Cisco SD-WAN Technical Training - VN - 05jun19 - LamDoan
(Hands-on Experiences)
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Systems 2
Connecting Users to the Data Center was the Priority
(Figure: users in the branch/campus reach applications in the data center across the WAN; Internet access is best effort.)
Then the Way We Worked Changed
Mobile Users
Applications Moving to Not One Cloud, But Many
DC/Private Cloud
Mobile Users
IaaS
Legacy WAN Architecture
(Figure: DC1 and DC2 (DR) reach IaaS/SaaS through ISP1 and ISP2 over MPLS/FTTH.)
• Peer-to-peer control plane
• Lack of application visibility
• Complex routing protocol propagated across all DCI links (N^2 complexity)
• Localized management
• Not scalable
• Impossible to support multiple transports (MPLS/FTTH via ISP1, ISP2)
• Complex operations
• High cost: TCO to operate the network
Evolution of the WAN
(Figure: users, devices and things connect through SD-WAN and Cloud OnRamp to the DC, vDC and SaaS; DNA Center supplies intent, context, learning and security over an intent-based network infrastructure. SD-WAN use-cases marked on the figure:)
• Cloud delivered WAN with operational simplicity
• Transport independent WAN fabric
• Cloud based & on-prem
• Application QoE
• End-point flexibility: physical or virtual; rich services or lite; branch, aggregation, cloud
• Cloud delivered analytics
• Superior security architecture
Cisco Fabric Architectures
(Figure: users, devices, IoT things and SaaS are joined by the SD-WAN fabric, Cloud OnRamp and the ACI DC fabric.)
• Multitenant / cloud-delivered
• Rich analytics
• Highly automated
• End-to-end context
SD-WAN Solution Overview
Cisco SD-WAN Introductions
Cisco SD-WAN Solution
Built on Intent-based Networking for the WAN
• Transport independence: Internet, MPLS, 4G LTE
• End-point flexibility: data center, campus, branch, public cloud (physical or virtual)
• Integrated security
Cisco SD-WAN Solution
• Application policies: application visibility & SLA, traffic engineering, per-segment topologies, secure perimeter (FW/IPS/URL), cloud path, cloud acceleration, transport hub
• Delivery platform: analytics, monitoring, operations
• Transport independent fabric: routing, security, segmentation, QoS, multicast, service insertion, survivability
Deploy branches faster at lower cost
Transport independence
(Figure: branch, colocation and private cloud connected over MPLS, 3G/4G-LTE and Internet, monitored by Cisco vAnalytics.)
Simplify migration to the cloud
Application quality of experience
(Figure: small office / home office, branch, campus and data center join the secure SD-WAN fabric and reach cloud providers and cloud applications (IaaS/SaaS).)
• Secure branch-to-cloud connectivity protects data in motion
• Agile workflows simplify extending the enterprise to IaaS or SaaS
• Analytics determines the optimal path for the best application experience
Easier to deploy, manage and operate
Centralized cloud managed fabric
Cisco vManage
Reduce complexity for remote sites
Single rich services branch platform: SD-WAN, unified communications, cloud based security, application hosting, application optimization
• Easy to deploy and manage services on demand
• On-demand physical and virtual form factors
End-point flexibility
XE-SDWAN: Expanding Impact of IBN for WAN
Comprehensive threat protection
Integrated security
(Figure: VPN 1 to VPN 4 carried in IPsec tunnels from small office / home office, branch and campus over Internet, MPLS and 4G/LTE to the corporate data center, with cloud security for Internet-bound traffic.)
• Meet industry compliance with end-to-end segmentation
• Reduce attack surface with cloud and on-prem security
• Talos threat intelligence protects all users and devices
Increase security on SD-WAN with the Cisco Enterprise Firewall security features
• Enterprise Firewall: classification of 1400+ layer 7 apps
• Intrusion Protection System: the most widely deployed IPS engine in the world
• Cisco URL-Filtering: web reputation score using 82+ web categories
SD-WAN Solution Overview
Technical
Cisco SD-WAN Solution Principles
• Orchestration plane: vBond
• Management plane: vManage (management/APIs, 3rd-party automation, vAnalytics)
• Control plane: vSmart controllers
• Data plane: edge routers over MPLS, 4G and Internet at the cloud, data center, campus, branch and colo
Cisco SD-WAN Solution Principles
Network policy / forwarding:
• Configuration points, control points and enforcement points are centralized
Most comprehensive SD-WAN solution in the market
Cisco SD-WAN Edge Devices
Branch services platforms:
• ISR 1000: up to 200 Mbps; next-gen connectivity; performance flexibility
• ISR 4000: up to 6 Gbps; modular; integrated service containers; compute with UCS E
• ASR 1000: up to 20 Gbps; high performance; services with hardware assist; hardware & software redundancy
SD-WAN platforms:
• vEdge 100: up to 100 Mbps; 5 ports (WAN/LAN); 4G LTE & wireless
• vEdge 1000: up to 1 Gbps; 8 ports (WAN/LAN)
• vEdge 2000: up to 10 Gbps; modular 1/10GB ports
• vEdge 5000: up to 20 Gbps; modular 1/10GB ports
Control Plane Security
Zero-Trust Security Principles
Control elements: vBond orchestrators, vSmart controllers and vManage, hosted in a private, Viptela or managed-partner cloud; the edge router reaches them through a DTLS/TLS control tunnel, across NAT where present.
• Strong authentication
- PKI certificates, 2048-bit keys
- White-list model
- X.509 certificate held in the edge router's TPM
• Highly encrypted tunnels
- DTLS/TLS AES256
• Ubiquitous deployment
- Automatic NAT mitigation
Secure Bring-up With Approval
• Cisco generates the overlay with a unique organization name.
• Device chassis and serial numbers are added and stored in the customer portal.
• The customer imports the ".viptela" file (256-bit hash) into the controller.
• Each device is validated.
• The edge router validates the vSmart and vManage certificate organization name against the locally configured one.
(Figure: public certificates on the edge router and the controllers; the org name in the edge configuration; a permanent DTLS/TLS control tunnel once validation succeeds.)
Establish Cloud Edge Router Identity
(Figure: certificate authority, vManage, the edge router and the cloud.)
config
 system
  system-ip <system-ip>
  site-id xxx
  organization-name "org name"
  vbond xx.xx.xx.xx
Edge VPNs and Security Zoning
(Figure: trusted zone on the service side (VPNn) with interfaces and sub-interfaces; untrusted zone on the transport side (VPN0) toward MPLS and Internet; out-of-band management interface in VPN512.)
• VPNs are isolated from each other; each VPN has its own forwarding table
• Reachability within a VPN is automatically advertised by OMP
Edge VPNs and Security Zoning
(Figure: VPN 20 at two sites carried across VPN 0 over MPLS, with OMP running between each edge and the controllers.)
Centralized Encryption Key Distribution
• Each Edge advertises its local IPsec encryption keys as OMP TLOC attributes
• Symmetric encryption keys are used asymmetrically
• Encryption keys are per transport
• Keys can be rapidly rotated
(Figure: Edge-A holds local keys A1 (Transport1) and A2 (Transport2), Edge-B holds B1 and B2; each sends its local keys to the vSmart controllers in OMP updates and learns the remote keys the same way. Traffic from Edge-A to Edge-B is encrypted with key B1 on Transport1 and B2 on Transport2; traffic from Edge-B to Edge-A with A1 and A2.)
• Each Edge advertises its own AES256 IPsec encryption key in control plane updates
• IPsec encryption keys are distributed by the vSmart controllers to all Edges that are part of a given virtual topology
• IPsec encryption keys are frequently rotated (default 24h); new keys are advertised in control plane updates
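The key model on this slide, as an added example written for this page (not Cisco code): each Edge generates one AES-256-GCM key per transport, a vSmart stand-in reflects every key to every other Edge, and a sender encrypts with the receiver's advertised key, so the symmetric key is used asymmetrically. The packet layout (SPI, sequence number, GCM nonce derived from both) and the replay window are simplifications assumed for the example, not the ESP wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// TLOC is an Edge's attachment point on one transport: system-ip plus color.
type TLOC struct{ SystemIP, Color string }

// tlocKey is the security attribute carried in the OMP TLOC route: the AES-256 key
// (with its SPI) that peers must use when sending TO this TLOC.
type tlocKey struct{ SPI uint32; Key []byte }

// Edge holds its own per-transport keys and the peer keys learnt through vSmart.
type Edge struct {
	SystemIP string
	local    map[string]tlocKey // color -> key we advertise (and decrypt with)
	remote   map[TLOC]tlocKey   // peer TLOC -> key we encrypt with
	seq      uint64             // outbound ESP sequence number
	seen     map[TLOC]uint64    // highest inbound sequence accepted per peer (anti-replay)
}

// VSmart models the controller reflecting every Edge's TLOC keys to all other Edges.
type VSmart struct{ edges []*Edge }

func newKey(spi uint32) tlocKey {
	k := make([]byte, 32) // 32 bytes selects AES-256
	if _, err := rand.Read(k); err != nil { panic(err) }
	return tlocKey{spi, k}
}

// Join creates an Edge with a fresh key per transport color and redistributes all keys,
// so the newcomer also learns keys advertised before it joined.
func (v *VSmart) Join(sysIP string, colors ...string) *Edge {
	e := &Edge{SystemIP: sysIP, local: map[string]tlocKey{}, remote: map[TLOC]tlocKey{}, seen: map[TLOC]uint64{}}
	for _, c := range colors { e.local[c] = newKey(1) }
	v.edges = append(v.edges, e)
	for _, x := range v.edges { v.Advertise(x) }
	return e
}

// Advertise pushes e's TLOC keys to every other Edge, as an OMP update would.
// Rotating a key is the same operation: replace e.local[color] and call Advertise again.
func (v *VSmart) Advertise(e *Edge) {
	for c, k := range e.local {
		for _, peer := range v.edges {
			if peer != e { peer.remote[TLOC{e.SystemIP, c}] = k }
		}
	}
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	aead, _ := cipher.NewGCM(block) // only fails for non-standard block sizes
	return aead
}

// Encrypt builds an ESP-style packet for dst: SPI(4) || seq(8) || AES-GCM ciphertext+tag.
// The symmetric key is used asymmetrically: the sender encrypts with the RECEIVER's key.
func (e *Edge) Encrypt(dst TLOC, plaintext []byte) ([]byte, error) {
	k, ok := e.remote[dst]
	if !ok { return nil, fmt.Errorf("no key learnt for %v", dst) }
	e.seq++
	// the 12-byte header doubles as the GCM nonce; it never repeats under one key because seq only grows
	hdr := binary.BigEndian.AppendUint64(binary.BigEndian.AppendUint32(nil, k.SPI), e.seq)
	return gcm(k.Key).Seal(append([]byte{}, hdr...), hdr, plaintext, hdr), nil
}

// Decrypt checks a packet received on transport color from src: the SPI must match our
// current key for that transport, the sequence must advance and the GCM tag must verify.
func (e *Edge) Decrypt(src TLOC, color string, pkt []byte) ([]byte, error) {
	if len(pkt) < 12 { return nil, fmt.Errorf("short packet") }
	hdr, k := pkt[:12], e.local[color]
	spi, seq := binary.BigEndian.Uint32(hdr[:4]), binary.BigEndian.Uint64(hdr[4:])
	switch {
	case spi != k.SPI:
		return nil, fmt.Errorf("SPI %d is not our current SPI %d: stale key", spi, k.SPI)
	case seq <= e.seen[src]:
		return nil, fmt.Errorf("replayed or out-of-order sequence %d", seq)
	}
	pt, err := gcm(k.Key).Open(nil, hdr, pkt[12:], hdr)
	if err != nil { return nil, err } // tag failure: wrong key or tampered packet
	e.seen[src] = seq
	return pt, nil
}

func main() {
	ctrl := &VSmart{}
	a, b := ctrl.Join("10.1.0.1", "mpls"), ctrl.Join("10.1.0.2", "mpls")
	pkt, _ := a.Encrypt(TLOC{"10.1.0.2", "mpls"}, []byte("hello over mpls"))
	fmt.Println(b.Decrypt(TLOC{"10.1.0.1", "mpls"}, "mpls", pkt))
}
```

After a rotation the old key's SPI no longer matches, so captures made before the rekey are rejected outright rather than decrypted with a stale key.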
End to End Security
• Each Edge advertises its local IPsec encryption key to the vSmart controllers
(Figure: Site 1 and Site 2 edge routers across the transports; Site 1 holds local Key 1 and learns remote Key 2, Site 2 holds local Key 2 and learns remote Key 1; traffic toward Site 2 is encrypted with Key 2 and traffic toward Site 1 with Key 1. Control plane traffic runs over DTLS/TLS.)
• Symmetric encryption: IPsec AES256-GCM, ESPv3; AES256-CBC is used for multicast
• Traffic encryption and authentication header
• Tunnel liveliness detection (BFD)
• Anti-replay protection
• Rekey every 24 hours
DDoS Protection for Edge Routers
• Authenticated sources (vBond, vSmart, vManage over TLS/DTLS): punted to the CPU under control plane policing of 300 pps per flow and 5,000 pps in total
• Implicitly trusted sources (SD-WAN IPsec peers): packet forwarding
• Explicitly defined sources (IPsec/GRE, cloud security): packet forwarding
• Any unknown or other source: deny, except
1. Return packets matching a flow entry (DIA enabled)
2. DHCP, DNS, ICMP
* SSH, NETCONF, NTP, OSPF, BGP and STUN can be enabled manually
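The transport-side admission logic on this slide (implicit deny with the listed exceptions, plus control plane policing) as an added example written for this page; it is not the router's implementation. Flow keys, the one-second window and the service port table are assumptions made for the example.

```go
package main

import "fmt"

// Packet carries the header fields the transport-side (VPN 0) policy looks at.
type Packet struct {
	SrcIP    string
	Proto    string // "udp", "tcp", "icmp", "esp" or "ospf"
	DstPort  int
	AuthDTLS bool // arrived inside an authenticated DTLS/TLS session with vBond/vSmart/vManage
	ReturnOf bool // matches an existing outbound flow entry (DIA return traffic)
}

type Verdict string

const (
	Forward Verdict = "forward"        // data plane, never punted
	Punt    Verdict = "punt to CPU"    // control plane, subject to policing
	Drop    Verdict = "drop"           // implicit deny
	Policed Verdict = "drop (policed)" // over 300 pps for this flow or 5,000 pps in total
)

// Well-known ports for the services the slide lists; OSPF is its own IP protocol (port 0).
var services = map[string]struct {
	proto string
	port  int
}{
	"dhcp": {"udp", 67}, "dns": {"udp", 53}, "ssh": {"tcp", 22}, "netconf": {"tcp", 830},
	"ntp": {"udp", 123}, "stun": {"udp", 3478}, "bgp": {"tcp", 179}, "ospf": {"ospf", 0},
}

// Policy is one transport interface's policing state for the current one-second window.
type Policy struct {
	Enabled   map[string]bool // services the operator explicitly enabled
	PerFlow   int
	Aggregate int
	flows     map[string]int // packets punted this window, per flow key
	total     int
}

func NewPolicy(enabled ...string) *Policy {
	p := &Policy{Enabled: map[string]bool{}, PerFlow: 300, Aggregate: 5000, flows: map[string]int{}}
	for _, s := range enabled {
		p.Enabled[s] = true
	}
	return p
}

// Tick starts a new one-second policing window.
func (p *Policy) Tick() { p.flows, p.total = map[string]int{}, 0 }

func serviceOf(pkt Packet) string {
	if pkt.Proto == "icmp" {
		return "icmp"
	}
	for name, s := range services {
		if s.proto == pkt.Proto && s.port == pkt.DstPort {
			return name
		}
	}
	return ""
}

// Evaluate returns the verdict for one packet arriving on a transport interface.
func (p *Policy) Evaluate(pkt Packet) Verdict {
	if pkt.ReturnOf || pkt.Proto == "esp" {
		return Forward // established DIA flow or fabric IPsec: handled in the data plane
	}
	if pkt.AuthDTLS {
		return p.police("dtls:" + pkt.SrcIP) // authenticated controller sessions
	}
	svc := serviceOf(pkt)
	switch {
	case svc == "dhcp", svc == "dns", svc == "icmp":
		return p.police(svc + ":" + pkt.SrcIP) // always reachable, needed for bring-up and DIA
	case svc != "" && p.Enabled[svc]:
		return p.police(svc + ":" + pkt.SrcIP)
	default:
		return Drop // everything else, including ssh/netconf/ntp/ospf/bgp/stun unless enabled
	}
}

// police admits the packet to the CPU unless the per-flow or aggregate budget is spent.
func (p *Policy) police(flow string) Verdict {
	if p.flows[flow] >= p.PerFlow || p.total >= p.Aggregate {
		return Policed
	}
	p.flows[flow]++
	p.total++
	return Punt
}

func main() {
	p := NewPolicy("ssh")
	fmt.Println(p.Evaluate(Packet{SrcIP: "198.51.100.7", Proto: "tcp", DstPort: 22}))  // punt to CPU
	fmt.Println(p.Evaluate(Packet{SrcIP: "198.51.100.7", Proto: "tcp", DstPort: 830})) // drop
}
```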
DDoS Protection for Controllers
• Authenticated sources (Edge, vManage, vSmart over TLS/DTLS): punted to the CPU under control plane policing of 500 pps per flow and 10,000 pps in total
• Any unknown or other source: deny, except DHCP, DNS, ICMP, NETCONF
Note: vBond control plane policing is the same as on the Edge
Questions
Overlay Management Protocol
(OMP)
Cisco SD-WAN Terminology
• Transport side: controller or edge interface connected to the underlay/WAN network
- Always VPN 0
- Traffic typically tunneled/encrypted, unless split-tunneling is used
Data plane + local control plane: O(n) control complexity, high scale. Integrated control and data plane: O(n^2) control complexity, limited scale.
Overlay Management Protocol (OMP)
(Figure: OMP sessions between each WAN Edge and the vSmarts, and between the vSmarts themselves.)
• TCP based extensible control plane protocol
• Runs between WAN Edge routers and vSmart controllers and between the vSmart controllers
- Inside TLS/DTLS connections
• Leverages address families to advertise reachability for TLOCs, unicast/multicast destinations (statically/dynamically learnt service side routes), service routes (L4-L7), BFD up/down stats (TE node) and Cloud onRamp for SaaS probe stats (gateway)
- Uses attributes
• Distributes IPsec encryption keys, and data and app-aware policies (embedded NETCONF)
Note: WAN Edge routers need not connect to all vSmart controllers
Overlay Routing: TLOC Routes
(Figure: an Edge with MPLS and INET TLOCs sends an OMP update carrying its TLOCs; its service-side routes are connected, static and dynamic (OSPF/BGP).)
• Most prominent attributes:
- Site-ID
- System IP
- Color
- Encap-SPI
- Encap-Authentication
- Encap-Encryption
- Public IP
- Public Port
- Private IP
- Private Port
- BFD-Status
- Tag
- Preference
- Weight
Transport Locators Advertisement
• TLOCs are advertised to the vSmarts in OMP TLOC routes
• vSmarts advertise TLOCs to the Edges in OMP TLOC routes
• Edges build IPsec tunnels across the SD-WAN fabric (MPLS, INET) with the TLOCs as tunnel endpoints
• Local TLOCs: (System IP, Color, Encap, Pub IP/Port, Priv IP/Port)
Flexible data plane
Bidirectional Forwarding Detection (BFD)
Overlay Management Protocol
(Figure: Site1 to Site4, each with connected, static and dynamic (OSPF/BGP) routes, exchange them through the vSmart.)
• OMP learns and translates routing information across the overlay
- OMP routes, TLOC routes, network service routes
- Unicast and multicast address families
- IPv4 and IPv6 (future)
• Distribution of data-plane security parameters and policies
• Implementation of control (routing) and VPN membership policies
Overlay Routing: Network Service Routes
Transport Locators Colors
Color: identify an individual WAN transport tunnel by assigning it a color. The color is one of the TLOC parameters associated with the tunnel. On an Edge router, you can configure only one tunnel interface that has the color default.
Default color: default (public color)
TLOCs, Colors, Site-IDs and Carriers
• If Site-IDs are identical and colors are public: use the private information
• The carrier setting is the final influencer in deciding on private vs. public IP/port
- Use it if two endpoints are using private colors and you need the session between them to be established between their public IP/port
(Figure: an IPsec tunnel / BFD session between two edges that both use color mpls but different carriers.)
vpn 0
 interface ge0/0
  tunnel-interface
   carrier carrier2
   color mpls

vpn 0
 interface ge0/0
  tunnel-interface
   carrier carrier4
   color mpls
Transport Locators Colors
(Figure: two pairs of edges, one edge with TLOCs T1/T2 facing an edge with T3/T4.)
• T1, T3 public color; T2, T4 private color: tunnels T1–T3 and T2–T4
• T1, T3 public color; T2, T4 public color: tunnels T1–T3, T2–T4, T1–T4 and T2–T3
• Color restrict: a control plane tag used in the IPsec tunnel establishment logic; it prevents attempts to establish IPsec tunnels to TLOCs of other colors
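The pairing rules from the last three slides (public vs. private colors, same site-id, carrier, restrict) as an added example written for this page; it is not Cisco's tunnel-establishment code. The rule that a private color never pairs with a public one is taken from the slide's figure, the carrier rule from the previous slide, and the private-color list from Cisco's documented color names; the sample TLOCs and addresses are constructed.

```go
package main

import "fmt"

// TLOC carries the OMP TLOC-route attributes that drive tunnel set-up.
type TLOC struct {
	SystemIP, Color, Carrier string
	SiteID                   int
	Restrict                 bool // tunnel only with TLOCs of the same color
	PublicIP, PrivateIP      string
	PublicPort, PrivatePort  int
}

type Endpoint struct {
	IP   string
	Port int
}

// Private colors as defined by Cisco SD-WAN; every other color is public.
var privateColors = map[string]bool{"mpls": true, "metro-ethernet": true, "private1": true,
	"private2": true, "private3": true, "private4": true, "private5": true, "private6": true}

func IsPrivate(color string) bool { return privateColors[color] }

// Pair decides whether a and b attempt an IPsec tunnel / BFD session and which IP/port
// each side uses. Rules, as modelled from the slides:
//  1. restrict on either side: only same-color peers
//  2. a private color does not pair with a public one; public colors pair with all public colors
//  3. identical site-ids: private IP/port
//  4. two private colors: private IP/port if the carrier matches, otherwise public
//  5. otherwise: public IP/port
func Pair(a, b TLOC) (ok bool, ea, eb Endpoint, reason string) {
	switch {
	case a.SystemIP == b.SystemIP:
		return false, ea, eb, "same router"
	case (a.Restrict || b.Restrict) && a.Color != b.Color:
		return false, ea, eb, "color restrict"
	case IsPrivate(a.Color) != IsPrivate(b.Color):
		return false, ea, eb, "private and public colors do not pair"
	}
	if a.SiteID == b.SiteID || (IsPrivate(a.Color) && a.Carrier == b.Carrier) {
		return true, Endpoint{a.PrivateIP, a.PrivatePort}, Endpoint{b.PrivateIP, b.PrivatePort}, "private addressing"
	}
	return true, Endpoint{a.PublicIP, a.PublicPort}, Endpoint{b.PublicIP, b.PublicPort}, "public addressing"
}

// Mesh lists the sessions a set of TLOCs would attempt, one line per unordered pair.
func Mesh(tlocs []TLOC) []string {
	var out []string
	for i := range tlocs {
		for j := i + 1; j < len(tlocs); j++ {
			if ok, ea, eb, why := Pair(tlocs[i], tlocs[j]); ok {
				out = append(out, fmt.Sprintf("%s/%s %s:%d <-> %s/%s %s:%d (%s)",
					tlocs[i].SystemIP, tlocs[i].Color, ea.IP, ea.Port,
					tlocs[j].SystemIP, tlocs[j].Color, eb.IP, eb.Port, why))
			}
		}
	}
	return out
}

// slideTLOCs builds the constructed sample matching the figure: T1/T2 on one edge, T3/T4
// on another; T1 and T3 are public, T2 and T4 take the color given.
func slideTLOCs(t2t4Color string, restrictT1 bool) []TLOC {
	return []TLOC{
		{SystemIP: "10.1.0.1", SiteID: 1, Color: "biz-internet", Restrict: restrictT1, PublicIP: "198.51.100.1", PublicPort: 12346, PrivateIP: "10.10.1.1", PrivatePort: 12346},
		{SystemIP: "10.1.0.1", SiteID: 1, Color: t2t4Color, Carrier: "carrier2", PublicIP: "203.0.113.1", PublicPort: 12346, PrivateIP: "172.16.1.1", PrivatePort: 12346},
		{SystemIP: "10.1.0.2", SiteID: 2, Color: "biz-internet", PublicIP: "198.51.100.2", PublicPort: 12346, PrivateIP: "10.10.2.1", PrivatePort: 12346},
		{SystemIP: "10.1.0.2", SiteID: 2, Color: t2t4Color, Carrier: "carrier4", PublicIP: "203.0.113.2", PublicPort: 12346, PrivateIP: "172.16.2.1", PrivatePort: 12346},
	}
}

func main() {
	for _, s := range Mesh(slideTLOCs("mpls", false)) {
		fmt.Println(s) // T1<->T3 on public addresses, T2<->T4 on public addresses (carriers differ)
	}
}
```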
(Figure: controllers vbond61, vsmart66 and vsmart67; transports MPLS 100.65.0.0/16 and INET 100.64.0.0/16; routers R31 (10.3.0.31, site 3), R41 (10.4.0.41, site 4), R51 and R52 (10.5.0.51, 10.5.0.52, site 5).)
TLOC
• Transport attachment point and next hop route attribute
• Comprises "system-ip", "color" and "encap"
SYSTEM-IP
• Unique identifier per device
• Router-id for BGP, OSPF
COLOR
• Each tunnel interface is assigned a "color"
Fabric Operation
Fabric Walk-Through
(Figure: Edge1 with TLOCs T1/T2 and service-side VPN1/VPN2 subnets A and B, and Edge2 with TLOCs T3/T4 and VPN1/VPN2 subnets C and D, connected over Transport1 and Transport2 with IPsec tunnels and BFD; both exchange OMP updates with the vSmart over DTLS/TLS tunnels and receive policies from it. Service-side routes come from BGP, OSPF, connected and static.)
OMP update:
• Reachability: IP subnets, TLOCs
• Security: encryption keys
• Policy: data/app-route policies
NAT Traversal Combinations
Side A | Side B | IPsec tunnel status
Public | Public | Direct IPsec tunnel
Public | Symmetric | Direct IPsec tunnel
Symmetric | Symmetric | No direct IPsec tunnel (traffic traverses hub)
Legend on the slide: Direct IPsec tunnel / No direct IPsec tunnel (traffic traverses hub) / Mostly encountered
NAT Traversal – Dual Sided Full Cone
(Figure: vBond performs NAT detection for both edges; successful IPsec connection.)
NAT Traversal – Full Cone and Symmetric
(Figure: Edge1 (IP1/Port1) behind a full cone NAT (IP1'/Port1, filter: any source IP/port) and Edge2 (IP2/Port2) behind a symmetric NAT (IP2'/Port2, filter: only from vBond); both register with vBond and a successful IPsec connection results.)
• vBond discovers the post-NAT public IP and communicates it back to the vEdges
- STUN server
• vEdges notify vSmart of their post-NAT public IP address
• Symmetric NAT devices enforce a filter
- Only allows traffic from vBond
• The vEdge behind the symmetric NAT reaches out to the remote vEdge
- A NAT entry is created with a filter that allows the remote vEdge's return traffic
- The remote vEdge learns the new symmetric NAT source port (data plane learning)
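The three NAT combinations from the table and the exchange on this slide, as an added example written for this page (not Cisco's NAT-traversal code): a minimal full cone and symmetric NAT model, vBond as the address reflector, and the data-plane learning of the symmetric side's new source port. The addresses, port range and two-round exchange are assumptions made for the example.

```go
package main

import "fmt"

type Addr struct{ IP string; Port int }

// NAT is a minimal translator. Full cone: one external port per internal socket, reachable
// from any remote. Symmetric: a fresh external port per (internal socket, remote) pair, and
// only that remote may send back to it.
type NAT struct {
	Symmetric bool
	ExtIP     string
	nextPort  int
	bindings  map[string]Addr // binding key -> external address
	allowed   map[Addr]Addr   // external address -> sole permitted remote (symmetric only)
}

func NewNAT(extIP string, symmetric bool) *NAT {
	return &NAT{Symmetric: symmetric, ExtIP: extIP, nextPort: 40000,
		bindings: map[string]Addr{}, allowed: map[Addr]Addr{}}
}

// Outbound translates a packet from internal toward remote, creating a binding on first use.
func (n *NAT) Outbound(internal, remote Addr) Addr {
	key := fmt.Sprint(internal)
	if n.Symmetric {
		key += "->" + fmt.Sprint(remote) // a new mapping per destination
	}
	ext, ok := n.bindings[key]
	if !ok {
		ext = Addr{n.ExtIP, n.nextPort}
		n.nextPort++
		n.bindings[key] = ext
		if n.Symmetric {
			n.allowed[ext] = remote
		}
	}
	return ext
}

// Inbound reports whether a packet from remote to external address ext is let through.
func (n *NAT) Inbound(ext, remote Addr) bool {
	if !n.Symmetric {
		for _, b := range n.bindings { if b == ext { return true } }
		return false
	}
	want, ok := n.allowed[ext]
	return ok && want == remote
}

// vBond as seen from the edges (constructed example address).
var vBond = Addr{"203.0.113.10", 12346}

// Edge is a WAN Edge whose transport socket sits behind a NAT.
type Edge struct {
	Sock     Addr
	NAT      *NAT
	Public   Addr // post-NAT address vBond reflects back; advertised in the TLOC via vSmart
	PeerAddr Addr // where the Edge currently sends tunnel packets for its peer
}

func NewEdge(sock Addr, nat *NAT) *Edge {
	e := &Edge{Sock: sock, NAT: nat}
	e.Public = nat.Outbound(sock, vBond) // registering with vBond creates the first binding
	return e
}

// send delivers one tunnel packet from "from" to dst, the address it holds for "to".
// On success the receiver learns the packet's actual post-NAT source (data plane learning).
func send(from, to *Edge, dst Addr) bool {
	src := from.NAT.Outbound(from.Sock, dst)
	if !to.NAT.Inbound(dst, src) {
		return false
	}
	to.PeerAddr = src
	return true
}

// DirectTunnel plays the slide's exchange: both sides start with the advertised addresses,
// then whichever side gets a packet through teaches the other its real source port.
func DirectTunnel(a, b *Edge) bool {
	a.PeerAddr, b.PeerAddr = b.Public, a.Public
	for round := 0; round < 2; round++ {
		if send(a, b, a.PeerAddr) && send(b, a, b.PeerAddr) {
			return true
		}
		send(b, a, b.PeerAddr) // the side behind symmetric NAT reaches out
	}
	return false
}

func main() {
	a := NewEdge(Addr{"10.0.1.1", 12346}, NewNAT("192.0.2.1", false))
	b := NewEdge(Addr{"10.0.2.1", 12346}, NewNAT("192.0.2.2", true))
	fmt.Println("full cone <-> symmetric direct tunnel:", DirectTunnel(a, b), "A now sends to", a.PeerAddr)
}
```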
Questions
Zero Touch Provisioning (ZTP)
Plug-n-Play vEdge Secure Bring-up (Zero Trust)
Zero Touch Provisioning
Plug-n-Play vEdge Secure Bring-up (Zero Trust)
(Figure: the administrator and the installer; the ZTP/PnP identity/trust server, vManage, vSmart and vBond; the Edge obtains a DHCP or static IP and presents its TPM-backed identity (X.509).)
Zero Touch Provisioning – vEdge / cEdge
Assumption (factory default config):
• DHCP on transport side (WAN)
• DNS to resolve ztp.viptela.com (vEdge) or devicehelper.cisco.com (cEdge)
(Figure, steps 1 to 5 between the Edge, the ZTP/PnP server and the control and policy elements: the Edge queries ztp.viptela.com, is redirected to vManage with its initial configuration, brings up its control connections, authenticates, and completes full registration and configuration; vManage pushes the configuration and enforces the version.)
Provisioning – Cloud Edge
Assumption (factory default config):
• DHCP on transport side (WAN)
• DNS to resolve the vBond IP
(Figure, steps 1 to 5: 1. Cloud-Init; 2. deploy the VM with the NSO provisioning tool (vBranch FP); 3. initial configuration from vManage; then control connection, authentication and full registration and configuration of the Edge in the cloud.)
Automatic IP Detection (Auto IP) for vEdge
(Figure: the Edge, via the PE, reaches ZTP.VIPTELA.COM using well-known public DNS servers.)
• Google: 8.8.8.8, 8.8.4.4
• OpenDNS: 208.67.222.222, 208.67.220.220
• Level 3 public DNS server addresses: 209.244.0.3, 209.244.0.4, 4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4
ZTP Support for Static IP
#cloud-boothook
system
 personality vedge
 device-model vedge-C1111-8PLTEEA
 host-name SITE1_ISR1K
 system-ip 10.10.10.10
 site-id 501
 organization-name "CustomerXYZ - 12345"
 console-baud-rate 9600
 vbond 64.1.1.2 port 12346
!
!
!
interface GigabitEthernet0/0/0
 no shutdown
 ip address 192.168.10.10 255.255.255.0
exit
!
ip route 0.0.0.0 0.0.0.0 192.168.10.1
• Supported on SD-WAN XE only
• Useful in situations where ZTP is a requirement, but DHCP is not enabled on the CE to PE link (whether MPLS or Internet)
• Upon bootup, the SD-WAN XE router searches bootflash: or usbflash: for the filename ciscoSD-WAN.cfg
• The config file (which includes basic interface configuration, Root CA, organization name, vBond information, etc.) is fed into the PnP process
• The router continues the normal ZTP process
Templates Configuration
Device and Feature Template
Device templates Datacenter, Remote_Type_A, Remote_Type_B and Remote_Type_C are each composed of the feature templates System, Logging, NTP, AAA, OMP, BFD and Security.
Template-Based Configurations
• Templates are attached to provisioned vEdge routers
• Variables are used for rapid bulk configuration rollout with unique per-device settings
• Local configuration changes are not allowed
- Prevents configuration drift
Granular Policies
Centralized Control over Fabric Behavior
Single Pane of Glass Operations
vManage GUI
Troubleshooting and Verification
Transparent Operations
vManage Programmatic Access
REST API Documentation
/apidocs
Self Recovery
(Figure: two vEdge routers, each with active software A and available software B, C and D. Failed upgrade: 1. vManage activates a new image, 2. the upgrade fails, 3. the router rolls back. Attach template: 1. vManage attaches a template, 2. connectivity is lost, 3. the router rolls back.)
Application Quality of
Experience
Application Visibility
Deep packet inspection: over 3,000 applications
(Figure: App 1, App 2 … App 3,000 from the Site 1 and Site 2 vEdge routers over the transports and IPsec across the secure SD-WAN fabric to the cloud and data center.)
Application Performances and AAR
• By default, without any local or centralized data policies, Cisco SD-WAN performs flow-based load sharing across all transports available between the vEdge routers
• With policies: App Aware Routing policy
- Enforce an SLA-compliant path for applications of interest, e.g. an App A path must have latency <150ms and loss <2%
- Other applications follow active/active behavior across all paths
(Figure: two vEdge routers with Path 1, Path 2 and Path 3 over INET and MPLS; the vSmart controllers distribute the policy.)
Path1: 10ms, 0% loss, 2ms jitter
Path2: 200ms, 3% loss, 5ms jitter
Path3: 140ms, 1% loss, 3ms jitter
Optimal throughput
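The path selection described on this slide, as an added example written for this page (not Cisco's AAR implementation): the three measured paths, App A's SLA class, per-session load sharing over the compliant paths, and active/active across all paths for everything else. Strict thresholds, the flow hash and the fall-back to all paths when nothing complies are assumptions made for the example.

```go
package main

import (
	"fmt"
	"hash/fnv"
)

// Path is one tunnel between two vEdges with the metrics BFD probing reports.
type Path struct {
	Name                         string
	LatencyMs, LossPct, JitterMs float64
}

// SLA is an App-Aware Routing SLA class; a zero threshold means "not constrained".
type SLA struct{ MaxLatencyMs, MaxLossPct, MaxJitterMs float64 }

// Meets applies the slide's strict thresholds (latency <150ms, loss <2% for App A).
func (s SLA) Meets(p Path) bool {
	return (s.MaxLatencyMs == 0 || p.LatencyMs < s.MaxLatencyMs) &&
		(s.MaxLossPct == 0 || p.LossPct < s.MaxLossPct) &&
		(s.MaxJitterMs == 0 || p.JitterMs < s.MaxJitterMs)
}

// Compliant returns the paths that satisfy the SLA, preserving their order.
func Compliant(paths []Path, sla SLA) []Path {
	var out []Path
	for _, p := range paths {
		if sla.Meets(p) {
			out = append(out, p)
		}
	}
	return out
}

// Flow is the 5-tuple that per-session load sharing hashes on.
type Flow struct {
	Src, Dst, Proto  string
	SrcPort, DstPort int
}

// Select picks the path for a flow. With no SLA every path is a candidate (active/active
// across all transports); with an SLA only compliant paths are. If no path complies the
// flow falls back to all paths (assumption: the policy defines no preferred-color fallback).
func Select(paths []Path, sla SLA, f Flow) Path {
	cands := Compliant(paths, sla)
	if len(cands) == 0 {
		cands = paths
	}
	h := fnv.New32a()
	fmt.Fprintf(h, "%s|%s|%s|%d|%d", f.Src, f.Dst, f.Proto, f.SrcPort, f.DstPort)
	return cands[int(h.Sum32()%uint32(len(cands)))]
}

// Measurements from the slide and App A's SLA class.
var (
	SlidePaths = []Path{{"Path1", 10, 0, 2}, {"Path2", 200, 3, 5}, {"Path3", 140, 1, 3}}
	AppASLA    = SLA{MaxLatencyMs: 150, MaxLossPct: 2}
)

func main() {
	for _, p := range Compliant(SlidePaths, AppASLA) {
		fmt.Println("SLA-compliant for App A:", p.Name) // Path1, Path3
	}
	f := Flow{"10.1.1.20", "10.2.1.40", "tcp", 51000, 443} // constructed flow
	fmt.Println("App A flow ->", Select(SlidePaths, AppASLA, f).Name)
	fmt.Println("other flow ->", Select(SlidePaths, SLA{}, f).Name)
}
```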
Application Security and Service Insertion
Conformance and compliance
• Single-touch centralized security policy, distributed by the vSmart controllers
- Access control list
- Application firewalling
(Figure: ACLs applied on the vEdges to application traffic across the transports; data traffic steered through network service nodes.)
Control Plane
Optimal Secure Cloud Application Experience
Balanced approach between cost and user experience
• Geographically regionalized secure cloud application access through a regional DC/colo firewall
• Local secure cloud application access directly to the Internet
(Figure: vEdges receive policies from the vSmart controllers; transports, regional DC/colo and cloud applications.)
Common Data Plane Communication
• Per-session load sharing: active/active
• Per-session weighted: active/active
• Application pinning: active/standby
• Application aware routing: SLA compliant
Cisco SD-WAN vAnalytics
How Cisco does it:
• Baseline / trending
• Anomaly detection
• Comparisons
• Cause and effect
• Capacity planning
(Figure: vAnalytics reporting carrier performance, app performance, tunnel performance, app bandwidth and anomalies; caption fragment: "Increasing bandwidth could take up to".)
Application Forecasting
Circuit Forecasting
Cloud onRamp for SaaS / IaaS
Shifts in Enterprise Workloads
(Figure: data center, campus, branch and remote sites join the SD-WAN fabric over ISP1, ISP2 and MPLS; workloads move to IaaS and SaaS in the cloud.)
• One virtual WAN Edge router per VPC/VNET
- No multicast support, can't form VRRP
- No router redundancy
• Virtual WAN Edge routers join the fabric; all fabric services are extended to the IaaS instances, e.g. multipathing, segmentation and QoS
- For multipathing, can combine AWS Direct Connect or Azure ExpressRoute with direct internet connectivity
Cloud onRamp for IaaS - AWS
(Figure: within an AWS region, a gateway VPC with two WAN Edges (AZ1, AZ2) attached to INET and MPLS; host VPCs connect through their VGW over standard IPsec + BGP, with BGP redistributed into OMP; optional Direct Connect; provisioned from vManage.)
• VGW for host VPCs
• Gateway VPC per region
- Multiple for scale
• Standards based IPsec
- Connectivity redundancy
• BGP across IPsec tunnels for route advertisement
- Active/active forwarding
- BGP into OMP redistribution
- Advertise default route to host VPCs
• Optional Direct Connect
Cloud onRamp for IaaS - Azure
(Figure: within an Azure region, a gateway VNET with two WAN Edges (AS1, AS2) attached to INET and MPLS; host VNETs connect through their VPN GW over standard IPsec + BGP, with BGP redistributed into OMP; optional Express Route; provisioned from vManage.)
• VPN GW for host VNETs
• VNET gateway per region
- Multiple for scale
• Standards based IPsec
- Connectivity redundancy
• BGP across IPsec tunnels for route advertisement
- Active/active forwarding
- BGP into OMP redistribution
- Advertise default route to host VNETs
• Optional Express Route
Cloud onRamp for IaaS Dashboard
• Centralized provisioning wizard on vManage
• No need to operate the marketplace
Questions
Direct Internet Access and
Branch Security
SD-WAN – Branch Security
• Compliance: "I need to protect my sensitive data (card holder data, patient data) against data breaches before, during and after a transaction."
• Guest Access: "I need to protect my company against liability and prevent guest users from disrupting my network when browsing the internet via guest wi-fi."
• Direct Cloud Access: "I want to reduce expenses and provide better user experience for cloud apps. If I open up my branch office to the internet I increase the attack surface and I need to protect my network."
• Direct Internet Access: "I want to leverage the local internet path for all internet traffic; I need to protect myself against potential threats coming into my network."
Platform Support & Management
• Embedded security: Enterprise FW – app aware, IPS, URL filter, Advanced Malware Protection (AMP)
• Cloud security: Umbrella
• On-site services
URL Filtering
• Requests for "risky" domains
• Customizable end-user notifications
• White/black lists of custom URLs
App-aware Firewall
• Application visibility and granular
(Figure: Service-VPN 1 and Service-VPN 2 toward the Internet and SaaS.)
Roadmap
• Advanced Malware Protection (AMP): 1HCY19
- AMP
- ThreatGrid
Cisco Umbrella
DNS-layer enforcement
(Figure: safe requests are answered; blocked requests are stopped by Cisco Umbrella.)
• Leading security efficacy for malware, phishing and unacceptable requests by blocking based on DNS requests
• Supports DNScrypt
Manage and Monitor by vManage
Security Profiles
Customer Persona Security Profile Platform requirements
End to End Segmentation
• Isolated virtual private networks across any transport
• VPN mapping is based on physical interface, 802.1Q VLAN tag or a mix of both
(Figure: the Site 1 and Site 2 vEdge routers map interfaces, 802.1q VLANs and prefixes into VPN 1, VPN 2 and VPN 3, carried in IPsec tunnels across the transports to the data center.)
Use cases:
• Security zoning
• Compliance
• Guest WiFi
• Multi-tenancy
• Extranet
Services Chaining
Single Service Insertion
(Figure: a remote office over 4G reaching a single inserted service.)
Multiple Services Chaining
(Figure: the vSmart sends the policy advertisement*; vEdges at a regional hub data center with FW and IDS in VPN1 and a remote office over 4G, connected over MPLS and INET; the control plane service advertisement is shown beside the traffic path.)
• vEdge routers with a connected L4-L7 service make a service advertisement
- Service route OMP address family
- Services VPN labels
• Services are advertised in a specific VPN
• Services can be L3 routed or L2 bridged
• Services can be singly or dually connected to the advertising vEdges
• Control or data policies are used to insert the service nodes into the matching traffic forwarding path
- Match on 6-tuple or DPI signature
- Applied on ingress/egress/service vEdge
* For data policy only. Control policy enforced on vSmart.
Questions
SD-WAN Controllers Component,
Design & Deployment
vManage, vSmart, vBond
Controller Deployment Models
• Cloud-delivered: vManage, vSmart and vBond hosted in the Cisco cloud
• On-prem: vManage, vSmart and vBond hosted in a private cloud
(Figure: the cloud-delivered controllers run as VMs or VM/containers (1, 2, 3) in the cloud network and can be exported/imported to an on-prem deployment; on-prem, the controllers sit in an edge DMZ behind the DC perimeter and core firewall, the CE connects to MPLS and INET, and the remote DC's vEdges reach them over both transports.)
On-Prem Controller
(Figure: the on-premise controller behind an L3 switch or router; the remote DC's vEdges reach it over INET and MPLS.)
How to Deploy On-Premise Controllers
Requirements On-Premise Controller
1. Production: two (2) servers (refer to the sizing guide)
2. Five (5) controllers (Server1: VM, VS1, VB1; Server2: VS2, VB2)
6. Download the image and install the control components (refer to the step-by-step guide)
7. Configure the basic configuration and settings (refer to the controller basic configuration)
8. Request the certificates and have them approved by the Cisco team (Cisco SD-WAN Champion or account team)
11. Upload the Edge licenses file (viptela_serial_file.viptela)
Document On-Prem Controller
Step-by-step bring-up of controllers:
https://docs.viptela.com/Product_Documentation/Getting_Started/04Viptela_Overlay_Network_Bringup
Firewall Ports – DTLS
vManage – IP1: UDP, Core0 - 12346, Core1 - 12446, Core2 - 12546
vBond – IP1: UDP
vSmart – IP1: UDP, Core0 - 12346
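As an added example (not code from the Cisco deck), the following Python builds the UDP allowlist a DC perimeter firewall needs in front of on-prem controllers, using the per-core pattern the slide shows (12346 for Core0, then +100 per core: 12446, 12546), and audits constructed flow records against it. The controller IPs, the flow records, the three vManage cores and the vSmart/vBond core counts are assumptions.

```python
"""Build a UDP/DTLS allowlist for on-prem SD-WAN controllers and audit flows against it.
Added example, not Cisco code. The per-core listener pattern (12346 + 100 * core) is
taken from the ports on the slide; controller IPs and core counts are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address

DTLS_BASE_PORT = 12346   # Core0 listener shown on the slide for vManage and vSmart
DTLS_CORE_STEP = 100     # Core1 -> 12446, Core2 -> 12546 (from the slide)


def dtls_ports(cores: int) -> list:
    """UDP ports a multi-core controller listens on for DTLS control connections."""
    if cores < 1:
        raise ValueError("a controller has at least one core")
    return [DTLS_BASE_PORT + DTLS_CORE_STEP * core for core in range(cores)]


@dataclass(frozen=True)
class Rule:
    dst_ip: str
    proto: str
    dst_port: int


def controller_allowlist(controllers: dict) -> list:
    """controllers maps role -> (IP, core count). One rule per listener port."""
    rules = []
    for _role, (ip, cores) in controllers.items():
        ip_address(ip)  # reject malformed addresses early
        for port in dtls_ports(cores):
            rules.append(Rule(ip, "udp", port))
    return rules


def is_allowed(rules, dst_ip: str, proto: str, dst_port: int) -> bool:
    return any(r.dst_ip == dst_ip and r.proto == proto and r.dst_port == dst_port
               for r in rules)


def audit_flows(log: str, rules) -> dict:
    """Split flow records ("src dst proto dport") into allowed and denied lists."""
    result = {"allowed": [], "denied": []}
    for line in log.splitlines():
        src, dst, proto, port = line.split()
        key = "allowed" if is_allowed(rules, dst, proto, int(port)) else "denied"
        result[key].append(line)
    return result


def nft_rules(rules) -> list:
    """Render the allowlist as nftables rule lines, one per listener."""
    return [f"ip daddr {r.dst_ip} {r.proto} dport {r.dst_port} accept" for r in rules]


# Constructed inventory (assumption): vManage with 3 cores as on the slide, vSmart and
# vBond modelled with a single core each.
CONTROLLERS = {
    "vManage": ("192.0.2.10", 3),
    "vSmart": ("192.0.2.20", 1),
    "vBond": ("192.0.2.30", 1),
}
RULES = controller_allowlist(CONTROLLERS)

# Constructed flow records as a firewall would log them: src dst proto dport.
SAMPLE_FLOWS = """198.51.100.5 192.0.2.10 udp 12346
198.51.100.5 192.0.2.10 udp 12546
198.51.100.5 192.0.2.10 udp 12646
198.51.100.5 192.0.2.30 udp 12346
198.51.100.5 192.0.2.20 tcp 22"""

if __name__ == "__main__":
    for line in nft_rules(RULES):
        print(line)
    print(audit_flows(SAMPLE_FLOWS, RULES))
```

The audit flags the flow to UDP 12646 (what Core3 would use) as denied because the constructed inventory allowlists only three vManage cores: an allowlist sized below the controller's real core count silently breaks the control connections that hash to the higher cores, so the rule count should follow the deployed core count, not the example on a slide.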
High Availability & Redundancy
Control Redundancy - vManage
Figure: vManage Cluster (Management Plane) and Data Plane across Cloud Data Center, Data Center, Campus, Branch, Small Office and Home Office sites over MPLS, INET and 3G/4G.
vManage servers form a cluster for redundancy and high availability
- All servers in the cluster act as active/active nodes
- All members of the cluster must be in the same DC / metro area
If all vSmart controllers fail or become unreachable, vEdge routers will continue operating on a last known good state for a configurable amount of time (GR timer)
- No updates to reachability
- No IPSec rekey
- No policy changes propagation
High Availability and Scale
Figure (reconstructed from the slide labels): vBond - 1500 connections each, up to x6; vSmart - 5400 connections* each, up to x20; vManage - 2000 devices each, up to x18. Each WAN Edge keeps 1 transient connection to vBond (hashed via DNS), 2 permanent connections to vSmart (hashed per-transport) and 1 permanent connection to vManage. X-axis: # Tunnels.
WAN Edge High Availability Scenarios
Figure: dual WAN Edges (A and B) per site. Service side: attached through a Site Router running OSPF/BGP, or directly with VRRP Grp 1 on VLAN 1 and VRRP Grp 2 on VLAN 2. Transport side: each WAN Edge connected to MPLS and Internet.
Transport Redundancy – TLOC Extension
Figure: Site Network with two WAN Edges, each extending its transport (TLOC) to the other.
TLOC Extension Configuration
Figure: VE120-A (ge0/0 2.2.15.3/24 on INT) and VE120-B (ge0/0 2.2.16.3/24 on MPLS) are cross-connected over ge0/1.1 (2.2.18.1/30 on VE120-A, 2.2.18.2/30 on VE120-B) and ge0/1.2 (2.2.18.6/30 on VE120-A, 2.2.18.5/30 on VE120-B). Advertise 2.2.18.0/30 to the MPLS, next hop 2.2.16.3.

VE120-A (INT):
vpn 0
 dns 8.8.4.4 secondary
 dns 8.8.8.8 primary
 !
 interface ge0/1
  mtu 1504
  no shutdown
 !
 interface ge0/1.2
  ip address 2.2.18.6/30
  tloc-extension ge0/0
  no shutdown
 !
 interface ge0/1.1
  ip address 2.2.18.1/30
  tunnel-interface
   encapsulation ipsec
   color mpls restricted
   ……
  no shutdown
 !
 ip route 0.0.0.0/0 2.2.15.1
 ip route 0.0.0.0/0 2.2.18.2

VE120-B (MPLS):
vpn 0
 dns 8.8.4.4 secondary
 dns 8.8.8.8 primary
 !
 interface ge0/1
  mtu 1504
  no shutdown
 !
 interface ge0/1.1
  ip address 2.2.18.2/30
  tloc-extension ge0/0
  no shutdown
 !
 interface ge0/1.2
  ip address 2.2.18.5/30
  tunnel-interface
   encapsulation ipsec
   color gold
   ……
  no shutdown
 !
 ip route 0.0.0.0/0 2.2.16.1
 ip route 0.0.0.0/0 2.2.18.6
Questions
Policy Framework
Policy Framework
Figure: vManage pushes VPN Membership (Fabric Routing + Segmentation) policy, distributed over OMP.
Cisco SD-WAN Policy Architecture
• Suite of policies to address different functional domains:
  - Data Policy: extensive policy-based routing and services
  - Control Policy: routing and services
  - App-Route Policy: app-aware SLA-based routing
• Control Policies are applied at vSmart: tailors routing information advertised to Edge endpoints
• App-Route Policies are applied at Edge: SLA-driven path selection for applications
Figure: WAN with VPN 1 and VPN 2 overlays; Data Plane Complexity is O(n^2)
¹ Assumes single WAN Edge per site
Topology – Centralized Hub and Spoke
Figure: hubs 1..M over transports T1 (MPLS) and T2 (Internet) to spokes 1, 2, 3 .. N.
• SD-WAN tunnels only between spoke WAN Edge nodes and headend WAN Edge nodes
• M tunnel scale at spoke WAN Edge
• N¹ tunnel scale at hub WAN Edge
• Doubled tunnel scale in case of dual transports
• High tunnel capacity WAN Edge at the hub
• Low tunnel capacity WAN Edge at the spoke
• Problem: overlay with a dis-contiguous data plane, and endpoints need to communicate end-to-end
App-Route Policies
Centralized Policy for enabling SLA-driven routing on Edge endpoints
• App-route policies:
  • Applied on vSmart
  • Advertised to and executed on Edge
  • Monitor SLAs for active overlay paths to direct applications along qualified paths
  • Allow the use of L3/L4 keys or DPI signatures for application identification
App-Aware Routing Policies
SLA-Driven Routing / Performance Routing
Figure: VPN 1 and VPN 2 traffic steered across the mpls, public-internet (Broadband) and lte (4G/LTE) colors according to measured SLA.
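The path-selection logic described on the two App-Route slides above, modelled in Python as an added example (not Cisco code and not the Edge's actual implementation): SLA classes with loss/latency/jitter thresholds, per-color path measurements, and policy sequences that match a flow either by DPI-derived application name or by an L4 key. The SLA values, colors, application names and flows are constructed; the fallback behaviour (preferred color first, then any qualified color, then any up path unless the sequence is strict) is how the model is written here.

```python
"""App-aware routing modelled in Python: which colors may carry a flow, given SLA
classes and measured path quality. Added example, not Cisco code; every name,
threshold and measurement below is constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SlaClass:
    name: str
    max_loss_pct: float
    max_latency_ms: float
    max_jitter_ms: float


@dataclass(frozen=True)
class PathStats:
    """Measured quality of one overlay tunnel, identified by its TLOC color."""
    color: str
    loss_pct: float
    latency_ms: float
    jitter_ms: float
    up: bool = True


@dataclass(frozen=True)
class Flow:
    """L3/L4 keys plus the DPI-derived application name; either can be matched."""
    app: str
    dst_ip: str
    dst_port: int
    proto: str = "udp"


@dataclass(frozen=True)
class Sequence:
    """One app-route sequence: match keys -> SLA class, preferred colors, strictness."""
    apps: frozenset = frozenset()       # match on DPI signature (app-list)
    dst_ports: frozenset = frozenset()  # match on L4 key
    sla: Optional[SlaClass] = None
    preferred: tuple = ()
    strict: bool = False

    def matches(self, flow: Flow) -> bool:
        return flow.app in self.apps or flow.dst_port in self.dst_ports


def meets_sla(p: PathStats, sla: SlaClass) -> bool:
    return (p.up and p.loss_pct <= sla.max_loss_pct
            and p.latency_ms <= sla.max_latency_ms
            and p.jitter_ms <= sla.max_jitter_ms)


def select_paths(paths, sla: SlaClass, preferred=(), strict=False) -> list:
    """Preferred qualified colors -> any qualified color -> (non-strict) any up path."""
    qualified = [p.color for p in paths if meets_sla(p, sla)]
    chosen = [c for c in qualified if c in preferred] or qualified
    if chosen:
        return chosen
    return [] if strict else [p.color for p in paths if p.up]


def route_flow(policy, flow: Flow, paths) -> list:
    """First matching sequence wins; unmatched flows use every up path (default action)."""
    for seq in policy:
        if seq.matches(flow):
            return select_paths(paths, seq.sla, seq.preferred, seq.strict)
    return [p.color for p in paths if p.up]


# Constructed SLA classes and policy (assumed names and thresholds).
VOICE = SlaClass("VOICE", max_loss_pct=1.0, max_latency_ms=100, max_jitter_ms=30)
BULK = SlaClass("BULK", max_loss_pct=5.0, max_latency_ms=300, max_jitter_ms=100)
POLICY = [
    Sequence(apps=frozenset({"rtp", "sip"}), sla=VOICE, preferred=("mpls",)),
    Sequence(dst_ports=frozenset({443}), sla=BULK, preferred=("public-internet",)),
]

# Constructed measurements for the three colors on the slide.
GOOD_PATHS = [
    PathStats("mpls", 0.0, 40, 5),
    PathStats("public-internet", 0.5, 120, 40),
    PathStats("lte", 2.0, 200, 60),
]
# mpls degraded (4 % loss, 180 ms) so that no color meets VOICE.
DEGRADED_PATHS = [PathStats("mpls", 4.0, 180, 35)] + GOOD_PATHS[1:]

VOICE_FLOW = Flow("rtp", "10.1.1.10", 16384)
WEB_FLOW = Flow("https", "10.2.2.20", 443, "tcp")

if __name__ == "__main__":
    print("voice, healthy:", route_flow(POLICY, VOICE_FLOW, GOOD_PATHS))
    print("web, healthy:", route_flow(POLICY, WEB_FLOW, GOOD_PATHS))
    print("voice, mpls degraded:", route_flow(POLICY, VOICE_FLOW, DEGRADED_PATHS))
```

With the healthy measurements the voice flow is pinned to mpls (the only color meeting VOICE) and the web flow takes its preferred public-internet color; once mpls degrades, the non-strict voice sequence falls back to every up path rather than black-holing the application, which is the trade-off a strict sequence removes.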
Data Policies
Policy-driven Routing and Service Enablement
• Data policies:
  • Applied on vSmart
  • Advertised to and executed on Edge
  • A Data policy acts on an entire VPN and is not interface-specific
• Data Policies are used to enable the following functions and services:
  • Application Pinning
  • NAT/DIA
  • Classification, Policing and Marking
  • and more …
• The Data Policy is a very powerful tool for any type of data plane centered traffic management
Questions
Pre-Sale Guideline
DNA Licenses Offering
Cisco SD-WAN Solution pricing
Figure: pricing components - Cloud Management (Cisco vManage*), License for Hardware (price), License for desired features (by Bandwidth).
Deployment steps
1. SD-WAN Centralized Management
Cloud Management: Cisco vManage*; On-prem Management: Cisco vManage
Deployment steps
2. SD-WAN connectivity devices at the sites
Branch virtualization: ENCS 5100, ENCS 5400; Public Cloud
DNA Licenses Offering
Questions