Cisco Intelligent Branch - Enabling the Next Generation Branch

Cisco Confidential© 2015 Cisco and/or its affiliates. All rights reserved. 1
Cisco Intelligent Branch – Enabling
the Next Generation Branch
Tammy Getschel
Systems Engineer
May 19, 2016

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Housekeeping notes
Thank you for attending Cisco Connect Toronto 2016, here are a few housekeeping notes
to ensure we all enjoy the session today.
• Please ensure your cellphones / laptops are set on silent to ensure no one is disturbed
during the session
• [Please add any special notes for your session/labs]

© 2013 Cisco and/or its affiliates. All rights reserved. 3
Pressures on the WAN
Emerging Branch Demands
The Application Landscape Is Changing
Applications are Moving to the DC and Cloud
Internet Edge Is Moving to the Branch
Cloud
SaaS, Google Docs, Office365 Guest WiFi, BYOD, App Updates
Cloud Mobility Apps
Video, VDI, Backup
Branch Data Centers

Internet as an Extension of Enterprise WAN
Commodity Transports Viable Now
Dramatic Bandwidth, Price Performance Benefits
Higher Network Availability
Improved Performance Over Internet
4

Intelligent WAN: Leveraging the Internet
Secure WAN Transport and Internet Access
Optimized
Secure Transport
Branch
Direct Cloud
Access
Private
Cloud
Virtual
Private
Cloud
Public
Cloud
1. IWAN Secure transport for private
and virtual private cloud access
2. Leverage local Internet path for
public cloud and Internet access
 Increase WAN transport capacity and
app performance cost effectively!
 Improve application performance
(right flows to right places)
MPLS (IP-VPN)
Internet

Intelligent WAN (IWAN) Architecture
MPLS
Unified
Branch
3G/4G-LTE
Internet
Private
Cloud
Virtual
Private
Cloud
Public
Cloud
Application
Optimization
Enhanced Application
Visibility and Performance
Secure
Connectivity
Comprehensive
Threat Defense
Intelligent
Path Control
Application
Aware Routing
Transport
Independent
Simplified
Hybrid WAN
Management Automation
6

Cisco Confidential 7© 2015 Cisco and/or its affiliates. All rights reserved.
Transport-Independence
Virtualizing the Enterprise WAN
7

IWAN Transport Independence
Consistent deployment models simplify operations
Internet MPLS
Branch
DMVPN DMVPN
IWAN HYBRID
Data Center
ISR
ASR 1000 ASR 1000
ISP A SP B
4G/LTE
Branch
DMVPN
IWAN HYBRID/LTE
Data Center
ISP C SP B
ASR 1000
MPLS
Branch
MPLS
DMVPN
IWAN Dual MPLS
Data Center
ISR
ASR 1000 ASR 1000
SP A SP B
DMVPN
MPLS
DMVPN
ISR
ASR 1000

IWAN Transport Independent Design
with Dynamic Multipoint VPN (DMVPN)
• Proven IPsec VPN technology
Widely deployed, Large scale
Standards based IPsec and Routing
Adv QOS: hierarchical, per tunnel and adaptive
• Flexible & Resilient
Over any transport: MPLS, Carrier Ethernet, Internet, 3G/4G,..
Hub-n-Spoke with Dynamic full mesh Topology
Multiple encryption, key management, routing options
Multiple redundancy options: platform, hub, transports
• Secure
Industry Certified IPsec and Firewall
NG Strong Encryption: AES-GCM-256 (Suite B)
IKE Version 2
IEEE 802.1AR Secure unique device identifier
• Simplified IWAN Deployments
Prescriptive validated IWAN designs
Automated provisioning – Prime, IWAN-App, Glue
Branch
Internet MPLS
DMVPN
Purple
DMVPN
Green
IWAN HYBRID
Data Center
ISP A SP B

Intelligent Path Control
Improving Application Delivery and WAN Efficiency
1

Getting the Most Out of Your WAN Investment
Benefits of Intelligent Path Control
Data Center
Branch
ASR 1000
ASR 1000
ISR
MPLS
Internet
Enabling
Hybrid WANs
Efficient Distribution of
Traffic Based Upon Load
or Path Preference
Application Best Path
Based on Quality
Protection From
Carrier Black Holes
and Brownouts
Lower
WAN Costs
Full Utilization
of WAN Bandwidth
Improved
Application
Performance
Higher Application
Availability
12

