The Ultimate IWAN Dual Data Center Lab
feat. QoS and PfR
Lab Guide
Version 1.6
Developed by: Cisco’s Solutions Readiness Engineering Team
“With Great Knowledge Comes Great Deployments”
February 6, 2017
IWAN Dual Data Center Lab – Feat. PfR & QoS
Table of Contents
Disclaimer
Lab Overview
Lab Goal
Lab Topology
Prerequisite Knowledge
Introduction
Exercise 0: Accessing the Lab Environment
Exercise 1: Lab Walkthrough
Exercise 2: Modify Traffic Flows in EIGRP
Exercise 3: Deploying Quality of Service (QoS)
Exercise 4: Configuring and Verifying PfR
Exercise 5: PfR Verification
Exercise 6: Verifying PfR Traffic Policies
Exercise 7: Simulating WAN Delay using WANem
Exercise 8: Configure and Verify flows using LiveAction
End of Lab Exercises
Optional Challenge Lab: Configure and Verify Branch/Spoke Site 3
Appendix: Router Configurations
    ROUTER R10-MC-DC1
    ROUTER R11-HUB-DC1
    ROUTER R12-HUB-DC1
    ROUTER R20-HUB-DC1
    ROUTER R21-HUB-DC2
    ROUTER R22-HUB-DC2
    ROUTER R41-SPOKE-SITE4
    ROUTER R51-SPOKE-SITE5
    ROUTER R52-SPOKE-SITE5
End Of Lab
Cisco Systems Inc. Solutions Readiness Engineering Page | 2
Disclaimer
This Guide is intended to demonstrate one way to configure the network to meet the specified
requirements of this example. There are various ways that this can be accomplished, depending on the
situation and the customer’s goals/requirements. Please ensure that you consult all current official Cisco
documentation before proceeding with a design or installation. This lab is primarily intended to be a
learning tool, and may not necessarily follow best practice recommendations at all times, in order to
convey specific information. This is not intended to be a deployment guide. It is intended for learning
purposes only.
Lab Overview
This lab guide uses a custom version of the dCloud IWAN 4D Deploying for Impact Dual DC Sandbox. All procedures conducted in this lab guide will be performed in this custom dCloud lab environment.
Required Resources
The following resources and equipment are required for completing the activities in this lab guide:
PC or laptop with a web browser (Internet Explorer or Firefox), and Cisco AnyConnect installed
Access to the Internet
Access to dcloud.cisco.com and the IWAN Dual DC PfR and QoS Lab v1
Lab Goal
There are many different technologies within the scope of what is called the IWAN solution. This lab looks
to take a deep dive into the configuration of Traffic Shaping, Quality of Service (QoS), and Performance
Routing (PfR) within the boundaries of a fully functional Dual Data Center IWAN Lab environment. With
that in mind, this lab environment has already been configured with the following:
Two Data Centers (DC1 & DC2) acting in a dual data center configuration
Two branch locations (BR Site 4 & BR Site 5 or called BR4 & BR5)
The DC1, DC2, BR4, & BR5 are configured with Front Door VRFs (fVRF), and Dynamic Multipoint
Virtual Private Networks (DMVPN) Phase 3
DC1 and DC2 are connected to BR4 and BR5 through the DMVPN Phase 3 tunnels over the
Internet (INET) and Multi-Protocol Label Switching (MPLS) clouds
IPSec is configured on the DMVPN tunnels
EIGRP is running through the tunnels and includes route summarization, and filtering
Branch 3 has purposefully been left un-configured as a challenge lab, if time permits.
In this lab you will practice how to prepare for deploying Quality of Service (QoS), Traffic Engineering,
and Performance Routing (PfR) in a Dual Data Center IWAN lab environment.
Lab Topology
This lab is based on a custom version of the dCloud IWAN 4D Deploying for Impact – Dual DC Sandbox Lab
v1. This is a fully functional Intelligent WAN (IWAN) v2.x lab that includes real and synthetic end user
traffic.
Prerequisite Knowledge
A solid understanding of networking, including routing and switching is assumed. Some
background with Cisco IOS, IOS XE and the IWAN solution is helpful, but not required.
Introduction
Cisco Intelligent WAN (IWAN) enables organizations to deliver an uncompromised experience over any connection. With Cisco IWAN, IT organizations can provide more bandwidth to their branch office connections by using less expensive WAN transport options without affecting performance, security, or reliability. With the IWAN solution, traffic is dynamically routed based on application service-level agreement (SLA), endpoint type, and network conditions in order to deliver the best quality experience. The realized savings from IWAN not only pay for the infrastructure upgrades, but also free resources for business innovation.
There are two primary IWAN design models: Hybrid and Dual Internet. This lab implements the IWAN Hybrid design model, which uses Multiprotocol Label Switching (MPLS) paired with Internet Virtual Private Network (VPN) as Wide Area Network (WAN) transports. In this design model, the MPLS WAN can provide more bandwidth for the critical classes of services needed for key applications and can provide SLA guarantees for these applications.
The IWAN solution incorporates numerous Cisco IOS and IOS XE features and is built on what is called “the four pillars of IWAN”. These four pillars are Transport Independence, Intelligent Path Control, Secure Connectivity, and Application Optimization.
The features implemented in this lab are Traffic Shaping, Quality Of Service (QoS) and Performance Routing (PfR), which are part of the 2nd pillar Intelligent Path Control.
Intelligent Path Control
Cisco PfR improves application delivery and WAN efficiency. PfR dynamically controls data packet forwarding decisions by looking at application type, performance, policies, and path status. PfR monitors the network performance—jitter, packet loss, and delay—and makes decisions to forward critical applications over the best-performing path based on the application policy. Cisco PfR can intelligently load balance traffic to efficiently use all available WAN bandwidth. IWAN intelligent path control is the key to providing a business-class WAN over Internet transport.
Quality of Service
Most users perceive the network as just a transport utility mechanism to shift data from point A to point B as fast as it can. Many sum this up as just “speeds and feeds.” While it is true that IP networks forward traffic on a best-effort basis by default, this type of routing only works well for applications that adapt gracefully to variations in latency, jitter, and loss. However, networks are multiservice by design and support real-time voice and video as well as data traffic. The difference is that real-time applications require packets to be delivered within the specified delay, jitter, and loss parameters.
For additional information about Cisco Intelligent WAN, visit:
IWAN main web page - www.cisco.com/go/iwan
IWAN 2.1 PfRv3 web page - http://bit.ly/iwan21pfrv3
IWAN Cisco Validated Design (CVD) October 2016 - http://bit.ly/iwancvdoct2016
Exercise 0: Accessing the Lab Environment
In this exercise you will become familiar with how to access and maneuver in the dCloud lab environment.
The lab hardware for this lab is sponsored by Cisco’s dCloud offering, and this lab session requires a VPN connection between your computer and the dCloud data center that is hosting this session. Your lab proctor will provide you with all the information needed to access your lab session.
There are three options for connecting your laptop to an active dCloud session using Cisco AnyConnect VPN Client.
Using Cisco AnyConnect Client Already Installed On Your Computer
Downloading and Installing Cisco AnyConnect Client From Cisco.com
Using the dCloud Browser Based Cisco AnyConnect Client
This lab guide assumes you already have the Cisco AnyConnect installed on your computer, and will walk you through the first option to connect to the lab. If you do not have Cisco AnyConnect installed or need to use the Browser option you can find those instructions at this address http://bit.ly/connect2dcloud.
Connecting to the dCloud Lab Session
To use the Cisco AnyConnect client already installed on your laptop:
NOTE: If you are logged into another network via Cisco AnyConnect, please log off before
starting this procedure.
Step 1. Start Cisco AnyConnect on your computer.
Step 2. In Cisco AnyConnect, paste the HOST URL into the connection field, and click Connect
(Host URL provided by lab proctor).
NOTE: This URL may be different than the one shown in this illustration, depending
on which dCloud facility is hosting the lab session.
Step 3. Paste the User name into the Username field (User name provided by lab proctor).
Step 4. Paste the saved Password into the Password field, and click OK (password provided by
lab proctor).
Step 5. Click Accept, to finish connecting to the dCloud Lab.
RDPing to PC1 Using Local RDP Client on Windows
In this lab environment you will use Remote Desktop Protocol (RDP) to a Virtual Machine (VM) called
PC01. You will use PC01 as an access point to control all devices in the lab.
If you are using an Apple Mac, please follow this link to get instructions on how to connect via a Mac:
http://bit.ly/dcloudrdpmac
NOTE: Due to the differences in Windows operating systems, your steps may differ slightly.
Step 6. On your computer, launch Remote Desktop Connection.
Step 7. Click Show Options.
Step 8. On the General tab, enter 198.18.133.36 in the computer field, and Administrator, in
the user name field.
Step 9. Click the Local Resources tab.
Step 10. In the Remote Audio section, click Settings.
Step 11. In the Remote Audio Playback section, select Play on remote Computer.
Step 12. Click OK.
NOTE: Optionally, on the General tab, click Save As and enter a name to save the
connection information. This is useful if you will be using this profile in future
dCloud sessions.
Step 13. Click Connect
Step 14. If you receive a security warning, click Yes or Connect to continue.
Step 15. You will be prompted for a password. In most cases you will already see your personal
company and login information. Click Use Another Account, to switch users and
domains.
Step 16. Enter Administrator, in the username field if it is not already filled in.
Step 17. Enter the Password C1sco12345.
Step 18. Click OK, to login.
Step 19. Once you are RDPed into PC01 the following screen should open.
Exercise 1: Lab Walkthrough
In this section you will be guided through the network devices and their configurations at the beginning of the lab.
Lab Topology
[Figure: lab topology diagram showing Data Center 1 (DC1), Data Center 2 (DC2), Branch Site 4 (BR4), Branch Site 5 (BR5), and Branch Site 3 (BR3, optional lab)]
Lab Start Status
As a reminder, the lab is pre-configured as follows.
The DC1, DC2, BR4, and BR5 are configured with Front Door VRFs (fVRF).
The DC1, DC2, BR4, and BR5 are configured with DMVPN Phase 3 tunnels over the INET and MPLS Clouds.
The DC1, DC2, BR4, and BR5 are configured with IPSEC over the DMVPN tunnels.
EIGRP is running through the Tunnels and includes route summarization and filtering.
Navigating the Lab
In this activity, you will become familiar with the lab components. After completing this activity you will
have a good understanding of how the routers are configured at the beginning of this lab.
Activity Objective:
In this activity, you will practice connecting to the devices in the lab. After completing this activity, you
should be able to access all the router and switch devices in the lab via MTPuTTY.
Connecting to devices in the lab
Step 1. Click the MTPuTTY icon on the desktop of PC01.
Step 2. If necessary, expand the PuTTY sessions folder under the Servers pane on the left hand
side of MTPuTTY. Double click R11-Hub-DC1 (10.1.1.11) from the PuTTY sessions list.
Step 3. Login to R11 with the username admin, and password of C1sco12345. If the R11 screen
is blank, press <Enter> to get the login screen to appear.
Notice how a tab was opened on the right hand side of MTPuTTY. With MTPuTTY,
you can open multiple sessions at one time and click back and forth between the
sessions.
Step 4. Double click R41-Spoke-Site4 (198.18.129.22), under PuTTY sessions on the navigation
pane on the left hand side of the screen.
Step 5. Login to R41-Spoke-Site4 with the username admin, and password C1sco1234 (admin
might already be logged in).
Notice that a second tab opened in the content pane of MTPuTTY.
Step 6. Double click R51-Spoke-Site5 (198.18.129.22), in the navigation pane on the left hand
side.
Step 7. Login to R51-Spoke-Site5 with the username admin, and password of C1sco1234 (admin
might already be logged in).
NOTE: You can click and drag the tabs to reorder them.
Verifying Router Configurations
Remember that this lab features PfR and QoS, so the Transport Independence pillar of IWAN has already been
configured for you, as follows:
The DC1, DC2, BR4, & BR5 are configured with Front Door VRFs (fVRF), and Dynamic Multipoint
Virtual Private Networks (DMVPN) Phase 3
DC1 and DC2 are connected to BR4 and BR5 through the DMVPN tunnels over the Internet (INET)
and Multi-Protocol Label Switching (MPLS) clouds
IPSec is configured on the DMVPN tunnels
EIGRP is running through the tunnels and includes route summarization, and filtering
Branch 3 has purposefully been left un-configured as a challenge lab, if time permits.
Activity Objective:
In this section, you will become familiar with the lab topology and how it is configured. You will also
confirm that DMVPN Phase 3, IPsec, EIGRP, and fVRF are functioning as expected.
Step 8. Use the following table to verify Transport Independence is enabled. Take note of your
results by filling in the chart. When testing connectivity initiate tests from Hub to
Branch, and Branch to Hub, as well as branch to branch.
NOTE: You might have to open sessions to routers you did not open in the previous
session, by double clicking the name in the left hand side PuTTY sessions
list in MTPuTTY.
These commands will be explained in more detail later in the lab.
Check                     Command
DMVPN MPLS Tunnel 100     show dmvpn detail
DMVPN INET Tunnel 200     show dmvpn detail
EIGRP Routing             show ip route
VRF Routes Tunnel 100     show ip route vrf MPLS1
VRF Routes Tunnel 200     show ip route vrf INET1
Connectivity              ping
Rows (one per router, to fill in): R11-Hub-DC1, R12-Hub-DC1, R21-Hub-DC2, R22-Hub-DC2, R41-Spoke-Site4, R51-Spoke-Site5, R52-Spoke-Site5
Step 9. With MTPuTTY, navigate to the R11-Hub-DC1 tab, and login as admin with the password
of C1sco12345 again if necessary.
Step 10. Initiate the show dmvpn detail command, and evaluate the output.
Notice the following:
VRF = MPLS1 which is on tunnel 100
Protocol = Multi-GRE with IPsec
Peer NBMA addr = 172.16.41.1 which is the physical interface e0/1 on R11
Peer Tunnel addr = 192.168.100.41 which is the tunnel 100 logical interface on R11.
Press the space bar to see more of the show dmvpn detail output, including the crypto session
details. Notice the crypto session for tunnel 100 is UP-ACTIVE, and there is inbound and
outbound traffic.
Step 11. Initiate the show dmvpn detail command on routers R12, R21, R22, R41, R51, R52, and
compare the difference between the outputs.
NOTE: Use username admin and password C1sco12345 on all routers.
Step 12. Initiate the show ip route command on router R11.
Compare the routes in the table to the topology diagram in Exercise 1 above to make
sure all the routes are in the table. Notice the outbound interface of Tunnel100 on
the 192.168.100.0 network.
Step 13. Initiate the show ip route command on routers R12, R21, R22, R41, R51, R52, and
compare the difference between the outputs.
Step 14. Initiate the show ip route vrf MPLS1 command on router R11, and evaluate the output.
Compare the routes in the table to the topology diagram, to make sure all the routes
are in the table. Notice the IP addresses are the physical interface addresses and not
the tunnel interfaces.
Step 15. Initiate the show ip route vrf MPLS1 command on routers R21, R41, R51, and compare
the difference between the outputs.
Step 16. Initiate the show ip route vrf INET1 command on routers R22, R41, R52, and compare
the difference between the outputs.
Why is R41 included in both of the previous commands?
Hint: Look at the topology diagram.
Step 17. Initiate the ping 10.4.4.41 command on router R11.
Repeat the command to ping 10.5.12.51
Repeat the command to ping 10.5.12.52
Repeat the command to ping 10.1.0.10
Step 18. Continue to use the ping command to various different addresses around the network.
Make sure you ping from branch to branch (for ex. From R41 ping 10.5.12.51) to make
sure you have branch to branch routing (Remember that Branch 3 is not active at this
time).
Step 19. Initiate the show run | begin ip prefix-list command on router R11.
Step 20. Initiate the show run | begin eigrp command on router R11.
Notice that route summarization has been configured to help reduce the number of
routes in the border routers.
Step 21. Initiate the show run command on routers R11, R12, R21, R22, R41, R51, R52, and
become familiar with the overall configurations at this point of the lab.
Exercise 2: Modify Traffic Flows in EIGRP
The purpose of this exercise is to use traffic engineering techniques to influence the primary path selection process.
Activity Objective
In this activity, you will practice how to influence traffic flows in an EIGRP environment by adding delay
commands to interfaces on each device. After completing this activity, you should be able to meet these
objectives.
Use EIGRP traffic engineering techniques to define the MPLS paths as the preferred paths
through the DMVPN tunnels.
Visual Objective
This figure provides a visual aid for this activity.
Configuring Traffic Shaping
Step 1. Initiate the show ip route command on router R41. Capture this output in a notepad on
PC01, and save it for comparison. You can also collect this same information on R11,
R12, R21, R22, R51, and R52, but this lab guide will only compare R41’s RIB table output.
Notice how many routes are for Tunnel100 (MPLS), and Tunnel200 (INET).
Step 2. Initiate the following commands on routers R11 & R21. Both R11 and R21 have the
same tunnel interface scheme so you can use the same configuration for both devices.
NOTE: The lab uses RDP for access to PC01, so use copy and paste from this lab guide to MTPuTTY on PC01.
configure terminal
interface Tunnel100
 delay 1000
!
interface GigabitEthernet2
 description Site-Lan
 delay 24000
!
end
Step 3. Initiate the following commands on routers R12 & R22.
configure terminal
interface Tunnel200
 delay 2000
!
interface GigabitEthernet2
 description Site-Lan
 delay 24000
!
end
Step 4. Initiate the following commands on router R41.
configure terminal
interface Tunnel100
 delay 1000
!
interface Tunnel200
 delay 20000
!
interface e0/2
 description Site-Lan1
 delay 20000
!
interface e0/3
 description Site-Lan2
 delay 20000
!
end
Step 5. Initiate the following commands on router R51.
configure terminal
interface Tunnel100
 delay 1000
!
interface e0/2
 description Site-Crosslink
 delay 20000
!
interface e0/1
 description Site-Lan
 delay 20000
!
end
Step 6. Initiate the following commands on router R52.
configure terminal
interface Tunnel200
 delay 1000
!
interface e0/2
 description Site-Crosslink
 delay 20000
!
interface e0/1
 description Site-Lan
 delay 20000
!
end
Step 7. Initiate the show ip route command again on router R41.
This is the output we saved from before Traffic Engineering was applied.
This is the output after Traffic Engineering was applied.
Why did all of the Tunnel 200 routes disappear in the 2nd output?
Exercise 3: Deploying Quality of Service (QoS)
QoS ensures more predictable network services by providing dedicated bandwidth, controlled jitter and
latency, and improved loss characteristics. QoS provides tools for managing network congestion, shaping
network traffic, using WAN links more efficiently, and setting traffic policies across the network. QoS helps
provide consistent, predictable network performance by offering intelligent network services.
For the network to provide secure, predictable, measurable, and sometimes guaranteed services, the fixed qualities of a network and the flow of packets must be managed with QoS. Some of the issues that can occur within a network that can have an impact on our time-sensitive packets are:
Bandwidth – Lack of bandwidth on the network the IP packets are traversing.
Packet Loss – Dropping of packets because of network congestion, not network outages.
Delay Variation (Jitter) – The time difference between how long it takes packets to traverse the network.
Out-of-Order Delivery – Different packets may take different routes and arrive at the destination in a different order than they were sent.
Delay – The time it takes to get the packet end-to-end, or from the mouth to the ear.
o Packetization Delay – Time required to sample and encode voice or video into an IP packet
o Serialization Delay – Time required to put the packet on to the wire
o Propagation Delay – Time required for the packet to traverse the media
When configuring WAN-edge QoS, you are defining how traffic egresses your network. It is critical that
the classification, marking, and bandwidth allocations align to the service provider offering to ensure
consistent QoS treatment end to end.
The Per-Tunnel QoS for DMVPN feature allows the configuration of a QoS policy on a DMVPN hub on a
per-tunnel (spoke) basis. The QoS policy on a tunnel instance allows you to shape the tunnel traffic to
individual spokes (parent policy) and to differentiate between traffic classes within the tunnel for
appropriate treatment (child policy).
You can also mark the header of the GRE tunneled packets by using the QoS policy map classes. There
are two methods for marking the DSCP of the tunnel headers in order to influence per-hop treatment
within the service provider network. One method applies the policy to a virtual tunnel interface and the
second method applies the policy to a physical interface.
The following table shows an example of how to mark the tunnel headers when using a 12- or 8-class
model in the enterprise, while combining the traffic classes into a smaller 6-, 5- or 4-class model in the
service provider network. The tunnel markings must match the service provider offering, so you will
have to adjust the table below according to your specific service level agreement.
QoS Traffic Pattern Map
Review the following QoS Traffic Pattern Map, to become familiar with the type of applications traffic
that is in the lab network. This kind of information should be mapped out during deployments to help
understand the traffic on the network, and help build the QoS configurations.
This table explains the type of simulated traffic that has been induced in this lab environment.
This QoS Traffic Pattern Map also includes the endpoint IP addresses for this lab environment.
Activity Objective:
In this Exercise, you will practice how to prepare and deploy Quality of Service (QoS). After completing
this activity, you should be able to meet these objectives.
Configure and verify operations of QoS policies for selected traffic types.
Define interesting traffic via access list
The access list command can be used for many different purposes within the router, but in all cases it is used
to define interesting traffic. In the case of QoS, the access list creates groups of interesting host addresses
or application types to be called later from the class maps. This allows the class maps to be very granular
when classifying traffic.
Step 1. Initiate the following commands on routers R11, R12, R21, and R22.
configure terminal
!
! Flows classified as critical data
ip access-list extended MARK-CRITICAL
 permit ip host 198.18.133.110 host 10.5.1.11
 permit ip host 198.18.133.110 host 10.5.1.12
 permit ip host 198.18.133.110 host 10.4.4.21
 permit ip host 198.18.133.110 host 10.4.4.22
!
! FTP control and data, matched on source or destination port
ip access-list extended MARK-SCAVENGER
 permit tcp any eq ftp any
 permit tcp any eq ftp-data any
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
!
! Flows classified as voice
ip access-list extended MARK-VOIP
 permit ip host 198.18.133.36 host 10.5.1.11
 permit ip host 198.18.133.36 host 10.4.4.21
!
end
Step 2. Initiate the following commands on router R41.
configure terminal
!
! Flows classified as critical data (branch to data center direction)
ip access-list extended MARK-CRITICAL
 permit ip host 10.5.1.11 host 198.18.133.110
 permit ip host 10.5.1.12 host 198.18.133.110
 permit ip host 10.4.4.21 host 198.18.133.110
 permit ip host 10.4.4.22 host 198.18.133.110
!
! FTP control and data, matched on source or destination port
ip access-list extended MARK-SCAVENGER
 permit tcp any eq ftp any
 permit tcp any eq ftp-data any
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
!
! Flows classified as voice
ip access-list extended MARK-VOIP
 permit ip host 10.5.1.11 host 198.18.133.36
 permit ip host 10.4.4.21 host 198.18.133.36
!
end
Step 3. Initiate the following commands on routers R51 and R52.
configure terminal
!
! Flows classified as critical data (branch to data center direction)
ip access-list extended MARK-CRITICAL
 permit ip host 10.5.1.11 host 198.18.133.110
 permit ip host 10.5.1.12 host 198.18.133.110
 permit ip host 10.4.4.21 host 198.18.133.110
 permit ip host 10.4.4.22 host 198.18.133.110
!
! FTP control and data, matched on source or destination port
ip access-list extended MARK-SCAVENGER
 permit tcp any eq ftp any
 permit tcp any eq ftp-data any
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
!
! Flows classified as voice
ip access-list extended MARK-VOIP
 permit ip host 10.5.1.11 host 198.18.133.36
 permit ip host 10.4.4.21 host 198.18.133.36
!
end
What are Class-Maps
The class-map command is used to define a traffic class and identify traffic to associate with the class name. Class names are used when configuring policy maps that define actions you want to take against the traffic type. The class-map command sets the match logic. In this case, the match-any keyword indicates that the maps match any of the specified criteria. This keyword is followed by the name that is assigned to the class of service. After the class-map command is configured, define specific values, such as DSCP and protocols, to match with the match command.
This chart lays out some of the values used in QoS and how they relate to one another.
Class-Map Configurations
Step 4. Initiate the following commands on routers R11, R12, R21, R22, R41, R51, and R52.
NOTE: Notice the use of the match access-group command; this is how the class-map calls the access-list created in the previous section.
configure terminal
!
class-map match-any STREAMING-VIDEO
match dscp af31 af32
!
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41 af42
!
class-map match-any CRITICAL-DATA
match dscp af11 af21
match access-group name MARK-CRITICAL
!
class-map match-any NET-CTRL-MGMT
match dscp cs2 cs6
!
class-map match-any VOICE
match dscp ef
match access-group name MARK-VOIP
!
class-map match-any SCAVENGER
match dscp cs1
match access-group name MARK-SCAVENGER
!
class-map match-any CALL-SIGNALING
match dscp cs3
!
end
NOTE: You do not need to explicitly configure the default class.
HQ WAN 1 policy map with queuing policy
The WAN policy map references the class names that were created in the previous procedures and defines the queuing behavior, along with the minimum guaranteed bandwidth allocated to each class. Each class within the policy map invokes an egress queue and assigns a percentage of bandwidth. One additional default class defines the minimum allowed bandwidth available for best effort traffic. There are two methods for marking the tunnel headers depending on whether the policy is applied to a virtual tunnel interface or a physical interface.
NOTE: For QOS policies that will be attached to tunnel interfaces (hub router configuration), the DSCP value is set in the tunnel header, such as: set dscp tunnel [dscp value]
Modular QoS CLI
In the QoS section of this lab we will configure Class Maps, Policy Maps, and Service Policies. This three-level
configuration is known as Modular QoS CLI.
Modular Quality of Service (QoS) Command-Line Interface (CLI), or MQC, provides a modular approach
to the configuration of quality of service (QoS) mechanisms. MQC is a three-level hierarchical policer
that extends the traffic policing functionality by allowing the configuration of traffic policing at three
levels of policy map hierarchies; a primary level, a secondary level, and a tertiary level. Traffic policing
may be configured at any or all of these levels, depending on the needs of your network. Configuring
traffic policing in a three-level hierarchical structure provides a high degree of granularity for traffic
policing.
Step 5. a. Initiate the following commands on hub routers R11, R12, R21, and R22.
configure terminal
!
policy-map WAN
class INTERACTIVE-VIDEO
bandwidth remaining percent 30
random-detect dscp-based
set dscp tunnel af41
!
class STREAMING-VIDEO
bandwidth remaining percent 10
random-detect dscp-based
set dscp tunnel af41
!
class NET-CTRL-MGMT
bandwidth remaining percent 5
set dscp tunnel cs6
!
class CALL-SIGNALING
bandwidth remaining percent 4
set dscp tunnel af41
!
class CRITICAL-DATA
bandwidth remaining percent 25
random-detect dscp-based
set dscp tunnel af21
!
class SCAVENGER
bandwidth remaining percent 1
set dscp tunnel af11
!
class VOICE
priority level 1
police cir percent 10
set dscp tunnel ef
!
class class-default
bandwidth remaining percent 25
random-detect
set dscp tunnel default
!
policy-map LAN-MARKING
class CRITICAL-DATA
set dscp af21
class VOICE
set dscp ef
class SCAVENGER
set dscp cs1
!
end
b. Initiate the following commands on routers R41, R51, and R52.
configure terminal
!
policy-map WAN
class INTERACTIVE-VIDEO
bandwidth remaining percent 30
random-detect dscp-based
set dscp af41
!
class STREAMING-VIDEO
bandwidth remaining percent 10
random-detect dscp-based
set dscp af41
!
class NET-CTRL-MGMT
bandwidth remaining percent 5
set dscp cs6
!
class CALL-SIGNALING
bandwidth remaining percent 4
set dscp af41
!
class CRITICAL-DATA
bandwidth remaining percent 25
random-detect dscp-based
set dscp af21
!
class SCAVENGER
bandwidth remaining percent 1
set dscp af11
!
class VOICE
priority level 1
police cir percent 10
set dscp ef
!
class class-default
bandwidth remaining percent 25
random-detect
set dscp default
!
policy-map LAN-MARKING
class CRITICAL-DATA
set dscp af21
class VOICE
set dscp ef
class SCAVENGER
set dscp cs1
!
end
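The access-list, class-map and policy-map names entered in Steps 2 through 5 only work if every reference resolves, and the VOICE priority queue relies on its policer to keep it from starving the other classes. The Python check below is an added example, not part of the lab guide: parse() and lint() are hypothetical helper names, and the embedded text is the branch configuration from this page, indented the way show running-config prints it.

```python
# Added example (not from the lab guide). Constructed input: ACL names from
# Step 2, class-maps from Step 4 and the queueing lines of policy-map WAN from
# Step 5b; WRED and "set dscp" lines are left out because no check reads them.
CONFIG = """\
ip access-list extended MARK-CRITICAL
ip access-list extended MARK-SCAVENGER
ip access-list extended MARK-VOIP
class-map match-any STREAMING-VIDEO
 match dscp af31 af32
class-map match-any INTERACTIVE-VIDEO
 match dscp cs4 af41 af42
class-map match-any CRITICAL-DATA
 match dscp af11 af21
 match access-group name MARK-CRITICAL
class-map match-any NET-CTRL-MGMT
 match dscp cs2 cs6
class-map match-any VOICE
 match dscp ef
 match access-group name MARK-VOIP
class-map match-any SCAVENGER
 match dscp cs1
 match access-group name MARK-SCAVENGER
class-map match-any CALL-SIGNALING
 match dscp cs3
policy-map WAN
 class INTERACTIVE-VIDEO
  bandwidth remaining percent 30
 class STREAMING-VIDEO
  bandwidth remaining percent 10
 class NET-CTRL-MGMT
  bandwidth remaining percent 5
 class CALL-SIGNALING
  bandwidth remaining percent 4
 class CRITICAL-DATA
  bandwidth remaining percent 25
 class SCAVENGER
  bandwidth remaining percent 1
 class VOICE
  priority level 1
  police cir percent 10
 class class-default
  bandwidth remaining percent 25
"""


def parse(text):
    """Return (ACL names, {class-map: [match args]}, {policy-map: {class: [actions]}})."""
    acls, class_maps, policy_maps = set(), {}, {}
    section = actions = None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if not raw[0].isspace():  # an unindented line opens a new section
            section = actions = None
            if words[:3] == ["ip", "access-list", "extended"]:
                acls.add(words[3])
            elif words[0] == "class-map":
                section = class_maps.setdefault(words[-1], [])
            elif words[0] == "policy-map":
                section = policy_maps.setdefault(words[1], {})
        elif words[0] == "class" and isinstance(section, dict):
            actions = section.setdefault(words[1], [])
        elif words[0] == "match" and isinstance(section, list):
            section.append(words[1:])
        elif actions is not None:
            actions.append(words)
    return acls, class_maps, policy_maps


def lint(text):
    """Return a list of findings; an empty list means every check passed."""
    acls, class_maps, policy_maps = parse(text)
    findings = []
    for name, matches in class_maps.items():
        for m in matches:
            if m[:2] == ["access-group", "name"] and m[2] not in acls:
                findings.append(f"class-map {name}: ACL {m[2]} is not defined")
    for pname, classes in policy_maps.items():
        total = 0
        for cname, actions in classes.items():
            if cname != "class-default" and cname not in class_maps:
                findings.append(f"policy-map {pname}: class {cname} has no class-map")
            verbs = {a[0] for a in actions}
            if "priority" in verbs and "police" not in verbs:
                findings.append(f"policy-map {pname}: priority class {cname} is unpoliced")
            total += sum(int(a[3]) for a in actions
                         if a[:3] == ["bandwidth", "remaining", "percent"])
        if total > 100:
            findings.append(f"policy-map {pname}: remaining percent totals {total}")
    return findings


if __name__ == "__main__":
    print(lint(CONFIG) or "no findings")
```
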
HQ WAN 1 shaping policy
With WAN interfaces using Ethernet as an access technology, the demarcation point between the enterprise and service provider may no longer have a physical-interface bandwidth constraint. Instead, a specified amount of access bandwidth is contracted with the service provider. To ensure that the offered load to the service provider does not exceed the contracted rate, which would result in the carrier discarding traffic, configure shaping on the physical interface. When you configure the shape average command, ensure that the value matches the contracted bandwidth rate from your service provider.
Step 6. Initiate the following commands on routers R11, R12, R21, and R22.
configure terminal
policy-map INTERFACE-G1
class class-default
shape average 100000000
!
interface GigabitEthernet1
service-policy output INTERFACE-G1
!
interface GigabitEthernet2
service-policy input LAN-MARKING
!
end
Step 7. Initiate the following commands on router R41.
configure terminal
policy-map INTERFACE-E0/0
class class-default
shape average 20000000
service-policy WAN
!
policy-map INTERFACE-E0/1
class class-default
shape average 10000000
service-policy WAN
!
interface Ethernet0/0
service-policy output INTERFACE-E0/0
!
interface Ethernet0/1
service-policy output INTERFACE-E0/1
!
interface Ethernet0/2
service-policy input LAN-MARKING
!
end
Step 8. Initiate the following commands on routers R51 and R52.
configure terminal
!
policy-map INTERFACE-E0/0
class class-default
shape average 10000000
service-policy WAN
!
interface Ethernet0/0
service-policy output INTERFACE-E0/0
!
interface Ethernet0/1
service-policy input LAN-MARKING
!
end
Per-tunnel QoS policy for DMVPN hub router
The QoS policy on a tunnel instance allows you to shape the tunnel traffic to individual spokes and to
differentiate between traffic classes within the tunnel for appropriate treatment. The QoS policy on the
tunnel instance is defined and applied only to the Dynamic Multipoint Virtual Private Network (DMVPN)
hub routers at the central site. The remote-site router signals the QoS group policy information to the hub
router with a command in the Next Hop Resolution Protocol (NHRP) configuration, which greatly
reduces Quality of Service (QoS) configuration and complexity. The hub router applies the signaled policy
in the egress direction for each remote site.
The bandwidth remaining ratio command is used to provide each site with their fair share of the remaining
bandwidth when the outbound interface is experiencing congestion. If you do not use this command, the
lower bandwidth sites will get all of their assigned bandwidth, while the higher bandwidth sites will get
less than their fair share.
With Per-Tunnel QoS for DMVPN, the queuing and shaping is performed at the outbound physical
interface for the GRE/IPsec tunnel packets. This means that the GRE header, the IPsec header and the
Layer 2 (for the physical interface) header are included in the packet-size calculations for shaping and
bandwidth queuing of packets under QoS.
Visual Objective
Configuring Per-Tunnel QoS for DMVPN hub routers
Step 9. Initiate the following commands on routers R11, R12, R21, and R22.
configure terminal
!
policy-map RS-GROUP-20MBPS-POLICY
class class-default
shape average 20000000
bandwidth remaining ratio 20
service-policy WAN
!
policy-map RS-GROUP-30MBPS-POLICY
class class-default
shape average 30000000
bandwidth remaining ratio 30
service-policy WAN
!
policy-map RS-GROUP-300MBPS-POLICY
class class-default
shape average 300000000
bandwidth remaining ratio 300
service-policy WAN
!
policy-map RS-GROUP-200MBPS-POLICY
class class-default
shape average 200000000
bandwidth remaining ratio 200
service-policy WAN
!
policy-map RS-GROUP-100MBPS-POLICY
class class-default
shape average 100000000
bandwidth remaining ratio 100
service-policy WAN
!
policy-map RS-GROUP-50MBPS-POLICY
class class-default
shape average 50000000
bandwidth remaining ratio 50
service-policy WAN
!
policy-map RS-GROUP-10MBPS-POLICY
class class-default
shape average 10000000
bandwidth remaining ratio 10
service-policy WAN
!
end
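Why the bandwidth remaining ratio in each RS-GROUP policy is set in proportion to its shape rate can be seen by working through a congested hub interface. The Python model below is an added example, not part of the lab guide and not the router's actual scheduler: fair_share() is a hypothetical weighted max-min calculation, the four-spoke scenario is constructed, and the "without the command" case assumes every tunnel has an equal ratio of 1.

```python
from fractions import Fraction

# Constructed scenario: one hub uplink shaped to 100 Mbps (Step 6) and four
# spokes, one in each of four NHRP groups from Step 9, each offering traffic
# at its full shaped rate. All values are in Mbps.
HUB_LINK = 100
SPOKE_SHAPE = {
    "RS-GROUP-10MBPS": 10,
    "RS-GROUP-20MBPS": 20,
    "RS-GROUP-50MBPS": 50,
    "RS-GROUP-100MBPS": 100,
}


def fair_share(link, tunnels):
    """Weighted max-min allocation of `link` among saturated tunnels.

    `tunnels` maps a name to (shape_rate, ratio). Each tunnel is offered a
    share of the remaining bandwidth in proportion to its ratio; a tunnel
    whose share reaches its shaper is capped there and the bandwidth it
    cannot use is redistributed among the others.
    """
    alloc, active, remaining = {}, dict(tunnels), Fraction(link)
    while active:
        weights = sum(ratio for _, ratio in active.values())
        capped = [name for name, (shape, ratio) in active.items()
                  if remaining * ratio / weights >= shape]
        if not capped:
            # Nobody hits a shaper any more: split what is left by ratio.
            for name, (_, ratio) in active.items():
                alloc[name] = remaining * ratio / weights
            break
        for name in capped:
            shape, _ = active.pop(name)
            alloc[name] = Fraction(shape)
            remaining -= shape
    return alloc


def without_ratio():
    """Model assumption: no ratio configured, so every tunnel weighs 1."""
    return fair_share(HUB_LINK, {n: (s, 1) for n, s in SPOKE_SHAPE.items()})


def with_ratio():
    """Ratios as in Step 9: the ratio equals the shape rate in Mbps."""
    return fair_share(HUB_LINK, {n: (s, s) for n, s in SPOKE_SHAPE.items()})


if __name__ == "__main__":
    for label, result in (("equal ratio", without_ratio()),
                          ("Step 9 ratios", with_ratio())):
        for name, mbps in result.items():
            share = float(mbps / SPOKE_SHAPE[name])
            print(f"{label:14} {name:18} {float(mbps):6.2f} Mbps ({share:.0%} of shape)")
```

With equal ratios the 10 and 20 Mbps sites keep their full rate while the 50 and 100 Mbps sites are cut to 35 Mbps each; with the Step 9 ratios every site is reduced to the same fraction of its shaped rate.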
HQ WAN 1 apply per-tunnel QoS NHRP policies on DMVPN hub router
The QoS policy that the hub uses for a particular endpoint or spoke is selected by the NHRP group in
which the spoke is configured.
Prerequisites and important caveats:
DMVPN must be fully configured and operational before you can configure an NHRP group on a spoke or map the NHRP group to a QoS policy on a hub.
Although you may configure multiple spokes as part of the same NHRP group, the tunnel traffic for each spoke is measured individually for shaping and policing.
Only output NHRP policies are supported. These apply to per-site traffic egressing the router towards the WAN.
Step 10. Initiate the following commands on routers R11 and R21.
configure terminal
interface Tunnel100
ip nhrp map group RS-GROUP-300MBPS service-policy output RS-GROUP-300MBPS-POLICY
ip nhrp map group RS-GROUP-200MBPS service-policy output RS-GROUP-200MBPS-POLICY
ip nhrp map group RS-GROUP-100MBPS service-policy output RS-GROUP-100MBPS-POLICY
ip nhrp map group RS-GROUP-50MBPS service-policy output RS-GROUP-50MBPS-POLICY
ip nhrp map group RS-GROUP-30MBPS service-policy output RS-GROUP-30MBPS-POLICY
ip nhrp map group RS-GROUP-20MBPS service-policy output RS-GROUP-20MBPS-POLICY
ip nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY
end
wr
Step 11. Initiate the following commands on routers R12 and R22.
configure terminal
interface Tunnel200
ip nhrp map group RS-GROUP-300MBPS service-policy output RS-GROUP-300MBPS-POLICY
ip nhrp map group RS-GROUP-200MBPS service-policy output RS-GROUP-200MBPS-POLICY
ip nhrp map group RS-GROUP-100MBPS service-policy output RS-GROUP-100MBPS-POLICY
ip nhrp map group RS-GROUP-50MBPS service-policy output RS-GROUP-50MBPS-POLICY
ip nhrp map group RS-GROUP-30MBPS service-policy output RS-GROUP-30MBPS-POLICY
ip nhrp map group RS-GROUP-20MBPS service-policy output RS-GROUP-20MBPS-POLICY
ip nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY
end
wr
Configure per-tunnel QoS NHRP policy on Branch Routers
Apply the NHRP group policy to each service provider DMVPN tunnel interface on the Branch routers. Use the NHRP group name as defined on the hub router.
Step 12. Initiate the following commands on router R41.
configure terminal
!
interface Tunnel100
ip nhrp group RS-GROUP-10MBPS
!
interface Tunnel200
ip nhrp group RS-GROUP-20MBPS
!
end
wr
Step 13. Initiate the following commands on router R51.
configure terminal
!
interface Tunnel100
ip nhrp group RS-GROUP-10MBPS
!
end
wr
Step 14. Initiate the following commands on router R52.
configure terminal
!
interface Tunnel200
ip nhrp group RS-GROUP-20MBPS
!
end
wr
Verify QoS policy on the routers' physical interfaces
Step 15. Initiate the command show run interface e0/0 on router R41, R51, and R52, to verify
that your output matches below.
Step 16. Initiate show run interface e0/1 & show run interface e0/2 on router R41, to verify
that your output matches below.
Step 17. Initiate show run interface e0/1, on routers R51 and R52.
Verify DMVPN per-tunnel QoS from each of the four hub routers.
Step 18. Initiate the show dmvpn detail command on routers R11, R12, R21, R22.
Output for router R11
Output for router R12
Exercise 4: Configuring and Verifying PfR
All sites belong to a PfR domain where the remote site MCs are peered together. Peering has been
greatly enhanced in PfRv3 which allows site information exchange and single touch provisioning.
PfRv3 has simplified policies with pre-existing templates. The policy configuration for the PfR domain is
done in the hub MC and the information is distributed to all sites via MC peering. This not only simplifies
provisioning substantially, but also makes the policy consistent across the entire IWAN network.
Activity Objective
In this activity, you will practice how to configure PfRv3 on the Master Controllers, Hub Border Routers,
and Spoke Border Routers.
Configure and verify operations of Master Controller Hub and Master Controller Transit Routers
Configure and verify operation of Hub Border Routers at Data Center 1 (Master Controller), and Data Center 2 (Transit Site).
Configure and verify operation of Branch Border Routers at sites 4 and 5.
Visual Objective
Master controller access
Step 1. Double click on R10-MC-DC1 (198.18.129.201) in the left hand side navigation pane in
MTPuTTY. This will open a new tab on the right hand side of MTPuTTY.
Step 2. Login to R10 with the username admin, password C1sco12345.
Step 3. Double click on R20-MC-DC2 (10.2.1.20) in the left hand side navigation pane in
MTPuTTY. This will open a new tab on the right hand side of MTPuTTY.
Step 4. Login to R20 with the username admin, password C1sco12345.
Configure and verify Master Controllers and Hub Border Routers
Step 5. Initiate the following commands on router R10. This is Data Center 1’s Hub Master
Controller.
configure terminal
domain 10
vrf default
master hub
source-interface Loopback0
site-prefixes prefix-list DC1_Prefix
enterprise-prefix prefix-list ENT_Prefix
!
ip prefix-list DC1_Prefix seq 25 permit 198.18.0.0/16
ip prefix-list DC1_Prefix seq 40 permit 10.1.0.0/16
!
ip prefix-list ENT_Prefix seq 5 permit 198.18.0.0/16
ip prefix-list ENT_Prefix seq 15 permit 10.0.0.0/8
end
wr
Step 6. Initiate the following commands on router R20. This is Data Center 2’s Transit Site Master
Controller.
configure terminal
domain 10
vrf default
master transit 1
source-interface Loopback0
site-prefixes prefix-list DC2_Prefix
hub 10.1.0.10
!
ip prefix-list DC2_Prefix seq 25 permit 198.18.0.0/16
ip prefix-list DC2_Prefix seq 40 permit 10.2.0.0/16
end
wr
Step 7. Initiate the following commands on router R11. This is Data Center 1’s MPLS Hub Border
Router.
configure terminal
domain 10
vrf default
border
source-interface Loopback0
master 10.1.0.10
!
interface Tunnel100
domain 10 path MPLS path-id 1
end
wr
Step 8. Initiate the following commands on router R12. This is Data Center 1’s INET Hub Border
Router.
configure terminal
domain 10
vrf default
border
source-interface Loopback0
master 10.1.0.10
!
interface Tunnel200
domain 10 path INET path-id 2
end
wr
Step 9. Initiate the following commands on router R21. This is Data Center 2’s MPLS Hub Border
Router.
Configure terminal
domain 10
vrf default
border
source-interface Loopback0
master 10.2.0.20
!
interface Tunnel100
domain 10 path MPLS path-id 1
end
wr
Step 10. Initiate the following commands on router R22. This is Data Center 2’s INET Hub Border
Router.
configure terminal
domain 10
vrf default
border
source-interface Loopback0
master 10.2.0.20
!
interface Tunnel200
domain 10 path INET path-id 2
end
wr
Verify Connectivity between the PfR MCs and Hub BRs
The purpose of this task is to verify that there is connectivity between the Hub and Transit Master
Controllers and the Hub Border Routers in Data Center 1 and 2.
Step 11. Verify the Master Controllers' configuration using the following table.
Verification Questions | Commands | R10 Success Y/N | R20 Success Y/N
Is the Operational Status of the Master Controller UP? Should be down since no traffic policies are configured yet. | show domain 10 master status | |
Can the MC see its Hub BRs? Each MC should see the Hub BRs that are in the same DC as the MC. | show domain 10 master status | |
Does each Hub BR show the appropriate tunnel mapping and path IDs? | show domain 10 master status | |
Does the connection status to each Hub BR indicate Connected? | show domain 10 master status | |
Does the Hub MC see the Transit MC? | show domain 10 master discovered-sites | |
Show Domain 10 Master Status Output for R10
Step 12. Verify the Hub BR configuration using the following table.
Verification Questions | Commands | R11 Success Y/N | R12 Success Y/N | R21 Success Y/N | R22 Success Y/N
Is the Instance Status Up? | show domain 10 border status | | | |
Is the Loopback Up? | show domain 10 border status | | | |
Is the IP address for the MC correct? | show domain 10 border status | | | |
Is the MC connection successful? | show domain 10 border status | | | |
Does the connection status to each Hub BR say Connected? | show domain 10 border status | | | |
Show Domain 10 Border Status on R11
Configure and verify Branch Border Routers
In this lab configuration we have two different types of branches. Branch 4 has a single router that is
connected to both the MPLS and INET clouds. This single router acts in two capacities: as a Master
Controller for the branch, and as a Border Router. Branch 5 has two routers: R51, connected to the
MPLS cloud, and R52, connected to the INET. In Branch 5, R51 acts as a Master Controller and a
Border Router, while R52 acts as a Border Router only.
Step 13. Initiate the following commands on router R41. This is Branch Spoke Site 4 MPLS/INET Hub
Border Router.
configure terminal
interface Tunnel200
no nhrp route-watch
!
domain 10
vrf default
master branch
source-interface Loopback0
hub 10.1.0.10
border
source-interface Loopback0
master local
end
wr
Step 14. Initiate the following commands on router R41 to clear any crypto errors between the
Master Controller and Border Controller which are present on this single router.
configure terminal
interface Tunnel200
shutdown
no shutdown
end
Step 15. Initiate the following commands on router R51. This is Branch Spoke Site 5 MPLS Hub
Border Router (Branch Master Controller).
configure terminal
domain 10
vrf default
master branch
source-interface Loopback0
hub 10.1.0.10
border
source-interface Loopback0
master local
end
wr
Step 16. Initiate the following commands on router R52. This is Branch Spoke Site 5 MPLS Hub
Border Router.
Configure terminal
domain 10
vrf default
border
source-interface Loopback0
master 10.5.0.51
end
wr
Configure PfR traffic policies
Step 17. Initiate the following commands on router R10. Note that for the VOICE and CRITICAL-DATA
classes, MPLS is the preferred path, and for the SCAVENGER class, INET is the
preferred path.
NOTE: The commands below that are highlighted in yellow are highlighted to point out
the three different sections and their path preference. Enter all commands below in R10.
configure terminal
domain 10
vrf default
master hub
load-balance
class VOICE sequence 20
match dscp ef policy voice
path-preference MPLS fallback INET
!
class CRITICAL-DATA sequence 30
match dscp af21 policy low-latency-data
path-preference MPLS fallback INET
!
class SCAVENGER sequence 40
match dscp cs1 policy scavenger
path-preference INET fallback MPLS
end
wr
Exercise 5: PfR Verification
In this activity, the PfR configuration will be tested to verify that PfR is functioning as expected.
Verify PfR traffic classes are controlled
NOTE: It takes about two minutes or so for the neighbor relationship to fully synchronize, and for domain 10 to fully come up. If you don’t see anything when you run the next command, keep trying and you will see the system start to collect flow information. Notice the UCs in the State column; these are flows that have been identified but are not yet controlled. Once the flows are controlled by the MC policy, their state will change to CN.
Step 1. Initiate the command show domain 10 master traffic-classes summary, on router R10.
Notice the following:
Legend at the top
CN = Controlled by master controller (MC)
SP = Service Provider, one flow is taking INET, and one is taking MPLS
Step 2. Initiate the command show domain 10 master traffic-classes summary, on router R20.
Notice the following:
DSCP column displays what classification the flow was tagged as.
State shows if the flow is controlled by the MC or not. UC is uncontrolled
by the MC, and CN is controlled.
SP shows which service provider the flow is taking.
Step 3. Initiate the command show domain 10 master traffic-classes dscp ef on router R20.
Notice the following:
Step 4. Initiate the command show domain 10 master traffic-classes summary on router R51.
Compare the output of R51 with other hub and branch routers. Notice which routers are
seeing which traffic.
Step 5. Initiate the command show domain 10 master traffic-classes dscp ef, on router R52.
Notice the output says “No master configured…”.
This is a dual router connected site, one router connected to the MPLS WAN
and one connected to the internet. At each spoke there will always be a master
border router, and any subsequent routers will be border routers only.
Step 6. Initiate the command show domain 10 border traffic-classes on router R52. This
command shows the different classes of traffic that exist or are flowing on each router.
Try this command on the other border routers and compare the output.
Auto Distributed Policies
Step 7. Initiate the command show run | begin domain 10, on router R10.
Step 8. Initiate the command show run | begin domain 10, on routers R20, R41, and R51.
Notice that R10 (the Hub Master Controller) sets the policies for the whole network.
Although R20 is a Master Controller it is a transit site.
Step 9. Initiate the command show domain 10 master policy, on routers R10, R20, R41, R51.
Notice there are sequences 20, 30, and 40 and what their names are. Remember that
the policy was only configured on router R10 and was dynamically passed to the other
master controller routers.
Step 10. Initiate the following commands on R10 to add two more traffic classes.
Configure terminal
domain 10
vrf default
master hub
class VIDEO sequence 25
match dscp af41 policy real-time-video
match dscp cs4 policy real-time-video
path-preference MPLS fallback INET
class BULK-DATA sequence 50
match dscp af11 policy bulk-data
path-preference INET fallback MPLS
end
wr
Step 11. Initiate the command show run | begin domain 10, on router R10.
Compare the output to the previous time this command was initiated (in
the step above).
Step 12. Initiate the command show run | begin domain 10, on routers R20, R41, and R51 to
confirm the configuration is not replicated to the other routers.
Step 13. Initiate the command show domain 10 master policy, on routers R10, R20, R41, R51.
Notice the master policies have been replicated to the other Master Controllers in
domain 10.
Exercise 6: Verifying PfR Traffic Policies
The purpose of this task is to verify the application traffic policies have been propagated to the border
routers and are operating as intended.
Performance Routing Verification
Step 1. Initiate the command show domain 10 master traffic-classes summary, on router R20.
Take note of the output.
Step 2. Initiate the command show domain 10 master traffic-class dscp ef, on router R20. Take
note of the output.
Exercise 7: Simulating WAN Delay using WANem
In this section we are going to use an app called WANem to add delay to the network at one of two places
at a time on the network. WANem can be used to simulate WAN characteristics like Network delay, Packet
loss, Packet corruption, Disconnections, Packet re-ordering, Jitter, etc.
For more information about WANem follow this link: http://bit.ly/SimDelay
Visual Objective
Notice in the topology map for this lab there are two indicators for WANem. One on BR0 and one on BR1.
In this lab we are going to use WANem to induce delay of 500ms to BR1, but you can also conduct your
own test on BR0 as well. As IWAN probes the networks it will detect the induction of delay, and find that
the INET connection is a better or preferred path and move the traffic to the INET. This traffic change can
be witnessed with the ‘show domain 10 master traffic-classes summary’ command.
Step 1. Add delay to the MPLS links using the WANem application by performing the following
steps:
On PC01, use the WANem shortcut or open the browser from the task
bar and go to http://198.18.133.40/WANem (case sensitive).
Maximize the application to full screen to see the menu options.
Click Basic Mode.
Select BR1 from the bridges drop down menu.
Enter 500 in the Delay field for interface eth0
Enter 500 in the Delay field for interface eth1
Click Apply Settings
Step 2. Return to MTPuTTY on PC01, and initiate the command show domain 10 master traffic-
classes summary on router R20.
Notice the EFs and AF21 traffic have been moved to the INET.
Step 3. Initiate the command show domain 10 master traffic-class dscp ef on router R20.
Notice that the current Service Provider is INET, the previous Service Provider is
MPLS, and the traffic class will be re-evaluated in a period of time (38 seconds in
the example shown below).
The system is probing the network checking for delay, loss, and jitter. If the MPLS
path looks better during re-evaluation, the traffic class will switch back to MPLS.
If not, it will stay on the INET path.
Add Traffic Flows and Evaluate the Results
Voice and Critical data traffic are being generated automatically by simulators installed on PC11, PC21,
and DC2-PC, but scavenger traffic needs to be generated manually.
Step 4. Induce scavenger traffic by initiating a large file download across the network, by
completing the following steps.
Step 5. From PC01 desktop, connect to PC11 via RDP using the shortcut on the desktop.
When you open PC11 you will see some applications open, such as WAN Impairment tool and
another called Big Info. Just minimize and ignore WAN Impairment, and Big Info will go away on
its own in a few seconds.
Step 6. From the PC11 desktop, double click on Mozilla FireFox to open the browser.
Step 7. Enter ftp://demo:[email protected], in the address field. Press <Enter>.
Step 8. Click Ubuntu-14.04.4-server-amd64.iso
Step 9. Select Save, and click OK
If you open the download monitor in FireFox, you will see there is a large file being downloaded
across the network.
Step 10. Return to PC01, in MTPuTTY initiate the command show domain 10 master traffic-
classes summary on R20.
Notice there is now a CS1 flow, as well as EF and AF21 are still on the INET.
Step 11. Return to PC11, and click on Ubuntu-14.04.4-server-amd64.iso, and create a second
large file download.
Step 12. Induce even more scavenger traffic by adding another large file download across the
network, by completing the following steps.
Step 13. From PC01 desktop, connect to PC21 via RDP using the shortcut on the desktop.
When you open PC21 you will see some applications open, such as IWAN-wget Impairment tool
and another called Big Info. Just minimize and ignore IWAN-wget window, and Big Info will go
away on its own in a few seconds.
Step 14. From PC11 desktop, double click on Mozilla FireFox to open the browser.
Step 15. Enter ftp://demo:[email protected] in the address field. Press <Enter>
Step 16. Click Ubuntu-14.04.4-server-amd64.iso
Step 17. Select Save, and click OK
If you open the download monitor in FireFox, you will see there is a large file being downloaded
across the network.
Step 18. Return to PC01, in MTPuTTY initiate the command show domain 10 master traffic-
classes summary, on router R20.
Notice CS1 traffic is out of policy and uncontrolled when the traffic is first
added. When traffic is UC, it will follow normal routing rules.
Step 19. Initiate the command show domain 10 master traffic-classes summary, on router R20
again and see that the CS1 traffic is in a state of CN.
NOTE: Your results in the show command outputs might be different than what is shown here
in the lab guide due to timing. Some changes in IWAN can take a few minutes to be reflected in
the output of the commands.
Step 20. Continue experimenting with adding traffic or removing traffic, and witnessing the
resulting outputs in the various show commands. Clear added flows and delays by doing
the following:
Click Stop WANem, in the WANem app on PC01.
Stop downloads on PC11, and PC12
Exercise 8: Configure and Verify flows using LiveAction
LiveAction is an application-aware network management software with quality-of-service (QoS) control,
designed to simplify network management. LiveAction features an innovative visual display, real-time
big data analytics, and deep control of routers and switches for unparalleled ease of network administration.
At a high level, LiveAction has the following See-Point-Click-Fix features:
See: Visualization:
o Visualize real-time end-to-end network traffic
o Examine historical QoS, flow, routing, and IP service-level agreement (IP SLA) data
Point: Decision making:
o Analyze hop-by-hop path, devices, interfaces, and queues
o Locate and troubleshoot problems
Click: Control
o Enable and deploy QoS, Network-Based Application Recognition (NBAR), Flexible
NetFlow (FNF), Cisco Application Visibility and Control (AVC), and Cisco Medianet
o Create IP SLA probes and Media Services Interface (MSI) endpoints
Fix: Improve
o Edit QoS policies, access control list (ACL), Policy Based Routing (PBR), and IP SLA
For Cisco IWAN, LiveAction provides GUI-based management and situational awareness for intelligent
path control and application performance optimization. Specifically, LiveAction offers the following
IWAN management functions:
Real-time and historical graphical displays of Performance Routing (PfR) intelligent path changes
AVC visualization, reporting, and configuration
Application-aware QoS monitoring and control to optimize application performance
Overall network health and status
Activity Objective:
In this activity, the flows that were evaluated in the previous section via Command Line Interface (CLI)
commands will be verified via the LiveAction tool. This section will only be a taste of the full potential
power of Cisco’s LiveAction management and monitoring tools.
Visual Objective:
Configure Collector CLI Command on R10
Step 1. Initiate the following commands on R10 to set the address of the LiveAction collector
server.
Configure Terminal
Domain 10
Vrf default
Master hub
Collector 198.18.133.34 port 2055
End
Wr
Opening Live Action Client on PC01
In this section the LiveAction client will be opened on PC01.
NOTE: Careful, there are two icons on the desktop of PC01: LiveAction HTML5 and LiveAction
Client. In this exercise the LiveAction client will be used, not the HTML5 version.
Step 2. Double click the LiveAction Client 5.2.0 icon on the desktop of PC01
Step 3. Login to LiveAction with the username of admin and password of C1sco12345, and click
OK.
NOTE: Be patient; logging into LiveAction sometimes takes some time.
Configuring Flows in LiveAction
Step 4. Click Flow>Configure Flow on the main menu at the top of the LiveAction Client
Window
Step 5. Notice that R10-MC-DC1, and R31-Spoke-Site3 are grayed out. R10-MC-DC1 is grayed
out because SNMP community settings on the router are not updated properly. R31-
Spoke-Site3 is not configured at all since this is the branch that is used for the optional
challenge lab later in this document. The following few tasks will be used to set up R10-
MC-DC1 to be seen by LiveAction.
Step 6. Click Close to close the Flow configuration pop-up window.
Step 7. Click the + sign next to home in the navigation pane on the left hand side, to open all
the sites.
Step 8. Click the + sign next to DC1 in the navigation pane on the left hand side, to open DC1.
Step 9. Right click R10-MC-DC1 and click Edit Device Settings.
Step 10. Click Next on page one of the edit device settings pop-up window. Take all defaults
(change nothing).
Step 11. Click Next on page two of the edit device settings pop-up window.
Step 12. Click Next on page three of the edit device settings pop-up window.
Step 13. Click Continue on the Validation Details pop-up window.
Step 14. Click and uncheck Loopback0, only GigabitEthernet1 should be checked on page four of
the edit device settings pop-up window.
Step 15. Click Next.
Step 16. Click Next on page five of the edit device settings pop-up window
Step 17. Click and check NBAR and NetFlow on page six of the edit device settings pop-up
window.
Step 18. Click Next
Step 19. Click Next on page seven of the edit device settings pop-up window.
Step 20. Review the configuration that will be added to R10-MC-DC1 on page eight of the edit
device settings pop-up window. Make sure to leave the radio button selected for “send
the configuration commands to device”.
Step 21. Click Next
Wait for the configuration to be uploaded to R10-MC-DC1
Step 22. Click Finish on page nine of the edit device settings pop-up window.
Step 23. Click Yes to save the settings on R10-MC-DC1.
Step 24. Return to MTPuTTY, and select R10-MC-DC1 tab at the top. If R10 is not open in
MTPuTTY, open it and log in to R10.
Step 25. Initiate the command show run | beg flow record on router R10. Verify that the
LiveAction console added configuration parameters to the router R10.
Continue exploring the running configuration for more parameters that
LiveAction added to the router’s configuration.
Step 26. Return to the LiveAction Client on PC01 when you are finished exploring the updated
configuration on router R10.
Step 27. Click Flow > Configure Flow from the main LiveAction Client menus.
Step 28. Notice R10-MC-DC1 is no longer grayed out. Also notice that most of the bubbles on the
right under Traffic, Application, and Voice are grayed out at this time.
Step 29. Click and check R10, R11, R12, R20, R21, R22, R41, R51, and R52.
Step 30. Click Configure Selected.
Step 31. Click and select Traffic Statistic, Application Response Time, and Voice/Video check
boxes for the following selections.
R10-MC-DC1 – GigabitEthernet1
R11-Hub-DC1 – Tunnel100
R12-Hub-DC1 – Tunnel200
R20-MC-DC2 – GigabitEthernet1
R21-Hub-DC2 – Tunnel100
R22-Hub-DC2 – Tunnel200
R41-Spoke-Site4 – Tunnel100 and Tunnel200
R51-Spoke-Site5 – Tunnel100
R52-Spoke-Site5 – Tunnel200
Step 32. Click Preview CLI to see what changes will be made to each router.
Step 33. Click OK on the NetFlow Export Warnings pop-up window.
Step 34. Notice the CLI changes LiveAction is going to make on the nine different routers, by
selecting each router on the left hand side of the Multiple CLI Viewer. The configuration
deltas will be displayed on the right hand side of the viewer.
Step 35. Click Close when you’re done inspecting the CLI changes.
Step 36. Click Save to Devices button at the bottom of the Flow Configuration pop-up window.
Step 37. Click Yes on the save flow configurations pop-up window
Step 38. Be patient while the configuration changes are made on each of the nine routers.
Step 39. Click OK on the succeeded pop-up window
Step 40. Click Yes on each Save Startup Config pop-up window to save the new running
configuration on each router to the startup config.
NOTE: Click Yes nine times, once for each router.
Step 41. Notice the green bubbles that were grayed out before the flows were configured.
Step 42. Click Close when you are done verifying the changes.
Evaluate PfR Flows Using LiveAction
In a previous section we verified PfR flows using the CLI command “show domain 10 master
traffic-classes summary” on each of the Master Border Routers, and Master Controllers. In this
section we will verify PfR via the LiveAction GUI.
Step 43. Click the + sign next to Site-4 in the navigation pane of LiveAction.
Step 44. Click and highlight R41-Spoke-Site4
Step 45. Select PfR in the dropdown menu that is labeled as basic flow.
Step 46. Notice in the spreadsheet formatted section you will see the many different simulated
flows in this lab environment that are flowing through R41.
Step 47. If you scroll the bottom scroll bar all the way to the right you will see the DSCP values of
the flow. You will also see Tunnel information, Bandwidth, Out of parameter values as
seen in red in this screen shot below.
Also notice that if you look at this screen over time it will change as the
simulated traffic changes on the network. In the upper left corner polling is
enabled so every few seconds the data for this output will change.
Continue exploring this screen as well as selecting other routers from the
navigation pane on the left to see what data is presented at each router.
End of Lab Exercises
Optional Challenge Lab: Configure and Verify Branch/Spoke Site 3
Complete this lab exercise to add Branch 3 spoke to the IWAN environment. Configure Branch 3 router
to ensure that it can connect and communicate with the Hub and Transit Border Routers, as well as the
Branch Border Routers at Branch 4 and 5.
Visual Objective
Configure Branch 3 Challenge
Step 1. Configure R31-Spoke-Site3 router to be part of the IWAN DMVPN Phase 3 cloud,
including front door VRFs, and IPsec.
Step 2. Configure R31-Spoke-Site3 to be in the same EIGRP autonomous system as the other
border routers in the IWAN environment.
Step 3. Enable R31-Spoke-Site3 to communicate with the Hub Master Controller, so it can
participate in PfR.
Step 4. When you are done with your configuration run the following commands to confirm
proper operation.
Show domain 10 master traffic-classes summary
Show domain 10 master policy
Step 5. From PC01 RDP to PC31, using the desktop icon. Open FireFox and navigate to
ftp://demo:[email protected] and download the large file Ubuntu-14.04.4-server-
amd64.iso.
Step 6. Return to PC01 and initiate the show domain 10 master traffic-classes summary
command on R31. Confirm that you see CS1 traffic being controlled by the Master
Controller.
NOTE: The best place to start is by looking at the R41-Spoke-Site4 router configuration.
Copy and paste the portions of R41 config into a notepad on PC01, and edit the
configuration to be relevant for PC31. Once you have a good config in notepad copy
and paste the config into R31.
WARNING Spoiler Alert: Do not move on to the next page until you have your R31 router configured and operational. The next pages present the full final configuration for R31.
R31-Spoke-Site3 Final Configuration
Final operational configuration for router R31-Spoke-Site3. Sections in blue are part of the IWAN
configuration.
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R31-Spoke-Site3
!
boot-start-marker
boot-end-marker
!
vrf definition INET1
!
address-family ipv4
exit-address-family
!
vrf definition MPLS1
!
address-family ipv4
exit-address-family
!
logging console warnings
enable secret 5 $1$5abw$/S6M9GiORaLyD8OxWuMoa1
!
no aaa new-model
!
clock timezone PST -7 0
clock summer-time PDT recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
ip domain lookup source-interface Loopback0
ip domain name dcloud.cisco.com
ip name-server 198.18.133.1
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
domain 10
vrf default
border
source-interface Loopback0
master local
master branch
source-interface Loopback0
hub 10.1.0.10
!
username admin privilege 15 secret 5 $1$kC78$yLDu4V/p/cr8bdJlwKEGf/
!
redundancy
!
class-map match-any STREAMING-VIDEO
match dscp af31 af32
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41 af42
class-map match-any CRITICAL-DATA
match dscp af11 af21
match access-group name MARK-CRITICAL
class-map match-any NET-CTRL-MGMT
match dscp cs2 cs6
class-map match-any VOICE
match dscp ef
match access-group name MARK-VOIP
class-map match-any SCAVENGER
match dscp cs1
match access-group name MARK-SCAVENGER
class-map match-any CALL-SIGNALING
match dscp cs3
!
policy-map LAN-MARKING
class CRITICAL-DATA
set dscp af21
class VOICE
set dscp ef
class SCAVENGER
set dscp cs1
policy-map INTERFACE-E0/1
class class-default
shape average 10000000
policy-map WAN
class INTERACTIVE-VIDEO
bandwidth remaining percent 30
random-detect dscp-based
set dscp tunnel af41
class STREAMING-VIDEO
bandwidth remaining percent 10
random-detect dscp-based
set dscp tunnel af41
class NET-CTRL-MGMT
bandwidth remaining percent 5
set dscp tunnel cs6
class CALL-SIGNALING
bandwidth remaining percent 4
set dscp tunnel af41
class CRITICAL-DATA
bandwidth remaining percent 25
random-detect dscp-based
set dscp tunnel af21
class SCAVENGER
bandwidth remaining percent 1
set dscp tunnel af11
class VOICE
priority level 1
police cir percent 10
set dscp tunnel ef
class class-default
bandwidth remaining percent 25
random-detect
set dscp tunnel default
policy-map INTERFACE-E0/0
class class-default
shape average 20000000
service-policy WAN
!
crypto ikev2 keyring DMVPN-KEYRING-INET
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key 123CISCO
!
crypto ikev2 keyring DMVPN-KEYRING-MPLS
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key 123CISCO
!
crypto ikev2 profile DMVPN-IKE-PROFILE-INET
match fvrf INET1
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local DMVPN-KEYRING-INET
dpd 40 5 on-demand
!
crypto ikev2 profile DMVPN-IKE-PROFILE-MPLS
match fvrf MPLS1
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local DMVPN-KEYRING-MPLS
dpd 40 5 on-demand
!
crypto isakmp nat keepalive 20
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-IPSEC-PROFILE-INET
set ikev2-profile DMVPN-IKE-PROFILE-INET
!
crypto ipsec profile DMVPN-IPSEC-PROFILE-MPLS
set transform-set AES256/SHA/TRANSPORT
set ikev2-profile DMVPN-IKE-PROFILE-MPLS
!
interface Loopback0
ip address 10.3.0.31 255.255.255.255
!
interface Tunnel100
description ** DMVPN Tunnel over MPLS **
bandwidth 1000
ip address 192.168.100.31 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp network-id 100
ip nhrp holdtime 70
ip nhrp nhs 192.168.100.11 nbma 172.16.11.1 multicast
ip nhrp nhs 192.168.100.21 nbma 172.16.21.1 multicast
ip nhrp shortcut
ip tcp adjust-mss 1360
delay 1000
if-state nhrp
tunnel source Ethernet0/1
tunnel mode gre multipoint
tunnel vrf MPLS1
tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-MPLS
!
interface Tunnel200
description ** DMVPN Tunnel over INET **
bandwidth 1000
ip address 192.168.200.31 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp network-id 200
ip nhrp holdtime 70
ip nhrp nhs 192.168.200.12 nbma 100.64.12.1 multicast
ip nhrp nhs 192.168.200.22 nbma 100.64.22.1 multicast
ip nhrp shortcut
ip tcp adjust-mss 1360
delay 20000
no nhrp route-watch
if-state nhrp
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel vrf INET1
tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-INET
!
interface Ethernet0/0
description INET interface
vrf forwarding INET1
ip address 100.64.31.1 255.255.255.252
load-interval 30
service-policy output INTERFACE-E0/0
!
interface Ethernet0/1
description MPLS interface
vrf forwarding MPLS1
ip address 172.16.31.1 255.255.255.252
load-interval 30
service-policy output INTERFACE-E0/1
!
interface Ethernet0/2
description Site-LAN1
ip address 10.3.3.31 255.255.255.0
load-interval 30
delay 20000
service-policy input LAN-MARKING
!
interface Ethernet0/3
no ip address
shutdown
!
router eigrp IWAN-EIGRP
!
address-family ipv4 unicast autonomous-system 400
!
af-interface Tunnel100
stub-site wan-interface
exit-af-interface
!
af-interface Tunnel200
stub-site wan-interface
exit-af-interface
!
topology base
exit-af-topology
network 10.0.0.0
network 192.168.100.0
network 192.168.200.0
eigrp router-id 10.3.0.31
eigrp stub-site 1:1
exit-address-family
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route vrf MPLS1 0.0.0.0 0.0.0.0 172.16.31.2
ip route vrf INET1 0.0.0.0 0.0.0.0 100.64.31.2
!
ip access-list extended MARK-CRITICAL
permit ip host 10.5.1.11 host 198.18.133.110
permit ip host 10.5.1.12 host 198.18.133.110
permit ip host 10.4.4.21 host 198.18.133.110
permit ip host 10.4.4.22 host 198.18.133.110
ip access-list extended MARK-SCAVENGER
permit tcp any eq ftp any
permit tcp any eq ftp-data any
permit tcp any any eq ftp
permit tcp any any eq ftp-data
ip access-list extended MARK-VOIP
permit ip host 10.5.1.11 host 198.18.133.36
permit ip host 10.4.4.21 host 198.18.133.36
!
no service-routing capabilities-manager
!
snmp-server community cisco123 RW 55
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login local
transport input telnet ssh
!
ntp source Loopback0
ntp server 198.18.128.1
!
end
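The three challenge requirements (Steps 1 to 3) can be checked mechanically against a saved running-config, including the case where a DMVPN tunnel comes up without IPsec protection or in the wrong front-door VRF. The Python below is an added example, not part of the lab guide; the function names (sections, arg, check_spoke) are hypothetical, and R31_CONFIG is a constructed excerpt of the configuration above with show running-config indentation restored.

```python
import re

# Constructed excerpt of the R31 configuration above, re-indented the way
# "show running-config" prints it. Only lines the checks read are kept.
R31_CONFIG = """\
domain 10
 vrf default
  border
   master local
  master branch
   hub 10.1.0.10
crypto ikev2 profile DMVPN-IKE-PROFILE-INET
 match fvrf INET1
crypto ikev2 profile DMVPN-IKE-PROFILE-MPLS
 match fvrf MPLS1
crypto ipsec profile DMVPN-IPSEC-PROFILE-INET
 set ikev2-profile DMVPN-IKE-PROFILE-INET
crypto ipsec profile DMVPN-IPSEC-PROFILE-MPLS
 set ikev2-profile DMVPN-IKE-PROFILE-MPLS
interface Tunnel100
 tunnel source Ethernet0/1
 tunnel vrf MPLS1
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-MPLS
interface Tunnel200
 tunnel source Ethernet0/0
 tunnel vrf INET1
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-INET
interface Ethernet0/0
 vrf forwarding INET1
interface Ethernet0/1
 vrf forwarding MPLS1
router eigrp IWAN-EIGRP
 address-family ipv4 unicast autonomous-system 400
"""


def sections(config):
    """Map each top-level command to the list of its stripped sub-commands."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line[0].isspace():
            current = out.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return out


def arg(body, prefix):
    """Return what follows `prefix` in the first matching sub-command, else None."""
    for cmd in body:
        if cmd.startswith(prefix + " "):
            return cmd[len(prefix) + 1:].strip()
    return None


def check_spoke(config, domain="10", hub="10.1.0.10", eigrp_as="400"):
    """Return a list of problems; an empty list means Steps 1-3 are satisfied."""
    s, problems = sections(config), []
    tunnels = {k.split()[1]: v for k, v in s.items() if k.startswith("interface Tunnel")}
    if not tunnels:
        problems.append("no Tunnel interfaces configured")
    for name, body in tunnels.items():
        # Step 1a: front-door VRF. The tunnel's transport VRF must be the VRF
        # of the physical interface it is sourced from.
        fvrf, src = arg(body, "tunnel vrf"), arg(body, "tunnel source")
        src_vrf = arg(s.get(f"interface {src}", []), "vrf forwarding")
        if fvrf is None or fvrf != src_vrf:
            problems.append(f"{name}: tunnel vrf {fvrf} != vrf {src_vrf} of {src}")
        # Step 1b: IPsec. Follow tunnel -> ipsec profile -> ikev2 profile -> fvrf.
        prof = arg(body, "tunnel protection ipsec profile")
        if prof is None:
            problems.append(f"{name}: no tunnel protection, GRE leaves unencrypted")
            continue
        ipsec = s.get(f"crypto ipsec profile {prof}")
        if ipsec is None:
            problems.append(f"{name}: ipsec profile {prof} is not defined")
            continue
        ike = arg(ipsec, "set ikev2-profile")
        ike_fvrf = arg(s.get(f"crypto ikev2 profile {ike}", []), "match fvrf")
        if ike_fvrf != fvrf:
            problems.append(f"{name}: ikev2 profile {ike} matches fvrf {ike_fvrf}, not {fvrf}")
    # Step 2: same EIGRP autonomous system as the other border routers.
    found = re.findall(r"autonomous-system (\d+)",
                       "\n".join(c for k, v in s.items() if k.startswith("router eigrp") for c in v))
    if eigrp_as not in found:
        problems.append(f"EIGRP autonomous system {eigrp_as} not configured (found {found})")
    # Step 3: PfR branch master controller pointing at the hub master controller.
    pfr = s.get(f"domain {domain}", [])
    if "master branch" not in pfr or arg(pfr, "hub") != hub:
        problems.append(f"domain {domain}: no 'master branch' with hub {hub}")
    return problems


if __name__ == "__main__":
    for p in check_spoke(R31_CONFIG) or ["R31 excerpt passes all checks"]:
        print(p)
```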
Appendix: Router Configurations
These router configurations are each router’s configuration at the end of this lab guide.
Router R10-MC-DC1
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console auto
platform hardware throughput level MB 100
!
hostname R10-MC-DC1
!
boot-start-marker
boot system bootflash:csr1000v-universalk9.03.16.01a.S.155-3.S1a-ext.SPA.bin
boot-end-marker
!
enable secret 5 $1$UU3I$OXntpE./eOmxxgP4WpxDa.
!
no aaa new-model
clock timezone JST 9 0
!
ip name-server 198.18.133.1
!
ip domain lookup source-interface Loopback0
ip domain name dcloud.cisco.com
!
subscriber templating
!
flow record LIVEACTION-FLOWRECORD
description DO NOT MODIFY. USED BY LIVEACTION.
match flow direction
match interface input
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect application name
collect counter bytes
collect counter packets
collect flow sampler
collect interface output
collect ipv4 destination mask
collect ipv4 dscp
collect ipv4 id
collect ipv4 source mask
collect ipv4 source prefix
collect routing destination as
collect routing next-hop address ipv4
collect routing source as
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect transport tcp flags
!
flow record type performance-monitor LIVEACTION-FLOWRECORD-AVC
description DO NOT MODIFY. USED BY LIVEACTION.
match application name account-on-resolution
match connection client ipv4 address
match connection server ipv4 address
match connection server transport port
match ipv4 protocol
match routing vrf input
collect application http host
collect connection client counter bytes long
collect connection client counter bytes network long
collect connection client counter packets long
collect connection client counter packets retransmitted
collect connection delay application sum
collect connection delay network client-to-server sum
collect connection delay network to-client sum
collect connection delay network to-server sum
collect connection delay response client-to-server sum
collect connection delay response to-server histogram late
collect connection delay response to-server sum
collect connection initiator
collect connection new-connections
collect connection server counter bytes long
collect connection server counter bytes network long
collect connection server counter packets long
collect connection server counter responses
collect connection sum-duration
collect connection transaction counter complete
collect connection transaction duration max
collect connection transaction duration min
collect connection transaction duration sum
collect interface input
collect interface output
collect ipv4 destination address
collect ipv4 dscp
collect ipv4 source address
collect ipv4 ttl
!
flow record type performance-monitor LIVEACTION-FLOWRECORD-MEDIANET
description DO NOT MODIFY. USED BY LIVEACTION.
match flow direction
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match transport destination-port
match transport rtp ssrc
match transport source-port
collect application media bytes counter
collect application media bytes rate
collect application media event
collect application media packets counter
collect application media packets rate
collect application name
collect counter bytes
collect counter bytes rate
collect counter packets
collect interface input
collect interface output
collect ipv4 dscp
collect ipv4 ttl
collect monitor event
collect routing forwarding-status
collect timestamp interval
collect transport event packet-loss counter
collect transport packets expected counter
collect transport packets lost counter
collect transport packets lost rate
collect transport rtp jitter maximum
collect transport rtp jitter mean
collect transport rtp jitter minimum
!
flow exporter LIVEACTION-FLOWEXPORTER-IPFIX
description DO NOT MODIFY. USED BY LIVEACTION.
destination 198.18.133.34
source Loopback0
transport udp 2055
export-protocol ipfix
option interface-table
option vrf-table
option application-table
option c3pl-class-table
option c3pl-policy-table
option application-attributes
!
flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-AVC
description DO NOT MODIFY. USED BY LIVEACTION.
record LIVEACTION-FLOWRECORD-AVC
exporter LIVEACTION-FLOWEXPORTER-IPFIX
cache entries 6500
!
flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-MEDIANET
description DO NOT MODIFY. USED BY LIVEACTION.
record LIVEACTION-FLOWRECORD-MEDIANET
exporter LIVEACTION-FLOWEXPORTER-IPFIX
!
flow monitor LIVEACTION-FLOWMONITOR
description DO NOT MODIFY. USED BY LIVEACTION.
exporter LIVEACTION-FLOWEXPORTER-IPFIX
cache timeout inactive 10
cache timeout active 60
record LIVEACTION-FLOWRECORD
!
multilink bundle-name authenticated
!
domain 10
vrf default
master hub
source-interface Loopback0
site-prefixes prefix-list DC1_Prefix
load-balance
enterprise-prefix prefix-list ENT_Prefix
collector 198.18.133.34 port 2055
class VOICE sequence 20
match dscp ef policy voice
path-preference MPLS fallback INET
class VIDEO sequence 25
match dscp af41 policy real-time-video
match dscp cs4 policy real-time-video
path-preference MPLS fallback INET
class CRITICAL-DATA sequence 30
match dscp af21 policy low-latency-data
path-preference MPLS fallback INET
class SCAVENGER sequence 40
match dscp cs1 policy scavenger
path-preference INET fallback MPLS
class BULK-DATA sequence 50
match dscp af11 policy bulk-data
path-preference INET fallback MPLS
!
license udi pid CSR1000V sn 9E0K829FLKK
license accept end user agreement
license boot level ax
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$85Yx$Al6FWGUwWOaZWQR9tRwxi1
!
redundancy
!
class-map match-any LIVEACTION-CLASS-AVC
match access-group name LIVEACTION-ACL-AVC
class-map match-any LIVEACTION-CLASS-MEDIANET
match protocol telepresence-media
match protocol rtp
!
policy-map type performance-monitor LIVEACTION-POLICY-UNIFIED
class LIVEACTION-CLASS-AVC
flow monitor LIVEACTION-FLOWMONITOR-AVC
class LIVEACTION-CLASS-MEDIANET
flow monitor LIVEACTION-FLOWMONITOR-MEDIANET
!
interface Loopback0
ip address 10.1.0.10 255.255.255.255
!
interface GigabitEthernet1
description LAN interface
ip address 198.18.129.201 255.255.192.0
ip nbar protocol-discovery
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
load-interval 30
negotiation auto
cdp enable
service-policy type performance-monitor input LIVEACTION-POLICY-UNIFIED
service-policy type performance-monitor output LIVEACTION-POLICY-UNIFIED
!
router eigrp IWAN-EIGRP
!
address-family ipv4 unicast autonomous-system 400
!
af-interface default
passive-interface
exit-af-interface
!
af-interface GigabitEthernet1
no passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 10.1.0.0 0.0.255.255
network 198.18.129.201 0.0.0.0
eigrp router-id 10.1.0.10
exit-address-family
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip access-list extended LIVEACTION-ACL-AVC
permit tcp any any
!
ip prefix-list DC1_Prefix seq 25 permit 198.18.0.0/16
ip prefix-list DC1_Prefix seq 40 permit 10.1.0.0/16
!
ip prefix-list ENT_Prefix seq 5 permit 198.18.0.0/16
ip prefix-list ENT_Prefix seq 15 permit 10.0.0.0/8
no service-routing capabilities-manager
!
snmp-server community cisco123 RW 55
snmp ifmib ifindex persist
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
exec-timeout 0 0
logging synchronous
login local
transport input telnet ssh
!
end
Router R11-Hub-DC1
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console auto
platform hardware throughput level MB 100
!
hostname R11-Hub-DC1
!
boot-start-marker
boot system bootflash:csr1000v-universalk9.03.16.01a.S.155-3.S1a-ext.SPA.bin
boot-end-marker
!
vrf definition MPLS1
!
address-family ipv4
exit-address-family
!
enable secret 5 $1$PqCC$dXzY64XCtlr5HlaNcGRj//
!
no aaa new-model
clock timezone PST -7 0
clock summer-time PDT recurring
!
ip multicast-routing distributed
!
ip name-server 198.18.133.1
!
ip domain lookup source-interface Loopback0
ip domain name dcloud.cisco.com
!
subscriber templating
!
flow record type performance-monitor LIVEACTION-FLOWRECORD-AVC
description DO NOT MODIFY. USED BY LIVEACTION.
match application name account-on-resolution
match connection client ipv4 address
match connection server ipv4 address
match connection server transport port
match ipv4 protocol
match routing vrf input
collect application http host
collect connection client counter bytes long
collect connection client counter bytes network long
collect connection client counter packets long
collect connection client counter packets retransmitted
collect connection delay application sum
collect connection delay network client-to-server sum
collect connection delay network to-client sum
collect connection delay network to-server sum
collect connection delay response client-to-server sum
collect connection delay response to-server histogram late
collect connection delay response to-server sum
collect connection initiator
collect connection new-connections
collect connection server counter bytes long
collect connection server counter bytes network long
collect connection server counter packets long
collect connection server counter responses
collect connection sum-duration
collect connection transaction counter complete
collect connection transaction duration max
collect connection transaction duration min
collect connection transaction duration sum
collect interface input
collect interface output
collect ipv4 destination address
collect ipv4 dscp
collect ipv4 source address
collect ipv4 ttl
!
flow record LIVEACTION-FLOWRECORD
description DO NOT MODIFY. USED BY LIVEACTION.
match flow direction
match interface input
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect application name
collect counter bytes
collect counter packets
collect flow sampler
collect interface output
collect ipv4 destination mask
collect ipv4 dscp
collect ipv4 id
collect ipv4 source mask
collect ipv4 source prefix
collect routing destination as
collect routing next-hop address ipv4
collect routing source as
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect transport tcp flags
!
flow exporter LIVEACTION-FLOWEXPORTER-IPFIX
description DO NOT MODIFY. USED BY LIVEACTION.
destination 198.18.133.34
source Loopback0
transport udp 2055
export-protocol ipfix
option interface-table
option vrf-table
option application-table
option c3pl-class-table
option c3pl-policy-table
option application-attributes
!
flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-AVC
description DO NOT MODIFY. USED BY LIVEACTION.
record LIVEACTION-FLOWRECORD-AVC
exporter LIVEACTION-FLOWEXPORTER-IPFIX
cache entries 6500
!
flow monitor LIVEACTION-FLOWMONITOR
description DO NOT MODIFY. USED BY LIVEACTION.
exporter LIVEACTION-FLOWEXPORTER-IPFIX
cache timeout inactive 10
cache timeout active 60
record LIVEACTION-FLOWRECORD
!
multilink bundle-name authenticated
!
domain 10
vrf default
border
source-interface Loopback0
master 10.1.0.10
!
license udi pid CSR1000V sn 9UN0OOZU4QP
license accept end user agreement
license boot level ax
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$mPhf$N7VeB4S8/OT3c8exmBFlJ1
!
redundancy
!
crypto ikev2 keyring DMVPN-KEYRING-MPLS
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key 123CISCO
!
crypto ikev2 profile DMVPN-IKE-PROFILE-MPLS
match fvrf MPLS1
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local DMVPN-KEYRING-MPLS
!
cdp run
!
class-map match-any LIVEACTION-CLASS-AVC
match access-group name LIVEACTION-ACL-AVC
class-map match-any STREAMING-VIDEO
match dscp af31 af32
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41 af42
class-map match-any CRITICAL-DATA
match dscp af11 af21
match access-group name MARK-CRITICAL
class-map match-any NET-CTRL-MGMT
match dscp cs2 cs6
class-map match-any VOICE
match dscp ef
match access-group name MARK-VOIP
class-map match-any SCAVENGER
match dscp cs1
match access-group name MARK-SCAVENGER
class-map match-any LIVEACTION-CLASS-MEDIANET
match protocol rtp
class-map match-any CALL-SIGNALING
match dscp cs3
!
policy-map WAN
class INTERACTIVE-VIDEO
bandwidth remaining percent 30
random-detect dscp-based
set dscp tunnel af41
class STREAMING-VIDEO
bandwidth remaining percent 10
random-detect dscp-based
set dscp tunnel af41
class NET-CTRL-MGMT
bandwidth remaining percent 5
set dscp tunnel cs6
class CALL-SIGNALING
bandwidth remaining percent 4
set dscp tunnel af41
class CRITICAL-DATA
bandwidth remaining percent 25
random-detect dscp-based
set dscp tunnel af21
class SCAVENGER
bandwidth remaining percent 1
set dscp tunnel af11
class VOICE
priority level 1
police cir percent 10
set dscp tunnel ef
class class-default
bandwidth remaining percent 25
random-detect
set dscp tunnel default
policy-map RS-GROUP-200MBPS-POLICY
class class-default
shape average 200000000
bandwidth remaining ratio 200
service-policy WAN
policy-map INTERFACE-G1
class class-default
shape average 100000000
policy-map RS-GROUP-20MBPS-POLICY
class class-default
shape average 20000000
bandwidth remaining ratio 20
service-policy WAN
policy-map LAN-MARKING
class CRITICAL-DATA
set dscp af21
class VOICE
set dscp ef
class SCAVENGER
set dscp cs1
policy-map type performance-monitor LIVEACTION-POLICY-UNIFIED
class LIVEACTION-CLASS-AVC
flow monitor LIVEACTION-FLOWMONITOR-AVC
class LIVEACTION-CLASS-MEDIANET
policy-map RS-GROUP-30MBPS-POLICY
class class-default
shape average 30000000
bandwidth remaining ratio 30
service-policy WAN
policy-map RS-GROUP-300MBPS-POLICY
class class-default
shape average 300000000
bandwidth remaining ratio 300
service-policy WAN
policy-map RS-GROUP-100MBPS-POLICY
class class-default
shape average 100000000
bandwidth remaining ratio 100
service-policy WAN
policy-map RS-GROUP-50MBPS-POLICY
class class-default
shape average 50000000
bandwidth remaining ratio 50
service-policy WAN
policy-map RS-GROUP-10MBPS-POLICY
class class-default
shape average 10000000
bandwidth remaining ratio 10
service-policy WAN
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-IPSEC-PROFILE-MPLS
set transform-set AES256/SHA/TRANSPORT
set ikev2-profile DMVPN-IKE-PROFILE-MPLS
!
interface Loopback0
ip address 10.1.0.11 255.255.255.255
!
interface Tunnel100
description ***DMVPN Tunnel over MPLS***
bandwidth 100
ip address 192.168.100.11 255.255.255.0
no ip redirects
ip mtu 1400
ip nbar protocol-discovery
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
ip nhrp map multicast dynamic
ip nhrp map group RS-GROUP-300MBPS service-policy output RS-GROUP-300MBPS-POLICY
ip nhrp map group RS-GROUP-200MBPS service-policy output RS-GROUP-200MBPS-POLICY
ip nhrp map group RS-GROUP-100MBPS service-policy output RS-GROUP-100MBPS-POLICY
ip nhrp map group RS-GROUP-50MBPS service-policy output RS-GROUP-50MBPS-POLICY
ip nhrp map group RS-GROUP-30MBPS service-policy output RS-GROUP-30MBPS-POLICY
ip nhrp map group RS-GROUP-20MBPS service-policy output RS-GROUP-20MBPS-POLICY
ip nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY
ip nhrp network-id 100
ip nhrp holdtime 70
ip nhrp redirect
ip tcp adjust-mss 1360
delay 1000
if-state nhrp
tunnel source GigabitEthernet1
tunnel mode gre multipoint
tunnel vrf MPLS1
tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-MPLS
domain 10 path MPLS path-id 1
!
interface GigabitEthernet1
description MPLS interface
vrf forwarding MPLS1
ip address 172.16.11.1 255.255.255.252
load-interval 30
negotiation auto
cdp enable
service-policy output INTERFACE-G1
!
interface GigabitEthernet2
description Site-Lan
ip address 10.1.1.11 255.255.255.0
load-interval 30
delay 24000
negotiation auto
cdp enable
service-policy input LAN-MARKING
!
router eigrp IWAN-EIGRP
!
address-family ipv4 unicast autonomous-system 400
!
af-interface Tunnel100
hello-interval 20
hold-time 60
no split-horizon
summary-address 10.0.0.0 255.0.0.0
summary-address 10.1.0.0 255.255.0.0
exit-af-interface
!
topology base
distribute-list prefix EIGRPSUMMARY in Tunnel100
summary-metric 10.1.0.0/16 10000000 1 255 0 1500 distance 250
summary-metric 10.0.0.0/8 10000000 1 255 0 1500 distance 250
exit-af-topology
network 10.1.0.0 0.0.255.255
network 192.168.100.0
eigrp router-id 10.1.0.11
exit-address-family
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route vrf MPLS1 0.0.0.0 0.0.0.0 172.16.11.2
ip ssh version 1
!
ip access-list extended LIVEACTION-ACL-AVC
permit tcp any any
ip access-list extended MARK-CRITICAL
permit ip host 198.18.133.110 host 10.5.1.11
permit ip host 198.18.133.110 host 10.5.1.12
permit ip host 198.18.133.110 host 10.4.4.21
permit ip host 198.18.133.110 host 10.4.4.22
ip access-list extended MARK-SCAVENGER
permit tcp any eq ftp any
permit tcp any eq ftp-data any
permit tcp any any eq ftp
permit tcp any any eq ftp-data
ip access-list extended MARK-VOIP
permit ip host 198.18.133.36 host 10.5.1.11
permit ip host 198.18.133.36 host 10.4.4.21
!
ip prefix-list EIGRPSUMMARY seq 10 deny 0.0.0.0/0
ip prefix-list EIGRPSUMMARY seq 20 deny 10.0.0.0/8
ip prefix-list EIGRPSUMMARY seq 30 deny 10.1.0.0/16
ip prefix-list EIGRPSUMMARY seq 40 deny 10.2.0.0/16
ip prefix-list EIGRPSUMMARY seq 50 permit 0.0.0.0/0 le 32
no service-routing capabilities-manager
logging source-interface Loopback0
logging host 198.18.133.65
!
snmp-server community cisco123 RW 55
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
exec-timeout 0 0
logging synchronous
login local
transport input telnet ssh
line vty 5 8
exec-timeout 0 0
logging synchronous
login local
transport input telnet ssh
!
ntp source Loopback0
ntp server 198.18.128.1
!
end
Router R12-Hub-DC1
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console auto
platform hardware throughput level MB 100
!
hostname R12-Hub-DC1
!
boot-start-marker
boot system bootflash:csr1000v-universalk9.03.16.01a.S.155-3.S1a-ext.SPA.bin
boot-end-marker
!
vrf definition INET1
!
address-family ipv4
exit-address-family
!
enable secret 5 $1$.Y6g$Md5qjnc6CkRxbpRa26i0N0
!
no aaa new-model
clock timezone PST -7 0
clock summer-time PDT recurring
!
ip multicast-routing distributed
!
ip name-server 198.18.133.1
!
ip domain lookup source-interface Loopback0
ip domain name dcloud.cisco.com
!
subscriber templating
!
flow record type performance-monitor LIVEACTION-FLOWRECORD-AVC
description DO NOT MODIFY. USED BY LIVEACTION.
match application name account-on-resolution
match connection client ipv4 address
match connection server ipv4 address
match connection server transport port
match ipv4 protocol
match routing vrf input
collect application http host
collect connection client counter bytes long
collect connection client counter bytes network long
collect connection client counter packets long
collect connection client counter packets retransmitted
collect connection delay application sum
collect connection delay network client-to-server sum
collect connection delay network to-client sum
collect connection delay network to-server sum
collect connection delay response client-to-server sum
collect connection delay response to-server histogram late
collect connection delay response to-server sum
collect connection initiator
collect connection new-connections
collect connection server counter bytes long
collect connection server counter bytes network long
collect connection server counter packets long
collect connection server counter responses
collect connection sum-duration
collect connection transaction counter complete
collect connection transaction duration max
collect connection transaction duration min
collect connection transaction duration sum
collect interface input
collect interface output
collect ipv4 destination address
collect ipv4 dscp
collect ipv4 source address
collect ipv4 ttl
!
flow record LIVEACTION-FLOWRECORD
description DO NOT MODIFY. USED BY LIVEACTION.
match flow direction
match interface input
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect application name
collect counter bytes
collect counter packets
collect flow sampler
collect interface output
collect ipv4 destination mask
collect ipv4 dscp
collect ipv4 id
collect ipv4 source mask
collect ipv4 source prefix
collect routing destination as
collect routing next-hop address ipv4
collect routing source as
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect transport tcp flags
!
flow exporter LIVEACTION-FLOWEXPORTER-IPFIX
description DO NOT MODIFY. USED BY LIVEACTION.
destination 198.18.133.34
source Loopback0
transport udp 2055
export-protocol ipfix
option interface-table
option vrf-table
option application-table
option c3pl-class-table
option c3pl-policy-table
option application-attributes
!
flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-AVC
description DO NOT MODIFY. USED BY LIVEACTION.
record LIVEACTION-FLOWRECORD-AVC
exporter LIVEACTION-FLOWEXPORTER-IPFIX
cache entries 6500
!
flow monitor LIVEACTION-FLOWMONITOR
description DO NOT MODIFY. USED BY LIVEACTION.
exporter LIVEACTION-FLOWEXPORTER-IPFIX
cache timeout inactive 10
cache timeout active 60
record LIVEACTION-FLOWRECORD
!
multilink bundle-name authenticated
!
domain 10
vrf default
border
source-interface Loopback0
master 10.1.0.10
!
cts logging verbose
!
license udi pid CSR1000V sn 9TNHAU3EBHU
license accept end user agreement
license boot level ax
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$dd..$y.s.vtT0xS.YTG/FP5QvE.
!
redundancy
!
crypto ikev2 keyring DMVPN-KEYRING-INET
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key 123CISCO
!
crypto ikev2 profile DMVPN-IKE-PROFILE-INET
match fvrf INET1
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local DMVPN-KEYRING-INET
!
cdp run
!
class-map match-any LIVEACTION-CLASS-AVC
match access-group name LIVEACTION-ACL-AVC
class-map match-any STREAMING-VIDEO
match dscp af31 af32
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41 af42
class-map match-any CRITICAL-DATA
match dscp af11 af21
match access-group name MARK-CRITICAL
class-map match-any NET-CTRL-MGMT
match dscp cs2 cs6
class-map match-any VOICE
match dscp ef
match access-group name MARK-VOIP
class-map match-any SCAVENGER
match dscp cs1
match access-group name MARK-SCAVENGER
class-map match-any LIVEACTION-CLASS-MEDIANET
match protocol rtp
class-map match-any CALL-SIGNALING
match dscp cs3
!
policy-map WAN
class INTERACTIVE-VIDEO
bandwidth remaining percent 30
random-detect dscp-based
set dscp tunnel af41
class STREAMING-VIDEO
bandwidth remaining percent 10
random-detect dscp-based
set dscp tunnel af41
class NET-CTRL-MGMT
bandwidth remaining percent 5
set dscp tunnel cs6
class CALL-SIGNALING
bandwidth remaining percent 4
set dscp tunnel af41
class CRITICAL-DATA
bandwidth remaining percent 25
random-detect dscp-based
set dscp tunnel af21
class SCAVENGER
bandwidth remaining percent 1
set dscp tunnel af11
class VOICE
priority level 1
police cir percent 10
set dscp tunnel ef
class class-default
bandwidth remaining percent 25
random-detect
set dscp tunnel default
policy-map RS-GROUP-200MBPS-POLICY
class class-default
shape average 200000000
bandwidth remaining ratio 200
service-policy WAN
policy-map INTERFACE-G1
class class-default
shape average 100000000
policy-map RS-GROUP-20MBPS-POLICY
class class-default
shape average 20000000
bandwidth remaining ratio 20
service-policy WAN
policy-map LAN-MARKING
class CRITICAL-DATA
set dscp af21
class VOICE
set dscp ef
class SCAVENGER
set dscp cs1
policy-map type performance-monitor LIVEACTION-POLICY-UNIFIED
class LIVEACTION-CLASS-AVC
flow monitor LIVEACTION-FLOWMONITOR-AVC
class LIVEACTION-CLASS-MEDIANET
policy-map RS-GROUP-30MBPS-POLICY
class class-default
shape average 30000000
bandwidth remaining ratio 30
service-policy WAN
policy-map RS-GROUP-300MBPS-POLICY
class class-default
shape average 300000000
bandwidth remaining ratio 300
service-policy WAN
policy-map RS-GROUP-100MBPS-POLICY
class class-default
shape average 100000000
bandwidth remaining ratio 100
service-policy WAN
policy-map RS-GROUP-50MBPS-POLICY
class class-default
shape average 50000000
bandwidth remaining ratio 50
service-policy WAN
policy-map RS-GROUP-10MBPS-POLICY
class class-default
shape average 10000000
bandwidth remaining ratio 10
service-policy WAN
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-IPSEC-PROFILE-INET
set transform-set AES256/SHA/TRANSPORT
set ikev2-profile DMVPN-IKE-PROFILE-INET
!
interface Loopback0
ip address 10.1.0.12 255.255.255.255
!
interface Tunnel200
description ***DMVPN Tunnel over Internet***
bandwidth 1000
ip address 192.168.200.12 255.255.255.0
no ip redirects
ip mtu 1400
ip nbar protocol-discovery
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
ip nhrp map multicast dynamic
ip nhrp map group RS-GROUP-300MBPS service-policy output RS-GROUP-300MBPS-POLICY
ip nhrp map group RS-GROUP-200MBPS service-policy output RS-GROUP-200MBPS-POLICY
ip nhrp map group RS-GROUP-100MBPS service-policy output RS-GROUP-100MBPS-POLICY
ip nhrp map group RS-GROUP-50MBPS service-policy output RS-GROUP-50MBPS-POLICY
ip nhrp map group RS-GROUP-30MBPS service-policy output RS-GROUP-30MBPS-POLICY
ip nhrp map group RS-GROUP-20MBPS service-policy output RS-GROUP-20MBPS-POLICY
ip nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY
ip nhrp network-id 200
ip nhrp holdtime 70
ip nhrp redirect
ip tcp adjust-mss 1360
delay 2000
if-state nhrp
tunnel source GigabitEthernet1
tunnel mode gre multipoint
tunnel vrf INET1
tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-INET
domain 10 path INET path-id 2
!
interface GigabitEthernet1
description INET interface
vrf forwarding INET1
ip address 100.64.12.1 255.255.255.252
load-interval 30
negotiation auto
cdp enable
service-policy output INTERFACE-G1
!
interface GigabitEthernet2
description Site-Lan
ip address 10.1.1.12 255.255.255.0
load-interval 30
delay 24000
negotiation auto
cdp enable
service-policy input LAN-MARKING
!
interface GigabitEthernet3
description LAN interface to PRIME
ip address 198.100.0.2 255.255.255.0
load-interval 30
negotiation auto
cdp enable
!
router eigrp IWAN-EIGRP
!
address-family ipv4 unicast autonomous-system 400
!
af-interface Tunnel200
hello-interval 20
hold-time 60
no split-horizon
summary-address 10.0.0.0 255.0.0.0
summary-address 10.1.0.0 255.255.0.0
exit-af-interface
!
topology base
distribute-list prefix EIGRPSUMMARY in Tunnel200
summary-metric 10.1.0.0/16 10000000 1 255 0 1500 distance 250
summary-metric 10.0.0.0/8 10000000 1 255 0 1500 distance 250
exit-af-topology
network 10.1.0.0 0.0.255.255
network 192.168.200.0
eigrp router-id 10.1.0.12
exit-address-family
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route vrf INET1 0.0.0.0 0.0.0.0 100.64.12.2
!
ip access-list extended LIVEACTION-ACL-AVC
permit tcp any any
ip access-list extended MARK-CRITICAL
permit ip host 198.18.133.110 host 10.5.1.11
permit ip host 198.18.133.110 host 10.5.1.12
permit ip host 198.18.133.110 host 10.4.4.21
permit ip host 198.18.133.110 host 10.4.4.22
ip access-list extended MARK-SCAVENGER
permit tcp any eq ftp any
permit tcp any eq ftp-data any
permit tcp any any eq ftp
permit tcp any any eq ftp-data
ip access-list extended MARK-VOIP
permit ip host 198.18.133.36 host 10.5.1.11
permit ip host 198.18.133.36 host 10.4.4.21
!
ip prefix-list EIGRPSUMMARY seq 10 deny 0.0.0.0/0
ip prefix-list EIGRPSUMMARY seq 20 deny 10.0.0.0/8
ip prefix-list EIGRPSUMMARY seq 30 deny 10.1.0.0/16
ip prefix-list EIGRPSUMMARY seq 40 deny 10.2.0.0/16
ip prefix-list EIGRPSUMMARY seq 50 permit 0.0.0.0/0 le 32
no service-routing capabilities-manager
!
snmp-server community cisco123 RW 55
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
exec-timeout 0 0
logging synchronous
login local
transport input telnet ssh
!
ntp source Loopback0
ntp server 198.18.128.1
!
end
Router R20-Hub-DC1
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname R20-MC-DC2
!
boot-start-marker
boot system bootflash:csr1000v-universalk9.03.16.01a.S.155-3.S1a-ext.SPA.bin
boot-end-marker
!
enable secret 5 $1$Zi8l$w47EAP/2fWMKJwezsIUO31
!
no aaa new-model
clock timezone JST 9 0
!
ip name-server 198.18.133.1
!
ip domain lookup source-interface Loopback0
ip domain name dcloud.cisco.com
!
subscriber templating
!
flow record type performance-monitor LIVEACTION-FLOWRECORD-AVC
description DO NOT MODIFY. USED BY LIVEACTION.
match application name account-on-resolution
match connection client ipv4 address
match connection server ipv4 address
match connection server transport port
match ipv4 protocol
match routing vrf input
collect application http host
collect connection client counter bytes long
collect connection client counter bytes network long
collect connection client counter packets long
collect connection client counter packets retransmitted
collect connection delay application sum
collect connection delay network client-to-server sum
collect connection delay network to-client sum
collect connection delay network to-server sum
collect connection delay response client-to-server sum
collect connection delay response to-server histogram late
collect connection delay response to-server sum
collect connection initiator
collect connection new-connections
collect connection server counter bytes long
collect connection server counter bytes network long
collect connection server counter packets long
collect connection server counter responses
collect connection sum-duration
collect connection transaction counter complete
collect connection transaction duration max
collect connection transaction duration min
collect connection transaction duration sum
collect interface input
collect interface output
collect ipv4 destination address
collect ipv4 dscp
collect ipv4 source address
collect ipv4 ttl
!
flow record type performance-monitor LIVEACTION-FLOWRECORD-MEDIANET
description DO NOT MODIFY. USED BY LIVEACTION.
match flow direction
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match transport destination-port
match transport rtp ssrc
match transport source-port
collect application media bytes counter
collect application media bytes rate
collect application media event
collect application media packets counter
collect application media packets rate
collect application name
collect counter bytes
collect counter bytes rate
collect counter packets
collect interface input
collect interface output
collect ipv4 dscp
collect ipv4 ttl
collect monitor event
collect routing forwarding-status
collect timestamp interval
collect transport event packet-loss counter
collect transport packets expected counter
collect transport packets lost counter
collect transport packets lost rate
collect transport rtp jitter maximum
collect transport rtp jitter mean
collect transport rtp jitter minimum
!
flow record LIVEACTION-FLOWRECORD
description DO NOT MODIFY. USED BY LIVEACTION.
match flow direction
match interface input
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect application name
collect counter bytes
collect counter packets
collect flow sampler
collect interface output
collect ipv4 destination mask
collect ipv4 dscp
collect ipv4 id
collect ipv4 source mask
collect ipv4 source prefix
collect routing destination as
collect routing next-hop address ipv4
collect routing source as
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect transport tcp flags
!
flow exporter LIVEACTION-FLOWEXPORTER-IPFIX
description DO NOT MODIFY. USED BY LIVEACTION.
destination 198.18.133.34
source Loopback0
transport udp 2055
export-protocol ipfix
option interface-table
option vrf-table
option application-table
option c3pl-class-table
option c3pl-policy-table
option application-attributes
!
flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-AVC
description DO NOT MODIFY. USED BY LIVEACTION.
record LIVEACTION-FLOWRECORD-AVC
exporter LIVEACTION-FLOWEXPORTER-IPFIX
cache entries 6500
!
flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-MEDIANET
description DO NOT MODIFY. USED BY LIVEACTION.
record LIVEACTION-FLOWRECORD-MEDIANET
exporter LIVEACTION-FLOWEXPORTER-IPFIX
!
flow monitor LIVEACTION-FLOWMONITOR
description DO NOT MODIFY. USED BY LIVEACTION.
exporter LIVEACTION-FLOWEXPORTER-IPFIX
cache timeout inactive 10
cache timeout active 60
record LIVEACTION-FLOWRECORD
!
multilink bundle-name authenticated
!
domain 10
vrf default
master transit 1
source-interface Loopback0
site-prefixes prefix-list DC2_Prefix
hub 10.1.0.10
!
license udi pid CSR1000V sn 948QOETXPZQ
license boot level ax
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$gJ0U$WobSFrOdaJI0s3Iz5LVe0/
!
redundancy
!
class-map match-any LIVEACTION-CLASS-AVC
match access-group name LIVEACTION-ACL-AVC
class-map match-any LIVEACTION-CLASS-MEDIANET
match protocol rtp
!
policy-map type performance-monitor LIVEACTION-POLICY-UNIFIED
class LIVEACTION-CLASS-AVC
flow monitor LIVEACTION-FLOWMONITOR-AVC
class LIVEACTION-CLASS-MEDIANET
flow monitor LIVEACTION-FLOWMONITOR-MEDIANET
!
interface Loopback0
ip address 10.2.0.20 255.255.255.255
!
interface GigabitEthernet1
description LAN interface
ip address 10.2.1.20 255.255.255.0
ip nbar protocol-discovery
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
load-interval 30
negotiation auto
cdp enable
service-policy type performance-monitor input LIVEACTION-POLICY-UNIFIED
service-policy type performance-monitor output LIVEACTION-POLICY-UNIFIED
!
router eigrp IWAN-EIGRP
!
address-family ipv4 unicast autonomous-system 400
!
af-interface default
passive-interface
exit-af-interface
!
af-interface GigabitEthernet1
no passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 10.2.0.0 0.0.255.255
eigrp router-id 10.2.0.20
exit-address-family
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip access-list extended LIVEACTION-ACL-AVC
permit tcp any any
!
ip prefix-list DC2_Prefix seq 25 permit 198.18.0.0/16
ip prefix-list DC2_Prefix seq 40 permit 10.2.0.0/16
no service-routing capabilities-manager
!
snmp-server community cisco123 RW 55
!
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
stopbits 1
line vty 0 4
exec-timeout 0 0
logging synchronous
login local
transport input telnet ssh
!
ntp source Loopback0
ntp server 198.18.128.1
onep
!
end
Router R21-Hub-DC2
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname R21-Hub-DC2
!
boot-start-marker
boot system bootflash:csr1000v-universalk9.03.16.01a.S.155-3.S1a-ext.SPA.bin
boot-end-marker
!
vrf definition MPLS1
!
address-family ipv4
exit-address-family
!
enable secret 5 $1$EIiO$Q.ZhnZUcsgJ0SO3kxHxwu.
!
no aaa new-model
clock summer-time PDT recurring
!
ip multicast-routing distributed
!
ip name-server 198.18.133.1
!
ip domain lookup source-interface Loopback0
ip domain name dcloud.cisco.com
!
subscriber templating
!
flow record type performance-monitor LIVEACTION-FLOWRECORD-AVC
description DO NOT MODIFY. USED BY LIVEACTION.
match application name account-on-resolution
match connection client ipv4 address
match connection server ipv4 address
match connection server transport port
match ipv4 protocol
match routing vrf input
collect application http host
collect connection client counter bytes long
collect connection client counter bytes network long
collect connection client counter packets long
collect connection client counter packets retransmitted
collect connection delay application sum
collect connection delay network client-to-server sum
collect connection delay network to-client sum
collect connection delay network to-server sum
collect connection delay response client-to-server sum
collect connection delay response to-server histogram late
collect connection delay response to-server sum
collect connection initiator
collect connection new-connections
collect connection server counter bytes long
collect connection server counter bytes network long
collect connection server counter packets long
collect connection server counter responses
collect connection sum-duration
collect connection transaction counter complete
collect connection transaction duration max
collect connection transaction duration min
collect connection transaction duration sum
collect interface input
collect interface output
collect ipv4 destination address
collect ipv4 dscp
collect ipv4 source address
collect ipv4 ttl
!
flow record LIVEACTION-FLOWRECORD
description DO NOT MODIFY. USED BY LIVEACTION.
match flow direction
match interface input
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect application name
collect counter bytes
collect counter packets
collect flow sampler
collect interface output
collect ipv4 destination mask
collect ipv4 dscp
collect ipv4 id
collect ipv4 source mask
collect ipv4 source prefix
collect routing destination as
collect routing next-hop address ipv4
collect routing source as
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect transport tcp flags
!
flow exporter LIVEACTION-FLOWEXPORTER-IPFIX
description DO NOT MODIFY. USED BY LIVEACTION.
destination 198.18.133.34
source Loopback0
transport udp 2055
export-protocol ipfix
option interface-table
option vrf-table
option application-table
option c3pl-class-table
option c3pl-policy-table
option application-attributes
!
flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-AVC
description DO NOT MODIFY. USED BY LIVEACTION.
record LIVEACTION-FLOWRECORD-AVC
exporter LIVEACTION-FLOWEXPORTER-IPFIX
cache entries 6500
!
flow monitor LIVEACTION-FLOWMONITOR
description DO NOT MODIFY. USED BY LIVEACTION.
exporter LIVEACTION-FLOWEXPORTER-IPFIX
cache timeout inactive 10
cache timeout active 60
record LIVEACTION-FLOWRECORD
!
multilink bundle-name authenticated
!
domain 10
vrf default
border
source-interface Loopback0
master 10.2.0.20
!
license udi pid CSR1000V sn 9ZF91NWOZAL
license boot level ax
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$j3K6$6zkRfjf6nguXJNC4QbGMl0
!
redundancy
!
crypto ikev2 keyring DMVPN-KEYRING-MPLS
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key 123CISCO
!
crypto ikev2 profile DMVPN-IKE-PROFILE-MPLS
match fvrf MPLS1
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local DMVPN-KEYRING-MPLS
!
cdp run
!
class-map match-any LIVEACTION-CLASS-AVC
match access-group name LIVEACTION-ACL-AVC
class-map match-any STREAMING-VIDEO
match dscp af31 af32
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41 af42
class-map match-any CRITICAL-DATA
match dscp af11 af21
match access-group name MARK-CRITICAL
class-map match-any NET-CTRL-MGMT
match dscp cs2 cs6
class-map match-any VOICE
match dscp ef
match access-group name MARK-VOIP
class-map match-any SCAVENGER
match dscp cs1
match access-group name MARK-SCAVENGER
class-map match-any LIVEACTION-CLASS-MEDIANET
match protocol rtp
class-map match-any CALL-SIGNALING
match dscp cs3
!
policy-map WAN
class INTERACTIVE-VIDEO
bandwidth remaining percent 30
random-detect dscp-based
set dscp tunnel af41
class STREAMING-VIDEO
bandwidth remaining percent 10
random-detect dscp-based
set dscp tunnel af41
class NET-CTRL-MGMT
bandwidth remaining percent 5
set dscp tunnel cs6
class CALL-SIGNALING
bandwidth remaining percent 4
set dscp tunnel af41
class CRITICAL-DATA
bandwidth remaining percent 25
random-detect dscp-based
set dscp tunnel af21
class SCAVENGER
bandwidth remaining percent 1
set dscp tunnel af11
class VOICE
priority level 1
police cir percent 10
set dscp tunnel ef
class class-default
bandwidth remaining percent 25
random-detect
set dscp tunnel default
policy-map RS-GROUP-200MBPS-POLICY
class class-default
shape average 200000000
bandwidth remaining ratio 200
service-policy WAN
policy-map INTERFACE-G1
class class-default
shape average 100000000
policy-map RS-GROUP-20MBPS-POLICY
class class-default
shape average 20000000
bandwidth remaining ratio 20
service-policy WAN
policy-map LAN-MARKING
class CRITICAL-DATA
set dscp af21
class VOICE
set dscp ef
class SCAVENGER
set dscp cs1
policy-map type performance-monitor LIVEACTION-POLICY-UNIFIED
class LIVEACTION-CLASS-AVC
flow monitor LIVEACTION-FLOWMONITOR-AVC
class LIVEACTION-CLASS-MEDIANET
policy-map RS-GROUP-30MBPS-POLICY
class class-default
shape average 30000000
bandwidth remaining ratio 30
service-policy WAN
policy-map RS-GROUP-300MBPS-POLICY
class class-default
shape average 300000000
bandwidth remaining ratio 300
service-policy WAN
policy-map RS-GROUP-100MBPS-POLICY
class class-default
shape average 100000000
bandwidth remaining ratio 100
service-policy WAN
policy-map RS-GROUP-50MBPS-POLICY
class class-default
shape average 50000000
bandwidth remaining ratio 50
service-policy WAN
policy-map RS-GROUP-10MBPS-POLICY
class class-default
shape average 10000000
bandwidth remaining ratio 10
service-policy WAN
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-IPSEC-PROFILE-MPLS
set transform-set AES256/SHA/TRANSPORT
set ikev2-profile DMVPN-IKE-PROFILE-MPLS
!
interface Loopback0
ip address 10.2.0.21 255.255.255.255
!
interface Tunnel100
description ***DMVPN Tunnel over MPLS***
bandwidth 1000
ip address 192.168.100.21 255.255.255.0
no ip redirects
ip mtu 1400
ip nbar protocol-discovery
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
ip nhrp map multicast dynamic
ip nhrp map group RS-GROUP-300MBPS service-policy output RS-GROUP-300MBPS-POLICY
ip nhrp map group RS-GROUP-200MBPS service-policy output RS-GROUP-200MBPS-POLICY
ip nhrp map group RS-GROUP-100MBPS service-policy output RS-GROUP-100MBPS-POLICY
ip nhrp map group RS-GROUP-50MBPS service-policy output RS-GROUP-50MBPS-POLICY
ip nhrp map group RS-GROUP-30MBPS service-policy output RS-GROUP-30MBPS-POLICY
ip nhrp map group RS-GROUP-20MBPS service-policy output RS-GROUP-20MBPS-POLICY
ip nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY
ip nhrp network-id 100
ip nhrp holdtime 70
ip nhrp redirect
ip tcp adjust-mss 1360
delay 1000
if-state nhrp
tunnel source GigabitEthernet1
tunnel mode gre multipoint
tunnel vrf MPLS1
tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-MPLS
domain 10 path MPLS path-id 1
!
interface GigabitEthernet1
description MPLS interface
vrf forwarding MPLS1
ip address 172.16.21.1 255.255.255.252
load-interval 30
negotiation auto
cdp enable
service-policy output INTERFACE-G1
!
interface GigabitEthernet2
description Site-Lan
ip address 10.2.2.21 255.255.255.0
load-interval 30
delay 24000
negotiation auto
cdp enable
service-policy input LAN-MARKING
!
router eigrp IWAN-EIGRP
!
address-family ipv4 unicast autonomous-system 400
!
af-interface Tunnel100
hello-interval 20
hold-time 60
no split-horizon
summary-address 10.0.0.0 255.0.0.0
summary-address 10.2.0.0 255.255.0.0
exit-af-interface
!
topology base
distribute-list prefix EIGRPSUMMARY in Tunnel100
summary-metric 10.2.0.0/16 10000000 1 255 0 1500 distance 250
summary-metric 10.0.0.0/8 10000000 1 255 0 1500 distance 250
exit-af-topology
network 10.2.0.0 0.0.255.255
network 192.168.100.0
eigrp router-id 10.2.0.21
exit-address-family
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route vrf MPLS1 0.0.0.0 0.0.0.0 172.16.21.2
!
ip access-list extended LIVEACTION-ACL-AVC
permit tcp any any
ip access-list extended MARK-CRITICAL
permit ip host 198.18.133.110 host 10.5.1.11
permit ip host 198.18.133.110 host 10.5.1.12
permit ip host 198.18.133.110 host 10.4.4.21
permit ip host 198.18.133.110 host 10.4.4.22
ip access-list extended MARK-SCAVENGER
permit tcp any eq ftp any
permit tcp any eq ftp-data any
permit tcp any any eq ftp
permit tcp any any eq ftp-data
ip access-list extended MARK-VOIP
permit ip host 198.18.133.36 host 10.5.1.11
permit ip host 198.18.133.36 host 10.4.4.21
!
ip prefix-list EIGRPSUMMARY seq 10 deny 0.0.0.0/0
ip prefix-list EIGRPSUMMARY seq 20 deny 10.0.0.0/8
ip prefix-list EIGRPSUMMARY seq 30 deny 10.1.0.0/16
ip prefix-list EIGRPSUMMARY seq 40 deny 10.2.0.0/16
ip prefix-list EIGRPSUMMARY seq 50 permit 0.0.0.0/0 le 32
no service-routing capabilities-manager
!
snmp-server community cisco123 RW 55
!
control-plane
!
line con 0
stopbits 1
line vty 0 4
exec-timeout 0 0
logging synchronous
login local
transport input telnet ssh
!
ntp source Loopback0
ntp server 198.18.128.1
onep
!
end
Router R22-Hub-DC2
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname R22-Hub-DC2
!
boot-start-marker
boot system bootflash:csr1000v-universalk9.03.16.01a.S.155-3.S1a-ext.SPA.bin
boot-end-marker
!
vrf definition INET1
!
address-family ipv4
exit-address-family
!
enable secret 5 $1$uvdG$VeavXN/At4LxAf8jc3QHg0
!
no aaa new-model
clock timezone PST -7 0
clock summer-time PDT recurring
!
ip multicast-routing distributed
!
ip name-server 198.18.133.1
!
ip domain lookup source-interface Loopback0
ip domain name dcloud.cisco.com
!
subscriber templating
!
flow record type performance-monitor LIVEACTION-FLOWRECORD-AVC
description DO NOT MODIFY. USED BY LIVEACTION.
match application name account-on-resolution
match connection client ipv4 address
match connection server ipv4 address
match connection server transport port
match ipv4 protocol
match routing vrf input
collect application http host
collect connection client counter bytes long
collect connection client counter bytes network long
collect connection client counter packets long
collect connection client counter packets retransmitted
collect connection delay application sum
collect connection delay network client-to-server sum
collect connection delay network to-client sum
collect connection delay network to-server sum
collect connection delay response client-to-server sum
collect connection delay response to-server histogram late
collect connection delay response to-server sum
collect connection initiator
collect connection new-connections
collect connection server counter bytes long
collect connection server counter bytes network long
collect connection server counter packets long
collect connection server counter responses
collect connection sum-duration
collect connection transaction counter complete
collect connection transaction duration max
collect connection transaction duration min
collect connection transaction duration sum
collect interface input
collect interface output
collect ipv4 destination address
collect ipv4 dscp
collect ipv4 source address
collect ipv4 ttl
!
flow record LIVEACTION-FLOWRECORD
description DO NOT MODIFY. USED BY LIVEACTION.
match flow direction
match interface input
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect application name
collect counter bytes
collect counter packets
collect flow sampler
collect interface output
collect ipv4 destination mask
collect ipv4 dscp
collect ipv4 id
collect ipv4 source mask
collect ipv4 source prefix
collect routing destination as
collect routing next-hop address ipv4
collect routing source as
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect transport tcp flags
!
flow exporter LIVEACTION-FLOWEXPORTER-IPFIX
description DO NOT MODIFY. USED BY LIVEACTION.
destination 198.18.133.34
source Loopback0
transport udp 2055
export-protocol ipfix
option interface-table
option vrf-table
option application-table
option c3pl-class-table
option c3pl-policy-table
option application-attributes
!
flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-AVC
description DO NOT MODIFY. USED BY LIVEACTION.
record LIVEACTION-FLOWRECORD-AVC
exporter LIVEACTION-FLOWEXPORTER-IPFIX
cache entries 6500
!
flow monitor LIVEACTION-FLOWMONITOR
description DO NOT MODIFY. USED BY LIVEACTION.
exporter LIVEACTION-FLOWEXPORTER-IPFIX
cache timeout inactive 10
cache timeout active 60
record LIVEACTION-FLOWRECORD
!
multilink bundle-name authenticated
!
domain 10
vrf default
border
source-interface Loopback0
master 10.2.0.20
!
license udi pid CSR1000V sn 9T8CCIBM6RN
license boot level ax
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$3TO/$HWZCFrD7mgrOb0ZIV9COD1
!
redundancy
!
crypto ikev2 keyring DMVPN-KEYRING-INET
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key 123CISCO
!
crypto ikev2 profile DMVPN-IKE-PROFILE-INET
match fvrf INET1
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local DMVPN-KEYRING-INET
!
cdp run
!
class-map match-any LIVEACTION-CLASS-AVC
match access-group name LIVEACTION-ACL-AVC
class-map match-any STREAMING-VIDEO
match dscp af31 af32
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41 af42
class-map match-any CRITICAL-DATA
match dscp af11 af21
match access-group name MARK-CRITICAL
class-map match-any NET-CTRL-MGMT
match dscp cs2 cs6
class-map match-any VOICE
match dscp ef
match access-group name MARK-VOIP
class-map match-any SCAVENGER
match dscp cs1
match access-group name MARK-SCAVENGER
class-map match-any LIVEACTION-CLASS-MEDIANET
match protocol rtp
class-map match-any CALL-SIGNALING
match dscp cs3
!
policy-map WAN
class INTERACTIVE-VIDEO
bandwidth remaining percent 30
random-detect dscp-based
set dscp tunnel af41
class STREAMING-VIDEO
bandwidth remaining percent 10
random-detect dscp-based
set dscp tunnel af41
class NET-CTRL-MGMT
bandwidth remaining percent 5
set dscp tunnel cs6
class CALL-SIGNALING
bandwidth remaining percent 4
set dscp tunnel af41
class CRITICAL-DATA
bandwidth remaining percent 25
random-detect dscp-based
set dscp tunnel af21
class SCAVENGER
bandwidth remaining percent 1
set dscp tunnel af11
class VOICE
priority level 1
police cir percent 10
set dscp tunnel ef
class class-default
bandwidth remaining percent 25
random-detect
set dscp tunnel default
policy-map RS-GROUP-200MBPS-POLICY
class class-default
shape average 200000000
bandwidth remaining ratio 200
service-policy WAN
policy-map INTERFACE-G1
class class-default
shape average 100000000
policy-map RS-GROUP-20MBPS-POLICY
class class-default
shape average 20000000
bandwidth remaining ratio 20
service-policy WAN
policy-map LAN-MARKING
class CRITICAL-DATA
set dscp af21
class VOICE
set dscp ef
class SCAVENGER
set dscp cs1
policy-map type performance-monitor LIVEACTION-POLICY-UNIFIED
class LIVEACTION-CLASS-AVC
flow monitor LIVEACTION-FLOWMONITOR-AVC
class LIVEACTION-CLASS-MEDIANET
policy-map RS-GROUP-30MBPS-POLICY
class class-default
shape average 30000000
bandwidth remaining ratio 30
service-policy WAN
policy-map RS-GROUP-300MBPS-POLICY
class class-default
shape average 300000000
bandwidth remaining ratio 300
service-policy WAN
policy-map RS-GROUP-100MBPS-POLICY
class class-default
shape average 100000000
bandwidth remaining ratio 100
service-policy WAN
policy-map RS-GROUP-50MBPS-POLICY
class class-default
shape average 50000000
bandwidth remaining ratio 50
service-policy WAN
policy-map RS-GROUP-10MBPS-POLICY
class class-default
shape average 10000000
bandwidth remaining ratio 10
service-policy WAN
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-IPSEC-PROFILE-INET
set transform-set AES256/SHA/TRANSPORT
set ikev2-profile DMVPN-IKE-PROFILE-INET
!
interface Loopback0
ip address 10.2.0.22 255.255.255.255
!
interface Tunnel200
description ***DMVPN Tunnel over Internet***
bandwidth 1000
ip address 192.168.200.22 255.255.255.0
no ip redirects
ip mtu 1400
ip nbar protocol-discovery
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
ip nhrp map multicast dynamic
ip nhrp map group RS-GROUP-300MBPS service-policy output RS-GROUP-300MBPS-POLICY
ip nhrp map group RS-GROUP-200MBPS service-policy output RS-GROUP-200MBPS-POLICY
ip nhrp map group RS-GROUP-100MBPS service-policy output RS-GROUP-100MBPS-POLICY
ip nhrp map group RS-GROUP-50MBPS service-policy output RS-GROUP-50MBPS-POLICY
ip nhrp map group RS-GROUP-30MBPS service-policy output RS-GROUP-30MBPS-POLICY
ip nhrp map group RS-GROUP-20MBPS service-policy output RS-GROUP-20MBPS-POLICY
ip nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY
ip nhrp network-id 200
ip nhrp holdtime 70
ip nhrp redirect
ip tcp adjust-mss 1360
delay 2000
if-state nhrp
tunnel source GigabitEthernet1
tunnel mode gre multipoint
tunnel vrf INET1
tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-INET
domain 10 path INET path-id 2
!
interface GigabitEthernet1
description INET interface
vrf forwarding INET1
ip address 100.64.22.1 255.255.255.252
load-interval 30
negotiation auto
cdp enable
service-policy output INTERFACE-G1
!
interface GigabitEthernet2
description Site-Lan
ip address 10.2.2.22 255.255.255.0
load-interval 30
delay 24000
negotiation auto
cdp enable
service-policy input LAN-MARKING
!
router eigrp IWAN-EIGRP
!
address-family ipv4 unicast autonomous-system 400
!
af-interface Tunnel200
hello-interval 20
hold-time 60
no split-horizon
summary-address 10.0.0.0 255.0.0.0
summary-address 10.2.0.0 255.255.0.0
exit-af-interface
!
topology base
distribute-list prefix EIGRPSUMMARY in Tunnel200
summary-metric 10.2.0.0/16 10000000 1 255 0 1500 distance 250
summary-metric 10.0.0.0/8 10000000 1 255 0 1500 distance 250
exit-af-topology
network 10.2.0.0 0.0.255.255
network 192.168.200.0
eigrp router-id 10.2.0.22
exit-address-family
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route vrf INET1 0.0.0.0 0.0.0.0 100.64.22.2
!
ip access-list extended LIVEACTION-ACL-AVC
permit tcp any any
ip access-list extended MARK-CRITICAL
permit ip host 198.18.133.110 host 10.5.1.11
permit ip host 198.18.133.110 host 10.5.1.12
permit ip host 198.18.133.110 host 10.4.4.21
permit ip host 198.18.133.110 host 10.4.4.22
ip access-list extended MARK-SCAVENGER
permit tcp any eq ftp any
permit tcp any eq ftp-data any
permit tcp any any eq ftp
permit tcp any any eq ftp-data
ip access-list extended MARK-VOIP
permit ip host 198.18.133.36 host 10.5.1.11
permit ip host 198.18.133.36 host 10.4.4.21
!
ip prefix-list EIGRPSUMMARY seq 10 deny 0.0.0.0/0
ip prefix-list EIGRPSUMMARY seq 20 deny 10.0.0.0/8
ip prefix-list EIGRPSUMMARY seq 30 deny 10.1.0.0/16
ip prefix-list EIGRPSUMMARY seq 40 deny 10.2.0.0/16
ip prefix-list EIGRPSUMMARY seq 50 permit 0.0.0.0/0 le 32
no service-routing capabilities-manager
!
snmp-server community cisco123 RW 55
!
control-plane
!
line con 0
stopbits 1
line vty 0 4
exec-timeout 0 0
logging synchronous
login local
transport input telnet ssh
!
ntp source Loopback0
ntp server 198.18.128.1
onep
!
end
Router R41-Spoke-Site4
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R41-Spoke-Site4
!
boot-start-marker
boot-end-marker
!
vrf definition INET1
!
address-family ipv4
exit-address-family
!
vrf definition MPLS1
!
address-family ipv4
exit-address-family
!
logging console warnings
enable secret 5 $1$5abw$/S6M9GiORaLyD8OxWuMoa1
!
no aaa new-model
!
clock timezone PST -7 0
clock summer-time PDT recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
ip domain lookup source-interface Loopback0
ip domain name dcloud.cisco.com
ip name-server 198.18.133.1
ip cef
no ipv6 cef
!
flow record type performance-monitor LIVEACTION-FLOWRECORD-AVC
description DO NOT MODIFY. USED BY LIVEACTION.
match application name account-on-resolution
match connection client ipv4 address
match connection server ipv4 address
match connection server transport port
match ipv4 protocol
match routing vrf input
collect application http host
collect application http uri statistics
collect connection client counter bytes long
collect connection client counter bytes network long
collect connection client counter packets long
collect connection client counter packets retransmitted
collect connection delay application sum
collect connection delay network client-to-server sum
collect connection delay network to-client sum
collect connection delay network to-server sum
collect connection delay response client-to-server sum
collect connection delay response to-server histogram late
collect connection delay response to-server sum
collect connection initiator
collect connection new-connections
collect connection server counter bytes long
collect connection server counter bytes network long
collect connection server counter packets long
collect connection server counter responses
collect connection sum-duration
collect connection transaction counter complete
collect connection transaction duration max
collect connection transaction duration min
collect connection transaction duration sum
collect interface input
collect interface output
collect ipv4 destination address
collect ipv4 dscp
collect ipv4 source address
collect ipv4 ttl
!
flow record type performance-monitor LIVEACTION-FLOWRECORD-MEDIANET
description DO NOT MODIFY. USED BY LIVEACTION.
match flow direction
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match transport destination-port
match transport rtp ssrc
match transport source-port
collect application media bytes counter
collect application media bytes rate
collect application media event
collect application media packets counter
collect application media packets rate
collect application name
collect counter bytes
collect counter bytes rate
collect counter packets
collect interface input
collect interface output
collect ipv4 dscp
collect ipv4 ttl
collect monitor event
collect routing forwarding-status
collect timestamp interval
collect transport event packet-loss counter
collect transport packets expected counter
collect transport packets lost counter
collect transport packets lost rate
collect transport rtp jitter maximum
collect transport rtp jitter mean
collect transport rtp jitter minimum
!
flow record LIVEACTION-FLOWRECORD
description DO NOT MODIFY. USED BY LIVEACTION.
match flow direction
match interface input
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect application name
collect counter bytes
collect counter packets
collect flow sampler
collect interface output
collect ipv4 destination mask
collect ipv4 dscp
collect ipv4 id
collect ipv4 source mask
collect ipv4 source prefix
collect routing destination as
collect routing next-hop address ipv4
collect routing source as
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect transport tcp flags
!
flow exporter LIVEACTION-FLOWEXPORTER-IPFIX
description DO NOT MODIFY. USED BY LIVEACTION.
destination 198.18.133.34
source Loopback0
transport udp 2055
export-protocol ipfix
option interface-table
option vrf-table
option c3pl-class-table
option c3pl-policy-table
option application-table
option application-attributes
!
flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-AVC
description DO NOT MODIFY. USED BY LIVEACTION.
record LIVEACTION-FLOWRECORD-AVC
exporter LIVEACTION-FLOWEXPORTER-IPFIX
cache entries 6500
!
flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-MEDIANET
description DO NOT MODIFY. USED BY LIVEACTION.
record LIVEACTION-FLOWRECORD-MEDIANET
exporter LIVEACTION-FLOWEXPORTER-IPFIX
!
flow monitor LIVEACTION-FLOWMONITOR
description DO NOT MODIFY. USED BY LIVEACTION.
exporter LIVEACTION-FLOWEXPORTER-IPFIX
cache timeout inactive 10
cache timeout active 60
record LIVEACTION-FLOWRECORD
!
multilink bundle-name authenticated
!
domain 10
vrf default
border
source-interface Loopback0
master local
master branch
source-interface Loopback0
hub 10.1.0.10
!
cts logging verbose
!
username admin privilege 15 secret 5 $1$kC78$yLDu4V/p/cr8bdJlwKEGf/
!
redundancy
!
class-map match-any LIVEACTION-CLASS-AVC
match access-group name LIVEACTION-ACL-AVC
class-map match-any STREAMING-VIDEO
match dscp af31 af32
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41 af42
class-map match-any CRITICAL-DATA
match dscp af11 af21
match access-group name MARK-CRITICAL
class-map match-any NET-CTRL-MGMT
match dscp cs2 cs6
class-map match-any VOICE
match dscp ef
match access-group name MARK-VOIP
class-map match-any SCAVENGER
match dscp cs1
match access-group name MARK-SCAVENGER
class-map match-any LIVEACTION-CLASS-MEDIANET
match protocol rtp
class-map match-any CALL-SIGNALING
match dscp cs3
!
policy-map LAN-MARKING
class CRITICAL-DATA
set dscp af21
class VOICE
set dscp ef
class SCAVENGER
set dscp cs1
policy-map WAN
class INTERACTIVE-VIDEO
bandwidth remaining percent 30
random-detect dscp-based
set dscp tunnel af41
class STREAMING-VIDEO
bandwidth remaining percent 10
random-detect dscp-based
set dscp tunnel af41
class NET-CTRL-MGMT
bandwidth remaining percent 5
set dscp tunnel cs6
class CALL-SIGNALING
bandwidth remaining percent 4
set dscp tunnel af41
class CRITICAL-DATA
bandwidth remaining percent 25
random-detect dscp-based
set dscp tunnel af21
class SCAVENGER
bandwidth remaining percent 1
set dscp tunnel af11
class VOICE
priority level 1
police cir percent 10
set dscp tunnel ef
class class-default
bandwidth remaining percent 25
random-detect
set dscp tunnel default
policy-map INTERFACE-E0/1
class class-default
shape average 10000000
service-policy WAN
policy-map INTERFACE-E0/0
class class-default
shape average 20000000
service-policy WAN
policy-map type performance-monitor LIVEACTION-POLICY-UNIFIED
class LIVEACTION-CLASS-AVC
flow monitor LIVEACTION-FLOWMONITOR-AVC
class LIVEACTION-CLASS-MEDIANET
flow monitor LIVEACTION-FLOWMONITOR-MEDIANET
!
crypto ikev2 keyring DMVPN-KEYRING-INET
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key 123CISCO
!
crypto ikev2 keyring DMVPN-KEYRING-MPLS
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key 123CISCO
!
crypto ikev2 profile DMVPN-IKE-PROFILE-INET
match fvrf INET1
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local DMVPN-KEYRING-INET
dpd 40 5 on-demand
!
crypto ikev2 profile DMVPN-IKE-PROFILE-MPLS
match fvrf MPLS1
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local DMVPN-KEYRING-MPLS
dpd 40 5 on-demand
!
crypto isakmp nat keepalive 20
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-IPSEC-PROFILE-INET
set transform-set AES256/SHA/TRANSPORT
set ikev2-profile DMVPN-IKE-PROFILE-INET
!
crypto ipsec profile DMVPN-IPSEC-PROFILE-MPLS
set transform-set AES256/SHA/TRANSPORT
set ikev2-profile DMVPN-IKE-PROFILE-MPLS
!
interface Loopback0
ip address 10.4.0.41 255.255.255.255
!
interface Tunnel100
description ** DMVPN Tunnel over MPLS **
bandwidth 1000
ip address 192.168.100.41 255.255.255.0
no ip redirects
ip mtu 1400
ip nbar protocol-discovery
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
ip nhrp group RS-GROUP-10MBPS
ip nhrp network-id 100
ip nhrp holdtime 70
ip nhrp nhs 192.168.100.11 nbma 172.16.11.1 multicast
ip nhrp nhs 192.168.100.21 nbma 172.16.21.1 multicast
ip nhrp shortcut
ip tcp adjust-mss 1360
delay 1000
if-state nhrp
tunnel source Ethernet0/1
tunnel mode gre multipoint
tunnel vrf MPLS1
tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-MPLS
service-policy type performance-monitor input LIVEACTION-POLICY-UNIFIED
service-policy type performance-monitor output LIVEACTION-POLICY-UNIFIED
!
interface Tunnel200
description ** DMVPN Tunnel over INET **
bandwidth 1000
ip address 192.168.200.41 255.255.255.0
no ip redirects
ip mtu 1400
ip nbar protocol-discovery
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
ip nhrp group RS-GROUP-20MBPS
ip nhrp network-id 200
ip nhrp holdtime 70
ip nhrp nhs 192.168.200.12 nbma 100.64.12.1 multicast
ip nhrp nhs 192.168.200.22 nbma 100.64.22.1 multicast
ip nhrp shortcut
ip tcp adjust-mss 1360
delay 20000
no nhrp route-watch
if-state nhrp
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel vrf INET1
tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-INET
service-policy type performance-monitor input LIVEACTION-POLICY-UNIFIED
service-policy type performance-monitor output LIVEACTION-POLICY-UNIFIED
!
interface Ethernet0/0
description INET interface
vrf forwarding INET1
ip address 100.64.41.1 255.255.255.252
load-interval 30
service-policy output INTERFACE-E0/0
!
interface Ethernet0/1
description MPLS interface
vrf forwarding MPLS1
ip address 172.16.41.1 255.255.255.252
load-interval 30
service-policy output INTERFACE-E0/1
!
interface Ethernet0/2
description Site-Lan1
ip address 10.4.4.41 255.255.255.0
load-interval 30
delay 20000
service-policy input LAN-MARKING
!
interface Ethernet0/3
description Site-Lan2
ip address 10.4.100.41 255.255.255.0
load-interval 30
delay 20000
!
interface Ethernet1/0
no ip address
shutdown
!
interface Ethernet1/1
no ip address
shutdown
!
interface Ethernet1/2
no ip address
shutdown
!
interface Ethernet1/3
no ip address
shutdown
!
router eigrp IWAN-EIGRP
!
address-family ipv4 unicast autonomous-system 400
!
af-interface Tunnel100
stub-site wan-interface
exit-af-interface
!
af-interface Tunnel200
stub-site wan-interface
exit-af-interface
!
topology base
exit-af-topology
network 10.4.0.0 0.0.255.255
network 192.168.100.0
network 192.168.200.0
eigrp router-id 10.4.0.41
eigrp stub-site 1:1
exit-address-family
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route vrf INET1 0.0.0.0 0.0.0.0 100.64.41.2
ip route vrf MPLS1 0.0.0.0 0.0.0.0 172.16.41.2
!
ip access-list extended LIVEACTION-ACL-AVC
permit tcp any any
ip access-list extended MARK-CRITICAL
permit ip host 10.5.1.11 host 198.18.133.110
permit ip host 10.5.1.12 host 198.18.133.110
permit ip host 10.4.4.21 host 198.18.133.110
permit ip host 10.4.4.22 host 198.18.133.110
ip access-list extended MARK-SCAVENGER
permit tcp any eq ftp any
permit tcp any eq ftp-data any
permit tcp any any eq ftp
permit tcp any any eq ftp-data
ip access-list extended MARK-VOIP
permit ip host 10.5.1.11 host 198.18.133.36
permit ip host 10.4.4.21 host 198.18.133.36
!
no service-routing capabilities-manager
!
snmp-server community cisco123 RW 55
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login local
transport input telnet ssh
!
ntp source Loopback0
ntp server 198.18.128.1
!
end
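The listings above use lab-grade management and IKEv2 settings. The following is an added example, not part of the lab guide: a Python audit that walks a flattened listing like these and reports the settings that should be tightened before a configuration is reused outside the lab. The rule names and every value in `HARDENED_CONFIG` are constructed for this example.

```python
import re

# Excerpt in the flattened (unindented) form of the listings above. Lines come
# from the R41-Spoke-Site4 listing; the secret hash is a constructed placeholder.
SAMPLE_CONFIG = """\
hostname R41-Spoke-Site4
!
enable secret 5 $1$XXXX$constructedPlaceholderHash000
!
crypto ikev2 keyring DMVPN-KEYRING-INET
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key 123CISCO
!
snmp-server community cisco123 RW 55
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login local
transport input telnet ssh
!
end
"""

# Constructed counterpart with each flagged setting tightened (peer name, keys,
# community string and ACL entry are assumptions made for this example).
HARDENED_CONFIG = """\
enable secret 9 $9$constructed$placeholderScryptHash
!
crypto ikev2 keyring DMVPN-KEYRING-INET
peer HUB-DC1
address 100.64.12.1
pre-shared-key CONSTRUCTED-PER-PEER-KEY
!
access-list 55 permit 198.18.133.34
snmp-server community CONSTRUCTED-RO-STRING RO 55
!
line con 0
exec-timeout 10 0
line vty 0 4
exec-timeout 10 0
login local
transport input ssh
!
end
"""

# Lines that open a new context; needed because indentation is lost in the listing.
SECTION_START = re.compile(r"^(line |crypto ikev2 keyring |interface |router )")
ACL_DEF = re.compile(r"^(?:ip )?access-list (?:standard |extended )?(\S+)")
SNMP = re.compile(r"^snmp-server community \S+ (RO|RW)(?: (\S+))?$")


def audit(config_text):
    """Return (rule, context) findings in listing order; secrets are never echoed."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    defined_acls = {m.group(1) for m in map(ACL_DEF.match, lines) if m}
    findings, context, wildcard_peer = [], "global", False
    for ln in lines:
        if not ln or ln == "!":              # "!" closes the current section
            context, wildcard_peer = "global", False
            continue
        if SECTION_START.match(ln):
            context, wildcard_peer = ln, False
            continue
        if re.search(r"\bsecret 5 \S+", ln):  # type 5 = salted MD5-crypt
            findings.append(("SECRET-TYPE5", context))
        m = SNMP.match(ln)
        if m:
            if m.group(1) == "RW":
                findings.append(("SNMP-RW", context))
            if m.group(2) and m.group(2) not in defined_acls:
                findings.append(("SNMP-ACL-UNDEFINED", context))
        if context.startswith("line "):
            words = ln.split()
            if ln == "exec-timeout 0 0":      # idle sessions never expire
                findings.append(("NO-IDLE-TIMEOUT", context))
            if ln == "privilege level 15":    # line starts in privileged EXEC
                findings.append(("LINE-PRIV15", context))
            if words[:2] == ["transport", "input"] and {"telnet", "all"} & set(words):
                findings.append(("TELNET-ENABLED", context))
        if context.startswith("crypto ikev2 keyring "):
            if ln.startswith("peer "):
                wildcard_peer = False
            elif ln == "address 0.0.0.0 0.0.0.0":
                wildcard_peer = True          # key is offered to any peer address
            elif ln.startswith("pre-shared-key ") and wildcard_peer:
                findings.append(("WILDCARD-PSK", context))
    return findings


if __name__ == "__main__":
    for rule, ctx in audit(SAMPLE_CONFIG):
        print(f"{rule:20} {ctx}")
```

`SNMP-ACL-UNDEFINED` fires because the community line references access list 55, which none of the listings in this section define.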
Router R51-Spoke-Site5
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R51-Spoke-Site5
!
boot-start-marker
boot-end-marker
!
vrf definition MPLS1
!
address-family ipv4
exit-address-family
!
enable secret 5 $1$FZOc$GXnu3u7SMjx7Ux09upMm50
!
no aaa new-model
!
clock timezone PST -7 0
clock summer-time PDT recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
no ip domain lookup
ip domain name dcloud.cisco.com
ip multicast-routing
ip cef
no ipv6 cef
!
flow record type performance-monitor LIVEACTION-FLOWRECORD-AVC
description DO NOT MODIFY. USED BY LIVEACTION.
match application name account-on-resolution
match connection client ipv4 address
match connection server ipv4 address
match connection server transport port
match ipv4 protocol
match routing vrf input
collect application http host
collect application http uri statistics
collect connection client counter bytes long
collect connection client counter bytes network long
collect connection client counter packets long
collect connection client counter packets retransmitted
collect connection delay application sum
collect connection delay network client-to-server sum
collect connection delay network to-client sum
collect connection delay network to-server sum
collect connection delay response client-to-server sum
collect connection delay response to-server histogram late
collect connection delay response to-server sum
collect connection initiator
collect connection new-connections
collect connection server counter bytes long
collect connection server counter bytes network long
collect connection server counter packets long
collect connection server counter responses
collect connection sum-duration
collect connection transaction counter complete
collect connection transaction duration max
collect connection transaction duration min
collect connection transaction duration sum
collect interface input
collect interface output
collect ipv4 destination address
collect ipv4 dscp
collect ipv4 source address
collect ipv4 ttl
!
flow record type performance-monitor LIVEACTION-FLOWRECORD-MEDIANET
description DO NOT MODIFY. USED BY LIVEACTION.
match flow direction
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match transport destination-port
match transport rtp ssrc
match transport source-port
collect application media bytes counter
collect application media bytes rate
collect application media event
collect application media packets counter
collect application media packets rate
collect application name
collect counter bytes
collect counter bytes rate
collect counter packets
collect interface input
collect interface output
collect ipv4 dscp
collect ipv4 ttl
collect monitor event
collect routing forwarding-status
collect timestamp interval
collect transport event packet-loss counter
collect transport packets expected counter
collect transport packets lost counter
collect transport packets lost rate
collect transport rtp jitter maximum
collect transport rtp jitter mean
collect transport rtp jitter minimum
!
flow record LIVEACTION-FLOWRECORD
description DO NOT MODIFY. USED BY LIVEACTION.
match flow direction
match interface input
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect application name
collect counter bytes
collect counter packets
collect flow sampler
collect interface output
collect ipv4 destination mask
collect ipv4 dscp
collect ipv4 id
collect ipv4 source mask
collect ipv4 source prefix
collect routing destination as
collect routing next-hop address ipv4
collect routing source as
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect transport tcp flags
!
flow exporter LIVEACTION-FLOWEXPORTER-IPFIX
description DO NOT MODIFY. USED BY LIVEACTION.
destination 198.18.133.34
source Loopback0
transport udp 2055
export-protocol ipfix
option interface-table
option vrf-table
option c3pl-class-table
option c3pl-policy-table
option application-table
option application-attributes
!
flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-AVC
description DO NOT MODIFY. USED BY LIVEACTION.
record LIVEACTION-FLOWRECORD-AVC
exporter LIVEACTION-FLOWEXPORTER-IPFIX
cache entries 6500
!
flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-MEDIANET
description DO NOT MODIFY. USED BY LIVEACTION.
record LIVEACTION-FLOWRECORD-MEDIANET
exporter LIVEACTION-FLOWEXPORTER-IPFIX
!
flow monitor LIVEACTION-FLOWMONITOR
description DO NOT MODIFY. USED BY LIVEACTION.
exporter LIVEACTION-FLOWEXPORTER-IPFIX
cache timeout inactive 10
cache timeout active 60
record LIVEACTION-FLOWRECORD
!
multilink bundle-name authenticated
!
domain 10
vrf default
border
source-interface Loopback0
master local
master branch
source-interface Loopback0
hub 10.1.0.10
!
cts logging verbose
!
username admin privilege 15 secret 5 $1$cMkR$gFVL9xA2TsO6T1ojq6XgA1
!
redundancy
!
class-map match-any LIVEACTION-CLASS-AVC
match access-group name LIVEACTION-ACL-AVC
class-map match-any STREAMING-VIDEO
match dscp af31 af32
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41 af42
class-map match-any CRITICAL-DATA
match dscp af11 af21
match access-group name MARK-CRITICAL
class-map match-any NET-CTRL-MGMT
match dscp cs2 cs6
class-map match-any VOICE
match dscp ef
match access-group name MARK-VOIP
class-map match-any SCAVENGER
match dscp cs1
match access-group name MARK-SCAVENGER
class-map match-any LIVEACTION-CLASS-MEDIANET
match protocol rtp
class-map match-any CALL-SIGNALING
match dscp cs3
!
policy-map LAN-MARKING
class CRITICAL-DATA
set dscp af21
class VOICE
set dscp ef
class SCAVENGER
set dscp cs1
policy-map WAN
class INTERACTIVE-VIDEO
bandwidth remaining percent 30
random-detect dscp-based
set dscp tunnel af41
class STREAMING-VIDEO
bandwidth remaining percent 10
random-detect dscp-based
set dscp tunnel af41
class NET-CTRL-MGMT
bandwidth remaining percent 5
set dscp tunnel cs6
class CALL-SIGNALING
bandwidth remaining percent 4
set dscp tunnel af41
class CRITICAL-DATA
bandwidth remaining percent 25
random-detect dscp-based
set dscp tunnel af21
class SCAVENGER
bandwidth remaining percent 1
set dscp tunnel af11
class VOICE
priority level 1
police cir percent 10
set dscp tunnel ef
class class-default
bandwidth remaining percent 25
random-detect
set dscp tunnel default
policy-map INTERFACE-E0/0
class class-default
shape average 10000000
service-policy WAN
policy-map type performance-monitor LIVEACTION-POLICY-UNIFIED
class LIVEACTION-CLASS-AVC
flow monitor LIVEACTION-FLOWMONITOR-AVC
class LIVEACTION-CLASS-MEDIANET
flow monitor LIVEACTION-FLOWMONITOR-MEDIANET
!
crypto ikev2 keyring DMVPN-KEYRING-MPLS
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key 123CISCO
!
crypto ikev2 profile DMVPN-IKE-PROFILE-MPLS
match fvrf MPLS1
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local DMVPN-KEYRING-MPLS
dpd 40 5 on-demand
!
crypto isakmp nat keepalive 20
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-IPSEC-PROFILE-MPLS
set transform-set AES256/SHA/TRANSPORT
set ikev2-profile DMVPN-IKE-PROFILE-MPLS
!
interface Loopback0
ip address 10.5.0.51 255.255.255.255
!
interface Tunnel100
description DMVPN Tunnel over MPLS
bandwidth 1000
ip address 192.168.100.51 255.255.255.0
no ip redirects
ip mtu 1400
ip nbar protocol-discovery
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
ip nhrp group RS-GROUP-10MBPS
ip nhrp network-id 100
ip nhrp holdtime 70
ip nhrp nhs 192.168.100.11 nbma 172.16.11.1 multicast
ip nhrp nhs 192.168.100.21 nbma 172.16.21.1 multicast
ip nhrp shortcut
ip tcp adjust-mss 1360
delay 1000
if-state nhrp
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel vrf MPLS1
tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-MPLS
service-policy type performance-monitor input LIVEACTION-POLICY-UNIFIED
service-policy type performance-monitor output LIVEACTION-POLICY-UNIFIED
!
interface Ethernet0/0
description MPLS interface
vrf forwarding MPLS1
ip address 172.16.51.1 255.255.255.252
load-interval 30
service-policy output INTERFACE-E0/0
!
interface Ethernet0/1
description Site-Lan
ip address 10.5.1.51 255.255.255.0
standby version 2
standby 10 ip 10.5.1.254
standby 10 timers 1 3
standby 10 priority 110
standby 10 preempt
standby 10 authentication CISCO
standby 10 track 50 decrement 30
load-interval 30
delay 20000
service-policy input LAN-MARKING
!
interface Ethernet0/2
description Site-Crosslink
ip address 10.5.12.51 255.255.255.0
load-interval 30
delay 20000
!
interface Ethernet0/3
no ip address
shutdown
!
router eigrp IWAN-EIGRP
!
address-family ipv4 unicast autonomous-system 400
!
af-interface Tunnel100
stub-site wan-interface
exit-af-interface
!
topology base
exit-af-topology
network 10.5.0.0 0.0.255.255
network 192.168.100.0
eigrp router-id 10.5.0.51
eigrp stub-site 1:1
exit-address-family
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route vrf MPLS1 0.0.0.0 0.0.0.0 172.16.51.2
!
ip access-list extended LIVEACTION-ACL-AVC
permit tcp any any
ip access-list extended MARK-CRITICAL
permit ip host 10.5.1.11 host 198.18.133.110
permit ip host 10.5.1.12 host 198.18.133.110
permit ip host 10.4.4.21 host 198.18.133.110
permit ip host 10.4.4.22 host 198.18.133.110
ip access-list extended MARK-SCAVENGER
permit tcp any eq ftp any
permit tcp any eq ftp-data any
permit tcp any any eq ftp
permit tcp any any eq ftp-data
ip access-list extended MARK-VOIP
permit ip host 10.5.1.11 host 198.18.133.36
permit ip host 10.4.4.21 host 198.18.133.36
!
no service-routing capabilities-manager
!
snmp-server community cisco123 RW 55
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login local
transport input telnet ssh
!
ntp source Loopback0
ntp server 198.18.128.1
!
end
Router R52-Spoke-Site5
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R52-Spoke-Site5
!
boot-start-marker
boot-end-marker
!
vrf definition INET1
!
address-family ipv4
exit-address-family
!
enable secret 5 $1$K1Ia$8p/dLDKRG1lz8pxZ/ry2u.
!
no aaa new-model
!
clock timezone PST -7 0
clock summer-time PDT recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
ip domain lookup source-interface Loopback0
ip domain name dcloud.cisco.com
ip name-server 198.18.133.1
ip cef
no ipv6 cef
!
flow record type performance-monitor LIVEACTION-FLOWRECORD-AVC
description DO NOT MODIFY. USED BY LIVEACTION.
match application name account-on-resolution
match connection client ipv4 address
match connection server ipv4 address
match connection server transport port
match ipv4 protocol
match routing vrf input
collect application http host
collect application http uri statistics
collect connection client counter bytes long
collect connection client counter bytes network long
collect connection client counter packets long
collect connection client counter packets retransmitted
collect connection delay application sum
collect connection delay network client-to-server sum
collect connection delay network to-client sum
collect connection delay network to-server sum
collect connection delay response client-to-server sum
collect connection delay response to-server histogram late
collect connection delay response to-server sum
collect connection initiator
collect connection new-connections
collect connection server counter bytes long
collect connection server counter bytes network long
collect connection server counter packets long
collect connection server counter responses
collect connection sum-duration
collect connection transaction counter complete
collect connection transaction duration max
collect connection transaction duration min
collect connection transaction duration sum
collect interface input
collect interface output
collect ipv4 destination address
collect ipv4 dscp
collect ipv4 source address
collect ipv4 ttl
!
flow record type performance-monitor LIVEACTION-FLOWRECORD-MEDIANET
description DO NOT MODIFY. USED BY LIVEACTION.
match flow direction
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match transport destination-port
match transport rtp ssrc
match transport source-port
collect application media bytes counter
collect application media bytes rate
collect application media event
collect application media packets counter
collect application media packets rate
collect application name
collect counter bytes
collect counter bytes rate
collect counter packets
collect interface input
collect interface output
collect ipv4 dscp
collect ipv4 ttl
collect monitor event
collect routing forwarding-status
collect timestamp interval
collect transport event packet-loss counter
collect transport packets expected counter
collect transport packets lost counter
collect transport packets lost rate
collect transport rtp jitter maximum
collect transport rtp jitter mean
collect transport rtp jitter minimum
!
flow record LIVEACTION-FLOWRECORD
description DO NOT MODIFY. USED BY LIVEACTION.
match flow direction
match interface input
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect application name
collect counter bytes
collect counter packets
collect flow sampler
collect interface output
collect ipv4 destination mask
collect ipv4 dscp
collect ipv4 id
collect ipv4 source mask
collect ipv4 source prefix
collect routing destination as
collect routing next-hop address ipv4
collect routing source as
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect transport tcp flags
!
flow exporter LIVEACTION-FLOWEXPORTER-IPFIX
description DO NOT MODIFY. USED BY LIVEACTION.
destination 198.18.133.34
source Loopback0
transport udp 2055
export-protocol ipfix
option interface-table
option vrf-table
option c3pl-class-table
option c3pl-policy-table
option application-table
option application-attributes
!
flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-AVC
description DO NOT MODIFY. USED BY LIVEACTION.
record LIVEACTION-FLOWRECORD-AVC
exporter LIVEACTION-FLOWEXPORTER-IPFIX
cache entries 6500
!
flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-MEDIANET
description DO NOT MODIFY. USED BY LIVEACTION.
record LIVEACTION-FLOWRECORD-MEDIANET
exporter LIVEACTION-FLOWEXPORTER-IPFIX
!
flow monitor LIVEACTION-FLOWMONITOR
description DO NOT MODIFY. USED BY LIVEACTION.
exporter LIVEACTION-FLOWEXPORTER-IPFIX
cache timeout inactive 10
cache timeout active 60
record LIVEACTION-FLOWRECORD
!
multilink bundle-name authenticated
!
domain 10
vrf default
border
source-interface Loopback0
master 10.5.0.51
!
cts logging verbose
!
username admin privilege 15 secret 5 $1$SYOv$ckr5tYA./LrlgGa4shf7x1
!
redundancy
!
class-map match-any LIVEACTION-CLASS-AVC
match access-group name LIVEACTION-ACL-AVC
class-map match-any STREAMING-VIDEO
match dscp af31 af32
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41 af42
class-map match-any CRITICAL-DATA
match dscp af11 af21
match access-group name MARK-CRITICAL
class-map match-any NET-CTRL-MGMT
match dscp cs2 cs6
class-map match-any VOICE
match dscp ef
match access-group name MARK-VOIP
class-map match-any SCAVENGER
match dscp cs1
match access-group name MARK-SCAVENGER
class-map match-any LIVEACTION-CLASS-MEDIANET
match protocol rtp
class-map match-any CALL-SIGNALING
match dscp cs3
!
policy-map LAN-MARKING
class CRITICAL-DATA
set dscp af21
class VOICE
set dscp ef
class SCAVENGER
set dscp cs1
policy-map WAN
class INTERACTIVE-VIDEO
bandwidth remaining percent 30
random-detect dscp-based
set dscp tunnel af41
class STREAMING-VIDEO
bandwidth remaining percent 10
random-detect dscp-based
set dscp tunnel af41
class NET-CTRL-MGMT
bandwidth remaining percent 5
set dscp tunnel cs6
class CALL-SIGNALING
bandwidth remaining percent 4
set dscp tunnel af41
class CRITICAL-DATA
bandwidth remaining percent 25
random-detect dscp-based
set dscp tunnel af21
class SCAVENGER
bandwidth remaining percent 1
set dscp tunnel af11
class VOICE
priority level 1
police cir percent 10
set dscp tunnel ef
class class-default
bandwidth remaining percent 25
random-detect
set dscp tunnel default
policy-map INTERFACE-E0/0
class class-default
shape average 10000000
service-policy WAN
policy-map type performance-monitor LIVEACTION-POLICY-UNIFIED
class LIVEACTION-CLASS-AVC
flow monitor LIVEACTION-FLOWMONITOR-AVC
class LIVEACTION-CLASS-MEDIANET
flow monitor LIVEACTION-FLOWMONITOR-MEDIANET
!
crypto ikev2 keyring DMVPN-KEYRING-INET
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key 123CISCO
!
crypto ikev2 profile DMVPN-IKE-PROFILE-INET
match fvrf INET1
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local DMVPN-KEYRING-INET
dpd 40 5 on-demand
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-IPSEC-PROFILE-INET
set transform-set AES256/SHA/TRANSPORT
set ikev2-profile DMVPN-IKE-PROFILE-INET
!
interface Loopback0
ip address 10.5.0.52 255.255.255.255
!
interface Tunnel100
no ip address
delay 1000
!
interface Tunnel200
description ** DMVPN Tunnel over INET **
bandwidth 1000
ip address 192.168.200.52 255.255.255.0
no ip redirects
ip mtu 1400
ip nbar protocol-discovery
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
ip nhrp group RS-GROUP-20MBPS
ip nhrp network-id 200
ip nhrp holdtime 70
ip nhrp nhs 192.168.200.12 nbma 100.64.12.1 multicast
ip nhrp nhs 192.168.200.22 nbma 100.64.22.1 multicast
ip nhrp shortcut
ip tcp adjust-mss 1360
if-state nhrp
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel vrf INET1
tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-INET
service-policy type performance-monitor input LIVEACTION-POLICY-UNIFIED
service-policy type performance-monitor output LIVEACTION-POLICY-UNIFIED
!
interface Ethernet0/0
description INET interface
vrf forwarding INET1
ip address 100.64.52.1 255.255.255.252
load-interval 30
service-policy output INTERFACE-E0/0
!
interface Ethernet0/1
description Site-Lan
ip address 10.5.1.52 255.255.255.0
standby version 2
standby 10 ip 10.5.1.254
standby 10 timers 1 3
standby 10 priority 90
standby 10 preempt
standby 10 authentication CISCO
load-interval 30
delay 20000
service-policy input LAN-MARKING
!
interface Ethernet0/2
description Site-Crosslink
ip address 10.5.12.52 255.255.255.0
load-interval 30
delay 20000
!
interface Ethernet0/3
no ip address
shutdown
!
router eigrp IWAN-EIGRP
!
address-family ipv4 unicast autonomous-system 400
!
af-interface Tunnel200
stub-site wan-interface
exit-af-interface
!
topology base
exit-af-topology
network 10.5.0.0 0.0.255.255
network 192.168.200.0
eigrp router-id 10.5.0.52
eigrp stub-site 1:1
exit-address-family
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route vrf INET1 0.0.0.0 0.0.0.0 100.64.52.2
!
ip access-list extended LIVEACTION-ACL-AVC
permit tcp any any
ip access-list extended MARK-CRITICAL
permit ip host 10.5.1.11 host 198.18.133.110
permit ip host 10.5.1.12 host 198.18.133.110
permit ip host 10.4.4.21 host 198.18.133.110
permit ip host 10.4.4.22 host 198.18.133.110
ip access-list extended MARK-SCAVENGER
permit tcp any eq ftp any
permit tcp any eq ftp-data any
permit tcp any any eq ftp
permit tcp any any eq ftp-data
ip access-list extended MARK-VOIP
permit ip host 10.5.1.11 host 198.18.133.36
permit ip host 10.4.4.21 host 198.18.133.36
!
no service-routing capabilities-manager
!
snmp-server community cisco123 RW 55
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login local
transport input telnet ssh
!
ntp source Loopback0
ntp server 198.18.128.1
!
end
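
The spoke listings above carry several lab-convenience settings: an IKEv2 pre-shared key bound to peer address 0.0.0.0, a read-write SNMP community, Telnet on the vty lines, disabled exec timeouts, plain-text HSRP authentication and type 5 secrets. The following Python check is an added example, not part of the Cisco lab guide; it flags those settings in a flattened config such as this transcript's, and the `audit` function, the finding wording and the placeholder hash are this example's own assumptions.

```python
import re

# Constructed excerpt: lines from the R52-Spoke-Site5 listing, hash replaced by a
# placeholder. Indentation is lost, so sections follow header keywords and "!".
SAMPLE_CONFIG = """\
enable secret 5 $1$XXXX$placeholder-not-a-real-hash
!
crypto ikev2 keyring DMVPN-KEYRING-INET
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key 123CISCO
!
interface Ethernet0/1
standby 10 authentication CISCO
!
snmp-server community cisco123 RW 55
!
line con 0
exec-timeout 0 0
line vty 0 4
exec-timeout 0 0
transport input telnet ssh
!
"""

HEADER = re.compile(r"(line|interface|crypto ikev2 keyring) ")

def audit(config):
    """Return (context, finding) pairs for lab-grade settings in an IOS config."""
    findings, section, wildcard_peer = [], "", False
    for line in map(str.strip, config.splitlines()):
        if line == "!" or HEADER.match(line):
            # "!" closes a section; a header line opens a new one.
            section, wildcard_peer = ("" if line == "!" else line), False
            continue
        ctx = section or "global"
        if re.search(r"\bsecret 5 ", line):
            findings.append((ctx, "type 5 (MD5-based) secret"))
        elif re.match(r"snmp-server community \S+ RW\b", line):
            findings.append((ctx, "read-write SNMP community"))
        elif section.startswith("crypto ikev2 keyring"):
            if line.startswith("peer "):
                wildcard_peer = False
            elif line == "address 0.0.0.0 0.0.0.0":
                wildcard_peer = True
            elif line.startswith("pre-shared-key") and wildcard_peer:
                findings.append((ctx, "pre-shared key accepted from any peer address"))
        elif section.startswith("line "):
            if line == "exec-timeout 0 0":
                findings.append((ctx, "exec timeout disabled"))
            elif re.match(r"transport input .*\btelnet\b", line):
                findings.append((ctx, "Telnet allowed"))
        elif section.startswith("interface ") and re.match(
                r"standby \d+ authentication (?!md5\b)", line):
            findings.append((ctx, "plain-text HSRP authentication"))
    return findings

if __name__ == "__main__":
    for ctx, finding in audit(SAMPLE_CONFIG):
        print(f"{ctx}: {finding}")
```
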
End Of Lab