Cisco Confidential © 2015 Cisco and/or its affiliates. All rights reserved.
Cisco Intelligent Branch – Enabling the Next Generation Branch
Tammy Getschel, Systems Engineer
May 19, 2016
Housekeeping notes
Thank you for attending Cisco Connect Toronto 2016, here are a few housekeeping notes to ensure we all enjoy the session today.
• Please ensure your cellphones / laptops are set on silent to ensure no one is disturbed during the session
Pressures on the WAN
Emerging Branch Demands
The Application Landscape Is Changing
• Applications are Moving to the DC and Cloud
• Internet Edge Is Moving to the Branch
[Diagram: Branch connected to Data Centers and to the Cloud. Labels: Cloud (SaaS, Google Docs, Office365; Guest WiFi, BYOD, App Updates); Cloud Mobility Apps; Video, VDI, Backup]
Internet as an Extension of Enterprise WAN
• Commodity Transports Viable Now
• Dramatic Bandwidth, Price Performance Benefits
• Higher Network Availability
• Improved Performance Over Internet
Intelligent WAN: Leveraging the Internet
Secure WAN Transport and Internet Access
[Diagram: Branch with Optimized Secure Transport over MPLS (IP-VPN) to Private Cloud and Virtual Private Cloud, and Direct Cloud Access over the Internet to Public Cloud]
1. IWAN Secure transport for private and virtual private cloud access
2. Leverage local Internet path for public cloud and Internet access
Increase WAN transport capacity and app performance cost effectively!
Improve application performance (right flows to right places)
Intelligent WAN (IWAN) Architecture
[Diagram: Unified Branch connected over MPLS, Internet and 3G/4G-LTE to Private Cloud, Virtual Private Cloud and Public Cloud]
• Application Optimization: Enhanced Application Visibility and Performance
• Secure Connectivity: Comprehensive Threat Defense
• Intelligent Path Control: Application Aware Routing
• Transport Independent: Simplified Hybrid WAN
• Management Automation
Transport Independence
Virtualizing the Enterprise WAN
IWAN Transport Independence
Consistent deployment models simplify operations
[Diagram: three deployment models, each a Branch ISR with DMVPN tunnels to Data Center ASR 1000 routers:
IWAN Hybrid: Internet (ISP A) + MPLS (SP B);
IWAN Hybrid/LTE: 4G/LTE (ISP C) + MPLS (SP B);
IWAN Dual MPLS: MPLS (SP A) + MPLS (SP B)]
IWAN Transport Independent Design with Dynamic Multipoint VPN (DMVPN)
• Proven IPsec VPN technology
  Widely deployed, large scale
  Standards based IPsec and routing
  Advanced QoS: hierarchical, per tunnel and adaptive
• Flexible & Resilient
  Over any transport: MPLS, Carrier Ethernet, Internet, 3G/4G, ...
  Hub-and-Spoke with dynamic full mesh topology
  Multiple encryption, key management, routing options
  Multiple redundancy options: platform, hub, transports
• Secure
  Industry certified IPsec and firewall
  NG strong encryption: AES-GCM-256 (Suite B)
  IKE version 2
  IEEE 802.1AR secure unique device identifier
• Simplified IWAN Deployments
  Prescriptive validated IWAN designs
  Automated provisioning: Prime, IWAN-App, Glue
[Diagram: IWAN Hybrid: Branch with DMVPN Purple over the Internet (ISP A) and DMVPN Green over MPLS (SP B) to the Data Center]
Intelligent Path Control
Improving Application Delivery and WAN Efficiency
Getting the Most Out of Your WAN Investment
Benefits of Intelligent Path Control
[Diagram: Branch ISR connected over MPLS and Internet to Data Center ASR 1000 routers]
• Enabling Hybrid WANs: Efficient Distribution of Traffic Based Upon Load or Path Preference
• Application Best Path Based on Quality
• Protection From Carrier Black Holes and Brownouts
Benefits: Lower WAN Costs; Full Utilization of WAN Bandwidth; Improved Application Performance; Higher Application Availability
Intelligent Path Control with PfR
Voice and Video Use-Case
[Diagram: Branch connected over MPLS and Internet to Private Cloud and Virtual Private Cloud]
• PfR monitors network performance and routes applications based on policy
• PfR load balances traffic based upon link utilization levels to efficiently utilize all available WAN bandwidth
Voice/Video take the best delay, jitter, and/or loss path; Voice/Video will be rerouted if the current path degrades below policy thresholds
Other traffic is load balanced to maximize bandwidth
What is Performance Routing (PfR)?
[Diagram: Branch with two Border Routers (BR) over MPLS and Internet to the Data Center Master Controller (MC) and a combined MC+BR]
“Performance Routing (PfR) provides additional intelligence to classic routing to track and verify the quality of a path over a Wide Area Networking (WAN) to determine the best path for application traffic....”
Protecting Critical Applications While Increasing Bandwidth Utilization
Multimedia and Critical Data Policy (paths: SP1 (MPLS) and ISP (FTTH))
• Protect voice and video quality: Latency < 150 ms, Jitter < 20 ms
• Protect Email applications from WAN congestion: Loss < 5%
• Voice and video preferred path SP1
• Email preferred path ISP
• Increase utilization by load sharing
Business App and Load-Balancing Policy (paths: SP1 (MPLS) and ISP (DSL))
• Protect transactional business app from brownouts: delay < 250 ms
• Preferred path SP1 (MPLS)
• Increase WAN bandwidth efficiency by load-sharing traffic over all WAN paths, MPLS + Internet
[Diagram labels: High Jitter Detected (Voice and Video), High Delay Detected (Business App), Best-Effort Traffic on both SP1 (MPLS) and ISP]
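The two policies above can be checked offline with a small path selector. This is an added example, not Cisco code and not how PfR is implemented: it assumes one-way delay, jitter and loss are already measured per path, applies the slide's thresholds and preferred paths, and returns the path a traffic class should use; when no path is in policy it simply stays on the preferred path, which is a simplification.

```python
"""Policy-based path selection with the thresholds from the PfR slides.

Added example (not Cisco code). Voice/video: delay < 150 ms and jitter < 20 ms;
email: loss < 5 %; business app: delay < 250 ms. Preferred paths as on the slide.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PathMetrics:
    delay_ms: float   # measured one-way delay
    jitter_ms: float  # measured jitter
    loss_pct: float   # measured packet loss in percent


# Policy table taken from the slide: preferred path plus the thresholds a
# path must satisfy to be "in policy" for that traffic class.
POLICY = {
    "voice_video":  {"preferred": "SP1", "delay_ms": 150, "jitter_ms": 20},
    "email":        {"preferred": "ISP", "loss_pct": 5},
    "business_app": {"preferred": "SP1", "delay_ms": 250},
}


def in_policy(policy, m):
    """True when every threshold present in the policy holds for m."""
    return (m.delay_ms < policy.get("delay_ms", float("inf")) and
            m.jitter_ms < policy.get("jitter_ms", float("inf")) and
            m.loss_pct < policy.get("loss_pct", float("inf")))


def select_path(app_class, paths):
    """Return the path name for app_class given {path_name: PathMetrics}.

    The preferred path wins while it is in policy; otherwise the first
    alternate that is in policy; if none qualifies, stay on the preferred
    path (a simplification of what PfR does in that case).
    """
    policy = POLICY[app_class]
    preferred = policy["preferred"]
    if in_policy(policy, paths[preferred]):
        return preferred
    for name, m in paths.items():
        if name != preferred and in_policy(policy, m):
            return name
    return preferred


# Constructed measurements: the MPLS path is jittery, the Internet path is lossy.
SAMPLE_PATHS = {
    "SP1": PathMetrics(delay_ms=40, jitter_ms=35, loss_pct=0.1),
    "ISP": PathMetrics(delay_ms=60, jitter_ms=5, loss_pct=6.0),
}

if __name__ == "__main__":
    for cls in POLICY:
        print(f"{cls:13} -> {select_path(cls, SAMPLE_PATHS)}")
```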
Load Balancing
Maximizing Link Utilization to Increase Available Bandwidth
• Traffic distributed across all paths to efficiently use all WAN bandwidth
• Load Balancing based upon link utilization levels
• External links can have different bandwidth capacities
[Diagram: Branch ISR with MPLS = 1.5 Mbps and Internet = 15 Mbps links to Data Center ASR 1000 routers; at 50% utilization of each link, T1 = 750 kbps and 15 Mbps = 7.5 Mbps]
Application Optimization
Make Your IWAN Application Aware
Application Visibility and Control (AVC)
[Diagram: Branch with a proliferation of devices, users and machines; Cisco AVC on the WAN path to DC/Headquarters, Private Cloud and Public Cloud]
Application Performance Visibility
• Application inspection with existing routers
• Rich data collection using NetFlow v9/IPFIX
• Easy to integrate into many reporting tools
Smart Capacity Planning
• Better use of costly bandwidth
• Per-branch and per-application level reporting
Business Objective Enforcement
• Service Level monitoring per application
• Better Analytics to adjust network policies to maintain compliance
Application Performance Monitoring for IWAN
Track and Report Application Flows and Performance
[Diagram: AVC at the Branch, the Enterprise Edge and DC/Headquarters (including CSR) exporting NetFlow v9/IPFIX records; Cisco tools (Prime, APIC-EM) handle provisioning and collecting; partner ecosystem tools collect: LiveAction, Glue Networks, Plixer, Living Objects, CompuWare, CA Technologies]
NetFlow/IPFIX Records (same provisioning, same format)
• Traffic statistics records
• Application Response Time records
• Media monitoring records (Application, Jitter, Loss, etc.)
Cisco WAAS: Enhancing User Experience and WAN Efficiency
Problem
• Application latency
• WAN bandwidth inefficiencies
Solution
• Reduce load: Data redundancy elimination (DRE), compression, and TCP optimization
• Application optimization: Fewer protocol messages and metadata caching
[Chart: Application Bandwidth (Mbps) and Application Latency (Seconds), natively vs. with Cisco WAAS, showing the reduction in bandwidth and the reduction in latency]
Application-Specific Acceleration
Application and protocol awareness
• Eliminate unnecessary chatter
• Save WAN bandwidth
• Pre-populate edge cache as necessary
• Enable disconnected operations
Intelligent protocol acceleration: Read-ahead, prediction, and batching
• Safe data and metadata caching
• Improves application response time
• Provide origin server offload
DRE Hints: Application intelligence signals to DRE & LZ whether to compress and whether to cache
[Diagram: WAN Optimization (DRE/TFO/LZ) with Safe Caching, Read-ahead, Prediction, Batching and DRE Hinting; Origin Server Offloaded]
Optimize and Enhance Thousands of Applications
AX Includes Cisco WAAS WAN Optimization
[Charts, time in seconds, over native WAN vs. first pass optimized with WAAS vs. second pass optimized with WAAS:
Email (5MB Attachment): Send and Receive Email, 24x faster;
File Services (5MB File): File Drag and Drop, 17x faster; Sharepoint File Download;
VDI (Citrix) (5MB Document): Launch Citrix XenDesktop over native Citrix ICA/SSL vs. with WAAS, 30x faster; Site Navigation over native Citrix ICA/SSL vs. with WAAS, 3-8x faster]
IWAN Secure Connectivity
Intelligent WAN: Secure Connectivity
Securing the network and users
[Diagram: Branch with Secure WAN Transport over MPLS (IP-VPN) to Private Cloud and Virtual Private Cloud, and Secure Internet Access over the Internet to Public Cloud]
Two areas of concern
1. Protecting the network from outside threats with data privacy over provider networks
2. Protecting user access to Public Cloud and Internet services; malware, privacy, phishing, …
Securing IWAN Transports with Front-door VRF
Isolation of external networks
• Virtual Routing and Forwarding instances (VRFs) create multiple logical routers on a single device
  Separate control/data planes per VRF
  No connectivity between VRFs by default
  Provider side VRF (yellow) for external networks, Global VRF (blue) for internal networks
• Provider VRF minimizes threat exposure
  Default routing only in Provider VRF
  Provider assigned IP addressing hides internal network
  Provider IP address used as IPsec tunnel source
  Only IPsec allowed between internal Global and Provider Front Side VRFs
[Diagram: Branch LAN (10.1.1.0/24, 10.1.2.0/24, …) in the Global Enterprise VRF; the IPsec tunnel interface is sourced in the Front Side Provider VRF (F-VRF), which holds the provider assigned WAN IP address 192.168.254.254; the VRFs have independent routing and forwarding planes]
Protecting the Public facing IWAN Interfaces
• Use ACLs, ZBFW or ASA to block all traffic except the DMVPN tunnel traffic to routers
• Zone Based Firewall (ZBFW) at the branch if there are plans for direct Internet access
• Typical ACL for protecting the Internet interface
[Diagram: Branch connected over DSL (ISP A) and Cable (ISP C) to Data Center ASR 1000 routers]
interface GigabitEthernet0/0
 ip vrf forwarding INET-PUBLIC1
 ip access-group ACL-INET-PUBLIC in
!
ip access-list extended ACL-INET-PUBLIC
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 permit udp any any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 permit udp any any gt 1023 ttl eq 1
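To see what the ACL above actually lets onto the provider-facing interface, the entries can be replayed against sample packets. This is an added example, not Cisco code: it models each permit entry as a predicate, applies IOS first-match semantics with the implicit deny at the end, and classifies constructed packets (IKE on UDP 500, NAT-T on UDP 4500, ESP, a DHCP reply to bootpc/68, traceroute probes and ICMP, plus SSH and DNS that the list does not cover). Port and ICMP keyword values are the standard IOS ones; addresses are ignored because every entry is "any any".

```python
"""First-match evaluation of ACL-INET-PUBLIC (added example, not Cisco code).
Each permit ACE becomes a predicate; first match wins and anything unmatched
falls through to the implicit 'deny ip any any' at the end of every IOS ACL."""
from dataclasses import dataclass

ISAKMP, NON500_ISAKMP, BOOTPC = 500, 4500, 68   # IOS port keyword values


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp", "tcp", "esp" or "icmp"
    dport: int = 0      # destination port for udp/tcp
    ttl: int = 64       # IP TTL on arrival
    icmp: str = ""      # ICMP message name when proto == "icmp"


# (ACE text, predicate) in the slide's order. Every ACE uses "any any", so
# source and destination addresses play no part in the decision.
ACL_INET_PUBLIC = [
    ("permit udp any any eq non500-isakmp",  lambda p: p.proto == "udp" and p.dport == NON500_ISAKMP),
    ("permit udp any any eq isakmp",         lambda p: p.proto == "udp" and p.dport == ISAKMP),
    ("permit esp any any",                   lambda p: p.proto == "esp"),
    ("permit udp any any eq bootpc",         lambda p: p.proto == "udp" and p.dport == BOOTPC),
    ("permit icmp any any echo",             lambda p: p.proto == "icmp" and p.icmp == "echo"),
    ("permit icmp any any echo-reply",       lambda p: p.proto == "icmp" and p.icmp == "echo-reply"),
    ("permit icmp any any ttl-exceeded",     lambda p: p.proto == "icmp" and p.icmp == "ttl-exceeded"),
    ("permit icmp any any port-unreachable", lambda p: p.proto == "icmp" and p.icmp == "port-unreachable"),
    ("permit udp any any gt 1023 ttl eq 1",  lambda p: p.proto == "udp" and p.dport > 1023 and p.ttl == 1),
]


def evaluate(acl, pkt):
    """Return (action, ACE text) for one inbound packet."""
    for text, pred in acl:
        if pred(pkt):
            return "permit", text
    return "deny", "implicit deny ip any any"


# Constructed packets arriving inbound on the provider-facing interface.
SAMPLES = {
    "IKE":        Packet("udp", dport=500),
    "IKE NAT-T":  Packet("udp", dport=4500),
    "ESP":        Packet("esp"),
    "DHCP reply": Packet("udp", dport=68),
    "traceroute": Packet("udp", dport=33434, ttl=1),
    "ping":       Packet("icmp", icmp="echo"),
    "SSH":        Packet("tcp", dport=22),   # not listed: implicit deny
    "DNS":        Packet("udp", dport=53),   # not listed: implicit deny
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        action, entry = evaluate(ACL_INET_PUBLIC, pkt)
        print(f"{name:11} {action:6} ({entry})")
```

Note that the same UDP probe is permitted only while its TTL is 1; with a normal TTL it falls through to the implicit deny, which is the behaviour the last ACE is relying on.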
Intelligent WAN—Direct Cloud Access
[Diagram: Branch with MPLS (IP-VPN) to Private Cloud and Virtual Private Cloud, and Direct Internet Access to Public Cloud through an ISR-AX running ZBFW and connected to CWS]
• Leverage Local Internet path for Public Cloud and Internet access
• Improve application performance (right flows to right places)
Solutions
• On Premise: Zone Based Firewall
• Cloud Based: Cloud Web Security
Secure Internet Access with Cisco Cloud Web Security (CWS)
[Diagram: Branch with WAN1 (IP-VPN) carrying the IWAN IPsec VPN for Private Cloud traffic and WAN2 (Internet) to the Public Cloud; IOS Firewall protects the Internet edge; ISR connector to CWS firewall towers]
• Secure Public Cloud and Internet Access
• ISR Connector to CWS Firewall towers
• Web Filtering, Access Policy, Malware Detect
Orchestration and Automation
Cisco IWAN Management Portfolio
Covering a broad range of preferences and requirements
• Customer wants advanced provisioning, life cycle management, and customized policies
• System-wide network consistency assurance
• Lean IT OR IT Network team
Cisco Prime Infrastructure
• Customer needs customizable IWAN with end-to-end monitoring
• One Assurance across Cisco portfolio from Branch to Datacenter
• IT Network team
Enterprise Network Mgmt and Monitoring
Ecosystem Partners
IWAN App
• Customer wants considerable automation and operational simplicity
• Requirements consistent with prescriptive IWAN Validated Design
• Lean IT organization
Prescriptive Policy Automation
• Customer looking for advanced monitoring and visualization
• QoS/ PfR/ AVC configuration, Real-time analytics and network troubleshooting
• IT Network team
Application Aware Performance Mgmt
Advanced Orchestration
IWAN Management Solution Positioning
[Chart: axes Provisioning & Life Cycle Management vs. Visualization & Health, ranging Prescriptive to Customizable and Foundation to Advanced; labels: Prime, IWAN App (On Prem, Cloud), Infrastructure ASR 1000]
APIC-EM IWAN App: Site provisioning
APIC-EM IWAN App: Define Application Policy
• Business Intent: the network admin informs the controller what applications are relevant for the business
• The controller is going to perform background tasks based on this business logic
APIC-EM IWAN App: Define Application Policy
• Define primary path for group of applications
• The controller will create a PfR policy based on those paths.
IWAN App: Define Application Policy
Prime Infrastructure for IWAN
• IWAN workflow wizard with PnP
• Template-based IWAN configs
• PfRv3 Domain, MC and BR
• AVC One-Click provision
• QoS Provisioning
• Single or Dual Router Branch
• CVD-based, Customizable
• AVC Readiness Assessment
• AVC, QoS, PfR Visibility
• Leverages APIC EM services
Cisco IWAN Product Portfolio
Start with Cisco AX Routers
IWAN Capabilities Embedded in the Router
[Diagram: ISR-AX, ISR-4000 AX and ASR1000-AX deliver unified services on one network: Transport Independent, Secure Routing, Optimization, Control, Visibility; Simplify Application Delivery]
Cisco AX Routers: 800 | 1900 | 2900 | 3900 | 4000 | ASR 1000
Intelligent WAN Summary
[Diagram: Branch-1 through Branch-513 (ISR-AX with vWAAS, AVC and BR) over MPLS and Internet/ADSL links (labels: 20M Dn / 2M Up, 512M FD, 1.5M FD, 256M FD, ATBT MPLS Island, ShowMe$$) to DC-West and DC-East (ASR-AX with WAAS, AVC, MC and BR) joined by DCI and the WAN Core; CWS for Internet access]
Transport Independent Design
• Highly available Hybrid WAN
Intelligent Path Control
• Performance Routing (PfR) to protect applications and load balance traffic to maximize expensive WAN bandwidth
Application Optimization
• Application Visibility and Control (AVC) to monitor performance
• WAAS + Akamai to reduce bandwidth consumption while improving application experience
Secure Connectivity
• Secure the network from outside threats
• Cloud Web Security (CWS) for improved Cloud performance while freeing up WAN bandwidth, without compromising security
IWAN Management
• Cisco and Ecosystem Partner tools: APIC-EM IWAN-APP, Prime, LiveAction, GlueWare, and more
Cisco Intelligent WAN (IWAN)
[Diagram: Branch with Secure WAN Transport over MPLS (IP-VPN) to Private Cloud and Virtual Private Cloud, and Direct Internet Access to Public Cloud]
• Mixed Transport WAN with High Reliability
• SLAs for Business-Critical Applications
• Centralized Security Policy for Internet Access
• Dramatically Lower WAN Costs Without Compromise