
IWAN - Are many people using it

carl_townshend
Spotlight

Hi All

I am working on an IWAN design and just wondered how many people are using IWAN deployments in their networks?

Also, what technologies are most people using? APIC-EM / Riverbed / Infovista etc.

Who are the leaders?

Accepted Solutions

Mark Malone
VIP Alumni

Hi

It's proprietary, so Cisco are the leaders as they own it; no one else can yet anyway. I don't think they're going open source either.

We're using it; we're about 15 months in now, 70% through the global rollout of all sites and core regions.

We're using ASR 1001-Xs at the core, each region with 2 border and 1 CSR1000V as policy pusher, then all our remote offices in each region have dual ISR4331s with dual symmetric internet/MPLS connections from the same providers but completely diverse in path.

Using LiveAction as the tool to monitor, as it's way more ahead of Cisco APIC-EM for visibility in terms of packet diving and QoS. APIC-EM has some good features but they're only catching up.

We have RBs integrated to cores and most remotes; hit major issues in MTU with them during one phase but fixed them eventually, and they're working fine now too with the design.

If you're going that route, make sure you plan it well. I won't get started on bugs, but we have hit a few major ones; Cisco are on the ball with IWAN and are releasing fixes as quick as they're coming, but there are a few definite choice images you want to be aiming for and staying away from.

I hear from meetings we have direct with Cisco that there are about 15k customers so far globally, but expanding rapidly because it's all active/active and has the ability to dump certain DSCPs down backup lines and the ability to monitor for free bandwidth etc.

One thing that has saved us is we kept our legacy design under the overlay DMVPN and PfR, so even if IWAN logically collapses in a bug the BGP will all still work on the legacy design. This has obviously made it a very complicated setup but it's been worth it, as we hit some bugs that crippled the CA servers for authentication in RSA, leaving IWAN DMVPN where all IKE certs could not authenticate even though they were reaching the server, but the legacy BGP kept the sites going.

8 Replies

Hi Mark

Thanks for your feedback.

So would you recommend it?

We will be using 4351 at the hub and 4331 at the branches, with MPLS and internet at the branch.

I'm looking at Prime Infrastructure and APIC-EM, no WAAS at the min though.

Does this sound OK?

Anything to watch out for?

What images would you use?

Cheers

Hi, yes, I would recommend it. It's very smart and allows you to utilize all devices and circuits; for that alone it's worth it. Not easy to set up. We have worked with a company that are tied to Cisco in the US called Trace3, and even with them we have hit some issues, but their underlying knowledge of IWAN and previous deployments has been very useful, so keep professional services in mind if your company can afford it, even for a few design meetings when you have it ready on paper.

Your hardware sounds fine. I use Prime too, not for IWAN, but I see it has an APIC integration feature on it. I can't really comment too much on APIC; I have only seen it run in labs so far, but that's the way Cisco say to go. When we started IWAN, APIC wasn't even out yet.

The gotchas were mostly bugs and, to be honest, we mitigated them all in these images, so I would go straight to either of these for stability; sa5 was stable too.

asr1001x-universalk9.03.16.05a.S.155-3.S5a-ext.SPA.bin

Same image for 4331 is stable too.

CSCux35506   ISR4K: Intermittent kmalloc failure booting with Crypto Enabled
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux35506/?reffering_site=dumpcr

CSCva40152   qfp_ucode crash seen on flapping dmvpn tunnels aggressively
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva40152/?reffering_site=dumpcr

CSCvd67254   Crash during CRL fetch failure
Release Notes:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd67254/?reffering_site=dumpcr

fixes are found in 16.3.1 and later code.

Fixed-In:
16.6.1
16.3.5 estimated release end of September

Hi

What I am seeing is a little bit of a crossover between APIC-EM and Prime, as you can set up IWAN with both of them.

Do you need both tools?

With APIC-EM you should be able to do it all from the GUI if you're not manually programming it. I think Prime only has some features available for rollout and integrates with APIC-EM.

High administrative overhead IMO. This may get better now with Viptela coming into the picture, but iWAN requires just too much configuration, applications, and overseeing. iWAN lacks the cloud manageability like VeloCloud or Meraki. I believe Viptela will bring this to Cisco now. I would hold off honestly on anything iWAN until they figure out the path of their product.

Hi Mark

Thanks for your feedback.

I am interested to know more about what MTU issues you hit and how you resolved them.

Nick

It was the Riverbed causing the MTU issues on the remote and core sites. There's a limitation with the SteelHead which can affect the IWAN traffic, on our design anyway. Fixed it using the below on the SteelHeads to stop them dropping traffic on us:

(config) # interface mtu-override enable

In RiOS 8.0 and later, the SteelHead does not pass through packets larger than the MTU value of its interfaces, nor does it send ICMP notifications to the sending host of the dropped packets. Use this command so larger packets can pass through in environments in which the in-path MTU is lowered to account for a smaller MTU in the WAN network.