Intelligent WAN (IWAN) Architectures

Date post: 18-Jul-2015
Upload: cisco-public-sector
Page 1: Intelligent WAN (IWAN) Architectures
Page 2: Intelligent WAN (IWAN) Architectures

Intelligent WAN (IWAN) Architecture

Peyton Schouest

Systems Engineer

Page 3: Intelligent WAN (IWAN) Architectures

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda
•  Intelligent WAN Overview
•  Transport Independent Design
•  Intelligent Path Control
•  Application Optimization
•  Secure Connectivity
•  IWAN Management
•  IWAN Portfolio
•  Summary

Page 4: Intelligent WAN (IWAN) Architectures

Emerging Branch Demands: Application Landscape is Changing

Applications Are Moving to the Data Center and Cloud; Internet Edge Is Moving to the Branch (Branch, Cloud, Data Centers)

Pressures on the WAN:
•  Cloud: 50% of CIOs Expect to Operate via the Cloud by 2015
•  Mobility: 6X More Mobile Data Traffic by 2015
•  Fat Apps: 2/3 of Mobile Traffic Will Be Video

Page 5: Intelligent WAN (IWAN) Architectures

Enterprise WAN - What’s Going on?

•  WAN bandwidth needs are growing!
   –  Cloud, BYOD/IoE and Video are making it worse
•  IT budgets flat or declining
   –  Transport/bandwidth costs are the majority of the WAN budget
•  These factors are driving WAN modernization
   –  Lower cost transports – Internet, LTE, Carrier Ethernet
   –  Cloud application performance monitoring and optimization
   –  Security – strong encryption and threat protection

Cisco IWAN is addressing this market demand!

Cloud: 50% of CIOs Expect to Operate via the Cloud by 2015
Mobility: 6X More Mobile Data Traffic by 2015
Fat Apps: 2/3 of Mobile Traffic Will Be Video

Page 6: Intelligent WAN (IWAN) Architectures

Third-Party Lab Test: Chromebook vs. Windows 8 Laptop

Chromebook creates more traffic than Windows PC
•  Chromebook creates as high as 692.2 times more network traffic
•  On average, Chromebook creates 152 times more network traffic

http://principledtechnologies.com/Microsoft/Chromebook_PC_network_traffic_0613.pdf

[Figure: network traffic generated per task (Document Manipulation, Photo Manipulation, Video Manipulation, Music Manipulation, Web Browsing, Note Taking, Test Taking), Chromebook vs. Asus VivoBook S200E Notebook Running Microsoft Windows 8]

Page 7: Intelligent WAN (IWAN) Architectures


Internet Becoming an Extension of Enterprise WAN

Commodity Transports Viable Now

Dramatic Bandwidth, Price Performance Benefits

Higher Network Availability

Improved Performance Over Internet

Page 8: Intelligent WAN (IWAN) Architectures

Low-Cost Alternative: Why is the Internet viable now?

46% of Organizations Are Planning to Transition to Internet Connections

[Figure: Internet Pricing vs. Reliability, 1998-2012]

1 Internet Transit Pricing based on surveys and informal data collection primarily from Internet Operations Forums—‘street pricing’ estimates
2 Packet delivery based on 15 years of ping data from PingER for WORLD (global server sample) from EDU.STANFORD.SLAC in California
Source: William Norton (DrPeering.net); Stanford ping end-to-end reporting (PingER)

Page 9: Intelligent WAN (IWAN) Architectures

Leveraging the Internet Pays Off Fast

EXAMPLE: San Francisco Single MPLS VPN vs. Dual Business Internet ($ per Month)

[Figure: monthly price per site at 1.5 Mbps and 10 Mbps for iWAN (Dual Internet Links Combined for Ent SLA) versus MPLS VPN CoS3, MPLS VPN CoS2 and MPLS VPN CoS1; values on the chart: $220, $140, $830, $260, $885, $274, $1,014, $303]

$665 Savings/Month x 12 Months x 1,000 Sites = $8M Savings per Year (-75%)

Source: Telegeography MPLS VPN pricing for San Francisco as of March 2013; Comcast Web site; Verizon website

Page 10: Intelligent WAN (IWAN) Architectures

Intelligent WAN: Leveraging the Internet
Secure WAN Transport and Internet Access

[Figure: Branch with Optimized Secure Transport over MPLS (IP-VPN) and Internet to Private Cloud and Virtual Private Cloud, and Direct Internet Access to Public Cloud]

1.  IWAN Secure transport for private and virtual private cloud access
2.  Leverage local Internet path for public cloud and Internet access

!  Increase WAN transport capacity and app performance cost effectively!
!  Improve application performance (right flows to right places)

Page 11: Intelligent WAN (IWAN) Architectures

Intelligent WAN: Leveraging the Internet
So What is New Here?

[Figure: Branch with Optimized Secure Transport over MPLS (IP-VPN) and Internet to Private Cloud and Virtual Private Cloud, and Direct Internet Access to Public Cloud]

1.  IWAN Secure transport for private and virtual private cloud access
2.  Leverage local Internet path for public cloud and Internet access

!  Increase WAN transport capacity and app performance cost effectively!
!  Improve application performance (right flows to right places)

What is new:
•  Mixed transport WANs with High Reliability
•  SLOs for Business-Critical Applications
•  Centralized Security Policy for Internet Access
•  Dramatically Lower WAN Costs Without Compromise

Page 12: Intelligent WAN (IWAN) Architectures

Intelligent WAN Deployment Models

Dual MPLS (Branch with two MPLS transports to the Enterprise, plus Public Internet)
✓  Highest SLA guarantees
–  Tightly coupled to SP
✗  Expensive

Hybrid: MPLS + Internet
✓  More BW for key applications
✓  Balanced SLA guarantees
–  Moderately priced

Dual Internet
✓  Best price/performance
✓  Most SP flexibility
–  Enterprise responsible for SLAs

Consistent VPN Overlay Enables Security Across Transition

Page 13: Intelligent WAN (IWAN) Architectures

Intelligent WAN Solution Components

[Figure: Branch connected over MPLS, Internet and 3G/4G-LTE to Private Cloud, Virtual Private Cloud and Public Cloud, with AVC, WAAS and PfR at the edge]

Transport Independent
•  Consistent operational model
•  Simple provider migrations
•  Scalable and modular design
•  IPsec routing overlay design

Intelligent Path Control
•  Dynamic Application best path based on policy
•  Load balancing for full utilization of bandwidth
•  Improved availability

Application Optimization
•  Application visibility with performance monitoring
•  Application acceleration and bandwidth optimization

Secure Connectivity
•  Certified strong encryption
•  Cloud Managed Security for secure direct Internet access
•  Comprehensive threat defense

Control & Management with Automation

Page 14: Intelligent WAN (IWAN) Architectures

IWAN Vision and Strategy

[Figure: roadmap phases, read left to right]
•  Intelligent Virtualization: Secure VPN Overlay, Any Transport, Bandwidth Efficiency, Application SLA
•  Automation: Secure, Simple, Centralized Policy Automation
•  Cloud Integration: ACI Policies, Inter-Cloud Mobility, Optimization, AMP
•  Service Virtualization: vRouter, vService and App Orchestration
•  Self Learning Networks: Predictive, Self Directed

Page 15: Intelligent WAN (IWAN) Architectures

IWAN Vision and Strategy: Systems Development evolution of IWAN Framework

Phases: Intelligent Virtualization, Automation, Cloud Integration, Service Virtualization, Self Learning Networks

IWAN Framework pillars:
•  Transport Independent Design
•  Intelligent Path Control
•  Application Optimization
•  Secure Connectivity
•  Management & Orchestration

Incremental improvements while delivering new use-cases

Page 16: Intelligent WAN (IWAN) Architectures

IWAN: An Architectural and Systems Approach

•  IWAN is a Solution Architecture
   –  Solves a network problem
   –  Use Case Driven
   –  Systems Development Approach
•  Prescribed. Tested. Interoperable.
   –  Bounded Scope and Complexity
   –  Enables Automation and Quality
•  Delivers Business Outcomes
   –  Reduce Operational Complexity
   –  Reduce WAN costs, Increase bandwidth
   –  Improve Application Performance
   –  Direct Internet Access
   –  Guest Access Offload

Page 17: Intelligent WAN (IWAN) Architectures

IWAN Roadmap Overview

                           IWAN 1.0 Intelligent Virtualization       | IWAN 2.0 Automation (Q4 CY2014) (New)
Domain Scale               Hundreds of Branches                      | Large Scale (2000 Branches)
Transport Independence     Secure VPN Overlay (DMVPN Phase 2)        | VPN Scalability (DMVPN Phase 3)
Intelligent Path Control   2nd Generation Path Control – PfRv2       | Simplified Path Control – PfRv3 (Centralized Provisioning, Large Scale)
Application Optimization   AVC; WAAS                                 | Adaptive AVC (Performance Optimization); Adv. QoS (Adaptive Shaping, Local Admission); Akamai Connect
Secure Connectivity        IPSec Suite-B crypto; IOS ZBFW Firewall   | Cloud Web Security (CWS); Key Management Automation (PKI Certificate/Trust Automation)
Management                 Cisco Prime; LiveAction; Glue Networks    | Prime Infrastructure 2.2: Transport Ind. Design (DMVPN), Application Optimization (AVC), Automated Deployment Workflow Wizards; APIC-EM EFT: PKI Automation, Site-by-Site Provisioning CVD-based: QoS, AVC, PfR

Page 18: Intelligent WAN (IWAN) Architectures

Transport-Independent Design Virtualizing the Enterprise WAN

Page 19: Intelligent WAN (IWAN) Architectures

Flexible, Secure IWAN Over Any Transport
Simplifies WAN Design; Dynamic Full-Meshed Connectivity; Proven Robust Security

Flexible
•  Easy multi-homing over any WAN service offering
•  Single routing control plane with minimal peering to the provider
•  Consistent design over all transports

Secure
•  Automatic site-to-site IPsec tunnels
•  Zero-touch hub configuration for new spokes
•  Certified crypto and firewall for compliance
•  Scalable design with high-performance cryptography in hardware

[Figure: Transport-Independent WAN: Branch ISR-G2 over Internet and MPLS to a Data Center ASR 1000 pair]

Page 20: Intelligent WAN (IWAN) Architectures

IWAN Transport Independent Design with Dynamic Multipoint VPN (DMVPN)

•  Proven IPsec VPN technology
   –  Widely deployed, large scale
   –  Standards based IPsec and Routing
   –  Adv QoS: hierarchical, per tunnel and adaptive
•  Flexible & Resilient
   –  Over any transport: MPLS, Carrier Ethernet, Internet, 3G/4G, ...
   –  Hub-and-Spoke and Spoke-to-Spoke Topologies
   –  Multiple encryption, key management, routing options
   –  Multiple redundancy options: platform, hub, transports
•  Secure
   –  Industry Certified IPsec and Firewall
   –  NG Strong Encryption: AES-GCM-256 (Suite B)
   –  IKE Version 2
   –  IEEE 802.1AR Secure unique device identifier
•  Simplified IWAN Deployments
   –  Prescriptive validated IWAN designs
   –  Automated provisioning – Prime, APIC, Glue

[Figure: IWAN HYBRID: Branch with DMVPN Purple over Internet (ISP A) and DMVPN Orange over MPLS (SP V) to the Data Center]

Page 21: Intelligent WAN (IWAN) Architectures

Dynamic Multipoint VPN (DMVPN)

•  Branch spoke sites establish an IPsec tunnel to and register with the hub site
•  IP routing exchanges prefix information for each site
•  BGP or EIGRP are typically used for scalability
•  Only the WAN IP addresses need to be known by the WAN transport
•  WAN interface IP address can be used for the tunnel source address
•  Data traffic flows over the DMVPN tunnels
•  When traffic flows between spoke sites, dynamic site-to-site tunnels are established
•  Per-tunnel QoS is applied to prevent hub site oversubscription to spoke sites

SECURE ON-DEMAND TUNNELS
[Figure: Hub (ASR 1000) with IPsec VPN to Branch 1, Branch 2 ... Branch n (ISR G2); Traditional Static Tunnels use Static Known IP Addresses, DMVPN On-Demand Tunnels use Dynamic Unknown IP Addresses]

Page 22: Intelligent WAN (IWAN) Architectures

Hybrid WAN Designs: Traditional and IWAN

TRADITIONAL HYBRID (Branch ISR-G2 with GETVPN over MPLS (SP V) and DMVPN over Internet (ISP A), Data Center ASR 1000 pair)
•  Two IPsec Technologies: GETVPN/MPLS, DMVPN/Internet
•  Two WAN Routing Domains: MPLS: eBGP or Static; Internet: iBGP, EIGRP or OSPF; Route Redistribution, Route Filtering, Loop Prevention
•  Active/Standby WAN Paths: Primary With Backup

IWAN HYBRID (Branch ISR-G2 with DMVPN over MPLS (SP V) and DMVPN over Internet (ISP A), Data Center ASR 1000 pair)
•  One IPsec Overlay: DMVPN
•  One WAN Routing Domain: iBGP, EIGRP, or OSPF; Minimal route filtering
•  Active/Active WAN Paths

Page 23: Intelligent WAN (IWAN) Architectures

IWAN Transport Independence: Consistent deployment models simplify operations

[Figure: three deployment models, each with a Branch ISR-G2, two DMVPN overlays and a Data Center ASR 1000 pair]
•  IWAN HYBRID: DMVPN over Internet (ISP A) and DMVPN over MPLS (SP V)
•  IWAN DUAL INTERNET: DMVPN over Internet (ISP A, DSL) and DMVPN over Internet (ISP C, Cable)
•  IWAN DUAL MPLS: DMVPN over MPLS (ISP A) and DMVPN over MPLS (SP V)

Page 24: Intelligent WAN (IWAN) Architectures

IWAN Self, Integrator, or Provider Managed

[Figure: two IWAN HYBRID topologies (Branch ISR-G2, DMVPN over Internet and MPLS, Data Center ASR 1000 pair); in one the routers are managed by Self or Integrator, in the other by an MSP, with ISP A DSL and ISP C Cable transports]

Managed Service Provider
•  Hybrid Model Typical
•  Increases HA Diversity
•  Competitive Service Offering

Self/Integrator Managed
•  Hybrid or Internet Models
•  Ownership of Service Levels
•  Competitive Provider Selection

Page 25: Intelligent WAN (IWAN) Architectures

What if the CPE is Owned and Managed by an MSP? ISR-AX – IWAN Services Gateway

•  Lower cost than overlay appliances
•  Integrated services gateway incl. AX, SEC, UC, Compute
•  Internet path for extra capacity
•  Direct Internet Access for improved SaaS Cloud performance

[Figure: Branch ISR-AX (AVC, WAAS, PfR) behind the MSP router (MSP-RT) on MPLS and the ISP router (ISP-RT) on the Internet, to the Data Center ASR 1000 WAN edge]

Page 26: Intelligent WAN (IWAN) Architectures

Building Highly Resilient WANs: Redundancy and Path Diversity Matter

SINGLE ROUTER, SINGLE PATH (ISR G2 with MPLS, or ISR G2 with Internet)
•  MPLS: 99.95%*, Downtime per Year 4–9 Hours
•  Internet: 99.90%*, Downtime per Year 8 Hours 46 Minutes

SINGLE ROUTER, DUAL PATHS (ISR G2 with MPLS + MPLS, MPLS + Internet, or Internet + Internet)
•  99.995%, Downtime per Year 26 Minutes

DUAL ROUTERS, DUAL PATHS (IWAN Solution: two ISR G2 with MPLS + Internet, Internet + Internet, or MPLS + MPLS)
•  99.999%, Downtime per Year 5 Minutes

* Typical MPLS and Business Grade Broadband Availability SLAs and Downtime per Year, calculated with Cisco AS DAAP tool.
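The downtime figures on this slide follow from the availability percentages; the block below (an added example, not the Cisco AS DAAP tool, whose model is not on the page) converts availability to downtime per year and composes per-link availabilities with the textbook series/parallel formulas, which assume independent failures.

```python
"""Availability arithmetic behind the redundancy slide.

Added example, not Cisco's DAAP tool. The slide's composed figures come from
that tool, whose inputs (router MTBF/MTTR, repair times, etc.) are not on the
page. This block converts an availability percentage into downtime per year
and composes component availabilities with the textbook series/parallel
formulas, which assume independent failures.
"""

MINUTES_PER_YEAR = 365 * 24 * 60


def downtime_minutes_per_year(availability):
    """Expected minutes per year a component with this availability is down."""
    if not 0.0 <= availability <= 1.0:
        raise ValueError("availability must be a fraction between 0 and 1")
    return (1.0 - availability) * MINUTES_PER_YEAR


def format_downtime(minutes):
    """Render minutes as 'H h M min' (or 'M min' under an hour)."""
    hours, mins = divmod(round(minutes), 60)
    return f"{hours} h {mins} min" if hours else f"{mins} min"


def series(*availabilities):
    """All components must be up: multiply the availabilities."""
    result = 1.0
    for a in availabilities:
        result *= a
    return result


def parallel(*availabilities):
    """Any one component up is enough: 1 - product of the unavailabilities."""
    unavailable = 1.0
    for a in availabilities:
        unavailable *= 1.0 - a
    return 1.0 - unavailable


# Slide figures: MPLS 99.95%, business broadband 99.90% (per-transport SLAs).
MPLS = 0.9995
INTERNET = 0.9990


def single_router_single_path(router, path):
    """Router and its one transport are in series."""
    return series(router, path)


def single_router_dual_path(router, path_a, path_b):
    """One router (series) in front of two transports (parallel)."""
    return series(router, parallel(path_a, path_b))


def dual_router_dual_path(router_a, path_a, router_b, path_b):
    """Two independent router+transport chains; the site is up if either is."""
    return parallel(series(router_a, path_a), series(router_b, path_b))


if __name__ == "__main__":
    for label, a in (("MPLS", MPLS), ("Internet", INTERNET),
                     ("dual path", 0.99995), ("dual router", 0.99999)):
        print(f"{label:12s} {a:.5%} -> {format_downtime(downtime_minutes_per_year(a))}")
    # With ideal routers and independent transports, MPLS + Internet in parallel
    # comes out far above the slide's 99.995%; the gap is what the tool's router
    # and operational factors account for.
    print(f"parallel(MPLS, Internet) = {parallel(MPLS, INTERNET):.7%}")
```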

Page 27: Intelligent WAN (IWAN) Architectures

Traditional to IWAN Transition: Migration Steps

•  ADDING DMVPN TO MPLS WAN
•  REPLACING A WAN SERVICE WITH AN INTERNET SERVICE
•  OTHER INTERESTING IWAN TOPOLOGIES

[Figure: migration steps 0 to 5, each a Branch ISR G2 topology combining MPLS, Internet and 3G/4G-LTE transports]

* Typical MPLS and Business Grade Broadband Availability SLAs and Downtime per Year.

Page 28: Intelligent WAN (IWAN) Architectures

IWAN Automated Secure VPN

[Figure: Intelligent Branch, Large Site and Campus AX routers with Embedded Trust Devices connect over ISP, MPLS, 4G and Metro-E to a Resilient WAN POP in the Enterprise WAN Core and DC; APIC and an Optional External Certificate Authority sit in the core]

•  Secure Boot Strap
•  Automatic Configuration and Trust Establishment
•  Dynamic VPN Establishment
•  Key and Certificate Controller (IWAN App, Prime, 3rd Party): Deploy, Search, Retrieve, Revoke
•  Configuration Orchestration
•  Automatic Session Key Refresh (IKEv2)
•  Trust Revocation

1H2015

Page 29: Intelligent WAN (IWAN) Architectures

IWAN Transport Best Practices

•  Private peering with Internet providers
   –  Use same Internet provider for hub and spoke sites
   –  Avoids Internet Exchange bottlenecks between providers
   –  Reduces round trip latency
•  DMVPN Phase 3
   –  Scalable dynamic site-to-site tunnels
   –  Separate DMVPN per transport for path diversity
   –  Per tunnel QoS
   –  NG Encryption – IKEv2 + AES-GCM-256 encryption
•  Transport settings
   –  Use the same MTU size on all WAN paths
   –  Bandwidth settings should match offered rate
•  Routing Overlay
   –  iBGP or EIGRP for high scale (1000+ sites)
   –  Single routing process, simplified operations
   –  Front-side VRF to isolate external interfaces

[Figure: IWAN HYBRID: Branch with DMVPN Purple over Internet (ISP A) and DMVPN Green over MPLS (SP V) to the Data Center]

Page 30: Intelligent WAN (IWAN) Architectures

Intelligent Path Control Improving Application Delivery and WAN Efficiency

Page 31: Intelligent WAN (IWAN) Architectures

Getting the Most Out of Your WAN Investment: Benefits of Intelligent Path Control

[Figure: Data Center ASR 1000 pair to Branch ISR G2 over MPLS and Internet, with WAAS, PfR and AVC]

•  Enabling Internet-Based WANs
•  Efficient Distribution of Traffic Based Upon Load, Circuit Cost, and Path Preference
•  Per Application Best Path Based on Delay, Loss, Jitter Measurements
•  Protection From Carrier Black Holes and Brownouts

Lower WAN Costs
Full Utilization of WAN Bandwidth
Improved Application Performance
Higher Application Availability

Page 32: Intelligent WAN (IWAN) Architectures

Intelligent Path Control with PfR: Voice and Video Use-Case

[Figure: Branch over MPLS and Internet to Private Cloud and Virtual Private Cloud]

•  PfR monitors network performance and routes applications based on application performance policies
•  PfR load balances traffic based upon link utilization levels to efficiently utilize all available WAN bandwidth

Voice/Video take the best delay, jitter, and/or loss path; Voice/Video will be rerouted if the current path degrades below policy thresholds; other traffic is load balanced to maximize bandwidth

Page 33: Intelligent WAN (IWAN) Architectures

What is Performance Routing (PfR)?

[Figure: Branch (MC+BR) over DSL and Cable to Data Center (MC with two BRs)]

“Performance Routing (PfR) provides additional intelligence to classic routing to track and verify the performance quality of a path between two devices over a Wide Area Networking (WAN) to determine the best path for application traffic....”

•  Cisco IOS technology
•  Two components: Master Controller, Border Router

Page 34: Intelligent WAN (IWAN) Architectures

PfR Enhances Classical Routing

Classical
•  PATH CONTROL: Topological state; Least cost path; Static user preference
•  METRICS: Path cost; Interface state
•  ADAPTIVE: Responds To: Link and node state changes (up/down)

+ PfR
•  PATH CONTROL: Application-aware; Policy controlled; Measured performance
•  METRICS: Delay; Jitter; Bandwidth
•  ADAPTIVE: Responds To: Measured performance changes (degradation)

Page 35: Intelligent WAN (IWAN) Architectures

Protecting Critical Applications While Increasing Bandwidth Utilization

Multimedia and Critical Data Policy (SP1 (MPLS) and ISP (FTTH))
•  Protect voice and video quality: Latency < 150 ms, Jitter < 20 ms
•  Protect Email applications from WAN congestion: Loss < 5%
•  Voice and video preferred path SP1
•  Email preferred path ISP
•  Increase utilization by load sharing
[Figure: High Jitter Detected on the path carrying Voice and Video; Email and Best-Effort Traffic on the other path]

Business App and Load-Balancing Policy (SP1 (MPLS) and ISP (DSL))
•  Protect transactional business app from brownouts: delay < 250ms
•  Preferred path SP1 (MPLS)
•  Increase WAN bandwidth efficiency by load-sharing traffic over all WAN paths, MPLS + Internet
[Figure: 300ms Delay Detected on the path carrying the Business App; Best-Effort Traffic on the other path]
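The two policies above amount to a decision rule: keep a class on its preferred path while measurements meet its thresholds, move it when they do not. The block below models that rule with the slide's thresholds; it is an added example, not Cisco's PfR code, and the path names SP1/ISP, the measurement samples and the tie-break between alternates are assumptions.

```python
"""PfR-style policy path selection for the two policy slides.

Added example; a model of the decision the slides describe, not Cisco's PfR
implementation. Thresholds and preferred paths are the slides'; the path
names SP1/ISP, the measurement samples and the tie-break used to pick an
alternate path are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    preferred: str
    max_delay_ms: Optional[float] = None
    max_jitter_ms: Optional[float] = None
    max_loss_pct: Optional[float] = None


@dataclass(frozen=True)
class PathMetrics:
    delay_ms: float
    jitter_ms: float
    loss_pct: float


# Slide thresholds: voice/video latency < 150 ms and jitter < 20 ms, preferred
# SP1; email loss < 5%, preferred ISP; business app delay < 250 ms, preferred SP1.
POLICIES = [
    Policy("voice-video", preferred="SP1", max_delay_ms=150, max_jitter_ms=20),
    Policy("email", preferred="ISP", max_loss_pct=5),
    Policy("business-app", preferred="SP1", max_delay_ms=250),
]


def violations(policy: Policy, m: PathMetrics) -> List[str]:
    """Names of the policy metrics the measured path fails ('< threshold' is in policy)."""
    out = []
    if policy.max_delay_ms is not None and m.delay_ms >= policy.max_delay_ms:
        out.append("delay")
    if policy.max_jitter_ms is not None and m.jitter_ms >= policy.max_jitter_ms:
        out.append("jitter")
    if policy.max_loss_pct is not None and m.loss_pct >= policy.max_loss_pct:
        out.append("loss")
    return out


def choose_path(policy: Policy, paths: Dict[str, PathMetrics]) -> Tuple[str, str]:
    """Return (path, reason): stay on the preferred path while it is in policy,
    otherwise move to the best in-policy alternate. With no alternate in policy
    the class stays put (assumption: the conservative choice)."""
    bad = violations(policy, paths[policy.preferred])
    if not bad:
        return policy.preferred, "preferred path within policy"
    alternates = [p for p, m in paths.items()
                  if p != policy.preferred and not violations(policy, m)]
    if alternates:
        # Tie-break (assumption): lowest delay, then jitter, then loss.
        best = min(alternates, key=lambda p: (paths[p].delay_ms, paths[p].jitter_ms,
                                              paths[p].loss_pct))
        return best, f"preferred path out of policy ({', '.join(bad)}); rerouted"
    return policy.preferred, f"out of policy ({', '.join(bad)}) but no alternate is in policy"


def decide_all(paths: Dict[str, PathMetrics]) -> Dict[str, str]:
    """Path chosen for every traffic class under the current measurements."""
    return {p.name: choose_path(p, paths)[0] for p in POLICIES}


# Constructed measurement samples (not from the slides).
NORMAL = {"SP1": PathMetrics(40, 5, 0.1), "ISP": PathMetrics(60, 8, 0.5)}
# The slides' brownout: "300ms Delay Detected" and "High Jitter Detected" on SP1.
SP1_BROWNOUT = {"SP1": PathMetrics(300, 25, 0.2), "ISP": PathMetrics(60, 8, 0.5)}
# Congested ISP: loss above the 5% email threshold.
ISP_LOSSY = {"SP1": PathMetrics(40, 5, 0.1), "ISP": PathMetrics(70, 9, 6.0)}

if __name__ == "__main__":
    for label, sample in (("normal", NORMAL), ("SP1 brownout", SP1_BROWNOUT),
                          ("ISP lossy", ISP_LOSSY)):
        for policy in POLICIES:
            path, why = choose_path(policy, sample)
            print(f"{label:13s} {policy.name:13s} -> {path:4s} ({why})")
```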

Page 36: Intelligent WAN (IWAN) Architectures

Load Balancing: Maximizing Link Utilization to Increase Available Bandwidth

•  External link Load Balancing by default
•  PfR distributes traffic across a set of links to maintain efficient utilization levels within a defined percentage range. Default utilization range is +/- 20%
•  External links can have different available bandwidth, e.g., Int 1/0 = 1.5Mbps, Int 1/1 = 15Mbps
•  Load Balancing defaults can be modified by CLI
   –  Utilization Range
   –  Max Utilization 90%

[Figure: Branch ISR-G2 over Internet and MPLS to a Data Center ASR 1000 pair; 50% of T1 = 750kbps, 50% of 15Mbps = 7.5Mbps]
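The range check and the unequal-bandwidth arithmetic on this slide, worked through as an added example (not PfR's own algorithm): it reports per-link utilization, flags a set whose utilizations differ by more than the range, and computes the load split that equalizes utilization; that equal-percentage split and the interface names are assumptions.

```python
"""PfR-style utilization range check and rebalancing plan.

Added example, not PfR's own algorithm. The slide gives the policy (keep link
utilization within a range, default +/- 20%, maximum utilization 90%, links of
unequal bandwidth such as 1.5 Mbps and 15 Mbps); the rebalance step below,
which spreads the offered load so every link carries the same utilization
percentage, is an assumption about how such a range is restored.
"""
from typing import Dict

DEFAULT_RANGE_PCT = 20.0     # slide: default utilization range +/- 20%
DEFAULT_MAX_UTIL_PCT = 90.0  # slide: max utilization 90%


def utilization_pct(load_kbps: float, bandwidth_kbps: float) -> float:
    if bandwidth_kbps <= 0:
        raise ValueError("link bandwidth must be positive")
    return 100.0 * load_kbps / bandwidth_kbps


def utilizations(links: Dict[str, float], loads: Dict[str, float]) -> Dict[str, float]:
    """Per-link utilization in percent; links and loads are keyed by interface name."""
    return {name: utilization_pct(loads.get(name, 0.0), bw) for name, bw in links.items()}


def within_range(links, loads, range_pct=DEFAULT_RANGE_PCT) -> bool:
    """True when the most and least utilized links differ by at most range_pct points."""
    u = list(utilizations(links, loads).values())
    return max(u) - min(u) <= range_pct


def rebalance(links, loads, max_util_pct=DEFAULT_MAX_UTIL_PCT) -> Dict[str, float]:
    """Target load per link (kbps) that gives every link the same utilization.

    Raises when the total offered load exceeds max_util_pct of the total
    bandwidth: no split of that load keeps the set under the ceiling."""
    total_bw = sum(links.values())
    total_load = sum(loads.values())
    target_util = total_load / total_bw
    if target_util * 100.0 > max_util_pct:
        raise ValueError(f"offered load is {target_util:.1%} of total bandwidth, "
                         f"above the {max_util_pct}% ceiling")
    return {name: target_util * bw for name, bw in links.items()}


# Slide's interfaces: Int 1/0 = 1.5 Mbps (T1), Int 1/1 = 15 Mbps.
LINKS = {"Int1/0": 1500.0, "Int1/1": 15000.0}

# Slide's balanced picture: 50% of T1 = 750 kbps, 50% of 15 Mbps = 7.5 Mbps.
BALANCED = {"Int1/0": 750.0, "Int1/1": 7500.0}
# Constructed skew: the T1 sits at 80% while the 15 Mbps link is at 10%.
SKEWED = {"Int1/0": 1200.0, "Int1/1": 1500.0}

if __name__ == "__main__":
    print(utilizations(LINKS, BALANCED), within_range(LINKS, BALANCED))
    print(utilizations(LINKS, SKEWED), within_range(LINKS, SKEWED))
    print(rebalance(LINKS, SKEWED))
```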

Page 37: Intelligent WAN (IWAN) Architectures

PfR Evolution—Simplification and Scale

PfR/OER
•  Internet Edge
•  Basic WAN
•  Provisioning per site per policy
•  1000s of lines of config

PfRv2
•  Policy simplification
•  App Path Selection
•  Blackout ~6s
•  Brownout ~9s
•  Scale 500 sites
•  10s of lines of config

PfRv3 (2014, IWAN 2.0)
•  Centralized provisioning
•  AVC Infrastructure
•  VRF Awareness
•  Blackout ~2s
•  Brownout ~2s
•  Scale 2000 sites
•  Small Branch config

Page 38: Intelligent WAN (IWAN) Architectures

Performance Routing—Components

The Decision Maker: Master Controller (MC)
•  Discover BRs, collect statistics
•  Apply policy, verification, reporting
•  No packet forwarding/inspection required

The Forwarding Path: Border Router (BR)
•  Gain network visibility in forwarding path (Learn, measure)
•  Enforce MC’s decision (path enforcement)
•  Does all packet forwarding

The Policy Controller: Domain Controller (DC)
•  Discover site peers, prefixes and connected networks
•  Advertise policy and services
•  One per domain, collocated with MC

[Figure: Branch (MC+BR) over DSL and Cable to Data Center (DC/MC with two BRs)]

Page 39: Intelligent WAN (IWAN) Architectures

PfR Domain Controller

•  Domain Controller Peering Framework
   –  Site MCs register to Domain
   –  Advertise to, or request services
   –  Simplifies deployment and configuration
   –  Provides topology auto-discovery
•  Single point of configuration across the domain
•  Used to distribute information to sites:
   –  Learned site-prefix
   –  Application/Traffic Policies
   –  Performance monitoring
   –  Traffic Class Database

[Figure: Domain Controller (DC/MC, Master Controller) with BRs over WAN1 and WAN2 to sites with MC/BR and BR]

Scaling: recommended 2000 sites max

Page 40: Intelligent WAN (IWAN) Architectures

How PfR Works: Key Operations

1.  Define Your Traffic Policy: Define Traffic Classes and service level Policies based on Applications or Transport Classifiers
2.  Learn the Traffic (Learning Active TCs): Border Routers learn current traffic classes going to the WAN based on classifier definitions
3.  Measurement (Performance Measurements): Measure the traffic flow and network performance and report metrics to the Master Controller
4.  Path Enforcement (Best Path): Master Controller commands path changes based on traffic class policy definitions

[Figure: hub MC with BRs (ISR G2, ASR1K) and MC+BR sites, repeated for each step]

Page 41: Intelligent WAN (IWAN) Architectures

Dual POPs – Different Prefix

•  Requirements:
   –  Separate datacenters/POPs
   –  Separate prefix advertised from each datacenter to spokes
•  POP2 Hub MC
   –  Configured as Branch

[Figure: Separate Prefix: IWAN POP1 (Hub MC 10.8.3.3/32, BR1/BR2, advertising 10.8.0.0/16, 10.0.0.0/8 and 0.0.0.0 via EIGRP/BGP) and IWAN POP2 (MC 10.9.3.3/32, BR3/BR4, advertising 10.9.0.0/16, 10.0.0.0/8 and 0.0.0.0 via EIGRP/BGP) over DMVPN MPLS and DMVPN INET to branches R10–R13 (10.1.10.0/24 to 10.1.13.0/24); branches see 10.8.0.0/16 and 10.9.0.0/16 as separate prefixes]

Page 42: Intelligent WAN (IWAN) Architectures

PfRv3 Multiple Next Hop Limitation

•  Issues:
   –  PfRv3 manages traffic between Tunnel Interfaces, not multiple tunnels within a single Tunnel Interface
   –  Spokes have multiple next hops on the same DMVPN tunnel Interface
   –  Channel definition: local site id + remote site id + DSCP + color(SP)
   –  No differentiation for multiple channels within a color(SP)
•  Solution: PfRv3 DMVPN Multiple Next Hop support
   –  Need to add sub-color to differentiate channels
   –  New channel definition: local site id + remote site id + DSCP + color(SP) + SP tag
   –  BR1 with tag 1, BR2 with tag 2
•  Targeted for Spring XE 3.15 / PI27 releases

[Figure: Multiple DMVPN Next Hops: IWAN POP1 (Hub MC 10.8.3.3/32, MC1, 10.8.0.0/16) with BR1–BR4 on DMVPN1 and DMVPN2, so branches R10–R13 (10.1.10.0/24 to 10.1.13.0/24) see Next Hop 1 and Next Hop 2 on the same tunnel interface]
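What the missing sub-color costs in practice, as an added example (not PfRv3 code): channel keys are built exactly as the slide defines them, before and after the SP tag, and constructed per-next-hop loss samples are aggregated under each key, which shows a degraded next hop hiding inside a channel that still looks in policy. Site names, DSCP values and the sample numbers are constructed.

```python
"""Why the PfRv3 channel key needed an SP tag.

Added example, not PfRv3 code. It builds channel keys as the slide defines
them, before (local site + remote site + DSCP + color) and after (+ SP tag)
the multiple-next-hop change, and aggregates constructed per-next-hop loss
samples under each key. Site names, DSCP values and sample numbers are
constructed.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class Channel(NamedTuple):
    local_site: str
    remote_site: str
    dscp: str
    color: str
    sp_tag: Optional[int]  # None reproduces the original channel definition


class Sample(NamedTuple):
    local_site: str
    remote_site: str
    dscp: str
    color: str
    next_hop: str    # hub BR the spoke sent through
    sp_tag: int      # slide: BR1 with tag 1, BR2 with tag 2
    loss_pct: float


def channel_key(s: Sample, with_sp_tag: bool) -> Channel:
    """Channel identity under the old (no tag) or new (tagged) definition."""
    return Channel(s.local_site, s.remote_site, s.dscp, s.color,
                   s.sp_tag if with_sp_tag else None)


def loss_per_channel(samples: List[Sample], with_sp_tag: bool) -> Dict[Channel, float]:
    """Mean loss of all samples that share a channel key."""
    buckets: Dict[Channel, List[float]] = defaultdict(list)
    for s in samples:
        buckets[channel_key(s, with_sp_tag)].append(s.loss_pct)
    return {k: sum(v) / len(v) for k, v in buckets.items()}


def channels_out_of_policy(samples: List[Sample], with_sp_tag: bool,
                           max_loss_pct: float = 5.0) -> List[Channel]:
    """Channels whose aggregated loss breaches the threshold (5%, as in the email policy)."""
    return sorted(k for k, loss in loss_per_channel(samples, with_sp_tag).items()
                  if loss >= max_loss_pct)


# Constructed: spoke R10 reaching hub site POP1 over one DMVPN (color MPLS) but
# through two next hops, BR1 (healthy) and BR2 (dropping 8%), EF traffic on both.
SAMPLES = [
    Sample("R10", "POP1", "EF", "MPLS", "BR1", 1, 0.0),
    Sample("R10", "POP1", "EF", "MPLS", "BR1", 1, 0.0),
    Sample("R10", "POP1", "EF", "MPLS", "BR2", 2, 8.0),
    Sample("R10", "POP1", "EF", "MPLS", "BR2", 2, 8.0),
]

if __name__ == "__main__":
    # Without the tag both next hops fold into one channel averaging 4% loss,
    # under the 5% threshold, so the bad next hop is never acted on.
    print("without SP tag:", loss_per_channel(SAMPLES, with_sp_tag=False))
    print("with SP tag:   ", loss_per_channel(SAMPLES, with_sp_tag=True))
```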

Page 43: Intelligent WAN (IWAN) Architectures

Dual POPs – Common Prefix

•  Requirements:
   –  2 (or more) POPs advertise the very same set of prefixes
   –  Datacenter may not be collocated with the POPs
   –  DCs/DMZs are reachable across the WAN Core for each PoP
   –  Branches can access any DC or DMZ across either POP (hub). And, DC/DMZs can reach any branch across multiple POPs (hubs).
   –  Multiple BRs per DMVPN per site may be required for crypto and bandwidth horizontal scaling
•  Targeted for Spring XE 3.15 / PI27 releases

[Figure: IWAN POP1 (MC1) and IWAN POP2 (MC2), each with BR1–BR4 on DMVPN MPLS and DMVPN INET, both advertising 10.8.0.0/16, 10.9.0.0/16 and 0.0.0.0/0 to branches R10–R13 (10.1.10.0/24 to 10.1.13.0/24); Datacenters (10.8.0.0/16, 10.9.0.0/16) sit behind the POPs. Backbone/backdoor connectivity between POPs for failover may not exist.]

Page 44: Intelligent WAN (IWAN) Architectures

Optimize Application Performance

Page 45: Intelligent WAN (IWAN) Architectures


Today’s Network is an IT Blind Spot

•  Static port classification is no longer enough

•  More and more apps are opaque

•  Increasing use of encryption and obfuscation

•  Application consists of multiple sessions (video, voice, data)

•  What if user experience is not meeting business needs?

Page 46: Intelligent WAN (IWAN) Architectures

Make Your IWAN Application Aware: Add Cisco AVC

[Figure: Proliferation of Devices (Users/Machines) at the Branch, Cisco AVC at the edge, Private Cloud, DC/Headquarters and Public Cloud]

60% of IT Professionals Cite Performance as Key Challenge for Cloud

No Probes
•  Rich data collection using NetFlow v9/IPFIX
•  No additional hardware (and included in AX license)
•  Easy to integrate into many reporting tools

Smart Capacity Planning
•  Better use of costly bandwidth
•  Per-branch and per-application level reporting

Business Aligned Privacy Enforcement
•  No need for complex IP and port ACLs
•  See inside HTTP flows to identify specific Cloud applications

Page 47: Intelligent WAN (IWAN) Architectures

Next Generation NBAR (NBAR2): Deep Packet Inspection (DPI)

[Figure: NBAR2 combines IOS NBAR (+150 Signatures) and SCE Classification (+1000 Signatures) with Innovations: Native IPv6 Classification, Open API, 3rd Party Integration]

•  Provides Advanced Application Classification and Field Extraction capabilities
•  In-service upgradable Protocol Definitions: No IOS upgrade or reboot for new Protocol Packs
•  Backward compatibility to preserve existing NBAR investments
•  NBAR2 Protocol List: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html

Page 48: Intelligent WAN (IWAN) Architectures

Performance Collection & Exporting: Integrated performance monitoring and advanced metrics for different types of applications and use cases

•  Basic Monitoring: What applications, how much bandwidth, flow direction? (NBAR2 and Flexible NetFlow)
•  Voice and Video Performance (Media Monitoring): 30% of traffic is voice and video
•  Critical Applications Performance (Application Response Time): 40% of traffic is critical applications
•  Unified Monitoring (HTTP)

Page 49: Intelligent WAN (IWAN) Architectures

Application Performance Monitoring for IWAN: Track and Report Application Flows and Performance

[Figure: Branch and DC/Headquarters AVC edges (and CSR) export NetFlow v9/IPFIX over the WAN to collectors]

NetFlow/IPFIX Records (Same provisioning, same format)
•  Traffic statistics records
•  Application Response Time records
•  Media monitoring records (Application, Jitter, Loss, etc)

Provisioning and Exporting: NetFlow v9 Export/IPFIX Export
Collecting:
•  Cisco Tools: Prime, APIC-EM
•  Partner Tools Ecosystem: LivePacked, Glue, Plixer, Living Objects, CompuWare, CA Technologies, InfoVista

Page 50: Intelligent WAN (IWAN) Architectures

Bandwidth Management Challenges: Degrading Application Experience in Non SLA Environments - Internet

[Figure: Branch to DC over Internet VPN: Offered BW up to X Mbps; AVAILABLE BW not always X, typically < X Mbps]

•  Available Link BW Can Change (Internet)
   –  Static Bandwidth Provisioning (QoS) not accurate
   –  Shapers become inaccurate due to BW fluctuation
   –  Cannot predict BW changes at configuration
•  Application & User Impact
   –  Applications tune based on static shape rate
   –  Indiscriminate traffic drops - SAP instead of YouTube!!
   –  New calls/flows admitted can degrade performance of existing ones
•  How can QoS improve user experience?

Page 51: Intelligent WAN (IWAN) Architectures

IWAN Adaptive QoS: How Does It Work?

Adapt Sender shape rate based on the available bandwidth to Receiver

Sender and Receiver across the DMVPN:
•  Configure MQC Policy with Adaptive Shaping
•  Transport Monitoring Enable
•  Collect Periodic bw Stats on received traffic (Transport Received Rate)
•  Calculate Available Bandwidth over the WAN
•  Adjust Egress Shaper to observed rate

IWAN 2.0

Page 52: Intelligent WAN (IWAN) Architectures

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public

IWAN Advanced QoS – Local Per-Flow Admission Control (PFA) (IWAN 2.0)

Diagram: Branch routers and a DC router (ASR1000) joined by DMVPN tunnels over MPLS or Internet, with Path Selection at each end.

•  Drop or remark flows exceeding nominal interface bandwidth
•  Acts on egress flows only (dropped or remarked flows)
•  Flows shaped to available link BW. PFA algorithm is aware of the adaptive shape rate!

WAN bandwidth oversubscription problem
•  The N+1 flow on the pipe can affect quality of all existing N flows!!
•  Problem compounded as available BW itself is variable and not predictable
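The two slides above describe the adaptive-shaping loop and the admission-control rule in prose only. As an added example (not Cisco's implementation), the Python below models an egress shaper that follows the rate the receiver reports and a priority-aware per-flow admission control on top of it, so the N+1 flow is remarked instead of degrading the N flows already admitted; the clamping rule, priority order, eviction policy, flow names and rates are assumptions and constructed sample data.

```python
"""Adaptive shaping with per-flow admission control: a simplified model
(added example, not Cisco's implementation). The clamping rule, priority
order and eviction policy are assumptions; flows and rates are constructed."""
from dataclasses import dataclass
from typing import List


@dataclass(order=True)
class Flow:
    priority: int          # lower value = more important (0 = voice)
    name: str
    rate_kbps: int         # nominal demand of the flow


class AdaptiveShaper:
    """Egress shaper that follows the rate actually observed at the receiver."""

    def __init__(self, nominal_kbps: int, floor_kbps: int):
        self.nominal_kbps = nominal_kbps   # the "up to X Mbps" the ISP sold
        self.floor_kbps = floor_kbps       # never shape below this (assumed)
        self.rate_kbps = nominal_kbps      # start at the static shape rate

    def update(self, received_kbps: int) -> int:
        """Periodic sample of what arrived at the far end; track it."""
        self.rate_kbps = max(self.floor_kbps,
                             min(self.nominal_kbps, received_kbps))
        return self.rate_kbps


class PerFlowAdmission:
    """Admit flows only while they fit under the current shape rate."""

    def __init__(self, shaper: AdaptiveShaper):
        self.shaper = shaper
        self.admitted: List[Flow] = []

    def used_kbps(self) -> int:
        return sum(f.rate_kbps for f in self.admitted)

    def offer(self, flow: Flow) -> str:
        """The N+1 flow is remarked (sent best-effort) instead of being
        allowed to degrade the N flows already admitted."""
        if self.used_kbps() + flow.rate_kbps <= self.shaper.rate_kbps:
            self.admitted.append(flow)
            return "admitted"
        return "remarked"

    def reshape(self, received_kbps: int) -> List[str]:
        """Shape rate moved: evict the least important flows until the rest
        fit again; returns the evicted flow names (lowest priority first)."""
        self.shaper.update(received_kbps)
        evicted = []
        while self.used_kbps() > self.shaper.rate_kbps and self.admitted:
            victim = max(self.admitted)   # order=True: highest priority value
            self.admitted.remove(victim)
            evicted.append(victim.name)
        return evicted


def scenario() -> dict:
    """Constructed run: a 10 Mbps Internet link whose usable rate drops."""
    pfa = PerFlowAdmission(AdaptiveShaper(nominal_kbps=10_000, floor_kbps=2_000))
    results = {}
    for flow in [Flow(0, "voice", 100), Flow(1, "sap", 2_000),
                 Flow(2, "video", 4_000), Flow(3, "youtube", 3_000)]:
        results[flow.name] = pfa.offer(flow)      # 9.1 Mbps fits under 10
    results["bulk-backup"] = pfa.offer(Flow(3, "bulk-backup", 2_000))  # N+1
    results["evicted_at_7m"] = pfa.reshape(received_kbps=7_000)  # receiver sample
    results["used_after"] = pfa.used_kbps()
    results["shape_rate"] = pfa.shaper.rate_kbps
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:16s} {value}")
```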

Page 53: Intelligent WAN (IWAN) Architectures


Add WAN Optimization with WAAS + Akamai – Speed and Bandwidth Benefits on Top of the IWAN

Diagram labels: Private Cloud; Branch; DC/Headquarters; vWAAS; AppNav-XE Controller; CSR; WAVE; WAN; Proliferation of Devices; Users/Machines; Accelerate Any TCP Connection.

Faster Applications, More Users, Less Bandwidth
•  90% HD Video optimization and better user experience
•  Twice as many Citrix users over same WAN, 70% faster
•  Toyota: ROI in less than one year, 65% BW cost savings

Easy to Deploy
•  Works with existing branch routers (and existing AX license)

Scalable
•  AppNav Controller and WAVE pool is scalable
•  Native HA capability

Page 54: Intelligent WAN (IWAN) Architectures


Cisco WAAS – Enhancing User Experience and WAN Efficiency

Problem
•  Application latency
•  WAN bandwidth inefficiencies

Solution
•  Reduce load: Data redundancy elimination (DRE), compression, and TCP optimization
•  Application optimization: fewer protocol messages and metadata caching

Charts: Application Bandwidth (Mbps, 0–160) natively vs. with Cisco® WAAS – reduction in bandwidth; Application Latency (seconds, 0–4) natively vs. with Cisco WAAS – reduction in latency.

Page 55: Intelligent WAN (IWAN) Architectures


Application-Specific Acceleration

§  Application and protocol awareness
   –  Eliminate unnecessary chatter
   –  Save WAN bandwidth
   –  Pre-populate edge cache as necessary
   –  Enable disconnected operations

§  Intelligent protocol acceleration
   –  Read-ahead, prediction, and batching
   –  Safe data and metadata caching
   –  Improves application response time
   –  Provide origin server offload

§  DRE Hints
   –  Application intelligence signals to DRE & LZ whether to compress and whether to cache

Diagram labels: WAN; Application Specific Acceleration (Safe Caching, Read-ahead, Prediction, Batching, DRE Hinting); WAN Optimization (DRE/TFO/LZ); Origin Server Offloaded.

Page 56: Intelligent WAN (IWAN) Architectures


IWAN – Application Optimization with Akamai Connect (IWAN 2.0)

Optimal Experience Regardless of Device, Connectivity or Cloud – All HTTP Traffic in Private, Public, Akamai Cloud
Prepositioning | Dynamic HTTP Caching (YouTube) | Any Transport

Diagram labels: Data Center – WAN – Branch (ISR-AX, AKAMAI Inside, AKAMAI CACHE); Akamai Intelligent Platform.

Page 57: Intelligent WAN (IWAN) Architectures


Akamai Connect Caching & Prepositioning

Diagram labels: Branch – MPLS (IP-VPN) – Private Cloud; Virtual Private Cloud; Public Cloud; Akamai Intelligent Platform.

•  WAAS Optimization + Akamai Connect improves both Private and Public Cloud performance
•  Cached & prepositioned content improves application response time dramatically
•  Prepositioning of Internet and Private Cloud content, including dynamic URLs like YouTube
•  Caches HTTP content
•  Akamai Connect works over WAN and directly from the Internet

Page 58: Intelligent WAN (IWAN) Architectures


Application Acceleration + Edge Caching – Enhancing User Experience while reducing WAN load
Supports Akamai Cloud | Single-sided Optimization | Secure Direct Internet Access

AKAMAI CACHING
•  Transparent HTTP Caching
•  Dynamic URL OTT HTTP Caching
•  Akamai Connected Cache
•  Content Pre-positioning

CISCO WAAS Optimization
•  LZ Compression
•  TCP Optimization
•  Data De-duplication
•  Application Specific Acceleration

Page 59: Intelligent WAN (IWAN) Architectures


Cisco WAAS & Akamai Deployment Models (IWAN 2.0)

Diagram labels:
•  Branch Office – WAAS Service Module / UCSe
•  Branch Office – WAAS-XE on ISR-4000
•  Branch Office – WAAS Appliance
•  Regional Office – WAAS Appliance
•  Data Center or Private Cloud – WAAS Appliances; AppNav + WAAS; VMware ESXi, vWAAS Appliances, Server VMs
•  Virtual Private Cloud – vWAAS WAE, Server VMs, VMware ESXi Server, Nexus 1000v vPATH, UCS/x86 Server, FC SAN, Nexus 1000v VSM
•  VPN / IWAN between the sites

Page 60: Intelligent WAN (IWAN) Architectures

IWAN Secure Connectivity

Page 61: Intelligent WAN (IWAN) Architectures


Intelligent WAN: Secure Connectivity – Securing the network and users

Diagram labels: Branch – MPLS (IP-VPN) / Internet – Private Cloud, Virtual Private Cloud, Public Cloud; Secure WAN Transport; Secure Internet Access.

Two areas of concern
1.  Protecting the network from outside threats with data privacy over provider networks
2.  Protecting user access to Public Cloud and Internet services; malware, privacy, phishing,…

Page 62: Intelligent WAN (IWAN) Architectures


Securing the IWAN Transport – IPSec VPN and Access Control

•  Step 1: Secure Transport – IPSec with DMVPN overlay
  –  Secure transport independent overlay
  –  Add Strong Cryptography: IKEv2 + AES-GCM 256
  –  F-VRF to isolate internal routing domain

•  Step 2: Access Control – IOS Zone-based Firewall or ACLs
  –  Minimize exposure
  –  DHCP addressing for Internet and tunnel interfaces
  –  Don’t put tunnel addresses into DNS

•  Step 3: Choose your performance level
  –  Size router based on Encryption with Services and WAN bandwidth
  –  Head-end: ASR1000 or ISR4451X; Branch: ISR-G2 or ISR-4000

Diagram labels: Branch – DSL / Cable – ISP A / ISP C – Data Center (ASR 1000, ASR 1000).

Page 63: Intelligent WAN (IWAN) Architectures


Cisco Router Security Certifications

Platform                 FIPS 140-2, Level 2   Common Criteria EAL4   Suite B* Hardware Assist
Cisco ISR 890 Series     ü                     P                      P
Cisco ISR 1900 Series    ü                     P                      P
Cisco ISR 2900 Series    ü                     P                      P
Cisco ISR 3900 Series    P                     P                      P
Cisco ISR 4000 Series    P                     P                      P
Cisco ASR 1000 Series    P                     ü                      P**

(ü and P are the two check-mark glyphs as extracted from the slide's symbol font)

* RFC 6379
** RP2 is only supported in ASR1004, ASR1006, and ASR1013

Page 64: Intelligent WAN (IWAN) Architectures


Cisco VPN ISM for ISR G2 – Delivering High Performance VPN for Branch Routers

Features
•  Plug and play Internal Service Module (ISM) for VPN acceleration
•  Hardware encryption support for both IPsec and SSL VPN
•  Hardware support for IKEv2 and Suite B NG crypto algorithms

Performance
•  High IPsec VPN throughput (up to 1.2 Gbps)
•  Up to 3X throughput and 2X supported IPsec tunnels over onboard crypto engine

Platform Requirements
•  IOS Requirement: 15.2(1)T1 or later
•  Supported Platforms: 1941, 2901, 2911, 2921, 2951, 3925, 3945
  –  (Note: Not supported on 1941W, 3925E, 3945E)

Page 65: Intelligent WAN (IWAN) Architectures


Add Network Integrated Threat Defense – IOS Zone-Based Firewall

Diagram labels: Branch – DSL / Cable – ISP A / ISP C – Data Center (ASR 1000, ASR 1000).

•  Control the Perimeter:
  –  External and internal protection: internal network is no longer trusted
  –  Protocol anomaly detection and stateful inspection
•  Communicate Securely:
  –  Call flow awareness (SIP, SCCP, H323)
  –  Prevent DoS attacks
•  Flexible:
  –  Split Tunnel – Branch direct Internet access
  –  Internal FW addresses regulatory compliance
•  Integrated:
  –  No need for additional devices, expenses and power
  –  Works with other IWAN Services: CWS, WAAS, UCS-E,…
•  Manageable:
  –  Supports CLI, SNMP, CCP, and CSM
  –  Supports Cisco Configuration Engine

Page 66: Intelligent WAN (IWAN) Architectures


Securing IWAN Transports with Front-door VRF – Isolation of external networks

•  Virtual Routing and Forwarding instances (VRFs) create multiple logical routers on a single device
  –  Separate control/forwarding planes per VRF
  –  No connectivity between VRFs by default
  –  Provider side VRF (yellow) for external networks, Global VRF (blue) for internal networks

•  Provider VRF minimizes threat exposure
  –  Default routing only in Provider VRF
  –  Provider assigned IP addressing hides internal network
  –  Provider IP address used as IPSec tunnel source
  –  Only IPsec allowed between internal Global and Provider Front Side VRFs

Diagram labels: Global Enterprise VRF (Branch LAN 10.1.1.0/24, 10.1.2.0/24 …) – IPSec Tunnel Interface – Front Side Provider VRF (F-VRF; Provider Assigned WAN IP Address 192.168.254.254). VRFs have independent routing and forwarding planes. IOS ZBFW or ACL to permit only authorized traffic, i.e. IPsec.

Page 67: Intelligent WAN (IWAN) Architectures


Protecting Public facing IWAN Interfaces

Diagram labels: Branch – DSL / Cable – ISP A / ISP C – Data Center (ASR 1000, ASR 1000).

•  Use ACLs, ZBFW or ASA to block all traffic except the DMVPN tunnel traffic to routers
•  Zone Based Firewall (ZBFW) at the branch if there are plans for direct Internet access
•  Typical ACL for protecting the Internet interface:

   interface GigabitEthernet0/0
    bandwidth 10000
    ip vrf forwarding INET-PUBLIC1
    ip address dhcp
    ip access-group ACL-INET-PUBLIC in
    duplex auto
   !
   ip access-list extended ACL-INET-PUBLIC
    permit udp any any eq non500-isakmp
    permit udp any any eq isakmp
    permit esp any any
    permit udp any any eq bootpc
    permit icmp any any echo
    permit icmp any any echo-reply
    permit icmp any any ttl-exceeded
    permit icmp any any port-unreachable
    permit udp any any gt 1023 ttl eq 1
   !
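The ACL above admits only what DMVPN over IPsec (IKE on UDP 500, NAT-T on UDP 4500, ESP), the DHCP-assigned address and basic ICMP diagnostics need; everything else falls to the implicit deny. As an added example (not Cisco's code), the Python below parses the slide's ACL with a small matcher for the subset of IOS extended-ACL syntax it uses and evaluates constructed sample packets against it, which is also how one would check the "permit only authorized traffic, i.e. IPsec" rule of the Front-door VRF slide; the packet model, the port and ICMP name tables and the sample packets are assumptions.

```python
"""Evaluate packets against the slide's ACL-INET-PUBLIC (added example, not
Cisco's code). Supports only the IOS extended-ACL subset the slide uses:
any/any, eq/gt ports, ICMP type names and 'ttl eq N'."""
from typing import List

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "bootpc": 68}  # IOS names
ICMP_NAMES = {"echo": (8, None), "echo-reply": (0, None),          # (type, code)
              "ttl-exceeded": (11, None), "port-unreachable": (3, 3)}

ACL_INET_PUBLIC = """
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit udp any any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit udp any any gt 1023 ttl eq 1
"""  # body copied from the slide; interface lines omitted


def parse_acl(text: str) -> List[dict]:
    """Parse ACL lines into dicts; raise on syntax outside the subset."""
    entries = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        action, proto, src, dst, *rest = tok
        if (src, dst) != ("any", "any"):
            raise ValueError(f"only 'any any' is supported: {raw}")
        e = {"action": action, "proto": proto}
        i = 0
        while i < len(rest):
            if rest[i] in ("eq", "gt"):                        # port match
                e["port_op"] = rest[i]
                e["port"] = PORT_NAMES.get(rest[i + 1]) or int(rest[i + 1])
                i += 2
            elif rest[i] == "ttl" and rest[i + 1] == "eq":     # TTL match
                e["ttl"] = int(rest[i + 2])
                i += 3
            elif proto == "icmp" and rest[i] in ICMP_NAMES:    # ICMP type
                e["icmp"] = ICMP_NAMES[rest[i]]
                i += 1
            else:
                raise ValueError(f"unsupported token {rest[i]!r}: {raw}")
        entries.append(e)
    return entries


def matches(e: dict, p: dict) -> bool:
    """Packet p is a dict: proto, dport, icmp_type, icmp_code, ttl (default 64)."""
    if e["proto"] != p["proto"]:
        return False
    dport = p.get("dport")
    if e.get("port_op") == "eq" and dport != e["port"]:
        return False
    if e.get("port_op") == "gt" and (dport is None or dport <= e["port"]):
        return False
    if "icmp" in e:
        t, c = e["icmp"]
        if p.get("icmp_type") != t or (c is not None and p.get("icmp_code") != c):
            return False
    return "ttl" not in e or p.get("ttl", 64) == e["ttl"]


def decide(entries: List[dict], p: dict) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for e in entries:
        if matches(e, p):
            return e["action"]
    return "deny"


def audit(entries: List[dict]) -> dict:
    """Constructed sample traffic a public WAN interface might see."""
    samples = {
        "ike_udp500": {"proto": "udp", "dport": 500},
        "nat_t_udp4500": {"proto": "udp", "dport": 4500},
        "esp": {"proto": "esp"},
        "dhcp_reply_bootpc": {"proto": "udp", "dport": 68},
        "ping": {"proto": "icmp", "icmp_type": 8},
        "port_unreachable": {"proto": "icmp", "icmp_type": 3, "icmp_code": 3},
        "traceroute_probe_ttl1": {"proto": "udp", "dport": 33434, "ttl": 1},
        "udp_high_port_ttl64": {"proto": "udp", "dport": 33434},
        "ssh_tcp22": {"proto": "tcp", "dport": 22},
        "snmp_udp161": {"proto": "udp", "dport": 161},
        "icmp_redirect": {"proto": "icmp", "icmp_type": 5},
    }
    return {name: decide(entries, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(parse_acl(ACL_INET_PUBLIC)).items():
        print(f"{name:24s} {verdict}")
```

Note that the last entry only admits high-port UDP with TTL 1 (traceroute probes arriving at the router itself), so the same probe with a normal TTL is dropped.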

Page 68: Intelligent WAN (IWAN) Architectures


Intelligent WAN—Direct Internet Access

Diagram labels: Branch (ISR-AX, ZBFW) – MPLS (IP-VPN) – Private Cloud, Virtual Private Cloud; Internet – Direct Internet Access – Public Cloud; CWS.

•  Leverage Local Internet path for Public Cloud and Internet access
•  Improve application performance (right flows to right places)

Solutions
•  On Premise – Zone Based Firewall
•  Cloud Based – Cloud Web Security

Page 69: Intelligent WAN (IWAN) Architectures


Cloud Web Security Centralized Management for Distributed Policy

Cisco ScanCenter Portal

Page 70: Intelligent WAN (IWAN) Architectures


Secure Internet Access with Cisco Cloud Web Security (CWS)

Diagram labels: Branch – WAN1 (IP-VPN) – Private Cloud; Branch – WAN2 (Internet) – Internet / CWS – Public Cloud.

•  Secure Public Cloud and Internet Access
•  ISR Connector to CWS Firewall towers: Web Filtering, Access Policy, Malware Detect
•  IWAN IPsec VPN for Private Cloud Traffic
•  IOS Firewall to protect Internet Edge

Page 71: Intelligent WAN (IWAN) Architectures


Cisco ISR CWS Connector – How it Works

Diagram labels: Branch (DSL Interface, CWS Connector) – WAN Tunnel / MPLS (IP-VPN) – Private Cloud, Virtual Private Cloud (HQ Routes, HQ Traffic); Default Route – Internet – CWS – Public Cloud.

Cisco ISR G2 with CWS Cloud Connector—FUNCTIONS:
•  Authenticate router and client to CWS cloud
•  Intercept HTTP/HTTPS traffic based on ACL filters
•  Add user credentials header for identifying policy to be applied
•  Traffic Relay: replace client Source IP address with Egress address
•  Redirect to CWS for scanning
•  Act as HTTP proxy to complete requests
•  Allow/Block or Warn based on user or group policy
•  Scan for Malware

Page 72: Intelligent WAN (IWAN) Architectures


CWS Features

•  Custom, granular user-based policies managed in the cloud

•  User-based reporting

•  URL, IP, host, and user agent-based whitelisting for trusted sites (bypasses CWS filtering)

•  Default block or permit action in case of tower unreachability

•  Single sign-on support

•  IP and browser-based authentication bypass features

•  Authenticated IP cached with absolute/idle timer options

•  Default “guest” access on authentication failure

•  Multiple authentication support

Authentication Type   User Experience          Supported ADs
NTLM (v1 and v2)      Transparent              Microsoft AD/LDAP
HTTP Basic            Prompts user for login   Microsoft AD/LDAP, ACS
Web Auth              Prompts user for login   Microsoft AD/LDAP, ACS

Page 73: Intelligent WAN (IWAN) Architectures

IWAN Orchestration and Automation

Page 74: Intelligent WAN (IWAN) Architectures


Cisco IWAN Management

Cloud-Based Management – Automates Deployment and Lifecycle Management
•  Eliminates manual building of WANs
•  Automated SD-WAN orchestration
•  Centralized hybrid WAN management
•  Quick config updates and IOS upgrades
•  Leverages onePK and REST APIs

Specialized Management – Application Aware Network Performance Management
•  Integrates with Cisco AVC and PfR
•  Monitor and analyze application traffic
•  End-to-end flow visualization
•  Flow & App-based Troubleshooting
•  Fix and Verify in Realtime

On-Prem Management – Prime Infrastructure 2.2 – End-to-End Assurance of Application Experience
•  Single-pane view of IWAN
•  IWAN deployment workflows
•  Plug and Play
•  DMVPN, QoS, AVC deployment and monitoring
•  PfR v3 in Q1 2015
•  License includes IWAN App and APIC-EM controller!

Page 75: Intelligent WAN (IWAN) Architectures


Prime Infrastructure 2.2 for IWAN

•  IWAN workflow wizard with PnP
•  Template-based IWAN configs
•  PfRv3 Domain, MC and BR
•  AVC One-Click provision
•  QoS Provisioning
•  Single or Dual Router Branch
•  CVD-based, Customizable
•  AVC Readiness Assessment
•  AVC, QoS, PfR Visibility
•  Leverages APIC EM services

Page 76: Intelligent WAN (IWAN) Architectures


Prime Infrastructure Plug-n-Play Options – No CLI Skills Required

PnP 1 – USB stick to bootstrap the ISR
•  Installer connects LAN/WAN cables
•  ISR loads bootstrap config from USB memory stick

PnP 2 – Prime Plug-n-Play Application
•  Installer connects LAN/WAN cables + a USB console cable to a Laptop/iPhone/iPad
•  PnP Application bootstraps the router

PnP 3 – Cisco Configuration Professional Express (ISR Device GUI)
•  Installer connects LAN/WAN cables + a PC to a LAN port
•  CCP Express Application to bootstrap the router

Page 77: Intelligent WAN (IWAN) Architectures


Prime Plug-n-Play Solution Components

Diagram labels: Branch – WAN1 (IP-VPN) / WAN2 (Internet) – Private Cloud; CNS Agent; CNS Protocol.

•  PnP Application: installer application for iPhone, iPad, and Windows PC used for authenticating and booting the IOS device
•  Prime Infrastructure Server: manages and distributes deployment information (images, configurations, and licenses)
•  CNS Protocol: Cisco PnP protocol for loading IOS image and initial configuration
•  IOS CNS Agent: uses bootstrap config to access the PnP Server

Page 78: Intelligent WAN (IWAN) Architectures


Plug-n-Play Application Workflow Overview

0.  Pre-Provisioning in Prime Infrastructure

•  Administrator creates a Plug and Play device profile in Prime Infrastructure

•  Administrator specifies device names, desired configuration, SW image, and optionally the device serial numbers

•  A deployment PIN number is generated for each device and can be emailed to the installer

1.  Installation at the End Location

•  Installer receives the device, mounts the device and connects the cables

•  Installer launches Plug-and-Play application and enters the PIN

•  Plug-and-Play application registers the device serial number with Prime and then downloads bootstrap configuration to the device

•  Device downloads the SW image and full configuration from Prime, Plug-and-Play application displays status

Page 79: Intelligent WAN (IWAN) Architectures


Prime Plug-n-Play Application – Simplified Branch Router Deployment

Diagram labels: BRANCH LOCATION (Remote ISR, PnP App, USB Console Cable, 3G/4G) – SP Network (MPLS/Internet) – https – NETWORK OPERATIONS CENTRE (NOC), ENTERPRISE OR SP (DMZ: PnP Gateway; Prime Infrastructure; ISE – Radius, LDAP or AD, DES/One-Time-Password).

1.  Installer connects the PC to ISR with USB cable and starts PnP App
2.  Installer enters PIN and clicks “install”
3.  PnP App retrieves serial number from ISR
4.  PnP App requests router config through the 3G connection
5.  PnP Gateway validates installer's credentials
6.  PnP Gateway registers router serial number and gets the ISR bootstrap config from Prime Infrastructure
7.  PnP App receives bootstrap config from PnP Gateway and installs it on ISR
8.  ISR bootstrap downloads IOS image and full config from PnP Server

Alternatively, the installer could download the bootstrap config by logging in to the PnP Gateway’s portal prior to installation, eliminating the need for a 3G/4G connection.

Page 80: Intelligent WAN (IWAN) Architectures


IWAN Management with Application aware Network Performance Management + QoS Control

Flow
•  End-to-End topology, flow and trace visualization
•  Search capability
•  Alert drilldown to applicable flows
•  Point-and-click FnF configurations

QoS Monitor
•  QoS dashboard and alert drill-down
•  Pre and post-QoS graphs
•  Congestion indicators
•  Single-click QoS audit

QoS Configure
•  QoS/ACL graphical configurator
•  Customized policies with 25+ QoS templates
•  Apply policy to multiple devices w/ single click
•  CLI preview

LAN
•  LAN path and Spanning Tree connections
•  Trunk and access bandwidth
•  Layer 2 QoS stats
•  VLAN filtering in topology view

IP SLA
•  IP SLA topology view
•  IP SLA dashboard
•  Graphical IP SLA configurator
•  Support all IP SLA tests including Video Operations

Routing
•  Topology view of active routes
•  Graphical Policy Based Routing
•  Trace path to destination with return route

Workflow labels: See, Visualize, Point, Click; Troubleshoot, Fix; Control, Deploy, Improve; Decision Making.

Page 81: Intelligent WAN (IWAN) Architectures


Glue Networks IWAN Orchestration

•  Cloud-based SaaS subscription model

•  Eliminates manual building of WANs

•  Automated WAN orchestration and management

•  Quick configuration updates and IOS upgrades

•  Rapidly delivers nextgen and IWAN features

•  Forward compatible with SDN and OnePK for app aware WANs

•  Broadband and MPLS support for centralized hybrid WAN management for IWAN

Page 82: Intelligent WAN (IWAN) Architectures


Glue Networks – Migrate Existing WAN Routers into Gluware Management

1 Plan
•  Identify network services and IOS features (Security, QoS, etc.)
•  Identify existing WAN infrastructure for inclusion into Gluware orchestrated WAN
•  Translate network characteristics and design into templates via Gluware

2 Implement
•  Provision head end routers prior to branch routers
•  Initiate provisioning via USBConnect for both greenfield and brownfield routers
•  Routers re-provisioned to Gluware management
•  Gluware lifecycle management and orchestration: quick configuration changes and IOS upgrades

Diagram labels: DC/HQ – Secure SSH Tunnel – Internet – Branch, Branch (Existing WAN Router).

Page 83: Intelligent WAN (IWAN) Architectures


IWAN Automation and Orchestration Evolution

Traditional Management Systems (Cisco Prime) → Evolution → APIC-EM

APIC-EM
•  REST APIs
•  APIC-EM Services (partial): PKI Svc, NetFlow Svc, PnP Svc, Network Svc, Events Svc, Inventory Svc
•  Device Abstraction Layer: CLI, OnePK/Openflow

Apps
•  Cisco IWAN Apps (Q2 CY2015): Transport, PKI, Automation, Security, Intelligent Path Control, Application Experience, PnP Provisioning
•  Partners (future)
•  Prime: Capacity Planning, Troubleshooting, Change control

Page 84: Intelligent WAN (IWAN) Architectures

Cisco IWAN Product Portfolio

Page 85: Intelligent WAN (IWAN) Architectures


Start with Cisco AX Routers – IWAN Capabilities Embedded in the Router

One Network – UNIFIED SERVICES: ISR-AX, ISR-4000 AX, ASR1000-AX
Simplify Application Delivery: Transport Independent, Secure Routing, Optimization, Control, Visibility

Cisco AX Routers: 800 | 1900 | 2900 | 3900 | 4000 | ASR 1000

Page 86: Intelligent WAN (IWAN) Architectures


IWAN Branch Services Routers – ISR 4000 Series: IWAN AX Ready, Next Generation Branch

INTEGRATED IWAN SERVICES
!  IOS Firewall, VPN, IPSec, PfRV3, NBAR2, AVC, AppNav, VRF, MPLS
!  Scalable on-chip service provisioning

APPLICATION CENTRIC
!  App/User policy-driven deployment
!  APIC-EM Automation: deploy in minutes
!  Pay-as-you-grow
!  Up-to-75% cost savings

APPLIANCE LEVEL PERFORMANCE
!  Service-Aware Dataplane
!  Resilient Service Virtualization
!  Multi-gigabit Fabric

Platform    Throughput
ISR4431     500Mbps/1Gbps   NEW!
ISR 4351    200/400Mbps     NEW!
ISR 4331    100/300Mbps     NEW!
ISR4321     50/100Mbps      NEW!
ISR4451     1-2Gbps

Information Reference

Page 87: Intelligent WAN (IWAN) Architectures


IWAN Aggregation Border Routers – ASR1000: IWAN AX Ready, High Performance Routers

INTEGRATED IWAN SERVICES
!  IOS Firewall, VPN, IPSec, PfRV3, NBAR2, AVC, AppNav, VRF, MPLS
!  Scalable on-chip service provisioning

BUSINESS-CRITICAL RESILIENCY
!  Separate control and data planes
!  Hardware and software redundancy
!  In-service software upgrades

COMPACT, POWERFUL ROUTER
!  Line-rate performance 2.5G to 200G+ with services enabled
!  Crypto performance from 2G to 60G+
!  Flexible I/O: SPAs and Ethernet LCs

ASR1001-X (NEW!)
§  2.5G Upgradeable to 5G, 10G, 20G
§  Up to 8G Crypto Throughput

ASR1002-X
§  5G Upgradeable to 10G, 20G, 36G
§  Up to 4G Crypto Throughput

Modular ASR1006
§  Modular, Redundant up to 200G
§  Up to 60G Crypto Throughput

Information Reference

Page 88: Intelligent WAN (IWAN) Architectures


Cisco UCS-E Series – Extend Cloud Services into Branch Infrastructure
Support on ISR G2 and 4000 Series

Diagram labels: IOS, MGF Backplane Switch; UCS-E Blade (CIMC) – Hypervisor – OS/App (multiple VMs per blade).

App Platform for WAN Edge Applications
•  Microsoft Windows-Server and Linux Certified

Server Virtualization
•  Cisco UCS Virtualization Powered by VMware, Microsoft, Citrix

Dedicated Blade Management
•  Cisco Integrated Management Controller
•  Consistent management for UCS family

Multipurpose x86 Blades
•  Cisco UCS E Series modules
•  House up to four server blades in an ISR

Single-Device Network Integration
•  House all devices in ISR G2 chassis
•  Multigigabit fabric backplane switch

Information Reference

Page 89: Intelligent WAN (IWAN) Architectures


Cisco UCS E-Series Server Hypervisor and OS Support

Hypervisors
•  VMware vSphere Hypervisor™ 5.0, update 1, 5.1 and 5.5
•  Hyper-V (Windows 2008 R2 and 2012, 2012 R2)
•  Citrix XenServer 6.0

Microsoft Windows
•  Windows Server 2008 R2 Standard 64-bit
•  Windows Server 2008 R2 Enterprise 64-bit
•  Windows Server 2012, 2012 R2

Linux
•  Red Hat Enterprise Linux 6.2
•  SUSE Linux Enterprise 11, service pack 2
•  Oracle Enterprise Linux 6.0, update 2

Information Reference

Page 90: Intelligent WAN (IWAN) Architectures


Future Application Delivery – Write once. Run anywhere. (NEW!)

Diagram labels: Blade Hosting (UCS-E Blade), Server Hosting (External Server Network), ISR-4000 Hosting; Cisco Network Operating System; Traditional Features; Container; Services & Applications; Embedded Network Services; Feature; Network Services & Applications.

Page 91: Intelligent WAN (IWAN) Architectures


Cisco Advanced Services IWAN Portfolio (NEW!)

Customer Situation → Advanced Services Offering
•  Looking to explore IWAN architecture evolution → Network Architecture Discovery Workshop
•  Desire to evaluate current branch architecture and devise IWAN architecture strategy → Network Architecture Assessment and Strategy
•  Assistance with designing and planning an IWAN deployment strategy → Network Planning and Design
•  Customer wants Cisco to manage the full migration to the IWAN solution through a turn-key service → Network Planning, Design, and Implementation Service

Page 92: Intelligent WAN (IWAN) Architectures

IWAN 2.0 Considerations

Page 93: Intelligent WAN (IWAN) Architectures


IWAN 2.0 Considerations

•  Intelligent Path Control
  –  Horizontal scaling with multiple BRs at a site connected to a single DMVPN network
  –  Common/same prefixes being reachable over multiple hub/pop locations
  –  Enhancements coming in Spring 2015

•  Application Optimization
  –  AVC requires flow symmetry across the same border router to classify stateful applications
    •  Problematic at sites with dual routers; e.g. hub/pop locations
    •  Enhancement coming in the Summer or Fall 2015 release

•  Secure Connectivity
  –  CWS connector not currently supported on the ISR-4000 series routers
    •  Support coming in the Summer 2015 release

Page 94: Intelligent WAN (IWAN) Architectures

Why Cisco IWAN?

Page 95: Intelligent WAN (IWAN) Architectures


1st 3rd Savings & Loan (13S&L) Scenario – Current Network Design

•  East and West Data Centers (DC) for redundancy and business continuance
•  Internet DMZs at each DC
  –  13S&L.com Internet presence
  –  Employee Internet access
  –  7200 series routers and PIX firewalls
•  WAN
  –  513 branches with 2 Hub/DC sites
  –  MPLS VPN provided by AsTheBellTolls (ATBT)
  –  3 Classes of service – Real Time, Data and Default
  –  99.95% circuit availability
  –  T3 and ½ T1 access to VPN
  –  7200 and 2800 series routers

Diagram labels: Branch-1 … Branch-513 (2811, 768kbps) – ATBT MPLS VPN (3 CoS) – DC-West / DC-East (7200 ×4, DS3 45Mbps, Internet, DCI WAN Core).

Page 96: Intelligent WAN (IWAN) Architectures


Internet

Intelligent WAN Summary

•  Transport Independent Design
  –  Hybrid MPLS + Internet transports: increased bandwidth with higher availability
•  Intelligent Path Control
  –  Performance Routing (PfR) to protect critical applications and load balance traffic to maximize expensive WAN bandwidth
•  Application Optimization
  –  Application Visibility and Control (AVC) to monitor application performance at the branch
  –  WAAS + Akamai to reduce bandwidth consumption and improve application experience
•  Secure Connectivity
  –  Cloud Web Security (CWS) for improved performance of Public Cloud and Internet applications while reducing bandwidth over the WAN, without compromising security or control
•  IWAN Management
  –  Prime, LiveAction, or GlueWare with SDN evolution with APIC-EM

Diagram labels: Branch-1 … Branch-513 (ISR-AX, vWAAS, AVC, BR; 20M Dn / 2M Up Island ADSL, 512M FD, 1.5M FD, 256M FD) – ATBT MPLS / Internet (ShowMe$$) – DC-West / DC-East (ASR-AX, WAAS, AVC, BR, MC, DCI WAN Core, CWS, Internet).

Page 97: Intelligent WAN (IWAN) Architectures


Cisco Intelligent WAN (IWAN)

Diagram labels: Branch – MPLS (IP-VPN) – Private Cloud, Virtual Private Cloud; Internet – Public Cloud; Secure WAN Transport; Direct Internet Access.

•  Mixed Transport WAN with High Reliability
•  SLAs for Business-Critical Applications
•  Centralized Security Policy for Internet Access
•  Dramatically Lower WAN Costs Without Compromise

Page 98: Intelligent WAN (IWAN) Architectures


Customer Proof of Concept (CPOC) IWAN Pre-Built Static Testbed (PBST)

•  IWAN LAB for customer hands-on testing

•  Network, Management, Traffic Generators and Impairment

•  Remote Access with Telepresence

Page 99: Intelligent WAN (IWAN) Architectures


CPOC IWAN PBST Questions? Contact your Cisco Sales or Partner Representative

Page 100: Intelligent WAN (IWAN) Architectures


IWAN Sessions – Cisco Live Milan

Techtorial
•  TECCRS-2004 – Implementing the Intelligent WAN (IWAN) – Jean-Marc, Scott, Steve, David, Bill, Patrick

Breakouts
•  BRKCRS-2000 – Intelligent WAN (IWAN) Architecture – Scott Van de Houten
•  BRKRST-2362 – Implementing Next Generation Performance Routing – PfRv3 – Jean-Marc Barozet
•  BRKAPP-2030 – Troubleshoot Business Applications with Advanced Monitoring Techniques – Karthik Dakshinamoorthy
•  BRKRST-2514 – Application Optimization and Provisioning the Intelligent WAN (IWAN) – Bill Reilly
•  BRKRST-2041 – WAN Architectures and Design Principles – Adam Groudan
•  BRKCRS-2042 – Highly Available Wide Area Network Design – David Prall
•  BRKNMS-2845 – IWAN and AVC Management with Cisco Prime Infrastructure – Tony Hosseiny

Others
•  LTRCRS-2005 – Intermediate - Intelligent WAN (IWAN) Hands-On Lab: Leveraging Prime to deploy the IWAN Solution to The Next Generation Branch – Bill Reilly
•  CCSRST-2400 – SkyConnect, Lufthansa Systems global WAN Platform. Moving Business PKI to “IWAN” while adding more services to the network – Markus Voegel (Lufthansa)

Related
•  BRKCRS-2448 – Innovations in Branch Routing – Matt Bollick
•  BRKRST-2121 – Self Learning Networks – Jean-Philippe Vasseur
•  BRKNMS-3132 – Advanced NetFlow – Benoit Claise
•  BRKRST-2040 – WAN and Remote-Site Deployment using Cisco Validated Designs – Adam Groudan
•  PSORST-2008 – Introduction to Cisco ISR 4000 Series: Architected for Application Performance – Jay Chokshi
•  TECCRS-2003 – Advanced WAN Design Topics (Techtorial - 8h) – Adam Groudan, David Prall, Mark Mitchiner, Arvind Durai

Page 101: Intelligent WAN (IWAN) Architectures


Call to Action

•  Visit the World of Solutions for
  –  Cisco Campus – (speaker to add relevant demos/areas to visit)
  –  Walk in Labs – (speaker to add relevant walk in labs)
  –  Technical Solution Clinics

•  Meet the Engineer (Speaker to specify when they will be available for meetings)

•  Lunch time Table Topics

•  DevNet zone related labs and sessions

•  Recommended Reading: for reading material and further resources for this session, please visit www.pearson-books.com/CLMilan2015

Page 102: Intelligent WAN (IWAN) Architectures


Complete Your Online Session Evaluation

•  Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.

•  All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
