delivering cisco next generation sd-wan with viptela...cisco public. why should i care? real life...

Vedran Hafner, [email protected]

Delivering Cisco Next Generation SD-WAN with Viptela

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Why should I care?Real life examples

80 percent reduction in cost/Mbps for a US insurance provider.

$20 million reduction in OpEx over three years for a retailer.

5-fold improvement in Office 365 performance for an energy provider

4-fold improvement in application latency for a healthcare provider.

M&A integration in 2 weeks for a Fortune 50 healthcare provider.

Securely isolated 100+ business partners for a US manufacturer with more than 1.000 sites.

3


Cisco SD-WAN Solution helps you to:

1. Reduce Cost

2. Operate Faster with better Performance

3. Integrate Latest Cloud & Network Technologies

Key Message of our Presentation

4

Introduction


The WAN Has Changed

Data Center

Multi-Cloud

SaaS

Internet

SAAS

BranchWAN

UsersDevicesThings

INET

MPLS

Users Internet

MPLS

Branch WANData Center

6

SD-WAN Architecture


Cisco SD-WAN Architecture Overview

Data Center Campus Branch SOHO

4G/LTE

MPLS

Internet

Control Plane = vSmart(Containers or VMs)

Data Plane = Edge(vEdge or Cisco ISR/ASR)

Management = vManage(Multi-tenant or Dedicated)

Orchestration = vBond

Analytics

vManage

vSmart

WAN Edge

Orchestrator ZTP

API

Cloud

9


APIs

vSmart Controllers

vAnalytics 3rd PartyAutomation

vManage

Data Center Campus Branch SOHOCloud

vBond

vEdge Routers

4GMPLS

INET

• Orchestrates control and management plane

• First point of authentication (white-list model)

• Distributes list of vSmarts/ vManage to all vEdge routers

• Facilitates NAT traversal• Requires public IP Address [could

sit behind 1:1 NAT]• Highly resilient

Orchestration Plane

Cisco vBond

Cisco SD-WAN Solution ElementsOrchestration Plane


Management Plane

Cisco vManage

• Single pane of glass for Day0, Day1 and Day2 operations

• Multitenant with web scale• Centralized provisioning• Policies and Templates• Troubleshooting and Monitoring• Software upgrades• GUI with RBAC• Programmatic interfaces (REST,

NETCONF)

• Highly resilient

vSmart Controllers


vManage


vBond

vEdge Routers

4GMPLS

INET

APIs

Cisco SD-WAN Solution ElementsManagement Plane


Control Plane

Cisco vSmart

• Facilitates fabric discovery• Dissimilates control plane information

between vEdges• Distributes data plane and app-aware

routing policies to the vEdge routers• Implements control plane policies,

such as service chaining, multi-topology and multi-hop

• Dramatically reduces control plane complexity

• Highly resilient

vSmart Controllers


vManage


vBond

vEdge Routers

4GMPLS

INET

APIs

Cisco SD-WAN Solution ElementsControl Plane


Data PlanePhysical/Virtual

Cisco vEdge

• WAN edge router• Provides secure data plane with

remote vEdge routers• Establishes secure control plane

with vSmart controllers (OMP)• Implements data plane and

application aware routing policies• Exports performance statistics• Leverages traditional routing

protocols like OSPF, BGP and VRRP• Support Zero Touch Deployment• Physical or Virtual form factor

(100Mb, 1Gb, 10Gb)

APIs

vSmart Controllers


vManage


vBond

vEdge Routers

4GMPLS

INET

Cisco SD-WAN Solution ElementsData Plane


Controllers’ Deployment ModelsEnterprise IT

vManage

vSmart vBondPrivateCloud

Deploy

MSP Ops Team

vManage

vSmart vBondMSP

Cloud

Deploy

Cisco Cloud Ops

vManage

vSmart vBondCiscoCloud

Deploy

14


Controller Scale

vManage:• 2.000 Devices per single instance• Tested up to 6 vManage in a cluster

vSmart:• 5.400 Connections per single vSmart• Tested up to 20 vSmarts

vBond:• 1.500 Connections per single vBond• tested up to 6 vBonds

15


Cisco SD-WAN Platform Options

ISR 1000 ISR 4000 ASR 1000

High-performanceHW & SW redundancy

ModularIntegrated service containers

Next-genPerformance flexibility

Branch Services

Public Cloud

vEdge 2000

10 GbpsModular

vEdge 1000

Up to 1 GbpsFixed

vEdge 100

100 Mbps4G LTE & WiFi

SD-WAN

VirtualizationENCS 5100

20 Gbps, Modular

vEdge 5000

ENCS 5400

16

SD-WAN Fabric


• Overlay Management Protocol (OMP)• TCP based extensible control plane protocol• Runs between WAN Edge routers and vSmart

controllers and between the vSmart controllers- Inside authenticated TLS/DTLS connections

