Cisco Connect Toronto 2017 - Understanding Cisco Next Generation SD-WAN

Cisco Confidential© 2016 Cisco and/or its affiliates. All rights reserved. 1
Understanding Cisco’ Next
Generation SD-WAN Solution
Steven Wood
Principal Engineer, SD-WAN & Enterprise Architecture
October 12, 2017

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Opening Comments
• Cisco SDWAN is the name for Cisco’s next generation SDWAN
solution.
• Cisco SDWAN will have a roadmap for Innovation and for Integration
(ISR/ASR/ENCS and IOS-XE)
• Cisco IWAN has over 200,000 sites deployed or in deployment
• IWAN 2.x support and roadmap will continue as per customer
commitments
• Cisco is making significant investments in innovation and integration
roadmaps

Digital Innovations Overwhelming the Branch & the WAN
of revenue
is generated
in the branch
90%
MORE
THREATS
30%
Of advanced threats will
target branch offices by
2016 (up from 5%)
MORE
USERS
80% Of employee and
customers are served in
branch offices
MORE
DEVICES
73%
Growth in mobile
devices from
2014-2018
MORE
APPS
20-50% Increase in enterprise
bandwidth per year
through 2018
IoT devices
connected to
internet by 2020
30B
Annual increase in
enterprise bandwidth
and video adoption50%
Up to
Mobile-connected
devices by 201910B
Of Organizations primarily
use public cloud by 201980%

The ROI is real
Traditional WAN vs Cisco SD-WAN
5X Cloud Performance
Cloud Aware architectures and SLA-based
traffic steering deliver blazing performance
for applications like O365, AWS, SFDC, and
more
10X More Bandwidth
No capacity restraints. No Choke
points. Instantly add bandwidth
anytime, anywhere based on
application requirements
50% Lower Cost
Reduced CapEx & OpEx.
Simplified Management.
Rapid troubleshooting
Circuit Costs
Time to enable
New services
Bandwidth Security & Compliance Change Control

Cloud-first
management
with flexible
deployment options
Accelerate key
SD-WAN use cases;
Cloud-edge and
Segmentation
Sophisticated, but
still simple to deploy
and operate
Complements Cisco’s Enterprise Networks architecture strategy
Why Viptela?
Cisco Digital
Network Architecture

Better Together: Providing Better Outcomes
Leading Routing &
SD-WAN Platforms
Goal: Building next generation SD-WAN solutions
Together, helping businesses and IT to innovate faster, securing and delivering
better customer outcomes, while reducing costs and lowering risk
Cloud-managed &
Feature-rich SD-WAN

Accelerating SD-WAN Vision and Strategy
Secure VPN Overlay, Any Transport, Bandwidth Efficiency, Application SLA
Secure, Simple, Centralized Policy Automation, Optimization, Security, E2E Policies
Cloud Migration, Cloud Delivery, Analytics, SDN Architecture
vRouter, vService and NFV
Enterprise Fabric
INTELLIGENT
VIRTUALIZATION
AUTOMATION
CLOUD
INTEGRATION
SERVICE
VIRTUALIZATION
DNA
Next Generation Cisco SDWANIWAN SD-WAN

Cisco Confidential 8© 2016 Cisco and/or its affiliates. All rights reserved.
Cisco SD-WAN:
Architecture & Use Cases

Cisco SD-WAN Solution with Viptela
APPLICATION POLICIES
SERVICES DELIVERY PLATFORM
TRANSPORT INDEPENDENT FABRIC
Broadband CellularMPLS
ZERO TOUCH ZERO TRUST
QoSSecurity Segmentation Svc Insertion SurvivabilityRouting Multicast
Per-Segment
Topologies
Cloud
Path
Application
SLA
Secure
Perimeter
Traffic
Engineering
Transport
Hub
Cloud
Accel
Analytics
Monitoring
Operations

APPLICATIONS
SDWAN
Cloud IoT
.…
Enterprise
Fabric
SD-WAN Fabric – Networking for the Cloud Era
Enabling the Digital Transformation
USERS
DC
IaaS
SaaS
vDC
Analytics
SECURE SCALE OPEN
Cloud Delivered
DEVICES
THINGS

