Cisco Connect Dubrovnik · VPC/VNET Compute VPC/VNET Using Marketplace (DIY) Remote Site SD-WAN Fabric Branch Campus Cloud Data Center Compute VPCs/VNETs Gateway VPC/VNET Fully Automated.

Cisco Connect DubrovnikCroatia • 28.03.2019

Global vision.Local knowledge.

Vedran FranjićSystem Engineer Sales28.03.2019

Delivering Cisco Next Generation SD-WAN with ViptelaCisco SD-WAN

Agenda

• Introduction

• SD-WAN architecture

• SD-WAN fabric

• Deployment options

• Use Cases

• Licensing

Introduction

The WAN Has Changed

Data Center

Multi-Cloud

SaaS

Internet

SAAS

BranchWAN

UsersDevicesThings

INET

MPLS

Users Internet

MPLS

Branch WANData Center

Traditional and Legacy Architectures

EXPENSIVE

DIFFICULT TO SUPPORT Device-by-device

configurationsComplex management silos

Require slow truck rolls for changes

INFLEXIBLEStatic network

CONNECTIVITY-CENTRICIncomplete user experienceNot application-centric

POORLY INTEGRATEDConflicting policies and configurations

Risk from accidental interactions and vulnerabilities

Cannot Scale to Address Changing Needs

SD-WANArchitecture

Cisco SD-WAN Architecture Overview

Data Center Campus Branch SOHO

4G/LTE

MPLS

Internet

Control Plane = vSmart(Containers or VMs)

Data Plane = Edge(vEdge, Cisco ISR/ASR/ENCS,

Whitebox)

Management = vManage(Multi-tenant or Dedicated)

Orchestration = vBond

vManage

vSmart

WAN Edge

Orchestrator PnP

APIs

Cloud

vAnalytics

vBond is SD-WAN Orchestrator

• Orchestrates connectivity between management, control and data plane

• Serves as the first point of authentication

• Requires public IP Address, provides NAT-T

• All other components need to know the vBond IP or FQDN

• Authorizes all control connections (white-list model)

vManage is NMS for SD-WAN• Single-tenant or Multitenant

• Single pane of glass for Day 0, Day 1 and Day 2 operations

• Enables centralized provisioning and simplifies changes

• Supports REST API, CLI, Syslog, SNMP, NETCONF

• Provides real time alerting

• Role Based Access Control

vSmart is Centralized Control Plane

• Implements control plane policies, such as service chaining, traffic engineering and per-VPN topology

• Reduces complexity of the entire network

• Establishes peering with all WAN Edges, distributes connectivity and security context

WAN Edge is your SD-WAN Data Plane

• Provides secure data plane with remote WAN Edge routers

• Establishes secure control plane with vSmart controllers

• Implements data plane and application aware routing policies

• Exports performance statistics

• Physical or Virtual form factor

Single Pane Of Glass Operations

Operations Simplicity and Visibility

Rich Analytics

vManage vAnalytics

• Cloud-first management and orchestration• Zero-touch provisioning

• Troubleshooting with simplified workflows • Advanced analytics and assurance

SD-WAN Fabric

Unified Control Plane• Overlay Management Protocol (OMP)• Runs between WAN Edge routers and vSmart

controllers and between the vSmart controllers- Inside authenticated TLS/DTLS connections

• Advertises control plane context and policies• Dramatically lowers control plane complexity and

raises overall solution scalevSmart vSmart

vSmart

WAN Edge WAN Edge

Note: WAN Edge routers need not connect to all vSmart Controllers

VS

SD-WAN Traditional

O(n) Control Complexity O(n^2) Control Complexity

Data Plane Establishment

OMP IPSec Tunnel

WAN Edge

WAN EdgeWAN Edge

WAN Edge

WAN Edge

vSmart

Local Routes- Local prefixes (OSPF/BGP)- SD-WAN tunnel endpoints (TLOCs)Security Context- IPSec Encryption Keys

Routes and encryption keys are advertised to vSmarts in

OMP updates

vSmarts advertise routes and encryption keys to WAN Edges in OMP updates

SD-WAN fabric between tunnel

endpoints

INETMPLS

Transport Locator (TLOC)

IPsec

IPsec

IPsec

Fabric Routing:<prefix> via

Data Plane Liveliness and Quality

WAN Edge WAN Edge

WAN Edge

WAN Edge WAN Edge

• Bidirectional Forwarding Detection (BFD)

• Path liveliness and quality measurement- Up/Down, loss/latency/jitter, IPSec tunnel MTU

• Runs between all WAN Edge routers in the topology- Inside SD-WAN tunnels- Across all transports- Operates in echo mode- Automatically invoked at SD-WAN tunnel

establishment- Cannot be disabled

• Uses hello (up/down) interval, poll (app-aware) interval and multiplier for detection- Fully customizable per-WAN Edge, per-transport

