Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN

Cisco Confidential© 2016 Cisco and/or its affiliates. All rights reserved. 1
Principal Systems Engineer
Cisco Canada
November, 2017
Understanding Cisco’ Next
Generation SD-WAN
Technology
Rob Barton

Cisco Confidential© 2016 Cisco and/or its affiliates. All rights reserved. 2
Your Time Is Now
Connect
Cisco

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
The Branch and WAN Are Being Disrupted!
of revenue
is generated
in the branch
90%
MORE
THREATS
30%
Of advanced threats will
target branch offices by
2016 (up from 5%)
MORE
USERS
80% Of employee and
customers are served in
branch offices
MORE
DEVICES
73%
Growth in mobile
devices from
2014-2018
MORE
APPS
20-50% Increase in enterprise
bandwidth per year
through 2018
IoT devices
connected to
internet by 2020
30B
Annual increase in
enterprise bandwidth
and video adoption50%
Up to
Mobile-connected
devices by 201910B
Of Organizations primarily
use public cloud by 201980%
• The traditional WAN / branch market is undergoing a massive disruption
• Customers are asking for SD-WAN solutions with virtualized services
• In 2017 Cisco acquired Viptela, the de-facto market leader and recognized best-of-breed
technology in the SD-WAN space

Existing
Data Center
Remote Site
MSP-RT
MPLS
NewWAN
Internet
ISP-RT
New
The WAN Market Disruption and Migration
Services
Delivery
• Segment traffic
• Deploy application aware
topologies
• Optimize routing, security, QoS,
multicast, services insertion and
survivability
Transport
Independence
• Leverage overlay through
existing equipment at data center
for transport agnostic redesign
• Replace remote site equipment
or leverage overlay
Application
Policies
• Select test application as
candidate for intelligent traffic
engineering
• Test blackout and brownout
failover scenarios
Existing

APPLICATION POLICIES
SERVICES DELIVERY PLATFORM
TRANSPORT INDEPENDENT FABRIC
Broadband CellularMPLS
ZERO TOUCH ZERO TRUST
QoSSecurity Segmentation Svc Insertion SurvivabilityRouting Multicast
Per-Segment
Topologies
Cloud Path
(IaaS)
Application
SLA
Secure
Perimeter
Traffic
Engineering
Transport
Hub
Cloud Accel
(SaaS)
Analytics
Monitoring
Operations
Business Driven WAN Infrastructure

Cloud-first
management
with flexible
deployment options
Accelerate key
SD-WAN use cases;
Cloud-edge and
Segmentation
Sophisticated, but
still simple to deploy
and operate
Complements Cisco’s Enterprise Networks architecture strategy
Why Did Cisco Buy Viptela?
Cisco Digital
Network Architecture

Better Together
Leading Routing &
SD-WAN Platforms
Goal: Building next generation SD-WAN solutions
Together, helping businesses and IT to innovate faster, securing and delivering
better customer outcomes, while reducing costs and lowering risk
Cloud-managed &
Feature-rich SD-WAN

• Secure Elastic Connectivity
• Cloud First
• Application Quality of
Experience
• Agile Operations
Reinventing the WAN - 4 Technical Pillars
Security
Applications
Services
Connectivity Operations
Flexible
Connectivity
Agile
Operations
Application
Services

Centralized Device
Auth-DB
Authenticated/Encrypted
Control Plane
Automatic Key Rollover
Scalable Data-Plane
Encryption
Embedded Security Secure On-Boarding
Reinventing the WAN
Security
Security Applications
Services
Connectivity OperationsConnectivity Operations
Application
Services

MPLS
LTE
INTERNET
Hybrid WAN
Segmentation/VPNs
Dynamic Per-VPN
Topologies
MPLS
LTE
INTERNET
Provider/Transport
Agnostic
Services
Application
Services
Reinventing the WAN
Connectivity

Deep Packet Inspection Central Orchestration
Application-Aware
Routing
Transport SLA Monitoring
MPLS
LTE
INTERNET
Cloud Services
Integration
SEN Overlay
Application Layer
AnalyticsSecurity Applications
Services
Application
Services
Reinventing the WAN
Application Services

Centralized Operations
Distributed Execution
Zero Touch ProvisioningTemplate-based
Configurations
Programmatic APIs
Open Object Model
NetConf Ad-Hoc
Adds/Moves/Changes
Centralized
Policy Orchestration
Services
Application
Services
Reinventing the WAN
Operations

