BRKARC-2091

Uploaded by bennial, posted 13-Apr-2015
Category: Documents

TRANSCRIPT

Page 1: BRKARC-2091
Page 2: BRKARC-2091

© 2013 Cisco and/or its affiliates. All rights reserved. BRKARC-2091 Cisco Public

Next Generation Enterprise WAN: Branch & Head-End

Scott Van de Houten
[email protected]
Borderless Networks Technical Strategy

BRKARC-2091

Page 3: BRKARC-2091

Housekeeping

• Please switch your mobile phones to STUN
• We value your feedback—don't forget to complete your online session evaluations after each session and complete the Overall Conference Evaluation which will be available online from Thursday
• Visit the World of Solutions
• Please remember this is a non-smoking venue!
• Please make use of the recycling bins provided
• Please remember to wear your badge to the Party

Page 4: BRKARC-2091

“Everything is moving to the CLOUD!”

Which Cloud? Private Cloud? Public Cloud? Hybrid Cloud?

• Server, Application, Desktop virtualization are transforming Data Centers into Private Clouds.
• It’s in the Cloud! The Internet and Web have revolutionized how Application Service Providers deliver applications.
• Hosting providers offer virtual infrastructures instead of physical space and equipment – Hybrid Clouds
• Mobile devices enable users to access applications from anywhere at anytime – Work Your Way
• How do you design a network if you don’t know where the applications reside?
• What if the applications move to a different DC? Or, Hybrid Cloud offering?
• How do you isolate user performance issues for Cloud applications?
• How will all of this impact Security Policies and Procedures?

Page 5: BRKARC-2091


Agenda

• The Borderless Network

• Next Generation Enterprise WAN

• Private Cloud Services

• Hybrid Cloud Services

• Public Cloud Services

• Platform Overview

• Wrap Up / Summary


Page 6: BRKARC-2091

Enterprise Megatrends

• Mobility – BYOD
• Cloud – Private, Public, Hybrid
• Immersive Collaboration – Pervasive Video

Surrounding drivers: Cost Control, IT Effectiveness, Security, $

Page 7: BRKARC-2091

Network Implications: Shifting Borders

• Device Border – IT Consumerization
• Location Border – Mobile Worker
• Application Border – Video/Cloud, IaaS, SaaS; External-Facing Applications and Internal Applications

Page 8: BRKARC-2091

Borderless Networks Architecture

Key IT Initiatives: BYOD, Desktop Virtualization, Pervasive Video, Remote Expert, Cloud Computing, IT/OT Convergence

Key System Pillars Addressing Initiatives:
• Network and End-Point Services – EnergyWise Energy Management, TrustSec Policy Enforcement, App Visibility and Control, App Performance, Medianet Multimedia Optimization
• Technology Innovation – Wireless, Routing, Switching, Application Networking/Optimization, Security Appliance and Firewall
• Risk Management & Compliance
• Systems Excellence – SecureX, Unified Access, Cloud Intelligent Networks, Connected Industries, Cloud Connectors, Cloud Optimization
• Management – Prime

Page 9: BRKARC-2091

Cloud Intelligent Networks Solutions

Diagram labels:
• Public Cloud – Cloud Connectors: ScanSafe, HCS, WebEx CCA, 3rd party; HCS Services
• Virtual Private Cloud – ASA 1000V, Nexus 1000V, vWAAS, VSG, VXLAN, CSR 1000V, vPath
• Cisco ISR G2, ASR 1000, AVC, WAAS, UCS-E
• Private Cloud – ASR 1000, AVC, ASA, WAAS, AppNav
• Cisco Prime Infrastructure
• AnyConnect VPN, ScanSafe, WebEx, and HCS Cloud Connectors

Cloud Intelligent Network: Security, App Visibility & Control (AVC), Cloud Connectors, Medianet

Page 10: BRKARC-2091

Introducing the Next Generation Enterprise WAN

Page 11: BRKARC-2091

Next Generation Enterprise WAN – High Level Topology

Service overlays: Operations, IPv4/v6, TrustSec, MediaNet, Application Visibility & Control, Cloud

Diagram labels: Local Campus, Interconnect, Data Center, Remote Branch, Regional WAN (South Region Inter Connect, West Region Inter Connect, East Region, WAN Core), Metro Data Center, Hybrid Cloud, Service Provider Services (Voice, Video, Etc.), Internet WAN (Primary or Back up), Public Cloud, Private Cloud

• Efficient use of resources
• Seamless any-to-any Services
• Consistent Security

Page 12: BRKARC-2091


Page 13: BRKARC-2091

Regional WAN Architecture

Diagram labels: Standard Branch (ISR G2; Serial, Ethernet), High End Branch (ISR G2; DS3, FE), Mobile Branch (ISR G2; 3G/4G, Satellite), Ultra High-End Branch/Campus (ASR1K; OC3, GE); SP A MPLS, SP V MPLS, Internet; Redundant, Scalable GETVPN Headend (ASR1K, ASR1K); Redundant, Scalable DMVPN Headend (ASR1K, ASR1K); Enterprise Interconnect – Local Campus, Interconnect, Data Center; Cisco Prime

• Standardized Profiles
• Any WAN Transport
• Pervasive, Scalable End-to-end Security
• Intelligent, Per-Application, Adaptive Routing
• Optimized Performance
• Simplify Management, Monitoring, Troubleshooting

Page 14: BRKARC-2091

Regional WAN Branch Profiles

(Profiles ordered by increasing Performance and Availability)

Mobile Branch – Retail Banking, Kiosk, Vehicles, Cruises (ISR G2; 3G/4G, Satellite)
• 3G/4G or Satellite
• WAAS Express to boost application performance
• Branch mobility
• Deliver video over 4G*

Standard Branch – Typical branch office (ISR G2; MPLS, Internet)
• Most common deployment
• Migration from Serial to Ethernet
• SP MPLS VPN with Internet VPN backup
• Application performance
• 4-9s availability
• Deliver SD video

High-end Branch – Financial branch, Med/Large branch office (ISR G2, ISR G2; MPLS, MPLS)
• Migration from DS3 to FastEthernet
• Dual SP MPLS
• Redundant router
• Application performance
• 5-9s availability
• Deliver HD video

Ultra High-end Branch/Campus – Remote campus (ASR1K, ASR1K; MPLS, MPLS)
• Very high Bandwidth – up to 1Gb
• Software and hardware redundancy
• Same profile as High-end Branch
• Services scaled up by dedicated appliance engines

Flexible deployment options for different service requirements

Page 15: BRKARC-2091

Regional WAN Aggregation Profiles

(Profiles ordered by increasing Scalability and Availability)

Standard Aggregation
• Scale to support 1500 sites
• 4-9s availability
• One device serves multiple roles
• Hardware/software redundancy

High-end Aggregation
• Scale to support 5000* sites
• 5-9s availability
• Dual SP MPLS and Internet
• Redundant Key Server
• Dedicate PfR MC
• Hardware/software redundancy

Diagram: Branch Profiles (Ultra High-end Branch, High-end Branch, Standard Branch, Mobile Branch) connected over MPLS and Internet to the WAN Aggregation Profiles; labels: ASR1K, ISR G2, PfR MC, GETVPN GM, GETVPN KS, COOP GETVPN KS, GETVPN GM/PfR MC, DMVPN

Two WAN Aggregation Profiles for different availability and scalability requirements

Page 16: BRKARC-2091

Private Cloud Services: Application Visibility & Control, WAAS & UCS E, MediaNet, TrustSec Security, IPv6

Page 17: BRKARC-2091

Private Cloud Definition

Used only by a single company or organization, the Private Cloud looks a lot like the traditional Enterprise Data Centers we’re familiar with although they tend to focus on virtualized services. They might be operated by a third party instead of the company using them.

Source: NIST

Diagram labels: Public Cloud – HCS Services; Virtual Private Cloud – ASA 1000V, Nexus 1000V, vWAAS, VSG, VXLAN, CSR 1000V, vPath; Private Cloud – ASR 1000, AVC, ASA, WAAS, AppNav; Cloud Intelligent Network – Security, App Visibility & Control (AVC), Cloud Connectors, Medianet

Page 18: BRKARC-2091

Application Visibility & Control

Page 19: BRKARC-2091

“Today Network is an IT Blind Spot”

• Static port classification is no longer enough
• More and more apps are opaque
• Increasing use of Encryption and Obfuscation
• Application consists of multiple sessions (Video, Voice, Data)

Page 20: BRKARC-2091

Next Generation Networks will be Application Aware

• Gain visibility into applications running in the network, performance trends, and user experiences
• Intelligently prioritize and control application traffic to maximize user experience

Page 21: BRKARC-2091

What is the Application Visibility and Control (AVC) Solution

Application Recognition (ASR1K, ISR G2): Identify applications using L3 to L7 information

Perf. Collection & Exporting (ASR1K, ISR G2): Collect application performance metrics, and export to management tool over NFv9/IPFIX

Reporting Tools / Management Tool: Advanced reporting tool aggregates and reports application performance – App Visibility & User Experience Report

App         BW    Transaction Time
SAP         3M    150 ms   …
Sharepoint  10M   500 ms   …

Control (ASR1K, ISR G2; High / Med / Low): Control application usage to maximize application performance

Page 23: BRKARC-2091

Next Generation NBAR (NBAR2) – Deep Packet Inspection (DPI) [Application Recognition]

NBAR2 combines IOS NBAR (+150 Signatures), SCE Classification (+1000 Signatures) and Innovations: Advanced Classification Techniques, Native IPv6 Classification, Open API 3rd Party Integration

• Provides Advanced Application Classification and Field Extraction capabilities
• In-service upgradable Protocol Definitions – No IOS upgrade or reboot for new Protocol Packs
• Backward compatibility to preserve existing NBAR investments
• NBAR2 Protocol List http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html

Available in IOS 15.2(2)T1 and IOS XE 3.4S

Page 24: BRKARC-2091

Performance Collection & Exporting – What is it?

• Integrated performance monitoring and advanced metrics for different types of applications and use cases

Basic Monitoring (Flexible Netflow and NBAR/NBAR2): What applications, how much bandwidth, flow direction?

Advanced Monitoring:
• Voice and Video Performance (Media Monitoring) – 30% of traffic is voice and video
• Critical Applications Performance (Application Response Time) – 40% of traffic is critical applications
• HTTP

Page 25: BRKARC-2091

Gaining Full Visibility with Flexible Netflow [Perf. Collection & Exporting]

Netflow: L3 and L4
Flexible NetFlow: L3 and L4, L2, L7 (NBAR), Performance Metrics (MMON, ART), Network Metrics (QoS), Other Metrics

• Extensible to support new and future metrics
• Monitors data from layer 2 thru 7
• Collect only what is needed – define your own record format and aggregation

Netflow to FNF Migration Guide: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/ps6965/white_paper_c11-545581.html

Page 26: BRKARC-2091

Better Visibility with NBAR2 and FNF [Perf. Collection & Exporting]

• Application Information exported in FNF records
• Reporting tools display top client & server
• show ip nbar protocol-discovery top-n

Router#show ip nbar protocol-discovery top-n 10

 GigabitEthernet0/0/3
                          Input                       Output
                          -----                       ------
 Protocol                 Packet Count                Packet Count
                          Byte Count                  Byte Count
                          30sec Bit Rate (bps)        30sec Bit Rate (bps)
                          30sec Max Bit Rate (bps)    30sec Max Bit Rate (bps)
 ------------------------ --------------------------- ---------------------------
 webex-meeting            45807530                    163458047
                          2497543722                  129842885217
                          115000                      5998000
                          152000                      7799000
 bittorrent               59667396                    156155174
                          12768822744                 103187176646
                          555000                      4715000
                          697000                      5077000
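What the reporting tool does with the "Application Information exported in FNF records" can be seen end to end by decoding one export. The following is an added example, not from this Cisco deck: it builds a constructed NetFlow v9 packet (one template FlowSet and three flow records) that carries the APPLICATION_ID field NBAR2 fills in, parses it, and totals bytes per application, the roll-up behind a top-applications report. The field type numbers are the standard NetFlow v9 ones; the IP addresses, the flow values and the application-ID-to-name table are constructed for the example and are not real NBAR2 identifiers.

```python
import ipaddress
import struct
from collections import defaultdict

# NetFlow v9 field types used in this example.
F_IN_BYTES, F_IN_PKTS, F_PROTOCOL, F_L4_SRC, F_IPV4_SRC = 1, 2, 4, 7, 8
F_L4_DST, F_IPV4_DST, F_APP_ID = 11, 12, 95

# Constructed sample: (engine id, selector) -> application name. Not real NBAR2 ids.
APP_NAMES = {(13, 0x42): "webex-meeting", (13, 0x43): "bittorrent"}

TEMPLATE_ID = 256
TEMPLATE_FIELDS = [(F_IPV4_SRC, 4), (F_IPV4_DST, 4), (F_PROTOCOL, 1), (F_L4_SRC, 2),
                   (F_L4_DST, 2), (F_IN_BYTES, 4), (F_IN_PKTS, 4), (F_APP_ID, 4)]


def build_template_flowset(template_id, fields):
    """FlowSet ID 0: template id, field count, then (type, length) pairs."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_flowset(template_id, records):
    """FlowSet ID >= 256 names the template; length covers header, records, padding."""
    body = b"".join(records)
    pad = (-len(body)) % 4
    return struct.pack("!HH", template_id, 4 + len(body) + pad) + body + b"\x00" * pad


def make_record(src, dst, proto, sport, dport, nbytes, pkts, engine, selector):
    """One flow record; APPLICATION_ID is a 1-byte engine id plus a 3-byte selector."""
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!BHHII", proto, sport, dport, nbytes, pkts)
            + bytes([engine]) + selector.to_bytes(3, "big"))


def sample_packet():
    """Constructed export: 20-byte header, one template FlowSet, three flow records."""
    records = [
        make_record("10.1.1.20", "192.0.2.10", 6, 51000, 443, 120000, 300, 13, 0x42),
        make_record("10.1.1.21", "192.0.2.10", 6, 51001, 443, 80000, 200, 13, 0x42),
        make_record("10.1.1.22", "203.0.113.7", 6, 6881, 6881, 500000, 900, 13, 0x43),
    ]
    header = struct.pack("!HHIIII", 9, 1 + len(records), 123456, 1365811200, 1, 0)
    return (header + build_template_flowset(TEMPLATE_ID, TEMPLATE_FIELDS)
            + build_data_flowset(TEMPLATE_ID, records))


def decode_record(raw):
    """raw: {field type: bytes} -> readable flow dict with the application name."""
    u = lambda ftype: int.from_bytes(raw[ftype], "big")
    engine, selector = raw[F_APP_ID][0], int.from_bytes(raw[F_APP_ID][1:], "big")
    return {"src": str(ipaddress.IPv4Address(raw[F_IPV4_SRC])),
            "dst": str(ipaddress.IPv4Address(raw[F_IPV4_DST])),
            "proto": u(F_PROTOCOL), "sport": u(F_L4_SRC), "dport": u(F_L4_DST),
            "bytes": u(F_IN_BYTES), "pkts": u(F_IN_PKTS),
            "app": APP_NAMES.get((engine, selector), f"unknown:{engine}:{selector}")}


def parse_netflow_v9(packet):
    """Walk the FlowSets: learn templates, decode data records, skip what is unknown."""
    if struct.unpack_from("!H", packet, 0)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, flows, off = {}, [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4:
            raise ValueError("malformed FlowSet length")
        fs = packet[off + 4:off + fs_len]
        if fs_id == 0:                                    # template FlowSet
            p = 0
            while p + 4 <= len(fs):
                tid, nfields = struct.unpack_from("!HH", fs, p)
                if nfields == 0:                          # trailing padding
                    break
                templates[tid] = [struct.unpack_from("!HH", fs, p + 4 + 4 * i)
                                  for i in range(nfields)]
                p += 4 + 4 * nfields
        elif fs_id >= 256 and fs_id in templates:         # data FlowSet, template known
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            if rec_len > 0:
                for p in range(0, len(fs) - rec_len + 1, rec_len):
                    raw, q = {}, p
                    for ftype, flen in fields:
                        raw[ftype] = fs[q:q + flen]
                        q += flen
                    flows.append(decode_record(raw))
        # A data FlowSet whose template has not arrived yet is skipped, as a collector does.
        off += fs_len
    return flows


def bytes_per_application(flows):
    """Per-application byte totals, largest first."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["app"]] += f["bytes"]
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))
```

Templates are stateful: a collector that restarts sees data FlowSets it cannot decode until the exporter resends the template, which is why the parser skips rather than fails on an unknown template id.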

Page 27: BRKARC-2091

Active or Passive Monitoring for Performance Measurement [Perf. Collection & Exporting]

Active Monitoring (Active Probing: IPSLA Sender and IPSLA Responder on Router 1 / Router 2)
• Generate synthetic traffic into the network
• Require IOS responder for advanced monitoring types

Passive Monitoring (FNF, MMON, ART)
• Inspect traffic to measure performance metrics
• Performance metrics available only when there is traffic

Page 28: BRKARC-2091

Application Response Time (ART) Measurement

Key Features
• 27 Application Response Time (ART) Metrics
• Interact with NBAR2 for Application ID and field extraction information
• In ISR G2, provided by Performance Agent (PA)
• In ASR1K, ART is part of unified monitoring

Benefits
• Visibility into application usage and performance
• Quantify user experience
• Troubleshoot application performance
• Track service levels for application delivery

Diagram: Branch – WAN – Data Center; user complaints “My query is taking long time!”, “My email is slow!”; operator question “How do I ensure my SLA is met”; metrics exported over NFv9/IPFIX to the Reporting Tool

Availability: ISR G2 15.2(4)M2; ASR1K 3.8S

Page 29: BRKARC-2091

ART Path Network Segment Breakdown

• Separate application delivery path into client and server segments
• Server Network Delay (SND) approximates WAN Delay
• Latency per application

Diagram: Network Clients – Client Network – Branch ISR-G2 – Server Network – Application Servers. Request/Response timing is split into Client Network Delay (CND), Server Network Delay (SND) and Application Delay (AD); CND and SND together form the Network Delay (ND), and the Total Delay spans all segments.
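The segment breakdown above is easiest to understand from a packet trace. The following is an added example, not from this Cisco deck: a simplified passive ART model for a probe sitting on the branch router, which derives SND and CND from the TCP handshake, AD from request/response timing, and then checks the result against an SLA. The real ART implementation exports 27 metrics and is not reproduced; the Packet class, the millisecond timestamps, the trace and the SLA limits are all constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t_ms: int         # time the packet passed the probe (branch router), milliseconds
    direction: str    # "c2s" (client to server) or "s2c" (server to client)
    kind: str         # "SYN", "SYN-ACK", "ACK" or "DATA"


def art_metrics(trace):
    """ART segment delays (ms) for one TCP transaction, or None when there is no traffic.

    With the probe between client and server:
      SND = SYN -> SYN-ACK round trip on the server side of the probe
      CND = SYN-ACK -> ACK round trip on the client side of the probe
      ND  = CND + SND
      AD  = first response seen minus last request seen, minus SND
            (the server-side round trip is network time, not application time)
      total = CND + AD + SND, the slide's Total Delay
    """
    syn = next(p.t_ms for p in trace if p.kind == "SYN" and p.direction == "c2s")
    synack = next(p.t_ms for p in trace if p.kind == "SYN-ACK" and p.direction == "s2c")
    ack = next(p.t_ms for p in trace
               if p.kind == "ACK" and p.direction == "c2s" and p.t_ms >= synack)
    responses = [p.t_ms for p in trace if p.kind == "DATA" and p.direction == "s2c"]
    requests = [p.t_ms for p in trace if p.kind == "DATA" and p.direction == "c2s"
                and (not responses or p.t_ms < responses[0])]
    if not requests or not responses:
        return None          # passive monitoring: no request/response, no metric
    snd = synack - syn
    cnd = ack - synack
    ad = max((responses[0] - requests[-1]) - snd, 0)
    return {"CND": cnd, "SND": snd, "ND": cnd + snd, "AD": ad,
            "total": cnd + ad + snd,
            "transaction_time": responses[-1] - requests[0]}


def sla_breaches(metrics, sla):
    """{metric: (measured, limit)} for every metric above its SLA limit."""
    return {k: (metrics[k], lim) for k, lim in sla.items() if metrics[k] > lim}


# Constructed trace: one query from a branch client to a data-centre server.
SAMPLE_TRACE = [
    Packet(0, "c2s", "SYN"), Packet(40, "s2c", "SYN-ACK"), Packet(42, "c2s", "ACK"),
    Packet(50, "c2s", "DATA"),                                  # request
    Packet(140, "s2c", "DATA"), Packet(160, "s2c", "DATA"),     # response
]
SAMPLE_SLA = {"SND": 60, "AD": 30, "total": 150}   # constructed limits, ms

if __name__ == "__main__":
    m = art_metrics(SAMPLE_TRACE)
    print(m)
    print("SLA breaches:", sla_breaches(m, SAMPLE_SLA))
```

On the sample trace the WAN (SND) is within its limit and the application delay is what breaches the SLA, which is the distinction the segment breakdown exists to make: the same total delay reads very differently depending on which segment carries it.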

Page 30: BRKARC-2091

Application-aware QoS with NBAR2 [Control]

Application          BW                       Priority
Business Critical    Committed 50%            High
Browsing             30% (=15% of the line)   Normal
  Internal Browsing  60% (Out of Browsing)
Remaining            70% (=35% of the line)   Normal

class-map match-all business-critical
 match protocol citrix
 match access-group 101
class-map match-any browsing
 match protocol attribute category browsing
class-map match-any internal-browsing
 match protocol http url "*myserver.com*"
policy-map internal-browsing-policy
 class internal-browsing
  bandwidth remaining percent 60
policy-map my-network-policy
 class business-critical
  priority percent 50
 class browsing
  bandwidth remaining percent 30
  service-policy internal-browsing-policy
interface Serial0/0/0
 service-policy output my-network-policy

Resulting split of the line: Business-Critical – High Priority, 50% committed (Committed BW = 50% of the line); Excess BW (50% of the line) – Browsing: 30% of Excess BW (=15% of the line), of which Internal-Browsing: 60% of Browsing; Remaining: 70% of Excess BW (=35% of line)
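The percentages in a nested policy are easy to misread (the 60% on internal-browsing is 60% of browsing's 15%, i.e. 9% of the line), so it is worth checking them before the policy goes on an interface. The following is an added example, not from this Cisco deck: a small parser for the policy-map/class lines shown above and an allocation model that turns them into shares of the line. The parser and the model are this example's own simplification (priority percent is committed from the parent budget, bandwidth remaining percent splits what is left, a child service-policy divides its parent class's share the same way); it is not a simulation of the IOS scheduler. SLIDE_CONFIG reproduces the slide's configuration.

```python
SLIDE_CONFIG = """
class-map match-all business-critical
 match protocol citrix
 match access-group 101
class-map match-any browsing
 match protocol attribute category browsing
class-map match-any internal-browsing
 match protocol http url "*myserver.com*"
policy-map internal-browsing-policy
 class internal-browsing
  bandwidth remaining percent 60
policy-map my-network-policy
 class business-critical
  priority percent 50
 class browsing
  bandwidth remaining percent 30
  service-policy internal-browsing-policy
interface Serial0/0/0
 service-policy output my-network-policy
"""


def parse_policy_maps(config):
    """{policy-map: {class: {"priority"|"remaining": pct, "child": policy-map}}}."""
    policies, cur_pm, cur_class = {}, None, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "policy-map":
            cur_pm, cur_class = policies.setdefault(tok[1], {}), None
        elif tok[0] in ("class-map", "interface"):
            cur_pm = cur_class = None               # leaving policy-map mode
        elif tok[0] == "class" and cur_pm is not None:
            cur_class = cur_pm.setdefault(tok[1], {})
        elif cur_class is None:
            continue                                # match lines, interface lines
        elif tok[:2] == ["priority", "percent"]:
            cur_class["priority"] = int(tok[2])
        elif tok[:3] == ["bandwidth", "remaining", "percent"]:
            cur_class["remaining"] = int(tok[3])
        elif tok[0] == "service-policy" and len(tok) == 2:
            cur_class["child"] = tok[1]
    return policies


def line_shares(policies, name, budget=100.0, prefix=""):
    """Map each class (and the implicit class-default) to its share of the line in %."""
    classes = policies[name]
    committed = sum(c.get("priority", 0) for c in classes.values())
    remaining = sum(c.get("remaining", 0) for c in classes.values())
    if committed > 100 or remaining > 100:
        raise ValueError(f"{name}: percentages exceed 100")
    excess = budget * (100 - committed) / 100
    shares = {}
    for cls, attrs in classes.items():
        if "priority" in attrs:
            share = budget * attrs["priority"] / 100
        else:
            share = excess * attrs.get("remaining", 0) / 100
        shares[prefix + cls] = share
        if "child" in attrs:
            shares.update(line_shares(policies, attrs["child"], share, prefix + cls + "/"))
    shares[prefix + "class-default"] = excess * (100 - remaining) / 100
    return shares


def leaf_total(shares):
    """Sum of the shares that are not subdivided further; must equal the budget."""
    return sum(v for k, v in shares.items()
               if not any(o != k and o.startswith(k + "/") for o in shares))


if __name__ == "__main__":
    for cls, pct in line_shares(parse_policy_maps(SLIDE_CONFIG), "my-network-policy").items():
        print(f"{cls:35s} {pct:5.1f}% of the line")
```

The leaf total is the useful invariant: if the leaves of the tree do not add up to 100% of the line, some class is either double-counted or unaccounted for, and class-default is absorbing more or less than intended.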

Page 31: BRKARC-2091

GRE/IPSec Network QoS Design [Control]

Direction of packet flow: the packet is initially marked; by default the ToS value is copied to the IPSec header; the top-most ToS is rewritten on egress; the packet is decapsulated to reveal the original ToS byte (DSCP values shown along the path: CS5 and AF41).

policy-map WAN-OUT
 class VOICE
  priority percent 10
 class VIDEO-INTERACTIVE
  priority percent 23
  set ip dscp af41
 class NETWORK-MGMT
  bandwidth percent 5
  service-policy MARK-BGP
 class class-default
  bandwidth percent 25
  random-detect
!
policy-map Int-Gig-Agg-HE
 class class-default
  shape average 1000000000
  service-policy WAN-OUT

The set ip dscp af41 action remarks the DSCP value on the encrypted/encapsulated header on the egress interface (DSCP AF41).

Page 32: BRKARC-2091

Performance Routing (PfR) – Application aware adaptive routing [Control]

• Full utilization of expensive WAN bandwidth – Efficient distribution of traffic based upon load, circuit cost and path preference
• Improved Application Performance – Per application best path based on delay, loss, jitter measurements
• Increased Application Availability – Protection from carrier blackouts and brownouts

Diagram labels: Headquarter (ASR1K, ASR1K, PfR MCs, WAE Cluster, Email VMs) – SP A MPLS GETVPN, SP B MPLS GETVPN, Internet DMVPN – Branch (ISR G2, PfR MC/BR; ASR1K, ASR1K, PfR BRs); Master Controller (MC), Border Router (BR); Email Path, Video Path

Page 33: BRKARC-2091

PfR Use Case Examples – Protecting critical applications while Maximizing bandwidth utilization [Control]

Cloud Service & Load Balancing Policy (Internet: ISP-1 (Primary), ISP-2 (Secondary))
• Protect business Cloud applications from Internet brownout – Loss <10%
• Cloud Service preferred path – ISP1
• Maximize all ISP bandwidth by load sharing all other Internet traffic
Diagram: Cloud Service, Best Effort traffic; “Detect loss > 10%”

Multimedia & Critical Data Policy (WAN: SP-A (MPLS VPN), SP-B (MPLS VPN))
• Protect voice and video quality
‒ Latency < 200ms; Jitter < 30ms
• Protect VDI applications from brownouts
‒ Loss < 5%
• Voice & Video preferred path SP-A
• VDI preferred path SP-B
• Maximize utilization by load sharing
Diagram: Voice&Video, VDI, Best Effort traffic; “Detect high jitter”
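The two policies above reduce to a decision per traffic class: walk the preferred paths in order, take the first one whose measurements are within the thresholds, and for load-shared classes pick the least loaded in-policy path. The following is an added example, not from this Cisco deck, that encodes those policies and applies them to a set of per-path measurements. The policy encoding, the PathStats fields, the traffic-class names and the sample measurements are this example's own constructions; PfR's real configuration syntax and probing are not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PathStats:
    loss_pct: float
    delay_ms: float
    jitter_ms: float
    load_pct: float      # link utilisation


# Traffic class -> thresholds and ordered path preference, constructed from slide 33.
POLICIES = {
    "cloud-service": {"max_loss": 10, "preferred": ["ISP-1", "ISP-2"]},
    "internet-best-effort": {"preferred": ["ISP-1", "ISP-2"], "load_share": True},
    "voice-video": {"max_delay": 200, "max_jitter": 30, "preferred": ["SP-A", "SP-B"]},
    "vdi": {"max_loss": 5, "preferred": ["SP-B", "SP-A"]},
    "wan-best-effort": {"preferred": ["SP-A", "SP-B"], "load_share": True},
}


def in_policy(stats, policy):
    """True when the measured path meets every threshold the policy sets."""
    return (stats.loss_pct <= policy.get("max_loss", 100)
            and stats.delay_ms <= policy.get("max_delay", float("inf"))
            and stats.jitter_ms <= policy.get("max_jitter", float("inf")))


def choose_path(traffic_class, measurements):
    """Return (path, reason) for a traffic class given {path: PathStats}."""
    policy = POLICIES[traffic_class]
    candidates = [p for p in policy["preferred"] if p in measurements]
    ok = [p for p in candidates if in_policy(measurements[p], policy)]
    if not ok:
        # Every path is out of policy: stay on the most preferred one, since moving
        # would not help, and leave it to monitoring to raise the brownout.
        return candidates[0], "all paths out of policy"
    if policy.get("load_share"):
        best = min(ok, key=lambda p: measurements[p].load_pct)
        return best, "load share: least utilised in-policy path"
    return ok[0], "most preferred in-policy path"


def route_all(measurements):
    """Path chosen for every traffic class under the current measurements."""
    return {tc: choose_path(tc, measurements)[0] for tc in POLICIES}


# Constructed measurements: ISP-1 in brownout, SP-A carrying high jitter.
SAMPLE_MEASUREMENTS = {
    "ISP-1": PathStats(loss_pct=12, delay_ms=80, jitter_ms=10, load_pct=70),
    "ISP-2": PathStats(loss_pct=0.5, delay_ms=95, jitter_ms=12, load_pct=40),
    "SP-A": PathStats(loss_pct=0.1, delay_ms=60, jitter_ms=45, load_pct=55),
    "SP-B": PathStats(loss_pct=2, delay_ms=70, jitter_ms=8, load_pct=35),
}

if __name__ == "__main__":
    for tc in POLICIES:
        print(f"{tc:22s} -> {choose_path(tc, SAMPLE_MEASUREMENTS)}")
```

Note the failure mode handled at the end of choose_path: when no path satisfies the policy, the right answer is not to flap between equally bad paths but to stay put and alarm, which is what the "all paths out of policy" reason is for.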

Page 34: BRKARC-2091

Cisco Prime Infrastructure – Assurance [Management Tool]

• Configuration of AVC features*
• Network Monitoring
• Service Monitoring
• Reporting and Trends
• Multi-NAM Manager
• Packet and Flows Analysis
• Application Response Time
• Voice and Video Metrics
• Distributed SNMP and Netflow Collection

Page 35: BRKARC-2091

WAAS and UCS E Series


Page 36: BRKARC-2091

Cisco WAAS – Enhancing user experience and WAN efficiency

Problem
• Poor Application responsiveness
• WAN Bandwidth costs

Solution
• Reduce load – Data Redundancy Elimination, Compression, TCP optimization
• Application Optimization – Fewer protocol messages, Meta data caching, ...

Chart: Application Bandwidth (Mbps, 0–160) natively vs. with WAAS – Bandwidth Saved; Application Latency (Seconds, 0–4) natively vs. with WAAS – Reduced Latency

Page 37: BRKARC-2091

Challenges of Desktop Virtualization over WAN

Three challenges: Hairpinning; WAN’s effects on Users Experience; Display Protocol Opaque to the Network

• Video processed on HVD overloading server compute and bandwidth
• End-users experience no pixelization on LAN, but see pixelization over the WAN (T1)
• Increasing bandwidth is expensive and might not help

Diagram labels: Branch Office, Branch Router, Data Center, Video Source, Campus, Display Protocol

Page 38: BRKARC-2091

Display Protocol – WAAS 5.0 optimization with Citrix ICA AO

• WAAS will optimize encrypted and compressed ICA desktop session traffic (no changes required on ICA client, HVD, or DC infrastructure) for all versions of XenDesktop and XenApp
• Includes WAAS 4.4 Application aware DRE feature for unidirectional caching of desktop session traffic which improves the scalability and Application performance

Diagram labels: ICA client – Branch Router – WAAS – Display Protocol Acceleration – WAAS – Aggregation Router – Citrix HVD (Data Center)

Note: Multi-Session ICA (MSI) in XenDesktop 5.5 is not supported in the current release. If MSI is used only one initial session (port 1498) will be optimized automatically. Other flows will be treated as regular TCP flows

Page 39: BRKARC-2091

Cisco WAAS: WAN Optimization Solution

Diagram labels: SOHO User – WAAS Mobile Software; Mobile User; Branch Office – WAAS Service Module; Branch Office – IOS WAAS Express; Branch Office – WAAS WAE Appliance; Regional Office – WAAS WAE Appliance; WAN; Internet; VPN; WAAS Mobile Server; Data Center or Private Cloud – WAAS WAE Appliances, VMware ESXi vWAAS Appliances, Server VMs, vWAAS, VMware ESXi Server, Nexus 1000v vPATH, UCS/x86 Server, FC SAN, Nexus 1000v VSM; Virtual Private Cloud – CSR 1000V

Page 40: BRKARC-2091

Lean Branch Office Applications – Edge Applications That Defy Centralization

Core Windows Services
• DNS and DHCP Servers
• Microsoft Active Directory
• Windows Print Services
• Windows File Services
• Others …

Mission Critical Business Applications
• Point of Sale Server
• Bank Teller Control Point
• Electronic Medical Records
• Inventory Management
• Others …

Client Management Services
• Software Update Service
• Client Monitoring Service
• Backup and Recovery
• Terminal Server Gateway
• Others …

Page 41: BRKARC-2091

UCS E – Extend Cloud Services into Branch Infrastructure

Support on ISR G2 2911 and above

Diagram labels: IOS, MGF Backplane Switch; SRE Blade – SRE-V Hypervisor – OS/App, OS/App; CIMC; SRE Blade – SRE-V Hypervisor – OS/App, OS/App

Platform for WAN Edge Applications
• Microsoft Windows Server-Certified Server Virtualization
• Cisco SRE Virtualization Powered by VMware vSphere Hypervisor™ (ESXi)

Dedicated Blade Management
• Cisco Integrated Management Controller
• Consistent management for UCS family

Multipurpose x86 Blades
• Cisco Service-Ready Engine modules
• House up to four server blades in ISR G2

Single-Device Network Integration
• House all devices in ISR G2 chassis
• Multigigabit fabric backplane switch

Page 42: BRKARC-2091

MediaNet & Video Services

Page 43: BRKARC-2091

Medianet Introduction

“I want a network infrastructure so that I should not worry when tomorrow I’ll be asked to implement video applications.”
Massimo Fogaroli – IT Manager, Mediolanum Bank

• Network Aware – Automatically respond to changes in devices and service availability
• Endpoint aware – Automatic detection and configuration
• Media Aware – Detection and Optimization of different media and applications

Visibility, Diagnostics, Network Assessment: Media Trace, Performance Monitoring, IPSLA VO, Flow MetaData

Page 44: BRKARC-2091

Medianet Media Monitoring – Media Assessment, Monitoring, and Troubleshooting

• Pre-deployment assessment / network validation – IP SLA VO: Use ISR G2 DSPs to generate synthetic video, i.e. TelePresence (IP SLA Initiator → IP SLA Responder: Generate TelePresence traffic)
• What path and where is the problem? – Mediatrace and Performance Monitor: Network-initiated mediatrace collecting path and performance metrics of media stream; Cisco Collaboration Manager displays mediatrace results

Diagram: ASR1K – MPLS / Internet DMVPN – ISR G2; Cisco Prime Collaboration Manager: “I am detecting video quality issue – Initiate mediatrace”; “Lost packets seen”

Page 45: BRKARC-2091

Media Monitoring – Performance Monitor [Perf. Collection & Exporting]

• Monitor video traffic traversing different network types
• Generate alert based on user configurable threshold
• Enable on voice/video VLAN – Apply to in/out direction of voice/video VLAN
• Provide metrics including jitter, packet loss, latency, bitrate, etc.
• MediaNet PerfMon is also the Media Monitor (MMon) in AVC

Diagram labels: WAN Headend – MPLS / Internet – Branch; LiveAction

Page 46: BRKARC-2091

Media Troubleshooting – Mediatrace [Diagnostics]

• Use Mediatrace to further troubleshoot media issues
• Initiate Mediatrace to discover path, system resource, or quality metrics on devices in the media path
• Mediatrace responders collect the requested metrics and return to initiator
• Works with Cisco Collaboration Manager

Diagram: VPN Headend – MPLS / Internet – Branch; Collaboration Manager: “Initiate Mediatrace for traffic from Branch phone to Headend phone”

Page 47: BRKARC-2091

Need for End to End Classification [Visibility]

Diagram: voice communication between Marylou and John; what is known at different points along the path:
• “Voice communication started with application ‘X’”
• “Packets have DSCP=EF”
• “I know lots of information from the application that I’m not going to send to the wire”
• “This packet comes from user ‘Marylou’”
• “This packet comes from location ‘Desk1’”
• “This packet comes from Fast1/0”
• “This packet has a DSCP=EF”
• “This flow contains RTP Voice”
• “This flow has a DSCP = EF”

• How to enforce a consistent network policy when classification is different along the path?
‒ Eg: Rule: Prioritize Voice communication from Marylou to John?
• Endpoint can provide information not available or visible to the network

Page 48: BRKARC-2091

MediaNet Metadata for end to end classification – Metadata Flow Principles [Visibility]

1. Application Creates Metadata
2. Metadata Announcement (Metadata DB)
3. Media Flow

Flow Identifier                                           Metadata
IP Src    IP Dst    Prot  L4 Src  L4 Dst  Application               Vendor  Dial From  Dial To   Caller ID
10.1.1.2  20.1.1.2  UDP   2000    4000    Video-Conference (Audio)  Cisco   83922564   85268229  Albert Albatross

Uses: Export of data to NMS; QoS based on Metadata

Page 49: BRKARC-2091

Video Conferencing Services

Centralized MCU (HQ/Campus – MCU, Video mixing; Branch across the WAN)
• Multiple video streams traverse the WAN to a central MCU resource – non-optimal use of limited WAN BW
• Video is mixed by a centralized MCU controlled by CUCM

Local mixing (Video is mixed by the ISR G2 DSPs controlled by CUCM or UCME)
• Keeps traffic local in the branch if all participants are located in the branch
• Ad-hoc and MeetMe conferences

Diagram legend: Signaling, Media

Page 50: BRKARC-2091

Video Delivery Optimization – WAAS + Enterprise Content Delivery System (ECDS)

• Multiple “Publish and Subscribe” Channels for simplified management
• Broad live broadcast protocol support – wmf, silverlight, flash
• Video Pre-positioning

Diagram labels: Data Center – CDN Infrastructure – WAN – Branch Office (+ ECDS), Branch Office (+ ECDS); Context-aware DRE; channels: Signage Channel, HR VOD Channel, Corporate Communications Channel

Page 51: BRKARC-2091

WAN TrustSec Security Services

Page 52: BRKARC-2091

NG WAN Pervasive Security – Secure Reliable Access to Any Services

• Provides data privacy across the WAN
‒ GETVPN any-to-any encryption over MPLS
‒ DMVPN & FlexVPN over 3G/4G or Internet provides dynamic spoke-to-spoke tunnel
• Highly scalable WAN aggregation with encryption
‒ 4000 DMVPN tunnels and 4000 GETVPN Group Members
‒ Up to 28 Gbps of encryption throughput per ASR1K
• Interoperation with QoS and PfR ensures service performance
• TrustSec simplified access control – SGT, SXP, SGACL and SG Firewall

Diagram labels: Headquarter (ASR1K, ASR1K, WAE Cluster, DMVPN Hub, GETVPN COOP KS; Data Center; Private Cloud; SG FW; SXP; SGT) – SP A MPLS GETVPN, SP B MPLS GETVPN, Internet DMVPN – Branch (ISR G2, ASR1K, ASR1K; GETVPN; Standard Branch ISR G2); Protected by DMVPN; Protected by GETVPN

Page 53: BRKARC-2091

Dynamic Multipoint VPN (DMVPN)

• Full meshed connectivity with simple configuration
• Zero-touch configuration for addition of new spokes
• Automatic site-to-site IPSec tunnels
• Transport & Carrier agnostic overlay transport
‒ easy multi-homing
‒ single control plane
‒ simple carrier transition
• Large Scale
‒ Up to 4000 spokes per ASR1k hub with EIGRP or BGP
‒ Hierarchical Hub designs, to scale beyond single hub limits

Diagram: Hub, Spoke 1, Spoke 2, … Spoke n; Traditional Static Tunnels – Static Known IP Addresses; DMVPN Tunnels – Dynamic Unknown IP Addresses; Secure On-Demand Meshed Tunnels; VPN

Page 54: BRKARC-2091

Introducing FlexVPN – A single overlay VPN solution (New)

Diagram: Corporate LAN (Department RED, Department GREEN) with Shortcut Switching (DMVPN), Isolated branches (Easy VPN), Remote Access (AnyConnect)

Page 55: BRKARC-2091

Group Encrypted Transport VPN (GETVPN) – Before and After GET VPN

Before: IPSec P2P Tunnels (Public/Private WAN)
• Scalability—an issue (N^2 problem)
• Overlay routing
• Any-to-any connectivity may require tunnel setup
• Inefficient Multicast replication

After: Tunnel-Less VPN (Private WAN, Private IP WANs; any WAN transport, Multicast)
• Scalable architecture for any-to-any connectivity and encryption
• No overlays—native routing
• Any-to-any instant connectivity
• Efficient Multicast replication

Page 56: BRKARC-2091

Cisco Router Security Certifications

http://www.cisco.com/go/securitycert

Certification columns: FIPS 140-2, Level 2; Common Criteria EAL4; Next-Gen Encryption* Software Support; Next-Gen Encryption* Hardware Assist
Platforms: Cisco ISR 890 Series; Cisco ISR 1900 Series **; Cisco ISR 2900 Series **; Cisco ISR 3900 Series; Cisco ISR 3900E Series; Cisco ASR 1000 Series (N/A **)

* NSA Suite B RFC-4869 cryptographic algorithm for both unclassified and most-classified information
** 1900s and lower 2900 Series require ISMs. Only ASR 1002-X and ESP-100 based ASR 1000s

Page 57: BRKARC-2091

TrustSec SGT over DMVPN and GETVPN

Diagram labels: Branch Network (AP, Catalyst® Switch, HR, Finance, Sales, Admin; SGT; ISR G2) – MPLS GETVPN / Internet DMVPN – ASR1k, Catalyst 6500 – Nexus 7000 Data Center (Nexus 5000/2000, SGACL, SGT Frame); ISE (SGT, Profiler, Posture, Guest Server); Egress Enforcement

Enforcement points:
• WAN – ISR G2/ASR1k, SG Firewall
• Campus Aggregation – Cat6K/Sup2 – SGACL
• Data Center Enforcement – Nexus 7000 – SGT/SGACL

• DMVPN Inline Tagging – ISR G2 (IOS 15.2(2)T)
• SGT over GETVPN support on ISR G2 (IOS PI21*) and ASR1k (XE 3.9*)
• SG Firewall for Egress Enforcement
• SGT Capability exchange during DMVPN IKEv2 negotiations and GETVPN group membership registration
• Learn SGT from SXP or Auth-methods
• Simple one command configuration – DMVPN "crypto ikev2 cts sgt"; GETVPN "tag cts sgt"

* ISR G2 IOS (PI21) and ASR1k IOS (XE3.9) will be available in Spring 2013.

Page 58: BRKARC-2091

Security Group FW Architecture

[Figure: a PC in the branch classified to an SGT; SGFW enforcement on the branch ISR, SGFW enforcement on the ASR1k at enterprise WAN aggregation, and enforcement on a data center switch; the SGT is carried inline or the IP-to-SGT binding is learned via SXP (example binding: 10.1.10.1 → SGT 10); ISE holds the SGACL policies]

• Consistent classification and enforcement between ISR/ASR SGFW and switching (SGACL)
• In general, SGACL and SGFW policy should be kept in sync via the policy administration UI
• SGT allows more dynamic classification in the branch and at WAN aggregation
• Rich logging requirements are met on the SGFW (URL logging, etc.)
• Active/active support in ZBFW allows for asymmetric routing*
• SGFW in ISR G2 IOS 15.2(2)T and ASR1k IOS XE 3.5

* Active/active assumes a shared L3 subnet on router interfaces for redundancy groups
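Added example, not from the deck, covering both the "SGT over DMVPN and GETVPN" slide and the Security Group Firewall slide: the two one-line commands that carry the tag across the WAN overlays, an SXP listener and static binding for an access layer that cannot tag inline, and a zone-based firewall policy that matches on the source SGT instead of IP addresses. SGT 10 as the HR group, the 10.10.10.0/24 data-center HR server subnet, the SXP peer 10.1.1.2 and the GDOI group name are assumed.

```ios
! 1. Carry the SGT inside the WAN overlay so the aggregation router can enforce on it.
!    DMVPN with IKEv2: the SGT capability is negotiated in IKEv2, then tags travel inline.
crypto ikev2 cts sgt
!
!    GETVPN: the key server instructs group members to tag during registration.
crypto gdoi group GET-CORP
 identity number 1234
 server local
  tag cts sgt
!
! 2. Where the router cannot learn tags inline (non-TrustSec access switches),
!    learn IP-to-SGT bindings from a classifying switch over SXP, or map statically.
!    SXP is TCP protected only by a MD5 shared secret: the bindings are only as
!    trustworthy as the peer that speaks them, so pin the peer and the secret.
cts sxp enable
cts sxp default password REPLACE-WITH-SHARED-SECRET
cts sxp connection peer 10.1.1.2 password default mode local listener
cts role-based sgt-map 10.1.10.1 sgt 10
!
! 3. Security Group Firewall: ZBFW classes keyed on the SGT.
!    HR (SGT 10) may reach the data-center HR servers over HTTPS; nothing else
!    from the branch LAN towards the WAN is allowed, and untagged traffic
!    (no SGT, or SGT 0) falls into class-default and is dropped and logged.
ip access-list extended HR-SERVERS
 permit ip any 10.10.10.0 0.0.0.255
!
class-map type inspect match-all HR-TO-DC
 match security-group source tag 10
 match access-group name HR-SERVERS
 match protocol https
!
policy-map type inspect BRANCH-TO-WAN
 class type inspect HR-TO-DC
  inspect
 class class-default
  drop log
!
zone security LAN
zone security WAN
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect BRANCH-TO-WAN
!
interface GigabitEthernet0/1
 description branch LAN
 zone-member security LAN
interface Tunnel0
 description DMVPN overlay towards WAN aggregation
 zone-member security WAN
```

Check the bindings the firewall is actually using with `show cts role-based sgt-map all` and the SXP session with `show cts sxp connections`; `show policy-map type inspect zone-pair LAN-WAN` shows which class each session landed in. The design choice worth noting is fail-closed: a host whose binding is missing (a new subnet not yet learned over SXP, or an SXP session that dropped) is not silently treated as "any" but is blocked and logged, which is the behaviour you want when the tag is the access control.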

Page 59: BRKARC-2091

IPv6

Preserve, Prepare, Prosper

Page 60: BRKARC-2091

IPv6

Why?
• IPv4 address exhaustion (3 Feb '11 was the last day of IANA IPv4 address allocations)
• Government mandate
• IPv6 device and content growth
• Mergers and acquisitions
• Gain familiarity with IPv6

IPv6 Feature Enablement
• IPv6 parity with IPv4 in most cases
• ISR G2 and ASR 1000 designed for IPv6: routers built with more memory and better performance for IPv6
• Broadest coverage in the industry

IPv6 Transitioning
• All transition mechanisms supported: dual stack, tunneling, translation

IPv6 Routing
• Anyone, anything, anywhere, anytime

Page 61: BRKARC-2091

Transitioning Network to IPv6: Preserve, Prepare, Prosper

Cisco NG Enterprise WAN Solutions
• Branch & Campus: dual stack IPv4 and IPv6
• IPv4 WAN: tunnel (IPv6-over-IPv4 "64" tunnels, IPv6 over DMVPNv4)
• IPv6 Internet: translate (NAT64 allows IPv6 devices to access IPv4 applications)

[Figure: dual-stack branch office (ISR G2) → tunnel across the IPv4 WAN → dual-stack WAN aggregation (ASR1K) → campus/data center; at the Internet edge an ASR1K translates (NAT64) between IPv6 devices and IPv4 services]
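Added example, not from the deck: stateful NAT64 on the Internet-edge ASR 1000 (IOS XE), the "translate" leg of the figure above. The tunnel leg (IPv6 over DMVPNv4) is not shown. The enterprise IPv6 client prefix 2001:db8:100::/48, the interface addresses and the public IPv4 pool 203.0.113.10-20 are assumed; the NAT64 prefix is the RFC 6052 well-known prefix.

```ios
ipv6 unicast-routing
!
! Well-known NAT64 prefix (RFC 6052): an IPv6 client reaches IPv4 host A.B.C.D
! as 64:ff9b::A.B.C.D. The router only translates packets; AAAA synthesis
! (DNS64) must be provided by a DNS64-capable resolver elsewhere.
nat64 prefix stateful 64:ff9b::/96
!
! Public IPv4 addresses the IPv6 clients are hidden behind. With overload the
! translator multiplexes sessions on ports, so pool size bounds concurrent state.
nat64 v4 pool NAT64-V4 203.0.113.10 203.0.113.20
!
! NAT64 is stateful, so the translation table is a resource an attacker can
! fill. Only the enterprise client prefix may create state; any other IPv6
! source arriving on the inside interface gets no entry.
ipv6 access-list NAT64-CLIENTS
 permit ipv6 2001:db8:100::/48 any
nat64 v6v4 list NAT64-CLIENTS pool NAT64-V4 overload
!
interface GigabitEthernet0/0/0
 description IPv6 campus/WAN side
 ipv6 address 2001:db8:ffff::1/64
 nat64 enable
!
interface GigabitEthernet0/0/1
 description IPv4 Internet side
 ip address 203.0.113.2 255.255.255.0
 nat64 enable
```

Internal routing must send 64:ff9b::/96 to this router (an IGP or a static route on the WAN aggregation, not shown). `show nat64 translations` lists the active IPv6-to-IPv4 session bindings and `show nat64 statistics` shows drops, including packets that failed the NAT64-CLIENTS list. Because all IPv6 clients appear on the Internet as a handful of pool addresses, firewall and logging on the IPv4 side lose per-host identity; keep NAT64 session logging or NetFlow on the translator if you need to attribute an outbound connection to a client.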

Page 62: BRKARC-2091


Hybrid Cloud Services

Virtual Private Clouds

Virtual Networking Services

Cloud Services Router

Page 63: BRKARC-2091

Hybrid Cloud Definition: Virtual Private Clouds (VPC)

[Figure: Cloud Intelligent Network spanning Private Cloud (ASR 1000, AVC, ASA, WAAS, AppNav), Virtual Private Cloud (ASA 1000V, Nexus 1000V, vWAAS, VSG, VXLAN, CSR 1000V, vPath) and Public Cloud (HCS services); cloud network services: security, App Visibility & Control (AVC), Cloud Connectors, Medianet]

Hybrid clouds exist on the premises and are maintained by a cloud provider. Resources are allocated to individual companies or organizations, providing them the look and feel of a private cloud within a shared cloud environment.

Source: NIST

Page 64: BRKARC-2091

Hybrid – Virtual Private Cloud: Virtual Networking Services

Cloud Network Services (multi-hypervisor):
• CSR 1000V: WAN gateway; IOS networking
• vWAAS: WAN optimization; application traffic
• ASA 1000V: edge firewall; protocol inspection
• VSG: zone-based firewall; VM-level control
• Nexus 1000V: distributed switch; NX-OS consistency

[Figure: cloud provider's data center with physical infrastructure (multi-hypervisor servers) and virtual infrastructure; Tenant A with Department A and Department B behind ASA 1000V and CSR 1000V, a VSG per department, vWAAS with AppNav, all attached to the Nexus 1000V with vPath]

Page 65: BRKARC-2091

Cisco CSR 1000V: Cisco IOS Software in Virtual Form-Factor

[Figure: server → hypervisor → virtual switch; the CSR 1000V runs as a VM alongside application VMs (OS + App) in a VPC/vDC]

• Virtual Route Processor (RP)
• Virtual Forwarding Processor (FP)
• Optimized for single-tenant use cases
• Hypervisor agnostic
• Virtual switch agnostic
• Server agnostic

Page 66: BRKARC-2091

Public Cloud Services

Cloud Connectors

Page 67: BRKARC-2091

Public Cloud Definition

[Figure: the same Cloud Intelligent Network diagram as on the hybrid cloud slide (Private Cloud: ASR 1000, AVC, ASA, WAAS, AppNav; Virtual Private Cloud: ASA 1000V, Nexus 1000V, vWAAS, VSG, VXLAN, CSR 1000V, vPath; services: security, AVC, Cloud Connectors, Medianet), with the Public Cloud and its HCS services highlighted]

Operated wholly by cloud providers, public clouds offer services to companies, organizations and individuals using a fully virtualized environment hosted in the cloud. Services are delivered in a shared environment even though they might be provisioned or customized for the needs of the individual organization.

Source: NIST

Page 68: BRKARC-2091

What is Cloud Connector?

• Connects a corporate network to a cloud service
• Application- or service-specific, to ensure transparent access
• Improves delivery of public cloud services: provisioning, performance, security, reliability, management
• Cloud Connector solutions include ScanSafe, WebEx Media, Hosted Collaboration Service, Storage/Backup, …

[Figure: headquarters campus (ASR1K pair) and branch (ASR1K) connected over MPLS with GETVPN and over the Internet; a cloud connector reaches a public cloud hosting email VMs]

Page 69: BRKARC-2091

Example – ScanSafe Cloud Connector

• ScanSafe provides secure access to public cloud services
• Single policy portal, ease of deployment and management
• Direct Internet access from the branch reduces WAN cost and improves application performance

[Figure: same headquarters/branch topology; the branch router runs the ScanSafe cloud connector, sending Internet-bound traffic to ScanSafe for web security, web filtering, centralized reporting and consistent policy control before it reaches public cloud applications on the Internet]
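Added example, not from the deck: the ScanSafe (Cloud Web Security) connector on a branch ISR G2, which is what makes "direct Internet access" from the branch acceptable: web traffic leaving the branch is redirected to the cloud proxy towers, where the policy portal's rules apply, instead of going to the Internet unfiltered. Tower names, ports, the license key, interface names and the exact set of parameter-map options are assumptions; the option names available vary by IOS release.

```ios
! Cloud Web Security connector; the license key authenticates this router to
! the service (placeholder value) and must be treated as a credential.
parameter-map type content-scan global
 server scansafe primary name proxy1.scansafe.example port http 8080 https 8080
 server scansafe secondary name proxy2.scansafe.example port http 8080 https 8080
 license 0 0123456789abcdef0123456789abcdef
 source interface GigabitEthernet0/1
 timeout server 30
 ! The security-relevant choice: if no tower can be reached, block web traffic
 ! rather than letting it bypass the cloud policy (the default is allow-all).
 server scansafe on-failure block-all
!
interface GigabitEthernet0/0
 description direct Internet access from the branch
 ip address dhcp
 ! Redirect outbound HTTP/HTTPS leaving this interface to the towers
 content-scan out
!
interface GigabitEthernet0/1
 description branch LAN
 ip address 10.20.1.1 255.255.255.0
```

`show content-scan summary` shows which tower is active and `show content-scan session active` the sessions currently redirected. Corporate destinations reached over the VPN never transit GigabitEthernet0/0, so they are untouched; anything that should go directly to the Internet without inspection has to be explicitly whitelisted, otherwise the fail-closed setting above blocks it when the towers are down. Remember that the connector only sees HTTP and HTTPS: other outbound protocols still need the zone-based firewall on the same interface.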

Page 70: BRKARC-2091

Example – WebEx Media Connector

• WebEx Media Connector peers directly with the enterprise WAN: CUCM+CUBE deployed at the enterprise and firewalls+CUBE in the WebEx cloud secure the borders with WebEx.
• Improves voice and video conferencing quality
• Reduces 800 (toll-free) charges

[Figure: same headquarters/branch topology (ASR1K routers over MPLS with GETVPN and the Internet); the WebEx cloud connector reaches the Cisco WebEx Collaboration Cloud]

Page 71: BRKARC-2091

Example – Cloud Storage Connector (third-party connector)

• Cisco ISR G2 and UCS® E-Series with Cloud Storage Gateway
• Branch office agent-less solution: cloud storage is cached on the UCS E; branch files are backed up to the cloud
• Backup agent for roaming laptops
• End-user virtual portal: users access their own cloud backups and folders, restore and share files
• MSP admin portal: manage end-user accounts, service provisioning and billing

[Figure: branch office ISR G2 with UCS E-Series connected to the MSP network]

Page 72: BRKARC-2091

Platform Overview

Page 73: BRKARC-2091

Prime Infrastructure 1.2: Functional Overview

• A single integrated solution for comprehensive lifecycle management of wired/wireless access, campus, and branch networks
• Automates compliance with regulatory requirements, Cisco and IT best practices
• Utilizes rich performance data for end-to-end network visibility to assure application delivery and optimal end-user experience

Page 74: BRKARC-2091

ISR G2 Portfolio: Recommended Positioning with Services

[Chart: WAN access speed with services on the vertical axis (ticks at 10, 15, 25, 35, 50, 75, 100, 150, 250 and 350 Mb); access types along the horizontal axis: EFM/sub-rate FE, VDSL2+/sub-rate FE, line-rate FE+, line-rate N x FE; platforms positioned in ascending order 800, 1921, 1941, 2901, 2911, 2921, 2951, 3925, 3945, 3925E, 3945E and grouped as Mobile Branch, Standard Branch and High-End Branch]

Page 75: BRKARC-2091

Cisco ASR 1000 Series Routers: Overview
Designed today for up to 360 Gbps in the future

One IOS-XE feature set across the family:
• ASR 1001: 2.5–5 Gbps
• ASR 1002: 2.5–10 Gbps
• ASR 1002-X: 5–36 Gbps
• ASR 1004: 10–40 Gbps
• ASR 1006: 10–100+ Gbps
• ASR 1013: 10–360 Gbps

Compact, powerful router / Instant-on service delivery / Business-critical resiliency:
• Integrated firewall, VPN, encryption, NBAR, CUBE
• Scalable on-chip service provisioning through software licensing
• Fully separated control and forwarding planes
• Hardware and software redundancy
• In-service software upgrades
• Line-rate performance 2.5G to 100G+ with services enabled
• Investment protection with modular engines, IOS CLI and SPAs for I/O
• Hardware-based QoS engine with up to 232K queues

Page 76: BRKARC-2091

Wrap Up / Summary

Page 77: BRKARC-2091

Realizing the Borderless Enterprise: Borderless Experience

Anyone, any device, anytime, anywhere: securely, reliably, seamlessly

Cisco Cloud Intelligent Network, spanning private, public and hybrid clouds:
• Application Visibility & Control
• TrustSec
• Operational Simplicity
• MediaNet
• Cloud Connect
• IPv6 Transition

Page 78: BRKARC-2091


Next Generation Enterprise WAN

• Architectural approach to solving business requirements

‒ Modular—Building Blocks with Layered Services

‒ Infrastructure Foundation for Cisco’s Borderless Network

• Cloud Intelligent Network solutions

‒ Private Cloud Services

‒ Hybrid/Virtual Private Cloud Services

‒ Public Cloud Services

• ASR 1000 series high performance Secure WAN aggregation router

• ISR G2 series for integrated branch services security, voice, video and cloud access

• Virtualized Network Services – CSR 1000v, vWAAS, ASA 1000v, Nexus 1000v

• Cisco Prime—Unique Ability to Manage Entire Solution

Wrap Up/Summary

Page 79: BRKARC-2091


Page 80: BRKARC-2091