Understanding Cisco’ Next Generation SD-WAN Technology

© 2017 Cisco and/or its affiliates. All rights reserved. 1

Understanding Cisco’ Next Generation SD-WAN TechnologyColin BolandSE

January 30, 2018 CiscoConnect Your Time

Is Now

The Branch and WAN Are Being Disrupted!

of revenue is generated in the branch

90%

MORE THREATS 30%

Of advanced threats will target branch offices by 2016 (up from 5%)

MORE USERS

80% Of employee and customers are served in branch offices

MORE DEVICES

73% Growth in mobile devices from 2014-2018

MORE APPS

20-50% Increase in enterprise bandwidth per year through 2018

IoT devices connected to internet by 2020

30B

Annual increase in enterprise bandwidth and video adoption50%

Up to

Mobile-connected devices by 201910B

Of Organizations primarily use public cloud by 201980%

• The traditional WAN / branch market is undergoing a massive disruption• Customers are consuming more cloud services• Customers are asking for SD-WAN solutions with virtualized services


Existing Data Center

Remote Site

MSP-RT MPLS

NewWAN

Internet

ISP-RT

New

The WAN Market Disruption

ServicesDelivery

• Access Cloud Services

• Deploy application aware topologies

• Optimize routing, security, QoS, multicast, services insertion and survivability

TransportIndependence

• Leverage overlay through existing equipment at data center for transport agnostic redesign

• Replace remote site equipment or leverage overlay

Application Policies

• Select test application as candidate for intelligent traffic engineering

• Test blackout and brownout failover scenarios

Existing

Multicloud(AWS,

Azure, etc.)

Cloud-first managementwith flexible

deployment options

Accelerate keySD-WAN use cases;

Cloud-edge and Segmentation

Sophisticated, butstill simple to deploy

and operate

Complements Cisco’s Enterprise Networks architecture strategy

Why Did Cisco Buy Viptela?

Cisco DigitalNetwork Architecture

Better Together

Leading Routing & SD-WAN Platforms

Goal: Building next generation SD-WAN solutions

Together, helping businesses and IT to innovate faster, securing and delivering better customer outcomes, while reducing costs and lowering risk

Cloud-managed & Feature-rich SD-WAN


APPLICATION POLICIES

SERVICES DELIVERY PLATFORM

TRANSPORT INDEPENDENT FABRIC

Broadband CellularMPLS

QoSSecurity Segmentation Svc Insertion SurvivabilityRouting Multicast

Per-SegmentTopologies

Cloud Path (IaaS)

Application SLA

SecurePerimeter

TrafficEngineering

TransportHub

Cloud Accel(SaaS)

Analytics

Monitoring

Operations

Business Driven WAN Infrastructure


• Secure Connectivity

• Flexible (Cloud First) Connectivity

• Application Quality of Experience

• Agile Operations

Reinventing the WAN - 4 Technical Pillars

Security ApplicationsServices

Connectivity OperationsFlexible Connectivity

AgileOperations

ApplicationServices


Centralized DeviceAuth-DB

Centralized Key Mgmt

Scalable Data-PlaneEncryption

Embedded Security Secure On-Boarding

Reinventing the WANSecurity


Connectivity OperationsConnectivity Operations

ApplicationServices

Deep Packet InspectionApp Fingerprinting

DPI Engine


MPLS

LTE

INTERNET

Hybrid WAN

Segmentation/VPNsDynamic Per-VPN

Topologies

Google

AWS

Data Center

Provider/TransportAgnostic



ApplicationServices

Reinventing the WANConnectivity


Application Visibility and Control Central Orchestration

Application-AwareRouting

Transport SLA Monitoring

MPLS

LTE

INTERNET

Cloud ServicesIntegration

SEN Overlay

Application LayerAnalytics

App Fingerprinting

DPI Engine



ApplicationServices

Reinventing the WANApplication Services


Centralized OperationsDistributed Execution

Zero Touch ProvisioningTemplate-basedConfigurations

Programmatic APIsOpen Object Model

NetConf Ad-HocAdds/Moves/Changes

CentralizedPolicy Orchestration



ApplicationServices

Reinventing the WANOperations

12© 2017 Cisco and/or its affiliates. All rights reserved.