Cisco Confidential 13© 2016 Cisco and/or its affiliates. All rights reserved.
Cisco SD-WAN Architecture

vEdge Router
Cloud Data
Center
Campus
Branch
Small Office
Home
Office
vManage
vControl
The Viptela branch
office router
Cloud or on
premises network
management
Policy and Service
Control Plane
Viptela Solution – Key Components
vBond
On-Boarding and
Orchestration

vBond: ZTD and Orchestration Plane
APIs
vSmart Controllers
vAnalytics
3rd Party
Automation
vManage
Data Center Campus Branch SOHOCloud
vBond
vEdge Routers
4GMPLS
INET
• Used for device on-boarding
(ZTD)
• Orchestrates connectivity
between management, control
and data plane
• First point of authentication
• All other components need to
know the vBond IP or DNS
information
• Authorizes all control
connections (white-list model)
• Distributes list of vSmarts to all
vEdges
Orchestration Plane
Cisco vBond

vEdge: The Data Plane
Data Plane
Physical/Virtual
Cisco vEdge
• WAN edge routers
• Provides secure data plane with
remote vEdge routers
• Establishes secure control plane
with vSmart controllers (OMP)
• Implements data plane and
application aware routing policies
• Exports performance statistics
• Leverages traditional routing
protocols like OSPF, BGP and
VRRP
• Support Zero Touch Deployment
• Physical or Virtual form factor
(100Mb, 1Gb, 10Gb)
APIs
vSmart Controllers
vAnalytics
3rd Party
Automation
vManage
vBond
vEdge Routers
4GMPLS
INET

vSmart: The Control Plane
Control Plane
Cisco vSmart
• Centralized brain of the solution
• Facilitates fabric discovery
• Establishes OMP peering with all
vEdges
• Implements control plane policies,
such as service chaining, traffic
engineering and per VPN topology
• Dramatically reduces complexity of
the entire network
• Distributes connectivity information
between vEdge
• Orchestrates secure data plane
connectivity between vEdges
vSmart Controllers
vAnalytics
3rd Party
Automation
vManage
vBond
vEdge Routers
4GMPLS
INET
APIs

Overlay Management Protocol (OMP)
Unified Control Plane
• Runs on top of TCP, extensible control plane
protocol
• Runs between vEdge routers and vSmart
controllers and between the vSmart
controllers
- Inside TLS/DTLS connections
• Advertises control plane contextvSmart vSmart
vSmart
vEdge vEdge
VS
Note: vEdge routers need no control connections amongst them

vManage: The Management Plane
Management Plane
Cisco vManage
• Single pane of glass for Day0,
Day1 and Day2 operations
• Real time alerting
• Centralized provisioning
• Configuration standardization
• Simplicity of deploying
• Simplicity of change
• Supports
• REST API
• CLI
• NETCONF / YANG
• SNMP
• Syslog
vSmart Controllers
vAnalytics
3rd Party
Automation
vManage
vBond
vEdge Routers
4GMPLS
INET
APIs

Single Pane Of Glass Operations
Operations Simplicity and Visibility
Rich Analytics

SD-WAN Fabric and Capabilities

TMP
Chip
Root Chain
Embedded Device Identity
Controller Trust
Zero-Touch Provisioning of the vEdge Router
Identity and Trust
Identity
Cert
vEdge
Dynamic Device Identity
Root Chain
Controller Trust
Identity
Cert
vEdge Cloud

Zero Trust Model
Certificate-Based Trust
• Bi-directional certificate-based trust between all
elements
- Public or Enterprise PKI
• White-list of valid vEdges and controllers
- Certificate serial number as unique identification
Signed
vEdge List
Administrator
Defined
Controllers
vEdge
vBond
vManage
vSmart

Zero Touch Provisioning vEdge Walk-through
Control and Policy
Elements
Full Registration and
Configuration
vEdge
5
* Factory default configured
Assumption:
 DHCP on Transport Side (WAN)
 DNS to resolve ZTP server name*
3
4
Zero Touch Provisioning
Server
1
2

Template-Based Configurations
Centralized Device Configuration Enforcement
• Templates are attached to provisioned
vEdge routers
• Variables are used for rapid bulk
configuration rollout with unique per-
device settings
• Local configuration changes are not
allowed
- Prevents configuration drift

OMP Update:
 Reachability – IP Subnets, TLOCs
 Security – Encryption Keys
 Policy – Data/App-route Policies
BGP, OSPF,
Connected,
Static
BFD
IPSec Tunnel
OMP
DTLS/TLS Tunnel
Transport1
Transport2VPN1
A
VPN2
B
VPN1
C
VPN2
D
BGP, OSPF,
Connected,
Static
vSmart
OMP
Update
OMP
Update
vEdge vEdge
Subnets Subnets
TLOCs TLOCs
Policies
Fabric Operation
Fabric Walk-Through
OMP
Update
OMP
Update

Ingress
vEdge
VPN 3
VPN 1
VPN 2
SD-WAN
IPSec
Tunnel
20
IP
8
UDP
36
ESP
4
VPN
…
Data
Egress
vEdge
Interface
VLAN
• Segment connectivity across fabric w/o
reliance on underlay transport
• vEdge routers maintain per-VPN routing
table
• Labels are used to identify VPN for
destination route lookup
• Interfaces and sub-interfaces (802.1Q tags)
are mapped into VPNs
VPN1
VPN2
Interface
VLAN
VPN1
VPN2
Secure Segmentation
End-to-End Segmentation

Application-Centric Network Capabilities
Per-Session Loadsharing
Active/Active
Per-Session Weighted
Active/Active
Application Pinning
Active/Standby
Application Aware Routing
SLA Compliant
SLASLA
Core
Hierarchical Multihop Fabric Single-hop Fabric

 Enforce SLA compliant path
for applications of interest
 Other applications will follow
fabric routing across all
paths
Control Plane
Path1: 10ms, 0% loss, 5ms latency
vManage
App Aware Routing Policy
App A path must have:
latency < 150ms
loss < 2%
jitter < 10ms
vEdge1 vEdge2
Internet
MPLS
4G LTE
vSmart Controllers
App A
IPSec Tunnel
Critical Applications SLA
Application Aware Routing
Path 2

Deep Packet Inspection Engine
Primary Use Cases:
- Application Visibility
- Application Firewall
- Traffic Prioritization
- Transport Selection
- Analytics
vEdge Router
App 1
App 2
App 3,000
Cloud Data
Center
Data
Center
Campus
Branch
Small Office
Home Office
MPLS INET
3G/4G
Embedded Application Recognition
Deep Packet Inspection

• Embedded Deep Packet Inspection
engine
• Application and flow level visibility
for the fabric and individual vEdge
routers
• Centralized statistics and
performance
• Export flow level data (IPFIX) to
external collector
Application and Performance Visibility
Deep Packet Inspection

SD-WAN Solution Components
Overview

Cisco vEdge Routers Portfolio Positioning
Branch/SOHO/SMB
(100Mb)
Branch/Campus
(1Gb)
Campus/Data Center
(10Gb)
NFV, vCPE
(N x cores)
IaaS & Cloud
Interconnect
(N x cores)
Campus/Data Center
(20Gb+)
vEdge 100 family vEdge 1000 vEdge 2000 vEdge 5000
vEdge Cloud on
Greybox or
Whitebox
vEdge Cloud

Data Center Campus Branch Home Office
4G/LTE
MPLS
Internet
Control Plane
(Containers or VMs)
(vSmart)
Management Plane
(Multi-tenant or Dedicated)
(vManage)
Orchestration Plane
(vBond)
2000 vEdges per vBond
Redundancy Add 1-2 vBonds
Horizontal Scale out Model
Horizontal Scale Out Model
2700 vEdges per vManage
in cluster mode (same DC)
2700 vEdges per vSmart
Redundancy Add 1-2 vSmarts
Scalability Considerations
Orchestration/Control/Management Plane

vEdge100 vEdge1000 vEdge2000
IPSec Tunnels : 250 IPSec Tunnels : 1500 IPSec Tunnels : 6000
Max aggregated throughput:
vEdge-100 – 100MB AES-256 full duplex
vEdge-1000 - 1GB AES-256 full duplex
vEdge-2000 – 10GB AES-256 full duplex
Max number of concurrent VPNs: 64
[vpn 0 and vpn 512 included]
Overlay tunnels are static based on policy
Not dynamically generated on-demand.
Scalability Considerations
Data Plane and IPsec

