
SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

Date post: 20-Jan-2017
Upload: cisco-canada
Page 1: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

SP Virtual Managed Services

Chris Lewis, Engineering System Manager

May 19th 2016

Cisco Confidential. © 2015 Cisco and/or its affiliates. All rights reserved.

Page 2: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

Agenda

• Introduction

• VMS Services

• IWAN

• Cloud VPN

• Cloud VCE

• VMS Technology Drivers

• VMS Definition

• VMS Demo

• Conclusion

Page 3: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

Introduction

Page 4: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

Digital Innovation Overwhelming the Branch

[Infographic: Branch Office surrounded by OS Updates, HD Video, Omni-channel Apps, Mobile Apps, Online Training, SaaS Enterprise Apps, Social Media, Guest WiFi, Digital Displays]

[Infographic panels: More Users, More Devices, More Apps, More Risk. Figures shown: 20-50%, 73%, 80%, 30%. Captions: "Of employees and customers are served in branch offices*"; "Growth in mobile devices from 2014 - 2018**"; "Increase in Enterprise bandwidth per year through 2018**"; "Of advanced threats will target branch offices by 2016 (up from 5%)**"]

*Tech Target, Branch Office Growth Demands New Devices, 2013

**Gartner, Forecast Analysis: Worldwide Enterprise Network Services, Q2 2014 Update

***Gartner, “Bring Branch Office Network Security Up to the Enterprise Standard”, Jeremy D’Hoinne, 26 April 2013.

Page 5: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

Next generation network characteristics are more dynamic than in the past

Past: One Large Global WAN; One Carrier; Static Application Flow

Next generation: Hybrid DC, Cloud; WAN Connectivity On-demand; Multiple Carriers; New Traffic Patterns

Page 6: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

What Are These New Traffic Patterns?

[Diagram: "Traditional traffic" panel with Internet and MPLS Network; "New traffic" panel with Public Cloud, MPLS Network and Internet]

Page 7: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

MPLS is 5x the transport cost for traffic that ends up on the Internet anyway

[Chart; values shown: $1,000, 97%, 84%, $2.34; annotation: "Zone of Enlightenment"]

Page 8: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

VMS Services

Page 9: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

2016, The Year SD-WAN takes off...

ZK Research

Page 10: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

Definition: ONUG* (Large Enterprise User Group) has specified 10 requirements for an SD-WAN

ONUG SD-WAN Requirements (✔ = marked in the slide's "Cisco" column)

1. CPE: physical or virtual form factor ✔
2. Zero Touch Deployment: agility in provisioning and deployment ✔
3. Secure Hybrid WAN: Dynamic traffic engineering across Internet & private WAN based on application policy, and aware of network availability/degradation
4. Active-Active Architecture: Sites connect to applications through Internet & private WAN ✔
5. High Availability & Resiliency: Optimal for client user experience ✔
6. Layer 2 & 3 Interoperability: With directly connected switch and/or router ✔
7. Visibility, Prioritization & Steering Applications: Specifically business critical and real-time applications per security, corporate governance and compliance
8. Management Dashboard/Portal: By site, Application and VPN performance level ✔
9. Controller with open APIs: For access and management, forward specific log events ✔
10. FIPS 140-2 Validation Certification: Encryption with automated certificate life cycle management ✔

*ONUG: Open Networking User Group (Large Enterprises)

Page 11: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

What are the VMS services?

• Many and varied

• Starts with Cloud VPN

• Adds virtual service attachment

• Supports IWAN

• Real deployments will require aspects of each

Page 12: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

Full Cloud VPN

[Diagram labels: CPE, CloudVPN (IPSec), Internet, I-VRF, PE, DC, SW, UCS, vRouter (CSR1Kv), Firewall (ASAv), Web Security (WSAv), BR-INSIDE-01-VMS]

Page 13: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

Full Cloud VPN + vCE on CSR1Kv

[Diagram labels: CPE, CloudVPN (IPSec), Internet, I-VRF, PE, DC, SW, UCS, vRouter (CSR1Kv), Firewall (ASAv), Web Security (WSAv), BR-INSIDE-01-VMS, MPLS VPN, CustX-VRF, VLAN 85, 10.193.1.0/24, AS 65001, AS 65010, BR-vCE-PE-CustX]

Page 14: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

VMS IWAN as we know it

• A DMVPN cloud per transport between branch and enterprise hub

• All security implemented at hub before going out to Internet

[Diagram labels: Branch, ISR4K, Inet and MPLS DMVPN, MC1, MPLS, Internet, Public Cloud, Virtual Private Cloud, Private Cloud; callouts: "DMVPN today:", "ISR branch today:", "Multiple independent broadband circuits"]

