Can your WAN Keep Up? - Amazon Web Services€¦ · Challenges balancing security and user experience Data Center Branch SaaS/IaaS/ Private Cloud Cloud Security Firewall/IPS UTM Pro:

Deliver at no compromises SD-WAN today

Can your WAN Keep Up?

Robert McGuckin, Systems Engineer

IPExpo Manchester 2019

• WAN Challenges

• Introduction to Cisco SD-WAN

• Cisco SD-WAN Security

• Cisco SD-WAN Portfolio and Licensing

• Why Cisco SD-WAN?

• What to do next?

Deliver at no compromises SD-WAN today

Can your WAN Keep Up?

Robert McGuckin, Systems Engineer

IPExpo Manchester 1029

The way we work has changed

WAN

Mobile Users

Campus & Branch Users

Devices & Things

PSOEN-2400

Applications moved to not one cloud, but many

Mobile Users

Campus & Branch Users

Devices & Things

WAN

DC/Private Cloud

SaaS

IaaS

PSOEN-2400

Campus

X2-5

Branches X100+

Mobile

Users

X1000s

Resulting in a highly complex and dynamic network

DC/Private Cloud

SaaS

IaaS

Internet connectivity becomes

business critical

PSOEN-2400

Campus

X2-5

Branches X100+

Mobile

Users

X1000s

DC/Private Cloud

SaaS

IaaS

The New Cloud EdgeEvery WAN device must be software defined and secure

Cloud Edge

PSOEN-2400

Campus

X2-5

Branches X100+

Mobile

Users

X1000s

DC/Private Cloud

SaaS

IaaS


Cloud Edge

Networking

Cloud

Security

PSOEN-2400

Campus

X2-5

Branches X100+

Mobile

Users

X1000s

DC/Private Cloud

SaaS

IaaS


Cloud Edge

Inconsistent user experience

Increasing complexity

Greater risk exposure

PSOEN-2400

The Hardware Based WAN of Yesterday Doesn’t Keep up with the Needs of Today

Branch

Branch

Branch

Branch

Branch

Branch

Data Center/HQ

PSOEN-2400


Branch

Branch

Branch

Branch

Branch

Branch

Data Center/HQ

PSOEN-2400


Cloud Providers

Branch

Cloud Applications

Branch

Branch

Branch

Branch

Branch

Data Center/HQ

PSOEN-2400


Cloud Providers

Branch

Cloud Applications

Branch

Branch

Branch

Branch

Branch

Data Center/HQ

PSOEN-2400

Cisco SD-WAN: Software ApproachReady for today’s WAN needs

Cloud ProvidersCloud Applications

BranchBranch

Branch

Branch

Branch

Branch

Data Center/HQ

PSOEN-2400



BranchBranch

Branch

Branch

Branch

Branch

Data Center/HQ

PSOEN-2400



BranchBranch

Branch

Branch

Branch

Branch

Data Center/HQ

PSOEN-2400



BranchBranch

Branch

Branch

Branch

Branch

Data Center/HQ

PSOEN-2400



BranchBranch

Branch

Branch

Branch

Branch

Data Center/HQ

PSOEN-2400



BranchBranch

Branch

Branch

Branch

Branch

Data Center/HQ

PSOEN-2400



BranchBranch

Branch

Branch

Branch

Branch

Data Center/HQ

PSOEN-2400


InternetInternet


BranchBranch

Branch

Branch

Branch

Branch

Data Center/HQ

4G/LTE

MPLS

PSOEN-2400


InternetInternet


BranchBranch

Branch

Branch

Branch

Branch

Data Center/HQ

4G/LTE

MPLS

PSOEN-2400


InternetInternet

Cloud ProvidersCloud ApplicationsData Center/HQ

vEdge

vEdge

vEdge

ISR 4000ENCS

4G/LTE

MPLS

ISR 1100

PSOEN-2400

ASR 1000

vEdge Cloud /

CSR 1000v

Introduction to Cisco SD-WAN

Cisco vManageTransport

Independence

Data CenterCampus/

Branch

IaaS/

SaaS

End-point

flexibilityColocation

Network

ServicesFirewall/IPS/

URL Filtering

WAN

Optimization

Cloud

Security

Orchestration | Analytics | API’s

Cisco SD-WAN cloud first architecture

SD-WAN Fabric

InternetLTE

MPLS

PSOEN-2400

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Cisco SD-WAN Solution PhilosophyMost Comprehensive Solution on the Market

