Deep Dive
Jean-Marc Barozet
Principal Engineer – SDWAN/NFV Technical Marketing
December 2017
AGENDA
• Introduction to Cisco SDWAN
• Solution Overview
• SDWAN Products
• Cisco SDWAN Overlay – 4 Primary Pillars
• Technology Deep-Dive (if interested in the details)
• Components Bring Up (controllers and vEdge devices)
• Fabric Operation
• Segmentation and Service Insertion
• Multicast
• Application Experience and QoS
• Cloud Adoption
• High Availability and Redundancy
• Policy Overview
• Operational Simplicity and Transparency
• Use Case and Deployment Models
• Pricing Structure
• Key Takeaways
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Introduction to Cisco SDWAN
Network as a Platform for Reducing Cost and Complexity While Lowering Risk
• DNA Network Transformation for WAN
• Uncompromised & Secure Experience Over Any Connection
Common Business & IT Trends
Evolving WAN Situation
• App Content: Applications are moving to the Cloud (private and public); Rich, Dynamic, Web-Based
SD-WAN Enterprise Grade Capabilities
Reducing Cost and Complexity for Agile IT
Figure: SD-WAN fabric connecting Cloud Applications, Cloud Data Center, Corporate Data Center, Campus, Branch, Small Office and Home Office over Internet, MPLS and 4G/LTE; CPE device; application-aware topologies; all-links latency failure; data center failure
Application Policies: Application SLA, Traffic Engineering, Per-Segment Topologies, Secure Perimeter, Cloud Path, Cloud Accel, Transport Hub
Analytics, Monitoring
LOWER COSTS
Flexible Connectivity – Lower WAN costs
Figure: Branch connected over MPLS, Internet and 3G/4G-LTE to Private Cloud, Colocation and Public Cloud
• Leverage local Internet path for public cloud and Internet access
• Secure VPN for private and virtual public cloud access
REDUCE COMPLEXITY
Service Chain, Local/Remote Breakout
Figure: Regional DC firewall inserted in the overlay (Allow UDP/5001, Deny UDP/5002); transports 4G/LTE and Cloud Broadband; Transport Type, SLA
• Firewall service is inserted into the overlay topology
REDUCE RISK
Secure Segmentation
Figure: vEdge Cloud Router in the Data Center and vEdges at the Corporate Data Center, Small Office and Home Office over Internet, MPLS and 4G/LTE; VPN 1, VPN 2, VPN 3 and VPN 4 carried inside IPSec tunnels
• End-to-end segmentation
BETTER USER EXPERIENCE
Figure: Secure SD-WAN Fabric connecting Cloud Data Center, Data Centers, Small Office and Home Office
LOWER COSTS
• Zero-touch provisioning

Figure: DNA Center (Policy, Automation, Analytics) over DC, WAN, IaaS, Apps, Things and Security; transports Internet, MPLS and 4G LTE; SaaS, 3rd Party, vDC, x86, Multi-tenant Gateway, Data Center
Solution elements: Gray, White or Blackbox; Multi-tenant Control, Management, Orchestration and Analytics (Cisco NSO + Core NG SDWAN FPs); Virtual Managed Services (VMS); Cloud networking
• An Edge device that enables to deliver the solution as a physical or virtual branch offering
• Transport independent fabric providing a secure scalable NG overlay
• A multi-tenant, cloud-native platform to orchestrate, provision, control and manage tenants
• An infrastructure to deliver OTT value added services (UC, Security, AppEx, Analytics)
Solution Overview
Cisco SDWAN
Figure: Orchestration Plane (vBond; OSS/BSS, NSO or VMS), Management Plane (vManage), Control Plane (vSmart, containers or VMs), Data Plane (vEdge, physical or virtual)
• vManage is the network management system, a single pane of glass, for the entire SD-WAN fabric
• vSmart controllers:
- Distribute reachability and security information between the vEdge routers
- Distribute data and app-route policies from vManage to vEdges. Enforce control policies.
- Perform best-path calculation for non-ECMP routes and advertise the best route to the vEdges (the second best too, if configured)
• vEdge routers sit at the perimeter of an SD-WAN site and provide connectivity across the fabric. vEdge routers handle the transmission of data traffic.
• vEdge routers are offered as a pre-integrated appliance or as a software-only virtual machine for ESXi, KVM, AWS and Microsoft Azure platforms.
Components
Figure: Orchestration Plane (vBond), Management Plane (vManage), Control Plane (vSmart) and Data Plane (vEdge) connected over INET, MPLS and 4G through secure control channels; API towards OSS/BSS, NSO or VMS
vBond:
• Orchestrates connectivity
• First point of authentication
• Requires public IP address
• Facilitates NAT traversal
• All other components need to know the vBond IP or DNS information
• Authorizes all control connections (white-list model)
• Distributes list of vSmarts to all vEdges
vManage:
• Centralized provisioning
• Centralized monitoring
• Simple graphical dashboard
• Supports: REST API, CLI, Syslog, SNMP, NETCONF
Controllers
On-Premise: vBond*, vManage, vSmart, vSmart (VM)
Hosted: vBond, vManage, vSmart, vSmart (VM)
* Can be deployed as physical vEdge appliance
Solution Offering
Figure: Multi-tenant Control, Management, Orchestration with Analytics (2); Existing / home grown MNS services, e.g. UCaaS, via VMS and NSO (3); Cloud networking – SaaS, IaaS, 3rd Party, DC, X86 (4); Multi-tenant gateway; transports PIP and 4G/LTE
Cisco SD-WAN Platform Options
Providing for flexibility in deployment
Overlay Management Protocol (OMP)
Unified Control Plane
• TCP based extensible control plane protocol
• Runs between vEdge routers and vSmart controllers and between the vSmart controllers
- Inside TLS/DTLS connections
• Advertises control plane context
• Dramatically lowers control plane complexity and raises overall solution scale
Figure: vSmart controllers exchanging OMP with each other and with the vEdges; vEdges advertise TLOCs and subnets over Transport1
Policy Framework
Centralized and Localized Policies
Figure: vManage, NETCONF/YANG, OMP
Cisco SDWAN Products
vEdge Platform Portfolio
Segment | Capacity
SOHO / SMB | 100 M
Branch | 1 G
Head-End Aggregation | 10 G
Higher Capacity Aggregation | 20 G+
IaaS & Cloud Interconnect | N x cores
NFV, vCPE | N x cores
vEdge-1000 and vEdge-2000 Routers
vEdge 1000 vEdge 2000
vEdge-100 Routers
vEdge 100, vEdge 100m, vEdge 100mw
Platform Capabilities:
ENCS5412 – 12-Core
ENCS5408 – 8-Core (NEW)
ENCS5406 – 6-Core
ENCS5104 – 4-Core, PoE
• ISRv + 9 core VNF
• ISRv + 5 core VNF
• PoE
Shipping Now; Q3 CY17; CiscoLive 2017 Las Vegas
Network Functions Virtualization Infrastructure
Virtual Router (ISRv), Virtual Router (vEdge), Virtual Firewall (ASAv), Virtual Wireless LAN Controller (vWLC), Virtual WAN Optimization (vWAAS), 3rd Party VNFs
vEdge Cloud Virtual Routers
Virtualized Branch or Cloud – On-Premise (physical server) or Hosted
VM Throughput:
2x vCPU – 500 Mb/s
4x vCPU – 1 Gb/s
8x vCPU – 1.5 Gb/s
Controllers
Cloud or On-Premise Delivered
On-Premise: vBond, vManage, vSmart, vSmart (VM)
Hosted: vBond, vManage, vSmart, vSmart (VM)
• Cisco is committed to Viptela’s solution and architecture
• Cisco is committed to the existing ISR 4K, ASR1K, ENCS, CSR, IWAN 2.x, and Meraki SD-WAN offerings.
• Cisco will commit significant engineering resources to bring next-generation SD-WAN solutions to market
• Cisco will address the broadest set of use cases to deliver successful partner and customer outcomes
Technology Deep Dive
Components Bring Up (Controllers and vEdges)
Zero Touch Provisioning
Plug-n-Play vEdge Secure Bring-up (Zero Trust)
Figure: Administrator and Installer; ZTP Server and DHCP; vEdge with TPM-held Identity (X.509); Identity and Trust established towards vManage, vSmart and vBond
vEdge and Controllers White-List
• Administrator adds controllers (vSmarts and vBonds) on the vManage
- Can trigger CSR generation, forwarding to Symantec, retrieval and installation of signed CSR back into the controllers
Figure: signed vEdge list distributed to vBond
vEdge Appliance – Router Identity
During Manufacturing
• Each physical vEdge router is uniquely identified by the chassis ID and certificate serial number
• Certificate is stored in onboard Tamper Proof Module (TPM) chip
- Installed during manufacturing process
- Certificate is signed by Avnet root CA
- Trusted by Control Plane elements
• Symantec root CA chain of trust is used to validate Control Plane elements
- Alternatively, if used, Enterprise root CA chain of trust can be used to validate Control Plane elements
- Can be automatically installed during ZTP
Figure: Device Certificate in the TPM chip; Root Chain in Viptela Software
vEdge Cloud – Router Identity
Issued by vManage
• OTP/Token is generated by vManage
- One per (chassisID, serial number) in the uploaded vEdge list
Figure: vEdge Cloud with vBond and vSmart
Secure Control Channel
vEdge Routers
Figure: vEdge with Org Name in its config; vBond holding the list of valid vEdge serial and chassis IDs; provisional DTLS/TLS control tunnel between public IP addresses; vSmart and vManage
1. Certificates are exchanged and mutual authentication takes place between vBond and vEdge over encrypted tunnel
2. vBond validates vEdge Router serial number and chassis ID against authorized vEdge white-list
3. vEdge Router validates vBond certificate organization name against locally configured one
4. Provisional DTLS tunnel is established between vBond and vEdge
5. vBond returns to vEdge a list of vSmart Controllers and vManage
Secure Control Channel: vEdge Connection to vSmart Controller and vManage
Figure: vEdge Router with Org Name in its config; vSmart and vManage each holding the list of valid vEdge serial and chassis IDs; permanent DTLS/TLS control tunnels between public IP addresses; vBond
1. Certificates are exchanged and mutual authentication takes place between vSmart, vManage and vEdge over encrypted tunnel
2. vSmart and vManage validate vEdge Router serial number and chassis ID against authorized vEdge white-list
3. vEdge Router validates vSmart and vManage certificate organization name against locally configured one
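The two control-channel slides above describe mutual checks: the controllers look the vEdge up in the white-list by (chassis ID, serial number), and the vEdge checks the organization name in the controller certificate against its own configuration. The following is an added example, not Viptela or Cisco code, that models those checks offline. The Identity dataclass stands in for the X.509 certificate exchanged over DTLS, and the white-list entries, organization name and function names are all constructed for the example.

```python
"""Added example, not Viptela/Cisco code: a model of the white-list admission
checks in the two "Secure Control Channel" slides.  Identities are plain
dataclasses standing in for the X.509 certificates the real DTLS handshake
exchanges; white-list entries, organization name and function names are
constructed for this example."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """What each side presents in its certificate (constructed stand-in)."""
    org_name: str
    chassis_id: str = ""   # only vEdges carry a chassis ID
    serial: str = ""       # certificate serial number


# White-list as the administrator uploaded it to vManage (constructed values).
VEDGE_WHITELIST = {
    ("VEDGE-1000-CHASSIS-1", "SN-0001"),
    ("VEDGE-100M-CHASSIS-2", "SN-0002"),
}

# Organization name configured locally on the vEdge (constructed value).
LOCAL_ORG_NAME = "example-org"


def controller_check(vedge: Identity, whitelist=VEDGE_WHITELIST):
    """Step 2 on both slides: vBond, vSmart and vManage look the vEdge up by
    (chassis ID, serial number); anything not on the list is refused."""
    if (vedge.chassis_id, vedge.serial) not in whitelist:
        return False, "vEdge not in white-list"
    return True, "ok"


def vedge_check(controller: Identity, org_name=LOCAL_ORG_NAME):
    """Step 3: the vEdge compares the controller certificate's organization
    name with the one in its own configuration."""
    if controller.org_name != org_name:
        return False, f"organization name mismatch: {controller.org_name!r}"
    return True, "ok"


def mutual_auth(vedge, controller, whitelist=VEDGE_WHITELIST, org_name=LOCAL_ORG_NAME):
    """Both directions must pass before a tunnel is kept."""
    ok, why = controller_check(vedge, whitelist)
    if not ok:
        return False, "controller rejected vEdge: " + why
    ok, why = vedge_check(controller, org_name)
    if not ok:
        return False, "vEdge rejected controller: " + why
    return True, "tunnel established"


def bring_up(vedge, vbond, controllers, whitelist=VEDGE_WHITELIST, org_name=LOCAL_ORG_NAME):
    """Steps 1-5 of the first slide, then steps 1-3 of the second: a
    provisional tunnel to vBond, then permanent tunnels to every vSmart and
    vManage that vBond hands back (`controllers`, a list of (name, Identity)).
    Returns (names with an established tunnel, [(name, reason) rejected])."""
    ok, why = mutual_auth(vedge, vbond, whitelist, org_name)
    if not ok:
        return [], [("vBond", why)]          # no list of controllers is returned
    established, rejected = [], []
    for name, ctrl in controllers:
        ok, why = mutual_auth(vedge, ctrl, whitelist, org_name)
        if ok:
            established.append(name)
        else:
            rejected.append((name, why))
    return established, rejected
```

The two failure paths matter for operations: a vEdge that is missing from the white-list never gets the vSmart list from vBond, and a vEdge that is on the list still refuses any controller whose certificate carries a different organization name.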
Control Plane Sessions
• Secure Channel to SD-WAN Controllers (vSmart, vBond, vManage)
• Single extensible control plane
• Operates over DTLS/TLS
• Viptela Primitives
- Permanent
- Multiple Sessions
Figure: vEdge sessions to vManage, vBond (DTLS only) and two vSmarts
Default – No Port Offset
Configured and DTLS
Figure: vEdge behind a Firewall
Viptela Fabric Terminology
• Overlay Management Protocol – Control plane protocol distributing
reachability, security and policies throughout the fabric
• Transport Locator (TLOC) – Transport attachment point and next hop route
attribute
• Color – Control plane tag used for IPSec tunnel establishment logic
• Site ID – Unique per-site numeric identifier used in policy application
• System IP – Unique per-device (vEdge and controllers) IPv4 notation
identifier. Also used as Router ID for BGP and OSPF.
• Organization Name – Overlay identifier common to all elements of the fabric
• VPN – Device-level and network-level segmentation.
Software Defined Centralized Control
• Virtual Fabric over any transport
• Virtual or Physical Platforms (vEdge)
• Centralized reachability, security and application policies
• Secure Channel to SD-WAN Controller (vSmart, vBond, vManage)
- Single extensible control plane
- Operates over DTLS/TLS authenticated and secured tunnels
• Dramatically lowers complexity and increases overall solution scale
Figure: Control Elements and Control Plane (DTLS/TLS); SD-WAN O(n) complexity vs Legacy O(n^2) complexity
Overlay Management Protocol (OMP)
Figure: vSmart peering with vEdges
Transport Independent Fabric
Transport Locators Advertisement
• vEdges advertise their local TLOCs (System IP, Color, Encap) to the vSmarts (Default)
• vSmarts advertise TLOCs to all vEdges* (Default)
• SD-WAN Fabric: Full Mesh
* Can be influenced by the control policies
Figure: Transport Locator (TLOC), OMP, IPSec Tunnel
Transport Independent Fabric
Transport Locators Colors
Figure: vEdges with TLOCs T1–T4 attached to Public, Private and DMZ transports
• T1, T3 – Public Color; T2, T4 – Private Color
• Tunnel pairs shown: T1–T3 and T2–T4 (same color); T1–T4 and T2–T3 (different color)
• Color – Control plane tag used for IPSec tunnel establishment logic
• Color restrict will prevent attempt to establish IPSec tunnel to TLOCs with different color
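The two "Transport Independent Fabric" slides above describe the default TLOC advertisement (vEdges send local TLOCs to vSmart, vSmart reflects them to all vEdges) and the color rule for which tunnels a vEdge then attempts. The following is an added example, not Viptela or Cisco code, that models both steps: a reflector that stands in for vSmart with no control policy, and the color/restrict decision per TLOC pair. The TLOC tuples, vEdge system IPs and helper names are constructed.

```python
"""Added example, not Viptela/Cisco code: TLOC advertisement through a
vSmart stand-in and the color/restrict tunnel rule from the two "Transport
Independent Fabric" slides.  TLOC values and names are constructed."""

from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Tloc:
    system_ip: str
    color: str
    encap: str = "ipsec"
    restrict: bool = False   # "color <name> restrict" on the tunnel-interface


class VSmart:
    """Default behaviour: every received TLOC is reflected to all vEdges."""
    def __init__(self):
        self.tlocs = set()

    def receive(self, tlocs):
        self.tlocs |= set(tlocs)

    def advertise(self):
        return set(self.tlocs)


def tunnel_allowed(local: Tloc, remote: Tloc) -> bool:
    """The slide's rule: a restricted TLOC only attempts tunnels to TLOCs of
    its own color; with no restrict on either side any color pair is tried."""
    if local.color == remote.color:
        return True
    return not (local.restrict or remote.restrict)


def attempted_tunnels(local_tlocs, advertised):
    """Tunnels one vEdge attempts, as (local color, remote system IP, remote color)."""
    own = {t.system_ip for t in local_tlocs}
    pairs = set()
    for loc, rem in product(local_tlocs, advertised):
        if rem.system_ip in own:          # never towards our own TLOCs
            continue
        if tunnel_allowed(loc, rem):
            pairs.add((loc.color, rem.system_ip, rem.color))
    return pairs


def fabric(vedges):
    """vedges: {system_ip: [Tloc, ...]}.  Runs the advertisement round and
    returns, per vEdge, the set of tunnels it will try to establish."""
    vsmart = VSmart()
    for tlocs in vedges.values():
        vsmart.receive(tlocs)
    advertised = vsmart.advertise()
    return {ip: attempted_tunnels(tlocs, advertised) for ip, tlocs in vedges.items()}


# Constructed two-site fabric matching the slide: public + private TLOC per site.
def two_sites(restrict):
    return {
        "1.1.1.1": [Tloc("1.1.1.1", "public", restrict=restrict),
                    Tloc("1.1.1.1", "private", restrict=restrict)],
        "2.2.2.2": [Tloc("2.2.2.2", "public", restrict=restrict),
                    Tloc("2.2.2.2", "private", restrict=restrict)],
    }
```

With restrict set on every TLOC the private transport never tries to reach a public TLOC; without it each vEdge also attempts the cross-color pairs the slide draws, which on a real underlay are the attempts that time out and show up in BFD session state.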
Transport Independent Fabric
NAT Traversal
Figure: vEdge behind a Full-Cone NAT and vEdge behind a Symmetric NAT reaching vBond and vSmart; SLA; Core
Bidirectional Forwarding Detection (BFD)
• Path liveliness and quality measurement detection protocol
- Up/Down, loss/latency/jitter, IPSec tunnel MTU
• Runs between all vEdge and vEdge Cloud routers in the topology
- Inside IPSec tunnels
- Automatically invoked after each IPSec tunnel establishment
- Cannot be disabled
Figure: BFD running inside the IPSec tunnel between two vEdges

Figure: Data plane key exchange – each vEdge (VPN0) sends its local TLOCs and keys (Key 1 and Key 2, one per Transport1/Transport2) in OMP Updates; vSmart applies policies and reflects the updates; the remote keys 1’ / 2’ are learned the same way and remote traffic is encrypted with Keys 1’ / 2’
Viptela VPNs
Figure: vEdge with Service VPNs (VPNn) on service-side interfaces, the Transport VPN (VPN0) on the MPLS and INET interfaces, and the Management VPN (VPN512)
• VPNs are isolated from each other, each VPN has its own forwarding table
• vEdge router allocates a label to each of its service VPNs and advertises it as a route attribute in OMP updates
- Labels are used to identify the VPN in the incoming packets
Secure Segmentation
Figure: Ingress vEdge maps interfaces and VLANs into VPN1, VPN2 and VPN3; the VPNs are carried through the SD-WAN IPSec tunnel with labels (20, 8, 36, 4, …) to the egress vEdge
• Segment connectivity across fabric w/o reliance on underlay transport
• vEdge routers maintain per-VPN routing table
• Labels are used to identify VPN for destination route lookup
• Interfaces and sub-interfaces (802.1Q tags) or a mix of both are mapped into VPNs
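The "Viptela VPNs" and "Secure Segmentation" slides above describe how a vEdge allocates one label per service VPN, advertises it as a route attribute, and on egress uses the label to select the VPN table before the destination lookup. The following is an added example, not Viptela or Cisco code, that models that forwarding logic end to end for two vEdges: the OMP update is a plain dataclass, the prefixes, VPN numbers, interface names and label range are constructed, and the same prefix is deliberately present in two VPNs to show that the label, not the destination address, decides which table is consulted.

```python
"""Added example, not Viptela/Cisco code: per-VPN label segmentation from the
"Viptela VPNs" and "Secure Segmentation" slides.  Addresses, VPN numbers,
interface names and the label range are constructed."""

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class OmpRoute:
    """Stand-in for an OMP vRoute: prefix in a VPN, reachable via a TLOC with a label."""
    vpn: int
    prefix: str
    tloc: str      # system IP of the advertising vEdge
    label: int


class VEdge:
    def __init__(self, system_ip, first_label=1001):
        self.system_ip = system_ip
        self.labels = {}             # vpn -> label this vEdge allocated
        self.next_label = first_label
        self.fib = {}                # vpn -> {network: ("local", ifname) | ("remote", tloc, label)}

    def add_local(self, vpn, prefix, ifname):
        """Service-side interface (or 802.1Q sub-interface) mapped into a VPN."""
        if vpn not in self.labels:   # one label per service VPN
            self.labels[vpn] = self.next_label
            self.next_label += 1
        self.fib.setdefault(vpn, {})[ipaddress.ip_network(prefix)] = ("local", ifname)

    def omp_advertise(self):
        """Local prefixes, each carrying this vEdge's label for its VPN."""
        return [OmpRoute(vpn, str(net), self.system_ip, self.labels[vpn])
                for vpn, table in self.fib.items()
                for net, entry in table.items() if entry[0] == "local"]

    def omp_learn(self, routes):
        """Routes reflected by vSmart; our own are skipped."""
        for r in routes:
            if r.tloc != self.system_ip:
                self.fib.setdefault(r.vpn, {})[ipaddress.ip_network(r.prefix)] = ("remote", r.tloc, r.label)

    def _lookup(self, vpn, dst):
        table = self.fib.get(vpn, {})
        addr = ipaddress.ip_address(dst)
        matches = [n for n in table if addr in n]
        if not matches:
            return None
        return table[max(matches, key=lambda n: n.prefixlen)]   # longest prefix

    def ingress(self, vpn, dst):
        """Packet from a service-side interface in `vpn`: look up in that VPN's
        table only.  Returns a local interface or the tunnel (tloc, label)."""
        entry = self._lookup(vpn, dst)
        if entry is None:
            return ("drop",)
        if entry[0] == "local":
            return entry
        return ("tunnel", entry[1], entry[2])

    def egress(self, label, dst):
        """Packet from the fabric: the label selects the VPN, then the destination
        is looked up in that VPN's table.  Unknown labels are dropped."""
        vpn = next((v for v, l in self.labels.items() if l == label), None)
        if vpn is None:
            return ("drop",)
        entry = self._lookup(vpn, dst)
        return entry if entry and entry[0] == "local" else ("drop",)


def constructed_fabric():
    """Two vEdges; site A has 10.0.0.0/24 in both VPN 1 and VPN 2."""
    a, b = VEdge("1.1.1.1"), VEdge("2.2.2.2", first_label=2001)
    a.add_local(1, "10.0.0.0/24", "ge0/1.10")
    a.add_local(2, "10.0.0.0/24", "ge0/1.20")
    b.add_local(1, "10.1.0.0/24", "ge0/1")
    adv = a.omp_advertise() + b.omp_advertise()   # vSmart reflects everything
    a.omp_learn(adv)
    b.omp_learn(adv)
    return a, b
```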
Application Aware Topologies
Arbitrary VPN Topologies
Figure: VPN1 Full-Mesh, VPN2 Hub-and-Spoke
• Each VPN can have its own topology
- Full-mesh, hub-and-spoke, partial-mesh, point-to-point, etc.
• VPN topology can be influenced by leveraging control policies
- Filtering TLOCs or modifying next-hop TLOC attribute for routes
Multi-Topology
• Arbitrary per-VPN topology
• Topology reflects desired traffic forwarding patterns, e.g. voice and video full-mesh, business apps hub-and-spoke
• vSmart controls VPN topology through control plane advertisements
Figure: vSmart Controllers apply App Policies in the Control Plane
Single Service Insertion
Figure: Regional Hub with a firewall (FW) in VPN1; Data Center and Remote Office reached over MPLS, INET and 4G; vSmart Policy Advertisement*, Service Advertisement in the Control Plane, Traffic Path through the service
• vEdge router with connected L4-L7 service makes advertisement
- Service route OMP address family
- Service VPN label
• Service is advertised in specific VPN
• Service can be L3 routed or L2 bridged
• Service can be singly or dually connected (Firewall trust zones) to the advertising vEdge
• Control or data policies are used to insert the service node into the matching traffic forwarding path
- Match on 6-tuple of DPI signature
- Applied on ingress/egress vEdge
* For data policy only. Control policy enforced on vSmart.
Multiple Services Chaining
Figure: Regional Hub with a firewall (FW) and an IDS in VPN1; Data Center and Remote Office reached over MPLS, INET and 4G; vSmart Policy Advertisement*, Service Advertisement in the Control Plane, Traffic Path through both services
• vEdge routers with connected L4-L7 service make advertisement
- Service route OMP address family
- Services VPN labels
• Services are advertised in specific VPN
• Services can be L3 routed or L2 bridged
• Services can be singly or dually connected to the advertising vEdges
• Control or data policies are used to insert the service nodes into the matching traffic forwarding path
- Match on 6-tuple of DPI signature
- Applied on ingress/egress/service vEdge
* For data policy only. Control policy enforced on vSmart.
Multicast
Streaming Content Distribution
Multicast Traffic
• vEdges interoperate with IGMP v1/v2 and PIM on the service side
• vEdges advertise receiver multicast groups using OMP
• vEdge Replicators replicate multicast stream to receivers
• Multicast is encapsulated in point-to-point tunnels
Figure: Sender in the Data Center (RP) and Receiver Branches with IGMP/PIM; OMP Updates to the vSmart Controllers; Replicators in the SD-WAN Fabric; Control Plane and Multicast Stream
Application Experience and QoS
Application Recognition
Deep Packet Inspection Engine
Figure: vEdge Router recognizing App 1, App 2 … App 3,000 across Cloud Data Center, Data Center, Small Office, Home Office, Campus and Branch over MPLS, INET and 3G/4G
Primary Use Cases:
- Application visibility
- Application Firewall
- Traffic prioritization
- Transport selection
Bidirectional Forwarding Detection (BFD)
• Path liveliness and quality measurement detection protocol
- Up/Down, loss/latency/jitter, IPSec tunnel MTU
• Runs between all vEdge and vEdge Cloud routers in the topology
- Inside IPSec tunnels
- Automatically invoked after each IPSec tunnel establishment
- Cannot be disabled
Figure: BFD running inside the IPSec tunnel between two vEdges
Transport SLA Monitoring
Path Quality Detection
Figure: vEdge Router BFD hello timeline showing the poll interval and the App-Route Multiplier (n)
• Each vEdge router generates a BFD packet every “hello” interval for path quality (and liveliness) detection
• BFD packets are generated for each transport individually. Timers can be adjusted for quicker detection.
• Poll interval determines the average path quality measurement (loss, latency, jitter)
• App-route multiplier determines the average path quality measurement across the poll intervals
Critical Applications SLA
Application Aware Routing
• By default, without any local or centralized data policies, Cisco SDWAN performs flow-based load sharing across all transports available between the vEdge routers
• With Policies:
- Enforce SLA compliant path for applications of interest
- Other applications will follow active/active behavior across all paths
Figure: vManage App Aware Routing Policy “App A path must have latency <150ms and loss <2%” pushed to the vSmart Controllers; two vEdges with three IPSec tunnels – Path 1 Internet, Path 2 MPLS, Path 3 4G LTE
Path1: 10ms, 0% loss
Path2: 200ms, 3% loss
Path3: 140ms, 1% loss
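The "Transport SLA Monitoring" slide gives the arithmetic (hello samples averaged per poll interval, then averaged over the last n poll intervals set by the app-route multiplier) and the "Critical Applications SLA" slide gives the three paths and the App A SLA. The following is an added example, not Viptela or Cisco code, that carries that arithmetic through for those three paths. The hello samples are constructed so each path averages to the numbers on the slide; the timer values, the SLA dict layout and the function names are assumptions.

```python
"""Added example, not Viptela/Cisco code: BFD path-quality averaging from the
"Transport SLA Monitoring" slide applied to the three paths on the "Critical
Applications SLA" slide.  Hello samples are constructed; hellos-per-poll and
the app-route multiplier values are assumptions."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Hello:
    latency_ms: float
    lost: bool          # no reply within the hello interval


def poll_stats(hellos):
    """One poll interval: loss % and mean latency of the answered hellos."""
    lost = sum(1 for h in hellos if h.lost)
    answered = [h.latency_ms for h in hellos if not h.lost]
    latency = sum(answered) / len(answered) if answered else float("inf")
    return {"loss_pct": 100.0 * lost / len(hellos), "latency_ms": latency}


def path_quality(hellos, hellos_per_poll, app_route_multiplier):
    """Bucket the hellos into poll intervals, then average the last
    `app_route_multiplier` polls (the slide's App-Route Multiplier n)."""
    polls = [poll_stats(hellos[i:i + hellos_per_poll])
             for i in range(0, len(hellos), hellos_per_poll)]
    window = polls[-app_route_multiplier:]
    return {k: sum(p[k] for p in window) / len(window) for k in ("loss_pct", "latency_ms")}


def sla_compliant(quality, sla):
    return quality["latency_ms"] < sla["latency_ms"] and quality["loss_pct"] < sla["loss_pct"]


def select_paths(paths, sla=None, hellos_per_poll=10, app_route_multiplier=10):
    """paths: {name: [Hello, ...]}.  With no policy every path is used
    (flow-based load sharing, the slide's default); with an SLA only the
    compliant paths are returned, sorted by name."""
    quality = {n: path_quality(h, hellos_per_poll, app_route_multiplier)
               for n, h in paths.items()}
    if sla is None:
        return sorted(paths)
    return sorted(n for n, q in quality.items() if sla_compliant(q, sla))


def constructed_path(latency_ms, lost_count, total=100):
    """Constructed sample: `total` hellos, the first `lost_count` unanswered."""
    return [Hello(latency_ms, i < lost_count) for i in range(total)]


# The slide's three paths: 10 ms / 0 %, 200 ms / 3 %, 140 ms / 1 % loss.
PATHS = {
    "Path1 Internet": constructed_path(10, 0),
    "Path2 MPLS": constructed_path(200, 3),
    "Path3 4G LTE": constructed_path(140, 1),
}
# App A SLA from the slide: latency < 150 ms and loss < 2 %.
APP_A_SLA = {"latency_ms": 150, "loss_pct": 2}
```

Note the two-stage averaging: a burst of three lost hellos lands in one poll interval as 30 % loss, and only the multiplier window brings it down to the 3 % the slide reports. A smaller multiplier reacts faster to a degrading path but also flaps the SLA decision on a single bad interval.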
Optimal Network Utilization for App Traffic
Path MTU Discovery
• Automatic and proactive Network Path MTU Discovery leveraging BFD protocol
• Support for Host Path MTU Discovery
- IP ICMP Unreachable (type 3, code 4)
• Automatic MSS adjust for TCP traffic
- Can also be manually configured
Figure: Host Path MTU Discovery across Transport1
Example
App Policy applied with DSCP EF: preferred path MPLS, rest is default
Simulation with DSCP 0 (default)
Differentiated Services
Quality of Service
Figure: Traffic Flow through the vEdge Router – classification on the ingress interface into queues Q0–Q7 (Voice, Business, Best Effort), IPSec encapsulation on the egress interface; the inner TOS/DSCP bits are copied into the outer header
Localized Data Policy (QoS) Configuration
Step 5: Define an Access List to Classify Data Packets into appropriate Forwarding Classes

policy
 access-list MyACL
  sequence 10
   match
    dscp 46
   !
   action accept
    class voice
   !
  !
  sequence 20
   match
    source-ip 10.1.1.0/24
    destination-ip 192.168.10.0/24
   !
   action accept
    class bulk-data
    set
     dscp 32
    !
   !
  !
  sequence 30
   match
    destination-ip 192.168.20.0/24
   !
   action accept
    class critical-data
    set
     dscp 22
    !
   !
  !
  sequence 40
   action accept
    class best-effort
    set
     dscp 0
    !
   !
  !
  default-action drop
 !
!

Step 6: Apply the Access List to an Interface

vpn 10
 interface ge0/0
  access-list MyACL in
 !
!
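The access list above is evaluated sequence by sequence, the first matching sequence decides, and a packet no sequence matches falls to default-action drop; sequence 40 has no match clause, so it catches everything that reaches it. The following is an added example, not Viptela or Cisco code, that transcribes MyACL as data and applies exactly that evaluation to constructed packets, including the case where the catch-all sequence is absent. The packet field names and helper names are assumptions.

```python
"""Added example, not Viptela/Cisco code: sequential evaluation of the
localized data policy (access list) on this slide.  MyACL is transcribed as
data in the same order as the CLI; packets and helper names are constructed."""

import ipaddress


# MyACL from the slide, sequences 10..40.
MY_ACL = {
    "sequences": [
        {"seq": 10, "match": {"dscp": 46},
         "action": {"accept": True, "class": "voice"}},
        {"seq": 20, "match": {"source-ip": "10.1.1.0/24",
                              "destination-ip": "192.168.10.0/24"},
         "action": {"accept": True, "class": "bulk-data", "set": {"dscp": 32}}},
        {"seq": 30, "match": {"destination-ip": "192.168.20.0/24"},
         "action": {"accept": True, "class": "critical-data", "set": {"dscp": 22}}},
        {"seq": 40, "match": {},   # no match clause: matches every packet
         "action": {"accept": True, "class": "best-effort", "set": {"dscp": 0}}},
    ],
    "default-action": "drop",
}


def _matches(match, pkt):
    """All conditions in a sequence's match block must hold."""
    for key, want in match.items():
        if key == "dscp":
            if pkt["dscp"] != want:
                return False
        elif key in ("source-ip", "destination-ip"):
            field = "src" if key == "source-ip" else "dst"
            if ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(want):
                return False
        else:
            raise ValueError(f"unsupported match key {key}")
    return True


def classify(acl, pkt):
    """First matching sequence wins; returns
    (sequence, verdict, forwarding class, DSCP after any re-marking)."""
    for s in acl["sequences"]:
        if _matches(s["match"], pkt):
            act = s["action"]
            if not act.get("accept"):
                return (s["seq"], "drop", None, pkt["dscp"])
            dscp = act.get("set", {}).get("dscp", pkt["dscp"])
            return (s["seq"], "accept", act["class"], dscp)
    return (None, acl["default-action"], None, pkt["dscp"])


def constructed_packet(src, dst, dscp=0):
    """Constructed sample packet: only the fields the ACL can match on."""
    return {"src": src, "dst": dst, "dscp": dscp}
```

A packet that satisfies both sequence 10 (DSCP 46) and sequence 20 (the 10.1.1.0/24 to 192.168.10.0/24 pair) is classed as voice because sequence 10 comes first; reorder the sequences and the same packet becomes bulk-data with DSCP rewritten to 32.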
Application Optimization
TCP Performance Optimization
Figure: TCP connections from the Users to the first vEdge, optimized TCP connections (Cubic) across the SD-WAN Fabric over the High Latency Path, TCP connections from the second vEdge to the Servers
Direct Internet Access
• Can use one or more local DIA exits or backhaul traffic to the regional hub through the SD-WAN fabric and exit to Internet from there
- Per-VPN behavior enforcement
Figure: Branch and DC vEdges over MPLS and INET; Internet, IaaS and SaaS cloud applications; Cloud Data Center and Data Centers; vManage platform
Cloud onRamp for SaaS
SaaS Optimization
Figure: Remote Site with ISP1 and ISP2 local exits, and Remote Site backhauling over MPLS through the SD-WAN Fabric to the Data Center; Branch and DC vEdges
Cloud onRamp for IaaS – Attached Compute
• vEdge router is instantiated in Amazon VPCs or Microsoft Azure VNETs
• Posted in marketplace
• Use Cloud-Init for ZTP
• No router redundancy
• vEdge router joins the fabric and all fabric services
Figure: vEdge gateway in each Compute VPC/VNET, reached over MPLS and INET
Cloud onRamp for IaaS – Gateway VPC/VNET
• A pair of vEdge routers is instantiated in Amazon VPC or Microsoft Azure VNET
• Gateway VPC/VNET
Figure: Gateway VPC/VNET connected to the compute VPC/VNETs with BGP over Standard IPSec
Cloud On-Ramp for IaaS – AWS Details
• Gateway VPC instantiated by vManage
• Share transport (Direct connect and Internet) & vEdge Gateways across multiple spoke VPCs in a region
• Leverage AWS components (IGW, VGW, VPC router) for redundancy. Fast failover times.
Figure: AWS Region with a Gateway VPC (vManage instantiated and managed) holding vEdge GWs in AZ1 and AZ2 behind an IGW and Direct Connect; Spoke VPCs with VGWs connected to the vEdge GWs over a standard IPSec overlay
Cloud Security with Zscaler
• vEdge router creates a GRE tunnel to one or more Zscaler Enforcement Nodes (PoPs)
- Redundant PoPs, redundant ISPs
• Eliminates backhaul of traffic destined to Internet and cloud applications
• Provides advanced security services
- Can inspect SSL encrypted data, requires installation of Zscaler root certificate on the hosts
• Cloud onRamp for SaaS can choose the path across the best performing Zscaler Enforcement Node (PoP) for selected SaaS applications
Figure: Remote Site with GRE tunnels over ISP1 and ISP2 to POP1 and POP2 (Exploits, Malware, ATP, Botnets); Regional Data Center; SD-WAN Fabric
High Availability and Redundancy
Site Redundancy - Routed
• Redundant pair of vEdge routers operate in active/active mode
• vEdge routers are one or more Layer 3 hops away from the hosts
• Standard OSPF or BGP routing protocols are running between the redundant pair vEdge routers and the site router
• Bi-directional redistribution between OMP and OSPF/BGP and vice versa on the vEdge routers
Figure: vEdge A and vEdge B connected to the SD-WAN Fabric, running OSPF/BGP to the site router in front of the Host
Site Redundancy - Bridged
• vEdge routers are Layer 2 adjacent to the hosts
- Default gateway for the hosts
• Virtual Router Redundancy Protocol (VRRP) runs between the two redundant vEdge routers
- Active/active when using multigroup
Figure: two vEdges on the SD-WAN Fabric, Layer 2 adjacent to the Host
Transport Redundancy - Meshed
• vEdge routers are connected to all the transports
• When a transport goes down, vEdge routers detect the condition and bring down the tunnels built across the failed transport
- BFD times out across tunnels
Figure: two vEdges each connected to both MPLS and INET
Transport Redundancy – TLOC Extension
• vEdge routers are connected only to their respective transports
• vEdge routers build IPSec tunnels across the directly connected transport and across the transport connected to the neighboring vEdge router
• Neighboring vEdge router acts as an underlay router for tunnels initiated from the other vEdge
Figure: one vEdge connected to MPLS and the other to INET, with a link between them
TLOC Extension Configuration
Figure: br1-vedge1 (ge0/0 100.65.51.1/24 towards MPLS, ge0/2 10.5.51.51/24, ge0/3 10.5.52.51/24) and br1-vedge2 (ge0/0 dhcp towards INET, ge0/2 10.5.51.52/24, ge0/3 10.5.52.52/24), connected back to back on ge0/2 and ge0/3
Notes from the slide: add a route to reach the br1-vedge2 mpls tunnel end-point (ip route 10.5.52.52/32 100.65.51.1); do not forget NAT on the INET-facing interface of br1-vedge2.

br1-vedge1:
vpn 0
 interface ge0/0
  description MPLS tunnel
  ip address 100.65.51.1/30
  tunnel-interface
   encapsulation ipsec
   color mpls restrict
   max-control-connections 1
   [service list]
  !
 !
 interface ge0/2
  description INET tunnel
  ip address 10.5.51.51/24
  tunnel-interface
   encapsulation ipsec preference 100
   color biz-internet restrict
   max-control-connections 1
   [service list]
  !
 !
 interface ge0/3
  ip address 10.5.52.51/24
  tloc-extension ge0/0
  no shutdown
 !
 ip route 0.0.0.0/0 100.65.51.2
 ip route 0.0.0.0/0 10.5.51.52
!

br1-vedge2:
vpn 0
 interface ge0/0
  description INET tunnel
  ip dhcp-client
  nat
  !
  tunnel-interface
   encapsulation ipsec
   color biz-internet restrict
   max-control-connections 1
   [service list]
  !
 !
 interface ge0/2
  ip address 10.5.51.52/24
  tloc-extension ge0/0
  no shutdown
 !
 interface ge0/3
  description MPLS tunnel
  ip address 10.5.52.52/24
  tunnel-interface
   encapsulation ipsec
   color mpls restrict
   max-control-connections 1
   [service list]
  !
 !
 ip route 0.0.0.0/0 10.5.52.51
!
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Control Redundancy - vSmart
• vSmart controllers exchange OMP messages between themselves and they have an identical view of the SD-WAN fabric
• vEdge routers connect to up to three vSmart controllers for redundancy
• Single vSmart controller failure has no impact, as long as there is another vSmart controller the vEdge routers are registered with
Figure: vSmart Controllers in a Cloud Data Center; Control Plane and Data Plane
Policy Framework
Centralized and Localized Policies
Figure: vManage, NETCONF/YANG, OMP
• With Localized Data policy, also called an access list, you can provision QoS to:
- Classify incoming data packets into multiple forwarding classes based on importance.
- Spread the forwarding classes across different interface queues.
- Schedule the transmission rate or weights for each queue
Policy Driven WAN Infrastructure
Policy Augmented Dynamic Routing
Figure: Branch/DC Access Layer behind the vEdge WAN router (3), which executes AAR and Data Policy as received; Dynamic Routing and Policies combine to dictate behavior
Packet Flow Through the vEdge Router
Figure: six stages (1–6): Local Policy, Shaping and ACL (Policer, ACL); Centralized Application Aware Routing (path selection based on SLA); Routing Policy; Forwarding; Shaping; Re-marking
Centralized (vSmart) Policy Architecture
• vSmart Policies consist of these building blocks:
- Lists used for defining targets of policy application or matching
- Policies controlling aspects of control and forwarding: Control Policy, Application Aware Policy, Data Policy, cflowd-template, vpn-membership-policy
- Policy Application to control towards what a policy is applied: site-oriented and defined by a site-list
vEdge Routing Policy Architecture
• Routing Policies are traditional routing policies
• Attaches to BGP or OSPF locally on the vEdge
• Used in the traditional sense for controlling BGP and OSPF: information exchange, attributes, path selection
vSmart Policy Construction
Lists, Policy Definition, Policy Application
Centralized policy definition configured on vManage and enforced across entire network
vSmart Policy Construction - Lists

lists
 data-prefix-list app1
  ip-prefix 1.1.1.1/32
  port 100
 !
 prefix-list pfx1
  ip-prefix 1.1.1.1/32
 !
 site-list site1
  site-id 100
 !
 tloc-list site1_tloc
  tloc 1.1.1.1 color mpls
 !
 vpn-list vpn1
  vpn 1
 !
!

• application-list used in data-policy to define specific applications for traffic matching and policy actions
• data-prefix-list used in data-policy to define prefix and upper layer ports in various combinations for traffic matching
• prefix-list used in control-policy to define prefixes for RIB matching
• site-list used in control-policy and apply-policy to match source sites or define sites for policy application
• tloc-list used in control-policy to define tlocs for RIB matching and to apply redefined tlocs to vroutes
• vpn-list used in control-policy to define prefixes for RIB matching, in data-policy and app-route-policy to define VPNs for policy application
vSmart Policy Construction – Policies
vSmart Policy Example
    apply-policy
     site-list site1
      control-policy prefer_local out
     !
    !
    policy
     lists
      site-list site1
       site-id 100
      !
      tloc-list prefer_site1
       tloc 1.1.1.1 color mpls preference 400
      !
     !
     control-policy prefer_local
      sequence 10
       match route
        site-list site1
       !
       action accept
        set
         tloc-list prefer_site1
        !
       !
      !
     !
    !

Annotations from the slide:
• apply-policy: apply the defined policy towards the sites in the site-list
• policy / lists: define the lists required for apply-policy and for use within the policy
• control-policy: define the actual policy to be applied; the lists previously defined are used within the policy
• Note: items are listed as presented in the node configuration. The order in which elements are configured should be lists, control-policy, then apply-policy.
vSmart Policy Processing
• Policies are processed sequentially. Order is important!
• When a match occurs, the matched entity is subject to the configured action of the sequence and is then no longer subject to continued processing.
• Any entity not matched in a sequence is subject to the default action for the policy.
• Any node will make use of any and all available routing information
• In a multi-vSmart deployment, every vSmart acts independently to disseminate information to other vSmarts and vEdges
• vManage acts as the entity to ensure all vSmarts are synchronized.
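Added example (not vSmart or Viptela code) that models the processing rules above against the prefer_local control policy from the previous slide: the first matching sequence applies its action and ends processing, and unmatched routes take the default-action, which the model sets to reject, as vSmart does for a control-policy when none is configured. The Route and Tloc fields and the sample OMP routes are assumptions.

```python
"""Model of how vSmart processes a control-policy: sequences run in order,
the first match applies its action and ends processing, and anything that
matches no sequence gets the policy's default-action.

Added example, not vSmart or Viptela code. The lists and the prefer_local
policy mirror the slide; the Route/Tloc fields and the sample OMP routes
are constructed for this model."""
from __future__ import annotations

from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Tloc:
    ip: str
    color: str
    preference: int = 0        # 0 = not set; a higher preference wins OMP best-path


@dataclass(frozen=True)
class Route:
    prefix: str
    site_id: int
    tloc: Tloc


@dataclass
class Sequence:
    number: int
    match_site_list: frozenset[int]        # "match route site-list <name>"
    action: str                            # "accept" or "reject"
    set_tloc_list: dict[tuple[str, str], int] = field(default_factory=dict)


@dataclass
class ControlPolicy:
    name: str
    sequences: list[Sequence]
    # vSmart rejects anything unmatched when no default-action is configured
    default_action: str = "reject"


def apply_control_policy(policy: ControlPolicy, route: Route) -> Route | None:
    """Route as vSmart would advertise it after the policy, or None if rejected."""
    for seq in sorted(policy.sequences, key=lambda s: s.number):
        if route.site_id not in seq.match_site_list:
            continue                                   # try the next sequence
        if seq.action != "accept":
            return None                                # matched and rejected: stop
        key = (route.tloc.ip, route.tloc.color)
        if key in seq.set_tloc_list:                   # "set tloc-list prefer_site1"
            tloc = replace(route.tloc, preference=seq.set_tloc_list[key])
            return replace(route, tloc=tloc)
        return route                                   # matched and accepted unchanged
    return route if policy.default_action == "accept" else None


# lists from the slide: site-list site1 and tloc-list prefer_site1
SITE1 = frozenset({100})
PREFER_SITE1 = {("1.1.1.1", "mpls"): 400}   # tloc 1.1.1.1 color mpls preference 400
PREFER_LOCAL = ControlPolicy("prefer_local", [Sequence(10, SITE1, "accept", PREFER_SITE1)])

# constructed OMP routes: one learned from site 100, one from site 200
ROUTES = [
    Route("10.1.0.0/24", 100, Tloc("1.1.1.1", "mpls")),
    Route("10.2.0.0/24", 200, Tloc("2.2.2.2", "mpls")),
]


def advertised(policy: ControlPolicy = PREFER_LOCAL, routes=ROUTES) -> list[Route]:
    """Routes left to send out towards site-list site1 after the policy runs."""
    return [r for r in (apply_control_policy(policy, x) for x in routes) if r is not None]


if __name__ == "__main__":
    for r in advertised():                       # only the site-100 route survives
        print(r.prefix, "from site", r.site_id, "tloc preference", r.tloc.preference)
    # the same sequences with an explicit default-action accept also pass site 200
    permissive = ControlPolicy("prefer_local", PREFER_LOCAL.sequences, "accept")
    print([r.prefix for r in advertised(permissive)])
```

The implicit default-action reject is why the site-200 route disappears: with this policy applied outbound, site1 only learns routes from itself unless an explicit default-action accept is added.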
1. Control Policies
• Control policies are executed on vSmarts to influence overlay routing.
• Control Policies are used to enable the following services:
  • Service Chaining
  • Traffic Engineering
  • Extranet VPNs
  • Service path affinity
  • Arbitrary VPN Topologies
• Control Policy is a powerful tool for any type of path construction that simplifies policy operations by being centrally managed.
Centralized Control Policy: Inbound vs. Outbound
2. Application-Aware Routing Policy
• Application-aware routing consists of three components:
  • Identify the applications of interest. To determine which applications are running on vEdge routers, you enable application visibility on these devices. Then you configure an application-aware routing policy on the vSmart controller, which defines the applications of interest and the data plane tunnel performance characteristics required to transmit an application's data traffic. These characteristics are called a service-level agreement (SLA). The controller automatically pushes the policy to the appropriate vEdge routers.
  • Monitor and measure data plane tunnel performance. This is done automatically and continuously by the vEdge routers by tracking BFD Hello packets. Application-aware routing periodically polls the performance statistics to calculate packet jitter, latency and packet loss for each tunnel. The default polling interval is good for most network situations, but you can modify it to meet specific business needs.
  • Map application traffic to a specific data plane tunnel. This is done on the vEdge routers, based on the SLA requirements defined in the application-aware routing policy and on the real-time performance of the vEdge routers' data plane tunnels. You can modify how often a vEdge router calculates each tunnel's SLA and determines a tunnel's SLA classification.
Application Aware Routing
• An app-route policy is defined through the following steps:
• Define the required SLA classes
• Define the app-route-policy
• Apply the app-route-policy towards the applicable sites
Application-Aware Routing Policy Configuration
Step 4: Create an application-aware routing policy instance and associate it with a list of VPNs

    policy
     app-route-policy myApproutePolicy
      vpn-list myVPN

Step 5: Within the policy, create one or more numbered sequences of match–action pairs

    policy
     app-route-policy myApproutePolicy
      vpn-list myVPN
      sequence 10
       match
        app-list myApps
       !
       action
        sla-class critical-data-sla preferred-color mpls
       !
      !
      sequence 20
       match
        dscp 46
       !
       action
        sla-class voice-sla preferred-color mpls
       !
      !
      sequence 30
       match
        destination-data-prefix-list approute-Prefixes
       !
       action
        backup-sla-preferred-color public-internet
        sla-class bulk-data-sla preferred-color biz-internet
       !
      !

Step 6: Specify the default action for the policy

    policy
     app-route-policy myApproutePolicy
      vpn-list myVPN
      default-action sla-class bulk-data-sla
     !
    !

Step 7: Apply the policy to a site list

    apply-policy
     site-list mySites
      app-route-policy myApproutePolicy
     !
    !
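Added example (not vEdge or Viptela code) that walks the myApproutePolicy sequences above for a flow and picks a tunnel from BFD-derived loss, latency and jitter, including the degraded case where no tunnel meets the SLA and the backup-sla-preferred-color is used. The SLA class thresholds, the members of app-list myApps and of approute-Prefixes, the tunnel colours and the measurements are constructed.

```python
"""Application-aware routing on a vEdge, modelled: a flow is matched against the
app-route-policy sequences in order; the matched sequence names an SLA class and
a preferred colour; traffic goes to a tunnel meeting the SLA (preferred colour
first) and, if none does, to the backup-sla-preferred-color tunnel.

Added example, not vEdge or Viptela code. Sequences follow the slide's
myApproutePolicy; SLA thresholds, app-list members, prefix-list contents,
tunnel colours and BFD measurements are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Tunnel:
    color: str
    loss_pct: float      # measured from BFD hellos on this tunnel
    latency_ms: float
    jitter_ms: float

    def meets(self, sla: tuple[float, float, float]) -> bool:
        """sla = (max loss %, max latency ms, max jitter ms)."""
        return (self.loss_pct <= sla[0] and self.latency_ms <= sla[1]
                and self.jitter_ms <= sla[2])


@dataclass(frozen=True)
class Flow:
    app: str
    dscp: int
    dst: str


# constructed SLA class thresholds: (loss %, latency ms, jitter ms)
SLA = {"voice-sla": (1, 150, 30), "critical-data-sla": (2, 200, 50),
       "bulk-data-sla": (10, 500, 100)}
MY_APPS = {"erp", "sap"}                               # app-list myApps (constructed)
APPROUTE_PREFIXES = [ip_network("10.50.0.0/16")]      # approute-Prefixes (constructed)


def match_sequence(flow: Flow) -> tuple[str, str | None, str | None]:
    """First-match walk of myApproutePolicy: (sla-class, preferred-color, backup color)."""
    if flow.app in MY_APPS:                                            # sequence 10
        return "critical-data-sla", "mpls", None
    if flow.dscp == 46:                                                # sequence 20
        return "voice-sla", "mpls", None
    if any(ip_address(flow.dst) in net for net in APPROUTE_PREFIXES):  # sequence 30
        return "bulk-data-sla", "biz-internet", "public-internet"
    return "bulk-data-sla", None, None                 # default-action sla-class bulk-data-sla


def select_tunnel(flow: Flow, tunnels: list[Tunnel]) -> str | None:
    """Colour of the tunnel the flow is steered to; None when nothing qualifies."""
    sla_name, preferred, backup = match_sequence(flow)
    compliant = [t for t in tunnels if t.meets(SLA[sla_name])]
    if any(t.color == preferred for t in compliant):
        return preferred                      # preferred colour meets the SLA
    if compliant:
        return compliant[0].color             # any tunnel meeting the SLA
    if any(t.color == backup for t in tunnels):
        return backup                         # backup-sla-preferred-color: SLA met nowhere
    return None                               # left to ordinary routing (not modelled)


# constructed BFD measurements: healthy transports, then a degraded set
HEALTHY = [Tunnel("mpls", 0.1, 40, 5), Tunnel("biz-internet", 3, 120, 20),
           Tunnel("public-internet", 12, 600, 150)]
DEGRADED = [Tunnel("mpls", 12, 40, 5), Tunnel("biz-internet", 15, 300, 80),
            Tunnel("public-internet", 20, 600, 150)]

if __name__ == "__main__":
    for flow in (Flow("erp", 0, "192.0.2.10"), Flow("web", 46, "192.0.2.10"),
                 Flow("web", 0, "10.50.1.1"), Flow("web", 0, "192.0.2.10")):
        print(flow, "->", select_tunnel(flow, HEALTHY), "| degraded:", select_tunnel(flow, DEGRADED))
```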
3. Data Policy - Applications and Services
• Data Policies provide the functionality equivalent to traditional Policy Routing.
• Data policies are configured and applied centrally (vSmart), then pushed to vEdge to enforce the configured policy in the data plane.
• Some of the applications enabled by Control Policies can also be enabled by Data Policies, in addition to more traditional Policy Routing as well as data-plane bound functions.

    apply-policy
     site-list mySites
      data-policy myDataPolicy (all | from-service | from-tunnel)
     !
    !
4. Cflowd flow data collection
• Cflowd flow collection is enabled by means of a vSmart policy
• Capturing and exporting flow data is controlled via 2 different policies:
  • Cflowd-template for configuring flow cache behavior and flow export
  • Data-policy for selection of traffic subject to flow data collection
• The Cflowd template is optional; without it, the flow cache in vEdge nodes is managed using default settings and no flow export takes place
• The data-policy can be configured to be very specific or as a general flow collection filter, depending on requirements
• Both components are controlled and distributed from vSmart to ease enablement and configuration
Cflowd Example
    apply-policy
     site-list site100
      data-policy cflowd_data all
      cflowd-template cflowd_temp
     !
    !
    policy
     data-policy cflowd_data
      vpn-list cflowd_vpn
       sequence 10
        match
         protocol 17
        !
        action accept
         cflowd
        !
       !
       default-action drop
      !
     !
     cflowd-template cflowd_temp
      flow-active-timeout 60
      flow-inactive-timeout 60
      collector vpn 100 address 1.1.1.1 port 4739 transport transport_udp
     !
    !

• Data-policy: covers traffic subject to flow data collection
• cflowd-template: manages settings related to cache management and flow export (not mandatory)
* vpn-list and site-list excluded, please refer to app-route section *
5. VPN Membership Policy
Functionality
• The default behavior of the SDWAN OMP architecture is to advertise any configured VPN to any node where it is configured
• This automatically establishes connectivity without unnecessary configuration and operational overhead
• However, certain VPNs may be of a sensitive nature such that their membership must be tightly controlled
• The VPN Membership Policy serves to restrict the distribution of VPN information from vSmart to those that are explicitly approved
• Both Whitelist and Blacklist behavior can be established
• With a VPN Membership Policy, a node not explicitly allowed to participate in a VPN may have the VPN configured but will only see local connectivity and routing information
VPN Membership Policy Example
Lists:

    policy
     lists
      site-list sites_1
       site-id site1
       site-id site2
      !
      site-list sites_2
       site-id site3
       site-id site4
      !
      vpn-list sites_1
       vpn 10, 20
      !
      vpn-list sites_2
       vpn 30, 40
      !
     !

Membership policies:

    policy
     vpn-membership acme_1
      sequence 10
       match vpn-list sites_1
       action accept
      !
      default-action reject
     !
     vpn-membership acme_2
      sequence 10
       match vpn-list sites_2
       action accept
      !
      default-action reject
     !
    !
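Added example (not vSmart or Viptela code) that applies the acme_1 and acme_2 membership policies above to show what vSmart distributes: a site that has a VPN configured but is not approved for it receives no remote routes in that VPN, and a blacklist variant (match-reject with default-action accept) is exercised as well. The apply-policy mapping of acme_1 to site-list sites_1 and acme_2 to sites_2, the per-site VPN configuration and the sample OMP routes are assumptions.

```python
"""Effect of a VPN Membership Policy on what vSmart distributes, modelled: for
each VPN a site has configured, the applied vpn-membership sequences are
evaluated in order (match vpn-list -> action), unmatched VPNs take the
default-action, and vSmart only sends the site OMP routes of accepted VPNs.

Added example, not vSmart or Viptela code. Lists and the acme_1 / acme_2
policies follow the slide; the apply-policy mapping, each site's configured
VPNs and the sample OMP routes are constructed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Seq:
    vpns: frozenset[int]      # "match vpn-list <name>"
    action: str               # "accept" or "reject"


@dataclass(frozen=True)
class VpnMembership:
    name: str
    sequences: tuple[Seq, ...]
    default_action: str


# lists from the slide
SITES_1 = frozenset({"site1", "site2"})          # site-list sites_1
SITES_2 = frozenset({"site3", "site4"})          # site-list sites_2
VPNS_1 = frozenset({10, 20})                     # vpn-list sites_1
VPNS_2 = frozenset({30, 40})                     # vpn-list sites_2

ACME_1 = VpnMembership("acme_1", (Seq(VPNS_1, "accept"),), "reject")  # whitelist
ACME_2 = VpnMembership("acme_2", (Seq(VPNS_2, "accept"),), "reject")

# assumed apply-policy: acme_1 towards sites_1, acme_2 towards sites_2
APPLIED = {**{s: ACME_1 for s in SITES_1}, **{s: ACME_2 for s in SITES_2}}


def vpn_allowed(policy: VpnMembership | None, vpn: int) -> bool:
    """Sequential first-match; with no policy applied every configured VPN is allowed."""
    if policy is None:
        return True
    for seq in policy.sequences:
        if vpn in seq.vpns:
            return seq.action == "accept"
    return policy.default_action == "accept"


def allowed_vpns(site: str, configured: set[int]) -> set[int]:
    """VPNs of this site for which vSmart will distribute routes."""
    return {v for v in configured if vpn_allowed(APPLIED.get(site), v)}


def routes_received(site: str, configured: set[int], omp: list[tuple[str, int, str]]) -> list[str]:
    """Remote prefixes from (site, vpn, prefix) records that vSmart sends to `site`."""
    ok = allowed_vpns(site, configured)
    return [p for src, vpn, p in omp if src != site and vpn in ok]


# constructed OMP routes: (originating site, vpn, prefix)
OMP = [("site2", 10, "10.10.2.0/24"), ("site3", 30, "10.30.3.0/24"),
       ("site4", 40, "10.40.4.0/24"), ("site5", 20, "10.20.5.0/24")]

if __name__ == "__main__":
    # site1 has VPN 30 configured but is not approved for it: local connectivity only
    print(sorted(allowed_vpns("site1", {10, 30})))        # [10]
    print(routes_received("site1", {10, 30}, OMP))         # ['10.10.2.0/24']
    print(routes_received("site5", {20, 30}, OMP))         # ['10.30.3.0/24'] (no policy applied)
    deny_30 = VpnMembership("deny_30", (Seq(frozenset({30}), "reject"),), "accept")  # blacklist
    print(vpn_allowed(deny_30, 30), vpn_allowed(deny_30, 10))  # False True
```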
Single Pane of Glass Operations
Figure: the vManage GUI as the single pane of glass over vManage, vSmart and vBond; figure labels for the vEdge: DHCP, TPM, Identity (X.509).
Zero Touch Provisioning – vEdge Appliance
Figure: zero touch provisioning of a vEdge appliance, a five-step exchange between the vEdge, the Zero Touch Provisioning Server and the Control and Policy Elements. Step labels recoverable from the figure: query for ztp.viptela.com, redirect, initial configuration from vManage, full registration and configuration.
Assumption:
§ DHCP on Transport Side (WAN)
§ DNS to resolve ztp.viptela.com*
§ Delivered as-a-Service
* Factory default config
Zero Touch Provisioning – vEdge Cloud
Figure: zero touch provisioning of a vEdge Cloud VM, a five-step exchange between the NSO Provisioning Tool (vBranch FP), the VM and the Control and Policy Elements (vManage). Step labels recoverable from the figure: 1 Cloud-Init, 2 Deploy VM, initial configuration from vManage, full registration and configuration.
Assumption:
§ DHCP on Transport Side (WAN)
§ DNS to resolve ztp.viptela.com*
* Factory default config
Application and Performance Visibility
Deep Packet Inspection
• Embedded Deep Packet Inspection engine
• Application and flow level visibility for the fabric and individual vEdge routers
• Centralized statistics and performance
• Export flow level data (IPFIX) to external collector
Template-Based Configurations
Centralized Device Configuration Enforcement
• Templates are attached to provisioned vEdge routers
• Variables are used for rapid bulk configuration rollout with unique per-device settings
• Local configuration changes are not allowed
  - Prevents configuration drift
Granular Policies
Centralized Control over Fabric Behavior
Troubleshooting and Verification
Transparent Operations
Self-Healing
Software Upgrade and Configuration Change
Figure: two self-healing scenarios on a vEdge router. Software upgrade: 1 Upgrade from vManage (Active Software A; Available Software B, C, D), 2 Failed, 3 Rollback. Configuration change: 1 Attach Template from vManage, 2 Connectivity Lost, 3 Rollback.
Current Orchestration and APIs
Figure: vManage exposes REST, Netconf, Syslog, cFlowd* and CLI interfaces, used for § Management § Monitoring § Provisioning § Troubleshooting. A secure control plane and a secure data plane connect vManage and the vEdge routers over 4G/LTE, Internet and MPLS.
SDWAN MSP Management Options
NSO (figure labels: Cisco and 3rd party VNFs, REST/NETCONF, NSO with vBranch CFP and SDWAN CFP, NETCONF to vManage):
• NSO Single Entry Point
• NSO (vBranch, vManage NED) to instantiate VNFs (including 3rd party VNFs) and activate vEdge. Apply device template
• vManage to configure vEdge
• Reporting and Alerts

NSO/vManage Split (figure labels: Cisco and 3rd party VNFs, REST/NETCONF, NSO with vBranch CFP, REST to vManage, NETCONF):
• vManage and NSO Entry Point (REST APIs)
• vManage improved with NSO (and vBranch, SDWAN, potentially SAE CFP)
• vManage and/or NSO as potential entry point
NSO/vManage Split Gives Flexibility
Figure: OSS / BSS or VMS driving NSO and vManage over REST/NETCONF.
• NSO and vManage run side by side in separate processes
Cisco SD-WAN Automation Stack
Figure: automation stack of VMS Portal/GUI and VMS SIF (Software Integration Framework) over the Network Service Orchestrator (NSO) with Core FP (vBranch) and Core FP (SDWAN), which talk REST and NETCONF to vManage. Three numbered deployment options are shown; two are described:
1. Viptela vManage: target customer has vEdge appliances without a need for virtual CPE, service orchestration and OSS/BSS from Cisco
3. Full Stack SD WAN: target customer has a need for Cisco OSS/BSS capabilities together with SD WAN
SDWAN Core Function Pack
Figure: the SDWAN Core FP sits between OSS/BSS - VMS (via Service Abstraction APIs) and Cisco and 3rd party VNFs; labelled Potential SP Model.
vBranch FP – High Level View of Service Model
Figure: Branch-infra service model (two numbered components).
vEdge Cloud on ENCS SP Datacenter
vManage:
• Generate bootstrap information
• Download vEdge Cloud Certified Serial Numbers (json)
NSO:
• Get the unclaimed vEdge Cloud router list from vManage
• Instruct vManage to generate a Bootstrap Configuration file
• Get Bootstrap Configuration file for the vEdge Cloud router (cloud-init config file)
ENCS/NFVIS on-boarding:
• NFVIS boots and creates basic n/w infrastructure
• NFVIS registers to NSO using PnP
• NSO connects to NFVIS at the branch using NETCONF
• Process is the same for any platform that runs NFVIS
Figure labels: vManage, vSmart, vBond, Network Service Orchestrator (NSO), ENCS.
NSO with the SDWAN
Figure: an ENCS hosting a vEdge and an ASAv, attached via GE0/1 and GE0/0.
vAnalytics
vAnalytics
Customer Data:
• Client authenticated and data securely transmitted from vManage to vAnalytics
• No PII (Personal Identifiable Information) is collected
• Only management data (stats, flows) information collected
• IP Addresses collected for provider look-ups
Data Transfer and Storage (clusters, data lake):
• Data storage isolation between vAnalytics customers
Data Correlation and Algorithms:
• All algorithms and visualization done on a per-customer basis
• Peer benchmarking (future use cases) only on a group basis. No individual customer data used
The Power of Analytics
Application Centric (Based on DPI/cflowd)
1. Bandwidth Usage:
   1. Identification of top sources / top destinations / top application (family)
   2. Drill-down into information on a per-Site basis
   3. Identification of top sources
2. Application Performance:
   1. Application to tunnel-binding and performance information
3. Anomaly Detection:
   1. Baseline of Application usage. Anomaly detection based on overall application usage / by Family / by Site
The Power of Analytics
Network Centric
1. Site Availability (SD-WAN value prop)
   1. List of Sites with down-time compared to TLOCs with their down-time
2. Network Availability
   1. List of sites by down-time
   2. Comparison of Site down-time vs TLOC down-time (SD-WAN value prop)
   3. Down site count on a time basis with the ability to drill-down into Sites and downtimes
4. Carrier Performance
   1. App-Route stats on a per-carrier basis
   2. Ability to drill-down on a specific carrier and visibility into various remote carrier connectivity
vAnalytics Dashboard
vAnalytics – BW Consumption by Applications
vAnalytics – Network Health by Carriers
Use Cases and Deployment
Models
Viptela Control Deployment
Three deployment models for the control elements (vBond, vManage, vSmart), with vEdge sites behind NAT/Firewall in each case:

Viptela Cloud (AWS):
• Internet transport required
• Viptela managed 24/7
• Viptela Auto-provisioned
• Geo-redundancy
• Geo-vicinity
• Currently most common deployment model

Provider Cloud:
• Public or (Private) transport possible
• Provider managed
• Provider orchestration
• Redundancy and vicinity as supported by SP
• Provider value-added services at discretion

On Premise:
• Public or Private access as per Enterprise policy
• Enterprise managed
• Enterprise orchestration
• Redundancy and Vicinity as supported by Ent.
• Typically preferred by security conscious verticals (Finance, Public Sector)

Figure labels: optional/standby vManage; Private IPs behind 1:1 NAT to Public IPs.
Cisco SD-WAN Control Plane Deployment
Hybrid Cloud Controller Deployment
Figure: controllers in DC/Region 1 and DC/Region 2 (optional/standby vManage) with Public IPs, behind a FW/DMZ on the Internet side, BGP towards MPLS and Internet, no NAT.
• Control Plane on MPLS and Internet
• Public IPs are assigned to the controllers
• No NAT is used
• For security compliance FW/DMZ on Internet facing side
Cisco SD-WAN Control Plane Deployment
Hybrid Cloud Controller Deployment
Figure: controllers in DC/Region 1 and DC/Region 2 (optional/standby vManage) with Private IPs; NAT + DMZ/FW towards the Internet (Public IP), no NAT towards MPLS, BGP to both transports.
• Control on MPLS and Internet.
• Private IPs on the controllers.
• Public IPs are not exposed on MPLS
• NAT/FW facing the internet
* vBond must have Public IP or sit behind 1:1 NAT
Cisco SD-WAN Control Plane Deployment
Public Cloud Controller Deployment
Figure: controllers hosted in the public cloud (DC/Region 1 and DC/Region 2, management via vpn512), reached over the Internet; vEdge Cloud co-exists with the controllers; Legacy/MPLS Sites and SD-WAN Sites connect to the fabric.
Cisco SD-WAN Site Deployment
Remote Site Designs
Figure: remote sites (Data Center, Campus, Branch, Home Office) connected over MPLS, Internet and 4G/LTE; a vEdge supports up to 7 transport interfaces.

Controller scale (horizontal scale-out model):
• 2000 vEdges per vBond; redundancy: add 1-2 vBonds
• 2700 vEdges per vSmart; redundancy: add 1-2 vSmarts

Data Plane /IPSec Scale
Large Enterprise with Global Distribution
WAN Components connected via overlays from Viptela SEN utilizing Internet, LTE, etc.

ZTP/Central Config/Policy: Done on Viptela
Monitoring/Syslog/NetFlow: Done on Viptela, Nagios
Connectivity: Active-Active
App-Routing/PfR/Service Chain: Done on Viptela
Segmentation: Multiple VPNs
Encryption: Built-in / No key-mgmt
Traffic Symmetry: Done on Viptela
Split-Tunnel: Selective 80/443
VPN Topology: Full Mesh across regions
IAAS and SAAS: AWS, SFDC, o365, GRE to ZScaler

Figure: a secure control plane over the Ethernet exit (DSL/Cable/LTE/MPLS); Platinum sites (Dual MPLS, Dual Broadband) and Bronze sites (Single Broadband) with vEdge routers alongside existing routers and switches form a secure virtual fabric of secure tunnels to the North America DCs, APAC DC and Europe DC.
Pricing Structure
Cisco SDWAN Pricing Model
The Cisco SDWAN pricing model consists of two components
1. Subscription* license (1YR, 3YR and 5YR) for Viptela software charged per CPE. This cost is dependent on
two factors:
• Service bandwidth. Slide 5 covers how service bandwidth is calculated.
• Features: Slide 3 covers feature buckets.
Figure boxes: Perpetual cost of Viptela CPE hardware** | Subscription cost of Viptela software (includes SD-WAN controller solution + CPE software) | Operational cost of Viptela

*Note: Subscription cost of Viptela software includes cost of SD-WAN controllers, 24x7x365 Viptela support, next day hardware replacement for Viptela CPE, software upgrades on all components and the cost of hosting the Viptela controllers in the Viptela cloud.
**Note: CPE can be Viptela manufactured or, in the case of Virtual CPE, customer/partner provisioned. Cost here implies Viptela CPE only.
Viptela Pricing Tiers
Figure: three pricing tiers, Plus, Pro + DPI and Enterprise, with the features shown across the tiers: Dynamic Routing, Hub, AAR, Local Internet breakout (App based), MPLS, Internet, E2E Segmentation, CloudExpress.
Pricing Tiers - Detailed
Bandwidth Licensing
Bandwidth entitlement* on vEdge is the sum of peak bandwidth (either upstream or downstream) across all WAN circuits.
TLOC extension interface bandwidth is not included in bandwidth entitlement.
Key Takeaways
SDWAN Rollout and Positioning
Deployment Scenarios:
Phase 1 – FY18, No Integration: vManage -or- Meraki (GPL = Feb'18)
Phase 2 – 1HFY19, Platform Integration: vManage + SD-WAN -or- Meraki (GA – Jul'18)
Phase 3 – 2HFY19, Management Integration: DNA Center -or- Meraki (Late 2018)
Clarification On SDWAN Terminology
"SDWAN Enabled ISR": only features highlighted in the next slide are included in the SD-WAN image
ISR: traditional IOSXE with IWAN capabilities, for ISR4K, ASR, CSR & ISRv
Roadmap subject to change
Integration Roadmap
Phase 1 (April 2018) capabilities: ü Zone Based Firewall, ü Umbrella (DNS Whitelisting)
Phase 2 (July 2018) capabilities: ü App QoE, ü Per-Tunnel QoS
Phase 3 (Nov 2018)

IOS Capabilities (five platform columns; only the first column's label, CSR 1000V, survived extraction):
CSR 1000V: • 10 Mbps to 10 Gbps • DNA Virtualization • Extend enterprise routing, security & management to cloud
Column 2: • Up to 100 Mbps • Fixed and fanless • Enterprise-class branch routing with security
Column 3: • Up to 250 Mbps • Fixed and fanless • SD-WAN ready • Integrated wired & wireless access
Column 4: • Up to 2 Gbps • Modular • Integrated container service applications • Compute with UCS E
Column 5: • 2.5-200Gbps • High-performance w/hardware assist • Hardware & software redundancy
Virtual ISRv: • 50 Mbps to 2.5 Gbps • Virtual enterprise-class networking • Run on x86 compute platform
Cisco ENCS: • Service chaining virtual functions • Modular WAN connectivity • Open for 3rd party services & apps • ENFV orchestration & management
MSP: SD-WAN Deployment Options
Deployment Model | Virtual Managed Services (VMS) | Cisco NSO + Core NG SDWAN FPs