LiveAction for Cisco Intelligent WAN Management Solution Deployment Guide August 2014
Contents About This Guide... 3 Introduction... 3 Solution Overview... 3 Solution Benefits... 5 System Requirements... 5 LiveAction Specifications... 5 Client Application... 6 Server... 6 Node... 6 LiveAction IWAN Management Licenses... 7 What s New with LiveAction 4.1 and PfRv3 Support?... 8 PfR Dashboards... 9 Updated PfR Device View... 10 PfR Drill-down Troubleshooting... 11 PfR Configuration... 14 Solution Use Cases... 17 Use Case 1: Visualizing Application Path Changes... 17 Use Case 2 Leveraging NBAR2 and QoS Control... 19 Use Case 3 - QoS Monitoring and Configuration... 20 Use Case 4 PfR At-A-Glance & Network Health Status... 23 Getting Started... 25 Enable Cisco Intelligent WAN... 25 Install LiveAction... 26 Add Devices to the Topology Map... 26 Add Site Semantics... 26 Provision basic NetFlow and QoS Monitoring... 27 Enable PfRv3 NetFlow Exports... 28 Configure PfRv3... 28 Hub MC Configuration via NetLD... 29 Hub BR1 Configuration via NetLD... 32 Hub BR2 Configuration via NetLD... 32 Branch MC/BR Configuration via NetLD... 33 Enable AVC Flows... 36 Validate traditional, PfR and AVC Flows... 37 Set Alert Thresholds... 38 Filter Traffic to Visualize Path Changes... 39 Define Application Groups... 41 Conclusion...41 Appendix A... 42 Configure AVC to Export Flows on an ASR... 42 http://www.liveaction.com 2
About This Guide Cisco Application Experience (AX) delivers application-centric networking by integrating essential applicationaware services and infrastructure tools into the router, enabling customers to overcome application performance challenges. Cisco Intelligent WAN (IWAN) is enabled by the Cisco AX platform and delivers an unmatched user experience over any connection, allowing businesses to simplify their operations and lower costs. LiveAction is the Cisco recommended platform for IWAN management that leverages Cisco Performance Routing and Applications Experience capabilities to provide intelligent path control visualization and application performance optimization. The information in this guide is intended to help customers implement LiveAction IWAN management by turning on LiveAction features that support these functions, including PfRv3. In addition, it provides some high level requirements for ensuring Cisco IWAN infrastructure is enabled. Related Documentation Cisco IWAN Training Page LiveAction for IWAN Management Home Page LiveAction IWAN 1.0 Management Demo LiveAction PfR V2 Demo LiveAction PfRv3 Demo LiveAction IWAN 2.0 Management Solution Overview LiveAction IWAN 2.0 Management Datasheet LiveAction IWAN 2.0 Management Ordering Guide LiveAction IWAN 1.0 Management Webinar Recording LiveAction Cisco Market Place Resources Cisco Intelligent WAN Cisco Intelligent WAN (IWAN) Design Guide Cisco Application Experience ISR-Application Experience Overview Video LiveAction FAQs Introduction As Enterprise Information Technology (IT) budgets become continually smaller, organizations must optimize their investments while managing increasingly complex network and services, and they must do so without compromising performance, reliability, or security. In addition, the application landscape is changing dramatically. Applications are moving to public or private clouds to promote efficiencies and tools such as Microsoft Office 365, Google Docs, and WebEx are becoming part of Software as a Services (SaaS) delivery model. Furthermore, the proliferation of mobile devices, adoption of BYOD (Bring-Your-Own-Device) and highbandwidth video applications put growing demands on WAN usage. Customers who are using premium WAN connections are looking for ways to reduce recurring WAN costs by migrating their WAN to the Internet. For large deployments of hundreds of branch offices, these savings can be significant. For example, migrating 100 branches in 3 cities to Internet connections can save approximately $2.5M+ annually (estimated by Telegeography). While the Internet is quickly becoming a more stable platform with better price-performance and improved reliability, it still falls short of meeting standards for many businesses. Businesses are primarily deploying Internet as WAN in their smaller sites or as a backup path because of the risks. Yet, with Cisco Intelligent IWAN, Internet connections can be managed as a cost-effective, performance-enhancing, reliable and secure alternative to realize these financial benefits. Solution Overview Cisco Intelligent WAN (IWAN) delivers an uncompromised user experience over any connection, whether that connection is Multiprotocol Label Switching (MPLS) or Internet. By unifying the logical infrastructure of multiple connections that span diverse carriers and link types, customers get more net bandwidth through the same http://www.liveaction.com 3
physical connections. Cisco Intelligent WAN (IWAN) protects performance-sensitive applications from brownouts and blackouts, provides active-active load balancing for applications securely and reliability, and improves application performance, while reducing significant WAN costs. LiveAction is application-aware network management software with QoS control, designed to simplify network management. LiveAction features an innovative visual display, real-time big data analytics and deep control of routers and switches for unparalleled ease of network administration. At a high level, LiveAction has the See- Point-Click-Fix features below: See Visualization Visualize real-time end-to-end network traffic Examine historical QoS, Flow, routing and IP SLA data Point Decision Making Analyze hop-by-hop path, devices, interfaces, and queues Locate and troubleshoot problems Click Control Enable and deploy QoS, Network-Based Application Recognition (NBAR), Flexible NetFlow (FNF), Cisco Application Visibility and Control (AVC) and Cisco Medianet Create IP SLA probes and Media Services Interface (MSI) endpoints Fix Improve Edit QoS policies, access control lists (ACLs), Cisco Policy-Based Routing (PBR), and IP SLA. For Cisco IWAN, LiveAction provides GUI-based management and situational awareness for intelligent path control and application performance optimization. Specifically, LiveAction offers the following IWAN management functions: Real-time and historical graphical displays of Performance Routing (PfR) intelligent path changes PfR Dashboard AVC Visualization, Reporting, and Configuration QoS Monitoring and Control using NBAR2 to optimize application performance Overall Network Health and Status The diagram below depicts Cisco IWAN and LiveAction IWAN management solution components: http://www.liveaction.com 4
