Cisco Intelligent WAN: Enabling the Next-Generation Branch
Tammy Getschel, Systems Engineer

© 2013 Cisco and/or its affiliates. All rights reserved. 2

Pressures on the WAN
Emerging Branch Demands: The Application Landscape Is Changing

• Applications are moving to the DC and cloud: video, VDI and backup to the data centers; SaaS, Google Docs and Office 365 in the cloud
• The Internet edge is moving to the branch: guest WiFi, BYOD, app updates
(Figure: branch connected to cloud, mobility apps and data centers)

Internet as an Extension of Enterprise WAN

• Commodity transports are viable now
• Dramatic bandwidth and price/performance benefits
• Higher network availability
• Improved performance over the Internet

Intelligent WAN: Leveraging the Internet
Secure WAN Transport and Internet Access

1. IWAN secure transport for private and virtual private cloud access
2. Leverage the local Internet path for public cloud and Internet access

Increase WAN transport capacity and application performance cost effectively; improve application performance by sending the right flows to the right places.
(Figure: branch with optimized secure transport over MPLS (IP-VPN) and Internet to private cloud and virtual private cloud, and direct cloud access to public cloud)

Intelligent WAN (IWAN) Architecture

A unified branch connects over MPLS, Internet and 3G/4G-LTE to private cloud, virtual private cloud and public cloud. Four pillars:

• Transport Independent: simplified hybrid WAN
• Intelligent Path Control: application-aware routing
• Application Optimization: enhanced application visibility and performance
• Secure Connectivity: comprehensive threat defense

Management automation spans all four.

Transport Independence: Virtualizing the Enterprise WAN

IWAN Transport Independence
Consistent deployment models simplify operations

(Figure: three deployment models, each with an ISR at the branch, ASR 1000 routers at the data center and one DMVPN overlay per transport)
• IWAN Hybrid: Internet (ISP A) + MPLS (SP B)
• IWAN Hybrid/LTE: 4G/LTE (ISP C) + MPLS (SP B)
• IWAN Dual MPLS: MPLS (SP A) + MPLS (SP B)

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public. BRKCRS-2000

IWAN Transport Independent Design with Dynamic Multipoint VPN (DMVPN)

• Proven IPsec VPN technology
  • Widely deployed, large scale
  • Standards-based IPsec and routing
  • Advanced QoS: hierarchical, per-tunnel and adaptive
• Flexible and resilient
  • Over any transport: MPLS, Carrier Ethernet, Internet, 3G/4G, ...
  • Hub-and-spoke with dynamic full-mesh topology
  • Multiple encryption, key management and routing options
  • Multiple redundancy options: platform, hub, transports
• Secure
  • Industry-certified IPsec and firewall
  • Next-generation strong encryption: AES-GCM-256 (Suite B)
  • IKE version 2
  • IEEE 802.1AR secure unique device identifier
• Simplified IWAN deployments
  • Prescriptive validated IWAN designs
  • Automated provisioning: Prime, IWAN App, Glue
(Figure: IWAN Hybrid; branch to data center over Internet (ISP A) and MPLS (SP B), one DMVPN cloud per transport)

Intelligent Path Control: Improving Application Delivery and WAN Efficiency

Getting the Most Out of Your WAN Investment
Benefits of Intelligent Path Control

(Figure: ISR branch to ASR 1000 data center routers over MPLS and Internet)
• Enabling hybrid WANs: efficient distribution of traffic based upon load or path preference, lowering WAN costs
• Full utilization of WAN bandwidth
• Application best path based on quality: improved application performance
• Protection from carrier black holes and brownouts: higher application availability

Intelligent Path Control with PfR
Voice and Video Use Case

• PfR monitors network performance and routes applications based on policy
• PfR load balances traffic based upon link utilization levels to efficiently utilize all available WAN bandwidth
• Voice/video take the best delay, jitter and/or loss path and are rerouted if the current path degrades below policy thresholds
• Other traffic is load balanced to maximize bandwidth
(Figure: branch to private cloud and virtual private cloud over MPLS and Internet)

What is Performance Routing (PfR)?

"Performance Routing (PfR) provides additional intelligence to classic routing to track and verify the quality of a path over a Wide Area Networking (WAN) to determine the best path for application traffic...."

(Figure: branch router acting as combined MC+BR; data center with a Master Controller (MC) and one Border Router (BR) per transport, MPLS and Internet)

Protecting Critical Applications While Increasing Bandwidth Utilization

Multimedia and Critical Data Policy (SP1 MPLS + ISP FTTH)
• Protect voice and video quality: latency < 150 ms, jitter < 20 ms; preferred path SP1
• Protect email applications from WAN congestion: loss < 5%; preferred path ISP
• Increase utilization by load sharing
(Figure: high jitter detected on one path moves voice and video to the other; email and best-effort traffic are load shared)

Business App and Load-Balancing Policy (SP1 MPLS + ISP DSL)
• Protect the transactional business app from brownouts: delay < 250 ms; preferred path SP1 (MPLS)
• Increase WAN bandwidth efficiency by load-sharing traffic over all WAN paths, MPLS + Internet
(Figure: high delay detected on one path moves the business app to the other; best-effort traffic is load shared)

Load Balancing
Maximizing Link Utilization to Increase Available Bandwidth

• Traffic distributed across all paths to efficiently use all WAN bandwidth
• Load balancing based upon link utilization levels
• External links can have different bandwidth capacities: MPLS = 1.5 Mbps, Internet = 15 Mbps. Balancing to equal utilization puts 50% of the T1 = 750 kbps on MPLS and 50% of 15 Mbps = 7.5 Mbps on the Internet link
(Figure: ISR branch to ASR 1000 data center routers over MPLS and Internet)
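The policy slides and the load-balancing slide above describe the decision PfR makes but never show it. The following is an added example written for this page, not Cisco code and not PfR itself: a toy model with the same three policies (voice/video: delay < 150 ms, jitter < 20 ms, preferred SP1; email: loss < 5%, preferred ISP; business app: delay < 250 ms, preferred SP1) and the utilization-based split across a 1.5 Mbps T1 and a 15 Mbps Internet link. The tie-break order for picking an alternative path (delay, then jitter, then loss) and all measurements are assumptions made for the example.

```python
# Added example for this page: a toy model of PfR-style path selection and
# utilization-based load sharing. Not Cisco code. Thresholds follow the slide;
# the alternative-path tie-break (delay, jitter, loss) and all measurements
# below are constructed for the example.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Policy:
    name: str
    preferred: Optional[str]            # preferred path; None means load-share only
    max_delay_ms: float = float("inf")  # a threshold left at inf is "don't care"
    max_jitter_ms: float = float("inf")
    max_loss_pct: float = float("inf")


@dataclass
class PathStats:
    delay_ms: float
    jitter_ms: float
    loss_pct: float


def in_policy(policy: Policy, stats: PathStats) -> bool:
    """A path is in policy when every measured metric is below its threshold."""
    return (stats.delay_ms < policy.max_delay_ms
            and stats.jitter_ms < policy.max_jitter_ms
            and stats.loss_pct < policy.max_loss_pct)


def choose_path(policy: Policy, paths: Dict[str, PathStats]) -> Optional[str]:
    """Keep the preferred path while it is in policy; otherwise move the traffic
    class to the best in-policy alternative (lowest delay, then jitter, then
    loss). Returns None when no path meets the policy."""
    pref = policy.preferred
    if pref in paths and in_policy(policy, paths[pref]):
        return pref
    candidates = [(s.delay_ms, s.jitter_ms, s.loss_pct, name)
                  for name, s in paths.items() if in_policy(policy, s)]
    return min(candidates)[3] if candidates else None


def load_share(offered_kbps: float, capacity_kbps: Dict[str, float]) -> Dict[str, float]:
    """Spread best-effort traffic so every link runs at the same utilization,
    i.e. in proportion to capacity: a 1.5 Mbps T1 beside a 15 Mbps Internet
    link carries 1/11 of the load."""
    total = sum(capacity_kbps.values())
    return {name: offered_kbps * cap / total for name, cap in capacity_kbps.items()}


POLICIES = [
    Policy("voice-video", preferred="SP1", max_delay_ms=150, max_jitter_ms=20),
    Policy("email", preferred="ISP", max_loss_pct=5),
    Policy("business-app", preferred="SP1", max_delay_ms=250),
]

# Constructed measurements: SP1 (MPLS) has developed high jitter, ISP is clean.
SAMPLE_PATHS = {
    "SP1": PathStats(delay_ms=90, jitter_ms=35, loss_pct=0.1),
    "ISP": PathStats(delay_ms=120, jitter_ms=8, loss_pct=0.5),
}


def decide_all(paths: Dict[str, PathStats]) -> Dict[str, Optional[str]]:
    """Path decision for every traffic class policy."""
    return {p.name: choose_path(p, paths) for p in POLICIES}


if __name__ == "__main__":
    print(decide_all(SAMPLE_PATHS))
    print(load_share(8250, {"MPLS": 1500, "Internet": 15000}))
```

With the sample measurements only voice/video leaves its preferred path (SP1 jitter of 35 ms breaks the 20 ms threshold); email and the business app stay put because their thresholds are still met, which is the per-traffic-class behaviour the slide describes. The load-share call reproduces the 750 kbps / 7.5 Mbps split from the slide for 8.25 Mbps of offered traffic.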

Application Optimization

Make Your IWAN Application Aware
Application Visibility and Control (AVC)

(Figure: proliferation of devices and users/machines at the branch; AVC at the branch and at DC/headquarters; private cloud and public cloud)

Application performance visibility
• Application inspection with existing routers
• Rich data collection using NetFlow v9/IPFIX
• Easy to integrate into many reporting tools

Smart capacity planning
• Better use of costly bandwidth
• Per-branch and per-application level reporting

Business objective enforcement
• Service level monitoring per application
• Better analytics to adjust network policies to maintain compliance

Application Performance Monitoring for IWAN
Track and Report Application Flows and Performance

(Figure: AVC at the branch, enterprise edge, CSR and DC/headquarters exporting NetFlow v9/IPFIX across the WAN to collectors; provisioning, exporting and collecting stages)

NetFlow/IPFIX records (same provisioning, same format):
• Traffic statistics records
• Application response time records
• Media monitoring records (application, jitter, loss, etc.)

Collecting tools:
• Cisco tools: Prime, APIC-EM
• Partner tools ecosystem: LiveAction, Glue Networks, Plixer, Living Objects, CompuWare, CA Technologies

Cisco WAAS: Enhancing User Experience and WAN Efficiency

Problem
• Application latency
• WAN bandwidth inefficiencies

Solution
• Reduce load: data redundancy elimination (DRE), compression and TCP optimization
• Application optimization: fewer protocol messages and metadata caching

(Figure: bar charts of application bandwidth in Mbps and application latency in seconds, natively versus with Cisco WAAS, showing the reduction in bandwidth and the reduction in latency)

IWAN Application Optimization with Akamai Connect

Optimal experience regardless of device, connectivity or cloud: all HTTP traffic in private, public or Akamai cloud.
Prepositioning | Dynamic HTTP caching (YouTube) | Any transport
(Figure: branch ISR-AX with the Akamai cache inside, WAN to the data center and the Akamai Intelligent Platform)

IWAN Secure Connectivity

Intelligent WAN: Secure Connectivity
Securing the network and users

(Figure: branch with secure WAN transport over MPLS (IP-VPN) and Internet to private cloud and virtual private cloud, and secure Internet access to public cloud)

Two areas of concern:
1. Protecting the network from outside threats, with data privacy over provider networks
2. Protecting user access to public cloud and Internet services: malware, privacy, phishing, ...

Securing the IWAN Transport
IPsec VPN and Access Control

• Step 1: Authenticate hardware and software
  Trust Anchor Module verification
• Step 2: Secure transport
  Proven IPsec VPN overlay
  Strong cryptography: IKEv2 + AES-GCM-256
  Front-door VRF (F-VRF) to isolate provider networks
• Step 3: Access control
  IOS Zone-Based Firewall or ACL protection
  Role-based access to the router, with logging
  Minimize exposure: provider-assigned addressing to hide routers; don't put tunnel addresses into DNS
(Figure: branch to ASR 1000 data center routers over MPLS (ISP A) and Internet (ISP C))

Intelligent WAN: Direct Cloud Access

• Leverage the local Internet path for public cloud and Internet access
• Improve application performance (right flows to right places)

Solutions
• On premise: Zone-Based Firewall (ZBFW) on the ISR-AX
• Cloud based: Cloud Web Security (CWS)
(Figure: branch with MPLS (IP-VPN) to private cloud and virtual private cloud, and direct Internet access to public cloud)

Secure Internet Access with Cisco Cloud Web Security (CWS)

• Secure public cloud and Internet access
• ISR connector to the CWS towers: web filtering, access policy, malware detection
• IWAN IPsec VPN over WAN1 (IP-VPN) for private cloud traffic
• IOS Firewall to protect the Internet edge on WAN2 (Internet)

Orchestration and Automation

Cisco IWAN Management Portfolio
Covering a broad range of preferences and requirements

Cisco Prime Infrastructure: enterprise network management and monitoring
• Customer needs customizable IWAN with end-to-end monitoring
• One assurance across the Cisco portfolio from branch to data center
• IT network team

IWAN App: prescriptive policy automation
• Customer wants considerable automation and operational simplicity
• Requirements consistent with the prescriptive IWAN Validated Design
• Lean IT organization

Ecosystem partners: application-aware performance management
• Customer looking for advanced monitoring and visualization
• QoS/PfR/AVC configuration, real-time analytics and network troubleshooting
• IT network team

Ecosystem partners: advanced orchestration
• Customer wants advanced provisioning, life cycle management and customized policies
• System-wide network consistency assurance
• Lean IT or IT network team

IWAN Management Solution Positioning

(Figure: positioning matrix from prescriptive to customizable and from foundation to advanced; provisioning and life cycle management: IWAN App (on prem) and Prime; visualization and health: Prime and cloud tools; infrastructure: ASR 1000)

APIC-EM IWAN App

APIC-EM IWAN App: Site provisioning
(Screenshots of the site provisioning workflow)

APIC-EM IWAN App: Define Application Policy

• Business intent: the network admin informs the controller which applications are relevant for the business
• The controller performs background tasks based on this business logic
• Define the primary path for a group of applications
• The controller creates a PfR policy based on those paths
(Screenshots of the application policy workflow)

Prime Infrastructure for IWAN

• IWAN workflow wizard with PnP
• Template-based IWAN configs
• PfRv3 domain, MC and BR
• AVC one-click provisioning
• QoS provisioning
• Single or dual router branch
• CVD-based, customizable
• AVC readiness assessment
• AVC, QoS, PfR visibility
• Leverages APIC-EM services

Cisco IWAN Product Portfolio

Start with Cisco AX Routers
IWAN Capabilities Embedded in the Router

One network, unified services: ISR-AX, ISR-4000 AX, ASR1000-AX
• Transport independent
• Secure routing
• Optimization
• Control
• Visibility
Simplify application delivery. Cisco AX Routers: 800 | 1900 | 2900 | 3900 | 4000 | ASR 1000

Why Cisco IWAN?

Intelligent WAN Summary

(Figure: Branch-1 through Branch-513, each with ISR-AX/vWAAS, BR and AVC, connected over MPLS, ADSL (20M down/2M up), Internet and 1.5M, 256M and 512M full-duplex links to DC-West and DC-East, each with ASR-AX, WAAS, MC, AVC and the IWAN core; CWS for Internet access)

Transport independent design
• Highly available hybrid WAN

Intelligent path control
• Performance Routing (PfR) to protect applications and load balance traffic to maximize expensive WAN bandwidth

Application optimization
• Application Visibility and Control (AVC) to monitor performance
• WAAS + Akamai to reduce bandwidth consumption while improving application experience

Secure connectivity
• Secure the network from outside threats
• Cloud Web Security (CWS) for improved cloud performance while freeing up WAN bandwidth, without compromising security

IWAN management
• Cisco and ecosystem partner tools: APIC-EM IWAN App, Prime, LiveAction, Gluware, and more

Cisco Intelligent WAN (IWAN)

(Figure: branch with secure WAN transport over MPLS (IP-VPN) and Internet, and direct Internet access, to private cloud, virtual private cloud and public cloud)
• Mixed transport WAN with high reliability
• SLAs for business-critical applications
• Centralized security policy for Internet access
• Dramatically lower WAN costs without compromise

IWAN Backup Slides

What Are the Big Trends in the Branch?

Digital signage
• Clients engage with digital signage 50% more than static ads (Intel field trials)
• Dynamic signs, driven by RFID, increase sales by 34% (Intel field trials)
• Growing more than 10% year over year through 2020 (Grandview Research)

Mobile applications
• 41% of K-12 students use tablets for video learning (Project Tomorrow)
• 38% of corporations are investing to develop or replace applications to be web based in 2015 (Computer World)
• 18% of companies use mobile video applications for training (eLearning Industry)

Guest WiFi
• Branch guest WiFi causes 39% of customers to increase the duration of their stay; offering guest WiFi increases traffic for 56% of branch locations (IHL Group)
• "A week without guest WiFi leaves customers grumpier than a week without coffee" (Huff Tech Research)

What Are the Big Cloud Trends?

• 20% of applications are in the cloud, growing 18% a year
• AWS reaches over 1 million active customers
• Applications that move between the branch, the cloud and the DC
• 40% of organizations will spend more on software as a service and a mix of public, private, hybrid and community clouds in 2015
(Figure: installed workloads in millions, 2012 to 2017; cloud data center workloads at 30% CAGR rise from 39% to 63% of the total, traditional data center workloads at 6% CAGR fall from 61% to 37%)

Sources: Cisco Global Cloud Index (GCI); zdnet.com; Computer World

Leveraging the Internet Pays Off Fast

EXAMPLE: San Francisco, single MPLS VPN vs. dual business Internet ($ per month)
(Figure: bar chart comparing MPLS VPN CoS1, CoS2 and CoS3 with iWAN dual Internet links combined for an enterprise SLA, at 1.5 Mbps and 10 Mbps; the iWAN option is about 75% cheaper)

$665 savings/month x 12 months x 1,000 sites = $8M savings per year

Source: Telegeography MPLS VPN pricing for San Francisco as of March 2013; Comcast web site; Verizon web site

Building Highly Resilient WANs
Redundancy and Path Diversity Matter

(Figure: availability and downtime per year for each IWAN design, ISR branches over MPLS and/or Internet)
• Single router, single path: MPLS 99.95%*, Internet 99.90%*; downtime per year 4 to 9 hours (8 hours 46 minutes at 99.90%)
• Single router, dual paths (MPLS + Internet, MPLS + MPLS or Internet + Internet): 99.995%; downtime per year 26 minutes
• Dual routers, dual paths (MPLS + Internet, MPLS + MPLS or Internet + Internet): 99.999%; downtime per year 5 minutes

* Typical MPLS and business-grade broadband availability SLAs and downtime per year, calculated with the Cisco AS DAAP tool.

IWAN Transport Best Practices

• Private peering with Internet providers
  Use the same Internet provider for hub and spoke sites; this avoids Internet exchange bottlenecks between providers and reduces round-trip latency
• DMVPN Phase 3
  Scalable dynamic site-to-site tunnels
  Separate DMVPN per transport for path diversity
  Per-tunnel QoS
  Next-generation encryption: IKEv2 + AES-GCM-256
• Transport settings
  Use the same MTU size on all WAN paths; interface bandwidth settings should match the provider's offered rate
• Routing overlay
  iBGP or EIGRP for high scale; a single routing process simplifies operations
  Front-side VRF to isolate provider networks
(Figure: IWAN Hybrid; branch to data center over Internet (ISP A) and MPLS (SP B), one DMVPN cloud per transport)

Intelligent Path Control: Backup Slides

Performance Routing: Components

The decision maker: Master Controller (MC)
• Discovers BRs, collects statistics
• Applies policy, verification, reporting
• No packet forwarding/inspection required

The forwarding path: Border Router (BR)
• Does all packet forwarding
• Visibility into network performance
• Enforces the MC's decision (path enforcement)

The policy controller: Domain Controller (DC)
• Discovers site peers, prefixes and connected networks
• Advertises policy and services
• One per domain, collocated with the MC
(Figure: branch as MC+BR; hub with DC/MC and one BR per transport, MPLS and Internet)

PfR Domain Controller
Domain Controller (DC) peering framework
• Site MCs register to the domain
• Advertise to, or request, services
• Simplifies deployment and configuration
• Provides topology auto-discovery

Single point of configuration across the domain; used to distribute information to sites:
• Learned site prefixes
• Application/traffic policies
• Performance monitoring
• Traffic class database
(Figure: domain controller collocated with the hub master controller and its BRs over WAN1 and WAN2; branch sites as MC+BR)

How PfR Works
Key Operations

1. Define your traffic policy: define traffic classes and service level policies based on applications or transport classifiers
2. Learn the traffic: border routers learn the current traffic classes going to the WAN based on the classifier definitions (learning active TCs)
3. Measurement: measure the traffic flow and network performance and report metrics to the Master Controller
4. Path enforcement: the Master Controller commands path changes based on the traffic class policy definitions (best path)
(Figure: hub MC with ISR/ASR1K BRs and branch MC+BR sites at each step)

Intelligent Path Control
Path of Last Resort (new in IWAN 2.1, fall 2015)

• Simplifies and speeds up failover routing to a backup-only path
• Granular failover per traffic class policy
• Extends path preference to include last-resort path(s)
• Removes the need for the routing protocol to initiate failover
• Good choice for cellular, satellite and other backup-only paths
(Figure: branch site R14 (MC/BR, with an ASA) using DMVPN over MPLS, INET and LTE to DC1 and DC2 (DC/MC, MC, BR))

Application Optimization: Backup Slides

Today's Network is an IT Blind Spot

• Static port classification is no longer enough
• More and more apps are opaque
• Increasing use of encryption and obfuscation
• Applications consist of multiple sessions (video, voice, data)
• What if user experience is not meeting business needs?

Performance Collection and Exporting
Integrated performance monitoring and advanced metrics for different types of applications and use cases

• Basic monitoring: what applications, how much bandwidth, flow direction? (NBAR2 and Flexible NetFlow)
• Voice and video performance (media monitoring): 30% of traffic is voice and video
• Critical applications performance (application response time): 40% of traffic is critical applications
• Unified monitoring across all of the above

Application Acceleration + Edge Caching
Enhancing user experience while reducing WAN load
Supports: Akamai Cloud | Single-sided optimization | Secure direct cloud access

Akamai caching
• Transparent HTTP caching
• Dynamic URL OTT HTTP caching
• Akamai Connected Cache
• Content pre-positioning

Cisco WAAS optimization
• LZ compression
• TCP optimization
• Data de-duplication
• Application-specific acceleration

Cisco WAAS and Akamai Deployment Models

(Figure: deployment options connected over IWAN/VPN)
• Branch office: WAAS service module / UCS-E
• Branch office: WAAS-XE on ISR-4000
• Branch office: WAAS appliance
• Regional office: WAAS appliance
• Data center or private cloud: WAAS appliances with AppNav, or vWAAS appliances on VMware ESXi beside the server VMs
• Virtual private cloud (new): vWAAS WAE on a VMware ESXi server with Nexus 1000v vPath and VSM, UCS/x86 server, FC SAN

IWAN Secure Connectivity: Backup Slides

Trust Anchor Module (TAM)
"How do I know the hardware is authentic?"

TAM features and services
• Provides immutable identity
• Standard identity: IEEE 802.1AR (SUDI, X.509 certificate)
• Secure storage of credentials (keys and objects)
• Anti-theft and anti-tamper chip design
• Certifiable entropy for random number generation
• Secure crypto assist
• Secure application certificates

Checks to verify as Cisco genuine: TAM/secure identity verification; authenticity and license check (verify secure identity)

Product security
• Provides trustworthy hardware offering immutable identity, secure storage, random number generator and encryption
• Available in the ISR-4000, newer Catalyst and other Cisco products

Secure Boot
"How do I know the software is authentic?"

Verifies the software has not been altered or tampered with since it was signed.

Secure boot process
1. Power-up: the hardware anchor (immutable, ensuring hardware integrity and key authenticity) performs an integrity check of the signed microloader
2. The microloader verifies the signed bootloader/BIOS
3. The signed bootloader/BIOS validates the signed operating system and launches it

• Ensures only authentic Cisco software boots up on a Cisco platform
• Anchored in hardware: as the image is created, the signature is installed and signed with a secure private key
• As the software boots, the system checks to ensure the installed digital certificate is valid
• Subsequent hash checks provide continuous monitoring with runtime integrity
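The chain above is easiest to reason about as code. What follows is an added example for this page, not Cisco's implementation: a model of the three-stage chain (hardware anchor, microloader, bootloader/BIOS, operating system). Real platforms verify an RSA or ECDSA signature on each image against a key held in the trust anchor; as a stand-in that needs no crypto library, each image here carries the SHA-256 digest of the image it launches next, and the anchor holds the digest of the microloader. The property the slide describes still holds: a modified image fails at the stage that verifies it and boot halts there. Image contents and the 16-byte header layout are constructed for the example.

```python
# Added example for this page: model of the boot chain on the slide above
# (hardware anchor -> microloader -> bootloader/BIOS -> OS). Not Cisco code.
# Pinned SHA-256 digests stand in for the signature check real platforms do;
# image bytes and the header layout are constructed for the example.
import hashlib
from typing import List, Tuple

HDR = 16       # bytes reserved for the stage name
DIGEST = 32    # SHA-256 digest length


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def make_image(stage: str, code: bytes, next_digest: bytes) -> bytes:
    """Image layout: stage name | digest of the next stage | code. The next
    digest sits inside the image, so the check on this image covers it too."""
    return stage.encode().ljust(HDR, b"\0") + next_digest + code


def build_chain(stages: List[Tuple[str, bytes]]) -> Tuple[bytes, List[bytes]]:
    """Build images back to front so each can embed its successor's digest.
    Returns (anchor digest to burn into the trust anchor, images in boot order)."""
    images: List[bytes] = []
    next_digest = b"\0" * DIGEST          # the last stage launches nothing
    for stage, code in reversed(stages):
        img = make_image(stage, code, next_digest)
        images.insert(0, img)
        next_digest = sha256(img)
    return next_digest, images


def verify_chain(anchor: bytes, images: List[bytes]) -> Tuple[bool, List[str]]:
    """Walk the chain: the anchor checks images[0], images[i] checks images[i+1].
    Stops at the first failed check, as secure boot halts instead of launching."""
    expected, log = anchor, []
    for img in images:
        stage = img[:HDR].rstrip(b"\0").decode()
        if sha256(img) != expected:
            log.append(stage + ": integrity check failed, boot halted")
            return False, log
        log.append(stage + ": verified")
        expected = img[HDR:HDR + DIGEST]
    return True, log


def tamper(images: List[bytes], index: int) -> List[bytes]:
    """Copy of the chain with one image modified (a single byte appended)."""
    out = list(images)
    out[index] = out[index] + b"\xff"
    return out


# Constructed stand-in images; on a real router these are the signed binaries.
ANCHOR, IMAGES = build_chain([("microloader", b"microloader v1"),
                              ("bootloader", b"bootloader/BIOS v2"),
                              ("os", b"operating system image")])

if __name__ == "__main__":
    print(verify_chain(ANCHOR, IMAGES))
    print(verify_chain(ANCHOR, tamper(IMAGES, 2)))   # modified OS image
```

Tampering with the OS image is caught by the bootloader stage, tampering with the bootloader is caught by the microloader, and tampering with the microloader is caught by the anchor itself; in each case the log shows every earlier stage verified and the chain stopping at the modified one.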

Add Network Integrated Threat Defense
IOS Zone-Based Firewall

(Figure: branch to ASR 1000 data center routers over MPLS (ISP A) and Internet (ISP C))
• Control the perimeter
  • External and internal protection: the internal network is no longer trusted
  • Protocol anomaly detection and stateful inspection
• Communicate securely
  • Call flow awareness (SIP, SCCP, H.323)
  • Prevent DoS attacks
• Flexible
  • Split tunnel: branch direct Internet access
  • Internal firewall addresses regulatory compliance
• Integrated
  • No need for additional devices, expense and power
  • Works with other IWAN services: CWS, WAAS, UCS-E, ...
• Manageable
  • APIC-EM, Prime, CLI, SNMP, CCP and CSM

Securing IWAN Transports with Front-door VRF
Isolation of external networks

Virtual Routing and Forwarding (VRF) instances create multiple logical routers on a single device
• Separate control/forwarding planes per VRF
• No connectivity between VRFs by default
• Provider-side VRF (yellow) for external networks, global VRF (blue) for internal networks

The provider VRF minimizes threat exposure
• Default routing only in the provider VRF
• Provider-assigned IP addressing hides the internal network
• The provider IP address is used as the IPsec tunnel source
• Only IPsec is allowed between the internal global VRF and the provider front-side VRF

(Figure: branch LAN 10.1.1.0/24, 10.1.2.0/24, ... in the global (inside network) VRF; the IPsec tunnel interface is sourced from the provider-assigned WAN IP address 192.168.254.254 on the front-side "provider interface" VRF (F-VRF); the VRFs have independent routing and forwarding planes; IOS ZBFW or an ACL permits only authorized traffic, i.e. IPsec)

Protecting Public-facing IWAN Interfaces

(Figure: branch to ASR 1000 data center routers over DSL (ISP A) and cable (ISP C))
• Use ACLs, ZBFW or an ASA to block all traffic to the routers except the DMVPN tunnel traffic
• Zone-Based Firewall (ZBFW) at the branch if there are plans for Direct Cloud Access
• Typical ACL for protecting the Internet interface:

  interface GigabitEthernet0/0
   bandwidth 10000
   ip vrf forwarding INET-PUBLIC1
   ip address dhcp
   ip access-group ACL-INET-PUBLIC in
   duplex auto
  !
  ! Inbound from the Internet: IKE (UDP 500) and NAT-T (UDP 4500), ESP, the
  ! DHCP client reply, ICMP diagnostics and traceroute probes (high UDP ports
  ! with TTL 1). Everything else, including management protocols aimed at the
  ! router, falls through to the implicit deny at the end of the list.
  ip access-list extended ACL-INET-PUBLIC
   permit udp any any eq non500-isakmp
   permit udp any any eq isakmp
   permit esp any any
   permit udp any any eq bootpc
   permit icmp any any echo
   permit icmp any any echo-reply
   permit icmp any any ttl-exceeded
   permit icmp any any port-unreachable
   permit udp any any gt 1023 ttl eq 1
  !
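Because an IOS ACL ends in an implicit deny, the value of the list above lies in what it leaves out as much as in what it permits. The following is an added example for this page, not Cisco code: a small evaluator for exactly the entry forms this ACL uses (any/any addresses, eq/gt destination ports, ICMP type keywords, ttl eq N) run against constructed inbound packets, so the verdict for IKE, ESP, DHCP, ping, a traceroute probe, a high-port UDP scan, SSH to the router and a mis-coded ICMP unreachable can be checked without a router. The sample packets are made up for the example; the ACL text is the one from the slide.

```python
# Added example for this page: evaluate the slide's IOS extended ACL against
# constructed packets. Not Cisco code. Supports only the ACE forms that ACL
# uses plus the implicit deny that ends every IOS ACL.
from dataclasses import dataclass
from typing import Dict, Optional

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "bootpc": 68, "bootps": 67}
ICMP_TYPES = {"echo": (8, None), "echo-reply": (0, None),       # (type, code)
              "ttl-exceeded": (11, 0), "port-unreachable": (3, 3)}

ACL_INET_PUBLIC = """
ip access-list extended ACL-INET-PUBLIC
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 permit udp any any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 permit udp any any gt 1023 ttl eq 1
"""

@dataclass
class Packet:
    proto: str                       # "udp", "tcp", "esp" or "icmp"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    ttl: int = 64

def parse_ace(line: str) -> Optional[dict]:
    """Parse 'permit|deny <proto> any any [eq|gt <port>] [icmp-type] [ttl eq N]'; None for non-ACE lines."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny"):
        return None
    if tok[2:4] != ["any", "any"]:
        raise ValueError("only 'any any' addresses are supported: " + line)
    ace = {"action": tok[0], "proto": tok[1], "port_op": None,
           "port": None, "icmp": None, "ttl": None}
    rest, i = tok[4:], 0
    while i < len(rest):
        t = rest[i]
        if t in ("eq", "gt") and ace["proto"] in ("udp", "tcp"):
            ace["port_op"] = t
            ace["port"] = PORT_NAMES.get(rest[i + 1], None) or int(rest[i + 1])
            i += 2
        elif t == "ttl" and rest[i + 1] == "eq":
            ace["ttl"] = int(rest[i + 2])
            i += 3
        elif ace["proto"] == "icmp" and t in ICMP_TYPES:
            ace["icmp"] = ICMP_TYPES[t]
            i += 1
        else:
            raise ValueError("unsupported token %r in %r" % (t, line))
    return ace

def matches(ace: dict, pkt: Packet) -> bool:
    """Every qualifier present on the ACE must match the packet."""
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if ace["port_op"] == "eq" and pkt.dport != ace["port"]:
        return False
    if ace["port_op"] == "gt" and (pkt.dport is None or pkt.dport <= ace["port"]):
        return False
    if ace["icmp"] is not None:
        itype, icode = ace["icmp"]
        if pkt.icmp_type != itype or (icode is not None and pkt.icmp_code != icode):
            return False
    if ace["ttl"] is not None and pkt.ttl != ace["ttl"]:
        return False
    return True

def evaluate(acl_text: str, pkt: Packet) -> str:
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line.strip())
        if ace is not None and matches(ace, pkt):
            return ace["action"]
    return "deny"

# Constructed sample packets arriving inbound on the Internet interface.
SAMPLE_PACKETS = {
    "ikev2": Packet("udp", dport=500),
    "ikev2-nat-t": Packet("udp", dport=4500),
    "esp": Packet("esp"),
    "dhcp-offer": Packet("udp", dport=68),
    "ping": Packet("icmp", icmp_type=8),
    "traceroute-probe": Packet("udp", dport=33434, ttl=1),
    "udp-high-port-scan": Packet("udp", dport=33434, ttl=64),
    "ssh-to-router": Packet("tcp", dport=22),
    "icmp-host-unreachable": Packet("icmp", icmp_type=3, icmp_code=1),
}

def audit(acl_text: str = ACL_INET_PUBLIC) -> Dict[str, str]:
    """Verdict of the ACL for each sample packet."""
    return {name: evaluate(acl_text, pkt) for name, pkt in SAMPLE_PACKETS.items()}
```

Calling audit() permits the DMVPN control and data plane (IKE, NAT-T, ESP), the DHCP reply the interface depends on, ping and a TTL-1 traceroute probe, and denies SSH to the router, the same high UDP port when it arrives with a normal TTL, and an ICMP unreachable with the wrong code. That last pair is the point of the ttl eq 1 qualifier and the type/code keywords: they admit the diagnostics a WAN operator needs without opening the port range or the whole ICMP type.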

Orchestration and Automation: Backup Slides

IWAN App: Application Classification
IWAN App: Policy Provisioning
Service Health Summary
PfR dashboard: look at events at sites
Router, Provider, Server
Link details and PfR threshold crossing
(Screenshots of the IWAN App and monitoring dashboards)

LiveAction Software
• An application-aware network performance management and QoS control tool
• Fast, simple, cost-effective way to monitor and control application performance leveraging Cisco capabilities

LiveAction components: Flow, QoS Monitor, QoS Configure, Routing, LAN, IP SLA

Business relevance to end customers
• Insightful application performance and troubleshooting
• Faster QoS monitoring and configuration
• Visual WAN bandwidth management
• Higher quality voice and video
• Efficient WAN performance baselining and capacity planning
• Higher productivity through faster and more reliable applications

• Click: easily deploy, configure, monitor and analyze Cisco advanced technologies
• See: end-to-end flow visualization for a holistic view of the network
• Point: quick diagnosis of performance issues through visual displays
• Fix: unique QoS graphical control to troubleshoot and solve issues; instant validation of policy changes

Glue Networks IWAN Orchestration

• Cloud-based SaaS subscription model
• Eliminates manual building of WANs
• Automated WAN orchestration and management
• Quick configuration updates and IOS upgrades
• Rapidly delivers next-gen and IWAN features
• Forward compatible with SDN and onePK for application-aware WANs
• Broadband and MPLS support for centralized hybrid WAN management for IWAN

Introducing Gluware 2.0: DevOps for Network Engineers

Transforms Enterprise Networks

• Network Engineer Centric vs. Programmer Centric

• Gluware Lab—Rapid Development Environment, NDK, & FLOW (Flexible Language Object Workstream)

• Gluware Control—Network-aware and Customizable Life-Cycle Mgmt

• Integrated with leading architectures (IWAN)

• REST API for third-party monitoring, visualization and controllers


LiveAction 4.3 and Performance Routing

• PfR path change visualization

• Alert and report on PfR Out of Policy events

• Reports on traffic class/application path changes

Out-Of-Policy Threshold Crossing Alert

Before Brown-Out (Northern Path) | After Brown-Out (Southern Path)
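The slide shows the result of a brown-out on the northern path: threshold crossing alerts (TCA) on the traffic class, followed by an out-of-policy path change to the southern path. The following is an added illustrative model of that mechanism, written for this page; it is not Cisco PfR or LiveAction code. The policy thresholds, path names ("north"/"south"), hold-down count and probe samples are all constructed assumptions chosen to reproduce the brown-out sequence, and the point it adds to the slide is the hold-down: a single bad probe raises an alert but does not move traffic, which is what keeps a flow from flapping between transports.

```python
"""Illustrative model of performance-routing threshold crossing and path steering.

Added example for this page, not Cisco PfR code. Thresholds, path names and
probe samples below are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Policy:
    """Per-application performance policy (threshold values are assumptions)."""
    app: str
    max_loss_pct: float
    max_delay_ms: float
    max_jitter_ms: float
    path_preference: Tuple[str, ...]  # first entry is the preferred path


@dataclass(frozen=True)
class Sample:
    """One probe measurement for one path (constructed, not real telemetry)."""
    loss_pct: float
    delay_ms: float
    jitter_ms: float


def violations(policy: Policy, s: Sample) -> List[str]:
    """Return the threshold crossings for this sample; an empty list means in policy."""
    out = []
    if s.loss_pct > policy.max_loss_pct:
        out.append(f"loss={s.loss_pct}%>{policy.max_loss_pct}%")
    if s.delay_ms > policy.max_delay_ms:
        out.append(f"delay={s.delay_ms}ms>{policy.max_delay_ms}ms")
    if s.jitter_ms > policy.max_jitter_ms:
        out.append(f"jitter={s.jitter_ms}ms>{policy.max_jitter_ms}ms")
    return out


class PathController:
    """Steers one traffic class between paths based on threshold crossings.

    hold_down is the number of consecutive out-of-policy (or back-in-policy)
    probe rounds required before moving, so one bad probe raises an alert but
    does not flap traffic between transports.
    """

    def __init__(self, policy: Policy, hold_down: int = 2):
        self.policy = policy
        self.current = policy.path_preference[0]
        self.hold_down = hold_down
        self._oop_streak = 0
        self._ok_streak = 0
        self.events: List[str] = []  # alert/report lines a dashboard would show

    def observe(self, samples: Dict[str, Sample]) -> str:
        """Feed one probe round (path -> Sample); return the path in use afterwards."""
        v = violations(self.policy, samples[self.current])
        if v:
            self._oop_streak += 1
            self.events.append(f"TCA app={self.policy.app} path={self.current} {' '.join(v)}")
            if self._oop_streak >= self.hold_down:
                # Move to the first alternative path, in preference order, that is in policy.
                for cand in self.policy.path_preference:
                    if cand != self.current and not violations(self.policy, samples[cand]):
                        self.events.append(
                            f"OOP path-change app={self.policy.app} from={self.current} to={cand}")
                        self.current = cand
                        self._oop_streak = 0
                        self._ok_streak = 0
                        break
            return self.current
        self._oop_streak = 0
        preferred = self.policy.path_preference[0]
        # Revert to the preferred path only after it has been in policy for hold_down rounds.
        if self.current != preferred and not violations(self.policy, samples[preferred]):
            self._ok_streak += 1
            if self._ok_streak >= self.hold_down:
                self.events.append(f"revert app={self.policy.app} from={self.current} to={preferred}")
                self.current = preferred
                self._ok_streak = 0
        else:
            self._ok_streak = 0
        return self.current


def run_brownout_demo() -> Tuple[List[str], List[str]]:
    """Constructed brown-out on the northern path with recovery on the southern path."""
    voice = Policy("voice", max_loss_pct=1.0, max_delay_ms=150.0, max_jitter_ms=30.0,
                   path_preference=("north", "south"))
    good_north, bad_north, good_south = Sample(0.1, 40.0, 5.0), Sample(3.5, 220.0, 45.0), Sample(0.2, 70.0, 8.0)
    rounds = [
        {"north": good_north, "south": good_south},  # steady state on north
        {"north": bad_north, "south": good_south},   # brown-out begins: TCA, but hold-down
        {"north": bad_north, "south": good_south},   # second TCA: path change to south
        {"north": bad_north, "south": good_south},   # stays on south while north is bad
        {"north": good_north, "south": good_south},  # north recovers: hold-down before revert
        {"north": good_north, "south": good_south},  # revert to preferred north
    ]
    ctl = PathController(voice, hold_down=2)
    chosen = [ctl.observe(r) for r in rounds]
    return chosen, ctl.events


if __name__ == "__main__":
    paths, events = run_brownout_demo()
    print("path per round:", paths)
    print("\n".join(events))
```

The `events` list is the kind of record a dashboard would alert and report on: two TCA lines for the brown-out, one path-change line, and one revert line once the preferred path has been in policy long enough.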


PfRv3 Dashboard

Alerts / performance by Site

Alerts / performance by Application Group

All Alerts


LiveAction Demonstration

• System topology and end-to-end flow visualization

• Flow, PfR, and QoS

• PfR Failover Demo (12 min) http://vimeo.com/108511944

• PfR Configuration (15 min) https://vimeo.com/121177440


Gluware 2.0 Workflow


Intelligent SD-WAN Orchestration Platform Benefits

Optimize WAN Management with best-practices architectures (IWAN) & centralized management

Zero Touch Deployment with consistency, error checking & architecture awareness

WAN Orchestration with DevOps boosting agility and customization with the Network Engineer in mind

Simplify Roll-Out of complex services through policy centralization and assurance

Control Network Evolution with advanced feature support and open, programmable interfaces

Transport Agnostic connectivity for hybrid WAN and cost reduction

IWAN, Glue Networks and APIC-EM Evolution (layered diagram, Cisco Internal Only)

Layers, bottom to top: Device Layer; Element Layer (CLI, TCL, SNMP); Control Layer; Orchestration & Automation Layer.

Phase columns as read left to right: Phase 1 – network operator at the element layer via CLI, TCL and SNMP, Gluware orchestrating; Phase 2 – APIC-EM at the control layer via CLI, API, TCL and SNMP, Gluware orchestrating; Phase 3-5 – APIC-EM at the control layer via API and SNMP, Gluware orchestrating. Each phase spans the four IWAN pillars (TID, IPC, AO, SIC) under a single Admin.

IWAN Pillars: TID – Transport Independent; IPC – Intelligent Path Control; AO – Application Optimization; SIC – Secure Internet Access


Cisco IWAN Product Portfolio - Backup Slides


IWAN Branch Services Routers

ISR 4000 Series - IWAN AX Ready, Next Generation Branch

INTEGRATED IWAN SERVICES: IOS Firewall, VPN, IPsec, PfRv3, NBAR2, AVC, AppNav, VRF, MPLS; scalable on-chip service provisioning

APPLICATION CENTRIC: App/User policy-driven deployment; APIC-EM automation: deploy in minutes; pay-as-you-grow; up to 75% cost savings

APPLIANCE LEVEL PERFORMANCE: service-aware dataplane; resilient service virtualization; multi-gigabit fabric

Model      Throughput (default / performance license)
ISR 4321   50/100 Mbps
ISR 4331   100/300 Mbps
ISR 4351   200/400 Mbps
ISR 4431   500 Mbps / 1 Gbps
ISR 4451   1-2 Gbps

IWAN Aggregation Border Routers

ASR1000 - IWAN AX Ready, High Performance Routers

INTEGRATED IWAN SERVICES: IOS Firewall, VPN, IPsec, PfRv3, NBAR2, AVC, AppNav, VRF, MPLS; scalable on-chip service provisioning

BUSINESS-CRITICAL RESILIENCY: separate control and data planes; hardware and software redundancy; in-service software upgrades

COMPACT, POWERFUL ROUTER: line-rate performance 2.5G to 200G+ with services enabled; crypto performance from 2G to 60G+; flexible I/O: SPAs and Ethernet LCs

Model             Forwarding                              Crypto
ASR1001-X         2.5G, upgradeable to 5G, 10G, 20G       up to 8G
ASR1002-X         5G, upgradeable to 10G, 20G, 36G        up to 4G
ASR1006 (modular) redundant, up to 200G                   up to 60G

Cisco UCS E-Series: Extend Cloud Services into Branch Infrastructure

Diagram: an ISR (IOS, MGF backplane switch) hosting UCS-E blades, each running a hypervisor with several OS/App virtual machines, managed by CIMC-E.

Platform for WAN Edge Applications: supported on ISR Series routers; Microsoft Windows Server and Linux certified

Server Virtualization: Cisco UCS virtualization powered by VMware, Microsoft, Citrix

Dedicated Blade Management: Cisco Integrated Management Controller; consistent management for the UCS family

Multipurpose x86 Blades: Cisco UCS E-Series modules; house up to four server blades in an ISR

Single-Device Network Integration: house all services in the ISR chassis; multigigabit fabric backplane switch

Cisco UCS E-Series Server: Hypervisor and OS Support

Hypervisors
• VMware vSphere Hypervisor 5.0 update 1, 5.1 and 5.5
• Hyper-V (Windows Server 2008 R2, 2012, 2012 R2)
• Citrix XenServer 6.0

Microsoft Windows
• Windows Server 2008 R2 Standard 64-bit
• Windows Server 2008 R2 Enterprise 64-bit
• Windows Server 2012, 2012 R2

Linux
• Red Hat Enterprise Linux 6.2
• SUSE Linux Enterprise 11, Service Pack 2
• Oracle Enterprise Linux 6.0, update 2


Why Cisco IWAN? - Backup Slides

Intelligent WAN Summary

Topology diagram (labels recovered from the slide): Branch-1 and Branch-513, each with a BR on an ISR-AX running vWAAS and AVC, on links labelled 20M Dn/2M Up, 512M FD, 1.5M FD and 256M FD; transports MPLS (ATBT), Internet and ADSL (island); DC-West and DC-East form the IWAN core with MC and BR on ASR-AX running WAAS and AVC; CWS for direct Internet access; a sample application labelled ShowMe$$.

Transport Independent Design
• Highly available Hybrid WAN

Intelligent Path Control
• Performance Routing (PfR) to protect applications and load balance traffic to maximize expensive WAN bandwidth

Application Optimization
• Application Visibility and Control (AVC) to monitor performance
• WAAS + Akamai to reduce bandwidth consumption while improving application experience

Secure Connectivity
• Secure the network from outside threats
• Cloud Web Security (CWS) for improved Cloud performance while freeing up WAN bandwidth, without compromising security

IWAN Management
• Cisco and Ecosystem Partner tools: APIC-EM IWAN-APP, Prime, LiveAction, GlueWare, and more

IWAN Vision and Strategy

Stages (left to right):
INTELLIGENT: Secure VPN Overlay, Any Transport, Bandwidth Efficiency, Application SLA
AUTOMATION: Secure, Simple, Centralized Policy Automation
CLOUD INTEGRATION: ACI Policies, Inter-Cloud Mobility, Optimization, AMP
SERVICE VIRTUALIZATION: vRouter, vService and App Orchestration
SELF LEARNING NETWORKS: Predictive, Self Directed

IWAN Vision and Strategy: Systems Development evolution of IWAN

Stages (left to right): INTELLIGENT, AUTOMATION, CLOUD INTEGRATION, SERVICE VIRTUALIZATION, SELF LEARNING NETWORKS

IWAN Framework rows: Transport Independent Design; Intelligent Path Control; Application Optimization; Secure Connectivity; Management & Orchestration

Incremental improvements while delivering new use-cases


SD-WAN Working Group – SD-WAN Top 10 Requirements - Backup Slides

Open Networking User Group

• Community of IT business leaders who exchange ideas and best practices for implementing Open Networking and Software-Defined Networking (SDN) designs.

• One of the ONUG working groups is the SD-WAN Working Group.

• The SD-WAN working group has determined a set of 10 business requirements (based on user-developed use cases) that Enterprises should consider when evaluating SD-WAN solutions.

Source: http://blogs.cisco.com/enterprise/cisco-intelligent-wan-delivers-on-sd-wan-business-requirements

Top 10 Requirements for SD-WAN

1. Public and Private Active-Active: Ability for remote site/branch to leverage public and private WANs in an active/active fashion for business applications.

2. Physical or Virtual CPE: Ability to deploy CPE in a physical or virtual form factor on commodity hardware.

3. Security and Business policies: A secure hybrid WAN architecture that allows for dynamic traffic engineering capability across private and public WAN paths as specified by application policy, prevailing network WAN availability and/or degradation at transport or application layer performance.

4. App and Performance Aware Dynamic Traffic Eng: Visibility, prioritization and steering of business critical and real-time applications as per security and corporate governance and compliance policies.

5. Highly Available & Resilient WAN: A highly available and resilient hybrid WAN environment for optimal client and application experience.

Top 10 Requirements for SD-WAN (continued)

6. L2 and L3 Interoperability: Layer 2 and 3 interoperability with directly connected switch and/or router.

7. Dashboard Reporting: Site, Application and VPN performance level dashboard reporting.

8. Open API: Open north-bound API for controller access and management, ability to forward specific log events to a network event correlation manager and/or Security Incident & Event Manager (SIEM).

9. Zero Touch Deployment: Capability to effect zero touch deployment at branch site with minimal to no configuration changes on directly connected infrastructure, ensuring agility in provisioning and deployment.

10. FIPS 140-2: FIPS 140-2 validation certification for cryptographic modules/encryption with automated certificate life cycle management and reporting.