BRKARC-2091

March 20, 2018 | Author: bennial | Category: I Pv6, Cloud Computing, Virtual Private Network, Cisco Systems, Computer Network





Description

BRKARC-2091 Next Generation Enterprise WAN: Branch & Head-End
Scott Van de Houten, [email protected]
Borderless Networks Technical Strategy
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public

"Everything is moving to the CLOUD!"
Server, application and desktop virtualization are transforming data centers into private clouds. Hosting providers offer virtual infrastructures instead of physical space and equipment – Hybrid Clouds.
Which Cloud? Private Cloud? Hybrid Cloud? Public Cloud? "It's in the Cloud!"
• How do you design a network if you don't know where the applications reside?
• What if the applications move to a different DC, or to a Hybrid Cloud offering?
• The Internet and Web have revolutionized how Application Service Providers deliver applications.
• How do you isolate user performance issues for Cloud applications?
• Mobile devices enable users to access applications from anywhere at any time – Work Your Way.
• How will all of this impact security policies and procedures?

Agenda
• The Borderless Network
• Next Generation Enterprise WAN
• Private Cloud Services
• Hybrid Cloud Services
• Public Cloud Services
• Platform Overview
• Wrap Up / Summary

Enterprise Megatrends
• Immersive Collaboration – Pervasive Video
• Mobility – BYOD
• Cloud – Private, Public, Hybrid
Drivers: Security, IT Effectiveness, Cost Control ($)

Network Implications: Shifting Borders
• Location Border – Mobile Worker
• Device Border – IT Consumerization
• Application Border – Video/Cloud; internal applications and external-facing applications (IaaS, SaaS)

Borderless Networks Architecture
Key IT Initiatives: BYOD, Desktop Virtualization, Pervasive Video, Remote Expert, Cloud Computing, IT/OT Convergence, Risk Management & Compliance
Key System Pillars addressing the initiatives (managed with Cisco Prime): Unified Access (Wireless), Cloud Intelligent Networks, SecureX, Connected Industries (Systems Excellence)
Services: Medianet (Multimedia Optimization), EnergyWise (Energy Management), TrustSec (Policy Enforcement), App Visibility and Control (App Performance), Application Networking/Optimization, Cloud Connectors (Cloud Optimization)
Network and End-Point Services: Routing, Switching, Security Appliance and Firewall
Technology Innovation

Cloud Intelligent Networks Solutions
• Branch: Cisco ISR G2 – AVC, WAAS, UCS-E; Cloud Connectors (ScanSafe, WebEx, AnyConnect VPN, HCS)
• Private Cloud: ASR 1000 – AVC, WAAS, ASA, AppNav
• Virtual Private Cloud: CSR 1000V, ASA 1000V, VSG, vWAAS; Nexus 1000V with vPath and VXLAN; Security
• Public Cloud: WebEx, CCA, 3rd party, HCS Services; Cloud Connectors
• Cloud Intelligent Network: App Visibility & Control (AVC), Cloud Connectors, Medianet
• Management: Cisco Prime Infrastructure

Introducing the Next Generation Enterprise WAN
Next Generation Enterprise WAN – High Level Topology
Diagram: West, East and South Region regional WANs (remote branches) connect through regional WAN interconnects to a WAN core; Metro and Internet WAN serve as primary or backup; the local campus, data center, private cloud, cloud data center, service provider, public cloud and hybrid cloud services attach to the core.
Services across the topology: Application Visibility & Control, MediaNet, TrustSec, IPv4/v6, Cloud Operations, Voice, Video, etc.
• Seamless any-to-any services
• Consistent security
• Efficient use of resources

Regional WAN Architecture
Diagram: enterprise interconnect; redundant, scalable GETVPN headend (ASR1K) and DMVPN headend (ASR1K) in front of the local campus data center; transports SP A MPLS (OC3, DS3, FE, GE), SP V MPLS, Internet, Serial, Ethernet, 3G/4G and Satellite to the Ultra High-End Branch/Campus (ASR1K), High End Branch, Standard Branch and Mobile Branch (ISR G2); Cisco Prime for management.
• Standardized profiles simplify management, monitoring and troubleshooting
• Redundant, scalable headends
• Any WAN transport
• Optimized performance – intelligent, per-application, adaptive routing
• Pervasive, scalable end-to-end security

Regional WAN Branch Profiles – Flexible deployment options for different service requirements (performance and availability)
• Mobile Branch – 3G/4G or Satellite; WAAS Express to boost application performance; branch mobility; deliver video over 4G*. Examples: retail banking, kiosk, vehicles, cruises
• Standard Branch – Most common deployment; migration from Serial to Ethernet; SP MPLS VPN with Internet VPN backup; application performance; 4-9s availability; deliver SD video. Typical branch office
• High-end Branch – Migration from DS3 to FastEthernet; dual SP MPLS; redundant router; application performance; 5-9s availability; deliver HD video. Financial branch, med/large branch office
• Ultra High-end Branch/Campus – Very high bandwidth, up to 1Gb; software and hardware redundancy; same profile as High-end Branch; services scaled up by dedicated appliance engines. Remote campus
Platforms: ISR G2 for Mobile, Standard and High-end Branch; ASR1K for Ultra High-end Branch/Campus.

