
Page 1: Intelligent WAN : CVU update

Soren D. Andreasen ([email protected])

Technical Solution Architect

CCIE# 3252

Deliver enhanced mobile experience at the branch with Intelligent WAN

Intelligent WAN : CVU update

Page 2: Intelligent WAN : CVU update

Agenda

• IWAN 2.0/2.1 overview and latest development

Page 3: Intelligent WAN : CVU update

Intelligent WAN Solution Components

(Diagram: Branch connected over MPLS, Internet and 3G/4G-LTE to Private Cloud, Virtual Private Cloud and Public Cloud; AVC, WAAS, Akamai and PfRv3 shown at the edges; platforms ISR-AX and ASR1000-AX.)

• Transport Independence (DMVPN): IPsec WAN overlay, consistent operational model
• Intelligent Path Control (Performance Routing): optimal application routing, efficient use of bandwidth
• Application Optimization (AVC, WAAS, Akamai): performance monitoring, optimization and caching
• Secure Connectivity (Suite-B, CWS, ZBFW): NG strong encryption, threat defense
• Management & Orchestration across all of the above

Cisco Confidential

Page 4: Intelligent WAN : CVU update

IWAN 2.0/2.1 Developments

Page 5: Intelligent WAN : CVU update

IWAN Layers

• Infrastructure routing: MPLS routing, Internet routing
• Transport overlay: Transport Independent Design (DMVPN)
• Overlay routing over tunnels: overlay routing protocol (BGP, EIGRP)
• Intelligent path selection: PfR, AVC, QoS
• Also shown on the slide: ZBFW, CWS

Page 6: Intelligent WAN : CVU update

(Section divider: repeats the Intelligent WAN Solution Components slide from Page 3, highlighting Transport Independence.)

Page 7: Intelligent WAN : CVU update

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8

IWAN Transport Independent Design Summary

• IPsec Overlay – DMVPN Phase 3
  • Site-to-site dynamic tunnels
  • Per-Tunnel QoS
  • PfRv3 Path Control (SD-WAN automation)
• Multiple DMVPNs for Path Diversity
  • Separate failure domains
  • Brownout circumvention (PfR)
  • Load balancing (PfR and routing protocol)
• Single Routing Domain
  • Simplified operations and support
  • Simple ECMP or best path provisioning
  • EIGRP or BGP
• Security
  • Protecting the network from external threats

(Diagram: DC-East and DC-West, each with an MC and BRs on ASR-AX and joined by a DCI across the WAN core, reach Branch-1 through Branch-513 (ISR-AX, MC and BR) over DMVPN 1 and DMVPN 2; an MPLS island and ADSL appear as transports; all sites form one Path Control Domain.)

Page 8: Intelligent WAN : CVU update

(Section divider: repeats the Intelligent WAN Solution Components slide from Page 3, highlighting Intelligent Path Control.)

Page 9: Intelligent WAN : CVU update

Getting the Most Out of Your WAN Investment: Benefits of Intelligent Path Control

(Diagram: Data Center with ASR 1000s running WAAS and PfR, Branch with an ISR running AVC, connected over MPLS and Internet.)

• Enabling Internet-based WANs: lower WAN costs
• Efficient distribution of traffic based upon load, circuit cost, and path preference: full utilization of WAN bandwidth
• Per-application best path based on delay, loss, jitter measurements: improved application performance
• Protection from carrier black holes and brownouts: higher application availability

Page 10: Intelligent WAN : CVU update

Enterprise Domain: MC/BR

The Decision Maker: Master Controller (MC)
• Apply policy, verification, reporting
• No packet forwarding/inspection required
• Standalone or combined with a BR

The Forwarding Path: Border Router (BR)
• Gain network visibility in the forwarding path (learn, measure)
• Enforce the MC’s decision (path enforcement)

(Diagram: Hub with DC/MC and BRs; a single-CPE branch (MC/BR) and a dual-CPE branch (MC/BR plus BR) attach over MPLS and INET. Site IDs shown: 10.8.3.3, 10.2.11.11, 10.2.10.10.)

Page 11: Intelligent WAN : CVU update

Enterprise Domain: Domain Controller

• One of the MCs is assigned the Domain Controller role
• Central point of provisioning for the Enterprise Domain
• Branch sites connect to the Hub Master Controller
• Service Announcement Framework (SAF) peering

(Diagram: Hub with the Domain Controller MC and BRs; single-CPE branch (MC/BR) and dual-CPE branch (MC/BR plus BR) over MPLS and INET. Site IDs shown: 10.8.3.3, 10.2.11.11, 10.2.10.10.)

Page 12: Intelligent WAN : CVU update

Domain Policies and Monitors: Peering and Distribution

• Domain policies and monitor instances are configured on the Hub MC.
• They are then distributed to branch sites using the peering infrastructure.

(Diagram: the Hub MC/Domain Controller pushes Policies and Monitors to the MC/BR of the single-CPE and dual-CPE branches over MPLS and INET. Site IDs shown: 10.8.3.3, 10.2.11.11, 10.2.10.10.)

Page 13: Intelligent WAN : CVU update

Performance Monitoring: Passive Monitoring

• Bandwidth on egress: per traffic class
• Performance on ingress: RTP and TCP metrics, per DSCP and site

(Diagram: hub Master MC with BRs; single-CPE and dual-CPE branches over MPLS and INET.)

Page 14: Intelligent WAN : CVU update

Monitoring: Smart Probing

Smart Probes
• Generated from the dataplane
• Traffic driven – intelligent on/off
• Site to site and per DSCP

Performance Monitor
• Collect performance metrics

(Diagram: hub Master MC with BRs; single-CPE and dual-CPE branches over MPLS and INET.)

Page 15: Intelligent WAN : CVU update

Smart Probing

• Without actual traffic
  • BR sends 10 probes spaced 20ms apart in the first 500ms and another similar 10 probes in the next 500ms, thus achieving 20pps for channels without traffic.
• With actual traffic
  • Lower frequency when real traffic is observed over the channel
  • Probes sent every 1/3 of [Monitor Interval], i.e. every 10 sec by default
• Measured by Unified Monitoring just like other data traffic

(Diagram, "Help for Measurement Over Channels": traffic flow from Site10, 10.1.10.0/24, through its BRs and MC to the hub MCs/BRs over INET and MPLS.)

Page 16: Intelligent WAN : CVU update

Monitoring: Threshold Crossing Alerts

Threshold Crossing Alert (TCA)
• Sent to the source site
• Loss, delay, jitter, unreachable

(Diagram: hub Master MC with BRs; single-CPE and dual-CPE branches over MPLS and INET.)

Page 17: Intelligent WAN : CVU update

Path Enforcement

• Local MC (policy decision)
  • Selects the traffic-classes (TC) that are affected by the TCA
  • Moves them to the alternate path
• BRs
  • Impose next hop on internal interfaces, input direction
  • Maintain a single database of traffic-classes
  • Each traffic-class entry contains an output interface and a next-hop IP address
  • Lookup per packet: output interface/next hop retrieved, packet forwarded
  • If no entry, the RIB entry is used

TC database: a traffic-class is identified by
• destination-prefix,
• nbar-app-id,
• dscp.
Each traffic-class entry contains
• output interface
• nexthop ip address

(Diagram: Site10, 10.1.10.0/24, with its MC and BRs; hub MC/BRs reached over DMVPN MPLS and DMVPN INET.)

Page 18: Intelligent WAN : CVU update

Horizontal Scaling Architecture

• Requirements
  • Multiple DMVPN Hubs per cloud for redundancy and scaling
  • HA
    - If the current exit/channel to a remote site fails, converge over to an alternate exit/channel on the same (DMVPN1) network. Else, converge over to the alternate (DMVPN2) network.
  • Scale
    - Distribute traffic across multiple BRs/exits on a single DMVPN to utilize all WAN and router capacity.
    - Convergence across hubs/POPs should only occur when all exits/channels in a hub/POP fail or reach max-bw limits.

(Diagram: hub site, Site ID 10.8.3.3, with MC1 and BR1–BR4 on INET and MPLS; branch prefixes 10.1.10.0/24, 10.1.11.0/24, 10.1.12.0/24, 10.1.13.0/24. Multiple paths to the same DMVPN; multiple next hops in the same DMVPN.)

Page 19: Intelligent WAN : CVU update

Current Situation up to 3.14/15.5(1)T

• PfR limitations:
  • Path name is unique and cannot be used on multiple external interfaces
  • Spokes have multiple next hops on the same DMVPN tunnel
  • Only one is currently used by PfRv3
• PfR channel definition:
  • local site id + remote site id + DSCP + interface + path
  • Both “spoke to BR1” and “spoke to BR2” channels are the same, so we can’t differentiate them

(Diagram: hub site, Site ID 10.8.3.3, Hub MC 10.8.3.3/32, MC1 and BR1–BR4 on INET and MPLS; BR1 and BR2 both carry “Path MPLS?”, so the spoke cannot tell the two channels apart. Branch prefixes 10.1.10.0/24 to 10.1.13.0/24.)

Page 20: Intelligent WAN : CVU update

Solution – Multiple Next Hop Per Tunnel

• Solution:
  • Need to add an identifier to differentiate channels in the same DMVPN
  • New PATH-ID added to each external interface
  • Path-id unique per POP
  • Branches/spokes peer with each hub BR
  • Active/Active or Active/Backup mode
  • Targeted for XE 3.15 / 15.5(2)T

Hub BR with Path MPLS, Id 1:

    interface Tunnel 100
     domain IWAN path MPLS path-id 1

Hub BR with Path MPLS, Id 2:

    interface Tunnel 100
     domain IWAN path MPLS path-id 2

(Diagram: hub site, Site ID 10.8.3.3, Hub MC 10.8.3.3/32, MC1 and BR1–BR4 on INET and MPLS; branch 10.1.10.0/24 with MC/BR.)
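A model of the channel identity on this slide together with the traffic-class database, RIB fallback and TCA handling from the Path Enforcement slide, written as an added Python example rather than Cisco code; interface and application names, the RIB contents, next hops and the shape of the TCA handler are assumptions.

```python
"""Added model of two PfRv3 mechanisms from the slides; not Cisco code.
channel_key: the channel identity with and without PATH-ID, showing why
'spoke to BR1' and 'spoke to BR2' collided before PATH-ID existed.
BorderRouter: the BR traffic-class (TC) database keyed by destination-prefix,
nbar-app-id and dscp, per-packet lookup with RIB fallback, and the MC moving
TCs hit by a TCA to the alternate path. Site IDs are the slides'; interface
names, app names, RIB contents and next hops are constructed for the example."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional


class Channel(NamedTuple):
    local_site: str
    remote_site: str
    dscp: str
    interface: str
    path: str
    path_id: Optional[int] = None   # None models releases before PATH-ID


def channel_key(ch: Channel, use_path_id: bool) -> tuple:
    """local site + remote site + DSCP + interface + path, plus PATH-ID once enabled."""
    key = (ch.local_site, ch.remote_site, ch.dscp, ch.interface, ch.path)
    return key + (ch.path_id,) if use_path_id else key


class TrafficClass(NamedTuple):
    prefix: str      # destination-prefix
    app: str         # nbar-app-id
    dscp: str


class BorderRouter:
    def __init__(self, rib):
        # RIB: prefix -> (output interface, next hop); used when no TC entry matches
        self.rib = {ip_network(p): nh for p, nh in rib.items()}
        self.tc_db = {}  # TrafficClass -> (output interface, next hop)

    def install(self, tc, out_if, nexthop):
        self.tc_db[tc] = (out_if, nexthop)

    def forward(self, dst_ip, app, dscp):
        """Per-packet lookup: a TC entry imposes the next hop, else longest RIB match."""
        dst = ip_address(dst_ip)
        for tc, nh in self.tc_db.items():
            if dst in ip_network(tc.prefix) and (tc.app, tc.dscp) == (app, dscp):
                return nh
        best = max((n for n in self.rib if dst in n),
                   key=lambda n: n.prefixlen, default=None)
        return self.rib[best] if best is not None else None

    def on_tca(self, degraded_if, alt_if, alt_nexthop):
        """MC decision after a TCA on degraded_if: move every TC using that
        exit to the alternate path; returns the moved TCs."""
        moved = [tc for tc, (oif, _) in self.tc_db.items() if oif == degraded_if]
        for tc in moved:
            self.tc_db[tc] = (alt_if, alt_nexthop)
        return moved
```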

Page 21: Intelligent WAN : CVU update

Multiple POPs: Common Prefixes

• Requirements:
  – 2 (or more) Transit Sites advertise the very same set of prefixes
  – Datacenter may not be collocated with the Transit Sites
  – DCs/DMZs are reachable across the WAN Core for each Transit Site
  – Branches can access any DC or DMZ across either POP (hub). And DC/DMZs can reach any branch across multiple Transit Sites (hubs).
  – Multiple BRs per DMVPN per site may be required for crypto and bandwidth horizontal scaling

(Diagram: IWAN POP1 (MC1) and IWAN POP2 (MC2), with BR1–BR4, both advertise 10.8.0.0/16 and reach DC1…DCn across the DCI/WAN core; branches 10.1.10.0/24 to 10.1.13.0/24 connect over DMVPN MPLS and DMVPN INET.)

Page 22: Intelligent WAN : CVU update

Introducing PfR Transit Sites

Transit Sites: enterprise POPs or hubs; transit to the DC or spoke to spoke
• Site definition:
  – Controlled by a local Master Controller (MC)
  – Site ID – the IP address of the MC loopback
  – One/multiple BRs
  – Each BR has one/multiple links

Branch Sites: stub

(Diagram: Hub site, Site ID 10.8.3.3, with Hub MC MC1; Transit site, Site ID 10.9.3.3, with Transit MC MC2; Branch site Site10, Site ID 10.2.10.10; BR1–BR4 on DMVPN MPLS and DMVPN INET; branch prefixes 10.1.10.0/24 to 10.1.13.0/24.)

Page 23: Intelligent WAN : CVU update

Transit Master Controller

• Separate independent MC in each POP
• Introduce the “Transit Master Controller” concept for the 2nd Transit site
  • Behaves like a Hub without provisioning
  • Allows transit Smart Probes (initial spoke-to-spoke probe traffic goes through the POP)
  • Allows its BR to configure the WAN interface, and sends out SMP with the WAN discovery flag set
• Each POP is allocated a unique POP-ID in the entire domain; this is done by CLI on the POP MC.
  • MC1 in POP1 is the Hub MC – POP-ID 0
  • MC2 in POP2 is a Transit MC – POP-ID 1
• Each external interface is allocated a unique PATH-ID per POP

(Diagram: Hub site, Site ID 10.8.3.3, POP ID 0, Hub MC MC1; Transit site, Site ID 10.9.3.3, POP ID 1, Transit MC MC2; in each POP the external interfaces are Path MPLS Id 1 and Path INET Id 2; BR1–BR4 over DMVPN MPLS and DMVPN INET; branch prefixes 10.1.10.0/24 to 10.1.13.0/24.)

Page 24: Intelligent WAN : CVU update

(Section divider: repeats the Intelligent WAN Solution Components slide from Page 3, highlighting Application Optimization.)

Page 25: Intelligent WAN : CVU update

Application Visibility and Control

Page 26: Intelligent WAN : CVU update

Make Your IWAN Application Aware: Add Cisco AVC

(Diagram: Branch with a proliferation of devices, users/machines; DC/Headquarters; Private Cloud and Public Cloud, with Cisco AVC in the path.)

60% of IT Professionals Cite Performance as Key Challenge for Cloud

No Probes
• Rich data collection using NetFlow v9/IPFIX
• No additional hardware (and included in AX license)
• Easy to integrate into many reporting tools

Smart Capacity Planning
• Better use of costly bandwidth
• Per-branch and per-application level reporting

Business Aligned Privacy Enforcement
• No need for complex IP and port ACLs
• See inside HTTP flows to identify specific Cloud applications

Page 27: Intelligent WAN : CVU update

Next Generation NBAR (NBAR2): Deep Packet Inspection

• New DPI engine provides advanced application classification and field extraction capabilities
• Categorization to simplify application management
• Protocol Pack allows adding more applications without upgrading or reloading IOS

NBAR2: 1000+ signatures; advanced classification techniques; native IPv4/IPv6 classification; advanced field extraction

Releases: ISR G2 15.2(2)T1, ASR1K 3.4S

Page 28: Intelligent WAN : CVU update

Define Your Own Application in NBAR2: Custom App

• Port
  • TCP or UDP
  • 16 static ports per application
  • Range of ports (1000 maximum)
• IP and Port
  • IOS-XE 3.12
  • IOS 15.4(3)M
• Payload
  • Search the first 255 bytes of TCP or UDP payload
  • ASCII (16 characters)
  • Hex (4 bytes)
  • Decimal (1-4294967295)
  • Variable (4 bytes Hex)
• HTTP
  • URI regex
  • Host regex
• DNS

Releases: ISR G2 15.2(4)M2, ASR1K 3.8S

Page 29: Intelligent WAN : CVU update

NBAR2 and Encrypted Traffic

• With heuristics based classification, NBAR can classify 70+ encrypted applications.


Page 30: Intelligent WAN : CVU update

Performance Monitoring Foundation: Overview

• Metering process, on the devices: Flexible NetFlow, Unified Monitor
• Export process, to the collector: NetFlow v9, IPFIX (both within IETF scope)
• Collector uses: capacity planning, security, performance analysis, visibility

Page 31: Intelligent WAN : CVU update

IWAN Adaptive QoS: How Does It Work?

Adapt the sender’s shape rate based on the available bandwidth to the receiver.

• Sender: configure an MQC policy with adaptive shaping
• Receiver, with transport monitoring enabled: collect periodic bandwidth stats on received traffic
• The transport received rate is reported back across the DMVPN
• Sender: calculate the available bandwidth over the WAN and adjust the egress shaper to the observed rate

Page 32: Intelligent WAN : CVU update

(Section divider: repeats the Intelligent WAN Solution Components slide from Page 3, highlighting Management & Orchestration.)

Page 33: Intelligent WAN : CVU update


Specialized Management

Cloud-Based Management: Cisco IWAN Management – Automates Deployment and Lifecycle Management
• Eliminates manual building of WANs
• Automated SD-WAN orchestration
• Centralized hybrid WAN management
• Quick config updates and IOS upgrades
• Leverages onePK and REST APIs

Application Aware Network Performance Management – End-to-End Assurance of Application Experience
• Integrates with Cisco AVC and PfR
• Monitor and analyze application traffic
• End-to-end flow visualization
• Flow & app-based troubleshooting
• Fix and verify in realtime

On-Prem Management: Prime Infrastructure 2.2
• Single-pane view of IWAN
• IWAN deployment workflows
• Plug and Play
• DMVPN, QoS, AVC deployment and monitoring
• PfR v3 deploy/monitoring (April 2015)
• License includes IWAN App and APIC-EM controller!

Page 34: Intelligent WAN : CVU update

Prime Infra workflow for IWAN

Prime Infra will provide:

• IWAN workflow wizard with PnP

• Template-based config for IWAN PINs

• PfRv3 Domain, MC and BR

• AVC One-Click provision

• QoS Provisioning

• Single or Dual Router Branch

• CVD-based, Customizable

• AVC Readiness Assessment

• AVC, QoS, PfR Visibility

• Leverages APIC EM services

Page 35: Intelligent WAN : CVU update

PfR dashboard – look at events at sites

Page 36: Intelligent WAN : CVU update

Router – Provider – Server

Page 37: Intelligent WAN : CVU update

Link Details (screenshot): PfR threshold crossing

Page 38: Intelligent WAN : CVU update

LiveAction 4.3 and Performance Routing

• PfR path change visualization
• Alert and report on PfR Out of Policy events
• Reports on traffic class/application path changes

(Screenshots: Out-Of-Policy Threshold Crossing Alert; Before Brown-Out (Northern Path) and After Brown-Out (Southern Path).)

Page 39: Intelligent WAN : CVU update

Typical IWAN App deployment topology

Datacenter (POP) Aggregation Branch – Dual Links


www.cisco.com/go/IWAN