Cisco SD-WAN: Introduction and Technical Deep Dive
John M Curran
Systems Engineer
Why SD-WAN
Disrupt or be Disrupted
[Chart: SD-WAN Revenue, Worldwide, 2016-2020]
Sources: 1. Gartner Predicts 2016: Enterprise Networks and Network Services, Dec 2015; 2. Gartner Predicts: SD-WAN and Its Impact on Traditional Router and MPLS Services, Nov 2016; 3. IDC Forecasts Strong Growth for Software-Defined WAN As Enterprises Seek to Optimize Their Cloud Strategies, March 2016
2 Viptela Confidential
Why SD-WAN Matters to Customers
Legacy WAN Architecture Does Not Meet the Needs of the Business
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Viptela At A Glance
6 Continents
40 Fortune-500 customers
Case Study: Enabled Cloud-Based Healthcare Apps
• Challenge: couldn't enable SaaS apps → Outcome: cloud-based EMR enabled → Result: adding bandwidth 120 → 2 days
• Challenge: need to add Office365 and cloud-based voice → Outcome: next phase, migrate Office 365 and voice to cloud → Result: 10x bandwidth
• No wasted engineering hours
Case Study: Global Retailer
40% reduction in WAN costs
46 technology silos consolidated
• Reduce OpEx and CapEx costs → Viptela SEN infrastructure → 26x bandwidth improvement
• 14 different environments, 8 carriers → enable active/active MPLS + internet → months-to-weeks rapid M&A onboarding
• Massive migration to O365 & AWS
• 46 portfolios consolidated
• Business unit segmentation
Case Study: Banking – Fortune 500
80% less time for deploying new branch WAN
• High bandwidth apps (HD Video) → Viptela SEN infrastructure → 20x bandwidth improvement
• Simplify branch IT operations (incl ATMs) → augment MPLS with broadband → 50 sites deployed per night
• 1000 devices upgraded in 4 hours
Case Study: Transformed Customer Experience
Verizon Managed SD-WAN with Video and WiFi inside Branches
• Customer experience applications (self-service kiosks, video conf with live experts, new retail bank apps) → Viptela SEN, augment MPLS with LTE → faster applications, 1400 locations, agile operations
• Simplify branch IT operations (incl ATMs) → business continuity: data loss prevention and backup
• Improve business continuity with data loss prevention, backups
Cisco SD-WAN
Solution Elements and Overview
Cisco SD-WAN Solution Philosophy
Most Comprehensive Solution on the Market
Application Policies: Application SLA, Traffic Engineering, Per-Segment Topologies, Secure Perimeter, Cloud Path, Cloud Accel, Transport Hub
Delivery Platform: Routing, Security, Segmentation, QoS, Multicast, Svc Insertion, Survivability
Operations: Analytics, Monitoring
Transports: Broadband, MPLS, Cellular
[Diagram: Orchestration Plane (vBond), Control Plane (vSmart Controllers) and Data Plane (vEdge Routers) over MPLS, 4G and INET transports, connecting Cloud, Data Center, Campus, Branch and SOHO]
Cisco SD-WAN Solution Elements: Orchestration Plane
vBond
• Orchestrates connectivity between management, control and data plane
• First point of authentication
• Requires public IP Address
• Facilitates NAT traversal
• All other components need to know the vBond IP or DNS information
• Authorizes all control connections (white-list model)
• Distributes list of vSmarts to all vEdges
[Diagram: vManage with APIs for 3rd party automation and vAnalytics, vBond, vSmart Controllers and vEdge Routers over MPLS, 4G and INET, connecting Cloud, Data Center, Campus, Branch and SOHO]
Cisco SD-WAN Solution Elements: Management Plane
Cisco vManage
• Single pane of glass for Day0, Day1 and Day2 operations
• Real time alerting
• Centralized provisioning
• Configuration standardization
• Simplicity of deploying
• Simplicity of change
• Supports: REST API, CLI, Syslog, SNMP, NETCONF
Cisco SD-WAN Solution Elements: Control Plane
vSmart Controllers
• Centralized brain of the solution
• Facilitates fabric discovery
• Establishes OMP peering with all vEdges
• Implements control plane policies, such as service chaining, traffic engineering and per VPN topology
• Dramatically reduces complexity of the entire network
• Distributes connectivity information between vEdges
• Orchestrates secure data plane connectivity between vEdges
Cisco SD-WAN Solution Elements: Data Plane
vEdge Routers, Physical/Virtual
• vEdge 100: 100Mb
• vEdge 1000: 1Gb
• vEdge 2000: 1/10Gb
• vEdge Cloud: VM
Cisco SD-WAN
Zero Trust Fabric
Cisco vEdge Router Identity
During Manufacturing (TPM chip, device certificate):
• Each physical vEdge router is uniquely identified by the chassis ID and certificate serial number
• Certificate is stored in onboard Tamper Proof Module (TPM)
  - Installed during manufacturing process
• Certificate is signed by Avnet root CA
  - Trusted by Control Plane elements
Root Chain (in Viptela software):
• Symantec root CA chain of trust is used to validate Control Plane elements
• Alternatively, if used, Enterprise root CA chain of trust can be used to validate Control Plane elements
  - Can be automatically installed during ZTP
Cisco vEdge Zero Touch Provisioning
Zero Touch Provisioning Elements
[Diagram: ZTP flow between the vEdge, the ZTP server and vManage (control and policy); recoverable step labels: query ztp.viptela.com, redirect to corporate vManage, initial config from orchestration, full registration and configuration]
Assumption:
§ DHCP on Transport Side (WAN)
§ DNS to resolve ztp.viptela.com*
§ Delivered as-a-Service
* Factory default config
Cisco SD-WAN
Fabric Operation
Overlay Management Protocol (OMP)
Unified Control Plane
• Runs on top of TCP, extensible control plane protocol
• Runs between vEdge routers and vSmart controllers and between the vSmart controllers
  - Inside TLS/DTLS connections
• Advertises control plane context
[Diagram: vSmart controllers peering with each other and with the vEdges over Transport1; each vEdge advertises its TLOCs; control plane traffic encrypted with AES256-GCM]
Fabric Operation
Fabric Walk-Through
OMP Update:
§ Reachability – IP Subnets, TLOCs
§ Security – Encryption Keys
§ Policy – Data/App-route Policies
[Diagram: vSmart exchanges OMP updates and pushes policies to each vEdge over DTLS/TLS tunnels; the vEdges run BFD and build IPSec tunnels across Transport1, each advertising its TLOCs and subnets]
Cisco SD-WAN
Application Experience and QoS
Application Visibility
Deep Packet Inspection: App 1, App 2 … App 3,000
✓ App Firewall
✓ Traffic prioritization
✓ Transport selection
[Diagram: vEdge Router connecting Small Office, Home Office, Campus and Branch to the Cloud Data Center and Data Center over Internet, MPLS and 4G/LTE]
Critical Applications SLA
§ vEdge Routers continuously perform path liveliness and
[Diagram: Users – vEdge – SD-WAN Fabric (vManage) – vEdge – Servers, with one path marked High Latency Path]
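Added example (not code from the deck or from Viptela/Cisco): a small model of the app-aware routing decision this slide describes, where per-tunnel BFD measurements are tested against an SLA class and traffic is steered onto a compliant path. The SLA thresholds, tunnel colours and measurements are constructed.

```python
# Added example for this page (not Viptela/Cisco code): models app-aware
# routing, where BFD-measured loss/latency/jitter per tunnel is compared with
# an SLA class and traffic is steered onto compliant paths. Values are made up.
from dataclasses import dataclass

@dataclass
class SlaClass:
    name: str
    max_loss_pct: float
    max_latency_ms: float
    max_jitter_ms: float

@dataclass
class Tunnel:
    color: str            # transport colour: mpls, biz-internet, lte
    loss_pct: float       # BFD-derived measurements for the poll window
    latency_ms: float
    jitter_ms: float
    up: bool = True       # BFD session state

def meets_sla(t: Tunnel, sla: SlaClass) -> bool:
    """A tunnel is usable for the class only if up and inside every threshold."""
    return (t.up and t.loss_pct <= sla.max_loss_pct
            and t.latency_ms <= sla.max_latency_ms
            and t.jitter_ms <= sla.max_jitter_ms)

def select_paths(tunnels, sla, preferred_colors=(), strict=False):
    """Compliant tunnels on a preferred colour, else any compliant tunnel, else
    (unless strict, which means drop) every up tunnel so traffic keeps flowing."""
    compliant = [t for t in tunnels if meets_sla(t, sla)]
    preferred = [t for t in compliant if t.color in preferred_colors]
    if preferred:
        return preferred
    if compliant:
        return compliant
    return [] if strict else [t for t in tunnels if t.up]

# Constructed sample: the MPLS path is up but violates the voice latency bound,
# so voice is steered to biz-internet even though MPLS is the preferred colour.
VOICE = SlaClass("voice", max_loss_pct=1.0, max_latency_ms=150, max_jitter_ms=30)
SAMPLE = [
    Tunnel("mpls", loss_pct=0.1, latency_ms=220, jitter_ms=5),
    Tunnel("biz-internet", loss_pct=0.5, latency_ms=40, jitter_ms=10),
    Tunnel("lte", loss_pct=3.0, latency_ms=90, jitter_ms=45),
]

if __name__ == "__main__":
    for t in select_paths(SAMPLE, VOICE, preferred_colors=("mpls",)):
        print("voice ->", t.color)
```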
Cisco SD-WAN VPNs
vEdge Router Security Zones
• VPNs are isolated from each other, each VPN has its own forwarding table
• Reachability within VPN is advertised by the OMP
[Diagram: vEdge router with a Management zone (VPN512) and per-VPN interfaces (IF)]
End-to-End Segmentation
Virtual Private Networks and Mapping
§ Isolated virtual private networks across any transport - https://tools.ietf.org/html/rfc4023
§ VPN isolation is carried over all transports
Encapsulated packet from Site 2 over IPSec (header sizes in bytes):
IP (20) | UDP (8) | ESP (36) | VPN Label (4) | Data (…)
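Added example, not Viptela/Cisco code: how a receiving vEdge keeps VPNs isolated at the data plane. It uses the header sizes from the layout above to compute encapsulation overhead, encodes the 4-byte VPN label as an RFC 4023-style MPLS label stack entry (the exact use of the TC, S and TTL bits is an assumption), and looks the label up only in that VPN's forwarding table. Packet bytes, VPN numbers and prefixes are constructed.

```python
# Added example for this page (not Viptela/Cisco code): after the ESP payload is
# decrypted, the receiving vEdge reads the 4-byte label in front of the data
# (modelled on the MPLS label stack entry that RFC 4023 carries) and uses it to
# pick the VPN's forwarding table. Packet bytes and VPN numbers are constructed.
import struct

# Header sizes from the slide: IP 20, UDP 8, ESP 36, VPN label 4
ENCAP_OVERHEAD = 20 + 8 + 36 + 4

def payload_mtu(transport_mtu: int) -> int:
    """Largest inner packet that fits in one transport packet."""
    return transport_mtu - ENCAP_OVERHEAD

def encode_label(vpn: int, ttl: int = 255, tc: int = 0) -> bytes:
    """MPLS label stack entry: 20-bit label | 3-bit TC | S=1 | 8-bit TTL."""
    if not 0 <= vpn < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (vpn << 12) | (tc << 9) | (1 << 8) | ttl)

def decode_label(entry: bytes):
    """Returns (label, tc, bottom_of_stack, ttl)."""
    word, = struct.unpack("!I", entry)
    return word >> 12, (word >> 9) & 0x7, (word >> 8) & 0x1, word & 0xFF

# Constructed per-VPN forwarding tables: the same prefix exists in two VPNs
# with different next hops, and a VPN that is not provisioned has no table.
FIB = {
    1: {"10.1.0.0/16": "ge0/1 (corporate)"},
    2: {"10.1.0.0/16": "ge0/2 (guest)"},
}

def forward(decrypted: bytes, dst_prefix: str):
    """Demultiplex a decrypted ESP payload: label -> VPN -> that VPN's FIB only."""
    if len(decrypted) < 4:
        return None
    vpn, _tc, bos, ttl = decode_label(decrypted[:4])
    if not bos or ttl == 0 or vpn not in FIB:
        return None                   # malformed or unknown VPN: isolation means drop
    return FIB[vpn].get(dst_prefix)   # never consults another VPN's table

if __name__ == "__main__":
    pkt = encode_label(2) + b"inner IP packet"
    print(forward(pkt, "10.1.0.0/16"))
```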
Application Aware Topologies
Arbitrary VPN Topologies
• Full-Mesh
• Hub-and-Spoke
• Partial Mesh
• Point-to-Point
[Diagram: VPN1 carried over MPLS and INET between Branch, Campus, Regional Hub, Data Center, Secure Data Center (Firewalls, IDS/IPS/DLP), Cloud Data Center and Regional Secure Perimeter, with firewall (FW) service advertisement through the SD-WAN Fabric]
Cisco SD-WAN
Cloud Adoption
Cloud onRamp for SaaS
SaaS Optimization
[Diagram: Remote Site, Branch and Campus reaching SaaS directly via ISP1/ISP2 or through the Data Center over the SD-WAN Fabric (MPLS); Cloud Data Center reached through a Gateway VPC/VNET over an IPSec Tunnel]
Cloud Security
SaaS and Internet Security
[Diagram: sites breaking out to the Internet via ISP1 and ISP2]
Site Redundancy - Routed
§ Redundant pair of vEdge routers operate in active/active mode
§ vEdge routers are one or more Layer 3 hops away from the hosts
§ Standard OSPF or BGP routing protocols are running between the redundant pair vEdge routers and the site router
§ Bi-directional redistribution between OMP and OSPF/BGP and vice versa on the vEdge routers
§ Site router performs equal cost multipathing for remote destinations across SD-WAN Fabric
  - Can manipulate OSPF/BGP to prefer one vEdge router over the other
[Diagram: vEdge A and vEdge B attached to the SD-WAN Fabric, each running OSPF/BGP to the Site Router, which connects the Host]
Site Redundancy - Bridged
Transport Redundancy – TLOC Extension
High Availability and Redundancy
Connectivity Assurance
[Diagram: Site Redundancy and Transport Redundancy, each showing Control and Data paths between Data Center and Site over MPLS and INET transports]
Cisco SD-WAN
Analytics
vAnalytics
• Offered as a SaaS Service
• Multi-customer sourced data
• Anonymous data-collection
[Diagram: Visibility and Forecasting]
Viptela Integration Plan
• Phase 1: At Close – No Integration: support and scale the current Viptela sales motion (vManage, cloud-hosted)
• Phase 2 – Platform Integration: Viptela SD-WAN on strategic ISR platform (vManage, cloud-hosted)
• Phase 3 – Management Integration: deliver end-to-end experience with full DNA integration (vManage + DNA Center, cloud-hosted; NEW)
Deployment Scenarios
[Diagram: sites connected over T1 / E1 / DSL and Ethernet, with ISR, vEdge, WaaS and UC combinations]
Cisco SD-WAN
Pricing and Licensing
Pricing Model
Subscription and Perpetual Elements
1. Subscription* license (1YR, 3YR and 5YR) for Cisco SD-WAN software charged per CPE. This cost is dependent on two factors:
• Service bandwidth
• Features
Perpetual cost of Cisco SD-WAN CPE hardware + Subscription cost of Cisco SD-WAN software (includes SD-WAN controller + CPE software) = Operational cost of Cisco SD-WAN solution
*Note: Subscription cost of Viptela software includes cost of SD-WAN controllers, 24x7x365 Cisco SD-WAN support, next day hardware replacement for Cisco SD-WAN CPE, software upgrades on all components and the cost of hosting the Cisco SD-WAN controllers in the Cisco SD-WAN cloud.
**Note: CPE can be Cisco SD-WAN owned or in the case of Virtual CPE customer owned. Cost here implies Cisco SD-WAN CPE only.
Features
License Tiers
• Plus: SD-WAN controllers, Hub, AAR
• Pro: SD-WAN controllers, Dynamic Routing, AAR
• Enterprise: SD-WAN controllers, Analytics, Dynamic Routing, AAR