
DCNA

An application of SONA

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

How is IT responding to business drivers?

Business Challenges: Business Agility, Simplification, Differentiation
IT Solutions: Flexible Application Deployments, Meshed custom solutions, Composite Applications

IT is creating custom solutions to support business drivers.

SONA Framework

Network Systems Layer
Network Systems: Campus, Data Center, Branch

What Is SONA?

SONA is an architectural approach to connect Network Services to Applications to deliver Business Solutions.


Path Towards SONA: Three Phases Approach

(Figure: the Intelligent Information Network spanning Compute, Network and Storage; server, storage fabric, data network and enterprise applications; LAN/WAN/MAN, SAN, HPC cluster and grid.)

CONSOLIDATION: Centralization and Standardization to Lower Costs, Improve Efficiency and Uptime (Compute, Network, Storage)

VIRTUALIZATION: Management of Resources Independent of Underlying Physical Infrastructure to Increase Utilization, Efficiency and Flexibility

AUTOMATION: Dynamic Provisioning and Information Lifecycle Management (ILM) to Enable Business Agility (Business Policies, On-Demand, Service Oriented)

The WAN Is A Barrier To Consolidation

Applications generally perform well in LAN environments, as few barriers exist to application performance: high bandwidth, low latency, reliability.
(Figure: Client - LAN Switch - Server; Round Trip Time (RTT) ~ 0 ms)

WAN characteristics hinder performance and consolidation efforts: already congested, low bandwidth, latency, packet loss.
(Figure: Client - LAN Switch - WAN - LAN Switch - Server; Round Trip Time (RTT) ~ many, many milliseconds)

Cisco WAAS - Overcomes the WAN

Cisco WAAS is a solution that leverages a hardware footprint (WAE) in the remote office and in the data center to overcome application performance problems in WAN environments and enable infrastructure consolidation.
(Figure: three Remote Offices with optimized connections across the WAN to the Data Center)

Traditional WAN Optimization: Not Seamless, but Disruptive to Existing Network

(Figure: path A-B from Client Workstation - LAN Switch - Edge Device - Firewall - WAN Router - WAN Tunnel Optimization - WAN Router - Firewall - Core Device - LAN Switch - Origin File Server / NAS. Network services along the path that depend on preservation of IP and TCP header information: Security Filter, VPN, QoS, NBAR, NetFlow, ACL, NAT.)

Traditional WAN Optimization changes header information. Result: services may not work; extra integration required; risk of downtime due to dedicated links.

Cisco WAAS: Seamless Network Integration, Service Preservation

(Figure: Client Workstation - LAN Switch - Edge WAE - Firewall - WAN Router - IP Network - WAN Router - Firewall - Core WAE - LAN Switch - NAS. Full Preservation of IP and TCP Header Information keeps Security Filter, VPN, QoS, NBAR, NetFlow, ACL and NAT working; QoS and NetFlow Visibility are retained at the firewall.)

Robust Application Adapters to Offload WAN and Data Center Local Services
Transport and Flow Optimizations; Data Redundancy Elimination; Accelerates ALL TCP Traffic
Data Center Scalability

Cisco WAAS, QoS, and Enterprise VoIP

Cisco WAAS enables enterprise VoIP deployments by easing the contention for available bandwidth resources and complying with network-based end-to-end QoS.
(Figure: WAN link utilization by the VoIP, Scavenger, Email and ERP classes; Without WAAS (QoS only) vs. With WAAS and QoS: Additional Available Capacity!)

Data Center Integration with Cisco ACE

Application Control Engine (ACE)
Provides transparent integration of Cisco WAAS into the data center, server load-balancing, and asymmetric application optimization. Scales from 1 Gbps to 64 Gbps, up to 16 million TCP connections.

ACE Features and Benefits
Cisco Application Control Engine Linecard for the Catalyst 6500 Family: Catalyst 6500 series module or standalone appliance form factor; solution for scaling servers, appliances, and network devices; virtual partitions, flexible resource assignment, security, and control.
Cisco Application Control Engine 4710 Appliance Series: asymmetric application optimization complementing WAAS.

Path Towards SONA: Virtualization

What is virtualization?
A logical rather than physical view of data, storage, network, and other resources, presented independently of location, packaging, or capacity.
One Network supports many physical resources: simplifies operations, reduces cost.
One Network consolidates all types of resources for increased flexibility (data, voice, video, storage).

Benefit: flexible configuration and management of all infrastructure resources to reduce costs and increase agility.

DCNA - Network Virtualization Framework

Functions
1. Access Control (Branch - Campus)
   Identify and authenticate client (user, device, app) attempting to gain network access
   Grant _controlled_ access or prevent access
   Isolate into a Segment
2. Path Isolation (WAN/MAN - Campus)
   Map client VLAN to transport technology (GRE, IPSec, VRFs, MPLS, L2TPv3, MTR)
   Transport client traffic through isolated path
   Terminate isolated path at destination edge
3. Services Edge (Data Center - Campus)
   Map isolated path to destination VLAN
   Apply policy at VLAN entry point
   Isolate Application environments

Path Isolation

Device Virtualization: Control Plane Virtualization, Data Plane Virtualization, Management Virtualization

Data Path Virtualization
Single-hop tags / circuits: 802.1q, DLCI, VPI/VCI
Multi-hop tags / circuits: PW, VFI

Campus Network Virtualization

Path Isolation Technologies (Access Control in the Layer 2 Access Infrastructure, Path Isolation across the Layer 3 Core, Policy Enforcement)

VRF-Lite: builds on existing campus protocols; medium complexity; scales up to a dozen segments
MPLS: high scalability (256+ segments); high complexity; requires new protocol
ACLs/PBR: widely deployed; seamless services integration; limited scalability; high complexity
GRE: builds on existing campus protocols; limited scalability; medium complexity

Application of V3PN

IPSec VPNs are replacing traditional WAN media to save costs and enable new work habits.
Common design issues for both Remote VPN and Branch-to-DC deployments.
QoS critical in key areas: design IPSec VPNs with QoS today to transport VoIP tomorrow (V3PN QoS).
Deploy broadband and IPSec VPNs so WORK IS AN ACTIVITY, NOT A PLACE.

VTI Consideration

(Figure: Branch Router connected via the WAN to the Data Center)

VTI - IPSec
Virtual Tunnel Interface: the VTI feature enables implementing QoS features from the crypto head-end to branch routers.
Provides a routable interface (Interface Tunnel 0)
Supports per-tunnel features / peer (session) configurations
Supports encryption of IP multicast
Head-end routers only need Virtual Templates, not pre-configured tunnel interfaces
Load balancing is a function of the routing protocol

QoS Best Practices

A successful QoS deployment includes three key phases:
1) Strategically defining the business objectives to be achieved via QoS
2) Analyzing the service-level requirements of the traffic classes
3) Designing and testing QoS policies

1) Strategically defining the business objectives to be achieved by QoS
Business QoS objectives need to be defined:
Is the objective to enable VoIP only, or is video also required? If so, is video-conferencing required, streaming video, or both?
Are there applications that are considered mission-critical? If so, what are they?
Does the organization wish to squelch certain types of traffic? If so, what are they?
Does the business want to use QoS tools to mitigate DoS/worm attacks?
How many classes of service are needed to meet the business objectives?
Because QoS introduces a system of managed unfairness, most QoS deployments inevitably entail political and organizational repercussions when implemented. To minimize the effects of these non-technical obstacles to deployment, address these political and organizational issues as early as possible, garnering executive endorsement whenever possible.

2) Analyze the application service-level requirements.

Voice: predictable flows; drop and delay sensitive; UDP priority; 150 ms one-way delay, 30 ms jitter, 1% loss; 17 kbps-106 kbps (VoIP + Call-Signaling).
Video: unpredictable flows; drop and delay sensitive; UDP priority; 150 ms one-way delay, 30 ms jitter, 1% loss; overprovision stream by 20% to account for headers and bursts.
Data: no one-size-fits-all; smooth/bursty; benign/greedy; TCP retransmits, UDP does not.

3) Design and test the QoS policies.

Classify, mark, and police as close to the traffic sources as possible; follow Differentiated Services standards, such as RFC 2474, 2475, 2597, 2698, and 3246.

Application          L3 Classification (PHB)   DSCP
Routing              CS6                       48
Voice                EF                        46
Interactive Video    AF41                      34
Streaming Video      CS4                       32
Mission Critical     AF31                      26
Call-Signalling      CS3                       24
Transactional Data   AF21                      18
Network Mgmt         CS2                       16
Bulk Data            AF11                      10
Scavenger            CS1                       8
Best Effort          0                         0

Provision queuing in a consistent manner (according to platform capabilities).
(Figure: queuing allocation: Real-time 33% (Voice, Interactive Video); Critical Data (Routing, Net Mgmt, Transactional, Call-Signaling, Mission-Critical, Bulk, Streaming-Video); Best Effort 25%; Scavenger)

Thoroughly test QoS policies prior to production-network deployment.
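The code points in the classification table are structured rather than arbitrary, which is what makes a marking policy auditable: every AF and CS value can be derived, and a DSCP seen in a capture can be named. The following is an added example, not material from the Cisco deck; the PHB names and DSCP values are those of RFC 2474/2597/3246 and the table above.

```python
"""Added example, not from the Cisco deck: encode and decode the DiffServ code
points in the classification table above. Per RFC 2474/2597/3246 the values are
structured, not arbitrary: CSx = 8*x, AFxy = 8*x + 2*y, EF = 46, default = 0.
The DSCP occupies the top six bits of the IP ToS byte, which is the value seen
in a packet capture or an ACL match."""
import re

_AF = re.compile(r"^AF([1-4])([1-3])$")
_CS = re.compile(r"^CS([0-7])$")


def phb_to_dscp(phb: str) -> int:
    """Map a PHB name (CS6, EF, AF41, ...) to its decimal DSCP value."""
    phb = phb.upper()
    if phb == "EF":
        return 46
    if phb in ("BE", "DEFAULT", "0"):
        return 0
    if m := _AF.match(phb):
        return 8 * int(m.group(1)) + 2 * int(m.group(2))
    if m := _CS.match(phb):
        return 8 * int(m.group(1))
    raise ValueError(f"unknown PHB {phb!r}")


def dscp_to_phb(dscp: int) -> str:
    """Inverse mapping: the standard name for a 6-bit code point."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    if dscp == 46:
        return "EF"
    cls, low = divmod(dscp, 8)
    if low == 0:
        return "CS%d" % cls if cls else "BE"
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return "AF%d%d" % (cls, low // 2)
    return "DSCP%d" % dscp  # local-use code point with no standard name


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """Assemble the ToS / Traffic Class byte: DSCP in the high 6 bits, ECN in the low 2."""
    return (dscp << 2) | (ecn & 0x3)


# The deck's classification table, embedded here as check data
TABLE = {"Routing": ("CS6", 48), "Voice": ("EF", 46), "Interactive Video": ("AF41", 34),
         "Streaming Video": ("CS4", 32), "Mission Critical": ("AF31", 26),
         "Call-Signalling": ("CS3", 24), "Transactional Data": ("AF21", 18),
         "Network Mgmt": ("CS2", 16), "Bulk Data": ("AF11", 10), "Scavenger": ("CS1", 8)}
```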

DC 3.0 - DCNA

Application Architecture Evolution (IT Relevance and Control):
Data Center 1.0: Mainframe (CENTRALIZED)
Data Center 2.0: Client-Server and Distributed Computing (DECENTRALIZED)
Data Center 3.0: Service Oriented and Web 2.0 Based (VIRTUALIZED)

Data center service layers: Service Orchestration, App Delivery, Server Switching, Storage Switching, SLB / Firewall, LAN Switching, IP Routing

DCNA - Data Center Virtualization

Network Virtualization (VLAN, VRF, MPLS, GRE): Independent Path/Policies for Network Segments
Network Service Virtualization (Firewall, Load Balancer, SSL): Independent Network Services & Policies for Application
Storage Virtualization (VSAN, Storage): Independent Storage for Individual Application
Server Virtualization (CPU, IO, Server Fabric): Independent Compute Resources wrt Application Services
(Figure: IP network and FC SAN fabrics)

ACE complements Green DCNA: Improving Power, Cooling, and Rack Space

Mid-Size Enterprise: 32 Isolated Applications (8 Isolated Applications at 2 GB Throughput Each)
Products: 4 ACE Modules OR 32 Low-End Competing Devices
Physical Rack Space: 16X
Power Consumption: 15X (12 KW increase for Competing Solution)
Five year Power and Cooling savings (ACE Savings): $335K-$419K

Green DCNA: Most Robust Application Availability

(Figure: three Catalyst 6500 chassis with ACE modules ACE-1 and ACE-2; redundancy groups Red-grp1 to Red-grp4 in Active/Standby pairs)

Physical Redundancy, Inter-chassis: FT VLAN carries TRP protocol packets, heart-beats, configuration sync packets, state replication packets
Physical Redundancy, Intra-chassis
Application Redundancy, Inter-Context
Failover Tracking: HSRP, interface up / down, multiple probes with priority

Introducing Cisco Validated Designs: Building Blocks for SONA Solutions

(Figure: Teleworker, Branch, Enterprise Edge, WAN/MAN, Data Center, Campus)

3 Types of CVDs
Network Services (Mobility, Security, Unified Communication)
Industry Solutions (Retail PCI, Healthcare Translation)
Places in the Network (Campus, Data Center, Branch)

Services Edge

VNs: User VNs and Extranet VN
Services: VN specific, Resource specific, VN/resource specific, Fusion Router
Resources: Shared or Dedicated

Provide access to resources/subnets: shared by multiple VNs or dedicated to a single VN
VN Specific logical policy services - Dedicated per VN
Resource Specific policy services - Shared across VNs
Fusion routing: access shared resources, inter-VN communication

Shared Services & Inter-VPN Communication: FW + Fusion Router

(Figure: VPN A-D map to VRF A-D on the PE; FWSM contexts front the Fusion Router, the Shared Services segment, the Internet and the DMZ)

Fusion router: inter-VPN connectivity; shared resource connectivity (Internet, servers, etc.)
FW contexts: VPN isolation / protection; per VPN policies (ACL, NAT); 256 contexts per FW; map to VLANs
Shared services available: on their own VPN (distributed) or off the transit router or DMZ (centralized); access is always centralized

Understanding VRFs: Route Targets

(Figure: two VPN designs. Red, any-to-any: every VRF exports 3:3 and imports 3:3. Blue, hub-and-spoke: spoke VRFs export 2:2 and import 1:1; the hub VRF exports 1:1 and imports 2:2.)

Import/export routes to/from MP-BGP updates
Globally significant: creates the VPN
Allows hub and spoke connectivity (central services)

Shared Services Extranet VPN: Multiple-box Extranet Implementation

(Figure: red VRFs export 2:2 and import 1:1; blue VRFs export 3:3 and import 1:1; the Shared Services VRF exports 1:1 and imports 3:3 and 2:2.)

Bi-Directional Communication Between All VRFs and Central Services VRF
Central services routes imported into both VRF red and blue (1:1)
Central VRF imports routes for blue and red subnets (3:3, 2:2)
No routes exchanged between blue/red
No transitivity: imported routes are not re-exported
Blue and red remain isolated
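The isolation property of the two route-target slides (any-to-any versus hub-and-spoke / extranet) can be checked mechanically, which is useful when reviewing a VRF design for unintended reachability. The following is an added example, not code from the Cisco deck; the RT values follow the slides, and the prefixes and VRF names are constructed.

```python
"""Added example, not from the Cisco deck: a small model of VRF route-target (RT)
import/export that reproduces the designs on the slides. A route carries the export
RTs of the VRF that originated it; a VRF installs the route if any of those RTs is
in its import list. Imported routes are never re-exported (no transitivity), which
is what keeps red and blue isolated. RT values and prefixes are constructed data."""
from dataclasses import dataclass


@dataclass
class Vrf:
    name: str
    export_rt: set
    import_rt: set
    local_routes: set  # prefixes originated (connected/static) in this VRF


def mp_bgp_updates(vrfs):
    """(prefix, origin VRF, attached RTs) for every locally originated route.
    Only local routes are advertised, so nothing learned by import leaks on."""
    return [(p, v.name, v.export_rt) for v in vrfs for p in sorted(v.local_routes)]


def routing_tables(vrfs):
    """{vrf name: {prefix: origin VRF}} after each VRF applies its import RTs."""
    updates = mp_bgp_updates(vrfs)
    tables = {}
    for v in vrfs:
        table = {p: v.name for p in v.local_routes}
        for prefix, origin, rts in updates:
            if origin != v.name and rts & v.import_rt:  # any matching RT imports
                table[prefix] = origin
        tables[v.name] = table
    return tables


def any_to_any_vrfs():
    """'Red any-to-any' slide: every site exports and imports the same RT 3:3."""
    return [Vrf(f"red{i}", {"3:3"}, {"3:3"}, {f"10.3.{i}.0/24"}) for i in (1, 2, 3)]


def extranet_vrfs():
    """'Shared Services Extranet VPN' slide: red exports 2:2, blue exports 3:3,
    both import only 1:1; the central VRF exports 1:1 and imports 2:2 and 3:3.
    A hub-and-spoke VPN is the same pattern with all spokes sharing one RT."""
    return [
        Vrf("red", {"2:2"}, {"1:1"}, {"10.2.0.0/16"}),
        Vrf("blue", {"3:3"}, {"1:1"}, {"10.4.0.0/16"}),
        Vrf("shared", {"1:1"}, {"2:2", "3:3"}, {"10.1.0.0/16"}),
    ]
```

Running `routing_tables(extranet_vrfs())` shows the central VRF holding all three prefixes while red and blue each see only their own prefix plus the shared one.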

Path Towards SONA: Automation

Dynamic Network Provisioning
(Figure: Red, Blue and Green virtual networks, each with its own Security Policy and QoS Policy, over a single Physical Campus LAN)
Assignment methods: user authenticated or MAC authenticated assignment; static port assignment; application assignment

Summary: The Network as a Platform - DCNA

IT need not be a cost centre but a strong driver for business by addressing key challenges with DCNA, which offers:
1) Business agility: ability to respond rapidly to varying economic conditions; ability to adjust rapidly to changes in the business environment
2) Differentiation from traditional business: enables SLAs with ease and permits creating layers of differentiated services; addresses time-to-market issues; addresses regulatory compliance that could impact future business
3) Operational simplification: reduce Opex and Capex through Consolidation, Virtualization and Standardization with an architectural approach validated by Cisco

Summary: The Network as a Platform

Business Architecture: Business Agility, Company Differentiation, Process Simplification
Service Oriented Network Architecture
Technology Architecture: Consolidation, Virtualization, Automation

Summary: DCNA Reference Design