Figure 1 - Cisco IWAN and LiveAction IWAN Management Solution Benefits In addition to the financial benefits of moving from premium connections to lower cost Internet links, LiveAction-Cisco IWAN solution provides the following unique benefits to customers: Save Time and Money o Faster IWAN troubleshooting through dashboards and visual displays o Faster, more intuitive and less error-prone configuration and provisioning Facilitate IWAN Adoption o Demonstrate Cisco IWAN value to customers with visualization o Bridge the management gap for an end-to-end IWAN solution Increased Productivity o Deep understanding of application traffic with end-to-end flow visibility o Find and fix problems faster with graphical QoS control and bulk configuration o Robust IWAN reporting Ease of Operations o Clear visualization of path changes o Intuitive GUI for faster deployment, configuration, monitoring, and troubleshooting System Requirements LiveAction Specifications LiveAction 4.1 includes support for PfRv3 and is built on a 3-tier architecture with clients, servers, and nodes. Nodes discover network devices, ingest flow and SNMP data and extend configuration capabilities in a distributed environment by allowing for horizontal scaling of LiveAction. In addition, the clients and servers have been enhanced for massive scalability. http://www.liveaction.com 5
Client Application The client application can be run via web start directly from the LiveAction web server or can be installed as a 64 bit client application for Windows or Mac. Server LiveAction server runs on a Windows Server or VM. The LiveAction server has a built in collection node and is fully usable without any additional installations. Node The node provides the ability to add additional collection and other capabilities and helps scale horizontally by providing additional processing. The node runs on Linux and communicates to the central LiveAction server. Customers can choose the following LiveAction deployment scenarios: a. Single Server The single server deployment of LiveAction consists of installing the server on a Windows Server or VM. Since the LiveAction server has a built in collection node, it is fully useable without any additional installations. b. Distributed Deployment In distributed deployments, a single server is deployed as usual but additional nodes can be implemented and associated to the server, shown below. Data Center A LiveAction Node Data Center B LAN High Speed MAN LAN LAN LAN Administrative Offices LiveAction Node Campus 1 Campus 2 LAN LiveAction Node Low Speed WAN LAN Campus 3 LiveAction Server/Node Figure 2 - LiveAction Distributed Deployment In this scenario, when the devices are discovered, you can specify which node(s) will collect that device information as show below. http://www.liveaction.com 6
Figure 3 - Assigning Devices to Nodes c. Virtual Machine Servers and nodes can be deployed on VM as long as the performance requirements for compute, store and network are met. Deployment Decisions The use and location of additional nodes are based on 3 criteria: Performance o Off load performance to another node. Location o o Place node near devices being polled. Place at a branch site so data is not polled across the WAN to the Data Center where the server exists. Security o Place node for different security zone, DMZ. o Node(s) will initiate communication from security zone to server o In case of loss of communication, the server or node may re-initiate communication For LiveAction 4.1 performance and recommended hardware configurations, please refer to LiveAction User Guide. LiveAction IWAN Management Licenses LiveAction is a SolutionPlus partner, and LiveAction IWAN Management software is available on the Cisco Global Price List (GPL) as listed below. Multiple licenses can be combined to reach the desired number of devices to be managed. For example, to manage 700 devices, purchase a 500-device license and two 100-device licenses. LiveAction Enterprise - o LiveAction multi-node, multi-user, unlimited historical data, full-function features with Flow, QoS Monitor, QoS Configure, Routing, IP SLA, and LAN modules o In this configuration, Routing includes PBR (Policy-Based Routing), visualization of VRF/ routing/adjacency tables, and next-hop route tracing. IP SLA includes IP SLA dashboard, GUIbased IP SLA test generation, visualization of IP SLA test status, and all IP SLA reports. LAN http://www.liveaction.com 7
