SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

Cisco Confidential© 2015 Cisco and/or its affiliates. All rights reserved. 1
Chris Lewis
Engineering System Manager
May 19th 2016
SP Virtual Managed
Services

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Agenda
• Introduction
• VMS Services
• IWAN
• Cloud VPN
• Cloud VCE
• VMS Technology Drivers
• VMS Definition
• VMS Demo
• Conclusion

Cisco Confidential 3© 2015 Cisco and/or its affiliates. All rights reserved.
Introduction

Digital Innovation Overwhelming the Branch
OS
Updates
HD
Video
Omni-channel
Apps
Mobile
Apps
Online
Training
SaaS Enterprise
Apps
Social
Media
Guest
WiFi
Digital
Displays
Branch Office
*Tech Target, Branch Office Growth Demands New Devices., 2013
**Gartner, Forecast Analysis: Worldwide Enterprise Network Services, Q2 2014 Update
*** Gartner: “Bring Branch Office Network Security Up to the Enterprise Standard, Jeremy D’Hoinne, 26 April. 2013.
20-50%
Of employee and
customers are served in branch
offices*
73%
80%
30%
More
Users
More
Apps
More Risk
Increase in Enterprise
bandwidth per year
through 2018**
Of advanced threats will
target branch offices by 2016
(up from 5%) **
More
Devices Growth in in mobile devices
from 2014 - 2018**

Next generation network characteristics are more
dynamic than in the past
Hybrid DC, Cloud
WAN Connectivity On-demand
Multiple Carriers
New Traffic Patterns
One Large Global WAN
One Carrier
Static Application Flow
5

What Are These New Traffic Patterns?
InternetMPLS NetworkTraditional traffic
Public
Cloud
MPLS Network
Internet
New traffic
6

MPLS is 5x the transport cost for traffic that ends up
on the Internet anyway
7
$1,000 97%
84%
$2.34
Zone of
Enlightenment

VMS Services
8

2016, The Year SD-WAN takes off...
ZK Research

Definition: ONUG* (Large Enterprise User Group) has
specified 10 requirements for an SD-WAN
ONUG SD-WAN Requirements Cisco
1 CPE: physical or virtual form factor ✔
2 Zero Touch Deployment: agility in provisioning and deployment ✔
3 Secure Hybrid WAN: Dynamic traffic engineering across Internet & private WAN based on
application policy, and aware of network availability/degradation
✔
4 Active-Active Architecture: Sites connect to applications through Internet & private WAN ✔
5 High Availability & Resiliency: Optimal for client user experience ✔
6 Layer 2 & 3 Interoperability: With directly connected switch and/or router ✔
7 Visibility, Prioritization & Steering Applications: Specifically business critical and real-time
applications per security, corporate governance and compliance
✔
8 Management Dashboard/Portal: By site, Application and VPN performance level ✔
9 Controller with open APIs: For access and management, forward specific log events ✔
10 FIPS 140-2 Validation Certification: Encryption with automated certificate life cycle management ✔
*ONUG: Open Networking User Group (Large Enterprises)

What are the VMS services?
•Many and varied
•Starts with Cloud VPN
•Adds virtual service attachment
•Supports IWAN
•Real deployments will require aspects of each

vRouter
(CSR1Kv)
Internet
Full Cloud VPN
Internet
I-VRF
Internet
PE DC
SW
UCS
CPE CloudVPN
(IPSec)
Firewall
(ASAv)
BR-
INSIDE-01-
VMS
Web Security
(WSAv)

vRouter
(CSR1Kv)
Internet
Full Cloud VPN + vCE on CSR1Kv
Internet
I-VRF
Internet
PE DC
SW
UCS
CPE CloudVPN
(IPSec)
Firewall
(ASAv)
BR-
INSIDE-01-
VMS
MPLS VPN
CustX-
VRF
VLAN 85
10.193.1.0/24
AS 65001
AS 65010
BR-vCE-PE-CustX
Web Security
(WSAv)

Public Cloud
Virtual
Private Cloud
MPLS
Private
Cloud
Internet
Branch
ISR4K
VMS IWAN as we know it
A DMVPN cloud per transport between branch and enterprise hub
All security implemented at hub before going out to Internet
Multiple independent
broadband circuits
Internet
DMVPN today:
ISR branch today:
Inet and
MPLS
DMVPN
MC1

