BRKARC-2091 Transcript
© 2013 Cisco and/or its affiliates. All rights reserved. BRKARC-2091 Cisco Public
Next Generation Enterprise WAN: Branch & Head-End
Scott Van de Houten, Borderless Networks Technical Strategy
BRKARC-2091
Housekeeping
• Please switch your mobile phones to STUN
• We value your feedback—don't forget to complete your online session evaluations after each session and complete the Overall Conference Evaluation which will be available online from Thursday
• Visit the World of Solutions
• Please remember this is a non-smoking venue!
• Please make use of the recycling bins provided
• Please remember to wear your badge to the Party
“Everything is moving to the CLOUD!”
Which Cloud? [Slide labels: Private Cloud? Public Cloud? Hybrid Cloud? It’s in the Cloud!]
• Server, application and desktop virtualization are transforming Data Centers into Private Clouds.
• The Internet and Web have revolutionized how Application Service Providers deliver applications.
• Hosting providers offer virtual infrastructures instead of physical space and equipment – Hybrid Clouds.
• How do you design a network if you don’t know where the applications reside?
• What if the applications move to a different DC, or to a Hybrid Cloud offering?
• How do you isolate user performance issues for Cloud applications?
• Mobile devices enable users to access applications from anywhere at any time – Work Your Way.
• How will all of this impact Security Policies and Procedures?
Agenda
• The Borderless Network
• Next Generation Enterprise WAN
• Private Cloud Services
• Hybrid Cloud Services
• Public Cloud Services
• Platform Overview
• Wrap Up / Summary
Enterprise Megatrends
[Diagram: Mobility (BYOD); Cloud (Private, Public, Hybrid); Immersive Collaboration (Pervasive Video); framed by Cost Control, IT Effectiveness and Security]
Network Implications: Shifting Borders
[Diagram: IT Consumerization shifts the Device Border; the Mobile Worker shifts the Location Border; Video/Cloud (IaaS, SaaS) shifts the Application Border between external-facing and internal applications]
Borderless Networks Architecture
[Diagram: Key IT initiatives (BYOD, Desktop Virtualization, Pervasive Video, Remote Expert, Cloud Computing, IT/OT Convergence) are addressed by system pillars: Network and End-Point Services (EnergyWise energy management, TrustSec policy enforcement, App Visibility and Control, App Performance, Medianet multimedia optimization); Technology Innovation (Wireless, Routing, Switching, Application Networking/Optimization, Security Appliance and Firewall); Risk Management & Compliance; Systems Excellence; all managed by Prime. Solutions: SecureX, Unified Access, Cloud Intelligent Networks, Connected Industries, Cloud Connectors, Cloud Optimization]
Cloud Intelligent Networks Solutions
[Diagram: Public Cloud – Cloud Connectors (ScanSafe, HCS, WebEx CCA, 3rd party) and HCS Services; Virtual Private Cloud – ASA 1000V, Nexus 1000V, vWAAS, VSG, VXLAN, CSR 1000V, vPath; Private Cloud – ASR 1000, AVC, ASA, WAAS, AppNav; branch and WAN edge – Cisco ISR G2, ASR 1000, AVC, WAAS, UCS-E; Cisco Prime Infrastructure; AnyConnect VPN, ScanSafe, WebEx and HCS Cloud Connectors]
Cloud Intelligent Network pillars: Security, App Visibility & Control (AVC), Cloud Connectors, Medianet
Introducing the Next Generation Enterprise WAN
Next Generation Enterprise WAN – High Level Topology
[Diagram: Remote Branches connect over Regional WANs (South, West and East Region Interconnects) to a WAN Core; Local Campus, Data Center and Metro Data Center attach through interconnects; Service Provider services (voice, video, etc.), the Internet as primary or backup WAN, and Public, Private and Hybrid Clouds. Feature strips: Operations, IPv4/v6, TrustSec, MediaNet, Application Visibility & Control, Cloud]
• Efficient use of resources
• Seamless any-to-any services
• Consistent security
Regional WAN Architecture
[Diagram: Standard, High End, Mobile and Ultra High-End Branch/Campus sites (ISR G2, ASR1K) over Serial/Ethernet, DS3/FE, 3G/4G/Satellite and OC3/GE links to SP A and SP V MPLS; redundant, scalable GETVPN and DMVPN headends on ASR1K pairs at the Enterprise Interconnect, with Local Campus, Data Center, Internet and Cisco Prime]
• Standardized Profiles
• Any WAN Transport
• Pervasive, Scalable End-to-end Security
• Intelligent, Per-Application, Adaptive Routing
• Optimized Performance
• Simplify Management, Monitoring, Troubleshooting
Regional WAN Branch Profiles
Flexible deployment options for different service requirements (profiles ordered by increasing performance and availability)
Mobile Branch (retail banking, kiosk, vehicles, cruises): ISR G2 over 3G/4G or Satellite
• 3G/4G or Satellite
• WAAS Express to boost application performance
• Branch mobility
• Deliver video over 4G*
Standard Branch (typical branch office): ISR G2 with MPLS and Internet
• Most common deployment
• Migration from Serial to Ethernet
• SP MPLS VPN with Internet VPN backup
• Application performance
• 4-9s availability
• Deliver SD video
High-end Branch (financial branch, medium/large branch office): dual ISR G2 with dual MPLS
• Migration from DS3 to FastEthernet
• Dual SP MPLS
• Redundant router
• Application performance
• 5-9s availability
• Deliver HD video
Ultra High-end Branch/Campus (remote campus): dual ASR1K with dual MPLS
• Very high bandwidth – up to 1Gb
• Software and hardware redundancy
• Same profile as High-end Branch
• Services scaled up by dedicated appliance engines
Regional WAN Aggregation Profiles
Two WAN Aggregation Profiles for different availability and scalability requirements (ordered by increasing scalability and availability)
Standard Aggregation
• Scale to support 1500 sites
• 4-9s availability
• One device serves multiple roles
• Hardware/software redundancy
High-end Aggregation
• Scale to support 5000* sites
• 5-9s availability
• Dual SP MPLS and Internet
• Redundant Key Server
• Dedicated PfR MC
• Hardware/software redundancy
[Diagram: branch profiles (Mobile, Standard, High-end, Ultra High-end Branch) on the left; Standard Aggregation with an ASR1K pair (GETVPN GM/PfR MC, DMVPN) and an ISR G2 GETVPN KS towards MPLS and Internet; High-end Aggregation with ASR1K GETVPN GMs, DMVPN hub, a dedicated PfR MC and ISR G2 COOP GETVPN KSs towards dual MPLS and Internet]
Private Cloud Services: Application Visibility & Control, WAAS & UCS E, MediaNet, TrustSec Security, IPv6
Private Cloud Definition
Used only by a single company or organization, the Private Cloud looks a lot like the traditional Enterprise Data Centers we’re familiar with, although they tend to focus on virtualized services. They might be operated by a third party instead of the company using them.
Source: NIST
[Diagram: as on the Cloud Intelligent Networks slide – Public Cloud (HCS Services), Virtual Private Cloud (ASA 1000V, Nexus 1000V, vWAAS, VSG, VXLAN, CSR 1000V, vPath), Private Cloud (ASR 1000, AVC, ASA, WAAS, AppNav); pillars Security, App Visibility & Control (AVC), Cloud Connectors, Medianet]
Application Visibility & Control
“Today Network is an IT Blind Spot”
• Static port classification is no longer enough
• More and more apps are opaque
• Increasing use of encryption and obfuscation
• Applications consist of multiple sessions (video, voice, data)
Next Generation Networks will be Application Aware
• Gain visibility into the applications running in the network, performance trends, and user experience
• Intelligently prioritize and control application traffic to maximize user experience
What is the Application Visibility and Control (AVC) Solution?
[Diagram: ASR1K and ISR G2 at each of the four stages]
• Application Recognition: identify applications using L3 to L7 information
• Performance Collection & Exporting: collect application performance metrics and export them to the management tool (NetFlow v9/IPFIX)
• Management Tool / Reporting Tools: an advanced reporting tool aggregates and reports application performance as an App Visibility & User Experience Report (e.g. App / BW / Transaction Time: SAP 3M 150 ms, Sharepoint 10M 500 ms, …)
• Control: control application usage (High/Med/Low) to maximize application performance
AVC Solution – Enabling Technologies
• Application Recognition: NBAR2
• Performance Collection & Exporting: Metric Mediation Agent – FNF, ART, MMON; exported over NetFlow v9/IPFIX
• Management Tool / Reporting Tools: Cisco Prime Infrastructure, Cisco Insight, 3rd party tools (App Visibility & User Experience Report)
• Control: QoS, PfR (High/Med/Low)
Next Generation NBAR (NBAR2) Deep Packet Inspection (DPI)
[Diagram: NBAR2 combines IOS NBAR (+150 signatures) and SCE classification (+1000 signatures) with innovations: advanced classification techniques, native IPv6 classification, open API for 3rd party integration]
• Provides advanced application classification and field extraction capabilities
• In-service upgradable protocol definitions: no IOS upgrade or reboot for new Protocol Packs
• Backward compatibility to preserve existing NBAR investments
• NBAR2 Protocol List: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html
Available from IOS 15.2(2)T1 and IOS XE 3.4S (Application Recognition)
Performance Collection & Exporting – What is it?
• Integrated performance monitoring and advanced metrics for different types of applications and use cases
Basic Monitoring: what applications, how much bandwidth, flow direction? (Flexible NetFlow and NBAR/NBAR2)
Advanced Monitoring:
• Voice and Video Performance (Media Monitoring) – 30% of traffic is voice and video
• Critical Applications Performance (Application Response Time, e.g. HTTP) – 40% of traffic is critical applications
Gaining Full Visibility with Flexible NetFlow (Perf. Collection & Exporting)
[Diagram: traditional NetFlow covers L3 and L4; Flexible NetFlow adds L2, L7 (NBAR), performance metrics (MMON, ART), network metrics (QoS) and other metrics]
Flexible NetFlow
• Extensible to support new and future metrics
• Monitors data from layer 2 thru 7
• Collect only what is needed – define your own record format and aggregation
NetFlow to FNF Migration Guide: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/ps6965/white_paper_c11-545581.html
Better Visibility with NBAR2 and FNF (Perf. Collection & Exporting)
• Application information exported in FNF records
• Reporting tools display top client & server
• show ip nbar protocol-discovery top-n

Router#show ip nbar protocol-discovery top-n 10
GigabitEthernet0/0/3
                           Input                      Output
                           -----                      ------
Protocol                   Packet Count               Packet Count
                           Byte Count                 Byte Count
                           30sec Bit Rate (bps)       30sec Bit Rate (bps)
                           30sec Max Bit Rate (bps)   30sec Max Bit Rate (bps)
-------------              ------------------------   ------------------------
webex-meeting              45807530                   163458047
                           2497543722                 129842885217
                           115000                     5998000
                           152000                     7799000
bittorrent                 59667396                   156155174
                           12768822744                103187176646
                           555000                     4715000
                           697000                     5077000
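Reading that output by hand works for one interface; a practitioner usually wants it parsed and checked against a policy. This is an added example, not a Cisco tool: it parses a constructed copy of the slide's output (same protocols and counters, columns re-aligned) and flags unsanctioned protocols whose 30-second bit rate crosses a threshold.

```python
"""Parse `show ip nbar protocol-discovery top-n` output and flag unsanctioned apps.

Added example, not Cisco code.  The parser expects the layout shown on the
slide: one line per protocol carrying the input and output packet counts,
followed by three continuation lines with byte counts, 30-second bit rate
and 30-second maximum bit rate.  One interface per text block.
"""
import re

# Constructed sample: the slide's counters, columns re-aligned for parsing.
SAMPLE_OUTPUT = """\
GigabitEthernet0/0/3
                           Input                      Output
                           -----                      ------
Protocol                   Packet Count               Packet Count
                           Byte Count                 Byte Count
                           30sec Bit Rate (bps)       30sec Bit Rate (bps)
                           30sec Max Bit Rate (bps)   30sec Max Bit Rate (bps)
-------------              ------------------------   ------------------------
webex-meeting              45807530                   163458047
                           2497543722                 129842885217
                           115000                     5998000
                           152000                     7799000
bittorrent                 59667396                   156155174
                           12768822744                103187176646
                           555000                     4715000
                           697000                     5077000
"""

FIELDS = ("packets", "bytes", "bps_30s", "max_bps_30s")
_PROTO_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s*$")   # name  in_pkts  out_pkts
_CONT_LINE = re.compile(r"^\s+(\d+)\s+(\d+)\s*$")         # indented  in  out


def parse_top_n(text):
    """Return {interface: {protocol: {"in": {...}, "out": {...}}}}."""
    lines = text.splitlines()
    if not lines:
        raise ValueError("empty output")
    iface = lines[0].strip()
    # The protocol rows start right after the dashed separator line.
    try:
        start = next(i for i, l in enumerate(lines) if l.startswith("-------------")) + 1
    except StopIteration:
        raise ValueError("no protocol table found") from None
    result = {iface: {}}
    proto, row = None, 0
    for line in lines[start:]:
        m = _PROTO_LINE.match(line)
        if m:
            proto = m.group(1)
            result[iface][proto] = {"in": {"packets": int(m.group(2))},
                                    "out": {"packets": int(m.group(3))}}
            row = 1
            continue
        m = _CONT_LINE.match(line)
        if m and proto is not None and row < len(FIELDS):
            result[iface][proto]["in"][FIELDS[row]] = int(m.group(1))
            result[iface][proto]["out"][FIELDS[row]] = int(m.group(2))
            row += 1
    return result


def flag_unsanctioned(stats, unsanctioned, min_bps):
    """Return (interface, protocol, direction, bps) for every unsanctioned
    protocol whose 30-second bit rate is at or above min_bps."""
    hits = []
    for iface, protos in stats.items():
        for proto, dirs in protos.items():
            if proto not in unsanctioned:
                continue
            for direction in ("in", "out"):
                bps = dirs[direction].get("bps_30s", 0)
                if bps >= min_bps:
                    hits.append((iface, proto, direction, bps))
    return hits


if __name__ == "__main__":
    stats = parse_top_n(SAMPLE_OUTPUT)
    for hit in flag_unsanctioned(stats, {"bittorrent"}, 1_000_000):
        print("unsanctioned traffic:", hit)
```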
Active or Passive Monitoring for Performance Measurement (Perf. Collection & Exporting)
Active Monitoring (active probing: IP SLA sender on Router 1, IP SLA responder on Router 2)
• Generate synthetic traffic into the network
• Require IOS responder for advanced monitoring types
Passive Monitoring (FNF, MMON, ART)
• Inspect traffic to measure performance metrics
• Performance metrics available only when there is traffic
Application Response Time (ART) Measurement (Perf. Collection & Exporting)
Key Features
• 27 Application Response Time (ART) metrics
• Interact with NBAR2 for application ID and field extraction information
• In ISR G2, provided by Performance Agent (PA)
• In ASR1K, ART is part of unified monitoring
Benefits
• Visibility into application usage and performance
• Quantify user experience
• Troubleshoot application performance
• Track service levels for application delivery
[Diagram: Branch users (“My query is taking a long time!”, “My email is slow!”) across the WAN to the Data Center; NetFlow v9/IPFIX export to the Reporting Tool (“How do I ensure my SLA is met?”)]
Availability: ISR G2 15.2(4)M2, ASR1K 3.8S
ART Path Network Segment Breakdown (Perf. Collection & Exporting)
• Separate application delivery path into client and server segments
• Server Network Delay (SND) approximates WAN delay
• Latency per application
[Diagram: Network Clients – Client Network Delay (CND) – Branch ISR-G2 – Server Network Delay (SND) – Application Servers; Network Delay (ND) spans the client and server network segments; Application Delay (AD) is the server-side gap between request and response; Total Delay covers the whole request/response path]
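The segmentation above, worked through in code. This is an added example, not Cisco's ART implementation: it takes the packet timestamps of one TCP transaction as a monitoring point at the branch router would see them (constructed sample data), derives CND, SND, ND, AD and the total delay, and then checks them against an SLA so that a slow transaction can be attributed to the WAN or to the server.

```python
"""ART-style path segment breakdown from packet timestamps (added example).

The monitoring point sits at the branch router, between the clients and the
WAN, so one observed TCP handshake yields the two network segments of the
slide (all values in milliseconds):

  SND = SYN -> SYN-ACK        monitor to server and back (approximates WAN delay)
  CND = SYN-ACK -> ACK        monitor to client and back
  ND  = CND + SND             round-trip network delay
  AD  = (last request byte -> first response byte) - SND
                              the server-side gap minus the WAN transit it contains
  Total delay = ND + AD       request-to-response time as the client experiences it
                              (exact when the request fits in one segment)
This follows the slide's segmentation; Cisco's 27 ART metrics are not reproduced.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float      # seconds since the first packet of the flow was observed
    src: str      # "client" or "server"
    flags: str    # "SYN", "SYN-ACK", "ACK" or "" for a plain data segment
    payload: int  # bytes of application data carried


def _first(pkts, pred, what):
    for p in pkts:
        if pred(p):
            return p
    raise ValueError(f"flow has no {what}")


def art_breakdown(packets):
    """Return the ART segment delays (ms) for one request/response transaction."""
    pkts = sorted(packets, key=lambda p: p.t)
    syn = _first(pkts, lambda p: p.src == "client" and p.flags == "SYN", "SYN")
    synack = _first(pkts, lambda p: p.src == "server" and p.flags == "SYN-ACK", "SYN-ACK")
    ack = _first(pkts, lambda p: p.src == "client" and p.flags == "ACK" and p.t > synack.t,
                 "handshake ACK")
    first_resp = _first(pkts, lambda p: p.src == "server" and p.payload > 0, "response data")
    requests = [p for p in pkts if p.src == "client" and p.payload > 0 and p.t < first_resp.t]
    if not requests:
        raise ValueError("flow has no request data before the response")
    last_req = requests[-1]

    snd = synack.t - syn.t
    cnd = ack.t - synack.t
    nd = cnd + snd
    ad = (first_resp.t - last_req.t) - snd

    ms = lambda seconds: round(seconds * 1000, 1)
    return {"cnd_ms": ms(cnd), "snd_ms": ms(snd), "nd_ms": ms(nd),
            "ad_ms": ms(ad), "total_ms": ms(nd + ad)}


def sla_violations(breakdown, sla):
    """Return the metrics that exceed their SLA threshold, e.g. {"ad_ms": 55.0}."""
    return {name: breakdown[name] for name, limit in sla.items() if breakdown[name] > limit}


# Constructed sample: one HTTP request/response as seen at the branch ISR.
SAMPLE_FLOW = [
    Packet(0.000, "client", "SYN", 0),
    Packet(0.040, "server", "SYN-ACK", 0),   # 40 ms to the server and back
    Packet(0.042, "client", "ACK", 0),       # 2 ms to the client and back
    Packet(0.045, "client", "", 300),        # HTTP GET
    Packet(0.140, "server", "", 1200),       # first byte of the response
    Packet(0.145, "server", "", 1200),
    Packet(0.147, "client", "ACK", 0),
]

# SLA used below: total under 150 ms, server under 50 ms, WAN under 60 ms.
SAMPLE_SLA = {"total_ms": 150, "ad_ms": 50, "snd_ms": 60}

if __name__ == "__main__":
    result = art_breakdown(SAMPLE_FLOW)
    print(result)
    print("SLA violations:", sla_violations(result, SAMPLE_SLA))
```

With the sample data the WAN segment (SND) is within its limit and the application delay is not, so the slow transaction is attributed to the server rather than to the network.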
Application-aware QoS with NBAR2 (Control)
Application / Bandwidth / Priority:
• Business Critical: committed 50% of the line – high priority
• Browsing: 30% of excess BW (=15% of the line) – normal
‒ Internal Browsing: 60% of Browsing
• Remaining: 70% of excess BW (=35% of the line) – normal
Committed BW is 50% of the line; excess BW is the other 50% of the line.

class-map match-all business-critical
 match protocol citrix
 match access-group 101
class-map match-any browsing
 match protocol attribute category browsing
class-map match-any internal-browsing
 match protocol http url "*myserver.com*"
policy-map internal-browsing-policy
 class internal-browsing
  bandwidth remaining percent 60
policy-map my-network-policy
 class business-critical
  priority percent 50
 class browsing
  bandwidth remaining percent 30
  service-policy internal-browsing-policy
interface Serial0/0/0
 service-policy output my-network-policy
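The percentages on the slide are easy to get wrong once policies nest, because `bandwidth remaining percent` is a share of what the priority classes leave, not of the line. This added example (not IOS code) resolves the slide's policy-map, written as data, into per-class shares of the physical line, including the implicit class-default at each level; it handles only the two actions the slide uses.

```python
"""Resolve a hierarchical IOS QoS policy into per-class shares of the line rate.

Added example, not IOS code.  It models only the two actions on the slide:
  priority percent N            committed bandwidth, taken off the top (LLQ)
  bandwidth remaining percent N a share of what the priority classes leave
plus a child policy attached to a parent class with `service-policy`.
Any class not listed is class-default, which receives the unassigned excess.
"""

# policy-map my-network-policy from the slide, written as data.
MY_NETWORK_POLICY = {
    "business-critical": {"priority": 50},
    "browsing": {
        "remaining": 30,
        "child": {"internal-browsing": {"remaining": 60}},   # internal-browsing-policy
    },
}


def allocate(policy, line=100.0, prefix=""):
    """Return {class path: percent of the physical line} for a policy.

    `line` is the share of the line this policy controls: 100 at the interface,
    the parent class's share when called for a child policy.
    """
    committed = sum(c.get("priority", 0) for c in policy.values())
    remaining_pct = sum(c.get("remaining", 0) for c in policy.values())
    if committed > 100 or remaining_pct > 100:
        raise ValueError("policy over-subscribes its parent")   # IOS rejects this too
    excess = line * (100 - committed) / 100      # what the priority classes leave
    shares = {}
    for name, cls in policy.items():
        path = prefix + name
        if "priority" in cls:
            share = line * cls["priority"] / 100
        elif "remaining" in cls:
            share = excess * cls["remaining"] / 100
        else:
            raise ValueError(f"class {name} has no bandwidth action")
        shares[path] = share
        if "child" in cls:
            # The child policy sees its parent's share as 100% of its own line.
            shares.update(allocate(cls["child"], share, path + "/"))
    shares[prefix + "class-default"] = excess * (100 - remaining_pct) / 100
    return shares


if __name__ == "__main__":
    for path, pct in allocate(MY_NETWORK_POLICY).items():
        print(f"{path:32s} {pct:5.1f}% of the line")
```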
GRE/IPSec Network QoS Design (Control)
[Diagram, in the direction of packet flow: the packet is initially marked (labels show DSCP AF41 and DSCP CS5); by default the ToS value is copied to the IPSec header; the top-most ToS is rewritten on egress; at the far end the packet is decapsulated to reveal the original ToS byte]

policy-map WAN-OUT
 class VOICE
  priority percent 10
 class VIDEO-INTERACTIVE
  priority percent 23
  set ip dscp af41
 class NETWORK-MGMT
  bandwidth percent 5
  service-policy MARK-BGP
 class class-default
  bandwidth percent 25
  random-detect
!
policy-map Int-Gig-Agg-HE
 class class-default
  shape average 1000000000
  service-policy WAN-OUT

The child policy remarks the DSCP value on the encrypted/encapsulated header on the egress interface.
Performance Routing (PfR) – Application-aware adaptive routing (Control)
• Full utilization of expensive WAN bandwidth: efficient distribution of traffic based upon load, circuit cost and path preference
• Improved application performance: per-application best path based on delay, loss, jitter measurements
• Increased application availability: protection from carrier blackouts and brownouts
[Diagram: Headquarters with ASR1K PfR Border Routers (BRs), PfR Master Controllers (MCs) and a WAE cluster; paths over SP A MPLS (GETVPN), SP B MPLS (GETVPN) and the Internet (DMVPN) to a branch ISR G2 acting as PfR MC/BR; the email path and the video path from the email VMs use different WAN links]
PfR Use Case Examples – Protecting critical applications while maximizing bandwidth utilization
Cloud Service & Load Balancing Policy (Internet WAN: ISP-1 primary, ISP-2 secondary)
• Protect business Cloud applications from Internet brownout: loss < 10%
• Cloud Service preferred path – ISP1
• Maximize all ISP bandwidth by load sharing all other Internet traffic
[Diagram: Cloud Service on ISP-1, best-effort traffic on both ISPs; PfR detects loss > 10%]
Multimedia & Critical Data Policy (SP-A MPLS VPN, SP-B MPLS VPN)
• Protect voice and video quality
‒ Latency < 200ms; Jitter < 30ms
• Protect VDI applications from brownouts
‒ Loss < 5%
• Voice & Video preferred path SP-A
• VDI preferred path SP-B
• Maximize utilization by load sharing
[Diagram: Voice & Video on SP-A, VDI on SP-B, best-effort traffic on both; PfR detects high jitter]
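The two policies above, reduced to a path-selection rule that can be replayed against measurements. This is an added example, not Cisco PfR: each class keeps its preferred link while that link is within the class's thresholds, moves to an in-policy alternative when it is not, and load-shared classes spread over every in-policy link. The measurements and the fallback when no link is in policy (stay on the preferred link) are assumptions; PfR's measurement mechanics and timers are not modelled.

```python
"""Per-application path selection following the PfR use-case slide (added example).

Not Cisco PfR.  A link is "in policy" for a class when every measured metric
the class limits is strictly below its threshold.  Measurements are constructed.
"""

MULTIMEDIA_AND_CRITICAL_DATA = {
    "voice-video": {"preferred": "SP-A", "limits": {"latency_ms": 200, "jitter_ms": 30}},
    "vdi":         {"preferred": "SP-B", "limits": {"loss_pct": 5}},
    "best-effort": {"load_share": True, "limits": {}},
}

CLOUD_SERVICE_AND_LOAD_BALANCING = {
    "cloud-service": {"preferred": "ISP-1", "limits": {"loss_pct": 10}},
    "best-effort":   {"load_share": True, "limits": {}},
}


def in_policy(limits, metrics):
    """True when every limited metric measured on a link is below its threshold."""
    return all(metrics[name] < limit for name, limit in limits.items())


def choose_paths(policy, measurements):
    """Return {class: [links]} for measurements of the form {link: {metric: value}}."""
    decision = {}
    for cls, rule in policy.items():
        ok = [link for link, m in measurements.items() if in_policy(rule["limits"], m)]
        if rule.get("load_share"):
            decision[cls] = ok or list(measurements)      # spread over in-policy links
            continue
        preferred = rule["preferred"]
        if preferred in ok:
            decision[cls] = [preferred]
        elif ok:
            decision[cls] = [ok[0]]       # brownout on the preferred link: move
        else:
            decision[cls] = [preferred]   # nothing in policy: stay put (assumption)
    return decision


def route_changes(policy, samples):
    """Replay successive measurement samples; report each path change as
    (sample_index, class, old_links, new_links) so it can be logged or alerted on."""
    changes, previous = [], None
    for i, m in enumerate(samples):
        current = choose_paths(policy, m)
        if previous is not None:
            for cls in current:
                if current[cls] != previous[cls]:
                    changes.append((i, cls, previous[cls], current[cls]))
        previous = current
    return changes


# Constructed measurements: SP-A develops high jitter, ISP-1 a 12% loss brownout.
MPLS_GOOD = {"SP-A": {"latency_ms": 120, "jitter_ms": 10, "loss_pct": 0.5},
             "SP-B": {"latency_ms": 150, "jitter_ms": 12, "loss_pct": 2.0}}
MPLS_JITTER = {"SP-A": {"latency_ms": 120, "jitter_ms": 45, "loss_pct": 0.5},
               "SP-B": {"latency_ms": 150, "jitter_ms": 12, "loss_pct": 2.0}}
INTERNET = {"ISP-1": {"loss_pct": 12.0}, "ISP-2": {"loss_pct": 1.0}}

if __name__ == "__main__":
    print(choose_paths(MULTIMEDIA_AND_CRITICAL_DATA, MPLS_JITTER))
    print(choose_paths(CLOUD_SERVICE_AND_LOAD_BALANCING, INTERNET))
    print(route_changes(MULTIMEDIA_AND_CRITICAL_DATA, [MPLS_GOOD, MPLS_JITTER]))
```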
Cisco Prime Infrastructure – Assurance (Management Tool)
• Configuration of AVC features*
• Network Monitoring
• Service Monitoring
• Reporting and Trends
• Multi-NAM Manager
• Packet and Flows Analysis
• Application Response Time
• Voice and Video Metrics
• Distributed SNMP and NetFlow Collection
WAAS and UCS E Series
Cisco WAAS – Enhancing user experience and WAN efficiency
Problem
• Poor application responsiveness
• WAN bandwidth costs
Solution
• Reduce load: Data Redundancy Elimination, compression, TCP optimization
• Application Optimization: fewer protocol messages, metadata caching, ...
[Chart: application bandwidth (Mbps, 0–160) natively vs with WAAS, and application latency (seconds, 0–4) natively vs with WAAS; bandwidth saved, reduced latency]
Challenges of Desktop Virtualization over WAN
[Diagram: a video source on the campus is hairpinned through the Data Center HVD to the branch office over a T1 WAN via the branch router; the display protocol is opaque to the network]
• Hairpinning: video processed on the HVD overloads server compute and bandwidth
• The WAN’s effect on user experience: end-users experience no pixelization on the LAN but see pixelization over the WAN; increasing bandwidth is expensive and might not help
• The display protocol is opaque to the network
WAAS 5.0 optimization with Citrix ICA AO
• WAAS will optimize encrypted and compressed ICA desktop session traffic (no changes required on the ICA client, HVD, or DC infrastructure) for all versions of XenDesktop and XenApp
• Includes the WAAS 4.4 application-aware DRE feature for unidirectional caching of desktop session traffic, which improves scalability and application performance
[Diagram: ICA client – Branch Router with WAAS – WAN – Aggregation Router with WAAS – Citrix HVD in the Data Center; display protocol acceleration]
Note: Multi-Session ICA (MSI) in XenDesktop 5.5 is not supported in the current release. If MSI is used, only the initial session (port 1498) will be optimized automatically. Other flows will be treated as regular TCP flows.
Cisco WAAS: WAN Optimization Solution
[Diagram: SOHO and mobile users with WAAS Mobile software; branch offices with a WAAS Service Module, IOS WAAS Express, or a WAAS WAE appliance; a regional office with a WAAS WAE appliance; across the WAN and Internet (VPN) to the Data Center or Private Cloud with WAAS WAE appliances, a WAAS Mobile Server, vWAAS on VMware ESXi (UCS/x86 server, Nexus 1000v vPath and VSM, FC SAN) and server VMs; a Virtual Private Cloud with CSR 1000V and vWAAS]
Lean Branch Office Applications – Edge Applications That Defy Centralization
Core Windows Services
• DNS and DHCP Servers
• Microsoft Active Directory
• Windows Print Services
• Windows File Services
• Others …
Mission Critical Business Applications
• Point of Sale Server
• Bank Teller Control Point
• Electronic Medical Records
• Inventory Management
• Others …
Client Management Services
• Software Update Service
• Client Monitoring Service
• Backup and Recovery
• Terminal Server Gateway
• Others …
UCS E – Extend Cloud Services into Branch Infrastructure
Supported on ISR G2 2911 and above
[Diagram: ISR G2 with IOS and the MGF backplane switch hosting SRE blades that run the SRE-V hypervisor with several OS/App virtual machines each, managed through CIMC]
Platform for WAN Edge Applications
• Microsoft Windows Server-certified server virtualization
• Cisco SRE Virtualization powered by VMware vSphere Hypervisor™ (ESXi)
Dedicated Blade Management
• Cisco Integrated Management Controller
• Consistent management for the UCS family
Multipurpose x86 Blades
• Cisco Service-Ready Engine modules
• House up to four server blades in an ISR G2
Single-Device Network Integration
• House all devices in the ISR G2 chassis
• Multigigabit fabric backplane switch
MediaNet & Video Services
Medianet Introduction
“I want a network infrastructure so that I should not worry when tomorrow I’ll be asked to implement video applications.” – Massimo Fogaroli, IT Manager, Mediolanum Bank
• Network Aware: automatically respond to changes in devices and service availability
• Endpoint Aware: automatic detection and configuration
• Media Aware: detection and optimization of different media and applications
[Diagram: Visibility, Diagnostics and Network Assessment built on Media Trace, Performance Monitoring, IP SLA VO and Flow Metadata]
Medianet Media Monitoring – Media Assessment, Monitoring, and Troubleshooting
• Pre-deployment assessment / network validation: IP SLA VO uses ISR G2 DSPs to generate synthetic video, i.e. TelePresence
• What path and where is the problem? Mediatrace and Performance Monitor: a network-initiated mediatrace collects path and performance metrics of the media stream; Cisco Collaboration Manager displays the mediatrace results
[Diagram: ASR1K headend and ISR G2 branch over MPLS and Internet/DMVPN; IP SLA initiator and responder generate TelePresence traffic; Cisco Prime Collaboration Manager detects a video quality issue (lost packets seen) and initiates mediatrace]
Media Monitoring – Performance Monitor (Perf. Collection & Exporting)
• Monitor video traffic traversing different network types
• Generate alerts based on user-configurable thresholds
• Enable on the voice/video VLAN: apply to the in/out direction of the voice/video VLAN
• Provide metrics including jitter, packet loss, latency, bitrate, etc.
• MediaNet PerfMon is also the Media Monitor (MMon) in AVC
[Diagram: WAN headend and branch over MPLS and Internet, reporting to LiveAction]
Media Troubleshooting – Mediatrace (Diagnostics)
• Use Mediatrace to further troubleshoot media issues
• Initiate Mediatrace to discover path, system resource, or quality metrics on devices in the media path
• Mediatrace responders collect the requested metrics and return them to the initiator
• Works with Cisco Collaboration Manager
[Diagram: VPN headend and branch over MPLS and Internet; Collaboration Manager initiates Mediatrace for traffic from the branch phone to the headend phone]
Need for End to End Classification (Visibility)
[Diagram: a voice call between Marylou and John. Different points along the path know different things: “Voice communication started with application X”, “Packets have DSCP=EF”, “I know lots of information from the application that I’m not going to send to the wire”; “This packet has a DSCP=EF”, “This packet comes from Fast1/0”, “This packet comes from location Desk1”, “This packet comes from user Marylou”; “This flow has a DSCP=EF”, “This flow contains RTP voice”; “Voice communication between Marylou and John”]
• How to enforce a consistent network policy when classification is different along the path?
‒ E.g. rule: prioritize voice communication from Marylou to John
• Endpoints can provide information not available or visible to the network
MediaNet Metadata for End to End Classification – Metadata Flow Principles (Visibility)
1. Application creates metadata
2. Metadata announcement: each router along the path stores it in its metadata DB
3. Media flow
Routers apply QoS based on the metadata and export the data to the NMS.
Example record:
Flow Identifier – IP Src 10.1.1.2, IP Dst 20.1.1.2, Prot UDP, L4 Src 2000, L4 Dst 4000
Metadata – Application Video-Conference (Audio), Vendor Cisco, Dial From 83922564, Dial To 85268229, Caller ID Albert Albatross
Video Conferencing Services
Centralized MCU
• Multiple video streams traverse the WAN to a central MCU resource – non-optimal use of limited WAN BW
• Video is mixed by a centralized MCU controlled by CUCM
Branch mixing on ISR G2
• Video is mixed by the ISR G2 DSPs controlled by CUCM or UCME
• Keeps traffic local in the branch if all participants are located in the branch
• Ad-hoc and MeetMe conferences
[Diagram: HQ/Campus and Branch across the WAN, showing signaling and media flows in both designs]
Video Delivery Optimization – WAAS + Enterprise Content Delivery System (ECDS)
• Multiple “Publish and Subscribe” channels for simplified management
• Broad live broadcast protocol support – WMF, Silverlight, Flash
• Video pre-positioning
[Diagram: Data Center CDN infrastructure with ECDS and context-aware DRE delivering a Signage channel, an HR VOD channel and a Corporate Communications channel across the WAN to branch offices with WAAS + ECDS]
WAN TrustSec Security Services
NG WAN Pervasive Security – Secure Reliable Access to Any Services
• Provides data privacy across the WAN
‒ GETVPN any-to-any encryption over MPLS
‒ DMVPN & FlexVPN over 3G/4G or Internet provide dynamic spoke-to-spoke tunnels
• Highly scalable WAN aggregation with encryption
‒ 4000 DMVPN tunnels and 4000 GETVPN Group Members
‒ Up to 28 Gbps of encryption throughput per ASR1K
• Interoperation with QoS and PfR ensures service performance
• TrustSec simplified access control – SGT, SXP, SGACL and SG Firewall
[Diagram: Headquarters/Data Center with an ASR1K DMVPN hub, ASR1K GETVPN routers, an ISR G2 GETVPN COOP KS and a WAE cluster; SP A and SP B MPLS protected by GETVPN; Internet protected by DMVPN; Standard Branch ISR G2; Private Cloud with SG FW, SXP and SGT]
Dynamic Multipoint VPN (DMVPN)
• Full meshed connectivity with simple configuration
• Zero-touch configuration for addition of new spokes
• Automatic site-to-site IPSec tunnels
• Transport & carrier agnostic overlay transport: easy multi-homing, single control plane, simple carrier transition
• Large scale
‒ Up to 4000 spokes per ASR1k hub with EIGRP or BGP
‒ Hierarchical hub designs to scale beyond single hub limits
[Diagram: traditional static tunnels between static, known IP addresses versus DMVPN tunnels from a hub to spoke 1, spoke 2 … spoke n with dynamic, unknown IP addresses and secure on-demand meshed tunnels]
Introducing FlexVPN (New)
A single overlay VPN solution covering shortcut switching (DMVPN), isolated branches (Easy VPN) and remote access (AnyConnect), connecting Department RED and Department GREEN to the Corporate LAN
Group Encrypted Transport VPN (GETVPN) – Before and After GET VPN
Before: IPSec P2P tunnels (public/private WAN)
• Scalability—an issue (N^2 problem)
• Overlay routing
• Any-to-any connectivity may require tunnel setup
• Inefficient multicast replication
After: tunnel-less VPN (private WAN, any WAN transport, multicast)
• Scalable architecture for any-to-any connectivity and encryption
• No overlays—native routing
• Any-to-any instant connectivity
• Efficient multicast replication
• Private IP WANs
Cisco Router Security Certifications
http://www.cisco.com/go/securitycert
[Table: columns FIPS 140-2, Level 2 | Common Criteria EAL4 | Next-Gen Encryption* Software Support | Next-Gen Encryption* Hardware Assist; the per-platform check marks did not survive extraction]
Platforms: Cisco ISR 890 Series; Cisco ISR 1900 Series **; Cisco ISR 2900 Series **; Cisco ISR 3900 Series; Cisco ISR 3900E Series; Cisco ASR 1000 Series (N/A **)
* NSA Suite B RFC-4869 cryptographic algorithms for both unclassified and most classified information
** 1900s and lower 2900 Series require ISMs. Only ASR 1002-X and ESP-100 based ASR 1000s
TrustSec SGT over DMVPN and GETVPN
[Diagram: Branch Network (HR, Finance, Sales, Admin users on Catalyst® switches and an AP, SGT assigned at the access layer) – ISR G2 WAN routers over MPLS (GETVPN) and Internet (DMVPN) carrying SGT frames – ASR1k and Catalyst 6500 WAN aggregation – Nexus 7000 and Nexus 5000/2000 Data Center with ISE (SGT, Profiler, Posture, Guest Server) and SGACL egress enforcement]
Enforcement points: WAN – ISR G2/ASR1k SG Firewall; Campus Aggregation – Cat6K/Sup2 SGACL; Data Center – Nexus 7000 SGT/SGACL
• DMVPN inline tagging – ISR G2 (IOS 15.2(2)T)
• SGT over GETVPN support on ISR G2 (IOS PI21*) and ASR1k (XE 3.9*)
• SG Firewall for egress enforcement
• SGT capability exchange during DMVPN IKEv2 negotiations and GETVPN group membership registration
• Learn SGT from SXP or authentication methods
• Simple one-command configuration – DMVPN “crypto ikev2 cts sgt”; GETVPN “tag cts sgt”
* ISR G2 IOS (PI21) and ASR1k IOS (XE3.9) will be available in Spring 2013.
Security Group FW Architecture
[Diagram: Data Center with ISE for SGACL policies; enforcement on a switch (SGACL), ASR1k enforcement at WAN aggregation and SGFW ISR enforcement in the branch; the IP-to-SGT binding is learned via SGT or SXP, e.g. IP address 10.1.10.1 maps to SGT 10]
• Consistent classification/enforcement between ISR/ASR SGFW and switching
• In general, SGACL and SGFW policy should be synchronized via the policy administration UI
• SGT allows more dynamic classification in the branch and WAN aggregation
• Rich logging requirements will be fulfilled on SGFW – URL logging, etc.
• Active/Active support in ZBFW allows for asynchronous routing*
• SGFW in ISR G2 IOS 15.2(2)T and ASR1k IOS XE 3.5
* active/active assumes a shared L3 subnet on router interfaces for redundancy groups
IPv6 – Preserve, Prepare, Prosper
IPv6: Anyone, Anything, Anywhere, Anytime
Why?
• IPv4 address exhaustion (3 Feb ’11 was the last day of IPv4 address allocations)
• Government mandate
• IPv6 device and content growth
• Mergers and Acquisitions
• Gain familiarity with IPv6
IPv6 Feature Enablement
• IPv6 parity with IPv4 in most cases
• Routers designed with more memory, better performance for IPv6
• ISR G2, ASR 1000 designed for IPv6
• Broadest coverage in the industry
IPv6 Transitioning
• All transition mechanisms supported: Dual Stack, Tunneling, Translation
IPv6 Routing
Transitioning Network to IPv6 – Preserve, Prepare, Prosper
Cisco NG Enterprise WAN Solutions
• Branch & Campus – Dual Stack IPv4 and IPv6
• IPv4 WAN – Tunnel: 64 tunnels, IPv6 over DMVPNv4
• IPv6 Internet – Translate: NAT64 allows IPv6 devices to access IPv4 applications
[Diagram: dual-stack branch office (ISR G2) with IPv6 devices, IPv6-over-IPv4 tunnel across the IPv4 WAN to dual-stack WAN aggregation and campus/data center (ASR1K), and NAT64 translation at the Internet edge (ASR1K) toward IPv4 services]
Hybrid Cloud Services
Virtual Private Clouds
Virtual Networking Services
Cloud Services Router
Hybrid Cloud Definition – Virtual Private Clouds (VPC)
[Diagram: Cloud Intelligent Network spanning Private Cloud (ASR 1000, AVC, ASA, WAAS, AppNav), Virtual Private Cloud (ASA 1000V, Nexus 1000V, vWAAS, VSG, VXLAN, CSR 1000V, vPath) and Public Cloud (HCS services); cross-cutting services: Security, App Visibility & Control (AVC), Cloud Connectors, Medianet]
Hybrid Clouds exist on the premises and are maintained by a cloud provider. Resources are allocated to individual companies or organizations, providing them the look and feel of a private cloud within a shared cloud environment.
Source: NIST
Hybrid – Virtual Private Cloud Virtual Networking Services (Cloud Network Services, Multi-Hypervisor)
• CSR 1000V – WAN Gateway, IOS Networking
• vWAAS – WAN Optimization, Application Traffic
• ASA 1000V – Edge Firewall, Protocol Inspection
• VSG – Zone-based Firewall, VM-level Control
• Nexus 1000V – Distributed Switch, NX-OS Consistency
[Diagram: cloud provider’s data center with physical infrastructure (multi-hypervisor servers) and virtual infrastructure; Tenant A with ASA 1000V and CSR 1000V at the edge, Department A and Department B each behind a VSG, Nexus 1000V with vPath steering to vWAAS/AppNav]
Cisco CSR 1000V – Cisco IOS Software in Virtual Form-Factor
[Diagram: server running a hypervisor and virtual switch inside a VPC/vDC, hosting application VMs (OS + App) alongside the CSR 1000V]
• Virtual Route Processor (RP)
• Virtual Forwarding Processor (FP)
• Optimized for single-tenant use cases
• Hypervisor agnostic
• Virtual switch agnostic
• Server agnostic
Public Cloud Services
Cloud Connectors
Public Cloud Definition
[Diagram: Cloud Intelligent Network spanning Private Cloud (ASR 1000, AVC, ASA, WAAS, AppNav), Virtual Private Cloud (ASA 1000V, Nexus 1000V, vWAAS, VSG, VXLAN, CSR 1000V, vPath) and Public Cloud (HCS services); cross-cutting services: Security, App Visibility & Control (AVC), Cloud Connectors, Medianet]
Operated wholly by cloud providers, public clouds offer services to companies, organizations and individuals using a fully virtualized environment hosted in the cloud. Services are delivered in a shared environment even though they might be provisioned or customized for the needs of the individual organization.
Source: NIST
What is Cloud Connector?
• Connects a Corporate Network to a Cloud Service
• Application or Service specific to ensure transparent access
• Improves delivery of Public Cloud Services
Provisioning, Performance, Security, Reliability, Management
• Cloud Connector solutions include
ScanSafe, WebEx Media, Hosted Collaboration Service, Storage/Backup, …
[Diagram: headquarters campus and branch ASR1K routers connected over MPLS (GETVPN) and the Internet; a Cloud Connector links the enterprise to email VMs in the public cloud]
Example – ScanSafe Cloud Connector
• ScanSafe provides secure access to Public Cloud services
• Single policy portal, ease of deployment and management
• Direct Internet access reduces WAN cost and improves application performance
[Diagram: headquarters campus and branch ASR1K routers over MPLS (GETVPN) and the Internet; the ScanSafe Cloud Connector fronts public cloud applications with web security, web filtering, centralized reporting and consistent policy control]
Example – WebEx Media Connector
• The WebEx Media Connector peers the Enterprise WAN directly with the WebEx cloud: CUCM+CUBE deployed at the enterprise and firewalls+CUBE in the WebEx cloud secure the borders with WebEx.
• Improves voice and video conferencing quality
• Reduces 800-number toll charges
[Diagram: headquarters campus and branch ASR1K routers over MPLS (GETVPN) and the Internet; the WebEx Cloud Connector links the enterprise to the Cisco WebEx Collaboration Cloud]
Example – Cloud Storage Connector (Third Party Connector)
• End-User Virtual Portal: users access their own cloud backups and folders, restore and share files.
• MSP Admin Portal: manage end-user accounts, service provisioning and billing.
• Cisco ISR G2 and UCS® E-Series with Cloud Storage Gateway
• Backup Agent for Roaming Laptop
• Branch Office Agent-Less Solution: cloud storage is cached on the UCS E; branch files are backed up to the cloud.
[Diagram: branch ISR G2 with UCS E-Series connected to the MSP network]
Platform Overview
Prime Infrastructure 1.2 – Functional Overview
• A single integrated solution for comprehensive lifecycle management of wired/wireless access, campus, and branch networks
• Automates compliance with regulatory requirements, Cisco and IT best practices
• Utilizes rich performance data for end-to-end network visibility to assure application delivery and optimal end-user experience
ISR G2 Portfolio – Recommended Positioning with Services
[Chart: ISR G2 models (800, 1921, 1941, 2901, 2911, 2921, 2951, 3925, 3945, 3925E, 3945E) positioned by WAN access speed with services (10 Mb to 350 Mb) and WAN type (EFM sub-rate FE, VDSL2+/sub-rate FE, line-rate FE+, line-rate N x FE) across Mobile Branch, Standard Branch and High-End Branch segments]
Cisco ASR 1000 Series Routers: Overview – Designed Today for up to 360 Gbps in the Future
Compact, Powerful Router; Business-Critical Resiliency; Instant-On Service Delivery; One IOS-XE Feature Set
• ASR 1001: 2.5–5 Gbps
• ASR 1002: 2.5–10 Gbps
• ASR 1002-X: 5–36 Gbps
• ASR 1004: 10–40 Gbps
• ASR 1006: 10–100+ Gbps
• ASR 1013: 10–360 Gbps
• Integrated firewall, VPN, encryption, NBAR, CUBE
• Scalable on-chip service provisioning through software licensing
• Fully separated control and forwarding planes
• Hardware and software redundancy
• In-service software upgrades
• Line-rate performance 2.5G to 100G+ with services enabled
• Investment protection with modular engines, IOS CLI and SPAs for I/O
• Hardware-based QoS engine with up to 232K queues
Wrap Up / Summary
Realizing the Borderless Enterprise – Borderless Experience
[Diagram: Anyone, Any Device, Anytime, Anywhere – Securely, Reliably, Seamlessly; Cisco Cloud Intelligent Network connecting Private, Public and Hybrid Clouds through Application Visibility & Control, TrustSec, Operational Simplicity, MediaNet, Cloud Connect and IPv6 Transition]
Next Generation Enterprise WAN
• Architectural approach to solving business requirements
‒ Modular—Building Blocks with Layered Services
‒ Infrastructure Foundation for Cisco’s Borderless Network
• Cloud Intelligent Network solutions
‒ Private Cloud Services
‒ Hybrid/Virtual Private Cloud Services
‒ Public Cloud Services
• ASR 1000 series high performance Secure WAN aggregation router
• ISR G2 series for integrated branch services security, voice, video and cloud access
• Virtualized Networks Services – CSR 1000v, vWAAS, ASA 1000v, Nexus 1000v
• Cisco Prime—Unique Ability to Manage Entire Solution
Wrap Up/Summary