Intelligent WAN: CVU update
Deliver enhanced mobile experience at the branch with Intelligent WAN
Soren D. Andreasen (sandreas@cisco.com), Technical Solution Architect, CCIE# 3252
Agenda: IWAN 2.0/2.1 overview and latest development
Intelligent WAN Solution Components
Diagram: Branch (ISR-AX, 3G/4G-LTE) and ASR1000-AX connected over MPLS and Internet to Private Cloud, Virtual Private Cloud and Public Cloud; IPsec WAN overlay; Management & Orchestration
- Transport Independence: consistent operational model (DMVPN)
- Intelligent Path Control: optimal application routing, efficient use of bandwidth (Performance Routing, PfRv3)
- Application Optimization: performance monitoring, optimization and caching (AVC, WAAS, Akamai)
- Secure Connectivity: NG strong encryption, threat defense (Suite-B, CWS, ZBFW)
Cisco Confidential
IWAN 2.0/2.1 Developments
IWAN Layers
- Intelligent Path Selection: AVC, PfR, QoS
- Overlay Routing: overlay routing protocol (BGP, EIGRP) running over the tunnels
- Transport Overlay: Transport Independent Design (DMVPN)
- Infrastructure Routing: MPLS routing, Internet routing; ZBFW, CWS
IWAN Transport Independent Design Summary
- IPsec Overlay: DMVPN Phase 3, site-to-site dynamic tunnels, Per-Tunnel QoS, PfRv3 path control (SD-WAN automation)
- Multiple DMVPNs for Path Diversity: separate failure domains, brownout circumvention, PfR load balancing, PfR and routing protocol
- Single Routing Domain: simplified operations and support, simple ECMP or best path provisioning, EIGRP or BGP
- Security: protecting the network from external threats
Diagram: Path Control Domain with DC-East and DC-West (MC, ASR-AX) joined by a DCI WAN Core; ISR-AX branches (Branch-1 to Branch-513) reached over DMVPN 1 (MPLS) and DMVPN 2 (ADSL)
2013 Cisco and/or its affiliates. All rights reserved.
Getting the Most Out of Your WAN Investment: Benefits of Intelligent Path Control
- Lower WAN Costs: enabling Internet-based WANs
- Full Utilization of WAN Bandwidth: efficient distribution of traffic based upon load, circuit cost, and path preference
- Improved Application Performance: per-application best path based on delay, loss, jitter measurements
- Higher Application Availability: protection from carrier black holes and brownouts
Diagram: Branch (ISR with AVC, WAAS) connected over Internet and MPLS to the Data Center (ASR 1000 with PfR)
Enterprise Domain
Diagram: Hub (DC/MC Master Controller, Site-id 10.8.3.3) with MPLS and INET transports; Branch Site-id 10.2.11.11 (dual CPE: MC/BR plus BR); Branch Site-id 10.2.10.10 (single CPE: MC/BR)
- The Decision Maker: Master Controller (MC). Applies policy, verification, reporting; no packet forwarding/inspection required; standalone or combined with a BR
- The Forwarding Path: Border Router (BR). Gains network visibility in the forwarding path (learn, measure); enforces the MC's decision (path enforcement)
Enterprise Domain: Domain Controller
- One of the MCs is assigned the Domain Controller role
- Central point of provisioning for the Enterprise Domain
- Branch sites connect to the Hub Master Controller
- Service Announcement Framework (SAF) peering
Diagram: Hub (DC/MC Domain Controller, Site-id 10.8.3.3) with MPLS and INET transports; Branch Site-id 10.2.11.11 (dual CPE); Branch Site-id 10.2.10.10 (single CPE)
Domain Policies and Monitors: Peering and Distribution
Domain policies and monitor instances are configured on the Hub MC (Domain Controller, Site-id 10.8.3.3), then distributed to the branch sites (Site-id 10.2.11.11 dual CPE, Site-id 10.2.10.10 single CPE) using the peering infrastructure.
Performance Monitoring: Passive Monitoring
- Bandwidth on egress: per Traffic Class
- Performance on ingress: RTP and TCP metrics, per DSCP and site
Diagram: Hub Master MC with MPLS and INET transports; dual-CPE branch (MC/BR plus BR) and single-CPE branch (MC/BR)
Monitoring: Smart Probing
- Smart Probes are generated from the dataplane
- Traffic driven, intelligent on/off
- Site to site and per DSCP
- Performance Monitor collects the performance metrics
Smart Probing: Help for Measurement Over Channels
Diagram: branch MC/BR (Site10, 10.1.10.0/24) with a traffic flow to the hub over the MPLS and INET channels
- Without actual traffic: sends 10 probes spaced 20 ms apart in the first 500 ms and another similar 10 probes in the next 500 ms, thus achieving 20 pps for channels without traffic.
- With actual traffic: lower frequency when real traffic is observed over the channel; probes are sent every 1/3 of [Monitor Interval], i.e. every 10 sec by default
- Measured by Unified Monitoring just like other data traffic
Monitoring: Threshold Crossing Alerts
- A Threshold Crossing Alert (TCA) is sent to the source site
- Triggers: loss, delay, jitter, unreachable
Path Enforcement
Policy decision (MC):
- The local MC selects the traffic classes (TC) that are affected by the TCA and moves them to an alternate path
- A traffic class is identified by destination-prefix, nbar-app-id, dscp
Path enforcement (BR):
- Maintains a single traffic-class database; each traffic-class entry contains an output interface and a next-hop IP address
- Imposes the next hop on internal interfaces, input direction
- Lookup per packet: output interface / next hop retrieved, packet forwarded
- If no entry: uses the RIB entry
Diagram: Site10 (10.1.10.0/24) reachable over DMVPN MPLS and DMVPN INET through the BRs
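The two roles above, MC decision and BR per-packet enforcement, can be modelled in a few dozen lines. The following is an added illustration, not code from the slides or from Cisco IOS: the traffic-class key (destination prefix, NBAR application, DSCP), the single TC database with its RIB fallback, and the MC moving every TC of the alerting channel (remote site, path, DSCP) to the other path. Exit names, next hops, the site-to-prefix map and the TCA handler signature are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed example (not from the slides): a PfRv3-style traffic-class
# database on a border router, and the MC reaction to a TCA.

@dataclass(frozen=True)
class TrafficClass:
    """A traffic class is identified by destination prefix, NBAR application and DSCP."""
    dest_prefix: str
    app_id: str
    dscp: str

@dataclass(frozen=True)
class Exit:
    """One PfR exit: the DMVPN tunnel, the hub next hop on it and the PfR path name."""
    interface: str
    next_hop: str
    path: str

class BorderRouter:
    """Holds the single traffic-class database; falls back to the RIB when no TC matches."""

    def __init__(self, rib: Dict[str, Exit]):
        self.rib = {ipaddress.ip_network(p): e for p, e in rib.items()}
        self.tc_db: Dict[TrafficClass, Exit] = {}

    def install(self, tc: TrafficClass, exit_: Exit) -> None:
        self.tc_db[tc] = exit_  # the MC pushes (or re-pushes) the exit for this TC

    def forward(self, dst: str, app_id: str, dscp: str) -> Tuple[Optional[str], Optional[str], str]:
        """Per-packet lookup: (output interface, next hop, where the decision came from)."""
        dst_addr = ipaddress.ip_address(dst)
        hits = [tc for tc in self.tc_db
                if tc.app_id == app_id and tc.dscp == dscp
                and dst_addr in ipaddress.ip_network(tc.dest_prefix)]
        if hits:  # most specific traffic-class prefix wins
            tc = max(hits, key=lambda t: ipaddress.ip_network(t.dest_prefix).prefixlen)
            ex = self.tc_db[tc]
            return ex.interface, ex.next_hop, "pfr"
        routes = [n for n in self.rib if dst_addr in n]
        if not routes:
            return None, None, "no-route"
        ex = self.rib[max(routes, key=lambda n: n.prefixlen)]  # longest-match RIB entry
        return ex.interface, ex.next_hop, "rib"

class MasterController:
    """Local MC: owns the policy decision, never sits in the forwarding path."""

    def __init__(self, br: BorderRouter, exits: Dict[str, Exit], site_prefixes: Dict[str, List[str]]):
        self.br = br
        self.exits = exits                  # path name -> Exit
        self.site_prefixes = site_prefixes  # remote site id -> prefixes it owns (assumed map)

    def on_tca(self, remote_site: str, path: str, dscp: str) -> List[TrafficClass]:
        """A TCA names a channel (remote site, path, DSCP); move its TCs to another path."""
        alternate = next(e for name, e in self.exits.items() if name != path)
        moved = []
        for tc, ex in list(self.br.tc_db.items()):
            if (tc.dscp == dscp and ex.path == path
                    and tc.dest_prefix in self.site_prefixes[remote_site]):
                self.br.install(tc, alternate)
                moved.append(tc)
        return moved

def demo():
    """Build a hub BR with two exits, steer voice to MPLS, then react to a loss TCA."""
    mpls = Exit("Tunnel100", "10.0.100.1", "MPLS")
    inet = Exit("Tunnel200", "10.0.200.1", "INET")
    br = BorderRouter(rib={"10.1.10.0/24": mpls, "0.0.0.0/0": inet})
    mc = MasterController(br, {"MPLS": mpls, "INET": inet},
                          site_prefixes={"10.2.10.10": ["10.1.10.0/24"]})
    voice = TrafficClass("10.1.10.0/24", "rtp-audio", "EF")
    mc.br.install(voice, mpls)
    before = br.forward("10.1.10.5", "rtp-audio", "EF")   # TC hit: follows PfR
    rib_only = br.forward("10.1.10.5", "http", "AF21")    # no TC: follows the RIB
    mc.on_tca(remote_site="10.2.10.10", path="MPLS", dscp="EF")
    after = br.forward("10.1.10.5", "rtp-audio", "EF")    # same packet, now on INET
    return before, rib_only, after

if __name__ == "__main__":
    for label, result in zip(("before TCA", "rib only", "after TCA"), demo()):
        print(label, result)
```

The point to notice is that the TCA never touches the RIB: only the traffic classes the MC has in its database move, so traffic that PfR does not control keeps following normal routing.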
Horizontal Scaling Architecture
Requirements:
- Multiple DMVPN hubs per cloud for redundancy and scaling
- HA: if the current exit/channel to a remote site fails, converge over to an alternate exit/channel on the same (DMVPN1) network; else, converge over to the alternate (DMVPN2) network.
- Scale: distribute traffic across multiple BRs/exits on a single DMVPN to utilize all WAN and router capacity.
- Convergence across hubs/POPs should only occur when all exits/channels in a hub/POP fail or reach their max-bw limits.
Diagram: HUB SITE (Site ID = 10.8.3.3) with MC1 and BR1 to BR4: multiple paths to the same DMVPN, multiple next hops in the same DMVPN; MPLS and INET transports to branch MC/BRs 10.1.10.0/24, 10.1.11.0/24, 10.1.12.0/24, 10.1.13.0/24
Current Situation up to XE 3.14 / 15.5(1)T
PfR limitations:
- The path name is unique and cannot be used on multiple external interfaces
- Spokes have multiple next hops on the same DMVPN tunnel; only one is currently used by PfRv3
- PfR channel definition: local site id + remote site id + DSCP + interface + path
- Both the spoke-to-BR1 and the spoke-to-BR2 channels are the same; we can't differentiate them
Diagram: HUB SITE (Site ID = 10.8.3.3, Hub MC 10.8.3.3/32) with MC1 and BR1 to BR4, where BR1 and BR2 both present "Path MPLS?" on the MPLS DMVPN; INET transport; branch MC/BRs 10.1.10.0/24, 10.1.11.0/24, 10.1.12.0/24, 10.1.13.0/24
Solution: Multiple Next Hops Per Tunnel
- Need to add an identifier to differentiate channels in the same DMVPN
- New PATH-ID added to each external interface; path-id unique per POP
- Branches/spokes peer with each Hub BR, in Active/Active or Active/Backup mode
- Targeted for XE 3.15 / 15.5(2)T
Hub BR1 (Path MPLS, Id 1):
  interface Tunnel 100
   domain IWAN path MPLS path-id 1
Hub BR2 (Path MPLS, Id 2):
  interface Tunnel 100
   domain IWAN path MPLS path-id 2
Diagram: HUB SITE (Site ID = 10.8.3.3, Hub MC 10.8.3.3/32) with MC1 and BR1 to BR4; MPLS and INET transports to branch MC/BR 10.1.10.0/24
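To make the collision and its fix concrete, here is an added example (not from the slides and not Cisco code) that parses the two tunnel stanzas shown above and builds the channel key as the previous slide defines it, first without and then with the path-id field. The site ids, the DSCP value and the helper names are assumptions for the example.

```python
import re
from typing import List, NamedTuple, Optional, Set, Tuple

# Constructed example (not from the slides): how the PfRv3 channel key changes
# once a path-id is carried per external interface.

class Channel(NamedTuple):
    """Channel key: local site + remote site + DSCP + interface + path (+ path-id)."""
    local_site: str
    remote_site: str
    dscp: str
    interface: str
    path: str
    path_id: Optional[int]   # None on releases where path-id does not exist

def parse_domain_paths(config: str) -> List[Tuple[str, str, Optional[int]]]:
    """Return (interface, path, path-id or None) for each tunnel stanza of a config fragment."""
    found, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^interface\s+(.+)$", line)
        if m:
            current = m.group(1).replace(" ", "")   # "Tunnel 100" -> "Tunnel100"
            continue
        m = re.match(r"^domain\s+(\S+)\s+path\s+(\S+)(?:\s+path-id\s+(\d+))?$", line)
        if m and current:
            found.append((current, m.group(2), int(m.group(3)) if m.group(3) else None))
    return found

def spoke_channels(local_site: str, remote_site: str, dscp: str,
                   hub_br_configs: List[str], honour_path_id: bool) -> Set[Channel]:
    """Channels a spoke builds toward the hub BRs it reaches on one DMVPN."""
    chans = set()
    for cfg in hub_br_configs:
        for iface, path, pid in parse_domain_paths(cfg):
            chans.add(Channel(local_site, remote_site, dscp, iface, path,
                              pid if honour_path_id else None))
    return chans

# Constructed hub BR configs, in the form shown on the slide.
HUB_BR1 = """interface Tunnel 100
 domain IWAN path MPLS path-id 1"""
HUB_BR2 = """interface Tunnel 100
 domain IWAN path MPLS path-id 2"""

def channel_count(honour_path_id: bool) -> int:
    """Distinct channels from spoke 10.2.10.10 to hub site 10.8.3.3 for DSCP EF."""
    return len(spoke_channels("10.2.10.10", "10.8.3.3", "EF", [HUB_BR1, HUB_BR2], honour_path_id))

if __name__ == "__main__":
    print("channels without path-id:", channel_count(False))  # both BRs collapse to one key
    print("channels with path-id:   ", channel_count(True))   # one channel per hub BR
```

Without the path-id both hub BRs produce an identical key, which is exactly why PfRv3 could only use one of the two next hops; with it, each hub BR gets its own channel and can be probed, measured and load-balanced separately.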
Multiple POPs, Common Prefixes
Requirements:
- 2 (or more) Transit Sites advertise the very same set of prefixes
- The datacenter may not be collocated with the Transit Sites
- DCs/DMZs are reachable across the WAN Core from each Transit Site
- Branches can access any DC or DMZ across either POP (hub), and DCs/DMZs can reach any branch across multiple Transit Sites (hubs)
- Multiple BRs per DMVPN per site may be required for crypto and bandwidth horizontal scaling
Diagram: IWAN POP1 (MC1, BR1 to BR4) and IWAN POP2 (MC2), both advertising 10.8.0.0/16; DC1 to DCn behind the DCI WAN Core; DMVPN MPLS and DMVPN INET to branch MC/BRs 10.1.10.0/24, 10.1.11.0/24, 10.1.12.0/24, 10.1.13.0/24
Introducing PfR Transit Sites
Transit Sites (Enterprise POPs or Hubs): transit to a DC or spoke to spoke
- HUB SITE: Site ID = 10.8.3.3, MC1 is the Hub MC
- TRANSIT SITE: Site ID = 10.9.3.3, MC2 is the Transit MC
Branch Sites (Stub Site) definition:
- Controlled by a local Master Controller (MC)
- Site ID = the IP address of the MC loopback
- One/multiple BRs
- Each BR has one/multiple links
Diagram: BRANCH SITE Site10 (Site ID = 10.2.10.10) and branch MC/BRs 10.1.10.0/24, 10.1.11.0/24, 10.1.12.0/24, 10.1.13.0/24 connected to BR1 to BR4 over DMVPN MPLS and DMVPN INET
Transit Master Controller
- Separate, independent MC in each POP
- Introduces the "Transit Master Controller" concept for the 2nd Transit site
- Behaves like a Hub without provisioning
- Allows transit Smart Probes (initial spoke-to-spoke probe traffic goes through the POP)
- Allows its BRs to configure the WAN interface, and sends out SMP with the WAN discovery flag set
- Each POP is allocated a unique POP-ID in the entire domain; this is done by CLI on the POP MC. MC1 in POP1 is the Hub MC (POP-ID 0); MC2 in POP2 is a Transit MC (POP-ID 1)
- Each external interface is allocated a unique PATH-ID per POP
Diagram: HUB SITE (Site ID = 10.8.3.3, Hub MC MC1, POP ID 0) and TRANSIT SITE (Site ID = 10.9.3.3, Transit MC MC2, POP ID 1), each with Path MPLS Id 1 and Path INET Id 2 over DMVPN MPLS and DMVPN INET to branch MC/BRs 10.1.10.0/24, 10.1.11.0/24, 10.1.12.0/24, 10.1.13.0/24
Application Visibility and Control
Make Your IWAN Application Aware: Add Cisco AVC
Context: proliferation of devices (users/machines) across Branch, DC/Headquarters, Private Cloud and Public Cloud; 60% of IT professionals cite performance as the key challenge for cloud
- No Probes: rich data collection using NetFlow v9/IPFIX; no additional hardware (and included in the AX license); easy to integrate into many reporting tools
- Smart Capacity Planning: better use of costly bandwidth; per-branch and per-application level reporting
- Business Aligned Privacy Enforcement: no need for complex IP and port ACLs; see inside HTTP flows to identify specific cloud applications
Deep Packet Inspection: Next Generation NBAR (NBAR2)
Availability: ISR G2 15.2(2)T1, ASR1K 3.4S
- 1000+ signatures
- Advanced classification techniques
- Native IPv4/IPv6 classification
- Advanced field extraction
NBAR2 is a new DPI engine that provides advanced application classification and field extraction capabilities. Categorization simplifies application management, and a Protocol Pack allows adding more applications without upgrading or reloading IOS.
Define Your Own Application in NBAR2: Custom App
Availability: ISR G2 15.2(4)M2, ASR1K 3.8S
- Port: TCP or UDP; 16 static ports per application; range of ports (1000 maximum)
- IP and Port (IOS-XE 3.12 / IOS 15.4(3)M)
- Payload: search the first 255 bytes of TCP or UDP payload; ASCII (16 characters), Hex (4 bytes), Decimal (1-4294967295), Variable (4 bytes Hex)
- HTTP: URI regex, Host regex
- DNS
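The match types above behave like a small rule engine, and the 255-byte payload window is the detail that most often surprises operators. The following is an added illustration written for this page, not NBAR2 code and not from the slides: a classifier implementing the port, IP-and-port, ASCII/hex payload and HTTP host/URI matches with the limits the slide states (the Decimal and Variable payload forms and the DNS match are left out). The application names, servers, ports and flows are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed example (not from the slides, not NBAR2 code): a classifier that
# applies the custom-application match types listed above, with the same limits.

PAYLOAD_WINDOW = 255   # only the first 255 bytes of TCP/UDP payload are searched

@dataclass
class CustomApp:
    name: str
    transport: Optional[str] = None         # "tcp" or "udp"
    ports: frozenset = frozenset()          # static ports, 16 per application
    server_ip: Optional[str] = None         # "IP and Port" match
    payload_ascii: Optional[bytes] = None   # ASCII pattern, max 16 characters
    payload_hex: Optional[bytes] = None     # hex pattern, exactly 4 bytes
    http_host_re: Optional[str] = None      # Host regex
    http_uri_re: Optional[str] = None       # URI regex

    def __post_init__(self):
        if len(self.ports) > 16:
            raise ValueError("at most 16 static ports per application")
        if self.payload_ascii is not None and len(self.payload_ascii) > 16:
            raise ValueError("ASCII pattern limited to 16 characters")
        if self.payload_hex is not None and len(self.payload_hex) != 4:
            raise ValueError("hex pattern must be 4 bytes")

@dataclass
class Flow:
    transport: str
    dst_ip: str
    dst_port: int
    payload: bytes = b""
    http_host: Optional[str] = None
    http_uri: Optional[str] = None

def matches(app: CustomApp, flow: Flow) -> bool:
    """Every criterion set on the app must hold for the flow."""
    if app.transport and app.transport != flow.transport:
        return False
    if app.ports and flow.dst_port not in app.ports:
        return False
    if app.server_ip and app.server_ip != flow.dst_ip:
        return False
    window = flow.payload[:PAYLOAD_WINDOW]   # bytes past the window are never inspected
    if app.payload_ascii is not None and app.payload_ascii not in window:
        return False
    if app.payload_hex is not None and app.payload_hex not in window:
        return False
    if app.http_host_re and not (flow.http_host and re.search(app.http_host_re, flow.http_host)):
        return False
    if app.http_uri_re and not (flow.http_uri and re.search(app.http_uri_re, flow.http_uri)):
        return False
    return True

def classify(apps: List[CustomApp], flow: Flow) -> str:
    for app in apps:                 # first match wins: order the list most specific first
        if matches(app, flow):
            return app.name
    return "unknown"

# Constructed custom applications.
APPS = [
    CustomApp("corp-erp", transport="tcp", ports=frozenset({8443, 9443}), server_ip="10.8.20.5"),
    CustomApp("legacy-ctl", transport="udp", payload_hex=b"\xde\xad\xbe\xef"),
    CustomApp("intranet-portal", transport="tcp", http_host_re=r"\.intranet\.example$"),
]

def demo() -> List[str]:
    """Classify constructed flows, including one whose marker sits past the 255-byte window."""
    flows = [
        Flow("tcp", "10.8.20.5", 8443),
        Flow("tcp", "10.8.20.9", 8443),                                   # right port, wrong server
        Flow("udp", "10.8.30.1", 5000, b"\xde\xad\xbe\xef" + b"\x00" * 40),
        Flow("udp", "10.8.30.1", 5000, b"\x00" * 300 + b"\xde\xad\xbe\xef"),  # marker beyond window
        Flow("tcp", "10.8.40.2", 80, http_host="wiki.intranet.example", http_uri="/index"),
    ]
    return [classify(APPS, f) for f in flows]

if __name__ == "__main__":
    print(demo())
```

The fourth flow is the case to remember when a custom application does not classify: a payload signature that appears after byte 255 is invisible to the engine, so anchor payload patterns at the start of the exchange.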
NBAR2 and Encrypted Traffic
With heuristics-based classification, NBAR can classify 70+ encrypted applications.
Performance Monitoring Foundation
IETF scope: (1) Metering Process on the devices (Flexible NetFlow, Unified Monitor); (2) Export Process from the devices to the collector (NetFlow v9, IPFIX)
Use cases: capacity planning, security, performance analysis, visibility
IWAN Adaptive QoS: How Does It Work?
Goal: adapt the sender's shape rate to the bandwidth available toward the receiver
- Sender: configure an MQC policy with adaptive shaping
- Receiver: collect periodic bandwidth statistics on the received traffic (Transport Monitoring, enabled on the DMVPN)
- Sender: calculate the available bandwidth over the WAN from the received rate reported by the receiver, and adjust the egress shaper to the observed rate
Cisco IWAN Management
On-Prem Management: Prime Infrastructure 2.2
- End-to-end assurance of application experience
- Single-pane view of IWAN
- IWAN deployment workflows: Plug and Play; DMVPN, QoS, AVC deployment and monitoring; PfRv3 deploy/monitoring (April 2015)
- License includes IWAN App and APIC-EM controller!
Specialized Management: Application Aware Network Performance Management
- Integrates with Cisco AVC and PfR
- Monitor and analyze application traffic; end-to-end flow visualization
- Flow & app-based troubleshooting; fix and verify in real time
Cloud-Based Management: Automates Deployment and Lifecycle Management
- Eliminates manual building of WANs; automated SD-WAN orchestration
- Centralized hybrid WAN management
- Quick config updates and IOS upgrades
- Leverages onePK and REST APIs
Prime Infra Workflow for IWAN
Prime Infra will provide:
- IWAN workflow wizard with PnP
- Template-based config for IWAN PINs: PfRv3 Domain, MC and AVC; one-click provisioning
- QoS provisioning
- Single or dual router branch; CVD-based, customizable
- AVC readiness assessment
- AVC, QoS, PfR visibility
- Leverages APIC-EM services
Screenshot: PfR dashboard, looking at events at sites
Screenshot: Link details, PfR threshold crossing
LiveAction 4.3 and Performance Routing
- PfR path change visualization
- Alert and report on PfR Out-of-Policy events
- Reports on traffic class/application path changes
Screenshot: before brown-out (northern path) and after brown-out (southern path); Out-of-Policy Threshold Crossing Alert
Typical IWAN App deployment topology: Datacenter (POP), Aggregation, Branch (dual links)
www.cisco.com/go/iwan