Intelligent wan
Published in: Technology
  1. Cisco Intelligent WAN: Enabling the Next-Generation Branch. Technical Overview. David Prall, Communications Architect, dprall@cisco.com, CCIE 6508 (R&S/SP/Security)
  2. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation ID
     Agenda
     • IWAN Architecture Overview
     • Transport Independence
     • Intelligent Path Control
     • Application Optimization
     • Secure Connectivity
     • Orchestration & Automation
     • Product Portfolio
     • Closing – Why IWAN?
  3. What If Your WAN Can…
     • Pinpoint application issues instantly (hours → minutes): improve your application performance
     • Increase WAN utilization (1x → 2x–20x): deliver more bandwidth for lower cost
     • Consistent security policies (backhaul → local & cloud): ensure security over any connection
     • Simplify operations (device-by-device → system): reduce network complexity
  4. Internet as an Extension of Enterprise WAN
     • Commodity transports viable now
     • Dramatic bandwidth and price/performance benefits
     • Higher network availability
     • Improved Internet performance
  5. Intelligent WAN: Leveraging the Internet. Secure WAN Transport and Internet Access
     (Diagram: Branch connected over MPLS (IP-VPN) and Internet; Optimized Secure Transport to Private Cloud and Virtual Private Cloud; Branch Direct Cloud Access to Public Cloud)
     1. IWAN secure transport for private and virtual private cloud access
     2. Leverage local Internet path for public cloud and Internet access
     ✓ Increase WAN transport capacity and app performance cost effectively!
     ✓ Improve application performance (right flows to right places)
  6. Intelligent WAN: So What is New Here?
     (Diagram: Branch connected over MPLS (IP-VPN) and Internet; Optimized Secure Transport to Private Cloud and Virtual Private Cloud; Branch Direct Internet Access to Public Cloud)
     1. IWAN secure transport for private and virtual private cloud access
     2. Leverage local Internet path for public cloud and Internet access
     ✓ Increase WAN transport capacity and app performance cost effectively!
     ✓ Improve application performance (right flows to right places)
     • Mixed transport WANs with High Reliability
     • Service Levels for Business-Critical Applications
     • Centralized Security Policy for Internet Access
     • Dramatically Lower WAN Costs Without Compromise
  7. Intelligent WAN Deployment Models
     (Diagram: Branch to Enterprise and Public networks over each transport pair; a consistent VPN overlay enables security across the transition)
     • Dual MPLS: ✓ Highest SLA guarantees – tightly coupled; ✗ Expensive
     • Hybrid (MPLS + Internet): ✓ More BW for key applications; ✓ Balanced SLA guarantees – moderately priced
     • Dual Internet: ✓ Best price/performance; ✓ Most SP flexibility – enterprise responsible for SLAs
  8. Intelligent WAN (IWAN) Architecture
     (Diagram: Enterprise and Unified Branch connected over MPLS, Internet and 3G/4G-LTE to Private Cloud, Virtual Private Cloud and Public Cloud)
     • Application Optimization: Enhanced Application Visibility and Performance
     • Secure Connectivity: Comprehensive Threat Defense
     • Intelligent Path Control: Application Aware Routing
     • Transport Independence: Simplified Hybrid WAN
     • Management Automation
  9. IWAN: An Architectural and Systems Approach
     • IWAN is a Solution Architecture
     • Solves a network problem
     • Use Case Driven
     • Systems Development Approach
     • Prescribed. Tested. Interoperable.
     • Bounded Scope and Complexity
     • Enables Automation and Quality
     • Delivers Business Outcomes
     • Reduce Operational Complexity
     • Reduce WAN costs, Increase bandwidth
     • Improve Application Performance
     • Direct Cloud Access
     • Guest Access Offload
  10. Transport Independence: Virtualizing the Enterprise WAN
  11. Transport-Independent: Simplifies WAN Design. Secure IWAN Over Any Transport
     (Diagram: Branch ISR over Internet and MPLS WAN to a Data Center ASR 1000 pair)
     Flexible (dynamic full-meshed connectivity):
     • Easy multi-homing over several providers
     • Single routing control plane over the top of provider networks
     • Consistent design over all WAN service offerings
     • Scalable hub-n-spoke and full mesh topologies
     Secure (proven robust security):
     • Industry certified security compliance
     • Scalable high-performance cryptography in hardware
  12. IWAN Transport Independence: Consistent deployment models simplify operations
     (Diagram: IWAN Hybrid: Branch ISR with DMVPN over Internet (ISP A) and MPLS (SP B) to Data Center ASR 1000s; IWAN Hybrid/LTE: Branch with DMVPN over 4G/LTE (ISP C) and MPLS (SP B); IWAN Dual MPLS: Branch with DMVPN over MPLS (SP A) and MPLS (SP B))
  13. Building Highly Resilient WANs: Redundancy and Path Diversity Matter
     • Single router, single path: 99.95%* (MPLS) or 99.90%* (Internet); downtime per year 4–9 hours; 8 hours 46 minutes
     • Single router, dual paths (MPLS + Internet): 99.995%; downtime per year 26 minutes
     • Dual routers, dual paths (IWAN solution): 99.999%; downtime per year 5 minutes
     * Typical MPLS and Business Grade Broadband availability SLAs and downtime per year, calculated with the Cisco AS DAAP tool.
  14. IWAN Transport Independent Design with Dynamic Multipoint VPN (DMVPN)
     (Diagram: IWAN Hybrid: Branch with DMVPN Purple over Internet (ISP A) and DMVPN Green over MPLS (SP B) to Data Center)
     • Proven IPsec VPN technology
       – Widely deployed, large scale
       – Standards based IPsec and routing
       – Advanced QoS: hierarchical, per tunnel and adaptive
     • Flexible & Resilient
       – Over any transport: MPLS, Carrier Ethernet, Internet, 3G/4G, …
       – Hub-n-spoke with dynamic full mesh topology
       – Multiple encryption, key management, routing options
       – Multiple redundancy options: platform, hub, transports
     • Secure
       – Industry certified IPsec and firewall
       – NG strong encryption: AES-GCM-256 (Suite B)
       – IKE version 2
       – IEEE 802.1AR secure unique device identifier
     • Simplified IWAN Deployments
       – Prescriptive validated IWAN designs
       – Automated provisioning – Prime, IWAN-App, Glue
  15. Secure On-Demand Tunnels: Over-the-Top WAN Design with Dynamic Multipoint VPN (DMVPN)
     (Diagram: traditional static tunnels between static, known IP addresses versus DMVPN on-demand tunnels between dynamic, unknown IP addresses; Hub ASR 1000 with IPsec VPN to Branch 1, Branch 2 … Branch n on ISR G2)
     • Branch spoke sites establish a DMVPN tunnel with IPsec encryption to, and register with, the hub site
     • IP routing exchanges prefix information for each site; BGP or EIGRP are typically used for scalability
     • The WAN interface address is used as the tunnel address, so the provider network does not need to know or route customer internal IP prefixes
     • Data traffic flows over the DMVPN tunnels
     • When traffic flows between spoke sites, the hub assists the spokes to establish a site-to-site tunnel
     • Per-tunnel QoS is applied to prevent the hub site from overrunning spoke sites
  16. DMVPN: How it Works
     • Spokes build a dynamic permanent GRE/IPsec tunnel to the hub, but not to other spokes. They register as clients of the NHRP server (hub) and register their NBMA address
     • Active-active redundancy model: two or more hubs per spoke; all configured hubs are active and are routing neighbors with spokes
     • Routing protocol routes are used to determine traffic forwarding
     • A spoke will initially send a packet to a destination (private) subnet behind another spoke via the hub, and the hub will send it an NHRP redirect
     • The redirect triggers the spoke to send an NHRP query for the data packet destination address behind the destination spoke
     • The destination spoke initiates a dynamic GRE/IPsec tunnel to the source spoke (it now knows its NBMA address) and sends the NHRP reply
     • The dynamic spoke-to-spoke tunnel is built over the same mGRE tunnel interface
     • When traffic ceases, the spoke-to-spoke tunnel is removed
     (Diagram: Dual DMVPN design, single mGRE tunnel on each hub, two mGRE tunnels on each spoke. Hub endpoints: physical 172.17.0.1 with Tunnel0 10.0.0.1, physical 172.17.0.5 with Tunnel1 10.0.1.1, hub LAN 192.168.0.0/24. Spokes have dynamic physical addresses with Tunnel0/Tunnel1 addresses 10.0.0.11/10.0.1.11 and 10.0.0.12/10.0.1.12; spoke LANs 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24, router at .1 in each)
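The spoke-to-spoke tunnel build-up on slide 16 (registration, redirect, resolution, shortcut, idle teardown) as a small simulation. This is an added example, not Cisco code; it reuses the slide's tunnel and LAN addresses, while the spoke NBMA addresses (198.51.100.x), the hub LAN and the 120-second idle timeout are assumptions.

```python
"""Simulation of DMVPN Phase 3 spoke-to-spoke tunnel set-up: the hub is the
NHRP server, a first packet is hairpinned through the hub and triggers an
NHRP redirect, the source spoke resolves the destination, the destination
spoke replies directly and both sides install a shortcut that is torn down
when traffic stops.  Added example, not Cisco code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

IDLE_TIMEOUT = 120  # seconds without traffic before a spoke-to-spoke tunnel is removed (assumed)


@dataclass
class Spoke:
    name: str
    tunnel_ip: str                 # address on the mGRE tunnel interface (from the slide)
    nbma: str                      # physical/provider address; dynamic on the slide, constructed here
    lan: str                       # private subnet behind the spoke
    shortcuts: dict = field(default_factory=dict)   # dst prefix -> (peer tunnel ip, peer nbma)
    last_used: dict = field(default_factory=dict)   # dst prefix -> time of last packet


class Dmvpn:
    """One hub (NHRP server) with registered spokes on a single mGRE cloud."""

    def __init__(self, hub_nbma, hub_tunnel_ip, hub_lan):
        self.hub_nbma, self.hub_tunnel_ip = hub_nbma, hub_tunnel_ip
        self.nhrp = {}                           # hub NHRP cache: tunnel ip -> nbma
        self.routes = {hub_lan: hub_tunnel_ip}   # prefix -> tunnel ip of the next hop
        self.spokes = {}

    def register(self, spoke):
        """Spoke brings up its permanent tunnel to the hub and registers its NBMA address."""
        self.spokes[spoke.tunnel_ip] = spoke
        self.nhrp[spoke.tunnel_ip] = spoke.nbma
        self.routes[spoke.lan] = spoke.tunnel_ip      # routing protocol advertises the spoke LAN
        return f"NHRP registration: {spoke.tunnel_ip} -> {spoke.nbma}"

    def _route(self, dst):
        for prefix, nh in self.routes.items():
            if ip_address(dst) in ip_network(prefix):
                return prefix, nh
        raise LookupError(f"no route to {dst}")

    def forward(self, src_name, dst, now):
        """Forward one packet from a spoke LAN; returns (path taken, list of control messages)."""
        src = next(s for s in self.spokes.values() if s.name == src_name)
        self.expire(now)
        prefix, nh = self._route(dst)
        log = []
        if prefix in src.shortcuts:                 # dynamic spoke-to-spoke tunnel already up
            src.last_used[prefix] = now
            _, peer_nbma = src.shortcuts[prefix]
            return f"direct {src.nbma} -> {peer_nbma}", log
        log.append(f"{src.name} -> hub ({self.hub_nbma}): data for {dst}")
        if nh == self.hub_tunnel_ip:                # destination is behind the hub itself
            return "via hub (destination behind hub)", log
        dst_spoke = self.spokes[nh]
        log.append(f"hub -> {dst_spoke.name} ({dst_spoke.nbma}): data for {dst}")
        # Packet entered and left the same mGRE interface: hub sends an NHRP redirect.
        log.append(f"hub -> {src.name}: NHRP redirect (traffic indication) for {dst}")
        # Source spoke resolves the destination; the request travels via the hub.
        log.append(f"{src.name} -> hub -> {dst_spoke.name}: NHRP resolution request {dst}, "
                   f"source NBMA {src.nbma}")
        # Destination spoke now knows the source NBMA address, builds the tunnel, replies directly.
        dst_spoke.shortcuts[src.lan] = (src.tunnel_ip, src.nbma)
        dst_spoke.last_used[src.lan] = now
        log.append(f"{dst_spoke.name} -> {src.name} ({src.nbma}): NHRP resolution reply "
                   f"{prefix} via {dst_spoke.tunnel_ip}/{dst_spoke.nbma}")
        src.shortcuts[prefix] = (dst_spoke.tunnel_ip, dst_spoke.nbma)
        src.last_used[prefix] = now
        return "via hub (shortcut installed)", log

    def expire(self, now):
        """Tear down spoke-to-spoke tunnels idle for more than IDLE_TIMEOUT seconds."""
        for s in self.spokes.values():
            for prefix in [p for p, t in s.last_used.items() if now - t > IDLE_TIMEOUT]:
                del s.shortcuts[prefix], s.last_used[prefix]


if __name__ == "__main__":
    net = Dmvpn("172.17.0.1", "10.0.0.1", "192.168.0.0/24")
    net.register(Spoke("spoke1", "10.0.0.11", "198.51.100.11", "192.168.1.0/24"))
    net.register(Spoke("spoke2", "10.0.0.12", "198.51.100.12", "192.168.3.0/24"))
    for t in (0, 10, 500):                       # first packet, follow-up, after idle timeout
        path, log = net.forward("spoke1", "192.168.3.1", now=t)
        print(f"t={t}s: {path}")
        for line in log:
            print("   ", line)
```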
  17. IWAN Transport Best Practices
     (Diagram: IWAN Hybrid: Branch with DMVPN Purple over Internet (ISP A) and DMVPN Green over MPLS (SP B) to Data Center)
     • Private peering with Internet providers
       – Use the same Internet provider for hub and spoke sites
       – Avoids Internet Exchange bottlenecks between providers
       – Reduces round trip latency
     • DMVPN Phase 3
       – Scalable dynamic site-to-site tunnels
       – Separate DMVPN per transport for path diversity
       – Per tunnel QoS
       – NG encryption – IKEv2 + AES-GCM-256 encryption
     • Transport settings
       – Use the same MTU size on all WAN paths
       – Bandwidth settings should match the offered rate
     • Routing
       – Overlay iBGP or EIGRP for high scale
       – Single routing process, simplified operations
       – Front-side VRF to isolate provider networks
  18. Intelligent Path Control: Improving Application Delivery and WAN Efficiency
  19. Getting the Most Out of Your WAN Investment: Benefits of Intelligent Path Control
     (Diagram: Branch ISR over MPLS and Internet to a Data Center ASR 1000 pair)
     • Enabling hybrid WANs: efficient distribution of traffic based upon load or path preference
     • Application best path based on quality
     • Protection from carrier black holes and brownouts
     Benefits: lower WAN costs; full utilization of WAN bandwidth; improved application performance; higher application availability
  20. Intelligent Path Control with PfR: Voice and Video Use-Case
     (Diagram: Branch over MPLS and Internet to Private Cloud and Virtual Private Cloud)
     • PfR monitors network performance and routes applications based on policy
     • PfR load balances traffic based upon link utilization levels to efficiently utilize all available WAN bandwidth
     • Voice/Video take the best delay, jitter, and/or loss path
     • Voice/Video will be rerouted if the current path degrades below policy thresholds
     • Other traffic is load balanced to maximize bandwidth
  21. What is Performance Routing (PfR)?
     (Diagram: Branch MC+BR over MPLS and Internet to Data Center BRs with an MC)
     “Performance Routing (PfR) provides additional intelligence to classic routing to track and verify the quality of a path over a Wide Area Networking (WAN) to determine the best path for application traffic....”
  22. Protecting Critical Applications While Increasing Bandwidth Utilization
     Multimedia and Critical Data Policy
     (Diagram: SP1 (MPLS) and ISP (FTTH) paths carrying voice and video, email and best-effort traffic; high delay detected; high jitter detected)
     • Protect voice and video quality: latency < 150 ms, jitter < 20 ms
     • Protect email applications from WAN congestion: loss < 5%
     • Voice and video preferred path: SP1
     • Email preferred path: ISP
     • Increase utilization by load sharing
     Business App and Load-Balancing Policy
     (Diagram: SP1 (MPLS) and ISP (DSL) paths carrying the business app and best-effort traffic)
     • Protect transactional business app from brownouts: delay < 250 ms
     • Preferred path: SP1 (MPLS)
     • Increase WAN bandwidth efficiency by load-sharing traffic over all WAN paths, MPLS + Internet
  23. Load Balancing: Maximizing Link Utilization to Increase Available Bandwidth
     (Diagram: Branch ISR over MPLS and Internet WAN to a Data Center ASR 1000 pair; MPLS = 1.5 Mbps, Internet = 15 Mbps; 50% of the T1 = 750 kbps, 50% of 15 Mbps = 7.5 Mbps)
     • Traffic distributed across all paths to efficiently use all WAN bandwidth
     • Load balancing based upon link utilization levels
     • External links can have different bandwidth capacities
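The policy behaviour of slides 20 to 23 (thresholds per traffic class, preferred path, reroute when the path falls out of policy, utilization-based load sharing) worked through in code. This is an added example and not Cisco's PfR implementation; the measured delay/jitter/loss values are constructed, the thresholds and preferred paths are those of slide 22, and the link speeds are those of slide 23.

```python
"""Policy-based path selection in the style of Performance Routing: each
traffic class carries delay/jitter/loss thresholds and a preferred path, the
class is moved when the preferred path is out of policy, and best-effort
traffic is spread by link utilization.  Added example, not Cisco code."""
from dataclasses import dataclass

INF = float("inf")


@dataclass(frozen=True)
class Policy:
    name: str
    preferred: str            # path used as long as it meets the thresholds
    max_delay_ms: float = INF
    max_jitter_ms: float = INF
    max_loss_pct: float = INF


# Thresholds and preferred paths as listed on slide 22.
POLICIES = {
    "voice-video": Policy("voice-video", "SP1", max_delay_ms=150, max_jitter_ms=20),
    "email": Policy("email", "ISP", max_loss_pct=5),
    "business-app": Policy("business-app", "SP1", max_delay_ms=250),
}


def in_policy(m, p):
    """True when measured delay, jitter and loss on a path all satisfy the policy."""
    return (m["delay_ms"] <= p.max_delay_ms and m["jitter_ms"] <= p.max_jitter_ms
            and m["loss_pct"] <= p.max_loss_pct)


def rank(m):
    """Key for 'best' path: lowest delay, then jitter, then loss (ordering assumed)."""
    return (m["delay_ms"], m["jitter_ms"], m["loss_pct"])


def choose_path(traffic_class, measurements):
    """Pick a path for one traffic class. measurements: path name -> metrics dict."""
    p = POLICIES[traffic_class]
    if in_policy(measurements[p.preferred], p):
        return p.preferred, "preferred path in policy"
    ok = [path for path, m in measurements.items() if in_policy(m, p)]
    if ok:
        best = min(ok, key=lambda path: rank(measurements[path]))
        return best, "rerouted: preferred path out of policy"
    # Brownout on every path: keep the least-bad one rather than black-hole the class.
    best = min(measurements, key=lambda path: rank(measurements[path]))
    return best, "no path in policy, best available"


def decide_all(measurements):
    """Path per traffic class for one measurement cycle."""
    return {tc: choose_path(tc, measurements)[0] for tc in POLICIES}


def share_best_effort(offered_kbps, link_kbps):
    """Spread best-effort traffic so every link runs at the same utilization.
    With MPLS 1.5 Mbps and Internet 15 Mbps at 50% (slide 23) that is 750 kbps and 7.5 Mbps."""
    util = offered_kbps / sum(link_kbps.values())
    if util > 1:
        raise ValueError("offered load exceeds total WAN capacity")
    return {link: round(bw * util, 1) for link, bw in link_kbps.items()}, util


if __name__ == "__main__":
    normal = {"SP1": {"delay_ms": 40, "jitter_ms": 4, "loss_pct": 0.1},
              "ISP": {"delay_ms": 55, "jitter_ms": 9, "loss_pct": 0.3}}
    high_delay = {**normal, "SP1": {"delay_ms": 180, "jitter_ms": 4, "loss_pct": 0.1}}
    print(decide_all(normal))       # voice-video on SP1, email on ISP, business-app on SP1
    print(decide_all(high_delay))   # voice-video moves to ISP; business-app stays (180 < 250)
    print(share_best_effort(8250, {"MPLS": 1500, "Internet": 15000}))
```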
  24. Performance Routing: Components
     (Diagram: Branch MC+BR over MPLS and Internet to Data Center BRs and DC/MC)
     • The Decision Maker: Master Controller (MC)
       – Discover BRs, collect statistics
       – Apply policy, verification, reporting
       – No packet forwarding/inspection required
     • The Forwarding Path: Border Router (BR)
       – Does all packet forwarding
       – Visibility in network performance
       – Enforce MC’s decision (path enforcement)
     • The Policy Controller: Domain Controller (DC)
       – Discover site peers, prefixes and connected networks
       – Advertise policy and services
       – One per domain, collocated with MC
  25. PfR Domain Controller
     (Diagram: Domain Controller and Master Controller (DC/MC) at the hub with BRs on WAN1 and WAN2; branch sites as MC+BR)
     • Domain Controller (DC) Peering Framework
       – Site MCs register to the domain
       – Advertise to, or request services
       – Simplifies deployment and configuration
       – Provides topology auto-discovery
     • Single point of configuration across the domain
     • Used to distribute information to sites:
       – Learned site-prefix
       – Application/traffic policies
       – Performance monitoring
       – Traffic class database
  26. How PfR Works: Key Operations
     (Diagram: each step shown across ISR and ASR1K routers in MC+BR, BR and MC roles)
     • Define your traffic policy: define traffic classes and service level policies based on applications or transport classifiers
     • Learn the traffic: border routers learn current traffic classes going to the WAN based on classifier definitions (learning active TCs)
     • Measurement: measure the traffic flow and network performance and report metrics to the Master Controller (performance measurements)
     • Path enforcement: the Master Controller commands path changes based on traffic class policy definitions (best path)
  27. Intelligent Path Control: Path of Last Resort – New (IWAN 2.2, Spring 16)
     (Diagram: Branch site R14 with DMVPN over MPLS, INET and LTE to DC1 and DC2 (DC/MC, MC, BR roles, ASA at the DC); LTE as the last-resort path)
     • Simplifies and speeds up failover routing to a backup only path
     • Granular failover per traffic class policy
     • Extends path-preference to include a last-resort path(s)
     • Removes the need for the routing protocol to initiate failover
     • Good choice for cellular, satellite and other backup only paths
  28. Application Optimization
  29. Today’s Network is an IT Blind Spot
     • Static port classification is no longer enough
     • More and more apps are opaque
     • Increasing use of encryption and obfuscation
     • Application consists of multiple sessions (video, voice, data)
     • What if user experience is not meeting business needs?
  30. Make Your IWAN Application Aware: Application Visibility and Control (AVC)
     (Diagram: Branch with a proliferation of devices, users/machines; AVC on the routers toward DC/Headquarters, Private Cloud and Public Cloud)
     • Application Performance Visibility
       – Application inspection with existing routers
       – Rich data collection using NetFlow v9/IPFIX
       – Easy to integrate into many reporting tools
     • Smart Capacity Planning
       – Better use of costly bandwidth
       – Per-branch and per-application level reporting
     • Business Objective Enforcement
       – Service level monitoring per application
       – Better analytics to adjust network policies to maintain compliance
  31. Unified Monitoring
     • Basic monitoring: what applications, how much bandwidth, flow direction? (NBAR2 and Flexible NetFlow)
     • Performance collection & exporting: integrated performance monitoring and advanced metrics for different types of applications and use cases
     • Voice and video performance (Media Monitoring): 30% of traffic is voice and video
     • Critical applications performance (Application Response Time): 40% of traffic is critical applications
     (Diagram: HTTP traffic shown alongside the voice/video and critical application shares)
  32. Application Performance Monitoring for IWAN: Track and Report Application Flows and Performance
     (Diagram: Branch AVC and DC/Headquarters AVC (CSR, Enterprise Edge) exporting NetFlow v9/IPFIX across the WAN; provisioning, exporting and collecting shown)
     • NetFlow/IPFIX records (same provisioning, same format)
       – Traffic statistics records
       – Application Response Time records
       – Media monitoring records (application, jitter, loss, etc.)
     • Cisco tools: Prime, APIC-EM
     • Partner tools ecosystem: LiveAction, Glue Networks, Plixer, Living Objects, CompuWare, CA Technologies
  33. Add WAN Optimization with WAAS + Akamai: Speed and Bandwidth Benefits on Top of the IWAN
     (Diagram: Branch with a proliferation of devices, users/machines and WAVE/vWAAS; WAN to DC/POP with AppNav-XE Controller, CSR, vWAAS and Private Cloud)
     • Application Optimization (improving application performance)
       – Improved application performance, delay mitigation, less bandwidth
       – Twice as many Citrix users over the same WAN, 70% faster
       – Typical ROI in less than one year, 65% BW cost savings
     • Content Caching & Prepositioning
       – Reduces WAN bandwidth usage, while accelerating applications
       – Intelligent caching of internal and Internet content
       – Prepositioning of data and rich media before it is needed
     • Simple and Scalable
       – Works with existing branch routers
       – Scale out optimization resources with AppNav
       – Native HA resiliency
  34. Akamai Connect: Part of Cisco Intelligent WAN
     Cisco Intelligent WAN:
     • Transport Independent: DMVPN/IPsec
     • Intelligent Path Control: Performance Routing (PfR)
     • Application Optimization: Application Visibility and Control (AVC), Akamai Connect, WAAS
     • Secure Connectivity: IOS Firewall/IPS, Cloud Web Security
     Akamai Connect: Transparent Cache, Dynamic URL Cache, Akamai Connected Cache, Content Pre-positioning
     Cisco WAAS: LZ Compression, TCP Optimization, Data De-duplication, Application Specific Acceleration
  35. Application Optimization: Enhancing User Experience and WAN Efficiency
     (Diagram: Branch end-user behind ISR-AX+AC (Akamai Connect integrated into Cisco ISR-AX routers), over the WAN to Data Center WAAS and over the Internet to the Akamai Intelligent Platform; content: mobile apps, video, software downloads, digital signage, catalogs, guest WiFi; any device, connectivity, cloud)
     • Result: reduce load, improve response time; ~70+% of HTTP/S data served from cache
     (Chart: average load time (sec.), scale 0–9, native WAN versus WAAS + AKC: 51% reduction in load time)
  36. IWAN – Application Optimization with Akamai Connect
     Akamai Connect accelerates HTTP/HTTPS applications, video and content in the branch, while maximizing existing enterprise network bandwidth
     (Diagram: Branch end-user behind ISR-AX+AC over the WAN to Data Center WAAS and over the Internet to the Akamai Intelligent Platform)
  37. Cisco WAAS & Akamai Connect Deployment Models
     (Diagram: Data Center or Private Cloud with WAAS appliances, vWAAS appliances on VMware ESXi with server VMs, Nexus 1000v, UCS/x86 server, FC SAN and ASR1K + AppNav-XE; Virtual Private Cloud with vWAAS on a VMware ESXi server and CSR1000v + AppNav-XE; branch offices with ISR-WAAS on ISR 4000, a WAAS appliance, or a WAAS service module/UCS-E; connected over WAN and Internet)
  38. Recent/Upcoming App Opt enhancements
     • Single sided SSL enables DIA HTTPS caching with Akamai Connect
  39. HTTPS Acceleration and Caching – Today
     (Diagram: Client, Client WAAS & Akamai Connect, Server WAAS, SSL server. SSL handshake runs client to server (SSL session: client to server); WAAS SSL session: core WAE to server; the server WAAS sends the session key to the client WAAS over a transparent secure channel; data is original and encrypted on the client side, optimized & encrypted across the WAN, optimized and encrypted toward the server)
  40. HTTPS Caching – Tomorrow
     (Diagram: Client, Client WAAS & Akamai Connect with SSL handshakes shown on both sides, Enterprise WAN to DC/Headquarters and the Internet; cached data encrypted)
  41. IWAN Secure Connectivity
  42. Intelligent WAN: Secure Connectivity. Securing the network and users
     (Diagram: Branch with Secure WAN Transport over MPLS (IP-VPN) and Secure Internet Access over the Internet to Private Cloud, Virtual Private Cloud and Public Cloud)
     Two areas of concern:
     1. Protecting the network from outside threats with data privacy over provider networks
     2. Protecting user access to Public Cloud and Internet services; malware, privacy, phishing, …
  43. Securing the IWAN Transport: IPsec VPN and Access Control
     (Diagram: Branch over MPLS (ISP A) and Internet (ISP C) to a Data Center ASR 1000 pair)
     • Step 1: Authenticate hardware and software
       – Trust Anchor Module verification
     • Step 2: Secure transport
       – Proven IPsec VPN overlay
       – Strong cryptography: IKEv2 + AES-GCM 256
       – F-VRF to isolate provider networks
     • Step 3: Access control
       – IOS Zone-based Firewall or ACL protection
       – Role based access to the router with logging
       – Minimize exposure: provider assigned addressing to hide routers; don’t put tunnel addresses into DNS
  44. Cisco Router Security Certifications
     Platform                 FIPS 140-2, Level 2   Common Criteria EAL4   Suite B* Hardware Assist
     Cisco ISR 890 Series     ✓                     ✓                      ✓
     Cisco ISR 1900 Series    ✓                     ✓                      ✓
     Cisco ISR 2900 Series    ✓                     ✓                      ✓
     Cisco ISR 3900 Series    ✓                     ✓                      ✓
     Cisco ISR 4000 Series    ✓                     ✓                      ✓
     Cisco ASR 1000 Series    ✓                     ✓                      ✓**
     * RFC 6379
     ** Not supported on older RP1 based ASR 1000s
  45. Trust Anchor Module (TAM): “How do I Know the Hardware is Authentic?”
     • Provides trustworthy hardware offering immutable identity, secure storage, random number generator, and encryption
     • Available in the ISR-4000, newer Catalyst and other Cisco products
     TAM features & services:
     • Provides immutable identity
     • Standard identity: IEEE 802.1AR (SUDI, X.509 cert)
     • Secure storage of credentials
     • Anti-theft & anti-tamper chip design
     • Certifiable entropy for random number generation
     (Diagram: Trust Anchor Module providing immutable identity, secure storage (keys & objects), certifiable entropy source, secure crypto assist and secure application certificates; checks to verify as Cisco genuine: TAM/secure identity verification, authenticity & license check, verify secure identity, product security)
  46. Secure Boot: “How do I Know the Software is Authentic?” Verifies the software has not been altered or tampered with since it was signed
     (Diagram: Secure Boot process: Power On → Hardware Anchor (immutable anchor ensuring hardware integrity and key authenticity) → Secure Microloader → Signed Bootloader/BIOS → Signed Operating System → Launch Operating System, with an integrity check and image signing at each step; at power-up the microloader verifies the bootloader and BIOS, and the signed bootloader/BIOS validates the operating system)
     • Ensures only authentic Cisco software boots up on a Cisco platform
     • Anchored in hardware: as the image is created, the signature is installed & signed with a secure private key
     • As the software boots, the system checks to ensure the installed digital certificate is valid
     • Subsequent hash checks provide continuous monitoring with runtime integrity
  47. Add Network Integrated Threat Defense: IOS Zone-Based Firewall
     (Diagram: Branch over MPLS (ISP A) and Internet (ISP C) to a Data Center ASR 1000 pair)
     • Control the Perimeter:
       – External and internal protection: the internal network is no longer trusted
       – Protocol anomaly detection and stateful inspection
     • Communicate Securely:
       – Call flow awareness (SIP, SCCP, H323)
       – Prevent DoS attacks
     • Flexible:
       – Split tunnel – branch direct Internet access
       – Internal FW addresses regulatory compliance
     • Integrated:
       – No need for additional devices, expenses and power
       – Works with other IWAN services: CWS, WAAS, UCS-E, …
     • Manageable:
       – APIC-EM, Prime, CLI, SNMP, CCP, and CSM
  48. Securing IWAN Transports with Front-door VRF: Isolation of external networks
     (Diagram: Branch LAN 10.1.1.0/24, 10.1.2.0/24 … in the Global (inside network) VRF; Front Side “Provider Interface” VRF with provider assigned WAN IP address 192.168.254.254; IPsec tunnel interface between the two; the VRFs have independent routing and forwarding planes; IOS ZBFW or ACL permits only authorized traffic, i.e. IPsec)
     Virtual Route Forwarding (VRFs) create multiple logical routers on a single device
     • Separate control/forwarding planes per VRF
     • No connectivity between VRFs by default
     • Provider side VRF (yellow) for external networks, Global VRF (blue) for internal networks
     Provider VRF minimizes threat exposure
     • Default routing only in the Provider VRF
     • Provider assigned IP addressing hides the internal network
     • Provider IP address used as the IPsec tunnel source
     • Only IPsec allowed between the internal Global and Provider Front Side VRFs
  49. Protecting the Public facing IWAN Interfaces
     (Diagram: Branch over MPLS (ISP A) and Internet (ISP C) to a Data Center ASR 1000 pair)
     • Use ACLs, ZBFW or ASA to block all traffic except the DMVPN tunnel traffic to routers
     • Zone Based Firewall (ZBFW) at the branch if there are plans for direct Internet access
     • Typical ACL for protecting the Internet interface:
         interface GigabitEthernet0/0
          bandwidth 10000
          vrf forwarding IWAN-TRANSPORT-2
          ip address dhcp
          ip access-group ACL-INET-PUBLIC in
         !
         ip access-list extended ACL-INET-PUBLIC
          permit udp any any eq non500-isakmp
          permit udp any any eq isakmp
          permit esp any any
          permit udp any any eq bootpc
          permit icmp any any echo
          permit icmp any any echo-reply
          permit icmp any any ttl-exceeded
          permit icmp any any port-unreachable
          permit udp any any range 33434 33463 ttl eq 1
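To see what the ACL on slide 49 admits on the Internet-facing interface and what the implicit deny at its end drops, here is a small matcher run over constructed packets. This is an added example, not Cisco code; it models only the subset of IOS extended-ACL syntax the slide uses (eq/range, ICMP type keywords, ttl eq, with any/any source and destination) and the packets are constructed.

```python
"""Evaluate constructed packets against ACL-INET-PUBLIC from slide 49.
IOS extended ACLs are first-match with an implicit deny at the end; the
IKE (UDP 500), NAT-T (UDP 4500), ESP, DHCP client, selected ICMP and
TTL-1 traceroute probes are the only things this list lets in.
Added example, not Cisco code."""
from dataclasses import dataclass

# IOS port keywords used on the slide
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "bootpc": 68}
# IOS ICMP keywords -> (type, code); None means any code
ICMP_KEYWORDS = {"echo": (8, None), "echo-reply": (0, None),
                 "ttl-exceeded": (11, 0), "port-unreachable": (3, 3)}

# The access list exactly as shown on the slide
ACL_INET_PUBLIC = """
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit udp any any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit udp any any range 33434 33463 ttl eq 1
""".strip().splitlines()


@dataclass(frozen=True)
class Packet:
    proto: str            # "udp", "tcp", "esp" or "icmp"
    dport: int = 0        # destination port for udp/tcp
    ttl: int = 64
    icmp_type: int = -1
    icmp_code: int = 0


def parse_entry(line):
    """Turn one 'permit <proto> any any ...' line into a match dict."""
    tok = line.split()
    entry = {"action": tok[0], "proto": tok[1], "ports": None, "icmp": None,
             "ttl": None, "line": line}
    i = 4                                    # skip the 'any any' source/destination
    while i < len(tok):
        t = tok[i]
        if t == "ttl":                       # 'ttl eq N'
            entry["ttl"] = int(tok[i + 2]); i += 3
        elif t == "eq":                      # 'eq <port number or keyword>'
            name = tok[i + 1]
            port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
            entry["ports"] = (port, port); i += 2
        elif t == "range":                   # 'range LOW HIGH'
            entry["ports"] = (int(tok[i + 1]), int(tok[i + 2])); i += 3
        elif t in ICMP_KEYWORDS:
            entry["icmp"] = ICMP_KEYWORDS[t]; i += 1
        else:
            raise ValueError(f"unsupported token {t!r} in {line!r}")
    return entry


def matches(entry, pkt):
    if entry["proto"] != pkt.proto:
        return False
    if entry["ports"] and not entry["ports"][0] <= pkt.dport <= entry["ports"][1]:
        return False
    if entry["icmp"]:
        itype, code = entry["icmp"]
        if pkt.icmp_type != itype or (code is not None and pkt.icmp_code != code):
            return False
    if entry["ttl"] is not None and pkt.ttl != entry["ttl"]:
        return False
    return True


def evaluate(pkt, acl=None):
    """First-match evaluation; anything unmatched hits the implicit deny."""
    for entry in (parse_entry(line) for line in (acl or ACL_INET_PUBLIC)):
        if matches(entry, pkt):
            return entry["action"], entry["line"]
    return "deny", "implicit deny at end of ACL"


if __name__ == "__main__":
    samples = {                               # constructed inbound packets
        "IKEv2 (UDP/500)": Packet("udp", dport=500),
        "NAT-T (UDP/4500)": Packet("udp", dport=4500),
        "ESP": Packet("esp"),
        "DHCP reply to client": Packet("udp", dport=68),
        "ICMP echo": Packet("icmp", icmp_type=8),
        "ICMP host-unreachable (3/1)": Packet("icmp", icmp_type=3, icmp_code=1),
        "traceroute probe ttl 1": Packet("udp", dport=33440, ttl=1),
        "UDP 33440 with ttl 5": Packet("udp", dport=33440, ttl=5),
        "SSH (TCP/22)": Packet("tcp", dport=22),
    }
    for label, pkt in samples.items():
        action, rule = evaluate(pkt)
        print(f"{label:30} {action:6} {rule}")
```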
  50. 50. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation ID IOS Security General IOS Security measures for Internet facing interfaces 58 service tcp-keepalives-in service tcp-keepalives-out ! no mop enabled ! no service pad ! no service config interface GigabitEthernet0/0 description Internet Connection no ip redirects no ip proxy-arp no lldp transmit no lldp receive no cdp enable no mop enabled ! • Disable unused services and features MPLS Internet Branch ASR 1000 ASR 1000 ISP A ISP C Data Center
  51. 51. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation ID Intelligent WAN—Direct Cloud Access Branch MPLS (IP-VPN) Internet Direct Internet Access Private Cloud Virtual Private Cloud Public Cloud • Leverage Local Internet path for Public Cloud and Internet access • Improve application performance (right flows to right places) Solutions On Premise – Zone Based Firewall Cloud Based – Cloud Web Security CWS ISR-AX ZBFW 59
  52. 52. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation ID Cloud Web Security Centralized Management for Distributed Policy 60 Cisco ScanCenter Portal
  53. 53. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation ID Secure Internet Access with Cisco Cloud Web Security (CWS) Secure Public Cloud and Internet Access ISR Connector to CWS Firewall towers Web Filtering, Access Policy, Malware Detect WAN1 (IP-VPN) CWS Private Cloud Public Cloud Branch WAN2 (Internet) IWAN IPsec VPN for Private Cloud TrafficIOS Firewall to protect Internet Edge Internet 61
  54. 54. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation ID Orchestration and Automation 63
  55. 55. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation ID Policy driving the Network Application Policies: – AppID, bandwidth, latency, loss, jitter,... Security Policies: – Segmentation, access control, privacy/crypto, Controllers collect data from the network and push policy to network The network only maintains segments No application stateNetwork SDN Controller Policy 1 2 3 Network enforces the policies and reports status and event data
  56. 56. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation ID 65 The next generation Branch WAN needs Automation & Orchestration APIC-EM IWAN APP Prime Infrastructure Enterprise vMS/NSO Large Ent & SP
  57. 57. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation ID Cisco IWAN Management Portfolio Covering a broad range of requirements and preferences • Customer wants advanced provisioning, life cycle management, and customized policies • System-wide network consistency assurance • Lean IT OR IT Network team Cisco Prime Infrastructure • Customer needs customizable IWAN with end-to-end monitoring • One Assurance across Cisco portfolio from Branch to Datacenter • IT Network team Enterprise Network Mgmt and Monitoring Ecosystem Partners IWAN App • Customer wants considerable automation and operational simplicity • Requirements consistent with prescriptive IWAN Validated Design • Lean IT organization Prescriptive Policy Automation • Customer looking for advanced monitoring and visualization • QoS/ PfR/ AVC configuration, Real-time analytics and network troubleshooting • IT Network team Application Aware Performance Mgmt Advanced Orchestration
  58. 58. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation ID IWAN Automation and Orchestration Evolution APIC-EM Device Abstraction Layer REST APIs APIC-EM Services (Partial) PKI Svc NetFlow Svc ZTD Svc Network Svc Events Svc Inventory Svc Traditional Management Systems CiscoPrime IWAN Transport PKI Automation Security Intelligent Path Control Cisco IWAN Apps Partners (future) Application Experience PnP Provisioning Capacity Planning, Historical Reporting, Licensing, etc…Prime DeploymentWorkflows, Changecontrol,etc…
59. IWAN App: Provisioning (screenshot)
60. IWAN App: Application Classification (screenshot)
61. IWAN App: Policy Provisioning (screenshot)
62. Prime Infrastructure for IWAN: IWAN workflow wizard with PnP; template-based IWAN configurations; PfRv3 domain, MC (master controller) and BR (border router) provisioning; AVC one-click provisioning; QoS provisioning; single- or dual-router branch; CVD-based and customizable; AVC readiness assessment; AVC, QoS and PfR visibility; leverages APIC-EM services.
63. Service Health Summary (screenshot)
64. PfR dashboard: events at sites (screenshot)
65. Router, provider and server view (screenshot)
66. Link details: PfR threshold crossing (screenshot)
67. LiveAction Software: an application-aware network performance management and QoS control tool; a fast, simple and cost-effective way to monitor and control application performance using Cisco capabilities. LiveAction components: Flow, QoS Monitor, QoS Configure, Routing, LAN, IP SLA.
68. LiveAction and Performance Routing: PfR path-change visualization; alerting and reporting on PfR out-of-policy events; reports on traffic-class/application path changes. (Figure: an out-of-policy threshold-crossing alert; before the brown-out the traffic class uses the northern path, after the brown-out the southern path.)
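The threshold-crossing and out-of-policy behaviour that the dashboards above visualize, and the policy loop of slide 55 (controller pushes per-class policy, network measures and reports), can be shown in a few lines. The following is an added example for this page, not Cisco's PfRv3 implementation and not code from the deck: a simplified policy-driven path selector that applies per-class delay/loss/jitter thresholds and a preferred/fallback path order. The class name VOICE, the path names MPLS and INET, the thresholds and the measurements are all constructed for illustration.

```python
"""Policy-driven WAN path selection in the style of PfRv3 (added illustration).

Not Cisco code: a simplified model of what an intelligent-path-control policy
does. A class policy carries SLA thresholds (delay, loss, jitter) and a path
preference order (preferred, fallback); each path reports measured metrics;
the selector keeps traffic on the first path that is in policy, raises an
out-of-policy (OOP) event on a threshold crossing, and never moves traffic
onto a path that is itself out of policy. Class name, path names, thresholds
and measurements below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ClassPolicy:
    """SLA thresholds and path preference for one application class."""
    name: str
    max_delay_ms: float
    max_loss_pct: float
    max_jitter_ms: float
    preferred: str
    fallback: str


@dataclass(frozen=True)
class PathMetrics:
    """Measured one-way performance of a WAN path (as a probe would report it)."""
    delay_ms: float
    loss_pct: float
    jitter_ms: float


@dataclass
class Decision:
    path: str                              # path the class is steered to
    out_of_policy: Dict[str, List[str]]    # path -> thresholds it crossed
    events: List[str] = field(default_factory=list)


def threshold_crossings(policy: ClassPolicy, m: PathMetrics) -> List[str]:
    """Return the thresholds a measurement violates; an empty list means in policy."""
    crossed = []
    if m.delay_ms > policy.max_delay_ms:
        crossed.append(f"delay {m.delay_ms:g}ms > {policy.max_delay_ms:g}ms")
    if m.loss_pct > policy.max_loss_pct:
        crossed.append(f"loss {m.loss_pct:g}% > {policy.max_loss_pct:g}%")
    if m.jitter_ms > policy.max_jitter_ms:
        crossed.append(f"jitter {m.jitter_ms:g}ms > {policy.max_jitter_ms:g}ms")
    return crossed


def select_path(policy: ClassPolicy, metrics: Dict[str, PathMetrics],
                current: Optional[str] = None) -> Decision:
    """Pick the path for one class given fresh measurements on every path.

    Rules: stay on (or return to) the most preferred path that is in policy;
    on a threshold crossing move to the next in-policy path; if every path is
    out of policy, stay put rather than flap onto another failing path.
    """
    order = [policy.preferred, policy.fallback]
    oop = {p: threshold_crossings(policy, metrics[p]) for p in order if p in metrics}
    events = [f"OOP {policy.name} on {p}: {', '.join(v)}" for p, v in oop.items() if v]
    in_policy = [p for p in order if p in oop and not oop[p]]
    start = current or policy.preferred
    if in_policy:
        chosen = in_policy[0]
    else:
        chosen = start
        events.append(f"all paths out of policy for {policy.name}; staying on {chosen}")
    if chosen != start:
        events.append(f"path change {policy.name}: {start} -> {chosen}")
    return Decision(chosen, oop, events)


# Constructed sample policy and measurements: a voice class that prefers MPLS,
# then a loss brown-out on MPLS, then a delay problem on INET as well.
VOICE = ClassPolicy("VOICE", max_delay_ms=150, max_loss_pct=1.0,
                    max_jitter_ms=30, preferred="MPLS", fallback="INET")
BEFORE = {"MPLS": PathMetrics(40, 0.1, 5), "INET": PathMetrics(70, 0.3, 12)}
BROWNOUT = {"MPLS": PathMetrics(45, 4.5, 6), "INET": PathMetrics(70, 0.3, 12)}
BOTH_BAD = {"MPLS": PathMetrics(45, 4.5, 6), "INET": PathMetrics(210, 0.3, 12)}


def run_scenario():
    """Feed the three measurement rounds through the selector; return the history."""
    history = []
    current = None
    for label, sample in (("before", BEFORE), ("brownout", BROWNOUT), ("both_bad", BOTH_BAD)):
        d = select_path(VOICE, sample, current)
        history.append((label, d.path, d.events))
        current = d.path
    return history


if __name__ == "__main__":
    for label, path, events in run_scenario():
        print(f"{label:9} -> {path}")
        for e in events:
            print("   ", e)
```

Two points a practitioner should take from this. First, the out-of-policy events are the thing to alert on, not the path changes alone: a class that sits on its fallback path for hours is a cost and capacity problem even when every flow is within SLA. Second, the measurements are a control-plane input that whoever can degrade a transport can influence (induce loss on one path and the class moves to the other), so the probes should run inside the authenticated overlay (the IPsec the router slides list) and the resulting path changes should be visible in monitoring, as the LiveAction slide shows, rather than happening silently.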
69. PfRv3 Dashboard: alerts and performance by site; alerts and performance by application group; all alerts.
70. Glue Networks IWAN Orchestration: cloud-based SaaS subscription model; eliminates manual building of WANs; automated WAN orchestration and management; quick configuration updates and IOS upgrades; rapidly delivers next-generation and IWAN features; forward compatible with SDN and onePK for application-aware WANs; broadband and MPLS support for centralized hybrid-WAN management for IWAN.
71. Introducing Gluware 2.0: DevOps for Network Engineers. Network-engineer centric rather than programmer centric; Gluware Lab: rapid development environment, NDK, and FLOW (Flexible Language Object Workstream); Gluware Control: network-aware and customizable life-cycle management; integrated with leading architectures (IWAN); REST API for third-party monitoring, visualization and controllers.
72. Cisco IWAN Product Portfolio
73. Start with Cisco AX Routers: IWAN capabilities embedded in the router (ISR-AX, ISR 4000 AX, ASR 1000-AX). Simplify application delivery with one network and unified services: transport-independent, secure routing, optimization, control, visibility. Cisco AX routers: 800 | 1900 | 2900 | 3900 | 4000 | ASR 1000.
74. IWAN Branch Services Routers: ISR 4000 Series, IWAN AX ready, next-generation branch. Integrated IWAN services: IOS Firewall, VPN, IPsec, PfRv3, NBAR2, AVC, AppNav, VRF, MPLS; scalable on-chip service provisioning. Application centric: app/user policy-driven deployment; APIC-EM automation, deploy in minutes; pay-as-you-grow; up to 75% cost savings. Appliance-level performance: service-aware data plane; resilient service virtualization; multi-gigabit fabric. Platform throughput: ISR4321 50/100 Mbps; ISR4331 100/300 Mbps; ISR4351 200/400 Mbps; ISR4431 500 Mbps/1 Gbps; ISR4451 1 to 2 Gbps.
75. IWAN Aggregation Border Routers: ASR 1000, IWAN AX ready, high-performance routers. Integrated IWAN services: IOS Firewall, VPN, IPsec, PfRv3, NBAR2, AVC, AppNav, VRF, MPLS; scalable on-chip service provisioning. Business-critical resiliency: separate control and data planes; hardware and software redundancy; in-service software upgrades. Compact, powerful router: line-rate performance from 2.5G to 200G+ with services enabled; crypto performance from 2G to 60G+; flexible I/O with SPAs and Ethernet line cards. Platforms: ASR1001-X, 2.5G upgradeable to 5G, 10G, 20G, up to 8G crypto throughput; ASR1002-X, 5G upgradeable to 10G, 20G, 36G, up to 4G crypto throughput; modular ASR1006, modular and redundant up to 200G, up to 60G crypto throughput.
76. Cisco UCS E-Series: extend cloud services into the branch infrastructure, supported on ISR series routers. Platform for WAN-edge applications: Microsoft Windows Server and Linux certified; server virtualization (Cisco UCS virtualization powered by VMware, Microsoft, Citrix). Dedicated blade management: Cisco Integrated Management Controller (CIMC), consistent management across the UCS family. Multipurpose x86 blades: Cisco UCS E-Series modules, housing up to four server blades in an ISR. Single-device network integration: all services in the ISR chassis over a multigigabit fabric (MGF) backplane switch. (Figure: IOS and the MGF backplane switch in the ISR, a UCS-E blade running a hypervisor with CIMC, and guest OS/application pairs on the blade.)
77. Why Cisco IWAN?
78. Intelligent WAN Summary. Transport Independent Design: a highly available hybrid WAN. Intelligent Path Control: Performance Routing (PfR) to protect applications and load-balance traffic to make the most of expensive WAN bandwidth. Application Optimization: Application Visibility and Control (AVC) to monitor performance; WAAS + Akamai to reduce bandwidth consumption while improving the application experience. Secure Connectivity: secure the network from outside threats; Cloud Web Security (CWS) for improved cloud performance while freeing up WAN bandwidth, without compromising security. IWAN Management: Cisco and ecosystem-partner tools such as the APIC-EM IWAN App, Prime, LiveAction, Gluware, and more. (Figure: reference topology with DC-East and DC-West ASR-AX hubs running WAAS and AVC, a DCI link and WAN core, branch ISR-AX routers with vWAAS on MPLS and Internet/ADSL transports of various speeds, PfR MC and BR roles, and CWS for direct Internet access.)
79. IWAN Vision and Strategy, toward the SD Enterprise. Intelligent: secure VPN overlay, any transport, bandwidth efficiency, application SLA. Automation: secure, simple, centralized policy automation. Cloud Integration: global policies, cloud POPs, mobility, optimization, cloud security. Service Virtualization: vRouter, vService and application orchestration across campus, WAN and data center.
80. IWAN Vision and Strategy: systems-development evolution of IWAN. The IWAN framework (Transport Independent Design, Intelligent Path Control, Application Optimization, Secure Connectivity, Management and Orchestration) progresses through the Intelligent, Automation, Cloud Integration and Service Virtualization stages toward the SD Enterprise, with incremental improvements while delivering new use cases.
81. Cisco Intelligent WAN (IWAN): secure WAN transport over MPLS (IP-VPN) and the Internet, plus direct Internet access from the branch, reaching private cloud, virtual private cloud and public cloud. A mixed-transport WAN with high-reliability SLAs for business-critical applications; centralized security policy for Internet access; dramatically lower WAN costs without compromise.
82. We're ready. Are you?