Transport Independent Fabric

CellularMPLSBroadband

Delivery Platform

QoS

Application Policies

Security

Per-Segment

Topologies

Segmentation Svc Insertion

Cloud

Path

Application

SLA

Secure

Perimeter

Traffic

Engineering

SurvivabilityRouting

Analytics

Monitoring

Operations

Transport

Hub

Multicast

Cloud

Accel

APIs

3rd Party

Automation

vManage

4GMPLS

INTERNET

Data Center CoLo Campus BranchCloud

WAN Edge

vBond & vSmart Controllers

WAN Edge = Cisco ISRs or vEdge

PSOEN-2400

Cisco SD-WAN Key Components

APIs

3rd Party

Automation

vManage

4GMPLS

INTERNET


WAN Edge

Data Plane

• Physical of Virtual

• Zero Touch Provisioning

• On-Premise or Cloud


MultiCloud

OnRamp

Application

QoE

Security

(+Cloud)


PSOEN-2400


APIs

3rd Party

Automation

vManage

4GMPLS

INTERNET


WAN Edge

• SDN Architecture

• Routing and Security Distribution

• Horizontal Scale, Low Complexity

Control Plane

Data Plane





MultiCloud

OnRamp

Application

QoE

Security

(+Cloud)


PSOEN-2400


APIs

3rd Party

Automation

vManage

4GMPLS

INTERNET


WAN Edge




Control Plane

Data Plane




• Single pane of glass

• Monitoring and Troubleshooting

• RBAC and APIs

Management Plane


MultiCloud

OnRamp

Application

QoE

Security

(+Cloud)


PSOEN-2400


APIs

3rd Party

Automation

vManage

4GMPLS

INTERNET


WAN Edge




Control Plane

Data Plane




vAnalytics• Single pane of glass

• Monitoring and Troubleshooting

• RBAC and APIs

Management Plane Analytics

• Machine Learning

• Carrier Performance

• Bandwidth Forecasting


MultiCloud

OnRamp

Application

QoE

Security

(+Cloud)


PSOEN-2400


Cisco SD-WAN Security

4GMPLS

INTERNE

T

SD-WAN exposes new security challenges

Outside-in threats

Exposed connections as traffic is no

longer backhauled to the

data center

Internal threats

Traffic throughout the fabric must be

secure from threats, segmented,

and private

Inside-out threats

Threats inside the network

inevitably lead to inside-out traffic to

malicious infrastructures

Branch

Corporate

Software

Critical

Infrastructure

Data

Center

Data

Cen

ter E

dg

e

SaaS

Internet

Cloud Edge

IoT Mobile

devices

Users

(guests)

WA

N E

dg

e

Remote

Devices Users

IaaS

PSOEN-2400


SD-WAN Fabric

Challenges balancing security and user experience

BranchData Center

SaaS/IaaS/

Private Cloud

Cloud

SecurityFirewall/IPS UTM

Pro: Security is simple

Con: Poor user experience

1. Continue Backhauling

PSOEN-2400


BranchData Center

SaaS/IaaS/

Private Cloud

Cloud





Pro: Improves user experience

Con: Limited control

2. DIA via Cloud Security

PSOEN-2400


BranchData Center

SaaS/IaaS/

Private Cloud

Cloud









Con: Complex to manage

3. DIA via UTM

PSOEN-2400


BranchData Center

SaaS/IaaS/

Private Cloud

Cloud









Con: Complex to manage

3. DIA via UTM

Pro: Efficient traffic flows for experience

Con: Difficult to maintain policy

4. Security Everywhere

PSOEN-2400

Combining best of breed in security and SD-WAN

Enterprise Firewall+1400 layer 7 apps classified

Intrusion Protection SystemMost widely deployed IPS engine in

the world

URL-FilteringWeb reputation score using 82+ web

categories

Simplified Cloud SecurityEasy Deployment for Cisco Umbrella

Cisco SD-WAN

Cisco

Security

Hours instead of weeks and months

PSOEN-2400

Cisco SD-WAN Portfolio

Cisco SD-WAN Edge Platform Options

ISR 1000 ISR 4000 ASR 1000

• 2.5-200Gbps

• High-performance

service w/hardware

assist

• Hardware & software

redundancy

• Up to 2 Gbps

• Modular

• Integrated service

containers

• Compute with UCS E

• 200 Mbps

• Next-gen connectivity

• Performance flexibility

Branch Services

Public Cloud

vEdge 2000

• 10 Gbps

• Modular

vEdge 1000

• Up to 1 Gbps

• Fixed

vEdge 100

• 100 Mbps

• 4G LTE & Wireless

vEdge Appliances

Virtualization

ENCS 5100 ENCS 5400

• Up to 250Mbps • 250Mbps – 2GB

vEdge 5000

• ~30 Gbps

• Modular

vEdge Cloud / CSR1000vISRv

PSOEN-2400

Cisco SD-WAN Licensing

Routing Offer Details

Policy Based Automation

Cisco DNA Essentials

Cisco DNA Advantage

Cisco DNA Premier

Analytics and Assurance

• Network ---optimization analytics

• Application trending and forecasting

Secure Connectivity

• Unlimited segmentation

• SD-WAN and advanced WAN

topologies

• Limited segmentation

• Cloud connectivity

• All types of connectivity

• Secure VPN overlay

• L3-L4 firewall, App Aware FW

• IPS/IDS with Talos Signatures

• URL-Filtering

• Basic application visibility

• On-prem or cloud managed

• Zero touch deployment

• Branch virtualization with Cisco VNF

orchestration

• Day 0 and Day 2 provisioning

• Lifecycle management

Centralized Management

• Advanced network and application

visibility

• WAN Optimization

• Application aware policies using

path control, bandwidth optimization

• Cloud OnRamp

• Forwarding Error Correction

• Contextual insights with assurance

• Encrypted traffic analytics

PSOEN-2400

Subscription

TiersTerm Bandwidth

Term

flexibility: 3/5

years

Bandwidth

choice :