Public Cloud
Virtual
Private Cloud
MPLS
Private
Cloud
Internet
Branch
ISR4K
VMS IWAN with CPE Based Split Tunneling
Efficient access to SaaS, guarantees branch gets closest resource
Direct
Internet
Access
Local breakout direct to
Internet for Specific SaaS
apps. Needs ZBF and ACL
for security on CPE
Internet
Inet and
MPLS
DMVPN
MC1

Public Cloud
MPLS
Private
Cloud
Internet
Branch
ISR4K
VMS IWAN with service provider security services
Revenue opportunity to offer virtual services to IWAN connected customers
SP Data
Center
Virtual
Security
Services
Internet
Inet and
MPLS
DMVPN

17
Cisco Intelligent WAN
Solution Components
Intelligent
Path Control
Load Balancing
Policy-Based Path Selection
Network Availability
Secure
Connectivity
Scalable, Strong Encryption
App-Aware Threat Defense
Cloud Web Security
Application
Optimization
Application Visibility
App Acceleration
Intelligent Caching
Transport
Independent
Provider Flexibility
Modular Design
Common Operational Model
AX Router

The Challenge with IWAN: New Complexity
MPLS (IP-VPN)
Internet PoP
Data Center
• Stateful firewall
• DNS logging
• URL Black listing
• AV in the cloud
• URL logging
• Netflow Collection
• IDS / IPS
• Anti-Malware
• Full Packet Capture
• Intellectual Property Protection
• Web Proxy logging for compliance
Internet
Public
Cloud
Virtual
Private Cloud
e.g. Cisco: 16 IPoPs serving
~500 branch offices
Today’s Enterprise WAN (e.g Cisco)
18

Scaling Security Posture “How do I capture IWAN savings
with this operational model?”
Internet PoP
Data Center
• Stateful firewall
• DNS logging
• URL Black listing
• AV in the cloud
• URL logging
• Netflow Collection
• IDS / IPS
• Anti-Malware
• Full Packet Capture
• Intellectual Property Protection
• Web Proxy logging for compliance
Internet
?
“16 becomes 500”MPLS (IP-VPN)
“It would be great if an SP could help us with this challenge”
- John Manville, SVP Cisco IT
19

Intelligent WAN (IWAN)
A Hybrid WAN Solution - Built Exclusively for the Enterprise.
Reduce Access Costs
Internet
Branch Branch Branch
Enterprise Hub
IPSec Tunnel
Direct to Hub
InternetInternetInternet
MPLS VPN
Direct to SP
Enterprise HQ
Achieve Network Diversity
20
Intelligent path allocation
Visibility, control and optimization

VMS Technology Drivers
21

• The second half of the chessboard dynamics of processing power
• Why Netconf and Yang are game-changers
• Simplicity of user experience rules
VMS Market Drivers
Why Are Things Different This Time Around?
22

What We’ve Learned From Exponential Growth
Second half of chessboard makes experience of first half irrelevant
53”
45”
7.3”
16 ft2
57.45 ft3
5,500 lbs
9.5”
0.48 ft2
0.013 ft3
1.3 lbs
iPad2 has more computing power than the Cray2 Supercomputer, at
fraction of power consumption
Watson
AI is reaching human levels in
some fields
15

Moore’s Law Applied To Network Equipment
COREEDGEAGGREGATIONACCESSCPE
OPTICAL
16

Automated
Self-Service
On-Demand
Architect
It
Design
It
Where
Can We
Put It?
Procure It Install
It
Configure
It
Secure
It
Is It
Ready?
Manual
Why Netconf and YANG are important
From Complexity to Simplicity and Automation
FROM WEEKS TO MINUTES*
Service
Oriented
Self-Service
Automated
Provisioning
Elasticity
(Capacity-on-Demand)
20

Determining Business Relevance
How Important is an Application to Your Business?
Relevant IrrelevantDefault
• These applications directly
support business objectives
• Applications should be
classified, marked and
treated marked according to
industry best-practice
recommendations
• These applications may/may not
support business objectives
(e.g. HTTP/HTTPS/SSL)
• Applications of this type should
be treated with a Default
Forwarding service
• These applications do not
support business objectives and
are typically consumer-oriented
• Applications of this type should
be treated with a “less-than Best
Effort” service
RFC 4594 RFC 2474 RFC 3662