functionality includes Layer 2 QoS monitoring, LAN path visualization, and STP (Spanning Tree Protocol) visualization. LiveAction WAN LiveAction multi-node, multi-user, rolling 14 days of historical data with Flow, QoS Monitor, QoS Configure, and Routing. LiveAction Professional LiveAction for SMBs, single-server, single-user, 5 days of historical data with Flow, QoS Monitor, QoS Configure, Routing, IP SLA, and LAN modules. Up to 200 devices can be managed for this single-server LiveAction Professional version. For more than 200 devices on a single server, please use the multi-server licenses above. What s New with LiveAction 4.1 and PfRv3 Support? One of many key features in LiveAction 4.1 is Performance Routing V3 Management support. PfRv3 delivers a set of solutions on automatic prefix and Service Level Agreement (SLA) discovery through an intelligent framework. It provides easier application performance management controls including path optimization, managing over-subscription intelligently in the network for P2P, multi-site deployments, optimizing network infrastructure usage, policy distribution and enforcement and network based bandwidth management. PfRv3 features are supported in IOS 15.4.(3)M (ISR) and XE 3.13 S (ASR). Below is a summary of LiveAction management support for various PfR versions: Functions Description Benefits PfR Dashboard PfR dashboard and trending providing a high level status of what conditions contribute the most to PfR route changes (delay, packet loss, jitter, reachability) over time by service provider, by site, and by application. Quick glance and trending of how PfR has been performing in re-routing traffic or protecting applications Updated PfR Device View PfR statistics on MCs/BRs with color coded status based on new PfRv3 NetFlow records Easily see PfR performance metrics (delay, packet loss, inter-arrival time, etc.) and recognize/analyze possible issues quicker Drill-down Drill-down troubleshooting sort and search to find what sites or applications are having what performance routing issues Two to three clicks to find performance routing issues http://www.liveaction.com 8
PfR Configuration Configuration of one or more Master Controllers (MC) Faster configuration through CLI-templates to one or multiple devices PfR Dashboards Following is a LiveAction topology view of a sample IWAN environment consisting of multiple MCs/BRs (separate and collapsed) running PfRv3 code. Figure 4 - Sample IWAN Environment The corresponding PfR dashboard in Figure 5 provides a quick status of PfR Threshold Crossing Alerts and the associated reasons (delay, packet loss, jitter, reachability). Threshold Crossing Alerts (TCAs) NetFlow types are sent by PfRv3 every time there is a threshold that has been exceeded and PfR tries to make a route change. This is reported in the Alerts column. The other columns show application group, site, and service provider capacity utilizations which are reported using basic NetFlow. This data requires FnF to be configured for those interfaces and can be easily enabled via a simple wizard in LiveAction as described under Provisioning basic NetFlow and QoS Flows section. The alerts are reported for the entire network or distributed by site or service provider (e.g., from SiteA- SiteB, what are the issues causing thresholds to be exceeded?) Under Site, Application Group, and Service Provider are aggregated alerts by sites, by application groups, and by SPs. Application groups are name equivalence to DSCPs and are defined in LiveAction for the purpose of PfR reporting. In LiveAction, users can set a custom application group name and map it to a DSCP value. Any DSCP reported by PfR that doesn t correspond to an application group will show up as an Unknown under the application group column. Under % utilization by Application, you can see how much traffic a particular application group is coming inbound to or going outbound from a particular site. http://www.liveaction.com 9
Figure 5 - LiveAction PfRv3 Dashboard Below is an example of how application groups are configured in the LiveAction PfRv3 dashboard. Figure 6 - Configure Application Groups Updated PfR Device View LiveAction device view provides real-time performance statistics in the TCA records on this particular device, showing the reasons that caused the threshold to be exceeded (delay, packet loss, jitter, reachability). If PfR Alert parameters have been enabled in LiveAction (see Set Alert Threshold section), these values will show up color coded in Red as in Figure 7. This makes it easier and faster for troubleshooting and analysis than CLI displays. http://www.liveaction.com 10
Figure 7 - Updated PfR Device View PfR Drill-down Troubleshooting Users can drill down by double clicking from the dashboard, then sort and search based on IPFIX arguments to find out what applications or sites have specific performance issues. In the example below, search/sort and select Austin-San Francisco to find out what applications have the most packet/byte loss between these two sites. All Alert All Sites : sort & search by site ATT Austin-San Franciso Alert Detail ATT Austin-San Franciso Byte Loss by DSCP Figure 8 - LiveAction PfRv3 Drill-down In the example below, from the dashboard, you can drill down and see the capacity of Voice-EF and Voice-AF31 application groups for the particular sites. http://www.liveaction.com 11
From here, you can further understand how the traffic for Los Angeles is distributed across the service provider links. It can be seen that the majority of the traffic for both application groups are going through ISP1. Furthermore, if you want to find out which applications experience the most route changes, LiveAction displays the TCA reasons associated with different application groups. Another drill-down that is useful from the dashboard is the SP capacity utilization below, based on service provider definition discussed in Add Site Semantics section: http://www.liveaction.com 12
Another drill-down that is useful from the dashboard is the site capacity utilization by application groups below, based on service provider definition discussed in Add Site Semantics section. From there, further drilldowns/pivoting to other reports can be done. http://www.liveaction.com 13
