Brkcoc 1339

Inside Cisco IT:
Cloud Ready Networks

Dipesh Patel, Architect
Marc De Preter, Design Engineer
BRKCOC-1339
Agenda
• Architectural story
• Cloudports
• Cloud Ready Backbone
• Connecting to Cloud suppliers (Peering/Direct)
• Cloud Defence System
• Cloud Assurance
• Looking ahead: Software Defined Infrastructure, Automation & Orchestration
• Next Generation DMZ
• Cisco Cloud Interconnect
• Automation and orchestration
Architecture & Strategy
Business Challenges
Business Applications moving from Private to Public space

Business Apps
How to ensure optimal connectivity + speed & agility

Agile Connect
Lack of path visibility and troubleshooting complexity

Insightful data
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cloud Ready Network goals
Rapid provisioning of cloud network

Speed connections & services
Maximise security in an era of publicly

Security hosted cloud applications
Ensure best network performance for our users

Experience whether they use private or public cloud
BRKCOC-1339 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Cisco at a Glance
98 583 71,539 141,766 203,702
Countries Offices Employees Connected Connected User
Stakeholders Devices
1,350
Engineering 28,544
Labs CVO
Cisco Virtual
Offices
15
VPN Gateways 4,379
26 Routers
IT Data Centers
350+ 6,769
4,000 InfoSec Team
LAN Switches
Production Apps Members
425 ~3M
348 IP Addresses
Active Production DBs Dedicated
Security Devices
Cloud Ready Backbone Architectural Elements
Infrastructure & Application Compute &
Cloud Security Overlay Networking
Telecom Performance Virtualisation
19
Cisco IT Core 16
17 18
15 Programmable NFV Overlay Support Orchestration

Backbone 13
14
Application Delivery
Application Assurance
Execution 12
App QoS Gen2
Trajectory 11
NextGen Firewall Platform
10
End to End WAN Encryption
World Class DDoS Protection System

9
Secure Cisco Cloud Interconnect
8
Optimised Global DMZ Network
7
Next Generation DMZ Infrastructure
6
Cloud Ready Routing
5 Direct IXP Cloud Peering
Core Backbone solutions:
4
Optimised Internet Access
• Cisco Cloudport (IT)
3 Hi-Speed Optical Telecom
• Cisco Cloud Interconnect (IT)
2 Carrier Neutral Facilities • Secure Agile Exchange (Service Offer)
1 Core Backbone Infrastructure
* Order does not imply necessarily sequential dependencies BRKCOC-1339 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
Positioning Internet breakout points
London
Amsterdam Sao Paulo
Bahrain
New York
Mumbai
Washington DC Miami
Chennai
Singapore
Los Angeles
Hong Kong San Francisco
Tokyo
Global Cloud Strategy
Public Cloud Public Cloud
resources resources
Inter-connect
Public Cloud Resource
Private Cloud Resources
Transition of Internet/WAN aggregation
Internet
DC
Cloudport: Strategically positioned
global Internet PoPs/CNF’s allowing
optimal access to Cloud Providers,
Internet and Telecom services
providers such as MPLS VPN,
WAN Private Line, SIP etc
CNF: Carrier Neutral Facility
Transition of Internet/WAN aggregation
Make it easier, quicker, more reliable, and secure… to interconnect with the Cloud!
Cloud XaaS
Partners Internet
Cisco Cloud Direct Cloud

