cisco iwan – intelligent connectivity for today’s reality

Cisco Intelligent WAN: Enabling the Next-Gen Branch Technical Overview

Cisco Confidential 3 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Agenda

IWAN Introduction and Business Drivers

Intelligent Path Control

Transport Independent Design

Application Visibility

Secure Connectivity for Direct Internet Connectivity

IWAN Management

Summary


New Requirements for the Branch/WAN

Rising User Expectations

Growing Security Threats

Faster Time to Market

Cost Optimization

App Performance

Advanced Threat Defense

Operational Simplicity

Agility/Simplicity


Emerging Branch Demands The Application Landscape Is Changing

Applications Are Moving to the Data Center and Cloud

Internet Edge Is Moving to the Branch

Branch

Cloud

Data Centers

of CIOs Expect to Operate via the Cloud by 2015

More Mobile Data Traffic by 2015

of Mobile Traffic Will Be Video

Pressures on the WAN

Fat Apps Mobility Cloud


Commodity Transports Viable Now

Internet Becoming an Extension of Enterprise WAN

Dramatic Bandwidth, Price Performance Benefits

Higher Network Availability

Improved Performance Over Internet


And the Internet Transition Pays Off Fast

EXAMPLE:

San Francisco Single MPLS VPN vs. Dual Business Internet ($ per Month)

1.5 Mbps

10 Mbps

$220

$140

$830

$260

$885

$274

$1,014

$303

Dual Internet Links

Combined for Ent SLA

-75%

iWAN MPLS VPN

CoS3 MPLS VPN

CoS2

MPLS VPN

CoS1

Source: Telegeography MPLS VPN pricing for San Francisco as of March 2013; Comcast Web site; Verizon website


Intelligent WAN Deployment Models

Dual Internet Hybrid Dual MPLS

Consistent VPN Overlay Enables Security Across Transition

Expensive

Highest SLA guarantees

Tightly coupled to SP

Internet

Branch

Public

MPLS MPLS

Branch

Public

MPLS+ Internet

Branch

Internet

More BW for key applications

Moderately priced

Balanced SLA guarantees

Enterprise

Best price/performance

Enterprise responsible for SLAs

Most SP flexibility


Intelligent WAN Solution Components

Branch

Internet

MPLS

Private Cloud

Virtual Private Cloud

Public Cloud

3G/4G-LTE

AVC

WAAS PfR

Transport Independent

• Consistent operational model • Simple provider migrations • Scalable and modular design • IPsec routing overlay design

• Dynamic Application best path based on policy • Load balancing for full utilization of bandwidth • Improved network availability


• Application visibility with performance monitoring

• Application acceleration and bandwidth optimization

Application Optimization

• Certified strong encryption • Comprehensive threat defense • Cloud Web Security for secure

direct Internet access

Secure Connectivity

Transport-Independent Design

Simplifying Internet- Based WANs


Transport Independent Comprehensive WAN Transport Support with Secure, Full Mesh Connectivity

Secure Flexible Transport-independent

Simplifies WAN Design

Easy multi-homing over any carrier service offering

Single routing control plane with minimal peering to the provider

Dynamic Full-Meshed Connectivity

Consistent design over all transports

Automatic site-to-site IPsec tunnels

Zero-touch hub configuration for new spokes

Proven Robust Security

Consistent design over all transports

Automatic site-to-site IPsec tunnels

Zero-touch hub configuration for new spokes

WAN

Internet

Branch MPLS

Data Center

ASR 1000

ASR 1000

ISR-G2


SINGLE ROUTER, SINGLE PATH

SINGLE ROUTER, DUAL PATHS

DUAL ROUTERS, DUAL PATHS

Building Highly Available WANs with Cisco IWAN Redundancy and Path Diversity Matter

Downtime

per Year

4–9 Hours

5 Minutes

26 Minutes

* Typical MPLS and Business Grade Broadband Availability SLAs and Downtime per Year, calculated with Cisco AS DAAP tool.

