Intelligent WAN (IWAN)

Architecture
Simon Dwyer, Systems Engineer

Agenda

Where we have come from and the need to change

What makes up IWAN

How is IWAN deployed

Where we have come from

and need to change

Traditional WAN

Expensive Carrier links

Expensive Backup links

Ridged deployment models

Central traffic route model

Enterprise WAN - Whats Going on?

Cloud

WAN bandwidth needs are growing!

Cloud, BYOD/IOE and Video making it worse

IT budgets flat or declining

50%

Transport/bandwidth costs are majority of WAN budget

of CIOs Expect to
Operate via the
Cloud by 2015

Mobility

These factors are driving WAN modernisation

Lower cost transports Internet, LTE, Carrier Ethernet,

Cloud application performance monitoring and optimisation
Security strong encryption and threat protection

Cisco IWAN addressing this market demand!

6X

More Mobile Data

Traffic by 2015

Fat Apps

2/3

of Mobile Traffic
Will Be Video

Mobile Device Network Traffic

Average Number of
Apps per Device*

Average App Size**

iOS

OS Update File Size***

iOS 8 for
iPhone 6

KitKat
Android

4.4

Windows

Windows 7

Chromebook Creates an Average

of 152 Times More Traffic
Third-Party Lab Test:
Chromebook vs.
Windows 8 Laptop

Chromebook creates as
high as 692.2 times more
network traffic
On average, Chromebook
creates152 times more
network traffic

Document
Manipulation

0.14

Photo
Manipulation

0.27

10.80

57.84

Video
Manipulation

2.73
211.29

Music
Manipulation

0.21
145.56

Web
Browsing

77.39
41.33

Note
Taking

6.06
18.30

Test
Taking

5.00
8.65

0
http://principledtechnologies.com/Microsoft/Chromebook_PC_network_traffic_0613.pdf

Asus VivoBook S200E Notebook Running

Microsoft Windows 8

10

And the Internet Transition Pays Off Fast

EXAMPLE: San Francisco Single MPLS VPN vs. Dual Business Internet ($ per Month)

$1,014

$885

$830

-75%
10 Mbps

$220
1.5 Mbps

$303

MPLS VPN
CoS1

$274
MPLS VPN
CoS2

$260
MPLS VPN
CoS3

$140
iWAN
Dual Internet Links
Combined for Ent SLA

Source: Telegeography MPLS VPN pricing for San Francisco as of March 2013; Comcast Web site; Verizon website

$665
Savings/Month x
12 Months X 1,000
Sites
= $8M Savings
per Year

Intelligent WAN: Leveraging the Internet

So What is New Here?

Internet as WAN with High Reliability

SLAs for Business-Critical Applications

Branch

Centralised Security Policy for Internet Access

Public
Cloud

Dramatically Lower WAN Costs Without Compromise

What Makes up IWAN?

Intelligent WAN Solution Components

AVC

Private
Cloud

MPLS

3G/4G-LTE

Virtual
Private
Cloud

Branch
Internet
WAAS

Public
Cloud

PfR

Control & Management Automation

Transport
Independent
Consistent operational model
Simple provider migrations
Scalable and modular design
IPsec routing overlay design

Intelligent
Path Control
Dynamic Application best

path based on policy

Load balancing for full

utilisation of bandwidth
Improved availability

Application
Optimisation
Application visibility with

performance monitoring
Application acceleration

and bandwidth
optimisation

Secure
Connectivity
Certified strong encryption
Comprehensive threat

defence
Cloud Managed Security for

secure direct Internet access

Intelligent WAN Deployment Models

Dual MPLS

Hybrid

Dual Internet

Internet
Public

Enterprise

MPLS+
Internet

MPLS
MPLS
Branch

Public

Branch

Highest SLA guarantees

Tightly coupled to SP
Expensive

More BW for key applications

Balanced SLA guarantees
Moderately priced

Internet

Branch

Best price/performance
Most SP flexibility
Enterprise responsible for SLAs

Consistent VPN Overlay Enables Security Across Transition

Intelligent WAN: Leveraging the Internet

Secure WAN transport and Internet access
Optimised
Secure Transport

MPLS (IP-VPN)

Private
Cloud
Virtual
Private
Cloud

Branch

Internet
Direct Internet
Access

Public
Cloud

1. IWAN Secure transport for private

and virtual private cloud access

Increase WAN transport capacity and

app performance cost effectively!

2. Leverage local Internet path for

public cloud and Internet access

Improve application performance

(right flows to right places)

IWAN: An Architectural and Systems Approach

IWAN is a Solution Architecture

Prescribed. Tested. Interoperable.

