Вы находитесь на странице: 1из 48

Layer 2 WAN Deployment Guide

February 2013 Series


Preface

Who Should Read This Guide How to Read Commands


This Cisco Smart Business Architecture (SBA) guide is for people who fill a Many Cisco SBA guides provide specific details about how to configure
variety of roles: Cisco network devices that run Cisco IOS, Cisco NX-OS, or other operating
Systems engineers who need standard procedures for implementing systems that you configure at a command-line interface (CLI). This section
solutions describes the conventions used to specify commands that you must enter.

Project managers who create statements of work for Cisco SBA Commands to enter at a CLI appear as follows:
implementations configure terminal
Sales partners who sell new technology or who create implementation Commands that specify a value for a variable appear as follows:
documentation
ntp server 10.10.48.17
Trainers who need material for classroom instruction or on-the-job
Commands with variables that you must define appear as follows:
training
class-map [highest class name]
In general, you can also use Cisco SBA guides to improve consistency
among engineers and deployments, as well as to improve scoping and Commands shown in an interactive example, such as a script or when the
costing of deployment jobs. command prompt is included, appear as follows:
Router# enable
Release Series Long commands that line wrap are underlined. Enter them as one command:
Cisco strives to update and enhance SBA guides on a regular basis. As wrr-queue random-detect max-threshold 1 100 100 100 100 100
we develop a series of SBA guides, we test them together, as a complete 100 100 100
system. To ensure the mutual compatibility of designs in Cisco SBA guides,
Noteworthy parts of system output or device configuration files appear
you should use guides that belong to the same series.
highlighted, as follows:
The Release Notes for a series provides a summary of additions and interface Vlan64
changes made in the series.
ip address 10.5.204.5 255.255.255.0
All Cisco SBA guides include the series name on the cover and at the
bottom left of each page. We name the series for the month and year that we Comments and Questions
release them, as follows:
If you would like to comment on a guide or ask questions, please use the
month year Series SBA feedback form.
For example, the series of guides that we released in February 2013 is If you would like to be notified when new comments are posted, an RSS feed
the February Series. is available from the SBA customer and partner pages.
You can find the most recent series of SBA guides at the following sites:
Customer access: http://www.cisco.com/go/sba
Partner access: http://www.cisco.com/go/sbachannel

February 2013 Series Preface


Table of Contents

Whats In This SBA Guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Deploying a Layer 2 WAN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13


Cisco SBA Borderless Networks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Business Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Route to Success. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Technology Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Deployment Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Layer 2 WAN CE Router Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Remote-Site Layer 2 WAN CE Router Configuration. . . . . . . . . . . . . . . . 25
Related Reading. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Design Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Deploying a WAN Remote-Site Distribution Layer. . . . . . . . . . . . . . . . . . . . . . . . 33
Remote-Site Layer 2 WAN CE Router Distribution Layer. . . . . . . . . . . . 33
Architecture Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
WAN Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Deploying WAN Quality of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Quality of Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 QoS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Deploying the WAN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Appendix A: Product List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41


Overall WAN Architecture Design Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Appendix B: Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

February 2013 Series Table of Contents


Whats In This SBA Guide

Cisco SBA Borderless Networks About This Guide


Cisco SBA helps you design and quickly deploy a full-service business This deployment guide contains one or more deployment chapters, which
network. A Cisco SBA deployment is prescriptive, out-of-the-box, scalable, each include the following sections:
and flexible. Business OverviewDescribes the business use case for the design.
Cisco SBA incorporates LAN, WAN, wireless, security, data center, application Business decision makers may find this section especially useful.
optimization, and unified communication technologiestested together as a Technology OverviewDescribes the technical design for the
complete system. This component-level approach simplifies system integration business use case, including an introduction to the Cisco products that
of multiple technologies, allowing you to select solutions that solve your make up the design. Technical decision makers can use this section to
organizations problemswithout worrying about the technical complexity. understand how the design works.
Cisco SBA Borderless Networks is a comprehensive network design Deployment DetailsProvides step-by-step instructions for deploying
targeted at organizations with up to 10,000 connected users. The SBA and configuring the design. Systems engineers can use this section to
Borderless Network architecture incorporates wired and wireless local get the design up and running quickly and reliably.
area network (LAN) access, wide-area network (WAN) connectivity, WAN
You can find the most recent series of Cisco SBA guides at the following
application optimization, and Internet edge security infrastructure.
sites:
Route to Success Customer access: http://www.cisco.com/go/sba
To ensure your success when implementing the designs in this guide, you Partner access: http://www.cisco.com/go/sbachannel
should first read any guides that this guide depends uponshown to the
left of this guide on the route below. As you read this guide, specific
prerequisites are cited where they are applicable.

Prerequisite Guides You Are Here Dependent Guides

BORDERLESS
NETWORKS
WAN Design Overview LAN Deployment Guide Layer 2 WAN Additional Deployment
Deployment Guide Guides

February 2013 Series Whats In This SBA Guide 1


Introduction

Cisco SBABorderless Networks is a solid network foundation designed to


provide networks with up to 10,000 connected users the flexibility to sup-
port new users or network services without re-engineering the network. We
created a prescriptive, out-of-the-box deployment guide that is based on
best-practice design principles and that delivers flexibility and scalability.
The overall WAN architecture is described in the WAN Design Overview.
To help focus on specific elements of the architecture, there are three WAN
deployment guides:
This Layer 2 WAN Deployment Guide provides guidance and configura-
tion for a VPLS or Metro Ethernet transport.
MPLS WAN Deployment Guide provides flexible guidance and configu-
ration for Multiprotocol Label Switching (MPLS) transport.
VPN WAN Deployment Guide provides guidance and configuration for
broadband or Internet transport in a both a primary or backup role.
Each of these WAN deployment guides has a complementary WAN configu-
ration guide.

Related Reading
The LAN Deployment Guide describes wired network access with ubiqui-
tous capabilities for both the larger campus-size LAN as well as the smaller
remote-site LAN. Resiliency, security, and scalability are included to provide
a robust communications environment. Quality of service (QoS) is integrated
to ensure that the base architecture can support a multitude of applications,
including low-latency, drop-sensitive multimedia applications coexisting
with data applications on a single network.

Design Goals
This architecture is based on requirements gathered from customers,
partners, and Cisco field personnel for organizations with up to 10,000 con-
nected users. When designing the architecture, we considered the gathered
requirements and the following design goals.

February 2013 Series Introduction 2


Figure 1 - Borderless Networks for Enterprise Organizations Overview

Headquarters

WAAS
V
Access
Switches V

UCS Rack-mount
Servers UCS Rack-mount UCS Blade
Voice
Routers Server Chassis
PSTN
V
Distribution
Switches WAAS Storage
Central Manager
Nexus
2000
Communications
WAN
Internet Edge Managers
Routers
Access
Switches
Internet
Routers Cisco ACE Data Center
Wireless LAN
Nexus 5500 Firewalls
Regional Site Controller

Wireless LAN Data Center


V
Internet Controllers
RA-VPN Firewall
Access WAN Guest
Switch Router DMZ Wireless LAN
Remote Site Switch Controller
Core
Web Switches
Security
Appliance DMZ
Servers
W ww
MPLS W ww Email Security
Teleworker /
Hardware and WANs Appliance
Mobile Worker
Software VPN

Distribution
VPN
WAN Switches
Access Routers
Switch V WAN
Stack Routers User
Access
Layers
V PSTN

WAAS

WAN Remote Site Wireless


Remote Site Aggregation LAN Controllers

2189
WAAS

February 2013 Series Introduction 3


Ease of Deployment, Flexibility, and Scalability Ease of Management
Organizations with100 to 10,000 users are often spread out among dif- While this guide focuses on the deployment of the network foundation, the
ferent geographical locations, making flexibility and scalability a critical design takes next phase management and operation into consideration. The
requirement of the network. This design uses several methods to create and configurations in the deployment guides are designed to allow the devices
maintain a scalable network: to be managed via normal device management connections, such as SSH
By keeping a small number of standard designs for common portions of and HTTPS, as well as via NMS. The configuration of the NMS is not covered
the network, support staff is able to design services for, implement, and in this guide.
support the network more effectively.
Advanced TechnologyReady
Our modular design approach enhances scalability. Beginning with a set
of standard, global building blocks, we can assemble a scalable network Flexibility, scalability, resiliency, and security all are characteristics of an
to meet requirements. advanced technology-ready network. The modular design of the architec-
Many of the plug-in modules look identical for several service areas; ture means that technologies can be added when the organization is ready
this common look provides consistency and scalability in that the same to deploy them. However, the deployment of advanced technologies, such
support methods can be used to maintain multiple areas of the network. as collaboration, is eased because the architecture includes products and
These modules follow standard core-distribution-access network design configurations that are ready to support collaboration from day one. For
models and use layer separation to ensure that interfaces between the example:
plug-ins are well defined. Access switches provide Power over Ethernet (PoE) for phone deploy-
ments without the need for a local power outlet.
Resiliency and Security The entire network is preconfigured with QoS to support high-quality
One of the keys to maintaining a highly available network is building appro- voice, video, and collaboration applications.
priate redundancy to guard against failure in the network. The redundancy Multicast is configured in the network to support efficient voice and
in our architecture is carefully balanced with the complexity inherent in broadcast-video delivery.
redundant systems. The wireless network is preconfigured for devices that send voice over
With the addition of a significant amount of delay-sensitive and drop- the wireless LAN, providing IP telephony over 802.11 Wi-Fi (referred to
sensitive traffic such as voice and video conferencing, we also place a as mobility) at all locations.
strong emphasis on recovery times. Choosing designs that reduce the time Video and voice perform better through the use of medianet technolo-
between failure detection and recovery is important for ensuring that the gies, Ciscos recommended approach for video and collaboration, which
network stays available even in the face of a minor component failure. simplifies, lowers the risks, cuts costs, and improves the quality of your
Network security is also a strong component of the architecture. In a large video and voice deployments.
network, there are many entry points and we ensure that they are as secure The Internet Edge is ready to provide soft phones via VPN, as well as tradi-
as possible without making the network too difficult to use. Securing the tional hard or desk phones.
network not only helps keep the network safe from attacks but is also a key
component to network-wide resiliency.

February 2013 Series Introduction 4


Architecture Overview

The Cisco SBABorderless Networks Layer 2 WAN Deployment Guide Layer 2 WAN transports are now widely available from service providers and
provides a design that enables highly available, secure, and optimized con- are able to extend various Layer 2 traffic types (Frame Relay, PPP, ATM, or
nectivity for multiple remote-site LANs. Ethernet) over a WAN. The most common implementations of Layer 2 WAN
are used to provide Ethernet over the WAN using either a point-to-point or
The WAN is the networking infrastructure that provides an IP-based inter-
point-to-multipoint service.
connection between remote sites that are separated by large geographic
distances. Service providers implement these Ethernet services by using a variety of
methods. MPLS networks support both Ethernet over MPLS (EoMPLS) and
This document shows you how to deploy the network foundation and
Virtual Private LAN Service (VPLS). You can use other network technologies,
services to enable the following:
such as Ethernet switches in various topologies, to provide Ethernet Layer
Layer 2 WAN connectivity for up to 100 remote sites 2 WAN services. These offerings are also referred to as Carrier Ethernet or
Wired LAN access at all remote sites Metro Ethernet, and they are typically limited to a relatively small geographic
area. This guide describes how to use a Layer 2 WAN to interconnect
WAN Design multiple sites independent of the various underlying technologies that are
being used by the service providers.
The primary focus of the design is to allow usage of the following commonly
deployed WAN transports: Layer 2 WAN supports an enterprise subscriber model in which the service
provider is transparent and the enterprise implements all Layer 3 routing.
Layer 2 WAN (primary) This allows for flexibility in the WAN design and interconnection of the
Internet VPN (secondary) remote sites.
At a high level, the WAN is an IP network, and this transport can be easily Point-to-point service allows for the interconnection of two LANs. Point-
integrated to the design. The chosen architecture designates a primary to-multipoint (multipoint) transparent LAN service allows for the intercon-
WAN-aggregation site that is analogous to the hub site in a traditional hub- nection of more than two LANS. Other service variants include simple and
and-spoke design. This site has direct connections to both WAN transports trunked demarcations. By using trunk mode, you can interconnect LANs
and high-speed connections to the selected service providers. In addition, using 802.1Q VLAN tagging. Service providers often refer to a trunked
the site uses network equipment scaled for high performance and redun- service as Q-in-Q tunneling (QinQ).
dancy. The primary WAN-aggregation site is coresident with the data center
Subscribers who need to transport IP multicast traffic are supported with no
and usually the primary campus or LAN as well.
additional configuration required by the service provider.
The usage of an Internet VPN transport to provide a redundant topology
The WAN uses Layer 2 WAN as a primary WAN transport.
option for resiliency is covered in the VPN WAN Deployment Guide.
WAN-Aggregation Designs
Layer 2 WAN Transport
The WAN-aggregation (hub) design uses a single WAN edge router. When a
Ethernet has traditionally been a LAN technology primarily due to the dis-
WAN edge router is referred to in the context of the connection to a carrier
tance limitations of the available media and the requirement for dedicated
or service provider, it is typically known as a customer edge (CE) router. The
copper or fiber links.
WAN edge router connects into a distribution layer.

