Professional Documents
Culture Documents
BRKRST 2045
BRKRST 2045
BRKRST 2045
Advanced Technologies
and Concepts for
Extending L3 VPN Over
IP-based WAN Transport
Evolving Trends and Solutions for L3
Segmentation in the Enterprise
Craig Hill, Distinguished Systems Engineer
BRKRST-2045
@netwrkr95
#CLMEL
Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session
How
1 Open the Cisco Events Mobile App
2 Find your desired session in the “Session Scheduler”
3 Click “Join the Discussion”
4 Install Webex Teams or go directly to the team space
5 Enter messages/questions in the team space
cs.co/ciscolivebot#BRKRST-2045
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Goals of This Session…
• Provide you and understanding of:
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
• Introduction - Network
Agenda Segmentation Drivers and
Concepts
• Defining Key Deployment Options
and Transport for L3 Segmentation
WAN Designs
• Evolution and Trends for Core
Backbone Designs
• Technology Deep-Dive on Options
for L3 VPN Segmentation over IP
• “Innovations and Trends” Evolving
in L3 Segmentation
• End to End WAN Design and
Components (Summary of Session)
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
• Introduction - Network
Agenda Segmentation Drivers and
Concepts
• Defining Key Deployment Options
and Transport for L3 Segmentation
WAN Designs
• Evolution and Trends for Core
Backbone Designs
• Technology Deep-Dive on Options
for L3 VPN Segmentation over IP
• “Innovations and Trends” Evolving
in L3 Segmentation
• End to End WAN Design and
Components (Summary of Session)
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Evolution of “Network” Segmentation
…Means Many Things to Many People
Time 2019+
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
What Is Enterprise L3 “Network” Segmentation?
• Giving One physical network the ability to support multiple L3 virtual networks
WAN Segmentation
Segmentation on/of Interconnect Device
Device Pooling
WAN Si Si
Device Device
Partitioning Pooling
Si Si
VLANs
VRFs Virtual Sw System (VSS)
VNI (VXLAN) Virtual Port Channel (vPC)
VDC (NX-OS) HSRP/GLBP
(Virtual Device Context) Stackwise
Cloud Services Router (CSR) Router Virtual Network ASR 9000v/nV Clustering
ISRv Functions (VNF) w/ NFV Inter-Chassis Control
IOS-XRv 64-bit Orchestration Protocol (ICCP)
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
Enterprise Network Segmentation over the WAN
The Building Blocks – Example Technologies
WAN Si Si
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
• Introduction - Network
Agenda Segmentation Drivers and
Concepts
• Defining Key Deployment Options
and Transport for L3 Segmentation
WAN Designs
• Evolution and Trends for Core
Backbone Designs
• Technology Deep-Dive on Options
for L3 VPN Segmentation over the
WAN
• “Innovations and Trends” Evolving
in L3 Segmentation
• End to End WAN Design and
Components (Summary of Session)
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
Deployment Options for
Private IP VPN
WAN Segmentation Models
• Self Deployed MPLS Backbone
Supporting MPLS BGP IP VPN
Services WAN
transport
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
Self Deployed MPLS Backbone
Self Deployed BGP MPLS IP VPN Backbone (RFC 4364)
Fortune 50 CIO
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
Private MPLS VPN ”over the top” of SP Offered
IP VPN Transport owns CE
CE SP Managed Domain
Site 1
L3 VPN CE
Service Site 3
PE Provider PE
Site 2
CE IP Routing Peer
(BGP, Static, IGP)
Customer Customer
Managed Domain Managed Domain
VRF’s
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
Private MPLS VPN ”over the top” of SP Offered
IP VPN Transport owns CE
SP Offered “IP VPN” Transport
• CE customer owned, PE provider
owned Extend L3 VRF Segmentation “Over the Top”
CE
• MPLS over GRE allows use of IP Routing Peer
(BGP, Static, IGP)
IPSec encryption
Customer Customer
• Scalable Solution Examples: Managed Domain
VRF’s
Managed Domain
Branch Branch CE
Site Site
SP MPLS
CE CE
Campus P Campus
DC P DC
Branch Internet CE Branch PE PE
