Delivering Cisco Next Generation SD-WAN with learning Journey at Cisco Live Monday Tuesday Wednesday Thursday Friday BRKCRS-2110 Delivering Cisco Next Generation SD-WAN with Viptela

Delivering Cisco Next Generation SD-WAN with Viptela

David Klebanov, Engineer, Technical Marketing

Nikolai Pitaev, Engineer, Technical Marketing

BRKCRS-2110

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space

How

cs.co/ciscolivebot#BRKCRS-2110


“What’s in it for me?"

In this session Out of scope

Introduction and Design, Building

Blocks

Detailed explanation how it works

under the hood

Use Cases, Operation and Security Troubleshooting and debugging

Live Demo during the session Step-by-step Migration to SD-WAN


Steve Jobs2003

“Design is not just what it looks like and feels like. Design is how it works.”

BRKCRS-2110 5


Why should I care?Real life examples

80 percent reduction in cost/Mbps for a US insurance provider.

$20 million reduction in OpEx over three years for a retailer.

5-fold improvement in Office 365 performance for an energy provider

4-fold improvement in application latency for a healthcare provider.

M&A integration within 2 weeks for a Fortune 50 healthcare provider.

Securely isolated 100+ business partners for a US manufacturer with more than 1000 sites.

6BRKCRS-2110

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 7BRKCRS-2110

Cisco SD-WAN Solution helps you to:

Reduce Cost

Operate Faster

Integrate Latest Cloud and Network Technologies

Key Message

SD-WAN learning Journey at Cisco Live

Monday Tuesday Wednesday Thursday Friday

BRKCRS-2110

Delivering Cisco Next Generation SD-WAN

with Viptela

BRKCRS-2111

Migration to Next-Gen SD-WAN

Architecture and solution

Migration and vQOE

Serviceability

BRKRST-2514

Next Gen SDWAN with application

acceleration/optimization

BRKRST-2557

SD-WAN and NFV Orchestration for Managed Service

Providers

BRKCRS-2112

Serviceability for Next Generation

SD-WAN

TECCRS-20004

Cisco SD-WAN Technical Deep Dive

Deep Dive

BRKCRS-2113

Cloud-Ready WAN for

IAAS and SAAS with

Cisco Next-Gen SD-

WAN

SP orchestration

• Introduction

• Architecture

• Use Cases

• Demo

• Conclusion

Agenda


Security and Compliance are critical areas and require us to

have the appropriate Segmentation, Policing, Access Controls and Visibility from end-to-end

Network Planning

I want to Simplify Deployments and AutomatePolicy Enforcement to ensure a Consistent and

Seamless Application Experience

Network Operations

I want to Centralized Policy Enforcement and

Assurance to Accelerate Time to Resolution

Network Manager

I need to Replace or Change existing Infrastructureand WAN Services to Lower Costs and Maximize

Investments

Security Operations

Customer Requirements


Traditional and Legacy Architecturescannot scale to address changing needs

EXPENSIVE

Hardware-centric

Fixed capacity

DIFFICULT TO SUPPORT

Discrete device-by-device

configurations

Complex management silos

Require slow truck

rolls for changes

INFLEXIBLE

Tightly controlled, client server model

Historical vs predictive management

CONNECTIVITY-CENTRIC

Fragmented, incomplete user experience

Not application-centric

POORLY INTEGRATED

Conflicting policies and configurations

Inflexible and static

Risk from accidental interactions and vulnerabilities


Cisco SD-WAN is an integrated part of our Digital Network Architecture (DNA)

Cisco DNA™ is a complete system for intent-based networking

Automation Assurance

Virtualization

DNA-ready physical and virtual infrastructure

Security

Cloud service management

SD-WAN Architecture


Cisco SD-WAN Architecture Overview

Data Center Campus Branch SOHO

4G/LTE

MPLS

Internet

Control Plane = vSmart(Containers or VMs)

Data Plane = vEdge(Physical or Virtual)

Management = vManage(Multi-tenant or Dedicated)

Orchestration = vBond

Analytics

vManage

vSmart

vEdge

vOrchestrator ZTP

API

14BRKCRS-2110

Cloud


vBond is SD-WAN Orchestrator

Orchestrates connectivity between management, control and data plane.