• Advertises control plane context and policies• Dramatically lowers control plane complexity and

raises overall solution scalevSmart vSmart

vSmart

WAN Edge WAN Edge

Note: WAN Edge routers need not connect to all vSmart Controllers

Unified Control Plane

VS

SD-WAN Traditional

O(n) Control Complexity O(n^2) Control Complexity18


Data Plane Liveliness and Quality

WAN Edge WAN Edge

WAN Edge

WAN Edge WAN Edge

• Bidirectional Forwarding Detection (BFD)

• Path liveliness and quality measurement- Up/Down, loss/latency/jitter, IPSec tunnel MTU

• Runs between all WAN Edge and WAN Edge Cloud routers in the topology

- Inside IPSec tunnels- Operates in echo mode- Automatically invoked at IPSec tunnel establishment- Cannot be disabled

• Uses hello (up/down) interval, poll (app-aware) interval and multiplier for detection

- Fully customizable per-WAN Edge, per-color

20


Common Data Plane Communication

Per-Session Load SharingActive/Active

INETMPLS

Default

Per-Session WeightedActive/Active

INETMPLS

Device Configurable

Application PinningActive/Standby

INETMPLS

Policy Enforced

Application Aware RoutingSLA Compliant

INETMPLS

SLA SLA

Policy Enforced

21

Common Enterprise Deployment Use Cases


Common Enterprise Deployment Use Cases

Critical Application SLA

Cloud onRamp for SaaS and IaaS

Secure Branch

23


Critical Applications SLA

Path1: 10ms, 0% loss, 5ms jitterPath2: 200ms, 3% loss, 10ms jitterPath3: 140ms, 1% loss, 10ms jitter

vManage App Aware Routing PolicyApp A path must have:

Latency < 150msLoss < 2%

Jitter < 10ms

WAN Edge Routers continuously perform path liveliness and quality measurements

Internet

MPLS

4G LTE

SD-WAN IPSec Tunnel

Remote Site Data CenterPath 2

Optimal Path MTUTCP Optimization

24


Secure Branch - Segmentation Security Zoning

Compliance

Guest Wi-Fi

Multi-Tenancy

Extranet

Full-Mesh Hub-and-Spoke Partial Mesh Point-to-Point

Per-VPN Topology

WAN Edge

VPN 3

VPN 1VPN 2

SD-WANIPSecTunnel

WAN Edge

25


Secure Branch - Zone Based Firewall

• VPNs as members

• Each VPN can be part of only one zone

• Any traffic going between two different zones will be dropped by default (implicit deny)

• Can inspect traffic within the same VPN

• Zone-pair policy can have Inspect, Drop or Pass action

Zone 1 Zone 2VPN

1VPN

2VPN

0

Zone 1 Zone 1VPN

1VPN

1

Zone 1 Zone 2VPN

1VPN

2

26


4GMPLSINET

SOHO

Branch

Campus

Data Center

CloudData Center

Secure Branch - Cloud Security

• Best suited for cloud SaaS applications

• Interoperates with Cloud onRamp for SaaS

• Augments native fabric security

• Can co-exist with on-premise L4-L7 security modes - VPN segmentation

3rd Party

27


Direct Internet Access

RegionalData Center

Remote Site

ISP1

SD-WANFabric

Data Center

• Can use one or more local DIA exits or backhaul traffic to the regional hub through the SD-WAN fabric and exit to Internet from there

- Per-VPN behavior enforcement

• VPN default route for all traffic DIA or data policy for selective traffic DIA

• Network Address Translation (NAT) on the WAN Edge router only allows response traffic back

- Any unsolicited Internet traffic will be blocked by IP table filters

• For performance based routing toward SaaSapplications use Cloud onRamp

Internet

ISP3

ISP2

MPLS


Cloud onRamp for SaaSDirect Internet Access

Quality Probing

RegionalData Center

Remote SiteISP2

ISP1

SD-WANFabric

Loss/Latency

!