Site Site P
CE CE
• Targets enterprise customers looking to • Targets Service Provider “like” customers who
consume secure WAN transport, with central need to control SLA’s, rapid service turn up,
mgmt., control, and application visibility more granular service options (SR-TE)
• Cisco SD-WAN, MPLS VPN over IP (open • SR, SR-TE, Centralized WAN controller
controller or tools for automation
#CLMEL © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
• Introduction - Network
Agenda Segmentation Drivers and
Concepts
• Defining Key Deployment Options
and Transport for L3 Segmentation
WAN Designs
• Evolution and Trends for Self
Deployed MPLS Backbone Designs
• Technology Deep-Dive on Options
for L3 VPN Segmentation over the
WAN
• “Innovations and Trends” Evolving
in L3 Segmentation
• End to End WAN Design and
Components (Summary of Session)
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
Self Deployed MPLS
Backbone
WAN Segmentation Models
transport
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
Key Fundamentals of
the Next Gen CORE
Network Backbone
BRKRST-2045
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
Key Trends and Drivers to Next Gen Backbone
✔ Simplified Core Backbone (Segment Routing)
✔ Support Massive Scale, High Availability (Multi-Planar Design)
✔ Incorporating automation, model-driven API’s, orchestration, and NFV
✔ Leverage Co-Location Facilities, Create “Cloud Edge” close proximity to apps
✔ Extend QoS and best path selection, beyond link cost (latency, jitter, loss, app)
✔ Leveragereal-time model-driven telemetry collection for ML/AI benefits (security,
optimised network operations (AIOps) )
✔ Support line-rate encryption (100/400G) transparent to network protocols
✔ Support new transitions – 400G, Massive Devices (IoT), 5G core requirements,
Application routing
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
BRKRST-2045
• Customer may not control the WAN transport Between MPLS networks
• Cannot depend on “end to end” label forwarding for transport
• Customer requires encryption for their PE to PE MPLS traffic
• No native MPLS encryption exists today, must leverage IP
• MPLS over IP allows MPLS VPN solutions to leverage cost effective IP
transport
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
Primary Components – VPN over IP
• Segmentation component
• Virtual Route Forwarding Instance (VRF)
• Control Plane component
• MP-BGP (RFC 4364), Overlay Management Protocol (OMP), NHRP (for DMVPN)
• Data Plane component
• MPLS over GRE/IP-UDP (RFC 4023)
• Service Support of Each Solution: QoS, IPv6 (selective), Encryption, Multicast, etc…
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
WAN Segmentation Models
CP: MP-BGP
DP: MPLS over IP (GRE/UDP)
1. Self Deployed MPLS Backbone: Supporting
MPLS BGP IP VPN Services
WAN
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
MPLS VPN over Multi
Point GRE (mGRE)
GitHub Repo Location
https://github.com/netwrkr95/mpls-
mgre-configs
Private MPLS VPN ”over the top” of SP Offered
IP VPN Transport owns CE
• Offers MPLS-VPN over IP SP Managed “IP VPN” Service
• Inherit spoke-to-spoke communications MP-BGP VPNv4
WAN to
To user Campus/DC
Gold Provider
networks with VRF mGRE SP WAN
segmentation (802.1Q, Interface Transport
port, etc…) Global
PHY
Blue
• VRF, RD, RT Interface
3 VPNv4 label (VRF) and VPN payload is carried in mGRE tunnel encapsulation
New encapsulation profile (see next slide) in CLI offers dynamic endpoint discovery:
4 (1) Sets IP encapsulation for next-hop
(2) Installs signaled BGP peer and end-point into “tunnel endpoint database”
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
MPLS VPN over Multipoint GRE (mGRE)
VPNv4 Configuration Example
mGRE
PE1 PE4
IPv4 CE2
CE1
eBGP Lo0: 10.0.0.1 Lo0: 10.0.0.4 eBGP
Summary
MPLS VPN over Multipoint GRE (mGRE)
• Simple:
• Only requires advertising a single IP prefix to SP for mGRE operation
• Dynamic Tunnel endpoint discovery is done via iBGP/route-map (no static GRE tunnel)
• Solution requires NO manual configuration of GRE tunnels. LDP NOT required!