Interconnect Peering
DC
Cloudport: Strategically positioned
global Internet PoPs/CNF’s allowing
optimal access to Cloud Providers,
Internet and Telecom services
providers such as MPLS VPN,
WAN Private Line, SIP etc
Carrier Neutral Facilities
‘a facility which allows interconnection between multiple
telecommunication carriers and/or colocation providers. Network neutral
data centres exist all over the world and vary in size and power’
Benefits:
• Access to some of the largest Cloud Providers
• Carrier Neutral encourages Competition leading CNF Partners:
to better pricing & services
• Simpler to switch between suppliers
• Time to connectivity is Fast
Cisco Cloudport solution
2
1 3
Campus
Location
1. Internet
Cisco
2. Branch Office Connectivity
Data Centre
Carrier 3. Backbone Connectivity
Dark Fiber 4
DWDM Ring Neutral 4. Cloud Internet Exchange
Facility
5. Private Cloud Interconnect
6. Extranet Partners
Sales 7. Media/SIP service
Office
SIP
7 5
6
Optimise Cloud connectivity
Challenge: Increasing amount of workloads moving outside the Cisco Intranet perimeter
Cisco
Internet Extended Cloud SaaS
DMZ Cisco
Partners
DC
External / Internet
Internal / Intranet
Cloudport: Strategically positioned global Internet

DC PoPs/CNF’s allowing optimal access to Cloud
Providers, Internet and Telecom services providers
such as MPLS VPN, Private Line, SIP etc

Cisco
Internal
Current state
ISP ISP ISP ISP ISP ISP ISP ISP ISP
Regional WAN: Regional WAN: Regional WAN:

Americas EMEAR Asia Pacific
Cloud Ready Backbone
Cloud Ready Backbone
IBGP Cluster
IBGP Cluster
IBGP Cluster
IBGP Cluster
Regional WAN: Regional WAN: Regional WAN:

Americas EMEAR Asia Pacific
Inside the Cloud Ready Backbone 196.43.145.0/24: AS1
Cloud App
ISP ISP ISP ISP ISP ISP
144.254.0.0/24 144.254.0.0/24 144.254.0.0/24

Community: US Community: US Community: US
AS Prepend x4 AS Prependx2 AS Prepend x1
Cisco
144.254.0.0/24 iBGP mesh
Community: US AS109
196.43.145.0/24 196.43.145.0/24 196.43.145.0/24
Local Pref: 100 Local Pref:150
DMZ Local Pref:200
DC
DC 0/0 0/0 0/0
Americas EMEAR APJC
10.10.x.x /16 10.20.x.x /16 10.30.x.x /16
Direct peering
Carrier Neutral Facility
AS4
AS4
AS3
AS3
AS2
AS2
IXP
AS1
AS1
Backup paths Primary Paths
ISP GW
ISP GW
Internal Prod Internal Prod

Network Network
San Jose Texas RTP London Amsterdam Singapore Tokyo Sydney
Google Google Google < In Progress > Google Google Google All IXC routes
Akamai Akamai Akamai Akamai Akamai Akamai (I,e, Google, Akamai
Box.net Facebook Salesforce Microsoft Facebook Microsoft MS etc)
Hurricane Electric Netflix Microsoft OVH Apple Apple
Microsoft Apple Apple Panther GTC Amazon
Apple Microsoft Charter Amazon Facebook
Charter Facebook Edgecast
LimeLight
…
Internet
Cisco Global Defense Layer
Cloudport hubs
Direct IX Cloud Peering
Where can I peer to Cloud SaaS provider?
Peeringdb.com
Who’s at the Carrier Neutral Facility?
Peeringdb.com
Direct Connect from AWS via the Cloud Exchange
Pass Multiple VPC Connections on Individual Virtual Circuits
Equinix Cloud Exchange
VLAN Y
Public endpoints
VLAN X
Private VIF 1 Virtual private cloud 1
VLAN Z
Cisco Cloud AWS Direct

Connect router Virtual private cloud 2
Interconnect
(CCI) VLAN N
…
Virtual private cloud N
Equinix IBX Region
Enabling agile connections
Enterprise Network Services
A B C
EPG Production Users

Data Centre Tenant
/Application
EPG Extranet Partners
EPG Customers
Cloudport fabric/underlay network

