
BRKRST-2558

Cisco SD-WAN as a Managed Service

Jean-Marc Barozet – Principal Engineer


Cisco Webex Teams

Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

cs.co/ciscolivebot#BRKRST-2558

BRKRST-2558 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco SD-WAN as a Managed Service
• Introduction
• SD-WAN as a Service – Benefits
• Cisco SD-WAN Technology Quick Overview
• MSP SD-WAN Controllers Deployment Options
• WAN Edge On-Boarding – Appliances, Universal CPE, VNFs
• SD-WAN gateways, Large Scale, Multiple Domains
• Orchestration for MSPs
• Conclusion

Introduction
Network Transformation
Hardware Centric -> Software Driven
Manual -> Automated
Closed -> Programmable
Reactive -> Predictive
Network Intent -> Business Intent

CLOUD & ON-PREM: Hosted, delivered, managed
AUTOMATION & SCALE: Speed, flexible, zero-touch, policy driven
SECURITY & COMPLIANCE: Segmentation, threat mitigation
ASSURANCE & ANALYTICS: Users, applications, devices
Applications Moving to Not One Cloud, But Many
(Diagram: Devices & Things, Campus & Branch Users and Mobile Users connect over the WAN to the DC/Private Cloud, SaaS and IaaS.)
Internet connectivity becomes business critical
More users, things and applications, everywhere
Network-as-a-Service: SD-WAN Offering
(Diagram: users, devices and things at customer sites reach the MSP DC, MSP shared services, SaaS and IaaS over Internet, 4G/LTE and 3rd party transports.)
0 Transport Independent WAN Fabric
1 End-point flexibility: Gray, White or Black box (3rd party or x86)
2 SD-WAN Controllers: Cloud Delivered Controllers, Orchestration with vManage, MSX/NSO, Enhanced Analytics with vAnalytics
3 MSX / NSO in the MSP DC (NFVI, MSP Shared Services)
4 Business VPN, Cloud Apps, SaaS
5 VPC/VNET Gateways (IaaS), SD-WAN gateway
Deployed Use Cases - Sample

Critical Applications SLA
• Each vEdge router continuously monitors path performance and adjusts forwarding
• Configurable probing intervals
• App Aware Routing Policy: App A path must have Latency ≤ 150ms, Loss ≤ 2%, Jitter ≤ 10ms
• Example paths between Remote Site and Data Center (Internet, MPLS, 4G LTE):
  - Path1: 10ms, 0% loss, 5ms jitter
  - Path2: 200ms, 3% loss, 10ms jitter
  - Path3: 140ms, 1% loss, 10ms jitter

Bandwidth Augmentation
• Augment MPLS with Internet bandwidth
• Create traffic engineering policy to steer application traffic
• Active/Active if no policy
• Traffic Engineering Policy (data policy): App A -> MPLS TLOC, App B -> Internet TLOC

Secure Segmentation
• Complete isolation in the control and data plane
• Not all VPNs have to be present everywhere
• Policies are VPN-aware
• Configuration Templates assign interfaces and sub-interfaces to respective VPNs, e.g. ge0/2 -> VPN1, ge0/2.1 -> VPN1, ge0/2.2 -> VPN2, ge0/2.3 -> VPN3, ge0/3.2 -> VPN2, ge0/3.3 -> VPN3
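The app-aware routing check from the Critical Applications SLA use case, as an added example (not code from the deck): it evaluates the three measured paths against App A's thresholds; the TLOC colours attached to the paths and the non-strict fallback are assumptions for the example.

```python
"""App-aware routing: evaluate measured paths against an SLA class.

Added example, not code from the deck. It uses the 'Critical Applications
SLA' numbers from the slide: App A requires latency <= 150 ms, loss <= 2 %
and jitter <= 10 ms, and three measured paths (Path1/2/3). The TLOC colours
attached to the paths are constructed for the example.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class SlaClass:
    """Inclusive thresholds a path must satisfy for an application."""
    name: str
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float


@dataclass(frozen=True)
class PathStats:
    """Averaged probe results for one SD-WAN tunnel (local TLOC -> remote TLOC)."""
    path: str
    color: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float


def sla_violations(stats: PathStats, sla: SlaClass) -> List[str]:
    """Return the thresholds this path breaks (empty list = compliant)."""
    failed = []
    if stats.latency_ms > sla.max_latency_ms:
        failed.append(f"latency {stats.latency_ms}ms > {sla.max_latency_ms}ms")
    if stats.loss_pct > sla.max_loss_pct:
        failed.append(f"loss {stats.loss_pct}% > {sla.max_loss_pct}%")
    if stats.jitter_ms > sla.max_jitter_ms:
        failed.append(f"jitter {stats.jitter_ms}ms > {sla.max_jitter_ms}ms")
    return failed


def meets_sla(stats: PathStats, sla: SlaClass) -> bool:
    return not sla_violations(stats, sla)


def select_paths(paths: List[PathStats], sla: SlaClass,
                 strict: bool = False) -> List[PathStats]:
    """Paths the router may forward this application over.

    Compliant paths are used active/active, as the slide describes. If no
    path meets the SLA, the non-strict behaviour assumed here keeps
    forwarding over every path; strict mode returns none (traffic dropped).
    """
    compliant = [p for p in paths if meets_sla(p, sla)]
    if compliant:
        return compliant
    return [] if strict else list(paths)


# Constructed sample: the three paths from the slide; colours are assumed.
APP_A_SLA = SlaClass("App A", max_latency_ms=150, max_loss_pct=2, max_jitter_ms=10)
PATHS = [
    PathStats("Path1", "mpls", latency_ms=10, loss_pct=0, jitter_ms=5),
    PathStats("Path2", "public-internet", latency_ms=200, loss_pct=3, jitter_ms=10),
    PathStats("Path3", "lte", latency_ms=140, loss_pct=1, jitter_ms=10),
]


def eligible_path_names(paths=PATHS, sla=APP_A_SLA, strict=False) -> List[str]:
    """Names of the paths select_paths() keeps for the given SLA class."""
    return [p.path for p in select_paths(paths, sla, strict)]


if __name__ == "__main__":
    for p in PATHS:
        reasons = sla_violations(p, APP_A_SLA)
        print(p.path, "OK" if not reasons else "; ".join(reasons))
    print("eligible:", eligible_path_names())
```

Path3 is kept because every threshold is inclusive (jitter 10ms meets ≤ 10ms), while Path2 fails on both latency and loss.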

Regional Secure Perimeter
• Firewall service is advertised into the VPN of choice from regional hub
• Control (or data) policy is used to steer the traffic of interest from remote site through Firewall
• Service Insertion Policy (control policy): App A -> Route, App B -> FW Service
• Resulting OMP routes: App A -> NH Remote Site, LBL VPN1; App A -> NH DC, LBL VPN1; App B -> NH RegHub, LBL FW

Guest WiFi
• Guest WiFi traffic is segmented off. Guest WiFi VPN is not carried over the fabric.
• Guest WiFi Configuration Templates
• Support both simple DIA and DIA through Cloud Security (data policy: App A -> DIA)

DIA & DCA
• DNS-based security
• Overrides client DNS settings
• Configure DNS server in service side VPN and activate DPI (DNS Server -> OpenDNS)
Connectivity and Overlay
End-to-end SD-WAN with APP level SLA
• Transports (MPLS, Internet, 4G LTE) managed by the SD-WAN MSP, but some/all could also be from another SP(s)
Business VPN Extension over Last Mile
• Hosted MPLS Extension Services over the last mile (MSP MPLS backbone, with Internet or 4G LTE to the site)
• Expand Business VPN service over the last mile; MSP may not own the transport
Managed Security
• Hosted On-Prem or Cloud Security Features hosted in the SP Core/CNF (Managed Firewall, IPS/IDS, etc)
• Managed Firewall (On-Prem or Cloud/CNF) sits between Sites, the Private IP Data Center, Internet and Cloud
• Cloud Security for DIA with Cisco Umbrella
Cloud Networking-aaS with SLA (IaaS and SaaS)

One Click Cloud Networking (IaaS) – Branch to Public Cloud
(Diagram: branch with Private IP and Internet transports; Hosted Network Services (MSP Cloud Platform); Transit VPC (owned & managed by MSP) with Private and Regional Gateways; Secure Cloud Interconnect / NetBond; Application VPC (owned & managed by customer).)
• E2E SD-WAN connectivity to business applications in public cloud
• Transport diversity & app aware routing (PIP & Inet) at branch & public cloud
• Secure private connection to public cloud

SD-WAN Optimized access to SaaS
(Diagram: critical SaaS traffic over Private IP or Internet via Netbond/Secure Cloud Interconnect; non-critical SaaS traffic via Direct Internet Access / Local Breakout; hybrid access to SaaS with application optimization.)
• Enabling optimal Cloud OnRamp for optimal user experience
• SP provided interconnect
• Direct peering with SaaS/Cloud providers
Cisco SD-WAN Technology Overview

Cisco SD-WAN Solution Roles and Responsibilities

Orchestration Plane (vBond)
• First point of authentication
• Distributes list of vSmarts/vManage to all vEdge routers
• Facilitates NAT traversal

Management Plane (vManage, vAnalytics, APIs for 3rd Party Automation)
• Single pane of glass for Day0, Day1 and Day2 operations
• Multitenant or single-tenant
• Centralized provisioning, troubleshooting and monitoring
• RBAC and APIs

Control Plane (vSmart Controllers)
• Disseminates control plane information between vEdges
• Distributes data plane policies
• Implements control plane policies

Data Plane (vEdge Routers over 4G, MPLS, INET; deployed in Cloud, Data Center, Campus, Branch, CoLo)
• Physical or virtual
• Zero Touch Provisioning
• Establishes secure fabric
• Implements data plane policies
• Exports performance statistics
Control Plane Sessions - Summary
• Secure Channel to SD-WAN Controllers (vSmart, vBond, vManage)
• Single extensible control plane
• Operates over DTLS/TLS authenticated and secured tunnels
• OMP - between vEdge routers and vSmart controllers and between the vSmart controllers
• NETCONF – Provisioning from vManage
Session types shown in the diagram (vManage, vBond, vSmart1, vSmart2, WAN Edges):
- Controllers to vBond: DTLS only, permanent, multiple sessions
- Between controllers and from vManage to WAN Edge: DTLS or TLS, OMP / NETCONF, permanent, single session
- WAN Edge to vSmart: DTLS or TLS, OMP, permanent, 1 session / vSmart / TLOC
- WAN Edge to vBond: DTLS only, temporary
- WAN Edge to WAN Edge: IPSec
Control Plane - Overlay Management Protocol (OMP)
OMP between vEdge and vSmart carries three route types:
• TLOC Routes (attributes): Site-ID, System-IP, Encap-Auth, Public IP/Port, Private IP/Port, Tag, Preference, Weight; one per TLOC (MPLS, INET)
• OMP Routes (attributes): TLOC, Label, VPN-ID, Tag, Preference, Origin Protocol (Connected, Static, Dynamic OSPF/BGP), Origin Metric; learned from the service side network
• Service Routes (attributes): VPN-ID, Service-ID, Label, TLOC; advertise an L4-L7 service node
Data Plane Establishment
• Control Plane channel to vSmarts
• TLOCs advertised to vSmarts in TLOC routes via OMP Update (local TLOCs: System IP, Color, Encap, Pub IP/Port, Priv IP/Port)
• vSmarts advertise TLOCs to vEdges in TLOC routes (OMP Update, after Policies)
• SD-WAN Fabric with TLOCs as tunnel endpoints (WAN Edge A, B, C each with TLOCs 1 and 2 on INET and MPLS, carrying VPN1 and VPN2)
Data Plane - Color Influence
(Diagram: MSP datacenter behind NAT, WAN Edges on MPLS and INET; Private IP/Port = Private color, Public IP/Port = Public color.)
• Colors influence the data plane endpoint selection to ensure the most optimal connectivity
• Domain w/o NAT should use Private endpoints; with NAT, use Public endpoints
• MPLS uses Private Color, Internet uses Public Color
• Connectivity optimized within and across domains
Application Quality of Experience
Packet processing on the vEdge from Ingress Interface to Egress Interface:
• Classification (DSCP) and Deep Packet Inspection
• Queuing (Q0 to Q7 per Egress Interface)
• Shaping/Policing: Token Bucket (Rate, Tokens, Conforming), Marking, Default Behavior
• ACL/Data Policy re-write rules (modify DSCP)
Visibility and SLA Routing: App 1, App 2 ... App 3,000 steered between Remote Site and Data Center over Internet, MPLS and 4G/LTE.
Device Configuration
vManage pushes device configuration to vSmart and to the WAN Edge over DTLS using NETCONF and YANG models.
Policy Framework
vManage provisions policies over DTLS / NETCONF / YANG:
• Centralized Policies (on vSmart)
  - Centralized Control Policy (Fabric Routing)
  - Centralized Data Policy (Fabric Data Plane)
  - Centralized App-Aware Policy (Application SLA)
• Localized Policies (on WAN Edge)
  - Local Control Policy (OSPF/BGP)
  - Local Data Policy (QoS/Mirror/ACL)
MSP SD-WAN Controllers Deployment

MSP Deploying Controllers – Options
• On-Premise/SP Hosted: vBond, vManage, vSmart as VMs on ESXi or KVM on Physical Servers
• Cloud Hosted: vBond, vManage, vSmart on AWS or Azure (VM or Container)
Multi Tenancy
(Diagram: Tenants A and B, each with VPN1/VPN2/VPN3, over MPLS, 4G and INET.)
• Dedicated (No) Tenancy: Tenant A and Tenant B each have their own controllers and fabric (A, B)
• VPN Tenancy: Tenants A and B share controllers and fabric (A+B) and are separated by VPN (Tenant A in VPN1, Tenant B in VPN2)
• Enterprise Tenancy: Tenants A and B share the Control Plane while each keeps its own VPN1/VPN2/VPN3 segmentation
vManage, vBond, vSmart
• Virtual machines running on KVM, VMware ESXi, AWS, Azure
• Separate interfaces for control and management
• Separate VPNs for control and management
  - Management Subnet / VPN 512
  - WAN Subnet / VPN 0
  - Zone-based security
(Platforms: ESXi, OpenStack, KVM, AWS, MS Azure)
Scaling and High Availability
• vBond: Active / Active
• vSmart: Active / Active
• vManage: Active Cluster with DB Replication to a Standby Cluster
OPTION 1

Option1 - Public Cloud Hosted Deployment
Controllers sit behind 1:1 NAT with Public IPs. Two underlay cases for Control and Data Plane Establishment:
• Interconnected data plane – Contiguous connectivity between MPLS and INET
• Separate underlays – Disjointed connectivity between MPLS and INET
OPTION 2

Option2 - SP Hosted Deployment
Control on MPLS/INET – Public IP Addresses
(vBond, vSmart, vManage in a DMZ with NAT 1:1; Private IP/Port = Private color, Public IP/Port = Public color)
• (1) (2) vSmart and vManage point to the vBond IP address
  - NATed public IP address
• (3) vBond learns interface private and NATed public IP address of vSmart and vManage
  - Private is pre-NAT, public is post-NAT
• (4) vSmart and vManage use NATed public IP addresses for communication
OPTION 2

SP Hosted Deployment – Control on MPLS/INET
• (1) vBond/vSmart/vManage NATed public IP addresses are advertised into MPLS
• (2) WAN Edge points to the NATed vBond public IP address
• (3) WAN Edge communicates with vSmart and vManage using NATed public IP address
  - Private color to public color uses public IP address, public color to public color uses public IP address
  - vBond NATed public IP address is reachable through MPLS and Internet transports
(Legend: Private IP/Port = Private color, Public IP/Port = Public color)
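The endpoint-selection rule stated on the Color Influence slide, on this SP Hosted slide and on the Public and Private Colors backup slide, as an added example (not code from the deck): the colour lists are the standard Cisco SD-WAN colour names, and the TLOC addresses are constructed.

```python
"""Private vs public TLOC colours: which endpoint a tunnel is built to.

Added example, not code from the deck. It encodes the rule on the slides:
private colour to private colour uses the remote private (pre-NAT) IP/port;
any pair that involves a public colour uses the remote public (post-NAT)
IP/port. vBond learns both addresses for every TLOC, so both are carried.
Colour names are the standard Cisco SD-WAN ones; TLOC values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PRIVATE_COLORS = {"mpls", "metro-ethernet", "private1", "private2",
                  "private3", "private4", "private5", "private6"}
PUBLIC_COLORS = {"default", "public-internet", "biz-internet", "lte", "3g",
                 "gold", "silver", "bronze", "blue", "green", "red",
                 "custom1", "custom2", "custom3"}


@dataclass(frozen=True)
class Tloc:
    """Transport location as learned by vBond: pre-NAT and post-NAT addresses."""
    system_ip: str
    color: str
    private_ip: str
    private_port: int
    public_ip: str
    public_port: int

    def __post_init__(self) -> None:
        if self.color not in PRIVATE_COLORS | PUBLIC_COLORS:
            raise ValueError(f"unknown color {self.color!r}")

    @property
    def behind_nat(self) -> bool:
        # A 1:1 NAT in the DMZ makes the post-NAT address differ from the pre-NAT one.
        return (self.private_ip, self.private_port) != (self.public_ip, self.public_port)


def is_private_color(color: str) -> bool:
    return color in PRIVATE_COLORS


def endpoint_kind(local: Tloc, remote: Tloc) -> str:
    """'private' only when both colours are private, otherwise 'public'."""
    if is_private_color(local.color) and is_private_color(remote.color):
        return "private"
    return "public"


def tunnel_endpoint(local: Tloc, remote: Tloc) -> Tuple[str, int]:
    """Address (ip, port) that `local` sends IPSec/BFD to in order to reach `remote`."""
    if endpoint_kind(local, remote) == "private":
        return remote.private_ip, remote.private_port
    return remote.public_ip, remote.public_port


def tunnel_plan(local_tlocs: List[Tloc], remote_tlocs: List[Tloc]) -> Dict[Tuple[str, str], Tuple[str, int]]:
    """Endpoint chosen for every (local colour, remote colour) pair, as a fabric would form them."""
    return {(l.color, r.color): tunnel_endpoint(l, r) for l in local_tlocs for r in remote_tlocs}


# Constructed sample: WAN Edge A and B, each with an MPLS TLOC (no NAT) and an
# Internet TLOC behind a NAT (private and public addresses differ).
A_MPLS = Tloc("10.1.1.1", "mpls", "172.16.1.2", 12346, "172.16.1.2", 12346)
A_INET = Tloc("10.1.1.1", "public-internet", "192.168.1.2", 12346, "203.0.113.10", 12366)
B_MPLS = Tloc("10.1.1.2", "mpls", "172.16.2.2", 12346, "172.16.2.2", 12346)
B_INET = Tloc("10.1.1.2", "biz-internet", "192.168.2.2", 12346, "198.51.100.20", 12346)

if __name__ == "__main__":
    for pair, ep in tunnel_plan([A_MPLS, A_INET], [B_MPLS, B_INET]).items():
        print(pair, "->", ep)
```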

OPTION 3

Option3 - SP Hosted Deployment
Control on MPLS Only – Not Recommended
(Controllers in the Datacenter Segment with Private IPs on MPLS; a STUN vBond in the DMZ (NAT 1:1) on INET; Private IP/Port = Private color, Public IP/Port = Public color)
• Controllers accessible via Private Transport Only - Controllers intentionally restricted to private access only
• Control Plane on MPLS only (loose HA)
• Internet attached vBond allows for NAT Traversal on public
  - vBond-as-Stun-Server
• Encryption keys for public exchanged across private only

WAN Edge configuration for the public TLOC:
  vpn 0
   interface ge0/0
    tunnel-interface
     vbond-as-stun-server
     color public-internet
vBond Discovery
• (1) WAN Edge queries Cisco PnP Servers to get vBond IP or vBond FQDN
• (2) WAN Edge will try vBonds one-by-one on every TLOC (INET, MPLS) by default, unless configured differently
• Controllers and WAN Edge find vBond in the same way:
  - Locally configured IP-address (for a single vBond) or FQDN (for multiple vBonds). FQDN can be resolved via DNS or locally (host statements)
  - In case of ZTP and need for local resolution, an IP-address can be pushed initially and host statements put in place when template configuration is applied
• vBond discovers router public IP address and port, even if it traverses a NAT box, and communicates (public IP, public port) to the router
WAN Edge On-Boarding
Appliances, Universal CPE, VNFs

Cisco SD-WAN Platform Options
Virtual (x86) Platforms
• ENCS 5100 / ENCS 5400 / generic x86: vEdge Cloud - ISRv
• Private Cloud (OpenStack, ESXi, KVM): vEdge Cloud – CSR1000v
• Public Cloud: vEdge Cloud – CSR1000v
Physical Platforms
• Small Branch: ISR 1000, vEdge 100
• Branch - Campus: ISR 4000, vEdge 1000
• Campus - Datacenter: ASR 1000, vEdge 2000, vEdge 5000
SD-WAN Software (Viptela OS – Cisco IOS-XE SD-WAN)
Adding Devices using PnP Connect
• Device Ordering in Cisco Commerce Workspace using the Smart Account / Virtual Account (SA/VA); the device is registered in PnP Connect together with the controller profile (org-name, vBond)
• (1) If hosted, controllers are instantiated by Cisco CloudOps and the device config (controllers to be deployed) is added by Cisco CloudOps
• (2) If on-prem, controllers are instantiated by customers, and controller details are added to PnP Connect
• PnP Connect produces the Provisioning File loaded into vManage; when the WAN Edge is powered up, PnP Automation Service happens
(Roles: Customer / Service Provider on both sides of the flow)
Connecting WAN Edge
• Direct Connection: WAN Edge connects directly to INET and MPLS
• Behind CPEs: WAN Edge connects behind the ISP Box and the Provider CPE
• Using Universal CPE: x86 runs NFVIS OS (ENCS / NFVIS); the WAN Edge runs as a VNF on the Universal CPE
1. On-Boarding on INET Using Global PnP
(Diagram: WAN Edge with MPLS and INET transports, controllers behind a DMZ (NAT 1:1), NSO, Cisco PnP Servers)
• (1) Configure Device Template and attach to UUID
• (2) The router contacts a DHCP server and receives its IP address from the server.
(Steps 3 and 5 appear only as callouts on the diagram, at the PnP Servers and at the DMZ in front of the controllers.)
2. On Boarding on MPLS with Static IP
• Supported on SD-WAN XE only
• DHCP is not enabled on CE to PE link (MPLS transport)
• Upon bootup, SD-WAN XE router will search bootflash: or usbflash: for filename ciscosdwan.cfg (case sensitive)
• Config file (which includes basic interface configuration, Root CA, Organization Name, vBond information, etc.) is fed into the PnP process
• Router has all required information to connect to vBond

Example ciscosdwan.cfg from the slide:
  #cloud-boothook
  system
   personality vedge
   device-model vedge-C1111-8PLTEEA
   host-name SITE1_ISR1K
   system-ip 10.10.10.10
   site-id 501
   organization-name "CustomerXYZ - 12345"
   console-baud-rate 9600
   vbond 64.1.1.2 port 12346
  !
  interface GigabitEthernet0/0/0
   no shutdown
   ip address 192.168.10.10 255.255.255.0
   exit
  !
  ip route 0.0.0.0 0.0.0.0 192.168.10.1

https://sdwan-docs.cisco.com/Product_Documentation/Getting_Started/Hardware_and_Software_Installation/On-Site_Bootstrap_Process_for_SD-WAN_Devices
3. On Boarding Universal CPE (uCPE)
Enterprise Networking Compute Platform: x86 runs NFVIS (Virtualization Layer with VNFM), with WAN1/WAN2 uplinks to MPLS and INET and a LAN side
• Quickly roll out new services and locations
• Ability to run Cisco and 3rd party VNFs on NFVIS
SD-WAN Service on Universal CPE
Orchestration and Management (MANO): NSO with vBranch/SDWAN Core Function Pack
VNFs: Virtual Router (ISRv), Virtual Router (vEdge), Virtual Firewall (ASAv), Virtual Wireless LAN Controller (vWLC), Virtual WAN Optimization (vWAAS), 3rd Party VNFs
Network Functions Virtualization Infrastructure Software (NFVIS)
Hardware: ISR 4000 + UCS-E Series, Enterprise Network Compute Systems (ENCS), UCS C-Series, CSP-2100
Secure Overlay to NFVIS
• Secure access to uCPE from NSO
• NAT traversal - uCPE "call home" to avoid NAT issues
• IPSec tunnel to Gateway – instantiated from NFVIS (NFVIS 3.10.1)
(Diagram: NSO and IPSec Gateway in the MSP Data Center, PnP, INET, NAT with Public IP in front of the NFVIS uCPE)
Single IP Address for WAN
Legacy CPE (Cisco Router with a WAN IP, managed by NSO from the MSP Data Center over MPLS; private IP space behind it):
• Service Provider management of legacy MPLS-VPN CPE using the Public IP address assigned to the WAN interface.
• Most OSS/BSS provisioning systems are based on the assumption that the CPE has only one IP address used for the WAN
uCPE (NFVIS running ISRv, managed by NSO over INET; Gi0/0 Public IP, ISRv WAN IP and NFVIS MGMT IP; private IP space behind it):
• Service Providers need to manage uCPE as a traditional CPE with a single IP address
• NFVIS - The two interfaces that connect the user to the system are the WAN interface and the management interface. By default, the WAN interface has the DHCP configuration and the management interface is configured with the static IP address 192.168.1.1
• VNF - requires IP address to be WAN connected
• At least 2 IP Addresses are required
VNF Performance
• SRIOV: Best Performing Path; Requires VNF Driver
• OVS-DPDK: Performing Path Near SRIOV; Software path; No VNF driver required (NFVIS 3.10.1)
• OVS: Software path; No VNF driver required
SD-WAN Service on Universal CPE (ENCS)
Pre-provision Universal CPE (Customer or Service Provider via the Customer/Operator Portal, backed by NSO with the SD-WAN Core Function Pack):
1 Select branch template and enter device serial#
2 Ship ENCS to Branch
3 PnP Request from the ENCS
4 Configure Universal CPE
5 Spin up and configure VNFs + service chain
5 (optional) Service Configuration (day-2)
NSO with the SDWAN Function Pack
On-Boarding – vEdge Cloud, ISRv
Network Service Orchestrator (NSO) with Core FP (vBranch) and Core FP (SDWAN-SITE); vManage holds the Control and Policy Elements.
1 Define SDWAN Service on ENCS (VNF and Chaining)
2 Get the unclaimed vEdge Cloud router list from vManage. Get Bootstrap Configuration file (cloud-init config file) which contains cloud-config (bootstraps) and cloud-boothook (day0) sections
3 Full Registration and Configuration
4 VNFs instantiated and loaded with vEdge Bootstrap Configuration cloud-init file. Chaining of VNFs occurred if Virtual Networks requested. (ENCS)
(Steps 5 to 7 appear only as callouts on the diagram.)
SD-WAN Gateways – Large Scale, Multiple Domains

SD-WAN Gateway - Deployment and Migration
(Diagram: SD-WAN Fabric with SD-WAN CPEs over INET and MPLS; SDWAN Gateways run OMP towards the fabric and BGP towards the MPLS-VPN PEs of the MSP MPLS VPN, which still serves Legacy CPEs.)
• Identify Gateway/DC Sites providing connectivity between SD-WAN and legacy sites
• Legacy sites talk to each other directly
• SD-WAN sites talk to each other directly
• Legacy router/connectivity is dropped in the DC/Gateway sites once migration is complete
INET WAN Edge Only to MPLS WAN Edge Only
Problem: how does a WAN Edge with a single transport (MPLS) reach a WAN Edge with a single transport (INET)?
INET WAN Edge Only to MPLS WAN Edge Only
• Option1 - Multihomed Gateway: the GATEWAY is attached to both MPLS and INET and advertises a DEFAULT / SUMMARY route via OMP to WAN EDGE 1 (MPLS) and WAN EDGE 2 (INET), which reach each other through the gateway
• Option2 - End to end Data Plane: WAN EDGE 1 (MPLS) and WAN EDGE 2 (INET) build a direct tunnel through a NAT between the MPLS and INET transports; the GATEWAY still advertises DEFAULT / SUMMARY via OMP
Overall MSP Deployment
(Diagram: US, EMEA and APAC Regions, each with SD-WAN CPEs in Full/Partial mesh over MPLS and INET, attached to SD-WAN Gateways (MSP SDN POPs); MSP Datacenters, MSP MPLS VPN with Legacy CPEs, Public Internet and MSP Cloud.)
• Support Regional Meshing for optimal connectivity
• Support remote region connectivity through Gateways
• Provide Redundant Gateway Connectivity
Control Policy Case Study – Site Definitions
• Site-ID assignment allowing for Site identification – 32 bits
  Continent (1-7) | Country (1-999) | Site number (1-9999)
  Example: Europe (5), Sweden (046), Site 1000 -> Site-ID 5 046 1000
• TLOC Colors illustrating how sites are attached
• System-IP identifying individual nodes
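The structured Site-ID scheme above, as an added example (not code from the deck): it encodes and decodes the continent/country/site fields and checks the ranges; the site-list range helper is an assumption about how the scheme would feed a centralized control policy.

```python
"""Structured Site-ID scheme from the Control Policy case study.

Added example, not code from the deck. The slide splits the 32-bit Site-ID
into Continent (1-7), Country (1-999) and Site number (1-9999), e.g.
Europe 5, Sweden 046, site 1000 -> 5 046 1000. site_list_range() is an
assumption about using the scheme to build per-region site-lists.
"""
from typing import Optional, Tuple

CONTINENT_RANGE = (1, 7)
COUNTRY_RANGE = (1, 999)
SITE_RANGE = (1, 9999)
COUNTRY_MULT = 10_000          # site number occupies the last 4 decimal digits
CONTINENT_MULT = 10_000_000    # country occupies the next 3 decimal digits
MAX_SITE_ID = 2**32 - 1        # Site-ID is a 32-bit value


def _check(value: int, bounds: Tuple[int, int], what: str) -> None:
    lo, hi = bounds
    if not lo <= value <= hi:
        raise ValueError(f"{what} {value} outside {lo}-{hi}")


def encode_site_id(continent: int, country: int, site: int) -> int:
    """Compose a Site-ID; the largest value, 79999999, fits comfortably in 32 bits."""
    _check(continent, CONTINENT_RANGE, "continent")
    _check(country, COUNTRY_RANGE, "country")
    _check(site, SITE_RANGE, "site")
    site_id = continent * CONTINENT_MULT + country * COUNTRY_MULT + site
    if site_id > MAX_SITE_ID:
        raise ValueError("site-id exceeds 32 bits")
    return site_id


def decode_site_id(site_id: int) -> Tuple[int, int, int]:
    """Split a Site-ID back into (continent, country, site), validating each field."""
    continent, rest = divmod(site_id, CONTINENT_MULT)
    country, site = divmod(rest, COUNTRY_MULT)
    _check(continent, CONTINENT_RANGE, "continent")
    _check(country, COUNTRY_RANGE, "country")
    _check(site, SITE_RANGE, "site")
    return continent, country, site


def format_site_id(site_id: int) -> str:
    """Render as on the slide: '5 046 1000'."""
    continent, country, site = decode_site_id(site_id)
    return f"{continent} {country:03d} {site}"


def site_list_range(continent: int, country: Optional[int] = None) -> Tuple[int, int]:
    """Lowest and highest Site-ID of a continent, or of one country within it.

    Assumption: a control policy site-list can then match the whole region
    with a single numeric range instead of enumerating every site.
    """
    if country is None:
        return (encode_site_id(continent, COUNTRY_RANGE[0], SITE_RANGE[0]),
                encode_site_id(continent, COUNTRY_RANGE[1], SITE_RANGE[1]))
    return (encode_site_id(continent, country, SITE_RANGE[0]),
            encode_site_id(continent, country, SITE_RANGE[1]))


if __name__ == "__main__":
    sid = encode_site_id(5, 46, 1000)      # Europe, Sweden, site 1000 from the slide
    print(sid, format_site_id(sid), site_list_range(5), site_list_range(5, 46))
```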

Control Policy Principles – US Region

TLOCs - Inbound Advertisements:
  US Region – All Colors
  US Gateways – All Colors
  EMEA Gateways – All Colors
  APAC Gateway – All Colors

ROUTES - Inbound Advertisements:
  US Region – Original Next Hop
  EMEA Region – EMEA GW Next Hop
  APAC Region – APAC GW Next Hop

TLOCs - Outbound Advertisements:
  US Gateways – All Colors

ROUTES - Outbound Advertisements:
  US Region – US GW NH
Protecting workers wherever they are…
(Diagram: Branch/Campus and Home/Mobile users; Datacenter/Private Cloud with SDWAN and Firewall/IPS/URL Filtering; Multi-factor Authentication; Cisco Umbrella as Secure Internet GW in front of Internet/SaaS and IaaS)
• Cisco Umbrella
  - Router intercepts client DNS queries
  - DNS queries are forwarded to Cisco Umbrella DNS servers either unconditionally or based on the policies
  - Cisco Umbrella enforces security policy compliance based on DNS resolution
  - Cisco Umbrella can act as proxy for application traffic with full Unified Threat Management capabilities
SD-WAN Security (FCS Q4CY18, Committed 1HCY19)
Manage in Cloud or On-Prem with vManage: Provisioning, Managing, Monitoring, Reporting, Troubleshooting
• Branch Edge (Embedded) – Full Edge Security: Enterprise FW App Aware, IPS, URL filter, Anti-Malware; on ISR 4K/1K, ENCS w/ISRv, CSR
• Branch Edge (Cloud) – DNS/web-layer security
• Edge Flexibility: ASR1K – Only App Aware FW and DNS/web-layer security; vEdges (Viptela) – Only FW and DNS/web-layer security
SD-WAN Overall Service Management
(Diagram: SP Data Center 1 and SP Data Center 2, each with an SD-WAN Gateway / Hub and VPN 511; ORCHESTRATION PLATFORM with LiveSP and 3rd Party EMS; WAN Edges with VPN 511 over INET; VPN511 dedicated for Management)
• WAN Edge – Management VPN
  - VPN 511 for example
  - Management VPN
  - Appliance or VNF Mgmt
  - Used for SD-WAN Service management
  - Syslog, traps, NetFlow export
SD-WAN Overall Service Management
(Diagram as on the previous slide, with NFVIS uCPEs and VPN 511 at the sites and a Secure Channel to the ORCHESTRATION PLATFORM)
• ENCS/NFVIS – Secure Channel
  - ENCS Bootstrap
  - IPSec tunnel
  - NSO can access NFVIS Mgmt
  - Outside/Inside of SD-WAN Fabric
• Management VPN 511
  - Used to access WAN Edge for management
  - Used to access NFVIS
  - Used to access VNFs running on NFVIS
vBranch Management
(Diagram: ENCS running NFVIS with a WAN Edge VNF; the Fabric Data Tunnel carries VPN 511, which connects to the NFVIS MGMT net)
• Management VPN 511
  - Used to access WAN Edge for management
  - Used to access NFVIS
  - Used to access VNFs running on NFVIS
Orchestration for MSPs

MSP Orchestration
(Diagram: SP OSS/BSS drives the Network Service Orchestrator (NSO). NSO provisions (1) vBranch (ENCS) and (2) vEdge/cEdge Appliances at Tenant 1 sites, (3) tenant VNFs (3rd Party VNFs, ASAv, FTDv, vEdge Cloud) in SP Data Centers with availability zones AZ1/AZ2 for Tenant 1, Tenant 2 and Tenant 3, (4) Cloud Services over the Internet, and (5) SP Services such as Hosted Collaboration, Security, Storage…)
Cisco SD-WAN Automation Stack for MSPs
1 Cisco vManage only: target customer has vEdge appliances (vEdge, cEdge) without a need for virtual CPE (ENCS / NFVIS), service orchestration and OSS/BSS from Cisco (SP Datacenter NFVI on OpenStack, VMware)
Single Pane of Glass Operations
vManage GUI
• Intuitive GUI driven operations
  - Management, monitoring and troubleshooting
• Cloud Delivered
  - Private, hosted or managed
• Single or Multi-tenant
• Role-based Access Control
• Clustered for scale and high availability
• REST APIs based
Current Orchestration and APIs
vManage interfaces: REST, Netconf, Syslog, SNMP, cFlowd*, CLI
Used for: Management, Monitoring, Provisioning, Troubleshooting
* http://tools.ietf.org/html/rfc7011
(Diagram: vManage and vSmart with a Secure Control Plane to vEdge Routers in Data Center, Campus, Branch and Home Office, and a Secure Data Plane over Internet, 4G/LTE and MPLS)
https://www.cisco.com/c/en/us/solutions/enterprise-networks/sd-wan/technology-alliance-partners.html
Cisco SD-WAN Automation Stack for MSPs
MSP OSS/BSS -> Cisco MSX (MSP Customer Portal, NSO) -> multiple vManage instances -> ENCS with NFVIS, vEdge and cEdge at the sites
NSO System Overview
Users: Network Engineering, Ops and Provisioning, Service Developers
NSO components: Service Manager, Package Manager, CDB, Device Manager, Device Abstraction, NEDs towards Multi-domain Networks; ESC (VNFM) providing VNF Lifecycle Manager and VNF Service Monitoring
• Model-driven end-to-end service lifecycle and customer experience in focus
• Seamless integration with existing and future OSS/BSS environment
• Loosely-coupled and modular architecture leveraging open APIs and standard protocols
• Orchestration across multi-domain and multi-layer for centralized policy and services across entire network
SD-WAN Core Function Pack Architecture
Network Service Orchestrator hosts the SD-WAN Core Function Pack and the vBranch Core Function Pack.
• Branch: vBranch Core Function Pack -> NETCONF -> VNF Manager (ESC-Lite) -> Virtualized Infrastructure Manager (NFVIS) -> Compute Platforms (ENCS, UCS, CSP) and Physical Networks
• Datacenter or SDN POPs: NETCONF -> VNF Manager (ESC) -> Virtualized Infrastructure Manager (OpenStack – VMWare) -> Compute Platforms (Servers)
• SD-WAN Core Function Pack -> vManage NED -> REST -> vManage
Cisco vAnalytics Collection and Value
SD-WAN Fabric -> Telemetry -> vManage -> Data Export -> vAnalytics
Value: Visibility, What-If, Recommendations, Forecasting
• Requires opt-in
• Cloud only
• Enterprise License tier
• Network Centric View
• Application Centric View
Key Takeaways

Journey to Intent-based Networking
The Network. Intuitive. Powered by intent. Informed by context.
• Digital-Ready Infrastructure: Secure foundation, Programmability, Virtualization
• Policy-Based Automation: Business Policy Translation, Segmentation
• Analytics & Assurance: Policy Validation, Everything as a sensor, Telemetry Historical & Real-time
• Machine Learning & AI: Predictive, Self-healing
• Intent-based Networking: Constantly Learning, Constantly Adapting, Constantly Protecting
We are here
Your SD-WAN learning map at CLEUR (Monday to Friday)
• TECCRS-2014 – Deep Dive
• TECCRS-2191 – Deployment / BCP
• TECSEC-2355 – Security
• BRKCRS-2110 – The foundation
• BRKCRS-2111 – Migration
• BRKCRS-2112 – Serviceability
• BRKCRS-2113 – Cloud onRamp
• BRKCRS-2114 and BRKCRS-2117 – Security, Design
• BRKRST-2558 – SD-WAN as a Managed Service
• BRKRST-2559 and BRKRST-2560 – On-prem Deployment, Analytics / ML
More Information
• BRKCRS-2110 – SD-WAN Overview
• BRKCRS-2111 – SD-WAN Migration
• BRKCRS-2112 – SD-WAN Serviceability
• BRKARC-2112 – Deploy Network Services in Minutes on any Platform with Cisco Enterprise Network Functions Virtualization (NFV)
• BRKCRS-2502 – Software Defined Application Visibility and Control (NBAR2)
• TECCRS-2014 – SD-WAN Deep Dive
• TECRST-2191 – SD-WAN Deployment
• SD-WAN CVD: https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/CVD-SD-WAN-Deployment-2018OCT.pdf
Complete your online session survey
• Please complete your Online Session Survey after each session
• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations

Don't forget: Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com
Continue Your Education
• Demos in the Cisco Showcase
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions
Thank you
BACKUP SLIDES
Certificates – Controllers (vBond, vManage, vSmart)

Each controller (vBond, vManage, vSmart) holds a certificate signed by a trusted Root.

• Automated certificate signing through Symantec
  - Symantec Root Cert chain is in the software by default
  - Certificates are automatically sent to the controllers from Symantec
  - Symantec manual signing is also available
• Can use an Enterprise/MSP CA instead
  - Install the Enterprise Root CA cert chain in all controllers
  - Install the certificates on all controllers
Public and Private Colors

Each TLOC advertises a Public IP/Port and a Private IP/Port:
1. Private color to Private color: IPSec tunnel and BFD session are built between the Private IP/Port of each side
2. Private color to Public color, and Public color to Public color: IPSec tunnel and BFD session are built between the Public IP/Port

• The TLOC Color is used as a static identifier for the interface and the underlay network attachment. A color is categorized as Private or Public
  - Private Colors: mpls, private1-6, metro-ethernet
  - All other colors are public: red, blue, …, public-internet, …
• The color setting applies to:
  - WAN Edge to WAN Edge communication
  - WAN Edge to Controller communication

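The color rule above expressed as code, as an added example that is not part of the original deck: the private-color list is the one on the slide, the endpoint choice follows the two cases shown, and the TLOC values used in the test are constructed for illustration.

```python
"""TLOC colour classification and tunnel endpoint selection (added example).

Rule from the slide: a tunnel between two private colours uses each side's
private (pre-NAT) IP/port; if either colour is public, both sides use their
public (post-NAT) IP/port.  All TLOC data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Private colours named on the slide; every other colour string is public.
PRIVATE_COLORS = {"mpls", "metro-ethernet"} | {f"private{i}" for i in range(1, 7)}


def is_private_color(color: str) -> bool:
    """Classify a TLOC colour as private (True) or public (False)."""
    return color.strip().lower() in PRIVATE_COLORS


@dataclass(frozen=True)
class Tloc:
    """Transport locator: colour plus the private and public endpoints it advertises."""
    system_ip: str
    color: str
    private_ip: str
    private_port: int
    public_ip: str
    public_port: int

    def endpoint(self, use_private: bool) -> tuple[str, int]:
        if use_private:
            return (self.private_ip, self.private_port)
        return (self.public_ip, self.public_port)


def tunnel_endpoints(a: Tloc, b: Tloc) -> tuple[tuple[str, int], tuple[str, int]]:
    """Return the (IP, port) pair each side uses for the IPSec tunnel / BFD session.

    Only a private-to-private pairing stays on private addresses; any pairing
    that involves a public colour falls back to the public addresses on both sides.
    """
    use_private = is_private_color(a.color) and is_private_color(b.color)
    return a.endpoint(use_private), b.endpoint(use_private)


def mesh_endpoints(tlocs: list[Tloc]) -> dict[tuple[str, str], tuple[tuple[str, int], tuple[str, int]]]:
    """Compute the endpoint choice for every TLOC pair, keyed by (system_ip:color, system_ip:color)."""
    result = {}
    for i, a in enumerate(tlocs):
        for b in tlocs[i + 1:]:
            result[(f"{a.system_ip}:{a.color}", f"{b.system_ip}:{b.color}")] = tunnel_endpoints(a, b)
    return result
```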
For Your Information

Certificate – Devices (physical WAN Edge: vEdge, ISR1100, ISR4k)

• Each physical WAN Edge router is uniquely identified by its chassis ID and certificate serial number
• The device certificate is stored in the onboard Tamper Proof Module (TPM) chip; it is signed and installed during manufacturing
• The certificate is signed by
  - the Avnet root CA (vEdge) or the Cisco root CA / Cisco PKI (ISR1100, ISR4k)
  - and is trusted by the Control Plane elements
• The Root Chain Certificate shipped in the SD-WAN software is used by the device to validate the Control Plane elements
  - Symantec root CA chain of trust is used to validate Control Plane elements
  - Alternatively, if used, the Enterprise root CA chain of trust can be used to validate Control Plane elements
  - Can be automatically installed during ZTP
For Your Information

Certificate – Software Devices

• vEdge Cloud, ISRv, CSR1000v, ASR1000 (no TPM chipset)
• OTP/Token is generated by vManage
  - One per (chassisID, serial number) in the uploaded vEdge list
• OTP/Token is supplied to vEdge Cloud in Cloud-Init during the VM deployment
• vManage issues a self-signed device certificate for the vEdge Cloud after OTP/Token validation
  - vManage removes the OTP to prevent reuse
• The Root Chain Certificate shipped in the SD-WAN software is used to validate the Control Plane elements
  - Symantec root CA chain of trust is used to validate Control Plane elements
  - Alternatively, if used, the Enterprise root CA chain of trust can be used to validate Control Plane elements
  - Can be provided in Cloud-Init
SP Deployment Requirements for uCPE
• Issue 1 – NFVIS secure management overlay
  - Service Providers want a Secure Management Overlay between uCPE (NFVIS) and Orchestrator (Public Internet)
  - IPSec preferred based on SP field teams' inputs
• Issue 2 – NFVIS single public IP support
  - Service Providers want to manage uCPE as a traditional CPE with a single IP address
  - Service Provider management of CPE/Router is performed through the Public IP address assigned to the WAN interface
  - Single WAN IP to access both VNF (ISRv) and NFVIS
  - Handle VNF (ISRv) failure
NSO with the vBranch Function Pack

On Boarding – ENCS/NFVIS

Components: Network Service Orchestrator (NSO) with PnP, VNFM and the Core FP (vBranch); the branch ENCS running NFVIS (hosting the vEdge VNF)

1) ENCS boots and creates the basic network infrastructure
2) NFVIS registers to NSO using PnP – IP + serial + model + capabilities
3) NFVIS is registered in NSO
4) NSO connects to the branch NFVIS (NETCONF)
5) ENCS/NFVIS is on-boarded in NSO
On-Boarding – vEdge Cloud, ISRv

Components: vManage (Control and Policy Elements), NSO (SDWAN-SITE FP), VM Provisioning Tool, vEdge Cloud

Cloud-Init user data passed to the VM (the OTP, vBond address, chassis UUID and organization name come from vManage):

    #cloud-config
    vinitparam:
     - otp : 139a24ccd4add6bc0278fde0cb366f60
     - vbond : 10.60.19.45
     - uuid : 0a4a4c78-35a8-4c1c-bbd2-e02516606fd7
     - org : Cisco Sy1 - 19968

Flow: NSO (SDWAN-SITE FP) drives the VM Provisioning Tool to deploy the vEdge Cloud VM, which boots using the cloud-init information and then completes full registration and configuration with the vManage Control and Policy Elements.

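The single-use OTP flow from the Certificate – Software Devices slide and the vinitparam layout above, as an added example that is not vManage's own code: `OtpRegistry` is a hypothetical stand-in for vManage's per-device token store, and the chassis IDs, serials and vBond address in the test are constructed.

```python
"""Single-use OTP handling for software WAN Edge on-boarding (added example).

Models the slide's flow: vManage generates one OTP per (chassisID, serial)
from the uploaded vEdge list, hands it to the VM through cloud-init, and
deletes it after a successful validation so the same token cannot be replayed.
OtpRegistry is hypothetical; it is not vManage's implementation.
"""
from __future__ import annotations

import hmac
import secrets


class OtpRegistry:
    """Hypothetical per-device OTP store with issue / render / validate-once."""

    def __init__(self) -> None:
        self._pending: dict[tuple[str, str], str] = {}

    def issue(self, chassis_id: str, serial: str) -> str:
        """Generate a fresh 128-bit OTP for one (chassisID, serial) pair."""
        otp = secrets.token_hex(16)
        self._pending[(chassis_id, serial)] = otp
        return otp

    def cloud_init(self, chassis_id: str, serial: str, vbond: str, org: str) -> str:
        """Render the #cloud-config fragment in the vinitparam layout from the slide."""
        otp = self._pending[(chassis_id, serial)]
        return (f"#cloud-config\nvinitparam:\n - otp : {otp}\n - vbond : {vbond}\n"
                f" - uuid : {chassis_id}\n - org : {org}\n")

    def validate(self, chassis_id: str, serial: str, presented: str) -> bool:
        """Accept a matching OTP exactly once; unknown devices and replays fail."""
        expected = self._pending.get((chassis_id, serial))
        if expected is None or not hmac.compare_digest(expected, presented):
            return False
        del self._pending[(chassis_id, serial)]  # removed after use to prevent reuse
        return True


def parse_vinitparam(text: str) -> dict[str, str]:
    """Parse the ' - key : value' lines under vinitparam: into a dict."""
    params: dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("- ") and ":" in stripped:
            key, value = stripped[2:].split(":", 1)
            params[key.strip()] = value.strip()
    return params
```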