Professional Documents
Culture Documents
BRKRST-2041-WAN Architectures and Design Principles
BRKRST-2041-WAN Architectures and Design Principles
Stephen Lynn
Consulting Systems Architect
stlynn@cisco.com
CCIE 5507 (R&S/WAN/Security)
CCDE 2013::56
@netw0rkStlynn
Cisco Spark
Questions?
Use Cisco Spark to communicate
with the speaker after the session
How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#BRKRST-2041
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
WAN Technologies & Solutions
• WAN Transport Technologies
• WAN Overlay Technologies
• WAN Optimization
• Wide Area Network Quality of Service
• WAN Extension into the Cloud
WAN Architecture Design
Considerations
• WAN Design and Best Practices
• SD-WAN
Summary
WAN Transport Technologies
The WAN Technology Continuum
Early Networking Early-Mid 1990s Mid 1990s-Late 2000s Today
Global Scale
Flat/Bridged Multiprotocol Large Scale
IP Ubiquity
Experimental Networks Business Enabling Mission Critical
Business Survival
DMVPN
X.25 Frame-Relay IPv6
Internet 4G/LTE
Protocol BGP GRE
1960 1980 2000 Future
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
Network Design Modularity East Theater
West Theater
Tier 1
Global
IP/MPLS Core
Tier 2
In-Theater
IP/MPLS Core
Internet
Cloud
Public Voice/Video Mobility
Tier 3
Metro Metro
Service Service
Private Public
IP IP
Service Service
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
Hierarchical Network Principle
Use hierarchy to manage network scalability and complexity
while reducing routing algorithm overhead
Hierarchical design used to be…
• Three routed layers
• Core, aggregation, access
• Only one hierarchical structure end-to-end
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
MPLS L3VPN Topology
Definition
Spoke
Site 1
Spoke Spoke
Site 2 Site Y Hub Site
(The Network)
SP-Managed Equivalent to
MPLS IP WAN
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
Virtual Routing and Forwarding Instance (VRF)
Provides Network Virtualization and Path Isolation
VRF VRF
VRF VRF
VRF VRF
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
Dual Carrier: Transit vs. Non Transit
To guarantee single homed site
reachability to a dual homed site
experiencing a failure, transit sites CE3 CE4
had to be elected. CE5
Prefix X Prefix Y
Prefix Z
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
Single vs. Dual Carriers
Single Provider Dual Providers
Pro: Common QoS support
Pro: More fault domains
model
Pro: More product offerings to
Pro: Only one carrier to “tune”
business
Pro: Ability to leverage vendors
Pro: Reduced head end circuits
for better pricing
Pro: Nice to have a second
Pro: Overall simpler design
vendor option
Con: Carrier failure could be Con: Increased Bandwidth
catastrophic “Paying for bandwidth twice”
Con: Do not have another Con: Increased overall design
carrier “in your pocket” complexity
Con: May be reduced to
“common denominator” between
carriers
Resiliency Drivers vs. Simplicity
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
Metro Ethernet Service (L2VPN)
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
MPLS (L3VPN) vs. Metro Ethernet (L2VPN)
MPLS Layer 3 Service MetroE Layer 2 Service
Routing protocol dependent on the Flexibility of routing protocol and
carrier network topology independent of
the carrier
Layer 3 capability depends on
carrier offering Customer manages layer 3 QoS
• QoS (4 classes/6 classes)
Capable of transport IP and
• IPv6 capability
non-IP traffic.
Transport IP protocol only Routing protocol determines
Highly scalable and ideal for large scalability in point-to-multipoint
network topology
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
WAN Overlay Technologies
Types of Overlay Service
GRE packet with new IP header: Protocol 47 (forwarded using new IP dst)
IP HDR GRE IP HDR IP Payload
20 bytes 4 bytes
2 bytes
IPSec Transport mode
ESP ESP
IP HDR ESP HDR IP Payload
Trailer Auth
20 bytes 30 bytes Encrypted
Authenticated
[ Who is www.cisco.com ] ?
DNS
DNS Name -to- IP
Host Server URL Resolution
[ Address is 153.16.5.29, 2610:D0:110C:1::3 ]
‒ LISP resolves locators for queried identities Answers the “WHERE IS” question
[ Where is 2610:D0:110C:1::3 ] ?
