Cisco IWAN Security and Optimization Guide

This excerpt reproduces part of the front matter of the book Cisco Intelligent WAN (IWAN): the remainder of the table of contents, the icon legend, the command syntax conventions, and the foreword. The portion of the table of contents shown here runs from the end of the security chapter (IKEv2 protection, ACLs, zone-based firewalls, Control Plane Policing, and device hardening) through application recognition with NBAR2, Performance Routing (PfR) with its provisioning and monitoring, application visibility with Flexible NetFlow and Performance Monitor, WAN optimization with Cisco WAAS, QoS, Direct Internet Access, and migration to IWAN.

IKEv2 Protection 262
Basic IOS CA Management 263
Securing Routers That Connect to the Internet 264
Access Control Lists (ACLs) 264
Zone-Based Firewalls (ZBFWs) 266
Self 267
Default 267
ZBFW Configuration 268
Control Plane Policing (CoPP) 275
IOS Embedded Packet Capture (EPC) 275
IOS XE Embedded Packet Capture 277
Analyzing and Creating the CoPP Policy 278
Device Hardening 284
Summary 286
Further Reading 286

Part III Intelligent Path Control


Chapter 6 Application Recognition 287
What Is Application Recognition? 287
What Are the Benefits of Application Recognition? 288
NBAR2 Application Recognition 288
NBAR2 Application ID, Attributes, and Extracted Fields 289
NBAR2 Application ID 289
NBAR2 Application Attributes 290
NBAR2 Layer 7 Extracted Fields 293
NBAR2 Operation and Functions 293
Phases of Application Recognition 295
First Packet Classification 295
Multistage Classification 295
Final Classification 296
Further Tracking 296
NBAR2 Engine and Best-Practice Configuration 296
Multipacket Engine 297
DNS Engine 297
DNS Authoritative Source (DNS-AS) Engine 297
DNS Classification by Domain 300
xvi Cisco Intelligent WAN (IWAN)
Control and Data Bundling Engine 301
Behavioral and Statistical Engine 301
Layer 3, Layer 4, and Sockets Engine 301
Transport Hierarchy 301
Subclassification 302
Custom Applications and Attributes 303
Auto-learn Traffic Analysis Engine 303
Traffic Auto-customization 305
Manual Application Customization 305
HTTP Customization 306
SSL Customization 306
DNS Customization 307
Composite Customization 307
Layer 3/Layer 4 Customization 308
Byte Offset Customization 308
Manual Application Attributes Customization 308
NBAR2 State with Regard to Device High Availability 310
Encrypted Traffic 310
NBAR2 Interoperability with Other Services 310
NBAR2 Protocol Discovery 311
Enabling NBAR2 Protocol Discovery 311
Displaying NBAR2 Protocol Discovery Statistics 311
Clearing NBAR2 Protocol Discovery Statistics 312
NBAR2 Visibility Dashboard 313
NBAR2 Protocol Packs 314
Release and Download of NBAR2 Protocol Packs 314
NBAR2 Protocol Pack License 315
Application Customization 315
NBAR2 Protocol Pack Types 315
NBAR2 Protocol Pack States 315
Identifying the NBAR2 Software Version 315
Verifying the Active NBAR2 Protocol Pack 316
Loading an NBAR2 Protocol Pack 316
NBAR2 Taxonomy File 318
Protocol Pack Auto Update 318
Protocol Pack Configuration Server 318
Protocol Pack Source Server 318
Validation and Troubleshooting 322
Verify the Software Version 322
Check the Device License 322
Verifying That NBAR2 Is Enabled 322
Verifying the Active NBAR2 Protocol Pack 323
Checking That Policies Are Applied Correctly 323
Reading Protocol Discovery Statistics 324
Granular Traffic Statistics 324
Discovering Generic and Unknown Traffic 324
Verifying the Number of Flows 325
Summary 325
Further Reading 325

Chapter 7 Introduction to Performance Routing (PfR) 327


Performance Routing (PfR) 328
Simplified Routing over a Transport-Independent Design 328
“Classic” Path Control Used in Routing Protocols 329
Path Control with Policy-Based Routing 330
Intelligent Path Control—Performance Routing 332
Introduction to PfRv3 334
Introduction to the IWAN Domain 335
IWAN Sites 337
Device Components and Roles 339
IWAN Peering 340
Parent Route Lookups 342
Intelligent Path Control Principles 343
PfR Policies 343
Site Discovery 343
Site Prefix Database 345
PfR Enterprise Prefixes 346
WAN Interface Discovery 346
Hub and Transit Sites 347
Branch Sites 347
Channel 348
Smart Probes 350
Traffic Class 350
Path Selection 351
Direction from Central Sites (Hub and Transit) to Spokes 351
Direction from Spoke to Central Sites (Hub and Transit) 351
Performance Monitoring 353
Threshold Crossing Alert (TCA) 355
Path Enforcement 356
Summary 356
Further Reading 357

