Cisco Intelligent WAN: Enabling the Next-Gen Branch Technical Overview
Cisco Confidential 3 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Agenda
IWAN Introduction and Business Drivers
Intelligent Path Control
Transport Independent Design
Application Visibility
Secure Connectivity for Direct Internet Connectivity
IWAN Management
Summary
New Requirements for the Branch/WAN
• Rising user expectations: app performance
• Growing security threats: advanced threat defense
• Faster time to market: operational simplicity
• Cost optimization: agility/simplicity
Emerging Branch Demands: The Application Landscape Is Changing
• Applications are moving to the data center and cloud
• The Internet edge is moving to the branch
(Figure: branch, cloud and data centers, with three statistics whose values were not captured: the share of CIOs who expect to operate via the cloud by 2015, the growth in mobile data traffic by 2015, and the share of mobile traffic that will be video)
Pressures on the WAN: fat apps, mobility, cloud
Commodity Transports Viable Now
Internet Becoming an Extension of Enterprise WAN
Dramatic Bandwidth, Price Performance Benefits
Higher Network Availability
Improved Performance Over Internet
And the Internet Transition Pays Off Fast
EXAMPLE: San Francisco, single MPLS VPN vs. dual business Internet ($ per month)

Service                                                 1.5 Mbps   10 Mbps
Dual Internet links, combined for enterprise SLA (IWAN)   $140      $220
MPLS VPN CoS3                                             $260      $830
MPLS VPN CoS2                                             $274      $885
MPLS VPN CoS1                                             $303    $1,014

At 10 Mbps the dual Internet links cost about 75% less than the MPLS VPN ($220 vs. $885 for CoS2).
Source: Telegeography MPLS VPN pricing for San Francisco as of March 2013; Comcast Web site; Verizon website
Intelligent WAN Deployment Models
A consistent VPN overlay enables security across the transition.

Dual MPLS (branch with MPLS + MPLS)
• Expensive
• Highest SLA guarantees
• Tightly coupled to SP

Hybrid (branch with MPLS + Internet)
• More BW for key applications
• Moderately priced
• Balanced SLA guarantees

Dual Internet (branch with Internet + Internet)
• Best price/performance
• Enterprise responsible for SLAs
• Most SP flexibility
Intelligent WAN Solution Components
(Figure: branch router with AVC, WAAS and PfR connecting over Internet, MPLS and 3G/4G-LTE to the private cloud, virtual private cloud and public cloud)

Transport Independent
• Consistent operational model
• Simple provider migrations
• Scalable and modular design
• IPsec routing overlay design

Intelligent Path Control
• Dynamic application best path based on policy
• Load balancing for full utilization of bandwidth
• Improved network availability

Application Optimization
• Application visibility with performance monitoring
• Application acceleration and bandwidth optimization

Secure Connectivity
• Certified strong encryption
• Comprehensive threat defense
• Cloud Web Security for secure direct Internet access
Transport-Independent Design: Simplifying Internet-Based WANs
Transport Independent: Comprehensive WAN Transport Support with Secure, Full-Mesh Connectivity
Secure, flexible, transport-independent.

Simplifies WAN design
• Easy multi-homing over any carrier service offering
• Single routing control plane with minimal peering to the provider

Dynamic full-meshed connectivity
• Consistent design over all transports
• Automatic site-to-site IPsec tunnels
• Zero-touch hub configuration for new spokes

Proven robust security

(Figure: branch ISR-G2 reaching two data center ASR 1000s over the MPLS and Internet WAN)
Building Highly Available WANs with Cisco IWAN: Redundancy and Path Diversity Matter

Design                                   Transports            Availability   Downtime per year
Single router, single path (ISR G2)      MPLS                  99.95%*        4–9 hours
Single router, single path (ISR G2)      Internet              99.90%*        8 hours 46 minutes
Single router, dual paths (ISR G2)       MPLS + MPLS           99.995%        26 minutes
Single router, dual paths (ISR G2)       MPLS + Internet       99.995%        26 minutes
Single router, dual paths (ISR G2)       Internet + Internet   99.995%        26 minutes
Dual routers, dual paths (2x ISR G2)     MPLS + MPLS           99.999%        5 minutes
Dual routers, dual paths (2x ISR G2)     Internet + MPLS       99.999%        5 minutes
Dual routers, dual paths (2x ISR G2)     Internet + Internet   99.999%        5 minutes

* Typical MPLS and business-grade broadband availability SLAs and downtime per year, calculated with the Cisco AS DAAP tool.
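The availability column above follows from ordinary series/parallel reliability arithmetic, and it is worth being able to reproduce it before trusting a design. The Python below is an added example, not the Cisco AS DAAP tool or anything from this deck. It uses the slide's per-path SLA figures (99.95% MPLS, 99.90% business Internet) and assumes a branch-router availability of 99.995% (an assumption introduced here, not a figure from the page) so that a single router can be modelled as the shared component that caps "single router, dual paths" at 99.995% even though two links in parallel alone would be far better.

```python
"""Series/parallel availability model for the IWAN redundancy designs.

Added example (not from the Cisco deck). Link availabilities are the
slide's SLA figures; ROUTER is an ASSUMED availability for one branch
router, introduced so that the single-router designs can be modelled
with the router in series with its WAN links.
"""

MPLS = 0.9995        # 99.95%  typical MPLS SLA (slide figure)
INTERNET = 0.9990    # 99.90%  typical business broadband SLA (slide figure)
ROUTER = 0.99995     # ASSUMPTION: availability of one ISR G2, not a page figure
MINUTES_PER_YEAR = 365 * 24 * 60


def series(*components: float) -> float:
    """Every component must be up: availabilities multiply."""
    a = 1.0
    for c in components:
        a *= c
    return a


def parallel(*paths: float) -> float:
    """Any one path suffices: unavailabilities multiply."""
    u = 1.0
    for p in paths:
        u *= 1.0 - p
    return 1.0 - u


def downtime_per_year(availability: float) -> tuple[int, int]:
    """Expected downtime as (hours, minutes), rounded to the minute."""
    total_minutes = round((1.0 - availability) * MINUTES_PER_YEAR)
    return divmod(total_minutes, 60)


def single_router_dual_path(link_a: float, link_b: float, router: float = ROUTER) -> float:
    """One router is a shared single point of failure in front of two links."""
    return series(router, parallel(link_a, link_b))


def dual_router_dual_path(link_a: float, link_b: float, router: float = ROUTER) -> float:
    """Each link has its own router; the two router+link chains are in parallel."""
    return parallel(series(router, link_a), series(router, link_b))


if __name__ == "__main__":
    designs = {
        "single path, MPLS":               MPLS,
        "single path, Internet":           INTERNET,
        "single router, MPLS + Internet":  single_router_dual_path(MPLS, INTERNET),
        "dual routers, MPLS + Internet":   dual_router_dual_path(MPLS, INTERNET),
    }
    for name, avail in designs.items():
        hours, minutes = downtime_per_year(avail)
        print(f"{name:32s} {avail * 100:9.4f}%  {hours:2d} h {minutes:2d} min")
```

The single-path rows reproduce the slide directly (99.90% is 8 h 46 min per year); the dual-path rows only land on the slide's 99.995% and 99.999% once the router is included, which is the practical point: once you pay for two transports, the lone router becomes the dominant term, and the next step is the second router rather than a better SLA on either link.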
Intelligent Path Control: Performance Routing (PfR), Improving Application Delivery and WAN Efficiency
What Is Performance Routing (PfR)?
"Performance Routing (PfR) provides additional intelligence to classic routing technologies to track the performance of, or verify the quality of, a path between two devices over a Wide Area Networking (WAN) infrastructure to determine the best egress or ingress path for application traffic...."
• Cisco IOS technology
• Two components: master controller (MC) and border router (BR)
(Figure: branch running a combined MC+BR over DSL and cable to data center BRs controlled by an MC)
PfR Enhances Classical Routing

Path control
• Classical: topological state; least-cost path; static user preference
• PfR adds: application-aware; policy-controlled; measured performance

Metrics
• Classical: path cost; interface state
• PfR adds: delay; jitter; bandwidth

Adaptive
• Classical responds to: link and node state changes (up/down)
• PfR responds to: measured performance changes (degradation)
What PfR Does: Protecting Critical Applications While Increasing Bandwidth Utilization

Hybrid IWAN (SP1 MPLS + ISP Internet): business app and load-balancing policy
• Protect business cloud applications from brownouts: loss < 5%
• Preferred path for business applications: SP1 (MPLS)
• Increase WAN bandwidth efficiency by load-sharing traffic over all WAN paths, MPLS + Internet
(Figure: business app on SP1 (MPLS), best-effort traffic on the ISP (Internet); annotation: detect loss greater than 10%)

Dual Internet IWAN (ISP-1 cable + ISP-2 DSL): multimedia and critical data policy
• Protect voice and video quality: latency < 150 ms; jitter < 20 ms
• Protect VDI applications from brownouts: loss < 5%
• Voice and video preferred path: SP-A
• VDI preferred path: SP-B
• Increase utilization by load sharing
(Figure: voice and video, VDI and best-effort traffic across ISP-1 and ISP-2; annotation: detect high jitter)
How PfR Works: Key Operations
1. Define your traffic policy: identify traffic classes based on applications or transport classifiers.
2. Learn the traffic: ISR G2 and ASR border routers (BRs) learn the traffic classes flowing through them based on your policy definitions (learning active TCs).
3. Measurement: measure the traffic flow and network performance actively or passively and report the metrics to the master controller (MC).
4. Path enforcement: the master controller commands path changes based on your traffic policy definitions (best path).
(Figure: hub MC with two BRs on ASR1K, and spokes running a combined MC+BR on ISR G2)
Example: Defining Application Performance Policy
Choose your policy actions for various traffic classes; alternate path selection is based on flexible criteria.

Flexible criteria
• Link: load balancing; max utilization; link-group path preference; bandwidth costs ($)
• Application: reachability; delay; loss; MOS; jitter

Optimize application performance
Voice/Video
1. Link-Group: Path-A
2. Loss
3. Jitter
4. Delay
Critical Application
1. Link-Group: Path-B
2. Loss
4. Delay
Load-balance remaining traffic
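The policy table above is easier to reason about once the master controller's decision is written down as code. The following Python is an added example, not Cisco PfR; it models the slide's policies (a preferred link-group per traffic class, loss/delay/jitter thresholds, and utilization-based load sharing for everything else) with a simplified precedence order. Path names (Path-A, Path-B, Path-C), the third path, and all metric values are constructed inputs.

```python
"""Policy-driven path selection in the spirit of PfR's master controller.

Added example, not Cisco PfR code. Per traffic class: a preferred
link-group plus optional loss/delay/jitter thresholds; remaining traffic
is load-shared by utilization. All path names and metrics are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PathMetrics:
    reachable: bool
    loss_pct: float
    delay_ms: float
    jitter_ms: float


@dataclass(frozen=True)
class TrafficPolicy:
    name: str
    preferred: str                         # link-group path preference
    max_loss_pct: Optional[float] = None
    max_delay_ms: Optional[float] = None
    max_jitter_ms: Optional[float] = None

    def in_policy(self, m: PathMetrics) -> bool:
        """A path is usable when reachable and every configured threshold holds."""
        if not m.reachable:
            return False
        checks = ((self.max_loss_pct, m.loss_pct),
                  (self.max_delay_ms, m.delay_ms),
                  (self.max_jitter_ms, m.jitter_ms))
        return all(limit is None or value < limit for limit, value in checks)


def choose_path(policy: TrafficPolicy, measured: dict[str, PathMetrics],
                current: Optional[str] = None) -> Optional[str]:
    """Pick the path a traffic class should use (simplified PfR precedence).

    1. the preferred path, if it is in policy;
    2. the current path, if it is still in policy (no needless moves);
    3. the best other in-policy path (lowest loss, then delay, then jitter);
    4. otherwise the preferred path if reachable, else any reachable path;
    5. None when nothing is reachable.
    """
    usable = {name: m for name, m in measured.items() if policy.in_policy(m)}
    if policy.preferred in usable:
        return policy.preferred
    if current in usable:
        return current
    if usable:
        return min(usable, key=lambda n: (usable[n].loss_pct, usable[n].delay_ms, usable[n].jitter_ms))
    reachable = [n for n, m in measured.items() if m.reachable]
    if policy.preferred in reachable:
        return policy.preferred
    return reachable[0] if reachable else None


def least_loaded(utilization_pct: dict[str, float], max_utilization_pct: float = 80.0) -> Optional[str]:
    """Load-share remaining traffic onto the least-utilised path under the cap."""
    candidates = {n: u for n, u in utilization_pct.items() if u < max_utilization_pct}
    return min(candidates, key=candidates.get) if candidates else None


# Policies from the slide: voice/video prefers Path-A with latency < 150 ms and
# jitter < 20 ms; a critical application prefers Path-B with loss < 5%.
VOICE = TrafficPolicy("voice-video", preferred="Path-A", max_delay_ms=150, max_jitter_ms=20)
CRITICAL = TrafficPolicy("critical-app", preferred="Path-B", max_loss_pct=5)

# Constructed measurements: Path-A is jittery, Path-B is lossy, Path-C is clean but slower.
SAMPLE = {
    "Path-A": PathMetrics(reachable=True, loss_pct=0.5, delay_ms=40, jitter_ms=35),
    "Path-B": PathMetrics(reachable=True, loss_pct=12.0, delay_ms=60, jitter_ms=4),
    "Path-C": PathMetrics(reachable=True, loss_pct=1.0, delay_ms=90, jitter_ms=9),
}

if __name__ == "__main__":
    for pol in (VOICE, CRITICAL):
        print(f"{pol.name:13s} -> {choose_path(pol, SAMPLE)}")
    print("best-effort   ->", least_loaded({"Path-A": 70, "Path-B": 45, "Path-C": 85}))
```

Two details matter operationally. Thresholds are only checked for the metrics a class configures, so voice ignores loss and the critical app ignores jitter, exactly as the two criteria lists above differ. And step 2 keeps a class on its current in-policy path rather than chasing the momentarily best one, which is what stops brownout-driven moves from turning into flapping.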
HTTP Is the New TCP: Today's Network Is an IT Blind Spot
• Static port classification is no longer enough
• More and more apps are opaque
• Increasing use of encryption and obfuscation
• An application consists of multiple sessions (video, voice, data)
• What if user experience is not meeting business needs?
(Figure: collaboration, SaaS and information applications such as RPC, SOAP, video, IM and FTP all carried over HTTP)
Application Performance Monitoring for IWAN: Track and Report Application Flows and Performance
AVC on the branch, enterprise edge and CSR routers (public cloud, DC/headquarters, private cloud) provisions, collects and exports NetFlow v9/IPFIX records, with the same provisioning and the same format everywhere:
• Traffic statistics records
• Application Response Time records
• Media monitoring records (application, jitter, loss, etc.)
Partner tools ecosystem (NetFlow v9 export / IPFIX export): ActionPacked, Glue, Plixer, Living Objects, CompuWare, CA Technologies, InfoVista
Driver: proliferation of devices, users and machines in the branch
Next Generation NBAR (NBAR2): Deep Packet Inspection (DPI)
• Provides advanced application classification and field extraction capabilities
• In-service upgradable protocol definitions: no IOS upgrade or reboot for new Protocol Packs
• Backward compatibility to preserve existing NBAR investments
• NBAR2 protocol list: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html
Application recognition in NBAR2 combines IOS NBAR (+150 signatures) with SCE classification (+1000 signatures). Innovations: native IPv6 classification; open API for 3rd-party integration.
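The two slides above make one claim: a port number no longer tells you what an application is, and classification has to read the payload. The Python below is an added example, not NBAR2 or any Cisco code; it shows the kind of field extraction a DPI engine does for the two most common cases, the Host header of plaintext HTTP and the SNI server_name inside a TLS ClientHello, and contrasts it with a port lookup. The ClientHello builder, the sample request and the hostnames exist only to construct input offline.

```python
"""Payload-based application recognition versus port-based classification.

Added example, not NBAR2 code. Extracts the HTTP Host header and the TLS
SNI server_name from the first bytes of a flow, independent of TCP port.
The ClientHello builder only constructs sample input for the demo.
"""
import struct
from typing import Optional

WELL_KNOWN_PORTS = {80: "http", 443: "tls", 22: "ssh", 53: "dns"}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ")


def classify_by_port(dst_port: int) -> str:
    """Static port classification: the approach the slide calls no longer enough."""
    return WELL_KNOWN_PORTS.get(dst_port, "unknown")


def http_host(payload: bytes) -> Optional[str]:
    """Host header of a plaintext HTTP request; '' if absent, None if not HTTP."""
    if not payload.startswith(HTTP_METHODS):
        return None
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return ""


def tls_server_name(payload: bytes) -> Optional[str]:
    """SNI hostname from a TLS ClientHello record; None if absent, truncated or malformed."""
    try:
        if len(payload) < 9 or payload[0] != 0x16 or payload[1] != 0x03 or payload[5] != 0x01:
            return None
        hs_len = int.from_bytes(payload[6:9], "big")
        body = payload[9:9 + hs_len]
        if len(body) < hs_len:
            return None                     # truncated: a real engine reassembles first
        pos = 2 + 32                        # client_version + random
        pos += 1 + body[pos]                # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + body[pos]                # compression_methods
        if pos + 2 > len(body):
            return None                     # hello without an extensions block
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            ext_type = int.from_bytes(body[pos:pos + 2], "big")
            ext_len = int.from_bytes(body[pos + 2:pos + 4], "big")
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == 0 and len(data) >= 5 and data[2] == 0:   # server_name, host_name type
                name_len = int.from_bytes(data[3:5], "big")
                return data[5:5 + name_len].decode("ascii", "replace")
        return None
    except IndexError:
        return None


def classify_by_payload(payload: bytes) -> tuple[str, Optional[str]]:
    """DPI-style classification: (application, extracted name) regardless of port."""
    host = http_host(payload)
    if host is not None:
        return "http", host
    if len(payload) >= 6 and payload[0] == 0x16 and payload[5] == 0x01:
        return "tls", tls_server_name(payload)    # TLS even when the SNI is missing
    return "unknown", None


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension (sample input only)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name                 # host_name entry
    sni_ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry   # type, ext len, list len
    body = (b"\x03\x03" + bytes(32) + b"\x00"                               # version, random, no session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                             # one cipher suite, null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    samples = [
        (8443, b"GET /api HTTP/1.1\r\nHost: app.example.com\r\n\r\n"),   # HTTP on a non-standard port
        (80, build_client_hello("cdn.example.net")),                     # TLS on port 80
    ]
    for port, payload in samples:
        print(port, classify_by_port(port), classify_by_payload(payload))
```

The SNI is the one field a classifier can still read once the session is encrypted, which is why it carries so much of the weight in the "increasing use of encryption" case above; note that the parser walks the ClientHello with explicit length fields and refuses truncated or malformed input rather than guessing, since a classification engine sits on the data path and must not be crashable by a crafted hello.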
Performance Collection and Exporting
Integrated performance monitoring and advanced metrics for different types of applications and use cases.
• Basic monitoring: what applications, how much bandwidth, flow direction? (Flexible NetFlow and NBAR/NBAR2)
• Advanced monitoring, critical applications performance (Application Response Time): 40% of traffic is critical applications
• Advanced monitoring, voice and video performance (media monitoring): 30% of traffic is voice and video
App Optimization: Reduce Bandwidth and Latency, Enhancing User Experience and WAN Efficiency

PROBLEM
• Application latency
• WAN bandwidth inefficiencies

SOLUTION
• Reduce load: data redundancy elimination (DRE), compression, and TCP optimization
• Application optimization: fewer protocol messages and metadata caching

(Figure: two bar charts, Application Bandwidth (Mbps) and Application Latency (Seconds), each comparing the native application with Cisco WAAS and marking the reduction in bandwidth and the reduction in latency; axis scales 0–4 and 0–160)
WAAS Delivers User Experience at Scale
Test conditions: T1 (1.54 Mbps), 80 ms latency. Each chart compares the native WAN against the first pass optimized with WAAS and the second pass optimized with WAAS.
• Email, 5 MB attachment: send and receive email (time in seconds, 0–150 scale)
• CIFS, 5 MB file: file drag and drop (time in seconds, 0–150 scale)
• MS SharePoint, 5 MB document: SharePoint file download (time in seconds, 0–30 scale)
• VDI (Citrix): launch Citrix XenDesktop and site navigation, over native Citrix ICA/SSL vs. with WAAS (time in seconds, 0–30 scale)
Extending Akamai to the Branch with Akamai Connect: Akamai Intelligent Caching Inside Cisco ISR-AX
Completing the last mile: the Akamai cache runs inside the branch ISR-AX ("Akamai inside"), connected to the Akamai Intelligent Platform and to the data center over the WAN/MPLS.
• Optimal experience regardless of device, connectivity or cloud: all HTTP traffic in the private, public and Akamai cloud
• Prepositioning | Dynamic HTTP caching (YouTube) | Any transport

Secure Internet Access
Secure Internet Access with Cisco Cloud Web Security (CWS)
(Figure: branch with WAN1 (IP-VPN) to the private cloud and WAN2 (Internet) to CWS, the public cloud and the Internet)
• IOS Firewall to protect the Internet edge
• Secure public cloud and Internet access
• ISR connector to CWS firewall towers
• Web filtering, access policy, malware detection
• IWAN IPsec VPN for private cloud traffic
Cisco ISR CWS Connector: How It Works
(Figure: branch ISR G2; HQ routes send HQ traffic over the WAN tunnel to MPLS (IP-VPN), the private cloud and the virtual private cloud; the default route sends Internet traffic through the CWS connector on the DSL interface to CWS, the Internet and the public cloud)

Cisco ISR G2 with CWS cloud connector, functions:
• Authenticate the router and client to the CWS cloud
• Intercept HTTP/HTTPS traffic based on ACL filters
• Add a user-credentials header identifying the policy to be applied
• Traffic relay: replace the client source IP address with the egress address
• Redirect to CWS for scanning
• Act as HTTP proxy to complete requests
• Allow/block or warn based on user or group policy
• Scan for malware
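The function list above is a pipeline: ACL match, source-address rewrite, identity tagging, then a per-user or per-group verdict in the cloud. The Python below is an added example, not the Cisco ISR CWS connector, written to make the one security-relevant step explicit: the identity header the router adds is what selects the policy, so any copy of that header arriving from the client must be stripped before the router adds its own, or a user could pick their own policy. The ACL, egress address, header name, user directory and rules are all constructed for the example.

```python
"""Connector-style interception and identity tagging for a cloud web proxy.

Added example, not the Cisco ISR CWS connector. The intercept ACL, egress
address, header name, user-to-group directory and policy rules are all
constructed placeholders for the demo.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

INTERCEPT_ACL = [ipaddress.ip_network("10.10.0.0/16")]   # constructed branch LAN
WEB_PORTS = {80, 443}
EGRESS_IP = "203.0.113.10"                                 # constructed DSL egress address
IDENTITY_HEADER = "X-Connector-Identity"                   # hypothetical header name
GROUPS = {"alice": "staff", "bob": "contractor"}            # constructed user directory


@dataclass
class WebRequest:
    src_ip: str
    dst_port: int
    host: str
    user: Optional[str]
    headers: dict[str, str] = field(default_factory=dict)


def should_intercept(req: WebRequest) -> bool:
    """ACL filter: only web traffic from the branch LAN is relayed to the cloud."""
    src = ipaddress.ip_address(req.src_ip)
    return req.dst_port in WEB_PORTS and any(src in net for net in INTERCEPT_ACL)


def relay(req: WebRequest) -> WebRequest:
    """Traffic relay: rewrite the source to the egress address and tag the identity.

    Any client-supplied copy of the identity header is dropped first; otherwise a
    user could choose which policy the cloud applies to them.
    """
    headers = {k: v for k, v in req.headers.items() if k.lower() != IDENTITY_HEADER.lower()}
    if req.user is not None:
        headers[IDENTITY_HEADER] = f"{req.user};group={GROUPS.get(req.user, 'unknown')}"
    return WebRequest(EGRESS_IP, req.dst_port, req.host, req.user, headers)


# Policy as the cloud side evaluates it: first matching rule wins.
# (group or "*", host suffix or "*", action)
RULES = [
    ("*", "malware.example", "block"),
    ("contractor", "fileshare.example", "block"),
    ("staff", "social.example", "warn"),
    ("*", "*", "allow"),
]


def policy_action(group: str, host: str) -> str:
    """Allow/block/warn for a user group and destination host."""
    for rule_group, suffix, action in RULES:
        group_ok = rule_group in ("*", group)
        host_ok = suffix == "*" or host == suffix or host.endswith("." + suffix)
        if group_ok and host_ok:
            return action
    return "block"   # fail closed if no rule matched


def handle(req: WebRequest) -> tuple[str, str]:
    """Return (path, action): 'direct' bypasses the cloud, 'cws' relays through it."""
    if not should_intercept(req):
        return "direct", "allow"
    relayed = relay(req)
    ident = relayed.headers.get(IDENTITY_HEADER, "")
    group = ident.split("group=", 1)[1] if "group=" in ident else "unknown"
    return "cws", policy_action(group, req.host)


if __name__ == "__main__":
    # A contractor forging the staff identity header still gets the contractor policy.
    spoof = WebRequest("10.10.5.7", 443, "fileshare.example", "bob",
                       {IDENTITY_HEADER: "alice;group=staff"})
    print(handle(spoof))
```

The same reasoning applies to the real deployment: the cloud must only honour the identity header on connections that it has authenticated as coming from the router (the first bullet above), never on direct client connections, and the router's own HTTP proxy is the only place the header should be written.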
IWAN Management
IWAN Network Management Solutions from Cisco and NMS Partners
• Cisco Prime Infrastructure: provides enterprise and integrator life-cycle network management applications
• Glue Networks: delivers a cloud-based simplified deployment portal
• LiveAction: IWAN AVC and PfR configuration and monitoring
• SDN ready with onePK: comprehensive programmability kit to enable SDN provisioning applications
IWAN 1.0 Management Tool Matrix
• Simplified deployment: Prime Infrastructure
• Transport independent design: Prime Infrastructure
• Intelligent path control
• Application optimization: WAAS Central Manager
• Secure Internet connectivity: Prime Infrastructure
• Network health and status: Prime Infrastructure (AVC)
Why Cisco IWAN?
Why Cisco IWAN
Up to (figure not captured) in savings; many pay off in 6–12 months.
• Quick ROI, faster than alternatives: savings enable business innovation
• Integrated platform for IT simplicity: branch ISR-AX, DC ASR1K-AX, cloud CSR1000V; the alternative is a stack of overlay appliances (app visibility and control, IPsec VPN, WAN optimization, firewall, WAN path selection) on top of the router
• Granular control everywhere
• Proven security at scale: any-to-any security; protect all branch resources; secure direct Internet access
• Unmatched context-based routing: app-aware, endpoint-aware, network-aware
Start with Cisco AX Routers: IWAN Capabilities Embedded in the Router
Cisco AX routers: ISR-4000-AX | ASR1000-AX. One network, unified services, simplifying application delivery:
• Transport independent routing
• Secure connectivity
• Intelligent path control
• Application optimization
IWAN Branch Services Routers
ISR4000 Series: IWAN AX ready, next-generation branch
• Integrated IWAN services: IOS Firewall, VPN, IPsec, PfRv3, NBAR2, AVC, AppNav, VRF, MPLS; scalable on-chip service provisioning
• Application centric: app/user policy-driven deployment; APIC-EM automation, deploy in minutes; pay-as-you-grow; up to 75% cost savings
• Appliance-level performance: service-aware dataplane; resilient service virtualization; multi-gigabit fabric

Model      Throughput
ISR4321    50/100 Mbps (new)
ISR4331    100/300 Mbps (new)
ISR4351    200/400 Mbps (new)
ISR4431    500 Mbps/1 Gbps (new)
ISR4451    1–2 Gbps
IWAN Aggregation Border Routers
ASR1000: IWAN AX ready, high-performance routers
• Integrated IWAN services: IOS Firewall, VPN, IPsec, PfRv3, NBAR2, AVC, AppNav, VRF, MPLS; scalable on-chip service provisioning
• Business-critical resiliency: separate control and data planes; hardware and software redundancy; in-service software upgrades
• Compact, powerful router: line-rate performance 2.5G to 200G+ with services enabled; crypto performance from 2G to 60G+; flexible I/O, SPAs and Ethernet LCs

Model                Throughput                             Crypto throughput
ASR1001-X (new)      2.5G, upgradeable to 5G, 10G, 20G      up to 8G
ASR1002-X            5G, upgradeable to 10G, 20G, 36G       up to 4G
ASR1006 (modular)    modular, redundant up to 200G          up to 60G
Intelligent WAN (IWAN)
(Figure: branch with secure WAN transport over MPLS (IP-VPN) and Internet to the private cloud and virtual private cloud, and direct Internet access to the public cloud)
• Internet as WAN with high reliability
• SLAs for business-critical applications
• Centralized security policy for Internet access
• Dramatically lower WAN costs without compromise

Thank you.