Enabling Business Class Internet with Intelligent WAN (IWAN) TechAdvantage Webinar
DESCRIPTION
Slides from the March 26th TechAdvantage Webinar on Intelligent WAN (IWAN) and how it leverages the Internet to enhance traditional networks and improve cloud performance. This architecture session explains how organizations can take advantage of low-cost, high-performance Internet services to reduce costs without compromising network reliability, and at the same time improve application performance. It discusses the emerging industry trends and business drivers, and which Cisco products and technologies are used to build an IWAN. Each technology is explained so that you can design an IWAN that takes advantage of the price-performance benefits of the Internet; the session does not go into detail on how to configure an IWAN. Attendees should have a general understanding of enterprise WAN designs, routers and related IOS WAN technologies. Watch the replay on WebEx: https://cisco.webex.com/ciscosales/lsr.php?RCID=8277b76ec631405bab09dcf2d626a990
TRANSCRIPT
Intelligent WAN (IWAN)
Cisco TechAdvantage Webinar – March 26, 2014
Jean-Marc Barozet, Technical Leader
Sumanth Kakaraparthi, Product Manager
Network Operating Systems Technology Group
© 2014 Cisco and/or its affiliates. All rights reserved. IWAN Cisco Confidential
Housekeeping
• Submit questions in the Q&A panel and send to "All Panelists"; avoid the CHAT window for better access to panelists
• Please complete the post-event survey
• For WebEx audio, select COMMUNICATE > Join Audio Broadcast
• For WebEx call back, click the ALLOW phone button at the bottom of the participants side panel
• Where can I get the presentation? Or send email to: [email protected]
• Join us for upcoming TechAdvantage Webinars: www.cisco.com/go/techadvantage

Speakers & Panelists Introduction
Speakers:
• Sumanth Kakaraparthi, Product Manager
• Jean-Marc Barozet, Technical Leader
Panelists:
• Scott Van de Houten, Distinguished Architect, [email protected]
• Madhavan Arunachalam, Technical Leader

Mobile Device Network Traffic
[Figure: bar charts comparing iOS, Android and Windows devices. Average number of apps per device*: 41. Average app size** (iOS, Android, Windows): values shown are 23 MB, 6 MB and 25 MB. OS update file size*** (iOS 7 for iPhone 5, Android Jelly Bean 4.1, Windows 7): values shown are 750 MB, 168 MB and 400 MB.]
Sources: * http://www.nielsen.com/us/en/newswire/2012/state-of-the-appnation-%C3%A2%C2%80%C2%93-a-year-of-change-and-growth-in-u-s-smartphones.html ** https://www.abiresearch.com/press/average-size-of-mobile-games-for-ios-increased-by- *** http://www.wirelessandmobilenews.com/2013/05/samsung-galaxy-s3-iii-update-android-4.2.1-jelly-bean.html http://theiphonewiki.com/wiki/Firmware#iPad_4 http://answers.microsoft.com/en-us/windows/forum/windows_other-windows_update/what-is-average-monthly-size-of-update-downloads/dfe9bb34-c2dd-478e-a6cb-0a26228cf552

Third-Party Lab Test: Chromebook vs. Windows 8 Laptop
Chromebook Creates an Average of 152 Times More Traffic
• Chromebook creates as much as 692.2 times more network traffic
• On average, Chromebook creates 152 times more network traffic
[Figure: network traffic per task, Asus VivoBook S200E notebook vs. Chromebook, for document manipulation, photo manipulation, video manipulation, music manipulation, web browsing, note taking and test taking; values shown range from 0.14 to 211.29.]
Source: http://principledtechnologies.com/Microsoft/Chromebook_PC_network_traffic_0613.pdf

Emerging Branch Demands: The Application Landscape Is Changing
Pressures on the WAN:
• Applications are moving to the data center and cloud
• Internet edge is moving to the branch
• Cloud: … of CIOs expect to operate via the cloud by 2015
• Mobility: … more mobile data traffic by 2015
• Fat apps: … of mobile traffic will be video

Internet Becoming an Extension of Enterprise WAN
• Commodity transports viable now
• Dramatic bandwidth and price-performance benefits
• Higher network availability
• Improved performance over the Internet

Why Move to Internet as WAN? Low-Cost Alternative
• … of organizations are planning to transition to Internet connections
[Figure: Internet Pricing vs. Reliability, 1998-2012 (Internet transit pricing¹ against packet delivery²).]
1 Internet transit pricing based on surveys and informal data collection, primarily from Internet operations forums ('street pricing' estimates)
2 Packet delivery based on 15 years of ping data from PingER for WORLD (global server sample) from EDU.STANFORD.SLAC in California
Source: William Norton (DrPeering.net); Stanford ping end-to-end reporting (PingER)

…And the Internet Transition Pays Off Fast
EXAMPLE: San Francisco, single MPLS VPN vs. dual business Internet ($ per month)

  Service                                        10 Mbps    1.5 Mbps
  IWAN (dual Internet links combined
  for enterprise SLA)                              $220        $140
  MPLS VPN CoS3                                    $830        $260
  MPLS VPN CoS2                                    $885        $274
  MPLS VPN CoS1                                  $1,014        $303

The savings figure on the slide corresponds to the 10 Mbps CoS2 comparison ($885 vs. $220, about -75%): $665 savings/month x 12 months x 1,000 sites = about $8M savings per year.
Source: Telegeography MPLS VPN pricing for San Francisco as of March 2013; Comcast web site; Verizon web site

Intelligent WAN: Leveraging the Internet for Secure WAN Transport and Internet Access
[Figure: branch connected over MPLS (IP-VPN) secure WAN transport to the private cloud and virtual private cloud, and over direct Internet access to the public cloud.]
• Secure WAN transport for private and virtual private cloud access
• Leverage the local Internet path for public cloud and Internet access
✓ Increased WAN transport capacity, cost effectively
✓ Improved application performance (right flows to right places)

Intelligent WAN Solution Components
[Figure: branch with Internet, MPLS and 3G/4G-LTE transports to the private cloud, virtual private cloud and public cloud, with AVC, WAAS and PfR services.]
Transport Independent
• Consistent operational model
• Simple provider migrations
• Scalable and modular design
• IPsec routing overlay design
Intelligent Path Control
• Dynamic application best path based on policy
• Load balancing for full utilization of bandwidth
• Improved network availability
Application Optimization
• Application visibility with performance monitoring
• Application acceleration and bandwidth optimization
Secure Connectivity
• Certified strong encryption
• Comprehensive threat defense
• Cloud Web Security for secure direct Internet access

Intelligent WAN Deployment Models
Transport-independent design simplifying Internet-based WANs: a consistent VPN overlay enables security across the transition.
Dual MPLS
✓ Highest SLA guarantees
– Tightly coupled to SP
✗ Expensive
Hybrid (MPLS + Internet)
✓ More BW for key applications
✓ Balanced SLA guarantees
– Moderately priced
Dual Internet
✓ Best price/performance
✓ Most SP flexibility
– Enterprise responsible for SLAs

Flexible Secure WAN Design Over Any Transport: Dynamic Multipoint VPN (DMVPN)
Simplifies WAN design, dynamic full-meshed connectivity, proven robust security
Flexible
• Easy multi-homing over any carrier service offering
• Single routing control plane with minimal peering to the provider
• Consistent design over all transports
Secure
• Automatic site-to-site IPsec tunnels
• Zero-touch hub configuration for new spokes
• Certified crypto and firewall for compliance
• Scalable design with high-performance cryptography in hardware
[Figure: transport-independent design, branch ISR-G2 connected over Internet and MPLS to data center ASR 1000 routers.]

Over-the-Top WAN Design with Secure On-Demand Tunnels: Dynamic Multipoint VPN (DMVPN)
• Branch spoke sites establish an IPsec tunnel to the hub site and register with it
• IP routing exchanges prefix information for each site; BGP or EIGRP are typically used for scalability
• With the WAN interface IP address as the tunnel source address, the provider network does not need to route customer internal IP prefixes
• Data traffic flows over the DMVPN tunnels; when traffic flows between spoke sites, dynamic site-to-site tunnels are established
• Per-tunnel QoS is applied to prevent hub site oversubscription of spoke sites
[Figure: traditional static tunnels (static, known IP addresses) vs. DMVPN on-demand tunnels (dynamic, unknown IP addresses): hub ASR 1000 with branch 1, branch 2 … branch n ISR G2 spokes over IPsec VPN.]

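The registration, resolution and on-demand tunnel behaviour described on this slide, as an added example that is not Cisco code: a toy model in which spokes register their tunnel address and public (NBMA) address with the hub, prefixes are learned over the overlay, and the first spoke-to-spoke flow triggers an NHRP resolution and a direct tunnel. All addresses and prefixes are constructed; the hub doubles as route reflector, and the IPsec SA is represented only as a table entry.

```python
"""Added example, not Cisco code: a toy model of the DMVPN behaviour the slide
describes. Spokes register tunnel-IP -> NBMA (WAN) address with the hub over
NHRP, prefixes are learned over the overlay, and the first spoke-to-spoke flow
triggers an NHRP resolution and an on-demand direct tunnel. All addresses and
prefixes below are constructed for the example."""
import ipaddress


class Hub:
    """Hub acting as NHRP next-hop server and route reflector for the overlay."""

    def __init__(self, tunnel_ip, nbma_ip, lan_prefixes):
        self.tunnel_ip, self.nbma_ip = tunnel_ip, nbma_ip
        self.nhrp = {}                                   # tunnel IP -> NBMA IP
        self.routes = {ipaddress.ip_network(p): tunnel_ip for p in lan_prefixes}

    def register(self, spoke):
        # NHRP registration: the hub learns the spoke's *current* public address,
        # which is why spokes can sit on DHCP-assigned (unknown) addresses.
        self.nhrp[spoke.tunnel_ip] = spoke.nbma_ip
        for prefix in spoke.lan_prefixes:                # routing over the tunnel
            self.routes[ipaddress.ip_network(prefix)] = spoke.tunnel_ip

    def resolve(self, tunnel_ip):
        """NHRP resolution: which NBMA address owns this overlay next hop?"""
        return self.nhrp.get(tunnel_ip)


class Spoke:
    def __init__(self, name, tunnel_ip, nbma_ip, lan_prefixes, hub):
        self.name, self.tunnel_ip, self.nbma_ip = name, tunnel_ip, nbma_ip
        self.lan_prefixes, self.hub = lan_prefixes, hub
        self.sas = {hub.nbma_ip: hub.tunnel_ip}          # IPsec SAs: peer NBMA -> tunnel IP
        hub.register(self)

    def next_hop(self, dst_ip):
        """Longest-prefix match over routes learned through the hub. The next hop
        is always an overlay tunnel IP; the provider only ever routes NBMA addresses."""
        ip, best = ipaddress.ip_address(dst_ip), None
        for prefix, nh in self.hub.routes.items():
            if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return None if best is None else best[1]

    def send(self, dst_ip):
        """Return the NBMA hops one packet to dst_ip traverses, building a
        spoke-to-spoke tunnel on first use (DMVPN phase 2)."""
        nh = self.next_hop(dst_ip)
        if nh is None:
            return None                                  # no overlay route
        for peer_nbma, tunnel_ip in self.sas.items():
            if tunnel_ip == nh:
                return [self.nbma_ip, peer_nbma]         # existing tunnel (hub or spoke)
        peer_nbma = self.hub.resolve(nh)
        if peer_nbma is None:
            return None
        self.sas[peer_nbma] = nh                         # on-demand IPsec SA to the peer
        # The first packet is still relayed through the hub while the resolution and
        # the new SA complete; everything after that goes direct.
        return [self.nbma_ip, self.hub.nbma_ip, peer_nbma]


if __name__ == "__main__":
    hub = Hub("10.0.0.1", "203.0.113.1", ["10.100.0.0/16"])
    b1 = Spoke("branch1", "10.0.0.11", "198.51.100.11", ["10.1.0.0/16"], hub)
    b2 = Spoke("branch2", "10.0.0.12", "192.0.2.22", ["10.2.0.0/16"], hub)
    print(b1.send("10.100.5.5"))   # spoke to hub
    print(b1.send("10.2.9.9"))     # first spoke-to-spoke packet: via hub, tunnel built
    print(b1.send("10.2.9.9"))     # now direct
```

The model makes the security-relevant split visible: the NHRP table and the SA table are keyed by public NBMA addresses, which is all the provider routes, while the route table is keyed by internal prefixes that never leave the overlay.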
Hybrid WAN Designs – Traditional and IWAN
Traditional hybrid (data center ASR 1000s to branch ISR-G2 over ISP A Internet and SP V MPLS):
• Two IPsec technologies: GETVPN over MPLS, DMVPN over Internet
• Two WAN routing domains: MPLS with eBGP or static, Internet with iBGP, EIGRP or OSPF; route redistribution, route filtering and loop prevention required
• Active/standby WAN paths: primary with backup
IWAN hybrid (same transports):
• One IPsec overlay: DMVPN over both MPLS and Internet
• One WAN routing domain: iBGP, EIGRP or OSPF
• Active/active WAN paths

IWAN Transport Independent Designs: Same Design Over MPLS, Internet, 3G/4G
• One DMVPN IPsec overlay
• One WAN routing domain: iBGP, EIGRP or OSPF
• Active/active WAN paths
[Figure: IWAN hybrid (DMVPN over ISP A Internet and SP V MPLS) and IWAN dual Internet (DMVPN over ISP A DSL and ISP C cable), each with a branch ISR-G2 and data center ASR 1000s.]

What if the CPE Is Owned and Managed by an MSP?
• ISR-AX as IWAN services gateway
– Lower cost than overlay appliances
– Integrated services gateway including AX, SEC, UC and compute
– Internet path for extra capacity
– Direct Internet Access for improved SaaS cloud performance
[Figure: MSP-managed CPE at the branch alongside an ISR-G2 running AVC, PfR and WAAS, connected over Internet and MPLS to data center ASR 1000s.]

Building Highly Available WANs with Cisco IWAN: Redundancy and Path Diversity Matter

  Design                       Transports                                      Availability*      Downtime per year
  Single router, single path   MPLS                                            99.95%             4 to 9 hours
  Single router, single path   Internet                                        99.90%             8 hours 46 minutes
  Single router, dual paths    MPLS+MPLS, MPLS+Internet or Internet+Internet   99.995%            26 minutes
  Dual routers, dual paths     MPLS+MPLS, MPLS+Internet or Internet+Internet   99.999%            5 minutes

The IWAN solution targets the dual-path designs (99.995% to 99.999%).
* Typical MPLS and business-grade broadband availability SLAs and downtime per year, calculated with the Cisco AS DAAP tool.

Traditional to IWAN Transition: Migration Steps
[Figure: six numbered topologies (0 to 5) for a branch ISR G2, starting from dual MPLS, adding DMVPN to the MPLS WAN, replacing a WAN service with an Internet service, and ending with other IWAN topologies that combine MPLS, Internet and 3G/4G-LTE.]
• Adding DMVPN to MPLS WAN
• Replacing a WAN service with an Internet service
• Other interesting IWAN topologies

IWAN Transport Best Practices
• Private peering with Internet providers
– Use the same Internet provider for hub and spoke sites
– Avoids Internet exchange bottlenecks between providers
– Reduces round-trip latency
• DMVPN
– DMVPN Phase 2 for dynamic tunnels with PfR
– Separate DMVPN network per provider for path diversity
– Per-tunnel QoS
• Transport settings
– Use the same MTU size on all WAN paths
– Bandwidth settings should match the offered rate
– Use a front-side VRF to separate Internet and internal default routes
• Internet security
– Firewalls or access lists to permit only DMVPN tunnel traffic
– Hub tunnel IP address should not be registered in DNS, to hide it
• Routing overlay
– iBGP or EIGRP for high scale (1000+ sites)
– Single routing process, simplified operations
[Figure: IWAN hybrid with one DMVPN network per provider ("DMVPN Purple" over ISP A Internet, "DMVPN Green" over SP V MPLS).]

Intelligent Path Control: Performance Routing (PfR)

Getting the Most Out of Your WAN Investment: Benefits of Intelligent Path Control
[Figure: data center ASR 1000s with WAAS, PfR and AVC connected over MPLS and Internet to a branch ISR G2.]
• Enabling Internet-based WANs
• Efficient distribution of traffic based upon load, circuit cost and path preference: full utilization of all WAN bandwidth, lower WAN costs
• Per-application best path based on delay, loss and jitter measurements: improved application performance
• Protection from carrier black holes and brownouts

Intelligent Path Control with PfR: Voice and Video Use Case
[Figure: branch connected over MPLS and Internet to the private cloud and virtual private cloud.]
• PfR monitors network performance and routes applications based on application performance policies
• PfR load-balances traffic based upon link utilization levels to efficiently utilize all available WAN bandwidth
• Voice/video take the best delay, jitter and/or loss path, and are rerouted if the current path degrades below policy thresholds
• Other traffic is load-balanced to maximize bandwidth

Performance Routing Components
The decision maker: Master Controller (MC)
§ Applies policy, verification, reporting
§ No packet forwarding/inspection required
The forwarding path: Border Router (BR)
§ Gains network visibility in the forwarding path (learn, measure)
§ Enforces the MC's decision (path enforcement)
Optimize by: reachability, delay, loss, jitter, MOS, throughput, load and/or $ cost
[Figure: data center MC with two BRs, and a branch combining MC+BR, connected over DSL and cable.]

How PfR Works – Key Operations
1. Define your traffic policy
2. Learn the traffic: ISR G2 and ASR border routers (BRs) learn the traffic classes flowing through them based on your policy definitions; traffic classes are identified by application or transport classifiers
3. Measurement: measure the traffic flow and network performance actively or passively and report metrics to the Master Controller
4. Path enforcement: the Master Controller commands path changes based on your traffic policy definitions
[Figure: MC and BRs on ISR G2 / ASR1K: learning active TCs, performance measurements, TC path.]

Performance Routing – Control Loop
1. Learn your traffic classes: prefix-based flows, ACL-based flows, application flows
2. Measure network performance and availability
– Passive: NetFlow data (throughput); passive mode measures bandwidth, delay (TCP) and loss (TCP)
– Active: IP SLA probes (jitter, delay); active mode measures delay, loss, jitter and MOS
– Reachability and topology information via the routing processes
3. Apply your traffic policy: compute path performance and compare it to the defined policy per traffic class
4. Select path: send the good path to the BRs for each traffic class; BRs inject the best path into the FIB; gather new path performance information
5. Verify the new path: verify traffic is flowing on the new path; revert to the previous path if performance remains out of policy

Learning Traffic Classes (TCs)
• PfR operates on traffic classes flowing through BRs
• A traffic class is a subset of the traffic, defined by policy, that is to be optimized
• Traffic class performance metrics are collected per path
• PfR can learn traffic classes in two ways:
– Automatic: dynamically learn flows that match TC definitions
– Configuration: user-defined traffic classes and prefixes to optimize
• Traffic classes can be identified using:
– IP prefixes
– ACL classes (e.g., well-known ports, CoS markings)
– Application classes (e.g., NBAR)
Example of a traffic class list (per BR):

  Dest. IP       DSCP   AppID   Delay   Loss   Jitter   BW
  10.2.2.0/24    EF     …       …       …      …        …
  …              …      …       …       …      …        …

Measuring Network and Application Performance
• Passive measurement
– For data or best-effort applications
– Ingress/egress bandwidth and TCP loss and delay derived from NetFlow
• Active measurement
– For video, voice and delay-sensitive data applications
– Path jitter, delay, loss and MOS derived from IP SLA synthetic traffic probes
• PfR automatically enables NetFlow and IP SLA; no knowledge or configuration experience needed
• The MC performance database determines policy enforcement actions
• Dedicated IP SLA responder to offload probing from the branch in large deployments

  Destination Prefix   DSCP   App Id   Delay   Jitter   Loss   Ingress BW   Egress BW   BR    Exit
  10.1.1.1/32          EF              60      10       0      20           40          BR1   Gi1/1
  10.1.10.0/24         AF31            110     15       0      52           60          BR1   Gi1/2
  …                    0               89      26       1      34           10          BR2   Gi1/1

[Figure: data center MC and BRs probing a branch MC+BR over DSL and cable; an IP SLA responder answers the probes.]

Defining Application Performance Policy
• Choose your policy actions for various traffic classes
• Alternate path selection based on flexible criteria: link load balancing (max utilization), link-group path preference, bandwidth costs ($), application reachability, delay, loss, MOS, jitter
Example:
Voice/Video: 1. Link-Group: Path-A; 2. Loss; 3. Jitter; 4. Delay
Critical Application: 1. Link-Group: Path-B; 2. Loss; 4. Delay
Load-balance the remaining traffic

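One pass of the control loop from the "Performance Routing – Control Loop" slide, applied to a policy of the shape shown on this slide (preferred link-group, then loss, jitter, delay), as an added example that is not Cisco code. The thresholds, the link-group names Path-A and Path-B, and the measurement snapshots are constructed; a real Master Controller receives these metrics from the border routers via NetFlow and IP SLA.

```python
"""Added example, not Cisco code: a toy master-controller pass for the control
loop and policy slides above (measure, compare to policy, select, verify).
Thresholds, link-group names and the measurement snapshots are constructed;
a real MC gets its metrics from the border routers via NetFlow and IP SLA."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    """Thresholds in the slide's priority order: loss, then jitter, then delay."""
    preferred_group: Optional[str] = None      # e.g. "Path-A" for voice/video
    max_loss_pct: float = 1.0
    max_jitter_ms: float = 30.0
    max_delay_ms: float = 200.0

    def violations(self, m):
        """Names of the metrics out of policy for one exit; empty means in policy."""
        checks = (("loss", m["loss"], self.max_loss_pct),
                  ("jitter", m["jitter"], self.max_jitter_ms),
                  ("delay", m["delay"], self.max_delay_ms))
        return [name for name, value, limit in checks if value > limit]


@dataclass
class TrafficClass:
    prefix: str
    dscp: str
    policy: Policy
    path: str                                  # current exit (link-group name)


def rank(policy, exits):
    """Order candidate exits: fewest policy violations first, the preferred
    link-group first among equals, then by loss, jitter and delay."""
    def key(item):
        name, m = item
        return (len(policy.violations(m)),
                0 if name == policy.preferred_group else 1,
                m["loss"], m["jitter"], m["delay"])
    return [name for name, _ in sorted(exits.items(), key=key)]


def control_loop(tc, measure):
    """One pass: measure -> compare -> select -> verify. `measure()` returns
    {exit: {"loss": %, "jitter": ms, "delay": ms}} for the current interval and
    is called a second time for the verify step. Returns (path, events)."""
    events = []
    m = measure()
    if not tc.policy.violations(m[tc.path]):
        events.append(f"{tc.prefix}/{tc.dscp}: in policy on {tc.path}")
        return tc.path, events
    previous = tc.path
    tc.path = rank(tc.policy, m)[0]
    events.append(f"{tc.prefix}/{tc.dscp}: {previous} out of policy "
                  f"({', '.join(tc.policy.violations(m[previous]))}); moved to {tc.path}")
    # Verify on fresh measurements; if the new exit is also out of policy, revert
    # so the class does not keep bouncing between two bad paths.
    if tc.path != previous and tc.policy.violations(measure()[tc.path]):
        events.append(f"{tc.prefix}/{tc.dscp}: {tc.path} still out of policy; reverting to {previous}")
        tc.path = previous
    return tc.path, events


def make_measure(snapshots):
    """Constructed measurement source: yields snapshots in order, repeating the last."""
    it, last = iter(snapshots), {}

    def measure():
        nonlocal last
        last = next(it, last)
        return last
    return measure


if __name__ == "__main__":
    voice = Policy(preferred_group="Path-A")
    tc = TrafficClass("10.2.2.0/24", "EF", voice, "Path-A")
    brownout = {"Path-A": {"loss": 3.0, "jitter": 45, "delay": 60},
                "Path-B": {"loss": 0.0, "jitter": 12, "delay": 90}}
    print(control_loop(tc, make_measure([brownout])))
```

Ranking by violation count before the preference keeps a voice class off its preferred link-group only while that path is actually out of policy; once Path-A recovers, the next pass ranks it first again.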
Path Enforcement
• The Master Controller monitors traffic classes and BR exit links for out-of-policy conditions
• The appropriate enforcement method is determined automatically by the MC
• The MC commands the BRs to enforce path changes for policy compliance
Destination-prefix based:
§ BGP: egress by route injection or by modifying the BGP local preference attribute; ingress by BGP AS-path prepend or AS community
§ EIGRP route control
§ Static route injection
§ Protocol Independent Route Optimization (PIRO) with PBR injection
Application based:
§ Dynamic PBR
§ NBAR/CCE

Use Case #1 – Load Balancing: Maximizing Link Utilization to Increase Available Bandwidth
[Figure: data center ASR 1000s to branch ISR-G2 over Internet and MPLS; 50% of a T1 = 750 kbps, 50% of 15 Mbps = 7.5 Mbps.]
• External link load balancing is enabled by default
• PfR distributes traffic across a set of links to maintain efficient utilization levels within a defined percentage range; the default utilization range is +/- 20%
• External links can have different available bandwidth, e.g., Int 1/0 = 1.5 Mbps, Int 1/1 = 15 Mbps
• Load balancing defaults can be modified by CLI: utilization range, max utilization (90%)

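The load-balancing decision of this use case as an added example (not Cisco code): exits of unequal capacity are kept within a utilization range of each other and under a maximum utilization by moving whole traffic classes, since PfR moves classes rather than individual packets. The link capacities (a 1.5 Mbps T1 and a 15 Mbps Internet link, as on the slide) and the class rates are constructed; the 20% range and 90% maximum are the defaults the slide quotes.

```python
"""Added example, not Cisco code: the link load balancing of Use Case #1 as a
small decision routine. Exit links of unequal capacity are kept within a
utilization range of each other and under a maximum utilization by moving whole
traffic classes (PfR moves classes, not individual packets). Link capacities and
class rates are constructed; the T1 / 15 Mbps pair mirrors the slide."""


def utilization(links, placement):
    """links: {exit: capacity_kbps}; placement: {tc: (exit, rate_kbps)}.
    Returns utilization per exit as a fraction of capacity."""
    load = dict.fromkeys(links, 0)
    for exit_, rate in placement.values():
        load[exit_] += rate
    return {exit_: load[exit_] / links[exit_] for exit_ in links}


def out_of_policy(links, placement, max_util=0.90, range_pct=0.20):
    """True if any exit is above max utilization or the exits differ by more
    than the configured range (the slide's defaults: 90% and +/- 20%)."""
    u = utilization(links, placement)
    return max(u.values()) > max_util or max(u.values()) - min(u.values()) > range_pct


def balance(links, placement, max_util=0.90, range_pct=0.20, max_moves=50):
    """Greedy rebalance: while out of policy, move the class from the hottest
    exit to the coolest exit that most reduces the utilization spread.
    Returns (new_placement, moves) where moves = [(tc, from_exit, to_exit), ...]."""
    placement, moves = dict(placement), []
    for _ in range(max_moves):
        if not out_of_policy(links, placement, max_util, range_pct):
            break
        u = utilization(links, placement)
        hot, cold = max(u, key=u.get), min(u, key=u.get)
        best, best_spread = None, max(u.values()) - min(u.values())
        for tc, (exit_, rate) in placement.items():
            if exit_ != hot:
                continue
            trial = dict(placement, **{tc: (cold, rate)})
            tu = utilization(links, trial)
            spread = max(tu.values()) - min(tu.values())
            if spread < best_spread:
                best, best_spread = tc, spread
        if best is None:
            break                      # no single move helps; needs operator attention
        placement[best] = (cold, placement[best][1])
        moves.append((best, hot, cold))
    return placement, moves


if __name__ == "__main__":
    LINKS = {"Gi1/0 T1": 1500, "Gi1/1 Internet": 15000}          # kbps, as on the slide
    PLACEMENT = {"c1": ("Gi1/1 Internet", 3000), "c2": ("Gi1/1 Internet", 2000),
                 "c3": ("Gi1/1 Internet", 1500), "c4": ("Gi1/0 T1", 1000),
                 "c5": ("Gi1/0 T1", 500), "c6": ("Gi1/0 T1", 250)}
    new, moves = balance(LINKS, PLACEMENT)
    print(moves, utilization(LINKS, new))
```

With the constructed placement the routine makes a single move and lands exactly on the slide's 50/50 split: 750 kbps on the T1 and 7.5 Mbps on the Internet link. Because the exits are compared on utilization rather than absolute load, the 15 Mbps link carries ten times the traffic of the T1 while both stay inside the range.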
Use Case #2 – Cisco Intelligent WAN Use Case Example
[Figure: two hubs (HUB1, HUB2), each an ASR1002-X MC with BRs and an IP SLA responder; 650 branches with 2 traffic classes each, on ISR 890 (DMVPN over FTTH, 100M down / 10M up) and ISR 810 (DMVPN over ADSL, 20M down / 2M up).]
Requirements:
• Broadband Internet to reduce WAN transport costs
• Dual-ISP design to improve availability
• Protect multimedia applications from Internet brownouts
• Load-balance traffic to maximize WAN bandwidth utilization
Solution overview:
1. Policies:
– Voice/Video: delay < 200 ms, jitter < 30 ms, preferred path = FTTH
– Data: load balance, max link utilization 90%
2. DMVPN for a secure, IPsec, transport-independent design
– Per-tunnel QoS at the hub to minimize branch bandwidth oversubscription
– Site-to-site dynamic tunnels to reduce latency for multimedia applications
3. Performance Routing (PfR) to protect apps and maximize bandwidth
4. Advanced QoS to prioritize critical applications during congestion
5. Prime Plug-n-Play automated deployment to simplify and expedite branch rollout

PfR Scale and Performance

  Scale               TCs per site      Branches   Notes
  Typical policies    2                 650        Sufficient for protecting a voice/video TC and load balancing all data traffic
  Advanced policies   4                 300        Multiple application policies and load balancing
  Max TCs             18K concurrent               ASR1002-X, highest-scale MC and BR

Recommended hardware:
  Hub or DC   ASR1002-X                                          Dedicated PfR MC; PfR BR + DMVPN hub
  Hub or DC   ISR 3945E                                          Dedicated IP SLA shadow router
  Branch      ISR 892 FSP, ISR1900 or better, ASR1001 or better  MC/BR + DMVPN spoke

PfR Evolution – Simplification and Scale
• PfR/OER: Internet edge; basic WAN; provisioning per site per policy; 1000s of lines of config
• PfRv2 (today): policy simplification; app path selection; blackout ~6 s; brownout ~9 s; scale 500 sites; 10s of lines of config
• PfRv3 (summer 2014): centralized provisioning; AVC infrastructure; VRF awareness; blackout ~2 s; brownout ~2 s; scale 2000 sites; hub config only

Introducing "Enterprise Domain" (full AVC, future)
[Figure: an APIC-EM controller with single-touch provisioning and auto-discovery over a domain of Cisco ISR G2 / ASR 1000 branch and campus routers, providing global control, local monitoring and path optimization.]

Collecting Application Performance
• Service exchange: peering and coordination at the WAN edge; automatic discovery, single-touch provisioning
• Learning: the network discovers the apps (NBAR2) or classifies based on DSCP (Unified Performance Monitor)
• Passive monitoring: collect application performance using Unified Performance Monitors (AVC infrastructure)
• Smart probing: smart probes for discovery, also used if there is no traffic
• Remote feedback: performance is measured on ingress at the remote site, which sends performance feedback to its peers
• QoS synthesis: WAN edge peers learn the SP SLA (per DSCP) and manage congestion (local CAC*, remote CAC*)
* Not available at FCS

Today's Network Is an IT Blind Spot
• Static port classification is no longer enough
• More and more apps are opaque
• Increasing use of encryption and obfuscation
• An application consists of multiple sessions (video, voice, data)
• What if user experience is not meeting business needs?

Application Classification: Deep Packet Inspection (DPI) with Next-Generation NBAR2
NBAR2 combines IOS NBAR (150+ signatures) with SCE classification (1000+ signatures), plus native IPv6 classification and an open API for third-party integration.
• Provides advanced application classification and field extraction capabilities
• In-service upgradable protocol definitions: no IOS upgrade or reboot for new protocol packs
• Backward compatibility to preserve existing NBAR investments
• NBAR2 protocol list: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html

Add Application Visibility: Add Unified Performance Monitor (Cisco AVC)
[Figure: branch with a proliferation of devices (users/machines) connected to DC/headquarters, the private cloud and the public cloud, with Cisco AVC at the edges.]
60% of IT professionals cite performance as a key challenge for cloud
No probes
• Deep packet inspection
• Passive monitoring for voice, video, critical apps and best-effort apps
• No additional hardware (included in the AX license)
Smart capacity planning
• Better use of costly bandwidth
• Per-branch and per-application level reporting
Business-aligned privacy enforcement
• No need for complex IP and port ACLs
• See inside HTTP flows to identify specific cloud applications

Performance Collection & Exporting: Integrated Performance Monitoring and Advanced Metrics for Different Types of Applications and Use Cases
• Basic monitoring: what applications, how much bandwidth, flow direction? (Flexible NetFlow and NBAR/NBAR2)
• Advanced monitoring:
– Voice and video performance (media monitoring); 30% of traffic is voice and video
– Critical applications performance (application response time); 40% of traffic is critical applications

Evolving to Unified Monitoring
Previous model for IOS:
• Certain metrics available only with certain features; multiple features to configure
• Separate provisioning, collecting and exporting per feature: Flexible NetFlow (traffic stats records: app usage, top talkers), Performance Agent (ART records: application response time) and PerfMon (media records: voice/video performance), each exporting NetFlow v9 or IPFIX
Unified model (the current model for IOS XE; new in IOS 15.4(1)T):
• All metrics are available within a single feature: the Performance Agent collects traffic stats, media and ART records
• Single provisioning and single export (NetFlow v9 / IPFIX) for app usage, top talkers, voice/video performance and application response time

Report Application Flows and Performance Using a Standard: NetFlow v9 or IPFIX
[Figure: branch and DC/headquarters AVC-enabled routers (including CSR) at the enterprise edge export NetFlow v9 / IPFIX across the WAN to the partner tools ecosystem.]
NetFlow/IPFIX records (same provisioning, same format):
• Traffic statistics records
• Application response time records
• Media monitoring records (application, jitter, loss, etc.)
Partner tools ecosystem: ActionPacked, Glue, Plixer, Living Objects, CompuWare, CA Technologies, InfoVista

For Your Reference
DMVPN Network QoS Design
• Remark DSCP on egress to align with each SP's SLA class-of-service requirements
• H-QoS with shaping to the offered rate on egress
• Hub per-tunnel QoS to minimize spoke oversubscription
DSCP handling through the IPsec tunnel (branch ISR-G2 to data center ASR 1000 over the WAN):
1. The packet is initially marked DSCP CS5
2. By default the DSCP value is copied to the IPsec header
3. The top-most (outer) DSCP is remarked on egress: the egress interface policy rewrites the DSCP of the encrypted/encapsulated header (here to AF41)
4. The packet is decapsulated at the far end to reveal the original DSCP (CS5)

Example egress policy (the child policy-map name referenced by the parent's service-policy must match exactly; the MARK-BGP child policy for control traffic is not shown on the slide):

  policy-map WAN-OUT
   class VOICE
    priority percent 10
   class VIDEO-INTERACTIVE
    priority percent 23
    set ip dscp af41
   class NETWORK-MGMT
    bandwidth percent 5
    service-policy MARK-BGP
   class class-default
    bandwidth percent 25
    random-detect
  !
  policy-map Int-Gig-Agg-HE
   class class-default
    shape average 1000000000
    service-policy WAN-OUT

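The four DSCP steps above at byte level, as an added example that is not Cisco code: the inner IPv4 header carries CS5, tunnel-mode encapsulation copies the inner DSCP into the outer header by default, the egress remark touches only the outer header (AF41 as on the slide), and decapsulation returns the inner packet untouched. The ESP layer is reduced to an outer IPv4 header with the inner packet as payload and no encryption, so only the header handling is real; addresses and payloads are constructed.

```python
"""Added example, not Cisco code: a byte-level model of the DSCP handling in the
QoS design above. The inner IPv4 header carries CS5; tunnel-mode encapsulation
copies the inner DSCP to the outer header by default; the egress policy remarks
only the outer (top-most) header, here to AF41 as on the slide; decapsulation
returns the inner packet untouched. ESP is reduced to an outer IPv4 header with
the inner packet as payload and no encryption, so only the header handling is
real. Addresses and payloads are constructed."""
import struct

CS5, AF41, ESP = 40, 34, 50        # DSCP code points (RFC 2474/2597) and IP protocol 50


def checksum(header):
    """RFC 1071 one's-complement sum over an IPv4 header (even length assumed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _with_checksum(head):
    """Zero the checksum field, compute it, and write it back at bytes 10-11."""
    return head[:10] + struct.pack("!H", checksum(head[:10] + b"\0\0" + head[12:])) + head[12:]


def ipv4(src, dst, proto, dscp, payload, ecn=0):
    """Minimal 20-byte IPv4 header; the TOS byte is DSCP << 2 | ECN."""
    tos = (dscp << 2) | (ecn & 0x3)
    head = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0x4000, 64,
                       proto, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return _with_checksum(head) + payload


def dscp_of(pkt):
    """DSCP is the top six bits of the TOS byte (byte 1)."""
    return pkt[1] >> 2


def set_dscp(pkt, dscp):
    """Rewrite only the six DSCP bits, preserving the two ECN bits, then re-checksum."""
    tos = (dscp << 2) | (pkt[1] & 0x3)
    return _with_checksum(pkt[:1] + bytes([tos]) + pkt[2:20]) + pkt[20:]


def tunnel_encap(inner, outer_src, outer_dst, copy_dscp=True):
    """IPsec tunnel-mode encapsulation. The default copies the inner DSCP into
    the outer header, which is what lets the SP honour class of service on
    traffic it cannot inspect; copy_dscp=False models an outer header left at DF (0)."""
    return ipv4(outer_src, outer_dst, ESP, dscp_of(inner) if copy_dscp else 0, inner)


def egress_remark(pkt, dscp):
    """The slide's egress step: the interface policy's 'set ip dscp' acts on the
    encapsulated packet, i.e. on the outer header only."""
    return set_dscp(pkt, dscp)


def tunnel_decap(pkt):
    """Strip the outer header; the inner header still carries its original DSCP."""
    if pkt[9] != ESP:
        raise ValueError("not an ESP-encapsulated packet")
    return pkt[20:]


if __name__ == "__main__":
    inner = ipv4("10.1.1.10", "10.2.2.20", 17, CS5, b"voice")
    outer = tunnel_encap(inner, "198.51.100.11", "203.0.113.1")
    marked = egress_remark(outer, AF41)
    print(dscp_of(inner), dscp_of(outer), dscp_of(marked), dscp_of(tunnel_decap(marked)))
```

The practical caveat this makes visible: the provider sees and acts on the outer DSCP only, so an egress remark is the right place to translate the enterprise marking scheme into each SP's class-of-service scheme without touching the marking the far-end router will see after decapsulation.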
Add WAN Optimization: Speed and Bandwidth Benefits on Top of the IWAN
[Figure: branch (WAAS Express, vWAAS) and DC/headquarters (AppNav-XE controller, CSR, WAVE pool) across the WAN, accelerating any TCP connection for a proliferation of devices accessing the private cloud.]
Faster applications, more users, less bandwidth
• 90% HD video optimization and better user experience
• Twice as many Citrix users over the same WAN, 70% faster
• Toyota: ROI in less than one year, 65% BW cost savings
Easy to deploy
• Works with existing branch routers (and the existing AX license)
Scalable
• AppNav controller and WAVE pool are scalable
• Native HA capability

Secure Internet Access

Securing the IWAN: IPsec VPN and Firewall
• Step 1: Secure transport – IPsec with DMVPN overlay
– Secure transport-independent overlay
– Add strong cryptography: IKEv2 + AES-GCM 256
• Step 2: Threat defense – IOS zone-based firewall – minimize exposure
– DHCP addressing for Internet and tunnel interfaces
– Don't put tunnel addresses into DNS
• Step 3: Choose your performance level – size the router based on encryption with services and WAN bandwidth
– Head-end: ASR1000 or ISR4451X
– Branch: ISR-G2
[Figure: branch ISR-G2 over DSL (ISP A) and cable (ISP C) to data center ASR 1000s.]

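A check for the points of Step 1 and Step 2 above, together with the "Internet security" item of the transport best-practices slide (access lists that permit only DMVPN tunnel traffic), as an added example that is not Cisco code: a small linter over IOS-style configuration text that flags an IKEv1-only or non-GCM crypto setup, a DMVPN tunnel without tunnel protection, a static address on the Internet-facing interface, and WAN access-list entries that admit more than IKE, NAT-T, ESP and DHCP. The weak and hardened configurations are constructed samples with the IKEv2 profile, keyring and IPsec profile lines omitted; the checks cover only the keywords shown and assume the tunnel source interface is the Internet-facing one.

```python
"""Added example, not Cisco code: a checker for the transport-security points on
this slide and on the transport best-practices slide (IKEv2 with AES-GCM-256,
tunnel protection on every DMVPN tunnel, DHCP on the Internet-facing interface,
an inbound WAN access list that admits only DMVPN tunnel traffic). The two configs
are constructed samples with keyring/profile lines omitted; the checks cover only
the keywords shown and assume the tunnel source is the Internet interface."""

# Inbound on the Internet interface: IKE (UDP 500), NAT-T (UDP 4500), ESP, DHCP replies.
ALLOWED = {("udp", "isakmp"), ("udp", "non500-isakmp"), ("esp", ""), ("udp", "bootpc")}


def parse(text):
    """IOS-style config -> [(header, [child lines])]; indentation marks children."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def audit(text):
    """Return findings; an empty list means every check passed."""
    blocks, findings = parse(text), []
    proposals = [b for b in blocks if b[0].startswith("crypto ikev2 proposal")]
    if not proposals:
        findings.append("no IKEv2 proposal configured")
    for hdr, body in proposals:
        if not any(ln.startswith("encryption") and "aes-gcm-256" in ln for ln in body):
            findings.append(f"{hdr}: encryption is not aes-gcm-256")
    if any(b[0].startswith("crypto isakmp policy") for b in blocks):
        findings.append("IKEv1 (crypto isakmp policy) still configured")
    acls, wan = {}, set()
    for hdr, body in blocks:
        if hdr.startswith("crypto ipsec transform-set") and "esp-gcm" not in hdr:
            findings.append(f"{hdr}: transform set is not AES-GCM")
        elif hdr.startswith("ip access-list extended"):
            acls[hdr.split()[-1]] = body
        elif hdr.startswith("interface Tunnel"):
            if not any(ln.startswith("tunnel protection ipsec profile") for ln in body):
                findings.append(f"{hdr}: no tunnel protection (cleartext mGRE)")
            wan.update(ln.split()[-1] for ln in body if ln.startswith("tunnel source"))
    for hdr, body in blocks:
        if not hdr.startswith("interface") or hdr.split()[1] not in wan:
            continue
        if "ip address dhcp" not in body:
            findings.append(f"{hdr}: static address on the Internet-facing interface")
        inbound = [ln.split()[2] for ln in body if ln.startswith("ip access-group") and ln.endswith(" in")]
        if not inbound:
            findings.append(f"{hdr}: no inbound access list")
            continue
        for entry in acls.get(inbound[0], []):
            words = entry.split()
            if words[0] != "permit":
                continue
            eqs = [i for i, w in enumerate(words) if w == "eq"]
            dst_port = words[eqs[-1] + 1] if eqs else ""   # last 'eq' is the destination port
            if (words[1], dst_port) not in ALLOWED:
                findings.append(f"{inbound[0]}: '{entry}' admits more than DMVPN tunnel traffic")
    return findings


WEAK = """\
crypto isakmp policy 10
 encr aes 256
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
interface Tunnel10
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
interface GigabitEthernet0/0
 ip address 198.51.100.11 255.255.255.0
 ip access-group ACL-INET-PUBLIC in
ip access-list extended ACL-INET-PUBLIC
 permit udp any any eq isakmp
 permit esp any any
 permit tcp any any eq 22
"""

HARDENED = """\
crypto ikev2 proposal IWAN-GCM
 encryption aes-gcm-256
 prf sha512
 group 19
crypto ipsec transform-set IWAN-GCM esp-gcm 256
interface Tunnel10
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
interface GigabitEthernet0/0
 ip address dhcp
 ip access-group ACL-INET-PUBLIC in
ip access-list extended ACL-INET-PUBLIC
 permit udp any eq bootps any eq bootpc
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
"""
```

Running audit() over WEAK reports six findings (no IKEv2 proposal, IKEv1 still present, a non-GCM transform set, an unprotected tunnel, a static WAN address and the SSH permit); HARDENED reports none. The "hub tunnel address not in DNS" point of the slide is not a property of the router configuration and has to be checked against the DNS zone instead.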
Intelligent WAN – Direct Internet Access
[Figure: branch connected over MPLS (IP-VPN) to the private cloud and virtual private cloud, and over direct Internet access to the public cloud.]
• Leverage the local Internet path for public cloud and Internet access
• Improve application performance (right flows to right places)

Add Network-Integrated Threat Defense: IOS Zone-Based Firewall
[Figure: branch ISR-G2 over DSL (ISP A) and cable (ISP C) to data center ASR 1000s.]
• Control the perimeter:
– External and internal protection: the internal network is no longer trusted
– Protocol anomaly detection and stateful inspection
• Communicate securely:
– Call flow awareness (SIP, SCCP, H.323)
– Prevent DoS attacks
• Flexible:
– Split tunnel for branch/remote office/store/clinic
– Internal firewall for international or untrusted locations/segments; addresses regulatory compliance
• Integrated:
– No need for additional devices, expenses and power
– Works with other Cisco services: SRE, ScanSafe, WAAS Express
• Manageable:
– Supports CLI, SNMP, CCP and CSM
– Supports Cisco Configuration Engine

Secure Internet Access with Cisco Cloud Web Security (CWS)
Secure public cloud and Internet access
[Figure: branch with WAN1 (IP-VPN) carrying the IWAN IPsec VPN to the private cloud and WAN2 (Internet) to the public cloud; the IOS firewall protects the Internet edge and the ISR connector sends web traffic to the CWS towers.]
• ISR connector to CWS towers
• Web filtering, access policy, malware detection
• IWAN IPsec VPN for private cloud traffic
• IOS firewall to protect the Internet edge

Cisco ISR CWS Connector: How It Works
[Figure: branch ISR G2 with a DSL interface; HQ routes and HQ traffic use the WAN tunnel over MPLS (IP-VPN) to the private and virtual private cloud; the default route sends Internet traffic through the CWS connector to the public cloud and Internet.]
Cisco ISR G2 with CWS cloud connector functions:
• Authenticate router and client to the CWS cloud
• Intercept HTTP/HTTPS traffic based on ACL filters
• Add a user credentials header for identifying the policy to be applied
• Traffic relay: replace the client source IP address with the egress address
• Redirect to CWS for scanning
• Act as HTTP proxy to complete requests
• Allow/block or warn based on user or group policy
• Scan for malware

IWAN Management

Cisco IWAN Management
Specialized management (cloud-based management): automates deployment and lifecycle management
• Speed: eliminates manual building of WANs
• Agility: quick configuration updates and IOS upgrades
• Dynamic: compatible with onePK for app-aware WANs
• Reduced OPEX: automated WAN orchestration
• Cost savings: centralized hybrid WAN management
Application-aware network performance management
• Integrates with Cisco Application Visibility and Control
• Monitor and analyze app-level traffic
• End-to-end flow visualization
• Troubleshoots hop-by-hop to pinpoint the source
• Fix and verify QoS and apps in real time
On-prem management (Cisco Prime): enterprise and integrator lifecycle management
• Lifecycle: simplified deployment and configuration
• Configuration: Plug and Play deployment automation
• Health assurance: improved application delivery
• Compliance: regulatory requirements and best practices

Cisco APIC – Enterprise Module Architecture
• Abstracts network devices to mask complexity: treats the network as a system
• Exposes network intelligence for business innovation
[Figure: Cisco APIC Enterprise Module with a network information database, policy infrastructure automation and QoS, exposing a REST API northbound to third parties and driving network devices (Catalyst, ASR, ISR) southbound via CLI, OpenFlow and the onePK API.]

Summary

Why Cisco IWAN
Proven security at scale
• Any-to-any security
• Protect all branch resources
• Secure Direct Internet Access
Unmatched context-based routing
• App-aware
• Endpoint-aware
• Network-aware
Quick ROI, faster than alternatives
• Savings enable business innovation
• Many pay off in …
• Up to … in savings
Granular control everywhere: an integrated platform for IT simplicity
• Branch: ISR-AX
• DC: ASR1K-AX
• Cloud: CSR1000V
The alternative: overlay appliances for application visibility and control, IPsec VPN, WAN optimization, firewall and WAN path selection, each alongside the router

Start with Cisco AX Routers: IWAN Capabilities Embedded in the Router
[Figure: ISR-AX at the branch and ASR1000-AX at the data center: one network with unified services.]
• Transport independent
• Secure routing
• Simplify application delivery: visibility, control, optimization
Cisco AX routers: 3900 | 2900 | 1900 | 800 | 4451 | ASR1002-X

• Thank you!
• Please complete the post-event survey
• Join us for upcoming webinars. Register: www.cisco.com/go/techadvantage
• Follow us @GetYourBuildOn