Solves a network problem

Use Case Driven
Systems Development Approach

Bounded Scope and Complexity

Enables Automation and Quality

Delivers Business Outcomes

Reduce WAN costs. Increase bandwidth

Improve and Protect application
performance
Direct Internet Access
Guest Access Offload
OpEx Reduction

NEW!

Transport-Independent
Design

Flexible Secure WAN Over Any Transport

Dynamic Multipoint VPN (DMVPN)

MPLS

WAN

ASR 1000

ISR-G2

Internet

Branch

ASR 1000

Transport Independent
Simplifies WAN Design
Easy multi-homing over any

carrier service offering

Single routing control plane with
minimal peering to the provider

Flexible
Dynamic Full-Meshed
Connectivity
Consistent design over all transports
Automatic site-to-site IPsec tunnels
Zero-touch hub configuration for new

spokes

Data Centre

Secure
Proven Robust Security
Certified crypto and firewall for

compliance
Scalable design with highperformance cryptography in
hardware

Hybrid WAN Designs

Traditional and IWAN
TRADITIONAL HYBRID

IWAN HYBRID

Active/Standby
WAN Paths

Active/Active
WAN Paths

Primary With Backup

Data Centre

Two IPsec Technologies

GETVPN/MPLS
DMVPN/Internet

Two WAN Routing

Domains

Data Centre
ASR 1000

ASR 1000

SP V

ISP A

DMVPN

GETVPN

MPLS

Internet

ASR 1000

ASR 1000

ISP A

SP V

DMVPN

One IPsec Overlay

DMVPN

DMVPN

MPLS

Internet

One WAN
Routing Domain

MPLS: eBGP or Static

Internet: iBGP, EIGRP or OSPF
Route Redistribution
Route Filtering Loop Prevention

iBGP, EIGRP, or OSPF

ISR-G2

Branch

ISR-G2

Branch

IWAN Transport Independence

Consistent deployment models simplify operations
IWAN Dual MPLS

IWAN Hybrid

Data Centre

Data Centre

ASR 1000

ASR 1000

DMVPN
MPLS

MPLS

ISR-G2

Branch

Data Centre

ASR 1000

ASR 1000

SP V

ISP A

DMVPN

IWAN Dual Internet

SP V

ISP A

DMVPN
Internet

ISR-G2

ASR 1000

ASR 1000

ISP A

ISP C

DSL

Cable

DMVPN

DMVPN

DMVPN

MPLS

Internet

Internet

Branch

ISR-G2

Branch

Building Highly Available WANs With Cisco IWAN

Redundancy and Path Diversity Matter
SINGLE
ROUTER,
SINGLE PATH

Downtime
per Year

99.95%*

Downtime
per Year

MPLS

8 Hours
46 Minutes

49 Hours

99.90%*
Internet

ISR G2

ISR G2

IWAN Solution
99.995%

SINGLE
ROUTER,
DUAL PATHS

99.995%

26 Minutes
MPLS

MPLS

MPLS

Internet

Internet

Internet

ISR G2

ISR G2

99.999%

DUAL
ROUTERS,
DUAL PATHS

99.995%

ISR G2

99.999%

5 Minutes

99.999%

MPLS

MPLS

MPLS

Internet

Internet

Internet

ISR G2

ISR G2

ISR G2

ISR G2

ISR G2

ISR G2

* Typical MPLS and Business Grade Broadband Availability SLAs and Downtime per Year, calculated with Cisco AS DAAP tool.

IWAN Transport Independent Design

With Dynamic Multipoint VPN (DMVPN)
Proven IPsec VPN Technology
Widely deployed, large scale
Standards based IPsec and Routing
Advanced QOS: Hierarchical, per tunnel and adaptive
Flexible and Resilient
Over any transport: MPLS, Carrier Ethernet, Internet, 3G/4G,..
Scalable-Mesh or Hub & Spoke Topologies
Multiple encryption, key management, routing options
Multiple redundancy options: platform, hub, transports
Secure
Industry Certified IPsec and Firewall
NG Strong Encryption: AES-GCN-256 (Suite B)
IKE Version 2
IEEE 802.1AR Secure unique device identifier
Simplified IWAN Deployments
Prescriptive validated IWAN designs
Automated provisioningPrime, APIC, Glueware

Secure On-Demand Tunnels

Hub
ASR 1000

Branch n

IPsec
VPN

ISR G2

ISR G2
ISR G2

Branch 1

Branch 2
Traditional Static Tunnels
DMVPN On-Demand Tunnels
Static Known IP Addresses
Dynamic Unknown IP Addresses

DMVPN Evolution

IWAN 1.0

IWAN 2.0

Phase 1

Phase 2

Phase 3

Hub and spoke functionality

Spoke to spoke functionality

p-pGRE interface on spokes,

mGRE interface on spokes

mGRE on hubs
Simplified and smaller

configuration on hubs
Support dynamically

addressed CPEs (NAT)

