
The Ultimate IWAN Dual Data Center Lab

feat. QoS and PfR

Lab Guide

Version 1.6

Developed by: Cisco’s Solutions Readiness Engineering Team

“With Great Knowledge Comes Great Deployments”

February 6, 2017

IWAN Dual Data Center Lab – Feat. PfR & QoS

Table of Contents

Disclaimer
Lab Overview
Lab Goal
Lab Topology
Prerequisite Knowledge
Introduction
Exercise 0: Accessing the Lab Environment
Exercise 1: Lab Walkthrough
Exercise 2: Modify Traffic Flows in EIGRP
Exercise 3: Deploying Quality of Service (QoS)
Exercise 4: Configuring and Verifying PfR
Exercise 5: PfR Verification
Exercise 6: Verifying PfR Traffic Policies
Exercise 7: Simulating WAN Delay using WANem
Exercise 8: Configure and Verify flows using LiveAction
End of Lab Exercises
Optional Challenge Lab: Configure and Verify Branch/Spoke Site 3
Appendix: Router Configurations
    ROUTER R10-MC-DC1
    ROUTER R11-HUB-DC1
    ROUTER R12-HUB-DC1
    ROUTER R20-HUB-DC1
    ROUTER R21-HUB-DC2
    ROUTER R22-HUB-DC2
    ROUTER R41-SPOKE-SITE4
    ROUTER R51-SPOKE-SITE5
    ROUTER R52-SPOKE-SITE5
End Of Lab

Cisco Systems Inc. Solutions Readiness Engineering Page | 2

Disclaimer

This Guide is intended to demonstrate one way to configure the network, to meet the specified requirements of this example. There are various ways that this can be accomplished, depending on the situation and the customer’s goals/requirements. Please ensure that you consult all current official Cisco documentation before proceeding with a design or installation. This lab is primarily intended to be a learning tool, and may not necessarily follow best practice recommendation at all times, in order to convey specific information. This is not intended to be a deployment guide. It is intended for learning purposes only.

Lab Overview

This lab guide uses a custom version of the dCloud IWAN 4D Deploying for Impact Dual DC Sandbox. All procedures conducted in this lab guide will be performed in this custom dCloud lab environment.

Required Resources

The following resources and equipment are required for completing the activities in this lab guide:

• PC or laptop with a web browser (Internet Explorer or Firefox), and Cisco AnyConnect installed
• Access to the Internet
• Access to dcloud.cisco.com and the IWAN Dual DC PfR and QoS Lab v1

Lab Goal

There are many different technologies within the scope of what is called the IWAN solution. This lab takes a deep dive into the configuration of Traffic Shaping, Quality of Service (QoS), and Performance Routing (PfR) within the boundaries of a fully functional Dual Data Center IWAN lab environment. With that in mind, this lab environment has already been configured with the following:

• Two Data Centers (DC1 & DC2) acting in a dual data center configuration
• Two branch locations (BR Site 4 & BR Site 5, also called BR4 & BR5)
• DC1, DC2, BR4, & BR5 are configured with Front Door VRFs (fVRF) and Dynamic Multipoint Virtual Private Networks (DMVPN) Phase 3
• DC1 and DC2 are connected to BR4 and BR5 through the DMVPN Phase 3 tunnels over the Internet (INET) and Multi-Protocol Label Switching (MPLS) clouds
• IPSec is configured on the DMVPN tunnels
• EIGRP is running through the tunnels and includes route summarization and filtering

Branch 3 has purposefully been left un-configured as a challenge lab, if time permits.

In this lab you will practice how to prepare for deploying Quality of Service (QoS), Traffic Engineering, and Performance Routing (PfR) in a Dual Data Center IWAN lab environment.

Lab Topology

This lab is based on a custom version of the dCloud IWAN 4D Deploying for Impact – Dual DC Sandbox Lab v1. This is a fully functional Intelligent WAN (IWAN) v2.x lab that includes real and synthetic end user traffic.

Prerequisite Knowledge

A solid understanding of networking, including routing and switching is assumed. Some background with Cisco IOS, IOS XE and the IWAN solution is helpful, but not required.

Introduction

Cisco Intelligent WAN (IWAN) enables organizations to deliver an uncompromised experience over any connection. With Cisco IWAN, IT organizations can provide more bandwidth to their branch office connections by using less expensive WAN transport options without affecting performance, security, or reliability. With the IWAN solution, traffic is dynamically routed based on application service-level agreement (SLA), endpoint type, and network conditions in order to deliver the best quality experience. The realized savings from IWAN not only pay for the infrastructure upgrades, but also free resources for business innovation.

There are two primary IWAN design models: Hybrid and Dual Internet. This lab implements the IWAN Hybrid design model, which uses Multiprotocol Label Switching (MPLS) paired with Internet Virtual Private Network (VPN) as Wide Area Network (WAN) transports. In this design model, the MPLS WAN can provide more bandwidth for the critical classes of services needed for key applications and can provide SLA guarantees for these applications.

The IWAN solution incorporates numerous Cisco IOS and IOS XE features and is built on what is called “the four pillars of IWAN”. These four pillars are Transport Independence, Intelligent Path Control, Secure Connectivity, and Application Optimization.

The features implemented in this lab are Traffic Shaping, Quality Of Service (QoS) and Performance Routing (PfR), which are part of the 2nd pillar Intelligent Path Control.

Intelligent Path Control

Cisco PfR improves application delivery and WAN efficiency. PfR dynamically controls data packet forwarding decisions by looking at application type, performance, policies, and path status. PfR monitors the network performance—jitter, packet loss, and delay—and makes decisions to forward critical applications over the best-performing path based on the application policy. Cisco PfR can intelligently load balance traffic to efficiently use all available WAN bandwidth. IWAN intelligent path control is the key to providing a business-class WAN over Internet transport.

Quality of Service

Most users perceive the network as just a transport utility mechanism to shift data from point A to point B as fast as it can. Many sum this up as just “speeds and feeds.” While it is true that IP networks forward traffic on a best-effort basis by default, this type of routing only works well for applications that adapt gracefully to variations in latency, jitter, and loss. However, networks are multiservice by design and support real-time voice and video as well as data traffic. The difference is that real-time applications require packets to be delivered within the specified delay, jitter, and loss parameters.

For additional information about Cisco Intelligent WAN, visit:

• IWAN main web page - www.cisco.com/go/iwan
• IWAN 2.1 PfRv3 web page - http://bit.ly/iwan21pfrv3
• IWAN Cisco Validated Design (CVD) October 2016 - http://bit.ly/iwancvdoct2016

Exercise 0: Accessing the Lab Environment

In this exercise you will become familiar with how to access and maneuver in the dCloud lab environment.

The lab hardware for this lab is sponsored by Cisco’s dCloud offering, and this lab session requires a VPN connection between your computer and the dCloud data center that is hosting this session. Your lab proctor will provide you with all the information needed to access your lab session.

There are three options for connecting your laptop to an active dCloud session using Cisco AnyConnect VPN Client:

• Using Cisco AnyConnect Client Already Installed On Your Computer
• Downloading and Installing Cisco AnyConnect Client From Cisco.com
• Using the dCloud Browser Based Cisco AnyConnect Client

This lab guide assumes you already have Cisco AnyConnect installed on your computer, and will walk you through the first option to connect to the lab. If you do not have Cisco AnyConnect installed or need to use the Browser option, you can find those instructions at this address: http://bit.ly/connect2dcloud.

Connecting to the dCloud Lab Session

To use the Cisco AnyConnect client already installed on your laptop:

NOTE: If you are logged into another network via Cisco AnyConnect, please log off before starting this procedure.

Step 1. Start Cisco AnyConnect on your computer.

Step 2. In Cisco AnyConnect, paste the HOST URL into the connection field, and click Connect (Host URL provided by lab proctor).

NOTE: This URL may be different than the one shown in this illustration, depending on which dCloud facility is hosting the lab session.

Step 3. Paste the User name into the Username field (User name provided by lab proctor).

Step 4. Paste the saved Password into the Password field, and click OK (password provided by lab proctor).

Step 5. Click Accept, to finish connecting to the dCloud Lab.

RDPing to PC1 Using Local RDP Client on Windows

In this lab environment you will use Remote Desktop Protocol (RDP) to connect to a Virtual Machine (VM) called PC01. You will use PC01 as an access point to control all devices in the lab.

If you are using an Apple Mac, please follow this link to get instructions on how to connect via a Mac: http://bit.ly/dcloudrdpmac .

NOTE: Due to the differences in Windows operating systems, your steps may differ slightly.

Step 6. On your computer, launch Remote Desktop Connection.

Step 7. Click Show Options.

Step 8. On the General tab, enter 198.18.133.36 in the computer field, and Administrator in the user name field.

Step 9. Click the Local Resources tab.

Step 10. In the Remote Audio section, click Settings.

Step 11. In the Remote Audio Playback section, select Play on remote Computer.

Step 12. Click OK.

NOTE: Optionally, on the General tab, click Save As and enter a name to save the connection information. This is useful if you will be using this profile in future dCloud sessions.

Step 13. Click Connect.

Step 14. If you receive a security warning, click Yes or Connect to continue.

Step 15. You will be prompted for a password. In most cases you will already see your personal company and login information. Click Use Another Account, to switch users and domains.

Step 16. Enter Administrator in the username field if it is not already filled in.

Step 17. Enter the Password C1sco12345.

Step 18. Click OK, to login.

Step 19. Once you are RDPed into PC01 the following screen should open.

Exercise 1: Lab Walkthrough

In this section you will be guided through the network devices and their configurations at the beginning of the lab.

Lab Topology

[Figure: lab topology diagram showing Data Center 1 (DC1), Data Center 2 (DC2), Branch Site 4 (BR4), Branch Site 5 (BR5), and Branch Site 3 (BR3, Optional Lab)]

Lab Start Status

As a reminder, the lab is pre-configured as follows.

• DC1, DC2, BR4, and BR5 are configured with Front Door VRFs (fVRF).
• DC1, DC2, BR4, and BR5 are configured with DMVPN Phase 3 tunnels over the INET and MPLS Clouds.
• DC1, DC2, BR4, and BR5 are configured with IPsec over the DMVPN tunnels.
• EIGRP is running through the Tunnels and includes route summarization and filtering.

Navigating the Lab

In this activity, you will become familiar with the lab components. After completing this activity you will have a good understanding of how the routers are configured at the beginning of this lab.

Activity Objective:

In this activity, you will practice connecting to the devices in the lab. After completing this activity, you should be able to access all the router and switch devices in the lab via MTPuTTY.

Connecting to devices in the lab

Step 1. Click the MTPuTTY icon on the desktop of PC01.

Step 2. If necessary, expand the PuTTY sessions folder under the Servers pane on the left hand side of MTPuTTY. Double click R11-Hub-DC1 (10.1.1.11) from the PuTTY sessions list.

Step 3. Login to R11 with the username admin, and password of C1sco12345. If the R11 screen is blank, press <Enter> to get the login screen to appear.

Notice how a tab was opened on the right hand side of MTPuTTY. With MTPuTTY, you can open multiple sessions at one time and click back and forth between the sessions.

Step 4. Double click R41-Spoke-Site4 (198.18.129.22), under PuTTY sessions on the navigation pane on the left hand side of the screen.

Step 5. Login to R41-Spoke-Site4 with the username admin, and password C1sco1234 (admin might already be logged in).

Notice that a second tab opened in the content pane of MTPuTTY.

Step 6. Double click R51-Spoke-Site5 (198.18.129.22), in the navigation pane on the left hand side.

Step 7. Login to R51-Spoke-Site5 with the username admin, and password of C1sco1234 (admin might already be logged in).

NOTE: You can click and drag the tabs to reorder them.

Verifying Router Configurations

Remember that this lab features PfR and QoS, so the Transport Independence pillar of IWAN has already been configured for you, as follows:

• DC1, DC2, BR4, & BR5 are configured with Front Door VRFs (fVRF) and Dynamic Multipoint Virtual Private Networks (DMVPN) Phase 3
• DC1 and DC2 are connected to BR4 and BR5 through the DMVPN tunnels over the Internet (INET) and Multi-Protocol Label Switching (MPLS) clouds
• IPSec is configured on the DMVPN tunnels
• EIGRP is running through the tunnels and includes route summarization and filtering

Branch 3 has purposefully been left un-configured as a challenge lab, if time permits.

Activity Objective:

In this section, you will become familiar with the lab topology and how it is configured. You will also confirm that DMVPN Phase 3, IPsec, EIGRP, and fVRF are functioning as expected.

Step 8. Use the following table to verify Transport Independence is enabled. Take note of your results by filling in the chart. When testing connectivity, initiate tests from Hub to Branch, and Branch to Hub, as well as branch to branch.

NOTE: You might have to open sessions to routers you did not open in the previous section, by double clicking the name in the left hand side PuTTY sessions list in MTPuTTY.

These commands will be explained in more detail later in the lab.

|                 | DMVPN MPLS Tunnel 100 | DMVPN INET Tunnel 200 | EIGRP Routing | VRF Routes Tunnel 100   | VRF Routes Tunnel 200   | Connectivity |
| Commands        | show dmvpn detail     | show dmvpn detail     | show ip route | show ip route vrf MPLS1 | show ip route vrf INET1 | ping         |
| R11-Hub-DC1     |                       |                       |               |                         |                         |              |
| R12-Hub-DC1     |                       |                       |               |                         |                         |              |
| R21-Hub-DC2     |                       |                       |               |                         |                         |              |
| R22-Hub-DC2     |                       |                       |               |                         |                         |              |
| R41-Spoke-Site4 |                       |                       |               |                         |                         |              |
| R51-Spoke-Site5 |                       |                       |               |                         |                         |              |
| R52-Spoke-Site5 |                       |                       |               |                         |                         |              |

Step 9. With MTPuTTY, navigate to the R11-Hub-DC1 tab, and login as admin with the password of C1sco12345 again if necessary.

Step 10. Initiate the show dmvpn detail command, and evaluate the output.

Notice the following:

• VRF = MPLS1 which is on tunnel 100
• Protocol = Multi-GRE with IPsec
• Peer NBMA addr = 172.16.41.1 which is the physical interface e0/1 on R11
• Peer Tunnel addr = 192.168.100.41 which is the tunnel 100 logical interface on R11.

Press the space bar to see more of the show dmvpn detail output, including the crypto session details. Notice the crypto session for tunnel 100 is UP-ACTIVE, and there is inbound and outbound traffic.

Step 11. Initiate the show dmvpn detail command on routers R12, R21, R22, R41, R51, R52, and compare the differences between the outputs.

NOTE: Use username admin and password C1sco12345 on all routers.

Step 12. Initiate the show ip route command on router R11.

Compare the routes in the table to the topology diagram (Lab Topology section of Exercise 1, page 13 of the original guide) to make sure all the routes are in the table. Notice the outbound interface of Tunnel100 on the 192.168.100.0 network.

Step 13. Initiate the show ip route command on routers R12, R21, R22, R41, R51, R52, and compare the differences between the outputs.

Step 14. Initiate the show ip route vrf MPLS1 command on router R11, and evaluate the output.

Compare the routes in the table to the topology diagram, to make sure all the routes are in the table. Notice the IP addresses are the physical interface addresses and not the tunnel interfaces.

Step 15. Initiate the show ip route vrf MPLS1 command on routers R21, R41, R51, and compare the differences between the outputs.

Step 16. Initiate the show ip route vrf INET1 command on routers R22, R41, R52, and compare the differences between the outputs.

Why is R41 included in both of the previous commands?

Hint: Look at the topology diagram.

Step 17. Initiate the ping 10.4.4.41 command on router R11.

Repeat the command to ping 10.5.12.51
Repeat the command to ping 10.5.12.52
Repeat the command to ping 10.1.0.10

Step 18. Continue to use the ping command to various different addresses around the network. Make sure you ping from branch to branch (for example, from R41 ping 10.5.12.51) to make sure you have branch to branch routing (remember that Branch 3 is not active at this time).

Step 19. Initiate the show run | begin ip prefix-list command on router R11.

Step 20. Initiate the show run | begin eigrp command on router R11.

Notice that route summarization has been configured to help reduce the number of routes in the border routers.

Step 21. Initiate the show run command on routers R11, R12, R21, R22, R41, R51, R22, and become familiar with the overall configurations at this point of the lab.

Exercise 2: Modify Traffic Flows in EIGRP

The purpose of this exercise is to use traffic engineering techniques to influence the primary path selection process.

Activity Objective

In this activity, you will practice how to influence traffic flows in an EIGRP environment by adding delay commands to interfaces on each device. After completing this activity, you should be able to meet these objectives.

• Use EIGRP traffic engineering techniques to define the MPLS paths as the preferred paths through the DMVPN tunnels.

Visual Objective

This figure provides a visual aid for this activity.

Configuring Traffic Shaping

Step 1. Initiate the show ip route command on router R41. Capture this output in a notepad on PC01, and save it for comparison. You can also collect this same information on R11, R12, R21, R22, R51, and R52, but this lab guide will only compare R41’s RIB table output.

Notice how many routes are for Tunnel100 (MPLS), and Tunnel200 (INET).

Step 2. Initiate the following commands on routers R11 & R21. Both R11 and R21 have the same tunnel interface scheme so you can use the same configuration for both devices.

NOTE: The lab uses RDP for access to PC01, so use copy and paste from this lab guide to MTPuTTY on PC01.

configure terminal
! The interface delay value is entered in tens of microseconds
interface Tunnel100
 delay 1000
!
interface GigabitEthernet2
 description Site-Lan
 delay 24000
!
end

Step 3. Initiate the following commands on routers R12 & R22.

configure terminal
interface Tunnel200
 delay 2000
!
interface GigabitEthernet2
 description Site-Lan
 delay 24000
!
end

Step 4. Initiate the following commands on router R41.

configure terminal
! R41 terminates both tunnels: MPLS (Tunnel100) and INET (Tunnel200)
interface Tunnel100
 delay 1000
!
interface Tunnel200
 delay 20000
!
interface e0/2
 description Site-Lan1
 delay 20000
!
interface e0/3
 description Site-Lan2
 delay 20000
!
end

Step 5. Initiate the following commands on router R51.

configure terminal
interface Tunnel100
 delay 1000
!
interface e0/2
 description Site-Crosslink
 delay 20000
!
interface e0/1
 description Site-Lan
 delay 20000
!
end

Step 6. Initiate the following commands on router R52.

configure terminal
interface Tunnel200
 delay 1000
!
interface e0/2
 description Site-Crosslink
 delay 20000
!
interface e0/1
 description Site-Lan
 delay 20000
!
end

Step 7. Initiate the show ip route command again on router R41.

This is the output we saved from before Traffic Engineering was applied.


This is the output after Traffic Engineering was applied.

Why did all of the Tunnel 200 routes disappear in the 2nd output?
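How the delay values from Step 4 change the path R41 installs, as an added example that is not part of the lab guide. It uses the classic EIGRP composite metric with default K values; the link bandwidth and the delay values before the change are assumptions (the guide does not state them), and the function names are illustrative.

```python
# Added example, not from the lab guide. Classic EIGRP composite metric with
# default K values (K1 = K3 = 1). The guide states no link bandwidths or
# pre-change delays, so the three ASSUMED_* values below are illustrative.

ASSUMED_BW_KBPS = 100_000      # assumed equal on every link, so only delay differs
ASSUMED_TUNNEL_DELAY = 5_000   # assumed equal on both tunnels before Step 4
ASSUMED_LAN_DELAY = 10         # assumed equal on both hub LAN ports before Step 2


def eigrp_metric(min_bw_kbps, delays):
    """256 * (10^7 / lowest path bandwidth in kbps + summed delay).

    `delays` holds interface `delay` values. IOS takes them in tens of
    microseconds, so the configured numbers are summed as they are.
    """
    return 256 * (10**7 // min_bw_kbps + sum(delays))


def installed_paths(paths, bw_kbps=ASSUMED_BW_KBPS):
    """Return ({path: metric}, [paths installed]) with the default variance 1:
    only the lowest-metric path(s) are placed in the routing table."""
    metrics = {name: eigrp_metric(bw_kbps, d) for name, d in paths.items()}
    best = min(metrics.values())
    return metrics, [name for name, m in metrics.items() if m == best]


# R41 towards a DC1 site-LAN prefix. The delays that count are those of the
# outgoing interfaces along the path: R41's tunnel, then the hub's LAN port.
BEFORE = {
    "Tunnel100 via R11": [ASSUMED_TUNNEL_DELAY, ASSUMED_LAN_DELAY],
    "Tunnel200 via R12": [ASSUMED_TUNNEL_DELAY, ASSUMED_LAN_DELAY],
}
AFTER = {
    "Tunnel100 via R11": [1000, 24000],    # R41 Tunnel100, R11 GigabitEthernet2
    "Tunnel200 via R12": [20000, 24000],   # R41 Tunnel200, R12 GigabitEthernet2
}

if __name__ == "__main__":
    for label, paths in (("before", BEFORE), ("after", AFTER)):
        metrics, installed = installed_paths(paths)
        print(label, metrics, "installed:", installed)
```

With equal delays both tunnels tie and both are installed; after Step 4 the Tunnel200 path carries the higher metric, so only the Tunnel100 (MPLS) path stays in R41's routing table.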

Exercise 3: Deploying Quality of Service (QoS)

QoS ensures more predictable network services by providing dedicated bandwidth, controlled jitter and latency, and improved loss characteristics. QoS provides tools for managing network congestion, shaping network traffic, using WAN links more efficiently, and setting traffic policies across the network. QoS helps provide consistent, predictable network performance by offering intelligent network services.

For the network to provide secure, predictable, measurable, and sometimes guaranteed services, the fixed qualities of a network and the flow of packets must be managed with QoS. Some of the issues that can occur within a network that can have an impact on our time-sensitive packets are:

• Bandwidth – Lack of bandwidth on the network the IP packets are traversing.
• Packet Loss – Dropping of packets because of network congestion, not network outages.
• Delay Variation (Jitter) – The time difference between how long it takes packets to traverse the network.
• Out-of-Order Delivery – Different packets may take different routes and arrive at the destination in a different order than they were sent.
• Delay – The time it takes to get the packet end-to-end, or from the mouth to the ear.
    o Packetization Delay – Time required to sample and encode voice or video into an IP packet
    o Serialization Delay – Time required to put the packet on to the wire
    o Propagation Delay – Time required for the packet to traverse the media

When configuring WAN-edge QoS, you are defining how traffic egresses your network. It is critical that the classification, marking, and bandwidth allocations align to the service provider offering to ensure consistent QoS treatment end to end.

The Per-Tunnel QoS for DMVPN feature allows the configuration of a QoS policy on a DMVPN hub on a per-tunnel (spoke) basis. The QoS policy on a tunnel instance allows you to shape the tunnel traffic to individual spokes (parent policy) and to differentiate between traffic classes within the tunnel for appropriate treatment (child policy).

You can also mark the header of the GRE tunneled packets by using the QoS policy map classes. There are two methods for marking the DSCP of the tunnel headers in order to influence per-hop treatment within the service provider network. One method applies the policy to a virtual tunnel interface and the second method applies the policy to a physical interface.

The following table shows an example of how to mark the tunnel headers when using a 12- or 8-class model in the enterprise, while combining the traffic classes into a smaller 6-, 5- or 4-class model in the service provider network. The tunnel markings must match the service provider offering, so you will have to adjust the table below according to your specific service level agreement.

QoS Traffic Pattern Map

Review the following QoS Traffic Pattern Map, to become familiar with the type of application traffic that is in the lab network. This kind of information should be mapped out during deployments to help understand the traffic on the network, and help build the QoS configurations.

This table explains the type of simulated traffic that has been induced in this lab environment.

This QoS Traffic Pattern Map also includes the endpoint IP addresses for this lab environment.

Activity Objective:

In this Exercise, you will practice how to prepare and deploy Quality of Service (QoS). After completing this activity, you should be able to meet these objectives.

• Configure and verify operations of QoS policies for selected traffic types.

Define interesting traffic via access list

The access list command can be used for many different purposes within the router, but in all cases it is used to define interesting traffic. In the case of QoS, the access list creates groups of interesting host addresses or application types to be called later from the Class Maps. This allows the class maps to be very granular when classifying traffic.

Step 1. Initiate the following commands on routers R11, R12, R21, and R22.

configure terminal
!
ip access-list extended MARK-CRITICAL
 permit ip host 198.18.133.110 host 10.5.1.11
 permit ip host 198.18.133.110 host 10.5.1.12
 permit ip host 198.18.133.110 host 10.4.4.21
 permit ip host 198.18.133.110 host 10.4.4.22
!
ip access-list extended MARK-SCAVENGER
 permit tcp any eq ftp any
 permit tcp any eq ftp-data any
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
!
ip access-list extended MARK-VOIP
 permit ip host 198.18.133.36 host 10.5.1.11
 permit ip host 198.18.133.36 host 10.4.4.21
!
end

Step 2. Initiate the following commands on router R41.

configure terminal
!
ip access-list extended MARK-CRITICAL
 permit ip host 10.5.1.11 host 198.18.133.110
 permit ip host 10.5.1.12 host 198.18.133.110
 permit ip host 10.4.4.21 host 198.18.133.110
 permit ip host 10.4.4.22 host 198.18.133.110
!
ip access-list extended MARK-SCAVENGER
 permit tcp any eq ftp any
 permit tcp any eq ftp-data any
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
!
ip access-list extended MARK-VOIP
 permit ip host 10.5.1.11 host 198.18.133.36
 permit ip host 10.4.4.21 host 198.18.133.36
!
end

Step 3. Initiate the following commands on routers R51 and R52.

configure terminal

!

ip access-list extended MARK-CRITICAL permit

ip host 10.5.1.11 host 198.18.133.110

permit ip host 10.5.1.12 host 198.18.133.110

permit ip host 10.4.4.21 host 198.18.133.110

permit ip host 10.4.4.22 host 198.18.133.110

! ip access-list extended MARK-SCAVENGER

permit tcp any eq ftp any

permit tcp any eq ftp-data any

permit tcp any any eq ftp

permit tcp any any eq ftp-data

!

ip access-list extended MARK-VOIP

permit ip host 10.5.1.11 host 198.18.133.36

permit ip host 10.4.4.21 host 198.18.133.36

!

end

What are Class-Maps

The class-map command is used to define a traffic class and identify traffic to associate with the class name. Class names are used when configuring policy maps that define actions you want to take against the traffic type. The class-map command sets the match logic. In this case, the match-any keyword indicates that the maps match any of the specified criteria. This keyword is followed by the name that is assigned to the class of service. After the class-map command is configured, define specific values, such as DSCP and protocols, to match with the match command.

This chart lays out some of the values used in QoS and how they relate to one another.

Class-Map Configurations

Step 4. Initiate the following commands on routers R11, R12, R21, R22, R41, R51, and R52.

NOTE: Notice the use of the command match access-group; this is how the class-map calls the access-list created in the previous section.

configure terminal

!

class-map match-any STREAMING-VIDEO

match dscp af31 af32

!

class-map match-any INTERACTIVE-VIDEO

match dscp cs4 af41 af42

!

class-map match-any CRITICAL-DATA

match dscp af11 af21

match access-group name MARK-CRITICAL

!

class-map match-any NET-CTRL-MGMT

match dscp cs2 cs6

!

class-map match-any VOICE

match dscp ef

match access-group name MARK-VOIP

!

class-map match-any SCAVENGER

match dscp cs1

match access-group name MARK-SCAVENGER

!

class-map match-any CALL-SIGNALING

match dscp cs3

!

end

NOTE: You do not need to explicitly configure the default class.

HQ WAN 1 policy map with queuing policy

The WAN policy map references the class names that were created in the previous procedures and defines the queuing behavior, along with the minimum guaranteed bandwidth allocated to each class. Each class within the policy map invokes an egress queue and assigns a percentage of bandwidth. One additional default class defines the minimum allowed bandwidth available for best effort traffic. There are two methods for marking the tunnel headers depending on whether the policy is applied to a virtual tunnel interface or a physical interface.

NOTE: For QOS policies that will be attached to tunnel interfaces (hub router configuration), the DSCP value is set in the tunnel header, such as: set dscp tunnel [dscp value]

Modular QoS CLI

In the QoS section of this lab we will configure Class Maps, Policy Maps, and Service Policies. This three

level configuration is known as Modular QoS CLI.

Modular Quality of Service (QoS) Command-Line Interface (CLI), or MQC, provides a modular approach

to the configuration of quality of service (QoS) mechanisms. MQC is a three-level hierarchical policer

that extends the traffic policing functionality by allowing the configuration of traffic policing at three

levels of policy map hierarchies; a primary level, a secondary level, and a tertiary level. Traffic policing

may be configured at any or all of these levels, depending on the needs of your network. Configuring

traffic policing in a three-level hierarchical structure provides a high degree of granularity for traffic

policing.

Step 5. a. Initiate the following commands on hub routers R11, R12, R21, and R22.

configure terminal

!

policy-map WAN

class INTERACTIVE-VIDEO

bandwidth remaining percent 30

random-detect dscp-based

set dscp tunnel af41

!

class STREAMING-VIDEO

bandwidth remaining percent 10

random-detect dscp-based

set dscp tunnel af41

!

class NET-CTRL-MGMT

bandwidth remaining percent 5

set dscp tunnel cs6

!

class CALL-SIGNALING

bandwidth remaining percent 4

set dscp tunnel af41

!

class CRITICAL-DATA

bandwidth remaining percent 25

random-detect dscp-based

set dscp tunnel af21

!

class SCAVENGER

bandwidth remaining percent 1

set dscp tunnel af11

!

class VOICE

priority level 1

police cir percent 10

set dscp tunnel ef

!

class class-default

bandwidth remaining percent 25

random-detect

set dscp tunnel default

!

policy-map LAN-MARKING

Class CRITICAL-DATA

Set dscp af21

Class VOICE

Set dscp ef

Class SCAVENGER

Set dscp cs1

!

end

b. Initiate the following commands on routers R41, R51, and R52.

configure terminal

!

policy-map WAN

class INTERACTIVE-VIDEO

bandwidth remaining percent 30

random-detect dscp-based

set dscp af41

!

class STREAMING-VIDEO

bandwidth remaining percent 10

random-detect dscp-based

set dscp af41

!

class NET-CTRL-MGMT

bandwidth remaining percent 5

set dscp cs6

!

class CALL-SIGNALING

bandwidth remaining percent 4

set dscp af41

!

class CRITICAL-DATA

bandwidth remaining percent 25

random-detect dscp-based

set dscp af21

!

class SCAVENGER

bandwidth remaining percent 1

set dscp af11

!

class VOICE

priority level 1

police cir percent 10

set dscp ef

!

class class-default

bandwidth remaining percent 25

random-detect

set dscp default

!

policy-map LAN-MARKING

Class CRITICAL-DATA

Set dscp af21

Class VOICE

Set dscp ef

Class SCAVENGER

Set dscp cs1

!

end

HQ WAN 1 shaping policy

With WAN interfaces using Ethernet as an access technology, the demarcation point between the enterprise and service provider may no longer have a physical-interface bandwidth constraint. Instead, a specified amount of access bandwidth is contracted with the service provider. To ensure the offered load to the service provider does not exceed the contracted rate, which would result in the carrier discarding traffic, you need to configure shaping on the physical interface. When you configure the shape average command, ensure that the value matches the contracted bandwidth rate from your service provider.

Step 6. Initiate the following commands on routers R11, R12, R21, R22.

configure terminal

policy-map INTERFACE-G1

class class-default

shape average 100000000

!

interface GigabitEthernet1

service-policy output INTERFACE-G1

!

Interface GigabitEthernet2

Service-policy input LAN-MARKING

!

end

Step 7. Initiate the following commands on router R41.

configure terminal

policy-map INTERFACE-E0/0

class class-default

shape average 20000000

service-policy WAN

!

policy-map INTERFACE-E0/1

Class class-default

Shape average 10000000

Service-policy WAN

!

Interface Ethernet0/0

service-policy output INTERFACE-E0/0

!

Interface Ethernet0/1

service-policy output INTERFACE-E0/1

!

Interface Ethernet0/2

Service-policy input LAN-MARKING

!

end

Step 8. Initiate the following commands on routers R51 and R52.

configure terminal

!

policy-map INTERFACE-E0/0

class class-default

shape average 10000000

service-policy WAN

!

interface Ethernet0/0

service-policy output INTERFACE-E0/0

!

Interface Ethernet0/1

Service-policy input LAN-MARKING

!

end

Per-tunnel QoS policy for DMVPN hub router

The QoS policy on a tunnel instance allows you to shape the tunnel traffic to individual spokes and to

differentiate between traffic classes within the tunnel for appropriate treatment. The QoS policy on the

tunnel instance is defined and applied only to the Dynamic Multipoint Virtual Private Network (DMVPN)

hub routers at the central site. The remote-site router signals the QoS group policy information to the hub

router with a command in the Next Hop Resolution Protocol (NHRP) configuration, which greatly

reduces Quality Of Service (QoS) configuration and complexity. The hub router applies the signaled policy

in the egress direction for each remote site.

The bandwidth remaining ratio command is used to provide each site with their fair share of the remaining

bandwidth when the outbound interface is experiencing congestion. If you do not use this command, the

lower bandwidth sites will get all of their assigned bandwidth, while the higher bandwidth sites will get

less than their fair share.

With Per-Tunnel QoS for DMVPN, the queuing and shaping is performed at the outbound physical

interface for the GRE/IPsec tunnel packets. This means that the GRE header, the IPsec header and the

layer2 (for the physical interface) header are included in the packet-size calculations for shaping and

bandwidth queuing of packets under QoS.

Visual Objective

Configuring Per-Tunnel QoS for DMVPN hub routers

Step 9. Initiate the following commands on routers R11, R12, R21, and R22

configure terminal

!

policy-map RS-GROUP-20MBPS-POLICY

class class-default

shape average 20000000

bandwidth remaining ratio 20

service-policy WAN

!

policy-map RS-GROUP-30MBPS-POLICY

class class-default

shape average 30000000

bandwidth remaining ratio 30

service-policy WAN

!

policy-map RS-GROUP-300MBPS-POLICY

class class-default

shape average 300000000

bandwidth remaining ratio 300

service-policy WAN

!

policy-map RS-GROUP-200MBPS-POLICY

class class-default

shape average 200000000

bandwidth remaining ratio 200

service-policy WAN

!

policy-map RS-GROUP-100MBPS-POLICY

class class-default

shape average 100000000

bandwidth remaining ratio 100

service-policy WAN

!

policy-map RS-GROUP-50MBPS-POLICY

class class-default

shape average 50000000

bandwidth remaining ratio 50

service-policy WAN

!

policy-map RS-GROUP-10MBPS-POLICY

class class-default

shape average 10000000

bandwidth remaining ratio 10

service-policy WAN

!

end
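The fair-share effect of bandwidth remaining ratio can be checked with a small model. This is an added example, not part of the lab guide and not the IOS scheduler: it uses the 100 Mbps hub shaper from Step 6 and three of the Step 9 policy rates, and the three site names are hypothetical.

```python
"""Model of hub egress sharing between per-tunnel shapers.

Weighted max-min ("water-filling") allocation: the congested link is split
in proportion to each tunnel's weight, no tunnel gets more than its shape
rate, and whatever a capped tunnel cannot use is re-shared among the rest.
This is a teaching model, not the IOS scheduler.
"""

HUB_LINK_BPS = 100_000_000  # 'shape average 100000000' on the hub's GigabitEthernet1

# Constructed spoke set using three of the lab's policy rates; the site
# names are hypothetical. Values are (shape average, bandwidth remaining ratio).
WITH_RATIO = {
    "site-10M": (10_000_000, 10),
    "site-50M": (50_000_000, 50),
    "site-100M": (100_000_000, 100),
}
# Same shapers with the ratio command left out: every tunnel weighs the same.
WITHOUT_RATIO = {name: (shape, 1) for name, (shape, _) in WITH_RATIO.items()}


def allocate(link_bps, tunnels):
    """Return {tunnel: bps} when every tunnel offers at least its shape rate."""
    alloc = {name: 0 for name in tunnels}
    active = set(tunnels)
    remaining = float(link_bps)
    while active:
        total_weight = sum(tunnels[n][1] for n in active)
        share = {n: remaining * tunnels[n][1] / total_weight for n in active}
        capped = [n for n in active if share[n] >= tunnels[n][0]]
        if not capped:
            # Nobody reaches its shaper: the proportional split is final.
            for n in active:
                alloc[n] = round(share[n])
            break
        for n in capped:
            # Tunnel is limited by its own shaper; free the rest for others.
            alloc[n] = tunnels[n][0]
            remaining -= tunnels[n][0]
            active.discard(n)
    return alloc


def percent_of_contract(link_bps, tunnels):
    """Allocation expressed as a percentage of each tunnel's shape rate."""
    alloc = allocate(link_bps, tunnels)
    return {n: round(100 * alloc[n] / tunnels[n][0], 1) for n in tunnels}


if __name__ == "__main__":
    for label, tunnels in (("without ratio", WITHOUT_RATIO), ("with ratio", WITH_RATIO)):
        print(label, allocate(HUB_LINK_BPS, tunnels),
              percent_of_contract(HUB_LINK_BPS, tunnels))
```

With equal weights the 10 Mbps site keeps its full rate while the 100 Mbps site is held to 45 percent of its contract; with ratios that follow the shape rates every site is reduced by the same proportion.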

HQ WAN 1 apply per-tunnel QoS NHRP policies on DMVPN hub router

The QoS policy that the hub uses for a particular endpoint or spoke is selected by the NHRP group in

which the spoke is configured.

Prerequisites and important caveats:

DMVPN must be fully configured and operational before you can configure an NHRP group on a

spoke or map the NHRP group to a QoS policy on a hub.

Although you may configure multiple spokes as part of the same NHRP group, the tunnel traffic

for each spoke is measured individually for shaping and policing.

Only output NHRP policies are supported. These apply to per-site traffic egressing the router

towards the WAN.

Step 10. Initiate the following commands on routers R11, and R21

configure terminal

interface Tunnel100

ip nhrp map group RS-GROUP-300MBPS service-policy output RS-GROUP-300MBPS-POLICY

ip nhrp map group RS-GROUP-200MBPS service-policy output RS-GROUP-200MBPS-POLICY

ip nhrp map group RS-GROUP-100MBPS service-policy output RS-GROUP-100MBPS-POLICY

ip nhrp map group RS-GROUP-50MBPS service-policy output RS-GROUP-50MBPS-POLICY

ip nhrp map group RS-GROUP-30MBPS service-policy output RS-GROUP-30MBPS-POLICY

ip nhrp map group RS-GROUP-20MBPS service-policy output RS-GROUP-20MBPS-POLICY

ip nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY

end

wr

Step 11. Initiate the following commands on routers R12, and R22

configure terminal

interface Tunnel200

ip nhrp map group RS-GROUP-300MBPS service-policy output RS-GROUP-300MBPS-POLICY

ip nhrp map group RS-GROUP-200MBPS service-policy output RS-GROUP-200MBPS-POLICY

ip nhrp map group RS-GROUP-100MBPS service-policy output RS-GROUP-100MBPS-POLICY

ip nhrp map group RS-GROUP-50MBPS service-policy output RS-GROUP-50MBPS-POLICY

ip nhrp map group RS-GROUP-30MBPS service-policy output RS-GROUP-30MBPS-POLICY

ip nhrp map group RS-GROUP-20MBPS service-policy output RS-GROUP-20MBPS-POLICY

ip nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY

end

wr

Configure per-tunnel QoS NHRP policy on Branch Routers

Apply the NHRP group policy to each service provider DMVPN tunnel interface on the Branch routers. Use the NHRP group name as defined on the hub router.

Step 12. Initiate the following commands on router R41.

configure terminal

!

interface Tunnel100

ip nhrp group RS-GROUP-10MBPS

!

interface Tunnel200

ip nhrp group RS-GROUP-20MBPS

!

end

wr

Step 13. Initiate the following commands on router R51.

configure terminal

!

interface Tunnel100

ip nhrp group RS-GROUP-10MBPS

!

end

wr

Step 14. Initiate the following commands on router R52.

configure terminal

!

interface Tunnel200

ip nhrp group RS-GROUP-20MBPS

!

end

wr
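Because the hub selects the per-tunnel policy purely by NHRP group name, a spoke group that matches no hub map selects nothing. The following offline check is an added example, not part of the lab guide: it assumes saved running-config excerpts with normal indentation and the same tunnel interface number on hub and spoke for each transport, and the sample text, the missing policy-map on R11 and the spoke R99 are constructed.

```python
import re

POLICY_RE = re.compile(r"policy-map\s+(\S+)$", re.I)
IFACE_RE = re.compile(r"interface\s+(\S+)$", re.I)
MAP_RE = re.compile(r"ip nhrp map group\s+(\S+)\s+service-policy output\s+(\S+)$", re.I)
GROUP_RE = re.compile(r"ip nhrp group\s+(\S+)$", re.I)

# Constructed excerpts in 'show running-config' layout. Names follow the lab;
# the missing 20MBPS policy-map on R11 and the spoke R99 are deliberate,
# hypothetical mistakes for the check to find.
HUBS = {
    "R11": """
policy-map RS-GROUP-10MBPS-POLICY
 class class-default
  shape average 10000000
interface Tunnel100
 ip nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY
 ip nhrp map group RS-GROUP-20MBPS service-policy output RS-GROUP-20MBPS-POLICY
""",
    "R12": """
policy-map RS-GROUP-10MBPS-POLICY
 class class-default
  shape average 10000000
policy-map RS-GROUP-20MBPS-POLICY
 class class-default
  shape average 20000000
interface Tunnel200
 ip nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY
 ip nhrp map group RS-GROUP-20MBPS service-policy output RS-GROUP-20MBPS-POLICY
""",
}
SPOKES = {
    "R41": "interface Tunnel100\n ip nhrp group RS-GROUP-10MBPS\n"
           "interface Tunnel200\n ip nhrp group RS-GROUP-20MBPS\n",
    "R51": "interface Tunnel100\n ip nhrp group RS-GROUP-10MBPS\n",
    "R99": "interface Tunnel200\n ip nhrp group RS-GROUP-25MBPS\n",
}


def parse_ios(text):
    """Return (policies, hub_maps, spoke_groups) found in one config.

    hub_maps is {interface: {group: policy}}, spoke_groups is {interface: group}.
    """
    policies, hub_maps, spoke_groups = set(), {}, {}
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            # Top-level command: enters or leaves interface context.
            m = IFACE_RE.match(line)
            iface = m.group(1) if m else None
            m = POLICY_RE.match(line)
            if m:
                policies.add(m.group(1))
            continue
        if iface is None:
            continue
        m = MAP_RE.match(line)
        if m:
            hub_maps.setdefault(iface, {})[m.group(1)] = m.group(2)
            continue
        m = GROUP_RE.match(line)
        if m:
            spoke_groups[iface] = m.group(1)
    return policies, hub_maps, spoke_groups


def audit(hubs, spokes):
    """Return a list of (router, interface, problem) tuples."""
    findings = []
    served = {}  # tunnel interface -> groups a hub maps to an existing policy
    for hub, cfg in sorted(hubs.items()):
        policies, hub_maps, _ = parse_ios(cfg)
        for iface, groups in hub_maps.items():
            for group, policy in groups.items():
                if policy in policies:
                    served.setdefault(iface, set()).add(group)
                else:
                    findings.append(
                        (hub, iface, f"{group} maps to undefined policy-map {policy}"))
    for spoke, cfg in sorted(spokes.items()):
        for iface, group in parse_ios(cfg)[2].items():
            if group not in served.get(iface, set()):
                findings.append(
                    (spoke, iface, f"NHRP group {group} is not mapped on any hub"))
    return findings


if __name__ == "__main__":
    for finding in audit(HUBS, SPOKES):
        print(*finding, sep=": ")
```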

Verify QoS policy on the routers physical interfaces

Step 15. Initiate the command show run interface e0/0 on routers R41, R51, and R52 to verify

that your output matches below.

Step 16. Initiate show run interface e0/1 & show run interface e0/2 on router R41, to verify

that your output matches below.

Step 17. Initiate show run interface e0/1, on routers R51 and R52.

Verify DMVPN per-tunnel QoS from each of the four hub routers.

Step 18. Initiate the show dmvpn detail command on routers R11, R12, R21, R22.

Output for router R11

Output for router R12

Exercise 4: Configuring and Verifying PfR

All sites belong to a PfR domain where the remote site MCs are peered together. Peering has been

greatly enhanced in PfRv3 which allows site information exchange and single touch provisioning.

PfRv3 has simplified policies with pre-existing templates. The policy configuration for the PfR domain is

done in the hub MC and the information is distributed to all sites via MC peering. This not only simplifies

provisioning substantially, but also makes the policy consistent across the entire IWAN network.

Activity Objective

In this activity, you will practice how to configure PfRv3 on the Master Controllers, Hub Border Routers,

and Spoke Border Routers.

Configure and verify operations of Master Controller Hub and Master Controller Transit Routers

Configure and verify operation of Hub Border Routers at Data Center 1 (Master Controller), and

Data Center 2 (Transit Site).

Configure and verify operation of Branch Border Routers at sites 4 and 5.

Visual Objective

Master controller access

Step 1. Double click on R10-MC-DC1 (198.18.129.201) in the left hand side navigation pane in

MTPuTTY. This will open a new tab on the right hand side of MTPuTTY.

Step 2. Login to R10 with the username admin, password C1sco12345.

Step 3. Double click on R20-MC-DC2 (10.2.1.20) in the left hand side navigation pane in

MTPuTTY. This will open a new tab on the right hand side of MTPuTTY.

Step 4. Login to R20 with the username admin, password C1sco12345.

Configure and verify Master Controllers and Hub Border Routers

Step 5. Initiate the following commands on router R10. This is Data Center 1’s Hub Master

Controller.

Configure terminal

domain 10

vrf default

master hub

source-interface Loopback0

site-prefixes prefix-list DC1_Prefix

enterprise-prefix prefix-list ENT_Prefix

!

ip prefix-list DC1_Prefix seq 25 permit 198.18.0.0/16

ip prefix-list DC1_Prefix seq 40 permit 10.1.0.0/16

!

ip prefix-list ENT_Prefix seq 5 permit 198.18.0.0/16

ip prefix-list ENT_Prefix seq 15 permit 10.0.0.0/8

end

wr

Step 6. Initiate the following commands on router R20. This is Data Center 2’s Transit Site Master

Controller.

Configure terminal

domain 10

vrf default

master transit 1

source-interface Loopback0

site-prefixes prefix-list DC2_Prefix

hub 10.1.0.10

!

ip prefix-list DC2_Prefix seq 25 permit 198.18.0.0/16

ip prefix-list DC2_Prefix seq 40 permit 10.2.0.0/16

end

wr

Step 7. Initiate the following commands on router R11. This is Data Center 1’s MPLS Hub Border

Router.

Configure terminal

domain 10

vrf default

border

source-interface Loopback0

master 10.1.0.10

!

interface Tunnel100

domain 10 path MPLS path-id 1

end

wr

Step 8. Initiate the following commands on router R12. This is Data Center 1’s INET Hub Border

Router.

Configure terminal

domain 10

vrf default

border

source-interface Loopback0

master 10.1.0.10

!

interface Tunnel200

domain 10 path INET path-id 2

end

wr

Step 9. Initiate the following commands on router R21. This is Data Center 2’s MPLS Hub Border

Router.

Configure terminal

domain 10

vrf default

border

source-interface Loopback0

master 10.2.0.20

!

interface Tunnel100

domain 10 path MPLS path-id 1

end

wr

Step 10. Initiate the following commands on router R22. This is Data Center 2’s INET Hub Border

Router.

Configure terminal

domain 10

vrf default

border

source-interface Loopback0

master 10.2.0.20

!

interface Tunnel200

domain 10 path INET path-id 2

end

wr

Verify Connectivity between the PfR MCs and Hub BRs

The purpose of this task is to verify that there is connectivity between the Hub and Transit Master

Controllers and the Hub Border Routers in Data Center 1 and 2.

Step 11. Verify the Master Controllers configuration using the following Table.

Verification Questions | Commands | R10 Success Y/N | R20 Success Y/N

Is the Operational Status of the Master Controller UP? Should be down since no traffic policies are configured yet. | show domain 10 master status | |

Can the MC see its Hub BRs? Each MC should see the Hub BRs that are in the same DC as the MC. | show domain 10 master status | |

Does each Hub BR show the appropriate tunnel mapping and path IDs? | show domain 10 master status | |

Does the connection status to each Hub BR indicate Connected? | show domain 10 master status | |

Does the Hub MC see the Transit MC? | show domain 10 master discovered-sites | |

Show Domain 10 Master Status Output for R10

Step 12. Verify the Hub BR configuration using the following table.

Verification Questions | Commands | R11 Success Y/N | R12 Success Y/N | R21 Success Y/N | R22 Success Y/N

Is the Instance Status Up? | show domain 10 border status | | | |

Is the Loopback Up? | show domain 10 border status | | | |

Is the IP address for the MC Correct? | show domain 10 border status | | | |

Is the MC Connection Successful? | show domain 10 border status | | | |

Does the connection status to each Hub BR say Connected? | show domain 10 border status | | | |

Show Domain 10 Border Status on R11

Configure and verify Branch Border Routers

In this lab configuration we have two different types of branches. Branch 4 has a single router that is

connected to both the MPLS and INET clouds. This single router acts in two capacities: one as a Master

Controller for the branch, and two as a Border router. Branch 5 has two routers, R51 connected to the

MPLS cloud and R52 that is connected to the INET. In branch 5 R51 is acting as a Master Controller and a

border router. R52 is acting as a border router only.

Step 13. Initiate the following commands on router R41. This is Branch Spoke Site 4 MPLS/INET Hub

Border Router.

Configure Terminal

interface Tunnel200

no nhrp route-watch

!

domain 10

vrf default

master branch

source-interface Loopback0

hub 10.1.0.10

border

source-interface Loopback0

master local

end

wr

Step 14. Initiate the following commands on router R41 to clear any crypto errors between the

Master Controller and Border Controller which are present on this single router.

Configure Terminal

Interface tunnel200

Shut

No shut

End

Step 15. Initiate the following commands on router R51. This is Branch Spoke Site 5 MPLS Hub

Border Router (Branch Master Controller).

Configure terminal

domain 10

vrf default

master branch

source-interface Loopback0

hub 10.1.0.10

border

source-interface Loopback0

master local

end

wr

Step 16. Initiate the following commands on router R52. This is Branch Spoke Site 5 MPLS Hub

Border Router.

Configure terminal

domain 10

vrf default

border

source-interface Loopback0

master 10.5.0.51

end

wr

Configure PfR traffic policies

Step 17. Initiate the following commands on router R10. Note that for the VOICE and CRITICAL-

DATA classes, MPLS is the preferred path, and for SCAVENGER class, INET is the

preferred path.

NOTE: The commands below that are highlighted in yellow are highlighted to point out

the three different sections and their path preference. Enter all commands below in R10.

Configure terminal

domain 10

vrf default

master hub

load-balance

class VOICE sequence 20

match dscp ef policy voice

path-preference MPLS fallback INET

!

class CRITICAL-DATA sequence 30

match dscp af21 policy low-latency-data

path-preference MPLS fallback INET

!

class SCAVENGER sequence 40

match dscp cs1 policy scavenger

path-preference INET fallback MPLS

end

wr

Exercise 5: PfR Verification

In this activity, the PfR configuration will be tested to verify that PfR is functioning as expected.

Verify PfR traffic classes are controlled

NOTE: It takes about two minutes or so for the neighbor relationship to fully synchronize, and for domain 10 to fully come up. If you don’t see anything when you run the next command, keep trying and you will see the system start to collect flow information. Notice the UCs in the State column; these are flows that have been identified but are not yet controlled. Once the flows are controlled by the MC policy, their state will change to CN.

Step 1. Initiate the command show domain 10 master traffic-classes summary, on router R10.

Notice the following:

Legend at the top

CN = Controlled by master controller (MC)

SP = Service Provider, one flow is taking INET, and one is taking MPLS

Step 2. Initiate the command show domain 10 master traffic-classes summary, on router R20.

Notice the following:

DSCP column displays what classification the flow was tagged as.

State shows if the flow is controlled by the MC or not. UC is uncontrolled

by the MC, and CN is controlled.

SP shows which service provider the flow is taking.

Step 3. Initiate the command show domain 10 master traffic-classes dscp ef on router R20.

Notice the following:

Step 4. Initiate the command show domain 10 master traffic-classes summary on router R51.

Compare the output of R51 with other hub and branch routers. Notice which routers are

seeing which traffic.

Step 5. Initiate the command show domain 10 master traffic-classes dscp ef, on router R52.

Notice the output says “No master configured…”.

This is a dual router connected site, one router connected to the MPLS WAN

and one connected to the internet. At each spoke there will always be a master

border router, and any subsequent routers will be border routers only.

Step 6. Initiate the command show domain 10 border traffic-classes on router R52. This command shows the different classes of traffic that exist or are flowing on each router.

Try this command on the other border routers and compare the output.

Auto Distributed Policies

Step 7. Initiate the command show run | begin domain 10, on router R10.

Step 8. Initiate the command show run | begin domain 10, on routers R20, R41, and R51.

Notice that R10 (the Hub Master Controller) sets the policies for the whole network.

Although R20 is a Master Controller it is a transit site.

Step 9. Initiate the command show domain 10 master policy, on routers R10, R20, R41, R51.

Notice there are sequences 20, 30, and 40 and what their names are. Remember that

the policy was only configured on router R10 and was dynamically passed to the other

master controller routers.

Step 10. Initiate the following commands on R10 to add two more traffic classes.

Configure terminal

domain 10

vrf default

master hub

class VIDEO sequence 25

match dscp af41 policy real-time-video

match dscp cs4 policy real-time-video

path-preference MPLS fallback INET

class BULK-DATA sequence 50

match dscp af11 policy bulk-data

path-preference INET fallback MPLS

end

wr

Step 11. Initiate the command show run | begin domain 10, on router R10.

Compare the output to the previous time this command was initiated (in

the step above).

Step 12. Initiate the command show run | begin domain 10, on routers R20, R41, and R51 to

confirm the configuration is not replicated to the other routers.

Step 13. Initiate the command show domain 10 master policy, on routers R10, R20, R41, R51.

Notice the master policies have been replicated to the other Master Controllers in

domain 10.

Exercise 6: Verifying PfR Traffic Policies

The purpose of this task is to verify the application traffic policies have been propagated to the border

routers and are operating as intended.

Performance Routing Verification

Step 1. Initiate the command show domain 10 master traffic-classes summary, on router R20.

Take note of the output.

Step 2. Initiate the command show domain 10 master traffic-class dscp ef, on router R20. Take

note of the output.

Exercise 7: Simulating WAN Delay using WANem

In this section we are going to use an app called WANem to add delay to the network at one of two places

at a time on the network. WANem can be used to simulate WAN characteristics like Network delay, Packet

loss, Packet corruption, Disconnections, Packet re-ordering, Jitter, etc.

For more information about WANem follow this link: http://bit.ly/SimDelay

Visual Objective

Notice in the topology map for this lab there are two indicators for WANem. One on BR0 and one on BR1.

In this lab we are going to use WANem to induce delay of 500ms to BR1, but you can also conduct your

own test on BR0 as well. As IWAN probes the networks it will detect the induction of delay, and find that

the INET connection is a better or preferred path and move the traffic to the INET. This traffic change can

be witnessed with the ‘show domain 10 master traffic-classes summary’ command.

Step 1. Add delay to the MPLS links using the WANem application by performing the following

steps:

On PC01, use the WANem shortcut or open the browser from the task

bar and go to http://198.18.133.40/WANem (case sensitive).

Maximize the application to full screen to see the menu options.

Click Basic Mode.

Select BR1 from the bridges drop down menu.

Enter 500 in the Delay field for interface eth0

Enter 500 in the Delay field for interface eth1

Click Apply Settings

Step 2. Return to MTPuTTY on PC01, and initiate the command show domain 10 master traffic-

classes summary on router R20.

Notice the EFs and AF21 traffic have been moved to the INET.

Step 3. Initiate the command show domain 10 master traffic-class dscp ef on router R20.

Notice that the current Service Provider is INET, the previous Service Provider is MPLS, and the path will be re-evaluated after a period of time (38 seconds in the example shown below).

The system is probing the network checking for delay, loss, and jitter. If the MPLS

path looks better during re-evaluation, the traffic class will switch back to MPLS.

If not, it will stay on the INET path.
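The path switch seen in Steps 2 and 3 can be reproduced with a small model of the traffic policy entered on R10 in Exercise 4. This is an added example, not part of the lab guide and not PfR's actual algorithm: it checks one metric only, and the per-policy delay limits and the measured delays are assumed values chosen for illustration.

```python
import re

# Traffic policy as entered on R10 in Exercise 4 (indentation added).
POLICY = """
domain 10
 vrf default
  master hub
   load-balance
   class VOICE sequence 20
    match dscp ef policy voice
    path-preference MPLS fallback INET
   class CRITICAL-DATA sequence 30
    match dscp af21 policy low-latency-data
    path-preference MPLS fallback INET
   class SCAVENGER sequence 40
    match dscp cs1 policy scavenger
    path-preference INET fallback MPLS
"""

# ASSUMED one-way delay limits in ms per policy name, for illustration only;
# they are not read from the lab routers.
DELAY_LIMIT_MS = {"voice": 150, "low-latency-data": 100, "scavenger": 500}

CLASS_RE = re.compile(r"class (\S+) sequence (\d+)$")
MATCH_RE = re.compile(r"match dscp (\S+) policy (\S+)$")
PATH_RE = re.compile(r"path-preference (\S+) fallback (\S+)$")


def parse_classes(text):
    """Return the policy classes in sequence order.

    Each class is {"name", "seq", "dscp": {dscp: policy}, "paths": [pref, fallback]}.
    """
    classes, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = CLASS_RE.match(line)
        if m:
            cur = {"name": m.group(1), "seq": int(m.group(2)), "dscp": {}, "paths": []}
            classes.append(cur)
            continue
        if cur is None:
            continue
        m = MATCH_RE.match(line)
        if m:
            cur["dscp"][m.group(1)] = m.group(2)
            continue
        m = PATH_RE.match(line)
        if m:
            cur["paths"] = [m.group(1), m.group(2)]
    return sorted(classes, key=lambda c: c["seq"])


def select_paths(classes, delay_ms):
    """Return {dscp: chosen path, or None when no listed path is within limits}.

    The preferred path wins while it is in policy; otherwise the fallback is
    used if that one is in policy.
    """
    chosen = {}
    for cls in classes:
        for dscp, policy in cls["dscp"].items():
            limit = DELAY_LIMIT_MS[policy]
            in_policy = [p for p in cls["paths"] if delay_ms[p] <= limit]
            chosen[dscp] = in_policy[0] if in_policy else None
    return chosen


if __name__ == "__main__":
    classes = parse_classes(POLICY)
    # Constructed measurements: baseline, then WANem delay added on the MPLS side.
    print("baseline  ", select_paths(classes, {"MPLS": 20, "INET": 40}))
    print("MPLS delay", select_paths(classes, {"MPLS": 520, "INET": 40}))
```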

Add Traffic Flows and Evaluate the Results

Voice and Critical data traffic are being generated automatically by simulators installed on PC11, PC21,

and DC2-PC, but scavenger traffic needs to be generated manually.

Step 4. Induce scavenger traffic by initiating a large file download across the network, by

completing the following steps.

Step 5. From PC01 desktop, connect to PC11 via RDP using the shortcut on the desktop.

When you open PC11 you will see some applications open, such as WAN Impairment tool and

another called Big Info. Just minimize and ignore WAN Impairment, and Big Info will go away on

its own in a few seconds.

Step 6. From the PC11 desktop, double click on Mozilla FireFox to open the browser.

Step 7. Enter ftp://demo:[email protected], in the address field. Press <Enter>.

Step 8. Click Ubuntu-14.04.4-server-amd64.iso

Step 9. Select Save, and click OK

If you open the download monitor in FireFox, you will see there is a large file being downloaded

across the network.

Step 10. Return to PC01, in MTPUTTY initiate the command show domain 10 master traffic-

classes summary on R20.

Notice there is now a CS1 flow, and that EF and AF21 are still on the INET.

Step 11. Return to PC11, and click on Ubuntu-14.04.4-server-amd64.iso, and create a second

large file download.

Step 12. Induce even more scavenger traffic by adding another large file download across the

network, by completing the following steps.

Step 13. From PC01 desktop, connect to PC21 via RDP using the shortcut on the desktop.

When you open PC21 you will see some applications open, such as IWAN-wget Impairment tool

and another called Big Info. Just minimize and ignore IWAN-wget window, and Big Info will go

away on its own in a few seconds.

Step 14. From PC11 desktop, double click on Mozilla FireFox to open the browser.

Step 15. Enter ftp://demo:[email protected] in the address field. Press <Enter>

Step 16. Click Ubuntu-14.04.4-server-amd64.iso

Step 17. Select Save, and click OK

If you open the download monitor in Firefox, you will see there is a large file being downloaded across the network.

Step 18. Return to PC01 and, in MTPuTTY, initiate the command show domain 10 master traffic-classes summary on router R20.

Notice CS1 traffic is out of policy and uncontrolled (UC) when the traffic is first added. When traffic is UC, it will follow normal routing rules.

Step 19. Initiate the command show domain 10 master traffic-classes summary on router R20 again and see that the CS1 traffic is in a state of CN.

NOTE: Your results in the show command outputs might be different than what is shown here in the lab guide due to timing. Some changes in IWAN can take a few minutes to be reflected in the output of the commands.

Step 20. Continue experimenting with adding traffic or removing traffic, and witnessing the resulting outputs in the various show commands. Clear added flows and delays by doing the following:

Click Stop WANem, in the WANem app on PC01.

Stop downloads on PC11 and PC12.

Exercise 8: Configure and Verify flows using LiveAction

LiveAction is an application-aware network management software with quality-of-service (QoS) control, designed to simplify network management. LiveAction features an innovative visual display, real-time big data analytics, and deep control of routers and switches for unparalleled ease of network administration.

At a high level, LiveAction has the following See-Point-Click-Fix features:

See: Visualization:

o Visualize real-time end-to-end network traffic

o Examine historical QoS, flow, routing, and IP service-level agreement (IP SLA) data

Point: Decision making:

o Analyze hop-by-hop path, devices, interfaces, and queues

o Locate and troubleshoot problems

Click: Control

o Enable and deploy QoS, Network-Based Application Recognition (NBAR), Flexible NetFlow (FNF), Cisco Application Visibility and Control (AVC), and Cisco Medianet

o Create IP SLA probes and Media Services Interface (MSI) endpoints

Fix: Improve

o Edit QoS policies, access control list (ACL), Policy Based Routing (PBR), and IP SLA

For Cisco IWAN, LiveAction provides GUI-based management and situational awareness for intelligent path control and application performance optimization. Specifically, LiveAction offers the following IWAN management functions:

Real-time and historical graphical displays of Performance Routing (PfR) intelligent path changes

AVC visualization, reporting, and configuration

Application-aware QoS monitoring and control to optimize application performance

Overall network health and status

Activity Objective:

In this activity, the flows that were evaluated in the previous section via Command Line Interface (CLI) commands will be verified via the LiveAction tool. This section will only be a taste of the full potential of Cisco's LiveAction management and monitoring tools.

Visual Objective:

Configure Collector CLI Command on R10

Step 1. Initiate the following commands on R10 to set the address of the LiveAction collector server.

configure terminal
domain 10
 vrf default
  master hub
   collector 198.18.133.34 port 2055
end
wr

Opening LiveAction Client on PC01

In this section the LiveAction client will be opened on PC01.

NOTE: Be careful; there are two icons on the desktop of PC01: LiveAction HTML5 and LiveAction Client. In this exercise the LiveAction Client will be used, not the HTML5 version.

Step 2. Double click the LiveAction Client 5.2.0 icon on the desktop of PC01

Step 3. Log in to LiveAction with the username of admin and password of C1sco12345, and click OK.

NOTE: Be patient; logging into LiveAction sometimes takes some time.

Configuring Flows in LiveAction

Step 4. Click Flow > Configure Flow on the main menu at the top of the LiveAction Client window.

Step 5. Notice that R10-MC-DC1 and R31-Spoke-Site3 are grayed out. R10-MC-DC1 is grayed out because the SNMP community settings on the router are not updated properly. R31-Spoke-Site3 is not configured at all, since this is the branch that is used for the optional challenge lab later in this document. The following few tasks will be used to set up R10-MC-DC1 to be seen by LiveAction.

Step 6. Click Close to close the Flow configuration pop-up window.

Step 7. Click the + sign next to home in the navigation pane on the left hand side, to open all the sites.

Step 8. Click the + sign next to DC1 in the navigation pane on the left hand side, to open DC1.

Step 9. Right click R10-MC-DC1 and click Edit Device Settings.

Step 10. Click Next on page one of the edit device settings pop-up window. Take all defaults (change nothing).

Step 11. Click Next on page two of the edit device settings pop-up window.

Step 12. Click Next on page three of the edit device settings pop-up window.

Step 13. Click Continue on the Validation Details pop-up window.

Step 14. On page four of the edit device settings pop-up window, click to uncheck Loopback0; only GigabitEthernet1 should be checked.

Step 15. Click Next.

Step 16. Click Next on page five of the edit device settings pop-up window

Step 17. Click and check NBAR and NetFlow on page six of the edit device settings pop-up window.

Step 18. Click Next

Step 19. Click Next on page seven of the edit device settings pop-up window.

Step 20. Review the configuration that will be added to R10-MC-DC1 on page eight of the edit device settings pop-up window. Make sure to leave the radio button selected for “send the configuration commands to device”.

Step 21. Click Next

Wait for the configuration to be uploaded to R10-MC-DC1

Step 22. Click Finish on page nine of the edit device settings pop-up window.

Step 23. Click Yes to save the settings on R10-MC-DC1.

Step 24. Return to MTPuTTY, and select the R10-MC-DC1 tab at the top. If R10 is not open in MTPuTTY, open it and log in to R10.

Step 25. Initiate the command show run | beg flow record on router R10. Verify that the LiveAction console added configuration parameters to the router R10.

Continue exploring the running configuration for more parameters that LiveAction added to the router's configuration.

Step 26. Return to the LiveAction Client on PC01 when you are finished exploring the updated configuration on router R10.

Step 27. Click Flow > Configure Flow from the main LiveAction Client menus.

Step 28. Notice R10-MC-DC1 is no longer grayed out. Also notice that most of the bubbles on the right under Traffic, Application, and Voice are grayed out at this time.

Step 29. Click and check R10, R11, R12, R20, R21, R22, R41, R51, and R52.

Step 30. Click Configure Selected.

Step 31. Click and select the Traffic Statistic, Application Response Time, and Voice/Video check boxes for the following selections.

R10-MC-DC1 – GigabitEthernet1

R11-Hub-DC1 – Tunnel100

R12-Hub-DC1 – Tunnel200

R20-MC-DC2 – GigabitEthernet1

R21-Hub-DC2 – Tunnel100

R22-Hub-DC2 – Tunnel200

R41-Spoke-Site4 – Tunnel100 and Tunnel200

R51-Spoke-Site5 – Tunnel100

R52-Spoke-Site5 – Tunnel200

Step 32. Click Preview CLI to see what changes will be made to each router.

Step 33. Click OK on the NetFlow Export Warnings pop-up window.

Step 34. Notice the CLI changes LiveAction is going to make on the nine different routers, by selecting each router on the left hand side of the Multiple CLI Viewer. The configuration deltas will be displayed on the right hand side of the viewer.

Step 35. Click Close when you're done inspecting the CLI changes.

Step 36. Click Save to Devices button at the bottom of the Flow Configuration pop-up window.

Step 37. Click Yes on the save flow configurations pop-up window

Step 38. Be patient while the configuration changes are made on each of the nine routers.

Step 39. Click OK on the succeeded pop-up window

Step 40. Click Yes on each Save Startup Config pop-up window to save the new running configuration on each router to the startup config.

NOTE: Click Yes nine times, once for each router.

Step 41. Notice the green bubbles that were grayed out before the flows were configured.

Step 42. Click Close when you are done verifying the changes.

Evaluate PfR Flows Using LiveAction

In a previous section we verified PfR flows using the CLI command “show domain 10 master traffic-classes summary” on each of the Master Border Routers, and Master Controllers. In this section we will verify PfR via the LiveAction GUI.

Step 43. Click the + sign next to Site-4 in the navigation pane of LiveAction.

Step 44. Click and highlight R41-Spoke-Site4

Step 45. Select PfR in the dropdown menu that is labeled as basic flow.

Step 46. Notice in the spreadsheet formatted section you will see the many different simulated flows in this lab environment that are flowing through R41.

Step 47. If you scroll the bottom scroll bar all the way to the right you will see the DSCP values of the flow. You will also see Tunnel information, Bandwidth, and Out of parameter values, as seen in red in the screen shot below.

Also notice that if you look at this screen over time it will change as the simulated traffic changes on the network. In the upper left corner polling is enabled, so every few seconds the data for this output will change.

Continue exploring this screen as well as selecting other routers from the navigation pane on the left to see what data is presented at each router.

End of Lab Exercises

Optional Challenge Lab: Configure and Verify Branch/Spoke Site 3

Complete this lab exercise to add Branch 3 spoke to the IWAN environment. Configure Branch 3 router to ensure that it can connect and communicate with the Hub and Transit Border Routers, as well as the Branch Border Routers at Branch 4 and 5.

Visual Objective

Configure Branch 3 Challenge

Step 1. Configure R31-Spoke-Site3 router to be part of the IWAN DMVPN Phase 3 cloud, including front door VRFs, and IPsec.

Step 2. Configure R31-Spoke-Site3 to be in the same EIGRP autonomous system as the other border routers in the IWAN environment.

Step 3. Enable R31-Spoke-Site3 to communicate with the Hub Master Controller, so it can participate in PfR.

Step 4. When you are done with your configuration, run the following commands to confirm proper operation.

show domain 10 master traffic-classes summary

show domain 10 master policy

Step 5. From PC01, RDP to PC31 using the desktop icon. Open Firefox and navigate to ftp://demo:[email protected] and download the large file Ubuntu-14.04.4-server-amd64.iso.

Step 6. Return to PC01 and initiate the show domain 10 master traffic-classes summary command on R31. Confirm that you see CS1 traffic being controlled by the Master Controller.

NOTE: The best place to start is by looking at the R41-Spoke-Site4 router configuration. Copy and paste the portions of the R41 config into Notepad on PC01, and edit the configuration to be relevant for PC31. Once you have a good config in Notepad, copy and paste the config into R31.

WARNING Spoiler Alert: Do not move on to the next page until you have your R31 router configured and operational. The next pages present the full final configuration for R31.

R31-Spoke-Site3 Final Configuration

Final operational configuration for router R31-Spoke-Site3. Sections in blue are part of the IWAN configuration.

version 15.5

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R31-Spoke-Site3

!

boot-start-marker

boot-end-marker

!

vrf definition INET1

!

address-family ipv4

exit-address-family

!

vrf definition MPLS1

!

address-family ipv4

exit-address-family

!

logging console warnings

enable secret 5 $1$5abw$/S6M9GiORaLyD8OxWuMoa1

!

no aaa new-model

!

clock timezone PST -7 0

clock summer-time PDT recurring

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

!

ip domain lookup source-interface Loopback0

ip domain name dcloud.cisco.com

ip name-server 198.18.133.1

ip cef

no ipv6 cef

!

multilink bundle-name authenticated

!

domain 10

vrf default

border

source-interface Loopback0

master local

master branch

source-interface Loopback0

hub 10.1.0.10

!

username admin privilege 15 secret 5 $1$kC78$yLDu4V/p/cr8bdJlwKEGf/

!

redundancy

!

class-map match-any STREAMING-VIDEO

match dscp af31 af32

class-map match-any INTERACTIVE-VIDEO

match dscp cs4 af41 af42

class-map match-any CRITICAL-DATA

match dscp af11 af21

match access-group name MARK-CRITICAL

class-map match-any NET-CTRL-MGMT

match dscp cs2 cs6

class-map match-any VOICE

match dscp ef

match access-group name MARK-VOIP

class-map match-any SCAVENGER

match dscp cs1

match access-group name MARK-SCAVENGER

class-map match-any CALL-SIGNALING

match dscp cs3

!

policy-map LAN-MARKING

class CRITICAL-DATA

set dscp af21

class VOICE

set dscp ef

class SCAVENGER

set dscp cs1

policy-map INTERFACE-E0/1

class class-default

shape average 10000000

policy-map WAN

class INTERACTIVE-VIDEO

bandwidth remaining percent 30

random-detect dscp-based

set dscp tunnel af41

class STREAMING-VIDEO

bandwidth remaining percent 10

random-detect dscp-based

set dscp tunnel af41

class NET-CTRL-MGMT

bandwidth remaining percent 5

set dscp tunnel cs6

class CALL-SIGNALING

bandwidth remaining percent 4

set dscp tunnel af41

class CRITICAL-DATA

bandwidth remaining percent 25

random-detect dscp-based

set dscp tunnel af21

class SCAVENGER

bandwidth remaining percent 1

set dscp tunnel af11

class VOICE

priority level 1

police cir percent 10

set dscp tunnel ef

class class-default

bandwidth remaining percent 25

random-detect

set dscp tunnel default

policy-map INTERFACE-E0/0

class class-default

shape average 20000000

service-policy WAN

!

crypto ikev2 keyring DMVPN-KEYRING-INET

peer ANY

address 0.0.0.0 0.0.0.0

pre-shared-key 123CISCO

!

crypto ikev2 keyring DMVPN-KEYRING-MPLS

peer ANY

address 0.0.0.0 0.0.0.0

pre-shared-key 123CISCO

!

crypto ikev2 profile DMVPN-IKE-PROFILE-INET

match fvrf INET1

match identity remote address 0.0.0.0

authentication remote pre-share

authentication local pre-share

keyring local DMVPN-KEYRING-INET

dpd 40 5 on-demand

!

crypto ikev2 profile DMVPN-IKE-PROFILE-MPLS

match fvrf MPLS1

match identity remote address 0.0.0.0

authentication remote pre-share

authentication local pre-share

keyring local DMVPN-KEYRING-MPLS

dpd 40 5 on-demand

!

crypto isakmp nat keepalive 20

!

crypto ipsec security-association replay window-size 1024

!

crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac

mode transport

!

crypto ipsec profile DMVPN-IPSEC-PROFILE-INET

set ikev2-profile DMVPN-IKE-PROFILE-INET

!

crypto ipsec profile DMVPN-IPSEC-PROFILE-MPLS

set transform-set AES256/SHA/TRANSPORT

set ikev2-profile DMVPN-IKE-PROFILE-MPLS

!

interface Loopback0

ip address 10.3.0.31 255.255.255.255

!

interface Tunnel100

description ** DMVPN Tunnel over MPLS **

bandwidth 1000

ip address 192.168.100.31 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp network-id 100

ip nhrp holdtime 70

ip nhrp nhs 192.168.100.11 nbma 172.16.11.1 multicast

ip nhrp nhs 192.168.100.21 nbma 172.16.21.1 multicast

ip nhrp shortcut

ip tcp adjust-mss 1360

delay 1000

if-state nhrp

tunnel source Ethernet0/1

tunnel mode gre multipoint

tunnel vrf MPLS1

tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-MPLS

!

interface Tunnel200

description ** DMVPN Tunnel over INET **

bandwidth 1000

ip address 192.168.200.31 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp network-id 200

ip nhrp holdtime 70

ip nhrp nhs 192.168.200.12 nbma 100.64.12.1 multicast

ip nhrp nhs 192.168.200.22 nbma 100.64.22.1 multicast

ip nhrp shortcut

ip tcp adjust-mss 1360

delay 20000

no nhrp route-watch

if-state nhrp

tunnel source Ethernet0/0

tunnel mode gre multipoint

tunnel vrf INET1

tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-INET

!

interface Ethernet0/0

description INET interface

vrf forwarding INET1

ip address 100.64.31.1 255.255.255.252

load-interval 30

service-policy output INTERFACE-E0/0

!

interface Ethernet0/1

description MPLS interface

vrf forwarding MPLS1

ip address 172.16.31.1 255.255.255.252

load-interval 30

service-policy output INTERFACE-E0/1

!

interface Ethernet0/2

description Site-LAN1

ip address 10.3.3.31 255.255.255.0

load-interval 30

delay 20000

service-policy input LAN-MARKING

!

interface Ethernet0/3

no ip address

shutdown

!

router eigrp IWAN-EIGRP

!

address-family ipv4 unicast autonomous-system 400

!

af-interface Tunnel100

stub-site wan-interface

exit-af-interface

!

af-interface Tunnel200

stub-site wan-interface

exit-af-interface

!

topology base

exit-af-topology

network 10.0.0.0

network 192.168.100.0

network 192.168.200.0

eigrp router-id 10.3.0.31

eigrp stub-site 1:1

exit-address-family

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

ip route vrf MPLS1 0.0.0.0 0.0.0.0 172.16.31.2

ip route vrf INET1 0.0.0.0 0.0.0.0 100.64.31.2

!

ip access-list extended MARK-CRITICAL

permit ip host 10.5.1.11 host 198.18.133.110

permit ip host 10.5.1.12 host 198.18.133.110

permit ip host 10.4.4.21 host 198.18.133.110

permit ip host 10.4.4.22 host 198.18.133.110

ip access-list extended MARK-SCAVENGER

permit tcp any eq ftp any

permit tcp any eq ftp-data any

permit tcp any any eq ftp

permit tcp any any eq ftp-data

ip access-list extended MARK-VOIP

permit ip host 10.5.1.11 host 198.18.133.36

permit ip host 10.4.4.21 host 198.18.133.36

!

no service-routing capabilities-manager

!

snmp-server community cisco123 RW 55

!

control-plane

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

line vty 0 4

exec-timeout 0 0

logging synchronous

login local

transport input telnet ssh

!

ntp source Loopback0

ntp server 198.18.128.1

!

end
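
An added example, not part of the lab guide: a short Python audit that scans a flattened IOS listing such as the R31-Spoke-Site3 configuration above for management-plane and VPN settings a reviewer would want changed before reusing this lab configuration outside the lab. The `audit` function, its rule ids and the placeholder hashes are assumptions made for the example; the sample lines are a constructed excerpt of the listing.

```python
import re

# Constructed excerpt: command lines taken from the R31-Spoke-Site3 listing,
# with the password hashes replaced by placeholders. The lines are not
# indented because the listing in this guide is flattened.
SAMPLE_CONFIG = """\
no service password-encryption
enable secret 5 $1$PLACEHOLDER$hash
username admin privilege 15 secret 5 $1$PLACEHOLDER$hash
!
crypto ikev2 keyring DMVPN-KEYRING-INET
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key 123CISCO
!
ip access-list extended MARK-VOIP
permit ip host 10.5.1.11 host 198.18.133.36
!
snmp-server community cisco123 RW 55
!
line con 0
exec-timeout 0 0
privilege level 15
line aux 0
line vty 0 4
exec-timeout 0 0
login local
transport input telnet ssh
!
end
"""

ACL_DEF = re.compile(r"(?:ip access-list (?:standard|extended) (\S+)|access-list (\d+) )")
SNMP = re.compile(r"snmp-server community \S+ (RO|RW)(?: (\S+))?$", re.I)


def audit(config_text):
    """Return sorted (line_number, rule_id, message) findings.

    The rule ids are hypothetical names chosen for this example.
    """
    findings, acl_refs, defined_acls = [], [], set()
    section = None                        # "keyring", "line" or None
    peer = {"wild": False, "psk": None}   # state of the current keyring peer

    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line == "!":                   # "!" separates blocks in the listing
            section = None
            continue
        if line.startswith("crypto ikev2 keyring "):
            section, peer = "keyring", {"wild": False, "psk": None}
            continue
        if re.match(r"line (con|aux|vty) ", line):
            section = "line"
            continue
        m = ACL_DEF.match(line)
        if m:                             # remember every ACL the config defines
            defined_acls.add(m.group(1) or m.group(2))
            section = None
            continue
        if re.match(r"(enable|username \S+).* secret 5 ", line):
            findings.append((n, "TYPE5-SECRET",
                             "type 5 (MD5-based) secret; prefer type 8 or 9 where supported"))
        m = SNMP.match(line)
        if m:
            if m.group(1).upper() == "RW":
                findings.append((n, "SNMP-RW", "read-write SNMP community"))
            if m.group(2):
                acl_refs.append((n, m.group(2)))
        if section == "keyring":
            if line.startswith("peer "):
                peer = {"wild": False, "psk": None}
            elif line == "address 0.0.0.0 0.0.0.0":
                peer["wild"] = True
            elif line.startswith("pre-shared-key "):
                peer["psk"] = n
            if peer["wild"] and peer["psk"]:
                findings.append((peer["psk"], "WILDCARD-PSK",
                                 "one pre-shared key accepted from any peer address"))
                peer = {"wild": False, "psk": None}
        elif section == "line":
            if line == "exec-timeout 0 0":
                findings.append((n, "NO-IDLE-TIMEOUT", "idle sessions never time out"))
            elif line == "privilege level 15":
                findings.append((n, "LINE-PRIV15", "sessions on this line start at privilege 15"))
            elif line.startswith("transport input ") and {"telnet", "all"} & set(line.split()[2:]):
                findings.append((n, "TELNET-MGMT", "cleartext Telnet allowed for management"))

    # An access list that is referenced but never defined cannot be relied on
    # to restrict who may use the community string.
    for n, acl in acl_refs:
        if acl not in defined_acls:
            findings.append((n, "SNMP-ACL-UNDEFINED",
                             f"community references ACL {acl}, which this config does not define"))
    return sorted(findings)


if __name__ == "__main__":
    for n, rule, message in audit(SAMPLE_CONFIG):
        print(f"line {n:>2}  {rule:<18}  {message}")
```

The same function can be pointed at the text of any of the router listings in this guide; line numbers in the findings refer to the text passed in.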

Appendix: Router Configurations

These are each router's configuration as it stands at the end of this lab guide.

Router R10-MC-DC1

version 15.5

service timestamps debug datetime msec

service timestamps log datetime msec

no platform punt-keepalive disable-kernel-core

platform console auto

platform hardware throughput level MB 100

!

hostname R10-MC-DC1

!

boot-start-marker

boot system bootflash:csr1000v-universalk9.03.16.01a.S.155-3.S1a-ext.SPA.bin

boot-end-marker

!

enable secret 5 $1$UU3I$OXntpE./eOmxxgP4WpxDa.

!

no aaa new-model

clock timezone JST 9 0

!

ip name-server 198.18.133.1

!

ip domain lookup source-interface Loopback0

ip domain name dcloud.cisco.com

!

subscriber templating

!

flow record LIVEACTION-FLOWRECORD

description DO NOT MODIFY. USED BY LIVEACTION.

match flow direction

match interface input

match ipv4 destination address

match ipv4 protocol

match ipv4 source address

match ipv4 tos

match transport destination-port

match transport source-port

collect application name

collect counter bytes

collect counter packets

collect flow sampler

collect interface output

collect ipv4 destination mask

collect ipv4 dscp

collect ipv4 id

collect ipv4 source mask

collect ipv4 source prefix

collect routing destination as

collect routing next-hop address ipv4

collect routing source as

collect timestamp sys-uptime first

collect timestamp sys-uptime last

collect transport tcp flags

!

flow record type performance-monitor LIVEACTION-FLOWRECORD-AVC

description DO NOT MODIFY. USED BY LIVEACTION.

match application name account-on-resolution

match connection client ipv4 address

match connection server ipv4 address

match connection server transport port

match ipv4 protocol

match routing vrf input

collect application http host

collect connection client counter bytes long

collect connection client counter bytes network long

collect connection client counter packets long

collect connection client counter packets retransmitted

collect connection delay application sum

collect connection delay network client-to-server sum

collect connection delay network to-client sum

collect connection delay network to-server sum

collect connection delay response client-to-server sum

collect connection delay response to-server histogram late

collect connection delay response to-server sum

collect connection initiator

collect connection new-connections

collect connection server counter bytes long

collect connection server counter bytes network long

collect connection server counter packets long

collect connection server counter responses

collect connection sum-duration

collect connection transaction counter complete

collect connection transaction duration max

collect connection transaction duration min

collect connection transaction duration sum

collect interface input

collect interface output

collect ipv4 destination address

collect ipv4 dscp

collect ipv4 source address

collect ipv4 ttl

!

flow record type performance-monitor LIVEACTION-FLOWRECORD-MEDIANET

description DO NOT MODIFY. USED BY LIVEACTION.

match flow direction

match ipv4 destination address

match ipv4 protocol

match ipv4 source address

match transport destination-port

match transport rtp ssrc

match transport source-port

collect application media bytes counter

collect application media bytes rate

collect application media event

collect application media packets counter

collect application media packets rate

collect application name

collect counter bytes

collect counter bytes rate

collect counter packets

collect interface input

collect interface output

collect ipv4 dscp

collect ipv4 ttl

collect monitor event

collect routing forwarding-status

collect timestamp interval

collect transport event packet-loss counter

collect transport packets expected counter

collect transport packets lost counter

collect transport packets lost rate

collect transport rtp jitter maximum

collect transport rtp jitter mean

collect transport rtp jitter minimum

!

flow exporter LIVEACTION-FLOWEXPORTER-IPFIX

description DO NOT MODIFY. USED BY LIVEACTION.

destination 198.18.133.34

source Loopback0

transport udp 2055

export-protocol ipfix

option interface-table

option vrf-table

option application-table

option c3pl-class-table

option c3pl-policy-table

option application-attributes

!

flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-AVC

description DO NOT MODIFY. USED BY LIVEACTION.

record LIVEACTION-FLOWRECORD-AVC

exporter LIVEACTION-FLOWEXPORTER-IPFIX

cache entries 6500

!

flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-MEDIANET

description DO NOT MODIFY. USED BY LIVEACTION.

record LIVEACTION-FLOWRECORD-MEDIANET

exporter LIVEACTION-FLOWEXPORTER-IPFIX

!

flow monitor LIVEACTION-FLOWMONITOR

description DO NOT MODIFY. USED BY LIVEACTION.

exporter LIVEACTION-FLOWEXPORTER-IPFIX

cache timeout inactive 10

cache timeout active 60

record LIVEACTION-FLOWRECORD

!

multilink bundle-name authenticated

!

domain 10

vrf default

master hub

source-interface Loopback0

site-prefixes prefix-list DC1_Prefix

load-balance

enterprise-prefix prefix-list ENT_Prefix

collector 198.18.133.34 port 2055

class VOICE sequence 20

match dscp ef policy voice

path-preference MPLS fallback INET

class VIDEO sequence 25

match dscp af41 policy real-time-video

match dscp cs4 policy real-time-video

path-preference MPLS fallback INET

class CRITICAL-DATA sequence 30

match dscp af21 policy low-latency-data

path-preference MPLS fallback INET

class SCAVENGER sequence 40

match dscp cs1 policy scavenger

path-preference INET fallback MPLS

class BULK-DATA sequence 50

match dscp af11 policy bulk-data

path-preference INET fallback MPLS

!

license udi pid CSR1000V sn 9E0K829FLKK

license accept end user agreement

license boot level ax

!

spanning-tree extend system-id

!

username admin privilege 15 secret 5 $1$85Yx$Al6FWGUwWOaZWQR9tRwxi1

!

redundancy

!

class-map match-any LIVEACTION-CLASS-AVC

match access-group name LIVEACTION-ACL-AVC

class-map match-any LIVEACTION-CLASS-MEDIANET

match protocol telepresence-media

match protocol rtp

!

policy-map type performance-monitor LIVEACTION-POLICY-UNIFIED

class LIVEACTION-CLASS-AVC

flow monitor LIVEACTION-FLOWMONITOR-AVC

class LIVEACTION-CLASS-MEDIANET

flow monitor LIVEACTION-FLOWMONITOR-MEDIANET

!

interface Loopback0

ip address 10.1.0.10 255.255.255.255

!

interface GigabitEthernet1

description LAN interface

ip address 198.18.129.201 255.255.192.0

ip nbar protocol-discovery

ip flow monitor LIVEACTION-FLOWMONITOR input

ip flow monitor LIVEACTION-FLOWMONITOR output

load-interval 30

negotiation auto

cdp enable

service-policy type performance-monitor input LIVEACTION-POLICY-UNIFIED

service-policy type performance-monitor output LIVEACTION-POLICY-UNIFIED

!

router eigrp IWAN-EIGRP

!

address-family ipv4 unicast autonomous-system 400

!

af-interface default

passive-interface

exit-af-interface

!

af-interface GigabitEthernet1

no passive-interface

exit-af-interface

!

topology base

exit-af-topology

network 10.1.0.0 0.0.255.255

network 198.18.129.201 0.0.0.0

eigrp router-id 10.1.0.10

exit-address-family

!

virtual-service csr_mgmt

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

!

ip access-list extended LIVEACTION-ACL-AVC

permit tcp any any

!

ip prefix-list DC1_Prefix seq 25 permit 198.18.0.0/16

ip prefix-list DC1_Prefix seq 40 permit 10.1.0.0/16

!

ip prefix-list ENT_Prefix seq 5 permit 198.18.0.0/16

ip prefix-list ENT_Prefix seq 15 permit 10.0.0.0/8

no service-routing capabilities-manager

!

snmp-server community cisco123 RW 55

snmp ifmib ifindex persist

!

control-plane

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

stopbits 1

line vty 0 4

exec-timeout 0 0

logging synchronous

login local

transport input telnet ssh

!

end

Router R11-Hub-DC1

version 15.5

service timestamps debug datetime msec

service timestamps log datetime msec

no platform punt-keepalive disable-kernel-core

platform console auto

platform hardware throughput level MB 100

!

hostname R11-Hub-DC1

!

boot-start-marker

boot system bootflash:csr1000v-universalk9.03.16.01a.S.155-3.S1a-ext.SPA.bin

boot-end-marker

!

vrf definition MPLS1

!

address-family ipv4

exit-address-family

!

enable secret 5 $1$PqCC$dXzY64XCtlr5HlaNcGRj//

!

no aaa new-model

clock timezone PST -7 0

clock summer-time PDT recurring

!

ip multicast-routing distributed

!

ip name-server 198.18.133.1

!

ip domain lookup source-interface Loopback0

ip domain name dcloud.cisco.com

!

subscriber templating

!

flow record type performance-monitor LIVEACTION-FLOWRECORD-AVC

description DO NOT MODIFY. USED BY LIVEACTION.

match application name account-on-resolution

match connection client ipv4 address

match connection server ipv4 address

match connection server transport port

match ipv4 protocol

match routing vrf input

collect application http host

collect connection client counter bytes long

collect connection client counter bytes network long

collect connection client counter packets long

collect connection client counter packets retransmitted

collect connection delay application sum

collect connection delay network client-to-server sum

collect connection delay network to-client sum

collect connection delay network to-server sum

collect connection delay response client-to-server sum

collect connection delay response to-server histogram late

collect connection delay response to-server sum

collect connection initiator

collect connection new-connections

collect connection server counter bytes long

collect connection server counter bytes network long

collect connection server counter packets long

collect connection server counter responses

collect connection sum-duration

collect connection transaction counter complete

collect connection transaction duration max

collect connection transaction duration min

collect connection transaction duration sum

collect interface input

collect interface output

collect ipv4 destination address

collect ipv4 dscp

collect ipv4 source address

collect ipv4 ttl

!

flow record LIVEACTION-FLOWRECORD

description DO NOT MODIFY. USED BY LIVEACTION.

match flow direction

match interface input

match ipv4 destination address

match ipv4 protocol

match ipv4 source address

match ipv4 tos

match transport destination-port

match transport source-port

collect application name

collect counter bytes

collect counter packets

collect flow sampler

collect interface output

collect ipv4 destination mask

collect ipv4 dscp

collect ipv4 id

collect ipv4 source mask

collect ipv4 source prefix

collect routing destination as

collect routing next-hop address ipv4

collect routing source as

collect timestamp sys-uptime first

collect timestamp sys-uptime last

collect transport tcp flags

!

flow exporter LIVEACTION-FLOWEXPORTER-IPFIX

description DO NOT MODIFY. USED BY LIVEACTION.

destination 198.18.133.34

source Loopback0

transport udp 2055

export-protocol ipfix

option interface-table

option vrf-table

option application-table

option c3pl-class-table

option c3pl-policy-table

option application-attributes

!

flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-AVC

description DO NOT MODIFY. USED BY LIVEACTION.

record LIVEACTION-FLOWRECORD-AVC

exporter LIVEACTION-FLOWEXPORTER-IPFIX

cache entries 6500

!

flow monitor LIVEACTION-FLOWMONITOR

description DO NOT MODIFY. USED BY LIVEACTION.

exporter LIVEACTION-FLOWEXPORTER-IPFIX

cache timeout inactive 10

cache timeout active 60

record LIVEACTION-FLOWRECORD

!

multilink bundle-name authenticated

!

domain 10

vrf default

border

source-interface Loopback0

master 10.1.0.10

!

license udi pid CSR1000V sn 9UN0OOZU4QP

license accept end user agreement

license boot level ax

!

spanning-tree extend system-id

!

username admin privilege 15 secret 5 $1$mPhf$N7VeB4S8/OT3c8exmBFlJ1

!

redundancy

!

crypto ikev2 keyring DMVPN-KEYRING-MPLS

peer ANY

address 0.0.0.0 0.0.0.0

pre-shared-key 123CISCO

!

crypto ikev2 profile DMVPN-IKE-PROFILE-MPLS

match fvrf MPLS1

match identity remote address 0.0.0.0

authentication remote pre-share

authentication local pre-share

keyring local DMVPN-KEYRING-MPLS

!

cdp run

!

class-map match-any LIVEACTION-CLASS-AVC

match access-group name LIVEACTION-ACL-AVC

class-map match-any STREAMING-VIDEO

match dscp af31 af32

class-map match-any INTERACTIVE-VIDEO

match dscp cs4 af41 af42

class-map match-any CRITICAL-DATA

match dscp af11 af21

match access-group name MARK-CRITICAL

class-map match-any NET-CTRL-MGMT

match dscp cs2 cs6

class-map match-any VOICE

match dscp ef

match access-group name MARK-VOIP

class-map match-any SCAVENGER

match dscp cs1

match access-group name MARK-SCAVENGER

class-map match-any LIVEACTION-CLASS-MEDIANET

match protocol rtp

class-map match-any CALL-SIGNALING

match dscp cs3

!

policy-map WAN

class INTERACTIVE-VIDEO

bandwidth remaining percent 30

random-detect dscp-based

set dscp tunnel af41

class STREAMING-VIDEO

bandwidth remaining percent 10

random-detect dscp-based

set dscp tunnel af41

class NET-CTRL-MGMT

bandwidth remaining percent 5

set dscp tunnel cs6

class CALL-SIGNALING

bandwidth remaining percent 4

set dscp tunnel af41

class CRITICAL-DATA

bandwidth remaining percent 25

random-detect dscp-based

set dscp tunnel af21

class SCAVENGER

bandwidth remaining percent 1

set dscp tunnel af11

class VOICE

priority level 1

police cir percent 10

set dscp tunnel ef

class class-default

bandwidth remaining percent 25

random-detect

set dscp tunnel default

policy-map RS-GROUP-200MBPS-POLICY

class class-default

shape average 200000000

bandwidth remaining ratio 200

service-policy WAN

policy-map INTERFACE-G1

class class-default

shape average 100000000

policy-map RS-GROUP-20MBPS-POLICY

class class-default

shape average 20000000

bandwidth remaining ratio 20

service-policy WAN

policy-map LAN-MARKING

class CRITICAL-DATA

set dscp af21

class VOICE

set dscp ef

class SCAVENGER

set dscp cs1

policy-map type performance-monitor LIVEACTION-POLICY-UNIFIED

class LIVEACTION-CLASS-AVC

flow monitor LIVEACTION-FLOWMONITOR-AVC

class LIVEACTION-CLASS-MEDIANET

policy-map RS-GROUP-30MBPS-POLICY

class class-default

shape average 30000000

bandwidth remaining ratio 30

service-policy WAN

policy-map RS-GROUP-300MBPS-POLICY

class class-default

shape average 300000000

bandwidth remaining ratio 300

service-policy WAN

policy-map RS-GROUP-100MBPS-POLICY

class class-default

shape average 100000000

bandwidth remaining ratio 100

service-policy WAN

policy-map RS-GROUP-50MBPS-POLICY

class class-default

shape average 50000000

bandwidth remaining ratio 50

service-policy WAN

policy-map RS-GROUP-10MBPS-POLICY

class class-default

shape average 10000000

bandwidth remaining ratio 10

service-policy WAN

!

crypto ipsec security-association replay window-size 1024

!

crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac

mode transport

!

crypto ipsec profile DMVPN-IPSEC-PROFILE-MPLS

set transform-set AES256/SHA/TRANSPORT

set ikev2-profile DMVPN-IKE-PROFILE-MPLS

!

interface Loopback0

ip address 10.1.0.11 255.255.255.255

!

interface Tunnel100

description ***DMVPN Tunnel over MPLS***

bandwidth 100

ip address 192.168.100.11 255.255.255.0

no ip redirects

ip mtu 1400

ip nbar protocol-discovery

ip flow monitor LIVEACTION-FLOWMONITOR input

ip flow monitor LIVEACTION-FLOWMONITOR output

ip nhrp map multicast dynamic

ip nhrp map group RS-GROUP-300MBPS service-policy output RS-GROUP-300MBPS-POLICY

ip nhrp map group RS-GROUP-200MBPS service-policy output RS-GROUP-200MBPS-POLICY

ip nhrp map group RS-GROUP-100MBPS service-policy output RS-GROUP-100MBPS-POLICY

ip nhrp map group RS-GROUP-50MBPS service-policy output RS-GROUP-50MBPS-POLICY

ip nhrp map group RS-GROUP-30MBPS service-policy output RS-GROUP-30MBPS-POLICY

ip nhrp map group RS-GROUP-20MBPS service-policy output RS-GROUP-20MBPS-POLICY

ip nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY

ip nhrp network-id 100

ip nhrp holdtime 70

ip nhrp redirect

ip tcp adjust-mss 1360

delay 1000

if-state nhrp

tunnel source GigabitEthernet1

tunnel mode gre multipoint

tunnel vrf MPLS1

tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-MPLS

domain 10 path MPLS path-id 1

!

interface GigabitEthernet1

description MPLS interface

vrf forwarding MPLS1

ip address 172.16.11.1 255.255.255.252

load-interval 30

negotiation auto

cdp enable

service-policy output INTERFACE-G1

!

interface GigabitEthernet2

description Site-Lan

ip address 10.1.1.11 255.255.255.0

load-interval 30

delay 24000

negotiation auto

cdp enable

service-policy input LAN-MARKING

!

router eigrp IWAN-EIGRP

!

address-family ipv4 unicast autonomous-system 400

!

af-interface Tunnel100

hello-interval 20

hold-time 60

no split-horizon

summary-address 10.0.0.0 255.0.0.0

summary-address 10.1.0.0 255.255.0.0

exit-af-interface

!

topology base

distribute-list prefix EIGRPSUMMARY in Tunnel100

summary-metric 10.1.0.0/16 10000000 1 255 0 1500 distance 250

summary-metric 10.0.0.0/8 10000000 1 255 0 1500 distance 250

exit-af-topology

network 10.1.0.0 0.0.255.255

network 192.168.100.0

eigrp router-id 10.1.0.11

exit-address-family

!

virtual-service csr_mgmt

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

ip route vrf MPLS1 0.0.0.0 0.0.0.0 172.16.11.2

ip ssh version 1

!

ip access-list extended LIVEACTION-ACL-AVC

permit tcp any any

ip access-list extended MARK-CRITICAL

permit ip host 198.18.133.110 host 10.5.1.11

permit ip host 198.18.133.110 host 10.5.1.12

permit ip host 198.18.133.110 host 10.4.4.21

permit ip host 198.18.133.110 host 10.4.4.22

ip access-list extended MARK-SCAVENGER

permit tcp any eq ftp any

permit tcp any eq ftp-data any

permit tcp any any eq ftp

permit tcp any any eq ftp-data

ip access-list extended MARK-VOIP

permit ip host 198.18.133.36 host 10.5.1.11

permit ip host 198.18.133.36 host 10.4.4.21

!

ip prefix-list EIGRPSUMMARY seq 10 deny 0.0.0.0/0

ip prefix-list EIGRPSUMMARY seq 20 deny 10.0.0.0/8

ip prefix-list EIGRPSUMMARY seq 30 deny 10.1.0.0/16

ip prefix-list EIGRPSUMMARY seq 40 deny 10.2.0.0/16

ip prefix-list EIGRPSUMMARY seq 50 permit 0.0.0.0/0 le 32

no service-routing capabilities-manager

logging source-interface Loopback0

logging host 198.18.133.65

!

snmp-server community cisco123 RW 55

!

control-plane

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

stopbits 1

line vty 0 4

exec-timeout 0 0

logging synchronous

login local

transport input telnet ssh

line vty 5 8

exec-timeout 0 0

logging synchronous

login local

transport input telnet ssh

!

ntp source Loopback0

ntp server 198.18.128.1

!

end
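
Added example, not part of the original lab guide: a small Python audit that flags the management-plane and IKEv2 keyring settings in the listing above that a reviewer would want changed before reusing this configuration outside the lab (`ip ssh version 1`, the `RW` SNMP community, Telnet on the vty lines, `exec-timeout 0 0`, and the one pre-shared key for peer `ANY`). The names `Finding`, `audit`, `acl_defined` and the rule labels are assumptions of this example, and the sample text is constructed from lines in the listing.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    lineno: int    # 1-based line in the audited text
    rule: str
    context: str   # enclosing section header, "" for a global command
    detail: str


# Constructed sample: commands copied from the hub-router listing above, with
# the indentation that "show running-config" normally prints restored.
SAMPLE_CONFIG = """\
crypto ikev2 keyring DMVPN-KEYRING-MPLS
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key 123CISCO
!
ip ssh version 1
!
snmp-server community cisco123 RW 55
!
line con 0
 exec-timeout 0 0
 privilege level 15
line vty 0 4
 exec-timeout 0 0
 login local
 transport input telnet ssh
!
"""

SECTION_RE = re.compile(r"^(?:line (?:con|aux|vty) .+|crypto ikev2 keyring \S+)$")
SNMP_RE = re.compile(r"^snmp-server community \S+ (RO|RW)(?: (\S+))?$", re.I)


def acl_defined(lines, name):
    """True if the audited text itself defines the numbered or named ACL."""
    n = re.escape(name)
    pat = re.compile(rf"^(?:access-list {n} |ip access-list (?:standard|extended) {n}$)")
    return any(pat.match(line) for line in lines)


def audit(config_text):
    """Flag weak management-plane and IKEv2 keyring settings in IOS config text."""
    # Lines are stripped first, so the flattened listing on this page and an
    # indented running-config match alike; a section ends at "!" or a new header.
    lines = [raw.strip() for raw in config_text.splitlines()]
    findings = []
    section = ""       # current "line ..." or "crypto ikev2 keyring ..." header
    wildcard = False   # inside a keyring peer whose address matches any host

    def report(no, rule, detail, context=""):
        findings.append(Finding(no, rule, context, detail))

    for no, line in enumerate(lines, 1):
        if not line:
            continue
        if line == "!":
            section, wildcard = "", False
            continue
        if SECTION_RE.match(line):
            section, wildcard = line, False
            continue

        if line == "ip ssh version 1":
            report(no, "ssh-v1", "SSH server limited to protocol version 1")
        snmp = SNMP_RE.match(line)
        if snmp and snmp.group(1).upper() == "RW":
            acl = snmp.group(2)
            if acl is None:
                detail = "read-write community with no ACL"
            elif acl_defined(lines, acl):
                detail = f"read-write community, restricted by ACL {acl}"
            else:
                detail = f"read-write community names ACL {acl}, which this text never defines"
            report(no, "snmp-rw", detail)

        if section.startswith("line "):
            if line == "exec-timeout 0 0":
                report(no, "no-exec-timeout", "idle sessions never time out", section)
            elif line.startswith("transport input "):
                protocols = line.split()[2:]
                if "telnet" in protocols or "all" in protocols:
                    report(no, "telnet-enabled", "cleartext Telnet accepted", section)
        elif section.startswith("crypto ikev2 keyring "):
            if line.startswith("peer "):
                wildcard = False
            elif line == "address 0.0.0.0 0.0.0.0":
                wildcard = True
            elif line.startswith("pre-shared-key ") and wildcard:
                report(no, "wildcard-psk", "one pre-shared key accepted from any peer address", section)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.lineno}: {f.rule} [{f.context or 'global'}]: {f.detail}")
```

Run against a full listing, the same function reports the line number of each match, so the findings can be compared router by router.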

Router R12-Hub-DC1

version 15.5

service timestamps debug datetime msec

service timestamps log datetime msec

no platform punt-keepalive disable-kernel-core

platform console auto

platform hardware throughput level MB 100

!

hostname R12-Hub-DC1

!

boot-start-marker

boot system bootflash:csr1000v-universalk9.03.16.01a.S.155-3.S1a-ext.SPA.bin

boot-end-marker

!

vrf definition INET1

!

address-family ipv4

exit-address-family

!

enable secret 5 $1$.Y6g$Md5qjnc6CkRxbpRa26i0N0

!

no aaa new-model

clock timezone PST -7 0

clock summer-time PDT recurring

!

ip multicast-routing distributed

!

ip name-server 198.18.133.1

!

ip domain lookup source-interface Loopback0

ip domain name dcloud.cisco.com

!

subscriber templating

!

flow record type performance-monitor LIVEACTION-FLOWRECORD-AVC

description DO NOT MODIFY. USED BY LIVEACTION.

match application name account-on-resolution

match connection client ipv4 address

match connection server ipv4 address

match connection server transport port

match ipv4 protocol

match routing vrf input

collect application http host

collect connection client counter bytes long

collect connection client counter bytes network long

collect connection client counter packets long

collect connection client counter packets retransmitted

collect connection delay application sum

collect connection delay network client-to-server sum

collect connection delay network to-client sum

collect connection delay network to-server sum

collect connection delay response client-to-server sum

collect connection delay response to-server histogram late

collect connection delay response to-server sum

collect connection initiator

collect connection new-connections

collect connection server counter bytes long

collect connection server counter bytes network long

collect connection server counter packets long

collect connection server counter responses

collect connection sum-duration

collect connection transaction counter complete

collect connection transaction duration max

collect connection transaction duration min

collect connection transaction duration sum

collect interface input

collect interface output

collect ipv4 destination address

collect ipv4 dscp

collect ipv4 source address

collect ipv4 ttl

!

flow record LIVEACTION-FLOWRECORD

description DO NOT MODIFY. USED BY LIVEACTION.

match flow direction

match interface input

match ipv4 destination address

match ipv4 protocol

match ipv4 source address

match ipv4 tos

match transport destination-port

match transport source-port

collect application name

collect counter bytes

collect counter packets

collect flow sampler

collect interface output

collect ipv4 destination mask

collect ipv4 dscp

collect ipv4 id

collect ipv4 source mask

collect ipv4 source prefix

collect routing destination as

collect routing next-hop address ipv4

collect routing source as

collect timestamp sys-uptime first

collect timestamp sys-uptime last

collect transport tcp flags

!

flow exporter LIVEACTION-FLOWEXPORTER-IPFIX

description DO NOT MODIFY. USED BY LIVEACTION.

destination 198.18.133.34

source Loopback0

transport udp 2055

export-protocol ipfix

option interface-table

option vrf-table

option application-table

option c3pl-class-table

option c3pl-policy-table

option application-attributes

!

flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-AVC

description DO NOT MODIFY. USED BY LIVEACTION.

record LIVEACTION-FLOWRECORD-AVC

exporter LIVEACTION-FLOWEXPORTER-IPFIX

cache entries 6500

!

flow monitor LIVEACTION-FLOWMONITOR

description DO NOT MODIFY. USED BY LIVEACTION.

exporter LIVEACTION-FLOWEXPORTER-IPFIX

cache timeout inactive 10

cache timeout active 60

record LIVEACTION-FLOWRECORD

!

multilink bundle-name authenticated

!

domain 10

vrf default

border

source-interface Loopback0

master 10.1.0.10

!

cts logging verbose

!

license udi pid CSR1000V sn 9TNHAU3EBHU

license accept end user agreement

license boot level ax

!

spanning-tree extend system-id

!

username admin privilege 15 secret 5 $1$dd..$y.s.vtT0xS.YTG/FP5QvE.

!

redundancy

!

crypto ikev2 keyring DMVPN-KEYRING-INET

peer ANY

address 0.0.0.0 0.0.0.0

pre-shared-key 123CISCO

!

crypto ikev2 profile DMVPN-IKE-PROFILE-INET

match fvrf INET1

match identity remote address 0.0.0.0

authentication remote pre-share

authentication local pre-share

keyring local DMVPN-KEYRING-INET

!

cdp run

!

class-map match-any LIVEACTION-CLASS-AVC

match access-group name LIVEACTION-ACL-AVC

class-map match-any STREAMING-VIDEO

match dscp af31 af32

class-map match-any INTERACTIVE-VIDEO

match dscp cs4 af41 af42

class-map match-any CRITICAL-DATA

match dscp af11 af21

match access-group name MARK-CRITICAL

class-map match-any NET-CTRL-MGMT

match dscp cs2 cs6

class-map match-any VOICE

match dscp ef

match access-group name MARK-VOIP

class-map match-any SCAVENGER

match dscp cs1

match access-group name MARK-SCAVENGER

class-map match-any LIVEACTION-CLASS-MEDIANET

match protocol rtp

class-map match-any CALL-SIGNALING

match dscp cs3

!

policy-map WAN

class INTERACTIVE-VIDEO

bandwidth remaining percent 30

random-detect dscp-based

set dscp tunnel af41

class STREAMING-VIDEO

bandwidth remaining percent 10

random-detect dscp-based

set dscp tunnel af41

class NET-CTRL-MGMT

bandwidth remaining percent 5

set dscp tunnel cs6

class CALL-SIGNALING

bandwidth remaining percent 4

set dscp tunnel af41

class CRITICAL-DATA

bandwidth remaining percent 25

random-detect dscp-based

set dscp tunnel af21

class SCAVENGER

bandwidth remaining percent 1

set dscp tunnel af11

class VOICE

priority level 1

police cir percent 10

set dscp tunnel ef

class class-default

bandwidth remaining percent 25

random-detect

set dscp tunnel default

policy-map RS-GROUP-200MBPS-POLICY

class class-default

shape average 200000000

bandwidth remaining ratio 200

service-policy WAN

policy-map INTERFACE-G1

class class-default

shape average 100000000

policy-map RS-GROUP-20MBPS-POLICY

class class-default

shape average 20000000

bandwidth remaining ratio 20

service-policy WAN

policy-map LAN-MARKING

class CRITICAL-DATA

set dscp af21

class VOICE

set dscp ef

class SCAVENGER

set dscp cs1

policy-map type performance-monitor LIVEACTION-POLICY-UNIFIED

class LIVEACTION-CLASS-AVC

flow monitor LIVEACTION-FLOWMONITOR-AVC

class LIVEACTION-CLASS-MEDIANET

policy-map RS-GROUP-30MBPS-POLICY

class class-default

shape average 30000000

bandwidth remaining ratio 30

service-policy WAN

policy-map RS-GROUP-300MBPS-POLICY

class class-default

shape average 300000000

bandwidth remaining ratio 300

service-policy WAN

policy-map RS-GROUP-100MBPS-POLICY

class class-default

shape average 100000000

bandwidth remaining ratio 100

service-policy WAN

policy-map RS-GROUP-50MBPS-POLICY

class class-default

shape average 50000000

bandwidth remaining ratio 50

service-policy WAN

policy-map RS-GROUP-10MBPS-POLICY

class class-default

shape average 10000000

bandwidth remaining ratio 10

service-policy WAN

!

crypto ipsec security-association replay window-size 1024

!

crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac

mode transport

!

crypto ipsec profile DMVPN-IPSEC-PROFILE-INET

set transform-set AES256/SHA/TRANSPORT

set ikev2-profile DMVPN-IKE-PROFILE-INET

!

interface Loopback0

ip address 10.1.0.12 255.255.255.255

!

interface Tunnel200

description ***DMVPN Tunnel over Internet***

bandwidth 1000

ip address 192.168.200.12 255.255.255.0

no ip redirects

ip mtu 1400

ip nbar protocol-discovery

ip flow monitor LIVEACTION-FLOWMONITOR input

ip flow monitor LIVEACTION-FLOWMONITOR output

ip nhrp map multicast dynamic

ip nhrp map group RS-GROUP-300MBPS service-policy output RS-GROUP-300MBPS-POLICY

ip nhrp map group RS-GROUP-200MBPS service-policy output RS-GROUP-200MBPS-POLICY

ip nhrp map group RS-GROUP-100MBPS service-policy output RS-GROUP-100MBPS-POLICY

ip nhrp map group RS-GROUP-50MBPS service-policy output RS-GROUP-50MBPS-POLICY

ip nhrp map group RS-GROUP-30MBPS service-policy output RS-GROUP-30MBPS-POLICY

ip nhrp map group RS-GROUP-20MBPS service-policy output RS-GROUP-20MBPS-POLICY

ip nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY

ip nhrp network-id 200

ip nhrp holdtime 70

ip nhrp redirect

ip tcp adjust-mss 1360

delay 2000

if-state nhrp

tunnel source GigabitEthernet1

tunnel mode gre multipoint

tunnel vrf INET1

tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-INET

domain 10 path INET path-id 2

!

interface GigabitEthernet1

description INET interface

vrf forwarding INET1

ip address 100.64.12.1 255.255.255.252

load-interval 30

negotiation auto

cdp enable

service-policy output INTERFACE-G1

!

interface GigabitEthernet2

description Site-Lan

ip address 10.1.1.12 255.255.255.0

load-interval 30

delay 24000

negotiation auto

cdp enable

service-policy input LAN-MARKING

!

interface GigabitEthernet3

description LAN interface to PRIME

ip address 198.100.0.2 255.255.255.0

load-interval 30

negotiation auto

cdp enable

!

router eigrp IWAN-EIGRP

!

address-family ipv4 unicast autonomous-system 400

!

af-interface Tunnel200

hello-interval 20

hold-time 60

no split-horizon

summary-address 10.0.0.0 255.0.0.0

summary-address 10.1.0.0 255.255.0.0

exit-af-interface

!

topology base

distribute-list prefix EIGRPSUMMARY in Tunnel200

summary-metric 10.1.0.0/16 10000000 1 255 0 1500 distance 250

summary-metric 10.0.0.0/8 10000000 1 255 0 1500 distance 250

exit-af-topology

network 10.1.0.0 0.0.255.255

network 192.168.200.0

eigrp router-id 10.1.0.12

exit-address-family

!

virtual-service csr_mgmt

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

ip route vrf INET1 0.0.0.0 0.0.0.0 100.64.12.2

!

ip access-list extended LIVEACTION-ACL-AVC

permit tcp any any

ip access-list extended MARK-CRITICAL

permit ip host 198.18.133.110 host 10.5.1.11

permit ip host 198.18.133.110 host 10.5.1.12

permit ip host 198.18.133.110 host 10.4.4.21

permit ip host 198.18.133.110 host 10.4.4.22

ip access-list extended MARK-SCAVENGER

permit tcp any eq ftp any

permit tcp any eq ftp-data any

permit tcp any any eq ftp

permit tcp any any eq ftp-data

ip access-list extended MARK-VOIP

permit ip host 198.18.133.36 host 10.5.1.11

permit ip host 198.18.133.36 host 10.4.4.21

!

ip prefix-list EIGRPSUMMARY seq 10 deny 0.0.0.0/0

ip prefix-list EIGRPSUMMARY seq 20 deny 10.0.0.0/8

ip prefix-list EIGRPSUMMARY seq 30 deny 10.1.0.0/16

ip prefix-list EIGRPSUMMARY seq 40 deny 10.2.0.0/16

ip prefix-list EIGRPSUMMARY seq 50 permit 0.0.0.0/0 le 32

no service-routing capabilities-manager

!

snmp-server community cisco123 RW 55

!

control-plane

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

stopbits 1

line vty 0 4

exec-timeout 0 0

logging synchronous

login local

transport input telnet ssh

!

ntp source Loopback0

ntp server 198.18.128.1

!

end

Router R20-Hub-DC1

version 15.5

service timestamps debug datetime msec

service timestamps log datetime msec

no platform punt-keepalive disable-kernel-core

platform console virtual

!

hostname R20-MC-DC2

!

boot-start-marker

boot system bootflash:csr1000v-universalk9.03.16.01a.S.155-3.S1a-ext.SPA.bin

boot-end-marker

!

enable secret 5 $1$Zi8l$w47EAP/2fWMKJwezsIUO31

!

no aaa new-model

clock timezone JST 9 0

!

ip name-server 198.18.133.1

!

ip domain lookup source-interface Loopback0

ip domain name dcloud.cisco.com

!

subscriber templating

!

flow record type performance-monitor LIVEACTION-FLOWRECORD-AVC

description DO NOT MODIFY. USED BY LIVEACTION.

match application name account-on-resolution

match connection client ipv4 address

match connection server ipv4 address

match connection server transport port

match ipv4 protocol

match routing vrf input

collect application http host

collect connection client counter bytes long

collect connection client counter bytes network long

collect connection client counter packets long

collect connection client counter packets retransmitted

collect connection delay application sum

collect connection delay network client-to-server sum

collect connection delay network to-client sum

collect connection delay network to-server sum

collect connection delay response client-to-server sum

collect connection delay response to-server histogram late

collect connection delay response to-server sum

collect connection initiator

collect connection new-connections

collect connection server counter bytes long

collect connection server counter bytes network long

collect connection server counter packets long

collect connection server counter responses

collect connection sum-duration

collect connection transaction counter complete

collect connection transaction duration max

collect connection transaction duration min

collect connection transaction duration sum

collect interface input

collect interface output

collect ipv4 destination address

collect ipv4 dscp

collect ipv4 source address

collect ipv4 ttl

!

flow record type performance-monitor LIVEACTION-FLOWRECORD-MEDIANET

description DO NOT MODIFY. USED BY LIVEACTION.

match flow direction

match ipv4 destination address

match ipv4 protocol

match ipv4 source address

match transport destination-port

match transport rtp ssrc

match transport source-port

collect application media bytes counter

collect application media bytes rate

collect application media event

collect application media packets counter

collect application media packets rate

collect application name

collect counter bytes

collect counter bytes rate

collect counter packets

collect interface input

collect interface output

collect ipv4 dscp

collect ipv4 ttl

collect monitor event

collect routing forwarding-status

collect timestamp interval

collect transport event packet-loss counter

collect transport packets expected counter

collect transport packets lost counter

collect transport packets lost rate

collect transport rtp jitter maximum

collect transport rtp jitter mean

collect transport rtp jitter minimum

!

flow record LIVEACTION-FLOWRECORD

description DO NOT MODIFY. USED BY LIVEACTION.

match flow direction

match interface input

match ipv4 destination address

match ipv4 protocol

match ipv4 source address

match ipv4 tos

match transport destination-port

match transport source-port

collect application name

collect counter bytes

collect counter packets

collect flow sampler

collect interface output

collect ipv4 destination mask

collect ipv4 dscp

collect ipv4 id

collect ipv4 source mask

collect ipv4 source prefix

collect routing destination as

collect routing next-hop address ipv4

collect routing source as

collect timestamp sys-uptime first

collect timestamp sys-uptime last

collect transport tcp flags

!

flow exporter LIVEACTION-FLOWEXPORTER-IPFIX

description DO NOT MODIFY. USED BY LIVEACTION.

destination 198.18.133.34

source Loopback0

transport udp 2055

export-protocol ipfix

option interface-table

option vrf-table

option application-table

option c3pl-class-table

option c3pl-policy-table

option application-attributes

!

flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-AVC

description DO NOT MODIFY. USED BY LIVEACTION.

record LIVEACTION-FLOWRECORD-AVC

exporter LIVEACTION-FLOWEXPORTER-IPFIX

cache entries 6500

!

flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-MEDIANET

description DO NOT MODIFY. USED BY LIVEACTION.

record LIVEACTION-FLOWRECORD-MEDIANET

exporter LIVEACTION-FLOWEXPORTER-IPFIX

!

flow monitor LIVEACTION-FLOWMONITOR

description DO NOT MODIFY. USED BY LIVEACTION.

exporter LIVEACTION-FLOWEXPORTER-IPFIX

cache timeout inactive 10

cache timeout active 60

record LIVEACTION-FLOWRECORD

!

multilink bundle-name authenticated

!

domain 10

vrf default

master transit 1

source-interface Loopback0

site-prefixes prefix-list DC2_Prefix

hub 10.1.0.10

!

license udi pid CSR1000V sn 948QOETXPZQ

license boot level ax

!

spanning-tree extend system-id

!

username admin privilege 15 secret 5 $1$gJ0U$WobSFrOdaJI0s3Iz5LVe0/

!

redundancy

!

class-map match-any LIVEACTION-CLASS-AVC

match access-group name LIVEACTION-ACL-AVC

class-map match-any LIVEACTION-CLASS-MEDIANET

match protocol rtp

!

policy-map type performance-monitor LIVEACTION-POLICY-UNIFIED

class LIVEACTION-CLASS-AVC

flow monitor LIVEACTION-FLOWMONITOR-AVC

class LIVEACTION-CLASS-MEDIANET

flow monitor LIVEACTION-FLOWMONITOR-MEDIANET

!

interface Loopback0

ip address 10.2.0.20 255.255.255.255

!

interface GigabitEthernet1

description LAN interface

ip address 10.2.1.20 255.255.255.0

ip nbar protocol-discovery

ip flow monitor LIVEACTION-FLOWMONITOR input

ip flow monitor LIVEACTION-FLOWMONITOR output

load-interval 30

negotiation auto

cdp enable

service-policy type performance-monitor input LIVEACTION-POLICY-UNIFIED

service-policy type performance-monitor output LIVEACTION-POLICY-UNIFIED

!

router eigrp IWAN-EIGRP

!

address-family ipv4 unicast autonomous-system 400

!

af-interface default

passive-interface

exit-af-interface

!

af-interface GigabitEthernet1

no passive-interface

exit-af-interface

!

topology base

exit-af-topology

network 10.2.0.0 0.0.255.255

eigrp router-id 10.2.0.20

exit-address-family

!

virtual-service csr_mgmt

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

!

ip access-list extended LIVEACTION-ACL-AVC

permit tcp any any

!

ip prefix-list DC2_Prefix seq 25 permit 198.18.0.0/16

ip prefix-list DC2_Prefix seq 40 permit 10.2.0.0/16

no service-routing capabilities-manager

!

snmp-server community cisco123 RW 55

!

control-plane

!

line con 0

exec-timeout 0 0

logging synchronous

stopbits 1

line vty 0 4

exec-timeout 0 0

logging synchronous

login local

transport input telnet ssh

!

ntp source Loopback0

ntp server 198.18.128.1

onep

!

end

Router R21-Hub-DC2

version 15.5

service timestamps debug datetime msec

service timestamps log datetime msec

no platform punt-keepalive disable-kernel-core

platform console virtual

!

hostname R21-Hub-DC2

!

boot-start-marker

boot system bootflash:csr1000v-universalk9.03.16.01a.S.155-3.S1a-ext.SPA.bin

boot-end-marker

!

vrf definition MPLS1

!

address-family ipv4

exit-address-family

!

enable secret 5 $1$EIiO$Q.ZhnZUcsgJ0SO3kxHxwu.

!

no aaa new-model

clock summer-time PDT recurring

!

ip multicast-routing distributed

!

ip name-server 198.18.133.1

!

ip domain lookup source-interface Loopback0

ip domain name dcloud.cisco.com

!

subscriber templating

!

flow record type performance-monitor LIVEACTION-FLOWRECORD-AVC

description DO NOT MODIFY. USED BY LIVEACTION.

match application name account-on-resolution

match connection client ipv4 address

match connection server ipv4 address

match connection server transport port

match ipv4 protocol

match routing vrf input

collect application http host

collect connection client counter bytes long

collect connection client counter bytes network long

collect connection client counter packets long

collect connection client counter packets retransmitted

collect connection delay application sum

collect connection delay network client-to-server sum

collect connection delay network to-client sum

collect connection delay network to-server sum

collect connection delay response client-to-server sum

collect connection delay response to-server histogram late

collect connection delay response to-server sum

collect connection initiator

collect connection new-connections

collect connection server counter bytes long

collect connection server counter bytes network long

collect connection server counter packets long

collect connection server counter responses

collect connection sum-duration

collect connection transaction counter complete

collect connection transaction duration max

collect connection transaction duration min

collect connection transaction duration sum

collect interface input

collect interface output

collect ipv4 destination address

collect ipv4 dscp

collect ipv4 source address

collect ipv4 ttl

!

flow record LIVEACTION-FLOWRECORD

description DO NOT MODIFY. USED BY LIVEACTION.

match flow direction

match interface input

match ipv4 destination address

match ipv4 protocol

match ipv4 source address

match ipv4 tos

match transport destination-port

match transport source-port

collect application name

collect counter bytes

collect counter packets

collect flow sampler

collect interface output

collect ipv4 destination mask

collect ipv4 dscp

collect ipv4 id

collect ipv4 source mask

collect ipv4 source prefix

collect routing destination as

collect routing next-hop address ipv4

collect routing source as

collect timestamp sys-uptime first

collect timestamp sys-uptime last

collect transport tcp flags

!

flow exporter LIVEACTION-FLOWEXPORTER-IPFIX

description DO NOT MODIFY. USED BY LIVEACTION.

destination 198.18.133.34

source Loopback0

transport udp 2055

export-protocol ipfix

option interface-table

option vrf-table

option application-table

option c3pl-class-table

option c3pl-policy-table

option application-attributes

!

flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-AVC

description DO NOT MODIFY. USED BY LIVEACTION.

record LIVEACTION-FLOWRECORD-AVC

exporter LIVEACTION-FLOWEXPORTER-IPFIX

cache entries 6500

!

flow monitor LIVEACTION-FLOWMONITOR

description DO NOT MODIFY. USED BY LIVEACTION.

exporter LIVEACTION-FLOWEXPORTER-IPFIX

cache timeout inactive 10

cache timeout active 60

record LIVEACTION-FLOWRECORD

!

multilink bundle-name authenticated

!

domain 10

vrf default

border

source-interface Loopback0

master 10.2.0.20

!

license udi pid CSR1000V sn 9ZF91NWOZAL

license boot level ax

!

spanning-tree extend system-id

!

username admin privilege 15 secret 5 $1$j3K6$6zkRfjf6nguXJNC4QbGMl0

!

redundancy

!

crypto ikev2 keyring DMVPN-KEYRING-MPLS

peer ANY

address 0.0.0.0 0.0.0.0

pre-shared-key 123CISCO

!

crypto ikev2 profile DMVPN-IKE-PROFILE-MPLS

match fvrf MPLS1

match identity remote address 0.0.0.0

authentication remote pre-share

authentication local pre-share

keyring local DMVPN-KEYRING-MPLS

!

cdp run

!

class-map match-any LIVEACTION-CLASS-AVC

match access-group name LIVEACTION-ACL-AVC

class-map match-any STREAMING-VIDEO

match dscp af31 af32

class-map match-any INTERACTIVE-VIDEO

match dscp cs4 af41 af42

class-map match-any CRITICAL-DATA

match dscp af11 af21

match access-group name MARK-CRITICAL

class-map match-any NET-CTRL-MGMT

match dscp cs2 cs6

class-map match-any VOICE

match dscp ef

match access-group name MARK-VOIP

class-map match-any SCAVENGER

match dscp cs1

match access-group name MARK-SCAVENGER

class-map match-any LIVEACTION-CLASS-MEDIANET

match protocol rtp

class-map match-any CALL-SIGNALING

match dscp cs3

!

policy-map WAN

class INTERACTIVE-VIDEO

bandwidth remaining percent 30

random-detect dscp-based

set dscp tunnel af41

class STREAMING-VIDEO

bandwidth remaining percent 10

random-detect dscp-based

set dscp tunnel af41

class NET-CTRL-MGMT

bandwidth remaining percent 5

set dscp tunnel cs6

class CALL-SIGNALING

bandwidth remaining percent 4

set dscp tunnel af41

class CRITICAL-DATA

bandwidth remaining percent 25

random-detect dscp-based

set dscp tunnel af21

class SCAVENGER

bandwidth remaining percent 1

set dscp tunnel af11

class VOICE

priority level 1

police cir percent 10

set dscp tunnel ef

class class-default

bandwidth remaining percent 25

random-detect

set dscp tunnel default

policy-map RS-GROUP-200MBPS-POLICY

class class-default

shape average 200000000

bandwidth remaining ratio 200

service-policy WAN

policy-map INTERFACE-G1

class class-default

shape average 100000000

policy-map RS-GROUP-20MBPS-POLICY

class class-default

shape average 20000000

bandwidth remaining ratio 20

service-policy WAN

policy-map LAN-MARKING

class CRITICAL-DATA

set dscp af21

class VOICE

set dscp ef

class SCAVENGER

set dscp cs1

policy-map type performance-monitor LIVEACTION-POLICY-UNIFIED

class LIVEACTION-CLASS-AVC

flow monitor LIVEACTION-FLOWMONITOR-AVC

class LIVEACTION-CLASS-MEDIANET

policy-map RS-GROUP-30MBPS-POLICY

class class-default

shape average 30000000

bandwidth remaining ratio 30

service-policy WAN

policy-map RS-GROUP-300MBPS-POLICY

class class-default

shape average 300000000

bandwidth remaining ratio 300

service-policy WAN

policy-map RS-GROUP-100MBPS-POLICY

class class-default

shape average 100000000

bandwidth remaining ratio 100

service-policy WAN

policy-map RS-GROUP-50MBPS-POLICY

class class-default

shape average 50000000

bandwidth remaining ratio 50

service-policy WAN

policy-map RS-GROUP-10MBPS-POLICY

class class-default

shape average 10000000

bandwidth remaining ratio 10

service-policy WAN

!

crypto ipsec security-association replay window-size 1024

!

crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac

mode transport

!

crypto ipsec profile DMVPN-IPSEC-PROFILE-MPLS

set transform-set AES256/SHA/TRANSPORT

set ikev2-profile DMVPN-IKE-PROFILE-MPLS

!

interface Loopback0

ip address 10.2.0.21 255.255.255.255

!

interface Tunnel100

description ***DMVPN Tunnel over MPLS***

bandwidth 1000

ip address 192.168.100.21 255.255.255.0

no ip redirects

ip mtu 1400

ip nbar protocol-discovery

ip flow monitor LIVEACTION-FLOWMONITOR input

ip flow monitor LIVEACTION-FLOWMONITOR output

ip nhrp map multicast dynamic

ip nhrp map group RS-GROUP-300MBPS service-policy output RS-GROUP-300MBPS-POLICY

ip nhrp map group RS-GROUP-200MBPS service-policy output RS-GROUP-200MBPS-POLICY

ip nhrp map group RS-GROUP-100MBPS service-policy output RS-GROUP-100MBPS-POLICY

ip nhrp map group RS-GROUP-50MBPS service-policy output RS-GROUP-50MBPS-POLICY

ip nhrp map group RS-GROUP-30MBPS service-policy output RS-GROUP-30MBPS-POLICY

ip nhrp map group RS-GROUP-20MBPS service-policy output RS-GROUP-20MBPS-POLICY

ip nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY

ip nhrp network-id 100

ip nhrp holdtime 70

ip nhrp redirect

ip tcp adjust-mss 1360

delay 1000

if-state nhrp

tunnel source GigabitEthernet1

tunnel mode gre multipoint

tunnel vrf MPLS1

tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-MPLS

domain 10 path MPLS path-id 1

!

interface GigabitEthernet1

description MPLS interface

vrf forwarding MPLS1

ip address 172.16.21.1 255.255.255.252

load-interval 30

negotiation auto

cdp enable

service-policy output INTERFACE-G1

!

interface GigabitEthernet2

description Site-Lan

ip address 10.2.2.21 255.255.255.0

load-interval 30

delay 24000

negotiation auto

cdp enable

service-policy input LAN-MARKING

!

router eigrp IWAN-EIGRP

!

address-family ipv4 unicast autonomous-system 400

!

af-interface Tunnel100

hello-interval 20

hold-time 60

no split-horizon

summary-address 10.0.0.0 255.0.0.0

summary-address 10.2.0.0 255.255.0.0

exit-af-interface

!

topology base

distribute-list prefix EIGRPSUMMARY in Tunnel100

summary-metric 10.2.0.0/16 10000000 1 255 0 1500 distance 250

summary-metric 10.0.0.0/8 10000000 1 255 0 1500 distance 250

exit-af-topology

network 10.2.0.0 0.0.255.255

network 192.168.100.0

eigrp router-id 10.2.0.21

exit-address-family

!

virtual-service csr_mgmt

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

ip route vrf MPLS1 0.0.0.0 0.0.0.0 172.16.21.2

!

ip access-list extended LIVEACTION-ACL-AVC

permit tcp any any

ip access-list extended MARK-CRITICAL

permit ip host 198.18.133.110 host 10.5.1.11

permit ip host 198.18.133.110 host 10.5.1.12

permit ip host 198.18.133.110 host 10.4.4.21

permit ip host 198.18.133.110 host 10.4.4.22

ip access-list extended MARK-SCAVENGER

permit tcp any eq ftp any

permit tcp any eq ftp-data any

permit tcp any any eq ftp

permit tcp any any eq ftp-data

ip access-list extended MARK-VOIP

permit ip host 198.18.133.36 host 10.5.1.11

permit ip host 198.18.133.36 host 10.4.4.21

!

ip prefix-list EIGRPSUMMARY seq 10 deny 0.0.0.0/0

ip prefix-list EIGRPSUMMARY seq 20 deny 10.0.0.0/8

ip prefix-list EIGRPSUMMARY seq 30 deny 10.1.0.0/16

ip prefix-list EIGRPSUMMARY seq 40 deny 10.2.0.0/16

ip prefix-list EIGRPSUMMARY seq 50 permit 0.0.0.0/0 le 32

no service-routing capabilities-manager

!

snmp-server community cisco123 RW 55

!

control-plane

!

line con 0

stopbits 1

line vty 0 4

exec-timeout 0 0

logging synchronous

login local

transport input telnet ssh

!

ntp source Loopback0

ntp server 198.18.128.1

onep

!

end

Router R22-Hub-DC2

version 15.5

service timestamps debug datetime msec

service timestamps log datetime msec

no platform punt-keepalive disable-kernel-core

platform console virtual

!

hostname R22-Hub-DC2

!

boot-start-marker

boot system bootflash:csr1000v-universalk9.03.16.01a.S.155-3.S1a-ext.SPA.bin

boot-end-marker

!

vrf definition INET1

!

address-family ipv4

exit-address-family

!

enable secret 5 $1$uvdG$VeavXN/At4LxAf8jc3QHg0

!

no aaa new-model

clock timezone PST -7 0

clock summer-time PDT recurring

!

ip multicast-routing distributed

!

ip name-server 198.18.133.1

!

ip domain lookup source-interface Loopback0

ip domain name dcloud.cisco.com

!

subscriber templating

!

flow record type performance-monitor LIVEACTION-FLOWRECORD-AVC

description DO NOT MODIFY. USED BY LIVEACTION.

match application name account-on-resolution

match connection client ipv4 address

match connection server ipv4 address

match connection server transport port

match ipv4 protocol

match routing vrf input

collect application http host

collect connection client counter bytes long

collect connection client counter bytes network long

collect connection client counter packets long

collect connection client counter packets retransmitted

collect connection delay application sum

collect connection delay network client-to-server sum

collect connection delay network to-client sum

collect connection delay network to-server sum

collect connection delay response client-to-server sum

collect connection delay response to-server histogram late

collect connection delay response to-server sum

collect connection initiator

collect connection new-connections

collect connection server counter bytes long

collect connection server counter bytes network long

collect connection server counter packets long

collect connection server counter responses

collect connection sum-duration

collect connection transaction counter complete

collect connection transaction duration max

collect connection transaction duration min

collect connection transaction duration sum

collect interface input

collect interface output

collect ipv4 destination address

collect ipv4 dscp

collect ipv4 source address

collect ipv4 ttl

!

flow record LIVEACTION-FLOWRECORD

description DO NOT MODIFY. USED BY LIVEACTION.

match flow direction

match interface input

match ipv4 destination address

match ipv4 protocol

match ipv4 source address

match ipv4 tos

match transport destination-port

match transport source-port

collect application name

collect counter bytes

collect counter packets

collect flow sampler

collect interface output

collect ipv4 destination mask

collect ipv4 dscp

collect ipv4 id

collect ipv4 source mask

collect ipv4 source prefix

collect routing destination as

collect routing next-hop address ipv4

collect routing source as

collect timestamp sys-uptime first

collect timestamp sys-uptime last

collect transport tcp flags

!

flow exporter LIVEACTION-FLOWEXPORTER-IPFIX

description DO NOT MODIFY. USED BY LIVEACTION.

destination 198.18.133.34

source Loopback0

transport udp 2055

export-protocol ipfix

option interface-table

option vrf-table

option application-table

option c3pl-class-table

option c3pl-policy-table

option application-attributes

!

flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-AVC

description DO NOT MODIFY. USED BY LIVEACTION.

record LIVEACTION-FLOWRECORD-AVC

exporter LIVEACTION-FLOWEXPORTER-IPFIX

cache entries 6500

!

flow monitor LIVEACTION-FLOWMONITOR

description DO NOT MODIFY. USED BY LIVEACTION.

exporter LIVEACTION-FLOWEXPORTER-IPFIX

cache timeout inactive 10

cache timeout active 60

record LIVEACTION-FLOWRECORD

!

multilink bundle-name authenticated

!

domain 10

vrf default

border

source-interface Loopback0

master 10.2.0.20

!

license udi pid CSR1000V sn 9T8CCIBM6RN

license boot level ax

!

spanning-tree extend system-id

!

username admin privilege 15 secret 5 $1$3TO/$HWZCFrD7mgrOb0ZIV9COD1

!

redundancy

!

crypto ikev2 keyring DMVPN-KEYRING-INET

peer ANY

address 0.0.0.0 0.0.0.0

pre-shared-key 123CISCO

!

crypto ikev2 profile DMVPN-IKE-PROFILE-INET

match fvrf INET1

match identity remote address 0.0.0.0

authentication remote pre-share

authentication local pre-share

keyring local DMVPN-KEYRING-INET

!

cdp run

!

class-map match-any LIVEACTION-CLASS-AVC

match access-group name LIVEACTION-ACL-AVC

class-map match-any STREAMING-VIDEO

match dscp af31 af32

class-map match-any INTERACTIVE-VIDEO

match dscp cs4 af41 af42

class-map match-any CRITICAL-DATA

match dscp af11 af21

match access-group name MARK-CRITICAL

class-map match-any NET-CTRL-MGMT

match dscp cs2 cs6

class-map match-any VOICE

match dscp ef

match access-group name MARK-VOIP

class-map match-any SCAVENGER

match dscp cs1

match access-group name MARK-SCAVENGER

class-map match-any LIVEACTION-CLASS-MEDIANET

match protocol rtp

class-map match-any CALL-SIGNALING

match dscp cs3

!

policy-map WAN

class INTERACTIVE-VIDEO

bandwidth remaining percent 30

random-detect dscp-based

set dscp tunnel af41

class STREAMING-VIDEO

bandwidth remaining percent 10

random-detect dscp-based

set dscp tunnel af41

class NET-CTRL-MGMT

bandwidth remaining percent 5

set dscp tunnel cs6

class CALL-SIGNALING

bandwidth remaining percent 4

set dscp tunnel af41

class CRITICAL-DATA

bandwidth remaining percent 25

random-detect dscp-based

set dscp tunnel af21

class SCAVENGER

bandwidth remaining percent 1

set dscp tunnel af11

class VOICE

priority level 1

police cir percent 10

set dscp tunnel ef

class class-default

bandwidth remaining percent 25

random-detect

set dscp tunnel default

policy-map RS-GROUP-200MBPS-POLICY

class class-default

shape average 200000000

bandwidth remaining ratio 200

service-policy WAN

policy-map INTERFACE-G1

class class-default

shape average 100000000

policy-map RS-GROUP-20MBPS-POLICY

class class-default

shape average 20000000

bandwidth remaining ratio 20

service-policy WAN

policy-map LAN-MARKING

class CRITICAL-DATA

set dscp af21

class VOICE

set dscp ef

class SCAVENGER

set dscp cs1

policy-map type performance-monitor LIVEACTION-POLICY-UNIFIED

class LIVEACTION-CLASS-AVC

flow monitor LIVEACTION-FLOWMONITOR-AVC

class LIVEACTION-CLASS-MEDIANET

policy-map RS-GROUP-30MBPS-POLICY

class class-default

shape average 30000000

bandwidth remaining ratio 30

service-policy WAN

policy-map RS-GROUP-300MBPS-POLICY

class class-default

shape average 300000000

bandwidth remaining ratio 300

service-policy WAN

policy-map RS-GROUP-100MBPS-POLICY

class class-default

shape average 100000000

bandwidth remaining ratio 100

service-policy WAN

policy-map RS-GROUP-50MBPS-POLICY

class class-default

shape average 50000000

bandwidth remaining ratio 50

service-policy WAN

policy-map RS-GROUP-10MBPS-POLICY

class class-default

shape average 10000000

bandwidth remaining ratio 10

service-policy WAN

!

crypto ipsec security-association replay window-size 1024

!

crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac

mode transport

!

crypto ipsec profile DMVPN-IPSEC-PROFILE-INET

set transform-set AES256/SHA/TRANSPORT

set ikev2-profile DMVPN-IKE-PROFILE-INET

!

interface Loopback0

ip address 10.2.0.22 255.255.255.255

!

interface Tunnel200

description ***DMVPN Tunnel over Internet***

bandwidth 1000

ip address 192.168.200.22 255.255.255.0

no ip redirects

ip mtu 1400

ip nbar protocol-discovery

ip flow monitor LIVEACTION-FLOWMONITOR input

ip flow monitor LIVEACTION-FLOWMONITOR output

ip nhrp map multicast dynamic

ip nhrp map group RS-GROUP-300MBPS service-policy output RS-GROUP-300MBPS-POLICY

ip nhrp map group RS-GROUP-200MBPS service-policy output RS-GROUP-200MBPS-POLICY

ip nhrp map group RS-GROUP-100MBPS service-policy output RS-GROUP-100MBPS-POLICY

ip nhrp map group RS-GROUP-50MBPS service-policy output RS-GROUP-50MBPS-POLICY

ip nhrp map group RS-GROUP-30MBPS service-policy output RS-GROUP-30MBPS-POLICY

ip nhrp map group RS-GROUP-20MBPS service-policy output RS-GROUP-20MBPS-POLICY

ip nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY

ip nhrp network-id 200

ip nhrp holdtime 70

ip nhrp redirect

ip tcp adjust-mss 1360

delay 2000

if-state nhrp

tunnel source GigabitEthernet1

tunnel mode gre multipoint

tunnel vrf INET1

tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-INET

domain 10 path INET path-id 2

!

interface GigabitEthernet1

description INET interface

vrf forwarding INET1

ip address 100.64.22.1 255.255.255.252

load-interval 30

negotiation auto

cdp enable

service-policy output INTERFACE-G1

!

interface GigabitEthernet2

description Site-Lan

ip address 10.2.2.22 255.255.255.0

load-interval 30

delay 24000

negotiation auto

cdp enable

service-policy input LAN-MARKING

!

router eigrp IWAN-EIGRP

!

address-family ipv4 unicast autonomous-system 400

!

af-interface Tunnel200

hello-interval 20

hold-time 60

no split-horizon

summary-address 10.0.0.0 255.0.0.0

summary-address 10.2.0.0 255.255.0.0

exit-af-interface

!

topology base

distribute-list prefix EIGRPSUMMARY in Tunnel200

summary-metric 10.2.0.0/16 10000000 1 255 0 1500 distance 250

summary-metric 10.0.0.0/8 10000000 1 255 0 1500 distance 250

exit-af-topology

network 10.2.0.0 0.0.255.255

network 192.168.200.0

eigrp router-id 10.2.0.22

exit-address-family

!

virtual-service csr_mgmt

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

ip route vrf INET1 0.0.0.0 0.0.0.0 100.64.22.2

!

ip access-list extended LIVEACTION-ACL-AVC

permit tcp any any

ip access-list extended MARK-CRITICAL

permit ip host 198.18.133.110 host 10.5.1.11

permit ip host 198.18.133.110 host 10.5.1.12

permit ip host 198.18.133.110 host 10.4.4.21

permit ip host 198.18.133.110 host 10.4.4.22

ip access-list extended MARK-SCAVENGER

permit tcp any eq ftp any

permit tcp any eq ftp-data any

permit tcp any any eq ftp

permit tcp any any eq ftp-data

ip access-list extended MARK-VOIP

permit ip host 198.18.133.36 host 10.5.1.11

permit ip host 198.18.133.36 host 10.4.4.21

!

ip prefix-list EIGRPSUMMARY seq 10 deny 0.0.0.0/0

ip prefix-list EIGRPSUMMARY seq 20 deny 10.0.0.0/8

ip prefix-list EIGRPSUMMARY seq 30 deny 10.1.0.0/16

ip prefix-list EIGRPSUMMARY seq 40 deny 10.2.0.0/16

ip prefix-list EIGRPSUMMARY seq 50 permit 0.0.0.0/0 le 32

no service-routing capabilities-manager

!

snmp-server community cisco123 RW 55

!

control-plane

!

line con 0

stopbits 1

line vty 0 4

exec-timeout 0 0

logging synchronous

login local

transport input telnet ssh

!

ntp source Loopback0

ntp server 198.18.128.1

onep

!

end

Router R41-Spoke-Site4

version 15.5

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R41-Spoke-Site4

!

boot-start-marker

boot-end-marker

!

vrf definition INET1

!

address-family ipv4

exit-address-family

!

vrf definition MPLS1

!

address-family ipv4

exit-address-family

!

logging console warnings

enable secret 5 $1$5abw$/S6M9GiORaLyD8OxWuMoa1

!

no aaa new-model

!

clock timezone PST -7 0

clock summer-time PDT recurring

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

!

ip domain lookup source-interface Loopback0

ip domain name dcloud.cisco.com

ip name-server 198.18.133.1

ip cef

no ipv6 cef

!

flow record type performance-monitor LIVEACTION-FLOWRECORD-AVC

description DO NOT MODIFY. USED BY LIVEACTION.

match application name account-on-resolution

match connection client ipv4 address

match connection server ipv4 address

match connection server transport port

match ipv4 protocol

match routing vrf input

collect application http host

collect application http uri statistics

collect connection client counter bytes long

collect connection client counter bytes network long

collect connection client counter packets long

collect connection client counter packets retransmitted

collect connection delay application sum

collect connection delay network client-to-server sum

collect connection delay network to-client sum

collect connection delay network to-server sum

collect connection delay response client-to-server sum

collect connection delay response to-server histogram late

collect connection delay response to-server sum

collect connection initiator

collect connection new-connections

collect connection server counter bytes long

collect connection server counter bytes network long

collect connection server counter packets long

collect connection server counter responses

collect connection sum-duration

collect connection transaction counter complete

collect connection transaction duration max

collect connection transaction duration min

collect connection transaction duration sum

collect interface input

collect interface output

collect ipv4 destination address

collect ipv4 dscp

collect ipv4 source address

collect ipv4 ttl

!

flow record type performance-monitor LIVEACTION-FLOWRECORD-MEDIANET

description DO NOT MODIFY. USED BY LIVEACTION.

match flow direction

match ipv4 destination address

match ipv4 protocol

match ipv4 source address

match transport destination-port

match transport rtp ssrc

match transport source-port

collect application media bytes counter

collect application media bytes rate

collect application media event

collect application media packets counter

collect application media packets rate

collect application name

collect counter bytes

collect counter bytes rate

collect counter packets

collect interface input

collect interface output

collect ipv4 dscp

collect ipv4 ttl

collect monitor event

collect routing forwarding-status

collect timestamp interval

collect transport event packet-loss counter

collect transport packets expected counter

collect transport packets lost counter

collect transport packets lost rate

collect transport rtp jitter maximum

collect transport rtp jitter mean

collect transport rtp jitter minimum

!

flow record LIVEACTION-FLOWRECORD

description DO NOT MODIFY. USED BY LIVEACTION.

match flow direction

match interface input

match ipv4 destination address

match ipv4 protocol

match ipv4 source address

match ipv4 tos

match transport destination-port

match transport source-port

collect application name

collect counter bytes

collect counter packets

collect flow sampler

collect interface output

collect ipv4 destination mask

collect ipv4 dscp

collect ipv4 id

collect ipv4 source mask

collect ipv4 source prefix

collect routing destination as

collect routing next-hop address ipv4

collect routing source as

collect timestamp sys-uptime first

collect timestamp sys-uptime last

collect transport tcp flags

!

flow exporter LIVEACTION-FLOWEXPORTER-IPFIX

description DO NOT MODIFY. USED BY LIVEACTION.

destination 198.18.133.34

source Loopback0

transport udp 2055

export-protocol ipfix

option interface-table

option vrf-table

option c3pl-class-table

option c3pl-policy-table

option application-table

option application-attributes

!

flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-AVC

description DO NOT MODIFY. USED BY LIVEACTION.

record LIVEACTION-FLOWRECORD-AVC

exporter LIVEACTION-FLOWEXPORTER-IPFIX

cache entries 6500

!

flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-MEDIANET

description DO NOT MODIFY. USED BY LIVEACTION.

record LIVEACTION-FLOWRECORD-MEDIANET

exporter LIVEACTION-FLOWEXPORTER-IPFIX

!

flow monitor LIVEACTION-FLOWMONITOR

description DO NOT MODIFY. USED BY LIVEACTION.

exporter LIVEACTION-FLOWEXPORTER-IPFIX

cache timeout inactive 10

cache timeout active 60

record LIVEACTION-FLOWRECORD

!

multilink bundle-name authenticated

!

domain 10

vrf default

border

source-interface Loopback0

master local

master branch

source-interface Loopback0

hub 10.1.0.10

!

cts logging verbose

!

username admin privilege 15 secret 5 $1$kC78$yLDu4V/p/cr8bdJlwKEGf/

!

redundancy

!

class-map match-any LIVEACTION-CLASS-AVC

match access-group name LIVEACTION-ACL-AVC

class-map match-any STREAMING-VIDEO

match dscp af31 af32

class-map match-any INTERACTIVE-VIDEO

match dscp cs4 af41 af42

class-map match-any CRITICAL-DATA

match dscp af11 af21

match access-group name MARK-CRITICAL

class-map match-any NET-CTRL-MGMT

match dscp cs2 cs6

class-map match-any VOICE

match dscp ef

match access-group name MARK-VOIP

class-map match-any SCAVENGER

match dscp cs1

match access-group name MARK-SCAVENGER

class-map match-any LIVEACTION-CLASS-MEDIANET

match protocol rtp

class-map match-any CALL-SIGNALING

match dscp cs3

!

policy-map LAN-MARKING

class CRITICAL-DATA

set dscp af21

class VOICE

set dscp ef

class SCAVENGER

set dscp cs1

policy-map WAN

class INTERACTIVE-VIDEO

bandwidth remaining percent 30

random-detect dscp-based

set dscp tunnel af41

class STREAMING-VIDEO

bandwidth remaining percent 10

random-detect dscp-based

set dscp tunnel af41

class NET-CTRL-MGMT

bandwidth remaining percent 5

set dscp tunnel cs6

class CALL-SIGNALING

bandwidth remaining percent 4

set dscp tunnel af41

class CRITICAL-DATA

bandwidth remaining percent 25

random-detect dscp-based

set dscp tunnel af21

class SCAVENGER

bandwidth remaining percent 1

set dscp tunnel af11

class VOICE

priority level 1

police cir percent 10

set dscp tunnel ef

class class-default

bandwidth remaining percent 25

random-detect

set dscp tunnel default

policy-map INTERFACE-E0/1

class class-default

shape average 10000000

service-policy WAN

policy-map INTERFACE-E0/0

class class-default

shape average 20000000

service-policy WAN

policy-map type performance-monitor LIVEACTION-POLICY-UNIFIED

class LIVEACTION-CLASS-AVC

flow monitor LIVEACTION-FLOWMONITOR-AVC

class LIVEACTION-CLASS-MEDIANET

flow monitor LIVEACTION-FLOWMONITOR-MEDIANET

!

crypto ikev2 keyring DMVPN-KEYRING-INET

peer ANY

address 0.0.0.0 0.0.0.0

pre-shared-key 123CISCO

!

crypto ikev2 keyring DMVPN-KEYRING-MPLS

peer ANY

address 0.0.0.0 0.0.0.0

pre-shared-key 123CISCO

!

crypto ikev2 profile DMVPN-IKE-PROFILE-INET

match fvrf INET1

match identity remote address 0.0.0.0

authentication remote pre-share

authentication local pre-share

keyring local DMVPN-KEYRING-INET

dpd 40 5 on-demand

!

crypto ikev2 profile DMVPN-IKE-PROFILE-MPLS

match fvrf MPLS1

match identity remote address 0.0.0.0

authentication remote pre-share

authentication local pre-share

keyring local DMVPN-KEYRING-MPLS

dpd 40 5 on-demand

!

crypto isakmp nat keepalive 20

!

crypto ipsec security-association replay window-size 1024

!

crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac

mode transport

!

crypto ipsec profile DMVPN-IPSEC-PROFILE-INET

set transform-set AES256/SHA/TRANSPORT

set ikev2-profile DMVPN-IKE-PROFILE-INET

!

crypto ipsec profile DMVPN-IPSEC-PROFILE-MPLS

set transform-set AES256/SHA/TRANSPORT

set ikev2-profile DMVPN-IKE-PROFILE-MPLS

!

interface Loopback0

ip address 10.4.0.41 255.255.255.255

!

interface Tunnel100

description ** DMVPN Tunnel over MPLS **

bandwidth 1000

ip address 192.168.100.41 255.255.255.0

no ip redirects

ip mtu 1400

ip nbar protocol-discovery

ip flow monitor LIVEACTION-FLOWMONITOR input

ip flow monitor LIVEACTION-FLOWMONITOR output

ip nhrp group RS-GROUP-10MBPS

ip nhrp network-id 100

ip nhrp holdtime 70

ip nhrp nhs 192.168.100.11 nbma 172.16.11.1 multicast

ip nhrp nhs 192.168.100.21 nbma 172.16.21.1 multicast

ip nhrp shortcut

ip tcp adjust-mss 1360

delay 1000

if-state nhrp

tunnel source Ethernet0/1

tunnel mode gre multipoint

tunnel vrf MPLS1

tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-MPLS

service-policy type performance-monitor input LIVEACTION-POLICY-UNIFIED

service-policy type performance-monitor output LIVEACTION-POLICY-UNIFIED

!

interface Tunnel200

description ** DMVPN Tunnel over INET **

bandwidth 1000

ip address 192.168.200.41 255.255.255.0

no ip redirects

ip mtu 1400

ip nbar protocol-discovery

ip flow monitor LIVEACTION-FLOWMONITOR input

ip flow monitor LIVEACTION-FLOWMONITOR output

ip nhrp group RS-GROUP-20MBPS

ip nhrp network-id 200

ip nhrp holdtime 70

ip nhrp nhs 192.168.200.12 nbma 100.64.12.1 multicast

ip nhrp nhs 192.168.200.22 nbma 100.64.22.1 multicast

ip nhrp shortcut

ip tcp adjust-mss 1360

delay 20000

no nhrp route-watch

if-state nhrp

tunnel source Ethernet0/0

tunnel mode gre multipoint

tunnel vrf INET1

tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-INET

service-policy type performance-monitor input LIVEACTION-POLICY-UNIFIED

service-policy type performance-monitor output LIVEACTION-POLICY-UNIFIED

!

interface Ethernet0/0

description INET interface

vrf forwarding INET1

ip address 100.64.41.1 255.255.255.252

load-interval 30

service-policy output INTERFACE-E0/0

!

interface Ethernet0/1

description MPLS interface

vrf forwarding MPLS1

ip address 172.16.41.1 255.255.255.252

load-interval 30

service-policy output INTERFACE-E0/1

!

interface Ethernet0/2

description Site-Lan1

ip address 10.4.4.41 255.255.255.0

load-interval 30

delay 20000

service-policy input LAN-MARKING

!

interface Ethernet0/3

description Site-Lan2

ip address 10.4.100.41 255.255.255.0

load-interval 30

delay 20000

!

interface Ethernet1/0

no ip address

shutdown

!

interface Ethernet1/1

no ip address

shutdown

!

interface Ethernet1/2

no ip address

shutdown

!

interface Ethernet1/3

no ip address

shutdown

!

router eigrp IWAN-EIGRP

!

address-family ipv4 unicast autonomous-system 400

!

af-interface Tunnel100

stub-site wan-interface

exit-af-interface

!

af-interface Tunnel200

stub-site wan-interface

exit-af-interface

!

topology base

exit-af-topology

network 10.4.0.0 0.0.255.255

network 192.168.100.0

network 192.168.200.0

eigrp router-id 10.4.0.41

eigrp stub-site 1:1

exit-address-family

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

ip route vrf INET1 0.0.0.0 0.0.0.0 100.64.41.2

ip route vrf MPLS1 0.0.0.0 0.0.0.0 172.16.41.2

!

ip access-list extended LIVEACTION-ACL-AVC

permit tcp any any

ip access-list extended MARK-CRITICAL

permit ip host 10.5.1.11 host 198.18.133.110

permit ip host 10.5.1.12 host 198.18.133.110

permit ip host 10.4.4.21 host 198.18.133.110

permit ip host 10.4.4.22 host 198.18.133.110

ip access-list extended MARK-SCAVENGER

permit tcp any eq ftp any

permit tcp any eq ftp-data any

permit tcp any any eq ftp

permit tcp any any eq ftp-data

ip access-list extended MARK-VOIP

permit ip host 10.5.1.11 host 198.18.133.36

permit ip host 10.4.4.21 host 198.18.133.36

!

no service-routing capabilities-manager

!

snmp-server community cisco123 RW 55

!

control-plane

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

line vty 0 4

exec-timeout 0 0

logging synchronous

login local

transport input telnet ssh

!

ntp source Loopback0

ntp server 198.18.128.1

!

end

Router R51-Spoke-Site5

version 15.5

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R51-Spoke-Site5

!

boot-start-marker

boot-end-marker

!

vrf definition MPLS1

!

address-family ipv4

exit-address-family

!

enable secret 5 $1$FZOc$GXnu3u7SMjx7Ux09upMm50

!

no aaa new-model

!

clock timezone PST -7 0

clock summer-time PDT recurring

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

!

no ip domain lookup

ip domain name dcloud.cisco.com

ip multicast-routing

ip cef

no ipv6 cef

!

flow record type performance-monitor LIVEACTION-FLOWRECORD-AVC

description DO NOT MODIFY. USED BY LIVEACTION.

match application name account-on-resolution

match connection client ipv4 address

match connection server ipv4 address

match connection server transport port

match ipv4 protocol

match routing vrf input

collect application http host

collect application http uri statistics

collect connection client counter bytes long

collect connection client counter bytes network long

collect connection client counter packets long

collect connection client counter packets retransmitted

collect connection delay application sum

collect connection delay network client-to-server sum

collect connection delay network to-client sum

collect connection delay network to-server sum

collect connection delay response client-to-server sum

collect connection delay response to-server histogram late

collect connection delay response to-server sum

collect connection initiator

collect connection new-connections

collect connection server counter bytes long

collect connection server counter bytes network long

collect connection server counter packets long

collect connection server counter responses

collect connection sum-duration

collect connection transaction counter complete

collect connection transaction duration max

collect connection transaction duration min

collect connection transaction duration sum

collect interface input

collect interface output

collect ipv4 destination address

collect ipv4 dscp

collect ipv4 source address

collect ipv4 ttl

!

flow record type performance-monitor LIVEACTION-FLOWRECORD-MEDIANET

description DO NOT MODIFY. USED BY LIVEACTION.

match flow direction

match ipv4 destination address

match ipv4 protocol

match ipv4 source address

match transport destination-port

match transport rtp ssrc

match transport source-port

collect application media bytes counter

collect application media bytes rate

collect application media event

collect application media packets counter

collect application media packets rate

collect application name

collect counter bytes

collect counter bytes rate

collect counter packets

collect interface input

collect interface output

collect ipv4 dscp

collect ipv4 ttl

collect monitor event

collect routing forwarding-status

collect timestamp interval

collect transport event packet-loss counter

collect transport packets expected counter

collect transport packets lost counter

collect transport packets lost rate

collect transport rtp jitter maximum

collect transport rtp jitter mean

collect transport rtp jitter minimum

!

flow record LIVEACTION-FLOWRECORD

description DO NOT MODIFY. USED BY LIVEACTION.

match flow direction

match interface input

match ipv4 destination address

match ipv4 protocol

match ipv4 source address

match ipv4 tos

match transport destination-port

match transport source-port

collect application name

collect counter bytes

collect counter packets

collect flow sampler

collect interface output

collect ipv4 destination mask

collect ipv4 dscp

collect ipv4 id

collect ipv4 source mask

collect ipv4 source prefix

collect routing destination as

collect routing next-hop address ipv4

collect routing source as

collect timestamp sys-uptime first

collect timestamp sys-uptime last

collect transport tcp flags

!

flow exporter LIVEACTION-FLOWEXPORTER-IPFIX

description DO NOT MODIFY. USED BY LIVEACTION.

destination 198.18.133.34

source Loopback0

transport udp 2055

export-protocol ipfix

option interface-table

option vrf-table

option c3pl-class-table

option c3pl-policy-table

option application-table

option application-attributes

!

flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-AVC

description DO NOT MODIFY. USED BY LIVEACTION.

record LIVEACTION-FLOWRECORD-AVC

exporter LIVEACTION-FLOWEXPORTER-IPFIX

cache entries 6500

!

flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-MEDIANET

description DO NOT MODIFY. USED BY LIVEACTION.

record LIVEACTION-FLOWRECORD-MEDIANET

exporter LIVEACTION-FLOWEXPORTER-IPFIX

!

flow monitor LIVEACTION-FLOWMONITOR

description DO NOT MODIFY. USED BY LIVEACTION.

exporter LIVEACTION-FLOWEXPORTER-IPFIX

cache timeout inactive 10

cache timeout active 60

record LIVEACTION-FLOWRECORD

!

multilink bundle-name authenticated

!

domain 10

vrf default

border

source-interface Loopback0

master local

master branch

source-interface Loopback0

hub 10.1.0.10

!

cts logging verbose

!

username admin privilege 15 secret 5 $1$cMkR$gFVL9xA2TsO6T1ojq6XgA1

!

redundancy

!

class-map match-any LIVEACTION-CLASS-AVC

match access-group name LIVEACTION-ACL-AVC

class-map match-any STREAMING-VIDEO

match dscp af31 af32

class-map match-any INTERACTIVE-VIDEO

match dscp cs4 af41 af42

class-map match-any CRITICAL-DATA

match dscp af11 af21

match access-group name MARK-CRITICAL

class-map match-any NET-CTRL-MGMT

match dscp cs2 cs6

class-map match-any VOICE

match dscp ef

match access-group name MARK-VOIP

class-map match-any SCAVENGER

match dscp cs1

match access-group name MARK-SCAVENGER

class-map match-any LIVEACTION-CLASS-MEDIANET

match protocol rtp

class-map match-any CALL-SIGNALING

match dscp cs3

!

policy-map LAN-MARKING

class CRITICAL-DATA

set dscp af21

class VOICE

set dscp ef

class SCAVENGER

set dscp cs1

policy-map WAN

class INTERACTIVE-VIDEO

bandwidth remaining percent 30

random-detect dscp-based

set dscp tunnel af41

class STREAMING-VIDEO

bandwidth remaining percent 10

random-detect dscp-based

set dscp tunnel af41

class NET-CTRL-MGMT

bandwidth remaining percent 5

set dscp tunnel cs6

class CALL-SIGNALING

bandwidth remaining percent 4

set dscp tunnel af41

class CRITICAL-DATA

bandwidth remaining percent 25

random-detect dscp-based

set dscp tunnel af21

class SCAVENGER

bandwidth remaining percent 1

set dscp tunnel af11

class VOICE

priority level 1

police cir percent 10

set dscp tunnel ef

class class-default

bandwidth remaining percent 25

random-detect

set dscp tunnel default

policy-map INTERFACE-E0/0

class class-default

shape average 10000000

service-policy WAN

policy-map type performance-monitor LIVEACTION-POLICY-UNIFIED

class LIVEACTION-CLASS-AVC

flow monitor LIVEACTION-FLOWMONITOR-AVC

class LIVEACTION-CLASS-MEDIANET

flow monitor LIVEACTION-FLOWMONITOR-MEDIANET

!

crypto ikev2 keyring DMVPN-KEYRING-MPLS

peer ANY

address 0.0.0.0 0.0.0.0

pre-shared-key 123CISCO

!

crypto ikev2 profile DMVPN-IKE-PROFILE-MPLS

match fvrf MPLS1

match identity remote address 0.0.0.0

authentication remote pre-share

authentication local pre-share

keyring local DMVPN-KEYRING-MPLS

dpd 40 5 on-demand

!

crypto isakmp nat keepalive 20

!

crypto ipsec security-association replay window-size 1024

!

crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac

mode transport

!

crypto ipsec profile DMVPN-IPSEC-PROFILE-MPLS

set transform-set AES256/SHA/TRANSPORT

set ikev2-profile DMVPN-IKE-PROFILE-MPLS

!

interface Loopback0

ip address 10.5.0.51 255.255.255.255

!

interface Tunnel100

description DMVPN Tunnel over MPLS

bandwidth 1000

ip address 192.168.100.51 255.255.255.0

no ip redirects

ip mtu 1400

ip nbar protocol-discovery

ip flow monitor LIVEACTION-FLOWMONITOR input

ip flow monitor LIVEACTION-FLOWMONITOR output

ip nhrp group RS-GROUP-10MBPS

ip nhrp network-id 100

ip nhrp holdtime 70

ip nhrp nhs 192.168.100.11 nbma 172.16.11.1 multicast

ip nhrp nhs 192.168.100.21 nbma 172.16.21.1 multicast

ip nhrp shortcut

ip tcp adjust-mss 1360

delay 1000

if-state nhrp

tunnel source Ethernet0/0

tunnel mode gre multipoint

tunnel vrf MPLS1

tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-MPLS

service-policy type performance-monitor input LIVEACTION-POLICY-UNIFIED

service-policy type performance-monitor output LIVEACTION-POLICY-UNIFIED

!

interface Ethernet0/0

description MPLS interface

vrf forwarding MPLS1

ip address 172.16.51.1 255.255.255.252

load-interval 30

service-policy output INTERFACE-E0/0

!

interface Ethernet0/1

description Site-Lan

ip address 10.5.1.51 255.255.255.0

standby version 2

standby 10 ip 10.5.1.254

standby 10 timers 1 3

standby 10 priority 110

standby 10 preempt

standby 10 authentication CISCO

standby 10 track 50 decrement 30

load-interval 30

delay 20000

service-policy input LAN-MARKING

!

interface Ethernet0/2

description Site-Crosslink

ip address 10.5.12.51 255.255.255.0

load-interval 30

delay 20000

!

interface Ethernet0/3

no ip address

shutdown

!

router eigrp IWAN-EIGRP

!

address-family ipv4 unicast autonomous-system 400

!

af-interface Tunnel100

stub-site wan-interface

exit-af-interface

!

topology base

exit-af-topology

network 10.5.0.0 0.0.255.255

network 192.168.100.0

eigrp router-id 10.5.0.51

eigrp stub-site 1:1

exit-address-family

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

ip route vrf MPLS1 0.0.0.0 0.0.0.0 172.16.51.2

!

ip access-list extended LIVEACTION-ACL-AVC

permit tcp any any

ip access-list extended MARK-CRITICAL

permit ip host 10.5.1.11 host 198.18.133.110

permit ip host 10.5.1.12 host 198.18.133.110

permit ip host 10.4.4.21 host 198.18.133.110

permit ip host 10.4.4.22 host 198.18.133.110

ip access-list extended MARK-SCAVENGER

permit tcp any eq ftp any

permit tcp any eq ftp-data any

permit tcp any any eq ftp

permit tcp any any eq ftp-data

ip access-list extended MARK-VOIP

permit ip host 10.5.1.11 host 198.18.133.36

permit ip host 10.4.4.21 host 198.18.133.36

!

no service-routing capabilities-manager

!

snmp-server community cisco123 RW 55

!

control-plane

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

line vty 0 4

exec-timeout 0 0

logging synchronous

login local

transport input telnet ssh

!

ntp source Loopback0

ntp server 198.18.128.1

!

end

Router R52-Spoke-Site5

version 15.5

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R52-Spoke-Site5

!

boot-start-marker

boot-end-marker

!

vrf definition INET1

!

address-family ipv4

exit-address-family

!

enable secret 5 $1$K1Ia$8p/dLDKRG1lz8pxZ/ry2u.

!

no aaa new-model

!

clock timezone PST -7 0

clock summer-time PDT recurring

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

!

ip domain lookup source-interface Loopback0

ip domain name dcloud.cisco.com

ip name-server 198.18.133.1

ip cef

no ipv6 cef

!

flow record type performance-monitor LIVEACTION-FLOWRECORD-AVC

description DO NOT MODIFY. USED BY LIVEACTION.

match application name account-on-resolution

match connection client ipv4 address

match connection server ipv4 address

match connection server transport port

match ipv4 protocol

match routing vrf input

collect application http host

collect application http uri statistics

collect connection client counter bytes long

collect connection client counter bytes network long

collect connection client counter packets long

collect connection client counter packets retransmitted

collect connection delay application sum

collect connection delay network client-to-server sum

collect connection delay network to-client sum

collect connection delay network to-server sum

collect connection delay response client-to-server sum

collect connection delay response to-server histogram late

collect connection delay response to-server sum

collect connection initiator

collect connection new-connections

collect connection server counter bytes long

collect connection server counter bytes network long

collect connection server counter packets long

collect connection server counter responses

collect connection sum-duration

collect connection transaction counter complete

collect connection transaction duration max

collect connection transaction duration min

collect connection transaction duration sum

collect interface input

collect interface output

collect ipv4 destination address

collect ipv4 dscp

collect ipv4 source address

collect ipv4 ttl

!

flow record type performance-monitor LIVEACTION-FLOWRECORD-MEDIANET

description DO NOT MODIFY. USED BY LIVEACTION.

match flow direction

match ipv4 destination address

match ipv4 protocol

match ipv4 source address

match transport destination-port

match transport rtp ssrc

match transport source-port

collect application media bytes counter

collect application media bytes rate

collect application media event

collect application media packets counter

collect application media packets rate

collect application name

collect counter bytes

collect counter bytes rate

collect counter packets

collect interface input

collect interface output

collect ipv4 dscp

collect ipv4 ttl

collect monitor event

collect routing forwarding-status

collect timestamp interval

collect transport event packet-loss counter

collect transport packets expected counter

collect transport packets lost counter

collect transport packets lost rate

collect transport rtp jitter maximum

collect transport rtp jitter mean

collect transport rtp jitter minimum

!

flow record LIVEACTION-FLOWRECORD

description DO NOT MODIFY. USED BY LIVEACTION.

match flow direction

match interface input

match ipv4 destination address

match ipv4 protocol

match ipv4 source address

match ipv4 tos

match transport destination-port

match transport source-port

collect application name

collect counter bytes

collect counter packets

collect flow sampler

collect interface output

collect ipv4 destination mask

collect ipv4 dscp

collect ipv4 id

collect ipv4 source mask

collect ipv4 source prefix

collect routing destination as

collect routing next-hop address ipv4

collect routing source as

collect timestamp sys-uptime first

collect timestamp sys-uptime last

collect transport tcp flags

!

flow exporter LIVEACTION-FLOWEXPORTER-IPFIX

description DO NOT MODIFY. USED BY LIVEACTION.

destination 198.18.133.34

source Loopback0

transport udp 2055

export-protocol ipfix

option interface-table

option vrf-table

option c3pl-class-table

option c3pl-policy-table

option application-table

option application-attributes

!

flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-AVC

description DO NOT MODIFY. USED BY LIVEACTION.

record LIVEACTION-FLOWRECORD-AVC

exporter LIVEACTION-FLOWEXPORTER-IPFIX

cache entries 6500

!

flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-MEDIANET

description DO NOT MODIFY. USED BY LIVEACTION.

record LIVEACTION-FLOWRECORD-MEDIANET

exporter LIVEACTION-FLOWEXPORTER-IPFIX

!

flow monitor LIVEACTION-FLOWMONITOR

description DO NOT MODIFY. USED BY LIVEACTION.

exporter LIVEACTION-FLOWEXPORTER-IPFIX

cache timeout inactive 10

cache timeout active 60

record LIVEACTION-FLOWRECORD

!

multilink bundle-name authenticated

!

domain 10

vrf default

border

source-interface Loopback0

master 10.5.0.51

!

cts logging verbose

!

username admin privilege 15 secret 5 $1$SYOv$ckr5tYA./LrlgGa4shf7x1

!

redundancy

!

class-map match-any LIVEACTION-CLASS-AVC

match access-group name LIVEACTION-ACL-AVC

class-map match-any STREAMING-VIDEO

match dscp af31 af32

class-map match-any INTERACTIVE-VIDEO

match dscp cs4 af41 af42

class-map match-any CRITICAL-DATA

match dscp af11 af21

match access-group name MARK-CRITICAL

class-map match-any NET-CTRL-MGMT

match dscp cs2 cs6

class-map match-any VOICE

match dscp ef

match access-group name MARK-VOIP

class-map match-any SCAVENGER

match dscp cs1

match access-group name MARK-SCAVENGER

class-map match-any LIVEACTION-CLASS-MEDIANET

match protocol rtp

class-map match-any CALL-SIGNALING

match dscp cs3

!

policy-map LAN-MARKING

class CRITICAL-DATA

set dscp af21

class VOICE

set dscp ef

class SCAVENGER

set dscp cs1

policy-map WAN

class INTERACTIVE-VIDEO

bandwidth remaining percent 30

random-detect dscp-based

set dscp tunnel af41

class STREAMING-VIDEO

bandwidth remaining percent 10

random-detect dscp-based

set dscp tunnel af41

class NET-CTRL-MGMT

bandwidth remaining percent 5

set dscp tunnel cs6

class CALL-SIGNALING

bandwidth remaining percent 4

set dscp tunnel af41

class CRITICAL-DATA

bandwidth remaining percent 25

random-detect dscp-based

set dscp tunnel af21

class SCAVENGER

bandwidth remaining percent 1

set dscp tunnel af11

class VOICE

priority level 1

police cir percent 10

set dscp tunnel ef

class class-default

bandwidth remaining percent 25

random-detect

set dscp tunnel default

policy-map INTERFACE-E0/0

class class-default

shape average 10000000

service-policy WAN

policy-map type performance-monitor LIVEACTION-POLICY-UNIFIED

class LIVEACTION-CLASS-AVC

flow monitor LIVEACTION-FLOWMONITOR-AVC

class LIVEACTION-CLASS-MEDIANET

flow monitor LIVEACTION-FLOWMONITOR-MEDIANET

!

crypto ikev2 keyring DMVPN-KEYRING-INET

peer ANY

address 0.0.0.0 0.0.0.0

pre-shared-key 123CISCO

!

crypto ikev2 profile DMVPN-IKE-PROFILE-INET

match fvrf INET1

match identity remote address 0.0.0.0

authentication remote pre-share

authentication local pre-share

keyring local DMVPN-KEYRING-INET

dpd 40 5 on-demand

!

crypto ipsec security-association replay window-size 1024

!

crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac

mode transport

!

crypto ipsec profile DMVPN-IPSEC-PROFILE-INET

set transform-set AES256/SHA/TRANSPORT

set ikev2-profile DMVPN-IKE-PROFILE-INET

!

interface Loopback0

ip address 10.5.0.52 255.255.255.255

!

interface Tunnel100

no ip address

delay 1000

!

interface Tunnel200

description ** DMVPN Tunnel over INET **

bandwidth 1000

ip address 192.168.200.52 255.255.255.0

no ip redirects

ip mtu 1400

ip nbar protocol-discovery

ip flow monitor LIVEACTION-FLOWMONITOR input

ip flow monitor LIVEACTION-FLOWMONITOR output

ip nhrp group RS-GROUP-20MBPS

ip nhrp network-id 200

ip nhrp holdtime 70

ip nhrp nhs 192.168.200.12 nbma 100.64.12.1 multicast

ip nhrp nhs 192.168.200.22 nbma 100.64.22.1 multicast

ip nhrp shortcut

ip tcp adjust-mss 1360

if-state nhrp

tunnel source Ethernet0/0

tunnel mode gre multipoint

tunnel vrf INET1

tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-INET

service-policy type performance-monitor input LIVEACTION-POLICY-UNIFIED

service-policy type performance-monitor output LIVEACTION-POLICY-UNIFIED

!

interface Ethernet0/0

description INET interface

vrf forwarding INET1

ip address 100.64.52.1 255.255.255.252

load-interval 30

service-policy output INTERFACE-E0/0

!

interface Ethernet0/1

description Site-Lan

ip address 10.5.1.52 255.255.255.0

standby version 2

standby 10 ip 10.5.1.254

standby 10 timers 1 3

standby 10 priority 90

standby 10 preempt

standby 10 authentication CISCO

load-interval 30

delay 20000

service-policy input LAN-MARKING

!

interface Ethernet0/2

description Site-Crosslink

ip address 10.5.12.52 255.255.255.0

load-interval 30

delay 20000

!

interface Ethernet0/3

no ip address

shutdown

!

router eigrp IWAN-EIGRP

!

address-family ipv4 unicast autonomous-system 400

!

af-interface Tunnel200

stub-site wan-interface

exit-af-interface

!

topology base

exit-af-topology

network 10.5.0.0 0.0.255.255

network 192.168.200.0

eigrp router-id 10.5.0.52

eigrp stub-site 1:1

exit-address-family

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

ip route vrf INET1 0.0.0.0 0.0.0.0 100.64.52.2

!

ip access-list extended LIVEACTION-ACL-AVC

permit tcp any any

ip access-list extended MARK-CRITICAL

permit ip host 10.5.1.11 host 198.18.133.110

permit ip host 10.5.1.12 host 198.18.133.110

permit ip host 10.4.4.21 host 198.18.133.110

permit ip host 10.4.4.22 host 198.18.133.110

ip access-list extended MARK-SCAVENGER

permit tcp any eq ftp any

permit tcp any eq ftp-data any

permit tcp any any eq ftp

permit tcp any any eq ftp-data

ip access-list extended MARK-VOIP

permit ip host 10.5.1.11 host 198.18.133.36

permit ip host 10.4.4.21 host 198.18.133.36

!

no service-routing capabilities-manager

!

snmp-server community cisco123 RW 55

!

control-plane

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

line vty 0 4

exec-timeout 0 0

logging synchronous

login local

transport input telnet ssh

!

ntp source Loopback0

ntp server 198.18.128.1

!

end

End Of Lab
