Cisco SDWAN - Deep Dive - SCCUG
Transcript
Jean-Marc Barozet, Principal Engineer – SDWAN/NFV Technical Marketing, December 2017
Deep Dive: Cisco SDWAN
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
AGENDA
• Introduction to Cisco SDWAN
• Solution Overview
• SDWAN Products
• Cisco SDWAN Overlay – 4 Primary Pillars
• Technology Deep-Dive (if interested in the details)
  • Components Bring Up (controllers and vEdge devices)
  • Fabric Operation
  • Segmentation and Service Insertion
  • Multicast
  • Application Experience and QoS
  • Cloud Adoption
  • High Availability and Redundancy
  • Policy Overview
• Operational Simplicity and Transparency
• Use Case and Deployment Models
• Pricing Structure
• Key Takeaways
Introduction to Cisco SDWAN
Network as a Platform for Reducing Cost and Complexity While Lowering Risk
Network Transformation for WAN
Uncompromised & Secure Experience Over Any Connection
DNA
Applications are moving to the Cloud (private and public)
Internet edge is moving to the remote site
Business mobile devices, BYOD and Guest Access Expected to strain both the corporate LAN (WiFi) and WAN
High Bandwidth Apps
App Content
Rich, Dynamic, Web-Based
App Delivery
App Consumption
Cloud, SaaS, Virtualized
Mobile, Diverse Devices
Common Business & IT Trends Evolving WAN Situation
Separation of management, control, data for scaling
Redundant management—cloud or on premises
Zero-touch provisioning in minutes, not days
Full segmentation support for fast app deployment
Choice of topologies with point-and-click
Complete visibility from single pane of glass
Comprehensive and Flexible to Fit Your Business
PHYSICAL SECURE ROUTERS or VIRTUAL SECURE ROUTERS
IN-HOUSE IT or MANAGED SERVICE
CAPEX WITH ANNUAL SUBSCRIPTION or ENTERPRISE-BASED AGREEMENT
SD-WAN Enterprise Grade Capabilities: Reducing Cost and Complexity for Agile IT
[Diagram: WAN challenges across Corporate Data Center, Campus, Branch, Small Office/Home Office and Cloud Data Center over MPLS, Internet and 4G/LTE: Critical Applications SLA, Bandwidth Oversubscription, Path Brownout, Application-aware Topologies, All Links Failure, Single Link Failure, Cloud Applications, Latency, Path MTU Changes, CPE Device Failure]
True Enterprise Class SDWAN
APPLICATION POLICIES: Per-Segment Topologies, Cloud Path, Application SLA, Secure Perimeter, Traffic Engineering, Transport Hub, Cloud Accel
SERVICES DELIVERY PLATFORM: QoS, Security, Segmentation, Svc Insertion, Survivability, Routing, Multicast
TRANSPORT INDEPENDENT FABRIC: Broadband, Cellular, MPLS – ZERO TOUCH, ZERO TRUST
Analytics, Monitoring, Operations
Architectural Constructs
SOFTWARE DEFINED: True separation of control, data and management
CLOUD: Cloud hosted and delivered
APPLICATION AWARE: Visibility & SLA business intent policy enforcement
SCALE AND FLEXIBILITY: True enterprise scale
SECURITY: Ingrained authentication, encryption, segmentation, access controls & service chaining
OPEN: for automation, orchestration, best-of-breed integration
Challenges: Application Bandwidth Requirements, Cloud Consumption, Disjointed Security, Simplified Operations, WAN Flexibility, Time To Capability
Control back to the Enterprise
Enabling Seamless transition from traditional WAN to SD WAN
SECURE WAN FABRIC: Broadband, 4G/LTE, MPLS – ZERO TOUCH, ZERO TRUST
Flexible Connectivity: Lower WAN costs
3G/4G-LTE
Branch
Private Cloud
Colocation
Public Cloud
MPLS
Internet
• Leverage local Internet path for public cloud and Internet access
• Secure VPN for private and virtual public cloud access
LOWER COSTS
Service Based Traffic Engineering: Service Insertion and Bandwidth Preservation
[Diagram: a User at Site A reaching an App Server over Internet and MPLS through the Virtual Fabric, with a Regional DC and the Data Center; flows UDP/5001 and UDP/5002; policy Allow UDP/5001 / Deny UDP/5002 enforced by a VNF (Firewall); the legacy path is labelled Wasted Bandwidth]
• Data Center WAN bandwidth is not “wasted”
• Firewall service is inserted into the overlay topology
• Security policy is enforced
REDUCE COMPLEXITY
Application Centric Networking
Broadband
4G/LTE
MPLS
#
DPI POLICY SLA
Service Chain
Transport Type
Local/Remote Breakout
SLA, Cloud
APPLICATION VISIBILITY
Secure Segmentation
[Diagram: vEdge Routers at Corporate Data Center, Campus, Small Office/Home Office, Branch and Cloud Data Center carrying VPN 1, VPN 2, VPN 3 and VPN 4 inside IPSec Tunnels over MPLS, Internet and 4G/LTE]
End-to-end segmentation
Local internet breakout
Secure Cloud Gateway
REDUCE RISK
Cloud Ready WAN
[Diagram: Data Center, Campus, Branch and Small Office/Home Office sites joined to Cloud Data Center and Cloud Applications over the Secure SD-WAN Fabric]
BETTER USER EXPERIENCE
Optimized SaaS access and performance visibility from all branches
Secure and resilient IaaS cloud-networking
Simplify WAN Management: Easier to deploy and manage
• Cloud-first management and orchestration
• Zero-touch provisioning
• Troubleshooting with simplified workflows
• Advanced analytics and assurance
Cloud-first Management, Analytics and Assurance
LOWER COSTS
From Managed WAN To SDWAN Network-as-a-Service
SD-WAN Cloud Use-Cases
[Diagram: Users, Devices and Things connect over the WAN to Apps in the DC, vDC, IaaS and SaaS; Analytics are Cloud Delivered; DNA Center provides an Intent-based Network Infrastructure with Analytics, Policy and Automation across INTENT, CONTEXT, SECURITY and LEARNING]
0 Transport Independent WAN Fabric
1 Cloud delivered WAN with operational simplicity & analytics
2 Superior security architecture – cloud based & on-prem
3 Application QOE
4 End-point flexibility: Physical or virtual; Rich services or lite; Branch, Agg, Cloud
Cisco Network-as-a-Service solution components: Service Provider Careabouts
[Diagram: Multi-tenant Control, Management, Orchestration and Analytics (Cisco NG SDWAN, Virtual Managed Services (VMS), NSO + Core FPs) over Internet, 4G LTE and MPLS; Multi-tenant Gateway on x86 towards Data Center, IaaS, SaaS and 3rd Party; edge on a Gray, White or Black box; Cloud networking]
An Edge device that enables to deliver the solution as a physical or virtual branch offering
A multi-tenant, cloud-native platform to orchestrate, provision, control and manage tenants
Transport independent fabric providing a secure scalable NG overlay
An infrastructure to deliver OTT value added services (UC, Security, AppEx, Analytics)
Cisco SDWAN
OSS/BSS, NSO or VMS – API – ANALYTICS, ORCHESTRATION
Management Plane (Multi-tenant or Dedicated): vManage – MANAGEMENT
Control Plane (Containers or VMs): vSmart – CONTROL
Orchestration Plane: vBond
Data Plane (Physical or Virtual): vEdge at Data Center, Campus, Branch, Home Office
INET, MPLS, 4G – Secure Control Channel
Solution Elements Functional Roles
vBond orchestrator:
- Primary authenticator for all SDWAN components
- Facilitates discovery of the control elements by the vEdge routers
- Notifies vEdges of their public IP, if behind NAT.
vManage is the network management system, a single pane of glass, for the entire SD-WAN fabric
vSmart controllers:
- Distribute reachability and security information between the vEdge routers
- Distribute data and app-route policies from vManage to vEdges. Enforce control policies.
- Perform best-path calculation for non ECMP routes and advertise best route to the vEdges (second best too, if configured)
vEdge routers sit at the perimeter of an SD-WAN site and provide connectivity across the fabric. vEdge routers handle the transmission of data traffic.
vEdge routers are offered as pre-integrated appliance or as a software-only virtual machine for ESXi, KVM, AWS and Microsoft Azure platforms.
Components
Control Plane
Data Plane
Management Plane
Orchestration Plane
vManage
vSmart
vEdge
vBond
Orchestration Plane
vBond
• Orchestrates connectivity
• First point of authentication
• Requires public IP Address
• Facilitates NAT traversal
• All other components need to know the vBond IP or DNS information
• Authorizes all control connections (white-list model)
• Distributes list of vSmarts to all vEdges
Control Plane
vSmart
• Centralized brain of the solution
• Establishes OMP Peering with vEdges
• Acts like Route Reflector
• Enables central control and central data policy creation and distribution: TE, Service Chaining, Hub and spoke, Partial or full mesh
• Orchestrates secure data plane connectivity between the edges
Data Plane
vEdge
• WAN edge router of the site
• Leverages traditional routing protocols like OSPF, BGP
• Applies policies on data plane traffic
• Establishes control plane (OMP) peering with vSmart
• Provides secure data plane
• Either hardware devices or software VNF support
Management Plane
vManage
• Centralized provisioning
• Centralized monitoring
• Simple graphical dashboard
• Supports: REST API, CLI, Syslog, SNMP, NETCONF
Multi-Tenant Orchestration Solution
[Diagram: Multi-Tenant vManage and Multi Tenant vBond serving vContainer1 and vContainer2; Customer1, Customer2 and Customer3 vEdge Routers]
Controllers
On-Premise: ESXi or KVM on a Physical Server – vManage, vSmart, vSmart (VM or Container), vBond*
Hosted: AWS or Azure – vManage, vSmart, vSmart, vBond (VM or Container)
* Can be deployed as physical vEdge appliance
Solution Offering
[Diagram: (1) Gray, White or Black box edge on x86 or PIP; (2) VMS / NSO – Multi-tenant: Control, Management, Orchestration With Analytics; (3) Existing / home grown MNS services (e.g. UCaaS); (4) Multi-tenant gateway towards DC, IaaS, SaaS and 3rd Party; transports Internet and 4G/LTE; Cloud networking]
Cisco SD-WAN Platform Options: Providing for flexibility in deployment
Branch Services
ISR 1000: 200 Mbps; Next-gen connectivity; Performance flexibility
ISR 4000: Up to 2 Gbps; Modular; Integrated service containers; Compute with UCS E
ASR 1000: 2.5-200Gbps; High-performance service w/hardware assist; Hardware & software redundancy
SD-WAN
vEdge 100: 100 Mbps; 4G LTE & Wireless
vEdge 1000: Up to 1 Gbps; Fixed
vEdge 2000: 10 Gbps; Modular
vEdge 5000 (NEW): ~30 Gbps; Modular
Virtualization
ENCS 5100: Up to 250Mbps
ENCS 5400: 250Mbps – 2GB
Public Cloud
Overlay Management Protocol (OMP): Unified Control Plane
• TCP based extensible control plane protocol
• Runs between vEdge routers and vSmart controllers and between the vSmart controllers
- Inside TLS/DTLS connections
• Advertises control plane context
• Dramatically lowers control plane complexity and raises overall solution scale
[Diagram: vSmart controllers peering with each other and with vEdge routers]
Note: vEdge routers need not connect to all vSmart Controllers
Fabric Operation: Fabric Walk-Through
OMP Update:
§ Reachability – IP Subnets, TLOCs
§ Security – Encryption Keys
§ Policy – Data/App-route Policies
[Diagram: two vEdges, each with service-side VPN1 and VPN2 (sites A, B and C, D) learning routes from BGP, OSPF, Connected and Static; BFD runs inside the IPSec Tunnel over Transport1 and Transport2; OMP runs inside the DTLS/TLS Tunnel to vSmart; OMP Updates carry Subnets, TLOCs and Policies]
Policy Framework: Centralized and Localized Policies
vManage pushes Device Configuration to vSmart and vEdge over NETCONF/YANG
Localized Policies (on the vEdge):
- Local Control Policy (OSPF/BGP)
- Local Data Policy (QoS/Mirror/ACL)
Centralized Policies (on the vSmart, distributed to the vEdges over OMP):
- Centralized Control Policy (Fabric Routing)
- Centralized Data Policy (Fabric Data Plane)
- Centralized App-Aware Policy (Application SLA)
Single Pane Of Glass Operations
Operations Simplicity and Visibility
Rich Analytics
vEdge Platform Portfolio
SOHO/SMB (100 M) – Branch (1 G) – Head-End Aggregation (10 G) – Higher Capacity Aggregation (20 G+) – NFV, vCPE (N x cores) – IaaS & Cloud Interconnect (N x cores)
Dual LTE variant back

Platform      Tunnels   Routes   VPNs
vEdge-100         250      25k   62+2
vEdge-1000       1500     128k   62+2
vEdge-2000       6000     125k   62+2
vEdge-5000       6000     128k   62+2
vEdge-Cloud      2500     128k   62+2
vEdge-1000 and vEdge-2000 Routers
vEdge 1000
§ 1 Gbps AES-256
§ 1RU, standard rack mountable
§ 8x GE SFP (10/100/1000)
§ TPM chip
§ 3G/4G via USB (or) Ethernet
§ Security, QoS
§ Dual Power supplies (external)
§ Low power consumption
vEdge 2000
§ 10 Gbps AES-256
§ 1RU, standard rack mountable
§ 4x Fixed GE SFP (10/100/1000)
§ 2 Pluggable Interface Modules
§ 8 x 1GE SFP (10/100/1000)
§ 2 x 10GE SFP+
§ TPM chip
§ 3G/4G via USB (or) Ethernet
§ Security, QoS
§ Dual power supplies (internal)
§ Redundant fans
vEdge-100 Routers
vEdge 100
§ 100 Mbps AES-256
§ 5x 1000Base-T
§ TPM chip
§ Security, QoS
§ External AC PS
§ Kensington lock
§ Fan-less
§ 9” x 1.75” x 5.5”
§ GPS
vEdge 100m
§ 100 Mbps AES-256
§ 1RU
§ 5x 1000Base-T
§ 1x POE port
§ 2G/3G/4G LTE
§ Internal AC PS
§ 1x USB-3.0
§ TPM Board-ID
§ Kensington lock
§ Low power fan
§ GPS
vEdge 100mw
§ 100 Mbps AES-256
§ 1RU
§ 5x 1000Base-T
§ 1x POE port
§ 2G/3G/4G LTE
§ 802.11a/b/g/n/ac
§ Internal AC PS
§ 1x USB-3.0
§ TPM Board-ID
§ Kensington lock
§ Low power fan
§ GPS
vEdge 5000: Campus and Data Center Edge
Platform Capabilities:
• 4 Network Interface Modules (NIM) slots
• Variety of NIM options: 8 x 1G, 4 x 10G, 2 x 40G
• Feature parity with Cisco vEdge2000 platform
ENCS 5000 Series Portfolio
ENCS 5104 4-Core: ISRv + 2 core VNF; LTE on Radar
ENCS 5406 6-Core: ISRv + 3 core VNF
ENCS 5408 8-Core: ISRv + 5 core VNF; PoE
ENCS 5412 12-Core: ISRv + 9 core VNF; PoE
LAN Ports; NIM LTE, DSL, T1; HDD, SSD; RAID, HW Crypto
Shipping Now / Q3 CY17
NEW – CiscoLive 2017 Las Vegas
Network Functions Virtualization Infrastructure
Network Functions Virtualization Infrastructure Software (NFVIS)
Hardware: ISR 4000 + UCS-E-Series, UCS C-Series, Enterprise Network Compute Systems (ENCS), COTS
Orchestration and Management (MANO)
VNFs: Virtual Router (ISRv), Virtual Router (vEdge), Virtual Firewall (ASAv), Virtual WAN Optimization (vWAAS), Virtual Wireless LAN Controller (vWLC), 3rd Party VNFs
vEdge Cloud Virtual Routers: Virtualized Branch or Cloud
On-Premise: ESXi or KVM on a Physical Server – vEdge Cloud VMs
Hosted: AWS or Azure – vEdge Cloud VMs
VM Throughput: 2x vCPU 500Mb/s; 4x vCPU 1Gb/s; 8x vCPU 1.5Gb/s
Controllers: Cloud or On-Premise Delivered
On-Premise: ESXi or KVM on a Physical Server – vManage, vSmart, vSmart (VM or vContainer), vBond*
Hosted: AWS or Azure – vManage, vSmart, vSmart, vBond (VM or vContainer)
* Can be deployed as physical vEdge appliance
Cisco’s Commitment
Cisco is committed to Viptela’s solution and architecture
Cisco is committed to the existing ISR 4K, ASR1K, ENCS, CSR, IWAN 2.x, and Meraki SD-WAN offerings.
Cisco will commit significant engineering resources to bring next-generation SD-WAN solutions to market
Cisco will address the broadest set of use cases to deliver successful partner and customer outcomes
Components Bring Up (Controllers and vEdges)
Zero Touch Provisioning: Plug-n-Play vEdge Secure Bring-up (Zero Trust)
[Diagram: the Administrator loads the vEdge List (White-List) and the vEdge Configuration Template into vManage; vBond and vSmart hold Identity and Trust; the Installer powers the vEdge, which obtains network connectivity via DHCP, reaches the ZTP Server and proves its Identity (X.509) from the TPM]
vEdge and Controllers White-List
• Administrator adds controllers (vSmarts and vBonds) on the vManage
- Can trigger CSR generation, forwarding to Symantec, retrieval and installation of signed CSR back into the controllers
• Controllers list is distributed by vManage to all the controllers
• Digitally Signed vEdge list is provided by Viptela and it is uploaded into the vManage by the administrator
- Downloadable from Viptela support page
• vEdge List is distributed by vManage to all the controllers
[Diagram: the Signed vEdge List and the Administrator Defined Controllers list are held by vManage and pushed to vSmart and vBond]
vEdge Appliance – Router Identity
• Each physical vEdge router is uniquely identified by the chassis ID and certificate serial number
• Certificate is stored in onboard Tamper Proof Module (TPM)
- Installed during manufacturing process
- Certificate is signed by Avnet root CA
- Trusted by Control Plane elements
• Symantec root CA chain of trust is used to validate Control Plane elements
- Alternatively, if used, Enterprise root CA chain of trust can be used to validate Control Plane elements
- Can be automatically installed during ZTP
[Diagram: Device Certificate in the TPM Chip, installed During Manufacturing; Root Chain In Viptela Software]
vEdge Cloud – Router Identity
• OTP/Token is generated by vManage
- One per (chassisID, serial number) in the uploaded vEdge list
• OTP/Token is supplied to vEdge Cloud in Cloud-Init during the VM deployment
• vManage issues self-signed certificate for the vEdge Cloud post OTP/Token validation
- vManage removes OTP to prevent reuse
• Symantec root CA chain of trust is used to validate Control Plane elements
- Alternatively, if used, Enterprise root CA chain of trust can be used to validate Control Plane elements
- Can be provided in Cloud-Init
[Diagram: Device Certificate Issued by vManage; Root Chain In Viptela Software]
Controllers Identity
• Controller identity is provided by the Symantec issued certificate
- Alternatively can use Enterprise CA. Requires Enterprise Root CA chain on all other controllers and vEdge routers
• Avnet Root CA chain is used to authenticate vEdge routers
• Viptela Root CA chain is used to authenticate vEdge Cloud routers
- Provided by the CA running on each vManage server. Could be multiple.
• Symantec Root CA chain is used to authenticate other controllers
[Diagram: Device Certificate Issued by Symantec; Root Chains In Viptela Software, including the one Issued by vManage CA (could be multiple)]
Certificate-Based Trust
• Bi-directional certificate-based trust between all elements
- Public or Enterprise PKI
• White-list of valid vEdges and controllers
- Certificate serial number as unique identification
[Diagram: the Signed vEdge List and the Administrator Defined Controllers list are shared by vEdge, vBond, vManage and vSmart]
1. Certificates are exchanged and mutual authentication takes place between vBond and vEdge over encrypted tunnel
2. vBond validates vEdge Router serial number and chassis ID against authorized vEdge white-list
3. vEdge Router validates vBond certificate organization name against locally configured one
4. Provisional DTLS tunnel is established between vBond and vEdge
5. vBond returns to vEdge a list of vSmart Controllers and vManage
6. vBond notifies vSmart and vManage of vEdge Router public IP address
7. Provisional DTLS tunnel between vBond and vEdge is terminated
Secure Control Channel: vEdge Routers
[Diagram: the vEdge Router with a configured Org Name establishes a Provisional DTLS/TLS Control Tunnel to vBond over its Public address; vBond checks for a Valid vEdge serial and chassis ID, returns the vSmart and vManage list, and passes the vEdge IP address to vSmart and vManage]
1. Certificates are exchanged and mutual authentication takes place between vSmart, vManage and vEdge over encrypted tunnel
2. vSmart and vManage validate vEdge Router serial number and chassis ID against authorized vEdge white-list
3. vEdge Router validates vSmart and vManage certificate organization name against locally configured one
4. Permanent DTLS/TLS tunnel between vSmart, vManage and vEdge is established
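The two numbered sequences above (vEdge to vBond, then vEdge to vSmart and vManage) apply the same pair of checks in each direction: the controller validates the vEdge serial number and chassis ID against the signed white-list, and the vEdge validates the controller certificate's organization name against its locally configured one. The following Python model of those checks is an added example, not Viptela or Cisco code; the certificate, white-list and root CA values are constructed placeholders, and the certificate is reduced to three fields rather than parsed from a real X.509 object.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Certificate:
    """Simplified stand-in for an X.509 certificate (constructed, not a real parser)."""
    subject_org: str   # organization name in the certificate subject
    serial: str        # certificate serial number
    issuer_root: str   # root CA at the top of the chain that signed it


@dataclass(frozen=True)
class VEdgeIdentity:
    chassis_id: str
    cert: Certificate


@dataclass
class Controller:
    role: str                      # "vBond", "vSmart" or "vManage"
    cert: Certificate
    trusted_roots: frozenset       # root CA chains installed on the controller
    # white-list entries are (chassis ID, certificate serial) pairs from the signed vEdge list
    vedge_whitelist: frozenset = field(default_factory=frozenset)


def controller_admits_vedge(ctl, edge):
    """Controller side (steps 1-2): the chain must be trusted and the
    (chassis ID, serial) pair must be present in the authorized vEdge white-list."""
    if edge.cert.issuer_root not in ctl.trusted_roots:
        return False, "vEdge certificate chain not trusted"
    if (edge.chassis_id, edge.cert.serial) not in ctl.vedge_whitelist:
        return False, "chassis ID / serial not in vEdge white-list"
    return True, "vEdge admitted"


def vedge_accepts_controller(edge_org, edge_trusted_roots, ctl):
    """vEdge side (steps 1 and 3): the chain must be trusted and the controller's
    certificate organization name must equal the locally configured one."""
    if ctl.cert.issuer_root not in edge_trusted_roots:
        return False, f"{ctl.role} certificate chain not trusted"
    if ctl.cert.subject_org != edge_org:
        return False, f"{ctl.role} organization name mismatch"
    return True, f"{ctl.role} accepted"


def mutual_authentication(edge, edge_org, edge_trusted_roots, ctl):
    """Both directions must pass before the DTLS/TLS control tunnel is kept."""
    admitted, why_ctl = controller_admits_vedge(ctl, edge)
    accepted, why_edge = vedge_accepts_controller(edge_org, edge_trusted_roots, ctl)
    return admitted and accepted, (why_ctl, why_edge)


# Constructed sample data (placeholder names, not real identities).
WHITELIST = frozenset({("CHASSIS-0001", "1A2B3C"), ("CHASSIS-0002", "4D5E6F")})
VBOND = Controller("vBond", Certificate("Example-Org", "C0FFEE", "Symantec-Root"),
                   frozenset({"Avnet-Root", "Symantec-Root"}), WHITELIST)
# a controller whose certificate chains to a trusted root but carries another organization
ROGUE_VBOND = Controller("vBond", Certificate("Other-Org", "DEAD01", "Symantec-Root"),
                         frozenset({"Avnet-Root", "Symantec-Root"}), WHITELIST)
EDGE_ROOTS = frozenset({"Symantec-Root"})

GOOD_EDGE = VEdgeIdentity("CHASSIS-0001", Certificate("Example-Org", "1A2B3C", "Avnet-Root"))
UNLISTED_EDGE = VEdgeIdentity("CHASSIS-0009", Certificate("Example-Org", "999999", "Avnet-Root"))


if __name__ == "__main__":
    for label, edge, ctl in [("good edge / good vBond", GOOD_EDGE, VBOND),
                             ("unlisted edge", UNLISTED_EDGE, VBOND),
                             ("good edge / wrong org", GOOD_EDGE, ROGUE_VBOND)]:
        ok, reasons = mutual_authentication(edge, "Example-Org", EDGE_ROOTS, ctl)
        print(f"{label}: {'tunnel kept' if ok else 'tunnel rejected'} {reasons}")
```

The organization-name check is what stops a device with a perfectly valid certificate from another organization's overlay from being accepted as a controller; the white-list check is what stops a genuine, manufacturer-signed vEdge that the administrator never authorized from joining the fabric.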
Secure Control Channel: vEdge Connection to vSmart Controller and vManage
[Diagram: the vEdge Router with a configured Org Name establishes Permanent DTLS/TLS Control Tunnels to vSmart and vManage over their Public addresses; each controller checks for a Valid vEdge serial and chassis ID]
Control Plane Sessions
• Secure Channel to SD-WAN Controllers (vSmart, vBond, vManage)
• Single extensible control plane
• Operates over DTLS/TLS authenticated and secured tunnels
• OMP - between vEdge routers and vSmart controllers and between the vSmart controllers
• NETCONF – Provisioning from vManage
Session types shown in the diagram:
- vEdge to vManage: DTLS or TLS; Viptela Primitives; NETCONF; Permanent; Single Session
- vEdge to vBond: DTLS Only; Viptela Primitives; Temporary
- vEdge to vSmart: DTLS or TLS; Viptela Primitives; OMP; Permanent; 1 session / vSmart / TLOC
- Fourth session in the diagram (endpoints not labelled in the extracted text): DTLS only; Viptela Primitives; Permanent; Multiple Sessions
Firewall Ports – DTLS
[Diagram: a vEdge behind a Firewall connecting to vBond – IP1, vSmart – IP1, vSmart – IP2 and vManage – IP1; red signifies primary protocol or first port used]
• vEdge ports (UDP): 12346, 12366, 12386, 12406, 12426
• vBond: UDP 12346
• vSmart and vManage (UDP, one base port per core): Core0 12346, Core1 12446, Core2 12546, Core3 12646, Core4 12746, Core5 12846, Core6 12946, Core7 13046
• vBond IPs are not Elastic; it is recommended to permit UDP/12346 to/from any from the vEdge.
• vEdges can port hop to establish a connection; it is recommended to permit all 5 UDP ports inbound to all vEdges
The vManage NMSs and vSmart controllers can run on a virtual machine (VM) with up to eight virtual CPUs (vCPUs). The vCPUs are designated as Core0 through Core7. Each core is allocated separate base ports for control connections.
vBond orchestrators do not support multiple cores. vBond orchestrators always use DTLS tunnels to establish control connections with other Viptela devices, so they always use UDP. The UDP port is 12346.
Default – No Port Offset Configured and DTLS
Firewall Ports – TLS
[Diagram: same topology as the DTLS case; red signifies primary protocol or first port used]
• vEdge ports (UDP): 12346, 12366, 12386, 12406, 12426
• vBond: UDP 12346
• vSmart and vManage (TCP, one base port per core): Core0 23456, Core1 23556, Core2 23656, Core3 23756, Core4 23856, Core5 23956, Core6 24056, Core7 24156
• vBond IPs are not Elastic; it is recommended to permit UDP/12346 to/from any from the vEdge.
• vEdges can port hop to establish a connection; it is recommended to permit all 5 UDP ports inbound to all vEdges
Default – No Port Offset Configured and TLS
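The DTLS and TLS port tables above follow a fixed pattern: the vEdge hops across five UDP ports 20 apart starting at 12346, and each vSmart or vManage core takes a base port 100 above the previous one (12346 for DTLS/UDP, 23456 for TLS/TCP), while vBond is always UDP 12346. The Python below, an added example rather than anything from the deck or from Cisco, turns that pattern into a generator for a site firewall allow-list so the rule set can be derived and reviewed instead of typed by hand. The `port_offset` parameter models the "port offset" the slides say is not configured by default; treating it as a uniform shift of every hop port is an assumption of this example, and the controller IPs are constructed placeholders.

```python
DTLS_BASE_PORT = 12346   # UDP base port for DTLS control connections (slide)
TLS_BASE_PORT = 23456    # TCP base port for TLS control connections (slide)
CORE_STRIDE = 100        # controller cores Core0..Core7 are 100 ports apart (slide)
HOP_STRIDE = 20          # vEdge port hopping steps 20 ports at a time (slide)
HOP_COUNT = 5            # the slide lists five vEdge UDP ports
MAX_CORES = 8            # up to eight vCPUs per vSmart / vManage (slide)


def vedge_hop_ports(port_offset=0):
    """UDP ports a vEdge may use when it port hops.
    port_offset is assumed to shift every hop port by the same amount (default 0)."""
    return [DTLS_BASE_PORT + port_offset + i * HOP_STRIDE for i in range(HOP_COUNT)]


def controller_core_ports(protocol, cores=MAX_CORES):
    """Base port per vCPU core on a vSmart or vManage for DTLS (UDP) or TLS (TCP)."""
    if not 1 <= cores <= MAX_CORES:
        raise ValueError("vSmart/vManage support 1..8 cores")
    base = {"dtls": DTLS_BASE_PORT, "tls": TLS_BASE_PORT}[protocol]
    return {f"Core{c}": base + c * CORE_STRIDE for c in range(cores)}


def firewall_rules(vedge_ip, controllers, protocol):
    """Allow-list rows (l4proto, src, dst, dport) a site firewall needs so the
    vEdge can reach every controller and be reached back.
    controllers: list of (role, ip, cores). vBond is DTLS-only and single-core;
    because its IPs are not elastic the slide recommends UDP/12346 to/from any."""
    rules = []
    for role, ip, cores in controllers:
        if role == "vBond":
            rules.append(("udp", "any", ip, DTLS_BASE_PORT))
            continue
        l4 = "udp" if protocol == "dtls" else "tcp"
        for port in controller_core_ports(protocol, cores).values():
            rules.append((l4, vedge_ip, ip, port))
    # inbound: all five hop ports must be open towards the vEdge
    for port in vedge_hop_ports():
        rules.append(("udp", "any", vedge_ip, port))
    return rules


if __name__ == "__main__":
    # constructed addresses (RFC 5737 documentation ranges)
    site_controllers = [("vBond", "203.0.113.1", 1), ("vSmart", "203.0.113.2", 8),
                        ("vSmart", "203.0.113.3", 8), ("vManage", "203.0.113.4", 8)]
    for rule in firewall_rules("10.1.1.1", site_controllers, "tls"):
        print("%-3s %-12s -> %-12s %d" % rule)
```

Reviewing the generated list against a real firewall configuration is a quick way to catch the common mistake of opening only the first vEdge port, which works until the vEdge hops and the control connection then fails to re-establish.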
• Overlay Management Protocol – Control plane protocol distributing reachability, security and policies throughout the fabric
• Transport Locator (TLOC) – Transport attachment point and next hop route attribute
• Color – Control plane tag used for IPSec tunnel establishment logic
• Site ID – Unique per-site numeric identifier used in policy application
• System IP – Unique per-device (vEdge and controllers) IPv4 notation identifier. Also used as Router ID for BGP and OSPF.
• Organization Name – Overlay identifier common to all elements of the fabric
• VPN – Device-level and network-level segmentation.
Viptela Fabric Terminology
Software Defined Centralized Control
[Diagram: Legacy O(n^2) complexity versus SD-WAN O(n) complexity, with the Control Elements reached over Control Plane DTLS/TLS]
• Virtual Fabric over any transport
• Virtual or Physical Platforms (vEdge)
• Centralized reachability, security and application policies
• Secure Channel to SD-WAN Controller (vSmart, vBond, vManage)
- Single extensible control plane
- Operates over DTLS/TLS authenticated and secured tunnels
• Dramatically lowers complexity and increases overall solution scale
Overlay Management Protocol (OMP)
• TCP based extensible control plane protocol
• Runs between vEdge routers and vSmart controllers and between the vSmart controllers
- Inside TLS/DTLS connections
• Leverages address families to advertise reachability for TLOCs, unicast/multicast destinations (statically/dynamically learnt service side routes), service routes (L4-L7), BFD stats (TE and H-SDWAN) and Cloud onRamp for SaaS probe stats (gateway)
- Uses attributes
• Distributes IPSec encryption keys, and data and app-aware policies (embedded NETCONF)
[Diagram: vSmart controllers peering with each other and with vEdge routers]
Transport Independent Fabric: Transport Locators Advertisement
[Diagram: vEdges advertise their Local TLOCs (System IP, Color, Encap) over OMP to vSmart; IPSec Tunnels form between the vEdges]
TLOCs advertised to vSmarts
vSmarts advertise TLOCs to all vEdges* (Default)
Full Mesh SD-WAN Fabric (Default)
* Can be influenced by the control policies
Transport Independent Fabric: Transport Locators Colors
Color - Control plane tag used for IPSec tunnel establishment logic
[Diagram: two vEdges, each with a Public transport (T1, T3) and a Private transport (T2, T4), with a DMZ in between]
T1, T3 – Public Color; T2, T4 – Private Color
Tunnel pairs attempted without color restrict: T1 T3, T1 T4, T2 T4, T2 T3
Color restrict will prevent attempt to establish IPSec tunnel to TLOCs with different color
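To make the color logic on this slide concrete, here is a small Python model of the tunnel-attempt decision, written as an added example for this transcript rather than taken from the deck or from Viptela software. It reproduces the slide's four-tunnel set for T1..T4 without restrict and the reduced set with restrict. The TLOC is modelled as the (System IP, Color, Encap) triple from the advertisement slide plus a restrict flag; the color names, system IPs and the requirement that encapsulation match are constructed assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TLOC:
    """Transport Locator: (System IP, Color, Encap) plus the restrict flag."""
    system_ip: str
    color: str
    encap: str = "ipsec"
    restrict: bool = False


def tunnel_attempted(a, b):
    """Decide whether two TLOCs try to bring up an IPSec tunnel.
    Same-device pairs never form tunnels. With 'restrict' set on either side,
    only TLOCs carrying the same color are attempted (the slide's rule); without
    it every cross-device pair is attempted (the slide's T1-T3, T1-T4, T2-T4,
    T2-T3 set). Requiring matching encap is an assumption of this example."""
    if a.system_ip == b.system_ip:
        return False
    if a.encap != b.encap:
        return False
    if (a.restrict or b.restrict) and a.color != b.color:
        return False
    return True


def compute_tunnels(tlocs):
    """Full-mesh default: every TLOC pair that passes the color logic."""
    pairs = set()
    for i, a in enumerate(tlocs):
        for b in tlocs[i + 1:]:
            if tunnel_attempted(a, b):
                pairs.add(frozenset({(a.system_ip, a.color), (b.system_ip, b.color)}))
    return pairs


def tunnel_names(tlocs, names):
    """Render tunnel pairs with the slide's T1..T4 labels
    (names maps (system_ip, color) -> label)."""
    return sorted("-".join(sorted(names[end] for end in pair)) for pair in compute_tunnels(tlocs))


# Constructed sample fabric: vEdge 10.0.0.1 owns T1 (public) and T2 (private);
# vEdge 10.0.0.2 owns T3 (public) and T4 (private). Color names are examples.
def slide_fabric(restrict):
    return [TLOC("10.0.0.1", "biz-internet", restrict=restrict),
            TLOC("10.0.0.1", "mpls", restrict=restrict),
            TLOC("10.0.0.2", "biz-internet", restrict=restrict),
            TLOC("10.0.0.2", "mpls", restrict=restrict)]


NAMES = {("10.0.0.1", "biz-internet"): "T1", ("10.0.0.1", "mpls"): "T2",
         ("10.0.0.2", "biz-internet"): "T3", ("10.0.0.2", "mpls"): "T4"}

if __name__ == "__main__":
    print("no restrict:", tunnel_names(slide_fabric(False), NAMES))
    print("restrict:   ", tunnel_names(slide_fabric(True), NAMES))
```

With restrict off, a private MPLS TLOC will also try to reach the peer's public TLOC across the DMZ; with restrict on, the private transport only ever pairs with private colors, which is the setting to reason about when a private transport must never see tunnel attempts from the Internet side.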
Transport Independent Fabric: NAT Traversal
[Diagram, Full-Cone NAT: vEdge1 behind NAT sends from IP1:Port1 and is seen as IP1’:Port1 by vBond (NAT Detection), by vSmart (OMP) and by vEdge2 (IP2:Port2); the same mapping IP1’:Port1 is reported to all peers]
[Diagram, Symmetric NAT: vEdge1 behind NAT sends from IP1:Port1 and is seen as IP1’:Port1’ by vBond (NAT Detection); that mapping accepts only traffic from vBond, and vSmart (OMP) and vEdge2 (IP2:Port2) learn IP1’:Port1’]
WAN Communication: Traffic Forwarding
• Per-Session Loadsharing – Active/Active
• Per-Session Weighted – Active/Active
• Application Pinning – Active/Standby
• Application Aware Routing – SLA Compliant
[Diagram: Hierarchical Multihop Fabric through a Core versus Single-hop Fabric]
Bidirectional Forwarding Detection (BFD)
[Diagram: BFD sessions between all vEdges]
• Path liveliness and quality measurement detection protocol
- Up/Down, loss/latency/jitter, IPSec tunnel MTU
• Runs between all vEdge and vEdge Cloud routers in the topology
- Inside IPSec tunnels
- Automatically invoked after each IPSec tunnel establishment
- Cannot be disabled
• Uses hello (up/down) interval, poll (app-aware) interval and multiplier for detection
- Fully customizable per-vEdge, per-color
Fabric Walkthrough
OMP Update:
§ Reachability – IP Subnets, TLOCs
§ Security – Encryption Keys
[Diagram: two vEdges with service-side VPN1 and VPN2 (sites A, B, C, D) learning routes from BGP, OSPF, Connected and Static; BFD inside the IPSec Tunnel over Transport1 and Transport2 (VPN0); OMP inside the DTLS/TLS Tunnel to vSmart; OMP Updates carry Subnets, TLOCs and Policies]
§ VPN isolation is carried over all transports
- https://tools.ietf.org/html/rfc4023
Data Plane Security: Encryption
[Diagram: vSmart Controllers with Control Plane AES256-GCM; two vEdges over Transport1 and Transport2. Left vEdge: Local Key1, Key2; Remote Key1’, Key2’. Right vEdge: Local Key1’, Key2’; Remote Key1, Key2. OMP Updates carry the keys]
§ Each vEdge advertises its local IPsec encryption keys
§ Encryption key is per-transport
§ Symmetric encryption keys used asymmetrically
Traffic Encrypted with Keys 1’ / 2’
Traffic Encrypted with Keys 1 / 2
Data Plane Security: Integrity
[Diagram: vSmart Controllers with Control Plane AES256-GCM; two vEdges over Transport1 and Transport2 with Network Address Translation in the path; OMP Updates]
Packet layout: IP (20) | UDP (8) | ESP (36) | Data (…); the payload is Encrypted and the packet is Authenticated
§ vBond discovers vEdge public IP address, even if traverses NAT
§ vBond communicates public IP to the vEdge
§ vEdge computes AH value based on the post NAT public IP
§ Packet integrity (+IP headers) is preserved across NAT
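The encryption slide and this integrity slide describe two ideas that are easy to get backwards: traffic toward a vEdge is protected with the key that vEdge advertised for the transport (symmetric keys used asymmetrically), and the integrity value is computed over the post-NAT public address that vBond reported, so a NAT rewrite on the path does not invalidate it. The Python below is an added example for this transcript, not Viptela or Cisco code; it uses random placeholder keys and HMAC-SHA256 as a stand-in for the AES-256-GCM integrity check, and the private/public addresses are constructed.

```python
import hashlib
import hmac
import os


class VEdge:
    """Per-vEdge key state (added example; keys are random placeholders)."""

    def __init__(self, name, transports):
        self.name = name
        # one local key per transport, advertised to the fabric via OMP
        self.local_keys = {t: os.urandom(32) for t in transports}
        self.peer_keys = {}       # (peer name, transport) -> key learned from OMP


def vsmart_reflect_keys(edges):
    """Each vEdge's local keys reach every other vEdge (OMP Update: Security – Encryption Keys)."""
    for src in edges:
        for dst in edges:
            if dst is not src:
                for transport, key in src.local_keys.items():
                    dst.peer_keys[(src.name, transport)] = key


def key_for_traffic(sender, receiver_name, transport):
    """Symmetric key used asymmetrically: traffic *towards* a vEdge is protected
    with the key that vEdge advertised for the transport."""
    return sender.peer_keys[(receiver_name, transport)]


def integrity_tag(key, src_ip, dst_ip, payload):
    """Stand-in for the per-packet integrity value covering the IP header and data
    (HMAC-SHA256 here; the platform uses AES-256-GCM)."""
    return hmac.new(key, f"{src_ip}>{dst_ip}|".encode() + payload, hashlib.sha256).digest()


def send(sender, receiver, transport, src_ip_in_header, tag_src_ip, dst_ip, payload):
    """Build a packet. The sender's real source address goes in the header, while the
    tag is computed over tag_src_ip, which should be the public IP vBond reported."""
    key = key_for_traffic(sender, receiver.name, transport)
    return {"src": src_ip_in_header, "dst": dst_ip, "payload": payload,
            "tag": integrity_tag(key, tag_src_ip, dst_ip, payload)}


def nat_rewrite(packet, public_ip):
    """Source NAT in the transport rewrites the outer source address."""
    return {**packet, "src": public_ip}


def verify(receiver, transport, packet):
    """The receiver recomputes the tag with its own local key over the addresses it sees."""
    key = receiver.local_keys[transport]
    expected = integrity_tag(key, packet["src"], packet["dst"], packet["payload"])
    return hmac.compare_digest(expected, packet["tag"])


# Constructed scenario: vEdge1 sits behind NAT (private 192.168.1.10, public 203.0.113.5).
EDGE1 = VEdge("vEdge1", ["transport1", "transport2"])
EDGE2 = VEdge("vEdge2", ["transport1", "transport2"])
vsmart_reflect_keys([EDGE1, EDGE2])
PRIVATE_IP, PUBLIC_IP, PEER_IP = "192.168.1.10", "203.0.113.5", "198.51.100.7"


def demo(use_public_ip_from_vbond):
    """True: tag over the vBond-reported public IP (survives NAT).
    False: tag over the private IP (fails as soon as NAT rewrites the header)."""
    tag_ip = PUBLIC_IP if use_public_ip_from_vbond else PRIVATE_IP
    pkt = send(EDGE1, EDGE2, "transport1", PRIVATE_IP, tag_ip, PEER_IP, b"hello")
    return verify(EDGE2, "transport1", nat_rewrite(pkt, PUBLIC_IP))


if __name__ == "__main__":
    print("tag over public IP verifies after NAT:", demo(True))
    print("tag over private IP verifies after NAT:", demo(False))
```

Note that the receiver never needs the sender's key: it verifies with the key it advertised itself, which is exactly why each vEdge can rotate its own per-transport key through OMP without coordinating a shared secret with every peer.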
Segmentation and Service Insertion
Viptela VPNs
[Diagram: Transport (VPN0) with interfaces to MPLS and INET; Service (VPNn) with its own interfaces; Management (VPN512) with its interface]
• VPNs are isolated from each other, each VPN has its own forwarding table
• vEdge router allocates label to each of its service VPNs and advertises it as route attribute in OMP updates
- Labels are used to identify VPN in the incoming packets
Secure Segmentation
[Diagram: Ingress vEdge with VPN 1, VPN 2 and VPN 3 sending over the SD-WAN IPSec Tunnel to an Egress vEdge; packet layout IP (20) | UDP (8) | ESP (36) | VPN label (4) | Data; on each side Interfaces and VLANs are mapped into VPN1 and VPN2]
• Segment connectivity across fabric w/o reliance on underlay transport
• vEdge routers maintain per-VPN routing table
• Labels are used to identify VPN for destination route lookup
• Interfaces and sub-interfaces (802.1Q tags) or a mix of both are mapped into VPNs
§ VPN isolation is carried over all transports
- https://tools.ietf.org/html/rfc4023
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Application Aware Topologies - Arbitrary VPN Topologies
[Figure: VPN1 full-mesh, VPN2 hub-and-spoke, VPN3 partial mesh, VPN4 point-to-point]
• Each VPN can have its own topology
- Full-mesh, hub-and-spoke, partial-mesh, point-to-point, etc.
• VPN topology can be influenced by leveraging control policies
- Filtering TLOCs or modifying the next-hop TLOC attribute for routes
• Applications can benefit from shortest path, e.g. voice takes full-mesh topology
• Security compliance can benefit from controlled connectivity topology, e.g. PCI data takes hub-and-spoke topology
Multi-Topology
[Figure: vSmart controllers distribute application policies over the control plane to the vEdge routers]
• Arbitrary per-VPN topology
• Topology reflects desired traffic forwarding patterns, e.g. voice and video full-mesh, business apps hub-and-spoke
• vSmart controls VPN topology through control plane advertisements
• vEdge routers can participate in multiple topologies at the same time
Single Service Insertion
[Figure: Data Center, Regional Hub and Remote Office vEdges in VPN1 over MPLS, INET and 4G; a firewall (FW) is attached to the Regional Hub vEdge; service advertisement and policy advertisement* flow through the vSmart controller over the control plane; the traffic path between Data Center and Remote Office is redirected through the FW]
• vEdge router with connected L4-L7 service makes advertisement
- Service route OMP address family
- Service VPN label
• Service is advertised in specific VPN
• Service can be L3 routed or L2 bridged
• Service can be singly or dually connected (Firewall trust zones) to the advertising vEdge
• Control or data policies are used to insert the service node into the matching traffic forwarding path
- Match on 6-tuple or DPI signature
- Applied on ingress/egress vEdge
* For data policy only. Control policy enforced on vSmart.
Multiple Services Chaining
[Figure: as in the single service insertion slide, with a firewall (FW) and an IDS attached at the Regional Hub; the traffic path between Data Center and Remote Office traverses both services]
• vEdge routers with connected L4-L7 service make advertisement
- Service route OMP address family
- Services VPN labels
• Services are advertised in specific VPN
• Services can be L3 routed or L2 bridged
• Services can be singly or dually connected to the advertising vEdges
• Control or data policies are used to insert the service nodes into the matching traffic forwarding path
- Match on 6-tuple or DPI signature
- Applied on ingress/egress/service vEdge
* For data policy only. Control policy enforced on vSmart.
Streaming Content Distribution - Multicast Traffic
[Figure: sender in the Data Center behind the RP; vEdge Replicators in the SD-WAN fabric; branch receivers; IGMP/PIM on the service side; OMP updates to and from the vSmart controllers over the control plane]
§ vEdges interoperate with IGMP v1/v2 and PIM on the service side
§ vEdges advertise receiver multicast groups using OMP
§ vEdge Replicators replicate multicast stream to receivers
§ Multicast is encapsulated in point-to-point tunnels
Application Experience and QoS
Application Recognition - Deep Packet Inspection Engine
Primary Use Cases:
- Application visibility
- Application Firewall
- Traffic prioritization
- Transport selection
[Figure: vEdge router recognizing App 1 ... App 3,000 across Cloud Data Center, Data Center, Campus, Branch and Small Office/Home Office sites over MPLS, INET and 3G/4G]
Bidirectional Forwarding Detection (BFD)
[Figure: BFD sessions between all vEdge routers in the topology]
• Path liveliness and quality measurement detection protocol
- Up/Down, loss/latency/jitter, IPSec tunnel MTU
• Runs between all vEdge and vEdge Cloud routers in the topology
- Inside IPSec tunnels
- Automatically invoked after each IPSec tunnel establishment
- Cannot be disabled
• Uses hello (up/down) interval, poll (app-aware) interval and multiplier for detection
- Fully customizable per-vEdge, per-color
Transport SLA Monitoring - Path Quality Detection
[Figure: vEdge router sending BFD probes; hello interval (ms), poll interval (ms) and app-route multiplier (n) spanning several poll intervals]
• Each vEdge router generates a BFD packet every "hello" interval for path quality (and liveliness) detection
• BFD packets are generated for each transport individually. Timers can be adjusted for quicker detection.
• Poll interval determines the average path quality measurement (loss, latency, jitter)
• App-route multiplier determines the average path quality measurement across the poll intervals
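As an added illustration of the three timers on this slide (not part of the original deck and not Cisco code), the following Python model turns one probe result per hello interval into a per-poll-interval loss/latency/jitter measurement and then averages the last app-route-multiplier poll intervals, which is the value an SLA check would compare against. The probe stream, the timer values and the jitter formula (mean absolute difference of consecutive round-trip times) are constructed assumptions, not the vEdge implementation.

```python
"""BFD path-quality measurement pipeline (added example, not Cisco code).

Models the three knobs on the slide: the hello interval (one probe per
hello), the poll interval (probes are aggregated into one loss/latency/
jitter measurement per poll interval) and the app-route multiplier (the
number of most recent poll-interval measurements that are averaged before
the result is compared against an SLA).  How the real vEdge computes
jitter and rounds values is an assumption here.
"""
from statistics import mean


def poll_stats(probes):
    """Aggregate the probe results of one poll interval.

    `probes` holds one round-trip time in ms per hello interval, with None
    for a probe that never came back.  Returns (loss %, latency ms, jitter ms).
    """
    received = [rtt for rtt in probes if rtt is not None]
    loss = 100.0 * (len(probes) - len(received)) / len(probes)
    latency = mean(received) if received else float("inf")
    # Jitter: mean absolute difference between consecutive received RTTs.
    diffs = [abs(a - b) for a, b in zip(received, received[1:])]
    jitter = mean(diffs) if diffs else 0.0
    return loss, latency, jitter


def app_route_stats(poll_history, multiplier):
    """Average the last `multiplier` poll-interval measurements."""
    window = poll_history[-multiplier:]
    return tuple(mean(column) for column in zip(*window))


def probes_per_poll(hello_ms, poll_ms):
    """How many hello probes fall into one poll interval."""
    return poll_ms // hello_ms


def measure_path(probe_rtts, hello_ms, poll_ms, multiplier):
    """Run a probe stream through the poll-interval / multiplier pipeline.

    Returns the (loss %, latency ms, jitter ms) tuple the SLA check would
    see after the last complete poll interval.
    """
    n = probes_per_poll(hello_ms, poll_ms)
    polls = [poll_stats(probe_rtts[i:i + n])
             for i in range(0, len(probe_rtts) - n + 1, n)]
    return app_route_stats(polls, multiplier)


if __name__ == "__main__":
    # Constructed probe stream: hello 1000 ms, poll 4000 ms -> 4 probes per
    # poll; the second poll loses one probe, the third sees higher latency.
    stream = [10, 10, 10, 10, 10, None, 10, 10, 30, 30, 30, 30]
    print("multiplier 1:", measure_path(stream, 1000, 4000, 1))
    print("multiplier 2:", measure_path(stream, 1000, 4000, 2))
    print("multiplier 3:", measure_path(stream, 1000, 4000, 3))
```

Running the sample shows the trade-off the slide describes: a multiplier of 1 reacts to the latest poll interval only, while a larger multiplier smooths both the lost probe and the latency jump over a longer window and so reacts later.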
Critical Applications SLA - Application Aware Routing
§ By default, without any local or centralized data policies, Cisco SDWAN performs flow-based load sharing across all transports available between the vEdge routers
§ With policies:
- Enforce SLA compliant path for applications of interest
- Other applications will follow active/active behavior across all paths
[Figure: two vEdge routers connected by IPSec tunnels over Internet, MPLS and 4G LTE; Path1: 10ms, 0% loss; Path2: 200ms, 3% loss; Path3: 140ms, 1% loss; vManage pushes an App Aware Routing Policy through the vSmart controllers: App A path must have latency <150ms and loss <2%]
Optimal Network Utilization for App Traffic - Path MTU Discovery
[Figure: two vEdge routers with an IPSec tunnel over Transport1 and Transport2; Network Path MTU Discovery runs between the vEdges, Host Path MTU Discovery toward the hosts]
§ Automatic and proactive Network Path MTU Discovery leveraging BFD protocol
§ Support for Host Path MTU Discovery
§ Automatic MSS adjust for TCP traffic
- Can also be manually configured
§ IP ICMP Unreachable (type 3, code 4)
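The following Python snippet is an added example (not from the deck) that works through the arithmetic behind MSS adjustment and the ICMP type 3 code 4 behaviour on this slide. The header sizes are the ones drawn on the segmentation slides (20 IP, 8 UDP, 36 ESP, 4 VPN label); the real ESP overhead varies with cipher, IV and padding, and the decision logic for oversized packets is an assumption for illustration, not vEdge code.

```python
"""Tunnel overhead, MSS clamping and ICMP type 3 code 4 (added example).

Header sizes are taken from the packet layout on the segmentation slides
(20 IP, 8 UDP, 36 ESP, 4 VPN label); the real ESP overhead varies with
cipher, IV and padding, so treat the constants as an illustration.  The
decision logic for oversized packets is an assumption, not vEdge code.
"""
OUTER_IP = 20      # outer IPv4 header
UDP = 8            # UDP encapsulation of ESP (NAT traversal)
ESP = 36           # ESP header, IV and trailer/ICV as one number on the slide
VPN_LABEL = 4      # label identifying the service VPN
INNER_IP = 20      # inner IPv4 header (no options)
TCP = 20           # TCP header (no options)


def tunnel_overhead():
    """Bytes added to every inner packet by the SD-WAN IPSec encapsulation."""
    return OUTER_IP + UDP + ESP + VPN_LABEL


def tunnel_mtu(path_mtu):
    """Largest inner IP packet that fits in one frame of the underlay path."""
    return path_mtu - tunnel_overhead()


def clamped_mss(path_mtu):
    """TCP MSS value to write into SYN segments so segments fit the tunnel."""
    return tunnel_mtu(path_mtu) - INNER_IP - TCP


def handle_inner_packet(inner_len, dont_fragment, path_mtu):
    """What the tunnel ingress does with an inner packet of `inner_len` bytes.

    Returns "forward", "fragment" (DF not set: fragment before encapsulating)
    or ("icmp-unreachable", next_hop_mtu) for a DF packet that does not fit,
    mirroring the ICMP type 3 code 4 behaviour the slide lists.
    """
    limit = tunnel_mtu(path_mtu)
    if inner_len <= limit:
        return "forward"
    if not dont_fragment:
        return "fragment"
    return ("icmp-unreachable", limit)


if __name__ == "__main__":
    print("overhead:", tunnel_overhead(), "bytes")
    print("tunnel MTU for 1500-byte path:", tunnel_mtu(1500))
    print("MSS to advertise:", clamped_mss(1500))
    print("1500-byte DF packet:", handle_inner_packet(1500, True, 1500))
```

With a 1500-byte underlay path the model yields a 1432-byte tunnel MTU and an MSS of 1392, which is why a host that keeps its default 1460-byte MSS would otherwise trigger fragmentation or an ICMP unreachable for every full-sized segment.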
Example
App Policy applied with DSCP EF, preferred path MPLS, rest is default. Simulation with DSCP 0 (default).
App Policy applied with DSCP EF, preferred path MPLS. Simulation with DSCP 46 (EF).
[Figure: simulation screenshots]
Differentiated Services - Quality of Service
[Figure: packet path through the vEdge router: ingress interface, traffic classification (Voice, Business, Best Effort), queue mapping to Q0..Q7, scheduling, egress interface; IPSec encapsulation copies the inner TOS/DSCP bits into the outer header]
Queue 0 is strict priority
Localized Data Policy (QoS) Configuration
Step 1: Configure forwarding classes and mapping to output queues
policy
 class-map
  class best-effort queue 3
  class bulk-data queue 2
  class critical-data queue 1
  class voice queue 0
 !
!
Step 2: Configure the QoS scheduler forwarding classes
policy
 qos-scheduler be-scheduler
  class best-effort
  bandwidth-percent 20
  buffer-percent 20
  scheduling wrr
  drops red-drop
 !
 qos-scheduler bulk-scheduler
  class bulk-data
  bandwidth-percent 20
  buffer-percent 20
  scheduling wrr
  drops red-drop
 !
 qos-scheduler critical-scheduler
  class critical-data
  bandwidth-percent 40
  buffer-percent 40
  scheduling wrr
  drops red-drop
 !
 qos-scheduler voice-scheduler
  class voice
  bandwidth-percent 20
  buffer-percent 20
  scheduling llq
  drops tail-drop
 !
!
Step 3: Define QoS Map by grouping QoS Schedulers.
policy
 qos-map MyQoSMap
  qos-scheduler be-scheduler
  qos-scheduler bulk-scheduler
  qos-scheduler critical-scheduler
  qos-scheduler voice-scheduler
 !
!
Step 4: Apply the QoS map to the egress interface
interface ge0/1
 qos-map MyQoSMap
!
Localized Data Policy (QoS) Configuration
Step 5: Define an Access List to Classify Data Packets into appropriate Forwarding Classes
policy
 access-list MyACL
  sequence 10
   match
    dscp 46
   !
   action accept
    class voice
   !
  !
  sequence 20
   match
    source-ip 10.1.1.0/24
    destination-ip 192.168.10.0/24
   !
   action accept
    class bulk-data
    set
     dscp 32
    !
   !
  !
  sequence 30
   match
    destination-ip 192.168.20.0/24
   !
   action accept
    class critical-data
    set
     dscp 22
    !
   !
  !
  sequence 40
   action accept
    class best-effort
    set
     dscp 0
    !
   !
  !
  default-action drop
 !
!
Step 6: Apply the Access List to an Interface
vpn 10
 interface ge0/0
  access-list MyACL in
 !
!
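To make the first-match semantics of the access list concrete, here is an added Python model (not Viptela code) that transcribes MyACL from Step 5 and the class-map from Step 1 and classifies a few constructed packets. The packet representation, the dictionary encoding of the sequences and the matching code are assumptions for illustration.

```python
"""First-match evaluation of the slide's MyACL (added example, not Viptela code).

The sequences, matches and actions below transcribe the access list from
Step 5, and CLASS_MAP transcribes the class-map from Step 1.  The packet
representation and the matching code are assumptions for illustration.
"""
import ipaddress

# Step 1 class-map: forwarding class -> output queue (queue 0 is strict priority)
CLASS_MAP = {"voice": 0, "critical-data": 1, "bulk-data": 2, "best-effort": 3}

# Step 5 access-list MyACL, one dict per sequence; an empty match matches all
MY_ACL = [
    {"seq": 10, "match": {"dscp": 46},
     "action": "accept", "class": "voice"},
    {"seq": 20, "match": {"source-ip": "10.1.1.0/24",
                          "destination-ip": "192.168.10.0/24"},
     "action": "accept", "class": "bulk-data", "set-dscp": 32},
    {"seq": 30, "match": {"destination-ip": "192.168.20.0/24"},
     "action": "accept", "class": "critical-data", "set-dscp": 22},
    {"seq": 40, "match": {},
     "action": "accept", "class": "best-effort", "set-dscp": 0},
]
DEFAULT_ACTION = "drop"


def _matches(match, pkt):
    """True when every condition of a sequence's match block holds for pkt."""
    if "dscp" in match and pkt["dscp"] != match["dscp"]:
        return False
    for key, field in (("source-ip", "src"), ("destination-ip", "dst")):
        if key in match:
            if ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(match[key]):
                return False
    return True


def classify(pkt, acl=MY_ACL, default_action=DEFAULT_ACTION):
    """Return the forwarding decision for one packet.

    pkt is {"src": ..., "dst": ..., "dscp": ...}.  The first sequence whose
    match block holds wins; nothing after it is evaluated.  Packets that
    match no sequence get the ACL's default action.
    """
    for entry in acl:
        if not _matches(entry["match"], pkt):
            continue
        if entry["action"] != "accept":
            return {"seq": entry["seq"], "action": entry["action"]}
        cls = entry["class"]
        return {"seq": entry["seq"], "action": "accept", "class": cls,
                "queue": CLASS_MAP[cls],
                # 'set dscp' rewrites the marking; otherwise it is preserved
                "dscp": entry.get("set-dscp", pkt["dscp"])}
    return {"seq": None, "action": default_action}


if __name__ == "__main__":
    samples = [  # constructed packets
        {"src": "10.1.1.5", "dst": "192.168.10.9", "dscp": 46},   # voice wins
        {"src": "10.1.1.5", "dst": "192.168.10.9", "dscp": 0},    # bulk-data
        {"src": "172.16.0.1", "dst": "192.168.20.3", "dscp": 8},  # critical
        {"src": "172.16.0.1", "dst": "198.51.100.1", "dscp": 8},  # best-effort
    ]
    for pkt in samples:
        print(pkt, "->", classify(pkt))
    # Without the catch-all sequence 40 the default action applies.
    print("no catch-all:", classify(samples[3], acl=MY_ACL[:3]))
```

Two things the model makes visible: a DSCP 46 packet between the sequence-20 subnets is classified as voice because sequence 10 is evaluated first, and the `default-action drop` is only reachable if the catch-all sequence 40 is removed, so ordering and the presence of a catch-all decide what gets dropped.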
Application Optimization - TCP Performance Optimization
[Figure: users and servers separated by a high latency path; TCP connections are terminated on the vEdges and carried as optimized TCP connections (Cubic) across the SD-WAN fabric]
• High latency path between users and servers, i.e. geo-distances
• vEdge routers terminate TCP sessions and provide local acknowledgements to prevent TCP windowing from reacting
• Selective acknowledgements prevent unnecessary retransmission of successfully received segments
• Hosts using old TCP/IP stacks will see the most benefit
Direct Internet Access
[Figure: Remote Site with local Internet exits via ISP1 and ISP2 and MPLS into the SD-WAN fabric; Regional Data Center with an ISP3 exit; Data Center]
• Can use one or more local DIA exits or backhaul traffic to the regional hub through the SD-WAN fabric and exit to the Internet from there
- Per-VPN behavior enforcement
• VPN default route for all-traffic DIA or data policy for selective-traffic DIA
• Network Address Translation (NAT) on the vEdge router only allows response traffic back
- Any unsolicited Internet traffic will be blocked by IP table filters
• For performance-based routing toward SaaS applications use Cloud onRamp
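The "only response traffic comes back" property of the DIA NAT can be shown with a small stateful model. The Python below is an added example (not vEdge code): an outbound flow creates a translation entry, and an inbound packet is rewritten to the inside host only when it answers an existing entry from the same remote endpoint, otherwise it is dropped. The per-destination mapping, the port allocation and the constructed addresses are assumptions of the model, not a description of the vEdge implementation.

```python
"""Stateful NAT for Direct Internet Access (added example, not vEdge code).

Illustrates the slide's point that NAT on the vEdge only lets response
traffic back in: an outbound flow creates a translation entry, and an
inbound packet is accepted only if it answers an existing entry.  The
endpoint-dependent (per-destination) mapping and the port allocation are
assumptions of this model, not a description of the vEdge implementation.
"""


class DiaNat:
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, public port) -> (inside ip, inside port, remote ip, remote port)
        self.entries = {}
        # (proto, inside ip, inside port, remote ip, remote port) -> public port
        self.forward = {}

    def outbound(self, proto, src, sport, dst, dport):
        """Translate a packet leaving the service VPN toward the Internet."""
        key = (proto, src, sport, dst, dport)
        if key not in self.forward:
            port = self.next_port
            self.next_port += 1
            self.forward[key] = port
            self.entries[(proto, port)] = (src, sport, dst, dport)
        return (proto, self.public_ip, self.forward[key], dst, dport)

    def inbound(self, proto, src, sport, dst, dport):
        """Translate a packet arriving from the Internet.

        Returns the packet rewritten to the inside host, or None when the
        packet is unsolicited and must be dropped by the filter.
        """
        if dst != self.public_ip:
            return None
        entry = self.entries.get((proto, dport))
        if entry is None:
            return None                      # no flow ever used this port
        inside_ip, inside_port, remote_ip, remote_port = entry
        if (src, sport) != (remote_ip, remote_port):
            return None                      # not from the peer the host contacted
        return (proto, src, sport, inside_ip, inside_port)


if __name__ == "__main__":
    nat = DiaNat("203.0.113.10")             # constructed public address
    print(nat.outbound("tcp", "10.1.1.5", 51000, "198.51.100.7", 443))
    print(nat.inbound("tcp", "198.51.100.7", 443, "203.0.113.10", 1024))
    print(nat.inbound("tcp", "198.51.100.99", 443, "203.0.113.10", 1024))  # None
    print(nat.inbound("tcp", "198.51.100.7", 22, "203.0.113.10", 2000))    # None
```

The model has no idle timeout, so entries never age out; a real NAT expires them, which is the other half of why unsolicited traffic finds no entry to match.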
Cloud Ready WAN
[Figure: left, Cloud On-Ramp IaaS: a Secure SD-WAN Fabric connecting Data Center, Campus, Branch and Small Office/Home Office sites to a Cloud Data Center (IaaS); right, Cloud On-Ramp SaaS: a Secure SD-WAN Fabric connecting the same site types to Cloud Applications (SaaS)]
Cloud onRamp for SaaS
[Figure: vEdge Branch with Direct Internet Access, vEdge DC and a Regional DC reachable over MPLS and INET, managed by the vManage platform; Office 365 is reached via INET, Equinix Cloud Exchange and Microsoft Express Route]
• Optimized Connectivity to SaaS Applications
- across DIA, DC and Regional exits
• Continuous Network Health-checks
• Automatic selection of Optimized Path
Cloud onRamp for SaaS - SaaS Optimization
[Figure: Application Quality Probing. Internet DIA: the Remote Site probes loss/latency toward the SaaS application through ISP1 and ISP2. Hybrid DIA: the Remote Site probes through its local ISP1/ISP2 exits and through MPLS across the SD-WAN fabric to the Regional Hub and Data Center exits; an exclamation mark flags the path with excessive loss/latency]
IaaS Deployment
[Figure: vEdge gateway in front of IaaS instances, vEdge Branch and vEdge DC over MPLS and INET, managed by the vManage platform]
• WAN to Cloud Extension
• Branch to Cloud Connectivity
• Single WAN Network across Branch, DC & Cloud
• Secure Connectivity to applications
• Multi-Cloud / Multi-Region connectivity
• Carrier Independent hybrid transport
• User – Application Visibility
Cloud onRamp for IaaS – Attached Compute
[Figure: a vEdge gateway in each Compute VPC/VNET; vEdge Branch and vEdge DC over MPLS and INET; vManage platform]
• vEdge router is instantiated in Amazon VPCs or Microsoft Azure VNETs
- Posted in marketplace
- Use Cloud-Init for ZTP
• One vEdge router per VPC/VNET
- No multicast support, can't form VRRP
- No router redundancy
• vEdge router joins the fabric and all fabric services are extended to the IaaS instances, e.g. multipathing, segmentation and QoS
- For multipathing can combine AWS Direct Connect or Azure ExpressRoute with direct internet connectivity
Cloud onRamp for IaaS – Gateway VPC/VNET
[Figure: Gateway VPC/VNET with a pair of vEdge routers; standard IPSec tunnels carrying BGP to the host VPCs/VNETs; vEdge Branch and vEdge DC over MPLS and INET; vManage platform]
• A pair of vEdge routers is instantiated in Amazon VPC or Microsoft Azure VNET
- Gateway VPC/VNET
• A pair of standards-based IPSec tunnels is stretched from the gateway VPC/VNET to each host VPC/VNET
- Connectivity redundancy
• BGP is established across the IPSec tunnels for route advertisement
- Bi-directional BGP/OMP redistribution on the gateway VPC/VNET vEdge routers
• Entire process is automated through vManage workflow
Cloud On-Ramp for IaaS – AWS Details
[Figure: AWS Region with a Gateway VPC (vManage instantiated and managed) holding two vEdge GWs in AZ1 and AZ2 behind an IGW and a VGW for Direct Connect; Spoke VPCs (each with a VGW, a VPC router and workloads in AZ1/AZ2) connect to the vEdge GWs over a standard IPSec overlay]
• Gateway VPC instantiated by vManage
• Customer workload resides in spoke VPCs. No change required in spoke VPCs
• Share transport (Direct Connect and Internet) & vEdge Gateways across multiple spoke VPCs in a region
• Leverage AWS components (IGW, VGW, VPC router) for redundancy. Fast failover times.
Cloud Security with Zscaler
[Figure: Remote Site vEdge with GRE tunnels over ISP1 and ISP2 to Zscaler POP1 and POP2 (inspecting for exploits, ATP, malware and botnets); Regional Data Center and Data Center reachable over the SD-WAN fabric]
• vEdge router creates a GRE tunnel to one or more Zscaler Enforcement Nodes (PoPs)
- Redundant PoPs, redundant ISPs
• Eliminates backhaul of traffic destined to Internet and cloud applications
• Provides advanced security services
- Can inspect SSL encrypted data, requires installation of the Zscaler root certificate on the hosts
• Cloud onRamp for SaaS can choose the path across the best performing Zscaler Enforcement Node (PoP) for selected SaaS applications
High Availability and Redundancy
Site Redundancy - Routed
[Figure: Host behind a Site Router, which peers over OSPF/BGP with vEdge A and vEdge B, both attached to the SD-WAN fabric]
§ Redundant pair of vEdge routers operate in active/active mode
§ vEdge routers are one or more Layer 3 hops away from the hosts
§ Standard OSPF or BGP routing protocols are running between the redundant pair of vEdge routers and the site router
§ Bi-directional redistribution between OMP and OSPF/BGP and vice versa on the vEdge routers
§ Site router performs equal cost multipathing for remote destinations across the SD-WAN fabric
- Can manipulate OSPF/BGP to prefer one vEdge router over the other
Site Redundancy - Bridged
[Figure: Host Layer 2 adjacent to vEdge A (VRRP Active) and vEdge B (VRRP Standby), both attached to the SD-WAN fabric]
§ vEdge routers are Layer 2 adjacent to the hosts
- Default gateway for the hosts
§ Virtual Router Redundancy Protocol (VRRP) runs between the two redundant vEdge routers
- Active/active when using multigroup
§ VRRP Active vEdge responds to ARP requests for the virtual IP with its physical interface MAC address
§ In case of failover, the new VRRP Active vEdge router sends out gratuitous ARP to update the ARP table on the hosts and the MAC address table on the intermediate L2 switches
Transport Redundancy - Meshed
[Figure: Site Network behind two vEdge routers, each connected to both MPLS and INET]
§ vEdge routers are connected to all the transports
§ When a transport goes down, vEdge routers detect the condition and bring down the tunnels built across the failed transport
- BFD times out across tunnels
§ Both vEdge routers still draw the traffic for the prefixes available through the SD-WAN fabric
§ If one of the vEdge routers fails, the second vEdge router takes over forwarding the traffic in and out of the site
- Both transports are still available
Transport Redundancy – TLOC Extension
[Figure: Site Network behind two vEdge routers, one attached to MPLS and the other to INET]
• vEdge routers are connected only to their respective transports
• vEdge routers build IPSec tunnels across the directly connected transport and across the transport connected to the neighboring vEdge router
- Neighboring vEdge router acts as an underlay router for tunnels initiated from the other vEdge
• If one of the vEdge routers fails, the second vEdge router takes over forwarding the traffic in and out of the site
- Only the transport connected to the remaining vEdge router can be used
TLOC Extension Configuration
[Figure: br1-vedge1 (ge0/0 100.65.51.1/24 toward MPLS, ge0/2 10.5.51.51/24, ge0/3 10.5.52.51/24) and br1-vedge2 (ge0/0 dhcp toward INET, ge0/2 10.5.51.52/24, ge0/3 10.5.52.52/24) connected back to back on ge0/2 and ge0/3]
br1-vedge1:
vpn 0
 interface ge0/0
  description MPLS tunnel
  ip address 100.65.51.1/30
  tunnel-interface
   encapsulation ipsec
   color mpls restrict
   max-control-connections 1
   [service list]
  !
 !
 interface ge0/2
  description INET tunnel
  ip address 10.5.51.51/24
  tunnel-interface
   encapsulation ipsec preference 100
   color biz-internet restrict
   max-control-connections 1
   [service list]
  !
 !
 interface ge0/3
  ip address 10.5.52.51/24
  tloc-extension ge0/0
  no shutdown
 !
 ip route 0.0.0.0/0 100.65.51.2
 ip route 0.0.0.0/0 10.5.51.52
!
br1-vedge2:
vpn 0
 interface ge0/0
  description INET tunnel
  ip dhcp-client
  nat
  !
  tunnel-interface
   encapsulation ipsec
   color biz-internet restrict
   max-control-connections 1
   [service list]
  !
 !
 interface ge0/2
  ip address 10.5.51.52/24
  tloc-extension ge0/0
  no shutdown
 !
 interface ge0/3
  description MPLS tunnel
  ip address 10.5.52.52/24
  tunnel-interface
   encapsulation ipsec
   color mpls restrict
   max-control-connections 1
   [service list]
  !
 !
 ip route 0.0.0.0/0 10.5.52.51
!
Add route to reach the br1-vedge2 MPLS tunnel end-point on the MPLS side:
ip route 10.5.52.52/32 100.65.51.1
Do not forget NAT on the INET-facing interface of br1-vedge2.
Control Redundancy - vSmart
[Figure: vSmart controllers in the control plane above Cloud Data Center, Data Center, Campus, Branch and Small Office/Home Office sites connected over MPLS, INET and 3G/4G in the data plane]
§ vSmart controllers exchange OMP messages between themselves and have an identical view of the SD-WAN fabric
§ vEdge routers connect to up to three vSmart controllers for redundancy
§ Single vSmart controller failure has no impact, as long as there is another vSmart controller the vEdge routers are registered with
§ If all vSmart controllers fail or become unreachable, vEdge routers will continue operating on a last known good state for a configurable amount of time (GR timer)
- No updates to reachability
- No IPSec rekey
- No policy changes propagation
Control Redundancy - vManage
[Figure: vManage cluster in the management plane above the same sites and transports in the data plane]
§ vManage servers form a cluster for redundancy and high availability
§ All servers in the cluster act as active/active nodes
- All members of the cluster must be in the same DC / metro area
§ For geo-redundancy, vManage servers operate in active/standby mode
- Not clustered
- Database replication between sites is needed
§ Loss of all vManage servers has no impact on fabric operation
- No policy changes
- No stats collection
Policy Framework - Centralized and Localized Policies
[Figure: vManage pushes device configuration to vSmart and to vEdge over NETCONF/YANG. Localized policies on the vEdge: Local Control Policy (OSPF/BGP), Local Data Policy (QoS/Mirror/ACL). Centralized policies on vSmart: Centralized Control Policy (Fabric Routing), Centralized Data Policy (Fabric Data Plane), Centralized App-Aware Policy (Application SLA); the centralized data and app-aware policies are advertised from vSmart to vEdge over OMP]
Centralized and Localized Policies
• The Cisco SDWAN policy software design provides a clear separation between centralized and localized policies. Centralized policy is provisioned on the centralized vSmart controllers and the localized policy is provisioned on vEdge routers
• With Localized Data policy, also called an access list, you can provision QoS to:
- Classify incoming data packets into multiple forwarding classes based on importance
- Spread the forwarding classes across different interface queues
- Schedule the transmission rate or weights for each queue
• With Centralized policies on vSmart controllers:
- Centralized Control policies affect routing policy to influence routing decisions on the vEdge routers. This type of policy allows you to set preferences for the routes or paths on the vSmart controller and is reflected in forwarding tables on the vEdge routers.
- Application-Aware routing policies select the best path for a given application based on SLA requirements. These requirements include latency, packet loss, and jitter. Application-aware routing policies are configured on vSmart controllers and are enforced by vEdge routers.
- Centralized Data policies are used for traffic classification, DSCP marking, path selection, service insertion, policing, etc. Data policies are configured on vSmart controllers and enforced by vEdge routers.
Policy Driven WAN Infrastructure - Policy Augmented Dynamic Routing
[Figure: (1) vManage GUI – Policy Orchestration: Control Policy (routing and services), Data Policy (extensive policy-based routing and services) and App-Route Policy (app-aware SLA-based routing) are combined and applied per site; (2) vSmart controller – Policy Enforcement/Advertisement: executes the control policy and advertises AAR/data policies to the sites; (3) vEdge WAN router at the Branch/DC access layer: executes AAR and data policy as received; dynamic routing and policies combine to dictate behavior]
Packet Flow Through the vEdge Router
[Figure: stages in order: (1) Local policy / configuration: policer (admission control), classification, marking; (2) Centralized Application Aware Routing policy: path selection based on SLA; (3) Centralized data policy: policer (admission control), classification, marking / remarking, path selection; (4) Routing and forwarding; (5) Scheduling and queuing: LLQ, WRR, RED; (6) Local policy, shaping and ACL: shaping, re-marking, policer, ACL. The figure labels the ingress side Service VPN and the egress side Transport VPN]
Centralized (vSmart) Policy Architecture
• vSmart Policies consist of these building blocks:
- Lists used for defining targets of policy application or matching
- Policies controlling aspects of control and forwarding: Control Policy, Application Aware Policy, Data Policy, cflowd-template, vpn-membership-policy
• Policy Application to control towards what a policy is applied
- Site-oriented and defined by a site-list
vEdge Routing Policy Architecture
• Routing Policies are traditional routing policies
- Attaches to BGP or OSPF locally on the vEdge
- Used in the traditional sense for controlling BGP and OSPF: information exchange, attributes, path selection
vSmart Policy Construction
Centralized policy definition is configured on vManage and enforced across the entire network
Lists
• data-prefix-list – list of prefixes for use with a data-policy
• prefix-list – list of prefixes for use with any other policy
• site-list – list of site-ids for use in policy and apply-policy
• tloc-list – list of TLOCs for use in policy
• vpn-list – list of VPNs for use in policy
• colors – list of colors for use in policy
• SLAs – SLA definitions
Policy Definition
• Control Policies affect overlay routing
• Application Aware Routing policy is used in conjunction with SLAs to steer traffic
• Data policies provide VPN level policy based routing
Policy Application
• An apply directive is used in conjunction with site lists to enable specific policies at specific locations
vSmart Policy Construction - Lists
• application-list used in data-policy to define specific applications for traffic matching and policy actions
• data-prefix-list used in data-policy to define prefix and upper layer ports in various combinations for traffic matching
• prefix-list used in control-policy to define prefixes for RIB matching
• site-list used in control-policy and apply-policy to match source sites or define sites for policy application
• tloc-list used in control-policy to define TLOCs for RIB matching and to apply redefined TLOCs to vRoutes
• vpn-list used in control-policy to define prefixes for RIB matching, in data-policy and app-route-policy to define VPNs for policy application
policy
 lists
  data-prefix-list app1
   ip-prefix 1.1.1.1/32
   port 100
  !
  prefix-list pfx1
   ip-prefix 1.1.1.1/32
  !
  site-list site1
   site-id 100
  !
  tloc-list site1_tloc
   tloc 1.1.1.1 color mpls
  !
  vpn-list vpn1
   vpn 1
  !
 !
!
vSmart Policy Construction – Policies
policy
 policy-type <name>
  vpn-list <vpn-list>
  sequence <n>
   match <route|tloc|vpn|other>
   !
   action <accept|reject|drop>
    set <attribute> <value>
   !
  !
  default-action <reject|accept>
 !
!
• Policy definition dictates type of policy and the appropriate syntax
• VPN-list used by data-policy and app-route-policy to list the VPNs for which the policy is applicable
• Sequence defines each sequential step of the policy by sequence number
• Match decides what entity to match on in the specific policy sequence
• Action determines the action for the preceding match statement
• Default-action is the action to take for any entity that was not matched in any sequence of the policy (set to reject by default)
vSmart Policy Construction – Policy Application
apply-policy
 site-list <name>
  control-policy <name> <in|out>
 !
 site-list <name>
  data-policy <name>
  vpn-membership <name>
 !
!
• Site-list determines to which sites a given policy is applied
• Direction applies only to control-policies
• Policy Type and Name refer to an already configured policy to be applied towards the sites specified in the site-list for the section
vSmart Policy Example
Apply the defined policy towards the sites in site-list:
apply-policy
 site-list site1
  control-policy prefer_local out
 !
!
Define the lists required for apply-policy and for use within the policy:
policy
 lists
  site-list site1
   site-id 100
  !
  tloc-list prefer_site1
   tloc 1.1.1.1 color mpls preference 400
  !
 !
Define the actual policy to be applied (lists previously defined are used within the policy):
 control-policy prefer_local
  sequence 10
   match route
    site-list site1
   !
   action accept
    set
     tloc-list prefer_site1
    !
   !
  !
 !
!
Note: Items listed as presented in node configuration. The order in which elements are configured should be lists, control-policy then apply-policy
vSmart Policy Processing
• Policies are processed sequentially. Order is important!
• When a match occurs, the matched entity is subject to the configured action of the sequence and is then no longer subject to continued processing.
• Any entity not matched in a sequence is subject to the default action for the policy.
• Any node will make use of any and all available routing information
• In a multi-vSmart deployment, every vSmart acts independently to disseminate information to other vSmarts and vEdges
• vManage acts as the entity to ensure all vSmarts are synchronized.
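The sequential processing rules above and the prefer_local example can be exercised together with the following Python model, which is an added example rather than vSmart code. It transcribes site-list site1 (site-id 100), tloc-list prefer_site1 (1.1.1.1 color mpls preference 400), the single-sequence control policy and the outbound apply-policy, and runs a few constructed vRoutes through them. The route/TLOC data model, the best-path rule (highest preference wins) and the sample routes are simplifying assumptions for illustration.

```python
"""Sequential control-policy evaluation (added example, not vSmart code).

Transcribes the prefer_local example: site-list site1 = {100}, tloc-list
prefer_site1 = 1.1.1.1/mpls with preference 400, a single sequence that
matches routes from site1 and rewrites their TLO Cs, applied outbound
toward site1.  The route/TLOC data model and best-path rule (highest
preference wins) are simplifying assumptions for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Tloc:
    ip: str
    color: str
    preference: int = 0


@dataclass(frozen=True)
class VRoute:
    prefix: str
    site_id: int          # site that originated the route
    tlocs: tuple          # next-hop TLOCs


LISTS = {
    "site-list": {"site1": {100}},
    "tloc-list": {"prefer_site1": (Tloc("1.1.1.1", "mpls", 400),)},
}

PREFER_LOCAL = {
    "sequences": [
        {"seq": 10, "match": {"route": {"site-list": "site1"}},
         "action": "accept", "set": {"tloc-list": "prefer_site1"}},
    ],
    "default-action": "reject",   # the slides' default when not configured
}

APPLY_POLICY = [
    {"site-list": "site1", "control-policy": PREFER_LOCAL, "direction": "out"},
]


def _route_matches(conditions, route, lists):
    """'match route site-list X' holds when the route's origin site is in X."""
    if "site-list" in conditions:
        return route.site_id in lists["site-list"][conditions["site-list"]]
    return True


def run_control_policy(policy, route, lists=LISTS):
    """Evaluate sequences in order; first match wins; None means rejected."""
    for seq in policy["sequences"]:
        if not _route_matches(seq["match"].get("route", {}), route, lists):
            continue
        if seq["action"] != "accept":
            return None
        new_tlocs = route.tlocs
        if "tloc-list" in seq.get("set", {}):
            new_tlocs = lists["tloc-list"][seq["set"]["tloc-list"]]
        return replace(route, tlocs=new_tlocs)
    return route if policy["default-action"] == "accept" else None


def advertise_to_site(routes, dest_site, apply_policy=APPLY_POLICY, lists=LISTS):
    """Routes vSmart sends to dest_site after its outbound control policies."""
    out = list(routes)
    for entry in apply_policy:
        if entry["direction"] != "out":
            continue
        if dest_site not in lists["site-list"][entry["site-list"]]:
            continue
        out = [r for r in (run_control_policy(entry["control-policy"], r, lists)
                           for r in out) if r is not None]
    return out


def best_tloc(route):
    """vEdge path choice in this model: the TLOC with the highest preference."""
    return max(route.tlocs, key=lambda t: t.preference)


if __name__ == "__main__":
    routes = [  # constructed vRoutes
        VRoute("10.100.0.0/24", 100, (Tloc("1.1.1.1", "mpls"), Tloc("1.1.1.1", "biz-internet"))),
        VRoute("10.200.0.0/24", 200, (Tloc("2.2.2.2", "mpls"),)),
    ]
    for r in advertise_to_site(routes, 100):
        print("to site 100:", r.prefix, "via", best_tloc(r))
    print("to site 300:", [r.prefix for r in advertise_to_site(routes, 300)])
```

Because the policy has no explicit default-action, the model keeps the reject default the slides describe, so site1 receives only the routes matched by sequence 10 and the site-200 route is withheld; sites outside the apply-policy site-list see every route untouched.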
1. Control Policies
• Control policies are executed on vSmarts to influence overlay routing.
• Control Policies are used to enable the following services:
- Service Chaining
- Traffic Engineering
- Extranet VPNs
- Service path affinity
- Arbitrary VPN Topologies
• Control Policy is a powerful tool for any type of path construction that simplifies policy operations by being centrally managed.
Centralized Control Policy: Inbound vs. Outbound
• Inbound Policy: determines which routes are installed in the local routing database of the vSmart controller.
• Outbound Policy: applied AFTER a route is retrieved from routing database, but BEFORE the vSmart controller advertises it.
2. Application-Aware Routing Policy
• Application-aware routing consists of three components:
- Identify the applications of interest. To determine which applications are running on vEdge routers, you enable application visibility on these devices. Then you configure an application-aware routing policy on the vSmart controller, which defines the applications of interest and the data plane tunnel performance characteristics required to transmit an application's data traffic. These characteristics are called a service-level agreement (SLA). The controller automatically pushes the policy to the appropriate vEdge routers.
- Monitor and measure data plane tunnel performance. This is done automatically and continuously by the vEdge routers, by tracking BFD Hello packets. Application-aware routing periodically polls the performance statistics to calculate the packet jitter, latency and packet loss information for each tunnel. The default polling interval is good for most network situations, but you can modify it to meet specific business needs.
- Map application traffic to a specific data plane tunnel. This is done on the vEdge routers, based on the SLA requirements defined in the application-aware routing policy and on the real-time performance of the vEdge routers' data plane tunnels. You can modify how often a vEdge router calculates each tunnel's SLA and determines a tunnel's SLA classification.
Application Aware Routing
• An app-route policy is defined through the following steps:
- Define the required SLA classes
- Define the app-route-policy
- Apply the app-route-policy towards the applicable sites
• The SLA-class defines the required loss, latency and jitter thresholds for the application that is to go via the overlay path
• The app-route-policy defines the traffic that is to belong to a defined class in a fashion similar to a data-policy
• Configuring an app-route-policy includes a reference to a VPN-list to dictate which VPNs will benefit from the policy at the listed sites
Application-Aware Routing Policy Configuration
Step 1: Create a list of sites to which the application-aware routing policy is to be applied
policy
 lists
  site-list mySites
   site-id 100-200
  !
 !
!
Step 2: Create SLA classes and traffic characteristics to apply to matching application data traffic.
policy
 sla-class bulk-data-sla
  latency 150
 !
 sla-class critical-data-sla
  loss 5
  latency 150
 !
 sla-class voice-sla
  loss 1
  latency 100
  jitter 5
 !
!
Step 3: Create lists of applications, IP prefixes, and VPNs to use in identifying application traffic of interest (in the match section of the policy definition)
policy
 lists
  vpn-list myVPN
   vpn 10
  !
  data-prefix-list approute-Prefixes
   ip-prefix 10.1.0.0/16
  !
  app-list myApps
   app office365
   app salesforce
  !
 !
!
Application-Aware Routing Policy ConfigurationStep 4: Create an application-aware routing policy instance and associate it with a list of VPNspolicyapp-route-policy myApproutePolicyvpn-list myVPN!!
Step 5: Within the policy, create one or more numbered sequence of match–action pairs
policyapp-route-policy myApproutePolicyvpn-list myVPNsequence 10matchapp-list myApps!actionsla-class critical-data-sla preferred-color mpls!!sequence 20match dscp 46
!actionsla-class voice-sla preferred-color mpls!!sequence 30matchdestination-data-prefix-list approute-Prefixes!actionbackup-sla-preferred-color public-internetsla-class bulk-data-sla preferred-color biz-internet!
Step 6: Specify the default action for the policy
policy
 app-route-policy myApproutePolicy
  vpn-list myVPN
   default-action sla-class bulk-data-sla
  !
 !
!
Step 7: Apply the policy to a site list:
apply-policy
 site-list mySites
  app-route-policy myApproutePolicy
 !
!
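The seven steps above build myApproutePolicy; the following is an added example (not vEdge code and not from the slides) that models how its sequences and SLA classes steer a flow to a tunnel color. The SLA classes, sequences and colors are the slide's; the Flow objects, the per-tunnel BFD measurements and the selection order are assumptions that approximate the vEdge behaviour.

```python
"""Modelled evaluation of the app-route policy above (added example, not vEdge code).

SLA classes, sequences and colors are taken from the slides; the per-tunnel
measurements, the flow objects and the selection order are assumptions that
approximate, not reproduce, the vEdge implementation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# sla-class definitions from Step 2 (loss in %, latency and jitter in ms).
SLA_CLASSES: Dict[str, Dict[str, float]] = {
    "bulk-data-sla": {"latency": 150},
    "critical-data-sla": {"loss": 5, "latency": 150},
    "voice-sla": {"loss": 1, "latency": 100, "jitter": 5},
}


@dataclass
class Flow:
    app: str       # application as classified by DPI
    dscp: int      # DSCP value of the packet
    dst: str       # destination IPv4 address


@dataclass
class Sequence:
    """One numbered match/action pair of the app-route-policy."""
    match: Dict[str, object]
    sla_class: str
    preferred_color: Optional[str] = None
    backup_preferred_color: Optional[str] = None


# Sequences 10, 20 and 30 of myApproutePolicy, with the lists from Step 3.
POLICY: List[Sequence] = [
    Sequence({"app_list": {"office365", "salesforce"}}, "critical-data-sla", "mpls"),
    Sequence({"dscp": 46}, "voice-sla", "mpls"),
    Sequence({"dst_prefixes": ["10.1.0.0/16"]}, "bulk-data-sla",
             "biz-internet", backup_preferred_color="public-internet"),
]
DEFAULT_SLA = "bulk-data-sla"   # Step 6: default-action sla-class bulk-data-sla

# Constructed BFD measurements per tunnel color (loss %, latency ms, jitter ms).
TUNNELS: Dict[str, Dict[str, float]] = {
    "mpls": {"loss": 0.2, "latency": 40, "jitter": 2},
    "biz-internet": {"loss": 0.5, "latency": 90, "jitter": 4},
    "public-internet": {"loss": 3.0, "latency": 160, "jitter": 20},
}


def matches(seq: Sequence, flow: Flow) -> bool:
    """A sequence matches only if every configured match criterion holds."""
    m = seq.match
    if "app_list" in m and flow.app not in m["app_list"]:
        return False
    if "dscp" in m and flow.dscp != m["dscp"]:
        return False
    if "dst_prefixes" in m and not any(
            ip_address(flow.dst) in ip_network(p) for p in m["dst_prefixes"]):
        return False
    return True


def meets_sla(measured: Dict[str, float], thresholds: Dict[str, float]) -> bool:
    """Every threshold the SLA class defines must be met; a missing measurement fails."""
    return all(measured.get(k, float("inf")) <= v for k, v in thresholds.items())


def select_tunnel(flow: Flow, tunnels: Dict[str, Dict[str, float]]) -> Tuple[str, str]:
    """Return (color, sla-class) the flow is steered to.

    Order modelled here: first matching sequence (else default-action), then the
    preferred color if it meets the SLA, else any tunnel meeting the SLA, else
    backup-sla-preferred-color, else the lowest-latency tunnel that is up.
    """
    seq = next((s for s in POLICY if matches(s, flow)), None)
    sla_name = seq.sla_class if seq else DEFAULT_SLA
    preferred = seq.preferred_color if seq else None
    backup = seq.backup_preferred_color if seq else None
    thresholds = SLA_CLASSES[sla_name]
    in_sla = [c for c, stats in tunnels.items() if meets_sla(stats, thresholds)]
    if preferred in in_sla:
        return preferred, sla_name
    if in_sla:
        return min(in_sla, key=lambda c: tunnels[c]["latency"]), sla_name
    if backup in tunnels:
        return backup, sla_name
    # No tunnel meets the SLA and no backup is configured: lowest-latency path.
    return min(tunnels, key=lambda c: tunnels[c]["latency"]), sla_name
```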
• Data Policies provide the functionality equivalent to traditional Policy Routing.
• Data policies are configured and applied centrally (vSmart), then pushed to vEdge to enforce the configured policy in the data plane
• Some of the applications enabled by Control Policies can also be enabled by Data Policies, in addition to more traditional Policy Routing as well as data-plane bound functions
• A Data policy acts on an entire VPN and is not interface-specific
• Data Policies are used to enable the following services:
  • QoS Classification
  • Service Chaining
  • cflowd
  • NAT
  • Traffic Policing and Counting
  • Transport Selection
  • Traffic Engineering
3. Data Policy - Applications and Services
Centralized Data Policy Configuration

Step 1: Create a list of sites to which the centralized data policy is to be applied

policy
 lists
  site-list mySites
   site-id 100-200
  !
Step 2: Create lists of IP prefixes and VPNs, as needed
policy
 lists
  prefix-list myPrefixes
   ip-prefix prefix/length
  !
  vpn-list myVPN
   vpn 1
  !
  app-list myApps
   app office365
   app salesforce
  !
Step 3: Create a data policy instance and associate it with a list of VPNs. Within the policy, create one or more numbered sequences of match–action pairs
policy
 data-policy myDataPolicy
  vpn-list myVPN
   sequence 10
    match
     app-list myApps
    !
    action accept
     set
      dscp 32
     !
    !
   !
Step 4: Apply the policy to one or more sites in the overlay network
apply-policy
 site-list mySites
  data-policy myDataPolicy (all | from-service | from-tunnel)
 !
!
• Cflowd flow collection is enabled by means of a vSmart policy
• Capturing and exporting flow data is controlled via 2 different policies:
  • Cflowd-template for configuring flow cache behavior and flow export
  • Data-policy for selection of traffic subject to flow data collection
• The Cflowd template is optional; without it, the flow cache in vEdge nodes is managed using default settings and no flow export takes place
• The data-policy can be configured to be very specific or as a general flow collection filter, depending on requirements
• Both components are controlled and distributed from vSmart to ease enablement and configuration
4. Cflowd flow data collection
Cflowd Example

apply-policy
 site-list site100
  data-policy cflowd_data all
  cflowd-template cflowd_temp
 !
!
policy
 data-policy cflowd_data
  vpn-list cflowd_vpn
   sequence 10
    match
     protocol 17
    !
    action accept
     cflowd
    !
   !
   default-action drop
  !
 !
 cflowd-template cflowd_temp
  flow-active-timeout 60
  flow-inactive-timeout 60
  collector vpn 100 address 1.1.1.1 port 4739 transport transport_udp
 !
!
* vpn-list and site-list excluded, please refer to app-route section *

Data-policy
• Covers traffic subject to flow data collection
cflowd-template
• Manages settings related to cache management and flow export (not mandatory)
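The cflowd-template above exports the cache over UDP to a collector on port 4739, the IPFIX (RFC 7011) port; this added example (not Viptela code) is the collector-side parser for such a message, covering the cflowd bullets and the example config. The sample message, its Information Element layout and the flow values are constructed here and do not claim to match the template vEdge actually exports.

```python
"""Minimal IPFIX (RFC 7011) collector-side parser (added example, not Viptela code).

Decodes the message header, caches template records (set id 2) and decodes the
fixed-length data records that reference them. The sample message built by
build_sample_message() is constructed for this example only.
"""
import struct
from typing import Dict, List, Optional, Tuple

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2

# Information Element ids from the IANA IPFIX registry used by the sample.
IE_NAMES = {1: "octetDeltaCount", 2: "packetDeltaCount", 4: "protocolIdentifier",
            7: "sourceTransportPort", 8: "sourceIPv4Address",
            11: "destinationTransportPort", 12: "destinationIPv4Address"}

Field = Tuple[int, int, Optional[int]]  # (ie id, length, enterprise number)


def parse_template_set(body: bytes, templates: Dict[int, List[Field]]) -> None:
    """Cache every template record found in a template set (set id 2)."""
    off = 0
    while off + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, off)
        off += 4
        if tid < 256:            # zero padding at the end of the set
            break
        fields: List[Field] = []
        for _ in range(count):
            ie, length = struct.unpack_from("!HH", body, off)
            off += 4
            enterprise = None
            if ie & 0x8000:      # enterprise-specific IE carries a PEN
                ie &= 0x7FFF
                (enterprise,) = struct.unpack_from("!I", body, off)
                off += 4
            if length == 0xFFFF:
                raise ValueError("variable-length IEs not supported here")
            fields.append((ie, length, enterprise))
        templates[tid] = fields


def decode_value(ie: int, raw: bytes):
    """IPv4 IEs become dotted strings; other fixed widths become integers."""
    if ie in (8, 12) and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big") if len(raw) in (1, 2, 4, 8) else raw.hex()


def parse_data_set(body: bytes, fields: List[Field]) -> List[Dict[str, object]]:
    """Decode fixed-length records; trailing bytes shorter than a record are padding."""
    record_len = sum(length for _, length, _ in fields)
    records, off = [], 0
    while record_len and off + record_len <= len(body):
        rec: Dict[str, object] = {}
        for ie, length, enterprise in fields:
            name = IE_NAMES.get(ie, f"ie{ie}") if enterprise is None else f"pen{enterprise}.ie{ie}"
            rec[name] = decode_value(ie, body[off:off + length])
            off += length
        records.append(rec)
    return records


def parse_ipfix(msg: bytes, templates: Optional[Dict[int, List[Field]]] = None) -> Dict[str, object]:
    """Parse one IPFIX message; pass the same `templates` dict across messages to keep the cache."""
    templates = {} if templates is None else templates
    if len(msg) < 16:
        raise ValueError("message shorter than the 16-byte IPFIX header")
    version, length, export_time, seq, domain = struct.unpack_from("!HHIII", msg, 0)
    if version != IPFIX_VERSION:
        raise ValueError(f"not an IPFIX message (version {version})")
    if length != len(msg):
        raise ValueError("header length does not match datagram length")
    flows: List[Dict[str, object]] = []
    off = 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("set length runs past the end of the message")
        body = msg[off + 4:off + set_len]
        if set_id == TEMPLATE_SET_ID:
            parse_template_set(body, templates)
        elif set_id >= 256 and set_id in templates:
            flows.extend(parse_data_set(body, templates[set_id]))
        # Options templates and data sets whose template has not arrived yet are skipped.
        off += set_len
    return {"export_time": export_time, "sequence": seq,
            "observation_domain": domain, "flows": flows}


def _ipv4(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def build_sample_message() -> bytes:
    """Constructed export: template 256 plus two UDP flow records (protocol 17)."""
    layout = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 8), (2, 8)]
    tmpl = struct.pack("!HH", 256, len(layout)) + b"".join(struct.pack("!HH", *f) for f in layout)
    template_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl

    def record(src, dst, sport, dport, proto, octets, packets):
        return _ipv4(src) + _ipv4(dst) + struct.pack("!HHBQQ", sport, dport, proto, octets, packets)

    data = (record("10.1.1.10", "10.1.0.53", 51234, 53, 17, 1200, 8)
            + record("10.1.1.20", "10.1.0.20", 40000, 5060, 17, 560000, 400))
    data_set = struct.pack("!HH", 256, 4 + len(data)) + data
    body = template_set + data_set
    header = struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 1512345678, 1, 100)
    return header + body
```

Over plain UDP (transport_udp above) the export carries no authentication, so a collector should accept datagrams only from the vEdge addresses it expects and treat a template it has not seen as reason to drop, not guess, the data records.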
• The default behavior of the SDWAN OMP architecture is to advertise any configured VPN to any node where it is configured
• This automatically establishes connectivity without unnecessary configuration and operational overhead
• However, certain VPNs may be of a sensitive nature such that their membership must be tightly controlled
• The VPN Membership Policy serves to restrict the distribution of VPN information from vSmart to those that are explicitly approved
• Both Whitelist and Blacklist behavior can be established
• With a VPN Membership Policy, a node not explicitly allowed to participate in a VPN may have the VPN configured but will only see local connectivity and routing information
5. VPN Membership Policy - Functionality
VPN Membership Policy Example

policy
 lists
  site-list sites_1
   site-id site1
   site-id site2
  !
  site-list sites_2
   site-id site3
   site-id site4
  !
  vpn-list sites_1
   vpn 10, 20
  !
  vpn-list sites_2
   vpn 30, 40
  !
 !
!

policy
 vpn-membership acme_1
  sequence 10
   match
    vpn-list sites_1
   !
   action accept
  !
  default-action reject
 !
 vpn-membership acme_2
  sequence 10
   match
    vpn-list sites_2
   !
   action accept
  !
  default-action reject
 !
!

• vpn-lists define the VPN match data
• vpn-membership acts as either whitelist or blacklist for VPN filtering
• apply-policy acts in both directions to determine which VPN(s) are allowed from a given site

apply-policy
 site-list sites_1
  vpn-membership acme_1
 !
 site-list sites_2
  vpn-membership acme_2
 !
!
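The following is an added example (not vSmart code) that models the membership policy above: which VPNs vSmart distributes to a site under the whitelist policies acme_1 and acme_2, and, for comparison, under an assumed blacklist variant that is not on the slide. The site ids, VPN lists and policy names are the slide's placeholders; the first-match-then-default evaluation order is modelled after the policy structure shown.

```python
"""Model of the VPN membership policy above (added example, not vSmart code).

Site ids, VPN lists and policy names come from the slide; the evaluation order
(first matching sequence wins, then default-action) follows the policy
structure shown, and a blacklist variant is added for comparison.
"""
from typing import Dict, List, Optional, Set

# policy lists from the slide
SITE_LISTS: Dict[str, Set[str]] = {"sites_1": {"site1", "site2"}, "sites_2": {"site3", "site4"}}
VPN_LISTS: Dict[str, Set[int]] = {"sites_1": {10, 20}, "sites_2": {30, 40}}

# vpn-membership policies: ordered (vpn-list, action) sequences plus default-action
POLICIES: Dict[str, dict] = {
    "acme_1": {"sequences": [("sites_1", "accept")], "default": "reject"},   # whitelist
    "acme_2": {"sequences": [("sites_2", "accept")], "default": "reject"},   # whitelist
    # blacklist form (assumed, not on the slide): deny only the listed VPNs
    "acme_deny_2": {"sequences": [("sites_2", "reject")], "default": "accept"},
}

# apply-policy: site-list -> vpn-membership
APPLY: Dict[str, str] = {"sites_1": "acme_1", "sites_2": "acme_2"}


def evaluate(policy: dict, vpn: int) -> bool:
    """First sequence whose vpn-list contains the VPN decides; otherwise default-action."""
    for vpn_list, action in policy["sequences"]:
        if vpn in VPN_LISTS[vpn_list]:
            return action == "accept"
    return policy["default"] == "accept"


def policy_for_site(site: str) -> Optional[dict]:
    """The vpn-membership policy applied to the site, or None if no site-list covers it."""
    for site_list, name in APPLY.items():
        if site in SITE_LISTS[site_list]:
            return POLICIES[name]
    return None   # no membership policy: OMP default, every configured VPN is advertised


def distributed_vpns(site: str, configured: Set[int]) -> List[int]:
    """VPNs for which vSmart distributes overlay routes to this site."""
    policy = policy_for_site(site)
    return sorted(v for v in configured if policy is None or evaluate(policy, v))


def local_only_vpns(site: str, configured: Set[int]) -> List[int]:
    """VPNs configured on the site that will only see local connectivity."""
    return sorted(set(configured) - set(distributed_vpns(site, configured)))
```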
Operational Simplicity and Transparency
Single Pane of Glass Operations - vManage GUI
• Intuitive GUI driven operations
  • Management, monitoring and troubleshooting
• Cloud Delivered
  • Private, hosted or managed
• Single or Multi-tenant
• Role-based Access Control
• Clustered for scale and high availability
• REST APIs based
Zero Touch Provisioning - Plug-n-Play vEdge Secure Bring-up (Zero Trust)
[Figure: the Administrator loads the vEdge list (white-list) and the vEdge configuration template into vManage; vManage, vBond and vSmart share identity trust with the ZTP Server; the Installer connects the vEdge to network and power, it obtains an address via DHCP and presents its X.509 identity (TPM).]
Zero Touch Provisioning – vEdge Appliance
[Figure: a vEdge appliance (factory default config) bringing up against the Zero Touch Provisioning Server and the Control and Policy Elements. Labelled steps:]
1. Query to ztp.viptela.com
2. Redirect to corporate orchestrator
3. Initial control communication
4. Initial device configuration from vManage
5. Full Registration and Configuration
Assumption:
§ DHCP on Transport Side (WAN)
§ DNS to resolve ztp.viptela.com* (* Delivered as-a-Service)
Zero Touch Provisioning – vEdge Cloud
[Figure: a vEdge Cloud instance (factory default config) deployed as a VM by a VM Provisioning Tool (NSO with the vBranch FP) with Cloud-Init, then bringing up against the Control and Policy Elements. Labelled steps (1-5): Deploy VM; Cloud-Init; initial control communication; initial device configuration from vManage; Full Registration and Configuration.]
Assumption:
§ DHCP on Transport Side (WAN)
§ DNS to resolve ztp.viptela.com*
• Embedded Deep Packet Inspection engine
• Application and flow level visibility for the fabric and individual vEdge routers
• Centralized statistics and performance
• Export flow level data (IPFIX) to external collector
Application and Performance Visibility - Deep Packet Inspection
Template-Based Configurations - Centralized Device Configuration Enforcement
• Templates are attached to provisioned vEdge routers
• Variables are used for rapid bulk configuration rollout with unique per-device settings
• Local configuration changes are not allowed, which prevents configuration drift
Granular Policies - Centralized Control over Fabric Behavior
• Centralized data, control and application aware routing policies
• Defined on vManage, enforced on vSmart controllers (control policies) or vEdge routers (data and application aware routing policies)
• Individual site, collection of sites or the entire fabric policy scope
Troubleshooting and Verification - Transparent Operations
• Embedded tools for data plane connectivity verification
• Control plane health verification
• Real-time GUI based troubleshooting
• Full command line interface and Linux shell for expert level troubleshooting
• Alarms for triggered events
Self-Healing - Software Upgrade and Configuration Change
[Figure, software upgrade: a vEdge Router holds Active Software A and Available Software B, C, D; (1) Activate, (2) Failed Upgrade, (3) Rollback. Configuration change: (1) vManage attaches a template to the vEdge Router, (2) connectivity lost, (3) Rollback.]
Current Orchestration and APIs
[Figure: Data Center, Campus, Branch and Home Office connected over 4G/LTE, MPLS and Internet; Secure Control Plane (vSmart) and Secure Data Plane (vEdge Routers). vManage covers Management, Monitoring, Provisioning and Troubleshooting; interfaces shown: REST, Syslog, Netconf, SNMP, CLI, cFlowd*.]
* http://tools.ietf.org/html/rfc7011
vManage Programmatic Access - REST API Documentation
• API Documentation built-in – https://vmanage-url/apidocs
• Test calls can be executed directly from doc page
• API programming documented at: https://docs.viptela.com/Product_Documentation/Command_Reference/vManage_REST_APIs/vManage_REST_APIs_Overview/Using_the_vManage_REST_APIs
Network Automation decouples the Lifecycle of Product-Services and Network Resources/Services
• Decouples the Network from OSS/ITIL
• Unlocks agility and flexibility at the Resource Facing Services layer (RFS)
• Enables DevOps at the network/RFS layer
• Network changes and new features can be rolled out continuously during run-time, i.e. DevOps
[Figure: OSS / ITIL with its Product/Service Systems Lifecycle on top; a well-defined API into the Network Service Orchestration System, which owns the Network Service Lifecycle at the Resource Facing Services (RFS) layer over Physical Networks and Virtual Networks.]
SDWAN MSP Management Options

NSO single entry point
• NSO (vBranch, vManage NED) to instantiate VNFs (including 3rd party VNFs) and activate vEdge. Apply device template
• vManage to configure vEdge
[Figure: OSS/BSS over REST/NETCONF to NSO; NSO over NETCONF to Cisco Router and ENCS/NFVIS (Cisco and 3rd party VNFs) and to vManage, which configures the vEdge Appliance.]

NSO/vManage Split
• vManage and NSO Entry Point (REST APIs)
• vManage improved with NSO (and vBranch, SDWAN, potentially SAE CFP)
• vManage and/or NSO as potential entry point
• Reporting and Alerts
[Figure: OSS/BSS - VMS over REST/NETCONF to NSO (vBranch CFP, SDWAN CFP) and over REST to vManage; NSO over NETCONF to Cisco Router and ENCS/NFVIS (Cisco and 3rd party VNFs); vManage to vEdge Appliance and cEdge Appliance.]
NSO/vManage Split Gives Flexibility
• NSO and vManage run side by side in separate processes
• NSO and vManage are integrated using APIs (an NSO NED using the vManage REST interface)
• NSO will communicate with all devices involved in the CFP for day0 and dayN configuration. vManage will provide dayN configuration for vEdge
• The vManage UI will have to be extended with the appropriate CFP workflows and send API calls to NSO.
[Figure: OSS / BSS or VMS over REST/NETCONF to Network Service Orchestrator (NSO) with Core FP (SDWAN) and Core FP (vBranch); NSO over REST to vManage; REST and NETCONF down to Cisco Router, ENCS/NFVIS, vEdge Appliance and cEdge Appliance.]
Cisco SD-WAN Automation Stack
[Figure: VMS Portal/GUI over VMS SIF (Software Integration Framework) over Network Service Orchestrator (NSO) with Core FP (SDWAN) and Core FP (vBranch), alongside vManage; REST and NETCONF down to Cisco Router, ENCS/NFVIS, vEdge Appliance and cEdge Appliance. Three scopes marked 1-3:]
1. Viptela vManage: target customer has vEdge appliances without a need for virtual CPE, service orchestration and OSS/BSS from Cisco
2. Extended SD WAN Orchestration: target customer has virtual CPEs, or orchestration of other than vEdge appliances is needed, without a need for OSS/BSS from Cisco
3. Full Stack SD WAN: target customer has a need for Cisco OSS/BSS capabilities together with SD WAN
SDWAN Core Function Pack
• NSO Core Function Pack
• NSO (vBranch, vManage NED) to instantiate VNFs (including 3rd party VNFs) and activate vEdge. Apply device template
• vManage to configure vEdge
• SDWAN FP scope will expand over time
[Figure, "Potential SP Model": OSS/BSS - VMS over Service Abstraction APIs to Network Service Orchestrator (NSO) with Core FP (SDWAN) and Core FP (vBranch), i.e. the vBranch Function Pack and SDWAN Function Pack driving NEDs; NETCONF to ENCS/NFVIS (Cisco and 3rd party VNFs) and Cisco Appliance; vManage to the vEdge/cEdge Appliance.]
vBranch FP – High Level View of Service Model
[Figure: service model tree with the nodes Branch-infra, Branch-cpe, VNF, VNFD, network, Cpe config, VDU, nfvo catalog and VNFD VDU deployment. Callouts: (1) Catalog Definition - VNFs and Service Chaining; (2) vEdge VNF Descriptor and Flavor defined, deployment parameters defined.]
vEdge Cloud on ENCS
• Generate bootstrap information
  • Download vEdge Cloud Certified Serial Numbers (json)
  • Get the unclaimed vEdge Cloud router list from vManage
  • Instruct vManage to generate a Bootstrap Configuration file
  • Get Bootstrap Configuration file for the vEdge Cloud router (cloud-init config file)
• ENCS/NFVIS on-boarding
  • NFVIS boots and creates basic n/w infrastructure
  • NFVIS registers to NSO using PnP
  • NSO connects to NFVIS at the branch using NETCONF
• vEdge instantiation
  • NSO registers vEdge Cloud to NFVIS
  • NFVIS pulls vEdge Cloud images / local preparation
  • NSO instructs NFVIS to deploy NWs/vEdge Cloud
  • NFVIS deploys vEdge Cloud, loads the Bootstrap Configuration File which contains cloud-config (bootstraps) and cloud-boothook (day0) sections, and sets up local vEdge monitoring
• Process is the same for any platform that runs NFVIS
• Day 1 and post Day 1 activities handled by vManage
[Figure: NSO in the SP Datacenter alongside vManage, vSmart and vBond; NETCONF to NFVIS (VNFM, PnP) on the ENCS hosting vEdge.]
On Boarding ENCS/NFVIS
[Figure: ENCS running NFVIS (VNFM, PnP) registering with the PnP Server / Branch-Infra FP of the Network Service Orchestrator (NSO) - NSO with the vBranch Function Pack.]
1) ENCS boots and creates basic n/w infrastructure
2) NFVIS registration to NSO using PnP (IP + serial + model + capabilities)
3) NFVIS registered to NSO
4) NSO connects to branch NFVIS (NETCONF)
ENCS/NFVIS on-boarded in NSO
vEdge-Cloud Onboarding process
[Figure: Network Service Orchestrator (NSO) with Core FP (vBranch) and Core FP (SDWAN Onboarding), vManage, PnP and the Virtual Networks (ENCS); steps numbered 1-8 - NSO with the SDWAN Function Pack.]
• 1) Upload vEdge Certified Serial Numbers onto vManage
• 2) Get the unclaimed vEdge Cloud router list from vManage
• 3) Instruct vManage to:
  – Create day0 template
  – Attach day0 template (with variables) to an unclaimed vEdge Cloud router
  – Generate a Bootstrap Configuration file for the vEdge Cloud router (UUID, Token, …).
• 4) Get Bootstrap Configuration file for the vEdge Cloud router (cloud-init config file) which contains cloud-config (bootstraps) and cloud-boothook (day0) sections
• 5) VNFs instantiated and loaded with Bootstrap Configuration cloud-init file
• 6) NFVIS notifies NSO vEdge is alive
• 7) vEdge to Viptela Control Plane: initial control communication
• 8) vManage installs certificate into vEdge Cloud router and syncs up. vEdge Cloud router is ready for configuration from vManage
SDWAN CFP – Define Service Chain on NFVIS
[Figure: ENCS with an 8-port GE Switch, WAN NICs GE0/0 and GE0/1, and the networks wan-net, lan-net and wan-net2 chaining the vEdge and ASAv VNFs.]
vAnalytics - Customer Data
[Figure: vManage feeding the vAnalytics Clusters / Data Lake.]
Data Transfer and Storage
• Client authenticated and data securely transmitted from vManage to vAnalytics
• Data storage isolation between customers
• No PII (Personal Identifiable Information) is collected
Data Correlation and Algorithms
• Only management data (stats, flows) information collected
• All algorithms and visualization done on a per-customer basis
• IP Addresses collected for provider look-ups
• Peer benchmarking (future use cases) only on a group basis. No individual customer data used
The Power of Analytics - Application Centric (Based on DPI/cflowd)
1. Bandwidth Usage:
   1. Identification of top sources / top destinations / top application (family)
   2. Drill-down into information on a per-Site basis
   3. Identification of top sources
2. Application Performance:
   1. Application to tunnel-binding and performance information
3. Anomaly Detection:
   1. Baseline of Application usage. Anomaly detection based on overall application usage / by Family / by Site
The Power of Analytics - Network Centric
1. Site Availability (SD-WAN value prop)
   1. List of Sites with down-time comparing to TLOCs with their down-time
2. Network Availability
   1. List of sites by down-time
   2. Comparison of Site down-time vs TLOC down-time (SD-WAN value prop)
   3. Down site count on a time basis with the ability to drill-down into Sites and downtimes
3. Site Usage Analysis
   1. Bandwidth consumed by Site (Top Sites)
   2. Drill-down to show historical bandwidth consumption by time
4. Carrier Performance
   1. App-Route stats based on a per-carrier basis
   2. Ability to drill-down on a specific carrier and visibility into various remote carrier connectivity
vAnalytics – BW Consumption by Applications
vAnalytics – Network Health by Carriers
Use Cases and Deployment Models
Viptela Control Deployment
[Figure: the control elements vBond, vManage and vSmart behind NAT/Firewall, with vEdge on the service side; three hosting options:]
AWS
• Internet transport required
• Viptela managed 24/7
• Viptela Auto-provisioned
• Geo-redundancy
• Geo-vicinity
• Currently most common deployment model
Provider Cloud
• Public or (Private) transport possible
• Provider managed
• Provider orchestration
• Redundancy and vicinity as supported by SP
• Provider value-added services at discretion
On Premise
• Public or Private access as per Enterprise policy
• Enterprise managed
• Enterprise orchestration
• Redundancy and Vicinity as supported by Ent.
• Typically preferred by security conscious verticals (Finance, Public Sector)

• Data plane never crosses control layer
• Control deployment mainly about redundancy and security
• Control plane is latency tolerant
Cisco SD-WAN Control Plane Deployment - Viptela hosted Controllers / Public Cloud
[Figure: controllers in Region 1 and Region 2 (optional/standby vManage) on Private IPs behind 1:1 NAT to Public IPs, reached over the Internet.]
• Control Plane on Public Internet Only
• Most commonly deployed model
• Supports data plane on other transports (MPLS, Leased Line, etc)
Cisco SD-WAN Control Plane Deployment - Hybrid Cloud Controller Deployment
[Figure: controllers in DC/Region 1 and DC/Region 2 (optional/standby vManage) with Public IPs; BGP towards MPLS, DMZ/FW towards the Internet; No NAT.]
• Control Plane on MPLS and Internet
• Public IPs are assigned to the controllers
• No NAT is used
• For security compliance FW/DMZ on Internet facing side
Cisco SD-WAN Control Plane Deployment - Hybrid Cloud Controller Deployment
[Figure: controllers in DC/Region 1 and DC/Region 2 (optional/standby vManage) with Private IPs; BGP towards MPLS with No NAT; NAT + DMZ/FW with Public IP towards the Internet.]
* vBond must have Public IP or sit behind 1:1 NAT
• Control on MPLS and Internet.
• Private IPs on the controllers.
• Public IPs are not exposed on MPLS
• NAT/FW facing the internet
Cisco SD-WAN Control Plane Deployment - Public Cloud Controller Deployment
[Figure: controllers in DC/Region 1 and DC/Region 2 reached over the Internet, each with a vpn512 management connection; the DC hosts TACACS/RADIUS, Syslog Server, SNMP Server, NMS Tools, etc.]
• vEdge Cloud co-exists with the controllers
• vEdge participates in the overlay
• Traffic between the controllers and NMS systems in the DC goes on the overlay tunnels securely
Cisco SD-WAN Site Deployment - Gateway/DC Site Deployment
[Figure: DC/Gateway Site joining the SD-WAN Overlay (OMP over Internet and MPLS, SD-WAN Sites) with the Legacy/MPLS Sites via BGP/OSPF.]
• Identify Gateway/DC Sites providing connectivity between SD-WAN and legacy sites
• Legacy sites talk to each other directly
• SD-WAN sites talk to each other directly
• Legacy router/connectivity is dropped in the DC/Gateway sites once migration is complete
Cisco SD-WAN Site Deployment - Remote Site Designs
[Figure: seven remote site designs (1-7) combining Internet and MPLS transports, up to 7 Transport Interfaces per site; LAN-side options Static, VRRP, OSPF, BGP.]
Orchestration/Control/Management Plane Scale
[Figure: Data Center, Campus, Branch and Home Office over 4G/LTE, MPLS and Internet under the Management Plane (vManage, multi-tenant or dedicated), Control Plane (vSmart, containers or VMs) and Orchestration Plane (vBond); each plane follows a horizontal scale out model.]
• 2000 vEdges per vBond; redundancy: add 1-2 vBonds (horizontal scale out model)
• 2700 vEdges per vSmart; redundancy: add 1-2 vSmarts (horizontal scale out model)
Data Plane / IPSec Scale
[Figure: vEdge 100 (Dual LTE variant, back), vEdge 1000 and vEdge 2000.]
• vEdge 100: 250 IPSec tunnels, 100 Mbps
• vEdge 1000: 1500 IPSec tunnels, 1 Gbps
• vEdge 2000: 6000 IPSec tunnels, 10 Gbps
The solution is not limited by one individual component. Larger deployments can be handled using:
- Additional vEdge Routers to distribute the IPSec Scale
- A Hierarchical/Regionalized design
Large Enterprise with Global Distribution
WAN Components connected via overlays from Viptela SEN utilizing Internet, LTE, etc.
[Figure: Viptela SEN Secure Data Plane and Secure Control Plane joining the North America DCs, Europe DC and APAC DC (DC Core; Americas, Asia, Europe), the Distribution Centers and GS over Internet with LTE Backup, and the Stores / Field Offices, each with a vEdge Router, Switch and WiFi APs behind an Ethernet Exit (DSL/Cable/LTE/MPLS).]
• ZTP/Central Config/Policy: done on Viptela
• Connectivity: Active-Active
• Monitoring/Syslog/NetFlow: done on Viptela, Nagios
• App-Routing/PfR/Service Chain: done on Viptela
• Segmentation: Multiple VPNs
• Encryption: Built-in / No key-mgmt
Example Of 100-site (Small Enterprise) - Agilent
[Figure: OBS MPLS and Business Class Internet transports; Viptela SEN Secure Data Plane and Secure Control Plane joining the North America DCs, Europe DC and APAC DC (DC Core; Americas, Asia, Europe) with Large, Medium and Small sites, each with a vEdge Router and Switch. Site tiers: Platinum (Dual MPLS, Dual Broadband), Gold (Single MPLS, Single Broadband), Silver (Dual Broadband), Bronze (Single Broadband).]
• ZTP/Central Config/Policy/SW Upgrade: done on Viptela
• Connectivity: Active-Active
• Monitoring/Syslog/cFlow: vManage, HP NNM, Riverbed SteelCentral
• Seamless Migration (Brownfield): no impact to traffic, migrated to non-migrated
• App-Routing/Circuit Selection: done on Viptela
• Segmentation: Single VPN
• Encryption: done on Viptela
• Rapid Site Bring-up (Paradigm Shift): order ISP DIA circuits first, then MPLS (if needed)
• Traffic Symmetry across regions: done on Viptela
• Split-Tunnel: Selective 80/443, GRE to ZScaler
• VPN Topology: Full Mesh
• IAAS and SAAS: AWS, SFDC, o365
Variety Of Deployment Models
[Figure: three models between Site A and Site B over Internet and MPLS - Side-by-Side, Hybrid With Fallback and Full SDWAN - combining Existing Router and vEdge devices with a Secure Virtual Fabric / Secure Tunnel.]
Cisco SDWAN Pricing Model
[Figure: Perpetual cost of Viptela CPE hardware + Subscription cost of Viptela software (includes SD-WAN controller + CPE software) + Operational cost of Viptela solution.]
The Cisco SDWAN pricing model consists of two components:
1. Subscription* license (1YR, 3YR and 5YR) for Viptela software charged per CPE. This cost is dependent on two factors:
   • Service bandwidth. Slide 5 covers how service bandwidth is calculated.
   • Features: Slide 3 covers feature buckets.
2. Perpetual cost of Viptela CPE** element.
*Note: Subscription cost of Viptela software includes cost of SD-WAN controllers, 24x7x365 Viptela support, next day hardware replacement for Viptela CPE, software upgrades on all components and the cost of hosting the Viptela controllers in the Viptela cloud.
**Note: CPE can be Viptela manufactured or in the case of Virtual CPE customer/partner provisioned. Cost here implies Viptela CPE only.
Viptela Pricing Tiers
Plus
• Features: Encrypted Fabric; Hub-and-spoke only; App-aware routing (AAR); Split tunnel
[Figure: Hub with Spokes over MPLS and Internet, Local breakout, AAR, SD WAN controllers.]
Pro + DPI
• Features: Plus capability; Dynamic routing; E2E Segmentation (Multiple VPNs); Application aware routing with DPI; Full-mesh
[Figure: Hub and Spokes over MPLS and Internet with Dynamic Routing, Local breakout (App based), AAR, E2E Segmentation, SD WAN controllers.]
Enterprise
• Features: Pro + DPI; CloudExpress; Analytics
[Figure: as Pro + DPI, plus CloudExpress and Analytics with the SD WAN controllers.]
Pricing Tiers - Detailed
Bandwidth Licensing
[Figure: Branch vEdge with Circuit 1 (MPLS), Circuit 2 (Internet), Circuit 3 (3G/4G/LTE) and a TLOC extension.]
Bandwidth entitlement* on vEdge is the sum of peak bandwidth (either upstream or downstream) across all WAN circuits.
Example: If a 50Mbps bandwidth license is purchased the sum of peak circuit bandwidth (either upstream or downstream) across Circuits 1, 2 and 3 must be less than or equal to 50Mbps.
Bandwidth entitlement also includes
i. Split tunnel (Direct Internet Breakout)
ii. Traffic offloaded to 3rd party cloud services, i.e. zScaler.
TLOC extension interface bandwidth is not included in bandwidth entitlement.
*Note: Entitlement assumes the peak bandwidth usage 95% of the time. This accommodates traffic bursts that might happen.
SDWAN Rollout and Positioning
[Table: rows Deployment Scenarios, Lead Motion, Key Dates per phase]
Phase 1 – FY18, No Integration
• Deployment Scenarios: vManage w/ vEdge/ENCS -or- Meraki
• Lead Motion: vEdge (vManage, vEdge)
• Key Dates: vEdge on ENCS (x86) = Nov'17; GPL = Feb'18
Phase 2 – 1HFY19, Platform Integration
• Deployment Scenarios: vManage w/ Any EN Platform -or- Meraki
• Lead Motion: ISR4K + vEdge SW; ASR/ISR + vEdge SW (vManage, vEdge)
• Key Dates: LA – Mar'18; GA – Jul'18
Phase 3 – 2HFY19, Management Integration
• Deployment Scenarios: DNA Center w/ Any Platform -or- Meraki
• Lead Motion: DNA Center + SD-WAN
• Key Dates: Late 2018
Clarification On SDWAN Terminology
• vEdge: Viptela H/W with all software capabilities as-is
• ISR: traditional IOS-XE with IWAN capabilities, for ISR4K, ASR, CSR & ISRv
• "SDWAN Enabled ISR": SDWAN-enabled IOS-XE for ISR4K, ASR, CSR & ISRv. Only features highlighted in the next slide are included in the SD-WAN image
Integration Roadmap (roadmap subject to change)

Phase 1 (April 2018)
Viptela Capabilities - SD WAN Features:
✓ ZTP
✓ App Route Policy
✓ QoS
✓ Cloud Onramp – IAAS
✓ Segmentation
✓ DIA - Zscaler (GRE only)
Routing Protocols
✓ BGP, OSPF
Monitoring & Troubleshooting
✓ System & Interface stats
✓ Events
✓ Performance monitoring
IOS Capabilities:
✓ NBAR
Platform
✓ ISR 4331, ASR 1001-x
New Interfaces
✓ Ethernet, 4G LTE, T1/E1

Phase 2 (July 2018)
Viptela Capabilities - SD WAN Features:
✓ Cloud Onramp - SAAS
✓ TLOC Extension
✓ IPv6 - Service & Transport
✓ Service Chaining
Services
✓ Multicast
Monitoring & Troubleshooting
✓ vManage with DPI & Cflowd, Analytics
IOS Capabilities:
✓ Zone Based Firewall
✓ Umbrella (DNS Whitelisting)
✓ Full NBAR (SDAVC, Custom Apps)
✓ EIGRP
Platforms:
✓ 43xx 44xx, 11xx, ENCS
✓ ASR1xxx, CSR
New Interfaces:
✓ xDSL

Phase 3 (Nov 2018)
Viptela Capabilities - SD WAN Features:
TCP Optimizations
IOS Capabilities:
✓ App QoE
✓ Per-Tunnel QoS
Services
✓ DIA with Umbrella Connector
✓ UC – SRST, PSTN GW, SIP GW
✓ AppNav Controller
Platforms:
✓ All
New Interfaces:
✓ All
Cisco Enterprise Routing Portfolio moving forward
[Figure: platforms arranged across Cloud, Branch and WAN Edge, with a Virtual row.]
• ASR 1000: 2.5-200Gbps; high-performance service w/hardware assist; hardware & software redundancy
• vEdge 2000: 10 Gbps; modular
• ISR 4000: up to 2 Gbps; modular; integrated container applications; compute with UCS E
• vEdge 1000: up to 1 Gbps; fixed
• ISR 1000: up to 250 Mbps; fixed and fanless; SD-WAN ready; integrated wired & wireless access
• vEdge 100: 100 Mbps; 4G LTE & Wireless
• ISR 800: up to 100 Mbps; fixed and fanless; enterprise-class branch routing with security
• ISRv: 50 Mbps to 2.5 Gbps; virtual enterprise-class networking; runs on x86 compute platform; ENFV orchestration & management
• Cisco ENCS: service chaining virtual functions; modular WAN connectivity; open for 3rd party services & apps
• CSR 1000V: 10 Mbps to 10 Gbps; DNA Virtualization; extends enterprise routing, security & management to cloud
• vEdge Cloud: 10 Mbps to 100 Mbps; extends overlay to public cloud
MSP: SD-WAN Deployment Options
[Table: technology stack (End User & Operator Portals, Service Creation and Delivery, Service Orchestration, Services Infrastructure, Data Plane, SP Infrastructure) per deployment model]

Deployment Model: Cisco NG SDWAN - Standalone SD-WAN
• Use Cases / Consumption Models: Cloud, SP Managed
• SP Value Prop: Viptela for pure play SD WAN (Network as a Service)
• End User & Operator Portals: Viptela Portal or SP Provided
• Service Creation and Delivery: Service Provider OSS/BSS, SP Provided; SP Dev & Integration: Ordering | Billing | Tenancy | Analytics | Assurance | Management
• Service Orchestration: vManage
• Services Infrastructure: vSmart, vBond (vOS)
• Data Plane: vEdge; ISR Converged IOS / vEdge SW (Future)

Deployment Model: Virtual Managed Services (VMS)
• Use Cases / Consumption Models: All 3 - aaS, Cloud, SP managed
• SP Value Prop: Turnkey services: SDWAN with vBranch supporting additional security and VNF service chains
• End User & Operator Portals: VMS Portal or SP Provided
• Service Creation and Delivery: VMS Platform - APIs | Ordering | Billing | Tenancy | Analytics | Assurance | Management
• Service Orchestration: NSO + Core FPs; NSO VNF Mgmt; vManage
• Services Infrastructure: vSmart, vBond (vOS); NFVIS; IOS-XE
• Data Plane: ENCS; vEdge (virtual/physical); VNFs; ISR Converged IOS / vEdge SW (Future)

Deployment Model: NSO + Core FPs
• Use Cases / Consumption Models: All 3 - SP Managed
• SP Value Prop: Infrastructure orchestration supporting vBranch and NFV provisioning
• Service Creation and Delivery: SP Dev & Integration: Ordering | Billing | Tenancy | Analytics | Assurance | Management
• Service Orchestration: NSO; NSO VNF Mgmt (optional); vManage
• Services Infrastructure: vSmart, vBond (vOS); NFVIS
• Data Plane: ENCS; vEdge (virtual/physical); VNFs; ISR Converged IOS / vEdge SW (Future)