Data Center

• Detect application performance through one or more Direct Internet Access circuits

• WAN Edge routers chose best performing path

- Per-Application, Per-VPN

• Automatic failover in case of performance degradation

• Fully automated

29


Cloud onRamp for SaaSDirect Internet Access and Gateways

Remote Site

SD-WANFabric

ISP2

ISP1

Loss/Latency

!

Data CenterMPLS

RegionalData Center

• Detect application performance through DIAs and gateways

- Customer/SP owned and operated- Security, performance, reliability

• WAN Edge routers chose best performing path

- Per-Application, Per-VPN

• Automatic failover in case of performance degradation

• Fully automated

Quality Probing

30


Cloud onRamp for IaaSEnd-to-End SD-WAN

Remote Site

SD-WANFabric

Branch

Campus

CloudData Center

Compute VPC/VNET

Compute VPC/VNET • WAN Edge Cloud routers are

instantiated in every VPC/VNET- Marketplace

• End-to-end SD-WAN fabric between sites and public cloud

- Multipathing, QoS and segmentation

• Shortest-path to Public Cloud

31


Regional Secure PerimeterSingle Service Insertion

• vEdge router with connected L4-L7 service makes advertisement

- Service route OMP address family- Service VPN label

• Service is advertised in specific VPN

• Service can be L3 routed or L2 bridged

• Service can be singly or dually connected (Firewall trust zones) to the advertising vEdge

• Control or data policies are used to insert the service node into the matching traffic forwarding path

- Match on 6-tuple or DPI signature- Applied on ingress/egress vEdge

* For data policy only. Control policy enforced on vSmart.

Data Center

Remote Office

Regional Hub

ServiceAdvertisement

PolicyAdvertisement*vSmart

VPN1

VPN1VPN1

Traffic PathControl Plane

FW

4GMPLS

INET


Regional Secure PerimeterMultiple Services Chaining

Data Center

Remote Office

• vEdge routers with connected L4-L7 service make advertisement

- Service route OMP address family- Services VPN labels

• Services are advertised in specific VPN

• Services can be L3 routed or L2 bridged

• Services can be singly or dually connected to the advertising vEdges

• Control or data policies are used to insert the service nodes into the matching traffic forwarding path

- Match on 6-tuple or DPI signature- Applied on ingress/egress/service vEdge

Regional Hub

vSmart

* For data policy only. Control policy enforced on vSmart.

VPN1

VPN1

VPN1

PolicyAdvertisement*

ServiceAdvertisement

FW IDS

Traffic PathControl Plane

4GMPLS

INET


Advance Security

High Availability, Redundancy and Scale


Site Redundancy - Routed Redundant pair of WAN Edge routers operate in

active/active mode WAN Edge routers are one or more Layer 3 hops away

from the hosts Standard OSPF or BGP routing protocols are running

between the redundant pair WAN Edge routers and the site router

Bi-directional redistribution between OMP and OSPF/BGP and vice versa on the WAN Edge routers

- OSPF DN bit, BGP SoO community Site router performs equal cost multipathing for remote

destinations across SD-WA Fabric- Can manipulate OSPF/BGP to prefer one WAN Edge router

over the other

WAN Edge A

Host

WAN Edge B

SiteRouter

SD-WANFabric


SD-WANFabric

Site Redundancy - Bridged

WAN Edge routers are Layer 2 adjacent to the hosts- Default gateway for the hosts

Virtual Router Redundancy Protocol (VRRP) runs between the two redundant WAN Edge routers

- Active/active when using multi-group (per-VLAN) VRRP Active WAN Edge responds to ARP requests for

the virtual IP with virtual MAC address In case of failover, VRRP standby WAN Edge router

assumes VRRP Active role

WAN Edge AVRRP Active

Host

WAN Edge BVRRP Standby

VRRP


Transport Redundancy - Meshed

MPLS Internet

WAN Edge routers are directly connected to all the transports

- No need for L2 switches front-ending the WAN Edge routers

When transport goes down, WAN Edge routers detect the condition and bring down the tunnels built across the failed transport