Downtime per Year 8 Hours

46 Minutes

IWAN Solution

MPLS

99.95%*

ISR G2

MPLS

99.995%

MPLS

ISR G2

Internet

99.90%*

ISR G2

MPLS

99.995%

Internet

ISR G2

Internet

99.995%

Internet

ISR G2

Internet MPLS

99.999%

ISR G2 ISR G2

Internet Internet

99.999%

ISR G2 ISR G2

99.999%

MPLS

ISR G2

MPLS

ISR G2

Intelligent Path Control:

Performance Routing (PfR) Improving Application Delivery and WAN Efficiency


“Performance Routing (PfR) provides additional intelligence to classic routing technologies to track the performance of, or verify the quality of, a path between two devices over a Wide Area Networking (WAN) infrastructure to determine the best egress or ingress path for application traffic....”

What Is Performance Routing (PfR)?

DSL Cable

Branch MC+BR

BR BR

Data Center

MC

• Cisco IOS technology

• Two components: Master controller and border router


PATH CONTROL

METRICS

ADAPTIVE

PfR Enhances Classical Routing

Classical PfR

• Topological state • Least cost path • Static user preference

• Path cost • Interface state

• Delay • Jitter • Bandwidth

Responds To: • Measured performance changes

(degradation)

Responds To: • Link and node state changes

(up/down)

• Application-aware • Policy controlled • Measured performance

+


SP1 (MPLS) ISP (Internet)

Business App

Hybrid IWAN

Best-Effort Traffic

Detect Loss

Greater Than 10%

ISP-1 (Cable) ISP-2 (DSL)

Voice and Video

Dual Internet iWAN

Detect

High Jitter

VDI

Best-Effort Traffic

What PfR Does Protecting Critical Applications While Increasing Bandwidth Utilization

• Protect business cloud applications from brownouts

Loss < 5%

• Preferred path for business applications:

SP1 (MPLS)

• Increase WAN bandwidth efficiency by load-sharing traffic over all WAN paths, MPLS + Internet

Business App and Load-Balancing Policy

• Protect voice and video quality

Latency < 150 ms; Jitter < 20 ms

• Protect VDI applications from brownouts

Loss < 5%

• Voice and video

preferred path SP-A

• VDI preferred path SP-B

• Increase utilization by load sharing

Multimedia and Critical Data Policy


Master Controller commands path changes based on your traffic policy definitions

Best Path

BR BR

MC

MC+BR MC+BR MC+BR MC+BR

Measure the traffic flow and network performance actively or passively and report metrics to the Master Controller

Performance Measurements

BR BR

MC


ISR G2 and ASR Learn traffic classes flowing through Border Routers (BRs) based on your policy definitions

Learning Active TCs

BR BR


Traffic Classes

MC

Identify Traffic Classes based on Applications or Transport Classifiers

ASR1K

ISR G2

How PfR Works Key Operations

Path Enforcement Measurement Learn the Traffic Define Your Traffic Policy


Choose your policy actions for various traffic classes

Alternate path selection based on flexible criteria

Example:

Defining Application Performance Policy

Link

Load Balancing

Max Utilization

Link-Group Path Preference

Bandwidth Costs ($)

Application

Reachability

Delay

Loss

MOS

Jitter

FLEXIBLE CRITERIA

Load-Balance Remaining Traffic

Critical Application

1. Link-Group: Path-B

2. Loss

4. Delay

Voice/Video

1. Link-Group: Path-A

2. Loss

3. Jitter

4. Delay

Optimize Application Performance


HTTP IS THE NEW TCP

Today’s Network Is an IT Blind Spot

Static port classification is no longer enough

More and more apps are opaque

Increasing use of encryption and obfuscation

Application consists of multiple sessions (video, voice, data)

What if user experience is not meeting business needs?

