The document discusses the fundamentals of Software Defined WAN (SD-WAN) and its architecture, emphasizing transport independence, intelligent path control, application optimization, and secure connectivity. It highlights the increasing demands on branch office networks due to the rise in digital innovations and the need for effective bandwidth management and security. Additionally, it outlines Cisco's iWAN solutions, showcasing features such as deployment automation, traffic optimization, and threat defense to enhance application performance and simplify network operations.

1. WWW.GTRI.COM
© 2016 Global Technology Resources, Inc.
All rights reserved.
Software Defined WAN 101
Mani Ganesan - Cisco
Michael Edwards - GTRI

2. Agenda
• What is SD-WAN ?
• IWAN Architecture Overview
• Transport Independence
• Intelligent Path Control
• Application Optimization
• Secure Connectivity
• Orchestration & Automation
• Closing
2

3. Digital Innovation Overwhelming the Branch
3
BRANCH
OS
Updates
HD
Video
Mobile
Apps
Online
Training
Social
Media
Guest
Wi-Fi
MORE
USERS
MORE
APPS
MORE
THREATS
80%
Of employee and
customers are served
in branch offices*
20-50%
Increase in enterprise
bandwidth per year
through 2018**
30%
Of advanced threats will
target branch offices by
2016 (up from 5%) ***
Omnichannel
Apps
SaaS Enterprise
Apps
Digital
Displays
* Tech Target, Branch Office Growth Demands
New Devices., 2013
** Gartner, Forecast Analysis: Worldwide
Enterprise Network Services, Q2 2015 Update
*** Gartner: “Bring Branch Office Network Security
Up to the Enterprise Standard, Jeremy
D’Hoinne, 26 April. 2013.

4. 58% OF IT BUDGETS SPENT
ON WAN CONNECTIVITY
4
Source: IDG

5. What If Your WAN Can…
5
Hours Minutes
Pinpoint Application Issues Instantly
Improve Your Application Performance
1x 2x -20x
Increase WAN Utilization
Deliver More Bandwidth for Lower Cost
Backhaul
Local &
Cloud
Consistent Security Policies
Ensure Security Over Any Connection
By Device System
Simplify Operations
Reduce Network Complexity

6. Internet as an Extension of Enterprise WAN
6
Commodity Transports Viable Now
Dramatic Bandwidth, Price Performance Benefits
Higher Network Availability
Improved Internet Performance

7. ONUG - Software Defined-WAN Requirements
Branch
Private
Cloud
Virtual
Private
Cloud
Public
Cloud
MPLS (IP-VPN)
Internet
CSR1000-AX
1) Physical or Virtual* devices
2) Zero Touch Deployment
7) L2/3 Interoperability
8) Management Dashboard
9) Open North-bound API
3) Dynamic Traffic Engineering
5) HA and Resilient WAN
6) App Visibility, Prioritization and
Steering
4) Active-Active Architecture
APIC
Prime
10) FIPS 140-2 w/ Cert Management
Optimized
Secure Transport
Direct
Internet
Access

8. WWW.GTRI.COM
© 2016 Global Technology Resources, Inc.
All rights reserved.
SD-WAN and beyond with
Cisco IWAN
8

9. SD-WAN and Beyond with Cisco Intelligent WAN
ApplicationsUsers/Devices
Private
(MPLS)
Public
(Internet/4G LTE)
Hybrid
(MPLS, Internet)
SMART
• Intelligent Path Control
• Application Optimization
• Advanced Content Caching
SECURE
• Secure Direct Internet Access
• Advanced Threat Defense
• Robust Data Encryption
SIMPLE
• SD-WAN Policy Management
• Deployment Automation
• Open APIs
Transport
Independence
Application
Optimization
Secure
Connectivity
Intelligent
Path Control
Technology Blocks

10. Intelligent WAN: Leveraging the Internet
Secure WAN Transport and Cloud Access
10
Optimized
Secure Transport
Branch
Direct Cloud
Access
Private
Cloud
Virtual
Private
Cloud
Public
Cloud
1. IWAN Secure transport for private
and virtual private cloud access
2. Leverage local Internet path for
public cloud and Internet access
 Increase WAN transport capacity and
app performance cost effectively!
 Improve application performance
(right flows to right places)
MPLS (IP-VPN)
Internet

