cisco sdwan johcurra 2017-11-03 -...

John M CurranSystems Engineer

Introduction and Technical Deep DiveCisco SD-WAN

Viptela Confidential2

Why SD-WAN

High Customer Demand & Rapid Adoption

Explosive Market Growth & Revenue Opportunity

1Gartner Predicts 2016: Enterprise Networks and Network Services, Dec 2015 2Gartner Predicts: SD-WAN and Its Impact on Traditional Router and MPLS Services, Nov 2016Revenue, Worldwide, 2016-2020 3IDC Forecasts Strong Growth for Software-Defined WAN As Enterprises Seek to Optimize Their Cloud Strategies, March 2016

Disrupt or be Disrupted

By the end of 2019, 30% of enterprises will have deployed SD-WAN technology in their branches, up from less than 1% today.1

The overall branch office router marketing will experience a CAGR of -6.3% and the legacy router segment will experience a -28.1% CAGR by the end of 2020.2

SD-WAN Technology and Services market poised to reach $6 Billion by 2020.3


• It costs too much • It’s complex to install and manage• It underperforms• It’s not secure

Why SD-WAN Matters to CustomersLegacy WAN Architecture Does Not Meet the Needs of the Business

Customers Need a Better Way


5X Cloud PerformanceCloud Aware architectures and SLA-based traffic steering deliver blazing

performance for applications like O365, AWS, SFDC and more

10X More BandwidthNo capacity restraints. No choke points.

Instantly add bandwidth anytime, anywhere based on application requirements

50% Lower CostReduced CapEx and bandwidth

expense. Simplified management. Rapid troubleshooting

Enterprise class SD-WAN that is Simple to Operate, Secure and is

built for the Cloud

Viptela: The Leader in SD-WAN Innovation

Separation of management, control, data for scaling

Redundant management—cloud or on premises

Zero-touch provisioning in minutes, not days

Full segmentation support for fast app deployment

Choice of topologies with point-and-click

Complete visibility from single pane of glass

Comprehensive and Flexible to Fit Your Business

OR OR OR

PHYSICALSECURE ROUTERS

VIRTUALSECURE ROUTERS

IN-HOUSE IT

MANAGED SERVICE

CAPEX WITH ANNUAL SUBSCRIPTION

ENTERPRISE-BASED AGREEMENT

SD-WAN Enterprise Grade CapabilitiesReducing Cost and Complexity for Agile IT

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Viptela Company Overview


Viptela At A Glance

$110M VC funding: Sequoia, Redline, Northgate

6 Continents

40 Fortune-500 customers

35,000 Devices deployed

8 Tier-1 Carriers & Global SIs

24x7x365Support

Global Distributionand RMA

Training and Certification

Retail

Hospitality

Financial

Transport

Healthcare Manufacturing

Gov Tech


CHALLENGES VIPTELA SOLUTION BUSINESS OUTCOMES

Case Studies: GAPGlobal Retailer Case Study: Cloud onRamp

Enabled Cloud-Based Healthcare

Apps

Zero Outages

Adding Bandwidth 120 à 2 days

10x Bandwidth

No wasted engineering hours

Outages at Clinics

Couldn’t enable SaaS Apps

Need to add to Office365 and Cloud-based Voice

MPLS à MPLS+ broadband

Cloud-based EMR enabled

Next Phase: Migrate Office 365, Voice to Cloud



Case StudiesGloGlobal Retailer Case Study: Global Retailer

Reduction in WAN Costs

40%

26x Bandwidth improvement

5x Improvement store conversions

$20M Saved over 3-years

Reduce OpEx and CapEx costs

Re-energize customer in-store experience

Improve mobile application performance

Viptela SEN infrastructure

1600 stores globally

MPLS à dual broadband

7 Segments – PCI, guest WiFi, security



Technology Silos Consolidated

46

14 to 1 Carrier MPLS VRFs

Months to weeks rapid M&A onboarding

46 Portfolios consolidated

Rapid M&A integration

14 different environment, 8 carriers

Massive migration to O365 & AWS

Business unit segmentation


Enable active active à MPLS + internet

Case Study: Global Industrial Firm



Less time for deployingnew branch

WAN

80%

20x Bandwidth Improvement

4x Improvement in app performance

50 Sites deployed per night

1000 Devices upgraded in 4 hours

1.5 Engineering hours plan / site(contrast with 40 hours earlier)

High bandwidth apps (HD Video)

Improve application performance

Simplify branch IT operations (incl ATMs)