Serves as the first point of authentication.

Requires public IP Address.

All other components need to know the vBond IP or DNS.

Authorizes all control connections (white-list model).


vManage is your NMS for SD-WAN

Single pane of glass for Day 0, Day 1 and Day 2 operations.

Enables centralized provisioning and simplifies changes.

Supports REST API, CLI, Syslog, SNMP, NETCONF.

Provides real time alerting.


vSmart is centralized brain of the solution

Implements control plane policies, such as service chaining,

traffic engineering and segmentation per VPN topology.

Reduces complexity of the entire network.

Establishes peering with all vEdges and distributes

connectivity information.


vBond, vSmart and vManage are also known as Controllers.

Controllers can be deployed on-prem or on the cloud.

ESXi or KVM

Physical Server

vManage vSmart1 vSmart2vBond

AWS or Azure

vManage vSmart1 vSmart2vBond

On-Premise Hosted


vEdge is your SD-WAN data plane

Provides secure data plane with remote vEdge routers.

Establishes secure control plane with vSmart controllers.

Implements data plane and application aware routing policies.

Exports performance statistics.

Physical (100Mb, 1Gb, 10Gb, 20+Gb) or Virtual form factor.

SD-WAN Fabric


Cloud-Delivered Control

Enterprise IT

vManage

vSmart vBond

Private

Cloud

Deploy

MSP Ops Team

vManage

vSmart vBond

MSP

Cloud

Deploy

Cisco Cloud Ops

vManage

vSmart vBond

Viptela

Cloud

Deploy

BRKCRS-2110 21


• Overlay Management Protocol (OMP)

• TCP based extensible control plane protocol

• Runs between vEdge routers and vSmart

controllers and between the vSmart controllers- Inside TLS/DTLS connections

• Advertises control plane context and policies

• Dramatically lowers control plane complexity and

raises overall solution scalevSmart vSmart

vSmart

vEdge vEdge

Note: vEdge routers need not connect to all vSmart Controllers

Unified Control Plane

VS

SD-WAN Traditional

O(n) Control Complexity O(n^2) Control Complexity


OMP IPSec Tunnel

vEdge

vEdgevEdge

vEdge

vEdge

vSmart

Local TLOCs

(System IP, Color, Encap)

TLOCs advertised to

vSmarts in TLOC routes

vSmarts advertise TLOCs to

vEdges in TLOC routes

SD-WAN Fabric

with TLOCs as

tunnel endpoints

Data Plane Establishment

INETMPLS

Transport Locator (TLOC)

TLOCs

IPsec

IPsec

IPsec

BRKCRS-2110 23


Data Plane Liveliness and Quality

vEdge vEdge

vEdge

vEdge vEdge

• Bidirectional Forwarding Detection (BFD)

• Path liveliness and quality measurement

- Up/Down, loss/latency/jitter, IPSec tunnel MTU

• Runs between all vEdge and vEdge Cloud routers in

the topology- Inside IPSec tunnels

- Operates in echo mode

- Automatically invoked at IPSec tunnel establishment

- Cannot be disabled

• Uses hello (up/down) interval, poll (app-aware)

interval and multiplier for detection- Fully customizable per-vEdge, per-color


Common Data Plane Communication

Per-Session Load Sharing

Active/Active

INETMPLS

Default

Per-Session Weighted

Active/Active

INETMPLS

Device Configurable

Application Pinning

Active/Standby

INETMPLS

Policy Enforced

Application Aware Routing

SLA Compliant

INETMPLS

SLA SLA

Policy Enforced

BRKCRS-2110 25


OMP Update: Reachability – IP Subnets, TLOCs Security – Encryption Keys Policy – Data/App-route Policies

