Architecture
Simon Dwyer, Systems Engineer
Agenda
Traditional WAN
Cloud
Cloud: 50% of CIOs expect to operate via the cloud by 2015.
Mobility: 6X fat apps; 2/3 of mobile traffic will be video.
Client platforms: iOS 8 for iPhone 6; Android 4.4 (KitKat); Windows 7.
Chromebook creates as high as 692.2 times more network traffic.
On average, Chromebook creates 152 times more network traffic.
[Chart: network traffic per activity, PC vs Chromebook, values as extracted: Document Manipulation 0.14; Photo Manipulation 0.27, 10.80, 57.84; Video Manipulation 2.73, 211.29; Music Manipulation 0.21, 145.56; Web Browsing 77.39, 41.33; Note Taking 6.06, 18.30; Test Taking 5.00, 8.65]
Source: http://principledtechnologies.com/Microsoft/Chromebook_PC_network_traffic_0613.pdf
[Chart: monthly WAN cost per site. 10 Mbps: $220; 1.5 Mbps MPLS VPN CoS1: $303; MPLS VPN CoS2: $274; MPLS VPN CoS3: $260; iWAN dual Internet links combined for enterprise SLA: $140; totals shown: $1,014, $885, $830, -75%]
Source: Telegeography MPLS VPN pricing for San Francisco as of March 2013; Comcast Web site; Verizon website
$665 savings/month x 12 months x 1,000 sites = $8M savings per year
[Diagram: IWAN overview; branch connected over MPLS, Internet and 3G/4G-LTE to private cloud, virtual private cloud and public cloud, with WAAS and PfR]

PfR, Intelligent Path Control:
- Dynamic application best utilisation of bandwidth
- Improved availability

Application Optimisation:
- Application visibility with performance monitoring
- Application acceleration and bandwidth optimisation

Secure Connectivity:
- Certified strong encryption
- Comprehensive threat defence
- Cloud Managed Security for

WAN transport models: Hybrid (MPLS + Internet), Dual Internet, Public Internet; Enterprise MPLS. Best price/performance; most SP flexibility; enterprise responsible for SLAs.
[Diagram: MPLS (IP-VPN) and Internet transports from branch (ISR-G2) to data centre (ASR 1000); Direct Internet Access to public cloud; private cloud and virtual private cloud]

NEW! Transport-Independent Design

Transport Independent:
- Simplifies WAN design
- Easy multi-homing over any

Flexible:
- Dynamic full-meshed connectivity
- Consistent design over all transports
- Automatic site-to-site IPsec tunnels
- Zero-touch hub configuration for new spokes

Secure:
- Proven robust security
- Certified crypto and firewall for compliance
- Scalable design with high-performance cryptography in hardware
IWAN Hybrid

[Diagrams: Active/Standby WAN paths and Active/Active WAN paths; data centre ASR 1000 pair with DMVPN over MPLS (SP V) and Internet (ISP A), GETVPN over MPLS; one WAN routing domain; ISR-G2 branches; dual-Internet variant with ISP A and ISP C over DSL and cable]
Downtime per Year

[Chart: MPLS 99.95%*; Internet 99.90%*; downtime per year shown: 8 hours 46 minutes, 49 hours]

IWAN Solution:
- Single router, dual paths (MPLS + Internet, one ISR G2): 99.995%, 26 minutes downtime per year
- Dual routers, dual paths (MPLS + Internet, two ISR G2): 99.999%, 5 minutes downtime per year

* Typical MPLS and Business Grade Broadband Availability SLAs and Downtime per Year, calculated with Cisco AS DAAP tool.
[Diagram: hub ASR 1000 with IPsec VPN to ISR G2 branches 1, 2 ... n]

Traditional static tunnels: static, known IP addresses
DMVPN on-demand tunnels: dynamic, unknown IP addresses
DMVPN Evolution (IWAN 1.0 to IWAN 2.0; Phase 1, Phase 2, Phase 3):
- mGRE on hubs
- Simplified and smaller configuration on hubs
- Support dynamically and multicast
- Spokes don't need full routing table; no summarisation
- Spoke-spoke tunnel triggered by spoke itself; in Phase 3, by hubs
- Routing protocol scale limitations
- Removes routing protocol limitations
[Diagram: hub ASR 1000 routers (physical 172.17.0.5, Tunnel0 10.0.1.1) and (physical 172.17.0.1, Tunnel0 10.0.0.1), hub LAN 192.168.0.0/24; Branch 1 ISR G2 (physical dynamic, Tunnel0 10.0.0.11, Tunnel1 10.0.1.11) and Branch 2 ISR G2 (physical dynamic, Tunnel0 10.0.0.12, Tunnel1 10.0.1.12); branch LANs 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 with the router at .1]