Overlay Virtual
Networks Cloud Providers
DMZ DC to DC FW
Cloud Defense System Corporate FW
Cloud Application FW
Interconnect FW
Global DMZ Global Regional DMZ DC
Network Corporate DC
Network
4th line of defense: EnforcementPrevention
Firewall (Access-Control & Inspection) Web
Security Appliance (Transparent Cache) Network
Address Translation, BGP Blackhole
Prevention
Systems
3rd line of defense: Deep Packet Inspection
DMZ Backbone Passive IDS, Passive DNS, DPI, Malware, Tap …
Taps
DDoS
Detect/Mitigate 2nd line of defense: DDoS Detect/Mitigation
Arbor Treat Detection/Mitigation (DDOS), NAM
Internet
Edge
1st line of defense: Internet Edge
Access-Control, IP Bogons, BGP Black
Trusted From
To Internet Cloud/
hole, Netflow
Cisco
Supplier Customers
Cisco Cloud
Interconnect
Cloud Monitoring Cloud XaaS Customers
Cloud
Partners Employees
Internet Internet
Cloud Defense System
San Jose Texas Raleigh London Amsterdam Bangalore Singapore Hong Kong Tokyo Sydney
SaaS App
Latency
SLA for
Packet Loss
Jitter
Not actual data, example only!
Cloud Health (actual versus historical)

San Jose Texas Raleigh London Amsterdam Bangalore Singapore Hong Kong Tokyo Sydney
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
Cloudport building blocks
Suppliers Cloud SaaS Customers Partners Employees
Edge (ISP,IXP)
Network Cloud DMZNet CCI

Service Blocks
Functional Block Design DMZ DC
DMZ Backbone
DMZaaS
Apply security constraints

between functions DC Internal / Corporate Partners
Regional WAN Diverse Business Acquisition Global Backbone
Extending the cloud!
Distribute Compute Capability
IoT IoT
Data Centre Cloudports/CNF Remote Office Home Office
Gradual & phased migration
Virtualization
Cloud Services Platform CSP-2100 High Level Architecture
Consistency between all three interfaces
GUI CLI
REST
NetConf
API NSO
Yang
KVM Virtual Network Appliances

XRv AVI
CSR F5 ASAv …. based
9000 Networks
services Virtual Machines
CSP 2100 Software with Cisco Tail-f Confd

Linux KVM, OVS, NFS Client, Hardware Drivers
Cisco UCS C220 and C240 M4 Intel XL710 Fortville
Intel NIC with SR-IOV + PCIe PassThrough
1 and 10 Gbps Intel X520 Niantic
Network Virtualisation WAN ISP
Cloud XaaS Customers/

Peer/Direct Suppliers
Automation&
Orchestration
via NSO
vFW
vFW
vIPS vFW
Transition vIPS
over time vIPS
vASR
vASR
vASR
UCS
UCS
UCS
Service Manager & Models
Cisco NSO Manages Network Services through the Service Model Construct:
Service
Model EXAMPLE:
Service Instance 1: Create

connection to partner 1 with access
Service policy X
Service
Instance 1 Instance 2
Device 1 Device 2 Device 3 Device 4
Network Automation & Orchestration
Services (described as YANG Data Models)
Services
Services
Automation &
Orchestration Controller e.g. Create partner or
Translation cloud connection
Devices/Infra
Connect LAN Spin VM Spin NFV Connect WAN
e.g. N7K, ASR,

3rD Party
Compute, API’s etc
Switching NFV based
Compute
virtual office
Please refer to session below for more info:
BRKDCT-2409 Building The Secure Agile Hybrid Cloud Network
Secure Agile Exchange
DNA Virtualization for Data Centers and Colocations Facilities
Cloud
SaaS
Customers Secure Agile
Exchange Customers
Colocation
Centers
Private
Secure Agile Data Center
Employees Exchange
Employees
Partners DMZ
Applications Partners Public Cloud
Private
Data Center
Next Generation DMZ
Technology & Solutions required
Infrastructure & Enhanced Application Compute &
Overlay Networking
Cloud Security Performance Virtualisation
17 18 19
16
14
15 Compute NFV Overlay Support LISP
13
Application Acceleration Clustering
Application Assurance
12
App QoS Gen2
11 NextGen Firewall Platform
10
End to End WAN Encryption
World Class DDoS Protection System