BGP, OSPF, Connected, Static

BFD

IPSec Tunnel

OMP

DTLS/TLS Tunnel

Transport1

Transport2VPN1

A

VPN2

B

VPN1

C

VPN2

D

BGP, OSPF, Connected, Static

vSmart

OMPUpdate

OMPUpdate

vEdge vEdge

Subnets Subnets

TLOCs TLOCs

ControlPoliciesOMP

UpdateOMP

Update

Fabric Operation Walk-Through

Common Enterprise Deployment Use Cases


Application Visibility and Recognition

Deep Packet Inspection

App Firewall

Traffic prioritization

Transport selection

vEdge Router

App 1

App 2

App 3,000

4GMPLS

INET

Branch

Campus

Cloud

Data Center

Small Office

Home Office

Data Center

BRKCRS-2110 28


Critical Applications SLA

Path1: 10ms, 0% loss, 5ms jitter



vManage App Aware Routing PolicyApp A path must have:

Latency < 150ms

Loss < 2%

Jitter < 10ms

vEdge Routers continuously

perform path liveliness and

quality measurements

Internet

MPLS

4G LTE

SD-WAN IPSec Tunnel

Remote Site Data CenterPath 2

Optimal Path MTU

TCP Optimization

BRKCRS-2110 29


Transport

(VPN0)

Service

(VPNn)

Out-of-band Management

(VPN512)

IF

• VPNs are isolated from each other, each VPN

has its own forwarding table

• Reachability within VPN is automatically

advertised by the OMP

IF,

Sub-IF

IF,

Sub-IF

IF,

Sub-IF

IF,

Sub-IF

vEdge VPNs and Security Zoning

Internet

MPLS

Untrusted Zone

Trust Zone

BRKCRS-2110 30


Secure Segmentation Security Zoning

Compliance

Guest Wi-Fi

Multi-Tenancy

Extranet

Full-Mesh Hub-and-Spoke Partial Mesh Point-to-Point

Per-VPN Topology

vEdgeVPN 3

VPN 1

VPN 2SD-WAN

IPSecTunnel

vEdge

BRKCRS-2110 31


4GMPLS

INET

L4-L7 Regional Secure Perimeter

Protected

Compute Resources

Regional Secure Perimeter

Firewalls

IDS/IPS/DLP

Service Chaining

• DDOS Mitigation • Malware/Virus Containment • Security Policy Compliance

Firewalls

IDS/IPS/DLP

Branch

Campus

Small Office

Home Office

Data Center

Cloud Data Center

BRKCRS-2110 32


ISP2

Cloud Applications

Which way is cloud?

1. Direct Internet Access

2. Regional Breakout

3. Data Center Backhaul

Data Center

Regional

Data Center

Remote Site

ISP1

SD-WAN

Fabric

1

2

3

MPLS

Viptela vEdge Router

User

BRKCRS-2110 33


Cloud onRamp for SaaSDirect Internet Access

Quality Probing

Regional

Data Center

Remote Site

ISP2

ISP1

SD-WAN

Fabric

Loss/

Latency

!

Data Center

• Detect application performance

through one or more Direct

Internet Access circuits

• vEdge routers chose best

performing path

- Per-Application, Per-VPN

• Automatic failover in case of

performance degradation

• Fully automated

BRKCRS-2110 34


Cloud onRamp for SaaSDirect Internet Access and Gateways

Remote Site

SD-WAN

Fabric

ISP2

ISP1

Loss/

Latency

!

Data Center

MPLS

Regional

Data Center

• Detect application performance through

DIAs and gateways

- Customer/SP owned and operated

- Security, performance, reliability

• vEdge routers chose best performing

path

- Per-Application, Per-VPN

• Automatic failover in case of

performance degradation

• Fully automated

Quality Probing

BRKCRS-2110 35


4GMPLS

INET

SOHO

Branch

Campus

Data Center

Cloud

Data Center

Cloud Security

• Best suited for cloud SaaS

applications

• Interoperates with Cloud onRamp

for SaaS

• Augments native fabric security

• Can co-exist with on-premise L4-L7

security modes

- VPN segmentation

BRKCRS-2110 36


SD-WAN and Public Cloud

Remote Site

SD-WAN

Fabric

Cloud

Data Center

Branch

Campus

VNET VNET

VNET VNET

VPC VPC

VPC VPC

How to provide security,

segmentation, QoS and

reliability to the cloud

workloads?