- BFD times out across tunnels

Both WAN Edge routers still draw the traffic for the prefixes available through the SD-WAN fabric

If one of the WAN Edge routers fails (dual failure), second WAN Edge router takes over forwarding the traffic in and out of site

- Both transport are still available

WAN EdgeWAN Edge


Transport Redundancy – TLOC Extension

MPLS Internet

WAN EdgeWAN Edge

WAN Edge routers are connected only to their respective transports

WAN Edge routers build IPSec tunnels across directly connected transports and across the transports connected to the neighboring WAN Edge router

- Neighboring WAN Edge router acts as an underlay router for tunnels initiated from the other WAN Edge

If one of the WAN Edge routers fails (dual failure), second WAN Edge router takes over forwarding the traffic in and out of site

- Only transport connected to the remaining WAN Edge router can be used


Path and Remote-End Redundancy

WAN Edge routers leverage BFD for detecting tunnel liveliness

• If intermediate network path through the SD-WAN fabric fails or if the remote-end WAN Edge router (e.g. data center) fails, BFD hellos will time out and remote site WAN Edge router will bring down its relevant IPSec tunnels

• Traffic will be rerouted after the failed condition had been detected

- BFD hello timer and multiplier can be tweaked for faster detection

InternetMPLS

Data Center

RemoteSite


Control Redundancy - vSmartvSmart

Controllers

Data Plane

Control Plane

vSmart controllers exchange OMP messages between themselves and they have identical view of the SD-WAN fabric

WAN Edge routers connect to multiple vSmartcontrollers for redundancy

Single vSmart controller failure has no impact, as long as there is another vSmart controller WAN Edge routers are registered with

If all vSmart controllers fail or become unreachable, WAN Edge routers will continue operating on a last known good state for a configurable amount of time (GR timer)

- No updates to reachability- No IPSec rekey- No policy changes propagation

4GMPLS

INET

BranchCampus

CloudData Center

Small OfficeHome Office

Data Center


Control Redundancy - vManagevManage

Cluster vManage servers form a cluster for redundancy and high availability

All servers in the cluster act as active/active nodes- All members of the cluster must be in the same DC

/ metro area

For geo-redundancy, vManage servers operate in active/standby mode

- Not clustered- Database replication between sites is needed

Loss of all vManage servers has no impact on fabric operation

- No administrative changes- No statistics collection

4GMPLS

INET

BranchCampus

CloudData Center

Small OfficeHome Office

Data Center

Data Plane

Management Plane


Horizontal Solution Scale

Data Center Campus Branch Home Office

4G/LTE

MPLS

Internet

Control Plane (Containers or VMs)

(vSmart)

Management Plane(Multi-tenant or Dedicated)

(vManage)

Orchestration Plane(vBond)

Horizontal Scale Out Model

Add vSmart Controllers for more control plane capacity

Create vManage cluster to accommodate more WAN Edge routers

Add vBond Orchestrators to increase WAN Edge bringup capacity

• Choose WAN Edge platform with appropriate IPSec tunnel scale

• Use control policies to define VPN topologies, if needed to constrain the number of IPSec tunnels

Operations and Migration

• All software upgrades are performed centrally from vManage

• One or two stage upgrade- Load software and reboot now- Load software and reboot later

• Self-healing on upgrade failure- Device will revert to the last good image

• There is no requirement to run the same software version on all elements- Controllers should have higher software version

than routers

Centralized Software Upgrades

Active Software

Available Software

Available Software

Available Software

A

B

C

D

Activate Rollback

WAN Edge

1

2

3

FailedUpgrade


SD-WAN Transition Strategy

SD-WAN Fabric Secure Tunnel

MPLS Internet

Non-SDWAN

Non-SDWAN SDWAN

SDWAN

Site B

Site A

Non-SDWAN

Non-SDWAN

Internet

Site B

Site A

MPLS

SDWAN

SDWAN

InternetMPLS

Site B

Site A

SDWAN

SDWAN

SDWAN

SDWAN

54


Deployed Use Cases - Sample

Thank you

delivering cisco next generation sd-wan with viptela...cisco public. why should i care? real life...

Documents