• E-BGP can/is still be used for route exchange (mGRE end-point) with the SP
• Standards Based - Leverages standard MP-BGP control plane (RFC 4364)
• Flexible - Supports MVPN and IPv6 per MPLS VPN model (MDT and 6vPE respectfully)
• Multi-platform support:
- ASR 1000 series, ISR/G2, ISR 4xxx, SUP-2T, Cloud Services Router (CSR)
• Supports Inter-AS VPN, Multicast VPN (MVPN), standard QoS/H-QoS
• Supports IPSec for PE-PE encryption (GET VPN or manual SA)
• Scales to 2000 PE’s with ASR 1000 series
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 70
Configuration Examples on Github:
https://github.com/netwrkr95/mpls-mgre-configs
http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns431/ns658/white_paper_c11-726689.pdf
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
Layer 3 Segmentation
Using Cisco SD-WAN
Aligning WAN Capabilities with Shift to
Why SD-WAN? Simpler Ops, Agile Transport, optimise
forwarding to Cloud Apps
Enable Control on Customer Owned Edge
Broadband MPLS 4G/LTE
WAN Application
Flexibility Bandwidth ZERO TOUCH ZERO TRUST
Requirements
SECURE WAN FABRIC
SOFTWARE DEFINED: True separation of control, data
and management – central policy, route ctrl, provisioning
Simplified Disjointed
Operations Security
CLOUD: Cloud hosted and delivered
Requirements APPLICATION AWARE: Visibility & forwarding based on
application location and hosted service (XaaS)
SCALE AND FLEXIBILITY: True enterprise scale, ZTP
Cloud Time
Consumption To Capability SECURITY: Ingrained authentication, encryption,
segmentation, access controls & service chaining
OPEN: Automation, orchestration, best-of-breed integration
VISIBILITY: SD-WAN fabric analytics visibility, local/cloud
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 74
Cisco SD-WAN (Viptela) Architecture
ANALYTICS
Orchestration Plane
MANAGEMENT
vBond
API
vManage
CONTROL
vSmart
Data Plane
Data Centre Campus Branch Home Office
vEdge
Internet
Remote Site
MPLS Regional
Path 2 Data Centre
4G LTE
IF IF INET
Management
• VPNs enabler is VRF’s, each VRF having its
(VPN512)
own forwarding table
IF • vEdge router allocates label to each of it’s
service VPNs and advertises it as route
attribute in OMP updates
- VPN Labels used to identify customer VPN in
the incoming packets
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 85
Secure Segmentation
End-to-End Segmentation
VPN 1
Interface VPN1 SD-WAN VPN1 Interface
IPSec VPN 2
VLAN VPN2 Tunnel VPN2 VLAN
VPN 3
Ingress Egress
vEdge vEdge
• Segment connectivity across fabric w/o • Labels are used to identify VPN for
reliance on underlay transport destination route lookup
• vEdge routers maintain per-VPN routing • Interfaces and sub-interfaces (802.1Q
table tags) are mapped into VPNs
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 89
Cisco SD-WAN (Viptela) L3 Segmentation
Per L3 VPN Topology and Mapping
Isolated virtual private networks across any transport VPN isolation is carried over all transports
- https://tools.ietf.org/html/rfc4023
VPN mapping is based on physical vEdge Router
interface, 802.1Q VLAN tag or a mix of both
IF Site 1
IF VPN
Transports
A
Transports
IF
VPN 802.1q
B
IF
VPN
C
802.1q Data Centre
Site 2 IPSec
IP UDP ESP VPN Data
20 8 36 4 …
Label
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 88
Per L3 VPN Topology (Examples)
Full-Mesh Hub-and-Spoke
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 89
Cisco SD-WAN (Viptela) L3 VPN Segmentation
Example – Routing Table Output from vEdge CLI (vedge20)
SubOptimal Option
MPLS VPN o mGRE Cisco SD-WAN (Viptela)
R3
Bad Option
Application Awareness
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 98
Summary
Enterprise WAN Layer 3
Segmentation Solutions
Enterprise WAN L3 Segmentation Solutions
Let’s Recap
• Fully understand the application and network service requirements needed
• Pace of Service turn-up times, transport available, operational expertise
• Self Deployed MPLS backbone target:
• larger-scale, TE required, L2 VPN, tight control
• Layer 3 Segmentation over IP:
• MPLS VPN over mGRE: simple MPLS VPN over IP, customer not ready for full-
blown SD-WAN yet
• Cisco SD-WAN: applications scattered across multiple locations (on-prem, public
