© 2017 Cisco and/or its affiliates. All rights reserved.
Understanding Cisco’s Next Generation SD-WAN Technology
Colin Boland, SE
January 30, 2018, Cisco Connect
Your Time Is Now
The Branch and WAN Are Being Disrupted!
• 90% of revenue is generated in the branch
• More threats: 30% of advanced threats will target branch offices by 2016 (up from 5%)
• More users: 80% of employees and customers are served in branch offices
• More devices: 73% growth in mobile devices from 2014-2018
• More apps: 20-50% increase in enterprise bandwidth per year through 2018
• 30B IoT devices connected to the internet by 2020
• Up to 50% annual increase in enterprise bandwidth and video adoption
• 10B mobile-connected devices by 2019
• 80% of organizations primarily use public cloud by 2019
• The traditional WAN / branch market is undergoing a massive disruption
• Customers are consuming more cloud services
• Customers are asking for SD-WAN solutions with virtualized services
The WAN Market Disruption
Diagram labels: Existing Data Center, Remote Site, MSP-RT, MPLS, New WAN, Internet, ISP-RT, Existing, Multicloud (AWS, Azure, etc.)
Services Delivery
• Access Cloud Services
• Deploy application aware topologies
• Optimize routing, security, QoS, multicast, services insertion and survivability
Transport Independence
• Leverage overlay through existing equipment at data center for transport agnostic redesign
• Replace remote site equipment or leverage overlay
Application Policies
• Select test application as candidate for intelligent traffic engineering
• Test blackout and brownout failover scenarios
Why Did Cisco Buy Viptela?
• Cloud-first management with flexible deployment options
• Accelerate key SD-WAN use cases: cloud-edge and segmentation
• Sophisticated, but still simple to deploy and operate
• Complements Cisco’s Enterprise Networks architecture strategy
Better Together: Cisco Digital Network Architecture with leading routing & SD-WAN platforms and cloud-managed & feature-rich SD-WAN
Goal: Building next generation SD-WAN solutions
Together, helping businesses and IT to innovate faster, securing and delivering better customer outcomes, while reducing costs and lowering risk
Business Driven WAN Infrastructure
• Application Policies: Per-Segment Topologies, Cloud Path (IaaS), Application SLA, Secure Perimeter, Traffic Engineering, Transport Hub, Cloud Accel (SaaS)
• Services Delivery Platform: QoS, Security, Segmentation, Svc Insertion, Survivability, Routing, Multicast
• Transport Independent Fabric: Broadband, Cellular, MPLS
• Analytics, Monitoring, Operations
Reinventing the WAN - 4 Technical Pillars
• Secure Connectivity
• Flexible (Cloud First) Connectivity
• Application Quality of Experience
• Agile Operations
(Pillars: Security, Connectivity, Application Services, Operations)
Reinventing the WAN: Security
• Centralized Device Auth-DB
• Centralized Key Mgmt
• Scalable Data-Plane Encryption
• Embedded Security
• Secure On-Boarding
• Deep Packet Inspection: App Fingerprinting, DPI Engine
Reinventing the WAN: Connectivity
• Hybrid WAN: MPLS, LTE, Internet
• Segmentation/VPNs
• Dynamic Per-VPN Topologies
• Provider/Transport Agnostic
(Diagram endpoints: AWS, Data Center)
Reinventing the WAN: Application Services
• Application Visibility and Control
• Central Orchestration
• Application-Aware Routing
• Transport SLA Monitoring (MPLS, LTE, Internet)
• Cloud Services Integration
• SEN Overlay
• Application Layer Analytics
• App Fingerprinting, DPI Engine
Reinventing the WAN: Operations
• Centralized Operations, Distributed Execution
• Zero Touch Provisioning
• Template-based Configurations
• Programmatic APIs, Open Object Model
• NetConf
• Ad-Hoc Adds/Moves/Changes
• Centralized Policy Orchestration
Cisco SD-WAN Architecture
Viptela Solution – Key Components
• vEdge Router: the Viptela branch office router (deployed at cloud data center, campus, branch and small office/home office)
• vSmart Controller: policy and service control plane
• vManage: cloud or on premises network management
• vBond: on-boarding and orchestration
vBond: ZTP and Orchestration Plane (Cisco vBond)
Diagram: vManage, vSmart Controllers, vBond, vAnalytics and 3rd-party automation (via APIs); vEdge routers at data center, campus, branch, SOHO and cloud over MPLS, INET and 4G
• Used for device on-boarding (ZTP/ZTD)
• Orchestrates connectivity between management, control and data plane
• First point of authentication
• All other components need to know the vBond IP or DNS information
• Authorizes all control connections (white-list model)
• Distributes list of vSmarts to all vEdges
vEdge: The Data Plane (Physical/Virtual, Cisco vEdge)
• WAN edge routers
• Provides secure data plane with remote vEdge routers
• Establishes secure control plane with vSmart controllers (OMP) and implements data plane and application aware routing policies
• Exports performance statistics
• Leverages traditional routing protocols like OSPF, BGP and VRRP
• Physical or Virtual form factor (100Mb, 1Gb, 10Gb)
vSmart: The Control Plane (Cisco vSmart)
• Centralized brain of the solution
• Establishes OMP peering with all vEdges
• Implements control plane policies, such as service chaining, traffic engineering and per VPN topology
• Distributes connectivity information between vEdges
• Orchestrates secure data plane connectivity between vEdges
Overlay Management Protocol (OMP): Unified Control Plane
• Runs between vEdge routers and vSmart controllers and between the vSmart controllers, inside TLS/DTLS connections
• Advertises control plane context
• vSmart acts like a Key Server
Note: vEdge routers need no control connections amongst them
Fabric Operation: Fabric Walk-Through
OMP Update carries:
§ Reachability – IP Subnets, TLOCs
§ Security – Encryption Keys
§ Policy – Data/App-route Policies
Diagram: each vEdge learns its site routes (VPN1 at A and C, VPN2 at B and D) from BGP, OSPF, connected and static; the vEdges send OMP updates (subnets, TLOCs) to the vSmart over the OMP DTLS/TLS tunnel; the vSmart sends OMP updates (subnets, TLOCs, policies) back and deploys the encryption keys; the vEdges then bring up the IPsec tunnel, monitored by BFD, over Transport1 and Transport2.
Secure Segmentation: End-to-End Segmentation
• Segment connectivity across fabric w/o reliance on underlay transport
• vEdge routers maintain per-VPN routing table
• Labels are used to identify VPN for destination route lookup
• Interfaces and sub-interfaces (802.1Q tags) are mapped into VPNs
Diagram: at the ingress vEdge, interface and VLAN are mapped into VPN1/VPN2 (VPN 1, VPN 2, VPN 3); packets cross the SD-WAN IPsec tunnel as IP (20) | UDP (8) | ESP (36) | VPN label (4) | … | Data; the egress vEdge maps VPN1/VPN2 back to interface and VLAN.
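An added example, not code from the Cisco deck, modelling the two points above in Python: the per-packet tunnel overhead from the listed header sizes, and a vEdge that maps (interface, VLAN) into a VPN at ingress and at egress uses the label to select the VPN's own table before a longest-prefix match, so a label it does not know is dropped rather than matched in another VPN. Labels, interface names and prefixes are constructed for the example.

```python
import ipaddress

# Tunnel headers (bytes) as listed on the slide; its "..." stands for fields the
# deck does not itemise, so the sum is a lower bound on per-packet overhead.
TUNNEL_HEADERS = {"IP": 20, "UDP": 8, "ESP": 36, "VPN label": 4}

def min_tunnel_overhead():
    return sum(TUNNEL_HEADERS.values())  # at least 68 bytes

def max_inner_packet(transport_mtu):
    # Largest inner packet that fits the transport MTU under that lower bound
    return transport_mtu - min_tunnel_overhead()

class VEdge:
    """Per-VPN forwarding as the slide describes: ingress maps (interface,
    802.1Q tag) to a VPN; egress uses the tunnel label to pick that VPN's
    routing table and does a longest-prefix match in that table only."""
    def __init__(self):
        self.vpn_by_port = {}   # (interface, vlan) -> vpn
        self.vpn_by_label = {}  # label -> vpn
        self.tables = {}        # vpn -> [(network, outgoing interface)]
    def map_port(self, interface, vlan, vpn):
        self.vpn_by_port[(interface, vlan)] = vpn
    def bind_label(self, label, vpn):
        self.vpn_by_label[label] = vpn
    def add_route(self, vpn, prefix, out_if):
        self.tables.setdefault(vpn, []).append((ipaddress.ip_network(prefix), out_if))
    def ingress_vpn(self, interface, vlan):
        return self.vpn_by_port.get((interface, vlan))
    def egress_lookup(self, label, dst):
        vpn = self.vpn_by_label.get(label)
        if vpn is None:
            return None  # unknown label: drop, never fall back to another VPN's table
        addr, best = ipaddress.ip_address(dst), None
        for net, out_if in self.tables.get(vpn, []):
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, out_if)
        return (vpn, best[1] if best else None)

def demo_vedge():
    # Constructed sample: two VPNs with overlapping address space, which is
    # exactly what per-VPN tables keep apart; labels and names are made up.
    e = VEdge()
    e.map_port("ge0/2", 10, "VPN1"); e.map_port("ge0/2", 20, "VPN2")
    e.bind_label(1001, "VPN1"); e.bind_label(1002, "VPN2")
    e.add_route("VPN1", "10.1.0.0/16", "ge0/2.10")
    e.add_route("VPN1", "10.1.5.0/24", "ge0/3")
    e.add_route("VPN2", "10.1.0.0/16", "ge0/2.20")
    return e
```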
vManage: The Management Plane (Cisco vManage)
• Single pane of glass for Day0, Day1 and Day2 operations
• Real time alerting
• Centralized provisioning
• Configuration standardization
• Supports REST API, CLI, NETCONF / YANG, SNMP, Syslog
Single Pane Of Glass Operations
• Operations Simplicity and Visibility
• Rich Analytics
SD-WAN Fabric and Capabilities
Zero-Touch Provisioning of the vEdge Router: Identity and Trust
• vEdge (hardware): TPM chip, embedded device identity, identity cert, root chain, controller trust
• vEdge Cloud: dynamic device identity, identity cert, root chain, controller trust
Zero Trust Model: Certificate-Based Trust
• Bi-directional certificate-based trust between all elements
- Public or Enterprise PKI
• White-list of valid vEdges and controllers
- Certificate serial number as unique identification
Diagram: signed vEdge list and administrator-defined controllers shared among vEdge, vBond, vManage and vSmart
Zero Touch Provisioning: vEdge Walk-through (Control and Policy Elements)
Assumption:
§ DHCP on Transport Side (WAN)
§ DNS to resolve ZTP server name*
* Factory default configured
1. Query to ZTP Server
2. Redirect to corporate orchestrator
3. Initial control communication
4. Initial device configuration from vManage
5. Full Registration and Configuration
Template-Based Configurations: Centralized Device Configuration Enforcement
• Templates are attached to provisioned vEdge routers
• Variables are used for rapid bulk configuration rollout with unique per-device settings
• Local configuration changes are not allowed
- Prevents configuration drift
Application-Centric Network Capabilities
• Per-Session Loadsharing: Active/Active
• Per-Session Weighted: Active/Active
• Application Pinning: Active/Standby
• Application Aware Routing: SLA Compliant
• Hierarchical Multihop Fabric (through a core) and Single-hop Fabric
Application and Performance Visibility: Deep Packet Inspection
• Embedded Deep Packet Inspection engine – similar to AVC (but not the same)
• Application and flow level visibility for the fabric and individual vEdge routers
• Centralized statistics and performance
• Export flow level data (IPFIX) to external collector
Embedded Application Recognition: Deep Packet Inspection
Deep Packet Inspection Engine
Primary Use Cases:
- Application Visibility
- Application Firewall
- Traffic Prioritization
- Transport Selection
- Analytics
Diagram: a vEdge router recognizing App 1, App 2 … App 3,000 across cloud data center, data center, campus, branch and small office/home office over MPLS, INET and 3G/4G
Critical Applications SLA: Application Aware Routing
§ Enforce SLA compliant path for applications of interest
§ Other applications will follow fabric routing across all paths
Control plane: vManage holds the App Aware Routing policy and distributes it through the vSmart Controllers; vEdge1 and vEdge2 are joined by IPsec tunnels over Internet, MPLS and 4G LTE.
App A path must have: latency < 150ms, loss < 2%, jitter < 10ms
Path1: 10ms, 0% loss, 5ms latency
Path2: 200ms, 3% loss, 10ms latency
Path3: 140ms, 1% loss, 10ms latency
Diagram: App A traffic on Path 1 and Path 3; Path 2 (200ms, 3% loss) is non-compliant.
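As an added worked example (not from the deck), the policy evaluation behind this slide in Python: given the three path measurements and App A's SLA, it returns the compliant paths for App A and all fabric paths for an application without a policy, plus a per-metric breach report for monitoring. It assumes the slide's third figure per path is jitter and treats the thresholds as inclusive so that Path 3 complies as shown.

```python
# Path measurements from the slide, constructed into a dict. The SLA names
# latency, loss and jitter, so the third figure per path is read as jitter
# (assumption).
PATHS = {
    "Path 1": {"latency": 10,  "loss": 0.0, "jitter": 5},
    "Path 2": {"latency": 200, "loss": 3.0, "jitter": 10},
    "Path 3": {"latency": 140, "loss": 1.0, "jitter": 10},
}
# App-Aware Routing policy from the slide: App A's ceiling per metric.
APP_SLA = {"App A": {"latency": 150, "loss": 2.0, "jitter": 10}}

def violations(stats, sla):
    """Metrics on which a path breaches the SLA. Ceilings are inclusive here
    (assumption) so Path 3, at exactly 10 ms jitter, still complies, matching
    the slide's choice of Path 1 and Path 3 for App A."""
    return [m for m in sla if stats[m] > sla[m]]

def meets_sla(stats, sla):
    return not violations(stats, sla)

def select_paths(app, paths=PATHS, slas=APP_SLA):
    """Paths App-Aware Routing may use for `app`: only SLA-compliant ones when
    the app has a policy; every fabric path otherwise (sorted for stable output)."""
    sla = slas.get(app)
    if sla is None:
        return sorted(paths)
    return sorted(p for p, s in paths.items() if meets_sla(s, sla))

def sla_report(app, paths=PATHS, slas=APP_SLA):
    """Per-path breach list for an app, the data an alert on SLA violation needs."""
    sla = slas.get(app, {})
    return {p: violations(s, sla) for p, s in paths.items()}
```

When a brownout pushes a measurement past the ceiling, re-running `select_paths` with the refreshed stats drops that path for App A while leaving other applications on all paths.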
SD-WAN Solution Components Overview
Cisco vEdge Routers Portfolio Positioning
• vEdge 100 family: Branch/SOHO/SMB (100Mb)
• vEdge 1000: Branch/Campus (1Gb)
• vEdge 2000: Campus/Data Center (10Gb)
• vEdge 5000: Campus/Data Center (20Gb+)
• vEdge Cloud on Greybox or Whitebox: NFV, vCPE (N x cores)
• vEdge Cloud: IaaS & Cloud Interconnect (N x cores)
Scalability Considerations: Orchestration/Control/Management Plane
Diagram: data center, campus, branch and home office sites over 4G/LTE, MPLS and Internet
• Orchestration Plane (vBond): 2000 vEdges per vBond; redundancy: add 1-2 vBonds; horizontal scale out model
• Control Plane (vSmart, containers or VMs): 2700 vEdges per vSmart; redundancy: add 1-2 vSmarts; horizontal scale out model
• Management Plane (vManage, multi-tenant or dedicated): 2700 vEdges per vManage; horizontal scale out model in cluster mode (same DC)
SD-WAN Pricing Model: Subscription and Perpetual Elements
Operational cost of Cisco SD-WAN solution = perpetual cost of Cisco SD-WAN CPE hardware + subscription cost of Cisco SD-WAN software (includes SD-WAN controller + CPE software)
1. Subscription license (1YR, 3YR and 5YR) for Cisco SD-WAN software charged per CPE. This cost is dependent on two factors:
• Service bandwidth
• Features
2. Perpetual cost of Cisco SD-WAN CPE element.
License Tiers: License Tier Features
Plus
• Routing: Static
• Topology: Hub-n-spoke only
• Internet/Cloud: NAT, Split tunnel
• Policy: Local ACL only, Data policy
• QoS
• SLA: Application aware routing (5 tuple only)
• Visibility: DPI for visibility only
Pro
• Routing: Dynamic routing (OSPF/BGP)
• Topology: Mesh topology
• Internet/Cloud: Cloud onRamp for IaaS
• Policy: Control policy
• Segmentation: 5 VPNs (1+4)
• SLA: Application aware routing (DPI)
• Multicast
Enterprise
• Segmentation: Unlimited
• Internet/Cloud: Cloud onRamp for SaaS
• Analytics: vAnalytics platform
Diagram: each tier as a hub with spokes over MPLS and Internet, with local breakout, SD-WAN controllers and AAR; dynamic routing, spoke-to-spoke links and E2E segmentation for Pro and Enterprise; SaaS onRamp and analytics for Enterprise
Key Takeaways
• Cisco is the market and technology leader in SD-WAN, combining the flexibility of Viptela, Meraki, and ISR IOS-XE
• Cisco’s SD-WAN solution (Viptela) is both a cloud and on-prem (hardware) based solution, offering unmatched capabilities
• Cisco will merge the Viptela and IOS-XE capabilities into a common ISR 4K-based platform and DNA Center, but the complementary Viptela core products are here to stay in the foreseeable future
Thank you.