July 16th 2019 · Cisco SD-WAN Cloud onRamp for CoLocation · Cisco Community Expert series Webcast · Aaron Rohyans, CCIE #21945


Post on 16-Aug-2020


TRANSCRIPT

Page 1: Cisco Community · inbound/outbound WAN connectivity and access to Colo management networks • Operates as one virtual switch (VSS) • Highly redundant • Configured via PNP through

July 16th 2019

Cisco SD-WAN Cloud onRamp for CoLocation

Cisco Community

Expert series Webcast

Aaron Rohyans CCIE #21945

Page 2

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

News & Upcoming events

Page 3

Ask the Expert following the Webcast

Now through Friday July 19th 2019

http://bit.ly/ask-sdwan-cloud

With Aaron Rohyans

Aaron Rohyans, Technical Marketing Engineer

CCIE #21945

Page 4

Spanish Cisco Community – Content contest

Publish Spanish Technical Content & win prizes!

http://bit.ly/concurso-sp-19

Till Friday July 26th 2019

Page 5

Become an event Top Contributor!

Participate in Live Interactive Technical Events and much more

http://bit.ly/EventTopContributors

Page 6

Rate content at the Cisco Community

Rate documents, Videos & blogs!

Help us to recognize the quality content in the community

Encourage and acknowledge people who generously share their time and expertise

Page 7

Cisco Community Expert

Aaron Rohyans, Technical Marketing Engineer

CCIE #21945

Page 8

Question Manager

Palak Desai, Sr. Product Manager

Page 9

Download Today’s Presentation

http://bit.ly/webcastslides-july16-2019

Thank You For Joining Us Today!

Page 10

Use the Q&A panel to submit your questions and the panel of experts will respond.

They will be answered eventually

Submit Your Questions Now!

Please take a moment to complete the survey at the end of the webcast

Page 11

Please make sure you follow up the presentation in the right screen

New Webex!

Page 12

Aaron Rohyans, Technical Marketing Engineer, Cloud onRamp for CoLo/[email protected]

Solution Technical Briefing

Cisco Cloud onRamp for CoLocation

Page 13

Agenda

Key Takeaways

Introduction and Key Concepts

Components and Architecture

Deployment Options and Use Cases

Page 14

Introduction and Key Concepts

Page 15

It’s a multicloud world

• Evaluating or using public cloud: 85%
• Taken steps towards a hybrid cloud strategy: 87%
• Plan to use multiple clouds: 94%

Among cloud users

Source: IDC CloudView, April, 2017, n=8,293 worldwide respondents, weighted by country, company size and industry

Page 16

The Challenges of Distributed Environments

• Complex Routing Policy
• Distributed Internet access
• Efficient IaaS, SaaS and Data Center access
• Scalability
• Distributed Security Policy
• Application SLAs

[Diagram labels: SaaS, Extranet, Data Center, Remote User, SD-WAN Fabric]

Page 17

The WAN of Yesterday, Today and Tomorrow

[Diagram with three panels, each labelled SaaS, IaaS, Extranet:
• Backhauled Access (labels: Data Center, Data Center)
• Distributed Access: Secure SD-WAN at the Branch
• Regional Access: Cisco SD-WAN Cloud onRamp for CoLocation (label: Cloud onRamp for CoLo)]

Page 18

Cisco SD-WAN Cloud onRamp for CoLocations

Securely Connecting Users and Application Providers

Turn-key orchestration and automation of enterprise WAN Service-Chains!

• Security: Central policy enforcement
• Agility & Performance: Rapid provisioning, change control and scale-out architecture via NFV fabric. Speed of software with the performance of hardware.
• Cost Savings: Lower OpEx and CapEx through NFV. Reduce circuit costs and number of circuits.

[Diagram labels: Customers, Employees, Partners, AnyConnect, Colocation/DC, Cloud onRamp for CoLo, SaaS, IaaS, Branch, Private Data Center]

Page 19

Service Chaining

Regionalized Service Chaining

DDOS Mitigation | Malware/Virus Containment | Security Policy Compliance

[Diagram labels: Branch, Campus, Small Office/Home Office, 4G, MPLS, INET, Regional Secure Perimeter, Cloud onRamp for CoLo, Data Center, Data Center]

Page 20

Cloud onRamp for CoLo

What problem does it solve?

For SDWAN

• Easier Migration(s)
• Remote Access VPN integration
• Optimized Cloud/DC Access
• Optimized Extranet Access

For Legacy WAN

• Remote Access VPN integration
• Optimized Cloud/DC Access
• Optimized Internet Access
• Optimized Extranet Access

For Remote Access Users

• Optimized Cloud Access
• Anchor for IaaS, Extranet and optimized access to Private DC(s)
• Optimized Extranet Access

[Diagram labels: Private Data Center, SaaS, IaaS, Internet, Extranet, Legacy WAN, MPLS, Remote Access User, SD-WAN Fabric]

Page 21

Polling Question 1

Do you utilize Carrier Neutral Facilities (Colocations) in your organization currently?

A. No, and I have no future plans to implement them

B. No, but I’m interested to understand the benefits of a colocation

C. Yes, I utilize one or more colocation facilities

D. I’m not sure what a CNF/Colocation is?

Page 22

Components and Architecture

Page 23

Architecture

Note: vManage/vBond provide orchestration for the Cisco SD-WAN Cloud onRamp for CoLocation solution and are required elements even if the customer is not running Viptela SD-WAN

[Diagram labels: Regional Colo/DC, Cisco CSP5444 #1, Cisco CSP5444 #2, Cisco C9500-40, Cisco C9500-40, WAN Fabric, Netconf, Cisco vManage/vBond]

• Cloud onRamp for CoLo Cluster ID: 1
• Service Group: SDWAN, Firewall, Load-Balancer
• Policy: Set Next-Hop US Colo
• Application: Sites 1-5, VRF 10

Page 24

Cluster Physical Components

Cisco Cloud onRamp for CoLo Cluster

• Managed via vManage
• Requires vManage v18.4+
• Acts as a pool of resources from which to create service-chains
• Provides anchor between all Transports/SPs, Clouds, etc.

Cisco Catalyst 9500-40 Switches (Quantity: 2)

• Must run IOS-XE v16.9.1 with Network Advantage or greater
• Provides multi-gigabit backplane switching to VNFs, inbound/outbound WAN connectivity and access to Colo management networks
• Operates as one virtual switch (VSS)
• Highly redundant
• Configured via PNP through Colo-Configuration Manager (CCM) on Day0

Cisco CSP 5444 Platform (Quantity: 2)

• 44 CPU cores, 192GB of RAM, 4.8TB onboard storage and 8 NICs (10 Gbps) per chassis
• Runs NFVIS with vDaemon Day0 (Zero Touch Provisioning)
• Must run Cisco NFVIS v3.9.1a or greater
• Runs Colo-Configuration Manager (spawned via vManage after Zero Touch Provisioning)
• Hosts VNF Service Chains (Service Groups) instantiated within vManage

Page 25

CSP5444 Overview

Hardware Overview

• Two Intel Xeon Gold 6152 @ 2.1 GHz (48 Cores)
• 192GB DDR4 RAM (2666 MHz)
• Eight 1.2TB disks (RAID10, 4.4TB usable)
• Two onboard Intel (Niantic) 10 Gbps ports (Management)
• Two, two-port PCIe Intel (Niantic) 10 Gbps cards (SR-IOV)
• One, four-port PCIe Intel Fortville 10 Gbps card (OVS)

Software Overview

NFVIS v3.11.1 | CCM | vDaemon | Ecosystem Partners (Palo Alto, Fortinet, Avi, etc.)

Page 26

Colo-Configuration Manager (CCM)

[Diagram labels: CSP 5444 (two chassis, each: NFVIS, confD, vDaemon, PnP, VMLC); Colo-Configuration Manager (Placement Switch Manager, confD, vDaemon, Bootstrap); C9500 (two switches, each: PnP, confD); OOB Management Switch; DHCP & DNS Server]

• Operates on CSP(s)
• Instantiated automatically via vManage on Day0 after initial Zero Touch Provisioning Process
• Only one active CCM per Cloud onRamp for CoLo cluster (chassis with the lowest serial # is the active CCM, by default)
• Headless (no GUI) and no interaction necessary from customer
• C9500s undergoing PNP will find/register to CCM (using DHCP Option 43) for Day 0 configuration

Page 27

Cabling

[Cabling diagram labels: CSP 5444 #1, CSP 5444 #2, C9500-40 #1, C9500-40 #2, Stackwise Dual-Active-Detection, Stackwise Virtual Switch Link (Port-channel), OVS Data Port-Channel, OVS HA Port-Channel, SR-IOV, WAN/Transport Uplink (x2), Management Switch, CIMC Management (x2), NFVIS Management (x2); port numbers shown: 1, 2, 39, 40]

Page 28

Back Panel

• Slot 2, Ports 3-4 (Fortville): OVS HA Port-Channel (VNF Dedicated Control/HA Plane)
• Slot 2, Ports 1-2 (Fortville): OVS Data Port-Channel (VNF Dedicated Data Plane)
• Slot 1, Ports 1-2 (Niantic): SRIOV (VNF Data/Control Plane)
• Slot 4, Ports 1-2 (Niantic): SRIOV (VNF Data/Control Plane)
• Integrated: CSP Management (CIMC)
• Integrated: NFVIS Management Port-Channel

Page 29

Day0 Provisioning of CSPs

• CSPs and C9500s allocated to customer Smart Account/Virtual Account on http://software.cisco.com
• Plug and Play (PnP) Controller Profile (vBond) created under customer Virtual Account
• CSPs associated to newly built Controller Profile
• CSPs and C9Ks cabled and booted (next slide)

Page 30

Day0 Provisioning of CSPs (Cont’d.)

• CSPs boot up and obtain IP Address/DNS from Management subnet
• Smart Account Sync’d with vManage
• Cloud-Init information (which includes a one-time password [OTP] generated from vManage) installed within NFVIS by administrator: request activate chassis-number X token Y
• PnP Agent attempts to contact devicehelper.cisco.com (HTTP/XMPP)
• PnP service redirects CSP to vBond identified in the Controller Profile
• CSP disconnects from PnP service and establishes a DTLS connection to vBond via vDaemon
• vBond authenticates CSP (serial #, SUDI certificate, OTP) and shares vManage information
• CSP disconnects from vBond and establishes a DTLS connection to vManage
• vManage will install an identity certificate on CSP (NFVIS) for further authentication purposes
• CCM is instantiated on cluster CSP via vManage NetConf. CCM IP Address (obtained via DHCP) is recorded within vManage
• Administrator sets DHCP reservation for CCM and configures the reserved IP as DHCP Option (43) within the colo DHCP server

Page 31

Day0 Provisioning of CSPs (Cont’d.)

• Cloud onRamp for CoLo cluster is ready for configuration via vManage
• C9Ks boot and obtain IP Address as well as Option 43 information from DHCP server
• Switches register to active CCM

Page 32

Simplified Packet Walkthrough

• User initiates traffic that matches configured policy
• Packet is routed to the WAN CPE IP Address of the Colo
• Packet enters switch where an L2 lookup is performed for the WAN CPE IP. Packet is forwarded to the VNF’s assigned input VLAN
• Trailing VNF processes the packet and forwards it to its default gateway on the assigned output VLAN
• Packet is processed by the Service Chain
• WAN Routing Policy dictates that Internet traffic from ‘Source: Sally’ must have its L3 next-hop set to the Regional Colocation
• Packet switched/routed to WAN CPE

PACKET: Source: Sally | Destination: Internet | Policy: Firewall

[Diagram labels: Regional Colo/DC, Cisco CSP5444 #1, Cisco CSP5444 #2, Cisco C9500-40, Cisco C9500-40, MPLS, L3 VPN, SDWAN]

Page 33

VNF Packet Walkthrough

• Packet/frame delivered to C9500 from WAN on VNF-1 input VLAN (‘A’ in figure)
• Packet is processed by VNF-1 and delivered to output VLAN (‘B’ in figure), where it is routed to input VLAN (B) of VNF-2
• Packet is processed by VNF-2 and delivered to output VLAN (C) to be routed to its original destination

PACKET: Source: Sally | Destination: Internet | Policy: Firewall

[Diagram labels: VNF-1, VNF-2, VNF-3, VLAN A, VLAN B, VLAN B, VLAN C, User input VLAN (Auto Assigned), User output VLAN (Auto Assigned), SR-IOV or OVS, Virtual Switch, Port-Channel(s), WAN Input/Output]
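
The VLAN stitching in the VNF packet walkthrough above, as an added example (not code from the webcast or from Cisco): it traces a frame through a chain and reports when a wrong ingress or output VLAN lets traffic skip a VNF such as the firewall while still leaving on the expected VLAN. VNF names, roles and VLAN IDs are constructed sample values, and the forwarding rule in trace() is a simplifying assumption.

```python
"""Audit a VLAN-stitched VNF service chain (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vnf:
    name: str
    role: str         # hypothetical label, e.g. "firewall" or "router"
    input_vlan: int   # VLAN on which the switch delivers frames to the VNF
    output_vlan: int  # VLAN on which the VNF returns frames to the switch


def trace(chain, ingress_vlan):
    """Follow a frame that arrives from the WAN on ingress_vlan.

    Assumption: the switch hands a frame on VLAN v to the VNF whose input
    VLAN is v, and the frame leaves the chain once no VNF listens on its VLAN.
    Returns (names of the VNFs traversed in order, VLAN the frame leaves on).
    """
    by_input = {}
    for vnf in chain:
        if vnf.input_vlan in by_input:
            raise ValueError(f"VLAN {vnf.input_vlan} is the input of two VNFs")
        by_input[vnf.input_vlan] = vnf
    visited, vlan = [], ingress_vlan
    while vlan in by_input:
        vnf = by_input[vlan]
        if vnf.name in visited:
            raise ValueError(f"loop: frame re-enters {vnf.name} on VLAN {vlan}")
        visited.append(vnf.name)
        vlan = vnf.output_vlan
    return visited, vlan


def audit(chain, ingress_vlan, egress_vlan, required_roles):
    """Return a list of findings; an empty list means the chain is sound."""
    try:
        visited, out_vlan = trace(chain, ingress_vlan)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if out_vlan != egress_vlan:
        findings.append(f"frame leaves on VLAN {out_vlan}, expected {egress_vlan}")
    for vnf in chain:
        if vnf.name not in visited:
            findings.append(f"{vnf.name} ({vnf.role}) is bypassed")
    seen_roles = {vnf.role for vnf in chain if vnf.name in visited}
    for role in required_roles:
        if role not in seen_roles:
            findings.append(f"required role '{role}' is not in the packet path")
    return findings


# Constructed sample chains. VLAN 101/102/103 stand in for A/B/C in the figure.
GOOD_CHAIN = [
    Vnf("VNF-1", "firewall", 101, 102),
    Vnf("VNF-2", "router", 102, 103),
]
# VNF-2 listens on the wrong input VLAN, so the stitch B -> B is broken.
BROKEN_CHAIN = [
    Vnf("VNF-1", "firewall", 101, 102),
    Vnf("VNF-2", "router", 104, 103),
]
# VNF-2 sends frames back onto VNF-1's input VLAN.
LOOPED_CHAIN = [
    Vnf("VNF-1", "firewall", 101, 102),
    Vnf("VNF-2", "router", 102, 101),
]

if __name__ == "__main__":
    cases = [
        ("good chain, WAN on VLAN 101", GOOD_CHAIN, 101),
        ("good chain, WAN mis-set to VLAN 102", GOOD_CHAIN, 102),
        ("broken stitch", BROKEN_CHAIN, 101),
        ("loop", LOOPED_CHAIN, 101),
    ]
    for label, chain, ingress in cases:
        result = audit(chain, ingress, 103, ["firewall"])
        print(f"{label}: {result or 'OK'}")
```

The second case is the one worth noticing: the frame still exits on the expected output VLAN, so connectivity tests pass even though the firewall never saw it.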

Page 34

Polling Question 2

Are you familiar with Virtualized Network Functions (VNF)?

A. No, never heard of it

B. Yes, I’ve heard of it (or know a little about it), but do not currently use this technology

C. Yes, I am currently using VNF technology in my organization

Page 35

Deployment Options and Use-Cases

Page 36

Cloud onRamp for CoLo

Tested Deployment Options: FW in L3 mode

• Supported Vendors: Palo Alto, Cisco (ASAv, FTDv)
• Supported Modes: L3 Non-HA, L3 HA

[Diagram labels: WAN, FW]

Page 37

Cloud onRamp for CoLo

Tested Deployment Options (Cont’d.): FW and Router in L3 mode with sub-interfaces (trunked)

• Supported FW Vendors: Palo Alto, Cisco (ASAv, FTDv)
• Supported FW Modes: L3 (Trunked) Non-HA, L3 (Trunked) HA
• Supported RTR Vendors: Cisco (CSR, vEdge)
• Supported RTR Modes: L3 (Trunked) Non-HA, L3 (Trunked) HA

VLAN 1 is required. All other VLANs are optional

[Diagram labels: WAN, FW, RTR]

Page 38

Cloud onRamp for CoLo

Tested Deployment Options (Cont’d.): FW and Router in L3 mode (non-trunked)

• Supported FW Vendors: Palo Alto, Cisco (ASAv, FTDv)
• Supported FW Modes: L3 Non-HA, L3 HA
• Supported RTR Vendors: Cisco (CSR, vEdge)
• Supported RTR Modes: L3 Non-HA, L3 HA

[Diagram labels: WAN, FW, RTR]

Page 39

Cloud onRamp for CoLo

Tested Deployment Options (Cont’d.): vEdge in L3 mode, FW in L2 or L3 mode and Router in L3 mode

vEdge must be managed by vManage

• Supported FW Vendors: Palo Alto, Cisco (ASAv, FTDv)
• Supported FW Modes: L2 (Transparent) Non-HA, L2 (Transparent) HA, L3 Non-HA, L3 HA
• Supported RTR Vendors: Cisco (CSR, vEdge)
• Supported RTR Modes: L3 Non-HA, L3 HA

[Diagram labels: WAN, vEdge, FW, RTR]

Page 40

Cloud onRamp for CoLo

Internet Edge: Outbound Internet, eCommerce, SaaS

• ASAv provides stateful firewall, L2-7 inspection and NAT
• CSR1Kv provides peering with upstream provider

[Diagram labels: WAN, Switch (C9500), ASAv, CSR1Kv, Switch (C9500), Internet, Input VLAN A, Output VLAN A, Input VLAN B, Output VLAN B, Upstream BGP Config]

Page 41

Cloud onRamp for CoLo

Cloud Edge: Public Cloud Access

• FTDv provides Next-Gen FW, Next-Gen IPS, Threat Intelligence, Anti-Malware and NAT
• CSR1Kv provides peering with upstream provider

[Diagram labels: WAN, Switch (C9500), FTDv, CSR1Kv, Switch (C9500), Cloud Provider, Input VLAN A, Input VLAN B, Output VLAN B, Output VLAN C]

Page 42

Cloud onRamp for CoLo

Partner / Extranet: IP VPN Access

• FTDv provides Next-Gen FW, Next-Gen IPS, Threat Intelligence, Anti-Malware and NAT
• CSR1Kv provides peering with upstream provider

[Diagram labels: WAN, Switch (C9500), FTDv, CSR1Kv, Switch (C9500), Partner, Input VLAN A, Input VLAN B, Output VLAN B, Output VLAN C]

Page 43

Cloud onRamp for CoLo

Employee Remote Access AnyConnect (ASAv)

• ASAv provides stateful firewall, L2-7 inspection, VPN and NAT

[Diagram labels: WAN, Switch (C9500), ASAv, Switch (C9500), Internet, Output VLAN A, Input VLAN B]

Page 44

Cloud onRamp for CoLo

Employee Remote Access AnyConnect (FTDv)

• FTDv provides Next-Gen FW, Next-Gen IPS, Threat Intelligence, Anti-Malware, VPN and NAT
• CSR1Kv provides peering with upstream provider

[Diagram labels: WAN, Switch (C9500), CSR1Kv, FTDv, Switch (C9500), Internet, Output VLAN A, Input VLAN B, Output VLAN B, Input VLAN C]

Page 45

Cloud onRamp for CoLo

SD-WAN Regionalized DC, SaaS, IaaS and Internet Access

• vEdge Cloud provides access to SDWAN overlay/fabric
• ASAv provides stateful firewall, L2-7 inspection and NAT
• CSR1Kv provides peering with upstream provider

[Diagram labels: SD-WAN Fabric, Switch (C9500), vEdge Cloud, ASAv, CSR1Kv, Switch (C9500), Internet, Input VLAN A, Output VLAN B, Input VLAN B, Output VLAN C, Input VLAN C, Output VLAN D]

Page 46

Key Takeaways

Page 47

Cloud onRamp for CoLo is an architectural choice

Turn-key automation of Enterprise service-chains

Can be used to address a number of use-cases

Built on Cloud Services Platform with NFVIS

Cisco Cloud onRamp for CoLo

Regionalized service-chaining provides an alternate approach to DIA/SaaS/IaaS/DC/Extranet access without compromising the benefits of SDWAN

Cisco SDWAN controllers are used for automation, management and orchestration, though Cisco SDWAN is not a requirement

• Customers hesitant to move to DIA
• Remote Access VPN integration and connectivity automation
• Security / Compliance
• Further optimized IaaS/SaaS access

Page 48

Polling Question 3

Are you familiar with SD-WAN Service Chaining?

A. No, never heard about it

B. Yes, I’ve seen it, but know very little about it

C. Yes, I’ve seen it and utilize it within policy

Page 49

Demo

Page 50

Thank you

Page 51

Submit Your Questions Now!

Use the Q&A panel to submit your questions, our expert will respond

Page 52

Ask the Expert following the Webcast

Now through Friday July 19th 2019

http://bit.ly/ask-sdwan-cloud

With Aaron Rohyans

Aaron Rohyans, Technical Marketing Engineer

CCIE #21945


Page 57

Thank you for participating, you earned a discount!

Redeem your 35% discount offer by entering code: CSC when checking out.

http://bit.ly/Community-CiscoPress2019

Cisco Press

Page 58

Thank you for Your Time!

Please take a moment to complete the survey

Page 59

Thanks For Joining today!
