TRANSCRIPT
July 16th 2019
Cisco SD-WAN Cloud onRamp for CoLocation
Cisco Community
Expert series Webcast
Aaron Rohyans CCIE #21945
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
News & Upcoming Events
Ask the Expert following the Webcast
Now through Friday July 19th 2019
http://bit.ly/ask-sdwan-cloud
With Aaron Rohyans, Technical Marketing Engineer, CCIE #21945
Spanish Cisco Community – Content contest
Publish Spanish Technical Content & win prizes!
http://bit.ly/concurso-sp-19
Until Friday July 26th 2019
Become an event Top Contributor!
Participate in Live Interactive Technical Events and much more
http://bit.ly/EventTopContributors
Rate content at the Cisco Community
Rate documents, Videos & blogs!
Help us to recognize the quality content in the community
Encourage and acknowledge people who generously share their time and expertise
Cisco Community Expert
Aaron Rohyans, Technical Marketing Engineer, CCIE #21945
Question Manager
Palak Desai, Sr. Product Manager
Download Today’s Presentation
http://bit.ly/webcastslides-july16-2019
Thank You For Joining Us Today!
Use the Q&A panel to submit your questions and the panel of experts will respond.
All questions will be answered in due course.
Submit Your Questions Now!
Please take a moment to complete the survey at the end of the webcast
Please make sure you follow the presentation on the correct screen
New Webex!
Aaron Rohyans, Technical Marketing Engineer, Cloud onRamp for CoLo / [email protected]
Solution Technical Briefing
Cisco Cloud onRamp for CoLocation
Agenda
Key Takeaways
Introduction and Key Concepts
Components and Architecture
Deployment Options and Use Cases
Introduction and Key Concepts
It’s a multicloud world
Source: IDC CloudView, April, 2017, n=8,293 worldwide respondents, weighted by country, company size and industry
Among cloud users:
• 85% evaluating or using public cloud
• 87% have taken steps towards a hybrid cloud strategy
• 94% plan to use multiple clouds
The Challenges of Distributed Environments
• Complex Routing Policy
• Distributed Internet access
• Efficient IaaS, SaaS and Data Center access
• Scalability
• Distributed Security Policy
• Application SLAs
Figure: SaaS, Extranet and Data Center reached by Remote Users and the SD-WAN Fabric
The WAN of Yesterday, Today and Tomorrow
Figure: three stages of WAN access to SaaS, IaaS, Extranet and the Data Center
• Backhauled Access (through the Data Center)
• Distributed Access: Secure SD-WAN at the Branch
• Regional Access: Cisco SD-WAN Cloud onRamp for CoLocation (Cloud onRamp for CoLo)
Cisco SD-WAN Cloud onRamp for CoLocation: Securely Connecting Users and Application Providers
Figure: Customers, Employees, Partners, AnyConnect remote users and Branch sites connect through the Colocation/DC to SaaS, IaaS and the Private Data Center
Turn-key orchestration and automation of enterprise WAN Service-Chains!
Security
Central policy enforcement
Agility & Performance
Rapid provisioning, change control and scale-out architecture via NFV fabric. Speed of software with the performance of hardware.
Cost Savings
Lower OpEx and CapEx through NFV. Reduce circuit costs and number of circuits.
Service Chaining
Regionalized Service Chaining
DDOS Mitigation | Malware/Virus Containment | Security Policy Compliance
Figure: Branch, Campus and Small Office/Home Office sites reach the Regional Secure Perimeter (Cloud onRamp for CoLo) over 4G, MPLS and INET transports, with the Data Centers behind it
Cloud onRamp for CoLo
What problem does it solve?
Figure: Legacy WAN (MPLS), SD-WAN Fabric and Remote Access Users connect through the Colo to the Private Data Center, SaaS, IaaS, Internet and Extranet
For SDWAN
• Easier Migration(s)
• Remote Access VPN integration
• Optimized Cloud/DC Access
• Optimized Extranet Access
For Legacy WAN
• Remote Access VPN integration
• Optimized Cloud/DC Access
• Optimized Internet Access
• Optimized Extranet Access
For Remote Access Users
• Optimized Cloud Access
• Anchor for IaaS, Extranet and optimized access to Private DC(s)
• Optimized Extranet Access
Polling Question 1
Do you utilize Carrier Neutral Facilities (Colocations) in your organization currently?
A. No, and I have no future plans to implement them
B. No, but I’m interested to understand the benefits of a colocation
C. Yes, I utilize one or more colocation facilities
D. I’m not sure what a CNF/Colocation is
Components and Architecture
Note: vManage/vBond provide orchestration for the Cisco SD-WAN Cloud onRamp for CoLocation solution and are required elements even if the customer is not running Viptela SD-WAN
Architecture
Figure: Cisco vManage/vBond manage the Regional Colo/DC over Netconf; the cluster consists of Cisco CSP5444 #1 and #2 plus two Cisco C9500-40 switches attached to the WAN Fabric
Cloud onRamp for CoLo Cluster ID: 1; Service Group: SDWAN, Firewall, Load-Balancer
Policy: Set Next-Hop US Colo; Application: Sites 1-5, VRF 10
Cluster Physical Components
Cisco Cloud onRamp for CoLo Cluster
• Managed via vManage
• Requires vManage v18.4+
• Acts as a pool of resources from which service-chains are created
• Provides the anchor between all Transports/SPs, Clouds, etc.
Cisco Catalyst 9500-40 Switches (Quantity: 2)
• Must run IOS-XE v16.9.1 with Network Advantage or greater
• Provide multi-gigabit backplane switching to VNFs, inbound/outbound WAN connectivity and access to Colo management networks
• Operate as one virtual switch (VSS)
• Highly redundant
• Configured via PnP through Colo-Configuration Manager (CCM) on Day0
Cisco CSP 5444 Platform (Quantity: 2)
• 44 CPU cores, 192GB of RAM, 4.8TB onboard storage and 8 NICs (10 Gbps) per chassis
• Runs NFVIS with vDaemon Day0 (Zero Touch Provisioning)
• Must run Cisco NFVIS v3.9.1a or greater
• Runs Colo-Configuration Manager (spawned via vManage after Zero Touch Provisioning)
• Hosts VNF Service Chains (Service Groups) instantiated within vManage
CSP5444 Overview
Hardware Overview
• Two Intel Xeon Gold 6152 @ 2.1 GHz (48 Cores)
• 192GB DDR4 RAM (2666 MHz)
• Eight 1.2TB disks (RAID10, 4.4TB usable)
• Two onboard Intel (Niantic) 10 Gbps ports (Management)
• Two, two-port PCIe Intel (Niantic) 10 Gbps cards (SR-IOV)
• One, four-port PCIe Intel Fortville 10 Gbps card (OVS)
Software Overview
NFVIS v3.11.1 | CCM | vDaemon | Ecosystem Partners (Palo Alto, Fortinet, Avi, etc.)
Colo-Configuration Manager (CCM)
Figure: two CSP 5444 chassis (each running NFVIS, confD, vDaemon, PnP and VMLC) and two C9500 switches (PnP, confD) attached to an OOB Management Switch with a DHCP & DNS Server; the Colo-Configuration Manager (confD, vDaemon, Bootstrap, Placement, Switch Manager) runs on a CSP
• Operates on CSP(s)
• Instantiated automatically via vManage on Day0 after the initial Zero Touch Provisioning process
• Only one active CCM per Cloud onRamp for CoLo cluster (the chassis with the lowest serial # is the active CCM, by default)
• Headless (no GUI); no interaction necessary from the customer
• C9500s undergoing PnP will find/register to the CCM (using DHCP Option 43) for Day 0 configuration
Cabling
Figure: CSP 5444 #1 and #2 with C9500-40 #1 and #2. The two C9500s are joined by a StackWise Virtual Switch Link (Port-channel) with StackWise Dual-Active-Detection; each CSP connects to the switches over the OVS Data Port-Channel, the OVS HA Port-Channel and SR-IOV ports 1 and 2; switch ports 39 and 40 are the WAN/Transport Uplinks; CIMC Management and NFVIS Management connect to the Management Switch
Back Panel
• Slot 2, Ports 3-4 (Fortville): OVS HA Port-Channel (VNF Dedicated Control/HA Plane)
• Slot 2, Ports 1-2 (Fortville): OVS Data Port-Channel (VNF Dedicated Data Plane)
• Slot 1, Ports 1-2 (Niantic): SR-IOV (VNF Data/Control Plane)
• Slot 4, Ports 1-2 (Niantic): SR-IOV (VNF Data/Control Plane)
• Integrated: CSP Management (CIMC)
• Integrated: NFVIS Management Port-Channel
Day0 Provisioning of CSPs
• CSPs and C9500s allocated to the customer Smart Account/Virtual Account on http://software.cisco.com
• Plug and Play (PnP) Controller Profile (vBond) created under the customer Virtual Account
• CSPs associated to the newly built Controller Profile
• CSPs and C9Ks cabled and booted (next slide)
Day0 Provisioning of CSPs (Cont’d.)
• CSPs boot up and obtain IP Address/DNS from the Management subnet
• Smart Account sync’d with vManage
• Cloud-Init information (which includes a one-time password [OTP] generated from vManage) installed within NFVIS by the administrator: request activate chassis-number X token Y
• PnP Agent attempts to contact devicehelper.cisco.com (HTTP/XMPP)
• PnP service redirects the CSP to the vBond identified in the Controller Profile
• CSP disconnects from the PnP service and establishes a DTLS connection to vBond via vDaemon
• vBond authenticates the CSP (serial #, SUDI certificate, OTP) and shares vManage information
• CSP disconnects from vBond and establishes a DTLS connection to vManage
• vManage installs an identity certificate on the CSP (NFVIS) for further authentication purposes
• CCM is instantiated on a cluster CSP via vManage NetConf; the CCM IP Address (obtained via DHCP) is recorded within vManage
• Administrator sets a DHCP reservation for the CCM and configures the reserved IP as DHCP Option 43 within the colo DHCP server
Day0 Provisioning of CSPs (Cont’d.)
• C9Ks boot and obtain IP Address as well as Option 43 information from the DHCP server
• Switches register to the active CCM
• Cloud onRamp for CoLo cluster is ready for configuration via vManage
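The DHCP Option 43 step is where the C9500s learn which host hands them their Day 0 configuration, so the value the colo DHCP server serves has to name exactly the address reserved for the active CCM; anything else sends the switches to a different PnP server. The Python below is an added example, not code from the deck or from Cisco. It assumes the switches' PnP agent reads the Cisco Network Plug and Play Option 43 ASCII format ("5A1N;B2;K4;I<server-ip>;J<port>"), which is the usual PnP format but is not spelled out on the slide, and the CCM address 10.20.30.40 is a constructed placeholder.

```python
"""Build, parse and audit a PnP-style DHCP Option 43 value for CCM discovery.

Assumption (not stated on the slide): the C9500 PnP agent consumes the Cisco
Network Plug and Play Option 43 ASCII format, e.g. "5A1N;B2;K4;I10.20.30.40;J80",
with the CCM's reserved address as the PnP server. Field letters follow that format.
"""
from __future__ import annotations

import ipaddress

PNP_LEAD_TOKEN = "5A1N"  # leading PnP control token of the Option 43 string


def build_pnp_option43(server_ip: str, port: int = 80, https: bool = False) -> str:
    """Compose the Option 43 value that points PnP clients at server_ip:port."""
    ip = ipaddress.IPv4Address(server_ip)  # raises ValueError on a malformed address
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    transport = "K5" if https else "K4"  # K4 = HTTP, K5 = HTTPS in the PnP format
    return f"{PNP_LEAD_TOKEN};B2;{transport};I{ip};J{port}"


def parse_pnp_option43(value: str) -> dict[str, str]:
    """Split an Option 43 string into its single-letter fields; reject malformed input."""
    tokens = value.split(";")
    if tokens[0] != PNP_LEAD_TOKEN:
        raise ValueError(f"unexpected leading token {tokens[0]!r}")
    fields: dict[str, str] = {}
    for tok in tokens[1:]:
        if len(tok) < 2:
            raise ValueError(f"field too short: {tok!r}")
        key, val = tok[0], tok[1:]
        if key in fields:
            raise ValueError(f"duplicate field {key!r}")
        fields[key] = val
    return fields


def audit_option43(value: str, reserved_ccm_ip: str) -> list[str]:
    """Return findings (empty list = OK) for an Option 43 value versus the CCM reservation.

    The control that matters: the server address handed to the switches must be the
    address reserved for the active CCM, otherwise Day 0 configuration is fetched from
    whatever host the option names.
    """
    expected = ipaddress.IPv4Address(reserved_ccm_ip)
    try:
        fields = parse_pnp_option43(value)
    except ValueError as exc:
        return [f"unparseable Option 43: {exc}"]
    findings: list[str] = []
    if fields.get("B") != "2":
        findings.append(f"B field is {fields.get('B')!r}, expected '2' (IPv4 server address)")
    if fields.get("K") not in ("4", "5"):
        findings.append(f"K field is {fields.get('K')!r}, expected '4' (HTTP) or '5' (HTTPS)")
    server = fields.get("I")
    if server is None:
        findings.append("no I field: Option 43 names no PnP server")
    else:
        try:
            if ipaddress.IPv4Address(server) != expected:
                findings.append(
                    f"PnP server {server} does not match reserved CCM address {expected}"
                )
        except ValueError:
            findings.append(f"I field {server!r} is not a valid IPv4 address")
    port = fields.get("J", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(f"J field {port!r} is not a valid port")
    return findings


if __name__ == "__main__":
    CCM_IP = "10.20.30.40"  # constructed: the address the administrator reserved for the CCM
    good = build_pnp_option43(CCM_IP)
    print(good, "->", audit_option43(good, CCM_IP))
    # Constructed mistake: reservation and Option 43 drifted apart by one address
    print(audit_option43("5A1N;B2;K4;I10.20.30.41;J80", CCM_IP))
```

Run the audit against the value actually configured on the colo DHCP server whenever the CCM reservation changes; a non-empty finding list means the switches will register somewhere other than the active CCM.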
Simplified Packet Walkthrough
Figure: Regional Colo/DC with Cisco CSP5444 #1 and #2 and two Cisco C9500-40 switches, reached over MPLS, L3 VPN and SDWAN transports
PACKET: Source: Sally; Destination: Internet; Policy: Firewall
• User initiates traffic that matches configured policy
• WAN Routing Policy dictates that Internet traffic from ‘Source: Sally’ must have its L3 next-hop set to the Regional Colocation
• Packet switched/routed to WAN CPE
• Packet is routed to the WAN CPE IP Address of the Colo
• Packet enters switch where an L2 lookup is performed for the WAN CPE IP. Packet is forwarded to the VNF’s assigned input VLAN
• Packet is processed by the Service Chain
• Trailing VNF processes the packet and forwards it to its default gateway on the assigned output VLAN
VNF Packet Walkthrough
Figure: Port-Channel(s) for WAN Input/Output feed the Virtual Switch (SR-IOV or OVS); VNF-1, VNF-2 and VNF-3 are chained across VLAN A, VLAN B, VLAN B and VLAN C, with auto-assigned user input and user output VLANs
PACKET: Source: Sally; Destination: Internet; Policy: Firewall
• Packet/frame delivered to C9500 from WAN on VNF-1 input VLAN (’A’ in figure)
• Packet is processed by VNF-1 and delivered to output VLAN (‘B’ in figure), where it is routed to input VLAN (B) of VNF-2
• Packet is processed by VNF-2 and delivered to output VLAN (C) to be routed to its original destination
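Both packet walkthroughs come down to VLAN plumbing: the WAN routing policy decides which flows are steered to the regional colo at all, and the C9500 routes each VNF's output VLAN into the next VNF's input VLAN, which is what keeps a firewall in the chain from being skipped. The Python below is an added example (not code from the deck, from Cisco or from any VNF vendor) that models that chain, validates the wiring so that no VNF can be bypassed or fed from the wrong side, and carries the "Sally to Internet, policy Firewall" packet through it. The VNF names, VLAN letters, sample policy and the blocked destination are all constructed.

```python
"""Model of a Cloud onRamp for CoLo VNF service chain as VLAN hops (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Packet:
    src: str
    dst: str
    next_hop: Optional[str] = None        # set by the WAN routing policy
    vlan: Optional[str] = None            # VLAN the frame is currently on
    trail: list[str] = field(default_factory=list)


@dataclass
class VNF:
    name: str
    input_vlan: str
    output_vlan: str
    process: Callable[[Packet], bool]     # True = forward, False = drop


def apply_wan_policy(pkt: Packet, policy: list[tuple[str, str, str]]) -> Optional[str]:
    """First (source, destination, next_hop) rule matching the packet wins, like the
    'Source: Sally -> Internet => next-hop Regional Colocation' rule on the slide."""
    for src, dst, next_hop in policy:
        if pkt.src == src and pkt.dst == dst:
            pkt.next_hop = next_hop
            pkt.trail.append(f"policy: next-hop {next_hop}")
            return next_hop
    return None  # no match: the flow stays on its normal WAN path


def validate_chain(chain: list[VNF], wan_in: str, wan_out: str) -> list[str]:
    """Check the VLAN wiring: WAN feeds the first VNF, each output feeds the next input,
    the last output reaches the WAN, and no output jumps past an intermediate VNF."""
    if not chain:
        return ["empty service chain"]
    findings: list[str] = []
    if chain[0].input_vlan != wan_in:
        findings.append(f"{chain[0].name} input {chain[0].input_vlan} != WAN input VLAN {wan_in}")
    for here, nxt in zip(chain, chain[1:]):
        if here.output_vlan != nxt.input_vlan:
            findings.append(
                f"{here.name} output {here.output_vlan} does not feed {nxt.name} input {nxt.input_vlan}"
            )
    if chain[-1].output_vlan != wan_out:
        findings.append(f"{chain[-1].name} output {chain[-1].output_vlan} != WAN output VLAN {wan_out}")
    for i, here in enumerate(chain):           # output equal to a non-adjacent input = bypass
        for later in chain[i + 2:]:
            if here.output_vlan == later.input_vlan:
                findings.append(f"{here.name} output {here.output_vlan} bypasses into {later.name}")
    return findings


def walk_chain(chain: list[VNF], pkt: Packet, wan_in: str) -> Optional[list[str]]:
    """Carry the packet hop by hop; returns the trail, or None if a VNF dropped it."""
    pkt.vlan = wan_in
    for vnf in chain:
        if pkt.vlan != vnf.input_vlan:
            raise RuntimeError(f"frame on VLAN {pkt.vlan} cannot reach {vnf.name} (input {vnf.input_vlan})")
        pkt.trail.append(f"{vnf.name} in {pkt.vlan}")
        if not vnf.process(pkt):
            pkt.trail.append(f"dropped by {vnf.name}")
            return None
        pkt.vlan = vnf.output_vlan
        pkt.trail.append(f"{vnf.name} out {pkt.vlan}")
    return pkt.trail


def firewall(pkt: Packet) -> bool:
    """Constructed firewall policy: block one destination, permit everything else."""
    return pkt.dst != "blocked.example"


# Constructed chains: the good one mirrors the slide (VNF-1 A->B, VNF-2 B->C); in the
# bad one the firewall's output VLAN is C, so the router would be skipped.
GOOD_CHAIN = [VNF("Firewall", "A", "B", firewall), VNF("Router", "B", "C", lambda p: True)]
BAD_CHAIN = [VNF("Firewall", "A", "C", firewall), VNF("Router", "B", "C", lambda p: True)]
WAN_POLICY = [("Sally", "Internet", "Regional Colo")]   # constructed policy table


def demo() -> Optional[list[str]]:
    """Sally -> Internet: policy-matched, steered to the colo, walked through GOOD_CHAIN."""
    pkt = Packet("Sally", "Internet")
    if apply_wan_policy(pkt, WAN_POLICY) is None:
        return None
    return walk_chain(GOOD_CHAIN, pkt, wan_in="A")


if __name__ == "__main__":
    print("wiring findings (good):", validate_chain(GOOD_CHAIN, "A", "C"))
    print("wiring findings (bad): ", validate_chain(BAD_CHAIN, "A", "C"))
    print("trail:", demo())
```

The validator is the part worth keeping: run it against the input/output VLANs vManage auto-assigns to a service group, and any finding means a packet can reach the WAN without traversing every VNF in the chain.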
Polling Question 2
Are you familiar with Virtualized Network Functions (VNF)?
A. No, never heard of it
B. Yes, I’ve heard of it (or know a little about it), but do not currently use this technology
C. Yes, I am currently using VNF technology in my organization
Deployment Options and Use-Cases
Cloud onRamp for CoLo
Tested Deployment Options: FW in L3 mode
Figure: WAN to FW
Supported Vendors: Palo Alto; Cisco (ASAv, FTDv)
Supported Modes: L3 Non-HA; L3 HA
Cloud onRamp for CoLo
Tested Deployment Options (Cont’d.): FW and Router in L3 mode with sub-interfaces (trunked)
Figure: WAN to FW to RTR
Supported FW Vendors: Palo Alto; Cisco (ASAv, FTDv)
Supported FW Modes: L3 (Trunked) Non-HA; L3 (Trunked) HA
Supported RTR Vendors: Cisco (CSR, vEdge)
Supported RTR Modes: L3 (Trunked) Non-HA; L3 (Trunked) HA
VLAN 1 is required. All other VLANs are optional
Cloud onRamp for CoLo
Tested Deployment Options (Cont’d.): FW and Router in L3 mode (non-trunked)
Figure: WAN to FW to RTR
Supported FW Vendors: Palo Alto; Cisco (ASAv, FTDv)
Supported FW Modes: L3 Non-HA; L3 HA
Supported RTR Vendors: Cisco (CSR, vEdge)
Supported RTR Modes: L3 Non-HA; L3 HA
Cloud onRamp for CoLo
Tested Deployment Options (Cont’d.): vEdge in L3 mode, FW in L2 or L3 mode and Router in L3 mode
vEdge must be managed by vManage
Figure: WAN to vEdge to FW to RTR
Supported FW Vendors: Palo Alto; Cisco (ASAv, FTDv)
Supported FW Modes: L2 (Transparent) Non-HA; L2 (Transparent) HA; L3 Non-HA; L3 HA
Supported RTR Vendors: Cisco (CSR, vEdge)
Supported RTR Modes: L3 Non-HA; L3 HA
Cloud onRamp for CoLo
Internet Edge: Outbound Internet, eCommerce, SaaS
Figure: chain from WAN through Switch (C9500), ASAv and CSR1Kv (Upstream BGP Config) to Switch (C9500) and Internet; Input VLANs A and B, Output VLANs A and B
• ASAv provides stateful firewall, L2-7 inspection and NAT
• CSR1Kv provides peering with upstream provider
Cloud onRamp for CoLo
Cloud Edge: Public Cloud Access
Figure: chain from WAN through Switch (C9500), FTDv and CSR1Kv to Switch (C9500) and Cloud Provider; Input VLANs A and B, Output VLANs B and C
• FTDv provides Next-Gen FW, Next-Gen IPS, Threat Intelligence, Anti-Malware and NAT
• CSR1Kv provides peering with upstream provider
Cloud onRamp for CoLo
Partner / Extranet: IP VPN Access
Figure: chain from WAN through Switch (C9500), FTDv and CSR1Kv to Switch (C9500) and Partner; Input VLANs A and B, Output VLANs B and C
• FTDv provides Next-Gen FW, Next-Gen IPS, Threat Intelligence, Anti-Malware and NAT
• CSR1Kv provides peering with upstream provider
Cloud onRamp for CoLo
Employee Remote Access: AnyConnect (ASAv)
Figure: Internet and WAN connected through the two Switches (C9500) with ASAv in the chain; Output VLAN A, Input VLAN B
• ASAv provides stateful firewall, L2-7 inspection, VPN and NAT
Cloud onRamp for CoLo
Employee Remote Access: AnyConnect (FTDv)
Figure: Internet and WAN connected through the two Switches (C9500) with CSR1Kv and FTDv in the chain; Output VLANs A and B, Input VLANs B and C
• FTDv provides Next-Gen FW, Next-Gen IPS, Threat Intelligence, Anti-Malware, VPN and NAT
• CSR1Kv provides peering with upstream provider
Cloud onRamp for CoLo
SD-WAN: Regionalized DC, SaaS, IaaS and Internet Access
Figure: chain from the SD-WAN Fabric through Switch (C9500), vEdge Cloud, ASAv and CSR1Kv to Switch (C9500) and Internet; Input VLANs A, B and C, Output VLANs B, C and D
• vEdge Cloud provides access to SDWAN overlay/fabric
• ASAv provides stateful firewall, L2-7 inspection and NAT
• CSR1Kv provides peering with upstream provider
Key Takeaways
Cisco Cloud onRamp for CoLo
• Cloud onRamp for CoLo is an architectural choice
• Turn-key automation of Enterprise service-chains
• Can be used to address a number of use-cases
• Built on Cloud Services Platform with NFVIS
Regionalized service-chaining provides an alternate approach to DIA/SaaS/IaaS/DC/Extranet access without compromising the benefits of SDWAN
Cisco SDWAN controllers are used for automation, management and orchestration, though Cisco SDWAN is not a requirement
• Customers hesitant to move to DIA
• Remote Access VPN integration and connectivity automation
• Security / Compliance
• Further optimized IaaS/SaaS access
Polling Question 3
Are you familiar with SD-WAN Service Chaining?
A. No, never heard about it
B. Yes, I’ve seen it, but know very little about it
C. Yes, I’ve seen it and utilize it within policy
Demo
Thank you
Submit Your Questions Now!
Use the Q&A panel to submit your questions, our expert will respond
Ask the Expert following the Webcast
Now through Friday July 19th 2019
http://bit.ly/ask-sdwan-cloud
With Aaron Rohyans, Technical Marketing Engineer, CCIE #21945
Collaborate within our Social Media
Learn About Upcoming Events
• @Cisco_Support: http://bit.ly/csc-twitter
• Cisco Community (Facebook): http://bit.ly/csc-facebook
We invite you to review our Social Media Channels
• Cisco Community (LinkedIn): http://bit.ly/csc-linked-in
• Cisco Technical Support App
• Cisco Community (YouTube): http://bit.ly/csc-youtube
Cisco has support communities in other languages! If you speak Spanish, Portuguese, Japanese, Russian or Chinese we invite you to participate & collaborate
• Comunidade da Cisco (Portuguese)
• Сообщество Cisco (Russian)
• Comunidad de Cisco (Spanish)
• シスココミュニティ (Japanese)
• 思科服务支持社区 (Chinese)
• NEW: Communauté Cisco (French)
More IT Training Videos and Technical Seminars on the Cisco Learning Network
View Upcoming Sessions Schedule
https://cisco.com/go/techseminars
Thank you for participating, you earned a discount!
Redeem your 35% discount offer by entering code: CSC when checking out.
http://bit.ly/Community-CiscoPress2019
Cisco Press
Thank you for Your Time!
Please take a moment to complete the survey
Thanks For Joining today!