
Cisco Intelligent WAN:

Enabling the Next-Gen Branch


Technical Overview
Agenda
IWAN Introduction and Business Drivers

Transport Independent Design

Intelligent Path Control

Application Visibility

Secure Connectivity for Direct Internet Connectivity

IWAN Management

Summary
2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
New Requirements for the Branch/WAN

Rising User Expectations: App Performance
Growing Security Threats: Advanced Threat Defense
Faster Time to Market: Agility/Simplicity
Cost Optimization: Operational Simplicity

Emerging Branch Demands
The Application Landscape Is Changing

Cloud
Applications Are Moving to the Data Center and Cloud

Internet Edge Is Moving to the Branch

Branch Pressures on the WAN
[Diagram label: Data Centers]

Cloud: of CIOs Expect to Operate via the Cloud by 2015
Mobility: More Mobile Data Traffic by 2015
Fat Apps: of Mobile Traffic Will Be Video
Internet Becoming an Extension of Enterprise WAN

Commodity Transports Viable Now

Dramatic Bandwidth, Price Performance Benefits

Higher Network Availability

Improved Performance Over Internet


And the Internet Transition Pays Off Fast

EXAMPLE:
San Francisco Single MPLS VPN vs. Dual Business Internet ($ per Month)

Bandwidth | MPLS VPN CoS1 | MPLS VPN CoS2 | MPLS VPN CoS3 | iWAN Dual Internet Links Combined for Ent SLA
10 Mbps | $1,014 | $885 | $830 | $220
1.5 Mbps | $303 | $274 | $260 | $140

Chart annotation: -75%

Source: Telegeography MPLS VPN pricing for San Francisco as of March 2013; Comcast Web site; Verizon website
Intelligent WAN Deployment Models

Dual MPLS: Highest SLA guarantees; Tightly coupled to SP; Expensive
Hybrid (MPLS + Internet): More BW for key applications; Balanced SLA guarantees; Moderately priced
Dual Internet: Best price/performance; Most SP flexibility; Enterprise responsible for SLAs

[Diagram labels: Branch; MPLS; Internet; Public; Enterprise]

Consistent VPN Overlay Enables Security Across Transition


Intelligent WAN Solution Components

[Diagram labels: Branch; AVC; WAAS; PfR; MPLS; Internet; 3G/4G-LTE; Private Cloud; Virtual Private Cloud; Public Cloud]

Transport Independent: Consistent operational model; Simple provider migrations; Scalable and modular design; IPsec routing overlay design
Intelligent Path Control: Dynamic Application best path based on policy; Load balancing for full utilization of bandwidth; Improved network availability
Application Optimization: Application visibility with performance monitoring; Application acceleration and bandwidth optimization
Secure Connectivity: Certified strong encryption; Comprehensive threat defense; Cloud Web Security for secure direct Internet access
Transport-Independent Design
Simplifying Internet-Based WANs
Transport Independent
Comprehensive WAN Transport Support with Secure, Full Mesh Connectivity

Transport-independent: Simplifies WAN Design
Easy multi-homing over any carrier service offering
Single routing control plane with minimal peering to the provider

Flexible: Dynamic Full-Meshed Connectivity
Consistent design over all transports
Automatic site-to-site IPsec tunnels
Zero-touch hub configuration for new spokes

Secure: Proven Robust Security
Consistent design over all transports
Automatic site-to-site IPsec tunnels
Zero-touch hub configuration for new spokes

[Diagram labels: Branch (ISR-G2); WAN; Internet; MPLS; Data Center (ASR 1000, ASR 1000)]
Building Highly Available WANs with Cisco IWAN
Redundancy and Path Diversity Matter

SINGLE ROUTER, SINGLE PATH (ISR G2): MPLS 99.95%*, Internet 99.90%*
Downtime per Year: 49 Hours
Downtime per Year: 8 Hours 46 Minutes

IWAN Solution
SINGLE ROUTER, DUAL PATHS (ISR G2; MPLS + MPLS, MPLS + Internet, or Internet + Internet): 99.995%, 26 Minutes
DUAL ROUTERS, DUAL PATHS (two ISR G2; MPLS + MPLS, MPLS + Internet, or Internet + Internet): 99.999%, 5 Minutes

* Typical MPLS and Business Grade Broadband Availability SLAs and Downtime per Year, calculated with Cisco AS DAAP tool.
Intelligent Path Control: Performance Routing (PfR)
Improving Application Delivery and WAN Efficiency
What Is Performance Routing (PfR)?