11. Intelligent WAN (IWAN) Architecture
Enterprise
11
MPLS
Unified
Branch
3G/4G-LTE
Internet
Private
Cloud
Virtual
Private
Cloud
Public
Cloud
Application
Optimization
Enhanced Application
Visibility and Performance
Secure
Connectivity
Comprehensive
Threat Defense
Intelligent
Path Control
Application
Aware Routing
Transport
Independence
Simplified
Hybrid WAN
Management Automation

12. Cisco Intelligent WAN
Enabling the Next-Generation
Branch
Mani Ganesan - Cisco

13. WWW.GTRI.COM
© 2016 Global Technology Resources, Inc.
All rights reserved.
Transport-Independence
Virtualizing the Enterprise WAN
1
3

14. Simplifies WAN Design
Dynamic Full-Meshed
Connectivity
Proven Robust Security
Flexible Secure IWAN Over Any Transport
SecureFlexible
• Easy multi-homing with several
providers
• Single routing control plane over
the top of provider networks
• Consistent design over all
WAN transport types
• Scalable Hub-n-spoke with
dynamic full mesh topology
• Industry Certified security
compliance
• Scalable high-performance
cryptography in hardware
ISR
WAN
Internet
MPLS
ASR 1000
ASR 1000
Transport-Independent
Data CenterBranch
14

15. IWAN Transport Independence
Consistent deployment models simplify operations
Internet MPLS
Branch
DMVPN DMVPN
IWAN HYBRID
Data Center
ISR
ASR 1000 ASR 1000
ISP A SP B
4G/LTE
Branch
DMVPN
IWAN HYBRID/LTE
Data Center
ISP C SP B
ASR 1000
MPLS
Branch
MPLS
DMVPN
IWAN Dual MPLS
Data Center
ISR
ASR 1000 ASR 1000
SP A SP B
DMVPN
MPLS
DMVPN
ISR
ASR 1000
15

16. Intelligent Path Control
Improving Application Delivery and WAN Efficiency
23

17. Getting the Most Out of Your WAN Investment
Benefits of Intelligent Path Control
Data Center
Branch
ASR 1000
ASR 1000
ISR
MPLS
Internet
Enabling
Hybrid WANs
Efficient Distribution of
Traffic Based Upon Load
or Path Preference
Application Best Path
Based on Quality
Protection From
Carrier Black Holes
and Brownouts
Lower
WAN Costs
Full Utilization
of WAN Bandwidth
Improved
Application
Performance
Higher Application
Availability
24

18. Intelligent Path Control with PfR
Voice and Video Use-Case
Branch
MPLS
Internet
Virtual Private
Cloud
Private Cloud
• PfR monitors network performance and routes applications
based on policy
• PfR load balances traffic based upon link utilization levels
to efficiently utilize all available WAN bandwidth
Other traffic is load
balanced to maximize
bandwidth Voice/Video will be rerouted if
the current path degrades
below policy thresholds
Voice/Video take the best
delay, jitter, and/or loss path
25

19. SP1 (MPLS) ISP (FTTH)
• Protect voice and
video quality
Latency < 150 ms
Jitter < 20 ms
• Protect Email applications
from WAN congestion
Loss < 5%
• Voice and video preferred
path SP1
• Email preferred path ISP
• Increase utilization
by load sharing
Multimedia and Critical Data Policy
Business App
Best-Effort Traffic
High Delay
Detected
SP1 (MPLS) ISP (DSL)
Voice and Video
High Jitter
Detected
Email
Best-Effort Traffic
Protecting Critical Applications While Increasing Link Efficiency
• Protect transactional
business app from brownouts
delay < 250ms
• Preferred path SP1 (MPLS)
• Increase WAN bandwidth
efficiency by load-sharing
traffic over all WAN paths,
MPLS + Internet
Business App and Load-Balancing Policy
27

20. Load Balancing
Maximizing Link Utilization to Increase Available Bandwidth
• Traffic distributed across all paths to efficiently use all WAN bandwidth
• Load Balancing based upon link utilization levels
• External links can have different bandwidth capacities
MPLS = 1.5Mbps
Internet = 15Mbps
ISR
WAN
Internet
MPLS
ASR 1000
ASR 1000
Data Center
50% T1 = 750kbps
50% 15Mbps = 7.5Mbps
28

21. Application Optimization
32

22. Today’s Network is an IT Blind Spot
• Static port classification is no
longer enough
• More and more apps are opaque
• Increasing use of encryption
and obfuscation
• Application consists of multiple
sessions (video, voice, data)
• What if user experience is not
meeting business needs?
33