LISP LISP Map
LISP
Router System ID -to- Locator
Map Resolution
[ Locator is 128.107.81.169, 128.107.81.170 ]
Provider A Provider X
xTR-1 xTR-1
10.0.0.0/8 12.0.0.0/8
ETR ETR
ITR ITR
S ETR ETR
ITR ITR D
Provider B Provider Y
xTR-2 xTR-2
11.0.0.0/8 13.0.0.0/8
S ETR
11.0.0.2 13.0.0.2
ETR
ITR ITR D
Provider B Provider Y
xTR-2 xTR-2
11.0.0.0/8 13.0.0.0/8
1
DNS entry:
D.abc.com AAAA 2001:db8:2::1
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
LISP Use Cases Efficient Multi-Homing
IPv6 Transition
v6
PxTR
v4 v6
IPv4 Core IPv6
Internet
Internet
v6 service
xTR IPv4
Internet LISP LISP
v6 Site routers
VM VM
West East
DC a.b.c.1 a.b.c.1
DC
Multicast replication in
IP Multicast Multicast replication at hub Multicast replication at hub
IP WAN network
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
Dynamic Multipoint VPN (DMVPN)
Branch spoke sites establish an IPsec tunnel to and SECURE ON-DEMAND TUNNELS
register with the hub site
IP routing exchanges prefix information for each site ASR 1000
Hub
BGP or EIGRP are typically used for scalability
IPsec Branch n
With WAN interface IP address as the tunnel VPN ISR
source address, provider network does not need
to route customer internal IP prefixes ISR
ISR
Data traffic flows over the DMVPN tunnels Branch 1
Branch 2
When traffic flows between spoke sites, the hub
assists the spokes to establish a site-to-site tunnel Traditional Static Tunnels
Per-tunnel QOS is applied to prevent hub site DMVPN On-Demand Tunnels
Static Known IP Addresses
oversubscription to spoke sites
Dynamic Unknown IP Addresses
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
DMVPN – How it Works
Spokes build a dynamic permanent GRE/IPsec tunnel to the hub, Dual DMVPN Design
but not to other spokes. They register as clients of the NHRP Single mGRE tunnel on Hub,
two mGRE tunnels on Spokes
server (hub) and register their NBMA address
192.168.0.0/24
Active-Active redundancy model—two or more hubs per spoke
Physical: 172.17.0.5 Physical: 172.17.0.1
All configured hubs are active and are routing neighbors Tunnel0: 10.0.1.1 Tunnel0: 10.0.0.1
with spokes
Routing protocol routes are used to determine traffic forwarding Physical: (dynamic)
Tunnel0: 10.0.0.12
Tunnel1: 10.0.1.12
A spoke will initially send a packet to a destination (private)
subnet behind another spoke via the hub, and the hub will send it
an NHRP redirect.
The redirect triggers the spoke to send an NHRP query for the
data packet destination address behind the destination spoke .1
192.168.3.0/24
The destination spoke initiates a dynamic GRE/IPsec tunnel to the
source spoke (it now knows its NBMA address) and sends the Physical: (dynamic)
Tunnel0: 10.0.0.11
NHRP reply. Tunnel1: 10.0.1.11
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
DMVPN Network Designs
Spoke-to-hub tunnels
Spoke-to-spoke tunnels
2547oDMVPN tunnels
Increase in Scale
Hub and spoke Spoke-to-spoke VRF-lite
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
Any-to-Any Encryption
Before and After GETVPN
Public/Private WAN Private WAN
Before: IPSec P2P Tunnels After: Tunnel-Less VPN
WAN
Multicast
Group
Member
Group
Group Member Member
Encryption Devices
Route Between Secure/
Unsecure Regions Group
Multicast Participation Member
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
Group Security Elements
KS Cooperative
Key Servers
Group Policy Protocol
Group
Member
Group
Member
RFC3547RFC6407:
Group Domain of Group
Interpretation (GDOI) Member
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
GETVPN - Group Key Technology
Operation Example GM3
GM4
GM2
GM5
• KS pushes out replacement IPsec GM1
keys before current IPsec keys expire; GM6
This is called a “rekey”
GM9 KS
GM7
GM8 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
GETVPN Virtualization Deployment Model
GETVPN Segmented WAN
CE PE PE CE
MPLS VPN
CE PE PE CE
Market Transition – Ethernet WAN Transport © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
What is “WAN MACsec?