Cisco SD-WAN with Viptela: Solution Overview
Data Center Campus Branch Home Office
Control Plane
(Containers or VMs)
Data Plane
(Physical or Virtual)
Management Plane
(Multi-tenant or Dedicated)
Orchestration Plane
vManage
vSmart
vBond
vEdge
vOrchestrator
API
4GINTERNET MPLS
CONTROL
ANALYTICSORCHESTRATION
MANAGEMENT

Critical Applications SLA
Bandwidth
Oversubscription
Path
Brownout
Application-
aware
Topologies
All Links
Failure
Corporate
Data Center
Small Office
Home Office
Cloud
Data Center
Single Link
Failure
Cloud
Applications
Latency
Path MTU
Changes
CPE Device
Failure
4G/LTE
Internet MPLS
BranchCampus

Application Recognition
Deep Packet Inspection Engine
Primary Use Cases:
- Application visibility
- Application Firewall
- Traffic prioritization
- Transport selection
vEdge Router
App 1
App 2
App 3,000
Cloud Data
Center
Data
Center
Campus
Branch
Small Office
Home
Office
MPLS INET
3G/4G

Secure Segmentation
Ingress
vEdge
VPN 3
VPN 1
VPN 2
SD-WAN
IPSec
Tunnel
20
IP
8
UDP
36
ESP
4
VPN
…
Data
Egress
vEdge
Interface
VLAN
• Segment connectivity across fabric w/o
reliance on underlay transport
• vEdge routers maintain per-VPN
routing table
• Labels are used to identify VPN for
destination route lookup
• Interfaces and sub-interfaces (802.1Q
tags) are mapped into VPNs
VPN1
VPN2
Interface
VLAN
VPN1
VPN2

Arbitrary VPN Topologies
VPN1 VPN2
VPN3 VPN4
• Each VPN can have it’s own topology
• VPN topology can be influenced by
leveraging control policies
- Filtering TLOCs or modifying next-
hop TLOC attribute for routes
• Applications can benefit from
shortest path, e.g. voice takes full-
mesh topology
• Security compliance can benefit from
controlled connectivity topology, e.g.
PCI data takes hub-and-spoke
topology
Full-Mesh Hub-and-Spoke
Partial Mesh Point-to-Point

Cloud Ready WAN
IaaS SaaS
Data
Center
Small Office
Home Office
Data
Center
Campus
Small Office
Home Office
Branch
Cloud
Data Center
Secure
SD-WAN
Fabric
CampusBranch
Cloud
Applications
Secure
SD-WAN
Fabric

Enabling optimal Cloud OnRamp
ESSENTIALS
Cloud-ready WAN
Optimal exit points
and access
Pervasive security
Direct Internet
Access
ExpressRoute
Access
CNF
3
Regional
Internet Access
Internet
Exchange
2
Branch
1 2 3
Direct Internet Access
(DIA) for optimal
user experience
Supported by regional
Internet access
ExpressRoute peering
with Microsoft Azure 1
Secure
SD-WAN
Fabric

Cloud onRamp for SaaS – Internet DIA
Regional
Data Center
Remote Site
ISP2
ISP1
SD-WAN
Fabric
Loss/
Latency
!
Data Center
Quality Probing (HTTP ping)
• Remote site path-quality probing for
selected SaaS applications across each
DIA exit
- Simulates client connection using HTTP
ping
• Results are quantified as vQoE score
(combination of loss and latency)
• DIA exit with better vQoE score is
chosen to carry the traffic for the
selected SaaS application

Cloud onRamp for IaaS – Gateway VPC/VNET
Remote Site
SD-WAN
Fabric
Branch
Campus
Cloud
Data Center
Host
VPCs/VNETs
Gateway
VPC/VNET
• A pair of vEdge routers is instantiated in
Amazon VPC or Microsoft Azure VNET
- Gateway VPC/VNET
• A pair of standard-based IPSec tunnels
is stretched from gateway VPC/VNET to
each host VPCs/VNETs
- Connectivity redundancy
• BGP is established across IPSec tunnels
for route advertisement
- Bi-directional BGP/OMP redistribution on
the gateway VPC/VNET vEdge routers
• Entire process is automated through
vManage workflow
Standard IPSec
BGPBGP BGP