Common Data Plane Communication

Per-Session Load SharingActive/Active

INETMPLS

Default

Per-Session WeightedActive/Active

INETMPLS

Device Configurable

Application PinningActive/Standby

INETMPLS

Policy Enforced

Application Aware RoutingSLA Compliant

INETMPLS

SLA SLA

Policy Enforced

SD-AVC

SD-AVC

cEdge

• SD-AVC Controller:• Application Signatures updates• Connectors to external service (O365)• Custom-app definition

vManage

NBAR2 Agent

SD-AVCSensor Data

Application Rule

Pack Update

Branch

Cloud onRampfor SaaS

vManage

SD-AVCController

1 Learn O365IP Networks

2 Distribute O365IP Networks

3First-packetmatch O365

4 First-packetsteer O365

cEdge

NBAR2 Agent

Deployment options

Controllers’ Deployment ModelsEnterprise IT

vManage

vSmart vBondPrivateCloud

Deploy

MSP Ops Team

vManage

vSmart vBondMSPCloud

Deploy

Cisco Cloud Ops

vManage

vSmart vBondCiscoCloud

Deploy

ESXi or KVM

Physical Server

vManage vSmart vSmart

VM

Container

vBond

AWS or Azure

vManage vSmart vSmartvBond

On-Premise/SP Hosted Cloud Hosted

VM

Container

Deploying Controllers – Options

Controller Scale

vManage:• Validated Scale: 2,000 Devices per-single instance• Max Production Deployment: 6 vManage instances in a cluster

vSmart:• Validated Scale: 5,400 Connections per-single vSmart• Max Production Deployment: 20 vSmarts

vBond:• Validated Scale: 1,500 Connections per-single vBond• Max Production Deployment: 6 vBonds

SD-WAN Transition Strategy

SD-WAN Fabric Secure Tunnel

MPLS Internet

Non-SDWAN

Non-SDWAN SDWAN

SDWAN

Site B

Site A

Non-SDWAN

Non-SDWAN

Internet

Site B

Site A

MPLS

SDWAN

SDWAN

InternetMPLS

Site B

Site A

SDWAN

SDWAN

SDWAN

SDWAN

INET

MPLS

Site

DataCenter

Network/Headend Redundancy

MPLS

INET

vSmart Controllers

Control

Data

Control Redundancy

VRRP OSPF/BGP

OSPF/BGP

Site Redundancy

INET INETMPLSMPLS

Transport Redundancy

High Availability and Redundancy

Cisco SD-WAN Platform Options

vEdge 2000

10 GbpsModular

vEdge 1000

1 GbpsFixed

vEdge 100

100 Mbps4G LTE & WiFi

Pureplay SD-WAN

20+ Gbps, Modular

vEdge 5000

VirtualizationENCS 5100 ENCS 5400

ISR 1000 ISR 4000 ASR 1000

High-performance

with redundancy

Modular Integrated services

SD-WAN with Services

Next-gen Performance

Flexibility

Public and Private Clouds

Use Cases

Common Enterprise Deployment Use Cases

Critical Application SLA

SD-WAN Security

MultiCloud onRamp for IaaS and SaaS

Zero Touch Provisioning

Regional Deployment

Critical Applications SLA

Sender Receiver

1 2

3 4

5 6

7 8

XOR

1 2

3 4

P

XOR

1 23

4P

FEC HeaderSD-WAN Tunnel

• Protects against packet loss• Protocol (TCP/UDP) agnostic• Supports multiple transports• Can be invoked dynamically

Forward Error Correction (FEC)

1 2

3 4

SD-WAN Tunnel

SD-WAN Tunnel

Sender Receiver1

1

2

2

3

3

4

4

DD

DD

1 2

3 4

• Protects against packet loss• Protocol (TCP/UDP) agnostic• Operates over multiple transports

Packet Duplication

Application AwareRouting

MultiCloud onRamp for IaaS

Remote Site

SD-WANFabric

Branch

Campus

CloudData Center

Compute VPC/VNET

Compute VPC/VNET

Using Marketplace (DIY)

Remote Site

SD-WANFabric

Branch

Campus

CloudData Center

Compute VPCs/VNETs

Gateway VPC/VNET

Fully Automated

MultiCloud onRamp for SaaS

Quality Probing

Remote SiteISP2

ISP1

Loss/Latency

!Regional

Hub/CoLo/DC

Remote Site

SD-WANFabric

ISP1

Loss/Latency

MPLS

ISP2

!

Home/Mobile

Secure Branch - Firewall

Branch/Campus

SD-WAN and APP Firewall/IPS/URL Filtering

Cisco Umbrella

Secure Internet GW

UnifiedAccess

SecurityData Center/Private Cloud

IaaS

Internet/SaaS

Secure Segmentation§ Security Zoning

§ Compliance

§ Guest Wi-Fi

§ Multi-Tenancy

§ Extranet

Full-Mesh Hub-and-Spoke Partial Mesh Point-to-Point

Per-VPN Topology

WAN EdgeVPN 3

VPN 1VPN 2

SD-WANIPSecTunnel

WAN Edge

Branch – SD-WAN Security

CloudApplications

AMP in 2019

VPN1

Direct Cloud Access

GuestEmployee

Use Case:Guest Services

Use Case:Industry Compliance

Use case:Cloud and DIA

VPN2 Data CenterApplications

SD-WAN

vManageDNS/web

layer securityFirewall IPS Firewall IPS Firewall URL Filtering

Control and PolicyElements

* Factory default config

Assumption:• DHCP on Transport Side (WAN)• DNS to resolve devicehelper.cisco.com*

PnP Server

1

2

Full Registration and Configuration

53

4

cEdge

ZTP– New cEdge Appliance

Regional deployment

INETMPLS

Split Zagreb Osijek

INETMPLS INETMPLS

Full/Partial mesh Hub and spoke Full/Partial mesh

Public Internet

Public Internet

Public Internet

Licensing

How to Choose?

Cisco DNA Essentials

Cisco DNA Advantage

Cisco DNA Premier

1

2

3

4

5

Identify license tier

Pick license term

Select bandwidth

Choose on premises or cloud managed

Determine platform for future scale

Delivering Cisco Next Generation SD-WAN with Viptela