cisco livelocal2014 iwan
Local Edition
Routing Update – How IWAN Enables the Next Generation Branch
Tim Lovelace
Systems Engineer
© 2014 Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public Local Edition
Agenda
• IWAN Introduction and Business Drivers
• Transport Independent Design
• Intelligent Path Control
• Application Optimization
• Secure Connectivity
• Management
• Conclusion
IWAN Introduction and Business Drivers
Mobile Device Network Traffic
[Chart: average number of apps per device*, average app size** and OS update file size*** for iOS (iOS 7 for iPhone 5), Android (Jelly Bean 4.1) and Windows (Windows 7)]
Sources: * http://www.nielsen.com/us/en/newswire/2012/state-of-the-appnation-%C3%A2%C2%80%C2%93-a-year-of-change-and-growth-in-u-s-smartphones.html ** https://www.abiresearch.com/press/average-size-of-mobile-games-for-ios-increased-by- *** http://www.wirelessandmobilenews.com/2013/05/samsung-galaxy-s3-iii-update-android-4.2.1-jelly-bean.html http://theiphonewiki.com/wiki/Firmware#iPad_4 http://answers.microsoft.com/en-us/windows/forum/windows_other-windows_update/what-is-average-monthly-size-of-update-downloads/dfe9bb34-c2dd-478e-a6cb-0a26228cf552
Third-Party Lab Test: Chromebook vs. Windows 8 Laptop
Chromebook Data Usage
• Chromebook creates as much as 692.2 times more network traffic
• On average, Chromebook creates 152 times more network traffic
[Chart: network traffic of a Chromebook vs. an Asus VivoBook S200E notebook running Microsoft Windows 8 across seven tasks: document manipulation, photo manipulation, video manipulation, music manipulation, web browsing, note taking, test taking]
Source: http://principledtechnologies.com/Microsoft/Chromebook_PC_network_traffic_0613.pdf
Emerging Branch Demands: The Application Landscape is Changing
• Applications are moving to the data center and cloud
• The Internet edge is moving to the branch
[Figure: branch connected to cloud and data centers, with three callouts whose values did not survive extraction: Cloud (share of CIOs expecting to operate via the cloud by 2015), Mobility (growth in mobile data traffic by 2015) and Fat Apps (share of mobile traffic that will be video)]
Pressures on the WAN
Why Move to Internet as WAN?
Low-Cost Alternative
[Chart: Internet Pricing vs. Reliability, 1998-2012 (Internet transit pricing1 against packet delivery2), alongside a survey figure for the share of organizations planning to transition to Internet connections, whose value did not survive extraction]
1 Internet transit pricing based on surveys and informal data collection primarily from Internet Operations Forums: 'street pricing' estimates
2 Packet delivery based on 15 years of ping data from PingER for WORLD (global server sample) from EDU.STANFORD.SLAC in California
Source: William Norton (DrPeering.net); Stanford ping end-to-end reporting (PingER)
And the Internet Transition Pays Off Fast
EXAMPLE: San Francisco Single MPLS VPN vs. Dual Business Internet ($ per Month)

                                                        10 Mbps   1.5 Mbps
IWAN (dual Internet links combined for enterprise SLA)  $220      $140
MPLS VPN CoS3                                           $830      $260
MPLS VPN CoS2                                           $885      $274
MPLS VPN CoS1                                           $1,014    $303

At 10 Mbps, dual business Internet costs $665/month less than MPLS VPN CoS2 (-75%):
$665 savings/month x 12 months x 1,000 sites = $8M savings per year
Source: Telegeography MPLS VPN pricing for San Francisco as of March 2013; Comcast Web site; Verizon website
Intelligent WAN: Leveraging the Internet. Secure WAN Transport and Internet Access
[Figure: branch with MPLS (IP-VPN) as secure WAN transport to the private cloud and virtual private cloud, and direct Internet access to the public cloud]
• Secure WAN transport for private and virtual private cloud access
• Leverage the local Internet path for public cloud and Internet access
✓ Increased WAN transport capacity, cost effectively
✓ Improved application performance (right flows to right places)
Intelligent WAN: Leveraging the Internet. So What is New Here?
[Figure: branch with MPLS (IP-VPN) and Internet paths to private cloud, virtual private cloud and public cloud]
• Hybrid WAN transport
• IPsec secure transport
• Direct Internet access
• Internet as WAN with high reliability
• SLOs for business-critical applications
• Centralized security policy for Internet access
• Dramatically lower WAN costs without compromise
Intelligent WAN Deployment Models
A consistent VPN overlay enables security across the transition.
Dual MPLS
✓ Highest SLA guarantees (tightly coupled to SP)
✗ Expensive
Hybrid (MPLS + Internet)
✓ More bandwidth for key applications
✓ Balanced SLA guarantees; moderately priced
Dual Internet
✓ Best price/performance
✓ Most SP flexibility; enterprise responsible for SLAs
Intelligent WAN Solution Components
[Figure: branch connected over Internet, 3G/4G-LTE and MPLS to private cloud, virtual private cloud and public cloud, with AVC, WAAS and PfR components]
Transport Independent
• Consistent operational model
• Simple provider migrations
• Scalable and modular design
• IPsec routing overlay design
Intelligent Path Control
• Dynamic application best path based on policy
• Load balancing for full utilization of bandwidth
• Improved network availability
Application Optimization
• Application visibility with performance monitoring
• Application acceleration and bandwidth optimization
Secure Connectivity
• Certified strong encryption
• Comprehensive threat defense
• Cloud Web Security for secure direct Internet access
Transport-Independent Design Simplifying Internet-Based WANs
Flexible Secure WAN Design Over Any Transport: Dynamic Multipoint VPN (DMVPN)
Simplifies WAN design; dynamic full-meshed connectivity; proven robust security
Flexible
• Easy multi-homing over any carrier service offering
• Single routing control plane with minimal peering to the provider
• Consistent design over all transports
Secure
• Automatic site-to-site IPsec tunnels
• Zero-touch hub configuration for new spokes
• Certified crypto and firewall for compliance
• Scalable design with high-performance cryptography in hardware
[Figure: transport-independent design; branch ISR-G2 connected over Internet and MPLS to ASR 1000s in the data center]
Hybrid WAN Designs: Traditional and IWAN
TRADITIONAL HYBRID
[Figure: branch ISR-G2 with GETVPN over MPLS (SP V) and DMVPN over Internet (ISP A) to ASR 1000s in the data center]
• Two IPsec technologies: GETVPN over MPLS, DMVPN over Internet
• Two WAN routing domains: MPLS with eBGP or static; Internet with iBGP, EIGRP or OSPF; route redistribution, route filtering and loop prevention required
• Active/standby WAN paths: primary with backup
IWAN HYBRID
[Figure: branch ISR-G2 with DMVPN over both MPLS (SP V) and Internet (ISP A) to ASR 1000s in the data center]
• One IPsec overlay: DMVPN
• One WAN routing domain: iBGP, EIGRP, or OSPF
• Active/active WAN paths
Building Highly Available WANs With Cisco IWAN: Redundancy and Path Diversity Matter
[Figure: branch designs with ISR G2 routers over MPLS and Internet, annotated with availability and downtime per year; the IWAN solution is the dual-router, dual-path design at 99.999%]

Design                      Transport(s)                                     Availability   Downtime per year
Single router, single path  MPLS                                             99.95%*        about 4 h 23 min
Single router, single path  Internet                                         99.90%*        8 h 46 min
Single router, dual paths   MPLS+MPLS, MPLS+Internet or Internet+Internet    99.995%        26 minutes
Dual routers, dual paths    MPLS+MPLS, MPLS+Internet or Internet+Internet    99.999%        5 minutes

(The slide groups the two single-path cases as "4-9 hours"; downtime per year = (1 - availability) x 525,600 minutes.)
* Typical MPLS and Business Grade Broadband Availability SLAs and Downtime per Year, calculated with Cisco AS DAAP tool.
What is Dynamic Multipoint VPN?
DMVPN is a Cisco IOS Software solution for building IPsec + GRE VPNs in an easy, dynamic, and scalable manner. It relies on two proven technologies:
• Next-Hop Resolution Protocol (NHRP): creates a distributed mapping database of VPN (tunnel interface) addresses to real (public interface) addresses
• Multipoint GRE (mGRE) tunnel interface: a single GRE interface supports multiple GRE/IPsec tunnels and endpoints; simplifies the size and complexity of the configuration; supports dynamic tunnel creation
Major features: configuration reduction and no-touch deployment, with support for
• IPv4/v6 unicast and multicast
• Remote peers with dynamically assigned transport addresses
• Spokes behind dynamic NAT; hubs behind static NAT
• Dynamic spoke-spoke tunnels for partial/full mesh scaling
• Overlays any transport: Internet, MPLS, 3G/4G, etc.
• Wide variety of network designs and options
DMVPN: How it Works
• Spokes build a dynamic permanent GRE/IPsec tunnel to the hub (NHRP server) and register as NHRP clients
• Active-active redundancy model: two or more hubs per spoke; all hubs are active and are routing neighbors with the spokes
• Routing protocol routes determine traffic forwarding
• When a spoke needs to send a packet to a destination (private) subnet behind another spoke, it queries NHRP for the real (outside) address of the destination spoke
• The originating spoke can then initiate a dynamic GRE/IPsec tunnel to the target spoke, because it now knows the peer's outside address
• The dynamic spoke-to-spoke tunnel is built over the mGRE interface
• When traffic ceases, the spoke-to-spoke tunnel is torn down
[Figure: dual DMVPN design, a single mGRE tunnel on each hub and two mGRE tunnels on each spoke. Hub 1: physical 172.17.0.1, Tunnel0 10.0.0.1; Hub 2: physical 172.17.0.5, Tunnel1 10.0.1.1; hub-side LAN 192.168.0.0/24. Spoke A: physical (dynamic), Tunnel0 10.0.0.11, Tunnel1 10.0.1.11, LAN 192.168.1.0/24 (.1). Spoke B: physical (dynamic), Tunnel0 10.0.0.12, Tunnel1 10.0.1.12, LAN 192.168.2.0/24 (.1). Further spokes: 192.168.X.0/24 (.1)]
DMVPN Phases
Phase 1 (12.2(13)T)
• Hub-and-spoke functionality
• p-pGRE interface on spokes, mGRE on hubs
• Simplified configuration on hubs
• Supports dynamically addressed CPEs (NAT)
• Support for routing protocols and multicast
• Spokes don't need a full routing table; can summarize on hubs
Phase 2 (12.3(4)T)
• Spoke-to-spoke functionality
• mGRE interface on spokes
• Direct spoke-to-spoke data traffic reduces load on hubs
• Hubs must interconnect in a daisy chain
• Spokes must have a full routing table; no summarization
• Spoke-spoke tunnel triggered by the spoke itself
• Routing protocol scale limitations
Phase 3 (12.4(6)T)
• More network designs and greater scaling
• Same spoke-to-hub ratio
• No hub daisy chain
• Spokes don't need a full routing table; can summarize
• Spoke-spoke tunnel triggered by hubs
• Removes routing protocol limitations
• NHRP routes/next-hops in RIB (15.2(1)T)
Traditional to IWAN Transition: Migration Steps
[Figure: six numbered branch topologies (0 to 5) on ISR G2 routers, starting from dual MPLS, then adding DMVPN to the MPLS WAN, then replacing one WAN service with an Internet service, then other IWAN topologies including MPLS + Internet, Internet + Internet and 3G/4G-LTE backup]
ADDING DMVPN TO MPLS WAN
REPLACING A WAN SERVICE WITH AN INTERNET SERVICE
OTHER INTERESTING IWAN TOPOLOGIES
* Typical MPLS and Business Grade Broadband Availability SLAs and Downtime per Year.
IWAN Transport Best Practices
• Private peering with Internet providers
 – Use the same Internet provider for hub and spoke sites
 – Avoids Internet exchange bottlenecks between providers
 – Reduces round-trip latency
• DMVPN
 – DMVPN Phase 2 for dynamic tunnels with PfR
 – Separate DMVPN network per provider for path diversity
 – Per-tunnel QoS
• Transport settings
 – Use the same MTU size on all WAN paths
 – Bandwidth settings should match the offered rate
 – Use a front-door VRF to separate the Internet default route from the internal default route
• Internet security
 – Firewalls or access lists on the transport interface permit only DMVPN tunnel traffic: IKE (UDP 500), NAT-T (UDP 4500) and ESP
 – The hub tunnel IP address should not be registered in DNS; this keeps the hub off casual scanners' lists, but it is obscurity, not a control: the access list and IKE peer authentication are what keep unauthorized peers out
• Routing overlay
 – iBGP or EIGRP for high scale (1000+ sites)
 – Single routing process, simplified operations
[Figure: IWAN hybrid; branch with two DMVPN networks, "purple" over MPLS from SP V and "green" over Internet from ISP A, to the data center]
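The following configuration is an illustration added to this transcript; it is not taken from the deck or from a Cisco Validated Design. It shows a DMVPN Phase 2 hub (ASR 1000) and one spoke (ISR G2) applying the practices above: Internet transport in a front-door VRF, IKEv2 with a strong transform set, an inbound access list on the transport interface that admits only IKE, NAT-T and ESP, and EIGRP as the single overlay routing process. Addresses follow the earlier DMVPN figure (hub 172.17.0.1 / 10.0.0.1, spoke 10.0.0.11 with a dynamic address); the VRF, keyring, profile and ACL names, the NHRP network-id, the pre-shared-key placeholder and the upstream gateway 172.17.0.254 are assumptions.

```cisco
! ===== HUB (ASR 1000) =====
! Front-door VRF: the Internet default route lives here and the enterprise default
! route stays in the global table, so enterprise traffic can only leave via the tunnel.
vrf definition INET-FVRF
 address-family ipv4
 exit-address-family
!
crypto ikev2 proposal IWAN-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IWAN-POL
 match fvrf INET-FVRF
 proposal IWAN-PROP
! Group pre-shared key for brevity (assumed); at scale use PKI so that one leaked
! spoke key does not let an attacker register as any site.
crypto ikev2 keyring IWAN-KEYRING
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET
crypto ikev2 profile IWAN-IKEV2
 match fvrf INET-FVRF
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local IWAN-KEYRING
crypto ipsec transform-set IWAN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile IWAN-IPSEC
 set transform-set IWAN-TS
 set ikev2-profile IWAN-IKEV2
!
! Transport interface admits only IKE (UDP 500), NAT-T (UDP 4500) and ESP.
ip access-list extended INET-IN
 permit udp any host 172.17.0.1 eq isakmp
 permit udp any host 172.17.0.1 eq non500-isakmp
 permit esp any host 172.17.0.1
 deny   ip any any
interface GigabitEthernet0/0/1
 vrf forwarding INET-FVRF
 ip address 172.17.0.1 255.255.255.0
 ip access-group INET-IN in
ip route vrf INET-FVRF 0.0.0.0 0.0.0.0 172.17.0.254
!
! Phase 2 hub: keep the spoke's tunnel address as next hop and do not summarize,
! so spokes can resolve each other through NHRP and build spoke-to-spoke tunnels.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY1
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
 tunnel vrf INET-FVRF
 tunnel protection ipsec profile IWAN-IPSEC
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 192.168.0.0 0.0.255.255
 passive-interface default
 no passive-interface Tunnel0
!
! ===== SPOKE (ISR G2): same VRF, crypto, transform-set and IPsec profile, then: =====
! Dynamic address, possibly behind NAT; DHCP installs the INET-FVRF default route.
! Spoke-to-spoke peers are not known in advance, so the spoke filter cannot be
! pinned to the hub address: IKEv2 authentication is what keeps strangers out.
ip access-list extended INET-IN-SPOKE
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit udp any eq bootps any eq bootpc
 deny   ip any any
interface GigabitEthernet0/0
 vrf forwarding INET-FVRF
 ip address dhcp
 ip access-group INET-IN-SPOKE in
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY1
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp map multicast 172.17.0.1
 ip nhrp network-id 100
 ip nhrp nhs 10.0.0.1
 ip nhrp registration no-unique
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf INET-FVRF
 tunnel protection ipsec profile IWAN-IPSEC
! router eigrp 100 as on the hub, advertising the LAN 192.168.1.0/24 and Tunnel0.
! Verify: show dmvpn detail, show crypto ikev2 sa, show ip eigrp neighbors
```

The two access lists are the "only permit DMVPN tunnel traffic" bullet made concrete. Note the asymmetry: the hub can pin the destination to its own address but not the source, and a Phase 2 spoke cannot pin either, because spoke-to-spoke tunnels come from addresses it learns only at resolution time. Everything the filter lets through still has to pass IKEv2 authentication before any GRE is accepted, which is why the keying material (and preferably certificates) deserves more attention than the DNS entry.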
Intelligent Path Control Improving Application Delivery and WAN Efficiency
Getting the Most Out of Your WAN Investment: Benefits of Intelligent Path Control
[Figure: data center ASR 1000s and branch ISR G2 over MPLS and Internet, with WAAS, PfR and AVC]
• Enabling Internet-based WANs: protection from carrier black holes and brownouts
• Efficient distribution of traffic based upon load, circuit cost, and path preference: full utilization of all WAN bandwidth, lower WAN costs
• Per-application best path based on delay, loss and jitter measurements: improved application performance, lower WAN costs
What is Performance Routing (PfR)?
"Performance Routing (PfR) provides additional intelligence to classic routing technologies to track the performance of, or verify the quality of, a path between two devices over a Wide Area Networking (WAN) infrastructure to determine the best egress or ingress path for application traffic...."
• Cisco IOS technology
• Two components: master controller (MC) and border router (BR)
[Figure: data center with an MC and two BRs; branch reached over DSL and cable with a combined MC+BR]
PfR Enhances Classical Routing

              Classical                                              + PfR
PATH CONTROL  Topological state; least-cost path; static user preference   Application-aware; policy controlled; measured performance
METRICS       Path cost; interface state                             Delay; jitter; bandwidth
ADAPTIVE      Responds to link and node state changes (up/down)      Responds to measured performance changes (degradation)
What PfR Does: Protecting Critical Applications While Increasing Bandwidth Utilization
Hybrid IWAN (SP1 MPLS + ISP Internet): business app and load-balancing policy
• Protect business cloud applications from brownouts: loss < 5%
• Preferred path for business applications: SP1 (MPLS)
• Increase WAN bandwidth efficiency by load-sharing traffic over all WAN paths, MPLS + Internet
• Best-effort traffic: detect loss greater than 10%
Dual Internet IWAN (ISP-1 cable + ISP-2 DSL): multimedia and critical data policy
• Protect voice and video quality: latency < 150 ms; jitter < 20 ms (detect high jitter)
• Protect VDI applications from brownouts: loss < 5%
• Voice and video preferred path SP-A; VDI preferred path SP-B
• Increase utilization by load sharing best-effort traffic
How PfR Works: Key Operations
1. Define your traffic policy
2. Learn the traffic: ISR G2 and ASR border routers (BRs) learn the traffic classes (TCs) flowing through them based on your policy definitions; traffic classes are identified by application or by transport classifiers
3. Measurement: BRs measure traffic flow and network performance actively or passively and report metrics to the master controller (MC)
4. Path enforcement: the master controller commands path changes (best path) based on your traffic policy definitions
[Figure: hub MC with two BRs and several MC+BR branches, repeated for each stage]
Measuring Network and Application Performance
• Passive measurement
 – For data or best-effort applications
 – Ingress/egress bandwidth and TCP loss and delay derived from NetFlow
• Active measurement
 – For video, voice and delay-sensitive data applications
 – Path jitter, delay, loss and MOS derived from IP SLA synthetic traffic probes
• PfR automatically enables NetFlow and IP SLA; no knowledge or configuration experience needed
• The MC performance database determines policy enforcement actions
• A dedicated IP SLA responder offloads probing from the branch in large deployments
MC performance database (example):

Destination Prefix  DSCP  App Id  Delay  Jitter  Loss  Ingress BW  Egress BW  BR   Exit
10.1.1.1/32         EF            60     10      0     20          40         BR1  Gi1/1
10.1.10.0/24        AF31          110    15      0     52          60         BR1  Gi1/2
…                   0             89     26      1     34          10         BR2  Gi1/1

[Figure: branch MC+BR over DSL and cable sending probes; data center MC with two BRs and an IP SLA responder answering them]
Defining Application Performance Policy
• Choose your policy actions for various traffic classes
• Alternate path selection based on flexible criteria: delay, loss, MOS, jitter; link-group path preference; link load balancing (max utilization); bandwidth costs ($); application reachability
Example:
Voice/Video: 1. Link-group: Path-A; 2. Loss; 3. Jitter; 4. Delay
Critical application: 1. Link-group: Path-B; 2. Loss; 4. Delay
Load-balance remaining traffic
Path Enforcement
• The master controller monitors traffic classes and BR exit links for out-of-policy conditions
• The appropriate enforcement method is determined automatically by the MC
• The MC commands the BRs to enforce path changes for policy compliance
Enforcement by destination prefix:
• BGP: egress via route injection or the BGP local preference attribute; ingress via BGP AS-PATH prepend or community
• EIGRP route injection
• Static route injection
• Protocol Independent Route Optimization (PIRO) with PBR injection
Enforcement by application:
• Dynamic PBR
• NBAR/CCE
Load Balancing: Maximizing Link Utilization to Increase Available Bandwidth
• External link load balancing is enabled by default
• PfR distributes traffic across a set of links to keep their utilization within a defined percentage range of each other; the default utilization range is +/- 20%
• External links can have different available bandwidth, e.g., Int 1/0 = 1.5 Mbps, Int 1/1 = 15 Mbps; the range is relative, so 50% of a T1 is 750 kbps while 50% of 15 Mbps is 7.5 Mbps
• Load-balancing defaults can be modified by CLI: utilization range, max utilization (90%)
[Figure: branch ISR-G2 with a T1 and a 15 Mbps link over Internet and MPLS to data center ASR 1000s]
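The following PfRv2 configuration is added here as an illustration and is not taken from the deck. It expresses the policies of the "What PfR Does" slide on a dedicated hub master controller with its border routers, and on a branch that runs MC and BR together: voice and video held to delay < 150 ms, jitter < 20 ms and loss < 5% with the MPLS link group preferred; best-effort data moved only when its current exit loses more than 10%; everything kept within the +/-20% utilization range and capped at 90% per link. Loopback addresses, the key-chain name and secret, access-list names and the probe target are assumptions.

```cisco
! ===== HUB: dedicated master controller (ASR1002-X) =====
! MC<->BR sessions are authenticated with a key chain; a border router that fails
! authentication receives no path-control commands.
key chain PFR-AUTH
 key 1
  key-string REPLACE-WITH-A-SECRET
ip access-list extended VOICE-VIDEO
 permit ip any any dscp ef
 permit ip any any dscp af41
ip access-list extended BEST-EFFORT
 permit ip any any dscp default
!
pfr master
 policy-rules IWAN-POLICY
 mode route control
 max-range-utilization percent 20
 ! Hub BR 1: Tunnel0 rides MPLS, Tunnel1 rides the Internet; BR 2 (10.255.0.2) is
 ! configured identically.
 border 10.255.0.1 key-chain PFR-AUTH
  interface Tunnel0 external
   link-group MPLS
   max-xmit-utilization percent 90
  interface Tunnel1 external
   link-group INET
   max-xmit-utilization percent 90
  interface GigabitEthernet0/0/0 internal
 learn
  periodic-interval 0
  monitor-period 1
  list seq 10 refname LEARN-VOICE-VIDEO
   traffic-class access-list VOICE-VIDEO
   aggregation-type prefix-length 24
   throughput
  list seq 20 refname LEARN-BEST-EFFORT
   traffic-class access-list BEST-EFFORT
   aggregation-type prefix-length 24
   throughput
!
! Voice/video: MPLS preferred, fall back to the Internet link group when out of
! policy. Loss is in packets per million (5% = 50000). Fast monitoring keeps jitter
! probes running on every exit so the alternate path is known to be good before the
! move; the probe target (a branch tunnel address here) must run "ip sla responder".
pfr-map IWAN-POLICY 10
 match pfr learn list LEARN-VOICE-VIDEO
 set link-group MPLS fallback INET
 set mode monitor fast
 set periodic 90
 set probe frequency 8
 set active-probe jitter 10.0.0.11 target-port 20000
 set delay threshold 150
 set jitter threshold 20
 set loss threshold 50000
 set resolve loss priority 2 variance 10
 set resolve jitter priority 3 variance 10
 set resolve delay priority 4 variance 10
!
! Best effort: no preferred path; leave the flow alone unless its current exit loses
! more than 10% (100000 ppm), otherwise keep the exits within the utilization range.
pfr-map IWAN-POLICY 20
 match pfr learn list LEARN-BEST-EFFORT
 set mode monitor fast
 set periodic 90
 set loss threshold 100000
 set resolve loss priority 2 variance 10
 set resolve utilization priority 3 variance 10
!
! ===== HUB BORDER ROUTER (each ASR 1000) =====
pfr border
 local Loopback0
 master 10.255.0.254 key-chain PFR-AUTH
!
! ===== BRANCH: MC and BR on the same ISR G2 =====
! Same key chain, access lists and pfr-maps as the hub; only the border block differs.
pfr master
 policy-rules IWAN-POLICY
 mode route control
 max-range-utilization percent 20
 border 10.255.0.11 key-chain PFR-AUTH
  interface Tunnel0 external
   link-group MPLS
  interface Tunnel1 external
   link-group INET
  interface GigabitEthernet0/1 internal
pfr border
 local Loopback0
 master 10.255.0.11 key-chain PFR-AUTH
! Verify: show pfr master traffic-class, show pfr master active-probes, show pfr border
```

Two things are worth checking after deployment: that every BR shows as ACTIVE in "show pfr master" (an UNAUTHENTICATED or DOWN border means the key chain does not match and PfR is silently not controlling that site), and that the learned traffic classes in "show pfr master traffic-class" really are the prefixes you expect, since the branch MC can only steer what it has learned.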
PfR Scale and Performance

Policy type        Scale                          Notes
Typical policies   2 TCs per site, 650 branches   Sufficient for protecting a voice/video TC and load balancing all data traffic
Advanced policies  4 TCs per site, 300 branches   Multiple application policies and load balancing
Max TCs            18K concurrent                 ASR1002-X is the highest-scale MC and BR

Recommended hardware
• Hub or DC: ASR1002-X as dedicated PfR MC, and as PfR BR + DMVPN hub
• Hub or DC: ISR 3945E as dedicated IP SLA shadow router
• Branch: ISR 892 FSP, ISR 1900 or better, ASR1001 or better as MC/BR + DMVPN spoke
PfR Evolution: Simplification and Scale
PfR/OER
• Internet edge; basic WAN
• Provisioning per site per policy
• 1000s of lines of config
PfRv2 (today)
• Policy simplification; application path selection
• Blackout ~6 s; brownout ~9 s
• Scale 500 sites
• 10s of lines of config
PfRv3 (summer 2014)
• Centralized provisioning; AVC infrastructure; VRF awareness
• Blackout ~2 s; brownout ~2 s
• Scale 2000 sites
• Hub config only
Optimize Application Performance
Today’s Network is an IT Blind Spot
• Static port classification is no longer enough
• More and more apps are opaque
• Increasing use of encryption and obfuscation
• Application consists of multiple sessions (video, voice, data)
• What if user experience is not meeting business needs?
How the AVC Solution Works
1. Deep packet inspection: the DPI engine (NBAR2) on the ASR1K / ISR G2 identifies applications using L7 signatures
2. Performance collection and exporting: routers collect bandwidth and response-time metrics (FNF, IOS PA) and export them in NetFlow v9 to the management tool
3. Reporting tools: an advanced reporting tool aggregates and reports application performance (application visibility and user experience report), for example:

App     BW     Transaction Time
WebEx   3 Mb   150 ms
Citrix  10 Mb  500 ms

4. Control: use QoS and PfR (high/medium/low priority) on the routers to improve application performance
Make Your IWAN Application Aware: Add Cisco AVC
[Figure: branch users/machines and the proliferation of devices, Cisco AVC at the DC/headquarters, private cloud and public cloud]
60% of IT professionals cite performance as a key challenge for clo
No probes
• Rich data collection using NetFlow v9/IPFIX
• No additional hardware (included in the AX license)
• Easy to integrate into many reporting tools
Smart capacity planning
• Better use of costly bandwidth
• Per-branch and per-application level reporting
Business-aligned policy enforcement
• No need for complex IP and port ACLs
• See inside HTTP flows to identify specific cloud applications
Next Generation NBAR (NBAR2) Deep Packet Inspection (DPI)
NBAR2 = IOS NBAR (+150 signatures) + SCE classification (+1000 signatures) + innovations (native IPv6 classification, open API for 3rd-party integration)
• Provides advanced application classification and field extraction capabilities
• In-service upgradable protocol definitions: no IOS upgrade or reboot for new protocol packs
• Backward compatibility to preserve existing NBAR investments
Performance Collection & Exporting
Integrated performance monitoring and advanced metrics for different types of applications and use cases
• Basic monitoring: what applications, how much bandwidth, which flow direction? (Flexible NetFlow and NBAR/NBAR2)
• Advanced monitoring: voice and video performance (media monitoring), 30% of traffic is voice and video; critical applications performance (application response time), 40% of traffic is critical applications
Better Visibility with NBAR2 and FNF
• Application information exported in FNF records
• Reporting tools display top client and server
• show ip nbar protocol-discovery top-n

Router#show ip nbar protocol-discovery top-n 10
 GigabitEthernet0/0/3
                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            30sec Bit Rate (bps)     30sec Bit Rate (bps)
                            30sec Max Bit Rate (bps) 30sec Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   webex-meeting            45807530                 163458047
                            2497543722               129842885217
                            115000                   5998000
                            152000                   7799000
   bittorrent               59667396                 156155174
                            12768822744              103187176646
                            555000                   4715000
                            697000                   5077000

The same view doubles as a cheap detection source: here bittorrent is the second-heaviest protocol on the WAN interface by bytes, exactly the kind of unsanctioned traffic a branch policy should catch and that a per-application QoS or firewall class can act on.
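Added example, not part of the deck: a Flexible NetFlow configuration that exports the NBAR2 application name in each record to a collector, as the bullets above describe, plus the protocol-discovery setting that the show command depends on. The collector address 10.10.10.10, UDP port 2055, the source loopback and the record/exporter/monitor names are assumptions.

```cisco
! Application-aware flow record: the flow key plus the NBAR2 application id, which the
! exporter resolves to names for the collector through the application option table.
flow record AVC-APP-RECORD
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 match application name
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
! Export over the IWAN overlay to a collector in the data center. NetFlow/IPFIX is
! unauthenticated UDP: source it from a loopback and keep it off the DIA path, since
! the records reveal internal addresses and application usage.
flow exporter AVC-EXPORTER
 destination 10.10.10.10
 source Loopback0
 transport udp 2055
 export-protocol ipfix
 option interface-table
 option application-table
 template data timeout 60
!
flow monitor AVC-MONITOR
 exporter AVC-EXPORTER
 cache timeout active 60
 cache timeout inactive 15
 record AVC-APP-RECORD
!
! Attach in both directions on the WAN-facing interface; protocol discovery feeds the
! "show ip nbar protocol-discovery" view used above.
interface GigabitEthernet0/0/3
 ip nbar protocol-discovery
 ip flow monitor AVC-MONITOR input
 ip flow monitor AVC-MONITOR output
!
! Verify:
!   show flow monitor AVC-MONITOR cache format table
!   show flow exporter AVC-EXPORTER statistics
!   show ip nbar protocol-discovery interface GigabitEthernet0/0/3 top-n 10
```

The application option table is the piece people forget: without it the collector receives only numeric application ids and cannot show "webex-meeting" or "bittorrent" by name.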
DMVPN Network QoS Design
• Remark DSCP on egress to align with each SP's SLA class-of-service requirements
• H-QoS with shaping to the offered rate on egress
• Hub per-tunnel QoS to minimize spoke oversubscription
DSCP handling along the path (ISR-G2 branch to ASR 1000 hub across the WAN):
1. The packet is initially marked DSCP CS5
2. By default the DSCP value is copied to the IPsec (outer) header, so the encrypted packet also carries CS5
3. The top-most DSCP is remarked on egress to the SP class, here AF41; the inner, encrypted header still carries CS5
4. The packet is decapsulated at the far end, revealing the original DSCP CS5
Example policy, which remarks the DSCP value on the encrypted/encapsulated header on the egress interface (the MARK-BGP child policy is not shown on the slide):

policy-map WAN-OUT
 class VOICE
  priority percent 10
 class VIDEO-INTERACTIVE
  priority percent 23
  set ip dscp af41
 class NETWORK-MGMT
  bandwidth percent 5
  service-policy MARK-BGP
 class class-default
  bandwidth percent 25
  random-detect
!
policy-map Int-Gig-Agg-HE
 class class-default
  shape average 1000000000
  service-policy WAN-OUT

(Policy-map names are case sensitive in IOS; the slide's child reference "WAN-Out" would not match "WAN-OUT" and is corrected above.)
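Added example, not from the deck, of the per-tunnel QoS that the bullet list calls for: the hub keeps one shaped parent policy per spoke bandwidth tier, each nesting the WAN-OUT queuing policy shown above, and selects it from the NHRP group a spoke announces when it registers, so no spoke is sent more than its access rate and one slow spoke cannot cause head-of-line blocking for the others. Policy and group names and the two bandwidth tiers are assumptions.

```cisco
! ===== HUB =====
! One shaped parent per spoke tier, each nesting the queuing/remarking policy WAN-OUT
! from the slide. The parent is instantiated per spoke, so a 1.5 Mbps site is never
! sent more than 1.5 Mbps and cannot hold up queues meant for other spokes.
policy-map SPOKE-10M
 class class-default
  shape average 10000000
  service-policy WAN-OUT
policy-map SPOKE-1500K
 class class-default
  shape average 1500000
  service-policy WAN-OUT
interface Tunnel0
 ! The NHRP group announced by the spoke at registration selects the parent policy.
 ip nhrp map group SPOKE-10M service-policy output SPOKE-10M
 ip nhrp map group SPOKE-1500K service-policy output SPOKE-1500K
!
! ===== SPOKE =====
! The spoke declares its tier. A spoke that claims a bigger tier only over-subscribes
! its own circuit: the hub-side total is still bounded by the Int-Gig-Agg-HE shaper.
interface Tunnel0
 ip nhrp group SPOKE-1500K
! Spoke egress shaped to the offered rate of the access circuit, as the transport
! best practices require. The WAN-OUT classes match on DSCP, which IPsec copies to
! the outer header by default, so no "qos pre-classify" is needed here; it is needed
! only for classes that match inner addresses, ports or NBAR applications.
policy-map SHAPE-1500K
 class class-default
  shape average 1500000
  service-policy WAN-OUT
interface GigabitEthernet0/0
 service-policy output SHAPE-1500K
! Verify: show dmvpn detail (NHRP group per spoke), show policy-map multipoint tunnel 0
```

Because the group name is chosen by the spoke, treat it as a hint about the spoke's circuit, not as something the hub enforces against a misconfigured or compromised spoke; the aggregate shaper on the physical interface is what protects the hub.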
Add WAN Optimization: Speed and Bandwidth Benefits on Top of the IWAN
[Figure: branch users/machines with WAAS Express and vWAAS, WAN, DC/headquarters with AppNav-XE controller, CSR and WAVE, private cloud]
Faster applications, more users, less bandwidth
• 90% HD video optimization and better user experience
• Twice as many Citrix users over the same WAN, 70% faster
• Toyota: ROI in less than one year, 65% bandwidth cost savings
Easy to deploy
• Works with existing branch routers (and the existing AX license)
Scalable
• AppNav controller and WAVE pool are scalable
• Native HA capability
• Accelerates any TCP connection
Cisco WAAS: Enhancing User Experience and WAN Efficiency
Problem
• Application latency
• WAN bandwidth inefficiencies
Solution
• Reduce load: data redundancy elimination (DRE), compression, and TCP optimization
• Application optimization: fewer protocol messages and metadata caching
[Chart: application bandwidth (Mbps, 0 to 4) natively vs. with Cisco WAAS, and application latency (seconds, 0 to 160) natively vs. with Cisco WAAS, showing the reduction in bandwidth and the reduction in latency]
IWAN Secure Connectivity
Add Network Integrated Threat Defense: IOS Zone-Based Firewall
[Figure: branch ISR-G2 over DSL (ISP A) and cable (ISP C) to data center ASR 1000s]
• Control the perimeter:
 – External and internal protection: the internal network is no longer trusted
 – Protocol anomaly detection and stateful inspection
• Communicate securely:
 – Call-flow awareness (SIP, SCCP, H.323)
 – DoS mitigation (session and half-open connection limits)
• Flexible:
 – Split tunnel: branch/remote office/store/clinic
 – Internal FW for international or untrusted locations/segments; addresses regulatory compliance
• Integrated:
 – No need for additional devices, expenses and power
 – Works with other Cisco services: SRE, ScanSafe, WAAS Express
• Manageable:
 – Supports CLI, SNMP, CCP, and CSM
 – Supports Cisco Configuration Engine
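An illustrative IOS zone-based firewall configuration for a direct-Internet-access branch, added here and not taken from the deck: the LAN sits in an INSIDE zone, the Internet interface in an OUTSIDE zone, Internet-bound LAN traffic is inspected statefully and NATed, and the router's own self zone accepts nothing from the Internet except the DMVPN control and data plane (IKE, NAT-T, ESP). Interface names, zone and policy names, the 192.168.1.0/24 LAN and the corporate prefixes are assumptions; the Internet interface is assumed to be in the global routing table (with a front-door VRF the NAT statement needs the VRF-aware form, not shown here).

```cisco
zone security INSIDE
zone security OUTSIDE
!
! LAN -> Internet: stateful inspection of the protocols DIA is allowed to use;
! everything else is dropped and logged.
class-map type inspect match-any DIA-ALLOWED
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
 match protocol ntp
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect DIA-ALLOWED
  inspect
 class class-default
  drop log
!
! Internet -> router (self zone): only the DMVPN transport may reach the router.
! Nothing else initiated from the Internet is passed, which also keeps SSH, SNMP and
! HTTP management off the outside interface.
ip access-list extended DMVPN-TRANSPORT
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
class-map type inspect match-all DMVPN-TRANSPORT
 match access-group name DMVPN-TRANSPORT
policy-map type inspect OUTSIDE-TO-SELF
 class type inspect DMVPN-TRANSPORT
  pass
 class class-default
  drop
!
! Router -> Internet: the router's own sessions (DNS, NTP, CWS) go out inspected so
! their replies are admitted; DMVPN is passed stateless in both directions.
class-map type inspect match-any ROUTER-ORIGINATED
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect SELF-TO-OUTSIDE
 class type inspect DMVPN-TRANSPORT
  pass
 class type inspect ROUTER-ORIGINATED
  inspect
 class class-default
  drop
!
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF
zone-pair security SELF-OUTSIDE source self destination OUTSIDE
 service-policy type inspect SELF-TO-OUTSIDE
! No OUTSIDE -> INSIDE zone-pair exists, so unsolicited Internet traffic towards the
! LAN is dropped by default; only return traffic of inspected sessions gets in.
!
interface GigabitEthernet0/0
 description Internet (DIA)
 zone-member security OUTSIDE
 ip nat outside
interface GigabitEthernet0/1
 description Branch LAN
 zone-member security INSIDE
 ip nat inside
! The decrypted overlay arrives on Tunnel0, so the tunnel is zoned with the LAN; the
! Internet policy applies only to the encrypted transport on Gi0/0.
interface Tunnel0
 zone-member security INSIDE
!
! Split tunnel: only LAN traffic that is not destined for the corporate network is
! NATed to the DIA address; corporate prefixes (assumed 192.168.0.0/16 and
! 10.0.0.0/8) ride the tunnel and must never be translated.
ip access-list extended DIA-NAT
 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list DIA-NAT interface GigabitEthernet0/0 overload
! Verify: show zone-pair security, show policy-map type inspect zone-pair sessions
```

The order of the deny lines in DIA-NAT matters: if the corporate prefixes are not excluded, traffic that should take the tunnel is translated and sent to the Internet the moment the tunnel route is less specific than the default, which is the classic split-tunnel leak.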
Intelligent WAN: Direct Internet Access
[Figure: branch with MPLS (IP-VPN) to the private cloud and virtual private cloud, and direct Internet access to the public cloud]
• Leverage the local Internet path for public cloud and Internet access
• Improve application performance (right flows to right places)
Secure Internet Access: Cloud Web Security (CWS)
[Figure: branch with WAN1 (IP-VPN) and WAN2 (Internet); the IWAN IPsec VPN carries private cloud traffic, the IOS firewall protects the Internet edge, and the ISR connector sends web traffic to the CWS towers on the way to the public cloud and Internet]
Secure public cloud and Internet access:
• ISR connector to CWS towers: web filtering, access policy, malware detection
• IWAN IPsec VPN for private cloud traffic
• IOS firewall to protect the Internet edge
Cisco Cloud Web Security (CWS)
CWS offers consistent, enforceable, high-performance web security and policy, regardless of where or how users access the Internet
User granularity
• Integration with existing network infrastructure (e.g., routers, firewalls)
• Integration with directory services
• Numerous deployment options
Policy control
• Web 2.0 content control
• Dynamic web classification
• HTTP/HTTPS scanning
• SearchAhead
Security
• Outbreak intelligence
• Billions of web requests every day
• Real-time content analysis of all web content
• Effective zero-day threat protection
Centralized policy and granular reporting
• Flexible reporting with over 75 attributes
• Deep, drill-down visibility
• Overview, trending and forensic data
[Figure: administrator, office-based users, roaming users and mobile devices reaching the Internet through CWS]
Cisco ISR CWS Connector: How it Works
[Figure: branch ISR G2 with a DSL interface; HQ routes and HQ traffic follow the WAN tunnel over MPLS (IP-VPN) to the private cloud; the default route goes out the Internet interface through the CWS connector to the public cloud and Internet]
Cisco ISR G2 with CWS cloud connector, functions:
• Authenticate router and client to the CWS cloud
• Intercept HTTP/HTTPS traffic based on ACL filters
• Add a user-credentials header identifying the policy to be applied
• Traffic relay: replace the client source IP address with the egress address
• Redirect to CWS for scanning
• Act as an HTTP proxy to complete requests
• Allow, block or warn based on user or group policy
• Scan for malware
IWAN Management
IWAN Network Management Solutions From Cisco and NMS Partners
• Cisco Prime Infrastructure: provides enterprise and integrator life-cycle network management applications
• Glue Networks: delivers a cloud-based simplified deployment portal
• LiveAction: IWAN AVC and PfR configuration and monitoring
• SDN ready with onePK: comprehensive programmability kit to enable SDN provisioning applications
Cisco Prime Infrastructure: Realizing the Vision of One Management
• Lifecycle: simplified deployment and configuration
• Assurance: improved application delivery
• Compliance: regulatory requirements and best practices
Cisco Prime Lifecycle Services: Improve Network Control and Operational Productivity
Network configuration
• Plug-n-Play deployment automation
• Discovery, inventory, SWIM, templates, archive, etc.
• Converged wired and wireless workflows: CWS, VPN, firewall, ACL, routing, VLAN
Network health
• Sites, users and role-based access control
• Static and dynamic grouping, virtual domains
• RF design, device health dashboards, fault and reports
• Device 360, Interface 360
Network compliance and support
• Industry and regulatory compliance
• Smart Interactions
• Northbound REST APIs
• Prime Infrastructure toolbar and mobile application
Prime Plug-n-Play Solution Components
[Figure: branch with WAN1 (IP-VPN) and WAN2 (Internet) to the private cloud hosting the Prime Infrastructure server]
• PnP application: installer application for iPhone, iPad, and Windows PC used for authenticating and booting the IOS device
• Prime Infrastructure server: manages and distributes deployment information (images, configurations, and licenses)
• CNS protocol: Cisco PnP protocol for loading the IOS image and initial configuration
• IOS CNS agent: uses the bootstrap config to access the PnP server
Glue Networks IWAN Orchestration
• Cloud-based SaaS subscription model
• Eliminates manual building of WANs
• Automated WAN orchestration and management
• Quick configuration updates and IOS upgrades
• Rapidly delivers next-gen and IWAN features
• Forward compatible with SDN and onePK for application-aware WANs
• Broadband and MPLS support for centralized hybrid WAN management for IWAN
LiveAction (formerly ActionPacked): Application-Aware Network Performance Management + QoS Control
• Deploy: quickly deploy/enable NBAR2, CEF, QoS, AVC, Medianet, IP SLA
• Analyze: easily monitor/analyze QoS, NetFlow, PfR, IP SLA, routing, LAN
• Troubleshoot: application performance over the WAN: QoS, PfR, routing, IP SLA
• Solve: fix and verify QoS and applications in real time
[Figure: end-to-end flow visualization and network situational awareness; the selected flow is highlighted with flow rate information and QoS marking]
IWAN 1.0 Management Tool Matrix
[Table: management tool per IWAN function. Functions: simplified deployment, transport-independent design, intelligent path control, application optimization, secure Internet connectivity, network health and status. Tools named: Prime Infrastructure (including AVC) for most functions, WAAS Central Manager for WAN optimization]
Conclusion
Why Cisco IWAN
Proven security at scale
• Any-to-any security
• Protect all branch resources
• Secure direct Internet access
Unmatched context-based routing
• App-aware
• Endpoint-aware
• Network-aware
Quick ROI, faster than alternatives
• Savings enable business innovation
[Figure callouts for the payback period ("many pay off in ...") and the savings percentage ("up to ... in savings"); the values did not survive extraction]
Granular control everywhere
• Branch: ISR-AX
• DC: ASR1K-AX
• Cloud: CSR1000V
Integrated platform for IT simplicity. The alternative is overlay appliances: application visibility and control, IPsec VPN, WAN optimization, firewall, WAN path selection and router as separate boxes.
Useful Links
• Cisco Validated Designs for Enterprise WAN
• Remote Sites Using Local Internet Access Technology Design Guide
• NBAR2 Protocol Library