Figure 9 - SP Capacity Utilization PfR Configuration Configuration management including PfRv3 is supported through LiveAction integration with NetLD. From the server primary screen, select Configuration Management to launch NetLD tool as shown below. Furthermore, other device configurations for IWAN such as DMVPN can be created using CLI templates and pushed to the devices through Command Runners as illustrated below. http://www.liveaction.com 14
Figure 10 - Launch NetLD NCCM from LiveAction Within NetLD, customers can use the Command Runner to create a PfR Master Controller configuration and push it to one or multiple devices. In the example below, one configuration template is deployed to all PfR routers. Here, search on devices with PfR in the host names: Figure 11 - List of Devices based on Search You can then create the CLI template to be pushed to the PfR routers, and Execute as shown. http://www.liveaction.com 15
Figure 12 - Execute Command Runner Eight (8) devices are selected. Figure 13- Push CLIs to Multiple Devices The results below show the CLI commands having been pushed to the eight (8) PfR routers as intended. http://www.liveaction.com 16
Solution Use Cases Figure 14 - Command Runner Results Use Case 1: Visualizing Application Path Changes IWAN can be enabled on the Cisco ISR-AX and ASR1000-AX platforms, which offer intelligent path control (PfR), security (firewall, IPsec, SSL VPN), and application services (AVC, NBAR2, QoS) at a lower cost. The PfR component of an IWAN can select the best path for each application based upon advanced criteria such as, reachability, delay, loss, jitter, and mean opinion score (MOS). PfR improves application availability by dynamically detecting and routing around network problems like black holes and brownouts that traditional IP routing may not detect. Furthermore, the intelligent load balancing capability of PfR can optimize path selection based on link usage or circuit pricing. To complement IWAN, LiveAction visualizes application before and after path changes from PfR, so customers can verify that key application paths are being adjusted as needed. In particular, when PfR makes a path change to protect the applications due to an Out-Of-Policy (OOP) condition, LiveAction renders the end-to-end path changes graphically from the branch Master Controller (MC)/Border Router (BR) through the service provider(s) to the data center where the applications reside, providing more meaningful and actionable information than the standard PfR CLI outputs. In the example below, a brown-out caused an Unreachable Criteria OOP condition, which prompted PfR to select an alternate path. You can easily see how the green flow for the application was moved from the upper (AT&T) path to the lower (Verizon) path. Before Brown-Out (Northern Path) After Brown-Out (Southern Path) Figure 15 LiveAction Visualization of PfR path changes http://www.liveaction.com 17
In addition to visually displaying the path changes, LiveAction generates TCAs (Threshold Crossing Alert) for the Unreachable Criteria OOP condition that triggered the above path changes, and for easy troubleshooting, color codes these alerts Red based on pre-configured thresholds that have been exceeded. In this example, the diagram below shows the OOP events in the alert and device views. Figure 16 Out-of-Policy Threshold Crossing Alerts Another important point that customers want to understand is what applications were moved by the PfRmanaged traffic. LiveAction can provide application traffic usage per interface. With an option to filter traffic by applications, classes, or prefixes, LiveAction can report that after the path change, the associated application traffic going through ATT is now shown going through Verizon as shown below: Before Path Change After Path Change Application Traffic To ATT Application Traffic To Verizon Figure 17 Application Traffic Being Moved http://www.liveaction.com 18
Use Case 2 Leveraging NBAR2 and QoS Control LiveAction provides AVC flow visualization, robust AVC reporting, and full NBAR2 QoS control to optimize application performance. The diagram below shows LiveAction display of NBAR2 applications and associated AVC metrics such as application, server, and network response times. This graphical representation can greatly assist in troubleshooting efforts. NBAR2 application names Figure 18 - LiveAction AVC Flow Visualization LiveAction NBAR Comparison report enables network administrators to understand what application traffic is incoming to/outgoing from an interface and how much bandwidth, thus providing useful knowledge for QoS shaping and trending. In the example below, LiveAction recognizes the NBAR2 applications both entering and leaving the same interface, enabling users to understand what applications traverse various devices in the network. NBAR applications inbound an interface NBAR applications outbound the same interface Figure 19 NBAR Application Traffic Comparison LiveAction allows full NBAR2 QoS control on Cisco routers both on a per-application level and also at the higher group level. Thus, network engineers can take advantage of Cisco s NBAR2 grouping feature and LiveAction QoS graphical configurator to vastly reduce the complexity and verbosity of the router configuration. In the example below, simply selecting the browsing category enables the http://www.liveaction.com 19