3000 locations

Augment MPLS with broadband

Case Study: Banking – Fortune 500



Transformed Customer

Experience

Video and WiFi inside Branches

Faster Applications

Agile Operations

Business Continuity: Data loss Prevention and Backup

Customer Experience Applications • Self-service kiosks • Video conf with live experts • New Retail Bank AppsSimplify branch IT operations (incl ATMs)Improve Business continuity with Data loss prevention, backups

Verizon Managed SD-WAN with Viptela SEN

1400 locations

Augment MPLS with LTE

Case Study: Network As a Service


Cisco SD-WANSolution Elements and Overview


Cisco SD-WAN Solution PhilosophyMost Comprehensive Solution on the Market

Transport Independent Fabric

CellularMPLSBroadband

Delivery Platform

QoS

Application PoliciesSecurity

Per-SegmentTopologies

Segmentation Svc Insertion

CloudPath

Application SLA

SecurePerimeter

TrafficEngineering

SurvivabilityRouting

Analytics

Monitoring

Operations

TransportHub

Multicast

CloudAccel

Cisco SD-WAN ArchitectureThe Power of Abstraction

Management Plane

Control Plane

Data Plane

APIs

vSmart Controllers

vAnalytics 3rd PartyAutomation

vManage

Data Center Campus Branch SOHOCloud

vBond

vEdge Routers

4GMPLS

INET

Orchestration Plane

Cisco SD-WAN Solution ElementsOrchestration Plane

APIs

vSmart Controllers


vManage


vBond

vEdge Routers

4GMPLS

INET

• Orchestrates connectivity between management, control and data plane

• First point of authentication• Requires public IP Address• Facilitates NAT traversal• All other components need to

know the vBond IP or DNS information

• Authorizes all control connections (white-list model)

• Distributes list of vSmarts to all vEdges

Orchestration Plane

Cisco vBond

Cisco SD-WAN Solution ElementsManagement Plane

Management Plane

Cisco vManage

• Single pane of glass for Day0, Day1 and Day2 operations

• Real time alerting

• Centralized provisioning• Configuration standardization• Simplicity of deploying• Simplicity of change• Supports

• REST API• CLI• Syslog• SNMP• NETCONF

vSmart Controllers


vManage


vBond

vEdge Routers

4GMPLS

INET

APIs

Cisco SD-WAN Solution ElementsControl Plane

Control Plane

Cisco vSmart

• Centralized brain of the solution• Facilitates fabric discovery

• Establishes OMP peering with all vEdges

• Implements control plane policies, such as service chaining, traffic engineering and per VPN topology

• Dramatically reduces complexity of the entire network

• Distributes connectivity information between vEdge

• Orchestrates secure data plane connectivity between vEdges

vSmart Controllers


vManage


vBond

vEdge Routers

4GMPLS

INET

APIs

Cisco SD-WAN Solution ElementsData Plane Data Plane

Physical/Virtual

Cisco vEdge

• WAN edge router• Provides secure data plane with

remote vEdge routers• Establishes secure control plane

with vSmart controllers (OMP)• Implements data plane and

application aware routing policies

• Exports performance statistics• Leverages traditional routing

protocols like OSPF, BGP and VRRP

• Support Zero Touch Deployment• Physical or Virtual form factor

APIs

vSmart Controllers


vManage


vBond

vEdge Routers

4GMPLS

INET


Cisco vEdge Routers

Small OfficeHome Office

100Mb

1Gb

1/10Gb

BranchCampus

Large CampusData Center

Virtualized BranchCloud

vEdge Cloud

vEdge 2000

vEdge 1000

vEdge 100

ControllersCloud or On-Premise Delivered

Physical Server

vManage vSmart vSmart

VM

vContainer

vBond*

* Can be deployed as physical vEdge appliance

On-Premise

ESXi or KVM

vManage vSmart vSmartvBond

Hosted

VM

vContainer

AWS or Azure


Cisco SD-WANTechnology Deep Dive


Cisco SD-WANZero Trust Fabric

Cisco vEdge Router Identity• Each physical vEdge router is uniquely

identified by the chassis ID and certificate serial number

• Certificate is stored in onboard Tamper Proof Module (TPM)- Installed during manufacturing process

• Certificate is signed by Avnet root CA- Trusted by Control Plane elements

• Symantec root CA chain of trust is used to validate Control Plane elements

• Alternatively, if used, Enterprise root CA chain of trust can be used to validate Control Plane elements- Can be automatically installed during ZTP