Regional WAN Aggregation Profiles – Scalability and Availability
Two WAN aggregation profiles for different availability and scalability requirements:
• Standard Aggregation – Scale to support 1500 sites; 4-9s availability; one device serves multiple roles (ASR1K as GETVPN GM and PfR MC, ISR G2 as GETVPN KS); hardware/software redundancy; MPLS plus Internet (DMVPN)
• High-end Aggregation – Scale to support 5000* sites; 5-9s availability; dual SP MPLS and Internet (DMVPN); redundant Key Server (GETVPN COOP KS on ISR G2); dedicated PfR MC; hardware/software redundancy; ASR1K GETVPN GMs
Branch profiles served: Ultra High-end Branch, High-end Branch, Standard Branch, Mobile Branch.
Private Cloud Services
Application Visibility & Control; WAAS & UCS E; MediaNet; TrustSec Security; IPv6

Private Cloud Definition
Used only by a single company or organization. They might be operated by a third party instead of the company using them. The Private Cloud looks a lot like the traditional Enterprise Data Centers we're familiar with, although they tend to focus on virtualized services. Source: NIST
Diagram: Private Cloud (ASR 1000 – AVC, WAAS, ASA, AppNav); Virtual Private Cloud (CSR 1000V, ASA 1000V, VSG, vWAAS, Security; Nexus 1000V with vPath, VXLAN); Public Cloud (HCS Services); Cloud Intelligent Network – App Visibility & Control (AVC), Cloud Connectors, Medianet.

Application Visibility & Control

"Today the Network is an IT Blind Spot"
• Static port classification is no longer enough
• More and more apps are opaque
• Increasing use of encryption and obfuscation
• An application consists of multiple sessions (Video, Voice, Data)

Next Generation Networks will be Application Aware
• Gain visibility into applications running in the network, performance trends and user experience
• Intelligently prioritize and control application traffic to maximize user experience

What is the Application Visibility and Control (AVC) Solution?
Diagram: ISR G2 and ASR1K routers export NFv9/IPFIX to reporting tools, which produce an App Visibility & User Experience Report (per application, e.g. SAP at 3M and Sharepoint at 10M bandwidth, transaction times such as 150 ms and 500 ms, and a High/Med/Low priority).
• Application Recognition – Identify applications using L3 to L7 information
• Performance Collection & Exporting – Collect application performance metrics and export them to the management tool
• Management Tool – Advanced reporting tool aggregates and reports application performance
• Control – Control application usage to maximize application performance

AVC Solution – Enabled Technologies
• Application Recognition – NBAR2
• Performance Collection & Exporting – Metric Mediation Agent: FNF, ART, MMON
• Management Tool – Cisco Prime Infrastructure, Cisco Insight, 3rd party tools
• Control – QoS, PfR

Next Generation NBAR (NBAR2)
Deep Packet Inspection (DPI): IOS NBAR (+150 signatures) combined with SCE classification (+1000 signatures) and advanced classification techniques. Application recognition in IOS 15.2(2)T1 and IOS XE 3.4S. Innovations: native IPv6 classification, open API for 3rd party integration.
• Provides advanced application classification and field extraction capabilities
• In-service upgradable protocol definitions – no IOS upgrade or reboot for new Protocol Packs
• Backward compatibility to preserve existing NBAR investments
• NBAR2 Protocol List: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html

Performance Collection & Exporting – What is it?
Perf. Collection & Exporting
• Integrated performance monitoring and advanced metrics for different types of applications and use cases
• Basic Monitoring – What applications, how much bandwidth, flow direction? (Flexible NetFlow and NBAR/NBAR2)
• Advanced Monitoring – Critical applications performance (Application Response Time): 40% of traffic is critical applications; Voice and video performance (Media Monitoring): 30% of traffic is voice and video