COLLABORATION SaaS INFORMATION

RPC SOAP Video

IM FTP


Application Performance Monitoring for IWAN Track and Report Application Flows and Performance

Public Cloud

DC/Headquarters

Private Cloud

Enterprise Edge

• Traffic statistics records

• Application Response Time records

• Media monitoring records (Application, Jitter, Loss, etc)

NetFlow/IPFIX Records

(Same provisioning, same format)

• ActionPacked

• Glue

• Plixer

• Living Objects

• CompuWare

• CA Technologies

• InfoVista

PARTNER TOOLS ECOSYSTEM NetFlow v9 Export/IPFIX Export

Collecting Collecting Collecting

Provisioning

Exporting

AVC

AVC

NetFlow v9

AVC

Branch

Proliferation of Devices

Users/ Machines

AVC

CSR


Next Generation NBAR (NBAR2) Deep Packet Inspection (DPI)

Provides Advanced Application Classification and Field Extraction capabilities

In-service upgradable Protocol Definitions

No IOS upgrade or reboot for new Protocol Packs

Backward compatibility to preserve existing NBAR investments

NBAR2 Protocol List http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html

Application

Recognition

NBAR2

IOS

NBAR +150

Signatures

SCE Classification

+1000

Signatures

Innovations Native IPv6

Classification

Open API 3rd Party

Integration.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html




http://images.google.fr/imgres?imgurl=http://4.bp.blogspot.com/_UZImdYAiry8/Sb9qYmN0llI/AAAAAAAAPtc/a_qXEx69CB0/s400/oracle_logo.jpg&imgrefurl=http://vectorlogo.blogspot.com/2009/03/oracle-logo-eps.html&usg=__TTg6bQ4L8aDCa2kKWUD3Q4YWewM=&h=161&w=400&sz=7&hl=fr&start=3&sig2=xj4d94noyf1kS0Adw6tzJA&um=1&tbnid=LLEUA6II6jNxiM:&tbnh=50&tbnw=124&prev=/images?q=oracle+logo&hl=fr&safe=off&rlz=1T4GGLL_frFR328FR328&um=1&ei=FeHBSvDVKsjKjAeGsfDoBQ

http://images.google.fr/imgres?imgurl=http://www.nowhereelse.fr/wp-content/docs/youtube-logo5.jpg&imgrefurl=http://www.nowhereelse.fr/youtube-live-video-streaming-12525/&usg=__MyBsEJIR3joE8gm-rBq5Wel1qGA=&h=428&w=570&sz=33&hl=fr&start=1&sig2=z2krQGjzyqJMHPDfVwLLvg&um=1&tbnid=RKDnixEb39ds5M:&tbnh=101&tbnw=134&prev=/images?q=video+streaming+logo&hl=fr&safe=off&rlz=1T4GGLL_frFR328FR328&um=1&ei=0czJSp79EcSD4QaBkoTHAQ

http://images.google.fr/imgres?imgurl=http://www.clikphoto.com/2003/Customers/images/Siebel.Logo.JPG&imgrefurl=http://www.clikphoto.com/2003/Customers/links.html&usg=__dY-YhzjlqXwgaBUa3GI7LkIC8nE=&h=137&w=363&sz=4&hl=fr&start=1&sig2=jRZ_dNmSZXrDAJLEkmINsA&um=1&tbnid=q54bb4J2TD1_uM:&tbnh=46&tbnw=121&prev=/images?q=siebel+logo&hl=fr&safe=off&rlz=1T4GGLL_frFR328FR328&um=1&ei=CeHBSv6xGdi7jAfDrYHfBQ

http://images.google.fr/imgres?imgurl=http://elbconsultingllc.com/images/SAP-Logo.jpg&imgrefurl=http://elbconsultingllc.com/index.html&usg=__ttrD8hVR0ZecJBAgUc1jjcxqsZQ=&h=551&w=945&sz=36&hl=fr&start=1&sig2=eDSzYadbfwaGzGedWvK1-g&um=1&tbnid=9f5hdQ6CnNYH3M:&tbnh=86&tbnw=148&prev=/images?q=sap+logo&hl=fr&safe=off&rlz=1T4GGLL_frFR328FR328&um=1&ei=reDBSv2WCZa7jAfWrvXgBQ