9
Secure Cloud Customer Interconnect
Cisco Routing/FW:
8
Optimised Global DMZ Network ASA, VRF, ASR
7
Hi-Density DMZ Infrastructure
6
Cloud Ready Routing Cisco IT Core Backbone
5 Direct IXP Cloud Peering Cisco Routing: Execution trajectory:
4 ASR, BGP
Optimised Internet Access
3 Hi-Speed Optical Telecom
Projects either in-flight or in
2 Carrier Neutral Facilities Global WAN: planning stage to help support
1 Core Backbone Infrastructure
Equinix, IX Cloud Ecxhange the Global Cloud Strategy
* Order does not imply necessarily sequential dependencies
Corporate Network
External network
CCI GW ISP GW
DMZ GW DMZ
Outside
Corp FW
Inside Internal network
Corp GW
Backbone GW
External edge
Network Core
US Data EMEA Data APAC Data
Centers Centers Centers
Campus
CNF
CNF CNF
CNF
Trend #1
Branch CNF
CNF Transition from
Internal App to
Home External Cloud SaaS
Trend #2
External access
to Enterprise Internet
Private Clouds
Partner & Acquisition Cisco Cloud Enterprise Public Cloud

Services SaaS Cloud Exchange
Data
New traffic patterns Outside Inside
Center
DMZ
Lab DMZ
Data Branch
ISP Center Office
CCI
Lab
DMZaaS
Home
Remote
Direct Access Campus
Peering
Connection flows
CCI GW ISP GW
DMZ GW
Outside
Corp FW
Inside
Corp GW
Backbone GW
Connection flows
CCI GW ISP GW
DMZ GW
Outside
Corp FW
Inside
Corp GW
Backbone GW
Connecting DMZs – GRE Tunnels
Cloudport hubs
Connecting DMZs – Overlay network
DMZ DMZ
DMZ
DMZ DMZ
DMZ
DMZ
DMZ
DMZ
DMZ
Cloudport hubs
Connecting DMZs
Internet Internet
DMZ A DMZ B
Site A
Site B
Cloud Backbone Routing
AS3356
AS1445 ‘The’
AS1299 Cloud
AS702
AS701
Cisco
AS109 AS109
BGP 109 AS109 AS13445
AS13445
Webex
EIGRP CORE
Cisco
DMZ Hardware
DMZ Gateway ISP Gateway Firewall
• Nexus 7K • ASR 1006 • ASA 5585
ASA Replacement
• FirePower 9300
Cisco Cloud Interconnect
Cloudports building blocks
Edge (ISP,IXP)
• Internal interconnect
• Custom design DMZNet CCI
• Routing and security

complexity
DMZ Backbone
DMZ DC DMZaaS
DC Internal / Corporate Partners
Regional WAN Diverse Business Acquisition Global Backbone
Previous Interconnect
Internet
DMZ Backbone
Internal / Corporate Partner
Internet
DMZ Backbone Partner
Internal / Corporate
Cisco Cloud Interconect
Edge (ISP,IXP)
• Leveraging Cloudports Partners Acquisition
• Standard design DMZNet CCI Clouds
• Interconnect at the edge Diverse Business DMZaaS
• Simplified routing
DMZ Backbone
DMZ DC
• Simplified security
DC Internal / Corporate
Regional WAN Global Backbone
Cisco Cloudport solution
2
1 3
Campus
Location
1. Internet
Cisco
2. Branch Office Connectivity
Data Centre
Carrier 3. Backbone Connectivity
Dark Fiber 4
DWDM Ring Neutral 4. Cloud Internet Exchange
Facility
5. Private Cloud Interconnect
6. Extranet Partners
Sales 7. Media/SIP service
Office
SIP
7 5
6
Operational models
DMZ CCI Global CCI VRF
Internet
ISP/IXP ISP/IXP CCI CCI CCI CCI
Segmentation
DMZ Backbone VRF-lite/Dot1Q
CORP
Corporate GLOBAL CCI Firewall VRF CCI Firewall
Firewall Global Context Dedicated Context
Cisco Internal Core
Challenges Benefit Benefit
 SLA / Performance  Flexible Routing Policy  Flexible Security Policy
 Restrictive Security policy  “Less” Restrictive Security Policy  More Secure / Network segmentation
 Scalability  Advanced Network Capabilities  Less Flexible Routing Policy
Connection types
Layer 1 Leased Line IPSec Tunnel
(Cisco Managed Optical Ring) (GigE) (Layer 3 Overlay)
Cost models based on