What Do We Do Under-the-Hood?Apply RFC 4594-based Marking / Queuing / Dropping Treatments
Application
Class
Per-Hop
Behavior
Queuing &
Dropping
Application
Examples
VoIP Telephony EF Priority Queue (PQ) Cisco IP Phones (G.711, G.729)
Broadcast Video CS5 (Optional) PQ Cisco IP Video Surveillance / Cisco Enterprise TV
Real-Time Interactive CS4 (Optional) PQ Cisco TelePresence
Multimedia Conferencing AF4 BW Queue + DSCP WRED Cisco Jabber, Cisco WebEx
Multimedia Streaming AF3 BW Queue + DSCP WRED Cisco Digital Media System (VoDs)
Network Control CS6 BW Queue EIGRP, OSPF, BGP, HSRP, IKE
Signaling CS3 BW Queue SCCP, SIP, H.323
Ops / Admin / Mgmt (OAM) CS2 BW Queue SNMP, SSH, Syslog
Transactional Data AF2 BW Queue + DSCP WRED ERP Apps, CRM Apps, Database Apps
Bulk Data AF1 BW Queue + DSCP WRED E-mail, FTP, Backup Apps, Content Distribution
Default Forwarding DF Default Queue + RED Default Class
Scavenger CS1 Min BW Queue (Deferential) YouTube, Netflix, iTunes, BitTorrent, Xbox LiveIrrelevant
Default
Relevant

Simplicity of user experience
28
• Anticipate user
needs
• Click and drill
• Intelligently guide
user
• User manual not
required

Multiple Innovations Required For Big Leaps
Example: Internet
IP Created HTML Invented Telco’s Deploy Broadband Internet
Simplified Overlay Networks Service Oriented Management Computing power Service Delivery
Framework
Virtual
Managed
Services:
29

VMS Definition
30

Big Data Analytics Based
Assurance
What is VMS?
NSO
31

To get simplicity for the users, we need more
intelligence in the system
• Separate intent from instantiation
• What is intent?
• What is instantiation?
• How do we tie instantiation to configuration?
32

Orchestration
From instantiation to deployment
YANG Model
Instantiation for Site 1
Instantiation for Site 2
Combine with
template
Feed through NED
Deliver via
NETCONF
33

VMS Network Services Orchestrator
PnP Server
Transaction
Database
Open PnP
Service Manager
Device Manager
Network Element
Drivers
x86 Virtual
Service Model Service Model Service Model
Zero Touch Deployment
Open Method for ZTD
Access
Supported by Netconf
Service Manager Interprets
Service Intent with Service
Instantiation Rules and
derives configuration
Device Manager manages derived
and validated configurations in a
transaction manner towards
infrastructure.
Network Element Drivers Abstract the interfaces
to the devices allowing 3rd party infrastructure to
participate in Service Instantiation
Service Models written in Yang
Abstract Service from
underlying physical devices
23

True Zero Touch for devices with Internet Connections
New device is powered on and gets
IP and internet connectivity from ISP
New device invokes web service API
call to PnP Server and registers its
UDI (serial number). Management
channel established
1
2
PnP server matches serial numbers
and downloads the configuration
4
Assumptions:
New device has internet connectivity (from the ISP)
PnP server URL is hard coded
User Activates Desired device
(branch or hub router)
3 Customer branch
PnP Server
1
2
3
4
35

VMS Orchestration Component Mapping
NSO Orchestrator
ESC Life Cycle Manager
OpenStack Virtualization
VNFs
CFS
RFS
Service APIs
Infrastructure
25

VMS Elastic Service Controller
Confd
Service Monitor
Custom
DHCP
SNMP
Ganglia
Service
Provisioning
Scale
Up/Down
Elasticity
Custom
Day 0
Config
VM Provisioning &
Configuration Module
VNS Bring-up & Initial
Configuration
Application.
Multi-vendor Support.
Allows Modular Communication
with NCS.
Data Model Driven.
Affinity Rules and Scale
Requirements for the VNF
components
ESC uses
multidimensional
approach to VNF
Monitoring/Restartability
Elastic Services Controller
Netconf
26

Demo

SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

More Related Content

What's hot (20)

Similar to SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN) (20)

More from Cisco Canada (20)

Recently uploaded (20)

SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)