
Software-Defined WAN 101

Date post: 16-Apr-2017
Upload: globaltechnologyresourcesinc
WWW.GTRI.COM © 2016 Global Technology Resources, Inc. All rights reserved. Software Defined WAN 101 Mani Ganesan - Cisco Michael Edwards - GTRI
Transcript


Agenda
• What is SD-WAN?
• IWAN Architecture Overview
  • Transport Independence
  • Intelligent Path Control
  • Application Optimization
  • Secure Connectivity
• Orchestration & Automation
• Closing

Digital Innovation Overwhelming the Branch

[Diagram labels: BRANCH; OS Updates; HD Video; Mobile Apps; Online Training; Social Media; Guest Wi-Fi; Omnichannel Apps; SaaS Enterprise Apps; Digital Displays]

• MORE USERS: 80% of employees and customers are served in branch offices*
• MORE APPS: 20-50% increase in enterprise bandwidth per year through 2018**
• MORE THREATS: 30% of advanced threats will target branch offices by 2016 (up from 5%)***

* Tech Target, Branch Office Growth Demands New Devices, 2013
** Gartner, Forecast Analysis: Worldwide Enterprise Network Services, Q2 2015 Update
*** Gartner, “Bring Branch Office Network Security Up to the Enterprise Standard”, Jeremy D’Hoinne, 26 April 2013.

58% OF IT BUDGETS SPENT ON WAN CONNECTIVITY

Source: IDG

What If Your WAN Can…
• Pinpoint Application Issues Instantly
• Improve Your Application Performance
• Increase WAN Utilization / Deliver More Bandwidth for Lower Cost
• Consistent Security Policies / Ensure Security Over Any Connection
• Simplify Operations / Reduce Network Complexity

[Slide graphic labels: Hours, Minutes; 1x, 2x-20x; Backhaul, Local & Cloud; By Device, System]

Internet as an Extension of Enterprise WAN

Commodity Transports Viable Now

Dramatic Bandwidth, Price Performance Benefits

Higher Network Availability

Improved Internet Performance

ONUG - Software Defined-WAN Requirements
1) Physical or Virtual* devices
2) Zero Touch Deployment
3) Dynamic Traffic Engineering
4) Active-Active Architecture
5) HA and Resilient WAN
6) App Visibility, Prioritization and Steering
7) L2/3 Interoperability
8) Management Dashboard
9) Open North-bound API
10) FIPS 140-2 w/ Cert Management

[Diagram labels: Branch; Private Cloud; Virtual Private Cloud; Public Cloud; MPLS (IP-VPN); Internet; CSR1000-AX; APIC; Prime; Optimized Secure Transport; Direct Internet Access]

SD-WAN and beyond with Cisco IWAN

SD-WAN and Beyond with Cisco Intelligent WAN

[Diagram labels: Applications; Users/Devices; Private (MPLS); Public (Internet/4G LTE); Hybrid (MPLS, Internet)]

SMART
• Intelligent Path Control
• Application Optimization
• Advanced Content Caching

SECURE
• Secure Direct Internet Access
• Advanced Threat Defense
• Robust Data Encryption

SIMPLE
• SD-WAN Policy Management
• Deployment Automation
• Open APIs

Technology Blocks: Transport Independence; Application Optimization; Secure Connectivity; Intelligent Path Control

Intelligent WAN: Leveraging the Internet
Secure WAN Transport and Cloud Access

1. IWAN Secure transport for private and virtual private cloud access
2. Leverage local Internet path for public cloud and Internet access

Increase WAN transport capacity and app performance cost effectively!
Improve application performance (right flows to right places)

[Diagram labels: Branch; Optimized Secure Transport; Direct Cloud Access; Private Cloud; Virtual Private Cloud; Public Cloud; MPLS (IP-VPN); Internet]

Intelligent WAN (IWAN) Architecture

[Diagram labels: Enterprise; Unified Branch; MPLS; 3G/4G-LTE; Internet; Private Cloud; Virtual Private Cloud; Public Cloud]

• Transport Independence: Simplified Hybrid WAN
• Intelligent Path Control: Application Aware Routing
• Application Optimization: Enhanced Application Visibility and Performance
• Secure Connectivity: Comprehensive Threat Defense
• Management Automation

Cisco Intelligent WAN
Enabling the Next-Generation Branch
Mani Ganesan - Cisco

Transport-Independence
Virtualizing the Enterprise WAN

Flexible Secure IWAN Over Any Transport

Simplifies WAN Design
• Easy multi-homing with several providers
• Single routing control plane over the top of provider networks

Dynamic Full-Meshed Connectivity
• Consistent design over all WAN transport types
• Scalable Hub-n-spoke with dynamic full mesh topology

Proven Robust Security
• Industry Certified security compliance
• Scalable high-performance cryptography in hardware

[Diagram labels: Branch; ISR; WAN; Internet; MPLS; ASR 1000 (x2); Data Center; Transport-Independent; Secure; Flexible]

IWAN Transport Independence
Consistent deployment models simplify operations

[Diagram: three deployment models, each connecting a Branch ISR to Data Center ASR 1000s over DMVPN]
• IWAN Dual MPLS: MPLS (SP A) + MPLS (SP B)
• IWAN HYBRID: Internet (ISP A) + MPLS (SP B)
• IWAN HYBRID/LTE: 4G/LTE (ISP C) + MPLS (SP B)

Intelligent Path Control
Improving Application Delivery and WAN Efficiency

Getting the Most Out of Your WAN Investment
Benefits of Intelligent Path Control

Enabling Hybrid WANs
• Efficient Distribution of Traffic Based Upon Load or Path Preference
• Application Best Path Based on Quality
• Protection From Carrier Black Holes and Brownouts

• Lower WAN Costs
• Full Utilization of WAN Bandwidth
• Improved Application Performance
• Higher Application Availability

[Diagram labels: Branch; ISR; MPLS; Internet; ASR 1000 (x2); Data Center]

Intelligent Path Control with PfR
Voice and Video Use-Case

• PfR monitors network performance and routes applications based on policy
• PfR load balances traffic based upon link utilization levels to efficiently utilize all available WAN bandwidth

• Voice/Video take the best delay, jitter, and/or loss path
• Voice/Video will be rerouted if the current path degrades below policy thresholds
• Other traffic is load balanced to maximize bandwidth

[Diagram labels: Branch; MPLS; Internet; Virtual Private Cloud; Private Cloud]

Protecting Critical Applications While Increasing Link Efficiency

Multimedia and Critical Data Policy
• Protect voice and video quality
  Latency < 150 ms
  Jitter < 20 ms
• Protect Email applications from WAN congestion
  Loss < 5%
• Voice and video preferred path SP1
• Email preferred path ISP
• Increase utilization by load sharing

Business App and Load-Balancing Policy
• Protect transactional business app from brownouts
  delay < 250ms
• Preferred path SP1 (MPLS)
• Increase WAN bandwidth efficiency by load-sharing traffic over all WAN paths, MPLS + Internet

[Diagram labels: SP1 (MPLS); ISP (FTTH); ISP (DSL); Voice and Video; Email; Business App; Best-Effort Traffic; High Jitter Detected; High Delay Detected]

Load Balancing
Maximizing Link Utilization to Increase Available Bandwidth

• Traffic distributed across all paths to efficiently use all WAN bandwidth
• Load Balancing based upon link utilization levels
• External links can have different bandwidth capacities
  MPLS = 1.5Mbps
  Internet = 15Mbps

[Diagram labels: ISR; WAN; MPLS: 50% T1 = 750kbps; Internet: 50% 15Mbps = 7.5Mbps; ASR 1000 (x2); Data Center]
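The policy thresholds and load-sharing figures from the path-control slides above, worked through as an added example (a simplified model written for this page, not PfR's actual algorithm and not Cisco code). The thresholds, preferred paths and link capacities are the slides'; the path measurements and function names are constructed for illustration.

```python
# Simplified model of the slides' PfR policies (added illustration; this is
# not PfR's actual algorithm). Thresholds and preferred paths are the slides'.
POLICY = {
    "voice-video": ("SP1", {"delay_ms": 150, "jitter_ms": 20}),
    "email": ("ISP", {"loss_pct": 5}),
    "business-app": ("SP1", {"delay_ms": 250}),
}

# Constructed measurements: SP1 (MPLS) shows the "High Jitter Detected" case.
SAMPLE_PATHS = {
    "SP1": {"delay_ms": 120, "jitter_ms": 35, "loss_pct": 0.1},
    "ISP": {"delay_ms": 90, "jitter_ms": 8, "loss_pct": 1.0},
}

def in_policy(metrics, limits):
    """True when every monitored metric is below its policy threshold."""
    return all(metrics[name] < limit for name, limit in limits.items())

def choose_path(app, paths):
    """Preferred path while it is in policy, otherwise the first other path
    that is; if none qualifies, stay on the preferred path."""
    preferred, limits = POLICY[app]
    if in_policy(paths[preferred], limits):
        return preferred
    for name, metrics in paths.items():
        if name != preferred and in_policy(metrics, limits):
            return name
    return preferred

def share_load(offered_kbps, capacity_kbps):
    """Split best-effort load in proportion to link capacity, so links of
    different sizes end up at the same utilization percentage."""
    total = sum(capacity_kbps.values())
    return {link: offered_kbps * cap / total
            for link, cap in capacity_kbps.items()}

if __name__ == "__main__":
    for app in POLICY:
        print(app, "->", choose_path(app, SAMPLE_PATHS))
    # 8.25 Mbps of best-effort traffic over a T1 and a 15 Mbps Internet link
    print(share_load(8250, {"MPLS": 1500, "Internet": 15000}))
```

With the sample measurements, voice and video leave SP1 because its jitter exceeds 20 ms, while the business app stays on SP1 because its delay is still under 250 ms.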

Application Optimization

Today’s Network is an IT Blind Spot
• Static port classification is no longer enough
• More and more apps are opaque
• Increasing use of encryption and obfuscation
• Application consists of multiple sessions (video, voice, data)
• What if user experience is not meeting business needs?

Make Your IWAN Application Aware
Application Visibility and Control (AVC)

Application Performance Visibility
• Application inspection with existing routers
• Rich data collection using NetFlow v9/IPFIX
• Easy to integrate into many reporting tools

Smart Capacity Planning
• Better use of costly bandwidth
• Per-branch and per-application level reporting

Business Objective Enforcement
• Service Level monitoring per application
• Better Analytics to adjust network policies to maintain compliance

[Diagram labels: Branch; Private Cloud; Public Cloud; DC/Headquarters; Cisco AVC]

Performance Collection & Exporting
Integrated performance monitoring and advanced metrics for different types of applications and use cases

• Basic Monitoring: What applications, how much bandwidth, flow direction? (NBAR2 and Flexible Netflow)
• Voice and Video Performance (Media Monitoring): 30% of traffic is voice and video
• Critical Applications Performance (Application Response Time): 40% of traffic is critical applications

[Diagram labels: Unified Monitoring; HTTP; AVC]

Add WAN Optimization with WAAS + Akamai
Speed and Bandwidth Benefits on Top of the IWAN

Application Optimization
• Improved Application performance, delay mitigation, less bandwidth
• Twice as many Citrix users over same WAN, 70% faster
• Typical ROI in less than one year, 65% BW cost savings

Content Caching & Prepositioning
Simple and Scalable
• Works with existing branch routers
• Scale out optimizations resources with AppNav
• Native HA resiliency

Improving Application Performance
• Reduces WAN bandwidth usage, while accelerating applications
• Intelligent caching of internal and Internet content
• Prepositioning of data and rich media before it is needed

[Diagram labels: Branch; DC/POP; Private Cloud; WAN; vWAAS; AppNav-XE Controller; CSR; WAVE, vWAAS]

WAAS and Akamai Connect Synergy

AKAMAI Connect
• Transparent Cache
• Dynamic URL Cache
• Akamai Connected Cache
• Content Pre-positioning

CISCO WAAS
• LZ Compression
• TCP Optimization
• Data De-duplication
• Application Specific Acceleration

IWAN Secure Connectivity

Intelligent WAN: Secure Connectivity
Securing the network and users

Two areas of concern
1. Protecting the network from outside threats with data privacy over provider networks
2. Protecting user access to Public Cloud and Internet services; malware, privacy, phishing,…

[Diagram labels: Branch; Secure WAN Transport; MPLS (IP-VPN); Internet; Secure Internet Access; Private Cloud; Virtual Private Cloud; Public Cloud]

Securing the IWAN Transport
IPSec VPN and Access Control

• Step 1: Authenticate hardware and software
  • Trust Anchor Module verification
• Step 2: Secure Transport
  • Proven IPsec VPN overlay
  • Strong Cryptography: IKEv2 + AES-GCM 256
  • F-VRF to isolate provider networks
• Step 3: Access Control
  • IOS Zone-based Firewall or ACLs protection
  • Role based access to router w/ logging
  • Minimize exposure
    • Provider assigned addressing to hide routers
    • Don’t put tunnel addresses into DNS

[Diagram labels: Branch; MPLS; Internet; ISP A; ISP C; ASR 1000 (x2); Data Center]
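A small audit of the Step 2 transport controls listed above, as an added example (not code from the slides or from Cisco): it parses IOS-style configuration text and reports DMVPN tunnels that lack a front-door VRF (F-VRF, `tunnel vrf`), IPsec protection, an AES-GCM 256 transform set or an IKEv2 profile. The sample configuration and every name in it (TS-GCM, PROF-GOOD, IWAN-TRANSPORT-1 and so on) are constructed for illustration.

```python
# Constructed IOS-style sample (not from the slides). Tunnel10 follows the
# slide's Step 2; Tunnel20 is deliberately weak for comparison.
SAMPLE = """\
crypto ipsec transform-set TS-GCM esp-gcm 256
crypto ipsec transform-set TS-CBC esp-aes 256 esp-sha-hmac
crypto ipsec profile PROF-GOOD
 set transform-set TS-GCM
 set ikev2-profile IKEV2-PROF
crypto ipsec profile PROF-WEAK
 set transform-set TS-CBC
interface Tunnel10
 tunnel vrf IWAN-TRANSPORT-1
 tunnel protection ipsec profile PROF-GOOD
interface Tunnel20
 tunnel protection ipsec profile PROF-WEAK
"""

def blocks(cfg):
    """Map each top-level command to itself plus its indented sub-commands."""
    out, head = {}, ""
    for line in filter(str.strip, cfg.splitlines()):
        if not line.startswith(" "):
            head = line.strip()
        out.setdefault(head, []).append(line.strip())
    return out

def audit(cfg):
    """Return {tunnel: [findings]} for the Step 2 transport controls."""
    cfg_blocks = blocks(cfg)
    gcm_sets = {h.split()[3] for h in cfg_blocks
                if h.startswith("crypto ipsec transform-set ")
                and h.split()[4:6] == ["esp-gcm", "256"]}
    report = {}
    for head, body in cfg_blocks.items():
        if not head.startswith("interface Tunnel"):
            continue
        prof = next((l.split()[-1] for l in body
                     if l.startswith("tunnel protection ipsec profile ")), None)
        sub = cfg_blocks.get(f"crypto ipsec profile {prof}", [])
        sets = [l.split()[-1] for l in sub if l.startswith("set transform-set ")]
        checks = [
            (any(l.startswith("tunnel vrf ") for l in body), "no F-VRF (tunnel vrf)"),
            (prof is not None, "tunnel not protected by IPsec"),
            (any(s in gcm_sets for s in sets), "transform set is not AES-GCM 256"),
            (any(l.startswith("set ikev2-profile ") for l in sub), "no IKEv2 profile bound"),
        ]
        report[head.split()[1]] = [msg for ok, msg in checks if not ok]
    return report
```

Calling `audit(SAMPLE)` returns an empty finding list for Tunnel10 and three findings for Tunnel20; the check covers the IPsec transform set only, not the IKEv2 proposal's own cipher.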

Cisco Router Security Certifications

Columns: FIPS 140-2, Level 2 | Common Criteria EAL4 | NG Strong Crypto AES-GCM-256*

Platforms listed:
• Cisco ISR 890 Series
• Cisco ISR 1900 Series
• Cisco ISR 2900 Series
• Cisco ISR 3900 Series
• Cisco ISR 4000 Series
• Cisco ASR 1000 Series **

* RFC 6379 Suite B
** Not supported on older RP1 based ASR 1000s

Add Network Integrated Threat Defense
IOS Zone-Based Firewall

• Control the Perimeter:
  • External and internal protection: internal network is no longer trusted
  • Protocol anomaly detection and stateful inspection
• Communicate Securely:
  • Call flow awareness (SIP, SCCP, H323)
  • Prevent DoS attacks
• Flexible:
  • Split Tunnel-Branch direct Internet access
  • Internal FW: addresses regulatory compliances
• Integrated:
  • No need for additional devices, expenses and power
  • Works with other IWAN Services: CWS, WAAS, UCS-E,…
• Manageable:
  • APIC-EM, Prime, CLI, SNMP, CCP, and CSM

[Diagram labels: Branch; MPLS; Internet; ISP A; ISP C; ASR 1000 (x2); Data Center]

Intelligent WAN—Direct Cloud Access

• Leverage Local Internet path for Public Cloud and Internet access
• Improve application performance (right flows to right places)

Solutions
• On Premise – Zone Based Firewall
• Cloud Based – Cloud Web Security

[Diagram labels: Branch; MPLS (IP-VPN); Internet; Direct Internet Access; Private Cloud; Virtual Private Cloud; Public Cloud; CWS; ISR-AX; ZBFW]

Secure Internet Access with Cisco Cloud Web Security (CWS) with ISR-4000 and ISR-G2 Series Routers

• Secure Public Cloud and Internet Access
• ISR Connector to CWS Firewall towers
• Web Filtering, Access Policy, Malware Detect
• IWAN IPsec VPN for Private Cloud Traffic
• IOS Firewall to protect Internet Edge

[Diagram labels: Branch; WAN1 (IP-VPN); WAN2 (Internet); CWS; Private Cloud; Public Cloud; Internet]

Orchestration and Automation

Network-Wide Abstractions Simplify the Network

The SDN Ideal: Controller as the Application Platform

[Diagram labels: Applications; Security; Orchestration; Automation; Collaboration; Virtualization; REST API; SOUTHBOUND ABSTRACTION LAYER; CATALYST®; CISCO NEXUS®; ASR; ISR; WIRELESS; ASA; OTHER]

IWAN SD-WAN Automation with APIC-EM

• Cisco® APIC-EM centralized policy expression and distribution
• Distributed policy enforcement
• Automated application and topology discovery
• Application and network performance monitoring
• Adaptive path selection and QoS to sustain policy
• Performance analytics collected network-wide and reported centrally

[Diagram labels: IWAN APP; Policy Expression; IWAN Domain Controller; Policy Rendering; Policy Distribution and Domain Control; Distributed Policy Enforcement; MC Branch; MC Large Site; MC Campus; Data Center or POP; Data Center or POP #2...n; 4G LTE; Internet; MPLS (IP-VPN)]

Cisco IWAN Management Portfolio
Covering a broad range of requirements and preferences

Advanced Orchestration
• Customer wants advanced provisioning, life cycle management, and customized policies
• System-wide network consistency assurance
• Lean IT OR IT Network team

Enterprise Network Mgmt and Monitoring
• Customer needs customizable IWAN with end-to-end monitoring
• One Assurance across Cisco portfolio from Branch to Datacenter
• IT Network team

Prescriptive Policy Automation
• Customer wants considerable automation and operational simplicity
• Requirements consistent with prescriptive IWAN Validated Design
• Lean IT organization

Application Aware Performance Mgmt
• Customer looking for advanced monitoring and visualization
• QoS/PfR/AVC configuration, Real-time analytics and network troubleshooting
• IT Network team

[Slide labels: Cisco Prime Infrastructure; IWAN App; Ecosystem Partners]

IWAN App Demo

GTRI SDN Solutions
• GTRI’s Virtualization and Advanced Networking Professional Services (PS) practice has expertise with SDN vendor solutions.
• GTRI has top-tier partner status with the most relevant long-term vendors in the IT virtualization market.
• GTRI offers an SDN readiness assessment service to assess your infrastructure, your applications, and the benefits to your business gained from using SDN.
• GTRI has an SDN test bed where we can learn and teach SDN solutions and help validate solutions prior to deployment.
• GTRI is performing SDN deployments and we will freely share the latest vendor and industry information with you.

FREE SDN Technology Review
• We are offering a FREE 3-hour (~1/2 day) SDN technology review for your company
• Bring your networking, security, DevOps, and other technology teams together
• Review SDN capabilities within your existing networked systems
• Discuss SDN architecture and design options
• Review network automation and network programmability potential
• Engage in conversation on securely deploying IPv6 and using SDN for security

Q&A
Thank you for attending!

[email protected] | 877.603.1984 | @gtri_global

