Cisco Intelligent WAN: Enabling the Next-Generation Branch
TRANSCRIPT
© 2013 Cisco and/or its affiliates. All rights reserved.
Pressures on the WAN
Emerging Branch Demands: The Application Landscape Is Changing
• Applications are moving to the data center and cloud: SaaS, Google Docs, Office 365; video, VDI, backup
• The Internet edge is moving to the branch: guest WiFi, BYOD, app updates
[Diagram: cloud and mobility apps on one side, branch and data centers on the other]
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Internet as an Extension of Enterprise WAN
Commodity Transports Viable Now
Dramatic Bandwidth, Price Performance Benefits
Higher Network Availability
Improved Performance Over Internet
Intelligent WAN: Leveraging the Internet
Secure WAN Transport and Internet Access
[Diagram: branch with optimized, secure transport (MPLS IP-VPN and Internet) to private cloud and virtual private cloud, plus direct cloud access to public cloud]
1. IWAN secure transport for private and virtual private cloud access
2. Leverage the local Internet path for public cloud and Internet access
Increase WAN transport capacity and application performance cost-effectively
Improve application performance (right flows to right places)
Intelligent WAN (IWAN) Architecture
[Diagram: unified branch connected over MPLS, Internet and 3G/4G-LTE to private cloud, virtual private cloud and public cloud]
• Transport Independent: simplified hybrid WAN
• Intelligent Path Control: application-aware routing
• Application Optimization: enhanced application visibility and performance
• Secure Connectivity: comprehensive threat defense
• Management Automation
Transport Independence: Virtualizing the Enterprise WAN
IWAN Transport Independence: Consistent deployment models simplify operations
[Diagrams of three deployment models, each with DMVPN overlays from branch ISRs to data center ASR 1000s:]
• IWAN Hybrid: MPLS (SP B) plus Internet (ISP A)
• IWAN Hybrid/LTE: MPLS (SP B) plus 4G/LTE (ISP C)
• IWAN Dual MPLS: MPLS from SP A plus MPLS from SP B
Cisco Public, BRKCRS-2000
IWAN Transport Independent Design with Dynamic Multipoint VPN (DMVPN)
• Proven IPsec VPN technology: widely deployed at large scale; standards-based IPsec and routing; advanced QoS (hierarchical, per-tunnel and adaptive)
• Flexible and resilient: runs over any transport (MPLS, Carrier Ethernet, Internet, 3G/4G, ...); hub-and-spoke with dynamic full-mesh topology; multiple encryption, key-management and routing options; multiple redundancy options (platform, hub, transports)
• Secure: industry-certified IPsec and firewall; next-generation strong encryption, AES-GCM-256 (Suite B); IKE version 2; IEEE 802.1AR secure unique device identifier
• Simplified IWAN deployments: prescriptive validated IWAN designs; automated provisioning (Prime, IWAN App, Glue)
[Diagram: IWAN Hybrid, with a separate DMVPN overlay per transport (Internet via ISP A, MPLS via SP B) between branch and data center]
Intelligent Path Control: Improving Application Delivery and WAN Efficiency
Getting the Most Out of Your WAN Investment: Benefits of Intelligent Path Control
[Diagram: branch ISR with MPLS and Internet paths to data center ASR 1000s]
• Enabling hybrid WANs: efficient distribution of traffic based on load or path preference; lower WAN costs; full utilization of WAN bandwidth
• Application best path based on quality: improved application performance
• Protection from carrier black holes and brownouts: higher application availability
Intelligent Path Control with PfR: Voice and Video Use Case
[Diagram: branch with MPLS and Internet paths to private cloud and virtual private cloud]
• PfR monitors network performance and routes applications based on policy
• PfR load-balances traffic based on link utilization levels to use all available WAN bandwidth
• Voice/video take the path with the best delay, jitter and/or loss, and are rerouted if the current path degrades below policy thresholds
• Other traffic is load-balanced to maximize bandwidth
What is Performance Routing (PfR)?
[Diagram: branch (MC+BR) with MPLS and Internet paths to data center border routers (BR) and a master controller (MC)]
“Performance Routing (PfR) provides additional intelligence to classic routing to track and verify the quality of a path over a Wide Area Networking (WAN) to determine the best path for application traffic....”
Protecting Critical Applications While Increasing Bandwidth Utilization
Multimedia and Critical Data Policy (SP1 MPLS + ISP FTTH)
• Protect voice and video quality: latency < 150 ms, jitter < 20 ms
• Protect email applications from WAN congestion: loss < 5%
• Voice and video preferred path SP1; email preferred path ISP
• Increase utilization by load sharing
Business App and Load-Balancing Policy (SP1 MPLS + ISP DSL)
• Protect transactional business app from brownouts: delay < 250 ms
• Preferred path SP1 (MPLS)
• Increase WAN bandwidth efficiency by load-sharing traffic over all WAN paths, MPLS + Internet
[Diagrams: "High delay detected" and "High jitter detected" events move voice/video and the business app off the degraded path while best-effort traffic is load-shared]
Load Balancing: Maximizing Link Utilization to Increase Available Bandwidth
• Traffic distributed across all paths to efficiently use all WAN bandwidth
• Load balancing based on link utilization levels (so a 50% target means 750 kbps on a T1 but 7.5 Mbps on a 15 Mbps link)
• External links can have different bandwidth capacities: MPLS = 1.5 Mbps, Internet = 15 Mbps
[Diagram: branch ISR with both links to data center ASR 1000s; 50% of the T1 = 750 kbps, 50% of 15 Mbps = 7.5 Mbps]
Application Optimization
Make Your IWAN Application Aware: Application Visibility and Control (AVC)
[Diagram: branch (proliferation of devices, users/machines) to DC/headquarters, private cloud and public cloud, with AVC in the routers]
Cisco AVC
• Application performance visibility: application inspection with existing routers; rich data collection using NetFlow v9/IPFIX; easy to integrate into many reporting tools
• Smart capacity planning: better use of costly bandwidth; per-branch and per-application level reporting
• Business objective enforcement: service-level monitoring per application; better analytics to adjust network policies to maintain compliance
Application Performance Monitoring for IWAN: Track and Report Application Flows and Performance
[Diagram: AVC on branch and enterprise-edge routers (ISR, ASR, CSR) exporting NetFlow v9/IPFIX across the WAN to collectors]
NetFlow/IPFIX records (same provisioning, same format):
• Traffic statistics records
• Application Response Time records
• Media monitoring records (application, jitter, loss, etc.)
Collecting: Cisco tools (Prime, APIC-EM) and the partner tools ecosystem (LiveAction, Glue Networks, Plixer, Living Objects, Compuware, CA Technologies)
Cisco WAAS: Enhancing User Experience and WAN Efficiency
Problem
• Application latency
• WAN bandwidth inefficiencies
Solution
• Reduce load: data redundancy elimination (DRE), compression, and TCP optimization
• Application optimization: fewer protocol messages and metadata caching
[Chart: application bandwidth (Mbps) natively vs. with Cisco WAAS, and application latency (seconds) natively vs. with Cisco WAAS, showing the reduction in bandwidth and in latency]
IWAN Application Optimization with Akamai Connect
[Diagram: branch ISR-AX with the Akamai cache inside, WAN to the data center and the Akamai Intelligent Platform]
• Optimal experience regardless of device, connectivity or cloud
• All HTTP traffic in private, public and Akamai cloud
• Prepositioning | Dynamic HTTP caching (YouTube) | Any transport
IWAN Secure Connectivity
Intelligent WAN Secure Connectivity: Securing the network and users
[Diagram: branch with secure WAN transport (MPLS IP-VPN) to private and virtual private cloud, and secure Internet access to public cloud]
Two areas of concern:
1. Protecting the network from outside threats, with data privacy over provider networks
2. Protecting user access to public cloud and Internet services: malware, privacy, phishing, ...
Securing the IWAN Transport: IPsec VPN and Access Control
• Step 1: Authenticate hardware and software: Trust Anchor Module verification
• Step 2: Secure transport: proven IPsec VPN overlay; strong cryptography, IKEv2 + AES-GCM-256; front-door VRF (F-VRF) to isolate provider networks
• Step 3: Access control: IOS Zone-Based Firewall or ACL protection; role-based access to the router with logging
• Minimize exposure: provider-assigned addressing to hide routers; don't put tunnel addresses into DNS
[Diagram: branch to data center ASR 1000s over MPLS (ISP A) and Internet (ISP C)]
Intelligent WAN: Direct Cloud Access
[Diagram: branch ISR-AX with ZBFW, MPLS (IP-VPN) to private and virtual private cloud, direct Internet access to public cloud and CWS]
• Leverage the local Internet path for public cloud and Internet access
• Improve application performance (right flows to right places)
Solutions: on premise, Zone-Based Firewall; cloud based, Cloud Web Security
Secure Internet Access with Cisco Cloud Web Security (CWS)
[Diagram: branch with WAN1 (IP-VPN) to private cloud and WAN2 (Internet) to public cloud via CWS]
• Secure public cloud and Internet access: ISR connector to CWS towers; web filtering, access policy, malware detection
• IWAN IPsec VPN for private cloud traffic
• IOS Firewall to protect the Internet edge
Orchestration and Automation
Cisco IWAN Management Portfolio: Covering a broad range of preferences and requirements
Advanced Orchestration (Ecosystem Partners)
• Customer wants advanced provisioning, life-cycle management, and customized policies
• System-wide network consistency assurance
• Lean IT or IT network team
Enterprise Network Management and Monitoring (Cisco Prime Infrastructure)
• Customer needs customizable IWAN with end-to-end monitoring
• One assurance across the Cisco portfolio from branch to data center
• IT network team
Prescriptive Policy Automation (IWAN App)
• Customer wants considerable automation and operational simplicity
• Requirements consistent with the prescriptive IWAN Validated Design
• Lean IT organization
Application-Aware Performance Management (Ecosystem Partners)
• Customer looking for advanced monitoring and visualization
• QoS/PfR/AVC configuration, real-time analytics and network troubleshooting
• IT network team
IWAN Management Solution Positioning
[Chart: Prime Infrastructure positioned as customizable (advanced and foundation) and the IWAN App (on-prem or cloud) as prescriptive, across provisioning and life-cycle management and visualization and health, on ASR 1000 infrastructure]
APIC-EM IWAN App: Site provisioning
[Screenshots of the site-provisioning workflow]
APIC-EM IWAN App: Define Application Policy
• Business intent: the network admin tells the controller which applications are relevant to the business
• The controller performs background tasks based on this business logic
• Define the primary path for a group of applications
• The controller creates a PfR policy based on those paths
[Screenshot of the application policy screen]
Prime Infrastructure for IWAN
• IWAN workflow wizard with PnP
• Template-based IWAN configs
• PfRv3 domain, MC and BR
• AVC one-click provisioning
• QoS provisioning
• Single- or dual-router branch
• CVD-based, customizable
• AVC readiness assessment
• AVC, QoS, PfR visibility
• Leverages APIC-EM services
Cisco IWAN Product Portfolio
Start with Cisco AX Routers: IWAN Capabilities Embedded in the Router
[Diagram: ISR-AX, ISR 4000 AX and ASR1000-AX as one network of unified services]
• Simplify application delivery
• Transport independent, secure routing, optimization, control, visibility
Cisco AX Routers: 800 | 1900 | 2900 | 3900 | 4000 | ASR 1000
Intelligent WAN Summary
[Diagram: Branch-1 through Branch-513 (ISR-AX with vWAAS and AVC, on links such as 20M down/2M up, 512M FD, 1.5M FD, 256M FD and an ADSL island) over MPLS and Internet to DC-West and DC-East (ASR-AX border routers with WAAS, AVC and MCs), with CWS for Internet access]
• Transport independent design: highly available hybrid WAN
• Intelligent path control: Performance Routing (PfR) to protect applications and load-balance traffic to maximize expensive WAN bandwidth
• Application optimization: Application Visibility and Control (AVC) to monitor performance; WAAS + Akamai to reduce bandwidth consumption while improving application experience
• Secure connectivity: secure the network from outside threats; Cloud Web Security (CWS) for improved cloud performance while freeing up WAN bandwidth, without compromising security
• IWAN management: Cisco and ecosystem partner tools: APIC-EM IWAN App, Prime, LiveAction, Gluware, and more
Cisco Intelligent WAN (IWAN)
[Diagram: branch with secure WAN transport (MPLS IP-VPN) to private and virtual private cloud, and direct Internet access to public cloud]
• Mixed transport WAN with high reliability
• SLAs for business-critical applications
• Centralized security policy for Internet access
• Dramatically lower WAN costs without compromise
What Are the Big Trends in the Branch?
Digital signage
• Clients engage with digital signage 50% more than static ads (Intel field trials)
• Dynamic signs, driven by RFID, increase sales by 34% (Intel field trials)
• Growing more than 10% year over year through 2020 (Grandview Research)
Mobile applications
• 41% of K-12 students use tablets for video learning (Project Tomorrow)
• 38% of corporations are investing to develop or replace applications to be web based in 2015 (Computer World)
• 18% of companies use mobile video applications for training (eLearning Industry)
Guest WiFi
• Branch guest WiFi causes 39% of customers to increase the duration of their stay; offering guest WiFi increases traffic for 56% of branch locations (IHL Group)
• “A week without guest WiFi leaves customers grumpier than a week without coffee” (Huff Tech Research)
What Are the Big Cloud Trends?
• 20% of applications are in the cloud, growing 18% a year
• AWS reaches over 1 million active customers
[Chart: AWS active customers, 2008 to 2014; source: zdnet.com]
• Applications that move between the branch, the cloud, and the DC
[Chart: installed workloads in millions, 2012 to 2017: cloud data center (30% CAGR) vs. traditional data center (6% CAGR); the cloud share grows from 39% to 63% while the traditional share falls from 61% to 37%; source: Cisco Global Cloud Index (GCI)]
• 40% of organizations will spend more on software as a service and a mix of public, private, hybrid and community clouds in 2015 (source: Computer World)
Leveraging the Internet Pays Off Fast
EXAMPLE: San Francisco, single MPLS VPN vs. dual business Internet ($ per month)
           iWAN (dual Internet)   MPLS VPN CoS3   MPLS VPN CoS2   MPLS VPN CoS1
1.5 Mbps   $140                   $260            $274            $303
10 Mbps    $220                   $830            $885            $1,014
Dual Internet links combined for an enterprise SLA: $665 savings/month (-75% vs. MPLS VPN CoS2 at 10 Mbps) x 12 months x 1,000 sites = $8M savings per year
Source: Telegeography MPLS VPN pricing for San Francisco as of March 2013; Comcast Web site; Verizon website
Building Highly Resilient WANs: Redundancy and Path Diversity Matter
Single router, single path
• MPLS: 99.95%* availability, about 4 hours 23 minutes downtime per year
• Internet: 99.90%* availability, 8 hours 46 minutes downtime per year
Single router, dual paths (MPLS + Internet, MPLS + MPLS, or Internet + Internet)
• 99.995% availability, 26 minutes downtime per year
Dual routers, dual paths (the IWAN solution)
• 99.999% availability, 5 minutes downtime per year
* Typical MPLS and business-grade broadband availability SLAs and downtime per year, calculated with the Cisco AS DAAP tool.
IWAN Transport Best Practices
• Private peering with Internet providers: use the same Internet provider for hub and spoke sites; avoids Internet exchange bottlenecks between providers; reduces round-trip latency
• DMVPN Phase 3: scalable dynamic site-to-site tunnels; separate DMVPN per transport for path diversity; per-tunnel QoS; next-generation encryption, IKEv2 + AES-GCM-256
• Transport settings: use the same MTU size on all WAN paths; bandwidth settings should match the offered rate
• Routing overlay: iBGP or EIGRP for high scale; single routing process, simplified operations; front-side VRF to isolate provider networks
[Diagram: IWAN Hybrid with a separate DMVPN overlay per transport (Internet via ISP A, MPLS via SP B) between branch and data center]
Intelligent Path Control - Backup Slides
Performance Routing: Components
The decision maker: Master Controller (MC)
• Discovers BRs, collects statistics
• Applies policy, verification, reporting
• No packet forwarding/inspection required
The forwarding path: Border Router (BR)
• Does all packet forwarding
• Visibility into network performance
• Enforces the MC's decision (path enforcement)
The policy controller: Domain Controller (DC)
• Discovers site peers, prefixes and connected networks
• Advertises policy and services
• One per domain, collocated with the MC
[Diagram: branch MC+BR with MPLS and Internet paths to data center BRs and a DC/MC]
PfR Domain Controller (DC) Peering Framework
• Site MCs register to the domain and advertise to, or request, services
• Simplifies deployment and configuration; provides topology auto-discovery
• Single point of configuration across the domain
• Used to distribute information to sites: learned site prefixes, application/traffic policies, performance monitoring, traffic class database
[Diagram: domain controller and master controller at the hub (DC/MC) with BRs on WAN1 and WAN2; branch sites as MC+BR]
How PfR Works: Key Operations
1. Define your traffic policy: define traffic classes and service-level policies based on applications or transport classifiers
2. Learn the traffic: border routers learn the current traffic classes going to the WAN based on the classifier definitions (learning active TCs)
3. Measurement: measure the traffic flow and network performance and report metrics to the Master Controller
4. Path enforcement: the Master Controller commands path changes based on traffic-class policy definitions (best path)
[Diagram: hub MC with BRs (ISR, ASR1K) and branch MC+BR sites for each of the four steps]
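The four operations above, together with the policy slide (voice/video delay < 150 ms and jitter < 20 ms, business app delay < 250 ms, MPLS preferred) and the utilization-based load balancing slide, are easier to reason about as code. The following is an added example, not Cisco's PfR implementation: a small model of the MC decision loop in which border-router measurements per path are checked against a traffic-class policy, the first preferred path that meets the SLA wins, and best-effort traffic is placed by relative utilization rather than equal split. Policy names, thresholds and the per-path measurements are constructed for illustration; real PfRv3 measures one-way delay per channel with performance monitors and uses its own timers and dampening.

```python
# Added example, not Cisco's PfR code: a model of the MC decision loop.
# Policy names, thresholds and the BR_REPORT measurements are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Metrics = Dict[str, float]  # {"delay": ms, "jitter": ms, "loss": percent}


@dataclass
class TrafficClassPolicy:
    """Service-level policy for one traffic class, as the MC would hold it."""
    name: str
    path_preference: List[str]            # primary path first, then fallbacks
    max_delay_ms: Optional[float] = None
    max_jitter_ms: Optional[float] = None
    max_loss_pct: Optional[float] = None

    def violations(self, m: Metrics) -> Dict[str, float]:
        """Relative exceedance per metric; an empty dict means in policy."""
        out = {}
        for key, limit in (("delay", self.max_delay_ms),
                           ("jitter", self.max_jitter_ms),
                           ("loss", self.max_loss_pct)):
            if limit is not None and m[key] > limit:
                out[key] = (m[key] - limit) / limit
        return out

    def in_policy(self, m: Metrics) -> bool:
        return not self.violations(m)


def choose_path(policy: TrafficClassPolicy,
                measurements: Dict[str, Metrics]) -> Tuple[str, str]:
    """MC path decision: first preferred path that meets the SLA, otherwise
    any other in-policy path, otherwise the path that violates it least."""
    for path in policy.path_preference:
        if path in measurements and policy.in_policy(measurements[path]):
            return path, "preferred path in policy"
    for path, m in measurements.items():
        if policy.in_policy(m):
            return path, "non-preferred path in policy"
    least_bad = min(measurements,
                    key=lambda p: sum(policy.violations(measurements[p]).values()))
    return least_bad, "all paths out of policy; least violation"


def load_balance(bandwidth_kbps: Dict[str, float],
                 load_kbps: Dict[str, float]) -> str:
    """Best-effort placement by relative utilization, so a 1.5 Mbps T1 and a
    15 Mbps Internet link both sit at e.g. 50% instead of carrying equal bits."""
    return min(bandwidth_kbps,
               key=lambda p: load_kbps.get(p, 0.0) / bandwidth_kbps[p])


# Constructed policies mirroring the slide: voice/video delay < 150 ms and
# jitter < 20 ms; business app delay < 250 ms; both prefer MPLS, Internet fallback.
VOICE_VIDEO = TrafficClassPolicy("voice-video", ["MPLS", "INET"],
                                 max_delay_ms=150, max_jitter_ms=20)
BUSINESS_APP = TrafficClassPolicy("business-app", ["MPLS", "INET"],
                                  max_delay_ms=250, max_loss_pct=5)

# Constructed BR measurements: MPLS shows high jitter, the Internet path is clean.
BR_REPORT: Dict[str, Metrics] = {
    "MPLS": {"delay": 120.0, "jitter": 35.0, "loss": 0.1},
    "INET": {"delay": 90.0, "jitter": 10.0, "loss": 0.5},
}


def run_demo() -> Dict[str, object]:
    """MC decisions for the constructed report, plus a load-balance placement."""
    return {
        "voice-video": choose_path(VOICE_VIDEO, BR_REPORT),
        "business-app": choose_path(BUSINESS_APP, BR_REPORT),
        "best-effort": load_balance({"MPLS": 1500, "INET": 15000},
                                    {"MPLS": 750, "INET": 3000}),
    }


if __name__ == "__main__":
    for tc, decision in run_demo().items():
        print(tc, "->", decision)
```

With the constructed report, voice/video leaves MPLS because jitter (35 ms) exceeds its 20 ms threshold while the business app stays on MPLS (120 ms delay is within 250 ms), which is the per-traffic-class granularity the slides describe; best-effort traffic goes to the Internet link because it is at 20% utilization versus 50% on the T1.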
Intelligent Path Control: Path of Last Resort (new in IWAN 2.1, Fall 2015)
• Simplifies and speeds up failover routing to a backup-only path
• Granular failover per traffic-class policy
• Extends path preference to include last-resort path(s)
• Removes the need for the routing protocol to initiate failover
• Good choice for cellular, satellite and other backup-only paths
[Diagram: branch site R14 (MC/BR) with DMVPN over MPLS, Internet and LTE to DC1 and DC2 (DC/MC, MC and BRs behind an ASA)]
Application Optimization - Backup Slides
Today's Network is an IT Blind Spot
• Static port classification is no longer enough
• More and more apps are opaque
• Increasing use of encryption and obfuscation
• An application consists of multiple sessions (video, voice, data)
• What if user experience is not meeting business needs?
Performance Collection and Exporting: integrated performance monitoring and advanced metrics for different types of applications and use cases
• Basic monitoring: what applications, how much bandwidth, flow direction? (NBAR2 and Flexible NetFlow)
• Voice and video performance (media monitoring): 30% of traffic is voice and video
• Critical applications performance (Application Response Time): 40% of traffic is critical applications
• Unified monitoring (including HTTP)
Application Acceleration + Edge Caching: Enhancing User Experience while reducing WAN load
Supports Akamai Cloud | Single-sided optimization | Secure direct cloud access
Akamai caching: transparent HTTP caching; dynamic URL OTT HTTP caching; Akamai Connected Cache; content pre-positioning
Cisco WAAS optimization: LZ compression; TCP optimization; data de-duplication; application-specific acceleration
Cisco WAAS and Akamai Deployment Models
[Diagram: branch office options (WAAS service module/UCS-E, WAAS-XE on ISR 4000, WAAS appliance), regional office WAAS appliance, data center or private cloud WAAS appliances with AppNav, vWAAS on VMware ESXi with Nexus 1000v vPath and VSM on UCS/x86 servers with FC SAN, and vWAAS in the virtual private cloud (new)]
IWAN Secure Connectivity - Backup Slides
Trust Anchor Module (TAM): “How do I know the hardware is authentic?”
• Provides immutable identity
• Standard identity: IEEE 802.1AR (SUDI, X.509 certificate)
• Secure storage of credentials
• Anti-theft and anti-tamper chip design
• Certifiable entropy for random number generation
TAM features and services
• Immutable identity
• Secure storage (keys and objects)
• Certifiable entropy source
• Secure crypto assist
• Secure application certificates
Checks to verify as Cisco genuine: TAM/secure identity verification; authenticity and license check; verify secure identity
Product security
• Provides trustworthy hardware offering immutable identity, secure storage, random number generator, and encryption
• Available in the ISR 4000, newer Catalyst and other Cisco products
Secure Boot: “How do I know the software is authentic?”
Verifies the software has not been altered or tampered with since it was signed.
Secure boot process
• Power-up: the immutable hardware anchor ensures hardware integrity and key authenticity, and integrity-checks the signed microloader
• The microloader verifies the signed bootloader/BIOS
• The signed bootloader/BIOS validates the signed operating system
• Launch operating system
• Ensures only authentic Cisco software boots on a Cisco platform
• Anchored in hardware: as the image is created, the signature is installed and signed with a secure private key
• As the software boots, the system checks that the installed digital certificate is valid
• Subsequent hash checks provide continuous monitoring with runtime integrity
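The property that makes the chain above work is that each stage only launches the next after verifying it against a value the previous, already-trusted stage carries, back to a root that cannot be changed. The following is an added example, not Cisco's secure-boot implementation: it models that chain with SHA-256 digests, where each stage embeds the digest of the stage it launches and the root digest lives in the immutable anchor. A digest stands in here for the signature and certificate check Cisco performs; the chaining structure is the same, but a bare digest only gives this guarantee because the anchor value itself is immutable, whereas a signature lets the anchor hold just a public key. Stage names and image bytes are constructed.

```python
# Added example, not Cisco's secure-boot code: a digest-chained model of the
# anchor -> microloader -> bootloader/BIOS -> OS verification order above.
# Stage names and image contents are constructed for illustration.
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class Stage:
    name: str
    code: bytes                    # the stage's own instructions (constructed)
    next_digest: Optional[bytes]   # digest of the next stage's image; None for the OS

    @property
    def image(self) -> bytes:
        """What gets hashed: code plus the embedded pointer to the next stage,
        so repointing a stage at a different successor is caught like a patch."""
        return self.code + (self.next_digest or b"")


def build_chain(os_code: bytes, bootloader_code: bytes,
                microloader_code: bytes) -> Tuple[bytes, List[Stage]]:
    """Build images from the last stage backwards (each needs its successor's
    digest); returns (anchor_digest, stages in boot order)."""
    os_stage = Stage("operating-system", os_code, None)
    boot = Stage("bootloader-bios", bootloader_code, sha256(os_stage.image))
    micro = Stage("microloader", microloader_code, sha256(boot.image))
    return sha256(micro.image), [micro, boot, os_stage]


def secure_boot(anchor_digest: bytes,
                stages: List[Stage]) -> Tuple[bool, Optional[str]]:
    """Walk the chain: check each stage against the digest held by the anchor
    or by the previous verified stage, halting at the first mismatch."""
    expected: Optional[bytes] = anchor_digest
    for stage in stages:
        if expected is None or sha256(stage.image) != expected:
            return False, stage.name          # refuse to launch this stage
        expected = stage.next_digest          # trust is now extended one hop
    return True, None


def tamper(stage: Stage, code: Optional[bytes] = None,
           next_digest: Optional[bytes] = None) -> Stage:
    """Return a modified copy of a stage (an attacker's patch or repoint)."""
    return Stage(stage.name,
                 stage.code if code is None else code,
                 stage.next_digest if next_digest is None else next_digest)


def demo() -> Dict[str, Tuple[bool, Optional[str]]]:
    anchor, stages = build_chain(b"IOS-XE image v1", b"ROMMON/BIOS", b"microloader")
    micro, boot, os_ = stages
    results = {"clean": secure_boot(anchor, stages)}
    # Patch the OS image: the bootloader's embedded digest no longer matches.
    evil_os = tamper(os_, code=b"IOS-XE image v1 + implant")
    results["patched-os"] = secure_boot(anchor, [micro, boot, evil_os])
    # Repoint the bootloader at the patched OS: now the bootloader's own image
    # changes, so the microloader's digest of it fails one hop earlier.
    evil_boot = tamper(boot, next_digest=sha256(evil_os.image))
    results["repointed-bootloader"] = secure_boot(anchor, [micro, evil_boot, evil_os])
    return results


if __name__ == "__main__":
    for case, (ok, failed_at) in demo().items():
        print(f"{case}: {'boot' if ok else 'halt at ' + failed_at}")
```

The second tamper case is the one worth internalizing: an attacker who can rewrite the bootloader can make it accept any OS, so the bootloader's own pointer must be inside what the microloader verifies, and the chain has to bottom out in something that cannot be rewritten, which on the slide is the hardware anchor.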
Add Network-Integrated Threat Defense: IOS Zone-Based Firewall
[Diagram: branch to data center ASR 1000s over MPLS (ISP A) and Internet (ISP C)]
• Control the perimeter: external and internal protection (the internal network is no longer trusted); protocol anomaly detection and stateful inspection
• Communicate securely: call-flow awareness (SIP, SCCP, H.323); prevent DoS attacks
• Flexible: split-tunnel branch direct Internet access; internal firewall addresses regulatory compliance
• Integrated: no need for additional devices, expense and power; works with other IWAN services (CWS, WAAS, UCS-E, ...)
• Manageable: APIC-EM, Prime, CLI, SNMP, CCP, and CSM
Securing IWAN Transports with Front-Door VRF: Isolation of external networks
Virtual Routing and Forwarding (VRF) instances create multiple logical routers on a single device
• Separate control/forwarding planes per VRF
• No connectivity between VRFs by default
• Provider-side VRF (yellow) for external networks, global VRF (blue) for internal networks
The provider VRF minimizes threat exposure
• Default routing only in the provider VRF
• Provider-assigned IP addressing hides the internal network
• The provider IP address is used as the IPsec tunnel source
• Only IPsec is allowed between the internal global VRF and the provider (front-side) VRF
[Diagram: branch LAN (10.1.1.0/24, 10.1.2.0/24, ...) in the global/inside VRF; IPsec tunnel interface; front-side “provider interface” VRF with the provider-assigned WAN IP address 192.168.254.254; IOS ZBFW or ACL permits only authorized traffic, i.e. IPsec; VRFs have independent routing and forwarding planes]
Protecting Public-Facing IWAN Interfaces
[Diagram: branch to data center ASR 1000s over DSL (ISP A) and cable (ISP C)]
• Use ACLs, ZBFW or an ASA to block all traffic to the routers except the DMVPN tunnel traffic
• Zone-Based Firewall (ZBFW) at the branch if there are plans for Direct Cloud Access
• Typical ACL for protecting the Internet interface:

    interface GigabitEthernet0/0
     bandwidth 10000
     ip vrf forwarding INET-PUBLIC1
     ip address dhcp
     ip access-group ACL-INET-PUBLIC in
     duplex auto
    !
    ip access-list extended ACL-INET-PUBLIC
     permit udp any any eq non500-isakmp
     permit udp any any eq isakmp
     permit esp any any
     permit udp any any eq bootpc
     permit icmp any any echo
     permit icmp any any echo-reply
     permit icmp any any ttl-exceeded
     permit icmp any any port-unreachable
     permit udp any any gt 1023 ttl eq 1
    !

• The list admits only what the DMVPN overlay and basic operations need: IKE (UDP 500) and IKE NAT-T (UDP 4500), ESP, the DHCP client replies (bootpc, UDP 68) required because the interface address is DHCP-assigned, a few ICMP types for diagnostics, and inbound traceroute probes (UDP ports above 1023 with TTL 1); everything else, including SSH, HTTPS and SNMP to the router, falls to the implicit deny at the end of the ACL
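Because an IOS ACL is evaluated top down with first match and an implicit deny, the quickest way to confirm what the public interface still answers to is to replay a set of candidate packets through the list. The following is an added example, not Cisco code: a stateless evaluator for the ACL-INET-PUBLIC entries above, with IOS port names resolved to numbers and a constructed set of packets (DMVPN control traffic, a DHCP reply, a ping, a traceroute probe and several scans). It only models the ACL; traffic that is permitted still has to complete IKE or be valid ESP before it reaches anything inside the front-door VRF.

```python
# Added example, not Cisco code: a first-match evaluator for the ACL above.
# The packet set is constructed; it models the ACL only, not ZBFW or IPsec.
from typing import Dict, List, Optional, Tuple

# IOS keywords used in the ACL, resolved to port numbers
ISAKMP, NON500_ISAKMP, BOOTPC = 500, 4500, 68

# One entry per ACE, in ACL order. Keys not present in an ACE are wildcards.
ACL_INET_PUBLIC: List[Dict] = [
    dict(action="permit", proto="udp", dport=("eq", NON500_ISAKMP)),  # IKE NAT-T
    dict(action="permit", proto="udp", dport=("eq", ISAKMP)),         # IKE
    dict(action="permit", proto="esp"),                               # IPsec ESP
    dict(action="permit", proto="udp", dport=("eq", BOOTPC)),         # DHCP replies
    dict(action="permit", proto="icmp", icmp_type="echo"),
    dict(action="permit", proto="icmp", icmp_type="echo-reply"),
    dict(action="permit", proto="icmp", icmp_type="ttl-exceeded"),
    dict(action="permit", proto="icmp", icmp_type="port-unreachable"),
    dict(action="permit", proto="udp", dport=("gt", 1023), ttl=1),    # traceroute
]


def _port_match(op_port: Optional[Tuple[str, int]], dport: Optional[int]) -> bool:
    if op_port is None:
        return True                      # ACE does not constrain the port
    if dport is None:
        return False                     # ACE needs a port the packet lacks
    op, port = op_port
    return {"eq": dport == port, "gt": dport > port, "lt": dport < port}[op]


def ace_matches(ace: Dict, pkt: Dict) -> bool:
    """All constraints present in the ACE must hold for the packet."""
    if ace["proto"] != pkt["proto"]:
        return False
    if not _port_match(ace.get("dport"), pkt.get("dport")):
        return False
    if "icmp_type" in ace and ace["icmp_type"] != pkt.get("icmp_type"):
        return False
    if "ttl" in ace and ace["ttl"] != pkt.get("ttl"):
        return False
    return True


def evaluate(acl: List[Dict], pkt: Dict) -> Tuple[str, Optional[int]]:
    """First matching ACE wins and its index is returned; no match falls to
    the implicit deny that ends every IOS ACL (index None)."""
    for idx, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace["action"], idx
    return "deny", None


# Constructed inbound packets as seen on the Internet-facing interface.
SAMPLE_PACKETS: Dict[str, Dict] = {
    "ike":           dict(proto="udp", dport=500, ttl=60),
    "ike-natt":      dict(proto="udp", dport=4500, ttl=60),
    "esp":           dict(proto="esp", ttl=60),
    "dhcp-reply":    dict(proto="udp", dport=68, ttl=255),
    "ping":          dict(proto="icmp", icmp_type="echo", ttl=60),
    "traceroute":    dict(proto="udp", dport=33434, ttl=1),
    "ssh-scan":      dict(proto="tcp", dport=22, ttl=60),
    "https-scan":    dict(proto="tcp", dport=443, ttl=60),
    "dns-scan":      dict(proto="udp", dport=53, ttl=60),
    "sip-scan":      dict(proto="udp", dport=5060, ttl=60),   # high port, TTL not 1
    "icmp-redirect": dict(proto="icmp", icmp_type="redirect", ttl=60),
}


def exposure_report(acl: List[Dict] = ACL_INET_PUBLIC,
                    packets: Dict[str, Dict] = SAMPLE_PACKETS) -> Dict[str, str]:
    """Map each sample packet to the ACL verdict."""
    return {name: evaluate(acl, pkt)[0] for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in exposure_report().items():
        print(f"{name:14s} {verdict}")
```

Two details to notice when reading the report: the DHCP permit is unavoidable on a DHCP-addressed interface but is also why the entry should stay `eq bootpc` rather than something broader, and the last entry means any UDP packet to a port above 1023 arriving with TTL 1 is accepted, which is what makes traceroute work but also what lets a TTL-1 scan learn which of those UDP ports the router answers.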
Orchestration and Automation - Backup Slides
IWAN App: Application Classification (screenshot)
IWAN App: Policy Provisioning (screenshot)
Service Health Summary (screenshot)
PfR dashboard: look at events at sites (screenshot)
Router, Provider, Server (screenshot)
Link details: PfR threshold crossing (screenshot)
LiveAction Software
• An application-aware network performance management and QoS control tool
• Fast, simple, cost-effective way to monitor and control application performance leveraging Cisco capabilities
LiveAction components: Flow | QoS Monitor | QoS Configure | Routing | LAN | IP SLA
Business Relevance to End Customers
• Insightful application performance and troubleshooting
• Faster QoS monitoring and configuration
• Visual WAN bandwidth management
• Higher-quality voice and video
• Efficient WAN performance baselining and capacity planning
• Higher productivity through faster and more reliable applications
Click: easily deploy, configure, monitor, and analyze Cisco advanced technologies
See: end-to-end flow visualization for a holistic view of the network
Point: quick diagnosis of performance issues through visual displays
Fix: unique QoS graphical control to troubleshoot and solve issues; instant validation of policy changes
Glue Networks IWAN Orchestration
• Cloud-based SaaS subscription model
• Eliminates manual building of WANs
• Automated WAN orchestration and management
• Quick configuration updates and IOS upgrades
• Rapidly delivers next-gen and IWAN features
• Forward compatible with SDN and onePK for application-aware WANs
• Broadband and MPLS support for centralized hybrid WAN management for IWAN
Introducing Gluware 2.0: DevOps for Network Engineers
Transforms enterprise networks
• Network-engineer centric vs. programmer centric
• Gluware Lab: rapid development environment, NDK, and FLOW (Flexible Language Object Workstream)
• Gluware Control: network-aware and customizable life-cycle management
• Integrated with leading architectures (IWAN)
• REST API for third-party monitoring, visualization and controllers
LiveAction 4.3 and Performance Routing
• PfR path change visualization
• Alert and report on PfR out-of-policy events
• Reports on traffic class/application path changes
[Screenshots: out-of-policy threshold-crossing alert; path before brown-out (northern path) and after brown-out (southern path); PfRv3 dashboard with alerts/performance by site, by application group, and all alerts]
LiveAction Demonstration
• System topology and end-to-end flow visualization
• Flow, PfR, and QoS
• PfR failover demo (12 min): http://vimeo.com/108511944
• PfR configuration (15 min): https://vimeo.com/121177440
Intelligent SD-WAN Orchestration Platform Benefits
• Optimize WAN management with best-practice architectures (IWAN) and centralized management
• Zero-touch deployment with consistency, error checking and architecture awareness
• WAN orchestration with DevOps, boosting agility and customization with the network engineer in mind
• Simplify roll-out of complex services through policy centralization and assurance
• Control network evolution with advanced feature support and open, programmable interfaces
• Transport-agnostic connectivity for hybrid WAN and cost reduction
IWAN / Glue Networks / APIC-EM Evolution (Cisco Internal Only)
[Figure: layered evolution diagram, as far as the layout can be recovered. Layers, bottom to top: Device Layer, Element Layer, Control Layer, Orchestration & Automation Layer, with the Network Operator/Admin on top. Phase 1: element layer reached via CLI, TCL and SNMP; Gluware at the orchestration layer. Phase 2: element layer via CLI, API, TCL and SNMP; APIC-EM at the control layer; Gluware at the orchestration layer. Phases 3-5: element layer via API and SNMP; APIC-EM at the control layer; Gluware at the orchestration layer. Every phase covers the four IWAN pillars (TID, IPC, AO, SIC).]
IWAN Pillars: TID – Transport Independent; IPC – Intelligent Path Control; AO – Application Optimization; SIC – Secure Internet Access
Cisco IWAN Product Portfolio - Backup Slides
IWAN Branch Services Routers
ISR 4000 Series - IWAN AX Ready, Next Generation Branch
INTEGRATED IWAN SERVICES
• IOS Firewall, VPN, IPsec, PfRv3, NBAR2, AVC, AppNav, VRF, MPLS
• Scalable on-chip service provisioning
APPLICATION CENTRIC
• App/User policy-driven deployment
• APIC-EM Automation: deploy in minutes
• Pay-as-you-grow
• Up-to-75% cost savings
APPLIANCE LEVEL PERFORMANCE
• Service-Aware Dataplane
• Resilient Service Virtualization
• Multi-gigabit Fabric

Model      Throughput (default / with performance license)
ISR 4321   50 Mbps / 100 Mbps
ISR 4331   100 Mbps / 300 Mbps
ISR 4351   200 Mbps / 400 Mbps
ISR 4431   500 Mbps / 1 Gbps
ISR 4451   1 Gbps / 2 Gbps
IWAN Aggregation Border Routers
ASR 1000 Series - IWAN AX Ready, High Performance Routers
INTEGRATED IWAN SERVICES
• IOS Firewall, VPN, IPsec, PfRv3, NBAR2, AVC, AppNav, VRF, MPLS
• Scalable on-chip service provisioning
BUSINESS-CRITICAL RESILIENCY
• Separate control and data planes
• Hardware and software redundancy
• In-service software upgrades
COMPACT, POWERFUL ROUTER
• Line-rate performance 2.5G to 200G+ with services enabled
• Crypto performance from 2G to 60G+
• Flexible I/O: SPAs and Ethernet LCs

Model              Forwarding throughput                   Crypto throughput
ASR1001-X          2.5G, upgradeable to 5G, 10G, 20G       Up to 8G
ASR1002-X          5G, upgradeable to 10G, 20G, 36G        Up to 4G
ASR1006 (modular)  Modular, redundant, up to 200G          Up to 60G
Cisco UCS E-Series: Extend Cloud Services into Branch Infrastructure
[Figure: ISR chassis running IOS with the MGF backplane switch, hosting UCS-E blades; each blade runs a hypervisor with several OS/App virtual machines and has its own CIMC management controller]
Platform for WAN Edge Applications
• Support on ISR Series Routers
• Microsoft Windows Server and Linux certified
Server Virtualization
• Cisco UCS virtualization powered by VMware, Microsoft, Citrix
Dedicated Blade Management
• Cisco Integrated Management Controller
• Consistent management for UCS family
Multipurpose x86 Blades
• Cisco UCS E-Series modules
• House up to four server blades in an ISR
Single-Device Network Integration
• House all services in ISR chassis
• Multigigabit fabric backplane switch
Cisco UCS E-Series Server: Hypervisor and OS Support
Hypervisors
• VMware vSphere Hypervisor 5.0 update 1, 5.1 and 5.5
• Hyper-V (Windows Server 2008 R2, 2012, 2012 R2)
• Citrix XenServer 6.0
Microsoft Windows
• Windows Server 2008 R2 Standard 64-bit
• Windows Server 2008 R2 Enterprise 64-bit
• Windows Server 2012, 2012 R2
Linux
• Red Hat Enterprise Linux 6.2
• SUSE Linux Enterprise 11, Service Pack 2
• Oracle Enterprise Linux 6.0, update 2
Why Cisco IWAN? - Backup Slides
Intelligent WAN Summary
[Figure: reference topology. Two data centers (DC-West, DC-East) form the DC IWAN core, with MC and BR roles on ASR-AX routers running WAAS and AVC, attached to both MPLS and Internet transports. Branches (Branch-1 through Branch-513) use ISR-AX routers as BRs with vWAAS and AVC; example WAN links shown are a 20M down / 2M up ADSL island, 512M FD, 1.5M FD and 256M FD. Internet-bound branch traffic goes through CWS.]
Transport Independent Design
• Highly available Hybrid WAN
Intelligent Path Control
• Performance Routing (PfR) to protect applications and load balance traffic to maximize expensive WAN bandwidth
Application Optimization
• Application Visibility and Control (AVC) to monitor performance
• WAAS + Akamai to reduce bandwidth consumption while improving application experience
Secure Connectivity
• Secure the network from outside threats
• Cloud Web Security (CWS) for improved Cloud performance while freeing up WAN bandwidth, without compromising security
IWAN Management
• Cisco and Ecosystem Partner tools: APIC-EM IWAN App, Prime, LiveAction, Gluware, and more
IWAN Vision and Strategy
[Figure: five-stage roadmap. Stage labels as extracted from the slide: Intelligent Virtualization, Automation, Cloud Integration, Service Virtualization, Self Learning Networks. Stage descriptions in order: Secure VPN Overlay, Any Transport, Bandwidth Efficiency, Application SLA; Secure, Simple, Centralized Policy Automation; ACI Policies, Inter-Cloud Mobility, Optimization, AMP; vRouter, vService and App Orchestration; Predictive, Self Directed]
IWAN Vision and Strategy: Systems Development Evolution of IWAN
[Figure: the same roadmap (Intelligent Virtualization, Automation, Cloud Integration, Service Virtualization, Self Learning Networks) built on the IWAN Framework: Transport Independent Design, Intelligent Path Control, Application Optimization, Secure Connectivity, Management & Orchestration]
Incremental improvements while delivering new use-cases
SD-WAN Working Group – SD-WAN Top 10 Requirements - Backup Slides
Open Networking User Group
• Community of IT business leaders who exchange ideas and best practices for implementing Open Networking and Software-Defined Networking (SDN) designs.
• One of the ONUG working groups is the SD-WAN Working Group.
• The SD-WAN Working Group has determined a set of 10 business requirements (based on user-developed use cases) that Enterprises should consider when evaluating SD-WAN solutions.
Source: http://blogs.cisco.com/enterprise/cisco-intelligent-wan-delivers-on-sd-wan-business-requirements
Top 10 Requirements for SD-WAN
1. Public and Private Active-Active: Ability for remote site/branch to leverage public and private WANs in an active/active fashion for business applications.
2. Physical or Virtual CPE: Ability to deploy CPE in a physical or virtual form factor on commodity hardware.
3. Security and Business Policies: A secure hybrid WAN architecture that allows for dynamic traffic engineering capability across private and public WAN paths as specified by application policy, prevailing WAN availability, and/or degradation of transport- or application-layer performance.
4. App- and Performance-Aware Dynamic Traffic Engineering: Visibility, prioritization, and steering of business-critical and real-time applications as per security and corporate governance and compliance policies.
5. Highly Available and Resilient WAN: A highly available and resilient hybrid WAN environment for optimal client and application experience.
Top 10 Requirements for SD-WAN (continued)
6. L2 and L3 Interoperability: Layer 2 and Layer 3 interoperability with directly connected switch and/or router.
7. Dashboard Reporting: Site, application, and VPN performance-level dashboard reporting.
8. Open API: Open north-bound API for controller access and management; ability to forward specific log events to a network event correlation manager and/or Security Incident & Event Manager (SIEM).
9. Zero Touch Deployment: Capability to effect zero touch deployment at the branch site with minimal to no configuration changes on directly connected infrastructure, ensuring agility in provisioning and deployment.
10. FIPS 140-2: FIPS 140-2 validation certification for cryptographic modules/encryption, with automated certificate life-cycle management and reporting.