user to include applications such as flash-video, flashmyspace, flashyahoo, http, shockwave and others. Figure 20 NBAR QoS Control Use Case 3 - QoS Monitoring and Configuration Part of understanding and improving application performance is the ability to efficiently monitor and configure QoS. Via AVC flow and CBQoS monitoring, LiveAction tracks NBAR2 application and QoS per-class performance and provides extensive analyses, making it easy for IT engineers to fully understand QoS behaviors on their networks. With congestion indicator visualization and color-coded status, LiveAction offers proactive QoS monitoring that detects and alerts on critical policy drops before problems are reported by end users as shown in Figure 8. Congestion Indicator (amber color) QoS Marking Figure 21 QoS Monitoring & Visualization LiveAction s real-time QoS graphical reporting at intervals as short as 10-seconds enables quick validation of policy changes. For example, in Figure 9, once a policy is applied to police the Interactive Video traffic to 512 Kbps, LiveAction s graphical display of QoS information allows network administrators to monitor the class and see how the policy has taken effect. It can be seen that the traffic was throttled down as intended. http://www.liveaction.com 20
Figure22 QoS Policy Impact In the example below, LiveAction QoS control feature resolves an issue where Bittorrent slows down MS Office 365 performance. By policing Bittorrent traffic through LiveAction QoS GUI interface, one can instantly validate the performance of MS Office 365 which was restored to a favorable level as shown: MS-Office 365 BitTorrent Figure 23 BitTorrent Traffic Throttled Down For increased MS Office 365 Performance LiveAction graphical QoS configurator and management empowers IT engineers of all experience levels to create, edit, and implement highly effective QoS policies on live networks with complete ease and confidence. LiveAction has deep QoS expertise built-in based on extensive research of the features, functions, and idiosyncrasies of Cisco devices. With LiveAction, QoS configurations can be created from scratch or using Cisco best practice templates with hundreds of device specific rules and guidelines. Once QoS policies have been created, they can be immediately deployed or scheduled on multiple devices or interfaces. Below is an example of LiveAction s graphical QoS configurator. http://www.liveaction.com 21
Create Hierarchical Policy Copy Policy Add Policy Edit QoS Statements Figure 24 QoS Graphical Configurator For example, LiveAction can create and manage QoS policies for Dynamic Multipoint Virtual Private Network (DMVPN) tunnel endpoints and then apply them to tunnel interfaces. Each policy can then be assigned to the desired next hop routing protocol (NHRP) tunnel interface. Figure 25 DMVPN QoS Configuration http://www.liveaction.com 22
Use Case 4 PfR At-A-Glance & Network Health Status LiveAction provides PfR high level status and network health conditions that help network adminstrators understand how PfR is performing in particular and how the network is functioning in general. These include but are not limited to: PfR Threshold Crossing Alerts (TCAs) - Based on the new PfRv3 NetFlow information, LiveAction reports on conditions (delay, packet loss, jitter, reachability) that contribute the most to PfR route changes over time by service provider, by site, and by application, for example, top 10 route change reasons overall or by site pair. Network administrators can quickly see at-a-glance if delay, loss, jitter or reachability is the top issue for a particular site, application, or service provider. In addition, some OOP (Out-of-Policy) conditions are correctable and some are not. For example, if there is an OOP on delay, but PfR cannot find another path to move the traffic over, LiveAction will report uncorrectable events and the associated reasons. Those that were corrected means PfR was able to protect the application with route changes. This allows network adminstrators to prove that PfR is working as intended. Without these visual reports, it would be challenging to correlate route changes and TCAs through CLI displays. With an end-to-end topology providing connectivity and situational awareness, route change visualization showing how PfR reroutes and protects application traffic, and associated graphical reports displaying OOP dashboard and drill-down capabilities, LiveAction uniquely provides a comprehensive set of management functions needed to effectively manage the IWAN environment. Network discovery and network topology LiveAction discovers devices and draws them on the topology map. This topology is also interactive in that network administrators can perform commands or take actions (like creating ACL off a flow) by right-clicking on that topology. This interactive topology is at the core of LiveAction intuitive See Point Click Fix user interface model. End-to-end flow visualization - LiveAction visualizes the end-to-end flows on the network topology to help network administrators graphically understand traffic pattern, bandwidth consumption, QoS priority setting, and other performance conditions. http://www.liveaction.com 23
Figure 26 LiveAction Interactive Topology Network-wide audits of QoS policies With a single click of a button, LiveAction generates a policy and performance audit report analyzing QoS configurations for errors and performance issues and details this information in an easy-to-navigate report. This report will show everything you need to know about your QoS policies in great detail including configuration settings, performance issues, drops, and policy errors. Figure 27 Network-wide QoS Audit Report Network monitoring using NetFlow, IPFIX, SNMP, IP SLA, routing and LAN statistics Threshold crossing alert processing User-defined thresholds can be configured such that alerts are generated/color-coded by LiveAction to warn network administrators of impending performance issues Dashboard LiveAction features System, Flow, QoS, and IP SLA dashboards to provide at-aglance status for top application performance, site performance, networking device http://www.liveaction.com 24
