Intelligent WAN (IWAN) Architecture
Peyton Schouest
Systems Engineer
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
• Intelligent WAN Overview
• Transport Independent Design
• Intelligent Path Control
• Application Optimization
• Secure Connectivity
• IWAN Management
• IWAN Portfolio
• Summary
Emerging Branch Demands: Application Landscape is Changing
Applications Are Moving to the Data Center and Cloud
Internet Edge Is Moving to the Branch
[Figure: Branch, Cloud and Data Centers; pressures on the WAN: Cloud (50% of CIOs expect to operate via the cloud by 2015), Mobility (6X more mobile data traffic by 2015), Fat Apps (2/3 of mobile traffic will be video)]
Enterprise WAN: What’s Going on?
• WAN bandwidth needs are growing!
 – Cloud, BYOD/IOE and Video making it worse
• IT budgets flat or declining
 – Transport/bandwidth costs are majority of WAN budget
• These factors are driving WAN modernization
 – Lower cost transports: Internet, LTE, Carrier Ethernet
 – Cloud application performance monitoring and optimization
 – Security: strong encryption and threat protection
Cisco IWAN addressing this market demand!
Cloud: 50% of CIOs Expect to Operate via the Cloud by 2015
Mobility: 6X More Mobile Data Traffic by 2015
Fat Apps: 2/3 of Mobile Traffic Will Be Video
Third-Party Lab Test: Chromebook vs. Windows 8 Laptop
Chromebook creates more traffic than Windows PC
• Chromebook creates as high as 692.2 times more network traffic
• On average, Chromebook creates 152 times more network traffic
http://principledtechnologies.com/Microsoft/Chromebook_PC_network_traffic_0613.pdf
[Chart: network traffic generated by an Asus VivoBook S200E notebook running Microsoft Windows 8 versus a Chromebook across seven tasks: Document Manipulation, Photo Manipulation, Video Manipulation, Music Manipulation, Web Browsing, Note Taking and Test Taking]
Internet Becoming an Extension of Enterprise WAN
Commodity Transports Viable Now
Dramatic Bandwidth, Price Performance Benefits
Higher Network Availability
Improved Performance Over Internet
Low-Cost Alternative: Why is the Internet viable now?
46% of Organizations Are Planning to Transition to Internet Connections
[Chart: Internet Pricing vs. Reliability, 1998-2012]
1 Internet Transit Pricing based on surveys and informal data collection primarily from Internet Operations Forums: ‘street pricing’ estimates
2 Packet delivery based on 15 years of ping data from PingER for WORLD (global server sample) from EDU.STANFORD.SLAC in California
Source: William Norton (DrPeering.net); Stanford ping end-to-end reporting (PingER)
Leveraging the Internet Pays Off Fast
EXAMPLE: San Francisco Single MPLS VPN vs. Dual Business Internet ($ per Month)
[Chart: monthly price at 1.5 Mbps and 10 Mbps for MPLS VPN CoS1, CoS2 and CoS3 versus iWAN with Dual Internet Links Combined for Ent SLA; iWAN is 75% lower]
$665 Savings/Month x 12 Months x 1,000 Sites = $8M Savings per Year
Source: Telegeography MPLS VPN pricing for San Francisco as of March 2013; Comcast Web site; Verizon website
Intelligent WAN: Leveraging the Internet. Secure WAN Transport and Internet Access
[Figure: Branch connected over MPLS (IP-VPN) and Internet; Optimized Secure Transport to Private Cloud and Virtual Private Cloud; Direct Internet Access to Public Cloud]
1. IWAN Secure transport for private and virtual private cloud access
2. Leverage local Internet path for public cloud and Internet access
! Increase WAN transport capacity and app performance cost effectively!
! Improve application performance (right flows to right places)
Intelligent WAN: Leveraging the Internet. So What is New Here?
[Figure: Branch with Optimized Secure Transport over MPLS (IP-VPN) and Internet to Private Cloud and Virtual Private Cloud, and Direct Internet Access to Public Cloud]
• Mixed transport WANs with High Reliability
• SLOs for Business-Critical Applications
• Centralized Security Policy for Internet Access
• Dramatically Lower WAN Costs Without Compromise
Intelligent WAN Deployment Models
• Dual MPLS (Branch with two MPLS transports)
 ✓ Highest SLA guarantees
 – Tightly coupled to SP
 ✗ Expensive
• Hybrid (Branch with MPLS + Internet)
 ✓ More BW for key applications
 ✓ Balanced SLA guarantees
 – Moderately priced
• Dual Internet (Branch with two Internet transports)
 ✓ Best price/performance
 ✓ Most SP flexibility
 – Enterprise responsible for SLAs
Consistent VPN Overlay Enables Security Across Transition
Intelligent WAN Solution Components
[Figure: Branch running AVC, WAAS and PfR, connected over MPLS, Internet and 3G/4G-LTE to Private Cloud, Virtual Private Cloud and Public Cloud]
Transport Independent
• Consistent operational model
• Simple provider migrations
• Scalable and modular design
• IPsec routing overlay design
Intelligent Path Control
• Dynamic Application best path based on policy
• Load balancing for full utilization of bandwidth
• Improved availability
Application Optimization
• Application visibility with performance monitoring
• Application acceleration and bandwidth optimization
Secure Connectivity
• Certified strong encryption
• Cloud Managed Security for secure direct Internet access
• Comprehensive threat defense
Control & Management with Automation
IWAN Vision and Strategy
[Figure: evolution phases Intelligent, Virtualization, Automation, Cloud Integration, Service Virtualization, Self Learning Networks]
• Secure VPN Overlay, Any Transport, Bandwidth Efficiency, Application SLA
• Secure, Simple, Centralized Policy Automation
• ACI Policies, Inter-Cloud Mobility, Optimization, AMP
• vRouter, vService and App Orchestration
• Predictive, Self Directed
IWAN Vision and Strategy: Systems Development evolution of IWAN Framework
[Figure: the same phases (Intelligent, Virtualization, Automation, Cloud Integration, Service Virtualization, Self Learning Networks) built on the IWAN Framework pillars: Transport Independent Design, Intelligent Path Control, Application Optimization, Secure Connectivity, Management & Orchestration]
Incremental improvements while delivering new use-cases
IWAN: An Architectural and Systems Approach
• IWAN is a Solution Architecture
 – Solves a network problem
 – Use Case Driven
 – Systems Development Approach
• Prescribed. Tested. Interoperable.
 – Bounded Scope and Complexity
 – Enables Automation and Quality
• Delivers Business Outcomes
 – Reduce Operational Complexity
 – Reduce WAN costs, Increase bandwidth
 – Improve Application Performance
 – Direct Internet Access
 – Guest Access Offload
IWAN Roadmap Overview
IWAN 1.0 (Intelligent Virtualization) | IWAN 2.0 (Automation, Q4 CY2014, New)
• Domain Scale: Hundreds of Branches | Large Scale (2000 Branches)
• Transport Independence: Secure VPN Overlay (DMVPN Phase 2) | VPN Scalability (DMVPN Phase 3)
• Intelligent Path Control: 2nd Generation Path Control, PfRv2 | Simplified Path Control, PfRv3 (Centralized Provisioning, Large Scale)
• Application Optimization: AVC, WAAS | Adaptive AVC (Performance Optimization), Adv. QoS (Adaptive Shaping, Local Admission), Akamai Connect
• Secure Connectivity: IPSec Suite-B crypto, IOS ZBFW Firewall, Cloud Web Security (CWS) | Key Management Automation (PKI Certificate/Trust Automation)
• Management: Cisco Prime, LiveAction, Glue Networks; Site-by-Site Provisioning, CVD-based: QoS, AVC, PfR | Prime Infrastructure 2.2: Transport Ind. Design (DMVPN), Application Optimization (AVC), Automated Deployment Workflow Wizards; APIC-EM EFT: PKI Automation
Transport-Independent Design Virtualizing the Enterprise WAN
Flexible, Secure IWAN Over Any Transport
Simplifies WAN Design | Dynamic Full-Meshed Connectivity | Proven Robust Security
Flexible
• Easy multi-homing over any WAN service offering
• Single routing control plane with minimal peering to the provider
• Consistent design over all transports
Secure
• Automatic site-to-site IPsec tunnels
• Zero-touch hub configuration for new spokes
• Certified crypto and firewall for compliance
• Scalable design with high-performance cryptography in hardware
[Figure: Transport-Independent design; ISR-G2 at the Branch and an ASR 1000 pair at the Data Center, WAN over Internet and MPLS]
IWAN Transport Independent Design with Dynamic Multipoint VPN (DMVPN)
• Proven IPsec VPN technology
 – Widely deployed, large scale
 – Standards based IPsec and Routing
 – Adv QOS: hierarchical, per tunnel and adaptive
• Flexible & Resilient
 – Over any transport: MPLS, Carrier Ethernet, Internet, 3G/4G, ..
 – Hub-n-Spoke and Spoke-to-Spoke Topologies
 – Multiple encryption, key management, routing options
 – Multiple redundancy options: platform, hub, transports
• Secure
 – Industry Certified IPsec and Firewall
 – NG Strong Encryption: AES-GCM-256 (Suite B)
 – IKE Version 2
 – IEEE 802.1AR Secure unique device identifier
• Simplified IWAN Deployments
 – Prescriptive validated IWAN designs
 – Automated provisioning: Prime, APIC, Glue
[Figure: IWAN Hybrid; Branch to Data Center over Internet (ISP A) and MPLS (SP V) with two DMVPN clouds, DMVPN Purple and DMVPN Orange]
Dynamic Multipoint VPN (DMVPN)
• Branch spoke sites establish an IPsec tunnel to and register with the hub site
• IP routing exchanges prefix information for each site
• BGP or EIGRP are typically used for scalability
• Only the WAN IP addresses need to be known by the WAN transport
• WAN interface IP address can be used for the tunnel source address
• Data traffic flows over the DMVPN tunnels
• When traffic flows between spoke sites, dynamic site-to-site tunnels are established
• Per-tunnel QOS is applied to prevent hub site oversubscription to spoke sites
[Figure: Secure on-demand tunnels. Traditional static tunnels need static, known IP addresses; DMVPN on-demand tunnels work with dynamic, unknown IP addresses. Branch 1, Branch 2 ... Branch n (ISR G2) form IPsec VPN tunnels to the Hub (ASR 1000)]
Hybrid WAN Designs: Traditional and IWAN
Traditional Hybrid (ISR-G2 branch, ASR 1000 pair at the Data Center; GETVPN over MPLS (SP V) and DMVPN over Internet (ISP A))
• Two IPsec Technologies: GETVPN/MPLS, DMVPN/Internet
• Two WAN Routing Domains: MPLS: eBGP or Static; Internet: iBGP, EIGRP or OSPF; Route Redistribution, Route Filtering, Loop Prevention
• Active/Standby WAN Paths: Primary With Backup
IWAN Hybrid (same platforms; DMVPN over both MPLS and Internet)
• One IPsec Overlay: DMVPN
• One WAN Routing Domain: iBGP, EIGRP, or OSPF; Minimal route filtering
• Active/Active WAN Paths
IWAN Transport Independence: Consistent deployment models simplify operations
[Figure: three deployment models, each with an ISR-G2 branch router, an ASR 1000 pair at the Data Center and one DMVPN overlay per transport:
• IWAN Hybrid: Internet (ISP A) + MPLS (SP V)
• IWAN Dual Internet: Internet (ISP A, DSL) + Internet (ISP C, Cable)
• IWAN Dual MPLS: two MPLS transports]
IWAN Self, Integrator, or Provider Managed
[Figure: two IWAN Hybrid deployments, each with an ISR-G2 branch and an ASR 1000 pair at the Data Center: one self or integrator managed with transports from ISP A (DSL) and ISP C (Cable), one with a Managed Service Provider (MSP)]
Self/Integrator Managed
• Hybrid or Internet Models
• Ownership of Service Levels
• Competitive Provider Selection
Managed Service Provider
• Hybrid Model Typical
• Increases HA Diversity
• Competitive Service Offering
What if the CPE is Owned and Managed by an MSP? ISR-AX: IWAN Services Gateway
• Lower cost than overlay appliances
• Integrated services gateway incl AX, SEC, UC, Compute
• Internet path for extra capacity
• Direct Internet Access for improved SaaS Cloud performance
[Figure: Branch ISR-AX (AVC, WAAS, PfR) behind the MSP router (MSP-RT) on MPLS and the ISP router (ISP-RT) on the Internet, reaching ASR 1000 routers at the Data Center]
Building Highly Resilient WANs: Redundancy and Path Diversity Matter
• Single router, single path (ISR G2): MPLS 99.95%*, Internet 99.90%*; Downtime per Year 4–9 Hours (MPLS), 8 Hours 46 Minutes (Internet)
• Single router, dual paths (ISR G2): MPLS + MPLS, MPLS + Internet, or Internet + Internet: 99.995%; Downtime per Year 26 Minutes
• Dual routers, dual paths, the IWAN Solution (two ISR G2): MPLS + Internet, Internet + Internet, or MPLS + MPLS: 99.999%; Downtime per Year 5 Minutes
* Typical MPLS and Business Grade Broadband Availability SLAs and Downtime per Year, calculated with Cisco AS DAAP tool.
Traditional to IWAN Transition: Migration Steps
• Adding DMVPN to MPLS WAN
• Replacing a WAN service with an Internet service
• Other interesting IWAN topologies
[Figure: migration topologies numbered 0 to 5 on ISR G2 branch routers, combining MPLS, Internet and 3G/4G-LTE transports]
* Typical MPLS and Business Grade Broadband Availability SLAs and Downtime per Year.
IWAN Automated Secure VPN (1H2015)
[Figure: Intelligent Branch (AX) over ISP, MPLS, 4G and Metro-E to a Resilient WAN POP, the Enterprise WAN Core, DC, Large Site and Campus; APIC controller; Optional External Certificate Authority; Embedded Trust Devices]
• Secure Boot Strap: Automatic Configuration and Trust Establishment
• Dynamic VPN Establishment
• Key and Certificate Controller (IWAN App, Prime, 3rd Party): Deploy, Search, Retrieve, Revoke
• Configuration Orchestration
• Automatic Session Key Refresh (IKEv2)
• Trust Revocation
IWAN Transport Best Practices
• Private peering with Internet providers
 – Use same Internet provider for hub and spoke sites
 – Avoids Internet Exchange bottlenecks between providers
 – Reduces round trip latency
• DMVPN Phase 3
 – Scalable dynamic site-to-site tunnels
 – Separate DMVPN per transport for path diversity
 – Per tunnel QOS
 – NG Encryption: IKEv2 + AES-GCM-256 encryption
• Transport settings
 – Use the same MTU size on all WAN paths
 – Bandwidth settings should match offered rate
• Routing Overlay
 – iBGP or EIGRP for high scale (1000+ sites)
 – Single routing process, simplified operations
 – Front-side VRF to isolate external interfaces
[Figure: IWAN Hybrid; Branch to Data Center over Internet (ISP A) and MPLS (SP V), DMVPN Purple and DMVPN Green]
Intelligent Path Control Improving Application Delivery and WAN Efficiency
Getting the Most Out of Your WAN Investment: Benefits of Intelligent Path Control
[Figure: ASR 1000 pair at the Data Center and ISR G2 at the Branch (WAAS, PfR, AVC) over MPLS and Internet]
• Enabling Internet-Based WANs
• Efficient Distribution of Traffic Based Upon Load, Circuit Cost, and Path Preference
• Per Application Best Path Based on Delay, Loss, Jitter Measurements
• Protection From Carrier Black Holes and Brownouts
Outcomes: Lower WAN Costs; Full Utilization of WAN Bandwidth; Improved Application Performance; Higher Application Availability
Intelligent Path Control with PfR: Voice and Video Use-Case
[Figure: Branch over MPLS and Internet to Private Cloud and Virtual Private Cloud]
• PfR monitors network performance and routes applications based on application performance policies
• PfR load balances traffic based upon link utilization levels to efficiently utilize all available WAN bandwidth
• Voice/Video take the best delay, jitter, and/or loss path
• Voice/Video will be rerouted if the current path degrades below policy thresholds
• Other traffic is load balanced to maximize bandwidth
What is Performance Routing (PfR)?
[Figure: Branch (MC+BR) over DSL and Cable to a Data Center with an MC and two BRs]
“Performance Routing (PfR) provides additional intelligence to classic routing to track and verify the performance quality of a path between two devices over a Wide Area Networking (WAN) to determine the best path for application traffic....”
• Cisco IOS technology
• Two components: Master Controller, Border Router
PfR Enhances Classical Routing (Classical + PfR)
Path Control
• Classical: Topological state; Least cost path; Static user preference
• PfR: Application-aware; Policy controlled; Measured performance
Metrics
• Classical: Path cost; Interface state
• PfR: Delay; Jitter; Bandwidth
Adaptive
• Classical responds to: Link and node state changes (up/down)
• PfR responds to: Measured performance changes (degradation)
Protecting Critical Applications While Increasing Bandwidth Utilization
Multimedia and Critical Data Policy (SP1 (MPLS) and ISP (FTTH))
• Protect voice and video quality: Latency < 150 ms, Jitter < 20 ms
• Protect Email applications from WAN congestion: Loss < 5%
• Voice and video preferred path SP1
• Email preferred path ISP
• Increase utilization by load sharing
[Figure: High Jitter Detected; Voice and Video rerouted, Best-Effort Traffic load-shared over both paths]
Business App and Load-Balancing Policy (SP1 (MPLS) and ISP (DSL))
• Protect transactional business app from brownouts: delay < 250ms
• Preferred path SP1 (MPLS)
• Increase WAN bandwidth efficiency by load-sharing traffic over all WAN paths, MPLS + Internet
[Figure: 300ms Delay Detected; Business App rerouted, Best-Effort Traffic load-shared over both paths]
Load Balancing: Maximizing Link Utilization to Increase Available Bandwidth
• External link Load Balancing by default
• PfR distributes traffic across a set of links to maintain efficient utilization levels within a defined percentage range. Default utilization range is +/- 20%
• External links can have different available bandwidth, e.g., Int 1/0 = 1.5Mbps, Int 1/1 = 15Mbps
• Load Balancing defaults can be modified by CLI
 – Utilization Range
 – Max Utilization 90%
[Figure: ISR-G2 branch to an ASR 1000 pair at the Data Center over MPLS and Internet; 50% of a T1 = 750kbps, 50% of 15Mbps = 7.5Mbps]
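The following Python model is added here to tie together the policy slide (voice/video, email and business-app thresholds with a preferred path) and this load-balancing slide; it is not Cisco's PfR code. It reduces the master controller to two decisions: keep a traffic class on its preferred path while that path meets the class thresholds, otherwise fail over to an in-policy alternative; and keep external-link utilization within the default +/- 20% range and under the 90% maximum. Link names, capacities and measurements are constructed.

```python
"""Simplified model of the PfR decisions on the policy and load-balancing slides.

Added illustration, not Cisco's PfR implementation. Thresholds follow the slides
(voice/video: delay < 150 ms, jitter < 20 ms; email: loss < 5%; business app:
delay < 250 ms); link names, capacities and path measurements are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Policy:
    """Per-traffic-class policy: preferred exit plus optional thresholds."""
    name: str
    preferred: str
    max_delay_ms: Optional[float] = None
    max_jitter_ms: Optional[float] = None
    max_loss_pct: Optional[float] = None


@dataclass
class PathStats:
    """Measured performance of one WAN path toward a site."""
    delay_ms: float
    jitter_ms: float
    loss_pct: float


@dataclass
class Link:
    """External link with its capacity and current offered load."""
    name: str
    capacity_kbps: float
    load_kbps: float = 0.0

    @property
    def utilization_pct(self) -> float:
        return 100.0 * self.load_kbps / self.capacity_kbps


def in_policy(policy: Policy, stats: PathStats) -> bool:
    """A path is in policy when every threshold the class defines is met."""
    checks = [
        (policy.max_delay_ms, stats.delay_ms),
        (policy.max_jitter_ms, stats.jitter_ms),
        (policy.max_loss_pct, stats.loss_pct),
    ]
    return all(limit is None or measured < limit for limit, measured in checks)


def choose_path(policy: Policy, paths: Dict[str, PathStats]) -> str:
    """Stay on the preferred path while it is in policy; otherwise move to the
    best in-policy alternative; if nothing is in policy, keep the preferred path."""
    if in_policy(policy, paths[policy.preferred]):
        return policy.preferred
    candidates = [n for n, s in paths.items() if n != policy.preferred and in_policy(policy, s)]
    if not candidates:
        return policy.preferred
    # Rank alternatives by loss, then jitter, then delay (a simplification).
    return min(candidates, key=lambda n: (paths[n].loss_pct, paths[n].jitter_ms, paths[n].delay_ms))


def load_balanced(links: List[Link], range_pct: float = 20.0, max_util_pct: float = 90.0) -> bool:
    """PfR default: no link above max_util_pct, and the spread between the most
    and least utilized link within range_pct (the +/- 20% on the slide)."""
    utils = [link.utilization_pct for link in links]
    return max(utils) <= max_util_pct and (max(utils) - min(utils)) <= range_pct


def place_flow(links: List[Link], flow_kbps: float, max_util_pct: float = 90.0) -> Optional[str]:
    """Put a best-effort flow on the least utilized link that can carry it without
    exceeding max_util_pct; None means every link would be oversubscribed."""
    for link in sorted(links, key=lambda l: l.utilization_pct):
        if 100.0 * (link.load_kbps + flow_kbps) / link.capacity_kbps <= max_util_pct:
            link.load_kbps += flow_kbps
            return link.name
    return None


if __name__ == "__main__":
    # Constructed sample: MPLS path degraded to 300 ms delay, Internet path healthy.
    measured = {"MPLS": PathStats(300.0, 5.0, 0.0), "INET": PathStats(40.0, 10.0, 0.5)}
    voice = Policy("voice-video", "MPLS", max_delay_ms=150, max_jitter_ms=20)
    bizapp = Policy("business-app", "MPLS", max_delay_ms=250)
    print(choose_path(voice, measured), choose_path(bizapp, measured))  # INET INET
    # Slide figures: 50% of a T1 (1.5 Mbps) = 750 kbps, 50% of 15 Mbps = 7.5 Mbps.
    links = [Link("MPLS", 1500, 750), Link("INET", 15000, 7500)]
    print(load_balanced(links), place_flow(links, 2000))  # True INET
```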
PfR Evolution: Simplification and Scale
• PfR/OER: Internet Edge; Basic WAN; Provisioning per site per policy; 1000s of lines of config
• PfRv2: Policy simplification; App Path Selection; Blackout ~6s; Brownout ~9s; Scale 500 sites; 10s of lines of config
• PfRv3 (2014, IWAN 2.0): Centralized provisioning; AVC Infrastructure; VRF Awareness; Blackout ~2s; Brownout ~2s; Scale 2000 sites; Small Branch config
Performance Routing: Components
• The Decision Maker: Master Controller (MC)
 – Discover BRs, collect statistics
 – Apply policy, verification, reporting
 – No packet forwarding/inspection required
• The Forwarding Path: Border Router (BR)
 – Gain network visibility in forwarding path (Learn, measure)
 – Enforce MC’s decision (path enforcement)
 – Does all packet forwarding
• The Policy Controller: Domain Controller (DC)
 – Discover site peers, prefixes and connected networks
 – Advertise policy and services
 – One per domain, collocated with MC
[Figure: Branch MC+BR over DSL and Cable to the Data Center DC/MC with two BRs]
PfR Domain Controller
• Domain Controller Peering Framework
 – Site MCs register to Domain
 – Advertise to, or request services
 – Simplifies deployment and configuration
 – Provides topology auto-discovery
• Single point of configuration across the domain
• Used to distribute information to sites:
 – Learned site-prefix
 – Application/Traffic Policies
 – Performance monitoring
 – Traffic Class Database
Scaling: recommended 2000 sites max
[Figure: Domain Controller (DC/MC, Master Controller) with BRs over WAN1 and WAN2 to sites running MC/BR or BR]
How PfR Works: Key Operations
1. Define Your Traffic Policy: Define Traffic Classes and service level Policies based on Applications or Transport Classifiers
2. Learn the Traffic (Learning Active TCs): Border Routers learn current traffic classes going to the WAN based on classifier definitions
3. Measurement (Performance Measurements): Measure the traffic flow and network performance and report metrics to the Master Controller
4. Path Enforcement (Best Path): Master Controller commands path changes based on traffic class policy definitions
[Figure: ASR1K hub BRs and ISR G2 branch MC+BRs, with the MC coordinating each step]
Dual POPs – Different Prefix
• Requirements:
 – Separate datacenters/POPs
 – Separate prefix advertised from each datacenter to spokes
• POP2 Hub MC: Configured as Branch
[Figure: IWAN POP1 (Hub MC 10.8.3.3/32, DC/MC1, BR1 and BR2; advertises 10.8.0.0/16, 10.0.0.0/8 and 0.0.0.0 via EIGRP/BGP) and IWAN POP2 (MC 10.9.3.3/32, MC2, BR3 and BR4; advertises 10.9.0.0/16, 10.0.0.0/8 and 0.0.0.0 via EIGRP/BGP) over DMVPN MPLS and DMVPN INET to branches R10–R13 with prefixes 10.1.10.0/24–10.1.13.0/24]
PfRv3 Multiple Next Hop Limitation
• Issues:
 – PfRv3 manages traffic between Tunnel Interfaces, not multiple tunnels within a single Tunnel Interface
 – Spokes have multiple next hops on the same DMVPN tunnel Interface
 – Channel definition: local site id + remote site id + DSCP + color(SP)
 – No differentiation for multiple channels within a color(SP)
• Solution: PfRv3 DMVPN Multiple Next Hop support
 – Need to add sub-color to differentiate channels
 – New channel definition: local site id + remote site id + DSCP + color(SP) + SP tag
 – BR1 with tag 1, BR2 with tag 2
• Targeted for Spring XE 3.15 / PI27 releases
[Figure: IWAN POP1 (Hub MC 10.8.3.3/32, MC1, BR1–BR4, 10.8.0.0/16) with DMVPN1 and DMVPN2 to branches R10–R13 (10.1.10.0/24–10.1.13.0/24); a spoke sees Next Hop 1 and Next Hop 2 on the same DMVPN]
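As an added example (not Cisco code) of the channel-definition change above, the following builds both channel keys for a spoke that reaches two hub border routers over one DMVPN tunnel interface and shows which keys collapse two next hops into one channel. Site ids, DSCP values and next-hop addresses are constructed; the SP tag values follow the slide (BR1 tag 1, BR2 tag 2).

```python
"""PfRv3 channel keys before and after the DMVPN multiple-next-hop change.

Added illustration, not Cisco code: a channel is the unit PfRv3 measures and
steers, so two hub border routers reachable through the same DMVPN tunnel
interface must not collapse into one key. Site ids, DSCP values and next-hop
addresses below are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed: spoke R10 (site 10) reaching hub POP1 (site 1) through BR1 and BR2
# on the MPLS DMVPN and through BR3 on the Internet DMVPN, for EF (voice) traffic.
PATHS: List[Dict] = [
    {"local": 10, "remote": 1, "dscp": "ef", "color": "MPLS", "sp_tag": 1, "next_hop": "10.8.3.1"},  # BR1
    {"local": 10, "remote": 1, "dscp": "ef", "color": "MPLS", "sp_tag": 2, "next_hop": "10.8.3.2"},  # BR2
    {"local": 10, "remote": 1, "dscp": "ef", "color": "INET", "sp_tag": 1, "next_hop": "10.8.4.1"},  # BR3
]


def channel_key(path: Dict, with_sp_tag: bool) -> Tuple:
    """Original definition: local site + remote site + DSCP + color.
    New definition adds the SP tag (the sub-color) as a fifth component."""
    key = (path["local"], path["remote"], path["dscp"], path["color"])
    return key + (path["sp_tag"],) if with_sp_tag else key


def next_hops_per_channel(paths: List[Dict], with_sp_tag: bool) -> Dict[Tuple, Set[str]]:
    """Group the next hops by channel key."""
    table: Dict[Tuple, Set[str]] = defaultdict(set)
    for p in paths:
        table[channel_key(p, with_sp_tag)].add(p["next_hop"])
    return dict(table)


def ambiguous_channels(paths: List[Dict], with_sp_tag: bool) -> List[Tuple]:
    """Channel keys that map to more than one next hop: PfRv3 cannot measure or
    steer those next hops separately, which is the limitation on the slide."""
    return [k for k, hops in next_hops_per_channel(paths, with_sp_tag).items() if len(hops) > 1]


if __name__ == "__main__":
    print(ambiguous_channels(PATHS, with_sp_tag=False))  # [(10, 1, 'ef', 'MPLS')]
    print(ambiguous_channels(PATHS, with_sp_tag=True))   # []
```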
Dual POPs – Common Prefix
• Requirements:
 – 2 (or more) POPs advertise the very same set of prefixes
 – Datacenter may not be collocated with the POPs
 – DCs/DMZs are reachable across the WAN Core for each PoP
 – Branches can access any DC or DMZ across either POP (hub). And, DC/DMZs can reach any branch across multiple POPs (hubs).
 – Multiple BRs per DMVPN per site may be required for crypto and bandwidth horizontal scaling
• Targeted for Spring XE 3.15 / PI27 releases
[Figure: IWAN POP1 (MC1) and IWAN POP2 (MC2), each with BR1–BR4, both advertising 10.8.0.0/16, 10.9.0.0/16 and 0.0.0.0/0 over DMVPN MPLS and DMVPN INET to branches R10–R13 (10.1.10.0/24–10.1.13.0/24); the Datacenters hold 10.8.0.0/16 and 10.9.0.0/16; backbone/backdoor connectivity between POPs for failover may not exist]
Optimize Application Performance
Today’s Network is an IT Blind Spot
• Static port classification is no longer enough
• More and more apps are opaque
• Increasing use of encryption and obfuscation
• Application consists of multiple sessions (video, voice, data)
• What if user experience is not meeting business needs?
Make Your IWAN Application Aware: Add Cisco AVC
[Figure: Branch (proliferation of devices, users/machines) to DC/Headquarters, Private Cloud and Public Cloud with Cisco AVC]
60% of IT Professionals Cite Performance as Key Challenge for Cloud
No Probes
• Rich data collection using NetFlow v9/IPFIX
• No additional hardware (and included in AX license)
• Easy to integrate into many reporting tools
Smart Capacity Planning
• Better use of costly bandwidth
• Per-branch and per-application level reporting
Business Aligned Privacy Enforcement
• No need for complex IP and port ACLs
• See inside HTTP flows to identify specific Cloud applications
Next Generation NBAR (NBAR2): Deep Packet Inspection (DPI)
[Figure: NBAR2 = IOS NBAR (+150 Signatures) + SCE Classification (+1000 Signatures) + Innovations: Native IPv6 Classification, Open API, 3rd Party Integration]
• Provides Advanced Application Classification and Field Extraction capabilities
• In-service upgradable Protocol Definitions: No IOS upgrade or reboot for new Protocol Packs
• Backward compatibility to preserve existing NBAR investments
• NBAR2 Protocol List: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html
Performance Collection & Exporting: Integrated performance monitoring and advanced metrics for different types of applications and use cases (Unified Monitoring)
• Basic Monitoring: What applications, how much bandwidth, flow direction? (NBAR2 and Flexible Netflow)
• Voice and Video Performance (Media Monitoring): 30% of traffic is voice and video
• Critical Applications Performance (Application Response Time): 40% of traffic is critical applications
• HTTP
Application Performance Monitoring for IWAN: Track and Report Application Flows and Performance
[Figure: AVC at the Branch, the Enterprise Edge, a CSR and DC/Headquarters exporting NetFlow v9/IPFIX across the WAN: Provisioning, Exporting, Collecting]
NetFlow/IPFIX Records (Same provisioning, same format)
• Traffic statistics records
• Application Response Time records
• Media monitoring records (Application, Jitter, Loss, etc)
Cisco Tools: Prime, APIC-EM
Partner Tools Ecosystem: LivePacked, Glue, Plixer, Living Objects, CompuWare, CA Technologies, InfoVista
Bandwidth Management Challenges: Degrading Application Experience in Non SLA Environments (Internet)
[Figure: Branch to DC over an Internet VPN; offered BW up to X Mbps, available BW not always X, typically < X Mbps]
• Available Link BW Can Change (Internet)
 – Static Bandwidth Provisioning (QoS) not accurate
 – Shapers become inaccurate due to BW fluctuation
 – Cannot predict BW changes at configuration
• Application & User Impact
 – Applications tune based on static shape rate
 – Indiscriminate traffic drops: SAP instead of YouTube!!
 – New calls/flows admitted can degrade performance of existing ones
• How can QOS improve user experience?
IWAN Adaptive QoS: How Does It Work? (IWAN 2.0)
Adapt Sender shape rate based on the available bandwidth to Receiver
• Sender: Configure MQC Policy with Adaptive Shaping on the DMVPN tunnel
• Receiver: Transport Monitoring Enable; Collect Periodic bw Stats on received traffic
• Transport Received Rate: Calculate Available Bandwidth over the WAN; Adjust Egress Shaper to observed rate
IWAN Advanced QoS: Local Per-Flow Admission Control (PFA) (IWAN 2.0)
[Figure: ASR1000 at the Branch and DC performing Path Selection across DMVPN tunnels over MPLS or Internet; dropped or remarked flows]
• Drop or remark flows exceeding nominal interface bandwidth
• Acts on Egress flows only
• Flows shaped to Available Link BW. PFA Algorithm is aware of Adaptive Shape Rate!
WAN bandwidth oversubscription problem
• The N+1 flow on the pipe can affect quality of all existing N flows!!
• Problem compounded as available BW itself is variable and not predictable
Add WAN Optimization with WAAS + Akamai: Speed and Bandwidth Benefits on Top of the IWAN
[Figure: Branch (proliferation of devices, users/machines) across the WAN to DC/Headquarters and Private Cloud; vWAAS, AppNav-XE Controller, CSR and WAVE; Accelerate Any TCP Connection]
Faster Applications, More Users, Less Bandwidth
• 90% HD Video optimization and better user experience
• Twice as many Citrix users over same WAN, 70% faster
• Toyota: ROI in less than one year, 65% BW cost savings
Easy to Deploy
• Works with existing branch routers (and existing AX license)
Scalable
• AppNav Controller and WAVE pool is scalable
• Native HA capability
Cisco WAAS: Enhancing User Experience and WAN Efficiency
Problem
• Application latency
• WAN bandwidth inefficiencies
Solution
• Reduce load: Data redundancy elimination (DRE), compression, and TCP optimization
• Application optimization: Fewer protocol messages and metadata caching
[Chart: Application Bandwidth (Mbps, 0 to 4) natively vs. with Cisco WAAS, showing the reduction in bandwidth; Application Latency (seconds, 0 to 160) natively vs. with Cisco WAAS, showing the reduction in latency]
Application-Specific Acceleration
• Application and protocol awareness
 – Eliminate unnecessary chatter
 – Save WAN bandwidth
 – Pre-populate edge cache as necessary
 – Enable disconnected operations
• Intelligent protocol acceleration
 – Read-ahead, prediction, and batching
 – Safe data and metadata caching
 – Improves application response time
 – Provide origin server offload
• DRE Hints
 – Application intelligence signals to DRE & LZ whether to compress, whether to cache
[Figure: across the WAN, Application Specific Acceleration (Safe Caching, Read-ahead, Prediction, Batching, DRE Hinting) layered on WAN Optimization (DRE/TFO/LZ); Origin Server Offloaded]
IWAN – Application Optimization with Akamai Connect (IWAN 2.0)
[Figure: Branch ISR-AX with Akamai Inside (Akamai Cache) across the WAN to the Data Center and the Akamai Intelligent Platform]
Optimal Experience Regardless of Device, Connectivity or Cloud: All HTTP Traffic in Private, Public, Akamai Cloud
Prepositioning | Dynamic HTTP Caching (YouTube) | Any Transport
Akamai Connect: Caching & Prepositioning
[Figure: Branch over MPLS (IP-VPN) to Private Cloud, Virtual Private Cloud and Public Cloud, with the Akamai Intelligent Platform]
• WAAS Optimization + Akamai Connect improves both Private and Public Cloud performance
• Cached & Prepositioned content improves application response time dramatically
• Prepositioning of internet and Private cloud content, including dynamic URLs like YouTube; Caches HTTP Content
• Akamai Connect works over WAN and directly from the Internet
Application Acceleration + Edge Caching: Enhancing User Experience while reducing WAN load
Supports Akamai Cloud | Single-sided Optimization | Secure Direct Internet Access
Akamai Caching: Transparent HTTP Caching; Dynamic URL OTT HTTP Caching; Akamai Connected Cache; Content Pre-positioning
Cisco WAAS Optimization: LZ Compression; TCP Optimization; Data De-duplication; Application Specific Acceleration
Cisco WAAS & Akamai Deployment Models
(Figure: deployment models – branch office with a WAAS service module/UCS-E, branch office with WAAS-XE on ISR-4000, branch office with a WAAS appliance, regional office with a WAAS appliance, data center or private cloud with WAAS appliances or AppNav + vWAAS on VMware ESXi (UCS/x86 server, Nexus 1000v vPath and VSM, FC SAN), and a virtual private cloud with vWAAS on ESXi, all joined by IWAN VPN)
IWAN Secure Connectivity
Intelligent WAN: Secure Connectivity – Securing the network and users
Two areas of concern:
1. Protecting the network from outside threats, with data privacy over provider networks (Secure WAN Transport)
2. Protecting user access to Public Cloud and Internet services: malware, privacy, phishing, … (Secure Internet Access)
(Figure: branch with MPLS (IP-VPN) and Internet transports to the private cloud, the virtual private cloud and the public cloud)
Securing the IWAN Transport: IPsec VPN and Access Control
• Step 1: Secure Transport – IPsec with DMVPN overlay
  – Secure, transport-independent overlay
  – Add strong cryptography: IKEv2 + AES-GCM 256
  – F-VRF to isolate the internal routing domain
• Step 2: Access Control – IOS Zone-Based Firewall or ACLs
  – Minimize exposure
  – DHCP addressing for Internet and tunnel interfaces
  – Don't put tunnel addresses into DNS
• Step 3: Choose your performance level
  – Size the router based on encryption with services and WAN bandwidth
  – Head-end: ASR1000 or ISR4451X; Branch: ISR-G2 or ISR-4000
(Figure: branch routers over DSL/cable through ISP A and ISP C to ASR 1000 head-ends in the data center)
Cisco Router Security Certifications

Platform                FIPS 140-2, Level 2   Common Criteria EAL4   Suite B* Hardware Assist
Cisco ISR 890 Series    ✓                     ✓                      ✓
Cisco ISR 1900 Series   ✓                     ✓                      ✓
Cisco ISR 2900 Series   ✓                     ✓                      ✓
Cisco ISR 3900 Series   ✓                     ✓                      ✓
Cisco ISR 4000 Series   ✓                     ✓                      ✓
Cisco ASR 1000 Series   ✓                     ✓                      ✓**

* RFC 6379
** RP2 is only supported in ASR1004, ASR1006, and ASR1013
Cisco VPN ISM for ISR G2 – Delivering High Performance VPN for Branch Routers
Features
• Plug and play Internal Service Module (ISM) for VPN acceleration
• Hardware encryption support for both IPsec and SSL VPN
• Hardware support for IKEv2 and Suite B NG crypto algorithms
Performance
• High IPsec VPN throughput (up to 1.2 Gbps)
• Up to 3X throughput and 2X supported IPsec tunnels over the onboard crypto engine
Platform Requirements
• IOS requirement: 15.2(1)T1 or later
• Supported platforms: 1941, 2901, 2911, 2921, 2951, 3925, 3945 (Note: not supported on 1941W, 3925E, 3945E)
Add Network Integrated Threat Defense: IOS Zone-Based Firewall
• Control the Perimeter:
  – External and internal protection: the internal network is no longer trusted
  – Protocol anomaly detection and stateful inspection
• Communicate Securely:
  – Call flow awareness (SIP, SCCP, H323)
  – Prevent DoS attacks
• Flexible:
  – Split tunnel: branch direct Internet access
  – Internal FW addresses regulatory compliance
• Integrated:
  – No need for additional devices, expenses and power
  – Works with other IWAN services: CWS, WAAS, UCS-E, …
• Manageable:
  – Supports CLI, SNMP, CCP, and CSM
  – Supports Cisco Configuration Engine
(Figure: branch routers over DSL/cable through ISP A and ISP C to ASR 1000 head-ends in the data center)
Securing IWAN Transports with Front-door VRF: Isolation of external networks
• Virtual Route Forwarding (VRFs) create multiple logical routers on a single device
  – Separate control/forwarding planes per VRF
  – No connectivity between VRFs by default
  – Provider side VRF (yellow) for external networks, Global VRF (blue) for internal networks
• Provider VRF minimizes threat exposure
  – Default routing only in the Provider VRF
  – Provider assigned IP addressing hides the internal network
  – Provider IP address used as the IPsec tunnel source
  – Only IPsec allowed between the internal Global and Provider Front Side VRFs
(Figure: Global Enterprise VRF with the branch LAN 10.1.1.0/24, 10.1.2.0/24, …; Front Side Provider VRF (F-VRF) with the provider assigned WAN IP address 192.168.254.254; the IPsec tunnel interface is the only link between the two VRFs, which have independent routing and forwarding planes; IOS ZBFW or ACL permits only authorized traffic, i.e. IPsec)
Protecting Public-facing IWAN Interfaces
• Use ACLs, ZBFW or ASA to block all traffic to the routers except the DMVPN tunnel traffic
• Zone Based Firewall (ZBFW) at the branch if there are plans for direct Internet access
• Typical ACL for protecting the Internet interface:

  interface GigabitEthernet0/0
   bandwidth 10000
   ip vrf forwarding INET-PUBLIC1
   ip address dhcp
   ip access-group ACL-INET-PUBLIC in
   duplex auto
  !
  ip access-list extended ACL-INET-PUBLIC
   permit udp any any eq non500-isakmp
   permit udp any any eq isakmp
   permit esp any any
   permit udp any any eq bootpc
   permit icmp any any echo
   permit icmp any any echo-reply
   permit icmp any any ttl-exceeded
   permit icmp any any port-unreachable
   permit udp any any gt 1023 ttl eq 1
  !

(Figure: branch routers over DSL/cable through ISP A and ISP C to ASR 1000 head-ends in the data center)
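As an added example (not code from the deck), a small Python evaluator for the ACL-INET-PUBLIC list above, which also exercises the Front-door VRF slide's rule that only IPsec may cross from the provider side: it parses the ACEs as printed and reports, per sample packet, whether an entry permits it or the implicit deny applies. The Packet type and the qualifier subset it understands are assumptions of the example; IOS first-match semantics are the only router behaviour it relies on.

```python
"""Added example, not code from the Cisco deck: evaluates the ACL-INET-PUBLIC
access list shown above against sample packets, to check offline that a
public-facing IWAN interface admits only DMVPN/IPsec control traffic (IKE,
NAT-T, ESP), DHCP replies and a few ICMP/traceroute types."""
from dataclasses import dataclass

# The access list as shown on the slide, copied so the block is self-contained.
ACL_INET_PUBLIC = """
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit udp any any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit udp any any gt 1023 ttl eq 1
"""

# IOS port and ICMP-type keywords used by this ACL.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "bootpc": 68}
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "ttl-exceeded": 11, "port-unreachable": 3}


@dataclass
class Packet:
    proto: str            # "udp", "tcp", "esp" or "icmp"
    dport: int = 0        # destination port (udp/tcp only)
    icmp_type: int = -1   # ICMP type (icmp only)
    ttl: int = 64


def parse_ace(line):
    """Parse 'permit <proto> any any [qualifiers]' into (action, proto, match).
    Only the qualifier forms used in ACL-INET-PUBLIC are understood."""
    tok = line.split()
    action, proto, quals = tok[0], tok[1], tok[4:]   # tok[2:4] is 'any any'
    match, i = {}, 0
    while i < len(quals):
        if quals[i] in ("eq", "gt") and proto in ("udp", "tcp"):
            val = quals[i + 1]
            match["port"] = (quals[i], PORT_NAMES[val] if val in PORT_NAMES else int(val))
            i += 2
        elif quals[i] == "ttl":                        # e.g. 'ttl eq 1'
            match["ttl"] = (quals[i + 1], int(quals[i + 2]))
            i += 3
        elif proto == "icmp" and quals[i] in ICMP_TYPES:
            match["icmp_type"] = ICMP_TYPES[quals[i]]
            i += 1
        else:
            raise ValueError(f"unsupported qualifier {quals[i]!r} in {line!r}")
    return action, proto, match


def ace_matches(ace, pkt):
    """True if the packet matches every qualifier of the ACE."""
    action, proto, match = ace
    if pkt.proto != proto:
        return False
    if "port" in match:
        op, val = match["port"]
        if (op == "eq" and pkt.dport != val) or (op == "gt" and pkt.dport <= val):
            return False
    if "icmp_type" in match and pkt.icmp_type != match["icmp_type"]:
        return False
    if "ttl" in match and pkt.ttl != match["ttl"][1]:   # only 'ttl eq N' is used
        return False
    return True


def evaluate(acl_text, pkt):
    """First matching ACE wins; an IOS extended ACL ends in an implicit deny."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"
```

Note that the last entry only admits UDP probes with TTL 1 (outbound traceroute replies), so a UDP packet to a high port with a normal TTL still falls through to the implicit deny.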
Intelligent WAN – Direct Internet Access
• Leverage the local Internet path for Public Cloud and Internet access
• Improve application performance (right flows to right places)
Solutions: On Premise – Zone Based Firewall; Cloud Based – Cloud Web Security
(Figure: branch ISR-AX with ZBFW using MPLS (IP-VPN) for the private and virtual private cloud and direct Internet access through CWS for the public cloud)
Cloud Web Security – Centralized Management for Distributed Policy
(Figure: Cisco ScanCenter Portal screenshot)
Secure Internet Access with Cisco Cloud Web Security (CWS)
• Secure Public Cloud and Internet access
• ISR connector to CWS firewall towers
• Web filtering, access policy, malware detection
• IWAN IPsec VPN for Private Cloud traffic
• IOS Firewall to protect the Internet edge
(Figure: branch with WAN1 (IP-VPN) to the private cloud and WAN2 (Internet) through CWS to the public cloud and the Internet)
Cisco ISR CWS Connector – How it Works
Cisco ISR G2 with CWS Cloud Connector functions:
• Authenticate router and client to the CWS cloud
• Intercept HTTP/HTTPS traffic based on ACL filters
• Add a user credentials header for identifying the policy to be applied
• Traffic relay: replace the client source IP address with the egress address
• Redirect to CWS for scanning
• Act as HTTP proxy to complete requests
• Allow/Block or Warn based on user or group policy
• Scan for malware
(Figure: branch with HQ routes over the WAN tunnel (MPLS IP-VPN) to the private and virtual private cloud, and the default route over the DSL interface through the CWS connector to CWS, the public cloud and the Internet)
CWS Features
• Custom, granular user-based policies managed in the cloud
• User-based reporting
• URL, IP, host, and user agent-based whitelisting for trusted sites (bypasses CWS filtering)
• Default block or permit action in case of tower unreachability
• Single sign-on support
• IP and browser-based authentication bypass features
• Authenticated IP cached with absolute/idle timer options
• Default "guest" access on authentication failure
• Multiple authentication support

Authentication Type   User Experience          Supported ADs
NTLM (v1 and v2)      Transparent              Microsoft AD/LDAP
HTTP Basic            Prompts user for login   Microsoft AD/LDAP, ACS
Web Auth              Prompts user for login   Microsoft AD/LDAP, ACS
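As an added example (not Cisco's connector code), a Python model of the decision the connector slides above describe: intercept by ACL filter, whitelist bypass, credential header and source-address relay, and the default action when no tower is reachable. The class and field names, the header names and the egress address are hypothetical; the point is to see which paths let web traffic leave the branch unscanned.

```python
"""Added example, not Cisco's connector code: a model of the interception
decision the CWS connector slides describe, so the effect of the whitelist
and of the tower-unreachable default can be exercised offline.  Names,
header fields and the policy shape are hypothetical."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Request:
    dst_ip: str
    dst_port: int
    url: str = ""
    user_agent: str = ""
    user: str = ""
    group: str = ""


@dataclass
class ConnectorPolicy:
    intercept_ports: frozenset = frozenset({80, 443})   # ACL filter: HTTP/HTTPS
    whitelist_hosts: frozenset = frozenset()            # trusted sites bypass CWS
    whitelist_ips: frozenset = frozenset()
    whitelist_agents: frozenset = frozenset()
    fail_open: bool = False          # default when no tower is reachable
    egress_ip: str = "192.0.2.1"     # constructed egress address for the relay


def decide(req, policy, towers_reachable):
    """Return how the flow is handled: 'direct' (not intercepted), 'bypass'
    (whitelisted, so unscanned), 'redirect' (proxied to CWS) or 'block'."""
    if req.dst_port not in policy.intercept_ports:
        return {"action": "direct"}
    host = urlsplit(req.url).hostname or ""
    if (host in policy.whitelist_hosts or req.dst_ip in policy.whitelist_ips
            or req.user_agent in policy.whitelist_agents):
        return {"action": "bypass"}
    if not towers_reachable:
        # Fail-open keeps users working but sends web traffic out unscanned;
        # fail-closed is the safer default for a security control.
        return {"action": "direct" if policy.fail_open else "block"}
    return {
        "action": "redirect",
        "src_ip": policy.egress_ip,                              # traffic relay
        "headers": {"X-User": req.user, "X-Group": req.group},  # hypothetical names
    }


def unscanned_paths(policy):
    """Audit helper: lists the ways a web flow can leave without CWS scanning."""
    paths = []
    if policy.whitelist_hosts or policy.whitelist_ips or policy.whitelist_agents:
        paths.append("whitelist")
    if policy.fail_open:
        paths.append("tower-unreachable fail-open")
    return paths
```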
IWAN Orchestration and Automation
Cisco IWAN Management
Cloud-Based Management – Automates Deployment and Lifecycle Management
• Eliminates manual building of WANs
• Automated SD-WAN orchestration
• Centralized hybrid WAN management
• Quick config updates and IOS upgrades
• Leverages onePK and REST APIs
Specialized Management – Application Aware Network Performance Management
• Integrates with Cisco AVC and PfR
• Monitor and analyze application traffic
• End-to-end flow visualization
• Flow & app-based troubleshooting
• Fix and verify in real time
On-Prem Management – Prime Infrastructure 2.2 – End-to-End Assurance of Application Experience
• Single-pane view of IWAN
• IWAN deployment workflows
• Plug and Play
• DMVPN, QoS, AVC deployment and monitoring
• PfR v3 in Q1 2015
• License includes IWAN App and APIC-EM controller!
Prime Infrastructure 2.2 for IWAN
• IWAN workflow wizard with PnP
• Template-based IWAN configs
• PfRv3 Domain, MC and BR
• AVC one-click provisioning
• QoS provisioning
• Single or dual router branch
• CVD-based, customizable
• AVC readiness assessment
• AVC, QoS, PfR visibility
• Leverages APIC-EM services
Prime Infrastructure Plug-n-Play Options – No CLI Skills Required
PnP 1: USB stick to bootstrap the ISR
• Installer connects LAN/WAN cables
• ISR loads the bootstrap config from the USB memory stick
PnP 2: Prime Plug-n-Play Application
• Installer connects LAN/WAN cables + a USB console cable to a laptop/iPhone/iPad
• PnP Application bootstraps the router
PnP 3: Cisco Configuration Professional Express (ISR device GUI)
• Installer connects LAN/WAN cables + a PC to a LAN port
• CCP Express application bootstraps the router
Prime Plug-n-Play Solution Components
• PnP Application: installer application for iPhone, iPad, and Windows PC used for authenticating and booting the IOS device
• Prime Infrastructure Server: manages and distributes deployment information (images, configurations, and licenses)
• CNS Protocol: Cisco PnP protocol for loading the IOS image and initial configuration
• IOS CNS Agent: uses the bootstrap config to access the PnP Server
(Figure: branch with WAN1 (IP-VPN) and WAN2 (Internet) reaching the Prime Infrastructure server in the private cloud)
Plug-n-Play Application Workflow Overview
0. Pre-provisioning in Prime Infrastructure
• Administrator creates a Plug and Play device profile in Prime Infrastructure
• Administrator specifies device names, desired configuration, SW image, and optionally the device serial numbers
• A deployment PIN is generated for each device and can be emailed to the installer
1. Installation at the end location
• Installer receives the device, mounts the device and connects the cables
• Installer launches the Plug-and-Play application and enters the PIN
• Plug-and-Play application registers the device serial number with Prime and then downloads the bootstrap configuration to the device
• Device downloads the SW image and full configuration from Prime; the Plug-and-Play application displays status
Prime Plug-n-Play Application – Simplified Branch Router Deployment
1. Installer connects the PC to the ISR with a USB cable and starts the PnP App
2. Installer enters the PIN and clicks "install"
3. PnP App retrieves the serial number from the ISR
4. PnP App requests the router config through the 3G connection
5. PnP Gateway validates the installer's credentials (ISE: RADIUS, LDAP or AD; DES/One-Time-Password)
6. PnP Gateway registers the router serial number and gets the ISR bootstrap config from Prime Infrastructure
7. PnP App receives the bootstrap config from the PnP Gateway and installs it on the ISR
8. ISR bootstrap downloads the IOS image and full config from the PnP Server
Alternatively, the installer could download the bootstrap config by logging in to the PnP Gateway's portal prior to installation, eliminating the need for a 3G/4G connection.
(Figure: branch location with the remote ISR, USB console cable and PnP App on 3G/4G; Network Operations Centre (NOC) of the enterprise or SP with the PnP Gateway in the DMZ and Prime Infrastructure, reached over the SP network (MPLS/Internet) via https)
IWAN Management with Application-aware Network Performance Management + QoS Control
Flow
• End-to-end topology, flow and trace visualization
• Search capability
• Alert drill-down to applicable flows
• Point-and-click FnF configurations
QoS Monitor
• QoS dashboard and alert drill-down
• Pre- and post-QoS graphs
• Congestion indicators
• Single-click QoS audit
QoS Configure
• QoS/ACL graphical configurator
• Customized policies with 25+ QoS templates
• Apply policy to multiple devices with a single click
• CLI preview
Routing
• Topology view of active routes
• Graphical Policy Based Routing
• Trace path to destination with return route
LAN
• LAN path and Spanning Tree connections
• Trunk and access bandwidth
• Layer 2 QoS stats
• VLAN filtering in topology view
IP SLA
• IP SLA topology view
• IP SLA dashboard
• Graphical IP SLA configurator
• Support for all IP SLA tests including Video Operations
(Figure strip: See, Visualize, Point, Click, Control, Deploy, Troubleshoot, Fix, Improve, Decision Making)
Glue Networks IWAN Orchestration
• Cloud-based SaaS subscription model
• Eliminates manual building of WANs
• Automated WAN orchestration and management
• Quick configuration updates and IOS upgrades
• Rapidly delivers nextgen and IWAN features
• Forward compatible with SDN and OnePK for app aware WANs
• Broadband and MPLS support for centralized hybrid WAN management for IWAN
Glue Networks – Migrate Existing WAN Routers into Gluware Management
1 Plan
• Identify network services and IOS features (Security, QoS, etc.)
• Identify existing WAN infrastructure for inclusion into the Gluware orchestrated WAN
• Translate network characteristics and design into templates via Gluware
2 Implement
• Provision head end routers prior to branch routers
• Initiate provisioning via USBConnect for both greenfield and brownfield routers
• Routers re-provisioned to Gluware management
• Gluware lifecycle management and orchestration: quick configuration changes and IOS upgrades
(Figure: existing WAN routers at the branches reach the DC/HQ over a secure SSH tunnel across the Internet)
IWAN Automation and Orchestration Evolution
(Figure: traditional management systems (Cisco Prime) evolve toward APIC-EM; APIC-EM services (partial): PKI, NetFlow, PnP, Network, Events, Inventory; a device abstraction layer over CLI and onePK/OpenFlow, exposed through REST APIs; Cisco IWAN apps for Transport, PKI Automation, Security, Intelligent Path Control, Application Experience and PnP Provisioning, with partner apps in future; Prime keeps capacity planning, troubleshooting and change control; Q2 CY2015)
Cisco IWAN Product Portfolio
Start with Cisco AX Routers – IWAN Capabilities Embedded in the Router
• One network, unified services: ISR-AX, ISR-4000 AX, ASR1000-AX
• Simplify application delivery: transport independent, secure routing, optimization, control, visibility
Cisco AX Routers: 800 | 1900 | 2900 | 3900 | 4000 | ASR 1000
IWAN Branch Services Routers – ISR 4000 Series: IWAN AX Ready, Next Generation Branch
Integrated IWAN services
! IOS Firewall, VPN, IPsec, PfRv3, NBAR2, AVC, AppNav, VRF, MPLS
! Scalable on-chip service provisioning
Application centric
! App/user policy-driven deployment
! APIC-EM automation: deploy in minutes
! Pay-as-you-grow
! Up to 75% cost savings
Appliance level performance
! Service-aware dataplane
! Resilient service virtualization
! Multi-gigabit fabric

Platform   Throughput
ISR 4321   50/100 Mbps (NEW!)
ISR 4331   100/300 Mbps (NEW!)
ISR 4351   200/400 Mbps (NEW!)
ISR 4431   500 Mbps/1 Gbps (NEW!)
ISR 4451   1-2 Gbps
IWAN Aggregation Border Routers – ASR1000: IWAN AX Ready, High Performance Routers
Integrated IWAN services
! IOS Firewall, VPN, IPsec, PfRv3, NBAR2, AVC, AppNav, VRF, MPLS
! Scalable on-chip service provisioning
Business-critical resiliency
! Separate control and data planes
! Hardware and software redundancy
! In-service software upgrades
Compact, powerful router
! Line-rate performance 2.5G to 200G+ with services enabled
! Crypto performance from 2G to 60G+
! Flexible I/O: SPAs and Ethernet LCs

Platform    Forwarding                            Crypto throughput
ASR1001-X   2.5G, upgradeable to 5G, 10G, 20G     Up to 8G
ASR1002-X   5G, upgradeable to 10G, 20G, 36G      Up to 4G
ASR1006     Modular, redundant up to 200G         Up to 60G
Cisco UCS-E Series – Extend Cloud Services into Branch Infrastructure
Support on ISR G2 and 4000 Series
• Platform for WAN edge applications: Microsoft Windows Server and Linux certified
• Server virtualization: Cisco UCS virtualization powered by VMware, Microsoft, Citrix
• Dedicated blade management: Cisco Integrated Management Controller; consistent management for the UCS family
• Multipurpose x86 blades: Cisco UCS E-Series modules house up to four server blades in an ISR
• Single-device network integration: house all devices in the ISR G2 chassis; multigigabit fabric backplane switch
(Figure: UCS-E blades running a hypervisor with guest OS/app pairs, attached to IOS through the MGF backplane switch and managed by CIMC-E)
Cisco UCS E-Series Server Hypervisor and OS Support
Hypervisors
• VMware vSphere Hypervisor 5.0 update 1, 5.1 and 5.5
• Hyper-V (Windows 2008 R2, 2012, 2012 R2)
• Citrix XenServer 6.0
Microsoft Windows
• Windows Server 2008 R2 Standard 64-bit
• Windows Server 2008 R2 Enterprise 64-bit
• Windows Server 2012, 2012 R2
Linux
• Red Hat Enterprise Linux 6.2
• SUSE Linux Enterprise 11, service pack 2
• Oracle Enterprise Linux 6.0, update 2
Future Application Delivery – Write once. Run anywhere.
(Figure: the same container of network services & applications runs in three hosting models: blade hosting on a UCS-E blade, server hosting on an external server, and ISR-4000 hosting as a feature container on the Cisco network operating system beside traditional features and embedded network services; NEW!)
Cisco Advanced Services IWAN Portfolio (customer situation: Advanced Services offering)
• Looking to explore IWAN architecture evolution: Network Architecture Discovery Workshop
• Desire to evaluate the current branch architecture and devise an IWAN architecture strategy: Network Architecture Assessment and Strategy
• Assistance with designing and planning an IWAN deployment strategy: Network Planning and Design
• Customer wants Cisco to manage the full migration to the IWAN solution through a turn-key service: Network Planning, Design, and Implementation Service (NEW!)
IWAN 2.0 Considerations
IWAN 2.0 Considerations
• Intelligent Path Control
  – Horizontal scaling with multiple BRs at a site connected to a single DMVPN network
  – Common/same prefixes being reachable over multiple hub/PoP locations
  – Enhancements coming in Spring 2015
• Application Optimization
  – AVC requires flow symmetry across the same border router to classify stateful applications
    • Problematic at sites with dual routers, e.g. hub/PoP locations
    • Enhancement coming in the Summer or Fall 2015 release
• Secure Connectivity
  – CWS connector not currently supported on the ISR-4000 series routers
    • Support coming in the Summer 2015 release
Why Cisco IWAN?
1st 3rd Savings & Loan (13S&L) Scenario – Current Network Design
• East and West Data Centers (DC) for redundancy and business continuance
• Internet DMZs at each DC
  – 13S&L.com Internet presence
  – Employee Internet access
  – 7200 series routers and PIX firewalls
• WAN
  – 513 branches with 2 hub/DC sites
  – MPLS VPN provided by AsTheBellTolls (ATBT)
  – 3 classes of service: Real Time, Data and Default
  – 99.95% circuit availability
  – T3 and ½ T1 access to the VPN
  – 7200 and 2800 series routers
(Figure: Branch-1 … Branch-513 with 2811 routers at 768 kbps into the ATBT MPLS VPN (3 CoS); DC-West and DC-East with 7200 routers on DS3 45 Mbps, 7200 Internet routers, and a DCI WAN core)
Intelligent WAN Summary
• Transport Independent Design
  – Hybrid MPLS + Internet transports: increased bandwidth with higher availability
• Intelligent Path Control
  – Performance Routing (PfR) to protect critical applications and load balance traffic to maximize expensive WAN bandwidth
• Application Optimization
  – Application Visibility and Control (AVC) to monitor application performance at the branch
  – WAAS + Akamai to reduce bandwidth consumption and improve application experience
• Secure Connectivity
  – Cloud Web Security (CWS) for improved performance of Public Cloud and Internet applications while reducing bandwidth over the WAN, without compromising security or control
• IWAN Management
  – Prime, LiveAction, or Gluware, with SDN evolution through APIC-EM
(Figure: proposed 13S&L design – Branch-1 … Branch-513 with ISR-AX and vWAAS as PfR border routers over the ATBT MPLS and ADSL transports; DC-West and DC-East with ASR-AX as master controllers, WAAS and AVC over the DCI WAN core; CWS for Internet access)
Cisco Intelligent WAN (IWAN)
• Secure WAN transport and direct Internet access
• Mixed transport WAN with high reliability
• SLAs for business-critical applications
• Centralized security policy for Internet access
• Dramatically lower WAN costs without compromise
(Figure: branch with MPLS (IP-VPN) and Internet transports to the private cloud, the virtual private cloud and the public cloud)
Customer Proof of Concept (CPOC) IWAN Pre-Built Static Testbed (PBST)
• IWAN LAB for customer hands-on testing
• Network, Management, Traffic Generators and Impairment
• Remote Access with Telepresence
CPOC IWAN PBST – Questions? Contact your Cisco Sales or Partner Representative
IWAN Sessions – Cisco Live Milan
Techtorial
• TECCRS-2004 Implementing the Intelligent WAN (IWAN) – Jean-Marc, Scott, Steve, David, Bill, Patrick
Breakouts
• BRKCRS-2000 Intelligent WAN (IWAN) Architecture – Scott Van de Houten
• BRKRST-2362 Implementing Next Generation Performance Routing – PfRv3 – Jean-Marc Barozet
• BRKAPP-2030 Troubleshoot Business Applications with Advanced Monitoring Techniques – Karthik Dakshinamoorthy
• BRKRST-2514 Application Optimization and Provisioning the Intelligent WAN (IWAN) – Bill Reilly
• BRKRST-2041 WAN Architectures and Design Principles – Adam Groudan
• BRKCRS-2042 Highly Available Wide Area Network Design – David Prall
• BRKNMS-2845 IWAN and AVC Management with Cisco Prime Infrastructure – Tony Hosseiny
Others
• LTRCRS-2005 Intermediate – Intelligent WAN (IWAN) Hands-On Lab: Leveraging Prime to deploy the IWAN Solution to The Next Generation Branch – Bill Reilly
• CCSRST-2400 SkyConnect, Lufthansa Systems global WAN Platform. Moving Business PKI to "IWAN" while adding more services to the network – Markus Voegel (Lufthansa)
Related
• BRKCRS-2448 Innovations in Branch Routing – Matt Bollick
• BRKRST-2121 Self Learning Networks – Jean-Philippe Vasseur
• BRKNMS-3132 Advanced NetFlow – Benoit Claise
• BRKRST-2040 WAN and Remote-Site Deployment using Cisco Validated Designs – Adam Groudan
• PSORST-2008 Introduction to Cisco ISR 4000 Series: Architected for Application Performance – Jay Chokshi
• TECCRS-2003 Advanced WAN Design Topics (Techtorial – 8h) – Adam Groudan, David Prall, Mark Mitchiner, Arvind Durai
Call to Action
• Visit the World of Solutions for
  – Cisco Campus – (speaker to add relevant demos/areas to visit)
  – Walk in Labs – (speaker to add relevant walk in labs)
  – Technical Solution Clinics
• Meet the Engineer (Speaker to specify when they will be available for meetings)
• Lunch time Table Topics
• DevNet zone related labs and sessions
• Recommended Reading: for reading material and further resources for this session, please visit www.pearson-books.com/CLMilan2015
Complete Your Online Session Evaluation
• Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations