SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)
TRANSCRIPT
Cisco Confidential © 2015 Cisco and/or its affiliates. All rights reserved.
Chris Lewis, Engineering System Manager
May 19th 2016
SP Virtual Managed Services
Agenda
• Introduction
• VMS Services
• IWAN
• Cloud VPN
• Cloud VCE
• VMS Technology Drivers
• VMS Definition
• VMS Demo
• Conclusion
Introduction
Digital Innovation Overwhelming the Branch
Branch office workloads: OS Updates, HD Video, Omni-channel Apps, Mobile Apps, Online Training, SaaS Enterprise Apps, Social Media, Guest WiFi, Digital Displays
More Users: 20-50% of employees and customers are served in branch offices*
More Apps / More Devices / More Risk (figures on the slide: 73%, 80%, 30%):
• increase in enterprise bandwidth per year through 2018**
• of advanced threats will target branch offices by 2016 (up from 5%)**
• growth in mobile devices from 2014 - 2018**
*Tech Target, Branch Office Growth Demands New Devices, 2013
**Gartner, Forecast Analysis: Worldwide Enterprise Network Services, Q2 2014 Update
***Gartner: “Bring Branch Office Network Security Up to the Enterprise Standard”, Jeremy D’Hoinne, 26 April 2013.
Next generation network characteristics are more dynamic than in the past
Past: One Large Global WAN; One Carrier; Static Application Flow
Next generation: Hybrid DC, Cloud; WAN Connectivity On-demand; Multiple Carriers; New Traffic Patterns
What Are These New Traffic Patterns?
Traditional traffic: branch to MPLS Network, then to the Internet
New traffic: branch to Public Cloud and Internet directly, alongside the MPLS Network
MPLS is 5x the transport cost for traffic that ends up on the Internet anyway
(Chart on the slide: $1,000, 97%, 84%, $2.34; “Zone of Enlightenment”)
VMS Services
2016, The Year SD-WAN takes off... (ZK Research)
Definition: ONUG* (Large Enterprise User Group) has specified 10 requirements for an SD-WAN
ONUG SD-WAN Requirements (✔ = met by Cisco)
1 CPE: physical or virtual form factor ✔
2 Zero Touch Deployment: agility in provisioning and deployment ✔
3 Secure Hybrid WAN: Dynamic traffic engineering across Internet & private WAN based on application policy, and aware of network availability/degradation ✔
4 Active-Active Architecture: Sites connect to applications through Internet & private WAN ✔
5 High Availability & Resiliency: Optimal for client user experience ✔
6 Layer 2 & 3 Interoperability: With directly connected switch and/or router ✔
7 Visibility, Prioritization & Steering Applications: Specifically business critical and real-time applications per security, corporate governance and compliance ✔
8 Management Dashboard/Portal: By site, Application and VPN performance level ✔
9 Controller with open APIs: For access and management, forward specific log events ✔
10 FIPS 140-2 Validation Certification: Encryption with automated certificate life cycle management ✔
*ONUG: Open Networking User Group (Large Enterprises)
What are the VMS services?
• Many and varied
• Starts with Cloud VPN
• Adds virtual service attachment
• Supports IWAN
• Real deployments will require aspects of each
Full Cloud VPN
Path: CPE over the Internet via CloudVPN (IPSec) to the SP PE, DC SW and UCS hosting the VMS service chain
Service chain on UCS in the I-VRF (BR-INSIDE-01-VMS): vRouter (CSR1Kv), Firewall (ASAv), Web Security (WSAv), then out to the Internet
Full Cloud VPN + vCE on CSR1Kv
Same path as Full Cloud VPN: CPE over the Internet via CloudVPN (IPSec) to PE, DC SW and UCS; service chain in the I-VRF (BR-INSIDE-01-VMS): vRouter (CSR1Kv), Firewall (ASAv), Web Security (WSAv)
Added: the CSR1Kv also acts as a virtual CE (BR-vCE-PE-CustX) into the MPLS VPN (CustX-VRF) over VLAN 85, 10.193.1.0/24, AS 65001 to AS 65010
VMS IWAN as we know it
A DMVPN cloud per transport between branch and enterprise hub. All security implemented at hub before going out to Internet.
DMVPN today: multiple independent broadband circuits; Inet and MPLS transports
ISR branch today: ISR4K with DMVPN over Inet and MPLS, MC1
Destinations: Public Cloud, Virtual Private Cloud, Private Cloud (MPLS), Internet
VMS IWAN with CPE Based Split Tunneling
Efficient access to SaaS, guarantees branch gets closest resource.
Direct Internet Access: local breakout direct to Internet for specific SaaS apps. Needs ZBF and ACL for security on CPE.
Branch ISR4K with DMVPN over Inet and MPLS, MC1; destinations: Public Cloud, Virtual Private Cloud, Private Cloud (MPLS), Internet
VMS IWAN with service provider security services
Revenue opportunity to offer virtual services to IWAN connected customers.
SP Data Center hosting Virtual Security Services; branch ISR4K with DMVPN over Inet and MPLS; destinations: Public Cloud, MPLS Private Cloud, Internet
Cisco Intelligent WAN Solution Components
Transport Independent: Provider Flexibility; Modular Design; Common Operational Model
Intelligent Path Control: Load Balancing; Policy-Based Path Selection; Network Availability
Secure Connectivity: Scalable, Strong Encryption; App-Aware Threat Defense; Cloud Web Security
Application Optimization: Application Visibility; App Acceleration; Intelligent Caching
AX Router
The Challenge with IWAN: New Complexity
Today’s Enterprise WAN (e.g. Cisco): branches reach the Data Center over MPLS (IP-VPN); Internet, Public Cloud and Virtual Private Cloud are reached through Internet PoPs
Security functions at each Internet PoP / Data Center:
• Stateful firewall
• DNS logging
• URL Black listing
• AV in the cloud
• URL logging
• Netflow Collection
• IDS / IPS
• Anti-Malware
• Full Packet Capture
• Intellectual Property Protection
• Web Proxy logging for compliance
e.g. Cisco: 16 IPoPs serving ~500 branch offices
Scaling Security Posture: “How do I capture IWAN savings with this operational model?”
With direct Internet access from the branch, “16 becomes 500”: the Internet PoP security stack would be needed at every branch, not just at the 16 PoPs
Internet PoP / Data Center functions in question:
• Stateful firewall
• DNS logging
• URL Black listing
• AV in the cloud
• URL logging
• Netflow Collection
• IDS / IPS
• Anti-Malware
• Full Packet Capture
• Intellectual Property Protection
• Web Proxy logging for compliance
MPLS (IP-VPN) to the Data Center remains; the branch Internet path is the open question (?)
“It would be great if an SP could help us with this challenge” - John Manville, SVP Cisco IT
Intelligent WAN (IWAN): A Hybrid WAN Solution - Built Exclusively for the Enterprise
Branches reach the Enterprise Hub / Enterprise HQ over two transports: Internet (IPSec Tunnel Direct to Hub) and MPLS VPN (Direct to SP)
Reduce Access Costs; Achieve Network Diversity; Intelligent path allocation; Visibility, control and optimization
VMS Technology Drivers
VMS Market Drivers: Why Are Things Different This Time Around?
• The second half of the chessboard dynamics of processing power
• Why Netconf and Yang are game-changers
• Simplicity of user experience rules
What We’ve Learned From Exponential Growth: Second half of chessboard makes experience of first half irrelevant
Cray2: 53” x 45”, 16 ft2, 57.45 ft3, 5,500 lbs
iPad2: 9.5” x 7.3”, 0.48 ft2, 0.013 ft3, 1.3 lbs
iPad2 has more computing power than the Cray2 Supercomputer, at a fraction of the power consumption
Watson: AI is reaching human levels in some fields
Moore’s Law Applied To Network Equipment
Network tiers: Core, Edge, Aggregation, Access, CPE; Optical
Why Netconf and YANG are important: From Complexity to Simplicity and Automation
Manual: Architect It, Design It, Where Can We Put It?, Procure It, Install It, Configure It, Secure It, Is It Ready?
Automated, Self-Service, On-Demand: Service Oriented; Self-Service; Automated Provisioning; Elasticity (Capacity-on-Demand)
FROM WEEKS TO MINUTES*
Determining Business Relevance: How Important is an Application to Your Business?
Relevant (RFC 4594)
• These applications directly support business objectives
• Applications should be classified, marked and treated according to industry best-practice recommendations
Default (RFC 2474)
• These applications may/may not support business objectives (e.g. HTTP/HTTPS/SSL)
• Applications of this type should be treated with a Default Forwarding service
Irrelevant (RFC 3662)
• These applications do not support business objectives and are typically consumer-oriented
• Applications of this type should be treated with a “less-than Best Effort” service
What Do We Do Under-the-Hood? Apply RFC 4594-based Marking / Queuing / Dropping Treatments
Application Class | Per-Hop Behavior | Queuing & Dropping | Application Examples | Business Relevance
VoIP Telephony | EF | Priority Queue (PQ) | Cisco IP Phones (G.711, G.729) | Relevant
Broadcast Video | CS5 | (Optional) PQ | Cisco IP Video Surveillance / Cisco Enterprise TV | Relevant
Real-Time Interactive | CS4 | (Optional) PQ | Cisco TelePresence | Relevant
Multimedia Conferencing | AF4 | BW Queue + DSCP WRED | Cisco Jabber, Cisco WebEx | Relevant
Multimedia Streaming | AF3 | BW Queue + DSCP WRED | Cisco Digital Media System (VoDs) | Relevant
Network Control | CS6 | BW Queue | EIGRP, OSPF, BGP, HSRP, IKE | Relevant
Signaling | CS3 | BW Queue | SCCP, SIP, H.323 | Relevant
Ops / Admin / Mgmt (OAM) | CS2 | BW Queue | SNMP, SSH, Syslog | Relevant
Transactional Data | AF2 | BW Queue + DSCP WRED | ERP Apps, CRM Apps, Database Apps | Relevant
Bulk Data | AF1 | BW Queue + DSCP WRED | E-mail, FTP, Backup Apps, Content Distribution | Relevant
Default Forwarding | DF | Default Queue + RED | Default Class | Default
Scavenger | CS1 | Min BW Queue (Deferential) | YouTube, Netflix, iTunes, BitTorrent, Xbox Live | Irrelevant
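The table above as a marking policy in code, added here as an illustration (not Cisco's QoS implementation): the class/PHB/relevance rows are the slide's, and each DSCP value is derived from the PHB name using the RFC 2474, 2597 and 3246 code-point rules rather than typed in; a bare AFx from the slide is taken as AFx1.

```python
"""RFC 4594-style class table from the slide, with each DSCP derived from the
PHB name instead of hard-coded.  Added illustration, not Cisco's QoS code."""
import re

# (application class, PHB, business relevance) exactly as on the slide
CLASSES = [
    ("VoIP Telephony", "EF", "Relevant"),
    ("Broadcast Video", "CS5", "Relevant"),
    ("Real-Time Interactive", "CS4", "Relevant"),
    ("Multimedia Conferencing", "AF4", "Relevant"),
    ("Multimedia Streaming", "AF3", "Relevant"),
    ("Network Control", "CS6", "Relevant"),
    ("Signaling", "CS3", "Relevant"),
    ("Ops / Admin / Mgmt (OAM)", "CS2", "Relevant"),
    ("Transactional Data", "AF2", "Relevant"),
    ("Bulk Data", "AF1", "Relevant"),
    ("Default Forwarding", "DF", "Default"),
    ("Scavenger", "CS1", "Irrelevant"),
]

def phb_to_dscp(phb: str) -> int:
    """6-bit DSCP from a PHB name: CSn = n*8 (RFC 2474), AFxy = x*8 + y*2
    (RFC 2597), EF = 46 (RFC 3246), DF = 0.  A bare AFx, as written on the
    slide, is taken as drop precedence 1 (AFx1)."""
    if phb == "EF":
        return 46
    if phb == "DF":
        return 0
    if m := re.fullmatch(r"CS([0-7])", phb):
        return int(m.group(1)) * 8
    if m := re.fullmatch(r"AF([1-4])([1-3])?", phb):
        return int(m.group(1)) * 8 + int(m.group(2) or 1) * 2
    raise ValueError(f"unknown PHB {phb!r}")

def tos_byte(phb: str) -> int:
    """DSCP sits in the top six bits of the IP ToS / Traffic Class byte."""
    return phb_to_dscp(phb) << 2

def marking_table() -> dict:
    """Application class -> (PHB, DSCP, relevance tier) for a marking policy."""
    return {cls: (phb, phb_to_dscp(phb), tier) for cls, phb, tier in CLASSES}

def dscp_to_class(dscp: int) -> str:
    """Reverse lookup for a received marking; unknown values fall to Default
    Forwarding rather than being trusted into a higher class."""
    for cls, phb, _ in CLASSES:
        if phb_to_dscp(phb) == dscp:
            return cls
    return "Default Forwarding"
```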
Simplicity of user experience
• Anticipate user needs
• Click and drill
• Intelligently guide user
• User manual not required
Multiple Innovations Required For Big Leaps
Example, the Internet: IP Created; HTML Invented; Telco’s Deploy Broadband
Virtual Managed Services: Simplified Overlay Networks; Service Oriented Management; Computing power; Service Delivery Framework
VMS Definition
What is VMS?
NSO; Big Data Analytics Based Assurance
To get simplicity for the users, we need more intelligence in the system
• Separate intent from instantiation
• What is intent?
• What is instantiation?
• How do we tie instantiation to configuration?
Orchestration: From instantiation to deployment
YANG Model -> Instantiation for Site 1, Instantiation for Site 2 -> Combine with template -> Feed through NED -> Deliver via NETCONF
VMS Network Services Orchestrator
Components: PnP Server; Transaction Database; Service Manager; Device Manager; Network Element Drivers; Service Models (x86 Virtual)
• Zero Touch Deployment: Open PnP, an open method for ZTD
• Access supported by Netconf
• Service Manager interprets Service Intent with Service Instantiation Rules and derives configuration
• Device Manager manages derived and validated configurations in a transactional manner towards infrastructure
• Network Element Drivers abstract the interfaces to the devices, allowing 3rd party infrastructure to participate in Service Instantiation
• Service Models written in Yang abstract the Service from underlying physical devices
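The intent -> instantiation -> template -> NED -> NETCONF chain of the two preceding slides, reduced to plain Python as an added illustration; this is not NSO or NED code, and the service-model fields, site data, CLI template and the `cli-config-data-block` container name are constructed for the example. It also shows the transactional point: every site is validated and rendered before anything would be pushed.

```python
"""Intent -> instantiation -> template -> NETCONF payload, as on the slides,
in plain Python.  Added illustration, not NSO or NED code: the model fields,
site data, CLI template and container name are constructed."""
import ipaddress
import xml.etree.ElementTree as ET

# Service intent per site (constructed sample; CIDR/VLAN values are examples)
INTENT = {"service": "cloud-vpn", "sites": [
    {"name": "site1", "wan_if": "GigabitEthernet0/0/0", "lan": "10.193.1.0/24", "vlan": 85},
    {"name": "site2", "wan_if": "GigabitEthernet0/0/0", "lan": "10.193.2.0/24", "vlan": 86},
]}

# Stand-in for the YANG service model: field -> constraint check
MODEL = {
    "name": lambda v: isinstance(v, str) and v.isalnum(),
    "wan_if": lambda v: isinstance(v, str) and v.startswith("GigabitEthernet"),
    "lan": lambda v: ipaddress.ip_network(v, strict=True).prefixlen <= 30,
    "vlan": lambda v: isinstance(v, int) and 1 <= v <= 4094,
}

TEMPLATE = ("interface Vlan{vlan}\n ip address {gw} {mask}\n"
            "interface {wan_if}\n ip access-group BRANCH-IN in\n")

def instantiate(site: dict) -> dict:
    """Service Manager: check the intent against the model, then derive the
    concrete values (gateway, mask) the template needs."""
    for key, ok in MODEL.items():
        if key not in site or not ok(site[key]):
            raise ValueError(f"{site.get('name')}: invalid or missing {key}")
    net = ipaddress.ip_network(site["lan"])
    return {**site, "gw": str(net.network_address + 1), "mask": str(net.netmask)}

def render_netconf(site: dict) -> str:
    """NED: wrap the templated CLI in a NETCONF <edit-config> on the candidate
    datastore; 'cli-config-data-block' is a placeholder container name."""
    rpc = ET.Element("rpc", {"message-id": "1",
                             "xmlns": "urn:ietf:params:xml:ns:netconf:base:1.0"})
    edit = ET.SubElement(rpc, "edit-config")
    ET.SubElement(ET.SubElement(edit, "target"), "candidate")
    block = ET.SubElement(ET.SubElement(edit, "config"), "cli-config-data-block")
    block.text = TEMPLATE.format(**site)
    return ET.tostring(rpc, encoding="unicode")

def deploy(intent: dict) -> dict:
    """Device Manager, transactionally: every site is validated and rendered
    before anything would be pushed, so one bad site aborts the whole change."""
    return {s["name"]: render_netconf(instantiate(s)) for s in intent["sites"]}
```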
True Zero Touch for devices with Internet Connections
1 New device is powered on and gets IP and internet connectivity from ISP
2 New device invokes web service API call to PnP Server and registers its UDI (serial number). Management channel established
3 User activates desired device (branch or hub router)
4 PnP server matches serial numbers and downloads the configuration
Assumptions:
New device has internet connectivity (from the ISP)
PnP server URL is hard coded
(Diagram: Customer branch and PnP Server, steps 1-4)
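The four-step flow above as a small state machine, added as an illustration (not Cisco PnP code): the device registers its UDI (step 2), the user activates it (step 3), and the server releases a configuration only for a serial that is both registered and activated (step 4). Step 1 (getting an IP from the ISP) is outside the model; the serial numbers, URL and configuration text are constructed, and any unexpected serial is refused and logged.

```python
"""Zero-touch flow from the slide as a small state machine: the device registers
its UDI (step 2), the user activates it (step 3), and the PnP server releases a
configuration only for a serial that is both registered and activated (step 4).
Added illustration, not Cisco PnP code; serials, URL and configs are constructed."""
import logging
from dataclasses import dataclass, field
from typing import Optional

log = logging.getLogger("pnp")
PNP_SERVER_URL = "https://pnp.sp.invalid/pnp"  # placeholder for the hard-coded URL

@dataclass
class PnPServer:
    configs: dict                                 # serial -> prepared configuration
    registered: set = field(default_factory=set)  # devices that have called in
    activated: set = field(default_factory=set)   # devices the user activated

    def register(self, serial: str) -> str:
        """Step 2: device calls the web service API and registers its UDI."""
        if serial not in self.configs:
            log.warning("unexpected serial %s tried to register", serial)
            return "rejected"
        self.registered.add(serial)
        return "registered"

    def activate(self, serial: str) -> str:
        """Step 3: user activates the desired branch or hub router."""
        if serial not in self.configs:
            return "unknown"
        self.activated.add(serial)
        return "activated"

    def fetch_config(self, serial: str) -> Optional[str]:
        """Step 4: serial must match a registered *and* activated device;
        otherwise nothing is returned and the attempt is logged."""
        if serial in self.registered and serial in self.activated:
            return self.configs[serial]
        log.warning("config for %s withheld (registered=%s, activated=%s)", serial,
                    serial in self.registered, serial in self.activated)
        return None

def walk_through() -> list:
    """Runs the steps for one constructed branch router and records each outcome."""
    server = PnPServer({"FTX0000000001": "hostname branch1\n"})  # constructed serial/config
    return [server.fetch_config("FTX0000000001"),   # before registration: None
            server.register("FTX0000000001"),
            server.fetch_config("FTX0000000001"),   # registered, not activated: None
            server.activate("FTX0000000001"),
            server.fetch_config("FTX0000000001"),   # both: config delivered
            server.register("XXXX-UNKNOWN")]        # stray device: rejected
```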
VMS Orchestration Component Mapping
NSO: Orchestrator (CFS / RFS Service APIs)
ESC: Life Cycle Manager
OpenStack: Virtualization
VNFs and Infrastructure
VMS Elastic Service Controller
Elastic Services Controller (ESC) with a Netconf interface (Confd)
Service Monitor: Custom, DHCP, SNMP, Ganglia
Service Provisioning: Scale Up/Down, Elasticity; Custom Day 0 Config
VM Provisioning & Configuration Module: VNS Bring-up & Initial Configuration Application; Multi-vendor Support; Allows Modular Communication with NCS; Data Model Driven
Affinity Rules and Scale Requirements for the VNF components
ESC uses a multidimensional approach to VNF Monitoring/Restartability
Demo
Thank you.