bandwidth tiers Customer Customer Customer
(50 Mbps – 1 Gbps) CNF CNF
VPN
VPN
ITaaC GigE IPSec
CCI CCI CCI CCI CCI CCI
DMZ Backbone
Benefit Benefit Benefit

• High Capacity • Reliable Physical • Fast Provisioning
Connection
• High Resiliency • Most Flexible
• Higher Cost
• High SLA • Lower Cost / SLA
• Improved SLA
CCI Routing flow - DC to DMZDC
- Internal to ISP/IXP
- Internal to/from CCI (Global)
- Internal to/from CCI (VRF)

Customer #1, 2, 3 Customer #4
Public Internet
CCI Global CCI VRF
ISP CCI
DMZBB
Cisco DMZ
DMZDC
Si
Global VRF
DMZDC CORP CCI
CORP
Cisco Internal
DC Si User
Dedicated security CCI FW
ASA5585
CCI Context
VRF Customer #2
Customer #2 VRF 2
CCI
Customized Security Context

VRF VRF Customer #1
Dot1q
Customer #1
CCI
CCI VRF 1
Corp GW
Global Context
Global Customer B Global
Customer A
GLOBAL
CCI
Common Security
for Global context
DMZ CORP
Internet ISP/IXP
Common Security Corp FW

ASA5585
CCI hardware CCI Firewall
• ASA 5585
CCI Gateway
• ASR 1006
ASA Replacement
• FirePower 9300
Aggregation Switch
• 4500-x
CCI Global presence
LON
AER
SJC TYO
RTP
RCDN
ALLN
HK
10 Gb/s
2.5 Gb/s
622 Mb/s
CCI 155 Mb/s
CCI automation
Cloudport on-boarding
Customer Demand Service Service Orchestration Centralized
Portal Policy Control
Extranet Automation
Insightful Data
provisioning
Acquisition
Diverse UCS UCS
Business CNF
Cisco Cloud
Security Cloud Backbone Security
Interconnect Corporate Edge
Zone #1 Zone #2
Public Cloud Platform Technology Deliverables

• ASR1k & Nexus7000 • VDC, VRF, LISP, MPLS • Segmentation/Virtualization
• Firepower 9300 • EIGRP, BGP • Traffic Optimization
Private • UCS-E (ASAv, vWSA, • DDOS, IDS, IPS • Secure Cloud Port
Enterprise Firepower IPS, DDOS)
• TrustSEC / ISE/ SGT • Cloud Agility
Cloud • Arbor DDOS
• Cloud Ready Routing • Identify Services
• NAM, Gigamon, CSIRT
• Peering Globalization
Cloud
Exchange

