Cisco Intelligent WAN: Enabling the Next-Generation Branch, Technical Overview
David Prall, Communications Architect, [email protected], CCIE 6508 (R&S/SP/Security)

Upload: cisco-public-sector

Post on 11-Apr-2017


TRANSCRIPT

Page 1: Intelligent wan

Cisco Intelligent WAN: Enabling the Next-Generation Branch Technical Overview

David Prall, Communications Architect

[email protected]

CCIE 6508 (R&S/SP/Security)

Page 2: Intelligent wan

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation ID

Agenda

• IWAN Architecture Overview

• Transport Independence

• Intelligent Path Control

• Application Optimization

• Secure Connectivity

• Orchestration & Automation

• Product Portfolio

• Closing – Why IWAN?

Page 3: Intelligent wan

What If Your WAN Can…

• Pinpoint Application Issues Instantly (from hours to minutes): Improve Your Application Performance

• Increase WAN Utilization (from 1x to 2x–20x): Deliver More Bandwidth for Lower Cost

• Consistent Security Policies (from backhaul to local & cloud): Ensure Security Over Any Connection

• Simplify Operations (from device-by-device to system): Reduce Network Complexity

Page 4: Intelligent wan

Internet as an Extension of Enterprise WAN

• Commodity Transports Viable Now

• Dramatic Bandwidth, Price Performance Benefits

• Higher Network Availability

• Improved Internet Performance

Page 5: Intelligent wan

Intelligent WAN: Leveraging the Internet – Secure WAN Transport and Internet Access

[Diagram: Branch connected by Optimized Secure Transport over MPLS (IP-VPN) and by Direct Cloud Access over the Internet to Private Cloud, Virtual Private Cloud and Public Cloud]

1. IWAN Secure transport for private and virtual private cloud access

2. Leverage local Internet path for public cloud and Internet access

✓ Increase WAN transport capacity and app performance cost effectively!

✓ Improve application performance (right flows to right places)

Page 6: Intelligent wan

Intelligent WAN: So What is New Here?

[Diagram: Branch connected by Optimized Secure Transport over MPLS (IP-VPN) and by Direct Internet Access over the Internet to Private Cloud, Virtual Private Cloud and Public Cloud]

1. IWAN Secure transport for private and virtual private cloud access

2. Leverage local Internet path for public cloud and Internet access

✓ Increase WAN transport capacity and app performance cost effectively!

✓ Improve application performance (right flows to right places)

• Mixed transport WANs with High Reliability

• Service Levels for Business-Critical Applications

• Centralized Security Policy for Internet Access

• Dramatically Lower WAN Costs Without Compromise

Page 7: Intelligent wan

Intelligent WAN Deployment Models

Dual MPLS (MPLS + MPLS, both from public providers):
✓ Highest SLA guarantees
– Tightly coupled
✗ Expensive

Hybrid (MPLS + Internet; public MPLS, enterprise-managed Internet):
✓ More BW for key applications
✓ Balanced SLA guarantees
– Moderately priced

Dual Internet (Internet + Internet, enterprise-managed):
✓ Best price/performance
✓ Most SP flexibility
– Enterprise responsible for SLAs

Consistent VPN Overlay Enables Security Across Transition

Page 8: Intelligent wan

Intelligent WAN (IWAN) Architecture

[Diagram: Enterprise Unified Branch connected over MPLS, Internet and 3G/4G-LTE to Private Cloud, Virtual Private Cloud and Public Cloud]

• Transport Independence: Simplified Hybrid WAN

• Intelligent Path Control: Application Aware Routing

• Application Optimization: Enhanced Application Visibility and Performance

• Secure Connectivity: Comprehensive Threat Defense

• Management Automation

Page 9: Intelligent wan

IWAN: An Architectural and Systems Approach

• IWAN is a Solution Architecture
  – Solves a network problem
  – Use Case Driven
  – Systems Development Approach

• Prescribed. Tested. Interoperable.
  – Bounded Scope and Complexity
  – Enables Automation and Quality

• Delivers Business Outcomes
  – Reduce Operational Complexity
  – Reduce WAN costs, Increase bandwidth
  – Improve Application Performance
  – Direct Cloud Access
  – Guest Access Offload

Page 10: Intelligent wan

Transport Independence: Virtualizing the Enterprise WAN

Page 11: Intelligent wan

Flexible Secure IWAN Over Any Transport

Flexible – Simplifies WAN Design:
• Easy multi-homing over several providers
• Single routing control plane over the top of provider networks

Flexible – Dynamic Full-Meshed Connectivity:
• Consistent design over all WAN service offerings
• Scalable Hub-n-spoke and full mesh topologies

Secure – Proven Robust Security:
• Industry Certified security compliance
• Scalable high-performance cryptography in hardware

[Diagram: Transport-Independent overlay from a Branch ISR over the Internet and MPLS WAN to ASR 1000 routers in the Data Center]

Page 12: Intelligent wan

IWAN Transport Independence: Consistent deployment models simplify operations

[Diagram: three deployment models, each with a Branch ISR and Data Center ASR 1000 routers joined by one DMVPN per transport]

• IWAN Hybrid: DMVPN over Internet (ISP A) + DMVPN over MPLS (SP B)

• IWAN Hybrid/LTE: DMVPN over 4G/LTE (ISP C) + DMVPN over MPLS (SP B)

• IWAN Dual MPLS: DMVPN over MPLS (SP A) + DMVPN over MPLS (SP B)

Page 13: Intelligent wan

Building Highly Resilient WANs: Redundancy and Path Diversity Matter

Single router, single path:
• MPLS: 99.95%* availability
• Internet: 99.90%* availability
• Downtime per year: 4–9 Hours / 8 Hours 46 Minutes

Single router, dual paths (MPLS + MPLS, MPLS + Internet, Internet + Internet):
• 99.995% availability, 26 Minutes downtime per year

Dual routers, dual paths (MPLS + MPLS, MPLS + Internet, Internet + Internet) – IWAN Solution:
• 99.999% availability, 5 Minutes downtime per year

* Typical MPLS and Business Grade Broadband Availability SLAs and Downtime per Year, calculated with Cisco AS DAAP tool.

Page 14: Intelligent wan

IWAN Transport Independent Design with Dynamic Multipoint VPN (DMVPN)

• Proven IPsec VPN technology
  – Widely deployed, Large scale
  – Standards based IPsec and Routing
  – Adv QOS: hierarchical, per tunnel and adaptive

• Flexible & Resilient
  – Over any transport: MPLS, Carrier Ethernet, Internet, 3G/4G, …
  – Hub-n-Spoke with Dynamic full mesh Topology
  – Multiple encryption, key management, routing options
  – Multiple redundancy options: platform, hub, transports

• Secure
  – Industry Certified IPsec and Firewall
  – NG Strong Encryption: AES-GCM-256 (Suite B)
  – IKE Version 2
  – IEEE 802.1AR Secure unique device identifier

• Simplified IWAN Deployments
  – Prescriptive validated IWAN designs
  – Automated provisioning – Prime, IWAN-App, Glue

[Diagram: IWAN Hybrid – Branch with DMVPN Purple over Internet (ISP A) and DMVPN Green over MPLS (SP B) to the Data Center]

Page 15: Intelligent wan

Over-the-Top WAN Design with Dynamic Multipoint VPN (DMVPN)

Secure on-demand tunnels:

• Branch spoke sites establish a DMVPN tunnel with IPsec encryption to, and register with, the hub site

• IP routing exchanges prefix information for each site

• BGP or EIGRP are typically used for scalability

• WAN interface address used as the tunnel address, so the provider network does not need to know or route customer internal IP prefixes

• Data traffic flows over the DMVPN tunnels

• When traffic flows between spoke sites, the hub assists the spokes to establish a site-to-site tunnel

• Per-tunnel QOS is applied to prevent the hub site from overrunning spoke sites

[Diagram: Traditional Static Tunnels (static, known IP addresses) versus DMVPN On-Demand Tunnels (dynamic, unknown IP addresses); ASR 1000 hub with IPsec VPN to ISR G2 routers at Branch 1, Branch 2 … Branch n]

Page 16: Intelligent wan

DMVPN: How it Works

• Spokes build a dynamic permanent GRE/IPsec tunnel to the hub, but not to other spokes. They register as clients of the NHRP server (hub) and register their NBMA address

• Active-Active redundancy model: two or more hubs per spoke
  – All configured hubs are active and are routing neighbors with spokes
  – Routing protocol routes are used to determine traffic forwarding

• A spoke will initially send a packet to a destination (private) subnet behind another spoke via the hub, and the hub will send it an NHRP redirect.

• The redirect triggers the spoke to send an NHRP query for the data packet destination address behind the destination spoke

• The destination spoke initiates a dynamic GRE/IPsec tunnel to the source spoke (it now knows its NBMA address) and sends the NHRP reply.

• The dynamic spoke-to-spoke tunnel is built over the same mGRE tunnel interface

• When traffic ceases then the spoke-to-spoke tunnel is removed

[Diagram: Dual DMVPN Design – single mGRE tunnel on each hub, two mGRE tunnels on each spoke. Hubs: Physical 172.17.0.1 / Tunnel0 10.0.0.1 and Physical 172.17.0.5 / Tunnel1 10.0.1.1, hub LAN 192.168.0.0/24. Spokes: Physical (dynamic), Tunnel0 10.0.0.11 / Tunnel1 10.0.1.11 and Tunnel0 10.0.0.12 / Tunnel1 10.0.1.12, with LANs 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 (router at .1 on each)]
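The spoke-to-spoke sequence above, as an added Python simulation (not Cisco code and not part of the deck): spokes register with the hub, the first packet toward a remote spoke's LAN goes via the hub and triggers an NHRP redirect, the resolution reply builds the direct tunnel, and the tunnel is removed once idle. It uses the slide's hub and tunnel addresses; the spoke NBMA addresses (203.0.113.x) and the spoke LAN assignment are constructed.

```python
"""Simulation of the DMVPN spoke-to-spoke flow described on the slide.

Added example, not Cisco code. It models NHRP registration, the hub's NHRP redirect,
the resolution request/reply and the idle teardown of the dynamic spoke-to-spoke
tunnel. Hub addresses (Tunnel0 10.0.0.1, NBMA 172.17.0.1, LAN 192.168.0.0/24) and
spoke tunnel addresses 10.0.0.11 / 10.0.0.12 are the slide's; the spoke NBMA
addresses (203.0.113.11 / 203.0.113.12) and spoke LAN assignment are constructed.
"""
import ipaddress


def in_net(ip, prefix):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)


class Spoke:
    def __init__(self, name, tunnel_ip, nbma_ip, lan):
        self.name, self.tunnel_ip, self.nbma_ip, self.lan = name, tunnel_ip, nbma_ip, lan
        self.cache = {}      # NHRP cache: remote tunnel ip -> remote NBMA ip (dynamic tunnel up)
        self.shortcuts = {}  # NHRP shortcut routes: remote LAN prefix -> remote tunnel ip
        self.idle = {}       # remote tunnel ip -> seconds since the tunnel last carried data
        self.log = []        # NHRP events seen by this spoke


class Hub:
    """NHRP server: holds spoke registrations and the routes learned from spokes."""
    def __init__(self, tunnel_ip, nbma_ip, lan):
        self.tunnel_ip, self.nbma_ip = tunnel_ip, nbma_ip
        self.nhrp = {}                  # registered spoke tunnel ip -> spoke NBMA ip
        self.routes = {lan: tunnel_ip}  # LAN prefix -> next-hop tunnel ip (routing protocol)

    def register(self, spoke):           # spoke registers its NBMA address, becomes a neighbor
        self.nhrp[spoke.tunnel_ip] = spoke.nbma_ip
        self.routes[spoke.lan] = spoke.tunnel_ip

    def next_hop(self, dst_ip):
        return next((nh for p, nh in self.routes.items() if in_net(dst_ip, p)), None)


class Dmvpn:
    def __init__(self, hub):
        self.hub, self.spokes = hub, {}

    def add_spoke(self, spoke):
        self.hub.register(spoke)
        self.spokes[spoke.tunnel_ip] = spoke

    def send(self, src, dst_ip):
        """Spoke src sends one data packet to dst_ip; returns the hops it crosses."""
        for prefix, remote in src.shortcuts.items():
            if in_net(dst_ip, prefix):                # shortcut installed: direct spoke-to-spoke
                src.idle[remote] = self.spokes[remote].idle[src.tunnel_ip] = 0
                return [src.name, self.spokes[remote].name]
        nh = self.hub.next_hop(dst_ip)
        if nh is None or nh == self.hub.tunnel_ip:    # destination behind the hub itself
            return [src.name, "hub"]
        # First packet follows the routing table over the static tunnel to the hub; the hub
        # forwards it out of the same mGRE interface and sends the source an NHRP redirect.
        dst = self.spokes[nh]
        src.log.append(f"data to {dst_ip} forwarded via hub; NHRP redirect received")
        self.resolve(src, dst_ip, dst)
        return [src.name, "hub", dst.name]

    def resolve(self, src, dst_ip, dst):
        """NHRP resolution triggered by the redirect."""
        # The request travels src -> hub -> dst and carries src's NBMA address.
        src.log.append(f"NHRP resolution request for {dst_ip} sent via hub")
        dst.cache[src.tunnel_ip] = src.nbma_ip       # dst knows src's NBMA: builds GRE/IPsec tunnel
        dst.idle[src.tunnel_ip] = 0
        # The reply comes back directly over the new tunnel with dst's NBMA and LAN prefix.
        src.cache[dst.tunnel_ip] = dst.nbma_ip
        src.idle[dst.tunnel_ip] = 0
        src.shortcuts[dst.lan] = dst.tunnel_ip
        src.log.append(f"NHRP reply from {dst.tunnel_ip} (NBMA {dst.nbma_ip}) for {dst.lan}")

    def tick(self, seconds, hold=600):
        """Advance idle timers; tear down spoke-to-spoke tunnels idle for the hold time."""
        for s in self.spokes.values():
            for remote, idle in list(s.idle.items()):
                if idle + seconds >= hold:
                    del s.idle[remote], s.cache[remote]
                    s.shortcuts = {p: r for p, r in s.shortcuts.items() if r != remote}
                    s.log.append(f"spoke-to-spoke tunnel to {remote} removed (idle)")
                else:
                    s.idle[remote] = idle + seconds


def build_network():
    net = Dmvpn(Hub("10.0.0.1", "172.17.0.1", "192.168.0.0/24"))
    net.add_spoke(Spoke("spoke1", "10.0.0.11", "203.0.113.11", "192.168.1.0/24"))  # NBMA constructed
    net.add_spoke(Spoke("spoke2", "10.0.0.12", "203.0.113.12", "192.168.3.0/24"))  # NBMA constructed
    return net


if __name__ == "__main__":
    net = build_network()
    s1 = net.spokes["10.0.0.11"]
    print(net.send(s1, "192.168.3.7"), net.send(s1, "192.168.3.7"))  # via hub, then direct
    net.tick(600)                                                     # idle: tunnel removed
    print(net.send(s1, "192.168.3.7"), *s1.log, sep="\n")
```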

Page 17: Intelligent wan

IWAN Transport Best Practices

• Private peering with Internet providers
  – Use same Internet provider for hub and spoke sites
  – Avoids Internet Exchange bottlenecks between providers
  – Reduces round trip latency

• DMVPN Phase 3
  – Scalable dynamic site-to-site tunnels
  – Separate DMVPN per transport for path diversity
  – Per tunnel QOS
  – NG Encryption – IKEv2 + AES-GCM-256 encryption

• Transport settings
  – Use the same MTU size on all WAN paths
  – Bandwidth settings should match offered rate

• Routing Overlay
  – iBGP or EIGRP for high scale
  – Single routing process, simplified operations
  – Front-side VRF to isolate provider networks

[Diagram: IWAN Hybrid – Branch with DMVPN Purple over Internet (ISP A) and DMVPN Green over MPLS (SP B) to the Data Center]

Page 18: Intelligent wan

Intelligent Path Control: Improving Application Delivery and WAN Efficiency

Page 19: Intelligent wan

Getting the Most Out of Your WAN Investment: Benefits of Intelligent Path Control

[Diagram: Branch ISR to Data Center ASR 1000 routers over MPLS and Internet]

• Enabling Hybrid WANs – Efficient Distribution of Traffic Based Upon Load or Path Preference → Lower WAN Costs, Full Utilization of WAN Bandwidth

• Application Best Path Based on Quality → Improved Application Performance

• Protection From Carrier Black Holes and Brownouts → Higher Application Availability

Page 20: Intelligent wan

Intelligent Path Control with PfR: Voice and Video Use-Case

[Diagram: Branch connected over MPLS and Internet to a Virtual Private Cloud and a Private Cloud]

• PfR monitors network performance and routes applications based on policy

• PfR load balances traffic based upon link utilization levels to efficiently utilize all available WAN bandwidth

• Voice/Video take the best delay, jitter, and/or loss path

• Voice/Video will be rerouted if the current path degrades below policy thresholds

• Other traffic is load balanced to maximize bandwidth

Page 21: Intelligent wan

What is Performance Routing (PfR)?

“Performance Routing (PfR) provides additional intelligence to classic routing to track and verify the quality of a path over a Wide Area Networking (WAN) to determine the best path for application traffic....”

[Diagram: Branch with a combined MC+BR router; Data Center with a Master Controller (MC) and two Border Routers (BR), one on MPLS and one on Internet]

Page 22: Intelligent wan

Protecting Critical Applications While Increasing Bandwidth Utilization

Multimedia and Critical Data Policy:

• Protect voice and video quality: Latency < 150 ms, Jitter < 20 ms

• Protect Email applications from WAN congestion: Loss < 5%

• Voice and video preferred path SP1

• Email preferred path ISP

• Increase utilization by load sharing

Business App and Load-Balancing Policy:

• Protect transactional business app from brownouts: delay < 250 ms

• Preferred path SP1 (MPLS)

• Increase WAN bandwidth efficiency by load-sharing traffic over all WAN paths, MPLS + Internet

[Diagram: two WAN paths, SP1 (MPLS) and ISP (FTTH/DSL). Voice and Video and the Business App use SP1, Email uses ISP, Best-Effort Traffic is shared across both; when High Delay or High Jitter is detected on SP1, the affected class moves to ISP]
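The two policies above, as an added Python example (not Cisco's PfR code): per traffic class it keeps the preferred path while that path is within the slide's thresholds, reroutes to another in-policy path when a threshold is crossed (the "High Jitter Detected" case), and load-shares best-effort traffic on link utilization using the MPLS/Internet bandwidths from the load-balancing slide. The measurements are constructed, and keeping the preferred path when every path is out of policy is this example's assumption.

```python
"""Path selection for the two PfR policies on the slide.

Added example, not Cisco's PfR implementation. Thresholds and preferred paths are
the slide's: voice/video latency < 150 ms and jitter < 20 ms on SP1, email loss < 5%
on ISP, business app delay < 250 ms on SP1, best-effort load-shared. Measurements are
constructed; keeping the preferred path when every path is out of policy is this
example's assumption, not documented PfR behaviour.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class PathStats:
    delay_ms: float
    jitter_ms: float
    loss_pct: float
    bandwidth_kbps: float
    load_kbps: float

    @property
    def utilization(self) -> float:
        return self.load_kbps / self.bandwidth_kbps


@dataclass
class Policy:
    name: str
    preferred: Tuple[str, ...]          # path names in order of preference; () = load-share
    delay_ms: Optional[float] = None    # each threshold is an upper bound ("< value")
    jitter_ms: Optional[float] = None
    loss_pct: Optional[float] = None


POLICIES = {
    "voice-video": Policy("voice-video", ("SP1",), delay_ms=150, jitter_ms=20),
    "email": Policy("email", ("ISP",), loss_pct=5),
    "business-app": Policy("business-app", ("SP1",), delay_ms=250),
    "best-effort": Policy("best-effort", ()),
}


def violations(policy: Policy, stats: PathStats) -> list:
    """Metrics on which this path breaks the policy thresholds (empty = in policy)."""
    out = []
    if policy.delay_ms is not None and stats.delay_ms >= policy.delay_ms:
        out.append("delay")
    if policy.jitter_ms is not None and stats.jitter_ms >= policy.jitter_ms:
        out.append("jitter")
    if policy.loss_pct is not None and stats.loss_pct >= policy.loss_pct:
        out.append("loss")
    return out


def choose_path(policy: Policy, paths: dict) -> tuple:
    """Pick the path for one traffic class; returns (path name, reason)."""
    if not policy.preferred:                      # no preference: balance on utilization
        return min(paths, key=lambda p: paths[p].utilization), "load-share"
    for name in policy.preferred:                 # stay on the preferred path while in policy
        if name in paths and not violations(policy, paths[name]):
            return name, "preferred"
    for name, stats in paths.items():             # otherwise any other in-policy path
        if name not in policy.preferred and not violations(policy, stats):
            bad = ",".join(violations(policy, paths[policy.preferred[0]]))
            return name, f"rerouted: {bad} on {policy.preferred[0]}"
    return policy.preferred[0], "all paths out of policy; keeping preferred"


if __name__ == "__main__":
    # constructed measurements: SP1 is the 1.5 Mbps MPLS link, ISP the 15 Mbps Internet link
    paths = {
        "SP1": PathStats(delay_ms=40, jitter_ms=35, loss_pct=0.1, bandwidth_kbps=1500, load_kbps=750),
        "ISP": PathStats(delay_ms=60, jitter_ms=8, loss_pct=0.5, bandwidth_kbps=15000, load_kbps=6000),
    }
    for cls, pol in POLICIES.items():
        print(f"{cls:13} -> {choose_path(pol, paths)}")
```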

Page 23: Intelligent wan

Load Balancing: Maximizing Link Utilization to Increase Available Bandwidth

• Traffic distributed across all paths to efficiently use all WAN bandwidth

• Load Balancing based upon link utilization levels

• External links can have different bandwidth capacities: MPLS = 1.5 Mbps, Internet = 15 Mbps

[Diagram: Branch ISR to Data Center ASR 1000 routers; 50% of the T1 = 750 kbps on MPLS, 50% of 15 Mbps = 7.5 Mbps on Internet]

Page 24: Intelligent wan

Performance Routing – Components

• The Decision Maker: Master Controller (MC)
  – Discover BRs, collect statistics
  – Apply policy, verification, reporting
  – No packet forwarding/inspection required

• The Forwarding Path: Border Router (BR)
  – Does all packet forwarding
  – Visibility in network performance
  – Enforce MC’s decision (path enforcement)

• The Policy Controller: Domain Controller (DC)
  – Discover site peers, prefixes and connected networks
  – Advertise policy and services
  – One per domain, collocated with MC

[Diagram: Branch MC+BR router; Data Center DC/MC with two BRs, one on MPLS and one on Internet]

Page 25: Intelligent wan

PfR Domain Controller

• Domain Controller (DC) Peering Framework
  – Site MCs register to Domain
  – Advertise to, or request services
  – Simplifies deployment and configuration
  – Provides topology auto-discovery

• Single point of configuration across the domain

• Used to distribute information to sites:
  – Learned site-prefix
  – Application/Traffic Policies
  – Performance monitoring
  – Traffic Class Database

[Diagram: Domain Controller collocated with the Master Controller (DC/MC) behind BRs on WAN1 and WAN2; branch sites run MC+BR]

Page 26: Intelligent wan

How PfR Works: Key Operations

1. Define Your Traffic Policy: define Traffic Classes and service level Policies based on Applications or Transport Classifiers

2. Learn the Traffic: Border Routers learn current traffic classes going to the WAN based on classifier definitions (Learning Active TCs)

3. Measurement: measure the traffic flow and network performance and report metrics to the Master Controller (Performance Measurements)

4. Path Enforcement: Master Controller commands path changes based on traffic class policy definitions (Best Path)

[Diagram: ISR and ASR1K Border Routers at the Data Center with the MC, and MC+BR branch sites, repeated for each step]

Page 27: Intelligent wan

Intelligent Path Control: Path of Last Resort – New (IWAN 2.2, Spring 16)

• Simplifies and speeds up failover routing to a backup only path

• Granular failover per traffic class policy

• Extends path-preference to include a last-resort path(s)

• Removes the need for the routing protocol to initiate failover

• Good choice for cellular, satellite and other backup only paths

[Diagram: Branch Site router R14 (MC/BR) with DMVPN over MPLS, INET and LTE; DC1 and DC2 each with DC/MC, MC and BRs on MPLS, INET, MPLS2 and INET2, an ASA, and an LTE BR]

Page 28: Intelligent wan

Application Optimization

Page 29: Intelligent wan

Today’s Network is an IT Blind Spot

• Static port classification is no longer enough

• More and more apps are opaque

• Increasing use of encryption and obfuscation

• Application consists of multiple sessions (video, voice, data)

• What if user experience is not meeting business needs?

Page 30: Intelligent wan

Make Your IWAN Application Aware: Application Visibility and Control (AVC)

[Diagram: Cisco AVC on the Branch and DC/Headquarters routers between the proliferation of devices (users/machines) and the Private Cloud and Public Cloud]

Application Performance Visibility:
• Application inspection with existing routers
• Rich data collection using NetFlow v9/IPFIX
• Easy to integrate into many reporting tools

Smart Capacity Planning:
• Better use of costly bandwidth
• Per-branch and per-application level reporting

Business Objective Enforcement:
• Service Level monitoring per application
• Better Analytics to adjust network policies to maintain compliance

Page 31: Intelligent wan

Performance Collection & Exporting: Integrated performance monitoring and advanced metrics for different types of applications and use cases

• Basic Monitoring: What applications, how much bandwidth, flow direction? (NBAR2 and Flexible NetFlow)

• Voice and Video Performance (Media Monitoring): 30% of traffic is voice and video

• Critical Applications Performance (Application Response Time, e.g. HTTP): 40% of traffic is critical applications

• Unified Monitoring

Page 32: Intelligent wan

Application Performance Monitoring for IWAN: Track and Report Application Flows and Performance

[Diagram: AVC on the Branch, Enterprise Edge and DC/Headquarters routers and on CSR; NetFlow v9/IPFIX exported from the WAN edge to the collecting tools]

NetFlow/IPFIX Records (Same provisioning, same format):
• Traffic statistics records
• Application Response Time records
• Media monitoring records (Application, Jitter, Loss, etc)

Provisioning, Exporting (NetFlow v9 Export/IPFIX Export) and Collecting:
• Cisco Tools: Prime, APIC-EM
• Partner Tools Ecosystem: LiveAction, Glue Networks, Plixer, Living Objects, CompuWare, CA Technologies

Page 33: Intelligent wan

Add WAN Optimization with WAAS + Akamai: Speed and Bandwidth Benefits on Top of the IWAN

[Diagram: vWAAS at the Branch, AppNav-XE Controller and WAVE/vWAAS behind a CSR at the DC/POP, with the proliferation of devices (users/machines) and the Private Cloud at either end of the WAN]

Application Optimization – Improving Application Performance:
• Improved Application performance, delay mitigation, less bandwidth
• Twice as many Citrix users over same WAN, 70% faster
• Typical ROI in less than one year, 65% BW cost savings

Content Caching & Prepositioning:
• Reduces WAN bandwidth usage, while accelerating applications
• Intelligent caching of internal and Internet content
• Prepositioning of data and rich media before it is needed

Simple and Scalable:
• Works with existing branch routers
• Scale out optimization resources with AppNav
• Native HA resiliency

Page 34: Intelligent wan

Akamai Connect Part of Cisco Intelligent WAN

Cisco Intelligent WAN pillars:
• Transport Independent: DMVPN/IPsec
• Intelligent Path Control: Performance Routing (PfR)
• Application Optimization: Application Visibility and Control (AVC), Akamai Connect, WAAS
• Secure Connectivity: IOS Firewall/IPS, Cloud Web Security

Akamai Connect:
• Transparent Cache
• Dynamic URL Cache
• Akamai Connected Cache
• Content Pre-positioning

Cisco WAAS:
• LZ Compression
• TCP Optimization
• Data De-duplication
• Application Specific Acceleration

Page 35: Intelligent wan

Application Optimization: Enhancing User Experience and WAN Efficiency

[Diagram: Branch end-users behind an ISR-AX with Akamai Connect (ISR-AX+AC); Akamai Connect integrated into Cisco ISR-AX routers reaches the Akamai Intelligent Platform over the Internet and the Data Center WAAS over the WAN]

Any Device, Connectivity, Cloud: Mobile Apps, Video, Software Downloads, Digital Signage, Catalogs, Guest WiFi

Result:
• Reduce Load: ~70+% of HTTP/S data served from cache
• Improve Response Time: 51% reduction in load time

[Chart: Avg. Load Time (sec.), scale 0–9, WAAS + AKC versus Native WAN]

Page 36: Intelligent wan

IWAN – Application Optimization with Akamai Connect

Akamai Connect accelerates HTTP/HTTPS applications, video and content in the branch, while maximizing existing enterprise network bandwidth

[Diagram: Branch end-users behind an ISR-AX with Akamai Connect (ISR-AX+AC), integrated into Cisco ISR-AX routers; Internet to the Akamai Intelligent Platform, WAN to the Data Center WAAS]

Page 37: Intelligent wan

Cisco WAAS & Akamai Connect Deployment Models

Data Center or Private Cloud:
• WAAS Appliances
• vWAAS Appliances on VMware ESXi alongside Server VMs
• ASR1K + AppNav-XE

Virtual Private Cloud:
• vWAAS and Server VMs on a VMware ESXi Server with Nexus 1000v, UCS/x86 Server and FC SAN
• CSR1000v + AppNav-XE

Branch Office (reached over WAN and Internet):
• ISR-WAAS on ISR 4000
• WAAS Appliance
• WAAS Service Module / UCS-E

Page 38: Intelligent wan

Recent/Upcoming App Opt enhancements

• Single sided SSL enables DIA HTTPS caching with Akamai Connect

Page 39: Intelligent wan

HTTPS Acceleration and Caching – Today

[Diagram: Client ↔ Client WAAS & Akamai Connect ↔ Server WAAS ↔ SSL server. SSL handshakes: SSL Session client to server, and WAAS SSL Session core WAE to server; the server WAAS sends the session key to the client WAAS over a Transparent Secure Channel. Data: Original Data – Encrypted (client to client WAAS), Optimized & Encrypted (between the WAAS peers), Optimized – Encrypted (server WAAS to SSL server)]

Page 40: Intelligent wan

HTTPS Caching – Tomorrow

[Diagram: Client ↔ Client WAAS & Akamai Connect, with one SSL Handshake toward the Enterprise WAN / DC/Headquarters and another toward the Internet; Cached Data – Encrypted is served from the client WAAS]

Page 41: Intelligent wan

IWAN Secure Connectivity

Page 42: Intelligent wan

Intelligent WAN: Secure Connectivity – Securing the network and users

[Diagram: Branch with Secure WAN Transport over MPLS (IP-VPN) and Secure Internet Access over the Internet to Private Cloud, Virtual Private Cloud and Public Cloud]

Two areas of concern:
1. Protecting the network from outside threats with data privacy over provider networks
2. Protecting user access to Public Cloud and Internet services; malware, privacy, phishing, …

Page 43: Intelligent wan

Securing the IWAN Transport: IPsec VPN and Access Control

• Step 1: Authenticate hardware and software
  – Trust Anchor Module verification

• Step 2: Secure Transport
  – Proven IPsec VPN overlay
  – Strong Cryptography: IKEv2 + AES-GCM 256
  – F-VRF to isolate provider networks

• Step 3: Access Control
  – IOS Zone-based Firewall or ACLs protection
  – Role based access to router w/ logging
  – Minimize exposure: Provider assigned addressing to hide routers; Don’t put tunnel addresses into DNS

[Diagram: Branch to Data Center ASR 1000 routers over MPLS and Internet (ISP A, ISP C)]

Page 44: Intelligent wan

Cisco Router Security Certifications

Platform                 FIPS 140-2, Level 2   Common Criteria EAL4   Suite B* Hardware Assist
Cisco ISR 890 Series     ✓                     ✔                      ✔
Cisco ISR 1900 Series    ✓                     ✔                      ✔
Cisco ISR 2900 Series    ✓                     ✔                      ✔
Cisco ISR 3900 Series    ✔                     ✔                      ✔
Cisco ISR 4000 Series    ✔                     ✔                      ✔
Cisco ASR 1000 Series    ✔                     ✓                      ✔**

* RFC 6379
** Not supported on older RP1 based ASR 1000s

Page 45: Intelligent wan

Trust Anchor Module (TAM): “How do I Know the Hardware is Authentic?”

• Provides Immutable Identity

• Standard Identity – IEEE 802.1AR (SUDI – X.509 cert)

• Secure Storage of Credentials

• Anti-Theft & Anti-Tamper Chip Design

• Certifiable Entropy for Random Number Generation

TAM Features & Services (TAM/Secure Identity Verification; Checks to Verify as Cisco Genuine):
• Immutable Identity
• Secure Storage (Keys & Objects)
• Certifiable Entropy Source
• Secure Crypto Assist
• Secure Application Certificates
• Authenticity & License Check
• Verify Secure Identity

Product Security:
• Provides trustworthy hardware offering immutable identity, secure storage, random number generator, and encryption
• Available in the ISR-4000, newer Catalyst and other Cisco products

Page 46: Intelligent wan

Secure Boot: “How do I Know the Software is Authentic?”

Verifies the software has not been altered or tampered with since it was signed.

Secure Boot Process:
1. Power-Up: Hardware Anchor – Immutable Anchor ensuring hardware integrity and key authenticity
2. Secure Microloader verifies the Bootloader and BIOS (Integrity Check, Image Signing)
3. A Signed Bootloader/BIOS validates the Operating System (Image Signing)
4. Launch Signed Operating System (Image Signing)

• Ensures only authentic Cisco software boots up on a Cisco Platform

• Anchored in hardware; as the image is created, the signature is installed & signed with a secure private key

• As the software boots, the system checks to ensure the installed digital certificate is valid

• Subsequent hash checks provide continuous monitoring with runtime integrity

Page 47: Intelligent wan

Add Network Integrated Threat Defense: IOS Zone-Based Firewall

[Diagram: Branch to Data Center ASR 1000 routers over MPLS and Internet (ISP A, ISP C)]

• Control the Perimeter:
  – External and internal protection: internal network is no longer trusted
  – Protocol anomaly detection and stateful inspection

• Communicate Securely:
  – Call flow awareness (SIP, SCCP, H323)
  – Prevent DoS attacks

• Flexible:
  – Split Tunnel – Branch direct Internet access
  – Internal FW – addresses regulatory compliances

• Integrated:
  – No need for additional devices, expenses and power
  – Works with other IWAN Services: CWS, WAAS, UCS-E, …

• Manageable:
  – APIC-EM, Prime, CLI, SNMP, CCP, and CSM

Page 48: Intelligent wan

Securing IWAN Transports with Front-door VRF: Isolation of external networks

Virtual Routing and Forwarding instances (VRFs) create multiple logical routers on a single device
• Separate control/forwarding planes per VRF
• No connectivity between VRFs by default
• Provider side VRF (yellow) for external networks, Global VRF (blue) for internal networks

Provider VRF minimizes threat exposure
• Default routing only in Provider VRF
• Provider assigned IP addressing hides internal network
• Provider IP address used as IPsec tunnel source
• Only IPsec allowed between internal Global and Provider Front Side VRFs

[Diagram: Branch LAN (10.1.1.0/24, 10.1.2.0/24, …) in the Global (inside network) VRF; the IPsec Tunnel Interface is sourced from the Front Side “Provider Interface” VRF (F-VRF) holding the Provider Assigned WAN IP Address 192.168.254.254; VRFs have independent routing and forwarding planes; IOS ZBFW or ACL permits only authorized traffic, i.e. IPsec]

Page 49: Intelligent wan

Protecting the Public facing IWAN Interfaces

• Use ACLs, ZBFW or ASA to block all traffic except the DMVPN tunnel traffic to routers

• Zone Based Firewall (ZBFW) at the branch if there are plans for direct Internet access

• Typical ACL for protecting the Internet interface:

  interface GigabitEthernet0/0
   bandwidth 10000
   vrf forwarding IWAN-TRANSPORT-2
   ip address dhcp
   ip access-group ACL-INET-PUBLIC in
  !
  ip access-list extended ACL-INET-PUBLIC
   permit udp any any eq non500-isakmp
   permit udp any any eq isakmp
   permit esp any any
   permit udp any any eq bootpc
   permit icmp any any echo
   permit icmp any any echo-reply
   permit icmp any any ttl-exceeded
   permit icmp any any port-unreachable
   permit udp any any range 33434 33463 ttl eq 1

[Diagram: Branch to Data Center ASR 1000 routers over MPLS and Internet (ISP A, ISP C)]
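As an added example (not Cisco code and not from the deck), a small Python evaluator for the ACL above: it parses the entries, applies IOS first-match and implicit-deny semantics to constructed packets, and confirms that IKE/NAT-T, ESP, DHCP, the listed ICMP types and TTL-1 traceroute probes are admitted while anything else aimed at the router, such as a management connection from the Internet, is dropped. The router and peer addresses are constructed placeholders.

```python
"""Evaluator for the ACL-INET-PUBLIC access list shown on the slide.

Added example, not Cisco code: it parses the slide's ACL and applies IOS first-match,
implicit-deny semantics to constructed sample packets. Only the syntax the slide uses
plus `host` addresses is supported; wildcard masks and other options raise an error.
"""

ACL_INET_PUBLIC = """\
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit udp any any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit udp any any range 33434 33463 ttl eq 1
"""

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "bootpc": 68, "bootps": 67}
ICMP_NAMES = {"echo": (8, None), "echo-reply": (0, None),             # keyword -> (type, code)
              "ttl-exceeded": (11, None), "port-unreachable": (3, 3)}  # None = any code


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(t):
    """Consume 'any' or 'host A.B.C.D'; returns (ip or None for any, remaining tokens)."""
    if t[0] == "any":
        return None, t[1:]
    if t[0] == "host":
        return t[1], t[2:]
    raise ValueError(f"unsupported address spec {t[0]!r}")


def _ports(t):
    """Consume an optional eq/range port operator; returns ((lo, hi) or None, remaining)."""
    if t and t[0] == "eq":
        return (_port(t[1]), _port(t[1])), t[2:]
    if t and t[0] == "range":
        return (_port(t[1]), _port(t[2])), t[3:]
    return None, t


def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        rule = {"action": t[0], "proto": t[1], "ttl": None, "icmp": None}
        rule["src"], t = _addr(t[2:])
        rule["sport"], t = _ports(t)
        rule["dst"], t = _addr(t)
        rule["dport"], t = _ports(t)
        while t:
            if t[0] == "ttl" and t[1] == "eq":         # match on the packet's IP TTL
                rule["ttl"], t = int(t[2]), t[3:]
            elif rule["proto"] == "icmp" and t[0] in ICMP_NAMES:
                rule["icmp"], t = ICMP_NAMES[t[0]], t[1:]
            else:
                raise ValueError(f"unsupported option {t[0]!r} in: {line}")
        rules.append(rule)
    return rules


def matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if rule["src"] not in (None, pkt["src"]) or rule["dst"] not in (None, pkt["dst"]):
        return False
    for key in ("sport", "dport"):                   # port operators, if the entry has them
        rng, value = rule[key], pkt.get(key)
        if rng is not None and (value is None or not rng[0] <= value <= rng[1]):
            return False
    if rule["ttl"] is not None and pkt.get("ttl") != rule["ttl"]:
        return False
    if rule["icmp"] is not None:
        typ, code = rule["icmp"]
        if pkt.get("icmp_type") != typ or (code is not None and pkt.get("icmp_code") != code):
            return False
    return True


def evaluate(rules, pkt):
    """First matching entry decides; an IOS extended ACL ends with an implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "deny"


if __name__ == "__main__":
    rules = parse_acl(ACL_INET_PUBLIC)
    # constructed packets arriving on the Internet interface of a router at 192.0.2.10
    ike = {"proto": "udp", "src": "198.51.100.1", "dst": "192.0.2.10", "sport": 500, "dport": 500, "ttl": 60}
    ssh = {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "sport": 40000, "dport": 22, "ttl": 60}
    print("IKE:", evaluate(rules, ike), "SSH:", evaluate(rules, ssh))  # IKE: permit SSH: deny
```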

Page 50: Intelligent wan

IOS Security: General IOS Security measures for Internet facing interfaces

• Disable unused services and features:

  service tcp-keepalives-in
  service tcp-keepalives-out
  !
  no mop enabled
  !
  no service pad
  !
  no service config

  interface GigabitEthernet0/0
   description Internet Connection
   no ip redirects
   no ip proxy-arp
   no lldp transmit
   no lldp receive
   no cdp enable
   no mop enabled
  !

[Diagram: Branch to Data Center ASR 1000 routers over MPLS and Internet (ISP A, ISP C)]

Page 51: Intelligent wan

Intelligent WAN – Direct Cloud Access

[Diagram: Branch ISR-AX with ZBFW; MPLS (IP-VPN) to the Private Cloud and Virtual Private Cloud, Direct Internet Access through CWS to the Public Cloud]

• Leverage Local Internet path for Public Cloud and Internet access

• Improve application performance (right flows to right places)

Solutions:
• On Premise – Zone Based Firewall
• Cloud Based – Cloud Web Security

Page 52: Intelligent wan

Cloud Web Security: Centralized Management for Distributed Policy

[Screenshot: Cisco ScanCenter Portal]

Page 53: Intelligent wan

Secure Internet Access with Cisco Cloud Web Security (CWS)

[Diagram: Branch with WAN1 (IP-VPN) to the Private Cloud and WAN2 (Internet) to CWS and the Public Cloud]

• Secure Public Cloud and Internet Access: ISR Connector to CWS Firewall towers; Web Filtering, Access Policy, Malware Detect

• IWAN IPsec VPN for Private Cloud Traffic

• IOS Firewall to protect Internet Edge

Page 54: Intelligent wan

Orchestration and Automation

Page 55: Intelligent wan

Policy driving the Network

Application Policies:
– AppID, bandwidth, latency, loss, jitter, …

Security Policies:
– Segmentation, access control, privacy/crypto, …

1. Controllers (SDN Controller) collect data from the network and push policy to the network

2. The network only maintains segments; no application state

3. Network enforces the policies and reports status and event data

Page 56: Intelligent wan

The next generation Branch WAN needs Automation & Orchestration

• APIC-EM IWAN APP and Prime Infrastructure – Enterprise

• vMS/NSO – Large Ent & SP

Page 57: Intelligent wan


Cisco IWAN Management Portfolio: covering a broad range of requirements and preferences

IWAN App (APIC-EM): Prescriptive Policy Automation
• Customer wants considerable automation and operational simplicity
• Requirements consistent with the prescriptive IWAN Validated Design
• Lean IT organization

Cisco Prime Infrastructure: Enterprise Network Management and Monitoring
• Customer needs customizable IWAN with end-to-end monitoring
• One assurance across the Cisco portfolio from branch to data center
• IT network team

Ecosystem Partners: Application-Aware Performance Management
• Customer looking for advanced monitoring and visualization
• QoS/PfR/AVC configuration, real-time analytics and network troubleshooting
• IT network team

Ecosystem Partners: Advanced Orchestration
• Customer wants advanced provisioning, life-cycle management, and customized policies
• System-wide network consistency assurance
• Lean IT or IT network team

Page 58: Intelligent wan


IWAN Automation and Orchestration Evolution

APIC-EM
• Device Abstraction Layer
• REST APIs
• APIC-EM Services (partial): PKI Svc, NetFlow Svc, ZTD Svc, Network Svc, Events Svc, Inventory Svc
• Cisco IWAN Apps: IWAN Transport, PKI Automation, Security, Intelligent Path Control, Application Experience, PnP Provisioning
• Partners (future)

Traditional Management Systems (Cisco Prime)
• Capacity planning, historical reporting, licensing, etc.
• Deployment workflows, change control, etc.

Page 59: Intelligent wan


IWAN App Provisioning


Page 60: Intelligent wan


IWAN App – Application Classification


Page 61: Intelligent wan


IWAN App – Policy Provisioning


Page 62: Intelligent wan


Prime Infrastructure for IWAN

• IWAN workflow wizard with PnP
• Template-based IWAN configs
• PfRv3 Domain, MC and BR
• AVC one-click provisioning
• QoS provisioning
• Single- or dual-router branch
• CVD-based, customizable
• AVC readiness assessment
• AVC, QoS, PfR visibility
• Leverages APIC-EM services

Page 63: Intelligent wan


Service Health Summary

Page 64: Intelligent wan


PfR dashboard – look at events at sites

Page 65: Intelligent wan


Router – Provider – Server

Page 66: Intelligent wan


Link details: PfR threshold crossing

Page 67: Intelligent wan


LiveAction Software: an application-aware network performance management and QoS control tool

Fast, simple, cost-effective way to monitor and control application performance leveraging Cisco capabilities

LiveAction components: Flow, QoS Monitor, QoS Configure, Routing, LAN, IP SLA

Page 68: Intelligent wan


LiveAction and Performance Routing

• PfR path change visualization
• Alert and report on PfR Out-of-Policy events
• Reports on traffic class/application path changes

[Screenshots: Out-of-Policy threshold crossing alert; path before the brown-out (northern path) and after the brown-out (southern path)]
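An added example, not a configuration from the presentation, showing where the thresholds behind those Out-of-Policy alerts are defined. PfRv3 measures one-way delay, loss and jitter per path on the border routers; when the current path for a traffic class breaches its threshold the master controller marks the class out of policy and moves it to the fallback path, which is the path change the dashboards above plot. Domain name, prefixes, password, collector address, path names and tunnel interfaces are placeholders, and the `domain ... path ... path-id` interface syntax is assumed from IOS-XE PfRv3 rather than quoted from the deck.

```cisco
! Added example, not from the presentation: hub master controller (MC) and
! co-located border router (BR) for a PfRv3 domain. Every value below is a
! placeholder chosen for illustration.

! Hub site prefixes the MC advertises to the branches
ip prefix-list HUB-PREFIXES seq 10 permit 10.0.0.0/8

domain IWAN
 vrf default
  master hub
   source-interface Loopback0
   site-prefixes prefix-list HUB-PREFIXES
   password PFR-DOMAIN-SECRET
   ! Export PfR metrics/events to the collector the management tool reads
   collector 192.0.2.50 port 2055
   load-balance
   ! Voice: the built-in "voice" policy supplies loss/delay/jitter thresholds
   class VOICE sequence 10
    match dscp ef policy voice
    path-preference MPLS fallback INET
   ! Business-critical apps: custom thresholds, lower priority number wins
   class CRITICAL sequence 20
    match dscp af31 policy custom
     priority 1 one-way-delay threshold 150
     priority 2 loss threshold 2
    path-preference MPLS fallback INET
   ! Bulk: only loss matters, no path preference, so either transport is used
   class BULK sequence 30
    match dscp af11 policy custom
     priority 1 loss threshold 10
  border
   source-interface Loopback0
   master local
   password PFR-DOMAIN-SECRET

! The BR tunnel interfaces give the transports the path names used above
interface Tunnel100
 description DMVPN over MPLS
 domain IWAN path MPLS path-id 1
interface Tunnel200
 description DMVPN over Internet
 domain IWAN path INET path-id 2
```

With this policy a 150 ms one-way-delay breach on the MPLS path moves CRITICAL traffic to INET and raises the threshold-crossing event; VOICE follows the built-in voice thresholds; BULK is only moved on loss. `show domain IWAN master traffic-classes` on the hub MC lists each class's current path and whether it is in policy.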

Page 69: Intelligent wan


PfRv3 Dashboard

• Alerts / performance by site
• Alerts / performance by application group
• All alerts

Page 70: Intelligent wan


Glue Networks IWAN Orchestration

• Cloud-based SaaS subscription model

• Eliminates manual building of WANs

• Automated WAN orchestration and management

• Quick configuration updates and IOS upgrades

• Rapidly delivers next-gen and IWAN features

• Forward compatible with SDN and onePK for application-aware WANs

• Broadband and MPLS support for centralized hybrid WAN management for IWAN

Page 71: Intelligent wan


Introducing Gluware 2.0: DevOps for Network Engineers

• Network engineer centric vs. programmer centric

• Gluware Lab: rapid development environment, NDK, and FLOW (Flexible Language Object Workstream)

• Gluware Control: network-aware and customizable life-cycle management

• Integrated with leading architectures (IWAN)

• REST API for third-party monitoring, visualization and controllers

Page 72: Intelligent wan


Cisco IWAN Product Portfolio


Page 73: Intelligent wan


Start with Cisco AX Routers: IWAN Capabilities Embedded in the Router

One network, unified services: Transport Independent, Secure Routing, Optimization, Control, Visibility; simplify application delivery

Cisco AX Routers: ISR-AX (800 | 1900 | 2900 | 3900 | ISR 4000 AX) and ASR1000-AX

Page 74: Intelligent wan


IWAN Branch Services Routers: ISR 4000 Series, IWAN AX Ready, Next Generation Branch

Integrated IWAN services
• IOS Firewall, VPN, IPsec, PfRv3, NBAR2, AVC, AppNav, VRF, MPLS
• Scalable on-chip service provisioning

Application centric
• App/user policy-driven deployment
• APIC-EM automation: deploy in minutes
• Pay-as-you-grow
• Up to 75% cost savings

Appliance-level performance
• Service-aware dataplane
• Resilient service virtualization
• Multi-gigabit fabric

Model      Throughput
ISR4321    50/100 Mbps
ISR4331    100/300 Mbps
ISR4351    200/400 Mbps
ISR4431    500 Mbps/1 Gbps
ISR4451    1-2 Gbps

Page 75: Intelligent wan


IWAN Aggregation Border Routers: ASR1000, IWAN AX Ready, High Performance Routers

Integrated IWAN services
• IOS Firewall, VPN, IPsec, PfRv3, NBAR2, AVC, AppNav, VRF, MPLS
• Scalable on-chip service provisioning

Business-critical resiliency
• Separate control and data planes
• Hardware and software redundancy
• In-service software upgrades

Compact, powerful router
• Line-rate performance 2.5G to 200G+ with services enabled
• Crypto performance from 2G to 60G+
• Flexible I/O: SPAs and Ethernet line cards

Model              Forwarding                            Crypto throughput
ASR1001-X          2.5G, upgradeable to 5G, 10G, 20G     up to 8G
ASR1002-X          5G, upgradeable to 10G, 20G, 36G      up to 4G
ASR1006 (modular)  Modular, redundant, up to 200G        up to 60G

Page 76: Intelligent wan


Cisco UCS-E Series: Extend Cloud Services into Branch Infrastructure (supported on ISR Series routers)

[Diagram: IOS with the MGF backplane switch; UCS-E blades, each with CIMC and a hypervisor running several OS/App virtual machines]

• Platform for WAN edge applications: Microsoft Windows Server and Linux certified
• Server virtualization: Cisco UCS virtualization powered by VMware, Microsoft, Citrix
• Dedicated blade management: Cisco Integrated Management Controller (CIMC), consistent management for the UCS family
• Multipurpose x86 blades: Cisco UCS E-Series modules house up to four server blades in an ISR
• Single-device network integration: house all services in the ISR chassis; multigigabit fabric (MGF) backplane switch

Page 77: Intelligent wan


Why Cisco IWAN?


Page 78: Intelligent wan

Intelligent WAN Summary

Transport Independent Design
• Highly available hybrid WAN

Intelligent Path Control
• Performance Routing (PfR) to protect applications and load-balance traffic to maximize expensive WAN bandwidth

Application Optimization
• Application Visibility and Control (AVC) to monitor performance
• WAAS + Akamai to reduce bandwidth consumption while improving application experience

Secure Connectivity
• Secure the network from outside threats
• Cloud Web Security (CWS) for improved cloud performance while freeing up WAN bandwidth, without compromising security

IWAN Management
• Cisco and ecosystem partner tools: APIC-EM IWAN App, Prime, LiveAction, Gluware, and more

[Diagram: Branch-1 through Branch-513 (ISR-AX with vWAAS and AVC, border routers) over MPLS, Internet and ADSL links (20M down/2M up, 512M FD, 1.5M FD, 256M FD) to the IWAN core at DC-West and DC-East (ASR-AX border routers with WAAS and AVC, master controllers, CWS)]

Page 79: Intelligent wan


IWAN Vision and Strategy

• Intelligent Integration: secure VPN overlay, any transport, bandwidth efficiency, application SLA
• Service Virtualization: vRouter, vService and app orchestration
• Automation: secure, simple, centralized policy automation
• SD Enterprise: Campus/WAN/DC
• Cloud: global policies, cloud POPs, mobility, optimization, cloud security

Page 80: Intelligent wan


IWAN Vision and Strategy: Systems Development evolution of IWAN

Themes: Intelligent Integration, Service Virtualization, Automation, SD Enterprise, Cloud

IWAN Framework: Transport Independent Design, Intelligent Path Control, Application Optimization, Secure Connectivity, Management & Orchestration

Incremental improvements while delivering new use cases

Page 81: Intelligent wan


Cisco Intelligent WAN (IWAN)

• Secure WAN Transport
• Direct Internet Access
• Mixed transport WAN with high reliability
• SLAs for business-critical applications
• Centralized security policy for Internet access
• Dramatically lower WAN costs without compromise

[Diagram: branch with MPLS (IP-VPN) and Internet transports reaching the private cloud, virtual private cloud and public cloud]

Page 82: Intelligent wan

We’re ready. Are you?