iwan - cisco · path control • application best path based on delay, loss, jitter, path...
Post on 11-Jul-2020
IWAN – Intelligent WAN, Next Generation Branch Architecture
Lars Thoren – Technical Marketing Engineer, ENG
© 2013 Cisco and/or its affiliates. All rights reserved. 3
Mobile Device Network Traffic
[Chart: Average Number of Apps per Device*, Average App Size** and OS Update File Size*** for iOS (iOS 7 for iPhone 5), Android (Jelly Bean 4.1) and Windows (Windows 7); the bar values are not recoverable from this transcript]
Sources:
* http://www.nielsen.com/us/en/newswire/2012/state-of-the-appnation-%C3%A2%C2%80%C2%93-a-year-of-change-and-growth-in-u-s-smartphones.html
** https://www.abiresearch.com/press/average-size-of-mobile-games-for-ios-increased-by-
*** http://www.wirelessandmobilenews.com/2013/05/samsung-galaxy-s3-iii-update-android-4.2.1-jelly-bean.html
http://theiphonewiki.com/wiki/Firmware#iPad_4
http://answers.microsoft.com/en-us/windows/forum/windows_other-windows_update/what-is-average-monthly-size-of-update-downloads/dfe9bb34-c2dd-478e-a6cb-0a26228cf552
Third-Party Lab Test: Chromebook vs. Windows 8 Laptop
Chromebook Creates an Average of 152 Times More Traffic
Chromebook creates as high as 692.2 times more network traffic
On average, Chromebook creates 152 times more network traffic
http://principledtechnologies.com/Microsoft/Chromebook_PC_network_traffic_0613.pdf
[Bar chart: network traffic generated by an Asus VivoBook S200E Notebook running Microsoft Windows 8 versus a Samsung Chromebook running Chrome OS for Document Manipulation, Photo Manipulation, Video Manipulation, Music Manipulation, Web Browsing, Note Taking and Test Taking; the per-task values cannot be matched to their bars in this transcript]
Emerging Branch Demands: The Application Landscape is Changing
Applications Are Moving to the Data Center and Cloud
Internet Edge Is Moving to the Branch
[Figure: Pressures on the WAN (branch, cloud, data centers). Cloud: [value missing] of CIOs expect to operate via the cloud by 2015. Mobility: [value missing] more mobile data traffic by 2015. Fat Apps: [value missing] of mobile traffic will be video.]
Internet Becoming an Extension of Enterprise WAN
• Commodity Transports Viable Now
• Dramatic Bandwidth, Price Performance Benefits
• Higher Network Availability
• Improved Performance Over Internet
Why Move to Internet as WAN?
Low-Cost Alternative
[value missing] of Organizations Are Planning to Transition to Internet Connections
[Chart: Internet Pricing vs. Reliability, 1998-2012]
1 Internet transit pricing based on surveys and informal data collection, primarily from Internet Operations Forums ('street pricing' estimates)
2 Packet delivery based on 15 years of ping data from PingER for WORLD (global server sample) from EDU.STANFORD.SLAC in California
Source: William Norton (DrPeering.net); Stanford ping end-to-end reporting (PingER)
And the Internet Transition Pays Off Fast
EXAMPLE: San Francisco Single MPLS VPN vs. Dual Business Internet ($ per Month)
             Dual Internet Links (iWAN,    MPLS VPN   MPLS VPN   MPLS VPN
             combined for Ent SLA)         CoS3       CoS2       CoS1
1.5 Mbps     $140                          $260       $274       $303
10 Mbps      $220                          $830       $885       $1,014
$665 Savings/Month (-75%) x 12 Months x 1,000 Sites = $8M Savings per Year
Source: Telegeography MPLS VPN pricing for San Francisco as of March 2013; Comcast Web site; Verizon website
Intelligent WAN: Leveraging the Internet
Secure WAN Transport and Internet Access
[Diagram: branch with hybrid WAN transport, IPsec-secured MPLS (IP-VPN) and Internet paths to the private cloud and virtual private cloud, plus direct Internet access to the public cloud]
• Secure WAN transport for private and virtual private cloud access
• Leverage local Internet path for public cloud and Internet access
• Increased WAN transport capacity, and cost effectively!
• Improve application performance (right flows to right places)
Intelligent WAN: Leveraging the Internet
So What is New Here?
[Diagram and bullets: the same hybrid WAN figure as the previous slide]
• Internet as WAN with High Reliability
• SLAs for Business-Critical Applications
• Centralized Security Policy for Internet Access
• Dramatically Lower WAN Costs Without Compromise
Intelligent WAN Solution Components
[Diagram: branch with Internet, MPLS and 3G/4G-LTE transports, running AVC, WAAS and PfR, connected to the private cloud, virtual private cloud and public cloud]
Application Optimization
• Application monitoring with Application Visibility and Control (AVC)
• Application acceleration and bandwidth savings with WAAS
Secure Connectivity
• Certified strong encryption
• Comprehensive threat defense with ASA and IOS firewall/IPS
• Cloud Web Security (CWS) for scalable secure direct Internet access
Intelligent Path Control
• Application best path based on delay, loss, jitter, path preference
• Load balancing for full utilization of all bandwidth
• Improved network availability
• Performance Routing (PfR)
Transport Independent
• Consistent operational model
• Simple provider migrations
• Scalable and modular design
• DMVPN IPsec overlay design
Intelligent WAN Deployment Models
Consistent VPN Overlay Enables Security Across Transition
Dual MPLS (MPLS + MPLS)
• Highest SLA guarantees
• Tightly coupled to SP
• Expensive
Hybrid (MPLS + Internet)
• More BW for key applications
• Balanced SLA guarantees
• Moderately priced
Dual Internet (Internet + Internet)
• Best price/performance
• Most SP flexibility
• Enterprise responsible for SLAs
[Diagram: three branch topologies, each connecting the enterprise branch over public MPLS and/or Internet transports]
Transport-Independent Design: Simplifying Internet-Based WANs
Flexible Secure WAN Design Over Any Transport: Dynamic Multipoint VPN (DMVPN)
Simplifies WAN Design; Dynamic Full-Meshed Connectivity; Proven Robust Security
Secure and Flexible
• Easy multi-homing over any carrier service offering
• Single routing control plane with minimal peering to the provider
• Consistent design over all transports
• Automatic site-to-site IPsec tunnels
• Zero-touch hub configuration for new spokes
• Certified crypto and firewall for compliance
• Scalable design with high-performance cryptography in hardware
[Diagram: transport-independent design with ISR-G2 branch routers and ASR 1000 data center routers over Internet and MPLS WAN transports]
What is Dynamic Multipoint VPN?
DMVPN Is a Cisco IOS Software Solution for Building IPsec + GRE VPNs in an Easy, Dynamic, and Scalable Manner
Relies on Two Proven Technologies
• Next-Hop Resolution Protocol (NHRP): creates a distributed mapping database of VPN (tunnel interface) to real (public interface) addresses
• Multipoint GRE tunnel interface: a single GRE interface supports multiple GRE/IPsec tunnels and endpoints, simplifies the size and complexity of configuration, and supports dynamic tunnel creation
Major Features
• Configuration reduction and no-touch deployment; supports:
– Passenger protocols (IP(v4/v6) unicast, multicast, and dynamic routing protocols)
– Transport protocols (NBMA) (IPv4 and IPv6)
– Remote peers with dynamically assigned transport addresses
– Spoke routers behind dynamic NAT; hub routers behind static NAT
• Dynamic spoke-spoke tunnels for partial/full mesh scaling
• Works with MPLS; GRE tunnels and/or data packets in VRFs and MPLS switching over the tunnels
• Wide variety of network designs and options
Hybrid WAN Designs: Traditional and IWAN
TRADITIONAL HYBRID
• Two IPsec technologies: GETVPN/MPLS and DMVPN/Internet
• Two WAN routing domains: MPLS with eBGP or static; Internet with iBGP, EIGRP or OSPF
• Route redistribution, route filtering and loop prevention
• Active/standby WAN paths: primary with backup
IWAN HYBRID
• One IPsec overlay: DMVPN
• One WAN routing domain: iBGP, EIGRP, or OSPF
• Active/active WAN paths
[Diagram: in both designs an ISR-G2 branch router reaches ASR 1000 data center routers over ISP A (Internet) and SP V (MPLS); the traditional design runs GETVPN over MPLS and DMVPN over the Internet, the IWAN design runs DMVPN over both]
Traditional WAN to IWAN Transition: Migration Steps
[Diagram: six branch topologies, steps 0 to 5, combining MPLS, Internet and 3G/4G-LTE transports on ISR G2 routers, grouped as ADDING DMVPN TO MPLS WAN, REPLACING A WAN SERVICE WITH AN INTERNET SERVICE, and OTHER INTERESTING IWAN TOPOLOGIES]
* Typical MPLS and Business Grade Broadband Availability SLAs and Downtime per Year.
Building Highly Available WANs With Cisco IWAN: Redundancy and Path Diversity Matter
SINGLE ROUTER, SINGLE PATH (one ISR G2; MPLS 99.95%* or Internet 99.90%*): downtime per year 4–9 hours (up to 8 hours 46 minutes)
SINGLE ROUTER, DUAL PATHS (one ISR G2; MPLS + MPLS, MPLS + Internet, or Internet + Internet): 99.995%, downtime per year 26 minutes
DUAL ROUTERS, DUAL PATHS (two ISR G2; MPLS + Internet or Internet + Internet): 99.999%, downtime per year 5 minutes
IWAN Solution (two ISR G2, MPLS + MPLS): 99.999%
* Typical MPLS and Business Grade Broadband Availability SLAs and Downtime per Year, calculated with Cisco AS DAAP tool.
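The availability figures on this slide come from Cisco's DAAP tool. The following is an added example, not part of the deck and not Cisco's tool: it converts an availability percentage into downtime per year (reproducing the 8 hours 46 minutes, 26 minutes and 5 minutes on the slide) and composes component availabilities for the single-router and dual-router designs. The series/parallel composition assumes independent failures, and the router availability figure is constructed, so the composite values it produces are illustrative and will not match the DAAP numbers exactly.

```python
"""Availability arithmetic for branch WAN designs (added example, not Cisco's DAAP tool)."""
from math import prod

MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600 minutes in a non-leap year


def downtime_minutes_per_year(availability_pct: float) -> float:
    """Minutes of downtime per year implied by an availability percentage."""
    return (1.0 - availability_pct / 100.0) * MINUTES_PER_YEAR


def describe_downtime(availability_pct: float) -> str:
    """Human-readable downtime per year, rounded to the nearest minute."""
    hours, minutes = divmod(round(downtime_minutes_per_year(availability_pct)), 60)
    if hours:
        return f"{hours} hours {minutes} minutes"
    return f"{minutes} minutes"


def series(*availabilities_pct: float) -> float:
    """Availability of components that must all be up (e.g. a router AND its WAN path)."""
    return 100.0 * prod(a / 100.0 for a in availabilities_pct)


def parallel(*availabilities_pct: float) -> float:
    """Availability of redundant components where one surviving is enough (e.g. dual paths)."""
    return 100.0 * (1.0 - prod(1.0 - a / 100.0 for a in availabilities_pct))


def branch_availability(router_pct: float, path_pcts: list, dual_routers: bool) -> float:
    """Availability of a branch design under the independence assumption.

    Single router: the router sits in series with the parallel set of its paths.
    Dual routers: each router carries one path; the two router+path chains are in parallel.
    """
    if dual_routers:
        if len(path_pcts) != 2:
            raise ValueError("dual-router design expects exactly two paths")
        return parallel(series(router_pct, path_pcts[0]), series(router_pct, path_pcts[1]))
    return series(router_pct, parallel(*path_pcts))


if __name__ == "__main__":
    # The slide's transport SLAs plus a constructed router availability (assumption).
    MPLS, INTERNET, ROUTER = 99.95, 99.90, 99.99
    for label, pct in [("MPLS 99.95%", MPLS), ("Internet 99.90%", INTERNET),
                       ("dual path 99.995%", 99.995), ("dual router 99.999%", 99.999)]:
        print(f"{label}: {describe_downtime(pct)} downtime per year")
    print("single router, MPLS + Internet:", round(branch_availability(ROUTER, [MPLS, INTERNET], False), 5))
    print("dual routers, MPLS + Internet: ", round(branch_availability(ROUTER, [MPLS, INTERNET], True), 5))
```

The single-router case shows why the slide separates "single router, dual paths" from "dual routers, dual paths": with one router, the parallel paths cannot lift availability above the router's own figure, so the router becomes the cap on the design.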
Intelligent Path Control: Improving Application Delivery and WAN Efficiency
Getting the Most Out of Your WAN Investment: Benefits of Intelligent Path Control
[Diagram: data center ASR 1000 routers and a branch ISR G2 running WAAS, PfR and AVC over Internet and MPLS WAN transports]
• Enabling Internet-based WANs
• Efficient distribution of traffic based upon load, circuit cost, and path preference
• Per-application best path based on delay, loss, jitter measurements
• Protection from carrier black holes and brownouts
Outcomes: lower WAN costs; full utilization of all WAN bandwidth; improved application performance
Intelligent Path Control with PfR: Voice and Video Use-Case
[Diagram: branch with an MPLS path to the private cloud and an Internet path to the virtual private cloud. Voice/video take the best delay, jitter, and/or loss path; voice/video will be rerouted if the current path degrades below policy thresholds; other traffic is load balanced to maximize bandwidth]
• PfR monitors network performance and routes applications based on application performance policies
• PfR load balances traffic based upon link utilization levels to efficiently utilize all available WAN bandwidth
What is Performance Routing (PfR)? Tooling for Intelligent Path Control
[Diagram: branch router acting as MC+BR with DSL and cable links to data center border routers (BR) controlled by a master controller (MC)]
“Performance Routing (PfR) provides additional intelligence to classic routing technologies to track the performance of, or verify the quality of, a path between two devices over a Wide Area Networking (WAN) infrastructure to determine the best egress or ingress path for application traffic....”
• Cisco IOS technology
• Two components: master controller and border router
PfR Enhances Classical Routing (Classical + PfR)
              Classical                                   PfR
PATH CONTROL  Topological state; least cost path;         Application-aware; policy controlled
              static user preference
METRICS       Path cost; interface state                  Measured performance: delay, jitter, bandwidth
ADAPTIVE      Responds to link and node state             Responds to measured performance changes
              changes (up/down)                           (degradation)
What PfR Does: Protecting Critical Applications While Increasing Bandwidth Utilization
Hybrid IWAN: SP1 (MPLS) + ISP (Internet). Diagram callouts: cloud services, best-effort traffic, detect loss greater than 10%
Cloud Services and Load-Balancing Policy
• Protect business cloud applications from brownouts: loss less than 5%
• Preferred path for critical applications: SP1 (MPLS)
• Increase WAN bandwidth efficiency by load-sharing traffic over all WAN paths, MPLS + Internet
Dual Internet IWAN: ISP-1 (Cable) + ISP-2 (DSL). Diagram callouts: voice and video, VDI, best-effort traffic, detect high jitter
Multimedia and Critical Data Policy
• Protect voice and video quality: latency less than 150 ms; jitter less than 20 ms
• Protect VDI applications from brownouts: loss less than 5%
• Voice and video preferred path: SP-A
• VDI preferred path: SP-B
• Increase utilization by load sharing
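The voice/video use case and the two policy slides above describe the decision PfR makes per traffic class: stay on the preferred path while it meets the delay, jitter and loss thresholds, reroute when it degrades, and load-share best-effort traffic over whatever bandwidth is free. The following is an added example, not Cisco's PfR implementation and not part of the deck: a simplified model of that policy logic run over constructed path measurements. Path names, thresholds and the "least violations" fallback are assumptions made for the example.

```python
"""PfR-style per-class path selection over measured delay, jitter and loss (added example, not Cisco code)."""
from dataclasses import dataclass
from math import inf


@dataclass
class PathStats:
    delay_ms: float
    jitter_ms: float
    loss_pct: float
    utilization_pct: float  # current link load, 0-100


@dataclass
class ClassPolicy:
    name: str
    preferred: list           # path names in order of preference
    max_delay_ms: float = inf
    max_jitter_ms: float = inf
    max_loss_pct: float = inf


def violations(stats: PathStats, policy: ClassPolicy) -> list:
    """Names of the thresholds a path currently breaks for this class."""
    broken = []
    if stats.delay_ms > policy.max_delay_ms:
        broken.append("delay")
    if stats.jitter_ms > policy.max_jitter_ms:
        broken.append("jitter")
    if stats.loss_pct > policy.max_loss_pct:
        broken.append("loss")
    return broken


def select_path(policy: ClassPolicy, paths: dict) -> tuple:
    """Most-preferred in-policy path; if every path is out of policy, the one breaking fewest thresholds.

    Returns (path_name, reason). Voice/video stay on the preferred path while it meets the
    delay/jitter limits and are moved when it degrades, as the use-case slide describes.
    """
    candidates = [p for p in policy.preferred if p in paths]
    if not candidates:
        raise ValueError(f"none of {policy.preferred} is a known path")
    for name in candidates:
        if not violations(paths[name], policy):
            return name, "in policy"
    # Every path is out of policy: pick the least-bad one rather than black-holing the class
    # (assumption for this example; ties go to the higher preference).
    least_bad = min(candidates, key=lambda n: (len(violations(paths[n], policy)), candidates.index(n)))
    return least_bad, "all paths out of policy; least violations"


def share_best_effort(paths: dict, flows: int) -> dict:
    """Distribute best-effort flows across paths in proportion to free capacity (100 - utilization)."""
    headroom = {n: max(0.0, 100.0 - s.utilization_pct) for n, s in paths.items()}
    total = sum(headroom.values())
    if total == 0:  # every link saturated: fall back to an even split
        headroom = {n: 1.0 for n in paths}
        total = float(len(paths))
    exact = {n: flows * h / total for n, h in headroom.items()}
    alloc = {n: int(v) for n, v in exact.items()}
    remainder = flows - sum(alloc.values())
    # Hand the leftover flows to the paths with the largest fractional share.
    for n in sorted(exact, key=lambda n: exact[n] - alloc[n], reverse=True)[:remainder]:
        alloc[n] += 1
    return alloc


def degraded(paths: dict, name: str, **changes) -> dict:
    """Copy of the measurement table with one path's metrics changed (simulates a brownout)."""
    updated = dict(paths)
    updated[name] = PathStats(**{**vars(paths[name]), **changes})
    return updated


# Constructed measurements for a hybrid branch: MPLS (SP1) and Internet (ISP).
PATHS = {
    "MPLS": PathStats(delay_ms=40, jitter_ms=5, loss_pct=0.0, utilization_pct=70),
    "INTERNET": PathStats(delay_ms=60, jitter_ms=10, loss_pct=0.2, utilization_pct=30),
}
# Thresholds taken from the policy slide; preferred paths are assumptions for the example.
VOICE_VIDEO = ClassPolicy("voice-video", ["MPLS", "INTERNET"], max_delay_ms=150, max_jitter_ms=20)
VDI = ClassPolicy("vdi", ["INTERNET", "MPLS"], max_loss_pct=5)

if __name__ == "__main__":
    print(select_path(VOICE_VIDEO, PATHS))                                   # MPLS, in policy
    print(select_path(VOICE_VIDEO, degraded(PATHS, "MPLS", jitter_ms=25)))   # rerouted to INTERNET
    print(select_path(VDI, PATHS))                                           # INTERNET, in policy
    print(share_best_effort(PATHS, 10))                                      # MPLS 3, INTERNET 7
```

The measurement table stands in for what the border routers report to the master controller; the policy objects stand in for the per-class thresholds and preferences the slide lists. Applying the same thresholds on every evaluation cycle is what makes the "reroute when the path degrades" behaviour fall out without any special-case code.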
Performance Routing: Components
The Decision Maker: Master Controller (MC)
• Discover BRs, collect statistics
• Apply policy, verification, reporting
• No packet forwarding/inspection required
The Forwarding Path: Border Router (BR)
• Gain network visibility in forwarding path (learn, measure)
• Enforce MC’s decision (path enforcement)
• Does all packet forwarding
Optimize By:
• Reachability, delay, loss, jitter, MOS
• Throughput, load, and/or $cost
[Diagram: branch MC+BR with DSL and cable links to data center BRs and MC]
PfR Evolution: Focusing on Simplification and Scale
PfR/OER
• Internet Edge
• Basic WAN
• Provisioning per site per policy
• 1000s of lines of config
PfRv2 (Today)
• Policy simplification
• App path selection
• Blackout ~6s
• Brownout ~9s
• Scale 500 sites
• 10s of lines of config
PfRv3 (Summer 2014)
• Centralized provisioning
• AVC infrastructure
• VRF awareness
• Blackout ~2s
• Brownout ~2s
• Scale 2000 sites
• Hub config only
Optimize Application Performance
Static port classification is no longer enough
• More and more apps are opaque
• Increasing use of encryption and obfuscation
• Application consists of multiple sessions (video, voice, data)
• What if user experience is not meeting business needs?
[Diagram: FTP, IM, RPC, SOAP and video all carried over HTTP ("HTTP is the new TCP") for information, collaboration and SaaS applications]
Make Your IWAN Application Aware: Add Cisco AVC
[Diagram: branch with a proliferation of devices, users and machines; private cloud, DC/headquarters and public cloud; Cisco AVC = FNF/NBAR2/QoS/PfR]
60% of IT Professionals Cite Performance as Key Challenge for Cloud
No Probes
• Rich data collection using NetFlow v9/IPFIX
• No additional hardware (and included in AX license)
• Easy to integrate into many reporting tools
Smart Capacity Planning
• Better use of costly bandwidth
• Per-branch and per-application level reporting
Business Aligned Privacy Enforcement
• No need for complex IP and port ACLs
• See inside HTTP flows to identify specific Cloud applications
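The two slides above make one argument: port-based classification collapses everything on 80/443 into "web", while looking inside the flow (HTTP Host or TLS server name) lets reporting name the cloud application and group the video, voice and data sessions it opens. The following is an added example, not part of the deck and not Cisco NBAR2/AVC: a port classifier and a server-name classifier run over constructed NetFlow-style records, then aggregated per application and per application family the way a per-branch, per-application report would. The flow records, server names and the signature table are all constructed.

```python
"""Port-based versus application-aware flow classification (added example, not Cisco NBAR2/AVC)."""
from collections import defaultdict

# Classic port table: anything on 80/443 is just "http"/"https".
PORT_APPS = {21: "ftp", 22: "ssh", 53: "dns", 80: "http", 443: "https", 5060: "sip"}

# Tiny stand-in for an application signature library, keyed by server-name suffix and
# mapping to (application family, component). Constructed names; a real library is far larger.
NAME_SIGNATURES = {
    "video.example-saas.com": ("example-saas", "video"),
    "voice.example-saas.com": ("example-saas", "voice"),
    "api.example-saas.com": ("example-saas", "data"),
    "cdn.example-ads.net": ("advertising", "web"),
}

# Constructed flow records: (client, server, dst_port, server_name or None, bytes).
FLOWS = [
    ("10.1.1.10", "203.0.113.5", 443, "video.example-saas.com", 48_000_000),
    ("10.1.1.10", "203.0.113.6", 443, "voice.example-saas.com", 3_200_000),
    ("10.1.1.10", "203.0.113.7", 443, "api.example-saas.com", 410_000),
    ("10.1.1.11", "198.51.100.9", 443, "cdn.example-ads.net", 900_000),
    ("10.1.1.12", "198.51.100.20", 80, None, 120_000),
    ("10.1.1.12", "192.0.2.44", 21, None, 75_000_000),
]


def classify_by_port(flow: tuple) -> str:
    """Static port classification: the destination port alone names the application."""
    return PORT_APPS.get(flow[2], "unknown")


def classify_by_name(flow: tuple) -> str:
    """Application-aware classification: match the server name by suffix, longest suffix wins.

    Falls back to the port when the record carries no name (no HTTP Host / TLS SNI seen).
    """
    name = flow[3]
    if name is None:
        return classify_by_port(flow)
    best = None
    for suffix, (family, component) in NAME_SIGNATURES.items():
        matches = name == suffix or name.endswith("." + suffix)
        if matches and (best is None or len(suffix) > len(best[0])):
            best = (suffix, f"{family}/{component}")
    return best[1] if best else classify_by_port(flow)


def bytes_per_app(flows: list, classifier) -> dict:
    """Bytes per application label, the basis of a per-application report."""
    totals = defaultdict(int)
    for flow in flows:
        totals[classifier(flow)] += flow[4]
    return dict(totals)


def bytes_per_family(flows: list) -> dict:
    """Group the video/voice/data sessions of one product under its family name."""
    totals = defaultdict(int)
    for label, nbytes in bytes_per_app(flows, classify_by_name).items():
        totals[label.split("/", 1)[0]] += nbytes
    return dict(totals)


if __name__ == "__main__":
    print("by port:  ", bytes_per_app(FLOWS, classify_by_port))    # https lumps four apps together
    print("by name:  ", bytes_per_app(FLOWS, classify_by_name))
    print("by family:", bytes_per_family(FLOWS))                   # example-saas = video + voice + data
```

With the port classifier the SaaS video, the SaaS voice session and the ad CDN all land in one "https" bucket, which is the capacity-planning blind spot the slide describes; the name classifier separates them and still degrades gracefully to the port when a flow record carries no name.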
Add WAN Optimization: Speed and Bandwidth Benefits on Top of the IWAN
[Diagram: branch (proliferation of devices, users/machines, WAAS Express) and DC/headquarters (AppNav-XE Controller, CSR, WAVE, vWAAS) across the WAN and private cloud; accelerate any TCP connection]
Faster Applications, More Users, Less Bandwidth
• 90% HD Video optimization and better user experience
• Twice as many Citrix users over same WAN, 70% faster
• Toyota: ROI in less than one year, 65% BW cost savings
Easy to Deploy
• Works with existing branch routers (and existing AX license)
Scalable
• AppNav Controller and WAVE pool is scalable
• Native HA capability
Branch Internet Access
Intelligent WAN: Direct Internet Access
[Diagram: branch with MPLS (IP-VPN) and Internet transports to the private cloud and virtual private cloud, and direct Internet access to the public cloud]
• Leverage local Internet path for public cloud and Internet access
• Improve application performance (right flows to right places)
Secure Internet Access with Cisco Cloud Web Security (CWS)
[Diagram: branch with WAN1 (IP-VPN) to the private cloud and WAN2 (Internet) to the public cloud. Callouts: secure public cloud and Internet access; ISR connector to CWS towers; CWS provides web filtering, access policy and malware detection; IWAN IPsec VPN for private cloud traffic; IOS Firewall to protect the Internet edge]
IWAN Management
1. Cisco Prime Infrastructure
– Provides Enterprise and Integrator life-cycle network management applications
2. Glue Networks
– Delivers Cloud-based simplified deployment portal
3. Live Action
– On Premise IWAN Management solution
4. SDN ready with OnePK
– Comprehensive programmability kit to enable SDN provisioning applications
5. APIC-EM, IWAN app
– Enterprise SDN Controller with IWAN app (Future)
Where to go next?
IWAN Capabilities Embedded in the Router
[Diagram: ASR1000-AX and ISR-AX routers providing L2-L3 transport (transport independent, secure routing) and L4-L7 application services (control, optimization, visibility) as one network with unified services, to simplify application delivery]
Cisco AX Routers 3900 | 2900 | 1900 | 800 | 4451 | ASR1002-X
Redefining Branch Routing with ISR 4451-X: Unprecedented Performance and Service Scalability with IT Simplicity
Cisco ISR 4451-X: The Ultimate ISR with Application Experience
• 1-2 Gbps Performance
• Separate Services Planes for Continuity
• Pay-As-You-Grow Model
• No Disruptions or Truck Rolls
• Ease of L2-L7 Service Deployment
• Native, Full-featured WAN Optimization
• Security with Application Visibility
• Application Service Assurance
Themes: Appliance-level Services; Performance; Simplified Service Integration
Just in, hot off the press!!!!!!! Best of Interop 2014, Networking
Network Computing article: http://www.networkcomputing.com/data-networking-management/best-of-interop-2014-winners-unveiled/240166898?pgno=2
Link to video with solution overview: http://youtu.be/JvaXi5hSbpI
“Cisco is … transforming a product line that began as a way to connect remote sites to corporate networks and the Internet into a small-scale data center in a box...a very small, 2U box.”
Kurt Marko, Judge, Interop
Why Cisco IWAN?
Proven Security at Scale
• Any to Any Security
• Protect All Branch Resources
• Secure Direct Internet Access
Unmatched Context-based Routing
• App-Aware
• Endpoint-Aware
• Network-Aware
Quick ROI, Faster than Alternatives
• Savings enables Business Innovation
• Many pay off in
Integrated Platform for IT Simplicity
• Up to [value missing] in Savings
• The Alternative: Overlay Appliances (App Visibility and Control, IPsec VPN, WAN Opt., Firewall, WAN Path Selection, Router)
Granular Control Everywhere
• Branch ISR-AX
• DC ASR1K-AX
• Cloud CSR1000V