10M- 10G

Cisco DNA

Essentials to

Advantage and

Premier tiers

WAN Solutions that Grows with Your Business

PSOEN-2400

Why Cisco SD-WAN?

Apps

SD-WANCloud

Use-Cases.…

WAN

USERS

DC

IaaS

SaaS

vDC

AnalyticsCloud Delivered

DEVICES

THINGS

Intent-based Network Infrastructure

DNA Center

AnalyticsPolicy Automation

I N T EN T C O N T EX T

S EC U RI T Y

L EA RN I N G

Cisco SD-WAN Value Proposition

PSOEN-2400

Apps

SD-WANCloud

Use-Cases.…

WAN

USERS

DC

IaaS

SaaS

vDC


DEVICES

THINGS


DNA Center



S EC U RI T Y

L EA RN I N G

0 Transport Independent

WAN Fabric


PSOEN-2400

Apps

SD-WANCloud

Use-Cases.…

WAN

USERS

DC

IaaS

SaaS

vDC


DEVICES

THINGS


DNA Center



S EC U RI T Y

L EA RN I N G


WAN Fabric

1Cloud delivered WAN with

operational simplicity & analytics


PSOEN-2400

Apps

SD-WANCloud

Use-Cases.…

WAN

USERS

DC

IaaS

SaaS

vDC


DEVICES

THINGS


DNA Center



S EC U RI T Y

L EA RN I N G


WAN Fabric



2Superior security architecture –

cloud based & on-prem


PSOEN-2400

Apps

SD-WANCloud

Use-Cases.…

WAN

USERS

DC

IaaS

SaaS

vDC


DEVICES

THINGS


DNA Center



S EC U RI T Y

L EA RN I N G


WAN Fabric





3 Application QOE


PSOEN-2400

Apps

SD-WANCloud

Use-Cases.…

WAN

USERS

DC

IaaS

SaaS

vDC


DEVICES

THINGS


DNA Center



S EC U RI T Y

L EA RN I N G


WAN Fabric


operational simplicity & analytics4 End-point flexibility:

• Physical or virtual

• Rich services or lite

• Branch, Agg, Cloud



3 Application QOE


PSOEN-2400

Apps

SD-WANCloud

Use-Cases.…

WAN

USERS

DC

IaaS

SaaS

vDC


DEVICES

THINGS


DNA Center



S EC U RI T Y

L EA RN I N G


WAN Fabric


operational simplicity & analytics4 End-point flexibility:

• Physical or virtual

• Rich services or lite

• Branch, Agg, Cloud



3 Application QOE

5


PSOEN-2400

For YourReferenceProven Solution Across Many Verticals

Customer Industry Challenge Solution

Retail High cost, slow change, limited flexibility 60-70% cheaper broadband at high bandwidth, centralized control, full visibility.

FinancialNeeded more bandwidth and guaranteed network uptime for a

new teller application

Dollar cost averaged the bandwidth cost down using a mix of transport (MPLS, Broadband,

LTE). Traffic now uses the optimal network path to avoid downtime and slowdowns.

Tech

Slow performance and MPLS outages provided an expensive

and poor user experience

Monthly savings reduced the cost per Mbps by more than 80%. Diverse circuits improve

the reliability of the global network, with more than half of Agilent’s sites doubling WAN

redundancy.

Healthcare

With an MPLS contract renewal approaching, Cigna wanted the

flexibility to change carriers without a massive technology

shift

Gained back control of its control plane and created the Cigna Service Provider Agnostic

Network.

Healthcare Security and high network cost

Satisfied strict security and audit requirements and provided greater flexibility for

partnerships and secure clinical solutions. Cost reductions with the removal of remote site

voice equipment and expensive PRIs, aging WAN acceleration equipment and maintenance.

Energy

Scale to support evolving field operations, and support cloud

and support cloud migration and application SLAs

SLAs

Provided 30-60% savings in overall bandwidth costs. Enabled faster response to

faster response to acquisitions, divestitures and policy changes.

Learn More


Stand No P500


Thank You

Documents

Can your WAN Keep Up? - Amazon Web Services€¦ · Challenges balancing security and user experience Data Center Branch SaaS/IaaS/ Private Cloud Cloud Security Firewall/IPS UTM Pro: