
Cisco Connect Halifax 2018 Understanding Cisco's next generation sd-wan solution with viptela

Published in: Technology
  1. Understanding Cisco’s Next Generation SD-WAN Solution with Viptela. Francis Girard, TSA, April 2018. Cisco Connect: Your Time Is Now. © 2018 Cisco and/or its affiliates. All rights reserved.
  2. Digital Innovation in the Branch & WAN
     • 90% of revenue is generated in the branch
     • More threats: 30% of advanced threats will target branch offices by 2016 (up from 5%)
     • More users: 80% of employees and customers are served in branch offices
     • More devices: 73% growth in mobile devices from 2014-2018
     • More apps: 20-50% increase in enterprise bandwidth per year through 2018
     • 30B IoT devices connected to the internet by 2020
     • Up to 50% annual increase in enterprise bandwidth and video adoption
     • 10B mobile-connected devices by 2019
     • 80% of organizations primarily use public cloud by 2019
  3. Software Defined WAN
     • Hybrid WAN transport: MPLS (IP-VPN) and Internet, with IPsec secure branch connectivity and Direct Internet Access
     • Reaches private cloud, virtual private cloud and public cloud
     • Application optimization, secure connectivity, efficient and dynamic load sharing, agnostic WAN transport, simplified management, operation and orchestration
  4. Software Defined WAN Business Case
     • Cost: substitute higher cost links or devices for lower cost; lower cost of management and troubleshooting; leverage Complete Communications for financial analysis
     • Agility: focus on how automation and policy abstraction empower the organization to innovate faster while transforming the customer and workforce experience
     • Visibility: provide quantifiable metrics associated with expedited mean time to detection, mean time to innocence and mean time to repair
     • Performance: quantify frequency and cost associated with outages; reduce the number of outages affecting user performance; improve application performance
     • Security: application relevant topologies; segmented virtual WANs and security service chains
  5. Why Did Cisco Buy Viptela?
     • Cloud-first management with flexible deployment options
     • Accelerates key SD-WAN use cases: cloud-edge and segmentation
     • Sophisticated, but still simple to deploy and operate
     • Complements Cisco’s Enterprise Networks architecture strategy (Cisco Digital Network Architecture)
  6. Cisco’s New SD-WAN Architecture
  7. Common WAN Topologies: Design and Deployment Considerations (Design Challenges with Growing Needs and New Innovation)
     • Things to consider with a redundant link: administrative distance, filtering, summarization, traffic engineering and path preference
     • Dual-router designs further complicate things by introducing redistribution, advanced filtering techniques and the potential for loops
  8. Business Driven WAN Infrastructure
     • Application policies: per-segment topologies, cloud path (IaaS), application SLA, secure perimeter, traffic engineering, transport hub, cloud acceleration (SaaS)
     • Services delivery platform: zero touch, zero trust, QoS, security, segmentation, service insertion, survivability, routing, multicast
     • Transport independent fabric: broadband, cellular, MPLS
     • Analytics, monitoring, operations
  9. Cisco SD-WAN Solution Overview
     • Sites: data center, campus, branch, home office, connected over 4G, Internet and MPLS transports
     • Orchestration plane: vBond
     • Management plane: vManage (multi-tenant or dedicated), exposing an API
     • Control plane: vSmart (containers or VMs)
     • Data plane: vEdge (physical or virtual)
     • Analytics: vAnalytics
  10. Orchestration Plane: Cisco vBond
     • Orchestrates connectivity between management, control and data plane
     • First point of authentication
     • Requires a public IP address
     • Facilitates NAT traversal
     • All other components need to know the vBond IP or DNS information
     • Authorizes all control connections (white-list model)
     • Distributes the list of vSmarts to all vEdges
  11. Management Plane: Cisco vManage
     • Single pane of glass for Day0, Day1 and Day2 operations
     • Real time alerting
     • Centralized provisioning
     • Configuration standardization
     • Simplicity of deploying and simplicity of change
     • Supports REST API, CLI, Syslog, SNMP and NETCONF
  12. Control Plane: Cisco vSmart
     • Centralized brain of the solution
     • Facilitates fabric discovery
     • Establishes OMP peering with all vEdges
     • Implements control plane policies, such as service chaining, traffic engineering and per-VPN topology
     • Dramatically reduces complexity of the entire network
     • Distributes connectivity information between vEdges
     • Orchestrates secure data plane connectivity between vEdges
  13. Data Plane: Cisco vEdge (physical/virtual)
     • WAN edge router
     • Provides secure data plane with remote vEdge routers
     • Establishes secure control plane with vSmart controllers (OMP)
     • Implements data plane and application aware routing policies
     • Exports performance statistics
     • Leverages traditional routing protocols like OSPF and BGP
     • Layer 2 redundancy with VRRP
     • Supports Zero Touch Deployment
     • Physical or virtual form factor (100Mb, 1Gb, 10Gb)
  14. Cisco SD-WAN Solution
  15. Secure Segmentation: End-to-End Segmentation
     • SD-WAN IPsec tunnel encapsulation between ingress and egress vEdge: IP header (20), UDP (8), ESP (36), VPN label (4), then data (sizes in bytes)
     • Segment connectivity across the fabric without reliance on the underlay transport
     • vEdge routers maintain a per-VPN routing table
     • Labels are used to identify the VPN for the destination route lookup
     • Interfaces and sub-interfaces (802.1Q tags) are mapped into VPNs (VLANs on the ingress and egress interfaces mapped to VPN1 and VPN2 in the diagram)
  16. Application Aware Topologies: Arbitrary VPN Topologies
     • VPN1 full-mesh, VPN2 hub-and-spoke, VPN3 partial mesh, VPN4 point-to-point
     • Example drivers: unified communications, security compliance, regional services, partner connectivity
     • Leverage control policies to influence per-VPN topology
  17. Application Quality Probing and Cloud onRamp for SaaS (SaaS Optimization)
     • Diagram: remote site, regional hub and data center; loss/latency is probed over ISP1, ISP2 and MPLS across the SD-WAN fabric toward the SaaS application
  18. L4-L7 Service Insertion: Regional Secure Perimeter
     • Diagram: data center, remote office and regional hub connected over MPLS, INET and 4G; a firewall (FW) at the regional hub advertises the L4-L7 service, vSmart advertises the policy*, and the VPN1 traffic path is steered through the firewall
     • Can chain numerous L4-L7 services
     • * For data policy only. Control policy is enforced on vSmart.
  19. Embedded Application Recognition: Deep Packet Inspection
     • Deep Packet Inspection engine on the vEdge router recognizes applications (App 1, App 2, ... App 3,000) for cloud data center, data center, campus, branch, small office and home office sites over MPLS, INET and 3G/4G
     • Primary use cases: application visibility, application firewall, traffic prioritization, transport selection, analytics
  20. Application and Performance Visibility: Deep Packet Inspection
     • Embedded Deep Packet Inspection engine
     • Application and flow level visibility for the fabric and individual vEdge routers
     • Centralized statistics and performance
     • Export flow level data (IPFIX) to an external collector
  21. A Flexible Model for Applications Over the WAN
     • Per-session load sharing (active/active)
     • Per-session weighted (active/active)
     • Application pinning (active/standby)
     • Application aware routing (SLA compliant)
     • Single-hop fabric and hierarchical multihop fabric (core)
  22. Critical Applications SLA: Path Quality Detection and Routing
     • Enforce an SLA compliant path for applications of interest
     • Other applications will follow fabric routing across all paths
     • Diagram: vEdge1 and vEdge2 are connected by IPsec tunnels over Internet, MPLS and 4G LTE; the control plane (vSmart controllers, policy from vManage) sees Path1: 10ms latency, 0% loss, 5ms jitter; Path2: 200ms latency, 3% loss, 10ms jitter; Path3: 140ms latency, 1% loss, 10ms jitter
     • App Aware Routing Policy: App A path must have latency < 150ms, loss < 2%, jitter < 10ms
  23. Protecting Critical Applications While Increasing Link Efficiency
     • Multimedia and Critical Data Policy: protect voice and video quality (latency < 150 ms, jitter < 20 ms); protect email applications from WAN congestion (loss < 5%); voice and video preferred path SP1; email preferred path ISP; increase utilization by load sharing
     • Business App and Load-Balancing Policy: protect transactional business app from brownouts (delay < 250ms); preferred path MPLS; increase WAN bandwidth efficiency by load-sharing traffic over all WAN paths, MPLS + Internet
     • Diagram: business app, best-effort traffic, voice and video, and email across MPLS and Internet, with "high delay detected" and "high jitter detected" events on the links
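The path-selection logic slides 22 and 23 describe (measure each tunnel, keep only the paths that satisfy the application's SLA, prefer a named transport, and fall back to ordinary fabric routing when nothing complies) is shown below as an added example written for this page; it is not Cisco or Viptela code. The thresholds are the ones printed on the slides, the strict comparisons follow the slides' "latency < 150ms" wording, and the mapping of Path1/2/3 to MPLS, 4G LTE and Internet (with SP1 read as MPLS and ISP as Internet for slide 23) is a constructed assumption, as is the rule that a compliant preferred transport is used alone.

```go
package main

import (
	"fmt"
	"math"
)

// PathStats is the measured quality of one tunnel path. In the product these come
// from BFD probing; the values used below are constructed from slide 22.
type PathStats struct {
	Name      string
	Transport string // constructed mapping: which transport the tunnel rides
	LatencyMs float64
	LossPct   float64
	JitterMs  float64
}

// SLAClass holds the per-application thresholds from slides 22 and 23. The slides
// write strict comparisons ("latency < 150ms"), so compliance uses "<"; a
// threshold of +Inf means the policy does not constrain that metric.
type SLAClass struct {
	App                string
	MaxLatencyMs       float64
	MaxLossPct         float64
	MaxJitterMs        float64
	PreferredTransport string // "" when the policy names no preferred path
}

// Compliant reports whether a path satisfies every threshold of the class.
func (c SLAClass) Compliant(p PathStats) bool {
	return p.LatencyMs < c.MaxLatencyMs && p.LossPct < c.MaxLossPct && p.JitterMs < c.MaxJitterMs
}

// SelectPaths returns the path names the application may use and whether an
// SLA-compliant path exists. A compliant preferred transport is used alone
// (assumption); otherwise all compliant paths are load-shared; if nothing
// complies the application falls back to fabric routing across all paths.
func SelectPaths(c SLAClass, paths []PathStats) ([]string, bool) {
	var compliant []string
	for _, p := range paths {
		if !c.Compliant(p) {
			continue
		}
		if p.Transport == c.PreferredTransport {
			return []string{p.Name}, true
		}
		compliant = append(compliant, p.Name)
	}
	if len(compliant) > 0 {
		return compliant, true
	}
	all := make([]string, 0, len(paths))
	for _, p := range paths {
		all = append(all, p.Name)
	}
	return all, false
}

var unconstrained = math.Inf(1)

// Policies as printed on the slides. SP1 is treated as the MPLS transport and
// ISP as the Internet transport (assumption for the example).
var (
	AppA        = SLAClass{App: "App A", MaxLatencyMs: 150, MaxLossPct: 2, MaxJitterMs: 10}
	VoiceVideo  = SLAClass{App: "Voice and Video", MaxLatencyMs: 150, MaxLossPct: unconstrained, MaxJitterMs: 20, PreferredTransport: "MPLS"}
	Email       = SLAClass{App: "Email", MaxLatencyMs: unconstrained, MaxLossPct: 5, MaxJitterMs: unconstrained, PreferredTransport: "Internet"}
	BusinessApp = SLAClass{App: "Business App", MaxLatencyMs: 250, MaxLossPct: unconstrained, MaxJitterMs: unconstrained, PreferredTransport: "MPLS"}
)

// SlidePaths returns the three measured paths of slide 22. The transport
// assigned to each path is constructed for the example, not stated on the slide.
func SlidePaths() []PathStats {
	return []PathStats{
		{Name: "Path1", Transport: "MPLS", LatencyMs: 10, LossPct: 0, JitterMs: 5},
		{Name: "Path2", Transport: "4G LTE", LatencyMs: 200, LossPct: 3, JitterMs: 10},
		{Name: "Path3", Transport: "Internet", LatencyMs: 140, LossPct: 1, JitterMs: 10},
	}
}

func main() {
	paths := SlidePaths()
	for _, c := range []SLAClass{AppA, VoiceVideo, Email, BusinessApp} {
		chosen, ok := SelectPaths(c, paths)
		fmt.Printf("%-18s compliant=%-5v paths=%v\n", c.App, ok, chosen)
	}
	// Brownout: Path1 now breaches App A's latency bound and Path3 already fails
	// the strict jitter bound, so App A falls back to fabric routing on all paths.
	degraded := SlidePaths()
	degraded[0].LatencyMs = 300
	chosen, ok := SelectPaths(AppA, degraded)
	fmt.Printf("%-18s compliant=%-5v paths=%v\n", "App A (brownout)", ok, chosen)
}
```

Note that Path3 is not compliant for App A even though its latency and loss are within bounds: its 10ms jitter equals the bound and the policy says "jitter < 10ms". Whether a given product treats the bound as inclusive is something to confirm against its documentation before relying on it in a design.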
  24. Application Optimization: TCP Performance Optimization
     • High latency path between users and servers, i.e. geo-distances
     • vEdge routers terminate TCP sessions and provide local acknowledgements to prevent TCP windowing from reacting
     • Selective acknowledgements prevent unnecessary retransmission of successfully received segments
     • Hosts using old TCP/IP stacks will see the most benefit
     • Diagram: TCP connections from the users to the first vEdge, optimized TCP connections (Cubic) across the SD-WAN fabric over the high latency path, and TCP connections from the second vEdge to the servers
  25. Cisco SD-WAN Management and Operation
  26. vEdge and Controllers White-List
     • The administrator adds controllers (vSmarts and vBonds) on the vManage; this can trigger CSR generation, forwarding to Symantec, retrieval and installation of the signed certificate back into the controllers
     • The controllers list is distributed by vManage to all the controllers
     • The digitally signed vEdge list is provided by Viptela and uploaded into vManage by the administrator (downloadable from the Viptela support page)
     • The vEdge list is distributed by vManage to all the controllers
     • Diagram: the signed vEdge list and the administrator defined controllers flow from vManage to vSmart and vBond
  27. Zero Touch Provisioning: Plug-n-Play vEdge Secure Bring-up (Zero Trust)
     • Elements in the flow: vEdge list (white-list), vEdge configuration template, vManage, vBond, vSmart, ZTP server, administrator, installer
     • Bring-up inputs: power and network connection (installer), DHCP, device identity (X.509 certificate in the TPM), trust established against the white-list
  28. vEdge Appliance: Router Identity
     • Each physical vEdge router is uniquely identified by the chassis ID and certificate serial number
     • The device certificate is stored in the onboard Tamper Proof Module (TPM) chip: installed during the manufacturing process, signed by the Avnet root CA, trusted by control plane elements
     • The Symantec root CA chain of trust is used to validate control plane elements; alternatively, if used, an Enterprise root CA chain of trust can validate control plane elements, and it can be automatically installed during ZTP
     • Root chain: installed during manufacturing, in Viptela software; device certificate: TPM chip
  29. vEdge Cloud: Router Identity
     • An OTP/token is generated by vManage, one per (chassis ID, serial number) in the uploaded vEdge list
     • The OTP/token is supplied to vEdge Cloud in Cloud-Init during the VM deployment
     • vManage issues a self-signed certificate for the vEdge Cloud after OTP/token validation, and removes the OTP to prevent reuse
     • The Symantec root CA chain of trust is used to validate control plane elements; alternatively, if used, an Enterprise root CA chain of trust can validate control plane elements and can be provided in Cloud-Init
     • Root chain: in Viptela software; device certificate: issued by vManage
  30. Certificate-Based Trust
     • Bi-directional certificate-based trust between all elements (vEdge, vBond, vManage, vSmart), using public or enterprise PKI
     • White-list of valid vEdges and controllers (signed vEdge list, administrator defined controllers), with the certificate serial number as the unique identification
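Slides 26 through 30 describe two independent gates a vEdge must pass before a controller accepts its control connection: its certificate must chain to a trusted root, and its (chassis ID, certificate serial number) pair must be on the signed white-list. The Go program below is an added example written for this page, not Cisco or Viptela code, that models both gates with the standard library: an in-memory root stands in for the manufacturing, Symantec or enterprise root named on the slides, the chassis ID is carried in the certificate's common name (an assumption made for the example), and the white-list entries and device names are constructed. The three admissions show a listed device being accepted, a device signed by an unknown root being rejected even though its chassis ID and serial are on the list, and a device with a valid chain but no list entry being rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// AllowedDevice is one entry of the signed vEdge list: the chassis ID and the
// certificate serial number that together identify a router (slides 28 and 30).
type AllowedDevice struct {
	ChassisID string
	Serial    *big.Int
}

// newRootCA creates an in-memory root CA. It stands in for the manufacturing
// root (Avnet), the Symantec root or an enterprise root named on the slides.
func newRootCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueDeviceCert models the certificate installed in the router at manufacturing:
// the subject CN carries the chassis ID (assumption), the serial is the identity.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, chassisID string, serial int64) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: chassisID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
}

// Authorize is the admission check a controller performs on a connecting vEdge:
// the presented certificate must chain to a trusted root AND its (chassis ID,
// serial) pair must appear on the signed white-list. Either failure rejects.
func Authorize(roots *x509.CertPool, allow []AllowedDevice, certDER []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("untrusted certificate chain: %w", err)
	}
	for _, a := range allow {
		if a.ChassisID == cert.Subject.CommonName && a.Serial.Cmp(cert.SerialNumber) == 0 {
			return nil
		}
	}
	return errors.New("device not on white-list: " + cert.Subject.CommonName)
}

// RunScenario builds a constructed PKI and returns the outcome of three admissions:
// a listed device, a device signed by an unknown root, and an unlisted device.
func RunScenario() (listed, rogueRoot, unlisted error) {
	trustedCA, trustedKey, err := newRootCA("constructed-manufacturing-root")
	if err != nil {
		return err, err, err
	}
	otherCA, otherKey, err := newRootCA("constructed-unknown-root")
	if err != nil {
		return err, err, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA) // only the manufacturing root is trusted
	allow := []AllowedDevice{{ChassisID: "vedge-A1", Serial: big.NewInt(1001)}} // constructed list entry

	good, err1 := issueDeviceCert(trustedCA, trustedKey, "vedge-A1", 1001)
	fake, err2 := issueDeviceCert(otherCA, otherKey, "vedge-A1", 1001)
	extra, err3 := issueDeviceCert(trustedCA, trustedKey, "vedge-B7", 2002)
	for _, e := range []error{err1, err2, err3} {
		if e != nil {
			return e, e, e
		}
	}
	return Authorize(roots, allow, good), Authorize(roots, allow, fake), Authorize(roots, allow, extra)
}

func main() {
	l, r, u := RunScenario()
	fmt.Println("listed device:   ", l)
	fmt.Println("unknown root:    ", r)
	fmt.Println("unlisted device: ", u)
}
```

The order of the checks matters for the operational picture the slides paint: chain validation proves the certificate was issued by a root the fabric trusts, and the white-list proves the operator actually authorised that particular chassis, so a valid manufacturer certificate alone is not enough to join.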
  31. Cisco SD-WAN VPNs: vEdge Router Security Zones
     • Transport (VPN0) toward MPLS and INET; Service (VPNn) on interfaces and sub-interfaces; Management (VPN512) on its own interface
     • VPNs are isolated from each other; each VPN has its own forwarding table
     • Reachability within a VPN is advertised by OMP
  32. Software Defined Centralized Control
     • Virtual fabric over any transport
     • Virtual or physical platforms (vEdge)
     • Centralized reachability, security and application policies
     • Secure channel to the SD-WAN controllers (vSmart, vBond, vManage): a single extensible control plane operating over DTLS/TLS authenticated and secured tunnels
     • Dramatically lowers complexity and increases overall solution scale: legacy control plane O(n^2) complexity versus SD-WAN O(n) complexity
  33. Overlay Management Protocol (OMP): Unified Control Plane
     • Runs on top of TCP; extensible control plane protocol
     • Runs between vEdge routers and vSmart controllers and between the vSmart controllers, inside TLS/DTLS connections
     • Advertises control plane context
     • Note: vEdge routers need no control connections amongst themselves
  34. Fabric Operation: Fabric Walk-Through
     • Sites A (VPN1) and B (VPN2) sit behind one vEdge, C (VPN1) and D (VPN2) behind the other; their prefixes are learned via BGP, OSPF, connected and static routes
     • Each vEdge sends OMP updates to vSmart over the DTLS/TLS tunnel and vSmart relays them to the other vEdge: reachability (IP subnets, TLOCs), security (encryption keys), policy (data/app-route policies)
     • IPsec tunnels, monitored by BFD, run between the vEdges over Transport1 and Transport2
  35. Data Plane Security: Encryption
     • Each vEdge advertises its local IPsec encryption keys in OMP updates to the vSmart controllers; the encryption key is per-transport (Transport1, Transport2)
     • Symmetric encryption keys are used asymmetrically: traffic in one direction is encrypted with keys 1 / 2, traffic in the other direction with keys 1’ / 2’
     • Diagram labels: control plane, AES256-GCM
  36. Policy Driven WAN Infrastructure: Policy Augmented Dynamic Routing
     • 1. vManage GUI: policy orchestration; policies are combined and applied per site
     • 2. vSmart controller: policy enforcement/advertisement; executes control policy (routing and services) and advertises AAR/data policies to sites
     • 3. vEdge WAN router (access layer, branch/DC): executes AAR and data policy as received; data policy provides extensive policy-based routing and services, app-route policy provides app-aware SLA-based routing
     • Dynamic routing and policies combine to dictate behavior
  37. Policy Framework: Centralized and Localized Policies
     • Centralized policies, defined on vManage and distributed through vSmart via OMP: centralized control policy (fabric routing), centralized data policy (fabric data plane), centralized app-aware policy (application SLA)
     • Localized policies, delivered in the device configuration via NETCONF/YANG: local control policy (OSPF/BGP), local data policy (QoS/mirror/ACL)
  38. Template-Based Configurations: Centralized Device Configuration Enforcement
     • Templates are attached to provisioned vEdge routers
     • Variables are used for rapid bulk configuration rollout with unique per-device settings
     • Local configuration changes are not allowed, which prevents configuration drift
  39. Self-Healing Software Upgrade and Configuration Change
     • Software upgrade on a vEdge router (active software A, available software B, C, D): 1 activate the new image, 2 the upgrade fails, 3 rollback to the previous image
     • Configuration change: 1 vManage attaches a template to the vEdge router, 2 connectivity is lost, 3 rollback
  40. Single Pane of Glass Operations: vManage GUI
     • Intuitive GUI driven operations: management, monitoring and troubleshooting
     • Cloud delivered: private, hosted or managed
     • Single or multi-tenant
     • Role-based access control
     • Clustered for scale and high availability
     • REST API based
  41. vAnalytics Dashboard
  42. Cisco SD-WAN Elements
  43. Summary: Solution Elements (Orchestration, Control, Data and Management Planes)
     • Control plane, Cisco vSmart: facilitates fabric discovery; disseminates control plane information between vEdges; distributes data plane and app-aware routing policies to the vEdge routers; implements control plane policies, such as service chaining, multi-topology and multi-hop; dramatically reduces control plane complexity; highly resilient
     • Data plane, Cisco vEdge (physical/virtual): WAN edge router; provides secure data plane with remote vEdge routers; establishes secure control plane with vSmart controllers (OMP); implements data plane policies; exports performance statistics; leverages traditional routing protocols like OSPF, BGP and VRRP; supports Zero Touch Deployment; physical or virtual form factor (100Mb, 1Gb, 10Gb)
     • Management plane, Cisco vManage: single pane of glass for Day0, Day1 and Day2 operations; centralized provisioning; policies and templates; troubleshooting and monitoring; software upgrades; GUI with RBAC; programmatic interfaces (REST, NETCONF); NMS interfaces (SNMP, Syslog, IPFIX)
     • Orchestration plane, Cisco vBond: orchestrates control and management plane; first point of authentication (white-list model); distributes the list of vSmarts/vManage to all vEdge routers; facilitates NAT traversal; requires a public IP address (could sit behind 1:1 NAT); highly resilient
  44. Cisco vEdge Routers Portfolio
     • vEdge 100 family: branch/SOHO/SMB (100Mb)
     • vEdge 1000: branch/campus (1Gb)
     • vEdge 2000: campus/data center (10Gb)
     • vEdge 5000: campus/data center (20Gb+)
     • vEdge Cloud on greybox or whitebox: NFV, vCPE (N x cores)
     • vEdge Cloud: IaaS & cloud interconnect (N x cores)
  45. vEdge-100 Routers: Small Office, Home Office Edge
     • vEdge 100: 100 Mbps AES-256; 5x 1000Base-T; TPM chip; security, QoS; external AC PS; Kensington lock; fan-less; 9” x 1.75” x 5.5”; GPS
     • vEdge 100m: 100 Mbps AES-256; 1RU; 5x 1000Base-T; 1x POE port; 2G/3G/4G LTE; internal AC PS; 1x USB-3.0; TPM Board-ID; Kensington lock; low power fan; GPS
     • vEdge 100mw: 100 Mbps AES-256; 1RU; 5x 1000Base-T; 1x POE port; 2G/3G/4G LTE; 802.11a/b/g/n/ac; internal AC PS; 1x USB-3.0; TPM Board-ID; Kensington lock; low power fan; GPS
  46. vEdge-1000 and vEdge-2000 Routers: Campus and Data Center Edge
     • vEdge 1000: 1 Gbps AES-256; 1RU, standard rack mountable; 8x GE SFP (10/100/1000); TPM chip; 3G/4G via USB (or) Ethernet; security, QoS; dual power supplies (external); low power consumption
     • vEdge 2000: 10 Gbps AES-256; 1RU, standard rack mountable; 4x fixed GE SFP (10/100/1000); 2 pluggable interface modules (8 x 1GE SFP (10/100/1000) or 2 x 10GE SFP+); TPM chip; 3G/4G via USB (or) Ethernet; security, QoS; dual power supplies (internal); redundant fans
  47. vEdge 5000: Campus and Data Center Edge
     • Platform capabilities: 4 Network Interface Module (NIM) slots; variety of NIM options (8 x 1G, 4 x 10G, 2 x 40G); feature parity with the Cisco vEdge 2000 platform
  48. vEdge Cloud Virtual Routers: Virtualized Branch or Cloud
     • On-premise: vEdge Cloud VMs on a physical server running ESXi or KVM
     • Hosted: vEdge Cloud VMs on AWS or Azure
     • Throughput: 2x vCPU 500Mb/s; 4x vCPU 1Gb/s; 8x vCPU 1.5Gb/s
  49. Controllers: Cloud or On-Premise Delivered
     • On-premise: vManage, vSmart (in a vContainer) and vBond* as VMs on a physical server running ESXi or KVM
     • Hosted: vManage, vSmart (vContainer) and vBond as VMs on AWS or Azure
     • * vBond can be deployed as a physical vEdge appliance
  50. Cisco SD-WAN Scale
  51. Scalability: Data Plane and IPsec
     • IPsec tunnels: vEdge100 250; vEdge1000 1500; vEdge2000 6000
     • Max aggregated throughput: vEdge-100 100MB AES-256 full duplex; vEdge-1000 1GB AES-256 full duplex; vEdge-2000 10GB AES-256 full duplex
     • Max number of concurrent VPNs: 64 (vpn 0 and vpn 512 included)
     • Overlay tunnels are static, based on policy; they are not dynamically generated on demand
  52. Scalability: Orchestration/Control/Management Plane
     • Orchestration plane (vBond): 2000 vEdges per vBond; redundancy by adding 1-2 vBonds; horizontal scale-out model
     • Control plane (vSmart, containers or VMs): 2700 vEdges per vSmart; redundancy by adding 1-2 vSmarts; horizontal scale-out model
     • Management plane (vManage, multi-tenant or dedicated): 2700 vEdges per vManage; horizontal scale-out model in cluster mode (same DC)
     • Sites: data center, campus, branch, home office over 4G/LTE, MPLS and Internet
  53. Pricing Model
     • Cost components: perpetual cost of Cisco SD-WAN CPE hardware; subscription cost of Cisco SD-WAN software (includes SD-WAN controller + CPE software); operational cost of the Cisco SD-WAN solution
     • 1. Subscription* license (1YR, 3YR and 5YR) for Cisco SD-WAN software charged per CPE; this cost depends on two factors: service bandwidth and features
     • 2. Perpetual cost of the Cisco SD-WAN CPE** element
     • *Note: the subscription cost of Viptela software includes the cost of SD-WAN controllers, 24x7x365 Cisco SD-WAN support, next day hardware replacement for Cisco SD-WAN CPE, software upgrades on all components and the cost of hosting the Cisco SD-WAN controllers in the Cisco SD-WAN cloud
     • **Note: CPE can be Cisco SD-WAN owned or, in the case of virtual CPE, customer owned. Cost here implies Cisco SD-WAN CPE only
  54. Licensing Tiers (license terms: 1, 3, 5 years)
     • Plus: fabric (management, controllers, ZTP); routing: static; topology: hub-n-spoke only; Internet/cloud: NAT, split tunnel, IPsec IKEv1/v2, GRE; policy: local ACL only, data policy; QoS; SLA: application aware routing (5-tuple only); segmentation: 2 VPNs (service + transport); visibility: DPI for visibility only; support: 24x7x365, NBD RMA
     • Professional: all Plus tier features; routing: dynamic routing (OSPF/BGP); topology: mesh topology, any; Internet/cloud: Cloud onRamp for IaaS/SaaS; policy: control policy, service insertion, extranet; segmentation: 5 VPNs (transport + 4x service); SLA: application aware routing (DPI); multicast
     • Enterprise: all Professional tier features; segmentation: unlimited VPNs; analytics: vAnalytics platform; optimizations: TCP optimization
     • Diagrams: Plus shows a hub with spokes over MPLS and Internet with local breakout, SD-WAN management and controllers, and AAR; Professional adds dynamic routing, IaaS cloud and SaaS spokes and E2E segmentation; Enterprise adds analytics
  55. Use Cases & Deployments: Supporting a diverse set of topologies and architectures at scale
     • Segmentation & multi-topology (technology use cases: M&A, line-of-business separation, partner network): independent and isolated virtual topologies operating at the same time, e.g. user traffic in VPN1 and video traffic in VPN2 across a virtual fabric over MPLS and Internet between Site A, Site B and the data center (Viptela vEdge at each site)
     • Fully managed WAN with centralized control: WAN; NAC & MDM; DC CoLo; enterprise NOC & access control; data center CoLo & DMZ; public cloud & network services; branch routing & switching; unified communications; enterprise wireless; WAN optimization & caching
  56. Better Together: Leading Routing & SD-WAN Platforms
     • Goal: building next generation SD-WAN solutions together, helping businesses and IT to innovate faster, securing and delivering better customer outcomes, while reducing costs and lowering risk
     • Cloud-managed & feature-rich SD-WAN
  57. Choosing the Appropriate SD-WAN Solution
     • Advanced SD-WAN: cloud and OnRamp; more than two active transports or active LTE; comprehensive WAN connectivity & services; complex topologies; custom policies at scale; advanced routing & segmentation; native dynamic cloud application acceleration
     • SD-WAN Common: hybrid WAN; L3 overlay for hub-spoke deployments; dynamic path selection; cloud-managed; zero touch deployment with templates and an easy to use dashboard
     • Single Dashboard: single pane-of-glass management for full stack infrastructure across the branch; existing Meraki customers evaluating SD-WAN; competitive pricing pressure; integrated branch security and network connectivity solution
  58. Now What About IWAN
     • Cisco IWAN has over 200,000 sites deployed or in deployment
     • No plans to EOL or EOS; 3+ years of support
     • IWAN 2.x & IWAN App support and roadmap will continue as per prior customer commitments: Direct Cloud Access, scale increase, hardening, MC placement, APIC behind NAT
  59. Viptela Integration Plan
  60. Viptela Integration Plan
     • Phase 1, no integration: platform as-is (vEdge); management: vManage; benefit: support current Viptela customers
     • Phase 2, platform integration: vEdge capabilities integrated into all IOS-XE platforms (ISR, CSR, ENCS, ASR1K); management: vManage for SD-WAN capabilities on IOS-XE; deployment: ISR4K + vEdge SW managed by vManage; benefit: Viptela SD-WAN on the strategic ISR platform
     • Phase 3, management integration: cloud hosted DNA Center integrates vManage capabilities; full DNA Center capabilities (assurance, integrated workflows for SD-Access and SD-WAN); deployment: DNA Center + SD-WAN on ISR4K + vEdge SW; benefit: deliver an end-to-end experience with full DNA integration
  61. High-level Feature Integration Plan
     • Existing Viptela capabilities: Day 0 workflows (user configuration, system setup, segmentation setup); Day 1 (control plane setup, ZTP, templates), segmentation, DC routing, topologies; Day N application policy, QoS, DIA, Cloud Express, monitoring & troubleshooting, upgrade options
     • Existing IOS-XE capabilities: platforms & interfaces (ASR1K, CSR, ISR4K, T1/E1, FXS/FXO etc.); security & services (ZBF, Umbrella, WAAS, UC, etc.); advanced capabilities (QoS, BGP etc.)
  62. XE-SDWAN Integration Roadmap
     • March 2018 (EFT), vEdge capabilities: SD-WAN features (ZTP, app route policy, QoS, Cloud Onramp IaaS, segmentation, NAT DIA, BFD PMTU); routing protocols (BGP, OSPF); other features (VRRP, DHCP server, DNS, RADIUS, Syslog, NTP); monitoring & troubleshooting (system & interface stats). IOS capabilities: NBAR2; platforms ISR 4331, ASR 1001-X; new interfaces: Ethernet, 4G LTE, T1/E1
     • July 2018 (GA release), vEdge capabilities: all EFT features; TLOC extension; loopback interface; generic IPsec tunnel (IKEv1 and IKEv2); monitoring & troubleshooting: vManage with DPI & Cflowd, analytics. IOS capabilities: security (Umbrella DNS redirect, zone based firewall); services (NBAR2 SD-AVC); platforms C11xx, ISR43xx, ISR4221, ASR1001-X, ASR1002-X, ASR 1001-HX, ASR 1002-HX, C111, ISRv (ENCS) 5412; new interfaces: xDSL
     • Post GA roadmap, vEdge capabilities: SD-WAN features (Cloud Onramp SaaS, TCP optimizations, IPv6 support (service & transport), service chaining); services (multicast). IOS capabilities: App QoE; security (Umbrella); services (AppNav functionality, UC (SRST, PSTN GW, SIP GW), NBAR2 custom app); SDA segmentation use case; platforms CSR, ENCS, ISR-4451, ISR-4431; new interfaces: port channel
  63. Key Takeaways
     • Cisco’s SD-WAN solution (Viptela) is both a cloud and on-prem (hardware) based solution, offering unmatched capabilities
     • Cisco will merge the Viptela and IOS-XE capabilities into a common ISR 4K-based platform, but the complementary Viptela core products are here to stay in the foreseeable future
     • Cisco is the market and technology leader in SD-WAN, combining the flexibility of Viptela, Meraki, and ISR IOS-XE
  64. Thank you.
