Khalid Raza
Distinguished Architect/CTO Co-Founder Viptela
SD-WAN: Basic industry definition
According to lead analysts

Table Stakes
§ Has a centralized, application-based policy controller
§ Has application and network performance monitoring
§ Contains a software overlay that abstracts and secures underlying networks
§ Has dynamic path selection to optimize the WAN based on
[Figure labels: Business Logic and Compliance Policies; Application-aware networking (app classification, WAN path control, network QoS); Robust and secure infrastructure (hybrid WAN connectivity over MPLS, 4G/LTE and Internet; intelligent network services insertion; zero-trust edge)]
Source: IDC
SD-WAN
Why has the industry missed the fundamental definition?
A network architecture in which the network control plane is decoupled from the physical topology (Kate Greene, MIT)
[Figure: control plane protocols. OMP is labelled with cryptographic authentication, policy distribution, key distribution, VPN address family, extendable, massive scale and more control. It is contrasted with the traditional stack labelled MP-BGP, LDP, MPLS, BGP, IKE/IPsec, AS path, database, IGP convergence metric and limited scale, plus an L2 layer of port channel, VLANs, VSS/vPC, RootGuard, BPDUGuard, STP loop prevention, link state, HSRP, L2 hardening, 802.1Q, VTP and VLAN pruning.]
Overlay Management Protocol (OMP)
Unified Control Plane
• TCP based extensible control plane protocol
• Runs between vEdge routers and vSmart controllers and between the vSmart controllers
  - Inside TLS/DTLS connections
• Advertises control plane context
• Dramatically lowers control plane complexity and raises overall solution scale
[Figure: vSmart controllers peering with each other and with vEdge routers]
Note: vEdge routers need not connect to all vSmart Controllers
SD-WAN Solution Roles and Responsibilities

Orchestration Plane (vBond)
• First point of authentication
• Distributes list of vSmarts/vManage to all vEdge routers
• Facilitates NAT traversal

Management Plane (vManage)
• Single pane of glass for Day0, Day1 and Day2 operations
• Multitenant or single-tenant
• Centralized provisioning, troubleshooting and monitoring
• RBAC and APIs
[Figure labels: APIs, 3rd Party Automation, vAnalytics]

Control Plane (vSmart Controllers)
• Disseminates control plane information between vEdges
• Distributes data plane policies
• Implements control plane policies

Data Plane (vEdge Routers)
• Physical or virtual
• Zero Touch Provisioning
• Establishes secure fabric
• Implements data plane policies
• Exports performance statistics
[Figure labels: transports MPLS, 4G, INET]
[Figure: control plane churn comparison. One side is labelled multiple interdependent control planes, independent routing and data plane control, no synchronization of routing + encryption, non-deterministic high volume control traffic, churn on node failovers and node state changes, churn multiplied by number of WAN links, multi-directional churn resolution and lack of synchronization. The other side is labelled separated control/data, fully distributed hierarchical process and inherent synchronization of routing + encryption. Events shown: routing update, control (IPsec/IKE), hub switchover, new node introduction, data plane bring-up/teardown.]
Enterprise WAN requirements
Takes us far beyond table stakes
• Multi-domain Policy
• Comprehensive Security and integration
• High availability at every layer
• SaaS and Multi-Cloud Applications
Centralized Policy Framework
[Figure: policy and device configuration templates are defined centrally; policy is distributed over OMP into volatile storage (~policy RIB), while device configuration templates are pushed over Netconf into the device configuration.]
[Figure: permanent and temporary control sessions across transports T1 to T4 over the Internet1 and Internet transports, with periodic NAT poke-a-hole packets.]
• Add vBond Orchestrators to increase vEdge bringup capacity
• Create vManage cluster to accommodate more vEdge routers
• Add vSmart Controllers for more control plane capacity
[Figure labels: DC/Private Cloud, Mobile Users, IaaS]
Cloud Network
• Cloud is not a monolithic single entity
  • AWS
  • Azure
  • GCP
• Private connections through VPN gateways along with MPLS (Express Route, Direct Connect)

MultiCloud with Cloud OnRamp
• Transport Agnostic
[Figure label: Remote Site]
Cloud Network
• Existing data centers are also multisite
• Having the ability to optimally route to the application workload is essential for user experience
• Creating a single fabric regardless of circuit location and transport makes SD-WAN very critical for cloud adoption
• Due to the fluid nature of where data, applications, and services reside, along with a need for more convergence and availability
[Figure: SD-WAN fabric connecting host and gateway VPCs/VNETs (AZ1/AZ2, VGW, IGW, VPN, Direct Connect, Express Route gateways, AS1/AS2) to Branch1, Branch2 and existing branches over INET and MPLS through WAN Edge / vEdge gateways, with VPN 1, VPN 2 and VPN 3 segments and Path 1 / Path 2 shown.]
#CiscoLive © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public
Application Quality of Experience
• Our current application-aware timers are programmable and we are looking at optimizing them long term
• Network layer FEC is better used for small important transfers where retransmissions are poorly handled or cause delays (e.g. credit card/ATM)
• For applications using a modern codec, FEC overhead is duplicated
  • The codec performs recovery using internal overhead
  • Network FEC with data duplication covering per-packet load sharing
  • Multi-layer overhead:
    • Data payload overhead
    • Voice head-end and receiver processing
    • Path termination routers: buffering (latency) and CPU / forwarding
[Figure: % weight of one lost packet versus number of BFD buckets: 0.17, 0.25, 0.50, 1, 1.25, 1.67, 2.5, 5, 10. Markers: Default, Sweet Spot, "+ Loss Granularity -". Weight of a new bucket relative to the multiplier: 1/6, 1/4, 1/3 etc. app-route multiplier (default 6).]
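The bucket figure models how the app-route multiplier trades loss granularity against reaction time. The following added Python example (not Viptela or Cisco code) replays a constructed loss burst through a ring of buckets; it assumes 100 BFD probes per bucket, which makes the default multiplier of 6 reproduce the figure's 0.17% weight per lost packet.

```python
from collections import deque

# Added illustration, not Viptela/Cisco code. Assumption: each poll
# interval fills one bucket with PACKETS_PER_BUCKET BFD probes; the ring
# holds `multiplier` buckets (app-route multiplier, default 6). With 100
# probes per bucket the default ring reproduces the figure's 0.17 %.
PACKETS_PER_BUCKET = 100


def lost_packet_weight(multiplier: int, packets_per_bucket: int = PACKETS_PER_BUCKET) -> float:
    """Percent that a single lost BFD probe adds to the windowed loss figure."""
    return 100.0 / (multiplier * packets_per_bucket)


class AppRouteLossWindow:
    """Ring of `multiplier` buckets; loss % is averaged over the whole ring."""

    def __init__(self, multiplier: int = 6, packets_per_bucket: int = PACKETS_PER_BUCKET):
        if multiplier < 1 or packets_per_bucket < 1:
            raise ValueError("multiplier and packets_per_bucket must be >= 1")
        self.packets_per_bucket = packets_per_bucket
        # Start with a full ring of clean buckets so the denominator is constant.
        self.buckets = deque([0] * multiplier, maxlen=multiplier)

    def close_poll_interval(self, lost: int) -> float:
        """Rotate in one poll interval's lost-probe count (oldest bucket drops off)."""
        if not 0 <= lost <= self.packets_per_bucket:
            raise ValueError("lost must be within one bucket's probe count")
        self.buckets.append(lost)
        return self.loss_percent()

    def loss_percent(self) -> float:
        total = len(self.buckets) * self.packets_per_bucket
        return 100.0 * sum(self.buckets) / total

    def sla_violated(self, max_loss_percent: float) -> bool:
        return self.loss_percent() > max_loss_percent


def replay(multiplier: int, losses_per_interval: list, packets_per_bucket: int = PACKETS_PER_BUCKET) -> list:
    """Feed a per-interval loss series through the window; return loss % after each interval."""
    window = AppRouteLossWindow(multiplier, packets_per_bucket)
    return [window.close_poll_interval(lost) for lost in losses_per_interval]


if __name__ == "__main__":
    # Constructed scenario: a burst of 2 lost probes in one interval, then clean intervals.
    burst = [2, 0, 0, 0, 0, 0, 0]
    for m in (6, 1):
        print(f"multiplier={m}: weight per lost probe={lost_packet_weight(m):.2f}% ->",
              [f"{v:.2f}" for v in replay(m, burst)])
```

With multiplier 6 the burst registers as 0.33% and lingers for six intervals; with multiplier 1 it registers as 2% and is forgotten after one interval, which is the granularity-versus-reaction trade-off the figure sketches.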
Comprehensive Security
[Figure labels: services, per-segment routing, branch segmentation, NAT traversal, policy, security, WAN, VPN 2, VPN 3, voice and collaboration, Application Quality of Experience, distributed decision making, convergence, Cloud OnRamp.]
[Figure: branch traffic flows, labelled all internet & web traffic, web inspection, port & protocol rules, HQ-destined traffic, employee, point of sale, employee internet traffic, SD-WAN, Internet, enterprise firewall, cloud security with Umbrella, domain integration, users.]
Scalable Multi-domain Routing
Comprehensive Security
Q: With transport redundancy with dual routers at a site, does BFD flow across the TLOC, to allow a router to know the performance status of a transport link on another router?
A: Yes, via TLOC extension. BFD is sent across both routers, so you are virtually connected to one transport and physically connected to the other transport.
A: Microsegmentation. The idea is you have endpoint devices connected to the same VLAN or the same physical interface. For example, you can have your video surveillance camera connected to VLAN 1 along with your physical lock connected to the same VLAN. Your video camera and lock, although on the same VLAN, are not allowed to connect with each other because they are in different microsegments.
Macrosegment: Continuing with our previous example, all the video cameras connected in your branch or campus are monitored by, say, company X. In a particular location you might have 5 video cameras that are allowed to connect with company X only. The video camera traffic of all the cameras is profiled and is only allowed to go to a certain destination. Now you have multiple microsegments (cameras) going through a shared segment to a particular topology decided by the macrosegment at your SD-WAN router. The same thing happens to all the locks in the same location.
Thank You