IWAN - Cisco - Global Home · PDF fileSamsung Chromebook Running Chrome OS Document...

IWAN –Intelligent WAN, Next Generation Branch Architecture

Lars Thoren – Technical Marketing Engineer, ENG

© 2013 Cisco and/or its affiliates. All rights reserved. 3

Mobile Device Network Traffic

Sources: * http://www.nielsen.com/us/en/newswire/2012/state-of-the-appnation-%C3%A2%C2%80%C2%93-a-year-of-change-and-growth-in-u-s-

smartphones.html

** https://www.abiresearch.com/press/average-size-of-mobile-games-for-ios-increased-by-

*** http://www.wirelessandmobilenews.com/2013/05/samsung-galaxy-s3-iii-update-android-4.2.1-jelly-bean.html

http://theiphonewiki.com/wiki/Firmware#iPad_4

http://answers.microsoft.com/en-us/windows/forum/windows_other-windows_update/what-is-average-monthly-size-of-update-

downloads/dfe9bb34-c2dd-478e-a6cb-0a26228cf552

Average Number of Apps per Device*

Average App Size** OS Update File

Size***

iOS

Android

Windows

iOS 7 for

iPhone 5

Jelly Beans

4.1

Windows 7


Third-Party Lab Test Chromebook vs. Windows 8 Laptop

Chromebook Creates an Average of 152 Times More Traffic

Chromebook creates as high as 692.2 times more network traffic

On average, Chromebook creates152 times more network traffic

http://principledtechnologies.com/Microsoft/Chromebook_PC_network_traffic_0613.pdf

0 2 4 6 8 10

Asus VivoBook S200E Notebook RunningMicrosoft Windows 8Samsung Chromebook Running Chrome OS

Document

Manipulation

Photo

Manipulation

Video

Manipulation

Music

Manipulation

Web

Browsing

Note

Taking

Test

Taking

0.14

0.27

2.73

0.21

6.06

5.00 8.65

18.30

77.39

145.56

211.29

57.84

10.80

41.33


Emerging Branch Demands The Application Landscape is Changing

Applications Are Moving to the Data Center and Cloud

Internet Edge Is Moving to the Branch

Branch

Cloud

Data Centers

Cloud

of CIOs Expect

to Operate via

the

Cloud by 2015

Mobility

More Mobile

Data Traffic by

2015

Fat Apps

of Mobile

Traffic

Will Be Video

Pressures on the WAN


Internet Becoming an Extension of Enterprise WAN

Commodity Transports Viable Now

Dramatic Bandwidth, Price Performance Benefits

Higher Network Availability

Improved Performance Over Internet


Why Move to Internet as WAN?

Low-Cost Alternative

of Organizations

Are Planning to

Transition to

Internet

Connections 1Internet Transit Pricing based on surveys and informal data collection

primarily from Internet Operations Forums—‘street pricing’ estimates 2Packet delivery based on 15 years of ping data from PingER for WORLD

(global server sample) from EDU.STANFORD.SLAC in California

Source: William Norton (DrPeering.net); Stanford ping end-to-end reporting

(PingER)

Internet Pricing vs. Reliability, 1998-2012


And the Internet Transition Pays Off Fast

1.5 Mbps

10 Mbps

$220

$140

$830

$260

$885

$274

$1,014

$303

EXAMPLE: San Francisco Single MPLS VPN vs. Dual Business Internet ($ per Month)

Dual Internet Links

Combined for Ent SLA

$665 Savings/Month x

12 Months X 1,000 Sites

= $8M Savings per Year

-75%

iWAN MPLS VPN

CoS3 MPLS VPN

CoS2

MPLS VPN

CoS1

Source: Telegeography MPLS VPN pricing for San Francisco as of March 2013; Comcast Web site; Verizon website


Intelligent WAN: Leveraging the Internet Secure WAN Transport and Internet Access

Hybrid WAN

Transport

IPsec Secure

Branch

MPLS (IP-VPN)

Internet

Direct

Internet

Access

Private Cloud

Virtual Private Cloud

Public Cloud

• Secure WAN transport for private

and virtual private cloud access

• Leverage local Internet path for

public cloud and Internet access

• Increased WAN transport

capacity;

and cost effectively!