Cisco SD-WAN Architecture


vEdge Router

Cloud Data Center

Campus

Branch

Small OfficeHome Office

vSmart Controller

vManage

The Viptela branch office router

Policy and Service Control Plane

Cloud or on premises network management

Viptela Solution – Key Components

vBond

On-Boarding and Orchestration


vBond: ZTP and Orchestration Plane

APIs

vSmart Controllers

vAnalytics 3rd PartyAutomation

vManage

Data Center Campus Branch SOHOCloud

vBond

vEdge Routers

4GMPLS

INET

• Used for device on-boarding (ZTD/ZTD)

• Orchestrates connectivity between management, control and data plane

• First point of authentication• All other components need to

know the vBond IP or DNS information

• Authorizes all control connections (white-list model)

• Distributes list of vSmarts to all vEdges

Orchestration Plane

Cisco vBond


vEdge: The Data PlaneData PlanePhysical/Virtual

Cisco vEdge

• WAN edge routers• Provides secure data plane with

remote vEdge routers• Establishes secure control plane

with vSmart controllers (OMP) and Implements data plane and application aware routing policies

• Exports performance statistics• Leverages traditional routing

protocols like OSPF, BGP and VRRP

• Physical or Virtual form factor (100Mb, 1Gb, 10Gb)

APIs

vSmart Controllers


vManage


vBond

vEdge Routers

4GMPLS

INET


vSmart: The Control PlaneControl Plane

Cisco vSmart

• Centralized brain of the solution• Establishes OMP peering with all

vEdges• Implements control plane policies,

such as service chaining, traffic engineering and per VPN topology

• Distributes connectivity information between vEdge

• Orchestrates secure data plane connectivity between vEdges

vSmart Controllers


vManage


vBond

vEdge Routers

4GMPLS

INET

APIs


Overlay Management Protocol (OMP)Unified Control Plane

• Runs between vEdge routers and vSmartcontrollers and between the vSmartcontrollers- Inside TLS/DTLS connections

• Advertises control plane contextvSmart vSmart

vSmart

vEdge vEdgeVS

Note: vEdge routers need no control connections amongst them

vSmart acts like a Key Server


OMP Update:§ Reachability – IP Subnets, TLOCs§ Security – Encryption Keys§ Policy – Data/App-route Policies

BGP, OSPF, Connected, Static

BFDIPSec Tunnel

OMPDTLS/TLS Tunnel

Transport1

Transport2VPN1

A

VPN2

B

VPN1

C

VPN2

D

BGP, OSPF, Connected, Static

vSmart

OMPUpdate

OMPUpdate

vEdge vEdge

Subnets Subnets

TLOCs TLOCs

Policies

Fabric Operation Fabric Walk-Through

OMPUpdate

OMPUpdate

Deploy Encryption Keys


IngressvEdge

VPN 3

VPN 1VPN 2

SD-WANIPSecTunnel

20

IP

8

UDP

36

ESP

4

VPN

…

Data

EgressvEdge

Interface

VLAN

• Segment connectivity across fabric w/o reliance on underlay transport

• vEdge routers maintain per-VPN routing table

• Labels are used to identify VPN for destination route lookup

• Interfaces and sub-interfaces (802.1Q tags) are mapped into VPNs

VPN1

VPN2

Interface

VLAN

VPN1

VPN2

Secure SegmentationEnd-to-End Segmentation


vManage: The Management PlaneManagement Plane

Cisco vManage

• Single pane of glass for Day0, Day1 and Day2 operations

• Real time alerting• Centralized provisioning• Configuration standardization• Supports

• REST API• CLI• NETCONF / YANG• SNMP• Syslog

vSmart Controllers


vManage


vBond

vEdge Routers

4GMPLS

INET

APIs


Single Pane Of Glass Operations

Operations Simplicity and Visibility

Rich Analytics


SD-WAN Fabric and Capabilities


TPMChip

Root Chain

Embedded Device Identity

Controller Trust

Zero-Touch Provisioning of the vEdge Router Identity and Trust

IdentityCert

vEdge

Dynamic Device Identity

Root Chain

Controller Trust

IdentityCert

vEdge Cloud


Zero Trust ModelCertificate-Based Trust

• Bi-directional certificate-based trust between all elements� Public or Enterprise PKI

• White-list of valid vEdges and controllers� Certificate serial number as unique identification

SignedvEdge List

AdministratorDefinedControllers

vEdge

vBond

vManage

vSmart


Zero Touch Provisioning vEdge Walk-throughControl and Policy

Elements

Initial

cont

rol

com

mun

icatio

n

Initial

devic

e

conf

igura

tion

from

vMan

age Full Registration and

Configuration

vEdge

5

* Factory default configured

Assumption:§ DHCP on Transport Side (WAN)§ DNS to resolve ZTP server name*

3

4

Zero Touch ProvisioningServer

Query to ZTP

ServerRedirect to corporate

orchestrator

1

2


Template-Based ConfigurationsCentralized Device Configuration Enforcement

• Templates are attached to provisioned vEdge routers

• Variables are used for rapid bulk configuration rollout with unique per-device settings

• Local configuration changes are not allowed- Prevents configuration drift


Application-Centric Network CapabilitiesPer-Session Loadsharing

Active/ActivePer-Session Weighted

Active/ActiveApplication Pinning

Active/StandbyApplication Aware Routing

SLA Compliant

SLASLA

Core

Hierarchical Multihop Fabric Single-hop Fabric


• Embedded Deep Packet Inspection engine – similar to AVC (but not the same)