Gaining Full Visibility with Flexible NetFlow
• Extensible to support new and future metrics
• Monitors data from layer 2 through 7: L2, L3 and L4, L7 (NBAR), Network Metrics (QoS), Performance Metrics (MMON, ART), Other Metrics (classic NetFlow covers L3 and L4 only)
• Collect only what is needed – define your own record format and aggregation
• NetFlow to FNF Migration Guide: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/ps6965/white_paper_c11-545581.html

Better Visibility with NBAR2 and FNF
• show ip nbar protocol-discovery top-n
• Application information exported in FNF records
• Reporting tools display top client & server

Router#show ip nbar protocol-discovery top-n 10

 GigabitEthernet0/0/3
                         Input                           Output
                         -----                           ------
   Protocol              Packet Count                    Packet Count
                         Byte Count                      Byte Count
                         30sec Bit Rate (bps)            30sec Bit Rate (bps)
                         30sec Max Bit Rate (bps)        30sec Max Bit Rate (bps)
   --------------------- ------------------------        ------------------------
   webex-meeting         45807530                        163458047
                         2497543722                      129842885217
                         115000                          5998000
                         152000                          7799000
   bittorrent            59667396                        156155174
                         12768822744                     103187176646
                         555000                          4715000
                         697000                          5077000

Active or Passive Monitoring for Performance Measurement
Active Monitoring – an IPSLA sender on Router 1 actively probes an IPSLA responder on Router 2
• Generate synthetic traffic into the network
• Require an IOS responder for advanced monitoring types
Passive Monitoring – FNF, MMON, ART
• Inspect traffic to measure performance metrics
• Performance metrics available only when there is traffic

Application Response Time (ART) Measurement
"My email is slow!" "My query is taking a long time!" "How do I ensure my SLA is met?"
Diagram: Branch – WAN – Data Center; routers export NFv9/IPFIX to the reporting tool. ISR G2: 15.2(4)M2; ASR1K: 3.8S.
Key features:
• 27 Application Response Time (ART) metrics
• Interact with NBAR2 for application ID and field extraction information
• In ISR G2, ART is provided by the Performance Agent (PA); in ASR1K, ART is part of unified monitoring
Benefits:
• Visibility into application usage and performance
• Quantify user experience
• Troubleshoot application performance
• Track service levels for application delivery

ART Path Network Segment Breakdown
Diagram: Clients – Client Network – Branch ISR-G2 – Server Network – Application Servers; request and response timing yields Client Network Delay (CND), Server Network Delay (SND), Network Delay (ND), Application Delay (AD) and Total Delay.
• Separate the application delivery path into client and server segments
• Server Network Delay (SND) approximates WAN delay
• Latency per application
Application-aware QoS with NBAR2 (Control)

  Application          Committed BW (50% of line)   Excess BW (50% of line)     Priority
  Business Critical    50%                          –                           High
  Browsing             –                            30% (=15% of the line)      Normal
    Internal Browsing  –                            60% (out of Browsing)       Normal
  Remaining            –                            70% (=35% of the line)      –

class-map match-all business-critical
 match protocol citrix
 match access-group 101
!
class-map match-any browsing
 match protocol attribute category browsing
!
class-map match-any internal-browsing
 match protocol http url "*myserver.com*"
!
policy-map internal-browsing-policy
 class internal-browsing
  bandwidth remaining percent 60
!
policy-map my-network-policy
 class business-critical
  priority percent 50
 class browsing
  bandwidth remaining percent 30
  service-policy internal-browsing-policy
!
interface Serial0/0/0
 service-policy output my-network-policy

Business-Critical: high priority, 50% committed. Browsing: 30% of excess BW (=15% of the line); Internal-Browsing: 60% of Browsing. Remaining: 70% of excess BW (=35% of the line).

GRE/IPsec Network QoS Design
Direction of packet flow: the packet is initially marked DSCP CS5; by default the ToS value is copied to the IPsec header, so inner and outer headers both carry DSCP CS5; the top-most ToS is rewritten on egress (outer header DSCP AF41, inner header still DSCP CS5); at the far end the packet is decapsulated to reveal the original ToS byte (DSCP CS5). The egress policy remarks the DSCP value on the encrypted/encapsulated header on the egress interface:

policy-map WAN-OUT
 class VOICE
  priority percent 10
 class VIDEO-INTERACTIVE
  priority percent 23
  set ip dscp af41
 class NETWORK-MGMT
  bandwidth percent 5
  service-policy MARK-BGP
 class class-default
  bandwidth percent 25
  random-detect
!
policy-map Int-Gig-Agg-HE
 class class-default
  shape average 1000000000
  service-policy WAN-OUT

Performance Routing (PfR) – Application aware adaptive routing (Control)
• Full utilization of expensive WAN bandwidth – efficient distribution of traffic based upon load, circuit cost and path preference
• Improved application performance – per-application best path based on delay, loss and jitter measurements
• Increased application availability – protection from carrier blackouts and brownouts
Diagram: Branch ISR G2 (PfR MC/BR) reaches the Headquarter ASR1Ks (PfR BRs, PfR MCs, WAE cluster, Email VMs) over SP A MPLS and SP B MPLS (GETVPN) and over the Internet (DMVPN); the email path and the video path use different WAN links. Master Controller (MC), Border Router (BR).

