BRKRST 2045

#CLMEL
Advanced Technologies
and Concepts for
Extending L3 VPN Over
IP-based WAN Transport
Evolving Trends and Solutions for L3
Segmentation in the Enterprise
Craig Hill, Distinguished Systems Engineer
BRKRST-2045
@netwrkr95
#CLMEL
Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session
How
1 Open the Cisco Events Mobile App
2 Find your desired session in the “Session Scheduler”
3 Click “Join the Discussion”
4 Install Webex Teams or go directly to the team space
5 Enter messages/questions in the team space
cs.co/ciscolivebot#BRKRST-2045
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Goals of This Session…
• Provide you and understanding of:
1. Current drivers and needs for Layer 3 segmentation

2. Primary architecture approaches to Layer 3 segmentation for the WAN
3. Cisco’s Layer 3 segmentation recommendations moving forward
4. Recent architecture shifts in WAN designs using Co-Location space
and in the public cloud
5. Innovations in high-speed encryption for WAN/Metro
6. Importance of incorporating automation into your network operations
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
• Introduction - Network
Agenda Segmentation Drivers and
Concepts
• Defining Key Deployment Options
and Transport for L3 Segmentation
WAN Designs
• Evolution and Trends for Core
Backbone Designs
• Technology Deep-Dive on Options
for L3 VPN Segmentation over IP
• “Innovations and Trends” Evolving
in L3 Segmentation
• End to End WAN Design and
Components (Summary of Session)
Concepts
WAN Designs
Backbone Designs
in L3 Segmentation
Evolution of “Network” Segmentation
…Means Many Things to Many People 
• It has evolved a long way from technologies like TDM (1960’s)
• From TDM, ATM/FR Virtual Circuits in the WAN, to…
• VLANs in the Campus, to… Logical/Virtual Routers on routing devices, to…
• Virtual Machines on server clusters in the Data Centre VPP/

Secure Domain
OVS
Routers
Virtual Circuits MPLS
Virtual CSR
VRF Lite
GRE HSRP MPLS VPN Port 1000v
VPLS Channel
VLANs AToM
TDM SDx
L2TPv3 Virtual
Device NfV
Context
Time 2019+
What Is Enterprise L3 “Network” Segmentation?
• Giving One physical network the ability to support multiple L3 virtual networks
• End-user perspective does not change
• Maintains Hierarchy, Virtualises devices, data paths, and services
Internal Separation (sales, eng) Merged Company Guest Access Network
Virtual Network Virtual Network Virtual Network
Actual Physical Infrastructure

Why L3 Network Segmentation?
Key Drivers and Benefits
• Cost Reduction - allowing a single physical network the ability to offer multiple virtual
networks to tenants
• Simpler OAM—reducing the amount of physical network devices needing to be
managed and monitored
• Security—maintaining segmentation of the network for different departments over a
single device/Campus/WAN
• Agility – accelerates adding network segments (virtual) over same physical networks
• High Availability—leverage segmentation through clustering devices that appear as
one (vastly increased uptime)
• Data Centre Applications
• Offer per/multi-tenant segmentation from the DC into the WAN/campus/Branch and cloud
• end-to-end continuity of Segmentation from server-to-campus-to-WAN
Why L3 Network Segmentation?
L3 Network Segmentation Use Cases – Current and Evolving
• Multi-Tenant Dwelling requiring Separation

• Airports – (United, Delta, etc…), Government Facilities – (agencies sharing single
building/campus), Intra Organisation segmentation – (sales, engineering, HR, LoB)
• Company mergers – allowing slow migration for transition, overlapping addressing
• IoT Device Isolation – segment (IP cameras, badge readers) from the user data
• Security for Isolation

• Key Fundamental element for Zero Trust Security framework
• Quarantine Zone – Honey Pot, Steered Traffic as result of DDoS, Anomaly Enforcement
• Mandates to logically separate varying levels of security (e.g. enclaves)
• Regulation requirements - Health Care – HIPPA | Financial and Transactional – Sarbanes-

Oxley, PCI Compliance
• Public Cloud and Key Component of Policy Construct

• L3 segmentation for “per tenant” - GBP, and leveraged in Intent-based network policies
Enterprise Network Segmentation
Key Building Blocks
WAN Segmentation
Segmentation on/of Interconnect Device
Device Pooling
WAN Si Si
“Virtualising” the Extending and Maintaining the “Virtualising”

Routing and “Virtualised” Devices/Pools over Multiple Devices
Forwarding of the Any Media to Function as a
Device Single Device
Enterprise Network Segmentation over the WAN
The Building Blocks – Example Technologies
Device Device
Partitioning Pooling
Si Si
VLANs
VRFs Virtual Sw System (VSS)
VNI (VXLAN) Virtual Port Channel (vPC)
VDC (NX-OS) HSRP/GLBP
(Virtual Device Context) Stackwise
Cloud Services Router (CSR) Router Virtual Network ASR 9000v/nV Clustering
ISRv Functions (VNF) w/ NFV Inter-Chassis Control
IOS-XRv 64-bit Orchestration Protocol (ICCP)
Enterprise Network Segmentation over the WAN
The Building Blocks – Example Technologies
Device WAN Segmentation Device

Partitioning Interconnect Pooling
WAN Si Si
VLAN Virtual Sw System (VSS)

VRF L2 VPNs L3 VPNs
Virtual Port Channel (vPC)
VXLAN EVPN/VxLAN MPLS BGP L3 VPN HSRP/GLBP
VDC (NX-OS) PW/VPLS L3 VPN over IP Stackwise
(Virtual Device Context)
OTV BGP EVPN (VXLAN, SR) Inter-Chassis Control Protocol
Cloud Services Router (CSR) (ICCP)
IOS-XRv 64-bit VXLAN to MPLS Integration
Concepts
WAN Designs
Backbone Designs
for L3 VPN Segmentation over the
WAN
in L3 Segmentation
Deployment Options for
Private IP VPN
WAN Segmentation Models
• Self Deployed MPLS Backbone
Supporting MPLS BGP IP VPN
Services WAN
• Self deployed MPLS BGP IP VPNs

