Tammy Getschel
Systems Engineer
Cisco Intelligent WAN
Enabling the Next-Generation Branch
© 2013 Cisco and/or its affiliates. All rights reserved.
Pressures on the WAN
Emerging Branch Demands
The Application Landscape Is Changing
Applications are Moving to the DC and Cloud
Internet Edge Is Moving to the Branch
Cloud
SaaS, Google Docs, Office365 Guest WiFi, BYOD, App Updates
Cloud Mobility Apps
Video, VDI, Backup
Branch Data Centers
Internet as an Extension of Enterprise WAN
Commodity Transports Viable Now
Dramatic Bandwidth, Price Performance Benefits
Higher Network Availability
Improved Performance Over Internet
Intelligent WAN: Leveraging the Internet
Secure WAN Transport and Internet Access
[Diagram: Branch with Optimized Secure Transport and Direct Cloud Access; Private Cloud, Virtual Private Cloud, Public Cloud; transports MPLS (IP-VPN) and Internet]
1. IWAN Secure transport for private and virtual private cloud access
2. Leverage local Internet path for public cloud and Internet access
• Increase WAN transport capacity and app performance cost effectively!
• Improve application performance (right flows to right places)
Intelligent WAN (IWAN) Architecture
[Diagram: Unified Branch connected over MPLS, 3G/4G-LTE and Internet to Private Cloud, Virtual Private Cloud and Public Cloud]
• Application Optimization: Enhanced Application Visibility and Performance
• Secure Connectivity: Comprehensive Threat Defense
• Intelligent Path Control: Application Aware Routing
• Transport Independent: Simplified Hybrid WAN
• Management Automation
Transport-Independence
Virtualizing the Enterprise WAN
IWAN Transport Independence
Consistent deployment models simplify operations
[Diagram: three deployment models, each connecting a Branch ISR to Data Center ASR 1000 routers over DMVPN: IWAN HYBRID (Internet via ISP A, MPLS via SP B); IWAN HYBRID/LTE (4G/LTE via ISP C, MPLS via SP B); IWAN Dual MPLS (MPLS via SP A and SP B)]
IWAN Transport Independent Design with Dynamic Multipoint VPN (DMVPN)
• Proven IPsec VPN technology
  • Widely deployed, Large scale
  • Standards based IPsec and Routing
  • Adv QOS: hierarchical, per tunnel and adaptive
• Flexible & Resilient
  • Over any transport: MPLS, Carrier Ethernet, Internet, 3G/4G,..
  • Hub-n-Spoke with Dynamic full mesh Topology
  • Multiple encryption, key management, routing options
  • Multiple redundancy options: platform, hub, transports
• Secure
  • Industry Certified IPsec and Firewall
  • NG Strong Encryption: AES-GCM-256 (Suite B)
  • IKE Version 2
  • IEEE 802.1AR Secure unique device identifier
• Simplified IWAN Deployments
  • Prescriptive validated IWAN designs
  • Automated provisioning – Prime, IWAN-App, Glue
[Diagram: IWAN HYBRID: Branch and Data Center connected over Internet (ISP A) and MPLS (SP B), with two DMVPN clouds, DMVPN Purple and DMVPN Green]
Intelligent Path Control
Improving Application Delivery and WAN Efficiency
Getting the Most Out of Your WAN Investment
Benefits of Intelligent Path Control
[Diagram: Branch ISR connected over MPLS and Internet to two Data Center ASR 1000 routers]
• Enabling Hybrid WANs
• Efficient Distribution of Traffic Based Upon Load or Path Preference
• Application Best Path Based on Quality
• Protection From Carrier Black Holes and Brownouts
• Lower WAN Costs
• Full Utilization of WAN Bandwidth
• Improved Application Performance
• Higher Application Availability
Intelligent Path Control with PfR
Voice and Video Use-Case
[Diagram: Branch connected over MPLS and Internet to Virtual Private Cloud and Private Cloud]
• PfR monitors network performance and routes applications based on policy
• PfR load balances traffic based upon link utilization levels to efficiently utilize all available WAN bandwidth
• Other traffic is load balanced to maximize bandwidth
• Voice/Video will be rerouted if the current path degrades below policy thresholds
• Voice/Video take the best delay, jitter, and/or loss path
What is Performance Routing (PfR)?
“Performance Routing (PfR) provides additional intelligence to classic routing to track and verify the quality of a path over a Wide Area Networking (WAN) to determine the best path for application traffic....”
[Diagram: Data Center with a Master Controller (MC) and two Border Routers (BR), connected over MPLS and Internet to a Branch router acting as MC+BR]
Protecting Critical Applications While Increasing Bandwidth Utilization
Multimedia and Critical Data Policy
• Protect voice and video quality
  Latency < 150 ms
  Jitter < 20 ms
• Protect Email applications from WAN congestion
  Loss < 5%
• Voice and video preferred path SP1
• Email preferred path ISP
• Increase utilization by load sharing
Business App and Load-Balancing Policy
• Protect transactional business app from brownouts
  delay < 250ms
• Preferred path SP1 (MPLS)
• Increase WAN bandwidth efficiency by load-sharing traffic over all WAN paths, MPLS + Internet
[Diagrams: SP1 (MPLS) with ISP (FTTH) and SP1 (MPLS) with ISP (DSL); traffic labels Business App, Voice and Video, Email, Best-Effort Traffic; events High Delay Detected and High Jitter Detected]
Load Balancing
Maximizing Link Utilization to Increase Available Bandwidth
• Traffic distributed across all paths to efficiently use all WAN bandwidth
• Load Balancing based upon link utilization levels
• External links can have different bandwidth capacities
[Diagram: ISR connected over the WAN (MPLS and Internet) to two Data Center ASR 1000 routers]
MPLS = 1.5Mbps: 50% T1 = 750kbps
Internet = 15Mbps: 50% 15Mbps = 7.5Mbps
Application Optimization
Make Your IWAN Application Aware
Application Visibility and Control (AVC)
[Diagram: Cisco AVC between the Branch (proliferation of devices, users/machines) and DC/Headquarters, Private Cloud and Public Cloud]
Application Performance Visibility
• Application inspection with existing routers
• Rich data collection using NetFlow v9/IPFIX
• Easy to integrate into many reporting tools
Smart Capacity Planning
• Better use of costly bandwidth
• Per-branch and per-application level reporting
Business Objective Enforcement
• Service Level monitoring per application
• Better Analytics to adjust network policies to maintain compliance
Application Performance Monitoring for IWAN
Track and Report Application Flows and Performance
[Diagram: AVC instances at the Branch, Enterprise Edge, CSR and DC/Headquarters collecting flows across the WAN and exporting NetFlow v9/IPFIX to management tools, which also handle provisioning]
NetFlow/IPFIX Records (Same provisioning, same format)
• Traffic statistics records
• Application Response Time records
• Media monitoring records (Application, Jitter, Loss, etc)
Cisco Tools
Prime, APIC-EM
Partner Tools Ecosystem
LiveAction, Glue Networks, Plixer, Living Objects, CompuWare, CA Technologies
Cisco WAAS
Enhancing User Experience and WAN Efficiency
Problem
• Application latency
• WAN bandwidth inefficiencies
Solution
• Reduce load
  Data redundancy elimination (DRE), compression, and TCP optimization
• Application optimization
  Fewer protocol messages and metadata caching
[Chart: Application Bandwidth (Mbps) and Application Latency (Seconds), natively versus with Cisco® WAAS, showing a reduction in bandwidth and a reduction in latency]
IWAN – Application Optimization with Akamai Connect
Optimal Experience Regardless of Device, Connectivity or Cloud
All HTTP Traffic in Private, Public, Akamai Cloud
Prepositioning | Dynamic HTTP Caching (YouTube) | Any Transport
[Diagram: Branch ISR-AX with Akamai cache inside, connected over the WAN to the Data Center and the Akamai Intelligent Platform]
IWAN Secure Connectivity
Intelligent WAN: Secure Connectivity
Securing the network and users
[Diagram: Branch with Secure WAN Transport over MPLS (IP-VPN) and Internet, and Secure Internet Access; Private Cloud, Virtual Private Cloud, Public Cloud]
Two areas of concern
1. Protecting the network from outside threats with data privacy over provider networks
2. Protecting user access to Public Cloud and Internet services; malware, privacy, phishing,…
Securing the IWAN Transport
IPSec VPN and Access Control
• Step 1: Authenticate hardware and software
  Trust Anchor Module verification
• Step 2: Secure Transport
  Proven IPsec VPN overlay
  Strong Cryptography: IKEv2 + AES-GCM 256
  F-VRF to isolate provider networks
• Step 3: Access Control
  IOS Zone-based Firewall or ACLs protection
  Role based access to router w/ logging
  Minimize exposure
    Provider assigned addressing to hide routers
    Don’t put tunnel addresses into DNS
[Diagram: Branch connected over MPLS and Internet (ISP A, ISP C) to two Data Center ASR 1000 routers]
Intelligent WAN—Direct Cloud Access
[Diagram: Branch ISR-AX with ZBFW; MPLS (IP-VPN) and Internet transports; Direct Internet Access with CWS; Private Cloud, Virtual Private Cloud, Public Cloud]
• Leverage Local Internet path for Public Cloud and Internet access
• Improve application performance (right flows to right places)
Solutions
On Premise – Zone Based Firewall
Cloud Based – Cloud Web Security
Secure Internet Access with Cisco Cloud Web Security (CWS)
Secure Public Cloud and Internet Access
ISR Connector to CWS Firewall towers
Web Filtering, Access Policy, Malware Detect
IWAN IPsec VPN for Private Cloud Traffic
IOS Firewall to protect Internet Edge
[Diagram: Branch with WAN1 (IP-VPN) and WAN2 (Internet); CWS; Private Cloud, Public Cloud, Internet]
Orchestration and Automation
Cisco IWAN Management Portfolio
Covering a broad range of preferences and requirements
• Customer wants advanced provisioning, life cycle management, and customized policies
• System-wide network consistency assurance
• Lean IT OR IT Network team
Cisco Prime Infrastructure
• Customer needs customizable IWAN with end-to-end monitoring
• One Assurance across Cisco portfolio from Branch to Datacenter
• IT Network team
Enterprise Network Mgmt and Monitoring
Ecosystem Partners
IWAN App
• Customer wants considerable automation and operational simplicity
• Requirements consistent with prescriptive IWAN Validated Design
• Lean IT organization
Prescriptive Policy Automation
• Customer looking for advanced monitoring and visualization
• QoS/ PfR/ AVC configuration, Real-time analytics and network troubleshooting
• IT Network team
Application Aware Performance Mgmt
Advanced Orchestration
Provisioning & Life Cycle Management
Visualization & Health
IWAN Management Solution Positioning
[Chart: management solutions positioned from Prescriptive to Customizable and from Foundation to Advanced, On Prem or Cloud; labels: Prime, Prime, IWAN App, Infrastructure, ASR 1000]
APIC-EM IWAN App
APIC-EM IWAN App
Site provisioning
IWAN App – Site provisioning
3
APIC-EM IWAN App
Define Application Policy
• Business Intent → network admin informs the controller what applications are relevant for the business
• The controller is going to perform background tasks based on this business logic
APIC-EM IWAN App
Define Application Policy
• Define primary path for group of applications
• The controller will create a PfR policy based on those paths.
IWAN App
Define Application Policy
Prime Infrastructure for IWAN
• IWAN workflow wizard with PnP
• Template-based IWAN configs
• PfRv3 Domain, MC and BR
• AVC One-Click provision
• QoS Provisioning
• Single or Dual Router Branch
• CVD-based, Customizable
• AVC Readiness Assessment
• AVC, QoS, PfR Visibility
• Leverages APIC EM services
Cisco IWAN Product Portfolio
Start with Cisco AX Routers
IWAN Capabilities Embedded in the Router
[Diagram: ISR-AX, ISR-4000AX and ASR1000-AX; One Network, UNIFIED SERVICES: Transport Independent, Secure Routing, Optimization, Control, Visibility; Simplify Application Delivery]
Cisco AX Routers 800 | 1900 | 2900 | 3900 | 4000 | ASR 1000
Why Cisco IWAN?
Intelligent WAN Summary
[Diagram: Branch-1 through Branch-513 (ISR-AX with vWAAS, AVC, BR) connected over MPLS, Internet and ADSL links (20M Dn / 2M Up, 512M FD, 1.5M FD, 256M FD) and CWS to DC-West and DC-East (ASR-AX, WAAS, MC, BR), joined by DCI and the WAN Core; other labels: ATBT, MPLS Island, ShowMe$$]
Transport Independent Design
• Highly available Hybrid WAN
Intelligent Path Control
• Performance Routing (PfR) to protect applications and load balance traffic to maximize expensive WAN bandwidth
Application Optimization
• Application Visibility and Control (AVC) to monitor performance
• WAAS + Akamai to reduce bandwidth consumption while improving application experience
Secure Connectivity
• Secure the network from outside threats
• Cloud Web Security (CWS) for improved Cloud performance while freeing up WAN bandwidth, without compromising security
IWAN Management
• Cisco and Ecosystem Partner tools
  APIC-EM IWAN-APP, Prime, LiveAction, GlueWare, and more
Cisco Intelligent WAN (IWAN)
[Diagram: Branch with Secure WAN Transport over MPLS (IP-VPN) and Internet, and Direct Internet Access; Private Cloud, Virtual Private Cloud, Public Cloud]
Mixed Transport WAN with High Reliability
SLAs for Business-Critical Applications
Centralized Security Policy for Internet Access
Dramatically Lower WAN Costs Without Compromise
IWAN Backup Slides
What Are the Big Trends in the Branch?
Digital Signage
• Clients engage with Digital Signage 50% more than static ads
  -Intel field trials
• Dynamic signs, driven by RFID, increase sales by 34%
  -Intel field trials
• growing more than 10% Y:Y through 2020
  -Grandview Research
Mobile Applications
• 41% of K-12 students use tablets for video learning
  -Project Tomorrow
• 38% of Corporations are investing to develop or replace applications to be web based in 2015
  -Computer World
• 18% of companies use Mobile Video Applications for Training
  -eLearning Industry
Guest WiFi
• Branch Guest WiFi causes 39% of customers to increase the duration of their stay.
• Offering guest WiFi increases traffic for 56% of branch locations
  -IHL Group
• “A week without guest WIFI leaves customers grumpier than a week without coffee”
  -Huff Tech Research
What Are the Big Cloud Trends?
20% of applications are in the cloud, growing 18% a year
AWS Reaches Over 1 Million Active Customers
Applications that move between the branch, the cloud, and the DC
[Chart: Installed Workloads in Millions, 2012 to 2017: Cloud Data Center (30% CAGR) versus Traditional Data Center (6% CAGR); share labels 61%, 39%, 37%, 63%]
Source: Cisco Global Cloud Index (GCI)
Source: zdnet.com
40% of organizations will spend more on software as a service and a mix of public, private, hybrid and community clouds in 2015. Source: Computer World
Leveraging the Internet Pays Off Fast
EXAMPLE: San Francisco Single MPLS VPN vs. Dual Business Internet ($ per Month)
[Chart: monthly price at 1.5 Mbps and 10 Mbps for iWAN (Dual Internet Links Combined for Ent SLA), MPLS VPN CoS3, MPLS VPN CoS2 and MPLS VPN CoS1; values shown: $220, $140, $830, $260, $885, $274, $1,014, $303; -75%]
$665 Savings/Month x 12 Months x 1,000 Sites = $8M Savings per Year
Source: Telegeography MPLS VPN pricing for San Francisco as of March 2013; Comcast Web site; Verizon website
Building Highly Resilient WANs
Redundancy and Path Diversity Matter
• Dual routers, dual paths (MPLS + Internet, Internet + Internet, MPLS + MPLS): 99.999% availability, downtime per year 5 Minutes
• Single router, dual paths (MPLS + MPLS, MPLS + Internet, Internet + Internet): 99.995% availability, downtime per year 26 Minutes
• Single router, single path (MPLS, Internet): 99.95%* and 99.90%* availability, downtime per year 4–9 Hours; 8 Hours 46 Minutes
IWAN Solution
* Typical MPLS and Business Grade Broadband Availability SLAs and Downtime per Year, calculated with Cisco AS DAAP tool.
IWAN Transport Best Practices
• Private peering with Internet providers
  Use same Internet provider for hub and spoke sites
  Avoids Internet Exchange bottlenecks between providers
  Reduces round trip latency
• DMVPN Phase 3
  Scalable dynamic site-to-site tunnels
  Separate DMVPN per transport for path diversity
  Per tunnel QOS
  NG Encryption – IKEv2 + AES-GCM-256 encryption
• Transport settings
  Use the same MTU size on all WAN paths
  Bandwidth settings should match offered rate
• Routing Overlay
  iBGP or EIGRP for high scale
  Single routing process, simplified operations
  Front-side VRF to isolate provider networks
[Diagram: IWAN HYBRID: Branch and Data Center connected over Internet (ISP A) and MPLS (SP B), with two DMVPN clouds, DMVPN Purple and DMVPN Green]
Intelligent Path Control
- Backup Slides
Performance Routing—Components
The Decision Maker: Master Controller (MC)
• Discover BRs, collect statistics
• Apply policy, verification, reporting
• No packet forwarding/inspection required
The Forwarding Path: Border Router (BR)
• Does all packet forwarding
• Visibility in network performance
• Enforce MC’s decision (path enforcement)
The Policy Controller: Domain Controller (DC)
• Discover site peers, prefixes and connected networks
• Advertise policy and services
• One per domain, collocated with MC
[Diagram: DC/MC and two BRs at the hub, connected over MPLS and Internet to a Branch router acting as MC+BR]
PfR Domain Controller
• Domain Controller (DC) Peering Framework
  – Site MCs register to Domain
  – Advertise to, or request services
  – Simplifies deployment and configuration
  – Provides topology auto-discovery
• Single point of configuration across the domain
• Used to distribute information to sites:
  – Learned site-prefix
  – Application/Traffic Policies
  – Performance monitoring
  – Traffic Class Database
[Diagram: Domain Controller and Master Controller connected over WAN1 and WAN2]
How PfR Works
Key Operations
1. Define Your Traffic Policy: Define Traffic Classes and service level Policies based on Applications or Transport Classifiers
2. Learn the Traffic: Border Routers learn current traffic classes going to the WAN based on classifier definitions (Learning Active TCs)
3. Measurement: Measure the traffic flow and network performance and report metrics to the Master Controller (Performance Measurements)
4. Path Enforcement: Master Controller commands path changes based on traffic class policy definitions (Best Path)
[Diagrams: hub DC/MC with BRs on ASR1K and branch MC+BR routers on ISR, one panel per operation]
Intelligent Path Control
Path of Last Resort – New
• Simplifies and speeds up failover routing to a backup only path
• Granular failover per traffic class policy
• Extends path-preference to include a last-resort path(s)
• Removes the need for the routing protocol to initiate failover
• Good choice for cellular, satellite and other backup only paths
[Diagram: Branch Site (R14, MC/BR) connected by DMVPN over MPLS, INET and LTE to DC1 and DC2; labels: DC/MC, MC, BR, ASA, MPLS2, INET2]
IWAN 2.1, Fall 15
Application Optimization
- Backup Slides
Today’s Network is an IT Blind Spot
• Static port classification is no longer enough
• More and more apps are opaque
• Increasing use of encryption and obfuscation
• Application consists of multiple sessions (video, voice, data)
• What if user experience is not meeting business needs?
Performance Collection & Exporting
Integrated performance monitoring and advanced metrics for different types of applications and use cases
Unified Monitoring
• Basic Monitoring: What applications, how much bandwidth, flow direction? (NBAR2 and Flexible Netflow)
• Voice and Video Performance (Media Monitoring): 30% of traffic is voice and video
• Critical Applications Performance (Application Response Time): 40% of traffic is critical applications
Application Acceleration + Edge Caching
Enhancing User Experience while reducing WAN load
Supports: Akamai Cloud | Single-sided Optimization | Secure Direct Cloud Access
AKAMAI CACHING
• Transparent HTTP Caching
• Dynamic URL OTT HTTP Caching
• Akamai Connected Cache
• Content Pre-positioning
CISCO WAAS Optimization
• LZ Compression
• TCP Optimization
• Data De-duplication
• Application Specific Acceleration
Cisco WAAS & Akamai Deployment Models
[Diagram: deployment options connected over the IWAN/VPN: Branch Office with WAAS Service Module/UCSe; Branch Office with WAAS-XE on ISR-4000; Branch Office with WAAS Appliance; Regional Office with WAAS Appliance; Data Center or Private Cloud with WAAS Appliances (WAE), AppNav + WAAS, and vWAAS appliances beside server VMs on VMware ESXi (Nexus 1000v vPATH and VSM, UCS/x86 server, FC SAN); Virtual Private Cloud with vWAAS; one option marked New]
IWAN Secure Connectivity
- Backup Slides
Trust Anchor Module (TAM)
“How do I Know the Hardware is Authentic?”
• Provides Immutable Identity
• Standard Identity: IEEE 802.1AR (SUDI X.509 cert)
• Secure Storage of Credentials
• Anti-Theft & Anti-Tamper Chip Design
• Certifiable Entropy for Random Number Generation
[Diagram: Trust Anchor Module (TAM)]
TAM Features & Services
• Immutable Identity
• Secure Storage (Keys & Objects)
• Certifiable Entropy Source
• Secure Crypto Assist
• Secure Application Certificates
Checks to Verify as Cisco Genuine
• Authenticity & License Check
• Verify Secure Identity
TAM/Secure Identity Verification
Product Security
• Provides trustworthy hardware offering immutable identity, secure storage, random number generator, and encryption
• Available in the ISR-4000, newer Catalyst and other Cisco products
Secure Boot
“How do I Know the Software is Authentic?”
Verifies the software has not been altered or tampered since it was signed
[Diagram: Secure Boot Process: Power On, Hardware Anchor (Secure Microloader), Signed Bootloader/BIOS, Signed Operating System, Launch Operating System, with Integrity Check and Image Signing between stages]
• Immutable Anchor ensuring hardware integrity and key authenticity
• Power-Up Microloader verifies Bootloader and BIOS
• A Signed Bootloader/BIOS validates Operating System
• Ensures only authentic Cisco software boots up on a Cisco Platform
• Anchored in hardware, as the image is created, the signature is installed & signed with a secure private key
• As the software boots, the system checks to ensure the installed digital certificate is valid
• Subsequent hash checks provide continuous monitoring with runtime integrity
[Diagram: Branch connected over MPLS and Internet (ISP A, ISP C) to two Data Center ASR 1000 routers]
Add Network Integrated Threat Defense
IOS Zone-Based Firewall
• Control the Perimeter:
• External and internal protection: internal network is no longer trusted
• Protocol anomaly detection and stateful inspection
• Communicate Securely:
• Call flow awareness (SIP, SCCP, H323)
• Prevent DoS attacks
• Flexible:
• Split Tunnel-Branch direct Internet access
• Internal FW— addresses regulatory compliances
• Integrated:
• No need for additional devices, expenses and power
• Works with other IWAN Services: CWS, WAAS, UCS-E,…
• Manageable:
• APIC-EM, Prime, CLI, SNMP, CCP, and CSM
Securing IWAN Transports with Front-door VRF
Isolation of external networks
Virtual Route Forwarding (VRFs) create multiple logical routers on a single device
• Separate control/forwarding planes per VRF
• No connectivity between VRFs by default
• Provider side VRF (yellow) for external networks, Global VRF (blue) for internal networks
Provider VRF minimizes threat exposure
• Default routing only in Provider VRF
• Provider assigned IP addressing hides internal network
• Provider IP address used as IPSec tunnel source
• Only IPsec allowed between internal Global and Provider Front Side VRFs
[Diagram: router with a Global (Inside Network) VRF holding the Branch LAN (10.1.1.0/24, 10.1.2.0/24, …) and the IPSec Tunnel Interface, and a Front Side “Provider Interface” VRF (F-VRF) holding the Provider Assigned WAN IP Address 192.168.254.254. VRFs have independent routing and forwarding planes. IOS ZBFW or ACL to permit only authorized traffic; i.e. IPsec]
[Diagram: Branch on DSL and Cable links (ISP A, ISP C) to two Data Center ASR 1000 routers]
Protecting Public facing IWAN Interfaces
• Use ACLs, ZBFW or ASA to block all traffic except the DMVPN tunnel traffic to routers
• Zone Based Firewall (ZBFW) at the branch if there are plans for Direct Cloud Access
• Typical ACL for protecting the Internet interface
interface GigabitEthernet0/0
 bandwidth 10000
 ip vrf forwarding INET-PUBLIC1
 ip address dhcp
 ip access-group ACL-INET-PUBLIC in
 duplex auto
!
ip access-list extended ACL-INET-PUBLIC
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 permit udp any any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 permit udp any any gt 1023 ttl eq 1
!
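One way to check a router's Internet-facing interface against the ACL shown above, as an added example (not from the original slides or any Cisco tool): a Python audit that parses an IOS configuration, confirms the interface sits in a front-door VRF with an inbound ACL, and flags any permit entry outside the slide's DMVPN-only list. The function names and the DRIFTED_CONFIG sample are constructed for illustration.

```python
import re

# "<protocol> <destination match>" for every entry the slide's ACL permits.
BASELINE = {
    "udp eq non500-isakmp": "IPsec NAT-T (UDP/4500)",
    "udp eq isakmp": "IKE (UDP/500)",
    "esp": "IPsec ESP",
    "udp eq bootpc": "DHCP replies to the router",
    "icmp echo": "ping requests",
    "icmp echo-reply": "ping replies",
    "icmp ttl-exceeded": "traceroute replies",
    "icmp port-unreachable": "traceroute replies",
    "udp gt 1023 ttl eq 1": "inbound traceroute probes",
}
TUNNEL_ENTRIES = ("udp eq isakmp", "udp eq non500-isakmp", "esp")  # IPsec itself
PORT_OPS = {"eq", "gt", "lt", "neq", "range"}
ACE_RE = re.compile(r"^(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(.+)$")

# The slide's interface and ACL (interface lines unrelated to the audit omitted).
SLIDE_CONFIG = """\
interface GigabitEthernet0/0
 ip vrf forwarding INET-PUBLIC1
 ip access-group ACL-INET-PUBLIC in
!
ip access-list extended ACL-INET-PUBLIC
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 permit udp any any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 permit udp any any gt 1023 ttl eq 1
!
"""
# Constructed sample: no VRF, a management port opened, ESP entry missing.
DRIFTED_CONFIG = """\
interface GigabitEthernet0/1
 ip access-group ACL-DRIFTED in
!
ip access-list extended ACL-DRIFTED
 permit udp host 198.51.100.10 any eq isakmp
 permit udp any any eq non500-isakmp
 permit tcp any any eq 22
!
"""

def _skip_address(tokens):
    # Drop one address spec from the front: "any", "host A" or "A WILDCARD".
    return tokens[1:] if tokens[:1] == ["any"] else tokens[2:]

def ace_key(proto, rest):
    """Reduce an ACL entry to '<proto> <destination match>', ignoring addresses."""
    tokens = _skip_address(rest.split())              # source address
    if tokens and tokens[0] in PORT_OPS:              # source-port qualifier:
        return f"{proto} src-port {' '.join(tokens)}"  # never in the baseline
    tokens = [t for t in _skip_address(tokens) if not t.startswith("log")]
    return " ".join([proto] + tokens)

def parse_config(text):
    """Return ({interface: {'vrf', 'acl_in'}}, {acl_name: [(action, key, line)]})."""
    interfaces, acls, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "!"):
            section = None
        elif line.startswith("interface "):
            name = line.split(None, 1)[1]
            section = interfaces.setdefault(name, {"vrf": None, "acl_in": None})
        elif line.startswith("ip access-list extended "):
            section = acls.setdefault(line.split()[-1], [])
        elif isinstance(section, dict):
            m = re.match(r"(?:ip )?vrf forwarding (\S+)|ip access-group (\S+) in$", line)
            if m:
                section["vrf"] = m.group(1) or section["vrf"]
                section["acl_in"] = m.group(2) or section["acl_in"]
        elif isinstance(section, list):
            ace = ACE_RE.match(line)
            if ace:
                section.append((ace.group(1), ace_key(ace.group(2), ace.group(3)), line))
    return interfaces, acls

def audit_interface(text, ifname):
    """List findings for one public interface; an empty list matches the baseline."""
    interfaces, acls = parse_config(text)
    intf = interfaces.get(ifname)
    if intf is None:
        return [f"{ifname}: interface not found"]
    findings = []
    if not intf["vrf"]:
        findings.append(f"{ifname}: not in a front-door VRF")
    name = intf["acl_in"]
    if name not in acls:
        return findings + [f"{ifname}: no defined inbound ACL ({name})"]
    permits = [(key, raw) for action, key, raw in acls[name] if action == "permit"]
    findings += [f"{name}: outside DMVPN baseline: {raw}"
                 for key, raw in permits if key not in BASELINE]
    seen = {key for key, _ in permits}
    findings += [f"{name}: missing {BASELINE[k]} ({k})"
                 for k in TUNNEL_ENTRIES if k not in seen]
    return findings
```

Entries with a narrower source (such as the `host` entry in the constructed sample) still match the baseline, because only the protocol and destination match are compared.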
Orchestration and Automation
- Backup Slides
IWAN App – Application Classification
IWAN App – Policy Provisioning
Service Health Summary
PfR dashboard – look at events at sites
Router – Provider – Server
Link details
Link Details
PfR threshold crossing
LiveAction Software
• An Application-aware Network Performance Management and QoS Control tool
• Fast, simple, cost effective way to monitor and control application performance leveraging Cisco capabilities
LiveAction Components
Flow | QoS Monitor | QoS Configure | Routing | LAN | IP SLA
Business Relevance to End-Customers
• Insightful Application Performance and Troubleshooting
• Faster QoS Monitoring and Configuration
• Visual WAN Bandwidth Management
• Higher Quality Voice and Video
• Efficient WAN Performance Baselining and Capacity Planning
Click -- Easily deploy, configure, monitor, and analyze Cisco advanced technologies
See -- End-to-end flow visualization for a holistic view of the network
Fix -- Unique QoS graphical control to troubleshoot and solve issues. Instant validation of policy changes
Point -- Quick diagnosis of performance issues through visual displays
Higher Productivity Thru Faster and Reliable Applications
Glue Networks IWAN Orchestration
• Cloud-based SaaS subscription model
• Eliminates manual building of WANs
• Automated WAN orchestration and management
• Quick configuration updates and IOS upgrades
• Rapidly delivers nextgen and IWAN features
• Forward compatible with SDN and OnePK for app aware WANs
• Broadband and MPLS support for centralized hybrid WAN management for IWAN
Introducing Gluware 2.0:
DevOps for Network Engineers
Transforms Enterprise Networks
• Network Engineer Centric vs. Programmer Centric
• Gluware Lab—Rapid Development Environment, NDK, & FLOW (Flexible Language Object Workstream)
• Gluware Control—Network-aware and Customizable Life-Cycle Mgmt
• Integrated with leading architectures (IWAN)
• Rest API third party Monitoring, Visualization, Controllers
LiveAction 4.3 and Performance Routing
• PfR path change visualization
• Alert and report on PfR Out of Policy events
• Reports on traffic class/application path changes
Out-Of-Policy
Threshold Crossing Alert
Before Brown-Out (Northern Path) After Brown-Out (Southern Path)
Alerts / performance
by Site
Alerts / performance
by Application Group
All Alerts
PfRv3 Dashboard
LiveAction Demonstration
• System topology and end-to-end flow visualization
• Flow, PfR, and QoS
• PfR Failover Demo (12 min)
  http://vimeo.com/108511944
• PfR Configuration (15 min)
  https://vimeo.com/121177440
Gluware 2.0 Workflow
Intelligent SD-WAN Orchestration Platform Benefits
• Optimize WAN Management with best-practices architectures (IWAN) & centralized management
• Zero Touch Deployment with consistency, error checking & architecture awareness
• WAN Orchestration with DevOps boosting agility and customization with the Network Engineer in mind
• Simplify Roll-Out of complex services through policy centralization and assurance
• Control Network Evolution with advanced feature support and open, programmable interfaces
• Transport Agnostic connectivity for hybrid WAN and cost reduction
IWAN Glue Networks APIC-EM Evolution
[Diagram: Phase 1, Phase 2 and Phase 3-5 across the Device Layer, Element Layer, Control Layer, Orchestration & Automation Layer and Network Operator Level (Admin); interfaces shown: CLI, TCL, SNMP, API, APIC-EM, Gluware; the IWAN pillars TID, IPC, AO and SIC appear in each phase]
Cisco Internal O
IWAN Pillars:
TID – Transport Independent
IPC – Intelligent Path Control
AO – Application Optimization
SIC – Secure Internet Access
Cisco IWAN Product Portfolio
- Backup Slides
IWAN Branch Services Routers
INTEGRATED IWAN SERVICES | APPLICATION CENTRIC | APPLIANCE LEVEL PERFORMANCE
• IOS Firewall, VPN, IPSec, PfRV3, NBAR2, AVC, AppNav, VRF, MPLS
• Scalable on-chip service provisioning
• App/User policy-driven deployment
• APIC_EM Automation: deploy in minutes
• Pay-as-you-grow
• Up-to-75% cost savings
• Service-Aware Dataplane
• Resilient Service Virtualization
• Multi-gigabit Fabric
ASR4000 Series - IWAN AX Ready, Next Generation Branch
• ISR4431: 500Mbps/1Gbps
• ISR 4351: 200/400Mbps
• ISR 4331: 100/300Mbps
• ISR4321: 50/100Mbps
• ISR4451: 1-2Gbps
IWAN Aggregation Border Routers
ASR1000 - IWAN AX Ready, High Performance Routers
INTEGRATED IWAN SERVICES
• IOS Firewall, VPN, IPSec, PfRV3, NBAR2, AVC, AppNav, VRF, MPLS
• Scalable on-chip service provisioning
BUSINESS-CRITICAL RESILIENCY
• Separate control and data planes
• Hardware and software redundancy
• In-service software upgrades
COMPACT, POWERFUL ROUTER
• Line-rate performance 2.5G to 200G+ with services enabled
• Crypto performance from 2G to 60G+
• Flexible I/O: SPAs and Ethernet LCs
ASR1001-X
• 2.5G Upgradeable to 5G, 10G, 20G
• Up to 8G Crypto Throughput
ASR1002-X
• 5G Upgradeable to 10G, 20G, 36G
• Up to 4G Crypto Throughput
Modular ASR1006
• Modular, Redundant up to 200G
• Up to 60G Crypto Throughput
Cisco UCS-E Series
Extend Cloud Services into Branch Infrastructure
Support on ISR Series Routers
[Diagram: ISR with IOS and MGF Backplane Switch hosting UCS-E Blades, each with CIMC and a Hypervisor running OS/App virtual machines]
• Platform for WAN Edge Applications: Microsoft Windows-Server and Linux Certified
• Server Virtualization: Cisco UCS Virtualization Powered by VMware, Microsoft, Citrix
• Dedicated Blade Management: Cisco Integrated Management Controller; Consistent management for UCS family
• Multipurpose x86 Blades: Cisco UCS E Series modules; House up to four server blades in an ISR
• Single-Device Network Integration: House all services in ISR chassis; Multigigabit fabric backplane switch
Cisco UCS E-Series Server
Hypervisor and OS Support
Hypervisors
• VMware vSphere Hypervisor™ 5.0, update 1, 5.1 and 5.5
• Hyper-V (Windows 2008 R2 and 2012, 2012 R2)
• Citrix XenServer 6.0
Microsoft Windows
• Windows Server 2008 R2 Standard 64-bit
• Windows Server 2008 R2 Enterprise 64-bit
• Windows Server 2012, 2012 R2
Linux
• Red Hat Enterprise Linux 6.2
• SUSE Linux Enterprise 11, service pack 2
• Oracle Enterprise Linux 6.0, update 2
Why Cisco IWAN?
- Backup Slides
IWAN Vision and Strategy
• INTELLIGENT VIRTUALIZATION: Secure VPN Overlay, Any Transport, Bandwidth Efficiency, Application SLA
• AUTOMATION: Secure, Simple, Centralized Policy Automation
• CLOUD INTEGRATION: ACI Policies, Inter-Cloud Mobility, Optimization, AMP
• SERVICE VIRTUALIZATION: vRouter, vService and App Orchestration
• SELF LEARNING NETWORKS: Predictive, Self Directed
IWAN Vision and Strategy
Systems Development evolution of IWAN
[Diagram: INTELLIGENT VIRTUALIZATION, AUTOMATION, CLOUD INTEGRATION, SERVICE VIRTUALIZATION, SELF LEARNING NETWORKS]
IWAN Framework
• Transport Independent Design
• Intelligent Path Control
• Application Optimization
• Secure Connectivity
• Management & Orchestration
Incremental improvements while delivering new use-cases
SD-WAN Working Group –
SD-WAN Top 10
Requirements
- Backup Slides
• Community of IT business leaders who exchange ideas and best
practices for implementing Open Networking and Software-Defined
Networking (SDN) designs.
• One of the ONUG working groups is the SD-WAN Working Group
• The SD-WAN working group has determined a set of 10 business
requirements (based on user-developed use cases) that Enterprises
should consider when evaluating SD-WAN solutions.
Open Networking User Group
Source: http://blogs.cisco.com/enterprise/cisco-intelligent-wan-delivers-on-sd-wan-business-requirements
Top 10 Requirements for SD-WAN
1. Public and Private Active-Active: Ability for remote site/branch to leverage public and private WANs in an active/active fashion for business applications.
2. Physical or Virtual CPE: Ability to deploy CPE in a physical or virtual form factor on commodity hardware.
3. Security and Business policies: A secure hybrid WAN architecture that allows for dynamic traffic engineering capability across private and public WAN paths as specified by application policy, prevailing network WAN availability and/or degradation at transport or application layer performance.
4. App and Performance Aware Dynamic Traffic Eng: Visibility, prioritization and steering of business critical and real-time applications as per security and corporate governance and compliance policies.
5. Highly Available & Resilient WAN: A highly available and resilient hybrid WAN environment for optimal client and application experience.
6. L2 and L3 Interoperability: Layer 2 and 3 interoperability with directly connected switch and/or router.
7. Dashboard Reporting: Site, Application and VPN performance level dashboard reporting.
8. Open API: Open north-bound API for controller access and management, ability to forward specific log events to network event correlation manager and/or Security Incident & Event Manager (SIEM).
9. Zero Touch Deployment: Capability to effect zero touch deployment at branch site with minimal to no configuration changes on directly connected infrastructure, ensuring agility in provisioning and deployment.
10. FIPS-140-2: FIPS 140-2 validation certification for cryptography modules/encryption with automated certificate life cycle management and reporting.

Video Streaming: Then, Now, and in the Future
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
 

Cisco Intelligent WAN: Enabling the Next-Generation Branch

  • 1. Tammy Getschel Systems Engineer Cisco Intelligent WAN Enabling the Next-Generation Branch
  • 2. © 2013 Cisco and/or its affiliates. All rights reserved. 2 Pressures on the WAN Emerging Branch Demands The Application Landscape Is Changing Applications are Moving to the DC and Cloud Internet Edge Is Moving to the Branch Cloud SaaS, Google Docs, Office365 Guest WiFi, BYOD, App Updates Cloud Mobility Apps Video, VDI, Backup Branch Data Centers
  • 3. Internet as an Extension of Enterprise WAN Commodity Transports Viable Now Dramatic Bandwidth, Price Performance Benefits Higher Network Availability Improved Performance Over Internet 3
  • 4. Intelligent WAN: Leveraging the Internet Secure WAN Transport and Internet Access Optimized Secure Transport Branch Direct Cloud Access Private Cloud Virtual Private Cloud Public Cloud 1. IWAN Secure transport for private and virtual private cloud access 2. Leverage local Internet path for public cloud and Internet access • Increase WAN transport capacity and app performance cost effectively! • Improve application performance (right flows to right places) MPLS (IP-VPN) Internet
  • 5. Intelligent WAN (IWAN) Architecture MPLS Unified Branch 3G/4G-LTE Internet Private Cloud Virtual Private Cloud Public Cloud Application Optimization Enhanced Application Visibility and Performance Secure Connectivity Comprehensive Threat Defense Intelligent Path Control Application Aware Routing Transport Independent Simplified Hybrid WAN Management Automation 5
  • 7. IWAN Transport Independence Consistent deployment models simplify operations Internet MPLS Branch DMVPN DMVPN IWAN HYBRID Data Center ISR ASR 1000 ASR 1000 ISP A SP B 4G/LTE Branch DMVPN IWAN HYBRID/LTE Data Center ISP C SP B ASR 1000 MPLS Branch MPLS DMVPN IWAN Dual MPLS Data Center ISR ASR 1000 ASR 1000 SP A SP B DMVPN MPLS DMVPN ISR ASR 1000
  • 8. IWAN Transport Independent Design with Dynamic Multipoint VPN (DMVPN)
      • Proven IPsec VPN technology
          – Widely deployed, large scale
          – Standards based IPsec and Routing
          – Adv QOS: hierarchical, per tunnel and adaptive
      • Flexible & Resilient
          – Over any transport: MPLS, Carrier Ethernet, Internet, 3G/4G,..
          – Hub-n-Spoke with Dynamic full mesh Topology
          – Multiple encryption, key management, routing options
          – Multiple redundancy options: platform, hub, transports
      • Secure
          – Industry Certified IPsec and Firewall
          – NG Strong Encryption: AES-GCM-256 (Suite B)
          – IKE Version 2
          – IEEE 802.1AR Secure unique device identifier
      • Simplified IWAN Deployments
          – Prescriptive validated IWAN designs
          – Automated provisioning – Prime, IWAN-App, Glue
      (Diagram labels: IWAN HYBRID; Branch; Data Center; Internet; MPLS; DMVPN Purple; DMVPN Green; ISP A; SP B)
  • 9. Intelligent Path Control Improving Application Delivery and WAN Efficiency
  • 10. Getting the Most Out of Your WAN Investment Benefits of Intelligent Path Control Data Center Branch ASR 1000 ASR 1000 ISR MPLS Internet Enabling Hybrid WANs Efficient Distribution of Traffic Based Upon Load or Path Preference Application Best Path Based on Quality Protection From Carrier Black Holes and Brownouts Lower WAN Costs Full Utilization of WAN Bandwidth Improved Application Performance Higher Application Availability 11
  • 11. Intelligent Path Control with PfR Voice and Video Use-Case Branch MPLS Internet Virtual Private Cloud Private Cloud • PfR monitors network performance and routes applications based on policy • PfR load balances traffic based upon link utilization levels to efficiently utilize all available WAN bandwidth Other traffic is load balanced to maximize bandwidth Voice/Video will be rerouted if the current path degrades below policy thresholds Voice/Video take the best delay, jitter, and/or loss path 12
  • 12. What is Performance Routing (PfR)? MPLS Internet Branch BR BR Data Center MC “Performance Routing (PfR) provides additional intelligence to classic routing to track and verify the quality of a path over a Wide Area Networking (WAN) to determine the best path for application traffic....” MC+BR 13
  • 13. SP1 (MPLS) ISP (FTTH) • Protect voice and video quality Latency < 150 ms Jitter < 20 ms • Protect Email applications from WAN congestion Loss < 5% • Voice and video preferred path SP1 • Email preferred path ISP • Increase utilization by load sharing Multimedia and Critical Data Policy Business App Best-Effort Traffic High Delay Detected SP1 (MPLS) ISP (DSL) Voice and Video High Jitter Detected Email Best-Effort Traffic Protecting Critical Applications While Increasing Bandwidth Utilization • Protect transactional business app from brownouts delay < 250ms • Preferred path SP1 (MPLS) • Increase WAN bandwidth efficiency by load-sharing traffic over all WAN paths, MPLS + Internet Business App and Load-Balancing Policy 14
  • 14. Load Balancing: Maximizing Link Utilization to Increase Available Bandwidth
      • Traffic distributed across all paths to efficiently use all WAN bandwidth
      • Load Balancing based upon link utilization levels
      • External links can have different bandwidth capacities
      Example: MPLS = 1.5Mbps, Internet = 15Mbps; 50% of T1 = 750kbps, 50% of 15Mbps = 7.5Mbps
      (Diagram labels: ISR; WAN; Internet; MPLS; ASR 1000; ASR 1000; Data Center)
  • 16. Branch Proliferation of Devices Users/ Machines Private Cloud Make Your IWAN Application Aware Application Visibility and Control (AVC) DC/Headquarters Public Cloud Cisco AVC Application Performance Visibility • Application inspection with existing routers • Rich data collection using NetFlow v9/IPFIX • Easy to integrate into many reporting tools Smart Capacity Planning • Better use of costly bandwidth • Per-branch and per-application level reporting Business Objective Enforcement • Service Level monitoring per application • Better Analytics to adjust network policies to maintain compliance 17 AVC
  • 17. Proliferation of Devices Users/ Machines Private Cloud Application Performance Monitoring for IWAN Track and Report Application Flows and Performance WAN NetFlow v9 Enterprise Edge AVC AVC CSR NetFlow/IPFIX Records (Same provisioning, same format) • Traffic statistics records • Application Response Time records • Media monitoring records (Application, Jitter, Loss, etc) Cisco Tools Prime, APIC-EM Partner Tools Ecosystem LiveAction Glue Networks Plixer Living Objects CompuWare CA Technologies Collecting Collecting Collecting Provisioning Exporting NetFlow v9 Export/IPFIX Export Branch DC/Headquarters AVC AVC 18
  • 18. Cisco WAAS: Enhancing User Experience and WAN Efficiency
      Problem
          – Application latency
          – WAN bandwidth inefficiencies
      Solution
          – Reduce load: Data redundancy elimination (DRE), compression, and TCP optimization
          – Application optimization: Fewer protocol messages and metadata caching
      (Charts: Application Bandwidth, in Mbps, and Application Latency, in seconds, natively versus with Cisco WAAS; labels: Reduction in bandwidth, Reduction in latency)
  • 19. Data CenterBranch Akamai Intelligent Platform Optimal Experience Regardless of Device, Connectivity or Cloud All HTTP Traffic in Private, Public, Akamai Cloud Prepositioning | Dynamic HTTP Caching (YouTube) | Any Transport ISR-AX AKAMAI Inside AKAMAI CACHE WAN IWAN – Application Optimization with Akamai Connect
  • 21. Intelligent WAN: Secure Connectivity Securing the network and users Secure WAN Transport Branch MPLS (IP-VPN) Internet Secure Internet Access Private Cloud Virtual Private Cloud Public Cloud Two areas of concern 1. Protecting the network from outside threats with data privacy over provider networks 2. Protecting user access to Public Cloud and Internet services; malware, privacy, phishing,… 23
  • 22. Securing the IWAN Transport: IPSec VPN and Access Control
      • Step 1: Authenticate hardware and software
          – Trust Anchor Module verification
      • Step 2: Secure Transport
          – Proven IPsec VPN overlay
          – Strong Cryptography: IKEv2 + AES-GCM 256
          – F-VRF to isolate provider networks
      • Step 3: Access Control
          – IOS Zone-based Firewall or ACLs protection
          – Role based access to router w/ logging
          – Minimize exposure
          – Provider assigned addressing to hide routers
          – Don’t put tunnel addresses into DNS
      (Diagram labels: Branch; MPLS; Internet; ASR 1000; ASR 1000; ISP A; ISP C; Data Center)
  • 23. Intelligent WAN—Direct Cloud Access Branch MPLS (IP-VPN) Internet Direct Internet Access Private Cloud Virtual Private Cloud Public Cloud • Leverage Local Internet path for Public Cloud and Internet access • Improve application performance (right flows to right places) Solutions On Premise – Zone Based Firewall Cloud Based – Cloud Web Security CWS ISR-AX ZBFW 26
  • 24. Secure Internet Access with Cisco Cloud Web Security (CWS) Secure Public Cloud and Internet Access ISR Connector to CWS Firewall towers Web Filtering, Access Policy, Malware Detect WAN1 (IP-VPN) CWS Private Cloud Public Cloud Branch WAN2 (Internet) IWAN IPsec VPN for Private Cloud TrafficIOS Firewall to protect Internet Edge Internet 27
  • 26. Cisco IWAN Management Portfolio Covering a broad range of preferences and requirements • Customer wants advanced provisioning, life cycle management, and customized policies • System-wide network consistency assurance • Lean IT OR IT Network team Cisco Prime Infrastructure • Customer needs customizable IWAN with end-to-end monitoring • One Assurance across Cisco portfolio from Branch to Datacenter • IT Network team Enterprise Network Mgmt and Monitoring Ecosystem Partners IWAN App • Customer wants considerable automation and operational simplicity • Requirements consistent with prescriptive IWAN Validated Design • Lean IT organization Prescriptive Policy Automation • Customer looking for advanced monitoring and visualization • QoS/ PfR/ AVC configuration, Real-time analytics and network troubleshooting • IT Network team Application Aware Performance Mgmt Advanced Orchestration
  • 27. Provisioning & Life Cycle Management Visualization & Health IWAN Management Solution Positioning CustomizablePrescriptive AdvancedFoundation Prime Prime IWAN AppOn Prem Cloud Infrastructure ASR 1000
  • 29. APIC-EM IWAN App Site provisioning
  • 30. APIC-EM IWAN App Site provisioning
  • 31. APIC-EM IWAN App Site provisioning
  • 32. IWAN App – Site provisioning 3
  • 33. IWAN App – Site provisioning 3
  • 34. IWAN App – Site provisioning 3
  • 35. APIC-EM IWAN App Define Application Policy • Business Intent → network admin informs the controller what applications are relevant for the business • The controller is going to perform background tasks based on this business logic
  • 36. APIC-EM IWAN App Define Application Policy • Define primary path for group of applications • The controller will create a PfR policy based on those paths.
  • 38. Prime Infrastructure for IWAN • IWAN workflow wizard with PnP • Template-based IWAN configs • PfRv3 Domain, MC and BR • AVC One-Click provision • QoS Provisioning • Single or Dual Router Branch • CVD-based, Customizable • AVC Readiness Assessment • AVC, QoS, PfR Visibility • Leverages APIC EM services 41
  • 39. Cisco IWAN Product Portfolio
  • 40. Start with Cisco AX Routers IWAN Capabilities Embedded in the Router ISR-AX Simplify Application Delivery One Network UNIFIED SERVICES ASR1000-AX ISR-4000AX Transport Independent Secure Routing Optimization Control Visibility Cisco AX Routers 800 | 1900 | 2900 | 3900 | 4000 | ASR 1000
  • 42. Internet Intelligent WAN Summary Branch-1 Branch-513 DCI WAN Core MC MC 20M Dn 2M Up 512M FD BR BR ATBT MPLS Island ADSL BR ISR-AX vWAAS ISR-AX vWAAS 1.5M FD 256M FD CWS BR ASR-AX ASR-AX WAAS WAAS AV C AV C AV C ShowMe$$ DC-WestDC-East Internet Internet Transport Independent Design • Highly available Hybrid WAN Intelligent Path Control • Performance Routing (PfR) to protect applications and load balance traffic to maximize expensive WAN bandwidth Application Optimization • Application Visibility and Control (AVC) to monitor performance • WAAS + Akamai to reduce bandwidth consumption while improving application experience Secure Connectivity • Secure the network from outside threats • Cloud Web Security (CWS) for improved Cloud performance while freeing up WAN bandwidth, without compromising security IWAN Management • Cisco and Ecosystem Partner tools APIC-EM IWAN-APP, Prime, LiveAction, GlueWare, and more
  • 43. Branch MPLS (IP-VPN) Internet Private Cloud Virtual Private Cloud Public Cloud Cisco Intelligent WAN (IWAN) Secure WAN Transport Direct Internet Access Mixed Transport WAN with High Reliability SLAs for Business-Critical Applications Centralized Security Policy for Internet Access Dramatically Lower WAN Costs Without Compromise 46
  • 46. What Are the Big Trends in the Branch?
      Digital Signage
          • Clients engage with Digital Signage 50% more than static ads -Intel field trials
          • Dynamic signs, driven by RFID, increase sales by 34% -Intel field trials
          • growing more than 10% Y:Y through 2020 -Grandview Research
      Mobile Applications
          • 41% of K-12 students use tablets for video learning -Project Tomorrow
          • 38% of Corporations are investing to develop or replace applications to be web based in 2015 -Computer World
          • 18% of companies use Mobile Video Applications for Training -eLearning Industry
      Guest WiFi
          • Branch Guest WiFi causes 39% of customers to increase the duration of their stay.
          • Offering guest WiFi increases traffic for 56% of branch locations -IHL Group
          • “A week without guest WIFI leaves customers grumpier than a week without coffee” -Huff Tech Research
  • 47. What Are the Big Cloud Trends?
      • 20% of applications are in the cloud, growing 18% a year
      • AWS Reaches Over 1 Million Active Customers (Source: zdnet.com)
      • Applications that move between the branch, the cloud, and the DC
      • 40% of organizations will spend more on software as a service and a mix of public, private, hybrid and community clouds in 2015. (Source: Computer World)
      (Chart: Installed Workloads in Millions, 2012 to 2017; Cloud Data Center (30% CAGR) and Traditional Data Center (6% CAGR); shares shown: 61%, 39%, 37%, 63%. Source: Cisco Global Cloud Index (GCI))
  • 48. Leveraging the Internet Pays Off Fast 1.5 Mbps 10 Mbps $220 $140 $830 $260 $885 $274 $1,014 $303 EXAMPLE: San Francisco Single MPLS VPN vs. Dual Business Internet ($ per Month) Dual Internet Links Combined for Ent SLA $665 Savings/Month x 12 Months X 1,000 Sites = $8M Savings per Year -75% iWANMPLS VPN CoS3 MPLS VPN CoS2 MPLS VPN CoS1 Source: Telegeography MPLS VPN pricing for San Francisco as of March 2013; Comcast Web site; Verizon website 51
  • 49. DUAL ROUTERS, DUAL PATHS ISR MPLS Internet ISR ISR Internet Internet ISR 99.999% 99.999% 5 Minutes ISR MPLS MPLS ISR 99.999% ISR MPLS MPLS Internet ISR MPLS SINGLE ROUTER, DUAL PATHS Internet Internet ISR 99.995% 99.995% 99.995% 26 Minutes Building Highly Resilient WANs Redundancy and Path Diversity Matter ISR MPLS SINGLE ROUTER, SINGLE PATH ISR Internet 99.95%* 99.90%* Downtime per Year 4–9 Hours Downtime per Year 8 Hours 46 Minutes IWAN Solution * Typical MPLS and Business Grade Broadband Availability SLAs and Downtime per Year, calculated with Cisco AS DAAP tool. 52
  • 50. IWAN Transport Best Practices
      • Private peering with Internet providers
          – Use same Internet provider for hub and spoke sites
          – Avoids Internet Exchange bottlenecks between providers
          – Reduces round trip latency
      • DMVPN Phase 3
          – Scalable dynamic site-to-site tunnels
          – Separate DMVPN per transport for path diversity
          – Per tunnel QOS
          – NG Encryption – IKEv2 + AES-GCM-256 encryption
      • Transport settings
          – Use the same MTU size on all WAN paths
          – Bandwidth settings should match offered rate
      • Routing Overlay
          – iBGP or EIGRP for high scale
          – Single routing process, simplified operations
          – Front-side VRF to isolate provider networks
      (Diagram labels: IWAN HYBRID; Branch; Data Center; Internet; MPLS; DMVPN Purple; DMVPN Green; ISP A; SP B)
  • 51. Intelligent Path Control - Backup Slides
  • 52. Performance Routing—Components The Decision Maker: Master Controller (MC) • Discover BRs, collect statistics • Apply policy, verification, reporting • No packet forwarding/inspection required The Forwarding Path: Border Router (BR) • Does all packet forwarding • Visibility in network performance • Enforce MC’s decision (path enforcement) The Policy Controller: Domain Controller (DC) • Discover site peers, prefixes and connected networks • Advertise policy and services • One per domain, collocated with MC MPLS Internet BranchMC+BR BR BR DC/MC 55
  • 53. PfR Domain Controller
      • Domain Controller (DC) Peering Framework
          – Site MCs register to Domain
          – Advertise to, or request services
          – Simplifies deployment and configuration
          – Provides topology auto-discovery
      • Single point of configuration across the domain
      • Used to distribute information to sites:
          – Learned site-prefix
          – Application/Traffic Policies
          – Performance monitoring
          – Traffic Class Database
      (Diagram labels: WAN1; WAN2; Domain Controller; Master Controller; BR; BR; BR; DC/MC; MC+BR; MC+BR; MC+BR)
  • 54. Define Traffic Classes and service level Policies based on Applications or Transport Classifiers ISR ASR1K Border Routers learn current traffic classes going to the WAN based on classifier definitions Learning Active TCs BR BR MC+BR MC+BR MC+BR MC+BR Traffic Classes MC Measure the traffic flow and network performance and report metrics to the Master Controller Performance Measurements BR BR MC+BR MC+BR MC+BR MC+BR MC How PfR Works Key Operations Master Controller commands path changes based on traffic class policy definitions Best Path BR BR MC+BR MC+BR BR MC+BR MC Path EnforcementMeasurementLearn the TrafficDefine Your Traffic Policy 57
  • 55. Intelligent Path Control Path of Last Resort – New • Simplifies and speeds up failover routing to a backup only path • Granular failover per traffic class policy • Extends path-preference to include a last-resort path(s) • Removes the need for the routing protocol to initiate failover • Good choice for cellular, satellite and other backup only paths Branch Site MPLS INET MPLS INET R14 DMVPN MPLS DMVPN INET DC1 DC2 LTE MPLS2 INET2 MPLS2 INET2 DC/MC MC DC/MC MC MC/BR ASA LTE DMVPN LTE BR IWAN 2.1 Fall 15
  • 57. Today’s Network is an IT Blind Spot • Static port classification is no longer enough • More and more apps are opaque • Increasing use of encryption and obfuscation • Application consists of multiple sessions (video, voice, data) • What if user experience is not meeting business needs? 60
  • 58. What applications, how much bandwidth, flow direction? (NBAR2 and Flexible Netflow) Basic Monitoring Performance Collection & Exporting Integrated performance monitoring and advanced metrics for different type of applications and use cases HTTP HTTP Voice and Video Performance (Media Monitoring) Unified Monitoring 30% of traffic is voice and video Critical Applications Performance (Application Response Time) 40% of traffic is critical applications 61
  • 59. Supports Akamai Cloud | Single-sided Optimization | Secure Direct Cloud Access Application Acceleration + Edge Caching Enhancing User Experience while reducing WAN load AKAMAI CACHING Transparent HTTP Caching Dynamic URL OTT HTTP Caching Akamai Connected Cache Content Pre-positioning CISCO WAAS Optimization LZ Compression TCP Optimization Data De-duplication Application Specific Acceleration
  • 60. Cisco WAAS & Akamai Deployment Models Branch Office WAAS Service Module/ UCSe Branch Office WAAS-XE on ISR-4000 Branch Office WAAS Appliance Regional Office WAAS Appliance Data Center or Private Cloud WAAS Appliances VPN VMware ESXi vWAAS Appliances Server VMs AppNav + WAAS IWAN vWAAS WAE Server VMs VMware ESXi Server Nexus 1000v vPATH UCS /x86 Server FC SAN Nexus 1000v VSM Virtual Private Cloud New 63
  • 61. IWAN Secure Connectivity - Backup Slides
  • 62. Trust Anchor Module (TAM): “How do I Know the Hardware is Authentic?”
      • Provides Immutable Identity
      • Standard Identity- IEEE 802.1AR (SUDI- X.509 cert)
      • Secure Storage of Credentials
      • Anti-Theft & Anti-Tamper Chip Design
      • Certifiable Entropy for Random Number Generation
      Trust Anchor Module: TAM Features & Services; Checks to Verify as Cisco Genuine; TAM/Secure Identity Verification
      • Immutable Identity
      • Secure Storage (Keys & Objects)
      • Certifiable Entropy Source
      • Secure Crypto Assist
      • Secure Application Certificates
      • Authenticity & License Check
      • Verify Secure Identity
      Product Security
      • Provides trustworthy hardware offering immutable identity, secure storage, random number generator, and encryption
      • Available in the ISR-4000, newer Catalyst and other Cisco products
  • 63. Secure Boot: “How do I Know the Software is Authentic?” Verifies the software has not been altered or tampered with since it was signed
      • Ensures only authentic Cisco software boots up on a Cisco Platform
      • Anchored in hardware: as the image is created, the signature is installed & signed with a secure private key
      • As the software boots, the system checks to ensure the installed digital certificate is valid
      • Subsequent hash checks provide continuous monitoring with runtime integrity
      (Diagram: Secure Boot Process. Stages: Power On; Hardware Anchor Secure Microloader; Signed Bootloader/BIOS; Signed Operating System; Launch Operating System. Captions: Immutable Anchor ensuring hardware integrity and key authenticity; Integrity Check; Image Signing; Power-Up Microloader verifies Bootloader and BIOS; A Signed Bootloader/BIOS validates Operating System)
  • 64. MPLS Internet Branch ASR 1000 ASR 1000 ISP A ISP C Data Center Add Network Integrated Threat Defense IOS Zone-Based Firewall • Control the Perimeter: • External and internal protection: internal network is no longer trusted • Protocol anomaly detection and stateful inspection • Communicate Securely: • Call flow awareness (SIP, SCCP, H323) • Prevent DoS attacks • Flexible: • Split Tunnel-Branch direct Internet access • Internal FW— addresses regulatory compliances • Integrated: • No need for additional devices, expenses and power • Works with other IWAN Services: CWS, WAAS, UCS-E,… • Manageable: • APIC-EM, Prime, CLI, SNMP, CCP, and CSM 67
  • 65. Securing IWAN Transports with Front-door VRF: Isolation of external networks
      Virtual Route Forwarding (VRFs) create multiple logical routers on a single device
      • Separate control/forwarding planes per VRF
      • No connectivity between VRFs by default
      • Provider side VRF (yellow) for external networks, Global VRF (blue) for internal networks
      Provider VRF minimizes threat exposure
      • Default routing only in Provider VRF
      • Provider assigned IP addressing hides internal network
      • Provider IP address used as IPSec tunnel source
      • Only IPsec allowed between internal Global and Provider Front Side VRFs
      (Diagram labels: Global; F-VRF; Branch LAN 10.1.1.0/24, 10.1.2.0/24, …; Front Side “Provider Interface” VRF; Provider Assigned WAN IP Address 192.168.254.254; VRFs have independent routing and forwarding planes; IPSec Tunnel Interface; Inside Network VRF; IOS ZBFW or ACL to permit only authorized traffic, i.e. IPsec)
  • 66. Protecting Public facing IWAN Interfaces
      • Use ACLs, ZBFW or ASA to block all traffic except the DMVPN tunnel traffic to routers
      • Zone Based Firewall (ZBFW) at the branch if there are plans for Direct Cloud Access
      • Typical ACL for protecting the Internet interface

      interface GigabitEthernet0/0
       bandwidth 10000
       ip vrf forwarding INET-PUBLIC1
       ip address dhcp
       ip access-group ACL-INET-PUBLIC in
       duplex auto
      !
      ! IKE (UDP 500), IPsec NAT traversal (UDP 4500), ESP, DHCP client replies,
      ! ICMP diagnostics and traceroute probes; everything else hits the implicit deny
      ip access-list extended ACL-INET-PUBLIC
       permit udp any any eq non500-isakmp
       permit udp any any eq isakmp
       permit esp any any
       permit udp any any eq bootpc
       permit icmp any any echo
       permit icmp any any echo-reply
       permit icmp any any ttl-exceeded
       permit icmp any any port-unreachable
       permit udp any any gt 1023 ttl eq 1
      !

      (Diagram labels: DSL; Cable; Branch; ASR 1000; ASR 1000; ISP A; ISP C; Data Center)
  • 68. IWAN App – Application Classification 71
  • 69. IWAN App – Policy Provisioning 72
  • 71. PfR dashboard – look at events at sites
  • 72. Router – Provider – Server
  • 73. Link details Link Details PfR threshold crossing
  • 74. LiveAction Software • An Application-aware Network Performance Management and QoS Control tool • Fast, simple, cost effective way to monitor and control application performance leveraging Cisco capabilities LiveAction Components Flow QoS Monitor QoS Configure RoutingLAN IP SLA
  • 75. Business Relevance to End-Customers Insightful Application Performance and Troubleshooting Faster QoS Monitoring and Configuration Visual WAN Bandwidth Management Higher Quality Voice and Video Efficient WAN Performance Baselining and Capacity Planning Click -- Easily deploy, configure, monitor, and analyze Cisco advanced technologies See -- End-to-end flow visualization for a holistic view of the network Fix -- Unique QoS graphical control to troubleshoot and solve issues. Instant validation of policy changes Point -- Quick diagnosis of performance issues through visual displays Higher Productivity Thru Faster and Reliable Applications
  • 76. Glue Networks IWAN Orchestration • Cloud-based SaaS subscription model • Eliminates manual building of WANs • Automated WAN orchestration and management • Quick configuration updates and IOS upgrades • Rapidly delivers nextgen and IWAN features • Forward compatible with SDN and OnePK for app aware WANs • Broadband and MPLS support for centralized hybrid WAN management for IWAN 79
  • 77. Introducing Gluware 2.0: DevOps for Network Engineers Transforms Enterprise Networks • Network Engineer Centric vs. Programmer Centric • Gluware Lab—Rapid Development Environment, NDK, & FLOW (Flexible Language Object Workstream) • Gluware Control—Network-aware and Customizable Life-Cycle Mgmt • Integrated with leading architectures (IWAN) • Rest API third party Monitoring, Visualization, Controllers
  • 78. LiveAction 4.3 and Performance Routing • PfR path change visualization • Alert and report on PfR Out of Policy events • Reports on traffic class/application path changes Out-Of-Policy Threshold Crossing Alert Before Brown-Out (Northern Path) After Brown-Out (Southern Path)
  • 79. Alerts / performance by Site Alerts / performance by Application Group All Alerts PfRv3 Dashboard
  • 80. LiveAction Demonstration • System topology and end-to-end flow visualization • Flow, PfR, and QoS • PfR Failover Demo (12 min) http://vimeo.com/108511944 • PfR Configuration (15 min) https://vimeo.com/121177440
  • 82. Intelligent SD-WAN Orchestration Platform Benefits • Optimize WAN Management with best-practices architectures (IWAN) & centralized management • Zero Touch Deployment with consistency, error checking & architecture awareness • WAN Orchestration with DevOps boosting agility and customization with the Network Engineer in mind • Simplify Roll-Out of complex services through policy centralization and assurance • Control Network Evolution with advanced feature support and open, programmable interfaces • Transport Agnostic connectivity for hybrid WAN and cost reduction
  • 83. IWAN Glue Networks APIC-EM Evolution [Diagram: Device, Element, Control, and Orchestration & Automation layers; Gluware and APIC-EM interfaces (CLI, API, TCL, SNMP) across Phase 1, Phase 2 and Phase 3-5] IWAN Pillars: TID – Transport Independent • IPC – Intelligent Path Control • AO – Application Optimization • SIC – Secure Internet Access
  • 84. Cisco IWAN Product Portfolio - Backup Slides
  • 85. IWAN Branch Services Routers INTEGRATED IWAN SERVICES APPLICATION CENTRIC APPLIANCE LEVEL PERFORMANCE • IOS Firewall, VPN, IPSec, PfRv3, NBAR2, AVC, AppNav, VRF, MPLS • Scalable on-chip service provisioning • App/User policy-driven deployment • APIC-EM Automation: deploy in minutes • Pay-as-you-grow • Up-to-75% cost savings • Service-Aware Dataplane • Resilient Service Virtualization • Multi-gigabit Fabric ASR4000 Series - IWAN AX Ready, Next Generation Branch: ISR4431 (500Mbps/1Gbps), ISR 4351 (200/400Mbps), ISR 4331 (100/300Mbps), ISR4321 (50/100Mbps), ISR4451 (1-2Gbps)
  • 86. IWAN Aggregation Border Routers ASR1000 - IWAN AX Ready, High Performance Routers INTEGRATED IWAN SERVICES BUSINESS-CRITICAL RESILIENCY COMPACT, POWERFUL ROUTER • IOS Firewall, VPN, IPSec, PfRv3, NBAR2, AVC, AppNav, VRF, MPLS • Scalable on-chip service provisioning • Separate control and data planes • Hardware and software redundancy • In-service software upgrades • Line-rate performance 2.5G to 200G+ with services enabled • Crypto performance from 2G to 60G+ • Flexible I/O: SPAs and Ethernet LCs • 2.5G Upgradeable to 5G, 10G, 20G • Up to 8G Crypto Throughput • 5G Upgradeable to 10G, 20G, 36G • Up to 4G Crypto Throughput • Modular, Redundant up to 200G • Up to 60G Crypto Throughput ASR1001-X ASR1002-X Modular ASR1006
  • 87. Cisco UCS-E Series Extend Cloud Services into Branch Infrastructure Support on ISR Series Routers [Diagram: IOS, MGF Backplane Switch, UCS-E Blade, Hypervisor, CIMC, OS/App virtual machines] • Platform for WAN Edge Applications: Microsoft Windows-Server and Linux Certified • Server Virtualization: Cisco UCS Virtualization Powered by VMware, Microsoft, Citrix • Dedicated Blade Management: Cisco Integrated Management Controller, Consistent management for UCS family • Multipurpose x86 Blades: Cisco UCS E Series modules, House up to four server blades in an ISR • Single-Device Network Integration: House all services in ISR chassis, Multigigabit fabric backplane switch
  • 88. Cisco UCS E-Series Server Hypervisor and OS Support Hypervisors • VMware vSphere Hypervisor™ 5.0, update 1, 5.1 and 5.5 • Hyper-V (Windows 2008 R2 and 2012, 2012 R2) • Citrix XenServer 6.0 Microsoft Windows • Windows Server 2008 R2 Standard 64-bit • Windows Server 2008 R2 Enterprise 64-bit • Windows Server 2012, 2012 R2 Linux • Red Hat Enterprise Linux 6.2 • SUSE Linux Enterprise 11, service pack 2 • Oracle Enterprise Linux 6.0, update 2
  • 89. Why Cisco IWAN? - Backup Slides
  • 90. Intelligent WAN Summary [Topology diagram labels: Branch-1, Branch-513, DC-West, DC-East, WAN Core, MPLS, Internet, ADSL, ISR-AX, ASR-AX, vWAAS, WAAS, AVC, CWS, MC, BR] Transport Independent Design • Highly available Hybrid WAN Intelligent Path Control • Performance Routing (PfR) to protect applications and load balance traffic to maximize expensive WAN bandwidth Application Optimization • Application Visibility and Control (AVC) to monitor performance • WAAS + Akamai to reduce bandwidth consumption while improving application experience Secure Connectivity • Secure the network from outside threats • Cloud Web Security (CWS) for improved Cloud performance while freeing up WAN bandwidth, without compromising security IWAN Management • Cisco and Ecosystem Partner tools APIC-EM IWAN-APP, Prime, LiveAction, Gluware, and more
  • 91. IWAN Vision and Strategy • INTELLIGENT VIRTUALIZATION: Secure VPN Overlay, Any Transport, Bandwidth Efficiency, Application SLA • AUTOMATION: Secure, Simple, Centralized Policy Automation • CLOUD INTEGRATION: ACI Policies, Inter-Cloud Mobility, Optimization, AMP • SERVICE VIRTUALIZATION: vRouter, vService and App Orchestration • SELF LEARNING NETWORKS: Predictive, Self Directed
  • 92. IWAN Vision and Strategy: Systems Development evolution of IWAN • INTELLIGENT VIRTUALIZATION • AUTOMATION • CLOUD INTEGRATION • SERVICE VIRTUALIZATION • SELF LEARNING NETWORKS • IWAN Framework: Transport Independent Design, Intelligent Path Control, Application Optimization, Secure Connectivity, Management & Orchestration • Incremental improvements while delivering new use-cases
  • 93. SD-WAN Working Group – SD-WAN Top 10 Requirements - Backup Slides
  • 94. Open Networking User Group • Community of IT business leaders who exchange ideas and best practices for implementing Open Networking and Software-Defined Networking (SDN) designs. • One of the ONUG working groups is the SD-WAN Working Group • The SD-WAN working group has determined a set of 10 business requirements (based on user-developed use cases) that Enterprises should consider when evaluating SD-WAN solutions. Source: http://blogs.cisco.com/enterprise/cisco-intelligent-wan-delivers-on-sd-wan-business-requirements
  • 95. Top 10 Requirements for SD-WAN
    1. Public and Private Active-Active: Ability for remote site/branch to leverage public and private WANs in an active/active fashion for business applications.
    2. Physical or Virtual CPE: Ability to deploy CPE in a physical or virtual form factor on commodity hardware.
    3. Security and Business policies: A secure hybrid WAN architecture that allows for dynamic traffic engineering capability across private and public WAN paths as specified by application policy, prevailing network WAN availability and/or degradation at transport or application layer performance.
    4. App and Performance Aware Dynamic Traffic Eng: Visibility, prioritization and steering of business critical and real-time applications as per security and corporate governance and compliance policies.
    5. Highly Available & Resilient WAN: A highly available and resilient hybrid WAN environment for optimal client and application experience.
  • 96. Top 10 Requirements for SD-WAN
    6. L2 and L3 Interoperability: Layer 2 and 3 interoperability with directly connected switch and/or router.
    7. Dashboard Reporting: Site, Application and VPN performance level dashboard reporting.
    8. Open API: Open north-bound API for controller access and management, ability to forward specific log events to network event correlation manager and/or Security Incident & Event Manager (SIEM).
    9. Zero Touch Deployment: Capability to effect zero touch deployment at branch site with minimal to no configuration changes on directly connected infrastructure, ensuring agility in provisioning and deployment.
    10. FIPS-140-2: FIPS 140-2 validation certification for cryptography modules/encryption with automated certificate life cycle management and reporting.