The WAN is the place in the network that aggregates links of various types and speeds, running a disparate set of protocols, across metropolitan, state, and even national boundaries. The largest example of a WAN is the Internet itself, which can be regarded as the public WAN. The primary purpose of a WAN is to connect users and applications that reside on different LANs.
As its definition implies, the WAN is the central point at which data from all parts of an enterprise network is aggregated. Because of this, it is important to understand not only how a WAN is constructed, but also the underlying business drivers that have brought, and continue to bring, change to this place in the network.
In this book, you study the variety of WANs as they exist today, the business models behind them, and the emerging trends that are giving birth to the "next-generation" WAN. Once you have the first four chapters (Part I) behind you, it should be evident that the core requirement for building such networks hinges on modern routing/switching infrastructure that is highly available, scalable, flexible, and above all, service rich.
This chapter describes the various types of WAN architectures and the requirements associated with each.
Introduction to WAN Solutions
Thanks to an increasingly dispersed global workforce, businesses rely on their WANs more than ever, so much so that business performance is now directly tied to how well quality, reliability, and security are implemented for communications between main and regional headquarters, branch offices, suppliers, partners, and customers. Because of new IP services and applications such as VoIP, video, and mobile data connectivity, remotely connected road warriors, and the unification of wired and wireless networks, the headend router must perform a wide variety of functions.
Depending on the connectivity, the transport protocols, and whether the medium is private or public, several different varieties of WAN might be in play. The four main WAN types are as follows:
- Branch/private WAN aggregation
- Internet edge
- Data center interconnect
- Large branch WAN
The WAN aggregation role can also be subdivided into the following three categories, based on what is typically found in enterprise networks:
- Basic WAN aggregation (explained in the following section)
- Secure WAN aggregation (add-on with solutions based on IPsec or Secure Sockets Layer virtual private networking [SSL VPN])
- Optimized WAN aggregation (add-on with solutions based on WAN optimization with Web Cache Communication Protocol Version 2/Policy Based Routing [WCCPv2/PBR] and Wide Area Application Services [WAAS])
Figure 1-1 shows various WAN options and puts them into perspective as to how they come together.
Figure 1-1 WAN options.
Branch/Private WAN Aggregation Role
Branch WAN aggregation is the way all the enterprise branches are connected and aggregated into the WAN core router, or headend. On the cloud-facing side, router interfaces use various physical transport options (outlined in Table 1-1), whereas on the campus side the connection is Gigabit Ethernet (GE) or 10 Gigabit Ethernet (10 GigE), acting as the uplink from the campus core switches to the WAN. Leased lines (and, increasingly, Ethernet) are among the most common ways of interfacing with the WAN cloud. Basic WAN aggregation is usually implemented as a classical hub-and-spoke design over traditional Layer 2 connectivity, and IPsec tunnel termination and firewall functions are usually not collapsed into the WAN aggregation/edge router.
Figure 1-2 shows the basic WAN aggregation topology.
Figure 1-2 WAN aggregation topology.
Table 1-1 shows the various options in use for WAN connectivity.
Table 1-1 WAN Connectivity Options

| Type | Physical Transport | Pros | Cons | Typical Bandwidth | Protocol Encapsulations |
|---|---|---|---|---|---|
| Leased line | T1/E1, T3/E3 | Private | Costly | 1.544 to 45 Mbps | High-Level Data Link Control (HDLC), PPP |
| Circuit switching | Packet over SONET/SDH, OC3/OC12/OC192 | Affordable | Less secure | 155 Mbps to 10 Gbps | HDLC, PPP |
| Packet switching | T1/E1, T3/E3 (PVCs) | Affordable | Shared bandwidth | Up to 45 Mbps | Frame Relay |
| Cell relay | OC3/OC12/OC48 | Private | Higher per-port cost | Up to 622 Mbps (OC12); 2.5 Gbps on OC48 | ATM |
| Metro Ethernet | Ethernet, GE, 10 GigE | Affordable | Lacks inherent reliability | Up to 10 Gbps | Ethernet (fractional GE, fractional 10 GigE) |
Basic Feature Requirements
Table 1-2 outlines the basic requirements that a router must meet to be positioned as the WAN aggregation platform. Scale and performance requirements for these services are driven by how many branch sites the deployment concentrates on the headend. A platform with separate control, data, and input/output planes is preferred, because a failure or overload in one plane then does not take down the others.
Table 1-2 Feature Matrix for WAN Aggregation Role

| Feature/Service | Feature/Service Details |
|---|---|
| IP routing (v4/v6) | Interior Gateway Protocol (IGP) and Border Gateway Protocol (BGP) with fast convergence, such as Bidirectional Forwarding Detection (BFD); Policy Based Routing (PBR) |
| IP unicast and multicast | Protocol Independent Multicast (PIM) Sparse and Sparse-Dense Mode, Auto-Rendezvous Point (Auto-RP), Anycast-RP, Source Specific Multicast (SSM), Bidirectional PIM; Unicast Reverse Path Forwarding (uRPF) |
| NetFlow | v5 and v9 NetFlow Data Export |
| Quality of Service (QoS) | Classification based on application traffic, protocol/port, or access control lists (ACL); marking; hierarchical QoS; class-based weighted fair queuing (CBWFQ), fair queuing, low-latency queuing (LLQ), weighted random early detection (WRED); traffic policing; traffic shaping; Link Fragmentation and Interleaving (LFI) |
| Compression | Real-time Transport Protocol (RTP) header compression for voice traffic |
| Web Cache Communication Protocol (WCCP) | WCCPv2 for web cache engines and WAN optimization of data and video traffic |
| Multilink PPP (MLPPP) | MLPPP with LFI |
| Multiprotocol Label Switching (MPLS) | RFC 2547-based Layer 3 VPNs, Layer 2 VPNs |
| High availability (HA) | Intra- and inter-box HA |
Basic Service Level Agreement Requirements
Table 1-3 outlines the usual service level agreement (SLA) requirements that need to be met for the converged WAN for voice, video, and data traffic types.
Table 1-3 Typical SLA Targets

| Traffic Type/Application | SLA Target |
|---|---|
| VoIP, interactive video, videoconferencing | Delay <= 50 ms; jitter <= 5 ms; loss <= 1%; voice MOS (mean opinion score) >= 3.8 |
| Video broadcast, video on demand (VoD) | Delay <= 50 ms; loss <= 1% |
| Mission-critical WWW traffic, voice signaling | Response time <= 3 sec |
| Loss of service (RP convergence) | IGP <= 3 min |
Traditional WANs (such as those based on Frame Relay) are often assumed to be inherently secure. They are not: providers carry this traffic over shared physical infrastructure, and the separation between customers is logical rather than cryptographic. An MPLS VPN is another example where traffic is isolated (via Virtual Routing/Forwarding [VRF] instances and labels) but still shares the same physical infrastructure while traversing the service provider cloud, so anyone with access to that infrastructure can read it in the clear.
It is therefore not uncommon to see some form of encryption used to achieve confidentiality. The drivers can be company policy (such as a rule that any traffic leaving the premises must be encrypted) or regulatory compliance (such as HIPAA or SOX).
Table 1-4 outlines the commonly used technologies to secure WAN traffic. Chapter 14, “Security Services Use Cases,” provides further detail.
Table 1-4 High-Level Details of Secure WAN Technologies

| Secure WAN Technology | Details |
|---|---|
| Native IPsec (unicast and multicast) | IPsec providing both encryption and integrity protection (HMAC); a virtual tunnel interface (VTI) can be used for multicast support. |
| Point-to-point (p2p) generic routing encapsulation (GRE) over IPsec (p2p GRE inside IPsec) | IPsec with multicast and routing protocol support, because the routing protocol runs inside the GRE tunnel. |
| Dynamic Multipoint VPN (DMVPN) | Multipoint GRE with NHRP and IPsec; typically deployed over public Internet infrastructure. |
| Remote-access VPNs | Soft IPsec/SSL VPN clients and small office/home office (SOHO; 8xx/18xx) router tunnel aggregation. |
| Group Encrypted Transport VPN (GET VPN) | Tunnel-less encryption that preserves the original IP header; best suited for private IP or MPLS clouds. |
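The following headend configuration is an added example of the p2p GRE over IPsec option from Table 1-4 (it is not taken from the book or from any Cisco design guide). It assumes Cisco IOS 15.x with IKEv2 support, one branch router at 203.0.113.2, RFC 5737 documentation addresses throughout, and a placeholder pre-shared key that must be replaced. The routing protocol runs inside the tunnel, so branch prefixes are learned over an authenticated, encrypted path, and the outside ACL admits only IKE and ESP from the known peer.

```ios
! WAN aggregation (headend) router - added example, not the book's configuration.
! All addresses are documentation ranges; replace the pre-shared key before use.
!
! --- IKEv2: who may bring a tunnel up, and with which algorithms ---
crypto ikev2 proposal WAN-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy WAN-POL
 proposal WAN-PROP
!
crypto ikev2 keyring WAN-KEYS
 peer BRANCH1
  address 203.0.113.2
  pre-shared-key REPLACE-WITH-A-LONG-RANDOM-KEY
!
crypto ikev2 profile WAN-IKEV2
 match identity remote address 203.0.113.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local WAN-KEYS
 dpd 10 3 periodic
!
! --- IPsec: ESP with confidentiality AND integrity; transport mode, since GRE
!     already supplies the outer encapsulation ---
crypto ipsec transform-set WAN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile WAN-PROT
 set transform-set WAN-TS
 set ikev2-profile WAN-IKEV2
!
! --- Outside interface: only IKE (UDP/500, UDP/4500 for NAT-T) and ESP from the
!     known peer reach the box. Extend this if a PE-CE routing protocol runs here. ---
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 permit udp host 203.0.113.2 host 203.0.113.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 203.0.113.1
 deny ip any any log
!
interface GigabitEthernet0/0/0
 description Provider-facing (MPLS VPN or Internet)
 ip address 203.0.113.1 255.255.255.252
 ip access-group OUTSIDE-IN in
!
! --- p2p GRE tunnel protected by the IPsec profile ---
interface Tunnel1
 description GRE over IPsec to BRANCH1
 ip address 10.255.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile WAN-PROT
!
! --- IGP runs inside the tunnel: branch prefixes are learned encrypted,
!     and the provider-facing interface never speaks EIGRP ---
router eigrp 100
 network 10.255.1.0 0.0.0.3
 network 10.1.0.0 0.0.255.255
 passive-interface default
 no passive-interface Tunnel1
```

The branch router mirrors this with the addresses swapped. The same IKEv2 and IPsec profile is what a DMVPN hub applies to its multipoint GRE tunnel; only the tunnel interface definition changes. The `ip mtu` and `adjust-mss` settings matter operationally: without them, full-size frames fragment after encapsulation and the tunnel "works" but throughput collapses.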
Internet Edge Role
The Internet edge is the boundary where an enterprise private network connects to the public Internet. In the simplest sense, the Internet edge device acts as the gateway for the inside network. Contrary to popular understanding, the Internet edge is not just about giving campus users web access.
The Internet edge serves various functions, including those outlined in Table 1-5.
Table 1-5 Internet Edge Router Functionality

| Function | Details |
|---|---|
| Corporate Internet gateway for campus and data center | Users at the campus access the Internet to browse, use email and instant messaging, and so on. |
| Corporate Internet gateway for branches | Users at the branches reach the Internet through the headend. This enforces a common set of policies across the enterprise, at the cost of bringing all branch Internet traffic to the headend. |
| Demilitarized zone (DMZ) services | Traditional FTP, Domain Name System (DNS), and Network Time Protocol (NTP) services located in the DMZ. |
| Teleworker (remote users) | Teleworkers or road warriors connect to corporate resources across the Internet through encrypted VPN technologies such as IPsec or SSL VPN, using soft clients or hardware clients (such as Cisco 800 series routers). |
| Branch WAN backup | Serves as the backup or alternate path for branch office routers to reach the corporate headend across the public Internet. Commonly used technologies are DMVPN, GRE over IPsec, or dynamic virtual tunnel interface (VTI)-based remote access. |
| Multihoming | The Internet edge router connects directly to multiple service providers (SPs). This provides fault tolerance against provider brownouts and greater path selection through advanced routing techniques, and requires that the router hold one or more full copies of the Internet routing table. |
Figure 1-3 shows the Internet edge topology.
Figure 1-3 WAN Internet edge topology.
Basic Feature Requirements
The primary function of a device at the Internet edge is to act as the demarcation between the private (campus or data center) and public network (that is, the Internet). Features required in a single device depend on how the Internet edge is designed, although typically the basic features are those outlined in Table 1-6.
Table 1-6 Internet Edge Network Device Feature Requirements

| Feature/Service | Details |
|---|---|
| IP routing (v4/v6) | IGP and BGP with fast convergence such as BFD; PBR; large routing scale (full Internet routing table) |
| NetFlow | v5 and v9 NetFlow Data Export |
| QoS | Classification based on application traffic, protocol/port, or ACLs; marking; hierarchical QoS; CBWFQ, fair queuing, LLQ, WRED; traffic policing; traffic shaping; LFI |
| Distributed denial of service (DDoS) mitigation | Remotely triggered black hole (RTBH) routing, receive ACLs (rACL), firewall |
| WCCP | WCCPv2 for web cache engines |
| Firewall | Layer 4 to Layer 7 firewall |
| Address translation | Network/Port Address Translation (NAT/PAT) with application layer gateways (ALG) |
| High availability | Intra- and inter-box HA |
| Box-to-box HA | Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP), Gateway Load Balancing Protocol (GLBP) |
| Deep packet inspection | Network Based Application Recognition (NBAR), Flexible Packet Matching (FPM) |
| Secure WAN connectivity | DMVPN, GRE over IPsec, IPsec |
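Table 1-6 lists RTBH as the DDoS mitigation feature without showing how it is wired up. The following is an added example (not the book's or Cisco's configuration) of destination-based and source-based RTBH on a single-homed Internet edge. It assumes a trigger router and an edge router in private AS 64500 peering over loopbacks 10.0.0.1 and 10.0.0.2, an upstream in AS 64496, an enterprise prefix of 198.51.100.0/24, and 192.0.2.1 as an address that is never used for anything except being the black-hole next hop.

```ios
! RTBH at the Internet edge - added example, not the book's configuration.
! AS numbers are private, addresses are RFC 5737/1918 documentation ranges.
!
! ===== Trigger router (inside the enterprise, iBGP peer of every edge router) =====
! The black-hole next hop must resolve to Null0 on every router that will drop traffic.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Any static route tagged 666 is turned into a BGP route whose next hop is the
! black hole. no-export keeps it from ever reaching the provider.
route-map RTBH permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
route-map RTBH deny 20
!
router bgp 64500
 bgp log-neighbor-changes
 redistribute static route-map RTBH
 neighbor 10.0.0.2 remote-as 64500
 neighbor 10.0.0.2 update-source Loopback0
 neighbor 10.0.0.2 send-community
!
! During an attack: black-hole the victim (destination-based, sacrifices that host
! to save the link) or the attacking source (source-based). Remove the route to stop.
ip route 198.51.100.77 255.255.255.255 Null0 tag 666
ip route 203.0.113.200 255.255.255.255 Null0 tag 666
!
! ===== Internet edge router =====
ip route 192.0.2.1 255.255.255.255 Null0
!
! Loose-mode uRPF: a packet whose SOURCE is reached via Null0 fails the check and is
! dropped on ingress. That is what turns the tagged source route into a source-based
! black hole; without this line only destination-based RTBH works.
interface GigabitEthernet0/0/0
 description Uplink to ISP (AS 64496)
 ip address 203.0.113.1 255.255.255.252
 ip verify unicast source reachable-via any
!
router bgp 64500
 bgp log-neighbor-changes
 network 198.51.100.0 mask 255.255.255.0
 neighbor 10.0.0.1 remote-as 64500
 neighbor 10.0.0.1 update-source Loopback0
 neighbor 10.0.0.1 send-community
 neighbor 203.0.113.2 remote-as 64496
 neighbor 203.0.113.2 prefix-list OUR-PREFIXES out
!
! Belt and braces: advertise only our own aggregate, so neither the /32 black-hole
! routes nor anything learned internally can leak to the provider.
ip prefix-list OUR-PREFIXES seq 10 permit 198.51.100.0/24
```

On the edge, the iBGP route for 198.51.100.77/32 arrives with next hop 192.0.2.1, recursively resolves to Null0, and traffic to the victim is discarded in hardware rather than burning CPU in an ACL. The trade-off a practitioner should keep in mind is that destination-based RTBH completes the attacker's job for the one host it protects the rest of the link from; source-based RTBH with loose uRPF is the option to reach for when the attack comes from a small set of sources.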
Data Center Interconnect
Data center interconnect (DCI) is yet another WAN function, one that connects two or more data centers via Layer 2 or Layer 3 links. Layer 2 extensions are much more common because they carry all Ethernet frames (including dot1Q or QinQ [IEEE 802.1Q-in-Q VLAN] tagged frames) as-is between the data centers. This is usually done with some kind of pseudowire (for example, Ethernet over MPLS [EoMPLS] between two data centers, and Virtual Private LAN Service [VPLS] for multisite data center connectivity). Major drivers behind DCI are as follows:
- Data center consolidation and virtualization (VMware vMotion)
- Disaster recovery or data center HA
- Geo-clustering, where cluster members are connected across geographies
- Layer 2 extensions for any other reason
Figure 1-4 shows the DCI topology.
Figure 1-4 WAN DCI topology.
Basic Feature Requirements
The primary function of the edge device at the DCI is to extend VLANs across the data centers so that the previously listed applications, such as VMware vMotion or geo-clusters, can function. Convergence and failover times for this type of connectivity are of extreme importance because these applications assume that the participating hosts are on the same LAN.
Table 1-7 outlines the solution requirements for DCI.
Table 1-7 DCI Feature Requirements

| Feature | Details |
|---|---|
| Layer 2 extensions | Typically using pseudowires. |
| Spanning Tree Protocol (STP) isolation | STP isolation is a must-have: the DCI must not extend one data center's spanning tree into the other, so that a topology change or loop in one data center cannot propagate, while redundant DCI links remain active at the same time without STP in the core. |
| HA | The DCI edge must survive node and link failures. |
| Fast convergence | Convergence after a node or link failure needs to be as fast as possible, ideally well under a few seconds. |
| Secure communication | Encryption, such as IPsec-based solutions. |
| QoS | Hierarchical QoS for DCI. |
| WAN optimization | DCI WAN optimization using WAAS technologies. |
| Maximum transmission unit (MTU) requirements | Jumbo frame support. |
The solution requirements in Table 1-7 call for an infrastructure that has the features outlined in Table 1-8.
Table 1-8 Router/Switch Feature Requirements Needed to Meet the DCI Solution Requirements

| Feature | Details |
|---|---|
| Layer 2 extensions | Using EoMPLS (p2p) or VPLS (point to multipoint). |
| STP isolation per data center | Capability to terminate STP within the given data center. Redundant links active at the same time can be provisioned using Catalyst 6500 Virtual Switching System / Multichassis EtherChannel (VSS/MEC) and/or Nexus 7K virtual port channel (vPC). |
| HA | Use of redundant routers (ASR 1000, for example) or switches (6500/Nexus 7K). |
| Fast convergence | Two broad approaches: EoMPLS remote port shutdown via laser off (supported on ASR 1000), or Embedded Event Manager (EEM) or Unidirectional Link Detection (UDLD) on the 6500, Nexus 7K, or ASR 1000. |
| Secure communication | GRE over IPsec, or Cisco TrustSec with IEEE 802.1AE (MACsec) link-layer encryption on Nexus. |
| QoS | Hierarchical QoS at the DCI edge. |
| WAN optimization | WAN optimization using WCCPv2 or PBR with existing Cisco WAAS appliances. |
| MTU requirements | Jumbo frames are supported on Catalyst 6500, Nexus 7K, and ASR 1000 GE / 10 GigE links. |
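To make the Layer 2 extension, STP isolation, and MTU rows of Tables 1-7 and 1-8 concrete, here is an added example (not the book's or Cisco's configuration) of a p2p EoMPLS pseudowire stretching VLAN 100 from data center A to data center B. It assumes an ASR 1000 (IOS XE) as the DCI edge at each site with loopbacks 10.0.0.1 and 10.0.0.2, a directly connected 10 GigE core link, and a Catalyst aggregation switch behind the edge; interface names and addresses are illustrative.

```ios
! DCI edge at data center A (ASR 1000, IOS XE) - added example, not the book's configuration.
!
! --- MPLS core toward data center B. Jumbo MTU on the core link so 9000-byte tenant
!     frames still fit once the Ethernet, MPLS, and pseudowire headers are added. ---
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface TenGigabitEthernet0/0/0
 description Core link to DC-B DCI edge
 mtu 9216
 ip address 10.0.12.1 255.255.255.252
 ip ospf network point-to-point
 mpls ip
 bfd interval 50 min_rx 50 multiplier 3
!
! --- IGP with BFD: sub-second detection of a core link or node failure, which is what
!     the "fast convergence" requirement in Table 1-7 is asking for. ---
router ospf 1
 router-id 10.0.0.1
 network 10.0.0.1 0.0.0.0 area 0
 network 10.0.12.0 0.0.0.3 area 0
 bfd all-interfaces
!
! --- Attachment circuit: VLAN 100 from the DC-A aggregation switch, carried as a
!     p2p pseudowire (VC ID 100) to the DC-B edge at 10.0.0.2. The dot1q tag is
!     popped on ingress and pushed back on egress, so DC-B sees the frame as sent. ---
interface GigabitEthernet0/1/0
 description To DC-A aggregation switch (dot1q trunk)
 mtu 9216
 service instance 100 ethernet
  encapsulation dot1q 100
  rewrite ingress tag pop 1 symmetric
  xconnect 10.0.0.2 100 encapsulation mpls
!
! ===== DC-A aggregation switch (Catalyst), port facing the DCI edge =====
! STP isolation: a pseudowire forwards BPDUs like any other frame, so without this
! filter the two data centers merge into one spanning tree and a topology change
! or loop in one becomes the other's outage. Redundant DCI paths are then built with
! VSS/MEC or vPC, not with STP.
interface GigabitEthernet1/1
 description To DCI edge (VLAN 100 stretched to DC-B)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100
 spanning-tree bpdufilter enable
```

The DC-B edge is the mirror image with 10.0.0.2 as its loopback and 10.0.0.1 as the xconnect peer. Two caveats belong with this design: filtering BPDUs means a loop that spans both sites through a second, unmanaged path will not be detected by STP, so the redundant links really must be aggregated (MEC/vPC); and the pseudowire itself carries tenant frames in the clear across the core, which is why Table 1-8 lists GRE over IPsec or 802.1AE as a separate requirement rather than an afterthought.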
Large Branch WAN
As is universally understood, not all branches are equal. This is true not only for the size of the branch (the number of users, or perhaps the application servers residing at the branch) but also for how critical the branch is to the overall business. Consider bank branches, for example. Not all branches provide the entire portfolio of services. In the real world, some provide only basic banking services, whereas others provide full-blown services, including home mortgages, small business loans, and investment services for commercial customers.
Large branches (those that provide more services or services that are critical to the business, or in most cases both) tend to have slightly different requirements for a WAN infrastructure that connects them to the corporate backbone. Table 1-9 outlines the large branch WAN requirements.
Table 1-9 Large Branch Office Deployment Requirements

| Requirement | Details |
|---|---|
| Larger-bandwidth uplink | OC3, or even Metro Ethernet. |
| Ability to handle both WAN and Internet traffic | Because of the volume of traffic, large branches are connected directly to the Internet. |
| Multitenancy | Capability to support multiple departments, or even customers or partners, that use the common physical infrastructure alongside employees. |
| QoS | Hierarchical QoS to support multiple levels of classes of service: CBWFQ, fair queuing, LLQ, WRED, traffic shaping. |
| Services requirements | Services such as NAT, firewall, and NetFlow at high speed and scale. |
| HA | Intra- and inter-box HA supporting basic traffic forwarding and services. |
Table 1-10 maps the requirements onto the infrastructure needed to support such requirements.
Table 1-10 Large Branch Office Requirements/Traits

| Requirement | Infrastructure Traits to Meet It |
|---|---|
| Larger-bandwidth uplink | Interface diversity |
| Ability to handle both WAN and Internet traffic | Modular data and control plane to deal with the growing set of requirements |
| Multitenancy | Capability to virtualize interfaces, services, and routing/forwarding tables |
| QoS | Flexible architecture able to adapt to changing QoS requirements via software upgrade |
| Services requirements | Capability to support existing and newer services on the existing hardware via software upgrades |
| HA | Inherently highly available system |
Summary
This opening chapter covered the basic building blocks of WAN architectures:
- Branch aggregation
- Internet edge
- Data center interconnect
- Large branch office
Although the basic requirements are common across the various roles, they differ significantly enough that you need to understand how they are architected, deployed, and troubleshot. If there were one word to describe the hardware required to meet these needs, that word would be flexibility. Infrastructure needs to be very flexible in terms of feeds and speeds, scale and performance, service richness, and interface diversity (to name a few).
The next chapter covers the various business drivers, and the underlying technical requirements that they are generating. It concludes with an analysis of how these are driving requirements for next-generation WAN infrastructure.
Review Questions
- What are the four usual WAN architectures?
- What does optimized WAN mean?
- What are the fundamental requirements for WAN aggregation?
- Why is service richness so important to enterprises?
- Why would an enterprise connect directly to a service provider or be multihomed?
- What are the core business drivers for DCI?
Answers
- Usual WAN architectures typical in today's networks include the following:
  - Branch and private WAN aggregation
  - Internet edge
  - Data center interconnect
  - Large branch WAN
- Optimization here refers to the capability of the network infrastructure to optimize voice, video, and data traffic before it goes over the WAN links. This reduces the need for more bandwidth every time a new application is added to the network. Cisco WAAS and IOS provide such services.
- WAN aggregation requires, at a minimum, infrastructure that supports the following:
  - Flexible routing/switching architecture that can evolve with changing business requirements
  - Capability to combine various types and speeds of interfaces into one common infrastructure
  - Modular and highly available carrier-class design with separation of the control, data, and I/O planes
  - Capability to add basic services without requiring new hardware
- Service richness refers to an infrastructure (hardware and software) that can introduce basic and some advanced services onto baseline hardware with simple software upgrades. Enterprises and their businesses thrive on applications, which in turn require network-based services that work on common physical infrastructure, with the virtualization needed for today's typical multitenant requirements.
- Enterprises connect to multiple Internet providers (generally known as multihoming) for a few key reasons, including the following:
  - Fault tolerance and resiliency to failure in one provider's network
  - Granular routing control
  - Path selection based on features such as Performance Routing (PfR)
- Core business drivers behind DCI include the following:
  - Layer 2 extensions
  - Data center consolidation
  - Data center disaster recovery sites
  - Virtualization and clustering applications such as VMware vMotion
Further Reading
Introduction to WAN, document: http://tinyurl.com/6g8cym
Cisco Validated Designs, document: http://tinyurl.com/lnnyjt
Unified WAN Services, document: http://www.cisco.com/en/US/netsol/index.html
DC Interconnect, document: http://tinyurl.com/rclv2f
© Copyright Pearson Education. All rights reserved.