cloud, SaaS), leverage Internet as transport, cloud managed controller interest
• Assure the solution chosen suits the operational skill set of the IT org
• Keep is simple whenever possible
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 106
Agenda
• Introduction - Network Segmentation Drivers and Concepts
• Defining Key Deployment Options and Transport for L3
Segmentation WAN Designs
• Evolution and Trends for Self Deployed MPLS Backbone Designs
• Technology Deep-Dive on Options for L3 VPN Segmentation over
IP
• “Innovations and Trends” Evolving in L3 Segmentation
• End to End WAN Design and Components (Summary of Session)
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 107
Evolving and Advanced Areas in L3
Segmentation in the WAN
• Cloud Ready Network Design and
Virtual DMZ
• Solutions for Extending L3 VPNs to
AWS using Cloud Services Router
(CSR)
• Enhanced High Speed Encryption
solutions for the WAN
• Leveraging automation in SD-WAN for
Centralised Application Enforcement
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 108
Moving to WAN Designs
that are Cloud Ready
Enterprise Network Designs
Employee Thing Vendor Partner Customer
Internet
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 110
Enterprise Network Designs
Shift to Colocation Facility
Employee Thing Vendor Partner Customer
Internet
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 111
Cloud Ready WAN Architecture
Extend WAN Hub and DMZ to Carrier Neutral Facility
SaaS
vManage
vSmart
Zones
Controllers
Employees
Co Lo Facility
Internet
Mobile
Cisco SD-
Workers MPLS WAN
4G/LTE IaaS
Virtual
Partners
Fabric vEdge Move enterprise WAN Hub Site (vEdge or MPLS
PE) to a Carrier Neutral facility (e.g. Equinix)
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 117
Cisco Network Hub - Architecture Cisco vManage /
vBond
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 118
Extending Enterprise
Layer 3 Segmentation
to Public Cloud
Connecting to Public Cloud
IPSec tunnel from DX / ER to Public
Internet connection Direct Connect to Public
DC Cloud through SP Cloud through co-locations
Branch
Branch
Branch
Branch
SP
SP Internet MPLS
Internet
Data Carrier PE
Center Colocation
Facility
DX / ER
Internet IPSec DX / ER
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 122
Across regions, accounts/subscriptions
Transit VPC VPC
Shared
VPC
A
VPC
C
Services
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 123
Cloud onRamp for IaaS – Gateway VPC
Standard IPSec + BGP
VGW
AZ2 IGW Enterprise Network
AZ1 INET
Host VPC vEdge GW Melbourne
AZ2
vEdge GW
VGW Direct
Connect
MPLS
?
AZ1 Gateway VPC
R Enterprise Network
VGW Perth
AZ2
Host VPC
AWS Region
Tenant/Mission 1
Tenant/Mission 2
Extending Layer 3 Segmentation to Public Cloud
vManage/vSmart
Standard IPSec + BGP
VGW
AZ2 IGW Enterprise Network
AZ1 INET
Host VPC vEdge GW Melbourne
MPLS
Host VPC
AWS Region Extend SD-WAN Fabric into the public cloud Tenant/Mission 1
Transit VPC is “PE” from fabric to Host VPC
Inter-VRF done through policy (or FW) but stays in region Tenant/Mission 2
High Speed Encryption
Innovations
Link Speeds Out-Pacing IP Encryption
• Bandwidth application requirements out-
pacing IP encryption capabilities
• Bi-directional and packet sizes further
impact encryption performance
• IPSec engines dictate aggregate
performance of the platform (much lower
link throughput)
BW • Cost per bit for IPSec much more
Link speed = Encryption Engine
expensive
time • Encryption must align with link speed
(100G+) to support next-generation
applications
Link Speed
IPSec Encryption Speed
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 155
What is MAC Security (MACsec)?
Hop-by-Hop Encryption via IEEE802.1AE
01101001000110001001001000
everything in clear
• Data plane (IEEE 802.1AE) and control plane (IEEE through the router
Encrypted Encrypted
Segment Segment
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 156
What is “WAN MACsec?
MKA Session
Service Provider
Owned Routers/Bridges
Data Data
Centre Public Carrier Centre
Ethernet
Service Central
Remote
Campus/DC Campus/DC
• Inter DC, MPLS WAN links, massive data projects MACsec Capable PHY
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 157
What is “WAN” MACsec?