Support for routing protocols

and multicast
Spokes dont need full routing

table; can summarise on hubs

Direct spoke to spoke data

traffic reduces load on hubs

Daisy chain designs

Spoke must have full routing

tableno summarisation
Spoke-spoke tunnel triggered

by spoke itself
Routing protocol scale

limitations

Larger scale and more

network design options

Hierarchical designs

Spokes dont need full routing

table; can summarise

Spoke-spoke tunnel triggered

by hubs
Removes routing protocol

limitations

Over-the-Top WAN Design with DMVPN

Branch spoke sites establish an IPsec tunnel to and

register with the hub site

IP routing exchanges prefix information for each site

Secure On-Demand Tunnels

Hub
ASR 1000

BGP or EIGRP are typically used for scalability

Branch n

IPsec
VPN

With WAN interface IP address as the tunnel address,

provider network does not need to route customer
internal IP prefixes
Data traffic flows over the DMVPN tunnels
When traffic flows between spoke sites, the hub
assists the spokes to establish a site-to-site tunnel
Per-tunnel QOS is applied to prevent hub site
oversubscription to spoke sites

ISR G2

ISR G2
ISR G2

Branch 1

Branch 2
Traditional Static Tunnels
DMVPN On-Demand Tunnels
Static Known IP Addresses
Dynamic Unknown IP Addresses

DMVPN How it Works

Dual DMVPN Design
Single mGRE tunnel on Hub,
two mGRE tunnels on Spokes

Spokes build a dynamic permanent GRE/IPsec tunnel to the hub, but

not to other spokes. They register as clients of the NHRP server
(hub) and register their NBMA address
Active-Active redundancy modeltwo or more hubs per spoke
All configured hubs are active and are routing neighbours
with spokes
Routing protocol routes are used to determine traffic forwarding

192.168.0.0/24
Physical: 172.17.0.5
Tunnel0:
10.0.1.1

Physical: 172.17.0.1
Tunnel0:
10.0.0.1

Physical: (dynamic)
Tunnel0: 10.0.0.12
Tunnel1: 10.0.1.12

A spoke will initially send a packet to a destination (private) subnet

behind another spoke via the hub, and the hub will send it an NHRP
redirect.

The redirect triggers the spoke to send an NHRP query for the data
packet destination address behind the destination spoke
The destination spoke initiates a dynamic GRE/IPsec tunnel to the
source spoke (it now knows its NBMA address) and sends the NHRP
reply.
The dynamic spoke-to-spoke tunnel is built over the mGRE interface

When traffic ceases then the spoke-to-spoke tunnel is removed

.1
192.168.3.0/24
Physical: (dynamic)
Tunnel0: 10.0.0.11
Tunnel1: 10.0.1.11
.1
192.168.1.0 /24

.1
192.168.2.0 /24

Traditional to IWAN Transition

Migration Steps

ADDING DMVPN
TO MPLS WAN

0
REPLACING A WAN
SERVICE WITH AN
INTERNET
SERVICE

OTHER
INTERESTING
IWAN
TOPOLOGIES

MPLS

MPLS

ISR G2

Internet
MPLS

ISR G2

ISR G2

MPLS

MPLS

MPLS

3G/4G-LTE

3G/4G-LTE
Internet

Internet
ISR G2

MPLS

Internet
ISR G2

* Typical MPLS and Business Grade Broadband Availability SLAs and Downtime per Year.

Internet
ISR G2

ISR G2

MPLS

MPLS

ISR G2

Internet
MPLS

MPLS

MPLS

Internet

Internet
ISR G2

IWAN Transport Best Practices

Private peering with Internet providers

Use same Internet provider for hub and spoke sites

Avoids Internet Exchange bottlenecks between providers

Reduces round trip latency

IWAN Hybrid

DMVPN Phase 3

Scalable dynamic site-to-site tunnels

Separate DMVPN per transport for path diversity

Per tunnel QOS

NG EncryptionIKEv2 + AES-GCM-256 encryption

Data Centre

ISP A

SP V

DMVPN
Green

DMVPN
Blue

Transport settings

Use the same MTU size on all WAN paths

Bandwidth settings should match offered rate

Internet

MPLS

Routing Overlay

iBGP or EIGRP for high scale (1000+ sites)

Single routing process, simplified operations

Front-side VRF to isolate external interfaces

Branch

Intelligent Path Control

Getting the Most Out of Your WAN Investment

Benefits of Intelligent Path Control
AVC

Internet

ISR G2

ASR 1000
ASR 1000

WAN

Branch

Data Centre
WAAS

PfR

Lower
WAN Costs

Full Utilisation
of All WAN Bandwidth

Improved
Application Performance

Lower
WAN Costs

Enabling
Internet-Based
WANs

Efficient Distribution of Traffic

Based Upon Load, Circuit
Cost, and Path Preference

Per Application Best Path

Based on Delay, Loss,
Jitter Measurements

Protection From
Carrier Black Holes
and Brownouts

What is Performance Routing (PfR)?

