
Next Generation Enterprise WAN: Branch & Head-End
David Prall, Communications Architect
BRKARC-2091
Housekeeping
• Please switch your mobile phones to STUN
• We value your feedback—don't forget to complete your online session evaluations after each session and complete the Overall Conference Evaluation which will be available online from Thursday
• Visit the World of Solutions
• Please remember this is a non-smoking venue!
• Please make use of the recycling bins provided
• Please remember to wear your badge to the Party

BRKARC-2091 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
"Everything is moving to the CLOUD!"
Hosting providers offer virtual Server, Application, Desktop infrastructures instead of physical space and equipment – Hybrid Clouds.
Virtualization is transforming Data Centers into Private Clouds.
How do you design a network if you don't know where the applications reside? Private Cloud? Hybrid Cloud? Public Cloud? It's in the Cloud! Which Cloud?
What if the applications move to a different DC? Or, Hybrid Cloud offering?
The Internet and Web have revolutionized how Application Service Providers deliver applications.
How do you isolate user performance issues for Cloud applications?
Mobile devices enable users to access applications from anywhere at anytime – Work Your Way
How will all of this impact Security Policies and Procedures?
Agenda
• The Borderless Network
• Next Generation Enterprise WAN
• Private Cloud Services
• Hybrid Cloud Services
• Public Cloud Services
• Platform Overview
• Wrap Up / Summary
Enterprise Megatrends
Diagram: Megatrends – Immersive Collaboration (Pervasive Video); Mobility (BYOD); Cloud (Enterprise Private, Public, Hybrid). Drivers – Security, IT Effectiveness, $ Cost Control.
Network Implications: Shifting Borders
Diagram: Mobile Worker – Location Border; IT Consumerization – Device Border (External-Facing Applications, Internal Applications); Video/Cloud (IaaS, SaaS) – Application Border.
Borderless Networks Architecture
Key IT Initiatives: Desktop Virtualization, Pervasive Video, Remote Expert, Cloud Computing, IT/OT Convergence, Risk Management & Compliance, BYOD.
Key System Pillars Addressing Initiatives: Unified Access, Cloud Intelligent Networks, Connected Industries, Systems Excellence, SecureX, Management (Cisco Prime).
Diagram: Medianet (Multimedia Optimization), EnergyWise (Energy Management), TrustSec (Policy Enforcement), App Visibility and Control (App Performance), Cloud Connectors (Cloud Optimization), Network and End-Point Services; built on Wireless, Routing, Switching, Application Networking/Optimization, Security Appliance and Firewall, and Technology Innovation.
Cloud Intelligent Networks Solutions
Diagram: Private Cloud – ASR 1000, AVC, ASA, WAAS, AppNav; Cisco Prime Infrastructure; Cisco ISR G2, AVC, WAAS, UCS-E. Virtual Private Cloud – CSR 1000v, ASA 1000v, VSG, vWAAS, Security, vPath, VXLAN, Nexus 1000V. Public Cloud – Cloud Connectors (ScanSafe, HCS, WebEx, CCA, 3rd party), AnyConnect VPN, ScanSafe, WebEx and HCS Cloud Connectors, HCS Services. Spanning all three: Cloud App Visibility & Control (AVC), Cloud Intelligent Network, Medianet.
Introducing the Next Generation Enterprise WAN
Next Generation Enterprise WAN – High Level Topology
Diagram: Remote Branches in the West, East and South Regions connect over Regional WANs (SP MPLS), Metro WAN and the Internet (primary or back up) to an Interconnect and Core, with Campus, Local Data Center, Data Center and Cloud Service Provider (Public, Hybrid and Private Cloud). Services spanning the WAN: Application Visibility & Control, MediaNet, TrustSec, IPv4/v6, Cloud Operations. Goals: seamless any-to-any connectivity; consistent Remote Branch Security Services; efficient use of Cloud resources; Voice, Video, Etc.
Regional WAN Architecture – Enterprise Interconnect
• Redundant, Scalable GETVPN Headend and DMVPN Headend (ASR1K) at Campus and Local Data Center
• Standardized Profiles
• Simplify Management, Monitoring, Troubleshooting (Cisco Prime)
• Optimized Performance – Intelligent, Per-Application, Adaptive Routing
• Pervasive, Scalable End-to-end Security
• Any WAN Transport – SP A MPLS, SP B MPLS, Internet; OC3, GE, DS3, FE, Serial, Ethernet, 3G/4G, Satellite
Diagram: branch profiles – Ultra High-End Branch/Campus (ASR1K), High End Branch (ISR G2), Standard Branch (ISR G2), Mobile Branch (ISR G2).
Regional WAN Branch Profiles
Flexible deployment options for different Performance and Availability service requirements.
Mobile Branch
• 3G/4G or Satellite
• WAAS Express to boost application performance
• Branch mobility
• Deliver video over 4G*
Typical: Vehicles, Cruises
Standard Branch
• Most common deployment
• Migration from Serial to Ethernet
• SP MPLS VPN with Internet VPN backup
• Application performance
• 4-9s availability
• Deliver SD video
Typical: Typical branch office, Retail Banking, Kiosk
High-end Branch
• Migration from DS3 to FastEthernet
• Dual SP MPLS
• Redundant router
• Application performance
• 5-9s availability
• Deliver HD video
Typical: Financial branch, Med/Large branch office
Ultra High-end Branch/Campus
• Very high Bandwidth – up to 1Gb
• Software and hardware redundancy
• Same profile as High-end Branch
• Services scaled up by dedicated appliance engines
Typical: Remote campus
Diagram: Mobile Branch on ISR G2 over 3G/4G or Satellite; Standard Branch on ISR G2 over MPLS and Internet; High-end Branch on redundant ISR G2 over dual MPLS; Ultra High-end Branch/Campus on redundant ASR1K over dual MPLS.
Regional WAN Aggregation Profiles
Two WAN Aggregation Profiles for different availability and scalability requirements.
High-end Aggregation
• Scale to support 5000* sites
• 5-9s availability
• Dual SP MPLS and Internet
• Redundant Key Server
• Dedicate PfR MC
• Hardware/software redundancy
Standard Aggregation
• Scale to support 1500 sites
• 4-9s availability
• One device serves multiple roles
• Hardware/software redundancy
Diagram: both profiles place GETVPN Key Servers (COOP KS), GETVPN Group Members, a PfR MC and DMVPN hubs on ASR1K / ISR G2 routers facing MPLS and Internet; the High-end profile dedicates separate devices to the KS and PfR MC roles.
Private Cloud Services
Application Visibility & Control; WAAS & UCS E; MediaNet; TrustSec Security; IPv6
Private Cloud Definition
Used only by a single company or organization, the Private Cloud looks a lot like the traditional Enterprise Data Centers we're familiar with although they tend to focus on virtualized services. They might be operated by a third party instead of the company using them.
Source: NIST
Diagram: Private Cloud (ASR 1000, AVC, ASA, WAAS, AppNav), Virtual Private Cloud (CSR 1000V, ASA 1000V, VSG, vWAAS, Security, vPath, VXLAN, Nexus 1000V), Public Cloud (Cloud Connectors, HCS Services); Cloud App Visibility & Control (AVC), Cloud Intelligent Network, Medianet.
Application Visibility & Control
"Today's Network is an IT Blind Spot"
• Static port classification is no longer enough
• More and more apps are opaque
• Increasing use of Encryption and Obfuscation
• Application consists of multiple sessions (Video, Voice, Data)
Next Generation Networks will be Application Aware
• Gain visibility into applications running in the network, performance trends, and user experience
• Intelligently prioritize and control application traffic to maximize user experience
What is Application Visibility and Control (AVC) Solution
Diagram: ISR G2 and ASR1K routers export NFv9/IPFIX records to Reporting Tools, which show per-application reports (App, BW, Transaction Time – e.g. SAP 3M 150 ms, Sharepoint 10M 500 ms) and App Visibility & User Experience Reports (High/Med/Low).
The solution has four building blocks:
• Application Recognition – Identify applications using L3 to L7 information
• Performance Collection & Exporting – Collect application performance metrics, and export to management tool
• Management Tool – Advanced reporting tool aggregates and reports application performance
• Control – Control application usage to maximize application performance
AVC Solution – Enabled Technologies
• Application Recognition – NBAR2
• Performance Collection & Exporting – Metric Mediation Agent, FNF, ART, MMON
• Management Tool – Cisco Prime Infrastructure, Cisco Insight, 3rd Party Tools
• Control – QOS, PfR
Application Recognition
Next Generation NBAR (NBAR2) – Deep Packet Inspection (DPI)
Diagram: IOS NBAR (+150 Signatures) and SCE Classification Innovations converge into NBAR2 (+1000 Signatures; IOS 15.2(2)T1, IOS XE 3.4S) with Advanced Classification Techniques, Native IPv6 Classification and an Open API for 3rd Party Integration.
• Provides Advanced Application Classification and Field Extraction capabilities
• In-service upgradable Protocol Definitions – no IOS upgrade or reboot for new Protocol Packs
• Backward compatibility to preserve existing NBAR investments
• NBAR2 Protocol List: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html
Performance Collection & Exporting
What is it? Integrated performance monitoring and advanced metrics for different types of applications and use cases:
• Advanced Voice and Video Performance Monitoring (Media Monitoring) – 30% of traffic is voice and video
• Critical Applications Performance (Application Response Time) – 40% of traffic is critical applications
• Basic Monitoring (Flexible Netflow and NBAR/NBAR2) – What applications, how much bandwidth, flow direction?
Performance Collection & Exporting
Gaining Full Visibility with Flexible Netflow
• Extensible to support new and future metrics
• Monitors data from layer 2 thru 7
• Collect only what is needed – define your own record format and aggregation
Diagram: traditional Netflow covers L3 and L4 only; Flexible NetFlow adds L2, L7 Metrics (NBAR), Network Metrics (QoS), Performance Metrics (MMON, ART) and Other metrics.
Netflow to FNF Migration Guide: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/ps6965/white_paper_c11-545581.html
Performance Collection & Exporting
Better Visibility with NBAR2 and FNF
• show ip nbar protocol-discovery top-n
• Application Information exported in FNF records
• Reporting tools display top client & server

Router#show ip nbar protocol-discovery top-n 10

GigabitEthernet0/0/3
                          Input                     Output
                          -----                     ------
Protocol                  Packet Count              Packet Count
                          Byte Count                Byte Count
                          30sec Bit Rate (bps)      30sec Bit Rate (bps)
                          30sec Max Bit Rate (bps)  30sec Max Bit Rate (bps)
------------------------  ------------------------  ------------------------
webex-meeting             45807530                  163458047
                          2497543722                129842885217
                          115000                    5998000
                          152000                    7799000
bittorrent                59667396                  156155174
                          12768822744               103187176646
                          555000                    4715000
                          697000                    5077000
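As an added example (not from the slides and not Cisco code), a Python parser for this protocol-discovery output: it turns the four-row-per-protocol table into records and lists protocols that are absent from a sanctioned-application list, which is how an operator would turn the slide's bittorrent entry into a finding. The sample text is constructed from the two entries above.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the layout the slide shows for
# "show ip nbar protocol-discovery top-n": each protocol occupies four rows
# (packets, bytes, 30s bit rate, 30s max bit rate), each with an Input and an
# Output value, and only the first row carries the protocol name.
SAMPLE_OUTPUT = """\
GigabitEthernet0/0/3
                          Input                     Output
                          -----                     ------
Protocol                  Packet Count              Packet Count
                          Byte Count                Byte Count
                          30sec Bit Rate (bps)      30sec Bit Rate (bps)
                          30sec Max Bit Rate (bps)  30sec Max Bit Rate (bps)
------------------------  ------------------------  ------------------------
webex-meeting             45807530                  163458047
                          2497543722                129842885217
                          115000                    5998000
                          152000                    7799000
bittorrent                59667396                  156155174
                          12768822744               103187176646
                          555000                    4715000
                          697000                    5077000
"""

METRICS = ("packets", "bytes", "bps", "max_bps")   # row order in the CLI output

@dataclass
class ProtocolStats:
    interface: str
    protocol: str
    inbound: dict[str, int]    # metric -> value for traffic entering the interface
    outbound: dict[str, int]   # metric -> value for traffic leaving the interface

    @property
    def total_bytes(self) -> int:
        return self.inbound["bytes"] + self.outbound["bytes"]

# A data row: an optional protocol name, then the Input and Output integers.
_DATA_ROW = re.compile(r"^(\S+)?\s+(\d+)\s+(\d+)\s*$")

def parse_protocol_discovery(text: str) -> list[ProtocolStats]:
    """Turn the CLI table into one ProtocolStats per protocol and interface."""
    records: list[ProtocolStats] = []
    interface = "unknown"
    protocol: str | None = None
    rows: list[tuple[int, int]] = []       # (input, output) rows of the current protocol

    def flush() -> None:
        nonlocal protocol, rows
        if protocol is not None and len(rows) == len(METRICS):
            records.append(ProtocolStats(
                interface, protocol,
                dict(zip(METRICS, (i for i, _ in rows))),
                dict(zip(METRICS, (o for _, o in rows)))))
        protocol, rows = None, []

    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("-"):
            continue                        # blank or separator line
        m = _DATA_ROW.match(line)
        if m is None:
            if " " not in stripped:         # a bare interface name starts a new section
                flush()
                interface = stripped
            continue                        # otherwise a column header
        if m.group(1):                      # first row of a new protocol
            flush()
            protocol = m.group(1)
        rows.append((int(m.group(2)), int(m.group(3))))
    flush()
    return records

def top_talkers(records: list[ProtocolStats], n: int = 10) -> list[ProtocolStats]:
    """Protocols ordered by total (input + output) byte count."""
    return sorted(records, key=lambda r: r.total_bytes, reverse=True)[:n]

def unexpected_protocols(records: list[ProtocolStats], allowed: set[str]) -> list[str]:
    """Protocols seen on the interface that are not on the sanctioned list,
    biggest by volume first; on the slide's data that is bittorrent."""
    return [r.protocol for r in top_talkers(records, len(records)) if r.protocol not in allowed]

if __name__ == "__main__":
    stats = parse_protocol_discovery(SAMPLE_OUTPUT)
    for r in top_talkers(stats):
        print(f"{r.interface} {r.protocol:15} {r.total_bytes:>15} bytes")
    print("not sanctioned:", unexpected_protocols(stats, {"webex-meeting"}))
```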
Performance Collection & Exporting
Active or Passive Monitoring for Performance Measurement
Active Monitoring (Active Probing: IPSLA Sender on Router 1, IPSLA Responder on Router 2)
• Generate synthetic traffic into the network
• Require IOS responder for advanced monitoring types
Passive Monitoring (MMON, FNF, ART)
• Inspect traffic to measure performance metrics
• Performance metrics available only when there is traffic
Performance Collection & Exporting
Application Response Time (ART) Measurement
Diagram: Branch users report "My email is slow!" and "My query is taking long time!" while the operator asks "How do I ensure my SLA is met?"; the branch router exports NFv9/IPFIX across the WAN to a Reporting Tool at the Data Center. Availability: ISR G2: 15.2(4)M2; ASR1K: 3.8S.
Key Features
• 27 Application Response Time (ART) Metrics
• Interact with NBAR2 for Application ID and field extraction information
• In ISR G2, provided by Performance Agent (PA)
• In ASR1K, ART is part of unified monitoring
Benefits
• Visibility into application usage and performance
• Quantify user experience
• Troubleshoot application performance
• Track service levels for application delivery
Performance Collection & Exporting
ART Path Network Segment Breakdown
Diagram: Clients – Branch Network – ISR-G2 (measurement point) – Server Network – Application Servers. A Request travels from the client to the server and the Response back. Delay components: Client Network Delay (CND), Server Network Delay (SND) and Application Delay (AD); Network Delay (ND) spans CND and SND; Total Delay spans CND, SND and AD.
• Separate application delivery path into client and server segments
• Server Network Delay (SND) approximates WAN Delay
• Latency per application
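An added worked example (not from the slides and not Cisco's implementation) of the segment breakdown above: from five packet timestamps seen at the branch router it derives CND, SND, AD, ND and Total Delay and names the segment to investigate first. The handshake-based model and the timestamps are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowTimestamps:
    """Arrival times in seconds at the branch ISR G2 measurement point
    (constructed values for this example)."""
    syn: float             # client -> server SYN
    syn_ack: float         # server -> client SYN-ACK
    ack: float             # client -> server ACK completing the handshake
    last_request: float    # last packet of the client's request
    first_response: float  # first packet of the server's response

@dataclass(frozen=True)
class ArtBreakdown:
    cnd: float    # Client Network Delay: measurement point <-> client
    snd: float    # Server Network Delay: measurement point <-> server (approximates WAN delay)
    nd: float     # Network Delay = CND + SND
    ad: float     # Application Delay: server processing time
    total: float  # Total Delay = ND + AD

def _tidy(x: float) -> float:
    """Hide floating-point noise from the subtractions."""
    return round(x, 6)

def art_breakdown(t: FlowTimestamps) -> ArtBreakdown:
    """Split one transaction into the slide's segments.

    Assumption: this is the textbook handshake-based model, not a reproduction
    of Cisco's ART code. Seen from a branch router, the SYN/SYN-ACK gap is a
    round trip to the server (SND) and the SYN-ACK/ACK gap is a round trip to
    the client (CND). The server's first response reaches the router one SND
    after the server finished processing, so that share is subtracted to
    isolate the application delay.
    """
    if not (t.syn <= t.syn_ack <= t.ack <= t.last_request <= t.first_response):
        raise ValueError("timestamps must be in handshake, request, response order")
    snd = t.syn_ack - t.syn
    cnd = t.ack - t.syn_ack
    ad = max(0.0, (t.first_response - t.last_request) - snd)
    nd = cnd + snd
    return ArtBreakdown(_tidy(cnd), _tidy(snd), _tidy(nd), _tidy(ad), _tidy(nd + ad))

def slowest_segment(b: ArtBreakdown) -> str:
    """Which segment to investigate first: 'client', 'wan' or 'application'."""
    segments = {"client": b.cnd, "wan": b.snd, "application": b.ad}
    return max(segments, key=segments.get)

# Constructed example: the branch user's query that "is taking long time".
SLOW_QUERY = FlowTimestamps(syn=0.000, syn_ack=0.080, ack=0.082,
                            last_request=0.090, first_response=0.470)

if __name__ == "__main__":
    b = art_breakdown(SLOW_QUERY)
    print(b, "->", slowest_segment(b))
```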
Control
Application-aware QoS with NBAR2

class-map match-all business-critical
 match protocol citrix
 match access-group 101

class-map match-any browsing
 match protocol attribute category browsing

class-map match-any internal-browsing
 match protocol http url "*myserver.com*"

policy-map internal-browsing-policy
 class internal-browsing
  bandwidth remaining percent 60

policy-map my-network-policy
 class business-critical
  priority percent 50
 class browsing
  bandwidth remaining percent 30
  service-policy internal-browsing-policy

interface Serial0/0/0
 service-policy output my-network-policy

Resulting allocation (Committed BW = 50% of the line; Excess BW = 50% of the line):
Application | BW | Priority
Business Critical | Committed 50% | High
Browsing | 30% of Excess BW (=15% of the line) | Normal
Internal Browsing | 60% (out of Browsing) |
Remaining | 70% of Excess BW (=35% of the line) | Normal
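To check the percentages in the table, here is an added Python model (not Cisco code) of how priority and bandwidth-remaining shares compose through a nested service-policy; the hypothetical `allocate` function reproduces the 50/15/35 figures above and also derives the line share of internal browsing that the slide leaves implicit.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class QosClass:
    name: str
    priority_percent: float = 0.0      # "priority percent N": guaranteed share of the line
    remaining_percent: float = 0.0     # "bandwidth remaining percent N": share of the excess
    child: QosPolicy | None = None     # nested "service-policy" applied under this class

@dataclass
class QosPolicy:
    name: str
    classes: list[QosClass] = field(default_factory=list)

def allocate(policy: QosPolicy, parent_share: float = 100.0, prefix: str = "") -> dict[str, float]:
    """Guaranteed share of the physical line, in percent, for every leaf class.

    Model (assumption, matching the slide's arithmetic): priority classes take
    their percentage off the parent's share first; what is left is the excess
    that "bandwidth remaining percent" divides; any remaining percentage not
    claimed by a named class goes to class-default.
    """
    committed = sum(c.priority_percent for c in policy.classes)
    claimed = sum(c.remaining_percent for c in policy.classes)
    if committed > 100 or claimed > 100:
        raise ValueError(f"{policy.name}: percentages exceed 100")
    excess = parent_share * (100 - committed) / 100
    shares: dict[str, float] = {}
    for c in policy.classes:
        path = prefix + c.name
        if c.priority_percent:
            share = parent_share * c.priority_percent / 100
        else:
            share = excess * c.remaining_percent / 100
        if c.child is not None:
            shares.update(allocate(c.child, share, path + "/"))
        else:
            shares[path] = share
    if claimed < 100:
        shares[prefix + "class-default"] = excess * (100 - claimed) / 100
    return shares

def to_kbps(shares: dict[str, float], line_kbps: float) -> dict[str, float]:
    """Translate line percentages into kbit/s for a given circuit rate."""
    return {name: round(pct * line_kbps / 100, 1) for name, pct in shares.items()}

# The policy from the slide, expressed as data.
INTERNAL_BROWSING_POLICY = QosPolicy("internal-browsing-policy", [
    QosClass("internal-browsing", remaining_percent=60),
])
MY_NETWORK_POLICY = QosPolicy("my-network-policy", [
    QosClass("business-critical", priority_percent=50),
    QosClass("browsing", remaining_percent=30, child=INTERNAL_BROWSING_POLICY),
])

if __name__ == "__main__":
    for path, pct in allocate(MY_NETWORK_POLICY).items():
        print(f"{path:35} {pct:5.1f}% of the line")
```

Internal browsing works out to 60% of the 15% browsing share, i.e. 9% of the line, with the other 6% staying with the browsing class-default.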
Control
GRE/IPSec Network QoS Design
Direction of packet flow, with the DSCP value seen at each stage:
1. Packet initially marked (DSCP CS5).
2. By default the ToS value is copied to the IPSec header (outer DSCP CS5, inner DSCP CS5).
3. The top-most ToS byte is rewritten on egress (outer DSCP AF41, inner DSCP CS5).
4. Packet decapsulated to reveal the original ToS (DSCP CS5).
The "set ip dscp af41" action below remarks the DSCP value on the encrypted/encapsulated header on the egress interface.

policy-map WAN-OUT
 class VOICE
  priority percent 10
 class VIDEO-INTERACTIVE
  priority percent 23
  set ip dscp af41
 class NETWORK-MGMT
  bandwidth percent 5
  service-policy MARK-BGP
 class class-default
  bandwidth percent 25
  random-detect
!
policy-map Int-Gig-Agg-HE
 class class-default
  shape average 1000000000
  service-policy WAN-OUT
Control
Performance Routing (PfR) – Application aware adaptive routing
• Full utilization of expensive WAN bandwidth
  – Efficient distribution of traffic based upon load, circuit cost and path preference
• Improved Application Performance
  – Per application best path based on delay, loss, jitter measurements
• Increased Application Availability
  – Protection from carrier blackouts and brownouts
Diagram: Headquarter ASR1K routers act as PfR Master Controllers (MC) and Border Routers (BR) in front of a WAE Cluster and Email VMs; a DMVPN branch ISR G2 acts as PfR MC/BR. The Email Path and the Video Path are steered over different exits: SP A MPLS (GETVPN), SP B MPLS (GETVPN) and the Internet (DMVPN).
Control
PfR Use Case Examples – Protecting critical applications while Maximizing bandwidth utilization
Cloud Service & Load Balancing Policy (Internet: ISP-1 Primary, ISP-2 Secondary; Cloud Service and Best Effort traffic; detect loss > 10%)
• Protect business Cloud applications from Internet brownout – Loss <10%
• Cloud Service preferred path – ISP1
• Maximize all ISP bandwidth by load sharing all other Internet traffic
Multimedia & Critical Data Policy (WAN: SP-A MPLS VPN, SP-B MPLS VPN; Voice&Video, VDI and Best Effort traffic; detect high jitter)
• Protect voice and video quality – Latency < 200ms; Jitter < 30ms
• Protect VDI applications from brownouts – Loss < 5%
• Voice & Video preferred path SP-A
• VDI preferred path SP-B
• Maximize utilization by load sharing
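The two policies above as an added Python example (not from the slides and not Cisco's PfR code): the thresholds and preferred exits are encoded as data and a hypothetical `select_exit` function shows which exit each traffic class lands on when, as in the constructed measurements, ISP-1 is losing packets and SP-A has high jitter. The fallback behaviour when every exit is out of policy is a simplifying assumption.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class PathMetrics:
    """What the PfR border routers measure on one exit (constructed values)."""
    loss_pct: float
    latency_ms: float
    jitter_ms: float
    utilization_pct: float

@dataclass(frozen=True)
class TrafficClassPolicy:
    """Thresholds and preferred exit for one traffic class, as on the slide."""
    name: str
    preferred: str | None            # None means load share across all exits
    max_loss_pct: float = float("inf")
    max_latency_ms: float = float("inf")
    max_jitter_ms: float = float("inf")

    def violations(self, m: PathMetrics) -> list[str]:
        """Every threshold the measured path fails ('Loss < 5%' fails at 5%)."""
        checks = (("loss", m.loss_pct, self.max_loss_pct, "%"),
                  ("latency", m.latency_ms, self.max_latency_ms, "ms"),
                  ("jitter", m.jitter_ms, self.max_jitter_ms, "ms"))
        return [f"{name} {value}{unit} not < {limit}{unit}"
                for name, value, limit, unit in checks if value >= limit]

# Policies from the slide. Internet exits: ISP-1 (primary), ISP-2 (secondary);
# MPLS exits: SP-A, SP-B.
POLICIES = {
    "cloud":       TrafficClassPolicy("cloud", "ISP-1", max_loss_pct=10),
    "voice-video": TrafficClassPolicy("voice-video", "SP-A", max_latency_ms=200, max_jitter_ms=30),
    "vdi":         TrafficClassPolicy("vdi", "SP-B", max_loss_pct=5),
    "best-effort": TrafficClassPolicy("best-effort", None),
}

def select_exit(policy: TrafficClassPolicy, exits: dict[str, PathMetrics]) -> tuple[str, str]:
    """Pick the exit for one traffic class and say why (the master controller's job).

    Simplification (assumption): the preferred exit is kept while in policy, the
    first in-policy alternative is used when it is not, and if every exit is out
    of policy the class stays on its preferred exit rather than flapping.
    """
    if policy.preferred is None:
        best = min(exits, key=lambda n: exits[n].utilization_pct)
        return best, "load sharing: least utilized exit"
    failed = policy.violations(exits[policy.preferred])
    if not failed:
        return policy.preferred, "preferred exit in policy"
    for name, metrics in exits.items():
        if name != policy.preferred and not policy.violations(metrics):
            return name, f"{policy.preferred} out of policy: " + "; ".join(failed)
    return policy.preferred, "all exits out of policy: staying on preferred exit"

# Constructed measurements: ISP-1 is suffering a brownout, SP-A has high jitter.
INTERNET_EXITS = {"ISP-1": PathMetrics(12.0, 90.0, 8.0, 70.0),
                  "ISP-2": PathMetrics(1.0, 110.0, 10.0, 40.0)}
MPLS_EXITS = {"SP-A": PathMetrics(0.5, 60.0, 45.0, 55.0),
              "SP-B": PathMetrics(2.0, 70.0, 12.0, 35.0)}

def decisions() -> dict[str, str]:
    """Exit chosen for every traffic class on its own WAN."""
    wan = {"cloud": INTERNET_EXITS, "best-effort": INTERNET_EXITS,
           "voice-video": MPLS_EXITS, "vdi": MPLS_EXITS}
    return {tc: select_exit(POLICIES[tc], exits)[0] for tc, exits in wan.items()}

if __name__ == "__main__":
    for tc, exits in (("cloud", INTERNET_EXITS), ("best-effort", INTERNET_EXITS),
                      ("voice-video", MPLS_EXITS), ("vdi", MPLS_EXITS)):
        chosen, reason = select_exit(POLICIES[tc], exits)
        print(f"{tc:12} -> {chosen:6} ({reason})")
```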
Management Tool
Cisco Prime Infrastructure – Assurance
• Configuration of AVC features*
• Network Monitoring
• Service Monitoring
• Reporting and Trends
• Multi-NAM Manager
• Packet and Flows Analysis
• Application Response Time
• Voice and Video Metrics
• Distributed SNMP and Netflow Collection
WAAS and UCS E Series
Cisco WAAS – Enhancing user experience and WAN efficiency
Problem
• Poor Application responsiveness
• WAN Bandwidth costs
Solution
• Reduce load – Data Redundancy Elimination, Compression, TCP optimization
• Application Optimization – Fewer protocol messages, Meta data caching, ...
Chart: Application Bandwidth (Mbps) and Application Latency (Seconds), natively versus with WAAS, showing Bandwidth Saved and Reduced Latency.
Challenges of Desktop Virtualization over WAN
• Hairpinning – video processed on the HVD, overloading server compute and bandwidth
• WAN's effects on User Experience – end-users see pixelization over the WAN, but no pixelization on the LAN
• Display Protocol opaque to the network
Diagram: Video Source – Branch Office – Branch Router – T1 – Data Center / Campus (Display Protocol). Increasing bandwidth is expensive and might not help.
WAAS 5.0 optimization with Citrix ICA AO
• WAAS will optimize encrypted and compressed ICA desktop session traffic (no changes required on ICA client, HVD, or DC infrastructure) for all versions of XenDesktop and XenApp
• Includes WAAS 4.4 Application aware DRE feature for unidirectional caching of desktop session traffic which improves the scalability and Application performance
Diagram: ICA client – Branch Router (WAAS) – Aggregation Router (WAAS) – Citrix HVD in the Data Center; Display Protocol Acceleration between the two WAAS instances.
Note: Multi-Session ICA (MSI) in XenDesktop 5.5 is first supported in WAAS 5.1. If MSI is used with a prior release, only one initial session (port 1498) will be optimized automatically. Other flows will be treated as regular TCP flows.
Cisco WAAS: WAN Optimization Solution
Diagram: Branch Office options – IOS WAAS Express on the branch router, WAAS Service Module, WAAS WAE Appliance; Regional Office – WAAS WAE Appliance; Mobile User / SOHO User – WAAS Mobile Software reaching a WAAS Mobile Server over VPN; Data Center or Private Cloud – WAAS WAE Appliances, vWAAS Appliances on VMware ESXi, Nexus 1000v VSM, UCS/x86 Server, FC SAN, Server VMs; Virtual Private Cloud – CSR 1000V, vWAAS, Server VMs and Nexus 1000v vPATH on a VMware ESXi Server. Sites connect over the WAN and the Internet.
Lean Branch Office Applications
Edge Applications That Defy Centralization
Core Windows Services
• DNS and DHCP Servers
• Microsoft Active Directory
• Windows Print Services
• Windows File Services
• Others …
Mission Critical Business Applications
• Point of Sale Server
• Bank Teller Control Point
• Electronic Medical Records
• Inventory Management
• Others …
Client Management Services
• Software Update Service
• Client Monitoring Service
• Backup and Recovery
• Terminal Server Gateway
• Others …
UCS E Series
Extend Cloud Services into Branch Infrastructure
Platform for WAN Edge Applications
• Microsoft Windows Server-Certified
• Cisco SRE Virtualization Powered by VMware vSphere Hypervisor™ (ESXi)
Dedicated Blade Management
• Cisco Integrated Management Controller (CIMC-E)
• Consistent management for UCS family
Multipurpose x86 Blades
• Cisco Service-Ready Engine modules (SRE Blades)
• House up to four server blades in ISR G2
Single-Device Network Integration
• House all devices in ISR G2 chassis
• Multigigabit fabric backplane switch (MGF) – support on ISR G2 2911 and above
Diagram: App/OS stacks on SRE-V Hypervisors over SRE Blades, connected through IOS and the MGF Backplane Switch.
MediaNet & Video Services
Medianet Introduction
"I want a network infrastructure so that I should not worry when tomorrow I'll be asked to implement video applications."
Massimo Fogaroli – IT Manager, Mediolanum Bank
• Media Aware – Detection and Optimization of different media and applications
• Endpoint aware – Automatic detection and configuration
• Network Aware – Automatically respond to changes in devices and service availability
Diagram: Medianet capabilities – IPSLA VO, Flow MetaData, Media Trace, Performance Monitoring – grouped into Visibility, Diagnostics and Assessment.
Medianet Media Monitoring
Media Assessment, Monitoring, and Troubleshooting
• Pre-deployment assessment / network validation – IP SLA VO
  – Use ISR G2 DSPs to generate synthetic video, i.e. TelePresence
• What path and where is the problem? – Mediatrace and Performance Monitor
  – Network-initiated mediatrace collecting path and performance metrics of media stream
  – Cisco Collaboration Manager displays mediatrace results
Diagram: Cisco Prime Collaboration Manager ("I am detecting video quality issue") initiates a mediatrace; an IP SLA Initiator on the branch ISR G2 generates TelePresence traffic toward an IP SLA Responder on the ASR1K across MPLS, Internet and DMVPN, and lost packets are seen on the path.
Performance Collection & Exporting
Media Monitoring – Performance Monitor
Diagram: Performance Monitor applied to the in/out direction of the voice/video VLAN at the Branch and at the Headend, across MPLS and Internet WAN; results viewed in LiveAction.
• Monitor video traffic traversing different network types
• Generate alert based on user configurable threshold
• Enable on voice/video VLAN
• Provide metrics including jitter, packet loss, latency, bitrate, etc.
• MediaNet PerfMon is also the Media Monitor (MMon) in AVC
Diagnostics
Media Troubleshooting – Mediatrace
Diagram: Collaboration Manager initiates a Mediatrace for traffic from the Branch phone to the Headend phone across MPLS and Internet VPN.
• Use Mediatrace to further troubleshoot media issues
• Initiate Mediatrace to discover path, system resource, or quality metrics on devices in the media path
• Mediatrace responders collect the requested metrics and return to initiator
• Works with Cisco Collaboration Manager
Visibility
Need for End to End Classification
Diagram: a voice call between Marylou and John. The application knows "Voice communication between Marylou and John", "Voice communication started with application 'X'", "Packets have DSCP=EF", and "I know lots of information from the application that I'm not going to send to the wire." The network along the path sees only "This flow has a DSCP = EF", "This flow contains RTP", "This packet has a DSCP=EF", "This packet comes from Fast1/0", "This packet comes from location 'Desk1'", "This packet comes from user 'Marylou'".
• How to enforce a consistent network policy when classification is different along the path?
  – Eg: Rule: Prioritize Voice communication from Marylou to John?
• Endpoint can provide information not available or visible to the network
Visibility
MediaNet Metadata for classification
Metadata Flow Principles
Flow Identifier: IP Src 10.1.1.2 | IP Dst 20.1.1.2 | Prot UDP | L4 Src 2000 | L4 Dst 4000
Metadata: Application Video-Conference (Audio) | Vendor Cisco | Dial From 83922564 | Dial To 85268229 | Caller ID Albert Albatross
Diagram: 1. The application at 10.1.1.2 creates metadata; 2. Metadata announcement populates the Metadata DB on each router along the path, which applies QoS based on the Metadata DB and exports the data to the NMS; 3. Media flow.
Video Conferencing Services
Centralized MCU
• Multiple video streams traverse the WAN to a central MCU resource – non-optimal use of limited WAN BW
• Video is mixed by a centralized MCU controlled by CUCM
Branch video mixing
• Video is mixed by the ISR G2 DSPs controlled by CUCM or UCME
• Keeps traffic local in the branch if all participants are located in the branch
• Ad-hoc and MeetMe conferences
Diagram: Branch A – WAN – HQ/Campus MCU (Signaling, Media); in the second case video mixing happens on the ISR G2 in Branch A.
Video Delivery Optimization
WAAS + Enterprise Content Delivery System (ECDS)
Diagram: the Data Center (CDN Infrastructure, Context-aware DRE) delivers Signage, Corporate Communications and HR VOD channels over the WAN to Branch Offices running WAAS + ECDS.
• Multiple "Publish and Subscribe" Channels for simplified management
• Broad live broadcast protocol support – wmf, silverlight, flash
• Video Pre-positioning
WAN TrustSec Security Services
NG WAN Pervasive Security – Secure Reliable Access to Any Services
• Provides data privacy across the WAN
• GETVPN any-to-any encryption over MPLS
• DMVPN & FlexVPN over 3G/4G or Internet provides dynamic spoke-to-spoke tunnel
• Highly scalable WAN aggregation with encryption
• 4000 DMVPN tunnels and 4000 GETVPN Group Members
• Up to 28 Gbps of encryption throughput per ASR1K
• Interoperation with QoS and PfR ensures service performance
• TrustSec simplified access control – SGT, SXP, and SG Firewall
Diagram: Headquarter / Data Center / Private Cloud with ASR1K DMVPN Hub, GETVPN COOP KS, WAE Cluster and SG FW; a Standard Branch ISR G2 over the Internet protected by DMVPN (SXP); branches over SP A and SP B MPLS protected by GETVPN (SGT).
Dynamic Multipoint VPN (DMVPN)
Secure On-Demand Meshed Tunnels
• Full meshed connectivity with simple configuration
• Zero-touch configuration for addition of new spokes
• Automatic site-to-site IPSec tunnels
• Transport & Carrier agnostic – overlay transport VPN, easy multi-homing, single control plane, simple carrier transition
• Large Scale
  – Up to 4000 spokes per ASR1k hub with EIGRP or BGP
  – Hierarchical Hub designs, to scale beyond single hub limits
Diagram: Hub with Spoke 1, Spoke 2 … Spoke n; DMVPN Tunnels (dynamic, unknown IP addresses) versus Traditional Static Tunnels (static, known IP addresses).
Introducing FlexVPN
A single overlay VPN solution
Diagram: Corporate LAN (Department RED, Department GREEN) reached through one FlexVPN hub by isolated branches (Easy VPN), Remote Access (AnyConnect) and Shortcut Switching (DMVPN).
Group Encrypted Transport VPN (GETVPN)
Before and After GET VPN
Before: IPSec P2P Tunnels (Public/Private WAN)
• Scalability—an issue (N^2 problem)
• Overlay routing
• Any-to-any connectivity may require tunnel setup
• Inefficient Multicast replication
• Any wan transport
After: Tunnel-Less VPN (Private WAN)
• Scalable architecture for any-to-any connectivity and encryption
• No overlays—native routing
• Any-to-any instant connectivity
• Efficient Multicast replication
• Private IP WANs
Cisco Router Security Certifications
Platform | Common Criteria EAL4 | FIPS 140-2, Level 2 | Next-Gen Encryption* Software Support | Next-Gen Encryption* Hardware Assist
Cisco ISR 890 Series | ✓ | ✓ | ✓ | ✓
Cisco ISR 1900 Series | ✓ | ✓ | ✓ | ✓**
Cisco ISR 2900 Series | ✓ | ✓ | ✓ | ✓**
Cisco ISR 3900 Series | ✓ | ✓ | ✓ | ✓
Cisco ISR 3900E Series | ✓ | ✓ | ✓ | ✓
Cisco ASR 1000 Series | ✓ | ✓ | N/A | ✓**
http://www.cisco.com/go/securitycert
* NSA Suite B RFC-4869 cryptographic algorithm for both unclassified and most-classified information
** 1900s and lower 2900 Series require ISMs. Only ASR 1002-X and ESP-100 based ASR 1000s
TrustSec SGT over DMVPN and GETVPN
Diagram: Branch Network (Finance, Sales, HR and Guest users on Catalyst® switches and an AP, with ISE Posture/Profiler) – ISR G2 – GETVPN over MPLS and DMVPN over the Internet carrying the SGT inline (SGT Frame) – ASR1k Campus Aggregation and Data Center (Catalyst 6500, Nexus 7000, Nexus 5000/2000, Admin, Server) with Egress Enforcement by SGFW and SGACL.
• ISR G2/ASR1k, SG Firewall
• Campus Aggregation: Cat6K/Sup2 – SGACL
• Data Center Enforcement: Nexus 7000 – SGT/SGACL
• DMVPN Inline Tagging – ISR G2 (IOS 15.2(2)T)
• SGToGETVPN support on ISR G2 (IOS PI21*) and ASR1k (XE 3.9*)
• SG Firewall for Egress Enforcement
• SGT Capability exchange during DMVPN IKEv2 negotiations and GETVPN group membership registration
• Learn SGT from SXP or Auth-methods
• Simple one command configuration – DMVPN "crypto ikev2 cts sgt"; GETVPN "tag cts sgt"
* ISR G2 IOS (PI21) and ASR1k IOS (XE3.9) will be available in Spring 2013.
Security Group FW Architecture
Diagram: ISE distributes SGACL policies; an ASR1k SGFW at the Enterprise WAN edge and an ISR SGFW enforce on IP-to-SGT bindings learned via SGT or SXP (e.g. IP Address 10.1.10.1 – SGT 10); SGACL enforcement on a Data Center switch.
• Consistent Classification/enforcement between ISR/ASR SGFW and switching
• In general SGACL and SGFW policy should be sync'd via policy administration UI
• SGT allows more dynamic classification in the branch and WAN aggregation
• Rich Logging requirements will be fulfilled on SGFW – URL logging, etc.
• Active/Active support in ZBFW allows for asymmetric routing*
• SGFW in ISR G2 IOS 15.2(2)T and ASR1k IOS XE 3.5
*active/active assumes shared L3 subnet on router interfaces for redundancy groups
IPv6
Preserve, Prepare, Prosper
Why?
• 3 Feb ‘11 last day of IPv4 address allocations
• IPv4 address exhaustion
• Government mandate
• IPv6 device and content growth
• Mergers and Acquisitions
• Gain familiarity with IPv6
• Anyone, Anything, Anywhere, Anytime

IPv6 Routing
• ISR G2, ASR 1000 designed for IPv6
• Routers designed with more memory, better performance for IPv6

IPv6 Feature Enablement
• Broadest coverage in Industry
• IPv6 parity with IPv4 in most cases

IPv6 Transitioning
• All transition mechanisms supported
• Dual Stack
• Tunneling
• Translation
Transitioning Network to IPv6
Preserve, Prepare, Prosper

Cisco NG Enterprise WAN Solutions


 Branch & Campus – Dual Stack IPv4 and IPv6
 IPv4 WAN – Tunnel: 64 tunnels, IPv6 over DMVPNv4
 IPv6 Internet – Translate: NAT64 allows IPv6 devices to access IPv4 applications

[Diagram: the dual-stack Branch office (ISR G2 with IPv6 devices) tunnels IPv6 over the IPv4 WAN to the dual-stack Campus/Aggregation and Datacenter (ASR1K) with IPv4 services; the ASR1K Internet Edge translates (nat64) toward the IPv6 Internet]
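The "Translate" leg above relies on IPv4-embedded IPv6 addresses: an IPv6-only host is handed an address inside the NAT64 prefix, and the translator recovers the IPv4 destination from it. The following is an added example, not code from this deck or from Cisco, that implements the RFC 6052 embedding and extraction rules. It goes beyond the single /96 case the slide implies and covers every prefix length the RFC allows (/32, /40, /48, /56, /64 and /96), including the all-zero 'u' octet that the shorter prefixes straddle. The well-known prefix 64:ff9b::/96 is the RFC's; every other prefix and host value is an RFC documentation address used here as constructed sample input.

```python
"""Added example, not from the Cisco deck: RFC 6052 IPv4-embedded IPv6
addresses as used by NAT64/DNS64. nat64_embed() synthesizes the IPv6 address
an IPv6-only client uses for an IPv4 server; nat64_extract() recovers the
IPv4 address the translator forwards to. Prefixes and hosts used in the
tests are RFC documentation values, i.e. constructed sample input."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network, ip_network
from typing import Optional

WELL_KNOWN_PREFIX = "64:ff9b::/96"       # RFC 6052 well-known NAT64 prefix
VALID_LENGTHS = (32, 40, 48, 56, 64, 96)  # prefix lengths RFC 6052 permits


def _prefix(prefix: str) -> IPv6Network:
    net = ip_network(prefix)
    if net.version != 6 or net.prefixlen not in VALID_LENGTHS:
        raise ValueError(f"not a valid RFC 6052 prefix: {prefix}")
    return net


def nat64_embed(prefix: str, ipv4: str) -> IPv6Address:
    """Place the 32 IPv4 bits immediately after the prefix. For prefixes
    shorter than /96 the IPv4 bits are split around the reserved 'u' octet
    (bits 64-71, always zero); the suffix bits stay zero."""
    net = _prefix(prefix)
    pl = net.prefixlen
    base = int(net.network_address)
    v4 = int(IPv4Address(ipv4))
    if pl == 96:
        return IPv6Address(base | v4)
    n_hi = 64 - pl                          # IPv4 bits that fit before 'u'
    hi = v4 >> (32 - n_hi)                  # lands in bits [pl, 64)
    lo = v4 & ((1 << (32 - n_hi)) - 1)      # lands in bits [72, 72 + 32 - n_hi)
    return IPv6Address(base | (hi << 64) | (lo << (24 + n_hi)))


def nat64_extract(prefix: str, ipv6: str) -> IPv4Address:
    """Inverse of nat64_embed. Rejects addresses outside the prefix and
    addresses with a non-zero 'u' octet, which a translator must not treat
    as carrying an embedded IPv4 address."""
    net = _prefix(prefix)
    addr = IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{ipv6} is not inside {prefix}")
    a = int(addr)
    pl = net.prefixlen
    if pl == 96:
        return IPv4Address(a & 0xFFFFFFFF)
    if (a >> 56) & 0xFF:                    # bits 64-71 must be zero
        raise ValueError(f"{ipv6} has a non-zero u octet")
    n_hi = 64 - pl
    hi = (a >> 64) & ((1 << n_hi) - 1)
    lo = (a >> (24 + n_hi)) & ((1 << (32 - n_hi)) - 1)
    return IPv4Address((hi << (32 - n_hi)) | lo)


def translate_destination(dst_ipv6: str,
                          prefix: str = WELL_KNOWN_PREFIX) -> Optional[str]:
    """Per-packet decision at the NAT64 edge: a destination inside the
    NAT64 prefix is forwarded to the embedded IPv4 host; anything else is
    native IPv6 and is left untranslated (None)."""
    try:
        return str(nat64_extract(prefix, dst_ipv6))
    except ValueError:
        return None


if __name__ == "__main__":
    # DNS64-style synthesis for an IPv4-only server, then the reverse lookup
    synthesized = nat64_embed(WELL_KNOWN_PREFIX, "192.0.2.33")
    print(synthesized, "->", translate_destination(str(synthesized)))
```

A useful check when the prefix is shorter than /96 is the reserved octet: the extraction refuses an address whose bits 64-71 are not zero, which is how a translator avoids mis-parsing an address that merely happens to fall inside a short prefix.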

Hybrid Cloud Services
Virtual Private Clouds
Virtual Networking Services
Cloud Services Router
Hybrid Cloud Definition
Hybrid Clouds exist on the premises and are maintained by a cloud provider. Resources are allocated to individual companies or organizations providing them the look and feel of a private cloud within a shared cloud environment.
Source: NIST

[Diagram: Private Cloud (ASR 1000, AVC, ASA, WAAS, AppNav), Virtual Private Cloud (CSR 1000V, ASA 1000V, vWAAS, VSG, vPath, VXLAN, Nexus 1000V) and Public Cloud (HCS Services) joined by the Cloud Intelligent Network: Security, App Visibility & Control (AVC), Cloud Connectors, Medianet]
Hybrid – Virtual Private Cloud
Virtual Networking Services
[Diagram: the Cloud Provider's Data Center (physical infrastructure servers, multi-hypervisor virtual infrastructure) hosts Tenant A with Department A and Department B; the Cloud Network Services CSR 1000V, ASA 1000V, VSG, vWAAS, AppNav, vPath and Nexus 1000V run on top of it]

Multi-hypervisor
CSR 1000V
• WAN Gateway
• IOS Networking
• Application Traffic Consistency
vWAAS
• WAN Optimization
ASA 1000V
• Edge Firewall
• Protocol Inspection
VSG
• Zone-based Firewall
• VM-level Control
Nexus 1000V
• Distributed Switch
• NX-OS
Cisco CSR 1000V
Cisco IOS Software in Virtual Form-Factor

[Diagram: the CSR 1000V runs as a VM beside application VMs (App/OS) in a VPC/vDC, on a hypervisor and virtual switch on a server]

• Virtual Route Processor (RP)
• Virtual Forwarding Processor (FP)
• Optimized for single tenant use cases
• Hypervisor agnostic
• Virtual switch agnostic
• Server agnostic
Public Cloud Services
Cloud Connectors
Public Cloud Definition
Operated wholly by cloud providers, public clouds offer services to companies, organizations and individuals using a fully virtualized environment hosted in the cloud. Services are delivered in a shared environment even though they might be provisioned or customized for the needs of the individual organization.
Source: NIST

[Diagram: Private Cloud (ASR 1000, AVC, ASA, WAAS, AppNav), Virtual Private Cloud (CSR 1000V, ASA 1000V, vWAAS, VSG, vPath, VXLAN, Nexus 1000V) and Public Cloud (HCS Services) joined by the Cloud Intelligent Network: Security, App Visibility & Control (AVC), Cloud Connectors, Medianet]
What is Cloud Connector?
 Connects a Corporate Network to a Cloud Service
 Application or Service specific to ensure transparent access
 Improves delivery of Public Cloud Services
– Provisioning, Performance, Security, Reliability, Management
 Cloud Connector solutions include
– ScanSafe, WebEx Media, Hosted Collaboration Service, Storage/Backup, …

[Diagram: the Cloud Connector on the Headquarter Campus ASR1K pair reaches the Public Cloud (Email VMs) over the Internet; Branch sites connect over MPLS with GETVPN]
Example – Scan Safe Cloud Connector
 ScanSafe provides secure access to Public Cloud services
 Single policy portal, ease of deployment and management
 Direct Internet access reduces WAN cost and improves Internet application performance

[Diagram: ScanSafe (Web Filtering, Web Security, Centralized Reporting, Consistent Policy Control) fronts the Public Cloud Applications; the Headquarter Campus ASR1K Cloud Connector reaches it over the Internet, and Branch sites connect over MPLS with GETVPN]
Example – WebEx Media Connector
 WebEx Media Connector peers directly with the Enterprise WAN
– CUCM+CUBE deployed at Enterprise and WebEx Cloud
– Firewalls+CUBE to secure the borders with WebEx
 Improves voice and video conferencing quality
 Reduces 800 toll charges

[Diagram: the WebEx Cloud Connector on the Headquarter Campus ASR1K pair peers with the Cisco WebEx Collaboration Cloud over the Internet; Branch sites connect over MPLS with GETVPN]
Example - Cloud Storage Connector
Third Party Connector

MSP Admin Portal: manage end-user accounts, service provisioning and billing
End-User Virtual Portal: users access their own cloud backups and folders, restore and share files

[Diagram: a Branch Office with a Cisco ISR G2 and UCS® E-Series running the Cloud Storage Gateway, connected to the MSP Network; a Backup Agent for Roaming Laptops and an Agent-Less Solution for branch files]

Cloud storage is cached on UCS E. Branch files are backed up to the cloud.
Platform Overview
Prime Infrastructure – Functional Overview

 A single integrated solution for comprehensive lifecycle management of wired/wireless access, campus, and branch networks
 Automates compliance with regulatory requirements, Cisco and IT best practices
 Utilizes rich performance data for end-to-end network visibility to assure application delivery and optimal end-user experience
ISR G2 Portfolio
[Chart: Recommended Positioning with Services, by WAN Access Speed With Services (10 Mb, 15 Mb, 25 Mb, 35 Mb, 50 Mb, 75 Mb, 100 Mb, 150 Mb, 250 Mb, 350 Mb)]
Mobile Branch – EFM / Sub-rate FE: 800, 1921, 1941
Standard Branch – FE, VDSL2+/Sub-rate: 2901, 2911, 2921, 2951
High-End Branch – Line Rate FE+ / Line Rate N x FE: 3925, 3945, 3925E, 3945E
Cisco ASR 1000 Series Routers: Overview
Designed Today for up to 360 Gbps in the Future
Compact, Powerful Router
 Line-rate performance 2.5G to 100G+ with services enabled
 Investment protection with modular engines, IOS CLI and SPAs for I/O
 Hardware based QoS engine with up to 232K queues
Business-Critical Resiliency
 Fully separated control and forwarding planes
 Hardware and software redundancy
 In-service software upgrades
Instant On Service Delivery
 Integrated firewall, VPN, encryption, NBAR, CUBE
 Scalable on-chip service provisioning through software licensing

One IOS-XE Feature Set
ASR 1001: 2.5–5 Gbps
ASR 1002: 2.5–10 Gbps
ASR 1002-X: 5–36 Gbps
ASR 1004: 10–40 Gbps
ASR 1006: 10–100+ Gbps
ASR 1013: 10–360 Gbps
Wrap Up / Summary
Realizing the Borderless Enterprise
[Diagram: Borderless Experience, delivered Securely, Reliably, Seamlessly to Anyone, on Any Device, Anywhere, Anytime, across Private, Hybrid and Public Clouds over the Cisco Cloud Intelligent Network: Application Visibility & Control, Cloud Connect, IPv6 Transition, Operational Simplicity, MediaNet, TrustSec]
Next Generation Enterprise WAN
Wrap Up/Summary
 Architectural approach to solving business requirements
– Modular—Building Blocks with Layered Services
– Infrastructure Foundation for Cisco’s Borderless Network
 Cloud Intelligent Network solutions
– Private Cloud Services
– Hybrid/Virtual Private Cloud Services
– Public Cloud Services
 ASR 1000 series high performance Secure WAN aggregation router
 ISR G2 series for integrated branch services security, voice, video and cloud access
 Virtualized Networks Services – CSR 1000v, vWAAS, ASA 1000v, Nexus 1000v
 Cisco Prime—Unique Ability to Manage Entire Solution

Additional Sessions of Interest

• BRKAPP-2030 Application Visibility and Control in Enterprise WAN
• BRKRST-2362 Deploying Performance Routing
• BRKNMS-3132 Advanced NetFlow
• BRKARC-2016 Integrating Services in the Branch Without Compromise
• PSORST-2002 The Router Is the Application Delivery Platform with Cisco ISR-AX
• BRKRST-2041 WAN Architectures and Design Principles
• BRKRST-2042 Highly Available Wide Area Network Design
Complete Your Online Session Evaluation
 Give us your feedback and you could win fabulous prizes. Winners announced daily.
 Receive 20 Cisco Daily Challenge points for each session evaluation you complete.
 Complete your session evaluation online now through either the mobile app or internet kiosk stations.

Maximize your Cisco Live experience with your free Cisco Live 365 account. Download session PDFs, view sessions on-demand and participate in live activities throughout the year. Click the Enter Cisco Live 365 button in your Cisco Live portal to log in.