TRANSCRIPT
Vedran Hafner, [email protected]
Delivering Cisco Next Generation SD-WAN with Viptela
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Why should I care? Real life examples
• 80 percent reduction in cost/Mbps for a US insurance provider.
• $20 million reduction in OpEx over three years for a retailer.
• 5-fold improvement in Office 365 performance for an energy provider.
• 4-fold improvement in application latency for a healthcare provider.
• M&A integration in 2 weeks for a Fortune 50 healthcare provider.
• Securely isolated 100+ business partners for a US manufacturer with more than 1,000 sites.
Key Message of our Presentation
Cisco SD-WAN Solution helps you to:
1. Reduce Cost
2. Operate Faster with better Performance
3. Integrate Latest Cloud & Network Technologies
Introduction
The WAN Has Changed
[Diagram: the WAN before (Branch WAN and Data Center over MPLS, Users reaching the Internet via the Data Center) and after (Users, Devices and Things at the Branch WAN reaching Data Center, Multi-Cloud, SaaS and Internet over MPLS and INET transports).]
SD-WAN Architecture
Cisco SD-WAN Architecture Overview
[Diagram: Data Center, Campus, Branch and SOHO sites connected over 4G/LTE, MPLS and Internet transports; vManage, vSmart, vBond orchestrator (ZTP), Analytics, API and Cloud shown above the WAN Edge layer.]
• Control Plane = vSmart (Containers or VMs)
• Data Plane = Edge (vEdge or Cisco ISR/ASR)
• Management = vManage (Multi-tenant or Dedicated)
• Orchestration = vBond
Cisco SD-WAN Solution Elements: Orchestration Plane
Cisco vBond
[Diagram: vBond, vManage, vSmart Controllers, vAnalytics and 3rd-party automation (APIs) above vEdge routers at Data Center, Campus, Branch, SOHO and Cloud sites over 4G, MPLS and INET transports. The same diagram accompanies the Management, Control and Data Plane slides below.]
• Orchestrates control and management plane
• First point of authentication (white-list model)
• Distributes list of vSmarts/vManage to all vEdge routers
• Facilitates NAT traversal
• Requires public IP address [could sit behind 1:1 NAT]
• Highly resilient
Cisco SD-WAN Solution Elements: Management Plane
Cisco vManage
• Single pane of glass for Day 0, Day 1 and Day 2 operations
• Multitenant with web scale
• Centralized provisioning
• Policies and Templates
• Troubleshooting and Monitoring
• Software upgrades
• GUI with RBAC
• Programmatic interfaces (REST, NETCONF)
• Highly resilient
Cisco SD-WAN Solution Elements: Control Plane
Cisco vSmart
• Facilitates fabric discovery
• Disseminates control plane information between vEdges
• Distributes data plane and app-aware routing policies to the vEdge routers
• Implements control plane policies, such as service chaining, multi-topology and multi-hop
• Dramatically reduces control plane complexity
• Highly resilient
Cisco SD-WAN Solution Elements: Data Plane (Physical/Virtual)
Cisco vEdge
• WAN edge router
• Provides secure data plane with remote vEdge routers
• Establishes secure control plane with vSmart controllers (OMP)
• Implements data plane and application aware routing policies
• Exports performance statistics
• Leverages traditional routing protocols like OSPF, BGP and VRRP
• Supports Zero Touch Deployment
• Physical or Virtual form factor (100Mb, 1Gb, 10Gb)
Controllers' Deployment Models
• Enterprise IT deploys vManage, vSmart and vBond in a Private Cloud
• MSP Ops Team deploys vManage, vSmart and vBond in the MSP Cloud
• Cisco Cloud Ops deploys vManage, vSmart and vBond in the Cisco Cloud
Controller Scale
vManage:
• 2,000 devices per single instance
• Tested up to 6 vManage in a cluster
vSmart:
• 5,400 connections per single vSmart
• Tested up to 20 vSmarts
vBond:
• 1,500 connections per single vBond
• Tested up to 6 vBonds
Cisco SD-WAN Platform Options
Branch Services (Cisco ISR/ASR):
• ISR 1000: Next-gen, performance flexibility
• ISR 4000: Modular, integrated service containers
• ASR 1000: High-performance, HW & SW redundancy
SD-WAN (vEdge):
• vEdge 100: 100 Mbps, 4G LTE & WiFi
• vEdge 1000: Up to 1 Gbps, fixed
• vEdge 2000: 10 Gbps, modular
• vEdge 5000: 20 Gbps, modular
Virtualization: ENCS 5100, ENCS 5400
Public Cloud
SD-WAN Fabric
Unified Control Plane
• Overlay Management Protocol (OMP)
• TCP based extensible control plane protocol
• Runs between WAN Edge routers and vSmart controllers and between the vSmart controllers
- Inside authenticated TLS/DTLS connections
• Advertises control plane context and policies
• Dramatically lowers control plane complexity and raises overall solution scale
[Diagram: WAN Edge routers peering with vSmart controllers; SD-WAN O(n) control complexity vs. traditional O(n^2) control complexity.]
Note: WAN Edge routers need not connect to all vSmart Controllers
Data Plane Liveliness and Quality
• Bidirectional Forwarding Detection (BFD)
• Path liveliness and quality measurement
- Up/Down, loss/latency/jitter, IPSec tunnel MTU
• Runs between all WAN Edge and WAN Edge Cloud routers in the topology
- Inside IPSec tunnels
- Operates in echo mode
- Automatically invoked at IPSec tunnel establishment
- Cannot be disabled
• Uses hello (up/down) interval, poll (app-aware) interval and multiplier for detection
- Fully customizable per-WAN Edge, per-color
[Diagram: full mesh of BFD sessions between WAN Edge routers.]
Common Data Plane Communication
• Per-Session Load Sharing, Active/Active across INET and MPLS (Default)
• Per-Session Weighted, Active/Active across INET and MPLS (Device Configurable)
• Application Pinning, Active/Standby across INET and MPLS (Policy Enforced)
• Application Aware Routing, SLA Compliant across INET and MPLS, each path measured against the SLA (Policy Enforced)
Common Enterprise Deployment Use Cases
Common Enterprise Deployment Use Cases
• Critical Application SLA
• Cloud onRamp for SaaS and IaaS
• Secure Branch
Critical Applications SLA
Path 1: 10ms, 0% loss, 5ms jitter
Path 2: 200ms, 3% loss, 10ms jitter
Path 3: 140ms, 1% loss, 10ms jitter
vManage App Aware Routing Policy: App A path must have:
- Latency < 150ms
- Loss < 2%
- Jitter < 10ms
WAN Edge Routers continuously perform path liveliness and quality measurements
[Diagram: Remote Site to Data Center over Internet, MPLS and 4G LTE SD-WAN IPSec tunnels (Path 2 highlighted); Optimal Path MTU; TCP Optimization.]
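The slide gives three measured paths and one SLA class; the following added example (not Cisco's code, written for this transcript) shows how an edge router's app-aware routing decision can be evaluated from those numbers. The thresholds are applied as strict "<" exactly as the slide states them, so Path 3 with 10 ms jitter does not satisfy "Jitter < 10ms". The `preferred` parameter and the fallback to the least-lossy path when nothing is compliant are assumptions made for illustration; the real product's out-of-SLA action is configurable policy, and poll-interval averaging is not modelled.

```python
# Added example (not Cisco's code): evaluating measured paths against an
# app-aware routing SLA class. All numbers are constructed from the slide.
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PathStats:
    """Latest BFD-derived measurement for one IPSec tunnel (path)."""
    name: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float


@dataclass(frozen=True)
class SlaClass:
    """SLA thresholds for one application class; the slide states them as strict '<'."""
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float

    def is_met(self, p: PathStats) -> bool:
        return (p.latency_ms < self.max_latency_ms
                and p.loss_pct < self.max_loss_pct
                and p.jitter_ms < self.max_jitter_ms)


def compliant_paths(paths: List[PathStats], sla: SlaClass) -> List[str]:
    """Names of every path currently meeting the SLA, in measurement order."""
    return [p.name for p in paths if sla.is_met(p)]


def choose_path(paths: List[PathStats], sla: SlaClass,
                preferred: Optional[str] = None) -> Tuple[str, bool]:
    """Select the path for the application and report whether the SLA is met.

    A configured preferred path (hypothetical parameter) wins while it is
    compliant; otherwise the best compliant path by latency, loss and jitter.
    When no path is compliant the flow still goes to the least-lossy path; that
    fallback is a simplifying assumption, not the product's configurable action.
    """
    ok = [p for p in paths if sla.is_met(p)]
    if not ok:
        fallback = min(paths, key=lambda p: (p.loss_pct, p.latency_ms, p.jitter_ms))
        return fallback.name, False
    if preferred is not None:
        for p in ok:
            if p.name == preferred:
                return p.name, True
    best = min(ok, key=lambda p: (p.latency_ms, p.loss_pct, p.jitter_ms))
    return best.name, True


def remeasure(paths: List[PathStats], name: str, **changes) -> List[PathStats]:
    """Return a new measurement set with one path's numbers replaced, to show
    how the selection is re-evaluated as BFD results change."""
    return [replace(p, **changes) if p.name == name else p for p in paths]


# Constructed sample: the three measured paths and App A's SLA from the slide.
PATHS = [
    PathStats("Path1", latency_ms=10, loss_pct=0, jitter_ms=5),
    PathStats("Path2", latency_ms=200, loss_pct=3, jitter_ms=10),
    PathStats("Path3", latency_ms=140, loss_pct=1, jitter_ms=10),
]
APP_A_SLA = SlaClass(max_latency_ms=150, max_loss_pct=2, max_jitter_ms=10)

if __name__ == "__main__":
    print(compliant_paths(PATHS, APP_A_SLA))                                # ['Path1']
    print(choose_path(PATHS, APP_A_SLA))                                    # ('Path1', True)
    print(choose_path(remeasure(PATHS, "Path1", loss_pct=2.5), APP_A_SLA))  # ('Path3', False)
    improved = remeasure(PATHS, "Path3", jitter_ms=8)
    print(choose_path(improved, APP_A_SLA, preferred="Path3"))              # ('Path3', True)
```

The `remeasure` calls stand in for a new BFD poll result: when Path 1 starts losing 2.5% the app has no compliant path left and the `False` flag is what a monitoring hook would alert on; when Path 3's jitter drops to 8 ms it becomes eligible and a preferred-path setting can steer the application onto it.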
Secure Branch - Segmentation / Security Zoning
• Compliance
• Guest Wi-Fi
• Multi-Tenancy
• Extranet
Per-VPN Topology: Full-Mesh, Hub-and-Spoke, Partial Mesh, Point-to-Point
[Diagram: VPN 1, VPN 2 and VPN 3 carried between two WAN Edge routers inside the SD-WAN IPSec tunnel.]
Secure Branch - Zone Based Firewall
• VPNs as members
• Each VPN can be part of only one zone
• Any traffic going between two different zones will be dropped by default (implicit deny)
• Can inspect traffic within the same VPN
• Zone-pair policy can have Inspect, Drop or Pass action
[Diagram: zone pairs Zone 1 (VPN 1) to Zone 2 (VPN 2, VPN 0); Zone 1 (VPN 1) to Zone 1 (VPN 1); Zone 1 (VPN 1) to Zone 2 (VPN 2).]
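To make the five rules above concrete, here is an added model (not Cisco's code or configuration syntax) of a zone-based firewall: VPNs join exactly one zone, zone pairs are directional, traffic between zones without a matching rule is implicitly denied, and intra-VPN traffic can be inspected via a same-zone pair. Zone names, VPN ids and ports are constructed; the two behaviours the slide does not state (a VPN in no zone is dropped, same-zone traffic without an explicit pair passes) are assumptions marked in the code.

```python
# Added example (not Cisco's code): a small model of the zone-based firewall
# rules the slide states. Zone names, VPN ids and ports are constructed.
from typing import Callable, Dict, List, Optional, Tuple

ACTIONS = ("inspect", "drop", "pass")

# A match predicate sees (protocol, destination port) of the flow.
Match = Callable[[str, Optional[int]], bool]


def any_traffic(_proto: str, _dport: Optional[int]) -> bool:
    return True


def tcp_port(port: int) -> Match:
    return lambda proto, dport: proto == "tcp" and dport == port


class ZoneFirewall:
    def __init__(self) -> None:
        self.zone_of: Dict[int, str] = {}  # VPN id -> zone name
        self.pairs: Dict[Tuple[str, str], List[Tuple[Match, str]]] = {}

    def add_zone(self, zone: str, vpns: List[int]) -> None:
        """Each VPN can be a member of only one zone."""
        for v in vpns:
            if v in self.zone_of and self.zone_of[v] != zone:
                raise ValueError(f"VPN {v} is already in zone {self.zone_of[v]}")
            self.zone_of[v] = zone

    def add_zone_pair(self, src: str, dst: str, action: str,
                      match: Match = any_traffic) -> None:
        """Zone pairs are directional; rules are evaluated in insertion order."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        self.pairs.setdefault((src, dst), []).append((match, action))

    def decide(self, src_vpn: int, dst_vpn: int, proto: str,
               dport: Optional[int] = None) -> str:
        src_zone = self.zone_of.get(src_vpn)
        dst_zone = self.zone_of.get(dst_vpn)
        if src_zone is None or dst_zone is None:
            # A VPN that belongs to no zone: treated as implicit deny here (assumption).
            return "drop"
        for match, action in self.pairs.get((src_zone, dst_zone), []):
            if match(proto, dport):
                return action
        if src_zone == dst_zone:
            # Same zone without an explicit pair: assumed to pass (the slide only
            # says intra-VPN traffic *can* be inspected).
            return "pass"
        return "drop"  # different zones, no matching rule: implicit deny


def demo_decisions() -> Dict[str, str]:
    """Build the slide's Zone 1 / Zone 2 setup and return a few verdicts."""
    fw = ZoneFirewall()
    fw.add_zone("Zone1", [1])
    fw.add_zone("Zone2", [2, 0])
    before = fw.decide(1, 2, "tcp", 443)              # no zone-pair policy yet
    fw.add_zone_pair("Zone1", "Zone2", "inspect", tcp_port(443))
    fw.add_zone_pair("Zone1", "Zone1", "inspect")     # intra-VPN inspection
    return {
        "vpn1->vpn2 tcp/443 before policy": before,   # drop (implicit deny)
        "vpn1->vpn2 tcp/443": fw.decide(1, 2, "tcp", 443),   # inspect
        "vpn1->vpn2 tcp/22": fw.decide(1, 2, "tcp", 22),     # drop
        "vpn2->vpn1 tcp/443": fw.decide(2, 1, "tcp", 443),   # drop (pair is directional)
        "vpn1->vpn1 udp/53": fw.decide(1, 1, "udp", 53),     # inspect
        "vpn2->vpn0 any": fw.decide(2, 0, "udp", 500),       # pass (same zone, assumed)
    }
```

The directional check is the one most often missed in review: permitting Zone 1 to Zone 2 on tcp/443 does not open Zone 2 to Zone 1, so a return path that is not stateful (here, a second explicit pair) stays at the implicit deny.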
Secure Branch - Cloud Security
• Best suited for cloud SaaS applications
• Interoperates with Cloud onRamp for SaaS
• Augments native fabric security
• Can co-exist with on-premise L4-L7 security modes - VPN segmentation
[Diagram: SOHO, Branch, Campus, Data Center and Cloud Data Center sites over 4G, MPLS and INET, with 3rd-party cloud security in the path.]
Direct Internet Access
[Diagram: Remote Site with local DIA exits to ISP1, ISP2 and ISP3, and the SD-WAN fabric over MPLS to the Regional Data Center and Data Center.]
• Can use one or more local DIA exits or backhaul traffic to the regional hub through the SD-WAN fabric and exit to Internet from there
- Per-VPN behavior enforcement
• VPN default route for all traffic DIA or data policy for selective traffic DIA
• Network Address Translation (NAT) on the WAN Edge router only allows response traffic back
- Any unsolicited Internet traffic will be blocked by IP table filters
• For performance based routing toward SaaS applications use Cloud onRamp
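The NAT bullet above is the security property of DIA: a local Internet exit is only as safe as the rule that nothing unsolicited comes back in. The following added example (not Cisco's code) models a stateful NAT table on the WAN Edge: an outbound packet creates an entry, an inbound packet is translated only if it answers that entry, and everything else is dropped and counted. Addresses are constructed from the RFC 5737 documentation ranges; the choice to also drop packets from a different peer on a known port (endpoint-dependent filtering) is an assumption noted in the code.

```python
# Added example (not Cisco's code): a stateful NAT table modelling the slide's DIA
# behaviour, where only return traffic for an existing outbound session is let back in.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DiaNat:
    def __init__(self, public_ip: str, first_port: int = 20000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, public port) -> (inside ip, inside port, remote ip, remote port)
        self.table: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        # inside 5-tuple -> public port, so a repeated flow reuses its binding
        self.by_flow: Dict[Tuple[str, str, int, str, int], int] = {}
        self.dropped = 0  # unsolicited inbound packets, the number a defender graphs

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: allocate (or reuse) a public port and record the session."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.by_flow.get(key)
        if pub_port is None:
            pub_port = self.next_port
            self.next_port += 1
            self.by_flow[key] = pub_port
            self.table[(pkt.proto, pub_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(pkt.proto, self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: translate only if it answers a recorded session, else drop."""
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if pkt.dst_ip != self.public_ip or entry is None:
            self.dropped += 1          # no session: unsolicited, filtered
            return None
        inside_ip, inside_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            # Known port but a different sender: treated as unsolicited too
            # (endpoint-dependent filtering, an assumption of this model).
            self.dropped += 1
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet], Optional[Packet], int]:
    """Constructed traffic: one HTTPS session out, its reply, and two unsolicited probes."""
    nat = DiaNat("198.51.100.1")
    out = nat.outbound(Packet("tcp", "10.1.1.10", 40000, "203.0.113.5", 443))
    reply = nat.inbound(Packet("tcp", "203.0.113.5", 443, "198.51.100.1", out.src_port))
    stray_port = nat.inbound(Packet("tcp", "192.0.2.9", 4444, "198.51.100.1", 22))
    stray_peer = nat.inbound(Packet("tcp", "192.0.2.9", 4444, "198.51.100.1", out.src_port))
    return out, reply, stray_port, stray_peer, nat.dropped
```

In operation the `dropped` counter (or the equivalent counter on the real device) is worth exporting: a steady background of drops is normal Internet noise on any DIA exit, while a sudden change in its rate on one site is an early indicator worth a look.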
Cloud onRamp for SaaS - Direct Internet Access
[Diagram: Remote Site quality-probing (loss/latency) toward SaaS through ISP1 and ISP2 DIA circuits, with the SD-WAN fabric to the Regional Data Center and Data Center.]
• Detect application performance through one or more Direct Internet Access circuits
• WAN Edge routers choose best performing path
- Per-Application, Per-VPN
• Automatic failover in case of performance degradation
• Fully automated
Cloud onRamp for SaaS - Direct Internet Access and Gateways
[Diagram: Remote Site quality-probing (loss/latency) through ISP1 and ISP2 DIA circuits and through the SD-WAN fabric over MPLS to gateways at the Regional Data Center and Data Center.]
• Detect application performance through DIAs and gateways
- Customer/SP owned and operated
- Security, performance, reliability
• WAN Edge routers choose best performing path
- Per-Application, Per-VPN
• Automatic failover in case of performance degradation
• Fully automated
Cloud onRamp for IaaS - End-to-End SD-WAN
[Diagram: Remote Site, Branch and Campus connected through the SD-WAN fabric to Cloud Data Center compute VPCs/VNETs.]
• WAN Edge Cloud routers are instantiated in every VPC/VNET
- Marketplace
• End-to-end SD-WAN fabric between sites and public cloud
- Multipathing, QoS and segmentation
• Shortest-path to Public Cloud
Regional Secure Perimeter - Single Service Insertion
• vEdge router with connected L4-L7 service makes advertisement
- Service route OMP address family
- Service VPN label
• Service is advertised in specific VPN
• Service can be L3 routed or L2 bridged
• Service can be singly or dually connected (Firewall trust zones) to the advertising vEdge
• Control or data policies are used to insert the service node into the matching traffic forwarding path
- Match on 6-tuple or DPI signature
- Applied on ingress/egress vEdge*
* For data policy only. Control policy enforced on vSmart.
[Diagram: Remote Office, Regional Hub (with FW) and Data Center in VPN1 over 4G, MPLS and INET; service advertisement and policy advertisement* via vSmart (control plane) and the resulting traffic path through the firewall.]
Regional Secure Perimeter - Multiple Services Chaining
• vEdge routers with connected L4-L7 services make advertisement
- Service route OMP address family
- Services VPN labels
• Services are advertised in specific VPN
• Services can be L3 routed or L2 bridged
• Services can be singly or dually connected to the advertising vEdges
• Control or data policies are used to insert the service nodes into the matching traffic forwarding path
- Match on 6-tuple or DPI signature
- Applied on ingress/egress/service vEdge*
* For data policy only. Control policy enforced on vSmart.
[Diagram: Remote Office, Regional Hub (with FW and IDS) and Data Center in VPN1 over 4G, MPLS and INET; service advertisement and policy advertisement* via vSmart (control plane) and the resulting traffic path through both services.]
Advanced Security
High Availability, Redundancy and Scale
Site Redundancy - Routed
• Redundant pair of WAN Edge routers operate in active/active mode
• WAN Edge routers are one or more Layer 3 hops away from the hosts
• Standard OSPF or BGP routing protocols are running between the redundant pair of WAN Edge routers and the site router
• Bi-directional redistribution between OMP and OSPF/BGP on the WAN Edge routers
- OSPF DN bit, BGP SoO community
• Site router performs equal cost multipathing for remote destinations across the SD-WAN Fabric
- Can manipulate OSPF/BGP to prefer one WAN Edge router over the other
[Diagram: Host behind a Site Router that connects to WAN Edge A and WAN Edge B, both attached to the SD-WAN fabric.]
Site Redundancy - Bridged
• WAN Edge routers are Layer 2 adjacent to the hosts
- Default gateway for the hosts
• Virtual Router Redundancy Protocol (VRRP) runs between the two redundant WAN Edge routers
- Active/active when using multi-group (per-VLAN) VRRP
• Active WAN Edge responds to ARP requests for the virtual IP with the virtual MAC address
• In case of failover, the VRRP standby WAN Edge router assumes the VRRP Active role
[Diagram: Host Layer 2 adjacent to WAN Edge A (VRRP Active) and WAN Edge B (VRRP Standby), both attached to the SD-WAN fabric.]
Transport Redundancy - Meshed
• WAN Edge routers are directly connected to all the transports
- No need for L2 switches front-ending the WAN Edge routers
• When a transport goes down, WAN Edge routers detect the condition and bring down the tunnels built across the failed transport
- BFD times out across tunnels
• Both WAN Edge routers still draw the traffic for the prefixes available through the SD-WAN fabric
• If one of the WAN Edge routers fails (dual failure), the second WAN Edge router takes over forwarding the traffic in and out of the site
- Both transports are still available
[Diagram: two WAN Edge routers, each connected to both MPLS and Internet.]
Transport Redundancy - TLOC Extension
• WAN Edge routers are connected only to their respective transports
• WAN Edge routers build IPSec tunnels across directly connected transports and across the transports connected to the neighboring WAN Edge router
- Neighboring WAN Edge router acts as an underlay router for tunnels initiated from the other WAN Edge
• If one of the WAN Edge routers fails (dual failure), the second WAN Edge router takes over forwarding the traffic in and out of the site
- Only the transport connected to the remaining WAN Edge router can be used
[Diagram: two WAN Edge routers linked to each other, one connected to MPLS and the other to Internet.]
Path and Remote-End Redundancy
• WAN Edge routers leverage BFD for detecting tunnel liveliness
• If an intermediate network path through the SD-WAN fabric fails or if the remote-end WAN Edge router (e.g. data center) fails, BFD hellos will time out and the remote site WAN Edge router will bring down its relevant IPSec tunnels
• Traffic will be rerouted after the failed condition has been detected
- BFD hello timer and multiplier can be tweaked for faster detection
[Diagram: Remote Site to Data Center over Internet and MPLS.]
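Both the Data Plane Liveliness and Quality slide and the Path and Remote-End Redundancy slide describe the same mechanism: a per-color BFD session whose hello interval and multiplier set how long a tunnel may be silent before it is declared down and traffic moves to the remaining colors. The following added example (not Cisco's code) models that timing so the trade-off is visible: a tighter hello and multiplier detect a dead path sooner but also make a lossy transport flap sooner. The timer values and color names are constructed for the example and are not Cisco defaults.

```python
# Added example (not Cisco's code): BFD detection timing per color, modelled from the
# slides' hello interval and multiplier description. Timer values are constructed.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class BfdSession:
    color: str            # transport color, e.g. "mpls" or "biz-internet" (constructed)
    hello_ms: int         # hello (up/down) interval
    multiplier: int       # hellos that may be missed before the path is declared down
    last_hello_ms: int = 0
    up: bool = True

    @property
    def detect_ms(self) -> int:
        """Worst-case time to declare the tunnel down after the last received hello."""
        return self.hello_ms * self.multiplier

    def on_hello(self, now_ms: int) -> None:
        self.last_hello_ms = now_ms
        self.up = True

    def check(self, now_ms: int) -> bool:
        """Expire the session if no hello arrived within the detection window."""
        if self.up and now_ms - self.last_hello_ms >= self.detect_ms:
            self.up = False
        return self.up


class WanEdge:
    """One router's BFD sessions toward a remote site, one per color."""

    def __init__(self, sessions: List[BfdSession]) -> None:
        self.sessions: Dict[str, BfdSession] = {s.color: s for s in sessions}

    def receive_hello(self, color: str, now_ms: int) -> None:
        self.sessions[color].on_hello(now_ms)

    def usable_colors(self, now_ms: int) -> List[str]:
        """Colors whose tunnels are still up; traffic is rerouted onto these."""
        return [c for c, s in self.sessions.items() if s.check(now_ms)]


def detection_time_ms(hello_ms: int, multiplier: int) -> int:
    """The number an operator tunes: hello interval times multiplier."""
    return hello_ms * multiplier


def still_up(hello_ms: int, multiplier: int, last_hello_ms: int, probe_ms: int) -> bool:
    """Is a session still up at probe_ms if its last hello arrived at last_hello_ms?"""
    return BfdSession("probe", hello_ms, multiplier, last_hello_ms=last_hello_ms).check(probe_ms)


def demo_reroute() -> List[str]:
    """Constructed scenario: MPLS hellos keep arriving every second, Internet hellos stop
    after t=1800 ms. Queried at t=10000 ms only the MPLS color is left to carry traffic."""
    edge = WanEdge([BfdSession("mpls", hello_ms=1000, multiplier=7),
                    BfdSession("biz-internet", hello_ms=300, multiplier=3)])
    for t in range(0, 10001, 1000):
        edge.receive_hello("mpls", t)
    for t in range(0, 2001, 300):          # last hello lands at 1800 ms
        edge.receive_hello("biz-internet", t)
    return edge.usable_colors(10000)       # ['mpls']
```

`detection_time_ms(1000, 7)` gives 7 seconds of silence before a tunnel is torn down, while `detection_time_ms(300, 3)` gives 900 ms; the second setting reroutes faster after a real failure, at the cost of declaring a path down after three lost packets on a congested Internet circuit, which is why the slide calls the timers customizable per WAN Edge and per color rather than fixed.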
Control Redundancy - vSmart
• vSmart controllers exchange OMP messages between themselves and have an identical view of the SD-WAN fabric
• WAN Edge routers connect to multiple vSmart controllers for redundancy
• Single vSmart controller failure has no impact, as long as there is another vSmart controller the WAN Edge routers are registered with
• If all vSmart controllers fail or become unreachable, WAN Edge routers will continue operating on the last known good state for a configurable amount of time (GR timer)
- No updates to reachability
- No IPSec rekey
- No policy changes propagation
[Diagram: vSmart controllers (control plane) above Branch, Campus, Cloud Data Center, Small Office/Home Office and Data Center sites (data plane) over 4G, MPLS and INET.]
Control Redundancy - vManage
• vManage servers form a cluster for redundancy and high availability
• All servers in the cluster act as active/active nodes
- All members of the cluster must be in the same DC / metro area
• For geo-redundancy, vManage servers operate in active/standby mode
- Not clustered
- Database replication between sites is needed
• Loss of all vManage servers has no impact on fabric operation
- No administrative changes
- No statistics collection
[Diagram: vManage cluster (management plane) above Branch, Campus, Cloud Data Center, Small Office/Home Office and Data Center sites (data plane) over 4G, MPLS and INET.]
Horizontal Solution Scale
[Diagram: Data Center, Campus, Branch and Home Office over 4G/LTE, MPLS and Internet; Control Plane (vSmart, containers or VMs), Management Plane (vManage, multi-tenant or dedicated) and Orchestration Plane (vBond).]
Horizontal Scale Out Model
• Add vSmart Controllers for more control plane capacity
• Create vManage cluster to accommodate more WAN Edge routers
• Add vBond Orchestrators to increase WAN Edge bringup capacity
• Choose WAN Edge platform with appropriate IPSec tunnel scale
• Use control policies to define VPN topologies, if needed to constrain the number of IPSec tunnels
Operations and Migration
Centralized Software Upgrades
• All software upgrades are performed centrally from vManage
• One or two stage upgrade
- Load software and reboot now
- Load software and reboot later
• Self-healing on upgrade failure
- Device will revert to the last good image
• There is no requirement to run the same software version on all elements
- Controllers should have higher software version than routers
[Diagram: WAN Edge holding one Active Software image and three Available Software images (A to D); steps 1 Activate, 2 Failed Upgrade, 3 Rollback.]
SD-WAN Transition Strategy
[Diagram: phased migration of Site A and Site B, starting with all Non-SDWAN sites over MPLS and Internet, through a mixed state where SDWAN sites coexist with Non-SDWAN sites, to all sites on SDWAN with the SD-WAN fabric secure tunnel across Internet and MPLS.]
Deployed Use Cases - Sample
Thank you