Cisco Intelligent WAN


Cisco Intelligent WAN
Ľuboš Lontoš, Systems Engineer SP/R&S, ALEF NULA a.s.

Agenda
- Cisco IWAN Architecture Overview
- Transport Independent Design
- Intelligent Path Control (PfRv3)
- Product Portfolio

Traditional WAN vs. Hybrid IWAN Design

IWAN: Secure WAN Transport and Internet Access
- Secure WAN transport for private and virtual private cloud access
- Leverage the local Internet path for public cloud and Internet access
- Increase WAN transport capacity cost-effectively
- Improve application performance

Intelligent WAN Solution Components

IWAN Layers

Transport Independent Design

Dynamic Multipoint VPN (DMVPN)
Proven IPsec VPN technology
- Widely deployed, large scale, standards based
- Advanced QoS: hierarchical, per-tunnel and adaptive
- Zero-packet-loss tunnel initiation
Flexible and resilient
- Overlay any transport: MPLS, Carrier Ethernet, Internet, 3G/4G, ...
- Hub-and-spoke and spoke-to-spoke topologies
- Multiple encryption, key management and routing options
- Multiple redundancy options: platform, hub, transports
Secure
- Industry-certified IPsec and next-generation firewall
- Strong encryption: AES-GCM-256 (Suite B); IKEv2
- IEEE 802.1AR Secure Unique Device Identifier (SUDI)
Simplified IWAN deployments
- Prescriptive, validated IWAN designs
- Automated provisioning: Prime, APIC, LiveAction

Over-the-Top WAN Design
- Branch spoke sites establish a DMVPN tunnel with IPsec encryption to the hub site and register with it
- IP routing exchanges prefix information for each site; BGP or EIGRP are typically used for scalability
- The WAN interface address is used as the tunnel address, so the provider network does not need to know or route the customer's internal IP prefixes
- Data traffic flows over the DMVPN tunnels
- When traffic flows between spoke sites, the hub assists the spokes in establishing a direct spoke-to-spoke tunnel
- Per-tunnel QoS is applied to prevent the hub site from overrunning spoke sites

IWAN Deployment Models

Securing IWAN Transports
- Virtual Routing and Forwarding (VRF) instances create multiple logical routers on a single device
- Separate control and data planes per VRF
- No connectivity between VRFs by default
- Provider-side (front-door) VRF, shown in yellow, for external networks; global VRF, shown in blue, for internal networks
The provider VRF minimises threat exposure:
- Default routing exists only in the provider VRF
- Provider-assigned IP addressing hides the internal network
- The provider IP address is used as the IPsec tunnel endpoint
- Only IPsec-protected traffic is allowed between the internal global VRF and the provider front-door VRF

Assuring Confidentiality: IKEv2 + Strong Cryptography
- Strong, certified cryptography and IPsec architecture to protect the transport
- Protects from eavesdropping and man-in-the-middle attacks
- 256-bit Advanced Encryption Standard in GCM mode (AES-256-GCM) together with Elliptic Curve Cryptography for the strongest Suite B security level
- IKEv2 for secure, trusted establishment of the transport security associations
- Strongest authentication and key exchange algorithms: ECDSA, ECDH and SHA-2 (SHA-256/384)
- The Suite B algorithm set is NSA-approved for protecting both unclassified and classified information
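The three preceding slides (over-the-top DMVPN, the front-door VRF, and IKEv2 with Suite B algorithms) come together in one spoke configuration. The following is an added example written for this page, not configuration from the ALEF NULA deck or a Cisco validated design. Every name and address in it is an assumption: VRF IWAN-TRANSPORT-1, RFC 5737 provider addresses in 192.0.2.0/24, overlay 10.6.34.0/23, hub NBMA address 192.0.2.1, EIGRP AS 400, and a trustpoint IWAN-CA that is assumed to be already enrolled with an EC P-384 key pair.

```cisco
! Added example, not from the original deck. All names/addresses are assumptions.
!
! 1. Front-door VRF: the provider-facing interface and the only default route
!    live here, so the global table never has a route toward the provider.
vrf definition IWAN-TRANSPORT-1
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/0
 description Provider link, provider-assigned addressing (assumed)
 vrf forwarding IWAN-TRANSPORT-1
 ip address 192.0.2.10 255.255.255.252
!
ip route vrf IWAN-TRANSPORT-1 0.0.0.0 0.0.0.0 192.0.2.9
!
! 2. IKEv2 with Suite B algorithms: AES-GCM-256, SHA-384 PRF, ECDH P-384
!    (group 20), ECDSA certificate authentication. Matched on the front-door
!    VRF so IKE is only negotiated on the provider side.
crypto pki certificate map IWAN-CERT-MAP 10
 issuer-name co cn = iwan-ca
!
crypto ikev2 proposal IWAN-SUITEB
 encryption aes-gcm-256
 prf sha384
 group 20
!
crypto ikev2 policy IWAN-SUITEB
 match fvrf IWAN-TRANSPORT-1
 proposal IWAN-SUITEB
!
crypto ikev2 profile IWAN-PROFILE
 match fvrf IWAN-TRANSPORT-1
 match certificate IWAN-CERT-MAP
 identity local dn
 authentication remote ecdsa-sig
 authentication local ecdsa-sig
 pki trustpoint IWAN-CA
 dpd 30 5 on-demand
!
crypto ipsec transform-set IWAN-GCM esp-gcm 256
 mode transport
!
crypto ipsec profile IWAN-IPSEC
 set transform-set IWAN-GCM
 set ikev2-profile IWAN-PROFILE
!
! 3. DMVPN tunnel: addressed in the global VRF, sourced from the front-door
!    VRF. "tunnel vrf" is the only crossing between the two tables and it
!    carries IPsec-protected GRE only. The NHRP authentication string is a
!    cleartext 8-character tag, not a secret; IKEv2 is the real authentication.
interface Tunnel100
 description DMVPN over MPLS transport
 bandwidth 15000
 ip address 10.6.34.11 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY1
 ip nhrp network-id 101
 ip nhrp holdtime 600
 ip nhrp nhs 10.6.34.1 nbma 192.0.2.1 multicast
 ip nhrp registration no-unique
 ip nhrp shortcut
 if-state nhrp
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 101
 tunnel vrf IWAN-TRANSPORT-1
 tunnel protection ipsec profile IWAN-IPSEC
!
! 4. EIGRP runs over the overlay only; the spoke is a stub so it can never
!    become a transit path between the hub and other spokes.
router eigrp IWAN-EIGRP
 address-family ipv4 unicast autonomous-system 400
  af-interface Tunnel100
   hello-interval 20
   hold-time 60
  exit-af-interface
  network 10.0.0.0 0.255.255.255
  eigrp stub connected summary
 exit-address-family
```

Two things to check after applying something like this: `show crypto ikev2 sa detail` should report ECDSA authentication and the AES-GCM-256/SHA-384/group 20 suite for the hub peer, and `show ip route vrf IWAN-TRANSPORT-1` should contain nothing but the connected provider subnet and the default route. If a default route ever appears in the global table, the front-door separation has been broken.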

Intrusion and Attack Prevention
- Control plane attacks are mitigated with Control Plane Policing (CoPP): control plane traffic is rate-limited and dropped to protect the control plane CPU
- Example set of control and management plane protocols exposed externally: DHCP, IPsec/IKE, SSH, ICMP and NTP, each permitted only from specific hosts or subnets
- Data plane DoS attack scenario: the attack points are flooded and the link saturates
- The integrated Zone-Based Firewall (ZBFW) or an ACL drops all unauthorized traffic
- Loss of bandwidth can be mitigated with intelligent path control: PfR detects the congestion and routes traffic to an alternate link
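The slide names the two controls but not their shape. The following is an added example for this page, not from the deck: an inbound ACL on the provider-facing interface (the ACL alternative to ZBFW mentioned above) plus a CoPP policy. Assumed values: NTP server 192.0.2.123, management subnet 198.51.100.0/24, overlay 10.6.34.0/23, WAN interface GigabitEthernet0/0, and policer rates chosen as round illustrative numbers rather than measured ones.

```cisco
! Added example, not from the original deck. Addresses and rates are assumptions.
!
! --- Data plane: what the provider side may deliver to this router at all ---
! IKE and ESP are accepted from any source because spoke-to-spoke tunnels
! arrive from addresses not known in advance; IKEv2 certificate
! authentication is the real gate. Management protocols are pinned to known
! sources. DHCP is kept only because the provider may assign the address.
ip access-list extended WAN-INBOUND
 permit udp any eq isakmp any eq isakmp
 permit udp any eq non500-isakmp any eq non500-isakmp
 permit esp any any
 permit udp host 192.0.2.123 eq ntp any
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 permit icmp 198.51.100.0 0.0.0.255 any echo
 permit icmp any any packet-too-big
 permit udp any eq bootps any eq bootpc
 deny ip any any
!
interface GigabitEthernet0/0
 ip access-group WAN-INBOUND in
!
! --- Control plane: rate-limit what reaches the CPU ---
! The overlay's own control traffic (GRE/NHRP, EIGRP from tunnel addresses)
! must be in the permitted class as well, because it is punted after
! decapsulation and would otherwise fall into the tight class-default policer.
ip access-list extended COPP-CONTROL
 permit udp any eq isakmp any eq isakmp
 permit udp any eq non500-isakmp any eq non500-isakmp
 permit esp any any
 permit gre any any
 permit eigrp 10.6.34.0 0.0.1.255 any
 permit udp host 192.0.2.123 eq ntp any
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 permit icmp 198.51.100.0 0.0.0.255 any echo
!
class-map match-all COPP-CONTROL
 match access-group name COPP-CONTROL
!
policy-map COPP-POLICY
 class COPP-CONTROL
  police 1000000 16000 conform-action transmit exceed-action drop
 class class-default
  police 32000 1500 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
```

Deliberately no `log` keyword on the final `deny`: logging every dropped packet during a flood is itself a control-plane load. Check the counters with `show policy-map control-plane` while the WAN is under normal load; if class-default is already dropping, some legitimate punted protocol is missing from COPP-CONTROL and should be added before the rate is tightened further.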

IWAN Routing Protocols
IWAN profiles are based on BGP and EIGRP for scalability and optimal Intelligent Path Control.
Scalability:
- BGP (path vector) and EIGRP (advanced distance vector) provide the best scale over large hub-and-spoke topologies like DMVPN
- OSPF (link state) maintains a lot of network state that cannot be subdivided easily in large DMVPN networks
Intelligent Path Control:
- PfR can be used with any routing protocol by relying on the routing table (RIB); this requires all valid WAN paths to be equal-cost (ECMP) so that each valid path is present in the RIB
- With BGP and EIGRP, PfR can look into the protocol's topology information to determine both the best and the secondary paths, so ECMP is not required

Intelligent Path Control: Performance Routing v3 (PfRv3)

PfR Components
The Policy Controller: Domain Controller (DC)
- Discovers site peers, prefixes and connected networks
- Advertises policy and services
- One per domain, collocated with the hub MC
The Decision Maker: Master Controller (MC)
- Discovers BRs, collects statistics
- Applies policy; verification and reporting
- No packet forwarding or inspection required
The Forwarding Path: Border Router (BR)
- Does all packet forwarding
- Visibility into network performance
- Enforces the MC's decision (path enforcement)

Intelligent Path Control with PfR: Voice and Video Use Case
- PfR monitors network performance and routes applications based on application performance policies
- PfR load balances traffic based on link utilization levels to efficiently use all available WAN bandwidth

How PfR Works

IWAN Traffic Policies
Domain policies are configured on the hub MC. These policies are distributed to branch MCs using the peering infrastructure, so all sites in the same domain share the same set of PfR policies. Policies are created from pre-defined templates, or they can be customized with manually defined thresholds for delay, loss and jitter.

Pre-defined template   Priority   Threshold definition
Voice                  1          one-way-delay threshold 150 msec
                       2          packet-loss-rate threshold 1.0 percent
                       2          byte-loss-rate threshold 1.0 percent
                       3          jitter threshold 30000 usec
Real-time-video        1          packet-loss-rate threshold 1.0 percent
                       1          byte-loss-rate threshold 1.0 percent
                       2          one-way-delay threshold 150 msec
                       3          jitter threshold 20000 usec
Low-latency-data       1          one-way-delay threshold 100 msec
                       2          packet-loss-rate threshold 5.0 percent
                       2          byte-loss-rate threshold 5.0 percent
Bulk-data              1          one-way-delay threshold 300 msec
                       2          packet-loss-rate threshold 5.0 percent
                       2          byte-loss-rate threshold 5.0 percent
Best-effort            1          one-way-delay threshold 500 msec
                       2          packet-loss-rate threshold 10.0 percent
                       2          byte-loss-rate threshold 10.0 percent
Scavenger              1          one-way-delay threshold 500 msec
                       2          packet-loss-rate threshold 50.0 percent
                       2          byte-loss-rate threshold 50.0 percent

Load Balancing: Maximizing Link Utilization to Increase Available Bandwidth
- External link load balancing is enabled by default for the default class
- PfR distributes traffic across a set of links to keep their utilisation levels within a defined percentage range of each other; the default utilisation range is +/- 20%
- External links can have different available bandwidth, e.g. Int1/0 = 1.5 Mbps, Int1/1 = 15 Mbps
- Load balancing defaults cannot be changed
- Utilisation range 20%; maximum utilisation = link capacity. At 50% utilisation the 15 Mbps link carries 7.5 Mbps and the T1 (1.5 Mbps) carries 750 kbps
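The PfR components, the domain policy templates and the load-balancing switch from the last three slides map onto a small amount of configuration. The following is an added example written for this page, not from the deck or a Cisco deployment guide. Assumed: domain name iwan, hub MC at Loopback0 10.4.255.254, data-centre prefix 10.4.0.0/16, enterprise prefix 10.0.0.0/8, transport names MPLS (Tunnel100) and INET (Tunnel200), and the placeholder peering secret PFR-PEER-KEY, which must be replaced with a real one.

```cisco
! Added example, not from the original deck. Names, prefixes and addresses are
! assumptions; PFR-PEER-KEY is a placeholder, never use a guessable value.
!
! ===== Hub site: Master Controller, which also acts as Domain Controller =====
ip prefix-list ENTERPRISE-PREFIX seq 10 permit 10.0.0.0/8
ip prefix-list DC1-PREFIX seq 10 permit 10.4.0.0/16
!
domain iwan
 vrf default
  master hub
   source-interface Loopback0
   password PFR-PEER-KEY
   site-prefixes prefix-list DC1-PREFIX
   enterprise-prefix prefix-list ENTERPRISE-PREFIX
   load-balance
   ! Template-based classes, matched on DSCP, each with a preferred path.
   ! The template names are the ones from the policy table on the slide.
   class VOICE sequence 10
    match dscp ef policy voice
    path-preference MPLS fallback INET
   class VIDEO sequence 20
    match dscp af41 policy real-time-video
    path-preference MPLS fallback INET
   ! Custom class: 120 ms one-way delay at priority 1, 3% loss at priority 2
   class CRITICAL-DATA sequence 30
    match dscp af31 policy custom
     priority 1 one-way-delay threshold 120
     priority 2 loss threshold 3
    path-preference MPLS fallback INET
   ! Default class is what load-balance spreads across the transports
   class DEFAULT sequence 40
    match dscp default policy best-effort
    path-preference INET fallback MPLS
!
! ===== Hub site: Border Router peering with the separate hub MC =====
domain iwan
 vrf default
  border
   source-interface Loopback0
   password PFR-PEER-KEY
   master 10.4.255.254
!
interface Tunnel100
 domain iwan path MPLS
!
! ===== Branch site: MC and BR collocated on the spoke router =====
domain iwan
 vrf default
  border
   source-interface Loopback0
   password PFR-PEER-KEY
   master local
  master branch
   source-interface Loopback0
   password PFR-PEER-KEY
   hub 10.4.255.254
!
interface Tunnel100
 domain iwan path MPLS
!
interface Tunnel200
 domain iwan path INET
```

The branch MC carries no class configuration on purpose: the policies above are distributed from the hub MC over the peering, which is the behaviour the slide describes. `show domain iwan master policy` on a branch should therefore list the same classes as on the hub, and `show domain iwan master traffic-classes summary` shows which transport each traffic class is currently using. If `show domain iwan master status` shows the BRs as down, the usual causes are a mismatched password or a source loopback that is not reachable over the overlay.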

Performance Monitors
Three Performance Monitor Instances (PMIs) are applied over the external interfaces:
- Monitor 1: site prefix learning (egress direction)
- Monitor 2: aggregate bandwidth per traffic class (egress direction)
- Monitor 3: performance measurements (ingress direction); this creates a channel

Collecting Performance Metrics
User traffic:
- The traffic flow is captured on the destination site
- Performance Monitor collects performance metrics per channel
- Default monitor interval is 30 sec (configurable)
Smart probes:
- Without actual traffic: 20 pps for a channel without traffic. IOS-XE: the BR sends 10 probes spaced 20 ms apart in the first 500 ms and another 10 probes in the next 500 ms. IOS: the BR sends one packet every 50 ms
- With actual traffic: lower frequency when real traffic is observed over the channel; probes are sent every 1/3 of the monitor interval, i.e. every 10 sec by default
- Probes are measured by the Performance Monitor just like other data traffic

Platform Support
- Cisco ISR G2 family: 3900-AX, 2900-AX, 1900-AX, 890 as MC, BR
- Cisco ISR 4000 family: 4300-AX, 4400-AX as MC, BR
- Cisco ASR 1000 family as MC, BR
- Cisco CSR 1000V as MC, BR (IOS-XE 3.18)

Intelligent WAN Summary
Transport Independent Design
- Highly available hybrid WAN
Intelligent Path Control
- Performance Routing (PfR) to protect applications and load balance traffic to maximize expensive WAN bandwidth
Application Optimization
- Application Visibility and Control (AVC) to monitor performance
- WAAS + Akamai to reduce bandwidth consumption while improving the application experience
Secure Connectivity
- Secure the network from outside threats
- Cloud Web Security (CWS) for improved cloud performance while freeing up WAN bandwidth, without compromising security
IWAN Management
- Cisco and ecosystem partner tools: APIC-EM IWAN app, Prime, LiveAction, Gluware, and more

Thank you