Tooling for Intelligent Path Control
Performance Routing (PfR) provides
additional intelligence to classic routing
technologies to track the performance of,
or verify the quality of, a path between two
devices over a Wide Area Networking
(WAN) infrastructure to determine the
best egress or ingress path for
application traffic....

Data Centre
MC
BR

BR

DSL

NBN

Cisco IOS technology

Two components: Master controller and border router
MC+BR

Branch

PfR Enhances Classical Routing

Classical

PfR

PATH CONTROL

Topological state
Least cost path
Static user preference

Application-aware
Policy controlled
Measured performance

METRICS

Path cost
Interface state

Delay
Jitter
Bandwidth

ADAPTIVE

Responds To:
Link and node state
changes (up/down)

Responds To:
Measured performance
changes (degradation)

PfR Evolution

Simplification and Scale

Available Now
IWAN 2.0

Today

New

PfRv3

PfRv2
PfR/OER
Internet Edge
Basic WAN
Provisioning per site per

policy
1000s of lines of config

Policy simplification

App Path Selection

Blackout ~6s
Brownout ~9s
Scale 500 sites
10s of lines of config
Internet Edge

Centralised provisioning
AVC Infrastructure
VRF Awareness
Blackout ~ 2s
Brownout ~ 2s

Scale 2000 sites

Hub config only

Performance RoutingComponents
The Decision Maker: Master Controller (MC)

Discover BRs, collect statistics

Apply policy, verification, reporting

No packet forwarding/inspection required

Data Centre
MC

Gain network visibility in forwarding path (Learn, measure)

Enforce MCs decision (path enforcement)

Does all packet forwarding

BR

BR

The Forwarding Path: Border Router (BR)

DSL

NBN

MC+BR

Branch

Load Balancing
Maximising Link Utilisation to Increase Available Bandwidth

External link Load Balancing is enabled by default for Default Class

PfR Distributes traffic across a set of links to maintain efficient utilisation

levels with a defined percentage range. Default utilisation range is +/- 20%

External links can have different available bandwidth,

e.g., Int 1/0 = 1.5Mbps, Int 1/1 = 15Mbps

Load Balancing defaults cannot be changed

Utilisation Range 20%

Max Utilisation = Link Capacity

50% 15Mbps = 7.5Mbps

Internet
WAN

ASR 1000

ISR-G2

MPLS
ASR 1000

50% T1 = 750kbps

Data Centre

Intelligent Path Control with PfR

Voice and Video Use-Case
Voice/Video take the best
delay, jitter, and/or loss path

MPLS
Private Cloud

Branch

Internet

Other traffic is load

balanced to maximise
bandwidth

PfR monitors network performance and routes applications

based on application performance policies
PfR load balances traffic based upon link utilisation levels
to efficiently utilise all available WAN bandwidth

Virtual Private
Cloud

Voice/Video will be rerouted if the

current path degrades below policy
thresholds

Protecting Critical Applications While Increasing

Bandwidth Utilisation
High Delay
Detected

High Jitter
Detected

Voice and Video

Business App
Best-Effort Traffic
SP1 (MPLS)

ISP (FTTH)

Business App and Load-Balancing Policy

Protect transactional

business app from brownouts

delay < 250ms
Preferred path SP1 (MPLS)

Increase WAN bandwidth

efficiency by load-sharing
traffic over all WAN paths,
MPLS + Internet

Email

Best-Effort Traffic
SP1 (MPLS)

ISP (DSL)

Multimedia and Critical Data Policy

Protect voice and

video quality
Latency < 150 ms
Jitter < 20 ms
Protect Email applications

from WAN congestion

Loss < 5%

Voice and video preferred

path SP1
Email preferred path ISP
Increase utilisation
by load sharing

How PfR Route Control Works

Key Operations
Traffic
Classes

ISR G2

ASR1K

Learning
Active TCs

MC

BR

MC+BR

Define Your Traffic Policy

Identify Traffic Classes

based on Applications or
Transport Classifiers

MC+BR

MC

BR

MC+BR

Performance
Measurements

BR

MC+BR

Learn the Traffic

ISR G2 and ASR Learn

traffic classes flowing
through Border Routers
(BRs) based on your
policy definitions

MC+BR

MC+BR

MC

Best
Path

BR

MC+BR

BR

MC+BR

Measurement

Measure the traffic flow

and network performance
actively or passively and
report metrics to the
Master Controller

MC+BR

MC+BR

BR

MC+BR

MC+BR

Path Enforcement

Master Controller
commands path changes
based on your traffic
policy definitions

Path of last Resort

Creates a link that will be used at

last resort

Normally a link that is expensive

and charged per usage

E.g. Satellite or LTE

IWAN POP1

IWAN POP2

MC1

BR1

BR2

4G

R10

BR3

BR5

BR4

BR6

NBN

DSL

R12

R13

Optimise Application
Performance

Todays Network Is an IT Blind Spot

Static port classification is no

longer enough

More and more apps are opaque

Increasing use of encryption and

obfuscation

Application consists of multiple

sessions (video, voice, data)

Collaboration

FTP

Information

IM

SOAP

SaaS

SOAP

RPC

Video

What if user experience is not

meeting business needs?

