Cisco Connect Toronto 2017 - Understanding Cisco Next Generation SD-WAN
- 1. Cisco Confidential© 2016 Cisco and/or its affiliates. All rights reserved. 1
Understanding Cisco’s Next Generation SD-WAN Solution
Steven Wood
Principal Engineer, SD-WAN & Enterprise Architecture
October 12, 2017
- 2. Opening Comments
• Cisco SDWAN is the name for Cisco’s next generation SDWAN solution.
• Cisco SDWAN will have a roadmap for Innovation and for Integration (ISR/ASR/ENCS and IOS-XE)
• Cisco IWAN has over 200,000 sites deployed or in deployment
• IWAN 2.x support and roadmap will continue as per customer commitments
• Cisco is making significant investments in innovation and integration roadmaps
- 3. Digital Innovations Overwhelming the Branch & the WAN
• 90% of revenue is generated in the branch
• More threats: 30% of advanced threats will target branch offices by 2016 (up from 5%)
• More users: 80% of employees and customers are served in branch offices
• More devices: 73% growth in mobile devices from 2014-2018
• More apps: 20-50% increase in enterprise bandwidth per year through 2018
• 30B IoT devices connected to the internet by 2020
• Up to 50% annual increase in enterprise bandwidth and video adoption
• 10B mobile-connected devices by 2019
• 80% of organizations primarily use public cloud by 2019
- 4. The ROI is real: Traditional WAN vs Cisco SD-WAN
• 5X Cloud Performance: Cloud-aware architectures and SLA-based traffic steering deliver blazing performance for applications like O365, AWS, SFDC, and more
• 10X More Bandwidth: No capacity restraints. No choke points. Instantly add bandwidth anytime, anywhere based on application requirements
• 50% Lower Cost: Reduced CapEx & OpEx. Simplified management. Rapid troubleshooting
Comparison criteria: Circuit Costs, Time to enable New services, Bandwidth, Security & Compliance, Change Control
- 5. Why Viptela?
• Cloud-first management with flexible deployment options
• Accelerate key SD-WAN use cases: Cloud-edge and Segmentation
• Sophisticated, but still simple to deploy and operate
• Complements Cisco’s Enterprise Networks architecture strategy (Cisco Digital Network Architecture)
- 6. Better Together: Providing Better Outcomes
Leading Routing & SD-WAN Platforms + Cloud-managed & Feature-rich SD-WAN
Goal: Building next generation SD-WAN solutions. Together, helping businesses and IT to innovate faster, securing and delivering better customer outcomes, while reducing costs and lowering risk.
- 7. Accelerating SD-WAN Vision and Strategy
Evolution stages: IWAN, SD-WAN, Next Generation Cisco SDWAN
• Secure VPN Overlay, Any Transport, Bandwidth Efficiency, Application SLA
• Secure, Simple, Centralized Policy Automation, Optimization, Security, E2E Policies
• Cloud Migration, Cloud Delivery, Analytics, SDN Architecture
• vRouter, vService and NFV; Enterprise Fabric
Themes: Intelligent Virtualization, Automation, Cloud Integration, Service Virtualization, DNA
- 8. Cisco SD-WAN: Architecture & Use Cases
- 9. Cisco SD-WAN Solution with Viptela
Layers (diagram): Application Policies; Services Delivery Platform; Transport Independent Fabric (Broadband, Cellular, MPLS); Zero Touch, Zero Trust
• Application policies: Per-Segment Topologies, Cloud Path, Application SLA, Secure Perimeter, Traffic Engineering, Transport Hub, Cloud Accel
• Services: QoS, Security, Segmentation, Service Insertion, Survivability, Routing, Multicast
• Analytics, Monitoring, Operations
- 10. SD-WAN Fabric – Networking for the Cloud Era: Enabling the Digital Transformation
(Diagram: users, devices and things reach applications (SDWAN, Cloud, IoT, …) across the Enterprise Fabric toward DC, IaaS, SaaS and vDC; Analytics; Cloud Delivered; Secure, Scale, Open)
- 11. Cisco SD-WAN with Viptela: Solution Overview
• Management Plane (Multi-tenant or Dedicated): vManage
• Control Plane (Containers or VMs): vSmart
• Orchestration Plane: vBond (vOrchestrator)
• Data Plane (Physical or Virtual): vEdge at Data Center, Campus, Branch and Home Office sites, over 4G, Internet and MPLS transports
• API access; Analytics
- 12. Critical Applications SLA
Conditions the fabric must handle (diagram): Bandwidth Oversubscription, Path Brownout, Application-aware Topologies, All Links Failure, Single Link Failure, Cloud Applications Latency, Path MTU Changes, CPE Device Failure
Sites: Corporate Data Center, Cloud Data Center, Campus, Branch, Small Office, Home Office; transports: 4G/LTE, Internet, MPLS
- 13. Application Recognition
Deep Packet Inspection Engine on the vEdge router (App 1, App 2, … App 3,000)
Primary Use Cases:
- Application visibility
- Application Firewall
- Traffic prioritization
- Transport selection
Sites: Cloud Data Center, Data Center, Campus, Branch, Small Office, Home Office; transports: MPLS, INET, 3G/4G
- 14. Secure Segmentation
SD-WAN IPSec tunnel packet format (header sizes in bytes): IP (20) | UDP (8) | ESP (36) | VPN label (4) | Data
Ingress vEdge: traffic from VPN 1, VPN 2 and VPN 3 enters the tunnel; egress vEdge: interface / VLAN is mapped back to VPN1 and VPN2
• Segment connectivity across fabric w/o reliance on underlay transport
• vEdge routers maintain per-VPN routing table
• Labels are used to identify VPN for destination route lookup
• Interfaces and sub-interfaces (802.1Q tags) are mapped into VPNs
- 15. Arbitrary VPN Topologies
• Each VPN can have its own topology
• VPN topology can be influenced by leveraging control policies
- Filtering TLOCs or modifying next-hop TLOC attribute for routes
• Applications can benefit from shortest path, e.g. voice takes full-mesh topology
• Security compliance can benefit from controlled connectivity topology, e.g. PCI data takes hub-and-spoke topology
Topology examples (VPN1-VPN4): Full-Mesh, Hub-and-Spoke, Partial Mesh, Point-to-Point
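The two preceding slides describe one mechanism from two sides: the per-VPN routing table selected by the VPN label keeps segments apart, and a control policy that filters or rewrites the next-hop TLOC attribute of routes gives each VPN its own topology. The following Python model is an added example, not Cisco or Viptela code, that shows both together: a toy controller builds per-VPN tables for three sites, VPN 1 (voice) is left as a full mesh, VPN 2 (PCI data) is forced into hub-and-spoke by rewriting spoke next hops to the hub TLOC, and an egress lookup keyed by label shows that a VPN 2 label can never resolve a VPN 1 prefix. Site names, prefixes, label values and the policy functions are constructed assumptions.

```python
"""Toy model of secure segmentation and per-VPN topologies in an SD-WAN fabric.

Added example, not Cisco/Viptela code. Models two mechanisms from the slides:
(1) each vEdge keeps a routing table per VPN and the VPN label in the tunnel
header selects that table at the egress, with no fallback into another VPN;
(2) a control policy shapes a VPN's topology by filtering or rewriting the
next-hop TLOC (transport locator) of the routes a site receives.
Site names, prefixes, label values and the policy are constructed assumptions.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Tloc:
    site: str    # site that owns the transport locator
    color: str   # transport it sits on, e.g. "mpls" or "inet"


@dataclass(frozen=True)
class OmpRoute:
    vpn: int     # segment the prefix belongs to
    prefix: str
    tloc: Tloc   # next-hop TLOC advertised with the prefix


SITES = ["hub", "branchA", "branchB"]
HUB_TLOC = Tloc("hub", "mpls")

# Constructed OMP-style route advertisements: VPN 1 carries voice, VPN 2 PCI data.
ADVERTISED = [
    OmpRoute(1, "10.1.1.0/24", HUB_TLOC),
    OmpRoute(1, "10.1.2.0/24", Tloc("branchA", "inet")),
    OmpRoute(1, "10.1.3.0/24", Tloc("branchB", "inet")),
    OmpRoute(2, "10.2.1.0/24", HUB_TLOC),
    OmpRoute(2, "10.2.2.0/24", Tloc("branchA", "inet")),
    OmpRoute(2, "10.2.3.0/24", Tloc("branchB", "inet")),
]


def full_mesh(receiver, route):
    """VPN 1 policy: every site learns every route with its original TLOC."""
    return route


def hub_and_spoke(receiver, route):
    """VPN 2 policy: spokes only ever point at the hub, so spoke-to-spoke
    traffic transits the hub where it can be inspected; the hub keeps the
    real TLOCs. Returning None instead would filter the route out entirely."""
    if receiver == "hub" or route.tloc.site == "hub":
        return route
    return OmpRoute(route.vpn, route.prefix, HUB_TLOC)  # rewrite next-hop TLOC


CONTROL_POLICY = {1: full_mesh, 2: hub_and_spoke}

# Assumed label values carried in the tunnel header to identify the VPN.
VPN_LABEL = {1: 1001, 2: 1002}
LABEL_VPN = {label: vpn for vpn, label in VPN_LABEL.items()}


def compute_tables(receiver):
    """Per-VPN routing tables the controller pushes to `receiver` after policy."""
    tables = {}
    for route in ADVERTISED:
        if route.tloc.site == receiver:
            continue                      # a site does not learn its own routes back
        out = CONTROL_POLICY[route.vpn](receiver, route)
        if out is not None:               # None means the policy filtered it
            tables.setdefault(out.vpn, {})[out.prefix] = out.tloc
    return tables


def lookup(tables, label, dst_ip):
    """Egress lookup: the label picks the VPN table, longest prefix wins,
    and there is no fallback into another VPN's table."""
    vpn = LABEL_VPN[label]
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, tloc in tables.get(vpn, {}).items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, tloc)
    return best[1] if best else None


def topology(vpn):
    """Directed site adjacencies a VPN actually uses, derived from the tables."""
    edges = set()
    for site in SITES:
        for tloc in compute_tables(site).get(vpn, {}).values():
            edges.add((site, tloc.site))
    return edges


if __name__ == "__main__":
    for vpn in (1, 2):
        print(f"VPN {vpn} adjacencies: {sorted(topology(vpn))}")
    print(lookup(compute_tables("branchA"), VPN_LABEL[2], "10.1.3.5"))  # None: wrong VPN
```

The point to take from the lookup is that segmentation is enforced by table selection, not by an access list: a packet carrying the VPN 2 label for a VPN 1 address simply has no route, and the only way to reach a peer spoke in VPN 2 is through the hub that the control policy installed as next hop.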
- 16. Cloud Ready WAN
(Diagram: Data Center, Campus, Branch, Small Office and Home Office sites connected through the Secure SD-WAN Fabric to the Cloud Data Center and to IaaS and SaaS cloud applications)
- 17. Enabling optimal Cloud OnRamp
Essentials: Cloud-ready WAN; Optimal exit points and access; Pervasive security
Cloud exit options from the branch over the Secure SD-WAN Fabric (diagram):
• Direct Internet Access (DIA) for optimal user experience
• Supported by regional Internet access (Regional Internet Access, Internet Exchange)
• ExpressRoute peering with Microsoft Azure (ExpressRoute Access, CNF)
- 18. Cloud onRamp for SaaS – Internet DIA
(Diagram: Remote Site with DIA exits via ISP1 and ISP2, Regional Data Center and Data Center on the SD-WAN Fabric; loss/latency flagged on one exit)
Quality Probing (HTTP ping)
• Remote site path-quality probing for selected SaaS applications across each DIA exit
- Simulates client connection using HTTP ping
• Results are quantified as vQoE score (combination of loss and latency)
• DIA exit with better vQoE score is chosen to carry the traffic for the selected SaaS application
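The probe-and-select loop on this slide, as an added Python example that is not Cisco or Viptela code: each DIA exit gets a batch of simulated HTTP-ping results, loss and latency are folded into one vQoE score, and the best-scoring exit is selected with a small hysteresis margin so the choice does not flap between near-equal exits. The scoring formula, the 0-10 scale, the hysteresis value and the probe samples are all assumptions; the slide states only that vQoE combines loss and latency.

```python
"""Toy DIA exit selection from HTTP-ping probe results.

Added example, not Cisco/Viptela code. Each DIA exit is probed toward the
SaaS application; loss and latency are folded into a single vQoE score and
the exit with the best score carries the traffic. The formula, the 0-10
scale, the hysteresis margin and the sample values are assumptions.
"""
from statistics import mean

# Constructed probe results, one list per DIA exit, RTT in ms; None = timed out.
PROBES_MS = {
    "isp1": [42, 45, None, 48, 44, None, 43, 47, 46, None],
    "isp2": [95, 90, 97, 93, 91, 94, 96, 92, 95, 93],
}


def loss_and_latency(samples):
    """Return (loss fraction, mean RTT in ms over the probes that answered)."""
    answered = [s for s in samples if s is not None]
    loss = 1.0 - len(answered) / len(samples)
    rtt = mean(answered) if answered else float("inf")   # all lost: infinite RTT
    return loss, rtt


def vqoe(loss, rtt_ms, max_rtt_ms=300.0, max_loss=0.10):
    """Assumed 0..10 score: 10 is perfect; latency and loss each carry a
    5-point budget that is exhausted at max_rtt_ms and max_loss respectively."""
    latency_penalty = min(rtt_ms / max_rtt_ms, 1.0) * 5.0
    loss_penalty = min(loss / max_loss, 1.0) * 5.0
    return round(10.0 - latency_penalty - loss_penalty, 2)


def score_exits(probes):
    """vQoE score per DIA exit for one SaaS application."""
    return {name: vqoe(*loss_and_latency(samples)) for name, samples in probes.items()}


def choose_exit(probes, current=None, hysteresis=0.5):
    """Pick the best exit, but keep the current one unless a rival beats it
    by more than `hysteresis`, so near-equal exits do not cause flapping."""
    scores = score_exits(probes)
    best = max(scores, key=scores.get)
    if current in scores and scores[best] - scores[current] <= hysteresis:
        return current
    return best


if __name__ == "__main__":
    print(score_exits(PROBES_MS))          # isp1 is fast but lossy, isp2 is clean
    print(choose_exit(PROBES_MS, current="isp1"))
```

In the constructed data isp1 has the lower latency but drops 30% of probes, which the loss budget punishes far more than isp2's extra 50 ms, so the selection moves to isp2. The all-lost case is handled explicitly: an exit that answers nothing scores 0 rather than producing a division error or a NaN that could win a comparison.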
- 19. Cloud onRamp for IaaS – Gateway VPC/VNET
(Diagram: Remote Site, Branch, Campus and Cloud Data Center on the SD-WAN Fabric; Gateway VPC/VNET connected to Host VPCs/VNETs over standard IPSec with BGP)
• A pair of vEdge routers is instantiated in Amazon VPC or Microsoft Azure VNET
- Gateway VPC/VNET
• A pair of standards-based IPSec tunnels is stretched from the gateway VPC/VNET to each host VPC/VNET
- Connectivity redundancy
• BGP is established across IPSec tunnels for route advertisement
- Bi-directional BGP/OMP redistribution on the gateway VPC/VNET vEdge routers
• Entire process is automated through vManage workflow
- 20. Service Insertion – Single or Multiple
(Diagram: Data Center, Remote Office and Regional Hub over MPLS, INET and 4G; firewall (FW) attached to the Regional Hub vEdge; VPN1 at each site; Service Advertisement and Policy Advertisement* exchanged with vSmart; Control Plane and Traffic Path shown)
• vEdge router with connected L4-L7 service makes advertisement
- Service route OMP address family
- Service VPN label
• Service is advertised in specific VPN
• Service can be L3 routed or L2 bridged
• Service can be singly or dually connected (Firewall trust zones) to the advertising vEdge
• Control or data policies are used to insert the service node into the matching traffic forwarding path
- Match on 6-tuple or DPI signature
- Applied on ingress/egress vEdge
* For data policy only. Control policy enforced on vSmart.
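The data-policy side of this slide, as an added Python example that is not Cisco or Viptela code: a firewall is advertised as a service inside one VPN with a service label, and a policy on the ingress vEdge matches flows on the 6-tuple or on a DPI application name and redirects matching flows to the service node instead of forwarding them straight to the destination. The service table, label value, rules, flows and the fallback behaviour when a matched service is not advertised in the flow's VPN are constructed assumptions.

```python
"""Toy data policy that inserts an L4-L7 service into the forwarding path.

Added example, not Cisco/Viptela code. A vEdge with a connected firewall
advertises the service in a VPN with a service VPN label; a data policy on
the ingress vEdge matches flows on the 6-tuple or a DPI signature and sends
them to the service node. Services, labels, rules and flows are constructed.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Flow:
    vpn: int
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    dscp: int = 0
    app: str = ""          # DPI-classified application name, "" if unknown


# Service advertisements learned through the OMP service address family,
# keyed by (VPN, service type): a service is only reachable inside its VPN.
SERVICES = {
    (1, "FW"): {"node": "hub-vedge", "label": 2001},   # assumed label value
}


@dataclass(frozen=True)
class Rule:
    """One data-policy sequence: every set field must match; None is a wildcard."""
    vpn: int
    service: str
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    dscp: Optional[int] = None
    app: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        if f.vpn != self.vpn:
            return False
        if self.src_net and ipaddress.ip_address(f.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net and ipaddress.ip_address(f.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        for name in ("proto", "sport", "dport", "dscp", "app"):
            want = getattr(self, name)
            if want is not None and getattr(f, name) != want:
                return False
        return True


# Constructed policy: TCP traffic into the 10.9.0.0/16 data-center range, and
# anything DPI classifies as bittorrent, is steered through the VPN 1 firewall.
RULES = [
    Rule(vpn=1, service="FW", dst_net="10.9.0.0/16", proto="tcp"),
    Rule(vpn=1, service="FW", app="bittorrent"),
]


def decide(flow, rules=RULES, services=SERVICES):
    """Forwarding decision for a flow at the ingress vEdge.

    First matching rule wins (sequence order). If the matched service is not
    advertised in the flow's VPN the flow is forwarded directly; that fallback
    is an assumption of this model, not a statement about the product.
    """
    for rule in rules:
        if rule.matches(flow):
            svc = services.get((flow.vpn, rule.service))
            if svc is None:
                return {"action": "direct", "reason": "service not advertised in VPN"}
            return {"action": "service", "node": svc["node"], "label": svc["label"]}
    return {"action": "direct", "reason": "no rule matched"}


if __name__ == "__main__":
    print(decide(Flow(1, "10.1.2.10", "10.9.0.5", "tcp", 51000, 443)))
    print(decide(Flow(2, "10.2.2.10", "10.9.0.5", "tcp", 51000, 443)))
```

Because the service lookup is keyed by VPN as well as by service type, a rule written for VPN 2 cannot silently reuse the VPN 1 firewall; the policy author has to advertise (or allow) the service in that segment, which keeps the segmentation guarantees of the previous slides intact even when traffic is being steered sideways through an appliance.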
- 21. Replicators
(Diagram: multicast sender behind the Data Center vEdge, RP, vSmart controllers, replicators in the SD-WAN Fabric, receivers at Branches; IGMP/PIM on the service side, OMP Updates on the Control Plane, Multicast Stream on the data plane)
• vEdges interoperate with IGMP v1/v2 and PIM on the service side
• vEdges advertise receiver multicast groups using OMP
• Replicators advertise themselves using OMP
• vEdge cannot be RP. Router is required.
- If running SSM, RP is not needed
• Replicators replicate multicast stream to receivers as learnt through OMP
- 22. Zero Touch Provisioning – vEdge Appliance
(Diagram, steps 1-5 between the vEdge, the Zero Touch Provisioning Server (Delivered as-a-Service), the Control and Policy Elements, and Full Registration and Configuration)
Assumption:
DHCP on Transport Side (WAN)
DNS to resolve ZTP server name*
* Factory default configured
- 23. Simplified Management
Interfaces: REST, NETCONF, Syslog, Flow Export, SNMP, CLI, Linux Shell, Power Tools
Single Pane Of Glass; Rich Analytics & Monitoring
- 24. vAnalytics Dashboard
- 25. vAnalytics Main Characteristics
Application/Flow Centric
• Based on DPI and cflowd
• Bandwidth Usage
- Top sources, destinations, apps
- Per-Site basis
• Application Performance
• Application to tunnel binding and performance information
• Anomaly Detection
- Baseline of application usage
- Anomaly detection based on overall application usage (by application family, by site)
Network Centric
• Site Availability
• Network Availability
• Site Usage Analysis
- Top sites by bandwidth consumption
- Historical bandwidth consumption
• Carrier Performance
- App-Route stats on a per-carrier basis
- Carriers health ranking
- 27. Viptela Integration Plan
Phase 1, No Integration
• Platform: As-is
• Management: vManage
• Deployment scenario: vManage with vEdge
• Benefit: Support current Viptela customers
Phase 2, Platform Integration
• Platform: vEdge capabilities integrated into all IOS-XE platforms (ISR, CSR, ENCS, ASR1K)
• Management: vManage for SD-WAN capabilities on IOS-XE
• Deployment scenario: vManage with vEdge and ISR4K + vEdge SW
• Benefit: Viptela SD-WAN on strategic ISR platform
Phase 3, Management Integration
• Management: Cloud hosted DNA Center integrates vManage capabilities
• Full DNA Center capabilities (Assurance, Integrated workflows for SD-Access and SD-WAN)
• Deployment scenario: DNA Center + SD-WAN with vEdge and ISR4K + vEdge SW
• Benefit: Deliver end-to-end experience with full DNA integration
- 28. Integration Roadmap - Prioritization Guidelines
1. All existing Viptela features must be supported
2. Workflow sanctity must be preserved
3. Platforms meet performance & scale expectations
4. Security (Embedded & Cloud)
5. Services (UC & WAAS)
6. Brownfield support
7. Advanced IOS capabilities (QoS, BGP etc)
- 29. High-level Feature Integration Plan
Existing Viptela Capabilities:
• Day 0: Workflows (User Configuration, System setup, Segmentation Setup)
• Day 1: Control phase setup (ZTP, Templates), Segmentation, DC routing, Topologies
• Day N: Application Policy, QoS, DIA, Cloud Express, Monitoring & Troubleshooting, Upgrade Options
Existing IOS-XE Capabilities:
• Platform & Interfaces: ASR1K, CSR, ISR4K, T1/E1, FXS/FXO etc
• Security & Services: ZBF, Umbrella, WAAS, UC, etc
• Advanced Capabilities: QoS, BGP etc.
- 30. SD-WAN Fabric Integration with DNA
(Diagram: the SDWAN Fabric joins users, devices and things to applications (SDWAN, Cloud, IoT, …), DC, IaaS, SaaS and vDC, with Analytics and cloud delivery; SDA Fabric (branch & campus) on the access side and ACI Fabric in the DC; Secure, Scale, Open)
• User / Device Identity, network-wide
• Policy abstraction at User / Group and Application levels
• Policy at Fabric Edge. Over-the-top.
• Increased Simplicity. Seamless Mobility. End-to-end Context
- 32. Where are you in the SD-WAN journey?
• New SDWAN customers: Full breadth of solutions, Cisco SDWAN or Meraki
• Customers with Viptela vEdge or in process of deployment: Cisco will support Viptela & vEdge hardware
• Customers deployed IWAN or in process of deployment: Continued support for IWAN
- 33. Choosing the Appropriate SD-WAN Solution
Discovery, Insights and Relevancy Triggers
Advanced SD-WAN:
• Cloud and OnRamp
• More than two active transports or active LTE
• Comprehensive WAN connectivity & services
• Complex topologies
• Custom policies at scale
• Advanced routing & segmentation
• Native dynamic cloud application acceleration
SD-WAN Common:
• Hybrid WAN
• L3 overlay for hub-spoke deployments
• Dynamic path selection
• Cloud-managed
• Zero touch deployment with templates and easy to use dashboard
Single Dashboard:
• Single pane-of-glass management for full stack infrastructure across the branch
• Existing Meraki customers evaluating SD-WAN
• Competitive pricing pressure
• Integrated branch security and network connectivity solution
- 34. Cisco SD-WAN Day 1 Deployment Scenarios
Scenarios shown (diagram, each with vManage and a vEdge): ISR Providing Services; ISR Providing T1/E1/DSL Connectivity; Thin Branch; Available Bundles
Components in the diagrams: ISR, vEdge, vManage; uplinks T1 / E1 / DSL or Ethernet; services WAAS, UC
- 35. What should I do?
• I’ve started my IWAN deployment and it meets my Use Case needs
- Continue deployment
- Invest in strategic platforms: ISR4K/ASR1K/ENCS
- Software migration to NextGen when it is needed
• I’m considering an SD-WAN deployment. I need advanced use cases:
- Automated Segmentation, Cloud
- Consider NextGen Deployment
- Invest in strategic platforms: ISR4K/ASR1K/ENCS; Available vEdge Bundles
- 36. Key Takeaways
• Cisco SDWAN is the name for Cisco’s next generation SDWAN solution.
• Cisco SDWAN has a roadmap for Innovation and for Integration (ISR/ASR/ENCS and IOS-XE)
• Cisco IWAN has over 200,000 sites deployed or in deployment
• IWAN 2.x support and roadmap will continue as per customer commitments
• Cisco is making significant investments in innovation and integration roadmaps