Cisco Intelligent WAN

IWAN APIC-EM Application

Feb 23rd 2016

René and Per, Cisco DK SEs


© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

[Figure: IWAN overview diagram. Labels: Branch, MPLS, 3G/4G-LTE, Internet, Private Cloud, Virtual Private Cloud, Public Cloud, AVC, WAAS, PfR]

Application Optimization

• Application visibility with performance monitoring
• Application acceleration and bandwidth optimization

Secure Connectivity

• Certified strong encryption
• Comprehensive threat defense
• Cloud Managed Security for secure direct Internet access

Intelligent Path Control

• Dynamic Application best path based on policy
• Load balancing for full utilization of bandwidth
• Improved availability

Transport Independent

• Consistent operational model
• Simple provider migrations
• Scalable and modular design
• IPsec routing overlay design

Control, Management, & Automation


Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM)

A New Software-Driven Platform for Solutions Development

[Figure: APIC-EM architecture diagram. Labels, in the order they appear:]

• Published REST APIs
• Platforms: CATALYST®, ASR, ISR, WIRELESS
• END-TO-END SOLUTIONS
• Cisco® APIC-EM Services: Network Plug and Play, Discovery, PKI (Trust Manager), Topology, Common Policy Engine
• IWAN, Security, Collaboration, Services Orchestration
• Device Abstraction Layer (SAL)


Typical IWAN POC LAB

[Figure: lab topology diagram. Labels: IWAN transport (MPLS, Internet); data center with ASR 1000 (okay to use 4000 ISR or CSR 1000); master controller (ASR 1000); MPLS hub (ASR 1000); Internet hub (ASR 1000); internal network in the data center (BGP, OSPF, EIGRP); IWAN App; single router branch and dual router branch with 4000 ISR, switch and LAN branch; greenfield for 4000 ISR]


Possible Architectures

Branch

1. Dual router dual links
2. Single router dual links
3. Single router single links

SP links can be:

• Internet + MPLS
• Internet + Internet

Data Center

1. For a lab or POC, MC can run in one of the DMVPN hubs
2. Single data center with a separate MC
3. Dual data center with primary and transit


Monitoring

Cisco Prime Infrastructure 3.0.2+


Typical End-to-End IWAN Management

Plug and play

Secure PKI certificate automation

IWAN CVD provisioning (DMVPN, QoS, PfR, AVC)

Centralized business-policy definition

Definition of application categories path preference

Configuration archive

End-to-end assurance

Detailed, network-level monitoring (CPU, Mem, Interfaces)

Day-2 monitoring for PfR, L7 app visibility, QoS

[Figure labels: IWAN APP, REST APIs, Prime™ Infrastructure 3.0.2]


Integration with Cisco Prime Infrastructure 3.0.2 or Above

Using REST API calls, the APIC-EM will:

• Automatically add every IWAN app device to Cisco Prime™ (DMVPN hubs and branch sites)
• Start NetFlow export and allow Cisco® Prime to collect and process NetFlow data for AVC (L7 visibility), application response time (ART), QoS stats, PfRv3 monitor

Prime also keeps a configuration archive of each device

Configuration compliance jobs will be run by Prime on a daily basis. Detailed compliance reports are available in Prime

Enter your PI 3.0.2 credentials under global APIC-EM settings


Overall application/site health and stats


PI 3.0 PfR Dashboard

SP SLA summary: Reachability | loss | jitter | delay

Number of threshold crossings over time

PfR resolved threshold crossings/route-change events


Link Details

Detailed Site View

Threshold Crossings


Application or category usage over time for a given link/provider


QoS: application at a site on a provider link


How to Add Additional Features to a Site

• Any additional features can be pushed to the router. One way is to use Cisco Prime™ to push any CLI template
• Take care when pushing new CLI commands, which may conflict with the IWAN features (like ACLs, routing, RSA keys)
• Any feature pushed by the IWAN App (listed in the previous slide) cannot be changed manually; doing so will make the IWAN App policies unsynchronized


IWAN App Requirements

Data Center

• Two ASR 1000 routers for DMVPN hubs - one must be Internet. Minimum of two interfaces: one for WAN and one for LAN, management, and hub interconnect
• Hubs need to be configured with the WAN, management IP address, and with SNMP credentials before starting with IWAN app
• One ASR 1000 master controller (in lab/POC, MC can run in the DMVPN hub)
• HTTPS/HTTP proxy for plug and play (no need for lab/POC)

APIC-EM and IWAN app:

• Server: 64-bit x86
• vCPU: 6 (2.4GHz)
• RAM: 64 Gigabytes
• Disk space: 500 Gb
• Disk I/O speed: 200 Mbps
• Network adapter: 1x
• Browser: Chrome (4.3.0 or later)

Cisco IOS® Software version:

• Cisco® IOS-XE 3.16 or above; Cisco IOS-XE 3.16.1 is required for a dual data center

Branch Sites

• 4000 ISR with two clouds (one must be Internet)
• 3 Gigabit interfaces (4321 ISR requires a switch module)
• The ISR must have a clean configuration, with no RSA keys
• Either dual router with dual link, or single router dual link. Single router with single link is supported, but without PfR