HTTP is the new TCP

Make Your IWAN Application Aware

Add Cisco Application Visibility and Control (AVC)
Users/
Machines

Public
Cloud

Proliferation
of Devices

Private
Cloud
Branch
DC/Headquarters

60% of IT Professionals Cite Cloud Performance as Key Challenge

No Probes

Cisco AVC

Smart Capacity
Planning

Rich data collectionFlexible NetFlow

No additional hardware,
AX license
Many reporting tool options

Per-application per-site level reporting

Better information improves planning
accuracy

Business Aligned Privacy

Enforcement

Intuitive application policies

Identify specific Cloud applications
within http:

Performance Collection and Exporting

Integrated performance monitoring and advanced metrics for different type of applications and use cases
Advanced
Monitoring

Voice and Video Performance

(Media Monitoring)

30% of traffic is
voice and video

Critical Applications Performance

(Application Response Time)

40% of traffic is
critical applications

What applications, how much bandwidth, flow direction?

(NBAR2 and Flexible Netflow)

Basic Monitoring

HTTP
HTTP

Application Performance Monitoring for IWAN

Track and Report Application Flows and Performance
AVC

Users/
Machines

CSR

Proliferation
of Devices

Enterprise Edge
AVC

AVC

Private
Cloud

WAN
NetFlow v9

Branch

AVC

DC/Headquarters

NetFlow/IPFIX Records
(Same provisioning, same format)

NetFlow v9 Export/IPFIX Export

Traffic statistics records

Application Response Time records
Media monitoring records
(Application, Jitter, Loss, etc)

Exporting
Provisioning

Collecting

Collecting

Collecting

Partner Tools Ecosystem

InfoVista
Plixer
ActionPacked
CompuWare
CA Technologies
Living Objects
Glue

App Performance Impacts Business Productivity

REVENUE LOSS
Source: Walmart

EMPLOYEE PRODUCTIVITY

Source: Akamai

Conversion Rate
Population %

Source: Aberdeen Group

Abandonment Rate

Conversion Rate

Employee Experience

iPhone

31%
Decreased effectiveness of IT staff

Abandonment Rate (sec)

30

32%

25
Damage to brand reputation

20
47%
15

Decreased responsiveness to needs

50%
Lost Revenue opportunity

0
0-1

3-4

7-8

11-12

Page Load Time (sec)

Slower Pages

>15

10

12

Page Load Time (sec)

Low Conversion Rate

14

58%
Decreased employee satisfaction

Employee
Experience

Customer
Satisfaction

Cisco WAAS
Enhancing User Experience and WAN Efficiency
Solution

Problem
Application latency
WAN bandwidth

inefficiencies

Reduce load
Data redundancy elimination
(DRE), compression, and
TCP optimisation

Application

Bandwidth
(Mbps)

Latency
(Seconds)

160

Reduction in
bandwidth
3

120

80

40

optimisation
Fewer protocol messages
and metadata caching
Application bandwidth natively
Application bandwidth with Cisco WAAS
Application latency natively
Application latency with Cisco WAAS

Application
Bandwidth

Application
Latency

Reduction
in latency

Optimise and Enhance Thousands of Applications

AX Includes Cisco WAAS WAN Optimisation
Email (5MB Attachment)

10

20

30

40

50

60

70

80

90

File Services (5MB File)

100

110

120

130

140

150

10

20

30

40

50

Time in Seconds

24x

Send and Receive Email over native WAN

First Optimised with WAAS
Second Pass Optimised with WAAS

10

12

14

Faster

16

18

80

90

100

110

120

130

140

150

20

22

24

17x

Faster

VDI (Citrix)

26

28

30

Time in Seconds

Sharepoint File Download over Native WAN

First Optimised with WAAS
Second Pass Optimised with WAAS

70

File Drag and Drop Over native WAN

First Optimised with WAAS
Second Pass Optimised with WAAS

(5MB Document)

60

Time in Seconds

10

12

14

16

18

20

22

24

26

28

30

Time in Seconds

30x

Faster

Launch Citrix XenDesktop Over Native Citrix ICA/SSL

Launch Citrix XenDesktop with WAAS
Site Navigation Over Native Citrix ICA/SSL
Site Navigation with WAAS

3-8x

Faster

Cisco AppNav Virtualisation Technology

Virtualise WAN Optimisation Resources Into Pools Of Elastic Resources With Business Driven
Bindings. Greatly Simplify Deployment and Management of WAAS.