Performance Collection and Exporting

HTTP HTTP

Voice and Video Performance (Media Monitoring)

Advanced Monitoring

30% of traffic is voice

and video

Critical Applications Performance (Application Response Time)

40% of traffic is

critical applications

Perf. Collection

and Exporting

Integrated performance monitoring and advanced metrics for different type of applications and use cases

What applications, how much bandwidth, flow direction? (Flexible Netflow and NBAR/NBAR2)

Basic Monitoring


SOLUTION

• Reduce load – Data redundancy

elimination (DRE), compression, and TCP optimization

• Application optimization – Fewer protocol messages

and metadata caching

PROBLEM

• Application latency

• WAN bandwidth inefficiencies

Application bandwidth with Cisco® WAAS

Application bandwidth natively

Application latency natively

Application latency with Cisco WAAS

0 0

1

2

3

4

40

80

120

160

Application Bandwidth

Application Latency

Bandwidth

(Mbps)

Latency

(Seconds)

Reduction in bandwidth

Reduction in latency

App Optimization: Reduce Bandwidth and Latency Enhancing User Experience and WAN Efficiency


EMAIL 5 MB Attachment CIFS 5 MB File

WAAS Delivers User Experience at Scale

Send and receive email over native WAN

First optimized with WAAS

Second pass optimized with WAAS

10 0 20 30 40 50 60 70 80 90 100 110 120 130 140 150

Time in Seconds

T1 (1.54Mbps)

80 ms Latency

MS SHAREPOINT 5 MB Document VDI (CITRIX)

10 0 20 30 40 50 60 70 80 90 100 110 120 130 140 150

Time in Seconds

File drag and drop over native WAN



SharePoint file download over native WAN



2 0 4 6 8 10 12 14 16 18 20 22 24 26 28 30

Time in Seconds

Launch Citrix XenDesktop over native Citrix ICA/SSL

Launch Citrix XenDesktop with WAAS

Site navigation over native Citrix ICA/SSL

Site navigation with WAAS

2 0 4 6 8 10 12 14 16 18 20 22 24 26 28 30

Time in Seconds


Akamai Intelligent Platform

Extending Akamai to the Branch with Akamai Connect Akamai Intelligent Caching Inside Cisco ISR-AX

COMPLETING THE LAST MILE

Branch

ISR-AX

AKAMAI INSIDE

AKAMAI

CACHE

Optimal Experience Regardless of Device, Connectivity or Cloud All HTTP Traffic in Private, Public, Akamai Cloud

Prepositioning | Dynamic HTTP Caching (YouTube) | Any Transport

Data Center WAN/MLPS

Secure Internet Access


Private Cloud

Secure Internet Access with Cisco Cloud Web Security (CWS)

WAN1 (IP-VPN)

CWS

Public Cloud

Internet

WAN2 (Internet)

Branch

IOS Firewall to protect Internet Edge

Secure Public Cloud and Internet Access

ISR Connector to CWS Firewall towers

Web Filtering, Access Policy, Malware Detect

IWAN IPsec VPN for Private Cloud Traffic


MPLS (IP-VPN)

Internet

Private Cloud


Public Cloud

Branch

Cisco ISR CWS Connector How it Works

HQ Routes

HQ Traffic

Default Route

WAN Tunnel

CWS Connector

Internet

DSL Interface

Cisco ISR G2 with CWS Cloud

Connector—FUNCTIONS:

