
Cisco SDWAN Deep Dive

Jean-Marc Barozet
Principal Engineer – SDWAN/NFV Technical Marketing
December 2017
AGENDA
• Introduction to Cisco SDWAN
• Solution Overview
• SDWAN Products
• Cisco SDWAN Overlay – 4 Primary Pillars
• Technology Deep-Dive (if interested in the details)
• Components Bring Up (controllers and vEdge devices)
• Fabric Operation
• Segmentation and Service Insertion
• Multicast
• Application Experience and QoS
• Cloud Adoption
• High Availability and Redundancy
• Policy Overview
• Operational Simplicity and Transparency
• Use Case and Deployment Models
• Pricing Structure
• Key Takeaways
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Introduction to Cisco SDWAN
Network as a Platform for Reducing Cost and Complexity While Lowering Risk
• DNA network transformation for WAN
• Uncompromised and secure experience over any connection
Common Business & IT Trends
Evolving WAN Situation
• App content: rich, dynamic, web-based. Applications are moving to the cloud (private and public) and the Internet edge is moving to the remote site.
• App delivery: cloud, SaaS, virtualized.
• App consumption: high-bandwidth apps on mobile and diverse devices. Business mobile devices, BYOD and guest access are expected to strain both the corporate LAN (WiFi) and the WAN.
SD-WAN Enterprise Grade Capabilities
Reducing Cost and Complexity for Agile IT
• Separation of management, control and data planes for scaling
• Redundant management, cloud or on premises
• Zero-touch provisioning in minutes, not days
• Full segmentation support for fast app deployment
• Choice of topologies with point-and-click
• Complete visibility from a single pane of glass

Comprehensive and Flexible to Fit Your Business
• Physical secure routers or virtual secure routers
• CAPEX with annual subscription or enterprise-based agreement
• In-house IT or managed service
Critical Applications SLA
(Diagram: cloud applications, a cloud data center and the corporate data center reached from small office/home office, branch and campus sites over Internet, MPLS and 4G/LTE through an application-aware CPE device.)
Failure modes the application SLA has to survive:
• Single link failure
• All links failure
• Latency
• Data center failure
• Path MTU changes
• Bandwidth oversubscription
• Path brownout
True Enterprise Class SDWAN
• Application policies: application SLA, traffic engineering, per-segment topologies, secure perimeter, cloud path, cloud acceleration, transport hub
• Services delivery platform: routing, security, segmentation, QoS, multicast, service insertion, survivability
• Transport independent fabric: broadband, MPLS, cellular
• Across all layers: analytics, monitoring, operations; zero touch, zero trust
Architectural Constructs Enabling Seamless Transition from Traditional WAN to SD-WAN
Control back to the Enterprise
WAN challenges: application bandwidth requirements, flexibility, simplified operations, disjointed security, cloud consumption, time to capability.
Secure WAN fabric over broadband, MPLS and 4G/LTE (zero touch, zero trust):
• SOFTWARE DEFINED: true separation of control, data and management
• CLOUD: cloud hosted and delivered
• APPLICATION AWARE: visibility and SLA business-intent policy enforcement
• SCALE AND FLEXIBILITY: true enterprise scale
• SECURITY: ingrained authentication, encryption, segmentation, access controls and service chaining
• OPEN: for automation, orchestration, best-of-breed integration
LOWER COSTS
Flexible Connectivity, Lower WAN Costs
(Diagram: a branch connected over MPLS, 3G/4G-LTE and Internet to private cloud, colocation and public cloud.)
• Leverage the local Internet path for public cloud and Internet access
• Secure VPN for private and virtual public cloud access
REDUCE COMPLEXITY
Service Based Traffic Engineering
Service Insertion and Bandwidth Preservation
(Diagram: Site A sends UDP/5001 and UDP/5002 across the virtual fabric. Without service insertion both flows cross MPLS to the data center, where the firewall allows UDP/5001 and denies UDP/5002, so the denied flow has already consumed data center WAN bandwidth. With service insertion a VNF firewall in the regional DC applies "Allow UDP/5001, Deny UDP/5002" before the traffic reaches the data center.)
• Firewall service is inserted into the overlay topology
• Security policy is enforced
• Data center WAN bandwidth is not "wasted"
APPLICATION VISIBILITY
Application Centric Networking
• DPI, policy, SLA
• Decisions per application: transport type (4G/LTE, MPLS, broadband), SLA, cloud, service chain, local/remote breakout
REDUCE RISK
Secure Segmentation
(Diagram: a vEdge cloud router and the corporate data center joined by IPsec tunnels carrying VPN 1, 2, 3 and 4 over Internet, MPLS and 4G/LTE to small office/home office, branch and campus sites.)
• End-to-end segmentation
• Local Internet breakout
• Secure cloud gateway
BETTER USER EXPERIENCE
Cloud Ready WAN
• Secure and resilient IaaS cloud networking from all branches
• Optimized SaaS access and performance visibility
LOWER COSTS
Simplify WAN Management
Easier to deploy and manage:
• Cloud-first management and orchestration
• Zero-touch provisioning
• Troubleshooting with simplified workflows
• Advanced analytics and assurance
From Managed WAN To SDWAN Network-as-a-Service
(Diagram: DNA Center, with policy, automation and analytics driven by intent and context, on top of an intent-based network infrastructure that connects users, devices and things to the DC, vDC, IaaS and SaaS.)
0. Transport independent WAN fabric
1. Cloud delivered WAN with operational simplicity and analytics
2. Superior security architecture, cloud based and on-prem
3. Application QoE
4. End-point flexibility: physical or virtual; rich services or lite; branch, aggregation, cloud
5. Cloud SD-WAN use cases
Cisco Network-as-a-Service Solution Components
Service Provider Careabouts
• Gray, white or black box: an edge device (x86 or appliance) that makes it possible to deliver the solution as a physical or virtual branch offering
• Transport independent fabric: a secure, scalable next-generation overlay over Internet, MPLS and 4G LTE
• Multi-tenant control, management, orchestration and analytics (Cisco NSO + core NG SDWAN function packs): a multi-tenant, cloud-native platform to orchestrate, provision, control and manage tenants
• Virtual Managed Services (VMS) cloud networking: an infrastructure (multi-tenant gateway in the data center, SaaS, IaaS, 3rd party) to deliver OTT value-added services (UC, security, AppEx, analytics)
Solution Overview
Cisco SDWAN
(Architecture diagram.)
• Orchestration plane: vBond. Above it, OSS/BSS, NSO or VMS integrate through the API.
• Management plane: vManage (multi-tenant or dedicated) for management, orchestration and analytics
• Control plane: vSmart (containers or VMs)
• Data plane: vEdge (physical or virtual) at data center, campus, branch and home office
• A secure control channel from every element runs over Internet, MPLS and 4G
Solution Elements Functional Roles
vBond orchestrator
- Primary authenticator for all SDWAN components
- Facilitates discovery of the control elements by the vEdge routers
- Notifies vEdges of their public IP, if behind NAT

vManage is the network management system, a single pane of glass, for the entire SD-WAN fabric

vSmart controllers:
- Distribute reachability and security information between the vEdge routers
- Distribute data and app-route policies from vManage to vEdges. Enforce control policies.
- Perform best-path calculation for non-ECMP routes and advertise the best route to the vEdges (second best too, if configured)

vEdge routers sit at the perimeter of an SD-WAN site and provide connectivity across the fabric. vEdge routers handle the transmission of data traffic.

vEdge routers are offered as a pre-integrated appliance or as a software-only virtual machine for ESXi, KVM, AWS and Microsoft Azure platforms.
Components
(Same architecture diagram: orchestration plane with vBond, management plane with vManage, control plane with vSmart, data plane with vEdge.)
Orchestration Plane: vBond
• Orchestrates connectivity
• First point of authentication
• Requires a public IP address
• Facilitates NAT traversal
• All other components need to know the vBond IP or DNS information
• Authorizes all control connections (white-list model)
• Distributes the list of vSmarts to all vEdges
Control Plane: vSmart
• Centralized brain of the solution
• Establishes OMP peering with vEdges
• Acts like a route reflector
• Enables central control and central data policy creation and distribution:
  - TE
  - Service chaining
  - Hub and spoke
  - Partial or full mesh
• Orchestrates secure data plane connectivity between the edges
Data Plane: vEdge
• WAN edge router of the site
• Leverages traditional routing protocols like OSPF, BGP
• Applies policies on data plane traffic
• Establishes control plane (OMP) peering with vSmart
• Provides a secure data plane
• Either hardware devices or software VNF support
Management Plane: vManage
• Centralized provisioning
• Centralized monitoring
• Simple graphical dashboard
• Supports: REST API, CLI, Syslog, SNMP, NETCONF
Multi-Tenant Orchestration Solution
• Multi-tenant vManage, with one vContainer per customer
• Multi-tenant vBond
• Customer1, Customer2 and Customer3 vEdge routers served by the shared controllers
Controllers
• On-premise: vBond*, vManage, vSmart, vSmart as VMs on ESXi or KVM on a physical server
• Hosted: vBond, vManage, vSmart, vSmart as VMs or containers on AWS or Azure
* vBond can be deployed as a physical vEdge appliance
Solution Offering
1. Gray, white or black box: x86 or 3rd-party edge at the site, reached over Internet, 4G/LTE or the provider's PIP
2. Multi-tenant gateway in the provider data center
3. Existing / home-grown MNS services (e.g. UCaaS), integrated through VMS and NSO
4. Cloud networking: SaaS and IaaS
Multi-tenant control, management and orchestration with analytics sits above all four.
Cisco SD-WAN Platform Options
Providing for flexibility in deployment

Branch SD-WAN
• vEdge 100: 100 Mbps; 4G LTE and wireless
• vEdge 1000: up to 1 Gbps; fixed
• vEdge 2000: 10 Gbps; modular
• vEdge 5000 (NEW): ~30 Gbps; modular

Branch Services
• ISR 1000: 200 Mbps; next-gen connectivity; performance flexibility
• ISR 4000: up to 2 Gbps; modular; integrated service containers; compute with UCS E
• ASR 1000: 2.5-200 Gbps; high-performance service with hardware assist; hardware and software redundancy

Virtualization
• ENCS 5100: up to 250 Mbps
• ENCS 5400: 250 Mbps – 2 Gbps

Public Cloud
Overlay Management Protocol (OMP)
Unified Control Plane
• TCP based extensible control plane protocol
• Runs between vEdge routers and vSmart controllers and between the vSmart controllers
  - Inside TLS/DTLS connections
• Advertises control plane context
• Dramatically lowers control plane complexity and raises overall solution scale
Note: vEdge routers need not connect to all vSmart controllers
Fabric Operation
Fabric Walk-Through
(Diagram: two vEdges, each with service VPN1 and VPN2 learning subnets A, B and C, D via BGP, OSPF, connected and static routes, attached to Transport1 and Transport2 through their TLOCs. IPsec tunnels with BFD run between the vEdges; DTLS/TLS tunnels to the vSmart carry OMP updates and policies.)
OMP update contents:
• Reachability: IP subnets, TLOCs
• Security: encryption keys
• Policy: data/app-route policies
Policy Framework
Centralized and Localized Policies
• vManage pushes device configuration to vSmart and vEdge over NETCONF/YANG
• Centralized policies live on vSmart: centralized control policy (fabric routing), centralized data policy (fabric data plane), centralized app-aware policy (application SLA)
• Centralized data policy and centralized app-aware policy are distributed from vSmart to the vEdges over OMP
• Localized policies live on the vEdge: local control policy (OSPF/BGP), local data policy (QoS/mirror/ACL)
Operations
Simplicity and Visibility
• Single pane of glass operations
• Rich analytics
Cisco SDWAN Products
vEdge Platform Portfolio
• vEdge-100 (SOHO, SMB; 100 M; dual LTE variant): 250 tunnels, 25k routes, 62+2 VPNs
• vEdge-1000 (branch; 1 G): 1500 tunnels, 128k routes, 62+2 VPNs
• vEdge-2000 (head-end aggregation; 10 G): 6000 tunnels, 125k routes, 62+2 VPNs
• vEdge-5000 (higher capacity aggregation; 20 G+): 6000 tunnels, 128k routes, 62+2 VPNs
• vEdge-Cloud (NFV, vCPE; N x cores): 2500 tunnels, 128k routes, 62+2 VPNs
• vEdge-Cloud (IaaS and cloud interconnect; N x cores): 2500 tunnels, 128k routes, 62+2 VPNs
vEdge-1000 and vEdge-2000 Routers
vEdge 1000
§ 1 Gbps AES-256
§ 1RU, standard rack mountable
§ 8x GE SFP (10/100/1000)
§ TPM chip
§ 3G/4G via USB (or) Ethernet
§ Security, QoS
§ Dual power supplies (external)
§ Low power consumption

vEdge 2000
§ 10 Gbps AES-256
§ 1RU, standard rack mountable
§ 4x fixed GE SFP (10/100/1000)
§ 2 pluggable interface modules: 8x 1GE SFP (10/100/1000), 2x 10GE SFP+
§ TPM chip
§ 3G/4G via USB (or) Ethernet
§ Security, QoS
§ Dual power supplies (internal)
§ Redundant fans
vEdge-100 Routers
vEdge 100
§ 100 Mbps AES-256
§ 5x 1000Base-T
§ TPM chip
§ Security, QoS
§ External AC PS
§ Kensington lock
§ Fan-less
§ 9" x 1.75" x 5.5"

vEdge 100m
§ 100 Mbps AES-256
§ 1RU
§ 5x 1000Base-T
§ 1x PoE port
§ 2G/3G/4G LTE
§ Internal AC PS
§ 1x USB-3.0
§ TPM Board-ID
§ Kensington lock
§ Low power fan
§ GPS

vEdge 100mw
§ 100 Mbps AES-256
§ 1RU
§ 5x 1000Base-T
§ 1x PoE port
§ 2G/3G/4G LTE
§ 802.11a/b/g/n/ac
§ Internal AC PS
§ 1x USB-3.0
§ TPM Board-ID
§ Kensington lock
§ Low power fan
§ GPS
vEdge 5000
Campus and Data Center Edge
Platform capabilities:
• 4 Network Interface Module (NIM) slots
• Variety of NIM options: 8x 1G, 4x 10G, 2x 40G
• Feature parity with the Cisco vEdge 2000 platform
ENCS 5000 Series Portfolio
• ENCS5412 (12-core): ISRv + 9-core VNF
• ENCS5408 (8-core): ISRv + 5-core VNF; PoE
• ENCS5406 (6-core): ISRv + 3-core VNF
• ENCS5104 (4-core): ISRv + 2-core VNF; PoE
Status labels on the slide: Shipping Now; Q3 CY17; NEW at CiscoLive 2017 Las Vegas.
Common platform features: LAN ports; NIM LTE, DSL, T1; LTE on radar; HDD, SSD; RAID; hardware crypto.
Network Functions Virtualization Infrastructure
• Orchestration and Management (MANO)
• VNFs: virtual router (ISRv), virtual router (vEdge), virtual firewall (ASAv), virtual wireless LAN controller (vWLC), virtual WAN optimization (vWAAS), 3rd party VNFs
• Network Functions Virtualization Infrastructure Software (NFVIS)
• Hardware: ISR 4000 + UCS-E Series, Enterprise Network Compute Systems (ENCS), UCS C-Series, COTS
vEdge Cloud Virtual Routers
Virtualized Branch or Cloud
• On-premise: vEdge Cloud VMs on ESXi or KVM on a physical server
• Hosted: vEdge Cloud VMs on AWS or Azure
Throughput: 2x vCPU 500 Mb/s; 4x vCPU 1 Gb/s; 8x vCPU 1.5 Gb/s
Controllers
Cloud or On-Premise Delivered
• On-premise: vBond*, vManage, vSmart, vSmart as VMs on ESXi or KVM on a physical server
• Hosted: vBond, vManage, vSmart, vSmart as VMs or vContainers on AWS or Azure
* vBond can be deployed as a physical vEdge appliance
Cisco's Commitment
• Cisco is committed to Viptela's solution and architecture
• Cisco is committed to the existing ISR 4K, ASR1K, ENCS, CSR, IWAN 2.x, and Meraki SD-WAN offerings
• Cisco will commit significant engineering resources to bring next-generation SD-WAN solutions to market
• Cisco will address the broadest set of use cases to deliver successful partner and customer outcomes
Technology Deep Dive

Components Bring Up (Controllers and vEdges)
Zero Touch Provisioning
Plug-n-Play vEdge Secure Bring-up (Zero Trust)
• Administrator: uploads the signed vEdge list (white-list) and the configuration template to vManage
• Installer: connects the vEdge to the network and powers it on; the vEdge obtains an address via DHCP and finds the ZTP server
• Identity and trust: the vEdge presents its TPM-held X.509 identity; vBond and vSmart validate it against the white-list before any configuration is pushed
vEdge and Controllers White-List
• Administrator adds controllers (vSmarts and vBonds) on the vManage
  - Can trigger CSR generation, forwarding to Symantec, retrieval of the signed certificate and installation back into the controllers
• Controllers list is distributed by vManage to all the controllers
• Digitally signed vEdge list is provided by Viptela and uploaded into the vManage by the administrator
  - Downloadable from the Viptela support page
• vEdge list is distributed by vManage to all the controllers
vEdge Appliance – Router Identity
• Each physical vEdge router is uniquely identified by the chassis ID and certificate serial number
• Device certificate is stored in the onboard Tamper Proof Module (TPM) chip
  - Installed during the manufacturing process
  - Certificate is signed by the Avnet root CA
  - Trusted by control plane elements
• Symantec root CA chain of trust (in Viptela software) is used to validate control plane elements
  - Alternatively, if used, an enterprise root CA chain of trust can be used to validate control plane elements; it can be automatically installed during ZTP
vEdge Cloud – Router Identity
• OTP/token is generated by vManage
  - One per (chassis ID, serial number) in the uploaded vEdge list
• OTP/token is supplied to the vEdge Cloud in cloud-init during the VM deployment
• vManage issues a self-signed certificate for the vEdge Cloud after OTP/token validation
  - vManage removes the OTP to prevent reuse
• Symantec root CA chain of trust (in Viptela software) is used to validate control plane elements
  - Alternatively, if used, an enterprise root CA chain of trust can be used to validate control plane elements; it can be provided in cloud-init
Controllers Identity
• Controller identity is provided by the Symantec-issued device certificate
  - Alternatively an enterprise CA can be used. Requires the enterprise root CA chain on all other controllers and vEdge routers
• Avnet root CA chain (in Viptela software) is used to authenticate vEdge routers
• Viptela root CA chain is used to authenticate vEdge Cloud routers
  - Provided by the CA running on each vManage server (could be multiple)
• Symantec root CA chain (in Viptela software) is used to authenticate other controllers
Certificate-Based Trust
• Bi-directional certificate-based trust between all elements, using a public or enterprise PKI
• White-list of valid vEdges (signed vEdge list) and controllers (administrator-defined) held on vManage and distributed to vBond, vSmart and vEdge
• Certificate serial number as unique identification
Secure Control Channel: vEdge Routers
1. Certificates are exchanged and mutual authentication takes place between vBond and vEdge over an encrypted tunnel
2. vBond validates the vEdge router serial number and chassis ID against the authorized vEdge white-list
3. vEdge router validates the vBond certificate organization name against the locally configured one
4. Provisional DTLS tunnel is established between vBond and vEdge
5. vBond returns to the vEdge a list of vSmart controllers and vManage
6. vBond notifies vSmart and vManage of the vEdge router public IP address
7. Provisional DTLS tunnel between vBond and vEdge is terminated
Secure Control Channel: vEdge Connection to vSmart Controller and vManage
1. Certificates are exchanged and mutual authentication takes place between vSmart, vManage and vEdge over an encrypted tunnel
2. vSmart and vManage validate the vEdge router serial number and chassis ID against the authorized vEdge white-list
3. vEdge router validates the vSmart and vManage certificate organization name against the locally configured one
4. Permanent DTLS/TLS tunnel between vSmart, vManage and vEdge is established
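The two check sequences above (vBond first, then every vSmart and vManage) reduce to the same pair of tests run from each side: the controller verifies the vEdge chains to the trusted root and is on the signed white-list, and the vEdge verifies the controller chains to its trusted root and carries the expected Organization name. The following added example, written for this page and not Viptela/Cisco code, models that walk-through. Certificates are plain records, "chain validation" is an issuer-name comparison standing in for X.509 path validation, and every serial, chassis ID and address is constructed.

```python
# Added example (not Viptela/Cisco code): a model of the white-list and organization
# name checks from the two "Secure Control Channel" slides.  Certificates are plain
# records and "chain validation" is an issuer-name comparison, so a real deployment
# would do X.509 path validation instead; root CA names follow the slides, all
# serials, chassis IDs and addresses below are constructed.
from dataclasses import dataclass

CONTROLLER_ROOT = "Symantec Root CA"   # or an enterprise root CA, if that option is used
VEDGE_ROOT = "Avnet Root CA"           # physical vEdge: certificate installed at manufacturing, held in the TPM


@dataclass(frozen=True)
class Cert:
    subject: str
    org: str            # Organization name: the overlay identifier every element must share
    serial: str
    issuer: str         # root that signed it
    chassis_id: str = ""   # populated only on vEdge certificates


def controller_admits_vedge(vedge_cert, whitelist):
    """vBond/vSmart/vManage side: trusted root, then (chassis ID, serial) on the signed vEdge list."""
    if vedge_cert.issuer != VEDGE_ROOT:
        return False, "vEdge certificate not chained to a trusted root"
    if (vedge_cert.chassis_id, vedge_cert.serial) not in whitelist:
        return False, "vEdge not on white-list"
    return True, "ok"


def vedge_accepts_controller(ctrl_cert, local_org):
    """vEdge side: trusted root, then the certificate's Organization must equal the configured one."""
    if ctrl_cert.issuer != CONTROLLER_ROOT:
        return False, "controller certificate not chained to a trusted root"
    if ctrl_cert.org != local_org:
        return False, f"organization mismatch: {ctrl_cert.org!r} != {local_org!r}"
    return True, "ok"


def bring_up(vedge_cert, local_org, whitelist, vbond_cert, vsmart_certs, vmanage_cert, public_ip):
    """Walk the vBond steps, then the vSmart/vManage steps; report where it stops."""
    result = {"failed_at": None, "reason": None, "public_ip": None, "sessions": []}
    # Steps 1-3: mutual authentication over the provisional DTLS tunnel to vBond
    for check, name in ((controller_admits_vedge(vedge_cert, whitelist), "vBond white-list"),
                        (vedge_accepts_controller(vbond_cert, local_org), "vBond org check")):
        ok, why = check
        if not ok:
            result.update(failed_at=name, reason=why)
            return result
    # Steps 5-7: vBond hands over the controller list and the vEdge's public address, then goes away
    result["public_ip"] = public_ip
    for ctrl in [*vsmart_certs, vmanage_cert]:
        ok, why = controller_admits_vedge(vedge_cert, whitelist)   # each controller holds the same signed list
        if ok:
            ok, why = vedge_accepts_controller(ctrl, local_org)
        if not ok:
            result.update(failed_at=ctrl.subject, reason=why)
            return result
        result["sessions"].append(ctrl.subject)      # permanent DTLS/TLS tunnel
    return result
```

The organization-name check is what stops a controller that holds a perfectly valid Symantec certificate for a different overlay from onboarding your vEdges, and the white-list check is what stops a stranger's vEdge from joining yours; both have to hold on every controller, not just vBond.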
Control Plane Sessions
• Secure channel to the SD-WAN controllers (vSmart, vBond, vManage)
• Single extensible control plane
• Operates over DTLS/TLS authenticated and secured tunnels
• OMP: between vEdge routers and vSmart controllers, and between the vSmart controllers
• NETCONF: provisioning from vManage
Sessions shown on the slide:
• vManage – vBond: DTLS only; Viptela primitives; permanent; multiple sessions
• vManage – vSmart: DTLS or TLS; Viptela primitives, NETCONF; permanent; single session
• vSmart – vSmart: DTLS or TLS; Viptela primitives, OMP; permanent
• vEdge – vSmart: DTLS or TLS; Viptela primitives, OMP; permanent; 1 session / vSmart / TLOC
• vEdge – vManage: DTLS or TLS; Viptela primitives, NETCONF; permanent; single session
• vEdge – vBond: DTLS only; Viptela primitives; temporary
Firewall Ports – DTLS (Default: No Port Offset Configured)
vManage (IP1) and vSmart (IP1, IP2), UDP, one base port per core:
Core0 12346, Core1 12446, Core2 12546, Core3 12646, Core4 12746, Core5 12846, Core6 12946, Core7 13046
vBond (IP1): UDP 12346
vEdge: UDP 12346, 12366, 12386, 12406, 12426 (port hopping)
• vBond orchestrators do not support multiple cores. vBond orchestrators always use DTLS tunnels to establish control connections with other Viptela devices, so they always use UDP. The UDP port is 12346.
• The vManage NMSs and vSmart controllers can run on a virtual machine (VM) with up to eight virtual CPUs (vCPUs). The vCPUs are designated as Core0 through Core7. Each core is allocated separate base ports for control connections.
• vBond IPs are not elastic; it is recommended to permit UDP/12346 to/from any for the vEdge.
• vEdges can port hop to establish a connection; it is recommended to permit all 5 UDP ports inbound to all vEdges.
Firewall Ports – TLS (Default: No Port Offset Configured)
vManage (IP1) and vSmart (IP1, IP2), TCP, one base port per core:
Core0 23456, Core1 23556, Core2 23656, Core3 23756, Core4 23856, Core5 23956, Core6 24056, Core7 24156
vBond (IP1): UDP 12346 (vBond is always DTLS)
vEdge: UDP 12346, 12366, 12386, 12406, 12426 (port hopping)
• vBond IPs are not elastic; it is recommended to permit UDP/12346 to/from any for the vEdge.
• vEdges can port hop to establish a connection; it is recommended to permit all 5 UDP ports inbound to all vEdges.
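The port scheme on the two firewall slides is regular enough to generate and audit rather than type by hand: controller cores step by 100 from 12346 (DTLS/UDP) or 23456 (TLS/TCP), vEdge hop ports step by 20 from 12346, and vBond only ever uses UDP/12346. The added example below is written for this page, not Viptela/Cisco code; the port values come from the slides, while the `offset` parameter (the slides only say "no port offset configured") and the rule-tuple format are this example's assumptions.

```python
# Added example (not Cisco/Viptela code): the control-connection port scheme from the
# two firewall slides, turned into a small generator/checker for firewall rules.
# Constants are taken from the slides; the `offset` parameter models the configurable
# port offset the slides mention only by its absence ("no port offset configured"),
# so treat its semantics (added to every base port) as an assumption.

DTLS_BASE = 12346     # UDP, Core0 on vManage/vSmart; the only port vBond ever uses
TLS_BASE = 23456      # TCP, Core0 on vManage/vSmart when TLS is configured
CORE_STRIDE = 100     # Core1 = base + 100, ... Core7 = base + 700
MAX_CORES = 8         # vManage/vSmart VMs run with up to eight vCPUs
HOP_STRIDE = 20       # vEdge port hopping: 12346, 12366, 12386, 12406, 12426
HOP_COUNT = 5


def controller_ports(proto, cores=MAX_CORES, offset=0):
    """Base port per core for a vManage or vSmart, keyed 'Core0'..'Core7'."""
    base = {"dtls": DTLS_BASE, "tls": TLS_BASE}[proto]
    return {f"Core{i}": base + offset + i * CORE_STRIDE for i in range(cores)}


def vedge_hop_ports(offset=0):
    """The five UDP ports a vEdge may hop between when a control connection fails."""
    return [DTLS_BASE + offset + i * HOP_STRIDE for i in range(HOP_COUNT)]


def classify_port(port):
    """Map an observed destination port back to its role, or None if it is not a control port."""
    for proto, base in (("dtls", DTLS_BASE), ("tls", TLS_BASE)):
        delta = port - base
        if delta >= 0 and delta % CORE_STRIDE == 0 and delta // CORE_STRIDE < MAX_CORES:
            return proto, f"Core{delta // CORE_STRIDE}"
    if port in vedge_hop_ports():
        return "dtls", "vedge-hop"
    return None


def firewall_rules(vedge_net, vmanage_ip, vsmart_ips, proto="dtls", cores=MAX_CORES):
    """Allow-list as (l4, src, dst, dport) tuples for a firewall in front of the vEdges.

    Follows the two recommendations on the slide: UDP/12346 to and from *any*
    for the vEdge (vBond addresses are not elastic, so they are not pinned),
    and all five hop ports inbound to the vEdges.  Controller cores get one
    rule each for the configured protocol.
    """
    l4 = "udp" if proto == "dtls" else "tcp"
    rules = [("udp", vedge_net, "any", DTLS_BASE)]                      # vEdge -> vBond (any address)
    rules += [("udp", "any", vedge_net, p) for p in vedge_hop_ports()]  # inbound to vEdge hop ports
    for ctrl in [vmanage_ip, *vsmart_ips]:
        for port in controller_ports(proto, cores).values():
            rules.append((l4, vedge_net, ctrl, port))
    return rules
```

`classify_port` is the piece to keep handy when reading firewall logs: a drop on 12546 is a vEdge trying to reach Core2 of a vSmart or vManage, while a drop on 12406 is a peer trying to reach a vEdge that has hopped to its fourth port.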
Fabric Operation

Viptela Fabric Terminology
• Overlay Management Protocol (OMP) – control plane protocol distributing reachability, security and policies throughout the fabric
• Transport Locator (TLOC) – transport attachment point and next-hop route attribute
• Color – control plane tag used for IPsec tunnel establishment logic
• Site ID – unique per-site numeric identifier used in policy application
• System IP – unique per-device (vEdge and controllers) identifier in IPv4 notation. Also used as Router ID for BGP and OSPF.
• Organization Name – overlay identifier common to all elements of the fabric
• VPN – device-level and network-level segmentation
Software Defined Centralized Control
• Virtual fabric over any transport
• Virtual or physical platforms (vEdge)
• Centralized reachability, security and application policies
• Secure channel to the SD-WAN controllers (vSmart, vBond, vManage): a single extensible control plane operating over DTLS/TLS authenticated and secured tunnels
• Dramatically lowers complexity and increases overall solution scale: each vEdge peers only with the control elements, O(n) control plane complexity, versus the O(n^2) peerings of a legacy full mesh
Overlay Management Protocol (OMP)
• TCP based extensible control plane protocol
• Runs between vEdge routers and vSmart controllers and between the vSmart controllers
  - Inside TLS/DTLS connections
• Leverages address families to advertise reachability for TLOCs, unicast/multicast destinations (statically/dynamically learnt service-side routes), service routes (L4-L7), BFD stats (TE and H-SDWAN) and Cloud onRamp for SaaS probe stats (gateway)
  - Uses attributes
• Distributes IPsec encryption keys, and data and app-aware policies (embedded NETCONF)
Transport Independent Fabric
Transport Locators Advertisement
• Each vEdge advertises its local TLOCs (System IP, Color, Encap) to the vSmarts (default)
• vSmarts advertise the TLOCs to all vEdges* (default), which yields a full-mesh SD-WAN fabric of IPsec tunnels
* Can be influenced by the control policies
Transport Independent Fabric
Transport Locators Colors
• Color – control plane tag used for IPsec tunnel establishment logic
• Example on the slide: each vEdge has T1 and T3 with a public color and T2 and T4 with a private color (public, DMZ and private transports). By default a vEdge attempts tunnels across colors as well: T1–T3, T2–T4, T1–T4, T2–T3.
• Color restrict will prevent attempts to establish IPsec tunnels to TLOCs with a different color
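The restrict rule above is easiest to reason about as a predicate over TLOC pairs. The added example below, written for this page and not Viptela/Cisco code, computes which tunnels a set of TLOCs will try to bring up; the colour names are ones Cisco documents for the product, and treating `restrict` as the only thing that blocks a cross-colour tunnel is this example's simplification.

```python
# Added example (not Viptela/Cisco code): which IPsec tunnels a set of TLOCs attempts,
# given each TLOC's colour and its "restrict" flag.  Colour names below are ones
# documented for the product; all system IPs are constructed.
from itertools import combinations
from dataclasses import dataclass

PUBLIC_COLORS = {"public-internet", "biz-internet", "lte", "default"}
PRIVATE_COLORS = {"mpls", "metro-ethernet", "private1", "private2"}


@dataclass(frozen=True)
class Tloc:
    system_ip: str
    color: str
    encap: str = "ipsec"
    restrict: bool = False      # "restrict" keyword on the tunnel interface


def color_class(color):
    """'public' or 'private' as the slide labels them; unknown colours raise."""
    if color in PUBLIC_COLORS:
        return "public"
    if color in PRIVATE_COLORS:
        return "private"
    raise ValueError(f"unknown colour {color!r}")


def tunnel_allowed(a, b):
    """The slide's rule: restrict on either side blocks a tunnel to a different colour."""
    if a.system_ip == b.system_ip:
        return False                          # a vEdge does not tunnel to itself
    if a.color != b.color and (a.restrict or b.restrict):
        return False
    return True


def tunnel_pairs(tlocs):
    """Set of (tloc, tloc) pairs the fabric will try to bring up (full mesh minus restrictions)."""
    return {tuple(sorted((a, b), key=lambda t: (t.system_ip, t.color)))
            for a, b in combinations(tlocs, 2) if tunnel_allowed(a, b)}


def tunnels_for(tlocs, system_ip):
    """(remote system IP, local colour, remote colour) per expected BFD session of one vEdge."""
    return sorted(
        (b.system_ip, a.color, b.color) if a.system_ip == system_ip else (a.system_ip, b.color, a.color)
        for a, b in tunnel_pairs(tlocs) if system_ip in (a.system_ip, b.system_ip))
```

The `tunnels_for` view is the one to compare against the BFD session table of a vEdge: a session that is expected here but missing usually means a firewall or NAT problem on that colour, and a session present here that you did not expect means a restrict flag is missing.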
Transport Independent Fabric
NAT Traversal
• Full-cone NAT: vEdge1 (IP1:Port1) behind the NAT appears as IP1':Port1 to vBond (NAT detection) and, via OMP, to vEdge2. The mapping accepts traffic from any source, so vEdge2 can reach vEdge1 at IP1':Port1.
• Symmetric NAT: the NAT allocates a separate mapping (IP1':Port1') per destination and accepts only traffic from the peer the mapping was created for (vBond). vEdge2 learns IP1':Port1' but its packets are dropped by the NAT.
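The difference between the two NAT types is easier to see with a small simulation of the mapping table. The following added example is written for this page and is not Viptela/Cisco code; the addresses are constructed and 12346 is the DTLS port from the firewall slides.

```python
# Added example (not Viptela/Cisco code): a toy NAT that shows why the slide's
# full-cone case works and the symmetric case does not.  Addresses and ports are
# constructed; 12346 is the vEdge/vBond DTLS port from the firewall slides.

class Nat:
    """One NAT in front of vEdge1. kind is 'full-cone' or 'symmetric'."""

    def __init__(self, kind, public_ip, first_port=40000):
        self.kind, self.public_ip = kind, public_ip
        self.table = {}               # mapping key -> external port
        self.next_port = first_port

    def outbound(self, src, dst):
        """Translate an outgoing packet; returns the (ip, port) the far end sees."""
        # full-cone: one mapping per internal socket; symmetric: one per (socket, destination)
        key = src if self.kind == "full-cone" else (src, dst)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return self.public_ip, self.table[key]

    def inbound(self, ext, sender):
        """Deliver a packet arriving at external (ip, port) from sender; None means dropped."""
        for key, port in self.table.items():
            if (self.public_ip, port) != ext:
                continue
            if self.kind == "full-cone":
                return key                       # anyone may use the mapping
            internal, peer = key
            if peer == sender:                   # symmetric: only the original peer may
                return internal
        return None


VBOND = ("198.51.100.1", 12346)
VSMART = ("198.51.100.2", 12346)
VEDGE1 = ("10.1.1.1", 12346)        # behind the NAT
VEDGE2 = ("203.0.113.9", 12346)     # public address, no NAT


def nat_traversal(kind):
    """Replay the slide: vEdge1 registers with vBond, vBond learns the post-NAT address,
    vSmart passes it to vEdge2 via OMP, vEdge2 tries to bring up the IPsec tunnel.
    Returns (vbond_reaches_vedge1, vedge2_reaches_vedge1)."""
    nat = Nat(kind, "192.0.2.1")
    learned = nat.outbound(VEDGE1, VBOND)       # NAT detection: what vBond sees
    nat.outbound(VEDGE1, VSMART)                # OMP session; a symmetric NAT allocates a second port
    from_vbond = nat.inbound(learned, VBOND) == VEDGE1
    from_vedge2 = nat.inbound(learned, VEDGE2) == VEDGE1
    return from_vbond, from_vedge2
```

The control plane comes up in both cases, which is why a vEdge behind a symmetric NAT looks healthy in vManage while its data-plane tunnels to other NATed sites never form; the BFD session table, not the control-connection list, is where the failure shows.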
WAN Communication
Traffic Forwarding
• Per-session load sharing (active/active)
• Per-session weighted (active/active)
• Application pinning (active/standby)
• Application-aware routing (SLA compliant)
• Hierarchical multi-hop fabric (through a core) or single-hop fabric
Bidirectional Forwarding Detection (BFD)
• Path liveness and quality measurement detection protocol
  - Up/down, loss/latency/jitter, IPsec tunnel MTU
• Runs between all vEdge and vEdge Cloud routers in the topology
  - Inside IPsec tunnels
  - Automatically invoked after each IPsec tunnel establishment
  - Cannot be disabled
• Uses hello (up/down) interval, poll (app-aware) interval and multiplier for detection
  - Fully customizable per-vEdge, per-color
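BFD feeds two decisions: the hello interval and multiplier decide when a tunnel is declared down, and the per-poll-interval loss, latency and jitter decide whether a tunnel still meets an application's SLA. The added example below, written for this page and not Viptela/Cisco code, computes both from constructed hello samples; the 1 s hello and multiplier 7 defaults are this example's assumptions.

```python
# Added example (not Viptela/Cisco code): BFD-derived path statistics and an
# app-aware routing choice computed from them.  Samples are constructed: one
# entry per BFD hello over a poll interval, the measured round-trip in ms or
# None for a missed hello.  Hello interval 1 s and multiplier 7 are assumed
# defaults for this example.
HELLO_MS = 1000
MULTIPLIER = 7


def bfd_stats(samples):
    """Loss %, mean latency and mean jitter (abs. delta between consecutive hellos)."""
    rtts = [s for s in samples if s is not None]
    loss = 100.0 * samples.count(None) / len(samples)
    if not rtts:
        return {"loss": loss, "latency": None, "jitter": None}
    latency = sum(rtts) / len(rtts)
    jitter = sum(abs(a - b) for a, b in zip(rtts, rtts[1:])) / max(len(rtts) - 1, 1)
    return {"loss": loss, "latency": latency, "jitter": jitter}


def tunnel_down(samples, multiplier=MULTIPLIER):
    """BFD declares the IPsec tunnel down after `multiplier` consecutive missed hellos."""
    missed = 0
    for s in samples:
        missed = missed + 1 if s is None else 0
        if missed >= multiplier:
            return True
    return False


def detection_time_ms(hello_ms=HELLO_MS, multiplier=MULTIPLIER):
    """Worst-case time to notice a dead tunnel with the given timers."""
    return hello_ms * multiplier


def sla_compliant(stats, sla):
    """An SLA class is a dict of upper bounds: loss %, latency ms, jitter ms."""
    return (stats["latency"] is not None and stats["loss"] <= sla["loss"]
            and stats["latency"] <= sla["latency"] and stats["jitter"] <= sla["jitter"])


def app_route(tunnels, sla, preferred_colors=()):
    """Colours that meet the SLA, preferred colours first, then by latency. Empty = no compliant path."""
    scored = [(color, bfd_stats(samples)) for color, samples in tunnels.items()]
    compliant = [(color, st) for color, st in scored if sla_compliant(st, sla)]
    rank = {color: i for i, color in enumerate(preferred_colors)}
    compliant.sort(key=lambda cs: (rank.get(cs[0], len(rank)), cs[1]["latency"]))
    return [color for color, _ in compliant]
```

Note that a tunnel can be up and still unusable for an application: the `biz-internet` samples in the test never trip the multiplier, yet 30% loss takes that colour out of the app-route result. When nothing is compliant the list is empty and the caller has to decide whether to forward anyway, which is the difference between a strict and a non-strict app-route policy.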
Fabric Walkthrough
(Diagram: two vEdges with transport VPN0 attached to Transport1 and Transport2 through their TLOCs, and service VPN1 and VPN2 learning subnets A, B and C, D via BGP, OSPF, connected and static routes. IPsec tunnels with BFD run between the vEdges; DTLS/TLS tunnels to the vSmart carry OMP updates and policies.)
OMP update contents:
• Reachability: IP subnets, TLOCs
• Security: encryption keys
• Policy: data/app-route policies
§ VPN isolation is carried over all transports - https://tools.ietf.org/html/rfc4023
Data Plane Security Encryption
• Each vEdge advertises its local IPsec encryption keys to the vSmart controllers in OMP updates
• Encryption key is per-transport: Key1 (Transport1) and Key2 (Transport2) on the left vEdge, Key1' and Key2' on the right vEdge
• Symmetric encryption keys used asymmetrically: traffic toward a vEdge is encrypted with the keys that vEdge advertised (Keys 1/2 in one direction, Keys 1'/2' in the other)
• AES256-GCM
Data Plane Security Integrity
• vBond discovers the vEdge public IP address, even if it traverses NAT
• vBond communicates the public IP to the vEdge
• vEdge computes the AH value based on the post-NAT public IP
• Packet integrity (+IP headers) is preserved across NAT
Packet layout (bytes): IP 20 | UDP 8 | ESP 36 | Data, encrypted with AES256-GCM and authenticated
Segmentation and Service Insertion
Viptela VPNs
(Diagram: Service VPNs (VPNn) with LAN-side interfaces, the Transport VPN (VPN0) with MPLS and INET interfaces, and the Management VPN (VPN512) with its own interface)
• VPNs are isolated from each other, each VPN has its own forwarding table
• vEdge router allocates a label to each of its service VPNs and advertises it as a route attribute in OMP updates
  - Labels are used to identify the VPN in incoming packets
Secure Segmentation
(Diagram: on the ingress vEdge, interfaces and VLANs are mapped into VPN1, VPN2 and VPN3; all three are carried over the SD-WAN IPSec tunnel and mapped back to interfaces and VLANs on the egress vEdge)
§ VPN isolation is carried over all transports - https://tools.ietf.org/html/rfc4023
Packet layout (bytes): IP (20) | UDP (8) | ESP (36) | VPN label (4) | Data (...)
• Segment connectivity across the fabric without reliance on the underlay transport
• vEdge routers maintain a per-VPN routing table
• Labels are used to identify the VPN for destination route lookup
• Interfaces and sub-interfaces (802.1Q tags) or a mix of both are mapped into VPNs
Application Aware Topologies
Arbitrary VPN Topologies
(Diagram: VPN1 Full-Mesh, VPN2 Hub-and-Spoke, VPN3 Partial Mesh, VPN4 Point-to-Point)
• Each VPN can have its own topology
  Full-mesh, hub-and-spoke, partial-mesh, point-to-point, etc.
• VPN topology can be influenced by leveraging control policies
  Filtering TLOCs or modifying the next-hop TLOC attribute for routes
• Applications can benefit from the shortest path, e.g. voice takes the full-mesh topology
• Security compliance can benefit from a controlled connectivity topology, e.g. PCI data takes the hub-and-spoke topology
Multi-Topology
• Arbitrary per-VPN topology
• Topology reflects desired traffic forwarding patterns, e.g. voice and video full-mesh, business apps hub-and-spoke
• vSmart controls VPN topology through control plane advertisements
• vEdge routers can participate in multiple topologies at the same time
(Diagram: vSmart controllers push App Policies over the control plane to vEdge routers participating in several overlapping topologies)
Single Service Insertion
• vEdge router with connected L4-L7 service makes advertisement
  - Service route OMP address family
  - Service VPN label
• Service is advertised in a specific VPN
• Service can be L3 routed or L2 bridged
• Service can be singly or dually connected (Firewall trust zones) to the advertising vEdge
• Control or data policies are used to insert the service node into the matching traffic forwarding path
  - Match on 6-tuple or DPI signature
  - Applied on ingress/egress vEdge
(Diagram: vSmart sends the Policy Advertisement* over the control plane; the Regional Hub with a connected FW in VPN1 sends the Service Advertisement; VPN1 traffic from the Remote Office (MPLS, INET, 4G) toward the Data Center takes the traffic path through the FW at the Regional Hub)
* For data policy only. Control policy enforced on vSmart.
Multiple Services Chaining
• vEdge routers with connected L4-L7 services make advertisements
  - Service route OMP address family
  - Services VPN labels
• Services are advertised in a specific VPN
• Services can be L3 routed or L2 bridged
• Services can be singly or dually connected to the advertising vEdges
• Control or data policies are used to insert the service nodes into the matching traffic forwarding path
  - Match on 6-tuple or DPI signature
  - Applied on ingress/egress/service vEdge
(Diagram: vSmart sends the Policy Advertisement* over the control plane; the Regional Hub with a connected FW and IDS in VPN1 sends the Service Advertisements; VPN1 traffic from the Remote Office (MPLS, INET, 4G) toward the Data Center is chained through FW and IDS at the Regional Hub)
* For data policy only. Control policy enforced on vSmart.
Multicast
Streaming Content Distribution
Multicast Traffic
§ vEdges interoperate with IGMP v1/v2 and PIM on the service side
§ vEdges advertise receiver multicast groups using OMP
§ vEdge Replicators replicate the multicast stream to receivers
§ Multicast is encapsulated in point-to-point tunnels
(Diagram: the Sender and RP sit in the Data Center; Receiver Branches signal membership with IGMP/PIM; vEdges send OMP updates to the vSmart controllers; Replicators in the SD-WAN Fabric deliver the multicast stream to the receiver branches. Control plane and multicast stream shown separately.)
Application Experience and QoS
Application Recognition
Deep Packet Inspection Engine
• App 1, App 2, ... App 3,000 recognized on the vEdge router
Primary Use Cases:
- Application visibility
- Application Firewall
- Traffic prioritization
- Transport selection
(Diagram: vEdge routers at Small Office, Home Office, Campus and Branch connect over MPLS, INET and 3G/4G to the Data Center and the Cloud Data Center)
Transport SLA Monitoring
Path Quality Detection
(Diagram: the vEdge router sends a BFD probe every Hello Interval (ms); probes are grouped into Poll Intervals (ms); the App-Route Multiplier (n) spans n poll intervals)
• Each vEdge router generates a BFD packet every "hello" interval for path quality (and liveliness) detection
• BFD packets are generated for each transport individually. Timers can be adjusted for quicker detection.
• Poll interval determines the average path quality measurement (loss, latency, jitter)
• App-route multiplier determines the average path quality measurement across the poll intervals
Critical Applications SLA
Application Aware Routing
§ By default, without any local or centralized data policies, Cisco SDWAN performs flow-based load sharing across all transports available between the vEdge routers
§ With Policies:
  Enforce SLA compliant path for applications of interest
  Other applications will follow active/active behavior across all paths
(Diagram: vManage holds the App Aware Routing Policy "App A path must have latency <150ms and loss <2%", which the vSmart controllers push over the control plane. Three IPSec tunnels run between the two vEdges: Path 1 Internet (10ms, 0% loss), Path 2 MPLS (200ms, 3% loss), Path 3 4G LTE (140ms, 1% loss). App A is steered onto Path 1.)
Optimal Network Utilization for App Traffic
Path MTU Discovery
§ Automatic and proactive Network Path MTU Discovery leveraging the BFD protocol
§ Support for Host Path MTU Discovery
§ Automatic MSS adjust for TCP traffic
  Can also be manually configured
§ IP ICMP Unreachable (type 3, code 4)
(Diagram: two vEdges with IPSec tunnels over Transport1 and Transport2; Network Path MTU Discovery runs inside the tunnels, Host Path MTU Discovery end to end between the hosts)
Example
App Policy applied with DSCP EF, preferred path MPLS, rest is default
- Simulation with DSCP 0 (default)
- Simulation with DSCP 46 (EF), preferred path MPLS
(Screenshots of the two simulation results)
Differentiated Services
Quality of Service
(Diagram: traffic flow through the vEdge router: Ingress Interface -> Traffic Classification (Voice, Business, Best Effort) -> Queue Mapping (Q0 to Q7) -> Queue Scheduling -> IPSec -> Egress Interface. The inner TOS/DSCP bits are copied into the outer header.)
Queue 0 is strict priority
Localized Data Policy (QoS) Configuration
Step 1: Configure forwarding classes and mapping to output queues
  policy
   class-map
    class best-effort queue 3
    class bulk-data queue 2
    class critical-data queue 1
    class voice queue 0

Step 2: Configure the QoS scheduler forwarding classes
  policy
   qos-scheduler be-scheduler
    class best-effort
    bandwidth-percent 20
    buffer-percent 20
    scheduling wrr
    drops red-drop
   !
   qos-scheduler bulk-scheduler
    class bulk-data
    bandwidth-percent 20
    buffer-percent 20
    scheduling wrr
    drops red-drop
   !
   qos-scheduler critical-scheduler
    class critical-data
    bandwidth-percent 40
    buffer-percent 40
    scheduling wrr
    drops red-drop
   !
   qos-scheduler voice-scheduler
    class voice
    bandwidth-percent 20
    buffer-percent 20
    scheduling llq
    drops tail-drop

Step 3: Define QoS Map by grouping QoS Schedulers.
  policy
   qos-map MyQoSMap
    qos-scheduler be-scheduler
    qos-scheduler bulk-scheduler
    qos-scheduler critical-scheduler
    qos-scheduler voice-scheduler

Step 4: Apply the QoS map to the egress interface
  interface ge0/1
   qos-map MyQoSMap
Localized Data Policy (QoS) Configuration
Step 5: Define an Access List to Classify Data Packets into appropriate Forwarding Classes
  policy
   access-list MyACL
    sequence 10
     match
      dscp 46
     !
     action accept
      class voice
     !
    !
    sequence 20
     match
      source-ip 10.1.1.0/24
      destination-ip 192.168.10.0/24
     !
     action accept
      class bulk-data
      set
       dscp 32
      !
     !
    !
    sequence 30
     match
      destination-ip 192.168.20.0/24
     !
     action accept
      class critical-data
      set
       dscp 22
      !
     !
    !
    sequence 40
     action accept
      class best-effort
      set
       dscp 0
      !
     !
    !
    default-action drop

Step 6: Apply the Access List to an Interface
  vpn 10
   interface ge0/0
    access-list MyACL in
   !
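As an added example (not code from the deck or from Cisco), the following Python evaluator applies the MyACL access list from Step 5 with the sequential, first-match semantics and default-action drop shown above, and maps the chosen forwarding class to its output queue from Step 1. The packets are constructed, and `Packet`, `AclSequence`, `AccessList` and `Verdict` are hypothetical names.

```python
# Added example, not from the Cisco deck: evaluate a Viptela-style localized
# data policy (access-list) against constructed packets. Sequences are walked
# in ascending order, the first match decides, and unmatched packets get the
# default-action. Class-to-queue mapping mirrors Step 1 of the deck.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Step 1: forwarding class -> output queue (queue 0 is strict priority / LLQ)
CLASS_TO_QUEUE = {"voice": 0, "critical-data": 1, "bulk-data": 2, "best-effort": 3}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dscp: int


@dataclass(frozen=True)
class AclSequence:
    number: int
    dscp: Optional[int] = None              # match dscp <n>
    source_ip: Optional[str] = None         # match source-ip <prefix>
    destination_ip: Optional[str] = None    # match destination-ip <prefix>
    action: str = "accept"                  # action accept | drop
    forwarding_class: Optional[str] = None  # class <name>
    set_dscp: Optional[int] = None          # set dscp <n>

    def matches(self, pkt: Packet) -> bool:
        """All configured match conditions must hold; a sequence with no
        match conditions (like sequence 40 on the slide) matches everything."""
        if self.dscp is not None and pkt.dscp != self.dscp:
            return False
        if self.source_ip and ip_address(pkt.src) not in ip_network(self.source_ip):
            return False
        if self.destination_ip and ip_address(pkt.dst) not in ip_network(self.destination_ip):
            return False
        return True


@dataclass(frozen=True)
class Verdict:
    sequence: Optional[int]         # matching sequence number, None if default-action
    action: str
    forwarding_class: Optional[str]
    queue: Optional[int]
    dscp: int                       # DSCP the packet leaves with


@dataclass(frozen=True)
class AccessList:
    name: str
    sequences: tuple
    default_action: str = "drop"

    def evaluate(self, pkt: Packet) -> Verdict:
        for seq in sorted(self.sequences, key=lambda s: s.number):
            if not seq.matches(pkt):
                continue
            if seq.action == "drop":
                return Verdict(seq.number, "drop", None, None, pkt.dscp)
            dscp = pkt.dscp if seq.set_dscp is None else seq.set_dscp
            queue = CLASS_TO_QUEUE.get(seq.forwarding_class) if seq.forwarding_class else None
            return Verdict(seq.number, "accept", seq.forwarding_class, queue, dscp)
        # No sequence matched: the policy's default-action applies.
        return Verdict(None, self.default_action, None, None, pkt.dscp)


# MyACL as shown in Step 5 of the deck.
MY_ACL = AccessList("MyACL", (
    AclSequence(10, dscp=46, forwarding_class="voice"),
    AclSequence(20, source_ip="10.1.1.0/24", destination_ip="192.168.10.0/24",
                forwarding_class="bulk-data", set_dscp=32),
    AclSequence(30, destination_ip="192.168.20.0/24",
                forwarding_class="critical-data", set_dscp=22),
    AclSequence(40, forwarding_class="best-effort", set_dscp=0),
))

# Same list without the catch-all sequence 40, to show default-action drop.
MY_ACL_NO_CATCHALL = AccessList("MyACL", MY_ACL.sequences[:3])


if __name__ == "__main__":
    for pkt in (Packet("10.1.1.5", "192.168.10.7", 46),   # voice wins over sequence 20
                Packet("10.1.1.5", "192.168.10.7", 0),    # bulk-data, remarked to DSCP 32
                Packet("10.2.2.2", "172.16.0.1", 10)):    # best-effort via sequence 40
        print(pkt, "->", MY_ACL.evaluate(pkt))
```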
Application Optimization
TCP Performance Optimization
(Diagram: Users - vEdge - SD-WAN Fabric - vEdge - Servers. TCP connections from the users are terminated on the first vEdge, carried as optimized TCP connections (Cubic) across the high latency path, and re-originated toward the servers by the second vEdge.)
• High latency path between users and servers, i.e. geo-distances
• vEdge routers terminate TCP sessions and provide local acknowledgements to prevent TCP windowing from reacting
• Selective acknowledgements prevent unnecessary retransmit of the successfully received segments
• Hosts using old TCP/IP stacks will see the most benefit
Cloud Adoption
Direct Internet Access
• Can use one or more local DIA exits or backhaul traffic to the regional hub through the SD-WAN fabric and exit to the Internet from there
  - Per-VPN behavior enforcement
• VPN default route for all traffic DIA or data policy for selective traffic DIA
• Network Address Translation (NAT) on the vEdge router only allows response traffic back
  - Any unsolicited Internet traffic will be blocked by IP table filters
• For performance based routing toward SaaS applications use Cloud onRamp
(Diagram: Remote Site with local exits via ISP1 and ISP2, Regional Data Center with exit via ISP3, Data Center, all connected over MPLS and the SD-WAN Fabric)
Cloud Ready WAN
(Diagram: two Secure SD-WAN Fabrics, each connecting Data Center, Small Office, Home Office, Branch and Campus. Left: Cloud On-Ramp IaaS extends the fabric to a Cloud Data Center. Right: Cloud On-Ramp SaaS reaches Cloud Applications.)
Cloud onRamp for SaaS
• Optimized Connectivity to SaaS Applications across DIA, DC and Regional exits
• Continuous Network Health-checks
• Automatic selection of Optimized Path
(Diagram: Microsoft Office 365 reachable via Express Route, Equinix Cloud Exchange or Direct Internet Access; Regional DCs; vManage Platform; vEdge routers at Branch and DC over MPLS and INET)
Cloud onRamp for SaaS
SaaS Optimization
(Diagram: two cases. Internet DIA: the Remote Site probes loss/latency toward the application over ISP1 and ISP2 directly. Hybrid DIA: the Remote Site over MPLS and the SD-WAN Fabric also has exits at the Regional Hub and the Data Center via ISP1/ISP2, and Application Quality Probing runs on every candidate path.)
IaaS Deployment
• WAN to Cloud Extension
• Branch to Cloud Connectivity
• Single WAN Network across Branch, DC & Cloud
• Secure Connectivity to applications
• Multi-Cloud / Multi-Region connectivity
• Carrier Independent hybrid transport
• User – Application Visibility
(Diagram: IaaS Instances behind a vEdge gateway; vManage Platform; vEdge routers at Branch and DC over MPLS and INET)
Cloud onRamp for IaaS – Attached Compute
• vEdge router is instantiated in Amazon VPCs or Microsoft Azure VNETs
• Posted in marketplace
• Use Cloud-Init for ZTP
• One vEdge router per VPC/VNET
• No multicast support, can't form VRRP
• No router redundancy
• vEdge router joins the fabric and all fabric services are extended to the IaaS instances, e.g. multipathing, segmentation and QoS
• For multipathing can combine AWS Direct Connect or Azure ExpressRoute with direct internet connectivity
(Diagram: a vEdge gateway inside each Compute VPC/VNET; vManage Platform; vEdge routers at Branch and DC over MPLS and INET)
Cloud onRamp for IaaS – Gateway VPC/VNET
• A pair of vEdge routers is instantiated in an Amazon VPC or Microsoft Azure VNET
• Gateway VPC/VNET
• A pair of standards based IPSec tunnels is stretched from the gateway VPC/VNET to each host VPC/VNET
• Connectivity redundancy
• BGP is established across the IPSec tunnels for route advertisement
• Bi-directional BGP/OMP redistribution on the gateway VPC/VNET vEdge routers
• Entire process is automated through a vManage workflow
(Diagram: Gateway VPC/VNET with the vEdge pair; standard IPSec tunnels carrying BGP to each host VPC/VNET; vManage Platform; vEdge routers at Branch and DC over MPLS and INET)
Cloud On-Ramp for IaaS – AWS Details
• Gateway VPC instantiated by vManage
• Customer workload resides in spoke VPCs. No change required
• Share transport (Direct Connect and Internet) & vEdge Gateways across multiple spoke VPCs in a region
• Leverage AWS components (IGW, VGW, VPC router) for redundancy. Fast failover times.
(Diagram: an AWS Region with a vManage instantiated and managed Gateway VPC holding two vEdge GWs in AZ1 and AZ2, reached through an IGW (Internet) and a VGW (Direct Connect). Each Spoke VPC (VGW, VPC router R, AZ1/AZ2) runs a standard IPSec overlay to the vEdge GWs.)
Cloud Security with Zscaler
• vEdge router creates a GRE tunnel to one or more Zscaler Enforcement Nodes (PoPs)
  - Redundant PoPs, redundant ISPs
• Eliminates backhaul of traffic destined to Internet and cloud applications
• Provides advanced security services
  - Can inspect SSL encrypted data, requires installation of the Zscaler root certificate on the hosts
• Cloud onRamp for SaaS can choose the path across the best performing Zscaler Enforcement Node (PoP) for selected SaaS applications
(Diagram: Remote Site with GRE tunnels over ISP1 and ISP2 to POP1 and POP2, where Exploits, Malware, ATP and Botnets are filtered; Regional Data Center and Data Center connected over the SD-WAN Fabric)
High Availability and Redundancy
Site Redundancy - Routed
§ Redundant pair of vEdge routers operate in active/active mode
§ vEdge routers are one or more Layer 3 hops away from the hosts
§ Standard OSPF or BGP routing protocols are running between the redundant pair of vEdge routers and the site router
§ Bi-directional redistribution between OMP and OSPF/BGP and vice versa on the vEdge routers
§ Site router performs equal cost multipathing for remote destinations across the SD-WAN Fabric
  - Can manipulate OSPF/BGP to prefer one vEdge router over the other
(Diagram: SD-WAN Fabric - vEdge A and vEdge B - OSPF/BGP - Site Router - Host)
Site Redundancy - Bridged
§ vEdge routers are Layer 2 adjacent to the hosts
  - Default gateway for the hosts
§ Virtual Router Redundancy Protocol (VRRP) runs between the two redundant vEdge routers
  - Active/active when using multigroup
§ VRRP Active vEdge responds to ARP requests for the virtual IP with its physical interface MAC address
§ In case of failover, the new VRRP Active vEdge router sends out gratuitous ARP to update the ARP table on the hosts and the MAC address table on the intermediate L2 switches
(Diagram: SD-WAN Fabric - vEdge A (VRRP Active) and vEdge B (VRRP Standby) - Host)
Transport Redundancy - Meshed
§ vEdge routers are connected to all the transports
§ When a transport goes down, vEdge routers detect the condition and bring down the tunnels built across the failed transport
  - BFD times out across tunnels
§ Both vEdge routers still draw the traffic for the prefixes available through the SD-WAN fabric
§ If one of the vEdge routers fails, the second vEdge router takes over forwarding the traffic in and out of the site
  - Both transports are still available
(Diagram: two vEdge routers at the Site Network, each connected to both MPLS and INET)
Transport Redundancy – TLOC Extension
• vEdge routers are connected only to their respective transports
• vEdge routers build IPSec tunnels across the directly connected transport and across the transport connected to the neighboring vEdge router
• Neighboring vEdge router acts as an underlay router for tunnels initiated from the other vEdge
• If one of the vEdge routers fails, the second vEdge router takes over forwarding the traffic in and out of the site
• Only the transport connected to the remaining vEdge router can be used
(Diagram: two vEdge routers at the Site Network, one connected to MPLS, the other to INET, linked to each other)
TLOC Extension Configuration
(Diagram: br1-vedge1 ge0/0 100.65.51.1/24 toward MPLS, br1-vedge2 ge0/0 via DHCP toward INET; the two routers are linked ge0/2 10.5.51.51/24 - 10.5.51.52/24 (preference 100) and ge0/3 10.5.52.51/24 - 10.5.52.52/24)

br1-vedge1:
  vpn 0
   interface ge0/0
    description MPLS tunnel
    ip address 100.65.51.1/30
    tunnel-interface
     encapsulation ipsec
     color mpls restrict
     max-control-connections 1
     [service list]
    !
   interface ge0/2
    description INET tunnel
    ip address 10.5.51.51/24
    tunnel-interface
     encapsulation ipsec
     color biz-internet restrict
     max-control-connections 1
     [service list]
    !
   interface ge0/3
    ip address 10.5.52.51/24
    tloc-extension ge0/0
    no shutdown
   !
   ip route 0.0.0.0/0 100.65.51.2
   ip route 0.0.0.0/0 10.5.51.52

br1-vedge2:
  vpn 0
   interface ge0/0
    description INET tunnel
    ip dhcp-client
    nat
    !
    tunnel-interface
     encapsulation ipsec
     color biz-internet restrict
     max-control-connections 1
     [service list]
    !
   interface ge0/2
    ip address 10.5.51.52/24
    tloc-extension ge0/0
    no shutdown
   !
   interface ge0/3
    description MPLS tunnel
    ip address 10.5.52.52/24
    tunnel-interface
     encapsulation ipsec
     color mpls restrict
     max-control-connections 1
     [service list]
    !
   ip route 0.0.0.0/0 10.5.52.51

Slide annotations:
- Add route to reach br1-vedge2 mpls tunnel end-point (next hop is br1-vedge1's MPLS-facing ge0/0 address): ip route 10.5.52.52/32 100.65.51.1
- Do not forget NAT (on br1-vedge2 ge0/0, the INET interface)
Control Redundancy - vSmart
§ vSmart controllers exchange OMP messages between themselves and they have an identical view of the SD-WAN fabric
§ vEdge routers connect to up to three vSmart controllers for redundancy
§ Single vSmart controller failure has no impact, as long as there is another vSmart controller the vEdge routers are registered with
§ If all vSmart controllers fail or become unreachable, vEdge routers will continue operating on a last known good state for a configurable amount of time (GR timer)
  - No updates to reachability
  - No IPSec rekey
  - No policy changes propagation
(Diagram: vSmart controllers in the Cloud Data Center; control plane and data plane over MPLS, INET and 3G/4G to the Data Center, Small Office, Home Office, Campus and Branch)
Control Redundancy - vManage
§ vManage servers form a cluster for redundancy and high availability
§ All servers in the cluster act as active/active nodes
  - All members of the cluster must be in the same DC / metro area
§ For geo-redundancy, vManage servers operate in active/standby mode
  - Not clustered
  - Database replication between sites is needed
§ Loss of all vManage servers has no impact on fabric operation
  - No policy changes
  - No stats collection
(Diagram: vManage Cluster in the Cloud Data Center; management plane and data plane over MPLS, INET and 3G/4G to the Data Center, Small Office, Home Office, Campus and Branch)
Policy Framework
Policy Framework
Centralized and Localized Policies
(Diagram: vManage pushes Device Configuration over NETCONF/YANG to both vSmart and vEdge.
Centralized Policies, provisioned on vSmart: Centralized Control Policy (Fabric Routing), Centralized Data Policy (Fabric Data Plane), Centralized App-Aware Policy (Application SLA).
Localized Policies, provisioned on vEdge: Local Control Policy (OSPF/BGP), Local Data Policy (QoS/Mirror/ACL).
vSmart advertises the Centralized Data Policy (Fabric Data Plane) and the Centralized App-Aware Policy (Application SLA) to the vEdge over OMP.)
Centralized and Localized Policies
• The Cisco SDWAN policy software design provides a clear separation between centralized and localized policies. Centralized policy is provisioned on the centralized vSmart controllers and the localized policy is provisioned on vEdge routers

• With Localized Data policy, also called an access list, you can provision QoS to:
  - Classify incoming data packets into multiple forwarding classes based on importance.
  - Spread the forwarding classes across different interface queues.
  - Schedule the transmission rate or weights for each queue

• With Centralized policies on vSmart controllers:
  - Centralized Control policies affect routing policy to influence routing decisions on the vEdge routers. This type of policy allows you to set preferences for the routes or paths on the vSmart controller and is reflected in forwarding tables on the vEdge routers.
  - Application-Aware routing policies select the best path for a given application based on SLA requirements. These requirements include latency, packet loss, and jitter. Application-aware routing policies are configured on vSmart controllers and are enforced by vEdge routers.
  - Centralized Data policies are used for traffic classification, DSCP marking, path selection, service insertion, policing, etc. Data policies are configured on vSmart controllers and enforced by vEdge routers.
Policy Driven WAN Infrastructure
Policy Augmented Dynamic Routing
1. vManage GUI – Policy Orchestration
   Control Policy: Routing and Services
   App-Route Policy: App-Aware SLA-based Routing
   Data Policy: Extensive Policy-based Routing and Services
   Combine and Apply per Site
2. vSmart controller – Policy Enforcement/Advertisement
   Execute Control Policy
   Advertise AAR/Data Policies to Sites
3. vEdge WAN router (Branch/DC, Access Layer)
   Execute AAR and Data Policy as received
   Dynamic Routing and Policies Combine to dictate behavior
Packet Flow Through the vEdge Router
(Diagram: the packet path is numbered 1 to 6 from the Service VPN to the Transport VPN, through the stages below)
Service VPN side:
- Local Policy / Configuration: Policer, Admission Control, Classification, Marking
- Centralized Data Policy: Policer, Admission Control, Classification, Marking / Remarking, Path Selection
- Routing / Forwarding
- Centralized Application Aware Routing Policy: path selection based on SLA
Transport VPN side:
- Local Policy, Shaping and ACL: Shaping, Re-marking, Policer, ACL
- Scheduling and Queuing: LLQ, WRR, RED
Centralized (vSmart) Policy Architecture
• vSmart Policies consist of these building blocks:
  - Lists used for defining targets of policy application or matching
  - Policies controlling aspects of control and forwarding
    Control Policy, Application Aware Policy, Data Policy, cflowd-template, vpn-membership-policy
  - Policy Application to control towards what a policy is applied
    Site-oriented and defined by a site-list
vEdge Routing Policy Architecture
• Routing Policies are traditional routing policies
• Attached to BGP or OSPF locally on the vEdge
• Used in the traditional sense for controlling BGP and OSPF
  Information exchange, Attributes, Path Selection
vSmart Policy Construction
Lists:
• data-prefix-list – list of prefixes for use with a data-policy
• prefix-list – list of prefixes for use with any other policy
• Site-list – list of site-id:s for use in policy and apply-policy
• Tloc-list – list of tloc:s for use in policy
• Vpn-list – list of vpn:s for use in policy
• Colors – list of colors for use in policy
• SLAs – SLA definitions
Policy Definition:
• Control Policies affect overlay routing
• Application Aware Routing policy is used in conjunction with SLAs to steer traffic
• Data policies provide VPN level policy based routing
Policy Application:
• An apply directive is used in conjunction with site lists to enable specific policies at specific locations

Centralized policy definition configured on vManage and enforced across the entire network
vSmart Policy Construction - Lists
  lists
   data-prefix-list app1
    ip-prefix 1.1.1.1/32
    port 100
   !
   prefix-list pfx1
    ip-prefix 1.1.1.1/32
   !
   site-list site1
    site-id 100
   !
   tloc-list site1_tloc
    tloc 1.1.1.1 color mpls
   !
   vpn-list vpn1
    vpn 1
   !
  !
• application-list used in data-policy to define specific applications for traffic matching and policy actions
• data-prefix-list used in data-policy to define prefix and upper layer ports in various combinations for traffic matching
• prefix-list used in control-policy to define prefixes for RIB matching
• site-list used in control-policy and apply-policy to match source sites or define sites for policy application
• tloc-list used in control-policy to define tlocs for RIB matching and to apply redefined tlocs to vroutes
• vpn-list used in control-policy to define prefixes for RIB matching, in data-policy and app-route-policy to define VPNs for policy application
vSmart Policy Construction – Policies
  policy
   policy-type <name>
    vpn-list <vpn-list>
    sequence <n>
     match <route|tloc|vpn|other>
     !
     action <accept|reject|drop>
      <attribute> <value>
     !
    !
    default-action <reject|accept>
   !
  !
• Policy definition dictates the type of policy and the appropriate syntax
• VPN-list used by data-policy and app-route-policy to list the VPNs for which the policy is applicable
• Sequence defines each sequential step of the policy, set by sequence number
• Match decides what entity to match on in the specific policy sequence
• Action determines the action for the preceding match statement
• Default-action is the action to take for any entity that was not matched in any sequence of the policy (set to reject by default)
vSmart Policy Construction – Policy Application
  apply-policy
   site-list <name>
    control-policy <name> <in|out>
   !
   site-list <name>
    data-policy <name>
    vpn-membership <name>
   !
  !
• Site-list determines to which sites a given policy is applied
• Direction applies only to control-policies
• Policy Type and Name refer to an already configured policy to be applied towards the sites specified in the site-list for the section
vSmart Policy Example
  apply-policy
   site-list site1
    control-policy prefer_local out
   !
  policy
   lists
    site-list site1
     site-id 100
    tloc-list prefer_site1
     tloc 1.1.1.1 color mpls preference 400
   !
   control-policy prefer_local
    sequence 10
     match route
      site-list site1
     !
     action accept
      set
       tloc-list prefer_site1
      !
     !
    !
   !
  !
Slide annotations:
- apply-policy: apply the defined policy towards the sites in the site-list
- lists: define the lists required for apply-policy and for use within the policy
- control-policy: define the actual policy to be applied; the lists previously defined are used within the policy
Note: Items listed as presented in node configuration. The order in which elements are configured should be lists, control-policy then apply-policy.
vSmart Policy Processing
• Policies are processed sequentially. Order is important!
• When a match occurs, the matched entity is subject to the configured action
of the sequence and is then no longer subject to continued processing.
• Any entity not matched in a sequence is subject to the default action for the
policy.
• Any node will make use of any and all available routing information
• In a multi-vSmart deployment, every vSmart acts independently to
disseminate information to other vSmarts and vEdges
• vManage acts as the entity to ensure all vSmarts are synchronized.

1. Control Policies
• Control policies are executed on vSmarts to influence overlay
routing.
• Control Policies are used to enable the following services:
• Service Chaining
• Traffic Engineering
• Extranet VPNs
• Service path affinity
• Arbitrary VPN Topologies
• Control Policy is a powerful tool for any type of path construction
that simplifies policy operations by being centrally managed.
Centralized Control Policy: Inbound vs. Outbound
• Inbound Policy: determines which routes are installed in the local routing database of the vSmart controller.
• Outbound Policy: applied AFTER a route is retrieved from the routing database, but BEFORE the vSmart controller advertises it.
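As an added example (not code from the deck or from Cisco), the following Python model shows a vSmart applying a control policy inbound versus outbound with the sequential, first-match processing described above, reusing the deck's prefer_local example (site-list site1 = site-id 100, tloc-list prefer_site1 = TLOC 1.1.1.1 color mpls preference 400). The OMP routes and the other site numbers are constructed, and the policy is applied outbound toward a constructed branch site 200 rather than toward site1 as on the slide, so that the effect on what that site receives is visible; `ToyVsmart`, `OmpRoute`, `Tloc` and `ControlSequence` are hypothetical names.

```python
# Added example, not from the Cisco deck: a toy vSmart that applies centralized
# control policies inbound (before routes enter its database) and outbound
# (after retrieval, before advertisement). Routes, prefixes and site numbers
# other than the deck's site-id 100 are constructed.
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Tloc:
    ip: str
    color: str
    preference: int = 0


@dataclass(frozen=True)
class OmpRoute:
    vpn: int
    prefix: str
    site_id: int      # originating site
    tloc: Tloc        # next-hop TLOC


@dataclass(frozen=True)
class ControlSequence:
    """One 'sequence <n>' of a control-policy that matches routes by site-list."""
    number: int
    site_list: Optional[frozenset] = None   # None: no site-list, matches any route
    action: str = "accept"                  # accept | reject
    set_tloc: Optional[Tloc] = None         # 'set tloc-list': replace the next-hop TLOC


def run_control_policy(routes: Sequence[OmpRoute], sequences: Sequence[ControlSequence],
                       default_action: str = "reject") -> List[OmpRoute]:
    """Sequential, first-match evaluation; unmatched routes get default_action
    (reject unless configured otherwise, as the deck states)."""
    result = []
    for route in routes:
        verdict, new_route = default_action, route
        for seq in sorted(sequences, key=lambda s: s.number):
            if seq.site_list is None or route.site_id in seq.site_list:
                verdict = seq.action
                if seq.action == "accept" and seq.set_tloc is not None:
                    new_route = replace(route, tloc=seq.set_tloc)
                break   # the matched entity is not processed further
        if verdict == "accept":
            result.append(new_route)
    return result


Policy = Tuple[Sequence[ControlSequence], str]   # (sequences, default-action)


class ToyVsmart:
    def __init__(self) -> None:
        self.rib: List[OmpRoute] = []
        self.inbound: Dict[int, Policy] = {}    # site-id -> policy applied 'in'
        self.outbound: Dict[int, Policy] = {}   # site-id -> policy applied 'out'

    def apply_policy(self, site_list, sequences, direction, default_action="reject"):
        table = self.inbound if direction == "in" else self.outbound
        for site in site_list:
            table[site] = (sequences, default_action)

    def receive(self, from_site: int, routes: Sequence[OmpRoute]) -> None:
        """Inbound policy decides which routes are installed in the vSmart RIB."""
        policy = self.inbound.get(from_site)
        accepted = run_control_policy(routes, *policy) if policy else list(routes)
        self.rib.extend(accepted)

    def advertise(self, to_site: int) -> List[OmpRoute]:
        """Outbound policy rewrites a copy of the RIB for one site; the RIB is unchanged."""
        policy = self.outbound.get(to_site)
        return run_control_policy(self.rib, *policy) if policy else list(self.rib)


def best_tloc(routes: Sequence[OmpRoute], vpn: int, prefix: str) -> Optional[Tloc]:
    """What a receiving vEdge would pick: the highest TLOC preference
    (assumed tie-break: the first route seen)."""
    candidates = [r for r in routes if r.vpn == vpn and r.prefix == prefix]
    return max(candidates, key=lambda r: r.tloc.preference).tloc if candidates else None


# The deck's lists and policy.
SITE1 = frozenset({100})
PREFER_SITE1 = Tloc("1.1.1.1", "mpls", preference=400)
PREFER_LOCAL = [ControlSequence(10, site_list=SITE1, set_tloc=PREFER_SITE1)]


def build_demo() -> ToyVsmart:
    vs = ToyVsmart()
    # Inbound: reject everything site 300 sends, so it never enters the RIB.
    vs.apply_policy([300], [ControlSequence(10, action="reject")], "in")
    # Outbound toward site 200: site1's routes get the preferred mpls TLOC; the
    # rest pass because default-action is set to accept here.
    vs.apply_policy([200], PREFER_LOCAL, "out", default_action="accept")
    vs.receive(100, [OmpRoute(1, "10.0.0.0/24", 100, Tloc("1.1.1.1", "mpls")),
                     OmpRoute(1, "10.0.0.0/24", 100, Tloc("1.1.1.1", "biz-internet"))])
    vs.receive(200, [OmpRoute(1, "10.0.2.0/24", 200, Tloc("2.2.2.2", "mpls"))])
    vs.receive(300, [OmpRoute(1, "10.0.3.0/24", 300, Tloc("3.3.3.3", "mpls"))])
    return vs


if __name__ == "__main__":
    demo = build_demo()
    print("RIB:", demo.rib)
    print("Advertised to site 200:", demo.advertise(200))
```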
2. Application-Aware Routing Policy
• Application-aware routing consists of three components:
  - Identify the applications of interest. To determine which applications are running on vEdge routers, you enable application visibility on these devices. Then you configure an application-aware routing policy on the vSmart controller, which defines the applications of interest and the data plane tunnel performance characteristics required to transmit an application's data traffic. These characteristics are called a service-level agreement (SLA). The controller automatically pushes the policy to the appropriate vEdge routers.
  - Monitor and measure data plane tunnel performance. This is done automatically and continuously by the vEdge routers, by tracking BFD Hello packets. Application-aware routing periodically polls the performance statistics to calculate the packet jitter, latency and packet loss for each tunnel. The default polling interval is good for most network situations, but you can modify it to meet specific business needs.
  - Map application traffic to a specific data plane tunnel. This is done on the vEdge routers, based on the SLA requirements defined in the application-aware routing policy and on the real-time performance of the vEdge routers' data plane tunnels. You can modify how often a vEdge router calculates each tunnel's SLA and determines a tunnel's SLA classification.
Application Aware Routing
• An app-route policy is defined through the following steps:
  - Define the required SLA classes
  - Define the app-route-policy
  - Apply the app-route-policy towards the applicable sites
• The SLA-class defines the required loss, latency and jitter thresholds for the application that is to go via the overlay path
• The app-route-policy defines the traffic that is to belong to a defined class in a fashion similar to a data-policy
• Configuring an app-route-policy includes a reference to a VPN-list to dictate which VPNs will benefit from the policy at the listed sites
Application-Aware Routing Policy Configuration
Step 1: Create a list of sites to which the application-aware routing policy is to be applied
 policy
  lists
   site-list mySites
    site-id 100-200
   !

Step 2: Create SLA classes and the traffic characteristics to apply to matching application data traffic (loss in percent, latency and jitter in milliseconds)
 policy
  sla-class bulk-data-sla
   latency 150
  !
  sla-class critical-data-sla
   loss 5
   latency 150
  !
  sla-class voice-sla
   loss 1
   latency 100
   jitter 5
  !

Step 3: Create lists of applications, IP prefixes, and VPNs to use in identifying application traffic of interest (in the match section of the policy definition)
 policy
  lists
   vpn-list myVPN
    vpn 10
   !
   data-prefix-list approute-Prefixes
    ip-prefix 10.1.0.0/16
   !
   app-list myApps
    app office365
    app salesforce
   !
  !
 !
Application-Aware Routing Policy Configuration
Step 4: Create an application-aware routing policy instance and associate it with a list of VPNs
 policy
  app-route-policy myApproutePolicy
   vpn-list myVPN
  !
 !

Step 5: Within the policy, create one or more numbered sequences of match–action pairs
 policy
  app-route-policy myApproutePolicy
   vpn-list myVPN
    sequence 10
     match
      app-list myApps
     !
     action
      sla-class critical-data-sla preferred-color mpls
     !
    !
    sequence 20
     match
      dscp 46
     !
     action
      sla-class voice-sla preferred-color mpls
     !
    !
    sequence 30
     match
      destination-data-prefix-list approute-Prefixes
     !
     action
      backup-sla-preferred-color public-internet
      sla-class bulk-data-sla preferred-color biz-internet
     !
    !

Step 6: Specify the default action for the policy
 policy
  app-route-policy myApproutePolicy
   vpn-list myVPN
    default-action sla-class bulk-data-sla
   !
  !
 !

Step 7: Apply the policy to a site list
 apply-policy
  site-list mySites
   app-route-policy myApproutePolicy
  !
 !

Sequences are evaluated in order and the first match wins. In sequence 30, backup-sla-preferred-color names the colour to use when no tunnel meets bulk-data-sla; without it, traffic matching a sequence whose SLA no tunnel can meet is forwarded over any available tunnel rather than dropped (unless the strict keyword is configured on the sla-class action).
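The SLA classification and tunnel mapping described above, as an added example that is not Viptela or Cisco code: a simplified Python model of how a vEdge decides which tunnel colours a matching flow may use, given the three SLA classes from the configuration slides and per-tunnel loss, latency and jitter averaged over the polling window. The six-bucket window, the precedence order (preferred colours that meet the SLA, then any compliant colour, then the backup colour, then all tunnels) and the tunnel measurements are this example's assumptions; the measurements are constructed, not taken from the deck.

```python
"""Simplified application-aware routing (AAR) tunnel selection.

Added example: models the three AAR steps on the slides (BFD-derived
tunnel measurements, sla-class thresholds, and a sequence's
preferred/backup colour action).  Not the vEdge implementation.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional, Sequence

# Assumption: an SLA decision looks at the last six polling buckets
# (Viptela's default app-route poll-interval multiplier).
DEFAULT_MULTIPLIER = 6


@dataclass(frozen=True)
class SlaClass:
    """Thresholds from an `sla-class` block; None means 'not constrained'."""
    name: str
    loss: Optional[float] = None     # percent
    latency: Optional[float] = None  # milliseconds
    jitter: Optional[float] = None   # milliseconds


@dataclass(frozen=True)
class Sample:
    """One polling bucket of BFD-derived statistics for a tunnel."""
    loss: float
    latency: float
    jitter: float


@dataclass
class Tunnel:
    color: str
    samples: List[Sample]  # oldest first

    def window(self, multiplier: int = DEFAULT_MULTIPLIER) -> Dict[str, float]:
        """Average the most recent `multiplier` buckets per metric."""
        recent = self.samples[-multiplier:]
        return {
            "loss": mean(s.loss for s in recent),
            "latency": mean(s.latency for s in recent),
            "jitter": mean(s.jitter for s in recent),
        }


def meets_sla(tunnel: Tunnel, sla: SlaClass,
              multiplier: int = DEFAULT_MULTIPLIER) -> bool:
    """A tunnel is compliant when every configured threshold holds over the window."""
    stats = tunnel.window(multiplier)
    for metric in ("loss", "latency", "jitter"):
        limit = getattr(sla, metric)
        if limit is not None and stats[metric] > limit:
            return False
    return True


def eligible_colors(tunnels: Sequence[Tunnel], sla: SlaClass,
                    preferred: Sequence[str] = (), backup: Optional[str] = None,
                    multiplier: int = DEFAULT_MULTIPLIER) -> List[str]:
    """Return the tunnel colours a flow matching this sequence may use.

    Assumed precedence (simplified from vEdge behaviour):
      1. preferred colours that meet the SLA
      2. any colour that meets the SLA
      3. the backup-sla-preferred-color, if configured
      4. all tunnels (the non-strict fallback when nothing meets the SLA)
    """
    compliant = [t.color for t in tunnels if meets_sla(t, sla, multiplier)]
    preferred_ok = [c for c in preferred if c in compliant]
    if preferred_ok:
        return preferred_ok
    if compliant:
        return compliant
    if backup is not None and any(t.color == backup for t in tunnels):
        return [backup]
    return [t.color for t in tunnels]


# The three SLA classes from the configuration slides.
VOICE_SLA = SlaClass("voice-sla", loss=1, latency=100, jitter=5)
CRITICAL_SLA = SlaClass("critical-data-sla", loss=5, latency=150)
BULK_SLA = SlaClass("bulk-data-sla", latency=150)


def _flat(loss: float, latency: float, jitter: float,
          n: int = DEFAULT_MULTIPLIER) -> List[Sample]:
    return [Sample(loss, latency, jitter)] * n


# Constructed measurements (not from the deck): a full window per tunnel.
TUNNELS = [
    Tunnel("mpls", _flat(0.5, 120.0, 3.0)),
    Tunnel("biz-internet", _flat(2.0, 180.0, 8.0)),
    Tunnel("public-internet", _flat(0.0, 90.0, 2.0)),
]

# MPLS whose last two buckets spike: the window average, not the latest
# sample, decides compliance.
DEGRADED_MPLS = Tunnel("mpls", _flat(0.5, 120.0, 3.0, 4) + _flat(0.5, 250.0, 3.0, 2))

if __name__ == "__main__":
    print("voice  ->", eligible_colors(TUNNELS, VOICE_SLA, ["mpls"]))
    print("critical ->", eligible_colors(TUNNELS, CRITICAL_SLA, ["mpls"]))
    print("bulk   ->", eligible_colors(TUNNELS, BULK_SLA, ["biz-internet"], backup="public-internet"))
```

With these constructed numbers, voice traffic preferring mpls still lands on public-internet because mpls misses the 100 ms latency bound, while critical data stays on mpls; a practitioner can replace the sample buckets with values from `show app-route stats` to reason about a real site.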
3. Data Policy - Applications and Services
• Data Policies provide functionality equivalent to traditional policy-based routing.
• Data policies are configured and applied centrally (vSmart), then pushed to the vEdge routers, which enforce the configured policy in the data plane
• Some of the applications enabled by Control Policies can also be enabled by Data Policies, in addition to more traditional policy routing and data-plane bound functions
• A Data policy acts on an entire VPN and is not interface-specific
• Data Policies are used to enable the following services:
 • QoS Classification
 • Service Chaining
 • cflowd
 • NAT
 • Traffic Policing and Counting
 • Transport Selection
 • Traffic Engineering
Centralized Data Policy Configuration
Step 1: Create a list of sites to which the centralized data policy is to be applied
 policy
  lists
   site-list mySites
    site-id 100-200
   !

Step 2: Create lists of IP prefixes and VPNs, as needed
 policy
  lists
   prefix-list myPrefixes
    ip-prefix prefix/length
   !
   vpn-list myVPN
    vpn 1
   !
   app-list myApps
    app office365
    app salesforce
   !

Step 3: Create a data policy instance and associate it with a list of VPNs. Within the policy, create one or more numbered sequences of match–action pairs
 policy
  data-policy myDataPolicy
   vpn-list myVPN
    sequence 10
     match
      app-list myApps
     !
     action accept
      set
       dscp 32
      !
     !
    !

Step 4: Apply the policy to one or more sites in the overlay network
 apply-policy
  site-list mySites
   data-policy myDataPolicy (all | from-service | from-tunnel)
  !
 !

The direction keyword selects which traffic the policy sees on the vEdge router: from-service applies to traffic arriving from the service (LAN) side, from-tunnel to traffic arriving from the overlay tunnels, and all to both.
4. Cflowd flow data collection
• Cflowd flow collection is enabled by means of a vSmart policy
• Capturing and exporting flow data is controlled via two different policies:
 • Cflowd-template for configuring flow cache behaviour and flow export
 • Data-policy for selection of traffic subject to flow data collection
• The Cflowd template is optional; without it, the flow cache in vEdge nodes is managed using default settings and no flow export takes place
• The data-policy can be configured to be very specific or as a general flow collection filter, depending on requirements
• Both components are controlled and distributed from vSmart to ease enablement and configuration
Cflowd Example
 apply-policy
  site-list site100
   data-policy cflowd_data all
   cflowd-template cflowd_temp
  !
 !
 policy
  data-policy cflowd_data
   vpn-list cflowd_vpn
    sequence 10
     match
      protocol 17
     !
     action accept
      cflowd
     !
    !
    default-action drop
   !
  !
  cflowd-template cflowd_temp
   flow-active-timeout 60
   flow-inactive-timeout 60
   collector vpn 100 address 1.1.1.1 port 4739 transport transport_udp
  !
 !
• Data-policy: covers traffic subject to flow data collection (here UDP, protocol 17)
• cflowd-template: manages settings related to cache management and flow export (not mandatory)
• Note that default-action drop in the data policy applies to all traffic in the listed VPNs at site100: every non-UDP flow is discarded, not merely left out of the flow export. Use default-action accept when the policy exists only to select flows for cflowd.
• Flow records are exported as IPFIX over UDP to the collector reached through VPN 100; the export is protected only where that path runs inside the IPsec overlay.
* vpn-list and site-list excluded, please refer to app-route section *
5. VPN Membership Policy
Functionality
• The default behaviour of the SDWAN OMP architecture is to advertise any configured VPN to any node where it is configured
• This automatically establishes connectivity without unnecessary configuration and operational overhead
• However, certain VPNs may be of a sensitive nature such that their membership must be tightly controlled
• The VPN Membership Policy serves to restrict the distribution of VPN information from vSmart to those nodes that are explicitly approved
• Both whitelist and blacklist behaviour can be established
• With a VPN Membership Policy, a node not explicitly allowed to participate in a VPN may have the VPN configured but will only see local connectivity and routing information
VPN Membership Policy Example
 policy
  lists
   site-list sites_1
    site-id site1
    site-id site2
   !
   site-list sites_2
    site-id site3
    site-id site4
   !
   vpn-list sites_1
    vpn 10, 20
   !
   vpn-list sites_2
    vpn 30, 40
   !
  !
  vpn-membership acme_1
   sequence 10
    match vpn-list sites_1
    action accept
   !
   default-action reject
  !
  vpn-membership acme_2
   sequence 10
    match vpn-list sites_2
    action accept
   !
   default-action reject
  !
 !
 apply-policy
  site-list sites_1
   vpn-membership acme_1
  !
  site-list sites_2
   vpn-membership acme_2
  !
 !
• vpn-lists define the VPN match data
• vpn-membership acts as either whitelist or blacklist for VPN filtering; this example is a whitelist, since only the listed VPNs are accepted and default-action reject discards the rest
• apply-policy acts in both directions to determine which VPN(s) are allowed from a given site
• Whitelisting with default-action reject is the safer pattern for sensitive VPNs: a VPN later configured on a vEdge at sites 1 or 2 is not distributed until it is added to the list, whereas a blacklist only blocks what has already been enumerated
Operational Simplicity and Transparency

Single Pane of Glass Operations
vManage GUI
• Intuitive GUI driven operations: management, monitoring and troubleshooting
• Cloud delivered: private, hosted or managed
• Single or multi-tenant
• Role-based access control
• Clustered for scale and high availability
• REST API based
Zero Touch Provisioning
Plug-n-Play vEdge Secure Bring-up (Zero Trust)
[Figure: roles and artefacts in the bring-up. Administrator: vEdge list (white-list) on the ZTP server and vEdge configuration template on vManage. Installer: network (DHCP) and power. Identity: vEdge identity rooted in the TPM with an X.509 certificate. Trust: vSmart and vBond.]
Zero Touch Provisioning – vEdge Appliance
[Figure: ZTP flow between the vEdge appliance (factory default configuration), the ZTP server and the control and policy elements. Recoverable labels, in step order: (1) query ztp.viptela.com; redirect to orchestrator; initial control connection; (4) initial configuration from vManage; (5) full registration and configuration.]
Assumption:
§ DHCP on the transport side (WAN)
§ DNS to resolve ztp.viptela.com*
§ Delivered as-a-Service
* Factory default config
Zero Touch Provisioning – vEdge Cloud
[Figure: ZTP flow for a vEdge Cloud VM. Recoverable labels: (1) cloud-init; NSO provisioning tool (vBranch FP); (2) deploy VM; (3) initial control connection to the control and policy elements; (4) initial configuration from vManage; (5) full registration and configuration.]
Assumption:
§ DHCP on the transport side (WAN)
§ DNS to resolve ztp.viptela.com*
* Factory default config
Application and Performance Visibility
Deep Packet Inspection
• Embedded Deep Packet Inspection
engine
• Application and flow level visibility
for the fabric and individual vEdge
routers
• Centralized statistics and
performance
• Export flow level data (IPFIX) to
external collector

Template-Based Configurations
Centralized Device Configuration Enforcement
• Templates are attached to provisioned
vEdge routers
• Variables are used for rapid bulk
configuration rollout with unique per-
device settings
• Local configuration changes are not
allowed
- Prevents configuration drift

Granular Policies
Centralized Control over Fabric Behavior
• Centralized data, control and application aware routing policies
• Defined on vManage, enforced on vSmart controllers (control policies) or vEdge routers (data and application aware routing policies)
• Individual site, collection of sites or the entire fabric as policy scope
Troubleshooting and Verification
Transparent Operations
• Embedded tools for data plane connectivity verification
• Control plane health verification
• Real-time GUI based troubleshooting
• Full command line interface and Linux shell for expert level troubleshooting
• Alarms for triggered events
Self-Healing
Software Upgrade and Configuration Change
[Figure: two rollback scenarios on a vEdge router. Software upgrade: (1) vManage activates software B while software A is active (C and D also available); (2) the upgrade fails; (3) the router rolls back to software A. Configuration change: (1) vManage attaches a template; (2) connectivity is lost; (3) the router rolls back the configuration.]
Current Orchestration and APIs
[Figure: interfaces exposed by the solution. vManage: REST, NETCONF, Syslog, SNMP, cFlowd*, CLI, for management, monitoring, provisioning and troubleshooting. vSmart: secure control plane to the vEdge routers over 4G/LTE, Internet and MPLS. vEdge routers: secure data plane across data center, campus, branch and home office.]
* http://tools.ietf.org/html/rfc7011
vManage Programmatic Access
REST API Documentation
• API documentation built in: https://vmanage-url/apidocs
• Test calls can be executed directly from the doc page
• API programming documented at:
https://docs.viptela.com/Product_Documentation/Command_Reference/vManage_REST_APIs/vManage_REST_APIs_Overview/Using_the_vManage_REST_APIs
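An added example, not Cisco or Viptela code, of the two calls a script makes first against the REST API above: the form-based login to /j_security_check and GET /dataservice/device, both of which are documented vManage endpoints. The hostname, account, CA-bundle path and the sample device payload are placeholders and constructed data. TLS verification is pinned to a CA bundle rather than switched off, because the JSESSIONID cookie returned by the login is the only thing protecting every later call.

```python
"""Minimal vManage REST client (added example; stdlib only).

Login is the form POST to /j_security_check from the vManage REST API
guide: success is an HTTP 200 with an empty body plus a session cookie,
while a bad password is also HTTP 200 but with the HTML login page.
Hostname, credentials, CA bundle path and the sample payload below are
placeholders, not values from the deck.
"""
import http.cookiejar
import json
import ssl
import urllib.parse
import urllib.request
from typing import Dict, List, Optional


def make_opener(ca_bundle: Optional[str]) -> urllib.request.OpenerDirector:
    """Opener with a cookie jar and TLS verification against `ca_bundle`.

    vManage often ships with a self-signed certificate; add that
    certificate (or the enterprise CA) to the bundle instead of disabling
    verification, which would hand the session cookie and credentials to
    anyone on path.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    return urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()),
        urllib.request.HTTPSHandler(context=ctx),
    )


def login_succeeded(status: int, body: bytes) -> bool:
    """vManage signals a rejected login with an HTML page, not a 4xx."""
    return status == 200 and b"<html" not in body.lower()


def login(opener, base_url: str, username: str, password: str) -> None:
    form = urllib.parse.urlencode(
        {"j_username": username, "j_password": password}).encode()
    req = urllib.request.Request(f"{base_url}/j_security_check",
                                 data=form, method="POST")
    with opener.open(req) as resp:
        if not login_succeeded(resp.status, resp.read()):
            raise PermissionError("vManage rejected the credentials")


def get_json(opener, base_url: str, path: str) -> Dict:
    req = urllib.request.Request(f"{base_url}{path}",
                                 headers={"Accept": "application/json"})
    with opener.open(req) as resp:
        return json.loads(resp.read().decode())


def summarize_devices(payload: Dict) -> List[Dict]:
    """Reduce /dataservice/device output to the fields an operator scans first."""
    return [
        {
            "host": d.get("host-name", ""),
            "system_ip": d.get("system-ip", ""),
            "type": d.get("device-type", ""),
            "reachable": d.get("reachability") == "reachable",
            "version": d.get("version", ""),
        }
        for d in payload.get("data", [])
    ]


def unreachable_hosts(payload: Dict) -> List[str]:
    """Hostnames of devices the controllers currently cannot reach."""
    return [d["host"] for d in summarize_devices(payload) if not d["reachable"]]


# Constructed sample in the shape of a GET /dataservice/device response.
SAMPLE_DEVICE_PAYLOAD = {
    "data": [
        {"host-name": "vmanage", "system-ip": "10.0.0.1", "device-type": "vmanage",
         "reachability": "reachable", "version": "17.2.2"},
        {"host-name": "vedge-br100", "system-ip": "10.0.100.1", "device-type": "vedge",
         "reachability": "reachable", "version": "17.2.2"},
        {"host-name": "vedge-br200", "system-ip": "10.0.200.1", "device-type": "vedge",
         "reachability": "unreachable", "version": "17.2.1"},
    ]
}

if __name__ == "__main__":
    # Placeholders: replace with the real vManage URL, account and CA bundle.
    base = "https://vmanage.example.com"
    opener = make_opener("/etc/ssl/vmanage-ca.pem")
    login(opener, base, "api-readonly", "********")
    for dev in summarize_devices(get_json(opener, base, "/dataservice/device")):
        print(dev)
```

Use a dedicated read-only vManage account for scripts like this, since the same session cookie also authorises configuration changes through the other endpoints.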
Network Automation
Decouple the Lifecycle of Product Services and Network Resource Services
[Figure: OSS/ITIL product and service systems (product/service lifecycle) above a well-defined API; below it, the service orchestration system manages Resource Facing Services (RFS) over physical and virtual networks (network service lifecycle).]
• Decouples the network from OSS/ITIL
• Unlocks agility and flexibility at the Resource Facing Services (RFS) layer
• Enables DevOps at the network/RFS layer
• Network changes and new features can be rolled out continuously during run-time, i.e. DevOps Network
SDWAN MSP Management Options
NSO (single entry point)
[Figure: OSS/BSS → REST/NETCONF → NSO with vBranch CFP and SDWAN CFP (Cisco and 3rd party VNFs) → NETCONF to vManage and to the Cisco ENCS/NFVIS, vEdge and cEdge appliances.]
• NSO single entry point
• NSO (vBranch, vManage NED) to instantiate VNFs (including 3rd party VNFs) and activate vEdge; apply device template
• vManage to configure vEdge
• Reporting and alerts
NSO/vManage Split
[Figure: OSS/BSS - VMS → REST/NETCONF to NSO (vBranch CFP, SDWAN CFP) and REST to vManage; NETCONF from both to the Cisco ENCS/NFVIS, vEdge and cEdge appliances.]
• vManage and NSO entry points (REST APIs)
• vManage improved with NSO (and vBranch, SDWAN, potentially SAE CFP)
• vManage and/or NSO as potential entry point
NSO/vManage Split Gives Flexibility
[Figure: OSS/BSS or VMS → REST/NETCONF → Network Service Orchestrator (NSO) with Core FP (vBranch) and Core FP (SDWAN) → REST → vManage; NETCONF from NSO to the Cisco ENCS/NFVIS router and from vManage to the vEdge and cEdge appliances.]
• NSO and vManage run side by side in separate processes
• NSO and vManage are integrated using APIs (an NSO NED using the vManage REST interface)
• NSO will communicate with all devices involved in the CFP for day0 and dayN configuration. vManage will provide dayN configuration for vEdge
• The vManage UI will have to be extended with the appropriate CFP workflows and send API calls to NSO
Cisco SD-WAN Automation Stack
[Figure: layered stack. (3) VMS Portal/GUI and VMS SIF (Software Integration Framework); (2) Network Service Orchestrator (NSO) with Core FP (vBranch) and Core FP (SDWAN), REST to vManage; (1) vManage, NETCONF to the ENCS/NFVIS router and the vEdge and cEdge appliances.]
1 Viptela vManage: target customer has vEdge appliances without a need for virtual CPE, service orchestration and OSS/BSS from Cisco
2 Extended SD WAN Orchestration: target customer has virtual CPEs, or needs orchestration of devices other than vEdge appliances, without a need for OSS/BSS from Cisco
3 Full Stack SD WAN: target customer needs Cisco OSS/BSS capabilities together with SD WAN
SDWAN Core Function Pack
[Figure: potential SP model. OSS/BSS - VMS → Service Abstraction APIs → Network Service Orchestrator (NSO) with Core FP (vBranch) and Core FP (SDWAN), Cisco and 3rd party VNFs; NEDs (vManage NED and others) → NETCONF → Cisco ENCS/NFVIS appliance and vEdge/cEdge appliance.]
• NSO Core Function Pack
• NSO (vBranch, vManage NED) to instantiate VNFs (including 3rd party VNFs) and activate vEdge; apply device template
• vManage to configure vEdge
• SDWAN FP scope will expand over time
vBranch FP – High Level View of Service Model
[Figure: (1) catalog definition: nfvo catalog → VNFD → VDU deployment; the vEdge VNF descriptor and flavor are defined, and deployment parameters defined. (2) VNFs and service chaining: Branch-infra → Branch-cpe → VNF network, CPE config, VNFD, VDU.]
vEdge Cloud on ENCS SP Datacenter
[Figure: vManage, vSmart and vBond in the SP data center; NSO talks NETCONF to vManage and to the ENCS running NFVIS (PnP, VNFM), which hosts the vEdge.]
• vManage
 • Generate bootstrap information
 • Download vEdge Cloud certified serial numbers (json)
 • Get the unclaimed vEdge Cloud router list from vManage
 • Instruct vManage to generate a bootstrap configuration file
 • Get the bootstrap configuration file for the vEdge Cloud router (cloud-init config file)
• ENCS/NFVIS on-boarding
 • NFVIS boots and creates the basic network infrastructure
 • NFVIS registers to NSO using PnP
 • NSO connects to NFVIS at the branch using NETCONF
• vEdge instantiation
 • NSO registers vEdge Cloud to NFVIS
 • NFVIS pulls vEdge Cloud images / local preparation
 • NSO instructs NFVIS to deploy networks/vEdge Cloud
 • NFVIS deploys vEdge Cloud, loads the bootstrap configuration file, which contains cloud-config (bootstrap) and cloud-boothook (day0) sections, and sets up local vEdge monitoring
• The process is the same for any platform that runs NFVIS
• Day 1 and post Day 1 activities are handled by vManage
NSO with the vBranch Function Pack
On Boarding ENCS/NFVIS
[Figure: NSO (PnP server, Branch-Infra FP) and the ENCS running NFVIS (PnP, VNFM).]
1) ENCS boots and creates the basic network infrastructure
2) NFVIS registration to NSO using PnP (IP + serial + model + capabilities)
3) NFVIS registered to NSO
4) NSO connects to the branch NFVIS (NETCONF); ENCS/NFVIS on-boarded in NSO
NSO with the SDWAN Function Pack
vEdge-Cloud Onboarding process
[Figure: NSO (PnP, Core FP SDWAN Onboarding, Core FP vBranch), vManage and the virtual networks on the ENCS, with steps 1-8 as below.]
• 1) Upload vEdge certified serial numbers onto vManage
• 2) Get the unclaimed vEdge Cloud router list from vManage
• 3) Instruct vManage to:
 – Create a day0 template
 – Attach the day0 template (with variables) to an unclaimed vEdge Cloud router
 – Generate a bootstrap configuration file for the vEdge Cloud router (UUID, token, …)
• 4) Get the bootstrap configuration file for the vEdge Cloud router (cloud-init config file), which contains cloud-config (bootstrap) and cloud-boothook (day0) sections
• 5) VNFs instantiated and loaded with the bootstrap configuration cloud-init file
• 6) NFVIS notifies NSO that the vEdge is alive
• 7) vEdge to Viptela control plane: initial control communication
• 8) vManage installs the certificate into the vEdge Cloud router and syncs up. The vEdge Cloud router is ready for configuration from vManage
The UUID and token in the bootstrap file stand in for the hardware identity a physical vEdge gets from its TPM, so the file should be handled as a credential: deliver it to NFVIS over the authenticated NETCONF session and do not leave copies on shared storage.
SDWAN CFP – Define Service Chain on NFVIS
[Figure: service chain on an ENCS. The networks lan-net, wan-net2 and wan-net connect the 8-port GE switch, the vEdge and ASAv VNFs and the WAN NICs (GE0/1, GE0/0).]

vAnalytics
vAnalytics
[Figure: customer data flows from vManage into the vAnalytics clusters and data lake, then through data correlation and algorithms.]
Data Transfer and Storage; Data Correlation and Algorithms
• Client authenticated and data securely transmitted from vManage to vAnalytics
• Data storage isolation between vAnalytics customers
• No PII (personally identifiable information) is collected
• Only management data (stats, flows) is collected
• All algorithms and visualisation are done on a per-customer basis
• IP addresses are collected for provider look-ups
• Peer benchmarking (future use cases) only on a group basis; no individual customer data used
The IP addresses collected for provider look-ups can themselves qualify as personal data under regimes such as the GDPR, so the "no PII" statement should be checked against the data-protection rules that apply to a given deployment.
The Power of Analytics
Application Centric (Based on DPI/cflowd)
1. Bandwidth Usage:
1. Identification of top sources / top destinations / top application (family)
2. Drill-down into information on a per-Site basis
3. Identification of top sources

2. Application Performance:
1. Application to tunnel-binding and performance information

3. Anomaly Detection:
1. Baseline of Application usage. Anomaly detection based on overall application usage / by
Family / by Site

The Power of Analytics
Network Centric
1. Site Availability (SD-WAN value prop)
 1. List of sites with down-time compared with TLOCs and their down-time
2. Network Availability
 1. List of sites by down-time
 2. Comparison of site down-time vs TLOC down-time (SD-WAN value prop)
 3. Down site count over time, with the ability to drill down into sites and downtimes
3. Site Usage Analysis
 1. Bandwidth consumed by site (top sites)
 2. Drill-down to show historical bandwidth consumption by time
4. Carrier Performance
 1. App-route stats on a per-carrier basis
 2. Ability to drill down on a specific carrier, with visibility into remote carrier connectivity
vAnalytics Dashboard
[Figure: screenshot]
vAnalytics – BW Consumption by Applications
[Figure: screenshot]
vAnalytics – Network Health by Carriers
[Figure: screenshot]
Use Cases and Deployment Models

Viptela Control Deployment
[Figure: the control service (vBond, vManage, vSmart) reached by vEdge routers through NAT/firewall, hosted in one of three places.]
AWS (Viptela cloud)
• Internet transport required
• Viptela managed 24/7
• Viptela auto-provisioned
• Geo-redundancy
• Geo-vicinity
• Currently the most common deployment model
Provider Cloud
• Public or (private) transport possible
• Provider managed
• Provider orchestration
• Redundancy and vicinity as supported by the SP
• Provider value-added services at discretion
On Premise
• Public or private access as per enterprise policy
• Enterprise managed
• Enterprise orchestration
• Redundancy and vicinity as supported by the enterprise
• Typically preferred by security conscious verticals (finance, public sector)

• Data plane never crosses the control layer
• Control deployment is mainly about redundancy and security
• Control plane is latency tolerant
Cisco SD-WAN Control Plane Deployment
Viptela hosted Controllers / Public Cloud
[Figure: controllers in Region 1 and Region 2 (optional/standby vManage) with private IPs behind 1:1 NAT to public IPs, reached over the Internet.]
• Control plane on public Internet only
• Most commonly deployed model
• Supports data plane on other transports (MPLS, leased line, etc.)
Cisco SD-WAN Control Plane Deployment
Hybrid Cloud Controller Deployment
[Figure: controllers in DC/Region 1 and DC/Region 2 (optional/standby vManage) with public IPs and no NAT; BGP towards MPLS, firewall/DMZ towards the Internet.]
• Control plane on MPLS and Internet
• Public IPs are assigned to the controllers
• No NAT is used
• For security compliance, FW/DMZ on the Internet facing side
Cisco SD-WAN Control Plane Deployment
Hybrid Cloud Controller Deployment
[Figure: controllers in DC/Region 1 and DC/Region 2 (optional/standby vManage) with private IPs; BGP and no NAT towards MPLS; NAT plus DMZ/FW with public IPs towards the Internet.]
• Control on MPLS and Internet
• Private IPs on the controllers
• Public IPs are not exposed on MPLS
• NAT/FW facing the Internet
* vBond must have a public IP or sit behind 1:1 NAT
Cisco SD-WAN Control Plane Deployment
Public Cloud Controller Deployment
[Figure: controllers in DC/Region 1 and DC/Region 2, each with a vpn512 management VPN, reached over the Internet; vEdge Cloud routers co-located with the controllers.]
• vEdge Cloud co-exists with the controllers
• vEdge participates in the overlay
• Traffic between the controllers and the NMS systems in the DC (TACACS/RADIUS, syslog server, SNMP server, NMS tools, etc.) goes securely over the overlay tunnels
Cisco SD-WAN Site Deployment
Gateway/DC Site Deployment
[Figure: DC/gateway site with a vEdge (OMP into the SD-WAN overlay over Internet and MPLS) alongside a legacy router (BGP/OSPF towards legacy/MPLS sites).]
• Identify gateway/DC sites providing connectivity between SD-WAN and legacy sites
• Legacy sites talk to each other directly
• SD-WAN sites talk to each other directly
• Legacy router/connectivity is dropped in the DC/gateway sites once migration is complete
Cisco SD-WAN Site Deployment
Remote Site Designs
[Figure: single and dual vEdge branch designs combining Internet, MPLS and LTE transports.]
• Up to 7 transport interfaces per vEdge
• LAN side: static, VRRP, OSPF, BGP
Orchestration/Control/Management Plane Scale
[Figure: the three planes above vEdge routers in data center, campus, branch and home office, connected over 4G/LTE, Internet and MPLS.]
Orchestration Plane (vBond)
• 2000 vEdges per vBond
• Redundancy: add 1-2 vBonds
• Horizontal scale-out model
Management Plane (vManage, multi-tenant or dedicated)
• 2700 vEdges per vSmart
• Redundancy: add 1-2 vSmart
• Horizontal scale-out model
Control Plane (vSmart, containers or VMs)
• 2700 vEdges per vSmart
• Redundancy: add 1-2 vSmarts
• Horizontal scale-out model
Data Plane / IPsec Scale
• vEdge 100 (dual LTE variant on the back): 250 IPsec tunnels, 100 Mbps
• vEdge 1000: 1500 IPsec tunnels, 1 Gbps
• vEdge 2000: 6000 IPsec tunnels, 10 Gbps
The solution is not limited by one individual component. Larger deployments can be handled using:
- Additional vEdge routers to distribute the IPsec scale
- A hierarchical/regionalised design
Large Enterprise with Global Distribution
WAN components connected via overlays from the Viptela SEN utilising Internet, LTE, etc.
• ZTP/Central Config/Policy: done on Viptela
• Connectivity: active-active
• Monitoring/Syslog/NetFlow: done on Viptela, Nagios
• App-Routing/PfR/Service Chain: done on Viptela
• Segmentation: multiple VPNs
• Encryption: built-in, no key management
[Figure: secure control plane over the Viptela SEN; data centers (DC core) in North America, APAC and Europe; stores, field offices and distribution centers with vEdge router, switch and WiFi APs, Ethernet exit (DSL/Cable/LTE/MPLS) and LTE backup; secure data plane across Americas, Asia and Europe.]
Example of a 100-site (Small Enterprise) – Agilent
• vManage ZTP/Central Config/Policy/SW Upgrade: done on Viptela
• Connectivity: active-active
• Monitoring/Syslog/cFlow: HP NNM, Riverbed SteelCentral
• Seamless migration (brownfield): no impact to traffic, migrated to non-migrated
• App-Routing/Circuit Selection: done on Viptela
• Segmentation: single VPN
• Encryption: done on Viptela
• Rapid site bring-up (paradigm shift): order ISP DIA circuits first, then MPLS (if needed)
• Traffic symmetry across regions: done on Viptela
• Split-tunnel: selective 80/443, GRE to ZScaler
• VPN topology: full mesh
• IaaS and SaaS: AWS, SFDC, O365
Site tiers:
• Platinum (dual MPLS, dual broadband)
• Gold (single MPLS, single broadband)
• Silver (dual broadband)
• Bronze (single broadband)
[Figure: secure control plane over the Viptela SEN; data centers (DC core) in North America, APAC and Europe; large, medium and small sites with vEdge router and switch over OBS MPLS and business class Internet; secure data plane across Americas, Asia and Europe.]
Variety of Deployment Models
[Figure: Site A and Site B connected over MPLS and Internet in three models.]
• Side-by-Side: existing router and vEdge at each site
• Hybrid With Fallback: existing router and vEdge at each site
• Full SDWAN: vEdge only at each site, forming a secure virtual fabric of secure tunnels over MPLS and Internet
Pricing Structure

Cisco SDWAN Pricing Model
The Cisco SDWAN pricing model consists of two components
1. Subscription* license (1YR, 3YR and 5YR) for Viptela software, charged per CPE. This cost depends on two factors:
 • Service bandwidth. Slide 5 covers how service bandwidth is calculated.
 • Features: Slide 3 covers feature buckets.
2. Perpetual cost of the Viptela CPE** element.
Perpetual cost of Viptela CPE hardware + subscription cost of Viptela software (includes SD-WAN controller + CPE software) = operational cost of the Viptela solution
*Note: Subscription cost of Viptela software includes the cost of SD-WAN controllers, 24x7x365 Viptela support, next day hardware replacement for Viptela CPE, software upgrades on all components and the cost of hosting the Viptela controllers in the Viptela cloud.
**Note: CPE can be Viptela manufactured or, in the case of virtual CPE, customer/partner provisioned. Cost here implies Viptela CPE only.
Viptela Pricing Tiers
Plus
• Encrypted fabric
• Hub-and-spoke only
• App-aware routing (AAR)
• Split tunnel
[Figure: SD WAN controllers; hub and spokes over MPLS and Internet; AAR; local Internet breakout.]
Pro + DPI
• Plus capability
• Dynamic routing
• E2E segmentation (multiple VPNs)
• Application aware routing with DPI
• Full mesh
[Figure: SD WAN controllers; hub and spokes with dynamic routing; AAR; local Internet breakout (app based); E2E segmentation.]
Enterprise
• Pro + DPI
• CloudExpress
• Analytics
[Figure: as Pro + DPI, plus Analytics and CloudExpress.]

Pricing Tiers - Detailed
[Figure: detailed tier table]
Bandwidth Licensing
Bandwidth entitlement* on a vEdge is the sum of peak bandwidth (either upstream or downstream) across all WAN circuits.
Example: if a 50 Mbps bandwidth license is purchased, the sum of peak circuit bandwidth (either upstream or downstream) across Circuits 1, 2 and 3 must be less than or equal to 50 Mbps.
Bandwidth entitlement also includes
 i. Split tunnel (direct Internet breakout)
 ii. Traffic offloaded to 3rd party cloud services, e.g. zScaler
TLOC extension interface bandwidth is not included in the bandwidth entitlement.
*Note: Entitlement assumes the peak bandwidth usage 95% of the time. This accommodates traffic bursts that might happen.
[Figure: branch vEdge with Circuit 1 (MPLS), Circuit 2 (Internet), Circuit 3 (3G/4G/LTE) and a TLOC extension interface.]
Key Takeaways

SDWAN Rollout and Positioning
Phase 1 – FY18: No Integration
• Deployment scenarios: vManage + vEdge
• Lead motion: vManage with vEdge/ENCS, or Meraki
• Key dates: vEdge on ENCS (x86) = Nov'17; GPL = Feb'18
Phase 2 – 1HFY19: Platform Integration
• Deployment scenarios: vManage + vEdge, ASR/ISR + vEdge SW
• Lead motion: vManage with any EN platform, or Meraki
• Key dates: LA – Mar'18; GA – Jul'18
Phase 3 – 2HFY19: Management Integration
• Deployment scenarios: DNA Center + SD-WAN; vEdge; ISR4K + vEdge SW
• Lead motion: DNA Center with any platform, or Meraki
• Key dates: late 2018
Clarification on SDWAN Terminology
• vEdge: Viptela hardware with all software capabilities as-is
• "SDWAN Enabled ISR": SDWAN enabled IOS XE for ISR4K, ASR, CSR and ISRv. Only the features highlighted in the next slide are included in the SD-WAN image
• ISR: traditional IOS XE with IWAN capabilities, for ISR4K, ASR, CSR and ISRv
Roadmap subject to change
Integration Roadmap
Phase 1 (April 2018)
• SD WAN features (Viptela capabilities): ZTP, App Route Policy, QoS, Cloud OnRamp – IaaS, Segmentation, DIA – Zscaler (GRE only)
• Routing protocols: BGP, OSPF
• Monitoring & troubleshooting: system & interface stats, events, performance monitoring
• IOS capabilities: Zone Based Firewall, Umbrella (DNS whitelisting), EIGRP, NBAR
• Platforms: ISR 4331, ASR 1001-X
• New interfaces: Ethernet, 4G LTE, T1/E1
Phase 2 (July 2018)
• SD WAN features: Cloud OnRamp – SaaS, TLOC Extension, IPv6 service & transport, Service Chaining, Multicast
• Monitoring & troubleshooting: vManage with DPI & Cflowd, Analytics
• IOS capabilities: App QoE, Per-Tunnel QoS, Full NBAR (SD-AVC, custom apps)
• Platforms: 43xx, 44xx, 11xx, ENCS, ASR1xxx, CSR
• New interfaces: xDSL
Phase 3 (Nov 2018)
• SD WAN services: TCP optimizations
• IOS services: DIA with Umbrella connector; UC (SRST, PSTN GW, SIP GW); AppNav controller
• Platforms: all
• New interfaces: all
Cisco Enterprise Routing Portfolio moving forward

Cloud
  CSR 1000V
  • 10 Mbps to 10 Gbps
  • DNA Virtualization
  • Extend enterprise routing, security & management to cloud

  vEdge Cloud
  • 10 Mbps to 100 Mbps
  • Extend overlay to public cloud

Branch
  ISR 800
  • Up to 100 Mbps
  • Fixed and fanless
  • Enterprise-class branch routing with security

  ISR 1000
  • Up to 250 Mbps
  • Fixed and fanless
  • SD-WAN ready
  • Integrated wired & wireless access

  ISR 4000
  • Up to 2 Gbps
  • Modular
  • Integrated container applications
  • Compute with UCS E

  vEdge 100
  • 100 Mbps
  • 4G LTE & Wireless

  vEdge 1000
  • Up to 1 Gbps
  • Fixed

WAN Edge
  ASR 1000
  • 2.5-200 Gbps
  • High-performance service w/ hardware assist
  • Hardware & software redundancy

  vEdge 2000
  • 10 Gbps
  • Modular

Virtual
  ISRv
  • 50 Mbps to 2.5 Gbps
  • Virtual enterprise-class networking
  • Run on x86 compute platform
  • ENFV orchestration & management

  Cisco ENCS
  • Service chaining virtual functions
  • Modular WAN connectivity
  • Open for 3rd party services & apps
MSP: SD-WAN Deployment Options

Deployment Model: Virtual Managed Services (VMS) | Cisco NSO + NG SDWAN FPs | Core

Use Cases: All 3 | Standalone SD-WAN | All 3

Consumption Models: aaS, Cloud, SP managed | Cloud, SP Managed | SP Managed

SP Value Prop:
  VMS: Turnkey services: SDWAN with vBranch supporting additional security and VNF service chains
  Cisco NSO + NG SDWAN FPs: Viptela for pure play SD WAN
  Core: Infrastructure orchestration (Network as a Service) supporting vBranch and NFV provisioning

SP Infrastructure: Service Provider OSS/BSS

End User & Operator Portals: VMS Portal or SP Provided | Viptela Portal or SP Provided | SP Provided

Service Creation and Delivery:
  VMS: VMS Platform – APIs | Ordering | Billing | Tenancy | Analytics | Assurance | Management
  Cisco NSO + NG SDWAN FPs: SP Dev & Integration – Ordering | Billing | Tenancy | Analytics | Assurance | Management
  Core: SP Dev & Integration – Ordering | Billing | Tenancy | Analytics | Assurance | Management

Technology stack:
  Service Orchestration: NSO (optional for VMS), VNF Mgmt, vManage, vSmart, vBond, vOS
  Services Infrastructure: NFVIS, IOS-XE, vEdge VNFs (virtual/physical)
  Data Plane: ENCS, ISR | vEdge, ISR | ENCS, ISR; Converged IOS / vEdge SW (Future) in all three models