Upload: truonganh

Post on 20-Apr-2018

233 views

Category:

Documents


1 download

TRANSCRIPT

Next Generation Enterprise WAN: Branch & Head-End

David Prall

Communications Architect

BRKARC-2091

© 2013 Cisco and/or its affiliates. All rights reserved. BRKARC-2091 Cisco Public

Housekeeping

Please switch your mobile phones to STUN

We value your feedback—don't forget to complete your online session evaluations after each session and complete the Overall Conference Evaluation which will be available online from Thursday

Visit the World of Solutions

Please remember this is a non-smoking venue!

Please make use of the recycling bins provided

Please remember to wear your badge to the Party


"Everything is moving to the CLOUD!"

Server, application and desktop virtualization are transforming data centers into private clouds.

The Internet and Web have revolutionized how Application Service Providers deliver applications.

Hosting providers offer virtual infrastructures instead of physical space and equipment: hybrid clouds.

How do you design a network if you don't know where the applications reside? What if the applications move to a different DC, or to a hybrid cloud offering? How do you isolate user performance issues for cloud applications?

Mobile devices enable users to access applications from anywhere at any time: Work Your Way.

How will all of this impact security policies and procedures?

Which cloud? (Figure callouts: "It's in the Cloud!", Private Cloud?, Public Cloud?, Hybrid Cloud?)

Agenda

The Borderless Network

Next Generation Enterprise WAN

Private Cloud Services

Hybrid Cloud Services

Public Cloud Services

Platform Overview

Wrap Up / Summary


Enterprise Megatrends

(Figure: the trends driving the enterprise network.)
• Cost control
• Mobility, BYOD
• Cloud: private, public, hybrid
• Immersive collaboration, pervasive video
• IT effectiveness, security

Network Implications: Shifting Borders

• Device border: IT consumerization
• Location border: the mobile worker
• Application border: video/cloud, IaaS and SaaS; external-facing applications alongside internal applications

Borderless Networks Architecture

Key IT initiatives: BYOD, desktop virtualization, pervasive video, remote expert, cloud computing, IT/OT convergence.

Key system pillars addressing these initiatives:
• Network and end-point services: EnergyWise (energy management), TrustSec (policy enforcement), App Visibility and Control (app performance), Medianet (multimedia optimization)
• Technology innovation: wireless, routing, switching, application networking/optimization, security appliance and firewall
• Management (Cisco Prime), risk management and compliance, systems excellence

Architectures: SecureX, Unified Access, Cloud Intelligent Networks (Cloud Connectors, Cloud Optimization), Connected Industries.

Cloud Intelligent Networks Solutions

(Figure: where each product sits.)
• Cloud Connectors: ScanSafe, HCS, WebEx CCA, 3rd party
• Public Cloud: HCS Services
• Virtual Private Cloud: ASA 1000V, Nexus 1000V, vWAAS, VSG, VXLAN, CSR 1000V, vPath
• Branch: Cisco ISR G2, ASR 1000, AVC, WAAS, UCS-E
• Private Cloud: ASR 1000, AVC, ASA, WAAS, AppNav
• Management: Cisco Prime Infrastructure
• Services: AnyConnect VPN, ScanSafe, WebEx and HCS Cloud Connectors

Cloud Intelligent Network pillars: Security, App Visibility & Control (AVC), Cloud Connectors, Medianet.

Introducing the Next Generation Enterprise WAN

Next Generation Enterprise WAN High Level Topology

(Figure. Services layered across the WAN: Operations, IPv4/v6, TrustSec, MediaNet, Application Visibility & Control, Cloud.)

Sites and transports shown: Local Campus Interconnect; Data Center; Metro Data Center; Remote Branches; Regional WANs (East, West and South Region Interconnects) joined by a WAN Core; Internet WAN (primary or backup); Hybrid Cloud Service Provider services (voice, video, etc.); Public Cloud; Private Cloud.

Design goals: efficient use of resources; seamless any-to-any services; consistent security.


Regional WAN Architecture

(Figure.) Head-end: redundant, scalable GETVPN head-end (ASR1K pairs) on SP A MPLS and SP B MPLS; redundant, scalable DMVPN head-end (ASR1K pair) on the Internet; Enterprise Interconnect to the local campus interconnect and data center; Cisco Prime for management.

Branch profiles and transports: Standard Branch (ISR G2, serial/Ethernet), High End Branch (ISR G2, DS3/FE), Mobile Branch (ISR G2, 3G/4G, satellite), Ultra High-End Branch/Campus (ASR1K, OC3/GE).

• Standardized profiles
• Any WAN transport
• Pervasive, scalable end-to-end security
• Intelligent, per-application, adaptive routing
• Optimized performance
• Simplified management, monitoring and troubleshooting

Regional WAN Branch Profiles

Flexible deployment options for different service requirements, ordered by performance and availability:

Mobile Branch (retail banking, kiosk, vehicles, cruises): ISR G2 over 3G/4G or satellite
• WAAS Express to boost application performance
• Branch mobility
• Deliver video over 4G*

Standard Branch (typical branch office): ISR G2, SP MPLS with Internet backup
• Most common deployment
• Migration from serial to Ethernet
• SP MPLS VPN with Internet VPN backup
• Application performance
• 4-9s availability
• Deliver SD video

High-end Branch (financial branch, medium/large branch office): redundant ISR G2, dual SP MPLS
• Migration from DS3 to FastEthernet
• Dual SP MPLS
• Redundant router
• Application performance
• 5-9s availability
• Deliver HD video

Ultra High-end Branch/Campus (remote campus): redundant ASR1K, dual SP MPLS
• Very high bandwidth, up to 1 Gb
• Software and hardware redundancy
• Same profile as High-end Branch
• Services scaled up by dedicated appliance engines

Regional WAN Aggregation Profiles

Two WAN aggregation profiles for different availability and scalability requirements (figure: branch profiles on the left, aggregation profiles on the right, ordered by scalability and availability):

Standard Aggregation (ASR1K, ISR G2; MPLS and Internet; GETVPN KS, GETVPN GM/PfR MC, DMVPN)
• Scale to support 1500 sites
• 4-9s availability
• One device serves multiple roles
• Hardware/software redundancy

High-end Aggregation (ASR1K pairs; dual MPLS and Internet; dedicated PfR MC, GETVPN GM, DMVPN, COOP GETVPN KS)
• Scale to support 5000* sites
• 5-9s availability
• Dual SP MPLS and Internet
• Redundant Key Server
• Dedicated PfR MC
• Hardware/software redundancy

Private Cloud Services: Application Visibility & Control, WAAS & UCS E, MediaNet, TrustSec Security, IPv6

Private Cloud Definition

(Figure: Public Cloud with HCS Services; Virtual Private Cloud with ASA 1000V, Nexus 1000V, vWAAS, VSG, VXLAN, CSR 1000V and vPath; Private Cloud with ASR 1000, AVC, ASA, WAAS and AppNav; Cloud Intelligent Network pillars: Security, App Visibility & Control (AVC), Cloud Connectors, Medianet.)

Used only by a single company or organization, the private cloud looks a lot like the traditional enterprise data centers we're familiar with, although it tends to focus on virtualized services. It might be operated by a third party instead of the company using it.

Source: NIST

Application Visibility & Control

"Today's Network is an IT Blind Spot"

• Static port classification is no longer enough
• More and more apps are opaque
• Increasing use of encryption and obfuscation
• An application consists of multiple sessions (video, voice, data)

Next Generation Networks will be Application Aware

• Gain visibility into the applications running in the network, their performance trends, and user experience
• Intelligently prioritize and control application traffic to maximize user experience

What is the Application Visibility and Control (AVC) Solution

(Figure: four building blocks on ASR1K and ISR G2.)
1. Application Recognition: identify applications using L3 to L7 information
2. Performance Collection & Exporting: collect application performance metrics and export them to a management tool over NetFlow v9/IPFIX
3. Reporting Tools: an advanced reporting tool aggregates and reports application performance (App Visibility & User Experience Report), for example:

   App         BW    Transaction Time
   SAP         3M    150 ms
   Sharepoint  10M   500 ms

4. Control: control application usage (High / Med / Low) to maximize application performance

Next Generation NBAR (NBAR2) Deep Packet Inspection (DPI)

NBAR2 combines IOS NBAR (150+ signatures) with SCE classification (1000+ signatures) and advanced classification techniques, with innovations such as native IPv6 classification and an open API for 3rd-party integration.

• Provides advanced application classification and field extraction capabilities
• In-service upgradable protocol definitions: no IOS upgrade or reboot for new Protocol Packs
• Backward compatibility to preserve existing NBAR investments

NBAR2 Protocol List: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html

Available from IOS 15.2(2)T1 and IOS XE 3.4S (Application Recognition)

Performance Collection & Exporting: What is it?

Integrated performance monitoring and advanced metrics for different types of applications and use cases:
• Basic monitoring (Flexible NetFlow and NBAR/NBAR2): what applications, how much bandwidth, flow direction?
• Advanced monitoring: voice and video performance (Media Monitoring), 30% of traffic being voice and video; critical application performance (Application Response Time, e.g. HTTP), 40% of traffic being critical applications

Gaining Full Visibility with Flexible NetFlow

Traditional NetFlow covers L3 and L4 only. Flexible NetFlow (FNF) records can carry L2, L3 and L4 fields, L7 application identity (NBAR), performance metrics (MMON, ART), network metrics (QoS) and other metrics.

Flexible NetFlow
• Extensible to support new and future metrics
• Monitors data from layer 2 through 7
• Collect only what is needed: define your own record format and aggregation

NetFlow to FNF Migration Guide:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/ps6965/white_paper_c11-545581.html

Better Visibility with NBAR2 and FNF (Performance Collection & Exporting)

• Application information exported in FNF records
• Reporting tools display top client & server
• show ip nbar protocol-discovery top-n

Router#show ip nbar protocol-discovery top-n 10

 GigabitEthernet0/0/3

                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            30sec Bit Rate (bps)     30sec Bit Rate (bps)
                            30sec Max Bit Rate (bps) 30sec Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   webex-meeting            45807530                 163458047
                            2497543722               129842885217
                            115000                   5998000
                            152000                   7799000
   bittorrent               59667396                 156155174
                            12768822744              103187176646
                            555000                   4715000
                            697000                   5077000
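The counters above are what the router prints; a practitioner usually wants them machine-readable so that unwanted applications (the bittorrent row above) can be flagged from a script or a monitoring job. The following Python is an added example, not Cisco code and not from this session: it parses the protocol-discovery layout shown above (the sample text is constructed to match that layout) and flags watch-listed applications whose 30-second bit rate reaches a threshold.

```python
"""Parse 'show ip nbar protocol-discovery top-n' output and flag unwanted applications.

Added example; the sample output below is constructed to match the layout on the slide.
"""
import re

SAMPLE_OUTPUT = """\
 GigabitEthernet0/0/3

                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            30sec Bit Rate (bps)     30sec Bit Rate (bps)
                            30sec Max Bit Rate (bps) 30sec Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   webex-meeting            45807530                 163458047
                            2497543722               129842885217
                            115000                   5998000
                            152000                   7799000
   bittorrent               59667396                 156155174
                            12768822744              103187176646
                            555000                   4715000
                            697000                   5077000
"""

# Each protocol block is four rows of (input, output) counters in this order.
FIELDS = ("packets", "bytes", "bps_30s", "max_bps_30s")
IFACE_RE = re.compile(r"^\s*([A-Za-z]+\d[\d/.]*)\s*$")              # e.g. GigabitEthernet0/0/3
PROTO_RE = re.compile(r"^\s*([a-z0-9][\w.-]*)\s+(\d+)\s+(\d+)\s*$")  # name, input pkts, output pkts
PAIR_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s*$")                       # continuation row: input, output


def parse_protocol_discovery(text):
    """Return {interface: {protocol: {field: {"in": int, "out": int}}}}."""
    result, iface, proto, row = {}, None, None, 0
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            result[iface] = {}
            proto = None
            continue
        m = PROTO_RE.match(line)
        if m and iface is not None:
            proto = m.group(1)
            result[iface][proto] = {FIELDS[0]: {"in": int(m.group(2)), "out": int(m.group(3))}}
            row = 1
            continue
        m = PAIR_RE.match(line)
        if m and proto is not None and row < len(FIELDS):
            result[iface][proto][FIELDS[row]] = {"in": int(m.group(1)), "out": int(m.group(2))}
            row += 1
    return result


def flag_unwanted(parsed, watchlist, min_bps=0):
    """Return [(interface, protocol, direction, bps)] for watch-listed apps at or above min_bps."""
    hits = []
    for iface, protos in parsed.items():
        for proto, stats in protos.items():
            if proto not in watchlist or "bps_30s" not in stats:
                continue
            for direction in ("in", "out"):
                bps = stats["bps_30s"][direction]
                if bps >= min_bps:
                    hits.append((iface, proto, direction, bps))
    return hits


if __name__ == "__main__":
    parsed = parse_protocol_discovery(SAMPLE_OUTPUT)
    for hit in flag_unwanted(parsed, {"bittorrent"}, min_bps=1_000_000):
        print("WATCHLIST %s %s %s %d bps" % hit)
```

The parser keys on layout rather than column positions, so it survives the wide-counter reflow seen in the slide; a real job would feed it the output of a scheduled `show` command and raise a ticket or push a QoS policy change for the flagged rows.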

Active or Passive Monitoring for Performance Measurement

Active monitoring (IP SLA sender on Router 1, IP SLA responder on Router 2; active probing):
• Generates synthetic traffic into the network
• Requires an IOS responder for advanced monitoring types

Passive monitoring (FNF, MMON, ART):
• Inspects traffic to measure performance metrics
• Performance metrics are available only when there is traffic

Application Response Time (ART) Measurement

Key features
• 27 Application Response Time (ART) metrics
• Interacts with NBAR2 for application ID and field extraction information
• In ISR G2, provided by the Performance Agent (PA)
• In ASR1K, ART is part of unified monitoring

Benefits
• Visibility into application usage and performance
• Quantify user experience
• Troubleshoot application performance
• Track service levels for application delivery

(Figure: branch users complain "My query is taking a long time!" and "My email is slow!"; the data center asks "How do I ensure my SLA is met?"; the WAN routers export NetFlow v9/IPFIX to a reporting tool.)

Available from ISR G2 15.2(4)M2 and ASR1K IOS XE 3.8S

ART Path Network Segment Breakdown

• Separates the application delivery path into client and server segments
• Server Network Delay (SND) approximates WAN delay
• Latency per application

(Figure: a branch ISR G2 sits between network clients and application servers. Total Delay is made up of Client Network Delay (CND) on the client side, Network Delay (ND) across the WAN, Server Network Delay (SND) and Application Delay (AD) on the server side, measured across the request and response.)
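To make the breakdown concrete, here is an added Python example (not Cisco's Performance Agent and not code from this session) that derives the segment delays from a constructed timeline of one TCP transaction as a branch router would see it. SND is the time from the forwarded SYN to the returned SYN-ACK, CND the time from the forwarded SYN-ACK to the client's ACK, and AD the server's response time with SND removed; the metric names follow the slide, the formulas are this example's simplified model.

```python
"""Approximate ART segment delays (CND, SND, ND, AD) from packets seen at a branch router.

Added example. The packet timeline is constructed; the formulas are a simplified
model of the metrics named on the slide, not Cisco's implementation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    t: float          # seconds, timestamp at the router's vantage point
    to_server: bool   # True for client -> server
    flags: str        # "S", "SA", "A" for handshake segments, "" for data
    payload: int      # payload bytes (0 for pure control segments)


# One HTTP-style transaction: 3-way handshake, a 2-segment request, a 2-segment response.
SAMPLE = [
    Pkt(0.000, True, "S", 0),
    Pkt(0.042, False, "SA", 0),
    Pkt(0.045, True, "A", 0),
    Pkt(0.050, True, "", 400),
    Pkt(0.052, True, "", 120),
    Pkt(0.210, False, "", 1460),
    Pkt(0.260, False, "", 900),
]


def art_metrics(pkts):
    """Split total delay into client-side, WAN/server-side and application components."""
    syn = next(p for p in pkts if p.to_server and p.flags == "S")
    synack = next(p for p in pkts if not p.to_server and p.flags == "SA" and p.t > syn.t)
    ack = next(p for p in pkts if p.to_server and p.flags == "A" and p.t > synack.t)
    req = [p for p in pkts if p.to_server and p.payload > 0]
    if not req:
        raise ValueError("no request data seen")
    rsp = [p for p in pkts if not p.to_server and p.payload > 0 and p.t > req[-1].t]
    if not rsp:
        raise ValueError("no response data seen")

    snd = synack.t - syn.t                # Server Network Delay: router <-> server round trip
    cnd = ack.t - synack.t                # Client Network Delay: router <-> client round trip
    response_time = rsp[0].t - req[-1].t  # last request byte out -> first response byte back
    ad = response_time - snd              # Application Delay: server think time, SND removed
    return {
        "CND": cnd,
        "SND": snd,
        "ND": cnd + snd,                  # Network Delay, end to end
        "AD": ad,
        "total_delay": cnd + snd + ad,
        "transaction_time": rsp[-1].t - req[0].t,
    }


def bottleneck(metrics):
    """Name the segment that dominates the delay: 'client', 'network' (WAN) or 'application'."""
    parts = {"client": metrics["CND"], "network": metrics["SND"], "application": metrics["AD"]}
    return max(parts, key=parts.get)


if __name__ == "__main__":
    m = art_metrics(SAMPLE)
    for k, v in m.items():
        print("%-17s %.3f s" % (k, v))
    print("bottleneck:", bottleneck(m))
```

With the sample timeline the WAN round trip is 42 ms but the server takes 116 ms to start answering, so the "my query is slow" complaint from the previous slide points at the application, not the WAN; that is exactly the distinction the segment breakdown exists to make.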

Application-aware QoS with NBAR2 (Control)

class-map match-all business-critical
 match protocol citrix
 match access-group 101
class-map match-any browsing
 match protocol attribute category browsing
class-map match-any internal-browsing
 match protocol http url "*myserver.com*"
policy-map internal-browsing-policy
 class internal-browsing
  bandwidth remaining percent 60
policy-map my-network-policy
 class business-critical
  priority percent 50
 class browsing
  bandwidth remaining percent 30
  service-policy internal-browsing-policy
interface Serial0/0/0
 service-policy output my-network-policy

Application        Bandwidth                              Priority
Business Critical  Committed 50% of the line              High
Browsing           30% of excess BW (=15% of the line)    Normal
Internal Browsing  60% of Browsing
Remaining          70% of excess BW (=35% of the line)    Normal

Committed BW is 50% of the line; the other 50% is excess BW shared by the remaining classes.

GRE/IPsec Network QoS Design (Control)

Direction of packet flow (figure):
1. The packet is initially marked (callout: "Packet initially marked to DSCP AF41"; the other headers in the figure are labelled DSCP CS5).
2. By default the ToS byte is copied to the IPsec header when the packet is encapsulated.
3. The top-most (outer) ToS byte is rewritten on egress: the WAN-OUT policy remarks the DSCP value on the encrypted/encapsulated header on the egress interface.
4. At the far end the packet is decapsulated to reveal the original ToS byte.

policy-map WAN-OUT
 class VOICE
  priority percent 10
 class VIDEO-INTERACTIVE
  priority percent 23
  set ip dscp af41
 class NETWORK-MGMT
  bandwidth percent 5
  service-policy MARK-BGP
 class class-default
  bandwidth percent 25
  random-detect
!
policy-map Int-Gig-Agg-HE
 class class-default
  shape average 1000000000
  service-policy WAN-OUT

Policy-map names are case-sensitive in IOS, so the child policy is referenced as WAN-OUT to match its definition.
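The point of the figure is that two ToS bytes exist once the packet is in the tunnel, and only the outer one is visible to the carrier. The following Python is an added example, not Cisco code, modelling that with real IPv4 header bytes: the outer header copies the inner DSCP at encapsulation (the IOS default the slide mentions), the egress policy rewrites only the outer DSCP (here CS5 to AF41, standing in for the `set ip dscp af41` action), and decapsulation returns the inner header untouched with a valid checksum. The ESP transform itself is not modelled; the inner packet rides in the clear as a stand-in for ciphertext, and the addresses are documentation ranges chosen for the example.

```python
"""DSCP across an IPsec tunnel: ToS copied to the outer header, egress remark touches
only the outer header, inner marking survives decapsulation.

Added example with real IPv4 header layout; ESP encryption is not modelled and the
inner packet is carried in the clear as a stand-in for the ESP payload.
"""
import socket
import struct

DSCP = {"BE": 0, "AF41": 34, "CS5": 40, "EF": 46}
PROTO_UDP, PROTO_ESP = 17, 50
HDR = 20  # IPv4 header length without options


def checksum(hdr):
    """RFC 1071 one's-complement sum; returns 0 when run over a header with a valid checksum."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src, dst, proto, dscp, payload_len):
    """Minimal IPv4 header: version/IHL, ToS (DSCP<<2, ECN 0), length, id, DF, TTL, proto, csum, addresses."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, HDR + payload_len, 0, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def dscp_of(pkt):
    """DSCP is the top six bits of the ToS byte of the first header in the buffer."""
    return pkt[1] >> 2


def set_dscp(pkt, dscp):
    """Rewrite DSCP of the first (outer) header and recompute its checksum; the rest is untouched."""
    hdr = bytes([pkt[0], dscp << 2]) + pkt[2:10] + b"\x00\x00" + pkt[12:HDR]
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + pkt[HDR:]


def encapsulate(inner, tunnel_src, tunnel_dst):
    """Tunnel-mode encapsulation: the outer header takes the inner DSCP (IOS default behaviour)."""
    outer = build_ipv4(tunnel_src, tunnel_dst, PROTO_ESP, dscp_of(inner), len(inner))
    return outer + inner


def egress_remark(pkt, policy):
    """Egress service-policy: match on the (copied) outer DSCP and rewrite it per the policy map."""
    new = policy.get(dscp_of(pkt))
    return set_dscp(pkt, new) if new is not None else pkt


def decapsulate(pkt):
    """Strip the outer header; the inner header is returned exactly as it entered the tunnel."""
    return pkt[HDR:]


def tunnel_transit(inner_dscp, remark_policy):
    """Walk one packet through the four steps of the figure and report what each hop sees."""
    inner = build_ipv4("10.1.1.10", "10.2.2.20", PROTO_UDP, inner_dscp, 0)   # example addresses
    encapped = encapsulate(inner, "198.51.100.1", "203.0.113.1")             # example tunnel endpoints
    on_wire = egress_remark(encapped, remark_policy)
    revealed = decapsulate(on_wire)
    return {
        "outer_after_copy": dscp_of(encapped),
        "outer_on_wire": dscp_of(on_wire),        # what the carrier's QoS can see and act on
        "inner_after_decap": dscp_of(revealed),
        "inner_checksum_ok": checksum(revealed[:HDR]) == 0,
        "wire_checksum_ok": checksum(on_wire[:HDR]) == 0,
    }


if __name__ == "__main__":
    print(tunnel_transit(DSCP["CS5"], {DSCP["CS5"]: DSCP["AF41"]}))
```

Two consequences worth keeping in mind: the carrier can only act on the outer marking, so the egress remark is what buys service-provider QoS for encrypted traffic, and that same outer byte discloses the traffic class of every flow to the transport network even though the payload is encrypted.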

Performance Routing (PfR): Application-aware adaptive routing (Control)

• Full utilization of expensive WAN bandwidth: efficient distribution of traffic based upon load, circuit cost and path preference
• Improved application performance: per-application best path based on delay, loss and jitter measurements
• Increased application availability: protection from carrier blackouts and brownouts

(Figure: headquarters ASR1K pairs act as PfR Master Controllers (MC) and Border Routers (BR) across SP A MPLS (GETVPN), SP B MPLS (GETVPN) and the Internet (DMVPN); a WAE cluster sits at HQ; the branch ISR G2 is PfR MC/BR. Email VMs are reached over the Email Path while video takes the Video Path.)

PfR Use Case Examples: Protecting critical applications while maximizing bandwidth utilization (Control)

Cloud Service & Load Balancing Policy (Internet WAN: ISP-1 primary, ISP-2 secondary)
• Protect business cloud applications from Internet brownout: loss < 10%
• Cloud service preferred path: ISP-1
• Maximize all ISP bandwidth by load sharing all other Internet (best effort) traffic
• Figure callout: "Detect loss > 10%" on the cloud service path

Multimedia & Critical Data Policy (SP-A MPLS VPN, SP-B MPLS VPN)
• Protect voice and video quality: latency < 200 ms; jitter < 30 ms
• Protect VDI applications from brownouts: loss < 5%
• Voice & video preferred path: SP-A
• VDI preferred path: SP-B
• Maximize utilization by load sharing best effort traffic
• Figure callout: "Detect high jitter" on the voice & video path
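The two policies above boil down to: keep a traffic class on its preferred exit while that exit meets the class's loss/latency/jitter thresholds, move it to an in-policy alternative when it does not, and spread best-effort traffic across whatever capacity is free. The Python below is an added example of that logic, not PfR itself and not Cisco code; the path measurements are constructed so that ISP-1 is in brownout and SP-A shows high jitter, the two failures the figure calls out.

```python
"""Policy-driven path selection in the spirit of PfR: thresholds per class, preferred exit,
f fall back to the least-loaded in-policy exit, load-share best effort by free capacity.

Added example; not PfR's own algorithm. Path measurements are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PathStats:
    name: str
    loss_pct: float
    latency_ms: float
    jitter_ms: float
    utilization_pct: float


@dataclass(frozen=True)
class ClassPolicy:
    name: str
    preferred: str
    max_loss_pct: float = 100.0
    max_latency_ms: float = float("inf")
    max_jitter_ms: float = float("inf")


# Policies from the slide's two use cases.
CLOUD_SERVICE = ClassPolicy("cloud-service", preferred="ISP-1", max_loss_pct=10.0)
VOICE_VIDEO = ClassPolicy("voice-video", preferred="SP-A", max_latency_ms=200.0, max_jitter_ms=30.0)
VDI = ClassPolicy("vdi", preferred="SP-B", max_loss_pct=5.0)

# Constructed measurements: ISP-1 in brownout, SP-A with high jitter.
INTERNET = [PathStats("ISP-1", 12.0, 60.0, 5.0, 70.0), PathStats("ISP-2", 0.5, 80.0, 8.0, 40.0)]
MPLS = [PathStats("SP-A", 0.1, 90.0, 45.0, 55.0), PathStats("SP-B", 0.2, 110.0, 10.0, 65.0)]


def in_policy(cls, path):
    """A path is in policy when every configured threshold for the class holds."""
    return (path.loss_pct < cls.max_loss_pct
            and path.latency_ms < cls.max_latency_ms
            and path.jitter_ms < cls.max_jitter_ms)


def select_path(cls, paths):
    """Return (exit name, reason). Stay on the preferred exit while it is in policy; otherwise
    take the least-utilized in-policy alternative; if none qualifies, stay put (uncontrolled)."""
    by_name = {p.name: p for p in paths}
    pref = by_name[cls.preferred]
    if in_policy(cls, pref):
        return pref.name, "in-policy"
    alternatives = [p for p in paths if p.name != cls.preferred and in_policy(cls, p)]
    if alternatives:
        return min(alternatives, key=lambda p: p.utilization_pct).name, "out-of-policy, moved"
    return pref.name, "out-of-policy, no in-policy alternative"


def load_share(paths):
    """Best-effort split: weight each exit by its free capacity; equal split if all are saturated."""
    free = {p.name: max(0.0, 100.0 - p.utilization_pct) for p in paths}
    total = sum(free.values())
    return {n: (f / total if total else 1.0 / len(free)) for n, f in free.items()}


if __name__ == "__main__":
    for cls, paths in ((CLOUD_SERVICE, INTERNET), (VOICE_VIDEO, MPLS), (VDI, MPLS)):
        print(cls.name, select_path(cls, paths))
    print("best effort over Internet:", load_share(INTERNET))
```

The "no in-policy alternative" branch matters in practice: when every exit is out of policy the right behaviour is to stay put rather than flap between equally bad paths, which is also why a dedicated, redundant Master Controller is listed for the high-end aggregation profile.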

Cisco Prime Infrastructure – Assurance (Management Tool)

• Configuration of AVC features*
• Network monitoring
• Service monitoring
• Reporting and trends
• Multi-NAM Manager
• Packet and flow analysis
• Application Response Time
• Voice and video metrics
• Distributed SNMP and NetFlow collection

WAAS and UCS E Series

Cisco WAAS – Enhancing user experience and WAN efficiency

Problem
• Poor application responsiveness
• WAN bandwidth costs

Solution
• Reduce load: Data Redundancy Elimination, compression, TCP optimization
• Application optimization: fewer protocol messages, metadata caching, ...

(Chart: application bandwidth in Mbps and application latency in seconds, natively versus with WAAS, showing bandwidth saved and reduced latency.)

Challenges of Desktop Virtualization over WAN

WAN's effects on user experience (figure: branch office with a branch router over a T1 to the data center; campus users and the video source hairpin through the HVD):
• End users see pixelization over the WAN, but experience no pixelization on the LAN
• Increasing bandwidth is expensive and might not help
• Video processed on the HVD overloads server compute and bandwidth
• The display protocol is opaque to the network

WAAS 5.0 optimization with Citrix ICA AO (Display Protocol)

• WAAS will optimize encrypted and compressed ICA desktop session traffic (no changes required on ICA client, HVD or DC infrastructure) for all versions of XenDesktop and XenApp
• Includes the WAAS 4.4 application-aware DRE feature for unidirectional caching of desktop session traffic, which improves scalability and application performance

(Figure: ICA client, branch router with WAAS, WAN, aggregation router with WAAS, Citrix HVD in the data center; display protocol acceleration between the two WAAS devices.)

Note: Multi-Session ICA (MSI) in XenDesktop 5.5 is first supported in WAAS 5.1. If MSI is used with a prior release, only one initial session (port 1498) will be optimized automatically; other flows will be treated as regular TCP flows.

Cisco WAAS: WAN Optimization Solution

(Figure: deployment options.)
• SOHO and mobile users: WAAS Mobile software, terminating on a WAAS Mobile server over VPN
• Branch office: WAAS service module in the router, IOS WAAS Express, or a WAAS WAE appliance
• Regional office: WAAS WAE appliance
• Data center or private cloud: WAAS WAE appliances, or vWAAS on VMware ESXi with server VMs, Nexus 1000V vPath and VSM on UCS/x86 servers with FC SAN
• Virtual private cloud: vWAAS with the CSR 1000V over VPN

Lean Branch Office Applications: Edge Applications That Defy Centralization

Core Windows Services: DNS and DHCP servers; Microsoft Active Directory; Windows Print Services; Windows File Services; others ...

Mission Critical Business Applications: Point of Sale server; Bank Teller Control Point; Electronic Medical Records; Inventory Management; others ...

Client Management Services: Software Update Service; Client Monitoring Service; Backup and Recovery; Terminal Server Gateway; others ...

UCS E Series: Extend Cloud Services into Branch Infrastructure

Supported on ISR G2 2911 and above (figure: IOS and the MGF backplane switch connecting SRE blades, each running the SRE-V hypervisor with several OS/App VMs, managed through CIMC-E).

Platform for WAN edge applications
• Microsoft Windows Server-certified

Server virtualization
• Cisco SRE Virtualization powered by VMware vSphere Hypervisor (ESXi)

Dedicated blade management
• Cisco Integrated Management Controller
• Consistent management for the UCS family

Multipurpose x86 blades
• Cisco Service-Ready Engine modules
• House up to four server blades in an ISR G2

Single-device network integration
• House all devices in the ISR G2 chassis
• Multigigabit fabric backplane switch

MediaNet & Video Services

Medianet Introduction

"I want a network infrastructure so that I should not worry when tomorrow I'll be asked to implement video applications."
Massimo Fogaroli – IT Manager, Mediolanum Bank

• Network aware: automatically respond to changes in devices and service availability
• Endpoint aware: automatic detection and configuration
• Media aware: detection and optimization of different media and applications

Visibility and diagnostics: network assessment, Mediatrace, performance monitoring, IP SLA VO, flow metadata

Medianet Media Monitoring: Media Assessment, Monitoring, and Troubleshooting

Pre-deployment assessment / network validation: IP SLA VO
• Use ISR G2 DSPs to generate synthetic video, i.e. TelePresence, from an IP SLA initiator to an IP SLA responder across the MPLS and Internet/DMVPN paths (ASR1K head-end, ISR G2 branch)

What path and where is the problem? Mediatrace and Performance Monitor
• Network-initiated Mediatrace collecting path and performance metrics of the media stream (callouts: "I am detecting a video quality issue", "Lost packets seen", "Initiate mediatrace")
• Cisco Prime Collaboration Manager displays Mediatrace results

Media Monitoring: Performance Monitor (Performance Collection & Exporting)

• Monitor video traffic traversing different network types (figure: head-end to branch over MPLS and Internet, reported in LiveAction)
• Generate alerts based on user-configurable thresholds
• Enable on the voice/video VLAN, applied in the in/out direction
• Provides metrics including jitter, packet loss, latency, bitrate, etc.
• MediaNet PerfMon is also the Media Monitor (MMon) in AVC

Media Troubleshooting: Mediatrace (Diagnostics)

• Use Mediatrace to further troubleshoot media issues
• Initiate Mediatrace to discover path, system resource, or quality metrics on devices in the media path (figure: Mediatrace initiated for traffic from the branch phone to the head-end phone across the VPN over MPLS and Internet)
• Mediatrace responders collect the requested metrics and return them to the initiator
• Works with Cisco Collaboration Manager

Need for End to End Classification (Visibility)

What each element in the path knows about the same voice call between Marylou and John:
• The network sees: this flow has DSCP = EF; this flow contains RTP; this packet has DSCP = EF; this packet comes from Fast1/0; this packet comes from location "Desk1"; this packet comes from user "Marylou"
• The endpoint knows: voice communication between Marylou and John; voice communication started with application "X"; packets have DSCP = EF. "I know lots of information from the application that I'm not going to send to the wire."

• How to enforce a consistent network policy when classification is different along the path?
  ‒ E.g. rule: prioritize voice communication from Marylou to John?
• The endpoint can provide information not available or visible to the network

MediaNet Metadata for classification: Metadata Flow Principles (Visibility)

1. The application creates metadata
2. Metadata announcement: each router along the path stores it in its metadata DB
3. Media flow

Flow Identifier                                   Metadata
IP Src    IP Dst    Prot  L4 Src  L4 Dst          Application               Vendor  Dial From  Dial To   Caller ID
10.1.1.2  20.1.1.2  UDP   2000    4000            Video-Conference (Audio)  Cisco   83922564   85268229  Albert Albatross

Uses: QoS based on metadata; export of data to the NMS.

Video Conferencing Services

Centralized: video is mixed by a centralized MCU controlled by CUCM at HQ/campus. Multiple video streams traverse the WAN to the central MCU resource: non-optimal use of limited WAN bandwidth.

Distributed: video is mixed by the ISR G2 DSPs at the branch, controlled by CUCM or UCME.
• Keeps traffic local in the branch if all participants are located in the branch
• Ad-hoc and MeetMe conferences
(Figure: signaling still flows to HQ/campus; media stays in the branch.)

Video Delivery Optimization: WAAS + Enterprise Content Delivery System (ECDS)

• Multiple "publish and subscribe" channels for simplified management (e.g. Signage channel, HR VOD channel, Corporate Communications channel)
• Broad live broadcast protocol support: WMF, Silverlight, Flash
• Video pre-positioning
(Figure: CDN infrastructure in the data center, ECDS with context-aware DRE in each branch office.)

WAN TrustSec Security Services

NG WAN Pervasive Security: Secure Reliable Access to Any Services

Provides data privacy across the WAN
• GETVPN any-to-any encryption over MPLS
• DMVPN & FlexVPN over 3G/4G or Internet provide dynamic spoke-to-spoke tunnels

Highly scalable WAN aggregation with encryption
• 4000 DMVPN tunnels and 4000 GETVPN Group Members
• Up to 28 Gbps of encryption throughput per ASR1K

Interoperation with QoS and PfR ensures service performance

TrustSec simplified access control: SGT, SXP, and SG Firewall

(Figure: headquarters ASR1K pairs on SP A MPLS (GETVPN), SP B MPLS (GETVPN) and Internet (DMVPN hub), with a WAE cluster; a standard branch ISR G2 protected by GETVPN; a data center protected by DMVPN; a GETVPN COOP KS; the private cloud behind an SG FW, with SGT carried and learned over SXP.)

Dynamic Multipoint VPN (DMVPN): Secure On-Demand Meshed Tunnels

• Full meshed connectivity with simple configuration
• Zero-touch configuration for addition of new spokes
• Automatic site-to-site IPsec tunnels
• Transport & carrier agnostic: overlay transport, easy multi-homing, single control plane, simple carrier transition
• Large scale
  – Up to 4000 spokes per ASR1K hub with EIGRP or BGP
  – Hierarchical hub designs, to scale beyond single hub limits

(Figure: traditional static tunnels require static, known IP addresses; DMVPN tunnels work with dynamic, unknown spoke addresses, hub to spoke 1, spoke 2 ... spoke n.)

Introducing FlexVPN: A single overlay VPN solution (New)

(Figure: one corporate LAN with departments RED and GREEN served by a single FlexVPN hub covering shortcut switching (DMVPN), isolated branches (Easy VPN) and remote access (AnyConnect).)

Group Encrypted Transport VPN (GETVPN): Before and After GET VPN

Before: IPsec P2P tunnels (public/private WAN)
• Scalability: an issue (N^2 problem)
• Overlay routing
• Any-to-any connectivity may require tunnel setup
• Inefficient multicast replication

After: tunnel-less VPN over private IP WANs (any WAN transport, multicast)
• Scalable architecture for any-to-any connectivity and encryption
• No overlays: native routing
• Any-to-any instant connectivity
• Efficient multicast replication

Cisco Router Security Certifications

http://www.cisco.com/go/securitycert

(Table: for each platform, FIPS 140-2 Level 2, Common Criteria EAL4, Next-Gen Encryption* software support and Next-Gen Encryption* hardware assist.)
• Cisco ISR 890 Series
• Cisco ISR 1900 Series **
• Cisco ISR 2900 Series **
• Cisco ISR 3900 Series, Cisco ISR 3900E Series
• Cisco ASR 1000 Series (N/A **)

* NSA Suite B, RFC 4869 cryptographic algorithms for both unclassified and most classified information
** 1900s and lower 2900 Series require ISMs. Only ASR 1002-X and ESP-100 based ASR 1000s

TrustSec SGT over DMVPN and GETVPN

(Figure: branch network with HR, Finance, Sales and Admin users behind Catalyst switches and an AP, tagged with SGTs; ISR G2 WAN routers over MPLS (GETVPN) and Internet (DMVPN) to an ASR1k; campus Catalyst 6500; data center Nexus 7000 and Nexus 5000/2000; ISE with SGT, profiler, posture and guest server.)

Enforcement points: WAN, ISR G2/ASR1k SG Firewall; campus aggregation, Cat6K/Sup2 SGACL; data center, Nexus 7000 SGT/SGACL (SGFW, SGACL; egress enforcement).

• DMVPN inline tagging: ISR G2 (IOS 15.2(2)T)
• SGT over GETVPN support on ISR G2 (IOS PI21*) and ASR1k (XE 3.9*)
• SG Firewall for egress enforcement
• SGT capability exchange during DMVPN IKEv2 negotiations and GETVPN group membership registration
• Learn SGT from SXP or authentication methods
• Simple one-command configuration: DMVPN "crypto ikev2 cts sgt"; GETVPN "tag cts sgt"

* ISR G2 IOS (PI21) and ASR1k IOS (XE 3.9) will be available in Spring 2013.

Security Group FW Architecture

Diagram: a PC in the branch, classified with an SGT, sends traffic through the ISR G2 (SGFW enforcement) across the enterprise WAN to the ASR1k (SGFW enforcement) and on into the data center, where enforcement happens on the switch with SGACLs. The routers learn bindings either inline (SGT in the frame) or via SXP; ISE holds the SGACL policies.

IP address to SGT binding (example from the slide):
IP Address   SGT
10.1.10.1    10

• Consistent classification and enforcement between ISR/ASR SGFW and switching
• In general, SGACL and SGFW policy should be synchronized via the policy administration UI
• SGT allows more dynamic classification in the branch and at WAN aggregation
• Rich logging requirements are fulfilled on the SGFW (URL logging, etc.)
• Active/active support in ZBFW allows for asymmetric routing*
• SGFW in ISR G2 IOS 15.2(2)T and ASR1k IOS XE 3.5

* Active/active assumes a shared L3 subnet on the router interfaces for redundancy groups
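Enforcement on the SGFW is ordinary zone-based firewall configuration with security-group objects as match criteria. The configuration below is an added example written for this page, not from the session: it takes the slide's binding (10.1.10.1 is SGT 10) as a static map in place of an SXP peer, permits only that group to reach an assumed server group (SGT 20) through the WAN zone, and drops and logs everything else. The zone names, interfaces, object names and the server tag are assumptions.

```ios
! === ISR G2 branch SGFW: enforce by SGT at the WAN zone edge (added example) ===
! Binding from the slide's table, entered statically instead of learned over SXP.
cts role-based sgt-map 10.1.10.1 sgt 10

! Security-group objects are the SGFW match criteria. SGT 20 for the servers is assumed.
object-group security SG-FINANCE-USERS
 security-group tag-id 10
object-group security SG-FINANCE-SERVERS
 security-group tag-id 20

! match-all: source group, destination group and protocol must all match.
! Untagged traffic (no binding for the source) never matches this class.
class-map type inspect match-all CM-FIN-TO-FINSRV
 match group-object security source SG-FINANCE-USERS
 match group-object security destination SG-FINANCE-SERVERS
 match protocol tcp

policy-map type inspect PM-BRANCH-TO-WAN
 class type inspect CM-FIN-TO-FINSRV
  inspect
 class class-default
  ! Default deny, with a log entry per dropped flow for the logging requirement above
  drop log

zone security BRANCH
zone security WAN
interface GigabitEthernet0/1
 description Branch LAN; SGT comes from the static map or SXP
 ip address 10.1.10.254 255.255.255.0
 zone-member security BRANCH
interface Tunnel0
 description DMVPN to the hub; SGT carried inline (crypto ikev2 cts sgt)
 zone-member security WAN
zone-pair security BRANCH-TO-WAN source BRANCH destination WAN
 service-policy type inspect PM-BRANCH-TO-WAN
```

Two things to verify before trusting the policy: `show cts role-based sgt-map all` must list the source host with the expected tag, otherwise its flows fall into class-default and are dropped; and the return direction needs no separate zone-pair because `inspect` creates the session state, but any traffic the WAN initiates toward the branch needs its own WAN-to-BRANCH zone-pair or it is dropped by the zone default.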

IPv6: Preserve, Prepare, Prosper

IPv6

Three tracks: IPv6 feature enablement, IPv6 transitioning, IPv6 routing

Why?
• IPv6 parity with IPv4 in most cases
• IPv4 address exhaustion: 3 Feb '11 was the last day of IPv4 address allocations
• Government mandate
• IPv6 device and content growth
• Mergers and acquisitions
• Gain familiarity with IPv6
• Routers designed with more memory and better performance for IPv6

Anyone, Anything, Anywhere, Anytime
ISR G2 and ASR 1000 designed for IPv6, with the broadest coverage in the industry

All transition mechanisms supported:
• Dual stack
• Tunneling
• Translation

Transitioning Network to IPv6: Preserve, Prepare, Prosper

Cisco NG Enterprise WAN solutions, branch and campus: dual-stack IPv4 and IPv6

• IPv4 WAN – Tunnel: IPv6-over-IPv4 tunnels, IPv6 over DMVPNv4
• IPv6 Internet – Translate: NAT64 allows IPv6 devices to access IPv4 applications

Diagram: dual-stack branch office (ISR G2) -> tunnel over the IPv4 WAN -> dual-stack WAN aggregation (ASR1K) -> campus/data center; IPv6 devices -> Internet edge (ASR1K) translating with NAT64 -> IPv4 services.
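Two of the three mechanisms named on this slide, tunnelling (IPv6 over an IPv4 DMVPN) and translation (stateful NAT64 at the Internet edge), are shown together in the configuration below. It is an added example written for this page, not session material: the DMVPN tunnel carries both address families over an IPv4 NBMA transport, and the Internet-edge ASR1K translates IPv6-only clients to a small IPv4 pool. Prefixes, interface names, the IPsec profile DMVPN-IPSEC (assumed to exist already), the access-list and the address pool are all assumptions; the static default routes on the spoke stand in for the routing protocol a real deployment would run over the tunnel.

```ios
! === ASR1K WAN aggregation (DMVPN hub): dual-stack overlay on an IPv4 transport ===
! Added example; the IPsec profile DMVPN-IPSEC is assumed to exist already.
ipv6 unicast-routing

interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ipv6 address 2001:db8:ffff::1/64
 ! IPv4 NHRP as before, plus a second NHRP instance for IPv6 over the same tunnel
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 ip nhrp redirect
 ipv6 nhrp network-id 1
 ipv6 nhrp map multicast dynamic
 ipv6 nhrp redirect
 ! GRE+IPsec overhead: clamp both families so hosts do not depend on PMTUD
 ip mtu 1400
 ipv6 mtu 1400
 ip tcp adjust-mss 1360
 ipv6 tcp adjust-mss 1340
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-IPSEC

! === ISR G2 branch (DMVPN spoke): the hub's NBMA address is still IPv4 ===
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ipv6 address 2001:db8:ffff::2/64
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp shortcut
 ipv6 nhrp network-id 1
 ipv6 nhrp nhs 2001:db8:ffff::1
 ipv6 nhrp map 2001:db8:ffff::1/128 203.0.113.1
 ipv6 nhrp map multicast 203.0.113.1
 ipv6 nhrp shortcut
 ip mtu 1400
 ipv6 mtu 1400
 ip tcp adjust-mss 1360
 ipv6 tcp adjust-mss 1340
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-IPSEC
! Static defaults toward the hub for brevity; run EIGRP or BGP over the tunnel in practice
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ipv6 route ::/0 2001:db8:ffff::1

! === ASR1K Internet edge: stateful NAT64 so IPv6-only devices reach IPv4 services ===
interface GigabitEthernet0/0/1
 description IPv6-only client side
 ipv6 address 2001:db8:10::1/64
 nat64 enable
interface GigabitEthernet0/0/2
 description IPv4 Internet side
 ip address 198.51.100.1 255.255.255.0
 nat64 enable
ipv6 access-list NAT64-CLIENTS
 permit ipv6 2001:db8:10::/64 any
! Well-known prefix (RFC 6052): clients address IPv4 hosts as 64:ff9b::<IPv4>,
! e.g. 192.0.2.80 becomes 64:ff9b::c000:250
nat64 prefix stateful 64:ff9b::/96
nat64 v4 pool NAT64-POOL 198.51.100.10 198.51.100.20
nat64 v6v4 list NAT64-CLIENTS pool NAT64-POOL overload
```

Two caveats a deployment runs into immediately. First, NAT64 only works for traffic that is sent to the 64:ff9b::/96 prefix, so IPv6-only clients need a DNS64 resolver that synthesizes AAAA records from A records; the router translates packets, it does not synthesize DNS answers. Second, the translator is stateful, so both interfaces of the ASR1K must be in the path in both directions, and the pool of eleven IPv4 addresses with `overload` is shared by every client, which is the usual PAT trade-off between address consumption and per-session logging.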

Hybrid Cloud Services: Virtual Private Clouds, Virtual Networking Services, Cloud Services Router

Hybrid Cloud Definition: Virtual Private Clouds (VPC)

Diagram: Private Cloud (ASR 1000, AVC, ASA, WAAS, AppNav) <-> Cloud Intelligent Network (Security, Application Visibility & Control (AVC), Cloud Connectors, Medianet) <-> Public Cloud (HCS, Services) and Virtual Private Cloud (ASA 1000V, Nexus 1000V, vWAAS, VSG, VXLAN, CSR 1000V, vPath).

Hybrid clouds exist on the premises and are maintained by a cloud provider. Resources are allocated to individual companies or organizations, providing them the look and feel of a private cloud within a shared cloud environment.

Source: NIST

Hybrid – Virtual Private Cloud: Virtual Networking Services (Cloud Network Services, Multi-Hypervisor)

CSR 1000V
• WAN gateway
• IOS networking

vWAAS
• WAN optimization
• Application traffic

ASA 1000V
• Edge firewall
• Protocol inspection

VSG
• Zone-based firewall
• VM-level control

Nexus 1000V
• Distributed switch
• NX-OS consistency

Diagram: in the cloud provider's data center, the physical infrastructure (multi-hypervisor servers) hosts a virtual infrastructure in which Tenant A is fronted by an ASA 1000V and a CSR 1000V, with Department A and Department B each behind its own VSG, all attached to a Nexus 1000V that steers traffic through vPath to vWAAS (AppNav) and the security services.

Cisco CSR 1000V: Cisco IOS Software in a Virtual Form Factor

• Virtual Route Processor (RP)
• Virtual Forwarding Processor (FP)
• Optimized for single-tenant use cases
• Hypervisor agnostic
• Virtual switch agnostic
• Server agnostic

Diagram: the CSR 1000V runs as a VM on the server's hypervisor next to the tenant's application VMs (OS + App), attached to the virtual switch of the VPC/vDC.

Public Cloud Services: Cloud Connectors

Public Cloud Definition

Diagram: the same Private Cloud / Cloud Intelligent Network / Public Cloud and Virtual Private Cloud picture as on the hybrid cloud slide, with the Public Cloud (HCS, Services) highlighted.

Operated wholly by cloud providers, public clouds offer services to companies, organizations and individuals using a fully virtualized environment hosted in the cloud. Services are delivered in a shared environment even though they might be provisioned or customized for the needs of the individual organization.

Source: NIST

What is Cloud Connector?

Connects a corporate network to a cloud service
• Application or service specific, to ensure transparent access

Improves delivery of public cloud services
• Provisioning, performance, security, reliability, management

Cloud Connector solutions include
• ScanSafe, WebEx Media, Hosted Collaboration Service, Storage/Backup, …

Diagram: headquarters campus (ASR1K pair) and branch (ASR1K pair) joined over MPLS with GETVPN; the Cloud Connector reaches the public cloud (e-mail VMs) over the Internet.

Example – ScanSafe Cloud Connector

ScanSafe provides secure access to public cloud services
• Single policy portal, ease of deployment and management
• Direct Internet access reduces WAN cost and improves application performance

Diagram: the same headquarters campus and branch (ASR1K) over MPLS/GETVPN; the ScanSafe Cloud Connector sends branch web traffic directly to the Internet through the ScanSafe cloud (web security, web filtering, centralized reporting, consistent policy control) on its way to public cloud applications.

Example – WebEx Media Connector

WebEx Media Connector peers directly with the enterprise WAN
• CUCM + CUBE deployed at the enterprise and in the WebEx cloud
• Firewalls + CUBE secure the borders with WebEx
• Improves voice and video conferencing quality
• Reduces 800 toll charges

Diagram: headquarters campus and branch (ASR1K) over MPLS/GETVPN; the WebEx Cloud Connector peers over the Internet with the Cisco WebEx Collaboration Cloud.

Example – Cloud Storage Connector (Third-Party Connector)

Cisco ISR G2 and UCS® E-Series with Cloud Storage Gateway
• Branch office agent-less solution: cloud storage is cached on the UCS E; branch files are backed up to the cloud
• Backup agent for roaming laptops
• End-user virtual portal: users access their own cloud backups and folders, restore and share files
• MSP admin portal: manage end-user accounts, service provisioning and billing

Diagram: the branch ISR G2 with UCS E-Series and the roaming laptop agent connect to the MSP network, which hosts the end-user and admin portals.

Platform Overview

Prime Infrastructure – Functional Overview

• A single integrated solution for comprehensive lifecycle management of wired/wireless access, campus, and branch networks
• Automates compliance with regulatory requirements and with Cisco and IT best practices
• Utilizes rich performance data for end-to-end network visibility to assure application delivery and an optimal end-user experience

ISR G2 Portfolio: Recommended Positioning with Services

Chart: WAN access speed with services against branch tier (mobile branch, standard branch, high-end branch). Platforms placed from the 800 series at the low end to the 3945E at the top: 800, 1921, 1941, 2901, 2911, 2921, 2951, 3925, 3945, 3925E, 3945E. Speed tiers on the chart: 10 Mb, 15 Mb, 25 Mb, 35 Mb, 50 Mb, 75 Mb, 100 Mb, 150 Mb, 250 Mb, 350 Mb. Access types along the same axis: EFM / sub-rate FE, VDSL2+ / sub-rate FE, line-rate FE+, line-rate N x FE.

Cisco ASR 1000 Series Routers: Overview. Designed today for up to 360 Gbps in the future

Compact, powerful router
• ASR 1001: 2.5–5 Gbps
• ASR 1002: 2.5–10 Gbps
• ASR 1002-X: 5–36 Gbps
• ASR 1004: 10–40 Gbps
• ASR 1006: 10–100+ Gbps
• ASR 1013: 10–360 Gbps
• One IOS-XE feature set

Instant-on service delivery
• Integrated firewall, VPN, encryption, NBAR, CUBE
• Scalable on-chip service provisioning through software licensing
• Line-rate performance from 2.5G to 100G+ with services enabled
• Hardware-based QoS engine with up to 232K queues

Business-critical resiliency
• Fully separated control and forwarding planes
• Hardware and software redundancy
• In-service software upgrades
• Investment protection with modular engines, IOS CLI and SPAs for I/O

Wrap Up / Summary

Realizing the Borderless Enterprise: Borderless Experience

Anyone, any device, anytime, anywhere: securely, reliably, seamlessly

Cisco Cloud Intelligent Network connecting private, public and hybrid clouds, built on:
• Application Visibility & Control
• TrustSec
• Operational simplicity
• MediaNet
• Cloud Connect
• IPv6 transition

Next Generation Enterprise WAN: Wrap Up/Summary

Architectural approach to solving business requirements
– Modular: building blocks with layered services
– Infrastructure foundation for Cisco's Borderless Network

Cloud Intelligent Network solutions
– Private cloud services
– Hybrid/virtual private cloud services
– Public cloud services

ASR 1000 series: high-performance secure WAN aggregation router
ISR G2 series: integrated branch services for security, voice, video and cloud access
Virtualized network services: CSR 1000V, vWAAS, ASA 1000V, Nexus 1000V
Cisco Prime: unique ability to manage the entire solution

Additional Sessions of Interest


• BRKAPP-2030 Application Visibility and Control in Enterprise WAN

• BRKRST-2362 Deploying Performance Routing

• BRKNMS-3132 Advanced NetFlow

• BRKARC-2016 Integrating Services in the Branch Without Compromise

• PSORST-2002 The Router Is the Application Delivery Platform with Cisco ISR-AX

• BRKRST-2041 WAN Architectures and Design Principles

• BRKRST-2042 Highly Available Wide Area Network Design


Maximize your Cisco Live experience with your free Cisco Live 365 account. Download session PDFs, view sessions on-demand and participate in live activities throughout the year. Click the Enter Cisco Live 365 button in your Cisco Live portal to log in.

Complete Your Online Session Evaluation
• Give us your feedback and you could win fabulous prizes. Winners announced daily.
• Receive 20 Cisco Daily Challenge points for each session evaluation you complete.
• Complete your session evaluation online now through either the mobile app or internet kiosk stations.