Spoke-to-spoke tunnel setup:
- The redirect triggers the spoke to send an NHRP query for the data packet destination address behind the destination spoke.
- The destination spoke initiates a dynamic GRE/IPsec tunnel to the source spoke (it now knows its NBMA address) and sends the NHRP reply.
- The dynamic spoke-to-spoke tunnel is built over the mGRE interface.
Adding DMVPN to MPLS WAN
Replacing a WAN service with an Internet service
Other interesting IWAN topologies

[Diagrams: ISR G2 branches over combinations of MPLS, Internet and 3G/4G-LTE transports]
IWAN Hybrid, DMVPN Phase 3

[Diagram: data centre ASR 1000 pair with DMVPN Green and DMVPN Blue overlays over Internet (ISP A) and MPLS (SP V); transport settings; routing overlay; ISR G2 branch]
WAAS and PfR:
- Lower WAN costs
- Full utilisation of all WAN bandwidth
- Improved application performance
- Enabling Internet-based WANs
- Protection from carrier black holes and brownouts
[Diagram: data centre MC and BRs; branch over DSL and NBN; PfR]

Path control:
- Topological state; least cost path; static user preference
- Application-aware; policy controlled; measured performance
Metrics:
- Path cost; interface state
- Delay; jitter; bandwidth
Adaptive:
- Responds to link and node state changes (up/down)
- Responds to measured performance changes (degradation)
PfR Evolution: PfR/OER, PfRv2, PfRv3 (available now, today, new; IWAN 2.0)
- Internet edge; basic WAN; provisioning per site per policy; 1000s of lines of config
- Policy simplification; centralised provisioning; AVC infrastructure; VRF awareness
- Blackout ~ 2s; brownout ~ 2s
Performance Routing Components
The decision maker: Master Controller (MC)

[Diagram: data centre MC and BRs; branch MC+BR over DSL and NBN]
Load Balancing: Maximising Link Utilisation to Increase Available Bandwidth

[Diagram: data centre ASR 1000 pair with MPLS and Internet WAN to ISR-G2 branch; private cloud, virtual private cloud; 50% T1 = 750kbps]

- High jitter detected; business app; best-effort traffic; SP1 (MPLS); ISP (FTTH); efficiency by load-sharing traffic over all WAN paths, MPLS + Internet
- Best-effort traffic; SP1 (MPLS); ISP (DSL); video quality: latency < 150 ms, jitter < 20 ms
- Protect email applications: path SP1; email preferred path ISP; increase utilisation by load sharing
PfR operation (MC, BR and MC+BR roles):
- Learning: active TCs
- Performance measurements
- Best path measurement
- Path enforcement: Master Controller commands path changes based on your traffic policy definitions
[Diagram: IWAN POP1 and POP2 (MC1, BR1 to BR6) with branch routers R10, R12 and R13 over 4G, NBN and DSL]
Optimise Application Performance (Cisco AVC)

[Diagram: collaboration, FTP, information, IM, SOAP, SaaS, RPC and video traffic between branch, DC/headquarters, private cloud and public cloud; proliferation of devices]

Smart capacity planning: 30% of traffic is voice and video; 40% of traffic is critical applications
Basic monitoring: HTTP

[Diagram: AVC at enterprise edge, branch, CSR and DC/headquarters exporting NetFlow v9 and NetFlow/IPFIX records (same provisioning, same format); exporting, provisioning, collecting]

Collectors: InfoVista, Plixer, ActionPacked, CompuWare, CA Technologies, Living Objects, Glue
Employee Productivity (source: Akamai)

[Charts: conversion rate, population % and abandonment rate vs page load time (0-1, 3-4, 7-8, 11-12, >15 seconds; slower pages); customer satisfaction; employee experience]

Employee experience: 31% decreased effectiveness of IT staff; 32% damage to brand reputation; 47%; 50% lost revenue opportunity; 58% decreased employee satisfaction
Cisco WAAS: Enhancing User Experience and WAN Efficiency

Problem: application latency; WAN bandwidth inefficiencies
Solution:
- Reduce load: data redundancy elimination (DRE), compression, and TCP optimisation
- Application optimisation: fewer protocol messages and metadata caching

[Charts: application bandwidth (Mbps) natively vs with Cisco WAAS (reduction in bandwidth); application latency (seconds) natively vs with Cisco WAAS (reduction in latency); time in seconds: 24x faster, 17x faster (VDI, Citrix), 30x faster, 3-8x faster (5MB document)]
[Diagram: client, WAN, WAAS pools 1 to 3, data centre]

