Intelligent WAN (IWAN)
Architecture
Simon Dwyer, Systems Engineer

Agenda

Where we have come from and the need to change

What makes up IWAN

How is IWAN deployed

Where we have come from and the need to change

Traditional WAN
• Expensive carrier links
• Expensive backup links
• Rigid deployment models
• Central traffic route model

Enterprise WAN: What’s Going On?
• WAN bandwidth needs are growing! Cloud, BYOD/IoE and video are making it worse
• IT budgets flat or declining; transport/bandwidth costs are the majority of the WAN budget
• These factors are driving WAN modernisation:
  • Lower cost transports: Internet, Carrier Ethernet, LTE
  • Cloud application performance monitoring and optimisation
  • Security: strong encryption and threat protection
• Cisco IWAN is addressing this market demand!
Market drivers shown on the slide: 6x more mobile data traffic by 2015; fat apps; 2/3 of mobile traffic will be video; 50% of CIOs expect to operate via the cloud by 2015; mobility.

[Chart: Mobile Device Network Traffic: average number of apps per device, average app size, and OS update file size (iOS 8 for iPhone 6, Android 4.4 KitKat, Windows 7)]

[Chart: Third-Party Lab Test, Chromebook vs. Windows 8 Laptop (Asus VivoBook S200E notebook running Microsoft Windows 8). Network traffic compared per task: web browsing, document manipulation, photo manipulation, music manipulation, note taking, video manipulation, test taking. Source: http://principledtechnologies.com/Microsoft/Chromebook_PC_network_traffic_0613.pdf]
• On average, the Chromebook creates 152 times more network traffic
• The Chromebook creates as high as 692 times more network traffic

And the Internet Transition Pays Off Fast
EXAMPLE: San Francisco, single MPLS VPN vs. dual business Internet ($ per month)

  Bandwidth   MPLS VPN CoS1   MPLS VPN CoS2   MPLS VPN CoS3   iWAN dual Internet links (combined for enterprise SLA)
  1.5 Mbps    $303            $274            $260            $140
  10 Mbps     $1,014          $885            $830            $220 (-75%)

$665 savings/month x 12 months x 1,000 sites = $8M savings per year
Source: Telegeography MPLS VPN pricing for San Francisco as of March 2013; Comcast web site; Verizon web site.

Intelligent WAN: Leveraging the Internet
So What is New Here?
• Internet as WAN, with high reliability SLAs for business-critical applications
• Centralised security policy for Internet access
• Dramatically lower WAN costs without compromise
[Diagram: Branch connected to Private Cloud and Public Cloud]

What Makes up IWAN?

Intelligent WAN Solution Components
[Diagram: Branch connected over MPLS, Internet and 3G/4G-LTE to Private Cloud, Virtual Private Cloud and Public Cloud; AVC, WAAS and PfR in the branch; Control & Management Automation]
Transport Independent
• Consistent operational model
• Simple provider migrations
• Scalable and modular design
• IPsec routing overlay design
Intelligent Path Control
• Dynamic application best path based on policy
• Load balancing for full utilisation of bandwidth
• Improved availability
Application Optimisation
• Application visibility with performance monitoring
• Application acceleration and bandwidth optimisation
Secure Connectivity
• Certified strong encryption
• Comprehensive threat defence
• Cloud managed security for secure direct Internet access

Intelligent WAN Deployment Models
Dual MPLS (MPLS + MPLS)
• Pro: highest SLA guarantees
• Con: tightly coupled to SP
• Con: expensive
Hybrid (MPLS + Internet)
• Pro: more bandwidth for key applications
• Pro: balanced SLA guarantees
• Con: moderately priced
Dual Internet (Internet + Internet)
• Pro: best price/performance
• Pro: most SP flexibility
• Con: enterprise responsible for SLAs
Consistent VPN overlay enables security across the transition

Intelligent WAN: Leveraging the Internet
Secure WAN transport and Internet access
[Diagram: Branch with optimised secure transport over MPLS (IP-VPN) and Internet to Private Cloud and Virtual Private Cloud; Direct Internet Access to Public Cloud]
1. IWAN secure transport for private and virtual private cloud access
   • Increase WAN transport capacity and application performance cost effectively!
2. Leverage local Internet path for public cloud and Internet access
   • Improve application performance (right flows to right places)

IWAN: An Architectural and Systems Approach
• IWAN is a Solution Architecture
  • Prescribed, interoperable, tested
  • Solves a network problem
  • Use case driven systems development approach
  • Bounded scope and complexity
  • Enables automation and quality
• Delivers business outcomes
  • Reduce WAN costs, increase bandwidth
  • Improve and protect application performance
  • Direct Internet Access
  • Guest Access Offload
  • OpEx reduction (NEW!)

Transport-Independent Design

Flexible Secure WAN Over Any Transport
Dynamic Multipoint VPN (DMVPN)
[Diagram: Branch ISR-G2 connected over MPLS WAN and Internet to Data Centre ASR 1000 hubs]
Transport Independent Simplifies WAN Design
• Easy multi-homing over any carrier service offering
• Single routing control plane with minimal peering to the provider
Flexible Dynamic Full-Meshed Connectivity
• Consistent design over all transports
• Automatic site-to-site IPsec tunnels
• Zero-touch hub configuration for new spokes
Secure Proven Robust Security
• Certified crypto and firewall for compliance
• Scalable design with high-performance cryptography in hardware

Hybrid WAN Designs: Traditional and IWAN
TRADITIONAL HYBRID
• Active/Standby WAN paths (primary with backup)
• Two IPsec technologies: GETVPN over MPLS, DMVPN over Internet
• Two WAN routing domains: MPLS with eBGP or static; Internet with iBGP, EIGRP or OSPF; route redistribution, route filtering and loop prevention required
IWAN HYBRID
• Active/Active WAN paths
• One IPsec overlay: DMVPN over both MPLS and Internet
• One WAN routing domain: iBGP, EIGRP or OSPF
[Diagram: Data Centre ASR 1000 pair to ISR-G2 Branch over SP V (MPLS) and ISP A (Internet) in both designs]

IWAN Transport Independence
Consistent deployment models simplify operations
[Diagram: three models, each with a Data Centre ASR 1000 pair and an ISR-G2 Branch joined by a DMVPN overlay]
• IWAN Dual MPLS: DMVPN over two MPLS services (SP V and a second MPLS provider)
• IWAN Hybrid: DMVPN over MPLS (SP V) and Internet (ISP A)
• IWAN Dual Internet: DMVPN over Internet (ISP A, DSL) and Internet (ISP C, Cable)

Building Highly Available WANs With Cisco IWAN
Redundancy and Path Diversity Matter
[Chart: downtime per year by design, all with ISR G2 at the branch]
• Single router, single path: MPLS 99.995% (26 minutes downtime per year); Internet 99.90% (8 hours 46 minutes)
• Single router, dual paths (MPLS + Internet): 99.999% (5 minutes)
• Dual routers, dual paths (IWAN solution): 99.999%
* Typical MPLS and business grade broadband availability SLAs and downtime per year, calculated with Cisco AS DAAP tool.

IWAN Transport Independent Design With Dynamic Multipoint VPN (DMVPN)
Proven IPsec VPN Technology
• Widely deployed, large scale
• Standards based IPsec and routing
• Advanced QoS: hierarchical, per tunnel and adaptive
Flexible and Resilient
• Over any transport: MPLS, Internet, Carrier Ethernet, 3G/4G, ...
• Scalable mesh or hub and spoke topologies
• Multiple encryption, key management and routing options
• Multiple redundancy options: platform, hub, transports
Secure
• Industry certified IPsec and firewall
• NG strong encryption: AES-GCM-256 (Suite B)
• IKE version 2
• IEEE 802.1AR secure unique device identifier
Simplified IWAN Deployments
• Prescriptive validated IWAN designs
• Automated provisioning: Prime, APIC, Glueware
[Diagram: Hub ASR 1000 with secure on-demand IPsec tunnels to Branch 1, Branch 2 ... Branch n (ISR G2). Traditional static tunnels need static, known IP addresses; DMVPN on-demand tunnels work with dynamic, unknown IP addresses]

DMVPN Evolution
Phase 1: hub and spoke functionality
• p-pGRE interface on spokes, mGRE on hubs
• Simplified and smaller configuration on hubs
• Support for dynamically addressed CPEs (NAT)
• Support for routing protocols and multicast
• Spokes don’t need full routing table, can summarise
Phase 2: spoke to spoke functionality
• mGRE interface on spokes
• Direct spoke to spoke data traffic reduces load on hubs
• Daisy chain designs
• Spoke must have full routing table, no summarisation
• Spoke-spoke tunnel triggered by spoke itself
• Routing protocol scale limitations
Phase 3 (IWAN 1.0 and IWAN 2.0)
• Larger scale and more network design options
• Hierarchical designs
• Spokes don’t need full routing table, can summarise on hubs
• Spoke-spoke tunnel triggered by hubs
• Removes routing protocol limitations

Over-the-Top WAN Design with DMVPN
• Branch spoke sites establish an IPsec tunnel to, and register with, the hub site
• IP routing exchanges prefix information for each site
• BGP or EIGRP are typically used for scalability
• With the WAN interface IP address as the tunnel address, the provider network does not need to route customer internal IP prefixes
• Data traffic flows over the DMVPN tunnels
• When traffic flows between spoke sites, the hub assists the spokes to establish a site-to-site tunnel
• Per-tunnel QoS is applied to prevent hub site oversubscription to spoke sites
[Diagram: Hub ASR 1000 with secure on-demand IPsec tunnels to Branch 1, Branch 2 ... Branch n (ISR G2); traditional static tunnels use static, known IP addresses, DMVPN on-demand tunnels work with dynamic, unknown IP addresses]

DMVPN: How it Works
Dual DMVPN design: single mGRE tunnel on the hub, two mGRE tunnels on spokes
• Spokes build a dynamic permanent GRE/IPsec tunnel to the hub, but not to other spokes. They register as clients of the NHRP server (hub) and register their NBMA address
• Active-active redundancy model: two or more hubs per spoke
• All configured hubs are active and are routing neighbours with spokes
• Routing protocol routes are used to determine traffic forwarding
• A spoke will initially send a packet to a destination (private) subnet behind another spoke via the hub, and the hub will send it an NHRP redirect
• The redirect triggers the spoke to send an NHRP query for the data packet destination address behind the destination spoke
• The destination spoke initiates a dynamic GRE/IPsec tunnel to the source spoke (it now knows its NBMA address) and sends the NHRP reply
• The dynamic spoke-to-spoke tunnel is built over the mGRE interface
• When traffic ceases, the spoke-to-spoke tunnel is removed
[Diagram: hub with Tunnel0 10.0.0.1 on a static physical address (172.17.0.x) and LAN 192.168.0.0/24; spokes with dynamic physical addresses, Tunnel0 10.0.0.11 and 10.0.0.12 (Tunnel1 10.0.1.x for the second DMVPN), LANs 192.168.1.0/24 and 192.168.2.0/24]
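The spoke-to-spoke exchange described above, as an added simulation that is not Cisco code: the hub acts as NHRP server, the first packet between spokes goes via the hub and triggers an NHRP redirect, the resolution request/reply carries the NBMA addresses so the direct tunnel can be built, and an idle timer tears it down again. Tunnel and LAN addresses are the ones on the slide; the spoke NBMA addresses (TEST-NET ranges) and the 120-second hold time are constructed assumptions.

```python
"""Simulation of DMVPN Phase 3 spoke-to-spoke tunnel setup (added illustration)."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

HOLD_TIME = 120  # constructed: seconds a spoke-to-spoke tunnel may sit idle before teardown


class Spoke:
    def __init__(self, name: str, tunnel: str, nbma: str, lan: str):
        self.name, self.tunnel, self.nbma, self.lan = name, tunnel, nbma, lan
        self.nhrp_cache: Dict[str, str] = {}  # peer tunnel address -> peer NBMA address
        self.idle: Dict[str, int] = {}        # peer tunnel address -> seconds idle
        self.log: List[str] = []


class Hub:
    """NHRP next-hop server: knows every spoke's NBMA address and LAN prefix."""
    def __init__(self, tunnel: str, nbma: str):
        self.tunnel, self.nbma = tunnel, nbma
        self.nhrp_cache: Dict[str, str] = {}
        self.routes: Dict[str, str] = {}      # LAN prefix -> tunnel address of the spoke behind it
        self.log: List[str] = []

    def register(self, spoke: Spoke) -> None:
        # Spokes keep a permanent tunnel to the hub and register their NBMA address with it.
        self.nhrp_cache[spoke.tunnel] = spoke.nbma
        self.routes[spoke.lan] = spoke.tunnel
        self.log.append(f"registration {spoke.tunnel} -> NBMA {spoke.nbma}")

    def next_hop(self, dst_ip: str) -> Optional[str]:
        for prefix, tunnel in self.routes.items():
            if ip_address(dst_ip) in ip_network(prefix):
                return tunnel
        return None


class Dmvpn:
    def __init__(self, hub: Hub, spokes: List[Spoke]):
        self.hub, self.spokes = hub, {s.tunnel: s for s in spokes}
        for s in spokes:
            hub.register(s)

    def send(self, src: Spoke, dst_ip: str) -> str:
        """Deliver one data packet from a spoke; returns the path it took."""
        dst_tunnel = self.hub.next_hop(dst_ip)
        if dst_tunnel is None:
            return "dropped"
        if dst_tunnel in src.nhrp_cache:
            src.idle[dst_tunnel] = 0          # direct tunnel exists; traffic keeps it alive
            return "direct"
        # First packet goes via the hub. It would leave on the same mGRE interface it
        # arrived on, so the hub forwards it and sends an NHRP redirect to the source.
        self.hub.log.append(f"forward {dst_ip} to {dst_tunnel}; NHRP redirect -> {src.tunnel}")
        self._resolve(src, self.spokes[dst_tunnel], dst_ip)
        return "via-hub"

    def _resolve(self, src: Spoke, dst: Spoke, dst_ip: str) -> None:
        """NHRP resolution: request from src (relayed through the hub), reply from dst.
        dst learns src's NBMA from the request and the reply carries dst's NBMA, so both
        ends can bring up the dynamic GRE/IPsec tunnel over their mGRE interfaces."""
        src.log.append(f"NHRP resolution request for {dst_ip}")
        dst.nhrp_cache[src.tunnel] = src.nbma
        dst.idle[src.tunnel] = 0
        dst.log.append(f"NHRP resolution reply to {src.tunnel}: {dst.lan} at NBMA {dst.nbma}")
        src.nhrp_cache[dst.tunnel] = dst.nbma
        src.idle[dst.tunnel] = 0

    def tick(self, seconds: int) -> None:
        """Advance idle timers; tear down spoke-to-spoke tunnels idle for HOLD_TIME or more."""
        for s in self.spokes.values():
            for peer in list(s.idle):
                s.idle[peer] += seconds
                if s.idle[peer] >= HOLD_TIME:
                    del s.idle[peer]
                    del s.nhrp_cache[peer]
                    s.log.append(f"tunnel to {peer} torn down after idle")


def demo() -> List[str]:
    """Two packets Branch1 -> Branch2, an idle period, then a third packet."""
    hub = Hub("10.0.0.1", "172.17.0.1")
    b1 = Spoke("Branch1", "10.0.0.11", "203.0.113.11", "192.168.1.0/24")   # NBMA constructed
    b2 = Spoke("Branch2", "10.0.0.12", "198.51.100.12", "192.168.2.0/24")  # NBMA constructed
    net = Dmvpn(hub, [b1, b2])
    paths = [net.send(b1, "192.168.2.5"), net.send(b1, "192.168.2.5")]
    net.tick(HOLD_TIME)
    paths.append(net.send(b1, "192.168.2.5"))
    return paths  # ["via-hub", "direct", "via-hub"]


if __name__ == "__main__":
    print(demo())
```

The point a defender should take from the run: only the first packet of a flow transits the hub, and the NBMA addresses exchanged in the resolution are the public WAN addresses, which is why the later slides insist on front-door VRF isolation and an inbound ACL that admits nothing but IKE, ESP and the minimal ICMP needed to run the overlay.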

Traditional to IWAN Transition: Migration Steps
[Diagram: steps 0 through 5 with ISR G2 at the branch, grouped as: adding DMVPN to the MPLS WAN; replacing a WAN service with an Internet service; other interesting IWAN topologies (MPLS + Internet, MPLS + 3G/4G-LTE, Internet + Internet)]

IWAN Transport Best Practices
Private peering with Internet providers
• Use same Internet provider for hub and spoke sites
• Avoids Internet Exchange bottlenecks between providers
• Reduces round trip latency
IWAN Hybrid DMVPN Phase 3
• Scalable dynamic site-to-site tunnels
• Separate DMVPN per transport for path diversity (DMVPN Green and DMVPN Blue over SP V MPLS and ISP A Internet)
• Per tunnel QoS
• NG encryption: IKEv2 + AES-GCM-256 encryption
Transport settings
• Use the same MTU size on all WAN paths
• Bandwidth settings should match offered rate
Routing Overlay
• iBGP or EIGRP for high scale (1000+ sites)
• Single routing process, simplified operations
• Front-side VRF to isolate external interfaces
[Diagram: Data Centre to Branch over MPLS (SP V) and Internet (ISP A), one DMVPN per transport]

Intelligent Path Control

Getting the Most Out of Your WAN Investment
Benefits of Intelligent Path Control
[Diagram: Branch ISR G2 over Internet and WAN to Data Centre ASR 1000 pair; AVC, WAAS, PfR]
• Lower WAN costs
• Full utilisation of all WAN bandwidth
• Improved application performance
• Enabling Internet-based WANs
• Efficient distribution of traffic based upon load, circuit cost, and path preference
• Per application best path based on delay, loss and jitter measurements
• Protection from carrier black holes and brownouts

What is Performance Routing (PfR)?
Tooling for Intelligent Path Control
“Performance Routing (PfR) provides additional intelligence to classic routing technologies to track the performance of, or verify the quality of, a path between two devices over a Wide Area Networking (WAN) infrastructure to determine the best egress or ingress path for application traffic.”
• Cisco IOS technology
• Two components: Master Controller (MC) and Border Router (BR)
[Diagram: Data Centre MC with two BRs; Branch MC+BR reached over DSL and NBN]

PfR Enhances Classical Routing

                 Classical                                  PfR
  PATH CONTROL   Topological state; least cost path;        Application-aware; policy controlled;
                 static user preference                     measured performance
  METRICS        Path cost; interface state                 + Delay; jitter; bandwidth
  ADAPTIVE       Responds to link and node state            + Responds to measured performance
                 changes (up/down)                          changes (degradation)

PfR Evolution: Simplification and Scale
PfR/OER
• Internet edge
• Basic WAN
• Provisioning per site per policy
• 1000s of lines of config
PfRv2 (available now)
• Policy simplification
• App path selection
• Blackout ~6s, brownout ~9s
• Scale 500 sites
• 10s of lines of config
PfRv3 (new, IWAN 2.0)
• Internet edge
• Centralised provisioning
• AVC infrastructure
• VRF awareness
• Blackout ~2s, brownout ~2s
• Scale 2000 sites
• Hub config only

Performance Routing: Components
The Decision Maker: Master Controller (MC)
• Discover BRs, collect statistics
• Apply policy, verification, reporting
• No packet forwarding/inspection required
The Forwarding Path: Border Router (BR)
• Gain network visibility in forwarding path (learn, measure)
• Enforce MC’s decision (path enforcement)
• Does all packet forwarding
[Diagram: Data Centre MC with two BRs; Branch MC+BR reached over DSL and NBN]

Load Balancing: Maximising Link Utilisation to Increase Available Bandwidth
• External link load balancing is enabled by default for the default class
• PfR distributes traffic across a set of links to maintain efficient utilisation levels within a defined percentage range. Default utilisation range is +/- 20%
• External links can have different available bandwidth, e.g. Int 1/0 = 1.5 Mbps, Int 1/1 = 15 Mbps
• Load balancing defaults cannot be changed
• Utilisation range 20%
• Max utilisation = 50% of link capacity: 15 Mbps = 7.5 Mbps, T1 = 750 kbps
[Diagram: Data Centre ASR 1000 pair to Branch ISR-G2 over Internet and MPLS]

Intelligent Path Control with PfR: Voice and Video Use-Case
• Voice/video take the best delay, jitter, and/or loss path
• Other traffic is load balanced to maximise bandwidth
• PfR monitors network performance and routes applications based on application performance policies
• PfR load balances traffic based upon link utilisation levels to efficiently utilise all available WAN bandwidth
• Voice/video will be rerouted if the current path degrades below policy thresholds
[Diagram: Branch over MPLS and Internet to Private Cloud and Virtual Private Cloud]

Protecting Critical Applications While Increasing Bandwidth Utilisation
Multimedia and Critical Data Policy (MPLS + Internet; voice and video, email and best-effort traffic over SP1 (MPLS) and ISP (DSL))
• Protect voice and video quality: latency < 150 ms, jitter < 20 ms, loss < 5%
• Protect email applications from WAN congestion
• Voice and video preferred path SP1
• Email preferred path ISP
• Increase utilisation by load sharing
[Diagram: “High Delay Detected” and “High Jitter Detected” annotations on the WAN paths]
Business App and Load-Balancing Policy (business app and best-effort traffic over SP1 (MPLS) and ISP (FTTH))
• Protect transactional business app from brownouts: delay < 250 ms
• Preferred path SP1 (MPLS)
• Increase WAN bandwidth efficiency by load-sharing traffic over all WAN paths
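An added worked example, not Cisco’s PfR implementation, covering both the load-balancing slide and the two policies above: an application class stays on its preferred path while the path meets its thresholds, moves to another in-policy path on a brownout (threshold exceeded) or blackout (path unreachable), and the default class is checked against the 50% max utilisation and the +/-20% range so the caller can see which link would be relieved and which exit a new flow should take. Thresholds, link speeds and the 50%/20% defaults are the slide values; the measurements and loads fed in are constructed.

```python
"""PfR-style path selection and default-class load balancing (added illustration)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PathMetrics:
    delay_ms: float
    jitter_ms: float
    loss_pct: float
    reachable: bool = True   # False models a blackout


@dataclass
class Policy:
    preferred: str
    max_delay_ms: Optional[float] = None
    max_jitter_ms: Optional[float] = None
    max_loss_pct: Optional[float] = None

    def in_policy(self, m: PathMetrics) -> bool:
        """True when the path is up and every configured threshold holds."""
        return m.reachable and all([
            self.max_delay_ms is None or m.delay_ms <= self.max_delay_ms,
            self.max_jitter_ms is None or m.jitter_ms <= self.max_jitter_ms,
            self.max_loss_pct is None or m.loss_pct <= self.max_loss_pct,
        ])


# Policies from the slide: voice/video and email on the MPLS + Internet design,
# the transactional business app on the load-balancing design.
POLICIES: Dict[str, Policy] = {
    "voice-video": Policy("SP1", max_delay_ms=150, max_jitter_ms=20, max_loss_pct=5),
    "email": Policy("ISP"),
    "business-app": Policy("SP1", max_delay_ms=250),
}


def choose_path(app: str, metrics: Dict[str, PathMetrics]) -> Optional[str]:
    """Preferred path if in policy, else the first alternate that is in policy,
    else None (no compliant path; the class is left to classical routing)."""
    pol = POLICIES[app]
    if pol.in_policy(metrics[pol.preferred]):
        return pol.preferred
    for name, m in metrics.items():
        if name != pol.preferred and pol.in_policy(m):
            return name
    return None


def utilisation_pct(load_kbps: float, capacity_kbps: float) -> float:
    return 100.0 * load_kbps / capacity_kbps


def max_utilisation_kbps(capacity_kbps: float, max_pct: float = 50) -> float:
    """Per-link ceiling: 50% of capacity, so 15 Mbps -> 7.5 Mbps and a T1 -> 750 kbps."""
    return capacity_kbps * max_pct / 100.0


def out_of_range_links(loads: Dict[str, float], caps: Dict[str, float],
                       max_pct: float = 50, range_pct: float = 20) -> List[str]:
    """Links whose default-class traffic would be moved: above the max utilisation,
    or more than range_pct above the least-utilised link."""
    util = {link: utilisation_pct(loads[link], caps[link]) for link in loads}
    lowest = min(util.values())
    return sorted(link for link, u in util.items()
                  if u > max_pct or u - lowest > range_pct)


def exit_for_new_flow(loads: Dict[str, float], caps: Dict[str, float],
                      max_pct: float = 50) -> Optional[str]:
    """Least-utilised link that still has headroom under its ceiling; None if
    every link has reached its ceiling."""
    candidates = [(utilisation_pct(loads[l], caps[l]), l) for l in loads
                  if loads[l] < max_utilisation_kbps(caps[l], max_pct)]
    return min(candidates)[1] if candidates else None


if __name__ == "__main__":
    # Constructed measurements: SP1 degraded beyond the voice thresholds but
    # still inside the 250 ms business-app threshold.
    m = {"SP1": PathMetrics(180, 25, 0.5), "ISP": PathMetrics(40, 5, 0.1)}
    print(choose_path("voice-video", m), choose_path("business-app", m))
    caps = {"Int1/0": 1500, "Int1/1": 15000}            # T1 and 15 Mbps, from the slide
    print(out_of_range_links({"Int1/0": 750, "Int1/1": 3000}, caps))
    print(exit_for_new_flow({"Int1/0": 750, "Int1/1": 3000}, caps))
```

Running the main block shows the asymmetry the slides describe: the same SP1 degradation moves voice/video to the ISP path but leaves the business app on SP1, and a T1 sitting at its 750 kbps ceiling while the 15 Mbps link is at 20% is flagged for rebalancing, with new default-class flows steered to the larger link.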

How PfR Route Control Works: Key Operations
• Define your traffic policy: identify traffic classes based on applications or transport classifiers
• Learn the traffic: learn traffic classes flowing through Border Routers (BRs) based on your policy definitions
• Measurement: measure the traffic flow and network performance actively or passively and report metrics to the Master Controller
• Path enforcement: the Master Controller commands path changes based on your traffic policy definitions
[Diagram: ISR G2 and ASR1K in MC, BR and MC+BR roles; traffic classes, learning active TCs, performance measurements, best path]

Path of Last Resort
• Creates a link that will be used as a last resort
• Normally a link that is expensive and charged per usage
• E.g. satellite or LTE
[Diagram: IWAN POP1 and IWAN POP2 (MC1, BR1 through BR6) reaching branch routers R10, R12 and R13 over NBN and DSL, with a 4G link as the path of last resort]

Optimise Application
Performance

Today’s Network Is an IT Blind Spot
• Static port classification is no longer enough
• More and more apps are opaque
• Increasing use of encryption and obfuscation
• Application consists of multiple sessions (video, voice, data)
• What if user experience is not meeting business needs?
• HTTP is the new TCP
[Diagram: application types and protocols: Collaboration, FTP, Information, IM, SOAP, SaaS, RPC, Video]

Make Your IWAN Application Aware
Add Cisco Application Visibility and Control (AVC)
[Diagram: Users/Machines and Proliferation of Devices at the Branch; Private Cloud at DC/Headquarters; Public Cloud]
60% of IT professionals cite cloud performance as a key challenge
Cisco AVC: no probes, no additional hardware, AX license
• Rich data collection: Flexible NetFlow
• Many reporting tool options
Smart Capacity Planning
• Per-application per-site level reporting
• Better information improves planning accuracy
Business Aligned Policy Enforcement
• Intuitive application policies
• Identify specific cloud applications within HTTP

Performance Collection and Exporting
Integrated performance monitoring and advanced metrics for different types of applications and use cases
Advanced Monitoring
• Voice and video performance (Media Monitoring): 30% of traffic is voice and video
• Critical applications performance (Application Response Time): 40% of traffic is critical applications
Basic Monitoring
• What applications, how much bandwidth, flow direction? (NBAR2 and Flexible NetFlow)

Application Performance Monitoring for IWAN
Track and Report Application Flows and Performance
[Diagram: AVC at the Branch, Enterprise Edge, CSR and DC/Headquarters exporting NetFlow v9/IPFIX across the WAN and Private Cloud]
NetFlow/IPFIX records (same provisioning, same format)
NetFlow v9 Export / IPFIX Export
• Traffic statistics records
• Application Response Time records
• Media monitoring records (application, loss, jitter, etc.)
Provisioning, Exporting, Collecting
Partner Tools Ecosystem: InfoVista, Plixer, ActionPacked, CompuWare, CA Technologies, Living Objects, Glue

App Performance Impacts Business Productivity
[Charts: Revenue loss (source: Walmart): conversion rate falls as page load time rises from 0-1 to >15 seconds. Customer satisfaction (source: Akamai): abandonment rate rises with page load time from 0 to 14 seconds; slower pages give a low conversion rate. Employee productivity (source: Aberdeen Group): decreased effectiveness of IT staff 31%, damage to brand reputation 32%, decreased responsiveness to needs 47%, lost revenue opportunity 50%, decreased employee satisfaction 58%]

Cisco WAAS: Enhancing User Experience and WAN Efficiency
Problem
• Application latency
• WAN bandwidth inefficiencies
Solution
• Reduce load: data redundancy elimination (DRE), compression, and TCP optimisation
• Application optimisation: fewer protocol messages and metadata caching
[Chart: application bandwidth (Mbps, 0 to 160) and application latency (seconds, 0 to 4), natively vs. with Cisco WAAS, showing the reduction in bandwidth and the reduction in latency]

Optimise and Enhance Thousands of Applications
AX Includes Cisco WAAS WAN Optimisation
[Charts: time in seconds over native WAN vs. first pass optimised with WAAS vs. second pass optimised with WAAS]
• Email (5 MB attachment), send and receive: 24x faster
• File Services (5 MB file, drag and drop) and SharePoint (5 MB document download): 17x and 30x faster
• VDI (Citrix): XenDesktop launch and site navigation over native Citrix ICA/SSL vs. with WAAS: 3-8x faster

Cisco AppNav Virtualisation Technology
Virtualise WAN optimisation resources into pools of elastic resources with business driven bindings. Greatly simplify deployment and management of WAAS.
[Diagram: Client, WAN, WAAS pool1/pool2/pool3, Data Centre]
Abstraction
• Mix form factors
• Decouple from topology
Partitioning
• Traffic classification
• Logical groupings
• App, branch, server based
Elasticity
• Dynamic resource creation
• Load-based response
• Cloud elasticity

Extending Akamai to the Branch with Edge Caching
Completing the last mile with Akamai in the branch
[Diagram: Branch ISR-AX with “Akamai Inside” cache, WAN/MPLS, Data Centre Akamai cache, Akamai Intelligent Platform]
Optimal experience regardless of device, connectivity or cloud: all HTTP traffic in private, public and Akamai cloud
Prepositioning | Dynamic HTTP caching (YouTube) | Any transport. Available now!

Cisco WAAS Advanced Capabilities
Edge Caching Enhances the User Experience
AKAMAI CONNECT: world’s best optimisation solution for HTTP traffic
Akamai caching and acceleration
• Transparent HTTP caching
• Dynamic URL OTT HTTP caching
• Akamai Connected Cache
• Content pre-positioning
Cisco WAAS
• LZ compression
• Data de-duplication
• TCP optimisation
• Application specific acceleration
Now supports Akamai Cloud | Single-sided optimisation | Secure Direct Internet Access

Securing IWAN

Securing the IWAN: IPsec VPN and Firewall
Step 1: Secure Transport
• IPsec with DMVPN overlay: secure, transport independent overlay
• Add strong cryptography: IKEv2 + Elliptic Curve Crypto (Suite-B)
Step 2: Threat Defence
• Front-door VRF design
• IOS Zone-Based Firewall
• Minimise exposure: DHCP addressing for Internet and tunnel interfaces; don’t put tunnel addresses into DNS
Step 3: Choose your performance level
• Size router based on encryption with services and WAN bandwidth
• Head-end: ASR1000 or ISR4400
• Branch: ISR-G2 or ISR4k
[Diagram: Data Centre ASR 1000 pair to ISR-G2 Branch over ISP A (DSL) and ISP C (Cable)]

Securing IWAN Transports with Front-Door VRF
Isolation of External Networks
• VRFs have independent routing and forwarding planes
• Virtual Route Forwarding (VRFs) create multiple logical routers on a single device
• Separate control/data planes per VRF
• No connectivity between VRFs by default
• Provider side VRF (yellow) for external networks, Global VRF (blue) for internal networks
Provider VRF minimises threat exposure
• Default routing only in Provider VRF
• Provider assigned IP addressing hides internal network
• Provider IP address used as IPsec tunnel source
• Only IPsec allowed between internal Global and Provider Front Side VRFs
[Diagram: Global Enterprise VRF holding the IPsec tunnel interface and the Branch LAN prefixes (10.x.x.x/24 ...); Front Side Provider VRF (F-VRF) holding the provider assigned WAN IP address (192.168.x.x)]

Protecting the Public Facing IWAN Interfaces
• Use ACLs, ZBFW or ASA to block all traffic except the DMVPN tunnel traffic to routers
• Zone Based Firewall (ZBFW) at the branch if there are plans for direct Internet access
• Typical ACL for protecting the Internet interface:

interface GigabitEthernet0/0
 ip vrf forwarding INET-PUBLIC1
 ip access-group ACL-INET-PUBLIC in
!
ip access-list extended ACL-INET-PUBLIC
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 permit udp any any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 permit udp any any gt 1023 ttl eq 1

[Diagram: Data Centre ASR 1000 pair to Branch over ISP A (DSL) and ISP C (Cable)]
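To see what the ACL above actually admits, here is an added evaluator (not Cisco code) for the subset of IOS extended-ACL syntax the entry uses: protocol keyword, `any any`, `eq`/`gt` destination port with IOS port names, ICMP type keywords and `ttl eq N`, with the implicit deny every IOS ACL ends with. The port-name to number mapping uses the well-known values (isakmp 500, non500-isakmp 4500, bootpc 68); the packets it is run against are constructed.

```python
"""Evaluate ACL-INET-PUBLIC from the slide against sample packets (added illustration)."""
from dataclasses import dataclass
from typing import List, Optional

# IOS port-name keywords used by the ACL, resolved to their well-known numbers.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "bootpc": 68}

# The access list exactly as shown on the slide (one entry per line).
ACL_INET_PUBLIC = """
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit udp any any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit udp any any gt 1023 ttl eq 1
"""


@dataclass(frozen=True)
class Packet:
    proto: str                        # "udp", "tcp", "esp" or "icmp"
    dport: Optional[int] = None       # destination port for udp/tcp
    icmp_type: Optional[str] = None   # ICMP type keyword as IOS names it
    ttl: int = 64


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    port_op: Optional[str] = None     # "eq" or "gt"
    port: Optional[int] = None
    icmp_type: Optional[str] = None
    ttl: Optional[int] = None         # only "ttl eq N" appears on the slide

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.port_op == "eq" and pkt.dport != self.port:
            return False
        if self.port_op == "gt" and (pkt.dport is None or pkt.dport <= self.port):
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        if self.ttl is not None and pkt.ttl != self.ttl:
            return False
        return True


def parse_acl(text: str) -> List[Ace]:
    """Parse 'permit|deny <proto> any any [qualifiers]' lines into Ace objects."""
    aces: List[Ace] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        action, proto, rest = tok[0], tok[1], tok[4:]   # skip the two 'any' address fields
        port_op = port = icmp_type = ttl = None
        i = 0
        while i < len(rest):
            if rest[i] in ("eq", "gt"):
                port_op = rest[i]
                port = PORT_NAMES.get(rest[i + 1]) or int(rest[i + 1])
                i += 2
            elif rest[i] == "ttl":                      # 'ttl eq N'
                ttl = int(rest[i + 2])
                i += 3
            elif proto == "icmp":                        # bare ICMP type keyword
                icmp_type = rest[i]
                i += 1
            else:
                i += 1
        aces.append(Ace(action, proto, port_op, port, icmp_type, ttl))
    return aces


def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in aces:
        if ace.matches(pkt):
            return ace.action
    return "deny"


if __name__ == "__main__":
    acl = parse_acl(ACL_INET_PUBLIC)
    samples = {                                          # constructed packets
        "IKE (udp/500)": Packet("udp", 500),
        "IKE NAT-T (udp/4500)": Packet("udp", 4500),
        "ESP": Packet("esp"),
        "DHCP client (udp/68)": Packet("udp", 68),
        "management attempt (tcp/22)": Packet("tcp", 22),
        "traceroute probe (udp/33434, ttl 1)": Packet("udp", 33434, ttl=1),
        "udp/33434 with normal ttl": Packet("udp", 33434),
        "icmp redirect": Packet("icmp", icmp_type="redirect"),
    }
    for label, pkt in samples.items():
        print(f"{label:38s} -> {evaluate(acl, pkt)}")
```

The run makes the design intent concrete: only IKE, NAT-T, ESP, the DHCP client reply and four ICMP types reach the router from the provider side, anything TCP is dropped by the implicit deny, and the last entry exists solely so that inbound UDP traceroute probes (high port, TTL 1) can elicit the ICMP replies that make the hop visible; if that diagnostic is not wanted, it is the one entry to remove.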

TrustSec SGT over DMVPN
SGT tag carried over the WAN
[Diagram: an HR user at the Branch (“I am an HR person”) authenticates; the HQ ASR 1000 allows access to the HR server only, not to Finance; IPv4 clients; authentication mechanisms: 802.1X, MAB, Web Auth]
Problem Statement
• BYOD support for non-IT standard devices
• Enforcing consistent security policy
Solution Overview
• Secure Group Tagging (SGT) for context-aware firewall enforcement
• Secure Group Tag transport over DMVPN, FlexVPN, GETVPN
• Secure identity-based access, keep outsiders out
• Control access and service levels based on identity
• Authorised access for users and devices
Solution Characteristics: Scalability
• 100 Gbps FW (ASR1K with ESP100)
• Support up to 6M sessions at 350K CPS (ASR1K with ESP100)

Branch Internet Access

Intelligent WAN: Direct Cloud Access
[Diagram: Branch ISR-AX with ZBFW and CWS; MPLS (IP-VPN) to Private Cloud and Virtual Private Cloud; Direct Internet Access to Public Cloud]
• Leverage local Internet path for public cloud and Internet access
• Improve application performance (right flows to right places)
Solutions
• On premise: Zone Based Firewall
• Cloud based: Cloud Web Security

Secure Internet Access with Cisco Cloud Web Security (CWS)
• IOS Firewall to protect the Internet edge
• IWAN IPsec VPN for private cloud traffic (WAN1, IP-VPN)
• Secure public cloud and Internet access (WAN2, Internet)
• ISR connector to CWS towers: web filtering, access policy, malware detection
[Diagram: Branch with WAN1 (IP-VPN) to Private Cloud and WAN2 (Internet) through the firewall and CWS to Public Cloud]

Cisco Cloud Web Security (CWS)
Centralised Policy and Granular Reporting
Administrator
• Flexible reporting with over 75 attributes
• Deep, drill down visibility
• Overview, trending and forensic data
User Granularity (office based user, roaming user, mobile devices)
• Integration with existing network infrastructure (e.g. routers, firewalls)
• Integration with directory services
• Numerous deployment options
Policy Control
• Web 2.0 content control
• Outbreak intelligence
• Bi-directional content control
Internet Security
• Billions of web requests every day
• Dynamic web classification
• Real-time content analysis of all web content
• HTTP/HTTPS scanning
• SearchAhead
• Effective zero-day threat protection
CWS offers consistent, enforceable, high-performance web security and policy, regardless of where or how users access the Internet

Simplified Branch Deployments

Remote Site Deployment Challenges
• Limited remote site IT staffing
• Travel costs
• Travel time, lost productivity
• Upgrade and change control downtime risks
• Lengthy project schedules

Cisco IWAN Management Portfolio
Covering a broad range of preferences and requirements
Options: Cisco Prime Infrastructure (enterprise network management and monitoring); IWAN App (prescriptive policy automation); Ecosystem Partners (application aware performance management; advanced orchestration)
Customer profiles
• Customer needs customisable IWAN with end-to-end monitoring
• Customer wants considerable automation and operational simplicity
• Customer looking for advanced monitoring and visualisation
• Customer wants advanced provisioning, life cycle management, and customised policies
Capabilities
• Real-time analytics and network troubleshooting
• System-wide network consistency assurance
• One assurance across the Cisco portfolio from branch to data centre
• Requirements consistent with the prescriptive IWAN Validated Design
• QoS/PfR/AVC configuration
Target teams: IT Network team; Lean IT organisation; IT Network team; Lean IT or IT Network team

IWAN Management Solution Positioning
[Diagram: foundation layer of ASR 1000 infrastructure; Prime for visualisation and health (customisable); IWAN App for prescriptive provisioning and life cycle management; on-prem and cloud options; advanced tier]

IWAN Orchestration and Automation Evolution
• Traditional management systems: capacity planning, troubleshooting, change control (Prime; partners in future)
• Cisco IWAN Apps: IWAN Transport, ZTD Provisioning and Trust Automation apps; Cisco Prime; Security Policy, Path Control Policy and Application Policy
• REST APIs
• APIC-EM Services (partial): PKI Svc, NetFlow Svc, Network Svc, Events Svc, Inventory Svc, ZTD Svc
• Device Abstraction Layer: OnePK/OpenFlow, CLI

IWAN Application Home Dashboard

Datacentre design options

Application priority policy settings
• Path preference
• Drag & drop business buckets

Map view with geo location

Site summary from map view

LiveAction Software
• An application-aware network performance management and QoS control tool
• Fast, simple, cost effective way to monitor and control application performance leveraging Cisco capabilities
LiveAction components: Flow, QoS Monitor, QoS Configure, LAN, Routing, IP SLA

Glue Networks NGWAN/IWAN Orchestration
• Cloud-based SaaS subscription model
• Eliminates manual building of WANs
• Automated WAN orchestration and management
• Quick configuration updates and IOS upgrades
• Rapidly delivers next-gen and IWAN features
• Forward compatible with SDN and OnePK for app aware WANs
• Broadband and MPLS support for centralised hybrid WAN management for IWAN

Hardware for IWAN

Start with Cisco AX Routers
IWAN Capabilities Embedded in the Router
[Diagram: One Network, unified services: L4-L7 application control services (visibility, optimisation, simplify application delivery); L2-L3 transport (transport independent, secure routing)]
Cisco AX Routers: ISR-AX 3900 | 2900 | 1900 | 800 | ISR4000-AX | ASR1000-AX

IWAN Branch Services Routers: ISR4000 Series
IWAN AX Ready, Next Generation Branch
APPLIANCE LEVEL PERFORMANCE
• Service-aware dataplane
• Resilient service virtualisation
• Multi-gigabit fabric
• ISR4451 1-2 Gbps; ISR4431 500 Mbps/1 Gbps; ISR4351 200/400 Mbps; ISR4331 100/300 Mbps; ISR4321 50/100 Mbps
APPLICATION CENTRIC
• App/user policy-driven deployment
• APIC-EM automation: deploy in minutes
• Pay-as-you-grow
• Up to 75% cost savings
INTEGRATED IWAN SERVICES
• IOS Firewall, VPN, IPsec, NBAR2, AVC, AppNav, PfRv3, VRF, MPLS
• Scalable on-chip service provisioning

IWAN Aggregation Border Routers: ASR1000
IWAN AX Ready, High Performance Routers
COMPACT, POWERFUL ROUTER
• ASR1001-X: 2.5G upgradeable to 5G, 10G, 20G; up to 8G crypto throughput
• ASR1002-X: 5G upgradeable to 10G, 20G, 36G; up to 4G crypto throughput
• ASR1006: modular, redundant up to 200G; up to 60G crypto throughput
• Line-rate performance 2.5G to 200G+ with services enabled
• Crypto performance from 2G to 60G+
• Flexible I/O: SPAs and Ethernet LCs
BUSINESS-CRITICAL RESILIENCY
• Separate control and data planes
• Hardware and software redundancy
• In-service software upgrades
INTEGRATED IWAN SERVICES
• IOS Firewall, VPN, IPsec, NBAR2, AVC, AppNav, PfRv3, VRF, MPLS
• Scalable on-chip service provisioning

Cisco UCS-E Series
Extend Cloud Services into Branch Infrastructure
Platform for WAN edge applications
• Microsoft Windows Server and Linux; certified hypervisor (Cisco UCS virtualisation powered by VMware, Microsoft, Citrix)
• Multipurpose x86 blades: Cisco UCS E Series modules house up to four server blades in an ISR
• Single-device network integration: house all services in the ISR chassis; multigigabit fabric (MGF) backplane switch
• Dedicated blade management: Cisco Integrated Management Controller (CIMC); consistent management for the UCS family
• Server virtualisation support on ISR series routers
[Diagram: UCS-E blades running a hypervisor with multiple apps and OSes, CIMC, IOS and the MGF backplane switch]

Why?

Intelligent WAN Summary
Transport Independent Design
• Highly available hybrid WAN
Intelligent Path Control
• Performance Routing (PfR) to protect applications and load balance traffic to maximise expensive WAN bandwidth
Application Optimisation
• Application Visibility and Control (AVC) to monitor performance
• WAAS + Akamai to reduce bandwidth consumption while improving application experience
Secure Connectivity
• Secure the network from outside threats
• Cloud Web Security (CWS) for improved cloud performance while freeing up WAN bandwidth, without compromising security
IWAN Management
• Cisco and ecosystem partner tools: APIC-EM IWAN-APP, Prime, LiveAction, GlueWare, and more
[Diagram: DC-East and DC-West (DCI, WAN Core, MC, BRs on ASR-AX, WAAS, AVC) connected over MPLS (ATBT MPLS island), Internet and ADSL to Branch-1 through Branch-513 (ISR-AX, vWAAS, AVC, CWS); link speeds 512M FD, 256M FD, 1.5M FD, 20M down/2M up]

Why Cisco IWAN?
Uncompromised experience over any connection
• Mixed transports with high reliability SLAs for business critical applications
• Centralised security policy for Internet access
• Lower WAN costs without compromise

Q&A

Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco 2016 T-Shirt by completing the Overall Event Survey and 5 Session Evaluations.
• Directly from your mobile device on the Cisco Live Mobile App
• By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/ciscolivemelbourne2016/
• Visit any Cisco Live Internet Station located throughout the venue
T-Shirts can be collected Friday 11 March at Registration
Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations. www.CiscoLiveAPAC.com

Thank you