CPU/memory usage, link utilization, interface up/down, top QoS conditions on interfaces, links, and Layer 2 devices (drops, congestions) Routing visualization - LiveAction provides real-time routing layer visualizations and path debugging tools for Cisco networks. In addition, the module s policy-based routing editor provides a high degree of traffic engineering for managing policy-specific forwarding paths. Getting Started Enable Cisco Intelligent WAN Figure 28 shows a typical IWAN environment with dual transport paths between the branch and the corporate data center, a Cisco integrated service router at the branch and dual Cisco routers at the data center. Though one Internet and one MPLS VPN transport path are shown here, the transport can be provided by any combination of transport services (MPLS VPN, Business Internet or Broadband). Figure 28 Typical IWAN Environment Please refer to www.cisco.com/go/iwan and http://www.cisco.com/c/en/us/td/docs/iosxml/ios/pfrv3/configuration/xe-3s/pfrv3-xe-3s-book.pdf for more specific platform, connectivity, and configuration requirements. In general, Cisco IWAN requirements include the following: 1. WAN connections Dual MPLS-VPN service, or a primary MPLS-VPN and a secondary DMVPN over the public Internet, or dual DMVPN over the public Internet 2. Cisco Application Experience platforms provides increasing performance and module slot density that include licenses for Data (DATA), Security (SEC) and Wide Area Application Services (WAAS). CSR1000V ASR 1000 AX - Cisco ASR 1001 (5G) and ASR 1002-X (5G, 10G, 20G and 36G) ISR AX - Cisco 4400-AX, 3900-AX, 2900-AX, 1900-AX Series Application Experience Routers and an AX Feature Set software licensing option for 800 Series. http://www.liveaction.com 25
If you buy the new AX hardware bundle, security license is part of the bundle. If you buy generic ISR, ASR platforms and add AX licenses, the Security license has to be purchased separately. Note: Ensure you refresh Access Routing installed base (ISR G1 and older) to AX, or upgrade ISR G2 to AX 3. Router Configurations a. Configure ACL or Firewall for security on Internet connections for threat defense and secure Internet access. b. Configure DMVPN - The IWAN independent transport solution requires a DMVPN dual-cloud design, each with a single hub router. The DMVPN routers use tunnel interfaces that support IP unicast as well as IP multicast and broadcast traffic, including the use of dynamic routing protocols. c. Enable Cisco Performance Routing (PfR) in both the branch office and headquarters ISR-AX devices if you are using more than one WAN link. To do this, you ll need to define the criteria for routing the mission-critical protocols across the WAN. Configure the branch-office hub master controller and all branch master controllers, which will then configure their corresponding border routers. For IOS provisioning of the MC/BRs, please refer to PfR Configuration Guide http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/pfr/configuration/xe-3s/pfr-xe-3sbook.html and http://docwiki.cisco.com/wiki/pfr:solutions:enterprisewan d. Enable any desired Application Visibility and Control (AVC) components to provide application visibility. The NBAR2 Custom Protocol feature enables the administrator to create custom application signatures for application protocols not pre-defined in the standard Cisco protocols packs. This process identifies all traffic traversing the ISR-AX by application. It can be trained to recognize new protocols or encrypted protocols. Note that this step can be performed with LiveAction (for ISR-AX) through simple point-and-click operations instead of coding hundreds of CLI commands. e. Enable WAAS to improve network responsiveness and provide LAN-like performance on the WAN. This process reduces application latency through application-specific optimizations. It also reduces the WAN usage through advanced caching techniques, and optimizes the TCP performance over high-latency WANs. Install LiveAction To install LiveAction, follow the steps below and refer to the LiveAction User Guide for more information http://www.liveaction.com/support/resources 1. Download LiveAction server, node, and client software 2. Install the above LiveAction components 3. Load your LiveAction permanent license 4. Activate your permanent license Add Devices to the Topology Map The first step when using LiveAction is to add your network devices to the topology. You can add multiple devices in one operation using the device discovery function ( Discover Device icon) or add devices one at a time ( Add Device icon). There is also an Advanced Add feature for bulk addition of devices. Please refer to LiveAction User Guide, Chapter 4, Add Devices To Topology for more detailed instructions. Add Site Semantics To get the most out of the PfR dashboard, it is important that WAN capacity, site and SP names, and other tags be appropriately configured. These include the following. Device or group site definition and site CIDR ranges for the MC and BR routers. Define BR interface tags including: o WAN tag o Service Provider tag o Capacity values http://www.liveaction.com 26
o Interface labels (optional) These can be defined in 2 ways. From the LiveAction device tree view, expand the properties to define or from import of device settings. For more information, please refer to the User Guide. Figure 29- Site Semantic Definition Provision basic NetFlow and QoS Monitoring After supported Cisco devices are added to the topology they need to be configured for NetFlow and QoS (basic SNMP, NBAR and CBQoS). LiveAction uses basic NetFlow to draw the end-to-end flows across the topology and to show the before and after PfR path changes. In addition, LiveAction also leverages PfRv3 NetFlow records to create the various PfR dashboard components and drill down reports. In order to drive the PfR dashboard capacity utilization and bandwidth reports, basic flow traffic statistics must be configured on the WAN edge interfaces of the border routers. To do this, you can manually set up FNF on those interfaces and have it exported to LiveAction, or you may use the Flow Configuration tool (Flow >Configure Flow or right-click on device in Device-tree-->Flow >Configure Flow). Please refer to LiveAction User Guide, Chapter 4, Configure Cisco Devices for QoS, Flow and IP SLA for more detailed instructions. PfR and AVC flows are also needed for IWAN management and that will be separately configured in the next few steps. Note that Medianet PerfMon must be turned off for PfRv3 to work properly as of this writing. http://www.liveaction.com 27
