This document describes Cisco Intelligent WAN (IWAN) and Cisco Performance Routing (PfR).
Cisco IWAN is a system that enhances collaboration and cloud application performance while it reduces the operating cost of the WAN. The IWAN solution provides design and implementation guidance for organizations that want to deploy a transport-independent WAN with intelligent path control, application optimization, and secure connectivity to the Internet and to branch locations. IWAN takes full advantage of premium WAN services and cost-effective Internet services to increase bandwidth capacity without compromising the performance, reliability, or security of collaboration or cloud-based applications. Organizations can use IWAN to leverage the Internet as a WAN transport, as well as for direct access to public cloud applications.
R1 steers voice and video traffic onto whichever of its two links currently has the lower delay, jitter, and loss. Other traffic is load balanced across both links in order to maximize the available bandwidth.
If the current path for voice and video (the Multiprotocol Label Switching (MPLS) link) degrades beyond the policy thresholds, that traffic is rerouted onto the Direct Internet Access (DIA) link.
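The path-control behaviour described above is expressed in PfRv3 as a domain policy on the hub master controller (MC), which the branch MCs learn automatically. The following configuration is an added example written for this page, not configuration taken from the original document or from a Cisco design guide. The domain name "iwan", the path names MPLS and INET, the prefix-list names, the hub MC address 10.6.32.251, the tunnel numbers and the DSCP-to-class mapping are all assumed values; the "path-id" keyword is assumed to be supported by the running release.

```cisco
! Hub-site master controller (MC). The domain name "iwan", path names
! MPLS/INET, prefix-list names and all addresses are assumed values.
domain iwan
 vrf default
  master hub
   source-interface Loopback0
   site-prefixes prefix-list HUB-SITE-PREFIXES
   enterprise-prefix prefix-list ENTERPRISE-PREFIXES
   ! Traffic that matches no class below is load balanced across both
   ! transports to use all available bandwidth.
   load-balance
   ! Voice uses the predefined "voice" template: priority 1 one-way delay
   ! 150 ms, priority 2 loss 1 %, priority 3 jitter 30 ms. MPLS is
   ! preferred; when MPLS goes out of policy, voice moves to INET (DIA).
   class VOICE sequence 10
    match dscp ef policy voice
    path-preference MPLS fallback INET
   class VIDEO sequence 20
    match dscp af41 policy real-time-video
    match dscp cs4 policy real-time-video
    path-preference MPLS fallback INET
!
! Hub border router (BR) for the MPLS transport, one BR per provider.
! The Internet BR is identical except for "path INET path-id 2".
domain iwan
 vrf default
  border
   source-interface Loopback0
   master 10.6.32.251
interface Tunnel10
 description DMVPN over MPLS
 domain iwan path MPLS path-id 1
!
! Branch router: MC and BR on the same box. It only needs to reach the
! hub MC; the classes and thresholds are pushed down from the hub.
domain iwan
 vrf default
  border
   source-interface Loopback0
   master local
  master branch
   source-interface Loopback0
   hub 10.6.32.251
```

After the branches peer with the hub MC, show domain iwan master policy on any MC lists the classes it has received, and show domain iwan master traffic-classes summary shows which path each traffic class is currently using, which is where a failover from MPLS to INET becomes visible.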
IWAN allows you to:
Until now, the only way to get reliable connectivity with predictable performance has been a private WAN based on MPLS or a leased-line service. However, carrier-based MPLS and leased-line services are expensive and are not always cost-effective for the growing bandwidth requirements of remote-site connectivity. Organizations look for ways to lower their operating budget while still providing adequate network transport for remote sites.
IWAN can enable organizations to deliver an uncompromised experience over any connection. With Cisco IWAN, IT organizations can provide more bandwidth to their branch office connections with less expensive WAN transport options without affecting performance, security, or reliability. With the IWAN solution, traffic is dynamically routed based on application service-level agreement (SLA), endpoint type, and network conditions to deliver the best quality experience.
With IWAN, you can quickly roll out bandwidth-intensive applications, such as video, virtual desktop infrastructure (VDI), and guest Wi-Fi services. And it does not matter which transport model you prefer, whether MPLS, the Internet, cellular, or a hybrid WAN access model.
This figure outlines the components of the IWAN solution. Performance Routing is a key pillar of this initiative:
The four components of IWAN are:
IWAN uses a prescriptive design: a hybrid, transport-independent design based on DMVPN. DMVPN is deployed across both the MPLS and the Internet transports. This greatly simplifies routing, because a single routing domain encompasses both transports. The DMVPN routers use tunnel interfaces that support IP unicast as well as IP multicast and broadcast traffic, which includes the use of dynamic routing protocols. After the initial spoke-to-hub tunnel is active, dynamic spoke-to-spoke tunnels can be created when site-to-site IP traffic flows require them.
The Transport Independent Design is based on one DMVPN cloud per provider. In this guide two providers are used, one is considered the primary (MPLS), and one is considered the secondary (Internet). Branch sites are connected to both DMVPN clouds and both tunnels are up.
As shown in the diagram, each branch router is connected to both providers: MPLS is the primary transport and the Internet is the secondary.
Which provider carries a given flow depends on the type of traffic. For example, higher-priority data can be sent over MPLS while lower-priority data is routed over the Internet. This is more cost effective, and the resources it frees up can be used for more innovative business purposes.
The design provides active-active WAN paths that take full advantage of DMVPN for a consistent IPsec overlay. The MPLS and Internet connections can be terminated on a single router, or on two separate routers for additional resiliency. The same design can be used over MPLS, Internet, or 3G/4G transports, which makes the design transport-independent.
It is recommended to use one DMVPN hub router (PfRv3 border router, BR) per provider transport at the hub site. This keeps the routing configuration much simpler.
DMVPN requires Internet Key Exchange version 2 (IKEv2) keepalives for Dead Peer Detection (DPD). DPD is essential for fast reconvergence and for spoke registration to work correctly when a DMVPN hub is reloaded: it lets a spoke detect that an encryption peer has failed and that its IKEv2 session with that peer is stale, so that a new session can be created. Without DPD, the spoke must wait for the IPsec security association (SA) to time out (the default lifetime is 60 minutes); only when it fails to renegotiate a new SA over the stale IKEv2 session does it initiate a new IKEv2 session. The worst-case wait before recovery is therefore approximately 60 minutes.
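The following branch-spoke configuration is an added example for this page, not configuration from the original document or from a Cisco design guide. It shows the two-transport design from the paragraphs above on one router: a front-door VRF, an IKEv2 profile with DPD enabled, an IPsec profile and an mGRE tunnel per provider. All names, addresses, the DPD timers, the tunnel keys and the pre-shared key placeholder are assumed values; the hub NBMA addresses 192.168.6.1 and 198.51.100.1 and the tunnel addresses 10.6.34.1 and 10.6.36.1 are assumed to belong to the MPLS and Internet hub routers respectively.

```cisco
! Branch spoke: one front-door VRF, IKEv2 profile and mGRE tunnel per
! transport. All names, addresses and keys are assumed values.
vrf definition IWAN-TRANSPORT-1
 address-family ipv4
 exit-address-family
vrf definition IWAN-TRANSPORT-2
 address-family ipv4
 exit-address-family
!
crypto ikev2 proposal AES256-GCM
 encryption aes-gcm-256
 prf sha512
 group 19
crypto ikev2 policy AES256-GCM
 match fvrf any
 proposal AES256-GCM
!
crypto ikev2 keyring DMVPN-KEYRING
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key CHANGE-ME-LONG-RANDOM-KEY
!
! Dead Peer Detection: an on-demand DPD probe is sent when no traffic has
! arrived from the peer for 40 s, retried every 2 s. Without "dpd" the
! spoke keeps its SAs to a reloaded hub until the IPsec SA lifetime
! expires (3600 s by default) before it rebuilds the IKEv2 session.
crypto ikev2 profile IKEv2-TRANSPORT-1
 match fvrf IWAN-TRANSPORT-1
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN-KEYRING
 dpd 40 2 on-demand
crypto ikev2 profile IKEv2-TRANSPORT-2
 match fvrf IWAN-TRANSPORT-2
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN-KEYRING
 dpd 40 2 on-demand
!
crypto ipsec transform-set AES256-GCM-TS esp-gcm 256
 mode transport
crypto ipsec profile IPSEC-TRANSPORT-1
 set transform-set AES256-GCM-TS
 set ikev2-profile IKEv2-TRANSPORT-1
crypto ipsec profile IPSEC-TRANSPORT-2
 set transform-set AES256-GCM-TS
 set ikev2-profile IKEv2-TRANSPORT-2
!
! Provider-facing interfaces live in the front-door VRFs, so the
! transports never touch the inside routing table.
interface GigabitEthernet0/0
 description MPLS provider
 vrf forwarding IWAN-TRANSPORT-1
 ip address 192.168.6.11 255.255.255.252
interface GigabitEthernet0/1
 description Internet provider
 vrf forwarding IWAN-TRANSPORT-2
 ip address 203.0.113.11 255.255.255.252
!
! Tunnel10 rides MPLS, Tunnel20 rides the Internet. Both stay up and
! PfR chooses between them per traffic class.
interface Tunnel10
 description DMVPN over MPLS
 ip address 10.6.34.11 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication cisco123
 ip nhrp network-id 101
 ip nhrp nhs 10.6.34.1 nbma 192.168.6.1 multicast
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 101
 tunnel vrf IWAN-TRANSPORT-1
 tunnel protection ipsec profile IPSEC-TRANSPORT-1
interface Tunnel20
 description DMVPN over Internet
 ip address 10.6.36.11 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication cisco123
 ip nhrp network-id 102
 ip nhrp nhs 10.6.36.1 nbma 198.51.100.1 multicast
 ip nhrp shortcut
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 102
 tunnel vrf IWAN-TRANSPORT-2
 tunnel protection ipsec profile IPSEC-TRANSPORT-2
```

Two caveats a practitioner should keep in mind. The wildcard peer entry together with "match identity remote address 0.0.0.0" means any host that knows the pre-shared key can bring up an SA, so a production deployment should use per-site keys or, better, certificate authentication (authentication remote rsa-sig with a PKI trustpoint). The "ip nhrp authentication" string is carried in cleartext inside NHRP and is only a sanity check against mis-joined clouds; the confidentiality and integrity of the overlay come from the IPsec profile, not from that string. DPD state can be checked with show crypto ikev2 sa and the tunnel state with show dmvpn.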
DMVPN has multiple phases that are summarized here:
DMVPN Phase 1 is hub-and-spoke only: all spoke-to-spoke traffic transits the hub.
DMVPN Phase 2 has no route summarization on the hub:
Each spoke holds the next hop (the remote spoke's tunnel address) for each spoke destination prefix.
PfR therefore has all the information it needs to enforce the path with dynamic PBR and the correct next-hop.
DMVPN Phase 3 allows route summarization on the hub. Spoke-to-spoke next hops are learned on demand through NHRP redirect and shortcut, so the hub can advertise summary routes instead of every spoke prefix.
PfRv3 supports all DMVPN phases.
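The difference between Phase 2 and Phase 3 in the list above comes down to a few lines on the hub tunnel and in the routing protocol. The following hub-side configuration is an added example for this page, not configuration from the original document; the tunnel addresses, the NHRP network ID, the IPsec profile name, the EIGRP named-mode instance and the summary prefix are assumed values, and the choice of EIGRP is itself an assumption since the page only says "dynamic routing protocols".

```cisco
! Hub DMVPN tunnel for the MPLS transport in Phase 3. Addresses, names
! and the use of EIGRP named mode are assumed; the IPsec profile
! IPSEC-TRANSPORT-1 is assumed to exist.
interface Tunnel10
 description DMVPN over MPLS (hub)
 ip address 10.6.34.1 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 101
 ! Phase 3: the hub signals a spoke that a better spoke-to-spoke path
 ! exists; the spoke's "ip nhrp shortcut" then resolves and installs it.
 ip nhrp redirect
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 101
 tunnel protection ipsec profile IPSEC-TRANSPORT-1
!
router eigrp IWAN-EIGRP
 address-family ipv4 unicast autonomous-system 400
  af-interface Tunnel10
   ! Phase 3: advertise one summary toward the spokes. Spoke-specific
   ! next hops come from NHRP, not from the routing table, so the hub
   ! keeps the default next-hop-self behaviour.
   summary-address 10.6.0.0 255.255.0.0
   no split-horizon
  exit-af-interface
  network 10.6.0.0 0.0.255.255
 exit-address-family
!
! Phase 2 equivalent of the same af-interface: no summary, and the hub
! must preserve the originating spoke as next hop so that spokes (and
! PfR) see the real spoke-to-spoke next hop in the routing table.
!  af-interface Tunnel10
!   no split-horizon
!   no next-hop-self
!  exit-af-interface
```

On a spoke, show ip nhrp after a spoke-to-spoke flow starts shows the shortcut entry that the redirect produced, and show ip route on that spoke still shows only the hub's summary, which is the whole point of Phase 3.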
For further information on DMVPN, see Cisco IOS DMVPN Overview.