Intelligent Path Control with PfR
Voice and Video Use-Case
Branch
MPLS
Internet
Virtual Private
Cloud
Private Cloud
• PfR monitors network performance and routes applications
based on policy
• PfR load balances traffic based upon link utilization levels
to efficiently utilize all available WAN bandwidth
Other traffic is load
balanced to maximize
bandwidth Voice/Video will be rerouted if the
current path degrades below policy
thresholds
Voice/Video take the best
delay, jitter, and/or loss path
13

What is Performance Routing (PfR)?
MPLS Internet
Branch
BR BR
Data Center
MC
“Performance Routing (PfR) provides additional
intelligence to classic routing to track and verify the
quality of a path over a Wide Area Networking (WAN)
to determine the best path for application traffic....”
MC+BR
14

SP1 (MPLS) ISP (FTTH)
• Protect voice and
video quality
Latency < 150 ms
Jitter < 20 ms
• Protect Email applications
from WAN congestion
Loss < 5%
• Voice and video preferred
path SP1
• Email preferred path ISP
• Increase utilization
by load sharing
Multimedia and Critical Data Policy
Business App
Best-Effort Traffic
High Delay
Detected
SP1 (MPLS) ISP (DSL)
Voice and Video
High Jitter
Detected
Email
Best-Effort Traffic
Protecting Critical Applications While Increasing Bandwidth Utilization
• Protect transactional
business app from brownouts
delay < 250ms
• Preferred path SP1 (MPLS)
• Increase WAN bandwidth
efficiency by load-sharing
traffic over all WAN paths,
MPLS + Internet
Business App and Load-Balancing Policy
15

Load Balancing
Maximizing Link Utilization to Increase Available Bandwidth
• Traffic distributed across all paths to efficiently use all WAN bandwidth
• Load Balancing based upon link utilization levels
• External links can have different bandwidth capacities
MPLS = 1.5Mbps
Internet = 15Mbps
ISR
WAN
Internet
MPLS
ASR 1000
ASR 1000
Data Center
50% T1 = 750kbps
50% 15Mbps = 7.5Mbps
16

Application Optimization

Branch
Proliferation
of Devices
Users/
Machines
Private
Cloud
Make Your IWAN Application Aware
Application Visibility and Control (AVC)
DC/Headquarters
Public
Cloud
Cisco AVC
Application Performance
Visibility
• Application inspection with
existing routers
• Rich data collection using
NetFlow v9/IPFIX
• Easy to integrate into many
reporting tools
Smart Capacity
Planning
• Better use of costly bandwidth
• Per-branch and per-application
level reporting
Business Objective
Enforcement
• Service Level monitoring per
application
• Better Analytics to adjust
network policies to maintain
compliance
18
AVC

Proliferation
of Devices
Users/
Machines
Private
Cloud
Application Performance Monitoring for IWAN
Track and Report Application Flows and Performance
WAN
Enterprise Edge
AVC
AVC
CSR
NetFlow/IPFIX Records
(Same provisioning, same format)
• Traffic statistics records
• Application Response Time records
• Media monitoring records
(Application, Jitter, Loss, etc)
Cisco Tools
Prime, APIC-EM
Partner Tools
Ecosystem
LiveAction
Glue Networks
Plixer
Living Objects
CompuWare
CA Technologies
Collecting Collecting Collecting
Provisioning
Exporting
NetFlow v9 Export/IPFIX Export
Branch DC/Headquarters
AVC
AVC
19

Cisco WAAS
Enhancing User Experience and WAN Efficiency
Solution
• Reduce load
Data redundancy elimination
(DRE), compression, and
TCP optimization
• Application optimization
Fewer protocol messages
and metadata caching
Problem
• Application latency
• WAN bandwidth
inefficiencies
Application bandwidth with Cisco® WAAS
Application bandwidth natively
Application latency natively
Application latency with Cisco WAAS 0 0
1
2
3
4
40
80
120
160
Application
Bandwidth
Application
Latency
Bandwidth
(Mbps)
Latency
(Seconds)
Reduction in
bandwidth
Reduction
in latency
20