• Improve application performance

(right flows to right places)


Branch

MPLS (IP-VPN)

Internet

Private Cloud


Public Cloud

Intelligent WAN: Leveraging the Internet So What is New Here?

• Secure WAN transport for private

and virtual private cloud access

• Leverage local Internet path for

public cloud and Internet access

• Increased WAN transport

capacity;

and cost effectively!

• Improve application performance

(right flows to right places)

Hybrid WAN

Transport

IPsec Secure

Direct

Internet

Access

Internet as WAN with High Reliability

SLAs for Business-Critical Applications

Centralized Security Policy for Internet Access

Dramatically Lower WAN Costs Without Compromise


Intelligent WAN Solution Components

Internet

Branch

3G/4G-LTE

AVC

MPLS

Private Cloud


Public Cloud WAAS PfR

Application Optimization

• Application monitoring

with Application Visibility

and Control (AVC)

• Application Acceleration

and bandwidth savings

with WAAS

Secure Connectivity

• Certified strong

encryption

• Comprehensive threat

defense with ASA and

IOS firewall/IPS

• Cloud Web Security

(CWS)

for scalable secure direct

Internet access

Intelligent Path Control

• Application best path based

on delay, loss, jitter, path

preference

• Load balancing for full

utilization

of all bandwidth

• Improved network

availability

• Performance Routing (PfR)

Transport Independent

• Consistent operational model

• Simple provider migrations

• Scalable and modular design

• DMVPN IPsec overlay design


Intelligent WAN Deployment Models

Dual MPLS Hybrid Dual Internet

Internet

Highest SLA guarantees

– Tightly coupled to SP

ẋ Expensive

Public

MPL

S

Consistent VPN Overlay Enables Security Across Transition

More BW for key

applications

Balanced SLA

guarantees

– Moderately priced

Best price/performance

Most SP flexibility

– Enterprise responsible

for SLAs

Inter

net

Public Enterprise

Branch Branch Branch

MPL

S

MPLS

+

Intern

et


Transport-Independent Design Simplifying Internet-Based WANs


Simplifies WAN Design Dynamic Full-Meshed

Connectivity Proven Robust Security

Flexible Secure WAN Design Over Any Transport Dynamic Multipoint VPN (DMVPN)

Secure Flexible

• Easy multi-homing over any carrier service offering

• Single routing control plane with minimal peering to the provider

• Consistent design over all transports

• Automatic site-to-site IPsec tunnels

• Zero-touch hub configuration for new spokes

• Certified crypto and firewall for compliance

• Scalable design with high- performance cryptography in hardware

ISR-G2

WAN

Internet

MPLS ASR 1000

ASR 1000

Transport-Independent

Data Center Branch


Relies on Two Proven Technologies

Major Features

What is Dynamic Multipoint VPN?

DMVPN Is a Cisco IOS Software Solution for Building IPsec + GRE VPNs in an Easy, Dynamic, and Scalable Manner

• Next-Hop Resolution Protocol

(NHRP)

Creates a distributed mapping database of

VPN (tunnel interface) to real (public

interface) addresses

• Multipoint GRE tunnel

interface

Single GRE interface to support multiple

GRE/IPsec tunnels and endpoints

Simplifies size and complexity of

configuration

Supports dynamic tunnel creation

• Configuration reduction and no-

touch deployment supports: Passenger protocols (IP(v4/v6) unicast,

multicast, and dynamic routing protocols)

Transport protocols (NBMA) (IPv4 and IPv6)

