Cisco Intelligent WAN:
Enabling the Next-Gen Branch
Technical Overview
Cisco Confidential 3© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Agenda
IWAN Introduction and Business Drivers
Intelligent Path Control
Transport Independent Design
Application Visibility
Secure Connectivity for Direct Internet Connectivity
IWAN Management
Summary
New Requirements for the Branch/WAN
Rising User Expectations
Growing Security Threats
Faster Time to Market
Cost Optimization
App Performance
Advanced Threat Defense
Operational Simplicity
Agility/Simplicity
Emerging Branch Demands
The Application Landscape Is Changing
Applications Are Moving to the Data Center and Cloud
Internet Edge Is Moving to the Branch
Branch
Cloud
Data Centers
of CIOs Expect
to Operate via
the Cloud by
2015
More Mobile Data
Traffic by 2015
of Mobile Traffic
Will Be Video
Pressures on the WAN
Fat Apps | Mobility | Cloud
Commodity Transports Viable Now
Internet Becoming an Extension of Enterprise WAN
Dramatic Bandwidth, Price Performance Benefits
Higher Network Availability
Improved Performance Over Internet
And the Internet Transition Pays Off Fast
EXAMPLE:
San Francisco Single MPLS VPN vs. Dual Business Internet ($ per Month)
1.5 Mbps
10 Mbps
$220
$140
$830
$260
$885
$274
$1,014
$303
Dual Internet Links
Combined for Ent SLA
-75%
iWAN
MPLS VPN CoS3
MPLS VPN CoS2
MPLS VPN CoS1
Source: Telegeography MPLS VPN pricing for San Francisco as of March 2013; Comcast Web site; Verizon website
Intelligent WAN Deployment Models
Dual Internet | Hybrid | Dual MPLS
Consistent VPN Overlay Enables Security Across Transition
Expensive
Highest SLA guarantees
Tightly coupled to SP
Internet
Branch
Public
MPLS
MPLS
Branch
Public
MPLS+
Internet
Branch
Internet
More BW for key applications
Moderately priced
Balanced SLA guarantees
Enterprise
Best price/performance
Enterprise responsible for SLAs
Most SP flexibility
Intelligent WAN Solution Components
Branch
Internet
MPLS
Private
Cloud
Virtual
Private Cloud
Public Cloud
3G/4G-LTE
AVC
WAAS PfR
Transport
Independent
• Consistent operational model
• Simple provider migrations
• Scalable and modular design
• IPsec routing overlay design
• Dynamic Application best path based on policy
• Load balancing for full utilization of bandwidth
• Improved network availability
Intelligent
Path Control
• Application visibility with
performance monitoring
• Application acceleration
and bandwidth optimization
Application
Optimization
• Certified strong encryption
• Comprehensive threat defense
• Cloud Web Security for secure
direct Internet access
Secure
Connectivity
Transport-Independent Design
Simplifying Internet-Based WANs
Transport Independent
Comprehensive WAN Transport Support with Secure, Full Mesh Connectivity
Secure | Flexible | Transport-independent
Simplifies WAN Design
• Easy multi-homing over any carrier service offering
• Single routing control plane with minimal peering to the provider
Dynamic Full-Meshed Connectivity
• Consistent design over all transports
• Automatic site-to-site IPsec tunnels
• Zero-touch hub configuration for new spokes
Proven Robust Security
• Consistent design over all transports
• Automatic site-to-site IPsec tunnels
• Zero-touch hub configuration for new spokes
WAN
Internet
Branch
MPLS
Data Center
ASR 1000
ASR 1000
ISR-G2
SINGLE ROUTER, SINGLE PATH
SINGLE ROUTER, DUAL PATHS
DUAL ROUTERS, DUAL PATHS
Building Highly Available WANs with Cisco IWAN
Redundancy and Path Diversity Matter
Downtime
per Year
4–9 Hours
5 Minutes
26 Minutes
* Typical MPLS and Business Grade Broadband Availability SLAs and Downtime per Year, calculated with Cisco AS DAAP tool.