PfR Use Case Examples – Protecting critical applications while maximizing bandwidth utilization
Cloud Service & Load Balancing Policy (Internet: ISP-1 primary, ISP-2 secondary; detect loss > 10%)
• Protect business Cloud applications from Internet brownout – Loss < 10%
• Cloud Service preferred path – ISP1
• Maximize all ISP bandwidth by load sharing all other Internet traffic
Multimedia & Critical Data Policy (WAN: SP-A MPLS VPN, SP-B MPLS VPN; detect high jitter)
• Protect voice and video quality – Latency < 200ms, Jitter < 30ms
• Protect VDI applications from brownouts – Loss < 5%
• Voice & Video preferred path SP-A
• VDI preferred path SP-B
• Maximize utilization by load sharing best effort traffic

Cisco Prime Infrastructure – Assurance (Management Tool)
• Configuration of AVC features*
• Network Monitoring
• Service Monitoring
• Reporting and Trends
• Multi-NAM Manager
• Packet and Flows Analysis
• Application Response Time
• Voice and Video Metrics
• Distributed SNMP and NetFlow Collection

WAAS and UCS E Series
Cisco WAAS – Enhancing user experience and WAN efficiency
Problem:
• Poor application responsiveness
• WAN bandwidth costs
Solution:
• Reduce load – Data Redundancy Elimination, compression, TCP optimization
• Application optimization – fewer protocol messages, metadata caching
Chart: Application Bandwidth (Mbps), natively vs. with WAAS – bandwidth saved; Application Latency (seconds), natively vs. with WAAS – reduced latency.

Challenges of Desktop Virtualization over WAN
• Hairpinning
• WAN's effects on user experience
• Display protocol opaque to the network
Diagram: Branch Office – Branch Router – T1 – Data Center / Campus. Video is processed on the HVD, overloading server compute and bandwidth; end-users see pixelization over the WAN but none on the LAN; increasing bandwidth is expensive and might not help.

WAAS 5.0 Optimization with Citrix ICA AO
• WAAS will optimize encrypted and compressed ICA desktop session traffic (no changes required on the ICA client, HVD, or DC infrastructure) for all versions of XenDesktop and XenApp
• Includes the WAAS 4.4 application-aware DRE feature for unidirectional caching of desktop session traffic, which improves scalability and application performance
Diagram: ICA client – Branch Router – WAAS – display protocol acceleration across the WAN – Aggregation Router – WAAS – Citrix HVD in the Data Center.
Note: Multi-Session ICA (MSI) in XenDesktop 5.5 is not supported in the current release. If MSI is used, only one initial session (port 1498) will be optimized automatically; other flows will be treated as regular TCP flows.

Cisco WAAS: WAN Optimization Solution
• Branch Office – IOS WAAS Express; WAAS Service Module; WAAS WAE Appliance
• Regional Office – WAAS WAE Appliances
• SOHO / Mobile User – WAAS Mobile software over VPN to a WAAS Mobile Server
• Data Center or Private Cloud – WAAS WAE Appliances; vWAAS appliances with server VMs on VMware ESXi; UCS / x86 servers and FC SAN
• Virtual Private Cloud – CSR 1000V, vWAAS and server VMs on Nexus 1000v (vPath, VSM) over VMware ESXi

Lean Branch Office Applications – Edge applications that defy centralization
Core Windows Services: DNS and DHCP servers; Microsoft Active Directory; Windows Print Services; Windows File Services; others …
Mission Critical Business Applications: Point of Sale Server; Bank Teller Control Point; Electronic Medical Records; Inventory Management; others …
Client Management Services: Software Update Service; Client Monitoring Service; Backup and Recovery; Terminal Server Gateway; others …

UCS E – Extend Cloud Services into Branch Infrastructure
Platform for WAN Edge Applications
• Microsoft Windows
Server Virtualization
• Cisco SRE Virtualization powered by the server-certified SRE-V hypervisor
• Cisco Integrated VMware vSphere Hypervisor (ESXi)
Dedicated Blade Management
• Cisco Service-Ready Management Controller (CIMCE)
• Consistent management – IOS
Multipurpose x86 Blades
• House up to four server blades of the UCS family in an ISR G2
Single-Device Network Integration
• House all devices in the ISR G2 chassis
• Multigigabit fabric (MGF) backplane switch
Supported on ISR G2 2911 and above. Diagram: App/OS virtual machines on the SRE-V hypervisor on SRE blades, connected through the MGF backplane switch engine modules.