Cloud elasticity:
- Abstraction: mix form factors; decouple from topology
- Partitioning: traffic classification; logical groupings; app, branch, server based
- Elasticity: dynamic resource creation; load-based response
[Diagram: branch ISR-AX (Akamai inside) over WAN/MPLS to data centre and Akamai cache / Akamai Intelligent Platform]

Akamai Connect, available now: world's best optimisation solution for HTTP traffic

Akamai caching and acceleration: transparent HTTP caching; Akamai Connected Cache; content pre-positioning
Cisco WAAS: LZ compression; data de-duplication; TCP optimisation; application-specific acceleration
Now supports: Akamai Cloud | Single-sided optimisation | Secure Direct Internet Access
Securing IWAN

[Diagram: data centre ASR 1000 pair; ISP A and ISP C over DSL and cable; branch]

VRFs have independent routing and forwarding planes:
- Global / enterprise VRF: branch LAN 10.1.1.0/24 and 10.1.2.0/24; IPsec tunnel interface
- Front-side provider VRF (F-VRF): provider-assigned WAN IP address 192.168.254.254
[Diagram: data centre ASR 1000 pair; ISP A and ISP C over DSL and cable; branch with IPv4 clients; HQ ASR 1000; HR and Finance servers. "I am an HR person" / "Allow access to HR server only"]

Problem statement: enforcing consistent security policy
Solution overview and characteristics:
- Secure identity-based access; keep outsiders out
- Scalability: support up to 6M sessions at 350K CPS (ASR1K with ESP100)
Direct Internet Access and Cloud Web Security (CWS)

[Diagram: branch with WAN2 (Internet) to public cloud and CWS; private cloud; virtual private cloud]

- Leverage local Internet path for public cloud and Internet access
- Improve application performance (right flows to right places)
Solutions: on-premise zone-based firewall; cloud-based Cloud Web Security
Secure public cloud and Internet access: ISR connector to CWS firewall towers; web filtering, access policy, malware detection; office-based user and roaming user
- User granularity; integration with existing network infrastructure (e.g., routers, firewalls); integration with directory services; mobile devices
- Policy control; Internet security: outbreak intelligence, HTTP/HTTPS scanning, SearchAhead
- Simplified branch deployments; travel costs
Ecosystem Partners

IWAN App (prescriptive policy automation), application-aware performance management, advanced orchestration:
- Customer needs customisable IWAN with end-to-end monitoring
- Customer wants considerable automation and operational simplicity
- Requirements consistent with prescriptive IWAN Validated Design
- System-wide network consistency assurance
- IT network team; lean IT organisation

Prime: prescriptive provisioning and life cycle management (on prem, cloud); infrastructure: ASR 1000; IWAN App (customisable); Prime; partners (future)

APIC-EM: ZTD provisioning, trust automation; apps (Cisco Prime, security policy, path control policy, application policy, evolution); REST APIs; services (NetFlow, network, events, inventory, CLI, ZTD)

LiveAction Software components: Flow, QoS Monitor, QoS Configure, LAN, Routing, IP SLA; forward compatible with SDN and OnePK for app-aware WANs
One Network, Unified Services

- Visibility: L4-L7 application control services, optimisation (ASR1000-AX); simplify application delivery
- Transport: L2-L3 independent transport, secure routing (ISR-AX)

ISR 4000 series throughput: ISR4451 1-2Gbps; ISR4431 500Mbps/1Gbps; ISR 4351 200/400Mbps; ISR 4331 100/300Mbps; ISR4321 50/100Mbps

Application centric: app/user policy-driven deployment; APIC-EM automation: deploy in minutes; pay-as-you-grow; up to 75% cost savings (ASR1001-X, modular ASR1006)
Business-critical resiliency: separate control and data planes; hardware and software redundancy (ASR1002-X)
[Diagram: UCS-E blade in the ISR chassis; hypervisor running several app/OS instances; Cisco Integrated Management Controller (CIMC)]

Server virtualisation: Microsoft Windows Server and Linux certified hypervisor; dedicated blade management via Cisco Integrated Management Controller; consistent management for UCS family; single-device network integration: house all services in ISR chassis
Why?

[Diagram: DC-East and DC-West linked by DCI and WAN core, each with WAAS, MC, BRs, ASR-AX (512M FD, 256M FD) and AVC; Internet; AT&T MPLS island; Branch-1 and Branch-513 ISR-AX with vWAAS over ADSL (1.5M FD, 20M Dn / 2M Up); CWS; application optimisation, secure connectivity, IWAN management]
Q&A
Thank you