Cisco Intelligent WAN: or how to improve the branch experience
Martin Langlois
Technology Solutions Architect, October 2015 – Cisco Connect Montréal
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Agenda
Transport independence
Per-application path control
Acceleration
Let's talk security
Orchestration and automation
Intelligent WAN: use the Internet? Secure transport and local Internet access
[Diagram: branch connected over MPLS (IP-VPN) and Internet; optimized, secured transport to the private cloud and the virtual private cloud; direct access to Internet applications and cloud services]
1. IWAN: secure transport for access to enterprise data and applications
2. Use of the Internet from the branch to reach services directly
Increase WAN performance while keeping it cost-effective
Improve application performance through efficient diversification of flows
Intelligent WAN (IWAN) Architecture
[Diagram: branch with MPLS, Internet and 3G/4G-LTE transports reaching the data center, the cloud and Internet services]
Application Optimization: application visibility to enable optimal transport
Secure Connectivity: integrated security offering
Intelligent Path Control: per-application routing
Transport Independent: simple, high-performing hybrid WAN
Management and automation
Proposed deployment modes
Dual MPLS (MPLS + MPLS): service levels (SLA, QoS); drawbacks: adding new services, expensive
Hybrid (MPLS + Internet): enables SaaS and/or more bandwidth; service levels (SLA, QoS); availability up to 99.999%
Dual Internet (Internet + Internet): price/performance (bandwidth); SLA managed in-house; availability up to 99.999%
[Diagram: transports per mode, labelled Public / Public / Enterprise]
A consistent secure connection method is used across all deployment modes.
IWAN: an architectural approach
• IWAN is a "solution": it solves a problem
• Requested by our customers
• Systemic development approach
• Defined. Tested. Interoperable.
• Contained scope and complexity
• Enables automation and improvements
• Delivers tangible results: simplifies network operation
• Lower cost for more bandwidth
• Improves application performance
• Direct access to the cloud
• Distributed guest access
Transport independence: WAN virtualization in the enterprise
Simplified design | Dynamic connections | Robust, proven security
Flexible, secure connections over the different transport types
Flexible:
• Simplified multi-homing across multiple providers
• Single routing protocol
• Same solution replicated across the different media
• Scalable hub-and-spoke and full-mesh topologies
Secure:
• Solution components certified to the industry's highest standards
• Hardware encryption
[Diagram: HQ ASR 1000 routers on Internet and MPLS, branch ISR; transport-independent WAN]
IWAN design: transport independence with Dynamic Multipoint VPN (DMVPN)
• Proven IPsec technology
  • Widely deployed and scalable
  • Uses standard mechanisms
  • QoS: per tunnel, hierarchical, adaptive
• Flexible and resilient
  • Over any transport: MPLS, Ethernet, Internet, 3G/4G, ...
  • Hub-and-spoke with dynamic spoke-to-spoke meshing (optional)
  • Several redundancy options: hardware, hub, transports
• Security
  • Certified IPsec and firewall
  • Encryption: AES-GCM-256 (Suite B)
  • IKE version 2
  • IEEE 802.1AR secure unique device identifier
• Simplified deployments
  • Cisco design and configuration guide for IWAN
  • Automated provisioning: Prime, IWAN App, Glue
[Diagram: IWAN hybrid; branches over Internet (ISP A) and MPLS (SP B) to the data center; two DMVPN clouds, purple and green]
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKCRS-2000
[Lab topology used in the following slides: two data centers linked by a DCI (10.89.22.0/24). DC1 (10.8.0.0/16): core routers R82/R83 (10.8.23.0/24), hub R84 on DMVPN1 (MPLS, Tunnel100 10.0.100.84/24) and hub R85 on DMVPN2 (INET, Tunnel200 10.0.200.85/24), interconnected over 10.8.24.0/24, 10.8.25.0/24 and 10.8.45.0/24. DC2 (10.9.0.0/16): core routers R92/R93 (10.9.23.0/24), hubs R94 (Tunnel100 10.0.100.94/24) and R95 (Tunnel200 10.0.200.95/24), interconnected over 10.9.24.0/24, 10.9.25.0/24 and 10.9.45.0/24. Branches: single router R11 (loopback 10.2.11.11/32, LAN 10.1.11.254/24), dual-router branch R12/R13 (loopbacks 10.2.12.12/32 and 10.2.13.13/32; Tunnel100 10.0.100.13/24 and Tunnel200 10.0.200.13/24 by address), and R21/R22. Interface labels E0/0, E0/2, E0/3, E1/0 belong to the diagram.]
R84> (DC1 hub, DMVPN1 over MPLS)
interface Tunnel100
 bandwidth 100000
 ip address 10.0.100.84 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp nhs 10.0.100.94 nbma 172.16.94.1 multicast
 ip nhrp redirect
 ip tcp adjust-mss 1360
 load-interval 30
R84>
interface Tunnel100
 ! (continued)
 nhrp map group spoke-600Kbps service-policy output prm-dscp#egress-iwan8#shape-6K
 nhrp map group spoke-1.5Mbps service-policy output prm-dscp#egress-iwan8#shape-1.5M
 nhrp map group spoke-6.3Mbps service-policy output prm-dscp#egress-iwan8#shape-6.3M
 nhrp map group spoke-10Mbps service-policy output prm-dscp#egress-iwan8#shape-10M
 nhrp map group spoke-15Mbps service-policy output prm-dscp#egress-iwan8#shape-15M
 nhrp map group spoke-20Mbps service-policy output prm-dscp#egress-iwan8#shape-20M
 nhrp map group spoke-44Mbps service-policy output prm-dscp#egress-iwan8#shape-44M
 nhrp map group spoke-100Mbps service-policy output prm-dscp#egress-iwan8#shape-100M
 performance monitor context PrmAM_AVC-MPLS_c
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel vrf IWAN-MPLS
 tunnel protection ipsec profile DMVPN-PROFILE-1
 domain IWAN path MPLS path-id 1
R11> (branch spoke)
interface Tunnel100
 bandwidth 600
 bandwidth receive 6000
 ip address 10.0.100.11 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip pim dr-priority 0
 ip pim sparse-mode
 ip flow monitor MONITOR-STATS input
 ip flow monitor MONITOR-STATS output
 ip nhrp authentication cisco
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp nhs 10.0.100.84 nbma 172.16.84.1 multicast
 ip nhrp nhs 10.0.100.94 nbma 172.16.94.1 multicast
 ip nhrp registration no-unique
R11>
interface Tunnel100
 ! (continued)
 ip nhrp registration timeout 60
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 nhrp group spoke-6.3Mbps
 no nhrp route-watch
 if-state nhrp
 performance monitor context PrmAM_AVC-InetMPLS_c
 cdp enable
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel vrf IWAN-MPLS
 tunnel protection ipsec profile DMVPN-PROFILE-1
R11#show ip route
! (no VRF here)
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 10.0.100.94 to network 0.0.0.0

D*EX  0.0.0.0/0 [170/13663573] via 10.0.100.94, 01:20:17, Tunnel100
   p  10.0.0.0/8 is variably subnetted, 33 subnets, 4 masks
C  p     10.0.100.0/24 is directly connected, Tunnel100
L  p     10.0.100.11/32 is directly connected, Tunnel100
C  p     10.0.200.0/24 is directly connected, Tunnel200
L  p     10.0.200.11/32 is directly connected, Tunnel200
D  p     10.8.0.0/16 [90/13653973] via 10.0.100.84, 01:20:17, Tunnel100
D  p     10.9.0.0/16 [90/13653973] via 10.0.100.94, 01:20:21, Tunnel100
R11#show ip eigrp neighbors
EIGRP-IPv4 VR(IWAN) Address-Family Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
3   10.0.100.84             Tu100                    11 01:20:43    6   240  0  1194
2   10.0.200.85             Tu200                    13 01:20:43    3   246  0  2384
1   10.0.100.94             Tu100                    12 01:20:47    7   228  0  2727
0   10.0.200.95             Tu200                    11 01:20:48    3   228  0  678
R11#show eigrp service-family ipv4 neighbors
EIGRP-SFv4 VR(#AUTOCFG#) Service-Family Neighbors for AS(59501)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   10.8.82.82              Lo0                     491 01:20:52   12   100  0  246
Intelligent path control: how to give applications more
Controlled path selection with PfR: voice and video example
[Diagram: branch with MPLS and Internet links to Internet services]
• PfR monitors network performance and steers application traffic according to policy
• PfR balances traffic across all active links for better bandwidth utilization
Voice/video take the best path: delay, jitter and packet loss are measured
Voice/video are rerouted if thresholds are exceeded
The rest of the traffic is load-balanced
Performance Routing (PfR)?
[Diagram: branch border routers (BR) on MPLS and Internet; data center with a master controller (MC) and a combined MC+BR]
"Performance Routing (PfR) adds information to classic routing in order to track and verify the quality of a path across a wide area network (WAN) and determine the best path for application traffic."
Priority applications and traffic balancing
Policy for multimedia:
[Diagram: SP1 (MPLS) and ISP (FTTH); high latency detected on one path; voice and video move, best-effort traffic stays]
• Preserve voice and video quality: latency < 150 ms, jitter < 20 ms
• Protect email: loss < 5%
• Voice and video use the SP1 link preferentially
• Email uses the Internet
• Bandwidth is used more efficiently
Policy for business-critical traffic:
[Diagram: SP1 (MPLS) and ISP (DSL); jitter level too high on one path; voice and video, email, best-effort traffic]
Bandwidth for enterprise applications first
• Protection against excessive latency for critical applications: < 250 ms
• Preferred path SP1 (MPLS)
• Better bandwidth utilization by using all available links
Traffic balancing to maximize bandwidth utilization
• Traffic distributed across all links
• Balancing based on link speed
• Links can have different speeds: MPLS = 1.5 Mbps, Internet = 15 Mbps
[Diagram: branch ISR to data center ASR 1000s over Internet and MPLS]
50% of a T1 = 750 kbps
50% of 15 Mbps = 7.5 Mbps
R82> (DC1 master controller, hub)
domain IWAN
 vrf default
  master hub
   source-interface Loopback0
   site-prefixes prefix-list DC_PREFIX
   monitor-interval 4 dscp af31
   monitor-interval 4 dscp cs4
   monitor-interval 4 dscp af41
   monitor-interval 4 dscp ef
   load-balance
   enterprise-prefix prefix-list ENTERPRISE_PREFIX
   collector 10.8.101.8 port 2055
   class VOICE sequence 10
    match dscp ef policy custom
     priority 2 loss threshold 5
     priority 1 one-way-delay threshold 100
    path-preference MPLS fallback INET
   class CRITICAL sequence 30
    match dscp af31 policy custom
     priority 2 loss threshold 10
     priority 1 one-way-delay threshold 600
    path-preference MPLS fallback INET
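To make the hub policy above concrete, the following added example (not code from the presentation or from Cisco) parses the class definitions from the R82 master-hub block and applies them to per-path measurements. It is a deliberately simplified model of the PfRv3 decision: a class stays on its preferred path while every threshold is met and moves to the fallback path only when the fallback is itself in policy. The measurement dictionary, the function names (parse_policy, select_path, violations) and the PfrClass structure are this example's own; jitter and byte-loss, which PfR also tracks, are left out.

```python
"""Parse the 'domain IWAN' master-hub policy and apply it to sample
per-path measurements. Simplified model of PfRv3 path selection.

Added example, not from the presentation or from Cisco."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PfrClass:
    name: str
    sequence: int
    dscp: str
    # metric -> (priority, threshold); 'loss' in percent, 'one-way-delay' in ms,
    # matching the slide's policy syntax
    thresholds: Dict[str, tuple] = field(default_factory=dict)
    path_preference: List[str] = field(default_factory=list)


def parse_policy(config: str) -> Dict[str, PfrClass]:
    """Extract class definitions from a 'domain / vrf / master hub' block."""
    classes: Dict[str, PfrClass] = {}
    current: Optional[PfrClass] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"class (\S+) sequence (\d+)$", line)
        if m:
            current = PfrClass(m.group(1), int(m.group(2)), dscp="")
            classes[current.name] = current
            continue
        if current is None:
            continue  # lines before the first class (collector, intervals, ...)
        m = re.match(r"match dscp (\S+) policy custom$", line)
        if m:
            current.dscp = m.group(1)
            continue
        m = re.match(r"priority (\d+) (loss|one-way-delay) threshold (\d+)$", line)
        if m:
            current.thresholds[m.group(2)] = (int(m.group(1)), int(m.group(3)))
            continue
        m = re.match(r"path-preference (\S+)(?: fallback (\S+))?$", line)
        if m:
            current.path_preference = [p for p in m.groups() if p]
    return classes


def class_for_dscp(classes: Dict[str, PfrClass], dscp: str) -> Optional[PfrClass]:
    """Lowest sequence number wins, as in the policy's ordering."""
    matches = [c for c in classes.values() if c.dscp == dscp]
    return min(matches, key=lambda c: c.sequence) if matches else None


def violations(cls: PfrClass, metrics: Dict[str, float]) -> List[str]:
    """Thresholds exceeded on one path, highest priority (lowest number) first."""
    out = [(prio, name) for name, (prio, limit) in cls.thresholds.items()
           if metrics.get(name, 0.0) > limit]
    return [name for _, name in sorted(out)]


def select_path(cls: PfrClass, measurements: Dict[str, Dict[str, float]]) -> str:
    """First path in preference order that is in policy; if none is,
    stay on the preferred path (nothing better is available)."""
    for path in cls.path_preference:
        if path in measurements and not violations(cls, measurements[path]):
            return path
    return cls.path_preference[0]


# The class definitions from the R82 master-hub slide.
MASTER_POLICY = """\
domain IWAN
 vrf default
  master hub
   collector 10.8.101.8 port 2055
   class VOICE sequence 10
    match dscp ef policy custom
     priority 2 loss threshold 5
     priority 1 one-way-delay threshold 100
    path-preference MPLS fallback INET
   class CRITICAL sequence 30
    match dscp af31 policy custom
     priority 2 loss threshold 10
     priority 1 one-way-delay threshold 600
    path-preference MPLS fallback INET
"""

# Constructed measurements: the MPLS path shows 6% loss, the Internet path is clean.
SAMPLE_METRICS = {
    "MPLS": {"loss": 6.0, "one-way-delay": 40.0},
    "INET": {"loss": 0.1, "one-way-delay": 70.0},
}

if __name__ == "__main__":
    policy = parse_policy(MASTER_POLICY)
    for dscp in ("ef", "af31"):
        cls = class_for_dscp(policy, dscp)
        print(dscp, "->", cls.name, "uses", select_path(cls, SAMPLE_METRICS))
```

With the constructed measurements, VOICE (5% loss threshold) leaves MPLS for INET while CRITICAL (10% threshold) stays on MPLS, which is exactly the per-class behaviour the two thresholds are meant to produce.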
R84> (DC1 border router)
domain IWAN
 vrf default
  border
   source-interface Loopback0
   master 10.8.82.82
   collector 10.8.101.8 port 2055
R11> (branch: border and local master)
domain IWAN
 vrf default
  border
   source-interface Loopback0
   master local
   collector 10.8.101.8 port 2055
  master branch
   source-interface Loopback0
   hub 10.8.82.82
   collector 10.8.101.8 port 2055
R11#show domain IWAN master status
*** Domain MC Status ***
(…)
Borders:
  IP address: 10.11.0.1
  Version: 2
  Connection status: CONNECTED (Last Updated 1d22h ago )
  Interfaces configured:
    Name: Tunnel100 | type: external | Service Provider: MPLS | Status: UP | Zero-SLA: NO
      Number of default Channels: 3
      Path-id list: 0:1 1:1
    Name: Tunnel200 | type: external | Service Provider: INET | Status: UP | Zero-SLA: NO
      Number of default Channels: 3
      Path-id list: 0:2 1:2
R11#sh domain IWAN master traffic-classes dscp ef
Dst-Site-Prefix: 10.8.0.0/16  DSCP: ef [46]  Traffic class id: 272
  Clock Time:                  11:39:00 (EDT) 06/10/2015
  TC Learned:                  00:42:24 ago
  Present State:               CONTROLLED
  Current Performance Status:  in-policy
  Current Service Provider:    MPLS since 00:08:06
  Previous Service Provider:   INET pfr-label: 0:2 | 0:0 [0x20000] for 181 sec
  BW Used:                     80 Kbps
  Present WAN interface:       Tunnel100 in Border 10.11.0.1
  Present Channel (primary):   238 MPLS pfr-label:0:1 | 0:0 [0x10000]
  Backup Channel:              218 INET pfr-label:0:2 | 0:0 [0x20000]
  Destination Site ID bitmap:  1
  Destination Site ID:         10.8.82.82
  Class-Sequence in use:       10
  Class Name:                  VOICE using policy User-defined
    priority 2 packet-loss-rate threshold 5.0 percent
    priority 1 one-way-delay threshold 100 msec
    priority 2 byte-loss-rate threshold 5.0 percent
  BW Updated:                  00:00:22 ago
(…)
R11#sh domain IWAN master traffic-classes dscp ef
(…)
  Reason for Latest Route Change:  Backup to Primary path preference transition
  Route Change History:
      Date and Time                  Previous Exit                   Current Exit                    Reason
   1: 11:30:54 (EDT) 06/10/2015      INET/10.11.0.1/Tu200 (Ch:218)   MPLS/10.11.0.1/Tu100 (Ch:238)   Backup to Primary path preference transition
   2: 11:27:53 (EDT) 06/10/2015      MPLS/10.11.0.1/Tu100 (Ch:238)   INET/10.11.0.1/Tu200 (Ch:218)   Unreachable
   3: 11:21:55 (EDT) 06/10/2015      INET/10.11.0.1/Tu200 (Ch:218)   MPLS/10.11.0.1/Tu100 (Ch:238)   Unreachable
   4: 11:18:54 (EDT) 06/10/2015      MPLS/10.11.0.1/Tu100 (Ch:238)   INET/10.11.0.1/Tu200 (Ch:218)   Loss Rate Pkts: 5.0 %
   5: 11:10:34 (EDT) 06/10/2015      INET/10.11.0.1/Tu200 (Ch:218)   MPLS/10.11.0.1/Tu100 (Ch:238)   Unreachable
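The route-change history above is the evidence an operator reads when a traffic class bounces between transports. The added example below (not code from the presentation or from Cisco) parses that section of the show output, counts the change reasons and flags a class as flapping when more than a given number of transitions fall inside a time window. The sample text is the slide's own history, the thresholds (3 changes in 30 minutes) are constructed defaults, and the function names are this example's own.

```python
"""Parse the 'Route Change History' of 'show domain IWAN master
traffic-classes' and flag path flapping and recurring change reasons.

Added example, not from the presentation or from Cisco."""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, NamedTuple

# One history entry: index, time, zone, date, previous exit, current exit, reason
ENTRY = re.compile(
    r"^\s*(?P<n>\d+):\s+(?P<time>\d{2}:\d{2}:\d{2}) \((?P<tz>\w+)\) (?P<date>\d{2}/\d{2}/\d{4})\s+"
    r"(?P<prev>\S+) \(Ch:(?P<prev_ch>\d+)\)\s+"
    r"(?P<cur>\S+) \(Ch:(?P<cur_ch>\d+)\)\s+"
    r"(?P<reason>.+?)\s*$"
)


class RouteChange(NamedTuple):
    when: datetime
    previous_exit: str
    current_exit: str
    reason: str


def parse_history(output: str) -> List[RouteChange]:
    """Return the route changes oldest first (the CLI lists newest first)."""
    changes = []
    for line in output.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # prompt, headers, '(…)' and other lines are skipped
        when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
        changes.append(RouteChange(when, m["prev"], m["cur"], m["reason"]))
    return sorted(changes, key=lambda c: c.when)


def reason_counts(changes: List[RouteChange]) -> Dict[str, int]:
    """Group reasons by the text before any ':' ('Loss Rate Pkts: 5.0 %' -> 'Loss Rate Pkts')."""
    counts: Counter = Counter()
    for c in changes:
        counts[c.reason.split(":")[0].strip()] += 1
    return dict(counts)


def is_flapping(changes: List[RouteChange], max_changes: int, window_minutes: int) -> bool:
    """True when more than max_changes transitions fall inside one window."""
    if len(changes) <= max_changes:
        return False
    for i in range(len(changes) - max_changes):
        span = changes[i + max_changes].when - changes[i].when
        if span.total_seconds() <= window_minutes * 60:
            return True
    return False


# Constructed from the route-change history shown on the slide.
SAMPLE_OUTPUT = """\
R11#sh domain IWAN master traffic-classes dscp ef
(…)
  Reason for Latest Route Change:  Backup to Primary path preference transition
  Route Change History:
      Date and Time                  Previous Exit                   Current Exit                    Reason
   1: 11:30:54 (EDT) 06/10/2015      INET/10.11.0.1/Tu200 (Ch:218)   MPLS/10.11.0.1/Tu100 (Ch:238)   Backup to Primary path preference transition
   2: 11:27:53 (EDT) 06/10/2015      MPLS/10.11.0.1/Tu100 (Ch:238)   INET/10.11.0.1/Tu200 (Ch:218)   Unreachable
   3: 11:21:55 (EDT) 06/10/2015      INET/10.11.0.1/Tu200 (Ch:218)   MPLS/10.11.0.1/Tu100 (Ch:238)   Unreachable
   4: 11:18:54 (EDT) 06/10/2015      MPLS/10.11.0.1/Tu100 (Ch:238)   INET/10.11.0.1/Tu200 (Ch:218)   Loss Rate Pkts: 5.0 %
   5: 11:10:34 (EDT) 06/10/2015      INET/10.11.0.1/Tu200 (Ch:218)   MPLS/10.11.0.1/Tu100 (Ch:238)   Unreachable
"""

if __name__ == "__main__":
    history = parse_history(SAMPLE_OUTPUT)
    print(len(history), "route changes;", reason_counts(history))
    print("flapping:", is_flapping(history, max_changes=3, window_minutes=30))
```

Three of the five changes in the sample are "Unreachable" rather than a performance threshold, which points at channel reachability on the transports (tunnel or probe loss) rather than at the policy thresholds themselves; that distinction is what the reason counts surface.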
Application optimization
Letting IWAN recognize applications: Application Visibility and Control (AVC)
[Diagram: branch users and devices, private cloud, DC/headquarters, public cloud; Cisco AVC]
Application performance visibility
• Application inspection on the routers
• Information collected through NetFlow v9/IPFIX
• Integration with several management tools
Smart capacity planning
• Better bandwidth utilization
• Information available per branch
Business objective enforcement
• Monitoring of service levels per application
• Improves the ability to meet per-application service levels
Acceleration with WAAS + Akamai (branch to DC/POP)
Application optimization
• Improves application performance
• Twice as many Citrix users on the same WAN
• Fast return on investment
Simple and scalable
• Integrated in the routers
• Scales with AppNav
• Redundancy built into the solution
[Diagram: branch users and devices, AppNav-XE controller, CSR, WAVE and vWAAS, WAN, private cloud]
Content caching and prepositioning: improving application performance
• Reduces bandwidth usage while accelerating applications
• Intelligent caching of internal and Internet content
• Prepositioning of data and media before they are needed
Application acceleration + prepositioning: improves the user experience while reducing the load on the WAN
Supports Akamai Cloud | Single-sided optimization | Secure direct cloud access
Akamai caching: transparent HTTP caching, dynamic URL and OTT HTTP caching, Akamai Connected Cache, content pre-positioning
Cisco WAAS optimization: LZ compression, TCP optimization, data de-duplication, application-specific acceleration
IWAN: let's talk security
IWAN: encrypted connections
[Diagram: branch over the MPLS transport (IP-VPN) and an Internet link to the private cloud, virtual private cloud and public cloud]
Two concerns:
1. Protect the network from external threats while preserving confidentiality
2. Protect users when they consume public cloud services
IWAN secure transport: IPsec VPN and access control
• Step 1: Authenticated hardware and software (Trust Anchor verification)
• Step 2: Secure transport
  IPsec VPN on all links
  Encryption: IKEv2 + AES-GCM-256
  F-VRF (front-door VRF) to isolate the provider networks
• Step 3: Control access
  IOS Zone-Based Firewall or ACLs
  Role-based access with logging
  Minimize the footprint (exposure)
  Use provider-assigned addresses at the branches
  Do not publish branch addresses in DNS
[Diagram: branch to data center ASR 1000s over MPLS (ISP A) and Internet (ISP C)]
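The Tunnel100 configurations shown earlier (R84 hub, R11 spoke) and the secure-transport steps above share one baseline: IPsec protection on every DMVPN tunnel, a front-door VRF, NHRP authentication, a tunnel key, and MTU/MSS clamping so encrypted packets are not fragmented. The added example below (not code from the presentation or from Cisco) audits an IOS running-config offline against that baseline. The first sample stanza is built from the slides' R84 Tunnel100 (spoke-group QoS lines omitted); the second is a constructed, deliberately weakened tunnel used to show what a finding looks like. The function names and the exact wording of the findings are this example's own.

```python
"""Audit DMVPN (mGRE) tunnel interfaces in an IOS running-config against the
IWAN transport-security baseline: IPsec protection, front-door VRF, NHRP
authentication, tunnel key, and MTU/MSS clamping.

Added example, not from the presentation or from Cisco."""
import re
from typing import Dict, List

# Each check: (finding text, regex that must match one line of the tunnel stanza).
REQUIRED = [
    ("no 'tunnel protection ipsec profile': GRE would carry cleartext",
     r"^tunnel protection ipsec profile \S+"),
    ("no 'tunnel vrf': transport is not isolated in a front-door VRF",
     r"^tunnel vrf \S+"),
    ("no 'ip nhrp authentication': NHRP registrations are unauthenticated",
     r"^ip nhrp authentication \S+"),
    ("no 'tunnel key': overlays sharing a source are not separated",
     r"^tunnel key \d+"),
    ("no 'ip mtu 1400': encrypted packets may be fragmented",
     r"^ip mtu 1400$"),
    ("no 'ip tcp adjust-mss 1360': TCP MSS is not clamped for the tunnel",
     r"^ip tcp adjust-mss 1360$"),
]


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS config into {interface name: [stanza lines]}.
    A stanza ends at the next top-level (unindented) command."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith((" ", "\t")) and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # any other top-level command closes the stanza
    return stanzas


def audit_tunnel(lines: List[str]) -> List[str]:
    """Findings for one mGRE tunnel stanza; an empty list means it meets the baseline."""
    return [text for text, pattern in REQUIRED
            if not any(re.match(pattern, line) for line in lines)]


def audit_config(config: str) -> Dict[str, List[str]]:
    """Audit every multipoint GRE tunnel in the config."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if name.startswith("Tunnel") and "tunnel mode gre multipoint" in lines:
            report[name] = audit_tunnel(lines)
    return report


# Built from the slides' R84 Tunnel100 stanza (spoke-group QoS lines omitted).
HUB_CONFIG = """\
interface Tunnel100
 bandwidth 100000
 ip address 10.0.100.84 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp nhs 10.0.100.94 nbma 172.16.94.1 multicast
 ip nhrp redirect
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel vrf IWAN-MPLS
 tunnel protection ipsec profile DMVPN-PROFILE-1
 domain IWAN path MPLS path-id 1
"""

# Constructed weakened variant: same kind of tunnel without IPsec, F-VRF or NHRP auth.
WEAK_CONFIG = """\
interface Tunnel200
 ip address 10.0.200.84 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
 tunnel key 200
"""

if __name__ == "__main__":
    for cfg in (HUB_CONFIG, WEAK_CONFIG):
        for name, findings in audit_config(cfg).items():
            print(name, "meets baseline" if not findings else "findings:")
            for finding in findings:
                print("  -", finding)
```

Only multipoint GRE tunnels are audited, so loopbacks and point-to-point interfaces in the same config are ignored; extending REQUIRED with a site's own mandatory lines (for example a specific IPsec profile name) is a one-line change.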
Cisco routers: certifications
Platform               | FIPS 140-2, Level 2 | Common Criteria EAL4 | Suite B* hardware assist
Cisco ISR 890 Series   | yes                 | yes                  |
Cisco ISR 1900 Series  | yes                 | yes                  |
Cisco ISR 2900 Series  | yes                 | yes                  |
Cisco ISR 3900 Series  | yes                 | yes                  | yes
Cisco ISR 4400 Series  | yes                 | yes                  | yes
Cisco ASR 1000 Series  | yes                 | yes**                |
* RFC 6379   ** Not supported on older RP1-based ASR 1000s
IWAN: direct access to the public cloud
[Diagram: branch with MPLS (IP-VPN) to the private cloud, and Internet with Direct Internet Access (DIA) to the virtual private cloud and public cloud; ISR-AX with ZBFW, CWS]
• Direct access to the cloud and to the Internet
• Improve performance (shortest path for the flows)
Solutions: on site, Zone-Based Firewall (ZBFW); in the cloud, Cloud Web Security (CWS)
Cloud Web Security: centralized management, distributed policies
Orchestration and Automation
Cisco IWAN: management portfolio
Enterprise network management and monitoring
• Customer needs customizable IWAN with end-to-end monitoring
• One assurance across the Cisco portfolio from branch to data center
• IT network team
Prescriptive policy automation
• Customer wants considerable automation and operational simplicity
• Requirements consistent with the prescriptive IWAN Validated Design
• Lean IT organization
Advanced orchestration
• Customer wants advanced provisioning, life cycle management, and customized policies
• System-wide network consistency assurance
• Lean IT or IT network team
Application-aware performance management
• Customer looking for advanced monitoring and visualization
• QoS/PfR/AVC configuration, real-time analytics and network troubleshooting
• IT network team
Products positioned across these quadrants: Cisco Prime Infrastructure, IWAN App, ecosystem partners
IWAN automation and orchestration evolution
APIC-EM
  Device abstraction layer, southbound interface
  REST APIs
  APIC-EM services (partial): PKI service, NetFlow service, ZTD service, Network service, Events service, Inventory service
Cisco IWAN Apps: IWAN Transport, PKI Automation, Security, Intelligent Path Control, Application Experience, PnP Provisioning
Partners (future)
Traditional management systems: Cisco Prime (capacity planning, historical reporting, licensing, etc.; Prime deployment workflows, change control, etc.)
IWAN App
APIC-EM IWAN App: site provisioning
[Screenshots: APIC-EM IWAN App site provisioning workflow, several steps]
Prime Infrastructure for IWAN
• IWAN workflow with PnP
• IWAN configuration templates
• PfRv3 domain, MC and BR
• AVC one-click
• QoS configurations
• Single or dual routers
• Based on the CVDs
• AVC readiness check
• Uses APIC-EM
Cisco IWAN Product Portfolio
Cisco AX routers: IWAN integrated into the router's functions
[Diagram: ISR-AX, ISR-4000 AX, ASR1000-AX; one network, unified services]
Recognize applications
Transport independence
Security
PfRv3
Optimization
Control
Visibility
Cisco AX Routers: 800 | 1900 | 2900 | 3900 | 4000 | ASR 1000