“over the top” of an SP Offered VPN LAN LAN
transport
Self Deployed MPLS Backbone
Self Deployed BGP MPLS IP VPN Backbone (RFC 4364)
• Customer manages and owns: BGP MPLS IP VPN Backbone

• PE, P, CE, all links for interconnect
CE
• IP routing, provisioning, transport Branch
Site
• L2/L3 VPN, TE, QoS SLA E2Eservice P
CE
Campus
portfolio Branch
P DC
PE P PE
Site
• Customer controls service “turn up” CE Customer Owned IP/MPLS
pace, Allows full control Backbone
• Requires more expertise on the

operations team Customer Owned Domain
• Examples: MPLS core/edge,

Segment Routing (MPLS/SRv6)
SP Offered IP VPN Transport Service (MPLS)
Private IP VPN Service for Enterprise Remote Site Connectivity
• CE Routers owned by customer
SP Managed “IP VPN” Transport
• PE Routers owned by SP
• Customer “peers” to “PE” via IP CE SP Managed Domain
Site 1
• No labels are exchanged with SP PE
L3 VPN CE
SP advertises customer routes
Service Site 3
• PE Provider PE
Site 2
network wide reachability
CE IP Routing Peer
• Requires no management of the (BGP, Static)
core infrastructure by customer Customer Owned Customer Owned

Domain Domain
• Limits customers on control of
services
* No Labels Are Exchanged with the SP
“Our rapid change of network requirements can
no longer wait 30-60 days for our service
provider to modify our segmentation [VRF]
requests. We need this change management
to be in minutes not days or weeks.”
Fortune 50 CIO
Private MPLS VPN ”over the top” of SP Offered
IP VPN Transport owns CE
CE SP Managed Domain
Site 1
L3 VPN CE
Service Site 3
PE Provider PE
Site 2
CE IP Routing Peer
(BGP, Static, IGP)
Customer Customer
Managed Domain Managed Domain
VRF’s
SP Offered “IP VPN” Transport
• CE customer owned, PE provider
owned Extend L3 VRF Segmentation “Over the Top”
• Customer enables “PE ”

functionality (BGP/OMP) on the CE Site 1
CE SP Managed Domain
Customer Routing done “Over the CE

L3 VPN
• Service Site 3
Top” of the SP Site 2 PE Provider PE
CE
• MPLS over GRE allows use of IP Routing Peer
(BGP, Static, IGP)
IPSec encryption
Customer Customer
• Scalable Solution Examples: Managed Domain
VRF’s
Managed Domain
• Cisco SD-WAN (Viptela), MPLS VPN

over mGRE, MPLS VPN over DMVPN * VPN Labels Exchanged between “CE” Devices, NOT SP
SDN WAN Deployment Options
Segmentation Domain
Enterprise SD-WAN Backbone SD-WAN

SDN SDN
Controller/Mgmt Controller/Mgmt
Branch Branch CE
Site Site
SP MPLS
CE CE
Campus P Campus
DC P DC
Branch Internet CE Branch PE PE
Site Site P
CE CE
Managed Domain Managed Domain Managed Domain

Overlay Encap
• Targets enterprise customers looking to • Targets Service Provider “like” customers who
consume secure WAN transport, with central need to control SLA’s, rapid service turn up,
mgmt., control, and application visibility more granular service options (SR-TE)
• Cisco SD-WAN, MPLS VPN over IP (open • SR, SR-TE, Centralized WAN controller
controller or tools for automation
#CLMEL © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
Concepts
WAN Designs
• Evolution and Trends for Self
Deployed MPLS Backbone Designs
for L3 VPN Segmentation over the
WAN
in L3 Segmentation
Self Deployed MPLS
Backbone
1. Self Deployed MPLS Backbone -

Supporting MPLS BGP IP VPN WAN
Services
2. Self deployed MPLS BGP IP VPNs

“over the top” of an SP Offered VPN
LAN LAN
transport
Key Fundamentals of
the Next Gen CORE
Network Backbone
BRKRST-2045
MPLS: The WAN Service Enabler

• L3 VPN Services
• BGP VPN (RFC 4364), VPN over IP, Inter-AS, 6vPE
• L2 VPN Services - PW, VPLS, E-VPN

• Traffic Engineering - Explicit Path Routing
• Traffic Engineering, disjoint paths, attributes for best path (latency, packet loss)
• Optimisation of bandwidth, shift to Segment Routing TE (SR-TE)
• Bandwidth Protection Services - LFA, TI-LFA (IP FRR), MPLS TE FRR

• IP Multicast (per VPN/VRF, Rosen, LSM, BIER)
• Interworking with new solutions – VXLAN  L2/L3 VPN
• Leverage Segment Routing for Next-Gen Scale, Central Control, optimised services
• Offers an “SD-MPLS” solution moving forward
Key Trends and Drivers to Next Gen Backbone
✔ Simplified Core Backbone (Segment Routing)
✔ Support Massive Scale, High Availability (Multi-Planar Design)
✔ Incorporating automation, model-driven API’s, orchestration, and NFV
✔ Leverage Co-Location Facilities, Create “Cloud Edge” close proximity to apps
✔ Extend QoS and best path selection, beyond link cost (latency, jitter, loss, app)
✔ Leveragereal-time model-driven telemetry collection for ML/AI benefits (security,
optimised network operations (AIOps) )
✔ Support line-rate encryption (100/400G) transparent to network protocols
✔ Support new transitions – 400G, Massive Devices (IoT), 5G core requirements,
Application routing
BRKRST-2045
Example: Orchestrated Network Optimization