Downtime per Year
8 Hours
46 Minutes
IWAN Solution
MPLS
99.95%*
ISR G2
MPLS
99.995%
MPLS
ISR G2
Internet
99.90%*
ISR G2
MPLS
99.995%
Internet
ISR G2
Internet
99.995%
Internet
ISR G2
Internet MPLS
99.999%
ISR G2 ISR G2
Internet Internet
99.999%
ISR G2 ISR G2
99.999%
MPLS
ISR G2
MPLS
ISR G2
Intelligent Path Control:
Performance Routing (PfR)
Improving Application
Delivery and WAN
Efficiency
“Performance Routing (PfR) provides
additional intelligence to classic routing
technologies to track the performance of, or
verify the quality of, a path between two
devices over a Wide Area Networking (WAN)
infrastructure to determine the best egress or
ingress path for application traffic....”
What Is Performance Routing (PfR)?
DSL Cable
Branch MC+BR
BR BR
Data
Center
MC
• Cisco IOS technology
• Two components: Master controller and border router
PATH
CONTROL
METRICS
ADAPTIVE
PfR Enhances Classical Routing
Classical PfR
• Topological state
• Least cost path
• Static user preference
• Path cost
• Interface state
• Delay
• Jitter
• Bandwidth
Responds To:
• Measured performance changes
(degradation)
Responds To:
• Link and node state changes
(up/down)
• Application-aware
• Policy controlled
• Measured performance
+
SP1 (MPLS) ISP (Internet)
Business App
Hybrid IWAN
Best-Effort Traffic
Detect Loss
Greater Than 10%
ISP-1 (Cable) ISP-2 (DSL)
Voice and
Video
Dual Internet iWAN
Detect
High Jitter
VDI
Best-Effort Traffic
What PfR Does
Protecting Critical Applications While Increasing Bandwidth Utilization
• Protect business cloud applications from brownouts
Loss < 5%
• Preferred path for business applications: SP1 (MPLS)
• Increase WAN bandwidth efficiency by load-sharing traffic over all WAN paths, MPLS + Internet
Business App and Load-Balancing Policy
• Protect voice and video quality
Latency < 150 ms; Jitter < 20 ms
• Protect VDI applications from brownouts
Loss < 5%
• Voice and video preferred path SP-A
• VDI preferred path SP-B
• Increase utilization by load sharing
Multimedia and Critical Data Policy
How PfR Works
Key Operations
Define Your Traffic Policy: Identify Traffic Classes based on Applications or Transport Classifiers
Learn the Traffic: ISR G2 and ASR learn traffic classes flowing through Border Routers (BRs) based on your policy definitions
Measurement: Measure the traffic flow and network performance actively or passively and report metrics to the Master Controller
Path Enforcement: Master Controller commands path changes based on your traffic policy definitions
[Diagrams: Traffic Classes, Learning Active TCs, Performance Measurements, Best Path; routers labelled MC, BR and MC+BR (ASR1K, ISR G2)]
• Choose your policy actions for various traffic classes
• Alternate path selection based on flexible criteria
Example:
Defining Application Performance Policy
Link
Load Balancing
Max Utilization
Link-Group Path Preference
Bandwidth Costs ($)
Application
Reachability
Delay
Loss
MOS
Jitter
FLEXIBLE CRITERIA
Load-Balance Remaining Traffic
Critical Application
1. Link-Group: Path-B
2. Loss
4. Delay
Voice/Video
1. Link-Group: Path-A
2. Loss
3. Jitter
4. Delay
Optimize
Application
Performance
HTTP IS THE NEW TCP
Today’s Network Is an IT Blind Spot
• Static port classification is no longer enough
• More and more apps are opaque
• Increasing use of encryption and obfuscation
• Application consists of multiple sessions (video, voice, data)
• What if user experience is not meeting business needs?
