
Understanding Cisco’s Next Generation SD-WAN Solution

Danny Blais & Luis Cruz
Network Eng. Consultants, Canada
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Digital Innovation in the Branch & WAN

More apps
• 80% of organizations will primarily use public cloud by 2019
• 20-50% increase in enterprise bandwidth per year through 2018

More devices
• 10B mobile-connected devices by 2019
• 90% growth in mobile devices from 2014-2018

More users
• 73% of revenue is generated in the branch
• Up to 50% annual increase in enterprise bandwidth and video adoption
• 80% of employees and customers are served in branch offices

More threats
• 30B IoT devices connected to the internet by 2020
• 30% of advanced threats will target branch offices by 2016 (up from 5%)
Software Defined WAN
Hybrid WAN Transport

Diagram: the Branch uses MPLS (IP-VPN) and Internet transports, with IPsec securing traffic to the Private Cloud, Virtual Private Cloud and Public Cloud, plus Direct Internet Access

Simplified Management, Operation and Orchestration
• Agnostic WAN Transport
• Efficient and dynamic load sharing
• Application Optimization
• Secure Connectivity
SD-WAN
Business Case

Cost
• Substitute lower cost links or devices for higher cost
• Lower cost of management, troubleshooting
• Leverage Complete Communications for financial analysis

Agility
• Focus on how automation and policy abstraction empower the organization to innovate faster while transforming the customer and workforce experience

Focus
• Provide quantifiable metrics associated with expedited mean time to detection, mean time to innocence and mean time to repair
• Quantify frequency and cost associated with outages

Performance
• Reduce number of outages affecting user performance
• Improve application performance

Security
• Application relevant topologies
• Segmented virtual WANs and security service chains
Why Did Cisco Buy Viptela?
• Cloud-first management with flexible deployment options
• Accelerate key SD-WAN use cases: Cloud-edge and Segmentation
• Sophisticated, but still simple to deploy and operate

Cisco Digital Network Architecture
Complements Cisco’s Enterprise Networks architecture strategy
Better Together
Leading Routing & SD-WAN Platforms + Cloud-managed & Feature-rich SD-WAN

Together, helping businesses and IT to innovate faster, securing and delivering better customer outcomes, while reducing costs and lowering risk

Goal: Building next generation SD-WAN solutions
Choosing the Appropriate SD-WAN Solution

Advanced SD-WAN
• Cloud onRamp
• More than two active transports or active LTE
• Comprehensive WAN connectivity & services
• Complex topologies
• Dynamic path selection
• Custom policies at scale
• Advanced routing & segmentation
• Native dynamic cloud application acceleration

Single Dashboard SD-WAN
• Single pane-of-glass
• Common management for full stack infrastructure across the branch
• Hybrid WAN
• Existing Meraki customers evaluating SD-WAN
• L3 overlay for hub-spoke deployments
• Competitive pricing pressure
• Cloud-managed
• Integrated branch security and network connectivity solution
• Zero touch deployment with templates and easy to use dashboard
Now What About IWAN
• Cisco IWAN has over 200,000 sites deployed or in deployment
• No plans to EOL or EOS – 3+ years of support
• IWAN 2.x & IWAN App support and roadmap will continue as per prior customer commitments
- Direct Cloud Access, Scale Increase, Hardening, MC Placement, APIC behind NAT
Cisco’s New SD-WAN Architecture

Common WAN Topologies
Design and Deployment Considerations
Design Challenges with Growing Needs and New Innovation

Common WAN Topologies
Growing Complexity - Scale, Policy, Segmentation
Complexity Grows with Scale and Changing Business Requirements

Business Driven WAN Infrastructure

Application Policies: Application SLA, Traffic Engineering, Per-Segment Topologies, Secure Perimeter, Cloud Path (IaaS), Cloud Accel (SaaS), Transport Hub
Services Delivery Platform: Routing, Security, Segmentation, QoS, Multicast, Svc Insertion, Survivability
Transport Independent Fabric: Broadband, MPLS, Cellular (Zero Touch, Zero Trust)
Cross-layer: Analytics, Monitoring, Operations
Cisco SD-WAN Solution Overview

Orchestration Plane: vBond
Management Plane (Multi-tenant or Dedicated): vManage, API, vAnalytics
Control Plane (Containers or VMs): vSmart
Data Plane (Physical or Virtual): vEdge at Data Center, Campus, Branch and Home Office, over Internet, MPLS and 4G transports
Orchestration Plane
Cisco vBond
• Orchestrates connectivity between management, control and data plane
• First point of authentication
• Requires public IP Address
• Facilitates NAT traversal
• All other components need to know the vBond IP or DNS information
• Authorizes all control connections (white-list model)
• Distributes list of vSmarts to all vEdges

Diagram: vManage (APIs to 3rd Party Automation and vAnalytics), vBond, vSmart Controllers and vEdge Routers over MPLS, 4G and INET at Cloud, Data Center, Campus, Branch and SOHO sites
Management Plane
Cisco vManage
• Single pane of glass for Day0, Day1 and Day2 operations
• Real time alerting
• Centralized provisioning
• Configuration standardization
• Simplicity of deploying
• Simplicity of change
• Supports: REST API, CLI, Syslog, SNMP, NETCONF

Diagram: vManage (APIs to 3rd Party Automation and vAnalytics), vBond, vSmart Controllers and vEdge Routers over MPLS, 4G and INET at Cloud, Data Center, Campus, Branch and SOHO sites
Control Plane
Cisco vSmart
• Centralized brain of the solution
• Facilitates fabric discovery
• Establishes OMP peering with all vEdges
• Implements control plane policies, such as service chaining, traffic engineering and per VPN topology
• Dramatically reduces complexity of the entire network
• Distributes connectivity information between vEdges
• Orchestrates secure data plane connectivity between vEdges

Diagram: vManage (APIs to 3rd Party Automation and vAnalytics), vBond, vSmart Controllers and vEdge Routers over MPLS, 4G and INET at Cloud, Data Center, Campus, Branch and SOHO sites
Overlay Management Protocol (OMP)
Unified Control Plane
• Runs on top of TCP, extensible control plane protocol
• Runs between vEdge routers and vSmart controllers and between the vSmart controllers
- Inside TLS/DTLS connections
• Advertises control plane context

Diagram: vSmart controllers peer with each other and with every vEdge
Note: vEdge routers need no control connections amongst them
Data Plane
Physical/Virtual
Cisco vEdge
• WAN edge router
• Provides secure data plane with remote vEdge routers
• Establishes secure control plane with vSmart controllers (OMP)
• Implements data plane and application aware routing policies
• Exports performance statistics
• Leverages traditional routing protocols like OSPF and BGP
• Layer 2 redundancy: VRRP
• Supports Zero Touch Deployment
• Physical or Virtual form factor (100Mb, 1Gb, 10Gb)

Diagram: vManage (APIs to 3rd Party Automation and vAnalytics), vBond, vSmart Controllers and vEdge Routers over MPLS, 4G and INET at Cloud, Data Center, Campus, Branch and SOHO sites
Cisco SD-WAN Solution

Secure Segmentation
End-to-End Segmentation

Diagram: on the Ingress vEdge each Interface or VLAN is mapped into VPN 1, VPN 2 or VPN 3; the VPNs are carried across the SD-WAN IPSec Tunnel and mapped back to Interfaces and VLANs on the Egress vEdge

Packet format (header sizes in bytes): IP (20) | UDP (8) | ESP (36) | VPN label (4) | Data (…)

• Segment connectivity across fabric w/o reliance on underlay transport
• vEdge routers maintain per-VPN routing table
• Labels are used to identify VPN for destination route lookup
• Interfaces and sub-interfaces (802.1Q tags) are mapped into VPNs
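The label-based segmentation above, as an added illustration that is not code from the deck or from Cisco: it builds an overlay packet with the header sizes shown on the slide, maps an 802.1Q tag to a VPN on ingress, and on egress uses the 4-byte label (not the destination address) to choose the per-VPN routing table. The VLAN-to-VPN mapping, the prefixes and the zero-filled IP/UDP/ESP regions are constructed placeholders.

```python
import ipaddress
import struct

# Header sizes from the slide: IP (20) | UDP (8) | ESP (36) | VPN label (4) | Data.
IP_HDR, UDP_HDR, ESP_HDR, LABEL_LEN = 20, 8, 36, 4
OVERHEAD = IP_HDR + UDP_HDR + ESP_HDR + LABEL_LEN  # 68 bytes per overlay packet

# Constructed ingress mapping (assumed values): 802.1Q VLAN tag -> VPN id.
VLAN_TO_VPN = {10: 1, 20: 2, 30: 3}

# Constructed per-VPN routing tables on the egress vEdge (assumed prefixes).
# VPN 1 and VPN 2 deliberately share 10.1.0.0/16: the label, not the destination
# address alone, decides which table is consulted.
VPN_ROUTES = {
    1: {"10.1.0.0/16": "site-A-lan", "0.0.0.0/0": "vpn1-default"},
    2: {"10.1.0.0/16": "site-B-lan", "10.1.5.0/24": "site-B-dmz"},
    3: {"192.168.0.0/16": "partner"},
}


def encapsulate(vlan: int, dst_ip: str, payload: bytes) -> bytes:
    """Ingress vEdge: map the 802.1Q tag to a VPN and build the overlay packet.
    The IP, UDP and ESP regions are zero-filled placeholders of the sizes on the
    slide (real ESP encrypts everything after it); the inner packet is reduced
    to its 4-byte destination address followed by the payload."""
    vpn = VLAN_TO_VPN[vlan]  # KeyError for an unmapped VLAN: nothing is forwarded
    label = struct.pack("!I", vpn)
    inner_dst = ipaddress.IPv4Address(dst_ip).packed
    return bytes(IP_HDR + UDP_HDR + ESP_HDR) + label + inner_dst + payload


def decapsulate(pkt: bytes):
    """Egress vEdge: read the 4-byte VPN label that follows the 36-byte ESP
    region, then the inner destination address and payload."""
    off = IP_HDR + UDP_HDR + ESP_HDR
    vpn = struct.unpack("!I", pkt[off:off + LABEL_LEN])[0]
    off += LABEL_LEN
    inner_dst = str(ipaddress.IPv4Address(pkt[off:off + 4]))
    return vpn, inner_dst, pkt[off + 4:]


def lookup(vpn: int, dst_ip: str):
    """Longest-prefix match restricted to the labelled VPN's own table; an
    unknown label has no table, so the packet is dropped (None)."""
    table = VPN_ROUTES.get(vpn)
    if table is None:
        return None
    addr = ipaddress.IPv4Address(dst_ip)
    best = None
    for prefix, next_hop in table.items():
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def forward(vlan: int, dst_ip: str, payload: bytes = b"x"):
    """Ingress encapsulation, egress decapsulation and per-VPN route lookup."""
    vpn, inner_dst, _ = decapsulate(encapsulate(vlan, dst_ip, payload))
    return vpn, lookup(vpn, inner_dst)
```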
Application Aware Topologies
Arbitrary VPN Topologies

VPN1: Full-Mesh – Unified Communications
VPN2: Hub-and-Spoke – Security Compliance
VPN3: Partial Mesh – Regional Services
VPN4: Point-to-Point – Partner Connectivity

• Leverage control policies to influence per-VPN topology
Cloud onRamp for SaaS
SaaS Optimization

Diagram: a Remote Site with ISP1 and ISP2 links, a Regional Hub and a Data Center on MPLS across the SD-WAN Fabric; Loss/Latency probes on each candidate path flag the degraded one
Application Quality Probing
L4-L7 Service Insertion
Regional Secure Perimeter
• Can chain numerous L4-L7 services

Diagram: vSmart receives the L4-L7 Service Advertisement from the FW at the Regional Hub and sends the Policy Advertisement*; VPN1 traffic from the Remote Office to the Data Center over MPLS, INET or 4G follows the Traffic Path through the firewall (Control Plane and Traffic Path shown separately)

* For data policy only. Control policy enforced on vSmart.
Embedded Application Recognition
Deep Packet Inspection

Diagram: Deep Packet Inspection Engine on the vEdge Router recognizing App 1 … App 3,000 for Cloud, Data Center, Small Office, Home Office, Campus and Branch sites over MPLS, INET and 3G/4G

Primary Use Cases:
- Application Visibility
- Application Firewall
- Traffic Prioritization
- Transport Selection
- Analytics
Application and Performance Visibility
Deep Packet Inspection
• Embedded Deep Packet Inspection engine
• Application and flow level visibility for the fabric and individual vEdge routers
• Centralized statistics and performance
• Export flow level data (IPFIX) to external collector
Policy Driven WAN Infrastructure
Policy Augmented Dynamic Routing

1 vManage GUI – Policy Orchestration
- App-Route Policy: App-Aware SLA-based Routing
- Data Policy: Extensive Policy-based Routing and Services
- Control Policy: Routing and Services
- Combine and Apply per Site

2 vSmart controller – Policy Enforcement/Advertisement
- Execute Control Policy
- Advertise AAR/Data Policies to Sites

3 vEdge WAN router (Access Layer, Branch/DC)
- Execute AAR and Data Policy as received
- Dynamic Routing and Policies Combine to dictate behavior
A Flexible Model for Applications Over the WAN

Per-Session Loadsharing: Active/Active
Per-Session Weighted: Active/Active
Application Pinning: Active/Standby
Application Aware Routing: SLA Compliant

Diagram: Hierarchical Multihop Fabric (through the Core) and Single-hop Fabric, with SLA measured on the paths
Critical Applications SLA
Path Quality Detection Routing
• Enforce SLA compliant path for applications of interest
• Other applications will follow fabric routing across all paths

App Aware Routing Policy (vManage, vSmart Controllers):
App A path must have:
- latency < 150ms
- loss < 2%
- jitter < 10ms

Diagram: vEdge1 and vEdge2 connected by IPSec Tunnels over Internet, MPLS (Path 2, carrying App A) and 4G LTE; Control Plane via the vSmart Controllers
Path1: 10ms, 0% loss, 5ms latency
Path2: 200ms, 3% loss, 10ms latency
Path3: 140ms, 1% loss, 10ms latency
Protecting Critical Applications While Increasing Link Efficiency

Business App and Load-Balancing Policy (MPLS + Internet)
• Protect transactional business app from brownouts (High Delay Detected)
- Latency < 150 ms
- delay < 250ms
- Jitter < 20 ms
- Preferred path MPLS
• Protect Email applications from WAN congestion
- Loss < 5%
• Increase WAN bandwidth efficiency by load-sharing traffic over all WAN paths, MPLS + Internet
• Increase utilization by load sharing
• Best-Effort Traffic

Multimedia and Critical Data Policy (MPLS + Internet)
• Protect voice and video quality (High Jitter Detected)
• Voice and video preferred path SP1
• Email preferred path ISP
• Best-Effort Traffic
Application Optimization
TCP Performance Optimization

Diagram: Users – vEdge – SD-WAN Fabric (High Latency Path) – vEdge – Servers; the end hosts see ordinary TCP Connections while the vEdge-to-vEdge leg runs Optimized TCP Connections (Cubic)

• High latency path between users and servers, i.e. geo-distances
• vEdge routers terminate TCP sessions and provide local acknowledgements to prevent TCP windowing from reacting
• Selective acknowledgements prevent unnecessary retransmit of the successfully received segments
• Hosts using old TCP/IP stacks will see the most benefit
Cisco SD-WAN
Management and Operation

Zero Touch Provisioning
Plug-n-Play vEdge Secure Bring-up (Zero Trust)

Administrator: loads the vEdge List (White-List) and the vEdge Configuration Template into vManage
Installer: provides Network and Power only
Diagram: the vEdge, with its Identity held in the TPM (X.509), obtains DHCP, reaches the ZTP Server and establishes Identity and Trust with vBond and vSmart
Template-Based Configurations
Centralized Device Configuration Enforcement
• Templates are attached to provisioned vEdge routers
• Variables are used for rapid bulk configuration rollout with unique per-device settings
• Local configuration changes are not allowed
- Prevents configuration drift
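An added example of the template model above, not code from the deck or from vManage: one template with per-device variables is rendered for a fleet, and a drift check reports any line on which a router's running config departs from its rendered template. The template text, the {{name}} variable syntax and the device values are constructed.

```python
import re
from typing import Dict, List

# Constructed vEdge-style device template (assumed syntax). {{name}} marks a
# per-device variable; every other line is enforced identically on all devices.
TEMPLATE = """\
system
 host-name {{host_name}}
 site-id {{site_id}}
 system-ip {{system_ip}}
vpn 0
 interface ge0/0
  ip address {{wan_ip}}
  tunnel-interface
"""

VAR_RE = re.compile(r"\{\{(\w+)\}\}")


def render(template: str, variables: Dict[str, str]) -> str:
    """Substitute one device's variables; refuse to render when a placeholder
    has no value, so a half-filled config is never attached to a router."""
    missing = sorted(set(VAR_RE.findall(template)) - set(variables))
    if missing:
        raise ValueError(f"unset template variables: {missing}")
    return VAR_RE.sub(lambda m: variables[m.group(1)], template)


def bulk_render(template: str, devices: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Rapid bulk rollout: one template, one variable set per vEdge."""
    return {name: render(template, variables) for name, variables in devices.items()}


def drift(expected: str, running: str) -> List[str]:
    """Lines on which a running config departs from its rendered template:
    '-' lines are expected but absent, '+' lines are present but not in the
    template. Any output is a local change, which the template model forbids."""
    exp = {line.rstrip() for line in expected.splitlines() if line.strip()}
    run = {line.rstrip() for line in running.splitlines() if line.strip()}
    return sorted("- " + l for l in exp - run) + sorted("+ " + l for l in run - exp)


# Constructed per-device variable sets (assumed values).
DEVICES = {
    "branch-01": {"host_name": "branch-01", "site_id": "101",
                  "system_ip": "10.255.0.1", "wan_ip": "203.0.113.10/30"},
    "branch-02": {"host_name": "branch-02", "site_id": "102",
                  "system_ip": "10.255.0.2", "wan_ip": "198.51.100.6/30"},
}


def check_fleet(running: Dict[str, str]) -> Dict[str, List[str]]:
    """Render every device from the template and report those that drifted."""
    report = {}
    for name, cfg in bulk_render(TEMPLATE, DEVICES).items():
        delta = drift(cfg, running.get(name, ""))
        if delta:
            report[name] = delta
    return report
```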
Single Pane of Glass Operations
vManage GUI
• Intuitive GUI driven operations
- Management, monitoring and troubleshooting
• Cloud Delivered
- Private, hosted or managed
• Single or Multi-tenant
• Role-based Access Control
• Clustered for scale and high availability
• REST APIs based
vAnalytics Dashboard

Cisco SD-WAN Elements

Summary: Solution Elements
Orchestration, Control, Data and Management Planes

Orchestration Plane – Cisco vBond
• Orchestrates control and management plane
• First point of authentication (white-list model)
• Distributes list of vSmarts/vManage to all vEdge routers
• Facilitates NAT traversal
• Requires public IP Address [could sit behind 1:1 NAT]
• Highly resilient

Management Plane – Cisco vManage
• Single pane of glass for Day0, Day1 and Day2 operations
• Centralized provisioning
• Policies and Templates
• Troubleshooting and Monitoring
• Software upgrades
• GUI with RBAC
• Programmatic interfaces (REST, NETCONF)
• NMS interfaces (SNMP, Syslog, IPFIX)

Control Plane – Cisco vSmart
• Facilitates fabric discovery
• Disseminates control plane information between vEdges
• Distributes data plane and app-aware routing policies to the vEdge routers (OMP)
• Implements control plane policies, such as service chaining, multi-topology and multi-hop
• Dramatically reduces control plane complexity
• Highly resilient

Data Plane (Physical/Virtual) – Cisco vEdge
• WAN edge router
• Provides secure data plane with remote vEdge routers
• Establishes secure control plane with vSmart controllers
• Implements data plane policies
• Exports performance statistics
• Leverages traditional routing protocols like OSPF, BGP and VRRP
• Supports Zero Touch Deployment
• Physical or Virtual form factor (100Mb, 1Gb, 10Gb)
Cisco vEdge Routers Portfolio
Branch/SOHO/SMB (100Mb): vEdge 100 family
Branch/Campus (1Gb): vEdge 1000
Campus/Data Center (10Gb): vEdge 2000
Campus/Data Center (20Gb+): vEdge 5000
NFV, vCPE (N x cores): vEdge Cloud on Greybox or Whitebox
IaaS & Cloud Interconnect (N x cores): vEdge Cloud
vEdge Cloud Virtual Routers
Virtualized Branch or Cloud

On-Premise: vEdge Cloud VMs on ESXi or KVM on a Physical Server
Hosted: vEdge Cloud VMs on AWS or Azure

VM Throughput:
- 2x vCPU: 500Mb/s
- 4x vCPU: 1Gb/s
- 8x vCPU: 1.5Gb/s
Controllers
Cloud or On-Premise Delivered

On-Premise: vBond*, vManage, vSmart, vSmart as VMs or vContainers on ESXi or KVM on a Physical Server
Hosted: vBond, vManage, vSmart, vSmart as VMs or vContainers on AWS or Azure

* Can be deployed as physical vEdge appliance
Cisco SD-WAN Scale

Scalability
Orchestration/Control/Management Plane

Orchestration Plane (vBond)
- 2000 vEdges per vBond
- Redundancy: Add 1-2 vBonds
- Horizontal Scale out Model

Management Plane (vManage, Multi-tenant or Dedicated)
- 2700 vEdges per vManage
- Horizontal Scale out Model in cluster mode (same DC)

Control Plane (vSmart, Containers or VMs)
- 2700 vEdges per vSmart
- Redundancy: Add 1-2 vSmarts
- Horizontal Scale out Model

Diagram: Data Center, Campus, Branch and Home Office sites over 4G/LTE, Internet and MPLS
Scalability
Data Plane and IPsec

IPSec Tunnels:
- vEdge100 (Dual LTE variant): 250
- vEdge1000: 1500
- vEdge2000: 6000

Max aggregated throughput:
- vEdge-100 – 100MB AES-256 full duplex
- vEdge-1000 – 1GB AES-256 full duplex
- vEdge-2000 – 10GB AES-256 full duplex

Max number of concurrent VPNs: 64 [vpn 0 and vpn 512 included]

Overlay tunnels are static based on policy. Not dynamically generated on-demand.
Viptela Integration Plan

Viptela Integration Plan

Phase 1 – No Integration
Deployment Scenarios: vManage; vEdge
Benefits: Support current Viptela customers
Details:
- Platform: As-is
- Management: vManage

Phase 2 – Platform Integration
Deployment Scenarios: vManage; vEdge, ISR4K + vEdge SW
Benefits: Viptela SD-WAN on strategic ISR platform
Details:
- Platform: vEdge capabilities integrated into all IOS-XE platforms (ISR, CSR, ENCS, ASR1K)
- Management: vManage for SD-WAN capabilities on IOS-XE

Phase 3 – Management Integration
Deployment Scenarios: DNA Center + SD-WAN; vEdge, ISR4K + vEdge SW
Benefits: Deliver end-to-end experience with full DNA integration
Details:
- Management: Cloud hosted DNA Center integrates vManage capabilities
- Full DNA Center capabilities (Assurance, Integrated workflows for SD-Access and SD-WAN)
High-level Feature Integration Plan

Existing Viptela Capabilities
• Day 0, Workflows (User Configuration, System setup, Segmentation Setup)
• Day 1, Control phase setup (ZTP, Templates), Segmentation, DC routing, Topologies
• Day N, Application Policy, QoS, DIA, Cloud Express, Monitoring & Troubleshooting, Upgrade Options

Existing IOS-XE Capabilities
• Platform & Interfaces: ASR1K, CSR, ISR4K, T1/E1, FXS/FXO etc
• Security & Services: ZBF, Umbrella, WAAS, UC, etc
• Advanced Capabilities: QoS, BGP etc.
SD-WAN Evolution

Leapfrog With Arch Evolution
- 6-12 months Target: Analytics; SDWAN + SDA
- 12-24 months Planning: EN wide Multi-cloud connect
- DNA Center + SD-WAN

Innovate With Portfolio
- Voice, App acceleration
- Platform diversity
- Appliance security: ZBF, URL filtering, IPS/IDS
- SAE

Core SDWAN
- Security Integration (Umbrella + CloudLock, ISE)
- MSP NaaS Quick Deploy
- Application QoE
- TestDrive
- NaaS P2
- Analytics
- One-click Easy Troubleshooting & Ops Visibility
- Cloud Networking
- VDI Acceleration
- Scale cloud-ops
SD-WAN Fabric Integration with DNA

Diagram: Users, Devices and Things enter through the SDA Fabric (branch & campus), cross the SDWAN Fabric and reach the DC (ACI Fabric), IoT, Cloud, vDC, IaaS and SaaS APPs, with Cloud Delivered Analytics across the whole path; SECURE, SCALE, OPEN

End-to-end Context
• User / Device Identity, network-wide
• Policy abstraction at User / Group and Application levels
• Policy at Fabric Edge. Over-the-top.
• Increased Simplicity. Seamless Mobility.
Key Takeaways
• Cisco is the market and technology leader in SD-WAN, combining the flexibility of Viptela, Meraki, and ISR IOS-XE
• Cisco’s SD-WAN solution (Viptela) is both a cloud and on-prem (hardware) based solution, offering unmatched capabilities
• Cisco will merge the Viptela and IOS-XE capabilities into a common ISR 4K-based platform, but the complementary Viptela core products are here to stay in the foreseeable future

Thank you.