Remote peers with dynamically

assigned transport addresses

Spoke routers behind dynamic NAT;

hub routers behind static NAT

Dynamic spoke-spoke tunnels for partial/full

mesh scaling

Works with MPLS; GRE tunnels and/or data

packets

in VRFs and MPLS switching over the tunnels

Wide variety of network designs and options


Hybrid WAN Designs Traditional and IWAN

Internet MPLS

Branch

DMVPN GETVPN

Internet MPLS

Branch

DMVPN DMVPN

Two IPsec Technologies GETVPN/MPLS

DMVPN/Internet

Two WAN Routing

Domains MPLS: eBGP or Static

Internet: iBGP, EIGRP or OSPF

Route Redistribution

Route Filtering Loop Prevention

Active/Standby

WAN Paths Primary With Backup

One IPsec Overlay DMVPN

One WAN

Routing Domain iBGP, EIGRP, or OSPF

Active/Active

WAN Paths

ISR-G2

ASR 1000 ASR 1000

ISP A SP V

ISR-G2

ISP A SP V

ASR 1000 ASR 1000

TRADITIONAL HYBRID

Data Center

IWAN HYBRID

Data Center


Traditional WAN to IWAN Transition Migration Steps

ADDING DMVPN

TO MPLS WAN

REPLACING A

WAN SERVICE

WITH AN

INTERNET

SERVICE

OTHER

INTERESTING

IWAN

TOPOLOGIES

* Typical MPLS and Business Grade Broadband Availability SLAs and Downtime per Year.

ISR G2

MPLS MPLS

ISR G2

MPLS MPLS

ISR G2

MPLS MPLS

ISR G2

MPLS MPLS

Internet

Internet

ISR G2

MPLS

3G/4G-LTE

Internet Internet

ISR G2

3G/4G-LTE

Internet Internet

ISR G2

3

Internet

ISR G2

MPLS

ISR G2

MPLS MPLS

Internet

4 5

0 1 2


Building Highly Available WANs With Cisco IWAN Redundancy and Path Diversity Matter

ISR G2

MPLS

ISR G2

MPLS MPLS Internet

ISR G2

MPLS

SINGLE

ROUTER,

SINGLE

PATH

SINGLE

ROUTER,

DUAL

PATHS

DUAL

ROUTERS,

DUAL

PATHS

Internet Internet

ISR G2

ISR G2

Internet

ISR G2

MPLS Internet

ISR G2 ISR G2

Internet Internet

ISR G2

99.95%* 99.90%*

99.995% 99.995% 99.995%

99.999% 99.999%

Downtime

per Year

4–9 Hours

Downtime

per Year

8 Hours

46 Minutes

5 Minutes

26 Minutes

IWAN Solution

ISR G2

MPLS MPLS

ISR G2

99.999%

* Typical MPLS and Business Grade Broadband Availability SLAs and Downtime per Year, calculated with Cisco AS DAAP tool.


Intelligent Path Control Improving Application Delivery and WAN Efficiency


Getting the Most Out of Your WAN Investment Benefits of Intelligent Path Control

Data Center Branch

ASR 1000

ASR 1000

WAAS PfR

AVC

ISR G2

WAN

Internet

Enabling

Internet-Based

WANs

Efficient Distribution of

Traffic Based Upon

Load, Circuit Cost,

and Path Preference

Per Application Best

Path Based on

Delay, Loss,

Jitter Measurements

Protection From

Carrier Black Holes

and Brownouts

Lower

WAN Costs

Full Utilization

of All WAN Bandwidth

Improved

Application Performance


Intelligent Path Control with PfR Voice and Video Use-Case

Branch

MPLS

Internet Virtual Private

Cloud

Private Cloud

• PfR monitors network performance and routes applications

based on application performance policies

• PfR load balances traffic based upon link utilization levels

to efficiently utilize all available WAN bandwidth

Other traffic is load

balanced to

maximize

bandwidth Voice/Video will be

rerouted if the current path

degrades below policy

thresholds

Voice/Video take the

best delay, jitter,

and/or loss path


What is Performance Routing (PfR)? Tooling for Intelligent Path Control

DSL Cable

Branch MC+BR

BR BR

Data Center

MC

“Performance Routing (PfR) provides additional intelligence to classic routing technologies to track the performance of, or verify the quality of, a path between two devices over a Wide Area Networking (WAN) infrastructure to determine the best egress or ingress path for application traffic....”