COLLABORATION | SaaS | INFORMATION
RPC | SOAP | Video
IM | FTP
Application Performance Monitoring for IWAN
Track and Report Application Flows and Performance
Public Cloud
DC/Headquarters
Private
Cloud
Enterprise Edge
• Traffic statistics records
• Application Response Time records
• Media monitoring records
(Application, Jitter, Loss, etc)
NetFlow/IPFIX Records
(Same provisioning, same format)
• ActionPacked
• Glue
• Plixer
• Living Objects
• CompuWare
• CA Technologies
• InfoVista
PARTNER TOOLS ECOSYSTEM
NetFlow v9 Export/IPFIX Export
Collecting Collecting Collecting
Provisioning
Exporting
AVC
AVC
NetFlow v9
AVC
Branch
Proliferation of Devices
Users/
Machines
AVC
CSR
Next Generation NBAR (NBAR2)
Deep Packet Inspection (DPI)
• Provides Advanced Application Classification and Field Extraction capabilities
• In-service upgradable Protocol Definitions
No IOS upgrade or reboot for new Protocol Packs
• Backward compatibility to preserve existing NBAR investments
• NBAR2 Protocol List
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html
Application
Recognition
NBAR2
IOS
NBAR
+150
Signatures
SCE
Classification
+1000
Signatures
Innovations
Native IPv6
Classification
Open API 3rd Party
Integration.
Performance Collection and Exporting
HTTP HTTP
Voice and Video Performance
(Media Monitoring)
Advanced
Monitoring
30% of traffic is voice
and video
Critical Applications Performance
(Application Response Time)
40% of traffic is
critical applications
Perf. Collection
and Exporting
Integrated performance monitoring and advanced metrics for different types of applications and use cases
What applications, how much bandwidth, flow direction?
(Flexible Netflow and NBAR/NBAR2)
Basic Monitoring
SOLUTION
• Reduce load
– Data redundancy
elimination (DRE),
compression, and
TCP optimization
• Application
optimization
– Fewer protocol messages
and metadata caching
PROBLEM
• Application latency
• WAN bandwidth
inefficiencies
[Chart: application bandwidth (Mbps) and application latency (seconds), natively and with Cisco® WAAS, showing the reduction in bandwidth and the reduction in latency]
App Optimization: Reduce Bandwidth and Latency
Enhancing User Experience and WAN Efficiency
WAAS Delivers User Experience at Scale
T1 (1.54Mbps), 80 ms Latency
[Charts: time in seconds for each scenario below]
EMAIL 5 MB Attachment
• Send and receive email over native WAN
• First optimized with WAAS
• Second pass optimized with WAAS
CIFS 5 MB File
• File drag and drop over native WAN
• First optimized with WAAS
• Second pass optimized with WAAS
MS SHAREPOINT 5 MB Document
• SharePoint file download over native WAN
• First optimized with WAAS
• Second pass optimized with WAAS
VDI (CITRIX)
• Launch Citrix XenDesktop over native Citrix ICA/SSL
• Launch Citrix XenDesktop with WAAS
• Site navigation over native Citrix ICA/SSL
• Site navigation with WAAS
Akamai
Intelligent
Platform
Extending Akamai to the Branch with Akamai Connect
Akamai Intelligent Caching Inside Cisco ISR-AX
COMPLETING THE LAST MILE
Branch
ISR-AX
AKAMAI
INSIDE
AKAMAI
CACHE
Optimal Experience Regardless of Device, Connectivity or Cloud
All HTTP Traffic in Private, Public, Akamai Cloud
Prepositioning | Dynamic HTTP Caching (YouTube) | Any Transport
Data Center | WAN/MPLS
Secure Internet
Access
Private
Cloud
Secure Internet Access with Cisco
Cloud Web Security (CWS)
WAN1
(IP-VPN)
CWS
Public Cloud
Internet
WAN2
(Internet)
Branch
IOS Firewall to protect
Internet Edge
Secure Public Cloud and
Internet Access
ISR Connector to
CWS Firewall towers
Web Filtering, Access
Policy, Malware Detect
IWAN IPsec VPN for Private Cloud Traffic
MPLS (IP-VPN)
Internet
Private
Cloud
Virtual
Private Cloud
Public Cloud
Branch
Cisco ISR CWS Connector
How it Works
HQ
Routes
HQ
Traffic
Default
Route
WAN
Tunnel
CWS
Connector
Internet
DSL
Interface
Cisco ISR G2 with CWS Cloud Connector—FUNCTIONS:
• Authenticate router and client to CWS cloud
• Intercept HTTP/HTTPS traffic based on ACL filters
• Add user credentials header for identifying policy to be applied
• Traffic Relay: replace client Source IP address with Egress address
• Redirect to CWS for scanning
• Act as HTTP proxy to complete requests
• Allow/Block or Warn based on user or group policy
• Scan for Malware
IWAN
Management
• Cisco Prime Infrastructure
– Provides Enterprise and Integrator life-cycle network management applications
• Glue Networks
– Delivers Cloud based simplified deployment portal
• LiveAction
– IWAN AVC and PfR Configuration and Monitoring
• SDN ready with OnePK
– Comprehensive programmability kit to enable SDN provisioning applications
IWAN Network Management Solutions
From Cisco and NMS Partners
Simplified Deployment
Prime
Infrastructure
Transport Independent
Design
Prime
Infrastructure
Intelligent Path Control
Application Optimization
WAAS
Central Manager
Secure Internet Connectivity
Prime
Infrastructure
Network Health and Status
Prime
Infrastructure
IWAN 1.0 Management Tool Matrix
(AVC)
Why
Cisco IWAN?