Performance Routing (PfR) provides additional intelligence to classic routing technologies to track the performance of, or verify the quality of, a path between two devices over a Wide Area Networking (WAN) infrastructure to determine the best egress or ingress path for application traffic....

Cisco IOS technology
Two components: Master controller and border router

[Diagram labels: Data Center (MC, BR, BR); DSL; Cable; Branch (MC+BR)]

PfR Enhances Classical Routing

PATH CONTROL
Classical: Topological state; Least cost path; Static user preference
PfR: Application-aware; Policy controlled; Measured performance

METRICS
Classical: Path cost; Interface state
PfR: + Delay; Jitter; Bandwidth

ADAPTIVE
Classical responds to: Link and node state changes (up/down)
PfR responds to: Measured performance changes (degradation)

What PfR Does
Protecting Critical Applications While Increasing Bandwidth Utilization
Hybrid IWAN
Detect Loss Greater Than 10%
[Diagram labels: Business App; Best-Effort Traffic; SP1 (MPLS); ISP (Internet)]
Business App and Load-Balancing Policy
Protect business cloud applications from brownouts: Loss < 5%
Preferred path for business applications: SP1 (MPLS)
Increase WAN bandwidth efficiency by load-sharing traffic over all WAN paths, MPLS + Internet

Dual Internet iWAN
Detect High Jitter
[Diagram labels: Voice and Video; VDI; Best-Effort Traffic; ISP-1 (Cable); ISP-2 (DSL)]
Multimedia and Critical Data Policy
Protect voice and video quality: Latency < 150 ms; Jitter < 20 ms
Protect VDI applications from brownouts: Loss < 5%
Voice and video preferred path SP-A
VDI preferred path SP-B
Increase utilization by load sharing


How PfR Works
Key Operations

[Diagram labels: ISR G2; ASR1K; MC; BR; MC+BR; Traffic Classes; Learning; Active TCs; Performance Measurements; Best Path]

Define Your Traffic Policy: Identify Traffic Classes based on Applications or Transport Classifiers
Learn the Traffic: ISR G2 and ASR Learn traffic classes flowing through Border Routers (BRs) based on your policy definitions
Measurement: Measure the traffic flow and network performance actively or passively and report metrics to the Master Controller
Path Enforcement: Master Controller commands path changes based on your traffic policy definitions

Defining Application Performance Policy

Choose your policy actions for various traffic classes
Alternate path selection based on flexible criteria

Example:
Voice/Video
1. Link-Group: Path-A
2. Loss
3. Jitter
4. Delay

Critical Application
1. Link-Group: Path-B
2. Loss
4. Delay

Remaining Traffic
Load-Balance

FLEXIBLE CRITERIA
Application: Reachability; Delay; Loss; MOS; Jitter
Link: Load Balancing; Max Utilization; Link-Group Path Preference; Bandwidth Costs ($)
Optimize Application Performance
Today's Network Is an IT Blind Spot

Static port classification is no longer enough
More and more apps are opaque
Increasing use of encryption and obfuscation
Application consists of multiple sessions (video, voice, data)
What if user experience is not meeting business needs?

HTTP IS THE NEW TCP

[Diagram labels: COLLABORATION; INFORMATION; SaaS; FTP; IM; SOAP; RPC; Video]


Application Performance Monitoring for IWAN
Track and Report Application Flows and Performance

[Diagram labels: Users/Machines; Proliferation of Devices; Branch (AVC); Enterprise Edge (AVC); DC/Headquarters (AVC); CSR (AVC); Public Cloud; Private Cloud; NetFlow v9; Provisioning; Exporting; Collecting]

NetFlow/IPFIX Records
Traffic statistics records
Application Response Time records
Media monitoring records (Application, Jitter, Loss, etc)