Service Insertion – Single or Multiple
Data
Center
Remote
Office
• vEdge router with connected L4-L7
service makes advertisement
- Service route OMP address family
- Service VPN label
• Service is advertised in specific VPN
• Service can be L3 routed or L2
bridged
• Service can be singly or dually
connected (Firewall trust zones) to
the advertising vEdge
• Control or data policies are used to
insert the service node into the
matching traffic forwarding path
- Match on 6-tuple or DPI signature
- Applied on ingress/egress vEdge
Regional
Hub
MPLS INET
4G
Service
Advertisement
Policy
Advertisement*vSmart
* For data policy only. Control policy enforced on vSmart.
VPN1
VPN1
VPN1
Traffic Path
Control Plane
FW

Replicators
Sender
vSmart
Controllers
Multicast Stream
SD-WAN
Fabric
RP
Control Plane
Branch
BranchReceiver
Receiver
Data
Center
Multicast Traffic
IGMP/PIM
IGMP/PIM
OMP
Update
OMP
Update
OMP
Update
OMP
Update
 vEdges interoperate with IGMP v1/v2 and
PIM on the service side
 vEdges advertise receiver multicast groups
using OMP
 Replicators advertise themselves using
OMP
 vEdge cannot be RP. Router is required.
- If running SSM, RP is not needed
 Replicators replicate multicast stream to
receivers as learnt through OMP

Zero Touch Provisioning – vEdge Appliance
Control and Policy
Elements
Full Registration and
Configuration
vEdge
5
* Factory default configured
Assumption:
 DHCP on Transport Side (WAN)
 DNS to resolve ZTP server name*
 Delivered as-a-Service
3
4
Zero Touch Provisioning
Server
1
2

Simplified Management
REST NETCONF Syslog
Flow
ExportSNMP
CLI Linux Shell
Power Tools
Single Pane Of Glass Rich Analytics & Monitoring

vAnalytics Dashboard

vAnalytics Main Characteristics
Application/Flow Centric
• Based on DPI and cflowd
• Bandwidth Usage
- Top sources, destinations, apps
- Per-Site basis
• Application Performance
• Application to tunnel binding and
performance information
• Anomaly Detection
- Baseline of application usage
- Anomaly detection based on
overall application usage (by
application family, by site)
Network Centric
• Site Availability
• Network Availability
• Site Usage Analysis
- Top sites by bandwidth consumption
- Historical bandwidth consumption
• Carrier Performance
- App-Route stats on a per-carrier basis
- Carriers health ranking

Integration Plans

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Viptela Integration Plan
Phase 2
Platform Integration
Phase 1
No Integration
Phase 3
Management Integration
Platform:
• As-is
Management:
• vManage
Platform:
• vEdge capabilities integrated into all IOS-XE
platforms (ISR, CSR, ENCS, ASR1K)
Management:
• vManage for SD-WAN capabilities on IOS-XE
Management:
• Cloud hosted DNA Center integrates vManage
capabilities
• Full DNA Center capabilities (Assurance,
Integrated workflows for SD-Access and
SD-WAN)
Support current Viptela
customers
Viptela SD-WAN on strategic ISR
platform
Deliver end-to-end experience
with full DNA integration
DeploymentScenariosBenefitsDetails
vEdge ISR4K + vEdge SW
DNA Center
+ SD-WAN
ISR4K + vEdge SW
vManage
vEdge
vManage
vEdge

Integration Roadmap - Prioritization Guidelines
1 All existing Viptela features must be supported
2 Workflow sanctity must be preserved
3 Platforms meet performance & scale expectations
4 Security (Embedded & Cloud)
5 Services (UC & WAAS)
6 Brownfield support
7 Advanced IOS capabilities (QoS, BGP etc)

High-level Feature Integration Plan
Existing IOSXE CapabilitiesExisting Viptela Capabilities
 Day 0, Workflows (User
Configuration, System setup,
Segmentation Setup)
 Day 1, Control phase setup, ZTP,
Templates), Segmentation, DC
routing, Topologies
 Day N, Application Policy, Qos, DIA,
Cloud Express, Monitoring &
Troubleshooting, Upgrade Options
Platform & Interfaces:
ASR1K, CSR, ISR4K, T1/E1, FSX/FXO etc
Security & Services:
ZBF, Umbrella, Waas, UC, etc
Advanced Capabilities: QoS, BGP etc.