23. Branch
Private
Cloud
Make Your IWAN Application Aware
Application Visibility and Control (AVC)
DC/Headquarters
Public
Cloud
Cisco AVC
Application Performance
Visibility
• Application inspection with
existing routers
• Rich data collection using
NetFlow v9/IPFIX
• Easy to integrate into many
reporting tools
Smart Capacity
Planning
• Better use of costly
bandwidth
• Per-branch and per-
application level reporting
Business Objective
Enforcement
• Service Level monitoring per
application
• Better Analytics to adjust
network policies to maintain
compliance
AVC
AVC
34

24. What applications, how much bandwidth, flow direction?
(NBAR2 and Flexible Netflow)
Basic Monitoring
Performance Collection & Exporting
Integrated performance monitoring and advanced metrics for different type of applications and use cases
HTTP HTTP
Voice and Video Performance
(Media Monitoring)
Unified
Monitoring
30% of traffic is
voice and video
Critical Applications Performance
(Application Response Time)
40% of traffic is
critical applications
AVC
35

25. Private
Cloud
Add WAN Optimization with WAAS + Akamai
Speed and Bandwidth Benefits on Top of the IWAN
Branch DC/POP
Application
Optimization
• Improved Application
performance, delay mitigation,
less bandwidth
• Twice as many Citrix users over
same WAN, 70% faster
• Typical ROI in less than one year,
65% BW cost savings
Content Caching
& Prepositioning
Simple and Scalable
• Works with existing branch
routers
• Scale out optimizations
resources with AppNav
• Native HA resiliency
vWAAS
AppNav-XE
Controller
CSR
WAVE,
vWAAS
WAN
Improving Application Performance
• Reduces WAN bandwidth
usage, while accelerating
applications
• Intelligent caching of internal
and Internet content
• Prepositioning of data and rich
media before it is needed
37

26. WAAS and Akamai Connect Synergy
AKAMAI Connect
Transparent
Cache
Dynamic URL Cache
Akamai
Connected Cache
Content
Pre-positioning
CISCO WAAS
LZ
Compression
TCP
Optimization
Data
De-duplication
Application Specific
Acceleration
38

27. IWAN Secure Connectivity
45

28. Intelligent WAN: Secure Connectivity
Securing the network and users
Secure WAN
Transport
Branch
MPLS (IP-VPN)
Internet
Secure
Internet
Access
Private
Cloud
Virtual
Private
Cloud
Public
Cloud
Two areas of concern
1. Protecting the network from outside threats with data privacy over provider networks
2. Protecting user access to Public Cloud and Internet services; malware, privacy, phishing,…
46

29. Securing the IWAN Transport
IPSec VPN and Access Control
• Step 1: Authenticate hardware and software
Trust Anchor Module verification
• Step 2: Secure Transport
Proven IPsec VPN overlay
Strong Cryptography: IKEv2 + AES-GCM 256
F-VRF to isolate provider networks
• Step 3: Access Control
IOS Zone-based Firewall or ACLs protection
Role based access to router w/ logging
Minimize exposure
Provider assigned addressing to hide routers
Don’t put tunnel addresses into DNS
MPLS Internet
Branch
ASR 1000 ASR 1000
ISP A ISP C
Data Center
47

30. * RFC 6379 Suite B ** Not supported on older RP1 based ASR 1000s
Cisco Router Security Certifications
FIPS Common Criteria NG Strong Crypto
140-2, Level 2 EAL4 AES-GCM-256*
Cisco ISR 890 Series   
Cisco ISR 1900 Series   
Cisco ISR 2900 Series   
Cisco ISR 3900 Series   
Cisco ISR 4000 Series   
Cisco ASR 1000 Series   **
48

31. MPLS Internet
Branch
ASR 1000 ASR 1000
ISP A ISP C
Data Center
Add Network Integrated Threat Defense
IOS Zone-Based Firewall
• Control the Perimeter:
• External and internal protection: internal network is no longer trusted
• Protocol anomaly detection and stateful inspection
• Communicate Securely:
• Call flow awareness (SIP, SCCP, H323)
• Prevent DoS attacks
• Flexible:
• Split Tunnel-Branch direct Internet access
• Internal FW— addresses regulatory compliances
• Integrated:
• No need for additional devices, expenses and power
• Works with other IWAN Services: CWS, WAAS, UCS -E,…
• Manageable:
• APIC-EM, Prime, CLI, SNMP, CCP, and CSM
51