Why Cisco IWAN
Up to
in Savings
The Alternative:
Overlay Appliances
App Visibility and Control
IP Sec VPN
WAN Opt.
Firewall
WAN Path Selection
Router
Integrated Platform
for IT Simplicity
• Branch → ISR-AX
• DC → ASR1K-AX
• Cloud → CSR1000V
Granular Control
Everywhere
• Savings enables
Business Innovation
Many pay off in
6-12 months
Quick ROI Faster
than Alternatives
• Any to Any Security
• Protect All Branch
Resources
• Secure Direct
Internet Access
Proven Security
at Scale
• App-Aware
• Endpoint-Aware
• Network-Aware
Unmatched Context-based Routing
Start with Cisco AX Routers
IWAN Capabilities Embedded in the Router
Simplify
Application
Delivery
One Network
UNIFIED SERVICES
ASR1000-AX
ISR-AX
Cisco AX Routers: ISR-4000-AX | ASR1000-AX
Transport
Independent
Routing
Secure
Connectivity
Intelligent
Path Control
Application
Optimization
IWAN Branch Services Routers
INTEGRATED IWAN SERVICES
APPLICATION CENTRIC
APPLIANCE LEVEL PERFORMANCE
• IOS Firewall, VPN, IPSec, PfRV3, NBAR2, AVC, AppNav, VRF, MPLS
• Scalable on-chip service provisioning
• App/User policy-driven deployment
• APIC_EM Automation: deploy in minutes
• Pay-as-you-grow
• Up-to-75% cost savings
• Service-Aware Dataplane
• Resilient Service Virtualization
• Multi-gigabit Fabric
ISR4000 Series - IWAN AX Ready, Next Generation Branch
ISR4431
ISR 4351
ISR 4331
ISR4321
ISR4451
500Mbps/1Gbps
200/400Mbps
100/300Mbps
50/100Mbps
1-2Gbps
NEW!
NEW!
NEW!
NEW!
IWAN Aggregation Border Routers
ASR1000 - IWAN AX Ready, High Performance Routers
INTEGRATED IWAN SERVICES
BUSINESS-CRITICAL RESILIENCY
COMPACT, POWERFUL ROUTER
• IOS Firewall, VPN, IPSec, PfRV3, NBAR2, AVC, AppNav, VRF, MPLS
• Scalable on-chip service provisioning
• Separate control and data planes
• Hardware and software redundancy
• In-service software upgrades
• Line-rate performance 2.5G to 200G+ with services enabled
• Crypto performance from 2G to 60G+
• Flexible I/O: SPAs and Ethernet LCs
• 2.5G Upgradeable to 5G, 10G, 20G
• Up to 8G Crypto Throughput
• 5G Upgradeable to 10G, 20G, 36G
• Up to 4G Crypto Throughput
• Modular, Redundant up to 200G
• Up to 60G Crypto Throughput
ASR1001-X
ASR1002-X
Modular ASR1006
NEW!
Branch
MPLS (IP-VPN)
Internet
Private
Cloud
Virtual
Private Cloud
Public Cloud
Secure WAN Transport
Direct Internet
Access
Intelligent WAN (IWAN)
Internet As WAN with High Reliability
SLAs for Business-Critical Applications
Centralized Security Policy for Internet Access
Dramatically Lower WAN Costs without Compromise
Thank you.

Cisco IWAN – Intelligent Connectivity for Today’s Reality
