on the GRE tunnel interface: 172.16.88.1
Subnet mask: 255.255.255.0
Step 11 Scroll down to click Apply.
Step 12 Proceed to select the other templates from the Select Template dropdown and
configure these settings for each one. Remember, for each you must click Apply,
where applicable:
Template: Police Non-Critical Apps
    Interface Range: Tunnel1
Template: DMVPN Hub - Padding
    Tunnel Subnet: 172.16.88.0 0.0.0.255
    Tunnel Interface: Tunnel1
Step 13 Click OK to deploy the composite template.
Step 14 The next step is to configure the spoke router. A composite template is already
created, and it contains all the necessary settings for a spoke. Navigate back to the
Design>Configuration>Feature Design, and click the My Templates folder on the
left panel.
Step 15 Move your mouse to the right of the DMVPN Spoke – All Features template to select the
edit option.
Step 16 Use the green arrows at the top of the template list to move the DMVPN Spokes –
Second Tunnel template to the first position, so that templates are executed in the
right order. This is important, as the tunnel interface is created by the DMVPN
Spokes – Second Tunnel template, and then customized by the DMVPN Spokes -
Padding template. Click Save to save your new settings.
Step 17 Click Deploy.
Step 18 Select the Power Branches site group, and use the Select Template dropdown to
select each of the three templates to configure these settings:
Note Remember, you must click Apply for each template to commit the settings per template
before you select the next one.
Template: DMVPN Spokes – Second Tunnel
    Physical Interface: GigabitEthernet0/1
    IP address of the tunnel: 172.16.88.2
    Subnet mask: 255.255.255.0
Template: DMVPN Spokes - Padding
    Tunnel Subnet: 172.16.88.0 0.0.0.255
    Tunnel Interface: Tunnel12
Template: QoS Per-Tunnel - Client Site
    Interface Range: Tunnel12
Step 19 Click OK to deploy the composite template.
Step 20 Navigate to Operate>Device Work Center, select the PODX-DC-RTR and PODX-
BR-RTR, and click Sync.
Step 21 Now that the new tunnel interfaces exist in both routers, branch and data center,
proceed to deploy the Enterprise AVC template again. Because the new tunnel
interfaces acquired a description that contains the word WAN through the composite
templates, they are automatically assigned to the dynamic interface role that makes
them acquire the AVC configuration.
Note Refer to previous labs (Lab 3 Task 2) to refresh how to deploy the Enterprise AVC template.
In short, navigate to Deploy>Configuration Deployment>Configuration
Tasks, find the template, click Deploy, and select the Power Branches and Data Center site
groups.
Step 22 Connect to the DC router console using the terminal server, and verify the new
tunnel operations. Status should be up/up, and the IWAN-8-Class-Parent policy
should be applied.
POD4-DC-RTR#show dmvpn detail | begin Tunnel1
Interface Tunnel1 is up/up, Addr. is 172.16.88.1, VRF ""
Tunnel Src./Dest. addr: 10.10.44.1/MGRE, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect "DMVPN_IPSECPROFILE_1"
Interface State Control: Disabled
nhrp event-publisher : Disabled
Type:Hub, Total NBMA Peers (v4/v6): 1
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 10.10.44.2 172.16.88.2 UP 00:21:33 D 172.16.88.2/32
NHRP group: BRANCHES
Output QoS service-policy applied: IWAN-8-Class-Parent
Activity Verification
You have completed this task when you attain these results:
The second tunnel between the branch and data center routers is operational.
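The Step 22 verification as a script, added here as an example (it is not part of the lab guide): it parses show dmvpn detail output and reports a tunnel that is not up/up, has no IPsec protection profile, has a peer that is not UP, or lacks the expected QoS policy. The function names are hypothetical, SAMPLE is the Step 22 output, and DEGRADED is a constructed counter-example.

```python
import re

# Output shown in Step 22 above, embedded so the example runs offline.
SAMPLE = '''\
Interface Tunnel1 is up/up, Addr. is 172.16.88.1, VRF ""
Tunnel Src./Dest. addr: 10.10.44.1/MGRE, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect "DMVPN_IPSECPROFILE_1"
Interface State Control: Disabled
nhrp event-publisher : Disabled
Type:Hub, Total NBMA Peers (v4/v6): 1
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 10.10.44.2 172.16.88.2 UP 00:21:33 D 172.16.88.2/32
NHRP group: BRANCHES
Output QoS service-policy applied: IWAN-8-Class-Parent
'''

# Constructed counter-example: line protocol down, empty Protect field,
# spoke stuck in NHRP state, and no QoS policy line.
DEGRADED = '''\
Interface Tunnel1 is up/down, Addr. is 172.16.88.1, VRF ""
Tunnel Src./Dest. addr: 10.10.44.1/MGRE, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect ""
Type:Hub, Total NBMA Peers (v4/v6): 1
1 10.10.44.2 172.16.88.2 NHRP never D 172.16.88.2/32
'''

IFACE_RE = re.compile(r"^Interface (\S+) is ([\w/]+), Addr\. is ([\d.]+)")
# Peer row: entry count, NBMA address, tunnel address, state, up/down time,
# attribute flags, target network.
PEER_RE = re.compile(
    r"^\s*\d+\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_dmvpn_detail(text):
    """Return {interface name: details} from 'show dmvpn detail' output."""
    tunnels, cur = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = {"status": m[2], "address": m[3], "protect": None,
                   "peers": [], "qos_policies": set()}
            tunnels[m[1]] = cur
            continue
        if cur is None:
            continue
        m = re.search(r'Protect "([^"]*)"', line)
        if m:
            cur["protect"] = m[1] or None  # empty string means no profile
        m = PEER_RE.match(line)
        if m:
            cur["peers"].append(
                {"nbma": m[1], "tunnel": m[2], "state": m[3], "updn": m[4]})
        m = re.search(r"Output QoS service-policy applied: (\S+)", line)
        if m:
            cur["qos_policies"].add(m[1])
    return tunnels


def audit_tunnel(name, t, expected_policy):
    """List the ways a parsed tunnel falls short of the Step 22 criteria."""
    findings = []
    if t["status"] != "up/up":
        findings.append(f"{name}: interface is {t['status']}, expected up/up")
    if not t["protect"]:
        findings.append(f"{name}: no IPsec profile, GRE payload is unencrypted")
    if not t["peers"]:
        findings.append(f"{name}: no NBMA peers registered")
    for p in t["peers"]:
        if p["state"] != "UP":
            findings.append(
                f"{name}: peer {p['nbma']} ({p['tunnel']}) is in state {p['state']}")
    if expected_policy not in t["qos_policies"]:
        findings.append(f"{name}: QoS policy {expected_policy} not applied")
    return findings


if __name__ == "__main__":
    for label, text in (("lab output", SAMPLE), ("degraded", DEGRADED)):
        for name, tunnel in parse_dmvpn_detail(text).items():
            problems = audit_tunnel(name, tunnel, "IWAN-8-Class-Parent")
            print(label, name, "OK" if not problems else problems)
```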
Task 2: Provision Routers for PfR with Automatic Profiling.
In the presence of two alternative paths from branch to data center, you will now start
configuring PfR to make intelligent use of those paths. In this task, you will provision the
Branch Router as PfR Master Controller (MC) and Border Router (BR), with automatic
profiling of traffic classes for the learning phase. Complete these steps:
Step 1 Connect to the Branch PC using the information found in the Lab Resources section
of this lab guide.
Step 2 Trace the SharePoint and YouTube destinations. You may see traffic using both
links, or all of it on one link. This is the randomness of EIGRP choosing between two
equal-cost paths. With PfR we can add control to our traffic flows
and predict which path will be used.
Note Remember, the subnet for the main tunnel is 172.16.99.0 and the subnet for the second
tunnel is 172.16.88.0.
Step 3 At the branch PC, generate traffic for all test applications (YouTube by replaying
three videos, SharePoint by downloading the 10MB and 15MB files a few times).
Step 4 For more focused analysis, you will modify pre-configured port groups to include
only tunnel interfaces. To do this, navigate to Design>Management
Tools>Port Grouping and click the ALL folder on the left panel.
Step 5 Select the Tunnel11 and Tunnel12 interfaces of device 3.3.3.3 (the branch router),
click Add to Group, and navigate to select the DMVPN Tunnels - Branch group
from the list, and click Save.
Step 6 Now verify interface utilization on the branch router by navigating to
Home>Performance>Network Interface on Cisco Prime and locating the Top N
Interfaces Utilization dashlet.
Step 7 Select the Dashlet Options icon at the top right corner of the dashlet, and change the
Refresh Interval to 30 seconds, and the Port Group dropdown to filter to the
DMVPN Tunnels - Branch port group.
Step 8 Click Save and Close. Refresh the dashlet and observe that interfaces Tunnel11 and
Tunnel12 are used for all traffic.
Note It may take some time for the below chart to appear in Prime properly. Continue on with the
lab steps and we will revisit this chart again in a future step.
Step 9 Let’s add some control to our traffic by deploying the initial components of PfR. You
will first deploy a template that creates the PfR domain and defines the interfaces.
Navigate to Deploy>Configuration Deployment>Configuration Tasks, and click
the My Templates folder.
Step 10 On the panel on the right, click the PfR-Activation-DC link under the Name column.
Step 11 Review the CLI commands in the Template Detail box, as they establish a router as
both PfR MC and BR, and fire off automatic learning.
Note Variables have already been configured on this template for deployment flexibility: you will
deploy it to the Data Center router.
Step 12 Click Close, and then click to select the checkbox next to the same PfR-Activation-
DC template.
Step 13 Click Deploy.
Step 14 Select the Data Center site group in the Device Selection section, and configure
these settings in the Value Assignment section:
First WAN Interface: Tunnel0
Second WAN Interface: Tunnel1
Step 15 Scroll down to click Apply, then click OK at the bottom to submit deployment.
Step 16 Connect to the console of the data center router, and display status of the PfR
Master Controller and Border Router on the datacenter router.
POD4-DC-RTR#show domain default master status
*** Domain MC Status ***
Master VRF: Global
Instance Type: Hub
Instance id: 0
Operational status: Up
Configured status: Down
Missing Configs: Policy configuration
Loopback IP Address: 1.1.1.1
Load Balancing:
Admin Status: Disabled
Operational Status: Down
Enterprise top level prefixes configured: 0
Route Control: Enabled
Mitigation mode Aggressive: Disabled
Policy threshold variance: 20
Minimum Mask Length: 28
Sampling: off
Borders:
IP address: 1.1.1.1
Connection status: CONNECTED (Last Updated 00:00:40 ago )
Interfaces configured:
Name: Tunnel0 | type: external | Service Provider: MPLS | Status: UP
Number of default Channels: 0
Name: Tunnel1 | type: external | Service Provider: INET | Status: UP
Number of default Channels: 0
Tunnel if: Tunnel2
---------------------------------------------------------------------
Step 17 Repeat steps 9 to 16, but this time use the PfR-Activation-Branch template, deploy it
to the Power Branches site group, and use these settings when deploying:
First WAN Interface: Tunnel11
Second WAN Interface: Tunnel12
Step 18 Review the CLI commands in the Template Detail box, as they establish this router
as both PfR Branch MC and BR.
Note Variables have already been configured on this template for deployment flexibility: you will
deploy it to the Data Center router.
Step 19 Click Deploy and deploy it to the Power Branches site group, and use these settings
when deploying:
First WAN Interface: Tunnel11
Second WAN Interface: Tunnel12
Step 20 Connect to the Branch router CLI. Display the global parameters for the Master
Controller role using the show domain default master status command. Notice
these default and custom settings:
The Instance Type is Branch.
The Border status is connected and it has learned the Interface types from the
Hub MC on the data center router.
Note It may take a few seconds for the Hub and Branch to sync and display this information.
POD4-DC-RTR#show domain default master status
*** Domain MC Status ***
Master VRF: Global
Instance Type: Branch
Instance id: 0
Operational status: Up
Configured status: Up
Loopback IP Address: 3.3.3.3
Load Balancing:
Operational Status: Down
Route Control: Enabled
Mitigation mode Aggressive: Disabled
Policy threshold variance: 20
Minimum Mask Length: 28
Sampling: off
Minimum Requirement: Met
Borders:
IP address: 3.3.3.3
Connection status: CONNECTED (Last Updated 00:02:22 ago )
Interfaces configured:
Name: Tunnel11 | type: external | Service Provider: MPLS | Status: UP
Number of default Channels: 0
Name: Tunnel12 | type: external | Service Provider: INET | Status: UP
Number of default Channels: 0
Tunnel if: Tunnel0
---------------------------------------------------------------------
Activity Verification
You have completed this task when you attain these results:
You have enabled PfR MC and BR on both the data center and branch routers.
Task 3: Configure Custom Traffic Classes Using DSCP Values.
In this task, you change the default configuration to match your network environment. You will
create custom traffic classes for SharePoint traffic, to later define a custom policy for these
applications.
Complete these steps:
Step 1 Navigate to Deploy>Configuration Deployment>Configuration Tasks, and click
the My Templates folder.
Step 2 On the panel on the right, click the PfR-Enterprise-Traffic link under the
Name column.
Step 3 Review the CLI commands in the Template Detail box. They create an enterprise
traffic class for the PfR policy for SharePoint. Notice how classification is
accomplished using existing DSCP markings on packets, previously configured in
Lab 4. NBAR2 classification can also be used for powerful application-aware
custom classes. Also notice that delay is the performance metric measured for the
SharePoint traffic class.
Note In this lab, NBAR classification has already taken place, as part of your QoS strategy in the
previous lab. It only makes sense that you take advantage of this fact to define PfR traffic
classes, especially due to performance considerations: costly NBAR deep packet inspection
is performed only once, and PfR just looks at DSCP markings to define traffic classes.
Step 4 Click Close, and then click to select the checkbox next to the same PfR-Enterprise-
Traffic template.
Step 5 Click Deploy at the top of the list.
Step 6 Select the Data Center site group in the Device Selection section, and click OK at
the bottom to submit deployment. This template does not have variables or values to
submit per device.
Step 7 Generate more traffic (YouTube and SharePoint) from the Branch PC.
Step 8 Back at the Data Center Router CLI, display the new deployed traffic classes.
Notice the default behavior is not set to load-balance and the class critical-
application is now monitoring SharePoint traffic based on its DSCP tagging.
POD4-DC-RTR#sh run | sec domain
ip domain name pod4.ax.local
domain default
 vrf default
  border
   source-interface Loopback0
   master 1.1.1.1
   password Cisco123
  master hub
   source-interface Loopback0
   site-prefixes prefix-list HQ_PREFIX
   password Cisco123
   load-balance
   class critical-application sequence 10
    match dscp af11 policy custom
     priority 1 one-way-delay threshold 120
    path-preference MPLS fallback INET
domain path MPLS
domain path INET
Activity Verification
You have completed this task when you attain these results:
You have defined custom traffic classes to match your traffic mix and application
requirements.
Task 4: Monitor and Manipulate PfR.
In this task, you will alter the WAN Bridge to trigger PfR to enforce paths on the PfR routers
according to policies.
Complete these steps:
Step 1 Verify the MPLS link is now the primary path for your SharePoint traffic (af11).
POD4-DC-RTR#show domain default master traffic-class summary
APP - APPLICATION, TC-ID - TRAFFIC-CLASS-ID, APP-ID - APPLICATION-ID
SP - SERVICE PROVIDER, PC = PRIMARY CHANNEL ID,
BC - BACKUP CHANNEL ID, BR - BORDER, EXIT - WAN INTERFACE
UC - UNCONTROLLED, PE - PICK-EXIT, CN - CONTROLLED, UK – UNKNOWN
Dst-Site-Pfx Dst-Site-Id APP DSCP TC-ID APP-ID State SP PC/BC BR/EXIT
10.20.10.160/28 Internet N/A default 3 N/A CN MPLS 1/NA 1.1.1.1/Tunnel0
10.10.41.0/24 3.3.3.3 N/A af41 5 N/A CN MPLS 7/8 1.1.1.1/Tunnel0
10.10.41.0/24 3.3.3.3 N/A default 4 N/A CN MPLS 3/NA 1.1.1.1/Tunnel0
10.10.41.0/24 3.3.3.3 N/A af11 6 N/A CN MPLS 9/10 1.1.1.1/Tunnel0
3.3.3.3/32 3.3.3.3 N/A default 7 N/A CN MPLS 3/NA 1.1.1.1/Tunnel0
Total Traffic Classes: 5 Site: 4 Internet: 1
Step 2 Go to your Branch PC, connect to the ESXi vCenter server on that module using the
information in the Lab Resources section of this guide, and impair
WANBRIDGE-1.
Step 3 Open the console access and select option 7: 120ms Round trip delay with .5% packet
loss.
Step 4 Back at the branch PC, generate SharePoint traffic.
Step 5 Verify the MPLS link is now out of policy and the traffic is moved to the INET link
on the Branch router. You can move the traffic back and forth by adjusting the
values of your WAN Bridge. If your traffic was on MPLS, simply adjust the WAN
Bridge to cause that path to be out of policy.
POD4-BR-RTR#show domain default master traffic-class summary
APP - APPLICATION, TC-ID - TRAFFIC-CLASS-ID, APP-ID - APPLICATION-ID
SP - SERVICE PROVIDER, PC = PRIMARY CHANNEL ID,
BC - BACKUP CHANNEL ID, BR - BORDER, EXIT - WAN INTERFACE
UC - UNCONTROLLED, PE - PICK-EXIT, CN - CONTROLLED, UK - UNKNOWN
Dst-Site-Pfx Dst-Site-Id APP DSCP TC-ID APP-ID State SP PC/BC BR/EXIT
10.98.64.64/28 Internet N/A default 65 N/A CN INET 463/NA 3.3.3.3/Tunnel12
10.10.0.0/24 1.1.1.1 N/A default 77 N/A CN MPLS 470/NA 3.3.3.3/Tunnel11
10.10.0.0/24 1.1.1.1 N/A af11 78 N/A CN INET 473/472 3.3.3.3/Tunnel12
Total Traffic Classes: 3 Site: 2 Internet: 1
POD5-BR-RTR#show domain default master channels dscp af11
Legend: * (Value obtained from Network delay:)
Channel Id: 472 Dst Site-Id: 1.1.1.1 Link Name: MPLS DSCP: af11 [10] TCs: 0
Channel Created: 00:04:57 ago
Provisional State: Initiated and open
Operational state: Available
Interface Id: 19
Estimated Channel Egress Bandwidth: 23 Kbps
Immitigable Events Summary:
Total Performance Count: 0, Total BW Count: 0
ODE Stats Bucket Number: 1
Last Updated : 00:00:28 ago
Packet Count : 2061
Byte Count : 87280
One Way Delay : 163 msec*
Loss Rate Pkts: 0.0 %
Loss Rate Byte: 0.0 %
Jitter Mean : 17449 usec
Unreachable : FALSE
ODE Stats Bucket Number: 2
Last Updated : 00:03:27 ago
Packet Count : 2033
Byte Count : 86110
One Way Delay : 216 msec*
Loss Rate Pkts: 0.0 %
Loss Rate Byte: 0.0 %
Jitter Mean : 25610 usec
Unreachable : FALSE
TCA Statitics:
Received:2 ; Processed:2 ; Unreach_rcvd:0
Latest TCA Bucket
Last Updated : 00:00:28 ago
One Way Delay : 163 msec*
Loss Rate Pkts: NA
Loss Rate Byte: NA
Jitter Mean : NA
Unreachability: FALSE
Channel Id: 473 Dst Site-Id: 1.1.1.1 Link Name: INET DSCP: af11 [10] TCs: 1
Channel Created: 00:04:53 ago
Provisional State: Initiated and open
Operational state: Available
Interface Id: 20
Estimated Channel Egress Bandwidth: 23 Kbps
Immitigable Events Summary:
Total Performance Count: 0, Total BW Count: 0
ODE Stats Bucket Number: 1
Last Updated : 00:00:27 ago
Packet Count : 586
Byte Count : 42192
One Way Delay : 58 msec*
Loss Rate Pkts: 0.67 %
Loss Rate Byte: 0.0 %
Jitter Mean : 374 usec
Unreachable : FALSE
ODE Stats Bucket Number: 2
Last Updated : 00:03:28 ago
Packet Count : 591
Byte Count : 42552
One Way Delay : 59 msec*
Loss Rate Pkts: 0.16 %
Loss Rate Byte: 0.0 %
Jitter Mean : 345 usec
Unreachable : FALSE
TCA Statitics:
Received:0 ; Processed:0 ; Unreach_rcvd:0
Step 6 Go back to your Branch PC, connect to the ESXi vCenter server on that module
using the information in the Lab Resources section of this guide, and remove the
impairment from WANBRIDGE-1.
Step 7 Open the console access and select option 3: 40ms Round trip delay with .1% packet
loss.
Activity Verification
You have completed this task when you attain these results:
You have provided route control to PfR, which now controls traffic paths according to
desired policy.
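The policy check this task exercises, as an added example (not part of the lab guide): a parser for the show domain default master channels output from Step 5 that compares each channel's newest one-way-delay bucket with the 120 ms threshold of the class policy and flags a channel that still carries traffic classes while out of policy. The function names are hypothetical, SAMPLE is an excerpt of the Step 5 output, and judging a channel by one bucket is a simplifying assumption, not a description of PfR's own decision logic.

```python
import re

THRESHOLD_MS = 120  # "one-way-delay threshold 120" in the class policy

# Excerpt of the Step 5 output above (lines not needed here are omitted).
SAMPLE = """\
Channel Id: 472 Dst Site-Id: 1.1.1.1 Link Name: MPLS DSCP: af11 [10] TCs: 0
ODE Stats Bucket Number: 1
Last Updated : 00:00:28 ago
One Way Delay : 163 msec*
Loss Rate Pkts: 0.0 %
ODE Stats Bucket Number: 2
Last Updated : 00:03:27 ago
One Way Delay : 216 msec*
Loss Rate Pkts: 0.0 %
TCA Statitics:
Received:2 ; Processed:2 ; Unreach_rcvd:0
Latest TCA Bucket
Last Updated : 00:00:28 ago
One Way Delay : 163 msec*
Loss Rate Pkts: NA
Channel Id: 473 Dst Site-Id: 1.1.1.1 Link Name: INET DSCP: af11 [10] TCs: 1
ODE Stats Bucket Number: 1
Last Updated : 00:00:27 ago
One Way Delay : 58 msec*
Loss Rate Pkts: 0.67 %
ODE Stats Bucket Number: 2
Last Updated : 00:03:28 ago
One Way Delay : 59 msec*
Loss Rate Pkts: 0.16 %
TCA Statitics:
Received:0 ; Processed:0 ; Unreach_rcvd:0
"""

CHANNEL_RE = re.compile(
    r"^Channel Id: (\d+)\s+Dst Site-Id: (\S+)\s+Link Name: (\S+)\s+"
    r"DSCP: (\S+) \[\d+\]\s+TCs: (\d+)")


def parse_channels(text):
    """Return one dict per channel with its ODE buckets and TCA count."""
    channels, chan, bucket = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CHANNEL_RE.match(line)
        if m:
            chan = {"id": int(m[1]), "site": m[2], "link": m[3], "dscp": m[4],
                    "tcs": int(m[5]), "buckets": [], "tca_received": 0}
            channels.append(chan)
            bucket = None
        elif chan is None:
            continue
        elif (m := re.match(r"ODE Stats Bucket Number: (\d+)", line)):
            bucket = {"number": int(m[1]), "age_s": None,
                      "delay_ms": None, "loss_pct": None}
            chan["buckets"].append(bucket)
        elif line.startswith(("TCA Stat", "Latest TCA Bucket")):
            bucket = None  # following delay/loss lines belong to the TCA section
        elif (m := re.match(r"Received:(\d+)", line)):
            chan["tca_received"] = int(m[1])
        elif bucket is None:
            continue
        elif (m := re.match(r"Last Updated\s*:\s*(\d+):(\d+):(\d+)", line)):
            bucket["age_s"] = int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3])
        elif (m := re.match(r"One Way Delay\s*:\s*(\d+) msec", line)):
            bucket["delay_ms"] = int(m[1])
        elif (m := re.match(r"Loss Rate Pkts:\s*([\d.]+) %", line)):
            bucket["loss_pct"] = float(m[1])
    return channels


def evaluate(channels, threshold_ms=THRESHOLD_MS):
    """Map channel id to its newest delay sample and policy verdict."""
    report = {}
    for chan in channels:
        usable = [b for b in chan["buckets"]
                  if b["delay_ms"] is not None and b["age_s"] is not None]
        newest = min(usable, key=lambda b: b["age_s"]) if usable else None
        delay = newest["delay_ms"] if newest else None
        report[chan["id"]] = {
            "link": chan["link"],
            "delay_ms": delay,
            # Assumption: out of policy means the sample exceeds the threshold.
            "in_policy": delay is not None and delay <= threshold_ms,
            "carrying_traffic": chan["tcs"] > 0,
        }
    return report


def violations(report):
    """Channel ids that carry traffic classes while out of policy."""
    return sorted(cid for cid, r in report.items()
                  if r["carrying_traffic"] and not r["in_policy"])


if __name__ == "__main__":
    for cid, row in evaluate(parse_channels(SAMPLE)).items():
        print(cid, row)
```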
Optional Lab: Application Optimization – Using WAAS
Activity Objective
In this activity you deploy the building blocks of a WAN optimization deployment using
WAAS and AppNav.
After completing this activity, you will be able to meet these objectives:
Deploy vWAAS running on UCS-E at the branch router.
Configure AppNav-XE on Data Center and Cloud Services routers using Cisco Prime
Infrastructure templates.
Verify WAAS optimization effectiveness using WAAS Central Manager.
Visual Objective
The figure illustrates the lab topology you will be working with.
Task 1: Deploy vWAAS At the Branch ISR G2 Router
In this task, you will initialize the branch vWAAS service, register the device to the WAAS
Central Manager, and configure WCCP as the traffic interception method for WAN
optimization services in the branch.
Step 1 Log in to the Branch PC, connect to the ESXi vCenter server on that module using
the information on the Lab Resources section of this guide and power up the
vWAAS virtual machine. Wait until the VM is powered up.
Step 2 Log in to the Data Center PC and access the WAAS Central Manager GUI using a
web browser, at https://10.10.0.111:8443. Dismiss digital certificate warnings on
your browser, and log in to WAAS Central Manager using the credentials found in
the Lab Resources section of this lab guide.
Step 3 Navigate to the Devices using the top menu. Verify that all WAAS Application
Accelerators on the Data Center and Cloud Services locations are registered to the
Central Manager.
Note The Management Status column will display all devices Online.
Step 4 You will now initialize the branch vWAAS devices. Remember, this device is
hosted as a virtual machine on the UCS-E module of the branch router. Log in to the
Branch PC and connect to the ESXi vCenter server on the UCS-E module using the
information on the Lab Resources section of this lab guide.
Step 5 Navigate to the console of the PodX-BR-vWAAS1 virtual machine, and log in using
the credentials found in the Lab Resources section of this lab guide.
Step 6 Configure a hostname of PodX-BR-vWAAS.
Note Remember, X=pod number
NO-HOSTNAME#config t
NO-HOSTNAME(config)#hostname BR-vWAAS
Step 7 Configure interface virtual 1/0 with an IP address of 10.10.X1.4/24, and configure a
default gateway of 10.10.X1.1.
BR-vWAAS(config)#interface virtual 1/0
BR-vWAAS(config-if)#ip address 10.10.X1.4 255.255.255.0
BR-vWAAS(config-if)# no shut
BR-vWAAS(config-if)#exit
BR-vWAAS(config)#ip default-gateway 10.10.X1.1
Step 8 Configure the virtual 1/0 interface as primary, and verify you can ping the WAAS
Central Manager at 10.10.0.111.
BR-vWAAS(config)#primary-interface virtual 1/0
BR-vWAAS(config)#exit
BR-vWAAS#ping 10.10.0.111
PING 10.10.0.111 (10.10.0.111) 56(84) bytes of data.
64 bytes from 10.10.0.111: icmp_seq=1 ttl=62 time=81.1 ms
64 bytes from 10.10.0.111: icmp_seq=2 ttl=62 time=81.6 ms
64 bytes from 10.10.0.111: icmp_seq=3 ttl=62 time=81.5 ms
64 bytes from 10.10.0.111: icmp_seq=4 ttl=62 time=81.3 ms
64 bytes from 10.10.0.111: icmp_seq=5 ttl=62 time=81.2 ms
--- 10.10.0.111 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4000ms
rtt min/avg/max/mdev = 81.129/81.382/81.656/0.407 ms
Step 9 Configure the Central Manager IP address and register with it by running the cms
enable command.
BR-vWAAS(config)#central-manager address 10.10.0.111
BR-vWAAS(config)#cms enable
Registering WAAS Applicatio Engine…
Sending device registraion request to Central Manager with address 10.10.0.111
Please Wait, initializing CMS tables
Successfully initialized CMS tables
Registration complete.
Please preserve running configuration using ‘copy running-config startup-config’.
Otherwise management service will not be started on reload and node will be shown ‘offline’ in the WAAS Central Manager UI.
Management services enabled
BR-vWAAS(config)#
Step 10 Connect to the DC PC again, and go back to the Devices option in WAAS Central
Manager. Verify that the BR-vWAAS device is now registered and online. You will
notice, however, that it shows Not Active in the License Status column.
Step 11 Click Activate All Inactive Devices in the menu at the top of the device list.
Step 12 Select the radio button next to Select an existing location for all inactive
Devices, select your branch location from the drop-down, and then click Submit.
The branch vWAAS device will now show Enterprise in the License Status column.
Step 13 Click the BR-vWAAS device icon to edit the device using the device dashboard.
Step 14 Click the link “1 Device Group(s)” in the Assignments field to assign this
device to a device group.
Step 15 Click the blue X next to the Branches device group, and click Submit at the bottom.
Note The blue X becomes a green arrow when you click on it.
Step 16 Go back to the BR-vWAAS dashboard by clicking BR-vWAAS>Dashboard at
the top.
Step 17 Select WCCP from the Interception Method dropdown.
Step 18 Configure these WCCP settings:
Enable WCCP Service: checked
Use Default Gateway as WCCP Router: checked
Redirect Method: WCCP GRE
Egress Method: WCCP GRE
Activity Verification
You have completed this task when you attain these results:
You have registered the Branch WAE to Central Manager and configured it for WCCP
interception.
Task 2: Configure the Branch Router for WCCP
In this task, you will use Cisco Prime templates to configure the branch router to intercept and
redirect traffic to the WAE using WCCP.
Step 1 Connect to the Data Center PC and log in to the Cisco Prime Infrastructure GUI
using the credentials found in the Lab Resources section of this lab guide.
Step 2 Navigate to Design>Configuration>Feature Design, and click the My Templates
folder.
Step 3 On the panel on the right, click the WCCP-for-WAAS link under the Name column.
Step 4 Review the CLI commands in the Template Detail box, as they configure routers to
join a WCCP domain for redirection into the branch vWAAS.
Step 5 Click Close, and then click to select the checkbox next to the same WCCP-for-WAAS
template.
Step 6 Click Deploy, and select the Power Branches site group in the Device Selection
section.
Step 7 Under the Value Assignment section, configure these settings:
LAN Interface: ucse1/0
Outbound Interface: Tunnel10-12
Inbound Interface: Tunnel10-12
Note Notice how the interface settings configure interface ranges, Tunnel10-12. You are
deploying WAAS optimization on the two DMVPN tunnels that connect the branch to the
Data Center, as well as the DMVPN tunnel that connects the branch to the Cloud Services
segment.
Step 8 Click Apply, then OK to deploy.
Step 9 Connect to the branch router using the terminal server, and confirm that the BR-
vWAAS WAE is detected as part of the WCCP domain from the router. Use the
show ip wccp clients command for WCCP groups 61 and 62.
POD4-BR-RTR#show ip wccp 61 clients
WCCP Client information:
WCCP Client ID: 10.10.41.4
Protocol Version: 2.00
State: Usable
Redirection: GRE
Packet Return: GRE
Assignment: MASK
Connect Time: 00:15:37
Redirected Packets:
Process: 0
CEF: 97
GRE Bypassed Packets:
Process: 0
CEF: 97
Mask Allotment: 16 of 16 (100.00%)
POD4-BR-RTR#show ip wccp 62 clients
WCCP Client information:
WCCP Client ID: 10.10.41.4
Protocol Version: 2.00
State: Usable
Redirection: GRE
Packet Return: GRE
Assignment: MASK
Connect Time: 00:15:45
Redirected Packets:
Process: 0
CEF: 524
GRE Bypassed Packets:
Process: 0
CEF: 298
Mask Allotment: 16 of 16 (100.00%)
Step 10 Back at the Branch PC, generate traffic for all applications, YouTube and
SharePoint. Verify that connectivity to these services has not been affected even
though WAAS is still not configured on the Data Center or the Cloud Service.
Step 11 Log back into WAAS Central Manager, and navigate to
Home>Monitor>Network>Summary Report.
Step 12 Scroll down to the Traffic Summary Over Time dashlet, and click to compare
original versus optimized traffic. Optimized traffic statistics are non-existent
because the WAAS device at the branch is passing traffic through, in the absence of
a WAAS device at the Data Center. This demonstrates the transparency and
flexibility of WAAS deployments.
Step 13 To verify Pass-Through, you can click the Pass-Through checkbox of the Traffic
Summary Over Time dashlet, or look at the statistics on the
Activity Verification
You have completed this task when you attain these results:
Your branch router is redirecting traffic to the WAAS device, and the WAAS device is
passing-through traffic.
Task 3: Deploy Akamai Connect for the Branch
In this task, you will configure the Akamai Connect feature within WAAS. You will enable
Akamai Connect through the WAAS Central Manager to cache Web traffic in the branch
vWAAS instance.
Step 1 Akamai Connect requires the Central Manager be configured with proper DNS and
NTP settings. Connect to the Central Manager menu and select the CM device from
the Devices dropdown menu.
Step 2 Click Network>DNS and configure the following settings: Local DNS
Name: podX.ax.local and List of DNS Servers: 128.107.212.175. Then click
Submit to save your settings.
Step 3 Check that your CM NTP settings also use the same server as our DNS by
moving your mouse over Configure and clicking Date/Time>NTP. If you need
to, set the NTP server to 128.107.212.175 and click Submit.
Step 4 In Central Manager menu, navigate to Device Groups>Branch, click on Branch and
then choose Configure > Caching > Akamai Connect.
Step 5 Under the cache settings click on the check box to enable Akamai Connect.
Step 6 Accept the End User License Agreement.
Note This will then disappear off the screen and in the lower left corner of the page is the Submit
button to finish this process.
Step 7 Using your Branch PC, browse to websites such as www.cnn.com,
www.espn.com and www.cisco.com.
Step 8 Close the pages and clear your Branch PC’s Browser’s Cache, then reopen the same
web pages.
Activity Verification
You have completed this task when you attain these results:
Akamai Connect is now configured and can be monitored and managed from WAAS
Central Manager.
Task 4: Deploy AppNav at the Data Center ASR Router
In this task, you will configure AppNav on the ASR router in the Data Center using the Cisco
WAAS Central Manager. Refer to the Visual Objectives of this lab to clarify the AppNav
Cluster topology for this router: the ASR will become the AppNav Controller, redirecting
traffic to the vWAAS appliances on the Data Center segment (WN1 and WN2), which will
become the WAAS Nodes in the cluster.
Step 1 Connect to the data center router using the terminal server and, from config
mode, generate an RSA crypto key using the command crypto key generate rsa.
Accept the default 512 key size.
Step 2 Log in to the WAAS Central Manager GUI, and navigate to
Home>Admin>Security>Cisco IOS Global Router Credentials
Step 3 Configure username admin, password labops.
Note The credentials you just configured will allow Central Manager to use HTTPS to
communicate with all registered IOS routers.
Step 4 Now navigate to Home > Admin > Registration > Cisco IOS Routers, in order to
register the ASR device to Central Manager.
Step 5 Configure these settings:
IP Address(es): 1.1.1.1
Username: admin
Password: labops
Enable password: lab-cert
Step 6 Click Register. After a few seconds, the ASR router will appear under the
Registration Status section at the bottom. The Status column displays a successful
status, and the Router Type column displays AppNav-XE Controller.
Step 7 You will now use the AppNav wizard to set up the Data Center AppNav Cluster
using the WN1 and WN2 vWAAS instances. Navigate to the AppNav menu at the
top and select the All AppNav option.
Step 8 In the AppNav section, click to launch the AppNav Wizard.
Step 9 Select the ASR 1000 Series from the AppNav Platform drop down list.
Step 10 Then select Next at the bottom of the screen.
Step 11 Configure these settings:
Cluster Name: DC-WNG
WAAS Cluster Id: waas/2
Step 12 Click Next and choose the following under Device Selection:
AppNav-XEs: PODX-DC-RTR
WAAS Node: vWN1 & vWN2
Step 13 Click Next and notice the Default VRF is already chosen, so click Next again to
set up Interception/Cluster Interfaces. Select the following settings:
WAN interfaces: Tunnel0 and Tunnel1
Select the Cluster Interface: GigabitEthernet0/0/1
Step 14 Click Next to select the Cluster Interface on the WAAS Node.
Step 15 Set Virtual 1/0 as the Cluster Interface, click Next, and on the next screen click
Finish.
Step 16 After a few minutes the new AppNav Cluster will turn green and be
fully operational.
Activity Verification
You have completed this task when you attain these results:
The Data Center AppNav cluster is configured and can be monitored and managed from
WAAS Central Manager.
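Step 1 of Task 4 accepts the 512-bit default modulus, a size that has been publicly factored, so it is suitable only for an isolated lab. The following is an added example, not part of the original lab guide, showing the lab command beside a form with an explicit 2048-bit modulus; it assumes the key pair is the router's general-purpose key, which IOS also uses for SSH.

```ios
! Lab Step 1 as written: no modulus is given, so IOS prompts for one
! and the 512-bit default is accepted (weak key).
PODX-DC-RTR(config)# crypto key generate rsa

! Form with an explicit key size (added example): remove the weak
! key pair, then generate a new one with a 2048-bit modulus.
PODX-DC-RTR(config)# crypto key zeroize rsa
PODX-DC-RTR(config)# crypto key generate rsa modulus 2048

! Accept only SSH version 2 sessions on the router.
PODX-DC-RTR(config)# ip ssh version 2
PODX-DC-RTR(config)# end

! Check the key pair that now exists and the SSH version enabled.
PODX-DC-RTR# show crypto key mypubkey rsa
PODX-DC-RTR# show ip ssh
```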
Task 5: Verify the Effectiveness of WAAS Optimization
In this task, you will use Cisco Prime Infrastructure and Cisco WAAS Central Manager GUIs
to verify the effectiveness and impact of WAAS optimization under the AppNav architecture.
Step 1 Return to the Branch PC and generate our test traffic with SharePoint and YouTube.
Step 2 Download the SharePoint files a few times and notice the download time will
improve from a few minutes to 10-30 seconds.
Step 3 From the Branch PC, browse to www.cisco.com/go/iwan and select one of the 4 or 5
MB files listed on the page. Clear your browser cache again, then navigate to and
download the same file.
Step 4 Back on the DC-PC, navigate around the WAAS Central Manager and notice that a
mix of traffic optimization, HTTP and SSL traffic is shown as traffic types
in your new IWAN environment.
Step 5 Navigate to Home>Monitor>Caching>Akamai Connect
Step 6 After a few minutes your cache hit stats will start to appear.
Activity Verification
You have completed this task when you attain these results:
WAAS optimization is taking place and you can navigate the WAAS Central Manager
Dashboards and reports to verify it.