Chapter 8 PfR Provisioning 359


IWAN Domain 360
Topology 360
Overlay Routing 363
Advertising Site Local Subnets 363
Advertising the Same Subnets 364
Traffic Engineering for PfR 366
PfR Components 367
PfR Configuration 369
Master Controller Configuration 369
Hub Site MC Configuration 369
Transit Site MC Configuration 371
Branch Site MC Configuration 372
MC Status Verification 374
BR Configuration 377
Transit BR Configuration 377
Branch Site BR Configuration 381
BR Status Verification 382
NetFlow Exports 384
Domain Policies 386
Performance Policies 386
Load-Balancing Policy 391
Path Preference Policies 392
Quick Monitor 394
Hub Site Master Controller Settings 395
Hub, Transit, or Branch Site Specific MC Settings 395
Complete Configuration 396
Advanced Parameters 399
Unreachable Timer 399
Smart Probes Ports 400
Transit Site Affinity 400
Path Selection 401
Routing—Candidate Next Hops 401
Routing—No Transit Site Preference 401
Routing—Site Preference 403
PfR Path Preference 406
PfR Transit Site Preference 407
Using Transit Site Preference and Path Preference 408
Summary 409
Further Reading 410

Chapter 9 PfR Monitoring 411


Topology 412
Checking the Hub Site 413
Check the Routing Table 413
Checking the Hub MC 415
Checking the Hub BRs 417
Verification of Remote MC SAF Peering with the Hub MC 418
Checking the Transit Site 422
Check the Branch Site 423
Check the Routing Table 423
Check Branch MC Status 424
Check the Branch BR 429
Monitoring Operations 435
Routing Table 435
Monitor the Site Prefix 436
Monitor Traffic Classes 438
Monitor Channels 444
Transit Site Preference 450
With Transit Site Affinity Enabled (by Default) 454
With Transit Site Affinity Disabled (Configured) 455
Summary 456
Further Reading 457
Chapter 10 Application Visibility 459
Application Visibility Fundamentals 459
Overview 460
Components 460
Flows 462
Observation Point 464
Flow Direction 464
Source/Destination IP Versus Connection 464
Performance Metrics 465
Application Response Time Metrics 466
Media Metrics 467
Web Statistics 468
HTTP Host 469
URI Statistics 469
Flexible NetFlow 470
Flexible NetFlow Overview 470
Configuration Principles 470
Create a Flexible NetFlow Flow Record 471
Create a Flow Exporter 472
Create a Flow Monitor 474
Apply a Flow Monitor to the WAN 475
Flexible NetFlow for Application Visibility 478
Use Case 1: Flow Statistics 478
Use Case 2: Application Client/Server Statistics 478
Use Case 3: Application Usage 479
Monitoring NetFlow Data 479
View Raw Data Directly on the Router 479
View Reports on NetFlow Collectors 484
Flexible NetFlow Summary 484
Evolution to Performance Monitor 485
Principles 485
Performance Monitor Configuration Principles 487
Easy Performance Monitor (ezPM) 492
Application Statistics Profile 493
Application Performance Profile 493
Application Experience Profile 494
ezPM Configuration Steps 494
Monitoring Performance Monitor 499
Metrics Export 499
Flow Record, NetFlow v9, and IPFIX 499
Terminology 500
NetFlow Version 9 Packet Header Format (RFC 3954) 502
IPFIX Packet Header Format (RFC 7011) 502
Monitoring Exports 502
Monitoring Performance Collection on Network Management Systems 504
Deployment Considerations 505
Performance Routing 505
Interoperability with WAAS 505
Summary 507
Further Reading 507

Part IV Application Optimization


Chapter 11 Introduction to Application Optimization 509
Application Behavior 510
Bandwidth 512
Latency 514
Application Latency 514
Network Latency 515
Cisco Wide Area Application Services (WAAS) 516
Cisco WAAS Architecture 517
Application Optimizers 518
Configuration Management System 519
Data Redundancy Elimination (DRE) with Scheduler 519
Storage 519
Network I/O 519
Interception and Flow Management 519
TCP Optimization 520
TCP Windows Scaling 521
TCP Initial Window Size Maximization 521
Increased Buffering 521
Selective Acknowledgment (SACK) 522
Binary Increase Congestion (BIC) TCP 522
Caching and Compression 522
Compression 523
Data Redundancy Elimination (DRE) 523
Unified Data Store 526
Lempel-Ziv (LZ) Compression 527
Object Caching 528
Application-Specific Acceleration 528
Microsoft Exchange Application Optimization 529
HTTP Application Optimization 530
SharePoint Application Optimization 530
SSL Application Optimization 530
Citrix Application Optimization 531
CIFS Application Optimization 532
SMB Application Optimization 533
NFS Acceleration 534
Akamai Connect 534
Transparent Cache 535
Akamai Connected Cache 535
Dynamic URL HTTP Cache (Over-the-Top Cache) 535
Content Prepositioning for Enhanced End-User Experience 535
Summary 536
Further Reading 536

