
Cisco Intelligent WAN: Enabling the Next-Generation Branch


Session: Cisco Intelligent WAN: Enabling the Next-Generation Branch
Presenter: Tammy Getschel, Systems Engineer
Date: October 20, 2015



  1. Tammy Getschel, Systems Engineer: Cisco Intelligent WAN, Enabling the Next-Generation Branch
  2. Pressures on the WAN: Emerging Branch Demands (© 2013 Cisco and/or its affiliates. All rights reserved.)
     • The application landscape is changing
     • Applications are moving to the DC and cloud: cloud SaaS (Google Docs, Office365); video, VDI and backup to the data center
     • The Internet edge is moving to the branch: guest WiFi, BYOD, app updates, cloud mobility apps
  3. Internet as an Extension of the Enterprise WAN
     • Commodity transports are viable now
     • Dramatic bandwidth and price/performance benefits
     • Higher network availability
     • Improved performance over the Internet
  4. Intelligent WAN: Leveraging the Internet (secure WAN transport and Internet access)
     • 1. IWAN: optimized secure transport over MPLS (IP-VPN) and Internet for private and virtual private cloud access
     • 2. Leverage the local Internet path for public cloud and Internet access (branch direct cloud access)
     • Increase WAN transport capacity and application performance cost effectively
     • Improve application performance (right flows to right places)
  5. Intelligent WAN (IWAN) Architecture: a unified branch over MPLS, 3G/4G-LTE and Internet reaching private, virtual private and public clouds
     • Transport Independent: simplified hybrid WAN
     • Intelligent Path Control: application-aware routing
     • Application Optimization: enhanced application visibility and performance
     • Secure Connectivity: comprehensive threat defense
     • Management Automation
  6. Transport Independence: Virtualizing the Enterprise WAN
  7. IWAN Transport Independence: consistent deployment models simplify operations
     • IWAN Hybrid: branch ISR with a DMVPN over MPLS (SP A) and a DMVPN over Internet (ISP B), terminating on ASR 1000s in the data center
     • IWAN Hybrid/LTE: branch with a DMVPN over 4G/LTE (ISP C) alongside MPLS (SP B), terminating on an ASR 1000 in the data center
     • IWAN Dual MPLS: branch ISR with a DMVPN over each of two MPLS providers (SP A, SP B), terminating on ASR 1000s in the data center
  8. IWAN Transport Independent Design with Dynamic Multipoint VPN (DMVPN)
     • Proven IPsec VPN technology: widely deployed, large scale; standards-based IPsec and routing; advanced QoS: hierarchical, per-tunnel and adaptive
     • Flexible & resilient: over any transport (MPLS, Carrier Ethernet, Internet, 3G/4G, ...); hub-and-spoke with dynamic full-mesh topology; multiple encryption, key management and routing options; multiple redundancy options: platform, hub, transports
     • Secure: industry-certified IPsec and firewall; NG strong encryption: AES-GCM-256 (Suite B); IKE version 2; IEEE 802.1AR secure unique device identifier
     • Simplified IWAN deployments: prescriptive validated IWAN designs; automated provisioning (Prime, IWAN-App, Glue)
     • Diagram: IWAN Hybrid branch with two DMVPN overlays (Purple and Green) over Internet (ISP A) and MPLS (SP B) to the data center
  9. Intelligent Path Control: Improving Application Delivery and WAN Efficiency
  10. Getting the Most Out of Your WAN Investment: benefits of Intelligent Path Control (branch ISR to data center ASR 1000s over MPLS and Internet)
     • Enabling hybrid WANs; efficient distribution of traffic based upon load or path preference; application best path based on quality; protection from carrier black holes and brownouts
     • Outcomes: lower WAN costs; full utilization of WAN bandwidth; improved application performance; higher application availability
  11. Intelligent Path Control with PfR: voice and video use case (branch to private cloud and virtual private cloud over MPLS and Internet)
     • PfR monitors network performance and routes applications based on policy
     • PfR load balances traffic based upon link utilization levels to efficiently utilize all available WAN bandwidth
     • Voice/video take the best delay, jitter, and/or loss path and will be rerouted if the current path degrades below policy thresholds
     • Other traffic is load balanced to maximize bandwidth
  12. What is Performance Routing (PfR)? "Performance Routing (PfR) provides additional intelligence to classic routing to track and verify the quality of a path over a Wide Area Network (WAN) to determine the best path for application traffic...." (Diagram: branch and data center over MPLS and Internet with MC, BR and combined MC+BR roles.)
  13. Protecting Critical Applications While Increasing Bandwidth Utilization
     • Multimedia and Critical Data Policy (paths SP1 (MPLS) and ISP (FTTH)): protect voice and video quality: latency < 150 ms, jitter < 20 ms; protect email applications from WAN congestion: loss < 5%; voice and video preferred path SP1; email preferred path ISP; increase utilization by load sharing
     • Business App and Load-Balancing Policy (paths SP1 (MPLS) and ISP (DSL)): protect transactional business app from brownouts: delay < 250 ms; preferred path SP1 (MPLS); increase WAN bandwidth efficiency by load-sharing traffic over all WAN paths, MPLS + Internet
     • Diagram annotations: High Delay Detected, High Jitter Detected; Voice and Video, Email, Business App and Best-Effort Traffic flows across the two paths
  14. Load Balancing: maximizing link utilization to increase available bandwidth (branch ISR to data center ASR 1000s)
     • Traffic distributed across all paths to efficiently use all WAN bandwidth
     • Load balancing based upon link utilization levels
     • External links can have different bandwidth capacities: MPLS = 1.5 Mbps, Internet = 15 Mbps; 50% of the T1 = 750 kbps, 50% of 15 Mbps = 7.5 Mbps
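A worked model of the two policies on slides 13 and 14, added here as an illustration rather than code from the deck or from Cisco: the path names, the sample measurements and the lowest-delay tie-break are constructed for the example.

```python
"""Model of the PfR policies on slides 13 and 14.

Added illustration, not Cisco PfR code: path names, sample measurements and
the tie-break rule are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class PathMetrics:
    """Measured performance of one WAN path (constructed sample values)."""
    delay_ms: float
    jitter_ms: float
    loss_pct: float
    bandwidth_kbps: int


@dataclass(frozen=True)
class Policy:
    """Per-traffic-class policy: preferred path plus optional thresholds."""
    preferred: str
    max_delay_ms: Optional[float] = None
    max_jitter_ms: Optional[float] = None
    max_loss_pct: Optional[float] = None


# Slide 13 thresholds: voice/video cares about delay and jitter, email only
# about loss, the transactional business app only about delay.
VOICE_VIDEO = Policy("SP1-MPLS", max_delay_ms=150, max_jitter_ms=20)
EMAIL = Policy("ISP", max_loss_pct=5)
BUSINESS_APP = Policy("SP1-MPLS", max_delay_ms=250)

# Constructed measurement snapshots (delay, jitter, loss, bandwidth); the
# bandwidths are the 1.5 Mbps T1 and 15 Mbps Internet link of slide 14.
HEALTHY = {
    "SP1-MPLS": PathMetrics(40, 4, 0.1, 1500),
    "ISP": PathMetrics(55, 9, 0.4, 15000),
}
# "High Delay Detected" on SP1: 180 ms breaks voice/video (< 150 ms) but not
# the business app (< 250 ms).
SP1_HIGH_DELAY = {**HEALTHY, "SP1-MPLS": PathMetrics(180, 4, 0.1, 1500)}
# "High Jitter Detected" on the ISP path: email has no jitter threshold.
ISP_HIGH_JITTER = {**HEALTHY, "ISP": PathMetrics(55, 45, 0.4, 15000)}


def in_policy(policy: Policy, m: PathMetrics) -> bool:
    """A path is usable for a class only if every configured threshold holds."""
    return ((policy.max_delay_ms is None or m.delay_ms < policy.max_delay_ms)
            and (policy.max_jitter_ms is None or m.jitter_ms < policy.max_jitter_ms)
            and (policy.max_loss_pct is None or m.loss_pct < policy.max_loss_pct))


def choose_path(policy: Policy, paths: Dict[str, PathMetrics]) -> str:
    """Stay on the preferred path while it meets policy; otherwise reroute to
    the in-policy alternative with the lowest delay. If nothing is in policy
    the class stays put (constructed tie-break, not a PfR rule)."""
    if in_policy(policy, paths[policy.preferred]):
        return policy.preferred
    candidates = [n for n, m in paths.items()
                  if n != policy.preferred and in_policy(policy, m)]
    if not candidates:
        return policy.preferred
    return min(candidates, key=lambda n: paths[n].delay_ms)


def load_share(total_kbps: int, paths: Dict[str, PathMetrics]) -> Dict[str, int]:
    """Slide 14: spread best-effort traffic in proportion to link capacity so
    that every link ends up at the same utilization level."""
    capacity = sum(m.bandwidth_kbps for m in paths.values())
    return {n: round(total_kbps * m.bandwidth_kbps / capacity)
            for n, m in paths.items()}


def utilization_pct(shares: Dict[str, int],
                    paths: Dict[str, PathMetrics]) -> Dict[str, float]:
    """Percent of each link consumed by the shares from load_share()."""
    return {n: round(100.0 * kbps / paths[n].bandwidth_kbps, 1)
            for n, kbps in shares.items()}


if __name__ == "__main__":
    for label, snapshot in (("healthy", HEALTHY),
                            ("SP1 high delay", SP1_HIGH_DELAY),
                            ("ISP high jitter", ISP_HIGH_JITTER)):
        print(f"{label}: voice/video -> {choose_path(VOICE_VIDEO, snapshot)}, "
              f"email -> {choose_path(EMAIL, snapshot)}, "
              f"business app -> {choose_path(BUSINESS_APP, snapshot)}")
    # 8.25 Mbps of best-effort traffic over the T1 + Internet pair: 750 kbps
    # on the T1 and 7.5 Mbps on the Internet link, both 50% utilized.
    shares = load_share(8250, HEALTHY)
    print(shares, utilization_pct(shares, HEALTHY))
```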
  15. Application Optimization
  16. Make Your IWAN Application Aware: Application Visibility and Control (AVC) (branch with a proliferation of devices, users and machines connecting to private cloud, DC/headquarters and public cloud)
     • Application performance visibility: application inspection with existing routers; rich data collection using NetFlow v9/IPFIX; easy to integrate into many reporting tools
     • Smart capacity planning: better use of costly bandwidth; per-branch and per-application level reporting
     • Business objective enforcement: service level monitoring per application; better analytics to adjust network policies to maintain compliance
  17. Application Performance Monitoring for IWAN: track and report application flows and performance
     • AVC at the branch, enterprise edge (CSR) and DC/headquarters exports NetFlow v9/IPFIX records (same provisioning, same format): traffic statistics records; application response time records; media monitoring records (application, jitter, loss, etc.)
     • Collecting and provisioning: Cisco tools (Prime, APIC-EM); partner tools ecosystem (LiveAction, Glue Networks, Plixer, Living Objects, CompuWare, CA Technologies)
  18. Cisco WAAS: enhancing user experience and WAN efficiency
     • Problem: application latency; WAN bandwidth inefficiencies
     • Solution: reduce load with data redundancy elimination (DRE), compression, and TCP optimization; application optimization through fewer protocol messages and metadata caching
     • Chart: application bandwidth (Mbps) and application latency (seconds), natively vs. with Cisco WAAS, showing the reduction in bandwidth and the reduction in latency
  19. IWAN Application Optimization with Akamai Connect: optimal experience regardless of device, connectivity or cloud
     • All HTTP traffic in private, public and Akamai cloud
     • Prepositioning | Dynamic HTTP Caching (YouTube) | Any transport
     • Diagram: branch ISR-AX with Akamai inside (Akamai cache), WAN, data center, Akamai Intelligent Platform
  20. IWAN Secure Connectivity
  21. Intelligent WAN: Secure Connectivity, securing the network and users (secure WAN transport over MPLS (IP-VPN) and Internet; secure Internet access to private, virtual private and public clouds)
     • Two areas of concern: 1. Protecting the network from outside threats with data privacy over provider networks; 2. Protecting user access to public cloud and Internet services: malware, privacy, phishing, ...
  22. Securing the IWAN Transport: IPsec VPN and access control
     • Step 1: Authenticate hardware and software: Trust Anchor Module verification
     • Step 2: Secure transport: proven IPsec VPN overlay; strong cryptography: IKEv2 + AES-GCM 256; F-VRF to isolate provider networks
     • Step 3: Access control: IOS Zone-Based Firewall or ACL protection; role-based access to the router with logging; minimize exposure: provider-assigned addressing to hide routers, don't put tunnel addresses into DNS
     • Diagram: branch to data center ASR 1000s over MPLS (ISP A) and Internet (ISP C)
  23. Intelligent WAN: Direct Cloud Access (branch with MPLS (IP-VPN) and Internet; direct Internet access to virtual private and public clouds)
     • Leverage the local Internet path for public cloud and Internet access
     • Improve application performance (right flows to right places)
     • Solutions: on premise, Zone-Based Firewall (ZBFW on the ISR-AX); cloud based, Cloud Web Security (CWS)
  24. Secure Internet Access with Cisco Cloud Web Security (CWS): secure public cloud and Internet access
     • ISR connector to CWS towers: web filtering, access policy, malware detection
     • IWAN IPsec VPN over WAN1 (IP-VPN) for private cloud traffic; IOS Firewall protects the Internet edge on WAN2 (Internet)
  25. Orchestration and Automation
  26. Cisco IWAN Management Portfolio: covering a broad range of preferences and requirements
     • Customer wants advanced provisioning, life cycle management, and customized policies; system-wide network consistency assurance; lean IT or IT network team
     • Customer needs a customizable IWAN with end-to-end monitoring; one assurance across the Cisco portfolio from branch to data center; IT network team
     • Customer wants considerable automation and operational simplicity; requirements consistent with the prescriptive IWAN Validated Design; lean IT organization
     • Customer is looking for advanced monitoring and visualization; QoS/PfR/AVC configuration, real-time analytics and network troubleshooting; IT network team
     • Tools and categories shown: Cisco Prime Infrastructure; IWAN App; Enterprise Network Management and Monitoring Ecosystem Partners; Prescriptive Policy Automation; Application Aware Performance Management; Advanced Orchestration
  27. IWAN Management Solution Positioning (chart): axes Provisioning & Life Cycle Management / Visualization & Health, Prescriptive / Customizable, Foundation / Advanced; placing Prime, IWAN App, On Prem, Cloud, Infrastructure and ASR 1000
  28. APIC-EM IWAN App
  29. APIC-EM IWAN App: Site provisioning
  30. APIC-EM IWAN App: Site provisioning
  31. APIC-EM IWAN App: Site provisioning
  32. IWAN App: Site provisioning
  33. IWAN App: Site provisioning
  34. IWAN App: Site provisioning
  35. APIC-EM IWAN App: Define Application Policy
     • Business intent: the network admin informs the controller what applications are relevant for the business
     • The controller performs background tasks based on this business logic
  36. APIC-EM IWAN App: Define Application Policy
     • Define the primary path for a group of applications
     • The controller will create a PfR policy based on those paths
  37. IWAN App: Define Application Policy
  38. Prime Infrastructure for IWAN
     • IWAN workflow wizard with PnP
     • Template-based IWAN configs: PfRv3 domain, MC and BR; AVC one-click provisioning; QoS provisioning
     • Single or dual router branch
     • CVD-based, customizable
     • AVC readiness assessment
     • AVC, QoS, PfR visibility
     • Leverages APIC-EM services
  39. Cisco IWAN Product Portfolio
  40. Start with Cisco AX Routers: IWAN capabilities embedded in the router
     • ISR-AX, ASR1000-AX, ISR-4000AX: unified services to simplify application delivery on one network
     • Transport independent, secure, routing, optimization, control, visibility
     • Cisco AX routers: 800 | 1900 | 2900 | 3900 | 4000 | ASR 1000
  41. Why Cisco IWAN?
  42. Intelligent WAN Summary
     • Transport Independent Design: highly available hybrid WAN
     • Intelligent Path Control: Performance Routing (PfR) to protect applications and load balance traffic to maximize expensive WAN bandwidth
     • Application Optimization: Application Visibility and Control (AVC) to monitor performance; WAAS + Akamai to reduce bandwidth consumption while improving application experience
     • Secure Connectivity: secure the network from outside threats; Cloud Web Security (CWS) for improved cloud performance while freeing up WAN bandwidth, without compromising security
     • IWAN Management: Cisco and ecosystem partner tools: APIC-EM IWAN-APP, Prime, LiveAction, GlueWare, and more
     • Diagram: DC-West and DC-East (ASR-AX with WAAS, AVC, CWS, MC and BR roles) joined by a WAN core/DCI, reaching Branch-1 through Branch-513 (ISR-AX with vWAAS, AVC, MC and BR roles) over an MPLS island, ADSL (20M down / 2M up) and Internet links labelled 1.5M FD, 256M FD and 512M FD
  43. Cisco Intelligent WAN (IWAN): secure WAN transport over MPLS (IP-VPN) and Internet plus direct Internet access, from the branch to private, virtual private and public clouds
     • Mixed transport WAN with high reliability
     • SLAs for business-critical applications
     • Centralized security policy for Internet access
     • Dramatically lower WAN costs without compromise
  44. IWAN Backup Slides
  45. What Are the Big Trends in the Branch?
     • Digital signage: clients engage with digital signage 50% more than static ads (Intel field trials); dynamic signs, driven by RFID, increase sales by 34% (Intel field trials); growing more than 10% Y:Y through 2020 (Grandview Research)
     • Mobile applications: 41% of K-12 students use tablets for video learning (Project Tomorrow); 38% of corporations are investing to develop or replace applications to be web based in 2015 (Computer World); 18% of companies use mobile video applications for training (eLearning Industry)
     • Guest WiFi: branch guest WiFi causes 39% of customers to increase the duration of their stay; offering guest WiFi increases traffic for 56% of branch locations (IHL Group); "A week without guest WIFI leaves customers grumpier than a week without coffee" (Huff Tech Research)
  46. What Are the Big Cloud Trends?
     • 20% of applications are in the cloud, growing 18% a year
     • AWS reaches over 1 million active customers (source: zdnet.com)
     • Applications move between the branch, the cloud, and the DC
     • Chart: installed workloads in millions, 2012 through 2017: cloud data center (30% CAGR) vs. traditional data center (6% CAGR), with the cloud share rising from 39% to 63% and the traditional share falling from 61% to 37% (source: Cisco Global Cloud Index (GCI))
     • 40% of organizations will spend more on software as a service and a mix of public, private, hybrid and community clouds in 2015 (source: Computer World)
  47. Leveraging the Internet Pays Off Fast
     • Example: San Francisco, single MPLS VPN vs. dual business Internet ($ per month, at 1.5 Mbps and 10 Mbps); dual Internet links combined for an enterprise SLA
     • Monthly prices charted: iWAN $220 / $140; MPLS VPN CoS3 $830 / $260; MPLS VPN CoS2 $885 / $274; MPLS VPN CoS1 $1,014 / $303
     • $665 savings/month × 12 months × 1,000 sites = $8M savings per year (-75%)
     • Source: Telegeography MPLS VPN pricing for San Francisco as of March 2013; Comcast web site; Verizon website
  48. Building Highly Resilient WANs: redundancy and path diversity matter
     • Single router, single path: ISR over MPLS 99.95%* or over Internet 99.90%*; downtime per year 4–9 hours (8 hours 46 minutes at 99.90%)
     • Single router, dual paths (IWAN solution): ISR over MPLS + Internet, dual Internet, or dual MPLS: 99.995%, 26 minutes of downtime per year
     • Dual routers, dual paths (IWAN solution): two ISRs over MPLS + Internet, dual Internet, or dual MPLS: 99.999%, 5 minutes of downtime per year
     • * Typical MPLS and business-grade broadband availability SLAs and downtime per year, calculated with the Cisco AS DAAP tool
  49. IWAN Transport Best Practices
     • Private peering with Internet providers: use the same Internet provider for hub and spoke sites; avoids Internet exchange bottlenecks between providers; reduces round-trip latency
     • DMVPN Phase 3: scalable dynamic site-to-site tunnels; separate DMVPN per transport for path diversity; per-tunnel QoS; NG encryption: IKEv2 + AES-GCM-256
     • Transport settings: use the same MTU size on all WAN paths; bandwidth settings should match the offered rate
     • Routing: overlay iBGP or EIGRP for high scale; single routing process, simplified operations; front-side VRF to isolate provider networks
     • Diagram: IWAN Hybrid branch with DMVPN Purple and DMVPN Green over Internet (ISP A) and MPLS (SP B) to the data center
  50. Intelligent Path Control: Backup Slides
  51. Performance Routing Components
     • The decision maker: Master Controller (MC): discovers BRs, collects statistics; applies policy, verification, reporting; no packet forwarding/inspection required
     • The forwarding path: Border Router (BR): does all packet forwarding; visibility into network performance; enforces the MC's decision (path enforcement)
     • The policy controller: Domain Controller (DC): discovers site peers, prefixes and connected networks; advertises policy and services; one per domain, collocated with the MC
     • Diagram: branch MC+BR, data center DC/MC with two BRs, over MPLS and Internet
  52. PfR Domain Controller
     • Domain Controller (DC) peering framework: site MCs register to the domain; advertise to, or request, services; simplifies deployment and configuration; provides topology auto-discovery
     • Single point of configuration across the domain
     • Used to distribute information to sites: learned site prefixes; application/traffic policies; performance monitoring; traffic class database
     • Diagram: Domain Controller / Master Controller (DC/MC) with BRs over WAN1 and WAN2 to branch MC+BR routers
  53. How PfR Works: key operations
     • Define your traffic policy: define traffic classes and service level policies based on applications or transport classifiers (ISR, ASR1K)
     • Learn the traffic: border routers learn the current traffic classes going to the WAN based on the classifier definitions (learning active TCs)
     • Measurement: measure the traffic flow and network performance and report metrics to the Master Controller (performance measurements)
     • Path enforcement: the Master Controller commands path changes based on the traffic class policy definitions (best path)
  54. Intelligent Path Control: Path of Last Resort (new in IWAN 2.1, Fall 15)
     • Simplifies and speeds up failover routing to a backup-only path
     • Granular failover per traffic class policy
     • Extends path preference to include last-resort path(s)
     • Removes the need for the routing protocol to initiate failover
     • Good choice for cellular, satellite and other backup-only paths
     • Diagram: branch site with MPLS, INET and LTE DMVPNs to DC1 and DC2 (DC/MC, MC, MC/BR, BR, ASA; MPLS2, INET2, R14)
  55. Application Optimization: Backup Slides
  56. Today's Network is an IT Blind Spot
     • Static port classification is no longer enough
     • More and more apps are opaque
     • Increasing use of encryption and obfuscation
     • An application consists of multiple sessions (video, voice, data)
     • What if user experience is not meeting business needs?
  57. Unified Monitoring
     • Basic monitoring: what applications, how much bandwidth, flow direction? (NBAR2 and Flexible NetFlow)
     • Performance collection & exporting: integrated performance monitoring and advanced metrics for different types of applications and use cases: HTTP; voice and video performance (media monitoring), 30% of traffic is voice and video; critical applications performance (Application Response Time), 40% of traffic is critical applications
  58. Application Acceleration + Edge Caching: enhancing user experience while reducing WAN load (supports Akamai cloud | single-sided optimization | secure direct cloud access)
     • Akamai caching: transparent HTTP caching; dynamic URL OTT HTTP caching; Akamai Connected Cache; content pre-positioning
     • Cisco WAAS optimization: LZ compression; TCP optimization; data de-duplication; application-specific acceleration
  59. Cisco WAAS & Akamai Deployment Models (new)
     • Branch office: WAAS service module / UCS-E; WAAS-XE on ISR-4000; WAAS appliance
     • Regional office: WAAS appliance
     • Data center or private cloud: WAAS appliances; vWAAS appliances and server VMs on VMware ESXi with AppNav + WAAS; IWAN vWAAS / WAE with server VMs, VMware ESXi server, Nexus 1000v vPATH, UCS/x86 server, FC SAN, Nexus 1000v VSM
     • Virtual private cloud (VPN)
  60. IWAN Secure Connectivity: Backup Slides
  61. Trust Anchor Module (TAM): "How do I know the hardware is authentic?"
     • Provides immutable identity; standard identity: IEEE 802.1AR (SUDI, X.509 cert); secure storage of credentials; anti-theft & anti-tamper chip design; certifiable entropy for random number generation
     • TAM features & services: immutable identity; secure storage (keys & objects); certifiable entropy source; secure crypto assist; secure application certificates
     • Checks to verify as Cisco genuine (TAM/secure identity verification): authenticity & license check; verify secure identity
     • Product security: provides trustworthy hardware offering immutable identity, secure storage, random number generator, and encryption; available in the ISR-4000, newer Catalyst and other Cisco products
  62. Secure Boot: "How do I know the software is authentic?" Verifies that the software has not been altered or tampered with since it was signed
     • Secure boot process: power on; hardware anchor (immutable anchor ensuring hardware integrity and key authenticity); secure microloader; signed bootloader/BIOS; signed operating system; launch operating system, with image signing and an integrity check at each stage
     • Power-up: the microloader verifies the bootloader and BIOS; a signed bootloader/BIOS validates the operating system
     • Ensures only authentic Cisco software boots up on a Cisco platform
     • Anchored in hardware: as the image is created, the signature is installed and signed with a secure private key
     • As the software boots, the system checks to ensure the installed digital certificate is valid
     • Subsequent hash checks provide continuous monitoring with runtime integrity
  63. Add Network Integrated Threat Defense: IOS Zone-Based Firewall (branch to data center ASR 1000s over MPLS (ISP A) and Internet (ISP C))
     • Control the perimeter: external and internal protection, the internal network is no longer trusted; protocol anomaly detection and stateful inspection
     • Communicate securely: call flow awareness (SIP, SCCP, H323); prevent DoS attacks
     • Flexible: split tunnel, branch direct Internet access; internal FW addresses regulatory compliance
     • Integrated: no need for additional devices, expenses and power; works with other IWAN services: CWS, WAAS, UCS-E, ...
     • Manageable: APIC-EM, Prime, CLI, SNMP, CCP, and CSM
  64. Securing IWAN Transports with Front-Door VRF: isolation of external networks
     • Virtual Routing and Forwarding (VRF) instances create multiple logical routers on a single device: separate control/forwarding planes per VRF; no connectivity between VRFs by default; provider-side VRF (yellow) for external networks, global VRF (blue) for internal networks
     • The provider VRF minimizes threat exposure: default routing only in the provider VRF; provider-assigned IP addressing hides the internal network; the provider IP address is used as the IPsec tunnel source; only IPsec is allowed between the internal global VRF and the provider front-side VRF
     • Diagram: branch LAN in the global (inside network) VRF, IPsec tunnel interface, front-side "provider interface" VRF (F-VRF) holding the provider-assigned WAN IP address; VRFs have independent routing and forwarding planes; IOS ZBFW or ACL permits only authorized traffic, i.e. IPsec
  65. Protecting Public-Facing IWAN Interfaces (branch to data center ASR 1000s over DSL (ISP A) and cable (ISP C))
     • Use ACLs, ZBFW or ASA to block all traffic except the DMVPN tunnel traffic to the routers
     • Zone-Based Firewall (ZBFW) at the branch if there are plans for Direct Cloud Access
     • Typical ACL for protecting the Internet interface:

```
interface GigabitEthernet0/0
 bandwidth 10000
 ip vrf forwarding INET-PUBLIC1
 ip address dhcp
 ip access-group ACL-INET-PUBLIC in
 duplex auto
!
ip access-list extended ACL-INET-PUBLIC
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 permit udp any any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 permit udp any any gt 1023 ttl eq 1
!
```
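To review what the ACL above actually admits before it goes on a public interface, an added example (not Cisco code, not from the deck) that evaluates ACL-INET-PUBLIC against constructed inbound packets; it models only the subset of IOS extended-ACL syntax the slide uses.

```python
"""Evaluate the slide's ACL-INET-PUBLIC against sample inbound packets.

Added example, not Cisco code: models only the syntax the slide uses
(protocol, 'any any', eq/gt destination port, ICMP type keyword, 'ttl eq N')
with first-match semantics and an implicit deny. Packets are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The access list exactly as it appears on slide 65, in order.
ACL_INET_PUBLIC = [
    "permit udp any any eq non500-isakmp",
    "permit udp any any eq isakmp",
    "permit esp any any",
    "permit udp any any eq bootpc",
    "permit icmp any any echo",
    "permit icmp any any echo-reply",
    "permit icmp any any ttl-exceeded",
    "permit icmp any any port-unreachable",
    "permit udp any any gt 1023 ttl eq 1",
]

# IOS keywords used by this ACL: UDP ports and ICMP (type, code) pairs.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "bootpc": 68}
ICMP_NAMES = {"echo": (8, 0), "echo-reply": (0, 0),
              "ttl-exceeded": (11, 0), "port-unreachable": (3, 3)}


@dataclass(frozen=True)
class Packet:
    """Inbound packet fields this ACL can match on."""
    proto: str                              # "udp", "tcp", "esp", "icmp"
    dport: Optional[int] = None             # UDP/TCP destination port
    icmp: Optional[Tuple[int, int]] = None  # (type, code)
    ttl: int = 64


@dataclass(frozen=True)
class Ace:
    """One parsed access-list entry."""
    action: str
    proto: str
    port_op: Optional[str] = None           # "eq" or "gt"
    port: Optional[int] = None
    icmp: Optional[Tuple[int, int]] = None
    ttl: Optional[int] = None


def parse_ace(line: str) -> Ace:
    """Parse an entry of the shape used on the slide."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    if tok[2:4] != ["any", "any"]:
        raise ValueError(f"only 'any any' source/destination supported: {line}")
    port_op = port = icmp = ttl = None
    rest, i = tok[4:], 0
    while i < len(rest):
        if rest[i] in ("eq", "gt") and proto in ("udp", "tcp"):
            port_op = rest[i]
            port = PORT_NAMES.get(rest[i + 1]) or int(rest[i + 1])
            i += 2
        elif rest[i] == "ttl" and rest[i + 1] == "eq":
            ttl = int(rest[i + 2])
            i += 3
        elif proto == "icmp" and rest[i] in ICMP_NAMES:
            icmp = ICMP_NAMES[rest[i]]
            i += 1
        else:
            raise ValueError(f"unsupported token {rest[i]!r} in: {line}")
    return Ace(action, proto, port_op, port, icmp, ttl)


def matches(ace: Ace, pkt: Packet) -> bool:
    """Every qualifier on the entry must hold for the packet."""
    if ace.proto != pkt.proto:
        return False
    if ace.port_op == "eq" and pkt.dport != ace.port:
        return False
    if ace.port_op == "gt" and (pkt.dport is None or pkt.dport <= ace.port):
        return False
    if ace.icmp is not None and pkt.icmp != ace.icmp:
        return False
    return ace.ttl is None or pkt.ttl == ace.ttl


def evaluate(acl: List[str], pkt: Packet) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed inbound traffic a public IWAN interface might see.
SAMPLES: Dict[str, Packet] = {
    "IKEv2 negotiation (UDP/500)": Packet("udp", dport=500),
    "IKE NAT-T (UDP/4500)": Packet("udp", dport=4500),
    "ESP tunnel payload": Packet("esp"),
    "DHCP reply to client port (UDP/68)": Packet("udp", dport=68),
    "ICMP echo request": Packet("icmp", icmp=(8, 0)),
    "ICMP port unreachable (3/3)": Packet("icmp", icmp=(3, 3)),
    "ICMP network unreachable (3/0)": Packet("icmp", icmp=(3, 0)),
    "traceroute probe (UDP/33434, TTL 1)": Packet("udp", dport=33434, ttl=1),
    "same UDP/33434 with normal TTL": Packet("udp", dport=33434),
    "SSH to the router (TCP/22)": Packet("tcp", dport=22),
}


def audit(acl: List[str], samples: Dict[str, Packet]) -> Dict[str, str]:
    """Verdict per sample, for reviewing the filter before deployment."""
    return {label: evaluate(acl, pkt) for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, verdict in audit(ACL_INET_PUBLIC, SAMPLES).items():
        print(f"{verdict:6} {label}")
```

Only the DMVPN/IPsec control and data traffic, the DHCP reply, the listed ICMP types and TTL-1 traceroute probes are permitted; management protocols such as SSH fall through to the implicit deny.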
  66. Orchestration and Automation: Backup Slides
  67. IWAN App: Application Classification
  68. IWAN App: Policy Provisioning
  69. Service Health Summary
  70. PfR dashboard: look at events at sites
  71. Router, Provider, Server
  72. Link details: PfR threshold crossing
  73. LiveAction Software
     • An application-aware network performance management and QoS control tool
     • Fast, simple, cost-effective way to monitor and control application performance leveraging Cisco capabilities
     • LiveAction components: Flow, QoS Monitor, QoS Configure, Routing, LAN, IP SLA
  74. Business Relevance to End-Customers
     • Insightful application performance and troubleshooting; faster QoS monitoring and configuration; visual WAN bandwidth management; higher quality voice and video; efficient WAN performance baselining and capacity planning; higher productivity through faster and reliable applications
     • Click: easily deploy, configure, monitor, and analyze Cisco advanced technologies
     • See: end-to-end flow visualization for a holistic view of the network
     • Fix: unique QoS graphical control to troubleshoot and solve issues; instant validation of policy changes
     • Point: quick diagnosis of performance issues through visual displays
  75. Glue Networks IWAN Orchestration
     • Cloud-based SaaS subscription model
     • Eliminates manual building of WANs
     • Automated WAN orchestration and management
     • Quick configuration updates and IOS upgrades
     • Rapidly delivers next-gen and IWAN features
     • Forward compatible with SDN and OnePK for app-aware WANs
     • Broadband and MPLS support for centralized hybrid WAN management for IWAN
  76. Introducing Gluware 2.0: DevOps for Network Engineers, transforming enterprise networks
     • Network engineer centric vs. programmer centric
     • Gluware Lab: rapid development environment, NDK, & FLOW (Flexible Language Object Workstream)
     • Gluware Control: network-aware and customizable life-cycle management
     • Integrated with leading architectures (IWAN)
     • REST API for third-party monitoring, visualization, controllers
  77. LiveAction 4.3 and Performance Routing
     • PfR path change visualization
     • Alert and report on PfR out-of-policy events
     • Reports on traffic class/application path changes
     • Screenshots: out-of-policy threshold crossing alert; before brown-out (northern path) and after brown-out (southern path)
  78. PfRv3 Dashboard: alerts / performance by site; alerts / performance by application group; all alerts
  79. LiveAction Demonstration
     • System topology and end-to-end flow visualization
     • Flow, PfR, and QoS
     • PfR failover demo (12 min): http://vimeo.com/108511944
     • PfR configuration (15 min): https://vimeo.com/121177440
  80. Gluware 2.0 Workflow
  81. Intelligent SD-WAN Orchestration Platform Benefits
     • Optimize WAN management with best-practice architectures (IWAN) & centralized management
     • Zero-touch deployment with consistency, error checking & architecture awareness
     • WAN orchestration with DevOps, boosting agility and customization with the network engineer in mind
     • Simplify roll-out of complex services through policy centralization and assurance
     • Control network evolution with advanced feature support and open, programmable interfaces
     • Transport-agnostic connectivity for hybrid WAN and cost reduction
  82. IWAN, Glue Networks, APIC-EM Evolution (Cisco internal)
     • Layers: device layer (IWAN pillars TID, IPC, AO, SIC); element layer (CLI, TCL, SNMP, API); control layer (APIC-EM); orchestration & automation layer (Gluware); network operator level (admin)
     • Phases 1, 2 and 3-5 shown with CLI, API, TCL, SNMP, APIC-EM and Gluware at each layer
     • IWAN pillars: TID, Transport Independent; IPC, Intelligent Path Control; AO, Application Optimization; SIC, Secure Internet Access
  83. Cisco IWAN Product Portfolio: Backup Slides
  84. IWAN Branch Services Routers: ISR 4000 Series, IWAN AX ready, next-generation branch
     • Integrated IWAN services: IOS Firewall, VPN, IPsec, PfRv3, NBAR2, AVC, AppNav, VRF, MPLS; scalable on-chip service provisioning
     • Application centric: app/user policy-driven deployment; APIC-EM automation: deploy in minutes; pay-as-you-grow; up to 75% cost savings
     • Appliance-level performance: service-aware dataplane; resilient service virtualization; multi-gigabit fabric
     • Models and throughput: ISR4321 50/100 Mbps; ISR4331 100/300 Mbps; ISR4351 200/400 Mbps; ISR4431 500 Mbps/1 Gbps; ISR4451 1-2 Gbps
  85. IWAN Aggregation Border Routers: ASR1000, IWAN AX ready, high-performance routers
     • Integrated IWAN services: IOS Firewall, VPN, IPsec, PfRv3, NBAR2, AVC, AppNav, VRF, MPLS; scalable on-chip service provisioning
     • Business-critical resiliency: separate control and data planes; hardware and software redundancy; in-service software upgrades
     • Compact, powerful router: line-rate performance 2.5G to 200G+ with services enabled; crypto performance from 2G to 60G+; flexible I/O: SPAs and Ethernet LCs
     • ASR1001-X: 2.5G upgradeable to 5G, 10G, 20G; up to 8G crypto throughput
     • ASR1002-X: 5G upgradeable to 10G, 20G, 36G; up to 4G crypto throughput
     • Modular ASR1006: modular, redundant up to 200G; up to 60G crypto throughput
  86. Cisco UCS-E Series: extend cloud services into branch infrastructure
     • Support on ISR series routers: IOS, MGF backplane switch, UCS-E blades with hypervisor and CIMC running OS/app virtual machines
     • Platform for WAN edge applications: Microsoft Windows Server and Linux certified
     • Server virtualization: Cisco UCS virtualization powered by VMware, Microsoft, Citrix
     • Dedicated blade management: Cisco Integrated Management Controller; consistent management for the UCS family
     • Multipurpose x86 blades: Cisco UCS E-Series modules; house up to four server blades in an ISR
     • Single-device network integration: house all services in the ISR chassis; multigigabit fabric backplane switch
  87. Cisco UCS E-Series Server Hypervisor and OS Support
     • Hypervisors: VMware vSphere Hypervisor 5.0 update 1, 5.1 and 5.5; Hyper-V (Windows 2008 R2 and 2012, 2012 R2); Citrix XenServer 6.0
     • Microsoft Windows: Windows Server 2008 R2 Standard 64-bit; Windows Server 2008 R2 Enterprise 64-bit; Windows Server 2012, 2012 R2
     • Linux: Red Hat Enterprise Linux 6.2; SUSE Linux Enterprise 11, service pack 2; Oracle Enterprise Linux 6.0, update 2
  88. Why Cisco IWAN? Backup Slides
  89. Intelligent WAN Summary (repeat of slide 42)
  90. IWAN Vision and Strategy
     • Intelligent: secure VPN overlay, any transport, bandwidth efficiency, application SLA
     • Virtualization automation: secure, simple, centralized policy automation
     • Cloud integration: ACI policies, inter-cloud mobility, optimization, AMP
     • Service virtualization: vRouter, vService and app orchestration
     • Self-learning networks: predictive, self-directed
  91. IWAN Vision and Strategy: systems development evolution of IWAN
     • IWAN framework pillars: Transport Independent Design, Intelligent Path Control, Application Optimization, Secure Connectivity, Management & Orchestration
     • Stages: Intelligent, Virtualization Automation, Cloud Integration, Service Virtualization, Self-Learning Networks
     • Incremental improvements while delivering new use cases
  92. SD-WAN Working Group, SD-WAN Top 10 Requirements: Backup Slides
  93. Open Networking User Group
     • Community of IT business leaders who exchange ideas and best practices for implementing Open Networking and Software-Defined Networking (SDN) designs
     • One of the ONUG working groups is the SD-WAN Working Group
     • The SD-WAN working group has determined a set of 10 business requirements (based on user-developed use cases) that enterprises should consider when evaluating SD-WAN solutions
     • Source: http://blogs.cisco.com/enterprise/cisco-intelligent-wan-delivers-on-sd-wan-business-requirements
  94. Top 10 Requirements for SD-WAN (1 to 5)
     • 1. Public and private active-active: ability for a remote site/branch to leverage public and private WANs in an active/active fashion for business applications
     • 2. Physical or virtual CPE: ability to deploy CPE in a physical or virtual form factor on commodity hardware
     • 3. Security and business policies: a secure hybrid WAN architecture that allows dynamic traffic engineering across private and public WAN paths as specified by application policy, prevailing WAN availability and/or degradation of transport-layer or application-layer performance
     • 4. App- and performance-aware dynamic traffic engineering: visibility, prioritization and steering of business-critical and real-time applications in accordance with security and corporate governance and compliance policies
     • 5. Highly available & resilient WAN: a highly available and resilient hybrid WAN environment for optimal client and application experience
  95. Top 10 Requirements for SD-WAN (6 to 10)
     • 6. L2 and L3 interoperability: Layer 2 and 3 interoperability with the directly connected switch and/or router
     • 7. Dashboard reporting: site, application and VPN performance-level dashboard reporting
     • 8. Open API: open north-bound API for controller access and management; ability to forward specific log events to a network event correlation manager and/or Security Incident & Event Manager (SIEM)
     • 9. Zero touch deployment: capability to effect zero touch deployment at a branch site with minimal to no configuration changes on directly connected infrastructure, ensuring agility in provisioning and deployment
     • 10. FIPS 140-2: FIPS 140-2 validation certification for cryptography modules/encryption, with automated certificate life cycle management and reporting