• The Problem: When congestion happens, operator has to jump through multiple systems
before eventually running the optimization to remove the hotspot.
• The Solution: With service orchestration through NSO and close-loop path computation with
WAE, operator can execute network optimization through a single pane of glass.
• The Value: Faster MTTR to issues and increase customer satisfaction with quick response.
1. EPNM monitors the network and provides

alerts when KPI is out of policy
2. Operator invokes optimization service that
will request WAE to compute an optimized
path based on current network state
3. WAE will compute and provide the
optimization outcome to NSO service, which
evaluates result based on defined business
logic
4. NSO orchestrates deployment to the
network.
5. EPNM discovers the changes from the
network.
Summary of Goals and Targets - Next Gen
Architecture
• High availability (5 9s+)
• Fast converging (targeting now < .5 sec)
• Low latency (<50ms) and low jitter for real time communication services
• Unicast and multicast traffic (Layer 2 or Layer 3)
• Ultra-High Scalability (thousands to 100,000+ nodes, global scale)
• Converged applications on a shared network
• Traffic Engineering as needed
• Fault-domain isolation and service segmentation
• Greater Efficiency (higher average utilisation)
• Secure and Programmable Infrastructure
• Maintenance with little to no customer impact
BRKSPG-2535 – Next Gen Network Architectures – Cisco Live Barcelona
Concepts
WAN Designs
• Evolution and Trends for Self
Deployed MPLS Backbone Designs
in L3 Segmentation
Private IP VPN
“Over the Top”
Solution Options
MPLS VPN over IP…
Simplifying MPLS VPN over IP - RFC 4797 + RFC 4364 + RFC 4023
• Customer may not control the WAN transport Between MPLS networks
• Cannot depend on “end to end” label forwarding for transport
• Customer requires encryption for their PE to PE MPLS traffic
• No native MPLS encryption exists today, must leverage IP
• MPLS over IP allows MPLS VPN solutions to leverage cost effective IP
transport
In Summary, the Implementation Strategy Described Enables the Deployment of

BGP/MPLS IP VPN Technology in Networks Whose Edge Devices are MPLS and
VPN Aware, But Whose Interior Devices Are Not (Source: RFC 4797)
Common Use Cases for MPLS over IP
• State, country or Global based MPLS VPN where transport option is IP only
• The ”business requirement” mandates segmentation (refer to L3

segmentation use cases)
• Wants MPLS VPN but also requires encryption
• Stitch MPLS VPN’s over non MPLS (labeled) transport
• L3 Manages Services (managed CPE over L3 VPN transport)
• Campus and/or DC networks require ”policy” extension over the WAN
• Cisco SD-Access = VN / Cisco ACI = VRF / Cisco SD-WAN = VPN
• Security focused customer leverages proprietary encryption devices
• Targets customers (enterprise/govt/managed-SP) that desire quick on-

demand control of the L3 VPN Segmentation
Primary Components – VPN over IP
• Segmentation component
• Virtual Route Forwarding Instance (VRF)
• Control Plane component
• MP-BGP (RFC 4364), Overlay Management Protocol (OMP), NHRP (for DMVPN)
• Data Plane component
• MPLS over GRE/IP-UDP (RFC 4023)
• Service Support of Each Solution: QoS, IPv6 (selective), Encryption, Multicast, etc…
CP: MP-BGP
DP: MPLS over IP (GRE/UDP)
1. Self Deployed MPLS Backbone: Supporting
MPLS BGP IP VPN Services
WAN
2. Self deployed L3 VPNs: “Over the top” of SP

Offered transport
A. MPLS VPN over mGRE / DMVPN
LAN LAN
B. Cisco SD-WAN (Viptela)
MPLS VPN over Multi
Point GRE (mGRE)
GitHub Repo Location
https://github.com/netwrkr95/mpls-
mgre-configs
• Offers MPLS-VPN over IP SP Managed “IP VPN” Service
• Inherit spoke-to-spoke communications MP-BGP VPNv4
• Uses standard RFC 4364 MP-BGP CE

Site 1
control plane
• Uses standard MPLS over GRE data L3 VPN CE
plane Service
Provider
Site 3
PE PE
Site 2
• Offers dynamic Tunnel Endpoint next- CE
hop via BGP
• Requires only a single IP address for VRF’s Customer
transport over SP network Managed Domain
• Reduces configuration: Requires No mGRE Interface

LDP, No GRE configuration setup
GRE any-to-any
MPLS VPN over mGRE Model
mGRE Interface is Dynamic and De-coupled from Physical Interfaces
• System dynamically configures mGRE tunnel (via tunnel profile)

• mGRE tunnel is decoupled from physical interface
• User traffic is in VRF/VPNv4 of mGRE payload (hidden from provider)
• Only a single IP address (source GRE/BGP-source) advertised to provider
Source IP Address of
• VRF, RD, RT mGRE tunnel advertised
to provider network
WAN to
To user Campus/DC
Gold Provider
networks with VRF mGRE SP WAN
segmentation (802.1Q, Interface Transport
port, etc…) Global
PHY
Blue
• VRF, RD, RT Interface
Logical mGRE interface

de-coupled from a
physical interface
MPLS VPN over Multipoint GRE (mGRE)
Feature Components PE2 2 iBGP PE3 4 View for PE 4
172.16.255.2 172.16.255.3 Tunnel Endpoint DB
1 PE4 172.16.255.1
PE1 IP Transport
172.16.255.1 172.16.255.2
172.16.255.4
172.16.255.3
3 PE6 172.16.255.5
PE5
172.16.255.6 172.16.255.5 172.16.255.6
1 mGRE is a multipoint bi-directional GRE tunnel

Control Plane leverages RFC 4364 using MP-BGP Multipoint GRE
2 Interface
Signalling VPNv4 routes, VPN labels, and building IP next hop (locally)
3 VPNv4 label (VRF) and VPN payload is carried in mGRE tunnel encapsulation
 New encapsulation profile (see next slide) in CLI offers dynamic endpoint discovery:
4 (1) Sets IP encapsulation for next-hop
(2) Installs signaled BGP peer and end-point into “tunnel endpoint database”
VPNv4 Configuration Example
mGRE
PE1 PE4
IPv4 CE2
CE1 Transport Lo0: 10.0.0.4 eBGP

