[c-nsp] LOAD SHARING BETWEEN WAN LINKS BASED ON LINK UTILIZATION WITH PFRV2
Vasu Varma
ypkcar at gmail.com
Thu Nov 3 07:01:41 EDT 2016
Hi Folks,
I need your help getting the configuration right to achieve load sharing
between two links using PfRv2. I shall explain the requirement and the
setup in detail.
Setup:
There are two locations, one hub and one spoke, connected over two service
provider links. Two DMVPN tunnels were built, one over each provider link,
for communication between hub and spoke. Both links are Internet-based, and
the locations access SaaS-based applications directly.
PfRv2 has been configured to influence path selection based on various
parameters such as bandwidth/link utilization, jitter and latency.
Requirement:
While accessing enterprise applications, traffic should go over the tunnel,
and path selection should be based on the defined criteria. For example,
Application A should prefer Tunnel0 with Tunnel1 as fallback, but if the
utilization of Tunnel0 reaches 80%, it should prefer Tunnel1.
Similarly, for SaaS-based applications (Facebook, Office365, Skype),
traffic should prefer Gig0/0 with Gig0/1 as fallback, and if the
utilization of the link crosses 70%, it should prefer Gig0/1.
Problem:
Even before the thresholds are met, traffic is preferring the secondary
link.
Regards,
Yaswanth
-------------- next part --------------
Site-110-V10#sh running-config
Building configuration...
Current configuration : 13261 bytes
!
! Last configuration change at 09:22:45 UTC Wed Nov 2 2016 by nieg
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Site-110-V10
!
boot-start-marker
boot system usbflash0:/c1900-universalk9-mz.SPA.152-3.T.bin
boot-end-marker
!
!
enable secret 5 $1$XZyK$t52TN1UH8raNnGEfI3jKY1
!
no aaa new-model
!
!
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
!
!
no ip domain lookup
ip cef
!
multilink bundle-name authenticated
!
!
key chain pfr
key 0
key-string cisco
!
!
!
pfr master
mc-peer domain 65000 3.3.3.3 Loopback0
target-discovery
logging
!
border 10.10.10.10 key-chain pfr
interface GigabitEthernet0/1.110 internal
interface Tunnel1 external
interface Tunnel0 external
max-xmit-utilization percentage 80
maximum utilization receive percentage 80
!
learn
!
pfr border
logging
local Loopback0
master 10.10.10.10 key-chain pfr
license udi pid CISCO1905/K9 sn FGL173323TB
license boot module c1900 technology-package securityk9
license boot module c1900 technology-package datak9
!
!
username nieg password 0 sify1
!
redundancy
!
!
!
!
!
!
policy-map eem-policy
class class-default
police cir 8000 bc 16000
conform-action transmit
exceed-action drop
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
encr aes 256
hash sha256
authentication pre-share
group 2
crypto isakmp key SDWAN address 0.0.0.0
crypto isakmp keepalive 60 periodic
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile SD-WAN
set security-association lifetime seconds 86400
set transform-set TS
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 10.10.10.10 255.255.255.255
!
interface Tunnel0
description mGRE
bandwidth 50000
ip address 172.17.0.10 255.255.255.0
no ip redirects
no ip next-hop-self eigrp 100
no ip split-horizon eigrp 100
ip nhrp authentication SDWAN
ip nhrp map multicast dynamic
ip nhrp map 172.17.0.3 10.0.3.2
ip nhrp map multicast 10.0.3.2
ip nhrp network-id 1
ip nhrp nhs 172.17.0.3
tunnel source GigabitEthernet0/0.60
tunnel mode gre multipoint
tunnel protection ipsec profile SD-WAN
!
interface Tunnel1
description mGRE
ip address 172.25.0.10 255.255.255.0
no ip redirects
no ip next-hop-self eigrp 100
no ip split-horizon eigrp 100
ip nhrp authentication SDWAN
ip nhrp map multicast dynamic
ip nhrp map 172.25.0.3 10.0.3.6
ip nhrp map multicast 10.0.3.6
ip nhrp network-id 1
ip nhrp nhs 172.25.0.3
tunnel source GigabitEthernet0/0.70
tunnel mode gre multipoint
tunnel protection ipsec profile SD-WAN
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description UPLINK
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.60
encapsulation dot1Q 60
ip address 10.0.10.2 255.255.255.252
!
interface GigabitEthernet0/0.70
encapsulation dot1Q 70
ip address 10.0.10.6 255.255.255.252
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.110
encapsulation dot1Q 110
ip address 10.0.110.1 255.255.255.0
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
!
router eigrp 100
network 172.17.0.0 0.0.0.255
network 172.25.0.0 0.0.0.255
redistribute connected metric 1000 1 1 1 1500 route-map LAN
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.60 10.0.10.1
!
!
ip prefix-list LAN seq 5 permit 10.0.110.0/24
ip prefix-list LAN seq 10 permit 10.10.10.10/32
!
route-map LAN permit 10
match ip address prefix-list LAN
!
!
snmp-server group S3LR0snmp v3 priv
snmp-server group S3LR0group v3 priv access 50
snmp-server community S1LR0snmp RO 50
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps ospf state-change
snmp-server enable traps entity-sensor threshold
snmp-server enable traps bgp state-changes
snmp-server enable traps config
snmp-server enable traps event-manager
snmp-server enable traps syslog
snmp-server enable traps ipsla
snmp-server host 124.7.159.5 version 2c S1LR0snmp
snmp-server host 202.191.136.186 version 2c S1LR0snmp
snmp-server host 202.191.136.224 version 2c S1LR0snmp
snmp-server host 119.226.225.229 version 3 priv S3LR0snmp
snmp-server host 119.226.225.243 version 3 priv S3LR0snmp
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login local
transport input all
line vty 5 8
login
transport input all
line vty 9 15
login
transport input none
!
-------------- next part --------------
Site-103-V3#sh running-config
Building configuration...
Current configuration : 4819 bytes
!
! Last configuration change at 09:28:14 UTC Wed Nov 2 2016 by nieg
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Site-103-V3
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$ogBX$QpJIkxniVmw7QOFaFkPKm1
!
no aaa new-model
!
!
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
!
!
ip cef
!
multilink bundle-name authenticated
!
!
key chain pfr
key 0
key-string 7 070C285F4D06
!
!
!
pfr master
max-range-utilization percent 7
mc-peer domain 65000 head-end Loopback0
target-discovery responder-list RESPONDER_PREFIX inside-prefixes HQ_PREFIX
!
border 3.3.3.3 key-chain pfr
interface Tunnel1 external
link-group ISP2
interface Tunnel0 external
max-xmit-utilization percentage 80
maximum utilization receive percentage 80
link-group ISP1
interface GigabitEthernet0/1.102 internal
!
learn
periodic-interval 1
traffic-class filter access-list DENY_GLOBAL_LEARN_LIST
list seq 10 refname LEARN_VOICE_VIDEO
traffic-class access-list VOICE_VIDEO filter BRANCH_PREFIX
count 500 max 1000
throughput
list seq 30 refname LEARN_BEST_EFFORT
traffic-class access-list BEST_EFFORT filter BRANCH_PREFIX
count 500 max 1000
throughput
!
pfr border
logging
local Loopback0
master 3.3.3.3 key-chain pfr
license udi pid CISCO1941/K9 sn FGL17202019
license boot module c1900 technology-package securityk9
license boot module c1900 technology-package datak9
!
!
username nieg privilege 15 password 7 1501020A1D7B
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key SDWAN address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile SD-WAN
set security-association lifetime seconds 86400
set transform-set TS
!
!
!
!
!
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
description mGRE-HUB
bandwidth 50000
ip address 172.17.0.3 255.255.255.0
no ip redirects
no ip next-hop-self eigrp 100
no ip split-horizon eigrp 100
ip nhrp authentication SDWAN
ip nhrp map multicast dynamic
ip nhrp network-id 1
load-interval 30
tunnel source 10.0.3.2
tunnel mode gre multipoint
tunnel protection ipsec profile SD-WAN
!
interface Tunnel1
description mGRE-HUB
bandwidth 1000000
ip address 172.25.0.3 255.255.255.0
no ip redirects
no ip next-hop-self eigrp 100
no ip split-horizon eigrp 100
ip nhrp authentication SDWAN
ip nhrp map multicast dynamic
ip nhrp network-id 1
load-interval 30
tunnel source 10.0.3.6
tunnel mode gre multipoint
tunnel protection ipsec profile SD-WAN
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
load-interval 30
duplex auto
speed auto
!
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 10.0.3.2 255.255.255.252
!
interface GigabitEthernet0/0.31
encapsulation dot1Q 31
ip address 10.0.3.6 255.255.255.252
!
interface GigabitEthernet0/0.88
encapsulation dot1Q 88
ip address 192.168.88.3 255.255.255.0
!
interface GigabitEthernet0/1
no ip address
load-interval 30
duplex auto
speed auto
!
interface GigabitEthernet0/1.102
encapsulation dot1Q 102
ip address 10.0.102.1 255.255.255.0
!
!
router eigrp 100
network 172.17.0.0 0.0.0.255
network 172.25.0.0 0.0.0.255
redistribute connected metric 1000 1 255 1 1500 route-map LAN
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.30 10.0.3.1
ip route 10.0.10.0 255.255.255.252 GigabitEthernet0/0.30 10.0.3.1
ip route 10.0.10.4 255.255.255.252 GigabitEthernet0/0.31 10.0.3.5
!
ip access-list extended BEST_EFFORT
permit ip any any dscp default
ip access-list extended CRITICAL
permit ip any any dscp af31
ip access-list extended DENY_GLOBAL_LEARN_LIST
deny ip any any
ip access-list extended VOICE_VIDEO
permit ip any any dscp ef
permit ip any any dscp af41
permit ip any any dscp cs4
!
!
ip prefix-list BRANCH_PREFIX seq 10 permit 10.0.10.0/24
!
ip prefix-list HQ_PREFIX seq 5 permit 10.0.102.0/24
!
ip prefix-list LAN seq 5 permit 10.0.102.0/24
ip prefix-list LAN seq 10 permit 3.3.3.3/32
!
ip prefix-list RESPONDER_PREFIX seq 5 permit 10.0.3.1/32
!
route-map LAN permit 10
match ip address prefix-list LAN
!
!
snmp-server community S1LR0snmp RO
snmp-server enable traps entity-sensor threshold
!
pfr-map 9047-MAP 10
match traffic-class prefix-list ftp-server
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login local
transport input all
!
scheduler allocate 20000 1000
!
end
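An added example, not part of the original post or of its attached configurations: one way to express the stated primary/fallback requirement on the hub master controller (Site-103-V3) with link groups, written against the interface, key-chain, learn-list and prefix-list names that appear in the posted hub config. The ACL name APP_A, the prefix-list name SPOKE_LAN, TCP port 8443, the spoke LAN 10.0.110.0/24 as the destination, the map name PFR_POLICY and the probe target 172.17.0.10 (the spoke's Tunnel0 address) are assumptions for illustration. A few things visible in the posted hub config are worth checking first: pfr-map 9047-MAP matches prefix-list ftp-server, which is not defined anywhere in that config, and no `policy-rules` line under `pfr master` applies the map, so it has no effect; `max-range-utilization percent 7` is a range (equalisation) policy, not a per-exit ceiling, so if range resolution is active PfR rebalances as soon as the two exits differ by 7%, long before Tunnel0 reaches its 80% `max-xmit-utilization`; utilization percentages are computed against the interface `bandwidth`, which is 50000 kbps on Tunnel0 and 1000000 kbps on Tunnel1 at the hub, and not set at all on Tunnel1 at the spoke; and the learn-list filter BRANCH_PREFIX permits 10.0.10.0/24, the tunnel-source /30s, not the spoke LAN. The posted tunnel crypto (3DES/MD5, a wildcard pre-shared key for `address 0.0.0.0`, `key-string cisco` under `no service password-encryption`, `transport input all` on the vtys) is left unchanged by this example and deserves its own review.

```cisco
! Added example (not from the posted config). Hub MC Site-103-V3.
! Assumed names/values: APP_A, SPOKE_LAN, PFR_POLICY, tcp/8443,
! probe target 172.17.0.10 (assumed to run "ip sla responder").
!
! Learned traffic classes are keyed on destination prefix; the posted
! BRANCH_PREFIX (10.0.10.0/24) covers the tunnel-source /30s, so a
! filter for the spoke LAN is needed to learn classes toward it.
ip prefix-list SPOKE_LAN seq 5 permit 10.0.110.0/24
!
! "Application A" (assumed TCP/8443) toward the spoke LAN.
ip access-list extended APP_A
 permit tcp any 10.0.110.0 0.0.0.255 eq 8443
!
pfr master
 ! Apply the map; a pfr-map not referenced here is never evaluated.
 policy-rules PFR_POLICY
 ! Range policy: how far apart exit utilization may drift before PfR
 ! rebalances. 7% (as posted) moves traffic long before an exit reaches
 ! its own 80% ceiling; widen it when the intent is primary/fallback.
 max-range-utilization percent 50
 mode route control
 mode select-exit good
 !
 border 3.3.3.3 key-chain pfr
  interface GigabitEthernet0/1.102 internal
  interface Tunnel0 external
   ! Per-exit ceilings, as a percentage of the interface "bandwidth".
   max-xmit-utilization percentage 80
   maximum utilization receive percentage 80
   link-group ISP1
  interface Tunnel1 external
   max-xmit-utilization percentage 80
   maximum utilization receive percentage 80
   link-group ISP2
 !
 learn
  list seq 5 refname LEARN_APP_A
   traffic-class access-list APP_A filter SPOKE_LAN
   count 100 max 200
   throughput
!
! Policy: ISP1 (Tunnel0) preferred, ISP2 (Tunnel1) only as fallback; an
! exit is left only when it is out-of-policy on utilization, delay,
! jitter or loss.
pfr-map PFR_POLICY 10
 match pfr learn list LEARN_APP_A
 set link-group ISP1 fallback ISP2
 set mode route control
 set mode select-exit good
 ! Utilization decides first; the variance stops flapping between exits
 ! whose measurements are within a few percent of each other.
 set resolve utilization priority 1 variance 10
 set resolve delay priority 2 variance 20
 set delay threshold 150
 set jitter threshold 30
 set loss threshold 10000
 set periodic 90
 set active-probe jitter 172.17.0.10 target-port 20000 codec g711alaw
 set probe frequency 10
!
pfr-map PFR_POLICY 20
 ! Everything else learned by the posted lists keeps the same preference.
 match pfr learn list LEARN_BEST_EFFORT
 set link-group ISP1 fallback ISP2
 set mode route control
 set resolve utilization priority 1 variance 10
 set periodic 90
```

Each master controls only its own border's exits, so the spoke MC (Site-110-V10) needs the mirror of this: the same `link-group` tags under `border 10.10.10.10` on Tunnel0 and Tunnel1, a `bandwidth` on its Tunnel1, and an equivalent pfr-map applied with `policy-rules`. For the SaaS-direct part of the requirement, Gig0/0.60 and Gig0/0.70 would themselves have to be PfR external interfaces on the spoke; note also that the spoke's only default route is via Gig0/0.60, so the GRE/ESP packets of Tunnel1 (destination 10.0.3.6) leave through that subinterface too, and the utilization PfR measures on Tunnel1 is not the utilization of the second provider link. After applying, check `show pfr master traffic-class` for which classes were learned and which exit holds them, `show pfr master border detail` for per-exit utilization against the configured bandwidth, and `show pfr master link-group` for the primary/fallback assignment.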