Cisco Intelligent Branch – Enabling the Next Generation Branch
Tammy Getschel, Systems Engineer
Cisco Connect Toronto 2016, May 19, 2016
Cisco Confidential © 2015 Cisco and/or its affiliates. All rights reserved.



Housekeeping notes
Thank you for attending Cisco Connect Toronto 2016. A few housekeeping notes to ensure we all enjoy the session today:

• Please set cellphones and laptops to silent so that no one is disturbed during the session


Pressures on the WAN

Emerging Branch Demands: The Application Landscape Is Changing

• Applications are moving to the data center and the cloud
• The Internet edge is moving to the branch

(Figure: branch connected to the cloud and to the data centers; labels: cloud, SaaS, Google Docs, Office365, cloud mobility apps, guest WiFi, BYOD, app updates, video, VDI, backup.)


Internet as an Extension of Enterprise WAN

• Commodity transports are viable now
• Dramatic bandwidth and price/performance benefits
• Higher network availability
• Improved performance over the Internet


Intelligent WAN: Leveraging the Internet
Secure WAN Transport and Internet Access

(Figure: branch with MPLS (IP-VPN) and Internet transports; optimized secure transport to the private cloud and the virtual private cloud, direct cloud access to the public cloud.)

1. IWAN secure transport for private and virtual private cloud access
2. Leverage the local Internet path for public cloud and Internet access

Increase WAN transport capacity and application performance cost effectively, and improve application performance by sending the right flows to the right places.


Intelligent WAN (IWAN) Architecture

(Figure: a unified branch reaching the private cloud, virtual private cloud and public cloud over MPLS, Internet and 3G/4G-LTE transports.)

• Transport Independent: simplified hybrid WAN
• Intelligent Path Control: application-aware routing
• Application Optimization: enhanced application visibility and performance
• Secure Connectivity: comprehensive threat defense
• Management Automation


Transport Independence: Virtualizing the Enterprise WAN


IWAN Transport Independence
Consistent deployment models simplify operations

• IWAN Hybrid: the branch ISR runs one DMVPN tunnel over the Internet (ISP A) and one over MPLS (SP B), each terminating on an ASR 1000 in the data center
• IWAN Hybrid/LTE: the branch ISR runs DMVPN over 4G/LTE (ISP C) and over MPLS (SP B) to the ASR 1000 hubs in the data center
• IWAN Dual MPLS: the branch ISR runs DMVPN over MPLS from SP A and over MPLS from SP B to the ASR 1000 hubs in the data center

IWAN Transport Independent Design with Dynamic Multipoint VPN (DMVPN)

• Proven IPsec VPN technology
  - Widely deployed, large scale
  - Standards-based IPsec and routing
  - Advanced QoS: hierarchical, per tunnel and adaptive
• Flexible and resilient
  - Over any transport: MPLS, Carrier Ethernet, Internet, 3G/4G, ...
  - Hub-and-spoke with dynamic full-mesh topology
  - Multiple encryption, key management and routing options
  - Multiple redundancy options: platform, hub, transports
• Secure
  - Industry-certified IPsec and firewall
  - Next-generation strong encryption: AES-GCM-256 (Suite B)
  - IKE version 2
  - IEEE 802.1AR secure unique device identifier
• Simplified IWAN deployments
  - Prescriptive validated IWAN designs
  - Automated provisioning: Prime, IWAN-App, Glue

(Figure: IWAN Hybrid, branch with DMVPN Purple over the Internet via ISP A and DMVPN Green over MPLS via SP B to the data center.)


Intelligent Path Control: Improving Application Delivery and WAN Efficiency


Getting the Most Out of Your WAN Investment
Benefits of Intelligent Path Control

(Figure: branch ISR with MPLS and Internet paths to ASR 1000 routers in the data center.)

• Enabling hybrid WANs: efficient distribution of traffic based upon load or path preference
• Application best path based on quality
• Protection from carrier black holes and brownouts

Outcomes: lower WAN costs, full utilization of WAN bandwidth, improved application performance, higher application availability.


Intelligent Path Control with PfR
Voice and Video Use Case

(Figure: branch with MPLS and Internet paths to the private cloud and the virtual private cloud.)

• PfR monitors network performance and routes applications based on policy
• PfR load balances traffic based upon link utilization levels to efficiently utilize all available WAN bandwidth
• Voice and video take the best delay, jitter and/or loss path, and are rerouted if the current path degrades below policy thresholds
• Other traffic is load balanced to maximize bandwidth


What is Performance Routing (PfR)?

(Figure: branch with a combined master controller and border router (MC+BR); data center with a master controller (MC) and two border routers (BR), one on the MPLS transport and one on the Internet transport.)

"Performance Routing (PfR) provides additional intelligence to classic routing to track and verify the quality of a path over a Wide Area Networking (WAN) to determine the best path for application traffic...."


Protecting Critical Applications While Increasing Bandwidth Utilization

Multimedia and Critical Data Policy (SP1 (MPLS) and ISP (FTTH))
• Protect voice and video quality: latency < 150 ms, jitter < 20 ms
• Protect email applications from WAN congestion: loss < 5%
• Voice and video preferred path: SP1
• Email preferred path: ISP
• Increase utilization by load sharing

Business App and Load-Balancing Policy (SP1 (MPLS) and ISP (DSL))
• Protect the transactional business app from brownouts: delay < 250 ms
• Preferred path: SP1 (MPLS)
• Increase WAN bandwidth efficiency by load-sharing traffic over all WAN paths, MPLS + Internet

(Figures: SP1 (MPLS) and ISP paths carrying the classes voice and video, email, business app and best-effort traffic; one figure shows high jitter detected, the other high delay detected.)
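The two policies above are what a PfRv3 hub master controller enforces. The configuration below is an added example written for this page; it is not from the deck or from a Cisco validated design. It assumes a PfR domain named IWAN, a hub MC whose loopback reaches the branches, path names MPLS and INET already defined on the hub border routers' tunnel interfaces, and branch QoS that marks voice EF, video AF41, the transactional business application AF21 and email AF11. The thresholds are the slide's; delay and jitter are given in milliseconds and loss in percent, which should be confirmed with "show domain IWAN master policy" on the IOS-XE release in use, since custom-policy keywords and units have changed between releases.

```ios
! Added example (not from the deck): PfRv3 hub master controller policy for
! the two slides above. Domain name, prefixes, DSCP values and path names
! are assumed; thresholds are the slide's.
ip prefix-list DC-PREFIXES seq 10 permit 10.4.0.0/16
ip prefix-list ENTERPRISE-PREFIXES seq 10 permit 10.0.0.0/8
!
domain IWAN
 vrf default
  master hub
   source-interface Loopback0
   ! shared secret that authenticates MC/BR peering; replace before use
   password REPLACE-ME
   site-prefixes prefix-list DC-PREFIXES
   enterprise-prefix prefix-list ENTERPRISE-PREFIXES
   ! traffic not pinned by a class below is load-shared over all paths
   load-balance
   !
   ! Multimedia policy: voice (EF) and video (AF41) prefer MPLS and move to
   ! the Internet path when one-way delay exceeds 150 ms or jitter 20 ms
   class VOICE-VIDEO sequence 10
    match dscp ef policy custom
     priority 1 one-way-delay threshold 150
     priority 2 jitter threshold 20
    match dscp af41 policy custom
     priority 1 one-way-delay threshold 150
     priority 2 jitter threshold 20
    path-preference MPLS fallback INET
   !
   ! Business app policy: the transactional application (AF21) prefers MPLS
   ! and leaves a path whose one-way delay exceeds 250 ms (brownout)
   class BUSINESS-APP sequence 20
    match dscp af21 policy custom
     priority 1 one-way-delay threshold 250
    path-preference MPLS fallback INET
   !
   ! Email (AF11) prefers the Internet path and is moved off a path that
   ! loses more than 5% of its packets (congestion)
   class EMAIL sequence 30
    match dscp af11 policy custom
     priority 1 loss threshold 5
    path-preference INET fallback MPLS
!
! Branch side: the ISR is both master controller and border router for its
! site and only needs to find the hub MC (address assumed).
domain IWAN
 vrf default
  master branch
   source-interface Loopback0
   password REPLACE-ME
   hub 10.6.32.251
  border
   source-interface Loopback0
   password REPLACE-ME
   master local
```

"show domain IWAN master status" should list both border routers and both paths as up, and "show domain IWAN master traffic-classes summary" should show voice and video pinned to MPLS and email to INET once traffic flows. The domain password is the only thing authenticating MC/BR peering and the hub-to-branch control channel, so it needs the same handling as any other shared secret.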


Load Balancing
Maximizing Link Utilization to Increase Available Bandwidth

• Traffic is distributed across all paths to efficiently use all WAN bandwidth
• Load balancing is based upon link utilization levels
• External links can have different bandwidth capacities: with MPLS = 1.5 Mbps (T1) and Internet = 15 Mbps, 50% utilization means 750 kbps on the T1 and 7.5 Mbps on the Internet link

(Figure: branch ISR with MPLS and Internet links to ASR 1000 routers in the data center.)


Application Optimization


Make Your IWAN Application Aware
Application Visibility and Control (AVC)

(Figure: proliferation of devices, users and machines at the branch; AVC on the branch router and at the DC/headquarters, with the private cloud and the public cloud.)

Application Performance Visibility
• Application inspection with existing routers
• Rich data collection using NetFlow v9/IPFIX
• Easy to integrate into many reporting tools

Smart Capacity Planning
• Better use of costly bandwidth
• Per-branch and per-application level reporting

Business Objective Enforcement
• Service level monitoring per application
• Better analytics to adjust network policies to maintain compliance


Application Performance Monitoring for IWAN
Track and Report Application Flows and Performance

(Figure: AVC on the branch router, at the enterprise edge and on a CSR in the DC/headquarters; tools provision the routers and collect the NetFlow v9/IPFIX export.)

NetFlow/IPFIX records (same provisioning, same format):
• Traffic statistics records
• Application response time records
• Media monitoring records (application, jitter, loss, etc.)

Cisco tools: Prime, APIC-EM
Partner tools (ecosystem): LiveAction, Glue Networks, Plixer, Living Objects, CompuWare, CA Technologies
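The record types listed above are produced by the router's performance monitor (AVC) and exported as IPFIX or NetFlow v9. The configuration below is an added example for this page, not the deck's or a validated design's; it uses the Easy Performance Monitor (ezPM) application-experience profile of IOS-XE and assumes a collector at 10.4.48.36 on UDP port 2055, Loopback0 as the export source, and Tunnel10 and Tunnel11 as the WAN-facing interfaces. The exporter keyword order varies slightly between releases, so check it against the router's help.

```ios
! Added example (not from the deck): AVC export with the Easy Performance
! Monitor (ezPM) application-experience profile, which produces the three
! record types named on the slide. Collector, source and port are assumed.
performance monitor context IWAN-AVC profile application-experience
 ! Export from the loopback so the collector sees one stable source per
 ! router. The collector is reached through the enterprise (global) table,
 ! never through the provider-facing front-door VRF.
 exporter destination 10.4.48.36 source Loopback0 port 2055
 ! traffic statistics records (bytes, packets, application name)
 traffic-monitor conversation-traffic-stats
 ! application response time records for TCP applications
 traffic-monitor application-response-time
 ! media monitoring records (RTP jitter and loss) for voice and video
 traffic-monitor media
!
! Apply on the WAN-facing tunnels so both directions of every flow are seen
interface Tunnel10
 performance monitor context IWAN-AVC
!
interface Tunnel11
 performance monitor context IWAN-AVC
```

"show performance monitor context IWAN-AVC configuration" prints the flow records, monitors and exporter the profile expands into, and "show flow exporter statistics" confirms records are leaving. Flow export is plain UDP with no authentication or encryption, so keeping the collector in the global routing table means the records cross the WAN inside the DMVPN tunnels rather than in the clear on the Internet transport; the collector should also accept the export port only from the routers' loopback addresses.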


Cisco WAAS: Enhancing User Experience and WAN Efficiency

Problem
• Application latency
• WAN bandwidth inefficiencies

Solution
• Reduce load: data redundancy elimination (DRE), compression and TCP optimization
• Application optimization: fewer protocol messages and metadata caching

(Chart: application bandwidth in Mbps and application latency in seconds, natively versus with Cisco WAAS, showing the reduction in bandwidth and the reduction in latency.)


Application-Specific Acceleration
Application and protocol awareness

• Eliminate unnecessary chatter: saves WAN bandwidth
• Pre-populate the edge cache as necessary: enables disconnected operations
• Intelligent protocol acceleration: read-ahead, prediction and batching
• Safe data and metadata caching: improves application response time and offloads the origin server
• DRE hints: application intelligence signals to DRE and LZ whether to compress and whether to cache

(Figure: WAN optimization (DRE/TFO/LZ) combined with application-specific acceleration (safe caching, read-ahead, prediction, batching, DRE hinting), with the origin server offloaded.)


Optimize and Enhance Thousands of Applications
AX Includes Cisco WAAS WAN Optimization

(Charts of time in seconds, comparing the native WAN against the first pass and the second pass optimized with WAAS:)
• Email (5 MB attachment): send and receive email, up to 24x faster
• File services (5 MB file): file drag and drop, up to 17x faster
• SharePoint file download, up to 30x faster
• VDI (Citrix, 5 MB document): launching Citrix XenDesktop and site navigation over native Citrix ICA/SSL versus WAAS, 3-8x faster


IWAN Secure Connectivity


Intelligent WAN: Secure Connectivity
Securing the network and users

(Figure: branch with MPLS (IP-VPN) and Internet transports; secure WAN transport to the private cloud and the virtual private cloud, secure Internet access to the public cloud.)

Two areas of concern
1. Protecting the network from outside threats, with data privacy over provider networks
2. Protecting user access to public cloud and Internet services: malware, privacy, phishing, ...


Securing IWAN Transports with Front-door VRF
Isolation of external networks

• Virtual Routing and Forwarding (VRF) instances create multiple logical routers on a single device
  - Separate control and data planes per VRF
  - No connectivity between VRFs by default
  - Provider-side VRF (yellow) for external networks, global VRF (blue) for internal networks
• The provider VRF minimizes threat exposure
  - Default routing exists only in the provider VRF
  - Provider-assigned IP addressing hides the internal network
  - The provider IP address is used as the IPsec tunnel source
  - Only IPsec is allowed between the internal global VRF and the provider front-side VRF

(Figure: branch LAN 10.1.1.0/24 and 10.1.2.0/24 in the global enterprise VRF; the front-side provider VRF (F-VRF) holds the provider-assigned WAN IP address 192.168.254.254; the IPsec tunnel interface is the only link between the two VRFs, which have independent routing and forwarding planes.)

Protecting the Public-facing IWAN Interfaces

• Use ACLs, ZBFW or an ASA to block all traffic to the routers except the DMVPN tunnel traffic
• Zone-Based Firewall (ZBFW) at the branch if there are plans for direct Internet access
• Typical ACL for protecting the Internet interface:

(Figure: branch with DSL via ISP A and cable via ISP C to ASR 1000 hubs in the data center.)

```ios
interface GigabitEthernet0/0
 ip vrf forwarding INET-PUBLIC1
 ip access-group ACL-INET-PUBLIC in
!
ip access-list extended ACL-INET-PUBLIC
 ! IKE: NAT-T (UDP 4500) and ISAKMP (UDP 500), accepted from any peer,
 ! so IKE authentication is what actually keeps strangers off the tunnel
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 ! ESP carrying the DMVPN tunnels
 permit esp any any
 ! DHCP replies for the provider-assigned WAN address
 permit udp any any eq bootpc
 ! ICMP for reachability tests (the WAN address answers pings from anyone)
 permit icmp any any echo
 permit icmp any any echo-reply
 ! ICMP and UDP probes used by traceroute
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 permit udp any any gt 1023 ttl eq 1
 ! everything else, including SSH/SNMP/routing protocols, hits the implicit deny
```
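Putting the front-door VRF, the interface ACL above and the DMVPN transport-independent design together, the following is a minimal branch spoke configuration for the Internet transport. It is an added example written for this page, not configuration from the deck or from a Cisco validated design. The VRF and ACL names come from the slide; the tunnel number, addresses, NHRP identifiers and the hub's public (NBMA) address 198.51.100.1 are assumed, and the pre-shared key stands in for the certificate-based (802.1AR) authentication a production deployment would use.

```ios
! Added example (not from the deck): branch spoke, Internet transport, with
! the front-door VRF, the interface ACL from the slide and a DMVPN tunnel
! protected by IKEv2 / AES-GCM-256. Addresses and identifiers are assumed.
!
! Provider-facing VRF. The slide's "ip vrf forwarding" is the legacy form;
! a VRF created with "vrf definition" uses "vrf forwarding" instead.
ip vrf INET-PUBLIC1
 rd 65512:1
!
interface GigabitEthernet0/0
 description Internet (ISP A), provider-assigned address via DHCP
 ip vrf forwarding INET-PUBLIC1
 ip address dhcp
 ip access-group ACL-INET-PUBLIC in
 no cdp enable
!
! The DHCP-learned default route lands in INET-PUBLIC1 only; the global
! (enterprise) table has no route through this interface.
!
! IKEv2 proposal: AES-GCM is an AEAD cipher, so no separate integrity
! algorithm is listed, but a PRF must be named explicitly.
crypto ikev2 proposal AES-GCM-256
 encryption aes-gcm-256
 prf sha512
 group 19
!
crypto ikev2 policy IWAN-INET
 match fvrf INET-PUBLIC1
 proposal AES-GCM-256
!
! Placeholder secret: production deployments authenticate with certificates
! (802.1AR SUDI) through a PKI trustpoint instead of a shared key.
crypto ikev2 keyring DMVPN-KEYRING
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key REPLACE-WITH-STRONG-SECRET
!
! "match fvrf" binds the IKE session to the provider VRF
crypto ikev2 profile IWAN-INET-PROFILE
 match fvrf INET-PUBLIC1
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN-KEYRING
!
crypto ipsec transform-set AES256-GCM-TRANSPORT esp-gcm 256
 mode transport
!
crypto ipsec profile DMVPN-INET
 set transform-set AES256-GCM-TRANSPORT
 set ikev2-profile IWAN-INET-PROFILE
!
! DMVPN spoke tunnel. "tunnel vrf" sources the GRE/IPsec packets from the
! provider VRF while the tunnel's own address lives in the global VRF, so
! the encrypted tunnel is the only path between the two.
interface Tunnel11
 description DMVPN over Internet
 ip address 10.6.36.11 255.255.252.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication CHANGEME
 ip nhrp network-id 101
 ip nhrp nhs 10.6.36.1 nbma 198.51.100.1 multicast
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 101
 tunnel vrf INET-PUBLIC1
 tunnel protection ipsec profile DMVPN-INET
```

Two checks confirm the isolation the slide describes: "show ip route vrf INET-PUBLIC1" should contain only the connected provider subnet and the DHCP-learned default, and "show ip route 0.0.0.0" in the global table should show no path through GigabitEthernet0/0. "show crypto ikev2 sa" and "show dmvpn" then confirm that the only thing crossing between the two VRFs is the IPsec-protected tunnel. Because the ACL accepts IKE and ESP from any source, IKEv2 authentication is the control that actually keeps strangers off the tunnel, which is why the pre-shared key above is a placeholder rather than a recommendation.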


Intelligent WAN: Direct Cloud Access

(Figure: branch with MPLS (IP-VPN) and Internet transports; direct Internet access from the branch ISR-AX to the public cloud, protected either by ZBFW on the router or by CWS in the cloud.)

• Leverage the local Internet path for public cloud and Internet access
• Improve application performance (right flows to right places)

Solutions
• On premise: Zone-Based Firewall (ZBFW)
• Cloud based: Cloud Web Security (CWS)
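The on-premise option above is the IOS zone-based firewall on the branch router. The following is an added example for this page, not configuration from the deck or from a Cisco validated design: it lets LAN users out to the Internet for web and DNS only, inspects those sessions so that only their return traffic is allowed back in, and keeps the DMVPN tunnels and the LAN in a single inside zone. Interface names, zone names, the NAT source list and the provider gateway address 192.168.254.1 are assumed; the Internet interface is the front-door VRF interface from the previous section.

```ios
! Added example (not from the deck): zone-based firewall for direct Internet
! access on the branch router. Interface, zone and ACL names are assumed.
!
! Interfaces in the same zone may talk freely; traffic between two zones is
! dropped unless a zone-pair permits it. There is deliberately no
! OUTSIDE-to-INSIDE pair: only return traffic of inspected sessions gets in.
zone security INSIDE
zone security OUTSIDE
!
! Only web and DNS go out directly; anything else the LAN sends toward the
! Internet is dropped and logged rather than silently leaking out.
class-map type inspect match-any CM-DIA-WEB
 match protocol http
 match protocol https
 match protocol dns
!
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-DIA-WEB
  inspect
 class class-default
  drop log
!
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! The LAN and the DMVPN tunnels (which carry decrypted enterprise traffic)
! share the inside zone, so branch-to-enterprise traffic is unaffected.
interface GigabitEthernet0/1
 description Branch LAN
 zone-member security INSIDE
 ip nat inside
!
interface Tunnel10
 zone-member security INSIDE
!
interface Tunnel11
 zone-member security INSIDE
!
! Provider-facing interface in the front-door VRF (INET-PUBLIC1)
interface GigabitEthernet0/0
 zone-member security OUTSIDE
 ip nat outside
!
! PAT the branch LAN behind the provider-assigned address. Router-originated
! IKE/ESP is not inside-to-outside traffic and is therefore not translated.
ip access-list extended ACL-NAT-LAN
 permit ip 10.1.1.0 0.0.0.255 any
 permit ip 10.1.2.0 0.0.0.255 any
ip nat inside source list ACL-NAT-LAN interface GigabitEthernet0/0 overload
!
! Global default route whose exit interface sits in the front-door VRF: the
! only global-table route toward the provider, used for Internet-bound
! flows; enterprise prefixes learned over DMVPN are more specific and win.
! (provider gateway address assumed)
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 192.168.254.1
```

Two things change from the transport-only design once this is applied. First, direct Internet sessions now return on GigabitEthernet0/0, so the transport-only inbound ACL from the previous section would drop them before the firewall sees them; remove that ACL and let the zone-pair do the filtering, or keep it only on routers without direct Internet access. Second, traffic addressed to the router itself (IKE, ESP, DHCP, ICMP) passes through the self zone, which IOS permits by default; an OUTSIDE-to-self zone-pair that passes only those protocols closes that gap. "show policy-map type inspect zone-pair sessions" lists the sessions the firewall currently holds open.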


Secure Internet Access with Cisco Cloud Web Security (CWS)

(Figure: branch with WAN1 (IP-VPN) and WAN2 (Internet); the IWAN IPsec VPN carries private cloud traffic, the IOS firewall protects the Internet edge, and the ISR connector redirects web traffic to the CWS towers for web filtering, access policy and malware detection, giving secure public cloud and Internet access.)


Orchestration and Automation


Cisco IWAN Management Portfolio
Covering a broad range of preferences and requirements

Management options on the slide: Cisco Prime Infrastructure (enterprise network management and monitoring), the APIC-EM IWAN App (prescriptive policy automation), and ecosystem partners (application-aware performance management, advanced orchestration).

Customer profiles addressed:
• Customer wants advanced provisioning, life cycle management and customized policies; system-wide network consistency assurance; lean IT or IT network team
• Customer needs a customizable IWAN with end-to-end monitoring; one assurance across the Cisco portfolio from branch to data center; IT network team
• Customer wants considerable automation and operational simplicity; requirements consistent with the prescriptive IWAN validated design; lean IT organization
• Customer is looking for advanced monitoring and visualization; QoS/PfR/AVC configuration, real-time analytics and network troubleshooting; IT network team


IWAN Management Solution Positioning

(Figure: Prime Infrastructure and the IWAN App (on premises or cloud) positioned by provisioning and life cycle management versus visualization and health, customizable versus prescriptive, and advanced versus foundation.)

APIC-EM IWAN App
Site provisioning (screenshots)

APIC-EM IWAN App: Define Application Policy

• Business intent: the network admin tells the controller which applications are relevant for the business
• The controller performs background tasks based on this business logic
• Define the primary path for a group of applications; the controller creates a PfR policy from those paths


Prime Infrastructure for IWAN

• IWAN workflow wizard with PnP
• Template-based IWAN configs
• PfRv3 domain, MC and BR
• AVC one-click provisioning
• QoS provisioning
• Single or dual router branch
• CVD-based, customizable
• AVC readiness assessment
• AVC, QoS and PfR visibility
• Leverages APIC-EM services


Cisco IWAN Product Portfolio


Start with Cisco AX Routers
IWAN Capabilities Embedded in the Router

• One network, unified services: ISR-AX, ISR-4000 AX and ASR1000-AX
• Simplify application delivery: transport independent, secure routing, optimization, control and visibility

Cisco AX Routers: 800 | 1900 | 2900 | 3900 | 4000 | ASR 1000


Why Cisco IWAN?


Intelligent WAN Summary

(Figure: two data centers, DC-West and DC-East, each with ASR-AX border routers (BR), a master controller (MC), WAAS and AVC, joined by a DCI and a WAN core; branches Branch-1 to Branch-513 on ISR-AX routers with vWAAS and AVC, connected over MPLS links (1.5M FD, 256M FD, 512M FD), an MPLS island, ADSL (20M down, 2M up) and the Internet, with CWS for Internet access.)

Transport Independent Design
• Highly available hybrid WAN

Intelligent Path Control
• Performance Routing (PfR) to protect applications and load balance traffic to maximize expensive WAN bandwidth

Application Optimization
• Application Visibility and Control (AVC) to monitor performance
• WAAS + Akamai to reduce bandwidth consumption while improving application experience

Secure Connectivity
• Secure the network from outside threats
• Cloud Web Security (CWS) for improved cloud performance while freeing up WAN bandwidth, without compromising security

IWAN Management
• Cisco and ecosystem partner tools: APIC-EM IWAN App, Prime, LiveAction, GlueWare and more


Cisco Intelligent WAN (IWAN)

(Figure: branch with MPLS (IP-VPN) and Internet transports; secure WAN transport to the private cloud and the virtual private cloud, direct Internet access to the public cloud.)

• Mixed transport WAN with high reliability
• SLAs for business-critical applications
• Centralized security policy for Internet access
• Dramatically lower WAN costs without compromise