• Authenticate router and client to CWS cloud • Intercept HTTP/HTTPS traffic based on ACL

filters • Add user credentials header for identifying

policy to be applied • Traffic Relay: replace client Source IP address

with Egress address

• Redirect to CWS for scanning • Act as HTTP proxy to complete requests • Allow/Block or Warn based on user or

group policy • Scan for Malware

IWAN Management


Cisco Prime Infrastructure

Provides Enterprise and Integrator life-cycle network management applications

Glue Networks

Delivers Cloud based simplified deployment portal

LiveAction

IWAN AVC and PfR Configuration and Monitoring

SDN ready with OnePK

Comprehensive programmability kit to enable SDN provisioning applications

IWAN Network Management Solutions From Cisco and NMS Partners


Simplified Deployment

Prime Infrastructure

Transport Independent Design




WAAS Central Manager

Secure Internet Connectivity


Network Health and Status


IWAN 1.0 Management Tool Matrix

(AVC)

Why Cisco IWAN?


Why Cisco IWAN

Up to

in Savings

The Alternative:

Overlay Appliances

App Visibility andControl

IP Sec VPN

WAN Opt.

Firewall

WAN Path Selection

Router

Integrated Platform

for IT Simplicity

• Branch ISR-AX

• DC ASR1K-AX

• Cloud CSR1000V

Granular Control

Everywhere

• Savings enables Business Innovation

Many pay off in

6-12 months

Quick ROI Faster

than Alternatives

• Any to Any Security

• Protect All Branch Resources

• Secure Direct Internet Access

Proven Security

at Scale

• App-Aware

• Endpoint-Aware

• Network-Aware

Unmatched Context-

based Routing


Start with Cisco AX Routers IWAN Capabilities Embedded in the Router

Simplify Application

Delivery

One Network UNIFIED SERVICES

ASR1000-AX

ISR-AX

Cisco AX Routers: ISR-4000-AX | ASR1000-AX

Transport Independent

Routing

Secure Connectivity




Cisco Confidential

IWAN Branch Services Routers

INTEGRATED IWAN SERVICES

APPLICATION CENTRIC

APPLIANCE LEVEL PERFORMANCE

IOS Firewall, VPN, IPSec, PfRV3, NBAR2, AVC, AppNav, VRF, MPLS

Scalable on-chip service provisioning

App/User policy-driven deployment

APIC_EM Automation: deploy in minutes

Pay-as-you-grow

Up-to-75% cost savings

Service-Aware Dataplane

Resilient Service Virtualization

Multi-gigabit Fabric

ISR4000 Series - IWAN AX Ready, Next Generation Branch

ISR4431

ISR 4351

ISR 4331

ISR4321

ISR4451

500Mbps/1Gbps

200/400Mbps

100/300Mbps

50/100Mbps

1-2Gbps

NEW!

NEW!

NEW!

NEW!


Cisco Confidential

IWAN Aggregation Border Routers

ASR1000 - IWAN AX Ready, High Performance Routers

INTEGRATED IWAN SERVICES

BUSINESS-CRITICAL RESILIENCY

COMPACT, POWERFUL ROUTER

IOS Firewall, VPN, IPSec, PfRV3, NBAR2, AVC, AppNav, VRF, MPLS

Scalable on-chip service provisioning

Separate control and data planes

Hardware and software redundancy

In-service software upgrades

Line-rate performance 2.5G to 200G+ with services enabled

Crypto performance from 2G to 60G+

Flexible I/O: SPAs and Ethernet LCs

2.5G Upgradeable to 5G, 10G, 20G

Up to 8G Crypto Throughput

5G Upgradeable to 10G, 20G, 36G


Modular, Redundant up to 200G


ASR1001-X

ASR1002-X

Modular ASR1006

NEW!


Branch

MPLS (IP-VPN)

Internet

Private Cloud


Public Cloud

Secure WAN Transport

Direct Internet

Access

Intelligent WAN (IWAN)

Internet As WAN with High Reliability

SLAs for Business-Critical Applications

Centralized Security Policy for Internet Access

Dramatically Lower WAN Costs without Compromise

Thank you.

cisco iwan – intelligent connectivity for today’s reality

Technology

internet cisco confidential

cisco andor

cisco intelligent wan

internet transition

cloud internet edge

dual business internet

dual internet links

telegeography mpls vpn