Recommended
More Related Content
What's hot
What's hot (20)
Similar to [Cisco Connect 2018 - Vietnam] Shamil fernando hcmc next-gen cisco sd-wan (viptela) architecture
Similar to [Cisco Connect 2018 - Vietnam] Shamil fernando hcmc next-gen cisco sd-wan (viptela) architecture (20)
More from Nur Shiqim Chok
More from Nur Shiqim Chok (20)
Recently uploaded
Recently uploaded (20)
[Cisco Connect 2018 - Vietnam] Shamil fernando hcmc next-gen cisco sd-wan (viptela) architecture
- 2. Next-Gen Cisco SD-WAN Architecture Shamil Fernando Manager Systems Engineering (Cisco SD-WAN)
- 3. User and Application Landscape is Changing Change in App Content Change in App Delivery Change in App Consumption Rich, Dynamic, Web-Based Cloud, SaaS, Virtualized Mobile, Diverse devices Internet Edge Is Moving to the Branch Applications Are Moving to the Cloud INTERNET MPLS 4G DC vDC IaaS SaaS mobile branch guest head office
- 4. Customer Requirements Security and Compliance are critical areas and require us to have the appropriate Segmentation, Policing, Access Controls and Visibility from end-to-end Network Planning I want to Simplify Deployments and Automate Policy Enforcement to ensure a Consistent and Seamless Application Experience Network Operations I want to Centralized Policy Enforcement and Assurance to Accelerate Time to Resolution Network Manager I need to Replace or Change existing Infrastructure and WAN Services to Lower Costs and Maximize Investments Security Operations
- 5. Traditional and Legacy Architectures cannot scale to address changing needs SOFTWARE DEFINED: True separation of control, data and management CLOUD: Cloud hosted and delivered APPLICATION AWARE: Visibility & SLA business intent policy enforcement SCALE AND FLEXIBILITY: True enterprise scale SECURITY: Ingrained authentication, encryption, segmentation, access controls & service chaining OPEN: for automation, orchestration, best-of-breed integration Application Bandwidth Requirements Cloud Consumption Disjointed Security Simplified Operations WAN Flexibility Time To Capability Challenges Enabling Seamless transition from traditional WAN to SD WAN SECURE WAN FABRIC Broadband 4G/LTEMPLS ZERO TOUCH ZERO TRUST 1
- 6. • Reduce Cost • Secure Your Network • Operate Faster and Simplicity • Integrate Latest Cloud and Network Technologies Cisco SD-WAN Solution helps you to:
- 7. Traditional Networks Control and Data Plane same devices Peer-to-peer control plane Routing protocol prorogate for all (N^2) complexity Localize management Complex to manage Not scalable Impossible to support multiple transport Link down create route storm Control & Data Plane Control & Data Plane Control & Data Plane
- 8. 4G/LTE MPLS1Internet MPLS2 SD-WAN Principals • Separation Control and Data Plane • DTLS/TLS is used to establish the control channel • Control channel is established only with central controllers • No scaling issues are with full mesh of control plane • Control channel does not have to follow the data path • No disruption one link fail Data Plane Control Plane Data PlaneData Plane Data Plane
- 9. Cisco SD-WAN Architecture Control Plane (Containers or VMs) Data Plane (Physical or Virtual) Management Plane (Multi-tenant or Dedicated) Orchestration Plane API 4GINTERNET MPLS vSmart ANALYTICSORCHESTRATION vManager vManage vSmart vEdge vBond vBond Data Center Campus Branch Home Office
- 10. Cisco SD-WAN Solution Elements 4G/LTE MPLSInternet vEdge Routers vSmartvManage Ubiquitous Data Plane Secure Control Plane Controllers On-premise/cisco Cloud/ Partner Cloud vBond
- 11. Cisco SD-WAN Solution Transport Independent Fabric CellularMPLSBroadband Delivery Platform QoS Application Policies Security Per-Segment Topologies Segmentation Svc Insertion Cloud Path Application Visibility & SLA Secure Perimeter Traffic Engineering SurvivabilityRouting Analytics Monitoring Operations Transport Hub Multicast Cloud Accel
- 12. Zero-Trust Security Principles DTLS/TLS Control Tunnel Strong authentication - PKI certificates, 2048bit keys Highly encrypted tunnels - DTLS/TLS AES256 - White-list model Ubiquitous Deployment - Automatic NAT mitigation Control Elements X.509 Certificate
- 13. Secure Bring-up With Approval • Per-device control on TPM identity trust • Single stage (Zero Touch Provisioning) – TPM identity is automatically trusted • Two stage (One Touch Provisioning) – TPM identity is not automatically trusted. Requires administrator validation. • Staging Mode – TPM identity is automatically trusted for control, but not for data. Requires administrator validation.
