
IWAN Lab Guide

Date post: 06-Jan-2017
Upload: jww330015
Page 1: IWAN Lab Guide

IWANSEBC

Lab Guide

Overview

This guide presents the instructions and other information concerning the lab activities for this course.

Outline

This guide includes these activities:

Lab Overview, Resources and Access Information
Lab 1: Navigating the Lab and Configuring Cisco Prime Building Blocks
Lab 2: Transport Independent Design using DMVPN
Lab 3: Application Optimization – Application Visibility
Lab 4: Application Optimization – QoS Control
Lab 5: Intelligent Path Control using PfRv3
Optional Lab: Application Optimization – using WAAS with Akamai


2 Intelligent WAN SE Boot Camp (IWANSEBC) v1.0 © 2014 Cisco Systems, Inc.

Lab Overview, Resources and Access Information

This lab activity is based on a real-life network with the following components:

Data Center

— Cisco ASR1001

— Cisco Prime

— Cisco WAAS Central Manager

— Cisco vWAAS

— Microsoft Domain Controller

— Microsoft SharePoint

— Windows 7 PC

Branch Office

— Cisco ISR-2911 w/UCSe

— Cisco vWAAS

— Windows 7 PC

Activity Objective

In this activity, you will learn how to access the lab and how to use the different components (servers, clients, and network elements). You will also document some of the lab resources, such as access credentials, and have this information ready so that you can come back to this section and review it, if needed.

After completing this activity, you will be able to meet these objectives:

Understand the access method and tools used to connect to the lab.

Document lab access information and login credentials.


Visual Objective

The figure illustrates the lab topology for the IWAN solution.


The following table summarizes the access methods and login credentials used to access the lab infrastructure. The red squares in the diagram above highlight the clickable items you will find in your Student LabOps Portal. In your web browser's Student Portal, click on the items to launch your terminal service or RDP client to access the highlighted devices, then use the credentials below.

Device/Server: Terminal Server
    Access Method: Telnet, IP address:
        Pods 1-4: 128.107.217.130
        Pods 5-10: 128.107.217.131
        Pods 11-20: 128.107.217.136
        Pods 21-30: 128.107.65.194
    Password: labops

Device/Server: Branch Router
    Access Method: term server
    Password: labops, lab-cert

Device/Server: DC Router
    Access Method: term server
    Password: labops, lab-cert

Device/Server: Cloud Router
    Access Method: telnet
    Username: admin
    Password: labops, labops

Device/Server: Cisco Prime Infrastructure
    Access Method: https://10.10.0.3
    Username: root
    Password: Pr1m3

Device/Server: UCS-E ESXi Server
    Access Method: vSphere Client on Branch PC
    Username: student
    Password: Iwanlab1

Device/Server: All WAAS appliances
    Access Method: https://10.10.0.111:8443
    Username: admin
    Password: default

Device/Server: SharePoint Server
    Access Method: http://sharepoint/

Device/Server: Branch PC
    Access Method: Remote Desktop:
        Pods 1-9: 128.107.217.15X:2001
        Pod 10: 128.107.217.160:2001
        Pods 11-19: 128.107.217.16X:2001
        Pod 20: 128.107.217.170:2001
        Pods 21-30: 128.107.65.215-225:2001
    Username: User: student, Domain: PODX
        * X = last digit of pod number.
        ** Pods 10 and 20 are both Domain: POD10
    Password: Cisc0123

Device/Server: Datacenter PC
    Access Method: Remote Desktop:
        Pods 1-9: 128.107.217.15X:2002
        Pod 10: 128.107.217.160:2002
        Pods 11-19: 128.107.217.16X:2002
        Pod 20: 128.107.217.170:2002
        Pods 21-30: 128.107.65.215-225:2002
    Username: User: student, Domain: PODX
        * X = last digit of pod number.
        ** Pods 10 and 20 are both Domain: POD10
    Password: Cisc0123


Lab 1: Navigating the Lab and Configuring Cisco Prime Building Blocks

Activity Objective

In this activity, you will get acquainted with the lab topology and related components, while testing connectivity and learning the current state of the solution. You will also use Cisco Prime Infrastructure to verify and configure the building blocks for the rest of the activities.

After completing this activity, you will be able to meet these objectives:

Verify current network environment.

Originate test traffic and verify connectivity.

Discover Cisco Prime features and configure templates.

Visual Objective

The figure illustrates the lab topology you will be working with, as well as a visual reference of the objectives of this lab.


Task 1: Verify Lab Infrastructure

In this task, you will connect to the lab equipment and verify their operations and baseline settings.

Complete these steps:

Step 1 Connect to the terminal server using the information on the Lab Resources section of this guide.

Step 2 Connect to the Branch Router by typing pX-2911 at the terminal server.

Note For the remainder of this lab guide, the X in italics represents your pod number in machine names, host names, and IP addresses. Substitute your pod number for X, for instance for Pod 1 the branch router is P1-2911.

Step 3 Verify the IOS version and hardware on this router with the show version command. Notice the UCS-E module, a critical component of the Intelligent WAN architecture.

POD4-BR-RTR#show version
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Wed 07-Nov-12 14:08 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
POD4-BR-RTR uptime is 9 weeks, 5 days, 26 minutes
System returned to ROM by power-on
System image file is "flash0:c2900-universalk9-mz.SPA.154-3.M.bin"
Last reload type: Normal Reload
Last reload reason: power-on
<…output omitted…>
Cisco CISCO2911/K9 (revision 1.0) with 2564032K/57344K bytes of memory.
Processor board ID FTX1702ALZ3
9 Gigabit Ethernet interfaces
2 terminal lines
1 Virtual Private Network (VPN) Module
1 cisco UCSE Module(s)
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)

License Info:
License UDI:
-------------------------------------------------
Device#   PID                SN
-------------------------------------------------
*0        CISCO2911/K9       FTX1702ALZ3

Technology Package License Information for Module:'c2900'
-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      securityk9    RightToUse     securityk9
uc            None          None           None
data          datak9        RightToUse     datak9

Configuration register is 0x2102

Step 4 You can also use the show diag command to learn more about the UCS-E hardware.

POD4-BR-RTR#show diag | begin Slot 1
Slot 1:
UCSE Single Wide Module Port adapter, 1 port
Port adapter is analyzed
Port adapter insertion time 9w5d ago
EEPROM contents at hardware discovery:
Hardware Revision : 1.0
Part Number : 74-10422-01
Deviation Number : 0
Fab Version : 01
PCB Serial Number : FOC16473XBN
RMA Test History : 00
RMA Number : 0-0-0-0
RMA History : 00
Product (FRU) Number : UCS-E140S-M1/K9
Version Identifier : V01
CLEI Code : IPUCBASBTA
Board Revision : A0
Base MAC Address : e02f.6de0.5886
MAC Address block size : 10
Platform features : 02 01 01 4B 00 00 00 00
                    01 01 05
EEPROM format version 4
EEPROM contents (hex):
0x00: 04 FF 40 0B 3F 41 01 00 82 4A 28 B6 01 88 00 00
0x10: 00 00 02 01 C1 8B 46 4F 43 31 36 34 37 33 58 42
0x20: 4E 03 00 81 00 00 00 00 04 00 CB 8F 55 43 53 2D
0x30: 45 31 34 30 53 2D 4D 31 2F 4B 39 89 56 30 31 20
0x40: D9 03 40 C1 CB C6 8A 49 50 55 43 42 41 53 42 54
0x50: 41 42 41 30 F3 00 06 40 0B E3 43 00 4B CF 06 E0
0x60: 2F 6D E0 58 86 43 00 0A C9 0B 02 01 01 4B 00 00
0x70: 00 00 01 01 05 FF FF FF FF FF FF FF FF FF FF FF
Embedded Service Engine 0/0 :
Total platform memory : 2621440K bytes
Total 2nd core memory : 0K bytes
Start of physical address for 2nd core : 0x80000000
Virtual address start of 2nd core memory : 0x0 - 0x0
2nd core configured disabled
L2 cache ways for 2nd core : 0


Step 5 Display the router’s interfaces to get acquainted with the physical and logical topology of the lab. Notice the IP subnet location of the UCS-E service module on the same subnet as the Branch Client PC.

POD4-BR-RTR#show ip interface brief | exclude unassigned
Interface             IP-Address    OK?  Method  Status  Protocol
GigabitEthernet0/0    10.10.#3.2    YES  NVRAM   up      up
GigabitEthernet0/1    10.10.#4.2    YES  NVRAM   up      up
GigabitEthernet0/2    10.10.#1.1    YES  NVRAM   up      up
ucse1/0               10.10.#1.1    YES  unset   up      up
Loopback0             3.3.3.3       YES  NVRAM   up      up
Tunnel10              10.10.#5.2    YES  NVRAM   up      up

Step 6 The UCS-E module can use several interfaces for CIMC (Cisco Integrated Management Controller) management. In this instance, you are using an internal PCIe interface on the ISR G2 router, ucse1/0, for CIMC access. Use the show running-config command to display the simple ucse1/0 configuration for this environment.

POD4-BR-RTR#show run interface ucse1/0
interface ucse1/0
 ip unnumbered GigabitEthernet0/2
 imc ip address 10.10.#1.2 255.255.255.0 default-gateway 10.10.#1.1
 imc access-port shared-lom console
end

Step 7 Notice that you are using unnumbered IP addresses, inheriting the IP address from the router’s LAN interface. For this reason, static routes are needed to point to specific IP addresses on the UCS-E module. The address 10.10.X1.2 is UCS’s management IP address, while 10.10.X1.3 is the VMware Hypervisor host and 10.10.X1.4 points to your vWAAS instance, which will be used later in lab 6.

POD4-BR-RTR#show ip route static
<…output omitted…>
Gateway of last resort is 10.10.#3.1 to network 0.0.0.0
      10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
S        10.10.#1.2/32 is directly connected, ucse1/0
S        10.10.#1.3/32 is directly connected, ucse1/0
S        10.10.#1.4/32 is directly connected, ucse1/0

Step 8 Connect to the Data Center router, an ASR1K, with pX-asr1k (where X is the pod number) through the term server and input your enable password.

Step 9 Display IOS information on the Data Center router using show version. Remember to enter Enable mode with password lab-cert.

POD4-DC-RTR#show version
Cisco IOS XE Software, Version 03.13.00.S – Extended Support Release
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(3)S, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Tue 19-Nov-13 20:45 by mcpre
<…output omitted…>


Step 10 Use the show license command to verify the Advanced IP Services or Advanced Enterprise Services licenses, as well as the AVC license, required for features such as NBAR, Flexible NetFlow, and other AVC components. Advanced IP Services or Advanced Enterprise Services licenses are enough for WAAS and the AppNav solution.

POD4-DC-RTR#show license feature
Feature name     Enforcement  Evaluation  Subscription  Enabled  RightToUse
adventerprise    yes          yes         no            yes      yes
advipservices    yes          yes         no            no       yes
ipbase           no           no          no            no       no
avc              yes          yes         no            no       yes
broadband        no           no          no            no       no
broadband_4k     no           no          no            no       no
cube_250         no           no          no            no       no
<…output omitted…>

Activity Verification

You have completed this task when you attain these results:

Verified basic settings on Branch and Data Center routers.

Task 2: Test Connectivity and Generate Application Traffic

In this task, you will generate traffic to test connectivity and traffic paths, and verify access to the test applications.

Step 1 Connect to the Branch PC using the information on the Lab Resources section of this guide. You will use the Branch PC for all traffic testing in this lab.

Step 2 Before you can generate traffic, verify the WAN Bridge is powered on and both 1 & 2 are running. WAN Bridge is hosted on the UCS-E module of the branch router. So from the Branch PC, connect to the ESXi vCenter server on that module using the information on the Lab Resources section of this guide.

Step 3 Turn off the vWAAS if it is on. We will turn this on later in Lab 5 as part of the WAAS lab tasks. (This will ensure the vWAAS is reset to base configs.)

Step 4 Verify that both WANBRIDGE-1 and 2 are set to option 3: 40ms Round trip delay with .1% packet loss.


Step 5 You will now generate traffic for the test applications, namely Web Video, and SharePoint. Start with Web Video using YouTube, by browsing from the Branch PC to http://www.youtube.com/cisco.

Step 6 On the Cisco YouTube channel, click the search link to find videos on “IWAN”. The search tool is located next to the Welcome link.

Step 7 Launch one of the IWAN videos, preferably the bundled title of several videos, or a single video of more than 10 minutes in duration, and verify it plays. Try to select the bundled title or a video with long duration in order to generate a large enough sample.

Step 8 Still from the Branch PC, connect to the SharePoint server by browsing to http://sharepoint.

Step 9 Click the Site Contents link on the left menu, and click the Site Collection Documents.

Step 10 Download the 10MB and 15MB files from the list by clicking on their file names in the list. Ensure that the download proceeds by looking at the bottom left corner of the browser window.


Activity Verification

You have completed this task when you attain these results:

Both WAN Bridge virtual machines are operational.

Lab applications are reachable and operational.

Task 3: Discover Cisco Prime Features and Create Templates

In this task, you will navigate the general settings of the Cisco Prime server.

Step 1 Connect to the Data Center PC using the information on the Lab Resources section of this guide. You will use the Data Center PC for all Prime configurations in this lab.

Step 2 Using Chrome as your browser, connect to the Cisco Prime server on http://10.10.0.3. Use the credentials on the Lab Resources section of this guide.

Note Click Proceed Anyway if presented with a certificate warning by your Chrome web browser.

Step 3 The Monitoring Dashboards have many options to monitor health and traffic on the discovered routers. Navigate to Operate>Monitoring Dashboards>Performance>Network Interface and verify that no data is displayed.

Step 4 To fix this you will deploy a monitoring template. Navigate to Deploy>Configuration Deployment>Monitoring Deployment to push a monitoring template to routers.


Step 5 Notice that the Interface Health template is not deployed by default, while the Traffic Analysis Metrics template is deployed. Select the Interface Health template from the list and click Deploy at the top of the list.

Note The Interface Health template will monitor basic interface metrics, such as packet and byte counters, interface availability and utilization, and interface errors. This template has been adjusted for this lab to monitor these metrics every minute, instead of the default 15 minutes.

Step 6 Click to select the Port Groups radio button.

Step 7 Expand the User Defined branch, click to select the “WAN Interfaces – Dynamic” and “LAN Interfaces – Dynamic” port groups and click Submit.

Note “WAN Interfaces – Dynamic” and “LAN Interfaces – Dynamic” are pre-configured port groups that include all WAN and LAN interfaces by dynamically matching their interface description to the words “WAN” and “LAN”, respectively. You can navigate to Design>Management Tools>Port Grouping to verify the configuration of this object. This modularity and object reuse allows Cisco Prime administrators to streamline the configuration of Intelligent WANs.

Activity Verification

You have completed this task when you attain these results:

All lab routers are now managed by Cisco Prime Infrastructure.

Monitoring metrics are visible to Cisco Prime dashboards.

You have navigated the Cisco Prime building blocks (port groups, device groups, configuration and monitoring templates).


Lab 2: Transport Independent Design using DMVPN

Activity Objective

In this activity, you will deploy a secure transport network using Hub & Spoke DMVPN.

After completing this activity, you will be able to meet these objectives:

Use Cisco Prime templates to deploy a hub & spoke DMVPN design between the Data Center and the Branch.

Customize Cisco Prime to monitor detailed DMVPN metrics.

Visual Objective

The figure illustrates the lab topology you will be working with, as well as a visual indication of the objectives of this lab.

The detailed DMVPN topology is shown here, including the IP addressing and routing protocol information.

Task 1: Verify Traffic Flows Before DMVPN

In this task, you will verify how traffic reaches the Data Center from the branch prior to the deployment of DMVPN.

Step 1 Connect to the Branch PC using the information on the Lab Resources section of this guide.

Step 2 Trace the SharePoint server and verify that the path includes the main WAN subnet, 10.10.X3.0/24 or 10.10.X4.0/24.

Note Refer to the visual objectives of this lab to clarify the lab topology, IP addressing, and objectives.


Step 3 Connect to the terminal server using the information on the Lab Resources section of this guide.

Step 4 Connect to the Branch Router by typing pX-2911 at the terminal server.

Step 5 Display the routing information learned from EIGRP autonomous system 100. This is the transport routing protocol that will enable the establishment of the IPsec tunnels. Notice that the device loopbacks, the Data Center LAN, 10.10.0.0/24, and the default route to the Internet are currently being learned via this routing process.

POD4-BR-RTR#show ip route eigrp 100
<…output omitted…>
Gateway of last resort is 10.10.43.1 to network 0.0.0.0
D*EX  0.0.0.0/0 [170/3072] via 10.10.#3.1, 01:22:58, GigabitEthernet0/0
      1.0.0.0/32 is subnetted, 1 subnets
D        1.1.1.1 [90/130816] via 10.10.#3.1, 01:22:58, GigabitEthernet0/0
      2.0.0.0/32 is subnetted, 1 subnets
D        2.2.2.2 [90/131072] via 10.10.#3.1, 01:22:33, GigabitEthernet0/0
      10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
D        10.10.0.0/24 [90/3072] via 10.10.#3.1, 01:22:58, GigabitEthernet0/0

Step 6 Display the routing information learned from EIGRP autonomous system 200. This is the DMVPN routing protocol that will advertise the subnets that will be connected via DMVPN. Notice that the Cloud Services LAN, 10.20.10.0/24, is currently being learned via this routing process.

POD4-BR-RTR#show ip route eigrp 200
<…output omitted…>
Gateway of last resort is 10.10.#3.1 to network 0.0.0.0
      10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
D        10.20.10.0/24 [80/3413504] via 10.10.#5.1, 01:22:47, Tunnel10

Activity Verification

You have completed this task when you attain these results:

Verified current traffic flows and routing topology.


Task 2: Configure the DMVPN Hub

In this task, you will configure the DC router as the DMVPN hub on Cisco Prime, creating a DMVPN feature template.

Step 1 Connect to the Data Center PC using the information on the Lab Resources section of this guide. You will use the Data Center PC for all Prime configurations in this lab.

Step 2 Using Chrome as your browser, connect to the Cisco Prime server on http://10.10.0.3. Use the credentials on the Lab Resources section of this guide.

Step 3 Navigate to Design>Feature Design, and expand the Features and Technologies folder, then the Security folder. Click the DMVPN template.

Step 4 Name the new template DMVPN Hub.

Step 5 Under Template Detail, click the + sign on the IKE Authentication type dropdown, and configure these settings:

    Authentication Type: Pre-Shared key
    Pre-Shared key: Cisc0123
    Confirm Pre-Shared key: Cisc0123
    IKE Policies: select the PRE_SHARE/AES_256/SHA policy

Step 6 Click the – sign on the IKE Authentication dropdown to collapse the authentication options.

Step 7 Click the + sign on the Encryption Policy dropdown.

Step 8 Click to select defaultPolicy, and click to edit the AH Integrity field.


Step 9 Select the “-Select-” entry from the dropdown. This will configure no protocol for AH. Click Save to the left of the dropdown.

Note This box may close on you before you click “save”. If so, open it again to set the AH Integrity. The AH Integrity field will be blank, with no protocol configured. You may have to click + on the Encryption Policy dropdown again to review.

Step 10 Under Topology and Routing information, confirm that the template is set to “Create dynamic connection between spokes”, and change the role to Hub.

Step 11 Set the EIGRP AS number to 200.

Step 12 Configure these settings for the NHRP and Tunnel Parameters section:

    Network ID: 999
    NHRP Authentication String: Cisc0123
    Tunnel Key: 999


Step 13 Click Save as New Template, and click Save again to store the template under the My Templates folder.

Note This template can now be used to configure all the hub routers in your DMVPN topology. It can be deployed to all routers in one deployment job. In this case, the only DMVPN hub will be the Data Center Router.

Step 14 The template is saved to the folder and it is automatically displayed. Click the Deploy button at the bottom of the panel.

Step 15 In the Template Deployment window, under Device Selection expand the “ALL” branch and select the PODX-DC-RTR router.

Step 16 In the Value Assignment section, configure these settings:

    Physical interface: GigabitEthernet0/0/2
    IP Address of this router's GRE Tunnel Interface: 172.16.99.1
    Subnet Mask: 255.255.255.0

Step 17 Click Apply.

Step 18 Click the CLI Preview tab to get a glimpse of the actual configuration being pushed to the router.

Note DMVPN is a good example of the power of Cisco Prime Infrastructure templates. In this example, 20+ commands are sent to all spoke routers with a simple deployment action.

Step 19 Click OK to deploy the template.

Step 20 Navigate to Operate>Device Work Center, and select the PODX-DC-RTR device.

Step 21 In the panel at the bottom, navigate to the Configuration tab, and expand the Interfaces folder under Feature Configuration. Remember to click on the Interface option.


Step 22 You will notice the newly created Tunnel0 interface. It should be Up/Up, because even though the spoke has not been configured, this is a multipoint GRE interface, and it remains always up waiting for spoke routers to connect.

Note If the Tunnel0 interface is not part of the list, re-synchronize the DC router by selecting it on the device list and clicking Sync. You will have to wait until the Inventory Collection Status column shows Completed, and then you can go back to the interface list to verify.

Step 23 Click to edit the Tunnel0 interface, and configure a description of “WAN Interface – DMVPN to Branches” and set the Bandwidth to 1500. It is extremely important to type this in, rather than copy and paste from the document. Click Save.

Note Remember, by configuring this description to the interface you immediately make it part of a dynamic port group that will be used to deploy other features later in this lab.

Step 24 The tunnel is also considered to be an inside interface for the purposes of NAT translation. While still configuring the PODX-DC-RTR, expand the Security folder in the Features panel on the left.

Step 25 Expand the NAT sub-folder and click the Interfaces option under that sub-folder.

Step 26 Click the radio button to select the Tunnel0 interface, and click Edit at the top of the interface list. A drop-down menu appears next to the interface name.

Step 27 Select Inside from the drop-down, and click Save next to the drop-down.


Activity Verification

You have completed this task when you attain these results:

The DMVPN hub is configured and the tunnel interface shows Up/Up.

The tunnel interface is now ready to forward traffic according to your network environment.

Task 3: Configure the DMVPN Spokes

In this task, you will use a Cisco Prime feature template to configure the branch router as a DMVPN spoke.

Step 1 Navigate to Design>Configuration>Feature Design, and expand the My Templates folder.

Step 2 The DMVPN Spokes template is pre-created. Click to select it under the My Templates folder.

Step 3 As expected, the configuration is very similar to the DMVPN hub. Scroll down to the bottom of the template to notice the main difference: the spoke will have a permanent tunnel to the hub to register and obtain NHRP information about other spokes. The NHS Information section tells the spokes the location of the hub for this purpose.

Note The example shown corresponds to pod 4

Step 4 Click Deploy at the bottom of the panel.


Step 5 In the Template Deployment window, expand the Site Groups branch of the Device Selection section. Select the Power Branches site group.

Note Deploying the template to a site group results in streamlined configurations of multiple branches at a time.

Step 6 In the Value Assignment section, configure these settings:

    Physical interface: GigabitEthernet0/0
    IP Address of this router's GRE Tunnel Interface: 172.16.99.2
    Subnet Mask: 255.255.255.0

Step 7 Click Apply.

Step 8 Click OK to deploy the template.

Step 9 Navigate to Operate>Device Work Center, and select the PODX-BR-RTR device.

Step 10 In the panel at the bottom, navigate to the Configuration tab, and expand the Interfaces folder by navigating to Feature Configuration>Interface.

Step 11 You will notice the newly created Tunnel11 interface. It should be Up/Up.

Note If the Tunnel11 interface is not part of the list, re-synchronize the Branch router by selecting it on the device list and clicking Sync. You will have to wait until the Inventory Collection Status column shows Completed, and then you can go back to the interface list to verify.


Step 12 Click to edit the Tunnel11 interface, and configure a description of “WAN Interface – DMVPN to DC” and set the Bandwidth to 1500. It is extremely important to type this in, rather than copy and paste from the document. Click Save.

Note Remember, by configuring this description to the interface you immediately make it part of a dynamic port group that will be used to deploy other features later in this lab.

Activity Verification

You have completed this task when you attain these results:

The DMVPN spoke is configured and all tunnel interfaces are Up/Up.

Task 4: Complete and Verify DMVPN Operations

At this point, the LAN subnets on each side of the DMVPN are advertised using the transport routing protocol, EIGRP 100. In this task, you will tune routing protocol operations across the DMVPN design to use the DMVPN routing protocol, EIGRP 200.

Step 1 Start with the DC router. To do this, navigate to Operate>Device Work Center, and select the PODX-DC-RTR device.

Note If other devices are also selected, you will have to unselect them in order to edit the individual router PODX-DC-RTR.

Step 2 In the panel at the bottom, navigate to the Configuration tab, and expand the Routing folder under Feature Configuration.

Step 3 Under EIGRP, expand AS 200 by clicking the arrow to the left of the number 200, and click Add Row under “Routing Networks”.

Note You may have to scroll down using the scroll bars on the right, or better yet maximize the whole Device Details panel (the whole bottom half of the screen) by dragging and moving the upper edge of the panel upwards.

Step 4 Configure 10.10.0.0 with a wildcard mask 0.0.0.255 and click Save.

Step 5 Click Add Row again, and configure the DMVPN tunnel network, 172.16.99.0, with a wildcard mask of 0.0.0.255, and click Save.

Step 6 Click Add Row again, and configure the Loopback address 1.1.1.1, with a wildcard mask of 0.0.0.0, and click Save.


Step 7 Now expand AS 100, select the loopback network of 1.1.1.1 and delete it from AS 100, and click OK.

Step 8 Scroll to the very bottom of the EIGRP panel and click Save.

Note If you can’t find the Save button of step 6, scroll all the way down using the middle scroll bar of the EIGRP panel.

Step 9 You will now adjust routing on the branch router. Back at the Device Group list, deselect PODX-DC-RTR and select PODX-BR-RTR to configure the branch router for DMVPN routing.

Step 10 In the panel at the bottom, navigate to the Configuration tab, and expand the Routing folder under Feature Configuration.

Step 11 Click to select EIGRP under the routing folder.

Step 12 Expand AS 200 by clicking the arrow to the left of the number 200, and click Add Row under “Routing Networks”.

Step 13 Configure the DMVPN tunnel network, 172.16.99.0, with a wildcard mask of 0.0.0.255.

Step 14 Configure the Loopback network, 3.3.3.3, with a wildcard mask of 0.0.0.0, and click Save.

Step 15 Scroll to the very bottom of the EIGRP panel and click Save.

Step 16 Only after you have done step 15, expand AS 100, select the loopback network of 3.3.3.3 and delete it from AS 100 (you may need to scroll down to see it), and click OK.

Note The Branch LAN is already part of the routing process EIGRP 200 because it’s also the source of the already existing DMVPN configuration toward the Cloud Services network.

Step 17 Scroll to the very bottom of the EIGRP panel and click Save.

Step 18 Connect to the Branch PC and verify that tracing the SharePoint server at 10.10.0.9 now uses the DMVPN. You should see devices in the 172.16.99.0/24 subnet as one of the hops.


Step 19 There’s a reason for this. Connect to the Branch Router by typing pX-2911 at the

terminal server.

Step 20 Display the routing information learned from EIGRP autonomous system 200. The

DMVPN routing protocol now learns the Data Center LAN subnet, 10.10.0.0/24, as

well as the Internet default, via the newly created tunnel.

POD4-BR-RTR#sh ip route eigrp 200
<…output omitted…>
Gateway of last resort is 172.16.99.1 to network 0.0.0.0

D*EX  0.0.0.0/0 [160/26880256] via 172.16.99.1, 00:04:56, Tunnel11
      1.0.0.0/32 is subnetted, 1 subnets
D        1.1.1.1 [80/3114496] via 172.16.99.1, 00:02:24, Tunnel11
      10.0.0.0/8 is variably subnetted, 13 subnets, 2 masks
D        10.10.0.0/24 [80/2986752] via 172.16.99.1, 00:02:24, Tunnel11
D        10.20.10.0/24 [80/3413504] via 10.10.65.1, 00:02:24, Tunnel10

Activity Verification

You have completed this task when you attain these results:

Routing has been adjusted to the DMVPN topology and branch connectivity now uses

the DMVPN.

Task 5: Monitor DMVPN Operations

In this task, you will also use Cisco Prime tools to monitor the behavior of your

DMVPN deployment.

Step 1 Navigate to Deploy>Configuration Deployment>Monitoring Deployment.

Step 2 Select the Dynamic Multipoint VPN Tunnel Statistics template from the list and

click Deploy.

Step 3 Click the checkbox next to the Name column to select all device types, and

click Submit.

Step 4 Back at the branch PC, generate traffic for all test applications (YouTube by

replaying the video, SharePoint by downloading the 10MB and 15MB files

Step 5 Cisco Prime Reports are another valuable tool to monitor DMVPN. Navigate to

Report>Report Launch Pad.

Step 6 On the left panel, expand the Device folder and select DMVPN Reports.

Step 7 Click New to create a new report, and name it DMVPN Report in the Report

Title field.

Step 8 Click Customize to review the report settings. Notice the report components in the

Data Fields to Include box.

Step 9 Select the NHRP Expiration parameter in the Data Fields to Include box, and click

Remove to simplify the report.

Step 10 Click Apply to save the changes.

Step 11 Click Run and Save at the bottom right corner of the panel to run the report.

Step 12 Verify the information in the Report Run Result section at the bottom of the panel.

Notice the simple format to verify byte counts for each DMVPN peer for the set of

reported remote subnets.

Note This Report takes time to generate. If necessary, generate more traffic from the Branch PC

and run the report again or come back later to run again.

Activity Verification

You have completed this task when you attain these results:

You have monitored DMVPN operations using the Cisco Prime Dashboard and Cisco

Prime Reports.

Lab 3: Application Optimization – Application Visibility

Activity Objective

In this activity, you will deploy Application Visibility and Control templates to gain granular

visibility into application traffic and application performance.

After completing this activity, you will be able to meet these objectives:

Deploy AVC templates to enhance granular application classification via NBAR2,

optimized data collection via Flexible NetFlow, and obtain application performance metrics

via Performance Agent.

Use Cisco Prime Dashboard and Reports in three use cases: to discover application usage in

the network, to monitor application performance, and to troubleshoot application

performance issues.

Visual Objective

The figure illustrates the lab topology you will be working with.

Task 1: Customizing Cisco Prime for AVC

In this task, you will customize Cisco Prime dashboards and building blocks in preparation for your AVC deployment.

Step 1 Before you deploy AVC, you can customize some of your dashboards according to your needs. With network readiness and baselining in mind, navigate to Operate>Monitoring Dashboards>Performance>Service Assurance.

Step 2 Find the Top N Resources by NetFlow dashlet and hover your mouse over the top

right corner of the dashlet. Click X to remove the dashlet from the dashboard.

Step 3 Click the Edit Dashboard icon at the top right corner of the Cisco Prime window and

expand the Add Dashlet option.

Step 4 Expand the Service Assurance Dashlets branch if it’s not expanded already, and

hover your mouse over the crosshair icon to the left of the Application Usage

Summary dashlet. You will see detailed information about the data sources, layout,

and overall objective of the dashlet.

Step 5 Click Add to add the dashlet to the dashboard.

Step 6 If the dashlet is added to the bottom of the dashboard, click the top of the dashlet

area to drag and drop at the top of the dashboard for improved viewing.

Step 7 Notice the application traffic mix in the pie chart. Hover your mouse over the HTTP slice and you will notice context-sensitive callouts that provide traffic rate information.

Step 8 Repeat steps 3 to 5 to add the Top N WAN Interfaces by Utilization dashlet. In it you should see the Tunnel interfaces on the DC and branch routers at the top of the list.

Step 9 Other customization options allow you to streamline the deployment of some

templates. Navigate to Design>Configuration>Shared Policy Objects.

Step 10 Click to select the Interface Role in the left panel.

Step 11 Click Add Object at the top of the interface roles list.

Step 12 Name the object WAN Interfaces, and click the first dropdown under “Match the

following rule” to match the Description of router interfaces. Leave the operator

“Contains” as is, and type WAN in the last field.

Note Interface roles allow you to group interfaces based on existing attributes, for instance the

description, to then apply templates based on the role.

Step 13 Click OK.

Activity Verification

You have completed this task when you attain these results:

You have customized Cisco Prime dashboards to display application traffic mix

and interface utilization dashlets, and created an interface role, in preparation for

AVC deployment.

Task 2: AVC Use Case - Provision Branch Instrumentation and Application Visibility

The first step in enhancing the application experience is to deploy enhanced branch

instrumentation using AVC, to gather application and performance metrics using the various

technologies that fall within the AVC umbrella (Performance Agent, NBAR2, and Flexible

NetFlow). In this task, you will deploy those AVC features using Cisco Prime one-click options

and templates.

Step 1 You can configure default AVC policies on individual interfaces if you want quick

testing or on-the-spot configurations. To do this, navigate to Operate>Device Work

Center.

Step 2 Click the checkbox to select the PODX-CSR-RTR and click Configuration at the

bottom panel.

Step 3 Navigate to the Application Visibility>Interfaces panel under the Feature

Configuration list at the bottom left.

Step 4 Click the checkboxes to select the two WAN interfaces, GigabitEthernet1 and

Tunnel10.

Step 5 At the top of the interface list, click the Enable Default Policy dropdown, and select

the IPv4 Default Policy option. Click Yes to accept the warning.

Step 6 After a few seconds, the interface will be configured with the default AVC policy.

Notice the default policy visible under the Input Reports and Output Reports

columns on the interface list.

Step 7 For bulk configurations you can apply a Cisco Prime AVC template. Create the

AVC template, by navigating to Design>Configuration>Feature Design, and

expanding the Features and Technologies and Application Visibility folders.

Step 8 Click to select the AVC Configuration template.

Step 9 Name the custom template “Enterprise AVC” and click the arrow on the Apply to

Interface Role dropdown.

Step 10 Select the WAN Interfaces role.

Step 11 Ensure that YouTube application layer traffic metrics and performance indicators

are measured, by expanding the list of Applications in the HTTP URL Visibility

section of the template. To do this, click the arrow button next to the applications list

of that section.

Step 12 Navigate through the list of applications by clicking the greater-than button of the

HTTP Applications option. From the resulting window, select YouTube.

Note There are many applications you can choose from the NBAR2 definition. This allows you to

customize and adjust to the appropriate traffic mix according to your network requirements,

performing deep packet inspection to identify those applications on the network.

Step 13 Click OK twice to go back to the AVC template.

Note Go back to the application list and deselect the ActiveSync and Baidu Movie applications if

you reach the maximum of 32 applications in the filter.

Step 14 For the sake of understanding the power of AVC, in the Application Response Time

section of the template, click the arrow icon to the right of the Applications list.

Notice how you can also customize the template based on application categories and

subcategories, for added flexibility. You don’t have to enable application by

application necessarily. Navigate through the list of categories to review.

Step 15 We will not be using the Voice/Video Metric so let’s turn this component off.

Step 16 Click Save as New Template at the bottom of the panel, and click Save to save it to

the My Templates folder.

Step 17 Scroll down to the bottom of the template and click Deploy.

Step 18 Expand the Site Groups and select the Power Branches and the Data Center groups.

This will deploy the template to the branch and DC routers.

Step 19 In the Value Assignment section, click CLI Preview for the Branch Router to

display the resulting commands. You will see more than 150 commands.

Step 20 Ensure that both routers show CLI commands in the preview, and click OK to

deploy the template.

Step 21 Given the size of the configuration, wait until the template deployment job has

successfully completed. You can verify the status of the job at Administration>Job

Dashboard. Refresh the job list as needed.

Activity Verification

You have completed this task when you attain these results:

You have deployed AVC configurations for proactive monitoring of granular application

traffic metrics.

Task 3: AVC Use Case - Discover Application Usage in the Network

In this task, you will use the improved, granular application visibility that results from

deploying AVC to discover your application mix, usage, and behavior in the network.

This allows you to gather actionable intelligence to determine which AVC control features

to deploy.

Complete these steps:

Step 1 Connect to the branch PC and generate traffic for all test applications (YouTube by

replaying three videos, SharePoint by downloading the 10MB and 15MB files a few

times).

Step 2 This time, also connect to http://video.cisco.com and play a video of about 10

minutes in duration.

Step 3 Navigate back to Home>Performance>Service Assurance.

Step 4 Notice the richer granularity per application in the Top N Applications and

Application Usage Summary dashlets, including not only generic application traffic

(HTTP) but also specific applications (YouTube, binary-over-HTTP for SharePoint

file transfers, and others). This is the result of NBAR2 inspection and classification,

as a result of the AVC configuration template.

Also notice the tunnel interfaces carrying the bulk of the load, as they transport

SharePoint traffic to the Data Center subnet.

Note Refresh the dashlet as needed.

Step 5 Verify which application has the greater traffic rate on the Top N Applications

dashlet, and click the Volume link at the top left corner of the dashlet to verify

which application has the greater traffic volumes.

Step 6 Drill down on the Windows Remote Desktop application by clicking the bar

associated to ms-wbt in the Top N Applications dashlet. This makes Cisco Prime

navigate to the Application dashboard, filtered to this particular application. This

dashboard allows you to see the top N clients and servers along with their

corresponding traffic rates and volumes, all valuable information for a common

candidate application to control.

Step 7 Notice the traffic rate behavior for Windows Remote Desktop on the Application Traffic Analysis dashlet. Also notice that you can move the sliding bar at the bottom to zoom in to specific times. Use the sliding bar to zoom in to the peak traffic rate, and make a note of this rate. You will use this information in our next lab to rate-limit this application.

Note You can obtain the traffic rate at any point of the graphic by just hovering your mouse over

the line. A callout will appear to indicate the specific rate at that point of the graph.

Step 8 Click the Back button on your browser to go back to the Service Assurance

dashboard. You will notice a bar in the Top N Applications dashlet labeled

“Unknown”. Cisco Prime facilitates the discovery and re-classification of unknown

traffic. Click the Unknown bar in the dashlet.

Step 9 In order to display the associated ports, you will now add another dashlet to this

dashboard. To do so, click the Edit Dashboard icon at the top right corner of the

Cisco Prime window and expand the Add Dashlet option.

Step 10 Expand the Application Dashlets branch if it’s not expanded already, and hover

your mouse over the crosshair icon to the left of the Application Configuration

dashlet. You will see detailed information about the data sources, layout, and overall

objective of the dashlet.

Step 11 Click Add to add the Application Configuration dashlet to the dashboard.

Step 12 The dashlet is added to the bottom of the dashboard. Click the top of the dashlet area and drag it to the top of the dashboard for improved viewing.

Step 13 Now look at the different ports and byte counts for the unknown applications. With

this information, you can create a custom application definition in Cisco Prime to

assign an application and category to traffic belonging to custom applications.

Step 14 Click the Back button on your browser to go back to the Service Assurance

dashboard.

Step 15 In the Top N WAN Interfaces by Utilization, click the interface name for Tunnel11

of the branch router 3.3.3.3. This will lead you to the Interface detailed dashboard,

where you can see traffic behavior and mix for the selected interface only.

Step 16 On the Interface dashboard, scroll down to inspect the Top Application Traffic Over

Time, a powerful dashlet to understand the traffic mix per interface. Notice how this

tunnel interface is carrying the SharePoint traffic, as well as YouTube and Internet

traffic. Also notice the traffic rates, in the figure below around the 3-5 Mbps range.

Note The ability to categorize traffic using NBAR2 in this type of interface enhances visibility

inside the tunnel.

Step 17 Move to the top of the Interface dashboard and click the Interface dropdown in the

Filters section. You can change the view to inspect similar information for other

interfaces. This time navigate the dropdown options by clicking Power Branches,

then PODX-BR-RTR, then GigabitEthernet0/0. This is the physical interface used by

the DMVPN tunnel between Branch and Data Center sites.

Step 18 Click Go at the far right of the Filters section to apply the filter.

Step 19 Scroll down to check the Top Application Traffic Over Time dashlet for this GigabitEthernet0/0 interface of the branch router. You will see that this interface only sees encrypted IPsec/ESP traffic, with traffic rates similar to or greater than the Tunnel interface rates. This makes sense: the tunnel interface is the one that can see applications granularly, while the physical interface sees encapsulated traffic only.

Activity Verification

You have completed this task when you attain these results:

You have understood the application mix in the lab network, identified candidate areas of

optimization, and gathered actionable performance metrics that allow you to design the

AVC control features you would need to deploy.

Lab 4: Application Optimization – QoS Control

Activity Objective

Now that you have granular application visibility over your network traffic mix, and have

identified candidates for optimization, it’s time to enter the Control phase of AVC and start

adjusting traffic patterns according to application and user requirements. In this activity, you

will deploy application-aware QoS policies to enhance the user’s application experience.

After completing this activity, you will be able to meet these objectives:

Use CLI templates to configure marking, bandwidth reservation, and rate limiting policies

Color your traffic using DSCP, to apply QoS policy consistently across the network.

Limit the rate of non-critical traffic granularly using application awareness.

Reserve Bandwidth for mission critical applications.

Visual Objective

The figure illustrates the lab topology you will be working with.

Task 1: Deploy QoS Policy for Classification and Marking

Based on the results of AVC monitoring in the previous lab, you will now customize QoS

templates to classify application traffic using NBAR2 and mark packets using DSCP.

Complete these steps:

Step 1 Connect to the branch PC and generate traffic for all test applications (YouTube by

replaying three videos, SharePoint by downloading the 10MB and 15MB files a few

times).

Step 2 Navigate to Operate>Monitoring Dashboards>Detail Dashboards>Interface,

and use the Filters section to filter down to all applications for LAN interface of the

branch router, GigabitEthernet0/2.

Note Remember to click Go to set the filter.

Step 3 Scroll down to the DSCP Classification dashlet and verify that no DSCP marking is taking place. The dashlet should show all traffic with the default marking (value 0 or best effort).

Step 4 Navigate to Design>Configuration>Feature Design and expand the My Templates

folder below the Templates panel on the left.

Step 5 Select the Mark Critical Apps template from the list.

Step 6 On the panel on the right, review this CLI template in the CLI Content box, as it

classifies traffic using NBAR2 (match protocol statements) and marks using a policy

applied to the LAN interface.

Step 7 CLI templates can use variables to streamline bulk configurations across multiple

devices. In order to customize this template with variables, select the text

INTERFACE-RANGE at the bottom of the CLI Content box.

Step 8 With the text selected, click the Manage Variables icon at the top right corner of the

Template Detail section

Step 9 Click the radio button to select the INTERFACE-RANGE variable, and click Edit to

complete the variable definition. Use these settings:

Type: String

Display Label: Interface Range

Description: Type the interface range, separating the interfaces with a comma,

and using dashes for ranges

Required: Click to mark the checkbox

Step 10 Click Save, then Add To CLI.

Step 11 Notice how the previous string in the CLI Content box changes to include a $ sign

prepended to it.

Step 12 Click Save to the My Templates folder.

Step 13 Click Deploy at the bottom of the panel. You will deploy the classification and

marking template to the LAN interface at the branch router for outbound traffic, and

the LAN interfaces of the DC router for inbound or return traffic.

Step 14 On the Template Deployment window, click to select All in the Device Selection

section. This is because you want to mark traffic on all LAN interfaces.

Step 15 On the Value Assignment section, click to select the branch router, PODX-BR-RTR,

and configure GigabitEthernet0/2, the branch router’s LAN interface, in the

Interface Range field. Scroll down and click Apply.

Step 16 On the Value Assignment section, click to select the data center router, PODX-DC-RTR, and configure the range GigabitEthernet0/0/0-1 in the Interface Range field. Scroll down and click Apply.

Note Verify that you have configured a range of interfaces with the exact text

“GigabitEthernet0/0/0-1”, which includes GigabitEthernet0/0/0, the Internet interface, and

GigabitEthernet0/0/1, the Data Center LAN interface.

Step 17 On the Value Assignment section, click to select the cloud services router, PODX-CSR-RTR, and configure the range GigabitEthernet2, the cloud services router’s LAN interface, in the Interface Range field. Scroll down and click Apply.

Step 18 Click OK to deploy the template.

Step 19 Back at the branch PC, generate traffic for all test applications (YouTube by replaying three videos, SharePoint by downloading the 10MB and 15MB files a few times).

Step 20 On the Cisco Prime Infrastructure GUI, navigate back to Operate>Monitoring

Dashboards>Detail Dashboards>Interface, and verify that the DSCP

Classification dashlet now shows how DSCP values are being assigned.

Note Verify that interface GigabitEthernet0/2 of the branch router is still selected in the filter. Also,

you may have to change the filter to a time frame of the past 1 hour to see DSCP values

other than 0 in the chart. Remember to click Go on the Filters section, and also refresh each

dashlet by clicking the Refresh button at the top right corner of each dashlet.

Step 21 As additional verification, connect to the Branch Router CLI using the terminal

server and credentials on the Lab Resources section of the lab guide.

Step 22 Display the counters for the newly deployed classification and marking policy, using

the show policy-map interface gigabitethernet 0/2 command, and verify that packets

are being marked.

Note Student output may differ from the example.

P2-BR-RTR#show policy-map interface gigabitEthernet 0/2
 GigabitEthernet0/2

  Service-policy input: MARK

    Class-map: YOUTUBE (match-any)
      17860 packets, 1392695 bytes
      5 minute offered rate 9000 bps, drop rate 0000 bps
      Match: protocol youtube
        1380 packets, 131881 bytes
        5 minute rate 0 bps
      Match: protocol video-over-http
        4589 packets, 415661 bytes
        5 minute rate 9000 bps
      QoS Set
        dscp af41
          Packets marked 17860

    Class-map: SHAREPOINT (match-any)
      54362 packets, 3334972 bytes
      5 minute offered rate 16000 bps, drop rate 0000 bps
      Match: protocol share-point
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol binary-over-http
        54362 packets, 3334972 bytes
        5 minute rate 16000 bps
      QoS Set
        dscp af11
          Packets marked 54362

    Class-map: class-default (match-any)
      49817 packets, 3887444 bytes
      5 minute offered rate 15000 bps, drop rate 0000 bps
      Match: any
      QoS Set
        dscp default
          Packets marked 49817

Activity Verification

You have completed this task when you attain these results:

You have verified that application traffic is being marked using DSCP values.

Task 2: Deploy QoS Policy to Police YouTube Traffic

The bulk of YouTube traffic comes downstream from the Internet. For this reason it is common

to find rate limiting policies at the Data Center router for YouTube traffic flowing back to the

branches across the DMVPN.

To accomplish this objective, in this task, you will aim at controlling non-critical traffic, in this

instance the YouTube application, by creating rate limit thresholds using Cisco Prime

templates.

Complete these steps:

Step 1 Navigate to Deploy>Configuration Deployment>Configuration Tasks, and click

the My Templates branch below the Templates panel on the left.

Step 2 On the panel on the right, click the Police Non-Critical Apps link under the

Name column.

Step 3 Review the CLI commands in the Template Detail box, as they rate-limit traffic

already marked with a DSCP value of AF41 (YouTube) to 64 Kbps.

Note The 64Kbps threshold is artificial and designed for the lab objectives. It does not resemble a

recommended practice or suggested figure for production environments.

Note The ip nhrp map group BRANCHES service-policy output IWAN-8-Class-Parent command is used on the DMVPN hub router to apply per-tunnel QoS policies on DMVPN tunnel interfaces. As spoke routers register with the hub via NHRP, their NHRP group assignment is also registered, and their tunnels are then subject to the policy mapped to that NHRP group. This requires that the spoke router is configured to be part of the appropriate NHRP group. You will do this in step 10 of this task.

Step 4 Click Close, and then click to select the checkbox next to the template name.

Step 5 Click Deploy.

Step 6 You will now deploy the template to the Data Center ASR router, so that outbound YouTube traffic, egress on the DMVPN tunnel interface toward the branch, is rate-limited. To do so, in the Template Deployment window, expand the Site Groups branch and click to select the Data Center site group.

Step 7 In the Value Assignment section, configure Tunnel0 as the Interface Range. Scroll

down and click Apply.

Step 8 Click OK to deploy the template.

Step 9 Go back to Deploy>Configuration Deployment>Configuration Tasks, in order to

configure the branch side of the per-tunnel QoS configuration.

Step 10 Click the My Templates folder, and select the “QoS Per-Tunnel - Client Side”

template in the panel on the right.

Note This template completes the per-tunnel QoS configuration by assigning the tunnel spokes to

an NHRP group called BRANCHES. Refer to the note after step 3.

Step 11 Click Deploy. Select the branch router in the Device Selection section and

Tunnel10-11 in the Interface Range field of the Value Assignment section.

Note Notice that the interface range is an actual range, Tunnel10-11, which deploys per-tunnel QoS on both tunnel interfaces of the branch router. You will need both at different points of this lab, including Task 3 for bandwidth reservation.

Step 12 Scroll down to click Apply, then click OK to deploy the template.

Step 13 You are now ready to test this configuration. For verification, connect to the Data

Center ASR router using the terminal server and the credentials found in the Lab

Resources section of this lab guide.

Step 14 Display detailed DMVPN information using show dmvpn detail, and notice how the

branch router registered using the BRANCHES NHRP group, and how it has been

assigned the rate limiting policy for outbound flows.

Note You may have to wait a couple of minutes until the deployment job completes. Check back

at Administration>Jobs Dashboard to verify the status of the job.

POD2-DC-RTR#sh dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface Tunnel0 is up/up, Addr. is 172.16.99.1, VRF ""
   Tunnel Src./Dest. addr: 1.1.1.1/MGRE, Tunnel VRF ""
   Protocol/Transport: "multi-GRE/IP", Protect "DMVPN_IPSECPROFILE"
   Interface State Control: Disabled
   nhrp event-publisher : Disabled
Type:Hub, Total NBMA Peers (v4/v6): 1

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1 3.3.3.3             172.16.99.2    UP 02:45:02     D    172.16.99.2/32
NHRP group: BRANCHES
 Output QoS service-policy applied: IWAN-8-Class-Parent
<…rest of output omitted…>

Step 15 To generate relevant traffic, connect back to the branch PC and generate YouTube

traffic. Select and run at least 3 videos between 7 and 10 minutes long to generate a

relevant sample.

Step 16 On the DC router CLI, verify that traffic policing is taking place.

POD2-DC-RTR#sh policy-map multipoint tunnel 0

Interface Tunnel0 <--> 10.10.23.2

  Service-policy output: IWAN-8-Class-Parent

    Class-map: class-default (match-any)
      6951 packets, 2395257 bytes
      5 minute offered rate 58000 bps, drop rate 19000 bps
      Match: any
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 6439/2061529
      shape (average) cir 1500000, bc 6000, be 6000
      target shape rate 1500000

      Service-policy : RATE-LIMIT

        Class-map: NON-CRITICAL (match-any)
          1103 packets, 1496945 bytes
          5 minute offered rate 38000 bps, drop rate 19000 bps
          Match: ip dscp af41 (34)
          police:
              rate 64000 bps, burst 9972 bytes
            conformed 674 packets, 877875 bytes; actions:
              transmit
            exceeded 514 packets, 729503 bytes; actions:
              drop
            conformed 22000 bps, exceeded 19000 bps

        Class-map: class-default (match-any)
          5848 packets, 898312 bytes
          5 minute offered rate 25000 bps, drop rate 0000 bps
          Match: any
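Returning to the Step 14 check and the NHRP group note after step 3: a spoke that registers without the BRANCHES group is not subject to the per-tunnel policy. The Python code below is an added example, not part of the original lab guide, that audits show dmvpn detail output for that condition. The function names, the second peer row (203.0.113.7) and the assumption that a peer without a group shows no "NHRP group:" line are constructed for this example.

```python
import re

# Abridged hub output from Step 14 as printed on this page, plus ONE constructed
# peer row (203.0.113.7 / 172.16.99.3) that registered without an NHRP group.
# The peer count in the "Type:Hub" line was adjusted to match (constructed).
SAMPLE_OUTPUT = """\
POD2-DC-RTR#sh dmvpn detail
Interface Tunnel0 is up/up, Addr. is 172.16.99.1, VRF ""
Type:Hub, Total NBMA Peers (v4/v6): 2
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 3.3.3.3 172.16.99.2 UP 02:45:02 D 172.16.99.2/32
NHRP group: BRANCHES
Output QoS service-policy applied: IWAN-8-Class-Parent
1 203.0.113.7 172.16.99.3 UP 00:10:12 D 172.16.99.3/32
"""

# One row of the peer table: "# Ent", NBMA address, tunnel address, state,
# up/down time, attributes, target network.
PEER_ROW = re.compile(
    r"^\d+\s+(?P<nbma>\d+(?:\.\d+){3})\s+(?P<tunnel>\d+(?:\.\d+){3})\s+"
    r"(?P<state>\S+)\s+(?P<updn>\S+)\s+(?P<attrb>\S+)\s+(?P<target>\S+)$")


def parse_dmvpn_detail(text):
    """Return one dict per peer, with the NHRP group and QoS policy if shown."""
    peers, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        row = PEER_ROW.match(line)
        if row:
            cur = dict(row.groupdict(), nhrp_group=None, qos_policy=None)
            peers.append(cur)
        elif cur is None:
            continue                      # legend and interface header lines
        elif m := re.match(r"NHRP group: (\S+)", line):
            cur["nhrp_group"] = m[1]
        elif m := re.match(r"Output QoS service-policy applied: (\S+)", line):
            cur["qos_policy"] = m[1]
    return peers


def audit_per_tunnel_qos(peers, group, policy):
    """Return (tunnel address, problem) for every UP peer not covered by the policy."""
    findings = []
    for p in peers:
        if p["state"] != "UP":
            continue                      # only established tunnels are audited
        if p["nhrp_group"] != group:
            findings.append((p["tunnel"],
                             f"NHRP group is {p['nhrp_group']!r}, expected {group!r}"))
        elif p["qos_policy"] != policy:
            findings.append((p["tunnel"],
                             f"output policy is {p['qos_policy']!r}, expected {policy!r}"))
    return findings


if __name__ == "__main__":
    peers = parse_dmvpn_detail(SAMPLE_OUTPUT)
    for tunnel, problem in audit_per_tunnel_qos(peers, "BRANCHES", "IWAN-8-Class-Parent"):
        print(tunnel, problem)
```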

Step 17 Back at the Cisco Prime GUI, navigate to Operate>Monitoring

Dashboards>Detail Dashboards>Interface, and use the Filters section to display

information for the Tunnel0 interface of the DC Router, part of the Data Center site

group.

Note Remember to click Go on the Filters section to effectively apply the filter.

Note The selected threshold of 64 Kbps was chosen almost arbitrarily to produce a dramatic result for this lab and demonstrate the sudden drop in the application’s rate. Your results may vary. If you don’t obtain the expected results, change the threshold by editing the template at Design>Configuration>Feature Design. If you do so, you will need to redeploy the template.

Step 18 The impact of this policy can be seen in the Top Application Traffic Over Time

dashlet. Notice the sudden drop for YouTube highlighted by the sharp inflection

point for this application in the diagram.

Step 19 Analyzing packet counters and bandwidth utilization is a valid approach, but in the end it’s all about the user experience. Cisco Prime allows you a more comprehensive analysis of application and user experience, by providing the tools to drill down from an interface view to an application view to a client/user view of the information. To start, scroll up to the Top N Applications dashlet in the same Interface dashboard, and click the bar on the diagram that corresponds to YouTube or video-over-http.

Step 20 Cisco Prime immediately navigates to the Application dashboard, filtered to display

information about the YouTube application.

Note You can also navigate to this dashboard by selecting Operate>Monitoring

Dashboards>Detail Dashboards>Application

Step 21 The Application dashboard allows you to learn more about the user experience by

looking at the server side of the conversation. Scroll down to the Application Server

Performance dashlet to observe the IP addresses of YouTube servers and their

average and maximum response times.

Step 22 Click the Show Analysis link for any of the YouTube servers.

Step 23 Using this powerful tool, you can analyze information to troubleshoot average server

response times, average transaction times, network delay, and retransmissions. Use

the Troubleshoot dropdown to change the view and switch to each relevant graphic.

Notice the sliding bars at the bottom to zoom in to specific times and further isolate

issues.

Step 24 Click Close to dismiss the server analysis window.

Step 25 Back at the Application dashboard, you can also look at per-client traffic volumes on

the Top N Clients dashlet. When combining network admission control and BYOD

technologies with Cisco Prime (for instance Cisco’s ISE – Identity Services Engine)

you are in fact able to display traffic volumes per user, by clicking the Users link at

the top of the dashlet.

Note ISE is not present in this lab, so you will not be able to display per-user information.

Step 26 From there, you can drill down per client and use Cisco Prime to troubleshoot

specific client issues. So on the Top N Clients dashlet, click the branch PC client

(10.10.X1.10).

Step 27 Cisco Prime automatically navigates to the End User Experience dashboard, where

you can isolate this client’s information when using the YouTube application.

Note Remember, you first filtered to YouTube traffic, and then filtered to the Client IP. The

resulting dashboard lets you isolate issues for that client when using that application.

Step 28 On the same End User Experience dashboard, you can scroll down to the Worst N

Clients by Transaction Time dashlet, and correlate the experience of the filtered

client to that of other clients on the same site. This particular dashlet displays the

clients on that site who experience the worst transaction times for the specific

application (in this case YouTube), so you can perhaps isolate issues to the site and

not to individual clients.

Activity Verification

You have completed this task when you attain these results:

You have verified the impact of your rate-limiting policy, and used Cisco Prime to drill

down from an interface view to an application view to a user/client view of application

performance metrics.

Lab 5: Intelligent Path Control – Using PfRv3

Activity Objective

The preferred routing path before the start of the lab follows the main WAN link between

branch and Data Center for all traffic. The backup link is completely unused.

In this activity, you will continue implementing the Control side of AVC by deploying a second DMVPN tunnel across the backup link and using PfR to select routing paths according to performance instrumentation and enterprise policy. You will route traffic based on roundtrip delay, using a PfR performance policy for SharePoint traffic to fully utilize the underused backup link.

After completing this activity, you will be able to meet these objectives:

Configure the branch router for PfR learning using default settings.

Learn PfR traffic flows using the automatic option, defining traffic classes based on DSCP markings from the previous lab.

Create an enforcement policy to route YouTube application traffic on a different link when encountering delay conditions on the main link, while leaving the rest of the traffic on the main link.

Test by increasing delay on the main link, and see YouTube flows re-routing to a different link.

Visual Objective

The figure illustrates the lab topology you will be working with.

PfR uses a phased approach to deploying a traffic policy. The figure describes the operational

mode suggested in this lab:

Learning dynamically and statically, traffic classes defined by IP prefixes and DSCP values

marked on packets according to previous labs.

Active monitoring of key performance indicators, specifically roundtrip delay.

A routing policy using PBR to reroute SharePoint traffic across the backup WAN link

between branch and data center.

Enforcement at a threshold of 120 ms for roundtrip delay.

Task 1: Provision Second DMVPN Tunnel from Branch to Data Center.

In this task, you will provision a new DMVPN tunnel in the backup link between branch and

data center. As a potential path for all traffic, this tunnel must enjoy all of the features you have

deployed so far (AVC, application-aware QoS, NAT, etc). Complete these steps to deploy this

tunnel using composite templates:

Step 1 Connect to the Data Center PC and launch the Cisco Prime Infrastructure GUI.

Step 2 First, configure the DMVPN hub router. Navigate to

Design>Configuration>Feature Design, and expand the Composite Templates

folder on the left panel.

Step 3 Click Composite Templates below the Composite Templates folder, and name the

template “DMVPN Hub - All Features” in the panel on the right.

Step 4 Click Add in the Template Detail section.

Step 5 In the Templates window, expand the My Templates folder and click to select these

templates: DMVPN Hub – Padding, DMVPN Hub, and Police Non-Critical Apps.

Click Add.

Note The template DMVPN Hub - Padding is pre-configured, and it deploys all the additional and

miscellaneous settings required by all hub tunnel interfaces: a description, designation as ip

nat inside, and assignment of its subnet to the routing domain.

Step 6 Use the green arrows at the top of the template list to move the DMVPN Hub

template to the first position, so that templates are executed in the right order. This is

important, as the tunnel interface is created by the DMVPN Hub template, and then

customized by the DMVPN Hub - Padding template.

Step 7 Click Save as New Template, then click Deploy and select the Data Center site

group in the Deployed on Device section.

Step 8 Scroll down to the Value Assignment section in the Data Center site group and click

the Select Template dropdown.

Step 9 Click the radio button to select the DMVPN Hub template.

Step 10 Configure these settings for the selected template:

Physical Interface: GigabitEthernet0/0/3

IP address on the GRE tunnel interface: 172.16.88.1

Subnet mask: 255.255.255.0

Step 11 Scroll down to click Apply.

Step 12 Proceed to select the other templates from the Select Template dropdown and

configure these settings for each one. Remember, for each you must click Apply,

where applicable:

Template | Settings
Police Non-Critical Apps | Interface Range: Tunnel1
DMVPN Hub - Padding | Tunnel Subnet: 172.16.88.0 0.0.0.255; Tunnel Interface: Tunnel1

Step 13 Click OK to deploy the composite template.

Step 14 The next step is to configure the spoke router. A composite template is already

created, and it contains all the necessary settings for a spoke. Navigate back to the

Design>Configuration>Feature Design, and click the My Templates folder on the

left panel.

Step 15 Move your mouse to the right of the DMVPN Spoke – All Features to select the

edit option.

Step 16 Use the green arrows at the top of the template list to move the DMVPN Spokes –

Second Tunnel template to the first position, so that templates are executed in the

right order. This is important, as the tunnel interface is created by the DMVPN

Spokes – Second Tunnel template, and then customized by the DMVPN Spokes -

Padding template. Click Save to save your new settings.

Step 17 Click Deploy.

Step 18 Select the Power Branches site group, and use the Select Template dropdown to

select each of the three templates to configure these settings:

Note Remember, you must click Apply for each template to commit the settings per template

before you select the next one.

Template | Settings
DMVPN Spokes – Second Tunnel | Physical Interface: GigabitEthernet0/1; IP address of the tunnel: 172.16.88.2; Subnet mask: 255.255.255.0
DMVPN Spokes - Padding | Tunnel Subnet: 172.16.88.0 0.0.0.255; Tunnel Interface: Tunnel12
QoS Per-Tunnel - Client Site | Interface Range: Tunnel12

Step 19 Click OK to deploy the composite template.

Step 20 Navigate to Operate>Device Work Center, select the PODX-DC-RTR and PODX-

BR-RTR, and click Sync.

Step 21 Now that the new tunnel interfaces exist in both routers, branch and data center,

proceed to deploy the Enterprise AVC template again. Because the new tunnel

interfaces acquired a description that contains the word WAN through the composite

templates, they are automatically assigned to the dynamic interface role that makes

them acquire the AVC configuration.

Note Refer to previous labs (Lab 3 Task 2) to refresh how to deploy the Enterprise AVC template.

You basically have to navigate to Deploy>Configuration Deployment>Configuration

Tasks, find the template, click Deploy, and select the Power Branches and Data Center site

groups.

Step 22 Connect to the DC router console using the terminal server, and verify the new

tunnel operations. Status should be up/up, and the IWAN-8-Class-Parent policy

should be applied.

POD4-DC-RTR#show dmvpn detail | begin Tunnel1

Interface Tunnel1 is up/up, Addr. is 172.16.88.1, VRF ""

Tunnel Src./Dest. addr: 10.10.44.1/MGRE, Tunnel VRF ""

Protocol/Transport: "multi-GRE/IP", Protect "DMVPN_IPSECPROFILE_1"

Interface State Control: Disabled

nhrp event-publisher : Disabled

Type:Hub, Total NBMA Peers (v4/v6): 1

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network

----- --------------- --------------- ----- -------- ----- -----------------

1 10.10.44.2 172.16.88.2 UP 00:21:33 D 172.16.88.2/32

NHRP group: BRANCHES

Output QoS service-policy applied: IWAN-8-Class-Parent

Activity Verification

You have completed this task when you attain these results:

The second tunnel between the branch and data center routers is operational.

Task 2: Provision Routers for PfR with Automatic Profiling.

In the presence of two alternative paths from branch to data center, you will now start

configuring PfR to make intelligent use of those paths. In this task, you will provision the

Branch Router as PfR Master Controller (MC) and Border Router (BR), with automatic

profiling of traffic classes for the learning phase. Complete these steps:

Step 1 Connect to the Branch PC using the information found in the Lab Resources section

of this lab guide.

Step 2 Trace the SharePoint and YouTube destinations. You may see traffic now using both links, or everything going over one link. What we are seeing is the randomness of EIGRP with two equal-cost paths. With PfR we can add control to our traffic flows and predict which path will be used.

Note Remember, the subnet for the main tunnel is 172.16.99.0 and the 2nd

tunnel is 172.16.88.0

Step 3 At the branch PC, generate traffic for all test applications (YouTube by replaying

three videos, SharePoint by downloading the 10MB and 15MB files a few times).

Step 4 For more focused analysis, you will modify pre-configured port groups to include

only tunnel interfaces. In order to accomplish this, navigate to Design>Management

Tools>Port Grouping and click the ALL folder on the left panel.

Step 5 Select the Tunnel11 and Tunnel12 interfaces of device 3.3.3.3 (the branch router),

click Add to Group, and navigate to select the DMVPN Tunnels - Branch group

from the list, and click Save.

Step 6 Now verify interface utilization on the branch router by navigating to

Home>Performance>Network Interface on Cisco Prime and locating the Top N

Interfaces Utilization dashlet.

Step 7 Select the Dashlet Options icon at the top right corner of the dashlet, and change the

Refresh Interval to 30 seconds, and the Port Group dropdown to filter to the

DMVPN Tunnels - Branch port group.

Step 8 Click Save and Close. Refresh the dashlet and observe interface Tunnel11 and

Tunnel12 are used for all traffic.

Note It may take some time for the below chart to appear in Prime properly. Continue on with the

lab steps and we will revisit this chart again in a future step.

Step 9 Let’s add some control to our traffic by deploying the initial components of PfR. You will first deploy a template that creates the PfR domain and defines the interfaces.

Navigate to Deploy>Configuration Deployment>Configuration Tasks, and click

the My Templates folder.

Step 10 On the panel on the right, click the PfR-Activation-DC link under the Name column.

Step 11 Review the CLI commands in the Template Detail box, as they establish a router as

both PfR MC and BR, and fire off automatic learning.

Note Variables have already been configured on this template for deployment flexibility: you will

deploy it to the Data Center router.

Step 12 Click Close, and then click to select the checkbox next to the same PfR-Activation-

DC template.

Step 13 Click Deploy.

Step 14 Select the Data Center site group in the Device Selection section, and configure

these settings in the Value Assignment section:

First WAN Interface: Tunnel0

Second WAN Interface: Tunnel1

Step 15 Scroll down to click Apply, then click OK at the bottom to submit deployment.

Step 16 Connect to the console of the data center router, and display status of the PfR

Master Controller and Border Router on the datacenter router.

POD4-DC-RTR#show domain default master status
*** Domain MC Status ***
Master VRF: Global
Instance Type: Hub
Instance id: 0
Operational status: Up
Configured status: Down
Missing Configs: Policy configuration
Loopback IP Address: 1.1.1.1
Load Balancing:
Admin Status: Disabled
Operational Status: Down
Enterprise top level prefixes configured: 0
Route Control: Enabled
Mitigation mode Aggressive: Disabled
Policy threshold variance: 20
Minimum Mask Length: 28
Sampling: off
Borders:
IP address: 1.1.1.1
Connection status: CONNECTED (Last Updated 00:00:40 ago )
Interfaces configured:
Name: Tunnel0 | type: external | Service Provider: MPLS | Status: UP
Number of default Channels: 0
Name: Tunnel1 | type: external | Service Provider: INET | Status: UP
Number of default Channels: 0
Tunnel if: Tunnel2
---------------------------------------------------------------------

Step 17 Repeat steps 9 to 16, but this time use the PfR-Activation-Branch template, deploy it

to the Power Branches site group, and use these settings when deploying:

First WAN Interface: Tunnel11

Second WAN Interface: Tunnel12

Step 18 Review the CLI commands in the Template Detail box, as they establish this router

as both PfR Branch MC and BR.

Note Variables have already been configured on this template for deployment flexibility: you will

deploy it to the Data Center router.

Step 19 Click Deploy and deploy it to the Power Branches site group, and use these settings

when deploying:

First WAN Interface: Tunnel11

Second WAN Interface: Tunnel12

Step 20 Connect to the Branch router CLI. Display the global parameters for the Master

Controller role using the show domain default master status command. Notice

these default and custom settings:

The Instance Type is Branch.

The Border status is connected and it has learned the Interface types from the

Hub MC on the data center router.

Note It may take a few seconds for the Hub and Branch to sync and display this information.

POD4-DC-RTR#show domain default master status

*** Domain MC Status ***

Master VRF: Global

Instance Type: Branch

Instance id: 0

Operational status: Up

Configured status: Up

Loopback IP Address: 3.3.3.3

Load Balancing:

Operational Status: Down

Route Control: Enabled

Mitigation mode Aggressive: Disabled

Policy threshold variance: 20

Minimum Mask Length: 28

Sampling: off

Minimum Requirement: Met

Borders:

IP address: 3.3.3.3

Connection status: CONNECTED (Last Updated 00:02:22 ago )

Interfaces configured:

Name: Tunnel11 | type: external | Service Provider: MPLS | Status: UP

Number of default Channels: 0

Name: Tunnel12 | type: external | Service Provider: INET | Status: UP

Number of default Channels: 0

Tunnel if: Tunnel0

---------------------------------------------------------------------

Activity Verification

You have completed this task when you attain these results:

You have enabled PfR MC and BR on both the data center and branch routers.

Task 3: Configure Custom Traffic Classes Using DSCP Values.

In this task, you change the default configuration to match your network environment. You will

create custom traffic classes for SharePoint traffic, to later define a custom policy for these

applications.

Complete these steps:

Step 1 Navigate to Deploy>Configuration Deployment>Configuration Tasks, and click

the My Templates folder.

Step 2 On the panel on the right, click the PfR-Enterprise-Traffic link under the

Name column.

Step 3 Review the CLI commands in the Template Detail box. They create enterprise traffic classes for the PfR policy for SharePoint. Notice how classification is accomplished using existing DSCP markings on packets, previously configured in Lab 4. NBAR2 classification can also be used for powerful application-aware custom classes. Also notice how delay is the performance metric measured for the SharePoint traffic classes.

Note In this lab, NBAR classification has already taken place, as part of your QoS strategy in the

previous lab. It only makes sense that you take advantage of this fact to define PfR traffic

classes, especially due to performance considerations: costly NBAR deep packet inspection

is performed only once, and PfR just looks at DSCP markings to define traffic classes.

Step 4 Click Close, and then click to select the checkbox next to the same PfR-Enterprise-

Traffic template.

Step 5 Click Deploy at the top of the list.

Step 6 Select the Data Center site group in the Device Selection section, and click OK at

the bottom to submit deployment. This template does not have variables or values to

submit per device.

Step 7 Generate more traffic (YouTube and SharePoint) from the Branch PC.

Step 8 Back at the Data Center Router CLI, display the new deployed traffic classes.

Notice the default behavior is not set to load-balance and the class critical-

applications is now monitoring SharePoint traffic based on its DSCP tagging.

POD4-DC-RTR#sh run | sec domain
ip domain name pod4.ax.local
domain default
 vrf default
  border
   source-interface Loopback0
   master 1.1.1.1
   password Cisco123
  master hub
   source-interface Loopback0
   site-prefixes prefix-list HQ_PREFIX
   password Cisco123
   load-balance
   class critical-application sequence 10
    match dscp af11 policy custom
     priority 1 one-way-delay threshold 120
    path-preference MPLS fallback INET
domain path MPLS
domain path INET

Activity Verification

You have completed this task when you attain these results:

You have defined custom traffic classes to match your traffic mix and application

requirements.

Task 4: Monitor and Manipulate PfR.

In this task, you will alter the WAN Bridge to trigger PfR to enforce paths on the PfR routers

according to policies.

Complete these steps:

Step 1 Verify the MPLS link is now the primary path for your SharePoint traffic (af11).

POD4-DC-RTR#show domain default master traffic-class summary

APP - APPLICATION, TC-ID - TRAFFIC-CLASS-ID, APP-ID - APPLICATION-ID

SP - SERVICE PROVIDER, PC = PRIMARY CHANNEL ID,

BC - BACKUP CHANNEL ID, BR - BORDER, EXIT - WAN INTERFACE

UC - UNCONTROLLED, PE - PICK-EXIT, CN - CONTROLLED, UK – UNKNOWN

Dst-Site-Pfx Dst-Site-Id APP DSCP TC-ID APP-ID State SP PC/BC BR/EXIT

10.20.10.160/28 Internet N/A default 3 N/A CN MPLS 1/NA 1.1.1.1/Tunnel0

10.10.41.0/24 3.3.3.3 N/A af41 5 N/A CN MPLS 7/8 1.1.1.1/Tunnel0

10.10.41.0/24 3.3.3.3 N/A default 4 N/A CN MPLS 3/NA 1.1.1.1/Tunnel0

10.10.41.0/24 3.3.3.3 N/A af11 6 N/A CN MPLS 9/10 1.1.1.1/Tunnel0

3.3.3.3/32 3.3.3.3 N/A default 7 N/A CN MPLS 3/NA 1.1.1.1/Tunnel0

Total Traffic Classes: 5 Site: 4 Internet: 1

Step 2 Go to your Branch PC, connect to the ESXi vCenter server on that module using the information in the Lab Resources section of this guide, and let’s impair our WANBRIDGE-1.

Step 3 Open the console access and select option 7: 120ms Round trip delay with .5% packet

loss.

Step 4 Back at the branch PC, generate SharePoint traffic.

Step 5 Verify the MPLS link is now out of Policy and the traffic is moved to the INET link

on the Branch router. You can move the traffic back and forth by adjusting the

values of your WAN Bridge. If your traffic was on MPLS simply adjust the WAN

Bridge to cause that path to be out of Policy.

POD4-BR-RTR#show domain default master traffic-class summary

APP - APPLICATION, TC-ID - TRAFFIC-CLASS-ID, APP-ID - APPLICATION-ID

SP - SERVICE PROVIDER, PC = PRIMARY CHANNEL ID,

BC - BACKUP CHANNEL ID, BR - BORDER, EXIT - WAN INTERFACE

UC - UNCONTROLLED, PE - PICK-EXIT, CN - CONTROLLED, UK - UNKNOWN

Dst-Site-Pfx Dst-Site-Id APP DSCP TC-ID APP-ID State SP PC/BC BR/EXIT

10.98.64.64/28 Internet N/A default 65 N/A CN INET 463/NA 3.3.3.3/Tunnel12

10.10.0.0/24 1.1.1.1 N/A default 77 N/A CN MPLS 470/NA 3.3.3.3/Tunnel11

10.10.0.0/24 1.1.1.1 N/A af11 78 N/A CN INET 473/472 3.3.3.3/Tunnel12

Total Traffic Classes: 3 Site: 2 Internet: 1

POD5-BR-RTR#show domain default master channels dscp af11

Legend: * (Value obtained from Network delay:)

Channel Id: 472 Dst Site-Id: 1.1.1.1 Link Name: MPLS DSCP: af11 [10] TCs: 0

Channel Created: 00:04:57 ago

Provisional State: Initiated and open

Operational state: Available

Interface Id: 19

Estimated Channel Egress Bandwidth: 23 Kbps

Immitigable Events Summary:

Total Performance Count: 0, Total BW Count: 0

ODE Stats Bucket Number: 1

Last Updated : 00:00:28 ago

Packet Count : 2061

Byte Count : 87280

One Way Delay : 163 msec*

Loss Rate Pkts: 0.0 %

Loss Rate Byte: 0.0 %

Jitter Mean : 17449 usec

Unreachable : FALSE

ODE Stats Bucket Number: 2

Last Updated : 00:03:27 ago

Packet Count : 2033

Byte Count : 86110

One Way Delay : 216 msec*

Loss Rate Pkts: 0.0 %

Loss Rate Byte: 0.0 %

Jitter Mean : 25610 usec

Unreachable : FALSE

TCA Statitics:

Received:2 ; Processed:2 ; Unreach_rcvd:0

Latest TCA Bucket

Last Updated : 00:00:28 ago

One Way Delay : 163 msec*

Loss Rate Pkts: NA

Loss Rate Byte: NA

Jitter Mean : NA

Unreachability: FALSE

Channel Id: 473 Dst Site-Id: 1.1.1.1 Link Name: INET DSCP: af11 [10] TCs: 1

Channel Created: 00:04:53 ago

Provisional State: Initiated and open

Operational state: Available

Interface Id: 20

Estimated Channel Egress Bandwidth: 23 Kbps

Immitigable Events Summary:

Total Performance Count: 0, Total BW Count: 0

ODE Stats Bucket Number: 1

Last Updated : 00:00:27 ago

Packet Count : 586

Byte Count : 42192

One Way Delay : 58 msec*

Loss Rate Pkts: 0.67 %

Loss Rate Byte: 0.0 %

Jitter Mean : 374 usec

Unreachable : FALSE

ODE Stats Bucket Number: 2

Last Updated : 00:03:28 ago

Packet Count : 591

Byte Count : 42552

One Way Delay : 59 msec*

Loss Rate Pkts: 0.16 %

Loss Rate Byte: 0.0 %

Jitter Mean : 345 usec

Unreachable : FALSE

TCA Statitics:

Received:0 ; Processed:0 ; Unreach_rcvd:0

Step 6 Go back to your Branch PC, connect to the ESXi vCenter server on that module using the information in the Lab Resources section of this guide, and let’s remove the impairment from our WANBRIDGE-1.

Step 7 Open the console access and select option 3: 40ms Round trip delay with .1% packet

loss.

Activity Verification

You have completed this task when you attain these results:

You have provided route control to PfR, which now controls traffic paths according to

desired policy.
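
The policy from Task 3 (one-way-delay threshold 120, path-preference MPLS fallback INET) checked against the channel output from Step 5, as an added example that is not part of the lab guide or of Cisco's tooling. The function names and the simplified selection logic are assumptions (the router's own decision is driven by TCAs); the sample text is a trimmed copy of the Step 5 output.

```python
import re

# Constructed sample: trimmed copy of the Step 5 output of
# "show domain default master channels dscp af11" (unrelated counters omitted).
SAMPLE = """\
Channel Id: 472 Dst Site-Id: 1.1.1.1 Link Name: MPLS DSCP: af11 [10] TCs: 0
ODE Stats Bucket Number: 1
Last Updated : 00:00:28 ago
One Way Delay : 163 msec*
Loss Rate Pkts: 0.0 %
Unreachable : FALSE
ODE Stats Bucket Number: 2
Last Updated : 00:03:27 ago
One Way Delay : 216 msec*
Loss Rate Pkts: 0.0 %
Unreachable : FALSE
TCA Statitics:
Received:2 ; Processed:2 ; Unreach_rcvd:0
Latest TCA Bucket
Last Updated : 00:00:28 ago
One Way Delay : 163 msec*
Loss Rate Pkts: NA
Channel Id: 473 Dst Site-Id: 1.1.1.1 Link Name: INET DSCP: af11 [10] TCs: 1
ODE Stats Bucket Number: 1
Last Updated : 00:00:27 ago
One Way Delay : 58 msec*
Loss Rate Pkts: 0.67 %
Unreachable : FALSE
ODE Stats Bucket Number: 2
Last Updated : 00:03:28 ago
One Way Delay : 59 msec*
Loss Rate Pkts: 0.16 %
Unreachable : FALSE
TCA Statitics:
Received:0 ; Processed:0 ; Unreach_rcvd:0
"""

CHANNEL_RE = re.compile(
    r"Channel Id:\s*(\d+)\s+Dst Site-Id:\s*(\S+)\s+Link Name:\s*(\S+)"
    r"\s+DSCP:\s*(\S+)\s+\[\d+\]\s+TCs:\s*(\d+)")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.+?)\s*$")


def _age_seconds(text):
    """Convert 'HH:MM:SS ago' to seconds."""
    h, m, s = (int(p) for p in text.split()[0].split(":"))
    return h * 3600 + m * 60 + s


def parse_channels(output):
    """Return one dict per channel with its ODE buckets and received-TCA count."""
    channels, current, bucket = [], None, None
    for line in output.splitlines():
        m = CHANNEL_RE.search(line)
        if m:
            current = {"id": int(m.group(1)), "site": m.group(2),
                       "link": m.group(3), "dscp": m.group(4),
                       "tcs": int(m.group(5)), "buckets": [], "tca_received": 0}
            channels.append(current)
            bucket = None
        elif current is None:
            continue
        elif "ODE Stats Bucket Number" in line:
            bucket = {}
            current["buckets"].append(bucket)
        elif "TCA" in line:            # TCA sections end the ODE bucket list
            bucket = None
        elif line.strip().startswith("Received:"):
            current["tca_received"] = int(re.search(r"Received:\s*(\d+)", line).group(1))
        elif bucket is not None and FIELD_RE.match(line):
            key, value = FIELD_RE.match(line).groups()
            if key == "Last Updated":
                bucket["age_s"] = _age_seconds(value)
            elif key == "One Way Delay":
                bucket["delay_ms"] = int(value.split()[0])
            elif key == "Loss Rate Pkts":
                bucket["loss_pct"] = float(value.split()[0])
            elif key == "Unreachable":
                bucket["unreachable"] = value == "TRUE"
    return channels


def select_path(channels, delay_threshold_ms=120, preference=("MPLS", "INET")):
    """Simplified model: pick the first preferred link whose newest ODE bucket
    is reachable and within the one-way-delay threshold."""
    status = {}
    for ch in channels:
        if not ch["buckets"]:
            continue
        newest = min(ch["buckets"], key=lambda b: b.get("age_s", 0))
        ok = (not newest.get("unreachable", False)
              and newest.get("delay_ms", 0) <= delay_threshold_ms)
        status[ch["link"]] = {"channel": ch["id"],
                              "delay_ms": newest.get("delay_ms"),
                              "in_policy": ok}
    for link in preference:
        if status.get(link, {}).get("in_policy"):
            return link, status
    return None, status


if __name__ == "__main__":
    link, status = select_path(parse_channels(SAMPLE))
    print("selected path:", link)
    for name, info in status.items():
        print(name, info)
```

With the Step 5 values the MPLS channel (472) is out of policy and INET (473) is selected, which matches the af11 traffic class moving to Tunnel12.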

Optional Lab: Application Optimization – Using WAAS

Activity Objective

In this activity you deploy the building blocks of a WAN optimization deployment using

WAAS and AppNav.

After completing this activity, you will be able to meet these objectives:

Deploy vWAAS running on UCS-E at the branch router.

Configure AppNav-XE on Data Center and Cloud Services routers using Cisco Prime

Infrastructure templates.

Verify WAAS optimization effectiveness using WAAS Central Manager.

Visual Objective

The figure illustrates the lab topology you will be working with.

Task 1: Deploy vWAAS At the Branch ISR G2 Router

In this task, you will initialize the branch vWAAS service, register the device to the WAAS

Central Manager, and configure WCCP as the traffic interception method for WAN

optimization services in the branch.

Step 1 Log in to the Branch PC, connect to the ESXi vCenter server on that module using

the information on the Lab Resources section of this guide and power up the

vWAAS virtual machine. Wait until the VM is powered up.

Step 2 Log in to the Data Center PC and access the WAAS Central Manager GUI using a

web browser, at https://10.10.0.111:8443. Dismiss digital certificate warnings on

your browser, and log in to WAAS Central Manager using the credentials found in

the Lab Resources section of this lab guide.

Step 3 Navigate to Devices using the top menu. Verify that all WAAS Application

Accelerators on the Data Center and Cloud Services locations are registered to the

Central Manager.

Note The Management Status column will display all devices Online.

Step 4 You will now initialize the branch vWAAS device. Remember, this device is

hosted as a virtual machine on the UCS-E module of the branch router. Log in to the

Branch PC and connect to the ESXi vCenter server on the UCS-E module using the

information on the Lab Resources section of this lab guide.

Step 5 Navigate to the console of the PodX-BR-vWAAS1 virtual machine, and log in using

the credentials found in the Lab Resources section of this lab guide.

Step 6 Configure a hostname of PodX-BR-vWAAS.

Note Remember, X=pod number

NO-HOSTNAME#config t

NO-HOSTNAME(config)#hostname BR-vWAAS

Step 7 Configure interface virtual 1/0 with an IP address of 10.10.X1.4/24, and configure a

default gateway of 10.10.X1.1.

BR-vWAAS(config)#interface virtual 1/0

BR-vWAAS(config-if)#ip address 10.10.X1.4 255.255.255.0

BR-vWAAS(config-if)# no shut

BR-vWAAS(config-if)#exit

BR-vWAAS(config)#ip default-gateway 10.10.X1.1

Step 8 Configure the virtual 1/0 interface as primary, and verify you can ping the WAAS

Central Manager at 10.10.0.111.

BR-vWAAS(config)#primary-interface virtual 1/0

BR-vWAAS(config)#exit

BR-vWAAS#ping 10.10.0.111

PING 10.10.0.111 (10.10.0.111) 56(84) bytes of data.

64 bytes from 10.10.0.111: icmp_seq=1 ttl=62 time=81.1 ms

64 bytes from 10.10.0.111: icmp_seq=2 ttl=62 time=81.6 ms

64 bytes from 10.10.0.111: icmp_seq=3 ttl=62 time=81.5 ms

64 bytes from 10.10.0.111: icmp_seq=4 ttl=62 time=81.3 ms

64 bytes from 10.10.0.111: icmp_seq=5 ttl=62 time=81.2 ms

--- 10.10.0.111 ping statistics ---

5 packets transmitted, 5 received, 0% packet loss, time 4000ms

rtt min/avg/max/mdev = 81.129/81.382/81.656/0.407 ms

Step 9 Configure the Central Manager IP address and register with it by running the cms enable command.

BR-vWAAS(config)#central-manager address 10.10.0.111

BR-vWAAS(config)#cms enable

Registering WAAS Applicatio Engine…

Sending device registraion request to Central Manager with address 10.10.0.111

Please Wait, initializing CMS tables

Successfully initialized CMS tables

Registration complete.

Please preserve running configuration using ‘copy running-config startup-config’.

Otherwise management service will not be started on reload and node will be shown ‘offline’ in the WAAS Central Manager UI.

Management services enabled

BR-vWAAS(config)#

Step 10 Connect to the DC PC again, and go back to the Devices option in WAAS Central

Manager. Verify that the BR-vWAAS device is now registered and online. You will

notice, however, that it shows Not Active in the License Status column.

Step 11 Click Activate All Inactive Devices in the menu at the top of the device list.

Step 12 Select the radio button next to Select an existing location for all inactive Devices, select your branch location from the dropdown, then click Submit.

The branch vWAAS device will now show Enterprise in the License Status column.

Step 13 Click the BR-vWAAS device icon to edit the device using the device dashboard.

Step 14 Click the link “1 Device Group(s)” in the Assignments field to assign this

device to a device group.

Step 15 Click the blue X next to the Branches device group, and click Submit at the bottom.

Note The blue X becomes a green arrow when you click on it.

Step 16 Go back to the BR-vWAAS dashboard by clicking BR-vWAAS>Dashboard at

the top.

Step 17 Select WCCP from the Interception Method dropdown.

Step 18 Configure these WCCP settings:

Enable WCCP Service: checked

Use Default Gateway as WCCP Router: checked

Redirect Method: WCCP GRE

Egress Method: WCCP GRE

Activity Verification

You have completed this task when you attain these results:

You have registered the Branch WAE to Central Manager and configured it for WCCP

interception.

Task 2: Configure the Branch Router for WCCP

In this task, you will use Cisco Prime templates to configure the branch router to intercept and

redirect traffic to the WAE using WCCP.

Step 1 Connect to the Data Center PC and log in to the Cisco Prime Infrastructure GUI

using the credentials found in the Lab Resources section of this lab guide.

Step 2 Navigate to Design>Configuration>Feature Design, and click the My Templates

folder.

Step 3 On the panel on the right, click the WCCP-for-WAAS link under the Name column.

Step 4 Review the CLI commands in the Template Detail box, as they configure routers to

join a WCCP domain for redirection into the branch vWAAS.

Step 5 Click Close, and then click to select the checkbox next to the same WCCP-for-WAAS

template.

Step 6 Click Deploy, and select the Power Branches site group in the Device Selection

section.

Step 7 Under the Value Assignment section, configure these settings:

LAN Interface: ucse1/0

Outbound Interface: Tunnel10-12

Inbound Interface: Tunnel10-12

Note Notice how the interface settings configure interface ranges, Tunnel10-12. You are

deploying WAAS optimization on the two DMVPN tunnels that connect the branch to the

Data Center, as well as the DMVPN tunnel that connects the branch to the Cloud Services

segment.

Step 8 Click Apply and then OK to deploy.


Step 9 Connect to the branch router using the terminal server, and confirm that the BR-vWAAS WAE is detected as part of the WCCP domain from the router. Use the show ip wccp clients command for WCCP groups 61 and 62:

POD4-BR-RTR#show ip wccp 61 clients

WCCP Client information:

WCCP Client ID: 10.10.41.4

Protocol Version: 2.00

State: Usable

Redirection: GRE

Packet Return: GRE

Assignment: MASK

Connect Time: 00:15:37

Redirected Packets:

Process: 0

CEF: 97

GRE Bypassed Packets:

Process: 0

CEF: 97

Mask Allotment: 16 of 16 (100.00%)

POD4-BR-RTR#show ip wccp 62 clients

WCCP Client information:

WCCP Client ID: 10.10.41.4

Protocol Version: 2.00

State: Usable

Redirection: GRE

Packet Return: GRE

Assignment: MASK

Connect Time: 00:15:45

Redirected Packets:

Process: 0

CEF: 524

GRE Bypassed Packets:

Process: 0

CEF: 298

Mask Allotment: 16 of 16 (100.00%)

Step 10 Back at the Branch PC, generate traffic for all applications, YouTube and

SharePoint. Verify that connectivity to these services has not been affected even

though WAAS is still not configured on the Data Center or the Cloud Service.


Step 11 Log back into WAAS Central Manager, and navigate to

Home>Monitor>Network>Summary Report.

Step 12 Scroll down to the Traffic Summary Over Time dashlet, and click to compare

original versus optimized traffic. Optimized traffic statistics are non-existent

because the WAAS device at the branch is passing traffic through, in the absence of

a WAAS device at the Data Center. This demonstrates the transparency and

flexibility of WAAS deployments.


Step 13 To verify Pass-Through, you can click the Pass-Through checkbox of the Traffic

Summary Over Time dashlet, or look at the statistics on the

Activity Verification

You have completed this task when you attain these results:

Your branch router is redirecting traffic to the WAAS device, and the WAAS device is passing traffic through.
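The Step 9 check, scripted as an added example that is not part of the original lab guide: it parses pasted show ip wccp clients output and flags any service group where the WAE is missing, not Usable, or not using the GRE redirect and return methods set in Task 1, Step 18. The function names and the failure sample are constructed for illustration; the field names are those in the Step 9 output.

```python
import re

CMD = re.compile(r"#\s*show ip wccp (\d+) clients")
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.+?)\s*$")

def parse_wccp_clients(text):
    """Return {service_group: [{field: value}, ...]} from pasted router output."""
    groups, group, client = {}, None, None
    for line in text.splitlines():
        if (m := CMD.search(line)):
            group, client = int(m.group(1)), None
            groups[group] = []
        elif group is not None and (m := FIELD.match(line)):
            key, value = m.groups()
            if key == "WCCP Client ID":      # each client entry starts with its ID
                groups[group].append(client := {})
            if client is not None:
                client[key] = value
    return groups

def check_wccp(text, expected_groups=(61, 62)):
    """Return a list of findings; an empty list means every check passed."""
    findings, groups = [], parse_wccp_clients(text)
    for g in expected_groups:
        clients = groups.get(g, [])
        if not clients:
            findings.append(f"group {g}: no WCCP client registered")
        for c in clients:
            cid = c.get("WCCP Client ID", "?")
            if c.get("State") != "Usable":
                findings.append(f"group {g} {cid}: state is {c.get('State')}")
            for field in ("Redirection", "Packet Return"):   # Step 18 set both to WCCP GRE
                if c.get(field) != "GRE":
                    findings.append(f"group {g} {cid}: {field} is {c.get(field)}, expected GRE")
            m = re.match(r"(\d+) of (\d+)", c.get("Mask Allotment", ""))
            if not m or m.group(1) != m.group(2):
                findings.append(f"group {g} {cid}: mask allotment is {c.get('Mask Allotment')}")
    return findings

# Healthy case: fields copied from the Step 9 output (counters omitted).
GOOD = "\n".join(
    f"POD4-BR-RTR#show ip wccp {g} clients\nWCCP Client information:\n"
    "WCCP Client ID: 10.10.41.4\nState: Usable\nRedirection: GRE\n"
    "Packet Return: GRE\nAssignment: MASK\nMask Allotment: 16 of 16 (100.00%)"
    for g in (61, 62))
# Constructed failure case: group 61 negotiated L2 redirection, group 62 has no client.
BAD = (GOOD.split("POD4-BR-RTR#show ip wccp 62")[0].replace("Redirection: GRE", "Redirection: L2")
       + "POD4-BR-RTR#show ip wccp 62 clients\n")
print(check_wccp(GOOD), check_wccp(BAD))
```

An empty list for both groups corresponds to the State: Usable, GRE and 16 of 16 values shown in Step 9.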


Task 3: Deploy Akamai Connect for the Branch

In this task, you will configure the Akamai Connect feature within WAAS. You will enable

Akamai Connect through the WAAS Central Manager to cache Web traffic in the branch

vWAAS instance.

Step 1 Akamai Connect requires the Central Manager be configured with proper DNS and

NTP settings. Connect to the Central Manager menu and select the CM device from

the Devices dropdown menu.

Step 2 Click Network>DNS and configure the following settings: Local DNS Name: podX.ax.local and List of DNS Servers: 128.107.212.175. Then click Submit to save your settings.


Step 3 Check that your CM NTP settings are also using the same server as the DNS by moving your mouse over Configure and clicking Date/Time>NTP. If needed, set the NTP server to 128.107.212.175 and click Submit.

Step 4 In the Central Manager menu, navigate to Device Groups>Branch, click Branch, and then choose Configure > Caching > Akamai Connect.

Step 5 Under the cache settings click on the check box to enable Akamai Connect.

Step 6 Accept the End User License Agreement.

Note The agreement then disappears from the screen. Click the Submit button in the lower left corner of the page to finish this process.


Step 7 From your Branch PC, browse to web sites such as www.cnn.com, www.espn.com and www.cisco.com.

Step 8 Close the pages and clear the browser cache on your Branch PC, then reopen the same web pages.

Activity Verification

You have completed this task when you attain these results:

Akamai Connect is now configured and can be monitored and managed from WAAS Central Manager.


Task 4: Deploy AppNav at the Data Center ASR Router

In this task, you will configure AppNav on the ASR router in the Data Center using the Cisco

WAAS Central Manager. Refer to the Visual Objectives of this lab to clarify the AppNav

Cluster topology for this router: the ASR will become the AppNav Controller, redirecting

traffic to the vWAAS appliances on the Data Center segment (WN1 and WN2), which will

become the WAAS Nodes in the cluster.

Step 1 Connect to the data center router using the terminal server, and generate an RSA crypto key using the command crypto key generate rsa from config mode. Accept the default 512-bit key size.

Step 2 Log in to the WAAS Central Manager GUI, and navigate to

Home>Admin>Security>Cisco IOS Global Router Credentials

Step 3 Configure username admin, password labops.

Note The credentials you just configured will allow Central Manager to use HTTPS to

communicate with all registered IOS routers.

Step 4 Now navigate to Home > Admin > Registration > Cisco IOS Routers, in order to

register the ASR device to Central Manager.

Step 5 Configure these settings:

IP Address(es): 1.1.1.1

Username: admin

Password: labops

Enable password: lab-cert

Step 6 Click Register. After a few seconds, the ASR router will appear under the

Registration Status section at the bottom. The Status column displays a successful

status, and the Router Type column displays AppNav-XE Controller.

Step 7 You will now use the AppNav wizard to set up the Data Center AppNav Cluster using the WN1 and WN2 vWAAS instances. Navigate to the AppNav menu at the top and select the All AppNav option.

Step 8 In the AppNav section, click to launch the AppNav Wizard.

Step 9 Select the ASR 1000 Series from the AppNav Platform drop-down list.

Step 10 Then click Next at the bottom of the screen.


Step 11 Configure these settings:

Cluster Name: DC-WNG

WAAS Cluster Id: waas/2

Step 12 Click Next and choose the following under Device Selection:

AppNav-XEs: PODX-DC-RTR

WAAS Node: vWN1 & vWN2


Step 13 Click Next and notice that the Default VRF is already chosen, so click Next again to set up Interception/Cluster Interfaces. Select the following settings:

WAN interfaces: Tunnel0 and Tunnel1

Select the Cluster Interface: GigabitEthernet0/0/1

Step 14 Click Next to select the Cluster Interface on the WAAS Node.

Step 15 Set Virtual 1/0 as the Cluster Interface and click Next; on the next screen, click Finish.

Step 16 After a few minutes the new AppNav Cluster will turn green and be

fully operational.


Activity Verification

You have completed this task when you attain these results:

The Data Center AppNav cluster is configured and can be monitored and managed from

WAAS Central Manager.

Task 5: Verify the Effectiveness of WAAS Optimization

In this task, you will use Cisco Prime Infrastructure and Cisco WAAS Central Manager GUIs

to verify the effectiveness and impact of WAAS optimization under the AppNav architecture.

Step 1 Return to the Branch PC and generate our test traffic with SharePoint and YouTube.

Step 2 Download the SharePoint files a few times and notice that the download time improves from a few minutes to 10-30 seconds.

Step 3 From the Branch PC, browse to www.cisco.com/go/iwan and select one of the 4 or 5 MB files listed on the page. Clear your browser cache again, then navigate to and download the same file.

Step 4 Back on the DC-PC, navigate around the WAAS Central Manager and notice that the mix of traffic optimization, HTTP and SSL traffic is all shown as traffic types in your new IWAN environment.

Step 5 Navigate to Home>Monitor>Caching>Akamai Connect

Step 6 After a few minutes your cache hit stats will start to appear.


Activity Verification

You have completed this task when you attain these results:

WAAS optimization is taking place and you can navigate the WAAS Central Manager

Dashboards and reports to verify it.

