Enabling Business Class Internet with Intelligent WAN (IWAN) TechAdvantage Webinar


Slides from the March 26th TechAdvantage Webinar on Intelligent WAN, or IWAN, and how it leverages the Internet to enhance traditional networks and improve cloud performance. This architecture session explains how organizations can take advantage of low-cost, high-performance Internet services to reduce costs without compromising network reliability, and at the same time improve application performance.
This session discusses the emerging industry trends and business drivers, as well as which Cisco products and technologies are used to build an IWAN. Each technology is explained so that you can design your IWAN to take advantage of the price-performance benefits of the Internet; the session does not go into detail on how to configure an IWAN. Attendees should have a general understanding of enterprise WAN designs, routers and related IOS WAN technologies.
Watch the replay on WebEx: https://cisco.webex.com/ciscosales/lsr.php?RCID=8277b76ec631405bab09dcf2d626a990

Published in: Technology

Transcript

  • 1. Intelligent WAN (IWAN) – Cisco TechAdvantage Webinar, March 26, 2014. Speakers: Jean-Marc Barozet, Technical Leader, and Sumanth Kakaraparthi, Product Manager, Network Operating Systems Technology Group.
  • 2. Housekeeping (© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential)
    • Submit questions in the Q&A panel and send to "All Panelists"; avoid the CHAT window for better access to panelists
    • Please complete the post-event survey
    • For WebEx audio, select COMMUNICATE > Join Audio Broadcast
    • Where can I get the presentation? Send email to ask_techadvantage@cisco.com
    • Join us for upcoming TechAdvantage Webinars: www.cisco.com/go/techadvantage
    • For WebEx call back, click the ALLOW phone button at the bottom of the participants side panel
  • 3. Speakers & Panelists Introduction
    Speakers: Sumanth Kakaraparthi, Product Manager (sukakara@cisco.com); Jean-Marc Barozet, Technical Leader (jbarozet@cisco.com)
    Panelists: Scott Van de Houten, Distinguished Architect (svandeho@cisco.com); Madhavan Arunachalam, Technical Leader (marunach@cisco.com)
  • 4. Mobile Device Network Traffic
    Chart: average number of apps per device* (iOS 7 for iPhone 5), average app size** and OS update file size*** for iOS, Android (Jelly Bean 4.1) and Windows (Windows 7). Values as extracted from the chart: 750 MB, 168 MB, 400 MB (OS update file size); 23 MB, 6 MB, 25 MB (average app size); 41 (apps per device).
    Sources: * http://www.nielsen.com/us/en/newswire/2012/state-of-the-appnation-%C3%A2%C2%80%C2%93-a-year-of-change-and-growth-in-u-s-smartphones.html ** https://www.abiresearch.com/press/average-size-of-mobile-games-for-ios-increased-by- *** http://www.wirelessandmobilenews.com/2013/05/samsung-galaxy-s3-iii-update-android-4.2.1-jelly-bean.html http://theiphonewiki.com/wiki/Firmware#iPad_4 http://answers.microsoft.com/en-us/windows/forum/windows_other-windows_update/what-is-average-monthly-size-of-update-downloads/dfe9bb34-c2dd-478e-a6cb-0a26228cf552
  • 5. Third-Party Lab Test: Chromebook vs. Windows 8 Laptop – Chromebook Creates an Average of 152 Times More Traffic
    • Chromebook creates as much as 692.2 times more network traffic
    • On average, Chromebook creates 152 times more network traffic
    Source: http://principledtechnologies.com/Microsoft/Chromebook_PC_network_traffic_0613.pdf
    Chart: network traffic per task (Document Manipulation, Photo Manipulation, Video Manipulation, Music Manipulation, Web Browsing, Note Taking, Test Taking), Asus VivoBook S200E Notebook vs. Chromebook; bar values omitted.
  • 6. Emerging Branch Demands – Pressures on the WAN
    • The application landscape is changing: applications are moving to the data center and cloud
    • The Internet edge is moving to the branch
    • Cloud: [share not extracted] of CIOs expect to operate via the cloud by 2015
    • Mobility: [figure not extracted] more mobile data traffic by 2015
    • Fat apps: [share not extracted] of mobile traffic will be video
  • 7. Internet Becoming an Extension of Enterprise WAN
    • Commodity transports viable now
    • Dramatic bandwidth and price/performance benefits
    • Higher network availability
    • Improved performance over the Internet
  • 8. Why Move to Internet as WAN? Low-Cost Alternative
    • [share not extracted] of organizations are planning to transition to Internet connections
    Chart: Internet Pricing vs. Reliability, 1998-2012. (1) Internet transit pricing based on surveys and informal data collection primarily from Internet Operations Forums ("street pricing" estimates). (2) Packet delivery based on 15 years of ping data from PingER for WORLD (global server sample) from EDU.STANFORD.SLAC in California. Source: William Norton (DrPeering.net); Stanford ping end-to-end reporting (PingER).
  • 9. …And the Internet Transition Pays Off Fast
    Example: San Francisco, single MPLS VPN vs. dual business Internet ($ per month):
      Service                                            1.5 Mbps   10 Mbps
      iWAN (dual Internet links combined for Ent SLA)      $220      $140
      MPLS VPN CoS3                                        $830      $260
      MPLS VPN CoS2                                        $885      $274
      MPLS VPN CoS1                                      $1,014      $303
    $665 savings/month x 12 months x 1,000 sites = $8M savings per year (-75%)
    Source: Telegeography MPLS VPN pricing for San Francisco as of March 2013; Comcast web site; Verizon web site
  • 10. Intelligent WAN: Leveraging the Internet – Secure WAN Transport and Internet Access
    • Secure WAN transport over MPLS (IP-VPN) and Internet for private and virtual private cloud access
    • Leverage the local Internet path (Direct Internet Access) for public cloud and Internet access
    • Increased WAN transport capacity, cost effectively
    • Improved application performance (right flows to right places)
  • 11. Intelligent WAN Solution Components (branch connected over Internet, MPLS and 3G/4G-LTE to private, virtual private and public clouds, with AVC, WAAS and PfR on the router)
    Application Optimization: • Application visibility with performance monitoring • Application acceleration and bandwidth optimization
    Secure Connectivity: • Certified strong encryption • Comprehensive threat defense • Cloud Web Security for secure direct Internet access
    Intelligent Path Control: • Dynamic application best path based on policy • Load balancing for full utilization of bandwidth • Improved network availability
    Transport Independent: • Consistent operational model • Simple provider migrations • Scalable and modular design • IPsec routing overlay design
  • 12. Intelligent WAN Deployment Models – a consistent VPN overlay enables security across the transition
    Dual MPLS (private): pro – highest SLA guarantees; con – tightly coupled to SP, expensive
    Hybrid (MPLS + Internet): pro – more BW for key applications, balanced SLA guarantees; moderately priced
    Dual Internet (public): pro – best price/performance, most SP flexibility; con – enterprise responsible for SLAs
  • 13. Transport-Independent Design – Simplifying Internet-Based WANs
  • 14. Dynamic Multipoint VPN (DMVPN): Flexible Secure WAN Design Over Any Transport – simplifies WAN design, dynamic full-meshed connectivity, proven robust security
    Flexible: • Easy multi-homing over any carrier service offering • Single routing control plane with minimal peering to the provider • Consistent design over all transports
    Secure: • Automatic site-to-site IPsec tunnels • Zero-touch hub configuration for new spokes • Certified crypto and firewall for compliance • Scalable design with high-performance cryptography in hardware
    (Diagram: ISR-G2 branch over Internet and MPLS to ASR 1000 data center routers)
  • 15. Secure On-Demand Tunnels – Over-the-Top WAN Design with Dynamic Multipoint VPN (DMVPN)
    • Branch spoke sites establish an IPsec tunnel to, and register with, the hub site
    • IP routing exchanges prefix information for each site; BGP or EIGRP are typically used for scalability
    • With the WAN interface IP address as the tunnel source address, the provider network does not need to route customer internal IP prefixes
    • Data traffic flows over the DMVPN tunnels
    • When traffic flows between spoke sites, dynamic site-to-site tunnels are established
    • Per-tunnel QoS is applied to prevent hub site oversubscription to spoke sites
    (Diagram: traditional static tunnels require static, known IP addresses; DMVPN on-demand tunnels work with dynamic, unknown IP addresses. ASR 1000 hub, ISR G2 at Branch 1, Branch 2 … Branch n.)
  • 16. Hybrid WAN Designs – Traditional and IWAN
    Traditional hybrid (GETVPN over MPLS, DMVPN over Internet):
      • Two IPsec technologies: GETVPN/MPLS and DMVPN/Internet
      • Two WAN routing domains: MPLS: eBGP or static; Internet: iBGP, EIGRP or OSPF; requires route redistribution, route filtering and loop prevention
      • Active/standby WAN paths: primary with backup
    IWAN hybrid (DMVPN over both MPLS and Internet):
      • One IPsec overlay: DMVPN
      • One WAN routing domain: iBGP, EIGRP or OSPF
      • Active/active WAN paths
    (Diagram: ISR-G2 branch, SP V for MPLS, ISP A for Internet, ASR 1000 pair at the data center)
  • 17. IWAN Transport Independent Designs – Same Design Over MPLS, Internet, 3G/4G
    • One DMVPN IPsec overlay • One WAN routing domain: iBGP, EIGRP or OSPF • Active/active WAN paths
    IWAN Hybrid: branch ISR-G2 with DMVPN over MPLS (SP V) and DMVPN over Internet (ISP A) to ASR 1000 routers at the data center
    IWAN Dual Internet: branch ISR-G2 with DMVPN over Internet (ISP A, DSL) and DMVPN over Internet (ISP C, cable) to ASR 1000 routers at the data center
  • 18. What if the CPE is Owned and Managed by an MSP?
    • ISR-AX – IWAN Services Gateway
      – Lower cost than overlay appliances
      – Integrated services gateway incl. AX, SEC, UC, Compute
      – Internet path for extra capacity
      – Direct Internet Access for improved SaaS cloud performance
    (Diagram: MSP-managed CPE at the branch in front of the ISR-G2 with AVC, PfR and WAAS; Internet and MPLS to ASR 1000s at the data center)
  • 19. Building Highly Available WANs With Cisco IWAN – Redundancy and Path Diversity Matter
    Single router, single path: 99.95%* (MPLS) or 99.90%* (Internet); downtime per year 4–9 hours (8 hours 46 minutes at 99.90%)
    Single router, dual paths (MPLS + Internet, or Internet + Internet): 99.995%; downtime per year 26 minutes
    Dual routers, dual paths (IWAN solution): 99.999%; downtime per year 5 minutes
    * Typical MPLS and business-grade broadband availability SLAs and downtime per year, calculated with the Cisco AS DAAP tool.
  • 20. Traditional to IWAN Transition – Migration Steps
    Adding DMVPN to the MPLS WAN; replacing a WAN service with an Internet service; other interesting IWAN topologies (diagram of steps 0–5: dual MPLS, MPLS + Internet, Internet + Internet, Internet + 3G/4G-LTE, MPLS + 3G/4G-LTE).
  • 21. IWAN Transport Best Practices
    • Private peering with Internet providers
      – Use the same Internet provider for hub and spoke sites
      – Avoids Internet Exchange bottlenecks between providers
      – Reduces round-trip latency
    • DMVPN
      – DMVPN Phase 2 for dynamic tunnels with PfR
      – Separate DMVPN network per provider for path diversity
      – Per-tunnel QoS
    • Transport settings
      – Use the same MTU size on all WAN paths
      – Bandwidth settings should match the offered rate
      – Use a front-side VRF to separate Internet and internal default routes
    • Internet security
      – Firewalls or access lists to only permit DMVPN tunnel traffic
      – The hub tunnel IP address should not be registered in DNS, to hide it
    • Routing overlay
      – iBGP or EIGRP for high scale (1000+ sites)
      – Single routing process, simplified operations
    (Diagram: IWAN Hybrid with DMVPN Purple over MPLS (SP V) and DMVPN Green over Internet (ISP A))
  • 22. Intelligent Path Control – Performance Routing (PfR)
  • 23. Getting the Most Out of Your WAN Investment – Benefits of Intelligent Path Control
    • Enabling Internet-based WANs
    • Efficient distribution of traffic based upon load, circuit cost and path preference
    • Per-application best path based on delay, loss and jitter measurements
    • Protection from carrier black holes and brownouts
    • Lower WAN costs
    • Full utilization of all WAN bandwidth
    • Improved application performance
  • 24. Intelligent Path Control with PfR – Voice and Video Use Case
    • PfR monitors network performance and routes applications based on application performance policies
    • PfR load balances traffic based upon link utilization levels to efficiently utilize all available WAN bandwidth
    Voice/video takes the best delay, jitter and/or loss path and is rerouted if the current path degrades below policy thresholds; other traffic is load balanced to maximize bandwidth.
  • 25. Performance Routing Components
    The decision maker: Master Controller (MC)
      § Applies policy, verification, reporting
      § No packet forwarding/inspection required
    The forwarding path: Border Router (BR)
      § Gains network visibility in the forwarding path (learn, measure)
      § Enforces the MC's decision (path enforcement)
    Optimize by: reachability, delay, loss, jitter, MOS, throughput, load and/or $cost
    (Diagram: data center with MC and two BRs; branch with combined MC+BR over DSL and cable)
  • 26. How PfR Works – Key Operations
    Define your traffic policy: identify traffic classes based on applications or transport classifiers
    Learn the traffic: learn traffic classes flowing through Border Routers (BRs) based on your policy definitions
    Measurement: measure the traffic flow and network performance actively or passively and report metrics to the Master Controller
    Path enforcement: the Master Controller commands path changes based on your traffic policy definitions
  • 27. Performance Routing – Control Loop
    1. Learn your traffic classes: • Prefix-based flows • ACL-based flows • Application flows
    2. Measure: • Network performance – passive: NetFlow data (throughput); active: IP SLA probes (jitter, delay) • Network availability – reachability and topology info via routing processes
    3. Apply your traffic policy: • Compute path performance • Compare to the defined policy per traffic class. Passive mode: BW, delay (TCP), loss (TCP); active mode: delay, loss, jitter, MOS
    4. Select path: • Send the good path to BRs for each traffic class • BRs inject the best path into the FIB • Gather new path performance info
    5. Verify new path: • Verify traffic is flowing on the new path • Revert to the previous path if performance remains out of policy
  • 28. Learning Traffic Classes (TCs)
    • PfR operates on traffic classes flowing through BRs
    • A traffic class is a subset of the traffic, defined by policy, that is to be optimized
    • Traffic class performance metrics are collected per path
    • PfR can learn traffic classes in two ways
      – Automatic: dynamically learn flows that match TC definitions
      – Configuration: user-defined traffic classes and prefixes to optimize
    • Traffic classes can be identified using:
      – IP prefixes
      – ACL classes (e.g., well-known ports, CoS markings)
      – Application classes (e.g., NBAR)
    Example of a traffic class list:
      BR   Dest. IP      DSCP   AppID   Delay   Loss   Jitter   BW
      …    10.2.2.0/24   EF     …       …       …      …        …
  • 29. Measuring Network and Application Performance
    • Passive measurement
      – For data or best-effort applications
      – Ingress/egress bandwidth and TCP loss and delay derived from NetFlow
    • Active measurement
      – For video, voice and delay-sensitive data applications
      – Path jitter, delay, loss and MOS derived from IP SLA synthetic traffic probes
    • PfR automatically enables NetFlow and IP SLA: no knowledge or configuration experience needed
    • MC performance database to determine policy enforcement actions
    • Dedicated IP SLA responder to offload probing from the branch in large deployments
    Example performance table:
      Destination Prefix   DSCP   App Id   Delay   Jitter   Loss   Ingress BW   Egress BW   BR    Exit
      10.1.1.1/32          EF              60      10       0      20           40          BR1   Gi1/1
      10.1.10.0/24         AF31            110     15       0      52           60          BR1   Gi1/2
      …                    0               89      26       1      34           10          BR2   Gi1/1
    (Diagram: branch MC+BR probes over DSL and cable; IP SLA responder at the data center responds)
  • 30. Defining Application Performance Policy
    • Choose your policy actions for various traffic classes
    • Alternate path selection based on flexible criteria: link load balancing (max utilization), link-group path preference, bandwidth costs ($), application reachability, delay, loss, MOS, jitter
    Example:
      Voice/Video: 1. Link-Group: Path-A 2. Loss 3. Jitter 4. Delay
      Critical Application: 1. Link-Group: Path-B 2. Loss 4. Delay
      Remaining traffic: load-balance
  • 31. Path Enforcement
    • The master controller monitors traffic classes and BR exit links for out-of-policy conditions
    • The appropriate enforcement method is determined automatically by the MC
    • The MC commands the BRs to enforce path changes for policy compliance
    Destination prefix based:
      § BGP – egress: route injection or modifying the BGP Local Preference attribute; ingress: BGP AS-PATH prepend or AS community
      § EIGRP route control
      § Static route injection
      § Protocol Independent Route Optimization (PIRO) with PBR injection
    Application based:
      § Dynamic PBR
      § NBAR/CCE
  • 32. Use Case #1 – Load Balancing: Maximizing Link Utilization to Increase Available Bandwidth
    • External link load balancing is enabled by default
    • PfR distributes traffic across a set of links to maintain efficient utilization levels within a defined percentage range; the default utilization range is +/- 20%
    • External links can have different available bandwidth, e.g., Int 1/0 = 1.5 Mbps, Int 1/1 = 15 Mbps (50% of a T1 = 750 kbps; 50% of 15 Mbps = 7.5 Mbps)
    • Load balancing defaults can be modified by CLI: utilization range; max utilization 90%
  • 33. Use Case #2 – Cisco Intelligent WAN Use Case Example
    Topology: HUB1 and HUB2 (ASR1002-X, each with MC and BR, plus an IP SLA responder); 650 branches (ISR 890 / ISR 810) with 2 traffic classes; DMVPN over FTTH (100M down / 10M up) and DMVPN over ADSL (20M down / 2M up)
    Requirements:
      • Broadband Internet to reduce WAN transport costs
      • Dual-ISP design to improve availability
      • Protect multimedia applications from Internet brownouts
      • Load balance traffic to maximize WAN bandwidth utilization
    Solution overview:
      1. Policies:
        – Voice/Video: delay < 200 ms, jitter < 30 ms, preferred path = FTTH
        – Data: load balance, max link utilization 90%
      2. DMVPN for a secure, IPsec, transport-independent design
        – Per-tunnel QoS at the hub to minimize branch bandwidth oversubscription
        – Site-to-site dynamic tunnels to reduce latency for multimedia applications
      3. Performance Routing (PfR) to protect apps and maximize bandwidth
      4. Advanced QoS to prioritize critical applications during congestion
      5. Prime Plug-n-Play automated deployment to simplify and expedite branch rollout
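The PfR control loop of slide 27 (measure, apply policy, select path), the policy ordering of slide 30 and the load-balancing defaults of slide 32, applied to the slide 33 use-case policies, as a constructed Python model. This is an added example, not Cisco's code or configuration; the path names FTTH/ADSL and the thresholds come from the slides, while the measurements, bandwidth figures and function names are assumptions.

```python
"""Toy model of the PfR control loop (slide 27) applied to the slide 33 policies.

Constructed example for this transcript, not Cisco's implementation.
Path names FTTH/ADSL and the thresholds come from slide 33; the measurements
and the bandwidth figures below are invented sample input.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class PathStats:
    """Per-exit measurements a BR reports to the MC (slide 29)."""
    delay_ms: float
    jitter_ms: float
    loss_pct: float
    bandwidth_kbps: float      # configured link bandwidth
    load_kbps: float = 0.0     # current egress load on the exit


@dataclass
class Policy:
    """Thresholds for one traffic class; None means 'not a criterion'."""
    max_delay_ms: Optional[float] = None
    max_jitter_ms: Optional[float] = None
    max_loss_pct: Optional[float] = None
    preferred_path: Optional[str] = None


def in_policy(stats: PathStats, pol: Policy) -> bool:
    """Step 3: compare a path's measurements against the traffic policy."""
    checks = [
        (pol.max_delay_ms, stats.delay_ms),
        (pol.max_jitter_ms, stats.jitter_ms),
        (pol.max_loss_pct, stats.loss_pct),
    ]
    return all(limit is None or value < limit for limit, value in checks)


def select_path(pol: Policy, paths: Dict[str, PathStats], current: str) -> Tuple[str, bool]:
    """Step 4: pick the exit for one traffic class; returns (exit, changed).

    Order mirrors the slide 30 policy list: the preferred link-group wins
    when it is in policy, an in-policy current path is kept (no needless
    reroute), otherwise the best in-policy alternative by loss, then jitter,
    then delay. With no in-policy path at all the class stays where it is.
    """
    candidates = [name for name, stats in paths.items() if in_policy(stats, pol)]
    if pol.preferred_path in candidates:
        return pol.preferred_path, pol.preferred_path != current
    if current in candidates:
        return current, False
    if candidates:
        best = min(candidates, key=lambda n: (paths[n].loss_pct, paths[n].jitter_ms, paths[n].delay_ms))
        return best, best != current
    return current, False


def utilization(stats: PathStats) -> float:
    return stats.load_kbps / stats.bandwidth_kbps


def balance_needed(paths: Dict[str, PathStats], range_pct: float = 0.20, max_util: float = 0.90) -> bool:
    """Slide 32 defaults: exits are out of policy when one exceeds the max
    utilization or when utilizations differ by more than the +/- 20% range."""
    utils = [utilization(s) for s in paths.values()]
    return max(utils) > max_util or (max(utils) - min(utils)) > range_pct


def balance_data_tc(tc_kbps: float, paths: Dict[str, PathStats], current: str,
                    range_pct: float = 0.20, max_util: float = 0.90) -> str:
    """Move a load-balanced data TC to the exit that ends up least utilized."""
    if not balance_needed(paths, range_pct, max_util):
        return current

    def util_after(name: str) -> float:
        extra = 0.0 if name == current else tc_kbps
        return (paths[name].load_kbps + extra) / paths[name].bandwidth_kbps

    return min(paths, key=util_after)


def run_example() -> Tuple[str, str, bool, str]:
    """Walk the loop through a healthy state, a brownout and a load imbalance."""
    # Constructed measurements for one branch with two DMVPN exits (slide 33).
    paths = {
        "FTTH": PathStats(delay_ms=40, jitter_ms=5, loss_pct=0.0, bandwidth_kbps=10_000, load_kbps=8_500),
        "ADSL": PathStats(delay_ms=90, jitter_ms=12, loss_pct=0.2, bandwidth_kbps=2_000, load_kbps=400),
    }
    voice = Policy(max_delay_ms=200, max_jitter_ms=30, preferred_path="FTTH")

    healthy, _ = select_path(voice, paths, current="FTTH")          # stays on FTTH
    paths["FTTH"].jitter_ms = 45                                     # brownout: jitter > 30 ms
    rerouted, changed = select_path(voice, paths, current="FTTH")    # moves to ADSL
    data_exit = balance_data_tc(1_000, paths, current="FTTH")        # 85% vs 20%: rebalance
    return healthy, rerouted, changed, data_exit


if __name__ == "__main__":
    print(run_example())
```

Step 5 of the loop (verifying the new path and reverting if it also stays out of policy) is just another call to select_path on the next measurement cycle with the new exit as current.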
  • 34. PfR Scale and Performance
    Scale:
      Typical policies: 2 TCs per site, 650 branches – sufficient for protecting a voice/video TC and load balancing all data traffic
      Advanced policies: 4 TCs per site, 300 branches – multiple application policies and load balancing
      Max TCs: 18K concurrent – ASR1002-X highest-scale MC and BR
    Recommended hardware:
      Hub or DC: ASR1002-X – dedicated PfR MC, PfR BR + DMVPN hub
      Hub or DC: ISR 3945E – dedicated IP SLA shadow router
      Branch: ISR 892 FSP, ISR1900 or better, ASR1001 or better – branch MC/BR + DMVPN spoke
  • 35. PfR Evolution – Simplification and Scale
    PfR/OER: • Internet edge • Basic WAN • Provisioning per site per policy • 1000s of lines of config
    PfRv2 (today): • Policy simplification • App path selection • Blackout ~6 s • Brownout ~9 s • Scale 500 sites • 10s of lines of config
    PfRv3 (summer 2014): • Centralized provisioning • AVC infrastructure • VRF awareness • Blackout ~2 s • Brownout ~2 s • Scale 2000 sites • Hub config only
  • 36. Introducing "Enterprise Domain"
    Domain global control, local monitoring, single-touch provisioning, auto-discovery; Cisco ISR G2 and ASR 1000 at branch/campus sites, managed through APIC-EM; full AVC (future); path optimization
  • 37. Service Exchange – Peering & Coordination at the WAN Edge
    Enterprise Domain: automatic discovery, single-touch provisioning
    Application based: the network discovers the apps (NBAR2) or classifies based on DSCP
    Passive monitoring: collect application performance using Unified Performance Monitors (AVC infrastructure)
    Smart probing: smart probes for discovery, also used if there is no traffic
    Remote feedback: performance measured on ingress at the remote site; performance feedback sent to peers
    Learning / QoS synthesis: the WAN edge peers, learns the SP SLA (per DSCP) and manages congestion (local CAC*, remote CAC*)
    * Not available at FCS
  • 38. Collecting Application Performance
  • 39. Today's Network is an IT Blind Spot
    • Static port classification is no longer enough
    • More and more apps are opaque
    • Increasing use of encryption and obfuscation
    • An application consists of multiple sessions (video, voice, data)
    • What if user experience is not meeting business needs?
  • 40. Application Classification – Deep Packet Inspection (DPI) with Next Generation NBAR2
    NBAR2 combines IOS NBAR (+150 signatures) and SCE classification (+1000 signatures) with innovations: native IPv6 classification, open API, 3rd-party integration
    • Provides advanced application classification and field extraction capabilities
    • In-service upgradable protocol definitions: no IOS upgrade or reboot for new Protocol Packs
    • Backward compatibility to preserve existing NBAR investments
    • NBAR2 protocol list: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html
  • 41. Add Application Visibility – Add Unified Performance Monitor (Cisco AVC)
    60% of IT professionals cite performance as a key challenge for cloud
    No probes: • Deep packet inspection • Passive monitoring for voice, video, critical apps and best-effort apps • No additional hardware (included in the AX license)
    Smart capacity planning: • Better use of costly bandwidth • Per-branch and per-application level reporting
    Business-aligned privacy enforcement: • No need for complex IP and port ACLs • See inside HTTP flows to identify specific cloud applications
  • 42. Performance Collection & Exporting – integrated performance monitoring and advanced metrics for different types of applications and use cases
    Basic monitoring: what applications, how much bandwidth, flow direction? (Flexible NetFlow and NBAR/NBAR2)
    Advanced monitoring: voice and video performance (media monitoring) – 30% of traffic is voice and video; critical application performance (application response time) – 40% of traffic is critical applications
  • 43. Evolving to Unified Monitoring
    Previous model (IOS): certain metrics are available only from certain features, so multiple features must be configured, each with separate provisioning and exporting – Flexible NetFlow (FNF) for traffic stats records (app usage, top talker), Performance Agent (PA) for ART records (app response time), PerfMon for media records (voice/video perf); export via NetFlow v9 or IPFIX
    Unified model: all metrics are available within a single feature with single provisioning and exporting (NetFlow v9 / IPFIX) – the current model for IOS XE, and new in IOS 15.4(1)T
  • 44. Report Application Flows and Performance Using a Standard – NetFlow v9 or IPFIX
    NetFlow/IPFIX records (same provisioning, same format): • Traffic statistics records • Application response time records • Media monitoring records (application, jitter, loss, etc.)
    Partner tools ecosystem: ActionPacked, Glue, Plixer, Living Objects, CompuWare, CA Technologies, InfoVista
    (Diagram: AVC at the branch, enterprise edge and DC/headquarters, CSR in the cloud, exporting over the WAN)
  • 45. For Your Reference
  • 46. DMVPN Network QoS Design
    • Remark DSCP on egress to align with each SP's SLA class-of-service requirements
    • H-QoS with shaping to the offered rate on egress
    • Hub per-tunnel QoS to minimize spoke oversubscription
    Marking flow: the packet is initially marked DSCP CS5; by default the DSCP value is copied to the IPsec header; the top-most DSCP is remarked on egress (to AF41 in the example below); the packet is decapsulated at the far end to reveal the original DSCP.
    Example configuration (the set ip dscp af41 remarks the DSCP value of the encrypted/encapsulated header on the egress interface):
      policy-map WAN-OUT
       class VOICE
        priority percent 10
       class VIDEO-INTERACTIVE
        priority percent 23
        set ip dscp af41
       class NETWORK-MGMT
        bandwidth percent 5
        service-policy MARK-BGP
       class class-default
        bandwidth percent 25
        random-detect
      !
      policy-map Int-Gig-Agg-HE
       class class-default
        shape average 1000000000
        service-policy WAN-OUT
  • 47. Add WAN Optimization – Speed and Bandwidth Benefits on Top of the IWAN
    Faster applications, more users, less bandwidth: • 90% HD video optimization and better user experience • Twice as many Citrix users over the same WAN, 70% faster • Toyota: ROI in less than one year, 65% BW cost savings
    Easy to deploy: • Works with existing branch routers (and the existing AX license)
    Scalable: • AppNav controller and WAVE pool are scalable • Native HA capability
    (Diagram: vWAAS and WAAS Express at the branch, AppNav-XE controller, CSR and WAVE at DC/headquarters; accelerate any TCP connection)
  • 48. Secure Internet Access
  • 49. Securing the IWAN
    • Step 1: Secure transport
      – IPsec with DMVPN overlay: secure, transport-independent overlay
      – Add strong cryptography: IKEv2 + AES-GCM 256
    • Step 2: Threat defense
      – IOS Zone-Based Firewall
      – Minimize exposure: DHCP addressing for Internet and tunnel interfaces; don't put tunnel addresses into DNS
    • Step 3: Choose your performance level
      – Size the router based on encryption with services and WAN bandwidth
      – Head-end: ASR1000 or ISR4451X
      – Branch: ISR-G2
    (Diagram: branch ISR-G2 with IPsec VPN and firewall over DSL (ISP A) and cable (ISP C) to ASR 1000s at the data center)
  • 50. Intelligent WAN – Direct Internet Access
    • Leverage the local Internet path for public cloud and Internet access
    • Improve application performance (right flows to right places)
    (Diagram: branch with MPLS (IP-VPN) and Internet paths; private, virtual private and public cloud)
  • 51. Add Network Integrated Threat Defense – IOS Zone-Based Firewall
    • Control the perimeter:
      – External and internal protection: the internal network is no longer trusted
      – Protocol anomaly detection and stateful inspection
    • Communicate securely:
      – Call flow awareness (SIP, SCCP, H323)
      – Prevent DoS attacks
    • Flexible:
      – Split tunnel – branch/remote office/store/clinic
      – Internal FW – international or untrusted locations/segments; addresses regulatory compliance
    • Integrated:
      – No need for additional devices, expenses and power
      – Works with other Cisco services: SRE, ScanSafe, WAAS Express
    • Manageable:
      – Supports CLI, SNMP, CCP and CSM
      – Supports Cisco Configuration Engine
  • 52. Secure Internet Access with Cisco Cloud Web Security (CWS) – Secure Public Cloud and Internet Access
    The ISR connector sends web traffic to the CWS towers for web filtering, access policy and malware detection; the IWAN IPsec VPN carries private cloud traffic over WAN1 (IP-VPN) and WAN2 (Internet); the IOS firewall protects the Internet edge.
  • 53. Cisco ISR CWS Connector – How it Works
    (Diagram: HQ routes via the WAN tunnel over MPLS (IP-VPN); default route via the branch DSL interface and the CWS connector to the Internet)
    Cisco ISR G2 with CWS Cloud Connector – functions:
      • Authenticate router and client to the CWS cloud
      • Intercept HTTP/HTTPS traffic based on ACL filters
      • Add a user credentials header identifying the policy to be applied
      • Traffic relay: replace the client source IP address with the egress address
      • Redirect to CWS for scanning
      • Act as HTTP proxy to complete requests
      • Allow/block or warn based on user or group policy
      • Scan for malware
  • 54. IWAN Management
  • 55. Cisco IWAN Management Automates Deployment and Lifecycle Management
    Cloud-based management: • Speed: eliminates manual building of WANs • Agility: quick configuration updates and IOS upgrades • Dynamic: compatible with onePK for app-aware WANs • Reduced OPEX: automated WAN orchestration • Cost savings: centralized hybrid WAN management
    Specialized management – application-aware network performance management: • Integrates with Cisco Application Visibility and Control • Monitor and analyze app-level traffic • End-to-end flow visualization • Troubleshoots hop-by-hop to pinpoint the source • Fix and verify QoS and app in real time
    On-prem management – Cisco Prime (enterprise and integrator lifecycle management): • Lifecycle: simplified deployment and configuration • Configuration: Plug and Play deployment automation • Health assurance: improved application delivery • Compliance: regulatory requirements and best practices
  • 56. Cisco APIC – Enterprise Module Architecture
    Abstracts network devices to mask complexity; treats the network as a system; exposes network intelligence for business innovation.
    Layers: network devices (Catalyst, ASR, ISR) reached via CLI, OpenFlow and onePK API; network info database; policy infrastructure; automation (QoS); REST API for third parties.
  • 57. Summary
  • 58. Why Cisco IWAN
    Proven security at scale: • Any-to-any security • Protect all branch resources • Secure Direct Internet Access
    Unmatched context-based routing: • App-aware • Endpoint-aware • Network-aware
    Quick ROI, faster than alternatives: • Savings enable business innovation • Many pay off in [period not extracted]
    Granular control everywhere: • Branch: ISR-AX • DC: ASR1K-AX • Cloud: CSR1000V
    Integrated platform for IT simplicity: up to [figure not extracted] in savings. The alternative: overlay appliances for app visibility and control, IPsec VPN, WAN optimization, firewall and WAN path selection in front of the router.
  • 59. Start with Cisco AX Routers – IWAN Capabilities Embedded in the Router
    Transport-independent secure routing (ASR1000-AX, ISR-AX); simplify application delivery on one network with unified services: visibility, control, optimization
    Cisco AX routers: 3900 | 2900 | 1900 | 800 | 4451 | ASR1002-X
  • 60. Closing
    • Thank you!
    • Please complete the post-event survey
    • Join us for upcoming webinars; register at www.cisco.com/go/techadvantage
    • Follow us @GetYourBuildOn