Client

WAN

WAN

WAAS
pool1
WAAS
pool2

Data Centre

Abstraction
Mix form factors
Decouple from topology

WAAS
pool3

Partitioning
Traffic classification
Logical groupings
App, Branch, server based

WAAS
pool2

WAAS
pool1

Elasticity
Dynamic resource creation
Load-based response
Cloud Elasticity

Extending Akamai to the Branch with Edge Caching

Completing the last mile with Akamai in the branch

Branch

WAN/
MPLS

Data Centre

AKAMAI
CACHE

Akamai
Intelligent
Platform
ISR-AX

AKAMAI INSIDE

Optimal Experience Regardless of Device, Connectivity or Cloud

All HTTP Traffic in Private, Public, Akamai Cloud
Prepositioning | Dynamic HTTP Caching (YouTube) | Any Transport

Available
N!

Cisco WAAS Advanced Capabilities

Edge Caching Enhances the User Experience

AKAMAI CONNECT
Worlds Best Optimisation Solution for HTTP Traffic
AKAMAI CACHING AND ACCELERATION
Transparent HTTP
Caching

Dynamic URL OTT

HTTP Caching

Akamai
Connected Cache

Content
Pre-positioning

CISCO WAAS
LZ
Compression

Data
De-duplication

TCP
Optimisation

Application Specific
Acceleration

Now Supports
Akamai Cloud | Single-sided Optimisation | Secure Direct Internet Access

Securing IWAN

Securing the IWAN

IPSec VPN and Firewall
Step 1: Secure Transport
IPSec with DMVPN overlay
Secure transport independent overlay
Add Strong Cryptography: IKEv2 + Elliptic Curve Crypto (Suite-B)

Data Centre

Front-door VRF Design

IOS Zone-based Firewall

Minimise exposure
DHCP addressing for Internet and tunnel interfaces

ASR 1000

ASR 1000

Step 2: Threat Defence

ISP C

ISP A

DSL

Cable

Dont put tunnel addresses into DNS

Step 3: Choose your performance level

Size router based on Encryption with Services and WAN bandwidth

Head-end: ASR1000 or ISR4400
Branch: ISR-G2 or ISR4k
ISR-G2

Branch

Securing IWAN Transports with Front-Door VRF

Isolation of External Networks

VRFs have
independent
routing and
forwarding
planes

Global
Enterprise
VRF
IPSec Tunnel
Interface

Global

Virtual Route Forwarding (VRFs) create multiple

logical routers on a single device

Separate control/data planes per VRF

No connectivity between VRFs by default

Provider side VRF (yellow) for external

networks, Global VRF (blue) for internal
networks

Provider VRF minimises threat exposure

Default routing only in Provider VRF

Provider assigned IP addressing hides internal

network

Provider IP address used as IPSec tunnel

source

Only IPsec allowed between internal Global and

Provider Front Side VRFs

F-VRF
Branch LAN
10.1.1.0/24
10.1.2.0/24

Front Side
Provider VRF

Provider Assigned
WAN IP Address
192.168.254.254

Protecting the Public Facing IWAN Interfaces

Use ACLs, ZBFW or ASA to block all traffic

except the DMVPN tunnel traffic to routers

Zone Based Firewall (ZBFW) at the branch if there

are plans for direct Internet access

Data Centre

ASR 1000

Typical ACL for protecting the Internet interface

interface GigabitEthernet0/0
ip vrf forwarding INET-PUBLIC1
ip access-group ACL-INET-PUBLIC in
!
ip access-list extended ACL-INET-PUBLIC
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit udp any any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit udp any any gt 1023 ttl eq 1

ASR 1000

ISP C

ISP A

DSL

Cable

Branch

TrustSec SGT over DMVPN

SGT Tag Carried
over the WAN

I am an
HR person

Allow access to
HR Server only

HR

WAN
ASR 1000

HQ
IPv4 Clients

Authentication mechanisms: 802.1X, MAB, Web.Auth

Branch

Data Centre

Problem Statement

Solution Overview

BYOD support for non-IT

standard devices

Secure Group Tagging

(SGT) for Context-aware
Firewall enforcement

Enforcing consistent
security policy

Finance

Secure Group Tag

transport over DMVPN,
FlexVPN, GETVPN

Solution
Characteristics

Scalability

Secure Identity-based
access; keep outsiders out

100 Gbps FW (ASR1K with

ESP100)