TPMChip

Root Chain

During Manufacturing

In Viptela Software

Device Certificate

Cisco vEdgeZero Touch Provisioning

Control and PolicyElements

Initial

cont

rol

com

mun

icatio

n

Initial

devic

e

conf

igura

tion

from

vMan

age Full Registration and

Configuration

vEdge

5

* Factory default config

Assumption:§ DHCP on Transport Side (WAN)§ DNS to resolve ztp.viptela.com*

§ Delivered as-a-Service

3

4

Zero Touch ProvisioningServer

Query to

ztp.viptela.comRedirect to corporate

orchestrator

1

2


Cisco SD-WANFabric Operation

Overlay Management Protocol (OMP)Unified Control Plane

• Runs on top of TCP, extensible control plane protocol

• Runs between vEdge routers and vSmartcontrollers and between the vSmartcontrollers- Inside TLS/DTLS connections

• Advertises control plane contextvSmart vSmart

vSmart

vEdge vEdgeVS

Note: vEdge routers need no control connections amongst them

Bidirectional Forwarding Detection (BFD)

vEdge vEdge

vEdge

vEdge vEdge

• Path liveliness and quality measurement detection protocol- Up/Down, loss/latency/jitter, IPSec

tunnel MTU

• Runs between all vEdge and vEdge Cloud routers in the topology- Inside IPSec tunnels- Automatically invoked after each IPSec

tunnel establishment- Cannot be disabled

• Uses hello (up/down) interval, poll (app-aware) interval and multiplier for detection- Fully customizable per-vEdge, per-color

Transport1

Transport2

§ Each vEdge advertises its local IPsec encryption keys

§ Encryption key is per-transport

Local Keys

vSmartControllers

vEdgevEdge

§ Keys are rotated frequently through OMP

Traffic Encrypted with

Traffic Encrypted with

Data Plane PrivacyTraffic Encryption

Control Plane

OMPUpdate

OMPUpdate

AES256-GCM

Remote Keys

Local Keys

Remote Keys

TLOCs TLOCs

OMP Update:§ Reachability – IP Subnets, TLOCs§ Security – Encryption Keys§ Policy – Data/App-route Policies

BGP, OSPF, Connected, Static

BFDIPSec Tunnel

OMPDTLS/TLS Tunnel

Transport1

Transport2VPN1

A

VPN2

B

VPN1

C

VPN2

D

BGP, OSPF, Connected, Static

vSmart

OMPUpdate

OMPUpdate

vEdge vEdge

Subnets Subnets

TLOCs TLOCs

Policies

Fabric Operation Fabric Walk-Through

OMPUpdate

OMPUpdate


Cisco SD-WANApplication Experience and QoS


Application Visibility

Deep Packet Inspection

ü App Firewall

ü Traffic prioritization

ü Transport selection

vEdge Router

App 1

App 2

App 3,000

4G/LTE

MPLSInternet Data Center

CampusBranch


Cloud Data Center


Critical Applications SLA

Path1: 10ms, 0% loss, 5ms jitterPath2: 200ms, 3% loss, 10ms jitterPath3: 140ms, 1% loss, 10ms jitter

vManage

App Aware Routing PolicyApp A path must have:

Latency < 150msLoss < 2%

Jitter < 10ms

Path 1

Path 3

Path 2

vEdgeRouter

vEdgeRouter

§ vEdge Routers continuously perform path liveliness and quality measurements

Device QoS(shaping, policing, queuing, marking)

Internet

MPLS

4G LTE

Optimal Application Throughput

• High latency path between users and servers, i.e. geo-distances

• vEdge routers terminate TCP sessions and provide local acknowledgements to prevent TCP windowing from reacting

• Selective acknowledgements prevents unnecessary retransmit of the successfully received segments

• Hosts using old TCP/IP stacks will see the most benefit

Users ServersHigh Latency Path

vEdgevEdge

TCP Connections TCP ConnectionsOptimized

TCP Connections (Cubic)

SD-WANFabric

Application OptimizationTCP Performance Optimization


Cisco SD-WANSegmentation and Service Insertion

Cisco SD-WAN VPNsvEdge Router Security Zones

MPLS

INET

Transport(VPN0)

Service(VPNn)

Management(VPN512)

IF

• VPNs are isolated from each other, each VPN has its own forwarding table

• Reachability within VPN is advertised by the OMP

IF,Sub-IF

IF,Sub-IF

IF,Sub-IF

IF,Sub-IF

TransportsTransports

Site 1

Site 2

Data Center

VPN A

VPN B

VPN C

IPSec

20IP

8UDP

36ESP

4VPN

…Data

Label

§ Isolated virtual private networks across any transport

§ VPN mapping is based on physical vEdge Router interface, 802.1Q VLAN tag or a mix of both

§ VPN isolation is carried over all transports- https://tools.ietf.org/html/rfc4023

