Cisco Blogs

Cisco SD-WAN Networking Service for Public Clouds

- April 13, 2017 - 4 Comments

Guest post by Fan Yang & Tony Banuelos

Enterprises across all verticals are migrating their applications to public cloud (IaaS) services and taking advantage of the great cost savings on compute hosting. But the cost benefits shouldn’t affect security, scalability or customer experience. Enterprises require the same level of secure network access, control and visibility in the cloud as they do with on-premises networks. Cloud providers offer basic network functions like IPsec VPN, BGP routing and NAT. That is good enough to build a simple site-to-site VPN network with some routing, but enterprises can quickly face these challenges:

  1. How can I build a hub-and-spoke network with transit routing capability?
  2. How can I visualize my traffic across different locations?
  3. How can I select the best path for different applications if I have both Internet and AWS Direct Connect or Azure ExpressRoute at the same time?

With the Cisco IWAN solution running on Cisco CSR1000v, a network admin can extend Cisco IWAN capabilities into a public cloud (AWS, Azure, Alibaba Cloud [coming soon]).

What is Cisco IWAN (Intelligent WAN)?

 

  • Transport-independent design: you can choose whatever combination of providers and connectivity that works best for you.
  • Intelligent path control: automatically route network traffic and load-balance based on the “best path” to make sure your applications perform well.
  • Application optimization: add WAN optimization and caching to help applications run faster and more efficiently using your current WAN bandwidth.
  • Secure connectivity: block attacks with highly secure VPN overlay and strong encryption techniques.

 

How do I provision IWAN?

Cisco Application Policy Infrastructure Controller – Enterprise Module (APIC-EM) is the Cisco SD-WAN controller. The IWAN app on APIC-EM simplifies WAN deployments by providing a highly intuitive, policy-based interface that helps IT abstract network complexity and design for business intent. The IWAN app follows the Cisco Validated Design prescriptively and provisions its core pillars for a large number of sites from a centralized location.

How do I use IWAN in public cloud?

The Cisco® Cloud Services Router 1000v (CSR 1000v) is a virtual form factor router that delivers comprehensive WAN gateway and network services functions into virtual and cloud environments. It’s offered in AWS and Azure marketplaces. You can easily deploy it like any virtual machine and manage it through Cisco APIC-EM.

Enterprise customers can have dual links into public clouds: one dedicated MPLS link, like Amazon AWS Direct Connect or Microsoft Azure ExpressRoute, for fast and private connections, and a second link that could be an Internet-based VPN. Most enterprise customers may also have multiple VPC (Virtual Private Cloud) or VNET (Virtual Network) connections across different regions, in addition to their on-premises network. Enabling IWAN capability on the CSR1000v helps build an overlay network that interconnects these resources in a scalable way, recognizes your application traffic, and splits it across multiple paths based on business priority.

As shown in the network topology above, you may have multiple VPCs in AWS cloud and one physical branch. You can turn your AWS VPC network into an IWAN hub and spoke by running CSR1000v as an IWAN BR (Border Router). APIC-EM is hosted in your hub (Cloud Data Center) to provision IWAN services for the IWAN hub and branch, including virtual and physical.

LiveAction is used to visualize traffic for PfR (Performance Routing) path selection. For example, the following diagram shows how “HTTP” traffic is routed through INET (Internet) while “FTP” traffic is routed through MPLS (Direct Connect) based on an application policy set in APIC-EM.

If you are interested in this solution and want to understand more details, please watch our demo video:


4 Comments

  1. Wow, it's a great post. Cisco is doing great by implementing SD-WAN for public clouds. Great job. I too implemented WAN through WANOS and received a great service.

  2. Very informative article about an innovative solution. I have a friendly suggestion, don't take it the wrong way. I think it is best to take a screenshot of the PowerPoint slide in full-screen mode. Otherwise, we end up with annoying red underlines for phrases like Akamai, PfR, QoS etc. Another alternative is to run a spell checker and add them to the dictionary. Keep up the great work.

    Why does the APIC-EM support all flavors of the 800 series ISR with respect to application visibility, easyQos, PNP, but the IWAN application module on the APIC-EM only supports the 892FSP as a branch router?

      Hi David, The IWAN App reflects the configurations and roles that are part of the officially tested IWAN Solution. You'll be able to configure more features in the generic APIC-EM tool than you can under the prescriptive IWAN App. This is true for all of the ISRs, but more noticeable on the 800 Series where the lower platform performance really limits the roles it can play in the official IWAN solution. That doesn't mean it can't do those things, just that it isn't tested and certified in those areas for the solution. Matt
