Global vision.

Local knowledge.
Cisco Connect Dubrovnik
Croatia • 28.03.2019
Cisco SD-WAN
Delivering Cisco Next Generation SD-WAN with Viptela

Vedran Franjić
System Engineer Sales
28.03.2019
Agenda
• Introduction
• SD-WAN architecture
• SD-WAN fabric
• Deployment options
• Use Cases
• Licensing
Introduction
The WAN Has Changed
Slide diagram: the traditional WAN, where branch users reach the Data Center and the Internet over MPLS, beside today's WAN, where branch users, devices and things reach the Data Center, Multi-Cloud and SaaS over MPLS and Internet (INET) transports.
Traditional and Legacy Architectures Cannot Scale to Address Changing Needs
• EXPENSIVE
• POORLY INTEGRATED
- Conflicting policies and configurations
- Risk from accidental interactions and vulnerabilities
• DIFFICULT TO SUPPORT
- Device-by-device configurations
- Complex management silos
- Require slow truck rolls for changes
• CONNECTIVITY-CENTRIC
- Incomplete user experience
- Not application-centric
• INFLEXIBLE
- Static network
SD-WAN Architecture
Cisco SD-WAN Architecture Overview
• Orchestration = vBond Orchestrator (PnP)
• Management = vManage (Multi-tenant or Dedicated), vManage APIs, vAnalytics
• Control Plane = vSmart (Containers or VMs)
• Data Plane = WAN Edge (vEdge, Cisco ISR/ASR/ENCS, Whitebox)
Slide diagram: WAN Edge routers at Data Center, Campus, Branch, SOHO and Cloud sites connect over 4G/LTE, Internet and MPLS transports to the controllers.
vBond is SD-WAN Orchestrator
• Orchestrates connectivity between management, control and data plane
• Serves as the first point of authentication
• Requires public IP Address, provides NAT-T
• All other components need to know the vBond IP or FQDN
• Authorizes all control connections (white-list model)
vManage is NMS for SD-WAN
• Single-tenant or Multitenant
• Single pane of glass for Day 0, Day 1 and Day 2 operations
• Enables centralized provisioning and simplifies changes
• Supports REST API, CLI, Syslog, SNMP, NETCONF
• Provides real time alerting
• Role Based Access Control
vSmart is Centralized Control Plane
• Implements control plane policies, such as service chaining, traffic engineering and per-VPN topology
• Reduces complexity of the entire network
• Establishes peering with all WAN Edges, distributes connectivity and security context
WAN Edge is your SD-WAN Data Plane
• Provides secure data plane with remote WAN Edge routers
• Establishes secure control plane with vSmart controllers
• Implements data plane and application aware routing policies
• Exports performance statistics
• Physical or Virtual form factor
Operations
Simplicity and Visibility
vManage – Single Pane Of Glass Operations
• Cloud-first management and orchestration
• Zero-touch provisioning
vAnalytics – Rich Analytics
• Troubleshooting with simplified workflows
• Advanced analytics and assurance
SD-WAN Fabric
Unified Control Plane
• Overlay Management Protocol (OMP)
• Runs between WAN Edge routers and vSmart controllers and between the vSmart controllers
- Inside authenticated TLS/DTLS connections
• Advertises control plane context and policies
• Dramatically lowers control plane complexity and raises overall solution scale
Slide diagram: SD-WAN (each WAN Edge peers with vSmart controllers, O(n) Control Complexity) VS Traditional (WAN Edges peer with each other, O(n^2) Control Complexity)
Note: WAN Edge routers need not connect to all vSmart Controllers
Data Plane Establishment
• Routes and encryption keys are advertised to vSmarts in OMP updates
• vSmarts advertise routes and encryption keys to WAN Edges in OMP updates
• SD-WAN fabric: IPsec between tunnel endpoints, across the MPLS and INET transports
Advertised by each WAN Edge:
- Local Routes: Local prefixes (OSPF/BGP); SD-WAN tunnel endpoints (TLOCs)
- Security Context: IPSec Encryption Keys
Fabric Routing: <prefix> via Transport Locator (TLOC)
Slide legend: OMP, IPSec Tunnel


Data Plane Liveliness and Quality
• Bidirectional Forwarding Detection (BFD)
• Path liveliness and quality measurement
- Up/Down, loss/latency/jitter, IPSec tunnel MTU
• Runs between all WAN Edge routers in the topology
- Inside SD-WAN tunnels
- Across all transports
- Operates in echo mode
- Automatically invoked at SD-WAN tunnel establishment
- Cannot be disabled
• Uses hello (up/down) interval, poll (app-aware) interval and multiplier for detection
- Fully customizable per-WAN Edge, per-transport
Common Data Plane Communication
Slide diagram: four forwarding modes, each shown over MPLS and INET transports
• Per-Session Load Sharing: Active/Active; Default; Configurable
• Per-Session Weighted: Active/Active; Device Policy; Enforced
• Application Pinning: Active/Standby; Policy; Enforced
• Application Aware Routing: SLA Compliant (SLA shown on each transport)
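The two slides above describe BFD probing per tunnel and application-aware routing that keeps an application on an SLA-compliant transport. The following Python block is an added example, not Cisco code or anything from this presentation: it derives loss, latency and jitter from constructed BFD echo samples, declares a path down after `multiplier` consecutive missed hellos, and then steers a constructed "voice" SLA class off a preferred transport that misses the SLA. The probe values, the `VOICE_SLA` thresholds, the transport names and the `multiplier` default are all assumptions made for the example.

```python
"""BFD-style path quality measurement and SLA-compliant path selection.

Added example (not Cisco code) of the mechanism on the slides above: BFD
echo hellos per tunnel, loss/latency/jitter derived from them, a path
declared down after `multiplier` missed hellos, and application-aware
routing that moves an application off a transport that misses its SLA.
All probe samples, thresholds and transport names are constructed here.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Constructed probe results: one entry per BFD hello sent over a tunnel.
# A number is the measured round-trip time in ms; None means the echo was lost.
PROBES: Dict[str, List[Optional[float]]] = {
    "mpls": [21.0, 22.0, 20.5, 23.0, 21.5, 22.5, 21.0, 22.0, 20.0, 21.5],
    "inet": [35.0, None, 80.0, 38.0, None, 120.0, 41.0, 36.0, None, 90.0],
}

# Constructed SLA class for a latency-sensitive (voice-like) application.
VOICE_SLA: Dict[str, float] = {"loss": 2.0, "latency": 100.0, "jitter": 30.0}


@dataclass
class PathQuality:
    loss_pct: float
    latency_ms: float
    jitter_ms: float


def measure(samples: List[Optional[float]]) -> PathQuality:
    """Loss, mean latency and jitter (mean |delta| between consecutive RTTs)."""
    total = len(samples)
    good = [s for s in samples if s is not None]
    if not good:
        return PathQuality(100.0, float("inf"), float("inf"))
    loss = 100.0 * (total - len(good)) / total
    latency = mean(good)
    deltas = [abs(a - b) for a, b in zip(good, good[1:])]
    jitter = mean(deltas) if deltas else 0.0
    return PathQuality(round(loss, 2), round(latency, 2), round(jitter, 2))


def path_down(samples: List[Optional[float]], multiplier: int) -> bool:
    """BFD declares the path down after `multiplier` consecutive missed hellos."""
    run = 0
    for s in samples:
        run = run + 1 if s is None else 0
        if run >= multiplier:
            return True
    return False


def detection_time_ms(hello_ms: int, multiplier: int) -> int:
    """Worst-case time to notice a dead path: hello interval times multiplier."""
    return hello_ms * multiplier


def sla_compliant(q: PathQuality, sla: Dict[str, float]) -> bool:
    return (q.loss_pct <= sla["loss"]
            and q.latency_ms <= sla["latency"]
            and q.jitter_ms <= sla["jitter"])


def choose_path(probes: Dict[str, List[Optional[float]]],
                sla: Dict[str, float],
                preferred: List[str],
                multiplier: int = 3) -> Tuple[Optional[str], Optional[PathQuality]]:
    """Pick the first preferred transport that is up and meets the SLA.

    If none complies, fall back to the best of the live transports (lowest
    loss, then latency) rather than dropping the traffic."""
    quality = {t: measure(s) for t, s in probes.items()}
    live = [t for t in preferred
            if t in probes and not path_down(probes[t], multiplier)]
    for t in live:
        if sla_compliant(quality[t], sla):
            return t, quality[t]
    if not live:
        return None, None
    best = min(live, key=lambda t: (quality[t].loss_pct, quality[t].latency_ms))
    return best, quality[best]


if __name__ == "__main__":
    for name, samples in PROBES.items():
        state = "down" if path_down(samples, 3) else "up"
        print(f"{name}: {measure(samples)} ({state})")
    # Internet is preferred for this constructed app but misses the loss SLA,
    # so the application is steered onto MPLS.
    print("chosen:", choose_path(PROBES, VOICE_SLA, preferred=["inet", "mpls"]))
```

The constructed Internet samples lose three of ten hellos, so the path stays up (no three misses in a row) but fails the 2% loss SLA; the selection therefore lands on MPLS even though Internet was listed first. `detection_time_ms` makes explicit that the hello interval and multiplier from the BFD slide together set how long a dead tunnel can go unnoticed.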
SD-AVC
Slide diagram (Cloud onRamp for SaaS with SD-AVC):
1. SD-AVC Controller learns O365 IP Networks
2. vManage distributes O365 IP Networks to the branch cEdge routers
3. Branch cEdge performs first-packet match of O365
4. Branch cEdge first-packet steers O365
• SD-AVC Controller:
- Application Signatures updates
- Connectors to external service (O365)
- Custom-app definition
Elements: Application Rule Pack Update, SD-AVC Sensor Data, NBAR2 Agent on each cEdge
Deployment options
Controllers’ Deployment Models
• Cisco Cloud Ops deploy vManage, vSmart and vBond in the Cisco Cloud
• MSP Ops Team deploy vManage, vSmart and vBond in the MSP Cloud
• Enterprise IT deploy vManage, vSmart and vBond in a Private Cloud
Deploying Controllers – Options
• On-Premise/SP Hosted: vBond, vManage, vSmart, vSmart as VMs on ESXi or KVM, on a Physical Server
• Cloud Hosted: vBond, vManage, vSmart, vSmart on AWS or Azure, as VM or Container
Controller Scale
vManage:
• Validated Scale: 2,000 Devices per-single instance
• Max Production Deployment: 6 vManage instances in a cluster

vSmart:
• Validated Scale: 5,400 Connections per-single vSmart
• Max Production Deployment: 20 vSmarts

vBond:
• Validated Scale: 1,500 Connections per-single vBond
• Max Production Deployment: 6 vBonds
SD-WAN Transition Strategy
Slide diagram: three stages between Site A and Site B, both connected to MPLS and Internet
• Stage 1: Non-SDWAN routers at both sites
• Stage 2: SDWAN routers at Site A, Non-SDWAN at Site B
• Stage 3: SDWAN routers at both sites, joined by an SD-WAN Fabric Secure Tunnel
High Availability and Redundancy
• Site Redundancy: VRRP (MPLS, INET)
• Transport Redundancy: OSPF/BGP (MPLS, INET)
• Network/Headend Redundancy: Data Center (MPLS, INET)
• Control Redundancy: vSmart Controllers
Slide diagram: Control and Data paths between the Data Center and the Site over MPLS and INET
Cisco SD-WAN Platform Options
SD-WAN with Services:
• ISR 1000: Next-gen Performance, Flexibility
• ISR 4000: Modular, Integrated services
• ASR 1000: High-performance
Pureplay SD-WAN:
• vEdge 100 (100 Mbps): 4G LTE & WiFi
• vEdge 1000 (1 Gbps): Fixed
• vEdge 2000 (10 Gbps): Modular
• vEdge 5000: 20+ Gbps, Modular, with redundancy
Virtualization: ENCS 5100, ENCS 5400; Public and Private Clouds
Use Cases
Common Enterprise Deployment Use Cases
• Critical Application SLA
• MultiCloud onRamp for IaaS and SaaS
• SD-WAN Security
• Zero Touch Provisioning
• Regional Deployment
Critical Applications SLA
Application Aware Routing
Forward Error Correction (FEC)
• Protects against packet loss
• Protocol (TCP/UDP) agnostic
• Supports multiple transports
• Can be invoked dynamically
Slide diagram: the Sender XORs data packets 1, 2, 3, 4 into a parity packet P, sends them with an FEC Header over the SD-WAN Tunnel, and the Receiver rebuilds the block (4 3 2 1) from the packets that arrive
Packet Duplication
• Protects against packet loss
• Protocol (TCP/UDP) agnostic
• Operates over multiple transports
Slide diagram: the Sender copies each packet (D D) onto two SD-WAN Tunnels and the Receiver delivers 1, 2, 3, 4 in order
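The FEC slide above shows four data packets and one XOR parity packet P crossing the tunnel. The following Python block is an added example, not Cisco code or any part of this presentation: it implements the XOR parity scheme the slide sketches, so the receiver can rebuild any single lost packet of a block and reports a gap when two are lost. The packet payloads, the FEC header fields (`block`, `idx`, `lens`), the `BLOCK_SIZE` of four and the lossy channel are all constructed for the example.

```python
"""XOR parity FEC over an SD-WAN tunnel, as sketched on the FEC slide.

Added example, not Cisco code: the sender groups four data packets into a
block and adds a fifth parity packet P = d1 ^ d2 ^ d3 ^ d4 (padded to the
longest packet). The receiver rebuilds any single lost packet of a block
from the other three plus P; two losses in one block are not recoverable.
The packet contents, the FEC header layout and the lossy channel are all
constructed here.
"""
from typing import Dict, List, Optional, Set, Tuple

BLOCK_SIZE = 4  # data packets per FEC block, matching the slide's 1..4 + P


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(pkt: bytes, length: int) -> bytes:
    return pkt + b"\x00" * (length - len(pkt))


def fec_encode(packets: List[bytes]) -> List[Dict]:
    """Return the on-wire sequence: each data packet carries a (constructed)
    FEC header with block id and index; one parity packet closes each block
    and records the original packet lengths so a repaired packet can be
    trimmed back to size."""
    wire: List[Dict] = []
    for start in range(0, len(packets), BLOCK_SIZE):
        block = packets[start:start + BLOCK_SIZE]
        block_id = start // BLOCK_SIZE
        size = max(len(p) for p in block)
        parity = b"\x00" * size
        for idx, p in enumerate(block):
            parity = xor_bytes(parity, pad(p, size))
            wire.append({"block": block_id, "idx": idx, "data": p})
        wire.append({"block": block_id, "idx": "P",
                     "lens": [len(p) for p in block], "data": parity})
    return wire


def lossy_channel(wire: List[Dict], drop: Set[Tuple[int, object]]) -> List[Dict]:
    """Constructed transport: drops the packets whose (block, idx) is in `drop`."""
    return [p for p in wire if (p["block"], p["idx"]) not in drop]


def fec_decode(received: List[Dict]) -> List[Optional[bytes]]:
    """Reassemble data packets in order, repairing at most one loss per block.
    Unrecoverable packets are returned as None so the caller can see the gap."""
    blocks: Dict[int, Dict] = {}
    for pkt in received:
        blocks.setdefault(pkt["block"], {})[pkt["idx"]] = pkt
    out: List[Optional[bytes]] = []
    for block_id in sorted(blocks):
        b = blocks[block_id]
        parity = b.get("P")
        # Without the parity packet we assume a full block (true in this example).
        n = len(parity["lens"]) if parity else BLOCK_SIZE
        missing = [i for i in range(n) if i not in b]
        if parity and len(missing) == 1:
            lost = missing[0]
            size = len(parity["data"])
            acc = parity["data"]
            for i in range(n):
                if i != lost:
                    acc = xor_bytes(acc, pad(b[i]["data"], size))
            # XOR of P with the three survivors yields the padded lost packet.
            b[lost] = {"data": acc[:parity["lens"][lost]]}
        out.extend(b[i]["data"] if i in b else None for i in range(n))
    return out


if __name__ == "__main__":
    pkts = [b"p1-voice", b"p2", b"p3-data!", b"p4xx"]  # constructed payloads
    wire = fec_encode(pkts)
    print("one loss, repaired:", fec_decode(lossy_channel(wire, {(0, 2)})) == pkts)
    print("two losses, gaps:", fec_decode(lossy_channel(wire, {(0, 1), (0, 2)})))
```

The XOR construction is what makes the parity packet cheap: one extra packet per four buys recovery of any one of them, which is why the slide pairs FEC with lossy transports and lets it be invoked dynamically. Losing the parity packet itself costs nothing, and losing two data packets of one block leaves two `None` entries, the case where packet duplication over a second tunnel would be the stronger (but bandwidth-doubling) option.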


MultiCloud onRamp for IaaS
Slide diagram:
• Using Marketplace (DIY): Compute VPC/VNET in the Cloud, reached from Data Center, Campus, Remote Site and Branch over the SD-WAN Fabric
• Fully Automated: Compute VPCs/VNETs behind a Gateway VPC/VNET in the Cloud, reached from Data Center, Campus, Remote Site and Branch over the SD-WAN Fabric
MultiCloud onRamp for SaaS
Slide diagram: Quality Probing of Loss/Latency toward SaaS over ISP1 and ISP2, from the Remote Site directly and via a Regional Hub/CoLo/DC reached over the SD-WAN Fabric and MPLS; paths with poor Loss/Latency are flagged (!)
Secure Branch - Firewall
Slide diagram: Branch/Campus with SD-WAN and APP Firewall/IPS/URL Filtering; Unified Access Security; Data Center/Private Cloud; Internet/SaaS and IaaS reached through Cisco Umbrella (Secure Internet GW); Home/Mobile users
Secure Segmentation
• Security Zoning
• Compliance
• Guest Wi-Fi
• Multi-Tenancy
• Extranet
Slide diagram: VPN 1, VPN 2 and VPN 3 carried between WAN Edge routers inside the SD-WAN IPSec Tunnel
Per-VPN Topology: Full-Mesh, Hub-and-Spoke, Partial Mesh, Point-to-Point
Branch – SD-WAN Security (AMP in 2019)
• Use case: Cloud and DIA – Firewall and DNS/web layer security for Direct Cloud Access to Cloud Applications
• Use Case: Industry Compliance – Firewall and IPS on the SD-WAN path to Data Center Applications (VPN1, Employee)
• Use Case: Guest Services – IPS and URL Filtering (VPN2, Guest)
Slide diagram: all three are managed from vManage
ZTP – New cEdge Appliance
Slide diagram: steps 1 to 5 between the new cEdge, the PnP Server and the Control and Policy Elements, ending with Full Registration and Configuration
Assumption:
• DHCP on Transport Side (WAN)
• DNS to resolve devicehelper.cisco.com*
* Factory default config
Regional deployment
Slide diagram: three regions, each with Public Internet, MPLS and INET transports
• Split: Full/Partial mesh
• Zagreb: Hub and spoke
• Osijek: Full/Partial mesh
Licensing
How to Choose?
1. Identify license tier (Cisco DNA Essentials, Cisco DNA Advantage, Cisco DNA Premier)
2. Select bandwidth
3. Pick license term
4. Choose on premises or cloud managed
5. Determine platform for future scale