eBGP Lo0: 10.0.0.1
Example for PE4

interface Loopback0
ip address 10.0.0.4 255.255.255.255
!
l3vpn encapsulation ip Cisco Sets mGRE Encapsulation
transport ipv4 source Loopback0 “Profile” for BGP Next-Hop
!
router bgp 100
. . .
address-family vpnv4
neighbor 10.0.0.1 activate Apply Route-Map to Received
neighbor 10.0.0.1 send-community extended
neighbor 10.0.0.1 route-map next-hop-TED in Advertisement from Remote iBGP
exit-address-family Neighbour
. . .
!
route-map next-hop-TED permit 10 Use IP Encap (GRE) for Next-Hop and
set ip next-hop encapsulate l3vpn Cisco Install Prefix in VPN Table as
Connected IP Tunnel Interface
IPv6 (VPNv6) Configuration Example
mGRE
2001:db8::2 /64
PE1 PE4
IPv4 Cloud E 1/0
CE2
CE1
eBGP Lo0: 10.0.0.1 Lo0: 10.0.0.4 eBGP
Example for PE4

interface Ethernet 1/0 NOTE: Relevant MPLS VPN over mGRE
vrf forwarding green Commands That Are Same for IPv4, Are Not
ip address 209.165.200.253 255.255.255.224 Shown in This IPv6 Example
ipv6 address 2001:db8:: /64 eui-64
!
router bgp 100
. . . IPv6 Address Applied to CE2
address-family vpnv6 Facing Interface
neighbor 10.0.0.1 activate
neighbor 10.0.0.1 send-community both
neighbor 10.0.0.1 route-map next-hop-TED in Apply Route-Map to Received
exit-address-family Advertisement from Remote iBGP
. . .
! Neighbour (Same as vpnv4)
route-map next-hop-TED permit 10
set ip next-hop encapsulate l3vpn Cisco
set ipv6 next-hop encapsulate l3vpn Cisco Use IP Encap (GRE) for Next-Hop and
Install IPv6 Prefix in VPNv6 Table as
Connected Tunnel Interface
GitHub Repo Location
https://github.com/netwrkr95/mpls-mgre-configs
Summary
• Simple:
• Only requires advertising a single IP prefix to SP for mGRE operation
• Dynamic Tunnel endpoint discovery is done via iBGP/route-map (no static GRE tunnel)
• Solution requires NO manual configuration of GRE tunnels. LDP NOT required!
• E-BGP can/is still be used for route exchange (mGRE end-point) with the SP
• Standards Based - Leverages standard MP-BGP control plane (RFC 4364)
• Flexible - Supports MVPN and IPv6 per MPLS VPN model (MDT and 6vPE respectfully)
• Multi-platform support:
- ASR 1000 series, ISR/G2, ISR 4xxx, SUP-2T, Cloud Services Router (CSR)
• Supports Inter-AS VPN, Multicast VPN (MVPN), standard QoS/H-QoS
• Supports IPSec for PE-PE encryption (GET VPN or manual SA)
• Scales to 2000 PE’s with ASR 1000 series
Configuration Examples on Github:
https://github.com/netwrkr95/mpls-mgre-configs
http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns431/ns658/white_paper_c11-726689.pdf
Layer 3 Segmentation
Using Cisco SD-WAN
Aligning WAN Capabilities with Shift to
Why SD-WAN? Simpler Ops, Agile Transport, optimise
forwarding to Cloud Apps
Enable Control on Customer Owned Edge
Broadband MPLS 4G/LTE
WAN Application
Flexibility Bandwidth ZERO TOUCH ZERO TRUST
Requirements
SECURE WAN FABRIC
SOFTWARE DEFINED: True separation of control, data
and management – central policy, route ctrl, provisioning
Simplified Disjointed
Operations Security
CLOUD: Cloud hosted and delivered
Requirements APPLICATION AWARE: Visibility & forwarding based on
application location and hosted service (XaaS)
SCALE AND FLEXIBILITY: True enterprise scale, ZTP
Cloud Time
Consumption To Capability SECURITY: Ingrained authentication, encryption,
segmentation, access controls & service chaining
OPEN: Automation, orchestration, best-of-breed integration
VISIBILITY: SD-WAN fabric analytics visibility, local/cloud
Cisco SD-WAN (Viptela) Architecture
ANALYTICS
Orchestration Plane
MANAGEMENT
vBond
API
ORCHESTRATION 3rd Party

Applications Management Plane
vManage
CONTROL
INTERNET MPLS 4G Control Plane
vSmart
Data Plane
Data Centre Campus Branch Home Office
vEdge
Deep Dive: BRKRST-2668

Application SLA Aware Routing
 vEdge Routers vManage App Aware Routing Policy
continuously perform path App A path must have:
Latency < 150ms
liveliness and quality Loss < 2%
measurements Jitter < 10ms
Internet
Remote Site
MPLS Regional
Path 2 Data Centre
4G LTE
Path1: 10ms, 0% loss, 5ms jitter

IPSec Tunnel
Cisco Software Defined
WAN (SD-WAN) for L3
Segmentation
Cisco SD-WAN (Viptela) L3 VPN Segmentation
IF IF MPLS • VPN 0: Transport (locked)
• VPN 512: Mgmt (locked)
Service Transport
• VPN n: open user VPN
(VPN n) (VPN0)
IF IF INET
Management
• VPNs enabler is VRF’s, each VRF having its
(VPN512)
own forwarding table
IF • vEdge router allocates label to each of it’s
service VPNs and advertises it as route
attribute in OMP updates
- VPN Labels used to identify customer VPN in
the incoming packets
Secure Segmentation
End-to-End Segmentation
VPN 1
Interface VPN1 SD-WAN VPN1 Interface
IPSec VPN 2
VLAN VPN2 Tunnel VPN2 VLAN
VPN 3
Ingress Egress
vEdge vEdge
IP UDP ESP VPN Data

20 8 36 4 …
• Segment connectivity across fabric w/o • Labels are used to identify VPN for
reliance on underlay transport destination route lookup
• vEdge routers maintain per-VPN routing • Interfaces and sub-interfaces (802.1Q
table tags) are mapped into VPNs
Cisco SD-WAN (Viptela) L3 Segmentation
Per L3 VPN Topology and Mapping
 Isolated virtual private networks across any transport  VPN isolation is carried over all transports
- https://tools.ietf.org/html/rfc4023
 VPN mapping is based on physical vEdge Router
interface, 802.1Q VLAN tag or a mix of both
IF Site 1
IF VPN
Transports
A
Transports
IF
VPN 802.1q
B
IF
VPN
C
802.1q Data Centre
Site 2 IPSec
IP UDP ESP VPN Data
20 8 36 4 …
Label
Per L3 VPN Topology (Examples)
Full-Mesh Hub-and-Spoke
• Each VPN can have it’s own topology