NetFlow v9 Export/IPFIX Export (Same provisioning, same format)

PARTNER TOOLS ECOSYSTEM
ActionPacked; CompuWare; Glue; CA Technologies; Plixer; Living Objects; InfoVista
Application Recognition
Next Generation NBAR (NBAR2)

Deep Packet Inspection (DPI)

Provides Advanced Application Classification and Field Extraction capabilities
In-service upgradable Protocol Definitions
No IOS upgrade or reboot for new Protocol Packs
Backward compatibility to preserve existing NBAR investments

[Diagram labels: Innovations (SCE Classification, Native IPv6 Classification, Open API 3rd Party Integration); IOS NBAR: +150 Signatures; NBAR2: +1000 Signatures]

NBAR2 Protocol List
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html

Performance Collection and Exporting

Integrated performance monitoring and advanced metrics for different types of applications and use cases

Advanced Voice and Video Performance Monitoring (Media Monitoring): 30% of traffic is voice and video
Critical Applications Performance (Application Response Time): 40% of traffic is critical applications
Basic Monitoring (Flexible Netflow and NBAR/NBAR2): What applications, how much bandwidth, flow direction?
App Optimization: Reduce Bandwidth and Latency
Enhancing User Experience and WAN Efficiency

PROBLEM
Application latency
WAN bandwidth inefficiencies

SOLUTION
Reduce load: Data redundancy elimination (DRE), compression, and TCP optimization
Application optimization: Fewer protocol messages and metadata caching

[Chart: Application Bandwidth (Mbps, axis 0 to 4) and Application Latency (Seconds, axis 0 to 160), natively vs. with Cisco WAAS; annotations: Reduction in bandwidth, Reduction in latency]
WAAS Delivers User Experience at Scale

[Charts: Time in Seconds for each workload over a T1 (1.54Mbps) link with 80 ms Latency]

EMAIL 5 MB Attachment (axis 0 to 150 seconds): Send and receive email over native WAN; First optimized with WAAS; Second pass optimized with WAAS
CIFS 5 MB File (axis 0 to 150 seconds): File drag and drop over native WAN; First optimized with WAAS; Second pass optimized with WAAS
MS SHAREPOINT 5 MB Document (axis 0 to 30 seconds): SharePoint file download over native WAN; First optimized with WAAS; Second pass optimized with WAAS
VDI (CITRIX) (axis 0 to 30 seconds): Launch Citrix XenDesktop over native Citrix ICA/SSL; Launch Citrix XenDesktop with WAAS; Site navigation over native Citrix ICA/SSL; Site navigation with WAAS
Extending Akamai to the Branch with Akamai Connect
Akamai Intelligent Caching Inside Cisco ISR-AX

COMPLETING THE LAST MILE

[Diagram labels: Branch (ISR-AX, AKAMAI CACHE, AKAMAI INSIDE); WAN/MPLS; Data Center; Akamai Intelligent Platform]

Optimal Experience Regardless of Device, Connectivity or Cloud
All HTTP Traffic in Private, Public, Akamai Cloud
Prepositioning | Dynamic HTTP Caching (YouTube) | Any Transport
Secure Internet Access
Secure Internet Access with Cisco Cloud Web Security (CWS)

IWAN IPsec VPN for Private Cloud Traffic
IOS Firewall to protect Internet Edge
ISR Connector to Public Cloud
Secure Public Cloud and Internet Access
CWS: Web Filtering, Access Policy, Malware Detect

[Diagram labels: Branch; WAN1 (IP-VPN); WAN2 (Internet); Private Cloud; CWS Firewall towers; CWS; Internet]
Cisco ISR CWS Connector
How it Works

[Diagram labels: Branch (CWS Connector); HQ Routes; Default Route; WAN Tunnel Interface; HQ Traffic; DSL; MPLS (IP-VPN); Internet; Private Cloud; Virtual Private Cloud; Public Cloud]

Cisco ISR G2 with CWS Connector FUNCTIONS:
Authenticate router and client to CWS cloud
Intercept HTTP/HTTPS traffic based on ACL filters
Add user credentials header for identifying policy to be applied
Traffic Relay: replace client Source IP address with Egress address