Control Access and service

levels based on Identity
Authorised access for users
and devices

Support up to 6M Sessions
at 350K CPS (ASR1K with
ESP100)

Branch Internet Access

Intelligent WAN - Direct Cloud Access

MPLS (IP-VPN)
ISR-AX
ZBFW

Private
Cloud
Virtual
Private
Cloud

Branch

Internet

Direct
Internet
Access

CWS

Leverage Local Internet path for Public Cloud and Internet access
Improve application performance (right flows to right places)

Public
Cloud

Solutions
On Premise Zone Based Firewall
Cloud Based Cloud Web Security

Secure Internet Access with Cisco

Cloud Web Security (CWS)
IOS Firewall to
protect Internet
Edge

IWAN IPsec VPN

for Private Cloud
Traffic
WAN1
(IP-VPN)

WAN2
(Internet)

Private
Cloud

Secure Public
Cloud and Internet
Access

Branch

Public
Cloud

ISR Connector to
CWS Firewall towers
CWS
Internet

Web Filtering,
Access Policy,
Malware Detect

Cisco Cloud Web Security (CWS)

Centralised Policy and Granular Reporting
Administrator

Flexible reporting with

over 75 attributes
Deep, drill down visibility
Overview, trending and
forensic data

Office Based
User

CWS

Roaming
User

User Granularity
Integration with existing network
infrastructure (e.g., routers, firewalls)
Integration with Directory Services

Mobile
Devices

Numerous deployment options

Policy Control

Internet
Security

Web 2.0 content control

Outbreak intelligence

BI-directional content control

Billions of Web requests every day

Dynamic Web Classification

Real-time content analysis of all

Web content

HTTP/HTTPS scanning
SearthAhead

Effective zero-day threat protection

CWS Offers Consistent, Enforceable, High-Performance Web Security

and Policy, Regardless of Where or How Users Access the Internet

Simplified Branch
Deployments

Remote Site Deployment Challenges

Limited remote site IT staffing

Travel costs

Travel time lost productivity

Upgrade and change control downtime risks

Lengthy project schedules

Cisco IWAN Management Portfolio

Covering a broad range of Preferences and Requirements
Cisco
Prime
Infrastructure
Enterprise Network
Mgmt and Monitoring

Ecosystem Partners
IWAN App
Prescriptive
Policy Automation

Application Aware
Performance Mgmt

Advanced
Orchestration

Customer needs
customisable IWAN with
end-to-end monitoring

Customer wants
considerable automation
and operational simplicity

Customer looking for

advanced monitoring and
visualisation

Customer wants advanced

provisioning, life cycle
management, and
customised policies

One Assurance across

Cisco portfolio from Branch
to Datacentre

Requirements consistent
with prescriptive IWAN
Validated Design

QoS/ PfR/ AVC configuration,

Real-time analytics and
network troubleshooting

System-wide network
consistency assurance

IT Network team

Lean IT organisation

IT Network team

Lean IT OR IT Network team

IWAN Management Solution Positioning

Foundation

Visualisation & Health

Prime

Prescriptive
Provisioning & Life
Cycle Management

On Prem

Cloud

Infrastructure

Advanced

ASR 1000

IWAN App

Customisable
Prime

IWAN Orchestration and Automation Evolution

Traditional
Management Systems

Capacity Planning, Troubleshooting,

Change control

Prime

Partners (future)

Cisco IWAN Apps

IWAN
Transport

ZTD
Provisioning

Trust
Automation
Apps

Cisco Prime
Security
Policy

Path Control
Policy

Application
Policy

Evolution
REST APIs

APIC-EM Services (Partial)