Chapter 12 Cisco Wide Area Application Services (WAAS) 537


Cisco WAAS Architecture 537
Central Management Subsystem 539
Interface Manager 539
Monitoring Facilities and Alarms 539
Network Interception and Bypass Manager 540
Application Traffic Policy Engine 540
Disk Encryption 542
Cisco WAAS Platforms 542
Router-Integrated Network Modules 543
Appliances 543
WAVE Model 294 543
WAVE Model 594 543
WAVE Model 694 546
WAVE Model 7541 546
WAVE Model 7571 546
WAVE Model 8541 546
Interception Modules 547
Virtual WAAS 547
ISR-WAAS 549
Architecture 549
Sizing 550
WAAS Performance and Scalability Metrics 553
WAAS Design and Performance Metrics 553
Device Memory 553
Disk Capacity 554
Number of Optimized TCP Connections 555
WAN Bandwidth and LAN Throughput 556
Number of Peers and Fan-out Each 558
Central Manager Sizing 559
Licensing 560
Cisco WAAS Operational Modes 560
Transparent Mode 561
Directed Mode 561
Interception Techniques and Protocols 561
Web Cache Communication Protocol 562
WCCP Service Groups 562
Forwarding and Return Methods 563
Load Distribution 564
Failure Detection 565
Flow Protection 565
Scalability 565
Redirect Lists 566
Service Group Placement 566
Egress Methods 567
Policy-Based Routing (PBR) 567
Inline Interception 569
AppNav Overview 570
AppNav Cluster Components 572
Class Maps 572
AppNav Policies 573
AppNav Site Versus Application Affinity 573
AppNav IOM 573
AppNav Controller Deployment Models 573
AppNav Controller Interface Modules 574
AppNav IOM Interfaces 575
Guidelines and Limitations 575
AppNav-XE 576
Advantages of Using the AppNav-XE Component 576
Guidelines and Limitations 577
WAAS Interception Network Integration Best Practices 578
Summary 578
Further Reading 579

Chapter 13 Deploying Application Optimizations 581


GBI: Saving WAN Bandwidth and Replicating Data 582
WAN Optimization Solution 583
Deploying Cisco WAAS 584
WAAS Data Center Deployment 584
GBI Data Centers 584
Data Center Device Selection and Placement 585
Primary Central Manager 587
Initial Primary Central Manager Configuration 587
Configuring the Primary Central Manager’s NTP Settings 590
Configuring the Primary Central Manager’s DNS Settings 590
Configuring WAAS Group Settings 591
Device Group Basic Settings 592
Standby Central Manager 592
Standby Central Manager’s Configuration 593
AppNav-XE 595
Initial GBI AppNav-XE Deployment 595
Deploying a Data Center Cluster 600
Deploying a Separate Node Group and Policy for Replication 605
Deploying a New Policy for Data Center Replication 610
GBI Branch Deployment 615
Branch 1 Sizing 615
Branch 1 Deployment 615
Branch 12 Sizing 618
Branch 12 WAAS Deployment 618
Summary 621

Part V QoS
Chapter 14 Intelligent WAN Quality of Service (QoS) 623
QoS Overview 624
Ingress QoS NBAR-Based Classification 626
Ingress LAN Policy Maps 629
Egress QoS DSCP-Based Classification 630
Egress QoS Policy Map 631
Hierarchical QoS 633
DMVPN Per-Tunnel QoS 640
Per-Tunnel QoS Tunnel Markings 641
Bandwidth-Based QoS Policies 643
Bandwidth Remaining QoS Policies 644
Subrate Physical Interface QoS Policies 648
Association of Per-Tunnel QoS Policies 649
Per-Tunnel QoS Verification 650
Per-Tunnel QoS Caveats 658
QoS and IPSec Packet Replay Protection 660
Complete QoS Configuration 661
Summary 669
Further Reading 669

Part VI Direct Internet Access


Chapter 15 Direct Internet Access (DIA) 671
Guest Internet Access 673
Dynamic Host Configuration Protocol (DHCP) 676
Network Address Translation (NAT) 678
Verification of NAT 680
Zone-Based Firewall (ZBFW) Guest Access 680
Verification of ZBFW for Guest Access 684
Guest Access Quality of Service (QoS) 685
Guest Access Web-Based Acceptable Use Policy 688
Guest Network Consent 688
Guest Authentication 692
Internal User Access 697
Fully Specified Static Default Route 698
Verification of Internet Connectivity 699
Network Address Translation (NAT) 704
Policy-Based Routing (PBR) 706
Internal Access Zone-Based Firewall (ZBFW) 708
Cloud Web Security (CWS) 711
Baseline Configuration 712
Outbound Proxy 717
WAAS and WCCP Redirect 720
Prevention of Internal Traffic Leakage to the Internet 720
Summary 721
References in this Chapter 722