Viptela vEdge Router

BRKCRS-2110 37


Cloud onRamp for IaaSEnd-to-End SD-WAN

Remote Site

SD-WAN

Fabric

Branch

Campus

Cloud

Data Center

Compute

VPC/VNETCompute

VPC/VNET• vEdge Cloud routers are

instantiated in every VPC/VNET

- Marketplace

• End-to-end SD-WAN fabric

between sites and public cloud

- Multipathing, QoS and

segmentation

• Shortest-path to Public Cloud

BRKCRS-2110 38


Cloud onRamp for IaaSEnd-to-End SD-WAN

Remote Site

SD-WAN

Fabric

Branch

Campus

Cloud

Data Center

• Gateway VPC/VNET

- Customer/SP owned and

operated

- Security, performance,

reliability

• Easy deployment model

- No change to existing compute

VPCs/VNETs

• Full automated from vManage

- No marketplace

Compute

VPCs/VNETs

Gateway

VPC/VNET

BRKCRS-2110 39

Operations and Migration


Agile Operations

REST NETCONF Syslog Flow ExportSNMP

CLI Linux Shell

Power Tools

BRKCRS-2110 41


VRRP OSPF/BGP

OSPF/BGP

INET INETMPLSMPLS

INET

MPLS

Site

DataCenter

MPLS

INET

vSmart Controllers

Control

Data

Site Redundancy Transport Redundancy

Network/Headend Redundancy Control Redundancy

High Availability and Redundancy


SD-WAN Transition Strategy

SD-WAN Fabric Secure Tunnel

MPLS Internet

Non-

SDWAN

Non-

SDWAN SDWAN

SDWAN

Site B

Site A

Non-

SDWAN

Non-

SDWAN

Internet

Site B

Site A

MPLS

SDWAN

SDWAN

InternetMPLS

Site B

Site A

SDWAN

SDWAN

SDWAN

SDWAN

BRKCRS-2110 43


Customer Industry Challenge Solution

RetailHigh cost, slow change, limited

flexibility

60-70% cheaper broadband at high bandwidth, centralized

control, full visibility.

Financial

Needed more bandwidth and

guaranteed network uptime for a new

teller application

Dollar cost averaged the bandwidth cost down using a mix

of transport (MPLS, Broadband, LTE). Traffic now uses

the optimal network path to avoid downtime and

slowdowns.

Tech

Slow performance and MPLS outages

provided an expensive and poor user

experience

Monthly savings reduced the cost per Mbps by more than

80%. Diverse circuits improve the reliability of the global

network, with more than half of Agilent’s sites doubling

WAN redundancy.

Healthcare

With an MPLS contract renewal

approaching, Cigna wanted the

flexibility to change carriers without a

massive technology shift

Gained back control of its control plane and created the

Cigna Service Provider Agnostic Network.

Healthcare Security and high network cost

Satisfied strict security and audit requirements and

provided greater flexibility for partnerships and secure

clinical solutions. Cost reductions with the removal of

remote site voice equipment and expensive PRIs, aging

WAN acceleration equipment and maintenance.

Energy

Scale to support evolving field

operations, and support cloud migration

and application SLAs

Provided 30-60% savings in overall bandwidth costs.

Enabled faster response to acquisitions, divestitures and

policy changes.

Proven Solution Across Multiple VerticalsFor Your

Reference

Demo

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 46

Demo Summary

Demo 1: SD-WAN @ dCloud

Demo 2: App-aware routing with vEdge Cloud running on ENCS (Enterprise Network Compute System)

BRKCRS-2110


dCloud provides huge catalog of free demos, training and sandboxes for every Cisco architecture in the cloud

310+ labs for Customers, Partners and Cisco Employees.