- Full-mesh, hub-and-spoke, partial-
mesh, point-to-point, etc…
VPN1 VPN2
• VPN topology is influenced by leveraging
control policies
- Filtering TLOCs or modifying next-hop
TLOC attribute for routes
Partial Mesh Point-to-Point
• Customer mission, business, and
applications can drive a certain topology:
• Applications in single cloud or on-
VPN3 VPN4 prem can benefit from hub-spoke
• voice takes full-mesh topology
• Security compliance - PCI data takes
hub-and-spoke topology
Cisco SD-WAN (Viptela) L3 VPN Segmentation
Example – Routing Table Output from vEdge CLI (vedge20)
VPN TLOC from the remote address

From the controller
Target Use Cases for SD-WAN Deployment
Use Cases
• Customer targeting WAN transport cost-reduction, leveraging Internet as a transport
• Customer applications distributed over different locations (public/private cloud) over
various transport (Internet/4G, private MPLS)
• Desires central management, orchestration, ZTP, integrated L3 segmentation
• Embraces DIA traffic steering for Internet-based SaaS (Office 365)
Common Requirements
• Per app (public/private/on-prem) destinations requiring more complex policies
• Embraces the SD-WAN architecture, complying to SD-WAN RFP’s
• Traffic forwarding policies desired based on transport SLA with app QoE
• Desires cloud-offered controller/management suite
Summary and
Positioning… What?
When? Where?
Summary of L3 VPN WAN Techniques
Strengths / Weaknesses to help evaluate decision criteria Excellent Option
SubOptimal Option
MPLS VPN o mGRE Cisco SD-WAN (Viptela)
R3
Bad Option
Routers only (no controller req)

Controller Based (central) routing
calculations
Native VPN Multicast (MVPN)
Application Awareness
Transport Agnostic (Internet)
Large Scale VRF (>64)
“SD-WAN” Requirement (RFP)
Per VPN Topology (p2p, mesh)
Summary
Enterprise WAN Layer 3
Segmentation Solutions
Enterprise WAN L3 Segmentation Solutions
Let’s Recap
• Fully understand the application and network service requirements needed
• Pace of Service turn-up times, transport available, operational expertise
• Self Deployed MPLS backbone target:
• larger-scale, TE required, L2 VPN, tight control
• Layer 3 Segmentation over IP:
• MPLS VPN over mGRE: simple MPLS VPN over IP, customer not ready for full-
blown SD-WAN yet
• Cisco SD-WAN: applications scattered across multiple locations (on-prem, public
cloud, SaaS), leverage Internet as transport, cloud managed controller interest
• Assure the solution chosen suits the operational skill set of the IT org
• Keep is simple whenever possible
Agenda
• Introduction - Network Segmentation Drivers and Concepts
• Defining Key Deployment Options and Transport for L3
Segmentation WAN Designs
• Evolution and Trends for Self Deployed MPLS Backbone Designs
• Technology Deep-Dive on Options for L3 VPN Segmentation over
IP
• “Innovations and Trends” Evolving in L3 Segmentation
• End to End WAN Design and Components (Summary of Session)
Evolving and Advanced Areas in L3
Segmentation in the WAN
• Cloud Ready Network Design and
Virtual DMZ
• Solutions for Extending L3 VPNs to
AWS using Cloud Services Router
(CSR)
• Enhanced High Speed Encryption
solutions for the WAN
• Leveraging automation in SD-WAN for
Centralised Application Enforcement
Moving to WAN Designs
that are Cloud Ready
Enterprise Network Designs
Employee Thing Vendor Partner Customer
• Majority of applications reside in

on-prem DC
• WAN designs typically align (hub Consumers
site resides at on-prem DC)
• Security DMZ typically co-
located with apps and internet
connectivity in the private on-
prem DC Providers
Private AWS Direct Connect Public

DC Azure ExpressRoute IaaS/SaaS
Internet
Enterprise Network Designs
Shift to Colocation Facility
Employee Thing Vendor Partner Customer
• Leverage CoLo to improve proximity to

cloud services; maintain application SLAs
• Single point to visualise and audit user-to-
app relationships
• Cost Savings
• Automation, PAG licensing, circuit CoLo and
bandwidth savings
• Placing DMZ in CoLo offers consistent
policy enforcement, security & telemetry
across multi-cloud Private Neutral Public
DC Facility IaaS/SaaS
Internet
Cloud Ready WAN Architecture
Extend WAN Hub and DMZ to Carrier Neutral Facility
SaaS
vManage
vSmart
Zones
Controllers
Employees
Co Lo Facility
Internet
Mobile
Cisco SD-
Workers MPLS WAN
4G/LTE IaaS
Virtual
Partners
Fabric vEdge  Move enterprise WAN Hub Site (vEdge or MPLS
PE) to a Carrier Neutral facility (e.g. Equinix)
Customers  Drives down circuit costs, reduces response time

for apps hosted in public cloud (SaaS/IaaS)
Example shows SD-WAN. Private  Offers direct cross-connect to multitude of cloud

MPLS backbone can also and internet services (AWS, Azure, Internet)
leverage this with PE/P in CoLo
 Option to host private ”DMZ” for security and
#CLMEL visibility to those
BRKRST-2045 services
© 2019 Cisco and/or its affiliates.to/from enterprise
All rights reserved. Cisco Public 113 110
Cisco Network Hub
Securely Connecting Users Cloud and Application Providers
Cisco vManage / vBond SaaS
Customers Security Agility & Performance Cost Savings

Private
Data Centre Central policy Rapid provisioning, Lower OpEx and
Network enforcement change control and CapEx through NFV.
AnyConnect Hub
Reduce circuit costs
scale-out architecture
Employees
Branch via NFV fabric. Speed of and number of
software with the circuits.
performance of
hardware.
Partners
Colocation /
DC
IaaS
Turn-key orchestration and
automation of enterprise
WAN Service-Chains!
Cisco Network Hub - Architecture Cisco vManage /
vBond
Network Hub Cluster ID: 1