MediaNet & Video Services
Medianet Introduction
"I want a network infrastructure so that I should not worry when tomorrow I'll be asked to implement video applications." – Massimo Fogaroli, IT Manager, Mediolanum Bank
• Media Aware – detection and optimization of different media and applications
• Endpoint Aware – automatic detection and configuration
• Network Aware – automatically respond to changes in devices and service availability
Capabilities: Network Assessment (IPSLA VO), Performance Monitoring, Visibility (Flow Metadata), Diagnostics (Mediatrace)

Medianet Media Monitoring – Media Assessment, Monitoring, and Troubleshooting
• Pre-deployment assessment / network validation – IP SLA VO: use ISR G2 DSPs to generate synthetic video, i.e. TelePresence
• What path, and where is the problem? – Mediatrace and Performance Monitor: network-initiated mediatrace collecting path and performance metrics of the media stream; Cisco Collaboration Manager displays the mediatrace results
Diagram: Cisco Prime Collaboration Manager initiates a mediatrace ("I am detecting a video quality issue"); the IP SLA initiator on the ISR G2 generates TelePresence traffic toward the IP SLA responder on the ASR1K across MPLS and Internet DMVPN; lost packets seen.

Media Monitoring – Performance Monitor (Perf. Collection & Exporting)
• Monitor video traffic traversing different network types (branch to WAN headend across MPLS and Internet)
• Generate alerts based on user-configurable thresholds
• Enable on the voice/video VLAN – apply to the in/out direction of the voice/video VLAN
• Provide metrics including jitter, packet loss, latency, bitrate, system resources, etc.
• MediaNet PerfMon is also the Media Monitor (MMon) in AVC
Reporting shown with LiveAction.

Diagnostics – Media Troubleshooting with Mediatrace
• Use Mediatrace to further troubleshoot media issues
• Initiate Mediatrace to discover the path, or quality metrics on devices in the media path
• Mediatrace responders collect the requested metrics and return them to the initiator
• Works with Cisco Collaboration Manager
Diagram: Collaboration Manager initiates Mediatrace for traffic from the branch phone to the headend phone across MPLS and Internet VPN.

Need for End to End Classification
Voice communication between Marylou and John: the voice communication started with application "X"; packets have DSCP=EF. The application knows lots of information that it is not going to send to the wire. Along the path the network sees only: this flow has DSCP = EF; this flow contains RTP voice; this packet has DSCP=EF; this packet comes from Fast1/0; this packet comes from location "Desk1"; this packet comes from user "Marylou".
• How to enforce a consistent network policy when classification is different along the path? E.g. rule: prioritize voice communication from Marylou to John?
• Endpoints can provide information not available or visible to the network

MediaNet Metadata for end to end classification – Metadata Flow Principles
Flow Identifier: IP Src 10.1.1.2, IP Dst 20.1.1.2, Prot UDP, L4 Src 2000, L4 Dst 4000
Metadata: Application VideoConference (Audio), Vendor Cisco, Dial From 83922564, Dial To 85268229, Caller ID Albert Albatross
1. Application creates metadata
2. Metadata announcement – each device in the path stores it in its Metadata DB
3. Media flow – QoS based on metadata; export of data to the NMS
Video Conferencing Services
Centralized MCU (HQ/Campus):
• Multiple video streams traverse the WAN to a central MCU resource – non-optimal use of limited WAN BW
• Video is mixed by a centralized MCU controlled by CUCM; signaling and media both cross the WAN
Branch video mixing on ISR G2:
• Video is mixed by the ISR G2 DSPs controlled by CUCM or UCME
• Keeps traffic local in the branch if all participants are located in the branch
• Ad-hoc and MeetMe conferences

Video Delivery Optimization – WAAS + Enterprise Content Delivery System (ECDS)
• Multiple "Publish and Subscribe" channels for simplified management (e.g. Signage Channel, Corporate Communications Channel, HR VOD Channel)
• Broad live broadcast protocol support – wmf, silverlight, flash
• Video pre-positioning
Diagram: Data Center + ECDS (CDN infrastructure) delivers over the WAN, with context-aware DRE, to branch offices running ECDS.

