
What's New
SD-WAN v20.9 / 17.9

Telefonica
September 2022

At-A-Glance: 20.9/17.9 Features
• Infrastructure & Services
• Operational
• Cloud Networking
• Security
• vManage (User Experience)

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Infra, Platform & Services

Tiered Transport Preference in AAR and Data Policy
Platform support: vEdge: no; cEdge: yes

Problem
• AAR and Data policy support the notion of preferred color and local-tloc-preference respectively.
• If all of these colors satisfy the SLA for an AAR policy, for example, traffic gets hashed across all the compliant colors. There is no way to prioritize this set of colors in order to avoid hashing across all available links.

Solution
• From the 17.9/20.9 IOS-XE SD-WAN release onwards, an enhancement provides three levels of priority for preferred colors.
• A Preferred Color Group list needs to be configured, in which three levels of priority can be defined: primary, secondary and tertiary preference.

[Diagram: vSmart with Central Data Policy; Branch-1-cEdge to DC-cEdge over MPLS (Primary), Biz-internet (Primary), Public-internet (Secondary) and LTE (Tertiary); Client 192.168.21.1/24, Server 10.1.1.1]

Caveats
None
AAR and Data policy for IPv6
Platform support: vEdge: no; cEdge: yes

Problem
• The SD-WAN solution currently enforces AAR and Data policy for IPv6 traffic by matching on a prefix-list, as that is the only available option.
• IPv6 traffic cannot be classified using an Application name/List or a DNS Application list under the policy.

Solution
From SD-WAN IOS-XE v17.9 onwards, IPv6 traffic classification has been extended to match IPv6 traffic using NBAR classification. The following attributes are now supported:
a) Application/Application Family List
b) DNS Application List

[Diagram: vSmart with Central Data Policy; Branch-1-cEdge to DC-cEdge over INET/MPLS, VPN1; IPv6 AAR & Data policy matching on IPv6 Application name/Application List and IPv6 DNS Application List; Client-A 2001:1::10/64, Enterprise Server 2020:1::10/64]

Caveats
Cloud SaaS Application list is not supported.
Support for Static NAT mapping with HSRP
Platform support: vEdge: no; cEdge: yes

Problem
In an HA deployment scenario where HSRP is used, NAT (DIA) traffic that fails over from the Active router to the Standby router has to wait for ARP to time out. This delays the traffic being NATed by the newly elected Active router, which affects delay-sensitive traffic.

Solution
• SD-WAN IOS-XE v17.9 solves the above-mentioned problem by supporting Static NAT mapping with HSRP.
• With this enhancement, using Static NAT mapping support for HSRP, failover is ensured without having to time out and repopulate upstream ARP caches in a high-availability environment.
• HSRP router pairs must have identical NAT configuration for redundancy; this is mandatory.

Sample configuration (from the slide, BR30-cEdge1):
  interface GigabitEthernet3
   vrf forwarding 1
   ip address 10.30.1.1 255.255.255.0
   standby version 2
   standby 100 ip 10.30.1.254
   standby 100 name hsrp_lan
   standby 100 preempt
   standby 100 priority 160
  !
  ip nat outside source static 99.1.1.1 100.1.1.200 vrf 1 redundancy hsrp_lan match-in-vrf

[Diagram: vSmart with Central Data Policy; BR30-cEdge1 (HSRP Active) and BR30-cEdge2 (HSRP Standby), each with Gig3 to a LAN switch serving Client 192.168.22.10/24, and INET/MPLS uplinks towards an Internet Server]

Caveats
Not supported for IPv6.
ALG support for NAT and Firewall
Platform support: vEdge: no; cEdge: yes

Problem
The SD-WAN solution currently does not support an Application-Level Gateway (ALG) to NAT the IP address embedded in the payload of application packets. This prevents the application traffic from being subjected to the firewall actions that are necessary to offer granular security control over it.

Solution
SD-WAN IOS-XE v17.9 now supports NAT ALG for DIA use cases only. The following applications are covered in this release:
• FTP
• DNS
• SIP
• NAT ALG interoperates with ZBFW if it is enabled.

[Diagram: vSmart with Central Data Policy; BR20-cEdge1 with FTP Client 192.168.21.2/24 reaching an IPv4 FTP Server 21.21.21.6 over INET/MPLS; S = 192.168.21.2, D = 21.21.21.6; NAT translates the address embedded in the payload as well]

Caveats
• No Feature template support.
• Only DIA NAT is supported.
PPP/Dialer interface support for DIA NAT
Platform support: vEdge: no; cEdge: yes

Problem
• Previously the PPP/Dialer interface had only partial support for DIA NAT and did not cover all types of PPPxxx interfaces.
• This caused interruptions in the inter-operation of DIA NAT for these interface types, as DIA NAT could only be used selectively with specific types of Dialer/PPP interfaces.

Solution
SD-WAN IOS-XE v17.9 now provides full support for NAT DIA use cases that spawn a logical Dialer interface on the IOS-XE SD-WAN platform (Ethernet PPPoE, DSL PPPoE, PPPoA, PPPoEoA, IPoE).

[Diagram: vSmart with Central Data Policy; BR20-cEdge1 as PPPoE Client with Client-1 192.168.21.2/24 behind it, PPP over Ethernet across DSL/Ethernet to a DSLAM and a Broadband Remote Access Server acting as PPPoE Server, then to the INTERNET]

Caveats
• IPv6 over PPPoE is not supported.
• With "ip unnumbered", the DIA tracker will not work.
Inter Service VPN Route-Leaking
Platform support: vEdge: yes; cEdge: yes

Problem
• The SD-WAN solution only supports route-leaking between a Service VPN and the Transport VPN, and vice versa.
• Inter-Service VPN routes can only be leaked using the OMP Extranet method, which involves vSmart, needs extra policy configuration and is susceptible to scaling issues.
• Service VPN to Service VPN route-leaking is not supported within the edge router at the same site, which many customers required for inter-VPN route-leaking.

Solution
• SD-WAN IOS-XE v17.9 now supports route-leaking between different Service VPNs within the same edge router.
• It uses the same workflow as route-leaking between a Service VPN and the Transport VPN (and vice versa): the route is leaked/replicated first and then redistributed into the respective routing protocol.

[Diagram: vSmart with Central Data Policy; BR20-cEdge1 with Gig5 in VPN1 towards Core Router 1 (1.1.1.0/24) and Gig6 in VPN2 towards Core Router 2 (2.2.2.0/24); DC-cEdge reached over INET/MPLS. VPN2 routing table after leaking: 2.2.2.0/24 Direct, 1.1.1.0/24 from VPN1]

Caveats
• Not supported for IPv6 routes.
NAT DIA Port-forwarding
Platform support: vEdge: yes; cEdge: yes

Problem
• In order to perform port-forwarding for DIA traffic, the only approach was to use static 1:1 NAT.
• This was problematic because static 1:1 NAT opens up all ports, which then had to be blocked using route-policies/ACLs for additional security.

Solution
SD-WAN IOS-XE v17.9 now supports port-forwarding for DIA use cases. The following ways of NAT DIA port-forwarding are supported:
1) With a public address using a Pool
2) With port translation (e.g., source port 80 : translated port 8080)
3) With the interface IP address

Sample configuration (from the slide, BR10-cEdge1):
  ip nat inside source static tcp 1.1.1.1 80 172.11.10.1 8080 vrf 1 egress-interface GigabitEthernet1

[Diagram: vSmart with Central Data Policy; BR10-cEdge1 with Server 1.1.1.1:80 on Gig5 in VRF 1, reachable from the INET Client as 172.11.10.1:8080 via Gig1]

Caveats
• Loopback interfaces are not supported.
• Dialer virtual interfaces are not supported.
• SD-WAN NAT reserved ports and Voice reserved ports (if enabled) cannot be used for DIA NAT port-forwarding.
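The security point of this slide is the difference in inbound exposure between a static 1:1 mapping and the new port-forwarding rule. The following Python model is an added example, not Cisco code: it applies both kinds of rule to a constructed set of inbound probes aimed at the slide's inside-global address (172.11.10.1, server 1.1.1.1:80 behind it). The reserved-port set used by the last function is a constructed placeholder, not the real SD-WAN reserved list.

```python
"""Added example (not Cisco code): compare the inbound attack surface of a
static 1:1 NAT entry with a NAT DIA port-forwarding entry.

Addresses/ports come from the slide:
  ip nat inside source static tcp 1.1.1.1 80 172.11.10.1 8080 vrf 1 egress-interface GigabitEthernet1
All probe packets below are constructed sample input.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NatRule:
    """One 'ip nat inside source static' entry.

    With proto/local_port/global_port left at None the rule is a 1:1
    mapping and every inbound port reaches the inside host. With them set,
    only one (proto, global_port) pair is translated.
    """
    inside_local: str
    inside_global: str
    proto: Optional[str] = None
    local_port: Optional[int] = None
    global_port: Optional[int] = None

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip != self.inside_global:
            return None                      # not our public address
        if self.proto is None:               # static 1:1: all ports exposed
            return Packet(pkt.proto, self.inside_local, pkt.dst_port)
        if pkt.proto == self.proto and pkt.dst_port == self.global_port:
            return Packet(pkt.proto, self.inside_local, self.local_port)
        return None                          # no translation, dropped at NAT


# Old approach: static 1:1 (had to be fenced with ACLs afterwards).
STATIC_1TO1 = NatRule("1.1.1.1", "172.11.10.1")
# 17.9 port-forwarding entry from the slide: public 8080 -> server 80, tcp only.
PORT_FORWARD = NatRule("1.1.1.1", "172.11.10.1",
                       proto="tcp", local_port=80, global_port=8080)

# Constructed inbound probes from the Internet side.
SAMPLE_PROBES: List[Packet] = [
    Packet("tcp", "172.11.10.1", 22),
    Packet("tcp", "172.11.10.1", 8080),
    Packet("udp", "172.11.10.1", 8080),
    Packet("tcp", "172.11.10.1", 80),
]


def exposed_ports(rule: NatRule, probes: List[Packet]) -> List[Tuple[str, int]]:
    """Return the (proto, port) pairs that the rule lets through to the server."""
    return [(p.proto, p.dst_port) for p in probes
            if rule.translate_inbound(p) is not None]


# Placeholder: the real reserved-port list is not on the slide.
RESERVED_PORTS_PLACEHOLDER: FrozenSet[int] = frozenset({12345})


def conflicts_with_reserved(rule: NatRule, reserved: FrozenSet[int]) -> bool:
    """Slide caveat: a port-forward may not use SD-WAN/Voice reserved ports."""
    return rule.global_port is not None and rule.global_port in reserved


if __name__ == "__main__":
    print("static 1:1 exposes :", exposed_ports(STATIC_1TO1, SAMPLE_PROBES))
    print("port-forward exposes:", exposed_ports(PORT_FORWARD, SAMPLE_PROBES))
```

Running it shows the 1:1 rule passing every probe (22, 8080/tcp, 8080/udp, 80) to the inside server, while the port-forwarding rule passes only tcp/8080, rewritten to 1.1.1.1:80; the ACL fencing the slide mentions for the 1:1 case is no longer needed for the other ports.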
Multi-Region Fabric (MRF) SD-WAN
Platform support: vEdge: yes; cEdge: yes

Problem
Global Enterprise and MSP customers can have SD-WAN fabrics that span several regions and geographies.
Customers then attempt to build an OMP core on top of such middle-mile networks to extend and obtain the benefits of SD-WAN, e.g., performance monitoring, dynamic traffic steering, path visibility, etc.
But converting a flat SD-WAN overlay to a hierarchical overlay results in:
• Complex routing/control policies for inter-region routing
• Blackholing scenarios
• Multiple re-distribution points, loss of attributes
• Scale limitations

Solution
17.7/20.7 introduces a 2-level hierarchical SD-WAN fabric capability.
It provides the additional constructs of Regions and Core and the necessary automation to adapt to a hierarchical topology out of the box.

[Diagram: Core region vSmart and a shared Regional vSmart; Access Regions West Region 1, East Region 2 and South Region 3 attached through Border routers to a full-mesh CORE Region built on MSP/Megaport middle mile; Edge routers inside each Access Region]

Caveat / Prerequisites
No end-to-end AAR.
At 17.7/20.7, supports Greenfield deployment only.
Multi-region Fabric (MRF) Brownfield Migration Support
Platform support: vEdge: yes; cEdge: yes

Problem
Many existing SD-WAN deployments have the concept of a region, but it is achieved indirectly using complex control policies or by using BGP in the core and doing mutual redistribution between BGP and OMP.

Solution
20.9/17.9 provides knobs and constructs to support and ease this migration process by providing default or non-migrated region rule relaxation and support for migration with both OMP and BGP cores with minimum downtime.

[Diagram: Core region vSmart, Regional vSmart and a Default Region vSmart (serving the non-MRF migrated network); a non-migrated Access region with BGP/OMP redistribution at its ER/BR, migrated Access Regions West Region 1, East Region 2 and South Region 3 around the CORE Region; control connections from the non-migrated ER to the default vSmart; seamless communication between migrated and non-migrated regions. Legend: ER = Edge router, BR = Border router]

Caveats
BGP-based core migration is planned for 20.9.2.
Migration planning should be well thought out for every network, in addition to the guidance from this feature.
Multi-region Fabric Router Affinity Intelligent Filtering
Platform support: vSmart: yes

Problem
17.8/20.8 introduced an OMP knob, 'filter affinity-preference outbound enable', on the vSmart. If this knob is configured, vSmart takes the affinity-preference configuration on the peer device to decide whether to send a path to that device or not: only paths with an affinity value that is present in the device's affinity-preference list are sent to that peer device, and all other paths are dropped.
However, the problem is that vSmart does not guarantee any ordering of outbound advertisements based on the preference value after filtering, and sends the allowed affinities in any order to the routers requesting affinity preferences.

Solution
20.9/17.9 introduces the option to further enhance the filtering capabilities of vSmart and intelligently send paths based on the configured affinity preferences.

Example:
Hub1, 2 and 3 each have 4 routers and 4 TLOCs advertising the same prefix. ER11 requests affinity preference values (1,2,3). With the outbound preference filter configured on vSmart, it will first filter out all the routes not matching the requested affinity-preference list and then send the best max-routes based on the preference list order. So vSmart will first fill up the ordered list of best max paths with affinity 1, then 2, and so on until the send-path limit is reached. In this way the notion of affinity preference is also honored for the device requesting it, instead of it receiving an unsorted set of affinity paths. Send-backup paths are also sent based on the affinity preference.

[Diagram: common prefix advertised from three hubs through vSmart (send-path limit = 32) to branch ERs in the Access Region]
  Hubs / TLOCs          Branch (affinity pref)   Paths advertised to ER
  HUB1 AG=1, T1..T4     ER11, AG pref (1,2,3)    AG1=16, AG2=16, AG3=0 (filtered: limit reached)
  HUB2 AG=2, T1..T4     ER12, AG pref (2,1)      AG2=16, AG1=16, AG3=filtered (AG not matching)
  HUB3 AG=3, T1..T4     ER13, AG pref (3)        AG3=16, AG2=filtered, AG1=filtered

Caveats
None
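The two-step behaviour described above (filter by the peer's affinity-preference list, then order by that list and cut at the send-path limit) is small enough to reproduce. The Python below is an added example, not Cisco's vSmart code: it builds the slide's topology (three hubs, each with 4 routers x 4 TLOCs, one common prefix) and computes the per-affinity-group counts that the slide's table shows for ER11, ER12 and ER13. Hub/ER names and the limit of 32 are taken from the slide; the exact vSmart tie-breaking within one affinity group is not on the slide and is assumed to be stable hub order here.

```python
"""Added example (not Cisco code): vSmart outbound affinity-preference
filtering with the 20.9/17.9 ordered send-path behaviour.

A path is the tuple (hub, router, tloc, affinity_group). The topology is
constructed to match the slide: HUB1..HUB3 tagged AG=1..3, each with
4 routers x 4 TLOCs = 16 paths for the common prefix.
"""
from collections import Counter
from typing import Dict, List, Tuple

Path = Tuple[str, str, str, int]


def build_hub_paths() -> List[Path]:
    """Constructed sample data: 48 paths for one common prefix."""
    paths: List[Path] = []
    for hub in (1, 2, 3):
        for router in range(1, 5):
            for tloc in range(1, 5):
                paths.append((f"HUB{hub}", f"R{router}", f"T{tloc}", hub))
    return paths


def select_paths(paths: List[Path], affinity_pref: List[int],
                 send_path_limit: int) -> List[Path]:
    """Return the ordered paths vSmart advertises to one peer.

    Step 1 (17.8/20.8 filter): drop any path whose affinity group is not
            in the peer's affinity-preference list.
    Step 2 (20.9/17.9 enhancement): order survivors by the position of
            their group in that list, most preferred first.
    Step 3: keep at most send_path_limit entries.
    """
    rank = {ag: i for i, ag in enumerate(affinity_pref)}
    allowed = [p for p in paths if p[3] in rank]
    # list.sort is stable, so paths keep hub order within one group (assumption).
    allowed.sort(key=lambda p: rank[p[3]])
    return allowed[:send_path_limit]


def paths_per_group(selected: List[Path]) -> Dict[int, int]:
    """Count advertised paths by affinity group (groups with 0 are absent)."""
    return dict(Counter(p[3] for p in selected))


if __name__ == "__main__":
    topology = build_hub_paths()
    for er, pref in (("ER11", [1, 2, 3]), ("ER12", [2, 1]), ("ER13", [3])):
        chosen = select_paths(topology, pref, 32)
        print(er, "pref", pref, "->", paths_per_group(chosen))
```

For ER11 the limit of 32 is reached after the 16 AG1 and 16 AG2 paths, so AG3 contributes nothing (the slide's "filtered: limit reached"); for ER12 AG3 is dropped at step 1 because it is not in the preference list; for ER13 only the 16 AG3 paths survive.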
MRF SD-WAN Policy Enhancements
Platform support: vEdge: no; cEdge: yes

Problem
20.8 introduces the notion of a secondary region, or direct tunnels. With that, the edge router requires the additional capability and flexibility to create policies based on the region of the traffic destination, to better enforce the intent of app-route and traffic-data policies.
It also needs the capability to prefer paths over direct tunnels matching the SLA, over multi-hop paths, or both, with the additional support of the color priority group feature introduced in 20.9/17.9 for AAR and traffic-data policies.

Solution
20.9/17.9 policy enhancements provide the capability to match traffic based on the flow's destination:
• Primary region (intra-region)
• Secondary region (secondary-region direct tunnels)
• Other (inter-region, multi-hop)
Additionally, they allow the path-preference color group for AAR/traffic-data policies to be set with respect to preferring colors pertaining to:
• direct path
• multi-hop path
• all paths
This capability provides additional flexibility for complex network scenarios and traffic-engineering intents.

[Diagram: ER11 in West Region 1 and ER21 in East Region 2 (both Access Regions) connected by a secondary-region direct tunnel, and via their BRs across the CORE Region by an inter-region multi-hop path]

Caveats
These policy constructs are more relevant to ERs, as direct tunnel capability is not available for BRs.
Multi-Tenancy - Flexible Tenant Placement

Problem
In vManage versions 20.4 to 20.8, when a tenant is created, placement of the tenant onto a vSmart pair is done using an internal algorithm.
The admin user does not have the ability to specify which vSmart pair the tenant should be placed on.
The admin user also does not have the ability to update/edit the vSmart pair the tenant was placed on at a later stage.

Solution
This feature provides the user with the ability to make their own determination of which vSmart pair a tenant should be placed on, and also the ability to change this placement at a later stage.

[Diagram: 20.4 to 20.8: vManage places Tenants on a shared vSmart pair automatically. 20.9 onwards: the Provider-Admin chooses the shared vSmart pair for each tenant in vManage]

Caveats
• None
Operational

Network Wide Path Insight (NWPI)
Platform support: vEdge: no; cEdge: yes; vManage: yes

Use Case
NWPI provides network-wide insights such as network path information, DNS domain discovery and path performance metrics, and helps to validate policy design and gain insight into application performance issues.

Solution
NWPI phase 3 in 20.9/17.9 is further enhanced with an insight summary, which includes a Path Insight overview, Application Performance Insight, Event Insight and QoS Insight.
Flow-level Path Insight provides details on the path selected and on which features/policies determined that routing decision.

[Diagram: NWPI trace of a flow S: 192.168.10.1, D: 192.168.20.2, IPv4, followed across the SD-WAN. NWPI Trace: Insight Summary, Application Performance Insight, Event Insight, QoS Insight, Easy DNS Domain Discovery Workflow]

Caveats
None
SD-WAN Lawful Intercept 2.0
Platform support: vEdge: yes; cEdge: yes

Problem
Starting in release 16.10/18.2, the SD-WAN program embarked on implementing a Lawful Intercept (LI) capability to ensure that Cisco and its Managed Service Provider (MSP) customers can meet their legal and regulatory requirements in markets that mandate LI capability in data products. Feedback was later received from various MSPs and several challenges were identified.

Solution
SD-WAN release 20.9/17.9 addresses the previously reported issues and ensures that the product is fit for market and in compliance with local regulations.

Caveats
20.9 is the first official GA release for this feature.
LI images will not be posted on CCO; they will be available through special request.
HSEC Automation
Platform support: vEdge: yes; cEdge: yes

Problem
Currently, edge devices support installing a Smart Licensing Authorization Code (SLAC) for the HSEC9 license (needed to use more than 250 Mbps of crypto throughput) directly from Cisco Smart Software Manager (CSSM).
When devices are managed by vManage, instead of each device obtaining the SLAC from CSSM, vManage should support SLAC installation on its managed devices.

Solution
With SD-WAN release 20.9/17.9, vManage supports managing HSEC9 license SLAC installation on its managed devices.

Caveats
20.9/17.9 is the first official GA release for this feature.
Cloud Networking

Azure Government
Platform support: vEdge: no; cEdge: yes

Problem
US Government agencies want to extend the SD-WAN fabric and policies to their Azure Government workloads.
They could not deploy Cloud onRamp for Multi-Cloud with Azure VWAN.

Solution
• Cloud OnRamp for MultiCloud now integrates with Azure Government.
• We can now deploy our Catalyst 8000v routers into Azure Government VHUBs.
• We can use the same Cloud onRamp workflows as with Azure.
• Inter-region traffic within Azure Government can use the VWAN backbone.

Caveats
• Azure Government supports only 3 regions.
• No backbone connectivity between Azure and Azure Government.
• Separate cloud provider account.
• Shared Responsibility Model still applies.
CoR Multicloud for AWS Gov Cloud
Platform support: vEdge: no; cEdge: yes

Problem
Currently the CoR Multicloud automation workflow caters to the AWS commercial cloud but not AWS Gov Cloud.
Thus, Gov customers are unable to benefit from CoR Multicloud automation to extend their SD-WAN fabric to the cloud.

Solution
• With SD-WAN v17.9/20.9, we extend CoR Multicloud automation to AWS Gov Cloud.
• Using the CoR Multicloud workflow for AWS Gov Cloud, Gov customers can instantiate a CGW in the Gov Cloud for easy, secure and scalable connectivity to the Gov Cloud.
• The AWS Gov Cloud workflow follows the same steps as the AWS CoR Multicloud workflow.
• Supports all 3 AWS CoR Multicloud CGW solutions, namely: VPN-based, Connect-based, Branch Connect.

[Diagram: workload VPCs attached to the AWS Core Network; a TVPC hosting the CGW connects the AWS Core Network to the Cisco SD-WAN Fabric]

Caveats
• Applies only to the USA Government.
• Will need to associate a Gov Cloud account (different from the commercial cloud account).
C8KV Throughput Performance Improvement in AWS
Platform support: vEdge: no; cEdge: yes

Problem
Some customers have high throughput requirements for public cloud connectivity.
Competitors like Aviatrix claim, for example with "insane mode", throughput of about 25-30 Gbps without naming packet size and other technical details.

Solution
• With SD-WAN v17.9/20.9, c8kv can use the c5n.18xlarge VM type.
• IMIX performance improvement: from 6 Gbps to 7.9 Gbps.

[Chart 1: SD-WAN IPsec (IMIX) Throughput Performance in Mbps for C5n.9xlarge, C5n.4xlarge and C5n.2xlarge, XE17.6 vs XE17.7; plotted values 6030, 4110, 3990, 2840, 2570, 2510]
[Chart 2: c5n.18xlarge SD-WAN Throughput Performance (IMIX) in Mbps, SD-WAN IPsec and SD-WAN IQDF; plotted values 7870 and 7540]

Caveats
• Preliminary numbers from an engineering build; official numbers are subject to change and are typically available 4 weeks after FCS.
Cloud onRamp Multicloud – GCP horizontal Scale
Platform support: vEdge: no; cEdge: yes

Problem
Cloud onRamp for Multicloud supports only two c8kv acting as SD-WAN routers on GCP.
This could lead to insufficient bandwidth.

Solution
17.9 introduces the ability to spin up up to 8 Catalyst 8000v SD-WAN routers as part of Cloud Gateway creation, which addresses high bandwidth requirements for GCP.

Caveats
• The number of c8kv routers per region is between 2 and 8.
• Static configuration; no dynamic scaling based on utilization or other KPIs.
CoR Multicloud: SDCI connectivity to CGW
Platform support: vEdge: no; cEdge: yes

Problem
Currently, Cloud onRamp Multicloud automation for Interconnect extends the SD-WAN fabric only as far as the ICGW and not to the CSPs. Thus, the benefits of SD-WAN are not extended into the cloud.

Solution
• With SD-WAN v17.9/20.9, we extend the SD-WAN fabric to the cloud by connecting the ICGW and the CGW that are instantiated by their respective CoR Multicloud automation workflows.
• The benefits are:
  o Complete end-to-end encryption from branch to SDCI to cloud.
  o Multi-segment support
  o Multi-path support (Internet and Private)
  o Avoids the prefix advertisement limitation imposed by CSPs.
• Supported with both SDCI providers: Megaport and Equinix.
• Supports all CSPs: AWS, Azure, GCP.

Caveats
None
SDCI Megaport Entitlement Management
Platform support: vEdge: no; cEdge: yes

Problem
Customers can acquire licenses for Megaport resources through CCW, and vManage can instantiate Megaport resources, but there is no way to have visibility of available/used licenses and to enforce the license.

Solution
With the 17.9/20.9 release, the Megaport licenses purchased through CCW are made visible inside vManage.
The licenses include MVE (Megaport Virtual Edge), VXC (Virtual Cross Connect) and AWS HC (AWS Hosted Connections) licenses.
Megaport shares the current status (Available, Used, Expired) of the licenses with Cisco vManage.

[Diagram: CCW delivers the entitlement payload to vManage; vManage provides visibility and entitlement enforcement and performs resource provisioning on Megaport]

Caveats
Purchase of the appropriate Megaport SKUs through CCW.
Cloud OnRamp for Custom Applications
Platform support: vEdge: no; cEdge: yes

Problem
Currently Cloud OnRamp for SaaS supports only 14 business-critical applications such as Microsoft 365, Webex, Salesforce, Google Apps, etc.

Solution
• With SD-WAN v17.8/20.8, we extend Cloud OnRamp for SaaS capabilities to any standard and/or custom NBAR application.
• Cloud OnRamp for SaaS sends probes to the configured IP address, FQDN or URL and calculates the best performing path based on the loss and latency of the probe responses.
• SaaS and enterprise application traffic is routed via the best performing path calculated using the probes.

[Diagram: Remote Site with ISP1 and ISP2 links across the SD-WAN Fabric to a Regional Data Center hosting Enterprise Apps; loss/latency measured per path by probes]

Caveats / Prerequisites
None
Microsoft Informed Routing
Platform support: vEdge: no; cEdge: yes

Problem
Lack of visibility in vAnalytics of the selected path and the associated telemetry metrics in Microsoft Informed Routing.

Solution
• An enhanced Path Analytics dashboard is integrated into M365 App 360 as part of vAnalytics. It includes a timeline chart indicating the specific path selected at a given instant and the associated telemetry metrics, such as CoR SaaS network probes and Microsoft telemetry probes.
• 17.9 also includes an option to enable/disable traffic steering for Microsoft 365 based on Microsoft telemetry.

[Diagram: WAN link telemetry to M365; app telemetry data from M365 and telemetry data from edge devices feed vManage and vAnalytics; Remote Branch to Data Center across the SD-WAN Fabric]

Caveats
None
Security

20.9/17.9 Identity based Firewall (using ISE-AD) integrations
Platform support: vEdge: no; cEdge: yes

Problem
Security policies that align to users and groups rather than to IP addresses give organizations easier, more precise control over who can access the network/applications, and what they can access.
Typically, an SD-WAN embedded security stack is not aware of users' identities and, therefore, cannot apply security policies based on identity.

Solution
20.9/17.9 introduces the capability to match user identity and apply zone-based firewall policy based on identity.
The vManage and vSmart controllers integrate with ISE, which in turn is integrated with Active Directory. The IP-to-user and IP-to-user-group mappings are learned through OMP on the cEdge, where they are then used dynamically by ZBFW policies.

[Diagram: Active Directory integrated with ISE/pxGrid; IP to User/Group mapping delivered to vManage and vSmart and distributed over OMP to the cEdge, where ZBFW policy applies the IP to User/Group mapping to traffic from Employee and Contractor users towards IaaS, SaaS and Private Apps.
ZBFW Policy example:
  Source       Destination Application   Action
  Employee     any                       Permit All
  Contractor   any                       Deny All]

Caveats
Only one ISE instance allowed
Only one domain allowed
Only one identity list per rule
No destination-based identity matching in FW rules
ISE 3.2 recommended
No SGT mapping (roadmap)
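The evaluation chain this slide describes (source IP, then user learned from ISE, then group, then the ZBFW rule) can be modelled to show where the caveats bite. The Python below is an added example, not Cisco's ZBFW implementation: user names, IPs and the OMP update format are constructed, the policy table is the slide's (Employee: Permit All, Contractor: Deny All), and it is assumed that traffic whose source has no learned identity falls through to a default deny.

```python
"""Added example (not Cisco code): identity-based ZBFW rule evaluation on
a cEdge using IP-to-user and user-to-group mappings learned via OMP.

Caveats from the slide that the model enforces:
  * one identity list per rule  -> Rule carries a single source group
  * no destination-based identity matching -> rules match the source only
All mappings and addresses below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    source_identity: str    # exactly one identity (group) per rule
    action: str             # "permit" or "deny"


# Policy table from the slide.
POLICY: List[Rule] = [
    Rule("Employee", "permit"),
    Rule("Contractor", "deny"),
]

# Constructed mappings as they would arrive from ISE/AD through OMP.
IP_TO_USER: Dict[str, str] = {"10.1.1.10": "alice", "10.1.1.11": "bob"}
USER_TO_GROUP: Dict[str, str] = {"alice": "Employee", "bob": "Contractor"}


def apply_omp_mapping_update(ip_to_user: Dict[str, str],
                             ip: str, user: Optional[str]) -> None:
    """Apply one learned mapping; user=None means the session ended (remove)."""
    if user is None:
        ip_to_user.pop(ip, None)
    else:
        ip_to_user[ip] = user


def identity_for(src_ip: str, ip_to_user: Dict[str, str],
                 user_to_group: Dict[str, str]) -> Optional[str]:
    """Resolve source IP -> user -> group; None if either hop is unknown."""
    user = ip_to_user.get(src_ip)
    return user_to_group.get(user) if user is not None else None


def evaluate(src_ip: str, policy: List[Rule] = POLICY,
             ip_to_user: Dict[str, str] = IP_TO_USER,
             user_to_group: Dict[str, str] = USER_TO_GROUP) -> str:
    """First-match evaluation on the source identity; default deny (assumed)."""
    group = identity_for(src_ip, ip_to_user, user_to_group)
    if group is None:
        return "deny"               # unknown identity: default action
    for rule in policy:
        if rule.source_identity == group:
            return rule.action
    return "deny"


if __name__ == "__main__":
    for ip in ("10.1.1.10", "10.1.1.11", "10.1.1.99"):
        print(ip, "->", evaluate(ip))
```

The third lookup (10.1.1.99) shows the practical consequence of identity matching: a host whose mapping was never learned, or whose mapping was withdrawn, is treated as unknown rather than as a member of any group, so the ZBFW default action decides its fate.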
Enhanced SIG Tunnel Monitoring
Platform support: vEdge: no; cEdge: yes

Problem
At present, we offer Auto-SIG functionality with Zscaler and Umbrella. However, there is no support for SIG tunnel monitoring on the vManage Security dashboard.

Solution
The main intent of this feature is to provide enhanced monitoring and visibility for SIG tunnels, which includes:
1. State of the SIG tunnel: provides the status of all tunnels, whether UP-ACTIVE or Down.
2. Security events: vManage receives important event notifications from the edge router, including events related to SIG tunnel bring-up. For example, if the tunnel bring-up fails due to wrong credentials, a 4xx error notification is displayed on vManage along with the reason, which allows the user to take appropriate action.

Caveats
• No support for visibility of top application usage over SIG tunnels.
• No support for manual GRE/IPsec tunnels.
Cisco SD-WAN - ZScaler Automatic GRE Tunnel support
Platform support: vEdge: yes; cEdge: yes

Problem
At present in Cisco SD-WAN, the Auto-SIG functionality supports provisioning of IPsec-based SIG tunnels to Zscaler without requiring any prior Zscaler headend configuration. However, this is limited to IPsec-based SIG tunnels only.

Solution
The main intent of this feature is to provide:
1. Auto GRE tunnel support: auto-provisioning of GRE-based SIG tunnels; load balancing and policy-based routing will be supported.
2. L7 health check for GRE tunnels: the SIG service's health is monitored as per the customer-defined SLA.

[Diagram: Branch with four GRE tunnels (GRE 1 to GRE 4, 1 Gbps aggregate) to Zscaler, provisioned from vManage]

Caveats
1. Zscaler mandates that every device or location have a unique public IP in order to create GRE tunnels to the ZIA Public Service Edge (datacenter). We could get the public IP in two ways:
   • Have the user configure the public IP of the device as part of the SIG template
   • Figure out the public IP of the device automatically by doing an nslookup of myip.opendns.com
2. If the L7 health check is enabled on GRE tunnels, the tunnel-source interface should be a physical interface.
vManage (User Experience)

UX2.0 – Customizable Dashboard
Platform support: vManage: yes

Problem
The Monitoring Overview Dashboard is not customizable.
Users would like to customize the Monitoring Overview Dashboard to view only the Dashlets of interest.

Solution
• Provide customization of the Monitoring Overview Dashboard to allow users to select and sort the Dashlets of interest.
• This customization is retrieved every time the user logs back in to vManage, to build the dashboard.

Caveats
Only the Overview Dashlets are customizable; the Hero-bar is not.
UX2.0 – Site Topology (Phase 2)
Platform support: vEdge: no; cEdge: yes; vManage: yes

Problem
Lack of visibility and lack of troubleshooting aids are some of the areas of weakness in vManage.

Solution
UX2.0 Site Topology Phase 1 is available with the Cisco SD-WAN 20.8/17.8 release. It provides a static view of the site topology derived from the attached Configuration Group.
The 20.9/17.9 release aims to enhance this feature and also aid troubleshooting by providing more dynamic information on the site topology, which includes Devices, Transports and Service VPNs.

Caveats
Connections between WAN edges in the selected site are not shown in this release, since they are not part of the configuration group.
UX2.0 – Configuration (Phase 2)
Platform support: vEdge: no; cEdge: yes; vManage: yes

Problem
• Device configuration using Templates is not intuitive and sequential
• Device configuration is slow and manual
• Template sprawl can be very high
• Template grouping and inheritance is missing

Solution
A simple, reusable and structured approach to configuration in Cisco SD-WAN with Configuration Groups and Feature Profiles was introduced in 20.8/17.8.
20.9/17.9 brings an improved UI in the Create Configuration Group workflow and support for new Parcels (closing the gap further towards Feature Profiles / Templates parity).

Caveats
Only Basic, WAN and LAN profiles are available (also CLI/Other); Policies are planned for a future release.
Call to Action

watch
• Subscribe to our new YouTube channel! New content is posted weekly! (SD-WAN YouTube Channel)
• Check out our Cloud onRamp sandbox to get hands-on! (SD-WAN CVD Repository)

read
• Check out our Communities page and Release Notes! (SD-WAN Communities; SD-WAN 17.9 IOS-XE Release Note; SD-WAN 20.9 Viptela OS Release Note; SD-WAN 20.9 Controllers Release Note)

do
• SD-WAN IOS-XE Config Guide
• SD-WAN Viptela OS Config Guide