February 2013 Series Architecture Overview 5


The only WAN transport option used in this guide is Layer 2 WAN, which The characteristics of each design are as follows:
connects to a CE router.
This deployment guide documents two WAN-aggregation design models Layer 2 Simple Demarcation Design Model
that use either simple demarcation or trunked demarcation. The primary Uses a multipoint service
difference between the Simple Demarcation and Trunked Demarcation Connects to a simple demarcation
design models is the number of broadcast domains or VLANs that are used
to communicate with a subset of remote-site routers. Supports up to 25 remote sites

Each of the design models is shown with LAN connections into either a The Layer 2 Simple Demarcation design is shown in the following figure.
collapsed core/distribution layer or a dedicated WAN distribution layer.
Figure 2 - Layer 2 Simple Demarcation and Trunked Demarcation design models
From the WAN-aggregation perspective, there are no functional differences
between these two methods.
In the WAN-aggregation design, tasks such as IP route summarization are Core Layer
performed at the distribution layer. There are other various devices sup-
porting WAN edge services, and these devices should also connect into the
distribution layer.
The Layer 2 WAN service terminates to a dedicated WAN router. The various Collapsed Core/
Distribution Layer Distribution Layer
design models are shown in the following table.

Table 1 - WAN-aggregation design models


Layer 2 WAN Layer 2 WAN
Layer 2 simple demar- Layer 2 trunked demar- CE Router CE Router
QFP QFP
cation design model cation design model
Remote sites Up to 25 Up to 100 Simple or Trunked Simple or Trunked
Demarcation Demarcation
WAN links Single Single
Edge routers Single Single
WAN routing EIGRP EIGRP

1031
protocol Layer 2 Layer 2
Transport 1 type MetroE/VPLS MetroE/VPLS
Transport 1 Simple Trunked Layer 2 Trunked Demarcation Design Model
demarcation
Uses a multipoint service
Connects to a trunked demarcation
Supports up to 100 remote sites
Logically separates the remote-site peering. Distributes router peers
across multiple VLANs with maximum of 25 remote-site router peers per
VLAN
Typically used with a dedicated WAN distribution layer
The Layer 2 Trunked Demarcation design is shown in Figure 2.

February 2013 Series Architecture Overview 6


WAN Remote-Site Designs WAN/LAN Interconnection
This guide documents a single remote-site WAN design that is based on a The primary role of the WAN is to interconnect primary site and remote-
Layer 2 WAN transport. site LANs. The LAN discussion within this guide is limited to how the WAN
aggregation site LAN connects to the WAN aggregation devices and how
Figure 3 - WAN remote-site design the remote-site LANs connect to the remote-site WAN devices. Specific
details regarding the LAN components of the design are covered in the LAN
Non-Redundant Deployment Guide.
At remote sites, the LAN topology depends on the number of connected
Layer 2 users and physical geography of the site. Large sites may require the use
of a distribution layer to support multiple access layer switches. Other sites
may only require an access layer switch directly connected to the WAN
remote-site routers. The variants that are tested and documented in this
guide are shown in the following table.

Table 3 - WAN remote-site LAN options

WAN remote-site routers WAN transports LAN topology

1033
Layer 2 WAN Single Single Access only
The remote-site design includes a single WAN edge route, which is a Layer Distribution/access
2 WAN CE router.
Designs which include Internet VPN for additional resiliency are covered in
WAN Remote SitesLAN Topology
the VPN WAN Deployment Guide.
For consistency and modularity, all WAN remote sites use the same VLAN
The overall WAN design methodology is based on a primary WAN-
assignment scheme, which is shown in the following table. This deployment
aggregation site design that can accommodate all of the remote-site types
guide uses a convention that is relevant to any location that has a single
that map to the various link combinations listed in the following table.
access switch and this model can also be easily scaled to additional access
closets through the addition of a distribution layer.
Table 2 - WAN remote-site transport options

Table 4 - WAN remote-sitesVLAN assignment


WAN remote- WAN Secondary
site routers transports Primary transport transport
Layer 3 distribution/
Single Single MetroE/VPLS (simple) - VLAN Usage Layer 2 access access
Single Single MetroE/VPLS (trunked) - VLAN 64 Data Yes -
VLAN 69 Voice Yes -
The modular nature of the network design enables you to create design
VLAN50 Router link (1) - Yes
elements that you can replicate throughout the network.
Both the WAN-aggregation designs and all of the WAN remote-site designs
are standard building blocks in the overall design. Replication of the indi-
vidual building blocks provides an easy way to scale the network and allows
for a consistent deployment method.

February 2013 Series Architecture Overview 7


Layer 2 Access Distribution and Access Layer
WAN remote sites that do not require additional distribution layer routing Large remote sites may require a LAN environment similar to that of a small
devices are considered to be flat, or from a LAN perspective they are campus LAN that includes a distribution layer and access layer. This topol-
considered unrouted Layer 2 sites. All Layer 3 services are provided by the ogy works well with either a single or dual router WAN edge. To implement
attached WAN routers. The access switches, through the use of multiple this design, the routers should connect via EtherChannel links to the dis-
VLANs, can support services such as data and voice. The design shown in tribution switch. These EtherChannel links are configured as 802.1Q VLAN
the following figure illustrates the standardized VLAN assignment scheme. trunks, to support both a routed point-to-point link to allow EIGRP routing
The benefits of this design are clear: all of the access switches can be with the distribution switch, and in the dual router design, to provide a transit
configured identically, regardless of the number of sites in this configuration. network for direct communication between the WAN routers.
Access switches and their configuration are not included in this guide.
Figure 5 - WAN remote siteConnection to Distribution Layer
The LAN Deployment Guide provides configuration details on the various
access switching platforms. Layer 2 WAN
IP subnets are assigned on a per-VLAN basis. This design only allocates
subnets with a 255.255.255.0 netmask for the access layer, even if less than
254 IP addresses are required. (This model can be adjusted as necessary
to other IP address schemes.) The connection between the router and the
access switch must be configured for 802.1Q VLAN trunking with subinter-
faces on the router that map to the respective VLANs on the switch. The
various router subinterfaces act as the IP default gateways for each of the IP
subnet and VLAN combinations. 802.1Q Trunk
(50)

Figure 4 - WAN remote site - Flat Layer 2 LAN (single router)

WAN
802.1Q Trunk 802.1Q Trunk
(xx-xx) (yy-yy)

1035
VLAN 50 - Router 1 Link

The distribution switch handles all access layer routing, with VLANs trunked
to access switches. A full distribution and access layer design is shown in
the following figure.
VLAN 64 - Data

VLAN 69 - Voice
1034

802.1Q VLAN Trunk (64, 69)

February 2013 Series Architecture Overview 8


Figure 6 - WAN remote siteDistribution and access layer The RP is a control-plane operation that should be placed in the core of the
network or close to the IP Multicast sources on a pair of Layer 3 switches
Layer 2 WAN
or routers. IP Multicast routing begins at the distribution layer if the access
layer is Layer 2 and provides connectivity to the IP Multicast RP. In designs
without a core layer, the distribution layer performs the RP function.
This design is fully enabled for a single global scope deployment of IP
Multicast. The design uses an Anycast RP implementation strategy. This
strategy provides load sharing and redundancy in Protocol Independent
Multicast sparse mode (PIM SM) networks. Two RPs share the load for
802.1Q Trunk
(50) source registration and the ability to act as hot backup routers for each
other.
The benefit of this strategy from the WAN perspective is that all IP routing
devices within the WAN use an identical configuration referencing the
Anycast RPs. IP PIM SM is enabled on all interfaces including loopbacks,
802.1Q Trunk 802.1Q Trunk VLANs, and subinterfaces.
(xx-xx) (yy-yy)

Quality of Service
Most users perceive the network as just a transport utility mechanism to
shift data from point A to point B as fast as it can. Many sum this up as just
VLAN xx - Data VLAN yy - Data
speeds and feeds. While it is true that IP networks forward traffic on a
VLAN xx - Voice VLAN yy - Voice
best-effort basis by default, this type of routing only works well for applica-
tions that adapt gracefully to variations in latency, jitter, and loss. However
networks are multiservice by design and support real-time voice and video
VLAN 50 - Router 1 Link 1036 as well as data traffic. The difference is that real-time applications require
packets to be delivered within specified loss, delay, and jitter parameters.
IP Multicast In reality, the network affects all traffic flows and must be aware of end-user
requirements and services being offered. Even with unlimited bandwidth,
IP Multicast allows a single IP data stream to be replicated by the infra-
time-sensitive applications are affected by jitter, delay, and packet loss.
structure (routers and switches) and sent from a single source to multiple
Quality of service (QoS) enables a multitude of user services and applica-
receivers. IP Multicast is much more efficient than multiple individual
tions to coexist on the same network.
unicast streams or a broadcast stream that would propagate everywhere. IP
telephony Music On Hold (MOH) and IP video broadcast streaming are two Within the architecture, there are wired and wireless connectivity options
examples of IP Multicast applications. that provide advanced classification, prioritizing, queuing, and congestion
mechanisms as part of the integrated QoS to help ensure optimal use of
To receive a particular IP Multicast data stream, end hosts must join a
network resources. This functionality allows for the differentiation of applica-
multicast group by sending an Internet Group Management Protocol (IGMP)
tions, ensuring that each application has an appropriate share of the network
message to their local multicast router. In a traditional IP multicast design,
resources to protect the user experience and ensure the consistent opera-
the local router consults another router in the network that is acting as a
tion of business critical applications.
rendezvous point (RP) to map the receivers to active sources so that they
can join their streams.

February 2013 Series Architecture Overview 9


QoS is an essential function of the network infrastructure devices used Table 5 - QoS service class mappings
throughout this architecture. QoS enables a multitude of user services
and applications, including real-time voice, high-quality video, and delay- Per-hop Differentiated IP Class of
sensitive data to coexist on the same network. For the network to provide behavior services code Precedence service
predictable, measurable, and sometimes guaranteed services, it must man- Service class (PHB) point (DSCP) (IPP) (CoS)
age bandwidth, delay, jitter, and loss parameters. Even if you do not require Network layer Layer 3 Layer 3 Layer 3 Layer 2
QoS for your current applications, you can use QoS for management and
Network control CS6 48 6 6
network protocols to protect the network functionality and manageability
under normal and congested traffic conditions. Telephony EF 46 5 5
The goal of this design is to provide sufficient classes of service to allow Signaling CS3 24 3 3
you to add voice, interactive video, critical data applications, and manage- Multimedia AF41, 42, 43 34, 36, 38 4 4
ment traffic to the network, either during the initial deployment or later with conferencing
minimum system impact and engineering effort. Real-time CS4 32 4 4
The QoS classifications in the following table are applied throughout this interactive
design. Multimedia AF31, 32, 33 26, 28, 30 3 3
streaming
Broadcast video CS5 40 4 4
Low-latency AF21, 22, 23 18, 20, 22 2 2
data
Operation, CS2 16 2 2
administration,
and mainte-
nance (OAM)
Bulk data AF11, 12, 13 10, 12, 14 1 1
Scavenger CS1 8 1 1
Default DF 0 0 0
best effort

February 2013 Series Architecture Overview 10


Deploying the WAN

Overall WAN Architecture Design Goals Path Selection Preferences


There are many potential traffic flows based on which WAN transports are
IP Routing in use and whether or not a remote site is using a dual WAN transport. The
The design has the following IP routing goals: single WAN transport routing functions as follows.

