
Cisco SD-WAN Technical Training

(Hands-on Experiences)

Doan Nguyen Lam - Nguyen Tien Hoang


Cisco Systems VietNam
05-06Jun19
SD-WAN Solution Overview
Why SD-WAN and Trends ?

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Systems 2
Connecting Users to the Data Center was the Priority

[Figure: users at the branch/campus reach applications in the data center over the WAN; the Internet path is best-effort]
Then the Way We Worked Changed

[Figure: campus & branch users, mobile users and devices & things reach the DC/private cloud over the WAN]
Applications Moving to Not One Cloud, But Many

[Figure: campus & branch users, mobile users and devices & things reach the DC/private cloud, SaaS and IaaS over the WAN]
Legacy WAN Architecture
• Peer-to-peer control plane
• Lack of application visibility
• Complex routing: protocol state is propagated to every site, so DCI complexity grows as N^2
• Localized management
• Not scalable
• Impossible to support multiple transports (MPLS/FTTH)
• Complex operations
• High cost: TCO to operate the network
[Figure: DC1 and DC2 (DR), ISP1 (MPLS) and ISP2, IaaS/SaaS, Branch1, Branch2, Branch3]
Limitations of the traditional WAN

No. | Limiting factor                                  | Impact on the network / IT
1   | Lack of WAN bandwidth                            | Applications and users suffer; IT must constantly monitor, review and upgrade. Reactive posture; affects services and business expansion.
2   | Existing transport types are not exploited       | Limited ability to share and take advantage of different transport types (MPLS, Internet, LTE, leased line, ...).
3   | Application identification and performance       | Application quality over the WAN transports cannot be assessed, which affects user productivity.
4   | Security                                         | Need to strengthen security at the branches and for the applications.
5   | Extending direct connectivity to cloud apps      | Need to assess transport and application quality to improve access performance for cloud applications.
6   | Local, non-centralized management and config     | High operating cost; managing many sites is complex. Time and effort spent on administration, operations and troubleshooting.
7   | Sites are hard to expand quickly                 | Affects business requirements and site flexibility.
8   | Cost                                             | High WAN operating cost (transport, staff, time, issues).
Evolution of the WAN
Six attributes of the cloud-delivered WAN:
1. End-point flexibility: physical or virtual; rich services or lite; branch, aggregation or cloud
2. Transport-independent WAN fabric
3. Superior security architecture, cloud based and on-prem
4. Application QoE
5. Cloud-delivered analytics with operational simplicity
6. Cloud OnRamp and further use-cases
[Figure: users, devices and things connect through an intent-based network infrastructure (DNA Center: policy, automation, analytics; intent, context, learning, security) to the DC, vDC, IaaS apps and SaaS]
Cisco Fabric Architectures
[Figure: three fabrics sharing end-to-end context: the SDWAN fabric (WAN, with Cloud OnRamp to IaaS/SaaS), the SDA fabric (branch & campus, connecting users, devices and things including IoT) and the ACI DC fabric (DC apps). Common properties: multitenant/cloud-delivered, rich analytics, highly automated]
SD-WAN Solution Overview
Cisco SD-WAN Introductions

Cisco SD-WAN Solution
Built on Intent-based Networking for the WAN

• Cloud managed and controlled fabric: control, management and analytics
• Application quality of experience
• Transport independence: Internet, MPLS, 4G LTE
• End-point flexibility: data center, campus, branch, public cloud (physical or virtual)
• Integrated security
Cisco SD-WAN Solution
Application policies: application visibility & SLA, traffic engineering, per-segment topologies, secure perimeter (FW/IPS/URL), cloud path, cloud acceleration, transport hub
Delivery platform: routing, security, segmentation, QoS, multicast, service insertion, survivability
Operations: analytics and monitoring
Transport-independent fabric over broadband, MPLS and cellular
Principles: zero touch, zero trust
Deploy branches faster at lower cost
Transport independence
• Leverage the Internet for public cloud and Internet access
• Secure VPN overlay for private and virtual public cloud access
• Seamless extension to the cloud lets business policy follow workloads
[Figure: branch connected over MPLS, 3G/4G-LTE and Internet to private cloud, colocation and public cloud]
Optimize the user experience
Analytics and assurance

• Visibility of applications and infrastructure across the WAN
• Forecasting and "what-if" analysis
• Intelligent recommendations
(Cisco vAnalytics)
Simplify migration to the cloud
Application quality of experience
• Secure branch-to-cloud connectivity protects data in motion
• Agile workflows simplify extending the enterprise to IaaS or SaaS
• Analytics determine the optimal path for the best application experience
[Figure: secure SD-WAN fabric joining data center, campus, branch and small office/home office to cloud providers and cloud applications (IaaS/SaaS)]
Easier to deploy, manage and operate
Centralized cloud managed fabric

• Cloud-first management and operations with a single WAN fabric across all end-points
• Simplified workflows for easier configuration, monitoring and troubleshooting
• Advanced analytics and assurance for application service level agreements
(Cisco vManage)
Reduce complexity for remote sites
Single rich services branch platform

• Easy to deploy and manage services on demand
• On-demand physical and virtual form factors
• Best-of-breed trusted network services
[Figure: branch platform hosting SD-WAN, unified communications, cloud-based security, application hosting and application optimization]
End-point flexibility
XE-SDWAN: Expanding Impact of IBN for WAN

• Broadest range of platforms and interfaces
• Millions of ISR/ASR devices eligible for new capabilities
• Cloud + virtualization + on-prem with integrated security
[Figure: vManage controlling virtualization (ENCS), cloud (AWS / Azure / Google) and platform (vEdge / ISR / ASR) end-points]
Comprehensive threat protection
Integrated security
• Meet industry compliance with end-to-end segmentation
• Reduce the attack surface with cloud and on-prem security
• Talos threat intelligence protects all users and devices
[Figure: VPN 1-4 segments carried in IPsec VPN tunnels over Internet, MPLS and 4G/LTE between cloud router, data center, corporate data center, small office/home office, campus and branch, with cloud security]
Increasing security on SD-WAN with the security features
Cisco Enterprise Firewall: classification of 1400+ layer 7 apps
Intrusion Prevention System: the most widely deployed IPS engine in the world
Cisco URL Filtering: web reputation score using 82+ web categories
Advanced Malware Protection: with file reputation and sandboxing
Cisco SD-WAN Simplified Cloud Security: easy deployment of Cisco Umbrella, in hours instead of weeks and months
Cisco SD-WAN Benefits and Values

• Reduce cost
• End-to-end security
• Performance
• Cloud ready
• Simplicity
SD-WAN Solution Overview
Technical

Cisco SD-WAN Solution Principles
Orchestration plane: vBond
Management plane: vManage, with APIs for 3rd-party automation, and vAnalytics
Control plane: vSmart controllers
Data plane: Edge routers over MPLS, 4G and Internet at cloud, data center, campus, branch and colo sites
Cisco SD-WAN Solution Principles
Network policy / forwarding:
• Configuration points, control points and enforcement points are separate, with centralized security
• Separation of control and data plane
• DTLS/TLS is used to establish the control channel
• The control channel is established only with the central controllers, so there are no scaling issues: no full mesh of control-plane sessions is needed
• The control channel does not have to follow the data path
[Figure: edge routers attached to Internet, MPLS1, MPLS2 and 4G/LTE transports, each with a control channel to the controllers only]
Cisco SD-WAN Solution Roles and Responsibilities
Orchestration plane (vBond):
• First point of authentication
• Distributes the list of vSmarts/vManage to all Edge routers
• Facilitates NAT traversal
Management plane (vManage, APIs, 3rd-party automation, vAnalytics):
• Single pane of glass for Day 0, Day 1 and Day 2 operations
• Multitenant or single-tenant
• Centralized provisioning, troubleshooting and monitoring
• RBAC and APIs
Control plane (vSmart controllers):
• Disseminates control-plane information between Edges
• Distributes data-plane policies
• Implements control-plane policies
Data plane (Edge routers over MPLS, 4G and INET at cloud, data center, campus, branch and colo):
• Physical or virtual
• Zero Touch Provisioning
• Establishes the secure fabric
• Implements data-plane policies
• Exports performance statistics
Most comprehensive SD-WAN solution in the market
Cisco SD-WAN Edge Devices
Branch services platforms:
• ISR 1000: up to 200 Mbps; next-gen connectivity; 4G LTE & wireless
• ISR 4000: up to 6 Gbps; modular; integrated service containers; performance flexibility; compute with UCS E
• ASR 1000: up to 20 Gbps; high-performance services with hardware assist; hardware & software redundancy
SD-WAN platforms:
• vEdge 100: up to 100 Mbps; 5 ports (WAN/LAN)
• vEdge 1000: up to 1 Gbps; 8 ports (WAN/LAN)
• vEdge 2000: up to 10 Gbps; modular 1/10 GB ports
• vEdge 5000: up to 20 Gbps; modular 1/10 GB ports
Virtualization:
• ENCS 5100: up to 250 Mbps
• ENCS 5400: 250 Mbps – 2 Gbps
Private / public cloud
Control Plane Security
Zero-Trust Security Principles
Control elements (vBond orchestrators, vSmart controllers, vManage) are hosted in a private, Viptela or managed-partner cloud; Edge routers reach them through NAT over DTLS/TLS control tunnels, presenting an X.509 certificate whose key is protected by the TPM.
• Strong authentication: PKI certificates, 2048-bit keys
• Highly encrypted tunnels: DTLS/TLS with AES-256; white-list model
• Ubiquitous deployment: automatic NAT mitigation
Secure Bring-up With Approval
• Cisco generates the overlay with a unique Organization Name.
• Device chassis and serial numbers are added to and stored in the customer portal.
• The customer imports the ".viptela" authorized-device file (256-bit hash) into the controller.
• Each device is validated.

Per-device control on TPM identity trust:
• Valid (Zero Touch Provisioning): the TPM identity is automatically trusted.
• Invalid (One Touch Provisioning): the TPM identity is not automatically trusted; requires administrator validation.
• Staging: the TPM identity is automatically trusted for control, but not for data; requires administrator validation.
Secure Control Channel: Control Elements
• Certificates are exchanged and mutual authentication takes place
• vBond validates the vSmart controller and vManage certificate serial numbers against the authorized white-list of valid certificate serial numbers
• vSmart controller and vManage validate the vBond orchestrator certificate organization name against the locally configured one
• The DTLS/TLS secure connection is established
[Figure: vBond, vSmart and vManage on public addresses, each configured with the Org Name, joined by DTLS/TLS control tunnels]
Secure Control Channel: Edge Routers
• Certificates are exchanged and mutual authentication takes place between vBond and the Edge, over an encrypted tunnel
• vBond validates the Edge router serial number and chassis ID against the authorized Edge white-list
• The Edge router validates the vBond certificate organization name against the locally configured one
• A provisional DTLS/TLS tunnel is established between vBond and the Edge
• vBond returns to the Edge a list of vSmart controllers and vManage
• vBond notifies vSmart and vManage of the Edge router's public IP address
• The provisional DTLS/TLS tunnel between vBond and the Edge is terminated
[Figure: Edge router (Org Name in its config) behind a public address with a provisional DTLS/TLS control tunnel to vBond; vBond holds the list of valid Edge serial and chassis IDs and the vSmart/vManage IP addresses]
Secure Control Channel: Edge Routers
• Certificates are exchanged and mutual authentication takes place between vSmart, vManage and the Edge, over an encrypted tunnel
• vSmart and vManage validate the Edge router serial number and chassis ID against the authorized Edge white-list
• The Edge router validates the vSmart and vManage certificate organization name against the locally configured one
• A permanent DTLS/TLS tunnel between vSmart, vManage and the Edge is established
[Figure: vSmart and vManage each hold the list of valid Edge serial and chassis IDs; permanent DTLS/TLS control tunnels to the Edge router, which carries the Org Name in its config]
Establish Cloud Edge Router Identity
Minimum configuration on the Edge Cloud (if there is no DHCP you need to configure the VPN 0 interface IP address and default route):

  config
  system
   system-ip <system-ip>
   site-id xxx
   organization-name "org name"
   vbond xx.xx.xx.xx
  !
  vpn 0
   dns 8.8.8.8 primary
   dns 8.8.4.4 secondary
   interface ge0/0
    ip address xx.xx.xx.xx/xx
    no shutdown
   !
   ip route 0.0.0.0/0 xx.xx.xx.xx
  !
  commit

  request vedge-cloud activate chassis-number uuid token otp

[Figure: the Certificate Authority signs the certificate issued through vManage; the Edge Cloud then authenticates to vBond and vSmart]
Note: the UUID and the vManage-issued certificate serial number are used to authenticate the Edge Cloud post-OTP.
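The three admission checks described on the preceding slides (organization-name match, serial/chassis ID against the authorized white-list, and the per-device trust state valid/invalid/staging) as an added Python model. This is illustration code written for this page, not Cisco or Viptela code: the real checks run on vBond, vSmart and vManage against X.509 certificates over DTLS/TLS, whereas here a certificate is reduced to the fields the slides say are compared, and the ".viptela" authorized-device list is a constructed dict. All class, function and device names are assumptions.

```python
"""Model of the Cisco SD-WAN control-channel admission checks.

Added illustration, not Cisco/Viptela code. A certificate is reduced to the
Organization Name and serial number the slides say are checked, plus the
chassis ID bound to the TPM identity; the authorized-device list is a dict.
"""
from dataclasses import dataclass
from enum import Enum


class TrustState(Enum):
    VALID = "valid"        # ZTP: TPM identity trusted for control and data
    INVALID = "invalid"    # one-touch: nothing trusted until an admin validates
    STAGING = "staging"    # trusted for the control plane only, not for data


@dataclass(frozen=True)
class Cert:
    org_name: str          # organization-name (OU) carried in the certificate
    serial: str            # certificate serial number
    chassis_id: str        # device chassis ID bound to the TPM identity


@dataclass(frozen=True)
class Admission:
    control: bool          # may keep a DTLS/TLS session to vBond/vSmart/vManage
    data: bool             # may be advertised as a TLOC and build IPsec tunnels
    reason: str


# Constructed authorized-device list (what vManage imports from the portal).
WHITELIST = {
    "SN-EDGE-0001": ("CHS-0001", TrustState.VALID),
    "SN-EDGE-0002": ("CHS-0002", TrustState.STAGING),
    "SN-EDGE-0003": ("CHS-0003", TrustState.INVALID),
}


def controller_admits_edge(cert: Cert, expected_org: str,
                           whitelist=WHITELIST) -> Admission:
    """What vBond/vSmart/vManage decide when an edge presents its certificate.
    Order matters: an org-name mismatch is rejected before the list is consulted."""
    if cert.org_name != expected_org:
        return Admission(False, False, "organization-name mismatch")
    entry = whitelist.get(cert.serial)
    if entry is None:
        return Admission(False, False, "serial number not in authorized list")
    chassis_id, state = entry
    if chassis_id != cert.chassis_id:
        return Admission(False, False, "chassis ID does not match serial")
    if state is TrustState.VALID:
        return Admission(True, True, "valid: zero-touch trusted")
    if state is TrustState.STAGING:
        return Admission(True, False, "staging: control only, awaiting admin")
    return Admission(False, False, "invalid: requires administrator validation")


def edge_admits_controller(controller_cert: Cert, configured_org: str) -> bool:
    """The reverse check: the edge only compares the controller's org name
    with the organization-name in its own configuration (no serial list)."""
    return controller_cert.org_name == configured_org


def admin_validate(serial: str, whitelist=WHITELIST) -> None:
    """Administrator moves a device from invalid/staging to valid."""
    chassis_id, _ = whitelist[serial]
    whitelist[serial] = (chassis_id, TrustState.VALID)
```

The staging state is the one worth noticing operationally: a staged device gets a full control channel (and therefore its configuration from vManage) but is never handed data-plane keys, so a mis-shipped box can be configured and inspected without joining the fabric.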
Data Plane Security
Edge VPNs and Security Zoning
• Transport VPN (VPN 0): untrusted zone; interfaces and sub-interfaces toward MPLS and Internet
• Service VPNs (VPN n): trusted zone; interfaces and sub-interfaces toward the LAN
• Out-of-band management (VPN 512)
• VPNs are isolated from each other; each VPN has its own forwarding table
• Reachability within a VPN is automatically advertised by OMP
[Figure: VPN 10 and VPN 20 at each site are carried over VPN 0 across INET and MPLS, with OMP advertising each VPN's routes between the Edges]
Centralized Encryption Key Distribution
• Each Edge advertises its local IPsec encryption keys as OMP TLOC attributes
• Symmetric encryption keys are used asymmetrically: traffic sent toward an Edge is encrypted with the key that Edge advertised, so each direction of a tunnel uses a different key
• Encryption keys are per-transport
• Keys can be rapidly rotated
[Figure: Edge-A and Edge-B send OMP updates to the vSmart controllers carrying their local keys A1/A2 and B1/B2 for Transport1 and Transport2 and learn the remote keys; traffic toward Edge-B on Transport1 is encrypted with Key B1 and traffic toward Edge-A with Key A1, likewise A2/B2 on Transport2]
• Each Edge advertises its own AES-256 IPsec encryption key in control-plane updates
• IPsec encryption keys are distributed by the vSmart controllers to all Edges that are part of a given virtual topology
• IPsec encryption keys are frequently rotated (default 24h); new keys are advertised in control-plane updates
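An added Python model of the key distribution on this slide and the previous one: each Edge generates one key per transport, vSmart reflects it only to Edges in the same virtual topology, the sender uses the receiver's advertised key ("symmetric keys used asymmetrically"), and a rekey keeps the previous key for a grace window so in-flight packets still decrypt. This is illustration code for this page, not Viptela code: the keys are random 32-byte values standing in for the AES-256 keys and no packet is actually encrypted; the SPI counter, the topology strings and the 24-hour constant are assumptions chosen to match the slide text.

```python
"""Model of OMP-based IPsec key distribution and rotation.

Added illustration, not Viptela code. Keys are random 32-byte stand-ins for
AES-256 keys; the point is which key each tunnel direction uses, who learns
it, and how a rekey is propagated. Names are assumptions.
"""
import secrets
from dataclasses import dataclass, field

REKEY_SECONDS = 24 * 3600          # default rotation interval from the slide


@dataclass(frozen=True)
class TlocKey:
    system_ip: str
    color: str                       # per-transport: one key per TLOC
    spi: int                         # identifies which key generation an SA uses
    key: bytes


@dataclass
class Edge:
    system_ip: str
    colors: tuple
    site_id: int
    vpn_topology: str                # virtual topology vSmart places this edge in
    local: dict = field(default_factory=dict)      # color -> current TlocKey
    previous: dict = field(default_factory=dict)   # color -> previous TlocKey (grace)
    remote: dict = field(default_factory=dict)     # (system_ip, color) -> TlocKey
    last_rekey: float = 0.0
    _spi: int = 0

    def generate_keys(self, now: float):
        """Fresh key per transport; keep the old one so packets still in
        flight with the previous SPI can be decrypted. Returns the OMP update."""
        self._spi += 1
        for color in self.colors:
            if color in self.local:
                self.previous[color] = self.local[color]
            self.local[color] = TlocKey(self.system_ip, color, self._spi,
                                        secrets.token_bytes(32))
        self.last_rekey = now
        return list(self.local.values())

    def learn(self, tk: TlocKey):
        self.remote[(tk.system_ip, tk.color)] = tk

    def outbound_key(self, dst_ip: str, dst_color: str) -> TlocKey:
        """Symmetric key used asymmetrically: to send to a peer we encrypt with
        the key *that peer* advertised, never with our own."""
        return self.remote[(dst_ip, dst_color)]

    def accepts(self, color: str, spi: int) -> bool:
        """Receiver decrypts with its current key or, after a rekey, the previous one."""
        cur = self.local[color]
        prev = self.previous.get(color)
        return spi == cur.spi or (prev is not None and spi == prev.spi)


class VSmart:
    def __init__(self):
        self.edges = {}

    def register(self, edge: Edge):
        self.edges[edge.system_ip] = edge

    def advertise(self, update):
        """Reflect TLOC keys only to edges in the same virtual topology."""
        src = self.edges[update[0].system_ip]
        for e in self.edges.values():
            if e is not src and e.vpn_topology == src.vpn_topology:
                for tk in update:
                    e.learn(tk)

    def tick(self, now: float):
        """Drive the periodic rekey; new keys go out as OMP updates."""
        for e in self.edges.values():
            if now - e.last_rekey >= REKEY_SECONDS:
                self.advertise(e.generate_keys(now))


def build_fabric(now=0.0):
    """Constructed fabric: A and B share a full-mesh topology, C does not."""
    vs = VSmart()
    a = Edge("10.1.0.1", ("mpls", "biz-internet"), 1, "full-mesh")
    b = Edge("10.2.0.1", ("mpls", "biz-internet"), 2, "full-mesh")
    c = Edge("10.3.0.1", ("biz-internet",), 3, "other-topology")
    for e in (a, b, c):
        vs.register(e)
    for e in (a, b, c):
        vs.advertise(e.generate_keys(now))
    return vs, a, b, c
```

Because vSmart only reflects keys within a topology, an Edge that is not supposed to talk to another never receives the key it would need, which is what makes topology policy a data-plane boundary rather than just a routing filter.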
End to End Security
• Each Edge advertises its local IPsec encryption key to the vSmart controllers, which reflect it in OMP updates; IPsec security associations are built on the Edge routers at each site across the transports
[Figure: Site 1 and Site 2 Edge routers; traffic toward Site 2 is encrypted with Key 2 (Site 2's local key, remote for Site 1) and traffic toward Site 1 with Key 1; control-plane traffic is protected by DTLS/TLS]
• Symmetric encryption: IPsec AES-256-GCM with ESPv3; AES-256-CBC is used for multicast
• Traffic encryption and authentication header
• Tunnel liveliness detection (BFD)
• Anti-replay protection
• Rekey every 24 hours
DDoS Protection for Edge Routers
Packets reaching the Edge CPU are classified by source:
• Authenticated sources: vBond, vSmart and vManage over TLS/DTLS
• Implicitly trusted sources: SD-WAN IPsec peers
• Explicitly defined sources: IPsec/GRE to cloud security
• Any unknown sources: deny, except
  1. return packets matching a flow entry (DIA enabled)
  2. DHCP, DNS, ICMP
  * SSH, NETCONF, NTP, OSPF, BGP and STUN can be enabled manually
Control-plane policing:
• 300 pps per flow
• 5,000 pps aggregate
DDoS Protection for Controllers
• Authenticated sources: Edge routers, vManage and vSmart over TLS/DTLS
• Any unknown sources: deny, except DHCP, DNS, ICMP, NETCONF
  * SSH, NTP, STUN and HTTPS (vManage) can be enabled manually
Control-plane policing:
• 500 pps per flow
• 10,000 pps aggregate
Note: vBond control-plane policing is the same as on the Edge
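An added Python model of the Edge-router protection on the two preceding slides: the source classification with the implicit deny for unknown sources (DHCP, DNS, ICMP and DIA return traffic excepted, optional services only when enabled), followed by control-plane policing at 300 pps per flow and 5,000 pps aggregate. Written for this page, not Cisco code: the real policer is a hardware/software rate limiter with token buckets, while this model counts packets inside one one-second window so the limits can be exercised on a constructed burst. Packet fields, the optional-service port table and the sample addresses are assumptions.

```python
"""Model of edge-router control-plane protection (implicit deny + CoPP).

Added illustration, not Cisco code. Packets are dicts; rates are counted
within a single one-second window. Names and ports are assumptions.
"""
from collections import defaultdict

PER_FLOW_PPS = 300
AGGREGATE_PPS = 5000

# Always allowed from unknown sources (slide: DHCP, DNS, ICMP).
DEFAULT_ALLOWED = {("udp", 67), ("udp", 68), ("udp", 53), ("icmp", None)}
# Services an administrator may enable under the tunnel interface.
OPTIONAL_SERVICES = {"ssh": ("tcp", 22), "netconf": ("tcp", 830),
                     "ntp": ("udp", 123), "bgp": ("tcp", 179),
                     "ospf": ("ospf", None), "stun": ("udp", 3478)}


class EdgeControlPlane:
    def __init__(self, controllers, fabric_peers, allowed_services=()):
        self.controllers = set(controllers)      # authenticated DTLS/TLS sources
        self.fabric_peers = set(fabric_peers)    # implicitly trusted IPsec peers
        self.allowed = set(DEFAULT_ALLOWED)
        for name in allowed_services:
            self.allowed.add(OPTIONAL_SERVICES[name])
        self.flow_table = set()                  # (peer_ip, proto, our_port) opened by DIA
        self.flow_counts = defaultdict(int)      # per-flow packets this window
        self.total = 0                           # aggregate packets this window

    def note_outbound(self, pkt):
        """A DIA flow leaving toward the Internet installs a flow entry so its
        return packets are accepted even though the source is unknown."""
        self.flow_table.add((pkt["dst"], pkt["proto"], pkt["sport"]))

    def classify(self, pkt):
        src = pkt["src"]
        if src in self.controllers and pkt["proto"] in ("dtls", "tls"):
            return "authenticated"
        if src in self.fabric_peers and pkt["proto"] == "ipsec":
            return "implicitly-trusted"
        return "unknown"

    def admit(self, pkt):
        """Return (verdict, reason) for one packet punted to the CPU."""
        cls = self.classify(pkt)
        proto, dport = pkt["proto"], pkt.get("dport")
        if cls == "unknown":
            is_return = (pkt["src"], proto, dport) in self.flow_table
            allowed = (proto, dport) in self.allowed or (proto, None) in self.allowed
            if not is_return and not allowed:
                return "drop", "unknown source, not an allowed service"
        # Policing applies to everything that reached the CPU, trusted or not.
        flow = (pkt["src"], proto, dport)
        if self.flow_counts[flow] >= PER_FLOW_PPS:
            return "drop", "per-flow policer"
        if self.total >= AGGREGATE_PPS:
            return "drop", "aggregate policer"
        self.flow_counts[flow] += 1
        self.total += 1
        return "accept", cls


def replay(cp, packets):
    """Feed a constructed burst (all within one window) and tally verdicts."""
    counts = defaultdict(int)
    for p in packets:
        counts[cp.admit(p)] += 1
    return dict(counts)
```

Note that the policer is applied after classification, so even authenticated controller traffic is rate-limited: a compromised or misbehaving controller cannot saturate the Edge CPU, and an unauthenticated flood never reaches the policer at all because it is dropped by the implicit deny first.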
Questions

Overlay Management Protocol (OMP)
Cisco SD-WAN Terminology
• Transport Side – Controller or Edge Interface connected to the underlay/WAN network
• Always VPN 0
• Traffic typically tunneled/encrypted, unless split-tunneling is used

• Service Side – Edge interface attaching to the LAN


• VPN 1-510 (511/512 Reserved)
• Traffic forwarded as is from original source

• TLOC – Collection of entities making up a transport side connection


• System-IP: IPv4 Address (non-routed identifier)
• Color: Interface identifier on local Edge
• Private TLOC: IP Address on interface sitting on inside of NAT
• Public TLOC: IP Address on interface sitting on outside of NAT
• Private/Public can be the same if connection is not subject to NAT

• vRoute – Routes learnt/connected on Service Side


• vRoute tagged with attributes as it is picked up by OMP
Cisco SD-WAN Terminology
• OMP – Overlay Management Protocol
• Dynamic Routing Protocol managing the Overlay domain
• Integrated mechanism for distribution Routing, Encryption and Policies
• Site-ID – Identifies the Source Location of an advertised prefix
• Configured on every Edge
• Does not have to be unique, but then assumes same location
• Required configuration for OMP and TLOC to be brought up
• System-IP – Unique identifier of an OMP Endpoint
• 32 Bit dot decimal notation (an IPv4 Address)
• Logically a VPN 0 Loopback Interface, referred to as “system”
• The system interface is the termination point for OMP

• Organization-Name – defines the OU to match in the certificate authentication process
• OU carried in both directions for authentication between control and Edge nodes
• Can be set to anything as long as it is consistent across the Viptela SEN domain
Network-wide Control Plane
Cisco SD-WAN: network control plane separated from the data plane (the Edge keeps only a local control plane); O(n) control complexity; high scale
Traditional: integrated control and data plane; O(n^2) control complexity; limited scale
Overlay Management Protocol (OMP)
• TCP-based extensible control-plane protocol
• Runs between WAN Edge routers and vSmart controllers and between the vSmart controllers, inside TLS/DTLS connections
• Leverages address families to advertise reachability for TLOCs, unicast/multicast destinations (statically/dynamically learnt service-side routes), service routes (L4-L7), BFD up/down stats (TE node) and Cloud onRamp for SaaS probe stats (gateway); uses attributes
• Distributes IPsec encryption keys, and data and app-aware policies (embedded NETCONF)
Note: WAN Edge routers need not connect to all vSmart controllers
Overlay Routing: TLOC Routes
• Routes connecting locations to physical networks (MPLS, INET)
• Advertised to vSmart controllers in OMP updates
• Most prominent attributes: Site-ID, System IP, Color, Encap-SPI, Encap-Authentication, Encap-Encryption, Public IP, Public Port, Private IP, Private Port, BFD-Status, Tag, Preference, Weight
[Figure: Edge with TLOCs on MPLS and INET; service side carries connected, static and dynamic (OSPF/BGP) routes]
Transport Locators Advertisement
• Local TLOCs (System IP, Color, Encap, Pub IP/Port, Priv IP/Port) are advertised to the vSmarts in OMP TLOC routes
• vSmarts advertise TLOCs to the Edges in OMP TLOC routes
• Edges build IPsec tunnels across the SD-WAN fabric with the TLOCs as tunnel endpoints, over MPLS and INET
• BFD runs inside the tunnels for quality and liveliness detection
Flexible data plane
Bidirectional Forwarding Detection (BFD)
• Path liveliness and quality measurement detection protocol: up/down, loss/latency/jitter, IPsec tunnel MTU
• Runs between all Edge and Edge Cloud routers in the topology, inside the IPsec tunnels; automatically invoked after each IPsec tunnel establishment; cannot be disabled
• Uses a hello (up/down) interval, a poll (app-aware) interval and a multiplier for detection; fully customizable per Edge and per color
Overlay Routing: OMP Routes
• Routes learnt from the local service side (connected, static, dynamic OSPF/BGP)
• Advertised to vSmart controllers in OMP updates
• Most prominent attributes: TLOC, Site-ID, Label, VPN-ID, Tag, Preference, Originator System IP, Origin Protocol, Origin Metric
Overlay Routing
• Uniform control-plane protocol
• OMP learns and translates routing information across the overlay: OMP routes, TLOC routes and network service routes; unicast and multicast address families; IPv4 and IPv6 (future)
• Distribution of data-plane security parameters and policies
• Implementation of control (routing) and VPN membership policies
[Figure: Site1-Site4, each with connected, static and dynamic (OSPF/BGP) routes, exchange them through the vSmart via OMP]
Overlay Routing: Network Service Routes
• Routes for advertised network services, i.e. firewall, IDS, IPS, generic
• Advertised to vSmart controllers in OMP updates
• Most prominent attributes: VPN-ID, Service-ID, Label, Originator System IP, TLOC
[Figure: Edge advertising a firewall network service over MPLS and INET]
TLOCs, Colors Site-IDs and System IP
• TLOC Color used as static identifier for:
• TLOC Interface on Edge device
• Underlay network attachment
• The specific color used is categorized as Private or Public
• Private Colors [mpls, private1-6, metro-ethernet]
• All other colors are public [red, blue,…, public-ethernet,…]
• Private vs Public color is highly significant

• Color setting applies to:


• Edge to Edge Communication
• Edge to Controller Communication

Transport Locators Colors
Color: identify an individual WAN transport tunnel by assigning it a color. The color is one of the TLOC parameters associated with the tunnel. On an Edge router, you can configure only one tunnel interface that has the color default.

The private colors: metro-ethernet, mpls, private1, private2, private3, private4, private5, private6. They use private addresses to connect to the remote-side Edge router in a private network. You can use these colors in a public network provided that there is no NAT device between the local and remote Edge routers.

The public colors: default, 3g, lte, biz-internet, public-internet, custom1, custom2, custom3, red, green, blue, gold, silver, bronze. They are used in public networks where NAT is present.

Default color: default (a public color)
TLOCs, Colors, Site-IDs and Carriers
• If Site-IDs are identical and colors are public: the private information is used
• The carrier setting is the final influencer to decide on private vs public IP/port: use it if two endpoints have private colors and you need the session between them to be established between their public IP/port

Edge 1:                         Edge 2:
  vpn 0                           vpn 0
   interface ge0/0                 interface ge0/0
    tunnel-interface                tunnel-interface
     carrier carrier2                carrier carrier4
     color mpls                      color mpls
(IPsec tunnel / BFD session between the two: both use the private color mpls, but the carriers differ, so the session is established between their public IP/port)
Transport Locators Colors
[Figure: four Edges with tunnels T1-T4. On the left pair T1 and T3 are a public color and T2 and T4 a private color; on the right pair T1-T4 are all public colors. The diagram shows which TLOC pairs (T1-T3, T2-T4, T1-T4, T2-T3) attempt tunnels in each case]
Color restrict: a control-plane tag used in the IPsec tunnel-establishment logic; with restrict set, a TLOC will not attempt to establish an IPsec tunnel to TLOCs with a different color
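The pairing rules spread across the last four slides (private vs public colors, same site-id, the carrier tie-breaker and restrict) as an added Python decision function. This is illustration code for this page, not Viptela code; the rules are the ones the slides state, applied to constructed TLOCs, and every class, field and address is an assumption. It goes one step beyond the slides by running the rule over a whole TLOC list to enumerate which tunnels a fabric would attempt.

```python
"""Pairing rules for two TLOCs (added illustration, not Viptela code).

Given color, site-id, carrier, restrict flag and the private and public
(post-NAT) address of each tunnel endpoint, decide whether an IPsec tunnel
is attempted and which IP/port each side sends to. Names are assumptions.
"""
from dataclasses import dataclass

PRIVATE_COLORS = {"mpls", "metro-ethernet", "private1", "private2", "private3",
                  "private4", "private5", "private6"}


@dataclass(frozen=True)
class Tloc:
    system_ip: str
    color: str
    site_id: int
    private_ip: str
    private_port: int
    public_ip: str           # equals private_ip/port when there is no NAT
    public_port: int
    carrier: str = "default"
    restrict: bool = False

    @property
    def is_private(self):
        return self.color in PRIVATE_COLORS


def tunnel_between(a: Tloc, b: Tloc):
    """None when no tunnel is attempted; otherwise (a_endpoint, b_endpoint, rule)
    giving the address each side sends to and the rule that chose it."""
    if a.system_ip == b.system_ip:
        return None                     # same device: TLOCs never tunnel to themselves
    if (a.restrict or b.restrict) and a.color != b.color:
        return None                     # restrict: only same-color peers
    if a.is_private and b.is_private:
        if a.carrier != b.carrier:
            # Two private colors on different carriers: the slide says to use
            # the carrier setting to force the public (post-NAT) information.
            use_private, rule = False, "private colors, different carrier"
        else:
            use_private, rule = True, "both private colors"
    elif a.site_id == b.site_id:
        use_private, rule = True, "same site-id, public colors"
    else:
        use_private, rule = False, "public color on at least one side"
    if use_private:
        return ((a.private_ip, a.private_port), (b.private_ip, b.private_port), rule)
    return ((a.public_ip, a.public_port), (b.public_ip, b.public_port), rule)


def fabric_tunnels(tlocs):
    """All attempted tunnels among a list of TLOCs (each unordered pair once)."""
    out = {}
    for i, a in enumerate(tlocs):
        for b in tlocs[i + 1:]:
            t = tunnel_between(a, b)
            if t is not None:
                out[(a.system_ip, a.color, b.system_ip, b.color)] = t
    return out


# Constructed sample: two sites, each with an MPLS and an Internet TLOC.
SAMPLE = [
    Tloc("10.1.0.1", "mpls", 1, "172.16.1.1", 12346, "172.16.1.1", 12346, "carrier2"),
    Tloc("10.1.0.1", "biz-internet", 1, "192.168.1.1", 12346, "203.0.113.1", 12366),
    Tloc("10.2.0.1", "mpls", 2, "172.16.2.1", 12346, "172.16.2.1", 12346, "carrier2"),
    Tloc("10.2.0.1", "biz-internet", 2, "192.168.2.1", 12346, "198.51.100.1", 12386),
]
```

The cross-color tunnels (mpls to biz-internet) in the sample are attempted because neither side sets restrict; they only succeed when the MPLS transport can actually reach the Internet endpoint, which is why restrict is normally set on the MPLS color in production.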


Cisco SD-WAN Topology
SITE-ID: unique per-site numeric identifier used in policy application
TLOC: transport attachment point and next-hop route attribute; comprises "system-ip", "color" and "encap"
SYSTEM-IP: unique identifier per device; router-id for BGP, OSPF
COLOR: each tunnel interface is assigned a "color"
[Figure: Site 1 (R11 10.1.0.11, R12 10.1.0.12), Site 2 (R21 10.2.0.21, R22 10.2.0.22), Site 3 (R31 10.3.0.31), Site 4 (R41 10.4.0.41), Site 5 (R51 10.5.0.51, R52 10.5.0.52) and Site 6 (vManage, vbond61, vsmart66, vsmart67) interconnected over MPLS 100.65.0.0/16 and INET 100.64.0.0/16]
Fabric Operation
Fabric walk-through:
• Edge1 and Edge2 each have TLOCs T1-T4 on Transport1 and Transport2, and service VPNs VPN1/VPN2 with subnets A, B (Edge1) and C, D (Edge2) learnt from BGP, OSPF, connected and static routes
• Each Edge sends OMP updates to the vSmart over its DTLS/TLS tunnel; the vSmart reflects them to the other Edge
• OMP update contents: reachability (IP subnets, TLOCs), security (encryption keys), policy (data/app-route policies)
• IPsec tunnels with BFD are built between the TLOCs; policies are applied on the Edges
NAT Traversal Combinations
Side A                   | Side B                   | IPsec tunnel status
Public                   | Public                   | Direct IPsec tunnel
Full Cone                | Full Cone                | Direct IPsec tunnel
Full Cone                | Port/Address Restricted  | Direct IPsec tunnel
Port/Address Restricted  | Port/Address Restricted  | Direct IPsec tunnel
Public                   | Symmetric                | Direct IPsec tunnel
Full Cone                | Symmetric                | Direct IPsec tunnel
Symmetric                | Port/Address Restricted  | No direct IPsec tunnel (traffic traverses hub)
Symmetric                | Symmetric                | No direct IPsec tunnel (traffic traverses hub)
Legend on the slide: direct IPsec tunnel; no direct IPsec tunnel (traffic traverses hub); mostly encountered
NAT Traversal – Dual Sided Full Cone
NAT detection:
• vBond discovers the post-NAT public IP and communicates it back to the Edges (STUN server function)
• Edges notify vSmart of their post-NAT public IP address
• The NAT devices enforce no filter (full-cone NAT): any source IP/port may reach the mapped IP1'/Port1 and IP2'/Port2
[Figure: Edge1 (IP1/Port1) and Edge2 (IP2/Port2) behind full-cone NATs mapped to IP1'/Port1 and IP2'/Port2; successful IPsec connection]
NAT Traversal – Full Cone and Symmetric
NAT detection:
• vBond discovers the post-NAT public IP and communicates it back to the Edges (STUN server function)
• Edges notify vSmart of their post-NAT public IP address
• The symmetric NAT device enforces a filter: only traffic from vBond is allowed back through the mapping created toward vBond
• The Edge behind the symmetric NAT reaches out to the remote Edge: a NAT entry is created with a filter allowing the remote Edge's return traffic
• The remote Edge learns the new symmetric-NAT source port (data-plane learning)
[Figure: Edge1 behind a full-cone NAT (filter: any source IP/port), Edge2 behind a symmetric NAT (filter: only from vBond, then from IP1'/Port1); successful IPsec connection]
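An added Python simulation of the NAT traversal behaviour on the last three slides. It is illustration code for this page, not Cisco code: each side sits behind a modelled NAT (none, full cone, address/port restricted or symmetric), both first reach vBond, which reports the post-NAT address like a STUN server, then each side sends to the other's advertised address for a few rounds and learns the real source port from packets it receives (data-plane learning). Running it over all sixteen NAT-type pairs reproduces the combinations table, including the symmetric cases where the slide says traffic must traverse the hub. The NAT model, port numbers and names are assumptions.

```python
"""Simulation of SD-WAN NAT traversal combinations (added illustration).

Not Cisco code. Models the three NAT behaviours the slides distinguish plus a
public (no-NAT) side, the vBond/STUN discovery step, and data-plane learning
of a peer's real source port. Names and port numbers are assumptions.
"""
PORT = 12346                       # tunnel port used by every edge
VBOND = ("vbond", 12346)


class Nat:
    def __init__(self, kind, public_ip):
        self.kind = kind           # "public" | "fullcone" | "restricted" | "symmetric"
        self.public_ip = public_ip
        self.maps = {}             # mapping key -> external port
        self.allowed = {}          # external port -> {(ip, port)} it may receive from
        self.next_port = 20000

    def outbound(self, inside, dst):
        """Translate an outbound packet; returns the external (ip, port).
        Symmetric NAT allocates a new mapping per destination, the cone
        types reuse one mapping per inside socket."""
        if self.kind == "public":
            return inside
        key = (inside, dst) if self.kind == "symmetric" else inside
        if key not in self.maps:
            self.maps[key] = self.next_port
            self.allowed[self.next_port] = set()
            self.next_port += 1
        ext_port = self.maps[key]
        self.allowed[ext_port].add(dst)          # remember who we talked to
        return (self.public_ip, ext_port)

    def inbound(self, src, ext):
        """Apply the filter; True if the packet reaches the inside host."""
        if self.kind == "public":
            return True
        if ext[1] not in self.allowed:
            return False                          # no mapping at all
        if self.kind == "fullcone":
            return True                           # no filter
        return src in self.allowed[ext[1]]        # restricted/symmetric filter


class Edge:
    def __init__(self, name, nat):
        self.inside = (name, PORT)
        self.nat = nat
        self.public = nat.outbound(self.inside, VBOND)  # what vBond reports back
        self.peer = None

    def send(self, other):
        src = self.nat.outbound(self.inside, self.peer)
        if other.nat.inbound(src, self.peer):
            other.peer = src            # data-plane learning of the real source
            return True
        return False


def direct_tunnel(kind_a, kind_b, rounds=4):
    """True when both directions deliver in the last round."""
    a = Edge("A", Nat(kind_a, "A-pub"))
    b = Edge("B", Nat(kind_b, "B-pub"))
    a.peer, b.peer = b.public, a.public     # learned via vSmart TLOC routes
    ok_ab = ok_ba = False
    for _ in range(rounds):
        ok_ab = a.send(b)
        ok_ba = b.send(a)
    return ok_ab and ok_ba


def traversal_table():
    kinds = ["public", "fullcone", "restricted", "symmetric"]
    return {(x, y): direct_tunnel(x, y) for x in kinds for y in kinds}
```

The failing cases share one cause: the symmetric side allocates a new external port toward the peer, so the port it advertised (learned toward vBond) is useless, and a restricted or symmetric peer drops the first packet from the new port before it can learn it. A full-cone or public peer accepts that packet and learns the port, which is exactly the sequence on the "Full Cone and Symmetric" slide.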
Questions

Zero Touch Provisioning (ZTP)
Plug-n-Play vEdge Secure Bring-up (Zero Trust)
Zero Touch Provisioning
Plug-n-Play vEdge Secure Bring-up (Zero Trust)
• Administrator: loads the vEdge list (white-list) into vManage and prepares the vEdge configuration template
• Installer: connects the network (DHCP or static IP) and power
• ZTP/PnP server: identity trust
• Edge: TPM-backed identity (X.509 certificate), authenticates to vBond, vSmart and vManage
Zero Touch Provisioning – vEdge / cEdge
1. The Edge (factory default config) queries ztp.viptela.com (vEdge) or devicehelper.cisco.com (cEdge)
2. The ZTP/PnP server redirects the device to its vBond orchestrator
3. Initial communication from the device to the control and policy elements: authentication
4. Initial device configuration from vManage
5. Full registration and configuration: push the configuration, enforce the software version
Assumptions:
• DHCP on the transport side (WAN)
• DNS to resolve ztp.viptela.com* (vEdge) or devicehelper.cisco.com* (cEdge)
* Factory default config
Provisioning – Cloud Edge
1. Cloud-init: a provisioning tool (NSO, vBranch FP) supplies the initial configuration
2. The VM is deployed
3. Initial communication from the device to the control and policy elements
4. Initial device configuration from vManage
5. Full registration and configuration
Assumptions:
• DHCP on the transport side (WAN)
• DNS to resolve the vBond IP
* Factory default config
Automatic IP Detection (Auto IP) for vEdge
ZTP with DHCP, or ZTP with Auto IP: the vEdge learns the PE's address from the ARP request the PE sends when looking for the vEdge MAC address (sender: source IP/MAC of the PE).
The vEdge is programmed to use the following public DNS servers to resolve ztp.viptela.com:
• Google: 8.8.8.8, 8.8.4.4
• OpenDNS: 208.67.222.222, 208.67.220.220
• Level 3 public DNS servers: 209.244.0.3, 209.244.0.4, 4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4
ZTP Support for Static IP
• Supported on SD-WAN XE only
• Useful in situations where ZTP is a requirement, but DHCP is not enabled on the CE-to-PE link (whether MPLS or Internet)
• Upon bootup, the SD-WAN XE router searches bootflash: or usbflash: for the filename ciscoSD-WAN.cfg
• The config file (which includes basic interface configuration, root CA, organization name, vBond information, etc.) is fed into the PnP process
• The router continues the normal ZTP process

  #cloud-boothook
  system
   personality vedge
   device-model vedge-C1111-8PLTEEA
   host-name SITE1_ISR1K
   system-ip 10.10.10.10
   site-id 501
   organization-name "CustomerXYZ - 12345"
   console-baud-rate 9600
   vbond 64.1.1.2 port 12346
  !
  interface GigabitEthernet0/0/0
   no shutdown
   ip address 192.168.10.10 255.255.255.0
  exit
  !
  ip route 0.0.0.0 0.0.0.0 192.168.10.1
Templates Configuration

Device and Feature Template
Feature templates per device template (Datacenter, Remote_Type_A, Remote_Type_B, Remote_Type_C):

Common to all four device templates:
- System
- Logging
- NTP
- AAA
- OMP
- BFD
- Security
- Transport VPN 0 with a VPN Interface (two of the four device templates carry a second transport VPN Interface)
- Services VPN 1 with a VPN Interface

Three of the four device templates additionally carry:
- Services VPN 2 with a VPN Interface
Template-Based Configurations
• Templates are attached to provisioned vEdge routers
• Variables are used for rapid bulk configuration rollout with unique per-device settings
• Local configuration changes are not allowed
- Prevents configuration drift
Granular Policies
Centralized Control over Fabric Behavior

• Centralized data, control and application aware routing policies
• Defined on vManage, enforced on vSmart controllers (control policies) or on vEdge routers (data and application aware routing policies)
• Policy scope: an individual site, a collection of sites or the entire fabric
Single Pane of Glass Operations
vManage GUI

• Intuitive GUI driven operations
- Management, monitoring and troubleshooting
• Cloud delivered
- Private, hosted or managed
• Single or multi-tenant
• Role-based access control
• Clustered for scale and high availability
• REST API based
Troubleshooting and Verification
Transparent Operations

vManage Programmatic Access
REST API Documentation
/apidocs

API documentation is built in: https://vmanage-url/apidocs
Test calls can be executed directly from the doc page.
API programming is documented at:
https://docs.viptela.com/Product_Documentation/Command_Reference/vManage_REST_APIs/vManage_REST_APIs_Overview/Using_the_vManage_REST_APIs
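Added example (not part of the deck and not Cisco's code): a minimal Python client for the vManage REST API described above. It performs the documented login sequence (form POST to /j_security_check, session cookie, XSRF token from /dataservice/client/token) and keeps TLS certificate verification on. The endpoint paths are the documented ones; the JSON field names it reads ("device-type", "system-ip", "peer-type", "state") are assumed from the API, and the canned responses in FakeVManage are constructed so the example runs offline.

```python
# Added example, not Cisco's code: vManage REST login + a control-connection check.
import http.client
import json
import ssl
from urllib.parse import urlencode


class VManageClient:
    def __init__(self, host, username, password, transport=None, port=443):
        self.host, self.port = host, port
        self.username, self.password = username, password
        self.cookie = self.xsrf_token = None
        # transport(method, path, headers, body) -> (status, set_cookie, body_bytes)
        self._transport = transport or self._https

    def _https(self, method, path, headers, body):
        # create_default_context() verifies the controller's certificate chain.
        # Do not disable this to "make it work" against a self-signed vManage;
        # install the CA that signed its certificate instead.
        ctx = ssl.create_default_context()
        conn = http.client.HTTPSConnection(self.host, self.port, context=ctx, timeout=15)
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        data, cookie = resp.read(), resp.getheader("Set-Cookie")
        conn.close()
        return resp.status, cookie, data

    def login(self):
        body = urlencode({"j_username": self.username, "j_password": self.password})
        status, cookie, data = self._transport(
            "POST", "/j_security_check",
            {"Content-Type": "application/x-www-form-urlencoded"}, body)
        # A rejected login still returns HTTP 200 with the HTML login page as
        # the body, so the status code alone proves nothing.
        if status != 200 or not cookie or b"<html" in data.lower():
            raise PermissionError("vManage login failed")
        self.cookie = cookie.split(";", 1)[0]          # keep "JSESSIONID=..."
        status, _, token = self._transport(
            "GET", "/dataservice/client/token", {"Cookie": self.cookie}, None)
        if status == 200 and token:                    # required on newer releases
            self.xsrf_token = token.decode().strip()
        return self.cookie

    def get(self, path):
        if not self.cookie:
            raise RuntimeError("call login() first")
        headers = {"Cookie": self.cookie, "Accept": "application/json"}
        if self.xsrf_token:
            headers["X-XSRF-TOKEN"] = self.xsrf_token
        status, _, data = self._transport("GET", path, headers, None)
        if status != 200:
            raise RuntimeError(f"GET {path} -> HTTP {status}")
        return json.loads(data)["data"]


def edges_short_on_vsmarts(client, expected=2):
    """system-ips of vEdges with fewer 'up' vSmart control connections than expected."""
    short = []
    for dev in client.get("/dataservice/device"):
        if dev.get("device-type") != "vedge":
            continue
        conns = client.get(
            f"/dataservice/device/control/connections?deviceId={dev['system-ip']}")
        up = sum(1 for c in conns
                 if c.get("peer-type") == "vsmart" and c.get("state") == "up")
        if up < expected:
            short.append(dev["system-ip"])
    return short


class FakeVManage:
    """Constructed stand-in for a vManage so the example runs offline."""
    def __init__(self, password="correct"):
        self.password, self.calls = password, []

    def __call__(self, method, path, headers, body):
        self.calls.append((method, path, headers))
        if path == "/j_security_check":
            if f"j_password={self.password}" not in body:
                return 200, None, b"<html><body>Login</body></html>"
            return 200, "JSESSIONID=abc123; Path=/; Secure; HttpOnly", b""
        if path == "/dataservice/client/token":
            return 200, None, b"tok-xyz"
        if path == "/dataservice/device":
            return 200, None, json.dumps({"data": [
                {"system-ip": "10.10.10.10", "device-type": "vedge"},
                {"system-ip": "10.10.10.11", "device-type": "vedge"},
                {"system-ip": "10.1.1.1", "device-type": "vsmart"}]}).encode()
        if path.startswith("/dataservice/device/control/connections"):
            conns = [{"peer-type": "vsmart", "state": "up"},
                     {"peer-type": "vmanage", "state": "up"}]
            if path.endswith("10.10.10.10"):
                conns.append({"peer-type": "vsmart", "state": "up"})
            return 200, None, json.dumps({"data": conns}).encode()
        return 404, None, b""


def demo():
    """Log in to the fake controller and list edges missing a vSmart connection."""
    client = VManageClient("vmanage.example.net", "admin", "correct",
                           transport=FakeVManage())
    client.login()
    return edges_short_on_vsmarts(client)
```

Against a real controller, drop the transport argument and the client talks HTTPS with a verified certificate; the HTML-body check in login() is the one most scripts forget, and the reason they report "success" with an unauthenticated session.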
Self Recovery

[Diagram, two scenarios on a vEdge router, each numbered 1 to 3. Left: vManage activates a new image (Active Software A; Available Software B, C, D), the upgrade fails, the router rolls back. Right: vManage attaches a template, connectivity is lost, the router rolls back.]
Application Quality of Experience
Application Visibility
Deep Packet Inspection: over 3,000 applications

[Diagram: Data Center and Cloud applications (App 1, App 2 ... App 3,000) reached across the Secure SD-WAN Fabric from Small Office, Home Office, Campus and Branch sites through a vEdge router.]

Application classification drives:
• App firewall
• Traffic prioritization
• Transport selection
Tunnel Liveliness Detection

[Diagram: vEdge at Site 1 and vEdge at Site 2 with IPSec security associations across the transports; BFD runs inside each IPSec tunnel.]

• BFD packets are bi-directionally echoed
- No BFD neighbors across the tunnels
• IPSec security associations stay up as long as BFD periodic messages succeed
- No idle SA timeout
Application Performance and AAR

• By default, without any local or centralized data policies, Cisco SD-WAN performs flow-based load sharing across all transports available between the vEdge routers
• With policies: App Aware Routing policy
- Enforce an SLA compliant path for applications of interest
- Other applications follow active/active behavior across all paths

[Diagram: vSmart controllers push the App Aware Routing policy "App A path must have latency <150ms and loss <2%". Two vEdge routers are connected over three paths: Path 1 (INET), Path 2 (MPLS) and Path 3 (INET).]
Path 1: 10ms, 0% loss, 2ms jitter
Path 2: 200ms, 3% loss, 5ms jitter
Path 3: 140ms, 1% loss, 3ms jitter
Result: optimal throughput
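Added example (not part of the deck and not Cisco's code): the SLA evaluation above, written out in Python so the selection rule is explicit. The three paths and the App A thresholds are copied from the slide as constructed input; the fallback when no path complies is an assumption of this example, not something the slide states.

```python
# Added example, not Cisco's code: App Aware Routing SLA evaluation.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SlaClass:
    """Thresholds an application's path must stay under (None = not checked)."""
    name: str
    max_latency_ms: Optional[float] = None
    max_loss_pct: Optional[float] = None
    max_jitter_ms: Optional[float] = None


@dataclass(frozen=True)
class PathStats:
    """What BFD measures per tunnel: latency, loss and jitter."""
    name: str
    transport: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float


def meets_sla(path: PathStats, sla: SlaClass) -> bool:
    """Strict comparison, matching the slide's 'latency <150ms and loss <2%'."""
    checks = (
        (sla.max_latency_ms, path.latency_ms),
        (sla.max_loss_pct, path.loss_pct),
        (sla.max_jitter_ms, path.jitter_ms),
    )
    return all(limit is None or measured < limit for limit, measured in checks)


def compliant_paths(paths, sla):
    return [p for p in paths if meets_sla(p, sla)]


def select_paths(paths, sla):
    """Paths the application's flows are load-shared across.

    AAR does not pick the single best path: every compliant path stays in
    use and flows are shared across them, which is why Path 3 (140 ms, 1%)
    is kept alongside Path 1. If nothing complies, this example falls back
    to all paths; that fallback is an assumption, the slide does not say
    what the policy does in that case.
    """
    ok = compliant_paths(paths, sla)
    return ok if ok else list(paths)


# Constructed sample: the three paths and the App A SLA from the slide.
SLIDE_PATHS = [
    PathStats("Path1", "INET", latency_ms=10, loss_pct=0, jitter_ms=2),
    PathStats("Path2", "MPLS", latency_ms=200, loss_pct=3, jitter_ms=5),
    PathStats("Path3", "INET", latency_ms=140, loss_pct=1, jitter_ms=3),
]
APP_A_SLA = SlaClass("app-a", max_latency_ms=150, max_loss_pct=2)


def app_a_path_names(paths=SLIDE_PATHS):
    """Names of the paths App A is steered onto."""
    return [p.name for p in select_paths(paths, APP_A_SLA)]


if __name__ == "__main__":
    print("App A uses:", app_a_path_names())
    print("Other apps use:", [p.name for p in SLIDE_PATHS])
```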
Application Security and Service Insertion
Conformance and Compliance

• Single-touch centralized security policy
- Access control list
- Application firewalling
• Strong security posture
- Regionalized stateful network services
• Multiple network services
- Service chaining

[Diagram: vSmart controllers push app policies; ACLs are applied on the vEdge at the user site and at the data center server, and data traffic can be steered across the transports through network service nodes behind a regional DC/colo vEdge.]
Optimal Secure Cloud Application Experience
Balanced Approach Between Cost and User Experience

• Geographically regionalized secure cloud application access
• Local secure cloud application access

[Diagram: control plane (vSmart controllers with app policies) over the transports between the user site vEdge and the data center vEdge; a regional DC/colo vEdge with a firewall provides the regional path to the Internet and the cloud applications.]
Common Data Plane Communication
Ultimate control over application traffic forwarding

• Per-session load sharing: active/active across MPLS and INET; default behavior
• Per-session weighted: active/active across MPLS and INET; device policy, configurable
• Application pinning: active/standby across MPLS and INET; policy, enforced
• Application aware routing: SLA compliant path across MPLS and INET; SLA policy, enforced
vEdge Router Device QoS Overview

Data policy from vManage: classification of application traffic into QoS forwarding classes (queues).

Ingress interface: policing, map into forwarding classes (FC), rewrite inner DSCP
Egress interface: map into egress queue (Q), policing, shaping, QoS scheduler (bandwidth %, buffer %, scheduling priority, drop), rewrite outer DSCP
vAnalytics
Cisco SD-WAN vAnalytics
How Cisco does it

vAnalytics:
• Baseline / trending
• Anomaly detection
• Comparisons
• Cause and effect
• Capacity planning
vManage:
• Real-time visibility
• Historical visibility
• Troubleshooting tools
• Capacity utilization
• Network utilization
Increasing bandwidth could take up to 90 days.
Licensing: part of the Enterprise license
vAnalytics – Customer Data

Data transfer and storage
• Client authenticated and data securely transmitted from vManage to the vAnalytics clusters / data lake
• Data storage isolation between customers
• No PII (Personally Identifiable Information) is collected
Data correlation and algorithms
• Only management data (stats, flows) is collected
• All algorithms and visualization are done on a per-customer basis
• IP addresses are collected for provider look-ups
• Peer benchmarking (future use cases) only on a group basis; no individual customer data is used
vAnalytics Main Dashboard
Widgets: Network Availability, App vQoE, Carrier Performance, App Bandwidth, Tunnel Performance, App Anomalies
Application Forecasting

Circuit Forecasting

Cloud onRamp for SaaS / IaaS

Shifts in Enterprise Workloads
Traditional on-premise data centers are shifting to public/hybrid cloud (IaaS) and cloud applications (SaaS).
Cloud onRamp for SaaS Quality Probing

• DNS resolution for the configured Cloud onRamp SaaS applications
• Periodic quality probes toward the configured Cloud onRamp SaaS applications
• vQoE score is determined based on loss and latency reported by the quality probes
• The edge router determines the best performing DIA circuit toward the Cloud onRamp SaaS applications based on the vQoE scores

[Diagram: an edge router at a remote site with two DIA interfaces in VPN 0 (ISP1, ISP2) sends DNS queries to the DNS server(s) and quality probes over each ISP, measures loss/latency and selects the best performing circuit.]
Cloud onRamp for SaaS

[Diagram: two deployment models with application quality probing. Internet DIA: the remote site probes the SaaS application over ISP1 and ISP2 directly. Hybrid DIA: the remote site probes over its local ISP1 and over the SD-WAN fabric (MPLS) to a regional hub / data center with ISP2, measuring loss/latency on each.]
Cloud onRamp for IaaS – Attached Compute

• Virtual WAN Edge routers are instantiated in Amazon VPCs or Microsoft Azure VNETs
- Posted in the marketplace
- Use Cloud-Init for ZTP/PnP
• One virtual WAN Edge router per VPC/VNET
- No multicast support, can't form VRRP
- No router redundancy
• Virtual WAN Edge routers join the fabric; all fabric services are extended to the IaaS instances, e.g. multipathing, segmentation and QoS
- For multipathing, AWS Direct Connect or Azure ExpressRoute can be combined with direct internet connectivity

[Diagram: compute VPCs/VNETs in the cloud joined to the SD-WAN fabric alongside the data center, campus, remote site and branch.]
Cloud onRamp for IaaS - AWS

• VGW for host VPCs
• Gateway VPC per region
- Multiple for scale
• Standards-based IPSec
- Connectivity redundancy
• BGP across the IPSec tunnels for route advertisement
- Active/active forwarding
- BGP into OMP redistribution
- Advertise a default route to the host VPCs
• Optional Direct Connect

[Diagram: within an AWS region, a gateway VPC holds two WAN Edge routers (AZ1, AZ2) that connect to the SD-WAN fabric over INET and MPLS (and optionally Direct Connect) and to each host VPC's VGW over standard IPSec + BGP (2x); BGP routes are redistributed into OMP. vManage orchestrates the deployment.]
Cloud onRamp for IaaS - Azure

• VPN GW for host VNETs
• VNET gateway per region
- Multiple for scale
• Standards-based IPSec
- Connectivity redundancy
• BGP across the IPSec tunnels for route advertisement
- Active/active forwarding
- BGP into OMP redistribution
- Advertise a default route to the host VNETs
• Optional ExpressRoute

[Diagram: within an Azure region, a gateway VNET holds two WAN Edge routers (AS1, AS2) that connect to the SD-WAN fabric over INET and MPLS (and optionally an ExpressRoute GW) and to each host VNET's VPN GW over standard IPSec + BGP (2x); BGP routes are redistributed into OMP. vManage orchestrates the deployment.]
Cloud onRamp for IaaS Dashboard
• Centralized provisioning wizard on vManage
• No need to operate the marketplace
Questions

Direct Internet Access and Branch Security
SD-WAN – Branch Security

Four customer needs:
• Compliance: "I need to protect my sensitive data (card holder data, patient data) against data breaches before, during and after a transaction."
• Guest Access: "I need to protect my company against liability and prevent guest users from disrupting my network when browsing the internet via guest wi-fi."
• Direct Cloud Access: "I want to reduce expenses and provide a better user experience for cloud apps. If I open up my branch office to the internet I increase the attack surface and I need to protect my network."
• Direct Internet Access: "I want to leverage the local internet path for all internet traffic; I need to protect myself against potential threats coming into my network."

[Diagram: for each use case, a stack of branch security functions drawn from App Aware Firewall, IPsec VPN, IPS, URL Filtering, AMP/TG and Umbrella (SIG), with the attack surface and risk exposure indicated per use case.]
Platform Support & Management

Embedded security: Ent FW – App Aware, IPS, URL Filter, Advanced Malware Protection (AMP)
Cloud security: Umbrella
vManage (cloud or on-prem): provisioning, policy, reporting, monitoring, troubleshooting
Edge platforms: ISR 4K/1K, ENCS w/ISRv, CSR, ASR1K, vEdge
Target timeline shown per platform: Q4CY2018 (Nov 18) and 1HCY19; vEdge: firewall only
Intrusion Prevention (IPS)

• Snort IPS is the most widely deployed engine in the world
• Backed by global threat intelligence (Talos); signatures are updated automatically
• Signature whitelist support
• Real-time traffic analysis
• PCI compliance

[Diagram: IPS inspecting traffic in front of on-site services.]
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Systems
URL Filtering

• Enforce acceptable use controls
• Block based on web reputation score
• Create custom black and white lists
• Customizable end-user notifications
• 82+ web categories and dynamic updates

[Diagram: requests for "risky" domains go through URL inspection; block/allow based on categories and reputation; white/black lists of custom URLs.]
App-aware Firewall

• Application visibility and granular control by category or individual application
• 1400+ applications classified
• Prevent lateral movement of threats (e.g. a printing service should not create new connections to the employee network)
• PCI compliance

[Diagram: the edge device has an Outside zone (Internet, SaaS), an Inside zone (users, Service-VPN 1) and an IoT zone (devices, Service-VPN 2). The inspect policy allows only return traffic and drops any new connections.]
Advanced Malware Protection (AMP)
Roadmap: 1HCY19

• Integration with AMP
- File reputation
- File retrospection
• Integration with ThreatGrid
- File analysis
• Backed with valuable threat intelligence (Talos)

[Diagram: the edge checks the file signature against AMP and submits the file to the ThreatGrid malware sandbox for analysis.]
Cisco Umbrella

DNS-layer enforcement
• Leading security efficacy for malware, phishing and unacceptable requests by blocking based on DNS requests
• Supports DNSCrypt
• Local domain-bypass option

[Diagram: DNS requests from users and devices go to Cisco Umbrella; safe requests are resolved, blocked requests are not.]
Manage and Monitor by vManage

Security Profiles

Customer persona | Security profile | Platform requirements
Customer looking at compliance and delivering security through the cloud | FW + Umbrella | vEdge, cEdge (4GB RAM), ENCS
Customer looking to do DIA with a medium security posture | FW + IPS + URLF (cloud lookup only) + AMP | cEdge, ENCS; 8GB bootflash and 8GB memory
Customer looking to do DIA with a high security posture | FW + IPS + URLF (on-box DB + cloud lookup) + AMP (file hashing) + ThreatGrid | cEdge, ENCS; 16GB bootflash and 16GB memory

ISR1K with 8GB RAM to be launched soon
End to End Segmentation

Edge VPNs and Security Zoning

[Diagram: the Edge's VPNs as zones. Trust zone: service VPNs (VPNn) with interfaces and sub-interfaces. Untrusted zone: transport VPN 0 with interfaces and sub-interfaces toward MPLS and Internet. Out-of-band management: VPN 512 with its own interface.]

• VPNs are isolated from each other; each VPN has its own forwarding table
• Reachability within a VPN is automatically advertised by OMP
End to End Segmentation

• Isolated virtual private networks across any transport
• VPN mapping is based on physical interface, 802.1Q VLAN tag or a mix of both
• VPN isolation is carried over all transports

Use cases:
• Security zoning
• Compliance
• Guest WiFi
• Multi-tenancy
• Extranet

[Diagram: at Site 1 and Site 2, interfaces (physical or 802.1q sub-interfaces) and prefixes map into VPN 1, VPN 2 and VPN 3 on the vEdge router; the VPNs ride the same IPSec tunnels across the transports to the data center.]
Tunnel packet format: IP (20) | UDP (8) | ESP (36) | VPN label (VPN 1, 2, 3) | Data
- https://tools.ietf.org/html/rfc4023
Application Aware Topologies

• Each VPN can have its own topology
- Full-mesh, hub-and-spoke, partial-mesh, point-to-point, etc.
• VPN topology can be influenced by leveraging control policies
- Filtering TLOCs or modifying the next-hop TLOC attribute of routes
• Applications can benefit from the shortest path, e.g. voice takes the full-mesh topology
• Security compliance can benefit from a controlled connectivity topology, e.g. PCI data takes the hub-and-spoke topology

[Diagram: VPN1 full-mesh, VPN2 hub-and-spoke, VPN3 partial mesh, VPN4 point-to-point.]
Service Chaining
Single Service Insertion

• A vEdge router with a connected L4-L7 service makes an advertisement
- Service route OMP address family
- Service VPN label
• The service is advertised in a specific VPN
• The service can be L3 routed or L2 bridged
• The service can be singly or dually connected (firewall trust zones) to the advertising vEdge
• Control or data policies are used to insert the service node into the matching traffic forwarding path
- Match on 6-tuple or DPI signature
- Applied on the ingress/egress vEdge

[Diagram: vSmart pushes the policy* and receives the service advertisement (control plane); the traffic path from the remote office (MPLS, INET, 4G) to the data center in VPN1 is steered through the firewall at the regional hub.]
* For data policy only. Control policy is enforced on vSmart.
Multiple Services Chaining

• vEdge routers with connected L4-L7 services make advertisements
- Service route OMP address family
- Service VPN labels
• Services are advertised in a specific VPN
• Services can be L3 routed or L2 bridged
• Services can be singly or dually connected to the advertising vEdges
• Control or data policies are used to insert the service nodes into the matching traffic forwarding path
- Match on 6-tuple or DPI signature
- Applied on the ingress/egress/service vEdge

[Diagram: vSmart pushes the policy* and receives the service advertisements (control plane); the traffic path from the remote office (MPLS, INET, 4G) to the data center in VPN1 is chained through the firewall and the IDS at the regional hub.]
* For data policy only. Control policy is enforced on vSmart.
Questions

SD-WAN Controllers Component, Design & Deployment
vManage, vSmart, vBond
Controller Deployment Models

Control and management elements: vManage, vSmart, vBond
• Cloud-delivered (recommended): deployed by Cisco in the Cisco cloud (AWS, MS-Azure)
• On-prem: deployed by the customer in a private cloud (KVM, ESXi)
Controller Tenancy

Single tenant: one vManage, one vBond and one vSmart (VM or VM/container) per customer; up to 30,000 vEdges.
Multi tenant: shared vManage, vBond and vSmart serving tenants 1, 2, 3 ...; limit 200+ tenants and 10,000 vEdges (customers with fewer than 60 sites).
Hosting: AWS, MS-Azure, KVM, ESXi
Controllers Redundant Deployment

• Controllers are distributed across multiple private data centers (Data Center A, Data Center B)
- Active-active; vManage is cold-standby (configuration export/import between the two)
• Controllers are distributed across multiple public cloud regions (Region A, Region B)
- Active-active; vManage is cold-standby (configuration export/import between the two)
Cloud Controllers Connection

[Diagram: vBond, vSmart and vManage in the cloud network, each with a public IP address; the Edge builds TLS/DTLS control connections to them.]
On-Prem Controllers Connections

[Diagram: vBond, vSmart and vManage in the DMZ behind the DC perimeter core firewall, each reachable on a public IP address; the CE connects to MPLS and INET, and the vEdge builds TLS/DTLS control connections to the controllers.]
Cisco / SP Hosted Controller

• All controller components should be connected via VPN0.

[Diagram: service-provider hosted controllers reachable from the remote vEdge and the DC vEdge over INET and MPLS.]
On-Prem Controller

• All controller components should be connected via VPN0.

[Diagram: on-premise controllers behind an L3 switch or router, reachable from the remote vEdge and the DC vEdge over INET and MPLS.]
How to Deploy On-Premise Controllers
Requirements On-Premise Controller
1. Production: two (2) servers (refer to the sizing guide)
2. Five (5) controllers (Server1: vManage, vSmart1, vBond1; Server2: vSmart2, vBond2)
3. FQDN for vBond (e.g. abc.vbond.com)
4. Organization name (Cisco SD-WAN Champion or Account Team)
5. Five (5) public IP addresses
6. Download the image and install the control components (refer to the step-by-step guide)
7. Configure the basic configuration and settings (refer to the controller basic configuration)
8. Request the certificates and have them approved by the Cisco team (Cisco SD-WAN Champion or Account Team)
9. Configure the tunnel interfaces (refer to the controller tunnel configuration)
10. Verify the configuration (show control connections)
11. Upload the Edge licenses file (viptela_serial_file.viptela)
Document On-Prem Controller
Step by step bring-up of controllers:
https://docs.viptela.com/Product_Documentation/Getting_Started/04Viptela_Overlay_Network_Bringup

Server hardware recommendations for Viptela controllers:
https://docs.viptela.com/Product_Documentation/Getting_Started/Hardware_and_Software_Installation/Server_Hardware_Recommendations

Firewall ports that need to be considered for Viptela deployments:
https://docs.viptela.com/Product_Documentation/Getting_Started/04Viptela_Overlay_Network_Bringup/01Bringup_Sequence_of_Events/Firewall_Ports_for_Viptela_Deployments

Software installation and update:
https://docs.viptela.com/Product_Documentation/Getting_Started/Hardware_and_Software_Installation/Software_Installation_and_Upgrade
Firewall Ports – DTLS

vManage – IP1 (UDP): Core0 - 12346, Core1 - 12446, Core2 - 12546, Core3 - 12646, Core4 - 12746, Core5 - 12846, Core6 - 12946, Core7 - 13046
vSmart – IP1, vSmart – IP2 (UDP): Core0 - 12346, Core1 - 12446, Core2 - 12546, Core3 - 12646, Core4 - 12746, Core5 - 12846, Core6 - 12946, Core7 - 13046
vBond – IP1, vBond – IP2 (*FQDN): UDP 12346

The vManage NMSs and vSmart controllers can run on a virtual machine (VM) with up to eight virtual CPUs (vCPUs). The vCPUs are designated as Core0 through Core7. Each core is allocated separate base ports for control connections.

vBond orchestrators do not support multiple cores. vBond orchestrators always use DTLS tunnels to establish control connections with other Viptela devices, so they always use UDP. The UDP port is 12346.

Edge (UDP, through the firewall): 12346, 12366, 12386, 12406, 12426

• vBond IPs are not elastic; it is recommended to permit UDP/12346 to/from any from the vEdge.
• vEdges can port hop to establish a connection; it is recommended to permit all 5 UDP ports inbound to all vEdges.

Firewall ports that need to be considered for Viptela deployments:
https://docs.viptela.com/Product_Documentation/Getting_Started/04Viptela_Overlay_Network_Bringup/01Bringup_Sequence_of_Events/Firewall_Ports_for_Viptela_Deployments
Firewall Ports – TLS

vManage – IP1 (TCP): Core0 - 23456, Core1 - 23556, Core2 - 23656, Core3 - 23756, Core4 - 23856, Core5 - 23956, Core6 - 24056, Core7 - 24156
vSmart – IP1, vSmart – IP2 (TCP): Core0 - 23456, Core1 - 23556, Core2 - 23656, Core3 - 23756, Core4 - 23856, Core5 - 23956, Core6 - 24056, Core7 - 24156
vBond – IP1, vBond – IP2 (*FQDN): UDP 12346

vBond orchestrators do not support multiple cores. vBond orchestrators always use DTLS tunnels to establish control connections with other Viptela devices, so they always use UDP. The UDP port is 12346.

Edge (UDP, through the firewall): 12346, 12366, 12386, 12406, 12426

• vBond IPs are not elastic; it is recommended to permit UDP/12346 to/from any from the vEdge.
• vEdges can port hop to establish a connection; it is recommended to permit all 5 UDP ports inbound to all vEdges.

Firewall ports that need to be considered for Viptela deployments:
https://docs.viptela.com/Product_Documentation/Getting_Started/04Viptela_Overlay_Network_Bringup/01Bringup_Sequence_of_Events/Firewall_Ports_for_Viptela_Deployments
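Added example (not part of the deck and not Cisco's code) covering both the DTLS and the TLS port slides: the per-core port tables turned into functions, so a firewall rule set can be generated or a port seen in a flow log can be attributed to a controller core. The bases (12346 for DTLS, 23456 for TLS), the 100-per-core step and the five edge hop ports come from the slides; the "permit" rule syntax is this example's own pseudo-ACL, not any vendor's.

```python
# Added example, not Cisco's code: controller/edge control-plane port arithmetic.
DTLS_BASE, TLS_BASE, CORE_STEP, MAX_CORES = 12346, 23456, 100, 8
EDGE_HOP_STEP, EDGE_HOP_COUNT = 20, 5


def controller_ports(role, transport="dtls", vcpus=MAX_CORES):
    """Listening ports of a controller. vBond is single-core and DTLS only."""
    if role == "vbond":
        return [DTLS_BASE]
    if role not in ("vmanage", "vsmart"):
        raise ValueError(f"unknown controller role {role!r}")
    if transport not in ("dtls", "tls"):
        raise ValueError("transport must be 'dtls' or 'tls'")
    if not 1 <= vcpus <= MAX_CORES:
        raise ValueError(f"controllers run on 1..{MAX_CORES} vCPUs")
    base = DTLS_BASE if transport == "dtls" else TLS_BASE
    return [base + core * CORE_STEP for core in range(vcpus)]


def edge_hop_ports(base=DTLS_BASE):
    """The five UDP ports an edge hops through: 12346, 12366, ... 12426."""
    return [base + i * EDGE_HOP_STEP for i in range(EDGE_HOP_COUNT)]


def describe_port(port):
    """Reverse lookup for a port seen in a flow log: ('dtls'|'tls', core) or None."""
    for name, base in (("dtls", DTLS_BASE), ("tls", TLS_BASE)):
        off = port - base
        if off >= 0 and off % CORE_STEP == 0 and off // CORE_STEP < MAX_CORES:
            return name, off // CORE_STEP
    return None


def firewall_rules(controllers, edge_subnet):
    """controllers: iterable of (role, ip, transport, vcpus). Returns pseudo-ACL lines.

    Encodes the two recommendations on the slides: vBond addresses are not
    elastic, so UDP/12346 is allowed to any destination, and edges port-hop,
    so all five UDP ports are allowed inbound to every edge.
    """
    rules = []
    hop = ",".join(map(str, edge_hop_ports()))
    for role, ip, transport, vcpus in controllers:
        if role == "vbond":
            rules.append(f"permit udp {edge_subnet} -> any dport {DTLS_BASE}")
            continue
        proto = "udp" if transport == "dtls" else "tcp"
        ports = ",".join(map(str, controller_ports(role, transport, vcpus)))
        rules.append(f"permit {proto} {edge_subnet} -> {ip} dport {ports}")
    rules.append(f"permit udp any -> {edge_subnet} dport {hop}")
    return rules


if __name__ == "__main__":
    # Constructed topology: one vBond, two 4-vCPU vSmarts on DTLS, one 8-vCPU vManage on TLS.
    for line in firewall_rules([("vbond", "203.0.113.10", "dtls", 1),
                                ("vsmart", "203.0.113.20", "dtls", 4),
                                ("vsmart", "203.0.113.21", "dtls", 4),
                                ("vmanage", "203.0.113.30", "tls", 8)], "10.0.0.0/24"):
        print(line)
```

A practical use of describe_port(): when a control connection is stuck in a "challenge" state, the firewall log shows which core's port was blocked, which is usually the one above the core count the rule set was written for.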
Administrative Ports Used by vManage NMS
High Availability & Redundancy
Control Redundancy - vManage

• vManage servers form a cluster for redundancy and high availability
• All servers in the cluster act as active/active nodes
- All members of the cluster must be in the same DC / metro area
• For geo-redundancy, vManage servers operate in active/standby mode
- Not clustered
- Database replication between sites is needed
• Loss of all vManage servers has no impact on fabric operation
- No policy changes
- No stats collection

[Diagram: a vManage cluster in the cloud data center; management plane and data plane across MPLS, INET and 3G/4G to the data center, small office, home office, campus and branch.]
Control Redundancy – vSmart & vBond

• vSmart controllers exchange OMP messages between themselves and have an identical view of the SD-WAN fabric
• vEdge routers connect to up to three vSmart controllers for redundancy
• A single vSmart controller failure has no impact, as long as there is another vSmart controller the vEdge routers are registered with
• If all vSmart controllers fail or become unreachable, vEdge routers continue operating on the last known good state for a configurable amount of time (GR timer)
- No updates to reachability
- No IPSec rekey
- No policy change propagation

[Diagram: vSmart controllers in the cloud data center; control plane and data plane across MPLS, INET and 3G/4G to the data center, small office, home office, campus and branch.]
High Availability and Scale

• vBond: 1500 connections each, x6
• vSmart: 5400 connections each*, x18
• vManage: 2000 devices each, x20, networked cluster
* 8 core with 17.1 code

vEdge connections:
• vBond: 1 transient connection, vBond chosen by DNS hash of the FQDN
• vSmart: 2 permanent connections per transport, hashed across the vSmarts
• vManage: 1 permanent connection
High Availability and Scale – Data Plane

• vEdge tunnel scale: 250 / 1500 / 6000 tunnels depending on platform
• Equal cost multipath (ECMP) across up to 16 tunnels (T1, T2 ... Tn)

Number of tunnels by throughput:
• 100Mbps: ~250 tunnels
• 500Mbps: ~600 tunnels
• 1Gbps: ~1500 tunnels
• 2.5Gbps and above: ~6000 tunnels
WAN Edge High Availability Scenarios

[Diagram. Service side: a pair of WAN Edges (A/S) behind a site router running OSPF/BGP; a pair of WAN Edges (A/B) behind a site router; a pair of WAN Edges (A/B) running VRRP toward the hosts, group 1 on VLAN 1 and group 2 on VLAN 2. Transport side: three variants of WAN Edge A/B pairs attached to MPLS and Internet.]
Transport Redundancy – TLOC Extension

• Edge routers are connected only to their respective transports
• Edge routers build IPSec tunnels across the directly connected transport and across the transport connected to the neighboring Edge router
- The neighboring Edge router acts as an underlay router for tunnels initiated from the other Edge
• If one of the Edge routers fails, the second Edge router takes over forwarding the traffic in and out of the site
- Only the transport connected to the remaining Edge router can be used

[Diagram: vEdge-A and Edge-B at the site network, one attached to MPLS and one to INET, with a link between them carrying the extended TLOCs.]
TLOC Extension Configuration

Advertise 2.2.18.0/30 to the MPLS, next hop 2.2.16.3.

[Diagram: VE120-A (INT side) ge0/0 2.2.15.3/24; VE120-B (MPLS side) ge0/0 2.2.16.3/24. Cross links: ge0/1.1 2.2.18.1/30 (A) to ge0/1.1 2.2.18.2/30 (B); ge0/1.2 2.2.18.6/30 (A) to ge0/1.2 2.2.18.5/30 (B).]

VE120-A (INT):

    vpn 0
     dns 8.8.4.4 secondary
     dns 8.8.8.8 primary
     !
     interface ge0/1
      mtu 1504
      no shutdown
     !
     interface ge0/1.2
      ip address 2.2.18.6/30
      tloc-extension ge0/0
      no shutdown
     !
     interface ge0/1.1
      ip address 2.2.18.1/30
      tunnel-interface
       encapsulation ipsec
       color mpls restricted
       ……
      no shutdown
     !
     ip route 0.0.0.0/0 2.2.15.1
     ip route 0.0.0.0/0 2.2.18.2

VE120-B (MPLS):

    vpn 0
     dns 8.8.4.4 secondary
     dns 8.8.8.8 primary
     !
     interface ge0/1
      mtu 1504
      no shutdown
     !
     interface ge0/1.1
      ip address 2.2.18.2/30
      tloc-extension ge0/0
      no shutdown
     !
     interface ge0/1.2
      ip address 2.2.18.5/30
      tunnel-interface
       encapsulation ipsec
       color gold
       ……
      no shutdown
     !
     ip route 0.0.0.0/0 2.2.16.1
     ip route 0.0.0.0/0 2.2.18.6
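Added example (not part of the deck and not Cisco's code): a consistency check for a TLOC-extension pair like the one above. Each router is modelled as a constructed dict holding the values from the slide (transport interface, extension sub-interface, the tunnel sub-interface that rides the peer's transport, default routes); the ge0/0 tunnel colors are not on the slide and are assumed to be gold (VE120-A, Internet) and mpls (VE120-B). The checks and the advertisement derivation are this example's own reading of what the configuration requires; the MPLS advertisement it derives matches the note on the slide. On the Internet side the slide does not show how the extended /30 becomes reachable; that is beyond what the slide covers.

```python
# Added example, not Cisco's code: sanity checks for a TLOC-extension pair.
from ipaddress import ip_interface

# Constructed model of the two routers on the slide (colors of ge0/0 assumed).
VE120_A = {
    "name": "VE120-A",
    "transport": {"iface": "ge0/0", "addr": "2.2.15.3/24", "color": "gold"},
    "extension": {"iface": "ge0/1.2", "addr": "2.2.18.6/30", "extends": "ge0/0"},
    "tunnel_via_peer": {"iface": "ge0/1.1", "addr": "2.2.18.1/30", "color": "mpls"},
    "default_routes": ["2.2.15.1", "2.2.18.2"],
}
VE120_B = {
    "name": "VE120-B",
    "transport": {"iface": "ge0/0", "addr": "2.2.16.3/24", "color": "mpls"},
    "extension": {"iface": "ge0/1.1", "addr": "2.2.18.2/30", "extends": "ge0/0"},
    "tunnel_via_peer": {"iface": "ge0/1.2", "addr": "2.2.18.5/30", "color": "gold"},
    "default_routes": ["2.2.16.1", "2.2.18.6"],
}


def check_pair(a, b):
    """Return a list of problems; an empty list means the two sides agree."""
    problems = []
    for me, peer in ((a, b), (b, a)):
        tun = ip_interface(me["tunnel_via_peer"]["addr"])   # my TLOC via the peer
        ext = ip_interface(peer["extension"]["addr"])       # peer's end of that link
        who = f"{me['name']} {me['tunnel_via_peer']['iface']}"
        if tun.network != ext.network:
            problems.append(f"{who}: {tun} is not in the same link network as "
                            f"{peer['name']} {peer['extension']['iface']} {ext}")
        elif tun.ip == ext.ip:
            problems.append(f"{who}: duplicate address {tun.ip} with {peer['name']}")
        # Traffic for the extended TLOC must be routed at the peer's extension address.
        if str(ext.ip) not in me["default_routes"]:
            problems.append(f"{who}: no default route via {peer['name']} "
                            f"extension address {ext.ip}")
        # The peer's tloc-extension must point at its real transport interface.
        if peer["extension"]["extends"] != peer["transport"]["iface"]:
            problems.append(f"{peer['name']}: tloc-extension {peer['extension']['iface']} "
                            f"extends {peer['extension']['extends']}, not "
                            f"transport {peer['transport']['iface']}")
        # My tunnel color must be the color of the transport the peer owns.
        if me["tunnel_via_peer"]["color"] != peer["transport"]["color"]:
            problems.append(f"{who}: color {me['tunnel_via_peer']['color']} does not "
                            f"match {peer['name']} transport color {peer['transport']['color']}")
    return problems


def required_advertisements(a, b):
    """(prefix, next hop, transport color) each transport must learn so that the
    extended TLOC is reachable, e.g. 2.2.18.0/30 via 2.2.16.3 into MPLS."""
    out = []
    for me, peer in ((a, b), (b, a)):
        net = ip_interface(me["tunnel_via_peer"]["addr"]).network
        nh = ip_interface(peer["transport"]["addr"]).ip
        out.append((str(net), str(nh), peer["transport"]["color"]))
    return out


if __name__ == "__main__":
    print("problems:", check_pair(VE120_A, VE120_B) or "none")
    for prefix, nh, color in required_advertisements(VE120_A, VE120_B):
        print(f"advertise {prefix} into {color} with next hop {nh}")
```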
Questions

Policy Framework

Policy Framework

Centralized policies (defined on vManage, pushed to vSmart):
• Centralized control policy (fabric routing)
• Centralized data policy (fabric data plane)
• Centralized app-aware policy (application SLA)
• VPN membership (fabric routing + segmentation)
Localized policies (defined on vManage, pushed to the WAN Edge):
• Local control policy (OSPF/BGP)
• Local data policy (QoS/mirror/ACL)
The centralized data policy and the centralized app-aware policy are forwarded from vSmart to the WAN Edge, where they are enforced.
Policy Distribution

• Data policy and app aware routing policy: vManage → vSmart (NETCONF/YANG) → Edge (OMP)
• Control policy and VPN membership policy: vManage → vSmart (NETCONF/YANG); enforced on vSmart
• Local policies: vManage → Edge (NETCONF/YANG)
Cisco SD-WAN Policy Architecture
• Suite of Policies to address different functional domains:
  • Control Policy: Routing and Services
  • Data Policy: Extensive Policy-based Routing and Services
  • App-Route Policy: App-Aware SLA-based Routing

[Diagram: two sites (1 and 2), each WAN Edge carrying VPN 1 and VPN 2, interconnected across the SD-WAN Fabric over MPLS and Internet transports]

• Control Policies are applied at vSmart: they tailor the routing information advertised to Edge endpoints
• App-Route Policies are applied at Edge: SLA-driven path selection for applications
• Data Policies are applied at Edge: extensive policy-driven routing
Topology – Full Mesh
[Diagram: WAN Edges 1…N fully meshed over transports T1 and T2]
• Full mesh SD-WAN tunnels between WAN Edge nodes
• (N-1)¹ tunnel scale
• Double tunnel scale in case of dual transports
• High tunnel capacity WAN Edge

Data Plane Complexity is O(n^2)

¹ Assumes single WAN Edge per-site
Topology – Centralized Hub and Spoke
[Diagram: headend WAN Edges 1…M, spoke WAN Edges 1…N, transports T1 and T2; tunnels run only spoke-to-hub]
• SD-WAN tunnels only between spoke WAN Edge nodes and headend WAN Edge nodes
• M tunnel scale at spoke WAN Edge
• N¹ tunnel scale at hub WAN Edge
• Doubled tunnel scale in case of dual transports
• High tunnel capacity WAN Edge at the hub
• Low tunnel capacity WAN Edge at the spoke

Data Plane Complexity is O(n)

¹ Assumes single WAN Edge per-site
Topology – Regional Mesh
[Diagram: Regions 1, 2 … M, each a full mesh of WAN Edges 1…N over transports T1 and T2; each region's border WAN Edges are fully meshed with the border WAN Edges of the other regions]
• Full mesh inter-region tunnels
• Full mesh intra-region tunnels
• (N-1)¹ tunnel scale for intra-region WAN Edge
• 2*(M-1)² tunnel scale for border WAN Edge
• Doubled tunnel scale in case of dual transports
• Low tunnel capacity WAN Edge

¹ Assumes single WAN Edge per-site
² Assumes dual border WAN Edges per-region
Control Policies
Overlay Management Protocol Routing Policies
• Control policies are applied and executed on vSmart to influence routing in the overlay domain
• Control policies filter or manipulate OMP routing information to:
  • Enable services
  • Influence path selection
• Control policies control the following services:
  • Service Chaining
  • Traffic Engineering
  • Extranet VPNs
  • Service and Path affinity
  • Arbitrary VPN Topologies
  • and more …
• The Control Policy is one of the centralized and most powerful tools in the Cisco SD-WAN toolbox
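As an added example, not taken from the deck, the following vSmart centralized control policy builds the "Centralized Hub and Spoke" topology from the topology slides above and illustrates the "Arbitrary VPN Topologies" use of a control policy. It is written in the same vSmart/vEdge CLI syntax as the device configurations earlier in the deck; the site IDs (hub site 1, spokes 100-199), the hub system IP 10.255.0.1, the colors mpls and biz-internet, and all list and policy names are assumptions for illustration, and lines beginning with "!" are comments.

```text
! Added example (not from the deck): vSmart centralized control policy that
! enforces a hub-and-spoke topology. Site IDs, the hub system IP 10.255.0.1,
! colors and list names are assumptions for illustration.
policy
 lists
  site-list HUBS
   site-id 1
  !
  site-list SPOKES
   site-id 100-199
  !
  tloc-list HUB-TLOCS
   tloc 10.255.0.1 color mpls encap ipsec
   tloc 10.255.0.1 color biz-internet encap ipsec
  !
 !
 control-policy HUB-AND-SPOKE
  ! seq 10: spokes learn the hub's TLOCs, so spoke-to-hub tunnels are built
  sequence 10
   match tloc
    site-list HUBS
   !
   action accept
   !
  !
  ! seq 20: hub prefixes reach the spokes unchanged
  sequence 20
   match route
    site-list HUBS
   !
   action accept
   !
  !
  ! seq 30: other spokes' prefixes are re-advertised with the hub TLOCs as
  ! next hop, so spoke-to-spoke traffic transits the hub
  sequence 30
   match route
    site-list SPOKES
   !
   action accept
    set
     tloc-list HUB-TLOCS
    !
   !
  !
  ! everything else (in particular the spokes' own TLOCs) is withheld from
  ! the spokes, so no direct spoke-to-spoke tunnel can form
  default-action reject
 !
 apply-policy
  site-list SPOKES
   control-policy HUB-AND-SPOKE out
  !
 !
!
```

The policy is applied in the outbound direction towards the spoke sites only, so the hub receives no policy and keeps full visibility of the fabric. The "default-action reject" line is what actually enforces the topology: without it, spoke TLOCs not matched by an earlier sequence would still be advertised and direct spoke-to-spoke tunnels would come up. To check the result on a spoke, "show omp tlocs" should list only the hub's TLOCs and "show omp routes" should show another spoke's prefix with a hub TLOC as next hop; per the topology slide, the spoke's tunnel count is then M hubs times the number of transports rather than N-1.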
Control Policy
Interconnecting Discontiguous Data Planes

[Diagram: sites attached only to MPLS on one side and only to the Internet on the other, with no common transport between them]

• Problem:
  The overlay has a discontiguous data plane (sites whose transports do not overlap, here MPLS-only and Internet-only), yet endpoints need to communicate end-to-end
App-Route Policies
Centralized Policy for enabling SLA-driven routing on Edge endpoints
• App-route policies:
• Applied on vSmart
• Advertised to and executed on Edge
• Monitors SLAs for active overlay paths to direct Applications along qualified paths

• Allows for the use of L3/L4 keys or DPI Signatures for application identification

• Delivers a fully distributed SLA-driven routing mechanism

App-Aware Routing Policies
SLA-Driven Routing / Performance Routing

[Diagram: DPI → POLICY → SLA; traffic from VPN 1 and VPN 2 is steered across the transports mpls (MPLS), public-internet (Broadband) and lte (4G/LTE) according to the measured SLA]
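The mechanism on this slide and the previous one, as an added example that is not part of the deck: an SLA class plus an app-route policy in vSmart CLI syntax, defined on vSmart and executed on the Edges of the matching sites. VPN 10, site IDs 100-199, the application names rtp and sip, the SLA thresholds (loss in percent, latency and jitter in milliseconds) and the color mpls are assumptions for illustration; "!" lines are comments.

```text
! Added example (not from the deck): SLA-driven routing for voice in VPN 10.
! Thresholds, VPN, sites, app names and colors are assumptions for illustration.
policy
 sla-class VOICE-SLA
  loss 1
  latency 150
  jitter 30
 !
 lists
  site-list BRANCHES
   site-id 100-199
  !
  vpn-list VPN10
   vpn 10
  !
  app-list VOICE-APPS
   app rtp
   app sip
  !
 !
 app-route-policy AAR-VPN10
  vpn-list VPN10
   ! seq 10: DPI-identified voice; "strict" drops the flow rather than
   ! sending it over a path that currently violates the SLA
   sequence 10
    match
     app-list VOICE-APPS
    !
    action
     sla-class VOICE-SLA strict preferred-color mpls
     count VOICE-SLA-HITS
    !
   !
   ! seq 20: L3 key (DSCP EF) instead of a DPI signature; without "strict"
   ! the flow falls back to any available path when no path meets the SLA
   sequence 20
    match
     dscp 46
    !
    action
     sla-class VOICE-SLA preferred-color mpls
    !
   !
  !
 !
 apply-policy
  site-list BRANCHES
   app-route-policy AAR-VPN10
  !
 !
!
```

Traffic that matches neither sequence is routed by the normal OMP best path with no SLA check. The two sequences show the two identification methods named on the previous slide (DPI signature versus L3/L4 key) and the two failure behaviours: "strict" protects the application from a degraded path at the cost of availability, while the non-strict form keeps the flow up on whatever path remains.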

Data Policies
Policy-driven Routing and Service Enablement
• Data policies:
• Applied on vSmart
• Advertised to and executed on Edge
• A Data policy acts on an entire VPN and is not interface-specific

• Data Policies are used to enable the following functions and services:
• Application Pinning
• NAT/DIA
• Classification, Policing and Marking
• and more …
• The Data Policy is a very powerful tool for any kind of data-plane-centric traffic management
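An added example, not from the deck, of the data-policy functions listed above (NAT/DIA together with classification, policing and marking) in vSmart CLI syntax. VPN 10, site IDs 100-199, the prefixes 10.0.0.0/8 and 192.168.100.0/24, the policer values and all names are assumptions for illustration; "nat fallback" is assumed to be supported by the software release in use. "!" lines are comments.

```text
! Added example (not from the deck): VPN 10 data policy that keeps corporate
! traffic in the overlay, polices and marks guest traffic, and breaks the rest
! out locally. Prefixes, VPN, sites, rates and names are assumptions.
policy
 policer GUEST-10M
  rate 10000000
  burst 15000
  exceed drop
 !
 lists
  site-list BRANCHES
   site-id 100-199
  !
  vpn-list VPN10
   vpn 10
  !
  data-prefix-list CORP-NETS
   ip-prefix 10.0.0.0/8
  !
  data-prefix-list GUEST-LAN
   ip-prefix 192.168.100.0/24
  !
 !
 data-policy DIA-VPN10
  vpn-list VPN10
   ! seq 10: corporate destinations stay inside the encrypted fabric
   sequence 10
    match
     destination-data-prefix-list CORP-NETS
    !
    action accept
    !
   !
   ! seq 20: guest LAN is rate-limited and re-marked best effort, then
   ! NATed out of the local Internet transport (VPN 0)
   sequence 20
    match
     source-data-prefix-list GUEST-LAN
    !
    action accept
     policer GUEST-10M
     set
      dscp 0
     !
     nat use-vpn 0
     nat fallback
    !
   !
   ! seq 30: everything else in VPN 10 uses Direct Internet Access, falling
   ! back to the overlay if the local Internet transport is down
   sequence 30
    match
     source-ip 0.0.0.0/0
    !
    action accept
     nat use-vpn 0
     nat fallback
    !
   !
  !
 !
 apply-policy
  site-list BRANCHES
   data-policy DIA-VPN10 from-service
  !
 !
!
```

"from-service" applies the policy to traffic arriving from the LAN (service side) of the Edge, which is where DIA decisions are made. For the NAT actions to work, NAT has to be enabled on the VPN 0 transport interface of each branch Edge. Because sequences 20 and 30 move traffic out of the encrypted overlay onto the local Internet link, they are the point where the branch-level security controls mentioned at the start of the deck (firewalling at the branch) have to apply; sequence 10 is ordered first precisely so that corporate destinations can never be matched by the breakout rules.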

Questions

Pre-Sale Guideline
DNA Licenses Offering

Cisco SD-WAN Solution pricing
Cloud Management: Cisco vManage*

The price is made up of:
• Hardware price
• License for desired features
• License for bandwidth

Annual Software Subscription cost

Deployment steps
1. SD-WAN Centralized Management
• Cloud Management: Cisco vManage*
• On-prem Management: Cisco vManage
Either option manages any routing platform: ISR, ASR, ENCS, vEdge

* vManage will continue to be available on-prem

Deployment steps
2. SD-WAN devices at the sites

Branch virtualization
• ENCS 5100: Up to 250Mbps
• ENCS 5400: 250Mbps – 2GB

Public Cloud

SD-WAN Branch Services
• vEdge 100: 100 Mbps; 4G LTE & Wireless connectivity
• vEdge 1000: Up to 1 Gbps; Fixed
• vEdge 2000: 10 Gbps; Modular
• ISR 1000: 200 Mbps; Next-gen
• ISR 4000: Up to 6 Gbps; Modular; Performance flexibility; Integrated service containers; Compute with UCS E
• ASR 1000: 2.5-200Gbps; High-performance w/hardware service assist; Hardware & software redundancy

DNA Licenses Offering
Enterprise Agreement (EA) eligible

• DNA Essentials – single SKU, 3/5 year subscription: Centralized WAN management with basic security and hybrid WAN connectivity
• DNA Advantage – single SKU, 3/5 year subscription (includes DNA Essentials): SD-WAN with advanced security, segmentation and optimization for cloud connectivity
• DNA Premier – single SKU, 3/5 year subscription (includes DNA Advantage and DNA Essentials; adds WAN Optimization and Analytics): Network and application assurance using real-time analytics and WAN optimization

Questions