WAN TrustSec Security Services

NG WAN Pervasive Security – Secure, reliable access to any services
• Provides data privacy across the WAN – GETVPN any-to-any encryption over MPLS; DMVPN & FlexVPN over 3G/4G or Internet provide dynamic spoke-to-spoke tunnels
• Highly scalable WAN aggregation with encryption – 4000 DMVPN tunnels and 4000 GETVPN group members; up to 28 Gbps of encryption throughput per ASR1K
• Interoperation with QoS and PfR ensures service performance
• TrustSec simplified access control – SGT, SXP, SGACL and SG Firewall
Diagram: Standard Branch ISR G2 over SP A MPLS and SP B MPLS (protected by GETVPN, COOP KS) and over the Internet (protected by DMVPN) to the Headquarter ASR1Ks (DMVPN hub, GETVPN), the data center WAE cluster and the private cloud; SXP carries SGTs to the SG FW.

Dynamic Multipoint VPN (DMVPN)
• Full meshed connectivity with simple configuration
• Zero-touch configuration for addition of new spokes
• Automatic site-to-site IPsec tunnels
• Transport & carrier agnostic overlay transport – easy multi-homing, single control plane, simple carrier transition
• Large scale – up to 4000 spokes per ASR1k hub with EIGRP or BGP; hierarchical hub designs to scale beyond single hub limits
Diagram: traditional static tunnels (static, known IP addresses) vs. DMVPN tunnels (dynamic, unknown IP addresses; secure on-demand meshed tunnels between the hub and spokes 1..n).

Introducing FlexVPN – A single overlay VPN solution
Covers isolated branches (Easy VPN), remote access (AnyConnect) and shortcut switching (DMVPN), with per-department separation (Department RED, Department GREEN) behind the corporate LAN.

Group Encrypted Transport VPN (GETVPN) – Before and After GET VPN
Before: IPsec P2P tunnels over a public/private WAN
• Scalability – an issue (N^2 problem)
• Overlay routing
• Any-to-any connectivity may require tunnel setup
• Inefficient multicast replication
• Any WAN transport
After: tunnel-less VPN over a private WAN (WAN multicast)
• Scalable architecture for any-to-any connectivity and encryption
• No overlays – native routing
• Any-to-any instant connectivity
• Efficient multicast replication
• Private IP WANs

Cisco Router Security Certifications

  Platform                 FIPS 140-2 Level 2   Common Criteria EAL4   Next-Gen Encryption* Software Support   Next-Gen Encryption* Hardware Assist
  Cisco ISR 890 Series     ✓                    ✓                      ✓                                       ✓
  Cisco ISR 1900 Series    ✓                    ✓                      ✓                                       ✓**
  Cisco ISR 2900 Series    ✓                    ✓                      ✓                                       ✓**
  Cisco ISR 3900 Series    ✓                    ✓                      ✓                                       ✓
  Cisco ISR 3900E Series   ✓                    ✓                      ✓                                       ✓
  Cisco ASR 1000 Series    ✓                    ✓                      N/A                                     ✓**

http://www.cisco.com/go/securitycert
* NSA Suite B, RFC-4869 cryptographic algorithms for both unclassified and most classified information
** 1900s and lower 2900 Series require ISMs; only ASR 1002-X and ESP-100 based ASR 1000s

TrustSec SGT over DMVPN and GETVPN
• DMVPN inline tagging – ISR G2 (IOS 15.2(2)T) and ASR1k (XE 3.9*)
• SGT over GETVPN support on ISR G2 (IOS PI21*) and ASR1k (XE 3.9*)
• SG Firewall for egress enforcement
• SGT capability exchange during DMVPN IKEv2 negotiations and GETVPN group membership registration
• Learn SGT from SXP or authentication methods
• Simple one-command configuration – DMVPN "crypto ikev2 cts sgt", GETVPN "tag cts sgt"
* ISR G2 IOS (PI21) and ASR1k IOS (XE 3.9) will be available in Spring 2013.
Diagram: in the branch network, a Catalyst switch, AP and ISR G2 tag frames with SGTs (Finance, Sales, Guest, HR, Admin) assigned by ISE (posture, profiler); the SGTs are carried across MPLS (GETVPN) and the Internet (DMVPN) to the ASR1k; campus aggregation (Cat6K/Sup2 – SGACL) and the data center (Nexus 7000 – SGT/SGACL; Nexus 5000/2000; Catalyst 6500) perform egress enforcement.

