Intelligent WAN : CVU update
Deliver enhanced mobile experience at the branch with Intelligent WAN
Soren D. Andreasen (sandreas@cisco.com)
Technical Solution Architect
CCIE# 3252
Agenda
• IWAN 2.0/2.1 overview and latest development
Intelligent WAN Solution Components
Diagram: Branch (ISR-AX) connected over MPLS, Internet and 3G/4G-LTE to the Private Cloud (ASR1000-AX), with Virtual Private Cloud and Public Cloud (Akamai) reached over the Internet; AVC, WAAS and PfRv3 applied across the WAN under a common Management & Orchestration layer.
Four pillars:
• Transport Independence (DMVPN): IPsec WAN overlay; consistent operational model
• Intelligent Path Control (Performance Routing, PfRv3): optimal application routing; efficient use of bandwidth
• Application Optimization (AVC, WAAS, Akamai): performance monitoring; optimization and caching
• Secure Connectivity (Suite-B, CWS, ZBFW): NG strong encryption; threat defense
IWAN 2.0/2.1 Developments
IWAN Layers (bottom to top):
• Infrastructure Routing: MPLS routing and Internet routing on the underlying transports
• Transport Overlay: Transport Independent Design (DMVPN)
• Overlay routing over tunnels: Overlay Routing Protocol (BGP, EIGRP)
• Intelligent Path Selection: AVC, PfR, QoS
• Security alongside the stack: ZBFW, CWS
IWAN Transport Independent Design Summary
• IPsec Overlay – DMVPN Phase 3
  – Site-to-site dynamic tunnels
  – Per-Tunnel QoS
  – PfRv3 Path Control (SD-WAN automation)
• Multiple DMVPNs for Path Diversity
  – Separate failure domains
  – Brownout circumvention (PfR)
  – Load balancing (PfR and routing protocol)
• Single Routing Domain
  – Simplified operations and support
  – Simple ECMP or best path provisioning
  – EIGRP or BGP
• Security
  – Protecting the network from external threats
Diagram: Path Control Domain spanning DC-East and DC-West (each with an MC and two ASR-AX BRs) joined by the DCI and WAN Core; DMVPN 1 over the MPLS transport (ATBT) and DMVPN 2 over Internet access (Island, ADSL) reach Branch-1 through Branch-513 on ISR-AX.
© 2013 Cisco and/or its affiliates. All rights reserved.
Getting the Most Out of Your WAN Investment
Benefits of Intelligent Path Control
• Lower WAN costs, full utilization of WAN bandwidth: efficient distribution of traffic based upon load, circuit cost, and path preference
• Improved application performance: per-application best path based on delay, loss and jitter measurements
• Higher application availability: protection from carrier black holes and brownouts
• Enabling Internet-based WANs
Diagram: Branch (ISR) reaching the Data Center (ASR 1000s) over Internet and MPLS, with AVC, WAAS and PfR applied on both ends.
Enterprise Domain
Diagram: Hub (DC) site with a Master Controller and two BRs, one per transport (MPLS and INET), site-id 10.8.3.3; a dual-CPE branch with two MC/BR routers, site-id 10.2.11.11; a single-CPE branch with one MC/BR, site-id 10.2.10.10.
The Decision Maker: Master Controller (MC)
• Applies policy, verification, reporting
• No packet forwarding/inspection required
• Standalone or combined with a BR
The Forwarding Path: Border Router (BR)
• Gains network visibility in the forwarding path (learn, measure)
• Enforces the MC's decision (path enforcement)
Enterprise Domain: Domain Controller
Diagram: same topology; the Hub MC (site-id 10.8.3.3) holds the Domain Controller role, with branches at site-id 10.2.11.11 (dual CPE) and site-id 10.2.10.10 (single CPE).
• One of the MCs is assigned the Domain Controller role
• Central point of provisioning for the Enterprise Domain
• Branch sites connect to the Hub Master Controller
• Service Announcement Framework (SAF) Peering
Domain Policies and Monitors
Peering and Distribution
Diagram: Policies and Monitors held on the Domain Controller (Hub MC, site-id 10.8.3.3) and pushed to the branch MC/BRs (site-id 10.2.11.11 dual CPE, site-id 10.2.10.10 single CPE).
• Domain policies and monitor instances are configured on the Hub MC.
• They are then distributed to branch sites using the peering infrastructure.
Performance Monitoring
Passive Monitoring
Diagram: Hub with a Master MC and BRs on MPLS and INET; dual-CPE and single-CPE branches with MC/BRs.
• Bandwidth on egress, per Traffic Class
• Performance on ingress: RTP and TCP metrics, per DSCP and site
Monitoring
Smart Probing
Diagram: Hub with a Master MC and BRs on MPLS and INET; dual-CPE and single-CPE branches with MC/BRs.
Smart Probes
• Generated from the dataplane
• Traffic driven – intelligent on/off
• Site to site and per DSCP
Performance Monitor
• Collects performance metrics
Smart Probing
Help for Measurement Over Channels
Diagram: Hub MC with BRs on MPLS and INET; Site10 (10.1.10.0/24) with its own MC and BR; traffic flow measured per channel.
• Without actual traffic
  – The BR sends 10 probes spaced 20 ms apart in the first 500 ms and another similar 10 probes in the next 500 ms, thus achieving 20 pps for channels without traffic.
• With actual traffic
  – Lower frequency when real traffic is observed over the channel
  – Probes sent every 1/3 of [Monitor Interval], i.e. every 10 sec by default
• Measured by Unified Monitoring just like other data traffic
Monitoring
Threshold Crossing Alerts
Diagram: Hub with a Master MC and BRs on MPLS and INET; dual-CPE and single-CPE branches with MC/BRs.
Threshold Crossing Alert (TCA)
• Sent to the source site
• Raised for loss, delay, jitter, unreachable
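The probe cadence and the TCA check described on the Smart Probing and Threshold Crossing Alert slides above, as an added Python model that is not Cisco code and not from the deck. The two cadences (20 pps on an idle channel, one probe per monitor-interval/3 once traffic is seen) and the default 30-second monitor interval follow the slides; the threshold values, the channel/site ids and the delay samples are assumed.

```python
"""Smart-probe cadence and threshold-crossing alerts (TCA) for a PfRv3 channel.

Added illustration, not Cisco code. It models the two probe cadences the
slides describe (20 probes/s on a channel carrying no traffic, one probe per
monitor-interval/3 once real traffic is seen) and a destination-side check
that raises a TCA to the source site when loss, delay or jitter cross a
threshold, or when nothing arrives at all (unreachable). The threshold values
and the sample measurements are assumed.
"""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional, Sequence, Tuple

MONITOR_INTERVAL_S = 30.0   # PfRv3 default monitor interval (slides: probes every 1/3 of it)


def probe_offsets(window_s: float, traffic_seen: bool) -> List[float]:
    """Seconds (from window start) at which a BR sends smart probes on one channel."""
    if traffic_seen:
        # Real traffic already yields measurements; probe only every monitor-interval/3.
        period = MONITOR_INTERVAL_S / 3
        return [k * period for k in range(int(window_s / period))]
    # Idle channel: 10 probes 20 ms apart in each 500 ms half-second, i.e. 20 pps.
    times: List[float] = []
    half_start = 0.0
    while half_start < window_s:
        times.extend(half_start + 0.020 * i for i in range(10)
                     if half_start + 0.020 * i < window_s)
        half_start += 0.5
    return times


@dataclass(frozen=True)
class Channel:
    src_site: str     # site id = MC loopback of the sending site
    dst_site: str
    dscp: str
    path: str         # "MPLS" or "INET"


@dataclass(frozen=True)
class Thresholds:
    # Assumed policy for one voice-like traffic class; not values from the slides.
    loss_pct: float = 1.0
    delay_ms: float = 150.0
    jitter_ms: float = 30.0


@dataclass(frozen=True)
class Tca:
    channel: Channel
    reasons: Tuple[str, ...]
    sent_to: str      # TCAs go back to the source site of the traffic


def evaluate_channel(channel: Channel, sent: int, delays_ms: Sequence[float],
                     thr: Thresholds = Thresholds()) -> Optional[Tca]:
    """Destination-side check for one channel over one monitor interval.

    sent       - probes/packets the source transmitted in the interval
    delays_ms  - one-way delay of each one that arrived, in arrival order
    Returns a Tca naming every crossed threshold, or None when in policy.
    """
    reasons = []
    if not delays_ms:
        reasons.append("unreachable")
    else:
        loss_pct = 100.0 * (sent - len(delays_ms)) / sent
        delay = mean(delays_ms)
        # Jitter as mean delay variation between consecutive arrivals, RTP-style.
        jitter = (mean(abs(a - b) for a, b in zip(delays_ms, delays_ms[1:]))
                  if len(delays_ms) > 1 else 0.0)
        if loss_pct > thr.loss_pct:
            reasons.append("loss")
        if delay > thr.delay_ms:
            reasons.append("delay")
        if jitter > thr.jitter_ms:
            reasons.append("jitter")
    if not reasons:
        return None
    return Tca(channel, tuple(reasons), sent_to=channel.src_site)
```

Over a 30-second window the idle cadence yields 600 probes and the traffic-driven cadence 3, which is why an idle channel still gets a usable loss/delay sample without waiting for user traffic.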
Path Enforcement
Policy Decision
• Local MC
  – Selects the Traffic-classes (TC) that are affected by the TCA
  – Moves them to the alternate path
• BRs
  – Impose the next hop on internal interfaces, in the input direction
TC Database (MC): each traffic-class entry is keyed by
  – destination-prefix,
  – nbar-app-id,
  – dscp.
BR
• Maintains a single database of traffic-classes
• Each traffic-class entry contains an output interface and a nexthop ip address.
• Lookup per packet: output-if/next hop retrieved, packet forwarded
• If no entry: uses the RIB entry
Diagram: Site10 (10.1.10.0/24) with an MC and two BRs, one on the DMVPN over MPLS and one on the DMVPN over INET.
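The MC/BR division of labour on the Path Enforcement slide, as an added Python model (not Cisco code, not from the deck): the MC keys traffic classes by (destination prefix, NBAR app id, DSCP) and decides the path, each BR holds the same entries with (output interface, next hop), does a per-packet lookup and falls back to the RIB, and a TCA makes the MC move the affected classes to the alternate path. Prefixes, application names, tunnel names and next-hop addresses are assumed; keying the TCA by remote-site prefix is a simplification of the real per-site channel.

```python
"""Path enforcement with a PfRv3-style traffic-class (TC) database.

Added illustration, not Cisco code. The MC keys every traffic class by
(destination prefix, NBAR application id, DSCP) and chooses its path; each BR
holds the same entries with (output interface, next hop), looks them up per
packet on its internal (LAN-facing) input interface and falls back to the RIB
when nothing matches; on a TCA the MC moves the affected traffic classes to
the alternate path. Prefixes, application names, tunnel names and next hops
are assumed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Hop = Tuple[str, str]   # (output interface, next-hop address)


@dataclass(frozen=True)
class TcKey:
    dest_prefix: str    # e.g. "10.8.1.0/24"
    app_id: str         # NBAR application id/name
    dscp: str


class BorderRouter:
    """Forwarding path: per-packet TC lookup, RIB fallback."""

    def __init__(self, rib: Dict[str, Hop]):
        self.rib = {ipaddress.ip_network(p): hop for p, hop in rib.items()}
        self.tc_db: Dict[TcKey, Hop] = {}

    def forward(self, dst_ip: str, app_id: str, dscp: str) -> Tuple[str, str, str]:
        """Return (out_if, next_hop, source) where source is 'tc' or 'rib'."""
        dst = ipaddress.ip_address(dst_ip)
        best: Optional[Tuple[int, Hop]] = None
        for key, hop in self.tc_db.items():
            net = ipaddress.ip_network(key.dest_prefix)
            if key.app_id == app_id and key.dscp == dscp and dst in net:
                if best is None or net.prefixlen > best[0]:
                    best = (net.prefixlen, hop)   # longest prefix wins
        if best is not None:
            return best[1][0], best[1][1], "tc"
        # No TC entry: use the RIB (longest prefix match).
        net = max((n for n in self.rib if dst in n), key=lambda n: n.prefixlen)
        return self.rib[net][0], self.rib[net][1], "rib"


class MasterController:
    """Decision maker: owns policy, pushes (out_if, next_hop) into its BRs."""

    def __init__(self, paths: Dict[str, Hop], preferred: Dict[str, str],
                 brs: List[BorderRouter]):
        self.paths = paths            # path name -> hop the BRs use for it
        self.preferred = preferred    # app_id -> preferred path name
        self.brs = brs
        self.tc_db: Dict[TcKey, str] = {}   # TC -> current path name

    def learn(self, key: TcKey) -> str:
        """A new traffic class was observed: place it on its preferred path."""
        path = self.preferred.get(key.app_id, next(iter(self.paths)))
        self._assign(key, path)
        return path

    def _assign(self, key: TcKey, path: str) -> None:
        self.tc_db[key] = path
        for br in self.brs:
            br.tc_db[key] = self.paths[path]

    def on_tca(self, remote_prefix: str, dscp: str, path: str) -> List[TcKey]:
        """A channel (remote site, DSCP, path) is out of policy: move its TCs."""
        site = ipaddress.ip_network(remote_prefix)
        alternate = next(p for p in self.paths if p != path)
        moved = []
        for key, current in list(self.tc_db.items()):
            if (current == path and key.dscp == dscp
                    and ipaddress.ip_network(key.dest_prefix).subnet_of(site)):
                self._assign(key, alternate)
                moved.append(key)
        return moved


def build_example() -> Tuple[MasterController, BorderRouter]:
    """Constructed single-CPE branch: MC and BR on one box, two DMVPN exits."""
    br = BorderRouter(rib={"0.0.0.0/0": ("Tunnel100", "10.0.100.1")})  # default via MPLS hub
    mc = MasterController(
        paths={"MPLS": ("Tunnel100", "10.0.100.1"), "INET": ("Tunnel200", "10.0.200.1")},
        preferred={"voice": "MPLS", "web": "INET"},
        brs=[br],
    )
    mc.learn(TcKey("10.8.1.0/24", "voice", "EF"))
    return mc, br
```

Traffic for a class the MC has not learned yet follows the RIB, so the overlay routing protocol still carries it; only learned classes are steered, and a TCA on the MPLS channel for EF moves the voice class to the INET exit without touching the web class.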
Horizontal Scaling Architecture
Diagram: Hub site (Site ID = 10.8.3.3) with MC1 and four BRs, BR1 and BR2 on the MPLS DMVPN and BR3 and BR4 on the INET DMVPN (multiple paths to the same DMVPN, multiple next hops in the same DMVPN); branches with MC/BRs at 10.1.10.0/24, 10.1.11.0/24, 10.1.12.0/24 and a BR at 10.1.13.0/24.
• Requirements
  – Multiple DMVPN Hubs per cloud for redundancy and scaling
• HA
  – If the current exit/channel to a remote site fails, converge over to an alternate exit/channel on the same (DMVPN1) network. Else, converge over to the alternate (DMVPN2) network.
• Scale
  – Distribute traffic across multiple BRs/exits on a single DMVPN to utilize all WAN and router capacity.
  – Convergence across hubs/POPs should only occur when all exits/channels in a hub/POP fail or reach max-bw limits.
Current Situation up to XE 3.14 / 15.5(1)T
Diagram: Hub site (Site ID = 10.8.3.3) with Hub MC1 (10.8.3.3/32); BR1 and BR2 on the MPLS DMVPN, each labelled "Path MPLS?"; BR3 and BR4 on the INET DMVPN; branches at 10.1.10.0/24, 10.1.11.0/24, 10.1.12.0/24 and 10.1.13.0/24.
• PfR Limitations:
  – Path name is unique and cannot be used on multiple external interfaces
  – Spokes have multiple next hops on the same DMVPN tunnel; only one is currently used by PfRv3
• PfR Channel definition:
  – local site id + remote site id + DSCP + interface + path
  – Both "spoke to BR1" and "spoke to BR2" channels are the same, we can't differentiate them
Solution – Multiple Next Hop Per Tunnel
Diagram: Hub site (Site ID = 10.8.3.3) with Hub MC1 (10.8.3.3/32); BR1 and BR2 on the MPLS DMVPN now carry Path MPLS Id 1 and Path MPLS Id 2; BR3 and BR4 on the INET DMVPN; branch MC/BR at 10.1.10.0/24.
• Solution:
  – Need to add an identifier to differentiate channels in the same DMVPN
  – New PATH-ID added to each external interface
  – Path-id unique per POP
  – Branches/spokes peer with each Hub BR
  – Active/Active or Active/Backup mode
  – Targeted for XE 3.15 / 15.5(2)T
First MPLS hub BR:
  interface Tunnel 100
   domain IWAN path MPLS path-id 1
Second MPLS hub BR:
  interface Tunnel 100
   domain IWAN path MPLS path-id 2
Multiple POPs
Common Prefixes
Diagram: IWAN POP1 (MC1, BR1, BR2) and IWAN POP2 (MC2, BR3, BR4) both advertise 10.8.0.0/16; they connect through the DCI and WAN Core to DC1 through DCn, and over the MPLS and INET DMVPNs to branches at 10.1.10.0/24, 10.1.11.0/24, 10.1.12.0/24 and 10.1.13.0/24.
• Requirements:
  – 2 (or more) Transit Sites advertise the very same set of prefixes
  – Branches can access any DC or DMZ across either POP (hub). And DCs/DMZs can reach any branch across multiple Transit Sites (hubs).
  – Multiple BRs per DMVPN per site may be required for crypto and bandwidth horizontal scaling
  – Datacenter may not be collocated with the Transit Sites
  – DCs/DMZs are reachable across the WAN Core for each Transit Site
Introducing PfR Transit Sites
Diagram: Hub Site (Site ID = 10.8.3.3) with Hub MC1, BR1 and BR2; Transit Site (Site ID = 10.9.3.3) with Transit MC2, BR3 and BR4; both on the MPLS and INET DMVPNs. Branch Site10 (Site ID = 10.2.10.10, 10.1.10.0/24) and further branches at 10.1.11.0/24, 10.1.12.0/24 and 10.1.13.0/24.
• Transit Sites
  – Enterprise POPs or Hubs
  – Transit to DC or spoke to spoke
• Branch Sites
  – Stub
• Site Definition:
  – Controlled by a local Master Controller (MC)
  – Site ID – the IP address of the MC loopback
  – One/Multiple BRs
  – Each BR one/multiple links
Transit Master Controller
• Separate independent MC in each POP
• Introduces the "Transit Master Controller" concept for the 2nd Transit site
• Behaves like a Hub without provisioning
• Allows transit Smart Probes (initial spoke to spoke probe traffic goes through the POP)
• Allows its BRs to configure WAN interfaces, and sends out SMP with the WAN discovery flag set
• Each POP is allocated a unique POP-ID in the entire domain; this is done by CLI on the POP MC.
  – MC1 in POP1 is the Hub MC – POP-ID 0
  – MC2 in POP2 is a Transit MC – POP-ID 1
• Each external interface is allocated a unique PATH-ID per POP
Diagram: Hub Site (Site ID = 10.8.3.3, POP ID 0): MC1 Hub MC, BR1 Path MPLS Id 1, BR2 Path INET Id 2. Transit Site (Site ID = 10.9.3.3, POP ID 1): MC2 Transit MC, BR3 Path MPLS Id 1, BR4 Path INET Id 2. Branch MC/BRs at 10.1.10.0/24, 10.1.11.0/24, 10.1.12.0/24 and a BR at 10.1.13.0/24 over the MPLS and INET DMVPNs.
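The channel-identity problem from the "Current Situation" slide, the PATH-ID/POP-ID fix from the "Solution" and "Transit Master Controller" slides, and the exit-by-exit failover order from the "Horizontal Scaling" HA requirement, all in one added Python model that is not Cisco code and not from the deck. Site ids 10.8.3.3 and 10.9.3.3, POP ids 0 and 1, the MPLS path-ids 1 and 2 on the first two hub BRs and the legacy channel key follow the slides; the remaining BR names and path-ids, the spoke site id 10.2.10.10's tunnel names and the spoke-side view are assumed.

```python
"""Channel identity before and after PATH-ID/POP-ID, and exit failover order.

Added illustration, not Cisco code. Up to XE 3.14 / 15.5(1)T a PfRv3 channel
was keyed by (local site id, remote site id, DSCP, interface, path), so two hub
BRs on the same DMVPN with the same path name collapsed into one channel and
only one of them was used. With a path-id per external interface (unique
within a POP) and a POP-id per transit site, every hub exit becomes its own
channel, and a spoke can fail over exit by exit inside a POP before leaving
it. Site ids, POP ids and the first two path-ids follow the slides; the other
BR names and ids, the spoke site id and the tunnel names are assumed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class HubExit:
    site_id: str            # MC loopback of the POP the BR belongs to
    pop_id: int             # unique per POP across the domain
    br: str
    path: str               # DMVPN / path name: "MPLS" or "INET"
    path_id: Optional[int]  # unique per POP; None before the feature existed


# Spoke-side view (assumed): which local tunnel reaches which DMVPN.
SPOKE_SITE = "10.2.10.10"
SPOKE_TUNNEL = {"MPLS": "Tunnel100", "INET": "Tunnel200"}

HUB_EXITS: List[HubExit] = [
    HubExit("10.8.3.3", 0, "BR1", "MPLS", 1),   # hub POP, ids from the slide config
    HubExit("10.8.3.3", 0, "BR2", "MPLS", 2),
    HubExit("10.8.3.3", 0, "BR3", "INET", 3),   # assumed ids for the INET BRs
    HubExit("10.8.3.3", 0, "BR4", "INET", 4),
    HubExit("10.9.3.3", 1, "BR5", "MPLS", 1),   # transit POP: path-ids restart per POP
    HubExit("10.9.3.3", 1, "BR6", "INET", 2),
]


def legacy_key(exit_: HubExit, dscp: str) -> Tuple:
    """Channel key up to 3.14/15.5(1)T: no way to tell BR1 from BR2."""
    return (SPOKE_SITE, exit_.site_id, dscp, SPOKE_TUNNEL[exit_.path], exit_.path)


def new_key(exit_: HubExit, dscp: str) -> Tuple:
    """Channel key with POP-id and per-POP path-id added."""
    return (SPOKE_SITE, exit_.site_id, exit_.pop_id, dscp,
            SPOKE_TUNNEL[exit_.path], exit_.path, exit_.path_id)


def channel_summary(exits: Iterable[HubExit], dscp: str, keyfn) -> Tuple[int, int]:
    """(distinct channels, colliding keys) as seen from the spoke for one DSCP."""
    counts = Counter(keyfn(e, dscp) for e in exits)
    return len(counts), sum(1 for n in counts.values() if n > 1)


def alternate_exit(current: HubExit, exits: Iterable[HubExit],
                   failed: Set[HubExit]) -> Optional[HubExit]:
    """Next exit after `current` fails, in the order the HA requirement states:
    another exit on the same DMVPN in the same POP, then the other DMVPN in the
    same POP, and only when the whole POP is down an exit in another POP."""
    candidates = [e for e in exits if e not in failed and e != current]
    candidates.sort(key=lambda e: (e.pop_id != current.pop_id,
                                   e.path != current.path, e.path_id or 0))
    return candidates[0] if candidates else None
```

With the legacy key the six hub exits collapse to four channels (two collisions, one per DMVPN in the hub POP); with path-id and POP-id every exit is its own channel, which is what lets the spoke run active/active across BR1 and BR2 and fail from BR1 to BR2 before it ever touches the INET DMVPN or the transit POP.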
Application Visibility and Control
Make Your IWAN Application Aware
Add Cisco AVC
Diagram: Users/Machines and a proliferation of devices at the Branch, reaching Public Cloud, Private Cloud and DC/Headquarters; Cisco AVC applied on the WAN routers.
No Probes
• Rich data collection using NetFlow v9/IPFIX
• No additional hardware (and included in AX license)
• Easy to integrate into many reporting tools
Smart Capacity Planning
• Better use of costly bandwidth
• Per-branch and per-application level reporting
Business Aligned Privacy Enforcement
• No need for complex IP and port ACLs
• See inside HTTP flows to identify specific Cloud applications
60% of IT Professionals Cite Performance as Key Challenge for Cloud
Deep Packet Inspection
Next Generation NBAR (NBAR2)
ISR G2: 15.2(2)T1; ASR1K: 3.4S
• 1000+ Signatures
• Advanced Classification Techniques
• Native IPv4/IPv6 Classification
• Advanced Field Extraction
• New DPI engine provides Advanced Application Classification and Field Extraction Capabilities
• Categorization to simplify application management
• Protocol Pack allows adding more applications without upgrading or reloading IOS
Define Your Own Application in NBAR2
ISR G2: 15.2(4)M2; ASR1K: 3.8S
Custom App
• Port
  – TCP or UDP
  – 16 static ports per application
  – Range of ports (1000 maximum)
• IP and Port
  – IOS-XE 3.12
  – IOS 15.4(3)M
• Payload
  – Search the first 255 bytes of TCP or UDP payload
  – ASCII (16 characters)
  – Hex (4 bytes)
  – Decimal (1-4294967295)
  – Variable (4 bytes Hex)
• HTTP
  – URI regex
  – Host regex
• DNS
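The custom-application rule types listed above, applied to constructed packets in an added Python model that is not Cisco code and not from the deck. The rule shapes and limits (16 static ports, a range of at most 1000, payload search within the first 255 bytes, ASCII up to 16 characters, 4 hex bytes, decimal 1-4294967295, HTTP Host/URI regex) follow the slide; the application names, addresses, ports, packets and the "all criteria must hold, first match wins" semantics are assumptions about this model, not statements about the NBAR2 engine. The DNS and variable-hex rule types are not modelled.

```python
"""NBAR2 custom-application rule types applied to constructed packets.

Added illustration, not Cisco code. It implements the rule shapes the slide
lists for a custom app: port (TCP or UDP; up to 16 static ports or one range
of at most 1000), IP and port, a payload match within the first 255 bytes
(ASCII up to 16 characters, 4 hex bytes, or a decimal 1-4294967295 encoded as
4 bytes), and HTTP Host / URI regexes. Application names, addresses, ports and
packets are constructed; the matching semantics are an assumption.
"""
import re
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

PAYLOAD_SEARCH_LIMIT = 255   # slide: only the first 255 bytes of payload are searched


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    dst_ip: str
    dst_port: int
    payload: bytes = b""


@dataclass
class CustomApp:
    name: str
    proto: Optional[str] = None
    ports: FrozenSet[int] = frozenset()
    port_range: Optional[Tuple[int, int]] = None
    dst_ips: FrozenSet[str] = frozenset()
    ascii_match: Optional[str] = None
    hex_match: Optional[bytes] = None
    decimal_match: Optional[int] = None
    http_host: Optional[str] = None   # regex
    http_uri: Optional[str] = None    # regex

    def __post_init__(self) -> None:
        # Enforce the limits the slide gives for each rule type.
        if len(self.ports) > 16:
            raise ValueError("at most 16 static ports per application")
        if self.port_range and self.port_range[1] - self.port_range[0] + 1 > 1000:
            raise ValueError("port range may cover at most 1000 ports")
        if self.ascii_match is not None and len(self.ascii_match) > 16:
            raise ValueError("ASCII payload match is limited to 16 characters")
        if self.hex_match is not None and len(self.hex_match) != 4:
            raise ValueError("hex payload match is exactly 4 bytes")
        if self.decimal_match is not None and not 1 <= self.decimal_match <= 4294967295:
            raise ValueError("decimal payload match must be 1-4294967295")

    def matches(self, pkt: Packet) -> bool:
        """Every configured criterion must hold."""
        if self.proto and pkt.proto != self.proto:
            return False
        if self.ports and pkt.dst_port not in self.ports:
            return False
        if self.port_range and not self.port_range[0] <= pkt.dst_port <= self.port_range[1]:
            return False
        if self.dst_ips and pkt.dst_ip not in self.dst_ips:
            return False
        window = pkt.payload[:PAYLOAD_SEARCH_LIMIT]
        if self.ascii_match is not None and self.ascii_match.encode("ascii") not in window:
            return False
        if self.hex_match is not None and self.hex_match not in window:
            return False
        if self.decimal_match is not None and struct.pack("!I", self.decimal_match) not in window:
            return False
        if self.http_host is not None or self.http_uri is not None:
            req = parse_http_request(pkt.payload)
            if req is None:
                return False
            if self.http_host is not None and not re.search(self.http_host, req["host"]):
                return False
            if self.http_uri is not None and not re.search(self.http_uri, req["uri"]):
                return False
        return True


def parse_http_request(payload: bytes) -> Optional[Dict[str, str]]:
    """Minimal request-line + Host header parser; None if not an HTTP request."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
    return {"method": parts[0].decode("ascii", "replace"),
            "uri": parts[1].decode("ascii", "replace"), "host": host}


def classify(pkt: Packet, apps: List[CustomApp]) -> str:
    """First custom app whose criteria all hold, else 'unknown'."""
    for app in apps:
        if app.matches(pkt):
            return app.name
    return "unknown"


# Constructed custom-app definitions (not from the slides).
APPS = [
    CustomApp("crm-db", proto="tcp", ports=frozenset({1521, 1522})),
    CustomApp("backup-to-hq", proto="tcp", port_range=(5000, 5999), dst_ips=frozenset({"10.8.1.20"})),
    CustomApp("license-srv", proto="udp", hex_match=b"\xca\xfe\xba\xbe"),
    CustomApp("telemetry", proto="udp", decimal_match=305419896),   # 0x12345678 on the wire
    CustomApp("intranet", http_host=r"(^|\.)intranet\.example\.com$"),
    CustomApp("ticketing", http_uri=r"^/api/tickets(/|$)"),
]
```

The 255-byte window matters in practice: a marker that only appears after byte 255 of the payload never matches, so a custom signature must key on something the application sends at the start of the stream.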
NBAR2 and Encrypted Traffic
Overview
• With heuristics-based classification, NBAR can classify 70+ encrypted applications.
Performance Monitoring
Foundation Overview
Diagram: on the devices, (1) a Metering Process feeds (2) an Export Process, both within the IETF scope; the exported records reach a Collector.
• Metering Process: Flexible NetFlow, Unified Monitor
• Export Process: NetFlow v9, IPFIX
• Collector use cases: capacity planning, security, performance analysis, visibility
IWAN Adaptive QoS
How Does It Work?
Adapt the sender's shape rate to the bandwidth available towards the receiver.
• Configure an MQC policy with adaptive shaping on the sender
• Enable transport monitoring over DMVPN: the receiver collects periodic bandwidth stats on received traffic and reports the transport received rate back to the sender
• The sender calculates the available bandwidth over the WAN
• The sender adjusts its egress shaper to the observed rate
Cisco IWAN Management
On-Prem Management: Prime Infrastructure 2.2 (End-to-End Assurance of Application Experience)
• Single-pane view of IWAN
• IWAN deployment workflows
• Plug and Play
• DMVPN, QoS, AVC deployment and monitoring
• PfR v3 deploy/monitoring (April 2015)
• License includes IWAN App and APIC-EM controller!
Specialized Management: Application Aware Network Performance Management
• Integrates with Cisco AVC and PfR
• Monitor and analyze application traffic
• End-to-end flow visualization
• Flow & App-based Troubleshooting
• Fix and Verify in Realtime
Cloud-Based Management: Automates Deployment and Lifecycle Management
• Eliminates manual building of WANs
• Automated SD-WAN orchestration
• Centralized hybrid WAN management
• Quick config updates and IOS upgrades
• Leverages onePK and REST APIs
Prime Infra workflow for IWAN
Prime Infra will provide:
• IWAN workflow wizard with PnP
• Template-based config for IWAN PINs
• PfRv3 Domain, MC and BR
• AVC One-Click provision
• QoS Provisioning
• Single or Dual Router Branch
• CVD-based, Customizable
• AVC Readiness Assessment
• AVC, QoS, PfR Visibility
• Leverages APIC EM services
PfR dashboard – look at events at sites (screens: Router – Provider – Server, Link Details, PfR threshold crossing)
LiveAction 4.3 and Performance Routing
• PfR path change visualization
• Alert and report on PfR Out of Policy events
• Reports on traffic class/application path changes
Screens: Before Brown-Out (Northern Path); After Brown-Out (Southern Path); Out-Of-Policy Threshold Crossing Alert
Typical IWAN App deployment topology
Diagram: Datacenter (POP) Aggregation; Branch – Dual Links
www.cisco.com/go/IWAN