BRKRST 2041


WAN Architectures and Design Principles

Dave Fusik, Systems Architect

BRKRST-2041
BRKRST-2041 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Who is Dave Fusik?
Systems Architect, 22+ years at Cisco: 3 years in TAC, 5 years in CPOC, 14+ years in Sales
#4768, #2013::70

Agenda

• Introduction
• What is Wide Area Network (WAN) Architecture and Design?
• What to consider when designing a WAN
• Impacts of Evolving technology on WAN design
• WAN Designs moving Forward
• Conclusions

Main Message: Foundational Design is key to WAN Architecture

The Challenge
• Allow the business to adopt changes rapidly and smoothly
• Quickly realize strategic advantage from new technologies
• Build a network that can gracefully adapt to an evolving technology landscape
Cloud, SDN, IPv6, 5G, What's next?

The WAN Technology Continuum
(timeline figure, 1960 to Future; text recovered from the slide)
• Early Networking (1960s to 1980s): Experimental Networks, Flat/Bridged. Technologies: ARPAnet, X.25, TCP/IP, RIP (BSD)
• Early-Mid 1990s: Multiprotocol, Business Enabling. Architectural lesson: protocols required for scale and restoration. Technologies: Frame-Relay, ISDN, ATM, OSPF, BGP
• Mid 1990s-Late 2000s: Large Scale, IP Ubiquity, Mission Critical. Architectural lessons: route first, bridge only if you must; build to scale. Technologies: Internet, GRE, Tag Switching, DMVPN, GETVPN, Metro-Ethernet
• Today: Global Scale, Cloud Connected. Architectural lessons: planning, redundancy. Technologies: IPv6, 4G/LTE, NFV, SDWAN
• Future: ?

What is WAN Architecture and Design?

WAN Architecture and Design
• Network Architecture
  • The way network devices and services are structured or organized to serve and protect the connectivity needs of client devices
  • Depending on the place in the network, the requirements and the threats vary, so different frameworks are built
  • In the WAN, this means connecting users to applications and LAN locations to each other, sometimes over long distances
• Network Design
  • The process of translating business needs, budget, and operational constraints into a technological approach that addresses the architectural requirements
  • Includes documentation, such as implementation guides and topology diagrams
  • WAN designs need to minimize cost and enhance user experience when serving distributed applications to distributed users

Architecture vs. Design
• Architecture looks toward strategy, structure and purpose
• Design drives toward practice and implementation
• Architecture goes nowhere without design
• Design may be too singularly focused without architecture

Key Principles to WAN Design
• Simplicity can often be synonymous with elegance but must be paired with functional
• Modularity implies the use of building blocks that can be reused and fitted together to drive consistency
• Hierarchy creates vertical flow to horizontal expansion with natural points of aggregation
These are the tools to achieve Structure

Network Design Modularity
(figure: three-tier WAN)
• Tier 1: Global IP/MPLS Core
• Tier 2: In-Theater IP/MPLS Core (East Theater, West Theater)
• Tier 3: Metro Service, Private IP Service, Public IP Service (East Region, West Region), connecting to Internet, Cloud, Public Voice/Video and Mobility services

Hierarchical Network Design
Without a Rock Solid Foundation the Rest Doesn't Matter
(layers: Core, Aggregation, Access)
• Hierarchy: each layer has a specific role
• Modular topology: building blocks
• Easy to grow, understand, and troubleshoot
• Creates small fault domains: clear demarcations and isolation
• Promotes load balancing and redundancy
• Promotes deterministic traffic patterns
• Incorporates a balance of both Layer 2 and Layer 3 technology, leveraging the strength of both
• Utilizes Layer 3 routing for load balancing, fast convergence, scalability, and control

Do I Need a Core Layer?
It's Really a Question of Scale, Complexity, and Convergence
• No Core
  • Fully-meshed distribution layers
  • Physical cabling requirement
  • Routing complexity
• Cost of adding distribution building blocks without a core (figure):
  • 2nd building block: 4 new links
  • 3rd building block: 8 new links, 12 links total, 5 IGP neighbors
  • 4th building block: 12 new links, 24 links total, 8 IGP neighbors

What to consider when designing a WAN

Business Requirements and Constraints
• Business Environment: market transitions, competitive pressures, project goals, mergers and acquisitions
• Workforce Productivity: user experience, access to resources, employee satisfaction
• Costs: OPEX and CAPEX, lifecycle and ROI, IT capabilities, opportunity costs
• Compliance and Policy: government and industry regulations, security mandates, reputation and perception

Technical Requirements and Constraints
• Application requirements: bandwidth, latency, jitter
• Connectivity and Protocols: L2 or L3, IPv4 or IPv6, Multicast; device quantities and capabilities
• Security: segmentation, encryption
• Performance and Resiliency: quality-of-experience, high availability, convergence and recovery
• Policy and Compliance
• Existing Network Infrastructure: greenfield or brownfield, available documentation, current designs and technologies

Physical Requirements and Constraints
• Company Locations: 10's, 100's, or 1000's of sites; where in the world; site diversity (retail store, campus, large manufacturing plant, etc.)
• Topology Implications: single or dual connected; geographical dispersity (local, regional, global); network role (Data Center, Colo Facility, Branch, Remote access, Public/Guest access)
• Operational requirements: access to resources, transport options, available power, size and quantity of equipment
• Risks associated with the business and technical requirements

When Considering High Availability
• Assess system criticality
• How to measure availability
• Eliminate single points of failure
• Failure detection and recovery
• Environmental conditions

Defining Availability
• System Availability: the fraction of a measurement period during which the system is operational, i.e. uptime divided by the whole period (uptime plus downtime)
• Branch WAN High Availability targets: between 99.99% (four nines) and 99.999% (five nines)
• Ultra High Availability targets: between 99.9999% (six nines) and 99.999999% (eight nines)

Availability    Downtime per year
98%             7.3 days
99%             3.65 days
99.5%           1.825 days
99.9%           8.76 hours
99.99%          52.56 minutes     (Branch WAN HA target range)
99.999%         5.256 minutes     (Branch WAN HA target range)
99.9999%        31.536 seconds    (Ultra HA target range)
99.99999%       3.1536 seconds    (Ultra HA target range)
99.999999%      0.31536 seconds   (Ultra HA target range)

Where Can Outages Occur?
(figure: HQ-W1 and HQ-W2 connected to BR-W1 and BR-W2 through two carriers, MPLS SP A with C-A-R1, C-A-R2, C-A-R3, C-A-R4 and MPLS SP B with C-B-R1, C-B-R4; failure cases marked on any link or device: link or device failure, link or device degraded)
• How does the outage manifest?
• How quickly can the network detect it?
• How long is bidirectional reconvergence?

Building Highly Available WANs
Redundancy and Path Diversity Matter (the Branch WAN HA solution options)
• Single router, single path (one ISR on one circuit)
  • MPLS at 99.95%*: about 4 hours downtime per year; Internet at 99.90%*: about 8 hours; overall 4–9 hours (the slide also lists 22 minutes and 46 minutes for this row)
• Single router, dual paths (one ISR with MPLS + MPLS, MPLS + Internet, or Internet + Internet): 99.995%, 26+ minutes downtime per year
• Dual routers, dual paths (two ISRs, each on its own MPLS or Internet circuit): 99.999%, 5+ minutes downtime per year
* Typical MPLS and Business Grade Broadband Availability SLAs and Downtime per Year, calculated with Cisco AS DAAP tool.

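The arithmetic behind the two availability slides, as an added example (not part of the deck or of the Cisco AS DAAP tool): a single-router, single-circuit branch is a series system, a second circuit behind the same router is a parallel pair with the router still in series, and two routers on two circuits are two series chains in parallel. The per-component values in the demo (MPLS 99.95%, broadband 99.90%, router 99.99%) are assumptions for illustration; only the downtime conversion reproduces the deck's table.

```python
"""Availability arithmetic behind the WAN HA tables (added example, not from the slides)."""
from math import prod

MINUTES_PER_YEAR = 365 * 24 * 60  # the deck's table is based on a 365-day year


def series(*availabilities: float) -> float:
    """Availability of components that must all be up (router AND circuit)."""
    return prod(availabilities)


def parallel(*availabilities: float) -> float:
    """Availability of redundant elements where any one suffices.

    Assumes independent failures.  Correlated failures (shared conduit, same
    carrier, same power feed) make the real figure worse than this, which is
    why the deck stresses path diversity, not just path count.
    """
    return 1.0 - prod(1.0 - a for a in availabilities)


def downtime_minutes_per_year(availability: float) -> float:
    """99.999% -> 5.256 minutes, matching the 'Defining Availability' table."""
    return (1.0 - availability) * MINUTES_PER_YEAR


def branch_designs(mpls: float, internet: float, router: float) -> dict:
    """Availability of the three designs on the 'Building Highly Available WANs' slide.

    Arguments are per-component availabilities (circuit SLAs and the router
    itself); the router figure is an assumption, not a vendor number.
    """
    single_path = series(router, mpls)
    # one ISR feeding both circuits: router in series with the parallel circuits
    single_router_dual_path = series(router, parallel(mpls, internet))
    # two ISRs, each on its own circuit: two independent chains in parallel
    dual_router_dual_path = parallel(series(router, mpls), series(router, internet))
    return {
        "single router, single path": single_path,
        "single router, dual paths": single_router_dual_path,
        "dual routers, dual paths": dual_router_dual_path,
    }


if __name__ == "__main__":
    # assumed values: MPLS SLA 99.95%, broadband SLA 99.90%, router 99.99%
    for name, a in branch_designs(0.9995, 0.9990, 0.9999).items():
        print(f"{name:28s} {a * 100:.5f}%  ~{downtime_minutes_per_year(a):8.1f} min/year")
```

The point the numbers make: with one router in front of two circuits the result is capped by the router's own availability, which is why the dual-router row, not the dual-path row, reaches five nines.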
Redundancy vs. Convergence Time
More Is Not Always Better
• In principle, redundancy is easy
  • Any system with more parallel paths through the system will fail less often
• The problem is a network isn't really a single system but a group of interacting systems
• Increasing parallel paths increases routing complexity, therefore increasing convergence times
(chart: convergence time in seconds, 0 to 2.5, against number of routes, 0 to 10,000)

Current and Evolving Technologies that impact WAN design

WAN Locations and Devices
• Organization sites: Headquarters Campus, Branch Office, Retail store, Factory, etc.
• Remote Access: Mobile workers, Home office
• Cloud: Private Data Center, Public IaaS, SaaS, Colocation Facility
• Physical devices: Router/CPE, Firewall, Multi-purpose compute, Client devices
• Virtualized Network Functions: Virtual router, Virtual Firewall, etc.

Cisco Enterprise Routing Portfolio
• Branch: ISR 900, ISR 1000, ISR 4000
  • ISR 900: fixed and fanless; IOS Classic based
  • ISR 1000: integrated wired and wireless access; PoE/PoE+; integrated security stack; fixed chassis
  • ISR 4000: WAN and voice module flexibility; compute with UCS E; WAN optimization
• Aggregation: ASR 1000
  • Hardware and software redundancy; high-performance services with hardware assist
• SD-WAN: vEdge 100, vEdge 1000 & 2000, vEdge 5000
  • 4G LTE & wireless; fixed/pluggable module; modular; RPS
• Virtual and Cloud: ISRv, CSR 1000V, vEdge Cloud, Cisco ENCS
  • Service chaining of virtual functions; Cisco DNA virtualization
  • Options for WAN connectivity; open for 3rd party services & apps
  • Extend enterprise routing, security & management to the cloud

Cisco Cloud Services Router (CSR) 1000V
Cisco IOS XE Software in a virtual network function form-factor
• Software: same IOS XE software as the ASR1000 and ISR4000
• Infrastructure agnostic: runs on x86 platforms
  • Supported hypervisors: VMware ESXi, RHEL Linux KVM, SUSE Linux KVM, Citrix Xen, Microsoft Hyper-V, Cisco NFVIS and CSP5000
  • Supported cloud platforms: Amazon Web Services, Microsoft Azure, Google Cloud Platform
• Performance elasticity: licenses range from 10 Mbps to 10 Gbps; CPU footprint ranges from 1 vCPU to 8 vCPU
• Programmability: NETCONF/YANG, RESTCONF, Guest Shell and SSH/Telnet
• License options: term based, 1 year, 3 year or 5 year
(figure: CSR 1000V running alongside application VMs on a virtual switch, hypervisor and x86 server)
Enterprise-class networking with rapid deployment and flexibility

Cisco vEdge Cloud Router
Cisco vEdge Software in a virtual network function form-factor
• Software: same software as the physical vEdge router platforms
• Infrastructure agnostic: runs on x86 platforms
  • Supported hypervisors: VMware ESXi, RHEL Linux KVM, SUSE Linux KVM, Citrix Xen, Microsoft Hyper-V, Cisco NFVIS and CSP5000
  • Supported cloud platforms: Amazon Web Services, Microsoft Azure, Google Cloud Platform
• Performance: licenses range from 10 Mbps to 100 Mbps; CPU footprint minimum 2 vCPUs
• Positioning: extends the SD-WAN overlay into cloud environments
• License options: term based, 1 year, 3 year or 5 year
Enterprise-class networking with rapid deployment and flexibility

Platform Built for Enterprise NFV
ENCS 5000 Series for the Branch (positioned for Branch/Campus, Colocation Center and Public Cloud deployments)
• Best of Routing & Compute
• Complete Virtualized Services
• Open for Third Party Services and Apps
Enterprise Network Compute System
• ENCS 5100 Series
• ENCS 5400 Series
  • 8 integrated LAN ports with optional PoE
  • 2 onboard Gigabit Ethernet ports with SFP
  • USB 3.0 storage
  • Network Interface Module for LTE & legacy WAN
  • 2 HDD or SSD, RAID 0 & 1
  • Hardware acceleration for VM traffic

What is Cisco SD-Branch?
Network services in minutes, on any platform

Enterprise Network
Compute System

What changes with Cisco SD-Branch?
• Before: separate branch router, IPS/IDS appliance, WAAS appliance, firewall appliance, and patch panel
• After: NFVIS on a single x86 compute platform housing multiple VNFs

ISRv and CSR 1000V
• ISRv (Integrated Services Router - Virtual)
  • Packaged for NFVIS
  • Branch-specific features
  • Branch-specific pricing
  • Look-and-feel of an ISR 4000
  • Not available separately
• CSR 1000V (Cloud Services Router)
  • Cloud and VDC deployments
  • Aggregation use-cases
  • Flexible pricing & packaging
  • Virtual ASR 1000 Series
  • Available on multiple platforms

WAN Connection and Transport Technologies
• Dark Fiber
  • Highest flexibility, control, and security through physical isolation (the fiber itself is unencrypted, so link encryption such as MACsec or IPsec is still needed where confidentiality matters), but only point-to-point connectivity
  • Most costly unless owned by the organization
• MPLS
  • Widely available service with flexible bandwidth options
  • Provider manages complex WAN routing with QoS SLAs
  • Offers simplicity with global scale if the organization can afford it
• Metro Ethernet
  • Layer 2 Ethernet connectivity service between up to hundreds of locations within a specific geographic region
  • Organization manages its own routing and QoS policies but may get higher bandwidth at less cost than MPLS
• Broadband
  • Lower cost, high bandwidth Internet connectivity
  • Organization manages a secure overlay VPN between sites but has no control over latency or QoS
  • Available as wired (DSL, Cable) or wireless (3G/4G/5G or satellite)
• Legacy T1
  • Last resort option but available anywhere
  • Cost comparable to Metro Ethernet but only 1.5 Mbps bandwidth
  • Point-to-point layer 2 connectivity and requires a non-Ethernet type port on the router

MPLS VPN Models
Technology Options (CE = Customer Edge router, PE = Provider Edge router)
• MPLS Layer-2 VPNs
  • Point-to-Point Layer-2 VPNs
    • CE connected to PE via L2 connection (Eth, FR, ATM, etc.)
    • CE-CE L2 p2p connectivity
    • CE-CE routing
    • No SP involvement in customer routing
  • Multi-Point Layer-2 VPNs
    • CE connected to PE via Ethernet connection
    • CE-CE L2 (Eth) mp connectivity
    • CE-CE routing
    • No SP involvement in customer routing
• MPLS Layer-3 VPNs
  • CE connected to PE via IP-based connection (over any layer-2 type)
    – Static routing
    – PE-CE routing protocol: eBGP, OSPF, IS-IS
  • CE has a peering relationship with the PE
  • PEs participate in customer routing
  • PEs maintain customer-specific routing tables

Broadband Internet
• Widely available in wired or wireless form
• Wired is generally an Ethernet handoff
• High bandwidth directly to the Internet, so every site becomes Internet-exposed; that added attack surface must be managed (firewalling, filtering, a hardened edge)
• Provides access to Public Cloud services such as IaaS and SaaS
• No end-to-end QoS or native Multicast across the Internet
• Overlay IP encapsulation with IPsec creates a secure VPN tunnel between Enterprise locations
• No service guarantee for critical applications, but offers a low cost backup or bandwidth augmentation option

Types of Overlay Service
• Layer 2 Overlays
  • Virtual Extensible LAN (VXLAN)
    – MAC-in-UDP encapsulation
    – 24-bit segment ID for up to 16M logical networks
  • Other L2 overlay technologies: MPLS-over-GRE/mGRE, L2TPv3, OTV
• Layer 3 Overlays
  • IPsec, Encapsulating Security Payload (ESP)
    – Strong encryption
    – IP unicast only
  • Generic Routing Encapsulation (GRE)
    – IP unicast, multicast, broadcast
    – Multiprotocol support
  • Other L3 overlay technologies: MPLS-over-GRE/mGRE, LISP

GRE and IPsec Overlay Encapsulation Example
Original packet:
  IP HDR | IP Payload

GRE packet with new IP header, IP protocol 47 (forwarded using the new IP destination):
  IP HDR (20 bytes) | GRE (4 bytes) | IP HDR | IP Payload

IPsec transport mode (original IP header kept as the outer header, about 30 bytes added):
  IP HDR (20 bytes) | ESP HDR | IP Payload | ESP Trailer (2 bytes plus padding) | ESP Auth
  Encrypted: IP Payload and ESP Trailer. Authenticated: ESP HDR through ESP Trailer.

IPsec tunnel mode (new outer IP header, about 54 bytes added):
  IP HDR (20 bytes) | ESP HDR | IP HDR | IP Payload | ESP Trailer (2 bytes plus padding) | ESP Auth
  Encrypted: inner IP HDR, IP Payload and ESP Trailer. Authenticated: ESP HDR through ESP Trailer.

The 30 and 54 byte figures are consistent with an 8-byte IV and a 12-byte ICV; the real overhead depends on the cipher's IV length, block-size padding and ICV length, so budget tunnel MTU from the suite actually in use.

Wide Area Network Design Trends
• Single Carrier Designs
  • Enterprise connects all sites to a single MPLS VPN carrier for L3 connectivity
  • Simple design with consistent features
  • Bound to a single carrier for feature velocity
  • Vulnerable to an MPLS cloud failure scenario
• Dual Carrier Designs
  • Enterprise single/dual connects sites into one/both MPLS VPN carriers
  • Protection against full MPLS cloud failure
  • Leverage for competitive services pricing
  • Complexity from service differences between carriers (QoS, BGP AS, etc.)
  • Must settle for least common denominator features

Wide Area Network Design Trends (cont.)
• Hybrid and Overlay Designs
  • Tunneling/encryption enables transport agnostic design
  + On-demand or permanent backup links
  + Commodity broadband services offer lower cost, higher bandwidth
  + Flexible overlay topology independent of physical underlay connectivity
  − Two "layers" to support
  − SLA over commodity transport services
  − Must consider potential for fragmentation
(figure: secure overlays 1 and 2 carried over multiple Internet transports)

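The fragmentation point above and the encapsulation byte counts from the GRE/IPsec slide, worked through in an added example (not part of the deck): the functions rebuild the ESP framing from RFC 4303 (SPI, sequence, IV, padding to the cipher block, pad length, next header, ICV) and then compute the largest inner packet that a GRE-over-IPsec tunnel can carry over a given transport MTU without post-encryption fragmentation. The suite parameters are the standard ones for the named algorithms; the 1500-byte transport MTU and the suite names are assumptions for the demo.

```python
"""Overlay encapsulation overhead and fragmentation budget (added example, not from the slides)."""
from dataclasses import dataclass

IPV4_HDR = 20
GRE_HDR = 4            # base GRE header without checksum/key/sequence options
ESP_HDR = 8            # SPI (4) + sequence number (4)
ESP_TRAILER_FIXED = 2  # pad length (1) + next header (1)
TCP_HDR = 20


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int     # IV/nonce bytes carried after the ESP header
    block_len: int  # plaintext + trailer is padded to a multiple of this
    icv_len: int    # integrity check value appended after the trailer


SUITES = {
    "3des-sha1": EspSuite("3DES-CBC + HMAC-SHA1-96", iv_len=8, block_len=8, icv_len=12),
    "aes-cbc-sha1": EspSuite("AES-CBC + HMAC-SHA1-96", iv_len=16, block_len=16, icv_len=12),
    # AES-GCM needs no cipher padding, but ESP still requires 4-byte alignment of the trailer
    "aes-gcm-128": EspSuite("AES-GCM-128 (16-byte ICV)", iv_len=8, block_len=4, icv_len=16),
}


def gre_packet_len(inner_packet_len: int) -> int:
    """Length after GRE: new IP header + GRE header + the whole original packet."""
    return IPV4_HDR + GRE_HDR + inner_packet_len


def esp_packet_len(ip_payload_len: int, suite: EspSuite, tunnel_mode: bool) -> int:
    """Length of an IPv4 packet after ESP protection.

    ip_payload_len is the number of bytes after the IP header of the packet
    being protected.  Transport mode keeps that IP header as the outer header;
    tunnel mode encrypts it and prepends a new one, so it counts as plaintext.
    """
    plaintext = ip_payload_len + (IPV4_HDR if tunnel_mode else 0)
    padded = -(-(plaintext + ESP_TRAILER_FIXED) // suite.block_len) * suite.block_len
    return IPV4_HDR + ESP_HDR + suite.iv_len + padded + suite.icv_len


def esp_overhead(ip_payload_len: int, suite: EspSuite, tunnel_mode: bool) -> int:
    """Bytes added to a packet of IPV4_HDR + ip_payload_len bytes."""
    return esp_packet_len(ip_payload_len, suite, tunnel_mode) - (IPV4_HDR + ip_payload_len)


def gre_over_ipsec_len(inner_packet_len: int, suite: EspSuite, tunnel_mode: bool) -> int:
    """Outer length of an inner IP packet that is GRE-encapsulated, then ESP-protected."""
    return esp_packet_len(GRE_HDR + inner_packet_len, suite, tunnel_mode)


def max_inner_packet(link_mtu: int, suite: EspSuite, tunnel_mode: bool) -> int:
    """Largest inner IP packet that leaves the router unfragmented.

    Use this as the tunnel interface 'ip mtu'; setting it (rather than leaving
    the default) is what avoids post-encryption fragmentation on the transport,
    which the receiving peer must reassemble before it can decrypt.
    """
    return max(n for n in range(1, link_mtu + 1)
               if gre_over_ipsec_len(n, suite, tunnel_mode) <= link_mtu)


def tcp_mss_for(tunnel_ip_mtu: int) -> int:
    """TCP MSS to clamp on the tunnel ('ip tcp adjust-mss') so TCP never relies on PMTUD (IPv4, no options)."""
    return tunnel_ip_mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    s = SUITES["aes-cbc-sha1"]
    mtu = max_inner_packet(1500, s, tunnel_mode=True)
    print(f"{s.name}: tunnel ip mtu {mtu}, tcp adjust-mss {tcp_mss_for(mtu)}")
```

With AES-CBC and HMAC-SHA1 over a 1500-byte transport the tunnel-mode answer is 1414 bytes, which is why the usual practice of `ip mtu 1400` with `ip tcp adjust-mss 1360` leaves a small margin; the 3DES figures reproduce the slide's 30-byte (transport) and 54-byte (tunnel) overheads for the packet sizes where the padding works out that way.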
Legacy IPsec VPN Technologies Comparison
• Infrastructure Network
  • DMVPN: public or private transport; overlay routing
  • FlexVPN: public or private transport; overlay routing; IPv4/IPv6 dual stack
  • GET VPN: private IP transport; flat/non-overlay IP routing
• Network Style
  • DMVPN: large scale hub and spoke with dynamic any-to-any
  • FlexVPN: converged site-to-site and remote access
  • GET VPN: any-to-any (site-to-site)
• Failover Redundancy
  • DMVPN: active/active based on dynamic routing
  • FlexVPN: dynamic routing or IKEv2 route distribution; server clustering
  • GET VPN: transport routing; COOP based on GDOI
• Scalability
  • DMVPN: unlimited; 3000+ client/server
  • FlexVPN: unlimited; 3000+ client/server
  • GET VPN: 8000 GM total; 4000 GM/KS
• IP Multicast
  • DMVPN: multicast replication at hub
  • FlexVPN: multicast replication at hub
  • GET VPN: multicast replication in the IP WAN network
• QoS
  • DMVPN: per tunnel QoS, hub to spoke
  • FlexVPN: per SA QoS, hub to spoke; per SA QoS, spoke to spoke
  • GET VPN: transport QoS
• Policy Control
  • DMVPN: locally managed
  • FlexVPN: central or local management
  • GET VPN: centralized policy management
• Technology
  • DMVPN: tunneled VPN; multi-point GRE tunnel; IKEv1 & IKEv2
  • FlexVPN: tunneled VPN; point-to-point tunnels; IKEv2 only
  • GET VPN: tunnel-less VPN; group protection; IKEv1 & IKEv2

Link Speeds Out-Pacing IP Encryption
• Bandwidth application requirements are out-pacing IP encryption capabilities
• Bi-directional traffic and packet sizes further impact encryption performance
• IPsec engines dictate the aggregate link performance of the platform (much lower throughput than the link)
• Cost per bit for IPsec is much more expensive
• Encryption must align with link speed (100G+) to support next-generation applications
(chart: link speed versus IPsec encryption speed over time; the goal is link speed = encryption speed)

What is MAC Security (MACsec)?
Hop-by-Hop Encryption via IEEE 802.1AE
• Hop-by-hop encryption model
  - Packets are decrypted on the ingress port
  - Packets are in the clear inside the device (everything in clear through the router)
  - Packets are encrypted on the egress port
• Supports 1/10G, 40G, 100G encryption speeds
• Data plane (IEEE 802.1AE) and control plane (IEEE 802.1X-Rev) with a MACsec-capable PHY
• Transparent to IPv4/v6, MPLS, multicast, routing
• Encryption aligns with link PHY speed (Ethernet)
• 128/256-bit AES-GCM encryption on each encrypted segment
(figure: encrypted segment, decrypt at ingress, clear text through the router, encrypt at egress, encrypted segment)

What is "WAN MACsec"?
• Leverage MACsec over "public" standard Ethernet transport
• Optimize MACsec + WAN features to accommodate running over public Ethernet transport
• Target "line-rate" encryption for high-speed applications
  • Inter DC, MPLS WAN links, massive data projects
• Targets 100G, but supports 1/10/40G as well
(figure: MACsec-capable routers at a remote campus/DC and a central campus/DC, each with a MACsec-capable PHY, connected across a public carrier Ethernet service built from service-provider-owned routers/bridges; the MACsec secured path and MKA session run end to end over the SP-owned Ethernet transport devices)

WAN MACsec Use Cases
Most Common Use Cases Leveraging WAN MACsec in the Enterprise
• 10GE → 100GE high speed site to site
  • Campus, WAN, DC→DC, Metro E
• Data Centre Interconnect
  • High speed replication and storage transfers
• IP/MPLS core/edge links (PE–P, P–P, PE–PE)
  • MPLS labels, VPN, Segment Routing are transparent to MACsec encryption
  • No GRE, simple. Encryption = link BW
• High speed hub-and-spoke
  • Leverage low-cost/high-speed Metro E transport
  • Simple configuration, no GRE tunnels
• Hybrid encryption design options
  • Ability to leverage BOTH MACsec and IPsec at various network points
(figures: E-LINE / E-LAN point to multipoint, branches 1 to n to a central site over a carrier Ethernet service; E-LINE point to point, central site/DC 1 to central site/DC 2 over a carrier Ethernet service)

What Is Enterprise L3 "Network" Segmentation?
• Giving one physical network the ability to support multiple L3 virtual networks
• End-user perspective does not change
• Maintains hierarchy; virtualizes devices, data paths, and services
(figure: three virtual networks on one actual physical infrastructure: internal separation (sales, eng), merged company, guest access network)

Virtual Routing and Forwarding Instance - VRF
Virtual Routing Table and Forwarding, Separate per Customer Traffic
• Logical routing context within the same PE device
• Unique to a VPN
• Allows overlapping customer IP addresses
• Deployment use cases
  • Business VPN services
  • Network segmentation
  • Data Center access

Enterprise Network Segmentation over the WAN
The Building Blocks – Example Technologies
• Device Partitioning: VLAN, VRF, VXLAN, Virtual Device Context (VDC), Cloud Services Router (CSR), IOS-XRv 64-bit
• WAN Segmentation Interconnect
  • L2 VPNs: EVPN/VXLAN, PW/VPLS, OTV
  • L3 VPNs: MPLS BGP L3 VPN, L3 VPN over IP, BGP EVPN (VXLAN, SR), VXLAN to MPLS integration
• Device Pooling: StackWise Virtual (SVL), Virtual Port Channel (vPC), StackWise, Inter-Chassis Control Protocol (ICCP), HSRP/GLBP

Why L3 Network Segmentation?
Key Drivers and Benefits
• Cost Reduction: allowing a single physical network the ability to offer multiple virtual networks to tenants
• Simpler OAM: reducing the physical network devices that need to be managed and monitored
• Security: maintaining segmentation of the network for different departments over a single device/Campus/WAN
• Agility: accelerates adding (virtual) network segments over the same physical networks
• High Availability: leverage segmentation through clustering devices that appear as one (vastly increased uptime)
• Data Center Applications: offer per/multi-tenant segmentation from the DC into the WAN/campus/Branch and cloud; end-to-end segmentation from server to campus to WAN

Why L3 Network Segmentation?
Current and Evolving Use Cases
• Multi-Tenant Dwelling Separation
  • Airports – United, Delta, etc.
  • Government Facilities – agencies sharing a single building/campus
  • Intra-organization segmentation – Sales, Engineering, HR, LoB
  • Company mergers – allowing slow migration for transition, overlapping addressing
  • IoT device isolation – segment from the user data (IP cameras, badge readers)
• Regulation requirements
  • Health Care – HIPAA
  • Financial and Transactional – Sarbanes-Oxley
  • PCI Compliance
• Security for Isolation
  • Key fundamental element for a Zero Trust security framework
  • Quarantine zone – honeypot, traffic steered as a result of DDoS, anomaly enforcement
  • Mandates to logically separate varying levels of security (e.g. enclaves)
• Public Cloud and key component of the policy construct
  • L3 segmentation "per tenant" – GBP, and leveraged in intent-based network policies

WAN Segmentation Trends
Segmentation Domain
• MPLS Backbone (figure: SDN controller/management over an SP MPLS core of P and PE routers, with branch, campus and DC sites attached via CE routers; the managed domain is the MPLS backbone)
  • Targets "Service Provider like" customers who need to control SLAs, rapid service turn-up times, tighter granular service options, end-to-end control, provisioning, and visibility
  • Segment Routing, SR-TE, centralized WAN controller
• Enterprise SD-WAN (figure: SDN controller/management over overlay encapsulation across SP MPLS and Internet transports, connecting branch, campus and DC sites via CE routers; the managed domain is the overlay)
  • Targets enterprise customers looking to consume secure WAN transport, with central management, control, and application visibility
  • Cisco SD-WAN, MPLS VPN over IP (central controller and/or open tools for automation)

Quality of Service (QoS) Operations
How Does It Work and Essential Elements
(pipeline: Classification and Marking → Queuing and Dropping → Post-Queuing Operations)
▪ Classification and Marking:
  • The first element of a QoS policy is to classify/identify the traffic that is to be treated differently. Following classification, marking tools can set an attribute of a frame or packet to a specific value.
▪ Policing:
  • Determine whether packets are conforming to administratively-defined traffic rates and take action accordingly. Such action could include marking, remarking or dropping a packet.
▪ Scheduling (including Queuing and Dropping):
  • Scheduling tools determine how a frame/packet exits a device. Queuing algorithms are activated only when a device is experiencing congestion and are deactivated when the congestion clears.

Enabling QoS in the WAN
Traffic Profiles and Requirements
• Voice: smooth, benign, drop sensitive, delay sensitive, UDP priority. Bandwidth per call depends on codec, sampling rate, and Layer 2 media. One-way requirements: latency ≤ 150 ms, jitter ≤ 30 ms, loss ≤ 1%, bandwidth 30–128 kbps
• SD Video Conferencing: bursty, greedy, drop sensitive, delay sensitive, UDP priority. SD/VC has the same requirements as VoIP, but traffic patterns and bandwidth vary greatly. One-way requirements: latency ≤ 150 ms, jitter ≤ 30 ms, loss ≤ 0.05%, bandwidth about 1 Mbps
• Telepresence (HD/VC): bursty, drop sensitive, delay sensitive, jitter sensitive, UDP priority. Tighter requirements than VoIP for jitter, and bandwidth varies with resolution. One-way requirements: latency ≤ 200 ms, jitter ≤ 20 ms, loss ≤ 0.10%, bandwidth 5.5–16 Mbps
• Data: smooth/bursty, benign/greedy, drop insensitive, delay insensitive, TCP retransmits. Traffic patterns vary across applications. Data classes: Mission-Critical Apps, Transactional/Interactive Apps, Bulk Data Apps, Best Effort Apps (default)

Getting Started with QoS design
• Relevant
  • Needed to support the core business objective
  • Applications should be understood, marked and treated in accordance with best practice
• Business as usual
  • May or may not support business objectives directly
  • The traffic can be grouped into QoS class queues with proper marking, or just tied to a single QoS class or the default queue
• Not Important
  • Consumer oriented traffic type
  • Treated as less than best effort

WAN Edge Bandwidth Allocation Models
• Three-Class WAN Edge Model: Voice 33%, Call-signaling 5%, Best Effort 62%
• Five-Class WAN Edge Model: Voice 33%, Call-signaling 5%, Critical Data 36%, Scavenger 1%, Best Effort 25%
• Eleven-Class WAN Edge Model (pie labels as shown): Voice 18%, Interactive-Video 15%, Call Signaling 5%, Network Control 5%, Critical Data 27%, Bulk Data 4%, Scavenger 1%, Best Effort 25%

QoS Tools and Techniques
• Classifying and Marking
  • Network Based Application Recognition (NBAR2)
  • Application Visibility and Control (AVC)
  • Layer 2 or 3 marking of CoS/EXP or DSCP/IP precedence
• Policing and Markdown
  • Define traffic metering contracts
  • Markdown out-of-contract flows
  • Conform, Exceed, Violate actions
• Scheduling
  • Re-order and selectively drop during congestion
  • Class Based Weighted Fair Queuing (CBWFQ)
  • Low Latency Queuing (LLQ) and Multi-LLQ
• Link-specific tools
  • Traffic Shaping and Hierarchical QoS (HQoS)
  • Compression
  • Fragmentation and Interleaving

GRE/IPsec QoS Consideration
ToS Byte Preservation
• The ToS byte of the original IP header is copied to the new (outer) IP header, so QoS classification on the transport still sees the inner marking
Original packet:   IP HDR (ToS) | IP Payload
GRE tunnel:        IP HDR (ToS copied) | GRE HDR | IP HDR (ToS) | IP Payload
IPsec tunnel mode: IP HDR (ToS copied) | ESP HDR | IP HDR (ToS) | IP Payload | ESP Trailer | ESP Auth

QoS for IPv6
• The IPv6 implementation of DiffServ is identical to IPv4
• The same classifiers can be used to differentiate both IPv6 and IPv4 packets
  • Source IP address, destination IP address, IP Protocol field, source port number, and destination port number
  • IP precedence or DSCP values
  • TCP/IP header parameters, such as packet length
  • Source and destination MAC addresses
• The match precedence and match dscp commands filter IPv4 and IPv6 traffic

To match packets on both IPv4 and IPv6 protocols:
    class-map match-all ipv6+ipv4forprec5
     match precedence 5

To match packets for IPv6 protocols only:
    class-map match-all ipv6onlyprec5
     match protocol ipv6
     match precedence 5
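An added example, not from the deck, that mirrors the two class-maps above as match functions over raw IPv4 and IPv6 headers; it shows where the same DiffServ field sits in each header (the ToS byte in IPv4, the Traffic Class straddling the first two bytes in IPv6). Addresses and the sample packets are constructed.

```python
"""Added example: the slide's precedence class-maps applied to IPv4 and IPv6 headers."""
import socket
import struct


def ip_version(pkt):
    return pkt[0] >> 4


def traffic_class(pkt):
    """DiffServ byte: IPv4 ToS, or the IPv6 Traffic Class (low nibble of byte 0,
    high nibble of byte 1). The field layout (6-bit DSCP + 2-bit ECN) is identical."""
    version = ip_version(pkt)
    if version == 4:
        return pkt[1]
    if version == 6:
        return ((pkt[0] & 0x0F) << 4) | (pkt[1] >> 4)
    raise ValueError(f"unsupported IP version {version}")


def dscp(pkt):
    return traffic_class(pkt) >> 2


def precedence(pkt):
    """IP precedence is the top three bits of the DiffServ byte (DSCP class selector)."""
    return traffic_class(pkt) >> 5


def class_ipv6_plus_ipv4_for_prec5(pkt):
    """class-map match-all ipv6+ipv4forprec5 / match precedence 5  (any IP version)."""
    return precedence(pkt) == 5


def class_ipv6_only_prec5(pkt):
    """class-map match-all ipv6onlyprec5 / match protocol ipv6 / match precedence 5."""
    return ip_version(pkt) == 6 and precedence(pkt) == 5


def classify(pkt):
    """Return the names of all class-maps the packet matches, most specific first."""
    matched = []
    if class_ipv6_only_prec5(pkt):
        matched.append("ipv6onlyprec5")
    if class_ipv6_plus_ipv4_for_prec5(pkt):
        matched.append("ipv6+ipv4forprec5")
    return matched


def make_ipv4(tos, src="10.0.0.1", dst="10.0.0.2"):
    """Constructed 20-byte IPv4 header with the given ToS byte (UDP, no payload)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def make_ipv6(tclass, src="2001:db8::1", dst="2001:db8::2"):
    """Constructed 40-byte IPv6 header: version 6, Traffic Class, flow label 0, UDP next header."""
    first_word = (6 << 28) | (tclass << 20)
    return struct.pack("!IHBB16s16s", first_word, 0, 17, 64,
                       socket.inet_pton(socket.AF_INET6, src),
                       socket.inet_pton(socket.AF_INET6, dst))


if __name__ == "__main__":
    EF, AF21 = 46 << 2, 18 << 2          # ToS bytes 0xB8 and 0x48
    for label, pkt in (("IPv4 EF", make_ipv4(EF)), ("IPv6 EF", make_ipv6(EF)),
                       ("IPv6 AF21", make_ipv6(AF21))):
        print(f"{label}: dscp={dscp(pkt)} prec={precedence(pkt)} -> {classify(pkt)}")
```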
What Are the QoS Implications of MPLS VPNs?

Bottom Line:
• Enterprises must co-manage QoS with their MPLS VPN Service Providers
• Their policies must be both consistent and complementary
IP Multiservice VPN Service Providers
Service-Level Agreements

[Figure: Enterprise Campus (CE) connected through the Service Provider (PE to PE) to the Enterprise Remote-Branch (CE)]

Maximum One-Way Service-Levels (Enterprise Campus to Remote-Branch): Latency ≤ 150 ms / Jitter ≤ 30 ms / Loss ≤ 1%

Maximum One-Way SP Service-Levels (Service Provider segment): Latency ≤ 60 ms / Jitter ≤ 20 ms / Loss ≤ 0.5%
Enterprise-to-Service Provider Mapping
Five-Class Provider-Edge Model Remarking Diagram

Enterprise application classes (DSCP, with remarking arrows as drawn):
• Routing CS6
• Voice EF ➔ EF
• Interactive Video AF41 ➔ CS5
• Streaming Video CS4 ➔ AF21
• Mission-Critical Data AF31
• Call Signaling CS3 ➔ CS5
• Transactional Data AF21 ➔ CS3
• Network Management CS2
• Bulk Data AF11
• Scavenger CS1 ➔ 0
• Best Effort 0

PE classes (admitted DSCP values and bandwidth share):
• SP-Real Time: EF, CS5 (35%)
• SP-Critical: CS6, AF31, CS3 (20%)
• SP-Video: AF21, CS2 (15%)
• SP-Bulk: AF11/CS1 (5%)
• SP-Best Effort: 0 (25%)
IP Multicast in the Enterprise WAN
• IPs: 224.0.0.0 – 239.255.255.255
• Group destination IP, never a source
• Single source transmission efficiently delivered to a group of receivers
• Protocol-Independent Multicast (PIM) relies on unicast routing to build a loop-free, hop-by-hop path
• PIM must be enabled along the entire end-to-end path
• Not supported over the Internet
• Service Providers offer MPLS VPN with Multicast capabilities
• L2 WAN transport allows Enterprise to fully manage the Multicast domain
• Can operate in Overlay but may require head-end replication limiting overall efficiency

[Figure: Unicast source sending a separate copy to each Receiver versus a Multicast source sending once to the group of Receivers]
Securing the WAN
• Perimeter security required at all Enterprise Internet connection points
• Private connections (e.g. MPLS) provide a relative level of security
• Backhauling Internet traffic to data centers with appropriate perimeter security creates latency, congestion, and cost
• Deploying perimeter security at every location for DIA is even more costly and difficult to manage
• The goal is a single security policy enforced across the entire WAN

Security Tools
✓ Firewalls
✓ Intrusion Prevention
✓ Visibility
✓ URL Filtering
✓ Advanced Malware Protection
✓ DNS Security
✓ Transport Security
✓ DDoS Protection
✓ etc…
Cloud Connectivity Challenges
• Complexity & Dependency - Need a simple and scalable way to securely extend the private network across Multicloud environments
• Inconsistent security policies between private & public - Need to apply consistent security policies
• Degraded application performance and ambiguity for best path to reach the cloud – Need to enhance application experience
Public Cloud Deployment Models

Application VPC
• CSR deployed in application VPC
• Provide IPsec gateway for entire VPC
• Need high availability

Transit VPC
• CSR deployed in dedicated Transit Hub
• High speed traffic routing for spoke VPC
• High availability is built-in natively

Auto-scale Gateway
• Add pair of CSRs to scale out
• Remote end (VGW) has multiple tunnels and does L3 ECMP (Equal Cost Multiple Path)
• Monitors CSR real-time throughput and spins up new CSRs on demand
Connecting to Public Cloud

[Figure: four connectivity models from Branch / Data Center to VPC/VNet; labels recovered below]

• Internet IPSec tunnel connection from DC: IPsec Tunnel from customer DC to the cloud over the Internet
• Internet only connectivity: Branch reaches the VPC/VNet directly over the Internet
• DX / ER to Public Cloud through SP: MPLS carriers (L3 VPN carrier) offer DX/ER as an SP Managed Service via the Carrier PE
• Direct Connect to Public Cloud through co-locations: DX/ER from the co-location facility to the cloud
Remember the Main Message:

Foundational Design is key to WAN Architecture
WAN Designs moving Forward

Common WAN Topologies
Design and Deployment Considerations

Design Challenges with Growing Needs and New Innovation

[Figure: branch topologies combining Internet and 3G/4G/5G transports, each carrying a Secure Overlay, from single-transport sites to dual-router (1, 2) multi-transport sites]
Common WAN Topologies
Growing Complexity - Scale, Policy, Segmentation

Complexity Grows with Scale and Changing Business Requirements

Drivers for Change
• Today, the large majority of application traffic on the private network is destined off-network
• Some is critical traffic, not all, destined to SaaS, IaaS (e.g. O365, Salesforce.com, or Azure)
• Includes regular browsing traffic from each location
• MPLS can be an expensive conduit to a centralized Internet breakout point
• Enterprise pays for private bandwidth and then again for Internet bandwidth
• This change in traffic impacts capacity planning, application performance, and ultimately user satisfaction
• Major challenge to use traditional WAN features to deliver a cohesive solution and to troubleshoot
A New Era in Network Architectures

1st Wave – TDM (TDM Era)
TDM rigidity limits new services, forces architectural shift
IP unleashes new wave of innovation and service revenues

2nd Wave – MPLS (~5-10 Year Transition)
Commoditization of IP services plus high traffic growth limits profitability, forces architectural shift

3rd Wave – EPN (~2-10 Years?)
Evolved Programmable Network Era, Digital Transformation
Network Function Virtualization, Software Defined Networking, and Service Orchestration enable
- Open and Dynamic
- Optimal resource utilization
- Accelerated innovation
- New services & revenues
- Reduced costs
- Reduced complexity

[Figure: Evolved Services Platform (Open APIs, Applications and Services, Resources, SDN Control) on top of the Evolved Programmable Network / Programmable Infrastructure]
Cisco’s Enterprise SDN Strategy
Policy and Intent to Unlock the Power of your Distributed System

• Leverage the Power of Existing Distributed Systems
• Unlock the Power that Exists in the Network through Abstraction, Automation, and Policy Enforcement
• Enable Network Wide Fidelity to an Expressed Intent (Policy)
Cisco Digital Network Architecture

[Figure: Cisco DNA block diagram; labels recovered below]

Principles: Cloud Service Management; Open and Programmable; Virtualization; API Driven; Insights and Experiences; Security
Blocks: Automation; Analytics; Assurance; Security and Compliance
Foundation: Programmable Physical and Virtual infrastructure
Cisco Digital Network Architecture

[Figure: the same Cisco DNA block diagram with the SD-WAN components overlaid; labels recovered below]

Cisco vManage: Cloud Service Management; Automation; Analytics; Assurance
Principles: Open and Programmable; Virtualization; Security and Compliance; API Driven; Insights and Experiences
SD-WAN on ASR1k/ISR4k/vEdge: Programmable Physical and Virtual infrastructure; Embedded Security; Policy Enforcement
SDWAN
Network Transformation
The Era of Digital Transformation

Hardware Centric ➔ Software Driven
Manual ➔ Automated
Closed ➔ Programmable
Reactive ➔ Predictive
Network Intent ➔ Business Intent

CLOUD & ON-PREM: Hosted, delivered, managed
AUTOMATION & SCALE: Speed, flexible, zero-touch, policy driven
SECURITY & COMPLIANCE: Segmentation, threat mitigation
ASSURANCE & ANALYTICS: Users, applications, devices
Business Driven SD-WAN Infrastructure
Design and Deploy for Impact Objectives

APPLICATION POLICIES: Application SLA; Traffic Engineering; Per-Segment Topologies; Secure Perimeter; Cloud Path (IaaS); Cloud Accel (SaaS); Transport Hub

SERVICES DELIVERY PLATFORM: Routing; Security; Segmentation; QoS; Multicast; Svc Insertion; Survivability

TRANSPORT INDEPENDENT FABRIC: Broadband; MPLS; Cellular

Across all layers: Analytics; Monitoring; Operations; ZERO TOUCH; ZERO TRUST
Reinventing the WAN
The Four Pillars and Focus Areas of Cisco SDWAN

Pillars:
• Security
• Connectivity
• Application Services
• Operations

Focus areas: Secure Elastic Connectivity; Application QoE; Cloud First; Agile Operations
Reinventing the WAN
Security

• Embedded Security
• Secure Bring-up
• Centralized Device Auth-DB
• Scalable Data-Plane Encryption
• Authenticated/Encrypted Control Plane
• Automatic Key Rollover
Reinventing the WAN
Connectivity

• Hybrid WAN (LTE, INTERNET, MPLS)
• Provider/Transport Agnostic
• Dynamic Segmentation/VPNs
• Per-VPN Topologies
Reinventing the WAN
Application Services

• Deep Packet Inspection / App Fingerprinting (DPI Engine)
• Central Orchestration
• Transport SLA Monitoring (LTE, INTERNET, MPLS)
• Application Layer Analytics
• Application-Aware Routing
• Cloud Services Integration
• SEN Overlay
Reinventing the WAN
Operations

• Centralized Operations, Distributed Execution
• Centralized Policy Orchestration
• Template-based Configurations
• Zero Touch Provisioning
• Programmatic APIs
• Open Object Model, NetConf
• Ad-Hoc Adds/Moves/Changes
Cisco SDWAN Solution Overview
Applying SDN Principles To The Wide Area Network

[Figure: layered solution diagram; labels recovered below]

• Orchestration Plane (ORCHESTRATION): vBond
• Management Plane (MANAGEMENT, ANALYTICS, API): vManage, Multi-tenant or Dedicated
• Control Plane (CONTROL): vSmart, Containers or VMs
• Data Plane: vEdge, Physical or Virtual, at Data Center, Campus, Branch and Home Office
• Secure DTLS Control Channel; Secure IPSEC Data Channel over INET, MPLS and 4G
Cisco SDWAN Typical Architecture

[Figure: Private Cloud Site (App Servers, SDWAN Headend, Distro Switch, CE Routers) and Enterprise Controllers connected over MPLS1 and INET to a Virtual Private Cloud (VPCs fronted by virtual routers, V = Virtual Router), SaaS, and Legacy, Single Router and Dual Router Branches]
Cloud-Delivered SDWAN Control
Flexible Deployment Options

Each option deploys vManage, vSmart and vBond, reached over DTLS or TLS connections:
• Cisco Cloud Ops deploy in the Cisco Cloud (Recommended)
• MSP Ops Team deploys in the MSP Cloud
• Enterprise IT deploys in a Private Cloud
Multi-Path Multi Destination – Per SLA
App Aware Routing Policy

App A path must have: Latency < 150ms, Loss < 0%, Jitter < 5ms

Measured paths:
Path1: 10ms, 0% loss, 5ms jitter
Path2: 90ms, 3% loss, 10ms jitter
Path3: 200ms, 1% loss, 10ms jitter
Path4: 180ms, 1% loss, 5ms jitter

SD-WAN Edge Routers continuously perform path liveliness and quality measurements

[Figure: Government Agency Branch Location with vManage and Analytics; paths over Internet and MPLS to a Regional DC / CoLo (Equinix Cloud Exchange, IDS, Controlled Access Point) and on to FedRAMP SaaS. Legend: Application Aware Probe; Controlled Access Path; Regional CoLocation Center]
Cisco SD-WAN – Cloud OnRamp for SaaS

• User designates Cloud onRamp gateways which can be remote DMZs or local CPE (DIA case)
• App-Aware routing to SaaS end-point from gateway routers
• SLA metrics are computed by using httping based probes to the SaaS endpoint through the Cloud onRamp gateway
• Per application SLA metrics include loss and latency
• Path experiencing better SLA for the application is chosen
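An added example, not from the deck, serving both the App Aware Routing slide and the Cloud OnRamp for SaaS slide above: it evaluates the four measured paths from the App A example against the SLA class, falls back sensibly when no path complies, and ranks SaaS paths on loss and latency only. Assumptions: SLA thresholds are treated as maximums (≤), and the SaaS ranking order (loss first, then latency) and all names are constructed, not Cisco's scoring.

```python
"""Added example: SLA-class path selection over the slide's four measured paths."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SlaClass:
    name: str
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float


@dataclass(frozen=True)
class PathProbe:
    """One round of liveliness/quality measurement on a transport path (constructed)."""
    path: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float


def meets_sla(probe, sla):
    """A path complies when every measured metric is within the SLA class maximum (assumed <=)."""
    return (probe.latency_ms <= sla.max_latency_ms
            and probe.loss_pct <= sla.max_loss_pct
            and probe.jitter_ms <= sla.max_jitter_ms)


def select_paths(probes, sla, preferred=None):
    """Compliant paths in measurement order; if any preferred path complies, only those
    are returned (a preferred transport colour in the policy). Empty list: no path complies."""
    compliant = [p for p in probes if meets_sla(p, sla)]
    if preferred:
        favoured = [p for p in compliant if p.path in preferred]
        if favoured:
            return favoured
    return compliant


def fallback(probes, sla):
    """When no path meets the SLA, keep forwarding on the least-bad path (lowest loss,
    then latency, then jitter) instead of black-holing the application."""
    return min(probes, key=lambda p: (p.loss_pct, p.latency_ms, p.jitter_ms))


def best_saas_path(probes):
    """Cloud OnRamp for SaaS style choice: per-application metrics are loss and latency only."""
    return min(probes, key=lambda p: (p.loss_pct, p.latency_ms))


def route_app(probes, sla, preferred=None):
    """Return (chosen path, whether it complies) for one policy evaluation cycle."""
    candidates = select_paths(probes, sla, preferred)
    if candidates:
        return candidates[0], True
    return fallback(probes, sla), False


# App A requirements and the four paths measured on the slide.
APP_A = SlaClass("App A", max_latency_ms=150, max_loss_pct=0, max_jitter_ms=5)
PROBES = [
    PathProbe("Path1", 10, 0, 5),
    PathProbe("Path2", 90, 3, 10),
    PathProbe("Path3", 200, 1, 10),
    PathProbe("Path4", 180, 1, 5),
]

if __name__ == "__main__":
    chosen, ok = route_app(PROBES, APP_A)
    print(f"App A -> {chosen.path} (SLA met: {ok})")
    print("SaaS best of remaining paths:", best_saas_path(PROBES[1:]).path)
```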
Cloud Ready WAN Architecture

Centralized Data Center Architecture (Legacy)
Hosted Applications in the Agency Owned Data Center

[Figure: Campus / Branch Users reach Mainframe and Servers in the Data Center over the WAN; the Data Center fronts the Internet with a Full Security Stack]
Next Generation Enterprise Architecture
Network Architecture Transition in a Multi-Cloud World

[Figure: Users and Devices in the SDA Campus / Branch, managed by DNA Center (DNAC), connect via SD-WAN (vManage) to the Data Center, Cloud Edge, Public Cloud, SaaS and Co-Location Center, with Direct Internet Access to the Internet behind a Full Security Stack]

Deliver Segmentation, Security, Automation, anytime, anywhere, Any transport
Cloud Ready Network Architecture
Aligning WAN Design w/ Applications and Perimeter DMZ in Co-Location Centers

[Figure: Customers, Employees, Partners and IoT (Office / Mobile) enter the App Aware SD-WAN (MANAGEMENT, ORCHESTRATION, CONTROL; SD-WAN Fabric Solution over Secure Internet, Private MPLS and 4G/LTE) and pass through a Physical or Virtual DMZ (Cloud Edge DMZ) to the Data Center, SaaS, Public Cloud and Internet]

Management | Security | Policy | Orchestration | Analytics
Cisco SD-WAN Cloud On-Ramp for CoLo
Securely Connecting Users Cloud and Application Providers

[Figure: Customers, Employees (AnyConnect, Branch) and Partners connect through Cloud On-Ramp for Colo in the Colocation / DC, orchestrated by Cisco vManage / vBond, to SaaS, the Private Data Centre and IaaS]

Security: Central policy enforcement
Agility & Performance: Rapid provisioning, change control and scale-out architecture via NFV fabric. Speed of software with the performance of hardware.
Cost Savings: Lower OpEx and CapEx through NFV. Reduce circuit costs and number of circuits.

Turn-key orchestration and automation of enterprise WAN Service-Chains!
Modern Hierarchical Global WAN Design

[Figure: Tier 1 Global IP/MPLS Core spanning the East Theater and West Theater; Tier 2 In-Theater IP/MPLS Core for the West Region and East Region, with Private DCs and Co-Lo Centers (FTD firewalls) attached to Cloud Services / Internet (SaaS, IaaS); Tier 3 Campus / Branch sites joined by the SD-WAN Fabric over Secure Internet, Metro Service, MPLS and 4G/LTE, plus Secure Mobile users]
Summary

The WAN Technology Continuum

[Figure: era table and technology timeline; labels recovered below]

Eras: Early Networking (Flat/Bridged, Experimental Networks); Early-Mid 1990s (Multiprotocol, Business Enabling); Mid 1990s-Late 2000s (Large Scale, Mission Critical); Today (Global Scale, IP Ubiquity, Cloud Connected)

Architectural Lessons: Protocols required for Scale & Restoration; Route First, Bridge only if Must; Redundancy, Build to Scale; Today: ?

Timeline (1960 to Future): ARPAnet, TCP/IP, X.25, RIP (BSD), ISDN, ATM, Frame-Relay, OSPF, BGP, Tag Switching, Metro-Ethernet, DMVPN, GRE, GETVPN, IPv6, Internet, 4G/LTE, SDWAN, NFV
The WAN Technology Continuum

[Figure: the same era table and technology timeline as the previous slide, now with the Today column's Architectural Lessons filled in]

Architectural Lessons: Protocols required for Scale & Restoration; Route first, Bridge only if must; Redundancy, Build to Scale; Today: Optimize for application experience, SDN delivers agility, Central policy enforcement
The WAN of Yesterday, Today and Tomorrow

• Backhauled Access: Data Center reached over MPLS only; SaaS, IaaS and Extranet traffic goes through the Data Center
• Distributed Access: Data Center over MPLS plus Internet from the site
• Optimized Access: MPLS plus Internet, with Cloud onRamp or SAE toward SaaS, IaaS and Extranet
Modern Hierarchical Global WAN Design

• Tier 1: Global IP/MPLS Core spanning the East Theater and West Theater
• Tier 2: In-Theater IP/MPLS Core serving the West Region and East Region
• Tier 3: Metro Service, Private IP Service and Public IP Service, with Internet Cloud access for Public, Voice/Video and Mobility traffic
Modern Hierarchical Global WAN Design

[Figure: repeat of the earlier Modern Hierarchical Global WAN Design diagram (Tier 1 Global IP/MPLS Core, Tier 2 In-Theater IP/MPLS Core with Private DCs and Co-Lo Centers, Tier 3 Campus / Branch on the SD-WAN Fabric over Secure Internet, Metro Service, MPLS and 4G/LTE, plus Secure Mobile users)]
WAN Architectures and Design Principles
Key Takeaways

• The goal is a simple, modular, hierarchical, structured design
• Business, technical, and physical requirements and constraints must all be considered
• Desired WAN availability and services have design implications
• Evolving technology is driving new WAN designs
• Leveraging Internet, Cloud, and CoLo is now fundamental
One final time, the Main Message:

Foundational Design is key to WAN Architecture
Cisco SD-WAN #CLEMEA Tectorials
• TECCRS-2014 SD-WAN Technical Deep Dive (8 Hours)
• TECRST-2191 SD-WAN design, deploy and best practices (4 Hours)
• TECCRS-3006 ENFV Deep Dive and Hands on Lab (8 Hours)

SD-WAN #CLEMEA Breakouts
[Figure: session schedule grid; session IDs and titles recovered below, times omitted where the layout could not be reconstructed]
• BRKRST-2791 Building and using Policies with Cisco SD-WAN
• BRKRST-2377 SD-WAN Security
• BRKRST-2560 SD-Wan Machine Analytics, Machine Learnings and IA
• BRKCRS-1579 SD-WAN Powered by Meraki
• BRKRST-2096 SD-Wan Proof Of Concept
• BRKRST-2095 SD-WAN Routing Migrations
• BRKRST-2093 Deploy, monitor and troubleshoot
• BRKRST-2091 SD-WAN Datacenter and Branch Integration Design
• BRKRST-2041 WAN Architecture and Design Principal
• BRKARC-2012 ENFV Architecture, Configuration and troubleshooting
• BRKRST-2559 3 Steps to design SD-WAN On Prem
• BRKCRS-2110 Delivering Cisco Next gen SD-WAN with Viptela
• BRKRST-3404 How to choose the correct branch device
• BRKRST-2097 Conquer the Cloud with SD-WAN
• BRKOPS-2826 SD-WAN as Managed Services
• BRKCRS-2113 Cloud Ready WAN for IAAS and SAAS with Cisco SD-WAN
• Keynotes and the Cisco Live Celebration
Call to Action

As you leave ask yourself these three questions:

• Is it a simple design?
• What are the critical business requirements?
• Are you leveraging the available technology?

Complete your online session survey

• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.
Continue your education

• Demos in the Cisco campus
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions
Thank you