Security Group FW Architecture
Diagram: ISE provides the SGACL policies; SGT or SXP propagates the classification to the ASR1k (SGFW enforcement at the enterprise WAN edge) and the ISR (SGFW enforcement in the branch); the data center switch enforces SGACL on IP-address-to-SGT bindings (e.g. SGT 10).
• Consistent classification/enforcement between ISR/ASR SGFW and switching
• In general, SGACL and SGFW policy should be synced via the policy administration UI
• SGT allows more dynamic classification in the branch and at WAN aggregation
• Rich logging requirements will be fulfilled on SGFW – URL logging, etc.
• Active/Active support in ZBFW allows for asynchronous routing*
• SGFW in ISR G2 IOS 15.2(2)T and ASR1k IOS XE 3.5
* Active/active assumes a shared L3 subnet on router interfaces for redundancy groups

IPv6 – Preserve, Prepare, Prosper

IPv6 – Why?
3 Feb '11: last day of IPv4 address allocations. Anyone, Anywhere, Anytime, Anything.
• IPv4 address exhaustion
• Government mandate
• IPv6 device and content growth
• Mergers and acquisitions
• Gain familiarity with IPv6
IPv6 Routing – ISR G2 and ASR 1000 designed for IPv6
• Routers designed with more memory and better performance for IPv6
IPv6 Feature Enablement – Broadest coverage in the industry
• IPv6 parity with IPv4 in most cases
IPv6 Transitioning – All transition mechanisms supported
• Dual Stack
• Tunneling
• Translation

Transitioning the Network to IPv6 – Preserve, Prepare, Prosper
Cisco NG Enterprise WAN Solutions
• Branch & Campus – Dual stack IPv4 and IPv6
• IPv4 WAN – Tunnel: 64 tunnels, IPv6 over DMVPNv4
• IPv6 Internet – Translate: NAT64 allows IPv6 devices to access IPv4 applications
Diagram: dual-stack campus/datacenter – WAN aggregation ASR1K – tunnel over the IPv4 WAN – dual-stack ISR G2 branch office; the Internet edge ASR1K translates (NAT64) between IPv6 devices and IPv4 services.

Hybrid Cloud Services – Virtual Private Clouds, Virtual Networking Services, Cloud Services Router

Hybrid Cloud Definition – Virtual Private Clouds (VPC)
Hybrid Clouds exist on the premises and are maintained by a cloud provider. Resources are allocated to individual companies or organizations, providing them the look and feel of a private cloud within a shared cloud environment. Source: NIST
Diagram: Private Cloud (ASR 1000 – AVC, WAAS, ASA, AppNav); Virtual Private Cloud (CSR 1000V, ASA 1000V, VSG, vWAAS, Security; Nexus 1000V with vPath, VXLAN); Public Cloud (HCS Services); Cloud Intelligent Network – App Visibility & Control (AVC), Cloud Connectors, Medianet.
Hybrid – Virtual Private Cloud: Virtual Networking Services
Diagram: cloud provider's data center with physical infrastructure (servers) and multi-hypervisor virtual infrastructure; per-tenant (Tenant A) cloud network services CSR 1000V, vWAAS, ASA 1000V, VSG (Department A, Department B), AppNav, vPath and Nexus 1000V.
• CSR 1000V: WAN Gateway; IOS Networking
• vWAAS: WAN Optimization; Application Traffic
• ASA 1000V: Edge Firewall; Protocol Inspection
• VSG: Zone-based Firewall; VM-level Control
• Nexus 1000V: Distributed Switch; NX-OS Consistency

Cisco CSR 1000V: Cisco IOS Software in a Virtual Form Factor
Diagram: the CSR 1000V runs as a virtual machine alongside application VMs (App/OS) on the hypervisor, virtual switch and server of a VPC/vDC.
• Virtual Route Processor (RP)
• Virtual Forwarding Processor (FP)
• Optimized for single-tenant use cases
• Hypervisor agnostic
• Virtual switch agnostic
• Server agnostic

Public Cloud Services: Cloud Connectors

Public Cloud Definition
Operated wholly by cloud providers, public clouds offer services to companies, organizations and individuals using a fully virtualized environment hosted in the cloud. Services are delivered in a shared environment even though they might be provisioned or customized for the needs of the individual organization. Source: NIST
Diagram (Cloud Intelligent Network): Private Cloud (ASR 1000, ASA, WAAS, AVC, AppNav); Virtual Private Cloud (CSR 1000V, ASA 1000V, VSG, vWAAS, Nexus 1000V); Public Cloud (HCS Services, Cloud Connectors); network services: Security, App Visibility & Control (AVC), Medianet, vPath, VXLAN.