32. Intelligent WAN—Direct Cloud Access
Branch
MPLS (IP-VPN)
Internet
Direct
Internet
Access
Private
Cloud
Virtual
Private
Cloud
Public
Cloud
• Leverage Local Internet path for Public Cloud and Internet access
• Improve application performance (right flows to right places)
Solutions
On Premise – Zone Based Firewall
Cloud Based – Cloud Web Security
CWS
ISR-AX
ZBFW
55

33. Secure Internet Access with Cisco
Cloud Web Security (CWS) with ISR-4000 and ISR-G2 Series Routers
Secure Public
Cloud and Internet
Access
ISR Connector to
CWS Firewall towers
Web Filtering,
Access Policy,
Malware Detect
WAN1
(IP-VPN)
CWS
Private
Cloud
Public
Cloud
Branch
WAN2
(Internet)
IWAN IPsec VPN
for Private Cloud
TrafficIOS Firewall to
protect Internet
Edge
Internet
60

34. Orchestration and Automation
61

35. Network-Wide Abstractions Simplify the Network
Applications
SecurityOrchestration Automation Collaboration
SOUTHBOUND ABSTRACTION LAYER
REST API
CATALYST® CISCO NEXUS® ASRISR WIRELESSASA OTHER
SDN Ideal:
Controller as the
Application Platform
The SDN
Ideal:
Controller as
the Application
Platform
Virtualization
64

36. IWAN SD-WAN Automation with APIC-EM
`
 Cisco® APIC-EM centralized policy expression
and distribution
 Distributed policy enforcement
 Automated application and topology discovery
 Application and network performance monitoring
 Adaptive path selection and QoS to sustain policy
 Performance analytics collected network-wide
and reported centrally
MC
Branch
MC
Large Site
MC
Campus
Data Center
or POP
4G
LTE
Internet
Data Center
or POP #2...n
MPLS
(IP-VPN)
IWAN Domain
ControllerPolicy Rendering
Policy Distribution
and Domain Control
Distributed Policy
Enforcement
IWAN APP
Policy Expression
66

37. Cisco IWAN Management Portfolio
Covering a broad range of requirements and preferences
• Customer wants advanced
provisioning, life cycle
management, and
customized policies
• System-wide network
consistency assurance
• Lean IT OR IT Network team
Cisco
Prime
Infrastructure
• Customer needs
customizable IWAN with
end-to-end monitoring
• One Assurance across
Cisco portfolio from Branch
to Datacenter
• IT Network team
Enterprise Network
Mgmt and Monitoring
Ecosystem Partners
IWAN App
• Customer wants
considerable automation
and operational simplicity
• Requirements consistent
with prescriptive IWAN
Validated Design
• Lean IT organization
Prescriptive
Policy Automation
• Customer looking for
advanced monitoring and
visualization
• QoS/ PfR/ AVC configuration,
Real-time analytics and
network troubleshooting
• IT Network team
Application Aware
Performance Mgmt
Advanced
Orchestration
67

38. IWAN App
Demo
68

39. GTRI SDN Solutions
• GTRI’s Virtualization and Advanced Networking Professional Services
(PS) practice has expertise with SDN vendor solutions.
• GTRI has top-tier partner status with the most relevant long-term
vendors in the IT virtualization market.
• GTRI offers an SDN readiness assessment service to assess your
infrastructure, your applications, and the benefits to your business
gained from using SDN.
• GTRI has a SDN test bed where we can learn and teach SDN solutions
and help validate solutions prior to deployment.
• GTRI is performing SDN deployments and we will freely share the
latest vendor and industry information with you.
© 2016 Global Technology Resources, Inc. All Rights Reserved.
85

40. FREE SDN Technology Review
• We are offering a FREE 3-hour (~1/2 day) SDN technology review
for your company
• Bring your networking, security, DevOps, and other technology
teams together
• Review SDN capabilities within your existing networked systems
• Discuss SDN architecture and design options
• Review network automation and network programmability potential
• Engage in conversation on securely deploying IPv6 and using SDN for
security

41. WWW.GTRI.COM
© 2016 Global Technology Resources, Inc.
All rights reserved.
Q&A
Thank you for attending!
info@gtri.com | 877.603.1984 | @gtri_global