Cloudport Service Chaining
Eco-System Partners Network Services Security Services Monitoring Services
DMZ Backbone
Public Cloud Peering (Direct, IPSEC) Identify Services / SGT Network Management
Cloud Exchange Disaster Recovery / Resiliency Firewall / Access-Control Netflow collection
Private Cloud Policy Driven Traffic Steering Intrusion Detection/Prevention Traffic Capture / Analysis
Partner Data Center Interconnect DDOS Mitigation Cloud Monitoring
Internal
Acquisition Throughput / Scale Malware Protection Application Visibility
Service Orchestration & Policy Control
Peering (Direct, IPSEC) Identify Services / SGT Network Management
Disaster Recovery / Resiliency Firewall / Access-Control Netflow collection
Internal
Policy Driven Traffic Steering Intrusion Detection/Prevention Traffic Capture / Analysis
Partner Data Center Interconnect DDOS Mitigation Cloud Monitoring
Throughput / Scale Malware Protection Application Visibility
Peering (Direct, IPSEC) Identify Services / SGT Network Management
Cloud Exchange Netflow collection
DMZ Backbone
Disaster Recovery / Resiliency Firewall / Access-Control
Policy Driven Traffic Steering Intrusion Detection/Prevention Traffic Capture / Analysis
Data Center Interconnect DDOS Mitigation Cloud Monitoring
Throughput / Scale Malware Protection Application Visibility
Takeaway & Roadmap
Roadmap
FY16 FY17-18 FY19+
Foundational Continue to invest in Carrier Access Facilities & Core backbone
Extend Invest in extending the Cloud to network edge &

support connectivity to Public Cloud resources
Virtualise Move towards a software define infrastructure for speed

and agility. Abstract out complexity from core network
Digitise Network infrastructure, telecom & Cloud services are

programmable through a common platform
Offer rich Network Data Analytics and

Intelligence
Information Intelligence
Q&A
Thank You

Brkcoc 1339

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Brkcoc 1339

Uploaded by

Copyright:

Available Formats

Inside Cisco IT:

Cloud Ready Networks

Business Applications moving from Private to Public space

How to ensure optimal connectivity + speed & agility

Lack of path visibility and troubleshooting complexity

Rapid provisioning of cloud network

Maximise security in an era of publicly

Ensure best network performance for our users

15 Programmable NFV Overlay Support Orchestration

World Class DDoS Protection System

Public Cloud Resource

Private Cloud Resources

Cisco Cloud Direct Cloud

Cloudport: Strategically positioned global Internet

CNF: Carrier Neutral Facility

ISP ISP ISP ISP ISP ISP ISP ISP ISP

Regional WAN: Regional WAN: Regional WAN:

Cloud Ready Backbone

Regional WAN: Regional WAN: Regional WAN:

ISP ISP ISP ISP ISP ISP

144.254.0.0/24 144.254.0.0/24 144.254.0.0/24

DC 0/0 0/0 0/0

Americas EMEAR APJC

10.10.x.x /16 10.20.x.x /16 10.30.x.x /16

Backup paths Primary Paths

Internal Prod Internal Prod

Direct IX Cloud Peering

Equinix Cloud Exchange

Private VIF 1 Virtual private cloud 1

Cisco Cloud AWS Direct

Virtual private cloud N

Equinix IBX Region

EPG Production Users

Cloudport fabric/underlay network

Cloud Health (actual versus historical)

Network Cloud DMZNet CCI

Apply security constraints

Regional WAN Diverse Business Acquisition Global Backbone

Data Centre Cloudports/CNF Remote Office Home Office

Gradual & phased migration

KVM Virtual Network Appliances

CSP 2100 Software with Cisco Tail-f Confd

Cloud XaaS Customers/

Service Instance 1: Create

Device 1 Device 2 Device 3 Device 4

e.g. N7K, ASR,

World Class DDoS Protection System

Partner & Acquisition Cisco Cloud Enterprise Public Cloud

• Routing and security

DC Internal / Corporate Partners

Regional WAN Diverse Business Acquisition Global Backbone

Internal / Corporate Partner

DMZ Backbone Partner

• Leveraging Cloudports Partners Acquisition

• Standard design DMZNet CCI Clouds

• Interconnect at the edge Diverse Business DMZaaS

Regional WAN Global Backbone

ISP/IXP ISP/IXP CCI CCI CCI CCI

Cost models based on

Benefit Benefit Benefit

- Internal to/from CCI (Global)

- Internal to/from CCI (VRF)

Customized Security Context