
Deep Dive Cisco SDWAN
Jean-Marc Barozet, Principal Engineer – SDWAN/NFV Technical Marketing, December 2017


Post on 22-May-2020



© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

AGENDA
• Introduction to Cisco SDWAN
• Solution Overview
• SDWAN Products
• Cisco SDWAN Overlay – 4 Primary Pillars
• Technology Deep-Dive (if interested in the details)
  - Components Bring Up (controllers and vEdge devices)
  - Fabric Operation
  - Segmentation and Service Insertion
  - Multicast
  - Application Experience and QoS
  - Cloud Adoption
  - High Availability and Redundancy
  - Policy Overview
• Operational Simplicity and Transparency
• Use Case and Deployment Models
• Pricing Structure
• Key Takeaways

Introduction to Cisco SDWAN


Network as a Platform for Reducing Cost and Complexity While Lowering Risk
Network Transformation for WAN: Uncompromised & Secure Experience Over Any Connection (DNA)

Common Business & IT Trends: Evolving WAN Situation
• Applications are moving to the Cloud (private and public)
• Internet edge is moving to the remote site
• Business mobile devices, BYOD and Guest Access expected to strain both the corporate LAN (WiFi) and WAN
• High bandwidth apps
[Figure: App Content – rich, dynamic, web-based; App Delivery – cloud, SaaS, virtualized; App Consumption – mobile, diverse devices]

SD-WAN Enterprise Grade Capabilities: Reducing Cost and Complexity for Agile IT
• Separation of management, control, data for scaling
• Redundant management—cloud or on premises
• Zero-touch provisioning in minutes, not days
• Full segmentation support for fast app deployment
• Choice of topologies with point-and-click
• Complete visibility from single pane of glass
Comprehensive and flexible to fit your business: physical secure routers or virtual secure routers; in-house IT or managed service; CAPEX with annual subscription or enterprise-based agreement.

[Figure: WAN challenges across Corporate Data Center, Campus, Branch, Small Office/Home Office and Cloud Data Center sites connected over MPLS, Internet and 4G/LTE – critical applications SLA, bandwidth oversubscription, path brownout, latency, path MTU changes, single link failure, all links failure, CPE device failure, cloud applications, application-aware topologies]

True Enterprise Class SDWAN
[Figure: three layers – APPLICATION POLICIES (per-segment topologies, cloud path, application SLA, secure perimeter, traffic engineering, transport hub, cloud accel); SERVICES DELIVERY PLATFORM (QoS, security, segmentation, service insertion, survivability, routing, multicast); TRANSPORT INDEPENDENT FABRIC over broadband, cellular and MPLS (zero touch, zero trust); analytics, monitoring and operations across all layers]

Architectural Constructs
• SOFTWARE DEFINED: True separation of control, data and management
• CLOUD: Cloud hosted and delivered
• APPLICATION AWARE: Visibility & SLA business intent policy enforcement
• SCALE AND FLEXIBILITY: True enterprise scale
• SECURITY: Ingrained authentication, encryption, segmentation, access controls & service chaining
• OPEN: for automation, orchestration, best-of-breed integration
Challenges addressed: application bandwidth requirements, cloud consumption, disjointed security, simplified operations, WAN flexibility, time to capability. Control back to the enterprise; enabling seamless transition from traditional WAN to SD-WAN.
[Figure: SECURE WAN FABRIC over broadband, 4G/LTE and MPLS – zero touch, zero trust]

Flexible Connectivity: Lower WAN Costs
• Leverage local Internet path for public cloud and Internet access
• Secure VPN for private and virtual public cloud access
[Figure: branch connected over MPLS, Internet and 3G/4G-LTE to private cloud, colocation and public cloud – LOWER COSTS]

Service Based Traffic Engineering: Service Insertion and Bandwidth Preservation
• Data Center WAN bandwidth is not “wasted”
• Firewall service is inserted into the overlay topology
• Security policy is enforced
[Figure: a user at Site A reaching an Internet app server. Without the virtual fabric, traffic hairpins through the Data Center over MPLS (wasted bandwidth). With the virtual fabric, a firewall VNF in a Regional DC is inserted into the overlay and applies the policy Allow UDP/5001, Deny UDP/5002 – REDUCE COMPLEXITY]

Application Centric Networking
[Figure: APPLICATION VISIBILITY – DPI, policy, SLA; service chain, transport type (broadband, 4G/LTE, MPLS), local/remote breakout, SLA, cloud]

Secure Segmentation
• End-to-end segmentation
• Local internet breakout
• Secure Cloud Gateway
[Figure: vEdge routers at Corporate Data Center, Campus, Branch, Small Office/Home Office and Cloud Data Center carrying VPN 1 to VPN 4 inside IPsec tunnels over MPLS, Internet and 4G/LTE – REDUCE RISK]

Cloud Ready WAN
• Optimized SaaS access and performance visibility from all branches
• Secure and resilient IaaS cloud-networking
[Figure: secure SD-WAN fabric connecting Data Center, Campus, Branch and Small Office/Home Office sites to cloud applications and a Cloud Data Center – BETTER USER EXPERIENCE]

Simplify WAN Management: Easier to Deploy and Manage
• Cloud-first management and orchestration
• Zero-touch provisioning
• Troubleshooting with simplified workflows
• Advanced analytics and assurance
[Figure: cloud-first management, analytics and assurance – LOWER COSTS]

From Managed WAN To SDWAN Network-as-a-Service
[Figure: SD-WAN cloud use-cases – users, devices and things across the WAN to DC, IaaS, SaaS and vDC, with cloud-delivered analytics; intent-based network infrastructure (DNA Center: analytics, policy, automation; intent, context, security, learning)]
0. Transport independent WAN fabric
1. Cloud delivered WAN with operational simplicity & analytics
2. Superior security architecture – cloud based & on-prem
3. Application QoE
4. End-point flexibility: physical or virtual; rich services or lite; branch, aggregation, cloud

Cisco Network-as-a-Service Solution Components: Service Provider Care-abouts
• An edge device that enables delivery of the solution as a physical or virtual branch offering (gray, white or black box; x86)
• A multi-tenant, cloud-native platform to orchestrate, provision, control and manage tenants (Cisco NG SDWAN; Virtual Managed Services (VMS); NSO + Core FPs)
• Transport independent fabric providing a secure scalable NG overlay (Internet, 4G LTE, MPLS)
• An infrastructure to deliver OTT value added services (UC, Security, AppEx, Analytics)
[Figure: multi-tenant control, management, orchestration and analytics; multi-tenant gateway to Data Center, IaaS, SaaS, 3rd party and cloud networking]

Solution Overview


Cisco SDWAN
[Figure: Orchestration Plane (vBond), Management Plane (vManage; multi-tenant or dedicated), Control Plane (vSmart; containers or VMs) and Data Plane (vEdge; physical or virtual) across Data Center, Campus, Branch and Home Office; OSS/BSS, NSO or VMS attach via API; secure control channel over INET, MPLS and 4G]

Solution Elements Functional Roles
• vBond orchestrator
  - Primary authenticator for all SDWAN components
  - Facilitates discovery of the control elements by the vEdge routers
  - Notifies vEdges of their public IP, if behind NAT
• vManage is the network management system, a single pane of glass, for the entire SD-WAN fabric
• vSmart controllers:
  - Distribute reachability and security information between the vEdge routers
  - Distribute data and app-route policies from vManage to vEdges. Enforce control policies.
  - Perform best-path calculation for non-ECMP routes and advertise best route to the vEdges (second best too, if configured)
• vEdge routers sit at the perimeter of an SD-WAN site and provide connectivity across the fabric. vEdge routers handle the transmission of data traffic.
• vEdge routers are offered as pre-integrated appliance or as a software-only virtual machine for ESXi, KVM, AWS and Microsoft Azure platforms.

Components
[Figure: the same plane diagram – vBond (Orchestration Plane), vManage (Management Plane), vSmart (Control Plane), vEdge (Data Plane); OSS/BSS, NSO or VMS via API; secure control channel over INET, MPLS and 4G]

Orchestration Plane – vBond
• Orchestrates connectivity
• First point of authentication
• Requires public IP address
• Facilitates NAT traversal
• All other components need to know the vBond IP or DNS information
• Authorizes all control connections (white-list model)
• Distributes list of vSmarts to all vEdges

Control Plane – vSmart
• Centralized brain of the solution
• Establishes OMP peering with vEdges
• Acts like route reflector
• Enables central control and central data policy creation and distribution: TE, service chaining, hub and spoke, partial or full mesh
• Orchestrates secure data plane connectivity between the edges

Data Plane – vEdge
• WAN edge router of the site
• Leverages traditional routing protocols like OSPF, BGP
• Applies policies on data plane traffic
• Establishes control plane (OMP) peering with vSmart
• Provides secure data plane
• Either hardware devices or software VNF support

Management Plane – vManage
• Centralized provisioning
• Centralized monitoring
• Simple graphical dashboard
• Supports: REST API, CLI, Syslog, SNMP, NETCONF

Multi-Tenant Orchestration Solution
[Figure: multi-tenant vManage and multi-tenant vBond; vContainer1 and vContainer2 serving Customer1, Customer2 and Customer3 vEdge routers]

Controllers
• On-premise: vManage, vSmart (VM) and vSmart (container) on a physical server running ESXi or KVM; vBond*
• Hosted: vManage, vSmart (VM), vSmart (container) and vBond on AWS or Azure
* Can be deployed as physical vEdge appliance

Solution Offering
[Figure: (1) gray, white or black box (x86) or cloud networking edge; (2) multi-tenant control, management, orchestration with analytics (VMS, NSO); (3) existing / home grown MNS services (e.g. UCaaS); (4) multi-tenant gateway to Internet, 4G/LTE, DC, IaaS, SaaS and 3rd party]

Cisco SD-WAN Platform Options: Providing for Flexibility in Deployment
Branch Services
• ISR 1000 – 200 Mbps; next-gen connectivity; performance flexibility
• ISR 4000 – up to 2 Gbps; modular; integrated service containers; compute with UCS E
• ASR 1000 – 2.5-200 Gbps; high-performance service w/ hardware assist; hardware & software redundancy
SD-WAN
• vEdge 100 – 100 Mbps; 4G LTE & wireless
• vEdge 1000 – up to 1 Gbps; fixed
• vEdge 2000 – 10 Gbps; modular
• vEdge 5000 (NEW) – ~30 Gbps; modular
Virtualization
• ENCS 5100 – up to 250 Mbps
• ENCS 5400 – 250 Mbps – 2 GB
Public Cloud

Overlay Management Protocol (OMP): Unified Control Plane
• TCP based extensible control plane protocol
• Runs between vEdge routers and vSmart controllers and between the vSmart controllers
  - Inside TLS/DTLS connections
• Advertises control plane context
• Dramatically lowers control plane complexity and raises overall solution scale
[Figure: vSmart controllers peered with each other and with vEdges]
Note: vEdge routers need not connect to all vSmart Controllers

Fabric Operation: Fabric Walk-Through
[Figure: vEdges A/B and C/D at two sites with VPN1 and VPN2 on the service side (BGP, OSPF, connected and static routes), joined over Transport1 and Transport2 by IPsec tunnels running BFD; each vEdge has a DTLS/TLS tunnel to vSmart carrying OMP; vEdges send OMP updates with their subnets and TLOCs, and vSmart returns OMP updates with subnets, TLOCs and policies]
OMP Update:
§ Reachability – IP Subnets, TLOCs
§ Security – Encryption Keys
§ Policy – Data/App-route Policies

Policy Framework: Centralized and Localized Policies
[Figure: vManage pushes device configuration over NETCONF/YANG to vSmart and vEdge. Localized policies live on the vEdge: local control policy (OSPF/BGP) and local data policy (QoS/mirror/ACL). Centralized policies live on vSmart and reach the vEdge over OMP: centralized control policy (fabric routing), centralized data policy (fabric data plane) and centralized app-aware policy (application SLA)]

Single Pane Of Glass Operations
• Operations simplicity and visibility
• Rich analytics

Cisco SDWAN Products


vEdge Platform Portfolio
• SOHO/SMB (100 M): vEdge-100 – Tunnels: 250, Routes: 25k, VPNs: 62+2 (dual LTE variant)
• Branch (1 G): vEdge-1000 – Tunnels: 1500, Routes: 128k, VPNs: 62+2
• Head-End Aggregation (10 G): vEdge-2000 – Tunnels: 6000, Routes: 125k, VPNs: 62+2
• Higher Capacity Aggregation (20 G+): vEdge-5000 – Tunnels: 6000, Routes: 128k, VPNs: 62+2
• NFV, vCPE (N x cores): vEdge-Cloud – Tunnels: 2500, Routes: 128k, VPNs: 62+2
• IaaS & Cloud Interconnect (N x cores): vEdge-Cloud – Tunnels: 2500, Routes: 128k, VPNs: 62+2

vEdge-1000 and vEdge-2000 Routers
vEdge 1000
§ 1 Gbps AES-256
§ 1RU, standard rack mountable
§ 8x GE SFP (10/100/1000)
§ TPM chip
§ 3G/4G via USB (or) Ethernet
§ Security, QoS
§ Dual power supplies (external)
§ Low power consumption
vEdge 2000
§ 10 Gbps AES-256
§ 1RU, standard rack mountable
§ 4x fixed GE SFP (10/100/1000)
§ 2 pluggable interface modules
  - 8 x 1GE SFP (10/100/1000)
  - 2 x 10GE SFP+
§ TPM chip
§ 3G/4G via USB (or) Ethernet
§ Security, QoS
§ Dual power supplies (internal)
§ Redundant fans

vEdge-100 Routers
vEdge 100
§ 100 Mbps AES-256
§ 5x 1000Base-T
§ TPM chip
§ Security, QoS
§ External AC PS
§ Kensington lock
§ Fan-less
§ 9” x 1.75” x 5.5”
§ GPS
vEdge 100m
§ 100 Mbps AES-256
§ 1RU
§ 5x 1000Base-T
§ 1x POE port
§ 2G/3G/4G LTE
§ Internal AC PS
§ 1x USB-3.0
§ TPM Board-ID
§ Kensington lock
§ Low power fan
§ GPS
vEdge 100mw
§ As vEdge 100m, plus 802.11a/b/g/n/ac

vEdge 5000: Campus and Data Center Edge
Platform capabilities:
• 4 Network Interface Module (NIM) slots
• Variety of NIM options: 8 x 1G, 4 x 10G, 2 x 40G
• Feature parity with Cisco vEdge 2000 platform

ENCS 5000 Series Portfolio
Models: ENCS 5104 (4-core), ENCS 5406 (6-core), ENCS 5408 (8-core), ENCS 5412 (12-core)
• ISRv + 2 core VNF; LTE on radar
• ISRv + 3 core VNF; LAN ports; NIM LTE, DSL, T1; HDD, SSD; RAID, HW crypto
• ISRv + 5 core VNF; PoE
• ISRv + 9 core VNF; PoE
Shipping now (Q3 CY17); NEW at CiscoLive 2017 Las Vegas

Network Functions Virtualization Infrastructure
[Figure: Network Functions Virtualization Infrastructure Software (NFVIS) on ISR 4000 + UCS E-Series, UCS C-Series, Enterprise Network Compute Systems (ENCS) and COTS; Orchestration and Management (MANO); VNFs: Virtual Router (ISRv), Virtual Router (vEdge), Virtual Firewall (ASAv), Virtual WAN Optimization (vWAAS), Virtual Wireless LAN Controller (vWLC), 3rd party VNFs]

vEdge Cloud Virtual Routers: Virtualized Branch or Cloud
• On-premise: vEdge Cloud VMs on a physical server running ESXi or KVM
• Hosted: vEdge Cloud VMs on AWS or Azure
VM throughput: 2x vCPU 500 Mb/s; 4x vCPU 1 Gb/s; 8x vCPU 1.5 Gb/s

Controllers: Cloud or On-Premise Delivered
• On-premise: vManage, vSmart (VM) and vSmart (vContainer) on a physical server running ESXi or KVM; vBond*
• Hosted: vManage, vSmart (VM), vSmart (vContainer) and vBond on AWS or Azure
* Can be deployed as physical vEdge appliance

Cisco’s Commitment
• Cisco is committed to Viptela’s solution and architecture
• Cisco is committed to the existing ISR 4K, ASR1K, ENCS, CSR, IWAN 2.x, and Meraki SD-WAN offerings.
• Cisco will commit significant engineering resources to bring next-generation SD-WAN solutions to market
• Cisco will address the broadest set of use cases to deliver successful partner and customer outcomes

Technology Deep Dive


Components Bring Up (Controllers and vEdges)


Zero Touch Provisioning: Plug-n-Play vEdge Secure Bring-up (Zero Trust)
[Figure: the administrator loads the vEdge list (white-list) and the vEdge configuration template into vManage; the installer connects the vEdge to network and power; the vEdge obtains an address via DHCP, presents its X.509 identity held in the TPM, reaches the ZTP server and then vBond and vSmart; identity and trust are established between the vEdge and the controllers]

vEdge and Controllers White-List
• Administrator adds controllers (vSmarts and vBonds) on the vManage
  - Can trigger CSR generation, forwarding to Symantec, retrieval and installation of signed CSR back into the controllers
• Controllers list is distributed by vManage to all the controllers
• Digitally signed vEdge list is provided by Viptela and it is uploaded into the vManage by the administrator
  - Downloadable from Viptela support page
• vEdge list is distributed by vManage to all the controllers
[Figure: the signed vEdge list and the administrator-defined controllers list are held by vManage, vSmart and vBond]

vEdge Appliance – Router Identity
• Each physical vEdge router is uniquely identified by the chassis ID and certificate serial number
• Certificate is stored in onboard Tamper Proof Module (TPM)
  - Installed during manufacturing process
  - Certificate is signed by Avnet root CA
  - Trusted by Control Plane elements
• Symantec root CA chain of trust is used to validate Control Plane elements
  - Alternatively, if used, Enterprise root CA chain of trust can be used to validate Control Plane elements
  - Can be automatically installed during ZTP
[Figure: device certificate in the TPM chip (installed during manufacturing); root chain in Viptela software]

vEdge Cloud – Router Identity
• OTP/Token is generated by vManage
  - One per (chassis ID, serial number) in the uploaded vEdge list
• OTP/Token is supplied to vEdge Cloud in Cloud-Init during the VM deployment
• vManage issues self-signed certificate for the vEdge Cloud post OTP/Token validation
  - vManage removes OTP to prevent reuse
• Symantec root CA chain of trust is used to validate Control Plane elements
  - Alternatively, if used, Enterprise root CA chain of trust can be used to validate Control Plane elements
  - Can be provided in Cloud-Init
[Figure: device certificate issued by vManage; root chain in Viptela software]

Controllers Identity
• Controller identity is provided by the Symantec issued certificate
  - Alternatively can use Enterprise CA. Requires Enterprise Root CA chain on all other controllers and vEdge routers
• Avnet Root CA chain is used to authenticate vEdge routers
• Viptela Root CA chain is used to authenticate vEdge Cloud routers
  - Provided by the CA running on each vManage server. Could be multiple.
• Symantec Root CA chain is used to authenticate other controllers
[Figure: device certificate issued by Symantec; Avnet and Symantec root chains in Viptela software; vEdge Cloud root chain issued by the vManage CA (could be multiple)]

Certificate-Based Trust
• Bi-directional certificate-based trust between all elements
  - Public or Enterprise PKI
• White-list of valid vEdges and controllers
  - Certificate serial number as unique identification
[Figure: the signed vEdge list and the administrator-defined controllers list shared by vEdge, vBond, vManage and vSmart]

Secure Control Channel: vEdge Routers (vBond)
1. Certificates are exchanged and mutual authentication takes place between vBond and vEdge over encrypted tunnel
2. vBond validates vEdge Router serial number and chassis ID against authorized vEdge white-list
3. vEdge Router validates vBond certificate organization name against locally configured one
4. Provisional DTLS tunnel is established between vBond and vEdge
5. vBond returns to vEdge a list of vSmart Controllers and vManage
6. vBond notifies vSmart and vManage of vEdge Router public IP address
7. Provisional DTLS tunnel between vBond and vEdge is terminated
[Figure: vEdge router and vBond over a provisional DTLS/TLS control tunnel; vBond holds the list of valid vEdge serial numbers and chassis IDs, the vEdge holds the configured org name; vBond passes the vSmart/vManage list to the vEdge and the vEdge public IP address to vSmart and vManage]

Secure Control Channel: vEdge Connection to vSmart Controller and vManage
1. Certificates are exchanged and mutual authentication takes place between vSmart, vManage and vEdge over encrypted tunnel
2. vSmart and vManage validate vEdge Router serial number and chassis ID against authorized vEdge white-list
3. vEdge Router validates vSmart and vManage certificate organization name against locally configured one
4. Permanent DTLS/TLS tunnel between vSmart, vManage and vEdge is established
[Figure: permanent DTLS/TLS control tunnels from the vEdge router to vSmart and vManage; each controller checks the vEdge serial number and chassis ID against the white-list, the vEdge checks the configured org name]
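The two admission checks that both bring-up sequences above share (white-list match on the controller side, organization-name match on the vEdge side), as an added example that is not Cisco or Viptela code. Certificate exchange and the DTLS/TLS tunnel are out of scope; the identity fields a peer would read from the presented certificate are passed in as plain dicts, and the white-list entries, organization name and addresses are constructed.

```python
"""Added example (not Cisco/Viptela code): the identity checks each side performs
during vEdge control-channel bring-up, run over constructed data. Certificate
exchange and the DTLS/TLS tunnel are out of scope; the fields a peer would read
from the presented certificate are passed in as plain dicts."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed signed vEdge list (white-list) as uploaded to vManage and pushed
# to every controller: entries are (chassis ID, certificate serial number).
VEDGE_WHITELIST = {
    ("VEDGE-CHASSIS-0001", "A1B2C3"),
    ("VEDGE-CHASSIS-0002", "D4E5F6"),
}


@dataclass
class Controller:
    role: str                      # "vBond", "vSmart" or "vManage"
    org_name: str                  # organization name in its certificate
    public_ip: str
    vsmarts: List[str] = field(default_factory=list)  # vBond only: list handed to vEdges
    vmanage: Optional[str] = None                     # vBond only


def controller_admits_vedge(identity: dict, whitelist: set) -> bool:
    """White-list check (step 2): the (chassis ID, serial) pair must match one
    entry. A valid serial presented with another chassis ID is refused."""
    return (identity.get("chassis_id"), identity.get("cert_serial")) in whitelist


def vedge_accepts_controller(controller_org: str, configured_org: str) -> bool:
    """Org-name check (step 3): the vEdge compares the organization name in the
    controller's certificate with the one in its own configuration."""
    return controller_org == configured_org


def vbond_bringup(identity: dict, configured_org: str, vbond: Controller,
                  observed_src_ip: str) -> Optional[dict]:
    """Provisional vBond exchange (steps 2-7). Returns what the vEdge learns
    before the provisional tunnel is torn down, or None if a check fails."""
    if vbond.role != "vBond":
        raise ValueError("bring-up must start at a vBond orchestrator")
    if not controller_admits_vedge(identity, VEDGE_WHITELIST):
        return None
    if not vedge_accepts_controller(vbond.org_name, configured_org):
        return None
    # Steps 5-6: the vEdge receives the controller list; the source address
    # vBond observed (post-NAT, if any) is what it reports as the vEdge public IP.
    return {"vsmarts": list(vbond.vsmarts), "vmanage": vbond.vmanage,
            "vedge_public_ip": observed_src_ip}


def permanent_sessions(identity: dict, configured_org: str,
                       controllers: List[Controller]) -> List[str]:
    """vSmart/vManage exchange: each controller repeats the white-list check and
    the vEdge repeats the org-name check; a permanent session is kept only with
    controllers that pass both. Returns the public IPs of those controllers."""
    accepted = []
    for c in controllers:
        if c.role not in ("vSmart", "vManage"):
            continue
        if not controller_admits_vedge(identity, VEDGE_WHITELIST):
            continue
        if not vedge_accepts_controller(c.org_name, configured_org):
            continue
        accepted.append(c.public_ip)
    return accepted


# Constructed topology (RFC 5737 documentation addresses)
VBOND = Controller("vBond", "ACME-SDWAN", "198.51.100.1",
                   vsmarts=["198.51.100.11", "198.51.100.12"], vmanage="198.51.100.20")
VSMART_1 = Controller("vSmart", "ACME-SDWAN", "198.51.100.11")
VSMART_2 = Controller("vSmart", "ACME-SDWAN", "198.51.100.12")
VMANAGE = Controller("vManage", "ACME-SDWAN", "198.51.100.20")
ROGUE = Controller("vSmart", "OTHER-ORG", "198.51.100.99")   # wrong org name
GOOD_VEDGE = {"chassis_id": "VEDGE-CHASSIS-0001", "cert_serial": "A1B2C3"}
MIXED_VEDGE = {"chassis_id": "VEDGE-CHASSIS-0001", "cert_serial": "D4E5F6"}  # valid serial, wrong chassis

if __name__ == "__main__":
    print("vBond:", vbond_bringup(GOOD_VEDGE, "ACME-SDWAN", VBOND, "203.0.113.7"))
    print("refused:", vbond_bringup(MIXED_VEDGE, "ACME-SDWAN", VBOND, "203.0.113.7"))
    print("permanent:", permanent_sessions(GOOD_VEDGE, "ACME-SDWAN",
                                           [VSMART_1, VSMART_2, VMANAGE, ROGUE]))
```

The point to notice is that the white-list match is on the pair, not on either field alone: a stolen serial number presented from a different chassis fails, and a controller with a certificate from the wrong organization is refused by the vEdge even though its certificate chains to a trusted root.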

Control Plane Sessions
• Secure channel to SD-WAN controllers (vSmart, vBond, vManage)
• Single extensible control plane
• Operates over DTLS/TLS authenticated and secured tunnels
• OMP – between vEdge routers and vSmart controllers and between the vSmart controllers
• NETCONF – provisioning from vManage
Session types shown in the figure:
• vEdge to vManage: DTLS or TLS; Viptela primitives, NETCONF; permanent; single session
• vEdge to vBond: DTLS only; Viptela primitives; temporary
• vEdge to vSmart: DTLS or TLS; Viptela primitives, OMP; permanent; 1 session / vSmart / TLOC
• DTLS only; Viptela primitives; permanent; multiple sessions (peer not labelled in the extracted figure)

Firewall Ports – DTLS
[Figure: vEdge – firewall – vEdge; vEdge UDP ports 12346 (first port used) and 12346, 12366, 12386, 12406, 12426; controllers vBond – IP1, vSmart – IP1, vSmart – IP2, vManage – IP1. Red signifies primary protocol or first port used]
• vBond IPs are not elastic; it is recommended to permit UDP/12346 to/from any from the vEdge.
• vEdges can port hop to establish a connection; it is recommended to permit all 5 UDP ports inbound to all vEdges
vSmart and vManage UDP ports per core: Core0 - 12346, Core1 - 12446, Core2 - 12546, Core3 - 12646, Core4 - 12746, Core5 - 12846, Core6 - 12946, Core7 - 13046
The vManage NMSs and vSmart controllers can run on a virtual machine (VM) with up to eight virtual CPUs (vCPUs). The vCPUs are designated as Core0 through Core7. Each core is allocated separate base ports for control connections.
vBond orchestrators do not support multiple cores. vBond orchestrators always use DTLS tunnels to establish control connections with other Viptela devices, so they always use UDP. The UDP port is 12346.
Default – no port offset configured and DTLS

Firewall Ports – TLS
[Figure: vEdge – firewall – vEdge; vEdge UDP ports 12346 (first port used) and 12346, 12366, 12386, 12406, 12426; vBond – IP1 over UDP; vSmart – IP1, vSmart – IP2 and vManage – IP1 over TCP. Red signifies primary protocol or first port used]
• vBond IPs are not elastic; it is recommended to permit UDP/12346 to/from any from the vEdge.
• vEdges can port hop to establish a connection; it is recommended to permit all 5 UDP ports inbound to all vEdges
vSmart and vManage TCP ports per core: Core0 - 23456, Core1 - 23556, Core2 - 23656, Core3 - 23756, Core4 - 23856, Core5 - 23956, Core6 - 24056, Core7 - 24156
Default – no port offset configured and TLS
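The port arithmetic behind the DTLS and TLS firewall slides above, and the permit rules it implies, as an added example that is not Cisco or Viptela code. The base ports (12346 UDP, 23456 TCP), the 100-per-core step and the five hop ports 20 apart are the slides' values; the `port_offset` parameter models the port offset the slides leave unconfigured and assumes the offset is simply added to each base port (default 0, matching the slides); the controller names and addresses are constructed.

```python
"""Added example (not Cisco/Viptela code): control-connection port arithmetic
and the firewall rule set it implies, built from the two firewall-port slides.
Base ports and the per-core and port-hopping steps are the slides' values; the
port_offset parameter models the 'port offset' the slides leave unconfigured
(default 0) and assumes the offset is simply added to each base port."""
from typing import Dict, List, Tuple

DTLS_BASE = 12346    # UDP base port, Core0, DTLS (also the only vBond port)
TLS_BASE = 23456     # TCP base port, Core0, TLS
CORE_STEP = 100      # Core1..Core7 each add 100 to the base port
HOP_STEP = 20        # vEdge port hopping: five UDP ports, 20 apart
HOP_COUNT = 5
MAX_CORES = 8

Rule = Tuple[str, str, str, str, int]   # (action, proto, src, dst, dport)


def controller_port(transport: str, core: int, port_offset: int = 0) -> int:
    """Port on which a given vSmart/vManage core accepts control connections."""
    if transport not in ("dtls", "tls"):
        raise ValueError("transport must be 'dtls' or 'tls'")
    if not 0 <= core < MAX_CORES:
        raise ValueError("cores are numbered Core0..Core7")
    base = DTLS_BASE if transport == "dtls" else TLS_BASE
    return base + CORE_STEP * core + port_offset


def vedge_hop_ports(port_offset: int = 0) -> List[int]:
    """The five UDP ports a vEdge may hop across (and must accept inbound)."""
    return [DTLS_BASE + port_offset + HOP_STEP * i for i in range(HOP_COUNT)]


def firewall_rules(controllers: List[Dict], vedge_port_offset: int = 0) -> List[Rule]:
    """Permit rules for a firewall between the vEdges and the controllers.
    Each controller dict has keys: name, ip, role, transport, cores."""
    rules: List[Rule] = []
    for c in controllers:
        if c["role"] == "vBond":
            # vBond: single core, DTLS only, so UDP/12346 regardless of transport
            rules.append(("permit", "udp", "vedge", c["ip"], DTLS_BASE))
            continue
        proto = "udp" if c["transport"] == "dtls" else "tcp"
        for core in range(c["cores"]):
            rules.append(("permit", proto, "vedge", c["ip"],
                          controller_port(c["transport"], core)))
    # Inbound to every vEdge: all five hop ports, because the vEdge may hop
    for port in vedge_hop_ports(vedge_port_offset):
        rules.append(("permit", "udp", "any", "vedge", port))
    return rules


# Constructed controller set (RFC 5737 documentation addresses)
CONTROLLERS = [
    {"name": "vbond-1", "ip": "198.51.100.1", "role": "vBond", "transport": "dtls", "cores": 1},
    {"name": "vsmart-1", "ip": "198.51.100.11", "role": "vSmart", "transport": "dtls", "cores": 2},
    {"name": "vsmart-2", "ip": "198.51.100.12", "role": "vSmart", "transport": "tls", "cores": 2},
    {"name": "vmanage-1", "ip": "198.51.100.20", "role": "vManage", "transport": "tls", "cores": 4},
]

if __name__ == "__main__":
    for rule in firewall_rules(CONTROLLERS):
        print("%s %s %s -> %s:%d" % rule)
```

A rule set that only opens Core0's port will break as soon as a controller is given more vCPUs, which is why the rules are generated from the core count rather than hard-coded; the inbound hop ports stay UDP even when the controllers run TLS, because the vEdge still reaches vBond over DTLS.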

Fabric Operation


Viptela Fabric Terminology
• Overlay Management Protocol – Control plane protocol distributing reachability, security and policies throughout the fabric
• Transport Locator (TLOC) – Transport attachment point and next hop route attribute
• Color – Control plane tag used for IPSec tunnel establishment logic
• Site ID – Unique per-site numeric identifier used in policy application
• System IP – Unique per-device (vEdge and controllers) IPv4 notation identifier. Also used as Router ID for BGP and OSPF.
• Organization Name – Overlay identifier common to all elements of the fabric
• VPN – Device-level and network-level segmentation.

Software Defined Centralized Control
• Virtual fabric over any transport
• Virtual or physical platforms (vEdge)
• Centralized reachability, security and application policies
• Secure channel to SD-WAN controller (vSmart, vBond, vManage)
  - Single extensible control plane
  - Operates over DTLS/TLS authenticated and secured tunnels
• Dramatically lowers complexity and increases overall solution scale
[Figure: legacy full-mesh control with O(n^2) complexity versus SD-WAN centralized control elements reached over DTLS/TLS with O(n) complexity]

Overlay Management Protocol (OMP)
• TCP based extensible control plane protocol
• Runs between vEdge routers and vSmart controllers and between the vSmart controllers
  - Inside TLS/DTLS connections
• Leverages address families to advertise reachability for TLOCs, unicast/multicast destinations (statically/dynamically learnt service side routes), service routes (L4-L7), BFD stats (TE and H-SDWAN) and Cloud onRamp for SaaS probe stats (gateway)
  - Uses attributes
• Distributes IPSec encryption keys, and data and app-aware policies (embedded NETCONF)
[Figure: vSmart controllers peered with each other and with vEdges]

Transport Independent Fabric: Transport Locators Advertisement
• Local TLOCs (System IP, Color, Encap) are advertised to vSmarts
• vSmarts advertise TLOCs to all vEdges* (default)
• Result: full mesh SD-WAN fabric (default)
* Can be influenced by the control policies
[Figure: vEdges advertise their TLOCs to vSmart over OMP; IPsec tunnels form between all vEdges]

Transport Independent Fabric: Transport Locator Colors
• Color – control plane tag used for IPSec tunnel establishment logic
• Example: two vEdges, each with a TLOC on a public and on a private transport. T1, T3 – public color; T2, T4 – private color.
  - Default: IPsec tunnels are attempted between every TLOC pair across the two vEdges: T1–T3, T1–T4, T2–T4, T2–T3
  - Color restrict will prevent attempts to establish IPSec tunnels to TLOCs with a different color
[Figure: the same two vEdges, with a DMZ, showing the T1..T4 tunnel pairings]
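The tunnel-establishment logic described above, as an added example that is not Cisco or Viptela code: it enumerates which TLOC pairs attempt an IPsec tunnel with and without `restrict`, and generalises from the slide's two vEdges to n sites. The TLOC tuple (system IP, color, encap) and the restrict behaviour are from the slides; the names T1..T4, the addresses, and the use of the Viptela color names `public-internet` and `mpls` for the slide's public and private colors are assumptions of this example.

```python
"""Added example (not Cisco/Viptela code): which IPsec tunnels the fabric
attempts between two vEdges' TLOCs, with and without 'restrict' on a color.
The TLOC tuple (system IP, color, encap) and the restrict behaviour are from
the slides; the names T1..T4, the addresses and the use of the Viptela color
names 'public-internet' and 'mpls' for the slide's public/private colors are
assumptions of this example."""
from collections import namedtuple
from typing import List, Sequence, Tuple

# A local TLOC as advertised to vSmart, plus the per-color restrict flag
TLOC = namedtuple("TLOC", "name system_ip color encap restrict")


def tunnel_attempted(a: TLOC, b: TLOC) -> bool:
    """Default behaviour: every TLOC pair between two different vEdges attempts
    a tunnel. Color restrict on either end suppresses attempts to a TLOC of a
    different color; same-color pairs are never affected."""
    if a.system_ip == b.system_ip:
        return False                      # TLOCs of the same vEdge never pair
    if a.color == b.color:
        return True
    return not (a.restrict or b.restrict)


def planned_tunnels(tlocs: Sequence[TLOC]) -> List[Tuple[str, str]]:
    """vSmart advertises every TLOC to every vEdge (full mesh by default);
    return the sorted list of TLOC-name pairs that will attempt a tunnel."""
    pairs = set()
    for a in tlocs:
        for b in tlocs:
            if a.system_ip < b.system_ip and tunnel_attempted(a, b):
                pairs.add((a.name, b.name))
    return sorted(pairs)


def slide_tlocs(restricted: Sequence[str] = ()) -> List[TLOC]:
    """The slide's topology: two vEdges, each with a public (T1/T3) and a
    private (T2/T4) TLOC."""
    return [
        TLOC("T1", "10.0.0.1", "public-internet", "ipsec", "public-internet" in restricted),
        TLOC("T2", "10.0.0.1", "mpls", "ipsec", "mpls" in restricted),
        TLOC("T3", "10.0.0.2", "public-internet", "ipsec", "public-internet" in restricted),
        TLOC("T4", "10.0.0.2", "mpls", "ipsec", "mpls" in restricted),
    ]


def site_tlocs(site_ips: Sequence[str], colors: Sequence[str],
               restricted: Sequence[str] = ()) -> List[TLOC]:
    """Generalisation beyond the slide: n sites, each with one TLOC per color."""
    return [TLOC(f"{ip}/{color}", ip, color, "ipsec", color in restricted)
            for ip in site_ips for color in colors]


if __name__ == "__main__":
    print("default:   ", planned_tunnels(slide_tlocs()))
    print("restricted:", planned_tunnels(slide_tlocs(["public-internet", "mpls"])))
    sites = ["10.0.0.%d" % i for i in range(1, 5)]
    print("4 sites x 2 colors, unrestricted:",
          len(planned_tunnels(site_tlocs(sites, ["public-internet", "mpls"]))))
```

Restricting a color halves the tunnel count in the two-color case (one tunnel per color per site pair instead of one per color combination), which also halves the BFD sessions and the number of peers a private transport's TLOC is exposed to.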

Transport Independent Fabric: NAT Traversal
[Figure: Full-Cone NAT – vEdge1 behind the NAT sends from IP1/Port1, which the NAT maps to IP1’/Port1; vBond performs NAT detection and the mapping IP1’/Port1 is carried to vSmart over OMP, so vEdge2 (IP2/Port2) reaches vEdge1 at that mapping. Symmetric NAT – the NAT maps vEdge1 to IP1’/Port1’, a mapping that accepts only traffic from vBond]

WAN Communication: Traffic Forwarding
• Per-session loadsharing – active/active
• Per-session weighted – active/active
• Application pinning – active/standby
• Application aware routing – SLA compliant
[Figure: hierarchical multihop fabric (through a core) and single-hop fabric]

Bidirectional Forwarding Detection (BFD)
• Path liveliness and quality measurement detection protocol
  - Up/Down, loss/latency/jitter, IPSec tunnel MTU
• Runs between all vEdge and vEdge Cloud routers in the topology
  - Inside IPSec tunnels
  - Automatically invoked after each IPSec tunnel establishment
  - Cannot be disabled
• Uses hello (up/down) interval, poll (app-aware) interval and multiplier for detection
  - Fully customizable per-vEdge, per-color
[Figure: BFD sessions between all vEdges]
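The detection and measurement behaviour described above, as an added example that is not Cisco or Viptela code: a BFD session replays hello arrival times and reports UP/DOWN transitions from the hello interval and multiplier, and the loss/latency/jitter of one poll interval is checked against an SLA class as application-aware routing would. The interval and multiplier defaults, the timelines and the SLA thresholds are all constructed for the demo.

```python
"""Added example (not Cisco/Viptela code): BFD liveness detection and path
quality measurement as the slide describes it (hello interval, multiplier,
poll interval), replayed over a constructed timeline. The interval and
multiplier defaults and the SLA thresholds are assumptions for the demo."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class BfdSession:
    hello_interval_ms: int = 1000   # up/down hello cadence (assumed default)
    multiplier: int = 7             # missed hellos tolerated before DOWN (assumed)
    poll_interval_ms: int = 10000   # app-aware measurement window (assumed)

    def detection_time_ms(self) -> int:
        """A tunnel is declared DOWN when no hello arrives for hello x multiplier."""
        return self.hello_interval_ms * self.multiplier

    def transitions(self, hello_rx_ms: List[int], until_ms: int) -> List[Tuple[int, str]]:
        """Replay hello arrival times (ms since tunnel establishment) and
        return every (time, state) transition up to until_ms."""
        state, last, events = "DOWN", None, []
        for t in sorted(hello_rx_ms):
            if state == "UP" and t - last > self.detection_time_ms():
                events.append((last + self.detection_time_ms(), "DOWN"))
                state = "DOWN"
            if state == "DOWN":
                events.append((t, "UP"))
                state = "UP"
            last = t
        if state == "UP" and until_ms - last > self.detection_time_ms():
            events.append((last + self.detection_time_ms(), "DOWN"))
        return events


def path_quality(samples: List[Optional[float]]) -> Dict[str, Optional[float]]:
    """Loss, mean latency and jitter over one poll interval. Each sample is the
    measured latency (ms) of one hello, or None when the hello was lost."""
    received = [s for s in samples if s is not None]
    loss_pct = 100.0 * (len(samples) - len(received)) / len(samples)
    if not received:
        return {"loss": loss_pct, "latency": None, "jitter": None}
    latency = sum(received) / len(received)
    deltas = [abs(b - a) for a, b in zip(received, received[1:])]
    jitter = sum(deltas) / len(deltas) if deltas else 0.0
    return {"loss": loss_pct, "latency": latency, "jitter": jitter}


def sla_compliant(quality: Dict[str, Optional[float]], sla: Dict[str, float]) -> bool:
    """Application-aware routing keeps a path only while it meets the SLA
    class; a path with no received hellos in the window is non-compliant."""
    if quality["latency"] is None:
        return False
    return (quality["loss"] <= sla["loss"] and quality["latency"] <= sla["latency"]
            and quality["jitter"] <= sla["jitter"])


# Constructed timelines
STEADY_THEN_SILENT = [0, 1000, 2000, 3000, 4000, 5000]       # transport dies after 5 s
FLAPPING = [0, 1000, 15000]                                   # long gap, then recovery
WINDOW_SAMPLES = [10.0, 20.0, 10.0, 20.0, None]               # one hello lost in the window
VOICE_SLA = {"loss": 5.0, "latency": 50.0, "jitter": 15.0}   # assumed thresholds

if __name__ == "__main__":
    s = BfdSession()
    print(s.transitions(STEADY_THEN_SILENT, 20000))
    print(s.transitions(FLAPPING, 16000))
    q = path_quality(WINDOW_SAMPLES)
    print(q, "voice SLA:", sla_compliant(q, VOICE_SLA))
```

Two things fall out of the arithmetic: failover latency is hello interval times multiplier (7 s with the assumed values), so tuning is a trade between detection speed and false DOWNs on lossy links; and a path can stay UP for BFD yet be unusable for a given application, which is what the separate SLA check captures.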

Fabric Walkthrough
[Figure: as in Fabric Walk-Through – vEdges A/B and C/D with VPN1 and VPN2 on the service side (BGP, OSPF, connected and static routes); VPN0 holds Transport1 and Transport2 carrying IPsec tunnels with BFD; DTLS/TLS tunnels to vSmart carry OMP; OMP updates exchange subnets, TLOCs and policies]
OMP Update:
§ Reachability – IP Subnets, TLOCs
§ Security – Encryption Keys
§ VPN isolation is carried over all transports – https://tools.ietf.org/html/rfc4023

Transport1

Transport2

§ Each vEdge advertises its local IPsecencryption keys

§ Encryption key is per-transport

Key1

Local

Key1

Remote

vSmartControllers

vEdgevEdge

Key2

Key2

Key1

Local

Key1

Remote

Key2

’Ke

y2

§ Symmetric encryption keys used asymmetrically

Traffic Encrypted with Keys 1’ / 2’

Traffic Encrypted with Keys 1 / 2

Data Plane Security Encryption

Control PlaneAES256-GCM

OMPUpdate

OMPUpdate

Data Plane Security: Integrity

Figure: Two vEdges connected over Transport1 and Transport2 with a Network Address Translation device on the path; the vSmart controllers distribute OMP updates over the AES256-GCM protected control plane.

Packet layout: IP (20) | UDP (8) | ESP (36) | Data (…). The payload is encrypted; the packet, including the IP headers, is authenticated.

§ vBond discovers the vEdge public IP address, even if it traverses NAT
§ vBond communicates the public IP to the vEdge
§ vEdge computes the AH value based on the post-NAT public IP
§ Packet integrity (+IP headers) is preserved across NAT
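The two slides above (per-transport keys advertised over OMP and used asymmetrically, and an integrity tag computed over the post-NAT public IP learned from vBond) as one added, constructed example. This is not Viptela code: HMAC-SHA256 in counter mode stands in for AES-256-GCM so the example runs with the standard library only, the class and method names are assumptions, and the addresses and the key-relay step (vSmart copying each vEdge's advertisement to the other) are constructed.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (HMAC-SHA256 counter mode) standing in for AES-GCM."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class VEdge:
    """Constructed model of a vEdge: one key per transport color, peer keys via OMP."""

    def __init__(self, name: str, private_ip: str, colors):
        self.name = name
        self.private_ip = private_ip
        self.public_ip = private_ip                            # replaced once vBond reports the post-NAT IP
        self.local_keys = {c: os.urandom(32) for c in colors}  # encryption key is per-transport
        self.peer_keys = {}                                    # (peer, color) -> {"ip", "key"} learned via OMP

    def learn_public_ip(self, ip: str):
        """vBond discovered the address the NAT maps us to and told us."""
        self.public_ip = ip

    def omp_advertisement(self):
        """What vSmart relays to other vEdges: per-color TLOC address plus local key."""
        return {c: {"ip": self.public_ip, "key": k} for c, k in self.local_keys.items()}

    def learn_peer(self, peer: str, advertisement):
        for color, tloc in advertisement.items():
            self.peer_keys[(peer, color)] = tloc

    def encrypt(self, peer: str, color: str, payload: bytes):
        """Encrypt toward the peer with the PEER's advertised key (asymmetric use)."""
        tloc = self.peer_keys[(peer, color)]
        nonce = os.urandom(12)
        ciphertext = _xor(payload, _keystream(tloc["key"], nonce, len(payload)))
        # Integrity covers the outer source IP as it will look AFTER NAT.
        authed = self.public_ip.encode() + tloc["ip"].encode() + nonce + ciphertext
        tag = hmac.new(tloc["key"], authed, hashlib.sha256).digest()[:TAG_LEN]
        return {"src": self.public_ip, "dst": tloc["ip"], "nonce": nonce,
                "ciphertext": ciphertext, "tag": tag}

    def decrypt(self, color: str, packet):
        """Verify and decrypt with our OWN key for this color; None on integrity failure."""
        key = self.local_keys[color]
        authed = (packet["src"].encode() + packet["dst"].encode()
                  + packet["nonce"] + packet["ciphertext"])
        expected = hmac.new(key, authed, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, packet["tag"]):
            return None
        return _xor(packet["ciphertext"], _keystream(key, packet["nonce"], len(packet["ciphertext"])))


def nat_rewrite(packet, public_ip: str):
    """A NAT device rewrites the outer source address but cannot recompute the tag."""
    return dict(packet, src=public_ip)


def demo(vbond_informs_vedge1: bool):
    """Constructed scenario: vEdge1 behind NAT sends to vEdge2 over color 'mpls'."""
    v1 = VEdge("vEdge1", "10.0.0.1", ["mpls", "biz-internet"])
    v2 = VEdge("vEdge2", "198.51.100.2", ["mpls", "biz-internet"])
    if vbond_informs_vedge1:
        v1.learn_public_ip("203.0.113.1")
    v1.learn_peer("vEdge2", v2.omp_advertisement())   # relayed by vSmart
    v2.learn_peer("vEdge1", v1.omp_advertisement())
    pkt = v1.encrypt("vEdge2", "mpls", b"hello over mpls")
    pkt = nat_rewrite(pkt, "203.0.113.1")             # NAT on the path toward vEdge2
    return v2.decrypt("mpls", pkt)
```

Two things the run makes visible: the same symmetric key is only ever used in one direction (vEdge1 encrypts with vEdge2's key, vEdge2 decrypts with its own), and when vBond has not told vEdge1 its post-NAT address the tag is computed over the private IP, so the receiver's check against the rewritten source fails. Because the keys travel inside OMP, the confidentiality of the DTLS/TLS control connections is what protects the data plane keys.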

Segmentation and Service Insertion

Viptela VPNs

Figure: A vEdge router with three VPN types: Transport (VPN0) on the MPLS and INET facing interfaces, Service (VPNn) on the LAN-side interfaces, and Management (VPN512) on its own interface.

• VPNs are isolated from each other, each VPN has its own forwarding table
• vEdge router allocates a label to each of its service VPNs and advertises it as a route attribute in OMP updates
- Labels are used to identify the VPN in the incoming packets

Secure Segmentation

Figure: Ingress vEdge with VPN 1, VPN 2 and VPN 3 mapped from interfaces and VLANs, an SD-WAN IPSec tunnel across the fabric, and an egress vEdge mapping VPN1 and VPN2 back onto interfaces and VLANs.

Packet layout: IP (20) | UDP (8) | ESP (36) | VPN label (4) | Data (…)

• Segment connectivity across fabric w/o reliance on underlay transport
• vEdge routers maintain per-VPN routing table
• Labels are used to identify VPN for destination route lookup
• Interfaces and sub-interfaces (802.1Q tags) or a mix of both are mapped into VPNs

§ VPN isolation is carried over all transports
- https://tools.ietf.org/html/rfc4023
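The label lookup described on this slide, as an added example (not vEdge code): the 4-byte label that follows the ESP header selects the VPN, and the destination is then looked up only in that VPN's table, so overlapping addresses in two VPNs resolve independently and a packet with an unknown label is dropped. The header sizes are the ones on the slide; the label values, the 4-byte inner destination field, class and function names are constructed assumptions.

```python
import ipaddress
import struct

IP_HDR, UDP_HDR, ESP_HDR, LABEL_LEN = 20, 8, 36, 4   # sizes from the slide


class VEdge:
    """Constructed egress vEdge: label -> service VPN -> that VPN's routing table."""

    def __init__(self):
        self.vpn_tables = {}      # vpn -> [(network, next_hop)], longest prefix first
        self.label_to_vpn = {}    # label advertised in OMP -> local service VPN
        self._next_label = 1001   # constructed label range

    def add_vpn(self, vpn: int) -> int:
        """Allocate the label this vEdge advertises (as a route attribute) for a VPN."""
        label = self._next_label
        self._next_label += 1
        self.label_to_vpn[label] = vpn
        self.vpn_tables[vpn] = []
        return label

    def add_route(self, vpn: int, prefix: str, next_hop: str):
        self.vpn_tables[vpn].append((ipaddress.ip_network(prefix), next_hop))
        self.vpn_tables[vpn].sort(key=lambda r: r[0].prefixlen, reverse=True)

    def forward(self, packet: bytes):
        """Decapsulate, pick the VPN by label, look the destination up in that VPN only."""
        offset = IP_HDR + UDP_HDR + ESP_HDR
        (label,) = struct.unpack(">I", packet[offset:offset + LABEL_LEN])
        vpn = self.label_to_vpn.get(label)
        if vpn is None:
            return ("drop", "unknown label %d" % label)
        inner = packet[offset + LABEL_LEN:]
        dst = ipaddress.ip_address(inner[:4])   # constructed inner packet: 4-byte dst + payload
        for network, next_hop in self.vpn_tables[vpn]:
            if dst in network:
                return ("forward", vpn, next_hop)
        return ("drop", "no route in VPN %d" % vpn)


def encapsulate(label: int, dst: str, payload: bytes) -> bytes:
    """Fabric packet with zeroed outer IP/UDP/ESP headers, the VPN label and a minimal inner packet."""
    outer = b"\x00" * (IP_HDR + UDP_HDR + ESP_HDR)
    return outer + struct.pack(">I", label) + ipaddress.ip_address(dst).packed + payload


def demo():
    """Overlapping 10.1.1.0/24 in VPN 1 and VPN 2 resolves to different next hops."""
    egress = VEdge()
    label1 = egress.add_vpn(1)
    label2 = egress.add_vpn(2)
    egress.add_route(1, "10.1.1.0/24", "vpn1-lan")
    egress.add_route(2, "10.1.1.0/24", "vpn2-lan")
    return (egress.forward(encapsulate(label1, "10.1.1.5", b"x")),
            egress.forward(encapsulate(label2, "10.1.1.5", b"x")),
            egress.forward(encapsulate(4242, "10.1.1.5", b"x")))
```

The isolation property is the absence of any path from the inner packet to another VPN's table: only the label, which the ingress vEdge sets from its own VPN mapping, selects the table.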

Application Aware Topologies: Arbitrary VPN Topologies

Figure: VPN1 full-mesh, VPN2 hub-and-spoke, VPN3 partial mesh, VPN4 point-to-point.

• Each VPN can have its own topology
- Full-mesh, hub-and-spoke, partial-mesh, point-to-point, etc.
• VPN topology can be influenced by leveraging control policies
- Filtering TLOCs or modifying the next-hop TLOC attribute for routes
• Applications can benefit from shortest path, e.g. voice takes full-mesh topology
• Security compliance can benefit from controlled connectivity topology, e.g. PCI data takes hub-and-spoke topology

Multi-Topology

Figure: vSmart controllers distribute App Policies over the control plane to vEdges that participate in several per-VPN topologies at once.

• Arbitrary per-VPN topology
• Topology reflects desired traffic forwarding patterns, e.g. voice and video full-mesh, business apps hub-and-spoke
• vSmart controls VPN topology through control plane advertisements
• vEdge routers can participate in multiple topologies at the same time

Single Service Insertion

Figure: Data Center, Regional Hub (firewall FW in VPN1) and Remote Office connected over MPLS, INET and 4G. The hub vEdge sends a Service Advertisement to vSmart, vSmart sends a Policy Advertisement* to the vEdges, and the VPN1 traffic path between Data Center and Remote Office is steered through the FW.

• vEdge router with connected L4-L7 service makes advertisement
- Service route OMP address family
- Service VPN label
• Service is advertised in specific VPN
• Service can be L3 routed or L2 bridged
• Service can be singly or dually connected (Firewall trust zones) to the advertising vEdge
• Control or data policies are used to insert the service node into the matching traffic forwarding path
- Match on 6-tuple or DPI signature
- Applied on ingress/egress vEdge

* For data policy only. Control policy enforced on vSmart.

Multiple Services Chaining

Figure: Data Center, Regional Hub (FW and IDS in VPN1) and Remote Office connected over MPLS, INET and 4G. The hub vEdges send Service Advertisements to vSmart, vSmart sends Policy Advertisements* to the vEdges, and the VPN1 traffic path between Data Center and Remote Office is steered through the FW and then the IDS.

• vEdge routers with connected L4-L7 service make advertisement
- Service route OMP address family
- Services VPN labels
• Services are advertised in specific VPN
• Services can be L3 routed or L2 bridged
• Services can be singly or dually connected to the advertising vEdges
• Control or data policies are used to insert the service nodes into the matching traffic forwarding path
- Match on 6-tuple or DPI signature
- Applied on ingress/egress/service vEdge

* For data policy only. Control policy enforced on vSmart.

Multicast

Streaming Content Distribution: Multicast Traffic

Figure: A sender in the Data Center behind an RP, vEdge Replicators in the SD-WAN fabric, and receivers at two branches. IGMP/PIM runs on the service side; the vEdges exchange OMP updates with the vSmart controllers over the control plane.

§ vEdges interoperate with IGMP v1/v2 and PIM on the service side
§ vEdges advertise receiver multicast groups using OMP
§ vEdge Replicators replicate multicast stream to receivers
§ Multicast is encapsulated in point-to-point tunnels

Application Experience and QoS

Application Recognition: Deep Packet Inspection Engine

Figure: vEdge routers at the Cloud Data Center, Data Center, Campus, Branch and Small Office/Home Office, connected over MPLS, INET and 3G/4G, recognizing App 1 … App 3,000.

Primary Use Cases:
- Application visibility
- Application Firewall
- Traffic prioritization
- Transport selection


Transport SLA Monitoring: Path Quality Detection

Figure: A vEdge router sending BFD probes; the timeline shows the Hello Interval (ms), consecutive Poll Intervals (ms) and the App-Route Multiplier (n) spanning several poll intervals.

• Each vEdge router generates a BFD packet every "hello" interval for path quality (and liveness) detection
• BFD packets are generated for each transport individually. Timers can be adjusted for quicker detection.
• Poll interval determines the average path quality measurement (loss, latency, jitter)
• App-route multiplier determines the average path quality measurement across the poll intervals

Critical Applications SLA: Application Aware Routing

Figure: Two vEdges connected by IPSec tunnels over Internet, MPLS and 4G LTE, measured as Path1: 10ms, 0% loss; Path2: 200ms, 3% loss; Path3: 140ms, 1% loss. vManage pushes the App Aware Routing Policy to the vSmart controllers over the control plane: App A path must have latency <150ms and loss <2%.

§ By default, without any local or centralized data policies, Cisco SDWAN performs flow-based load sharing across all transports available between the vEdge routers
§ With Policies:
- Enforce SLA compliant path for applications of interest
- Other applications will follow active/active behavior across all paths
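The measurement pipeline of the two preceding slides (hello-interval BFD probes summarized per poll interval, averaged over the app-route multiplier, then compared with an SLA) as one added, constructed example. It is not Viptela code; the timer values, the probe layout and the function names are assumptions, and the three paths are the slide's Path1/2/3 figures reproduced as constructed measurements against the App A SLA.

```python
from statistics import mean

HELLO_MS = 100            # hello interval (assumption; the deck says it is customizable per color)
POLL_MS = 100 * HELLO_MS  # poll interval: 100 hello probes per poll window (assumption)
MULTIPLIER = 6            # app-route multiplier (assumption)


def poll_stats(probes):
    """Summarize one poll interval: (loss %, mean latency ms, mean jitter ms).
    Each probe is a round-trip latency in ms, or None when the BFD reply was lost."""
    received = [p for p in probes if p is not None]
    loss = 100.0 * (len(probes) - len(received)) / len(probes)
    if not received:
        return loss, None, None
    jitter = [abs(a - b) for a, b in zip(received, received[1:])] or [0.0]
    return loss, mean(received), mean(jitter)


def path_quality(poll_windows, multiplier=MULTIPLIER):
    """Average the last `multiplier` poll-interval summaries into one (loss, latency, jitter)."""
    recent = poll_windows[-multiplier:]
    loss = mean(w[0] for w in recent)
    lat = [w[1] for w in recent if w[1] is not None]
    jit = [w[2] for w in recent if w[2] is not None]
    return loss, (mean(lat) if lat else None), (mean(jit) if jit else None)


def meets_sla(quality, sla):
    """SLA keys: loss (%), latency (ms), jitter (ms); a key that is absent is not checked.
    A path with no received probes cannot satisfy a latency or jitter bound."""
    loss, lat, jit = quality
    if "loss" in sla and loss > sla["loss"]:
        return False
    if "latency" in sla and (lat is None or lat > sla["latency"]):
        return False
    if "jitter" in sla and (jit is None or jit > sla["jitter"]):
        return False
    return True


def eligible_paths(paths, sla):
    """paths: name -> list of poll-window summaries. Returns the names that meet the SLA."""
    return [name for name, windows in paths.items() if meets_sla(path_quality(windows), sla)]


def constructed_windows(latency_ms, loss_pct, n=MULTIPLIER):
    """Build n identical poll windows with the given steady latency and loss."""
    probes_per_poll = POLL_MS // HELLO_MS
    lost = round(probes_per_poll * loss_pct / 100)
    probes = [latency_ms] * (probes_per_poll - lost) + [None] * lost
    return [poll_stats(probes) for _ in range(n)]


# The slide's three paths as constructed measurements.
PATHS = {
    "path1": constructed_windows(10, 0),
    "path2": constructed_windows(200, 3),
    "path3": constructed_windows(140, 1),
}
APP_A_SLA = {"latency": 150, "loss": 2}   # "App A path must have latency <150ms and loss <2%"
```

With these inputs Path1 and Path3 are SLA compliant for App A and Path2 is not. Because the verdict is an average over the multiplier, a path that has just degraded keeps its old classification until enough poll windows have been replaced; shorter poll intervals or a smaller multiplier trade that lag for noisier decisions.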

Optimal Network Utilization for App Traffic: Path MTU Discovery

Figure: Two vEdges connected by IPSec tunnels over Transport1 and Transport2; Network Path MTU Discovery runs across the tunnels and Host Path MTU Discovery toward the hosts.

Network Path MTU Discovery
§ Automatic and proactive Network Path MTU Discovery leveraging BFD protocol

Host Path MTU Discovery
§ Support for Host Path MTU Discovery
§ Automatic MSS adjust for TCP traffic
- Can also be manually configured
§ IP ICMP Unreachable (type 3, code 4)
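An added, constructed example of the MSS adjustment and the ICMP type 3 / code 4 response named above; it is not vEdge code. The tunnel overhead is taken from the packet layouts earlier in the deck (IP 20 + UDP 8 + ESP 36 + VPN label 4), and the assumption that the platform accounts for exactly these bytes, as well as the function names, are mine.

```python
import struct

OVERHEAD = 20 + 8 + 36 + 4        # outer IP + UDP + ESP + VPN label, per the deck's layouts (assumption)
INNER_IP_TCP = 20 + 20            # minimal inner IPv4 + TCP headers
ICMP_FRAG_NEEDED = (3, 4)         # ICMP Destination Unreachable, Fragmentation Needed


def tunnel_mtu(path_mtu: int) -> int:
    """Largest inner packet that fits the tunnel for a (BFD-discovered) path MTU."""
    return path_mtu - OVERHEAD


def max_mss(path_mtu: int) -> int:
    """TCP MSS that keeps a full segment from being fragmented inside the tunnel."""
    return tunnel_mtu(path_mtu) - INNER_IP_TCP


def clamp_mss(tcp_options: bytes, limit: int):
    """Rewrite the MSS option (kind 2) of a SYN's option bytes if it exceeds `limit`.
    Returns (new_options, original_mss) with original_mss None when no MSS option is present."""
    out = bytearray()
    i = 0
    seen = None
    while i < len(tcp_options):
        kind = tcp_options[i]
        if kind == 0:                      # End of option list: copy the rest unchanged
            out += tcp_options[i:]
            break
        if kind == 1:                      # NOP has no length byte
            out.append(kind)
            i += 1
            continue
        length = tcp_options[i + 1]
        body = tcp_options[i:i + length]
        if kind == 2 and length == 4:
            (seen,) = struct.unpack(">H", body[2:4])
            body = struct.pack(">BBH", 2, 4, min(seen, limit))
        out += body
        i += length
    return bytes(out), seen


def icmp_frag_needed(packet_len: int, path_mtu: int):
    """Host PMTUD: a too-large DF packet is answered with (type 3, code 4, usable MTU)."""
    if packet_len <= tunnel_mtu(path_mtu):
        return None
    return ICMP_FRAG_NEEDED + (tunnel_mtu(path_mtu),)
```

For a 1500-byte path MTU the tunnel carries 1432-byte inner packets and the MSS is clamped to 1392; a host that ignores the clamped MSS and sends a 1500-byte DF packet gets the type 3 / code 4 message carrying 1432 instead.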

Example

App Policy applied with DSCP EF preferred path MPLS, rest is default. Simulation with DSCP 0 (default).

App Policy applied with DSCP EF preferred path MPLS. Simulation with DSCP 46 (EF).

Differentiated Services: Quality of Service

Figure: Traffic flow through a vEdge router from the ingress interface to the egress interface: traffic classification (Voice, Business, Best Effort), queue mapping onto Q0–Q7, scheduling, then IPSec encapsulation.

• Queue 0 is strict priority
• Copy inner TOS/DSCP bits into outer header

Localized Data Policy (QoS) Configuration

Step 1: Configure forwarding classes and mapping to output queues

policy
 class-map
  class best-effort queue 3
  class bulk-data queue 2
  class critical-data queue 1
  class voice queue 0

Step 2: Configure the QoS scheduler forwarding classes

policy
 qos-scheduler be-scheduler
  class best-effort
  bandwidth-percent 20
  buffer-percent 20
  scheduling wrr
  drops red-drop
 !
 qos-scheduler bulk-scheduler
  class bulk-data
  bandwidth-percent 20
  buffer-percent 20
  scheduling wrr
  drops red-drop
 !
 qos-scheduler critical-scheduler
  class critical-data
  bandwidth-percent 40
  buffer-percent 40
  scheduling wrr
  drops red-drop
 !
 qos-scheduler voice-scheduler
  class voice
  bandwidth-percent 20
  buffer-percent 20
  scheduling llq
  drops tail-drop

Step 3: Define QoS Map by grouping QoS Schedulers.

policy
 qos-map MyQoSMap
  qos-scheduler be-scheduler
  qos-scheduler bulk-scheduler
  qos-scheduler critical-scheduler
  qos-scheduler voice-scheduler

Step 4: Apply the QoS map to the egress interface

interface ge0/1
 qos-map MyQoSMap

Localized Data Policy (QoS) Configuration

Step 5: Define an Access List to Classify Data Packets into appropriate Forwarding Classes

policy
 access-list MyACL
  sequence 10
   match
    dscp 46
   !
   action accept
    class voice
   !
  !
  sequence 20
   match
    source-ip 10.1.1.0/24
    destination-ip 192.168.10.0/24
   !
   action accept
    class bulk-data
    set
     dscp 32
    !
   !
  !
  sequence 30
   match
    destination-ip 192.168.20.0/24
   !
   action accept
    class critical-data
    set
     dscp 22
    !
   !
  !
  sequence 40
   action accept
    class best-effort
    set
     dscp 0
    !
   !
  !
  default-action drop

Step 6: Apply the Access List to an Interface

vpn 10
 interface ge0/0
  access-list MyACL in
 !
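The six steps above as one added, constructed example that is not Viptela code: MyACL and the class-map are transcribed as data, packets are classified by the first matching sequence (unmatched packets take default-action drop), and a small scheduler shows queue 0 being served strictly before the WRR queues. The sample packets, the WRR weights (derived from the bandwidth percentages) and the function names are assumptions.

```python
import ipaddress
from collections import deque

CLASS_TO_QUEUE = {"voice": 0, "critical-data": 1, "bulk-data": 2, "best-effort": 3}  # Step 1

# MyACL (Step 5) as (match, action) pairs; an empty match, like sequence 40, matches everything.
MY_ACL = [
    ({"dscp": 46}, {"class": "voice"}),
    ({"source-ip": "10.1.1.0/24", "destination-ip": "192.168.10.0/24"},
     {"class": "bulk-data", "set-dscp": 32}),
    ({"destination-ip": "192.168.20.0/24"}, {"class": "critical-data", "set-dscp": 22}),
    ({}, {"class": "best-effort", "set-dscp": 0}),
]


def _in_prefix(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def _matches(match, pkt):
    if "dscp" in match and pkt["dscp"] != match["dscp"]:
        return False
    if "source-ip" in match and not _in_prefix(pkt["src"], match["source-ip"]):
        return False
    if "destination-ip" in match and not _in_prefix(pkt["dst"], match["destination-ip"]):
        return False
    return True


def classify(pkt, acl=MY_ACL, default_action="drop"):
    """Return (forwarding class, DSCP written to the packet, egress queue) for the first
    matching sequence, or (default_action, None, None) when no sequence matches."""
    for match, action in acl:
        if _matches(match, pkt):
            dscp = action.get("set-dscp", pkt["dscp"])
            return action["class"], dscp, CLASS_TO_QUEUE[action["class"]]
    return default_action, None, None


def schedule(queues, weights, rounds=1):
    """Queue 0 (llq) is drained before every pass; the wrr queues are then served
    `weights[q]` packets per pass. queues: queue -> list of packet ids."""
    pending = {q: deque(pkts) for q, pkts in queues.items()}
    llq = pending.get(0, deque())
    order = []
    for _ in range(rounds):
        while llq:
            order.append(llq.popleft())
        for q in sorted(weights):
            for _ in range(weights[q]):
                if pending.get(q):
                    order.append(pending[q].popleft())
    return order


# Constructed sample packets (src, dst, incoming DSCP)
SAMPLE = {
    "rtp":    {"src": "10.1.1.5", "dst": "192.168.50.9", "dscp": 46},
    "backup": {"src": "10.1.1.5", "dst": "192.168.10.7", "dscp": 0},
    "erp":    {"src": "10.9.9.9", "dst": "192.168.20.3", "dscp": 0},
    "web":    {"src": "10.9.9.9", "dst": "192.168.30.3", "dscp": 10},
}


def demo():
    return {name: classify(pkt) for name, pkt in SAMPLE.items()}
```

Note that sequence 40 has no match clause, so every packet that reaches it is accepted as best-effort and the `default-action drop` is never exercised; without that catch-all sequence, traffic matching none of the other sequences (the "web" sample here) would be dropped at the inbound interface.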

Application Optimization: TCP Performance Optimization

Figure: Users and servers separated by a high latency path; each vEdge terminates the local TCP connections and carries optimized TCP connections (Cubic) across the SD-WAN fabric.

• High latency path between users and servers, i.e. geo-distances
• vEdge routers terminate TCP sessions and provide local acknowledgements to prevent TCP windowing from reacting
• Selective acknowledgements prevent unnecessary retransmit of the successfully received segments
• Hosts using old TCP/IP stacks will see the most benefit

Cloud Adoption

Direct Internet Access

Figure: A remote site with local exits to ISP1 and ISP2, a regional data center with an ISP3 exit, and the data center, joined by the SD-WAN fabric over MPLS; the Internet is reached either directly from the remote site or through the regional hub.

• Can use one or more local DIA exits or backhaul traffic to the regional hub through the SD-WAN fabric and exit to Internet from there
- Per-VPN behavior enforcement
• VPN default route for all traffic DIA or data policy for selective traffic DIA
• Network Address Translation (NAT) on the vEdge router only allows response traffic back
- Any unsolicited Internet traffic will be blocked by IP table filters
• For performance based routing toward SaaS applications use Cloud onRamp
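The NAT behaviour stated on this slide, as an added, constructed example (not vEdge code): an outbound flow creates a translation entry, an inbound packet is translated back only if it matches an existing entry on all of protocol, port and remote address, and everything else is dropped. The class, the address values and the port allocation scheme are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class DiaNat:
    """Constructed port-overloading NAT on a DIA exit."""

    def __init__(self, public_ip: str, first_port: int = 20000):
        self.public_ip = public_ip
        self._next_port = first_port
        self.table = {}      # (proto, public port) -> inside Flow that created the binding
        self.reverse = {}    # inside Flow -> public port

    def outbound(self, flow: Flow) -> Flow:
        """Translate a LAN-originated packet and record (or reuse) its binding."""
        port = self.reverse.get(flow)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self.table[(flow.proto, port)] = flow
            self.reverse[flow] = port
        return Flow(flow.proto, self.public_ip, port, flow.dst, flow.dport)

    def inbound(self, flow: Flow):
        """Return the untranslated inside flow, or None when the packet is unsolicited.
        The remote address and port must match the binding, not just the public port."""
        inside = self.table.get((flow.proto, flow.dport))
        if inside is None or inside.dst != flow.src or inside.dport != flow.sport:
            return None
        return Flow(flow.proto, flow.src, flow.sport, inside.src, inside.sport)


def demo():
    """One legitimate reply, one unsolicited connection attempt, one reply from the wrong host."""
    nat = DiaNat("203.0.113.10")   # constructed public address of the DIA exit
    out = nat.outbound(Flow("tcp", "10.10.1.20", 51000, "198.51.100.80", 443))
    reply = nat.inbound(Flow("tcp", "198.51.100.80", 443, "203.0.113.10", out.sport))
    unsolicited = nat.inbound(Flow("tcp", "192.0.2.99", 4444, "203.0.113.10", 22))
    wrong_peer = nat.inbound(Flow("tcp", "192.0.2.99", 443, "203.0.113.10", out.sport))
    return out, reply, unsolicited, wrong_peer
```

This is what "only allows response traffic back" means in practice: the protection comes from the absence of a binding, not from inspecting the payload, so a DIA exit still needs the application-level controls described elsewhere in the deck (DPI-based firewalling, or a cloud security service) for traffic the hosts themselves initiate.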

Cloud Ready WAN

Figure: Cloud On-Ramp IaaS (left): Data Center, Campus, Branch and Small Office/Home Office joined by the Secure SD-WAN Fabric to the Cloud Data Center. Cloud On-Ramp SaaS (right): the same sites reaching Cloud Applications through the Secure SD-WAN Fabric.

Cloud onRamp for SaaS

Figure: vEdge Branch, vEdge DC and a Regional DC (INET exit) under the vManage Platform, connected over MPLS and INET; Office 365 is reached via Direct Internet Access, the Equinix Cloud Exchange or Microsoft Express Route.

• Optimized Connectivity to SaaS Applications across DIA, DC and Regional exits
• Continuous Network Health-checks
• Automatic selection of Optimized Path

Cloud onRamp for SaaS: SaaS Optimization

Application Quality Probing

Figure, Internet DIA: remote site with ISP1 and ISP2 exits, regional hub and data center on the SD-WAN fabric; loss/latency is probed on each exit. Figure, Hybrid DIA: the remote site reaches the Internet through ISP1 locally and through the regional hub (ISP2) over the MPLS fabric; loss/latency is probed on both paths.

IaaS Deployment

Figure: vEdge Branch and vEdge DC connected over MPLS and INET to a vEdge gateway in front of two IaaS instances, all under the vManage Platform.

• WAN to Cloud Extension
• Branch to Cloud Connectivity
• Single WAN Network across Branch, DC & Cloud
• Secure Connectivity to applications
• Multi-Cloud / Multi-Region connectivity
• Carrier Independent hybrid transport
• User – Application Visibility

Cloud onRamp for IaaS – Attached Compute

Figure: vEdge Branch and vEdge DC connected over MPLS and INET to a vEdge gateway in each Compute VPC/VNET, all under the vManage Platform.

• vEdge router is instantiated in Amazon VPCs or Microsoft Azure VNETs
- Posted in marketplace
- Use Cloud-Init for ZTP
• One vEdge router per VPC/VNET
- No multicast support, can't form VRRP
- No router redundancy
• vEdge router joins the fabric and all fabric services are extended to the IaaS instances, e.g. multipathing, segmentation and QoS
- For multipathing can combine AWS Direct Connect or Azure ExpressRoute with direct internet connectivity

Cloud onRamp for IaaS – Gateway VPC/VNET

Figure: vEdge Branch and vEdge DC connected over MPLS and INET to a pair of vEdge routers in the Gateway VPC/VNET, which reach the host VPCs/VNETs over standard IPSec with BGP; all under the vManage Platform.

• A pair of vEdge routers is instantiated in Amazon VPC or Microsoft Azure VNET
- Gateway VPC/VNET
• A pair of standards-based IPSec tunnels is stretched from the gateway VPC/VNET to each host VPC/VNET
- Connectivity redundancy
• BGP is established across the IPSec tunnels for route advertisement
- Bi-directional BGP/OMP redistribution on the gateway VPC/VNET vEdge routers
• Entire process is automated through vManage workflow

Cloud On-Ramp for IaaS – AWS Details

Figure: AWS Region with a Gateway VPC (vManage instantiated and managed) holding a vEdge GW in AZ1 and AZ2 behind an IGW and a VGW reached over Direct Connect, and Spoke VPCs (VGW, VPC router R, AZ1/AZ2) connected to the vEdge GWs by a standard IPSec overlay.

• Gateway VPC instantiated by vManage
• Customer workload resides in spoke VPCs. No change required in spoke VPCs
• Share transport (Direct Connect and Internet) & vEdge Gateways across multiple spoke VPCs in a region
• Leverage AWS components (IGW, VGW, VPC router) for redundancy. Fast failover times.

Cloud Security with Zscaler

Figure: Remote site with ISP1 and ISP2, regional data center and data center on the SD-WAN fabric; GRE tunnels from the vEdge to Zscaler POP1 and POP2, which screen for Exploits, ATP, Malware and Botnets.

• vEdge router creates a GRE tunnel to one or more Zscaler Enforcement Nodes (PoPs)
- Redundant PoPs, redundant ISPs
• Eliminates backhaul of traffic destined to Internet and cloud applications
• Provides advanced security services
- Can inspect SSL encrypted data, requires installation of the Zscaler root certificate on the hosts
• Cloud onRamp for SaaS can choose the path across the best performing Zscaler Enforcement Node (PoP) for selected SaaS applications

High Availability and Redundancy

Site Redundancy - Routed

Figure: Host behind a Site Router that runs OSPF/BGP to vEdge A and vEdge B, both attached to the SD-WAN fabric.

§ Redundant pair of vEdge routers operate in active/active mode
§ vEdge routers are one or more Layer 3 hops away from the hosts
§ Standard OSPF or BGP routing protocols are running between the redundant pair of vEdge routers and the site router
§ Bi-directional redistribution between OMP and OSPF/BGP on the vEdge routers
§ Site router performs equal cost multipathing for remote destinations across the SD-WAN Fabric
- Can manipulate OSPF/BGP to prefer one vEdge router over the other

Site Redundancy - Bridged

Figure: Host Layer 2 adjacent to vEdge A (VRRP Active) and vEdge B (VRRP Standby), both attached to the SD-WAN fabric.

§ vEdge routers are Layer 2 adjacent to the hosts
- Default gateway for the hosts
§ Virtual Router Redundancy Protocol (VRRP) runs between the two redundant vEdge routers
- Active/active when using multigroup
§ VRRP Active vEdge responds to ARP requests for the virtual IP with its physical interface MAC address
§ In case of failover, the new VRRP Active vEdge router sends out gratuitous ARP to update the ARP table on the hosts and the MAC address table on the intermediate L2 switches

Transport Redundancy - Meshed

Figure: Site Network with two vEdges, each connected to both MPLS and INET.

§ vEdge routers are connected to all the transports
§ When a transport goes down, vEdge routers detect the condition and bring down the tunnels built across the failed transport
- BFD times out across tunnels
§ Both vEdge routers still draw the traffic for the prefixes available through the SD-WAN fabric
§ If one of the vEdge routers fails, the second vEdge router takes over forwarding the traffic in and out of the site
- Both transports are still available

Transport Redundancy – TLOC Extension

Figure: Site Network with two vEdges, one connected to MPLS and the other to INET, with a link between them.

• vEdge routers are connected only to their respective transports
• vEdge routers build IPSec tunnels across the directly connected transport and across the transport connected to the neighboring vEdge router
- Neighboring vEdge router acts as an underlay router for tunnels initiated from the other vEdge
• If one of the vEdge routers fails, the second vEdge router takes over forwarding the traffic in and out of the site
- Only the transport connected to the remaining vEdge router can be used

TLOC Extension Configuration

Figure: br1-vedge1 (ge0/0 100.65.51.1 toward MPLS, ge0/2 10.5.51.51/24, ge0/3 10.5.52.51/24) and br1-vedge2 (ge0/0 dhcp toward INET, ge0/2 10.5.51.52/24, ge0/3 10.5.52.52/24), connected back-to-back on ge0/2 (INET extension) and ge0/3 (MPLS extension).

br1-vedge1:

vpn 0
 interface ge0/0
  description MPLS tunnel
  ip address 100.65.51.1/30
  tunnel-interface
   encapsulation ipsec
   color mpls restrict
   max-control-connections 1
   [service list]
  !
 !
 interface ge0/2
  description INET tunnel
  ip address 10.5.51.51/24
  tunnel-interface
   encapsulation ipsec preference 100
   color biz-internet restrict
   max-control-connections 1
   [service list]
  !
 !
 interface ge0/3
  ip address 10.5.52.51/24
  tloc-extension ge0/0
  no shutdown
 !
 ip route 0.0.0.0/0 100.65.51.2
 ip route 0.0.0.0/0 10.5.51.52

br1-vedge2:

vpn 0
 interface ge0/0
  description INET tunnel
  ip dhcp-client
  nat
  tunnel-interface
   encapsulation ipsec
   color biz-internet restrict
   max-control-connections 1
   [service list]
  !
 !
 interface ge0/2
  ip address 10.5.51.52/24
  tloc-extension ge0/0
  no shutdown
 !
 interface ge0/3
  description MPLS tunnel
  ip address 10.5.52.52/24
  tunnel-interface
   encapsulation ipsec
   color mpls restrict
   max-control-connections 1
   [service list]
  !
 !
 ip route 0.0.0.0/0 10.5.52.51

Add a route on the MPLS side (next hop br1-vedge1) to reach the br1-vedge2 MPLS tunnel end-point:

ip route 10.5.52.52/32 100.65.51.1

Do not forget NAT (the nat statement on br1-vedge2 ge0/0, which also carries the br1-vedge1 INET tunnel).

Control Redundancy - vSmart

Figure: vSmart controllers in the control plane above a data plane joining the Cloud Data Center, Data Center, Campus, Branch and Small Office/Home Office over MPLS, INET and 3G/4G.

§ vSmart controllers exchange OMP messages between themselves and have an identical view of the SD-WAN fabric
§ vEdge routers connect to up to three vSmart controllers for redundancy
§ Single vSmart controller failure has no impact, as long as there is another vSmart controller the vEdge routers are registered with
§ If all vSmart controllers fail or become unreachable, vEdge routers will continue operating on the last known good state for a configurable amount of time (GR timer)
- No updates to reachability
- No IPSec rekey
- No policy changes propagation

Control Redundancy - vManage

Figure: A vManage cluster in the management plane above a data plane joining the Cloud Data Center, Data Center, Campus, Branch and Small Office/Home Office over MPLS, INET and 3G/4G.

§ vManage servers form a cluster for redundancy and high availability
§ All servers in the cluster act as active/active nodes
- All members of the cluster must be in the same DC / metro area
§ For geo-redundancy, vManage servers operate in active/standby mode
- Not clustered
- Database replication between sites is needed
§ Loss of all vManage servers has no impact on fabric operation
- No policy changes
- No stats collection

Policy Framework

Policy Framework: Centralized and Localized Policies

Figure: vManage pushes device configuration to vSmart and to vEdge over NETCONF/YANG. Centralized policies live on vSmart: Centralized Control Policy (Fabric Routing), Centralized Data Policy (Fabric Data Plane) and Centralized App-Aware Policy (Application SLA); the data and app-aware policies are distributed to the vEdge over OMP. Localized policies live on the vEdge: Local Control Policy (OSPF/BGP) and Local Data Policy (QoS/Mirror/ACL).

Centralized and Localized Policies

• The Cisco SDWAN policy software design provides a clear separation between centralized and localized policies. Centralized policy is provisioned on the centralized vSmart controllers and the localized policy is provisioned on vEdge routers
• With Localized Data policy, also called an access list, you can provision QoS to:
- Classify incoming data packets into multiple forwarding classes based on importance.
- Spread the forwarding classes across different interface queues.
- Schedule the transmission rate or weights for each queue
• With Centralized policies on vSmart controllers:
- Centralized Control policies affect routing policy to influence routing decisions on the vEdge routers. This type of policy allows you to set preferences for the routes or paths on the vSmart controller and is reflected in forwarding tables on the vEdge routers.
- Application-Aware routing policies select the best path for a given application based on SLA requirements. These requirements include latency, packet loss, and jitter. Application-aware routing policies are configured on vSmart controllers and are enforced by vEdge routers.
- Centralized Data policies are used for traffic classification, DSCP marking, path selection, service insertion, policing, etc. Data policies are configured on vSmart controllers and enforced by vEdge routers.

Policy Driven WAN Infrastructure: Policy Augmented Dynamic Routing

Figure, three stages:
1. vManage GUI – Policy Orchestration: Control Policy (Routing and Services), Data Policy (Extensive Policy-based Routing and Services) and App-Route Policy (App-Aware SLA-based Routing) are combined and applied per site.
2. vSmart controller – Policy Enforcement/Advertisement: executes the Control Policy and advertises AAR/Data Policies to sites.
3. vEdge WAN router (Branch/DC access layer): executes AAR and Data Policy as received; dynamic routing and policies combine to dictate behavior.

Packet Flow Through the vEdge Router

Figure: stages 1–3 in the Service VPN, stage 4 routing between them, stages 5–6 in the Transport VPN.
1. Local Policy / Configuration: Policer (Admission Control), Classification, Marking
2. Centralized Application Aware Routing Policy: Path selection based on SLA
3. Centralized Data Policy: Policer (Admission Control), Classification, Marking / Remarking, Path Selection
4. Routing / Forwarding
5. Scheduling and Queuing: LLQ, WRR, RED
6. Local Policy, Shaping and ACL: Shaping, Re-marking, Policer, ACL

Centralized (vSmart) Policy Architecture

• vSmart Policies consist of these building blocks:
- Lists used for defining targets of policy application or matching
- Policies controlling aspects of control and forwarding: Control Policy, Application Aware Policy, Data Policy, cflowd-template, vpn-membership-policy
- Policy Application to control towards what a policy is applied: site-oriented and defined by a site-list

vEdge Routing Policy Architecture

• Routing Policies are traditional routing policies
- Attaches to BGP or OSPF locally on the vEdge
- Used in the traditional sense for controlling BGP and OSPF: information exchange, attributes, path selection

vSmart Policy Construction

Centralized policy definition is configured on vManage and enforced across the entire network.

Lists
• data-prefix-list – list of prefixes for use with a data-policy
• prefix-list – list of prefixes for use with any other policy
• site-list – list of site-ids for use in policy and apply-policy
• tloc-list – list of TLOCs for use in policy
• vpn-list – list of VPNs for use in policy
• colors – list of colors for use in policy
• SLAs – SLA definitions

Policy Definition
• Control Policies affect overlay routing
• Application Aware Routing policy is used in conjunction with SLAs to steer traffic
• Data policies provide VPN level policy based routing

Policy Application
• An apply directive is used in conjunction with site lists to enable specific policies at specific locations

vSmart Policy Construction - Lists

• application-list used in data-policy to define specific applications for traffic matching and policy actions
• data-prefix-list used in data-policy to define prefix and upper layer ports in various combinations for traffic matching
• prefix-list used in control-policy to define prefixes for RIB matching
• site-list used in control-policy and apply-policy to match source sites or define sites for policy application
• tloc-list used in control-policy to define tlocs for RIB matching and to apply redefined tlocs to vroutes
• vpn-list used in control-policy to define prefixes for RIB matching, in data-policy and app-route-policy to define VPNs for policy application

policy
 lists
  data-prefix-list app1
   ip-prefix 1.1.1.1/32
   port 100
  !
  prefix-list pfx1
   ip-prefix 1.1.1.1/32
  !
  site-list site1
   site-id 100
  !
  tloc-list site1_tloc
   tloc 1.1.1.1 color mpls
  !
  vpn-list vpn1
   vpn 1
  !
 !
!

vSmart Policy Construction – Policies

policy
 policy-type <name>
  vpn-list <vpn-list>
  sequence <n>
   match <route|tloc|vpn|other>
   !
   action <accept|reject|drop>
    set <attribute> <value>
   !
  !
  default-action <reject|accept>
 !
!

• Policy definition dictates type of policy and the appropriate syntax
• VPN-list used by data-policy and app-route-policy to list the VPNs for which the policy is applicable
• Sequence defines each sequential step of the policy by sequence number
• Match decides what entity to match on in the specific policy sequence
• Action determines the action for the preceding match statement
•Default-action is the action to take for any entity that was not matched in any sequence of the policy (set to reject by default)

vSmart Policy Construction – Policy Application

apply-policy
 site-list <name>
  control-policy <name> <in|out>
 !
 site-list <name>
  data-policy <name>
  vpn-membership <name>
 !
!

• Site-list determines to which sites a given policy is applied
• Direction applies only to control-policies
• Policy Type and Name refers to an already configured policy to be applied towards the sites specified in the site-list for the section

vSmart Policy Example

Apply the defined policy towards the sites in site-list:

apply-policy
 site-list site1
  control-policy prefer_local out
 !
!

Define the lists required for apply-policy and for use within the policy:

policy
 lists
  site-list site1
   site-id 100
  !
  tloc-list prefer_site1
   tloc 1.1.1.1 color mpls preference 400
  !
 !

Define the actual policy to be applied (the lists previously defined are used within the policy):

 control-policy prefer_local
  sequence 10
   match route
    site-list site1
   !
   action accept
    set
     tloc-list prefer_site1
    !
   !
  !
 !
!

Note: Items listed as presented in node configuration. The order in which elements are configured should be lists, control-policy then apply-policy

vSmart Policy Processing

• Policies are processed sequentially. Order is important!
• When a match occurs, the matched entity is subject to the configured action of the sequence and is then no longer subject to continued processing.
• Any entity not matched in a sequence is subject to the default action for the policy.
• Any node will make use of any and all available routing information
• In a multi-vSmart deployment, every vSmart acts independently to disseminate information to other vSmarts and vEdges
• vManage acts as the entity to ensure all vSmarts are synchronized.
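The processing rules above, run over the prefer_local example from the previous slide, as an added, constructed example (not Viptela code): sequences are evaluated in order, the first match decides, and routes matching no sequence take the policy's default action, which the deck states is reject unless set otherwise. The route and list data structures, the OMP routes and the function names are assumptions.

```python
import copy

LISTS = {
    "site-list": {"site1": {100}},
    "tloc-list": {"prefer_site1": [{"tloc": "1.1.1.1", "color": "mpls", "preference": 400}]},
}

PREFER_LOCAL = {
    "sequences": [
        {"seq": 10, "match": {"route": {"site-list": "site1"}},
         "action": "accept", "set": {"tloc-list": "prefer_site1"}},
    ],
    # Not written on the slide; per the deck, default-action is reject when omitted.
    "default-action": "reject",
}


def _route_matches(match, route, lists):
    """Only 'match route' with an optional site-list is modelled here."""
    conds = match.get("route")
    if conds is None:
        return False
    site_list = conds.get("site-list")
    return site_list is None or route["site-id"] in lists["site-list"][site_list]


def apply_control_policy(policy, routes, lists=LISTS):
    """Outbound control policy on vSmart: returns the routes that would be advertised,
    with any 'set tloc-list' applied. Rejected routes are simply absent."""
    advertised = []
    for route in routes:
        verdict, sets = policy["default-action"], {}
        for seq in policy["sequences"]:
            if _route_matches(seq["match"], route, lists):
                verdict, sets = seq["action"], seq.get("set", {})
                break                      # first match wins; later sequences are not consulted
        if verdict != "accept":
            continue
        out = copy.deepcopy(route)
        if "tloc-list" in sets:
            out["tlocs"] = copy.deepcopy(lists["tloc-list"][sets["tloc-list"]])
        advertised.append(out)
    return advertised


ROUTES = [  # constructed OMP routes as held by vSmart
    {"prefix": "10.100.0.0/24", "site-id": 100,
     "tlocs": [{"tloc": "1.1.1.1", "color": "mpls", "preference": 0}]},
    {"prefix": "10.200.0.0/24", "site-id": 200,
     "tlocs": [{"tloc": "2.2.2.2", "color": "mpls", "preference": 0}]},
]


def demo(default_action="reject"):
    """(prefix, preference of first TLOC) for each route the policy would advertise."""
    policy = dict(PREFER_LOCAL, **{"default-action": default_action})
    return [(r["prefix"], r["tlocs"][0]["preference"])
            for r in apply_control_policy(policy, ROUTES)]
```

With the policy exactly as written on the slide, only the site 100 route survives and is advertised with the preference-400 TLOC; the site 200 route falls through to the implicit reject and is never advertised to site1. Adding `default-action accept` to the control-policy keeps the other routes while still raising the local TLOC preference, which is usually the intent of a "prefer local" policy.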

1. Control Policies

• Control policies are executed on vSmarts to influence overlay routing.
• Control Policies are used to enable the following services:
- Service Chaining
- Traffic Engineering
- Extranet VPNs
- Service path affinity
- Arbitrary VPN Topologies
• Control Policy is a powerful tool for any type of path construction that simplifies policy operations by being centrally managed.


Centralized Control Policy: Inbound vs. Outbound

• Inbound Policy: determines which routes are installed in the local routing database of the vSmart controller.

• Outbound Policy: applied AFTER a route is retrieved from routing database, but BEFORE the vSmart controller advertises it.

2. Application-Aware Routing Policy

• Application-aware routing consists of three components:
- Identify the applications of interest. To determine which applications are running on vEdge routers, you enable application visibility on these devices. Then you configure an application-aware routing policy on the vSmart controller, which defines the applications of interest and the data plane tunnel performance characteristics required to transmit an application's data traffic. These characteristics are called a service-level agreement (SLA). The controller automatically pushes the policy to the appropriate vEdge routers.
- Monitor and measure data plane tunnel performance. This is done automatically and continuously by the vEdge routers, by tracking BFD Hello packets. Application-aware routing periodically polls the performance statistics to calculate the packet jitter, latency and packet loss information for each tunnel. The default polling interval is good for most network situations, but you can modify it to meet specific business needs.
- Map application traffic to a specific data plane tunnel. This is done on the vEdge routers, based on the SLA requirements defined in the application-aware routing policy and on the real-time performance of the vEdge routers' data plane tunnels. You can modify how often a vEdge router calculates each tunnel's SLA and determines a tunnel's SLA classification.


• An app-route policy is defined through the following steps:
  • Define the required SLA classes
  • Define the app-route-policy
  • Apply the app-route-policy towards the applicable sites

• The SLA class defines the required loss, latency and jitter thresholds for the application that is to go via the overlay path

• The app-route-policy defines the traffic that is to belong to a defined class, in a fashion similar to a data-policy

• Configuring an app-route-policy includes a reference to a VPN list to dictate which VPNs will benefit from the policy at the listed sites

Application Aware Routing


Application-Aware Routing Policy Configuration

Step 1: Create a list of sites to which the application-aware routing policy is to be applied

policy
 lists
  site-list mySites
   site-id 100-200
  !

Step 2: Create SLA classes and traffic characteristics to apply to matching application data traffic.

policy
 sla-class bulk-data-sla
  latency 150
 !
 sla-class critical-data-sla
  loss 5
  latency 150
 !
 sla-class voice-sla
  loss 1
  latency 100
  jitter 5
 !

Step 3: Create lists of applications, IP prefixes, and VPNs to use in identifying application traffic of interest (in the match section of the policy definition)

policy
 lists
  vpn-list myVPN
   vpn 10
  !
  data-prefix-list approute-Prefixes
   ip-prefix 10.1.0.0/16
  !
  app-list myApps
   app office365
   app salesforce
  !
 !
!

Application-Aware Routing Policy Configuration

Step 4: Create an application-aware routing policy instance and associate it with a list of VPNs

policy
 app-route-policy myApproutePolicy
  vpn-list myVPN
 !
!

Step 5: Within the policy, create one or more numbered sequences of match–action pairs

policy
 app-route-policy myApproutePolicy
  vpn-list myVPN
   sequence 10
    match
     app-list myApps
    !
    action
     sla-class critical-data-sla preferred-color mpls
    !
   !
   sequence 20
    match
     dscp 46
    !
    action
     sla-class voice-sla preferred-color mpls
    !
   !
   sequence 30
    match
     destination-data-prefix-list approute-Prefixes
    !
    action
     backup-sla-preferred-color public-internet
     sla-class bulk-data-sla preferred-color biz-internet
    !
   !

Step 6: Specify the default action for the policy

policy
 app-route-policy myApproutePolicy
  vpn-list myVPN
   default-action sla-class bulk-data-sla
  !
 !
!

Step 7: Apply the policy to a site list:

apply-policy
 site-list mySites
  app-route-policy myApproutePolicy
 !
!
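The path-selection logic that the seven steps above configure, as an added example that is not part of the original deck or of Viptela's code: a small Python model that classifies a flow into one of the sequences above (app-list, dscp, destination prefix), checks each tunnel's measured loss/latency/jitter against the SLA class, and applies preferred-color and backup-sla-preferred-color. The tunnel measurements are constructed sample values; the real vEdge derives them from BFD and load-balances across all compliant tunnels, which this model represents only by returning the eligible set.

```python
"""Model of application-aware routing (AAR) path selection.

Added example; it is not Viptela/Cisco code. It re-implements, in a
simplified form, what a vEdge does with the policy above: classify a flow
into a numbered sequence, look up the sequence's SLA class, keep the tunnels
whose measured loss/latency/jitter meet every threshold of that class, and
apply preferred-color / backup-sla-preferred-color. Tunnel measurements
(which the real system derives from BFD) are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TunnelStats:
    color: str
    loss: float    # percent
    latency: int   # ms
    jitter: int    # ms


@dataclass(frozen=True)
class SlaClass:
    loss: Optional[float] = None   # None = threshold not configured
    latency: Optional[int] = None
    jitter: Optional[int] = None

    def met_by(self, t: TunnelStats) -> bool:
        # Every configured threshold must hold; unconfigured ones are ignored.
        return ((self.loss is None or t.loss <= self.loss)
                and (self.latency is None or t.latency <= self.latency)
                and (self.jitter is None or t.jitter <= self.jitter))


@dataclass(frozen=True)
class Sequence:
    seq: int
    sla_class: str
    app_list: Optional[frozenset] = None       # match app-list
    dscp: Optional[int] = None                 # match dscp
    dst_prefixes: Tuple[str, ...] = ()         # match destination-data-prefix-list
    preferred: Tuple[str, ...] = ()            # action sla-class ... preferred-color
    backup_preferred: Tuple[str, ...] = ()     # action backup-sla-preferred-color

    def matches(self, flow: Dict) -> bool:
        if self.app_list is not None and flow.get("app") not in self.app_list:
            return False
        if self.dscp is not None and flow.get("dscp") != self.dscp:
            return False
        if self.dst_prefixes:
            dst = flow.get("dst")
            if dst is None or not any(ipaddress.ip_address(dst) in ipaddress.ip_network(p)
                                      for p in self.dst_prefixes):
                return False
        return True


# Mirrors the sla-class definitions of Step 2.
SLA_CLASSES: Dict[str, SlaClass] = {
    "bulk-data-sla": SlaClass(latency=150),
    "critical-data-sla": SlaClass(loss=5, latency=150),
    "voice-sla": SlaClass(loss=1, latency=100, jitter=5),
}

# Mirrors app-route-policy myApproutePolicy (Steps 3, 5 and 6).
POLICY: List[Sequence] = [
    Sequence(10, "critical-data-sla", app_list=frozenset({"office365", "salesforce"}),
             preferred=("mpls",)),
    Sequence(20, "voice-sla", dscp=46, preferred=("mpls",)),
    Sequence(30, "bulk-data-sla", dst_prefixes=("10.1.0.0/16",),
             preferred=("biz-internet",), backup_preferred=("public-internet",)),
]
DEFAULT_ACTION = Sequence(0, "bulk-data-sla")   # default-action sla-class bulk-data-sla


def classify(flow: Dict, policy: List[Sequence] = POLICY) -> Sequence:
    """First matching sequence wins, like the numbered match/action pairs."""
    for seq in policy:
        if seq.matches(flow):
            return seq
    return DEFAULT_ACTION


def select_tunnels(action: Sequence, tunnels: List[TunnelStats]) -> Tuple[List[str], str]:
    """Return (eligible tunnel colors, reason) for one forwarding decision."""
    sla = SLA_CLASSES[action.sla_class]
    compliant = [t for t in tunnels if sla.met_by(t)]
    preferred = [t for t in compliant if t.color in action.preferred]
    if preferred:                      # preferred color(s) meet the SLA
        return [t.color for t in preferred], "preferred-color"
    if compliant:                      # otherwise any compliant tunnel
        return [t.color for t in compliant], "sla-compliant"
    backup = [t for t in tunnels if t.color in action.backup_preferred]
    if backup:                         # nothing meets the SLA: use the backup color
        return [t.color for t in backup], "backup-sla-preferred-color"
    return [t.color for t in tunnels], "no-sla-match"   # SLA violated everywhere: all tunnels


def route(flow: Dict, tunnels: List[TunnelStats]):
    action = classify(flow)
    colors, reason = select_tunnels(action, tunnels)
    return action.seq, action.sla_class, colors, reason


if __name__ == "__main__":
    healthy = [TunnelStats("mpls", 0.0, 40, 2),
               TunnelStats("biz-internet", 0.5, 60, 8),
               TunnelStats("public-internet", 2.0, 120, 20)]
    print(route({"dscp": 46, "dst": "192.0.2.10"}, healthy))
    print(route({"dst": "10.1.5.5"}, healthy))
```

The interesting cases are the degraded ones: when MPLS latency exceeds the voice-sla threshold and no other tunnel meets the jitter bound, sequence 20 has no backup color and the flow is spread over every tunnel; sequence 30, which does carry backup-sla-preferred-color public-internet, pins the flow to that color instead.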


• Data Policies provide the functionality equivalent to traditional Policy Routing.

• Data policies are configured and applied centrally (vSmart), then pushed to vEdge to enforce the configured policy in the data plane

• Some of the applications enabled by Control Policies can also be enabled by Data Policies, in addition to more traditional Policy Routing as well as data-plane bound functions

• A Data policy acts on an entire VPN and is not interface-specific

• Data Policies are used to enable the following services:
  • QoS Classification
  • Service Chaining
  • cflowd
  • NAT
  • Traffic Policing and Counting
  • Transport Selection
  • Traffic Engineering

3. Data Policy - Applications and Services


Centralized Data Policy Configuration

Step 1: Create a list of sites to which the centralized data policy is to be applied

policy
 lists
  site-list mySites
   site-id 100-200
  !

Step 2: Create lists of IP prefixes and VPNs, as needed

policy
 lists
  prefix-list myPrefixes
   ip-prefix prefix/length
  !
  vpn-list myVPN
   vpn 1
  !
  app-list myApps
   app office365
   app salesforce
  !

Step 3: Create a data policy instance and associate it with a list of VPNs. Within the policy, create one or more numbered sequences of match–action pairs

policy
 data-policy myDataPolicy
  vpn-list myVPN
   sequence 10
    match
     app-list myApps
    !
    action accept
     set
      dscp 32
     !
    !
   !
  !
 !
!

Step 4: Apply the policy to one or more sites in the overlay network

apply-policy
 site-list mySites
  data-policy myDataPolicy (all | from-service | from-tunnel)
 !
!

The direction keyword selects which traffic the vEdge evaluates: from-service matches traffic entering from the service (LAN) side, from-tunnel matches traffic arriving from the overlay tunnels, and all matches both.


• Cflowd flow collection is enabled by means of a vSmart policy

• Capturing and exporting flow data is controlled via 2 different policies:
  • Cflowd-template for configuring flow cache behavior and flow export
  • Data-policy for selection of traffic subject to flow data collection

• The Cflowd template is optional; without it, the flow cache in vEdge nodes is managed using default settings and no flow export takes place

• The data-policy can be configured to be very specific or as a general flow collection filter, depending on requirements

• Both components controlled and distributed from vSmart to ease enablement and configuration

4. Cflowd flow data collection


Cflowd Example

apply-policy
 site-list site100
  data-policy cflowd_data all
  cflowd-template cflowd_temp
 !
!
policy
 data-policy cflowd_data
  vpn-list cflowd_vpn
   sequence 10
    match
     protocol 17
    !
    action accept
     cflowd
    !
   !
   default-action drop
  !
 !
 cflowd-template cflowd_temp
  flow-active-timeout 60
  flow-inactive-timeout 60
  collector vpn 100 address 1.1.1.1 port 4739 transport transport_udp
 !
!
* vpn-list and site-list excluded, please refer to app-route section *

Data-policy
• Covers traffic subject to flow data collection
• Note that default-action drop discards every flow in the VPNs of cflowd_vpn that does not match sequence 10 (here, all non-UDP traffic); use default-action accept unless the drop is intended

cflowd-template
• Manages settings related to cache management and flow export (not mandatory)
• Export here is plain UDP to the collector on the IPFIX port from VPN 100; the export path carries no transport-level protection, so keep the collector in a segment you trust

• The default behavior of the SDWAN OMP architecture is to advertise any configured VPN to any node where it is configured

• This automatically establishes connectivity without unnecessary configuration and operational overhead

• However, certain VPNs may be of a sensitive nature such that their membership must be tightly controlled

• The VPN Membership Policy serves to restrict the distribution of VPN information from vSmart to those that are explicitly approved
  • Both whitelist and blacklist behavior can be established

• With a VPN Membership Policy, a node not explicitly allowed to participate in a VPN may have the VPN configured but will only see local connectivity and routing information

5. VPN Membership Policy – Functionality

VPN Membership Policy Example

policy
 lists
  site-list sites_1
   site-id site1
   site-id site2
  !
  site-list sites_2
   site-id site3
   site-id site4
  !
  vpn-list sites_1
   vpn 10, 20
  !
  vpn-list sites_2
   vpn 30, 40
  !
 !
!

policy
 vpn-membership acme_1
  sequence 10
   match
    vpn-list sites_1
   !
   action accept
  !
  default-action reject
 !
 vpn-membership acme_2
  sequence 10
   match
    vpn-list sites_2
   !
   action accept
  !
  default-action reject
 !
!

• vpn-lists define the VPN match data
• vpn-membership acts as either whitelist or blacklist for VPN filtering
• apply-policy acts in both directions to determine which VPN(s) are allowed from a given site

apply-policy
 site-list sites_1
  vpn-membership acme_1
 !
 site-list sites_2
  vpn-membership acme_2
 !
!
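How vSmart evaluates the policy above, as an added example that is neither the deck's nor Viptela's code: the whitelist policies acme_1/acme_2 are modelled next to a blacklist variant (hypothetical policy name acme_block), and the route filter applies membership to both the receiving and the originating site, matching the "both directions" note. Site names, VPN numbers and the OMP routes are constructed sample data.

```python
"""Model of vSmart VPN-membership filtering.

Added example, not Viptela/Cisco code. It evaluates vpn-membership policies
the way the slide describes: find the policy attached to a site through
apply-policy, walk its sequences (first match wins), and fall through to the
default-action. Sites with no attached policy keep the default OMP behaviour
(every configured VPN is exchanged). Routes below are constructed.
"""
from typing import Dict, List, Optional, Set, Tuple

# Policy shape: {"sequences": [(vpn_list_name, "accept" | "reject"), ...],
#                "default": "accept" | "reject"}
Policy = Dict[str, object]

# Lists from the slide (site-ids kept as symbolic names; constructed).
SITE_LISTS: Dict[str, Set[str]] = {"sites_1": {"site1", "site2"}, "sites_2": {"site3", "site4"}}
VPN_LISTS: Dict[str, Set[int]] = {"sites_1": {10, 20}, "sites_2": {30, 40}}

# Whitelist policies from the slide: explicit accept, default-action reject.
POLICIES: Dict[str, Policy] = {
    "acme_1": {"sequences": [("sites_1", "accept")], "default": "reject"},
    "acme_2": {"sequences": [("sites_2", "accept")], "default": "reject"},
}
APPLY: Dict[str, str] = {"sites_1": "acme_1", "sites_2": "acme_2"}   # apply-policy: site-list -> policy

# Blacklist variant (hypothetical name acme_block): deny sites_2's VPNs to sites_1, allow the rest.
BLACKLIST: Dict[str, Policy] = {"acme_block": {"sequences": [("sites_2", "reject")], "default": "accept"}}
BLACKLIST_APPLY: Dict[str, str] = {"sites_1": "acme_block"}


def policy_for_site(site: str, policies: Dict[str, Policy], apply: Dict[str, str]) -> Optional[Policy]:
    for site_list, name in apply.items():
        if site in SITE_LISTS.get(site_list, set()):
            return policies[name]
    return None


def vpn_allowed(site: str, vpn: int, policies=POLICIES, apply=APPLY) -> bool:
    """Does vSmart exchange routes for `vpn` with `site`?"""
    policy = policy_for_site(site, policies, apply)
    if policy is None:
        return True   # no membership policy attached: default OMP behaviour
    for vpn_list, action in policy["sequences"]:   # first matching sequence wins
        if vpn in VPN_LISTS[vpn_list]:
            return action == "accept"
    return policy["default"] == "accept"


def advertised_to(site: str, routes, policies=POLICIES, apply=APPLY) -> List[Tuple[int, str, str]]:
    """OMP routes (vpn, prefix, origin-site) that vSmart sends to `site`.

    apply-policy acts in both directions: a route is only passed on if the
    origin site is a member of the VPN and the receiving site is too."""
    return [(vpn, prefix, origin) for vpn, prefix, origin in routes
            if origin != site
            and vpn_allowed(origin, vpn, policies, apply)
            and vpn_allowed(site, vpn, policies, apply)]


# Constructed OMP routes: site1 has VPN 30 configured locally but is not a member,
# so its VPN 30 prefix never leaves the site; site5 has no membership policy.
ROUTES = [
    (10, "10.10.1.0/24", "site1"),
    (10, "10.10.2.0/24", "site2"),
    (30, "10.30.3.0/24", "site3"),
    (30, "10.30.5.0/24", "site5"),
    (30, "10.30.1.0/24", "site1"),
]

if __name__ == "__main__":
    for s in ("site1", "site3", "site5"):
        print(s, advertised_to(s, ROUTES))
```

Whitelisting is the safer default for a sensitive VPN: a new site added without an apply-policy entry falls back to the OMP default and sees everything, which is exactly the case the page's "explicitly approved" wording is meant to prevent.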


Operational Simplicity and Transparency


Single Pane of Glass Operations – vManage GUI

• Intuitive GUI driven operations
  • Management, monitoring and troubleshooting

• Cloud Delivered
  • Private, hosted or managed

• Single or Multi-tenant

• Role-based Access Control

• Clustered for scale and high availability

• REST APIs based

Zero Touch Provisioning – Plug-n-Play vEdge Secure Bring-up (Zero Trust)

[Figure: vManage holds the vEdge list (white-list) and the vEdge configuration template; the administrator, the ZTP server, vBond and vSmart establish identity and trust; the installer connects the vEdge to network and power, the vEdge obtains an address via DHCP and presents its X.509 identity rooted in the TPM.]

Zero Touch Provisioning – vEdge Appliance

[Figure: vEdge appliance (factory default config*), the Zero Touch Provisioning server, and the control and policy elements. Steps as numbered in the figure: 1) query to ztp.viptela.com; 2) redirect to the corporate orchestrator; 3) initial control communication; 4) initial device configuration from vManage; 5) full registration and configuration.]

Assumptions:
§ DHCP on Transport Side (WAN)
§ DNS to resolve ztp.viptela.com*
§ Delivered as-a-Service

* Factory default config

Zero Touch Provisioning – vEdge Cloud

[Figure: vEdge Cloud (factory default config*), vManage, a VM provisioning tool (NSO with the vBranch FP) and the control and policy elements. Steps numbered 1–5 in the figure: the VM is deployed with a cloud-init configuration; initial control communication; initial device configuration from vManage; full registration and configuration.]

Assumptions:
§ DHCP on Transport Side (WAN)
§ DNS to resolve ztp.viptela.com*

* Factory default config

• Embedded Deep Packet Inspection engine

• Application and flow level visibility for the fabric and individual vEdge routers

• Centralized statistics and performance

• Export flow level data (IPFIX) to external collector

Application and Performance Visibility – Deep Packet Inspection

Template-Based Configurations – Centralized Device Configuration Enforcement

• Templates are attached to provisioned vEdge routers

• Variables are used for rapid bulk configuration rollout with unique per-device settings

• Local configuration changes are not allowed, which prevents configuration drift

Granular Policies – Centralized Control over Fabric Behavior

• Centralized data, control and application-aware routing policies

• Defined on vManage, enforced on vSmart controllers (control policies) or vEdge routers (data and application-aware routing policies)

• Individual site, collection of sites or the entire fabric as policy scope

Troubleshooting and Verification – Transparent Operations

• Embedded tools for data plane connectivity verification

• Control plane health verification

• Real-time GUI based troubleshooting

• Full command line interface and Linux shell for expert level troubleshooting

• Alarms for triggered events

Self-Healing – Software Upgrade and Configuration Change

[Figure, software upgrade: a vEdge router holds one active software image (A) and several available images (B, C, D); 1) a new image is activated, 2) the upgrade fails, 3) the router rolls back to the previously active image.]

[Figure, configuration change: 1) vManage attaches a template to the vEdge router, 2) connectivity to the controllers is lost, 3) the router rolls back to its previous configuration.]

Current Orchestration and APIs

[Figure: vManage (management, monitoring, provisioning, troubleshooting) exposes REST northbound; a secure control plane links it and vSmart to the vEdge routers in Data Center, Campus, Branch and Home Office sites over 4G/LTE, MPLS and Internet, with a secure data plane between sites. Device-level interfaces: Syslog, Netconf, SNMP, CLI and cFlowd*.]

* http://tools.ietf.org/html/rfc7011

vManage Programmatic Access – REST API Documentation

• API Documentation built-in – https://vmanage-url/apidocs

• Test calls can be executed directly from doc page

• API programming documented at:https://docs.viptela.com/Product_Documentation/Command_Reference/vManage_REST_APIs/vManage_REST_APIs_Overview/Using_the_vManage_REST_APIs
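A minimal client for the login and device-inventory calls the built-in API documentation exercises, as an added example that is not Cisco's code: the paths j_security_check, dataservice/client/token and dataservice/device are the published vManage endpoints, the host name vmanage.example.net is a placeholder, and the HTTP layer is injected so the class runs offline against the constructed FakeVManage stand-in below (pass a requests.Session() for a real controller). Two details a practitioner wants: vManage answers a failed form login with HTTP 200 and the HTML login page, so the response body must be inspected, and TLS verification stays on rather than being silenced.

```python
"""Minimal vManage REST client with an injectable HTTP layer.

Added example, not Cisco code. Login is a form POST to /j_security_check,
the XSRF token comes from /dataservice/client/token and is sent back as
X-XSRF-TOKEN, and the device inventory is GET /dataservice/device. The
FakeVManage class is a constructed stand-in so the flow runs offline; for a
real controller pass a requests.Session() instead.
"""
from dataclasses import dataclass
from typing import Any, Dict, List


class VManageAuthError(Exception):
    pass


class VManageClient:
    def __init__(self, host: str, session, verify: bool = True):
        self.base = f"https://{host}"
        self.session = session       # any object with get()/post() like requests.Session
        self.verify = verify         # keep TLS verification on; pin the controller CA if self-signed
        self.headers: Dict[str, str] = {}

    def login(self, username: str, password: str) -> None:
        r = self.session.post(f"{self.base}/j_security_check",
                              data={"j_username": username, "j_password": password},
                              verify=self.verify)
        # vManage answers a rejected login with HTTP 200 and the HTML login
        # page, so the status code alone does not prove success.
        if r.status_code != 200 or "<html" in r.text.lower():
            raise VManageAuthError("login rejected")
        t = self.session.get(f"{self.base}/dataservice/client/token", verify=self.verify)
        # Older releases have no token endpoint; only newer ones require the header.
        if t.status_code == 200 and t.text and "<html" not in t.text.lower():
            self.headers["X-XSRF-TOKEN"] = t.text.strip()

    def get_devices(self) -> List[Dict[str, Any]]:
        r = self.session.get(f"{self.base}/dataservice/device",
                             headers=self.headers, verify=self.verify)
        if r.status_code != 200:
            raise RuntimeError(f"device query failed: HTTP {r.status_code}")
        return r.json()["data"]


@dataclass
class FakeResponse:
    status_code: int
    text: str = ""
    payload: Any = None

    def json(self):
        return self.payload


class FakeVManage:
    """Constructed stand-in that mimics the controller's observable behaviour."""
    TOKEN = "0123456789abcdef"

    def __init__(self, username: str, password: str):
        self.creds = (username, password)
        self.logged_in = False

    def post(self, url, data=None, **_):
        if url.endswith("/j_security_check") and (data["j_username"], data["j_password"]) == self.creds:
            self.logged_in = True
            return FakeResponse(200, "")
        return FakeResponse(200, "<html><body>login</body></html>")   # bad password: 200 + login page

    def get(self, url, headers=None, **_):
        if not self.logged_in:
            return FakeResponse(200, "<html><body>login</body></html>")
        if url.endswith("/dataservice/client/token"):
            return FakeResponse(200, self.TOKEN)
        if url.endswith("/dataservice/device"):
            if (headers or {}).get("X-XSRF-TOKEN") != self.TOKEN:
                return FakeResponse(403, "forbidden")
            return FakeResponse(200, "", {"data": [
                {"host-name": "vedge-1", "deviceId": "10.0.0.1", "reachability": "reachable"},
                {"host-name": "vedge-2", "deviceId": "10.0.0.2", "reachability": "unreachable"},
            ]})
        return FakeResponse(404, "")


def demo(username: str = "admin", password: str = "correct-horse") -> List[str]:
    """Log in to the fake controller and list device host names."""
    server = FakeVManage("admin", "correct-horse")
    client = VManageClient("vmanage.example.net", server)   # placeholder host name
    client.login(username, password)
    return [d["host-name"] for d in client.get_devices()]
```

Against a real controller the only change is `VManageClient("<your vmanage>", requests.Session())`; credentials used by automation should be a dedicated, least-privileged vManage user rather than the admin account.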


Network Automation decouples the lifecycle of product/service systems from that of network resources and services

• Decouples the network from OSS/ITIL

• Unlocks agility and flexibility at the Resource Facing Services (RFS) layer

• Enables DevOps at the network/RFS layer

• Network changes and new features can be rolled out continuously during run-time, i.e. DevOps

[Figure: OSS/ITIL (product/service systems lifecycle) talks through a well-defined API to the Network Service Orchestration System, which owns the Resource Facing Services (RFS) and the network service lifecycle over physical and virtual networks.]

SDWAN MSP Management Options

NSO/vManage split (Cisco and 3rd-party VNFs):
• NSO single entry point
• NSO (vBranch, vManage NED) to instantiate VNFs (including 3rd-party VNFs) and activate vEdge; apply device template
• vManage to configure vEdge

vManage and NSO entry point (REST APIs):
• vManage improved with NSO (and vBranch, SDWAN, potentially SAE CFP)
• vManage and/or NSO as potential entry point
• Reporting and alerts

[Figure: OSS/BSS (VMS) reaches NSO over REST/NETCONF and vManage over REST; NSO uses NETCONF towards Cisco routers, ENCS/NFVIS and the Cisco and 3rd-party VNFs through the vBranch CFP and SDWAN CFP; vManage manages vEdge and cEdge appliances.]

NSO/vManage Split Gives Flexibility

• NSO and vManage run side by side in separate processes

• NSO and vManage are integrated using APIs (an NSO NED using the vManage REST interface)

• NSO communicates with all devices involved in the CFP for day0 and dayN configuration; vManage provides dayN configuration for vEdge

• The vManage UI will have to be extended with the appropriate CFP workflows and send API calls to NSO

[Figure: OSS/BSS or VMS reaches the Network Service Orchestrator (NSO) with Core FP (SDWAN) and Core FP (vBranch) over REST/NETCONF; NSO reaches vManage over REST, and Cisco routers, ENCS/NFVIS, vEdge appliances and cEdge appliances over NETCONF.]

Cisco SD-WAN Automation Stack

[Figure: VMS Portal/GUI → VMS SIF (Software Integration Framework) → Network Service Orchestrator (NSO) with Core FP (SDWAN) and Core FP (vBranch) → vManage; Cisco routers, ENCS/NFVIS, vEdge appliances and cEdge appliances are reached over NETCONF from NSO and REST from vManage.]

1. Viptela vManage – target customer has vEdge appliances without a need for virtual CPE, service orchestration and OSS/BSS from Cisco

2. Extended SD-WAN Orchestration – target customer has virtual CPEs, or orchestration of other than vEdge appliances is needed, without a need for OSS/BSS from Cisco

3. Full Stack SD-WAN – target customer has a need for Cisco OSS/BSS capabilities together with SD-WAN

SDWAN Core Function Pack

• NSO Core Function Pack
• NSO (vBranch, vManage NED) to instantiate VNFs (including 3rd-party VNFs) and activate vEdge; apply device template
• vManage to configure vEdge
• SDWAN FP scope will expand over time

[Figure (potential SP model): OSS/BSS (VMS) → Network Service Orchestrator (NSO) exposing service abstraction APIs over the vBranch Function Pack and SDWAN Function Pack, each driving NEDs → vManage over REST; ENCS/NFVIS and Cisco appliances over NETCONF; Cisco and 3rd-party VNFs; vEdge/cEdge appliances.]

vBranch FP – High Level View of Service Model

[Figure: Branch-infra and Branch-cpe service models; a VNF references a VNFD and VDU from the NFVO catalog; network and CPE configuration; VNFD/VDU deployment.]

Catalog Definition – VNFs and Service Chaining: vEdge VNF descriptor and flavor defined; deployment parameters defined.

• Generate bootstrap information
  • Download vEdge Cloud certified serial numbers (json)
  • Get the unclaimed vEdge Cloud router list from vManage
  • Instruct vManage to generate a bootstrap configuration file
  • Get the bootstrap configuration file for the vEdge Cloud router (cloud-init config file)

• ENCS/NFVIS on-boarding
  • NFVIS boots and creates basic network infrastructure
  • NFVIS registers to NSO using PnP
  • NSO connects to NFVIS at the branch using NETCONF

• vEdge instantiation
  • NSO registers vEdge Cloud to NFVIS
  • NFVIS pulls vEdge Cloud images / local preparation
  • NSO instructs NFVIS to deploy networks / vEdge Cloud
  • NFVIS deploys vEdge Cloud, loads the bootstrap configuration file (which contains cloud-config (bootstrap) and cloud-boothook (day0) sections) and sets up local vEdge monitoring

• Process is the same for any platform that runs NFVIS

• Day 1 and post Day 1 activities handled by vManage

vEdge Cloud on ENCS

[Figure: ENCS running NFVIS (VNFM, PnP) hosting vEdge; NSO in the SP datacenter alongside vManage, vSmart and vBond; NETCONF between NSO and NFVIS/vEdge.]

On Boarding ENCS/NFVIS

1) ENCS boots and creates basic network infrastructure
2) NFVIS registration to NSO using PnP (IP + serial + model + capabilities)
3) NFVIS registered to NSO
4) NSO connects to branch NFVIS (NETCONF)

ENCS/NFVIS on-boarded in NSO

[Figure: ENCS with NFVIS (VNFM, PnP) ↔ PnP server and Branch-Infra FP in the Network Service Orchestrator (NSO).]

NSO with the vBranch Function Pack

vEdge-Cloud Onboarding process

[Figure: Network Service Orchestrator (NSO) with Core FP (vBranch) and Core FP (SDWAN Onboarding), vManage, and the virtual networks on ENCS (PnP); steps 1–8 below.]

• 1) Upload vEdge certified serial numbers onto vManage
• 2) Get the unclaimed vEdge Cloud router list from vManage
• 3) Instruct vManage to:
  – Create day0 template
  – Attach day0 template (with variables) to an unclaimed vEdge Cloud router
  – Generate a bootstrap configuration file for the vEdge Cloud router (UUID, token, …)
• 4) Get the bootstrap configuration file for the vEdge Cloud router (cloud-init config file), which contains cloud-config (bootstrap) and cloud-boothook (day0) sections
• 5) VNFs instantiated and loaded with the bootstrap configuration cloud-init file
• 6) NFVIS notifies NSO that the vEdge is alive
• 7) vEdge to Viptela control plane: initial control communication
• 8) vManage installs the certificate into the vEdge Cloud router and syncs up. The vEdge Cloud router is ready for configuration from vManage

NSO with the SDWAN Function Pack

SDWAN CFP – Define Service Chain on NFVIS

[Figure: ENCS with an 8-port GE switch and two WAN NICs (GE0/0, GE0/1); the service chain connects the networks wan-net, lan-net and wan-net2 through the vEdge and ASAv VNFs.]

vAnalytics

Data Lake – vAnalytics Clusters

Data Transfer and Storage
• Client authenticated and data securely transmitted from vManage to vAnalytics
• Data storage isolation between customers
• No PII (Personally Identifiable Information) is collected

Data Correlation and Algorithms
• Only management data (stats, flows) information collected
• All algorithms and visualization done on a per-customer basis
• IP addresses collected for provider look-ups
• Peer benchmarking (future use cases) only on a group basis. No individual customer data used

vAnalytics Customer Data

The Power of Analytics – Application Centric (Based on DPI/cflowd)

1. Bandwidth Usage:
   1. Identification of top sources / top destinations / top application (family)
   2. Drill-down into information on a per-site basis
   3. Identification of top sources
2. Application Performance:
   1. Application-to-tunnel binding and performance information
3. Anomaly Detection:
   1. Baseline of application usage. Anomaly detection based on overall application usage / by family / by site

The Power of Analytics – Network Centric

1. Site Availability (SD-WAN value prop)
   1. List of sites with down-time compared to TLOCs with their down-time
2. Network Availability
   1. List of sites by down-time
   2. Comparison of site down-time vs TLOC down-time (SD-WAN value prop)
   3. Down-site count on a time basis with the ability to drill down into sites and downtimes
3. Site Usage Analysis
   1. Bandwidth consumed by site (top sites)
   2. Drill-down to show historical bandwidth consumption by time
4. Carrier Performance
   1. App-route stats on a per-carrier basis
   2. Ability to drill down on a specific carrier and visibility into various remote carrier connectivity

vAnalytics Dashboard

vAnalytics – BW Consumption by Applications

vAnalytics – Network Health by Carriers

Use Cases and Deployment Models


Viptela Control Deployment

[Figure: vBond, vManage and vSmart in the control layer; vEdge on the service side behind NAT/firewall.]

AWS (Viptela hosted):
• Internet transport required
• Viptela managed 24/7
• Viptela auto-provisioned
• Geo-redundancy
• Geo-vicinity
• Currently the most common deployment model

Provider Cloud:
• Public or (private) transport possible
• Provider managed
• Provider orchestration
• Redundancy and vicinity as supported by the SP
• Provider value-added services at discretion

On Premise:
• Public or private access as per enterprise policy
• Enterprise managed
• Enterprise orchestration
• Redundancy and vicinity as supported by the enterprise
•  Typically preferred by security-conscious verticals (Finance, Public Sector)

• Data plane never crosses the control layer

• Control deployment is mainly about redundancy and security

• Control plane is latency tolerant

Cisco SD-WAN Control Plane Deployment – Viptela hosted Controllers / Public Cloud

[Figure: controllers in Region 1 and Region 2 (optional/standby vManage) on private IPs behind 1:1 NAT to public IPs, reachable over the Internet.]

• Control plane on public Internet only

• Most commonly deployed model

• Supports data plane on other transports (MPLS, leased line, etc.)

Cisco SD-WAN Control Plane Deployment – Hybrid Cloud Controller Deployment

[Figure: controllers in DC/Region 1 and DC/Region 2 (optional/standby vManage) with public IPs, BGP towards MPLS, and a DMZ firewall on the Internet side; no NAT.]

• Control plane on MPLS and Internet

• Public IPs are assigned to the controllers

• No NAT is used

• For security compliance, FW/DMZ on the Internet-facing side

Cisco SD-WAN Control Plane Deployment – Hybrid Cloud Controller Deployment (NAT variant)

[Figure: controllers in DC/Region 1 and DC/Region 2 (optional/standby vManage) with private IPs; BGP towards MPLS with no NAT; NAT plus DMZ/FW with public IPs on the Internet side.]

• Control on MPLS and Internet

• Private IPs on the controllers

• Public IPs are not exposed on MPLS

• NAT/FW facing the Internet

* vBond must have a public IP or sit behind 1:1 NAT

Cisco SD-WAN Control Plane Deployment – Public Cloud Controller Deployment

[Figure: controllers in DC/Region 1 and DC/Region 2 reached over the Internet; each controller's vpn512 management interface connects through a co-located vEdge Cloud to the DC hosting TACACS/RADIUS, syslog server, SNMP server, NMS tools, etc.]

• vEdge Cloud co-exists with the controllers

• vEdge participates in the overlay

• Traffic between the controllers and the NMS systems in the DC goes over the overlay tunnels securely

Cisco SD-WAN Site Deployment – Gateway/DC Site Deployment

[Figure: DC/Gateway site running BGP/OSPF towards the legacy/MPLS sites and OMP towards the SD-WAN overlay over Internet and MPLS.]

• Identify gateway/DC sites providing connectivity between SD-WAN and legacy sites

• Legacy sites talk to each other directly

• SD-WAN sites talk to each other directly

• Legacy router/connectivity is dropped in the DC/gateway sites once migration is complete

Cisco SD-WAN Site Deployment – Remote Site Designs

[Figure: seven remote-site design variants (1–7) combining Internet and MPLS transports; up to 7 transport interfaces per vEdge; LAN-side routing via static, VRRP, OSPF or BGP.]

Orchestration/Control/Management Plane Scale

[Figure: Data Center, Campus, Branch and Home Office sites over 4G/LTE, MPLS and Internet.]

• Management plane (vManage; multi-tenant or dedicated): horizontal scale-out model

• Control plane (vSmart; containers or VMs): 2700 vEdges per vSmart; redundancy: add 1–2 vSmarts; horizontal scale-out model

• Orchestration plane (vBond): 2000 vEdges per vBond; redundancy: add 1–2 vBonds; horizontal scale-out model

Data Plane / IPsec Scale

• vEdge 100: 250 IPsec tunnels, 100 Mbps
• vEdge 1000: 1500 IPsec tunnels, 1 Gbps
• vEdge 2000: 6000 IPsec tunnels, 10 Gbps
• Dual LTE variant

The solution is not limited by one individual component. Larger deployments can be handled using:
- Additional vEdge routers to distribute the IPsec scale
- A hierarchical/regionalized design

Large Enterprise with Global Distribution – WAN components connected via overlays from Viptela SEN utilizing Internet, LTE, etc.

[Figure: North America DCs, Europe DC and APAC DC (DC core) plus distribution centers, stores and field offices in the Americas, Asia and Europe; each site has a vEdge router, switch and WiFi APs with an Ethernet exit (DSL/Cable/LTE/MPLS) and LTE backup; secure data plane and secure control plane across the Viptela SEN.]

• ZTP/Central Config/Policy – done on Viptela
• Connectivity – active-active
• Monitoring/Syslog/NetFlow – done on Viptela, Nagios
• App-Routing/PfR/Service Chain – done on Viptela
• Segmentation – multiple VPNs
• Encryption – built-in / no key management

Example Of 100-site (Small Enterprise) – Agilent

[Figure: North America DCs, Europe DC and APAC DC (DC core) and sites sized Large/Medium/Small in the Americas, Asia and Europe; vEdge router and switch at each site; OBS MPLS and business-class Internet transports; secure data plane and secure control plane across the Viptela SEN.]

Site tiers:
• Platinum (dual MPLS, dual broadband)
• Gold (single MPLS, single broadband)
• Silver (dual broadband)
• Bronze (single broadband)

• ZTP/Central Config/Policy/SW Upgrade – done on Viptela
• Connectivity – active-active
• Monitoring/Syslog/cFlow – vManage, HP NNM, Riverbed SteelCentral
• Seamless migration (brownfield) – no impact to traffic, migrated to non-migrated
• App-Routing/Circuit Selection – done on Viptela
• Segmentation – single VPN
• Encryption – done on Viptela
• Rapid site bring-up (paradigm shift) – order ISP DIA circuits first, then MPLS (if needed)
• Traffic symmetry across regions – done on Viptela
• Split-tunnel – selective 80/443, GRE to Zscaler
• VPN topology – full mesh
• IaaS and SaaS – AWS, SFDC, O365

Variety Of Deployment Models

[Figure: three models between Site A and Site B over Internet and MPLS. Side-by-Side: existing routers remain alongside vEdges, which build a secure virtual fabric. Hybrid With Fallback: existing routers and vEdges coexist, with a secure tunnel as fallback. Full SDWAN: vEdges only, on both transports.]

Pricing Structure


Cisco SDWAN Pricing Model

[Figure: three cost components – perpetual cost of Viptela CPE hardware; subscription cost of Viptela software (includes SD-WAN controller + CPE software); operational cost of the Viptela solution.]

The Cisco SDWAN pricing model consists of two components:

1. Subscription* license (1YR, 3YR and 5YR) for Viptela software, charged per CPE. This cost is dependent on two factors:
   • Service bandwidth. Slide 5 covers how service bandwidth is calculated.
   • Features: Slide 3 covers feature buckets.

2. Perpetual cost of Viptela CPE** element.

*Note: Subscription cost of Viptela software includes cost of SD-WAN controllers, 24x7x365 Viptela support, next day hardware replacement for Viptela CPE, software upgrades on all components and the cost of hosting the Viptela controllers in the Viptela cloud.

**Note: CPE can be Viptela manufactured or, in the case of virtual CPE, customer/partner provisioned. Cost here implies Viptela CPE only.

Viptela Pricing Tiers

Plus:
• Encrypted fabric
• Hub-and-spoke only
• App-aware routing (AAR)
• Split tunnel
• SD-WAN controllers
[Figure: hub with spokes over MPLS and Internet, local breakout]

Pro + DPI:
• Plus capability
• Dynamic routing
• E2E segmentation (multiple VPNs)
• Application-aware routing with DPI
• Full mesh
• SD-WAN controllers
[Figure: hub and spokes over MPLS and Internet with dynamic routing, local breakout (app based), E2E segmentation, AAR]

Enterprise:
• Pro + DPI
• CloudExpress
• Analytics
• SD-WAN controllers
[Figure: hub and spokes over MPLS and Internet with dynamic routing, E2E segmentation, AAR, CloudExpress, Analytics]

Pricing Tiers - Detailed


Bandwidth Licensing

[Figure: branch with three circuits – Circuit 1 (MPLS), Circuit 2 (Internet), Circuit 3 (3G/4G/LTE) – plus a TLOC extension interface.]

Bandwidth entitlement* on a vEdge is the sum of peak bandwidth (either upstream or downstream) across all WAN circuits.

Example: If a 50 Mbps bandwidth license is purchased, the sum of peak circuit bandwidth (either upstream or downstream) across Circuits 1, 2 and 3 must be less than or equal to 50 Mbps.

Bandwidth entitlement also includes:
i. Split tunnel (direct Internet breakout)
ii. Traffic offloaded to 3rd-party cloud services, e.g. Zscaler

TLOC extension interface bandwidth is not included in bandwidth entitlement.

*Note: Entitlement assumes the peak bandwidth usage 95% of the time. This accommodates traffic bursts that might happen.
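The entitlement rule above worked through in code, as an added example rather than Cisco's licensing tool: per circuit, the 95th percentile (nearest rank) of the sampled throughput in each direction, the larger direction kept, the sum taken across circuits with TLOC-extension interfaces excluded, and the result compared with the purchased tier. The per-interval throughput samples are constructed.

```python
"""Bandwidth-entitlement check for a vEdge under the licensing rule above.

Added example, not Cisco's licensing tooling. Per WAN circuit it takes the
95th percentile (nearest rank) of the sampled throughput in each direction,
the slide's "peak 95% of the time", keeps the larger direction, sums across
circuits, skips TLOC-extension interfaces, and compares the sum with the
purchased tier. Throughput samples are constructed (Mbps per interval).
"""
import math
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Circuit:
    name: str
    upstream: List[float]      # Mbps samples
    downstream: List[float]
    tloc_extension: bool = False


def percentile(samples: List[float], pct: float) -> float:
    """Nearest-rank percentile: the value at rank ceil(pct/100 * n)."""
    if not samples:
        return 0.0
    ordered = sorted(samples)
    rank = max(1, math.ceil(pct * len(ordered) / 100.0))
    return ordered[rank - 1]


def circuit_peak(c: Circuit, pct: float = 95.0) -> float:
    # "either upstream or downstream": the busier direction counts.
    return max(percentile(c.upstream, pct), percentile(c.downstream, pct))


def entitlement_needed(circuits: List[Circuit], pct: float = 95.0) -> float:
    # TLOC-extension interfaces carry the peer vEdge's transport traffic and are excluded.
    return sum(circuit_peak(c, pct) for c in circuits if not c.tloc_extension)


def within_license(circuits: List[Circuit], license_mbps: float) -> bool:
    return entitlement_needed(circuits) <= license_mbps


# Constructed samples: 20 intervals per circuit; single bursts (60, 90) fall
# outside the 95th percentile and do not count against the entitlement.
BRANCH = [
    Circuit("mpls", upstream=[12.0] * 19 + [60.0], downstream=[18.0] * 18 + [25.0, 90.0]),
    Circuit("internet", upstream=[8.0] * 20, downstream=[20.0] * 19 + [21.0]),
    Circuit("lte", upstream=[1.0] * 20, downstream=[4.0] * 20),
    Circuit("tloc-ext", upstream=[30.0] * 20, downstream=[30.0] * 20, tloc_extension=True),
]

if __name__ == "__main__":
    print("needed:", entitlement_needed(BRANCH), "Mbps")
    print("fits 50 Mbps tier:", within_license(BRANCH, 50))
```

The branch comes to 49 Mbps (25 + 20 + 4) and fits a 50 Mbps license; counting the TLOC-extension interface would have pushed it to 79 Mbps, which is why the exclusion matters for dual-vEdge sites.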


Key Takeaways


SDWAN Rollout and Positioning

Phase 1 – FY18, No Integration
• Deployment scenario: vManage w/ vEdge/ENCS -or- Meraki
• Lead motion: vEdge (vManage + vEdge)
• Key dates: vEdge on ENCS (x86) = Nov'17; GPL = Feb'18

Phase 2 – 1HFY19, Platform Integration
• Deployment scenario: vManage w/ any EN platform -or- Meraki
• Lead motion: ISR4K + vEdge SW, ASR/ISR + vEdge SW (vManage + vEdge)
• Key dates: LA – Mar'18; GA – Jul'18

Phase 3 – 2HFY19, Management Integration
• Deployment scenario: DNA Center w/ any platform -or- Meraki
• Lead motion: DNA Center + SD-WAN
• Key dates: late 2018

Clarification On SDWAN Terminology

• vEdge: Viptela H/W with all software capabilities as-is

• ISR: traditional IOS XE with IWAN capabilities, for ISR4K, ASR, CSR & ISRv

• "SDWAN Enabled ISR": SDWAN-enabled IOS XE for ISR4K, ASR, CSR & ISRv. Only features highlighted in the next slide are included in the SD-WAN image

Integration Roadmap (roadmap subject to change)

Phase 1 (April 2018)
Viptela capabilities – SD-WAN features:
✓ ZTP
✓ App Route Policy
✓ QoS
✓ Cloud OnRamp – IaaS
✓ Segmentation
✓ DIA – Zscaler (GRE only)
Routing protocols:
✓ BGP, OSPF
Monitoring & troubleshooting:
✓ System & interface stats
✓ Events
✓ Performance monitoring
IOS capabilities:
✓ NBAR
Platform:
✓ ISR 4331, ASR 1001-X
New interfaces:
✓ Ethernet, 4G LTE, T1/E1

Phase 2 (July 2018)
Viptela capabilities – SD-WAN features:
✓ Cloud OnRamp – SaaS
✓ TLOC Extension
✓ IPv6 – service & transport
✓ Service Chaining
Services:
✓ Multicast
Monitoring & troubleshooting:
✓ vManage with DPI & Cflowd, Analytics
IOS capabilities:
✓ Zone Based Firewall
✓ Umbrella (DNS whitelisting)
✓ Full NBAR (SD-AVC, custom apps)
✓ EIGRP
Platforms:
✓ 43xx, 44xx, 11xx, ENCS
✓ ASR1xxx, CSR
New interfaces:
✓ xDSL

Phase 3 (Nov 2018)
Viptela capabilities – SD-WAN features:
✓ TCP Optimizations
IOS capabilities:
✓ App QoE
✓ Per-Tunnel QoS
Services:
✓ DIA with Umbrella Connector
✓ UC – SRST, PSTN GW, SIP GW
✓ AppNav Controller
Platforms:
✓ All
New interfaces:
✓ All

Cisco Enterprise Routing Portfolio moving forward

(Portfolio segments shown: Cloud, Branch, WAN Edge, Virtual)

ASR 1000
• 2.5-200 Gbps
• High-performance service w/ hardware assist
• Hardware & software redundancy

vEdge 2000
• 10 Gbps
• Modular

ISR 4000
• Up to 2 Gbps
• Modular
• Integrated container applications
• Compute with UCS E

vEdge 1000
• Up to 1 Gbps
• Fixed

ISR 1000
• Up to 250 Mbps
• Fixed and fanless
• SD-WAN ready
• Integrated wired & wireless access

vEdge 100
• 100 Mbps
• 4G LTE & Wireless

ISR 800
• Up to 100 Mbps
• Fixed and fanless
• Enterprise-class branch routing with security

ISRv
• 50 Mbps to 2.5 Gbps
• Virtual enterprise-class networking
• Run on x86 compute platform
• ENFV orchestration & management

Cisco ENCS
• Service chaining virtual functions
• Modular WAN connectivity
• Open for 3rd party services & apps

CSR 1000V
• 10 Mbps to 10 Gbps
• DNA Virtualization
• Extend enterprise routing, security & management to cloud

vEdge Cloud
• 10 Mbps to 100 Mbps
• Extend overlay to public cloud

MSP: SD-WAN Deployment Options

Technology stack layers (rows of the slide): End User & Operator Portals; Service Creation and Delivery (Service Provider OSS/BSS); Service Orchestration; Services; Infrastructure; Data Plane; SP Infrastructure

Deployment Model: Cisco NG SDWAN
• Portals: SP Provided
• Service Creation and Delivery: SP Dev & Integration (Ordering | Billing | Tenancy | Analytics | Assurance | Management)
• Service Orchestration: vManage
• Services: vSmart, vBond, vOS
• Infrastructure / Data Plane: vEdge
• Use Cases: Viptela for pure play SD WAN (Network as a Service)
• Consumption Models: Standalone SD-WAN; Cloud, SP Managed

Deployment Model: Virtual Managed Services (VMS)
• Portals: VMS Portal or SP Provided
• Service Creation and Delivery: APIs | Ordering | Billing | Tenancy | Analytics | Assurance | Management
• Service Orchestration: NSO VNF Mgmt, vManage
• Services: vSmart, vBond, vOS; NFVIS, IOS-XE
• Infrastructure / Data Plane: ENCS, vEdge (virtual/physical), VNFs; ISR Converged IOS / vEdge SW (Future)
• Use Cases: Turnkey services: SDWAN with vBranch supporting additional security and VNF service chains
• Consumption Models: All 3 aaS, Cloud, SP managed

Deployment Model: VMS Platform
• Portals: Viptela Portal or SP Provided
• Service Creation and Delivery: SP Dev & Integration (Ordering | Billing | Tenancy | Analytics | Assurance | Management); NSO + Core FPs
• Service Orchestration: NSO VNF Mgmt (**optional**), vManage
• Services: vSmart, vBond, vOS; NFVIS, NSO
• Infrastructure / Data Plane: ENCS, vEdge (virtual/physical), VNFs; ISR Converged IOS / vEdge SW (Future)
• Use Cases: Infrastructure orchestration supporting vBranch and NFV provisioning
• Consumption Models: All 3, SP Managed

SP Value Prop is listed per deployment model on the original slide.