Figure 30 - LiveAction FnF Configuration Enable PfRv3 NetFlow Exports In addition to basic NetFlow above, you will need to enable PfRv3 NetFlow V9 export. Setting up the NetFlow collector configuration at the hub will propagate throughout the entire PfRv3 domain automatically. See the example configuration below: domain <DOMAIN> vrf default master hub source-interface Loopback0 collector 172.17.101.141 port 2055 Configure PfRv3 PfRv3 configuration can be can be pushed using NetLD-LiveAction integration or directly to the devices. PfRv3 Configuration includes the following steps: Device setup and role (4 different roles) Hub MC Include PfRv3 policy configuration Hub BR Branch MC Branch BR Below is the LiveAction view prior to PfRv3 configuration being applied. Note that there is a delay impairment on ISP1 - but traditional routing cannot route around the performance issues. After the PfRv3 configuration and policy is applied across the enterprise we'll see how PfR routes around the impairments. http://www.liveaction.com 28
Figure 31 - PfRv3 Topology Hub MC Configuration via NetLD Launch NetLD from LiveAction Configuration Management. Select Hub MC from the list and select Change --> Command Runner Figure 32 - Configure Hub MC with NeLD In the Command Runner tool, enter the hub MC configuration and click Execute http://www.liveaction.com 29
Here is the complete Hub MC configuration on the NetLD template: config t domain ONE vrf default master hub source-interface Loopback0!!Collector statement auto propagated throughout PfRv3 domain collector 172.17.101.141 port 2055! class DSCP-AF31 sequence 10 match dscp af31 policy custom priority 2 loss threshold 5 priority 1 one-way-delay threshold 500 path-preference ISP1 fallback ISP2 class DSCP-EF sequence 20 match dscp ef policy voice path-preference ISP2 fallback ISP1 class BEST-EFFORT sequence 30 match dscp default policy best-effort Click Yes below. http://www.liveaction.com 30
After the Command Runner completes the task, the user can see the results as shown below in NetLD: Figure 33 - NeLD Reflecting Correct Hub MC Configuration http://www.liveaction.com 31
A manual telnet/ssh to the device shows that the configuration was applied successfully. Figure 34 - Hub MC Configuration On Device Hub BR1 Configuration via NetLD Select the Hub BR1 router and select Change --> Command Runner and run through similar steps as shown above. Example configuration: config t domain ONE vrf default border source-interface Loopback0 master 10.10.10.1 interface Tunnel100 domain ONE path ISP1 Hub BR2 Configuration via NetLD Select the Hub BR2 router and select Change --> Command Runner and run through similar steps as shown above. Example configuration: config t domain ONE vrf default border source-interface Loopback0 master 10.10.10.1!collector 172.17.101.141 port 2055 interface Tunnel200 domain ONE path ISP2 http://www.liveaction.com 32
Branch MC/BR Configuration via NetLD PfRv3 has extremely simplified the configuration for branches. The same set of commands can be applied to all routers running as an MC/BR for example. Multi-select the Branch routers running as a combined MC/BR device and select Change --> Command Runner and run through similar steps as shown above. The difference this time is that NetLD will apply the same configuration to multiple devices in a single operation. Figure 35 Multiple PfR Device Configuration with NetLD Notice that netld will apply the configuration to multiple devices below. The Command Runner tool successfully applied the Branch MC/BR configuration at multiple branch routers in a single operation as shown in Figure 36. http://www.liveaction.com 33
Figure 36 Validation of PfRv3 MC/BR Configuration with NeLD After the PfRv3 configuration and policy is applied within the enterprise, we notice that PfR is able to successfully route around the delay impairments present in ISP1. All AF31 and EF traffic is shown as traversing ISP2. http://www.liveaction.com 34
Figure 37 Visualization of PfR V3 Intelligent Path Change LiveAction PfRv3 Dashboard is reporting accurately about the enterprise WAN. Figure 38 PfR V3 Dashboard Reflecting Intelligent Path Change http://www.liveaction.com 35
Enable AVC Flows LiveAction uses FNF and NBAR for traffic statistics, PA (Performance Agent on ISR-AX) and MMA (Metric Mediation Agent for ASR1K) for application response time (ART) measurements, and PerfMon for Medianet. For ISR-AX platforms, AVC can be enabled by LiveAction through the Flow Configuration wizard where users select the AVC metrics to collect rather than having to code a series of CLIs. For ASR platforms, AVC NetFlow needs to be configured via CLI as shown in Appendix A. LiveAction inventories the ISR-AX devices and provide a list of capabilities as shown below: Figure 39 - Enabling AVC Flows with LiveAction By selecting this option for the interfaces, LiveAction generates the CLIs in the back-end and push them to the devices to enable these flows for analysis. http://www.liveaction.com 36
Validate traditional, PfR and AVC Flows Select the appropriate NetFlow types (basic, AVC, PfR) under the drop down in the device view to ensure you can see flows coming in and going out of the interface as shown below. http://www.liveaction.com 37