From scripted demos to fully customizable labs with administrative access!

47BRKCRS-2110


dCloud SD-WAN Demo covers 6 cases

Scenario 1 – An overview of the SD-WAN vManage dashboard and Zero Touch Provisioning (ZTP).

Scenario 2 – Hybrid WAN connectivity over multiple WAN transport connections. Using IP as transport to

create flexible data plane topologies from full-mesh to Hub-n-Spoke to any arbitrary topologies.

Scenario 3 – business defined insertion of services (FW, IPS, IDS, etc.) utilizing centralized policies.

Scenario 4 – simplicity of using application firewalling policies centrally. Various applications and/or flows

would not be allowed between sites. Simple centralized policy activation would enforce such policies to

any site on the overlay.

Scenario 5 - Application aware routing along with arbitrary topology networking to show the business

policy driven view of application classification, connectivity and QoS provisioning.

Scenario 6 – Policy driven Data Center preferences for different branches. A subset of branches could

prefer one Data Center over the other as a regional Internet exit.

For YourReference


Demo 2: vEdge Cloud on ENCS

ENCS541212-CoreENCS5408

8-CoreENCS54066-Core

ENCS 5104 ENCS 5406 ENCS 5408 ENCS 5412

CPU 4-core, 3.4 GHz 6-core, 1.9GHz 8-core, 2.0GHz 12-core, 1.5GHz

PoE No No 200W 200W

Capacity Guidance 1-2 VNF 2-3 VNFs 3-4 VNFs 4-5 VNFs

ENCS51044-Core

BRKCRS-2110 49


BR2-vEdge1

ENCS 5412

NFVIS

Transport 1

public-internetTransport 2

mpls

BR2-ISRv1

LAN1/0

BR2-FW1

vBranch real life example

Branch 2Gi0/0 T1

Connection• Dual-homed

• GE and T1 interfaces

VNFs:• vEdge Cloud

• ISRv

• Firepower Firewall

Outlook and Summary


Integration Roadmap

Phase 1No Integration

Platform: • As-is

Management:• vManage

Support and Scale the

current sales motion

Deplo

yment

Scenarios

Benefits

Deta

ils

Phase 3Management Integration

Management:• Cloud hosted DNA Center integrates

vManage capabilities

• Full DNA Center capabilities (Assurance,

Integrated workflows for SD-Access and

SD-WAN)

Deliver end-to-end experience

with full DNA integration

vEdge ISR4K + vEdge SW

DNA

Center

+ SD-WAN

vEdge

vManage

vSmart

Phase 2Platform Integration

Platform: • vEdge capabilities integrated into IOS-XE

Management:• vManage for SD-WAN capabilities on IOS-

XE

Viptela SD-WAN on

strategic ISR platform

ISR4K + vEdge SW

vManage

vSmart

vEdge


Innovation Roadmap (FY 2018)Key Areas Of Focus

Application QOE NaaS

Operational Simplicity

& Analytics

Cloud Networking

Security Integration


Video from https://www.cisco.com/c/en/us/solutions/enterprise-networks/sd-wan/index.html

Key TakeawaysSummary

https://www.cisco.com/c/en/us/solutions/enterprise-networks/sd-wan/index.html


Cisco SD-WAN Solution helps you to:

Reduce Cost

Operate Faster

Integrate Latest Cloud and Network Technologies

Key Message


Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space

How

cs.co/ciscolivebot#BRKCRS-2110


• Please complete your Online Session Evaluations after each session

• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.

Complete Your Online Session Evaluation

http://ciscolive.com/Online

http://www.ciscolive.com/global/on-demand-library/


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Tech Circle

• Meet the Engineer 1:1 meetings

• Related sessions

Thank you

Documents

Delivering Cisco Next Generation SD-WAN with learning Journey at Cisco Live Monday Tuesday Wednesday Thursday Friday BRKCRS-2110 Delivering Cisco Next Generation SD-WAN with Viptela