Page 15: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

VMS IWAN with CPE Based Split Tunneling

Efficient access to SaaS, guarantees branch gets closest resource

Direct Internet Access: Local breakout direct to Internet for specific SaaS apps. Needs ZBF and ACL for security on CPE

[Diagram labels: Branch, ISR4K, Inet and MPLS DMVPN, MC1, MPLS, Internet, Public Cloud, Virtual Private Cloud, Private Cloud]

Page 16: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

VMS IWAN with service provider security services

Revenue opportunity to offer virtual services to IWAN connected customers

[Diagram labels: Branch, ISR4K, Inet and MPLS DMVPN, MPLS, Internet, Public Cloud, Private Cloud, SP Data Center, Virtual Security Services]

Page 17: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

Cisco Intelligent WAN Solution Components

• Transport Independent: Provider Flexibility; Modular Design; Common Operational Model

• Intelligent Path Control: Load Balancing; Policy-Based Path Selection; Network Availability

• Application Optimization: Application Visibility; App Acceleration; Intelligent Caching

• Secure Connectivity: Scalable, Strong Encryption; App-Aware Threat Defense; Cloud Web Security

[Diagram label: AX Router]

Page 18: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

The Challenge with IWAN: New Complexity

Today’s Enterprise WAN (e.g. Cisco)

e.g. Cisco: 16 IPoPs serving ~500 branch offices

• Stateful firewall

• DNS logging

• URL blacklisting

• AV in the cloud

• URL logging

• Netflow Collection

• IDS / IPS

• Anti-Malware

• Full Packet Capture

• Intellectual Property Protection

• Web Proxy logging for compliance

[Diagram labels: MPLS (IP-VPN), Internet PoP, Data Center, Internet, Public Cloud, Virtual Private Cloud]

Page 19: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

Scaling Security Posture

“How do I capture IWAN savings with this operational model?”

“16 becomes 500”

• Stateful firewall

• DNS logging

• URL blacklisting

• AV in the cloud

• URL logging

• Netflow Collection

• IDS / IPS

• Anti-Malware

• Full Packet Capture

• Intellectual Property Protection

• Web Proxy logging for compliance

[Diagram labels: MPLS (IP-VPN), Internet PoP, Data Center, Internet, "?"]

“It would be great if an SP could help us with this challenge” - John Manville, SVP Cisco IT

Page 20: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

Intelligent WAN (IWAN): A Hybrid WAN Solution - Built Exclusively for the Enterprise.

• Reduce Access Costs

• Achieve Network Diversity

• Intelligent path allocation

• Visibility, control and optimization

[Diagram labels: Branch (x3), Enterprise Hub, Enterprise HQ, Internet, IPSec Tunnel Direct to Hub, MPLS VPN Direct to SP]

Page 21: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

VMS Technology Drivers

Page 22: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

VMS Market Drivers

Why Are Things Different This Time Around?

• The second half of the chessboard dynamics of processing power

• Why Netconf and Yang are game-changers

• Simplicity of user experience rules

Page 23: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

What We’ve Learned From Exponential Growth

Second half of chessboard makes experience of first half irrelevant

iPad2 has more computing power than the Cray2 Supercomputer, at a fraction of the power consumption

[Figure: size and weight comparison; values shown: 53”, 45”, 7.3”, 16 ft², 57.45 ft³, 5,500 lbs, 9.5”, 0.48 ft², 0.013 ft³, 1.3 lbs]

Watson: AI is reaching human levels in some fields

Page 24: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

Moore’s Law Applied To Network Equipment

[Diagram labels: CORE, EDGE, AGGREGATION, ACCESS, CPE, OPTICAL]

Page 25: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

Why Netconf and YANG are important

From Complexity to Simplicity and Automation

FROM WEEKS TO MINUTES*

Manual: Architect It; Design It; Where Can We Put It?; Procure It; Install It; Configure It; Secure It; Is It Ready?

Automated, Self-Service, On-Demand

• Service Oriented

• Self-Service

• Automated Provisioning

• Elasticity (Capacity-on-Demand)

Page 26: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

Determining Business Relevance

How Important is an Application to Your Business?

Relevant (RFC 4594)

• These applications directly support business objectives

• Applications should be classified, marked and treated according to industry best-practice recommendations

Default (RFC 2474)

• These applications may/may not support business objectives (e.g. HTTP/HTTPS/SSL)

• Applications of this type should be treated with a Default Forwarding service

Irrelevant (RFC 3662)

• These applications do not support business objectives and are typically consumer-oriented

• Applications of this type should be treated with a “less-than Best Effort” service

Page 27: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

What Do We Do Under-the-Hood?