802.1q

802.1q

IF

IF

IF

IF

End-to-End SegmentationVirtual Private Networks and Mapping

Application Aware TopologiesArbitrary VPN Topologies

VPN1

Full-Mesh

VPN2

Hub-and-Spoke

VPN3

Partial Mesh

VPN4

Point-to-Point

Unified Communications

SecurityCompliance

RegionalServices

PartnerConnectivity

• Leverage control policies to influence per-VPN topology

L4-L7 Service InsertionRegional Secure Perimeter

Data Center

Remote Office

Regional Hub

MPLS INET

4G

L4-L7 ServiceAdvertisement

PolicyAdvertisement*

vSmart

VPN1

VPN1

Traffic Path

Control Plane

FW

* For data policy only. Control policy enforced on vSmart.

VPN1

• Can chain numerous L4-L7 services

Protected Compute Resources

Regional Secure

PerimeterCampus


Branch

FirewallsIDS/IPS/DLP

FirewallsIDS/IPS/DLP

Data Center

CloudData Center

Data Center

Application Traffic SecurityRegional Secure Perimeter

Secure SD-WANFabric

ServiceAdvertisement

Service InsertionPolicy


Cisco SD-WANCloud Adoption

Application Quality Probing

RegionalHub

Remote SiteISP2

ISP1

SD-WANFabric

Loss/Latency

!

Data Center

Cloud onRamp for SaaSSaaS Optimization

Data Center

RegionalHub

Remote Site

SD-WANFabricMPLS

ISP1

Loss/Latency

!

ISP2

Remote Site

SD-WANFabric

Branch

Campus

CloudData Center

Compute VPC/VNET

Compute VPC/VNET

Cloud onRamp for IaaS IaaS

Remote Site

SD-WANFabric

Branch

Campus

CloudData Center

Compute VPCs/VNETs

Gateway VPC/VNET

BGPBGP BGP

IPSec Tunnel

Cloud SecuritySaaS and Internet Security

GRE Tunnel

Remote Site

ISP1

ISP2

Exploits ATP Malware Botnets

POP1 POP2

Remote Site

ISP1

ISP2

DNS Query

Client

• Eliminates backhaul of traffic destined to Internet and cloud applications


Cisco SD-WANHigh Availability and Redundancy


Site Redundancy - Routed

§ Redundant pair of vEdge routers operate in active/active mode

§ vEdge routers are one or more Layer 3 hops away from the hosts

§ Standard OSPF or BGP routing protocols are running between the redundant pair vEdgerouters and the site router

§ Bi-directional redistribution between OMP and OSPF/BGP and vice versa on the vEdgerouters

§ Site router performs equal cost multipathingfor remote destinations across SD-WA Fabric- Can manipulate OSPF/BGP to prefer one vEdge

router over the other

vEdge A

Host

vEdge BOSPF/BGP OSPF/B

GP

SiteRouter

SD-WANFabric


Site Redundancy - Bridged

§ vEdge routers are Layer 2 adjacent to the hosts- Default gateway for the hosts

§ Virtual Router Redundancy Protocol (VRRP) runs between the two redundant vEdgerouters- Active/active when using multigroup

§ VRRP Active vEdge responds to ARP requests for the virtual IP with its physical interface MAC address

§ In case of failover, new VRRP Active vEdgerouter sends out gratuitous ARP to update ARP table on the hosts and mac address table on the intermediate L2 switches

vEdge AVRRP Active

Host

vEdge BVRRP Standby

SD-WANFabric


Transport Redundancy - Meshed

MPLS Internet

§ vEdge routers are connected to all the transports

§ When transport goes down, vEdge routers detect the condition and bring down the tunnels built across the failed transport- BFD times out across tunnels

§ Both vEdge routers still draw the traffic for the prefixes available through the SD-WAN fabric

§ If one of the vEdge routers fails, second vEdge router takes over forwarding the traffic in and out of site- Both transport are still available

Site Network

vEdgevEdge


Transport Redundancy – TLOC Extension

MPLS Internet

Site Network

vEdgevEdge

§ vEdge routers are connected only to their respective transports

§ vEdge routers build IPSec tunnels across directly connected transport and across the transport connected to the neighboring vEdge router- Neighboring vEdge router acts as an

underlay router for tunnels initiated from the other vEdge

§ If one of the vEdge routers fails, second vEdge router takes over forwarding the traffic in and out of site- Only transport connected to the remaining

vEdge router can be used

VRRP OSPF/BGP

OSPF/BGP

INET INETMPLSMPLS

INET

MPLS

Site

DataCenter

MPLS

INET

vSmart Controllers

Control

Data

Site Redundancy Transport Redundancy

Network/Headend Redundancy Control Redundancy

High Availability and RedundancyConnectivity Assurance


Cisco SD-WANAnalytics


vAnalytics

Visibility

Forecasting

What-If

Recommendations

• Offered as a SaaS Service

• Multi-customer sourced data

• Anonymous data-collection

• Reports for Customers, Partners and Viptela

• Included with Enterprise License tier


vAnalytics Dashboard


vAnalytics Main Characteristics

Application/Flow Centric• Based on DPI and cflowd

• Bandwidth Usage- Top sources, destinations apps- Per-Site basis

• Application Performance• Application to tunnel binding and

performance information

• Anomaly Detection- Baseline of application usage- Anomaly detection based on

overall application usage (by application family, by site)

