Excerpt from Building Service-Aware Networks: The Next-Generation WAN/MAN.
By Muhammad Afaq Khan. Published by Cisco Press. ISBN-10: 1-58705-788-3. ISBN-13: 978-1-58705-788-5.
The WAN is a place in the network that aggregates various types, speeds, and links running a disparate set of protocols together crossing metropolitan, state, and even country boundaries. The largest example of a WAN is the Internet itself, which can be regarded as the public WAN. The primary purpose of a WAN is to connect users and applications connected to various LANs.
As evident from its definition, the WAN is the central point for all data aggregation coming from various places within an enterprise network. Because of this, it is important to understand not only how a WAN is constructed, but also the underlying business drivers that have been and continue to bring changes to this place in the network.
In this book, you study the variety of WANs as they exist today, their business models, and the associated emerging trends and how they are giving birth to the “next-generation” WAN. Once you have the first four chapters (Part I) behind you, it should be evident that the core requirement for building such networks hinges on a modern routing/switching infrastructure that is highly available, scalable, flexible, and above all, service rich.
This chapter describes the various types of WAN architectures and their various associated aspects.
Introduction to WAN Solutions
Thanks to an increasingly dispersed global work force, businesses rely on their WANs more than ever, so much so that business performance is now directly tied to how well quality, reliability, and security are implemented for communications between main and regional headquarters, branch offices, suppliers, partners, and customers. Because of the development of new IP services and applications such as VoIP, video, and mobile data connectivity, and because of remotely connected road warriors and the unification of wired and wireless networks, the headend router must perform a wide variety of functions.
Depending on the connectivity, transport protocols, and whether the medium is private or public, several different varieties of WAN might be in play. The four main WAN types are as follows:
Branch/private WAN aggregation
Internet edge
Data center interconnect
Large branch WAN
The WAN aggregation role can also be subdivided into the following three categories, based on what is typically found in the enterprise networks:
Basic WAN aggregation (explained in the following section)
Secure WAN aggregation (add-on with solutions based on IPsec or Secure Sockets Layer virtual private networking [SSL VPN])
Optimized WAN aggregation (add-on with solutions based on WAN optimization with Web Cache Communication Protocol Version 2/Policy Based Routing [WCCPv2/PBR] and Wide Area Application Services [WAAS])
Figure 1-1 shows various WAN options and puts them into perspective as to how they come together.
Figure 1-1 WAN options.
Branch/Private WAN Aggregation Role
Branch WAN aggregation is a way to connect and aggregate all the enterprise branches into the WAN core router, or headend. On the cloud-facing side, router interfaces use various physical transport options (as outlined in Table 1-1), whereas on the campus core side, the connection is Gigabit Ethernet (GE) or 10 Gigabit Ethernet (10 GigE) acting as the uplink from the campus core switches to the WAN. Leased lines (and, increasingly, Ethernet) are one of the most common ways of interfacing with the WAN cloud. IPsec tunnel termination and firewall functions are usually not collapsed into the WAN aggregation/edge router. This is usually implemented as a classical hub-and-spoke design with traditional Layer 2 connectivity.
Figure 1-2 shows the basic WAN aggregation topology.
Figure 1-2 WAN aggregation topology.
Table 1-1 shows the various options in use for WAN connectivity.
Table 1-1 WAN Connectivity Options
Types | Physical Transport | Pros | Cons | Typical Bandwidth | Protocol Encapsulations
Leased line | T1/E1, T3/E3 | Private | Costly | 1.544 to 45 Mbps | High-Level Data Link Control (HDLC), PPP
Circuit switching | Packet over SONET/SDH OC3/OC12/OC192 | Affordable | Less secure | 155 Mbps to 10 Gbps | HDLC, PPP
Packet switching | T1/E1, T3/E3 (PVCs) | Affordable | Shared bandwidth | Up to 45 Mbps | Frame Relay
Cell relay | OC3/OC12/OC48 | Private | Higher per-port cost | Up to 620 Mbps | ATM
Metro Ethernet | Ethernet, GE, 10 GigE | Affordable | Lacks inherent reliability | Up to 10 Gbps | Ethernet (Frac-GE, Frac-10 GigE)
NOTE
Metro Ethernet is gaining a lot of momentum for aggregating sites located in a given geographic area. It scales well today with fractional GE and 10 GigE, and will scale even further with the newer 40 and 100 Gbps standards already in the works at IEEE as P802.3ba, for which the first drafts are already out.
Basic Feature Requirements
Table 1-2 outlines the basic requirements that a router must meet to be positioned as the WAN aggregation platform. Scale and performance for these services are driven by how large the branch site concentration is for the given deployment. A platform with separate control, data, and input/output planes is most preferred, because a fault or overload in one plane then does not take down the others.
Table 1-2 Feature Matrix for WAN Aggregation Role
Feature/Service | Feature/Service Details |
IP routing (v4/v6) | Interior Gateway Protocol (IGP) and Border Gateway Protocol (BGP) with fast convergence, such as Bidirectional Forwarding Detection (BFD); Policy Based Routing (PBR)
IP unicast and multicast | Protocol Independent Multicast (PIM) Sparse and Sparse-Dense Mode, Auto-Rendezvous Point (RP), Anycast-RP, Source Specific Multicast, Bidirectional PIM, Unicast Reverse Path Forwarding (uRPF)
NetFlow | v5, v9 NetFlow Data Export
Quality of Service (QoS) | Classification based on application traffic, protocol/port, access control lists (ACL); marking; hierarchical QoS; class-based weighted fair queuing (WFQ), fair queuing, low-latency queuing (LLQ), weighted random early detection (WRED); traffic policing; traffic shaping; Link Fragmentation and Interleaving (LFI)
Compression | Real-time Transport Protocol (RTP) header compression for voice traffic
WCCP (Web Cache Communication Protocol) | WCCPv2 for web cache engine and WAN optimization for data and video traffic
Multilink PPP (MLPPP) | MLPPP with LFI |
Multiprotocol Label Switching (MPLS) | 2547-based VPNs, Layer 2 VPNs |
High availability (HA) | Intra- and Interbox HA |
Basic Service Level Agreement Requirements
Table 1-3 outlines the usual service level agreement (SLA) requirements that need to be met for the converged WAN for voice, video, and data traffic types.
Table 1-3 Typical SLA Target
Traffic Type/Application | SLA Target
VoIP, interactive video, videoconferencing | Delay <= 50 ms; Jitter <= 5 ms; Loss <= 1%; Voice MOS (mean opinion score) >= 3.8
Video broadcast, Video on Demand (VoD) | Delay <= 50 ms; Loss <= 1%
Mission-critical WWW traffic, voice signaling | Response time <= 3 sec
Loss of service (RP convergence) | IGP <= 3 mins
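The following script is an added example, not part of the book, showing how the Table 1-3 targets can be turned into an automated compliance check. The probe measurements it evaluates are constructed for illustration, and the traffic-class names (`voip`, `video_broadcast`, and so on) are assumptions of the example rather than identifiers used by the book or by any Cisco tool. A metric the table sets a target for but the probe did not measure is reported as a violation rather than silently passed, since an unmeasured SLA is not a met SLA.

```python
"""Check probe measurements against the converged-WAN SLA targets of Table 1-3.

Added example (not from the book).  Traffic-class names and the sample
measurements below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Sample:
    """One probe measurement for a given traffic class."""
    traffic_type: str
    delay_ms: Optional[float] = None
    jitter_ms: Optional[float] = None
    loss_pct: Optional[float] = None
    mos: Optional[float] = None
    response_s: Optional[float] = None


# Targets transcribed from Table 1-3.  "max" means measured <= limit,
# "min" means measured >= limit.  A class only lists the metrics the table
# actually sets a target for.
_RT = {"delay_ms": ("max", 50.0), "jitter_ms": ("max", 5.0), "loss_pct": ("max", 1.0)}
SLA_TARGETS: Dict[str, Dict[str, Tuple[str, float]]] = {
    "voip": {**_RT, "mos": ("min", 3.8)},
    "interactive_video": dict(_RT),
    "videoconferencing": dict(_RT),
    "video_broadcast": {"delay_ms": ("max", 50.0), "loss_pct": ("max", 1.0)},
    "vod": {"delay_ms": ("max", 50.0), "loss_pct": ("max", 1.0)},
    "www_mission_critical": {"response_s": ("max", 3.0)},
    "voice_signaling": {"response_s": ("max", 3.0)},
}


def check_sample(sample: Sample) -> List[str]:
    """Return a list of violation strings; an empty list means the SLA is met."""
    targets = SLA_TARGETS.get(sample.traffic_type)
    if targets is None:
        raise ValueError(f"no SLA target defined for {sample.traffic_type!r}")
    violations: List[str] = []
    for metric, (kind, limit) in targets.items():
        value = getattr(sample, metric)
        if value is None:
            # The table demands this metric but the probe did not report it.
            violations.append(f"{metric}: not measured")
        elif kind == "max" and value > limit:
            violations.append(f"{metric}={value} exceeds {limit}")
        elif kind == "min" and value < limit:
            violations.append(f"{metric}={value} below {limit}")
    return violations


def sla_report(samples: List[Sample]) -> Dict[int, List[str]]:
    """Map the index of every failing sample to its violations."""
    report: Dict[int, List[str]] = {}
    for i, sample in enumerate(samples):
        violations = check_sample(sample)
        if violations:
            report[i] = violations
    return report


# Constructed probe results (not real measurements).
SAMPLES: List[Sample] = [
    Sample("voip", delay_ms=32, jitter_ms=3, loss_pct=0.2, mos=4.1),     # compliant
    Sample("voip", delay_ms=61, jitter_ms=8, loss_pct=0.5, mos=3.6),     # delay, jitter, MOS
    Sample("video_broadcast", delay_ms=45, loss_pct=1.4),                # loss
    Sample("www_mission_critical", response_s=2.1),                      # compliant
    Sample("interactive_video", delay_ms=40, jitter_ms=4),               # loss not measured
]

if __name__ == "__main__":
    for idx, problems in sla_report(SAMPLES).items():
        print(f"sample {idx} ({SAMPLES[idx].traffic_type}): {'; '.join(problems)}")
```

Run as a script it prints one line per failing sample; imported, `sla_report` gives a structure a monitoring job can alert on. Feeding it real IP SLA or NetFlow-derived figures instead of the constructed list is the only change needed.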
Traditional WANs (such as those based on Frame Relay) are assumed to be inherently secure, which is not the case, because providers do use shared physical infrastructure to carry this traffic. An MPLS VPN is another example where traffic is isolated (via Virtual Routing/Forwarding [VRF] instances and labels) but still shares the same physical infrastructure while traversing the service provider cloud.
It is not uncommon to see some form of encryption used to achieve confidentiality, the drivers behind which could be company policy (such as any traffic leaving the premises must be encrypted) or regulatory compliance (such as with HIPAA or SOX).
Table 1-4 outlines the commonly used technologies to secure WAN traffic. Chapter 14, “Security Services Use Cases,” provides further detail.
Table 1-4 High-Level Details of Secure WAN Technologies
Secure WAN Technology | Details |
Native IPsec (unicast and multicast) | IPsec using both encryption and a hashing algorithm. The virtual tunnel interface can be used for multicast traffic support. |
Point-to-point (p2p) generic routing encapsulation (GRE) over IPsec (or p2p GRE inside IPsec) | IPsec with multicast and routing protocol support. |
Dynamic Multipoint VPN (DM VPN) | Typically deployed over the public Internet infrastructure. |
Remote-access VPNs | Soft IPsec/SSL VPN clients and small office/home office (SOHO; 8xx/18xx) router tunnel aggregation. |
Group Encrypted Transport (GET VPN) | Tunnel-less encryption, best suited for private IP or MPLS clouds. |
NOTE
In a majority of the cases, the transport medium for secure connectivity solutions (as outlined in the table) is the public WAN Internet.
Internet Edge Role
The Internet edge is the boundary where an enterprise private network connects to the public Internet. In the simplest sense, the Internet edge device acts as the gateway for the inside network. Contrary to popular understanding, the Internet edge is not only about accessing the Internet for web traffic from campus users.
The Internet edge serves various functions, including those outlined in Table 1-5.
Table 1-5 Internet Edge Router Functionality
Function | Details |
Corporate Internet gateway for campus and data center | Users at the campus access the Internet to browse, email, and use instant messaging, and so on. |
Corporate Internet gateway for branches | Users at the branches access the Internet to browse, email, and use instant messaging, and so on. This enforces a common set of policies across the enterprise, at the cost of bringing all traffic to the headend.
Demilitarized zone (DMZ) services | Traditional FTP, Domain Name System (DNS), and Network Time Protocol (NTP) services located at the DMZ. |
Teleworker (remote users) | Teleworkers or road warriors connect to corporate resources via the Internet through encrypted VPN technologies such as IPsec or SSL VPN soft or hard clients (such as Cisco 800 series routers). |
Branch WAN backup | This serves as the backup or alternate connection for branch office routers to connect to the corporate headend via the public Internet. Commonly used technologies in this scenario are DM VPN, GRE over IPsec, or dynamic virtual tunnel interface (VTI)-based remote access. |
Multi-Homing | This is where the Internet edge router connects directly to multiple SPs. It provides higher fault tolerance for brownouts and greater path selection with advanced routing techniques, and requires that the router be capable of holding one or more copies of the Internet routing table.
Figure 1-3 shows the Internet edge topology.
Figure 1-3 WAN Internet edge topology.
Basic Feature Requirements
The primary function of a device at the Internet edge is to act as the demarcation between the private (campus or data center) and public network (that is, the Internet). Features required in a single device depend on how the Internet edge is designed, although typically the basic features are those outlined in Table 1-6.
Table 1-6 Internet Edge Network Device Feature Requirements
Feature/Service | Details |
IP routing (v4/v6) | IGP and BGP with fast convergence, such as BFD; PBR; large routing scale (full Internet routing table)
NetFlow | v5, v9 NetFlow Data Export
QoS | Classification based on application traffic, protocol/port, ACLs; marking; hierarchical QoS; class-based WFQ, fair queuing, LLQ, WRED; traffic policing; traffic shaping; LFI
Distributed denial of service (DDoS) mitigation | Remotely triggered black holes (RTBH), rACL, firewall |
WCCP | WCCPv2 for web cache engine |
Firewall | L4–L7 firewall |
Address translation | Network/Port Address Translation (NAT/PAT) with application layer gateway (ALG) |
High Availability | Intra- and interbox HA |
Box-to-box HA | Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP), Gateway Load Balancing Protocol (GLBP) |
Deep Packet Inspection | Network Based Application Recognition (NBAR), Flexible Packet Matching (FPM) |
Secure WAN connectivity | DMVPN, GRE over IPsec, IPsec |
Data Center Interconnect
Data center interconnect (DCI) is yet another WAN function, one that connects two data centers together via Layer 2 or Layer 3 links. Layer 2 extensions are much more common because of their capability to carry all Ethernet frames (even dot1Q or QinQ [IEEE 802.1Q-in-Q VLAN] tagged ones) as is across the data centers. This is usually done with some kind of pseudowire (for example, Ethernet over MPLS [EoMPLS] between two data centers, and Virtual Private LAN Service [VPLS] for multisite data center connectivity). Major drivers behind DCI are as follows:
Data center consolidation and virtualization (VMware vMotion)
Disaster recovery or data center HA
Geo-clustering, where clusters are connected across geographies
Layer 2 extensions for any reason
Figure 1-4 shows the DCI topology.
Figure 1-4 WAN DCI topology.
Basic Feature Requirements
The primary function of the edge device at the DCI is to extend VLANs across the data centers so that the previously listed applications, such as VMware vMotion or geo-clusters, can function. Convergence and failover times for this type of connectivity are of extreme importance, because the underlying assumption from the application perspective is usually that both ends are on the same LAN.
NOTE