intelligent wan
TRANSCRIPT
Cisco Intelligent WAN: Enabling the Next-Generation Branch (Technical Overview)
David Prall, Communications Architect
CCIE 6508 (R&S/SP/Security)
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
• IWAN Architecture Overview
• Transport Independence
• Intelligent Path Control
• Application Optimization
• Secure Connectivity
• Orchestration & Automation
• Product Portfolio
• Closing – Why IWAN?
What If Your WAN Can…
• Improve Your Application Performance: Pinpoint Application Issues Instantly (Hours → Minutes)
• Deliver More Bandwidth for Lower Cost: Increase WAN Utilization (1x → 2x–20x)
• Ensure Security Over Any Connection: Consistent Security Policies (Backhaul → Local & Cloud)
• Reduce Network Complexity: Simplify Operations (Device-by-device → System)
Internet as an Extension of Enterprise WAN
Commodity Transports Viable Now
Dramatic Bandwidth, Price Performance Benefits
Higher Network Availability
Improved Internet Performance
Intelligent WAN: Leveraging the Internet (Secure WAN Transport and Internet Access)
[Diagram: Branch connected over MPLS (IP-VPN) and Internet; Optimized Secure Transport to the Private Cloud and Virtual Private Cloud; Direct Cloud Access to the Public Cloud]
1. IWAN Secure transport for private and virtual private cloud access
2. Leverage local Internet path for public cloud and Internet access
✓ Increase WAN transport capacity and app performance cost effectively!
✓ Improve application performance (right flows to right places)
Intelligent WAN: So What is New Here?
[Diagram: same topology as the previous slide, with Direct Internet Access from the Branch to the Public Cloud over the Internet and Optimized Secure Transport over MPLS (IP-VPN) to the Private Cloud and Virtual Private Cloud]
Mixed transport WANs with High Reliability
Service Levels for Business-Critical Applications
Centralized Security Policy for Internet Access
Dramatically Lower WAN Costs Without Compromise
Intelligent WAN Deployment Models
• Dual MPLS (MPLS + MPLS): ✓ Highest SLA guarantees; – Tightly coupled; ✗ Expensive
• Hybrid (MPLS + Internet): ✓ More BW for key applications; ✓ Balanced SLA guarantees; – Moderately priced
• Dual Internet (Internet + Internet): ✓ Best price/performance; ✓ Most SP flexibility; – Enterprise responsible for SLAs
Consistent VPN Overlay Enables Security Across Transition
Intelligent WAN (IWAN) Architecture
[Diagram: Unified Branch connected over MPLS, Internet and 3G/4G-LTE to the Enterprise, Private Cloud, Virtual Private Cloud and Public Cloud]
• Transport Independence: Simplified Hybrid WAN
• Intelligent Path Control: Application-Aware Routing
• Application Optimization: Enhanced Application Visibility and Performance
• Secure Connectivity: Comprehensive Threat Defense
• Management Automation
IWAN: An Architectural and Systems Approach
• IWAN is a Solution Architecture
  • Solves a network problem
  • Use Case Driven
  • Systems Development Approach
• Prescribed. Tested. Interoperable.
  • Bounded Scope and Complexity
  • Enables Automation and Quality
• Delivers Business Outcomes
  • Reduce Operational Complexity
  • Reduce WAN costs, Increase bandwidth
  • Improve Application Performance
  • Direct Cloud Access
  • Guest Access Offload
Transport Independence: Virtualizing the Enterprise WAN
Flexible Secure IWAN Over Any Transport
Simplifies WAN Design · Dynamic Full-Meshed Connectivity · Proven Robust Security
Flexible:
• Easy multi-homing over several providers
• Single routing control plane over the top of provider networks
• Consistent design over all WAN service offerings
• Scalable Hub-n-spoke and full mesh topologies
Secure:
• Industry Certified security compliance
• Scalable high-performance cryptography in hardware
[Diagram: Transport-Independent WAN; Branch ISR connected over Internet and MPLS to ASR 1000 routers in the Data Center]
IWAN Transport Independence: Consistent deployment models simplify operations
[Diagram: three deployment models, each with a Branch ISR connected over two DMVPN overlays to ASR 1000 routers in the Data Center]
• IWAN Hybrid: DMVPN over Internet (ISP A) + DMVPN over MPLS (SP B)
• IWAN Hybrid/LTE: DMVPN over 4G/LTE (ISP C) + DMVPN over MPLS (SP B)
• IWAN Dual MPLS: DMVPN over MPLS (SP A) + DMVPN over MPLS (SP B)
Building Highly Resilient WANs: Redundancy and Path Diversity Matter
Availability and downtime per year by branch design:
• Single router, single path: MPLS 99.95%*, Internet 99.90%*; Downtime per Year: 4–9 Hours (MPLS), 8 Hours 46 Minutes (Internet)
• Single router, dual paths (MPLS + MPLS, MPLS + Internet, or Internet + Internet): 99.995%; Downtime per Year: 26 Minutes
• Dual routers, dual paths (IWAN Solution; MPLS + MPLS, MPLS + Internet, or Internet + Internet): 99.999%; Downtime per Year: 5 Minutes
* Typical MPLS and Business Grade Broadband Availability SLAs and Downtime per Year, calculated with Cisco AS DAAP tool.
IWAN Transport Independent Design with Dynamic Multipoint VPN (DMVPN)
• Proven IPsec VPN technology
  • Widely deployed, Large scale
  • Standards based IPsec and Routing
  • Adv QOS: hierarchical, per tunnel and adaptive
• Flexible & Resilient
  • Over any transport: MPLS, Carrier Ethernet, Internet, 3G/4G, ...
  • Hub-n-Spoke with Dynamic full mesh Topology
  • Multiple encryption, key management, routing options
  • Multiple redundancy options: platform, hub, transports
• Secure
  • Industry Certified IPsec and Firewall
  • NG Strong Encryption: AES-GCM-256 (Suite B)
  • IKE Version 2
  • IEEE 802.1AR Secure unique device identifier
• Simplified IWAN Deployments
  • Prescriptive validated IWAN designs
  • Automated provisioning – Prime, IWAN-App, Glue
[Diagram: IWAN Hybrid; Branch connected over Internet (ISP A, DMVPN Purple) and MPLS (SP B, DMVPN Green) to the Data Center]
Over-the-Top WAN Design with Dynamic Multipoint VPN (DMVPN)
SECURE ON-DEMAND TUNNELS
• Branch spoke sites establish a DMVPN tunnel with IPsec encryption to, and register with, the hub site
• IP routing exchanges prefix information for each site
• BGP or EIGRP are typically used for scalability
• The WAN interface address is used as the tunnel address, so the provider network does not need to know or route customer internal IP prefixes
• Data traffic flows over the DMVPN tunnels
• When traffic flows between spoke sites, the hub assists the spokes to establish a site-to-site tunnel
• Per-tunnel QOS is applied to prevent the hub site from overrunning spoke sites
[Diagram: Hub (ASR 1000) with IPsec VPN tunnels to Branch 1, Branch 2 … Branch n (ISR G2). Traditional static tunnels require static, known IP addresses; DMVPN on-demand tunnels work with dynamic, unknown IP addresses]
DMVPN: How it Works
• Spokes build a dynamic permanent GRE/IPsec tunnel to the hub, but not to other spokes. They register as clients of the NHRP server (hub) and register their NBMA address
• Active-Active redundancy model: two or more hubs per spoke
• All configured hubs are active and are routing neighbors with spokes
• Routing protocol routes are used to determine traffic forwarding
• A spoke will initially send a packet to a destination (private) subnet behind another spoke via the hub, and the hub will send it an NHRP redirect
• The redirect triggers the spoke to send an NHRP query for the data packet destination address behind the destination spoke
• The destination spoke initiates a dynamic GRE/IPsec tunnel to the source spoke (it now knows its NBMA address) and sends the NHRP reply
• The dynamic spoke-to-spoke tunnel is built over the same mGRE tunnel interface
• When traffic ceases, the spoke-to-spoke tunnel is removed
[Diagram: Dual DMVPN Design, single mGRE tunnel on each hub, two mGRE tunnels on each spoke. Hub 1: Physical 172.17.0.1, Tunnel0 10.0.0.1; Hub 2: Physical 172.17.0.5, Tunnel1 10.0.1.1; data center LAN 192.168.0.0/24. Spoke: Physical (dynamic), Tunnel0 10.0.0.11, Tunnel1 10.0.1.11; Spoke: Physical (dynamic), Tunnel0 10.0.0.12, Tunnel1 10.0.1.12; branch LANs 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, each with the branch router at .1]
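The hub-assisted spoke-to-spoke tunnel build-up described on this slide, as an added example that is not Cisco's code or part of the original deck. The hub addresses are the ones on the diagram; the spoke NBMA addresses (203.0.113.x), the event strings and the message handling are constructed stand-ins for the real NHRP registration, redirect and resolution exchange and for the IPsec tunnel state.

```python
# Added example (not Cisco's code): a small model of the DMVPN Phase 3
# spoke-to-spoke tunnel build-up. Hub addresses are from the slide; the spoke
# NBMA addresses and the message handling are constructed stand-ins.
from dataclasses import dataclass, field


@dataclass
class Router:
    name: str
    tunnel_ip: str                                # overlay address on the mGRE tunnel
    nbma_ip: str                                  # underlay (transport) address
    lan: str                                      # subnet behind this router
    nhrp: dict = field(default_factory=dict)      # tunnel_ip -> nbma_ip
    routes: dict = field(default_factory=dict)    # prefix -> next-hop tunnel_ip
    tunnels: set = field(default_factory=set)     # peers with a GRE/IPsec tunnel up


def register(spoke: Router, hub: Router) -> None:
    """NHRP registration: the spoke builds its permanent tunnel to the hub (NHS)
    and tells it its NBMA address; the routing protocol then exchanges prefixes."""
    spoke.nhrp[hub.tunnel_ip] = hub.nbma_ip
    spoke.tunnels.add(hub.name)
    hub.nhrp[spoke.tunnel_ip] = spoke.nbma_ip
    hub.tunnels.add(spoke.name)
    hub.routes[spoke.lan] = spoke.tunnel_ip
    spoke.routes["0.0.0.0/0"] = hub.tunnel_ip     # spokes hold only a default via the hub


def send(src: Router, dst_lan: str, hub: Router, spokes: dict) -> list:
    """Forward one packet from src to a prefix behind another spoke and return the
    events; the first packet goes via the hub and triggers the NHRP redirect and
    resolution that build the direct spoke-to-spoke tunnel."""
    dst = next(s for s in spokes.values() if s.lan == dst_lan)
    if dst.name in src.tunnels:
        return [f"{src.name} -> {dst.name}: data direct over spoke-to-spoke tunnel"]
    events = [f"{src.name} -> {hub.name}: data for {dst_lan} (via default route)"]
    # hub forwards the packet and sends an NHRP redirect back to the source spoke
    events.append(f"{hub.name} -> {dst.name}: data for {dst_lan}")
    events.append(f"{hub.name} -> {src.name}: NHRP redirect")
    # source spoke sends an NHRP resolution request, relayed by the hub
    events.append(f"{src.name} -> {hub.name} -> {dst.name}: NHRP resolution request "
                  f"(src NBMA {src.nbma_ip})")
    # destination spoke now knows the source NBMA address: tunnel up, reply direct
    dst.nhrp[src.tunnel_ip] = src.nbma_ip
    dst.routes[src.lan] = src.tunnel_ip
    dst.tunnels.add(src.name)
    src.nhrp[dst.tunnel_ip] = dst.nbma_ip
    src.routes[dst_lan] = dst.tunnel_ip           # NHRP shortcut, more specific than default
    src.tunnels.add(dst.name)
    events.append(f"{dst.name} -> {src.name}: NHRP resolution reply (dst NBMA {dst.nbma_ip})")
    return events


def idle_timeout(a: Router, b: Router) -> None:
    """When traffic ceases the dynamic tunnel and its NHRP shortcut are torn down."""
    for x, y in ((a, b), (b, a)):
        x.tunnels.discard(y.name)
        x.nhrp.pop(y.tunnel_ip, None)
        x.routes.pop(y.lan, None)


def demo() -> dict:
    """Slide hub plus two spokes behind dynamic (constructed) transport addresses."""
    hub = Router("hub", "10.0.0.1", "172.17.0.1", "192.168.0.0/24")
    spokes = {
        "spokeA": Router("spokeA", "10.0.0.11", "203.0.113.11", "192.168.1.0/24"),
        "spokeB": Router("spokeB", "10.0.0.12", "203.0.113.12", "192.168.3.0/24"),
    }
    for s in spokes.values():
        register(s, hub)
    first = send(spokes["spokeA"], "192.168.3.0/24", hub, spokes)    # via hub, builds tunnel
    second = send(spokes["spokeA"], "192.168.3.0/24", hub, spokes)   # direct
    idle_timeout(spokes["spokeA"], spokes["spokeB"])
    third = send(spokes["spokeA"], "192.168.3.0/24", hub, spokes)    # via hub again
    return {"first": first, "second": second, "third": third, "hub_cache": dict(hub.nhrp)}


if __name__ == "__main__":
    for step, events in demo().items():
        print(step, events)
```

The point the model makes visible is that only the hub ever holds every spoke's NBMA address; a spoke learns another spoke's transport address only through the resolution exchange, and forgets it again when the dynamic tunnel idles out.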
IWAN Transport Best Practices
• Private peering with Internet providers
  • Use same Internet provider for hub and spoke sites
  • Avoids Internet Exchange bottlenecks between providers
  • Reduces round trip latency
• DMVPN Phase 3
  • Scalable dynamic site-to-site tunnels
  • Separate DMVPN per transport for path diversity
  • Per tunnel QOS
  • NG Encryption – IKEv2 + AES-GCM-256 encryption
• Transport settings
  • Use the same MTU size on all WAN paths
  • Bandwidth settings should match offered rate
• Routing Overlay
  • iBGP or EIGRP for high scale
  • Single routing process, simplified operations
  • Front-side VRF to isolate provider networks
[Diagram: IWAN Hybrid; Branch connected over Internet (ISP A, DMVPN Purple) and MPLS (SP B, DMVPN Green) to the Data Center]
Intelligent Path Control: Improving Application Delivery and WAN Efficiency
Getting the Most Out of Your WAN Investment: Benefits of Intelligent Path Control
[Diagram: Branch ISR connected over MPLS and Internet to ASR 1000 routers in the Data Center]
• Enabling Hybrid WANs: Efficient Distribution of Traffic Based Upon Load or Path Preference
• Lower WAN Costs: Full Utilization of WAN Bandwidth
• Improved Application Performance: Application Best Path Based on Quality
• Higher Application Availability: Protection From Carrier Black Holes and Brownouts
Intelligent Path Control with PfR: Voice and Video Use-Case
[Diagram: Branch connected over MPLS and Internet to the Private Cloud and Virtual Private Cloud]
• PfR monitors network performance and routes applications based on policy
• PfR load balances traffic based upon link utilization levels to efficiently utilize all available WAN bandwidth
• Voice/Video take the best delay, jitter, and/or loss path
• Voice/Video will be rerouted if the current path degrades below policy thresholds
• Other traffic is load balanced to maximize bandwidth
What is Performance Routing (PfR)?
“Performance Routing (PfR) provides additional intelligence to classic routing to track and verify the quality of a path over a Wide Area Networking (WAN) to determine the best path for application traffic....”
[Diagram: Branch (MC+BR) connected over MPLS and Internet to Data Center Border Routers (BR) and a Master Controller (MC)]
Protecting Critical Applications While Increasing Bandwidth Utilization
Multimedia and Critical Data Policy (SP1 (MPLS) + ISP (FTTH)):
• Protect voice and video quality: Latency < 150 ms, Jitter < 20 ms
• Protect Email applications from WAN congestion: Loss < 5%
• Voice and video preferred path SP1
• Email preferred path ISP
• Increase utilization by load sharing
Business App and Load-Balancing Policy (SP1 (MPLS) + ISP (DSL)):
• Protect transactional business app from brownouts: delay < 250 ms
• Preferred path SP1 (MPLS)
• Increase WAN bandwidth efficiency by load-sharing traffic over all WAN paths, MPLS + Internet
[Diagram: Voice and Video moved off SP1 when High Jitter is Detected; Business App moved off SP1 when High Delay is Detected; Best-Effort Traffic shared across both paths]
Load Balancing: Maximizing Link Utilization to Increase Available Bandwidth
• Traffic distributed across all paths to efficiently use all WAN bandwidth
• Load Balancing based upon link utilization levels
• External links can have different bandwidth capacities: MPLS = 1.5 Mbps, Internet = 15 Mbps
[Diagram: Branch ISR to Data Center ASR 1000s over MPLS (50% of T1 = 750 kbps) and Internet (50% of 15 Mbps = 7.5 Mbps)]
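The two PfR behaviours of the preceding slides, policy-based path selection for the critical classes and utilization-based load sharing for everything else, as an added example that is not Cisco's code or the PfR implementation. The thresholds (150 ms / 20 ms for voice and video, 5% loss for email, 250 ms for the business app) and the 1.5 Mbps / 15 Mbps link capacities come from the slides; the path measurements, the `Path` and `Policy` classes and the least-out-of-policy fallback are constructed assumptions.

```python
# Added example (not Cisco's code): policy-based path selection and
# utilisation-based load sharing in the spirit of the PfR slides. Thresholds
# and link capacities are the slides'; measurements are constructed.
from dataclasses import dataclass


@dataclass
class Path:
    name: str
    capacity_kbps: float
    delay_ms: float
    jitter_ms: float
    loss_pct: float


@dataclass
class Policy:
    traffic_class: str
    preferred: list                         # path names in order of preference
    max_delay_ms: float = float("inf")
    max_jitter_ms: float = float("inf")
    max_loss_pct: float = float("inf")

    def in_policy(self, p: Path) -> bool:
        return (p.delay_ms < self.max_delay_ms and p.jitter_ms < self.max_jitter_ms
                and p.loss_pct < self.max_loss_pct)

    def violation(self, p: Path) -> float:
        """How far a path is out of policy: sum of normalised overshoots (assumed metric)."""
        pairs = ((p.delay_ms, self.max_delay_ms), (p.jitter_ms, self.max_jitter_ms),
                 (p.loss_pct, self.max_loss_pct))
        return sum(max(0.0, m / limit - 1.0) for m, limit in pairs if limit != float("inf"))


def select_path(policy: Policy, paths: dict) -> str:
    """Preferred path while it meets the policy; otherwise the next preferred path
    that does; if none meets the policy, the path that is least out of policy."""
    for name in policy.preferred:
        if policy.in_policy(paths[name]):
            return name
    for p in paths.values():
        if policy.in_policy(p):
            return p.name
    return min(paths.values(), key=policy.violation).name


def load_share(demand_kbps: float, paths: dict) -> dict:
    """Split best-effort demand so every link runs at the same utilisation
    (the slide's 50% of T1 = 750 kbps beside 50% of 15 Mbps = 7.5 Mbps)."""
    total = sum(p.capacity_kbps for p in paths.values())
    return {p.name: round(demand_kbps * p.capacity_kbps / total, 1) for p in paths.values()}


def demo() -> dict:
    voice = Policy("voice-video", ["SP1-MPLS", "ISP"], max_delay_ms=150, max_jitter_ms=20)
    email = Policy("email", ["ISP", "SP1-MPLS"], max_loss_pct=5)
    bizapp = Policy("business-app", ["SP1-MPLS", "ISP"], max_delay_ms=250)
    # constructed measurements: healthy, MPLS jitter event, brownout on both paths
    healthy = {"SP1-MPLS": Path("SP1-MPLS", 1500, 40, 5, 0.1),
               "ISP": Path("ISP", 15000, 60, 8, 0.5)}
    jittery = {"SP1-MPLS": Path("SP1-MPLS", 1500, 40, 35, 0.1),
               "ISP": Path("ISP", 15000, 60, 8, 0.5)}
    brownout = {"SP1-MPLS": Path("SP1-MPLS", 1500, 300, 5, 0.1),
                "ISP": Path("ISP", 15000, 400, 8, 0.5)}
    return {
        "voice_healthy": select_path(voice, healthy),
        "voice_jitter": select_path(voice, jittery),        # rerouted off MPLS
        "email": select_path(email, healthy),
        "bizapp_brownout": select_path(bizapp, brownout),   # both out of policy
        "best_effort": load_share(8250, healthy),
    }


if __name__ == "__main__":
    print(demo())
```

Note that `load_share` equalises utilisation percentage rather than bytes, which is what lets a 1.5 Mbps MPLS link and a 15 Mbps Internet link both sit at 50% instead of the MPLS link saturating first.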
Performance Routing: Components
• The Decision Maker: Master Controller (MC)
  • Discover BRs, collect statistics
  • Apply policy, verification, reporting
  • No packet forwarding/inspection required
• The Forwarding Path: Border Router (BR)
  • Does all packet forwarding
  • Visibility in network performance
  • Enforce MC’s decision (path enforcement)
• The Policy Controller: Domain Controller (DC)
  • Discover site peers, prefixes and connected networks
  • Advertise policy and services
  • One per domain, collocated with MC
[Diagram: Branch MC+BR over MPLS and Internet to Data Center BRs and DC/MC]
PfR Domain Controller
• Domain Controller (DC) Peering Framework
  – Site MCs register to Domain
  – Advertise to, or request services
  – Simplifies deployment and configuration
  – Provides topology auto-discovery
• Single point of configuration across the domain
• Used to distribute information to sites:
  – Learned site-prefix
  – Application/Traffic Policies
  – Performance monitoring
  – Traffic Class Database
[Diagram: Domain Controller / Master Controller (DC/MC) with BRs over WAN1 and WAN2 to branch sites (MC+BR)]
How PfR Works: Key Operations
1. Define Your Traffic Policy: Define Traffic Classes and service level Policies based on Applications or Transport Classifiers
2. Learn the Traffic: Border Routers learn current traffic classes going to the WAN based on classifier definitions (active TCs)
3. Measurement: Measure the traffic flow and network performance and report metrics to the Master Controller
4. Path Enforcement: Master Controller commands path changes based on traffic class policy definitions (best path)
[Diagram: for each step, Data Center ISR/ASR1K BRs and the MC, with branch MC+BR sites]
Intelligent Path Control: Path of Last Resort – New (IWAN 2.2, Spring 16)
• Simplifies and speeds up failover routing to a backup only path
• Granular failover per traffic class policy
• Extends path-preference to include a last-resort path(s)
• Removes the need for the routing protocol to initiate failover
• Good choice for cellular, satellite and other backup only paths
[Diagram: Branch Site MC/BR (R14) with DMVPN over MPLS, INET and LTE to DC1 and DC2 (DC/MC, MC, BRs, ASA; MPLS2/INET2); LTE is the path of last resort]
Application Optimization
Today’s Network is an IT Blind Spot
• Static port classification is no longer enough
• More and more apps are opaque
• Increasing use of encryption and obfuscation
• Application consists of multiple sessions (video, voice, data)
• What if user experience is not meeting business needs?
Make Your IWAN Application Aware: Application Visibility and Control (AVC)
[Diagram: Cisco AVC in the Branch (proliferation of devices, users/machines) and at DC/Headquarters, with the Private Cloud and Public Cloud]
Application Performance Visibility
• Application inspection with existing routers
• Rich data collection using NetFlow v9/IPFIX
• Easy to integrate into many reporting tools
Smart Capacity Planning
• Better use of costly bandwidth
• Per-branch and per-application level reporting
Business Objective Enforcement
• Service Level monitoring per application
• Better Analytics to adjust network policies to maintain compliance
Performance Collection & Exporting: Integrated performance monitoring and advanced metrics for different types of applications and use cases
• Basic Monitoring (NBAR2 and Flexible Netflow): What applications, how much bandwidth, flow direction?
• Voice and Video Performance (Media Monitoring): 30% of traffic is voice and video
• Critical Applications Performance (Application Response Time): 40% of traffic is critical applications
• Unified Monitoring (HTTP)
Application Performance Monitoring for IWAN: Track and Report Application Flows and Performance
[Diagram: AVC on the Branch, Enterprise Edge and DC/Headquarters routers (and CSR) exporting NetFlow v9/IPFIX over the WAN to collectors]
NetFlow/IPFIX Records (Same provisioning, same format)
• Traffic statistics records
• Application Response Time records
• Media monitoring records (Application, Jitter, Loss, etc)
Collecting / Provisioning / Exporting (NetFlow v9 Export/IPFIX Export):
• Cisco Tools: Prime, APIC-EM
• Partner Tools Ecosystem: LiveAction, Glue Networks, Plixer, Living Objects, CompuWare, CA Technologies
Add WAN Optimization with WAAS + Akamai: Speed and Bandwidth Benefits on Top of the IWAN
[Diagram: Branch (proliferation of devices, users/machines) with WAVE/vWAAS, over the WAN to DC/POP with AppNav-XE Controller, CSR and vWAAS, and the Private Cloud]
Application Optimization (Improving Application Performance)
• Improved Application performance, delay mitigation, less bandwidth
• Twice as many Citrix users over same WAN, 70% faster
• Typical ROI in less than one year, 65% BW cost savings
Content Caching & Prepositioning
• Reduces WAN bandwidth usage, while accelerating applications
• Intelligent caching of internal and Internet content
• Prepositioning of data and rich media before it is needed
Simple and Scalable
• Works with existing branch routers
• Scale out optimizations resources with AppNav
• Native HA resiliency
Akamai Connect Part of Cisco Intelligent WAN
Cisco Intelligent WAN:
• Transport Independent: DMVPN/IPSec
• Intelligent Path Control: Performance Routing (PfR)
• Application Optimization: Application Visibility and Control (AVC), WAAS, Akamai Connect
• Secure Connectivity: IOS Firewall/IPS, Cloud Web Security
Akamai Connect: Transparent Cache, Dynamic URL Cache, Akamai Connected Cache, Content Pre-positioning
Cisco WAAS: LZ Compression, TCP Optimization, Data De-duplication, Application Specific Acceleration
Application Optimization: Enhancing User Experience and WAN Efficiency
[Diagram: Branch end-user behind an ISR-AX with Akamai Connect (ISR-AX+AC); WAAS over the WAN to the Data Center; Akamai Connect integrated into Cisco ISR-AX routers reaching the Akamai Intelligent Platform over the Internet]
Use cases: Mobile Apps, Video, Software Downloads, Digital Signage, Catalogs, Guest WiFi
Any Device, Connectivity, Cloud. Result: Reduce Load, Improve Response Time
• ~70+% of HTTP/S data served from cache
• 51% reduction in load time
[Chart: Avg. Load Time (sec.), WAAS + AKC vs Native WAN]
IWAN – Application Optimization with Akamai Connect
Akamai Connect accelerates HTTP/HTTPS applications, video and content in the branch, while maximizing existing enterprise network bandwidth
[Diagram: Branch end-user behind ISR-AX+AC; WAAS over the WAN to the Data Center; Akamai Connect integrated into Cisco ISR-AX routers reaching the Akamai Intelligent Platform over the Internet]
Cisco WAAS & Akamai Connect Deployment Models
• Data Center or Private Cloud: WAAS Appliances; vWAAS Appliances and Server VMs on VMware ESXi; ASR1K + AppNav-XE
• Virtual Private Cloud: vWAAS and Server VMs on VMware ESXi Server with Nexus 1000v, UCS/x86 Server and FC SAN; CSR1000v + AppNav-XE
• Branch Office: ISR-WAAS on ISR 4000; WAAS Appliance; WAAS Service Module/UCS-E
[Diagram: the above sites connected over the WAN and Internet]
Recent/Upcoming App Opt enhancements
• Single sided SSL enables DIA HTTPS caching with Akamai Connect
HTTPS Acceleration and Caching - Today
[Diagram: Client – (SSL Session: client to server WAAS; Original Data - Encrypted) – Client WAAS & Akamai Connect – (Transparent Secure Channel; send session key; Optimized & Encrypted) – Server WAAS – (SSL Session: core WAE to server; Optimized - Encrypted) – SSL server; an SSL Handshake at each end]
HTTPS Caching - Tomorrow
[Diagram: Client – SSL Handshake – Client WAAS & Akamai Connect (Cached Data - Encrypted) – SSL Handshake – Internet; Enterprise WAN to DC/Headquarters]
IWAN Secure Connectivity
Intelligent WAN: Secure Connectivity (Securing the network and users)
[Diagram: Branch with Secure WAN Transport over MPLS (IP-VPN) and Internet to the Private Cloud and Virtual Private Cloud, and Secure Internet Access to the Public Cloud]
Two areas of concern:
1. Protecting the network from outside threats with data privacy over provider networks
2. Protecting user access to Public Cloud and Internet services; malware, privacy, phishing, …
Securing the IWAN Transport: IPSec VPN and Access Control
• Step 1: Authenticate hardware and software
  • Trust Anchor Module verification
• Step 2: Secure Transport
  • Proven IPsec VPN overlay
  • Strong Cryptography: IKEv2 + AES-GCM 256
  • F-VRF to isolate provider networks
• Step 3: Access Control
  • IOS Zone-based Firewall or ACLs protection
  • Role based access to router w/ logging
  • Minimize exposure: Provider assigned addressing to hide routers; Don’t put tunnel addresses into DNS
[Diagram: Branch over MPLS (ISP A) and Internet (ISP C) to ASR 1000 routers in the Data Center]
Cisco Router Security Certifications

Platform                 FIPS 140-2, Level 2   Common Criteria EAL4   Suite B* Hardware Assist
Cisco ISR 890 Series     ✓                     ✓                      ✓
Cisco ISR 1900 Series    ✓                     ✓                      ✓
Cisco ISR 2900 Series    ✓                     ✓                      ✓
Cisco ISR 3900 Series    ✓                     ✓                      ✓
Cisco ISR 4000 Series    ✓                     ✓                      ✓
Cisco ASR 1000 Series    ✓                     ✓                      ✓**

* RFC 6379
** Not supported on older RP1 based ASR 1000s
Trust Anchor Module (TAM): “How do I Know the Hardware is Authentic?”
• Provides trustworthy hardware offering immutable identity, secure storage, random number generator, and encryption
• Available in the ISR-4000, newer Catalyst and other Cisco products
• Provides Immutable Identity
• Standard Identity: IEEE 802.1AR (SUDI, X.509 cert)
• Secure Storage of Credentials
• Anti-Theft & Anti-Tamper Chip Design
• Certifiable Entropy for Random Number Generation
TAM Features & Services: Immutable Identity; Secure Storage (Keys & Objects); Certifiable Entropy Source; Secure Crypto Assist; Secure Application Certificates
Checks to Verify as Cisco Genuine (TAM/Secure Identity Verification, Product Security): Authenticity & License Check; Verify Secure Identity
Secure Boot: “How do I Know the Software is Authentic?”
Verifies the software has not been altered or tampered with since it was signed
Secure Boot Process: Power On → Hardware Anchor (Immutable Anchor ensuring hardware integrity and key authenticity) → Secure Microloader → Signed Bootloader/BIOS → Signed Operating System → Launch Operating System
• Power-Up: the Microloader verifies the Bootloader and BIOS (integrity check, image signing)
• A Signed Bootloader/BIOS validates the Operating System (image signing)
• Ensures only authentic Cisco software boots up on a Cisco Platform
• Anchored in hardware: as the image is created, the signature is installed & signed with a secure private key
• As the software boots, the system checks to ensure the installed digital certificate is valid
• Subsequent hash checks provide continuous monitoring with runtime integrity
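The chain of trust on this slide, each stage vouching for the next and the first value held in hardware, as an added example that is not Cisco's code or Cisco's boot implementation. Cisco's chain verifies signatures and certificates; this model uses SHA-256 digests embedded in the previous stage as a stand-in, and the image contents, the `EXPECT_NEXT=` marker and the bit-flip tamper cases are constructed.

```python
# Added example (not Cisco's code): a digest-only model of the secure boot
# chain. Each stage carries the expected digest of the stage it launches and
# the hardware anchor holds the digest of the first stage. Real Cisco images
# are verified by signature and certificate; SHA-256 digests stand in here.
import hashlib

STAGE_NAMES = ["microloader", "bootloader/BIOS", "operating system"]
MARKER = b"\nEXPECT_NEXT="          # constructed: where a stage stores the next stage's digest


def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def build_chain(microloader: bytes, bootloader: bytes, os_image: bytes):
    """Build the images the way an image-signing pipeline would: measure the OS,
    embed its digest in the bootloader, measure that, embed it in the microloader;
    the microloader's digest is what the hardware anchor holds."""
    stage_os = os_image
    stage_boot = bootloader + MARKER + digest(stage_os).encode()
    stage_micro = microloader + MARKER + digest(stage_boot).encode()
    anchor = digest(stage_micro)
    return anchor, [stage_micro, stage_boot, stage_os]


def expected_next(stage: bytes):
    """Digest the stage vouches for, or None for the last stage."""
    idx = stage.rfind(MARKER)
    return stage[idx + len(MARKER):].decode() if idx >= 0 else None


def secure_boot(anchor: str, stages: list):
    """Verify each stage against the value the previous stage (or the anchor)
    vouches for; halt at the first mismatch instead of launching it."""
    verified, expected = [], anchor
    for name, stage in zip(STAGE_NAMES, stages):
        if digest(stage) != expected:
            return verified, f"halt: {name} failed integrity check"
        verified.append(name)
        expected = expected_next(stage)
    return verified, "launch operating system"


def tamper(stage: bytes, offset: int = 0) -> bytes:
    """Flip one bit of an image (constructed test case)."""
    b = bytearray(stage)
    b[offset] ^= 0x01
    return bytes(b)


def demo() -> dict:
    anchor, stages = build_chain(b"MICROLOADER v1", b"BOOTLOADER/BIOS v1", b"OS image v1")
    micro, boot, os_img = stages
    return {
        "genuine": secure_boot(anchor, [micro, boot, os_img]),
        "tampered_os": secure_boot(anchor, [micro, boot, tamper(os_img)]),
        "tampered_bootloader": secure_boot(anchor, [micro, tamper(boot), os_img]),
        "tampered_microloader": secure_boot(anchor, [tamper(micro), boot, os_img]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The property worth noticing is that a change anywhere below the anchor stops the boot at exactly the first altered stage, and that nothing a later stage contains can repair trust lost earlier; a signature scheme adds the ability to re-issue images without touching the anchor, which a digest chain cannot.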
Add Network Integrated Threat Defense: IOS Zone-Based Firewall
[Diagram: Branch over MPLS (ISP A) and Internet (ISP C) to ASR 1000 routers in the Data Center]
• Control the Perimeter:
  • External and internal protection: internal network is no longer trusted
  • Protocol anomaly detection and stateful inspection
• Communicate Securely:
  • Call flow awareness (SIP, SCCP, H323)
  • Prevent DoS attacks
• Flexible:
  • Split Tunnel: Branch direct Internet access
  • Internal FW addresses regulatory compliance
• Integrated:
  • No need for additional devices, expenses and power
  • Works with other IWAN Services: CWS, WAAS, UCS-E, …
• Manageable:
  • APIC-EM, Prime, CLI, SNMP, CCP, and CSM
Securing IWAN Transports with Front-door VRF: Isolation of external networks
Virtual Route Forwarding (VRFs) create multiple logical routers on a single device
• Separate control/forwarding planes per VRF
• No connectivity between VRFs by default
• Provider side VRF (yellow) for external networks, Global VRF (blue) for internal networks
Provider VRF minimizes threat exposure
• Default routing only in Provider VRF
• Provider assigned IP addressing hides internal network
• Provider IP address used as IPSec tunnel source
• Only IPsec allowed between internal Global and Provider Front Side VRFs
[Diagram: Branch LAN (10.1.1.0/24, 10.1.2.0/24, …) in the Global “Inside Network” VRF; IPSec Tunnel Interface crossing into the Front Side “Provider Interface” VRF (F-VRF) with the Provider Assigned WAN IP Address 192.168.254.254; VRFs have independent routing and forwarding planes; IOS ZBFW or ACL to permit only authorized traffic, i.e. IPsec]
Protecting the Public facing IWAN Interfaces
• Use ACLs, ZBFW or ASA to block all traffic except the DMVPN tunnel traffic to routers
• Zone Based Firewall (ZBFW) at the branch if there are plans for direct Internet access
• Typical ACL for protecting the Internet interface:

  interface GigabitEthernet0/0
   bandwidth 10000
   vrf forwarding IWAN-TRANSPORT-2
   ip address dhcp
   ip access-group ACL-INET-PUBLIC in
  !
  ip access-list extended ACL-INET-PUBLIC
   permit udp any any eq non500-isakmp
   permit udp any any eq isakmp
   permit esp any any
   permit udp any any eq bootpc
   permit icmp any any echo
   permit icmp any any echo-reply
   permit icmp any any ttl-exceeded
   permit icmp any any port-unreachable
   permit udp any any range 33434 33463 ttl eq 1

[Diagram: Branch over MPLS (ISP A) and Internet (ISP C) to ASR 1000 routers in the Data Center]
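A way to check what the ACL on this slide (and the "only IPsec between the VRFs" rule of the front-door VRF slide) actually lets through the public interface, as an added example that is not Cisco's code and not how IOS evaluates ACLs internally. The ACL text is the slide's; the `UDP_PORTS` and `ICMP_TYPES` name tables, the packet dictionaries and the `any any`-only parser are constructed assumptions covering just the keywords that ACL uses.

```python
# Added example (not Cisco's code): evaluate constructed packets against the
# slide's extended ACL to see what the Internet-facing interface still accepts.
# Keyword support is limited to what this ACL uses; source/destination must be 'any any'.
ACL_INET_PUBLIC = """
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit udp any any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit udp any any range 33434 33463 ttl eq 1
"""

UDP_PORTS = {"isakmp": 500, "non500-isakmp": 4500, "bootpc": 68}     # IOS port names used above
ICMP_TYPES = {"echo": (8, None), "echo-reply": (0, None),              # (type, code or None=any)
              "ttl-exceeded": (11, None), "port-unreachable": (3, 3)}


def parse_acl(text: str) -> list:
    """Turn ACL entries into match dicts (action, proto, optional ports/ttl/icmp)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, rest = tok[0], tok[1], tok[4:]      # tok[2:4] is the 'any any' src/dst
        rule = {"action": action, "proto": proto, "text": line}
        while rest:
            kw = rest.pop(0)
            if kw == "eq":
                port = UDP_PORTS[rest.pop(0)]
                rule["ports"] = (port, port)
            elif kw == "range":
                rule["ports"] = (int(rest[0]), int(rest[1]))
                del rest[:2]
            elif kw == "ttl":
                rest.pop(0)                                  # the 'eq' operator
                rule["ttl"] = int(rest.pop(0))
            elif kw in ICMP_TYPES:
                rule["icmp"] = ICMP_TYPES[kw]
            else:
                raise ValueError(f"unsupported keyword {kw!r} in {line!r}")
        rules.append(rule)
    return rules


def matches(rule: dict, pkt: dict) -> bool:
    if rule["proto"] != pkt["proto"]:
        return False
    if "ports" in rule and not (rule["ports"][0] <= pkt.get("dport", -1) <= rule["ports"][1]):
        return False
    if "ttl" in rule and pkt.get("ttl") != rule["ttl"]:
        return False
    if "icmp" in rule:
        icmp_type, icmp_code = rule["icmp"]
        if pkt.get("icmp_type") != icmp_type:
            return False
        if icmp_code is not None and pkt.get("icmp_code") != icmp_code:
            return False
    return True


def evaluate(rules: list, pkt: dict) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "deny"


def demo() -> dict:
    """Constructed inbound packets as seen on the DHCP-addressed Internet interface."""
    rules = parse_acl(ACL_INET_PUBLIC)
    samples = {
        "ike": {"proto": "udp", "dport": 500, "ttl": 64},
        "ike-nat-t": {"proto": "udp", "dport": 4500, "ttl": 64},
        "esp": {"proto": "esp", "ttl": 64},
        "dhcp-offer": {"proto": "udp", "dport": 68, "ttl": 64},
        "ping": {"proto": "icmp", "icmp_type": 8, "icmp_code": 0},
        "traceroute-probe": {"proto": "udp", "dport": 33440, "ttl": 1},
        "udp-33440-ttl-64": {"proto": "udp", "dport": 33440, "ttl": 64},
        "ssh": {"proto": "tcp", "dport": 22, "ttl": 64},
        "icmp-redirect": {"proto": "icmp", "icmp_type": 5, "icmp_code": 1},
    }
    return {name: evaluate(rules, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

Two things the run makes concrete: the traceroute entry only admits UDP probes that are expiring at this router (TTL 1), so the same port range with a normal TTL still hits the implicit deny, and management protocols such as SSH never match, which is the intended effect of exposing nothing but the DMVPN control and data plane on the public address.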
IOS Security: General IOS Security measures for Internet facing interfaces
• Disable unused services and features

  service tcp-keepalives-in
  service tcp-keepalives-out
  !
  no mop enabled
  !
  no service pad
  !
  no service config
  !
  interface GigabitEthernet0/0
   description Internet Connection
   no ip redirects
   no ip proxy-arp
   no lldp transmit
   no lldp receive
   no cdp enable
   no mop enabled
  !

[Diagram: Branch over MPLS (ISP A) and Internet (ISP C) to ASR 1000 routers in the Data Center]
Intelligent WAN: Direct Cloud Access
[Diagram: Branch (ISR-AX with ZBFW) over MPLS (IP-VPN) to the Private Cloud and Virtual Private Cloud, and Direct Internet Access to the Public Cloud via CWS]
• Leverage Local Internet path for Public Cloud and Internet access
• Improve application performance (right flows to right places)
Solutions:
• On Premise: Zone Based Firewall
• Cloud Based: Cloud Web Security
Cloud Web Security: Centralized Management for Distributed Policy
[Screenshot: Cisco ScanCenter Portal]
Secure Internet Access with Cisco Cloud Web Security (CWS)
[Diagram: Branch with WAN1 (IP-VPN) carrying the IWAN IPsec VPN for Private Cloud traffic and WAN2 (Internet) to CWS and the Public Cloud; IOS Firewall protects the Internet edge]
• Secure Public Cloud and Internet Access
• ISR Connector to CWS Firewall towers
• Web Filtering, Access Policy, Malware Detection
Orchestration and Automation
Policy driving the Network
Application Policies: AppID, bandwidth, latency, loss, jitter, ...
Security Policies: Segmentation, access control, privacy/crypto, ...
• Controllers collect data from the network and push policy to the network
• The network only maintains segments; no application state
• The network enforces the policies and reports status and event data
[Diagram: Policy → SDN Controller → Network]
The next generation Branch WAN needs Automation & Orchestration
• APIC-EM IWAN App
• Prime Infrastructure (Enterprise)
• vMS/NSO (Large Enterprise & SP)
Cisco IWAN Management Portfolio: Covering a broad range of requirements and preferences
• IWAN App: Prescriptive Policy Automation
  • Customer wants considerable automation and operational simplicity
  • Requirements consistent with prescriptive IWAN Validated Design
  • Lean IT organization
• Cisco Prime Infrastructure: Enterprise Network Mgmt and Monitoring
  • Customer needs customizable IWAN with end-to-end monitoring
  • One Assurance across Cisco portfolio from Branch to Datacenter
  • IT Network team
• Ecosystem Partners: Application Aware Performance Mgmt
  • Customer looking for advanced monitoring and visualization
  • QoS/PfR/AVC configuration, Real-time analytics and network troubleshooting
  • IT Network team
• Advanced Orchestration
  • Customer wants advanced provisioning, life cycle management, and customized policies
  • System-wide network consistency assurance
  • Lean IT OR IT Network team
IWAN Automation and Orchestration Evolution
[Diagram: APIC-EM with a Device Abstraction Layer and REST APIs; APIC-EM Services (partial): PKI Svc, NetFlow Svc, ZTD Svc, Network Svc, Events Svc, Inventory Svc; Cisco IWAN Apps: IWAN Transport, PKI Automation, Security, Intelligent Path Control, Application Experience, PnP Provisioning; Partners (future); Traditional Management Systems: Cisco Prime (Capacity Planning, Historical Reporting, Licensing, etc.; Prime Deployment Workflows, Change control, etc.)]
IWAN App Provisioning
[Screenshot]
IWAN App – Application Classification
[Screenshot]
IWAN App – Policy Provisioning
[Screenshot]
Prime Infrastructure for IWAN
• IWAN workflow wizard with PnP
• Template-based IWAN configs
• PfRv3 Domain, MC and BR
• AVC One-Click provision
• QoS Provisioning
• Single or Dual Router Branch
• CVD-based, Customizable
• AVC Readiness Assessment
• AVC, QoS, PfR Visibility
• Leverages APIC EM services
Service Health Summary
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation ID
PfR dashboard – look at events at sites
Router – Provider – Server
Link Details
PfR threshold crossing
An Application-aware Network Performance Management and QoS Control tool
Fast, simple, cost effective way to monitor and control application performance leveraging Cisco capabilities
LiveAction Software
LiveAction Components: Flow, QoS Monitor, QoS Configure, Routing, LAN, IP SLA
LiveAction and Performance Routing
• PfR path change visualization
• Alert and report on PfR Out of Policy events
• Reports on traffic class/application path changes
Out-Of-Policy Threshold Crossing Alert
Before Brown-Out (Northern Path) / After Brown-Out (Southern Path)
PfRv3 Dashboard
Alerts / performance by Site
Alerts / performance by Application Group
All Alerts
Glue Networks IWAN Orchestration
• Cloud-based SaaS subscription model
• Eliminates manual building of WANs
• Automated WAN orchestration and management
• Quick configuration updates and IOS upgrades
• Rapidly delivers next-gen and IWAN features
• Forward compatible with SDN and OnePK for app aware WANs
• Broadband and MPLS support for centralized hybrid WAN management for IWAN
Introducing Gluware 2.0: DevOps for Network Engineers
• Network Engineer Centric vs. Programmer Centric
• Gluware Lab—Rapid Development Environment, NDK, & FLOW (Flexible Language Object Workstream)
• Gluware Control—Network-aware and Customizable Life-Cycle Mgmt
• Integrated with leading architectures (IWAN)
• REST API for third-party Monitoring, Visualization, Controllers
Cisco IWAN Product Portfolio
Start with Cisco AX Routers: IWAN Capabilities Embedded in the Router
ISR-AX, ISR-4000 AX, ASR1000-AX
One Network, Unified Services: Simplify Application Delivery
Transport Independent, Secure Routing, Optimization, Control, Visibility
Cisco AX Routers: 800 | 1900 | 2900 | 3900 | 4000 | ASR 1000
IWAN Branch Services Routers: ASR4000 Series - IWAN AX Ready, Next Generation Branch
INTEGRATED IWAN SERVICES
• IOS Firewall, VPN, IPSec, PfRv3, NBAR2, AVC, AppNav, VRF, MPLS
• Scalable on-chip service provisioning
APPLICATION CENTRIC
• App/User policy-driven deployment
• APIC-EM Automation: deploy in minutes
• Pay-as-you-grow
• Up-to-75% cost savings
APPLIANCE LEVEL PERFORMANCE
• Service-Aware Dataplane
• Resilient Service Virtualization
• Multi-gigabit Fabric
Platform throughput:
ISR4321: 50/100Mbps
ISR4331: 100/300Mbps
ISR4351: 200/400Mbps
ISR4431: 500Mbps/1Gbps
ISR4451: 1-2Gbps
IWAN Aggregation Border Routers: ASR1000 - IWAN AX Ready, High Performance Routers
INTEGRATED IWAN SERVICES
• IOS Firewall, VPN, IPSec, PfRv3, NBAR2, AVC, AppNav, VRF, MPLS
• Scalable on-chip service provisioning
BUSINESS-CRITICAL RESILIENCY
• Separate control and data planes
• Hardware and software redundancy
• In-service software upgrades
COMPACT, POWERFUL ROUTER
• Line-rate performance 2.5G to 200G+ with services enabled
• Crypto performance from 2G to 60G+
• Flexible I/O: SPAs and Ethernet LCs
ASR1001-X: 2.5G, upgradeable to 5G, 10G, 20G; up to 8G crypto throughput
ASR1002-X: 5G, upgradeable to 10G, 20G, 36G; up to 4G crypto throughput
Modular ASR1006: modular, redundant, up to 200G; up to 60G crypto throughput
Cisco UCS-E Series: Extend Cloud Services into Branch Infrastructure
Support on ISR Series Routers
[Diagram: ISR running IOS with an MGF backplane switch hosting UCS-E blades, each with CIMC, a hypervisor, and several guest OS/App instances]
Platform for WAN Edge Applications: Microsoft Windows Server and Linux certified
Server Virtualization: Cisco UCS virtualization powered by VMware, Microsoft, Citrix
Dedicated Blade Management: Cisco Integrated Management Controller, consistent management for the UCS family
Multipurpose x86 Blades: Cisco UCS E-Series modules house up to four server blades in an ISR
Single-Device Network Integration: house all services in the ISR chassis; multigigabit fabric backplane switch
Why Cisco IWAN?
Transport Independent Design
• Highly available Hybrid WAN
Intelligent Path Control
• Performance Routing (PfR) to protect applications and load balance traffic to maximize expensive WAN bandwidth
Application Optimization
• Application Visibility and Control (AVC) to monitor performance
• WAAS + Akamai to reduce bandwidth consumption while improving application experience
Secure Connectivity
• Secure the network from outside threats
• Cloud Web Security (CWS) for improved Cloud performance while freeing up WAN bandwidth, without compromising security
IWAN Management
• Cisco and Ecosystem Partner tools: APIC-EM IWAN-APP, Prime, LiveAction, GlueWare, and more
Intelligent WAN Summary
[Diagram: IWAN Core with DC-West and DC-East (ASR-AX border routers with WAAS, MC and BR roles) connected over MPLS and Internet to Branch-1 through Branch-513 (ISR-AX with vWAAS, BR role) on mixed transports: 20M down / 2M up, 512M FD, 1.5M FD, 256M FD, island ADSL; AVC and CWS enabled]
IWAN Vision and Strategy
Secure VPN Overlay, Any Transport, Bandwidth Efficiency, Application SLA
Secure, Simple, Centralized Policy Automation
Global Policies, Cloud POPs, Mobility, Optimization, Cloud Security
vRouter, vService and App Orchestration
[Diagram: IWAN vision roadmap across Campus/WAN/DC; labels as extracted: Intelligent, Virtualization, Automation, Cloud, Integration, Service, Virtualization, SD, Enterprise]
IWAN Vision and Strategy: Systems Development evolution of IWAN
[Diagram: the roadmap labels from the previous slide mapped onto the IWAN Framework pillars below]
Transport Independent Design
Intelligent Path Control
Application Optimization
Secure Connectivity
Management & Orchestration
IWAN Framework
Incremental improvements while delivering new use-cases
Branch
MPLS (IP-VPN)
Internet
Private Cloud
Virtual Private Cloud
Public Cloud
Cisco Intelligent WAN (IWAN)
Secure WAN Transport
Direct Internet Access
Mixed Transport WAN with High Reliability
SLAs for Business-Critical Applications
Centralized Security Policy for Internet Access
Dramatically Lower WAN Costs Without Compromise
We’re ready. Are you?