TRANSCRIPT
Delivering Cisco Next Generation SD-WAN with Viptela
David Klebanov, Engineer, Technical Marketing
Nikolai Pitaev, Engineer, Technical Marketing
BRKCRS-2110
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#BRKCRS-2110
“What’s in it for me?”
In this session:
• Introduction and Design, Building Blocks
• Use Cases, Operation and Security
• Live Demo during the session
Out of scope:
• Detailed explanation of how it works under the hood
• Troubleshooting and debugging
• Step-by-step Migration to SD-WAN
Steve Jobs, 2003: “Design is not just what it looks like and feels like. Design is how it works.”
Why should I care? Real life examples
• 80 percent reduction in cost/Mbps for a US insurance provider.
• $20 million reduction in OpEx over three years for a retailer.
• 5-fold improvement in Office 365 performance for an energy provider.
• 4-fold improvement in application latency for a healthcare provider.
• M&A integration within 2 weeks for a Fortune 50 healthcare provider.
• Securely isolated 100+ business partners for a US manufacturer with more than 1000 sites.
Key Message
Cisco SD-WAN Solution helps you to:
• Reduce Cost
• Operate Faster
• Integrate Latest Cloud and Network Technologies
SD-WAN learning Journey at Cisco Live (Monday through Friday)
• BRKCRS-2110 Delivering Cisco Next Generation SD-WAN with Viptela (Architecture and solution)
• BRKCRS-2111 Migration to Next-Gen SD-WAN (Migration and vQOE)
• BRKRST-2514 Next Gen SDWAN with application acceleration/optimization
• BRKRST-2557 SD-WAN and NFV Orchestration for Managed Service Providers (SP orchestration)
• BRKCRS-2112 Serviceability for Next Generation SD-WAN (Serviceability)
• TECCRS-20004 Cisco SD-WAN Technical Deep Dive (Deep Dive)
• BRKCRS-2113 Cloud-Ready WAN for IAAS and SAAS with Cisco Next-Gen SD-WAN
Agenda
• Introduction
• Architecture
• Use Cases
• Demo
• Conclusion
Customer Requirements
• Network Planning: I want to Simplify Deployments and Automate Policy Enforcement to ensure a Consistent and Seamless Application Experience.
• Network Operations: I want Centralized Policy Enforcement and Assurance to Accelerate Time to Resolution.
• Network Manager: I need to Replace or Change existing Infrastructure and WAN Services to Lower Costs and Maximize Investments.
• Security Operations: Security and Compliance are critical areas and require us to have the appropriate Segmentation, Policing, Access Controls and Visibility from end-to-end.
Traditional and Legacy Architectures cannot scale to address changing needs
EXPENSIVE
• Hardware-centric
• Fixed capacity
DIFFICULT TO SUPPORT
• Discrete device-by-device configurations
• Complex management silos
• Require slow truck rolls for changes
INFLEXIBLE
• Tightly controlled, client server model
• Historical vs predictive management
CONNECTIVITY-CENTRIC
• Fragmented, incomplete user experience
• Not application-centric
POORLY INTEGRATED
• Conflicting policies and configurations
• Inflexible and static
• Risk from accidental interactions and vulnerabilities
Cisco SD-WAN is an integrated part of our Digital Network Architecture (DNA). Cisco DNA™ is a complete system for intent-based networking: Automation, Assurance, Virtualization, Security and Cloud service management on top of DNA-ready physical and virtual infrastructure.
SD-WAN Architecture
Cisco SD-WAN Architecture Overview
[Diagram: Data Center, Campus, Branch and SOHO sites connected over 4G/LTE, MPLS and Internet transports; cloud-hosted vManage, vSmart, vBond (vOrchestrator, ZTP), Analytics and API above the fabric]
• Control Plane = vSmart (Containers or VMs)
• Data Plane = vEdge (Physical or Virtual)
• Management = vManage (Multi-tenant or Dedicated)
• Orchestration = vBond
vBond is the SD-WAN Orchestrator
• Orchestrates connectivity between management, control and data plane.
• Serves as the first point of authentication.
• Requires a public IP address.
• All other components need to know the vBond IP or DNS name.
• Authorizes all control connections (white-list model).
vManage is your NMS for SD-WAN
• Single pane of glass for Day 0, Day 1 and Day 2 operations.
• Enables centralized provisioning and simplifies changes.
• Supports REST API, CLI, Syslog, SNMP, NETCONF.
• Provides real-time alerting.
vSmart is the centralized brain of the solution
• Implements control plane policies, such as service chaining, traffic engineering and segmentation per VPN topology.
• Reduces complexity of the entire network.
• Establishes peering with all vEdges and distributes connectivity information.
vBond, vSmart and vManage are also known as Controllers. Controllers can be deployed on-prem or in the cloud.
• On-Premise: vManage, vSmart1, vSmart2 and vBond on a physical server running ESXi or KVM
• Hosted: vManage, vSmart1, vSmart2 and vBond on AWS or Azure
vEdge is your SD-WAN data plane
• Provides secure data plane with remote vEdge routers.
• Establishes secure control plane with vSmart controllers.
• Implements data plane and application aware routing policies.
• Exports performance statistics.
• Physical (100Mb, 1Gb, 10Gb, 20+Gb) or Virtual form factor.
Cloud-Delivered Control
• Enterprise IT deploys vManage, vSmart and vBond in a Private Cloud
• MSP Ops Team deploys vManage, vSmart and vBond in the MSP Cloud
• Cisco Cloud Ops deploys vManage, vSmart and vBond in the Viptela Cloud
Unified Control Plane
• Overlay Management Protocol (OMP)
• TCP based extensible control plane protocol
• Runs between vEdge routers and vSmart controllers and between the vSmart controllers
- Inside TLS/DTLS connections
• Advertises control plane context and policies
• Dramatically lowers control plane complexity and raises overall solution scale
[Diagram: vEdges peer with vSmart controllers rather than with each other]
Note: vEdge routers need not connect to all vSmart Controllers
SD-WAN: O(n) Control Complexity vs Traditional: O(n^2) Control Complexity
Data Plane Establishment
• Transport Locator (TLOC): local TLOCs are identified by (System IP, Color, Encap)
• TLOCs are advertised to vSmarts in TLOC routes over OMP
• vSmarts advertise TLOCs to vEdges in TLOC routes
• The SD-WAN fabric of IPsec tunnels is built with TLOCs as tunnel endpoints
[Diagram: vEdges with INET and MPLS TLOCs, OMP sessions to vSmart, IPsec tunnels between vEdges]
Data Plane Liveliness and Quality
• Bidirectional Forwarding Detection (BFD)
• Path liveliness and quality measurement
- Up/Down, loss/latency/jitter, IPSec tunnel MTU
• Runs between all vEdge and vEdge Cloud routers in the topology
- Inside IPSec tunnels
- Operates in echo mode
- Automatically invoked at IPSec tunnel establishment
- Cannot be disabled
• Uses hello (up/down) interval, poll (app-aware) interval and multiplier for detection
- Fully customizable per-vEdge, per-color
Common Data Plane Communication
• Per-Session Load Sharing: Active/Active across INET and MPLS (Default)
• Per-Session Weighted: Active/Active across INET and MPLS (Device Configurable)
• Application Pinning: Active/Standby across INET and MPLS (Policy Enforced)
• Application Aware Routing: SLA Compliant path across INET and MPLS (Policy Enforced)
Fabric Operation Walk-Through
[Diagram: two vEdges, each with VPN1 and VPN2 service-side networks learned via BGP, OSPF, Connected or Static routes, connected over Transport1 and Transport2; DTLS/TLS tunnels carry OMP to vSmart, IPSec tunnels carry data and BFD between the vEdges]
• vEdges send OMP Updates to vSmart with their Subnets and TLOCs
• vSmart applies Control Policies and sends OMP Updates back to the vEdges
• An OMP Update carries: Reachability – IP Subnets, TLOCs; Security – Encryption Keys; Policy – Data/App-route Policies
Common Enterprise Deployment Use Cases
Application Visibility and Recognition
• Deep Packet Inspection
• App Firewall
• Traffic prioritization
• Transport selection
[Diagram: vEdge Router classifying App 1 through App 3,000 across 4G, MPLS and INET between Branch, Campus, Small Office, Home Office, Data Center and Cloud Data Center]
Critical Applications SLA
vManage App Aware Routing Policy: App A path must have:
• Latency < 150ms
• Loss < 2%
• Jitter < 10ms
vEdge Routers continuously perform path liveliness and quality measurements over the SD-WAN IPSec tunnels (Internet, MPLS, 4G LTE) between the Remote Site and the Data Center:
• Path1: 10ms, 0% loss, 5ms jitter
• Path2: 200ms, 3% loss, 10ms jitter
• Path3: 140ms, 1% loss, 10ms jitter
Also: Optimal Path MTU, TCP Optimization
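The two mechanisms on the preceding slides, BFD path liveliness and the app-aware routing SLA, can be combined into one small model. The following is an added example and not code from the deck or from the Viptela product; the class and function names, the BFD hello interval and multiplier defaults, and the failover scenario are assumptions, while the SLA bounds and the three path measurements are the ones quoted on the slide.

```python
"""Added example: BFD liveliness feeding an app-aware routing SLA decision.
Names, timers and the failover scenario are constructed assumptions; the SLA
thresholds and the Path1..Path3 measurements come from the slide."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Measurement:
    """Quality sample for one path, as BFD poll-interval probing would produce."""
    latency_ms: float
    loss_pct: float
    jitter_ms: float


@dataclass
class Sla:
    """App-aware routing policy: a path complies only if every bound holds
    (strict '<', as the slide writes it: Latency < 150ms, Loss < 2%, Jitter < 10ms)."""
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float

    def complies(self, m: Measurement) -> bool:
        return (m.latency_ms < self.max_latency_ms
                and m.loss_pct < self.max_loss_pct
                and m.jitter_ms < self.max_jitter_ms)


@dataclass
class Path:
    """One IPSec tunnel between two vEdges together with its BFD session state."""
    name: str
    measurement: Optional[Measurement] = None
    hello_ms: int = 1000        # assumed BFD hello interval
    multiplier: int = 7         # assumed BFD detection multiplier
    missed_hellos: int = 0      # consecutive hellos not answered

    @property
    def detection_time_ms(self) -> int:
        # BFD declares the path down once `multiplier` hellos in a row are missed
        return self.hello_ms * self.multiplier

    @property
    def is_up(self) -> bool:
        return self.missed_hellos < self.multiplier


SLA_APP_A = Sla(max_latency_ms=150, max_loss_pct=2, max_jitter_ms=10)


def slide_paths() -> List[Path]:
    """The three path measurements quoted on the slide."""
    return [
        Path("Path1", Measurement(latency_ms=10, loss_pct=0, jitter_ms=5)),
        Path("Path2", Measurement(latency_ms=200, loss_pct=3, jitter_ms=10)),
        Path("Path3", Measurement(latency_ms=140, loss_pct=1, jitter_ms=10)),
    ]


def compliant_names(paths: List[Path], sla: Sla) -> List[str]:
    """Names of the paths that are up and meet every SLA bound."""
    return [p.name for p in paths
            if p.is_up and p.measurement is not None and sla.complies(p.measurement)]


def select_path(paths: List[Path], sla: Sla, current: Optional[Path] = None) -> Optional[Path]:
    """Pick the path for an SLA-class application.
    1. Only paths whose BFD session is up are candidates.
    2. Prefer SLA-compliant paths; keep the current one if it still complies
       (avoids flapping), otherwise take the lowest-latency compliant path.
    3. If nothing complies, degrade to the lowest-latency path that is still up.
    4. If every path is down, return None: the application is unreachable."""
    up = [p for p in paths if p.is_up and p.measurement is not None]
    compliant = [p for p in up if sla.complies(p.measurement)]
    if current is not None and current in compliant:
        return current
    pool = compliant or up
    if not pool:
        return None
    return min(pool, key=lambda p: p.measurement.latency_ms)


def choose_for_app_a() -> str:
    return select_path(slide_paths(), SLA_APP_A).name


def failover_after_bfd_down() -> str:
    """Path1 stops answering BFD hellos; after `multiplier` misses it is down and
    the vEdge must move App A even though no remaining path meets the SLA."""
    paths = slide_paths()
    current = paths[0]
    current.missed_hellos = current.multiplier
    return select_path(paths, SLA_APP_A, current=current).name


if __name__ == "__main__":
    print("SLA-compliant:", compliant_names(slide_paths(), SLA_APP_A))
    print("App A uses:", choose_for_app_a())
    print("after Path1 BFD down:", failover_after_bfd_down())
```

Note that Path3 is not compliant with the policy as written: its 10ms jitter is not strictly below the 10ms bound, so the only compliant path is Path1, and once Path1's BFD session goes down the router is left choosing the least bad of two non-compliant paths rather than a compliant one.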
vEdge VPNs and Security Zoning
• Transport (VPN0), Service (VPNn) and Out-of-band Management (VPN512)
• VPNs are isolated from each other, each VPN has its own forwarding table
• Reachability within a VPN is automatically advertised by OMP
[Diagram: transport interfaces toward Internet and MPLS in the Untrusted Zone (VPN0); service interfaces and sub-interfaces in the Trust Zone (VPNn)]
Secure Segmentation
• Security Zoning
• Compliance
• Guest Wi-Fi
• Multi-Tenancy
• Extranet
Per-VPN Topology: Full-Mesh, Hub-and-Spoke, Partial Mesh, Point-to-Point
[Diagram: VPN 1, VPN 2 and VPN 3 carried between vEdges inside the SD-WAN IPSec tunnel]
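The per-VPN forwarding tables from the zoning slide and the per-VPN topology from this slide can be shown together in a toy model of what vSmart advertises and what each vEdge installs. This is an added example, not code from the deck or the product; the site system IPs, prefixes, VPN numbers, the single-hub TLOC rewrite and all function names are constructed assumptions.

```python
"""Added example: per-VPN route isolation plus a centralized hub-and-spoke
topology policy. Sites, prefixes, VPN numbers and the simplified hub TLOC
rewrite are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Tloc:
    """Transport Locator: the (System IP, Color, Encap) tuple naming a tunnel endpoint."""
    system_ip: str
    color: str
    encap: str = "ipsec"


@dataclass(frozen=True)
class OmpRoute:
    """An OMP route: a prefix reachable inside one VPN via one TLOC."""
    vpn: int
    prefix: str
    tloc: Tloc


HUB_IP = "10.0.0.1"                      # assumed system IP of the data-center vEdge
HUB_TLOC = Tloc(HUB_IP, "mpls")

# Constructed routes, as vSmart would learn them over OMP from three vEdges.
# 10.1.1.0/24 deliberately exists in both VPN 1 (site B) and VPN 2 (site C).
ROUTES: List[OmpRoute] = [
    OmpRoute(1, "10.1.0.0/24", HUB_TLOC),
    OmpRoute(1, "10.1.1.0/24", Tloc("10.0.0.2", "public-internet")),  # site B
    OmpRoute(1, "10.1.2.0/24", Tloc("10.0.0.3", "mpls")),             # site C
    OmpRoute(2, "10.1.1.0/24", Tloc("10.0.0.3", "mpls")),             # site C, VPN 2
    OmpRoute(2, "10.2.0.0/24", HUB_TLOC),
]

# Centralized per-VPN topology policy held on vSmart.
POLICY: Dict[int, str] = {1: "full-mesh", 2: "hub-and-spoke"}


def vsmart_advertise(routes: List[OmpRoute], policy: Dict[int, str], site_ip: str) -> List[OmpRoute]:
    """Routes vSmart sends to the vEdge whose system IP is site_ip.
    In a hub-and-spoke VPN, spoke-originated routes are re-advertised to other
    spokes with the hub's TLOC (a set-tloc style rewrite, simplified to one hub
    TLOC), so spoke-to-spoke traffic must transit the hub. The hub itself
    receives every spoke TLOC unchanged."""
    out = []
    for r in routes:
        if r.tloc.system_ip == site_ip:
            continue                       # a site is never sent its own routes back
        topo = policy.get(r.vpn, "full-mesh")
        if topo == "hub-and-spoke" and site_ip != HUB_IP and r.tloc.system_ip != HUB_IP:
            r = OmpRoute(r.vpn, r.prefix, HUB_TLOC)
        out.append(r)
    return out


def build_fib(routes: List[OmpRoute]) -> Dict[int, Dict[str, Tloc]]:
    """One forwarding table per VPN; a prefix in VPN 1 is invisible in VPN 2."""
    fib: Dict[int, Dict[str, Tloc]] = {}
    for r in routes:
        fib.setdefault(r.vpn, {})[r.prefix] = r.tloc
    return fib


def lookup(fib: Dict[int, Dict[str, Tloc]], vpn: int, dst: str) -> Optional[Tloc]:
    """Longest-prefix match restricted to the caller's VPN table."""
    addr = ip_address(dst)
    matches = [(ip_network(p).prefixlen, t) for p, t in fib.get(vpn, {}).items()
               if addr in ip_network(p)]
    return max(matches, key=lambda m: m[0])[1] if matches else None


def next_hop_site(site_ip: str, vpn: int, dst: str) -> Optional[str]:
    """System IP of the tunnel endpoint a site would use, or None if unreachable."""
    fib = build_fib(vsmart_advertise(ROUTES, POLICY, site_ip))
    t = lookup(fib, vpn, dst)
    return t.system_ip if t else None


if __name__ == "__main__":
    print("hub, VPN1 -> 10.1.1.9:", next_hop_site(HUB_IP, 1, "10.1.1.9"))      # site B
    print("hub, VPN2 -> 10.1.1.9:", next_hop_site(HUB_IP, 2, "10.1.1.9"))      # site C
    print("site B, VPN1 -> 10.1.2.9:", next_hop_site("10.0.0.2", 1, "10.1.2.9"))  # direct to C
    print("site B, VPN2 -> 10.1.1.9:", next_hop_site("10.0.0.2", 2, "10.1.1.9"))  # via hub
    print("site B, VPN3 -> 10.1.0.9:", next_hop_site("10.0.0.2", 3, "10.1.0.9"))  # None
```

The same destination address resolves to different sites depending on the VPN it is looked up in, and a VPN with no table yields no route at all, which is the isolation property the zoning slide describes; the topology policy is applied once, centrally, and every spoke's forwarding table comes out hub-and-spoke for VPN 2 without any per-device configuration.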
L4-L7 Regional Secure Perimeter
• Service Chaining into a Regional Secure Perimeter of Firewalls and IDS/IPS/DLP protecting Compute Resources
• DDOS Mitigation • Malware/Virus Containment • Security Policy Compliance
[Diagram: Branch, Campus, Small Office and Home Office over 4G, MPLS and INET to the Data Center and Cloud Data Center, each behind its own Regional Secure Perimeter]
Cloud Applications: Which way is cloud?
1. Direct Internet Access
2. Regional Breakout
3. Data Center Backhaul
[Diagram: Remote Site with a Viptela vEdge Router connected to ISP1, ISP2 and MPLS across the SD-WAN Fabric; path 1 exits directly to the Internet, path 2 via the Regional Data Center, path 3 via the Data Center]
Cloud onRamp for SaaS: Direct Internet Access
• Detect application performance through one or more Direct Internet Access circuits (Quality Probing of loss/latency)
• vEdge routers choose the best performing path
- Per-Application, Per-VPN
• Automatic failover in case of performance degradation
• Fully automated
Cloud onRamp for SaaS: Direct Internet Access and Gateways
• Detect application performance through DIAs and gateways (Quality Probing of loss/latency)
- Customer/SP owned and operated
- Security, performance, reliability
• vEdge routers choose the best performing path
- Per-Application, Per-VPN
• Automatic failover in case of performance degradation
• Fully automated
Cloud Security
• Best suited for cloud SaaS applications
• Interoperates with Cloud onRamp for SaaS
• Augments native fabric security
• Can co-exist with on-premise L4-L7 security modes
- VPN segmentation
[Diagram: SOHO, Branch, Campus and Data Center over 4G, MPLS and INET, with cloud security in front of the Cloud Data Center]
SD-WAN and Public Cloud
How to provide security, segmentation, QoS and reliability to the cloud workloads?
[Diagram: Remote Site, Branch, Campus and Data Center with Viptela vEdge Routers across the SD-WAN Fabric toward Cloud VPCs and VNETs]
Cloud onRamp for IaaS: End-to-End SD-WAN
• vEdge Cloud routers are instantiated in every Compute VPC/VNET
- Marketplace
• End-to-end SD-WAN fabric between sites and public cloud
- Multipathing, QoS and segmentation
• Shortest-path to Public Cloud
Cloud onRamp for IaaS: End-to-End SD-WAN with a Gateway VPC/VNET
• Gateway VPC/VNET in front of the Compute VPCs/VNETs
- Customer/SP owned and operated
- Security, performance, reliability
• Easy deployment model
- No change to existing compute VPCs/VNETs
• Fully automated from vManage
- No marketplace
Operations and Migration
Agile Operations
• Power Tools: REST, NETCONF, Syslog, Flow Export, SNMP, CLI, Linux Shell
High Availability and Redundancy
• Site Redundancy (VRRP, OSPF/BGP at the site)
• Transport Redundancy (INET and MPLS)
• Network/Headend Redundancy (redundant Data Center headends over MPLS and INET, OSPF/BGP)
• Control Redundancy (multiple vSmart Controllers; Control and Data planes shown separately)
SD-WAN Transition Strategy
[Diagram, three stages: Site A and Site B both Non-SDWAN over MPLS and Internet; a mixed stage where Non-SDWAN and SDWAN sites coexist on the same MPLS and Internet transports while the SDWAN sites are interconnected by the SD-WAN Fabric Secure Tunnel; and a final stage where all sites are SDWAN]
Proven Solution Across Multiple Verticals (For Your Reference)
• Retail – Challenge: High cost, slow change, limited flexibility. Solution: 60-70% cheaper broadband at high bandwidth, centralized control, full visibility.
• Financial – Challenge: Needed more bandwidth and guaranteed network uptime for a new teller application. Solution: Dollar cost averaged the bandwidth cost down using a mix of transport (MPLS, Broadband, LTE). Traffic now uses the optimal network path to avoid downtime and slowdowns.
• Tech – Challenge: Slow performance and MPLS outages provided an expensive and poor user experience. Solution: Monthly savings reduced the cost per Mbps by more than 80%. Diverse circuits improve the reliability of the global network, with more than half of Agilent’s sites doubling WAN redundancy.
• Healthcare – Challenge: With an MPLS contract renewal approaching, Cigna wanted the flexibility to change carriers without a massive technology shift. Solution: Gained back control of its control plane and created the Cigna Service Provider Agnostic Network.
• Healthcare – Challenge: Security and high network cost. Solution: Satisfied strict security and audit requirements and provided greater flexibility for partnerships and secure clinical solutions. Cost reductions with the removal of remote site voice equipment and expensive PRIs, aging WAN acceleration equipment and maintenance.
• Energy – Challenge: Scale to support evolving field operations, and support cloud migration and application SLAs. Solution: Provided 30-60% savings in overall bandwidth costs. Enabled faster response to acquisitions, divestitures and policy changes.
Demo
Demo Summary
• Demo 1: SD-WAN @ dCloud
• Demo 2: App-aware routing with vEdge Cloud running on ENCS (Enterprise Network Compute System)
dCloud provides a huge catalog of free demos, training and sandboxes for every Cisco architecture in the cloud:
• 310+ labs for Customers, Partners and Cisco Employees.
• From scripted demos to fully customizable labs with administrative access!
dCloud SD-WAN Demo covers 6 cases (For Your Reference)
• Scenario 1 – An overview of the SD-WAN vManage dashboard and Zero Touch Provisioning (ZTP).
• Scenario 2 – Hybrid WAN connectivity over multiple WAN transport connections. Using IP as transport to create flexible data plane topologies from full-mesh to Hub-n-Spoke to any arbitrary topologies.
• Scenario 3 – Business-defined insertion of services (FW, IPS, IDS, etc.) utilizing centralized policies.
• Scenario 4 – Simplicity of using application firewalling policies centrally. Various applications and/or flows would not be allowed between sites. Simple centralized policy activation would enforce such policies to any site on the overlay.
• Scenario 5 – Application aware routing along with arbitrary topology networking to show the business policy driven view of application classification, connectivity and QoS provisioning.
• Scenario 6 – Policy driven Data Center preferences for different branches. A subset of branches could prefer one Data Center over the other as a regional Internet exit.
Demo 2: vEdge Cloud on ENCS
Model:              ENCS 5104        ENCS 5406        ENCS 5408        ENCS 5412
CPU:                4-core, 3.4 GHz  6-core, 1.9 GHz  8-core, 2.0 GHz  12-core, 1.5 GHz
PoE:                No               No               200W             200W
Capacity Guidance:  1-2 VNFs         2-3 VNFs         3-4 VNFs         4-5 VNFs
vBranch real life example: Branch 2
• BR2-vEdge1, BR2-ISRv1 and BR2-FW1 run as VNFs on NFVIS on an ENCS 5412
• Connection: Dual-homed, GE (Gi0/0) and T1 interfaces
• Transport 1: public-internet; Transport 2: mpls
• VNFs: vEdge Cloud, ISRv, Firepower Firewall
Outlook and Summary
Integration Roadmap
Phase 1 – No Integration
• Platform: As-is (vEdge)
• Management: vManage, vSmart
• Benefits: Support and Scale the current sales motion
Phase 2 – Platform Integration
• Platform: vEdge capabilities integrated into IOS-XE (ISR4K + vEdge SW)
• Management: vManage for SD-WAN capabilities on IOS-XE; vSmart
• Benefits: Viptela SD-WAN on strategic ISR platform
Phase 3 – Management Integration
• Platform: vEdge, ISR4K + vEdge SW
• Management: Cloud hosted DNA Center integrates vManage capabilities; Full DNA Center capabilities (Assurance, Integrated workflows for SD-Access and SD-WAN)
• Benefits: Deliver end-to-end experience with full DNA integration (DNA Center + SD-WAN)
Innovation Roadmap (FY 2018): Key Areas Of Focus
• Application QOE
• NaaS
• Operational Simplicity & Analytics
• Cloud Networking
• Security Integration
Video from https://www.cisco.com/c/en/us/solutions/enterprise-networks/sd-wan/index.html
Summary: Key Takeaways
Key Message
Cisco SD-WAN Solution helps you to:
• Reduce Cost
• Operate Faster
• Integrate Latest Cloud and Network Technologies
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you