What is Cloud Connector?
• Connects a corporate network to a cloud service
• Application- or service-specific to ensure transparent access
• Improves delivery of public cloud services: provisioning, security, performance, reliability, management
• Cloud Connector solutions include ScanSafe, WebEx Media, Hosted Collaboration Service, Storage/Backup, …
Diagram: headquarters campus and MPLS/GETVPN branches (ASR1K) reach public cloud services (Email, VMs) over the Internet through the Cloud Connector.

Example – ScanSafe Cloud Connector
• ScanSafe provides secure access to public cloud services
• Single policy portal, ease of deployment and management
• Direct Internet access reduces WAN cost and improves application performance
• Web Filtering, Web Security, Centralized Reporting, Consistent Policy Control
Diagram: headquarters campus and MPLS/GETVPN branches (ASR1K) reach Internet and public cloud applications through the ScanSafe Cloud Connector.

Example – WebEx Media Connector
• The WebEx Media Connector peers directly with the Enterprise WAN
• CUCM and CUBE deployed at the enterprise, and firewalls and CUBE in the WebEx cloud, secure the borders with WebEx
• Improves voice and video conferencing quality
• Reduces 800 toll charges
Diagram: headquarters campus and MPLS/GETVPN branches (ASR1K) connect to the Cisco WebEx Collaboration Cloud over the Internet through the WebEx Cloud Connector.

Example – Cloud Storage Connector (third-party connector)
• MSP Admin Portal: manage end-user accounts, service provisioning and billing
• End-User Virtual Portal: users access their own cloud backups and folders, restore and share files
• Cisco ISR G2 and UCS E-Series with Cloud Storage Gateway: cloud storage is cached on the UCS E; branch files are backed up to the cloud
• Backup Agent for roaming laptops; agent-less solution for the branch office
Diagram: branch office ISR G2 with UCS E-Series connects to the MSP network.

Platform Overview
Prime Infrastructure 1.2 Functional Overview
• A single integrated solution for comprehensive lifecycle management of wired/wireless access, campus, and branch networks
• Automates compliance with regulatory requirements, Cisco and IT best practices
• Utilizes rich performance data for end-to-end network visibility to assure application delivery and optimal end-user experience

ISR G2 Portfolio
Chart: recommended positioning by WAN access speed with services enabled (10 Mb, 15 Mb, 25 Mb, 35 Mb, 50 Mb, 75 Mb, 100 Mb, 150 Mb, 250 Mb, 350 Mb).
• High-End Branch: 3945E, 3925E (line rate N x FE); 3945, 3925 (line rate FE+)
• Standard Branch: 2951, 2921, 2911, 2901 (VDSL2+/sub-rate FE)
• Mobile Branch: 1941, 1921, 800 (EFM, sub-rate FE)

Cisco ASR 1000 Series Routers: Overview
Designed today for up to 360 Gbps in the future
Compact, Powerful Router
• Line-rate performance 2.5G to 100G+ with services enabled
• Investment protection with modular engines, IOS CLI and SPAs for I/O
• Hardware-based QoS engine with up to 232K queues
Business-Critical Resiliency
• Fully separated control and forwarding planes
• Hardware and software redundancy
• In-service software upgrades
Instant-On Service Delivery
• Integrated firewall, VPN, encryption, NBAR, CUBE
• Scalable on-chip service provisioning through software licensing
One IOS-XE Feature Set
• ASR 1001: 2.5–5 Gbps
• ASR 1002: 2.5–10 Gbps
• ASR 1002-X: 5–36 Gbps
• ASR 1004: 10–40 Gbps
• ASR 1006: 10–100+ Gbps
• ASR 1013: 10–360 Gbps

Wrap Up / Summary
Realizing the Borderless Enterprise
Diagram: a Borderless Experience (reliably, securely, seamlessly) for anyone, on any device, anywhere, anytime, across Private, Hybrid and Public Clouds, delivered by the Cisco Cloud Intelligent Network: Application Visibility & Control, MediaNet, TrustSec, Cloud Connect, IPv6 Transition, Operational Simplicity.

Next Generation Enterprise WAN Wrap Up/Summary
• Architectural approach to solving business requirements
 ‒ Modular: building blocks with layered services
 ‒ Infrastructure foundation for Cisco's Borderless Network
• Cloud Intelligent Network solutions
 ‒ Private Cloud Services
 ‒ Hybrid/Virtual Private Cloud Services
 ‒ Public Cloud Services
• ASR 1000 series: high-performance secure WAN aggregation router
• ISR G2 series: integrated branch services for security, voice, video and cloud access
• Virtualized Network Services – CSR 1000v, ASA 1000v, vWAAS, Nexus 1000v
• Cisco Prime: unique ability to manage the entire solution