Provide optimal routing connectivity from primary WAN aggregation The Layer 2 WAN-connected site:
sites to all remote locations Connects to a site on the Layer 2 WAN (same VLAN); the optimal route is
Isolate WAN routing topology changes from other portions of the direct within the Layer 2 WAN (traffic is not sent to the primary site).
network Connects to any other site; the route is through the primary site.
Provide site-site remote routing via the primary WAN aggregation site
(hub-and-spoke model) Quality of Service (QoS)
Permit optimal direct site-site remote routing when carrier services allow The network must ensure that business applications perform across the
(spoke-to-spoke model) WAN during times of network congestion. Traffic must be classified and
Support IP Multicast sourced from the primary WAN aggregation site queued and the WAN connection must be shaped to operate within the
capabilities of the connection. This is referred to as hierarchical QoS (HQoS).
At the WAN remote sites, there is no local Internet access for web browsing When the WAN design uses a service provider offering with QoS, the WAN
or cloud services. This model is referred to as a centralized Internet model. edge QoS classification and treatment must align to the service provider
In the centralized Internet model, a default route is advertised to the WAN offering to ensure consistent end-to-end QoS treatment of traffic.
remote sites in addition to the internal routes from the data center and
campus. Any multipoint WAN service that supports differing access speeds is
susceptible to traffic overruns. Layer 2 WAN transports may be imple-
LAN Access mented with inherent QoS capabilities by the service provider, but this
design assumes that the responsibility for implementing QoS falls on the
All remote sites are to support both wired LAN access. subscriber and must be configured on all WAN Layer 2 CE devices.
The primary difference between the Layer 2 WAN transport QoS model and
High Availability
other SBA WAN QoS is specific to the WAN-aggregation CE router only.
Resilient design options for a Layer 2 WAN connected remote site are This router performs traffic-shaping both at the physical interface level
covered in the Cisco SBABorderless Networks VPN Remote Site and on a per-remote-site basis. This is referred to as HQoS with nested
Deployment Guide. traffic-shaping.

February 2013 Series Deploying the WAN 11


Design Parameters
This deployment guide uses certain standard design parameters and refer-
ences various network infrastructure services that are not located within the
WAN. These parameters are listed in the following table.

Table 6 - Universal design parameters

Network service IP address


Domain name cisco.local
Active Directory, DNS server, DHCP server 10.4.48.10
Authentication Control System (ACS) 10.4.48.15
Network Time Protocol (NTP) server 10.4.48.17

February 2013 Series Deploying the WAN 12


Deploying a Layer 2 WAN

Business Overview a wide range of 3- to 16-mpps (millions of packets per second) packet-
forwarding capabilities, 2.5- to 40-Gbps system bandwidth performance,
For remote-site users to effectively support the business, organizations and scaling.
require that the WAN provide sufficient performance and reliability. Although
most of the applications and services that the remote-site worker uses are The Cisco ASR 1000 Series is fully modular from both hardware and soft-
centrally located, the WAN design must provide the workforce with a com- ware perspectives, and the routers have all the elements of a true carrier-
mon resource-access experience, regardless of location. class routing product that serves both enterprise and service-provider
networks.
Major market drivers for Layer 2 WAN services include surging bandwidth
requirements and the increased availability of Ethernet building termina- This design uses the following routers as Layer 2 WAN CE routers:
tions. Carriers have the flexibility to provision bandwidth in flexible incre- Cisco ASR 1002 Aggregation Services Router configured with an
ments and deploy these services over their existing infrastructure. Embedded Service Processor 5 (ESP5)
To control operational costs, the WAN must support the convergence of Cisco ASR 1001 Aggregation Services Router fixed configuration with a
voice, video, and data transport onto a single, centrally managed infrastruc- 2.5 Gbps Embedded Service Processor
ture. Layer 2 WAN services provide high-performance, cost-effective, and Both of the design models can be constructed using either of the Layer 2
reliable services within metropolitan areas and, in some cases, for broader WAN CE routers listed in Table 7. You should consider the following: the
geographic areas. The ubiquity of carrier-provided Layer 2 WAN networks forwarding performance of the router using an Ethernet WAN deployment
makes it a required consideration for an organization building a WAN. with broad services enabled, the routers alignment with the suggested
To reduce the time needed to deploy new technologies that support emerg- design model, and the number of remote sites.
ing business applications and communications, the WAN architecture
requires a flexible design. The ability to easily scale bandwidth or to add Table 7 - WAN aggregationLayer 2 WAN CE router options
additional sites makes Layer 2 WAN an effective WAN transport for growing
organizations. Option ASR 1001 ASR 1002
Ethernet WAN with 250 Mbps 500 Mbps
Technology Overview services
Software Redundancy Yes Yes
WAN-AggregationLayer 2 WAN CE Routers Option
The Layer 2 WAN designs are intended to support up to 100 remote sites Redundant power supply Default Default
with a combined aggregate WAN bandwidth of up to 500 Mbps. The most Supported Design Models All All
critical devices are the WAN routers that are responsible for reliable IP
forwarding and QoS. The amount of bandwidth required at the WAN- Suggested Design Model Simple Demarcation Trunked Demarcation
aggregation site determines which model of router to use. Suggested Number of 25 100
Remote Sites
Cisco ASR 1000 Series Aggregation Services Routers represent the next-
generation, modular, services-integrated Cisco routing platform. They are
specifically designed for WAN aggregation, with the flexibility to support

February 2013 Series Deploying a Layer 2 WAN 13


Remote SitesCE Router Selection The IP routing is straightforward and can be handled entirely by using static
routes at the WAN-aggregation site and static default routes at the remote
The actual WAN remote-site routing platforms remain unspecified because
site. However, there is significant value to configuring this type of site with
the specification is tied closely to the bandwidth required for a location and
dynamic routing.
the potential requirement for the use of service module slots. The ability to
implement this solution with a variety of potential router choices is one of the Dynamic routing makes it easy to add or modify IP networks at the remote
benefits of a modular design approach. site because any changes are immediately propagated to the rest of the
network. No configuration changes are required on the WAN-aggregation
There are many factors to consider in the selection of the WAN remote-site
CE router or on other remote-site CE routers when you use dynamic routing.
routers. Among those, and key to the initial deployment, is the ability to
process the expected amount and type of traffic. You also need to make
Figure 7 - Layer 2 WAN remote site (single-router, single-link)
sure that you have enough interfaces, enough module slots, and a properly
licensed Cisco IOS Software image that supports the set of features that
Layer 2
is required by the topology. Cisco tested multiple integrated service router
models as Layer 2 WAN CE routers, and the expected performance is shown
in the following table.

Table 8 - WAN remote-site Cisco Integrated Services Router options

Option 2911 2921 3925 3945


Ethernet WAN with services 1
35 50 100 150
Mbps Mbps Mbps Mbps
On-board GE ports 3 3 3 3
Service module slots 2
1 1 2 4

1039
Redundant power supply option No No Yes Yes Simple or Trunked Demarcation

Notes:
Design Details
1. The performance numbers are conservative numbers obtained when
the router is passing IMIX traffic with heavy services configured and the The WAN-aggregation Layer 2 WAN CE router connects to a resilient switch-
CPU utilization is under 75 percent. ing device in the distribution layer. All devices use EtherChannel connec-
tions consisting of two port bundles. This design provides both resiliency
2. Some service modules are double-wide.
and additional forwarding performance. You can accomplish additional
The CE routers at the WAN remote sites connect in the same manner as the forwarding performance by increasing the number of physical links within an
WAN aggregation CE router at the WAN-aggregation site. Depending on the EtherChannel.
service provider, the demarcation may be simple access mode or 802.1Q
The Layer 2 WAN transport is explicitly focused on providing an Ethernet WAN
trunk mode. It is not necessary to use multiple VLANs for connecting the
service, so it is not relevant to document media types other than Ethernet.
remote-site routers, so if you are using a trunked demarcation, only a single
VLAN should is necessary. A Layer 2 WAN requires a link between a provider edge (PE) router and
a CE router. However, the Layer 2 WAN PE routers are transparent from a
The single link Layer 2 WAN remote site is the most basic of building blocks
Layer 3 perspective so the WAN-aggregation and remote-site CE routers
for any remote location. You can use this design with the CE router connected
are considered IP neighbors across the WAN link. CE routers are able to
directly to the access layer, or you can use it to support a more complex LAN
directly communicate with other CE routers across the Layer 2 WAN (CE-CE
topology by connecting the CE router directly to a distribution layer.
connections).

February 2013 Series Deploying a Layer 2 WAN 14


Figure 8 - Layer 2 WAN simple point-to-point The device connections to a multipoint Layer 2 WAN transport are logically
equivalent to the connections to a shared Ethernet segment. The service
Layer 2 WAN Carrier provider devices are transparent to the subscribers CE routers. All CE
CE PE PE CE
routers are able to directly communicate with each other as if they were on
the same LAN.

Figure 10 - Layer 2 WAN simple point-to-multipoint (logical view)

CE

Direct Layer 3 Adjacency Between CE Routers CE

1040
A service provider implements a multipoint Layer 2 WAN by extending the
broadcast domain to multiple locations each with a corresponding PE router
and attached CE router. A discussion of the underlying technologies used CE
by the service provider to provision this service is beyond the scope of this
EIGRP Direct Layer 3 Adjacency
guide. Cisco did not test the PE routers, and their configurations are not
Between All Red CE Routers
included in this guide.

Figure 9 - Layer 2 WAN simple point-to-multipoint CE

CE PE

1042
The CE routers are the only devices required to have IP-routing information
PE CE to provide end-to-end reachability. No IP-routing information is required
to be shared with the service provider. Maintaining this routing information
typically requires a routing protocol, and we chose EIGRP for this purpose.
The various CE routers advertise their routes to other CE router peers.

PE CE As the number of CE devices increases, there is a corresponding increase


in the number of routing protocol neighbors sending and receiving updates
to each other. There is a performance impact on the routers CPU associ-
ated with the processing of the updates from the additional neighbors.
This impact is most significant on the remote-site Layer 2 WAN CE routers,
PE CE
which are not designed to accommodate large numbers of routing protocol
neighbors.
The limiting factor in the number of routing protocol neighbors on a broad-
cast media is the processing capability of the smallest routers CPU.

Direct Layer 3 Adjacency


1041

Between All Red CE Routers

February 2013 Series Deploying a Layer 2 WAN 15


There are a variety of methods that can be used to limit the number of The device connections to a trunked multipoint Layer 2 WAN transport
neighbors. It is straightforward to use VLANs in the Layer 2 WAN to isolate are logically equivalent to the connections to a common Ethernet that has
the remote-site Layer 2 WAN CE routers from each other. The primary dif- implemented VLANs. The service provider devices are transparent to the
ference is the use of a trunked demarcation which allows the use of 802.1Q subscribers CE routers. All CE routers attached to a particular VLAN are
tagged Ethernet frames. The service provider can provide this additional able to directly communicate with each other. Devices connected to multiple
capability over the same infrastructure though a change in the edge con- VLANs, such as the WAN-aggregation Layer 2 WAN CE router, are able to
figuration and by propagating VLAN tagged frames to other PE devices. communicate with multiple sets of CE routers.

Figure 11 - Layer 2 WAN trunked point-to-multipoint Figure 12 - Layer 2 WAN trunked point-to-multipoint (logical view)

CE
PE CE

CE
Direct Layer 3 PE CE EIGRP Direct Layer 3
Adjacency Between Adjacency Between
All Blue CE Routers All Blue CE Routers

CE
PE CE

CE

CE PE CE
802.1Q
Trunk
802.1Q
Trunk PE CE
CE
Direct Layer 3
EIGRP
Adjacency Between
All Red CE Routers
PE CE
Direct Layer 3 CE
Adjacency Between
All Red CE Routers

1044
PE CE
Two separate EIGRP processes are used, one for internal routing on the
LAN (EIGRP-100) and one for the Layer 2 WAN (EIGRP-300). The primary
reason for the separate EIGRP processes is to simplify the route selection
1043

at the WAN-aggregation site when connecting multiple remote-site types,

February 2013 Series Deploying a Layer 2 WAN 16


potentially including MPLS WAN as used in other SBA WAN guides. This Figure 13 - Trunked Demarcation and Simple Demarcation design modelsLayer 2
method ensures that all WAN learned routes appear as EIGRP external WAN routing detail
routes after they are redistributed into the EIGRP-100 process used on the
campus LAN. WAN Distribution WAN Distribution
The Simple Demarcation design model assumes a simple demarcation
EIGRP EIGRP
for both the WAN-aggregation and remote-site routers. Therefore, in this
design the WAN-aggregation CE router and all of the remote-site CE routers
are EIGRP neighbors. The Trunked Demarcation design model assumes a Layer 2 WAN Layer 2 WAN
trunked demarcation for both the WAN-aggregation and remote-site rout- CE Router QFP
CE Router QFP

ers. Therefore, in this design the WAN-aggregation CE router and sets of


remote-site CE routers are EIGRP neighbors. Only remote-site CE routers
EIGRP Simple EIGRP
connected to the same VLAN are EIGRP neighbors. 802.1Q VLAN
(300) (300)
Trunk Access
Sites with only a single WAN transport (a single-homed site) do not require
dynamic routing and can rely on static routing because there is only a single
path to any destination. This design only includes dynamic WAN routing
to provide consistency with configurations across both single-homed and