Part VII Migration


Chapter 16 Deploying Cisco Intelligent WAN 723
Pre-Migration Tasks 723
Document the Existing WAN 724
Network Traffic Analysis 724
Proof of Concept 724
Finalize the Design 725
Migration Overview 725
IWAN Routing Design Review 726
EIGRP for the IWAN and the LAN 726
BGP for the IWAN and an IGP (OSPF) for the LAN 727
Routing Design During Migration 727
Deploying DMVPN Hub Routers 728
Migrating the Branch Routers 734
Migrating a Single-Router Site with One Transport 735
Migrating a Single-Router Site with Multiple Transports 737
Migrating a Dual-Router Site with Multiple Transports 739
Post-Migration Tasks 740
Migrating from a Dual MPLS to a Hybrid IWAN Model 742
Migrating IPsec Tunnels 744
PfR Deployment 746
Testing the Migration Plan 752
Summary 752
Further Reading 753

Part VIII Conclusion


Chapter 17 Conclusion and Looking Forward 755
Intelligent WAN Today 755
Intelligent WAN Architecture 756
Intelligent WAN Tomorrow 756

Appendix A Dynamic Multipoint VPN Redundancy Models 759

Appendix B IPv6 Dynamic Multipoint VPN 763

Index 779

Icons Used in This Book

[Icon legend; the figure itself is not reproduced. Icons shown: Ethernet, Serial, Circuit Switched Circuit, Branch, Headquarters, Router, ASA, Multi-Layer Switch, Layer 2 Switch, Network Firewall, Wireless Access Point, Frame Relay Switch, Wide Area Application Engine, Laptop, Workstation, Redistribution, Malicious Activity, Server.]

Command Syntax Conventions


The conventions used to present command syntax in this book are the same conventions
used in the IOS Command Reference. The Command Reference describes these
conventions as follows:

■ Boldface indicates commands and keywords that are entered literally as shown.
In actual configuration examples and output (not general command syntax), boldface
indicates commands that are manually input by the user (such as a show command).

■ Italic indicates arguments for which you supply actual values.

■ Vertical bars (|) separate alternative, mutually exclusive elements.

■ Square brackets ([ ]) indicate an optional element.

■ Braces ({ }) indicate a required choice.

■ Braces within brackets ([{ }]) indicate a required choice within an optional element.

Foreword
The world is changing fast. And demands on the network are growing exponentially. More than ever before, businesses need technology to provide speed, flexibility, and information in a cost-effective manner across their systems and processes. The Cisco Intelligent WAN (IWAN) helps companies in any market segment connect the lifeblood of their organization—their branch locations—to business value located anywhere on the network. Whether your branch is a retail store, a healthcare clinic, or a remote office, branches are a critical component of business. These are the places where organizations interface with customers and other citizens, where most business intelligence is acquired, and where the bulk of employees work. It’s crucial that the branch play a large role in any organization’s plans for digitization and value.

As the leader of the Cisco Systems Engineering team, I have the privilege of working with the best networking professionals in the industry. Working on the front lines of the customer relationship, our SE teams are uniquely positioned to provide feedback from our vast customer base back to the Cisco innovation engine, our development team. Cisco has thousands of systems engineers globally working with our customers every day, and they gain great insights into the top issues facing IT and our customers’ businesses in general. The feedback collected from our customers and Systems Engineering team led to the development of IWAN.

In many traditional WAN implementations, customers, vendors, suppliers, and employees who are located in the branch often cannot receive optimal service, and their capabilities are limited. The Cisco IWAN allows IT to remove those limitations by enabling intelligence on the WAN. With IWAN’s ability to simplify VPNs and allow more control, applications such as guest Internet traffic, public cloud services, and partner cloud applications can be offloaded immediately with the appropriate quality of service levels. And with visibility to the application level, applications that are dependent upon data center connectivity can perform better. Last, given the need for all these use cases to be secure, you will see the value of IWAN in providing secure connectivity for your applications while providing better service and improved performance.

This book was written by an all-star team, including Brad Edgeworth, one of the key leaders in our Systems Engineering organization. Holding multiple CCIE certifications, this team of contributing authors presents at both internal and external events, which means they can explain the technology and how it helps businesses. Their depth of experience and knowledge is demonstrated in this book as they address IWAN, its features, benefits, and implementation, and provide readers insight into the top issues facing IT: security, flexibility, application visibility, and ease of use. These are the most important issues facing the WAN and IT in general.