Regional Colo/DC Service Group: SDWAN,
Firewall, Load-Balancer
Cisco CSP5444 #1 Policy: Set Next-Hop US

Colo
Application: Sites 1-5, VRF
10
Cisco CSP5444 #2
Regional
Cisco C9500-40
Colo/DC
Cisco C9500-40
Regional
Colo/DC
WAN
Fabric
Netconf Note: vManage / vBond
provide orchestration for the
Cisco Network Hub solution
and are required elements
even if the customer is not
running Viptela SD-WAN
Extending Enterprise
Layer 3 Segmentation
to Public Cloud
Connecting to Public Cloud
IPSec tunnel from DX / ER to Public
Internet connection Direct Connect to Public
DC Cloud through SP Cloud through co-locations
Branch
Branch
Branch
Branch
SP
SP Internet MPLS
Internet
Data Carrier PE
Center Colocation
Facility
DX / ER
Internet IPSec DX / ER
VPC/VNet VPC/VNet VPC/VNet VPC/VNet
IPsec Tunnel from MPLS carriers (L3 VPN carrier)

Internet only for DX/ER from the co-location
customer DC to the offers DX/ER as SP Managed
connectivity. to the cloud
cloud Service
Across regions, accounts/subscriptions
Transit VPC VPC
Shared
VPC
A
VPC
C
Services
• High Scale and Performance

…...
Spoke VPC
• High Availability: Redundant VPN
Tunnels with dynamic routing in a
multi-AZ deployment
• Enterprise class routing features in the

Transit VPC AZ1 AZ2
• Spoke VPC’s can leverage VGW or VPC Transit VPC
CSRs
Direct Connect
• Scale-out options allow more Or Internet Colocation
Facility
forwarding when needed on demand
ASR Other
• See BRKARC-2749 for more Private DC Provider
information (Past CL US Events) Hub Site Networks
Cloud onRamp for IaaS – Gateway VPC
Standard IPSec + BGP
BGP <-> OMP

AZ1
• Fully automated through
R
vManage wizard
VGW
AZ2
AZ1
IGW • Greatly simplifies brownfield
INET
Host VPC vEdge GW integration
MPLS
- No changes are required on
AZ2 VGW Direct host VPCs
vEdge GW Connect
AZ1 Gateway VPC

• Multipathing, segmentation,
R
QoS
VGW vManage instantiated and
AZ2 managed vManage • Fast failover
Host VPC - Speed of BGP convergence
AWS Region
Recommended Sessions: BRKRST-2669 Cloud Ready SD-WAN | BRKCLD-3440 – Multicloud Networking

Extending Layer 3 Segmentation to Public Cloud
vManage/vSmart
BGP <-> OMP

AZ1
R
VGW
AZ2 IGW Enterprise Network
AZ1 INET
Host VPC vEdge GW Melbourne
AZ2
vEdge GW
VGW Direct
Connect
MPLS
?
AZ1 Gateway VPC
R Enterprise Network
VGW Perth
AZ2
Host VPC
AWS Region
Tenant/Mission 1
Tenant/Mission 2
Extending Layer 3 Segmentation to Public Cloud
vManage/vSmart
BGP <-> OMP

AZ1
R
VGW
AZ2 IGW Enterprise Network
AZ1 INET
Host VPC vEdge GW Melbourne
MPLS
AZ2 VGW Direct

vEdge GW Connect
AZ1 Gateway VPC

R Cisco SD-WAN Enterprise Network
VGW Virtual Fabric Perth
AZ2
Host VPC
AWS Region  Extend SD-WAN Fabric into the public cloud Tenant/Mission 1
 Transit VPC is “PE” from fabric to Host VPC
 Inter-VRF done through policy (or FW) but stays in region Tenant/Mission 2
High Speed Encryption
Innovations
Link Speeds Out-Pacing IP Encryption
• Bandwidth application requirements out-
pacing IP encryption capabilities
• Bi-directional and packet sizes further
impact encryption performance
• IPSec engines dictate aggregate
performance of the platform (much lower
link throughput)
BW • Cost per bit for IPSec much more
Link speed = Encryption Engine
expensive
time • Encryption must align with link speed
(100G+) to support next-generation
applications
Link Speed
IPSec Encryption Speed
What is MAC Security (MACsec)?
Hop-by-Hop Encryption via IEEE802.1AE
• Hop-by-Hop Encryption model

-Packets are decrypted on ingress port
-Packets are in the clear in the device
-Packets are encrypted on egress port Decrypt at
Ingress
Encrypt at
Egress
01101001010001001 01101001010001001
• Supports 1/10G, 40G, 100G encryption speeds 128bit AES GCM Encryption
01101001000110001001001000
everything in clear
• Data plane (IEEE 802.1AE) and control plane (IEEE through the router
802.1x-Rev) MACsec PHY
• Transparent to IPv4/v6, MPLS, multicast, routing
• Encryption aligns with Link PHY speed (Ethernet)

128/256 bit AES GCM Encryption 128/256 bit AES GCM Encryption
01001010001001001000101001001110101 011010010001100010010010001010010011101010 01101001010001001
Encrypted Encrypted
Segment Segment
What is “WAN MACsec?
MKA Session
Service Provider
Owned Routers/Bridges
Data Data
Centre Public Carrier Centre
Ethernet
Service Central
Remote
Campus/DC Campus/DC
• Leverage MACsec over “public” standard Ethernet transport

MACsec MKA Session
• Optimise MACsec + WAN features to accommodate running over
public Ethernet transport MACsec Secured Path / MKA
Session
• Target “line-rate” encryption for high-speed applications MACsec Capable Router
• Inter DC, MPLS WAN links, massive data projects MACsec Capable PHY
Targets 100G, but support 1/10/40G as well

SP Owned Ethernet
• Transport Device
What is “WAN” MACsec?
New Enhancements to 802.1AE for WAN/Metro-E Transport
• AES-256 (AES/GCM) support – 1/10/40 and 100G rates