1045
dual-homed sites. This also allows for easy transition from a single-homed to Layer 2 Layer 2
a dual-homed remote-site design by adding an additional link to an existing
remote site.
A Layer 2 WAN deployment requires the installation and configuration of EIGRP
CE routers at every location, including the WAN-aggregation site and every
Cisco chose EIGRP as the primary routing protocol because it is easy to
Layer 2 WAN-connected remote site.
configure, does not require a large amount of planning, has flexible sum-
At the WAN-aggregation site, a Layer 2 WAN CE router must be connected marization and filtering, and can scale to large networks. As networks grow,
both to the distribution layer and to the Layer 2 WAN service provider. A the number of IP prefixes or routes in the routing tables grows as well. You
single routing protocol (EIGRP with multiple instances) is used to exchange should program IP summarization on links where logical boundaries exist,
routing information, and the routing protocol configurations are tuned from such as distribution layer links to the wide area or to a core. By performing IP
their default settings to influence traffic flows to their desired behavior. summarization, you can reduce the amount of bandwidth, processor utiliza-
The router interface for the Trunked Demarcation design model uses tion, and memory necessary to carry large route tables, as well as reduce
multiple subinterfaces that map to the various VLANs in use, whereas the convergence time associated with a link failure.
Simple Demarcation design model uses only the single physical interface
In this design, EIGRP process 100 is the primary EIGRP process and is
to connect to all of the remote sites. The IP routing details for both WAN-
referred to as EIGRP-100.
aggregation topologies are shown in the following figure.
EIGRP-100 is used at the WAN-aggregation site to connect to the primary
site LAN distribution layer and at WAN remote sites with dual WAN routers or
with distribution-layer LAN topologies.
EIGRP process 300 is the Layer 2 WAN EIGRP process and is referred to as
EIGRP-300.

February 2013 Series Deploying a Layer 2 WAN 17


EIGRP-300 is used to exchange routing information between the WAN-
aggregation site Layer 2 WAN CE router and the remote-site Layer 2 WAN Procedure 1 Configure the Distribution Switch
CE routers. You should configure EIGRP-300 for stub routing on all remote-
site routers to improve network stability and reduce resource utilization.

Deployment Details Reader Tip

The procedures in this section provide examples for some settings. The
actual settings and values that you use are determined by your current This process assumes that the distribution switch has already
network configuration. been configured following the guidance in the LAN Deployment
Guide. Only the procedures required to support the integration of
Table 9 - Parameters used in the deployment examples the WAN-aggregation router into the deployment are included.

Hostname Loopback IP Address Port Channel IP Address


METRO-ASR1001-1 10.4.32.245/32 10.4.32.34/30 The LAN distribution switch is the path to the organizations main campus
and data center. A Layer 3 port-channel interface connects the distribution
switch to the WAN-aggregation router and the internal routing protocol
peers across this interface.
Process

Tech Tip
Layer 2 WAN CE Router Configuration
As a best practice, use the same channel numbering on both
1. Configure the Distribution Switch sides of the link where possible.
2. Configure the WAN Aggregation Platform
3. Configure Connectivity to the LAN
4. Connect to Layer 2 WAN Step 1: Configure the Layer 3 port-channel interface and assign the IP
address.
5. Configure EIGRP
interface Port-channel5
description METRO-ASR1001-1
no switchport
ip address 10.4.32.33 255.255.255.252
ip pim sparse-mode
logging event link-status
carrier-delay msec 0
no shutdown

February 2013 Series Deploying a Layer 2 WAN 18


Step 2: Configure EtherChannel member interfaces.
Procedure 2 Configure the WAN Aggregation Platform
Configure the physical interfaces to tie to the logical port-channel using the
channel-group command. The number for the port-channel and channel-
Within this design, there are features and services that are common across
group must match. Not all router platforms can support Link Aggregation
all WAN aggregation routers. These are system settings that simplify and
Control Protocol (LACP) to negotiate with the switch, so EtherChannel is
secure the management of the solution.
configured statically.
Also, apply the egress QoS macro that was defined in the platform configu- Step 1: Configure the device host name.
ration procedure to ensure traffic is prioritized appropriately.
Configure the device host name to make it easy to identify the device.
interface GigabitEthernet1/0/1
hostname METRO-ASR1001-1
description METRO-ASR1001-1 Gig0/0/0
! Step 2: Configure local login and password
interface GigabitEthernet2/0/1 The local login account and password provides basic access authentication
description METRO-ASR1001-1 Gig0/0/1 to a router which provides only limited operational privileges. The enable
! password secures access to the device configuration mode. By enabling
interface range GigabitEthernet1/0/1, GigabitEthernet2/0/1 password encryption, you prevent the disclosure of plain text passwords
no switchport when viewing configuration files.
macro apply EgressQoS username admin password c1sco123
carrier-delay msec 0 enable secret c1sco123
channel-group 5 mode on service password-encryption
logging event link-status aaa new-model
logging event trunk-status By default, https access to the router will use the enable password for
logging event bundle-status authentication.
no shutdown
Step 3: (Optional) Configure centralized user authentication.
Step 3: Allow the routing protocol to form neighbor relationships across the As networks scale in the number of devices to maintain it poses an opera-
port channel interface. tional burden to maintain local user accounts on every device. A centralized
router eigrp 100 Authentication, Authorization and Accounting (AAA) service reduces opera-
no passive-interface Port-channel5 tional tasks per device and provides an audit log of user access for security
compliance and root cause analysis. When AAA is enabled for access
Step 4: It is a best practice to summarize IP routes from the WAN distribu- control, all management access to the network infrastructure devices (SSH
tion layer towards the core. On the distribution layer switch, configure the and HTTPS) is controlled by AAA.
interfaces that are connected to the LAN core to summarize the WAN
network range.
Reader Tip
interface range TenGigabitEthernet1/1/1, TenGigabitEthernet2/1/1
ip summary-address eigrp 100 10.4.32.0 255.255.248.0
ip summary-address eigrp 100 10.5.0.0 255.255.0.0 The AAA server used in this architecture is the Cisco
Authentication Control System. For details about ACS configura-
tion, see the Device Management Using ACS Deployment Guide.

February 2013 Series Deploying a Layer 2 WAN 19


TACACS+ is the primary protocol used to authenticate management logins When synchronous logging of unsolicited messages and debug output is
on the infrastructure devices to the AAA server. A local AAA user database turned on, console log messages are displayed on the console after interac-
is also defined in Step 2 on each network infrastructure device to provide tive CLI output is displayed or printed. With this command, you can continue
a fallback authentication source in case the centralized TACACS+ server is typing at the device console when debugging is enabled.
unavailable. line con 0
tacacs server TACACS-SERVER-1 logging synchronous
address ipv4 10.4.48.15 Enable Simple Network Management Protocol (SNMP) to allow the network
key SecretKey infrastructure devices to be managed by a Network Management System
! (NMS). SNMPv2c is configured both for a read-only and a read-write com-
aaa group server tacacs+ TACACS-SERVERS munity string.
server name TACACS-SERVER-1 snmp-server community cisco RO
! snmp-server community cisco123 RW
aaa authentication login default group TACACS-SERVERS local
Step 5: (Optional) In networks where network operational support is central-
aaa authorization exec default group TACACS-SERVERS local
ized you can increase network security by using an access list to limit the
aaa authorization console networks that can access your device. In this example, only devices on the
ip http authentication aaa 10.4.48.0/24 network will be able to access the device via SSH or SNMP.

Step 4: Configure device management protocols. access-list 55 permit 10.4.48.0 0.0.0.255


line vty 0 15
Secure HTTP (HTTPS) and Secure Shell (SSH) are secure replacements for
access-class 55 in
the HTTP and Telnet protocols. They use Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) to provide device authentication and data !
encryption. snmp-server community cisco RO 55
snmp-server community cisco123 RW 55
Secure management of the network device is enabled through the use of
the SSH and HTTPS protocols. Both protocols are encrypted for privacy and
the nonsecure protocols, Telnet and HTTP, are turned off.
Tech Tip
Specify the transport preferred none on vty lines to prevent errant con-
nection attempts from the CLI prompt. Without this command, if the ip
name-server is unreachable, long timeout delays may occur for mistyped If you configure an access-list on the vty interface you may lose
commands. the ability to use ssh to login from one router to the next for hop-
by-hop troubleshooting.
ip domain-name cisco.local
ip ssh version 2
no ip http server
ip http secure-server
line vty 0 15
transport input ssh
transport preferred none

February 2013 Series Deploying a Layer 2 WAN 20


Step 6: Configure a synchronized clock. Step 8: Configure IP unicast routing.
The Network Time Protocol (NTP) is designed to synchronize a network of EIGRP is configured facing the LAN distribution or core layer. In this design,
devices. An NTP network usually gets its time from an authoritative time the port-channel interface and the loopback must be EIGRP interfaces. The
source, such as a radio clock or an atomic clock attached to a time server. loopback may remain a passive interface. The network range must include
NTP then distributes this time across the organizations network. both interface IP addresses, either in a single network statement or in
multiple network statements. This design uses a best practice of assigning
You should program network devices to synchronize to a local NTP server
the router ID to a loopback address.
in the network. The local NTP server typically references a more accurate
clock feed from an outside source. By configuring console messages, router eigrp 100
logs, and debug output to provide time stamps on output, you can cross- network 10.4.0.0 0.1.255.255
reference events in a network. no auto-summary
ntp server 10.4.48.17 passive-interface default
! eigrp router-id 10.4.32.245
clock timezone PST -8
Step 9: Configure IP Multicast routing.
clock summer-time PDT recurring
! IP Multicast allows a single IP data stream to be replicated by the infra-
service timestamps debug datetime msec localtime structure (routers and switches) and sent from a single source to multiple
receivers. Using IP Multicast is much more efficient than multiple individual
service timestamps log datetime msec localtime
unicast streams or a Broadcast stream that would propagate everywhere. IP
Step 7: Configure an in-band management interface Telephony MOH and IP Video Broadcast Streaming are two examples of IP
Multicast applications.
The loopback interface is a logical interface that is always reachable as long
as the device is powered on and any IP interface is reachable to the network. To receive a particular IP Multicast data stream, end hosts must join a multi-
Because of this capability, the loopback address is the best way to manage cast group by sending an IGMP message to their local multicast router. In a
the switch in-band. Layer 3 process and features are also bound to the traditional IP Multicast design, the local router consults another router in the
loopback interface to ensure process resiliency. network that is acting as an RP to map the receivers to active sources so they
can join their streams.
The loopback address is commonly a host address with a 32-bit address
mask. Allocate the loopback address from the IP address block that the In this design, which is based on sparse mode multicast operation, Auto RP
distribution switch summarizes to the rest of the network. is used to provide a simple yet scalable way to provide a highly resilient RP
environment.
interface Loopback 0
ip address 10.4.32.245 255.255.255.255 Enable IP Multicast routing on the platforms in the global configuration mode.
ip pim sparse-mode ip multicast-routing
The ip pim sparse-mode command will be explained further in the process. The Cisco ASR1000 Series router requires the distributed keyword.

Bind the device processes for SNMP, SSH, PIM, TACACS+ and NTP to the ip multicast-routing distributed
loopback interface address for optimal resiliency. Every Layer 3 switch and router must be configured to discover the IP
snmp-server trap-source Loopback0 Multicast RP with autorp. Use the ip pim autorp listener command to allow
for discovery across sparse mode links. This configuration provides for
ip ssh source-interface Loopback0
future scaling and control of the IP Multicast environment and can change
ip pim register-source Loopback0 based on network needs and design.
ip tacacs source-interface Loopback0
ip pim autorp listener
ntp source Loopback0

February 2013 Series Deploying a Layer 2 WAN 21


All Layer 3 interfaces in the network must be enabled for sparse mode
multicast operation. Procedure 4 Connect to Layer 2 WAN
ip pim sparse-mode
Step 1: Assign the interface bandwidth.
The bandwidth value should correspond to the actual interface speed, or if
Procedure 3 Configure Connectivity to the LAN you are using a subrate service, use the policed rate from the carrier.

