Cisco SD-WAN in Service Provider networks

Faisal Chaudhry, Principal Architect
Stefan Olofsson, Technical Solutions Architect

BRKSPG-2017

Cisco Webex Teams

Questions? Use Cisco Webex Teams to chat with the speaker after the session.

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

BRKSPG-2017 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Scope of Presentation

• Focus of the session:
   How SPs are using Cisco SD-WAN
   Experiences from deployments
   Automation, Orchestration, API ….
   Complementary products for E2E service
• Not planning to cover:
  x Details & features
  x How to configure

Diagram: SD-WAN Components, API
Agenda

• Overview of Cisco SD-WAN
• Deployment Models
• End to End Service Orchestration
• Managed Services Accelerator (MSX)
• Programmability & Automation
• Cisco SD-WAN & existing MPLS/Campus networks
Cisco SD-WAN Overview

Software Defined WAN – Transport Independence

Diagram: Site 1, Site 2 and Site 3 connected over MPLS and INET transports, together with Public Clouds (SaaS/IaaS).

Software Defined WAN – Transport Independence

Diagram: SD-WAN Fabric spanning 4G, MPLS and INET; Site 1, Site 2 and Public Clouds joined by IPSec Tunnels.

Software Defined WAN – Intelligent traffic routing

App-Aware Routing (TE, SLAs):
• App1 via MPLS
• App2 via INET

Diagram: Site 1 to Site 2 and Public Clouds over 4G, MPLS and INET; APP1 steered onto MPLS, APP2 onto INET.

Software Defined WAN – Segmentation

Diagram: VPN1 and VPN2 kept separate end to end across 4G, MPLS and INET between Site 1, Site 2, Site 3 and Public Clouds.

Software Defined WAN – Centralized Mgmt

Provision

Diagram: the same segmented topology (VPN1, VPN2 over 4G, MPLS, INET; Site 1, Site 2, Site 3, Public Clouds), provisioned centrally.

Software Defined WAN – Centralized Mgmt

Provision   Policy

Diagram: the same segmented topology, with policy applied centrally.

Software Defined WAN – Security

Provision   Policy   Security   Analytics

• VPN Based Security policies (Stateful FW)
• IPS
• AMP

Diagram: the same segmented topology (VPN1, VPN2 over 4G, MPLS, INET; Site 1, Site 2, Site 3, Public Clouds).

Software Defined WAN – Overlays

Diagram: overlay topologies – Hub & Spoke, Mesh, Direct Internet Access, Regional (DC and Sites 1–3).
Software Defined WAN – Products

• Orchestration Plane: vBond
• Management Plane: vManage
• Control Plane: vSmart
• Data Plane: vEdge, cEdge (WAN Edge) in Data Center, Campus, Branch and Home Office, over 4G, MPLS and INET transports

Controllers – Deployment

• On-Premise: vBond, vManage, vSmart as VMs on ESXi or KVM on a Physical Server
• Hosted: vBond, vManage, vSmart in a Public Cloud (AWS or Azure)

Cisco SD-WAN Fabric Operations

Diagram: vSmart distributes Policies over OMP; vManage, vBond and vSmart reach the WAN Edges over DTLS/TLS Tunnels; the WAN Edges run OMP to vSmart and carry VPN1 and VPN2 across MPLS and INET inside IPSec Tunnels monitored by BFD.
Deployment Models

SD-WAN Controller Hosting Models

• Cloud hosted
   AWS or Azure
   Single or Multiple Availability Zones
   Recommended Model
• Cloud hosted + On prem
   Public Cloud, Private Cloud and/or DC
   IP connectivity between transport domains required
   Currently Not Supported
• On prem only
   Private Cloud or DC
   Public and Private still supported
   Specific design considerations required
SD-WAN Tenant Hosting Models

• Single Tenant
   Tenant Dedicated Controllers
   Single Tenant Operations
   Single Tenant Visibility
• Virtualized Single Tenant (“Micro-tenancy”)
   VPN Anchored Tenants
   Single Tenant Operations
   Multi-Tenant visibility
• Multi-tenant
   Natively Multi-tenant Controllers / Orchestration
   Multi-tenant Operations
   Multi-tenant visibility

Diagram: each model shown with tenant sites carrying VPN 1 and VPN 2.
SD-WAN Single Tenant Virtualization
Aka RBAC by VPN / Micro-tenancy
• Single Overlay Network supporting VPN anchored tenancy
• Single Set of Controllers
• vManage provides Admin Access and VPN Group View Access (Read Only)
• Target Use is environment where a single network would support several lightweight tenants (e.g. Airports)

Roles

Operational Admin*
Create VPN dashboards
• Create/discover VPN segments in a network
• Create VPN groups
• VPN dashboard for each VPN group
Define VPN group access
• Link user group to VPN group
• Create users with access to VPN group
*Full Access to standard vManage Dashboard

VPN Group Operator
Monitor Access to VPN Dashboard only
• Monitor devices, network, and application status via VPN dashboard
• VPN dashboard information restricted to devices with segments in VPN group
• Monitor option restricted to devices with segments in VPN group
• Interface monitoring on device restricted to interfaces of segments in the VPN group
SD-WAN Single Tenant Virtualization
VPN Group Operator Dashboard

Screenshot: VPN Group: Better Airways (VPN 1, 2). VPN details: “Better Airways Subtenant access and setup for Ticketing and Guest WiFi service.” Panels: Device health status; Application status.
SD-WAN Multi-Tenancy
Native Multi-Tenancy Enabled via Different Platforms

Diagram: Provider Layer with Multi-tenant Orchestration and Management (vManage, vBond) and Multi-tenant and Multi-Service Orchestration and Management (MSX); Tenant Layers (Tenant 1, Tenant 2, Tenant 3), each with MSX and Containerized Routing Controllers (vSmart); Single Tenant Data Plane carrying VPN 1 and VPN 2; all in a Hosting Facility (Cloud/DC). (Limited EFT Availability Only)
SD-WAN Multi-Tenancy
Native Multi-tenancy Platform (Limited EFT Availability)
• vManage / vBond Natively Multi-tenant
   Provider and Tenant views for mission specific administration
   Clustered deployment for scale and redundancy
   Dynamic Tenant Creation with sizing checks
• vSmart Containerized for tenant sizing flexibility
   vSmarts can be deployed in Containerized or VM format per tenant
   Single Tenant operation to ensure control plane stability during any condition
• Single Tenant WAN Edge
   WAN Edges are always single tenant
   Multi-tenant devices possible with VNF platforms

MSX Platform is available and will be discussed later in this presentation
SD-WAN Controller Scalability
Same Principles Apply for Cloud and On-Prem

vBond – Horizontal Scaling with no inter-vBond dependencies
• Used for initial node bringup and TLOC bringups only
• Every vBond node is always Active
• Recommended ratio 2000:1 WAN Edge to vBond

vSmart – Horizontal Scaling with full mesh of peering b/t vSmarts of the same tenant
• Provides OMP control plane services (Routing, Security, Policies and Services)
• Active/Active Redundancy with WAN Edge intelligent session distribution (disabled by default)
• Recommended ratio 4000:1 TLOCs to vSmart

vManage – vManage Clustering for Scale and Redundancy
• Provides Orchestration and Management Services
• Active/Passive Cluster Redundancy with WAN Edge intelligent session distribution
• Recommended ratio 2700:1 WAN Edge to vManage
SD-WAN Controller Redundancy
Same Principles Apply for Cloud and On-Prem

vBond (Active / Active)
• No Shared State
• DNS FQDN to cover multiple vBonds (e.g. vbond.enterprise.com)

vSmart (Active / Active)
• OMP Mesh amongst all active vSmarts
• vSmart dynamic discovery via vBond
• No configuration Required

vManage (Active / Standby)
• Active / Standby Cluster Architecture (Improved in 19.2)
• Clusters are maintained from within vManage
• Database synchronization (DB Sync) required b/t Active/Standby
End to End Service

End to End Service Orchestration

Diagram: Enterprise Controllers (vManage, vSmart, vBond); Centralized Services – Underlay Transport (MPLS, INET), Internet Breakout, Security, Cloud Access, Unified Communications, Remote Access; DC (CPE, Transport, VPNs, Extranets, Routing, Services); Branch (CPE, Transport, VPNs, Routing, Services) with Virtualized CPE and Physical CPE.
End to End Service Orchestration
SD-WAN Controllers (vManage, vSmart, vBond)

• On-Prem: Requires dedicated Platform for Private Orchestration
• Public Cloud: Provided by Cisco as part of ordering a new Enterprise Overlay

Instantiation and Lifecycle Management (LCM); including auto-healing, scale-out, configuration management …
End to End Service Orchestration
SD-WAN CPEs (DC / Branch)

Flow: Validate Device → ZTP/PNP → Initial Bring-up → Apply Config → Transport → Enable Services (against vManage, vSmart, vBond)

• Zero Touch Provisioning for Virtual CPE and Physical CPE
• VNF Management and Chaining
• Configuration Templates
• Life-cycle Management (LCM) for VNFs, Services and Infrastructure
• Telemetry
End to End Service Orchestration
Underlay Transport and Network Services

Diagram: SD-WAN Routing into INET and MPLS transports, NTE, VPC/VNET and Shared Services; VRF/VPN Routing / Leaking, Policies, SaaS.

End to End Service Orchestration
MSX   3rd party
NSO and MSX

Managed Services Accelerators
• Service Creation & Delivery Platform
• Full Stack solution integrates with OSS/BSS
• Orchestration + User/Operator Portal, Service Monitoring, Identity Mgmt, Logging & Alarms …
• Provides Pre-built Service Packs for SD-WAN, vBranch …
• Also available as SaaS offering
• Reduce Development costs & Time to offer

Network Services Orchestration (NSO)
• Multi-vendor service orchestrator
• 100s of customers in large global ENTs and SPs
• Automation Use-cases: existing and NGN
• Provides DIY capabilities
• Pre-built packages (aka Core Function Packs)

NSO Core Function Pack (CFP)

NSO Core Function Packs (CFPs) accelerate automation and service to market speed with Cisco developed and supported prebuilt onboarding and configuration packages.
End to End Service Orchestration: NSO

Diagram: northbound CLI, REST and UI into NSO; southbound NETCONF, CLI and REST to vManage, ACI, other Controllers and EMS, Physical Networks and Virtual Networks.

End to End Service Orchestration: NSO

Diagram: as above, with NSO Service Models layered over Device Models between the northbound (CLI, REST, UI) and southbound (NETCONF, CLI, REST) interfaces.

End to End Service Orchestration: Layered Services Architecture (LSA)

Diagram: Customer facing Services (CFS) as high-level Service Models, decomposed into Resource facing Services (RFS).
NSO SD-WAN Core Function Pack (CFP)

NSO Core Function Packs (CFP)

Diagram: Cisco Network Services Orchestrator hosting the SD-WAN CFP, the NFVO CFP and a Custom Service Model combining the SD-WAN + vBranch CFP.

• Ready-made implementations for specific features: NFVO, ENFV, SD-WAN, SAE
• Productized, TAC supported
NSO SD-WAN CFP: Control plane events

1 Create vManage, vBond, vSmart with day0 config file & apply root-certs
2 Generate CSR for vManage
3 Generate CSRs for vBond, vSmart and add (configure) on vManage
4 Sign CSR (CA server)
5 Install signed Certificates on Controllers
6 SD-WAN Control Plane up

Diagram: NSO driving the controllers and the CA server in the DC.
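The certificate part of this flow (steps 1 to 5) is worth seeing as working code, because it is where the controllers' identities and the trust between them are established. The block below is an added example, not code from the deck, from NSO or from the SD-WAN CFP: it re-creates the steps offline with the `cryptography` Python package (an assumption), with constructed controller hostnames and organisation name. The point it shows is that each controller keeps its own private key and only the CSR travels to the CA, and that the CA, not the requester, decides the certificate's extensions before the result is checked against the root and installed.

```python
"""Added example: the certificate bring-up from steps 1-5 above, re-created
offline with the `cryptography` package.  Not code from the deck, from NSO or
from the SD-WAN CFP; hostnames and organisation name are constructed."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Constructed controller names for the three control-plane roles.
CONTROLLERS = ["vmanage.example.net", "vbond.example.net", "vsmart.example.net"]


def _name(org, cn):
    return x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
        x509.NameAttribute(NameOID.COMMON_NAME, cn),
    ])


def make_root_ca(org="Example SP"):
    """Step 1: the enterprise root CA whose certificate is pushed to every
    controller as the trust anchor (path_length=0: no intermediate CAs)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = _name(org, f"{org} Root CA")
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=True, key_cert_sign=True, crl_sign=True,
            content_commitment=False, key_encipherment=False, data_encipherment=False,
            key_agreement=False, encipher_only=False, decipher_only=False), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_csr(hostname, org="Example SP"):
    """Steps 2-3: each controller generates its own key pair and CSR; the
    private key never leaves the node, only the CSR goes to the CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(_name(org, hostname))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, csr


def sign_csr(ca_key, ca_cert, csr, days=365):
    """Step 4: the CA signs the CSR.  It checks the CSR's self-signature
    (proof of possession of the key) and sets the extensions itself, so a
    request cannot ask for CA status or unrelated key usages."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify")
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(csr.subject).issuer_name(ca_cert.subject)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(san, critical=False)
        .add_extension(x509.ExtendedKeyUsage(
            [ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def verify_against_root(cert, ca_cert):
    """Step 5 check before installing: issued by our root, signature valid,
    and an end-entity certificate (not another CA)."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except Exception:
        return False
    return not cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca


def common_name(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def bring_up_control_plane(hostnames=CONTROLLERS):
    """Run steps 1-5 for every controller; returns the root cert and a
    {hostname: (private_key, certificate)} map ready for installation."""
    ca_key, ca_cert = make_root_ca()
    issued = {}
    for host in hostnames:
        key, csr = make_csr(host)
        cert = sign_csr(ca_key, ca_cert, csr)
        if not verify_against_root(cert, ca_cert):
            raise RuntimeError(f"issued certificate for {host} failed verification")
        issued[host] = (key, cert)
    return ca_cert, issued
```

In the orchestrated flow the CA is an external server, so `sign_csr` is the one function that would be replaced by a call to it; `verify_against_root` is the check an orchestrator should run on what comes back before step 5 installs anything, since a certificate issued by the wrong root or carrying the CA bit would otherwise be trusted by every controller in the overlay.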
NSO SD-WAN CFP: WAN Edge events

1 Upload Edge SN to vManage
2 Get list of un-used Edges
3 Instruct vManage to generate bootstrap (day0) config file
4 Get Bootstrap config file
5 Create Edge + VMs with day0 config (ENCS at Site 1)
6 Edge to SD-WAN controllers + sync

Diagram: NSO in the DC driving vManage and the ENCS at Site 1.
Managed Services Accelerator (MSX)

Orchestration and more?

Diagram: MSX platform services – Identity Mgmt, Device Mgmt, Data Platform, Billing System, Catalog, Message Handler, UI Frontend, Service Lookup – managing a Virtualized CPE at Site 1 from the DC.

MSX Platform

Diagram: OSS / BSS Integration over UI / API into the MSX Platform; service packs for IOT, SDA, Branch NFV, SD-WAN, SPN, SP DC NFV, Cloud, Meraki, Umbrella, Collab; platform services Identity Mgmt, Device Mgmt, Data Platform, Billing System, Catalog, Message Handler, UI Frontend, Service Lookup.
MSX Platform – SP OSS/BSS

1 MSX Multi-tenancy, SD-WAN Controller on-boarding
2 Public Cloud, MSX on-boarding
3 MSX vBranch support, WAN Edge VNFs
4 MSX OSS/BSS APIs (MSX micro-service)

Diagram: MSX tenants (Tenant 1, Tenant 2, Tenant 3, Tenant 4); MSX vBranch (ENCS) hosting 3rd Party VNFs, ASAv, FTDv and WAN Edge; Cisco SD-WAN Controllers in the Data Center (DC); Viptela SD-WAN Fabric over 4G, MPLS and INET; Sites with WAN Edge (vEdge/cEdge) and vEdge in Public Cloud.
Programmability & Automation of Cisco SD-WAN

Programmability
Fault Mgmt / operations   Native APIs   Ansible   Scripting (Python)

Native APIs: https://vManageIP:8443/apidocs

Diagram: OSS/BSS calling the vManage REST API; vManage in front of vSmarts and vBond.
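As an added example of the native REST API path shown above (not code from the deck and not Cisco's python-viptela SDK), the block below is a minimal vManage client written with the Python standard library only. It assumes the login endpoint `POST /j_security_check` (form fields `j_username`/`j_password`), the token endpoint `GET /dataservice/client/token` and the inventory endpoint `GET /dataservice/device`, all documented at the `/apidocs` URL on port 8443; the device JSON in `SAMPLE_DEVICE_JSON` is constructed, as are the hostnames and versions in it. Two points matter from an operations standpoint: a failed login comes back as HTTP 200 with the HTML login page rather than a 4xx, so the body must be inspected, and TLS verification is kept on against the enterprise root CA rather than disabled for the controller's certificate.

```python
"""Added example, not from the deck or from Cisco's python-viptela SDK: a
stdlib-only vManage REST client (login, XSRF token, device inventory) plus a
'Get Device facts' summary.  Endpoint paths are the documented ones behind
https://<vManage>:8443/apidocs; SAMPLE_DEVICE_JSON is constructed data."""
import http.cookiejar
import json
import ssl
import urllib.parse
import urllib.request
from collections import Counter

# Constructed sample of what GET /dataservice/device returns (fields trimmed).
SAMPLE_DEVICE_JSON = json.dumps({
    "data": [
        {"host-name": "vmanage-1", "device-type": "vmanage", "reachability": "reachable", "version": "19.2.1"},
        {"host-name": "vsmart-1", "device-type": "vsmart", "reachability": "reachable", "version": "19.2.1"},
        {"host-name": "vbond-1", "device-type": "vbond", "reachability": "reachable", "version": "19.2.1"},
        {"host-name": "site1-edge", "device-type": "vedge", "reachability": "reachable", "version": "19.2.1"},
        {"host-name": "site2-edge", "device-type": "vedge", "reachability": "unreachable", "version": "18.4.3"},
    ]
})


def login_form(username, password):
    """Body for POST /j_security_check: form-encoded, not JSON."""
    return urllib.parse.urlencode({"j_username": username, "j_password": password}).encode()


def login_succeeded(status, body):
    """vManage answers a rejected login with HTTP 200 and the HTML login page,
    so the status code alone proves nothing; a successful login has an empty body."""
    return status == 200 and b"<html" not in body.lower()


def summarize_devices(device_json):
    """'Get Device facts': per-type counts, unreachable hosts and the version spread."""
    devices = json.loads(device_json)["data"]
    return {
        "by_type": dict(Counter(d["device-type"] for d in devices)),
        "unreachable": sorted(d["host-name"] for d in devices if d["reachability"] != "reachable"),
        "versions": sorted({d["version"] for d in devices}),
    }


class VManageClient:
    """One authenticated session against a vManage.  ca_bundle is the enterprise
    root CA that signed the controller certificates, so verification stays on."""

    def __init__(self, host, ca_bundle, port=8443):
        self.base = f"https://{host}:{port}"
        ctx = ssl.create_default_context(cafile=ca_bundle)
        self.jar = http.cookiejar.CookieJar()  # holds the JSESSIONID cookie after login
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPSHandler(context=ctx),
            urllib.request.HTTPCookieProcessor(self.jar))
        self.xsrf = None

    def _call(self, method, path, data=None, headers=None):
        req = urllib.request.Request(self.base + path, data=data, method=method, headers=headers or {})
        if self.xsrf:
            req.add_header("X-XSRF-TOKEN", self.xsrf)
        with self.opener.open(req, timeout=30) as resp:
            return resp.status, resp.read()

    def login(self, username, password):
        status, body = self._call("POST", "/j_security_check", login_form(username, password),
                                  {"Content-Type": "application/x-www-form-urlencoded"})
        if not login_succeeded(status, body):
            raise PermissionError("vManage rejected the credentials")
        # 19.2 and later require an XSRF token on state-changing calls.
        _, token = self._call("GET", "/dataservice/client/token")
        self.xsrf = token.decode()

    def device_facts(self):
        _, body = self._call("GET", "/dataservice/device")
        return summarize_devices(body)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; against a real controller:
    # c = VManageClient("vmanage.example.net", "/path/to/enterprise-root-ca.pem")
    # c.login("user", "password"); print(c.device_facts())
    print(summarize_devices(SAMPLE_DEVICE_JSON))
```

The summary is the kind of fact an OSS/BSS poller would keep: device types present, edges that have lost control connections, and whether the fleet runs a single software version. The same session object, with the XSRF token set, is what template and policy calls (the Ansible role functions on the next slide) would be issued through.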
Programmability – Ansible

Role functions
• Add Controllers
• Set Organization Name
• Set vBond
• Set Enterprise Root CA
• Get Controller CSR
• Install Controller Certificate
• Install Serial File
• Export Templates
• Import Templates
• Add/Change/Delete Templates
• Attach Templates
• Export Policy
• Import Policy
• Add/Change/Delete Policy
• Activate Policy
• Get Template facts
• Get Device facts

Ansible
• Ease of use, config mgmt. & IT automation tool
• Agentless
• Run tasks sequentially
• Idempotent

Diagram: Ansible driving vManage, vSmarts and vBond.
References
• DEVNET main page: https://developer.cisco.com/sdwan/
• DEVNET DevOps: https://github.com/CiscoDevNet/sdwan-devops
• Ansible with SD-WAN: https://github.com/CiscoDevNet/ansible-viptela
• Python SDK: https://github.com/CiscoDevNet/python-viptela

MPLS & Campus Interworking

Existing IP/MPLS network

Diagram: Centralized Controllers (vBond, vSmart, vManage) with Regional vBond, vSmart; EMEA, US/NA and APJC Regions each with MPLS and INET transports; SP Core with Regional IP/MPLS Hub Site(s); Full Mesh IPSec in Region. Choice of WAN Edge based upon scalability, performance …
Existing IP/MPLS network

1) BGP/MPLS Peering
2) End to End SD-WAN

Diagram: OMP between the WAN Edges and the controllers, BGP towards the Regional BGP/MPLS Hub Site(s) in the SP Core; EMEA, US/NA and APJC Regions over MPLS and INET; Full Mesh IPSec in Region.
SDA Campus & SD-WAN network ROADMAP

Diagram: SDA Campus site (SDA Fabric with B and C nodes; LISP / BGP, VXLAN) – SD-WAN Fabric (OMP, IPSec) – SDA Branch (SDA Fabric with B and C nodes; LISP / BGP, VXLAN).
Thank you