• Application and flow level visibility for the fabric and individual vEdgerouters

• Centralized statistics and performance

• Export flow level data (IPFIX) to external collector

Application and Performance VisibilityDeep Packet Inspection


Deep Packet Inspection Engine

Primary Use Cases:- Application Visibility- Application Firewall- Traffic Prioritization- Transport Selection- Analytics

vEdge Router

App 1

App 2

App 3,000

Cloud Data Center

Data Center

Campus

Branch

Small OfficeHome Office

MPLS INET

3G/4G

Embedded Application RecognitionDeep Packet Inspection


§ Enforce SLA compliant path for applications of interest

§ Other applications will follow fabric routing across all paths

Control Plane

Path1: 10ms, 0% loss, 5ms latencyPath2: 200ms, 3% loss, 10ms latencyPath3: 140ms, 1% loss, 10ms latency

vManageApp Aware Routing Policy

App A path must have:latency < 150ms

loss < 2%jitter < 10ms

Path 1

Path 3

vEdge1 vEdge2

Internet

MPLS

4G LTE

vSmart Controllers

App A

IPSec Tunnel

Critical Applications SLAApplication Aware Routing

Path 2


SD-WAN Solution Components Overview


Cisco vEdge Routers Portfolio Positioning

Branch/SOHO/SMB(100Mb)

Branch/Campus(1Gb)

Campus/Data Center(10Gb)

NFV, vCPE(N x cores)

IaaS & Cloud Interconnect(N x cores)

Campus/Data Center(20Gb+)

vEdge 100 family vEdge 1000 vEdge 2000 vEdge 5000vEdge Cloud on

Greybox or Whitebox

vEdge Cloud


Data Center Campus Branch Home Office

4G/LTE

MPLS

Internet

Control Plane (Containers or VMs)

(vSmart)

Management Plane(Multi-tenant or Dedicated)

(vManage)

Orchestration Plane(vBond)

2000 vEdges per vBondRedundancy Add 1-2 vBonds

Horizontal Scale out Model

Horizontal Scale Out Model

2700 vEdges per vManage

Horizontal Scale out Model in cluster mode (same DC)

2700 vEdges per vSmartRedundancy Add 1-2 vSmarts

Horizontal Scale out Model

Scalability ConsiderationsOrchestration/Control/Management Plane


Perpetual cost of Cisco

SD-WAN CPE hardware

Subscriptioncost of Cisco

SD-WAN software

(Includes SD-WAN controller

+ CPE software)

Operational cost of Cisco SD-WAN solution

1.Subscription license (1YR, 3YR and 5YR) for Cisco SD-WAN software charged per CPE. This cost is dependent on two factors:

• Service bandwidth• Features

2.Perpetual cost of Cisco SD-WAN CPE element.

SD-WAN Pricing ModelSubscription and Perpetual Elements


Plus Pro

Hub

Spoke Spoke Spoke

MPLS Internet Local breakout

Hub

Spoke Spoke Spoke

MPLS Internet

Spoke Spoke

Local breakout

Dynamic Routing

Dynamic Routing

Hub

Spoke Spoke Spoke

MPLS Internet

Spoke Spoke

Dynamic Routing

Dynamic Routing

SaaS onRamp

SD WAN controllers

AnalyticsSD WAN controllers

SD WAN controllers

AARAAR AAR

E2E Segmentation

E2E Segmentation

• Routing: Static• Topology: Hub-n-spoke only• Internet/Cloud: NAT, Split tunnel• Policy: Local ACL only, Data policy• QoS• SLA: Application aware routing (5 tuple

only)• Visibility : DPI for visibility only

• Routing: Dynamic routing (OSPF/BGP)• Topology: Mesh topology• Internet/Cloud: Cloud onRamp for IaaS• Policy: Control policy• Segmentation: 5 VPNs (1+4)• SLA: Application aware routing (DPI)• Multicast

• Segmentation: Unlimited• Internet/Cloud: Cloud onRamp for

SaaS • Analytics: vAnalytics platform

Enterprise

License Tier Features License Tiers

• Cisco is the market and technology leader in SD-WAN, combining the flexibility of Viptela, Meraki, and ISR IOS-XE

• Cisco’s SD-WAN solution (Viptela) is both a cloud and on-prem(hardware) based solution, offering unmatched capabilities

• Cisco will merge the Viptela and IOS-XE capabilities into a common ISR 4K-based platform and DNA Center, but the complimentary Viptela core products are here to stay in foreseeable future

Key Takeaways

Thank you.

Date post:	28-Jan-2018
Category:	Technology
Upload:	cisco-canada
View:	80 times
Download:	10 times