Vedran Franjić, System Engineer Sales, 28.03.2019
Delivering Cisco Next Generation SD-WAN with Viptela (Cisco SD-WAN)
Agenda
• Introduction
• SD-WAN architecture
• SD-WAN fabric
• Deployment options
• Use Cases
• Licensing
The WAN Has Changed
[Diagram: the traditional WAN connected branch users over MPLS to the data center; today branch users, devices and things reach the data center, multi-cloud and SaaS over MPLS and Internet (INET) transports]
Traditional and Legacy Architectures
• EXPENSIVE
• DIFFICULT TO SUPPORT: device-by-device configurations, complex management silos, slow truck rolls required for changes
• INFLEXIBLE: static network
• CONNECTIVITY-CENTRIC: incomplete user experience, not application-centric
• POORLY INTEGRATED: conflicting policies and configurations, risk from accidental interactions and vulnerabilities
• Cannot scale to address changing needs
Cisco SD-WAN Architecture Overview
[Diagram: data center, campus, branch and SOHO sites connected over 4G/LTE, MPLS and Internet transports; vManage, vSmart, the vBond orchestrator (PnP, APIs, Cloud) and vAnalytics sit above the WAN Edge layer]
• Control Plane = vSmart (containers or VMs)
• Data Plane = WAN Edge (vEdge, Cisco ISR/ASR/ENCS, whitebox)
• Management = vManage (multi-tenant or dedicated)
• Orchestration = vBond
vBond is SD-WAN Orchestrator
• Orchestrates connectivity between management, control and data plane
• Serves as the first point of authentication
• Requires public IP Address, provides NAT-T
• All other components need to know the vBond IP or FQDN
• Authorizes all control connections (white-list model)
vManage is the NMS for SD-WAN
• Single-tenant or Multitenant
• Single pane of glass for Day 0, Day 1 and Day 2 operations
• Enables centralized provisioning and simplifies changes
• Supports REST API, CLI, Syslog, SNMP, NETCONF
• Provides real time alerting
• Role Based Access Control
vSmart is Centralized Control Plane
• Implements control plane policies, such as service chaining, traffic engineering and per-VPN topology
• Reduces complexity of the entire network
• Establishes peering with all WAN Edges, distributes connectivity and security context
WAN Edge is your SD-WAN Data Plane
• Provides secure data plane with remote WAN Edge routers
• Establishes secure control plane with vSmart controllers
• Implements data plane and application aware routing policies
• Exports performance statistics
• Physical or Virtual form factor
Single Pane Of Glass Operations
vManage (Operations Simplicity and Visibility) and vAnalytics (Rich Analytics)
• Cloud-first management and orchestration
• Zero-touch provisioning
• Troubleshooting with simplified workflows
• Advanced analytics and assurance
Unified Control Plane
• Overlay Management Protocol (OMP)
• Runs between WAN Edge routers and vSmart controllers and between the vSmart controllers
  - Inside authenticated TLS/DTLS connections
• Advertises control plane context and policies
• Dramatically lowers control plane complexity and raises overall solution scale
[Diagram: WAN Edge routers peering with vSmart controllers over OMP]
Note: WAN Edge routers need not connect to all vSmart Controllers
SD-WAN: O(n) control complexity vs Traditional: O(n^2) control complexity
Data Plane Establishment
[Diagram: WAN Edge routers run OMP sessions to vSmart and build IPsec tunnels between each other]
• Local routes: local prefixes (OSPF/BGP), SD-WAN tunnel endpoints (TLOCs)
• Security context: IPsec encryption keys
• Routes and encryption keys are advertised to vSmarts in OMP updates
• vSmarts advertise routes and encryption keys to WAN Edges in OMP updates
• SD-WAN fabric between tunnel endpoints: IPsec tunnels over the INET and MPLS transports, identified by Transport Locators (TLOCs)
• Fabric Routing: <prefix> via
Data Plane Liveliness and Quality
[Diagram: BFD sessions inside the SD-WAN tunnels between all WAN Edge routers]
• Bidirectional Forwarding Detection (BFD)
• Path liveliness and quality measurement
  - Up/Down, loss/latency/jitter, IPsec tunnel MTU
• Runs between all WAN Edge routers in the topology
  - Inside SD-WAN tunnels
  - Across all transports
  - Operates in echo mode
  - Automatically invoked at SD-WAN tunnel establishment
  - Cannot be disabled
• Uses hello (up/down) interval, poll (app-aware) interval and multiplier for detection
  - Fully customizable per WAN Edge, per transport
Common Data Plane Communication
[Diagram: four traffic-distribution modes across the INET and MPLS transports]
• Per-Session Load Sharing, Active/Active (default)
• Per-Session Weighted, Active/Active (device configurable)
• Application Pinning, Active/Standby (policy enforced)
• Application Aware Routing, SLA-compliant, SLA measured on each transport (policy enforced)
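Added example, not part of the slides: a Python sketch of the decision behind application pinning and application-aware routing. The SLA classes, the per-transport BFD measurements (up/down, loss, latency, jitter as the BFD slide lists them) and the transport names are constructed for the example.

```python
# Constructed SLA classes (thresholds per application): loss in %, latency and jitter in ms.
SLA_CLASSES = {
    "voice": {"loss": 2.0, "latency": 150, "jitter": 30},
    "bulk": {"loss": 10.0, "latency": 500, "jitter": 100},
}

# Constructed per-transport BFD measurements: up/down state plus loss/latency/jitter.
BFD_STATS = {
    "MPLS": {"up": True, "loss": 0.5, "latency": 40, "jitter": 5},
    "INET": {"up": True, "loss": 3.0, "latency": 90, "jitter": 25},
    "LTE": {"up": True, "loss": 8.0, "latency": 200, "jitter": 60},
}


def meets_sla(stats, sla):
    """A transport is usable for an SLA class only if BFD reports it up
    and every measured metric is within the class thresholds."""
    return stats["up"] and all(stats[k] <= sla[k] for k in sla)


def compliant_paths(app, stats=BFD_STATS, classes=SLA_CLASSES):
    """Application-aware routing: the transports that currently meet the app's SLA."""
    return [t for t, s in stats.items() if meets_sla(s, classes[app])]


def select_paths(app, preferred=None, stats=BFD_STATS, classes=SLA_CLASSES):
    """Forwarding decision for one application:
    - among SLA-compliant transports, use the preferred one if it is compliant,
      otherwise load-share across all compliant transports;
    - if nothing is compliant, fall back to the live transport with the lowest
      loss (then lowest latency) so traffic keeps flowing best-effort."""
    ok = compliant_paths(app, stats, classes)
    if ok:
        return [preferred] if preferred in ok else ok
    live = [t for t, s in stats.items() if s["up"]]
    return [min(live, key=lambda t: (stats[t]["loss"], stats[t]["latency"]))] if live else []


def pin_application(active, standby, stats=BFD_STATS):
    """Application pinning (active/standby): stay on the active transport while
    BFD reports it up, fail over to the standby otherwise."""
    return active if stats[active]["up"] else standby
```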
SD-AVC
[Diagram: the SD-AVC Controller runs in vManage; cEdge routers in the branch run the NBAR2 agent, send sensor data to the controller and receive Application Rule Pack updates]
• SD-AVC Controller
  - Application signature updates
  - Connectors to external service (O365)
  - Custom-app definition
Cloud onRamp for SaaS with SD-AVC:
1 Learn O365 IP networks
2 Distribute O365 IP networks
3 First-packet match O365
4 First-packet steer O365
Controllers’ Deployment Models
• Enterprise IT deploys vManage, vSmart and vBond in a private cloud
• MSP Ops Team deploys vManage, vSmart and vBond in the MSP cloud
• Cisco Cloud Ops deploys vManage, vSmart and vBond in the Cisco cloud
Deploying Controllers – Options
• On-premise / SP hosted: ESXi or KVM on a physical server; vManage, vSmart and vBond as VMs or containers
• Cloud hosted: AWS or Azure; vManage, vSmart and vBond as VMs or containers
Controller Scale
vManage:
• Validated scale: 2,000 devices per single instance
• Max production deployment: 6 vManage instances in a cluster
vSmart:
• Validated scale: 5,400 connections per single vSmart
• Max production deployment: 20 vSmarts
vBond:
• Validated scale: 1,500 connections per single vBond
• Max production deployment: 6 vBonds
SD-WAN Transition Strategy
[Diagram: staged migration of Site A and Site B from non-SD-WAN to SD-WAN over MPLS and Internet; once both ends are SD-WAN, the fabric builds secure tunnels between the sites and the data center across INET and MPLS]
High Availability and Redundancy
• Network/Headend Redundancy: MPLS and INET headends at the data center
• Control Redundancy: multiple vSmart Controllers, control and data plane
• Site Redundancy: VRRP, OSPF/BGP
• Transport Redundancy: INET and MPLS
Cisco SD-WAN Platform Options
Pureplay SD-WAN (vEdge):
• vEdge 100: 100 Mbps, 4G LTE & WiFi
• vEdge 1000: 1 Gbps, fixed
• vEdge 2000: 10 Gbps, modular
• vEdge 5000: 20+ Gbps, modular
SD-WAN with Services:
• ENCS 5100, ENCS 5400: virtualization
• ISR 1000, ISR 4000, ASR 1000: modular integrated services, high-performance with redundancy
Further slide captions: Next-gen Performance, Flexibility, Public and Private Clouds
Common Enterprise Deployment Use Cases
• Critical Application SLA
• SD-WAN Security
• MultiCloud onRamp for IaaS and SaaS
• Zero Touch Provisioning
• Regional Deployment
Critical Applications SLA
Forward Error Correction (FEC)
[Diagram: the sender XORs data packets 1–4 into a parity packet P and sends all of them with an FEC header over the SD-WAN tunnel; the receiver XORs the packets that arrived with P to rebuild the missing one]
• Protects against packet loss
• Protocol (TCP/UDP) agnostic
• Supports multiple transports
• Can be invoked dynamically
Packet Duplication
[Diagram: the sender transmits each of packets 1–4 over two SD-WAN tunnels; the receiver keeps the first copy of each packet and discards the duplicate]
• Protects against packet loss
• Protocol (TCP/UDP) agnostic
• Operates over multiple transports
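Added example, not from the slides, for both loss-protection mechanisms above: XOR-parity FEC recovering at most one lost packet per block, and packet duplication over two tunnels with receiver de-duplication. The packet contents, the drop pattern and the tunnel names are constructed; the block assumes equal-length packets (a real sender pads them) and carries the sequence number and parity flag as the FEC header would.

```python
from functools import reduce

# Constructed sample block of four equal-length payloads (the slide's packets 1-4).
PACKETS = [b"pkt1-payload", b"pkt2-payload", b"pkt3-payload", b"pkt4-payload"]


def xor_parity(block):
    """XOR equal-length packets byte by byte into one parity packet P."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*block))


def fec_encode(block):
    """Sender: data packets plus parity P, each tagged (seq, is_parity) like an FEC header."""
    return [(i, False, p) for i, p in enumerate(block)] + [(len(block), True, xor_parity(block))]


def fec_decode(received, block_size):
    """Receiver: return the data packets in order, rebuilding at most one lost
    packet as the XOR of the survivors and P; None if the block is unrecoverable."""
    data = {seq: payload for seq, is_parity, payload in received if not is_parity}
    parity = next((payload for _, is_parity, payload in received if is_parity), None)
    missing = [i for i in range(block_size) if i not in data]
    if len(missing) == 1 and parity is not None:
        data[missing[0]] = xor_parity(list(data.values()) + [parity])
    elif missing:
        return None  # two or more losses (or a lost P) exceed single-parity FEC
    return [data[i] for i in range(block_size)]


def duplicate_send(packets):
    """Sender: emit every (seq, payload) on both tunnels, here INET and MPLS."""
    tagged = list(enumerate(packets))
    return {"INET": list(tagged), "MPLS": list(tagged)}


def dedup_receive(inet, mpls):
    """Receiver: keep the first copy of each sequence number, drop the duplicate."""
    seen = {}
    for seq, payload in inet + mpls:  # arrival order simplified: INET copies first
        seen.setdefault(seq, payload)
    return [seen[seq] for seq in sorted(seen)]
```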
Application Aware Routing
MultiCloud onRamp for IaaS
[Diagram, Using Marketplace (DIY): remote site, branch and campus reach the compute VPC/VNET in the cloud data center across the SD-WAN fabric]
[Diagram, Fully Automated: remote site, branch and campus reach the compute VPCs/VNETs in the cloud data center through a gateway VPC/VNET across the SD-WAN fabric]
MultiCloud onRamp for SaaS
[Diagram, Quality Probing: the remote site measures loss/latency over its ISP1 and ISP2 direct paths and over MPLS via the regional hub/CoLo/DC, which probes its own ISP1 and ISP2; home/mobile users are shown as well]
Secure Branch - Firewall
[Diagram: branch/campus with SD-WAN and application firewall/IPS/URL filtering; Cisco Umbrella as secure Internet gateway; unified access security in the data center/private cloud; IaaS; Internet/SaaS]
Secure Segmentation
• Security Zoning
• Compliance
• Guest Wi-Fi
• Multi-Tenancy
• Extranet
Per-VPN Topology: Full-Mesh, Hub-and-Spoke, Partial Mesh, Point-to-Point
[Diagram: VPN 1, VPN 2 and VPN 3 carried between WAN Edges inside the SD-WAN IPsec tunnel]
Branch – SD-WAN Security
[Diagram: WAN Edge with VPN1 giving guest and employee users direct cloud access to cloud applications and VPN2 carrying traffic to data center applications; vManage holds the control and policy elements; AMP in 2019]
• Use case: Guest Services
• Use case: Industry Compliance
• Use case: Cloud and DIA
Security functions shown per use case: DNS/web layer security, Firewall, IPS, URL Filtering
ZTP – New cEdge Appliance
Assumption:
• DHCP on Transport Side (WAN)
• DNS to resolve devicehelper.cisco.com*
* Factory default config
[Diagram: the new cEdge appliance reaches the PnP Server and completes full registration and configuration in steps 1–5]
Regional deployment
[Diagram: regions Split, Zagreb and Osijek, each with INET and MPLS transports, connected over the public Internet; full/partial mesh within Split and Osijek, hub and spoke in Zagreb]
How to Choose?
License tiers: Cisco DNA Essentials, Cisco DNA Advantage, Cisco DNA Premier
1 Identify license tier
2 Pick license term
3 Select bandwidth
4 Choose on premises or cloud managed
5 Determine platform for future scale