Cloud:
Redirect to CWS for scanning
Act as HTTP proxy to complete requests
Allow/Block or Warn based on user or group policy
Scan for Malware


IWAN Management
IWAN Network Management Solutions
From Cisco and NMS Partners

Cisco Prime Infrastructure: Provides Enterprise and Integrator life-cycle network management applications
Glue Networks: Delivers Cloud based simplified deployment portal
LiveAction: IWAN AVC and PfR Configuration and Monitoring
SDN ready with OnePK: Comprehensive programmability kit to enable SDN provisioning applications
IWAN 1.0 Management Tool Matrix

Simplified Deployment: Prime Infrastructure
Transport Independent Design: Prime Infrastructure
Intelligent Path Control (AVC)
Application Optimization: WAAS Central Manager
Secure Internet Connectivity: Prime Infrastructure
Network Health and Status: Prime Infrastructure
Why Cisco IWAN?

Integrated Platform for IT Simplicity
The Alternative: Overlay Appliances (Router; WAN Path Selection; App Visibility and Control; WAN Opt.; Firewall; IP Sec VPN)

Granular Control Everywhere
Branch: ISR-AX
DC: ASR1K-AX
Cloud: CSR1000V

Proven Security at Scale
Any to Any Security
Protect All Branch Resources
Secure Direct Internet Access

Unmatched Context-based Routing
App-Aware
Endpoint-Aware
Network-Aware

Quick ROI Faster than Alternatives
Up to in Savings
Many pay off in 6-12 months
Savings enables Business Innovation

Start with Cisco AX Routers
IWAN Capabilities Embedded in the Router

One Network UNIFIED SERVICES
Simplify Application Delivery

[Diagram labels: Application Optimization; Intelligent Path Control; Secure Connectivity; Transport Independent Routing; ASR1000-AX; ISR-AX]

Cisco AX Routers: ISR-4000-AX | ASR1000-AX


IWAN Branch Services Routers
ISR4000 Series - IWAN AX Ready, Next Generation Branch

APPLIANCE LEVEL PERFORMANCE
Service-Aware Dataplane
Resilient Service Virtualization
Multi-gigabit Fabric

APPLICATION CENTRIC
App/User policy-driven deployment
APIC_EM Automation: deploy in minutes
Pay-as-you-grow
Up-to-75% cost savings

INTEGRATED IWAN SERVICES
IOS Firewall, VPN, IPSec, PfRV3, NBAR2, AVC, AppNav, VRF, MPLS
Scalable on-chip service provisioning

ISR4451: 1-2Gbps
ISR4431 NEW!: 500Mbps/1Gbps
ISR 4351 NEW!: 200/400Mbps
ISR 4331 NEW!: 100/300Mbps
ISR4321 NEW!: 50/100Mbps
IWAN Aggregation Border Routers
ASR1000 - IWAN AX Ready, High Performance Routers

COMPACT, POWERFUL ROUTER
Line-rate performance 2.5G to 200G+ with services enabled
Crypto performance from 2G to 60G+
Flexible I/O: SPAs and Ethernet LCs

BUSINESS-CRITICAL RESILIENCY
Separate control and data planes
Hardware and software redundancy
In-service software upgrades

INTEGRATED IWAN SERVICES
IOS Firewall, VPN, IPSec, PfRV3, NBAR2, AVC, AppNav, VRF, MPLS
Scalable on-chip service provisioning

ASR1001-X NEW!: 2.5G Upgradeable to 5G, 10G, 20G; Up to 8G Crypto Throughput
ASR1002-X: 5G Upgradeable to 10G, 20G, 36G; Up to 4G Crypto Throughput
ASR1006: Modular, Redundant up to 200G; Up to 60G Crypto Throughput
Intelligent WAN (IWAN)

Internet As WAN with High Reliability
Secure WAN Transport
SLAs for Business-Critical Applications
Centralized Security Policy for Internet Access
Dramatically Lower WAN Costs without Compromise

[Diagram labels: Branch; MPLS (IP-VPN); Internet; Direct Internet Access; Private Cloud; Virtual Private Cloud; Public Cloud]


Thank you.