SD-WAN Fabric Integration with DNA
APPs
SDWAN
Cloud IoT
.…
SDWAN Fabric
USERS
DC
IaaS
SaaS
vDC
Analytics
SECURE SCALE OPEN
Cloud Delivered
DEVICES
THINGS
SDA Fabric
(branch & campus)
SDA Fabric
(branch & campus)
DC
ACI Fabric
• User / Device Identity, network-wide
• Policy abstraction at User / Group and
Application levels
• Policy at Fabric Edge. Over-the-top.
• Increased Simplicity. Seamless Mobility.
End-to-end Context

What should I do?

Where are you in the SD-WAN journey ?
New SDWAN
customers
Customers with Viptela
vEdge or in process of
deployment
Customers
deployed IWAN or
in process of
deployment
Full breadth of solutions:
Cisco SDWAN or Meraki
Cisco will support Viptela
& vEdge hardware
Continued support for
IWAN

Choosing the Appropriate SD-WAN Solution
Discovery, Insights and Relevancy Triggers
• Cloud and OnRamp
• More than two active
transports or active LTE
• Comprehensive WAN
connectivity & services
• Complex topologies
• Custom policies at scale
• Advanced routing &
segmentation
• Native dynamic cloud
application acceleration
Advanced SD-WAN
• Hybrid WAN
• L3 overlay for hub-spoke
deployments
• Dynamic path selection
• Cloud-managed
• Zero touch deployment with
templates and easy to use
dashboard
SD-WAN Common
• Single pane-of-glass
management for full stack
infrastructure across the
branch
• Existing Meraki customers
evaluating SD-WAN
• Competitive pricing pressure
• Integrated branch security and
network connectivity solution
Single Dashboard

vManage
Cisco SD-WAN Day 1 Deployment Scenarios
ISR
TI / E! / DSL
DeploymentScenarios
vEdge
ISR Providing Services
vManage
vEdge
Ethernet
ISR
vManage
ISR
TI / E! / DSL
vEdge
ISR Providing T1/E1/DSL
Connectivity
vManage
ISR
TI / E1 / DSL
vEdge
WaaS
UC
Thin Branch
vManage
vEdge
Ethernet
Available Bundles

• I’ve started my IWAN deployment and it meets my Use Case needs
- Continue deployment
- Invest in strategic platforms: ISR4K/ASR1K/ENCS
- Software migration to NextGen when it is needed
• I’m considering an SD-WAN deployment. I need advanced use cases:
- Automated Segmentation, Cloud
- Consider NextGen Deployment
- Invest in strategic platforms: ISR4K/ASR1K/ENCS; Available vEdge
Bundles
What should I do?

• Cisco SDWAN is the name for Cisco’s next generation SDWAN
solution.
• Cisco SDWAN has a roadmap for Innovation and for Integration
(ISR/ASR/ENCS and IOS-XE)
• Cisco IWAN has of 200,000 sites deployed or in deployment
• IWAN 2.x support and roadmap will continue as per customer
commitments
• Cisco is making significant investments in innovation and
integration roadmaps
Key Takeaways

Cisco Connect Toronto 2017 - Understanding Cisco Next Generation SD-WAN

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (16)

Ähnlich wie Cisco Connect Toronto 2017 - Understanding Cisco Next Generation SD-WAN

Ähnlich wie Cisco Connect Toronto 2017 - Understanding Cisco Next Generation SD-WAN (20)

Mehr von Cisco Canada

Mehr von Cisco Canada (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Cisco Connect Toronto 2017 - Understanding Cisco Next Generation SD-WAN