Cisco Intelligent WAN
IWAN APIC-EM Application
Feb 23rd 2016
René and Per, Cisco DK SEs
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
[Figure: IWAN overview diagram. Labels: Branch; MPLS; 3G/4G-LTE; Internet; Private Cloud; Virtual Private Cloud; Public Cloud; AVC; WAAS; PfR]
Application Optimization
• Application visibility with performance monitoring
• Application acceleration and bandwidth optimization
Secure Connectivity
• Certified strong encryption
• Comprehensive threat defense
• Cloud Managed Security for secure direct Internet access
Intelligent Path Control
• Dynamic Application best path based on policy
• Load balancing for full utilization of bandwidth
• Improved availability
Transport Independent
• Consistent operational model
• Simple provider migrations
• Scalable and modular design
• IPsec routing overlay design
Control, Management, & Automation
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM)
A New Software-Driven Platform for Solutions Development
Published REST APIs
[Figure: APIC-EM platform diagram. Labels: CATALYST®; ASR; ISR; WIRELESS; END-TO-END SOLUTIONS]
Cisco® APIC-EM Services
• Network Plug and Play
• Discovery
• PKI (Trust Manager)
• Topology
• Common Policy Engine
• IWAN, Security, Collaboration, Services Orchestration
• Device Abstraction Layer (SAL)
Typical IWAN POC LAB
[Figure: lab topology diagram. Labels: IWAN Transport (MPLS, Internet); Data Center with ASR 1000 (okay to use 4000 ISR or CSR 1000); Data Center Master Controller (ASR 1000); MPLS HUB (ASR 1000); Internet HUB (ASR 1000); Internal network in the data center (BGP, OSPF, EIGRP); Switch; Single Router Branch; Dual Router Branch; 4000 ISR; LAN Branch Switch; Greenfield for 4000 ISR; IWAN APP]
Possible Architectures
Branch
1. Dual router dual links
2. Single router dual links
3. Single router single links
SP links can be:
• Internet + MPLS
• Internet + Internet
Data Center
1. For a lab or POC, MC can run in one of the DMVPN hubs
2. Single data center with a separate MC
3. Dual data center with primary and transit
Typical End-to-End IWAN Management
• Plug and play
• Secure PKI certificate automation
• IWAN CVD provisioning (DMVPN, QoS, PfR, AVC)
• Centralized business-policy definition
• Definition of application categories path preference
• Configuration archive
• End-to-end assurance
• Detailed, network-level monitoring (CPU, Mem, Interfaces)
• Day-2 monitoring for PfR, L7 app visibility, QoS
[Figure labels: Monitoring; Cisco Prime Infrastructure 3.0.2+; REST APIs; Prime™ Infrastructure 3.0.2; IWAN APP]
Integration with Cisco Prime Infrastructure 3.0.2 or Above
Using REST API calls, the APIC-EM will:
• Automatically add every IWAN app device to Cisco Prime™ (DMVPN hubs and branch sites)
• Start NetFlow export and allow Cisco® Prime to collect and process NetFlow data for AVC (L7 visibility), application response time (ART), QoS stats, PfRv3 monitor
Prime also keeps a configuration archive of each device.
Configuration compliance jobs will be run by Prime on a daily basis. Detailed compliance reports are available in Prime.
Enter your PI 3.0.2 credentials under global APIC-EM settings.
PI 3.0 PfR Dashboard
• Overall application/site health and stats
• SP SLA summary: Reachability | loss | jitter | delay
• Number of threshold crossings over time
• PfR resolved threshold crossings/route-change events
• Link details
Link Details
Detailed Site View
Threshold Crossings
• Application or category usage over time for a given link/provider
• QoS: application at a site on a provider link
How to Add Additional Features to a Site
• Any additional features can be pushed to the router. One way is to use Cisco Prime™ to push any CLI template.
• Take care when pushing new CLI commands, which may conflict with the IWAN features (like ACLs, routing, RSA keys).
• Any feature pushed by the IWAN App (listed in the previous slide) cannot be changed manually. Changing it manually will make the IWAN App policies become unsynchronized.
IWAN App Requirements
Data Center
• Two ASR 1000 routers for DMVPN hubs; one must be Internet. Minimum of two interfaces: one for WAN and one for LAN, management, and hub interconnect
• Hubs need to be configured with the WAN, management IP address, and with SNMP credentials before starting with the IWAN app
• One ASR 1000 master controller (in lab/POC, MC can run in the DMVPN hub)
• HTTPS/HTTP proxy for plug and play (no need for lab/POC)
APIC-EM and IWAN app:
• Server: 64-bit x86
• vCPU: 6 (2.4GHz)
• RAM: 64 Gigabytes
• Disk space: 500 Gb
• Disk I/O speed: 200 Mbps
• Network adapter: 1x
• Browser: Chrome (4.3.0 or later)
Cisco IOS® Software version:
• Cisco® IOS-XE 3.16 or above; Cisco IOS-XE 3.16.1 is required for a dual data center
Branch Sites
• 4000 ISR with two clouds (one must be Internet)
• 3 Gigabit interfaces (4321 ISR requires a switch module)
• The ISR must have a clean configuration, with no RSA keys
• Either dual router with dual link, or single router dual link. Single router with single link is supported, but without PfR