© 2010 Cisco Systems, Inc. All rights reserved.
WAN
Application-Specific Acceleration
 Application and protocol awareness
Eliminate unnecessary chatter
Save WAN bandwidth
Pre-populate edge cache as necessary
Enable disconnected operations
Intelligent protocol acceleration
Read-ahead, prediction, and batching
Safe data and metadata caching
Improves application response time
Provide origin server offload
DRE Hints
Application intelligence signals to DRE & LZ…
whether to compress
whether to cache
Safe Caching
Read-ahead
Prediction
Batching
DRE Hinting
WAN
Optimization
DRE/TFO/LZ
Origin Server
Offloaded
Application Specific Acceleration

Email (5MB Attachment) File Services (5MB File)
VDI (Citrix)(5MB Document)
First Optimized with WAAS
Send and Receive Email over native WAN
Second Pass Optimized with WAAS
100 20 30 40 50 60 70 80 90 100 110 120 130 140 150
Time in Seconds
Optimize and Enhance Thousands of Applications
AX Includes Cisco WAAS WAN Optimization
24x
Faster First Optimized with WAAS
File Drag and Drop Over native WAN
100 20 30 40 50 60 70 80 90 100 110 120 130 140 150
Time in Seconds
17x
Faster
First Optimized with WAAS
Sharepoint File Download over Native WAN
Launch Citrix XenDesktop with WAAS
Launch Citrix XenDesktop Over Native Citrix ICA/SSL
Site Navigation with WAAS
20 4 6 8 10 12 14 16 18 20 22 24 26 28 30
Time in Seconds
30x
Faster
20 4 6 8 10 12 14 16 18 20 22 24 26 28 30
Time in Seconds
Site Navigation Over Native Citrix ICA/SSL
3-8x
Faster

IWAN Secure Connectivity

Intelligent WAN: Secure Connectivity
Securing the network and users
Secure WAN Transport
Branch
MPLS (IP-VPN)
Internet
Secure
Internet
Access
Private
Cloud
Virtual
Private
Cloud
Public
Cloud
Two areas of concern
1. Protecting the network from outside threats with data privacy over provider networks
2. Protecting user access to Public Cloud and Internet services; malware, privacy,
phishing,…
26

Securing IWAN Transports with Front-door VRF
Isolation of external networks
• Virtual Route Forwarding (VRFs) create
multiple logical routers on a single device
Separate control/data planes per VRF
No connectivity between VRFs by default
Provider side VRF (yellow) for external networks,
Global VRF (blue) for internal networks
• Provider VRF minimizes threat exposure
Default routing only in Provider VRF
Provider assigned IP addressing hides internal
network
Provider IP address used as IPSec tunnel
source
Only IPsec allowed between internal Global and
Provider Front Side VRFs
Global
F-VRF
Branch LAN
10.1.1.0/24
10.1.2.0/24
…
Front Side
Provider VRF
Provider Assigned
WAN IP Address
192.168.254.254
VRFs have
independent
routing and
forwarding
planes
IPSec Tunnel
Interface
Global
Enterprise
VRF

• Use ACLs, ZBFW or ASA to block all traffic
except the DMVPN tunnel traffic to routers
• Zone Based Firewall (ZBFW) at the branch if there
are plans for direct Internet access
• Typical ACL for protecting the Internet interface
DSL Cable
Branch
ASR 1000 ASR 1000
ISP A ISP C
Data Center
Protecting the Public facing IWAN Interfaces
interface GigabitEthernet0/0
ip vrf forwarding INET-PUBLIC1
ip access-group ACL-INET-PUBLIC in
!
ip access-list extended ACL-INET-PUBLIC
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit udp any any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit udp any any gt 1023 ttl eq 1

Intelligent WAN—Direct Cloud Access
Branch
MPLS (IP-VPN)
Internet
Direct Internet
Access
Private
Cloud
Virtual
Private
Cloud
Public
Cloud
• Leverage Local Internet path for Public Cloud and Internet access
• Improve application performance (right flows to right places)
Solutions
On Premise – Zone Based Firewall
Cloud Based – Cloud Web Security
CWS
ISR-AX
ZBFW
31

Secure Internet Access with Cisco
Cloud Web Security (CWS)
Secure Public
Cloud and Internet
Access
ISR Connector to
CWS Firewall towers
Web Filtering,
Access Policy,
Malware Detect
WAN1
(IP-VPN)
CWS
Private
Cloud
Public
Cloud
Branch
WAN2
(Internet)
IWAN IPsec VPN
for Private Cloud
TrafficIOS Firewall to
protect Internet
Edge
Internet
32