Perpetual cost of
Cisco
SD-WAN CPE
hardware
Subscription cost of
Cisco SD-WAN
software (Includes
SD-WAN controller +
CPE software)
Operational cost of
Cisco SD-WAN
solution
1.Subscription license (1YR, 3YR and 5YR) for Cisco SD-WAN software charged per CPE.
This cost is dependent on two factors:
• Service bandwidth
• Features
2.Perpetual cost of Cisco SD-WAN CPE element.
SD-WAN Pricing Model
Subscription and Perpetual Elements

Plus Pro
Hub
Spoke Spoke Spoke
MPLS Internet Local
breakout
Hub
Spoke Spoke Spoke
MPLS Internet
Spoke Spoke
Local
breakout
Dynamic Routing
Dynamic
Routing
Hub
Spoke Spoke Spoke
MPLS Internet
Spoke Spoke
Dynamic Routing
Dynamic
Routing
SaaS onRamp
SD WAN
controllers
AnalyticsSD WAN
controllers
SD WAN
controllers
AAR
AAR AAR
E2E
Segmentation
E2E
Segmentation
• Routing: Static
• Topology: Hub-n-spoke only
• Internet/Cloud: NAT, Split tunnel
• Policy: Local ACL only, Data policy
• QoS
• SLA: Application aware routing (5 tuple
only)
• Visibility : DPI for visibility only
• Routing: Dynamic routing (OSPF/BGP)
• Topology: Mesh topology
• Internet/Cloud: Cloud onRamp for IaaS
• Policy: Control policy
• Segmentation: 5 VPNs (1+4)
• SLA: Application aware routing (DPI)
• Multicast
• Segmentation: Unlimited
• Internet/Cloud: Cloud onRamp for
SaaS
• Analytics: vAnalytics platform
Enterprise
License Tier Features
License Tiers

Roadmap

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
vManage
Cisco SD-WAN Day 1 Deployment Scenarios
ISR
TI / E! / DSL
DeploymentScenarios
vEdge
ISR Providing Services
vManage
vEdge
Ethernet
ISR
WaaS
UC
Thin Branch
vManage
vEdge
Ethernet

Roadmap
Phase 2
Platform Integration
Phase 1
No Integration
Phase 3
Management Integration
Platform:
• As-is
Management:
• vManage
Platform:
• vEdge capabilities integrated into all IOS-XE
platforms (ISR, CSR, ENCS, ASR1K)
Management:
• vManage for SD-WAN capabilities on IOS-XE
Management:
• Cloud hosted DNA Center integrates vManage
capabilities
• Full DNA Center capabilities (Assurance,
Integrated workflows for SD-Access and
SD-WAN)
Support current Viptela
customers
Viptela SD-WAN on strategic ISR
platforms
Deliver end-to-end experience
with full DNA integration
DeploymentScenariosBenefitsDetails
vEdge ISR4K + vEdge SW
DNA Center
+ SD-WAN
ISR4K + vEdge SW
vManage
vEdge
vManage
vEdge

Positioning Cisco’s SD-WAN Solutions
1. Do you have a requirement to support end-
to-end secure segmentation over the
WAN?
2. Do you intend to deploy dynamic per VPN
topologies?
3. Do you have different WAN transports with
a need to support a single data plane?
4. Do you intend to deploy a network with
intelligent path selection for IaaS or SaaS?
1. Do you have existing Meraki
infrastructure?
2. Do you have a requirement to manage a
full branch network (switches, firewalls)
through a single management interface?
3. Do you have a lean IT staff with minimal
experience in secure WAN environments?
4. Does your staff desire simple management
and automation for deploying branch
security?

• Cisco is the market and technology leader in SD-WAN, combining
the flexibility of Viptela, Meraki, and ISR IOS-XE
• Cisco’s SD-WAN solution (Viptela) is both a cloud and on-prem
(hardware) based solution, offering unmatched capabilities
• Cisco will merge the Viptela and IOS-XE capabilities into a
common ISR 4K-based platform and DNA Center, but the
complimentary Viptela core products are here to stay in
foreseeable future
Key Takeaways

Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN

Similar to Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN (20)

More from Cisco Canada

More from Cisco Canada (20)

Recently uploaded

Recently uploaded (20)

Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN