Post on 27-Jun-2018
transcript
Cisco SD-WAN (Viptela) Migration, QoS and Advanced Policies Hands-on Lab
Ali Shaikh – Technical Leader
Faraz Shamim – Sr. Technical Leader
Mossaddaq Turabi – Distinguished Engineer
LTRCRS-3550
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
How
cs.co/ciscolivebot#LTRCRS-3550
Agenda
• Introduction
• Migration Strategies
• Templates + Zero Touch Provisioning
• Policy Overview
• Hub & Spoke Topology + Preferential DataCenters
• Service Chaining
• Cloud Express for SaaS
• Application Aware Routing
Introduction
Introduction
• Cisco SD-WAN is the next-generation software-defined architecture for the WAN.
• It is a controller-based architecture leveraging centralized policies.
• This lab assumes an understanding of the Cisco SD-WAN components and how they construct overlay communication between them:
• vManage – The overlay management appliance
• vSmart – The overlay policy and routing enforcement appliance
• vBond – The overlay orchestrator appliance
• vEdge – The network routing edge appliance
• The goal of this lab is to learn to manipulate the overlay beyond a basic setup to achieve different topologies and network functions.
Cisco SD-WAN Architecture
[Figure: Cisco SD-WAN architecture – management plane (vManage, APIs, vAnalytics, 3rd-party automation), control plane (vSmart controllers, vBond), data plane (vEdge routers at data center, campus, branch, SOHO and cloud sites over MPLS, INET and 4G transports); vOrchestrator provides service orchestration.]
Cisco SD-WAN Elements and Functions
• vBond orchestrator
• First point of authentication (white-list model)
• Orchestrates control and management plane
• Facilitates NAT traversal
• vManage is the NMS system (a single pane of glass) for the entire SD-WAN fabric
• vSmart controllers:
• Distribute reachability and security information between the vEdge routers
• Distribute data and app-route policies to vEdges
• Enforce control policies
• vEdge routers (WAN edge routers)
• Establish an OMP session with vSmart for overlay routing
• Support legacy LAN protocols: BGP, OSPF, VRRP
• Establish a secured data plane between sites
• Available as a HW appliance or as a software-only virtual machine (VM)
Secure Segmentation - VPNs
[Figure: a vEdge with the transport VPN (VPN0, interfaces towards MPLS and INET), service VPNs (VPNn, e.g. VPN10 and VPN20, with LAN interfaces) and the management VPN (VPN512).]
• VPNs are isolated from each other; each VPN has its own forwarding table.
• The vEdge router allocates a label to each of its service VPNs and advertises it as a route attribute in OMP updates. Labels are used to identify the VPN in incoming packets.
Fabric Operation: Reachability, Security/TLOCs and Policies
[Figure: vEdge1 and vEdge2 each learn LAN routes (BGP, OSPF, connected, static) in VPN1/VPN2, establish DTLS/TLS tunnels and OMP sessions to vSmart, and advertise subnets and TLOCs (T1–T4) in OMP updates; vSmart returns OMP updates shaped by policies; the vEdges build BFD-monitored IPsec tunnels over Transport1 and Transport2.]
Configurations and Zero Touch Provisioning (ZTP)
Configuration and Policy Framework
[Figure: vManage pushes device configuration over NETCONF/YANG to vSmart and vEdge. Localized policies are part of the vEdge configuration: local control policy (OSPF/BGP) and local data policy (QoS/mirror/ACL). Centralized policies are held by vSmart and reach the vEdges via OMP: centralized control policy (fabric routing), centralized data policy (fabric data plane) and centralized app-aware policy (application SLA).]
Zero Touch Provisioning - Overview
• The Zero Touch Provisioning service relies on:
• A license file provided by Cisco for the overlay.
• Explicitly marking a device as “valid” or “staging”.
• A configuration template for the device.
• A device configuration template consists of:
• Basic Information – Device identifiers (Hostname, System-IP, Site-ID)
• Transport & Management VPN – The VPNs for circuits and out-of-band management
• Service VPN – The LAN side at the branch or datacenter
• Additional Templates – Miscellaneous items such as Banners
• Each section is made of independent modules called “Features”.
• A full device template is made by combining all the “Features” into the relevant device sections.
GUI based Templates / Feature Templates
QoS/SNMP/Banner Templates
QoS Configurations
policy
 app-visibility
 flow-visibility
 class-map
  class VOICE queue 0
  class VIDEO queue 1
  class BIZ-DATA queue 2
  class BEST-EFFORT queue 3
 !
 qos-scheduler besteffort_scheduler
  class BEST-EFFORT
  bandwidth-percent 5
  buffer-percent 5
  drops red-drop
 !
 qos-scheduler bizdata_scheduler
  class BIZ-DATA
  bandwidth-percent 50
  buffer-percent 50
  drops red-drop
 !
 qos-scheduler video_scheduler
  class VIDEO
  bandwidth-percent 30
  buffer-percent 30
 !
 qos-scheduler voice_scheduler
  class VOICE
  bandwidth-percent 15
  buffer-percent 15
  scheduling llq
 !
 qos-map WAN-QOS
  qos-scheduler besteffort_scheduler
  qos-scheduler bizdata_scheduler
  qos-scheduler video_scheduler
  qos-scheduler voice_scheduler
 !
 access-list GuestWiFi
  sequence 10
   action accept
    class BEST-EFFORT
   !
  !
  default-action accept
 !
!
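The QoS policy above is easy to get subtly wrong: scheduler percentages that do not add up, an LLQ scheduler on the wrong queue, or a class that the qos-map never serves. The following is an added example written for this page (not a Viptela tool) that parses the class-map, qos-scheduler and qos-map blocks in the CLI shape the slide uses and runs those checks; the embedded policy text is the slide's QoS configuration without the access-list, and the rule that only queue 0 can be the LLQ on a vEdge is the one check that goes beyond what the slide states.

```python
"""Added example: sanity checks for the QoS policy above.

Illustrative parser and checks written for this page (not a Viptela tool).
It reads the class-map, qos-scheduler and qos-map blocks in the CLI shape the
slide uses and verifies that bandwidth-percent and buffer-percent each sum to
100, that exactly one scheduler is LLQ and that it serves queue 0 (the only
priority queue on a vEdge), and that every class in the class-map is covered
by a scheduler referenced from the qos-map.
"""
import re

# The policy from the slide, restricted to the QoS part (constructed input).
QOS_CONFIG = """\
policy
 class-map
  class VOICE queue 0
  class VIDEO queue 1
  class BIZ-DATA queue 2
  class BEST-EFFORT queue 3
 !
 qos-scheduler besteffort_scheduler
  class BEST-EFFORT
  bandwidth-percent 5
  buffer-percent 5
  drops red-drop
 !
 qos-scheduler bizdata_scheduler
  class BIZ-DATA
  bandwidth-percent 50
  buffer-percent 50
  drops red-drop
 !
 qos-scheduler video_scheduler
  class VIDEO
  bandwidth-percent 30
  buffer-percent 30
 !
 qos-scheduler voice_scheduler
  class VOICE
  bandwidth-percent 15
  buffer-percent 15
  scheduling llq
 !
 qos-map WAN-QOS
  qos-scheduler besteffort_scheduler
  qos-scheduler bizdata_scheduler
  qos-scheduler video_scheduler
  qos-scheduler voice_scheduler
 !
!
"""


def parse_qos(text: str) -> dict:
    """Return class-map queues, scheduler settings and qos-map membership."""
    classes, schedulers, qos_maps = {}, {}, {}
    block = None  # ("class-map", None), ("scheduler", name) or ("qos-map", name)
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":  # end of the current block
            block = None
        elif line == "class-map":
            block = ("class-map", None)
        elif block is None and line.startswith("qos-scheduler "):
            block = ("scheduler", line.split()[1])
            schedulers[block[1]] = {}
        elif block is None and line.startswith("qos-map "):
            block = ("qos-map", line.split()[1])
            qos_maps[block[1]] = []
        elif block and block[0] == "class-map":
            m = re.fullmatch(r"class (\S+) queue (\d+)", line)
            if m:
                classes[m.group(1)] = int(m.group(2))
        elif block and block[0] == "scheduler":
            key, _, value = line.partition(" ")
            schedulers[block[1]][key] = value
        elif block and block[0] == "qos-map":
            qos_maps[block[1]].append(line.split()[1])
    return {"classes": classes, "schedulers": schedulers, "qos_maps": qos_maps}


def check_qos(cfg: dict, qos_map: str = "WAN-QOS") -> list:
    """Return a list of problems; an empty list means the policy passes."""
    problems = []
    scheds = cfg["schedulers"]
    for field in ("bandwidth-percent", "buffer-percent"):
        total = sum(int(s.get(field, 0)) for s in scheds.values())
        if total != 100:
            problems.append(f"{field} sums to {total}, expected 100")
    llq = [n for n, s in scheds.items() if s.get("scheduling") == "llq"]
    if len(llq) != 1:
        problems.append(f"expected exactly one llq scheduler, found {llq}")
    elif cfg["classes"].get(scheds[llq[0]]["class"]) != 0:
        problems.append(f"llq scheduler {llq[0]} must serve queue 0")
    served = {scheds[n]["class"] for n in cfg["qos_maps"].get(qos_map, []) if n in scheds}
    for cls in cfg["classes"]:
        if cls not in served:
            problems.append(f"class {cls} is not served by qos-map {qos_map}")
    return problems


if __name__ == "__main__":
    print(check_qos(parse_qos(QOS_CONFIG)) or "QoS policy OK")
```

Run against the slide's policy the checks come back clean; raising bizdata_scheduler to 60 percent, swapping the VOICE and VIDEO queues, or dropping video_scheduler from the qos-map each produces one finding, which is the kind of pre-push validation worth wiring into a template review.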
CLI based Device Configuration Template
• Take the CLI based configuration of the device
• Create a Device template
• Highlight the text and create a device specific variable
• Policy definition is part of the device template
• Used for Branch 1 devices
Zero Touch Provisioning - Workflow
Control and Policy Elements
Assumptions:
• DHCP on the transport side (WAN)
• DNS to resolve ztp.viptela.com
[Figure: ZTP workflow – the vEdge exchanges steps 1–5 with the Zero Touch Provisioning server, ending in full registration and configuration.]
Migration – Step 1 – DC Deployment
Baseline Topology and Configuration
[Figure: baseline (pre-SD-WAN) topology. The MPLS transport (AS 100, 198.18.133.0/18) connects DC1 San Jose and DC2 Chicago (DC1-MPLS-CE and DC2-MPLS-CE at .221, hosts and Wkst-1 behind firewalls, OSPF on the DC LAN 10.2.0.0/24), Los Angeles Branch Type 1 (10.3.0.0/24, BR1-MPLS-CE, test host .10) and Dallas Branch Type 2 (10.4.0.0/24 and 10.4.254.0/24, BR2-MPLS-CE, OSPF, test host .10). The CEs peer with the provider over BGP (AS 65001–65004).]
Cisco SD-WAN Site Brownfield Deployment – Gateway/DC Site Deployment
• Identify gateway/DC sites providing connectivity between SD-WAN and legacy sites
• Legacy sites talk to each other directly
• SD-WAN sites talk to each other directly
• Legacy router/connectivity is dropped in the DC/gateway sites once migration is complete
[Figure: a DC/gateway site joining the SD-WAN overlay (OMP over Internet and MPLS) to the legacy/MPLS sites (BGP/OSPF).]
Step 1: Deploy vEdges in the DC
New capabilities and enhancements
• Bandwidth augmentation and hybrid transport (MPLS + Internet)
• VPN segmentation (Corporate-10, PCI/IOT-20, Guest WiFi-40)
Deploy DC vEdges along with existing MPLS CPEs
[Figure: lab topology after Step 1. Transports: Internet (AS 200) and MPLS (AS 100, 198.18.133.0/18), with ZTP and the controllers reachable over them. DC1 San Jose (Site ID 100) and DC2 Chicago (Site ID 200) each run two vEdges (DC1-VEDGE1/VEDGE2 with System-IPs 10.1.0.1/10.1.0.2, DC2-VEDGE1/VEDGE2 with System-IPs 10.2.0.1/10.2.0.2, LAN addresses .211/.212) next to the existing MPLS CEs (.21), firewalls and OSPF on the DC LAN (10.2.0.0/24, hosts and Wkst-1 at .36). Los Angeles BR1 (Site ID 300, 10.3.0.0/24) and Dallas BR2 (Site ID 400, 10.4.0.0/24 and 10.4.254.0/24, OSPF) are still connected through their MPLS CEs, each with a test host at .10.]
Zero Touch Provisioning – Step 2 – Deploy vEdge in BR2 using ZTP
Zero Touch Provisioning – Lab Notes
• A number of device templates, and the features used for all the sites, have already been created in this lab.
• We will modify the environment by changing values and fields already set in those features.
• We will use the device templates to push configuration to devices at the data center and at the branch.
• Once the configuration has been set up for the devices, we will observe the Zero Touch Provisioning process by which devices that are not yet part of the network are brought into the environment.
Replace Existing MPLS CE with vEdge in Branch 2
[Figure: lab topology as in the Step 1 diagram, with the Dallas BR2 MPLS CE replaced by BR2-VEDGE1 (Site ID 400, System-IP 10.4.0.1, OSPF towards the LAN 10.4.0.0/24 and 10.4.254.0/24, test host .10). Los Angeles BR1 (Site ID 300, 10.3.0.0/24) still uses its MPLS CE.]
Traffic flow between Migrated and non-Migrated Sites
[Figure: same topology as the previous diagram; traffic between the migrated Dallas BR2 (BR2-VEDGE1) and the not yet migrated Los Angeles BR1 (MPLS CE) passes through the DC/gateway sites, as in the brownfield model above.]
Migration – Step 3 – Deploy vEdges in BR1 with TLOC Extension
TLOC Extension and Configuration
[Figure: br1-vedge1 (ge0/0 towards MPLS at 100.65.51.1, ge0/2 10.5.51.51/24, ge0/3 10.5.52.51/24) and br1-vedge2 (ge0/0 towards INET via DHCP, ge0/2 10.5.51.52/24, ge0/3 10.5.52.52/24) connected back to back on ge0/2 and ge0/3.]
br1-vedge1:
vpn 0
 interface ge0/0
  description MPLS tunnel
  ip address 100.65.51.1/30
  tunnel-interface
   encapsulation ipsec
   color mpls restrict
   max-control-connections 1
   [service list]
  !
 !
 interface ge0/2
  description INET tunnel
  ip address 10.5.51.51/24
  tunnel-interface
   encapsulation ipsec preference 100
   color biz-internet restrict
   max-control-connections 1
   [service list]
  !
 !
 interface ge0/3
  ip address 10.5.52.51/24
  tloc-extension ge0/0
  no shutdown
 !
 ip route 0.0.0.0/0 100.65.51.2
 ip route 0.0.0.0/0 10.5.51.52
!
br1-vedge2:
vpn 0
 interface ge0/0
  description INET tunnel
  ip dhcp-client
  nat
  tunnel-interface
   encapsulation ipsec
   color biz-internet restrict
   max-control-connections 1
   [service list]
  !
 !
 interface ge0/2
  ip address 10.5.51.52/24
  tloc-extension ge0/0
  no shutdown
 !
 interface ge0/3
  description MPLS tunnel
  ip address 10.5.52.52/24
  tunnel-interface
   encapsulation ipsec
   color mpls restrict
   max-control-connections 1
   [service list]
  !
 !
 ip route 0.0.0.0/0 10.5.52.51
!
On the MPLS-side router (the next hop is br1-vedge1's own ge0/0 address), add a route to reach the br1-vedge2 MPLS tunnel end-point:
ip route 10.5.52.52/32 100.65.51.1
Do not forget NAT: the nat statement on br1-vedge2's ge0/0 carries br1-vedge1's extended INET tunnel traffic.
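The two configurations have to agree with each other in three places that are easy to miss when they are pushed from separate templates: the extension subnet, the peer's default route and the NAT on the extended Internet link. The following is an added example written for this page (not a Viptela tool); it parses both vpn 0 configurations, trimmed to the lines the checks read and without the "[service list]" placeholders, and reports any of those three mismatches.

```python
"""Added example: cross-checking a TLOC-extension pair.

Illustrative code written for this page, not a Viptela tool. It parses the
two vpn 0 configurations above (trimmed here to the lines the checks read,
without the "[service list]" placeholders) and verifies the points the slide
calls out: each tloc-extension interface must share a subnet with the peer's
tunnel interface of the same colour, the peer needs a default route through
it, and an extended DHCP/Internet link needs 'nat'.
"""
import ipaddress

VEDGE1 = """\
vpn 0
 interface ge0/0
  ip address 100.65.51.1/30
  tunnel-interface
   color mpls restrict
  !
 !
 interface ge0/2
  ip address 10.5.51.51/24
  tunnel-interface
   color biz-internet restrict
  !
 !
 interface ge0/3
  ip address 10.5.52.51/24
  tloc-extension ge0/0
 !
 ip route 0.0.0.0/0 100.65.51.2
 ip route 0.0.0.0/0 10.5.51.52
!
"""
VEDGE2 = """\
vpn 0
 interface ge0/0
  ip dhcp-client
  nat
  tunnel-interface
   color biz-internet restrict
  !
 !
 interface ge0/2
  ip address 10.5.51.52/24
  tloc-extension ge0/0
 !
 interface ge0/3
  ip address 10.5.52.52/24
  tunnel-interface
   color mpls restrict
  !
 !
 ip route 0.0.0.0/0 10.5.52.51
!
"""


def parse_vpn0(text: str) -> dict:
    """Collect per-interface address, colour, extension and NAT facts plus static routes."""
    ifaces, routes, cur = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {})
        elif line.startswith("ip route "):
            routes.add(tuple(line.split()[2:4]))  # (prefix, next hop)
        elif cur is None:
            continue
        elif line.startswith("ip address "):
            cur["ip"] = ipaddress.ip_interface(line.split()[2])
        elif line == "ip dhcp-client":
            cur["dhcp"] = True
        elif line == "nat":
            cur["nat"] = True
        elif line.startswith("color "):
            cur["color"] = line.split()[1]
        elif line.startswith("tloc-extension "):
            cur["extends"] = line.split()[1]
    return {"ifaces": ifaces, "routes": routes}


def check_extension(local: dict, peer: dict) -> list:
    """Problems with 'local' extending one of its WAN links for 'peer'; empty means OK."""
    problems = []
    for name, ext in local["ifaces"].items():
        if "extends" not in ext:
            continue
        wan = local["ifaces"][ext["extends"]]
        subnet = ext["ip"].network
        # The peer's tunnel interface of the same colour must sit in the extension subnet.
        if not any(p.get("color") == wan.get("color") and "ip" in p and p["ip"].ip in subnet
                   for p in peer["ifaces"].values()):
            problems.append(f"{name}: no {wan.get('color')} tunnel interface on the peer in {subnet}")
        # The peer reaches that transport only through us, so it needs a default route via us.
        if ("0.0.0.0/0", str(ext["ip"].ip)) not in peer["routes"]:
            problems.append(f"{name}: peer has no default route via {ext['ip'].ip}")
        # Peer tunnel traffic leaving a DHCP-addressed Internet link must be NATed to it.
        if wan.get("dhcp") and not wan.get("nat"):
            problems.append(f"{ext['extends']}: extended DHCP Internet link without 'nat'")
    return problems
```

Both directions of the pair pass as shown; deleting the nat line on br1-vedge2, the 10.5.51.52 default route on br1-vedge1, or moving br1-vedge2's ge0/3 out of 10.5.52.0/24 each yields one finding.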
Replace Existing MPLS CE with vEdges in Branch 1
[Figure: lab topology as in the Step 1 diagram, now with Dallas BR2 on BR2-VEDGE1 (System-IP 10.4.0.1) and Los Angeles BR1 (Site ID 300, 10.3.0.0/24) on BR1-VEDGE1 and BR1-VEDGE2 (System-IPs 10.3.0.1 and 10.3.0.2, LAN addresses .2 and .3 with VRRP); the BR1 MPLS CE links are removed (marked X).]
VPN 20 – IOT/PCI VPN Segment
[Figure: VPN 20 across the lab: DC1 San Jose (Site ID 100, 10.1.20.0/24), DC2 Chicago (Site ID 200, 10.2.20.0/24), Los Angeles BR1 (Site ID 300, 10.3.20.0/24) and Dallas BR2 (Site ID 400, 10.4.20.0/24), each with a test host at .10; the DC and BR1 vEdge pairs sit at .2/.3 with VRRP, BR2-VEDGE1 at .1; System-IPs and transports (Internet AS 200, MPLS AS 100) as before.]
VPN 40 – GuestWiFi VPN Segment
[Figure: VPN 40 at the branches only: Los Angeles BR1 (Site ID 300, 10.3.40.0/24, BR1-VEDGE1/VEDGE2 at .2/.3 with VRRP) and Dallas BR2 (Site ID 400, 10.4.40.0/24, BR2-VEDGE1 at .1), test hosts at .10; the DC vEdges are shown without a VPN 40 subnet.]
Policy
Policy - Overview
• The SD-WAN overlay is controlled by centralized policies.
• The policies that dictate the network topology are called control policies.
• These policies manipulate the advertisement of routes and TLOC (Transport Location) information.
• The policies are configured via the vManage GUI.
• The policies are applied to the vSmart controller.
• The vSmart controller propagates the necessary information to the vEdge routers as per the policy directives.
Policy - Workflow
Inbound Policy: determines which routes are installed in the local routing database of the vSmart controller.
Outbound Policy: applied AFTER a route is retrieved from the routing database, but BEFORE the vSmart controller advertises it.
Hub & Spoke Topology
Hub & Spoke Topology
• By default the SD-WAN solution supports a full mesh.
• To make the solution more scalable, a hub and spoke topology can be created.
• In our example, we will create hub and spoke for VPN 10 and 20.
• VPN 40 will be restricted using a VPN-Membership policy.
• Currently, Branch 1 can talk directly to Branch 2 because of the full mesh topology.
• After applying the StrictHub-n-Spoke policy, Branch 1 can talk to Branch 2 via hub on
Strict Hub and Spoke – Before Policy Application
[Figure: lab topology as in the Step 1 diagram with both branches migrated (BR1-VEDGE1/VEDGE2 with VRRP, BR2-VEDGE1); before the policy, branch-to-branch traffic flows directly over the full mesh.]
Policy Definition
control-policy Hub-n-SpokeALLVPN
 sequence 1
  match tloc
   site-list AllDC
  !
  action accept
  !
 !
 sequence 11
  match tloc
  !
  action reject
  !
 !
 sequence 21
  match route
   site-list AllBranches
   vpn-list corpVPN
  !
  action reject
  !
 !
 sequence 31
  match route
   site-list AllBranches
   vpn-list pciVPN
  !
  action accept
   set
    tloc-list DC-TLOCS
   !
  !
 !
 default-action accept
!
vpn-membership vpnMembership_-258379630
 sequence 10
  match
   vpn-list corpVPN
  !
  action accept
  !
 !
 sequence 20
  match
   vpn-list pciVPN
  !
  action accept
  !
 !
 default-action reject
!
Strict Hub and Spoke – After Policy Application
[Figure: same topology; after the policy, branch-to-branch traffic is forwarded through the DC hubs.]
Preferential Data Centers
Preferential Data Centers
• By default a vEdge will load-balance across all routes coming via the DCs.
• There are situations when a certain site may want to prefer one DC over the other.
• In our example, there are 4 vEdges in the DCs advertising DC routes.
• These DCs are also advertising a default route (0.0.0.0) for the Internet.
• The goal: Branch 1 should prefer DC1 for the default route and Branch 2 should prefer DC2 for the default route.
DC Preference – Before policy application
[Figure: lab topology as in the Step 1 diagram with both branches migrated; default-route traffic from the branches is load-balanced across DC1 and DC2.]
DC Preference Policy
control-policy PreferDC1
 sequence 1
  match route
   site-list DC1
  !
  action accept
   set
    preference 100
   !
  !
 !
 sequence 11
  match route
   site-list AllBranches
   vpn-list pciVPN
  !
  action accept
   set
    tloc-list DC-TLOCS
   !
  !
 !
 default-action accept
!
control-policy PreferDC2
 sequence 1
  match route
   site-list DC2
  !
  action accept
   set
    preference 100
   !
  !
 !
 sequence 11
  match route
   site-list AllBranches
   vpn-list pciVPN
  !
  action accept
   set
    tloc-list DC-TLOCS
   !
  !
 !
 default-action accept
!
DC Preference – After policy application
[Figure: same topology; Branch 1 now sends default-route traffic to DC1 and Branch 2 to DC2.]
Service Insertion
Service Insertion – Workflow
• The vEdge router with the connected service makes an advertisement: a service route and the service VPN label.
• The service is advertised in the VPN.
• The service can be singly or dually connected (firewall trust zones) to the advertising vEdge.
• Policies are used to insert the service into the matching traffic forwarding path: matched on 6-tuple or DPI signature, and applied on the ingress/egress vEdge.
[Figure: a firewall at the regional hub is advertised (service advertisement) in VPN1 to vSmart, which applies the policy (policy advertisement) so that the VPN1 traffic path between the remote office and the data center passes through the hub's FW; control plane over 4G, MPLS and INET transports.]
Service Insertion Policy
control-policy MultiTopologyFWInsertion
 sequence 1
  match route
   site-list AllBranches
   vpn-list pciVPN
  !
  action accept
   set
    tloc-list DC-TLOCS
   !
  !
 !
 sequence 11
  match route
   site-list AllBranches
   vpn-list corpVPN
  !
  action accept
   set
    service FW vpn 10
   !
  !
 !
 default-action accept
!
DC vEdges Configuration
vpn 10
 service FW address 198.18.130.1
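The three control policies in this lab (Hub-n-SpokeALLVPN, PreferDC1 and MultiTopologyFWInsertion) all rely on the same evaluation rule: vSmart walks the sequences in order, the first match decides, and anything unmatched takes the default-action. The following is an added example written for this page, not Viptela or Cisco software, that models that rule on a handful of constructed OMP routes and TLOCs so the effect of each policy on what Branch 1 receives can be seen directly. Site-list and vpn-list contents, the TLOC identifiers and the sample prefixes are assumptions chosen to fit the lab.

```python
"""Added example: a toy model of vSmart control-policy evaluation.

Illustrative code written for this page, not Viptela/Cisco software. It models
the first-match sequence semantics of the lab's control policies (match tloc or
route by site-list and vpn-list, accept or reject, set preference / tloc-list /
service, default-action) on constructed OMP routes and TLOCs, as vSmart would
evaluate them before advertising to Branch 1. List contents and TLOC
identifiers are assumptions made to fit the lab.
"""
from dataclasses import dataclass, field, replace
from typing import Optional

SITE_LISTS = {"AllDC": {100, 200}, "DC1": {100}, "DC2": {200}, "AllBranches": {300, 400}}
VPN_LISTS = {"corpVPN": {10}, "pciVPN": {20}}
TLOC_LISTS = {"DC-TLOCS": ["10.1.0.1:mpls", "10.2.0.1:mpls"]}  # "system-ip:color", constructed


@dataclass(frozen=True)
class Tloc:
    tloc: str
    site: int


@dataclass(frozen=True)
class Route:
    prefix: str
    vpn: int
    site: int
    tloc: str                      # next-hop TLOC
    preference: int = 0
    service: Optional[str] = None  # service the traffic must pass through


@dataclass
class Seq:
    kind: str                      # "route" or "tloc"
    action: str                    # "accept" or "reject"
    site_list: Optional[str] = None
    vpn_list: Optional[str] = None
    sets: dict = field(default_factory=dict)

    def matches(self, obj) -> bool:
        if self.kind != ("route" if isinstance(obj, Route) else "tloc"):
            return False
        if self.site_list and obj.site not in SITE_LISTS[self.site_list]:
            return False
        return not self.vpn_list or obj.vpn in VPN_LISTS[self.vpn_list]


def apply_sets(route: Route, sets: dict) -> list:
    """Apply set clauses; a tloc-list re-points the route at every listed TLOC."""
    if "preference" in sets:
        route = replace(route, preference=sets["preference"])
    if "service" in sets:
        route = replace(route, service=sets["service"])
    if "tloc-list" in sets:
        return [replace(route, tloc=t) for t in TLOC_LISTS[sets["tloc-list"]]]
    return [route]


def evaluate(policy: list, default_action: str, objects: list) -> list:
    """The first matching sequence decides; unmatched objects take the default action."""
    out = []
    for obj in objects:
        for seq in policy:
            if seq.matches(obj):
                if seq.action == "accept":
                    out.extend(apply_sets(obj, seq.sets) if isinstance(obj, Route) else [obj])
                break
        else:
            if default_action == "accept":
                out.append(obj)
    return out


def best_by_preference(routes: list) -> dict:
    """OMP best-path shortcut: per (vpn, prefix) the highest preference wins."""
    best = {}
    for r in routes:
        if isinstance(r, Route) and (
                (r.vpn, r.prefix) not in best or r.preference > best[(r.vpn, r.prefix)].preference):
            best[(r.vpn, r.prefix)] = r
    return best


# The lab's policies transcribed in sequence order.
HUB_N_SPOKE = [
    Seq("tloc", "accept", site_list="AllDC"),
    Seq("tloc", "reject"),
    Seq("route", "reject", site_list="AllBranches", vpn_list="corpVPN"),
    Seq("route", "accept", site_list="AllBranches", vpn_list="pciVPN", sets={"tloc-list": "DC-TLOCS"}),
]
PREFER_DC1 = [
    Seq("route", "accept", site_list="DC1", sets={"preference": 100}),
    Seq("route", "accept", site_list="AllBranches", vpn_list="pciVPN", sets={"tloc-list": "DC-TLOCS"}),
]
FW_INSERTION = [
    Seq("route", "accept", site_list="AllBranches", vpn_list="pciVPN", sets={"tloc-list": "DC-TLOCS"}),
    Seq("route", "accept", site_list="AllBranches", vpn_list="corpVPN", sets={"service": "FW vpn 10"}),
]

# Constructed OMP state held by vSmart (candidates for advertisement to Branch 1, site 300).
TLOCS = [Tloc("10.1.0.1:mpls", 100), Tloc("10.4.0.1:mpls", 400)]
ROUTES = [
    Route("10.4.0.0/24", 10, 400, "10.4.0.1:mpls"),   # Branch 2 corporate subnet
    Route("10.4.20.0/24", 20, 400, "10.4.0.1:mpls"),  # Branch 2 PCI subnet
    Route("0.0.0.0/0", 10, 100, "10.1.0.1:mpls"),     # default route from DC1
    Route("0.0.0.0/0", 10, 200, "10.2.0.1:mpls"),     # default route from DC2
]
```

With Hub-n-SpokeALLVPN, Branch 1 is left with only the DC TLOC, no Branch 2 route in VPN 10, and the Branch 2 PCI route re-pointed at the DC TLOCs, which is exactly the strict hub-and-spoke outcome; PreferDC1 makes the DC1 default route win on preference, and MultiTopologyFWInsertion tags Branch 2's VPN 10 route with the FW service while leaving the DC default routes untouched.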
Service Insertion – Traffic Flow after policy Activation
[Figure: same topology; VPN 10 traffic between the branches is steered through the DC firewall (service FW) before reaching its destination.]
Application-Aware Routing
Application Aware Routing - Overview
• Cisco SD-WAN provides the ability to use multiple transports in more than just an active-active fashion: it can make intelligent decisions to steer applications onto different transports.
• App-Aware Routing leverages the following logic:
• Measure loss, latency and jitter characteristics on all active tunnels.
• The network administrator defines a central policy that specifies SLAs for applications.
• The SD-WAN solution steers application traffic onto the paths that satisfy the SLAs.
• Traffic can be steered onto any best path, or a hierarchy of preferred paths can be provided for a given application.
Application Aware Routing - Workflow
[Figure: a remote site reaches the regional data center over IPsec tunnels on Internet, MPLS and 4G LTE; the vEdges measure path liveliness and quality.]
Measured paths:
Path1: 10ms, 0% loss, 5ms jitter
Path2: 200ms, 3% loss, 10ms jitter
Path3: 140ms, 1% loss, 10ms jitter
vManage App Aware Routing Policy – App A path must have:
Latency < 150ms
Loss < 2%
Jitter < 10ms
Application Aware Routing – Lab Notes
• In this lab, you will:
• Learn to use Simulate Flows to observe behavior in the default state.
• Learn to view and modify SLAs for applications.
• Use a policy that steers DSCP 46 traffic onto MPLS as its preferred path.
• Observe with Simulate Flows that traffic steering takes effect.
• Inject latency into the environment.
• Observe with Simulate Flows that traffic is steered onto a path that satisfies the SLA.
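The workflow slide and the lab steps above describe one decision: keep the paths that meet the application's SLA, use the preferred transport when it is among them, and move traffic elsewhere when injected latency takes the preferred path out of SLA. The following is an added example written for this page, not Cisco's implementation, that carries that decision through on the three measured paths from the workflow slide. The transport colours assigned to the paths, and the fallback to all paths when none meets the SLA (the non-strict case), are assumptions; the thresholds are applied as the strict upper bounds the slide writes them with, which is why Path3 at exactly 10 ms jitter does not qualify.

```python
"""Added example: choosing paths for an application SLA.

Illustrative code written for this page (not Cisco's implementation). It
applies the SLA from the workflow slide (latency < 150 ms, loss < 2 %,
jitter < 10 ms) to the three measured paths and returns the paths the
application may use, honouring a preferred transport colour when it meets
the SLA. Path colours and the non-strict fallback when no path meets the
SLA are assumptions made for the example.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class PathStats:
    name: str
    color: str          # transport colour the tunnel rides on (assumed)
    latency_ms: float
    loss_pct: float
    jitter_ms: float


@dataclass(frozen=True)
class SlaClass:
    latency_ms: float
    loss_pct: float
    jitter_ms: float

    def failing(self, p: PathStats) -> list:
        """Metrics that keep a path out of SLA; thresholds are strict upper bounds as on the slide."""
        checks = (("latency", p.latency_ms, self.latency_ms),
                  ("loss", p.loss_pct, self.loss_pct),
                  ("jitter", p.jitter_ms, self.jitter_ms))
        return [metric for metric, value, limit in checks if not value < limit]

    def met_by(self, p: PathStats) -> bool:
        return not self.failing(p)


# Constructed measurements copied from the workflow slide; colours are assumed.
PATHS = [
    PathStats("Path1", "mpls", 10, 0.0, 5),
    PathStats("Path2", "biz-internet", 200, 3.0, 10),
    PathStats("Path3", "lte", 140, 1.0, 10),
]
APP_A_SLA = SlaClass(latency_ms=150, loss_pct=2.0, jitter_ms=10)


def select_paths(paths: list, sla: SlaClass, preferred_color: str = None) -> list:
    """Return the paths eligible for the application's traffic.

    1. Keep only the paths that meet the SLA.
    2. If a preferred colour is configured and a compliant path has it, use only those.
    3. If nothing meets the SLA, fall back to all paths (assumed non-strict behaviour).
    """
    compliant = [p for p in paths if sla.met_by(p)]
    if not compliant:
        return list(paths)
    if preferred_color:
        preferred = [p for p in compliant if p.color == preferred_color]
        if preferred:
            return preferred
    return compliant


def with_metrics(paths: list, name: str, **changes) -> list:
    """Copy of the measurements with one path's metrics changed (the lab's 'inject latency' step)."""
    return [replace(p, **changes) if p.name == name else p for p in paths]


if __name__ == "__main__":
    for p in PATHS:
        print(p.name, "fails:", APP_A_SLA.failing(p) or "none")
    print("selected:", [p.name for p in select_paths(PATHS, APP_A_SLA, "mpls")])
```

Path1 (MPLS) is the only compliant path and is also the preferred one, so it carries the traffic; injecting 160 ms of latency onto it leaves nothing compliant and the example falls back to all three paths, while lowering Path3's jitter to 8 ms at the same time moves the traffic onto Path3, which is the steering the lab asks you to observe.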
CloudExpress
CloudExpress – Overview
[Figure: CloudExpress path options from a branch to SaaS, numbered 1, 2, 3a and 3b: Direct Internet Access (DIA) from the branch over INET; through the SD-WAN fabric (4G, INET, MPLS) to a regional facility (data center/colo); and via a carrier-neutral facility (CNF) using Direct Connect or a cloud exchange.]
CloudExpress – Lab Implementation
[Figure: lab topology as in the Step 1 diagram with both branches migrated; two sites are marked as CXP gateways and two as CXP DIA.]
CloudExpress – Lab Notes
• In this lab, you will:
• Add a new application to Cloud Express
• Learn how to add a new DIA site
• Monitor vQoE scores for different applications and sites
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you