New Enhancements to 802.1AE for WAN/Metro-E Transport
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 158
WAN MACsec Use Cases
Most Common Use Cases Leveraging WAN MACsec in the Enterprise
• 10GE 100GE High speed Site to Site E-LINE / E-LAN - Point to Multipoint
Branch n
• Campus, WAN, DCDC, Metro E
Branch 2
• Data Centre Interconnect
• High Speed replication and storage transfers Carrier
Ethernet
• IP/MPLS core/edge links (PE–P, P–P, PE–PE) Service
• MPLS labels, VPN, Segment Routing is transparent to
MACsec encryption Branch 1 Central
Site
• No GRE, simple. Encryption = Link BW
• High Speed hub-and-spoke
E-LINE - Point to Point
• Leverage low-cost/high-speed Metro E transport
• Simple configuration, no GRE tunnels Carrier
Ethernet
• Hybrid Encryption Design Options
Service
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 160
Hierarchical “Hybrid” MACsec + IPSec Design
CSR MACsec IPsec
High Throughput Encryption + Lower Scale Sites Lower Throughput Encryption + High Scale Sites
Co Lo Facility Regional IPsec Sites
Hub 1 Branch
Branch
Internet
Carrier Ethernet Service Branch
Enterprise
IPsec
Network Branch
Internet Branch
Regional Branch
Regional
Hub 3 + DC
• “Hybrid” design option for mix of scale, performance, leveraging Ethernet services
• MACsec: Backbone/Core – Targets Higher BW, Lower Number of Sites
• IPSec: Branch/back-haul – Targets Lower BW, high number of sites, cloud (CSR)
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 161
(Subject to change)
ASR 1000 Series • Fixed and Modular solutions • 1GE, 10GE, * 100GE
Nexus 9000 Series • Fixed and Modular solutions • 10GE, 40GE, 100GE
Catalyst Switching • Multiple Platforms C3850, Cat9K, Cat4K • 1GE, 10GE, 40GE
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 165
Previous WAN MACsec Sessions at Cisco Live (CL 365)
http://www.cisco.com/c/dam/en/us/td/docs/solutions/Enterprise/Security/MACsec/WP-High-Speed-WAN-Encrypt-MACsec.pdf
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 166
Leveraging Automation
for Simplifying Network
Operations
SDN Approach? Offer IT Organisations Choices
Prescriptive Turn-key SDN “Open” Programmable Solutions “Open” Programmable
Solutions with Cisco HW Solutions for Multi-Vendor
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 169
Demo
Leveraging Cisco SD-WAN
Centralised Policy Enforcement
for Rapid Security Vulnerability
Mitigation
Use Case – Remote Trigger Black-Hole Concept
Challenge
• The ability to rapidly block/rate-limit different traffic types in the WAN
• per box CLI does not scale and increases the “time to react”
• Suspected Vulnerabilities could be anomalies (infected) detected via third-
party tools/applications
• Controlling Non-business applications also of interest (NCAA basketball
during March Madness )
#CLMEL Presentation ID © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 173
Use Case
Solution Options
• Leverage the centralized control point (vSmart) to push policy enforcement
• Centralized pushing of “match” and “action” policy that blocks or strictly
polices a specific application and/or DSCP marking
• Offer the ability for operators to leverage the GUI
• Additionally, offer API’s that allow same capability, allowing 3rd party
applications, or open source tools (Ansible, Python, etc.) to trigger the
enforcement
#CLMEL Presentation ID © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 174
Option
Demo - Dynamic Application Control
2
• vManage 18.3 1
Demo
1. Use vManage
2. REST API (using Postman) Policies Policies
#CLMEL © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 175
Option
Demo - Dynamic Application Control
policy
2
data-policy _VPN-99-List_RTBH-Spor_508995825 1
vpn-list VPN-99-List
sequence 1
match
app-list Suspect_Video_Apps GET
! PUT vManage
count Blocked-Video_347240515
log
3
! vSmart
!
default-action drop
!
…
Policies Policies
lists
app-list Suspect_Video_Apps
app foxsports
app cbs_video Modify in active policy
!
vEdge 10 vEdge 20
site-list ALL-VPN-99-Router-List
#CLMEL © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 176
External Resources (GitHub)
https://github.com/netwrkr95
Ansible Playooks – Automate MPLS VPN VRF Deployments
• Ansible VRF Creation and Deployment Playbook (https://github.com/netwrkr95/ansible-mpls-
vpn
https://developer.cisco.com
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 182
Summary – Key
Takeaways…
WAN Segmentation - Key Takeaways
• Understanding topology, traffic patterns, VRFs, scale… is vital to choosing the
“optimal” Segmentation WAN solution (self-deployed, over-the-top)
• Existing L3 VPN solutions exist, but SD-WAN offers intelligent path control and
future intelligence needed as apps are located in diversified locations
• Consider the transition options of WAN design usage of CoLo (Equinix) as a key
cloud ready WAN architecture component
• L3 Segmentation solutions must be able to extend to public cloud, and
leveraging API’s, as more enterprise apps move to public cloud
• Embrace areas where automation and programmability can be leveraged to
simplify, and innovate, in operations and deployment
• Leverage WAN MACsec for high-speed encryption where applicable
• Leverage the technology, but ALWAYS “Keep it Simple” when possible
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 186
Q&A
#CLMEL
#CLMEL BRKRST-2045 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 188
Complete Your Online Session Evaluation
• Give us your feedback and receive
a complimentary Cisco Live 2019
Power Bank after completing the
overall event evaluation and 5
session evaluations.
• All evaluations can be completed
via the Cisco Live Melbourne
Mobile App.
• Don’t forget: Cisco Live sessions
will be available for viewing on
demand after the event at:
https://ciscolive.cisco.com/on-demand-
library/ #CLMEL © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Thank you
#CLMEL
#CLMEL