• Target Next Generation Encryption (NGE) profile that currently leverages public NSA Suite B
• Standards Based MKA key framework
• (defined in 802.1X-2010) within Cisco security development (Cisco “NGE”)
• Ability to support 802.1Q tags in clear
• Offset 802.1Q tags in clear before encryption (2 tags is optional)
• Vital Network Features to Interoperate over Public Carrier Ethernet Providers
• 802.1Q tag in the clear
• Ability to change MKA EAPoL Destination Address type
• Ability to change MKA Ether-type value
• Ability to configure Anti-replay window sizes
• System Interoperability
• Create a common MACsec integration among all MACsec platforms in Cisco and Open Standards
WAN MACsec Use Cases
Most Common Use Cases Leveraging WAN MACsec in the Enterprise
• 10GE  100GE High speed Site to Site E-LINE / E-LAN - Point to Multipoint
Branch n
• Campus, WAN, DCDC, Metro E
Branch 2
• Data Centre Interconnect
• High Speed replication and storage transfers Carrier
Ethernet
• IP/MPLS core/edge links (PE–P, P–P, PE–PE) Service
• MPLS labels, VPN, Segment Routing is transparent to
MACsec encryption Branch 1 Central
Site
• No GRE, simple. Encryption = Link BW
• High Speed hub-and-spoke
E-LINE - Point to Point
• Leverage low-cost/high-speed Metro E transport
• Simple configuration, no GRE tunnels Carrier
Ethernet
• Hybrid Encryption Design Options
Service
• Ability to leverage BOTH MACsec and IPSec at various Central Central

network points Site / DC 1 Site / DC 2
Hierarchical “Hybrid” MACsec + IPSec Design
CSR MACsec IPsec
High Throughput Encryption + Lower Scale Sites Lower Throughput Encryption + High Scale Sites
Co Lo Facility Regional IPsec Sites
Hub 1 Branch
Branch
Internet
Carrier Ethernet Service Branch
Enterprise
IPsec
Network Branch
Internet Branch
Regional Branch
MPLS WAN Hub 2

MACsec (WAN MACsec) MACsec
Metro E
IPsec Branch
Regional
Hub 3 + DC
• “Hybrid” design option for mix of scale, performance, leveraging Ethernet services
• MACsec: Backbone/Core – Targets Higher BW, Lower Number of Sites
• IPSec: Branch/back-haul – Targets Lower BW, high number of sites, cloud (CSR)
(Subject to change)
Cisco MACsec Portfolio (Summarised Version)

Platform Series MACsec Delivery MACsec Speed (AES-
256)
ISR 4xxx Series • 1p / 2p Ethernet NIM • 1 GE
ASR 1000 Series • Fixed and Modular solutions • 1GE, 10GE, * 100GE
ASR 9000 Series • Modular Line Cards • 10GE, 40GE, 100GE
Nexus 7700 Series ** • Modular M3 Series Card • 1/10GE, 40GE, 100GE
Nexus 9000 Series • Fixed and Modular solutions • 10GE, 40GE, 100GE
Optical NCS Series • Client ports • 10GE, 40GE, 100GE
Catalyst Switching • Multiple Platforms C3850, Cat9K, Cat4K • 1GE, 10GE, 40GE
Catalyst Switching ** • Cat 6K • 1GE, 10GE
** Currently does NOT support MKA key negotiation (SAP only)

* Target Roadmap Capability
External Resources (GitHub)
https://github.com/netwrkr95
• Ansible – MACsec Keychain Examples
• Ansible WAN MACsec Playbook and Configs (https://git.io/vQUR3 )
• YANG Models – MACsec Keychain Examples (Using YDK)
• MACsec Key Chain Configuration applications (https://git.io/vH7uD )
• What is YDK? (https://developer.cisco.com/site/ydk/ )
• Ansible Module Using YANG Models with YDK
• Ansible + YDK app (https://git.io/vH7XZ )
Previous WAN MACsec Sessions at Cisco Live (CL 365)
BRKRST-2309 – Introduction to WAN MACsec
http://www.cisco.com/c/dam/en/us/td/docs/solutions/Enterprise/Security/MACsec/WP-High-Speed-WAN-Encrypt-MACsec.pdf
Leveraging Automation
for Simplifying Network
Operations
SDN Approach? Offer IT Organisations Choices
Prescriptive Turn-key SDN “Open” Programmable Solutions “Open” Programmable
Solutions with Cisco HW Solutions for Multi-Vendor
Prescriptive Solution “Do it Yourself” Solution
NSO vManage Cisco NSO YANG

WAE vSmart Models YDK
Cisco DNA XTC ACI
Center
• Examples: • Examples: • Examples:
• ACI (DC) • Network Service Orch • Same as Column #2

• SD-Access (campus/Branch) • YANG Models (native, open) +
• SD-WAN (Cisco SD-WAN • Python (protocol libraries)
(Viptela)/Meraki) • REST, RESTCONF • IP/MPLS / Segment Routing
• SP WAN (NSO, WAE, XTC) • Other Tools: Ansible, Puppet, • E-VPN (BGP) / VXLAN
• NFV – SP / Enterprise Chef, etc… • OpenFlow
Demo
Leveraging Cisco SD-WAN
Centralised Policy Enforcement
for Rapid Security Vulnerability
Mitigation
Use Case – Remote Trigger Black-Hole Concept
Challenge
• The ability to rapidly block/rate-limit different traffic types in the WAN
• per box CLI does not scale and increases the “time to react”
• Suspected Vulnerabilities could be anomalies (infected) detected via third-
party tools/applications
• Controlling Non-business applications also of interest (NCAA basketball
during March Madness )
#CLMEL Presentation ID © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 173
Use Case
Solution Options
• Leverage the centralized control point (vSmart) to push policy enforcement
• Centralized pushing of “match” and “action” policy that blocks or strictly
polices a specific application and/or DSCP marking
• Offer the ability for operators to leverage the GUI
• Additionally, offer API’s that allow same capability, allowing 3rd party
applications, or open source tools (Ansible, Python, etc.) to trigger the
enforcement
#CLMEL Presentation ID © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 174
Option
Demo - Dynamic Application Control
2
• vManage 18.3 1
• REST API’s on vManage

