
BRKARC-2091

Next Generation Enterprise WAN: Branch & Head-End

Scott Van de Houten (svandeho@cisco.com), Borderless Networks Technical Strategy

2013 Cisco and/or its affiliates. All rights reserved. Cisco Public

Housekeeping

- Please switch your mobile phones to stun (silent).
- We value your feedback: don't forget to complete your online session evaluations after each session, and complete the Overall Conference Evaluation, which will be available online from Thursday.
- Visit the World of Solutions.
- Please remember this is a non-smoking venue. Please make use of the recycling bins provided.
- Please remember to wear your badge to the Party.

Everything is moving to the CLOUD!

- Server, application and desktop virtualization are transforming data centers into Private Clouds.
- Hosting providers offer virtual infrastructures instead of physical space and equipment (Hybrid Clouds).
- The Internet and Web have revolutionized how Application Service Providers deliver applications.
- Mobile devices enable users to access applications from anywhere, at any time ("Work Your Way").

Private Cloud? Hybrid Cloud? Public Cloud? It's in the "Which Cloud?" Cloud!

Questions this raises for the network:
- How do you design a network if you don't know where the applications reside?
- What if the applications move to a different DC, or to a Hybrid Cloud offering?
- How do you isolate user performance issues for Cloud applications?
- How will all of this impact security policies and procedures?

Agenda

- The Borderless Network
- Next Generation Enterprise WAN
- Private Cloud Services
- Hybrid Cloud Services
- Public Cloud Services
- Platform Overview
- Wrap Up / Summary

Enterprise Megatrends

- Immersive Collaboration: pervasive video
- Mobility: BYOD
- Cloud: private, public, hybrid
- Cross-cutting concerns: security, IT effectiveness, cost control

Network Implications: Shifting Borders

- Location border: the mobile worker
- Device border: IT consumerization
- Application border: video/cloud; internal applications alongside external-facing applications (IaaS, SaaS)

Borderless Networks Architecture

Key IT initiatives: BYOD, Desktop Virtualization, Pervasive Video, Remote Expert, Cloud Computing, IT/OT Convergence, Risk Management & Compliance

Key system pillars addressing these initiatives:
- Unified Access (wireless, Prime management)
- Cloud Intelligent Networks
- SecureX
- Connected Industries
- Systems Excellence

Network and end-point services:
- Medianet: multimedia optimization
- EnergyWise: energy management
- TrustSec: policy enforcement
- App Visibility and Control
- App Performance: application networking/optimization
- Cloud Connectors: cloud optimization

Technology innovation: routing, switching, security appliance and firewall

Cloud Intelligent Networks Solutions

- Private Cloud: Cisco ISR G2, Cisco Prime Infrastructure; ASR 1000, AVC, ASA, WAAS, AppNav; ASR 1000 with AVC, WAAS and UCS-E
- Virtual Private Cloud: CSR 1000V, ASA 1000V, VSG, vWAAS; Nexus 1000V, vPath, VXLAN
- Public Cloud: WebEx CCA, 3rd party, HCS Services; Cloud Connectors for AnyConnect VPN, ScanSafe, WebEx and HCS
- Cloud Intelligent Network services spanning all three: Security, App Visibility & Control (AVC), Cloud Connectors, Medianet

Introducing the Next Generation Enterprise WAN

Next Generation Enterprise WAN High Level Topology

Services across the whole topology: Application Visibility & Control, MediaNet, TrustSec, IPv4/v6, Cloud Operations

- WAN Core with regional interconnects (West, East and South Regions)
- Regional WAN interconnect: Metro, Internet, Service Provider; WAN as primary or backup
- Remote branches
- Local Campus and Data Center (Private Cloud)
- Public Cloud and Hybrid Cloud services (voice, video, etc.)

Design goals: seamless any-to-any services, consistent security, efficient use of resources


Regional WAN Architecture

- Enterprise interconnect to the Local Campus and Data Center
- Standardized profiles simplify management, monitoring and troubleshooting (Cisco Prime)
- Redundant, scalable GETVPN headend and redundant, scalable DMVPN headend (ASR1K)
- Optimized performance: intelligent, per-application, adaptive routing
- Pervasive, scalable end-to-end security
- Any WAN transport: SP A MPLS (OC3, GE), SP B MPLS (DS3, FE), Internet, serial, Ethernet, 3G/4G, satellite
- Branch profiles: Ultra High-End Branch/Campus (ASR1K), High End Branch, Standard Branch and Mobile Branch (ISR G2)

Regional WAN Branch Profiles

Flexible deployment options for different service requirements (performance and availability):

- Mobile Branch (retail banking, kiosk, vehicles, cruises): 3G/4G or satellite transport; WAAS Express to boost application performance; branch mobility; deliver video over 4G*
- Standard Branch (typical branch office): most common deployment; migration from serial to Ethernet; SP MPLS VPN with Internet VPN backup; application performance; four-nines availability; deliver SD video
- High-end Branch (financial branch, medium/large branch office): migration from DS3 to FastEthernet; dual SP MPLS; redundant router; application performance; five-nines availability; deliver HD video
- Ultra High-end Branch/Campus (remote campus): very high bandwidth, up to 1 Gb; software and hardware redundancy; same profile as the High-end Branch; services scaled up by dedicated appliance engines

Platforms: ISR G2 for the mobile, standard and high-end branches; ASR1K for the ultra high-end branch/campus. Transports: MPLS, Internet, 3G/4G, satellite.

Regional WAN Aggregation Profiles

Two WAN aggregation profiles for different availability and scalability requirements:

- Standard Aggregation: scale to support 1500 sites; four-nines availability; one device serves multiple roles (an ASR1K acts as GETVPN GM and PfR MC); GETVPN KS on an ISR G2; hardware/software redundancy; MPLS plus Internet (DMVPN)
- High-end Aggregation: scale to support 5000* sites; five-nines availability; dual SP MPLS and Internet; redundant key server (GETVPN COOP KS on ISR G2); dedicated PfR MC (ASR1K); separate ASR1K GETVPN GMs and DMVPN hubs; hardware/software redundancy

Branch profiles served: Ultra High-end Branch, High-end Branch, Standard Branch, Mobile Branch.

Private Cloud Services

Topics: Application Visibility & Control; WAAS & UCS E; MediaNet; TrustSec Security; IPv6

Private Cloud Definition

Used only by a single company or organization, the Private Cloud looks a lot like the traditional Enterprise Data Centers we're familiar with, although they tend to focus on virtualized services. They might be operated by a third party instead of the company using them.
Source: NIST

Private Cloud platforms: ASR 1000, AVC, ASA, WAAS, AppNav. (For comparison: Virtual Private Cloud uses CSR 1000V, ASA 1000V, VSG, vWAAS, Nexus 1000V, vPath and VXLAN; Public Cloud uses HCS Services; Cloud Intelligent Network services across all of them are Security, AVC, Cloud Connectors and Medianet.)

Application Visibility & Control

Today the network is an IT blind spot:
- Static port classification is no longer enough
- More and more apps are opaque
- Increasing use of encryption and obfuscation
- An application consists of multiple sessions (video, voice, data)

Next generation networks will be application aware:
- Gain visibility into the applications running in the network, performance trends and user experience
- Intelligently prioritize and control application traffic to maximize user experience

What is the Application Visibility and Control (AVC) Solution?

AVC runs on ISR G2 and ASR1K routers, which export NetFlow v9/IPFIX records to reporting tools. A typical "App Visibility & User Experience" report lists applications (e.g. SAP BW, Sharepoint), their volume (3M, 10M), transaction time (150 ms, 500 ms) and a High/Med/Low rating.

The solution has four building blocks, each enabled by specific technologies:

- Application Recognition: identify applications using L3 to L7 information. Enabled by NBAR2.
- Performance Collection & Exporting: collect application performance metrics and export them to a management tool. Enabled by the Metric Mediation Agent with FNF, ART and MMON.
- Management Tool: an advanced reporting tool aggregates and reports application performance. Cisco Prime Infrastructure, Cisco Insight, 3rd party tools.
- Control: control application usage to maximize application performance. Enabled by QoS and PfR.

Next Generation NBAR (NBAR2)

Application Recognition: Deep Packet Inspection (DPI) that combines SCE classification (+150 signatures) and IOS NBAR (+1000 signatures) with advanced classification techniques.

Available from IOS 15.2(2)T1 and IOS XE 3.4S.

Innovations: native IPv6 classification; open API for 3rd party integration.

NBAR2:
- Provides advanced application classification and field extraction capabilities
- In-service upgradable protocol definitions: no IOS upgrade or reboot for new Protocol Packs
- Backward compatibility to preserve existing NBAR investments

NBAR2 Protocol List: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html

Performance Collection & Exporting: What is it?

Integrated performance monitoring and advanced metrics for different types of applications and use cases:
- Basic monitoring: what applications, how much bandwidth, which flow direction? (Flexible NetFlow and NBAR/NBAR2)
- Critical application performance (Application Response Time), e.g. for HTTP: 40% of traffic is critical applications
- Advanced monitoring: voice and video performance (Media Monitoring): 30% of traffic is voice and video

Gaining Full Visibility with Flexible NetFlow

Traditional NetFlow monitors L3 and L4 only. Flexible NetFlow (FNF):
- Is extensible to support new and future metrics
- Monitors data from layer 2 through 7: L2, L3 and L4, L7 (NBAR), network metrics (QoS), performance metrics (MMON, ART), other metrics
- Collects only what is needed: define your own record format and aggregation

NetFlow to FNF Migration Guide: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/ps6965/white_paper_c11-545581.html

Better Visibility with NBAR2 and FNF (Perf. Collection & Exporting)

Application information is exported in FNF records, and reporting tools display the top clients and servers. On the router itself, show ip nbar protocol-discovery top-n lists the top applications per interface:

Router#show ip nbar protocol-discovery top-n 10

 GigabitEthernet0/0/3

 Input
 -----
 Protocol          Packet Count   Byte Count     30sec Bit Rate (bps)   30sec Max Bit Rate (bps)
 ----------------  -------------  -------------  ---------------------  ------------------------
 webex-meeting     45807530       2497543722     115000                 152000
 bittorrent        59667396       12768822744    555000                 697000

 Output
 ------
 Protocol          Packet Count   Byte Count     30sec Bit Rate (bps)   30sec Max Bit Rate (bps)
 ----------------  -------------  -------------  ---------------------  ------------------------
 webex-meeting     163458047      129842885217   5998000                7799000
 bittorrent        156155174      103187176646   4715000                5077000

Active or Passive Monitoring for Performance Measurement (Perf. Collection & Exporting)

Active monitoring (IP SLA): Router 1, the IP SLA sender, actively probes Router 2, the IP SLA responder.
- Generates synthetic traffic into the network
- Requires an IOS responder for the advanced monitoring types

Passive monitoring (FNF, MMON, ART):
- Inspects production traffic to measure performance metrics
- Performance metrics are available only when there is traffic

Application Response Time (ART) Measurement (Perf. Collection & Exporting)

"My email is slow!" "My query is taking a long time!" How do I ensure my SLA is met?

Branch routers export ART metrics (NetFlow v9/IPFIX) across the WAN to the reporting tool in the data center. Available on ISR G2 from 15.2(4)M2 and on ASR1K from 3.8S.

Key features:
- 27 Application Response Time (ART) metrics
- Interacts with NBAR2 for application ID and field extraction information
- In ISR G2, provided by the Performance Agent (PA)
- In ASR1K, ART is part of unified monitoring

Benefits:
- Visibility into application usage and performance
- Quantify user experience
- Troubleshoot application performance
- Track service levels for application delivery

ART Path Network Segment Breakdown (Perf. Collection & Exporting)

Path: Clients, Client Network, Branch ISR G2 (the measurement point), Server Network, Application Servers. The request travels from client to server and the response returns along the same path.

The total delay seen by the client is broken down into:
- Client Network Delay (CND): between the client and the measurement point
- Server Network Delay (SND): between the measurement point and the server
- Network Delay (ND): CND + SND
- Application Delay (AD): time spent by the server processing the request
- Total Delay

Separating the application delivery path into client and server segments lets ART attribute delay to the network or to the application. Because the measurement point is the branch router, Server Network Delay (SND) approximates the WAN delay (latency) per application.
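The segment breakdown above, computed from a constructed packet trace as an added example (not code from the presentation). It assumes the usual ART definitions relative to the observation point, which the slide does not spell out: SND from SYN to SYN-ACK, CND from SYN-ACK to ACK, response time from the last request packet to the first response packet, and AD = response time minus SND.

```python
"""ART segment breakdown from a constructed TCP exchange observed at a branch router.

Added example, not from the presentation. Assumed definitions (all times in
milliseconds at the observation point):
  SND = SYN-ACK seen - SYN seen        server side of the probe point
  CND = ACK seen - SYN-ACK seen        client side of the probe point
  ND  = CND + SND
  RT  = first response seen - last request seen
  AD  = RT - SND                       server processing time
  Total Delay = ND + AD
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Packet:
    t_ms: float   # time the packet passed the branch router
    src: str      # "client" or "server"
    kind: str     # "SYN", "SYNACK", "ACK", "REQ" or "RESP"


@dataclass(frozen=True)
class ArtMetrics:
    cnd_ms: float
    snd_ms: float
    nd_ms: float
    rt_ms: float
    ad_ms: float
    total_ms: float


def _first(pkts: List[Packet], kind: str, src: str, not_before: float = 0.0) -> Packet:
    """First packet of the given kind and sender seen at or after not_before."""
    for p in pkts:
        if p.kind == kind and p.src == src and p.t_ms >= not_before:
            return p
    raise ValueError(f"no {kind} from {src} after t={not_before}")


def art_metrics(pkts: List[Packet]) -> ArtMetrics:
    """Compute the ART segment delays for one request/response transaction."""
    pkts = sorted(pkts, key=lambda p: p.t_ms)
    syn = _first(pkts, "SYN", "client")
    synack = _first(pkts, "SYNACK", "server", syn.t_ms)
    ack = _first(pkts, "ACK", "client", synack.t_ms)
    first_resp = _first(pkts, "RESP", "server", ack.t_ms)
    # The request ends with the last request packet seen before the first response.
    reqs = [p for p in pkts if p.kind == "REQ" and p.src == "client" and p.t_ms < first_resp.t_ms]
    if not reqs:
        raise ValueError("no request packets before the first response")
    last_req = reqs[-1]

    snd = synack.t_ms - syn.t_ms
    cnd = ack.t_ms - synack.t_ms
    nd = cnd + snd
    rt = first_resp.t_ms - last_req.t_ms
    ad = max(rt - snd, 0.0)   # server think time; clamp measurement noise to zero
    return ArtMetrics(cnd, snd, nd, rt, ad, nd + ad)


def slowest_segment(m: ArtMetrics) -> str:
    """Which segment dominates: 'client' (CND), 'wan' (SND) or 'application' (AD)."""
    segments = (("client", m.cnd_ms), ("wan", m.snd_ms), ("application", m.ad_ms))
    return max(segments, key=lambda kv: kv[1])[0]


# Constructed trace: the client is on the branch LAN, the server is across the WAN.
SAMPLE_TRACE = [
    Packet(0.0, "client", "SYN"),
    Packet(42.0, "server", "SYNACK"),   # 42 ms round trip across the WAN
    Packet(45.0, "client", "ACK"),      # 3 ms round trip on the branch LAN
    Packet(50.0, "client", "REQ"),
    Packet(51.0, "client", "REQ"),      # last request packet
    Packet(131.0, "server", "RESP"),    # first response packet
    Packet(133.0, "server", "RESP"),
]

if __name__ == "__main__":
    m = art_metrics(SAMPLE_TRACE)
    print(m, "slowest segment:", slowest_segment(m))
```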

Application-aware QoS with NBAR2 (Control)

Classes and their bandwidth shares:

 Application        BW committed                           Priority
 Business Critical  50% of the line (committed)            High
 Browsing           30% of the excess (=15% of the line)   Normal
 Internal Browsing  60% of Browsing                        Normal
 Remaining          70% of the excess (=35% of the line)   Normal

Configuration:

class-map match-all business-critical
 match protocol citrix
 match access-group 101
!
class-map match-any browsing
 match protocol attribute category browsing
!
class-map match-any internal-browsing
 match protocol http url *myserver.com*
!
policy-map internal-browsing-policy
 class internal-browsing
  bandwidth remaining percent 60
!
policy-map my-network-policy
 class business-critical
  priority percent 50
 class browsing
  bandwidth remaining percent 30
  service-policy internal-browsing-policy
!
interface Serial0/0/0
 service-policy output my-network-policy

Business-Critical is the high-priority class with 50% of the line committed; the other 50% of the line is excess bandwidth. Browsing receives 30% of the excess (=15% of the line), and within Browsing the nested policy gives Internal-Browsing 60% of that share. The remaining 70% of the excess (=35% of the line) goes to class-default.
GRE/IPSec Network QoS Design (Control)

Direction of packet flow through the encrypting router and across the WAN:
- The packet is initially marked (the slide labels the inner header DSCP CS5 and the remarked outer value DSCP AF41).
- By default the ToS value is copied to the IPSec header, so the encapsulated packet carries the same DSCP on the outer header.
- On the egress interface the top-most ToS is rewritten: the policy remarks the DSCP value on the encrypted/encapsulated header (set ip dscp af41) while the inner header is left unchanged.
- At the far end the packet is decapsulated to reveal the original ToS byte (DSCP CS5).

policy-map WAN-OUT
 class VOICE
  priority percent 10
 class VIDEO-INTERACTIVE
  priority percent 23
  set ip dscp af41
 class NETWORK-MGMT
  bandwidth percent 5
  service-policy MARK-BGP
 class class-default
  bandwidth percent 25
  random-detect
!
policy-map Int-Gig-Agg-HE
 class class-default
  shape average 1000000000
  service-policy WAN-OUT

Note that the slide writes the child policy reference as "WAN-Out"; policy-map names are case-sensitive in IOS, so it must match the defined name WAN-OUT as shown here.

Performance Routing (PfR) (Control)

Application-aware adaptive routing:
- Full utilization of expensive WAN bandwidth: efficient distribution of traffic based upon load, circuit cost and path preference
- Improved application performance: per-application best path based on delay, loss and jitter measurements
- Increased application availability: protection from carrier blackouts and brownouts

Topology: a branch ISR G2 acts as PfR MC/BR; headquarters ASR1Ks act as PfR MCs and BRs; paths run over SP A MPLS (GETVPN), SP B MPLS (GETVPN) and the Internet (DMVPN). The email path and the video path are steered independently towards the email VMs and the WAE cluster. Roles: Master Controller (MC) and Border Router (BR).

PfR Use Case Examples (Control)

Protecting critical applications while maximizing bandwidth utilization.

Internet (ISP-1 primary, ISP-2 secondary): Cloud Service & Load Balancing Policy
- Protect business Cloud applications from Internet brownout: loss < 10%; Cloud Service preferred path ISP-1 (detect loss > 10% and move)
- Maximize all ISP bandwidth by load sharing all other (best effort) Internet traffic

WAN (SP-A MPLS VPN, SP-B MPLS VPN): Multimedia & Critical Data Policy
- Protect voice and video quality: latency < 200 ms; jitter < 30 ms (detect high jitter); Voice & Video preferred path SP-A
- Protect VDI applications from brownouts: loss < 5%; VDI preferred path SP-B
- Maximize utilization by load sharing best effort traffic

Cisco Prime Infrastructure Assurance (Management Tool)

- Configuration of AVC features*
- Network monitoring, service monitoring, reporting and trends
- Multi-NAM manager
- Packet and flow analysis
- Application Response Time, voice and video metrics
- Distributed SNMP and NetFlow collection

WAAS and UCS E Series

Cisco WAAS: Enhancing user experience and WAN efficiency

Problem: poor application responsiveness; WAN bandwidth costs.

Solution:
- Reduce load: Data Redundancy Elimination, compression, TCP optimization (bandwidth saved)
- Application optimization: fewer protocol messages, metadata caching, ... (reduced latency)

[Chart: application bandwidth in Mbps (0-4) natively vs with WAAS, and application latency in seconds (0-160) natively vs with WAAS]

Challenges of Desktop Virtualization over WAN

- Hairpinning the WAN affects the user's experience: the display protocol is opaque to the network
- In the branch office (behind a branch router on a T1), end-users see pixelization over the WAN; on the campus LAN, end-users experience no pixelization
- Video from the video source is processed on the hosted virtual desktop (HVD) in the data center, overloading server compute and bandwidth
- Increasing bandwidth is expensive and might not help

WAAS 5.0 optimization with Citrix ICA AO

- WAAS optimizes encrypted and compressed ICA desktop session traffic (no changes required on the ICA client, HVD or DC infrastructure) for all versions of XenDesktop and XenApp
- Includes the WAAS 4.4 application-aware DRE feature for unidirectional caching of desktop session traffic, which improves scalability and application performance
- Topology: ICA client and WAAS in the branch, branch router, WAN, aggregation router, WAAS and Citrix HVD in the data center; the display protocol is accelerated end to end

Note: Multi-Session ICA (MSI) in XenDesktop 5.5 is not supported in the current release. If MSI is used, only the one initial session (port 1498) will be optimized automatically; other flows will be treated as regular TCP flows.

Cisco WAAS: WAN Optimization Solution

Deployment options across the WAN:
- Branch office: IOS WAAS Express on the router; WAAS service module (UCS/x86 server); WAAS WAE appliance
- Regional office: WAAS WAE appliance
- Mobile user and SOHO user: WAAS Mobile software over VPN to a WAAS Mobile Server
- Data center or private cloud: WAAS WAE appliances, or vWAAS appliances on VMware ESXi server VMs with Nexus 1000V (VSM, vPath) and FC SAN
- Virtual private cloud: CSR 1000V with vWAAS, server VMs and Nexus 1000V vPath on VMware ESXi

Lean Branch Office Applications

Edge applications that defy centralization:
- Core Windows services: DNS and DHCP servers, Microsoft Active Directory, Windows print services, Windows file services, others
- Mission critical business applications: point of sale server, bank teller control point, electronic medical records, inventory management, others
- Client management services: software update service, client monitoring service, backup and recovery, terminal server gateway, others

UCS E: Extend Cloud Services into Branch Infrastructure

Platform for WAN edge applications (Microsoft Windows and other app/OS combinations):
- Server virtualization: Cisco SRE Virtualization, powered by the server-certified VMware vSphere Hypervisor (ESXi); an SRE-V hypervisor on each SRE blade
- Dedicated blade management: Cisco Integrated Management Controller (CIMC-E), consistent management with the UCS family
- Multipurpose x86 blades: Cisco Service-Ready Engine modules house up to four server blades in an ISR G2
- Single-device network integration: house all devices in the ISR G2 chassis; multigigabit fabric (MGF) backplane switch under IOS; supported on ISR G2 2911 and above

MediaNet & Video Services

Medianet Introduction

"I want a network infrastructure so that I should not worry when tomorrow I'll be asked to implement video applications."
Massimo Fogaroli, IT Manager, Mediolanum Bank

- Media aware: detection and optimization of different media and applications
- Endpoint aware: automatic detection and configuration
- Network aware: automatically respond to changes in devices and service availability

Capabilities: performance monitoring (IP SLA VO, flow metadata, mediatrace), visibility, diagnostics, network assessment

Medianet Media Monitoring

Media assessment, monitoring and troubleshooting:
- Pre-deployment assessment / network validation with IP SLA Video Operations (VO): use ISR G2 DSPs to generate synthetic video (e.g. TelePresence) from an IP SLA initiator to an IP SLA responder across MPLS or Internet DMVPN
- What path, and where is the problem? Mediatrace and Performance Monitor: when a user reports "I am detecting a video quality issue", a network-initiated mediatrace collects path and performance metrics of the media stream (e.g. "lost packets seen" on an ISR G2 or ASR1K along the path); Cisco Prime Collaboration Manager initiates the mediatrace and displays the results

Media Monitoring: Performance Monitor (Perf. Collection & Exporting)

- Monitor video traffic traversing different network types (MPLS, Internet) between the branch and the WAN headend
- Apply to the in/out direction of the voice/video VLAN
- Generate alerts based on user-configurable thresholds
- Provide metrics including jitter, packet loss, latency, bitrate, etc.; visualized with tools such as LiveAction

MediaNet PerfMon is also the Media Monitor (MMon) in AVC.

Diagnostics: Media Troubleshooting with Mediatrace

- Use Mediatrace to further troubleshoot media issues, e.g. initiate a Mediatrace for traffic from a branch phone to a headend phone across MPLS or Internet VPN
- Initiate Mediatrace to discover the path, system resources, or quality metrics on devices in the media path
- Mediatrace responders collect the requested metrics and return them to the initiator
- Works with Cisco Collaboration Manager

Need for End to End Classification (Visibility)

Different hops know different things about the same voice call from Marylou to John:
- The application knows: voice communication between Marylou and John, started with application X, packets have DSCP=EF. "I know lots of information from the application that I'm not going to send to the wire."
- The first router knows: this packet has DSCP=EF, comes from Fast1/0, from location Desk1, from user Marylou.
- A router further along the path knows only: this flow has DSCP=EF and contains RTP voice.

How do you enforce a consistent network policy when classification differs along the path? E.g. the rule "prioritize voice communication from Marylou to John".

The endpoint can provide information that is not available or visible to the network.

MediaNet Metadata for end to end classification (Visibility)

Metadata flow principles: each flow is identified by its 5-tuple and carries application metadata.

 Flow identifier                                      Metadata
 IP Src    IP Dst    Prot  L4 Src  L4 Dst  Application              Vendor  Dial From  Dial To   Caller ID
 10.1.1.2  20.1.1.2  UDP   2000    4000    VideoConference (Audio)  Cisco   83922564   85268229  Albert Albatross

1. The application creates the metadata.
2. Metadata announcement: the endpoint (10.1.1.2) announces it along the path; each router stores it in its metadata DB and can export it to the NMS.
3. Media flow: QoS is applied based on the metadata.

Video Conferencing Services

Centralized MCU: multiple video streams traverse the WAN from the branch to a central MCU resource at HQ/campus, a non-optimal use of limited WAN bandwidth. Video is mixed by the centralized MCU, controlled by CUCM (signaling to CUCM, media to the MCU).

Local mixing: video is mixed by the ISR G2 DSPs in the branch, controlled by CUCM or UCME. Keeps traffic local in the branch if all participants are located in the branch. Supports ad-hoc and MeetMe conferences.

Video Delivery Optimization

WAAS + Enterprise Content Delivery System (ECDS):
- Branch offices with WAAS + ECDS subscribe to channels (signage, corporate communications, HR VOD) published from the data center
- Context-aware DRE across the WAN, with CDN infrastructure in the data center
- Multiple publish and subscribe channels for simplified management
- Broad live broadcast protocol support: WMF, Silverlight, Flash
- Video pre-positioning

WAN TrustSec Security Services

NG WAN Pervasive Security

Secure, reliable access to any services:
- Provides data privacy across the WAN: GETVPN any-to-any encryption over MPLS; DMVPN & FlexVPN over 3G/4G or Internet provide dynamic spoke-to-spoke tunnels
- Highly scalable WAN aggregation with encryption: 4000 DMVPN tunnels and 4000 GETVPN group members; up to 28 Gbps of encryption throughput per ASR1K
- Interoperation with QoS and PfR ensures service performance
- TrustSec simplified access control: SGT, SXP, SGACL and SG Firewall

Topology: a standard branch ISR G2 carrying SGTs is protected by DMVPN over the Internet to the ASR1K DMVPN hub, and by GETVPN over SP A / SP B MPLS to the headquarters ASR1Ks; the data center hosts the GETVPN COOP key servers, the SG firewall, the WAE cluster and the private cloud; SXP distributes the SGT mappings.

Dynamic Multipoint VPN (DMVPN)

- Full-mesh connectivity with simple configuration: zero-touch configuration for the addition of new spokes; automatic site-to-site IPSec tunnels
- Transport and carrier agnostic overlay: easy multi-homing, single control plane, simple carrier transition
- Large scale: up to 4000 spokes per ASR1k hub with EIGRP or BGP; hierarchical hub designs to scale beyond single-hub limits
- Secure on-demand meshed tunnels: DMVPN tunnels are built dynamically between spokes whose IP addresses are unknown in advance, whereas traditional static tunnels require static, known IP addresses

Introducing FlexVPN: A single overlay VPN solution (new)

One VPN framework covering the use cases previously served by separate solutions: isolated branches to the corporate LAN (Easy VPN), remote access (AnyConnect) and shortcut switching between sites (DMVPN), with separation between departments (e.g. Department RED and Department GREEN).

Group Encrypted Transport VPN (GETVPN)

Before and after GET VPN:

Before: IPSec point-to-point tunnels over a public/private WAN
- Scalability is an issue (the N^2 problem)
- Overlay routing
- Any-to-any connectivity may require tunnel setup
- Inefficient multicast replication

After: tunnel-less VPN over a private WAN
- Scalable architecture for any-to-any connectivity and encryption
- No overlays: native routing
- Any-to-any instant connectivity
- Efficient multicast replication
- Any WAN transport (private IP WANs)

Cisco Router Security Certifications

Columns: FIPS 140-2 Level 2; Common Criteria EAL4; Next-Gen Encryption* software support; Next-Gen Encryption* hardware assist.
Rows: Cisco ISR 890 Series, Cisco ISR 1900 Series, Cisco ISR 2900 Series, Cisco ISR 3900 Series, Cisco ISR 3900E Series, Cisco ASR 1000 Series.
[The per-cell certification marks of this table did not survive extraction; one cell reads N/A and three are marked **.]

http://www.cisco.com/go/securitycert
* NSA Suite B (RFC 4869) cryptographic algorithms for both unclassified and most classified information
** 1900s and lower 2900 Series require ISMs. Only ASR 1002-X and ESP-100 based ASR 1000s

TrustSec SGT over DMVPN and GETVPN

Topology: ISE (guest server, posture, profiler) assigns SGTs to users (Finance, Sales, Admin, HR) at the Catalyst switches and APs of the branch network; the branch ISR G2s carry the SGT in frames over DMVPN (Internet) and GETVPN (MPLS) to the ASR1k; the campus aggregation (Catalyst 6500) and the data center (Nexus 7000, Nexus 5000/2000) enforce SGACLs.

Egress enforcement: WAN ISR G2/ASR1k SG Firewall; campus aggregation Cat6K/Sup2 SGACL; data center enforcement on Nexus 7000 SGT/SGACL.

- DMVPN inline tagging on ISR G2 (IOS 15.2(2)T)
- SGT over GETVPN support on ISR G2 (IOS PI21*) and ASR1k (XE 3.9*)
- SG Firewall for egress enforcement
- SGT capability exchange during DMVPN IKEv2 negotiations and GETVPN group membership registration
- Learn SGT from SXP or authentication methods
- Simple one-command configuration: DMVPN "crypto ikev2 cts sgt"; GETVPN "tag cts sgt"

* ISR G2 IOS (PI21) and ASR1k IOS (XE 3.9) will be available in Spring 2013.

Security Group FW Architecture

ISE provides the SGACL policies; SGTs are carried inline or learned via SXP (mapping e.g. IP address 10.1.10.1 to SGT 10); SGFW enforcement runs on the ISR at the branch and on the ASR1k at the enterprise WAN aggregation, and SGACL enforcement on switches in the data center; policy administration is through CPI.

- Consistent classification/enforcement between ISR/ASR SGFW and switching
- In general, SGACL and SGFW policy should be synced via the policy administration UI
- SGT allows more dynamic classification in the branch and WAN aggregation
- Rich logging requirements will be fulfilled on the SGFW (URL logging, etc.)
- Active/active support in ZBFW allows for asymmetric routing*
- SGFW in ISR G2 IOS 15.2(2)T and ASR1k IOS XE 3.5

* active/active assumes a shared L3 subnet on router interfaces for redundancy groups

IPv6 Preserve, Prepare, Prosper

Why IPv6?
- 3 Feb 11: last day of IPv4 address allocations
- IPv4 address exhaustion
- Government mandate
- IPv6 device and content growth
- Mergers and Acquisitions
- Gain familiarity with IPv6

IPv6 Routing: ISR G2, ASR 1000 designed for IPv6
- Routers designed with more memory, better performance for IPv6

IPv6 Feature Enablement: broadest coverage in the industry
- IPv6 parity with IPv4 in most cases

IPv6 Transitioning: all transition mechanisms supported
- Dual Stack, Tunneling, Translation

Anyone, Anything, Anywhere, Anytime


Transitioning Network to IPv6


Preserve, Prepare, Prosper: Cisco NG Enterprise WAN Solutions
- Branch & Campus: Dual Stack IPv4 and IPv6
- IPv4 WAN: Tunnel (6-4 tunnels, IPv6 over DMVPNv4)
- IPv6 Internet: Translate (NAT64 allows IPv6 devices to access IPv4 applications)

[Diagram: a dual-stack branch office (ISR G2) tunnels IPv6 over the IPv4 WAN to dual-stack WAN aggregation ASR1Ks in the campus/data center; at the Internet edge an ASR1K translates (NAT64) between IPv6 devices and IPv4 services.]
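The tunnel and translate legs of the slide both come down to address arithmetic: NAT64 (RFC 6146) works because the IPv4 destination is embedded in an IPv6 prefix per RFC 6052, and 6to4 (RFC 3056) works because a site's public IPv4 address is embedded under 2002::/16. The block below is an added example, not code from Cisco or from the deck; it assumes the RFC 6052 well-known prefix 64:ff9b::/96 as the default NAT64 prefix and uses the documentation address 192.0.2.33 and a constructed network-specific prefix 2001:db8:64::/96 as sample input. It also handles the edge case RFC 6052 section 3.1 calls out: the well-known prefix must not be used with non-global IPv4 space, so RFC 1918 addresses are rejected unless a network-specific prefix is given.

```python
"""Address arithmetic behind two transition mechanisms on the slide: NAT64
(RFC 6146, using RFC 6052 IPv4-embedded IPv6 addresses) and 6to4 (RFC 3056).
Added example, not Cisco's code; sample prefixes and addresses are constructed."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network, ip_network

# Well-known NAT64 prefix (RFC 6052 section 2.1). Section 3.1 forbids using it
# for non-global IPv4 addresses; RFC 1918 space is checked here as the common case.
WELL_KNOWN_PREFIX = IPv6Network("64:ff9b::/96")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ipv4: IPv4Address) -> bool:
    return any(ipv4 in net for net in RFC1918)


def nat64_synthesize(ipv4: str, prefix: IPv6Network = WELL_KNOWN_PREFIX) -> IPv6Address:
    """Embed an IPv4 address in a /96 NAT64 prefix: the IPv4 bits become the low 32 bits.
    This is the address an IPv6-only host sends to so the NAT64 reaches the IPv4 service."""
    if prefix.prefixlen != 96:
        raise ValueError("this example handles /96 NAT64 prefixes only")
    v4 = IPv4Address(ipv4)
    if prefix == WELL_KNOWN_PREFIX and is_rfc1918(v4):
        raise ValueError(f"{v4} is RFC 1918 space; use a network-specific prefix")
    return IPv6Address(int(prefix.network_address) | int(v4))


def nat64_extract(ipv6: str, prefix: IPv6Network = WELL_KNOWN_PREFIX) -> IPv4Address:
    """Reverse map: recover the IPv4 destination the translator must forward to."""
    addr = IPv6Address(ipv6)
    if addr not in prefix:
        raise ValueError(f"{addr} is not inside NAT64 prefix {prefix}")
    return IPv4Address(int(addr) & 0xFFFF_FFFF)


def sixto4_prefix(ipv4: str) -> IPv6Network:
    """6to4 (RFC 3056): the site's public IPv4 address forms bits 16-47 under 2002::/16,
    giving the /48 the site may use for its IPv6 addressing."""
    v4 = IPv4Address(ipv4)
    if is_rfc1918(v4):
        raise ValueError("6to4 needs a globally routable IPv4 tunnel endpoint")
    base = IPv6Address((0x2002 << 112) | (int(v4) << 80))
    return IPv6Network(f"{base}/48")


if __name__ == "__main__":
    synthesized = nat64_synthesize("192.0.2.33")
    print("IPv6-only client sends to", synthesized)
    print("NAT64 forwards to       ", nat64_extract(str(synthesized)))
    print("6to4 site prefix        ", sixto4_prefix("192.0.2.33"))
    print("RFC 1918 via NSP        ", nat64_synthesize("10.1.10.1", IPv6Network("2001:db8:64::/96")))
```

A practical use of the extract function on the defensive side is log review at the Internet edge: an IPv6 flow record whose destination sits inside the NAT64 prefix can be mapped back to the IPv4 service it actually reached, so IPv4-keyed reputation and allow lists still apply after the translation.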

Hybrid Cloud Services


- Virtual Private Clouds
- Virtual Networking Services
- Cloud Services Router


Hybrid Cloud Definition


Virtual Private Clouds (VPC)

Hybrid Clouds exist on the premises and are maintained by a cloud provider. Resources are allocated to individual companies or organizations, providing them the look and feel of a private cloud within a shared cloud environment.
Source: NIST

[Diagram: Cloud Intelligent Network spanning the Private Cloud (ASR 1000, AVC, ASA, WAAS, AppNav), the Virtual Private Cloud (CSR 1000V, ASA 1000V, VSG, vWAAS, Nexus 1000V, vPath, VXLAN; Security) and the Public Cloud (HCS Services), with App Visibility & Control (AVC), Cloud Connectors and Medianet across all three.]


Hybrid Virtual Private Cloud Virtual Networking Services


[Diagram: cloud provider's data center. The physical infrastructure (servers) runs the Nexus 1000V virtual infrastructure (multi-hypervisor); per tenant (Tenant A) the cloud network services are CSR 1000V, vWAAS, ASA 1000V and VSG (one VSG per department: Department A, Department B), with AppNav and vPath for service insertion.]

- CSR 1000V: WAN Gateway, IOS Networking
- vWAAS: WAN Optimization, Application Traffic
- ASA 1000V: Edge Firewall, Protocol Inspection
- VSG: Zone-based Firewall, VM-level Control
- Nexus 1000V: Distributed Switch, NX-OS Consistency


Cisco CSR 1000V


Cisco IOS Software in Virtual Form-Factor

[Diagram: the CSR 1000V runs as a VM alongside application VMs (App/OS) in the VPC/vDC, on top of the hypervisor, virtual switch and server.]

- Virtual Route Processor (RP)
- Virtual Forwarding Processor (FP)
- Optimized for single-tenant use cases
- Hypervisor agnostic
- Virtual switch agnostic
- Server agnostic


Public Cloud Services


Cloud Connectors

Public Cloud Definition


Operated wholly by cloud providers, public clouds offer services to companies, organizations and individuals using a fully virtualized environment hosted in the cloud. Services are delivered in a shared environment even though they might be provisioned or customized for the needs of the individual organization.
Source: NIST

[Diagram: the same Cloud Intelligent Network view as on the Hybrid Cloud Definition slide: Private Cloud (ASR 1000, AVC, ASA, WAAS, AppNav), Virtual Private Cloud (CSR 1000V, ASA 1000V, VSG, vWAAS, Nexus 1000V, vPath, VXLAN) and Public Cloud (HCS Services), with AVC, Cloud Connectors and Medianet.]


What is Cloud Connector?


- Connects a Corporate Network to a Cloud Service; application- or service-specific to ensure transparent access
- Improves delivery of Public Cloud Services: provisioning, performance, security, reliability, management
- Cloud Connector solutions include ScanSafe, WebEx Media, Hosted Collaboration Service, Storage/Backup

[Diagram: headquarters campus ASR1Ks connect over the Internet through the Cloud Connector to Public Cloud email VMs, and over MPLS with GETVPN to the branch.]


Example - ScanSafe Cloud Connector


- ScanSafe provides secure access to Public Cloud services
- Single policy portal, ease of deployment and management
- Direct Internet access reduces WAN cost and improves application performance
- Web Filtering, Web Security, Centralized Reporting, Consistent Policy Control

[Diagram: headquarters campus ASR1Ks reach Public Cloud applications over the Internet through the ScanSafe Cloud Connector; the branch connects over MPLS with GETVPN.]



Example - WebEx Media Connector


- WebEx Media Connector peers directly with the Enterprise WAN
- CUCM+CUBE deployed at the Enterprise and WebEx Cloud; firewalls+CUBE secure the borders with WebEx
- Improves voice and video conferencing quality
- Reduces 800 toll charges

[Diagram: headquarters campus ASR1Ks connect over the Internet through the WebEx Cloud Connector to the Cisco WebEx Collaboration Cloud; the branch connects over MPLS with GETVPN.]


Example - Cloud Storage Connector


Third Party Connector
- MSP Admin Portal: manage end-user accounts, service provisioning and billing
- End-User Virtual Portal: users access their own cloud backups and folders, restore and share files
- Cisco ISR G2 and UCS E-Series with Cloud Storage Gateway: cloud storage is cached on the UCS E; branch files are backed up to the cloud; Backup Agent for Roaming Laptop; Agent-Less Solution

[Diagram: the Branch Office (ISR G2 with UCS E-Series) connects to the MSP network and its cloud storage.]

Platform Overview

Prime Infrastructure 1.2


Functional Overview
- A single integrated solution for comprehensive lifecycle management of wired/wireless access, campus, and branch networks
- Automates compliance with regulatory requirements, Cisco and IT best practices
- Utilizes rich performance data for end-to-end network visibility to assure application delivery and optimal end-user experience


ISR G2 Portfolio
[Chart: recommended positioning with services, by WAN access speed with services (10 Mb to 350 Mb). Mobile Branch (EFM, sub-rate FE): 800, 1921, 1941. Standard Branch (VDSL2+/sub-rate FE): 2901, 2911, 2921, 2951. High-End Branch (line rate FE, up to line rate N x FE): 3925, 3945, 3925E, 3945E.]

Cisco ASR 1000 Series Routers: Overview


Designed Today for up to 360 Gbps in the Future

Compact, Powerful Router
- Line-rate performance 2.5G to 100G+ with services enabled
- Investment protection with modular engines, IOS CLI and SPAs for I/O
- Hardware-based QoS engine with up to 232K queues

Business-Critical Resiliency
- Fully separated control and forwarding planes
- Hardware and software redundancy
- In-service software upgrades

Instant On Service Delivery
- Integrated firewall, VPN, encryption, NBAR, CUBE
- Scalable on-chip service provisioning through software licensing

One IOS-XE Feature Set

Platform     Throughput
ASR 1001     2.5-5 Gbps
ASR 1002     2.5-10 Gbps
ASR 1002-X   5-36 Gbps
ASR 1004     10-40 Gbps
ASR 1006     10-100+ Gbps
ASR 1013     10-360 Gbps

Wrap Up / Summary

[Diagram: Realizing the Borderless Enterprise. Borderless experience, delivered reliably, securely and seamlessly to anyone, on any device, anywhere, anytime. The Cisco Cloud Intelligent Network spans Private, Hybrid and Public Clouds with Application Visibility & Control, MediaNet, TrustSec, Cloud Connect, IPv6 Transition and Operational Simplicity.]


Next Generation Enterprise WAN


Wrap Up/Summary
- Architectural approach to solving business requirements
- Modular: building blocks with layered services
- Infrastructure foundation for Cisco's Borderless Network
- Cloud Intelligent Network solutions: Private Cloud Services; Hybrid/Virtual Private Cloud Services; Public Cloud Services
- ASR 1000 series: high-performance secure WAN aggregation router
- ISR G2 series: integrated branch services (security, voice, video and cloud access)
- Virtualized Network Services: CSR 1000v, vWAAS, ASA 1000v, Nexus 1000v
- Cisco Prime: unique ability to manage the entire solution