Secure Ethernet Link(s) over Public Ethernet Transport
MKA Session
Service Provider
Owned Routers/Bridges
Data Data
Center Public Carrier Center
Ethernet
Service Central
Remote
Campus/DC Campus/DC
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
What is “WAN” MACsec?
New Enhancements to 802.1AE for WAN/Metro-E Transport
• AES-256 (AES/GCM) support – 1/10/40 and 100G rates
• Target Next Generation Encryption (NGE) profile that currently leverages public NSA Suite B
• Standards Based MKA key framework
• (defined in 802.1X-2010) within Cisco security development (Cisco “NGE”)
• Ability to support 802.1Q tags in clear
• Offset 802.1Q tags in clear before encryption (2 tags is optional)
• Vital Network Features to Interoperate over Public Carrier Ethernet Providers
• 802.1Q tag in the clear
• Ability to change MKA EAPoL Destination Address type
• Ability to change MKA Ether-type value
• Ability to configure Anti-replay window sizes
• System Interoperability
• Create a common MACsec integration among all MACsec platforms in Cisco and Open Standards
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
MACsec Deployment Model
Ring Topology P-t-P E-LINE
IPv4/v6 P-t-MP E-LAN IPv4/v6
IPv4/v6 IPv4/v6 CE2
CE4IPv4/v6 CE3
Ethernet Sub-interface with IPv4/v6
IPv4/v6 IPv4/v6 802.1q support
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
WAN Optimization
The WAN Is the Barrier to Branch
Application Performance
Applications are
designed to work
Round Trip Time ~ 0ms
well on LAN’s
• High bandwidth
• Low latency
Client LAN Switch Server
• Reliability
WANs have
opposite Round Trip Time ~ Many milliseconds
characteristics
• Low bandwidth
• High latency LAN
Client WAN LAN Switch Server
• Packet loss Switch
Window Packet loss Packet loss Packet loss Packet loss TCP
Size
WAN
Window Scaling
LAN TCP Large Initial Windows LAN TCP
Behavior Congestion Mgmt Behavior
Improved Retransmit
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
WAAS Advanced Compression
DRE and LZ Manage Bandwidth Utilization
Benefits
•Session-based compression
• Application-agnostic compression
Persistent LZ Compression •Up
• Uptoto10:1 compression
100:1 compression
•Works
• WAASeven4.4: during
Contextcold DREDRE
Aware cache
LZ WAN LZ
DRE DRE
Synchronized
Compression
History
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
Comparing TCP and Transport
Flow Optimization
Window TFO
Size
TCP
Bandwidth per Call SD/VC has the Same HD/VC has Tighter Traffic patterns for
Depends on Codec, Requirements as Requirements than Data Vary Among
Sampling-Rate, VoIP, but Has VoIP in terms of jitter, Applications
and Layer 2 Media Radically Different and BW varies based
Traffic Patterns on the resolutions
Latency ≤ 150 ms (BW Varies Greatly) Data Classes:
Jitter ≤ 30 ms
Latency ≤ 150 ms Latency ≤ 200 ms Mission-Critical Apps
Loss ≤ 1%
Jitter ≤ 30 ms Jitter ≤ 20 ms Transactional/Interactive Apps
Bandwidth (30-128Kbps) Bulk Data Apps
Loss ≤ 0.05% Loss ≤ 0.10%
One-Way Requirements Best Effort Apps (Default)
Bandwidth (1Mbps) Bandwidth (5.5-16Mbps)
One-Way Requirements One-Way Requirements
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 48
policy-map WAN
class VOICE
Scheduling Tools priority percent 10
class VIDEO
LLQ/CBWFQ Subsystems priority percent 23
class CRITICAL-DATA
IOS Interface Buffers bandwidth percent 15
random-detect dscp-based
class DATA
1 Mbps
VoIP bandwidth percent 19
Policer random-detect dscp-based
LLQ class SCAVENGER
5 Mbps
RT-Interactive bandwidth percent 5
Policer class NETWORK-CRITICAL
bandwidth percent 3
service-policy MARK-BGP
class class-default
Packets
bandwidth percent 25
Packets random-detect Out
In
CBWFQ
Scheduler
Tx-Ring
CBWFQ
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
Traffic Shaping
Traffic Shaping Limits the Transmit Rate to a Value Lower Than Line Rate
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
GRE/IPSec QoS Consideration
ToS Byte Preservation
ToS
the new IP Header IP HDR IP Payloaad
GRE Tunnel