Any links to adjacent distribution layers should be Layer 3 links or Layer 3 The example shows a Gigabit interface (1000 Mbps) with a subrate of 500
EtherChannels. Mbps.
interface [interface type] [number]
Step 1: Configure Layer 3 Interface bandwidth [bandwidth (kbps)]
interface Port-channel5
ip address 10.4.32.34 255.255.255.252
ip pim sparse-mode
Tech Tip
no shutdown
Command reference:
Step 2: Configure EtherChannel member interfaces. bandwidth [kbps]
Configure the physical interfaces to tie to the logical port-channel using the
500 Mbps = 500000 kbps
channel-group command. The number for the port-channel and channel-
group must match. Not all router platforms can support LACP to negotiate
with the switch, so EtherChannel is configured statically.
interface GigabitEthernet0/0/0 Step 2: Assign the IP address and netmask of the WAN interface.
description WAN-D3750X Gig1/0/6 The IP addressing used between CE routers must allow for sufficient host
! addresses to support a WAN-aggregation CE router, plus up to 25 remote-
interface GigabitEthernet0/0/1 site CE routers. This design uses a netmask of 255.255.255.0, which is com-
description WAN-D3750X Gig2/0/6 monly used for LAN addressing. It may be more efficient to use a different
! netmask to conserve IP addresses. As a best practice, the VLAN number
and the subinterface number should match.
interface range GigabitEthernet0/0/0, GigabitEthernet0/0/1
no ip address Table 10 - Layer 2 WAN transport IP address information
channel-group 5
no shutdown Design CE router
Model Interface VLAN Subinterface Network address
Step 3: Configure the EIGRP interface.
Simple gig0/0/3 none none 10.4.38.0/24 .1
Allow EIGRP to form neighbor relationships across the interface to establish Demarcation
peering adjacencies and exchange route tables. Trunked gig0/0/3 38 gig0/0/3.38 10.4.38.0/24 .1
router eigrp 100 Demarcation 39 gig0/0/3.39 10.4.39.0/24 .1
no passive-interface Port-channel5

February 2013 Series Deploying a Layer 2 WAN 22


If connected to a simple demarcation use the following configuration.
Procedure 5 Configure EIGRP
interface [interface type] [number]
ip address [IP address] [netmask]
ip pim sparse-mode The WAN aggregation Layer 2 WAN CE router uses two EIGRP processes.
The primary reason for the additional process is to ensure that routes learned
Use the following configuration for each of the VLANs on a trunked demarcation. from the WAN remote sites appear as EIGRP external routes on the WAN
interface [interface type] [number].[subinterface number] distribution switch. If only a single process was used, then the remote-site
encapsulation dot1Q [Vlan number] routes would appear as EIGRP internal routes on the WAN distribution switch,
ip address [IP address] [netmask] which would be inconsistent with other SBA WAN deployment guides.
ip pim sparse-mode
Step 1: Enable an additional process, EIGRP-300, for the Layer 2 WAN.
Step 3: Administratively enable the interface and disable Cisco Discovery
EIGRP-300 is configured for the Layer 2 WAN interface or subinterfaces.
Protocol.
The Layer 2 WAN interface or subinterfaces are the only EIGRP-300 inter-
Cisco does not recommend the use of Cisco Discovery Protocol on external faces, and their network ranges should be explicitly listed. Repeat for all
interfaces. Layer 2 WAN interfaces as required.
interface [interface type] [number] router eigrp 300
no cdp enable network [L2 WAN network 1] [inverse mask]
no shutdown network [L2 WAN network 2] [inverse mask] ! if necessary
passive-interface default
Example (Simple Demarcation) no passive-interface [L2 WAN interface 1]
interface GigabitEthernet0/0/3 no passive-interface [L2 WAN interface 2] ! if necessary
bandwidth 500000 eigrp router-id [IP address of Loopback0]
ip address 10.4.38.1 255.255.255.0 no auto-summary
ip pim sparse-mode
no cdp enable Step 2: Configure route-maps for tagging routes and blocking routes.
no shutdown This design uses mutual route redistribution; Layer 2 WAN routes from
Example (Trunked Demarcation) the EIGRP-300 process are distributed into EIGRP-100 and other learned
routes from EIGRP-100 are distributed into EIGRP-300. Because the routing
interface GigabitEthernet0/0/3
protocol is the same, no default metric is required.
bandwidth 500000
no cdp enable It is important to tightly control how routing information is shared between
no shutdown different routing protocols when you use this mutual route redistribution;
! otherwise, you might experience route flapping, where certain routes are
interface GigabitEthernet0/0/3.38 repeatedly installed and withdrawn from the device routing tables. Proper
encapsulation dot1Q 38 route control ensures the stability of the routing table.
ip address 10.4.38.1 255.255.255.0
This router and other WAN routers in other SBA deployments use an
ip pim sparse-mode
inbound distribute list with a route map to limit which routes are accepted for
!
installation into the route table. These routers are configured to block routes
interface GigabitEthernet0/0/3.39
from certain other WAN sources. To accomplish this task, you must create
encapsulation dot1Q 39
a route map that matches any routes originating from the WAN as indicated
ip address 10.4.39.1 255.255.255.0
by a specific route tag. This method allows for dynamic identification of the
ip pim sparse-mode
various WAN routes. The specific route tags in use are shown below.

February 2013 Series Deploying a Layer 2 WAN 23


This task also requires that the Layer 2 WAN learned WAN routes are explic- route-map BLOCK-TAGGED-ROUTES deny 10
itly tagged by the WAN aggregation CE router during the route redistribution match tag 65512
process. To do this, you must create an additional route map to match the !
source interface of the routes. route-map BLOCK-TAGGED-ROUTES permit 20
You need to appropriately tag the Layer 2 WAN routes to be consistent with
other SBA deployments.
Reader Tip
The Simple Demarcation design model requires a single interface in the
match statement, whereas the Trunked Demarcation design model requires
MPLS WAN deployment is covered in the MPLS WAN multiple subinterfaces.
Deployment Guide. DMVPN deployment is covered in the VPN
WAN Deployment Guide. route-map SET-ROUTE-TAG-METROE permit 10
match interface GigabitEthernet0/0/3.38
GigabitEthernet0/0/3.39
set tag 300
Table 11 - Route tag information for WAN aggregation Layer 2 WAN CE router
Step 3: Configure the EIGRP mutual route redistribution.
Tag Route source Tag method Action
router eigrp 100
65401 MPLS VPN A implicit accept distribute-list route-map BLOCK-TAGGED-ROUTES in
65402 MPLS VPN B implicit accept redistribute eigrp 300 route-map SET-ROUTE-TAG-METROE
300 Layer 2 WAN explicit tag !
65512 DMVPN hub routers explicit block router eigrp 300
redistribute eigrp 100
This example includes all WAN route sources in the reference design.
Depending on the actual design of your network, you may use more or fewer Example
tags. route-map BLOCK-TAGGED-ROUTES deny 10
It is important when creating the blocking route-map that you include a match tag 65512
permit statement at the end to permit the installation of routes with non- !
matching tags. route-map BLOCK-TAGGED-ROUTES permit 20
!
route-map SET-ROUTE-TAG-METROE permit 10
Tech Tip match interface GigabitEthernet0/0/3.38 GigabitEthernet0/0/3.39
set tag 300
If you configure mutual route redistribution without proper match- !
ing, tagging, and filtering, route-flapping may occur, which can router eigrp 100
cause instability. distribute-list route-map BLOCK-TAGGED-ROUTES in
redistribute eigrp 300 route-map SET-ROUTE-TAG-METROE
!
router eigrp 300
network 10.4.38.0 0.0.0.255

February 2013 Series Deploying a Layer 2 WAN 24


network 10.4.39.0 0.0.0.255 Figure 14 - Remote-site Layer 2 WAN CE router configuration flowchart
redistribute eigrp 100
passive-interface default
no passive-interface GigabitEthernet0/0/3.38 Remote-Site Layer 2 WAN CE Router
Single Router, Single Link
no passive-interface GigabitEthernet0/0/3.39
eigrp router-id 10.4.32.245

Remote-Site 1. Configure the WAN Remote Router


Process Layer 2 WAN CE 2. Connect the Layer 2 WAN
Router Configuration
Procedures 3. Configure EIGRP

Remote-Site Layer 2 WAN CE Router Configuration

1. Configure the WAN Remote Router


2. Connect to the Layer 2 WAN
Distribution
3. Configure EIGRP NO Distribution
Layer Layer YES
Design?
Design?
4. Configure Router to Access Layer Switch Remote-Site
Layer 2 WAN CE
5. Configure Access Layer Routing Router Distribution
Layer Procedures

4. Connect Router to Access 1. Connect to Distribution Layer


Use this process for the configuration of any of the following: Layer Switch
2. Configure EIGRP (LAN Side)
Layer 2 WAN CE router for a Layer 2 WAN remote site (single router, 5. Configure Access Layer
single link). Routing

The following flowchart provides details about the configuration process for
a remote-site Layer 2 WAN CE router.

Site Complete Site Complete

1046
February 2013 Series Deploying a Layer 2 WAN 25
Step 4: (Optional) Configure centralized user authentication.
Procedure 1 Configure the WAN Remote Router
As networks scale in the number of devices to maintain it poses an opera-
tional burden to maintain local user accounts on every device. A centralized
Within this design, there are features and services that are common across
Authentication, Authorization and Accounting (AAA) service reduces opera-
all WAN remote-site routers. These are system settings that simplify and
tional tasks per device and provides an audit log of user access for security
secure the management of the solution.
compliance and root cause analysis. When AAA is enabled for access
control, all management access to the network infrastructure devices (SSH
Step 1: Configure the device host name.
and HTTPS) is controlled by AAA.
Configure the device hostname to make it easy to identify the device.
hostname [hostname]
Reader Tip
Step 2: Configure local login and password.
The local login account and password provides basic access authentication The AAA server used in this architecture is the Cisco
to a router, which provides only limited operational privileges. The enable Authentication Control System. For details about ACS configura-
password secures access to the device configuration mode. By enabling tion, see the Device Management Using ACS Deployment
password encryption, you prevent the disclosure of plain text passwords Guide.
when viewing configuration files.
username admin password c1sco123
enable secret c1sco123 TACACS+ is the primary protocol used to authenticate management logins
service password-encryption on the infrastructure devices to the AAA server. A local AAA user database
aaa new-model is also defined in Step 2 on each network infrastructure device to provide
a fallback authentication source in case the centralized TACACS+ server is
Step 3: By default, https access to the router will use the enable password unavailable.
for authentication. tacacs server TACACS-SERVER-1
address ipv4 10.4.48.15
key SecretKey
!
aaa group server tacacs+ TACACS-SERVERS
server name TACACS-SERVER-1
!
aaa authentication login default group TACACS-SERVERS local
aaa authorization exec default group TACACS-SERVERS local
aaa authorization console
ip http authentication aaa

February 2013 Series Deploying a Layer 2 WAN 26


Step 5: Configure device management protocols. Step 6: (Optional) In networks where network operational support is central-
ized you can increase network security by using an access list to limit the
Secure HTTP (HTTPS) and Secure Shell (SSH) are secure replacements for
networks that can access your device. In this example, only devices on the
the HTTP and Telnet protocols. They use Secure Sockets Layer (SSL) and
10.4.48.0/24 network will be able to access the device via SSH or SNMP.
Transport Layer Security (TLS) to provide device authentication and data
encryption. access-list 55 permit 10.4.48.0 0.0.0.255
line vty 0 15
Secure management of the network device is enabled through the use of
the SSH and HTTPS protocols. Both protocols are encrypted for privacy and access-class 55 in
the nonsecure protocols, Telnet and HTTP, are turned off. !
snmp-server community cisco RO 55
Specify the transport preferred none on vty lines to prevent errant con-
nection attempts from the CLI prompt. Without this command, if the ip snmp-server community cisco123 RW 55
name-server is unreachable, long timeout delays may occur for mistyped
commands.
Tech Tip
ip domain-name cisco.local
ip ssh version 2
no ip http server If you configure an access-list on the vty interface you may lose
the ability to use ssh to login from one router to the next for hop-
ip http secure-server
by-hop troubleshooting.
line vty 0 15
transport input ssh
transport preferred none
Step 7: Configure a synchronized clock.
When synchronous logging of unsolicited messages and debug output is
turned on, console log messages are displayed on the console after interac- The Network Time Protocol (NTP) is designed to synchronize a network of
tive CLI output is displayed or printed. With this command, you can continue devices. An NTP network usually gets its time from an authoritative time
typing at the device console when debugging is enabled. source, such as a radio clock or an atomic clock attached to a time server.
line con 0 NTP then distributes this time across the organizations network.
logging synchronous You should program network devices to synchronize to a local NTP server
Enable Simple Network Management Protocol (SNMP) to allow the network in the network. The local NTP server typically references a more accurate
infrastructure devices to be managed by a Network Management System clock feed from an outside source. By configuring console messages,
(NMS). SNMPv2c is configured both for a read-only and a read-write com- logs, and debug output to provide time stamps on output, you can cross-
munity string. reference events in a network.
snmp-server community cisco RO ntp server 10.4.48.17
snmp-server community cisco123 RW ntp update-calendar
!
clock timezone PST -8
clock summer-time PDT recurring
!
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime

