
Cisco-SDWAN

2020 Global Networking Trends

Khalid Raza
Distinguished Architect/CTO, Co-Founder Viptela
SD-WAN: Basic industry definition
According to lead analysts

• Hybrid, Secure Overlay WAN


• Policy Driven App-Aware Path Selection
• Management, Visibility, Orchestration
• Path Agnostic implying Circuit Cost Savings
• Router Replacement
How do we define SD-WAN?

Table stakes (IDC definition):
§ Leverages hybrid networks
§ Has a centralized, application-based policy controller
§ Has application and network performance monitoring
§ Contains a software overlay that abstracts and secures underlying networks
§ Has dynamic path selection to optimize the WAN based on application requirements

SD-WAN elements (IDC layered view, bottom to top):
1. Robust and secure infrastructure: hybrid WAN connectivity (MPLS, 4G/LTE, Internet); intelligent network services insertion; zero-trust edge; fully encrypted secure fabric (mesh, star, hub); segment-based networks (VPN 1, VPN 2 ... VPN n) with end-to-end network segmentation
2. Application-aware networking: app classification, WAN path control, network QoS
3. Operational simplicity and ease: automation, orchestration and operations; monitoring and visibility; business logic and compliance policies

© IDC
SD-WAN
Why has the industry missed the fundamental definition?

"A network architecture in which the network control plane is decoupled from the physical topology" (Kate Greene, MIT)
Control plane Protocols
(Word cloud; terms grouped by the two labels on the slide.)

Massive scale, more control: OMP, Cryptographic Authentication, Policy Distribution, Key Distribution, VPN, MPBGP Address Family, LDP, VPN MPLS, Extendable, BGP, AS Path, IKE, IPsec, Database

Limited scale: Convergence, IGP, Metric, Link State, port channel, Loop prevention, VLANs, VSS/vPC, RootGuard, BPDUGuard, STP, HSRP, L2 Hardening, 802.1Q, VTP, VLAN pruning
Overlay Management Protocol (OMP)
Unified Control Plane
• TCP based extensible control plane protocol
• Runs between vEdge routers and vSmart controllers and between the vSmart controllers, inside TLS/DTLS connections
• Advertises control plane context
• Dramatically lowers control plane complexity and raises overall solution scale

(Diagram: vSmart controllers peer with each other over OMP; each vEdge peers with one or more vSmarts.)
Note: vEdge routers need not connect to all vSmart Controllers
SD-WAN Solution Roles and Responsibilities

Orchestration plane (vBond):
• First point of authentication
• Distributes list of vSmarts/vManage to all vEdge routers
• Facilitates NAT traversal

Management plane (vManage, vAnalytics, APIs, 3rd-party automation):
• Single pane of glass for Day0, Day1 and Day2 operations
• Multitenant or single-tenant
• Centralized provisioning, troubleshooting and monitoring
• RBAC and APIs

Control plane (vSmart controllers):
• Disseminates control plane information between vEdges
• Distributes data plane policies
• Implements control plane policies

Data plane (vEdge routers, over MPLS / 4G / INET, at cloud, data center, campus, branch and CoLo):
• Physical or virtual
• Zero Touch Provisioning
• Establishes secure fabric
• Implements data plane policies
• Exports performance statistics
Control, Data and Management Planes
Separation is crucial for scale and stability

Multiple interdependent control planes (traditional WAN):
• Control (Routing): routing updates, multi-directional churn, lack of synchronization
• Control (IPsec/IKE): hub switchover, new node introduction
• Data plane: bring-up/teardown
• Independent routing and data plane control
• No synchronization of routing + encryption
• Non-deterministic, high-volume control traffic
• Churn on node failovers and node state changes
• Churn multiplied by number of WAN links

Separated control/data (SD-WAN):
• Control (Routing/Encryption) -> Resolution -> Data plane bring-up/teardown
• Fully distributed hierarchical process
• Inherent synchronization of routing + encryption
Enterprise WAN requirements
Takes us far beyond table stakes

• Scalable Multi-domain Routing
• Centralized Policy Driven Traffic Management
• Multi-domain Policy and integration
• Comprehensive Security
• High availability at every layer
• SaaS and Multi-Cloud & Applications
Centralized Policy Framework

Functionality: One comprehensive policy engine for every application
Integration: A single vehicle for routing, encryption and policy-driven traffic management
Speed: Policy constructs allowing for target variation and fast updates
Services: Network, security and application services via policy
Centralized Policy Framework

Topology and VPN membership:
• Control Policy
• VPN Membership Policy

Traffic rules:
• App-Aware Routing Policy
• Data Policy (traffic data)
• cFlowd

Local policy:
• Local Control Policy (routing policies: OSPF/BGP)
• Local Data Policy (QoS, ACL etc.)

Flow: policy is defined centrally and pushed to vSmart over Netconf, where it is held in volatile storage (~policy RIB) and distributed to the WAN Edges via OMP; device configuration templates are pushed into the device configuration over Netconf.
Centralized Policy Framework

Sessions between a WAN Edge and the controllers:
• vSmart: permanent session
• vBond: temporary session
• vManage: permanent session

Between WAN Edges (data plane):
• Periodic: NAT poke-a-hole packets
• BFD session establishment to all known TLOCs
Centralized Policy Framework

Color restrict example: two WAN Edges, each with TLOCs over two transports.

Scenario 1 (Internet + MPLS): T1, T3 = Internet color; T2, T4 = MPLS color.
Scenario 2 (Internet1 + Internet2): T1, T3 = Internet1 color; T2, T4 = Internet2 color.

In both diagrams the same-color pairs are T1-T3 and T2-T4; the cross-color pairs are T1-T4 and T2-T3.

Color restrict will prevent any attempt to establish an IPsec tunnel to TLOCs with a different color.
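The pairing rule behind the color-restrict diagrams, as an added Python example (not Cisco's code and not part of the talk): a TLOC is modelled as (system IP, color, restrict flag), and a tunnel is attempted between TLOCs of different routers unless at least one side is restricted and the colors differ. System IPs, the color names (biz-internet, public-internet, mpls) and the site counts are constructed for the example; other factors that govern tunnel formation in a real deployment, such as NAT type, are left out because the slides do not cover them.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Tloc:
    """Transport locator: one WAN Edge's attachment to one transport.
    `color` labels the transport; `restrict` is the per-TLOC flag that limits
    tunnel formation to TLOCs of the same color."""
    system_ip: str
    color: str
    restrict: bool = False

    @property
    def name(self) -> str:
        return f"{self.system_ip}/{self.color}"


def tunnel_allowed(a: Tloc, b: Tloc) -> bool:
    """An IPsec tunnel (and its BFD session) is attempted between TLOCs of two
    different routers unless either side is restricted and the colors differ."""
    if a.system_ip == b.system_ip:
        return False            # a router never tunnels to its own TLOCs
    if a.color != b.color and (a.restrict or b.restrict):
        return False            # color restrict blocks cross-color tunnels
    return True


def expected_tunnels(tlocs):
    """Set of unordered TLOC pairs that will try to bring up IPsec + BFD."""
    return {frozenset((a.name, b.name))
            for a, b in combinations(tlocs, 2) if tunnel_allowed(a, b)}


def slide_scenario(restrict: bool):
    """Two WAN Edges, each with an Internet and an MPLS TLOC, as on the slide
    (T1/T3 Internet color, T2/T4 MPLS color). Addresses are constructed."""
    return [
        Tloc("10.1.0.1", "biz-internet", restrict),   # T1
        Tloc("10.1.0.1", "mpls", restrict),           # T2
        Tloc("10.1.0.2", "biz-internet", restrict),   # T3
        Tloc("10.1.0.2", "mpls", restrict),           # T4
    ]


def full_mesh_tunnel_count(sites: int, colors, restrict: bool) -> int:
    """Tunnels a full mesh needs when every site has one TLOC per color;
    this is the number that drives the IPsec tunnel-scale choice per platform."""
    tlocs = [Tloc(f"10.9.0.{s}", c, restrict)
             for s in range(1, sites + 1) for c in colors]
    return len(expected_tunnels(tlocs))


if __name__ == "__main__":
    for restrict in (False, True):
        pairs = sorted(sorted(p) for p in expected_tunnels(slide_scenario(restrict)))
        print(f"restrict={restrict}: {len(pairs)} tunnels {pairs}")
    for n in (3, 10, 50):
        print(f"{n} sites, 2 colors: mesh needs "
              f"{full_mesh_tunnel_count(n, ['biz-internet', 'mpls'], False)} tunnels, "
              f"{full_mesh_tunnel_count(n, ['biz-internet', 'mpls'], True)} with restrict")
```

With restrict off, the two edges in the slide scenario build four tunnels (including the cross-color T1-T4 and T2-T3); with restrict on, only the two same-color tunnels are attempted, halving the tunnel count on every site pair in a mesh.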
High Availability
High availability at every layer

Management: Horizontally scalable and cross-site redundancy with automatic endpoint failover
Control: Horizontal scale, automatic insertion, multi-homing and failover
Data: L2 + L3 Active+Active redundancy, WAN extension and dynamic routing w/ policy
Headless: Ability to run headless for a configurable and extended time
High Availability
Horizontal Scale Out Model

Orchestration plane (vBond): add vBond Orchestrators to increase vEdge bring-up capacity
Management plane (vManage, multi-tenant or dedicated): create a vManage cluster to accommodate more vEdge routers
Control plane (vSmart, containers or VMs): add vSmart Controllers for more control plane capacity

Data plane (data center, campus, branch, home office over MPLS, 4G/LTE, Internet):
• Choose vEdge platform with appropriate IPsec tunnel scale
• Use control policies to define VPN topologies
High Availability
• vSmart controllers exchange OMP messages and have an identical view of the SD-WAN fabric
• vEdge routers connect to up to three vSmart controllers for redundancy
• No impact as long as vEdge routers can connect to at least one vSmart Controller
• If all vSmart controllers fail or become unreachable, vEdge routers continue operating on the last known good state for a configurable amount of time
  - No changes allowed

(Diagram: control plane of vSmarts above a data plane spanning cloud, data centers, campus, branch, small office and home office over MPLS / 4G / INET.)
High Availability
• Site redundancy: two WAN Edges at the site, one per transport (MPLS, INET), with VRRP toward the site
• Transport redundancy: each WAN Edge attached to both MPLS and INET, with OSPF/BGP toward the site
• Network/headend redundancy: multiple data center headends reachable over MPLS and INET
• Control redundancy: multiple vSmart controllers reachable over both MPLS and INET
SaaS and Multi-Cloud & Applications

Integration: A single SD-WAN domain allowed to extend to multiple IaaS and SaaS providers
Policy: Similarity in path selection, policy, ops and troubleshooting
SLA: Supported both On-Net and Off-Net with on-path monitoring
Orchestration: Existing management platform includes IaaS/SaaS support
SaaS and Multi-Cloud
Applications moved to not one cloud, but many

(Diagram: devices & things, campus & branch users and mobile users reach DC/private cloud, SaaS and IaaS across the WAN.)
Cloud Network
• Cloud is not a monolithic single entity
  • AWS
  • Azure
  • GCP
• Each cloud provider runs multiple availability zones
• Workloads are distributed across multiple availability zones
• Private connections through VPN gateways, along with MPLS-based options (ExpressRoute, Direct Connect)
MultiCloud with Cloud onRamp
• Transport Agnostic
• Better Application Experience
• Consistent Security Policy
• Horizontally Scalable
• Automated Deployment

(Diagram: Data Center/CoLo and Remote Site joined by the SD-WAN fabric, managed by vManage and vSmart.)
• Existing data centers are also multisite

• Having the ability to optimally route to application workload is essential for user
experience

• Creating a single fabric regardless of circuit location and transport makes SD-WAN
very critical for cloud adoption

• Due to the fluid nature of the where data, applications, and services reside, along
with a need for a more convergence and availability

• Control plane matters for scale, availability, convergence & security!!


Multi-Cloud onRamp for IaaS

(Diagram) AWS region: host VPCs in AZ1 and AZ2 attach over VPN to VGWs in a Gateway VPC holding a pair of WAN Edges. Azure region: host VNETs in AZ1 and AZ2 attach over VPN to a Gateway VNET holding a pair of WAN Edges. Each gateway pair runs Standard IPsec + BGP (2x) toward the cloud side (separate autonomous systems AS1/AS2), redistributes BGP <-> OMP into the SD-WAN fabric, and reaches the fabric over INET, MPLS, Direct Connect or ExpressRoute. All of it is driven from vManage.
Multi-cloud single fabric convergence
• Any new cloud location bring-up simply connects with two/three controllers
• vManage instantiated and managed
• No control plane bring-up with any existing branches
• Once the new site is authenticated it comes into the network as a new data plane location
• BFD bring-up and a routing update

(Diagram: new zone bring-up in AWS and Azure; vEdge gateways per AZ run Standard IPsec + BGP toward the host VPCs/VNETs and BGP <-> OMP toward the secure SD-WAN fabric; Path 1 / Path 2 across VPN 1, VPN 2 and VPN 3 reach Branch1 and Branch2 over the WAN.)
#CiscoLive © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public
Application Quality of Experience

Application: Performance based on profiles, programmable timers based on long term optimization
Policy: Based on application profiles
SLA: Supported on short term and long term application and circuit performance
Application Quality of Experience
• It's not about mitigating loss, it's about quality of application experience
• Cisco SD-WAN routers use advanced QoS schemes to deliver consistent differentiated service for applications of interest, without relying on opportunistic advantages such as FEC
• Device QoS to prioritize traffic and prevent queue drops for critical applications
• SLA compliant path selection (Application Aware Routing)
• Optimal throughput (automatic path MTU discovery)
• Application aware topologies (shortest path)

Application Quality of Experience
• Currently we let the customer decide the application performance based on profiles
• Our current Application-Aware timers are programmable and we are looking at optimizing them long term
• Most modern UC applications and protocols can operate successfully in sub-optimal network conditions and already incorporate FEC or FEC-like features without relying on the network
• Network-layer FEC is better used for small, important transfers where retransmissions are poorly handled or cause delays (e.g. credit card/ATM)
Application Quality of Experience
• For applications using a modern codec, FEC overhead is duplicated:
  • The codec performs recovery using its own internal overhead
  • Network FEC adds data duplication on top, covering per-packet load sharing
• Multi-layer overhead:
  • Data payload overhead
  • Voice head-end and receiver processing
  • Path termination routers: buffering (latency) and CPU / forwarding
• A single-vehicle FEC strategy is required
Application Quality of Experience
• Path Blackout / Brownout Management

Path quality spectrum (loss) and the mechanism that reacts at each level:
• 100% loss: BFD, 7 s default path-down timeout
• 10-20% consistent loss: FEC loss recovery
• 2-3% loss: Application-Aware Routing (AAR); algorithm tuning via bucket size + bucket count, AAR convergence dependency
• 0% loss

• Three components in complementary working order: BFD + FEC + AAR
• Consider downsides of traffic sloshing vs instant convergence away from brownout

Application Quality of Experience
App Route Algorithm Configuration

• Bucket Size in Packets = app-route poll-interval / hello-interval
  - bfd app-route poll-interval (default 600,000 ms) sets the bucket update frequency
  - bfd hello-interval (default 1000 ms)

• Consider the bucket size (packets) impact on recalculation of the mean:

  Bucket Size (pkts)           600   400   200   100   80    60    40   20   10
  % weight of one lost packet  0.17  0.25  0.50  1     1.25  1.67  2.5  5    10
                               Default            Sweet Spot
  (Loss granularity: finer (+) at larger bucket sizes, coarser (-) at smaller ones)

• Mean Loss / Latency / Jitter is calculated across app-route-multiplier buckets
  - bfd app-route multiplier (default 6) sets the number of buckets
  - Weight of a new bucket relative to the multiplier: 1/6, 1/4, 1/3 etc.
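The arithmetic on these two slides, the BFD path-down timer, the bucket size and loss weight, and the rolling mean over app-route-multiplier buckets that AAR compares against an SLA, as an added Python example (not Cisco's code and not from the talk). The defaults are the values quoted on the slides (hello-interval 1000 ms, BFD multiplier 7, app-route poll-interval 600,000 ms, app-route multiplier 6); the SLA thresholds and the per-bucket measurements in brownout_demo are constructed.

```python
from collections import deque
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class TunnelTimers:
    """Per-tunnel timers; defaults are the values quoted on the slides."""
    hello_interval_ms: int = 1000        # bfd hello-interval
    bfd_multiplier: int = 7              # bfd multiplier: missed hellos before path down
    poll_interval_ms: int = 600_000      # bfd app-route poll-interval (one bucket)
    app_route_multiplier: int = 6        # bfd app-route multiplier (number of buckets)

    def bfd_path_down_ms(self) -> int:
        """100 % loss is declared by BFD after multiplier * hello-interval."""
        return self.hello_interval_ms * self.bfd_multiplier

    def bucket_size_packets(self) -> int:
        """One BFD hello per hello-interval, so a bucket holds
        poll-interval / hello-interval probe packets."""
        return self.poll_interval_ms // self.hello_interval_ms

    def window_minutes(self) -> float:
        """Time span the mean covers: multiplier buckets of poll-interval each."""
        return self.app_route_multiplier * self.poll_interval_ms / 60_000


def loss_weight_pct(bucket_size: int) -> float:
    """Loss percentage contributed by a single lost probe in one bucket."""
    return round(100 / bucket_size, 2)


def loss_weight_table(bucket_sizes):
    """Reproduces the slide's table: bucket size -> % weight of one lost packet."""
    return {n: loss_weight_pct(n) for n in bucket_sizes}


@dataclass(frozen=True)
class Sla:
    max_loss_pct: float
    max_latency_ms: float
    max_jitter_ms: float


class AppRouteStats:
    """Rolling mean of loss/latency/jitter over the last `multiplier` buckets."""

    def __init__(self, timers: TunnelTimers):
        self.timers = timers
        self.buckets = deque(maxlen=timers.app_route_multiplier)

    def add_bucket(self, lost_probes: int, latency_ms: float, jitter_ms: float) -> None:
        size = self.timers.bucket_size_packets()
        if not 0 <= lost_probes <= size:
            raise ValueError(f"lost probes must be within 0..{size}")
        self.buckets.append((100 * lost_probes / size, latency_ms, jitter_ms))

    def current(self):
        """(mean loss %, mean latency ms, mean jitter ms) over the stored buckets."""
        if not self.buckets:
            raise ValueError("no measurements yet")
        loss, lat, jit = zip(*self.buckets)
        return (round(mean(loss), 2), round(mean(lat), 2), round(mean(jit), 2))

    def meets_sla(self, sla: Sla) -> bool:
        loss, lat, jit = self.current()
        return (loss <= sla.max_loss_pct and lat <= sla.max_latency_ms
                and jit <= sla.max_jitter_ms)


def brownout_demo(timers: TunnelTimers = TunnelTimers()) -> dict:
    """Constructed scenario: four clean buckets, then two brownout buckets with
    12 % and 18 % probe loss. The 6-bucket mean dilutes the brownout, which is
    the 'traffic sloshing vs instant convergence' trade-off on the slide."""
    stats = AppRouteStats(timers)
    size = timers.bucket_size_packets()                    # 600 with defaults
    sample = [(0, 40, 2), (0, 40, 2), (0, 40, 2), (0, 40, 2),
              (size * 12 // 100, 60, 8), (size * 18 // 100, 80, 14)]
    voice_sla = Sla(max_loss_pct=2, max_latency_ms=100, max_jitter_ms=10)
    for lost, lat, jit in sample:
        stats.add_bucket(lost, lat, jit)
    return {
        "bucket_size": size,
        "one_lost_packet_pct": loss_weight_pct(size),
        "window_minutes": timers.window_minutes(),
        "mean_loss_latency_jitter": stats.current(),
        "meets_voice_sla": stats.meets_sla(voice_sla),
        "last_bucket_loss_pct": stats.buckets[-1][0],
        "bfd_path_down_s": timers.bfd_path_down_ms() / 1000,
    }


if __name__ == "__main__":
    print(loss_weight_table([600, 400, 200, 100, 80, 60, 40, 20, 10]))
    for key, value in brownout_demo().items():
        print(f"{key}: {value}")
```

Shortening the poll interval (for example to 120,000 ms) shrinks the bucket to 120 probes, so each lost probe weighs 0.83 % and a brownout shows up in the mean within a few minutes instead of an hour, at the cost of more frequent path flips.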
Comprehensive Security

Systemic Multi-layer: Secure SD-WAN architecture coupled with CPE and Cloud Services
Cloud: Complete Cloud-based security with tight integration
Operations: Security management and operations tightly integrated
CPE Services: Complete offering of branch anchored security functions
Building the IRON WAN
CPE Anchored Operations and Services

SD-WAN is a fully functional CPE. Services anchored on it:
• Per Segment Routing
• Branch Segmentation (VPN 1, VPN 2, VPN 3)
• NAT Traversal
• Policy
• Security, including Cloud Security
• Bring-up and Routing
• Voice and Collaboration
• Application Quality of Experience
• Distributed Decision making
• Convergence
• Cloud OnRamp
Cisco Umbrella
Secure Internet Gateway
Secure onramp to the internet, everywhere

Visibility                  | Protection           | Control
On & off corporate network  | DNS-layer security   | URL block/allow lists
All internet & web traffic  | Web inspection       | Port & protocol rules
All apps                    | File inspection      | Content filtering
All devices                 | Threat intel access  | App control

Powered by Cisco Talos threat intelligence
Comprehensive SD-WAN Security
Legacy Networking Security Exposure

(Diagram: employee and point-of-sale networks sending HQ-destined traffic to data center applications and employee internet traffic to the Internet.)

Attack surface: Internet; PoS network; employee network; PCI segmentation
Threat vectors: phishing / malvertising; vulnerable PoS device; vulnerable user endpoint; unpatched OS / apps; infected users
Security tools: Ent. FW; App Aware; IPS
Comprehensive SD-WAN Security
Ubiquitous Connectivity Security Exposure

(Diagram: SD-WAN with VPN1 and VPN2 carrying employee 1 and employee 2 traffic: HQ-destined traffic to data center applications, employee internet traffic to the Internet, employee SaaS traffic to SaaS.)

Attack surface: Internet; employee network; SaaS data storage; IaaS segmentation; employee segmentation
Threat vectors: phishing / malvertising; vulnerable file download; unpatched OS / apps; DDoS; compromised users
Security tools: Ent. FW; App Aware; IPS; AMP; Umbrella; URL Filtering
Integrated Security for Cisco SD-WAN
• Enterprise Firewall
• Intrusion Prevention System
• URL Filtering
• Cloud Security with Umbrella

One security architecture across Viptela and Meraki powered by
Multi-Domain
Scalable Multi-domain Routing

Integration: Insert into existing environment with minimal disruption and operational transition
Stability: Similarity in path selection, policy, ops and troubleshooting
Growth: Readily supports large networks with horizontal scaling
Simplicity: A single vehicle for Routing, Security and Policy
Building the IRON WAN
The Journey to Multi-Domain starts with SD-WAN

Domain integration: Cisco DNA Center (users) <-> Cisco vManage (scalable multi-domain routing, multi-domain policy and integration) <-> Cisco APIC (applications and services)

• Scalable Multi-domain Routing
• Centralized Policy Driven Traffic Management
• High availability at every layer
• Comprehensive Security
• Multi-domain Policy and integration
• SaaS and Multi-Cloud


Q&A
Q: Sorry, did Khalid say 12 hours w/o headend? It should be max. 7 days nowadays
(configurable), isn't it?

A: Yes, it’s configurable.

Q: With transport redundancy with dual routers at a site, does BFD flow across the TLOC, to allow a router to know the performance status of a transport link on another router?

A: Yes, via TLOC extension. BFD is sent across both routers, so you are virtually connected to one transport and physically connected to the other transport.

Q: Is there more detail around micro and macro segmentation?

A: Microsegmentation: the idea is that you have endpoint devices connected to the same VLAN or the same physical interface. For example, you can have your video surveillance camera connected to VLAN 1 along with your physical lock connected to the same VLAN. Although your video camera and lock are on the same VLAN, they are not allowed to connect with each other because they are in different microsegments.
Macrosegment: continuing with our previous example, all the video cameras connected in your branch or campus are monitored by, say, company X. In a particular location you might have 5 video cameras that are allowed to connect with company X only. The traffic of all the cameras is profiled and is only allowed to go to a certain destination. Now you have multiple microsegments (cameras) going through a shared segment to a particular topology decided by the macrosegment at your SD-WAN router. The same happens for all the locks in the same location.
Thank You