Orchestration and Automation
3

Cisco IWAN Management Portfolio
Covering a broad range of preferences and requirements
• Customer wants advanced
provisioning, life cycle
management, and
customized policies
• System-wide network
consistency assurance
• Lean IT OR IT Network team
Cisco
Prime
Infrastructure
• Customer needs
customizable IWAN with
end-to-end monitoring
• One Assurance across Cisco
portfolio from Branch to
Datacenter
• IT Network team
Enterprise Network
Mgmt and Monitoring
Ecosystem Partners
IWAN App
• Customer wants
considerable automation
and operational simplicity
• Requirements consistent
with prescriptive IWAN
Validated Design
• Lean IT organization
Prescriptive
Policy Automation
• Customer looking for
advanced monitoring and
visualization
• QoS/ PfR/ AVC configuration,
Real-time analytics and
network troubleshooting
• IT Network team
Application Aware
Performance Mgmt
Advanced
Orchestration
3

Provisioning & Life
Cycle Management
Visualization & Health
IWAN Management Solution Positioning
CustomizablePrescriptive
AdvancedFoundation
Prime
Prime
IWAN AppOn Prem
Cloud
Infrastructure ASR 1000

APIC-EM IWAN App

APIC-EM IWAN App
Site provisioning

IWAN App – Site provisioning
4

4

APIC-EM IWAN App
Define Application Policy
• Business Intent  network admin informs the controller
what applications are relevant for the business
• The controller is going to perform background tasks based
on this business logic

APIC-EM IWAN App
• Define primary path for group of applications
• The controller will create a PfR policy based on
those paths.

IWAN App

Prime Infrastructure for IWAN
• IWAN workflow wizard with PnP
• Template-based IWAN configs
• PfRv3 Domain, MC and BR
• AVC One-Click provision
• QoS Provisioning
• Single or Dual Router Branch
• CVD-based, Customizable
• AVC Readiness Assessment
• AVC, QoS, PfR Visibility
• Leverages APIC EM services
46

Cisco IWAN Product Portfolio
4

Start with Cisco AX Routers
IWAN Capabilities Embedded in the Router
ISR-AX
Simplify
Application
Delivery
One Network
UNIFIED SERVICES ASR1000-AX
ISR-4000AX
Transport
Independent
Secure
Routing
Optimization
Control
Visibility
Cisco AX Routers 800 | 1900 | 2900 | 3900 | 4000 | ASR 1000

Why Cisco IWAN?
4

Internet
Intelligent WAN Summary
Branch-1 Branch-513
DCI
WAN Core
MC MC
20M Dn
2M Up
512M FD
BR BR
ATBT
MPLS
Island
ADSL
BR
ISR-AX
vWAAS
ISR-AX
vWAAS
1.5M FD
256M FD
CWS
BR
ASR-AX ASR-AX
WAAS WAAS
AVC
AVC AVC
ShowMe$$
DC-WestDC-East
Internet Internet
Transport Independent Design
• Highly available Hybrid WAN
Intelligent Path Control
• Performance Routing (PfR) to protect applications and
load balance traffic to maximize expensive WAN bandwidth
Application Optimization
• Application Visibility and Control (AVC) to monitor performance
• WAAS + Akamai to reduce bandwidth consumption while improving
application experience
Secure Connectivity
• Secure the network from outside threats
• Cloud Web Security (CWS) for improved Cloud performance while
freeing up WAN bandwidth, without compromising security
IWAN Management
• Cisco and Ecosystem Partner tools
APIC-EM IWAN-APP, Prime, LiveAction, GlueWare, and more
5

Branch
MPLS (IP-VPN)
Internet
Private
Cloud
Virtual
Private
Cloud
Public
Cloud
Cisco Intelligent WAN (IWAN)
Secure WAN Transport
Direct Internet
Access
Mixed Transport WAN with High Reliability
SLAs for Business-Critical Applications
Centralized Security Policy for Internet Access
Dramatically Lower WAN Costs Without Compromise
51

Cisco Intelligent Branch - Enabling the Next Generation Branch

Cisco Intelligent Branch - Enabling the Next Generation Branch

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (10)

Similaire à Cisco Intelligent Branch - Enabling the Next Generation Branch

Similaire à Cisco Intelligent Branch - Enabling the Next Generation Branch (20)

Plus de Cisco Canada

Plus de Cisco Canada (20)

Dernier

Dernier (20)

Cisco Intelligent Branch - Enabling the Next Generation Branch