GRE
ToS
ToS
IP HDR HDR
IP HDR IP Payload
ToS
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
WAN Extension into the Cloud
Cloud Migration Trend
Secure Agile Exchange at Colocations Facilities
Cloud
SaaS
Customers Secure Agile
Exchange Customers
Colocation
Centers
Private
Secure Agile Data Center
Employees Exchange
Employees
Partners DMZ
Applications Partners Public Cloud
Private
Data Center
Internet Cisco
ISR/ASR
VGW
Private
Network
Colocation Facility
Cisco
ISR/ASR
CSR 1000V
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
AWS Virtual Private Cloud (VPC) Overview
Represents logically isolated network
Separate IP range, Subnet, Routes, and
Security
Overlap IP address allowed
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
Inter-VPN Design using Transit VPCs with CSR1000v
End to end routings between
App VPC Shared Services VPC 3rd Party VPC
VPCs in all regions and other
none AWS network
Used for hierarchical designs VGW
VPC
• Scaling beyond VPC peering peering
limits VPC
peering
• Security/Monitoring Services in
Transit VPC
Availability Availability
Zone 1 Zone 2
Redundant CSRs for HA and Transit VPC
fast convergence
Direct
Can use VRFs to resolve Connect
Corporate Network/DC
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
Transit VPC to Interconnect AWS Regions
AZ 1 AZ 2
Transit VPC
US-West-2 AZ 1 AZ 2
Transit VPC
US-East-2
Corporate Network/DC
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
WAN Architecture Design
and Best Practices
Cisco Validate Design
MPLS WAN Technology Design Guide
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
WAN Aggregation Reference Design
Campus/
Data Center
Data
Center/
Campus WAAS Service
WAN
Key
Services/
Servers
Distribution
VPN Termination
WAN Edge
MPLS A MPLS B
Internet
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 69
Routing Topology at WAN Aggregation
Campus/
Core Layer
Data Center
WAN Distribution
Layer EIGRP AS 100
Summaries+
Default
DMVPN Hub
Routers
EIGRP AS = 100 EIGRP AS = 100
iBGP EIGRP AS = 100
Internet Edge
eBGP
Layer 2 Internet
MPLS A MPLS B DMVPN 1 DMVPN 2
WAN
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
WAN Edge
Connection Methods Compared Recommended
Multi-Chassis
EtherChannel
VSS/3850
Stacks
Si Shared Si Si Layer 3 Si
WAN
WAN WAN
No Static Routes
No First Hop Redundancy Protocols
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 72
Optimize Convergence and Redundancy
Multi-chassis EtherChannel
VSS/3850
Stacks
Si Layer 3 Si
P-to-P Link
Channel
Member
Removed
IGP recalc
2 ECMP
MEC Max
sec of lost voice
1.5 VSS/3850
Stacks
1
0.5
0
1000 3000 6000 9000 12000
Number of Routes
Number of Routes - Sup720C
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Redundancy vs. Convergence Time
More Is Not Always Better
interacting systems
Seconds
Increasing parallel paths increases
routing complexity, therefore
increasing convergence times
0 Routes 10000
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 75
Best Practice —
Summarize at Service Distribution
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 76
Best Practice –
Preventing Routing Loops with Route Tag and Filter
Mutual route redistribution between protocols can
cause routing loops without preventative measures
IGP Domain
Use route-map to set tags and then redistribute (EIGRP/OSPF)
based on the tags
Routes are implicitly tagged when distributed from Campus
eBGP to EIGRP/OSPF with carrier AS
Use route-map to block re-learning of WAN routes
via the distribution layer (already known via iBGP)
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 80
MPLS + Internet WAN
Prefer the MPLS Path over Internet
Campus
MPLS A Internet
EIGRP
AS100
10.5.48.0/21
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 81
MPLS + Internet WAN
Use Autonomous System for IGP Path Differentiation
D EX 10.5.48.0/21 [170/28416] via 10.4.128.2
Campus
eBGP routes are redistributed into EIGRP 100 as
EIGRP
external routes with default Admin Distance 170
AS100