• Cisco IOS technology

• Two components: Master controller and

border router


PfR Enhances Classical Routing

PATH CONTROL

METRICS

ADAPTIVE

• Topological state

• Least cost path

• Static user preference

• Path cost

• Interface state

• Application-aware

• Policy controlled

• Measured

performance

• Delay

• Jitter

• Bandwidth

Responds To:

• Measured performance

changes (degradation)

Responds To:

• Link and node state

changes (up/down)

+

Classical PfR


SP1 (MPLS) ISP (Internet)

• Protect voice and

video quality

Latency less than 150

ms;

Jitter less than 20 ms

• Protect VDI

applications

from brownouts

Loss less than 5%

• Voice and video

preferred

path SP-A

• VDI preferred path

SP-B

• Increase utilization

by load sharing

Multimedia and Critical Data Policy

Cloud Services

Hybrid

IWAN

Best-Effort Traffic

Detect Loss Greater Than

10%

ISP-1 (Cable) ISP-2 (DSL)

Voice and Video

Dual Internet

IWAN Detect

High Jitter

VDI

Best-Effort Traffic

What PfR Does Protecting Critical Applications While Increasing Bandwidth Utilization

• Protect business

cloud applications

from brownouts

Loss less than 5%

• Preferred path for

critical

applications: SP1

(MPLS)

• Increase WAN

bandwidth efficiency

by load-sharing

traffic over all WAN

paths, MPLS +

Internet

Cloud Services and Load-Balancing Policy


Performance Routing—Components

The Decision Maker: Master Controller (MC)

• Discover BRs, collect statistics

• Apply policy, verification, reporting

• No packet forwarding/inspection required

The Forwarding Path: Border Router (BR)

• Gain network visibility in forwarding path (Learn, measure)

• Enforce MC’s decision (path enforcement)

• Does all packet forwarding

Optimize By:

• Reachability, Delay, Loss, Jitter, MOS,

• Throughput, Load, and/or $Cost

DSL Cable

Branch MC+BR

BR BR

Data Center

MC


PfR Evolution—Focusing on Simplification and Scale

PfR/OER

• Internet Edge

• Basic WAN

• Provisioning per site

per policy

• 1000s of lines of config

PfRv2

• Policy simplification

• App Path Selection

• Blackout ~6s

• Brownout ~9s

• Scale 500 sites

• 10s of lines of config

PfRv3

• Centralized

provisioning

• AVC Infrastructure

• VRF Awareness

• Blackout ~ 2s

• Brownout ~ 2s

• Scale 2000 sites

• Hub config only

Summer 2014

Today


Optimize Application

Performance


Static port classification is no longer enough

More and more apps are opaque

Increasing use of encryption and obfuscation

Application consists of multiple sessions (video, voice, data)

What if user experience is not meeting business needs?

FTP IM

RP

C

SOA

P

Vide

o

HTTP is the new TCP

Information Collaboration SaaS


Branch

Proliferation

of Devices

Users/ Machines

Private Cloud

Make Your IWAN Application Aware Add Cisco AVC

DC/Headqua

rters

Public Cloud

Cisco AVC FNF/NBAR2/QoS/Pfr

60% of IT Professionals Cite Performance as Key Challenge for Cloud

No Probes

• Rich data collection using NetFlow v9/IPFIX

• No additional hardware (and included in AX license)

• Easy to integrate into many reporting tools

Smart Capacity Planning

• Better use of costly bandwidth

• Per-branch and per-application level reporting

Business Aligned Privacy Enforcement

• No need for complex IP and port ACLs

• See inside HTTP flows to identify specific Cloud applications


Private Cloud

Add WAN Optimization Speed and Bandwidth Benefits on Top of the IWAN

Branch DC/Headqua

rters

Faster Applications, More Users, Less

Bandwidth

• 90% HD Video optimization and better user experience

• Twice as many Citrix users over same WAN, 70% faster

• Toyota: ROI in less than one year, 65% BW cost savings

Easy to Deploy

• Works with existing branch routers (and existing AX license

Scalable

• AppNav Controller and WAVE pool is scalable

• Native HA capability

vWAAS WAAS Express

Proliferation

of Devices

Users/ Machines

AppNav-XE Controller

CSR

WAVE

WAN

Accelerate Any TCP

Connection


Branch Internet Access


Intelligent WAN—Direct Internet Access

Branch

MPLS (IP-VPN)