February 2013 Series Deploying a Layer 2 WAN 27


Step 8: Configure an in-band management interface. Enable IP Multicast routing on the platforms in the global configuration
mode.
The loopback interface is a logical interface that is always reachable as long
as the device is powered on and any IP interface is reachable to the network. ip multicast-routing
Because of this capability, the loopback address is the best way to manage Every Layer 3 switch and router must be configured to discover the IP
the switch in-band. Layer 3 process and features are also bound to the Multicast RP with autorp. Use the ip pim autorp listener command to allow
loopback interface to ensure process resiliency. for discovery across sparse mode links. This configuration provides for
The loopback address is commonly a host address with a 32-bit address future scaling and control of the IP Multicast environment and can change
mask. Allocate the loopback address from a unique network range that is not based on network needs and design.
part of any other internal network summary range. ip pim autorp listener
interface Loopback 0 All Layer 3 interfaces in the network must be enabled for sparse mode
ip address [ip address] 255.255.255.255 multicast operation.
ip pim sparse-mode ip pim sparse-mode
The ip pim sparse-mode command will be explained in the next step.
Bind the device processes for SNMP, SSH, PIM, TACACS+ and NTP to the
Procedure 2 Connect to the Layer 2 WAN
loopback interface address for optimal resiliency:
snmp-server trap-source Loopback0
ip ssh source-interface Loopback0 Step 1: Assign the interface bandwidth.
ip pim register-source Loopback0 The bandwidth value should correspond to the actual interface speed. Or, if
ip tacacs source-interface Loopback0 you are using a subrate service, use the policed rate from the carrier.
ntp source Loopback0 The example shows a Gigabit interface (1000 Mbps) with a subrate of 10
Mbps.
Step 9: Configure IP Multicast routing.
interface [interface type] [number]
IP Multicast allows a single IP data stream to be replicated by the infra- bandwidth [bandwidth (kbps)]
structure (routers and switches) and sent from a single source to multiple
receivers. Using IP Multicast is much more efficient than multiple individual
unicast streams or a Broadcast stream that would propagate everywhere. IP Tech Tip
Telephony MOH and IP Video Broadcast Streaming are two examples of IP
Multicast applications.
Command reference:
To receive a particular IP Multicast data stream, end hosts must join a
multicast group by sending an IGMP message to their local multicast router. bandwidth kbps
In a traditional IP Multicast design, the local router consults another router in 10 Mbps = 10,000 kbps
the network that is acting as an RP to map the receivers to active sources so
they can join their streams.
In this design, which is based on sparse mode multicast operation, Auto RP
is used to provide a simple yet scalable way to provide a highly resilient RP
environment.

February 2013 Series Deploying a Layer 2 WAN 28


Step 2: Assign the IP address and netmask of the WAN interface. Step 3: Administratively enable the interface and disable Cisco Discovery
Protocol. Cisco does not recommend the use of Cisco Discovery Protocol
The IP addressing used between CE routers must allow for sufficient host
on external interfaces.
addresses to support a WAN aggregation CE router plus up to 25 remote-
site CE routers. This design uses a netmask of 255.255.255.0, which is com- interface [interface type] [number]
monly used for LAN addressing. It may be more efficient to use a different no cdp enable
netmask to conserve IP addresses. As a best practice, the VLAN number no shutdown
and the subinterface number should match.
Step 4: Configure EIGRP.
Table 12 - Layer 2 WAN transport IP address information
The remote-site LAN networks must be advertised. The IP assignment for the
remote sites was designed so that all of the networks in use can be sum-
Design CE router
marized within a single aggregate route. The summary address as configured
Model Interface VLAN Subinterface Network address
below suppresses the more specific routes. If any network within the sum-
Simple gig0/0/4 none none 10.4.38.0/24 .1 mary is present in the route table, the summary is advertised to the Layer 2
Demarcation WAN, which offers a measure of resiliency. If the various LAN networks cannot
Trunked gig0/0/4 38 gig0/0/3.38 10.4.38.0/24 .1 be summarized, EIGRP continues to advertise the specific routes.
Demarcation 39 gig0/0/3.39 10.4.39.0/24 .1 interface [interface type] [number].[subinterface number]
ip summary-address eigrp [as number (Layer 2 WAN)]
The configuration of the remote-site Layer 2 WAN CE router depends [summary network] [summary mask]
on whether the service provider has implemented a simple or trunked
demarcation. Example (Simple Demarcation)
Use the following configuration for a simple demarcation. You can use this interface GigabitEthernet0/0
connection type even when the WAN aggregation Layer 2 WAN CE router is bandwidth 10000
using a trunked demarcation. However, the service provider must configure ip address 10.4.38.210 255.255.255.0
the proper VLAN assignment for the remote site connection. ip pim sparse-mode
interface [interface type] [number] ip summary-address eigrp 300 10.5.144.0 255.255.248.0
ip address [IP address] [netmask] no cdp enable
ip pim sparse-mode no shutdown
Use the following configuration for a trunked demarcation. The VLAN
number and IP network must match those chosen on the WAN aggregation Example (Trunked Demarcation)
Layer 2 WAN CE router. interface GigabitEthernet0/0
interface [interface type] [number].[subinterface number] bandwidth 10000
encapsulation dot1Q [Vlan number] no cdp enable
ip address [IP address] [netmask] no shutdown
ip pim sparse-mode !
interface GigabitEthernet0/0.38
encapsulation dot1Q 38
ip address 10.4.38.210 255.255.255.0
ip pim sparse-mode
ip summary-address eigrp 300 10.5.144.0 255.255.248.0

February 2013 Series Deploying a Layer 2 WAN 29


Procedure 3 Configure EIGRP Procedure 4 Configure Router to Access Layer Switch

A single EIGRP-300 process runs on the remote-site Layer 2 WAN CE


router. All interfaces on the router are EIGRP interfaces, but only the Layer 2
WAN interface is non-passive. The network range must include all interface Reader Tip
IP addresses either in a single network statement or in multiple network
statements. This design uses a best practice of assigning the router ID to a Please refer to the LAN Deployment Guide for complete access
loopback address. All remote-site Layer 2 WAN CE routers should run EIGRP layer configuration details. This guide only includes the additional
stub routing to improve network stability and reduce resource utilization. steps to complete the distribution layer configuration.
router eigrp 300
If you are using a remote-site distribution layer, skip to the
network [L2 WAN network] [inverse mask]
Deploying a WAN Remote-Site Distribution Layer section of this
network [WAN loopback range] [inverse mask] guide.
network [WAN remote range] [inverse mask]
passive-interface default
no passive-interface [L2 WAN interface] Layer 2 EtherChannels are used to interconnect the CE router to the access
eigrp router-id [IP address of Loopback0] layer in the most resilient method possible. If your access layer device is a
eigrp stub connected summary single fixed configuration switch, a simple Layer 2 trunk between the router
no auto-summary and switch is used.
In the access layer design, the remote sites use collapsed routing, with
Example (Trunked Demarcation) 802.1Q trunk interfaces to the LAN access layer. The VLAN numbering is
router eigrp 300 locally significant only.
network 10.4.38.0 0.0.0.255
network 10.255.0.0 0.0.255.255 Option 1. Layer 2 EtherChannel from router to access layer
network 10.5.0.0 0.0.255.255 switch
passive-interface default
Step 1: Configure port-channel interface on the router.
no passive-interface GigabitEthernet0/0.38
interface Port-channel1
eigrp router-id 10.255.255.210
description EtherChannel link to RS210-A2960S
eigrp stub connected summary
no shutdown
no auto-summary
Step 2: Configure EtherChannel member interfaces on the router.
Configure the physical interfaces to tie to the logical port-channel using the
channel-group command. The number for the port-channel and channel-
group must match. Not all router platforms can support LACP to negotiate
with the switch, so EtherChannel is configured statically.

February 2013 Series Deploying a Layer 2 WAN 30


interface GigabitEthernet0/1 Step 4: Configure EtherChannel trunk on the access layer switch.
description RS210-A2960S Gig1/0/24
An 802.1Q trunk is used which allows the router to provide the Layer 3
! services to all the VLANs defined on the access layer switch. The VLANs
interface GigabitEthernet0/2 allowed on the trunk are pruned to only the VLANs that are active on the
description RS210-A2960S Gig2/0/24 access layer switch. When using EtherChannel the interface type will be
! port-channel and the number must match the channel group configured in
interface range GigabitEthernet0/1, GigabitEthernet0/2 Step 3. DHCP Snooping and Address Resolution Protocol (ARP) inspection
are set to trust.
no ip address
channel-group 1 interface Port-channel1
no shutdown description EtherChannel link to RS210-2921
switchport trunk encapsulation dot1q
Step 3: Configure EtherChannel member interfaces on the access layer switchport trunk allowed vlan 64,69
switch. switchport mode trunk
Connect the router EtherChannel uplinks to separate switches in the access ip arp inspection trust
layer switch stack, or in the case of the Cisco Catalyst 4507R+E distribution spanning-tree portfast trunk
layer, to separate redundant modules for additional resiliency. ip dhcp snooping trust
The physical interfaces that are members of a Layer 2 EtherChannel are no shutdown
configured prior to configuring the logical port-channel interface. Doing The Catalyst 2960S-S and 4500 do not require the switchport trunk encap-
the configuration in this order allows for minimal configuration and reduces sulation dot1q command.
errors because most of the commands entered to a port-channel interface
are copied to its members interfaces and do not require manual replication.
Option 2. Layer 2 trunk from router to access layer switch
Configure two physical interfaces to be members of the EtherChannel. Also,
apply the egress QoS macro that was defined in the LAN switch platform Step 1: Enable the physical interface on the router.
configuration procedure to ensure traffic is prioritized appropriately. interface GigabitEthernet0/2
Not all connected router platforms can support LACP to negotiate with the description RS210-A2960S Gig1/0/24
switch, so EtherChannel is configured statically. no ip address
interface GigabitEthernet1/0/24 no shutdown
description Link to RS210-2921 Gig0/1
Step 2: Configure the trunk on the access layer switch.
interface GigabitEthernet2/0/24
description Link to RS210-2921 Gig0/2 Use an 802.1Q trunk for the connection, which allows the router to provide
! the Layer 3 services to all the VLANs defined on the access layer switch.
The VLANs allowed on the trunk are pruned to only the VLANs that are
interface range GigabitEthernet1/0/24, GigabitEthernet2/0/24
active on the access switch. DHCP Snooping and Address Resolution
switchport Protocol (ARP) inspection are set to trust.
macro apply EgressQoS
interface GigabitEthernet1/0/24
channel-group 1 mode on
description Link to RS210-2921 Gig0/2
logging event link-status
switchport trunk encapsulation dot1q
logging event trunk-status
switchport trunk allowed vlan 64,69
logging event bundle-status
switchport mode trunk

February 2013 Series Deploying a Layer 2 WAN 31


ip arp inspection trust Example - Layer 2 EtherChannel
spanning-tree portfast trunk interface Port-channel1
macro apply EgressQoS no ip address
logging event link-status no shutdown
logging event trunk-status !
ip dhcp snooping trust interface Port-channel1.64
no shutdown description Data
The Catalyst 2960 does not require the switchport trunk encapsulation encapsulation dot1Q 64
dot1q command. ip address 10.5.148.1 255.255.255.0
ip helper-address 10.4.48.10
ip pim sparse-mode
Procedure 5 Configure Access Layer Routing !
interface Port-channel1.69
Step 1: Create subinterfaces and assign VLAN tags. description Voice
After you have enabled the physical interface or port-channel, you can map encapsulation dot1Q 69
the appropriate data or voice subinterfaces to the VLANs on the LAN switch. ip address 10.5.149.1 255.255.255.0
The subinterface number does not need to equate to the 802.1Q tag, but ip helper-address 10.4.48.10
making them the same simplifies the overall configuration. The subinterface ip pim sparse-mode
portion of the configuration should be repeated for all data or voice VLANs.
interface [type][number].[sub-interface number] Example - Layer 2 Link
encapsulation dot1Q [dot1q VLAN tag] interface GigabitEthernet0/2
no ip address
Step 2: Configure IP settings for each subinterface.
no shutdown
This design uses an IP addressing convention with the default gateway !
router assigned an IP address and IP mask combination of N.N.N.1 interface GigabitEthernet0/2.64
255.255.255.0 where N.N.N is the IP network and 1 is the IP host.
description Data
When using a centralized DHCP server, routers with LAN interfaces con- encapsulation dot1Q 64
nected to a LAN using DHCP for end-station IP addressing must use an IP ip address 10.5.148.1 255.255.255.0
helper.
ip helper-address 10.4.48.10
interface [type][number].[sub-interface number] ip pim sparse-mode
description [usage] !
ip address [LAN network 1] [LAN network 1 netmask] interface GigabitEthernet0/2.69
ip helper-address 10.4.48.10 description Voice
ip pim sparse-mode encapsulation dot1Q 69
ip address 10.5.149.1 255.255.255.0
ip helper-address 10.4.48.10
ip pim sparse-mode

February 2013 Series Deploying a Layer 2 WAN 32


Deploying a WAN Remote-Site Distribution Layer

Use this set of procedures to configure a Layer 2 WAN CE router for a Layer
2 WAN remote site (single-router, single-link). This section includes all Process
required procedures to connect to a distribution layer.
The distribution layer remote-site topology is show in the following figure.
Remote-Site Layer 2 WAN CE Router Distribution Layer
Figure 15 - WAN remote site - Connection to distribution layer
1. Connect CE Router to Distribution Layer
Layer 2 WAN
2. Configure EIGRP (LAN Side)

Procedure 1 Connect CE Router to Distribution Layer

802.1Q Trunk
(50)
Reader Tip

Please refer to the LAN Deployment Guide for complete distri-


bution layer configuration details. This guide only includes the
802.1Q Trunk 802.1Q Trunk
(xx-xx) (yy-yy)
additional steps to complete the distribution layer configuration.