PKI
Svc

NetFlow
Svc

Network
Svc

Events
Svc

Inventory
Svc

Device Abstraction Layer

OnePK/Openflow

CLI

ZTD
Svc

APIC-EM

IWAN Application Home Dashboard

Datacentre design options

Application priority policy settings

Path preference
Drag & Drop business buckets

Map view with Geo location

Site summary from map view

LiveAction Software

An Application-aware Network Performance

Management
and QoS Control tool

Fast, simple, cost effective way to monitor and

control application performance leveraging Cisco
capabilities

LiveAction Components

Flow

QoS Monitor

QoS Configure

LAN

Routing

IP SLA

Glue Networks NGWAN/IWAN Orchestration

Cloud-based SaaS subscription model

Eliminates manual building of WANs

Automated WAN orchestration and management

Quick configuration updates and IOS upgrades

Rapidly delivers nextgen and IWAN features

Forward compatible with SDN and OnePK for app aware WANs

Broadband and MPLS support for centralised hybrid WAN

management for IWAN

Hardware for IWAN

Start with Cisco AX Routers

IWAN Capabilities Embedded in the Router

One Network
UNIFIED SERVICES

Visibility
L4-L7
Application
Control
Services

ASR1000-AX

Optimisation

Simplify
Application
Delivery

Transport
L2-L3
Independent
Transport
Secure
Routing

ISR-AX

Cisco AX Routers 3900 | 2900 | 1900 | 800 | ISR4000-AX | ASR1000-AX

IWAN Branch Services Routers

ISR4000 Series - IWAN AX Ready, Next Generation Branch

APPLIANCE LEVEL
PERFORMANCE
Service-Aware Dataplane

ISR4451

1-2Gbps

ISR4431

500Mbps/1G
bps

ISR 4351

200/400Mbps

ISR 4331

100/300Mbps

ISR4321

50/100Mbps

Resilient Service Virtualisation

Multi-gigabit Fabric

APPLICATION CENTRIC
App/User policy-driven deployment
APIC_EM Automation: deploy in minutes

Pay-as-you-grow
Up-to-75% cost savings

INTEGRATED IWAN SERVICES

IOS Firewall, VPN, IPSec, PfRV3,
NBAR2, AVC, AppNav, VRF, MPLS
Scalable on-chip service provisioning

IWAN Aggregation Border Routers

ASR1000 - IWAN AX Ready, High Performance Routers

COMPACT, POWERFUL ROUTER

ASR1001-X

Line-rate performance 2.5G to 200G+

with services enabled
Crypto performance from 2G to 60G+
Flexible I/O: SPAs and Ethernet LCs

2.5G Upgradeable to 5G, 10G, 20G

Up to 8G Crypto Throughput

Modular ASR1006

BUSINESS-CRITICAL RESILIENCY
Separate control and data planes
Hardware and software redundancy

ASR1002-X

In-service software upgrades

INTEGRATED IWAN SERVICES

IOS Firewall, VPN, IPSec, PfRV3,
NBAR2, AVC, AppNav, VRF, MPLS
Scalable on-chip service provisioning

5G Upgradeable to 10G, 20G, 36G

Up to 4G Crypto Throughput

Modular, Redundant up to 200G

Up to 60G Crypto Throughput

Cisco UCS-E Series

Extend Cloud Services into Branch Infrastructure
Platform for WAN
Edge Applications

App

App

App

App

OS

OS

OS

OS

Microsoft Windows-Server
and Linux Certified
Hypervisor

Dedicated Blade
Management
Cisco Integrated
Management Controller

UCS-E Blade

Hypervisor

CIMC
E

UCS-E Blade

IOS, MGF Backplane Switch

Consistent management
for UCS family

Cisco UCS Virtualisation Powered by

VMware, Microsoft, Citrix

Multipurpose x86 Blades

Cisco UCS
E Series modules
House up to four server
blades in an ISR

Single-Device
Network Integration
House all services in ISR chassis

Multigigabit fabric backplane switch

Server Virtualisation

Support on ISR Series Routers

Why?

Intelligent WAN Summary

Transport Independent Design

DCI
WAN
Core

Highly available Hybrid WAN

Intelligent Path Control

Performance Routing (PfR) to protect applications and

load balance traffic to maximise expensive WAN bandwidth

DC-East

WAAS

WAAS

MC

Internet

Application Optimisation

DC-West

AV
C

BR

BR

BR

ASR-AX

Application Visibility and Control (AVC) to monitor performance

AV
C

512M FD

WAAS + Akamai to reduce bandwidth consumption while improving

application experience

Secure Connectivity

Secure the network from outside threats

Cloud Web Security (CWS) for improved Cloud performance while

freeing up WAN bandwidth, without compromising security

IWAN Management

BR

ASR-AX

256M FD

Internet

MC

Cisco and Ecosystem Partner tools

APIC-EM IWAN-APP, Prime, LiveAction, GlueWare, and
more

ATBT
MPLS

Island
ADSL

1.5M FD

20M Dn
2M Up

AV
C
ISR-AX
vWAAS

Branch-1

ISR-AX
vWAAS

Branch-513

CWS
Internet

Why Cisco IWAN?

Uncompromised Experience Over Any Connection

Mixed Transports with High Reliability

SLAs for Business Critical Applications

Centralised Security Policy for Internet

Access
Lower WAN Costs without Compromise

Q&A

Complete Your Online Session Evaluation

Give us your feedback and receive a
Cisco 2016 T-Shirt by completing the
Overall Event Survey and 5 Session
Evaluations.

Directly from your mobile device on the Cisco Live

Mobile App
By visiting the Cisco Live Mobile Site
http://showcase.genie-connect.com/ciscolivemelbourne2016/

Visit any Cisco Live Internet Station located

throughout the venue

T-Shirts can be collected Friday 11 March

at Registration

Learn online with Cisco Live!

Visit us online after the conference
for full access to session videos and
presentations.
www.CiscoLiveAPAC.com

Thank you