Internet

Direct

Internet

Access

Private Cloud


Public Cloud

• Leverage Local Internet path for Public Cloud and Internet access

• Improve application performance (right flows to right places)


Secure Internet Access with Cisco Cloud Web Security (CWS)

Secure Public

Cloud and

Internet Access

ISR Connector to

CWS Firewall

towers

Web Filtering,

Access Policy,

Malware Detect

WAN1 (IP-VPN)

CWS

Private Cloud

Public Cloud

Branch

WAN2 (Internet)

IWAN IPsec

VPN for

Private Cloud

Traffic IOS Firewall to

protect Internet

Edge

Internet


IWAN Management


1. Cisco Prime Infrastructure

– Provides Enterprise and Integrator life-cycle network management applications

2. Glue Networks

– Delivers Cloud based simplified deployment portal

3. Live Action

1. - On Premise IWAN Management solution

4. SDN ready with OnePK

– Comprehensive programmability kit to enable SDN provisioning applications

5. APIC-EM, IWAN app

– Enterprise SDN Controller with IWAN app (Future)


Where to go next?


ASR1000-AX

L2-L3 Transpor

t

L4-L7 Applicati

on Services

IWAN Capabilities Embedded in the Router

Control

Optimization

Visibility

Transport Independent

Secure Routing

ISR-AX

Simplify Application

Delivery

One Network UNIFIED SERVICES

Cisco AX Routers 3900 | 2900 | 1900 | 800 | 4451 | ASR1002-X

Redefining Branch Routing with ISR 4451-X Unprecedented Performance and Service Scalability with IT Simplicity

Cisco ISR 4451-X The Ultimate ISR with Application Experience

• 1-2 Gbps Performance

• Separate Services Planes for Continuity

• Pay-As-You-Grow Model

• No Disruptions or Truck Rolls

• Ease of L2-L7 Service Deployment

• Native, Full-featured WAN Optimization

• Security with Application Visibility

• Application Service Assurance

Appliance-level

Services

Performance

Simplified Service

Integration

3

8

Just in, hot of the press!!!!!!! Best of Interop 2014, Networking

3

9

Network Computing article

http://www.networkcomputing.com/data-networking-management/best-of-interop-2014-winners-unveiled/240166898?pgno=2 Link to video with solution overview http://youtu.be/JvaXi5hSbpI

Cisco is … transforming a

product line that began as a

way to connect remote sites

to corporate networks and

the Internet into a small-

scale data center in a

box...a very small, 2U box.

Kurt Marko, Judge Interop

http://www.networkcomputing.com/data-networking-management/best-of-interop-2014-winners-unveiled/240166898?pgno=2
















http://youtu.be/JvaXi5hSbpI


Why Cisco IWAN?


Proven

Security at

Scale

• Any to Any Security

• Protect All Branch Resources

• Secure Direct Internet Access

Unmatched

Context-

based

Routing

• App-Aware

• Endpoint-Aware

• Network-Aware

Quick ROI

Faster than

Alternatives

• Savings enables Business Innovation

Many pay off in

Granular

Control

Everywhere

• Branch ISR-AX

• DC ASR1K-AX

• Cloud CSR1000V

Integrated

Platform

for IT

Simplicity

Up to

in Savings

The Alternative:

Overlay

Appliances

App Visibility

andControl

IP Sec VPN

WAN Opt.

Firewall

WAN Path Selection

Router

IWAN - Cisco - Global Home · PDF fileSamsung Chromebook Running Chrome OS Document...

Documents

Transcript of IWAN - Cisco - Global Home · PDF fileSamsung Chromebook Running Chrome OS Document...