Layer 2 EtherChannels are used to interconnect the CE router to the distri-


bution layer in the most resilient method possible. This connection allows for
1035

VLAN 50 - Router 1 Link multiple VLANs to be included on the EtherChannel if necessary.

Step 1: Configure port-channel interface on the router.


interface Port-channel1
description EtherChannel link to RS212-D3750X
no shutdown

February 2013 Series Deploying a WAN Remote-Site Distribution Layer 33


Step 2: Configure the port channel subinterfaces and assign IP addresses. Step 5: Configure Layer 3 on the distribution layer switch.
After you have enabled the interface, map the appropriate subinterfaces to Configure a VLAN interface, also known as a switch virtual interface (SVI), for
the VLANs on the distribution layer switch. The subinterface number does the new VLAN added. The SVI is used for point to point IP routing between
not need to equate to the 802.1Q tag, but making them the same simplifies the distribution layer and the WAN router.
the overall configuration. interface Vlan50
The subinterface configured on the router corresponds to a VLAN interface ip address 10.5.168.2 255.255.255.252
on the distribution-layer switch. Traffic is routed between the devices with ip pim sparse-mode
the VLAN acting as a point-to-point link. no shutdown
interface Port-channel1.50
description R1 routed link to distribution layer Step 6: Configure EtherChannel member interfaces on the distribution
layer switch.
encapsulation dot1Q 50
ip address 10.5.168.1 255.255.255.252 Connect the router EtherChannel uplinks to separate switches in the
ip pim sparse-mode distribution layer switches or stack, and in the case of the Cisco Catalyst
4507R+E distribution layer, to separate redundant modules for additional
Step 3: Configure EtherChannel member interfaces on the router. resiliency.

Configure the physical interfaces to tie to the logical port-channel using the The physical interfaces that are members of a Layer 2 EtherChannel are
channel-group command. The number for the port-channel and channel- configured prior to configuring the logical port-channel interface. Doing
group must match. Not all router platforms can support LACP to negotiate the configuration in this order allows for minimal configuration and reduces
with the switch, so EtherChannel is configured statically. errors because most of the commands entered to a port-channel interface
are copied to its members interfaces and do not require manual replication.
interface GigabitEthernet0/1
description RS212-D3750X Gig1/0/1 Configure two or more physical interfaces to be members of the
! EtherChannel. It is recommended that they are added in multiples of two.
Also, apply the egress QoS macro that was defined in the platform configu-
interface GigabitEthernet0/2
ration procedure to ensure traffic is prioritized appropriately.
description RS212-D3750X Gig2/0/1
! Not all connected router platforms can support LACP to negotiate with the
switch, so EtherChannel is configured statically.
interface range GigabitEthernet0/1, GigabitEthernet0/2
no ip address interface GigabitEthernet1/0/1
channel-group 1 description Link to RS212-2911 Gig0/1
no shutdown interface GigabitEthernet2/0/1
description Link to RS212-2911-1 Gig0/2
Step 4: Configure VLAN on the distribution layer switch. !
If your VLAN does not already exist on the distribution layer switch, config- interface range GigabitEthernet1/0/1, GigabitEthernet2/0/1
ure it now. switchport
vlan 50 macro apply EgressQoS
name R1-link channel-group 1 mode on
logging event link-status
logging event trunk-status
logging event bundle-status

February 2013 Series Deploying a WAN Remote-Site Distribution Layer 34


Step 7: Configure EtherChannel trunk on the distribution layer switch. router eigrp 100
network 10.5.0.0 0.0.255.255
An 802.1Q trunk is used which allows the router to provide the Layer 3 ser-
vices to all the VLANs defined on the distribution layer switch. The VLANs network 10.255.0.0 0.0.255.255
allowed on the trunk are pruned to only the VLANs that are active on the passive-interface default
distribution layer switch. When using EtherChannel the interface type will be no passive-interface [interface]
port-channel and the number must match the channel group configured in eigrp router-id [IP address of Loopback0]
Step 3. DHCP Snooping and Address Resolution Protocol (ARP) inspection no auto-summary
are set to trust.
interface Port-channel1 Step 2: Redistribute EIGRP-300 (Layer 2 WAN) into EIGRP-100.
description EtherChannel link to RS212-2911 EIGRP-300 is already configured for the Layer 2 WAN interface. Routes from
switchport trunk encapsulation dot1q this EIGRP process are redistributed. Because the routing protocol is the
switchport trunk allowed vlan 50 same, no default metric is required.
switchport mode trunk router eigrp [as number]
ip arp inspection trust redistribute eigrp [as number (Layer 2 WAN)]
spanning-tree portfast trunk
ip dhcp snooping trust Example
no shutdown router eigrp 100
The Catalyst 4500 does not require the switchport trunk encapsulation network 10.5.0.0 0.0.255.255
dot1q command. network 10.255.0.0 0.0.255.255
redistribute eigrp 300
passive-interface default
Procedure 2 Configure EIGRP (LAN Side) no passive-interface Port-channel1.50
eigrp router-id 10.255.255.212
You must configure a routing protocol between the router and distribution no auto-summary
layer.
Step 3: Enable EIGRP on distribution layer switch VLAN interface.
Step 1: Enable EIGRP-100 on the router. EIGRP is already configured on the distribution layer switch. The VLAN
Configure EIGRP-100 facing the distribution layer. In this design, all distribu- interface that connects to the router must be configured as a non-passive
tion-layer-facing subinterfaces and the loopback must be EIGRP interfaces. EIGRP interface.
All other interfaces should remain passive. The network range must include router eigrp 100
all interface IP addresses either in a single network statement or in multiple no passive-interface Vlan50
network statements. This design uses a best practice of assigning the router
ID to a loopback address.

February 2013 Series Deploying a WAN Remote-Site Distribution Layer 35


Deploying WAN Quality of Service

When configuring the WAN-edge QoS, you are defining how traffic egresses Step 1: Create the class maps for DSCP matching.
your network. It is critical that the classification, marking, and bandwidth
allocations align to the service provider offering to ensure consistent QoS Repeat this step to create a class-map for each of the six WAN classes of
treatment end to end. service listed in the following table.
You do not need to explicitly configure the default class.
class-map match-any [class-map name]
Process
match dscp [dcsp value] [optional additional dscp value(s)]

Table 13 - QoS classes of service


QoS Configuration
Class of Traffic DSCP Bandwidth Congestion
1. Create the QoS Maps to Classify Traffic service type values % avoidance
2. Implement the Queuing Policy VOICE Voice traffic ef 10 (PQ)
3. Configure Per-Site Shapers INTERACTIVE- Interactive cs4, af41 23 (PQ)
VIDEO video
4. Configure Physical Interface S&Q Policy
CRITICAL-DATA Highly af31, cs3 15 DSCP based
5. Apply WAN QoS Policy to Physical Interface interactive
DATA Data af21 19 DSCP based
SCAVENGER Scavenger af11, cs1 5
NETWORK- Routing cs6, cs2 3
Procedure 1 Create the QoS Maps to Classify Traffic CRITICAL protocols
default Best effort other 25 random
Use the class-map command to define a traffic class and identify traffic to
associate with the class name. These class names are used when configur-
ing policy maps that define actions you want to take against the traffic type.
The class-map command sets the match logic. In this case, the match-any
keyword indicates that the maps match any of the specified criteria. This
keyword is followed by the name you wish to assign to the class of service.
After you have configured the class-map command, define specific values,
such as DSCP and protocols to match with the match command. Use the fol-
lowing two forms of the match command: match dscp and match protocol.
Use the following steps to configure the required WAN class-maps and
matching criteria.

February 2013 Series Deploying WAN Quality of Service 36


Example
Procedure 2 Implement the Queuing Policy
class-map match-any VOICE
match dscp ef
The WAN policy map references the class names you created in the previ-
! ous procedures and defines the queuing behavior, along with the maximum
class-map match-any INTERACTIVE-VIDEO guaranteed bandwidth allocated to each class. This specification is accom-
match dscp cs4 af41 plished with the use of a policy-map. Then, each class within the policy
! map invokes an egress queue, assigns a percentage of bandwidth, and
class-map match-any CRITICAL-DATA associates a specific traffic class to that queue. One additional default class
defines the minimum allowed bandwidth available for best effort traffic.
match dscp af31 cs3
!
Option 1. Defining Per-Remote-Site Policy Maps
class-map match-any DATA
match dscp af21 This procedure applies to the WAN aggregation Layer 2 WAN CE router only.
This procedure will be repeated multiple timesonce for each Layer 2 WAN
!
connected remote site.
class-map match-any SCAVENGER
match dscp af11 cs1 Step 1: Create a remote-site specific policy map for all Layer 2 WAN con-
! nected remote sites.
class-map match-any NETWORK-CRITICAL policy-map [policy-map-name]
match dscp cs6 cs2
Step 2: Apply the previously created class-map.
class [class-name]
Tech Tip
Step 3: (Optional) Assign the maximum guaranteed bandwidth for the class.
You do not need to configure a Best-Effort Class. This is implicitly bandwidth percent [percentage]
included within class-default as shown in Procedure 5.
Step 4: (Optional) Define the priority queue for the class. Note, when using
a priority queue an implicit policer for this traffic type is applied.
priority percent [percentage]

Tech Tip Step 5: (Optional) Define the congestion mechanism.


random-detect [type]

The local router policy maps define seven classes while most Step 6: Repeat Step 2 through Step 5 for each class in Table 13, including
service providers offer only six classes of service. The NETWORK- class-default.
CRITICAL policy map is defined to ensure the correct classifica-
tion, marking, and queuing of network-critical traffic on egress
to the WAN. After the traffic has been transmitted to the service
provider, the network-critical traffic is typically remapped by the
service provider into the critical data class. Most providers perform
this remapping by matching on DSCP values cs6 and cs2.

