next generation enterprise wan: branch &...
TRANSCRIPT
© 2013 Cisco and/or its affiliates. All rights reserved. BRKARC-2091 Cisco Public
Housekeeping
Please switch your mobile phones to STUN
We value your feedback—don't forget to complete your online session evaluations after each session and complete the Overall Conference Evaluation which will be available online from Thursday
Visit the World of Solutions
Please remember this is a non-smoking venue!
Please make use of the recycling bins provided
Please remember to wear your badge to the Party
“Everything is moving to the CLOUD!”
Server, application and desktop virtualization are transforming data centers into private clouds.
The Internet and Web have revolutionized how Application Service Providers deliver applications.
Hosting providers offer virtual infrastructures instead of physical space and equipment – Hybrid Clouds.
Mobile devices enable users to access applications from anywhere at any time – Work Your Way.
Design questions this raises:
• How do you design a network if you don't know where the applications reside?
• What if the applications move to a different DC, or to a Hybrid Cloud offering?
• How do you isolate user performance issues for Cloud applications?
• How will all of this impact security policies and procedures?
• Which Cloud: Private, Public or Hybrid?
Agenda
The Borderless Network
Next Generation Enterprise WAN
Private Cloud Services
Hybrid Cloud Services
Public Cloud Services
Platform Overview
Wrap Up / Summary
Enterprise Megatrends
• Cost control
• Mobility, BYOD
• Cloud: Private, Public, Hybrid
• Immersive collaboration, pervasive video
• IT effectiveness
• Security
Network Implications: Shifting Borders
• IT consumerization shifts the device border
• The mobile worker shifts the location border
• Video/Cloud (IaaS, SaaS) shifts the application border: external-facing applications alongside internal applications
Borderless Networks Architecture
Key IT initiatives: BYOD, desktop virtualization, pervasive video, remote expert, cloud computing, IT/OT convergence
Key system pillars addressing the initiatives:
• Network and end-point services: EnergyWise (energy management), TrustSec (policy enforcement), App Visibility and Control (app performance), Medianet (multimedia optimization)
• Technology innovation: wireless, routing, switching, application networking/optimization, security appliance and firewall
• Management: Cisco Prime
• Risk management & compliance
• Systems excellence: SecureX, Unified Access, Cloud Intelligent Networks, Connected Industries, Cloud Connectors, Cloud Optimization
Cloud Intelligent Networks Solutions
• Public Cloud: Cloud Connectors (ScanSafe, HCS, WebEx CCA, 3rd party); HCS Services
• Virtual Private Cloud: ASA 1000V, Nexus 1000V, vWAAS, VSG, VXLAN, CSR 1000V, vPath
• Private Cloud: ASR 1000, AVC, ASA, WAAS, AppNav
• Branch/WAN edge: Cisco ISR G2, ASR 1000, AVC, WAAS, UCS-E
• Management: Cisco Prime Infrastructure
• Cloud Connectors: AnyConnect VPN, ScanSafe, WebEx and HCS
Cloud Intelligent Network pillars: Security, App Visibility & Control (AVC), Cloud Connectors, Medianet
Next Generation Enterprise WAN High Level Topology
Themes across the design: Operations, IPv4/v6, TrustSec, MediaNet, Application Visibility & Control, Cloud
Figure: a WAN core joins regional WANs (East, West and South regions, each with its own regional interconnect) and a local campus interconnect that attaches the data center and a metro data center. Remote branches reach the regional WAN over service provider services (voice, video, etc.) or over the Internet WAN, used as primary or backup. Public, hybrid (cloud service provider) and private clouds attach at the core.
Goals: efficient use of resources; seamless any-to-any services; consistent security.
Regional WAN Architecture
Figure: branch profiles (Standard, High End and Mobile branches on ISR G2; Ultra High-End Branch/Campus on ASR1K) connect over serial/Ethernet, DS3/FE, 3G/4G, satellite or OC3/GE to SP A MPLS, SP B MPLS or the Internet. Redundant, scalable GETVPN headends front the MPLS clouds and redundant, scalable DMVPN headends front the Internet, each on ASR1K pairs, forming the Enterprise Interconnect toward the local campus interconnect and data center. Cisco Prime manages the whole.
• Standardized profiles
• Any WAN transport
• Pervasive, scalable end-to-end security
• Intelligent, per-application, adaptive routing
• Optimized performance
• Simplified management, monitoring and troubleshooting
Regional WAN Branch Profiles
Flexible deployment options for different service requirements; performance and availability increase from the mobile profile to the ultra high-end profile.
Mobile Branch (retail banking, kiosk, vehicles, cruises; ISR G2 over 3G/4G or satellite)
• 3G/4G or Satellite
• WAAS Express to boost application performance
• Branch mobility
• Deliver video over 4G*
Standard Branch (typical branch office; ISR G2 over MPLS with Internet backup)
• Most common deployment
• Migration from Serial to Ethernet
• SP MPLS VPN with Internet VPN backup
• Application performance
• 4-9s availability
• Deliver SD video
High-end Branch (financial branch, medium/large branch office; redundant ISR G2 over dual MPLS)
• Migration from DS3 to FastEthernet
• Dual SP MPLS
• Redundant router
• Application performance
• 5-9s availability
• Deliver HD video
Ultra High-end Branch/Campus (remote campus; redundant ASR1K over dual MPLS)
• Very high bandwidth – up to 1Gb
• Software and hardware redundancy
• Same profile as High-end Branch
• Services scaled up by dedicated appliance engines
Regional WAN Aggregation Profiles
Two WAN aggregation profiles for different availability and scalability requirements, serving the Mobile, Standard, High-end and Ultra High-end branch profiles.
Standard Aggregation (ISR G2/ASR1K over MPLS and Internet; GETVPN KS, GETVPN GM/PfR MC and DMVPN hub roles share devices)
• Scale to support 1500 sites
• 4-9s availability
• One device serves multiple roles
• Hardware/software redundancy
High-end Aggregation (ASR1K pairs over dual MPLS and Internet; dedicated GETVPN COOP KS, GETVPN GM, DMVPN hub and PfR MC)
• Scale to support 5000* sites
• 5-9s availability
• Dual SP MPLS and Internet
• Redundant Key Server
• Dedicated PfR MC
• Hardware/software redundancy
Private Cloud Services: Application Visibility & Control, WAAS & UCS E, MediaNet, TrustSec Security, IPv6
Private Cloud Definition
Used only by a single company or organization, the Private Cloud looks a lot like the traditional Enterprise Data Centers we’re familiar with, although they tend to focus on virtualized services. They might be operated by a third party instead of the company using them. (Source: NIST)
Figure: Public Cloud (HCS Services); Virtual Private Cloud (ASA 1000V, Nexus 1000V, vWAAS, VSG, VXLAN, CSR 1000V, vPath); Private Cloud (ASR 1000, AVC, ASA, WAAS, AppNav); Cloud Intelligent Network pillars: Security, App Visibility & Control (AVC), Cloud Connectors, Medianet.
“Today's Network is an IT Blind Spot”
• Static port classification is no longer enough
• More and more apps are opaque
• Increasing use of encryption and obfuscation
• An application consists of multiple sessions (video, voice, data)
Next Generation Networks will be Application Aware
• Gain visibility into the applications running in the network, performance trends and user experience
• Intelligently prioritize and control application traffic to maximize user experience
What is the Application Visibility and Control (AVC) Solution?
• Application Recognition (ASR1K, ISR G2): identify applications using L3 to L7 information
• Performance Collection & Exporting (ASR1K, ISR G2): collect application performance metrics and export them to the management tool over NetFlow v9/IPFIX
• Management/Reporting Tool: an advanced reporting tool aggregates and reports application performance as an App Visibility & User Experience Report, e.g.
  App         BW    Transaction Time
  SAP         3M    150 ms
  Sharepoint  10M   500 ms
• Control (ASR1K, ISR G2): control application usage (High / Med / Low) to maximize application performance
AVC Solution – Enabling Technologies
• Application Recognition: NBAR2
• Performance Collection & Exporting: Metric Mediation Agent fed by FNF, ART and MMON; export over NetFlow v9/IPFIX
• Management/Reporting Tools: Cisco Prime Infrastructure, Cisco Insight, 3rd party tools
• Control: QoS, PfR
Next Generation NBAR (NBAR2) – Deep Packet Inspection (DPI) (Application Recognition)
NBAR2 combines IOS NBAR (+150 signatures) with SCE classification (+1000 signatures), advanced classification techniques and new innovations: native IPv6 classification, an open API and 3rd-party integration.
• Provides advanced application classification and field extraction capabilities
• In-service upgradable protocol definitions: no IOS upgrade or reboot for new Protocol Packs
• Backward compatible, preserving existing NBAR investments
• Available from IOS 15.2(2)T1 and IOS XE 3.4S
NBAR2 Protocol List: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html
Performance Collection & Exporting – What is it?
Integrated performance monitoring and advanced metrics for different types of applications and use cases:
• Basic monitoring (Flexible NetFlow and NBAR/NBAR2): what applications, how much bandwidth, which flow direction?
• Advanced monitoring – voice and video performance (Media Monitoring): about 30% of traffic is voice and video
• Advanced monitoring – critical application performance (Application Response Time, e.g. HTTP transactions): about 40% of traffic is critical applications
Gaining Full Visibility with Flexible NetFlow (Performance Collection & Exporting)
Traditional NetFlow records only L3 and L4 keys. Flexible NetFlow adds L2 fields, L7 application identity (NBAR), performance metrics (MMON, ART), network metrics (QoS) and other metrics in one record.
• Extensible to support new and future metrics
• Monitors data from layer 2 through layer 7
• Collect only what is needed – define your own record format and aggregation
NetFlow to FNF Migration Guide: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/ps6965/white_paper_c11-545581.html
Better Visibility with NBAR2 and FNF (Performance Collection & Exporting)
• Application information is exported in FNF records
• Reporting tools display top client & server
• show ip nbar protocol-discovery top-n

Router#show ip nbar protocol-discovery top-n 10
GigabitEthernet0/0/3
                         Input                      Output
                         -----                      ------
  Protocol               Packet Count               Packet Count
                         Byte Count                 Byte Count
                         30sec Bit Rate (bps)       30sec Bit Rate (bps)
                         30sec Max Bit Rate (bps)   30sec Max Bit Rate (bps)
  ---------------------- ------------------------   ------------------------
  webex-meeting          45807530                   163458047
                         2497543722                 129842885217
                         115000                     5998000
                         152000                     7799000
  bittorrent             59667396                   156155174
                         12768822744                103187176646
                         555000                     4715000
                         697000                     5077000
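As an added example (not part of the deck and not Cisco code), the parser below turns the protocol-discovery text above into records that a monitoring pipeline can act on, for instance flagging the file-sharing protocol that NBAR2 has just made visible. The sample text is the slide's own two-protocol excerpt; the blocklist of protocol names is an assumption for illustration.

```python
"""Parse 'show ip nbar protocol-discovery top-n' output into records.

Added example, not Cisco's code. Layout handled: interface name in column 0,
then per protocol a name row (Input/Output packet counts) followed by three
value rows (byte count, 30s bit rate, 30s max bit rate).
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the two-protocol excerpt shown on the slide.
SAMPLE = """\
Router#show ip nbar protocol-discovery top-n 10
GigabitEthernet0/0/3
                         Input                      Output
                         -----                      ------
  Protocol               Packet Count               Packet Count
                         Byte Count                 Byte Count
                         30sec Bit Rate (bps)       30sec Bit Rate (bps)
                         30sec Max Bit Rate (bps)   30sec Max Bit Rate (bps)
  ---------------------- ------------------------   ------------------------
  webex-meeting          45807530                   163458047
                         2497543722                 129842885217
                         115000                     5998000
                         152000                     7799000
  bittorrent             59667396                   156155174
                         12768822744                103187176646
                         555000                     4715000
                         697000                     5077000
"""

FIELDS = ("packets", "bytes", "bps_30s", "max_bps_30s")
PROTO_ROW = re.compile(r"^\s+([A-Za-z][\w.-]*)\s+(\d+)\s+(\d+)\s*$")
VALUE_ROW = re.compile(r"^\s+(\d+)\s+(\d+)\s*$")


@dataclass
class ProtocolStats:
    interface: str
    protocol: str
    inbound: dict = field(default_factory=dict)   # field name -> int
    outbound: dict = field(default_factory=dict)


def parse_protocol_discovery(text):
    """Return one ProtocolStats per protocol row, in display order."""
    results, interface, current, row = [], None, None, 0
    for line in text.splitlines():
        if not line.strip() or "#show" in line:
            continue                      # blank line or CLI prompt echo
        if not line[0].isspace():         # interface names start in column 0
            interface = line.strip()
            continue
        m = PROTO_ROW.match(line)
        if m:                             # name row carries the packet counts
            current = ProtocolStats(interface, m.group(1))
            current.inbound[FIELDS[0]] = int(m.group(2))
            current.outbound[FIELDS[0]] = int(m.group(3))
            results.append(current)
            row = 1
            continue
        m = VALUE_ROW.match(line)
        if m and current is not None and row < len(FIELDS):
            current.inbound[FIELDS[row]] = int(m.group(1))
            current.outbound[FIELDS[row]] = int(m.group(2))
            row += 1
        # header and separator rows match neither pattern and are skipped
    return results


def top_talkers(stats, metric="bytes", n=5):
    """Protocols ordered by inbound + outbound value of `metric`, largest first."""
    return sorted(stats, key=lambda s: s.inbound[metric] + s.outbound[metric],
                  reverse=True)[:n]


# Assumed policy list for illustration; names follow NBAR2 protocol naming.
UNSANCTIONED = frozenset({"bittorrent", "edonkey", "gnutella"})


def unsanctioned(stats, blocklist=UNSANCTIONED):
    """Blocklisted protocols that carried any traffic: input for a QoS/ZBFW policy."""
    return [s.protocol for s in stats
            if s.protocol in blocklist and s.inbound["bytes"] + s.outbound["bytes"] > 0]


if __name__ == "__main__":
    for s in top_talkers(parse_protocol_discovery(SAMPLE), "packets"):
        print(s.interface, s.protocol, s.inbound, s.outbound)
```

Note that the two protocols rank differently by packets and by bytes, which is why the parser keeps all four counters per direction rather than a single total.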
Active or Passive Monitoring for Performance Measurement (Performance Collection & Exporting)
Active monitoring (IP SLA sender on Router 1, IP SLA responder on Router 2: active probing)
• Generates synthetic traffic into the network
• Requires an IOS responder for the advanced monitoring types
Passive monitoring (FNF, MMON, ART)
• Inspects real traffic to measure performance metrics
• Performance metrics are available only when there is traffic
Application Response Time (ART) Measurement (Performance Collection & Exporting)
Key features
• 27 Application Response Time (ART) metrics
• Interacts with NBAR2 for application ID and field extraction information
• In ISR G2, provided by the Performance Agent (PA) (IOS 15.2(4)M2)
• In ASR1K, ART is part of unified monitoring (IOS XE 3.8S)
Benefits
• Visibility into application usage and performance
• Quantify user experience
• Troubleshoot application performance
• Track service levels for application delivery
Figure: branch users complain (“My query is taking a long time!”, “My email is slow!”); the branch router exports ART metrics across the WAN (NFv9/IPFIX) to the reporting tool in the data center, which answers “How do I ensure my SLA is met?”
ART Path Network Segment Breakdown (Performance Collection & Exporting)
• The branch ISR G2 measuring point separates the application delivery path into a client segment (toward the network clients) and a server segment (across the WAN toward the application servers)
• Client Network Delay (CND): round trip between the measuring point and the client
• Server Network Delay (SND): round trip between the measuring point and the server; approximates WAN delay
• Network Delay (ND) = CND + SND
• Application Delay (AD): time the server takes to start responding once the request has reached it
• Total Delay = ND + AD, reported per application from the observed request/response exchange
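The decomposition above, carried through in code as an added example (not Cisco's implementation): it takes the timestamps a passive probe at the branch would record for one TCP transaction and splits them into CND, SND, ND and AD following the segment model in the figure. Times, application names and the SLA value are constructed.

```python
"""Passive ART decomposition at a branch measuring point (added example).

Not Cisco's implementation: it applies the segment model on the slide (client
segment | probe | server segment) to timestamps a passive monitor records for
one TCP transaction. All times are milliseconds.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    app: str
    syn: float             # client SYN passes the probe
    syn_ack: float         # server SYN/ACK passes the probe
    ack: float             # client ACK passes the probe (handshake done)
    request_end: float     # last byte of the client request passes the probe
    response_start: float  # first byte of the server response passes the probe
    response_end: float    # last byte of the response passes the probe


@dataclass(frozen=True)
class ArtMetrics:
    cnd: float        # Client Network Delay: probe -> client -> probe
    snd: float        # Server Network Delay: probe -> server -> probe (~ WAN delay)
    nd: float         # Network Delay = CND + SND
    ad: float         # Application Delay: server think time
    total: float      # Total Delay = ND + AD
    data_time: float  # time to stream the response once it started


def art_metrics(t: Transaction) -> ArtMetrics:
    snd = t.syn_ack - t.syn            # SYN out, SYN/ACK back: server segment RTT
    cnd = t.ack - t.syn_ack            # SYN/ACK out, ACK back: client segment RTT
    # The request->response gap seen at the probe contains one server-segment
    # round trip; removing it isolates the server's own processing time.
    ad = max(0.0, (t.response_start - t.request_end) - snd)
    nd = cnd + snd
    return ArtMetrics(cnd, snd, nd, ad, nd + ad, t.response_end - t.response_start)


def bottleneck(m: ArtMetrics) -> str:
    """Point the ticket at the right team: application, WAN or client LAN."""
    if m.ad > m.nd:
        return "application"
    return "wan" if m.snd > m.cnd else "client-lan"


def sla_report(transactions, sla_total_ms):
    """Per-application averages plus a breach flag, as a reporting tool would show."""
    by_app = {}
    for t in transactions:
        by_app.setdefault(t.app, []).append(art_metrics(t))
    report = {}
    for app, ms in by_app.items():
        avg_total = sum(m.total for m in ms) / len(ms)
        avg_ad = sum(m.ad for m in ms) / len(ms)
        report[app] = {"transactions": len(ms), "avg_total_ms": avg_total,
                       "avg_ad_ms": avg_ad, "breach": avg_total > sla_total_ms}
    return report


# Constructed sample: two apps measured at the branch ISR; values are invented.
SAMPLE = [
    Transaction("sharepoint", 0.0, 45.0, 47.0, 60.0, 505.0, 520.0),
    Transaction("sharepoint", 1000.0, 1046.0, 1048.0, 1060.0, 1460.0, 1480.0),
    Transaction("sap", 0.0, 45.0, 46.0, 50.0, 100.0, 104.0),
]


if __name__ == "__main__":
    for t in SAMPLE:
        m = art_metrics(t)
        print(t.app, m, bottleneck(m))
    print(sla_report(SAMPLE, 300.0))
```

With the sample values the SharePoint transactions are slow because of the server (AD dominates), while the SAP transaction's small total is mostly WAN round trip; that distinction is what the client/server split buys you over a single end-to-end timer.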
Application-aware QoS with NBAR2 (Control)

class-map match-all business-critical
 match protocol citrix
 match access-group 101
class-map match-any browsing
 match protocol attribute category browsing
class-map match-any internal-browsing
 match protocol http url "*myserver.com*"
!
policy-map internal-browsing-policy
 class internal-browsing
  bandwidth remaining percent 60
!
policy-map my-network-policy
 class business-critical
  priority percent 50
 class browsing
  bandwidth remaining percent 30
  service-policy internal-browsing-policy
!
interface Serial0/0/0
 service-policy output my-network-policy

Resulting allocation: the priority class gets a committed 50% of the line; the other 50% is excess bandwidth shared by the remaining classes.
Application         Bandwidth                                  Priority
Business Critical   Committed 50% of the line                  High
Browsing            30% of excess (= 15% of the line)          Normal
Internal Browsing   60% of Browsing's share (= 9% of the line) Normal
Remaining           70% of excess (= 35% of the line)          Normal
GRE/IPsec Network QoS Design (Control)
Figure, in the direction of packet flow: the packet is initially marked by the application or LAN edge; by default IOS copies the ToS byte of the inner packet to the new IPsec/GRE header; the top-most (outer) ToS byte is rewritten on egress by the WAN-OUT policy below, so only the provider-facing header changes; at the far end the packet is decapsulated to reveal the original ToS byte. (The slide labels show the inner packet as AF41 and the tunnel header as CS5.)

policy-map WAN-OUT
 class VOICE
  priority percent 10
 class VIDEO-INTERACTIVE
  priority percent 23
  set ip dscp af41
 class NETWORK-MGMT
  bandwidth percent 5
  service-policy MARK-BGP
 class class-default
  bandwidth percent 25
  random-detect
!
policy-map Int-Gig-Agg-HE
 class class-default
  shape average 1000000000
  service-policy WAN-OUT

The set ip dscp action remarks the DSCP value on the encrypted/encapsulated header at the egress interface; the marking inside the tunnel is untouched. Note that IOS policy-map names are case sensitive, so the child policy must be referenced exactly as defined (WAN-OUT).
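Added example, not Cisco code: a byte-level model of the header handling in the figure. It builds an IPv4 packet marked AF41, wraps it in a tunnel header the way IOS does by default (inner ToS copied to the outer header), applies the egress remark to the outer header only, and shows that decapsulation recovers the original marking with its header checksum intact. ESP encryption itself is left out, and the addresses and payload are constructed.

```python
"""Inner vs. outer ToS handling for GRE/IPsec tunnels (added example).

Models only the IPv4 header bytes: an ESP/GRE body would normally be encrypted,
which is why the QoS policy at the egress interface can act only on the outer
header. Addresses and payload are constructed for the demo.
"""
import struct

# DSCP code points (decimal) from RFC 2474/2597/3246
DSCP = {"BE": 0, "AF41": 34, "CS5": 40, "EF": 46}
PROTO_UDP, PROTO_GRE, PROTO_ESP = 17, 47, 50


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, dscp, ecn=0, ttl=64):
    """Minimal 20-byte IPv4 header (no options) + payload; ToS = DSCP<<2 | ECN."""
    tos = (dscp << 2) | (ecn & 0x3)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0,
                      ttl, proto, 0, _ip(src), _ip(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def dscp_of(pkt):
    return pkt[1] >> 2


def ecn_of(pkt):
    return pkt[1] & 0x3


def checksum_ok(pkt):
    return ipv4_checksum(pkt[:20]) == 0


def set_dscp(pkt, dscp):
    """What 'set ip dscp' does on egress: rewrite the outermost DSCP, keep ECN,
    recompute the header checksum, leave the encapsulated payload untouched."""
    hdr = bytearray(pkt[:20])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x3)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def encapsulate(inner, tunnel_src, tunnel_dst, proto=PROTO_ESP):
    """Tunnel-mode wrap. IOS copies the inner ToS byte to the new outer header by
    default, so the tunnel packet inherits DSCP and ECN from the inner packet."""
    return build_ipv4(tunnel_src, tunnel_dst, proto, inner,
                      dscp_of(inner), ecn_of(inner))


def decapsulate(outer):
    """Strip the outer header; the inner ToS byte was never touched in transit."""
    ihl = (outer[0] & 0x0F) * 4
    return outer[ihl:]


def tunnel_roundtrip(inner_dscp, outer_remark_dscp):
    """Return (outer DSCP after encapsulation, after egress remark, inner DSCP after decap)."""
    inner = build_ipv4("10.1.1.10", "10.2.2.20", PROTO_UDP, b"video-sample", inner_dscp)
    outer = encapsulate(inner, "192.0.2.1", "198.51.100.1")
    on_wire = set_dscp(outer, outer_remark_dscp)     # egress service-policy action
    assert checksum_ok(on_wire) and decapsulate(on_wire) == inner
    return dscp_of(outer), dscp_of(on_wire), dscp_of(decapsulate(on_wire))


if __name__ == "__main__":
    print(tunnel_roundtrip(DSCP["AF41"], DSCP["CS5"]))   # (34, 40, 34)
```

The remark touches only the top six bits of the outer ToS byte; the ECN bits and everything behind the outer header (which on a real IPsec tunnel is ciphertext) are carried unchanged, which is the property the figure relies on.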
Performance Routing (PfR) – Application-aware adaptive routing (Control)
• Full utilization of expensive WAN bandwidth: efficient distribution of traffic based upon load, circuit cost and path preference
• Improved application performance: per-application best path based on delay, loss and jitter measurements
• Increased application availability: protection from carrier blackouts and brownouts
Figure: headquarters ASR1K pairs (PfR master controllers, WAE cluster) connect over SP A MPLS (GETVPN), SP B MPLS (GETVPN) and the Internet (DMVPN) to the branch, where an ISR G2 acts as PfR MC/BR and the ASR1Ks as PfR border routers. Email and video traffic to the email VMs follow different paths (email path, video path).
Master Controller (MC): holds the policy and makes path decisions; Border Router (BR): sits in the data path, measures and forwards.
PfR Use Case Examples – Protecting critical applications while maximizing bandwidth utilization (Control)
Cloud Service & Load Balancing Policy (Internet WAN: ISP-1 primary, ISP-2 secondary)
• Protect business Cloud applications from Internet brownout: loss < 10%
• Cloud Service preferred path: ISP-1; when loss > 10% is detected, Cloud Service traffic moves to ISP-2
• Maximize all ISP bandwidth by load sharing all other (best-effort) Internet traffic
Multimedia & Critical Data Policy (SP-A MPLS VPN, SP-B MPLS VPN)
• Protect voice and video quality: latency < 200 ms; jitter < 30 ms; preferred path SP-A; when high jitter is detected, voice & video move to SP-B
• Protect VDI applications from brownouts: loss < 5%; preferred path SP-B
• Maximize utilization by load sharing best-effort traffic
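The two policies above, encoded as data and evaluated as an added example (not Cisco's PfR implementation): the master-controller decision keeps an application on its preferred path while measurements stay within policy, moves it to the first in-policy alternative otherwise, and spreads best-effort flows by link utilization. The path measurements, capacities and flow sizes are constructed.

```python
"""PfR-style policy evaluation (added example, not Cisco's PfR code).

Encodes the two policies on the slide as data and shows the master-controller
decision for measured path statistics: stay on the preferred path while it is
in policy, otherwise move to the first in-policy alternative, and spread
best-effort flows across links by utilization. Numbers are constructed.
"""
from dataclasses import dataclass

INF = float("inf")


@dataclass(frozen=True)
class PathStats:
    name: str
    delay_ms: float
    jitter_ms: float
    loss_pct: float
    load_kbps: float
    capacity_kbps: float


@dataclass(frozen=True)
class AppPolicy:
    app: str
    preferred: str
    alternates: tuple = ()
    max_delay_ms: float = INF
    max_jitter_ms: float = INF
    max_loss_pct: float = INF


def in_policy(policy: AppPolicy, s: PathStats) -> bool:
    return (s.delay_ms <= policy.max_delay_ms and s.jitter_ms <= policy.max_jitter_ms
            and s.loss_pct <= policy.max_loss_pct)


def choose_path(policy, paths):
    """Return (path name, True) for an in-policy path, or (preferred, False)
    when every candidate is out of policy (keep routing, raise an alarm)."""
    by_name = {p.name: p for p in paths}
    for name in (policy.preferred,) + tuple(policy.alternates):
        if name in by_name and in_policy(policy, by_name[name]):
            return name, True
    return policy.preferred, False


def load_share(flows_kbps, paths):
    """Greedy placement of best-effort flows on the least utilized link."""
    load = {p.name: p.load_kbps for p in paths}
    cap = {p.name: p.capacity_kbps for p in paths}
    placement = {}
    for flow, kbps in flows_kbps.items():
        best = min(load, key=lambda n: (load[n] + kbps) / cap[n])
        placement[flow] = best
        load[best] += kbps
    return placement


# Policies as stated on the slide.
POLICIES = [
    AppPolicy("cloud-service", "ISP-1", ("ISP-2",), max_loss_pct=10),
    AppPolicy("voice-video", "SP-A", ("SP-B",), max_delay_ms=200, max_jitter_ms=30),
    AppPolicy("vdi", "SP-B", ("SP-A",), max_loss_pct=5),
]

# Constructed measurements: ISP-1 is in brownout, SP-A shows high jitter.
MEASURED = [
    PathStats("ISP-1", 40, 5, 12.0, 8000, 10000),
    PathStats("ISP-2", 60, 8, 0.5, 2000, 10000),
    PathStats("SP-A", 30, 45, 0.1, 3000, 20000),
    PathStats("SP-B", 35, 10, 0.2, 9000, 20000),
]


def decide_all(policies=POLICIES, paths=MEASURED):
    """Map each application to the (path, in_policy) decision for the measurements."""
    return {p.app: choose_path(p, paths) for p in policies}


if __name__ == "__main__":
    print(decide_all())
    print(load_share({"web-1": 1000, "web-2": 1500, "web-3": 500},
                     [p for p in MEASURED if p.name.startswith("ISP")]))
```

The out-of-policy return value matters operationally: when no path satisfies the thresholds the flow stays where it is rather than flapping, and the False flag is what should drive the alarm.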
Cisco Prime Infrastructure – Assurance (Management Tool)
• Configuration of AVC features*
• Network monitoring
• Service monitoring
• Reporting and trends
• Multi-NAM manager
• Packet and flow analysis
• Application response time
• Voice and video metrics
• Distributed SNMP and NetFlow collection
Cisco WAAS – Enhancing user experience and WAN efficiency
Problem
• Poor application responsiveness
• WAN bandwidth costs
Solution
• Reduce load: Data Redundancy Elimination, compression, TCP optimization
• Application optimization: fewer protocol messages, metadata caching, ...
Figure: bar chart of application bandwidth (Mbps) and application latency (seconds), natively vs. with WAAS, showing bandwidth saved and reduced latency.
Challenges of Desktop Virtualization over WAN
• The display protocol is opaque to the network
• End-users experience no pixelization on the LAN but see pixelization over the WAN (e.g. a T1 branch link)
• Increasing bandwidth is expensive and might not help
• Video processed on the hosted virtual desktop (HVD) overloads server compute and bandwidth
Figure: the branch office connects through a branch router and a T1 link to the data center and campus; video from the video source hairpins through the HVD in the data center before it is displayed back at the branch.
WAAS 5.0 optimization with Citrix ICA AO
• WAAS optimizes encrypted and compressed ICA desktop session traffic (no changes required on the ICA client, HVD or DC infrastructure) for all versions of XenDesktop and XenApp
• Includes the WAAS 4.4 application-aware DRE feature for unidirectional caching of desktop session traffic, which improves scalability and application performance
Figure: ICA client – branch router – WAAS – WAN – WAAS – aggregation router – Citrix HVD in the data center, with display protocol acceleration between the two WAAS nodes.
Note: Multi-Session ICA (MSI) in XenDesktop 5.5 is first supported in WAAS 5.1. If MSI is used with a prior release, only the initial session (ICA port 1494) will be optimized automatically; other flows will be treated as regular TCP flows.
Cisco WAAS: WAN Optimization Solution
Figure: deployment form factors across the WAN and Internet:
• SOHO and mobile users: WAAS Mobile software, terminating on a WAAS Mobile server (over VPN)
• Branch offices: WAAS service module in the ISR, IOS WAAS Express on the router, or a WAAS WAE appliance
• Regional office: WAAS WAE appliance
• Data center or private cloud: WAAS WAE appliances, or vWAAS on VMware ESXi with Nexus 1000V vPath on UCS/x86 servers (server VMs, FC SAN, Nexus 1000V VSM)
• Virtual private cloud: vWAAS behind a CSR 1000V (over VPN)
Lean Branch Office Applications – Edge Applications That Defy Centralization
• Core Windows services: DNS and DHCP servers, Microsoft Active Directory, Windows Print Services, Windows File Services, others ...
• Mission critical business applications: Point of Sale server, Bank Teller Control Point, Electronic Medical Records, Inventory Management, others ...
• Client management services: Software Update Service, Client Monitoring Service, Backup and Recovery, Terminal Server Gateway, others ...
UCS E-Series – Extend Cloud Services into Branch Infrastructure
Supported on ISR G2 2911 and above. Figure: IOS and the MGF backplane switch connect SRE blades, each running the SRE-V hypervisor with several OS/App virtual machines; CIMC-E manages the blades.
Platform for WAN edge applications
• Microsoft Windows Server-certified
Server virtualization
• Cisco SRE Virtualization powered by VMware vSphere Hypervisor™ (ESXi)
Dedicated blade management
• Cisco Integrated Management Controller
• Consistent management for the UCS family
Multipurpose x86 blades
• Cisco Service-Ready Engine modules
• House up to four server blades in an ISR G2
Single-device network integration
• House all devices in the ISR G2 chassis
• Multigigabit fabric backplane switch
Medianet Introduction
“I want a network infrastructure so that I should not worry when tomorrow I’ll be asked to implement video applications.” – Massimo Fogaroli, IT Manager, Mediolanum Bank
• Network aware: automatically respond to changes in devices and service availability
• Endpoint aware: automatic detection and configuration
• Media aware: detection and optimization of different media and applications
Capabilities: Visibility; Diagnostics (Network Assessment, Mediatrace, Performance Monitoring, IP SLA VO); Flow Metadata
Medianet Media Monitoring – Media Assessment, Monitoring and Troubleshooting
• Pre-deployment assessment / network validation with IP SLA Video Operation (VO): ISR G2 DSPs generate synthetic video, e.g. TelePresence traffic, between an IP SLA initiator and an IP SLA responder
• What path, and where is the problem? Mediatrace and Performance Monitor: when Cisco Prime Collaboration Manager detects a video quality issue (lost packets seen), it initiates a network-initiated mediatrace that collects path and performance metrics of the media stream along the ASR1K/ISR G2 path (MPLS or Internet DMVPN) and displays the results
Media Monitoring – Performance Monitor (Performance Collection & Exporting)
• Monitors video traffic traversing different network types (MPLS, Internet)
• Generates alerts based on user-configurable thresholds
• Enabled on the voice/video VLAN, applied in the in/out direction at the headend and the branch
• Provides metrics including jitter, packet loss, latency, bitrate, etc.
• MediaNet PerfMon is also the Media Monitor (MMon) in AVC; results can be viewed in tools such as LiveAction
Media Troubleshooting – Mediatrace (Diagnostics)
• Use Mediatrace to further troubleshoot media issues
• Initiate Mediatrace to discover the path, system resources or quality metrics on devices in the media path, e.g. for traffic from a branch phone to a headend phone across the MPLS or Internet VPN
• Mediatrace responders collect the requested metrics and return them to the initiator
• Works with Cisco Collaboration Manager
Need for End to End Classification (Visibility)
Each hop sees a different view of the same voice call between Marylou and John:
• The application knows the voice communication started with application “X”, marks the packets DSCP=EF, and holds lots of information that it is not going to send on the wire
• The access switch knows the packet has DSCP=EF, comes from Fast1/0, from location “Desk1”, from user “Marylou”
• The WAN router knows only that the flow has DSCP=EF and contains RTP voice
• How do you enforce a consistent network policy when classification differs along the path? E.g. rule: prioritize voice communication from Marylou to John
• The endpoint can provide information not available or visible to the network
MediaNet Metadata for classification – Metadata Flow Principles (Visibility)
1. The application creates metadata
2. Metadata announcement: each router along the path stores it in its metadata DB
3. The media flow follows; routers apply QoS based on the metadata and export the data to the NMS
Example entry (flow identifier followed by metadata):
IP Src    IP Dst    Prot  L4 Src  L4 Dst  Application               Vendor  Dial From  Dial To   Caller ID
10.1.1.2  20.1.1.2  UDP   2000    4000    Video-Conference (Audio)  Cisco   83922564   85268229  Albert Albatross
Video Conferencing Services
Centralized: video is mixed by a centralized MCU at the HQ/campus, controlled by CUCM; multiple video streams traverse the WAN to the central MCU resource, a non-optimal use of limited WAN bandwidth.
Distributed: video is mixed by the ISR G2 DSPs in the branch, controlled by CUCM or UCME; traffic stays local in the branch if all participants are located in the branch; ad-hoc and MeetMe conferences are supported. Only signaling crosses the WAN; media stays in the branch.
Video Delivery Optimization – WAAS + Enterprise Content Delivery System (ECDS)
• Multiple “publish and subscribe” channels (e.g. signage channel, HR VOD channel, corporate communications channel) for simplified management
• Broad live broadcast protocol support: WMF, Silverlight, Flash
• Video pre-positioning
Figure: CDN infrastructure in the data center publishes over the WAN to branch offices running ECDS plus context-aware DRE.
NG WAN Pervasive Security – Secure Reliable Access to Any Service
• Provides data privacy (encryption) across the WAN: GETVPN any-to-any encryption over MPLS; DMVPN & FlexVPN over 3G/4G or the Internet provide dynamic spoke-to-spoke tunnels
• Highly scalable WAN aggregation with encryption: 4000 DMVPN tunnels and 4000 GETVPN group members; up to 28 Gbps of encryption throughput per ASR1K
• Interoperation with QoS and PfR ensures service performance
• TrustSec simplified access control: SGT, SXP and SG Firewall
Figure: headquarters ASR1K pairs (WAE cluster) connect over SP A MPLS and SP B MPLS (protected by GETVPN, with COOP key servers) and over the Internet (DMVPN hub, protected by DMVPN) to a standard branch ISR G2; the data center/private cloud is fronted by an SG firewall, with SGTs learned over SXP.
Dynamic Multipoint VPN (DMVPN) – Secure On-Demand Meshed Tunnels
• Full meshed connectivity with simple configuration
• Zero-touch configuration for the addition of new spokes
• Automatic site-to-site IPsec tunnels
• Transport- and carrier-agnostic overlay transport: easy multi-homing, a single control plane, simple carrier transition
• Large scale: up to 4000 spokes per ASR1K hub with EIGRP or BGP; hierarchical hub designs to scale beyond single-hub limits
Figure: traditional static tunnels need static, known IP addresses; DMVPN tunnels work with dynamic, unknown spoke addresses (hub, spoke 1, spoke 2 ... spoke n).
Introducing FlexVPN – A single overlay VPN solution (new)
One IKEv2-based framework covers the use cases previously split across separate solutions: shortcut switching between branches (DMVPN), isolated branches (Easy VPN) and remote access (AnyConnect), all terminating on the corporate LAN with separation between departments (Department RED, Department GREEN).
Group Encrypted Transport VPN (GETVPN) – Before and After GET VPN
Before: IPsec point-to-point tunnels (public/private WAN)
• Scalability is an issue (N^2 problem)
• Overlay routing
• Any-to-any connectivity may require tunnel setup
• Inefficient multicast replication
After: tunnel-less VPN (private IP WANs, any WAN transport)
• Scalable architecture for any-to-any connectivity and encryption
• No overlays – native routing
• Any-to-any instant connectivity
• Efficient multicast replication
Cisco Router Security Certifications
http://www.cisco.com/go/securitycert
Columns: FIPS 140-2 Level 2; Common Criteria EAL4; Next-Gen Encryption* software support; Next-Gen Encryption* hardware assist
Rows: Cisco ISR 890 Series; Cisco ISR 1900 Series**; Cisco ISR 2900 Series**; Cisco ISR 3900 Series; Cisco ISR 3900E Series; Cisco ASR 1000 Series (N/A**)
* NSA Suite B (RFC 4869) cryptographic algorithms for both unclassified and most classified information
** 1900s and lower 2900 Series require ISMs; only the ASR 1002-X and ESP-100 based ASR 1000s
TrustSec SGT over DMVPN and GETVPN
Figure: branch networks (HR, Finance, Sales and Admin on Catalyst® switches and APs) tag traffic with SGTs; the SGT frame crosses the WAN (ISR G2/ASR1k with SG Firewall) over MPLS (GETVPN) or the Internet (DMVPN); campus aggregation on Catalyst 6500/Sup2 enforces SGACLs; the data center (Nexus 7000, Nexus 5000/2000) enforces SGT/SGACL and SGFW at egress; ISE provides SGT assignment, profiler, posture and guest server.
• DMVPN inline tagging – ISR G2 (IOS 15.2(2)T)
• SGT over GETVPN support on ISR G2 (IOS PI21*) and ASR1k (IOS XE 3.9*)
• SG Firewall for egress enforcement
• SGT capability exchange during DMVPN IKEv2 negotiations and GETVPN group membership registration
• Learn SGT from SXP or authentication methods
• Simple one-command configuration – DMVPN: “crypto ikev2 cts sgt”; GETVPN: “tag cts sgt”
* ISR G2 IOS (PI21) and ASR1k IOS (XE 3.9) will be available in Spring 2013.
Security Group FW Architecture
Figure: a PC in the branch sends traffic across the enterprise WAN; the ISR SGFW enforces at the branch, the ASR1k SGFW enforces at WAN aggregation, and the data center switches enforce SGACL policies from ISE. SGTs reach the enforcement points either inline or as IP-to-SGT bindings over SXP (e.g. 10.1.10.1 → SGT 10).
• Consistent classification/enforcement between ISR/ASR SGFW and switching
• In general, SGACL and SGFW policy should be synchronized via the policy administration UI
• SGT allows more dynamic classification in the branch and WAN aggregation
• Rich logging requirements will be fulfilled on the SGFW – URL logging, etc.
• Active/active support in ZBFW allows for asymmetric routing*
• SGFW in ISR G2 IOS 15.2(2)T and ASR1k IOS XE 3.5
* Active/active assumes a shared L3 subnet on router interfaces for redundancy groups
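The SGT mechanics on the two preceding slides (bindings learned over SXP, classification of both ends by tag, a tag-to-tag policy enforced by the SGFW), as an added example that is not Cisco code: the bindings, tag numbers, subnets and rules are constructed for illustration, apart from the slide's own 10.1.10.1 → SGT 10 binding. It shows longest-prefix lookup, implicit deny for tag pairs without a policy, and the kind of log line an SGFW enforcement point would emit.

```python
"""IP-to-SGT lookup and SGFW-style enforcement (added example, not Cisco code).

Models the two inputs the slides describe: bindings learned over SXP (or
inline tags) and a source-SGT x destination-SGT policy. Tag numbers, subnets
and rules are constructed; 10.1.10.1 -> SGT 10 is the slide's own example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

UNKNOWN_SGT = 0   # TrustSec reserves tag 0 for "unknown"

# Constructed SXP bindings: prefix -> SGT. A host binding overrides its subnet.
SXP_BINDINGS = {
    "10.1.10.0/24": 10,    # HR users
    "10.1.10.1/32": 100,   # admin workstation inside the HR subnet
    "10.1.20.0/24": 20,    # Finance users
    "10.1.30.0/24": 30,    # Sales users
    "10.100.0.0/16": 50,   # data center servers
}
SGT_NAMES = {10: "HR", 20: "Finance", 30: "Sales", 50: "DC-Servers",
             100: "Admin", 0: "Unknown"}

# Longest prefix must win, so keep bindings sorted by prefix length, descending.
_BINDINGS = sorted(((ipaddress.ip_network(p), tag) for p, tag in SXP_BINDINGS.items()),
                   key=lambda b: b[0].prefixlen, reverse=True)


def lookup_sgt(ip: str) -> int:
    """Classify an address by the most specific binding, else SGT 0."""
    addr = ipaddress.ip_address(ip)
    for net, tag in _BINDINGS:
        if addr in net:
            return tag
    return UNKNOWN_SGT


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]    # None = any destination port
    action: str             # "permit" or "deny"


# SGACL/SGFW matrix: (src SGT, dst SGT) -> ordered rules; no entry = implicit deny.
POLICY = {
    (10, 50): [Rule("tcp", 443, "permit"), Rule("tcp", 80, "permit")],
    (20, 50): [Rule("tcp", 443, "permit"), Rule("tcp", 1433, "permit")],
    (30, 50): [Rule("tcp", 443, "permit")],
    (100, 50): [Rule("any", None, "permit")],
}


@dataclass(frozen=True)
class Decision:
    action: str
    src_sgt: int
    dst_sgt: int
    matched: str


def enforce(src_ip, dst_ip, proto, dport=None) -> Decision:
    """Classify both ends by SGT and apply the first matching rule, else deny."""
    s, d = lookup_sgt(src_ip), lookup_sgt(dst_ip)
    for r in POLICY.get((s, d), []):
        if r.proto in ("any", proto) and r.dport in (None, dport):
            return Decision(r.action, s, d, f"{r.proto}/{r.dport or 'any'}")
    return Decision("deny", s, d, "implicit")


def log_line(src_ip, dst_ip, proto, dport, decision: Decision) -> str:
    """Syslog-style line in the spirit of the SGFW logging the slide mentions."""
    return (f"SGFW {decision.action.upper()} {proto}/{dport} {src_ip}->{dst_ip} "
            f"sgt {decision.src_sgt}({SGT_NAMES.get(decision.src_sgt, '?')})"
            f"->{decision.dst_sgt}({SGT_NAMES.get(decision.dst_sgt, '?')}) "
            f"rule={decision.matched}")


if __name__ == "__main__":
    for flow in [("10.1.10.5", "10.100.1.1", "tcp", 443),
                 ("10.1.10.5", "10.100.1.1", "tcp", 22),
                 ("10.1.10.1", "10.100.1.1", "tcp", 22),
                 ("10.1.30.7", "10.1.20.9", "tcp", 445),
                 ("192.168.9.9", "10.100.1.1", "tcp", 443)]:
        print(log_line(*flow, enforce(*flow)))
```

Two points the slides make are visible here: the policy is written against tags, so moving a user to another subnet changes nothing as long as the binding follows them, and an address with no binding falls into SGT 0 and is denied unless a rule says otherwise.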
IPv6 – Anyone, Anything, Anywhere, Anytime
Three pillars: IPv6 feature enablement, IPv6 transitioning, IPv6 routing
Why?
• IPv4 address exhaustion: 3 Feb 2011 was the last day of IANA IPv4 address allocations
• Government mandates
• IPv6 device and content growth
• Mergers and acquisitions
• Gain familiarity with IPv6
IPv6 feature enablement
• IPv6 parity with IPv4 in most cases
• ISR G2 and ASR 1000 designed for IPv6: more memory and better performance for IPv6; broadest coverage in the industry
IPv6 transitioning: all transition mechanisms supported
• Dual stack
• Tunneling
• Translation
Transitioning the Network to IPv6 – Preserve, Prepare, Prosper
Cisco NG Enterprise WAN solutions, branch & campus: dual stack IPv4 and IPv6
• IPv4 WAN – tunnel: IPv6-in-IPv4 tunnels, i.e. IPv6 over DMVPNv4
• IPv6 Internet – translate: NAT64 allows IPv6 devices to access IPv4 applications
Figure: dual-stack branch office (ISR G2) – IPv6-over-IPv4 tunnel across the IPv4 WAN – dual-stack WAN aggregation (ASR1K) – campus/datacenter; at the Internet edge an ASR1K translates (NAT64) between IPv6 devices and IPv4 services.
© 2013 Cisco and/or its affiliates. All rights reserved. BRKARC-2091 Cisco Public
Hybrid Cloud Definition – Virtual Private Clouds (VPC)
[Diagram: Cloud Intelligent Network linking the Private Cloud (ASR 1000, AVC, ASA, WAAS, AppNav), the Virtual Private Cloud (CSR 1000V, ASA 1000V, Nexus 1000V, vWAAS, VSG, VXLAN, vPath) and the Public Cloud (HCS Services); network services: Security, App Visibility & Control (AVC), Cloud Connectors, Medianet]
Hybrid Clouds exist on the premises and are maintained by a cloud provider. Resources are allocated to individual companies or organizations, providing them the look and feel of a private cloud within a shared cloud environment.
Source: NIST
Hybrid – Virtual Private Cloud Virtual Networking Services
Cloud Network Services – Multi-Hypervisor
CSR 1000V
• WAN Gateway
• IOS Networking
vWAAS
• WAN Optimization
• Application Traffic
ASA 1000V
• Edge Firewall
• Protocol Inspection
VSG
• Zone-based Firewall
• VM-level Control
Nexus 1000V
• Distributed Switch
• NX-OS Consistency
[Diagram: Cloud Provider’s Data Center with physical infrastructure (multi-hypervisor servers) and virtual infrastructure: Nexus 1000V with vPath steering traffic to vWAAS/AppNav, ASA 1000V and CSR 1000V at the tenant edge, VSG per department (Tenant A: Department A, Department B)]
Cisco CSR 1000V – Cisco IOS Software in Virtual Form-Factor
• Virtual Route Processor (RP)
• Virtual Forwarding Processor (FP)
• Optimized for single tenant use cases
• Hypervisor agnostic
• Virtual switch agnostic
• Server agnostic
[Diagram: CSR 1000V running as a VM alongside application VMs (OS + App) on a virtual switch, hypervisor and server inside a VPC/vDC]
Public Cloud Definition
[Diagram: Cloud Intelligent Network linking the Private Cloud (ASR 1000, AVC, ASA, WAAS, AppNav), the Virtual Private Cloud (CSR 1000V, ASA 1000V, Nexus 1000V, vWAAS, VSG, VXLAN, vPath) and the Public Cloud (HCS Services); network services: Security, App Visibility & Control (AVC), Cloud Connectors, Medianet]
Operated wholly by cloud providers, public clouds offer services to companies, organizations and individuals using a fully virtualized environment hosted in the cloud. Services are delivered in a shared environment even though they might be provisioned or customized for the needs of the individual organization.
Source: NIST
What is Cloud Connector?
Connects a Corporate Network to a Cloud Service
Application or Service specific to ensure transparent access
Improves delivery of Public Cloud Services: Provisioning, Performance, Security, Reliability, Management
Cloud Connector solutions include ScanSafe, WebEx Media, Hosted Collaboration Service, Storage/Backup, …
[Diagram: Headquarter Campus and Branch (ASR1K) connected over MPLS with GETVPN and the Internet; Cloud Connector to Email VMs in the Public Cloud]
Example – ScanSafe Cloud Connector
ScanSafe provides secure access to Public Cloud services
Single policy portal, ease of deployment and management
Direct Internet access reduces WAN cost and improves application performance
[Diagram: Headquarter Campus and Branch (ASR1K) over MPLS with GETVPN; the ScanSafe Cloud Connector carries Internet traffic to Public Cloud applications through ScanSafe – Web Security, Web Filtering, Centralized Reporting, Consistent Policy Control]
Example – WebEx Media Connector
WebEx Media Connector peers directly with the Enterprise WAN
CUCM+CUBE deployed at Enterprise and WebEx Cloud
Firewalls+CUBE to secure the borders with WebEx
Improves voice and video conferencing quality
Reduces 800 toll charges
[Diagram: Headquarter Campus and Branch (ASR1K) over MPLS with GETVPN and the Internet; WebEx Cloud Connector to the Cisco WebEx Collaboration Cloud]
Example – Cloud Storage Connector (Third Party Connector)
Cisco ISR G2 and UCS® E-Series with Cloud Storage Gateway
End-User Virtual Portal: users access their own cloud backups and folders, restore and share files.
MSP Admin Portal: manage end-user accounts, service provisioning and billing.
Branch Office Agent-Less Solution: cloud storage is cached on UCS E; branch files are backed up to the cloud.
[Diagram: Branch Office ISR G2 with UCS E-Series connected to the MSP Network; Backup Agent for Roaming Laptop]
Prime Infrastructure – Functional Overview
A single integrated solution for comprehensive lifecycle management of wired/wireless access, campus, and branch networks
Automates compliance with regulatory requirements, Cisco and IT best practices
Utilizes rich performance data for end-to-end network visibility to assure application delivery and optimal end-user experience
ISR G2 Portfolio – Recommended Positioning with Services
[Chart: ISR G2 models (800, 1921, 1941, 2901, 2911, 2921, 2951, 3925, 3945, 3925E, 3945E) positioned by WAN access speed with services (10 Mb to 350 Mb) across Mobile Branch, Standard Branch and High-End Branch; WAN access types: EFM sub-rate FE, VDSL2+/sub-rate FE, line rate FE, line rate N x FE]
Cisco ASR 1000 Series Routers: Overview – Designed Today for up to 360 Gbps in the Future
Compact, Powerful Router – Instant On Service Delivery – Business-Critical Resiliency
One IOS-XE Feature Set
Integrated firewall, VPN, encryption, NBAR, CUBE
Scalable on-chip service provisioning through software licensing
Fully separated control and forwarding planes
Hardware and software redundancy
In-service software upgrades
Line-rate performance 2.5G to 100G+ with services enabled
Investment protection with modular engines, IOS CLI and SPAs for I/O
Hardware based QoS engine with up to 232K queues
[Chart: ASR 1001 2.5–5 Gbps; ASR 1002 2.5–10 Gbps; ASR 1002-X 5–36 Gbps; ASR 1004 10–40 Gbps; ASR 1006 10–100+ Gbps; ASR 1013 10–360 Gbps]
Realizing the Borderless Enterprise – Borderless Experience
ANYONE, ANY DEVICE, ANYTIME, ANYWHERE – Securely, Reliably, Seamlessly
[Diagram: Cisco Cloud Intelligent Network spanning Private, Public and Hybrid Clouds; pillars: Application Visibility & Control, TrustSec, Operational Simplicity, MediaNet, Cloud Connect, IPv6 Transition]
Next Generation Enterprise WAN Wrap Up/Summary
Architectural approach to solving business requirements
– Modular—Building Blocks with Layered Services
– Infrastructure Foundation for Cisco’s Borderless Network
Cloud Intelligent Network solutions
– Private Cloud Services
– Hybrid/Virtual Private Cloud Services
– Public Cloud Services
ASR 1000 series high performance Secure WAN aggregation router
ISR G2 series for integrated branch services security, voice, video and cloud access
Virtualized Networks Services – CSR 1000v, vWAAS, ASA 1000v, Nexus 1000v
Cisco Prime—Unique Ability to Manage Entire Solution
Additional Sessions of Interest
• BRKAPP-2030 Application Visibility and Control in Enterprise WAN
• BRKRST-2362 Deploying Performance Routing
• BRKNMS-3132 Advanced NetFlow
• BRKARC-2016 Integrating Services in the Branch Without Compromise
• PSORST-2002 The Router Is the Application Delivery Platform with Cisco ISR-AX
• BRKRST-2041 WAN Architectures and Design Principles
• BRKRST-2042 Highly Available Wide Area Network Design
Maximize your Cisco Live experience with your free Cisco Live 365 account. Download session PDFs, view sessions on-demand and participate in live activities throughout the year. Click the Enter Cisco Live 365 button in your Cisco Live portal to log in.
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Cisco Daily Challenge points for each session evaluation you complete.
Complete your session evaluation online now through either the mobile app or internet kiosk stations.