Running same EIGRP AS for both campus and
10.4.128.2 DMVPN network would result in Internet path preferred
over MPLS path
eBGP
eBGP
10.4.160.0/24
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 83
MPLS VPN BGP Path with IGP Backdoor Path
Campus
After link restore, MPLS CE router receives
EIGRP
BGP advertisement for remote-site route. AS100
eBGP
MPLS A Internet
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 84
For Your
Reference
BGP Route Selection Algorithm
BGP Prefers Path with:
1. Highest Weight
2. Highest Local Preference
3. Locally originated (via network or aggregate BGP)
4. Shortest AS_PATH
5. Lowest Origin type
IGP>EGP>INCOMPLETE (redistributed into BGP)
6. Lowest Multi-Exit Discriminator (MED)
7. Prefer Externals (eBGP over iBGP paths)
8. Lowest IGP metric to BGP next hop (exit point)
9. Lowest Router ID for exit point
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 85
BGP Prefers Path with Highest Weight
Routes redistributed into BGP are considered locally originated and get a default
weight of 32768
The eBGP learned prefix has default weight of 0
Path with highest weight is selected
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 86
Prefer the eBGP Path over IGP
Set the eBGP weight > 32768
To resolve this issue set the weights on route learned via eBGP peer higher
than 32768
neighbor 10.4.142.2 weight 35000
ASR1004-1#show ip route
....
B 10.4.160.0/24 [20/0] via 10.4.142.2, 05:00:06
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 87
Cisco SD-WAN
Cisco SD-WAN Solution Philosophy
Application Traffic Per-Segment Secure Cloud Cloud Transport
SLA Engineering Topologies Perimeter Path Accel Hub
Analytics
Application Policies
Delivery Platform
Operations
vBond MANAGEMENT
(Multi-tenant or Dedicated)
ORCHESTRATION
vManage
ANALYTICS
INTERNET MPLS 4G
vSmart
Data Plane
(Physical or Virtual)
3rd Party
vAnalytics Orchestrates connectivity
Automation
First point of authentication
vBond (white-list model)
Distributes list of vSmarts/
vSmart Controllers vManage to all vEdge routers
Requires public IP Address
MPLS 4G
[could be behind 1:1 NAT]
INET Facilitates NAT traversal
vEdge Routers
Highly resilient
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 91
Cisco SD-WAN Solution Elements
Management Plane Management Plane
vManage
Cisco vManage
APIs
Single pane of glass for Day0,
3rd Party
vAnalytics Day1 and Day2 operations
Automation
Multitenant with web scale
vBond Centralized provisioning
vSmart Controllers Policies and Templates
Troubleshooting and
4G Monitoring
MPLS
INET
Software upgrades
vEdge Routers GUI with RBAC
Programmatic interfaces
(REST, NETCONF)
Cloud Campus Branch SOHO
Data Center Highly resilient
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 92
Cisco SD-WAN Solution Elements
Control Plane Control Plane
vManage
Cisco vSmart
APIs
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 93
Cisco SD-WAN Solution Elements Data Plane
Physical/Virtual
Data Plane
vManage Cisco vEdge
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 94
Overlay Management Protocol (OMP)
Unified Control Plane
vSmart TCP based TLS/DTLS control plane protocol
Runs between vEdge routers and vSmart
controllers and between the vSmart controllers
Advertises control plane context, i.e. TLOCs,
unicast/multicast destinations, service routes (L4-
L7), BFD stats (TE and H-SDWAN) and Cloud
onRamp for SaaS probe stats (gateway)
vSmart vSmart
Distributes IPSec encryption keys, and data and
app-aware policies (embedded NETCONF)
VS
vEdge vEdge
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 96
Secure Segmentation
End-to-End Segmentation
VPN 1
Interface VPN1 SD-WAN VPN1 Interface
IPSec VPN 2
VLAN VPN2 Tunnel VPN2 VLAN
VPN 3
Ingress Egress
vEdge vEdge
• Segment connectivity across fabric w/o • Labels are used to identify VPN for
reliance on underlay transport destination route lookup
• vEdge routers maintain per-VPN routing • Interfaces and sub-interfaces (802.1Q tags)
table are mapped into VPNs
