Soren D. Andreasen ([email protected])
Technical Solution Architect
CCIE# 3252
Deliver enhanced mobile experience at the branch with Intelligent WAN
Intelligent WAN: CVU update
Intelligent WAN Solution Components
Diagram: branch sites connect over MPLS, Internet and 3G/4G-LTE to private cloud, virtual private cloud and public cloud; the solution runs on ISR-AX and ASR1000-AX platforms under a common Management & Orchestration layer. The four pillars:
• Transport Independence (DMVPN): IPsec WAN overlay, consistent operational model
• Intelligent Path Control (Performance Routing, PfRv3): optimal application routing, efficient use of bandwidth
• Application Optimization (AVC, WAAS, Akamai): performance monitoring, optimization and caching
• Secure Connectivity (Suite-B, CWS, ZBFW): NG strong encryption, threat defense
IWAN Layers
Diagram of the IWAN layers, bottom to top:
• Infrastructure Routing: MPLS routing and Internet routing on the underlay
• Transport Overlay: Transport Independent Design (DMVPN), with the overlay routing protocol (BGP, EIGRP) running over the tunnels
• Intelligent Path Selection: PfR, AVC and QoS
• Security: ZBFW and CWS
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8
IWAN Transport Independent Design Summary
• IPsec Overlay – DMVPN Phase 3
  – Site-to-site dynamic tunnels
  – Per-Tunnel QoS
  – PfRv3 Path Control (SD-WAN automation)
• Multiple DMVPNs for Path Diversity
  – Separate failure domains
  – Brownout circumvention: PfR
  – Load balancing: PfR and routing protocol
• Single Routing Domain
  – Simplified operations and support
  – Simple ECMP or best path provisioning
  – EIGRP or BGP
• Security
  – Protecting the network from external threats
Diagram: DC-East and DC-West (each with an MC and BRs on ASR-AX) joined by a DCI and WAN core; Branch-1 through Branch-513 on ISR-AX attach over an MPLS island and ADSL, forming DMVPN 1 and DMVPN 2 inside a single Path Control Domain.
Getting the Most Out of Your WAN Investment: Benefits of Intelligent Path Control
Diagram: branch ISR (WAAS, PfR, AVC) to a data center ASR 1000 pair over MPLS and Internet.
• Enabling Internet-based WANs: lower WAN costs
• Efficient distribution of traffic based upon load, circuit cost, and path preference: full utilization of WAN bandwidth
• Per-application best path based on delay, loss and jitter measurements: improved application performance
• Protection from carrier black holes and brownouts: higher application availability
Enterprise Domain: MC/BR
The Decision Maker: Master Controller (MC)
• Apply policy, verification, reporting
• No packet forwarding/inspection required
• Standalone or combined with a BR
The Forwarding Path: Border Router (BR)
• Gain network visibility in the forwarding path (learn, measure)
• Enforce the MC's decision (path enforcement)
Diagram: hub site (DC/MC with two BRs, site-id 10.8.3.3) reaches a single-CPE branch (one MC/BR) and a dual-CPE branch (two MC/BRs), site-ids 10.2.10.10 and 10.2.11.11, over MPLS and INET.
Enterprise Domain: Domain Controller
• One of the MCs is assigned the Domain Controller role
• Central point of provisioning for the Enterprise Domain
• Branch sites connect to the Hub Master Controller
• Service Announcement Framework (SAF) peering
Diagram: the hub MC (site-id 10.8.3.3) acts as Domain Controller; the single-CPE and dual-CPE branches (site-ids 10.2.10.10 and 10.2.11.11) peer with it across MPLS and INET.
Domain Policies and Monitors: Peering and Distribution
• Domain policies and monitor instances are configured on the Hub MC.
• They are then distributed to the branch sites using the peering infrastructure.
Performance Monitoring: Passive Monitoring
• Bandwidth on egress: per traffic class
• Performance on ingress: RTP and TCP metrics, per DSCP and site
Monitoring: Smart Probing
Smart Probes
• Generated from the dataplane
• Traffic driven: intelligent on/off
• Site to site and per DSCP
Performance Monitor
• Collect performance metrics
Smart Probing
• Without actual traffic
  – BR sends 10 probes spaced 20 ms apart in the first 500 ms and another similar 10 probes in the next 500 ms, thus achieving 20 pps for channels without traffic.
• With actual traffic
  – Lower frequency when real traffic is observed over the channel
  – Probes sent every 1/3 of [Monitor Interval], i.e. every 10 sec by default
  – Measured by Unified Monitoring just like other data traffic
Diagram: probe traffic flow from Site10 (10.1.10.0/24) to the hub over INET and MPLS, as help for measurement over channels.
Monitoring: Threshold Crossing Alerts
Threshold Crossing Alert (TCA)
• Sent to the source site
• Loss, delay, jitter, unreachable
Diagram: TCAs concerning traffic from Site10 (10.1.10.0/24) are sent back to the source site.
Path Enforcement
• Local MC
  – Selects the traffic classes (TC) that are affected by a TCA
  – Moves them to the alternate path
• BRs
  – Impose the next hop on internal interfaces (input direction)
  – Maintain a single database of traffic classes
  – Each traffic-class entry contains an output interface and a next-hop IP address
  – Lookup per packet: output interface / next hop retrieved, packet forwarded
  – If no entry: uses the RIB entry
Policy Decision
Diagram: the MC instructs the BRs (MC/BR) which DMVPN (MPLS or INET) each traffic class should use.
TC DATABASE: a traffic class is identified by
• destination-prefix,
• nbar-app-id,
• dscp.
Each traffic-class entry contains
• output interface
• next-hop IP address
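As an added example (not code from the deck), the following Python models a BR's per-packet lookup in the TC database with RIB fallback, and the local MC's reaction to a TCA that moves the affected traffic classes to the alternate DMVPN. The prefixes come from the deck; the tunnel names, next-hop addresses and application/DSCP values are assumed.

```python
import ipaddress
from typing import Dict, Optional, Tuple

TcKey = Tuple[str, str, str]   # (destination-prefix, nbar-app-id, dscp): the TC identity
Exit = Tuple[str, str]         # (output interface, next-hop ip): what a TC entry stores

# Constructed sample for branch Site10 (10.1.10.0/24) reaching the hub prefix 10.8.0.0/16
# over two DMVPNs. Tunnel names and the 192.0.2.x / 198.51.100.x next hops are placeholders.
MPLS_EXIT: Exit = ("Tunnel100", "192.0.2.1")
INET_EXIT: Exit = ("Tunnel200", "198.51.100.1")
ALTERNATE: Dict[str, Exit] = {"Tunnel100": INET_EXIT, "Tunnel200": MPLS_EXIT}

TC_DATABASE: Dict[TcKey, Exit] = {
    ("10.8.0.0/16", "rtp-audio", "ef"): MPLS_EXIT,
    ("10.8.0.0/16", "http", "af21"): INET_EXIT,
}
RIB: Dict[str, Exit] = {"10.8.0.0/16": MPLS_EXIT, "0.0.0.0/0": INET_EXIT}


def rib_lookup(dst: str) -> Optional[Exit]:
    """Longest-prefix match in the RIB: the fallback when no TC entry matches."""
    addr = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p in RIB if addr in ipaddress.ip_network(p)]
    return RIB[str(max(matches, key=lambda n: n.prefixlen))] if matches else None


def forward(dst: str, app: str, dscp: str) -> Optional[Exit]:
    """Per-packet BR lookup on an internal (input) interface: TC database first, else RIB."""
    addr = ipaddress.ip_address(dst)
    for (prefix, tc_app, tc_dscp), exit_ in TC_DATABASE.items():
        if tc_app == app and tc_dscp == dscp and addr in ipaddress.ip_network(prefix):
            return exit_
    return rib_lookup(dst)


def apply_tca(interface: str, dscp: str) -> int:
    """Local MC reaction to a Threshold Crossing Alert on the channel (interface, dscp):
    move every traffic class using that exit with that DSCP to the alternate path.
    Returns the number of traffic classes moved."""
    moved = 0
    for key, (out_if, _next_hop) in list(TC_DATABASE.items()):
        if out_if == interface and key[2] == dscp:
            TC_DATABASE[key] = ALTERNATE[out_if]
            moved += 1
    return moved


if __name__ == "__main__":
    print(forward("10.8.3.3", "rtp-audio", "ef"))   # TC hit: MPLS exit
    print(forward("10.8.3.3", "ssh", "cs0"))        # no TC entry: RIB result
    apply_tca("Tunnel100", "ef")                    # brownout reported for EF on MPLS
    print(forward("10.8.3.3", "rtp-audio", "ef"))   # the same TC now uses the INET exit
```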
Horizontal Scaling Architecture
• Requirements
  – Multiple DMVPN hubs per cloud for redundancy and scaling
• HA
  – If the current exit/channel to a remote site fails, converge over to an alternate exit/channel on the same (DMVPN1) network. Else, converge over to the alternate (DMVPN2) network.
• Scale
  – Distribute traffic across multiple BRs/exits on a single DMVPN to utilize all WAN and router capacity.
  – Convergence across hubs/POPs should only occur when all exits/channels in a hub/POP fail or reach max-bw limits.
Diagram: hub site (Site ID = 10.8.3.3) with MC1 and BR1 to BR4 (MC/BR and BR roles) facing MPLS and INET, serving branches 10.1.10.0/24 through 10.1.13.0/24; a branch has multiple paths to the same DMVPN and multiple next hops in the same DMVPN.
Current Situation up to 3.14/15.5(1)T
• PfR limitations:
  – Path name is unique and cannot be used on multiple external interfaces
  – Spokes have multiple next hops on the same DMVPN tunnel; only one is currently used by PfRv3
• PfR channel definition:
  – local site id + remote site id + DSCP + interface + path
  – Both "spoke to BR1" and "spoke to BR2" channels are the same, we can't differentiate them
Diagram: hub MC 10.8.3.3/32 with BR1 to BR4; two hub BRs on the MPLS DMVPN both present "Path MPLS" to the spokes, so a spoke cannot tell which BR a channel belongs to.
Solution – Multiple Next Hop Per Tunnel
• Solution:
  – Need to add an identifier to differentiate channels in the same DMVPN
  – New PATH-ID added to each external interface
  – Path-id unique per POP
  – Branches/spokes peer with each hub BR
  – Active/Active or Active/Backup mode
  – Targeted for XE 3.15 / 15.5(2)T
On one hub BR (Path MPLS, Id 1):

```
interface Tunnel 100
 domain IWAN path MPLS path-id 1
```

On the other hub BR of the same POP (Path MPLS, Id 2):

```
interface Tunnel 100
 domain IWAN path MPLS path-id 2
```

Diagram: hub site (Site ID = 10.8.3.3).
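As an added illustration (not code from the deck), the following Python models the PfRv3 channel key before and after the PATH-ID change: without the path-id, the two hub BRs on the same MPLS DMVPN collapse into one channel key at the spoke, so PfR cannot choose between their next hops. Site IDs and the MPLS path name come from the deck; the 192.0.2.x hub next-hop addresses, the DSCP and the tunnel name are assumed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input. Site IDs and the "MPLS" path name come from the deck; the
# hub BR tunnel addresses (192.0.2.x) are placeholders chosen for this example.
SPOKE_SITE = "10.2.10.10"
HUB_SITE = "10.8.3.3"
HUB_BR1_NEXT_HOP = "192.0.2.1"
HUB_BR2_NEXT_HOP = "192.0.2.2"


@dataclass(frozen=True)
class Channel:
    """PfRv3 channel identity: local site + remote site + DSCP + interface + path
    (the pre-3.15 definition), plus the per-POP path-id added in XE 3.15 / 15.5(2)T."""
    local_site: str
    remote_site: str
    dscp: str
    interface: str
    path: str
    path_id: Optional[int] = None


def channel_key(ch: Channel, with_path_id: bool) -> Tuple:
    """Build the lookup key for the channel under either definition."""
    key = (ch.local_site, ch.remote_site, ch.dscp, ch.interface, ch.path)
    return key + (ch.path_id,) if with_path_id else key


def next_hops_per_channel(channels: List[Tuple[Channel, str]], with_path_id: bool) -> Dict[Tuple, Set[str]]:
    """Group hub next hops by channel key. Two next hops under one key means PfR
    cannot tell the 'spoke to BR1' and 'spoke to BR2' channels apart."""
    table: Dict[Tuple, Set[str]] = {}
    for ch, next_hop in channels:
        table.setdefault(channel_key(ch, with_path_id), set()).add(next_hop)
    return table


def ambiguous_channels(channels: List[Tuple[Channel, str]], with_path_id: bool) -> int:
    """Count channel keys that collapse more than one next hop."""
    return sum(1 for hops in next_hops_per_channel(channels, with_path_id).values() if len(hops) > 1)


# The spoke reaches the hub's two MPLS BRs over the same DMVPN tunnel for EF traffic.
SPOKE_CHANNELS = [
    (Channel(SPOKE_SITE, HUB_SITE, "ef", "Tunnel100", "MPLS", path_id=1), HUB_BR1_NEXT_HOP),
    (Channel(SPOKE_SITE, HUB_SITE, "ef", "Tunnel100", "MPLS", path_id=2), HUB_BR2_NEXT_HOP),
]

if __name__ == "__main__":
    print("pre-3.15 key :", len(next_hops_per_channel(SPOKE_CHANNELS, False)), "channel(s)")
    print("with path-id :", len(next_hops_per_channel(SPOKE_CHANNELS, True)), "channel(s)")
```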
Multiple POPs: Common Prefixes
• Requirements:
  – 2 (or more) Transit Sites advertise the very same set of prefixes
  – Datacenter may not be collocated with the Transit Sites
  – DCs/DMZs are reachable across the WAN Core for each Transit Site
  – Branches can access any DC or DMZ across either POP (hub). And, DC/DMZs can reach any branch across multiple Transit Sites (hubs).
  – Multiple BRs per DMVPN per site may be required for crypto and bandwidth horizontal scaling
Diagram: IWAN POP1 (MC1) and IWAN POP2 (MC2), each with BRs on the MPLS and INET DMVPNs, both advertise 10.8.0.0/16; data centers DC1 to DCn sit behind the DCI/WAN core; branches 10.1.10.0/24 through 10.1.13.0/24.
Introducing PfR Transit Sites
Transit Sites: enterprise POPs or hubs, transit to a DC or spoke to spoke
• Site definition:
  – Controlled by a local Master Controller (MC)
  – Site ID: the IP address of the MC loopback
  – One/multiple BRs
  – Each BR one/multiple links
Branch Sites: stub
Diagram: hub site (Hub MC MC1, Site ID = 10.8.3.3) and transit site (Transit MC MC2, Site ID = 10.9.3.3), each with BRs on the MPLS and INET DMVPNs; branch site Site10 (Site ID = 10.2.10.10) and branches 10.1.10.0/24 through 10.1.13.0/24.
Transit Master Controller
• Separate independent MC in each POP
• Introduce the "Transit Master Controller" concept for the 2nd Transit site
• Behaves like a Hub without provisioning
• Allows transit Smart Probes (initial spoke to spoke probe traffic goes through the POP)
• Allows its BR to configure the WAN interface, and sends out SMP with the WAN discovery flag set
• Each POP is allocated a unique POP-ID in the entire domain; this is done by CLI in the POP MC.
  – MC1 in POP1 is the Hub MC: POP-ID 0
  – MC2 in POP2 is a Transit MC: POP-ID 1
• Each external interface is allocated a unique PATH-ID per POP
Diagram: POP ID 0 (hub site, Site ID = 10.8.3.3) and POP ID 1 (transit site, Site ID = 10.9.3.3, Transit MC MC2); in each POP the MPLS DMVPN interface carries path-id 1 and the INET DMVPN interface path-id 2.
Make Your IWAN Application Aware: Add Cisco AVC
Diagram: Cisco AVC on the branch and DC/headquarters routers gives visibility into traffic from a proliferation of devices (users/machines) to private and public clouds.
60% of IT Professionals Cite Performance as Key Challenge for Cloud
No Probes
• Rich data collection using NetFlow v9/IPFIX
• No additional hardware (and included in the AX license)
• Easy to integrate into many reporting tools
Smart Capacity Planning
• Better use of costly bandwidth
• Per-branch and per-application level reporting
Business Aligned Privacy Enforcement
• No need for complex IP and port ACLs
• See inside HTTP flows to identify specific Cloud applications
Deep Packet Inspection
• New DPI engine provides advanced application classification and field extraction capabilities
• Categorization to simplify application management
• Protocol Pack allows adding more applications without upgrading or reloading IOS
Next Generation NBAR (NBAR2)
ISR G2: 15.2(2)T1; ASR1K: 3.4S
NBAR2 provides: 1000+ signatures, advanced classification techniques, native IPv4/IPv6 classification, advanced field extraction.
Define Your Own Application in NBAR2: Custom App
ISR G2: 15.2(4)M2; ASR1K: 3.8S
• Port
  – TCP or UDP
  – 16 static ports per application
  – Range of ports (1000 maximum)
• IP and Port
  – IOS-XE 3.12
  – IOS 15.4(3)M
• Payload
  – Search the first 255 bytes of TCP or UDP payload
  – ASCII (16 characters)
  – Hex (4 bytes)
  – Decimal (1-4294967295)
  – Variable (4 bytes Hex)
• HTTP
  – URI regex
  – Host regex
• DNS
NBAR2 and Encrypted Traffic
• With heuristics-based classification, NBAR can classify 70+ encrypted applications.
Performance Monitoring Foundation: Overview
Metering Process
• Flexible NetFlow
• Unified Monitor
Export Process
• NetFlow v9
• IPFIX
Diagram: devices run the metering and export processes and send records to a collector (labelled as the IETF scope); use cases: capacity planning, security, performance analysis, visibility.
IWAN Adaptive QoS: How Does It Work?
Adapt the sender's shape rate based on the bandwidth available to the receiver across the DMVPN.
• Sender: configure an MQC policy with adaptive shaping
• Receiver: transport monitoring enabled; collect periodic bandwidth stats on received traffic
• Transport received rate
• Sender: calculate the available bandwidth over the WAN and adjust the egress shaper to the observed rate
Cisco IWAN Management
Specialized Management: Cloud-Based Management
Automates deployment and lifecycle management:
• Eliminates manual building of WANs
• Automated SD-WAN orchestration
• Centralized hybrid WAN management
• Quick config updates and IOS upgrades
• Leverages onePK and REST APIs
Application aware network performance management:
• Integrates with Cisco AVC and PfR
• Monitor and analyze application traffic
• End-to-end flow visualization
• Flow & app-based troubleshooting
• Fix and verify in real time
On-Prem Management: Prime Infrastructure 2.2
• Single-pane view of IWAN
• IWAN deployment workflows
• Plug and Play
• DMVPN, QoS, AVC deployment and monitoring
• PfRv3 deploy/monitoring (April 2015)
• License includes IWAN App and APIC-EM controller!
End-to-end assurance of application experience
Prime Infra workflow for IWAN
Prime Infra will provide:
• IWAN workflow wizard with PnP
• Template-based config for IWAN PINs
• PfRv3 Domain, MC and BR
• AVC one-click provision
• QoS provisioning
• Single or dual router branch
• CVD-based, customizable
• AVC readiness assessment
• AVC, QoS, PfR visibility
• Leverages APIC EM services
LiveAction 4.3 and Performance Routing
• PfR path change visualization
• Alert and report on PfR Out of Policy events
• Reports on traffic class/application path changes
Screenshot: Out-of-Policy Threshold Crossing Alert, before brown-out (northern path) and after brown-out (southern path).