February 2013 Series Deploying WAN Quality of Service 37


Option 1 Example (partial policy, showing sites 210 and 211) Option 2. Defining Single Global Policy Map
policy-map POLICY-MAP-RS210 This procedure applies to the remote-site WAN routers only.
class VOICE
priority percent 10 Step 1: Create the parent policy map.
class INTERACTIVE-VIDEO policy-map [policy-map-name]
priority percent 23
class CRITICAL-DATA Step 2: Apply the previously created class-map.
bandwidth percent 15 class [class-name]
random-detect dscp-based
Step 3: (Optional) Assign the maximum guaranteed bandwidth for the class.
class DATA
bandwidth percent [percentage]
bandwidth percent 19
random-detect dscp-based Step 4: (Optional) Define the priority queue for the class. Note, when using
class SCAVENGER a priority queue an implicit policer for this traffic type is applied.
bandwidth percent 5 priority percent [percentage]
class NETWORK-CRITICAL
bandwidth percent 3 Step 5: (Optional) Define the congestion mechanism.
class class-default random-detect [type]
bandwidth percent 25
Step 6: Repeat Step 3 through Step 5 for each class in Table 13 including
random-detect class-default.

policy-map POLICY-MAP-RS211 Option 2 Example


class VOICE policy-map WAN
priority percent 10 class VOICE
class INTERACTIVE-VIDEO priority percent 10
priority percent 23 class INTERACTIVE-VIDEO
class CRITICAL-DATA priority percent 23
bandwidth percent 15 class CRITICAL-DATA
random-detect dscp-based bandwidth percent 15
class DATA random-detect dscp-based
bandwidth percent 19 class DATA
bandwidth percent 19
random-detect dscp-based
random-detect dscp-based
class SCAVENGER
class SCAVENGER
bandwidth percent 5
bandwidth percent 5
class NETWORK-CRITICAL
class NETWORK-CRITICAL
bandwidth percent 3 bandwidth percent 3
class class-default class class-default
bandwidth percent 25 bandwidth percent 25
random-detect random-detect

February 2013 Series Deploying WAN Quality of Service 38


Table 14 - Layer 2 WAN remote-site network and bandwidth parameters

Tech Tip
Site Network Contracted rate (Mbps)
210 10.5.144.0/21 10
Although these bandwidth assignments represent a good base-
211 10.5.152.0/21 10
line, it is important to consider your actual traffic requirements
per class and adjust the bandwidth settings accordingly. 212 10.5.168.0/21 20
213 10.5.176.0/21 20

Step 5: Configure the shapers for each remote site using the parameters in
Procedure 3 Configure Per-Site Shapers Table 13.
class [class-name]
This procedure applies to the WAN-aggregation Layer 2 WAN CE router shape [average | peak] [bandwidth (kbps)]
only.
Step 6: Apply the child service policy.
An additional set of shaping policies is applied at the child level to avoid traf-
service-policy [policy-map-name]
fic overruns that may occur if a service provider has smaller contracted rates
for remote sites than the primary site. The shaping policies apply uniquely to Step 7: Repeat steps 5 and 6 for each remote site.
each remote site depending on the destination network addresses and the
contracted bandwidth rate for the remote site.
Example
Step 1: Create an IP extended access list to match the destination network ip access-list extended RS210-10.5.144.0
range for each remote site. permit ip any 10.5.144.0 0.0.7.255
ip access-list extended [ACL name site 1] ip access-list extended RS212-10.5.168.0
permit ip any [site 1 network] [site 1 inverse mask] permit ip any 10.5.168.0 0.0.7.255
class-map match-all CLASS-MAP-RS210
Step 2: Create a class map for each remote site. Associate the destination match access-group name RS210-10.5.144.0
network access list with the class map.
class-map match-all CLASS-MAP-RS212
class-map match-all [Class map name site 1] match access-group name RS212-10.5.168.0
match access-group [ACL name site 1] policy-map POLICY-MAP-L2-WAN-BACKBONE-WITH-PER-SITE-SHAPERS
Step 3: Repeat steps 1-2 for each remote site. class NETWORK-CRITICAL
bandwidth percent 3
Step 4: Create a child policy map to reserve bandwidth for NETWORK- class CLASS-MAP-RS210
CRITICAL traffic and enable traffic shaping to the remote sites. shape average 10000000
policy-map [child policy-map-name] service-policy POLICY-MAP-RS210
class [class-name] class CLASS-MAP-RS212
bandwidth percent [percentage] shape average 20000000
service-policy POLICY-MAP-RS212

February 2013 Series Deploying WAN Quality of Service 39


Example (Remote-site CE Router)
Procedure 4 Configure Physical Interface S&Q Policy
This example shows a router with a 20-Mbps link on interface
GigabitEthernet0/0.
With WAN interfaces using Ethernet as an access technology, the demarca-
tion point between the enterprise and service provider may no longer have policy-map WAN-INTERFACE-G0/0
a physical-interface bandwidth constraint. Instead, a specified amount of class class-default
access bandwidth is contracted with the service provider. To ensure the shape average 20000000
offered load to the service provider does not exceed the contracted rate that service-policy WAN
results in the carrier discarding traffic, you need to configure shaping needs
on the physical interface. This shaping is accomplished with a QoS service
policy. You configure a QoS service policy on the outside Ethernet interface,
and this parent policy includes a shaper that then references a second or Procedure 5 Apply WAN QoS Policy to Physical Interface
subordinate (child) policy that enables queuing within the shaped rate. This is
called a hierarchical Class-Based Weighted Fair Queuing (HCBWFQ) con- To invoke shaping and queuing on a physical interface, you must apply the
figuration. When you configure the shape average command, ensure that the parent policy that you configured in the previous procedure.
value matches the contracted bandwidth rate from your service provider. This procedure applies to all WAN routers. You can repeat this procedure
This procedure applies to aggregation and all remote site WAN routers. This multiple times to support devices that have multiple WAN connections
procedure may be repeated multiple times to support devices that have attached to different interfaces.
multiple WAN connections attached to different interfaces.
Step 1: Select the WAN interface.
Step 1: Create the parent policy map. interface [interface type] [number]
As a best practice, embed the interface name within the name of the parent
Step 2: Apply the WAN QoS policy.
policy map.
policy-map [policy-map-name] The service policy needs to be applied in the outbound direction.
service-policy output [policy-map-name]
Step 2: Configure the shaper.
class [class-name] Example
shape [average | peak] [bandwidth (kbps)] interface GigabitEthernet0/0
service-policy output WAN-INTERFACE-G0/0
Step 3: Apply the child service policy.
service-policy [policy-map-name]

Example (WAN aggregation Layer 2 WAN CE Router)


This example shows a router with a 500-Mbps link on interface
GigabitEthernet0/0/3 and a child shaper policy.
policy-map WAN-INTERFACE-G0/0/3
class class-default
shape average 500000000
service-policy POLICY-MAP-L2-WAN-BACKBONE-WITH-PER-SITE-
SHAPERS

February 2013 Series Deploying WAN Quality of Service 40


Appendix A: Product List

WAN Aggregation
Functional Area Product Description Part Numbers Software
WAN-aggregation Aggregation Services 1002 Router ASR1002-5G-VPN/K9 IOS-XE 15.2(2)S2
Router Aggregation Services 1001 Router ASR1001-2.5G-VPNK9 Advanced
Enterprise license

WAN Remote Site


Functional Area Product Description Part Numbers Software
Modular WAN Cisco 3945 Voice Sec. Bundle, PVDM3-64, UC and SEC License PAK C3945-VSEC/K9 15.1(4)M5
Remote-site Router Cisco 3925 Voice Sec. Bundle, PVDM3-64, UC and SEC License PAK C3925-VSEC/K9 securityk9 license
datak9 license
Data Paper PAK for Cisco 3900 series SL-39-DATA-K9
Cisco 2951 Voice Sec. Bundle, PVDM3-32, UC and SEC License PAK C2951-VSEC/K9
Cisco 2921 Voice Sec. Bundle, PVDM3-32, UC and SEC License PAK C2921-VSEC/K9
Cisco 2911 Voice Sec. Bundle, PVDM3-32, UC and SEC License PAK C2911-VSEC/K9
Data Paper PAK for Cisco 2900 series SL-29-DATA-K9

LAN Access Layer


Functional Area Product Description Part Numbers Software
Modular Access Cisco Catalyst 4507R+E 7-slot Chassis with 48Gbps per slot WS-C4507R+E 3.3.0.SG(15.1-1SG)
Layer Switch Cisco Catalyst 4500 E-Series Supervisor Engine 7L-E WS-X45-SUP7L-E IP Base license

Cisco Catalyst 4500 E-Series 48 Ethernet 10/100/1000 (RJ45) PoE+ ports WS-X4648-RJ45V+E
Cisco Catalyst 4500 E-Series 48 Ethernet 10/100/1000 (RJ45) PoE+,UPoE ports WS-X4748-UPOE+E
Stackable Access Cisco Catalyst 3750-X Series Stackable 48 Ethernet 10/100/1000 PoE+ ports WS-C3750X-48PF-S 15.0(2)SE
Layer Switch Cisco Catalyst 3750-X Series Stackable 24 Ethernet 10/100/1000 PoE+ ports WS-C3750X-24P-S IP Base license

Cisco Catalyst 3750-X Series Two 10GbE SFP+ and Two GbE SFP ports network module C3KX-NM-10G
Cisco Catalyst 3750-X Series Four GbE SFP ports network module C3KX-NM-1G

February 2013 Series Appendix A: Product List 41


Functional Area Product Description Part Numbers Software
Standalone Access Cisco Catalyst 3560-X Series Standalone 48 Ethernet 10/100/1000 PoE+ ports WS-C3560X-48PF-S 15.0(2)SE
Layer Switch Cisco Catalyst 3560-X Series Standalone 24 Ethernet 10/100/1000 PoE+ ports WS-C3560X-24P-S IP Base license

Cisco Catalyst 3750-X Series Two 10GbE SFP+ and Two GbE SFP ports network module C3KX-NM-10G
Cisco Catalyst 3750-X Series Four GbE SFP ports network module C3KX-NM-1G
Stackable Access Cisco Catalyst 2960-S Series 48 Ethernet 10/100/1000 PoE+ ports and Two 10GbE WS-C2960S-48FPD-L 15.0(2)SE
Layer Switch SFP+ Uplink ports LAN Base license
Cisco Catalyst 2960-S Series 48 Ethernet 10/100/1000 PoE+ ports and Four GbE SFP WS-C2960S-48FPS-L
Uplink ports
Cisco Catalyst 2960-S Series 24 Ethernet 10/100/1000 PoE+ ports and Two 10GbE WS-C2960S-24PD-L
SFP+ Uplink ports
Cisco Catalyst 2960-S Series 24 Ethernet 10/100/1000 PoE+ ports and Four GbE SFP WS-C2960S-24PS-L
Uplink ports
Cisco Catalyst 2960-S Series Flexstack Stack Module C2960S-STACK

LAN Distribution Layer


Functional Area Product Description Part Numbers Software
Modular Distribution Cisco Catalyst 6500 E-Series 6-Slot Chassis WS-C6506-E 15.0(1)SY1
Layer Virtual Switch Cisco Catalyst 6500 VSS Supervisor 2T with 2 ports 10GbE and PFC4 VS-S2T-10G IP Services license
Pair
Cisco Catalyst 6500 16-port 10GbE Fiber Module w/DFC4 WS-X6816-10G-2T
Cisco Catalyst 6500 24-port GbE SFP Fiber Module w/DFC4 WS-X6824-SFP-2T
Cisco Catalyst 6500 4-port 40GbE/16-port 10GbE Fiber Module w/DFC4 WS-X6904-40G-2T
Cisco Catalyst 6500 4-port 10GbE SFP+ adapter for WX-X6904-40G module CVR-CFP-4SFP10G
Modular Distribution Cisco Catalyst 4507R+E 7-slot Chassis with 48Gbps per slot WS-C4507R+E 3.3.0.SG(15.1-1SG)
Layer Switch Cisco Catalyst 4500 E-Series Supervisor Engine 7-E, 848Gbps WS-X45-SUP7-E Enterprise Services
license
Cisco Catalyst 4500 E-Series 24-port GbE SFP Fiber Module WS-X4624-SFP-E
Cisco Catalyst 4500 E-Series 12-port 10GbE SFP+ Fiber Module WS-X4712-SFP+E
Stackable Cisco Catalyst 3750-X Series Stackable 12 GbE SFP ports WS-C3750X-12S-E 15.0(2)SE
Distribution Layer Cisco Catalyst 3750-X Series Two 10GbE SFP+ and Two GbE SFP ports network module C3KX-NM-10G IP Services license
Switch
Cisco Catalyst 3750-X Series Four GbE SFP ports network module C3KX-NM-1G

February 2013 Series Appendix A: Product List 42


Appendix B: Changes

This appendix summarizes the changes to this guide since the previous
Cisco SBA series.
We made changes to improve the readability and technical accuracy of
this guide.
We updated the code version for the Cisco ASR and ISR platforms.

February 2013 Series Appendix B: Changes 43


Feedback
Please use the feedback form to send comments
and suggestions about this guide.

SMART BUSINESS ARCHITECTURE

Americas Headquarters Asia Pacific Headquarters Europe Headquarters


Cisco Systems, Inc. Cisco Systems (USA) Pte. Ltd. Cisco Systems International BV Amsterdam,
San Jose, CA Singapore The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, DESIGNS) IN THIS MANUAL ARE PRESENTED AS IS, WITH ALL FAULTS. CISCO AND ITS SUPPLiERS DISCLAIM ALL WARRANTIES, INCLUDING, WITH-
OUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE
FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL
OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content
is unintentional and coincidental.

2013 Cisco Systems, Inc. All rights reserved.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their
respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

B-0000235-1 1/13