Yes, it took me hours just to plan and draw this Topology in EVE, and after opening 18 CLI windows (one for each device), I've come to appreciate just opening the CLIs of one site at a time; staring at 18 command prompts long enough will make you feel like you're falling out of your chair 🙂
I'm calling an audible here in the midst of finishing off my MPLS Layer 2 studies: having now thoroughly reinforced my CCNP R/S skillset by building this Topology so everything is adjacent and humming along, I'd like to add a few things to really secure it the way an Enterprise would be secured out in the wild (and hopefully fine-tune it as well).
I have built and saved this Topology as of right now, but will be keeping it for further down the road once my full CCIE VPN Technologies are covered; however, I wanted to explain a couple of technologies here that will be labbed on this Topology!
Which technologies, you may ask? Great question!
Front Door VRF (fVRF) for VPN / DMVPN deployments, and PfR (Performance Routing).
When I first saw these I had no idea what they were, and when it's in a production environment you support, you had better know what you're doing fast 🙂
Without further ado, a quick overview of what each is, then I will be doing some huge freestyle labs (YES!!!) on both of these topics to take a break from my MPLS studies.
I love freestyle labbing; it is my passion in Networking. Nothing about a Certification or emergency-fixing a problem without really knowing the solution – just labbing until you fully understand the technology!
What is the deal with PfR and why should I care about it?
It acts a lot like the new buzzword that makes people foam at the mouth, “SD-WAN”, on a company's existing Cisco Hardware. Though not as feature-rich as, say, Viptela or Meraki, it is SOMETHING we can use to put to work a customer's “fail-over” link that has been sitting there unused for years – for some customers I've worked with, literally 5+ years if not more.
The components that make up IWAN / PfR at a site are as follows:
- 1 “Border Router” (BR) and 1 “Master Controller” (MC); a single device can be both BR and MC
- At least 1 “Internal” interface and two “External” interfaces
- A single device that has 2x WAN links to different providers
- IP SLA / Netflow configured on the MC to perform WAN link direction for the BRs
The Border Router is of course your “Edge” or ISP-facing device, and the Master Controller (MC) is what measures link statistics to either ISP and tells the Border Routers how to perform true “load-sharing” rather than “load-balancing” of their traffic between the two links to optimize throughput.
This can be done on another Cisco Router, as seen in my Topology, or on a very specific piece of hardware built for this; it is much like SD-WAN functionality, only performed with our CLI tools such as IP SLA / Responder statistics and Netflow.
The terms “Internal” and “External” are an important deployment concept, as they identify which links will be part of PfR; of course we need 2x External links to send traffic on different links to optimize traffic flow.
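To make the BR / MC and Internal / External pieces concrete, here is a classic PfR (IOS 15.x CLI) configuration for one router acting as both MC and BR with two ISP-facing External interfaces. This is an added example, not config from the lab above; the interface names, Loopback address and key string are constructed placeholders.

```ios
! Single router acting as both Master Controller (MC) and Border Router (BR).
! Constructed assumptions: Loopback0 10.255.0.1 is the MC/BR peering address,
! Gi0/1 faces the LAN (internal), Gi0/0 and Gi0/2 face ISP A and ISP B (external).
key chain PFR-KEYS
 key 1
  key-string PFR-SECRET-PLACEHOLDER
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! PfR steers traffic via CEF; it enables NetFlow on the external interfaces itself.
ip cef
!
pfr master
 ! Authenticated MC <-> BR session; the BR happens to be this same box
 border 10.255.0.1 key-chain PFR-KEYS
  interface GigabitEthernet0/1 internal
  interface GigabitEthernet0/0 external
  interface GigabitEthernet0/2 external
 ! Learn the busiest and slowest prefixes passively from NetFlow
 learn
  throughput
  delay
  periodic-interval 0
  monitor-period 1
 ! Passive NetFlow plus active IP SLA probes toward the learned prefixes
 mode monitor both
 ! Let the MC actually move traffic instead of only reporting on it
 mode route control
 ! Out-of-policy one-way delay (ms) that triggers a move to the other ISP link
 delay threshold 150
!
pfr border
 local Loopback0
 master 10.255.0.1 key-chain PFR-KEYS
```

PfR can only move a prefix onto an External interface that already has a parent route (for example a default route pointing out each ISP link), so both WAN links need their own reachability before the MC will treat them as usable; check the session and learned prefixes with show pfr master and show pfr border.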
Lots more on this during labbing; I have NEVER looked at this before, so it should be fun 🙂
Front Door VRFs – Specifically a VPN Technology for site-to-site or DMVPN
I won't spend a lot of time on this as it's incredibly easy at a high-level view: Front Door VRFs are configured on both the WAN Interface of the ISP you want your DMVPN to run over and on your Tunnel interface, to hard-code your DMVPN Branch to use a specific provider to reach its HQ or wherever it is pointed.
A few really nice features: the ISP info doesn't show in the IP Global Route Table and does not need to in the first place (hidden by the VRF instance), and it allows two protocols to run between sites, because the WAN protocol will be “Silo'd” to the VRF, so you can configure another IGP between the Branch sites connected by the VPN.
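Here is what that looks like on a DMVPN spoke, as an added example (not config from the OSPF DMVPN lab referenced in this post); the VRF name INET-A, all addresses and the interface names are constructed assumptions.

```ios
! Branch (spoke) router: Front Door VRF pins the DMVPN tunnel to ISP A.
! Constructed assumptions: WAN Gi0/0 203.0.113.2/30 with ISP next hop 203.0.113.1,
! hub NBMA address 198.51.100.10, tunnel overlay 10.0.0.0/24, LAN 192.168.2.0/24.
vrf definition INET-A
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/0
 description WAN to ISP A (exists only inside the fVRF)
 ! Caveat: applying vrf forwarding wipes any IP address already on the
 ! interface, so the address is (re)entered after it.
 vrf forwarding INET-A
 ip address 203.0.113.2 255.255.255.252
!
! The provider default route lives in the VRF table, not the global RIB,
! so "show ip route" on the branch never shows ISP reachability.
ip route vrf INET-A 0.0.0.0 0.0.0.0 203.0.113.1
!
interface Tunnel0
 description DMVPN spoke; the overlay stays in the global table
 ip address 10.0.0.2 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map 10.0.0.1 198.51.100.10
 ip nhrp map multicast 198.51.100.10
 ip nhrp nhs 10.0.0.1
 ip ospf network point-to-multipoint
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 ! This is the Front Door: the GRE-encapsulated packets are routed using
 ! INET-A, so this spoke can only reach the hub's NBMA address via ISP A.
 tunnel vrf INET-A
!
! The overlay IGP runs across the tunnel in the global table, fully
! separated from whatever the carrier runs on the WAN side.
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
```

Verify the split with show ip route vrf INET-A (provider side) versus show ip route (overlay and LAN) and confirm the NHRP registration with show dmvpn; the hub needs the same tunnel vrf treatment if its WAN interface is also placed in an fVRF, and its OSPF network type must match the spoke.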
I've also heard fVRFs make DMVPN Tunnels so much easier to work with in an Enterprise environment; I am not entirely sure why yet (I can only learn so fast), however I will be configuring those advanced technologies in this blog!
We are graduating from CCNP Technologies to, I am not sure what level, but it's fun! 🙂
I will actually be going back to my Single Device OSPF DMVPN lab to introduce Front Door VRFs; as they are meant to keep DMVPN traffic routing segmented to one VRF instance for a carrier, the concept is easily demonstrated there.
That is why I was going to go really GRANDE with the size of the lab, but its size is getting distracting, and I am starting to get behind in covering topics, so I need to ramp up the pace here to get things moving!
To wrap this up: this is very important for Network Engineers to understand!
If you don't learn it here (which I wouldn't recommend 100%), I'd use many study sources plus labbing it in EVE to really get an idea of how it is labbed; this is that “Genius” level knowledge that is on CCIE Blueprints which will take your skill set to the next level and impress the hell out of your customers by optimizing their networks!
Off to finish configuring all devices in that monster lab; got INET clouds working and 1 Branch going, 2 more Branches to go – Be back soon with some lab sessions on testing how to configure and understand this technology 100%!
(This is all either completely or very new to me, so this labbing might get ugly!) 🙂