Figure 40- Validating Basic, PfR and AVC Flows Set Alert Thresholds Under Tools, Configure Alerts, and Flow Triggers Tab, click on PfRv3 to enable Alerts to be color coded in LiveAction device view (Figure 41). http://www.liveaction.com 38
Figure 41 Setting PfRv3 Alert Thresholds Filter Traffic to Visualize Path Changes To see the before and after application path changes between different locations as shown in Figure 4, filter the traffic by clicking on the Configure Flow Display Filters option from the Flow tab. From here, you can add an entry and select Match IP, Range, Subnet or Match Device Interface to specify device end points you want to see the traversed path. http://www.liveaction.com 39
Figure 42 Filter Traffic to Visualize Path Changes Another way to filter traffic is using the search bar as shown in Figure 43 below. Figure 43 - Filter Flows by Search http://www.liveaction.com 40
Define Application Groups LiveAction allows customers to define application groups to align with DSCP settings within their network so that the PfRv3 dashboard or drill-down reports can show application names instead of DSCP values. This is done by selecting Configure Application Groups off the PfR dashboard or under Tools, Manage Application Groups. Figure 44- Configure Application Groups Conclusion Cisco IWAN enables businesses to deliver an uncompromised experience over any connection. With Cisco IWAN, traffic is dynamically routed based on application, endpoint, and network conditions to deliver the best-quality experience. The realized savings from IWAN not only pays for the infrastructure upgrades, but also frees resources for business innovation. LiveAction is Cisco recommended IWAN management platform. It increases Cisco IWAN value to customers by providing unparalleled visualization that bridges the management gap for an end-to-end IWAN solution, resulting in faster IWAN troubleshooting and easier justification of IWAN ROI. For More Information LiveAction is available to be resold on the Cisco Global Price List (GPL) as shown in the LiveAction IWAN Management Licenses section. Contact iwansales@liveaction.com if you have a question or would like to request a LiveAction demonstration. You may also login directly to our LiveAction server as a demo user via a LiveAction client and explore its various capabilities via http://liveaction.com/testdrive/ http://www.liveaction.com 41
Appendix A Configure AVC to Export Flows on an ASR At this time LiveAction does not configure AVC to export to LiveAction for ASR s, but it can be configured manually through the CLI. Following are the sample CLIs for AVC configuration on ASR. Create Flow Records flow record type performance-monitor LIVEACTION-FLOWRECORD-AVC match routing vrf input match ipv4 protocol match application name account-on-resolution match connection client ipv4 address match connection server ipv4 address match connection server transport port match services waas segment account-on-resolution collect ipv4 dscp collect ipv4 source address collect ipv4 destination address collect interface input collect interface output collect connection initiator collect connection new-connections collect connection sum-duration collect connection delay response to-server sum collect connection server counter responses collect connection delay response to-server histogram late collect connection delay network to-server sum collect connection delay network to-client sum collect connection client counter packets retransmitted collect connection delay network client-to-server sum collect connection delay application sum collect connection delay response client-to-server sum collect connection server counter bytes long collect connection server counter packets long collect connection client counter bytes long collect connection client counter packets long collect connection transaction duration sum collect connection transaction duration min collect connection transaction duration max collect connection transaction counter complete collect services waas passthrough-reason collect application http host Create Flow Exporters flow exporter LIVEACTION-FLOWEXPORTER-IPFIX description DO NOT MODIFY. USED BY LIVEACTION. export-protocol ipfix destination <LiveAction Server s Ip > source <Source Interface > transport udp 2055 option interface-table option application-table option c3pl-class-table option c3pl-policy-table http://www.liveaction.com 42
option interface-table option vrf-table Create Flow Monitors flow monitor type performance-monitor LIVEACTION-FLOWMONITOR-AVC description DO NOT MODIFY. USED BY LIVEACTION. record LIVEACTION-FLOWRECORD-AVC exporter LIVEACTION-FLOWEXPORTER-IPFIX cache entries 65000 Create an extended Access List* ip access-list extended LIVEACTION-ACL-AVC permit tcp any any Create Class-Maps class-map match-any LIVEACTION-CLASS-AVC match access-group name LIVEACTION-ACL-AVC Create a Policy Map to unify AVC and Medianet policy-map type performance-monitor LIVEACTION-POLICY-UNIFIED class LIVEACTION-CLASS-AVC flow monitor LIVEACTION-FLOWMONITOR-AVC Apply to Interfaces interface <Interface Name> service-policy type performance-monitor input LIVEACTION-POLICY-UNIFIED service-policy type performance-monitor output LIVEACTION-POLICY-UNIFIED *This access-list may be modified if only specific TCP applications types need to be monitored by AVC Copyright 2014 ActionPacked Networks, Inc. dba LiveAction. All rights reserved. LiveAction, the LiveAction logo and LiveAction Software are trademarks of ActionPacked Networks, Inc. Other company and product names are the trademarks of their respective companies. LiveAction 825 San Antonio Road, Suite 201 Palo Alto, CA 94303 http://www.liveaction.com 43