GET
• Postman for REST API Testing PUT vManage
POST MANAGEMENT
• Ansible (2.6.12) and Python
3
vSmart
Demo
1. Use vManage
2. REST API (using Postman) Policies Policies
3. REST API (using Ansible-playbook,

custom Ansible module (Python)
vEdge 10 vEdge 20
Option
Demo - Dynamic Application Control
policy
2
data-policy _VPN-99-List_RTBH-Spor_508995825 1
vpn-list VPN-99-List
sequence 1
match
app-list Suspect_Video_Apps GET
! PUT vManage
action drop POST MANAGEMENT
count Blocked-Video_347240515
log
3
! vSmart
!
default-action drop
!
…
Policies Policies
lists
app-list Suspect_Video_Apps
app foxsports
app cbs_video Modify in active policy
!
vEdge 10 vEdge 20
site-list ALL-VPN-99-Router-List
External Resources (GitHub)
https://github.com/netwrkr95
Ansible Playooks – Automate MPLS VPN VRF Deployments
• Ansible VRF Creation and Deployment Playbook (https://github.com/netwrkr95/ansible-mpls-
vpn
Ansible Playbooks – MACsec Keychain Examples

• Ansible WAN MACsec Playbook and Configs (https://git.io/vQUR3 )
YANG Models – MACsec Keychain Examples (Using YDK)

• MACsec Key Chain Configuration applications (https://git.io/vH7uD )
• What is YDK? (https://developer.cisco.com/site/ydk/ )
Ansible Module Using YANG Models with YDK

• Ansible + YDK app (https://git.io/vH7XZ )
DevNet
https://developer.cisco.com
Summary – Key
Takeaways…
WAN Segmentation - Key Takeaways
• Understanding topology, traffic patterns, VRFs, scale… is vital to choosing the
“optimal” Segmentation WAN solution (self-deployed, over-the-top)
• Existing L3 VPN solutions exist, but SD-WAN offers intelligent path control and
future intelligence needed as apps are located in diversified locations
• Consider the transition options of WAN design usage of CoLo (Equinix) as a key
cloud ready WAN architecture component
• L3 Segmentation solutions must be able to extend to public cloud, and
leveraging API’s, as more enterprise apps move to public cloud
• Embrace areas where automation and programmability can be leveraged to
simplify, and innovate, in operations and deployment
• Leverage WAN MACsec for high-speed encryption where applicable
• Leverage the technology, but ALWAYS “Keep it Simple” when possible 
Q&A
#CLMEL
Complete Your Online Session Evaluation
• Give us your feedback and receive
a complimentary Cisco Live 2019
Power Bank after completing the
overall event evaluation and 5
session evaluations.
• All evaluations can be completed
via the Cisco Live Melbourne
Mobile App.
• Don’t forget: Cisco Live sessions
will be available for viewing on
demand after the event at:
https://ciscolive.cisco.com/on-demand-
library/ #CLMEL © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Thank you
#CLMEL
#CLMEL

BRKRST 2045

Uploaded by

Copyright:

Available Formats

You might also like

BRKRST 2045

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BRKRST 2045

Uploaded by

Copyright:

Available Formats

#CLMEL

1. Current drivers and needs for Layer 3 segmentation

• It has evolved a long way from technologies like TDM (1960’s)

• From TDM, ATM/FR Virtual Circuits in the WAN, to…

• VLANs in the Campus, to… Logical/Virtual Routers on routing devices, to…

• Virtual Machines on server clusters in the Data Centre VPP/

• End-user perspective does not change

• Maintains Hierarchy, Virtualises devices, data paths, and services

Internal Separation (sales, eng) Merged Company Guest Access Network

Virtual Network Virtual Network Virtual Network

Actual Physical Infrastructure

• Multi-Tenant Dwelling requiring Separation

• Security for Isolation

• Regulation requirements - Health Care – HIPPA | Financial and Transactional – Sarbanes-

• Public Cloud and Key Component of Policy Construct

“Virtualising” the Extending and Maintaining the “Virtualising”

Device WAN Segmentation Device

VLAN Virtual Sw System (VSS)

• Self deployed MPLS BGP IP VPNs

• Customer manages and owns: BGP MPLS IP VPN Backbone

• Requires more expertise on the

• Examples: MPLS core/edge,

core infrastructure by customer Customer Owned Customer Owned

• Customer enables “PE ”

Customer Routing done “Over the CE

• Cisco SD-WAN (Viptela), MPLS VPN

Enterprise SD-WAN Backbone SD-WAN

Managed Domain Managed Domain Managed Domain

1. Self Deployed MPLS Backbone -

2. Self deployed MPLS BGP IP VPNs

MPLS: The WAN Service Enabler

• L2 VPN Services - PW, VPLS, E-VPN

• Bandwidth Protection Services - LFA, TI-LFA (IP FRR), MPLS TE FRR

Example: Orchestrated Network Optimization

1. EPNM monitors the network and provides

In Summary, the Implementation Strategy Described Enables the Deployment of

• The ”business requirement” mandates segmentation (refer to L3

• Targets customers (enterprise/govt/managed-SP) that desire quick on-

2. Self deployed L3 VPNs: “Over the top” of SP

• Uses standard RFC 4364 MP-BGP CE

• Reduces configuration: Requires No mGRE Interface

• System dynamically configures mGRE tunnel (via tunnel profile)

Logical mGRE interface

1 mGRE is a multipoint bi-directional GRE tunnel

CE1 Transport Lo0: 10.0.0.4 eBGP

Example for PE4

Example for PE4

ORCHESTRATION 3rd Party

INTERNET MPLS 4G Control Plane

Deep Dive: BRKRST-2668

Path1: 10ms, 0% loss, 5ms jitter

IP UDP ESP VPN Data

• Each VPN can have it’s own topology

VPN TLOC from the remote address

Routers only (no controller req)

Transport Agnostic (Internet)

Large Scale VRF (>64)

“SD-WAN” Requirement (RFP)