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 97
Fabric Operation Walk-Through
OMP Update:
OMP
vSmart Reachability – IP Subnets, TLOCs
Security – Encryption Keys
DTLS/TLS Tunnel
Policy – Data/App-route Policies
IPSec Tunnel
OMP OMP
BFD Update Update
Policies
OMP OMP
Update Update
TLOCs TLOCs
VPN1 VPN2 Transport 2 VPN1 VPN2
BGP, OSPF, BGP, OSPF,
Connected, Connected,
Static A B C D Static
Subnets Subnets
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 98
Cisco SD-WAN Migration Strategy
Gateway/DC Site Deployment Identify Gateway/DC Sites
providing connectivity between
BGP/OSPF SD-WAN and legacy sites
Legacy/MPLS Sites
SD-WAN Sites
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 100
SD-WAN TCP Maximum Segment Size Adjustment
Packet Fragmentation Avoidance for TCP Traffic
Link IP MTU
IPSec
Link IP MTU
1500 Bytes 1500 Bytes
Host vEdge vEdge Application
Secure Fabric
Router Router Servers
Signaled MSS Signaled MSS
1460B MSS Adjust 1320B Send MSS
to 1320B 1320B
Signaled MSS Signaled MSS
1320B MSS Adjust 1460B
Send MSS
1320B to 1320B
* 20B IP header + 20B TCP header. Does not include TCP options.
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 101
Summary
Modern Hierarchical Global WAN Design
East Theater
West Theater
Tier 1
Global
IP/MPLS Core
Tier 2
In-Theater
IP/MPLS Core
Internet
Cloud
Public Voice/Video Mobility
Tier 3
Metro Metro
Service Service
Private Public
IP IP
Service Service
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 104
Key Takeaways
Understand how WAN characteristics can affect your applications.
• Bandwidth, latency, loss
A modular hierarchical network infrastructure is the foundation for a solid WAN
architecture. Good WAN design have many well-utilized component
Encryption is a foundation component of all WAN designs and can be deployed
transparently.
Understand how to build wide area network leveraging Internet transport with
SD-WAN.
Design a network with consistent behavior that provides predictable
performance.
More is not always better. Keep it simple!
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 105
Recommended Reading
Abstract:
Virtual Routing in the Cloud are key enablers of
today’s revolutionary shift to elastic cloud
applications and low-cost virtualized networking.
The book covers every essential building block,
present key use cases and configuration
examples, illuminate design and deployment
scenarios, and show how the CSR 1000V
platform and APIs can enable state-of-the-art
software-defined networks (SDN). Drawing on
extensive early adopter experience, they
illuminate crucial OS and hypervisor details, help
you overcome migration challenges, and offer
practical guidance for monitoring and operations.
http://bit.ly/2l8UAod
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 106
Suggested Sessions
• BRKRST-2042 Highly Available WAN Design
• BRKRST-2309 Introduction to WAN MACsec
• BRKRST-2514 Application Optimization and Provisioning the IWAN
• BRKRST-3045 LISP A Next Generation Networking Architecture
• BRKCRS-2000 Intelligent WAN 2.0 Update
• BRKSEC-4054 Advanced Concepts of DMVPN
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 107
Cisco Spark
Questions?
Use Cisco Spark to communicate
with the speaker after the session
How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#BRKRST-2041
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Please complete your Online Complete Your Online
Session Evaluations after each
session
Session Evaluation
• Complete 4 Session Evaluations
& the Overall Conference
Evaluation (available from
Thursday) to receive your Cisco
Live T-shirt
• All surveys can be completed via
the Cisco Live Mobile App or the
Communication Stations
Don’t forget: Cisco Live sessions will be
available for viewing on-demand after the
event at CiscoLive.com/Online.
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions
BRKRST-2041 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 111
Thank you