- 14. End to End Security TransportsTransportsTransports Site 1 Site 2 IPSec AES256-GCM ESPv3 with HMAC SHA-1 vSmart Controllers Control Plane DTLS/TLS IPSec security associations IPSec security associations Update Update Symmetric encryption IPsec AES256-GCM ESPv3 with HMAC SHA-1 Traffic Encryption and Authentication Header Tunnel Liveliness Detection (BFD) Anti-Replay Protection Rekey 12 hours Each vEdge advertises its local IPsec encryption key Traffic Encrypted with Key 2 Traffic Encrypted with Key 1 vEdge Router vEdge Router Local Remote Local Remote
- 15. Configuration Simplicity and ZTP • Templates are attached to provisioned vEdge routers • Variables are used for rapid bulk configuration rollout with unique per- device settings • Local configuration changes are not allowed - Prevents configuration drift
- 16. Configuration Simplicity and ZTP Zero Touch Bringup Server Control and Policy Elements Full Registration and Configuration vEdge Router 1 2 3 4 5 * Factory default config Assumption: DNS to resolve ztp.viptela.com* Authentication Push the configuration Enforce the version
- 17. Application Visibility Secure SD-WAN Fabric Deep Packet Inspection Over 3000+ application App Firewall Traffic prioritization Transport selection vEdge Router App 1 App 2 App 3,000
- 18. Application Performances and AAR Path1: 10ms, 0% loss, 2ms jitter Path2: 200ms, 3% loss 5ms jitter Path3: 140ms, 1% loss 3ms jitter vSmart Controllers App Aware Routing Policy App A path must have latency <150ms and loss <2% Path 2 vEdge Routers continuously perform path liveliness and quality measurements Latency, Loss and Jitter, Auto Load Balance Device QoS (shaping, policing, queuing, marking) Internet MPLS 4G LTE Optimal Throughput
- 19. End to End Segmentation Use Cases Security Zoning Compliance Guest WiFi Multi-Tenancy Extranet Interface VLAN Prefix TransportsTransports Site 1 Site 2 Data Center VPN A VPN B VPN C IPSec 20 IP 8 UDP 36 ESP 4 VPN … Data Label 802.1q 802.1q IF IF IF IF Isolated virtual private networks across any transport VPN mapping is based on physical vEdge Router interface, 802.1Q VLAN tag or a mix of both
- 20. Per-Segment Topologies Full Mesh Hub-and-Spoke Regional Hub Unified Communications Data Center Applications Regional Internet/Services Optimal Application Experience
- 21. Cloud onRamp for IaaS Secure SD-WAN Fabric Provide security, segmentation, QoS and reliability to cloud workloads?
- 22. Optimize Public Cloud Performance (SaaS) Regional internet exit Branch with local DMZ Data Center/DMZ vFabric httping probes SaaS traffic primary SaaS traffic backup Score Color 8-10 GREEN 5-8 YELLOW 0-5 RED
- 23. Secure Internet Access Secure SD-WAN Fabric Branch Campus Regional Data Center Internet & Cloud Small Office Home Office Cisco Security
- 24. Centralize Management & Monitoring Centralize Configuration • Security • Template Configuration • Policy • Routing • QoS, Marking • ACL • Application SLA • ….. Centralize Monitoring • Devices • Application • Bandwidth usage • Link Performances • Alerts
- 25. Analytics Dashboard Visibility • Application Visibility • Network Visibility • Network Co-relation • Cross-Customer Comparison Forecast • Application Usage Forecast • Bandwidth Usage Forecast What-If • Branch Expansions • Rolling out new applications • Policy changes Recommendation
- 26. Self Healing Capabilities Active Software Available Software Available Software Available Software A B C D Activate Rollback vEdge Router 1 2 3 Failed Upgrade vEdge Router 1 Attach Template vManage 2 Connectivity Lost Rollback 3
- 27. High Availability and Redundancy VRRP OSPF/ BGP OSPF/ BGP Internet InternetMPLSMPLS Internet MPLS Site Data Center MPLS Internet vSmart Controllers Control Data
- 28. vEdge Portfolio vEdge capabilities integrated into all IOS-XE platforms (ISR, CSR, ENCS, ASR1K) cloud Interconnect (2 Gbps +) Small Office Home Office 100 Mbps Branch Campus 1 Gbps Large Campus Data Center 10 Gbps Higher Capacity Aggregation 20 Gbps+ ISR4K ASR1K Private Cloud ENCS
- 29. Why Cisco SD-WAN Trusted by Fortune 500 Enterprises Cisco SD-WAN: The Most-Deployed Enterprise Grade SD-WAN Thousands of sites, every major industry, including: RETAIL HEALTHCARE FINANCIAL SERVICES ENERGY Most deployed and trusted by Fortune 500 enterprises Winning 95% of competitive POCs Standards Compliant: …and more
Editor's Notes
- Cisco SD-WAN provide Multi transport Network Over disjoin network - Separation of the control plane Application visibility over 3000+ application Limited scale them of thousand Reduce the WAN cost Direct access to cloud and improve the performances Simplify the operation
- Disjoined Network No application visibility Limited scale Insufficient BW WAN cost No direct access to cloud app Hybrid Fragment Security Complex Operations
- Component – vEdge Router (Hardware / Software), Control Component (software Support – smaller branch, Large Datacenter, Public and Private cloud Controller can be deployed – Viptela / Private / On Premise Transport Independent Fabric Create Secure data plane connection between the vEdge and controllers Only control information send to the controller vManage for Management and monitoring. Rest full APIS
- Transport Independent Fabric Can connect multiple transport to Single router Simplify the deployment using Zero Touch Zero trust All connation are A/A Eliminate WAN side routing Delivery Platform (Routing) Full Router, Full BGP and OSPF (VRF) Segmentation Full QoS and Shaping Multicast Traffic redirection (Svc Insertions) High Availability (AS/AP) Replace the router and simplify the Network Application & Policies DPI and Application Visibility, Application SLA base policy (best path base on the underline network performances) Traffic engineering Segmentation based topology Secure internet gateway SaaS and IaaS path selection and acceleration Operation, Monitoring and Analytics Complete configuration and Management No Configuration in Edge Device 5 min revert, 8 min revert for upgrade
- Optimal Throughput – MTU discovery
- Largest Deployed in Retail, Healthcare, Financial Services and Energy Most deployed across Fortune-500 Enterprises Thousands of production sites in every major industry Compliant with PCI, HIPAA and other industry standards 1. Sophistication of Use cases for the Enterprise - hybrid wan, business partners, soho, cloud, M&A etc 2. Most deployed and trusted SDWAN solution by Fortune 500