© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cloud Ready Network goals
BRKCOC-1339 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Cisco at a Glance
98 Countries
583 Offices
71,539 Employees
141,766 Connected Stakeholders
203,702 Connected User Devices
1,350 Engineering Labs
28,544 CVO (Cisco Virtual Offices)
15 VPN Gateways
4,379 Routers
26 IT Data Centers
350+ InfoSec Team Members
6,769 LAN Switches
4,000 Production Apps
425 Active Production DBs
~3M IP Addresses
348 Dedicated Security Devices
Cloud Ready Backbone Architectural Elements
[Figure: five element groups, Infrastructure & Cloud Security, Application Performance, Compute & Virtualisation, Overlay Networking and Telecom, numbered 16 to 19 around the Cisco IT Core.]
* Order does not imply necessarily sequential dependencies
Positioning Internet breakout points
[Map: breakout points at London, Amsterdam, Sao Paulo, Bahrain, New York, Mumbai, Washington DC, Miami, Chennai, Singapore, Los Angeles, Hong Kong, San Francisco and Tokyo.]
Global Cloud Strategy
[Figure: two Public Cloud resource pools joined by an Inter-connect.]
Transition of Internet/WAN aggregation
[Figure: Internet and DC traffic re-aggregated through Cloudports; the second build adds Cloud XaaS and Partners.]
Cloudport: Strategically positioned global Internet PoPs/CNFs allowing optimal access to Cloud Providers, Internet and Telecom service providers such as MPLS VPN, WAN Private Line, SIP etc
CNF: Carrier Neutral Facility
Make it easier, quicker, more reliable, and secure… to interconnect with the Cloud!
Carrier Neutral Facilities
‘a facility which allows interconnection between multiple telecommunication carriers and/or colocation providers. Network neutral data centres exist all over the world and vary in size and power’
Benefits:
• Access to some of the largest Cloud Providers
• Carrier Neutral encourages Competition leading to better pricing & services
• Simpler to switch between suppliers
• Time to connectivity is Fast
[Figure: logos of CNF Partners]
Cisco Cloudport solution
[Figure: a Carrier Neutral Facility linked by a Dark Fiber DWDM Ring to the Campus Location, the Cisco Data Centre and a Sales Office, with SIP services at the edge; numbered services below are marked on the figure.]
1. Internet
2. Branch Office Connectivity
3. Backbone Connectivity
4. Cloud Internet Exchange
5. Private Cloud Interconnect
6. Extranet Partners
7. Media/SIP service
Optimise Cloud connectivity
Challenge: Increasing amount of workloads moving outside the Cisco Intranet perimeter
[Figure: Internal / Intranet (Cisco DC) on one side and External / Internet on the other, with the Cisco DMZ, Extended Cloud, SaaS and Cisco Partners outside the perimeter.]
Current state
Cloud Ready Backbone
[Figure: four IBGP Clusters making up the backbone.]
Inside the Cloud Ready Backbone
[Figure: example backbone site 196.43.145.0/24 in AS1, with a Cloud App and a DC.]
Direct peering
[Figure: inside the Carrier Neutral Facility, AS1 (two ISP GWs) reaches AS2, AS3 and AS4 either by direct peering or across the IXP.]
[Table: direct peering partners per Cloudport hub (San Jose, Texas, RTP, London (in progress), Amsterdam, Singapore, Tokyo, Sydney). Partners listed include Google, Akamai, Box.net, Facebook, Salesforce, Microsoft, Hurricane Electric, Netflix, OVH, Apple, Panther GTC, Amazon, Charter, Edgecast and LimeLight; Sydney takes all IXC routes (i.e. Google, Akamai, MS etc). Hubs sit between the Internet and the Cisco Global Defense Layer.]
Where can I peer to Cloud SaaS provider?
Peeringdb.com
Who’s at the Carrier Neutral Facility?
Peeringdb.com
Direct Connect from AWS via the Cloud Exchange
Pass Multiple VPC Connections on Individual Virtual Circuits
[Figure: VLAN X, VLAN Y and VLAN Z each carrying a separate VPC connection, with public endpoints on their own virtual circuit.]
Enabling agile connections
[Figure: Enterprise Network Services exposed to EPG Customers A, B and C.]
Cloud Defense System
[Figure: firewall tiers across the Global DMZ Network, Regional DMZ DC Network and Corporate DC Network: DMZ FW, DC-to-DC FW, Corporate FW, Cloud Application FW and Interconnect FW; traffic arrives from the Internet, from trusted Cloud/Cisco peers, and from Suppliers and Customers over the Cisco Cloud Interconnect.]
1st line of defense: Internet Edge
Access-Control, IP Bogons, BGP Blackhole, Netflow
2nd line of defense: DDoS Detect/Mitigation
Arbor Threat Detection/Mitigation (DDoS), NAM
3rd line of defense: Deep Packet Inspection (DMZ Backbone Taps)
Passive IDS, Passive DNS, DPI, Malware, Tap …
4th line of defense: Enforcement/Prevention
Firewall (Access-Control & Inspection), Web Security Appliance (Transparent Cache), Network Address Translation, BGP Blackhole, Prevention Systems
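The first line of defense above (access control, IP bogons, BGP blackhole, Netflow) can be shown as a small, runnable example. This is an added illustration, not code from the session or from Cisco IT: it applies a bogon ingress policy to routes learned from a peer, reviews constructed flow records for sources that should never appear at the Internet edge, and lists the destinations whose inbound volume would justify a remotely triggered blackhole route. The bogon list is an assumed subset of the IANA special-purpose ranges, the flow format is a constructed "src,dst,proto,bytes" shape rather than real NetFlow export, and all addresses other than the session's 196.43.145.0/24 example prefix are sample values.

```python
"""Internet-edge checks: bogon filtering, flow review, blackhole candidates.

Added example, not from the Cisco session. BOGON_PREFIXES is an assumed
subset of the IANA special-purpose ranges; a production edge would use a
maintained bogon feed. Flow records use a constructed "src,dst,proto,bytes"
shape, not real NetFlow export. 196.43.145.0/24 is the example backbone
prefix shown in the session; every other address here is a sample value.
"""
import ipaddress

BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4",
    "240.0.0.0/4", "2001:db8::/32", "fc00::/7", "fe80::/10",
)]


def is_bogon(addr_or_prefix):
    """True if an address or prefix falls inside one of the bogon ranges."""
    net = ipaddress.ip_network(addr_or_prefix, strict=False)
    # subnet_of() only compares networks of the same IP version.
    return any(net.subnet_of(b) for b in BOGON_PREFIXES
               if b.version == net.version)


def filter_announcements(prefixes, max_v4_len=24):
    """Ingress policy for routes learned from an ISP/IXP peer: reject
    bogons and IPv4 prefixes more specific than /24. Returns
    (accepted, rejected), each preserving the input order."""
    accepted, rejected = [], []
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        too_specific = net.version == 4 and net.prefixlen > max_v4_len
        (rejected if is_bogon(p) or too_specific else accepted).append(p)
    return accepted, rejected


def review_flows(flow_lines):
    """Scan flow records. Returns the records whose source is a bogon
    (spoofed or leaked private traffic that edge access control should
    have dropped) and the inbound byte total per destination, which is
    the aggregate a DDoS detector keys on."""
    suspicious, bytes_per_dst = [], {}
    for line in flow_lines:
        src, dst, _proto, nbytes = line.split(",")
        if is_bogon(src):
            suspicious.append(line)
        bytes_per_dst[dst] = bytes_per_dst.get(dst, 0) + int(nbytes)
    return suspicious, bytes_per_dst


def blackhole_candidates(bytes_per_dst, threshold):
    """Destinations whose inbound volume reaches the threshold: the /32s
    an operator would review before installing a BGP blackhole (RTBH)
    route to shed the flood at the Internet edge."""
    return sorted(d for d, b in bytes_per_dst.items() if b >= threshold)


# Constructed sample input.
SAMPLE_PREFIXES = ["5.6.7.0/24", "10.1.0.0/16", "203.0.113.0/24",
                   "5.6.8.0/26", "2001:db8::/32", "2001:db7::/32"]
SAMPLE_FLOWS = [
    "192.168.5.7,196.43.145.10,udp,1200",   # private source seen at the edge
    "5.6.7.8,196.43.145.10,udp,900000",
    "198.18.1.1,196.43.145.11,tcp,400",     # benchmarking range, a bogon
    "9.8.7.6,196.43.145.10,udp,800000",
    "9.8.7.7,196.43.145.12,tcp,5000",
]

if __name__ == "__main__":
    print(filter_announcements(SAMPLE_PREFIXES))
    flagged, per_dst = review_flows(SAMPLE_FLOWS)
    print(flagged)
    print(blackhole_candidates(per_dst, 1_000_000))
```

The three functions map onto the slide's first line of defense in order: `filter_announcements` is the access-control step on the BGP session, `review_flows` is what a Netflow collector surfaces, and `blackhole_candidates` feeds the BGP blackhole decision that the fourth line of defense also lists.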
Cloud Monitoring
[Figure: the Cloud Defense System at San Jose, Texas, Raleigh, London, Amsterdam, Bangalore, Singapore, Hong Kong, Tokyo and Sydney sits between the Internet (Cloud XaaS, Customers, Partners, Employees) and the Cloud; the SaaS App SLA is tracked for Latency, Packet Loss and Jitter.]
Not actual data, example only!
Cloudport building blocks
[Figure: Edge (ISP, IXP) connecting Suppliers, Cloud SaaS, Customers, Partners and Employees.]
Extending the cloud!
Distribute Compute Capability
[Figure: IoT endpoints at the edge.]
Virtualization
Cloud Services Platform CSP-2100 High Level Architecture
Consistency between all three interfaces: GUI, CLI and REST API
[Figure: NetConf/Yang models drive the platform, managed through NSO.]
Network Virtualisation
[Figure: UCS hosts at the WAN/ISP edge running vFW, vIPS and vASR instances, transitioned in over time; Automation & Orchestration via NSO.]
Service Manager & Models
Cisco NSO Manages Network Services through the Service Model Construct:
[Figure: Service Model EXAMPLE]
Network Automation & Orchestration
[Figure: Services (described as YANG Data Models) enter the Automation & Orchestration Controller, which translates them, e.g. "Create partner or cloud connection", into Devices/Infra actions: Connect LAN, Spin VM, Spin NFV, Connect WAN.]
Please refer to session below for more info:
BRKDCT-2409 Building The Secure Agile Hybrid Cloud Network
Secure Agile Exchange
DNA Virtualization for Data Centers and Colocation Facilities
[Figure: Secure Agile Exchange instances in Colocation Centers, a Private Data Center and the DMZ connect Cloud SaaS, Customers, Employees, Partners, Applications and Public Cloud.]
Next Generation DMZ
Technology & Solutions required
[Figure: roadmap items 10 to 19 grouped under Infrastructure & Cloud Security, Enhanced Application Performance, Compute & Virtualisation and Overlay Networking: End to End WAN Encryption, NextGen Firewall Platform, App QoS Gen2, Application Assurance, Application Acceleration, Clustering, Compute NFV, Overlay Support, LISP.]
[Figure: DMZ GW (Outside), Corp FW, Corp GW and Backbone GW (Inside, Internal network).]
External edge
[Figure: Network Core with US, EMEA and APAC Data Centers; Campus, Branch and Home sites reach the Internet through CNFs.]
Trend #1: Transition from Internal App to External Cloud SaaS
Trend #2: External access to Enterprise Private Clouds
New traffic patterns
[Figure: Outside / Inside split covering Data Center, DMZ, Lab DMZ, Lab, Branch Office, Campus, Home, Remote and DMZaaS; ISP, CCI, Direct Access and Peering at the edge.]
Connection flows
[Figure: CCI GW and ISP GW feed the DMZ GW (Outside); the Corp FW separates Inside, where the Corp GW and Backbone GW sit. Shown on two consecutive slides with different flows highlighted.]
Connecting DMZs – GRE Tunnels
[Figure: GRE tunnels between the Cloudport hubs.]
Connecting DMZs – Overlay network
[Figure: ten DMZs joined over an overlay network across the Cloudport hubs.]
Connecting DMZs
[Figure: DMZ A at Site A and DMZ B at Site B, each with its own Internet connection.]
Cloud Backbone Routing
[Figure: Cisco AS109 (BGP 109 over the EIGRP CORE) peers with ‘The’ Cloud upstreams AS3356, AS1445, AS1299, AS702 and AS701, and with Webex AS13445.]
DMZ Hardware
DMZ Gateway
• Nexus 7K
ISP Gateway
• ASR 1006
Firewall
• ASA 5585
ASA Replacement
• FirePower 9300
Cisco Cloud Interconnect
Cloudports building blocks
[Figure: Edge (ISP, IXP) connecting Suppliers, Cloud SaaS, Customers, Partners and Employees.]
• Internal interconnect
• Custom design DMZNet CCI
Previous Interconnect
[Figure: Internet reached through the DMZ Backbone.]
Cisco Cloud Interconnect
[Figure: Internet and Internal / Corporate joined through the Cloud Interconnect.]
Cisco Cloud Interconnect
[Figure: Edge (ISP, IXP) with Suppliers, Cloud SaaS, Customers, Partners and Employees; DMZ Backbone, DMZ DC, DC and Internal / Corporate behind it.]
• Simplified routing
• Simplified security
Operational models
[Figure: three models side by side between the Internet and the Cisco Internal Core: DMZ (DMZ Backbone, Corporate Firewall), CCI Global (segmentation via VRF-lite/Dot1Q, Global CCI Firewall in the Global Context) and CCI VRF (dedicated CCI Firewall Context per VRF).]

                             DMZ                           CCI Global                           CCI VRF
                             Challenges                    Benefit                              Benefit
                             SLA / Performance             Flexible Routing Policy              Flexible Security Policy
                             Restrictive Security policy   “Less” Restrictive Security Policy   More Secure / Network segmentation
                             Scalability                   Advanced Network Capabilities        Less Flexible Routing Policy
Connection types
[Figure: three CCI connection types into the DMZ Backbone: Layer 1 (Cisco Managed Optical Ring, ITaaC), Leased Line (GigE) and IPSec Tunnel VPN (Layer 3 Overlay).]
CCI Routing flow
- DC to DMZDC
- Internal to ISP/IXP
[Figure: ISP, CCI, DMZBB, Cisco DMZ, DMZDC, Global VRF, CORP and Cisco Internal DC with a user; Si switches in the path.]
Dedicated security CCI FW
[Figure: ASA5585 with a CCI Context holding per-customer VRFs (e.g. Customer #2 in VRF 2) and a Global Context shared by Customer A and Customer B with Common Security for the Global context; DMZ, CORP and Internet ISP/IXP around it.]
CCI hardware
CCI Firewall
• ASA 5585
CCI Gateway
• ASR 1006
ASA Replacement
• FirePower 9300
Aggregation Switch
• 4500-x
CCI Global presence
[Map: CCI sites LON, AER, SJC, TYO, RTP, RCDN, ALLN and HK with links at 10 Gb/s, 2.5 Gb/s, 622 Mb/s and 155 Mb/s.]
CCI automation
Cloudport on-boarding
[Figure: Customer Demand Portal, Service Policy, Service Orchestration and Centralized Control; Extranet Automation, Insightful Data and provisioning; Business, Acquisition and CNF as demand sources.]
[Figure: Cisco Cloud Interconnect (Security Zone #1), Cloud Backbone (Security Zone #2) and Corporate Edge along the DMZ Backbone.]
Cloudport Service Chaining
Eco-System Partners   Network Services                 Security Services                Monitoring Services
Public Cloud          Peering (Direct, IPSEC)          Identity Services / SGT          Network Management
Private Cloud         Policy Driven Traffic Steering   Intrusion Detection/Prevention   Traffic Capture / Analysis
Internal              Throughput / Scale               Malware Protection               Application Visibility
Acquisition           Disaster Recovery / Resiliency   Firewall / Access-Control
Takeaway & Roadmap
Roadmap
FY16 FY17-18 FY19+
Q&A
Thank You