Apply RFC 4594-based Marking / Queuing / Dropping Treatments

Application Class | Per-Hop Behavior | Queuing & Dropping | Application Examples
VoIP Telephony | EF | Priority Queue (PQ) | Cisco IP Phones (G.711, G.729)
Broadcast Video | CS5 | (Optional) PQ | Cisco IP Video Surveillance / Cisco Enterprise TV
Real-Time Interactive | CS4 | (Optional) PQ | Cisco TelePresence
Multimedia Conferencing | AF4 | BW Queue + DSCP WRED | Cisco Jabber, Cisco WebEx
Multimedia Streaming | AF3 | BW Queue + DSCP WRED | Cisco Digital Media System (VoDs)
Network Control | CS6 | BW Queue | EIGRP, OSPF, BGP, HSRP, IKE
Signaling | CS3 | BW Queue | SCCP, SIP, H.323
Ops / Admin / Mgmt (OAM) | CS2 | BW Queue | SNMP, SSH, Syslog
Transactional Data | AF2 | BW Queue + DSCP WRED | ERP Apps, CRM Apps, Database Apps
Bulk Data | AF1 | BW Queue + DSCP WRED | E-mail, FTP, Backup Apps, Content Distribution
Default Forwarding | DF | Default Queue + RED | Default Class
Scavenger | CS1 | Min BW Queue (Deferential) | YouTube, Netflix, iTunes, BitTorrent, Xbox Live

[Business-relevance labels shown beside the table: Relevant, Default, Irrelevant]

Page 28: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

Simplicity of user experience

• Anticipate user needs

• Click and drill

• Intelligently guide user

• User manual not required

Page 29: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

Multiple Innovations Required For Big Leaps

Example: Internet

Internet: IP Created; HTML Invented; Telcos Deploy Broadband

Virtual Managed Services: Simplified Overlay Networks; Service Oriented Management; Computing power; Service Delivery Framework

Page 30: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

VMS Definition

Page 31: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

What is VMS?

[Diagram labels: Big Data Analytics Based Assurance, NSO]

Page 32: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

To get simplicity for the users, we need more intelligence in the system

• Separate intent from instantiation

• What is intent?

• What is instantiation?

• How do we tie instantiation to configuration?


Page 33: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

Orchestration

From instantiation to deployment

• YANG Model

• Instantiation for Site 1

• Instantiation for Site 2

• Combine with template

• Feed through NED

• Deliver via NETCONF

Page 34: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

VMS Network Services Orchestrator

[Diagram labels: PnP Server, Open PnP, Transaction Database, Service Manager, Device Manager, Network Element Drivers, Service Model (x3), x86, Virtual]

• Zero Touch Deployment: Open Method for ZTD Access, Supported by Netconf

• Service Models written in YANG abstract the service from underlying physical devices

• Service Manager interprets Service Intent with Service Instantiation Rules and derives configuration

• Device Manager manages derived and validated configurations in a transactional manner towards infrastructure.

• Network Element Drivers abstract the interfaces to the devices, allowing 3rd party infrastructure to participate in Service Instantiation

Page 35: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

True Zero Touch for devices with Internet Connections

1. New device is powered on and gets IP and internet connectivity from ISP

2. New device invokes web service API call to PnP Server and registers its UDI (serial number). Management channel established

3. User activates desired device (branch or hub router)

4. PnP server matches serial numbers and downloads the configuration

Assumptions:

• New device has internet connectivity (from the ISP)

• PnP server URL is hard coded

[Diagram labels: Customer branch, PnP Server, steps 1-4]

Page 36: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

VMS Orchestration Component Mapping

• NSO: Orchestrator

• ESC: Life Cycle Manager

• OpenStack: Virtualization

• VNFs

[Other diagram labels: CFS, RFS, Service APIs, Infrastructure]

Page 37: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

VMS Elastic Service Controller

[Diagram labels: Elastic Services Controller, Netconf, Confd, Service Monitor (Custom, DHCP, SNMP, Ganglia), Service Provisioning, Scale Up/Down, Elasticity, Custom Day 0 Config]

• VM Provisioning & Configuration Module

• VNS Bring-up & Initial Configuration Application.

• Multi-vendor Support.

• Allows Modular Communication with NCS.

• Data Model Driven.

• Affinity Rules and Scale Requirements for the VNF components

• ESC uses multidimensional approach to VNF Monitoring/Restartability

Page 38: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

Demo

Page 39: SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

Thank you.