Network Centric• Site Availability

• Network Availability

• Site Usage Analysis- Top sites by bandwidth consumption- Historical bandwidth consumption

• Carrier Performance- App-Route stats on a per-carrier basis- Carriers health ranking


Cisco SD-WANDemo


Phase 2Platform Integration

Phase 1: At CloseNo Integration

vManage

vEdge

vManage

ISR4K + vEdge SW

Viptela Integration PlanPhase 3

Management Integration

vEdge

vManage + DNA Center

ISR4K + vEdge SWvEdge

Cloud-hosted Cloud-hosted

Platform: • As-isManagement:• vManage as-is

Platform: • vEdge capabilities integrated into all IOS-XE

platforms (ISR, CSR, ENCS, ASR1K)Management:• vManage for SD-WAN capabilities on IOS-XE

Management:• Cloud hosted DNA Center integrates vManage

capabilities• Full DNA Center capabilities (SWIM,

Assurance, Patch Management, Integrated workflows for SD-Access and SD-WAN)

Cloud-hosted

Support and Scale the current sales motion

Viptela SD-WAN on strategic ISR platform

Deliver end-to-end experience with full DNA integration

Dep

loym

ent S

cena

rios

Bene

fits

Det

ails

NEW

NEW


vManage

2-box solution: Possible Deployment Scenarios

ISR

TI / E! / DSL

Dep

loym

ent S

cena

rios

vEdge

ISR providing services

vManage

vEdge

Ethernet

ISR

vManage

ISR

TI / E! / DSL

vEdge

ISR providing T1/E1/DSL Connectivity

vManage

ISR

TI / E! / DSL

vEdge

WaaS

UC


Cisco SD-WANPricing and Licensing

Perpetual costof Cisco

SD-WAN CPE hardware

Subscriptioncost of Cisco

SD-WAN software

(Includes SD-WAN controller

+ CPE software)

Operationalcost of Cisco

SD-WAN solution

1. Subscription* license (1YR, 3YR and 5YR) for Cisco SD-WAN software charged per CPE. This cost is dependent on two factors:

• Service bandwidth• Features

2. Perpetual cost of Cisco SD-WAN CPE** element.

*Note: Subscription cost of Viptela software includes cost of SD-WAN controllers, 24x7x365 Cisco SD-WAN support, next day hardware replacement for Cisco SD-WAN CPE, software upgrades on all components and the cost of hosting the Cisco SD-WAN controllers in the Cisco SD-WAN cloud.

**Note: CPE can be Cisco SD-WAN owned or in the case of Virtual CPE customer owned. Cost here implies Cisco SD-WAN CPE only.

Pricing ModelSubscription and Perpetual Elements

Plus Pro

Hub

Spoke Spoke Spoke

MPLS Internet Local breakout

Hub

Spoke Spoke Spoke

MPLS Internet

Spoke Spoke

Local breakout

Dynamic Routing

Dynamic Routing

Hub

Spoke Spoke Spoke

MPLS Internet

Spoke Spoke

Dynamic Routing

Dynamic Routing

SaaS onRamp

SD WAN controllers

AnalyticsSD WAN controllers

SD WAN controllers

AARAAR AAR

E2E Segmentation

E2E Segmentation

• Routing: Static• Topology: Hub-n-spoke only• Internet/Cloud: NAT, Split tunnel• Policy: Local ACL only, Data policy• QoS• SLA: Application aware routing (5 tuple only)• Visibility : DPI for visibility only

• Routing: Dynamic routing (OSPF/BGP)• Topology: Mesh topology• Internet/Cloud: Cloud onRamp for IaaS• Policy: Control policy• Segmentation: 5 VPNs (1+4)• SLA: Application aware routing (DPI)• Multicast

• Segmentation: Unlimited• Internet/Cloud: Cloud onRamp for SaaS • Analytics: vAnalytics platform

Enterprise

Features License Tiers

cisco sdwan johcurra 2017-11-03 -...

Documents